DRAŠAR, Martin, Tomáš JIRSÍK and Martin VIZVÁRY. Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches. In Sperotto, Anna and Doyen, Guillaume and Latré, Steven and Charalambides, Marinos and Stiller, Burkhard. Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508. Berlin: Springer Berlin Heidelberg, 2014. p. 160-172. ISBN 978-3-662-43861-9. doi:10.1007/978-3-662-43862-6_19.
Basic information
Original name Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches
Authors DRAŠAR, Martin (203 Czech Republic, guarantor, belonging to the institution), Tomáš JIRSÍK (203 Czech Republic, belonging to the institution) and Martin VIZVÁRY (703 Slovakia, belonging to the institution).
Edition Berlin, Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508, p. 160-172, 13 pp. 2014.
Publisher Springer Berlin Heidelberg
Other information
Original language English
Type of outcome Proceedings paper
Field of Study 10201 Computer sciences, information science, bioinformatics
Country of publisher Germany
Confidentiality degree is not subject to a state or trade secret
Publication form printed version "print"
Impact factor 0.402 in 2005
RIV identification code RIV/00216224:14610/14:00073230
Organization unit Institute of Computer Science
ISBN 978-3-662-43861-9
ISSN 0302-9743
Doi http://dx.doi.org/10.1007/978-3-662-43862-6_19
UT WoS 000347615900019
Keywords in English intrusion detection; NetFlow; sketch; modular hashes; correlation
Tags rivok
Tags International impact, Reviewed
Changed by Mgr. Marta Novotná Buršíková, učo 15689. Changed: 1. 4. 2015 09:02.
Abstract
The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection.
Links
VF20132015031, research and development project
Name: Bezpečnost optických prvků v datových a komunikačních sítích (Acronym: BOP)
Investor: Ministry of the Interior of the CR, Security of Optical Components in Data and Communication Networks
Type Name Uploaded/Created by Uploaded/Created Rights
Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf Licence Creative Commons  File version Jirsík, T. 16. 7. 2014


Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf

Address within IS
https://is.muni.cz/auth/publication/1192611/Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf
Address for the users outside IS
http://is.muni.cz/publication/1192611/Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf
File type
PDF (application/pdf)
Size
318,2 KB
Hash md5
5c135d9519f7386ab0078bd4c9ca07ab
Uploaded/Created
Wed 16. 7. 2014 08:48

Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.txt

Address within IS
https://is.muni.cz/auth/publication/1192611/Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.txt
Address for the users outside IS
http://is.muni.cz/publication/1192611/Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.txt
File type
plain text (text/plain)
Size
33,9 KB
Hash md5
ebb276e459000bd47bb46d7d653b207e
Uploaded/Created
Wed 16. 7. 2014 08:49
slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf Licence Creative Commons  File version Jirsík, T. 16. 7. 2014


slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf

Address within IS
https://is.muni.cz/auth/publication/1192611/slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf
Address for the users outside IS
http://is.muni.cz/publication/1192611/slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.pdf
File type
PDF (application/pdf)
Size
845,9 KB
Hash md5
6dd3dbd51751ed6a720b1666f1ab3137
Uploaded/Created
Wed 16. 7. 2014 08:50

slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.txt

Address within IS
https://is.muni.cz/auth/publication/1192611/slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.txt
Address for the users outside IS
http://is.muni.cz/publication/1192611/slides_Enhancing_Network_Intrusion_Detection_by_Correlation_of_Modularly_Hashed_Sketches.txt
File type
plain text (text/plain)
Size
6,3 KB
Hash md5
3cc867f3d1c10e2bac81deffe1fb45d6
Uploaded/Created
Wed 16. 7. 2014 08:51