A network security monitor

Heberlein, L. Todd; Dias, Gihan; Levitt, Karl N.; Mukherjee, Biswanath; Wood, Jason M.; Wolber, David

doi:10.1109/risp.1990.63859

Cited by 229 publications

(51 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This observation makes sense for desktop machines and for servers (which primarily handle incoming connections), and makes less sense for machines running notification services. Evidence from [9,10] supports this observation, showing that most machines interact with a few other machines. The idea is to implement a filter on the network stack that uses a series of timeouts to restrict the rate of connections to new hosts such that most normal traffic is unaffected.…”

Section: Introductionmentioning

confidence: 78%

Throttling viruses: restricting propagation to defeat malicious mobile code

Williamson¹

18th Annual Computer Security Applications Conference, 2002. Proceedings.

234

204

View full text Add to dashboard Cite

anti-virusModern computer viruses spread incredibly quickly, far faster than human-mediated responses. This greatly increases the damage that they cause. This paper presents an approach to restricting this high speed propagation automatically. The approach is based on the observation that during virus propagation, an infected machine will connect to as many different machines as fast as possible. An uninfected machine has a different behaviour: connections are made at a lower rate, and are locally correlated (repeat connections to recently accessed machines are likely). This paper describes a simple technique to limit the rate of connections to "new" machines that is remarkably effective at both slowing and halting virus propagation without affecting normal traffic. Results of applying the filter to web browsing data are included. The paper concludes by suggesting an implementation and discussing the potential and limitations of this approach.

show abstract

Section: Introductionmentioning

confidence: 78%

Throttling viruses: restricting propagation to defeat malicious mobile code

Williamson¹

18th Annual Computer Security Applications Conference, 2002. Proceedings.

234

204

View full text Add to dashboard Cite

show abstract

“…Unless they failed to publish further work, they built the framework and then tested only one IDS: NSM [15,16]. -Wan and Yang [17] developed a framework for testing sensors that used the Internet Engineering Task Force (IETF) Intrusion Detection Working Group (IDWG) Intrusion Detection Message Exchange Format (IDMEF) [18].…”

Section: Framework For Testingmentioning

confidence: 99%

Comparing Anomaly Detection Techniques for HTTP

Ingham

Inoue

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Much data access occurs via HTTP, which is becoming a universal transport protocol. Because of this, it has become a common exploit target and several HTTP specific IDSs have been proposed as a response. However, each IDS is developed and tested independently, and direct comparisons are difficult. We describe a framework for testing IDS algorithms, and apply it to several proposed anomaly detection algorithms, testing using identical data and test environment. The results show serious limitations in all approaches, and we make predictions about requirements for successful anomaly detection approaches used to protect web servers.

show abstract

“…The Network Based sub-class can be identified indirectly by intercepting strange communications or by monitoring the amount of traffic on the system [30]. These strange communications can be occur in Data, Network or Session layers.…”

Section: Attack Mechanism Determinationmentioning

confidence: 99%

Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

Heerden

Malan

Mouton

et al. 2014

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Abstract. This paper investigates how the measurement of a network attack taxonomy can be related to human perception. Network attacks do not have a time limitation, but the earlier its detected, the more damage can be prevented and the more preventative actions can be taken. This paper evaluate how elements of network attacks can be measured in near real-time(60 seconds). The taxonomy we use was developed by van Heerden et al (2012) with over 100 classes. These classes present the attack and defenders point of view. The degree to which each class can be quantified or measured is determined by investigating the accuracy of various assessment methods. We classify each class as either defined, high, low or not quantifiable. For example, it may not be possible to determine the instigator of an attack (Aggressor), but only that the attack has been launched by a Hacker (Actor). Some classes can only be quantified with a low confidence or not at all in a sort (near real-time) time. The IP address of an attack can easily be faked thus reducing the confidence in the information obtained from it, and thus determining the origin of an attack with a low confidence. This determination itself is subjective. All the evaluations of the classes in this paper is subjective, but due to the very basic grouping (High, Low or Not Quantifiable) a subjective value can be used. The complexity of the taxonomy can be significantly reduced if classes with only a high perceptive accuracy is used.

show abstract

A network security monitor

Cited by 229 publications

References 13 publications

Throttling viruses: restricting propagation to defeat malicious mobile code

Throttling viruses: restricting propagation to defeat malicious mobile code

Comparing Anomaly Detection Techniques for HTTP

Human Perception of the Measurement of a Network Attack Taxonomy in Near Real-Time

Contact Info

Product

Resources

About