Abnormal Hosts Monitor for City Wide Core Network by Real Time Super Points Cardinality Estimation

Abnormal core-network events such as worms, spam, scanning and DDoS attacks threaten the security of the network. These events are related to a special kind of host called a super point. For a host in the network, its cardinality is the number of other distinct hosts communicating with it during a certain time window. Super points, hosts whose cardinality exceeds a predefined threshold, are a small fraction of all hosts but play an important role in network management and security. This paper devises a novel paradigm to detect abnormal network events by monitoring super points. Because normal events consist of bidirectional packets, the super points detected in the two directions should be the same, so by comparing the super points detected in different directions, abnormal events can be found. The key step in the paradigm is to detect super points in real time, because the super points in different directions need to be identified in parallel. This paper proposes a double direction hash functions group which maps hosts randomly and restores them from a dense structure. Because of the high randomness and simple processing of the double direction hash functions group, this novel algorithm reduces memory greatly, to less than one-fourth of other algorithms' memory. The algorithm is also parallelizable, which means it can run on a GPU to process huge volumes of packets in real time. Experiments on traffic collected from a city-wide network demonstrate the advantage of our algorithm.
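The detection paradigm described in the abstract (estimate each host's cardinality separately in the source and destination directions, then flag hosts that are super points in only one direction), as an added Python example that is not the paper's code. The per-host estimator here is a plain linear-counting bitmap standing in for the paper's double direction hash functions group, which the abstract does not specify; the flows and the threshold of 30 are constructed.

```python
import hashlib
import math
from collections import defaultdict

# Constructed flows for one time window, as (src, dst) pairs. Assumptions, not the paper's data:
#   10.0.0.5  talks with 40 peers that all answer (normal, bidirectional traffic)
#   10.0.0.9  contacts 60 hosts that never reply (scanner-like, source direction only)
#   10.0.0.20 is contacted by 60 hosts it never answers (flood-victim-like, destination only)
FLOWS = []
for i in range(40):
    FLOWS += [("10.0.0.5", f"10.1.0.{i}"), (f"10.1.0.{i}", "10.0.0.5")]
for i in range(60):
    FLOWS += [("10.0.0.9", f"10.2.0.{i}"), (f"10.3.0.{i}", "10.0.0.20")]

class LinearCounter:
    """Bitmap cardinality estimator (linear counting). Stand-in for the paper's
    double direction hash functions group, which the abstract does not specify."""
    def __init__(self, bits=1024):
        self.bits = bits
        self.bitmap = bytearray(bits // 8)

    def add(self, host):
        h = int.from_bytes(hashlib.blake2b(host.encode(), digest_size=8).digest(), "big") % self.bits
        self.bitmap[h // 8] |= 1 << (h % 8)

    def estimate(self):
        # Estimated distinct count n = -m * ln(zero_bits / m); a saturated bitmap returns m.
        zeros = sum(8 - bin(b).count("1") for b in self.bitmap)
        return float(self.bits) if zeros == 0 else -self.bits * math.log(zeros / self.bits)

def super_points(flows, threshold, bits=1024):
    """Super points per direction: hosts whose estimated out-cardinality (distinct
    destinations) or in-cardinality (distinct sources) reaches the threshold."""
    out_card = defaultdict(lambda: LinearCounter(bits))
    in_card = defaultdict(lambda: LinearCounter(bits))
    for src, dst in flows:
        out_card[src].add(dst)
        in_card[dst].add(src)
    src_super = {h for h, c in out_card.items() if c.estimate() >= threshold}
    dst_super = {h for h, c in in_card.items() if c.estimate() >= threshold}
    return src_super, dst_super

def abnormal_hosts(flows, threshold):
    """Normal traffic is bidirectional, so a host should be a super point in both
    directions or in neither. One-sided super points are the abnormal candidates."""
    src_super, dst_super = super_points(flows, threshold)
    return {"source_only": src_super - dst_super, "destination_only": dst_super - src_super}
```

`abnormal_hosts(FLOWS, threshold=30)` reports 10.0.0.9 as a source-only super point and 10.0.0.20 as a destination-only one, while 10.0.0.5 is a super point in both directions and is not flagged.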
