How can sliding HyperLogLog and EWMA detect port scan attacks in IP traffic?

Chabchoub, Yousra; Chiky, Raja; Dogan, Betul

doi:10.1186/1687-417x-2014-5

Cited by 21 publications

(10 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Detecting online a change of the process parameters in data streams is an important issue as it can have several interpretations depending on the application domain. In Reference 166, the authors showed that an abrupt increase in the number of destination ports in IP traffic is an efficient criterion to detect port scan attacks. Given that the amount of internet and computer traffic is growing and increasing at a fast rate, monitoring the network in real‐time becomes a challenging task.…”

Section: Challenges and Open Issuesmentioning

confidence: 99%

Anomaly‐based intrusion detection systems: The requirements, methods, measurements, and datasets

Hajj

Sibai

Abdo

et al. 2021

Trans Emerging Tel Tech

View full text Add to dashboard Cite

With the Internet's unprecedented growth and nations' reliance on computer networks, new cyber‐attacks are created every day as means for achieving financial gain, imposing political agendas, and developing cyberwarfare arsenals. Network security is thus acquiring increasing attention among researchers, practitioners, network architects, policy makers, and others. To defend organizations' networks from existing, foreseen, and future threats, intrusion detection systems (IDSs) are becoming a must. Existing surveys on anomaly‐based IDS (AIDS) focus on specific components such as detection mechanisms and lack many others. In contrast to existing surveys, this article covers the full scope needed by researchers and practitioners alike when studying AIDS. The scope ranges from the intrusion detection techniques to attacks forms and passing through the relevant attack features, most‐used datasets, challenges, and potential solutions. This article provides an exhaustive review of IDSs and discusses their requirements and performance metrics in deep. It presents a taxonomy of IDSs based on four criteria: information source, detection strategy, detection mode, and architecture. Then, in‐depth analysis and a comparison of network intrusion detection approaches based on anomaly detection techniques are given. The article also introduces a classification of computer network attacks, along with their different forms and the relevant network traffic features to detect them, as well as a summary of the popular datasets used by the researchers to evaluate the IDSs. Finally, the article highlights several research challenges and the possible solutions to deal with them.

show abstract

Section: Challenges and Open Issuesmentioning

confidence: 99%

Anomaly‐based intrusion detection systems: The requirements, methods, measurements, and datasets

Hajj

Sibai

Abdo

et al. 2021

Trans Emerging Tel Tech

View full text Add to dashboard Cite

show abstract

“…EWMA, which was proposed by Roberts [ 33 ], is an efficient statistical technique used in detecting small shifts in time-series data. It functions by first defining a threshold that delimits a standard behaviour before periodically handling updates on average of the observed data traffic [ 34 ]. EWMA is also characterised with its low complexity because the weighted average only needs to be updated for each newly observed data.…”

Section: Ewma Algorithmmentioning

confidence: 99%

“…In summary, our jamming detection technique consists of two phases; the first phase is the training phase that involves the capture of normal IAT from legitimate member nodes to the cluster head and also from the cluster heads to the base station to initialize its parameters and obtain a normal profile. Just like in the work of Chabchoub et al [ 34 ], no change point detection process will be performed during this phase. In the second phase, the test phase, a pattern change is detected during a jamming attack on a per packet basis using the EWMA algorithm.…”

Section: Ewma Algorithmmentioning

confidence: 99%

A Statistical Approach to Detect Jamming Attacks in Wireless Sensor Networks

Osanaiye

Alfa

Hancke

2018

Sensors

114

View full text Add to dashboard Cite

Wireless Sensor Networks (WSNs), in recent times, have become one of the most promising network solutions with a wide variety of applications in the areas of agriculture, environment, healthcare and the military. Notwithstanding these promising applications, sensor nodes in WSNs are vulnerable to different security attacks due to their deployment in hostile and unattended areas and their resource constraints. One of such attacks is the DoS jamming attack that interferes and disrupts the normal functions of sensor nodes in a WSN by emitting radio frequency signals to jam legitimate signals to cause a denial of service. In this work we propose a step-wise approach using a statistical process control technique to detect these attacks. We deploy an exponentially weighted moving average (EWMA) to detect anomalous changes in the intensity of a jamming attack event by using the packet inter-arrival feature of the received packets from the sensor nodes. Results obtained from a trace-driven simulation show that the proposed solution can efficiently and accurately detect jamming attacks in WSNs with little or no overhead.

show abstract

“…HLL requires m bytes and its standard deviation is σ ≈ 1.04 √ m . SWHLL extends HLL to sliding windows [9,22], and was used to detect attacks such as port scans [10]. SWAMP's space requirement is proportional to W and thus, it is only comparable in space to HLL when ε −2 = O(W ).…”

Section: Count Distinctmentioning

confidence: 99%

Pay for a Sliding Bloom Filter and Get Counting, Distinct Elements, and Entropy for Free

Assaf

Basat

Einziger

et al. 2018

IEEE INFOCOM 2018 - IEEE Conference on Computer Communications

View full text Add to dashboard Cite

For many networking applications, recent data is more significant than older data, motivating the need for sliding window solutions. Various capabilities, such as DDoS detection and load balancing, require insights about multiple metrics including Bloom filters, per-flow counting, count distinct and entropy estimation.In this work, we present a unified construction that solves all the above problems in the sliding window model. Our single solution offers a better space to accuracy tradeoff than the state-of-the-art for each of these individual problems! We show this both analytically and by running multiple real Internet backbone and datacenter packet traces.1 A fingerprint is a short random string obtained by hashing an ID.

show abstract

How can sliding HyperLogLog and EWMA detect port scan attacks in IP traffic?

Cited by 21 publications

References 20 publications

Anomaly‐based intrusion detection systems: The requirements, methods, measurements, and datasets

Anomaly‐based intrusion detection systems: The requirements, methods, measurements, and datasets

A Statistical Approach to Detect Jamming Attacks in Wireless Sensor Networks

Pay for a Sliding Bloom Filter and Get Counting, Distinct Elements, and Entropy for Free

Contact Info

Product

Resources

About