Publication details

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches



Year of publication 2014
Type Article in Proceedings
Conference Monitoring and Securing Virtualized Networks and Services, Lecture Notes in Computer Science, Vol. 8508
MU Faculty or unit

Institute of Computer Science

Field Informatics
Keywords intrusion detection; NetFlow; sketch; modular hashes; correlation
Attached files
Description The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.

More info