{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T15:27:55Z","timestamp":1780500475058,"version":"3.54.1"},"reference-count":29,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,12,5]],"date-time":"2024-12-05T00:00:00Z","timestamp":1733356800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,12,5]],"date-time":"2024-12-05T00:00:00Z","timestamp":1733356800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No.61936008"],"award-info":[{"award-number":["No.61936008"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Network traffic anomaly detection is a critical issue in network security. Existing Abnormal traffic detection methods rely on statistical-based or anomaly-based approaches, and these detection methods all require a full understanding of traffic characteristics and attack patterns. Information entropy has been widely studied in abnormal traffic detection because it can describe the distribution characteristics of network traffic. However, this method makes it difficult to cope with the timing and variability of network traffic. To address these challenges, this paper proposes a network traffic anomaly detection method based on Renyi entropy. Simultaneously, we introduce a fixed time window and utilize an improved EWMA model within this window to dynamically set thresholds for anomaly detection. Experimental results show that the method proposed in this paper is superior to popular abnormal traffic detection methods in terms of effectiveness and efficiency, it is better adapted to the dynamic changes of network traffic and provides a more reliable solution for anomaly detection.<\/jats:p>","DOI":"10.1186\/s42400-024-00249-1","type":"journal-article","created":{"date-parts":[[2024,12,4]],"date-time":"2024-12-04T23:01:47Z","timestamp":1733353307000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["Renyi entropy-driven network traffic anomaly detection with dynamic threshold"],"prefix":"10.1186","volume":"7","author":[{"given":"Haoran","family":"Yu","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wenchuan","family":"Yang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Baojiang","family":"Cui","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Runqi","family":"Sui","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xuedong","family":"Wu","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2024,12,5]]},"reference":[{"key":"249_CR1","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1016\/j.comcom.2021.01.021","volume":"170","author":"M Abbasi","year":"2021","unstructured":"Abbasi M, Shahraki A, Taherkordi A (2021) Deep learning for network traffic monitoring and analysis (NTMA): a survey. Comput Commun 170:19\u201341. https:\/\/doi.org\/10.1016\/j.comcom.2021.01.021","journal-title":"Comput Commun"},{"issue":"12","key":"249_CR2","doi-asserted-by":"publisher","first-page":"6127","DOI":"10.3390\/app12126127","volume":"12","author":"MA Aladaileh","year":"2022","unstructured":"Aladaileh MA, Anbar M, Hintaw AJ et al (2022) Renyi joint entropy-based dynamic threshold approach to detect DDoS attacks against SDN controller with various traffic rates. Appl Sci 12(12):6127. https:\/\/doi.org\/10.3390\/app12126127","journal-title":"Appl Sci"},{"issue":"4","key":"249_CR3","doi-asserted-by":"publisher","first-page":"2367","DOI":"10.3390\/e17042367","volume":"17","author":"P Berezi\u0144ski","year":"2015","unstructured":"Berezi\u0144ski P, Jasiul B, Szpyrka M (2015) An entropy-based network anomaly detection method. Entropy 17(4):2367\u20132408. https:\/\/doi.org\/10.3390\/e17042367","journal-title":"Entropy"},{"key":"249_CR4","first-page":"2","volume":"2004\u2013004","author":"PA Bromiley","year":"2004","unstructured":"Bromiley PA, Thacker NA, Bouhova-Thacker E (2004) Shannon entropy, Renyi entropy, and information. Statist Inf Series 2004\u2013004:2\u20138","journal-title":"Statist Inf Series"},{"key":"249_CR5","doi-asserted-by":"publisher","DOI":"10.1109\/ICCNC.2017.7876150","author":"C Callegari","year":"2017","unstructured":"Callegari C, Giordano S, Pagano M (2017) Entropy-based network anomaly detection. ICNC. https:\/\/doi.org\/10.1109\/ICCNC.2017.7876150","journal-title":"ICNC"},{"issue":"3","key":"249_CR6","doi-asserted-by":"publisher","first-page":"800","DOI":"10.1109\/TNSM.2019.2933358","volume":"16","author":"A D\u2019Alconzo","year":"2019","unstructured":"D\u2019Alconzo A, Drago I, Morichetta A et al (2019) A survey on big data for network traffic monitoring and analysis. IEEE Trans Netw Service Manag 16(3):800\u2013813. https:\/\/doi.org\/10.1109\/TNSM.2019.2933358","journal-title":"IEEE