IDEAS home Printed from https://ideas.repec.org/a/gam/jftint/v16y2024i12p470-d1544699.html

Characterising Payload Entropy in Packet Flows—Baseline Entropy Analysis for Network Anomaly Detection

Author

Listed:
  • Anthony Kenyon

    (Hyperscalar Ltd., High Wycombe HP22 4LW, UK)

  • Lipika Deka

    (School of Computer Science and Informatics, De Montfort University, Leicester LE1 9BH, UK)

  • David Elizondo

    (School of Computer Science and Informatics, De Montfort University, Leicester LE1 9BH, UK)

Abstract

The accurate and timely detection of cyber threats is critical to keeping our online economy and data safe. A key technique in early detection is the classification of unusual patterns of network behaviour, often hidden as low-frequency events within complex time-series packet flows. One of the ways in which such anomalies can be detected is to analyse the information entropy of the payload within individual packets, since changes in entropy can often indicate suspicious activity—such as whether session encryption has been compromised, or whether a plaintext channel has been co-opted as a covert channel. To decide whether activity is anomalous, we need to compare real-time entropy values with baseline values, and while the analysis of entropy in packet data is not particularly new, to the best of our knowledge, there are no published baselines for payload entropy across commonly used network services. We offer two contributions: (1) we analyse several large packet datasets to establish baseline payload information entropy values for standard network services, and (2) we present an efficient method for engineering entropy metrics from packet flows in both real-time and offline packet data. Such entropy metrics can be included within feature subsets, thus making the feature set richer for subsequent analysis and machine learning applications.
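The per-packet entropy metric and baseline comparison described in the abstract, as an added example that is not the paper's own code: Shannon entropy of each payload in bits per byte, a per-service baseline, and a z-score check that flags random-looking bytes on a plaintext service or plaintext on an encrypted one. The service names, the threshold values and all sample payloads are constructed assumptions, not captured traffic.

```python
import hashlib
import math
from collections import Counter
from statistics import mean, pstdev


def payload_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def build_baseline(samples):
    """Per-service baseline (mean, population std-dev) from (service, payload) pairs."""
    by_service = {}
    for service, payload in samples:
        by_service.setdefault(service, []).append(payload_entropy(payload))
    return {s: (mean(h), pstdev(h)) for s, h in by_service.items()}


def check_payload(baseline, service, payload, k=3.0, min_std=0.25):
    """Score one payload against its service baseline; returns (entropy, z, anomalous).

    min_std stops a near-constant baseline from flagging every packet;
    k is the z-score threshold (both values are assumed, not from the paper)."""
    h = payload_entropy(payload)
    mu, sigma = baseline[service]
    z = (h - mu) / max(sigma, min_std)
    return h, z, abs(z) > k


# Constructed samples (not captured traffic): plaintext HTTP requests, and
# SHA-256 digests standing in for the opaque bodies of TLS records.
_http = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /style.css HTTP/1.1\r\nHost: example.com\r\nAccept: text/css\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 21\r\n\r\nuser=alice&lang=en-GB",
]
_tls = [b"".join(hashlib.sha256(bytes([i, j])).digest() for i in range(32)) for j in range(3)]
BASELINE = build_baseline([("http", p) for p in _http] + [("tls", p) for p in _tls])

# Plaintext service carrying random-looking bytes: a possible covert channel.
COVERT_ON_HTTP = check_payload(BASELINE, "http", _tls[0])
# Encrypted service carrying plaintext: possibly a downgraded or broken session.
PLAINTEXT_ON_TLS = check_payload(BASELINE, "tls", _http[0])
NORMAL_HTTP = check_payload(BASELINE, "http", b"GET /about.html HTTP/1.1\r\nHost: example.com\r\n\r\n")

if __name__ == "__main__":
    for name, (h, z, bad) in [("covert_on_http", COVERT_ON_HTTP),
                              ("plaintext_on_tls", PLAINTEXT_ON_TLS), ("normal_http", NORMAL_HTTP)]:
        print(f"{name}: H={h:.2f} bits/byte  z={z:+.1f}  anomalous={bad}")
```

In practice the baseline tuple per service would come from the large dataset analysis the paper describes rather than three hand-made samples, and the entropy value itself is what gets appended to the flow's feature vector.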

Suggested Citation

  • Anthony Kenyon & Lipika Deka & David Elizondo, 2024. "Characterising Payload Entropy in Packet Flows—Baseline Entropy Analysis for Network Anomaly Detection," Future Internet, MDPI, vol. 16(12), pages 1-18, December.
  • Handle: RePEc:gam:jftint:v:16:y:2024:i:12:p:470-:d:1544699

    Download full text from publisher

    File URL: https://www.mdpi.com/1999-5903/16/12/470/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/1999-5903/16/12/470/
    Download Restriction: no
