Mathematical statistics (4th ed.)
Mathematical statistics (4th ed.)
End-to-end routing behavior in the Internet
IEEE/ACM Transactions on Networking (TON)
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Space/time trade-offs in hash coding with allowable errors
Communications of the ACM
On the constancy of internet path properties
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
An analysis of using reflectors for distributed denial-of-service attacks
ACM SIGCOMM Computer Communication Review
New directions in traffic measurement and accounting
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Pi: A Path Identification Mechanism to Defend against DDoS Attacks
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
SYN-dog: Sniffing SYN Flooding Sources
ICDCS '02 Proceedings of the 22 nd International Conference on Distributed Computing Systems (ICDCS'02)
A framework for classifying denial of service attacks
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Analysis of a Denial of Service Attack on TCP
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Hop-count filtering: an effective defense against spoofed DDoS traffic
Proceedings of the 10th ACM conference on Computer and communications security
Proceedings of the 2003 ACM workshop on Rapid malcode
Bitmap algorithms for counting active flows on high speed links
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Sketch-based change detection: methods, evaluation, and applications
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
On the difficulty of scalably detecting network attacks
Proceedings of the 11th ACM conference on Computer and communications security
Resisting SYN flood DoS attacks with a SYN cache
BSDC'02 Proceedings of the BSD Conference 2002 on BSD Conference
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
MULTOPS: a data-structure for bandwidth attack detection
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
On the difficulty of scalably detecting network attacks
Proceedings of the 11th ACM conference on Computer and communications security
On the robustness of router-based denial-of-service (DoS) defense systems
ACM SIGCOMM Computer Communication Review
An evaluation technique for network intrusion detection systems
InfoScale '06 Proceedings of the 1st international conference on Scalable information systems
Survey of network-based defense mechanisms countering the DoS and DDoS problems
ACM Computing Surveys (CSUR)
An algorithm for approximate counting using limited memory resources
Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Reversible sketches: enabling monitoring and analysis over high-speed data streams
IEEE/ACM Transactions on Networking (TON)
WebClass: adding rigor to manual labeling of traffic anomalies
ACM SIGCOMM Computer Communication Review
The need for simulation in evaluating anomaly detectors
ACM SIGCOMM Computer Communication Review
Information Assurance: Dependability and Security in Networked Systems
Information Assurance: Dependability and Security in Networked Systems
Detector SherLOCK: Enhancing TRW with Bloom filters under memory and performance constraints
Computer Networks: The International Journal of Computer and Telecommunications Networking
Query-aware partitioning for monitoring massive network data streams
Proceedings of the 2008 ACM SIGMOD international conference on Management of data
A hardware platform for efficient worm outbreak detection
ACM Transactions on Design Automation of Electronic Systems (TODAES)
HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency
Computer Networks: The International Journal of Computer and Telecommunications Networking
Periodic behavior in botnet command and control channels traffic
GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
Memory-efficient IP filtering for countering DDoS attacks
APNOMS'09 Proceedings of the 12th Asia-Pacific network operations and management conference on Management enabling the future internet for changing business and new computing services
Traffic anomaly detection and characterization in the tunisian national university network
NETWORKING'06 Proceedings of the 5th international IFIP-TC6 conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems
Streams, security and scalability
DBSec'05 Proceedings of the 19th annual IFIP WG 11.3 working conference on Data and Applications Security
Towards software-based signature detection for intrusion prevention on the network card
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Time-Out bloom filter: a new sampling method for recording more flows
ICOIN'06 Proceedings of the 2006 international conference on Information Networking: advances in Data Communications and Wireless Networks
NEPnet: a scalable monitoring system for anomaly detection of network service
Proceedings of the 7th International Conference on Network and Services Management
Port scan behavior diagnosis by clustering
ICICS'05 Proceedings of the 7th international conference on Information and Communications Security
| Hi-index | 0.00 |
Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans)at network vantage points. Unfortunately, all the IDS systems we know of keep per-connection or per-flow state. Thus it is hardly surprising that IDS systems (other than signature detection mechanisms) have not scaled to multi-gigabit speeds. By contrast, note that both router lookups and fair queuing have scaled to high speeds using aggregation via prefix lookups or DiffServ. Thus in this paper, we initiate research into the question as to whether one can detect attacks without keeping per-flow state. We will show that such aggregation, while making fast implementations possible, immediately cause two problems. First, aggregation can cause behavioral aliasing where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing by which the intruder sends attacks that have appropriate aggregate behavior. We examine a wide variety of DoS attacks and show that several categories (bandwidth based, claim-and-hold, host scanning) can be scalably detected. By contrast, it appears that stealthy port-scanning cannot be scalably detected without keeping per-flow state.