A scalable, efficient and informative approach for anomaly‐based intrusion detection systems: theory and practice

Salem, Osman; Vaton, Sandrine; Gravey, Annie

doi:10.1002/nem.748

Cited by 40 publications

(50 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In general they act on monodimensional time series and, to consider different traffic features, the same basic algorithm is sequentially repeated [2], [3], [1]. The above-mentioned papers represent the starting point for the present work, which extended the structure of the IDS described in [1] to operate with vectorial sequences.…”

Section: Related Workmentioning

confidence: 99%

“…Sketches can not be considered as a detection method, nevertheless they can be used as a building block of several AD systems [12], [13], [15], [14], [16], [17], [18], [19], [2], [1]. Indeed, the use of sketches corresponds to a random aggregation that "efficiently" reduces the dimension of the data (wrt other deterministic aggregations, such as according to input/output routers [17]); moreover, the use of reversible sketches [20] permits to trace back the flows responsible for the anomalies.…”

Section: Related Workmentioning

confidence: 99%

“…The proposed IDS can be seen as a multidimensional generalization of the scheme originally proposed in [1]. Indeed, it consists of a multidimensional sketch followed by a vectorial decision algorithm.…”

Section: System Architecturementioning

confidence: 99%

“…Roughly speaking, different types of attack cause anomalies in different traffic parameters; therefore, a wider set of traffic descriptors gives the chance of revealing more types of intrusions. "Classical" (or "monodimensional") IDSs [2], [3], [1] analyze the observed parameters separately, performing the same algorithm several times and thus increasing the computational time in order to get a more comprehensive search. The goal of this paper is to investigate the performance of "multidimensional" IDSs, which apply a single vectorial algorithm to all the traffic descriptors at the same time, leading to a processing time which is almost independent from the number of analyzed features.…”

Section: Introductionmentioning

confidence: 99%

“…The goal of this paper is to investigate the performance of "multidimensional" IDSs, which apply a single vectorial algorithm to all the traffic descriptors at the same time, leading to a processing time which is almost independent from the number of analyzed features. In more detail, we proposed a new multidimensional algorithm, which can be seen as a vectorial extension of the well-known CuSum [1] method, and compared it with five multidimensional statistical tests known in the literature (e-distance [5], Mahalanobis distance, MB-GT [6], density test [7], Log-likelihood ratio [8]). Another innovative feature of our IDS is the adaptation of the sketch to vectorial values, in order to take advantage of random aggregations in term of scalability (possibility of employing the algorithm at backbone level) and detection performance.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Sketch-based multidimensional IDS: A new approach for network anomaly detection

Callegari

Casella

Giordano

et al. 2013

2013 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

The diffusion of technologies for high speed data transmission over the Internet and the growing employment of new multimedia services require fast and effective techniques for the protection against network attacks. In this paper we present a new approach able to detect at the same time different types of network anomalies. It consists in the simultaneous analysis of several traffic descriptors (aggregated through a sketch to guarantee the scalability of the algorithm) by means of a single vectorial algorithm. In terms of ROC curve, the performance of our multidimensional Intrusion Detection System (IDS) are comparable with the separate application of traditional monodimensional IDSs to all traffic parameters, while reducing the computational time of more than 80%.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: System Architecturementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Sketch-based multidimensional IDS: A new approach for network anomaly detection

Callegari

Casella

Giordano

et al. 2013

2013 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

show abstract

Network level perspective in web sessions troubleshooting

Milanesio

Callegari

Michiardi

2019

Int J Communication

View full text Add to dashboard Cite

Summary In the last years, the quantity of data and the number of applications carried over web traffic have been continuously increasing and nowadays web browsing accounts for most of the Internet traffic. In such a scenario, a poor browsing experience can result very annoying to the end user, and the effective identification of the root cause of such bad performance is of primary interest to both the users and the network operators. In this paper, we present a unified framework, based on a novel lightweight open‐source publicly available probe and on an original statistical diagnosis algorithm, to correctly and effectively point out the segment of a web connection (eg, local client, backbone network, and DNS server) responsible for a poor web browsing experience. The extensive experimental evaluation carried out in the paper demonstrates the effectiveness of the proposed approach to diagnose poor quality of experience at a large scale.

show abstract

SYN‐Guard: An effective counter for SYN flooding attack in software‐defined networking

Mohammadi

Conti

Lal

et al. 2019

Int J Communication

View full text Add to dashboard Cite

In software-defined networking (SDN), TCP SYN flooding attack is considered as one of the most effective attacks to perform control plane and target server saturation. In this attack, an attacker generates a large number of malicious SYN requests, and because of the absence of the forwarding rules, the data plane switches have to forward these SYN messages to the controller. This excessive forwarding causes congestion over the communication channel between a data plane and control plane, and it also exhausts computational resources at both the planes. In this paper, we propose a novel countermeasure called SYN-Guard to detect and prevent SYN flooding in SDN networks. We fully implement SYN-Guard on the SDN controller to validate the incoming TCP connection requests. The controller installs forwarding rules for the SYN requests that successfully clear the validation test of SYN-Guard. The host of the fake SYN request is detected, and SYN-Guard prevents it from sending any further SYN requests to the data plane switch. The performance evaluation done using the simulation results shows that SYN-Guard exhibits low side effect for genuine TCP requests, and when compared with standard SDN and state-of-art proposals, it reduces the average response time up to 21% during an ongoing SYN flooding attack. KEYWORDS denial of service, resource exhaustion, security, software-defined networking, SYN flooding Int J Commun Syst. 2019;32:e4061.wileyonlinelibrary.com/journal/dac

show abstract

A scalable, efficient and informative approach for anomaly‐based intrusion detection systems: theory and practice

Cited by 40 publications

References 51 publications

Sketch-based multidimensional IDS: A new approach for network anomaly detection

Sketch-based multidimensional IDS: A new approach for network anomaly detection

Network level perspective in web sessions troubleshooting

SYN‐Guard: An effective counter for SYN flooding attack in software‐defined networking

Contact Info

Product

Resources

About