Towards multi-layered intrusion detection in high-speed networks

Golling, Mario; Hofstede, Rick; Koch, Robert

doi:10.1109/cycon.2014.6916403

Cited by 14 publications

(11 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The primary focus of this work are multiple high-speed networks using a link speed of 10 Gbps and higher [17]. In addition, we focus on network operators that cooperate among trusted partners to minimize or prevent damages caused by network-based attacks and use an automated threat information exchange.…”

Section: Scenariomentioning

confidence: 99%

In Whom Do We Trust - Sharing Security Events

Steinberger

Kuhnert

Sperotto

et al. 2016

Management and Security in the Age of Hyperconnectivity

View full text Add to dashboard Cite

Abstract. Security event sharing is deemed of critical importance to counteract large-scale attacks at Internet service provider (ISP) networks as these attacks have become larger, more sophisticated and frequent. On the one hand, security event sharing is regarded to speed up organization's mitigation and response capabilities. On the other hand, it is currently done on an ad-hoc basis via email, member calls or in personal meetings only under the premise that participating partners are personally known to each other. As a consequence, mitigation and response actions are delayed and thus security events are not processed in time. One approach to reduce this delay and the time for manual processing is to disseminate security events among trusted partners. However, exchanging security events and semi-automatically deploying mitigation is currently not well established as a result of two shortcomings. First, the personal knowledge of each sharing partner to develop trust does not scale very well. Second, current exchange formats and protocols often are not able to use security mechanisms (e.g., encryption and signature) to ensure both confidentiality and integrity of the security event information and its remediation. The goal of this paper is to present a trust model that determines a trust and a knowledge level of a security event in order to deploy semi-automated remediations and facilitate the dissemination of security event information using the exchange format FLEX in the context of ISPs. We show that this trust model is scalable and helps to build a trust community in order to share information about threats and its remediation suggestions.

show abstract

Section: Scenariomentioning

confidence: 99%

In Whom Do We Trust - Sharing Security Events

Steinberger

Kuhnert

Sperotto

et al. 2016

Management and Security in the Age of Hyperconnectivity

View full text Add to dashboard Cite

show abstract

“…However, modifying parameters to fit defined security policies is not an obvious task. Golling et al [11] propose multi-layered detection system. This system uses a manager that communicates with different types of IDS/IPS: flow-based, protocol-based, statistical based and DPI based ones.…”

Section: Detection and Response Solutionsmentioning

confidence: 99%

A Novel Security Architecture Based on Multi-level Rule Expression Language

Souissi

Sliman

Charroux

2015

Hybrid Intelligent Systems

View full text Add to dashboard Cite

International audienceThis paper introduces an attack detection and response system based on multi-level rule expression language. It provides a framework to evaluate, identify, classify and defend against sophisticated attacks. Our approach helps simplifying complex rules' expression and alert handling, thanks to a modular architecture and an intuitive rules along with a powerful expression language. The proposed system is flexible and takes into account several attack properties in order to simplify attack handling and aggregate defense mechanisms. 1 Introduction Security aims at protecting firm resources from undesired access by users and applications. Improving security in enterprise information system relies on analyzing threats, risks and vulnerabilities to specify appropriate countermeasures. This imposes several challenges to tackle with security issues. One of these challenges is detection and mitigation of attacks. To deal with the growing complexity of new attacks, several solutions such as intrusion detection and prevention systems (IDS/IPS) and web application firewalls (WAF) have been proposed. These solutions can be based either on signature or on behavior detection. They play an important role in countering security threats. Signature based system tend to use static rules and to detect only specific attacks or anomalous behaviors that are already known. In anomaly-based case, they need learning process and detection is more complex. In addition, attack detection techniques are far from being satisfactory [1]. In fact, solutions like IDSs provide unmanageable amount of " false positives " alarms which are hard to inspect. Furthermore, many detection systems do not offer an appropriate compromise between acceptable performance and detection language simplicity

show abstract

“…Flow-based intrusion detection systems have several advantages over payload and protocol-based techniques (Golling et al, 2014). Flow-based approaches only inspect the packet headers and do not consume any resources in the analysis of packet payloads.…”

Section: Introductionmentioning

confidence: 99%

“…Also, the flow export and collection process involve a certain delay in intrusion detection during which slow and small ramped attacks can go undetected (Vykopal et al, 2013). Golling et al, 2014) have given a comparison of flow-based intrusion detection technique with other approaches.…”

Section: Introductionmentioning

confidence: 99%

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Umer¹,

Sher²,

Yaxin³

2017

BJMC

View full text Add to dashboard Cite

Abstract. Flow-based intrusion detection systems analyze IP flow records to detect attacks against computer networks. IP flow records contain aggregated packet header information; therefore, the amount of data processed by the intrusion detection system is reduced. In addition, since no payload is analyzed, the end-to-end encryption does not affect the deployment of intermediate intrusion detection system. In this paper, we evaluate one-class classification techniques for detection of malicious flows at an initial stage of a multi-stage flow-based intrusion detection system. The initial stage uses minimal flow attributes and only decide if the IP flow is normal or malicious. Since there is only one class of interest (malicious) at the initial stage, we use one-class classification for detection of malicious flows. In this paper, we review available one-class classification techniques and evaluate them on a flow-based dataset to determine their performance for detection of malicious flows. Our results show that one-class classification techniques using boundary methods give best results in detection of malicious IP flows.

show abstract

Towards multi-layered intrusion detection in high-speed networks

Cited by 14 publications

References 19 publications

In Whom Do We Trust - Sharing Security Events

In Whom Do We Trust - Sharing Security Events

A Novel Security Architecture Based on Multi-level Rule Expression Language

Applying One-Class Classification Techniques to IP Flow Records for Intrusion Detection

Contact Info

Product

Resources

About