Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

Abstract: The rapid development of network technologies entails an increase in both traffic volume and the number of attacks. The resulting computational cost of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance in order to avoid false positives; as a consequence, many attacks go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. Each method can be set to a higher sensitivity, and false positives are then reduced by accepting only attacks reported by more than one source. To this end we propose a novel sketch-based method that detects attackers by correlating individual anomaly detections. This is in contrast with the current use of sketch-based methods, which focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication through the correlation of four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capability compared to other deployed detection methods, hardware requirements, and the attacker's ability to evade detection.
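The correlation idea in the abstract, as an added illustration that is not the paper's code: four deliberately sensitive detectors (simple stand-ins for the four anomaly classes named above; their exact definitions and thresholds are assumptions) vote into a plain count-min sketch, and a source is reported only when its estimated vote count reaches a quorum. The sketch is an ordinary count-min sketch, not the paper's modularly hashed variant, and the flow records are constructed for the example.

```python
"""Correlating several sensitive anomaly detectors through a count-min sketch.

Added illustration, not the paper's code. Flow records are constructed;
detector definitions and thresholds are assumptions for the example.
"""
import hashlib
from collections import defaultdict
from statistics import pvariance

# Constructed sample flows (not from the paper): (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    # 10.0.0.5: SSH brute force against one host, many uniform small flows
    *[("10.0.0.5", "192.168.1.10", 22, 1480) for _ in range(40)],
    # 10.0.0.6: horizontal RDP sweep across a /24 (one flow per host)
    *[("10.0.0.6", f"192.168.2.{i}", 3389, 1200) for i in range(1, 31)],
    # 10.0.0.7: backup job, many connections to one host but varied sizes
    *[("10.0.0.7", "192.168.1.20", 445, 1000 + 97 * i) for i in range(25)],
    # 10.0.0.8: ordinary interactive user
    ("10.0.0.8", "192.168.1.10", 22, 5120),
    ("10.0.0.8", "192.168.1.11", 443, 30210),
    ("10.0.0.8", "192.168.1.12", 443, 9800),
]


class CountMinSketch:
    """Fixed-memory counter: never under-estimates, may over-estimate on collisions."""

    def __init__(self, width=64, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, row, key):
        # One independent hash per row: salt the key with the row number.
        digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
        return int.from_bytes(digest[:8], "big") % self.width

    def update(self, key, count=1):
        for row in range(self.depth):
            self.table[row][self._index(row, key)] += count

    def estimate(self, key):
        return min(self.table[row][self._index(row, key)] for row in range(self.depth))


def detect_source_scan(flows, min_distinct_dst=10):
    """Sources contacting many distinct destination hosts (horizontal scan)."""
    dsts = defaultdict(set)
    for src, dst, _port, _size in flows:
        dsts[src].add(dst)
    return {src for src, d in dsts.items() if len(d) >= min_distinct_dst}


def detect_destination_scan(flows, min_distinct_src=2):
    """Destinations hit by several sources; every contributing source is reported.

    Sensitive by design: a busy server will make this flag legitimate users too.
    """
    srcs = defaultdict(set)
    for src, dst, _port, _size in flows:
        srcs[dst].add(src)
    return {src for s in srcs.values() if len(s) >= min_distinct_src for src in s}


def detect_connection_count(flows, min_flows=20):
    """Sources with an abnormal number of connections."""
    counts = defaultdict(int)
    for src, *_ in flows:
        counts[src] += 1
    return {src for src, n in counts.items() if n >= min_flows}


def detect_low_variance(flows, max_variance=1000.0, min_flows=5):
    """Sources whose flow sizes barely vary (typical of automated login attempts)."""
    sizes = defaultdict(list)
    for src, _dst, _port, size in flows:
        sizes[src].append(size)
    return {src for src, s in sizes.items()
            if len(s) >= min_flows and pvariance(s) <= max_variance}


DETECTORS = (detect_source_scan, detect_destination_scan,
             detect_connection_count, detect_low_variance)


def correlate(flows, min_sources=2, detectors=DETECTORS):
    """Report sources flagged by at least `min_sources` detectors.

    Each detector's verdicts are folded into one sketch as votes. Since
    count-min never under-counts, the sketch itself cannot drop a real
    attacker; a hash collision can only add a false positive.
    """
    votes = CountMinSketch()
    flagged = set()
    for detector in detectors:
        for src in detector(flows):
            votes.update(src)
            if votes.estimate(src) >= min_sources:
                flagged.add(src)
    return flagged


if __name__ == "__main__":
    for detector in DETECTORS:
        print(f"{detector.__name__:28s} {sorted(detector(FLOWS))}")
    print("correlated:", sorted(correlate(FLOWS)))
```

On the sample data each detector alone produces a false positive or a miss: the destination-scan detector flags the interactive user 10.0.0.8, the connection-count detector flags the backup job 10.0.0.7, and the source-scan detector misses the single-target brute force from 10.0.0.5. Requiring two votes keeps only 10.0.0.5 and 10.0.0.6. The evasion trade-off is the one the abstract evaluates: an attacker must now stay below the sensitive threshold of several independent detectors at once rather than one conservative one.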
Document type: Conference paper
Anna Sperotto; Guillaume Doyen; Steven Latré; Marinos Charalambides; Burkhard Stiller. 8th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), Jun 2014, Brno, Czech Republic. Springer, Lecture Notes in Computer Science, LNCS-8508, pp.160-172, 2014, Monitoring and Securing Virtualized Networks and Services. 〈10.1007/978-3-662-43862-6_19〉

Cited literature: 19 references

https://hal.inria.fr/hal-01401302
Contributor: Hal Ifip
Submitted on: Wednesday 23 November 2016 - 10:26:44
Last modified on: Wednesday 23 November 2016 - 10:37:35
Long-term archiving on: Monday 20 March 2017 - 18:26:48

File: 978-3-662-43862-6_19_Chapter.p... (files produced by the author(s))

License: Distributed under a Creative Commons Attribution 4.0 International License


Citation

Martin Drašar, Tomáš Jirsík, Martin Vizváry. Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches. Anna Sperotto; Guillaume Doyen; Steven Latré; Marinos Charalambides; Burkhard Stiller. 8th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), Jun 2014, Brno, Czech Republic. Springer, Lecture Notes in Computer Science, LNCS-8508, pp.160-172, 2014, Monitoring and Securing Virtualized Networks and Services. 〈10.1007/978-3-662-43862-6_19〉. 〈hal-01401302〉


Metrics: record views 32; file downloads 16