Trans Netw Service Manag"},{"key":"249_CR7","doi-asserted-by":"publisher","DOI":"10.1109\/ICIN.2019.8685891","author":"S Daneshgadeh","year":"2019","unstructured":"Daneshgadeh S, Ahmed T, Kemmerich T et al (2019) Detection of DDoS attacks and flash events using Shannon entropy KOAD and Mahalanobis distance. ICIN. https:\/\/doi.org\/10.1109\/ICIN.2019.8685891","journal-title":"ICIN"},{"key":"249_CR8","doi-asserted-by":"publisher","DOI":"10.1007\/s12652-020-02628-1","author":"DB Dasari","year":"2021","unstructured":"Dasari DB, Edamadaka G, Chowdary CS, Sobhana M (2021) Anomaly-based network intrusion detection with ensemble classifiers and meta-heuristic scale (ECMHS) in traffic flow streams. J Ambient Intell Human Comput. https:\/\/doi.org\/10.1007\/s12652-020-02628-1","journal-title":"J Ambient Intell Human Comput"},{"key":"249_CR9","doi-asserted-by":"publisher","DOI":"10.1109\/ICSPIS54653.2021.9729355","author":"Z Hemmati","year":"2021","unstructured":"Hemmati Z, Mirjalily G, Mohtajollah Z (2021) Entropy-based DDoS attack detection in SDN using dynamic threshold. ICSPIS. https:\/\/doi.org\/10.1109\/ICSPIS54653.2021.9729355","journal-title":"ICSPIS"},{"issue":"4","key":"249_CR10","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1080\/00224065.1986.11979014","volume":"18","author":"JS Hunter","year":"1986","unstructured":"Hunter JS (1986) The exponentially weighted moving average. J Qual Technol 18(4):203\u2013210. https:\/\/doi.org\/10.1080\/00224065.1986.11979014","journal-title":"J Qual Technol"},{"key":"249_CR11","doi-asserted-by":"publisher","first-page":"140","DOI":"10.11959\/j.issn.1000-436x.2018140","volume":"39","author":"T Junfeng","year":"2018","unstructured":"Junfeng T, Lioling Q (2018) DDoS attack detection method based on conditional entropy and GHSOM in SDN. J Commun 39:140. https:\/\/doi.org\/10.11959\/j.issn.1000-436x.2018140","journal-title":"J Commun"},{"key":"249_CR12","doi-asserted-by":"publisher","first-page":"947","DOI":"10.1016\/j.procs.2018.05.110","volume":"132","author":"A Kb","year":"2018","unstructured":"Kb A, Bbg A (2018) Hypothesis test for low-rate ddos attack detection in cloud computing environment. Procedia Comput Sci 132:947\u2013955. https:\/\/doi.org\/10.1016\/j.procs.2018.05.110","journal-title":"Procedia Comput Sci"},{"key":"249_CR13","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102392","volume":"109","author":"Z Liu","year":"2021","unstructured":"Liu Z, Hu C, Shan C (2021) Riemannian Manifold on stream data: fourier transform and entropy-based DDoS attacks detection method. Comput Secur 109:102392. https:\/\/doi.org\/10.1016\/j.cose.2021.102392","journal-title":"Comput Secur"},{"key":"249_CR14","doi-asserted-by":"publisher","DOI":"10.1109\/MilCIS.2015.7348942","author":"N Moustafa","year":"2015","unstructured":"Moustafa N, Slay J (2015) UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). MilCIS. https:\/\/doi.org\/10.1109\/MilCIS.2015.7348942","journal-title":"MilCIS"},{"key":"249_CR15","doi-asserted-by":"publisher","DOI":"10.1145\/3457904","author":"E Papadogiannaki","year":"2021","unstructured":"Papadogiannaki E, Ioannidis S (2021) A survey on encrypted network traffic analysis applications, techniques, and countermeasures. ACM Comput Surv. https:\/\/doi.org\/10.1145\/3457904","journal-title":"ACM Comput Surv"},{"key":"249_CR16","doi-asserted-by":"publisher","DOI":"10.5220\/0000157000003120","author":"A Rosay","year":"2022","unstructured":"Rosay A, Cheval E, Carlier F et al (2022) Network intrusion detection: a comprehensive analysis of CIC-IDS2017. ICISSP. https:\/\/doi.org\/10.5220\/0000157000003120","journal-title":"ICISSP"},{"key":"249_CR17","doi-asserted-by":"publisher","DOI":"10.1109\/CCST.2019.8888419","author":"I Sharafaldin","year":"2019","unstructured":"Sharafaldin I, Lashkari AH, Hakak S, Ghorbani AA (2019) Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. ICCST. https:\/\/doi.org\/10.1109\/CCST.2019.8888419","journal-title":"ICCST"},{"key":"249_CR18","doi-asserted-by":"publisher","DOI":"10.4316\/AECE.2021.04006","volume-title":"Machine learning enhanced entropy-based network anomaly detection","author":"V Timcenko","year":"2021","unstructured":"Timcenko V, Gajin S (2021) Machine learning enhanced entropy-based network anomaly detection. Electr. Comput. Eng, Adv. https:\/\/doi.org\/10.4316\/AECE.2021.04006"},{"issue":"2","key":"249_CR19","doi-asserted-by":"publisher","first-page":"1679","DOI":"10.1109\/TNSM.2022.3142254","volume":"19","author":"LD Tsobdjou","year":"2022","unstructured":"Tsobdjou LD, Pierre S, Quintero A (2022)  An Online Entropy-Based DDoS Flooding Attack Detection System With Dynamic Threshold. IEEE Trans. Netw. Service Manag. 