An Architecture for Inline Anomaly Detection

Krueger, Tammo; Gehl, Christian; Rieck, Konrad; Laskov, Pavel

doi:10.1109/ec2nd.2008.8

Cited by 9 publications

(7 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other programmable chips, like Network Interface Cards (NICs), Field Programmable Gate Arrays (FPGAs) and Network Processing Units (NPUs), cannot currently ensure high throughput and low latency on par with ASICs. Additionally, in the context of network security, compared to highly-optimized software solutions, such as inline Intrusion Detection Systems (IDSs) [33], the throughput ensured by ASICs is orders of magnitude higher and introduces much lower latency (∼ 50µs − 1ms) [23]. This makes programmable ASICs well suited for the implementation of some network monitoring/security tasks, such as the DDoS detection strategy proposed in this paper.…”

Section: B Data Plane Programmable Switches Exploiting Asicsmentioning

confidence: 99%

In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

Ding

Savi

Pederzolli

et al. 2021

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Volumetric distributed Denial-of-Service (DDoS) attacks have become one of the most significant threats to modern telecommunication networks. However, most existing defense systems require that detection software operates from a centralized monitoring collector, leading to increased traffic load and delayed response. The recent advent of Data Plane Programmability (DPP) enables an alternative solution: thresholdbased volumetric DDoS detection can be performed directly in programmable switches to skim only potentially hazardous traffic, to be analyzed in depth at the controller. In this paper, we first introduce the BACON data structure based on sketches, to estimate per-destination flow cardinality, and theoretically analyze it. Then we employ it in a simple in-network DDoS victim identification strategy, INDDoS, to detect the destination IPs for which the number of incoming connections exceeds a predefined threshold. We describe its hardware implementation on a Tofino-based programmable switch using the domain-specific P4 language, proving that some limitations imposed by real hardware to safeguard processing speed can be overcome to implement relatively complex packet manipulations. Finally, we present some experimental performance measurements, showing that our programmable switch is able to keep processing packets at line-rate while performing volumetric DDoS detection, and also achieves a high F1 score on DDoS victim identification.

show abstract

Section: B Data Plane Programmable Switches Exploiting Asicsmentioning

confidence: 99%

In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

Ding

Savi

Pederzolli

et al. 2021

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…Grozea et al [25] allowed to accelerate existing comparison algorithms (MergeSort, Bitonic Sort, parallel Insertion Sort) (see, e.g. [22,28] for details) to work at a typical speed of an Ethernet link of 1 Gbit/s by using parallel architectures (FPGAs, multi-core CPUs machines and GPUs). The obtained results show that the FPGA platform is the most flexible, but it is less accessible.…”

Section: Background and Related Workmentioning

confidence: 99%

A Comparative Study of Sorting Algorithms with FPGA Acceleration by High Level Synthesis

Jmaa¹,

Atitallah²,

Duvivier³

et al. 2019

CyS

View full text Add to dashboard Cite

Nowadays, sorting is an important operation for several real-time embedded applications. It is one of the most commonly studied problems in computer science. It can be considered as an advantage for some applications such as avionic systems and decision support systems because these applications need a sorting algorithm for their implementation. However, sorting a big number of elements and/or real-time decision making need high processing speed. Therefore, accelerating sorting algorithms using FPGA can be an attractive solution. In this paper, we propose an efficient hardware implementation for different sorting algorithms (BubbleSort, InsertionSort, SelectionSort, QuickSort, HeapSort, ShellSort, MergeSort and TimSort) from high-level descriptions in the zynq-7000 platform. In addition, we compare the performance of different algorithms in terms of execution time, standard deviation and resource utilization. From the experimental results, we show that the SelectionSort is 1.01-1.23 times faster than other algorithms when N < 64; Otherwise, TimSort is the best algorithm.

show abstract

“…The Jensen distance [15] uses an entropy-like function H . The variables within H are two of the summation variables a, b, and c; shown in (20) where φ w (x) is the frequency of occurrence of w in x.…”

Section: B Types Of Measuresmentioning

confidence: 99%

“…A variation of the χ 2 distance known as squared χ 2 (also known as χ-Squared) [20] can also be used to compute distances with n-grams. The squared χ 2 measure is shown in (39), where S is the set of all possible n-grams, x and z are byte sequences taken from the packet payload, φ s (x) is the frequency of occurrence of s in x.…”

Section: B Types Of Measuresmentioning

confidence: 99%

A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection

Weller-Fahy

Borghetti

Sodemann

2015

IEEE Commun. Surv. Tutorials

192

View full text Add to dashboard Cite

Anomaly detection (AD) use within the network intrusion detection field of research, or network intrusion AD (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple k-means clustering through advanced multiagent distributed AD systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas that require further focus on improving the distance measure rigor in the NIAD field are presented.

show abstract

An Architecture for Inline Anomaly Detection

Cited by 9 publications

References 14 publications

In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

A Comparative Study of Sorting Algorithms with FPGA Acceleration by High Level Synthesis

A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection

Contact Info

Product

Resources

About