A scalable, efficient and informative approach for anomaly-based intrusion detection systems: Theory and practice

International Journal of Network Management

Volumn 20, Issue 5, 2010, Pages 271-293

  Salem, Osman ^a   Vaton, Sandrine ^b   Gravey, Annie ^b  

^a Huawei Technologies Co   (France)

^b ECOLE DES MINES DE NANTES   (France)

Author keywords

[No Author keywords available]

Indexed keywords

ANALYSIS RESULTS; ANOMALY DETECTION; ANOMALY-BASED INTRUSION DETECTION; COUNT-MIN SKETCH; DESCRIPTORS; FLASH CROWD; FLOW SAMPLING; IN-CELL; NETWORK SCANNING; NEW APPROACHES; ONLINE IMPLEMENTATION; PORT SCANNING; RANDOM AGGREGATION; REDUCTION PHASE; RESPONSE TIME; REVERSIBLE SKETCHES; SEQUENTIAL CHANGES; SHORT-LIVED FLOW; THEORY AND PRACTICE; TRAFFIC TRACES;

COMPUTER CRIME; DATA REDUCTION; DATA STRUCTURES;

INTRUSION DETECTION;

EID: 77956377864     PISSN: 10557148     EISSN: 10991190     Source Type: Journal    
DOI: 10.1002/nem.748     Document Type: Article

References (59)

