Další formáty:
BibTeX
LaTeX
RIS
@inproceedings{1192611, author = {Drašar, Martin and Jirsík, Tomáš and Vizváry, Martin}, address = {Berlin}, booktitle = {Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508}, doi = {http://dx.doi.org/10.1007/978-3-662-43862-6_19}, editor = {Sperotto, Anna and Doyen, Guillaume and Latré, Steven and Charalambides, Marinos and Stiller, Burkhard}, keywords = {intrusion detection; NetFlow; sketch; modular hashes; correlation}, howpublished = {tištěná verze "print"}, language = {eng}, location = {Berlin}, isbn = {978-3-662-43861-9}, pages = {160-172}, publisher = {Springer Berlin Heidelberg}, title = {Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches}, url = {http://dx.doi.org/10.1007/978-3-662-43862-6_19}, year = {2014} }
TY - JOUR ID - 1192611 AU - Drašar, Martin - Jirsík, Tomáš - Vizváry, Martin PY - 2014 TI - Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches PB - Springer Berlin Heidelberg CY - Berlin SN - 9783662438619 KW - intrusion detection KW - NetFlow KW - sketch KW - modular hashes KW - correlation UR - http://dx.doi.org/10.1007/978-3-662-43862-6_19 L2 - http://dx.doi.org/10.1007/978-3-662-43862-6_19 N2 - The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection. ER -
DRAŠAR, Martin, Tomáš JIRSÍK a Martin VIZVÁRY. Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches. In Sperotto, Anna and Doyen, Guillaume and Latré, Steven and Charalambides, Marinos and Stiller, Burkhard. \textit{Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508}. Berlin: Springer Berlin Heidelberg, 2014, s.~160-172. ISBN~978-3-662-43861-9. Dostupné z: https://dx.doi.org/10.1007/978-3-662-43862-6\_{}19.
|