Enhancing Network Intrusion Detection by Correlation of
Modularly Hashed Sketches

D 2014

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

DRAŠAR, Martin; Tomáš JIRSÍK a Martin VIZVÁRY

Základní údaje

Originální název

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

Autoři

DRAŠAR, Martin ; Tomáš JIRSÍK a Martin VIZVÁRY

Vydání

Berlin, Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508, od s. 160-172, 13 s. 2014

Nakladatel

Springer Berlin Heidelberg

Další údaje

Jazyk

angličtina

Typ výsledku

Stať ve sborníku

Obor

10201 Computer sciences, information science, bioinformatics

Stát vydavatele

Německo

Utajení

není předmětem státního či obchodního tajemství

Forma vydání

tištěná verze "print"

Odkazy

URL

Impakt faktor

Impact factor: 0.402 v roce 2005

Kód RIV

RIV/00216224:14610/14:00073230

Organizační jednotka

Ústav výpočetní techniky

ISBN

978-3-662-43861-9

ISSN

DOI

https://doi.org/10.1007/978-3-662-43862-6_19

UT WoS

000347615900019

EID Scopus

2-s2.0-84904187711

Klíčová slova anglicky

intrusion detection; NetFlow; sketch; modular hashes; correlation

Štítky

rivok

Příznaky

Mezinárodní význam, Recenzováno

Změněno: 1. 4. 2015 09:02, Mgr. Marta Novotná Buršíková

Anotace

V originále

The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection.

Návaznosti

VF20132015031, projekt VaV

Název: Bezpečnost optických prvků v datových a komunikačních sítích (Akronym: BOP)

Investor: Ministerstvo vnitra ČR, Bezpečnost optických prvků v datových a komunikačních sítích

Přiložené soubory

Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf

slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf

Citovat

DRAŠAR, Martin; Tomáš JIRSÍK a Martin VIZVÁRY. Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches. In Sperotto, Anna and Doyen, Guillaume and Latré, Steven and Charalambides, Marinos and Stiller, Burkhard. Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508. Berlin: Springer Berlin Heidelberg, 2014, s. 160-172. ISBN 978-3-662-43861-9. Dostupné z: https://doi.org/10.1007/978-3-662-43862-6_19.

@inproceedings{1192611,
   author = {Drašar, Martin and Jirsík, Tomáš and Vizváry, Martin},
   address = {Berlin},
   booktitle = {Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508},
   doi = {https://doi.org/10.1007/978-3-662-43862-6_19},
   editor = {Sperotto, Anna and Doyen, Guillaume and Latré, Steven and Charalambides, Marinos and Stiller, Burkhard},
   keywords = {intrusion detection; NetFlow; sketch; modular hashes; correlation},
   howpublished = {tištěná verze "print"},
   language = {eng},
   location = {Berlin},
   isbn = {978-3-662-43861-9},
   pages = {160-172},
   publisher = {Springer Berlin Heidelberg},
   title = {Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches},
   url = {http://dx.doi.org/10.1007/978-3-662-43862-6_19},
   year = {2014}
}

TY  - CONF
ID  - 1192611
AU  - Drašar, Martin - Jirsík, Tomáš - Vizváry, Martin
PY  - 2014
TI  - Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches
PB  - Springer Berlin Heidelberg
CY  - Berlin
SN  - 9783662438619
KW  - intrusion detection
KW  - NetFlow
KW  - sketch
KW  - modular hashes
KW  - correlation
UR  - http://dx.doi.org/10.1007/978-3-662-43862-6_19
L2  - http://dx.doi.org/10.1007/978-3-662-43862-6_19
N2  - The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection.
ER  -

DRAŠAR, Martin; Tomáš JIRSÍK a Martin VIZVÁRY. Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches. In Sperotto, Anna and Doyen, Guillaume and Latré, Steven and Charalambides, Marinos and Stiller, Burkhard. \textit{Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508}. Berlin: Springer Berlin Heidelberg, 2014, s.~160-172. ISBN~978-3-662-43861-9. Dostupné z: https://doi.org/10.1007/978-3-662-43862-6\_{}19.

Přehled o publikaci