On scalable attack detection in the network

Authors: Ramana Rao Kompella, Sumeet Singh, George Varghese

DOI: 10.1145/1028788.1028812

Keywords: Host (network), Fair queuing, Aggregate behavior, Router, Scalability, Computer network, Aliasing (computing), Spoofing attack, Computer security, Denial-of-service attack, Computer science

Abstract: Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at vantage points. Unfortunately, all the IDS we know of keep per-connection or per-flow state. Thus it is hardly surprising that IDS (other than signature mechanisms) have not scaled to multi-gigabit speeds. By contrast, note that both router lookups and fair queuing have reached high speeds using aggregation (via prefixes and DiffServ, respectively). In this paper, we initiate research into the question of whether one can detect attacks without keeping per-flow state. We will show that such aggregation, while making fast implementations possible, immediately causes two problems. First, behavioral aliasing, where, for example, good behaviors aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing, by which the intruder sends attacks that have the appropriate aggregate behavior. We examine a variety of attacks and show that several categories (bandwidth based, claim-and-hold, host scanning) can be scalably detected. It appears that stealthy port-scanning cannot be detected.
