HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency

Zhichun Li*, Yan Gao, Yan Chen

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

21 Scopus citations


Global-scale attacks like worms and botnets are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper, leveraging data streaming techniques such as the reversible sketch, we design HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND: (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst-case traffic of 40-byte-packet streams with each packet forming a flow.

Original languageEnglish (US)
Pages (from-to)1282-1299
Number of pages18
JournalComputer Networks
Issue number8
StatePublished - Jun 1 2010


  • Attack resilience
  • Data streaming
  • Intrusion detection
  • Network monitoring
  • Network-level security and protection
  • Statistical detection

ASJC Scopus subject areas

  • Computer Networks and Communications


Dive into the research topics of 'HiFIND: A high-speed flow-level intrusion detection approach with DoS resiliency'. Together they form a unique fingerprint.

Cite this