Towards a High speed Router based Anomaly/Intrusion detection System - PowerPoint PPT Presentation

Slides: 13
Provided by: love2
Transcript and Presenter's Notes

1
Towards a High speed Router based Anomaly/Intrusion detection System
  • Yan Gao, Zhichun Li

2
Outline
  • Motivation
  • Related works
  • Our approach
  • Elementary evaluation result
  • Ongoing work

3
Motivation
  • Attacks are commonplace; identifying them rapidly
    and accurately is critical
  • Existing network intrusion detection systems
    (IDS) are insufficient for the following two
    reasons.
  • First, they are mostly host-based or located on
    low-end routers, and not scalable to high-speed
    networks.
  • Second, most of the existing approaches are
    signature based, which cannot detect unknown
    network attacks.

4
Motivation (cont.)
  • Statistical IDS
  • Most of them are based on overall traffic and
    cannot do further mitigation even when they find
    some anomalies
  • Most of them cannot detect SYN flooding and
    different types of port scans simultaneously
  • Call for High Speed network detection solution
    (DARPA research agenda)

5
Related works
  • SYN flooding detection
  • Change point monitoring (CPM)
  • Port Scan detection
  • Threshold Random Walk (TRW)
  • Very Fast Containment of Scanning Worms
  • Both
  • Partial Completion Filters (PCF)

6
Our approach: threat model
  • Target
  • SYN flooding
  • Port scan
  • Horizontal scan
  • Vertical scan
  • Metrics
  • SYN − SYN/ACK
  • SYN − FIN
  • IP header fields
  • DIP, SIP, Dport, Sport

7
Our approach: system design
  • Reversible Sketch
  • Forecast model (EWMA, Holt-Winters)
  • 2D Sketch

8
Our approach: reversible sketch
  • RS(Key, value)

9
Our approach: detection algorithm
  • RS((DIP, Dport), SYN-SYN/ACK)
  • RS((SIP, DIP), SYN-SYN/ACK)
  • RS((SIP, Dport), SYN-SYN/ACK)
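Slides 7 to 9 give the recipe but no code, so here is an added illustration (mine, not the authors' implementation) of the first of the three sketches: key (DIP, Dport), value SYN − SYN/ACK per interval, a per-bucket EWMA forecast sketch, and an alert when the error sketch (observed minus forecast) for a key exceeds a threshold. Assumptions: a count-min style sketch stands in for the reversible sketch, and keys are recovered by re-querying the interval's candidate keys rather than by inverting the hashes as a reversible sketch does; the sizes H, K, the EWMA weight ALPHA and THRESHOLD are constructed, since the slides derive the threshold from the knee point of real data; the traffic is constructed sample data.

```python
"""Sketch-based change detection for SYN flooding (added example, not the
authors' code).  Key = (DIP, Dport), value = SYN - SYN/ACK per interval,
EWMA forecast of every bucket, alert when error = observed - forecast exceeds
THRESHOLD.  A count-min sketch stands in for the reversible sketch; keys are
recovered by re-querying the interval's candidate keys (an assumption)."""
import copy
import hashlib

H, K = 4, 64          # hash rows and buckets per row (assumed sizes)
ALPHA = 0.5           # EWMA weight on the newest interval (assumed)
THRESHOLD = 20.0      # constructed; the slides take it from the data's knee point


def bucket(row: int, key: tuple) -> int:
    """One hash per row: SHA-256 over (row, key), reduced mod K."""
    data = f"{row}|{key[0]}|{key[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % K


class Sketch:
    """Count-min style table of H x K counters; values may go negative."""

    def __init__(self):
        self.t = [[0.0] * K for _ in range(H)]

    def update(self, key, delta):
        for r in range(H):
            self.t[r][bucket(r, key)] += delta

    def estimate(self, key):
        return min(self.t[r][bucket(r, key)] for r in range(H))


def interval_sketch(packets):
    """RS((DIP, Dport), SYN - SYN/ACK) for one interval.

    packets are (sip, sport, dip, dport, flags).  A SYN/ACK travels server ->
    client, so its server key is (sip, sport), not (dip, dport)."""
    s, keys = Sketch(), set()
    for sip, sport, dip, dport, flags in packets:
        if flags == "SYN":
            s.update((dip, dport), +1)
            keys.add((dip, dport))
        elif flags == "SYN/ACK":
            s.update((sip, sport), -1)
    return s, keys


class Detector:
    """Per-bucket EWMA forecast sketch plus error-sketch thresholding."""

    def __init__(self):
        self.forecast = None

    def step(self, packets):
        obs, keys = interval_sketch(packets)
        if self.forecast is None:          # first interval only seeds the model
            self.forecast = copy.deepcopy(obs)
            return []
        err = Sketch()
        for r in range(H):
            for b in range(K):
                err.t[r][b] = obs.t[r][b] - self.forecast.t[r][b]
        alerts = sorted(k for k in keys if err.estimate(k) > THRESHOLD)
        for r in range(H):                 # EWMA: F[t+1] = a*O[t] + (1-a)*F[t]
            for b in range(K):
                self.forecast.t[r][b] = (ALPHA * obs.t[r][b]
                                         + (1 - ALPHA) * self.forecast.t[r][b])
        return alerts


def normal_traffic():
    """Constructed sample: three servers, every handshake answered."""
    pkts = []
    servers = [("10.0.0.1", 80), ("10.0.0.2", 443), ("10.0.0.3", 22)]
    for i, (srv, port) in enumerate(servers):
        for c in range(5):
            client = f"192.168.1.{10 * i + c}"
            pkts.append((client, 40000 + c, srv, port, "SYN"))
            pkts.append((srv, port, client, 40000 + c, "SYN/ACK"))
    return pkts


def syn_flood(n=60):
    """Constructed sample: n SYNs to one victim, no SYN/ACK ever sent back."""
    return [(f"203.0.113.{i % 250}", 50000 + i, "10.0.0.5", 80, "SYN")
            for i in range(n)]


def run_demo():
    """Four intervals: quiet, flood, flood, quiet.  Returns alerts per interval."""
    d = Detector()
    return [d.step(normal_traffic()),
            d.step(normal_traffic() + syn_flood()),
            d.step(normal_traffic() + syn_flood()),
            d.step(normal_traffic())]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"interval {i}: alerts = {alerts}")
```

The flood key shows an error of 60 in the second interval and 30 in the third (the EWMA has already absorbed half of the flood), both above the threshold, while the fourth, quiet interval yields a large negative error and no alert; the same structure, with the victim key taken from the SYN/ACK's source side, is what the SIP-keyed sketches on the slide add to localise the source.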

10
2D sketch
  • Structure of 2D sketch

Example: UPDATE

11
Elementary evaluation result
  • Threshold: knee point
  • Data set: NU data, 536M flows (3.48TB)
  • Sketch vs. non-sketch (FP 2.34, FN 0.5)
  • Speed test (11M insertions/second)
  • Memory consumption (9MB)
  • Validation with other approaches

12
Ongoing work
  • IP Mangling of RevSketch
  • Reduce false positive
  • Validation with other approaches
  • Manual validation
  • Holt-Winters result