Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

LONG Xiao-fei,FENG Yan,WANG Rui-jie

DOI: https://doi.org/10.3785/j.issn.1008-973x.2006.10.009

2006-01-01

Abstract:A pre-decision detection engine to mitigate false positives generated by signature-based network intrusion detection system and improve the performance of processing packets was proposed.By utilizing hosts'software information on monitored network,predecision detection engine makes a decision before pattern match to filter out unnecessary rules,which minimizes average pattern-match times for each packet,and reduces false positives and improves performance as a result.Experimental results showed that pre-decision detection engine can decrease false positives and improve the performance of processing packets,without increasing the false negative rate.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

ZHANG Zhen,ZHANG Jin,WANG Bin-qiang,LI Hui

2009-01-01

Abstract:The technique of traffic sampling measurement is an important scalable solution in high-speed network.NetFlow is one of the applications which is widely deployed for traffic measurement.However,the sampling method of NetFlow has shortcomings.In order to overcome those deficiencies,a novel sketch called time stratified adaptive packet sampling was proposed based on traffic load.The proposed sketch adopts the following methods:bounding sampling error within a pre-specified tolerance level,time stratified sampling and predicting traffic load adaptively.The easily-implemented packet sampling method presented can not only automatically adapt the sampling rate to traffic variety,but also give the right tradeoff between resource consumption and accuracy for all traffic mixes.Experiments were conducted based on real network traces.Results demonstrate that the proposed method can achieve simplicity,adaptability and controllability of resource consumption without sacrificing accuracy compared with other sampling methods.

ZHANG Hai,ZHANG Jian,DAI Shao-feng

DOI: https://doi.org/10.3969/j.issn.1007-130X.2012.09.004

2012-01-01

Abstract:The portscan is most popular anomaly in the network and the TRW is the most representative algorithm for the portscan detection.The packet sampling is currently the majority of packet selection method used by many business demands.Prior work has shown that the packet sampling thins traffic flows and impacts anomaly detection.The success ratio and the false negative ratio of the TRW initially increases for low sampling intervals before dropping off for high sampling intervals as the traffic is increasingly thinned.Based on previous researches , we design an improved TRW using theTCP protocol information in the sampling packet.Experimental results show that using the algorithm the false negative ratio drops off while the success ratio does not change.

TU Peng,JING Yi-nan,FU Zhen-yong,ZHANG Gen-du

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.18.002

2006-01-01

Abstract:Probabilistic packet marking(PPM)is an efficient solution to defeat denial-of-service attacks.One of the available solutions is node sampling scheme proposed by Savage.Based on the theoretic analysis of node sampling scheme,some improvement are provided.Conducting performance analyzing is proven by simulation on the improved scheme by comparing the simulation results,the improved scheme is much better than the original node sampling scheme at performance is obtained.

Chengchen Hu,Bin Liu,Zhen Liu,Shifang Gao,Dapeng Oliver Wu

2008-01-01

Abstract:Flow-level traffic measurement is important for network traffic accounting, traffic engineering, and network security. However, flow-level measurement in high speed networks poses great challenges due to the requirements of high packet processing speed and large memory size (high time/space complexity). To reduce these demanding requirements, sampling is usually used and samplers are deployed in the network. But sampling incurs information loss. To address this issue, this paper studies the tradeoff between sampling loss and complexity in distributed sampling system. We formulate the distributed sampling problem as a constrained optimization problem; specifically, maximizing the measurement coverage (i.e., the percentage of sampled traffic among the total traffic) and minimizing the complexity/budget. Considering the stochastic nature of traffic flows, we further formulate the optimization problem under two stochastic criteria: Stochastic Expected Value Optimization criterion (which is concerned with average performance) and Stochastic Chance Constrained Optimization criterion (which is concerned with the distribution of performance measure). Then we propose a Hybrid Intelligent algorithm to decide the optimal deployment strategy for monitors' placement and the sampling rate at each monitor. Equipped with the proposed algorithm, we are able to address the optimal tradeoff between measurement coverage and deployment cost for networks with random traffic, which has not been studied before. The extensive simulations and experiments demonstrate the effectiveness of our models and algorithm: with careful deployment, monitoring over a small fraction of nodes in a high speed network is sufficient to maintain a high level of measurement coverage.

