{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T00:22:55Z","timestamp":1772065375590,"version":"3.50.1"},"reference-count":31,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2015,9,8]],"date-time":"2015-09-08T00:00:00Z","timestamp":1441670400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>Network anomaly detection and classification is an important open issue in network security. Several approaches and systems based on different mathematical tools have been studied and developed, among them, the Anomaly-Network Intrusion Detection System (A-NIDS), which monitors network traffic and compares it against an established baseline of a \u201cnormal\u201d traffic profile. Then, it is necessary to characterize the \u201cnormal\u201d Internet traffic. This paper presents an approach for anomaly detection and classification based on Shannon, R\u00e9nyi and Tsallis entropies of selected features, and the construction of regions from entropy data employing the Mahalanobis distance (MD), and One Class Support Vector Machine (OC-SVM) with different kernels (Radial Basis Function (RBF) and Mahalanobis Kernel (MK)) for \u201cnormal\u201d and abnormal traffic. Regular and non-regular regions built from \u201cnormal\u201d traffic profiles allow anomaly detection, while the classification is performed under the assumption that regions corresponding to the attack classes have been previously characterized. Although this approach allows the use of as many features as required, only four well-known significant features were selected in our case. In order to evaluate our approach, two different data sets were used: one set of real traffic obtained from an Academic Local Area Network (LAN), and the other a subset of the 1998 MIT-DARPA set. For these data sets, a True positive rate up to 99.35%, a True negative rate up to 99.83% and a False negative rate at about 0.16% were yielded. Experimental results show that certain q-values of the generalized entropies and the use of OC-SVM with RBF kernel improve the detection rate in the detection stage, while the novel inclusion of MK kernel in OC-SVM and k-temporal nearest neighbors improve accuracy in classification. In addition, the results show that using the Box-Cox transformation, the Mahalanobis distance yielded high detection rates with an efficient computation time, while OC-SVM achieved detection rates slightly higher, but is more computationally expensive.<\/jats:p>","DOI":"10.3390\/e17096239","type":"journal-article","created":{"date-parts":[[2015,9,8]],"date-time":"2015-09-08T11:59:54Z","timestamp":1441713594000},"page":"6239-6257","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":11,"title":["Using Generalized Entropies and OC-SVM with Mahalanobis Kernel for Detection and Classification of Anomalies in Network Traffic"],"prefix":"10.3390","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7036-0074","authenticated-orcid":false,"given":"Jayro","family":"Santiago-Paz","sequence":"first","affiliation":[{"name":"CINVESTAV, Campus Guadalajara, Av. del Bosque 1145, Col. El Bajio, Zapopan 45019, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Deni","family":"Torres-Roman","sequence":"additional","affiliation":[{"name":"CINVESTAV, Campus Guadalajara, Av. del Bosque 1145, Col. El Bajio, Zapopan 45019, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Angel","family":"Figueroa-Ypi\u00f1a","sequence":"additional","affiliation":[{"name":"CINVESTAV, Campus Guadalajara, Av. del Bosque 1145, Col. El Bajio, Zapopan 45019, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jesus","family":"Argaez-Xool","sequence":"additional","affiliation":[{"name":"CINVESTAV, Campus Guadalajara, Av. del Bosque 1145, Col. El Bajio, Zapopan 45019, Mexico"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2015,9,8]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Chandola, V., Banerjee, A., and Kumar, V. (2009). Anomaly Detection: A Survey. ACM Comput. Surv., 41.","DOI":"10.1145\/1541880.1541882"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Lakhina, A., Crovella, M., and Diot, C. (2005, January 22\u201326). Mining Anomalies Using Traffic Feature Distributions. Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Philadelphia, PA, USA.","DOI":"10.1145\/1080091.1080118"},{"key":"ref_3","unstructured":"Wagner, A., and Plattner, B. (2005, January 13\u201315). Entropy Based Worm and Anomaly Detection in Fast IP Networks. Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, Link\u00f6ping, Sweden."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Xu, K., Zhang, Z.L., and Bhattacharyya, S. (2005, January 22\u201326). Profiling Internet Backbone Traffic: Behavior Models and Applications. Proceedings of the 2005 conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Philadelphia, PA, USA.","DOI":"10.1145\/1080091.1080112"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Santiago-Paz, J., Torres-Roman, D., and Velarde-Alvarado, P. (2012, January 27\u201329). Detecting anomalies in network traffic using Entropy and Mahalanobis distance. Proceedings of the 2012 22nd International Conference on Electrical Communications and Computers (CONIELECOMP), Cholula, Mexico.","DOI":"10.1109\/CONIELECOMP.2012.6189887"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Santiago-Paz, J., and Torres-Roman, D. (2014, January 26\u201328). Characterization of worm attacks using entropy, Mahalanobis distance and K-nearest neighbors. Proceedings of the 2014 International Conference on Electronics, Communications and Computers (CONIELECOMP), Cholula, Mexico.","DOI":"10.1109\/CONIELECOMP.2014.6808591"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Mason, R.L., and Young, J.C. (2002). Multivariate Statistical Process Control with Industrial Applications, Siam.","DOI":"10.1137\/1.9780898718461"},{"key":"ref_8","unstructured":"Li, K.L., Huang, H.K., Tian, S.F., and Xu, W. (2003, January 2\u20135). Improving one-class SVM for anomaly detection. Proceedings of the 2003 International Conference on Machine Learning and Cybernetics, Xi\u2019an, China."