Towards real-time intrusion detection for NetFlow and IPFIX

2013 9th International Conference on Network and Service Management, CNSM 2013 and its three collocated Workshops - ICQT 2013, SVM 2013 and SETM 2013

Volumn , Issue , 2013, Pages 227-234

  Hofstede, Rick ^a   Bartoš, Vaclav ^b   Sperotto, Anna ^a   Pras, Aiko ^a  

^a UNIVERSITY OF TWENTE   (Netherlands)

^b BRNO UNIVERSITY OF TECHNOLOGY   (Czech Republic)

Author keywords

Denial of service; Flow monitoring; Internet measurements; Intrusion detection; IPFIX; NetFlow

Indexed keywords

INDUSTRY; NETWORK ARCHITECTURE;

DENIAL OF SERVICE; FLOW MONITORING; INTERNET MEASUREMENT; IPFIX; NETFLOWS;

INTRUSION DETECTION;

EID: 84894455825     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CNSM.2013.6727841     Document Type: Conference Paper

References (20)

1. The Spamhaus Project, "Spamhaus, " 2013, accessed on 9 August 2013. [online]. Available: http://www. spamhaus. org
2. The New York Times, "Firm Is Accused of Sending Spam, and Fight Jams Internet, " March 2013, accessed on 9 August 2013. [online]. Available: http://www. nytimes. com/2013/03/27/technology/ internet/online-dispute-becomes- internet-snarling-attack. html
3. Ars Technica, "Can a DDoS break the Internet? Sure just not all of it, " April 2013, accessed on 9 August 2013. [online]. Available: http://arstechnica. com/security/2013/04/ can-A-ddos-break-The-internet-sure- just-not-all-of-it/
4. Arbor Networks, "DDoS and Security Reports: The Arbor Networks Security Blog, " December 2012, accessed on 9 August 2013. [online]. Available: http://ddos. arbornetworks. com/2012/12/ lessons-learned-from-The-u- s-financial-services-ddos-attacks/
5. B. Claise, "Cisco Systems NetFlow Services Export Version 9, " RFC 3954 (Informational), Internet Engineering Task Force, October 2004. [online]. Available: http://www. ietf. org/rfc/rfc3954. txt
6. G. Sadasivan, N. Brownlee, B. Claise, and J. Quittek, "Architecture for IP Flow Information Export, " RFC 5470 (Informational), Internet Engineering Task Force, March 2009. [online]. Available: http: //www. ietf. org/rfc/rfc5470. txt
7. B. Claise, S. Bryant, S. Leinen, T. Dietz, and B. Trammell, "Specification of the IP Flow Information Export protocol, " RFC 5101 (Standards Track), Internet Engineering Task Force, January 2008. [online]. Available: http://www. ietf. org/rfc/rfc5101. txt
8. A. A. Galtsev and A. M. Sukhov, "Network Attack Detection at Flow Level, " in Proceedings of the 11th International Conference and 4th International Conference on Smart Spaces and Next Neneration Wired/Wireless Networking, NEW2AN'11/ruSMART'11, ser. Lecture Notes in Computer Science, 2011, pp. 326-334.
9. M.-S. Kim, H.-J. Kang, S.-C. Hong, S.-H. Chung, and J. W. Hong, "A Flow-based Method for Abnormal Network Traffic Detection, " in IEEE Network Operations and Management Symposium, NOMS 2004, vol. 1, April 2004, pp. 599-612.
10. G. Munz and G. Carle, "Real-time Analysis of Flow Data for Network Attack Detection, " in 10th IFIP/IEEE International Symposium on Integrated Network Management, IM 2007, 2007, pp. 100-108.
11. R. Hofstede and A. Pras, "Real-Time and Resilient Intrusion Detection: A Flow-Based Approach, " in Dependable Networks and Services. Proceedings of the 6th International Conference on Autonomous Infrastructure, Management and Security, AIMS 2012, June 2012, pp. 109-112.
12. R. Sadre, A. Sperotto, and A. Pras, "The Effects of DDoS Attacks on Flow Monitoring Applications, " in IEEE Network Operations and Management Symposium, NOMS 2012, 2012, pp. 269-277.
13. Cisco Systems, "Introduction to Cisco IOS NetFlow-A Technical Overview, " White paper, May 2012.
14. Juniper Networks, Inc., "flow-inactive-timeout-Technical Documentation, " November 2012, accessed on 9 August 2013. [online]. Available: http://www. juniper. net/ techpubs/en US/junos/topics/reference/ configuration-statement/ flow-inactive-timeout-edit-forwarding-options. html
15. V. A. Siris and F. Papagalou, "Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks, " Computer Communications, vol. 29, no. 9, pp. 1433-1442, 2006.
16. N. Ye, C. Borror, and Y. Zhang, "EWMA Techniques for Computer Intrusion Detection Through Anomalous Changes in Event Intensity, " Quality and Reliability Engineering International, vol. 18, no. 6, pp. 443-451, 2002.
17. H. Wang, D. Zhang, and K. Shin, "Detecting SYN flooding attacks, " in INFOCOM 2002. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 3, 2002, pp. 1530-1539.
18. G. Munz and G. Carle, "Application of forecasting techniques and control charts for traffic anomaly detection, " in Proceedings of the 19th ITC Specialist Seminar on Network Usage and Traffic, 2008.
19. J. D. Brutlag, "Aberrant Behavior Detection in Time Series for Network Monitoring, " in Proceedings of the 14th Conference on Systems Administration, LISA 2000, 2000, pp. 139-146.
20. A. Sperotto, M. Mandjes, R. Sadre, P. T. de Boer, and A. Pras, "Autonomic Parameter Tuning of Anomaly-Based IDSs: an SSH Case Study, " in IEEE Transactions on Network and Service Management, vol. 9, no. 2, 2012, pp. 128-141.