19(2):1679\u20131689. https:\/\/doi.org\/10.1109\/TNSM.2022.3142254","journal-title":"IEEE Trans Netw Service Manag"},{"issue":"4","key":"249_CR20","doi-asserted-by":"publisher","first-page":"850","DOI":"10.1587\/transinf.2015ICP0016","volume":"99","author":"X Wang","year":"2016","unstructured":"Wang X, Chen M, Xing C, Zhang T (2016) Defending ddos attacks in software-defined networking based on legitimate source and destination ip address database. IEICE T INF SYST 99(4):850\u2013859. https:\/\/doi.org\/10.1587\/transinf.2015ICP0016","journal-title":"IEICE T INF SYST"},{"key":"249_CR21","doi-asserted-by":"publisher","DOI":"10.1109\/Trustcom.2015.389","author":"R Wang","year":"2015","unstructured":"Wang R, Jia Z, Ju L (2015) An entropy-based distributed ddos detection mechanism in software-defined networking. IEEE Trustcom\/BigDataSE\/ISPA. https:\/\/doi.org\/10.1109\/Trustcom.2015.389","journal-title":"IEEE Trustcom\/BigDataSE\/ISPA"},{"key":"249_CR22","doi-asserted-by":"publisher","DOI":"10.1109\/QRS-C57518.2022.00014","author":"X Wang","year":"2022","unstructured":"Wang X, Zhang X, Wang C (2022) Generalized network temperature for DDoS detection through R\u00e9nyi entropy. Int Conf Softw Qual Reliab Security Comp. https:\/\/doi.org\/10.1109\/QRS-C57518.2022.00014","journal-title":"Int Conf Softw Qual Reliab Security Comp"},{"key":"249_CR23","unstructured":"Wang W, Xiao J, Cheng P, et al (2021) DDoS attack defense system based on SDN. Computers and Modernization."},{"key":"249_CR24","doi-asserted-by":"publisher","first-page":"8309","DOI":"10.1007\/s10586-018-1755-5","volume":"22","author":"C Yang","year":"2019","unstructured":"Yang C (2019) Anomaly network traffic detection algorithm based on information entropy measurement under the cloud computing environment. Clust Comput 22:8309\u20138317. https:\/\/doi.org\/10.1007\/s10586-018-1755-5","journal-title":"Clust Comput"},{"key":"249_CR25","doi-asserted-by":"publisher","DOI":"10.3390\/e22020186","author":"KS Yu","year":"2020","unstructured":"Yu KS, Kim SH, Lim DW et al (2020) A multiple R\u00e9nyi entropy based intrusion detection system for connected vehicles. Entropy. https:\/\/doi.org\/10.3390\/e22020186","journal-title":"Entropy"},{"key":"249_CR26","doi-asserted-by":"publisher","first-page":"108346","DOI":"10.1109\/ACCESS.2020.3001350","volume":"8","author":"S Zavrak","year":"2020","unstructured":"Zavrak S, \u0130skefiyeli M (2020) Anomaly-based intrusion detection from network flow features using variational autoencoder. IEEE Access 8:108346\u2013108358. https:\/\/doi.org\/10.1109\/ACCESS.2020.3001350","journal-title":"IEEE Access"},{"key":"249_CR27","doi-asserted-by":"publisher","DOI":"10.1109\/ICETCI57876.2023.10176631","author":"H Zhang","year":"2023","unstructured":"Zhang H, Zhou L, Lei J (2023) Renyi Entropy-based DDoS Attack Detection in SDN-based Networks. ICETCI. https:\/\/doi.org\/10.1109\/ICETCI57876.2023.10176631","journal-title":"ICETCI"},{"key":"249_CR28","doi-asserted-by":"publisher","DOI":"10.1145\/3501409.3501537","author":"Z Zhao","year":"2021","unstructured":"Zhao Z, Shi K (2021) Renyi entropy-based detection method for lowrate interest flooding attacks. ICEITCE. https:\/\/doi.org\/10.1145\/3501409.3501537","journal-title":"ICEITCE"},{"issue":"10","key":"249_CR29","doi-asserted-by":"publisher","first-page":"2573","DOI":"10.0000\/1000-9825-3698","volume":"21","author":"Y Zhu","year":"2010","unstructured":"Zhu Y, Yang J, Zhang J (2010) Anomaly detection based on traffic information structure. J Softw 21(10):2573\u20132583. https:\/\/doi.org\/10.0000\/1000-9825-3698","journal-title":"J Softw"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00249-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00249-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00249-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,5]],"date-time":"2024-12-05T10:21:23Z","timestamp":1733394083000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00249-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,5]]},"references-count":29,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["249"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00249-1","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,12,5]]},"assertion":[{"value":"11 January 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"28 April 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 December 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"64"}}