},{"key":"ref_9","unstructured":"Zhang, R., Zhang, S., Lan, Y., and Jiang, J. (2008, January 19\u201321). Network anomaly detection using one class support vector machine. Proceedings of the International MultiConference of Engineers and Computer Scientists (IMECS), Hong Kong, China."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Nychis, G., Sekar, V., Andersen, D.G., Kim, H., and Zhang, H. (2008, January 20\u201322). An Empirical Evaluation of Entropy-based Traffic Anomaly Detection. Proceedings of the 8th ACM SIGCOMM Conference on Internet Measurement, Vouliagmeni, Greece.","DOI":"10.1145\/1452520.1452539"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1034","DOI":"10.1109\/LCOMM.2007.070761","article-title":"Network anomaly detection using nonextensive entropy","volume":"11","author":"Ziviani","year":"2007","journal-title":"IEEE Commun. Lett."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"3485","DOI":"10.1016\/j.comnet.2011.07.008","article-title":"Accurate Network Anomaly Classification with Generalized Entropy Metrics","volume":"55","author":"Tellenbach","year":"2011","journal-title":"Comput. Netw."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"114","DOI":"10.1109\/LCOMM.2013.112613.132275","article-title":"DDoS Detection method based on chaos analysis of network traffic entropy","volume":"18","author":"Ma","year":"2014","journal-title":"Commun. Lett. IEEE"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.patrec.2014.07.019","article-title":"An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection","volume":"51","author":"Bhuyan","year":"2015","journal-title":"Pattern Recognit. Lett."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"379","DOI":"10.1002\/j.1538-7305.1948.tb01338.x","article-title":"A Mathematical Theory of Communication","volume":"27","author":"Shannon","year":"1948","journal-title":"Bell Syst. Tech. J."},{"key":"ref_16","unstructured":"R\u00e9nyi, A. (1970). Probability Theory, Elsevier."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"479","DOI":"10.1007\/BF01016429","article-title":"Possible generalization of Boltzmann-Gibbs statistics","volume":"52","author":"Tsallis","year":"1988","journal-title":"J. Stat. Phys."},{"key":"ref_18","unstructured":"Mahalanobis, P.C. (1936). On the Generalised Distance in Statistics, Proceedings of the National Institute of Science."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"88","DOI":"10.1080\/00224065.1992.12015232","article-title":"Multivariate control charts for individual observations","volume":"24","author":"Tracy","year":"1992","journal-title":"J. Qual. Technol."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"211","DOI":"10.1111\/j.2517-6161.1964.tb00553.x","article-title":"An Analysis of Transformations","volume":"26","author":"Box","year":"1964","journal-title":"J. R. Stat. Soc. B Stat. Methodol."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"1443","DOI":"10.1162\/089976601750264965","article-title":"Estimating the Support of a High-Dimensional Distribution","volume":"13","author":"Platt","year":"2001","journal-title":"Neural Comput."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Boser, B.E., Guyon, I.M., and Vapnik, V.N. (1992, January 27\u201329). A Training Algorithm for Optimal Margin Classifiers. Proceedings of the Fifth Annual Workshop on Computational Learning Theory, Pittsburgh, PA, USA.","DOI":"10.1145\/130385.130401"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Vapnik, V.N. (1995). The Nature of Statistical Learning Theory, Springer.","DOI":"10.1007\/978-1-4757-2440-0"},{"key":"ref_24","unstructured":"Sch\u00f6lkopf, B., Burges, C.J.C., and Smola, A.J. (1999). Advances in Kernel Methods: Support Vector Learning, MIT Press."},{"key":"ref_25","first-page":"571","article-title":"Training of Support Vector Machines with Mahalanobis Kernels","volume":"Volume 3697","author":"Duch","year":"2005","journal-title":"Artificial Neural Networks: Formal Models and Their Applications\u2014ICANN 2005"},{"key":"ref_26","unstructured":"Platt, J. (1998). Sequential Minimal Optimization: A Fast Algorithm for Training Support Vector Machines, Microsoft Research. Technical Report MSR-TR-98-14."},{"key":"ref_27","first-page":"119","article-title":"Entropy-based profiles for intrusion detection in LAN traffic","volume":"40","year":"2008","journal-title":"Adv. Artif. Intell."},{"key":"ref_28","unstructured":"Kendall, K. (1999). A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems, Massachusetts Institute of Technology. Technical Report, DTIC Document."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"861","DOI":"10.1016\/j.patrec.2005.10.010","article-title":"An Introduction to ROC Analysis","volume":"27","author":"Fawcett","year":"2006","journal-title":"Pattern Recognit. Lett."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"271","DOI":"10.1023\/A:1017181826899","article-title":"Glossary of Terms","volume":"30","author":"Kohavi","year":"1998","journal-title":"J. Mach. Learn."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Chang, C.C., and Lin, C.J. (2011). LIBSVM: A Library for Support Vector Machines. ACM Trans. Intell. Syst. Technol., 2.","DOI":"10.1145\/1961189.1961199"}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/17\/9\/6239\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T20:48:10Z","timestamp":1760215690000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/17\/9\/6239"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,9,8]]},"references-count":31,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2015,9]]}},"alternative-id":["e17096239"],"URL":"https:\/\/doi.org\/10.3390\/e17096239","relation":{},"ISSN":["1099-4300"],"issn-type":[{"value":"1099-4300","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,9,8]]}}}