1. Roesch M. Snort: lightweight intrusion detection for networks. In LISA 99: Proceedings of the 13th USENIX Conference on System Administration, Berkeley, CA, 1999;229-238.
2. Paxson V. Bro: a system for detecting network intruders in real-time. Computer Networks 1999;31%(23-24):2435-2463.
3. Moore D, Voelker GM, Savage S. Inferring internet denial-of-service activity. In Proceedings of the 10th Conference on USENIX Security Symposium (SSYM 01), 2001;9-22.
4. Claise B, Bryant S, Sadasivan G, Leinen S, Dietz T. Specification of the IP Flow Information Export (IPFIX) Protocol for the exchange of IP traffic flow information. RFC 5101, January 2008.
5. Wang H, Zhang D, Shin KG. Detecting SYN flooding attacks. In Proceedings of IEEE Infocom 02, 2002.
6. Wang H, Zhang D, Shin KG. SYN-dog: sniffing SYN flooding sources. In Proceedings of the 22th International Conference on Distributed Computing Systems (ICDCS 02), 2002;421-429.
7. Siris VA, Papagalou F. Application of anomaly detection algorithms for detecting SYN flooding attacks. In Proceedings of IEEE Global Telecommunications Conference (GLOBECOM 04), Vol. 4, Dallas, TX, 2004;2050-2054.
8. Ye N, Vilbert S, Chen Q. Computer intrusion detection through EWMA for autocorrelated and uncorrelated data. IEEE Transactions on Reliability 2003;51(1):75-82.
9. Charikar M, Chen K, Farach-Colton M. Finding frequent items in data streams. In Proceedings of the 29th International Colloquium on Automata, Languages and Programming (ICALP 02), 2002;693-703.
10. Krishnamurthy B, Sen S, Zhang Y, Chen Y. Sketch-based change detection: methods, evaluation, and applications. In Proceedings of the 3rd ACM SIGCOMM Conference on Internet Measurement (IMC 03), 2003;234-247.
11. Li X, Bian F, Crovella M, Diot C., Govindan R, Iannaccone G, Lakhina A. Detection and identification of network anomalies using sketch subspaces. In Proceedings of the 6th ACMSIGCOMM on Internet Measurement (IMC 06), 2006;147-152.
12. Cormode G, Muthukrishnan S. An improved data stream summary: the Count-Min sketch and its applications. Journal of Algorithms 2005;55(1):58-75.
13. Tartakovsky A, Rozovskii B, Blazek R, Kim H. Detection of intrusion in information systems by sequential change-point methods. Statistical Methodology 2006;3(3):252-340.
14. Kim H, Rozovskii B, Tartakovsky A. A nonparametric multichart CUSUM test for rapid intrusion detection. International Journal of Computing and Information Science 2004;2(3):149-158.
15. Lu W, Ghorbani A. Network anomaly detection based on wavelet analysis. EURASIP Journal on Advances in Signal Processing 2009;1-16.
16. Nychis G, Sekar V, Andersen DG, Kim H, Zhang H. An empirical evaluation of entropy-based traffic anomaly detection. In Proceedings of the 8th ACM SIGCOMM Conference on Internet Measurement (IMC 08), 2008;151-156.
17. Bu S, Wang R, Zhou H. Anomaly network traffic detection based on auto-adapted parameters method. In Proceedings of the 4th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM 08), 2008;601-607.
18. Brutlag JD. Aberrant behavior detection in time series for network monitoring. In Proceedings of the 14th USENIX Conference on System administration (LISA 00), 2000;139-146.
19. Yu J, Lee H, Kim M-S, Park D. Traffic flooding attack detection with SNMP MIB using SVM. Computer Communications 2008;31(17):4212-4219.
20. Lakhina A, Crovella M, Diot C. Diagnosing network-wide traffic anomalies. In Proceedings of the 2004 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM 04), 2004;219-230.
21. Huang L, Nguyen X, Garofalakis M, Hellerstein JM. Communication-efficient online detection of network-wide anomalies. In IEEE Conference on Computer Communications (INFOCOM), 2007;134-142.
22. Zhang Y, Singh S, Sen S, Duffield N, Lund C. Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications. In IMC 04: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, 2004;101-114.
23. Feng W, Zhang Z, Jia Z, Fu Z. Reversible sketch based on the XOR-based hashing. In Proceedings of the Asia-Pacific Conference on Services Computing (APSCC 06), 2006;93-98.
24. Schweller R, Li Z, Chen Y, Gao Y, Gupta A, Parsons E, Zhang Y, Dinda P, Kao M-Y, Memik G. Reverse hashing for high-speed network monitoring: algorithms, evaluation, and applications. In Proceedings of IEEE International Conference on Computer Communications (INFOCOM '06), April 2006;1-12.
25. Schweller R, Li Z, Chen Y, Gao Y, Gupta A, Zhang Y, Dinda P, Kao M-Y, Memik G. Reversible sketches: enabling monitoring and analysis over high-speed data streams. IEEE/ACM Transactions on Networking 2007;15(5):1059-1072.
26. Bu T, Cao J, Chen A, Lee P. A fast and compact method for unveiling significant patterns in high speed networks. In 26th IEEE International Conference on Computer Communications (INFOCOM 2007), 2007;1893-1901.
27. Ringberg H, Soule A, Rexford J, Diot C. Sensitivity of PCA for traffic anomaly detection. In Proceedings of the ACM SIGMETRICS 07 Conference, 2007;109-120.
28. Wang H, Zhang D, Shin KG. Change-point monitoring for the detection of DoS attacks. IEEE Transactions on Dependable and Secure Computing 2004;1(4):1993-2004.
29. Lim B, Uddin M. Statistical-based SYN-flooding detection using programmable network processor. In Proceedings of the 3rd International Conference on Information Technology and Applications (ICITA 05), 2005;465-470.
