# Adaptive Network Intrusion Detection System using a Hybrid Approach

Save this PDF as:

Size: px
Start display at page:

## Transcription

2 close to line speed, and computes probability of occurrence of groups of incoming packets, windows. The NB model is used for online classification and HMM model is used for offline analysis of traffic. Traffic that were flagged as anomalous by the NB model were fed into an offline HMM that computed the probability of connections present in the window. Thus combining NB and HMM models we form a hybrid model, where in NB model computes probability of occurrence of windows and HMM computes the probability of each connection within the window. This way the output from the HMM, list of attacking IPs, can be used as an update to firewall on what IPs to block. HMM now can be used to generate IP blacklist and makes the hybrid model more efficient. The rest of the paper is organized as follows. A brief description of HMM is presented in Section 2. Section 3 describes our proposed HMM model and preliminary results obtained are presented in Section 4. Section 5 explains the problems that we anticipated that could be faced while implementing this system in real time. Section 6 describes hybrid model and Section 7 describes various experiments and results obtained. Section 8 describes related work that has been done by research community in this area. II. HIDDEN MARKOV MODEL HMM is a generative model that can model data which is sequential in nature. It is used to model data where the assumption of i.i.d. is too restrictive, like speech processing applications. A detailed tutorial on HMM is available in [1]. Markov Property: Consider a system with N states and at discrete time intervals, there is transition among states. Let these instances be t, t = 1,2,3,. Any process is Markovian if the conditional probability of future states, given the present state and past states, depend only upon the present state. In order to predict future state, the process by which the current state is obtained does not matter, i.e., Pr[q t = S i q t 1 = S j,q t 2 = S k, ] = Pr[q t = S i q t 1 = S j ] We have used HMM that follows the above first order Markov property. In a HMM, the states and their transitions are not visible. Instead an output symbol, from a discrete set of symbols, is emitted during every transition. This sequence of symbols are the observables used to train a HMM. The following figure explains this. Definition of a HMM: HMM [λ] is a five tuple, i.e., λ = [N,M,A,B,π]. The parameters of the model are N, number of states in the model, S = {S 1,S 2,,S N }. M, number of observation symbols, V = {V 1,V 2,,V M }. (1) Fig. 1. HMM Architecture A, state transition probability matrix, A={a ij }, where a ij = Pr[q t+1 = S j q t = S i ] 1 i,j N It is a N*N matrix. B, observation symbol probability matrix, B={b j (k)}, where b j (k) = Pr[v k at t q t = S j ] 1 j N It is a N*M matrix. 1 k M π, initial state probability matrix, π = {π i }, where It is a 1*N matrix. π i = Pr[q 1 = S i ] 1 i N Algorithms for HMM: The following two algorithms are used to model and use the HMM. 1) Baum-Welch algorithm is used to learn the parameters of the model, {A, B, π}, from input data. 2) Forward-Backward algorithm is used to learn the probability of occurrence of an observation sequence given the model, P[O λ]. III. DESIGN CHOICES Web servers in general use Transmission Control Protocol (TCP) for communication between clients and server. TCP is a state based protocol, i.e., any TCP connection would progress through set of state transitions during its life time. This inherent stateful and temporal nature of TCP traffic could be captured well by using a HMM based classifier. This lead us to use HMM as our basic building block in our system design. In the remainder of this section, we describe parameters that were used to build our model and other design considerations that shaped our model design. (2) (3) (4)

