TY - GEN
T1 - A DoS resilient flow-level intrusion detection approach for High-speed networks
AU - Gao, Yan
AU - Li, Zhichun
AU - Chen, Yan
PY - 2006
Y1 - 2006
N2 - Global-scale attacks like viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper we leverage data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND 1) is scalable to flow-level detection on high-speed networks; 2) is DoS resilient; 3) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; 4) enables aggregate detection over multiple routers/gateways; and 5) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (approximately 10s of Gigabit/second), even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.
AB - Global-scale attacks like viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper we leverage data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND 1) is scalable to flow-level detection on high-speed networks; 2) is DoS resilient; 3) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; 4) enables aggregate detection over multiple routers/gateways; and 5) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (approximately 10s of Gigabit/second), even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.
KW - Data streaming
KW - High-speed networking
KW - Intrusion detection
KW - Statistical detection
UR - http://www.scopus.com/inward/record.url?scp=33947634049&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33947634049&partnerID=8YFLogxK
U2 - 10.1109/ICDCS.2006.6
DO - 10.1109/ICDCS.2006.6
M3 - Conference contribution
AN - SCOPUS:33947634049
SN - 0769525407
SN - 9780769525402
T3 - Proceedings - International Conference on Distributed Computing Systems
BT - 26th IEEE International Conference on Distributed Computing Systems, ICDCS 2006
T2 - 26th IEEE International Conference on Distributed Computing Systems, ICDCS 2006
Y2 - 4 July 2006 through 7 July 2006
ER -