
On the Efficiency of Mathematics in Intrusion Detection: The NetEntropy Case

  • Conference paper
  • Foundations and Practice of Security (FPS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8352)

Abstract

NetEntropy is a plugin to the Orchids intrusion detection tool, originally meant to detect some subtle attacks on implementations of cryptographic protocols such as SSL/TLS. NetEntropy compares the sample entropy of a data stream to a known profile and flags any significant variation. Our point is to stress the mathematics behind NetEntropy: the reason for its remarkable precision is to be found in theorems due to Paninski and Moddemeijer.
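As an added illustration of the mechanism the abstract describes (example code, not NetEntropy's or Orchids' own), the block below computes the plug-in sample entropy of fixed-size windows of a byte stream, compares each window with an assumed profile value and flags the windows that deviate; it also includes the Miller-Madow bias correction from reference [13], since the small-sample bias of the plug-in estimator is one of the properties the cited theorems address. The window size, profile value, tolerance and the sample stream are all constructed assumptions.

```python
# Added example (not NetEntropy's code): sample-entropy profile check on a byte stream.
# Profile value, window size and tolerance below are assumptions for illustration.
import math
from collections import Counter


def plugin_entropy_bits(data: bytes) -> float:
    """Maximum-likelihood ("plug-in") entropy estimate of one block, in bits."""
    n = len(data)
    if n == 0:
        raise ValueError("empty block")
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def miller_madow_entropy_bits(data: bytes) -> float:
    """Plug-in estimate plus the Miller-Madow first-order bias correction.

    The plug-in estimator underestimates entropy by about (m-1)/(2N) nats, where
    m is the number of occupied bins and N the sample size. The correction is only
    accurate when N >> m; on small windows it can push the estimate above log2(m)."""
    n, m = len(data), len(set(data))
    return plugin_entropy_bits(data) + (m - 1) / (2 * n * math.log(2))


def scan_stream(stream: bytes, window: int, profile_bits: float,
                tolerance_bits: float, estimator=plugin_entropy_bits) -> list:
    """Slide a non-overlapping window over the stream and return the offsets of the
    windows whose estimated entropy deviates from the profile by more than the
    tolerance. A real profile would be learned from known-good traffic of the same
    protocol at the same window size (assumed here)."""
    alerts = []
    for off in range(0, len(stream) - window + 1, window):
        if abs(estimator(stream[off:off + window]) - profile_bits) > tolerance_bits:
            alerts.append(off)
    return alerts


# Constructed stream: 512 bytes in which every byte value occurs equally often
# (plug-in entropy exactly 8 bits, standing in for ciphertext), then 512 bytes of
# repeated HTTP-like text (standing in for a channel that stopped being encrypted).
CIPHERTEXT_LIKE = bytes(range(256)) * 2
PLAINTEXT_LIKE = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 11)[:512]
STREAM = CIPHERTEXT_LIKE + PLAINTEXT_LIKE

if __name__ == "__main__":
    for off in range(0, len(STREAM), 256):
        print(off, round(plugin_entropy_bits(STREAM[off:off + 256]), 3))
    print("flagged windows:", scan_stream(STREAM, 256, 8.0, 0.5))
```

With the constructed stream, the two ciphertext-like windows sit at the 8-bit profile and the two text windows at offsets 512 and 768 are flagged.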


References

  1. Antos, A., Kontoyiannis, I.: Convergence properties of functional estimates for discrete distributions. Random Struct. Algorithm. 19, 163–193 (2001)
  2. Bialek, W., Nemenman, I. (eds.): Estimation of entropy and information of undersampled probability distributions: theory, algorithms, and applications to the neural code. In: Satellite of the Neural Information Processing Systems Conference (NIPS’03), Whistler, Canada (2003). http://www.menem.com/ilya/pages/NIPS03/
  3. CEA, CNRS, INRIA: CeCILL free software license agreement (2005). http://www.cecill.info/licences/Licence_CeCILL_V2-en.html
  4. Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley, New York (1991)
  5. Dorfinger, P., Panholzer, G., Trammell, B., Pepe, T.: Entropy-based traffic filtering to support real-time Skype detection. In: Proceedings of the 6th International Wireless Communications and Mobile Computing Conference (IWCMC’10), pp. 747–751. ACM, New York (2010)
  6. Efron, B., Stein, C.: The jackknife estimate of variance. Ann. Stat. 9, 586–596 (1981)
  7. Fu, X., Graham, B., Bettati, R., Zhao, W.: Active traffic analysis attacks and countermeasures. In: Proceedings of the 2nd IEEE International Conference on Computer Networks and Mobile Computing, pp. 31–39 (2003)
  8. Goubault-Larrecq, J., Olivain, J.: A smell of Orchids. In: Leucker, M. (ed.) RV 2008. LNCS, vol. 5289, pp. 1–20. Springer, Heidelberg (2008)
  9. Lubicz, D.: On a classification of finite statistical tests. Adv. Math. Commun. 1(4), 509–524 (2007)
  10. Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware. IEEE Secur. Priv. 5(2), 40–45 (2007)
  11. McDonald, J.: OpenSSL SSLv2 malformed client key remote buffer overflow vulnerability (2003). http://www.securityfocus.com/bid/5363 (BugTraq Id 5363)
  12. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)
  13. Miller, G.A.: Note on the bias of information estimates. In: Quastler, H. (ed.) Information Theory in Psychology: Problems and Methods II-B, pp. 95–100. Free Press, Glencoe (1955)
  14. Moddemeijer, R.: The distribution of entropy estimators based on maximum mean log-likelihood. In: Biemond, J. (ed.) Proceedings of the 21st Symposium on Information Theory in the Benelux, Wassenaar, The Netherlands, pp. 231–238 (2000)
  15. The GNU MPFR library. http://www.mpfr.org/ (consulted December 02, 2013)
  16. Olivain, J., Goubault-Larrecq, J.: Detecting subverted cryptographic protocols by entropy checking. Research Report LSV-06-13, Laboratoire Spécification et Vérification, ENS Cachan, France, 19 pages, June 2006
  17. Paninski, L.: Estimation of entropy and mutual information. Neural Comput. 15, 1191–1253 (2003)
  18. Paninski, L.: Estimating entropy on m bins given fewer than m samples. IEEE Trans. Inf. Theor. 50(9), 2200–2203 (2004)
  19. Rossow, C., Dietrich, C.J.: ProVeX: Detecting botnets with encrypted command and control channels. In: Rieck, K., Stewin, P., Seifert, J.P. (eds.) DIMVA 2013. LNCS, vol. 7967, pp. 21–40. Springer, Heidelberg (2013)
  20. Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J., Vo, S.: A statistical test suite for random and pseudorandom number generators for cryptographic applications. In: Bassham III, L.E. (ed.) NIST Special Publication (Revised) (2010)
  21. Wang, K., Cretu, G.F., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227–246. Springer, Heidelberg (2006)
  22. Zalewski, M.: SSH CRC-32 compensation attack detector vulnerability (2001). http://www.securityfocus.com/bid/2347 (BugTraq Id 2347)
  23. Zhang, H., Papadopoulos, C., Massey, D.: Detecting encrypted botnet traffic. In: IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 163–168 (2013)


Acknowledgments

Thanks to Mathieu Baudet, Elie Bursztein and Stéphane Boucheron for judicious advice. This work was partially supported by the RNTL Project DICO, and the ACI jeunes chercheurs “Sécurité informatique, protocoles cryptographiques et détection d’intrusions”.

Author information

Correspondence to Jean Goubault-Larrecq.

Availability

NetEntropy is a free open source project. It is available under the CeCILL2 license [3]. The project homepage can be found at http://www.lsv.ens-cachan.fr/net-entropy/.


Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Goubault-Larrecq, J., Olivain, J. (2014). On the Efficiency of Mathematics in Intrusion Detection: The NetEntropy Case. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science, vol. 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_1

  • DOI: https://doi.org/10.1007/978-3-319-05302-8_1
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-05301-1
  • Online ISBN: 978-3-319-05302-8
  • eBook Packages: Computer Science (R0)