3 A. Choosing Parameters The key aspect in building a HMM is to decide the states and symbols that are to be used to build the model. Choosing right set of attributes for a model is very important as this step would ensure effective usage of available data. For our experiments, we use TCP header information present in packets as features. States of the model are called hidden or latent variables and are used to describe the underlying distribution generating the data. In our approach, states of the HMM do not correspond to actual TCP states. They are used to model the HMM to best explain the traffic. They do not have direct physical significance. For example, network traffic can be assumed to consist of traffic from legitimate and malicious users. Transition from one state to another can be considered equivalent to switch from traffic between malicious and legitimate users. Next we had to decide upon what could be used to represent symbols in our HMM model. We use TCP flags as symbols for the HMM model, following Vijayasarathy et al. [2]. The other parameters of the HMM model - π, A, and B are estimated using Baum-Welch algorithm. B. Initial Approach Building anomaly based classifier involves two phases - training and testing. During the training phase, the classifier is made to profile over clean traffic, i.e., traffic stream which is devoid of any malicious traffic stream. During the testing phase, traffic which were not used during training are used to measure the performance of the model built. The classifier flags any traffic that deviates from clean traffic profile as suspicious. The intuition behind this approach is that clean traffic and malicious traffic are not generated from the same distribution. Training phase of our algorithm begins with source separating training traffic into separate streams. All packets between a source/destination constitute a stream. Each stream consist of series of TCP flags that were used in the packets throughout the connection. Then a single HMM model is used to learn the characteristics of all streams to the server. The HMM model takes these TCP flags as observables and other parameters of the model can be computed from them. Upon analyzing the traffic data, we found that only few flags were used in general for most TCP communication. We associated a number with each flag and a connection with sequence of flags is converted into a sequence of numbers. HMM model is trained over this sequence of numbers. The frequently used TCP flags and the ID which we used for our modeling are as follows. SYN - 0 SYN/ACK - 1 ACK - 2 PUSH/ACK -3 FIN/ACK - 4 RST - 5 other TCP flags - 6 The same procedure is followed in the testing phase. The TCP flag sequence is converted into a sequence of numbers and the probability of occurrence of this sequence is tested over the model. Since states of the model does not correspond to actual TCP states, the number of states can be chosen empirically. The testing phase of the above said approach is depicted in Figure 2. Incoming traffic to server Source Separation Fig. 2. Initial Approach HMM model Legitimate traffic Attack traffic DARPA data set for intrusion detection [3] is used for training and testing our HMM model. Preliminary results obtained for the above said approach were not satisfactory. The model had very high false positive rate, i.e., clean traffic stream were also being flagged as attack. The classifier did not succeed in discriminating between good traffic and bad traffic. This low performance might be attributed to using just one HMM to learn all clean traffic profile. A single HMM could not capture all the characteristics of clean traffic that were used for training. C. Alternate Design In order to overcome the above said shortcoming, we performed source separation on training/testing traffic according to destination ports of the server and then upon source/destination IP address. Instead of using a single HMM to lean all traffic coming to a server, we used separate HMMs for each frequently occurring server port. The reasoning behind such an approach is that not all traffic belonging to different applications behave in the same way. For instance, different traffic streams belonging to a particular application port, say port 25 (SMTP), have similar characteristics than to traffic at port 20 (FTP). This approach improved the results drastically, i.e., the model had higher accuracy and lower false positive rate compared to the single HMM approach. The implementation details of this model are as follows. Training traffic to the server is first separated based upon destination port number of packets. Traffic to particular ports are then source separated and trained by separate models for each port. Ports which have higher traffic, like ports for HTTP, telnet, FTP, etc., were modeled with separate HMM models. Traffic to other infrequent ports were modeled by a separate model. The testing phase proceeds the same way. Testing traffic is first separated based upon ports and then source

4 separated and tested by corresponding HMM model for the port. Figure 3 describes this approach. Fig. 4. Cascaded HMM design Fig. 3. Layered Model Even though port wise separation approach had better results that single model approach, the false positive rate were still high, almost 10% of training traffic were flagged as attack. Any practical system designed to detect intrusions should have low false positive rate, i.e., rate at which a legitimate user is wrongly classified as attack should be very low. It is able to classify most of the frequently occurring positive traffic correctly but it is not able to correctly classify positive traffic that were infrequent. Infrequent traffic that were clean or positive were also flagged as attack. We made this model as our basic classifier model and it required us explore other strategies that would improve the performance of our base classifier. D. Cascaded HMMs The positive traffic that were wrongly classified by the above approach were traffic streams that were not so frequent. This can be attributed to those traffic streams which had very low probabilities in the training phase of the above approach. In order to overcome this high false positive rate, we employed multi-stage combination of models to improve the base classifier s performance. We employed cascading of base classifiers into several layers to improve performance. Figure 4 describes the cascading of models. Implementation details of this approach: Low probability legitimate streams that were flagged suspicious by all the base classifiers are fed as input to a separate HMM model. This HMM trains on all the infrequently occurring streams and builds a model. Traffic streams that have low probabilities in this model are fed into next layer of HMM model for training. The above process of adding new HMMs, i.e., cascading HMMs, can be continued until addition of a new model makes no improvement to the accuracy of the model. The usage of traffic streams from different protocols for the first layer of cascaded HMM might be counter-intuitive, since we perform protocol based traffic separation in the first step before feeding traffic into HMM models for each protocol. We observed that most of training traffic connections to frequently occurring ports were correctly classified by their respective HMM model. The number of connections that were wrongly flagged as anomalous were very less. But this was not the case with the HMM model for infrequent port traffic. The traffic connections that occur infrequently were the ones wrongly flagged by initial HMMs. Since the connections were anyway infrequent in their respective protocol, combining them together did not reduce the performance of the model. Instead, it improved the accuracy of the HMM model. The HMM model can be extended to having separate levels of cascading for each protocol. Since the data available for training and testing were limited, we performed a combined layer of cascading for all protocols. IV. PRELIMINARY RESULTS Building any classifier involves two phases, i.e., training and testing phases. Training phase in our approach involves learning the parameters of the model from a clean traffic trace. HMM profiles this data and uses this information to test incoming traffic. During the testing phase, traffic that were not used for training are tested against the model learnt. To build a classifier we need to have labeled data for training and testing. Data sets released by DARPA[3] were used to train and test our classifier. Experiments The experiments that were conducted are described as follows.