30. He L, Tang B, Yu S. Available bandwidth estimation and its application in detection of DDoS attacks. In Proceedings of the 11th IEEE Singapore International Conference on Communication Systems (ICCS 08), 2008;1187-1191.
31. Lee P, Bu T, Woo T. On the detection of signaling DoS attacks on 3G wireless networks. In Proceedings of the 26th IEEE International Conference on Computer Communications (INFOCOM 07), 2007;1289-1297.
32. Yan G, Cuellar L, Eidenbenz S, Hengartner N. Blue-Watchdog: detecting Bluetooth worm propagation in public areas. In Proceedings of the IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 09), 2009;317-326.
33. Bo C., Fang B-X, Yun X-C. A new approach for early detection of Internet worms based on connection degree. In Proceedings of the 2005 International Conference on Machine Learning and Cybernetics, Guangzhou, China, 2005;2424-2430.
34. Bu T, Chen A, VanDerWiel S, Woo T. Design and evaluation of a fast and robust worm detection algorithm. In Proceedings of IEEE International Conference on Computer Communications (INFOCOM 06), 2006;1-12.
35. Ahmed E, Clark A, Mohay G. A novel sliding window based change detection algorithm for asymmetric traffic. In Proceedings of the IFIP International Conference on Network and Parallel Computing (NPC 08), 2008;168-175.
36. Ahmed E, Clark A, Mohay G. Effective change detection in large repositories of unsolicited traffic. In Proceedings of the 4th International Conference on Internet Monitoring and Protection (ICIMP 09), 2009;1-6.
37. Tartakovsky A, Hongjoong K. Performance of certain decentralized distributed change detection procedures. In Proceedings of the 9th International Conference on Information Fusion, 2006;1-8.
38. Kang J, Zhang J-Y. Application entropy theory to detect new peer-to-peer botnet with multi-chart CUSUM. In Proceedings of the 2nd International Symposium on Electronic Commerce and Security (ISECS 09), 2009;470-474.
39. Fadlullah Z, Taleb T, Ansari N, Hashimoto K, Miyake Y, Nemoto Y, Kato N. Combating against attacks on encrypted protocols. In Proceedings of the IEEE International Conference on Communications, 2007 (ICC07), 2007;1211-1216.
40. Claise B, Sadasivan G, Valluri V, Djernaes M. Cisco Systems NetFlow Services Export Version 9. RFC 3954, October 2004.
41. Brauckhoff D, Tellenbach B, Wagner A, May M, Lakhina A. Impact of packet sampling on anomaly detection metrics. In Proceedings of the 6th ACM SIGCOMM conference on Internet measurement (IMC 06), 2006;159-164.
42. Mai J, Chuah C-N, Sridharan A, Ye T, Zang H. Is sampled data sufficient for anomaly detection? In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (IMC 06), 2006;165-176.
43. Kawahara R, Mori T, Kamiyama N, Harada S, Asano S. A study on detecting network anomalies using sampled flow statistics. In Proceedings of the International Symposium on Applications and the Internet Workshops, 2007.
44. Hohn N, Veitch D. Inverting sampled traffic. IEEE/ACM Transactions on Networking 2006;14(1):68-80.
45. Androulidakis G, Chatzigiannakis V, Papavassiliou S. Network anomaly detection and classification via opportunistic sampling. IEEE Network 2009;23(1):6-12.
46. Androulidakis G, Papavassiliou S. Improving network anomaly detection via selective flow-based sampling. IET Communications Journal 2008;2(3):399-409.
47. Cormode G, Korn F, Muthukrishnan S, Srivastava D. Diamond in the rough: finding hierarchical heavy hitters in multi-dimensional data. In Proceedings of the 23rd ACM SIGMOD, 2004;155-166.
48. Cormode G, Muthukrishnan S. What's new: finding significant differences in network data streams. In Proceedings of IEEE Infocom, 2004;1534-1545.
49. Lakhina A, Crovella M, Diot C. Mining anomalies using traffic feature distributions. SIGCOMM Computer Communication Review 2005;35(4):217-228.
50. Salem O, Vaton S, Gravey A. An efficient online anomalies detection mechanism for high-speed networks. In IEEE Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2007), November 2007.
51. Dewaele G, Fukuda K, Borgnat P, Abry P, Cho K. Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures. In Proceedings of the ACM SIGCOMM Workshop on Large-Scale Attack Defense (LSAD07), 2007.
52. Callegari C., Giordano S, Pagano M, Pepe T. On the use of sketches and wavelet analysis for network anomaly detection. In Proceedings of the 1st International Workshop on Traffic Analysis and Classification (TRAC), 2010.
53. Levy-Leduc C., Roueff F. Detection and localization of change points in high-dimensional network traffic data. Annals of Applied Statistics, 2009;3(2):637-662.
54. Barlet-Ros P, Iannaccone G, Sanjuàs-Cuxart J, Amores-Lopez D, Solé-Pareta J. Load shedding in network monitoring applications. In Proceedings of the USENIX Annual Technical Conference (ATC 07), 2007;1-14.
55. Fluhrer S, McGrew D. Statistical analysis of the alleged RC4 keystream generator. In Proceedings of the 7th International Workshop on Fast Software Encryption (FSE 00), 2001;19-30.
56. Optimized RC4 code. Available: http://www.zengl.net/freeswan/[9 July 2010].
57. Count-Min sketch source code. Available: http://www.cs.rutgers.edu/muthu/ massdal-code-index.html [9 July 2010].
58. MAWI working group traffic archive. http://mawi.wide.ad.jp/mawi/.
59. Thorup M, Zhang Y. Tabulation based 4-Universal hashing with applications to second moment estimation. In Proceedings of the ACM-SIAM Symposium on Discrete Algorithms (SODA 04), New Orleans, LA, January 2004.