On scalable attack detection in the network

Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004

Volumn , Issue , 2004, Pages 187-200

  Kompella, Ramana Rao ^a   Singh, Sumeet ^a   Varghese, George ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Denial of Service; Scalability; Security

Indexed keywords

ALGORITHMS; COMPUTER SOFTWARE; COMPUTER SYSTEM FIREWALLS; NETWORK PROTOCOLS; ROUTERS; SECURITY OF DATA; STATIC RANDOM ACCESS STORAGE;

DENIAL OF SERVICE (DOS); PARTIAL COMPLETION FILTERS (PCF); SCALABILITY; SPOOFING;

TELECOMMUNICATION NETWORKS;

EID: 14944386850     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1028788.1028812     Document Type: Conference Paper

References (50)

1. Cert, advisory ca-1998-01 smurf ip denial-of-service attacks. http://www.cert.org/advisories/CA-1998-01.html.
2. Cert, advisory ca-2001-19 "code red" worm exploiting buffer overflow in us indexing service dll. http://www.cert.org/advisories/CA-2001-19. html.
3. Cert advisory ca-2001-26 nimda worm. http://www.cert.org/advisories/CA- 2001-26.html.
4. Mazu networks, http://www.mazu.com.
5. Mydoom.b virus. http://www.us-cert.gov/cas/alerts/SA04-028A.html.
6. Sco inc. http://www.sco.com.
7. ARBOR NETWORKS, http://www.arbornetworks.com.
8. BARFORD, P., KLINE, J., PLONKA, D., AND RON, A. A signal analysis of network traffic anomalies. In Proceedings of ACM SIGCOMM Internet Measurement Workshop (Nov. 2002).
9. BERNSTEIN, D. J. SYN cookies. http://cr.yp.to/syncookies.html, 1997.
10. BLOOM, B. H. Space/time tradeoffs in hash coding with allowable errors. Communications of the ACM 13, 7 (July 1970), 422-426.
11. CHECK POINT SOFTWARE TECHNOLOGIES LTD. Syndefender. http://www. checkpoint.com/products/firewall-1.
12. DATAR, M., AND MUTHUKRISHNAN, S. Estimating rarity and similarity over data stream windows. Technical report, 2001-21, DIMACS, Nov. 2001.
13. ESTAN, C., AND VARGHESE, G. New directions in traffic measurement and accounting. In ACM SIGCOMM (Aug. 2002).
14. ESTAN, C., AND VARGHESE, G. Autofocus : A tool for automatic traffic analysis. In Proceedings of ACM SIGCOMM (2003).
15. FORESCOUT TECHNOLOGIES, http://www.forescout.com.
16. FYODOR, http://www.insecure.org/nmap.
17. GILBERT, A., GUHA, S., INDYK, P., MUTHUKRISHNAN, S., AND STRAUSS, M. Quicksand : Quick summary and analysis of network data. Technical report, 2001-43, DIMACS, Nov. 2001.
18. GILL, T. M., AND POLETTO, M. MULTOPS: a data-structure for bandwidth attack detection. In USENIX Security Symposium (2001).
19. GREENE, B. R., AND MCPHERSON, D. Sink holes : A swiss army knife isp security tool. http://www.nanog.org/mtg-0306/pdf/sink.pdf.
20. HEBERLEIN, L. T., DIAS, G. V., LEVITT, K. N., MUKHERJEE, B., J.WOOD, AND D.WOLBER. A network security monitor. In Proc. IEEE Symposium on Research in Security and Privacy (1990), pp. 296-304.
21. HUSSAIN, A., HEIDEMANN, J., AND PAPADOPOULOS, C. A framework for classifying denial of service attacks. In ACM SIGCOMM (Aug. 2003).
22. JIN, C., WANG, H., AND SHIN, K. G. Hop-count filtering: An effective defense against spoofed ddos traffic. In ACM Conference on Computer and Communications Security (CCS) (Oct. 2003).
23. JUNG, J., PAXSON, V., BERGER, A., AND BALAKRISHNAN, H. Fast portscan detection using sequential hypothesis testing. In Proceedings of IEEE Symposium on Security and Privacy (2004).
24. KEYES, R. The Naptha DoS Vulnerabilities, http://razor.bindview.com/ publish/advisories/adv_NAPTHA.html.
25. KRISHNAMURTHY, B., SEN, S., ZHANG, Y., AND CHEN, Y. Sketch-based change detection: methods, evaluation, and applications. In Proceedings of the conference on Internet measurement conference (2003), ACM Press, pp. 234-247.
