Real-Time and Resilient Intrusion Detection: A Flow-Based Approach

Hofstede, Rick; Pras, Aiko

doi:10.1007/978-3-642-30633-4_13

Cited by 7 publications

(4 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A flow is the fundamental object of the TIC research field. It has also received some attention in IDS literature recently [6,9,10]; in [28], the authors provided an overview of flow-based IDS.…”

Section: Literature Reviewmentioning

confidence: 99%

Application-Specific Traffic Anomaly Detection Using Universal Background Model

Alizadeh

Khoshrou

Zúquete

2015

Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics

View full text Add to dashboard Cite

This paper presents an application-specific intrusion detection framework in order to address the problem of detecting intrusions in individual applications when their traffic exhibits anomalies. The system is based on the assumption that authorized traffic analyzers have access to a trustworthy binding between network traffic and the source application responsible for it. Given traffic flows generated by individual genuine application, we exploit the GMM-UBM (Gaussian Mixture Model-Universal Background Model) method to build models for genuine applications, and thereby form our detection system. The system was evaluated on a public dataset collected from a real network. Favorable results indicate the success of the framework.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Application-Specific Traffic Anomaly Detection Using Universal Background Model

Alizadeh

Khoshrou

Zúquete

2015

Proceedings of the 2015 ACM International Workshop on International Workshop on Security and Privacy Analytics

View full text Add to dashboard Cite

show abstract

“…Deep Packet Inspection. In high-speed networks flow-level monitoring is increasingly outracing packet-based analysis because the monitoring systems lack processing power and storage capacity necessary for a deep packet inspection for the corresponding data rates [4]. While flow-level analysis is intended to handle huge data rates by abstracting from detailed packet data, this limitation is neither required nor suitable for analyzing automation data due to the following reasons.…”

Section: Problem Definitionmentioning

confidence: 99%

Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Schuster

Paul

König

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Recent trends in automation technology lead to a rising exposition of industrial control systems (ICS) to new vulnerabilities. This requires the introduction of proper security approaches in this field. Prevalent in ICS is the use of access control. Especially in critical infrastructures, however, preventive security measures should be complemented by reactive ones, such as intrusion detection. Beginning from the characteristics of automation networks we outline the implications for a suitable application of intrusion detection in this field. On this basis, an approach for creation of self-learning anomaly detection for ICS protocols is presented. In contrast to other approaches, it takes all network data into account: flow information, application data, and the packet order. We discuss the challenges that have to be solved in each step of the network data analysis to identify future aspects of research towards learning normality in industrial control networks.

show abstract

“…These applications operate on flow data exported by flow exporters and collected by flow collectors. Since the export of flow data is heavily based on timeouts and the collection is often designed to work in time intervals of several minutes, analysis applications are subject to various delays in the detection process [8]. Especially in the case of DDoS attack detection, where overload of network infrastructure can happen very quickly, this is something that must be avoided.…”

Section: Introductionmentioning

confidence: 99%

Real-time DDoS attack detection for Cisco IOS using NetFlow

Steeg

Hofstede

Sperotto

et al. 2015

2015 IFIP/IEEE International Symposium on Integrated Network Management (IM)

Self Cite

View full text Add to dashboard Cite

Flow-based DDoS attack detection is typically performed by analysis applications that are installed on or close to a flow collector. Although this approach allows for easy deployment, it makes detection far from real-time and susceptible to DDoS attacks for the following reasons. First, the fact that the flow export process is timeout-based and that flow collectors typically provide data to analysis applications in chunks, can result in detection delays in the order of several minutes. Second, by the nature of flow export, attack traffic may be amplified by the flow export process if the original packets are small enough and are part of small flows.We have shown in a previous work how to perform DDoS attack detection on a flow exporter instead of a flow collector, i.e., close to the data source and in a real-time fashion, which however required access to a fully-extendible flow monitoring infrastructure. In this work, we investigate whether it is possible to operate the same detection system on a widely deployed networking platform: Cisco IOS. Since our ultimate goal is to identify besides the presence of an attack also attackers and targets, we rely on NetFlow. In this context, we present our DDoS attack detection prototype that has shown to generate a constant load on the underlying platform -even under attacks -underlining that DDoS attack detection can be performed on a Cisco Catalyst 6500 in production networks, if enough spare capacity is available.

show abstract

Real-Time and Resilient Intrusion Detection: A Flow-Based Approach

Cited by 7 publications

References 11 publications

Application-Specific Traffic Anomaly Detection Using Universal Background Model

Application-Specific Traffic Anomaly Detection Using Universal Background Model

Towards Learning Normality for Anomaly Detection in Industrial Control Networks

Real-time DDoS attack detection for Cisco IOS using NetFlow

Contact Info

Product

Resources

About