Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation of why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, botnets and Denial of Service (DoS) attacks.
Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows, rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as NetFlow and IPFIX, data collection, and data analysis. In contrast to what is often assumed, all stages of flow monitoring are closely intertwined. Each of these stages therefore has to be thoroughly understood, before being able to perform sound flow measurements. Otherwise, flow data artifacts and data loss can be the consequence, potentially without being observed. This paper is the first of its kind to provide an integrated tutorial on all stages of a flow monitoring setup. As shown throughout this paper, flow monitoring has evolved from the early nineties into a powerful tool, and additional functionality will certainly be added in the future. We show, for example, how the previously opposing approaches of Deep Packet Inspection and flow monitoring have been united into novel monitoring approaches.
Flow-based intrusion detection has recently become a promising security mechanism in high-speed networks (1-10 Gbps). Despite the richness of contributions in this field, benchmarking of flow-based IDS is still an open issue. In this paper, we propose the first publicly available, labeled data set for flow-based intrusion detection. The data set aims to be realistic, i.e., representative of real traffic and complete from a labeling perspective. Our goal is to provide such an enriched data set for tuning, training and evaluating ID systems. Our setup is based on a honeypot running widely deployed services and directly connected to the Internet, ensuring attack exposure. The final data set consists of 14.2M flows, and more than 98% of them have been labeled.
Supervisory Control And Data Acquisition (SCADA) networks are commonly deployed to aid the operation of large industrial facilities. Modern SCADA networks are becoming more vulnerable to network attacks, due to the now common use of standard communication protocols and increased interconnection to corporate networks and the Internet. In this work, we propose an approach to improve the security of these networks based on flow whitelisting. A flow whitelist describes the legitimate traffic solely using four properties of network packets: the client address, the server address, the server-side port, and the transport protocol. The proposed approach consists of learning a flow whitelist by capturing network traffic and aggregating it into flows for a given period of time. After this learning phase is complete, any non-whitelisted connection observed generates an alarm. The evaluation of the approach focuses on two important whitelist characteristics: size and stability. We demonstrate the applicability of the approach using real-world traffic traces, captured in two water treatment plants and a gas and electric utility.
* r.barbosa@utwente.nl † a.pras@utwente.nl ‡ rsadre@cs.aau.dk
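The following is an added illustration, not code from any of the papers summarized above. It ties together two of the abstracts: the aggregation of packets into flows (second abstract) and the learning of a flow whitelist keyed on client address, server address, server-side port and transport protocol, followed by alarming on non-whitelisted connections and a simple stability measure (fourth abstract). Everything in it is an assumption of the example rather than a description of the authors' implementations: the 5-tuple flow key with a simplified active timeout, the port-based heuristic for deciding which end of a unidirectional flow is the client, the use of Modbus/TCP port 502 as a stand-in SCADA service, and the constructed packet data.

```python
"""Flow aggregation and flow-whitelist learning on constructed sample traffic.

Added example; the flow key, timeout rule, direction heuristic and sample
packets are assumptions, not taken from the surveyed papers.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    """A unidirectional flow: all packets sharing one 5-tuple (assumed key)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def aggregate_flows(packets, active_timeout=60.0):
    """Group packets into flow records keyed by the 5-tuple.

    Each packet is a dict with keys ts, src, dst, proto, sport, dport, length.
    A fresh record is started when a packet arrives more than active_timeout
    seconds after the flow's first packet (simplified expiry rule; assumption).
    """
    active = {}
    exported = []
    for p in sorted(packets, key=lambda p: p["ts"]):
        key = (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])
        flow = active.get(key)
        if flow is not None and p["ts"] - flow.first_seen > active_timeout:
            exported.append(active.pop(key))   # active timeout: export and restart
            flow = None
        if flow is None:
            flow = Flow(*key, first_seen=p["ts"])
            active[key] = flow
        flow.packets += 1
        flow.octets += p["length"]
        flow.last_seen = p["ts"]
    exported.extend(active.values())           # flush whatever is still active
    return exported


KNOWN_SERVER_PORTS = frozenset({22, 53, 80, 443, 502})  # assumed service ports


def whitelist_entry(flow):
    """Reduce a flow to (client, server, server_port, proto).

    If the destination port is a known service port, the source is the client.
    If only the source port is a known service port, the flow is a server reply
    and the roles are swapped. This port heuristic is an assumption of the
    example; a deployment would use the TCP handshake direction instead.
    Ephemeral client ports are deliberately dropped, which keeps the whitelist
    small and stable across sessions.
    """
    if flow.dport in KNOWN_SERVER_PORTS or flow.sport not in KNOWN_SERVER_PORTS:
        return (flow.src, flow.dst, flow.dport, flow.proto)
    return (flow.dst, flow.src, flow.sport, flow.proto)


def learn_whitelist(flows):
    """Learning phase: every observed flow is assumed legitimate."""
    return {whitelist_entry(f) for f in flows}


def detect(flows, whitelist):
    """Detection phase: one alarm per flow whose entry is not whitelisted."""
    return [f for f in flows if whitelist_entry(f) not in whitelist]


def stability(old_whitelist, new_whitelist):
    """Fraction of entries learned in a later window already present earlier."""
    if not new_whitelist:
        return 1.0
    return len(old_whitelist & new_whitelist) / len(new_whitelist)


def pkt(ts, src, dst, proto, sport, dport, length=64):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "length": length}


# Constructed learning traffic: an HMI polling a PLC over Modbus/TCP, plus DNS.
LEARNING_PACKETS = [
    pkt(0.0, "10.0.0.10", "10.0.0.50", "tcp", 40000, 502),
    pkt(0.1, "10.0.0.50", "10.0.0.10", "tcp", 502, 40000),
    pkt(5.0, "10.0.0.10", "10.0.0.50", "tcp", 40000, 502),
    pkt(7.0, "10.0.0.10", "10.0.0.1", "udp", 53000, 53),
    pkt(7.1, "10.0.0.1", "10.0.0.10", "udp", 53, 53000),
]

# Constructed monitoring traffic: one legitimate poll and two deviations.
MONITORING_PACKETS = [
    pkt(100.0, "10.0.0.10", "10.0.0.50", "tcp", 40100, 502),  # known client/server/port
    pkt(101.0, "10.0.0.99", "10.0.0.50", "tcp", 41000, 502),  # unseen host reaching the PLC
    pkt(102.0, "10.0.0.10", "10.0.0.50", "tcp", 41001, 22),   # known hosts, unseen service
]


def run_example():
    """Learn from the first window, then alarm on the second."""
    learned = learn_whitelist(aggregate_flows(LEARNING_PACKETS))
    alarms = detect(aggregate_flows(MONITORING_PACKETS), learned)
    return learned, alarms


if __name__ == "__main__":
    learned, alarms = run_example()
    print(f"whitelist size: {len(learned)}")
    for f in alarms:
        print(f"ALARM {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

The two learning flows of the Modbus session (request and reply directions, four 5-tuples in total with DNS) collapse into just two whitelist entries because the ephemeral client port is not part of the key; this is the property that makes the whitelist size manageable and its contents stable across re-learning windows. The monitoring window then raises exactly two alarms: a previously unseen host talking to the PLC, and a known host using a service port never observed during learning.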