Anomaly-based intrusion detection systems can detect novel attacks, but when applied to real-time detection they face two challenges: they produce many false alarms, and their computationally demanding algorithms cannot keep pace with the speed of modern networks. In this paper we present Fates, an anomaly-based NIDS designed to alleviate both challenges. Fates views the monitored network as a collection of individual hosts rather than as a single autonomous entity and maintains a dynamic, individual threshold for each monitored host, so that it can distinguish the characteristics of individual hosts and independently assess the threat each one poses to the network. Each packet to and from a monitored host is analyzed with an adaptive and efficient charging scheme that considers the packet type, number of occurrences, source, and destination. The resulting charge is applied to the individual host's threat assessment, providing pinpointed analysis of anomalous activities. We use various datasets to validate Fates' ability to distinguish scanning behavior from benign traffic in real time.
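The abstract describes the mechanism only in outline: a per-packet charge that depends on packet type, repetition, source and destination, accumulated into a per-host threat score that is compared against that host's own dynamic threshold. The following is an added illustration of that structure and is not Fates' code or the paper's algorithm; the charge table, the novelty multiplier, the exponential decay, the EWMA baseline and the mean-plus-k-sigma threshold rule are all assumptions chosen for the example, and the traffic it runs over is constructed (one benign HTTPS client and one host sweeping port 22 across thirty addresses).

```python
"""Per-host threat scoring with dynamic thresholds.

Added example, not code from Fates or its authors: the charge table, the
decay, the novelty multiplier and the threshold rule are assumptions chosen
to illustrate scoring each monitored host against its own adaptive baseline.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    t: float        # timestamp, seconds
    src: str
    dst: str
    dport: int
    kind: str       # assumed packet-type labels: "syn", "rst", "data"


# Assumed per-type charges; a SYN to a (dst, dport) this host has never
# contacted is the expensive event, repeat traffic on a known pair is cheap.
CHARGE = {"syn": 1.0, "rst": 0.5, "data": 0.05}
NOVELTY_MULT = 4.0        # multiplier for first contact with a (dst, dport)
HALF_LIFE = 10.0          # seconds; outstanding charge halves every HALF_LIFE


@dataclass
class HostState:
    score: float = 0.0
    last_t: float = 0.0
    seen: set = field(default_factory=set)   # (dst, dport) pairs contacted
    mean: float = 0.0     # EWMA baseline of this host's own post-charge score
    var: float = 0.0
    updates: int = 0


class Monitor:
    def __init__(self, alpha=0.05, k=3.0, floor=5.0):
        self.alpha, self.k, self.floor = alpha, k, floor
        self.hosts = defaultdict(HostState)

    def threshold(self, src):
        """Dynamic per-host threshold: own baseline mean + k sigma, floored."""
        h = self.hosts[src]
        return max(self.floor, h.mean + self.k * h.var ** 0.5)

    def charge(self, p):
        """Apply one packet's charge to p.src; return True on alarm."""
        h = self.hosts[p.src]
        h.score *= 0.5 ** ((p.t - h.last_t) / HALF_LIFE)   # decay since last packet
        h.last_t = p.t
        key = (p.dst, p.dport)
        c = CHARGE.get(p.kind, 0.1)
        if p.kind == "syn" and key not in h.seen:
            c *= NOVELTY_MULT
        h.seen.add(key)
        th = self.threshold(p.src)    # threshold in force before this packet
        h.score += c
        alarm = h.score > th
        if not alarm:
            # Learn the baseline only from sub-threshold activity so a host
            # cannot raise its own threshold by scanning (assumed design choice).
            d = h.score - h.mean
            h.mean += self.alpha * d
            h.var = (1 - self.alpha) * (h.var + self.alpha * d * d)
            h.updates += 1
        return alarm

    def run(self, packets):
        alarms = defaultdict(int)
        for p in sorted(packets, key=lambda q: q.t):
            if self.charge(p):
                alarms[p.src] += 1
        return dict(alarms)


def sample_traffic():
    """Constructed traffic: one benign client and one SSH scanner."""
    pk = []
    # 10.0.0.5: two HTTPS sessions, each a SYN followed by 20 data packets.
    for start, server in ((0.0, "10.0.1.1"), (40.0, "10.0.1.2")):
        pk.append(Packet(start, "10.0.0.5", server, 443, "syn"))
        pk += [Packet(start + i, "10.0.0.5", server, 443, "data") for i in range(1, 21)]
    # 10.0.0.66: SYN to 30 distinct hosts on port 22, ten per second.
    pk += [Packet(100.0 + 0.1 * i, "10.0.0.66", f"10.0.2.{i + 1}", 22, "syn")
           for i in range(30)]
    return pk


def run_demo():
    """Score the constructed traffic; returns (alarm counts per source, monitor)."""
    m = Monitor()
    alarms = m.run(sample_traffic())
    return alarms, m


if __name__ == "__main__":
    alarms, m = run_demo()
    for src in ("10.0.0.5", "10.0.0.66"):
        print(f"{src}: alarms={alarms.get(src, 0)} threshold={m.threshold(src):.2f} "
              f"baseline={m.hosts[src].mean:.2f}")
```

With these assumed constants the scanner's second novel SYN already pushes its score past the floor, every later probe alarms, and its baseline is learned from only the first packet, whereas the benign client's repeated data packets raise its own baseline without ever alarming. The rule of learning only from sub-threshold traffic has a cost a practitioner should weigh: a host that probes slowly enough to stay under the floor is neither learned as normal nor reported, so the floor and the half-life have to be tuned to the link being monitored.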