An overview of IP flow-based intrusion detection

IEEE Communications Surveys and Tutorials

Volumn 12, Issue 3, 2010, Pages 343-356

  Sperotto, Anna ^a   Schaffrath, Gregor ^b   Sadre, Ramin ^a   Morariu, Cristian ^c   Pras, Aiko ^c   Stiller, Burkhard ^c  

^a UNIVERSITY OF TWENTE   (Netherlands)

^b TECHNISCHE UNIVERSITÄT BERLIN   (Germany)

^c UNIVERSITY OF ZURICH   (Switzerland)

Author keywords

attacks; Botnets; DoS; intrusion detection; Network flows; scan; worms

Indexed keywords

BOTNET; DENIAL-OF-SERVICE ATTACK; SURVEYS;

ATTACK; BOTNETS; DOS; FLOW BASED; INTRUSION-DETECTION; IP FLOW; NETWORKS FLOWS; PACKET INSPECTION; SCAN; WORM;

INTRUSION DETECTION;

EID: 77955469676     PISSN: None     EISSN: 1553877X     Source Type: Journal    
DOI: 10.1109/SURV.2010.032210.00054     Document Type: Article

References (82)

1. 2007 mal ware report: The economic impact of viruses, Spyware, adware, botnets, and other malicious code Jul. 2008 Computer Economics http://www.computereconomics.com
2. M. Roesch Snort, intrusion detection system Jul. 2008 http://www.snort.org
3. V. Paxson Bro: a system for detecting network intruders in real-time Computer Networks 31 23-24 2435 2463 1999
4. H. Lai S. Cai H. Huang J. Xie H. Li A parallel intrusion detection system for high-speed networks Proc. of the Second International Conference Applied Cryptography and Network Security (ACNS'04) 439 451 Proc. of the Second International Conference Applied Cryptography and Network Security (ACNS'04) 2004-May
5. M. Gao Κ. Zhang J. Lu Efficient packet matching for gigabit network intrusion detection using TCAMs Proc. of 20th International Conferece on Advanced Information Networking and Applications (AINA'06) 249 254 Proc. of 20th International Conferece on Advanced Information Networking and Applications (AINA'06) 2006
6. L. Heberlein G. Dias Κ. Levitt Β. Mukherjee J. Wood D. Wolber A network security monitor Proc. of IEEE Computer Society Symposium on Research in Security and Privacy 296 304 Proc. of IEEE Computer Society Symposium on Research in Security and Privacy 1990-May
7. S. Stanford-Chen S. Cheung R. Crawford M. Dilger J. Frank J. Hoagl K. Levitt C. Wee R. Yip D. Zerkle GrIDS-a graph based intrusion detection system for large networks Proc. of the 19th National Information Systems Security Conference (NISS '96) 361 370 Proc. of the 19th National Information Systems Security Conference (NISS '96) 1996
8. Cisco IOS NetFlow Configuration Guide, Release 12.4 Jul. 2008 Cisco.com http://www.cisco.com
9. B. Claise Cisco Systems NetFlow Services Export Version 9 Jul. 2008 RFC 3954 http: //www.ietf. org/rfc/rfc3954. txt
10. J. Quittek T. Zseby B. Claise S. Zander Requirements for IP Flow Information Export (IPFIX) Jul. 2008 RFC 3917 http://www.ietf.org/rfc/rfc3917.txt
11. H. Debar M. Dacier A. Wespi Towards a taxonomy of intrusion-detection systems Computer Networks 31 9 805 822 Apr. 1999
12. H. Debar M. Dacier A. Wespi A revised taxonomy for intrusion detection systems Annales des Telecommunications 55 7-8 361 378 Jul. 2000
13. S. Axelsson Intrusion detection systems: A survey and taxonomy Mar. 2000 99-15 Chalmers Univ.
14. H. Debar J. Viinikka Intrusion detection: Introduction to intrusion detection and security information management Foundations of Security Analysis and Design III 207 236 Sep. 2005
15. A. Lazarevic V. Kumar J. Srivastava Intrusion detection: A survey Managing Cyber Threats 19 78 June 2005
16. CERT Coordination Center Jul. 2008 http://www.cert.org/certcc.html
17. Internet2 NetFlow Weekly Reports Jul. 2008 http://netflow.internet2.edu/weekly
18. H. Dreger A. Feldmann V. Paxson R. Sommer Operational experiences with high-volume network intrusion detection Proc. SIGSAC: 11th ACM Conference on Computer and Communications Security (CSS'04) 2 11 Proc. SIGSAC: 11th ACM Conference on Computer and Communications Security (CSS'04) 2004
19. Z. Fadlullah T. Taleb N. Ansari K. Hashimoto Y. Y. Miyake Y. Nemoto N. Kato Combating against attacks on encrypted protocols IEEE International Conference on Communications (ICC '07) 1211 1216 IEEE International Conference on Communications (ICC '07) 2007-June
20. T. Taleb Z. M. Fadlullah K. Hashimoto Y. Nemoto N. Kato Tracing back attacks against encrypted protocols Proc. of the 2007 international conference on Wireless communications and mobile computing (IWCMC '07) 121 126 Proc. of the 2007 international conference on Wireless communications and mobile computing (IWCMC '07) 2007
