On the difficulty of scalably detecting network attacks
Source: Conference on Computer and Communications Security
Proceedings of the 11th ACM conference on Computer and communications security
Washington DC, USA
SESSION: Network intrusions
Pages: 12 - 20
Year of Publication: 2004
ISBN: 1-58113-961-6
Authors
Kirill Levchenko, University of California at San Diego
Ramamohan Paturi, University of California at San Diego
George Varghese, University of California at San Diego
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM, New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 25, Downloads (12 Months): 136, Citation Count: 9
DOI: http://doi.acm.org/10.1145/1030083.1030087
ABSTRACT

Most network intrusion tools (e.g., Bro) use per-flow state to reassemble TCP connections and fragments in order to detect network attacks (e.g., SYN Flooding or Connection Hijacking) and preliminary reconnaissance (e.g., Port Scans). On the other hand, if network intrusion detection is to be implemented at high speeds at network vantage points, some form of aggregation is necessary. While many security analysts believe that such per-flow state is required for many of these problems, there is no clear proof that this is the case. In fact, a number of problems (such as detecting large traffic footprints or counting identifiers) have scalable solutions. In this paper, we initiate the study of identifying when and how a security attack detection problem can have a scalable solution. We use tools from Communication Complexity to prove that the common formulations of many well-known intrusion detection problems (detecting SYN Flooding, Port Scans, Connection Hijacking, and content matching across fragments) require per-flow state. Our theory exposes assumptions that need to be changed to provide scalable solutions to these problems; we conclude with some systems techniques to circumvent these lower bounds.


