A behavioral analysis engine for network traffic

Authors:
Miad Faezipour;Mehrdad Nourani;Sateesh AddepaIli
Affiliations:
Center for Integrated Circuits & Systems, The University of Texas at Dallas, Richardson, TX;Center for Integrated Circuits & Systems, The University of Texas at Dallas, Richardson, TX;Cisco Systems Inc., San Jose, CA
Venue:
CCNC'10 Proceedings of the 7th IEEE conference on Consumer communications and networking conference
Year:
2010

Citing 10
Cited 0

Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Winnowing: local algorithms for document fingerprinting

Proceedings of the 2003 ACM SIGMOD international conference on Management of data
The top speed of flash worms

Proceedings of the 2004 ACM workshop on Rapid malcode
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Proceedings of the 12th ACM conference on Computer and communications security
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Design of a system for real-time worm detection

HOTI '04 Proceedings of the High Performance Interconnects, 2004. on Proceedings. 12th Annual IEEE Symposium
A Real-Time Worm Outbreak Detection System Using Shared Counters

HOTI '07 Proceedings of the 15th Annual IEEE Symposium on High-Performance Interconnects
Adaptive Defense Against Various Network Attacks

IEEE Journal on Selected Areas in Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network intrusion detection systems continuously monitor the network traffic in order to identify any traces of suspicious activities such as worm, viruses or spam. One attractive technique for identifying potential Internet threats is detecting previously unknown, but common sub-strings that appear very frequently in data packets. In this paper, we propose a novel architectural platform that thoroughly analyzes the network traffic behavior in terms of repetitions to identify potential Internet threats. The main idea is to use a two-phase hashing system and small memory units functioning in parallel to achieve a high-throughput and memory efficient behavioral analysis engine. The system performs behavioral analysis on selected information/user(s) and builds a bell-shaped curve for normal traffic using parallel counters. Our traffic behavioral analysis system has been fully prototyped on Altera Stratix FPGA. Experimental results verify that our system can support line speed of gigabit-rates with very negligible false positive and negative rates.