ABSTRACT
In this work we investigate a new approach for detecting network-wide attacks that aim to degrade the network's Quality of Service (QoS). To this end, a new network-based intrusion detection system (NIDS) is proposed. In contrast to the passive approach that most contemporary NIDS follow, which relies solely on monitoring production traffic, the proposed NIDS takes an active approach: specially crafted probes are sent according to a known probability distribution in order to monitor the network for anomalous behavior. Because the probe traffic is controlled, this approach removes much of the variability of production traffic that makes it so difficult to classify, and can therefore detect subtle attacks that would not be detected passively. Furthermore, the active probing approach allows the NIDS to be trained effectively using only examples of the network's normal states, hence enabling effective detection of zero-day attacks. Preliminary results on a real-life ISP network topology demonstrate the advantages of the proposed NIDS.
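The following is an added illustration of the active-probing idea described in the abstract; it is not code from the paper. It assumes a probe schedule drawn from an exponential inter-probe distribution and a per-path one-class baseline (mean and standard deviation of probe delay learned from normal-state measurements only), both of which are this example's own choices, not the paper's method. The probe delays are constructed sample data. The window test shows why controlled probes help: a small sustained delay shift that no single probe reveals becomes visible once the standard error of the window mean is used.

```python
import math
import random
import statistics

# Constructed sample data (not from the paper): round-trip delays in ms for
# active probes on three monitored paths while the network was in a normal
# state. This is the entire training set; no attack examples are needed.
NORMAL_PROBE_DELAYS_MS = {
    "r1-r2": [19.8, 20.1, 20.3, 19.9, 20.0, 20.2, 19.7, 20.4],
    "r1-r3": [41.0, 40.6, 41.3, 40.9, 41.1, 40.8, 41.2, 40.7],
    "r2-r3": [30.2, 29.9, 30.0, 30.4, 29.8, 30.1, 30.3, 29.9],
}


def schedule_probes(paths, count, mean_gap_s, seed=0):
    """Build a probe schedule from a known distribution.

    Assumption for this example: exponential inter-probe gaps (memoryless
    timing) and a uniform choice of path. The paper only states that probes
    follow a known probability distribution. Returns (send_time_s, path) tuples.
    """
    rng = random.Random(seed)
    t = 0.0
    schedule = []
    for _ in range(count):
        t += rng.expovariate(1.0 / mean_gap_s)
        schedule.append((round(t, 3), rng.choice(paths)))
    return schedule


class ProbeBaseline:
    """One-class baseline per path: mean and standard deviation of normal delays.

    Trained only on normal-state measurements; a probe (or a window of probes)
    whose delay deviates too far from the baseline is reported as anomalous.
    """

    MIN_STDEV_MS = 0.05  # floor so a perfectly stable path cannot divide by zero

    def __init__(self, threshold=3.0):
        self.threshold = threshold  # z-score above which an alert is raised
        self.stats = {}

    def fit(self, normal_delays):
        for path, delays in normal_delays.items():
            if len(delays) < 2:
                raise ValueError(f"need at least two normal samples for {path}")
            mu = statistics.fmean(delays)
            sigma = max(statistics.stdev(delays), self.MIN_STDEV_MS)
            self.stats[path] = (mu, sigma)
        return self

    def score_probe(self, path, delay_ms):
        """z-score of a single probe against its path baseline."""
        mu, sigma = self.stats[path]
        return abs(delay_ms - mu) / sigma

    def score_window(self, path, delays_ms):
        """z-score of a window's mean delay; the standard error shrinks with
        window size, which is what lets a small sustained shift stand out."""
        mu, sigma = self.stats[path]
        return abs(statistics.fmean(delays_ms) - mu) / (sigma / math.sqrt(len(delays_ms)))

    def is_anomalous_probe(self, path, delay_ms):
        return self.score_probe(path, delay_ms) > self.threshold

    def is_anomalous_window(self, path, delays_ms):
        return self.score_window(path, delays_ms) > self.threshold


def detect(baseline, observations, window=8):
    """Run detection over a list of (path, delay_ms) probe results.

    Returns alert strings: one for any single outlying probe, and one for any
    path whose last `window` probes drift from the baseline together.
    """
    alerts = []
    recent = {path: [] for path in baseline.stats}
    for path, delay in observations:
        if baseline.is_anomalous_probe(path, delay):
            alerts.append(f"{path}: probe delay {delay} ms is an outlier")
        recent[path].append(delay)
        if len(recent[path]) == window:
            if baseline.is_anomalous_window(path, recent[path]):
                mean = statistics.fmean(recent[path])
                alerts.append(f"{path}: sustained shift, window mean {mean:.2f} ms")
            recent[path] = []
    return alerts


if __name__ == "__main__":
    baseline = ProbeBaseline(threshold=3.0).fit(NORMAL_PROBE_DELAYS_MS)
    print(schedule_probes(list(NORMAL_PROBE_DELAYS_MS), 5, mean_gap_s=2.0))
    # Constructed observations: a gross outlier on r1-r2, and a subtle ~0.4 ms
    # shift on r2-r3 that no single probe reveals but the window test catches.
    observed = [("r1-r2", 35.0)] + [("r2-r3", 30.45)] * 8
    for line in detect(baseline, observed):
        print(line)
```

The per-probe test catches gross degradation, while the window test is the one that benefits from active probing: with production traffic the baseline spread would be far wider, and a shift of a few tenths of a millisecond would be lost in it.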
Paper title: Network-based intrusion detection systems go active!