An Overview of IP Flow-Based Intrusion Detection

Anna Sperotto; Gregor Schaffrath; R. Sadre; Cristian Morariu; Aiko Pras; Burkhard Stiller

doi:10.1109/SURV.2010.032210.00054

An Overview of IP Flow-Based Intrusion Detection

Anna Sperotto, Gregor Schaffrath, R. Sadre, Cristian Morariu, Aiko Pras, Burkhard Stiller

Research output: Contribution to journal › Article › Academic › peer-review

2710 Downloads (Pure)

Abstract

Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high-speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and (DoS) attacks.

Original language	Undefined
Pages (from-to)	343-356
Number of pages	14
Journal	IEEE communications surveys & tutorials
Volume	12
Issue number	3
DOIs	https://doi.org/10.1109/SURV.2010.032210.00054
Publication status	Published - 2010

Keywords

EWI-18341
packet inspection
invasive software
computer network security
data flow analysis
worms
METIS-277422
IR-72752
Botnets
IP flow based intrusion detection
IP networks
Data flow
DoS attacks
EC Grant Agreement nr.: FP6/026854

Access to Document

10.1109/SURV.2010.032210.00054

Cite this

@article{735b521f9cec4498b129cde2d3001858,

title = "An Overview of IP Flow-Based Intrusion Detection",

abstract = "Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high-speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and (DoS) attacks.",

keywords = "EWI-18341, packet inspection, invasive software, computer network security, data flow analysis, worms, METIS-277422, IR-72752, Botnets, IP flow based intrusion detection, IP networks, Data flow, DoS attacks, EC Grant Agreement nr.: FP6/026854",

author = "Anna Sperotto and Gregor Schaffrath and R. Sadre and Cristian Morariu and Aiko Pras and Burkhard Stiller",

note = "10.1109/SURV.2010.032210.00054 ",

year = "2010",

doi = "10.1109/SURV.2010.032210.00054",

language = "Undefined",

volume = "12",

pages = "343--356",

journal = "IEEE communications surveys & tutorials",

issn = "1553-877X",

publisher = "IEEE",

number = "3",

}

TY - JOUR

T1 - An Overview of IP Flow-Based Intrusion Detection

AU - Sperotto, Anna

AU - Schaffrath, Gregor

AU - Sadre, R.

AU - Morariu, Cristian

AU - Pras, Aiko

AU - Stiller, Burkhard

N1 - 10.1109/SURV.2010.032210.00054

PY - 2010

Y1 - 2010

N2 - Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high-speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and (DoS) attacks.

AB - Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high-speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and (DoS) attacks.

KW - EWI-18341

KW - packet inspection

KW - invasive software

KW - computer network security

KW - data flow analysis

KW - worms

KW - METIS-277422

KW - IR-72752

KW - Botnets

KW - IP flow based intrusion detection

KW - IP networks

KW - Data flow

KW - DoS attacks

KW - EC Grant Agreement nr.: FP6/026854

U2 - 10.1109/SURV.2010.032210.00054

DO - 10.1109/SURV.2010.032210.00054

M3 - Article

SN - 1553-877X

VL - 12

SP - 343

EP - 356

JO - IEEE communications surveys & tutorials

JF - IEEE communications surveys & tutorials

IS - 3

ER -