26. LARSEN, R. J., AND MARX, M. L. An Introduction to Mathematical Statistics and Its Applications. Prentice Hall, Upper Saddle River, NJ 07458, 2001.
27. LECKIE, C., AND KOTAGIRI, R. A probabilistic approach to detecting network scans. In Proceedings of the Eight IEEE Network Operations and Management Symposium (Apr. 2002).
28. LEMON, J. Resisting syn flooding dos attacks with a syn cache. In Proceedings of USENIX BSDCon'2002 (Feb. 2002).
29. LEVCHENKO, K., PATURI, R., AND VARGHESE, G. On the difficulty of scalably detecting network attacks. In Proceedings of the ACM Conference on Computer and Communications Security, Washington, D.C. (Oct. 2004).
30. MARTIN ROESCH. Snort, http://www.snort.org.
31. MOORE, D., AND SHANNON, C. Sco offline from dos attack. http://www.sco.com.
32. MOORE, D., VOELKER, G., AND SAVAGE, S. Inferring internet denial of service activity. In USENIX Security Symposium (2001).
33. NETFLOW, C. http://www.cisco.com/warp/public/732/Tech/netflow.
34. NETSCREEN 100 FIREWALL APPLIANCE. http://www.netscreen.com.
35. NETSCREEN TECHNOLOGIES, http://www.netscreen.com.
36. PAXSON, V. End-to-end routing behavior in the internet. IEEE/ACM Transactions on Networking 5, 5 (Oct. 1997), 601-615.
37. PAXSON, V. Bro: A system for detecting network intruders in real-time. In Computer Networks, 31(23-24), pp. 2435-2463 (Dec. 1999).
38. PAXSON, V. An analysis of using reflectors for distributed denial-of-service attacks. In Computer Communication Review 31(3) (July 2001).
39. PESCATORE, J., EASLEY, M., AND STIENNON, R. Network security platforms will transform security markets. http://www.techripublic.com/article.jhtml?id= r00220021223jdt01.htm&src=bc, Dec. 2002.
40. ROBERTSON, S., SIEGEL, E., MILLER, M., AND STOLFO, S. Surveillance detection in high bandwidth environments. In Proceedings of the 2003 DARPA DISCEX III Conference (Apr. 2003), pp. 229-238.
41. SCHUBA, C., KRSUL, I., KUHN, M., SPAFFORD, E., SUNDARAM, A., AND ZAMBONI, D. Analysis of a denial of service attack on tcp. In Proceedings of IEEE Symposium on Security and Privacy (May 1997).
42. STANIFORD, S., HOAGLAND, J. A., AND MCALERNEY, J. M. Practical automated detection of stealthy portscans. In In Proceedings of the 7th A CM Conference on Computer and Communications Security (2000).
43. STANIFORD, S., PAXSON, V., AND WEAVER, N. How to Own the internet in your spare time. In Proceedings of the 11th USENIX Security Symposium (Aug. 2002).
44. STANIFORD, S. J. Containment of scanning worms in enterprise networks. In Journal of Computer Security (Nov. 2003).
45. WANG, H., ZHANG, D., AND SHIN, K. Detecting syn flooding attacks. In IEEE INFOCOM (2002).
46. WANG, H., ZHANG, D., AND SHIN, K. Syn-dog: Sniffing syn flooding sources. In IEEE ICDCS (Vienna, Austria, 2002).
47. WEAVER, N., PAXSON, V., STANIFORD, S., AND CUNNINGHAM, R. A taxonomy of computer worms. In Proceedings of the ACM Workshop of Rapid Malcode (WORM) (2003).
48. YAAR, A., PERRIG, A., AND SONG, D. Pi: A path identification mechansim to defend against ddos attacks. In Proceedings of the IEEE Symposium on Security and Privacy (2003).
49. YAAR, A., PERRIG, A., AND SONG, D. Siff: A stateless internet flow filter to mitigate ddos flooding attacks. In Proceedings of the IEEE Symposium on Security and Privacy (2004).
50. ZHANG, Y., DUFFIELD, N., PAXSON, V., AND SHENKER, S. On the constancy of internet path properties. In Proc. ACM SIGCOMM Internet Measurement Workshop (Nov. 2001).