21. S. Song Z. Chen Adaptive network flow clustering IEEE International Conference on Networking, Sensing and Control (ICNSC07) 596 601 IEEE International Conference on Networking, Sensing and Control (ICNSC07) 2007-April
22. B. Claise Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information Jul. 2008 RFC 5101 http://www.ietf.org/rfc/rfc5101.txt
23. G. Schaffrath B. Stiller Conceptual integration of flow-based and packet-based network intrusion detection Proc. of 2nd International Conference on Autonomous Infrastructure, Management and Security (AIMS '08) 190 194 Proc. of 2nd International Conference on Autonomous Infrastructure, Management and Security (AIMS '08) 2008
24. T. Fioreze M. O. Wolbers R. van de Meent A. Pras Finding elephant flows for optical networks Proc. of 10th IFIP/IEEE International Symposium on Integrated Network Management (IM '07) 627 640 Proc. of 10th IFIP/IEEE International Symposium on Integrated Network Management (IM '07) 2007-May
25. S. Leinen Evaluation of Candidate Protocols for IP Flow Information Export (IPFIX) Jul 2008 RFC 3955
26. Packet Sampling (PSAMP) working group Jul. 2008 http://www.ietf.org/html.charters/psamp-charter.html
27. D. Brauckhoff Β. Tellenbach A. Wagner M. May A. Lakhina Impact of packet sampling on anomaly detection metrics Proc. of the 6th ACM SIGCOMM conference on Internet measurement (IMC '06) 159 164 Proc. of the 6th ACM SIGCOMM conference on Internet measurement (IMC '06) 2006
28. J. Mai C.-N. Chuah A. Sridharan T. Ye H. Zang Is sampled data sufficient for anomaly detection? Proc. of the 6th ACM SIGCOMM Conference on Internet Measurement (IMC'06) 165 176 Proc. of the 6th ACM SIGCOMM Conference on Internet Measurement (IMC'06) 2006
29. T. Zseby T. Hirsch B. Claise Packet sampling for flow accounting: Challenges and limitations Proc. of 9th International Conference on Passive and Active Measurement (PAM'08) 61 71 Proc. of 9th International Conference on Passive and Active Measurement (PAM'08) 2008
30. E. Izkue E. Magaña Sampling time-dependent parameters in high-speed network monitoring Proc. of the ACM international workshop on Performance monitoring, measurement, and evaluation of heterogeneous wireless and wired networks (PM2HW2N '06) 13 17 Proc. of the ACM international workshop on Performance monitoring, measurement, and evaluation of heterogeneous wireless and wired networks (PM2HW2N '06) 2006
31. H. Wang Y. Lin Y. Jin S. Cheng Easily-implemented adaptive packet sampling for high speed networks flow measurement Proc. of 6th International Conference on Computational Science (ICCS'06) 128 135 Proc. of 6th International Conference on Computational Science (ICCS'06) 2006
32. G. He J. C. Hou An in-depth, analytical study of sampling techniques for self-similar internet traffic Proc.of 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05) 404 413 Proc.of 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05) 2005
33. C. Estan G. Varghese New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice ACM Transactions on Computer Systems (TOCS) 21 3 270 313 2003
34. N. Duffield C. Lund M. Thorup Flow sampling under hard resource constraints SIGMETRICS Perform. Eval. Rev. 32 1 85 96 2004
35. N. Duffield C. Lund M. Thorup Learn more, sample less: control of volume and variance in network measurement IEEE Transactions on Information Theory 51 5 1756 1775 May 2005
36. N. Alon N. Duffield C. Lund M. Thorup Estimating arbitrary subset sums with few probes Proc. of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems (PODS '05) 317 325 Proc. of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems (PODS '05) 2005
37. V. Igure R. Williams Taxonomies of attacks and vulnerabilities in computer systems Communications Surveys & Tutorials, IEEE 10 1 6 19 2008
38. N. Weaver V. Paxson S. Stamford R. Cunningham A taxonomy of computer worms Proc. of2003 ACM workshop on Rapid malcode (WORM'03) 11 18 Proc. of2003 ACM workshop on Rapid malcode (WORM'03) 2003
39. S. Hansman R. Hunt A taxonomy of network and computer attacks Computers & Security 24 1 31 43 Feb. 2005
40. D. Moore V. Paxson S. Savage C. Shannon S. Stamford N. Weaver Inside the slammer worm IEEE Security & Privacy 1 4 33 39 Jul.-Aug. 2003
