A Double-Filter Structure Based Scheme for Scalable Port Scan Detection
Shijin Kong (1), Tao He (2), Xiaoxin Shao (3), Changqing An (4) and Xing Li (5)
Department of Electronic Engineering, Tsinghua University, Beijing, P.R.China
{ksj00 (1), sxx03 (3)}@mails.tsinghua.edu.cn
China Education and Research Network, Beijing, P.R.China
{hetao (2), xing (5)}@cernet.edu.cn, acq

Abstract

Port scan detection is very important to predict network intrusions and prevent viruses from spreading. Many networks deploy Network Intrusion Detection Systems (NIDS) to detect port scans in real time. However, most NIDS are per-flow based. They are not scalable on high speed links, since it is infeasible to maintain the states of numerous flows. In this paper, we propose a scalable scheme for real-time port scan detection without keeping any per-flow state. We use a double-filter structure to find out the <SIP, SP> pairs (footnote 1) which connect to more than N <DIP, DP> pairs in T time. Experimental results on real network traces show that our scheme finds those over-threshold <SIP, SP> pairs with high accuracy. It is easy to scale our scheme to high speed environments because of its small memory consumption and fast processing pipeline.

I. INTRODUCTION

Port scan detection is very important for security management. Many attackers perform port scans as a first step to find vulnerable hosts to compromise, so detecting such port scans indicates incoming network intrusions. Besides, recent worm epidemics, such as Code Red-II, Nimda, etc., scan for other vulnerable hosts for propagation [10], [11]. Network supervisors can prevent viruses from spreading by detecting those port scans and then prohibiting them.

A port scan is typically initiated by sending packets from the same source and the same port to various destinations and ports. If any destination has a service listening on the scanned port, the connection is established and a reply is sent back.
From the reply, the attacker (or the worm) learns whether a service is available on the scanned port, and will then try to exploit security problems of the service for further intrusion. There are two access patterns of port scans: horizontal (multiple destinations, same port) and vertical (same destination, multiple ports).

To detect port scans early and prevent further damage, many networks employ Network Intrusion Detection Systems (NIDS) at network entrances. With the rapid development of the internet, the scalability of NIDS has become a main problem of port scan detection. Most NIDS are per-flow based, which means they maintain the state of each flow during detection. Here, a flow is a communication process between two peers, e.g. a TCP connection or an HTTP session. Maintaining per-flow states is necessary for NIDS to detect port scans accurately. For example, to identify a horizontal port scan, each <SIP, SP> pair should maintain the number of all destinations to which it has connected. Therefore, packets with different <SIP, SP, DIP> values are classified into flows on arrival and the number of flows for each <SIP, SP> pair is counted.

Although per-flow based NIDS worked well in the past, this is not the case nowadays. The links connected to most network entrances are now upgraded to gigabit or even higher capacity. The number of flows is quite large at such a high speed entrance. There is neither enough time to distinguish numerous flows nor enough space to store information for each of them. Since almost all current NIDS depend more or less on per-flow states, it is very hard to adapt them to high speed environments. A temporary solution is to split the whole traffic into several substreams, each of which is monitored by a NIDS. However, the installation is expensive and the management is complicated.

(1) Abbreviations are used for frequently referred terms. SIP = Source IP, DIP = Destination IP, SP = Source Port, DP = Destination Port.
Devising scalable port scan detection schemes has become necessary and urgent. In this paper, we propose a scalable scheme for real-time port scan detection. Both horizontal and vertical port scans can be detected. We use a double-filter structure to find out the <SIP, SP> pairs which connect to more than N <DIP, DP> pairs in T time. Those <SIP, SP> pairs are probably sources of port scans and can be further inspected later. No per-flow state is maintained or updated in the process of looking for such over-threshold <SIP, SP> pairs. Only the double-filter structure is kept, in a small amount of memory, and the per-packet processing pipeline is simple. Experimental results on real network traces show that our scheme, although it does not maintain any per-flow state, finds over-threshold <SIP, SP> pairs accurately: the majority of over-threshold <SIP, SP> pairs are detected and very few benign <SIP, SP> pairs are mistaken as over-threshold. We believe our scheme is among the few scalable ones devised after PCF [2], which initiated the study of scalable attack detection schemes. Two main drawbacks of applying PCF to port scan detection are solved in our scheme.

The rest of this paper is organized as follows. Section II reviews related work. Section III proposes our scheme and section IV gives a deep analysis of the double-filter structure. For practical implementation, a series of problems are raised and solved in section V. In section VI, we draw a comparison between our scheme and other NIDS. Experimental results on traces are presented in section VII. Finally, section VIII concludes the
whole paper.

II. RELATED WORK

As noted in [7], little work has been done on detecting port scans. Most port scan detection schemes are based on counting more than N events of interest during a given period of time T. The first approach applying this policy is NSM [6], which detects any source connecting to more than 15 destinations within a given time window. Snort [4], a famous open source NIDS, keeps a long bit vector for each source to record all the ports to which the source has connected. Bro [5], a NIDS using failed connections as indicators of port scans, also maintains all the destinations for each source. Other approaches depend on statistical models. In [7], the joint probability P(d, p) is kept for each combination of destination d and port p. Any connection whose P(d, p) is less than a given threshold is considered part of a port scan. Another probabilistic approach [8] needs to keep state for each connection (s, d, p), where s is the source, d the destination and p the port. A recent piece of research uses threshold based random walks to detect fast port scans [9]. All the schemes mentioned above have to know more or less about per-flow states.

To be scalable, the Partial Completion Filter (PCF) is devised in [2] to count the number of SYN flags for each source. Any source with numerous SYNs but no FINs is considered a scanner. The state of each source can be told approximately by checking the content of the PCF, so that no per-flow state is explicitly stored. Since PCF is similar to our scheme, we draw an analytical comparison between PCF and our scheme in section VI.

III. OVERVIEW OF DOUBLE-FILTER STRUCTURE BASED SCHEME

In this section, our scalable scheme for real-time port scan detection is introduced. Like the policy used in Snort [4] and Bro [5], it is also based on detecting N events in T time. T is called a measurement interval.
A double-filter structure is used to find out all <SIP, SP> pairs which connect to more than N <DIP, DP> pairs during a measurement interval. At the end of every measurement interval, all those over-threshold <SIP, SP> pairs are reported to supervisors for further inspection.

Several terms should be defined before we continue this section. A flow is defined as a set of packets with the same flow key, which consists of certain fields of the packet header. In this paper, a flow key is always the combination of the four tuple <SIP, SP, DIP, DP>. A flow is terminated if the time since the arrival of its latest packet exceeds a time-out threshold $T_0$. Flow length is defined as the number of packets in a flow.

Our scheme keeps a data structure which contains two filters in memory during detection. Every incoming packet attempts to pass those two filters serially. The per-packet processing pipeline is described as follows.

The first filter is a Time-out Bloom Filter (TBF), which is derived from the Bloom Filter [3]. TBF is a hash table with m buckets, each of which contains a timestamp. The m buckets are denoted as $a[0], a[1], \ldots, a[m-1]$ and the corresponding timestamps are $t[0], t[1], \ldots, t[m-1]$ respectively. There are d independent hash functions, $h_1(x), h_2(x), \ldots, h_d(x)$, attached to TBF. Each hash function maps a given flow key into one of the m buckets with equal probability. Besides, each bucket has a time-out value $t_0$; that is where the name time-out comes from. When a new packet with key c comes at time t, the d timestamps stored in $t[h_1(c)], t[h_2(c)], \ldots, t[h_d(c)]$ are compared with t. If any of the d timestamps, the i-th for example ($1 \le i \le d$), satisfies $t - t[h_i(c)] \ge t_0$ (we say $a[h_i(c)]$ is timed out), the packet passes TBF; otherwise it fails to pass. We call a passed packet a survivor. After the comparison, all d timestamps are updated to t, even if the packet fails to become a survivor.
In fact, with an optimal set of $(m, d, t_0)$, TBF has two special properties (analyzed in section IV and section V): (1) no flow can own two or more survivors; (2) any flow has a probability $p_s$ of owning one survivor. Here, $p_s$ is a value determined by $(m, d, t_0)$. Hence, a survivor can be viewed as a representative of the corresponding flow. If the <SIP, SP> value of a survivor equals e, we say this survivor belongs to the <SIP, SP> pair e. Finding the <SIP, SP> pairs which connect to more than N <DIP, DP> pairs is equivalent to finding the <SIP, SP> pairs which create more than N flows, and the latter can be achieved by recording the <SIP, SP> pairs which have more than $M = p_s N$ survivors. That is exactly what the second filter does.

Only survivors arrive at the second filter, a Multistage Filter (MF) [1]. MF has s stages, each of which has n buckets, denoted as $b_i[0], b_i[1], \ldots, b_i[n-1]$ ($1 \le i \le s$), and a hash function $g_i(x)$. Each bucket of MF is actually a counter. When a survivor attempts to pass MF, s buckets are selected from the s stages based on the <SIP, SP> value e of the survivor: $b_1[g_1(e)], b_2[g_2(e)], \ldots, b_s[g_s(e)]$. Then each of them is increased by one. If all s buckets are over M, the survivor passes MF and e is recorded as a suspicious scanner.

To give a clearer view, the whole pipeline is illustrated in figure 1. Both TBF and MF are empty at the beginning time $T_s$: all the buckets of TBF are set to $T_s - t_0$ and those of MF are cleared to zero. TBF is never cleared again after $T_s$; it keeps producing survivors all the time. On the contrary, MF is reset to zero at the end of every measurement interval and a list of suspicious scanners is sent to supervisors. Typically, the behaviors of suspicious <SIP, SP> pairs are further evaluated in the next several measurement intervals.

IV. ANALYSIS OF DOUBLE-FILTER STRUCTURE

As we mentioned, in an optimal TBF each flow has exactly one survivor among its packets with probability $p_s$.
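The per-packet pipeline of section III, the one-survivor-per-flow property just claimed (proved as theorem 1 below) and the per-interval reset of MF with a recomputed M (problem 3 in section V), written out as an added Python example for this page; it is illustrative code, not the authors' implementation. It substitutes a deterministic blake2b-based hash for the AND/OR hash functions mentioned in section VI, stores one-byte timestamps as the appendix describes, uses smaller m and n than the paper's traces, and runs over a constructed trace (one horizontal scanner, one vertical scanner, one benign <SIP, SP> pair with long-lived flows); all addresses, ports, timings and function names are constructed for the example.

```python
"""Double-filter port scan detector: a Time-out Bloom Filter (TBF) feeding a Multistage Filter (MF)."""
import hashlib
import math
from collections import Counter

# Constructed parameters for a small synthetic trace (the paper's traces use m = 2^18, n = 16,384).
M_BUCKETS = 1 << 16   # m: TBF buckets
D_HASHES = 3          # d: hash functions attached to TBF
T0 = 30               # t_0 = T_0: bucket time-out equals the flow time-out (theorem 1), in seconds
S_STAGES = 3          # s: MF stages
N_BUCKETS = 1024      # n: counters per MF stage
N_PAIRS = 60          # N: a <SIP,SP> reaching more than N <DIP,DP> pairs in one interval is a scanner
T_INTERVAL = 60       # T: measurement interval in seconds


def bucket_index(key, salt, size):
    """Stand-in for the h_i / g_i hash functions: maps a tuple key to one of `size` buckets."""
    digest = hashlib.blake2b(repr(key).encode() + bytes([salt]), digest_size=8).digest()
    return int.from_bytes(digest, "big") % size


class TimeoutBloomFilter:
    """m buckets holding the low 8 bits of their last update time (appendix: one byte suffices
    as long as every bucket is refreshed within 256 s, so (t - stamp) mod 256 is the true age)."""

    def __init__(self, m, d, t0, start_time):
        self.m, self.d, self.t0 = m, d, t0
        self.stamps = [(start_time - t0) & 0xFF] * m   # every bucket starts timed out (T_s - t_0)

    def offer(self, flow_key, t):
        """True if the packet is a survivor: at least one of its d buckets has aged >= t_0.
        All d buckets are refreshed to t whether or not the packet survived."""
        idx = [bucket_index(flow_key, i, self.m) for i in range(self.d)]
        survivor = any(((t - self.stamps[i]) & 0xFF) >= self.t0 for i in idx)
        for i in idx:
            self.stamps[i] = t & 0xFF
        return survivor

    def p0(self, now):
        """Exact fraction of timed-out buckets, i.e. p_0 of lemma 1 at this instant."""
        return sum(1 for s in self.stamps if ((now - s) & 0xFF) >= self.t0) / self.m


class MultistageFilter:
    """s stages of n counters; a key whose s counters all exceed M is recorded (multistage filter [1])."""

    def __init__(self, n, s):
        self.n, self.s = n, s
        self.reset()

    def reset(self):
        self.counters = [[0] * self.n for _ in range(self.s)]

    def offer(self, pair_key, threshold):
        """Increment the s counters of <SIP,SP> pair_key; True if all of them are now over threshold."""
        over = True
        for stage in range(self.s):
            j = bucket_index(pair_key, 16 + stage, self.n)   # salts 16.. keep g_i distinct from h_i
            self.counters[stage][j] += 1
            over = over and self.counters[stage][j] > threshold
        return over


def detect(packets, start_time=0):
    """Run the pipeline over (t, sip, sp, dip, dp) packets.
    Returns (per-interval lists of recorded <SIP,SP> pairs, survivors counted per <SIP,SP>)."""
    tbf = TimeoutBloomFilter(M_BUCKETS, D_HASHES, T0, start_time)
    mf = MultistageFilter(N_BUCKETS, S_STAGES)
    survivors = Counter()                # kept only to check theorem 1 on the constructed trace
    threshold = N_PAIRS                  # TBF starts fully timed out, so p_0 = 1, p_s = 1 and M = N
    reports, recorded, interval_end = [], set(), start_time + T_INTERVAL
    for t, sip, sp, dip, dp in sorted(packets):
        while t >= interval_end:         # end of interval: report, clear MF, recompute M (problem 3)
            reports.append(sorted(recorded))
            recorded.clear()
            mf.reset()
            p_s = 1 - (1 - tbf.p0(interval_end)) ** D_HASHES   # lemma 2 from the measured p_0
            threshold = math.ceil(p_s * N_PAIRS)               # M = p_s N (theorem 2)
            interval_end += T_INTERVAL
        if tbf.offer((sip, sp, dip, dp), t):
            survivors[(sip, sp)] += 1
            if mf.offer((sip, sp), threshold):
                recorded.add((sip, sp))
    reports.append(sorted(recorded))
    return reports, survivors


def constructed_trace():
    """Synthetic packets (constructed, not from the paper's traces), all within 120 s."""
    pkts = []
    for k in range(80):   # horizontal scan: <10.0.0.9, 40000> probes port 445 on 80 hosts, one packet each
        pkts.append((k % 50, "10.0.0.9", 40000, f"192.0.2.{k}", 445))
    for k in range(70):   # vertical scan: <10.0.0.7, 40001> probes 70 ports on one host
        pkts.append((k % 50, "10.0.0.7", 40001, "192.0.2.200", 1000 + k))
    for c in range(5):    # benign: <10.0.0.3, 53> talks to 5 clients every 5 s -> 5 flows, 24 packets each
        for t in range(0, 120, 5):
            pkts.append((t, "10.0.0.3", 53, f"198.51.100.{c}", 50000 + c))
    return pkts


if __name__ == "__main__":
    reports, survivors = detect(constructed_trace())
    for i, pairs in enumerate(reports, 1):
        print(f"interval {i}: recorded {pairs}")
    print("survivors per <SIP,SP>:", dict(survivors))
```

On this trace both scanners are recorded in the first interval and nothing in the second: the benign pair's five flows each yield exactly one survivor (their first packets), because every later packet arrives within t_0 of the previous one and finds all d buckets freshly stamped, which is the theorem 1 behaviour that keeps a busy server with few flows below M. The 8-bit timestamps are safe here because the trace is shorter than 256 s; with a TBF as large as 2^16 buckets and this little traffic, many buckets would never be refreshed, so a longer run would need the paper's assumption (every bucket updated within 256 s) or full-width stamps.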
How can TBF do this and what is the value of $p_s$? To answer this question, we first make a theoretical analysis to give a deep view inside TBF, and we illustrate the function of MF later in this section.

A. Time-out Bloom Filter

[Fig. 1. Per-packet pipeline of double-filter structure based scheme. A packet with flow key c and <SIP, SP> value e is hashed by $h_1(c), h_2(c), h_3(c)$ into TBF ("anyone time-out with $t_0$? yes: survivor"), and a survivor is hashed by $g_1(e), g_2(e), g_3(e)$ into MF.]

All packets of a flow F, denoted as $P_1, P_2, \ldots, P_r$ in sequence, are supposed to pass TBF. We define the inter-packet interval of $P_i$ ($2 \le i \le r$) as the interval between the arrival time of $P_{i-1}$ and that of $P_i$. Obviously, $P_1$ does not have an inter-packet interval. We call $P_1$ a first packet, and $P_i$ ($2 \le i \le r$) a rest packet.

Lemma 1: At any time, the probability that any bucket of TBF is timed out is $p_0 = (1 - 1/m)^{Ld}$, where L is the number of flows which have had packets updated during the previous $t_0$ time.

Proof: Only the buckets that were updated by flows during the previous $t_0$ time are not timed out. If those updated buckets are viewed as being set to 1 and the timed-out buckets as being set to 0, TBF degenerates to a standard Bloom Filter containing L elements. From [3], we know that the probability that a bucket is 0 is $p_0 = (1 - 1/m)^{Ld}$.

In the rest of this section, we assume temporarily that L does not vary much during a measurement interval. Therefore, $p_0$ is considered constant within a measurement interval.

Lemma 2: For any flow F, the probability that $P_1$ becomes a survivor is $p_s = 1 - (1 - p_0)^d$.

Proof: The probability that any one of the d buckets is timed out is $p_0$, so the probability that none of the d buckets is timed out is $(1 - p_0)^d$. That is the case in which $P_1$ fails to be a survivor. So the probability that $P_1$ becomes a survivor is $p_s = 1 - (1 - p_0)^d$.

Lemma 3: For any flow F, the probability that $P_i$ ($2 \le i \le r$) becomes a survivor is (1) $p_s$, if the inter-packet interval of $P_i$ is greater than $t_0$; (2) 0, otherwise.

Proof: If the inter-packet interval of $P_i$ ($2 \le i \le r$) is smaller than $t_0$, the d buckets were updated by $P_{i-1}$ within the previous $t_0$ time when $P_i$ comes. None of the buckets is timed out, so $P_i$ will not be a survivor. If the inter-packet interval of $P_i$ is greater than $t_0$, the analysis is the same as for $P_1$ in lemma 2.
Theorem 1: If $t_0 = T_0$, all survivors are first packets. The number of survivors in a measurement interval T is $p_s K$, where K is the number of flows during T.

Proof: For any flow F, the inter-packet interval of any rest packet is smaller than the flow time-out value $T_0$. So if $t_0 = T_0$, no rest packet becomes a survivor. As proved in lemma 2, the probability that a first packet becomes a survivor is $p_s$. Thus, in total $p_s K$ survivors are generated from K first packets. Each survivor represents a distinct flow.

B. Multistage Filter

The Multistage Filter was first devised in [1] to detect heavy hitters which have more than C% ($1 \le C \le 100$) of the total traffic. In our scheme, it is used to detect <SIP, SP> pairs which have more than M survivors. Any <SIP, SP> pair e which has more than M survivors will definitely be recorded, because after the last survivor of e has attempted to pass MF, all the s counters $b_1[g_1(e)], b_2[g_2(e)], \ldots, b_s[g_s(e)]$ are over M. On the other hand, a <SIP, SP> pair e' which has fewer than M survivors may also be recorded. This happens when all the s counters $b_1[g_1(e')], b_2[g_2(e')], \ldots, b_s[g_s(e')]$ go over M with the help of other <SIP, SP> pairs. This is called a false positive error. In [1], a detailed analysis is given on reducing the occurrence of false positive errors to a very low level. We will not discuss how to tune parameters to reduce false positive errors further in this paper; we just follow the indications in [1] to set (n, s) for MF.

Theorem 2: If $t_0 = T_0$, a <SIP, SP> pair e which connects to more than N <DIP, DP> pairs will be recorded if $M = p_s N$.

Proof: e creates more than N flows. From theorem 1, we know that more than $p_s N$ survivors will be generated by TBF. If $M = p_s N$, e is definitely recorded.

V. PRACTICAL PROBLEMS, EXPLANATION AND SOLUTIONS

In this section, we continue to analyze TBF and tune its parameters for practical considerations.
There are several realistic problems which make some of the theoretical assumptions infeasible. However, we develop corresponding solutions to resolve those inconsistencies between theory and practice.

Problem 1: Why should we use TBF rather than a standard Bloom Filter? A BF stores m 0/1 bits instead of timestamps in its m buckets, which consumes even less memory. It can also be used as the first filter to select the first packets of flows. The pipeline is summarized as follows.
(i) At the beginning of every measurement interval, all m bits of the BF are set to 0.
(ii) When a new packet with key c comes, the d bits $a[h_1(c)], a[h_2(c)], \ldots, a[h_d(c)]$ are checked. If any of them is 0, the packet must be a first packet and it passes the BF; otherwise it fails to pass. After checking, all d bits are set to 1.

Explanation: In practice, there are several drawbacks to using a BF to select first packets.
(1) All the m bits must be reset to zero at the beginning of every measurement interval. m is usually on the order of 100,000. The time consumed for resetting such a great number of bits is not negligible and brings an extra burden to detection.
(2) The BF is gradually filled with 1s by first packets, so $p_0$ is not constant during the measurement interval. Accordingly, the probability that a first packet becomes a survivor differs at different times, and therefore each <SIP, SP> pair has a different proportion of survivors among its first packets. Setting a single M for MF will result in many false positive errors and missed scanners.
(3) A flow which spans measurement intervals is detected as two flows in two measurement intervals. A server may create N long-lived flows within only one measurement interval. It should not be detected in subsequent measurement intervals, since it does not create any more flows. However, it does have multiple survivors in subsequent measurement intervals, which is quite unreasonable.

All those drawbacks are overcome by using TBF.
For drawback (1): TBF is only cleared once, at $T_s$. All buckets automatically change from 1 (not timed out) to 0 (timed out) as time elapses. Explicit resetting is not necessary.
For drawback (2): $p_0$ is constant and the probability that a first packet becomes a survivor is almost the same at any time (around $p_s$), as shown in section IV.
For drawback (3): When $t_0 = T_0$, a flow has exactly one survivor.
Even if a flow spans measurement intervals, it has one survivor in the current measurement interval and none in subsequent measurement intervals. Within a measurement interval, only <SIP, SP> pairs with more than N newly created flows are detected.

Problem 2: In practice, a <SIP, SP> pair connecting to fewer than N <DIP, DP> pairs may have more than $p_s N$ survivors. It will definitely pass MF and cause a false positive error. Similarly, a <SIP, SP> pair with more than N <DIP, DP> pairs occasionally has fewer than $p_s N$ survivors. It may fail to pass MF and become a missed scanner.

Solution: In our experience (from the results in section VII), those false positive errors and missed scanners form only a very small percentage of the total recorded scanners. To further reduce false positive errors, we can detect <SIP, SP> pairs which are over-threshold in several consecutive measurement intervals. Even if a benign <SIP, SP> pair is mistaken for a scanner within one measurement interval, it is less likely that this pair is recorded in several consecutive measurement intervals.

Problem 3: In practice, L is not the same in all measurement intervals. L directly determines $p_s$, so $M = p_s N$ should be recalculated and reset for MF in every measurement interval. Here, L is still assumed constant within a measurement interval. A simple solution is to count the flows in the first $t_0$ time of every measurement interval and take that count as L. However, it requires an additional flow identification algorithm which may not be scalable and consumes lots of time.

Solution: Although L is not constant across all measurement intervals, the difference of L between two consecutive measurement intervals is small. We can measure L in the previous measurement interval and use it to calculate M for the next measurement interval. Moreover, we measure $p_0$ instead of L to avoid using an extra flow identification algorithm. The alternative solution, based on lemma 1, is described as follows.
We choose several random buckets periodically to see whether they are timed out or not. Suppose such random tests are performed R times within a measurement interval, and U consecutive buckets are randomly selected each time. At the end of a measurement interval, if V of the UR test results are timed out, V/UR is an unbiased estimate (footnote 2) of $p_0$. We use V/UR as $p_0$ for the next measurement interval. Take ENTRA-1 (a trace tested in section VII) as an example: U = 100 consecutive buckets are randomly chosen and tested at the beginning of every second.

Problem 4: By using the solution of problem 3, L of the next measurement interval can be estimated from $(1 - 1/m)^{Ld} = V/UR$. Actually, this L is the average value within a measurement interval. Until now, we have assumed that L is constant within a measurement interval. However, in practice there are times when L changes greatly within a measurement interval. The fluctuation of L probably causes either too many false positive errors or missed scanners.

Solution: We look for proper m and d to make $p_s$ insensitive to L. An insensitive $p_s$ is approximately constant even if L varies much. The degree of sensitivity is evaluated by $\partial p_s / \partial L$: if $|\partial p_s / \partial L|$ is smaller, $p_s$ is less sensitive to L.

$$\frac{\partial p_s}{\partial L} = \frac{d}{L}\left(1 - \left(1 - \frac{1}{m}\right)^{Ld}\right)^{d-1}\left(1 - \frac{1}{m}\right)^{Ld}\ln\left(1 - \frac{1}{m}\right)^{Ld} = -\frac{1}{L}\, d(1 - p_0)^{d-1}\,(-p_0 \ln p_0) \quad (1)$$

The former part, $d(1 - p_0)^{d-1}$, decreases monotonically with the increase of $p_0$. The derivative of the former part with respect to d is

$$\frac{\partial\left(d(1 - p_0)^{d-1}\right)}{\partial d} = (1 - p_0)^{d-1}\left(1 + d\ln(1 - p_0)\right) \quad (2)$$

According to equation (2), if d is much greater than $-1/\ln(1 - p_0)$, the derivative is far below zero, which results in a smaller $d(1 - p_0)^{d-1}$. The derivative of the latter part, $-p_0 \ln p_0$, with respect to $p_0$ is

$$\frac{\partial(-p_0 \ln p_0)}{\partial p_0} = -\ln p_0 - 1 \quad (3)$$

(2) Suppose a random variable x is measured as y. If E[x] = E[y], y is an unbiased estimate of x.
Similarly, according to equation (3), when $p_0$ is far greater than 0.37 ($-\ln 0.37 = 1$), $-p_0 \ln p_0$ is much smaller. In practice, setting d to 3 or 4 is enough. When d is fixed, m should be set as large as possible to obtain a large $p_0$.

VI. COMPARISON WITH OTHER NIDS

A. With Per-flow Based NIDS

We compare our scheme with per-flow based NIDS in the following three aspects.

1) Memory Consumption: As noted in [12], current high speed implementations of other network tasks tend to use small memory footprints that fit into on-chip fast SRAM, which is usually no larger than 1MB. For per-flow based NIDS, it is impossible to store the states of millions of connections in such limited SRAM; they usually keep per-flow states in slow DRAM. On the contrary, our double-filter structure can be kept within less than 1MB of SRAM. For example, to monitor the link from which ENTRA-1 is recorded, m = 262,144 buckets are allocated for TBF. Each bucket only needs one byte to store the last eight bits of the timestamp in seconds for time-out judging (for details, see the appendix). For MF, n = 16,384, s = 3, and we set two bytes for each bucket. The total memory usage is only 262,144 × 1 + 16,384 × 3 × 2 = 360,448 bytes, i.e. 352KB. The rest of the SRAM can be used to store information about suspicious scanners.

2) Processing Speed: Per-flow based NIDS have to execute time-consuming flow identification algorithms to find the flow to update at every packet's arrival. Then, the flow state in DRAM is updated, which is also quite slow. By comparison, our scheme only calculates d hash values in fast SRAM for every packet, and an additional s hash values for the very small portion of packets that are survivors. All the hash functions used in the two filters are based on combinations of several AND or OR operations. Those operations consume little processing time and give out perfect random values??.

3) Detection Accuracy: Detection accuracy is represented by the number of real scanners detected and the number of false positive errors.
NIDS using per-flow states to detect N events in T time can capture exactly all over-threshold <SIP, SP> pairs without exception. Although our scheme misses some suspicious scanners and creates some false positive errors in detection, the accuracy still remains high (see the results in section VII). It is hard to compare our scheme with probabilistic approaches such as [8] and [9], since there isn't a uniform criterion.

B. With Scalable Scheme: PCF

We introduced PCF in section II. It uses the same type of hash functions as ours and can also be placed in a small amount of SRAM. However, since PCF is based on counting SYN/FIN flags, it has two major drawbacks.
(1) PCF cannot detect UDP scans. UDP connections do not have explicit flags, such as SYN/FIN, to indicate a connection.
(2) PCF depends on monitoring both directions of traffic to be correct. In the case where only one direction of traffic is available, the scanning behavior can be spoofed and mistaken as benign: a scanner can send FIN packets before scanning any destination with SYN packets, so that the numbers of SYNs and FINs are almost the same and the scan cannot be detected.

Both drawbacks are solved in our scheme.
For drawback (1): We depend on connection patterns for detection, so port scans using any protocol can be detected.
For drawback (2): Even if only one direction of traffic is available, a flow is definitely created as long as a destination is scanned. No spoofing behavior can eliminate the existence of flows.

VII. EXPERIMENTAL RESULTS ON REAL TRACES

A. Traces Description

In this section we test the performance of our scheme by evaluating experimental results on real network traces. The purpose is to detect <SIP, SP> pairs which connect to more than N = 60 <DIP, DP> pairs within every measurement interval of T = 1 minute. First, we describe the traces. Both traces are unidirectional, captured from two entrances of THUNET (TsingHua University NETwork).
ENTRA-1 is captured from an entrance connected to a gigabit link and ENTRA-2 from another entrance with an OC48 link. Both traces have a great diversity of flows and <SIP, SP> pairs. The flow time-out value is $T_0 = 30$s. Table I gives detailed information on the two traces.

B. Evaluating TBF

The evaluation of TBF focuses on its accuracy, represented by the number of survivors generated for each <SIP, SP> pair. The estimated number of survivors of a <SIP, SP> pair with N <DIP, DP> pairs is calculated as the closest integer to $p_s N$. $t_0$ is set to 30s (equal to $T_0$). m and d are chosen according to the solution of problem 4 in section V. We set $m = 2^{18} = 262{,}144$ and d = 3 for ENTRA-1. For ENTRA-2, we enlarge m to $2^{19} = 524{,}288$; the other parameters are the same as for ENTRA-1. Thus, the typical $p_0$ is about 0.58 for both traces. Due to lack of space, Figure 2 only shows the actual number of survivors A against the estimated number of survivors B during the first measurement interval of ENTRA-1. Every point in the figure represents a <SIP, SP> pair. Most points are very close to the line with slope 1. We calculate the average relative error $E[|A - B| \times 100\% / A]$ over all <SIP, SP> pairs. The result is merely 2.5%.

C. Evaluating Our Scheme

Table II shows the detection results during every measurement interval for both traces. n = 16,384 and s = 3 are set for MF. M is recalculated at the beginning of every measurement interval according to the solution of problem 3 in section V. The row marked Detected is the number of <SIP, SP> pairs detected by our scheme, and the row marked Actual is the real number of over-threshold <SIP, SP> pairs. The numbers of false positive errors and missed scanners are placed in the rows False Pos and Missed respectively. The results are satisfying. On average, more than 95% of over-threshold <SIP, SP> pairs are detected, and the number of false positive errors is no more than 2.5% of the total detected <SIP, SP> pairs.
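The parameter arithmetic behind sections V and VII.B (lemma 1 and lemma 2, the V/UR estimator of problem 3, the inversion for L and the sensitivity of equation (1) from problem 4, and the check that m = 2^18, d = 3 and the typical L of about 48,000 from Table I give the p_0 of about 0.58 reported above) as an added Python example written for this page; it is not the authors' code. The TBF snapshot that `demo_sampling` samples is constructed with a seeded generator so that roughly 58% of the buckets are timed out, and all function names are assumptions made for the example.

```python
"""Parameter arithmetic for the Time-out Bloom Filter (lemmas 1-2, problems 3-4, section VII.B)."""
import math
import random


def p0_of(m, d, L):
    """Lemma 1: probability that a bucket is timed out when L flows updated TBF in the last t_0."""
    return (1 - 1 / m) ** (L * d)


def ps_of(p0, d):
    """Lemma 2: probability that a flow's first packet becomes a survivor."""
    return 1 - (1 - p0) ** d


def L_from_p0(m, d, p0):
    """Problem 4: invert (1 - 1/m)^{Ld} = p_0 to recover the average L of the interval."""
    return math.log(p0) / (d * math.log(1 - 1 / m))


def threshold_M(m, d, L, N):
    """Theorem 2 with the rounding of section VII.B: M = p_s N, the expected survivors of an N-flow pair."""
    return round(ps_of(p0_of(m, d, L), d) * N)


def sensitivity(m, d, L):
    """Equation (1): dp_s/dL = (1/L) d (1 - p_0)^{d-1} (p_0 ln p_0); negative, and small magnitude is good."""
    p0 = p0_of(m, d, L)
    return d * (1 - p0) ** (d - 1) * p0 * math.log(p0) / L


def sample_p0(stamps, now, t0, U, R, seed):
    """Problem 3 estimator: R times pick U consecutive buckets at random; V timed out gives V/UR ~ p_0."""
    rng = random.Random(seed)
    m, V = len(stamps), 0
    for _ in range(R):
        start = rng.randrange(m)
        V += sum(1 for k in range(U) if now - stamps[(start + k) % m] >= t0)
    return V / (U * R)


def demo_sampling(m=1 << 18, t0=30, now=1000, U=100, R=60, seed=7):
    """Constructed TBF snapshot (about 58% of buckets timed out, as in ENTRA-1) and its V/UR estimate.
    Returns (estimate, exact fraction) so the estimator can be checked against the truth."""
    rng = random.Random(seed)
    stamps = [now - t0 - 1 if rng.random() < 0.58 else now - 1 for _ in range(m)]
    exact = sum(1 for s in stamps if now - s >= t0) / m
    return sample_p0(stamps, now, t0, U, R, seed + 1), exact


if __name__ == "__main__":
    m, d, N = 1 << 18, 3, 60
    for L in (38_400, 48_000, 57_600):          # +/-20% around ENTRA-1's typical L
        p0 = p0_of(m, d, L)
        print(f"L={L}: p0={p0:.3f} ps={ps_of(p0, d):.3f} M={threshold_M(m, d, L, N)} "
              f"dps/dL={sensitivity(m, d, L):.2e} L_back={L_from_p0(m, d, p0):.0f}")
    est, exact = demo_sampling()
    print(f"sampled p0={est:.3f} exact={exact:.3f}")
```

With the paper's ENTRA-1 settings the functions give p_0 ≈ 0.577, p_s ≈ 0.92 and M = 55 for N = 60; the ENTRA-2 settings (m = 2^19, L ≈ 96,000) land on the same p_0 because only the ratio Ld/m matters, which is why the text reports about 0.58 for both traces. Comparing the sensitivity at m = 2^18 with m = 2^16 for the same L shows the smaller magnitude that the solution to problem 4 argues for when m is made as large as possible.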
TABLE I. DETAILED DESCRIPTION OF TRACES

Trace    Number of Packets   Duration   Number of Flows   Number of <SIP,SP> pairs   Typical Value of L ($t_0$ = 30s)
ENTRA-1  44M                 10min      712,…             …,226                      about 48,000
ENTRA-2  79M                 10min      1,161,…           …,249                      about 96,000

TABLE II. DETECTION RESULTS OF DOUBLE-FILTER STRUCTURED SCHEME
Detection results in 10 measurement intervals (T = 60s, $t_0 = T_0 = 30$s); columns 1T, 2T, ..., 10T, Total, Percentage.
ENTRA-1: rows Detected, False Pos (%), Missed (%), Actual
ENTRA-2: rows Detected, False Pos (%), Missed (%), Actual

[Fig. 2. Actual number of survivors vs. estimated number of survivors ($p_s N$) for ENTRA-1; axes: actual number of survivors, estimated number of survivors.]

VIII. CONCLUSION

In this paper, we devise a double-filter structure based scheme for scalable port scan detection in real time. It detects port scans without keeping any per-flow state. The detection accuracy is satisfying, with a very small percentage of false positive errors and missed scanners. The scheme consumes far less memory and processing time than per-flow based NIDS, which makes it much more scalable in high speed network environments.

APPENDIX

One-byte timestamp for correct time-out judging: A bucket can represent up to $2^8 = 256$ seconds in one byte. Suppose a bucket was most recently updated at $t_1$ (in seconds), and denote the last eight bits of $t_1$ as $t_1'$. Now at time $t_2$ ($t_2 > t_1$), we are going to judge whether the bucket is timed out or not. The last eight bits of $t_2$ are denoted as $t_2'$. If the bucket is not timed out ($t_2 - t_1 < t_0$), either $t_2' - t_1' < t_0$ (when $t_2' > t_1'$) or $t_2' - t_1' + 256 < t_0$ (when $t_2' < t_1'$) holds. However, theoretically speaking, we cannot judge correctly from the values of $t_2' - t_1'$ and $t_2' - t_1' + 256$ alone: as long as $t_2 - t_1 - 256n < t_0$ (n is an integer and $n \ge 0$), either $t_2' - t_1' < t_0$ or $t_2' - t_1' + 256 < t_0$ holds, and in the case $n > 0$ the bucket actually is timed out. Fortunately, in practice any bucket is updated within 256 seconds, so there won't be $n > 0$.
Therefore, the time-out state of any bucket can be judged correctly from $t_2' - t_1'$ (when $t_2' \ge t_1'$) or $t_2' - t_1' + 256$ (when $t_2' < t_1'$).

REFERENCES

[1] C. Estan, G. W. Daly. New Directions in Traffic Measurement and Accounting. ACM SIGCOMM.
[2] R. R. Kompella, S. Singh, and G. Varghese. On Scalable Attack Detection in the Network. ACM SIGCOMM IMC.
[3] B. H. Bloom. Space/time Tradeoffs in Hash Coding with Allowable Errors. Communications of the ACM, 13(7).
[4] Snort.
[5] V. Paxson. Bro: A System for Detecting Network Intruders in Real-time. Computer Networks, 31(23-24).
[6] L. T. Heberlein, G. V. Dias, K. N. Levitt, et al. A Network Security Monitor. IEEE Symposium on Research in Security and Privacy.
[7] S. Staniford, J. A. Hoagland, and J. M. McAlerney. Practical Automated Detection of Stealthy Portscans. ACM CCS.
[8] C. Leckie, R. Kotagiri. A Probabilistic Approach to Detecting Network Scans. IEEE Network Operations and Management Symposium.
[9] J. Jung, V. Paxson, A. Berger, et al. Fast Portscan Detection Using Sequential Hypothesis Testing. IEEE Symposium on Security and Privacy.
[10] S. Staniford. Containment of Scanning Worms in Enterprise Networks. IEEE INFOCOM.
[11] N. Weaver, V. Paxson, S. Staniford, et al. A Taxonomy of Computer Worms. ACM Workshop on Rapid Malcode.
[12] K. Levchenko, R. Paturi, and G. Varghese. On the Difficulty of Scalably Detecting Network Attacks. ACM CCS.
[13] G. Cheng, J. Gong, W. Ding, et al. A Hash Algorithm for IP Flow Measurement. Journal of Software, 16(5), 2005.
More informationSoftware-Defined Traffic Measurement with OpenSketch
Software-Defined Traffic Measurement with OpenSketch Lavanya Jose Stanford University Joint work with Minlan Yu and Rui Miao at USC 1 1 Management is Control + Measurement control - Access Control - Routing
More informationFine-Grained DDoS Detection Scheme Based on Bidirectional Count Sketch
Fine-Grained DDoS Detection Scheme Based on Bidirectional Count Sketch Haiqin Liu, Yan Sun, and Min Sik Kim School of Electrical Engineering and Computer Science Washington State University Pullman, Washington
More informationANALYZING NETWORK TRAFFIC FOR MALICIOUS ACTIVITY
CANADIAN APPLIED MATHEMATICS QUARTERLY Volume 12, Number 4, Winter 2004 ANALYZING NETWORK TRAFFIC FOR MALICIOUS ACTIVITY SURREY KIM, 1 SONG LI, 2 HONGWEI LONG 3 AND RANDALL PYKE Based on work carried out
More informationReview Study on Techniques for Network worm Signatures Automation
Review Study on Techniques for Network worm Signatures Automation 1 Mohammed Anbar, 2 Sureswaran Ramadass, 3 Selvakumar Manickam, 4 Syazwina Binti Alias, 5 Alhamza Alalousi, and 6 Mohammed Elhalabi 1,
More informationFirewall Verification and Redundancy Checking are Equivalent
Firewall Verification and Redundancy Checking are Equivalent H. B. Acharya University of Texas at Austin acharya@cs.utexas.edu M. G. Gouda National Science Foundation University of Texas at Austin mgouda@nsf.gov
More informationTraffic Behavior Analysis with Poisson Sampling on High-speed Network 1
Traffic Behavior Analysis with Poisson Sampling on High-speed etwork Guang Cheng Jian Gong (Computer Department of Southeast University anjing 0096, P.R.China) Abstract: With the subsequent increasing
More informationSolution of Exercise Sheet 5
Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????
More informationAn Efficient Filter for Denial-of-Service Bandwidth Attacks
An Efficient Filter for Denial-of-Service Bandwidth Attacks Samuel Abdelsayed, David Glimsholt, Christopher Leckie, Simon Ryan and Samer Shami Department of Electrical and Electronic Engineering ARC Special
More informationDetection of Distributed Denial of Service Attack with Hadoop on Live Network
Detection of Distributed Denial of Service Attack with Hadoop on Live Network Suchita Korad 1, Shubhada Kadam 2, Prajakta Deore 3, Madhuri Jadhav 4, Prof.Rahul Patil 5 Students, Dept. of Computer, PCCOE,
More informationDynamic Rule Based Traffic Analysis in NIDS
International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 14 (2014), pp. 1429-1436 International Research Publications House http://www. irphouse.com Dynamic Rule Based
More informationResearch on Errors of Utilized Bandwidth Measured by NetFlow
Research on s of Utilized Bandwidth Measured by NetFlow Haiting Zhu 1, Xiaoguo Zhang 1,2, Wei Ding 1 1 School of Computer Science and Engineering, Southeast University, Nanjing 211189, China 2 Electronic
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationNetwork TrafficBehaviorAnalysisby Decomposition into Control and Data Planes
Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes Basil AsSadhan, Hyong Kim, José M. F. Moura, Xiaohui Wang Carnegie Mellon University Electrical and Computer Engineering Department
More informationInternet Worm Classification and Detection using Data Mining Techniques
IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727, Volume 17, Issue 3, Ver. 1 (May Jun. 2015), PP 76-81 www.iosrjournals.org Internet Worm Classification and Detection
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationAnnouncements. Lab 2 now on web site
Lab 2 now on web site Announcements Next week my office hours moved to Monday 4:3pm This week office hours Wednesday 4:3pm as usual Weighting of papers for final discussion [discussion of listen] Bro:
More information8. 網路流量管理 Network Traffic Management
8. 網路流量管理 Network Traffic Management Measurement vs. Metrics end-to-end performance topology, configuration, routing, link properties state active measurements active routes active topology link bit error
More informationA Case Study in Testing a Network Security Algorithm
A Case Study in Testing a Network Security Algorithm Dr. Carrie E. Gates CA Labs, CA Islandia, NY 11749 carrie.gates@ca.com ABSTRACT Several difficulties arise when testing network security algorithms.
More informationOutline. Outline. Outline
Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather
More informationFIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others
FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More informationDual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor
International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise
More informationSlow Port Scanning Detection
Slow Port Scanning Detection Mehiar Dabbagh 1, Ali J. Ghandour 1, Kassem Fawaz 1, Wassim El Hajj 2, Hazem Hajj 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science American
More informationFuture Generation Computer Systems
Future Generation Computer Systems 29 (2013) 1838 1850 Contents lists available at SciVerse ScienceDirect Future Generation Computer Systems journal homepage: www.elsevier.com/locate/fgcs A confidence-based
More informationACHILLES CERTIFICATION. SIS Module SLS 1508
ACHILLES CERTIFICATION PUBLIC REPORT Final DeltaV Report SIS Module SLS 1508 Disclaimer Wurldtech Security Inc. retains the right to change information in this report without notice. Wurldtech Security
More informationThe Effects of Filtering Malicious Traffic. under DoS Attacks
The Effects of Filtering Malicious Traffic Chinawat Wongvivitkul IT Security Department Gosoft (Thailand), CP Tower 1 313 Silom Road, Bangkok 10500 Thailand chinawatwon@ gosoft.co.th under DoS Attacks
More informationFinal exam review, Fall 2005 FSU (CIS-5357) Network Security
Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection
More informationCYBER ATTACKS EXPLAINED: PACKET CRAFTING
CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure
More informationNSC 93-2213-E-110-045
NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends
More informationBitmap Algorithms for Counting Active Flows on High Speed Links. Elisa Jasinska jasinska@informatik.hu-berlin.de
Bitmap Algorithms for Counting Active Flows on High Speed Links Elisa Jasinska jasinska@informatik.hu-berlin.de Seminar: Internet Measurement Technische Universität Berlin - Deutsche Telekom Laboratories
More informationAttack and Defense Techniques 2
Network Security Attack and Defense Techniques 2 Anna Sperotto, Ramin Sadre Design and Analysis of ommunication Networks (DAS) University of Twente The Netherlands Firewalls Network firewall Internet 25
More informationA Novel Packet Marketing Method in DDoS Attack Detection
SCI-PUBLICATIONS Author Manuscript American Journal of Applied Sciences 4 (10): 741-745, 2007 ISSN 1546-9239 2007 Science Publications A Novel Packet Marketing Method in DDoS Attack Detection 1 Changhyun
More informationTwo State Intrusion Detection System Against DDos Attack in Wireless Network
Two State Intrusion Detection System Against DDos Attack in Wireless Network 1 Pintu Vasani, 2 Parikh Dhaval 1 M.E Student, 2 Head of Department (LDCE-CSE) L.D. College of Engineering, Ahmedabad, India.
More informationCSCI 4250/6250 Fall 2015 Computer and Networks Security
CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP
More informationKeywords Attack model, DDoS, Host Scan, Port Scan
Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection
More informationProvider-Based Deterministic Packet Marking against Distributed DoS Attacks
Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Vasilios A. Siris and Ilias Stavrakis Institute of Computer Science, Foundation for Research and Technology - Hellas (FORTH)
More informationKNOM Tutorial 2003. Internet Traffic Measurement and Analysis. Sue Bok Moon Dept. of Computer Science
KNOM Tutorial 2003 Internet Traffic Measurement and Analysis Sue Bok Moon Dept. of Computer Science Overview Definition of Traffic Matrix 4Traffic demand, delay, loss Applications of Traffic Matrix 4Engineering,
More informationTracking Darkports for Network Defense
Tracking Darkports for Network Defense David Whyte Paul C. van Oorschot Evangelos Kranakis School of Computer Science Carleton University, Ottawa, Canada {dlwhyte, paulv, kranakis}@scs.carleton.ca Abstract
More informationAn Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh
More informationApplication of Netflow logs in Analysis and Detection of DDoS Attacks
International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in
More informationCisco IOS Flexible NetFlow Technology
Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application
More informationNetwork Monitoring Using Traffic Dispersion Graphs (TDGs)
Network Monitoring Using Traffic Dispersion Graphs (TDGs) Marios Iliofotou Joint work with: Prashanth Pappu (Cisco), Michalis Faloutsos (UCR), M. Mitzenmacher (Harvard), Sumeet Singh(Cisco) and George
More informationEffective Worm Detection for Various Scan Techniques
Effective Worm Detection for Various Scan Techniques Jianhong Xia, Sarma Vangala, Jiang Wu and Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts at Amherst Amherst,
More informationInternational Journal of Scientific & Engineering Research, Volume 4, Issue 8, August-2013 1300 ISSN 2229-5518
International Journal of Scientific & Engineering Research, Volume 4, Issue 8, August-2013 1300 Efficient Packet Filtering for Stateful Firewall using the Geometric Efficient Matching Algorithm. Shriya.A.
More informationScan Detection - Revisited
Scan Detection - Revisited Levent Ertöz 1, Eric Eilertson 1, Paul Dokas 1, Vipin Kumar 1, and Kerry Long 2 1 University of Minnesota, Minneapolis MN 55455, USA 2 Army Research Laboratory, Adelphi MD 20783,
More informationHost Discovery with nmap
Host Discovery with nmap By: Mark Wolfgang moonpie@moonpie.org November 2002 Table of Contents Host Discovery with nmap... 1 1. Introduction... 3 1.1 What is Host Discovery?... 4 2. Exploring nmap s Default
More informationLoad Distribution in Large Scale Network Monitoring Infrastructures
Load Distribution in Large Scale Network Monitoring Infrastructures Josep Sanjuàs-Cuxart, Pere Barlet-Ros, Gianluca Iannaccone, and Josep Solé-Pareta Universitat Politècnica de Catalunya (UPC) {jsanjuas,pbarlet,pareta}@ac.upc.edu
More informationDetecting Flooding Attacks Using Power Divergence
Detecting Flooding Attacks Using Power Divergence Jean Tajer IT Security for the Next Generation European Cup, Prague 17-19 February, 2012 PAGE 1 Agenda 1- Introduction 2- K-ary Sktech 3- Detection Threshold
More informationBuilding a Better NetFlow
Building a Better NetFlow Cristian Estan cestan@cs.ucsd.edu Ken Keys kkeys@caida.org David Moore, dmoore@caida.org George Varghese varghese@cs.ucsd.edu ABSTRACT Network operators need to determine the
More informationA Passive Method for Estimating End-to-End TCP Packet Loss
A Passive Method for Estimating End-to-End TCP Packet Loss Peter Benko and Andras Veres Traffic Analysis and Network Performance Laboratory, Ericsson Research, Budapest, Hungary {Peter.Benko, Andras.Veres}@eth.ericsson.se
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationAdaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks
Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks Yan Hu Dept. of Information Engineering Chinese University of Hong Kong Email: yhu@ie.cuhk.edu.hk D. M. Chiu
More informationReal-Time Feature Extraction for High Speed Networks
Real-Time Feature Extraction for High Speed Networks David Nguyen, Gokhan Memik, Seda Ogrenci Memik, and Alok Choudhary Department of Electrical and Computer Engineering Northwestern University Evanston,
More informationAn Efficient Algorithm for Measuring Medium- to Large-sized Flows in Network Traffic
An Efficient Algorithm for Measuring Medium- to Large-sized Flows in Network Traffic Ashwin Lall Georgia Inst. of Technology Mitsunori Ogihara University of Miami Jun (Jim) Xu Georgia Inst. of Technology
More informationReal-Time Detection of Hidden Traffic Patterns
Real-Time Detection of Hidden Traffic Patterns Fang Hao Murali Kodialam T.V. Lakshman Bell Labs 101 Crawfords Corner Road Holmdel, NJ 07733 {fangh, muralik,lakshman }@bell-labs.com Abstract We address
More informationEfficiently Managing Firewall Conflicting Policies
Efficiently Managing Firewall Conflicting Policies 1 K.Raghavendra swamy, 2 B.Prashant 1 Final M Tech Student, 2 Associate professor, Dept of Computer Science and Engineering 12, Eluru College of Engineeering
More informationBotnet Detection Based on Degree Distributions of Node Using Data Mining Scheme
Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme Chunyong Yin 1,2, Yang Lei 1, Jin Wang 1 1 School of Computer & Software, Nanjing University of Information Science &Technology,
More informationA TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS
ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of
More informationAn Analysis on Distribution of Malicious Packets and Threats over the Internet
An Analysis on Distribution of Malicious Packets and Threats over the Internet Masaki Ishiguro Mitsubishi Research Institute 3-6 Otemachi 2-Chome, Chiyoda-ku, Tokyo, Japan masa@mri.co.jp Shigeki Goto Waseda
More informationApplication Security Backgrounder
Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International
More informationNetwork Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Part I: Attack Prevention Network Security Chapter 9 Attack prevention, detection and response Part Part I:
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationFlexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks
Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Prashil S. Waghmare PG student, Sinhgad College of Engineering, Vadgaon, Pune University, Maharashtra, India. prashil.waghmare14@gmail.com
More informationRadware s Behavioral Server Cracking Protection
Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information
More informationPer-Flow Queuing Allot's Approach to Bandwidth Management
White Paper Per-Flow Queuing Allot's Approach to Bandwidth Management Allot Communications, July 2006. All Rights Reserved. Table of Contents Executive Overview... 3 Understanding TCP/IP... 4 What is Bandwidth
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More informationto-end Packet Loss Estimation for Grid Traffic Monitoring
Passive End-to to-end Packet Loss Estimation for Grid Traffic Monitoring Antonis Papadogiannakis, Alexandros Kapravelos, Michalis Polychronakis, Evangelos P. Markatos Institute of Computer Science (ICS)
More informationDissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong
Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application Author: Fung, King Pong MSc in Information Technology The Hong Kong Polytechnic University June 1999 i Abstract Abstract of dissertation
More informationA Fuzzy Logic-Based Information Security Management for Software-Defined Networks
A Fuzzy Logic-Based Information Security Management for Software-Defined Networks Sergei Dotcenko *, Andrei Vladyko *, Ivan Letenko * * The Bonch-Bruevich Saint-Petersburg State University of Telecommunications,
More informationSecuring EtherNet/IP Using DPI Firewall Technology
Securing EtherNet/IP Using DPI Firewall Technology www.odva.org Technical Track About Us Erik Schweigert Leads device firmware development at Tofino Security BSc in Computer Science from VIU Michael Thomas
More informationINCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS
WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by
More informationFrom Network Security To Content Filtering
Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals
More informationIntrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com
Intrusion Detection & SNORT Fakrul Alam fakrul@bdhbu.com Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not up to date 0- days get through
More informationAPPENDIX 1 USER LEVEL IMPLEMENTATION OF PPATPAN IN LINUX SYSTEM
152 APPENDIX 1 USER LEVEL IMPLEMENTATION OF PPATPAN IN LINUX SYSTEM A1.1 INTRODUCTION PPATPAN is implemented in a test bed with five Linux system arranged in a multihop topology. The system is implemented
More informationTaxonomy of Intrusion Detection System
Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use
More informationTHREE LAYERS APPROACH FOR NETWORK SCANNING DETECTION
THREE LAYERS APPROACH FOR NETWORK SCANNING DETECTION 1 OMAR E. ELEJLA, 2 AMAN B. JANTAN, 3 ABDULGHANI ALI AHMED School of Computer Sciences, Universiti Sains Malaysia (USM), Penang, Malaysia 1 omar.elejla@hotmail.com,
More informationCoimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring
Volume 4, Issue 8, August 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Investigate the
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationHands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp
Hands-on Network Traffic Analysis 2015 Cyber Defense Boot Camp What is this about? Prerequisite: network packet & packet analyzer: (header, data) Enveloped letters inside another envelope Exercises Basic
More informationIntruders and viruses. 8: Network Security 8-1
Intruders and viruses 8: Network Security 8-1 Intrusion Detection Systems Firewalls allow traffic only to legitimate hosts and services Traffic to the legitimate hosts/services can have attacks CodeReds
More informationFlow-based detection of RDP brute-force attacks
Flow-based detection of RDP brute-force attacks Martin Vizváry vizvary@ics.muni.cz Institute of Computer Science Masaryk University Brno, Czech Republic Jan Vykopal vykopal@ics.muni.cz Institute of Computer
More informationFlow-based Worm Detection using Correlated Honeypot Logs
Flow-based Worm Detection using Correlated Honeypot Logs Falko Dressler, Wolfgang Jaegers, and Reinhard German Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058
More informationNetwork Based Intrusion Detection Using Honey pot Deception
Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.
More informationA Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
More informationImproving DNS performance using Stateless TCP in FreeBSD 9
Improving DNS performance using Stateless TCP in FreeBSD 9 David Hayes, Mattia Rossi, Grenville Armitage Centre for Advanced Internet Architectures, Technical Report 101022A Swinburne University of Technology
More informationVulnerability Analysis of Hash Tables to Sophisticated DDoS Attacks
International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 12 (2014), pp. 1167-1173 International Research Publications House http://www. irphouse.com Vulnerability
More informationSelected Topics of IT Security (41.4456) Seminar description
Selected Topics of IT Security (41.4456) Seminar description Sebastian Abt, Frank Breitinger April 3, 2012 1 Introduction The lecture and accompanying seminar target at master-level students interested
More informationCisco IPS Tuning Overview
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
More informationHow To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On
Michel Laterman We have a monitor set up that receives a mirror from the edge routers Monitor uses an ENDACE DAG 8.1SX card (10Gbps) & Bro to record connection level info about network usage Can t simply
More information