Daniela Brauckhoff,Bernhard Tellenbach,Arno Wagner,Martin May,Anukool Lakhina

DOI: https://doi.org/10.1145/1177080.1177101

2006-01-01

Abstract:Packet sampling methods such as Cisco's NetFlow are widely employed by large networks to reduce the amount of traffic data measured. A key problem with packet sampling is that it is inherently a lossy process, discarding (potentially useful) information. In this paper, we empirically evaluate the impact of sampling on anomaly detection metrics. Starting with unsampled flow records collected during the Blaster worm outbreak, we reconstruct the underlying packet trace and simulate packet sampling at increasing rates. We then use our knowledge of the Blaster anomaly to build a baseline of normal traffic (without Blaster), against which we can measure the anomaly size at various sampling rates. This approach allows us to evaluate the impact of packet sampling on anomaly detection without being restricted to (or biased by) a particular anomaly detection method.We find that packet sampling does not disturb the anomaly size when measured in volume metrics such as the number of bytes and number of packets, but grossly biases the number of flows. However, we find that recently proposed entropy-based summarizations of packet and flow counts are affected less by sampling, and expose the Blaster worm outbreak even at higher sampling rates. Our findings suggest that entropy summarizations are more resilient to sampling than volume metrics. Thus, while not perfect, sampling still preserves sufficient distributional structure, which when harnessed by tools like entropy, can expose hard-to-detect scanning anomalies.

Shigen Shen,Yuanjie Li,Hongyun Xu,Qiying Cao

DOI: https://doi.org/10.1016/j.camwa.2011.07.027

IF: 3.218

2011-01-01

Computers & Mathematics with Applications

Abstract:As Wireless Sensor Networks (WSNs) become increasingly popular, it is necessary to require Intrusion Detection System (IDS) available to detect internal malicious sensor nodes. Because sensor nodes have limited capabilities in terms of their computation, communication, and energy, selecting the profitable detection strategy for lowering resources consumption determines whether the IDS can be used practically. In this paper, we adopt the distributed-centralized network in which each sensor node has equipped an IDS agent, but only the IDS agent resided in the Cluster Head (CH) with sufficient energy will launch. Then, we apply the signaling game to construct an Intrusion Detection Game modeling the interactions between a malicious sensor node and a CH-IDS agent, and seek its equilibriums for the optimal detection strategy. We illustrate the stage Intrusion Detection Game at an individual time slot in aspects of its player’s utilities, pure-strategy Bayesian–Nash equilibrium (BNE) and mixed-strategy BNE. Under these BNEs the CH-IDS agent is not always on the Defend strategy, as a result, the power of CH can be saved. As the game evolves, we develop the stage Intrusion Detection Game into a multi-stage dynamic Intrusion Detection Game in which, based on Bayesian rules, the beliefs on the malicious sensor node can be updated. Upon the current belief and the Perfect Bayesian equilibrium (PBE), the best response strategy for the CH-IDS agent can be gained. Afterward, we propose an intrusion detection mechanism and corresponding algorithm. We also study the properties of the multi-stage dynamic Intrusion Detection Game by simulations. The simulation results have shown the effectiveness of the proposed game, thus, the CH-IDS agents are able to select their optimal strategies to defend the malicious sensor nodes’ Attack action.

Lu Yu,Richard R. Brooks

DOI: https://doi.org/10.1007/978-3-319-75683-7_15

2017-09-22

Abstract:With the rapid development of Internet and the sharp increase of network crime, network security has become very important and received a lot of attention. We model security issues as stochastic systems. This allows us to find weaknesses in existing security systems and propose new solutions. Exploring the vulnerabilities of existing security tools can prevent cyber-attacks from taking advantages of the system weaknesses. We propose a hybrid network security scheme including intrusion detection systems (IDSs) and honeypots scattered throughout the network. This combines the advantages of two security technologies. A honeypot is an activity-based network security system, which could be the logical supplement of the passive detection policies used by IDSs. This integration forces us to balance security performance versus cost by scheduling device activities for the proposed system. By formulating the scheduling problem as a decentralized partially observable Markov decision process (DEC-POMDP), decisions are made in a distributed manner at each device without requiring centralized control. The partially observable Markov decision process (POMDP) is a useful choice for controlling stochastic systems. As a combination of two Markov models, POMDPs combine the strength of hidden Markov Model (HMM) (capturing dynamics that depend on unobserved states) and that of Markov decision process (MDP) (taking the decision aspect into account). Decision making under uncertainty is used in many parts of business and <a class="link-external link-http" href="http://science.We" rel="external noopener nofollow">this http URL</a> use here for security <a class="link-external link-http" href="http://tools.We" rel="external noopener nofollow">this http URL</a> adopt a high-quality approximation solution for finite-space POMDPs with the average cost criterion, and their extension to DEC-POMDPs. We show how this tool could be used to design a network security framework.

