Abstract
Original language | Undefined |
---|---|
Title of host publication | Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011 |
Place of Publication | USA |
Publisher | IEEE Communications Society |
Pages | 958-963 |
Number of pages | 6 |
ISBN (Print) | 978-1-4244-9219-0 |
DOIs | |
Publication status | Published - May 2011 |
Publication series
Name | |
---|---|
Publisher | IEEE Communications Society |
Keywords
- METIS-279654
- EWI-20320
- EC Grant Agreement nr.: FP7/257513
- IR-78449
Cite this
}
Flow-Based Intrusion Detection. / Sperotto, Anna; Pras, Aiko.
Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011. USA : IEEE Communications Society, 2011. p. 958-963.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review
TY - GEN
T1 - Flow-Based Intrusion Detection
AU - Sperotto, Anna
AU - Pras, Aiko
N1 - 10.1109/INM.2011.5990529
PY - 2011/5
Y1 - 2011/5
N2 - The spread of 1-10 Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services.At the same time, we have also observed increasingly frequent and widely diversified attacks. To this threat, the research community has answered with a growing interest in intrusion detection, aiming to timely detect intruders and prevent damage. We believe that the detection problem is a key component in the field of intrusion detection. Our studies, however, made us realize that additional research is needed, in particular focusing on validation and automatic tuning of Intrusion Detection Systems (IDSs). The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) system validation and (ii) automatic system tuning. We developed our approach by focusing on network flows, which offer an aggregated view of network traffic and help to cope with scalability issues. An interesting approach to validation is the creation of appropriate testbeds, or ground-truth data sets, for which it is known when an attack has taken place. First, we obtained ground-truth information for flow-based intrusion detection by manually creating it. The outcome of our research is the first publicly released flow-based labeled data set. Second, we generated ground truth information in an automatic manner, by means of probabilistic traffic models based on Hidden Markov Models (HMMs). Finally, we approached the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic manner, by automatically tuning the system parameters.
AB - The spread of 1-10 Gbps technology has in recent years paved the way to a flourishing landscape of new, high-bandwidth Internet services.At the same time, we have also observed increasingly frequent and widely diversified attacks. To this threat, the research community has answered with a growing interest in intrusion detection, aiming to timely detect intruders and prevent damage. We believe that the detection problem is a key component in the field of intrusion detection. Our studies, however, made us realize that additional research is needed, in particular focusing on validation and automatic tuning of Intrusion Detection Systems (IDSs). The contribution of this thesis is that it develops a structured approach to intrusion detection that focuses on (i) system validation and (ii) automatic system tuning. We developed our approach by focusing on network flows, which offer an aggregated view of network traffic and help to cope with scalability issues. An interesting approach to validation is the creation of appropriate testbeds, or ground-truth data sets, for which it is known when an attack has taken place. First, we obtained ground-truth information for flow-based intrusion detection by manually creating it. The outcome of our research is the first publicly released flow-based labeled data set. Second, we generated ground truth information in an automatic manner, by means of probabilistic traffic models based on Hidden Markov Models (HMMs). Finally, we approached the problem of automatic tuning of IDSs. The performance of an IDS is governed by the trade-off between detecting all anomalies (at the expense of raising alarms too often), and missing anomalies (but not issuing many false alarms). We developed an optimization procedure that aims to mathematically treat such trade-off in a systematic manner, by automatically tuning the system parameters.
KW - METIS-279654
KW - EWI-20320
KW - EC Grant Agreement nr.: FP7/257513
KW - IR-78449
U2 - 10.1109/INM.2011.5990529
DO - 10.1109/INM.2011.5990529
M3 - Conference contribution
SN - 978-1-4244-9219-0
SP - 958
EP - 963
BT - Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, IM 2011
PB - IEEE Communications Society
CY - USA
ER -