HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Conference papers

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

Abstract : The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection.
Complete list of metadata

Cited literature [19 references]  Display  Hide  Download

Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Wednesday, November 23, 2016 - 10:26:44 AM
Last modification on : Wednesday, November 18, 2020 - 6:32:03 PM
Long-term archiving on: : Monday, March 20, 2017 - 6:26:48 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Martin Drašar, Tomáš Jirsík, Martin Vizváry. Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches. 8th IFIP International Conference on Autonomous Infrastructure, Management and Security (AIMS), Jun 2014, Brno, Czech Republic. pp.160-172, ⟨10.1007/978-3-662-43862-6_19⟩. ⟨hal-01401302⟩



Record views


Files downloads