DOI: 10.1145/1028788.1028812
Article

On scalable attack detection in the network

Published: 25 October 2004 Publication History

Abstract

Current intrusion detection and prevention systems seek to detect a wide class of network intrusions (e.g., DoS attacks, worms, port scans) at network vantage points. Unfortunately, all the IDSs we know of keep per-connection or per-flow state. Thus it is hardly surprising that IDSs (other than signature detection mechanisms) have not scaled to multi-gigabit speeds. By contrast, both router lookups and fair queuing have scaled to high speeds using aggregation, via prefix lookups and DiffServ respectively. Thus in this paper we initiate research into the question of whether one can detect attacks without keeping per-flow state. We show that such aggregation, while making fast implementations possible, immediately causes two problems. First, aggregation can cause behavioral aliasing where, for example, good behaviors can aggregate to look like bad behaviors. Second, aggregated schemes are susceptible to spoofing, by which the intruder sends attacks that have the appropriate aggregate behavior. We examine a wide variety of DoS attacks and show that several categories (bandwidth based, claim-and-hold, host scanning) can be scalably detected. By contrast, it appears that stealthy port scanning cannot be scalably detected without keeping per-flow state.
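
Worked example (added here by the editor; it is not the paper's code, and the abstract names the problem rather than a particular data structure, so the design is an illustration of the idea, not the authors' method). Claim-and-hold attacks such as SYN floods tie up per-connection state on the victim: a SYN that is never followed by a FIN or RST is an unreleased claim. Instead of tracking each flow, the sketch below keeps k small arrays of signed counters indexed by keyed hashes of the destination address, adds one on a SYN, subtracts one on a FIN or RST, and reports the minimum across arrays, so memory is fixed no matter how many flows pass. The addresses, thresholds, traffic mix and the simplified flag model (a bare SYN is a claim, any FIN or RST a release) are constructed assumptions. Running it exercises all three points of the abstract: the flood is flagged with no per-flow table; with a single tiny array, busy but benign servers alias into the same bucket and are flagged too; and an attacker who forges a FIN for every spoofed SYN keeps the aggregate balanced while the victim still holds every half-open connection.

```python
import hashlib
from collections import namedtuple

# Constructed packet record for this example; flags is a frozenset of TCP flag names.
Pkt = namedtuple("Pkt", "src dst flags")


class ClaimAndHoldSketch:
    """k keyed hash tables of b signed counters; memory is O(k*b), never per flow."""

    def __init__(self, k=3, b=1024, threshold=50):
        self.k, self.b, self.threshold = k, b, threshold
        self.tables = [[0] * b for _ in range(k)]

    def _bucket(self, i, dst):
        # Keyed BLAKE2b per table so a collision in one table is independent of
        # the others (a salted CRC would not give that: CRC is linear in its input).
        h = hashlib.blake2b(dst.encode(), digest_size=8, key=b"table%d" % i)
        return int.from_bytes(h.digest(), "big") % self.b

    def observe(self, pkt):
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            delta = 1          # a new claim on the server's connection state
        elif "FIN" in pkt.flags or "RST" in pkt.flags:
            delta = -1         # that claim released
        else:
            return             # data and pure ACKs change no claim count
        for i, table in enumerate(self.tables):
            table[self._bucket(i, pkt.dst)] += delta

    def estimate(self, dst):
        # Each bucket sums the net outstanding claims of every destination that
        # hashes into it, so collisions can only inflate the value (as long as
        # every counted FIN follows a counted SYN); the minimum is the tightest bound.
        return min(t[self._bucket(i, dst)] for i, t in enumerate(self.tables))

    def suspicious(self, dst):
        return self.estimate(dst) > self.threshold


def benign_traffic(servers, completed=200, half_open=20):
    """Constructed clients: most finish (SYN then FIN), a few are still in flight."""
    pkts = []
    for s in servers:
        for c in range(completed):
            pkts.append(Pkt(f"client{c}", s, frozenset({"SYN"})))
            pkts.append(Pkt(f"client{c}", s, frozenset({"FIN", "ACK"})))
        for c in range(half_open):
            pkts.append(Pkt(f"slow{c}", s, frozenset({"SYN"})))
    return pkts


def syn_flood(victim, n=500, paired_fins=False):
    """Constructed flood from forged sources. With paired_fins the attacker also
    forges a FIN per SYN: the victim ignores a FIN for a half-open connection and
    keeps holding state, but the aggregate SYN-minus-FIN count looks balanced."""
    pkts = []
    for i in range(n):
        src = f"198.51.100.{i % 250}"   # spoofed sources (documentation range)
        pkts.append(Pkt(src, victim, frozenset({"SYN"})))
        if paired_fins:
            pkts.append(Pkt(src, victim, frozenset({"FIN"})))
    return pkts


def run_scenario(k, b, threshold, n_servers=40, paired_fins=False):
    servers = [f"10.0.0.{i}" for i in range(1, n_servers + 1)]   # assumed addresses
    victim = "10.0.1.1"
    sketch = ClaimAndHoldSketch(k=k, b=b, threshold=threshold)
    for p in benign_traffic(servers) + syn_flood(victim, paired_fins=paired_fins):
        sketch.observe(p)
    return {
        "victim_estimate": sketch.estimate(victim),
        "victim_flagged": sketch.suspicious(victim),
        "false_positives": sum(sketch.suspicious(s) for s in servers),
    }


if __name__ == "__main__":
    # Flood caught with no per-flow state and no benign server flagged.
    print("k=3 b=1024:", run_scenario(3, 1024, 50))
    # Behavioral aliasing: 40 benign servers share 4 buckets, so some are flagged.
    print("k=1 b=4   :", run_scenario(1, 4, 50))
    # Spoofing: forged FINs balance the aggregate and the flood goes unflagged.
    print("evasion   :", run_scenario(3, 1024, 50, paired_fins=True))
```

The lower bound that makes the minimum meaningful holds only because every FIN in the constructed traffic follows a SYN the monitor saw. Flows that began before monitoring started, or whose SYN took a path the vantage point does not see, drive counters negative and can mask a flood in the same way the forged FINs do, which is one reason an aggregated detector needs a view of both directions or a reset policy for its counters.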

Cited By

  • (2021) Entropy Based Features Distribution for Anti-DDoS Model in SDN. Sustainability 13(3):1522. doi:10.3390/su13031522. Published 1 Feb 2021.
  • (2020) SwitchTree: in-network computing and traffic analyses with Random Forests. Neural Computing and Applications. doi:10.1007/s00521-020-05440-2. Published 11 Nov 2020.
  • (2019) QPipe. Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies, pp. 285-291. doi:10.1145/3359989.3365433. Published 3 Dec 2019.
  • (2019) Network Monitoring Enhancement based on Mathematical Modeling. 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS), pp. 1-4. doi:10.1109/CAIS.2019.8769583. Published May 2019.
  • (2019) Efficient Identification of TOP-K Heavy Hitters over Sliding Windows. Mobile Networks and Applications 24(5):1732-1741. doi:10.1007/s11036-018-1051-x. Published 1 Oct 2019.
  • (2018) SkyShield: A Sketch-Based Defense System Against Application Layer DDoS Attacks. IEEE Transactions on Information Forensics and Security 13(3):559-573. doi:10.1109/TIFS.2017.2758754. Published Mar 2018.
  • (2017) Filtering-Based Defense Mechanisms Against DDoS Attacks: A Survey. IEEE Systems Journal 11(4):2761-2773. doi:10.1109/JSYST.2016.2602848. Published Dec 2017.
  • (2017) Distributed, multi-level network anomaly detection for datacentre networks. 2017 IEEE International Conference on Communications (ICC), pp. 1-6. doi:10.1109/ICC.2017.7996569. Published May 2017.
  • (2016) Towards Loop-Free Forwarding of Anonymous Internet Datagrams That Enforce Provenance. 2016 IEEE Global Communications Conference (GLOBECOM), pp. 1-6. doi:10.1109/GLOCOM.2016.7842346. Published Dec 2016.
  • (2016) D2Sketch: Supporting Efficient Identification of Heavy Hitters Over Sliding Windows. Smart Grid Inspired Future Technologies, pp. 60-68. doi:10.1007/978-3-319-47729-9_7. Published 13 Nov 2016.

    Published In

    IMC '04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
    October 2004
    386 pages
    ISBN:1581138210
    DOI:10.1145/1028788
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. denial of service
    2. scalability
    3. security

    Qualifiers

    • Article

    Conference

    IMC04: Internet Measurement Conference
    October 25 - 27, 2004
    Taormina, Sicily, Italy

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%
