Network intrusion detection systems continuously monitor network traffic in order to identify traces of suspicious activity such as worms, viruses or spam. One attractive technique for identifying potential Internet threats is detecting previously unknown but common substrings that appear very frequently in data packets. In this paper, we propose a novel architectural platform that thoroughly analyzes network traffic behavior in terms of repetitions to identify potential Internet threats. The main idea is to use a two-phase hashing system and small memory units operating in parallel to achieve a high-throughput, memory-efficient behavioral analysis engine. The system performs behavioral analysis on selected information/user(s) and builds a bell-shaped curve for normal traffic using parallel counters. Our traffic behavioral analysis system has been fully prototyped on an Altera Stratix FPGA. Experimental results verify that the system can sustain gigabit line rates with negligible false positive and false negative rates.
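The following is an added software illustration of the repetition-counting idea in the abstract; it is not the paper's design or its FPGA implementation. It assumes a simplified two-stage hashing layout: a first hash selects one of several small counter units (the parallel memory units), and a second set of independent hashes indexes counters inside that unit, count-min style, so collision over-counts are bounded by the minimum across rows. The detection threshold is derived from a baseline of normal traffic (mean plus k standard deviations of the observed repetition estimates, standing in for the "bell-shaped curve"), and candidates the sketch flags are confirmed by exact counting. The packet payloads, the worm invariant string, the window length and all parameters are constructed for the example.

```python
"""Added illustration (not the paper's implementation) of repetition-based
content analysis with small parallel counter units and a baseline threshold.
All packet data and the invariant string below are constructed."""
import hashlib
import random
import statistics
from collections import Counter
from typing import Dict, Iterable, List, Set

WINDOW = 8  # assumed length of each fingerprinted substring


def _hash(sub: bytes, salt: int) -> int:
    # A one-byte salt prefix yields independent hash functions from blake2b.
    return int.from_bytes(hashlib.blake2b(bytes([salt]) + sub, digest_size=8).digest(), "big")


class RepetitionSketch:
    """Counters arranged as units x rows x width; each unit is a small memory."""

    def __init__(self, units: int = 4, rows: int = 3, width: int = 4096):
        self.units, self.rows, self.width = units, rows, width
        self.counters = [[[0] * width for _ in range(rows)] for _ in range(units)]

    def _slots(self, sub: bytes):
        unit = _hash(sub, 0) % self.units  # phase 1: choose the memory unit
        rows = [_hash(sub, r + 1) % self.width for r in range(self.rows)]  # phase 2
        return unit, rows

    def add(self, sub: bytes) -> None:
        unit, idx = self._slots(sub)
        for r, i in enumerate(idx):
            self.counters[unit][r][i] += 1

    def estimate(self, sub: bytes) -> int:
        # Minimum over rows never under-counts; collisions can only inflate it.
        unit, idx = self._slots(sub)
        return min(self.counters[unit][r][i] for r, i in enumerate(idx))


def windows(payload: bytes) -> Set[bytes]:
    # One vote per packet per substring, so a packet cannot self-amplify.
    return {payload[i:i + WINDOW] for i in range(len(payload) - WINDOW + 1)}


def build_sketch(packets: Iterable[bytes]) -> RepetitionSketch:
    sk = RepetitionSketch()
    for p in packets:
        for w in windows(p):
            sk.add(w)
    return sk


def baseline_threshold(normal_packets: List[bytes], k: float = 3.0) -> float:
    """Mean + k*stdev of repetition estimates seen in known-normal traffic."""
    sk = build_sketch(normal_packets)
    est = [sk.estimate(w) for p in normal_packets for w in windows(p)]
    return statistics.mean(est) + k * statistics.pstdev(est)


def detect_repeats(packets: List[bytes], threshold: float) -> Dict[bytes, int]:
    """Substrings repeated in more packets than the threshold allows.

    The sketch prunes candidates cheaply; exact counting of the survivors
    removes the false positives that hash collisions would otherwise add."""
    sk = build_sketch(packets)
    candidates = {w for p in packets for w in windows(p) if sk.estimate(w) > threshold}
    exact = Counter(w for p in packets for w in windows(p) if w in candidates)
    return {w: c for w, c in exact.items() if c > threshold}


def make_traffic(seed: int = 1, normal: int = 200, infected: int = 0,
                 invariant: bytes = b"CONSTRUCTED-WORM-INVARIANT") -> List[bytes]:
    """Constructed traffic: random 64-byte payloads plus optional packets that
    all carry the same invariant substring at a fixed offset."""
    rng = random.Random(seed)
    pkts = [bytes(rng.getrandbits(8) for _ in range(64)) for _ in range(normal)]
    for _ in range(infected):
        pad = bytes(rng.getrandbits(8) for _ in range(40))
        pkts.append(pad[:20] + invariant + pad[20:])
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    thr = baseline_threshold(make_traffic(seed=1))
    hits = detect_repeats(make_traffic(seed=2, normal=150, infected=40), thr)
    print(f"threshold={thr:.2f}, repeated substrings={len(hits)}")
    for sub, count in sorted(hits.items()):
        print(count, sub)
```

The exact-count confirmation stage is what keeps the flagged set clean: with small counter units the sketch alone over-counts a few percent of unique substrings by one or two, which is enough to cross a threshold computed from traffic that is mostly unique. Raising `width` or `rows` trades memory for fewer such candidates, which is the same trade-off the hardware design makes.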