Modern TCP/IP networks and the traffic they carry are both extremely complex. From a network operator's perspective, catastrophic events such as worm outbreaks, large DDOS attacks or disturbances affecting a large number of users are a major concern. Classic detection strategies use either a plethora of statistical measures, which are difficult to tune, or look for specific event signatures, such as code fragments, specific ports used, etc., which miss hitherto unknown types of events. We observe that the observables of a complex system in a stable state represent a more or less stationary source and as such can be regarded as having a constant entropy rate. In the case of network, this source can in its simplest form be the concatenation of data from packet headers. We demonstrate on actual traces from the University of Auckland that network events of various kinds have an observable effect on network entropy, and thus propose entropy as a tool for network event detection. The idea as such is not new (first proposed by Kulkarni, Bush and Evans), but we use T-entropy, a specialised general entropy estimator that combines real-time computability with sensitivity to patterns whose length is a priori unknown.

Biography

Ulrich Speidel is a senior lecturer in the Department of Computer Science. He holds a PhD in Computer Science and an MSc in Physics from Auckland, and held a visiting associate professorship at the University of Tokyo in 2010. He works in information theory, variable-length coding, information measurement and web technologies and applications of all these fields.