Towards multi-layered intrusion detection in high-speed networks

Mario Golling, R.J. Hofstede, Robert Koch

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    10 Citations (Scopus)
    121 Downloads (Pure)

    Abstract

    Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive. In the context of large, high-speed networks, such as backbone networks, we make two observations with respect to flow-based and packet-based intrusion detection. First, although flow-based intrusion detection offers several advantages in terms of processing requirements, the aggregation of packets into flows obviously entails a loss of information. Second, the quantity of information is not constrained when packet-based intrusion detection is performed, but its application is often unfeasible, due to stringent processing requirements. To bridge this gap, we propose a multi-layered approach that combines the advantages of both types of intrusion detection. Our approach is centred around the idea that 1) a first layer of detection comprises flow-based intrusion detection, that makes a pre-selection of suspicious traffic, and 2) additional packet-based intrusion detection is subsequently performed on a pre-filtered packet stream to facilitate in-depth detection. We demonstrate how this approach avoids the problem of a costly infrastructure, and obeys the various legal barriers on network traffic inspection.
    Original languageUndefined
    Title of host publicationProceedings of the 6th International Conference on Cyber Conflict (CyCon 2014)
    Place of PublicationUSA
    PublisherIEEE Communications Society
    Pages191-206
    Number of pages16
    ISBN (Print)978-9949-9544-0-7
    DOIs
    Publication statusPublished - Jun 2014

    Publication series

    Name
    PublisherIEEE Communications Society
    ISSN (Print)2325-5366

    Keywords

    • METIS-309584
    • IR-93151
    • EWI-25084

    Cite this

    Golling, M., Hofstede, R. J., & Koch, R. (2014). Towards multi-layered intrusion detection in high-speed networks. In Proceedings of the 6th International Conference on Cyber Conflict (CyCon 2014) (pp. 191-206). USA: IEEE Communications Society. https://doi.org/10.1109/CYCON.2014.6916403