Entropy Based Analysis of Anomaly Access of IP Packets

2008 
To defend against DoS (denial of service) attacks, an access filtering mechanism is adopted on the end servers or in the IDS (intrusion detection system). The difficulty in defining the filtering rules lies in distinguishing normal from anomalous packets among the incoming traffic. The purpose of our research is to explore an early detection method for anomalous accesses based on statistical analysis. In this paper, we first define the entropy-based analysis, then analyze the volume of packets arriving at our college. From the results, we were able to extract the following features of the entropy analysis. First, entropy-based analysis detects distributed, low-volume 80/TCP anomalous accesses, compared to frequency-based analysis. Second, a one-hour window size is the most sensitive for finding the 80/TCP anomalous accesses. Finally, after applying a filter for noisy ICMP anomalous packets to the whole data set, entropy-based analysis detects low-volume ICMP anomalous accesses.
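The contrast the abstract draws between entropy-based and frequency-based detection, as an added illustration that is not code from the paper: per-window Shannon entropy of the source-address distribution for 80/TCP is compared with a per-source packet-count threshold on a constructed packet sample (the window length, the delta of 1 bit and the threshold of 25 packets are assumptions chosen for the example, not values from the paper).

```python
import math
from collections import Counter

# Constructed packet records (timestamp_s, src_ip, proto, dst_port), not real capture data.
# Hour 0: three legitimate clients, 20 packets each to 80/TCP.
# Hour 1: the same clients plus a distributed probe of 30 sources sending one packet each,
# so no single source stands out by volume (the case the abstract describes).
PACKETS = (
    [(t, "10.0.0.%d" % (1 + (t // 60) % 3), "TCP", 80) for t in range(0, 7200, 60)]
    + [(3600 + i * 10, "198.51.100.%d" % i, "TCP", 80) for i in range(1, 31)]
)

def shannon_entropy(counts):
    """Shannon entropy in bits of a Counter of occurrences."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def per_window_sources(packets, window, proto="TCP", port=80):
    """Group one service's packets into time windows, counting packets per source address."""
    buckets = {}
    for ts, src, pr, dport in packets:
        if pr == proto and dport == port:
            buckets.setdefault(ts // window, Counter())[src] += 1
    return buckets

def entropy_alerts(packets, window=3600, delta=1.0):
    """Entropy-based check: flag windows whose source-address entropy rises more than
    `delta` bits above the first (baseline) window. Returns (entropies, flagged windows)."""
    ent = {w: shannon_entropy(c) for w, c in sorted(per_window_sources(packets, window).items())}
    base = next(iter(ent.values()))
    return ent, [w for w, h in ent.items() if h - base > delta]

def frequency_alerts(packets, window=3600, threshold=25):
    """Frequency-based check: flag (window, source) pairs exceeding `threshold` packets."""
    return [(w, src) for w, c in per_window_sources(packets, window).items()
            for src, n in c.items() if n > threshold]

if __name__ == "__main__":
    ent, flagged = entropy_alerts(PACKETS)
    print("entropy per hour:", {w: round(h, 3) for w, h in ent.items()}, "flagged:", flagged)
    print("frequency alerts:", frequency_alerts(PACKETS))  # empty: no single source is loud
```

The entropy of hour 1 jumps from log2(3) to about 3.61 bits and the window is flagged, while the per-source count never exceeds 20 and the frequency check stays silent.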