An Overview of IP Flow-Based Intrusion Detection

Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation for why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, botnets and denial-of-service (DoS) attacks.
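To illustrate the flow-based approach the abstract describes, the following added example (not code from the survey or any system it cites) detects a port scan from flow records alone: it sees only the 5-tuple, packet and byte counters and cumulative TCP flags that a NetFlow/IPFIX exporter would emit, never a packet payload. The record layout, the thresholds and the sample flows are constructed assumptions for the example.

```python
# Added example (not from the survey): a toy flow-based scan detector that
# works only on flow records (5-tuple plus counters), never on packet payloads.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, in a simplified NetFlow/IPFIX-like layout
    (assumed for this example)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int
    tcp_flags: int  # cumulative TCP flags over the flow; 0x02 = SYN only


def detect_scanners(flows, min_targets=10, max_packets_per_flow=2):
    """Flag sources that open many tiny, SYN-only flows to distinct (dst, dport)
    pairs. A horizontal or vertical scan leaves many one-packet flows that never
    complete a handshake; a normal client leaves few, larger flows.
    Returns {src: number_of_distinct_targets} for sources at or above min_targets."""
    targets = defaultdict(set)
    for f in flows:
        # Only probe-sized TCP flows with nothing but a SYN count as scan evidence;
        # a flow that exchanged data or completed a handshake is not a probe.
        if (f.proto == 6 and f.packets <= max_packets_per_flow
                and f.tcp_flags == 0x02):
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def constructed_flows():
    """Constructed sample: a benign HTTPS client plus a host sweeping TCP/445."""
    # 3 real HTTPS sessions: many packets, flags SYN|ACK|PSH|FIN (0x1b)
    flows = [Flow("10.0.0.5", "192.0.2.10", 51000 + i, 443, 6, 40, 30000, 0x1b)
             for i in range(3)]
    # 20 single-SYN probes against 20 different hosts on port 445
    flows += [Flow("10.0.0.9", f"10.0.1.{h}", 40000 + h, 445, 6, 1, 60, 0x02)
              for h in range(1, 21)]
    return flows
```

Running `detect_scanners(constructed_flows())` reports only the sweeping host with its 20 distinct targets; in practice the thresholds would be tuned per network and combined with time windows, since the survey's other attack classes (worms, botnets, DoS) show up as different patterns in the same flow counters.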