5 # states Connection Separation Separate Models for Protocols Boosting Accuracy (%) False Alarm Rate (%) 5 Just IP No No Just IP No No IP & Port Yes No IP & Port Yes No IP & Port Yes Yes IP & Port Yes Yes TABLE I RESULTS ON DARPA DATA SET 1) Single HMM model: Training traffic is separated according to source/destination and trained with a single HMM model. In the testing phase, source separated connections were tested against the learnt model. The performance of the model is bad since it had very high false positive rate. Probable reason for the failure of the model could be that a single HMM could not capture all possible traffic characteristics. High false positive rate can be alleviated by the following approach. 2) Multiple HMM models: We performed source separation both on IP and port information of source and destination. Separate HMMs were used to train/test connections pertaining to different protocols. Protocols with large amount of incoming traffic were trained separately, while other infrequent ports were trained separately. This approach reduced the false positive rate and we made this type of source separation as our basic step for building HMM. 3) Cascading of HMMs: In order to improve the performance of the above approach, we employed boosting. HMM models were cascaded into several layers to model low probability traffic. The results reported for our experiments are using two layers of HMM model for cascading. We used two days of clean traffic data from DARPA data set for training and the rest of the traffic from other days were used for testing the learnt model. This way we don t overfit the training process. Table I describe the performance of our model on a particular server in DARPA data. Number of states for the model The number of states to be used for HMM could be determined experimentally. Using 9 or 10 states for the model gave us good results for DARPA data set. We tried using higher number of states for HMM and the results obtained were similar and did not improve the performance any further. Hence we have reported the results on using 9 states for HMM model. Attacks detected by HMM The following attacks present in the DARPA data set were detected by HMM model. neptune - Syn flood denial of service attack on one or more ports. ipsweep - Surveillance sweep performing ping on multiple host addresses. portsweep - Surveillance sweep through many ports to determine which services are active on a single host. satan - Network probing tool to exploiting well-known weaknesses. nmap - Network mapping using the nmap tool. Auckland Data Set We tried our cascaded HMM experiments on Auckland IV[4] data set. In the training phase, HMM model is trained with clean HTTP traffic from DARPA data. For testing purpose, HTTP traffic to various servers in Auckland data set were considered. Auckland data set is not a labeled data set. Hence the testing results had to be cross checked manually. HTTP sequences that were flagged as anomalous were of the following types. Reset Attacks Short Connections Connections that were too short were flagged as anomalous by the model. The reason for very short connection length could be abrupt end of connection. HMM model with just 5 states is sufficient for classifying Auckland data set. V. MOTIVATION FOR HYBRID APPROACH The goal of the work is to implement suitable models that can function effectively in real time. When implementing the above model into a real-time system and it in turn had the following pitfalls [6]. Source separation of incoming traffic is the first and foremost step in our design. This way, the model keeps track of all incoming IP addresses. But then, the problem of IP address spoofing could tax our proposed model. Assume an incoming packet to have spoofed IP address. The server replies to it and allocates resource for this IP address. It is highly unlikely that the connection established by a spoofed IP address would proceed any further. This would make the server to wait until time out period and to reclaim allocated resource. The above scenario could be repeated by attackers and result in exhausting the resources of a server. The second issue to consider is the typical length of a connection. The DARPA data used for training and testing our model had information about entire connections. But in reality, we have no way of telling when a connection would end. The computations performed had complete end to end connection data, which is quite impossible in reality. If this model were to be implemented in a server, then the server has to have separate buffers for each incoming new connection. This again would end up in using all of server s available buffer to store packets. We cannot decide on how much buffer