Cryptography and Security

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

G. Androulidakis,V. Chatzigiannakis,S. Papavassiliou,Georgios Androulidakis,Vassilis Chatzigiannakis,Symeon Papavassiliou

DOI: https://doi.org/10.1109/mnet.2009.4804318

IF: 10.294

2009-01-01

IEEE Network

Abstract:In this article the emphasis is placed on the evaluation of the impact of intelligent flow sampling techniques on the detection and classification of network anomalies. Based on the observation that for specific-purpose applications such as anomaly detection a large fraction of information is contained in a small fraction of flows, we demonstrate that by using sampling techniques that opportunistically and preferentially sample traffic data, we achieve magnification of the appearance of anomalies within the sampled data set and therefore improve their detection. Therefore, the inherently lossy sampling process is transformed to an advantageous feature in the anomaly detection case, allowing the revealing of anomalies that would be otherwise untraceable, and thus becoming the vehicle for efficient anomaly detection and classification. The evaluation of the impact of intelligent sampling techniques on the anomaly detection process is based on the application of an entropy-based anomaly detection method on a packet trace with data that has been collected from a real operational university campus network.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Chen Hu,Shen Wang,Jinping Tian,B. Liu,Yu Cheng,Y. Chen

DOI: https://doi.org/10.1109/infocom.2007.14

2008-01-01

Abstract:Sampling technology has been widely deployed in measurement systems to control memory consumption and processing overhead. However, most of the existing sampling methods suffer from large estimation errors in analyzing small-size flows. To address the problem, we propose a novel adaptive non-linear sampling (ANLS) method for passive measurement. Instead of statically configuring the sampling rate, ANLS dynamically adjusts the sampling rate for a flow depending on the number of packets having been counted. We provide the generic principles guiding the selection of sampling function for sampling rate adjustment. Moreover, we derive the unbiased flow size estimation, the bound of the relative error, and the bound of required counter size for ANLS. The performance of ANLS is thoroughly studied through theoretic analysis and experiments under synthetic/real network data traces, with comparison to several related sampling methods. The results demonstrate that the proposed ANLS can significantly improve the estimation accuracy, particularly for small-size flows, while maintain a memory and processing overhead comparable to existing methods.

Qianli Zhang,Xing Li

1999-01-01

Abstract:In order to present large-scale malicious attacks on an ISP network to maintain network services, we have designed a method to record key packets classified by sessions. Session is the service provided above the IP layer. We define a TCP connection a session, a UDP packet exchange a session, or echo and echo response of ICMP to be a session. The research of network attack/intrusion/information collection has shown that most of the illegal action performed would have something special ongoing in such sessions. For example, winnuke will send OOB packets to the 139 port of a host; most of the platform detection will use strange packets too. Not only the strange packets itself, but the sequence of such packets going through the network indicate the attack. For example, teardrop will transmit packets that have abnormal fragment offset in the second packet, then cause some platform to crash. Some patterns of sessions will be created by flood based attack/information collection. For example, the SYN flood will create a pile SYN-SYN ACK-RST packets in the network, and most of scan tools will create several kind of patterns in the network, all of these patterns indicate the failure of the connection, these include SYN-SYN ACK-RST and SYN-RST and SYNICMP Unreachable message. Based on this thought, we have designed the session-state transition analysis. We will define some packets as the indication of the session state. The happening of such packets causes the change of the session state. When comparing with the predefined rules, we will detect most of the DOS attacks. Another approach is to store these session states transition patterns into a database; thus we can calculate the happening rates of some specific patterns. Compared with the average level, abnormal high happening rates often indicate the possible attack or information collection. For example, we can collect a site’s all sessions' SYN-SYN ACK-RST pattern to decide whether a normal scan had happened. The implementation includes four parts. The first is the data collection part, which collects and unwraps packets passing through the network; the second part is the signature matching part, which will match the packet signature, to filter only the specified packets; the third part will cluster such pa ckets into sessions, and store the session specific signature chain and check whether a rule based match is satisfied; the fourth part will flush the session data into a database, and check whether a statistical based anomaly has happened. Using such kind of techniques has several basic advantages. The first is not to violate privacy, since we are interested in only packet header to know whether a state has changed, to inspect header only also make this implementation efficient and fit for a large scale network. The other advantage is to avoid the headache to set the threshold of a statistical approach. Most scan detection tools (For example, gabriel) will calculate the burst of connections. New scan technique has appeared to avoid burst of connections, for example, slow scan and stealthy scan. Set a proper threshold is much more difficult for a large-scale network. For rule based analysis, since we use the state transition to detect intrusion, we could predict the happening of some attacks in a premature stage. The future approach includes the content analysis based IDS, especially the remote buffer overflow detection. This part of research is underway.