41. J. D. Howard An analysis of security incidents on the internet 1989-1995 1998 Carnegie Mellon University
42. Countering the Largest Security Threat 36 2008 Spinger Botnet Detection
43. D. Dagon G. Gu C. Lee A taxonomy of botnet structures Botnet Detection 36 143 164 Oct. 2007
44. W. Strayer D. Lapsely R. Walsh C. Livadas Botnet detection based on network behavior Botnet Detection 36 1 24 2008
45. L. R. Halme R. K. Bauer AINT misbehaving-A taxonomy of anti-intrusion techniques Proc. of 18th NIST-NCSC National Information Systems Security Conference 163 172 Proc. of 18th NIST-NCSC National Information Systems Security Conference 1995
46. B. Morin L. Mé Intrusion detection and virology: an analysis of differences, similarities and complementariness Journal in Computer Virology 3 39 49 Apr. 2007
47. P. Li M. Salour X. Su A survey of internet worm detection and containment IEEE Communications Surveys & Tutorials 10 1 20 35 2008
48. M. Garuba C. Liu D. Fraites Intrusion techniques: Comparative study of network intrusion detection systems Proc. of 5th International Conference on Information Technology: New Generations (ITNG '08) 592 598 Proc. of 5th International Conference on Information Technology: New Generations (ITNG '08) 2008-Apr.
49. M. Almgren E. L. Barse E. Jonsson Consolidation and evaluation of IDS taxonomies Proc. of 8th Nordic Workshop on Secure IT systems (NordSec '03) Proc. of 8th Nordic Workshop on Secure IT systems (NordSec '03) 2003-Oct.
50. D. Moore C. Shannon D. J. Brown G. M. Voelker S. Savage Inferring Internet denial-of-service activity ACM Transactions on Computer Systems 24 2 115 139 May 2006
51. Z. Li Y. Gao Y. Chen Towards a highspeed router-based anomaly/intrusion detection system Aug. 2005 http://conferences.sigcomm.org/sigcomm/2005/poster-121.pdf
52. Y. Gao Ζ. Li Y. Chen A dos resilient flow-level intrusion detection approach for high-speed networks Proc. of the 26th IEEE International Conference on Distributed Computing Systems (ICDCS '06) 39 Proc. of the 26th IEEE International Conference on Distributed Computing Systems (ICDCS '06) 2006
53. S. M. Specht R. B. Lee Distributed denial of service: Taxonomies of attacks, tools, and countermeasures Proc. of the ISCA 17th International Conference on Parallel and Distributed Computing Systems (ISCA ΡDCS'04) 543 550 Proc. of the ISCA 17th International Conference on Parallel and Distributed Computing Systems (ISCA ΡDCS'04) 2004-Sep.
54. Q. Zhao J. Xu A. Kumar Detection of super sources and destinations in high-speed networks: Algorithms, analysis and evaluation IEEE Journal on Selected Areas in Communications 24 10 1840 1852 Oct. 2006
55. M.-S. Kim H.-J. Kong S.-C. Hong S.-H. Chung J. Hong A flow-based method for abnormal network traffic detection Proc. of IEEE/IFIP Network Operations and Management Symposium (NOMS'04) 599 612 Proc. of IEEE/IFIP Network Operations and Management Symposium (NOMS'04) 2004-Apr.
56. G. Münz G. Carle Real-time analysis of flow data for network attack detection Proc. of 10th IFIP/IEEE International Symposium on Integrated Network Management (IM'07) 100 108 Proc. of 10th IFIP/IEEE International Symposium on Integrated Network Management (IM'07) 2007
57. Diadem Firewall European Project Jul. 2008 http://www.diadem-firewall.org
58. C. D. A. Lakhina M. Crovella Characterization of network-wide anomalies in traffic flows Proc. of 4th ACM SIGCOMM conference on Internet measurement (IMC '04) 201 206 Proc. of 4th ACM SIGCOMM conference on Internet measurement (IMC '04) 2004
59. A. Lakhina M. Crovella C. Diot Mining anomalies using traffic feature distributions SIGCOMM Comput. Commun. Rev. 35 4 217 228 2005
60. A. Lakhina K. Papagiannaki M. Crovella C. Diot E. D. Kolaczyk N. Taft Structural analysis of network traffic flows SIGMETRICS Perform. Eval. Rev. 32 1 61 72 2004
61. A. Lakhina M. Crovella C. Diot Diagnosing network-wide traffic anomalies Proc. of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications (SIGCOMM '04) 4 219 230 Proc. of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications (SIGCOMM '04) 2004
62. Sprint.net Jul. 2008 http://www.sprint.net
63. A. Sperotto R. Sadre A. Pras Anomaly characterization in flow-based traffic time series Proc. of the 8th IEEE International Workshop on IP Operations and Management, IPOM 2008 15 27 Proc. of the 8th IEEE International Workshop on IP Operations and Management, IPOM 2008 Samos Greece 2008-Sep.
