In this paper, we present the design and implementation of a new approach for anomaly detection and classification over high speed networks. The proposed approach is based first on a data reduction phase through flow sampling, focusing mainly on short-lived flows. The second step is a random aggregation of descriptors such as the number of SYN packets per flow into two different data structures, the Count-Min Sketch and the Multi-Layer Reversible Sketch. A sequential change-point detection algorithm continuously monitors the sketch cell values, and an alarm is raised if a significant change is identified in them. With an appropriate definition of the combination of IP header fields used to identify one flow, we are able not only to detect an anomaly but also to classify it as DoS, DDoS or flash crowd, network scanning, or port scanning. We validate our framework for anomaly detection on various real-world traffic traces and demonstrate the accuracy of our approach on these real-life case studies. Results from an online implementation of our algorithm over measurements gathered by a DAG sniffing card are very attractive in terms of accuracy and response time. The proposed approach is very effective in detecting and classifying anomalies, and in providing information by extracting the culprit flows with a high level of accuracy. Copyright © 2010 John Wiley & Sons, Ltd.
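The pipeline the abstract describes (per-bin aggregation of SYN counts into a Count-Min sketch, then a sequential change-point monitor over the sketch cells) can be illustrated in a few dozen lines. The following Python is an added example written for this page; it is not the paper's code and makes several simplifying assumptions: row-salted SHA-256 stands in for the paper's hash functions, a one-sided CUSUM against an EWMA baseline stands in for whatever change-point test the paper uses, the threshold and smoothing constants are arbitrary, the traffic bins are constructed, and culprit identification simply re-checks the keys seen in the alarming bin rather than using a reversible sketch.

```python
"""Added example (not the paper's code): Count-Min sketch of SYN counts per flow key,
monitored cell-by-cell with a one-sided CUSUM change-point detector."""
import hashlib


class CountMinSketch:
    """depth independent hash rows, each with width counters."""

    def __init__(self, width=64, depth=3):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, row, key):
        # Row-salted SHA-256 is an assumption standing in for the paper's hashes
        digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
        return int.from_bytes(digest[:8], "little") % self.width

    def update(self, key, count=1):
        for r in range(self.depth):
            self.table[r][self._index(r, key)] += count

    def estimate(self, key):
        # The minimum over rows bounds the over-count caused by collisions
        return min(self.table[r][self._index(r, key)] for r in range(self.depth))

    def reset(self):
        self.table = [[0] * self.width for _ in range(self.depth)]


class CusumMonitor:
    """One-sided CUSUM per sketch cell against an EWMA baseline of earlier bins.
    alpha, allowance and threshold are arbitrary constants chosen for this example."""

    def __init__(self, width, depth, alpha=0.3, allowance=2.0, threshold=10.0):
        self.alpha, self.allowance, self.threshold = alpha, allowance, threshold
        self.baseline = [[None] * width for _ in range(depth)]
        self.cusum = [[0.0] * width for _ in range(depth)]

    def observe(self, table):
        """Feed one time bin's sketch table; return the (row, col) cells that alarm."""
        alarms = []
        for r, row in enumerate(table):
            for c, x in enumerate(row):
                mu = self.baseline[r][c]
                if mu is None:
                    self.baseline[r][c] = float(x)  # first bin only seeds the baseline
                    continue
                s = max(0.0, self.cusum[r][c] + (x - mu - self.allowance))
                if s > self.threshold:
                    alarms.append((r, c))
                    self.cusum[r][c] = 0.0  # restart the statistic after an alarm
                else:
                    self.cusum[r][c] = s
                    # only non-alarming bins train the baseline, so a surge is not learned
                    self.baseline[r][c] = (1 - self.alpha) * mu + self.alpha * x
        return alarms


def run_detector(bins, width=64, depth=3):
    """bins: list of time bins, each a list of (flow_key, syn_count) records.
    Returns [(bin_index, suspect_keys)] for every bin in which a change was flagged."""
    sketch = CountMinSketch(width, depth)
    monitor = CusumMonitor(width, depth)
    findings = []
    for i, records in enumerate(bins):
        sketch.reset()
        for key, syns in records:
            sketch.update(key, syns)
        alarms = set(monitor.observe(sketch.table))
        if alarms:
            # Stand-in for the paper's reversible sketch: a key is a suspect only if
            # every one of its cells alarmed in this bin.
            suspects = sorted({key for key, _ in records
                               if all((r, sketch._index(r, key)) in alarms for r in range(depth))})
            findings.append((i, suspects))
    return findings


def constructed_bins():
    """Constructed traffic: 8 servers each receive a steady 3 SYNs per bin; in bin 10
    one additional destination receives 200 SYNs (a constructed SYN surge)."""
    hosts = [f"10.0.0.{i}" for i in range(1, 9)]
    bins = []
    for t in range(12):
        records = [(h, 3) for h in hosts]
        if t == 10:
            records.append(("10.0.0.99", 200))
        bins.append(records)
    return bins


if __name__ == "__main__":
    for bin_index, suspects in run_detector(constructed_bins()):
        print(f"bin {bin_index}: change detected, suspect keys {suspects}")
```

The same `run_detector` can be run several times over the same traffic with different flow keys, which is how the abstract's classification works: keyed on destination address a surge reads as DoS/DDoS or flash crowd, keyed on source address plus the number of distinct destinations it reads as network scanning, and keyed on destination address plus destination port it reads as port scanning. A reversible sketch would recover the culprit keys from the alarming cells directly; the candidate re-check used here needs the bin's records to still be available.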