A Framework for Real-Time Worm Attack Detection and Backbone Monitoring

Dübendorfer, Thomas; Wagner, Arno; Plattner, Bernhard

doi:10.1109/iwcip.2005.2

Cited by 15 publications

(12 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The approach adopted by Wagner et al [154], for example, can naturally be extended to worms, as well as the ones of Gao et al [56] and Zhao et al [159] (Sections 3.1 and 3.2). Dübendorfer et al [38] and Wagner et al [39] attempt to characterize the host behavior on the basis of incoming and outgoing connections. The proposed algorithm assigns the hosts of a network to a set of predefined classes: the traffic class, the connector class and the responder class.…”

Section: Wormsmentioning

confidence: 99%

“…As for payload-based solution, the anomaly-/misuse-based classes play an important role: we can see contributions in both fields. Some researchers, such as Münz et al [110], Düben-dorfer et al [38] and Wagner et al [39], developed compound methods. This is due to the interest in combining the strengths of both anomaly and misusebased approaches, as well as to the increasing interest in multi-purpose platforms that offer a shared base for different detection modules.…”

Section: Solutions Classificationmentioning

confidence: 99%

See 1 more Smart Citation

Flow-based intrusion detection

Sperotto

Pras

2011

12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops

View full text Add to dashboard Cite

The spread of 1-10Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services. As users, we depend on the Internet in our daily life for simple tasks such as checking emails, but also for managing private and financial information. However, entrusting such information to the Internet also means that the network has become an alluring place for hackers. To this threat, the research community has answered with an increased interest in intrusion detection. With the number of attacks almost exponentially increasing, and the attackers' motivations moving from ideological to economical, the researchers' attention is focused on developing new techniques to timely detect intruders and prevent damage. Our studies in the field of intrusion detection, however, made us realize that additional research is needed, in particular: the creation of shared data sets to validate Intrusion Detection Systems (IDSs) and the development of automatic procedures to tune the parameters of IDSs.The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) shared ground-truth data sets and (ii) automatic parameter tuning. We develop our approach by focusing on network flows. Flows offer an aggregated view of network traffic, by reporting on the amount of packets and bytes exchanged over the network. Therefore, flows drastically reduce the amount of data to be analyzed. In this thesis, we aim at detecting anomalies in flow-based time series, describing how the number of flows, packets and bytes changes over time.Ground truth data sets are fundamental in the development phase, for validation purposes and, if publicly available, for comparison between different IDSs. We attack the problem of ground truth generation in two complementary manners.First, we obtain ground truth information for flow-based intrusion detection by manually creating it. We do so by means of a honeypot-based data collection and monitoring setup, specifically tuned to (i) offer an attracting platform for attackers, and (ii) include enhanced logging capabilities to support the vi labeling of the collected data. The outcome of our research has been a publicly released flow-based labeled data set. To the best of our knowledge, no such data set already exists.Second, we generate ground truth information in an automatic manner. We do this by generating artificial flow, packet and byte time series for benign and attack traffic. In this thesis, we rely upon Hidden Markov Models (HMMs), which allow for probabilistic and compact representations of flow-based time series and can be used for generation purposes.Finally, we approach the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic m...

show abstract

Section: Wormsmentioning

confidence: 99%

Section: Solutions Classificationmentioning

confidence: 99%

Flow-based intrusion detection

Sperotto

Pras

2011

12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops

View full text Add to dashboard Cite

show abstract

“…Related tools are Gigascope [4] for packet trace processing, the TelgraphCQ DSMS [5] or the network monitoring specific CoMo project [6]. Other tools focus on the dispatching of received NetFlow data [7] or on Flow Query Languages [8]. The presented tools are often limited to a certain domain and not suitable for extracting and correlating network characteristics or data from different data sources.…”

Section: Existing Processing Toolsmentioning

confidence: 99%

Processing of Flow Accounting Data in Java: Framework Design and Performance Evaluation

Kögel

Scholz

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Flow Accounting is a passive monitoring mechanism implemented in routers that gives insight into traffic behavior and network characteristics. However, processing of Flow Accounting data is a challenging task, especially in large networks where the rate of Flow Records received at the collector can be very high. We developed a framework for processing of Flow Accounting data in Java. It provides processing blocks for aggregation, sorting, statistics, correlation, and other tasks. Besides reading data from files for offline analysis, it can also directly process data received from the network. In terms of multithreading and data handling, the framework is highly configurable, which allows performance tuning depending on the given task. For setting these parameters there are several trade-offs concerning memory consumption and processing overhead. In this paper, we present the framework design, study these trade-offs based on a reference scenario and examine characteristics caused by garbage collection.

show abstract

“…Under the realistic assumption that each Netflow or IPFIX packet contains multiple records, this is still below our measured maximum even though we do not know whether special care is necessary if the data is received in short bursts. A possible countermeasure against bursty Netflow traffic is traffic shaping as applied in Thomas Diibendorfer's UPFrame [18].…”

Section: Performance Measurementsmentioning

confidence: 99%

“…Real-time analysis of UDP payload can be accomplished with UDFrame [18]. Thomas Diibendorfer and Arno Wagner developed this framework in parallel to our work and used it to process Netflow.v5 data.…”

Section: Related Workmentioning

confidence: 99%

Real-time Analysis of Flow Data for Network Attack Detection

Münz

Carle

2007

2007 10th IFIP/IEEE International Symposium on Integrated Network Management

View full text Add to dashboard Cite

With the wide deployment of flow monitoring in IP networks, the analysis of the exported flow data has become an important research area. It has been shown that flow data can be used to detect traffic anomalies, DoS attacks, and the propagation of worms. In practice, anomalies and attacks should be detected as fast as possible in order to allow taking appropriate countermeasures. We describe the necessary steps from the raw flow data to the detection result in a systematic way. Furthermore, we present TOPAS, a system and framework for real-time analysis of flow data, that has been developed in order to meet these requirements. Performance measurements and various application examples point out the capabilities and benefits of our approach.

show abstract

A Framework for Real-Time Worm Attack Detection and Backbone Monitoring

Cited by 15 publications

References 2 publications

Flow-based intrusion detection

Flow-based intrusion detection

Processing of Flow Accounting Data in Java: Framework Design and Performance Evaluation

Real-time Analysis of Flow Data for Network Attack Detection

Contact Info

Product

Resources

About