On scalable attack detection in the network

IEEE/ACM Transactions on Networking

Volumn 15, Issue 1, 2007, Pages 14-25

  Kompella, Ramana Rao ^a   Singh, Sumeet ^a   Varghese, George ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Data structures; Denial of service; Network attacks; Routers; Scanning; Streaming algorithms; Syn flooding

Indexed keywords

COMPUTER CRIME; DATA STRUCTURES; NETWORK SECURITY; ROUTERS; SCANNING;

DENIAL OF SERVICE; PARTIAL COMPLETION FILTERS; SPOOFING; SYN FLOODING;

INTRUSION DETECTION;

EID: 33947507304     PISSN: 10636692     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNET.2006.890115     Document Type: Article

References (48)

1. M. Roesch, Snort. [Online]. Available: http://www.snort.org
2. P. Barford, J. Kline, D. Plonka, and A. Ron, "A signal analysis of network traffic anomalies," in Proc. 2nd ACM SIGCOMM Internet Measurement Workshop, 2002, pp. 71-82.
3. B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, "Sketch-based change detection: Methods, evaluation, and applications," in Proc. 3rd ACM SIGCOMM Internet Measurement Conf., 2003, pp. 234-247.
4. S. J. Staniford, "Containment of scanning worms in enterprise networks," J. Computer Security, 2004, to be published.
5. ForeScout Technologies. [Online]. Available: http://www.forescout.com
6. D. Moore, G. Voelker, and S. Savage, "Inferring Internet denial of service activity," in Proc. 10th USENIX Security Symp., Aug. 2001, pp. 9-22.
7. Mazu Publishing. [Online]. Available: http://www.mazu.com
8. Arbor Networks. [Online]. Available: http://www.arbornetworks.com
9. H. Wang, D. Zhang, and K. Shin, "Detecting SYN flooding attacks," in Proc. IEEE INFOCOM, 2002, pp. 1530-1539.
10. V. Paxson, "Bro: A system for detecting network intruders in realtime," Computer Networks, vol. 31, no. 23-24, pp. 2435-2463, 1999.
11. K. Levchenko, R. Paturi, and G. Varghese, "On the difficulty of scalably detecting network attacks," in Proc. 11th ACM Conf. Computer and Communications Security, 2004, pp. 12-20.
12. R. Keyes, "The Naptha DoS vulnerabilities," [Online]. Available: http://www.cert.org/advisories/CA-2000-21.html
13. N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, "A taxonomy of computer worms," in Proc. ACM Workshop of Rapid Malcode (WORM), 2003, pp. 11-18.
14. S. Staniford, V. Paxson, and N. Weaver, "How to Own the Internet in your spare time," in Proc. 11th USENIX Security Symp., Aug. 2002, pp. 149-167.
15. MyDoom.B Virus. [Online]. Available: http://www.us-cert.gov/cas/ techalerts/TA04-028A.html
16. CERT Advisory CA-2001-19, "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL, [Online]. Available: http://www.cert.org/advisories/CA-2001-19.html
17. CERT Advisory CA-2001-26 Nimda Worm, [Online]. Available: http://www.cert.org/advisories/CA-2001-26.html
18. CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks, [Online]. Available: http://www.cert.org/advisories/CA-1998-01.html
19. V. Paxson, "An analysis of using reflectors for distributed denial-of-service attacks," Comput. Commun. Rev., vol. 31, no. 3, Jul. 2001.
20. T. M. Gill and M. Poletto, "MULTOPS: A data-structure for bandwidth attack detection," in Proc. 10th USENIX Security Symp., 2001, pp. 23-38.
21. M. Datar and S. Muthuktishnan, "Estimating rarity and similarity over data stream windows," DIMACS, Tech. Rep. 2001-21, 2001.
22. A. C. Gilbert, S. Guha, P. Indyk, S. Muthukrishnan, and M. J. Strauss, "Quicksand: Quick summary and analysis of network data," DIMACS, Tech. Rep. 2001-43, 2001.
23. C. Estan and G. Varghese, "New directions in traffic measurement and accounting," in Proc. ACM SIGCOMM, 2002, pp. 271-282.