64. SURFnet Jul. 2008 www.surfnet.nl
65. A. Wagner B. Plattner Entropy based worm and anomaly detection in fast IP networks Proc. of 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE '05) 172 177 Proc. of 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE '05) 2005-June
66. C. E. Shannon A mathematical theory of communication The Bell System Technical Journal 27 3 379 423 1948
67. C. Gates J. McNutt J. Kadane M. Kellner Scan detection on very large networks using logistic regression modeling Proc. of 11th IEEE Symposium on Computers and Communications (ISCC'06) 402 408 Proc. of 11th IEEE Symposium on Computers and Communications (ISCC'06) 2006
68. M. Stoecklin J.-Y. L. Boudec A. Kind A two-layered anomaly detection technique based on multi-modal flow behavior models Proc. of 9th International Conference on Passive and Active Measurement (PAM'08) 212 221 Proc. of 9th International Conference on Passive and Active Measurement (PAM'08) 2008
69. T. Dübendorfer B. Plattner Host behaviour based early detection of worm outbreaks in internet backbones Proc. of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05) 166 171 Proc. of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05) 2005
70. T. Dübendorfer A. Wagner B. Plattner A framework for real-time worm attack detection and backbone monitoring Proc.of 1st IEEE International Workshop on Critical Infrastructure Protection (IWCIP' 05) Proc.of 1st IEEE International Workshop on Critical Infrastructure Protection (IWCIP' 05) 2005-Nov.
71. A. Wagner T. Dübendorfer Β. Plattner R. Hiestand Experiences with worm propagation simulations Proc. of 2003 ACM workshop on Rapid malcode (WORM'03) 34 41 Proc. of 2003 ACM workshop on Rapid malcode (WORM'03) 2003
72. M. Lee T. Shon K. Cho M. Chung J. Seo J. Moon An approach for classifying internet worms based on temporal behaviors and packet flows Proc. of 3rd Int. Conf. on Intelligent Computing (ICIC 2007) 646 655 Proc. of 3rd Int. Conf. on Intelligent Computing (ICIC 2007) 2007
73. C. Zou W. Gong D. Towsley Code red worm propagation modeling and analysis Proc. of 17th USENIX Security Symposium (USENIX Security '08) 138 147 Proc. of 17th USENIX Security Symposium (USENIX Security '08) 2002
74. F. Dressler W. Jaegers R. German Flow-based worm detection using correlated honeypot logs Proc. of 15th GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2007) 181 186 Proc. of 15th GI/ITG Fachtagung Kommunikation in Verteilten Systemen (KiVS 2007) 2007-Feb.
75. M. Collins M. Reiter Hit-list worm detection and bot identification in large networks using protocol graphs Proc. of 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07) 276 295 Proc. of 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07) 2007
76. D. H. A. Karasaridis B. Rexroad Wide-scale botnet detection and characterization Proc.of the first conference on First Workshop on Hot Topics in Understanding Botnets (HotBots'07) 1 8 Proc.of the first conference on First Workshop on Hot Topics in Understanding Botnets (HotBots'07) 2007
77. C. Livadas R. Walsh D. Lapsley W. Strayer Using machine learning techniques to identify botnet traffic Proc. of 31st IEEE Conference on Local Computer Networks (LCN'06) 967 974 Proc. of 31st IEEE Conference on Local Computer Networks (LCN'06) 2006
78. G. Gu R. Perdisci J. Zhang W. Lee Botminer: Clustering analysis of network traffic for protocol-and structure-independent botnet detection Proc. of 17th USENIX Security Symposium (USENIX Security '08) 139 154 Proc. of 17th USENIX Security Symposium (USENIX Security '08) 2008-June
79. Z. Zhu G. Lu Y. Chen Ζ. Fu P. Roberts K. Han Botnet research survey 32nd Annual IEEE International Computer Software and Applications (COMPSAC '08) 967 972 32nd Annual IEEE International Computer Software and Applications (COMPSAC '08) 2008-Aug.
80. Q. Xiaofeng H. Jihong C. Ming Flow-based anti-spam Proc. of 4th IEEE Workshop on IP Operations and Management (IPOMV4) 99 103 Proc. of 4th IEEE Workshop on IP Operations and Management (IPOMV4) 2004-Oct.
81. The state of spam, a monthly report-july 2008 Jul. 2008 Symantec.com http://www.symantec.com/
82. A. Ramachandran N. Feamster Understanding the network-level behavior of spammers SIGCOMM Comput. Commun. Rev. 36 4 291 302 2006