6 space to allocate, since we do not know the length of each connection. Aforementioned drawbacks prevent HMM based model from being implemented as a stand alone device for a server s security. In the next section, we will describe another approach where HMM model coupled with Naive Bayesian based model would overcome these issues. VI. HYBRID MODEL We propose a hybrid model combining our HMM based model with Naive Bayesian (NB) based approach proposed by Vijayasarathy et al. [2] to address the issues. Hybrid model would have NB model for online learning and HMM model for offline learning. The online classifier (NB model) would monitor incoming traffic and flag traffic blocks that are suspicious. The offline classifier (HMM model) would be fed with the traffic flagged by NB model. HMM model would then perform source separation for the connections present in the flagged traffic and classifies the connections as either attack or normal. The addition of HMM model to NB model is intended to narrow down on the attacking IPs present in flagged traffic rather than to improve the performance of it. Figure 5 depicts the proposed hybrid model. Fig. 5. A. Working of NB model Flow diagram Incoming traffic to NB model is split up into logical units called windows. Each window is a group of packets and modeling is based on TCP flags set in packets. Based on experiments, packets in a window can belong to any one of the following depending upon the TCP flag that is set. 1) RST - packets with reset bit set 2) SYN - syn packets 3) ACK - ack packets 4) FIN/ACK - fin/ack packets 5) PSH/ACK - push/ack packets 6) others - packets with other TCP flags set. This six tuple describes the mix of traffic present in a window. For example, for a window of size 100 with <3 RSTs, 8 SYNs, 48 ACKs, 1 FIN/ACKs, 40 PSH/ACKs, 0 other packets> could be considered normal, but <0 RSTs, 100 SYNs, 0 ACKs, 0 FIN/ACKs, 0 PSH/ACKs, 0 other packets> would represent a syn flooding scenario. Windows that are similar are grouped to form bands, so as to reduce the number of different events to model. During the training phase, the model computes the probability of occurrence of various event types. In the testing phase, traffic windows with very low probability of occurrence are flagged as attack. For a detailed description of NB based approach, refer to the original paper [2] B. Combining the models We used the same clean data set for training both NB and HMM models. In the testing phase, for every window, the NB model would classify if it were normal or abnormal. In our implementation, if there were five consecutive attack flags raised by the NB model, and incoming traffic from then on would be buffered and fed as input to the HMM model. Attack flag would be on until there are five consecutive normal windows to the server. Buffering of data is carried on between the raise and fall of flag. The number of windows to consider during time out mechanism is implementation specific, depending upon traffic characteristics of a server. The windows that were buffered when the attack flag is on, would be fed into HMM for further processing. Source separation is then performed on the IP addresses present in the flagged traffic. Individual streams, thus obtained are tested using HMM model and probability of occurrence of each sequence could be calculated. IP address of connections that were anomalous could be added to firewall black list. This way, HMM model could be used to blacklist IP addresses that have suspicious traffic characteristics. Experiments conducted using this approach are described in the next section. VII. EXPERIMENTS AND RESULTS We used CAIDA [5] data set for testing our hybrid model. It is an hour long Distributed Denial of Service (DDoS) attack data at a server. Since the data set consist only of attack traffic, we mixed it with normal traffic and used hybrid model to classify it. We considered traffic to port 80 (HTTP protocol) for training and testing. We used same clean traffic trace from DARPA data set for training both NB and HMM models. For testing the classifier, we mixed traffic traces from CAIDA and DARPA together. The IP address of destination server of CAIDA data set traffic is changed to the same destination server used by DARPA traffic. This mixed traffic is used for testing our hybrid model. NB model processes incoming traffic online, and feeds offline HMM with flagged traffic. When an attack flag is raised, we start buffering from ten windows prior to the window where the attack flag was actually raised. This is done to ensure that we don t erroneously classify connections that began recently, just before attack flag was raised, as attack. Buffering continues until we receive five consecutive clean windows or upto the end of testing data file. Figure 6 describes this process. HMM was trained throughout with equal prior probability to all states. This is done to ensure not to flag any clean traffic stream that was buffered from middle as attack. When an attack flag is raised, there would connections that would have

