Thumbnail
Access Restriction
Open

Author Kompella, Ramana Rao ♦ Singh, Sumeet ♦ Varghese, George
Source CiteSeerX
Content type Text
File Format PDF
Subject Domain (in DDC) Computer science, information & general works ♦ Data processing & computer science
Subject Keyword Per-flow State ♦ Scalable Attack Detection ♦ Do Attack ♦ Id System ♦ Several Category ♦ Multi-gigabit Speed ♦ Signature Detection Mechanism ♦ Port Scan ♦ Current Intrusion Detection ♦ Fast Implementation ♦ Stealthy Port-scanning Cannot ♦ High Speed ♦ Network Intrusion ♦ Router Lookup ♦ Wide Class ♦ Prefix Lookup ♦ Appropriate Aggregate Behavior ♦ Bad Behavior ♦ Good Behavior ♦ Wide Variety ♦ Network Vantage Point ♦ Host Scanning ♦ Keep Per-connection ♦ Prevention System
Abstract Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfortunately, all the IDS systems we know of keep per-connection or per-flow state. Thus it is hardly surprising that IDS systems (other than signature detection mechanisms) have not scaled to multi-gigabit speeds. By contrast, note that both router lookups and fair queuing have scaled to high speeds using aggregation via prefix lookups or DiffServ. Thus in this paper, we initiate research into the question as to whether one can detect attacks without keeping per-flow state. We will show that such aggregation, while making fast implementations possible, immediately cause two problems. First, aggregation can cause behavioral aliasing where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing by which the intruder sends attacks that have appropriate aggregate behavior. We examine a wide variety of DoS attacks and show that several categories (bandwidth based, claim-and-hold, host scanning) can be scalably detected. By contrast, it appears that stealthy port-scanning cannot be scalably detected without keeping per-flow state.
Educational Role Student ♦ Teacher
Age Range above 22 year
Educational Use Research
Education Level UG and PG ♦ Career/Technical Study
Publisher Date 2004-01-01