Flow-based intrusion detection

Sperotto, Anna; Pras, Aiko

doi:10.1109/inm.2011.5990529

Cited by 48 publications

(12 citation statements)

References 106 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A common flow export protocol is Cisco's Netflow, which is supported by almost all major vendors. Internet Engineering Task Force (IETF) adopted Netflow's version 9 and standardized it as IP Flow Information Exchange (IPFIX) protocol (Sperotto and Pras, 2011). IPFIX specifies a standard architecture for collection and processing of IP flow records.…”

Section: Introductionmentioning

confidence: 99%

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Umer¹,

Sher²,

Yaxin³

2017

BJMC

View full text Add to dashboard Cite

Abstract. Flow-based intrusion detection systems analyze IP flow records to detect attacks against computer networks. IP flow records contain aggregated packet header information; therefore, the amount of data processed by the intrusion detection system is reduced. In addition, since no payload is analyzed, the end-to-end encryption does not affect the deployment of intermediate intrusion detection system. In this paper, we evaluate one-class classification techniques for detection of malicious flows at an initial stage of a multi-stage flow-based intrusion detection system. The initial stage uses minimal flow attributes and only decide if the IP flow is normal or malicious. Since there is only one class of interest (malicious) at the initial stage, we use one-class classification for detection of malicious flows. In this paper, we review available one-class classification techniques and evaluate them on a flow-based dataset to determine their performance for detection of malicious flows. Our results show that one-class classification techniques using boundary methods give best results in detection of malicious IP flows.

show abstract

Section: Introductionmentioning

confidence: 99%

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Umer¹,

Sher²,

Yaxin³

2017

BJMC

View full text Add to dashboard Cite

show abstract

“…However, Cisco's Netflow is a common flow export and collection protocol and is supported by almost all major vendors. Due to the increased requirement of IP flow information for network management, the Internet Engineering Task Force (IETF) has standardized the flow export and collection protocol as IP Flow Information Exchange (IPFIX) protocol [19]. IPFIX is very flexible protocol and defines around 280 attributes for IP flow records.…”

Section: Introductionmentioning

confidence: 99%

Towards Multi-Stage Intrusion Detection using IP Flow Records

Umer¹,

Sher²,

Khan³

2016

ijacsa

View full text Add to dashboard Cite

Abstract-Traditional network-based intrusion detection systems using deep packet inspection are not feasible for modern high-speed networks due to slow processing and inability to read encrypted packet content. As an alternative to packetbased intrusion detection, researchers have focused on flow-based intrusion detection techniques. Flow-based intrusion detection systems analyze IP flow records for attack detection. IP flow records contain summarized traffic information. However, flow data is very large in high-speed networks and cannot be processed in real-time by the intrusion detection system. In this paper, an efficient multi-stage model for intrusion detection using IP flows records is proposed. The first stage in the model classifies the traffic as normal or malicious. The malicious flows are further analyzed by a second stage. The second stage associates an attack type with malicious IP flows. The proposed multi-stage model is efficient because the majority of IP flows are discarded in the first stage and only malicious flows are examined in detail. We also describe the implementation of our model using machine learning techniques.

show abstract

“…Following this trend, security analysis applications should evolve from packet-based to flow-based solutions [3]. Research has already been performed on flow-based anomaly detection in past years, such as in [4][5][6].…”

Section: Introductionmentioning

confidence: 99%

Real-Time and Resilient Intrusion Detection: A Flow-Based Approach

Hofstede

Pras

2012

Dependable Networks and Services

Self Cite

View full text Add to dashboard Cite

Abstract. Flow-based intrusion detection will play an important role in high-speed networks, due to the stringent performance requirements of packet-based solutions. Flow monitoring technologies, such as NetFlow or IPFIX, aggregate individual packets into flows, requiring new intrusion detection algorithms to deal with the aggregated data. These algorithms are subject to constraints on real-time and accurate detection of intrusions, due to the nature of current flow monitoring technologies. In this paper, we propose a framework for flow-based intrusion detection, aiming to detect intrusions in real-time, and to be resilient against negative effects of attacks on monitoring systems. This research is still in its initial phase and will contribute to a Ph.D. thesis after four years.

show abstract

Flow-based intrusion detection

Cited by 48 publications

References 106 publications

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Towards Multi-Stage Intrusion Detection using IP Flow Records

Real-Time and Resilient Intrusion Detection: A Flow-Based Approach

Contact Info

Product

Resources

About