7 Buffering begins here Attack Flag Raised Fig. 6. Buffering ends here Attack Flag Dropped Buffering Procedure Timeline Each horizontal line represents an individual connection started early and half way through. The beginning of such a stream would not necessarily have three way handshake. We perform source separation on the buffered data and use HMM to classify it. HMM was successful in finding out IPs from CAIDA traffic on almost all cases. HMM with more than five states had 100% accuracy classifying all IPs from CAIDA as attack and IPs from DARPA as clean. When tried with HMM with less than five states, few of the attacking streams were classified as clean traffic. This is due to the inability of HMM with very few states to model the data accurately. Using HMM with larger states gave us exact results and the number of states to be chosen for a server can be computed empirically. VIII. RELATED WORK Lee et al. [7] proposed a system using combined misuse and anomaly detection approaches to generate rules for IDS. For improving efficiency, multiple model cost based approaches are applied. These analyze and detect models with high accuracy but low cost. A distributed architecture is proposed for evaluating models in real time. To improve usability adaptive learning algorithms are used for incremental updates. To reduce reliance on the labeled data unsupervised learning is studied. Ourston et al. [8] have used a HMM based model to detect complex network attacks that happens in various stages. They use HMM to model alert sequences that were raised between every source/destination. The hidden states of their model correspond to various attack stages. For example, a generic network intrusion would undergo the following states, i.e., probe, consolidate, exploit and compromise. They use separate HMMs for every attack type to detect such multistage network attacks. Chu et al. [9] use an Frequent Pattern Tree (FP-Tree) based approach to construct a network intrusion detection system. The architecture used for on the updates and detection is outlined. FP Tree is constructed for normal traffic as well as attacks so as to increase the detection rate and decrease false alarm rate. Cai et al. [10] have explored a TCP rule based TCP anomaly detection system. TCP header information is used to generate different clusters of normal traffic. These clusters then represent patterns in normal network traffic. A connection which is dissimilar to all these clusters is termed as an attack. In [11], Estevez et al. have used a Markov model to model incoming HTTP requests to a server. The key assumption is that HTTP protocol requests have highly structured payloads. Xu et al. [12] have considered monitoring the influx of new IP address during DDoS scenario. IP address of incoming traffic is categorized into two types, i.e., those which have been observed already and those which are new. HMM is used to model this sequence of IP address. The models are placed at distributed points in the network and Reinforcement Learning (RL) algorithms are used for efficient message passing among these distributed network points. IX. CONCLUSION In this paper, we have proposed a hybrid approach for adaptive network intrusion detection. We started off with HMM for network intrusion detection and it performed good empirically on DARPA data set. The difficulties that might arise when implementing HMM model in real time were described. We incorporated HMM model along with NB model into a hybrid model for intrusion detection. The proposed hybrid model also performed well in detecting intrusions and the experiments and results also reported. As an extension to HMM model, we would like to look at characterizing the diurnal variation characteristics of traffic to web server. It would involve learning the nature of traffic at various instances of the day. REFERENCES [1] Lawrence R. Rabiner, A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition, Proceedings of the IEEE, [2] Vijayasarathy, R., Ravindran, B.and Raghavan, S.V., A system approach to network modeling for DDoS detection using a Naive Bayesian classifier, COMSNETS, [3] DARPA intrusion detection evaluation dataset, mission/communications/ist/corpora/ideval/data/index.html [4] Auckland IV Dataset, [5] Paul Hick, Emile Aben, kc claffy, Josh Polterock, The CAIDA DDoS Attack 2007 Dataset, dataset.xml [6] Vijayasarathy, R - personal communication. [7] Wenke Lee and Salvatore J. Stolfo and Philip K. Chan and Eleazar Eskin and Wei Fan and Matthew Miller and Shlomo Hershkop and Junxin Zhang, Real Time Data Mining-based Intrusion Detection, IEEE, [8] Ourston, Dirk and Matzner, Sara and Stump, William and Hopkins, Bryan, Applications of Hidden Markov Models to Detecting Multi-stage Network Attacks, HICSS, [9] Nelson CN Chu, Adepele Williams, Reda Alhajj, Ken Barker, Data stream mining architecture for network intrusion detection, IEEE, [10] Weijie Cai, Li Li, Network Traffic Anomaly Detection Using TCP Header Information, IEEE, [11] Estevez-Tapiador, Juan M. and Diaz-Verdejo, Jesus E, Detection of Webbased Attacks through Markovian Protocol Parsing, ISCC, [12] Xu, Xin and Sun, Yongqiang and Huang, Zunguo, Defending DDoS Attacks Using Hidden Markov Models and Cooperative Reinforcement Learning, PAISI, 2007.

