A scalable, efficient and informative approach for anomaly-based intrusion detection systems: theory and practice

Authors:
Osman Salem;Sandrine Vaton;Annie Gravey
Affiliations:
Laboratoire d'Informatique Paris Descartes, Université Paris Descartes-Paris 5, Paris, France;Département Informatique, TELECOM Bretagne, Brest, France;Département Informatique, TELECOM Bretagne, Brest, France
Venue:
International Journal of Network Management
Year:
2010

Citing 34
Cited 3

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Finding Frequent Items in Data Streams

ICALP '02 Proceedings of the 29th International Colloquium on Automata, Languages and Programming
Statistical Analysis of the Alleged RC4 Keystream Generator

FSE '00 Proceedings of the 7th International Workshop on Fast Software Encryption
SYN-dog: Sniffing SYN Flooding Sources

ICDCS '02 Proceedings of the 22 nd International Conference on Distributed Computing Systems (ICDCS'02)
Sketch-based change detection: methods, evaluation, and applications

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Tabulation based 4-universal hashing with applications to second moment estimation

SODA '04 Proceedings of the fifteenth annual ACM-SIAM symposium on Discrete algorithms
Diamond in the rough: finding Hierarchical Heavy Hitters in multi-dimensional data

SIGMOD '04 Proceedings of the 2004 ACM SIGMOD international conference on Management of data
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Aberrant Behavior Detection in Time Series for Network Monitoring

LISA '00 Proceedings of the 14th USENIX conference on System administration
Change-Point Monitoring for the Detection of DoS Attacks

IEEE Transactions on Dependable and Secure Computing
An improved data stream summary: the count-min sketch and its applications

Journal of Algorithms
Statistical-Based SYN-Flooding Detection Using Programmable Network Processor

ICITA '05 Proceedings of the Third International Conference on Information Technology and Applications (ICITA'05) Volume 2 - Volume 02
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Inverting sampled traffic

IEEE/ACM Transactions on Networking (TON)
Detection and identification of network anomalies using sketch subspaces

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Impact of packet sampling on anomaly detection metrics

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Is sampled data sufficient for anomaly detection?

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Reversible Sketch Based on the XOR-Based Hashing

APSCC '06 Proceedings of the 2006 IEEE Asia-Pacific Conference on Services Computing
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Sensitivity of PCA for traffic anomaly detection

Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
A Study on Detecting Network Anomalies Using Sampled Flow Statistics

SAINT-W '07 Proceedings of the 2007 International Symposium on Applications and the Internet Workshops
Reversible sketches: enabling monitoring and analysis over high-speed data streams

IEEE/ACM Transactions on Networking (TON)
Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Proceedings of the 2007 workshop on Large scale attack defense
Load shedding in network monitoring applications

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
A Novel Sliding Window Based Change Detection Algorithm for Asymmetric Traffic

NPC '08 Proceedings of the 2008 IFIP International Conference on Network and Parallel Computing
An empirical evaluation of entropy-based traffic anomaly detection

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Traffic flooding attack detection with SNMP MIB using SVM

Computer Communications
Network anomaly detection based on wavelet analysis

EURASIP Journal on Advances in Signal Processing - Special issue on signal processing applications in network intrusion detection systems
Effective Change Detection in Large Repositories of Unsolicited Traffic

ICIMP '09 Proceedings of the 2009 Fourth International Conference on Internet Monitoring and Protection
Application Entropy Theory to Detect New Peer-to-Peer Botnet with Multi-chart CUSUM

ISECS '09 Proceedings of the 2009 Second International Symposium on Electronic Commerce and Security - Volume 01
Network anomaly detection and classification via opportunistic sampling

IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
On the use of sketches and wavelet analysis for network anomaly detection

Proceedings of the 6th International Wireless Communications and Mobile Computing Conference

Wild-Inspired Intrusion Detection System Framework for High Speed Networks f|p IDS Framework

International Journal of Information Security and Privacy
FleXam: flexible sampling extension for monitoring and security applications in openflow

Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking
ACTIDS: an active strategy for detecting and localizing network attacks

Proceedings of the 2013 ACM workshop on Artificial intelligence and security

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we present the design and implementation of a new approach for anomaly detection and classification over high speed networks. The proposed approach is based first of all on a data reduction phase through flow sampling by focusing mainly on short lived flows. The second step is then a random aggregation of some descriptors such as a number of SYN packets per flow in two different data structures called Count Min Sketch and Multi-Layer Reversible Sketch. A sequential change point detection algorithm continuously monitors the sketch cell values. An alarm is raised if a significant change is identified in cell values. With an appropriate definition of the combination of IP header fields that should be used to identify one flow, we are able not only to detect the anomaly but also to classify the anomaly as DoS, DDoS or flash crowd, network scanning and port scanning. We validate our framework for anomaly detection on various real world traffic traces and demonstrate the accuracy of our approach on these real-life case studies. Our analysis results from online implementation of our algorithm over measurements gathered by a DAG sniffing card are very attractive in terms of accuracy and response time. The proposed approach is very effective in detecting and classifying anomalies, and in providing information by extracting the culprit flows with a high level of accuracy. Copyright © 2010 John Wiley & Sons, Ltd.