Xiaoxin Shao,Tao He,Shijin Kong,Changqing An,Xing Li

DOI: https://doi.org/10.1007/11919568_61

2006-01-01

Abstract:Traffic sampling technology has been widely deployed in front of many high-speed network applications to alleviate the great pressure on packet capturing Packet-driven sampling mechanism is believed better than time-driven one and no in-depth comparison is given to these two kinds of mechanisms In this paper, a systematic comparison is conducted on three sampling methods, 1/N packet-driven, 1/T time-driven and t/T time-driven samplings, with a result showing that t/T sampling achieves similar accuracy as 1/N sampling in most aspects, and surpasses 1/N sampling in estimating the interval time distribution Then we try to optimize performance of t/T sampling by tuning its parameters, and verify putative conclusions with both real and simulation traffic The experiment in a real measurement application also indicates that these two kinds of sampling mechanisms achieve similar online estimation performance.

Keqiang He,Chengchen Hu,Junchen Jiang,Yachao Zhou,Bin Liu

DOI: https://doi.org/10.1109/glocom.2010.5684142

2010-01-01

Abstract:Flow-level sampling methods have been widely studied and extensively employed in network traffic measurement systems. However, traffic anomalies are becoming more prevalent and severe in the Internet, which pose great challenges to the traffic measurement. Existing solutions targeted at such scenario have either low accuracy or high memory usage. In this paper, we propose a two-stage sampling approach-Anti Attack Counters (A2C) and an efficient parameter adapting method to solve the problem. The proposed sampling mechanism can adapt to the network condition automatically and collect more information even under severe traffic attacks. Theoretical analysis on accuracy and resource requirement is presented in our work. Furthermore, we validate our approach using both synthetic and real traces. The experimental results demonstrate that A2C is of high resilience while providing significantly improved measurement accuracy with reduced memory occupation comparing with other existing anti-attack countermeasures.

Xu Chen,Liang Xiao,Wei Feng,Ning Ge,Xianbin Wang

DOI: https://doi.org/10.1109/jiot.2021.3138094

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:The proliferation of Distributed Denial of Service (DDoS) attacks in Internet of Things (IoT) not only threatens the security of digital devices and infrastructure but also severely degrades IoT system performance due to the overly consumed network resources. With the knowledge of identity information of devices and signaling data, Internet service providers (ISPs) can detect and block DDoS traffic by monitoring the upstream IoT packets, and thereby, improve network efficiency. However, inspecting all data packets online for DDoS detection will significantly increase both the network delay and the computational overhead. Therefore, the packet sampling strategy is crucial for the defenders to detect DDoS attacks. To this end, this article formulates a Stackelberg game model to analyze the collaborative IoT packet sampling against DDoS attacks. Through the equilibrium analysis of the DDoS game, we derive the lower bound of packet sampling rate (PSR) that can effectively deter potential attackers. Unlike traditional offline detection, our proposed packet sampling strategy can support both the online detection and proactive prevention of DDoS traffic. As a use case, a multipoint DDoS defense framework is developed to address the IP spoofing in 5G networks based on the proposed packet sampling strategy, which deters DDoS attacks and reduces the packet sampling cost, and thereby, maximizes the IoT utility, compared with existing methods. In typical reflection attacks (in which no more than five packets of response are triggered by a request packet), our proposed scheme not only reduces more than 70% of the sampling rate but also demonstrates superior robustness against boundary condition variation.

Michael Kallitsis,Stilian Stoev,George Michailidis

DOI: https://doi.org/10.48550/arXiv.1306.5793

2013-06-24

Systems and Control

Abstract:The robustness and integrity of IP networks require efficient tools for traffic monitoring and analysis, which scale well with traffic volume and network size. We address the problem of optimal large-scale flow monitoring of computer networks under resource constraints. We propose a stochastic optimization framework where traffic measurements are done by exploiting the spatial (across network links) and temporal relationship of traffic flows. Specifically, given the network topology, the state-space characterization of network flows and sampling constraints at each monitoring station, we seek an optimal packet sampling strategy that yields the best traffic volume estimation for all flows of the network. The optimal sampling design is the result of a concave minimization problem; then, Kalman filtering is employed to yield a sequence of traffic estimates for each network flow. We evaluate our algorithm using real-world Internet2 data.