Title: Flow-based profile generation and network traffic detection for DNS anomalies using optimised entropy-based features selection and modified Holt Winter's method

Authors: Rohini Sharma; Ajay Guleria; R.K. Singla

Addresses: Department of Computer Science and Applications, Panjab University, Chandigarh, India; Department of CSC, Indian Institute of Delhi, Delhi, India; Department of Computer Science and Applications, Panjab University, Chandigarh, India

Abstract: Network anomaly detection systems detect zero-day anomalies, but their false positive rate is quite high. In this paper, a profile-based network anomaly detection system (P-NADS) is proposed that works in three phases. In the first phase, a minimal set of characteristic features for the DNS service is identified using the proposed optimal entropy-based features selection (OEFS), which helps in detecting anomalies with higher accuracy. In the second phase, a modified Holt Winter's method using partial trend (MHWT) is proposed, which generates the normal profile of a system to predict future normal behaviour. In the final phase, anomalies are detected and localised. Experimental results show that the OEFS method works better than information gain and the forward feature selection algorithm. The MHWT method gives better prediction accuracy for DNS when compared to HWDS. Experiments are performed on the Panjab University flow-based dataset (PUF-dataset), which is created using real flows collected from the Panjab University Chandigarh Campus and is freely available on request.

Keywords: network anomaly detection; Holt Winter's method; domain name system; features selection; entropy; normal profile; network flows.

DOI: 10.1504/IJSN.2021.119380

International Journal of Security and Networks, 2021 Vol.16 No.4, pp.244 - 257

Received: 05 Mar 2020
Accepted: 04 Oct 2020

Published online: 02 Dec 2021
