A stateful intrusion detection system for world-wide web servers

Vigna, Giovanni; Robertson, William; Kher, Vishal; Kemmerer, Richard A.

doi:10.1109/csac.2003.1254308

Cited by 81 publications

(42 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Software-based solutions like Bro [11], Snort [12], and WebSTAT [15] perform analysis of TCP flows, but are limited to processing data at rates less than 100Mbps. FPGA-based network processing systems can process network traffic at much higher data rates.…”

Section: Related Workmentioning

confidence: 99%

A Modular System for FPGA-Based TCP Flow Processing in High-Speed Networks

Schuehler

Lockwood

2004

Field Programmable Logic and Application

View full text Add to dashboard Cite

Abstract. Field Programmable Gate Arrays (FPGAs) can be used in Intrusion Prevention Systems (IPS) to inspect application data contained within network flows. An IPS operating on high-speed network traffic can be used to stop the propagation of Internet worms and to protect networks from Denial of Services (DoS) attacks. When used in the backbone of a core network, the device will be exposed to millions of active flows simultaneously. In order to protect the data in each connection, network devices will need to track the state of every flow. This must be done at multi-gigabit line rates without introducing significant delays. This paper describes a high performance TCP processing system called TCP-Processor which supports flow processing in high-speed networks utilizing multiple devices. This circuit provides stateful flow tracking, TCP stream reassembly, context storage, and flow manipulation services for applications which process TCP data streams. A simple client interface eases the complexities associated with processing TCP data streams. In addition, a set of encoding and decoding circuits has been developed which efficiently transports this interface between multiple FPGA devices. The circuit has been implemented in FPGA hardware and tested using live Internet traffic.

show abstract

Section: Related Workmentioning

confidence: 99%

A Modular System for FPGA-Based TCP Flow Processing in High-Speed Networks

Schuehler

Lockwood

2004

Field Programmable Logic and Application

View full text Add to dashboard Cite

show abstract

“…Traditionally, intrusion detection methods fall into two main categories according to their method of detection [1], [2]. These categories are signature-based detection (also known as knowledge-based detection or misuse detection) and anomaly-based detection (also known as behaviorbased detection).…”

Section: Introductionmentioning

confidence: 99%

“…a) E-mail: aozkaya@mevlana.edu.tr DOI: 10.1587/transinf.2015EDP7357 day) attacks. It analyzes the patterns of normal network and system activities, and classifies them as anomalous if they differ from normal patterns [1]. Because machine learning algorithms enable computer systems to learn in a manner similar to the way in which a human learns, they are typically used in anomaly-based IDS.…”

Section: Introductionmentioning

confidence: 99%

Design of Multilevel Hybrid Classifier with Variant Feature Sets for Intrusion Detection System

Akyol

Hacıbeyoğlu

Karlık

2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYWith the increase of network components connected to the Internet, the need to ensure secure connectivity is becoming increasingly vital. Intrusion Detection Systems (IDSs) are one of the common security components that identify security violations. This paper proposes a novel multilevel hybrid classifier that uses different feature sets on each classifier. It presents the Discernibility Function based Feature Selection method and two classifiers involving multilayer perceptron (MLP) and decision tree (C4.5). Experiments are conducted on the KDD'99 Cup and ISCX datasets, and the proposal demonstrates better performance than individual classifiers and other proposed hybrid classifiers. The proposed method provides significant improvement in the detection rates of attack classes and Cost Per Example (CPE) which was the primary evaluation method in the KDD'99

show abstract

“…This set is composed of 71,596 HTTP requests. To check if this set contains only non-intrusive requests, we use WebSTAT [10] and the blackbox IDS of [8]: all alerts generated have been confirmed to be false positives. Thus we have a high confidence in the fact that the traffic does not contain successful attacks.…”

Section: Evaluation Of the False Positive Ratementioning

confidence: 99%

Anomaly Detection with Diagnosis in Diversified Systems using Information Flow Graphs

Majorczyk

Totel

Mé

et al.

Proceedings of the Ifip Tc 11 23rd International Information Security Conference

View full text Add to dashboard Cite

Design diversity is a well-known method to ensure fault tolerance. Such a method has also been applied successfully in various projects to provide intrusion detection and tolerance. Two types of approaches have been investigated: the comparison of the outputs of the diversified services without any knowledge of the internals of the server (black box approach) or an intrusive observation of the activities that occur on the diversified servers (gray box approach). Previous work on black-box approaches have shown that some types of attacks cannot be detected. In this paper, we introduce a gray-box approach, on the one hand to increase the detection coverage, and on the other hand to add some diagnosis capability to the IDS. Our gray-box approach is based on the comparison of information flow graphs generated by the activities on the servers.

show abstract

A stateful intrusion detection system for world-wide web servers

Cited by 81 publications

References 9 publications

A Modular System for FPGA-Based TCP Flow Processing in High-Speed Networks

A Modular System for FPGA-Based TCP Flow Processing in High-Speed Networks

Design of Multilevel Hybrid Classifier with Variant Feature Sets for Intrusion Detection System

Anomaly Detection with Diagnosis in Diversified Systems using Information Flow Graphs

Contact Info

Product

Resources

About