Network event detection with entropy measures
Information measures may be used to estimate the amount of information emitted by discrete information
sources. Network streams are an example for such discrete information sources. This thesis investigates
the use of information measures for the detection of events in network streams.
Starting with the fundamental entropy and complexity measures proposed by Shannon and Kolmogorov,
it reviews a range of candidate information measures for network event detection, including algorithms
from the Lempel-Ziv family and a relative newcomer, the T-entropy. Using network trace data from
the University of Auckland, the thesis demonstrates experimentally that these measures are in principle
suitable for the detection of a wide range of network events.
Several key parameters influence the detectability of network events with information measures. These
include the amount of data considered in each traffic sample and the choice of observables. Among others,
a study of the entropy behaviour of individual observables in event and non-event scenarios investigates
the optimisation of these parameters.
The thesis also examines the impact of some of the detected events on different information measures.
This motivates a discussion on the sensitivity of various measures.
A set of experiments demonstrating multi-dimensional network event classification with multiple observables
and multiple information measures concludes the thesis.