
On scalable attack detection in the network

Published: 01 February 2007

Abstract

Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfortunately, even today, many IDS systems we know of keep per-connection or per-flow state to detect malicious TCP flows. Thus, it is hardly surprising that these IDS systems have not scaled to multigigabit speeds. By contrast, both router lookups and fair queuing have scaled to high speeds using aggregation via prefix lookups or DiffServ. Thus, in this paper, we initiate research into the question as to whether one can detect attacks without keeping per-flow state. We will show that such aggregation, while making fast implementations possible, immediately causes two problems. First, aggregation can cause behavioral aliasing where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing by which the intruder sends attacks that have appropriate aggregate behavior. We examine a wide variety of DoS and scanning attacks and show that several categories (bandwidth based, claim-and-hold, port-scanning) can be scalably detected. In addition to existing approaches for scalable attack detection, we propose a novel data structure called partial completion filters (PCFs) that can detect claim-and-hold attacks scalably in the network. We analyze PCFs both analytically and using experiments on real network traces to demonstrate how we can tune PCFs to achieve extremely low false positive and false negative probabilities.
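The abstract names the idea (detect without per-flow state, by aggregating) and the data structure (a partial completion filter) but not the mechanism. The following is an added illustration, not code from the paper or from this page: a small Python model of an aggregated SYN/FIN imbalance counter in the spirit of a PCF. Several hashed counter stages share fixed memory; a SYN adds one to the destination's counters, a FIN or RST subtracts one, and a key whose minimum counter stays high is holding connections it never completes. The stage count, width, threshold, choice of keyed BLAKE2b as the per-stage hash, the addresses and the packet trace are all constructed assumptions and do not reproduce the paper's tuning or analysis.

```python
# Added illustration, not code from the paper or from this page: a fixed-size,
# multi-stage hashed counter array in the spirit of the partial completion
# filter (PCF) named in the abstract. Each stage maps an aggregation key to one
# counter; a connection-opening SYN adds 1, a closing FIN or RST subtracts 1.
# Good flows are balanced and cancel out, so a key whose counters stay high is
# "claiming" connections it never completes or releases. Stage count, width,
# threshold, hash choice, addresses and traffic are all constructed here.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # source IP (constructed)
    dst: str     # destination IP (constructed)
    dport: int   # destination port
    flag: str    # "SYN", "FIN" or "RST"


class PartialCompletionFilter:
    """Tracks SYN/FIN imbalance per hashed key with O(stages * width) memory."""

    def __init__(self, stages: int = 4, width: int = 4096, threshold: int = 10):
        self.stages = stages
        self.width = width
        self.threshold = threshold
        self.counters = [[0] * width for _ in range(stages)]

    @staticmethod
    def key_of(pkt: Packet) -> str:
        # Aggregate by destination: claim-and-hold exhausts the *server's*
        # connection table, so the victim address:port is the natural key.
        return f"{pkt.dst}:{pkt.dport}"

    def _index(self, stage: int, key: str) -> int:
        # One independent hash per stage. A keyed BLAKE2b stands in for the
        # universal hash family a hardware filter would use (assumption).
        digest = hashlib.blake2b(key.encode(), digest_size=8,
                                 key=stage.to_bytes(2, "big")).digest()
        return int.from_bytes(digest, "big") % self.width

    def estimate(self, key: str) -> int:
        # Balanced flows that share a counter net to zero; an unbalanced
        # neighbour inflates it. Taking the minimum across stages picks the
        # least-polluted counter, like a count-min sketch.
        return min(self.counters[s][self._index(s, key)]
                   for s in range(self.stages))

    def update(self, pkt: Packet) -> bool:
        """Apply one packet; return True if its key now exceeds the threshold."""
        delta = {"SYN": 1, "FIN": -1, "RST": -1}.get(pkt.flag, 0)
        if delta == 0:          # data/ACK-only packets do not touch the filter
            return False
        key = self.key_of(pkt)
        for s in range(self.stages):
            self.counters[s][self._index(s, key)] += delta
        return self.estimate(key) > self.threshold


BENIGN_KEY = "198.51.100.10:80"   # constructed: server with completed connections
HELD_KEY = "198.51.100.20:80"     # constructed: server receiving SYNs never closed


def constructed_traffic():
    """Constructed packet trace: 20 completed connections, then 30 held ones."""
    pkts = []
    for i in range(20):
        src = f"192.0.2.{i + 1}"
        pkts.append(Packet(src, "198.51.100.10", 80, "SYN"))
        pkts.append(Packet(src, "198.51.100.10", 80, "FIN"))
    for i in range(30):
        pkts.append(Packet(f"203.0.113.{i + 1}", "198.51.100.20", 80, "SYN"))
    return pkts


def run(filt: PartialCompletionFilter):
    """Feed the trace; return (keys flagged during the run, final estimates)."""
    flagged = set()
    for pkt in constructed_traffic():
        if filt.update(pkt):
            flagged.add(filt.key_of(pkt))
    return flagged, {k: filt.estimate(k) for k in (BENIGN_KEY, HELD_KEY)}


if __name__ == "__main__":
    # Normal sizing: only the held server is flagged.
    print(run(PartialCompletionFilter()))
    # Behavioral aliasing: one shared counter makes the benign server inherit
    # the held server's imbalance, so its next SYN is a false positive.
    collapsed = PartialCompletionFilter(stages=1, width=1)
    print(run(collapsed))
    print(collapsed.update(Packet("192.0.2.99", "198.51.100.10", 80, "SYN")))
```

With the default sizing the server receiving 30 unanswered SYNs is the only key flagged, and its estimate is exactly 30 because the completed connections to the other server cancel out wherever they land. Shrinking the filter to a single shared counter shows the first problem the abstract raises, behavioral aliasing: the benign server's estimate becomes 30 as well, and its next legitimate SYN is reported. The model says nothing about the abstract's second problem, spoofing: a stream that is balanced in aggregate passes a pure counter, which is why the paper evaluates false negatives alongside false positives rather than relying on the count alone.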

Published In

IEEE/ACM Transactions on Networking, Volume 15, Issue 1
February 2007
245 pages

Publisher

IEEE Press

Author Tags

  1. data structures
  2. denial of service
  3. network attacks
  4. routers
  5. scanning
  6. streaming algorithms
  7. syn flooding

Qualifiers

  • Article

Cited By

  • (2018) Enhanced efficient SYN spoofing detection and mitigation scheme for DDoS attacks. International Journal of Internet Technology and Secured Transactions 8(4), 583-600. DOI 10.5555/3292867.3292874. Online publication date: 1 Jan 2018.
  • (2018) Reducing false rate packet recognition using Dual Counting Bloom Filter. Telecommunications Systems 68(1), 67-78. DOI 10.5555/3204306.3204344. Online publication date: 1 May 2018.
  • (2016) Zero-Crossing Analysis of Lévy Walks and a DDoS Dataset for Real-Time Feature Extraction. International Journal of Software Science and Computational Intelligence 8(4), 1-28. DOI 10.5555/3273686.3273687. Online publication date: 1 Oct 2016.
  • (2016) Detecting Advanced Network Threats Using a Similarity Search. Proceedings of the 10th IFIP WG 6.6 International Conference on Management and Security in the Age of Hyperconnectivity - Volume 9701, 137-141. DOI 10.1007/978-3-319-39814-3_14. Online publication date: 20 Jun 2016.
  • (2015) STONE. Expert Systems with Applications: An International Journal 42(24), 9620-9633. DOI 10.1016/j.eswa.2015.07.027. Online publication date: 30 Dec 2015.
  • (2013) STONE. Proceedings of the 28th Annual ACM Symposium on Applied Computing, 807-812. DOI 10.1145/2480362.2480517. Online publication date: 18 Mar 2013.
  • (2010) Intrusion prevention systems. Proceedings of the International Conference and Workshop on Emerging Trends in Technology, 211-214. DOI 10.1145/1741906.1741952. Online publication date: 26 Feb 2010.
  • (2009) A distributed detecting method for SYN flood attacks and its implementation using mobile agents. Proceedings of the 7th German Conference on Multiagent System Technologies, 91-102. DOI 10.5555/1791994.1792005. Online publication date: 9 Sep 2009.
  • (2009) A more accurate scheme to detect SYN flood attacks. Proceedings of the 28th IEEE International Conference on Computer Communications Workshops, 304-305. DOI 10.5555/1719850.1719904. Online publication date: 19 Apr 2009.
  • (2008) Optimizing away joins on data streams. Proceedings of the 2nd International Workshop on Scalable Stream Processing Systems, 48-57. DOI 10.1145/1379272.1379282. Online publication date: 29 Mar 2008.
