SLA-based complementary approach for network intrusion detection

Enhancing the intrusion detection system is essential to maintain user confidence in the security of network services. However, the threat of intruders to Internet services is prevalent. This paper proposes a distributed edge-to-edge complementary approach for intrusion detection in a DiffServ/MPLS domain. The QoS metrics are inspected at the edge routers to determine anomalous behavior in the network traffic. Consumed ratios of one-way delay variation (OWDV) and packet loss are computed to monitor service level agreement (SLA) violations. The bandwidth ratio is measured to differentiate abnormal from normal traffic as well as to detect multiple intrusions launched simultaneously. We employ the SLA as a comparison scale to infer the deviation between the users' consumed ratios and the ratios predefined in the SLA. A service violation occurs, and an intrusion may be under way, when the predefined ratios are exceeded. The complementary services of the DiffServ and MPLS techniques guarantee accurate measurements, whereas the complementary measurements of active and passive techniques immunize network performance against scalability limitations. Simulation results indicate that the proposed approach is capable of monitoring SLA violations and can filter out the traffic of intruders who breach the SLA without disturbing the normal traffic of legitimate users.
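The following is an added illustration of the SLA-as-comparison-scale idea described in the abstract; it is not code from the paper. The abstract does not give formulas, so the definitions used here are assumptions: a consumed ratio is the measured value divided by the value predefined in the SLA, a ratio above 1.0 means that SLA bound is exceeded, and the OWDV and loss ratios decide whether a service violation exists while the bandwidth ratio decides which users are over-consuming. The SLA figures and per-user edge samples are constructed to show one window with two simultaneous over-consumers and one legitimate user whose delay and loss suffer as a side effect.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaProfile:
    """Ratios predefined in the SLA for one user (constructed figures)."""
    max_owdv_ms: float        # upper bound on one-way delay variation
    max_loss_frac: float      # upper bound on packet loss fraction
    bandwidth_mbps: float     # contracted bandwidth


@dataclass(frozen=True)
class EdgeSample:
    """One measurement window for a user, as seen at the edge routers."""
    user: str
    owdv_ms: float            # active measurement (probe packets ingress -> egress)
    loss_frac: float          # passive measurement (ingress vs. egress counters)
    bandwidth_mbps: float     # passive measurement (egress byte counters)


def consumed_ratios(sample: EdgeSample, sla: SlaProfile) -> dict:
    """Consumed ratio = measured value / SLA-predefined value (assumed definition).

    A ratio above 1.0 means the SLA bound for that metric is exceeded.
    """
    return {
        "owdv": sample.owdv_ms / sla.max_owdv_ms,
        "loss": sample.loss_frac / sla.max_loss_frac,
        "bandwidth": sample.bandwidth_mbps / sla.bandwidth_mbps,
    }


def sla_violated(ratios: dict) -> bool:
    """Service violation: OWDV or packet loss consumed beyond the SLA ratio."""
    return ratios["owdv"] > 1.0 or ratios["loss"] > 1.0


def classify_window(samples, slas) -> dict:
    """Return {user: verdict} for one measurement window.

    The QoS ratios (OWDV, loss) say *whether* service is being violated in
    the domain; the bandwidth ratio says *who* is consuming beyond their SLA,
    so several simultaneous over-consumers can be separated from legitimate
    users whose delay and loss degrade because of them.
    """
    per_user = {s.user: consumed_ratios(s, slas[s.user]) for s in samples}
    violation = any(sla_violated(r) for r in per_user.values())
    verdicts = {}
    for user, r in per_user.items():
        if r["bandwidth"] > 1.0:
            verdicts[user] = "filter"     # breaches the SLA bandwidth ratio
        elif violation:
            verdicts[user] = "degraded"   # legitimate; suffering from others' traffic
        else:
            verdicts[user] = "normal"
    return verdicts


# Constructed SLA: every user contracts 20 ms OWDV, 1% loss, 10 Mbps.
SLAS = {u: SlaProfile(20.0, 0.01, 10.0) for u in ("alice", "bob", "carol")}

# Constructed window: bob and carol push far beyond their contracted bandwidth,
# and the shared path shows elevated delay variation and loss for everyone.
ATTACK_WINDOW = [
    EdgeSample("alice", owdv_ms=35.0, loss_frac=0.02, bandwidth_mbps=8.0),
    EdgeSample("bob",   owdv_ms=35.0, loss_frac=0.02, bandwidth_mbps=25.0),
    EdgeSample("carol", owdv_ms=35.0, loss_frac=0.02, bandwidth_mbps=40.0),
]

# Constructed quiet window: all users inside their SLA ratios.
QUIET_WINDOW = [
    EdgeSample("alice", owdv_ms=12.0, loss_frac=0.004, bandwidth_mbps=6.0),
    EdgeSample("bob",   owdv_ms=15.0, loss_frac=0.006, bandwidth_mbps=9.0),
    EdgeSample("carol", owdv_ms=10.0, loss_frac=0.002, bandwidth_mbps=4.0),
]


def demo() -> dict:
    """Classify both constructed windows; returns the verdicts per window."""
    return {
        "attack": classify_window(ATTACK_WINDOW, SLAS),
        "quiet": classify_window(QUIET_WINDOW, SLAS),
    }


if __name__ == "__main__":
    for window, verdicts in demo().items():
        print(window, verdicts)
```

In the attack window, alice's OWDV and loss ratios exceed 1.0 but her bandwidth ratio does not, so she is marked degraded rather than filtered; bob and carol are both filtered in the same window, which is the "multiple intrusions launched simultaneously" case the abstract refers to.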
