Calibrating Entropy Functions Applied to Computer Networks
Duncan A. Buell
Department of Computer Science and Engineering,
University of South Carolina,
Columbia, South Carolina 20209
buell@cse.sc.edu
http://www.cse.sc.edu/ buell
Abstract. It has been suggested that the problem of determining the
state of a network could be solved by computing entropy functions based
on the dynamic connections that are made among the nodes of that network.
In this paper we will attempt to calibrate, in a quantitative way,
the computation of those entropy functions on simulated data that we
believe should resemble real data. Our purpose is to understand how
one might use the entropy functions to signal that the state of a network
is undergoing a significant change, perhaps due to an attack on
the network or an attack emanating from the network. Our results are,
we believe, either inconclusive or negative. Specifically, we believe that
our simulations suggest either that these entropy functions are not
sufficiently indicative of anomalous behavior in a network as to be usable
for this purpose or that conversely in order for them to be used to detect
anomalous behavior, the underlying “normal” behavior of the network
would have to be more stable than we might expect it to be.
1 Introduction
It has been suggested [1,3] that the problem of determining the state of a
network could be solved by computing entropy functions based on the dynamic
connections that are made among the nodes of that network. In this paper we
will attempt to calibrate, in a quantitative way, the computation of those
entropy functions on simulated data that we believe should resemble real data.
Our purpose is to understand how one might use the entropy functions to signal
that the state of a network is undergoing a significant change, perhaps due to
an attack on the network or an attack emanating from the network.
We are attempting to model the behavior of a network, which we assume
comprises at least hundreds if not thousands or tens of thousands of nodes. A
large university campus, for example, has on the order of 10,000 nodes connected
to its network. From the traffic on the network, we can construct a connectivity
matrix C that represents the dynamic connections of the network as defined by
the traffic in the time interval during which data has been gathered.
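
An added example, not code from the paper: it builds a sparse connectivity matrix C from (source, destination) records for one time window and computes two entropy values from it. The paper's own entropy functions are not given on this page, so Shannon entropy over the normalised entries of C and over its row sums is an assumption, as are the host names and both constructed windows.

```python
import math
from collections import Counter

def connectivity_matrix(flows):
    """Sparse C: C[(src, dst)] = connections from src to dst in the window."""
    return Counter(flows)

def entropy(counts):
    """Shannon entropy in bits of a Counter normalised to a distribution."""
    total = sum(counts.values())
    if total == 0:
        return 0.0  # empty window: no traffic, no uncertainty
    return -sum(n / total * math.log2(n / total) for n in counts.values() if n)

def matrix_entropy(C):
    """Entropy over all (src, dst) entries of C (assumed definition)."""
    return entropy(C)

def source_entropy(C):
    """Entropy over the row sums of C: traffic share per source node."""
    rows = Counter()
    for (src, _dst), n in C.items():
        rows[src] += n
    return entropy(rows)

# Constructed window 1: four hosts, each 3 connections to srv1 and 1 to srv2.
BASELINE = [(f"h{i}", "srv1") for i in range(4)] * 3 + \
           [(f"h{i}", "srv2") for i in range(4)]
# Constructed window 2: same traffic plus h0 touching 16 new destinations once.
FANOUT = BASELINE + [("h0", f"d{j}") for j in range(16)]

def compare(window_a, window_b):
    """Return (matrix, source) entropy for each of the two windows."""
    a, b = connectivity_matrix(window_a), connectivity_matrix(window_b)
    return ((matrix_entropy(a), source_entropy(a)),
            (matrix_entropy(b), source_entropy(b)))

if __name__ == "__main__":
    (m0, s0), (m1, s1) = compare(BASELINE, FANOUT)
    print(f"baseline: matrix={m0:.3f} source={s0:.3f}")
    print(f"fan-out:  matrix={m1:.3f} source={s1:.3f}")
```

On these constructed windows the two values move in opposite directions, so the choice of entropy function matters; whether a shift of this size stands out from normal window-to-window variation is the calibration question the paper addresses.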
We note that the physical network topology is not of interest here. Physical
connections are not relevant to the state of the network unless they are actually