### Intrusion Detection System using Hidden Markov Model (HMM)

IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 10, Issue 3 (Mar. - Apr. 2013), PP 66-70 Intrusion Detection System using Hidden Markov Model (HMM) Megha Bandgar,

### NETWORK INTRUSION DETECTION SYSTEM USING HYBRID CLASSIFICATION MODEL

NETWORK INTRUSION DETECTION SYSTEM USING HYBRID CLASSIFICATION MODEL Prof. Santosh T. Waghmode 1, Prof. Vinod S. Wadne 2 Department of Computer Engineering, 1, 2 JSPM s Imperial College of Engineering

### Development of a Network Intrusion Detection System

Development of a Network Intrusion Detection System (I): Agent-based Design (FLC1) (ii): Detection Algorithm (FLC2) Supervisor: Dr. Korris Chung Please visit my personal homepage www.comp.polyu.edu.hk/~cskchung/fyp04-05/

### 1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

### CS5008: Internet Computing

CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

### An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

### Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

### A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

### A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of

### Keywords Attack model, DDoS, Host Scan, Port Scan

Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection

### CHAPTER 1 INTRODUCTION

21 CHAPTER 1 INTRODUCTION 1.1 PREAMBLE Wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. Wireless ad-hoc network provides a communication over the shared wireless

### Hybrid Intrusion Detection System Model using Clustering, Classification and Decision Table

IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 9, Issue 4 (Mar. - Apr. 2013), PP 103-107 Hybrid Intrusion Detection System Model using Clustering, Classification

### Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

### Hybrid Intrusion Detection System Using K-Means Algorithm

International Journal of Computer Sciences and Engineering Open Access Review Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Hybrid Intrusion Detection System Using K-Means Algorithm Darshan K. Dagly 1*, Rohan

### Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2

### A SYSTEM FOR DENIAL OF SERVICE ATTACK DETECTION BASED ON MULTIVARIATE CORRELATION ANALYSIS

Journal homepage: www.mjret.in ISSN:2348-6953 A SYSTEM FOR DENIAL OF SERVICE ATTACK DETECTION BASED ON MULTIVARIATE CORRELATION ANALYSIS P.V.Sawant 1, M.P.Sable 2, P.V.Kore 3, S.R.Bhosale 4 Department

### Stochastic Protocol Modeling for Anomaly-Based Network Intrusion Detection

2003 IEEE International Workshop on Information Assurance March 24th, 2003 Darmstadt, Germany Stochastic Protocol Modeling for Anomaly-Based Network Intrusion Detection Juan M. Estévez-Tapiador (tapiador@ugr.es)

### CYBER ATTACKS EXPLAINED: PACKET CRAFTING

CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure

### IDS / IPS. James E. Thiel S.W.A.T.

IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods

### PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

### Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended

### Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

### WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for

### Solution of Exercise Sheet 5

Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????

### Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

### Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

### Architecture Overview

Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

### CHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM

59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against

### Taxonomy of Intrusion Detection System

Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use

### Implementation of Intelligent Techniques for Intrusion Detection Systems

Ain Shams University Faculty of Computer & Information Sciences Implementation of Intelligent Techniques for Intrusion Detection Systems A Thesis Submitted to Department of Computer Science In partial

### Intrusion Detection System using Log Files and Reinforcement Learning

Intrusion Detection System using Log Files and Reinforcement Learning Bhagyashree Deokar, Ambarish Hazarnis Department of Computer Engineering K. J. Somaiya College of Engineering, Mumbai, India ABSTRACT

### Analysis of Network Packets. C DAC Bangalore Electronics City

Analysis of Network Packets C DAC Bangalore Electronics City Agenda TCP/IP Protocol Security concerns related to Protocols Packet Analysis Signature based Analysis Anomaly based Analysis Traffic Analysis

### Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention

Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Thivya. T 1, Karthika.M 2 Student, Department of computer science and engineering, Dhanalakshmi

### Network Intrusion Detection Systems

Network Intrusion Detection Systems False Positive Reduction Through Anomaly Detection Joint research by Emmanuele Zambon & Damiano Bolzoni 7/1/06 NIDS - False Positive reduction through Anomaly Detection

### A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial

### Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

### Today s outline. CSE 127 Computer Security. NAT, Firewalls IDS DDoS. Basic Firewall Concept. TCP/IP Protocol Stack. Packet Filtering.

CSE 127 Computer Security Fall 2011 More on network security Todays outline NAT, Firewalls IDS DDoS Chris Kanich (standing in for Hovav) [some slides courtesy Dan Boneh & John Mitchell] TCP/IP Protocol

### Attacks and Defense. Phase 1: Reconnaissance

Attacks and Defense Phase 1: Reconnaissance Phase 2: Port Scanning Phase 3: Gaining Access Using Application and Operating System Using Networks Phase 1: Reconnaissance Known as information gathering.

### Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

### IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 40 Firewalls and Intrusion

### Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

### STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS

STANDARDISATION AND CLASSIFICATION OF ALERTS GENERATED BY INTRUSION DETECTION SYSTEMS Athira A B 1 and Vinod Pathari 2 1 Department of Computer Engineering,National Institute Of Technology Calicut, India

### CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

### Conclusions and Future Directions

Chapter 9 This chapter summarizes the thesis with discussion of (a) the findings and the contributions to the state-of-the-art in the disciplines covered by this work, and (b) future work, those directions

### Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

### Two State Intrusion Detection System Against DDos Attack in Wireless Network

Two State Intrusion Detection System Against DDos Attack in Wireless Network 1 Pintu Vasani, 2 Parikh Dhaval 1 M.E Student, 2 Head of Department (LDCE-CSE) L.D. College of Engineering, Ahmedabad, India.

### Transport Layer Protocols

Transport Layer Protocols Version. Transport layer performs two main tasks for the application layer by using the network layer. It provides end to end communication between two applications, and implements

### Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

### Performance Evaluation of Intrusion Detection Systems using ANN

Performance Evaluation of Intrusion Detection Systems using ANN Khaled Ahmed Abood Omer 1, Fadwa Abdulbari Awn 2 1 Computer Science and Engineering Department, Faculty of Engineering, University of Aden,

### Neural networks vs. decision trees for intrusion detection

Neural networks vs. decision trees for intrusion detection Yacine Bouzida Mitsubishi Electric ITE-TCL 1, allée de Beaulieu CS 186 3578, Rennes, France Bouzida@tcl.ite.mee.com Frédéric Cuppens Département

### Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

### A Frequency-Based Approach to Intrusion Detection

A Frequency-Based Approach to Intrusion Detection Mian Zhou and Sheau-Dong Lang School of Electrical Engineering & Computer Science and National Center for Forensic Science, University of Central Florida,

### Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

### Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Part I: Attack Prevention Network Security Chapter 9 Attack prevention, detection and response Part Part I:

### Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow Correlation Coeff icient with Collective Feedback N.V.Poorrnima 1, K.ChandraPrabha 2, B.G.Geetha 3 Department of Computer

### International Journal of Innovative Research in Advanced Engineering (IJIRAE) ISSN: 2349-2163 Volume 1 Issue 11 (November 2014)

Denial-of-Service Attack Detection Mangesh D. Salunke * Prof. Ruhi Kabra G.H.Raisoni CEM, SPPU, Ahmednagar HOD, G.H.Raisoni CEM, SPPU,Ahmednagar Abstract: A DoS (Denial of Service) attack as name indicates

### Firewalls and Intrusion Detection

Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

### Network Intrusion Simulation Using OPNET

Network Intrusion Simulation Using OPNET Shabana Razak, Mian Zhou, Sheau-Dong Lang* School of Electrical Engineering & Computer Science and National Center for Forensic Science* University of Central Florida,

### SURVEY OF INTRUSION DETECTION SYSTEM

SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT

### STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS

STUDY OF IMPLEMENTATION OF INTRUSION DETECTION SYSTEM (IDS) VIA DIFFERENT APPROACHS SACHIN MALVIYA Student, Department of Information Technology, Medicaps Institute of Science & Technology, INDORE (M.P.)

### Availability Digest. www.availabilitydigest.com. @availabilitydig. Surviving DNS DDoS Attacks November 2013

the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

### Hybrid Model For Intrusion Detection System Chapke Prajkta P., Raut A. B.

www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume1 Issue 3 Dec 2012 Page No. 151-155 Hybrid Model For Intrusion Detection System Chapke Prajkta P., Raut A. B.

### Internet Worm Classification and Detection using Data Mining Techniques

IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727, Volume 17, Issue 3, Ver. 1 (May Jun. 2015), PP 76-81 www.iosrjournals.org Internet Worm Classification and Detection

### HMM Profiles for Network Traffic Classification

HMM Profiles for Network Traffic Classification Charles Wright, Fabian Monrose and Gerald Masson Johns Hopkins University Information Security Institute Baltimore, MD 21218 Overview Problem Description

### FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

### Denial of Service Attack Detection Using Multivariate Correlation Information and Support Vector Machine Classification

International Journal of Computer Sciences and Engineering Open Access Research Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Denial of Service Attack Detection Using Multivariate Correlation Information and

### System Specification. Author: CMU Team

System Specification Author: CMU Team Date: 09/23/2005 Table of Contents: 1. Introduction...2 1.1. Enhancement of vulnerability scanning tools reports 2 1.2. Intelligent monitoring of traffic to detect

### INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion

### Application of Hidden Markov Model in Credit Card Fraud Detection

Application of Hidden Markov Model in Credit Card Fraud Detection V. Bhusari 1, S. Patil 1 1 Department of Computer Technology, College of Engineering, Bharati Vidyapeeth, Pune, India, 400011 Email: vrunda1234@gmail.com

