Detector SherLOCK: Enhancing TRW with Bloom filters under memory and performance constraints

Authors:
Seung Yeob Nam;Hyu-Dae Kim;Hyong S. Kim
Affiliations:
Department of Information and Communication Engineering, Yeungnam University, Gyeongsan 712-749, Republic of Korea;KAIST Institute for Information Technology Convergence, Korea Advanced Institute of Science and Technology, Daejeon 305-701, Republic of Korea;Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA 15213, United States
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2008

Citing 12
Cited 2

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Probability Models for Computer Science

Probability Models for Computer Science
Practical automated detection of stealthy portscans

Journal of Computer Security
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Inside the Slammer Worm

IEEE Security and Privacy
Bitmap algorithms for counting active flows on high speed links

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
On scalable attack detection in the network

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
A Short Visit to the Bot Zoo

IEEE Security and Privacy
Joint data streaming and sampling techniques for detection of super sources and destinations

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Packet-level traffic measurements from the Sprint IP backbone

IEEE Network: The Magazine of Global Internetworking

A Generalized Bloom Filter to Secure Distributed Network Applications

Computer Networks: The International Journal of Computer and Telecommunications Networking
A practical approach to portscan detection in very high-speed links

PAM'11 Proceedings of the 12th international conference on Passive and active measurement

Quantified Score

Hi-index	0.00

Visualization

Abstract

Computer worms and bots are significant threats to large networks because they can spread very rapidly and are used for DDoS. The first phase of worms and bots begins by scanning vulnerable hosts. Missing on-going scanning activity can significantly deteriorate network performance. We propose a new scanning detection scheme, SherLOCK, based on the connection attempt success ratio. The proposed scheme can detect scanners with guaranteed false positive and false negative probabilities and with a limited memory size. Detection of scanners at high-speed links requires a high-speed memory and such memory devices are expensive and limited in size. We reduce the memory requirement by applying the Bloom filter. We show how slow scanners can be detected with a guaranteed performance for a given offered traffic load and memory size. This study can help to design the system that satisfies the target performance requirement. The detection performance is guaranteed under the assumption that malicious scanners and benign hosts have distinct behaviors in terms of the connection success ratio. We extend the proposed detector with a sampling mechanism to detect more intelligent scanners with guaranteed performance. These include scanners that use a list of pre-acquired IP addresses. We evaluate the performance of the proposed scheme through experiment using well-known traffic traces.