Flow-Based Intrusion Detection

Anna Sperotto, Aiko Pras

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

25 Citations (Scopus)
45 Downloads (Pure)

Abstract

The spread of 1-10 Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services.At the same time, we have also observed increasingly frequent and widely diversified attacks. To this threat, the research community has answered with a growing interest in intrusion detection, aiming to timely detect intruders and prevent damage. We believe that the detection problem is a key component in the field of intrusion detection. Our studies, however, made us realize that additional research is needed, in particular focusing on validation and automatic tuning of Intrusion Detection Systems (IDSs). The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) system validation and (ii) automatic system tuning. We developed our approach by focusing on network flows, which offer an aggregated view of network traffic and help to cope with scalability issues. An interesting approach to validation is the creation of appropriate testbeds, or ground-truth data sets, for which it is known when an attack has taken place. First, we obtained ground-truth information for flow-based intrusion detection by manually creating it. The outcome of our research is the first publicly released flow-based labeled data set. Second, we generated ground truth information in an automatic manner, by means of probabilistic traffic models based on Hidden Markov Models (HMMs). Finally, we approached the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic manner, by automatically tuning the system parameters.
Original languageUndefined
Title of host publicationProceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011
Place of PublicationUSA
PublisherIEEE Communications Society
Pages958-963
Number of pages6
ISBN (Print)978-1-4244-9219-0
DOIs
Publication statusPublished - May 2011

Publication series

Name
PublisherIEEE Communications Society

Keywords

  • METIS-279654
  • EWI-20320
  • EC Grant Agreement nr.: FP7/257513
  • IR-78449

Cite this

Sperotto, A., & Pras, A. (2011). Flow-Based Intrusion Detection. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011 (pp. 958-963). USA: IEEE Communications Society. https://doi.org/10.1109/INM.2011.5990529
Sperotto, Anna ; Pras, Aiko. / Flow-Based Intrusion Detection. Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011. USA : IEEE Communications Society, 2011. pp. 958-963
@inproceedings{7fd7558b4bb04249934ab2b826b23a13,
title = "Flow-Based Intrusion Detection",
abstract = "The spread of 1-10 Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services.At the same time, we have also observed increasingly frequent and widely diversified attacks. To this threat, the research community has answered with a growing interest in intrusion detection, aiming to timely detect intruders and prevent damage. We believe that the detection problem is a key component in the field of intrusion detection. Our studies, however, made us realize that additional research is needed, in particular focusing on validation and automatic tuning of Intrusion Detection Systems (IDSs). The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) system validation and (ii) automatic system tuning. We developed our approach by focusing on network flows, which offer an aggregated view of network traffic and help to cope with scalability issues. An interesting approach to validation is the creation of appropriate testbeds, or ground-truth data sets, for which it is known when an attack has taken place. First, we obtained ground-truth information for flow-based intrusion detection by manually creating it. The outcome of our research is the first publicly released flow-based labeled data set. Second, we generated ground truth information in an automatic manner, by means of probabilistic traffic models based on Hidden Markov Models (HMMs). Finally, we approached the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic manner, by automatically tuning the system parameters.",
keywords = "METIS-279654, EWI-20320, EC Grant Agreement nr.: FP7/257513, IR-78449",
author = "Anna Sperotto and Aiko Pras",
note = "10.1109/INM.2011.5990529",
year = "2011",
month = "5",
doi = "10.1109/INM.2011.5990529",
language = "Undefined",
isbn = "978-1-4244-9219-0",
publisher = "IEEE Communications Society",
pages = "958--963",
booktitle = "Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011",
address = "United States",

}

Sperotto, A & Pras, A 2011, Flow-Based Intrusion Detection. in Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011. IEEE Communications Society, USA, pp. 958-963. https://doi.org/10.1109/INM.2011.5990529

Flow-Based Intrusion Detection. / Sperotto, Anna; Pras, Aiko.

Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011. USA : IEEE Communications Society, 2011. p. 958-963.

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

TY - GEN

T1 - Flow-Based Intrusion Detection

AU - Sperotto, Anna

AU - Pras, Aiko

N1 - 10.1109/INM.2011.5990529

PY - 2011/5

Y1 - 2011/5

N2 - The spread of 1-10 Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services.At the same time, we have also observed increasingly frequent and widely diversified attacks. To this threat, the research community has answered with a growing interest in intrusion detection, aiming to timely detect intruders and prevent damage. We believe that the detection problem is a key component in the field of intrusion detection. Our studies, however, made us realize that additional research is needed, in particular focusing on validation and automatic tuning of Intrusion Detection Systems (IDSs). The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) system validation and (ii) automatic system tuning. We developed our approach by focusing on network flows, which offer an aggregated view of network traffic and help to cope with scalability issues. An interesting approach to validation is the creation of appropriate testbeds, or ground-truth data sets, for which it is known when an attack has taken place. First, we obtained ground-truth information for flow-based intrusion detection by manually creating it. The outcome of our research is the first publicly released flow-based labeled data set. Second, we generated ground truth information in an automatic manner, by means of probabilistic traffic models based on Hidden Markov Models (HMMs). Finally, we approached the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic manner, by automatically tuning the system parameters.

AB - The spread of 1-10 Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services.At the same time, we have also observed increasingly frequent and widely diversified attacks. To this threat, the research community has answered with a growing interest in intrusion detection, aiming to timely detect intruders and prevent damage. We believe that the detection problem is a key component in the field of intrusion detection. Our studies, however, made us realize that additional research is needed, in particular focusing on validation and automatic tuning of Intrusion Detection Systems (IDSs). The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) system validation and (ii) automatic system tuning. We developed our approach by focusing on network flows, which offer an aggregated view of network traffic and help to cope with scalability issues. An interesting approach to validation is the creation of appropriate testbeds, or ground-truth data sets, for which it is known when an attack has taken place. First, we obtained ground-truth information for flow-based intrusion detection by manually creating it. The outcome of our research is the first publicly released flow-based labeled data set. Second, we generated ground truth information in an automatic manner, by means of probabilistic traffic models based on Hidden Markov Models (HMMs). Finally, we approached the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic manner, by automatically tuning the system parameters.

KW - METIS-279654

KW - EWI-20320

KW - EC Grant Agreement nr.: FP7/257513

KW - IR-78449

U2 - 10.1109/INM.2011.5990529

DO - 10.1109/INM.2011.5990529

M3 - Conference contribution

SN - 978-1-4244-9219-0

SP - 958

EP - 963

BT - Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011

PB - IEEE Communications Society

CY - USA

ER -

Sperotto A, Pras A. Flow-Based Intrusion Detection. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011. USA: IEEE Communications Society. 2011. p. 958-963 https://doi.org/10.1109/INM.2011.5990529

Access to Document