Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Space/time trade-offs in hash coding with allowable errors
Communications of the ACM
On the constancy of internet path properties
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
An analysis of using reflectors for distributed denial-of-service attacks
ACM SIGCOMM Computer Communication Review
New directions in traffic measurement and accounting
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Pi: A Path Identification Mechanism to Defend against DDoS Attacks
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
SYN-dog: Sniffing SYN Flooding Sources
ICDCS '02 Proceedings of the 22 nd International Conference on Distributed Computing Systems (ICDCS'02)
A framework for classifying denial of service attacks
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Analysis of a Denial of Service Attack on TCP
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Hop-count filtering: an effective defense against spoofed DDoS traffic
Proceedings of the 10th ACM conference on Computer and communications security
Proceedings of the 2003 ACM workshop on Rapid malcode
Sketch-based change detection: methods, evaluation, and applications
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
On the difficulty of scalably detecting network attacks
Proceedings of the 11th ACM conference on Computer and communications security
Resisting SYN flood DoS attacks with a SYN cache
BSDC'02 Proceedings of the BSD Conference 2002 on BSD Conference
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
MULTOPS: a data-structure for bandwidth attack detection
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Optimizing away joins on data streams
SSPS '08 Proceedings of the 2nd international workshop on Scalable stream processing system
A more accurate scheme to detect SYN flood attacks
INFOCOM'09 Proceedings of the 28th IEEE international conference on Computer Communications Workshops
Intrusion prevention systems: data mining approach
Proceedings of the International Conference and Workshop on Emerging Trends in Technology
A distributed detecting method for SYN flood attacks and its implementation using mobile agents
MATES'09 Proceedings of the 7th German conference on Multiagent system technologies
Detecting SYN flooding attacks based on traffic prediction
Security and Communication Networks
Intelligent network security assessment with modeling and analysis of attack patterns
Security and Communication Networks
STONE: a stream-based DDoS defense framework
Proceedings of the 28th Annual ACM Symposium on Applied Computing
| Hi-index | 0.00 |
Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfortunately, even today, many IDS systems we know of keep per-connection or per-flow state to detect malicious TCP flows. Thus, it is hardly surprising that these IDS systems have not scaled to multigigabit speeds. By contrast, both router lookups and fair queuing have scaled to high speeds using aggregation via prefix lookups or DiffServ. Thus, in this paper, we initiate research into the question as to whether one can detect attacks without keeping per-flow state. We will show that such aggregation, while making fast implementations possible, immediately causes two problems. First, aggregation can cause behavioral aliasing where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing by which the intruder sends attacks that have appropriate aggregate behavior. We examine a wide variety of DoS and scanning attacks and show that several categories (bandwidth based, claim-and-hold, port-scanning) can be scalably detected. In addition to existing approaches for scalable attack detection, we propose a novel data structure called partial completion filters (PCFs) that can detect claim-and-hold attacks scalably in the network. We analyze PCFs both analytically and using experiments on real network traces to demonstrate how we can tune PCFs to achieve extremely low false positive and false negative probabilities.