Real-time analysis of flow data for network attack detection

10th IFIP/IEEE International Symposium on Integrated Network Management 2007, IM '07

Volumn , Issue , 2007, Pages 100-108

  Münz, Gerhard ^a   Carle, Georg ^a  

^a UNIVERSITY OF TÜBINGEN   (Germany)

Author keywords

Anomaly and attack detection; Flow analysis; Network monitoring

Indexed keywords

COMPUTER WORMS; DATA FLOW ANALYSIS; REAL TIME SYSTEMS; SECURITY OF DATA; TELECOMMUNICATION TRAFFIC;

ANOMALY AND ATTACK DETECTION; NETWORK MONITORING; TOPAS;

NETWORK MANAGEMENT;

EID: 34748852070     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/INM.2007.374774     Document Type: Conference Paper

References (38)

1. B. Claise, "Cisco Systems NetFlow Services Export Version 9," RFC 3954 (Informational), Oct. 2004. [Online]. Available: http://www.ietf.org/ rfc/rfc3954.txt
2. B. Claise, S. Bryant, G. Sadasivan, S. Leinen, and T. Dietz, "IPFIX Protocol Specifications," Internet-Draft, draft-ietf-ipfix-protocol-24, Nov. 2006.
3. N. Duffield, D. Chiou, B. Claise, A. Greenberg, M. Grossglauser, P. Marimuthu, J. Rexford, and G. Sadasivan, "A Framework for Packet Selection and Reporting," Internet-Draft, work in progress, draft-ietf-psamp- framework-10, Jan. 2005.
4. J. Quittek, T Zseby, B. Claise, and S. Zander, "Requirements for IP How Information Export (IPFIX)," RFC 3917 (Informational), Oct. 2004. [Online]. Available: http://www.ietf.org/rfc/rfc3917.txt
5. F. Dressler and G. Münz, "Flexible flow aggregation for adaptive network monitoring," in Proc. of IEEE LCN Workshop on Network Measurements 2006, Tampa, Florida, USA, Nov. 2006.
6. J. Quittek, S. Bryant, B. Claise, and J. Meyer, "Information Model for IP Flow Information Export," Internet-Draft, work in progress, draft-ietf-ipfix-info-14.txt, Oct. 2006.
7. C. Kotsokalis, D. Kalogeras, and B. Maglaris, "Router-based Detection of DoS and DDoS Attacks," in Proc. of HP Openview University Association (HP-OVUA) 8th Annual Workshop, Berlin, Germany, June 2001.
8. A. Lakhina, M. Crovella, and C. Diot, "Characterization of Network-Wide Anomalies in Traffic Flows," in Proc. of 4th ACM SIGCOMM Conference on Internet Measurement. Taormina, Sicily, Italy: ACM Press, Oct. 2004, pp. 201-206.
9. L. Ertöz, E. Eilertson, A. Lazarevic, P.-N. Tan, P. Dokas, V. Kumar, and J. Srivastava, "Detection of novel network attacks using data mining," in Proc. of Workshop on Data Mining for Computer Security, to be held in conduction with IEEE International Conference on Data Mining, Melbourne, FL, USA, Nov. 2003.
10. A. Lakhina, M. Crovella, and C. Diot, "Mining Anomalies Using Traffic Feature Distributions," in Proc. of ACM SIGCOMM Conference, Philadelphia, PA, USA, Aug. 2005, pp. 217-228.
11. J. Terrell, K. Jeffay, F. D. Smith, L. Zhang, H. Shen, Z. Zhu, and A. Nobel, "Multivariate SVD Analyses For Network Anomaly Detection," in Proc. of ACM SIGCOMM Conference, Poster Session, Philadelphia, PA, USA, Aug. 2005.
12. G. Androulidakis, V Chatzigiannakis, M. Grammatikou, and F. Stamatelopoulos, "Network Flow-Based Anomaly Detection of DDoS Attacks," in Proc. of Trans-European Research and Education Networking Assocuition (TERENA) 2004, Rhodes, Greece, June 2004.
13. A. Lazarevic, L. Ertöz, V. Kumar, A. Ozgur, and J. Srivastava, "A comparative study of anomaly detection schemes in network intrusion detection," in Proc. of 3rd SIAM International Conference on Data Mining, May 2003.
14. D. Barbará, J. C. S. Jajodia, L. Popyack, and N. Wu, "ADAM: Detecting intrusions by data mining," in Proc. of IEEE Workshop on Information Assurance and Security, West Point, NY, USA, June 2001, pp. 11-16.
15. H. Debar, D. Curry, and B. Feinstein, "The Intrusion Detection Message Exchange Format," Internet-Draft, work in progress, draft-ietf-idwg-idmef-xml-16, Mar. 2006.