24. C. Estan and G. Varghese, "Autofocus: A tool for automatic traffic analysis," in Proc. ACM SIGCOMM, 2003, pp. 137-148.
25. Cisco NetFlow. [Online]. Available: http://www.cisco.com/en/US/products/ ps6601/products_ios_protocol_group_home.html
26. B. H. Bloom, "Space/time tradeoffs in hash coding with allowable errors," Commun. ACM, vol. 13, no. 7, pp. 422-426, Jul. 1970.
27. Y. Zhang, N. Duffleld, V. Paxson, and S. Shenker, "On the constancy of internet path properties," in Proc. ACM SIGCOMM Internet Measurement Workshop, 2001, pp. 197-211.
28. R. J. Larsen and M. L. Marx, An Introduction to Mathematical Statistics and Its Applications. Upper Saddle River, NJ: Prentice-Hall, 2001.
29. NMap. [Online]. Available: http://www.insecure.org/nmap
30. Cooperative Association for Internet Data Analysis (CAIDA). [Online]. Available: http://www.caida.org
31. A. Hussain, J. Heidemann, and C. Papadopoulos, "A framework for classifying denial of service attacks," in Proc. ACM SIGCOMM, 2003, pp. 99-110.
32. L. T. Heberlein, G. V. Dias, K. N. Levitt, B. Mukherjee,, J. Wood, and D. Wolber, "A network security monitor," in Proc. IEEE Symp. Research in Security and Privacy, 1990, pp. 296-304.
33. S. Robertson, E. V. Siegel, M. Miller, and S. J. Stolfo, "Surveillance detection in high bandwidth environments," in Proc. 2003 DARPA DISCEX III Conf., pp. 229-238.
34. J. Jung, V. Paxson, A. Berger, and H. Balakrishnan, "Fast portscan detection using sequential hypothesis testing," in Proc. IEEE Symp. Security and Privacy, 2004, pp. 211-225.
35. E. Shenk, "Another new thought on dealing with SYN flooding," 1996 [Online]. Available: http://www.wcug.wwu.edu/lists/netdev/199609/ msg00171.html
36. Riverhead Networks. [Online]. Available: http://www.riverhead.com
37. L. Carter and M. N. Wegman, "Universal classes of hash functions," J. Comput. Syst. Sci., vol. 18, no. 2, pp. 143-154, 1979.
38. A. Yaar, A. Perrig, and D. Song, "SIFF: A stateless Internet flow filter to mitigate DDoS flooding attacks," in Proc. IEEE Symp. Security and Privacy, 2004, pp. 130-143.
39. A. Yaar, A. Perrig, and D. Song, "Pi: A path identification mechanism to defend against DDoS attacks," in Proc. IEEE Symp. Security and Privacy, 2003, pp. 93-107.
40. H. Wang, D. Zhang, and K. Shin, "SYN-dog: Sniffing SYN flooding sources," in Proc. IEEE Int. Conf. Distributed Computing Systems (ICDCS), 2002, pp. 421-428.
41. D. J. Bernstein, "SYN Cookies," 1997 [Online]. Available: http://cr.yp.to/syncookies.html
42. J. Lemon, "Resisting syn flooding dos attacks with a syn cache," in Proc. USENIX BSDCon' 2002, pp. 89-98.
43. C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a denial of service attack on TCP," in Proc. IEEE Symp. Security and Privacy, 1997, pp. 208-223.
44. Netscreen Technologies. [Online]. Available: http://www.netscreen.com
45. C. Jin, H. Wang, and K. G. Shin, "Hop-count filtering: An effective defense against spoofed ddos traffic," in Proc. 10th ACM Int. Conf. Computer and Communications Security (CCS), 2003, pp. 30-41.
46. C. Leckie and R. Kotagiri, "A probabilistic approach to detecting network scans," in Proc. 8th IEEE Network Operations and Management Symp., 2002, pp. 359-372.
47. S. Staniford, J. A. Hoagland, and J. M. McAlerney, "Practical automated detection of stealthy portscans," in Proc. 7th ACM Conf. Computer and Communications Security, 2000, pp. 1-7.
48. J. Pescatore, M. Easley, and R. Stiennon, "Network security platforms will transform security markets," 2002 [Online]. Available: http://www.techrepublic.com/ article.jhtml?id=r00220021223jdt01.htm&src=bc