### Survey on DDoS Attack Detection and Prevention in Cloud

Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform

### CSE331: Introduction to Networks and Security. Lecture 18 Fall 2006

CSE331: Introduction to Networks and Security Lecture 18 Fall 2006 Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2 Attacker

### Detecting Denial of Service attack using Multivariate Correlation Analysis

Detecting Denial of Service attack using Multivariate Correlation Analysis P.Chitra 1, Assistant Professor P.Pooja 2, V.Vijayalakshmi 3, S.Divya 3 Dept of Computer Science and Engineering Velammal Institute

### Intrusion Detection Systems: A Formal Algorithmic approach

Intrusion Detection Systems: A Formal Algorithmic approach Santosh Company Biswas LOGO Associate Professor Dept. of CSE, IIT Guwahati What is Intrusion Detection System? Intrusion What is IDS? A set of

### Stateful Firewalls. Hank and Foo

Stateful Firewalls Hank and Foo 1 Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

### - TCP and UDP - Transport Layer Protocols

1 Transport Layer Protocols - TCP and UDP - The Transport layer (OSI Layer-4) does not actually transport data, despite its name. Instead, this layer is responsible for the reliable transfer of data, by

### SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

### Science Park Research Journal

2321-8045 Science Park Research Journal Original Article th INTRUSION DETECTION SYSTEM An Approach for Finding Attacks Ashutosh Kumar and Mayank Kumar Mittra ABSTRACT Traditionally firewalls are used to

### Firewall Firewall August, 2003

Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

### Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Data Mining For Intrusion Detection Systems Monique Wooten Professor Robila December 15, 2008 Wooten 2 ABSTRACT The paper discusses the use of data mining techniques applied to intrusion detection systems.

### Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment Keyur Chauhan 1,Vivek Prasad 2 1 Student, Institute of Technology, Nirma University (India) 2 Assistant Professor,

### Exploiting Stateful Inspection of Network Security in Reconfigurable Hardware

Exploiting Stateful Inspection of Network Security in Reconfigurable Hardware Shaomeng Li, Jim Tørresen, Oddvar Søråsen Department of Informatics University of Oslo N-0316 Oslo, Norway {shaomenl, jimtoer,

### On-Premises DDoS Mitigation for the Enterprise

On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has

### Web Application Security

Web Application Security Richard A. Kemmerer Reliable Software Group Computer Science Department University of California Santa Barbara, CA 93106, USA http://www.cs.ucsb.edu/~rsg www.cs.ucsb.edu/~rsg/

### Detection. Perspective. Network Anomaly. Bhattacharyya. Jugal. A Machine Learning »C) Dhruba Kumar. Kumar KaKta. CRC Press J Taylor & Francis Croup

Network Anomaly Detection A Machine Learning Perspective Dhruba Kumar Bhattacharyya Jugal Kumar KaKta»C) CRC Press J Taylor & Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor

### 1. Firewall Configuration

1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets

### Classification of Firewalls and Proxies

Classification of Firewalls and Proxies By Dhiraj Bhagchandka Advisor: Mohamed G. Gouda (gouda@cs.utexas.edu) Department of Computer Sciences The University of Texas at Austin Computer Science Research

### Firewalls Netasq. Security Management by NETASQ

Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed

### International Journal of Computer Science Trends and Technology (IJCST) Volume 3 Issue 3, May-June 2015

RESEARCH ARTICLE OPEN ACCESS Data Mining Technology for Efficient Network Security Management Ankit Naik [1], S.W. Ahmad [2] Student [1], Assistant Professor [2] Department of Computer Science and Engineering

### Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...

### 20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

### MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India

### Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem

### Role of Anomaly IDS in Network

Role of Anomaly IDS in Network SumathyMurugan 1, Dr.M.Sundara Rajan 2 1 Asst. Prof, Department of Computer Science, Thiruthangal Nadar College, Chennai -51. 2 Asst. Prof, Department of Computer Science,

### Mahalanobis Distance Map Approach for Anomaly Detection

Edith Cowan University Research Online Australian Information Security Management Conference Security Research Institute Conferences 2010 Mahalanobis Distance Map Approach for Anomaly Detection Aruna Jamdagnil

### Bridging the gap between COTS tool alerting and raw data analysis

Article Bridging the gap between COTS tool alerting and raw data analysis An article on how the use of metadata in cybersecurity solutions raises the situational awareness of network activity, leading

### Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

### Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes

Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes Basil AsSadhan, Hyong Kim, José M. F. Moura, Xiaohui Wang Carnegie Mellon University Electrical and Computer Engineering Department