16. M. Ruff, "White Paper XmlBlaster," Mar. 2000. [Online]. Available: http://www.xmlblaster.org/xmlBlaster/doc/whitepaper/whitepaper.html
17. SWITCH Homepage, http://www.switch.ch/, 2006.
18. T. Dübendorfer, A. Wagner, and B. Plattner, "A Framework for Real-Time Worm Attack Detection and Backbone Monitoring," in Proc. of 1st IEEE International Workshop on Critical Infrastructure Protection (IWCIP 2005), Darmstadt, Germany, Nov. 2005.
19. B. Claise, J. Quittek, and A. Johnson, "Packet Sampling (PSAMP) Protocol Specifications," Internet-Draft, work in progress, draft-ietf-psamp-pratocol-07, Oct. 2006.
20. Diadem Firewall Homepage, http://www.diadem-firewall.org/, 2006.
21. F. Dressler, C. Sommer, and G. Münz, "IPFIX Aggregation," Internet-Draft, work in progress, draft-dressler-ipfix-aggregation-03.txt, June 2006.
22. A. Fessi, S. Yusuf, Y. Carlinet, O. Paul, P. Sagmeister, J. van Lunteren, V. Thing, M. Sloman, D. Thomas, D. Gabrijelcic, P. Tobis, G. Münz, D. Haage, R. Sasnauskas, and K. Dragicevic, "Evaluation Report, DIADEM Firewall Deliverable D14," Sept. 2006.
23. H. Wang, D. Zhang, and K. G. Shin, "SYN-dog: Sniffing SYN Flooding Sources," in Proc. of 22nd International Conference on Distributed Computing Systems (ICDCS'02), Vienna, Austria, July 2002.
24. R. T. Lampert, C. Sommer, G. Münz, and F. Dressler, "Vermont - A Versatile Monitoring Toolkit for IPFIX and PSAMP," in Proc. of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006), Tuebingen, Germany, Sept. 2006.
25. O. Paul and J. E. Kiba, "Requin, a tool for fast web traffic inference," in 48th annual IEEE Global Telecommunications Conference (GLOBECOM 2005), Saint Louis, MO, USA, Nov./Dec. 2005.
26. G. Münz, A. Fessi, G. Carle, O. Paul, D. Gabrijelcic, Y. Carlinet, S. Yusuf, M. Sloman, V. Thing, J. van Lunteren, P. Sagmeister, and G. Dittmann, "Diadem Firewall: Web Server Overload Attack Detection and Response," Bordeaux, France, Dec. 2005.
27. O. Paul, "Improving web servers focused DoS attacks detection," in Proc. of IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006), Tuebingen, Germany, Sept. 2006.
28. T. Karagiannis, K. Papagiannaki, and M. Faloutsos, "BLINC: Multilevel Traffic Classification in the Dark," in Proc. of Conference of the Special Interest Group on Data Communication (SIGCOMM'05), Philadelphia, Pennsylvania, USA, Aug. 2005, pp. 229-240.
29. M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," in Proc. of 13th USENDi Conference on System Administration. USENIX Association, Nov. 1999, pp. 229-238.
30. Netflow Monitor Homepage, http://netflow.cesnet.cz/, 2006.
31. History Project Homepage, http://www.history-praject.net/, 2006.
32. F. Dressler and G. Carle, "History - high speed network monitoring and analysis," in Proc of 24th IEEE Conference on Computer Communications (IEEE INFOCOM 2005), Poster Session, Mar. 2005.
33. Ntop Homepage, http://www.ntop.org/, 2006.
34. J. McHugh, "Sets, Bags, and Rock and Roll: Analyzing Large Data Sets of Network Data," in Proc. of European Symposium on Research in Computer Security 2004 (ESORICS 04), Sophia Antipolis, France, Sept. 2004.
35. C. Gates, M. Collins, M. Duggan, A. Kompanek, and M. Thomas, "More Netflow Tools: For Performance and Security," in Proc. of Large Installation System Administration Conference (LISA) 2004, Atlanta, GA, Nov. 2004.
36. C. Gates and D. Becknel, "Host Anomalies from Network Data," in Proc. of IEEE Systems, Man and Cybernetics Information Assurance Workshop, West Point, NY, June 2005.
37. M. Fullmer and S. Romig, "The OSU Flow-tools Package and Cisco NetFlow Logs," in Proc. of 14th USENIX Conference on System Administration (LISA 2000), New Orleans, Louisiana, USA, Dec. 2000, pp. 291-304.
38. HowScan Homepage, http://www.caida.org/tools/utilities/flowscan/, 2006.