Towards multi-layered intrusion detection in high-speed networks

Mario Golling, R.J. Hofstede, Robert Koch

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    11 Citations (Scopus)
    163 Downloads (Pure)


    Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive. In the context of large, high-speed networks, such as backbone networks, we make two observations with respect to flow-based and packet-based intrusion detection. First, although flow-based intrusion detection offers several advantages in terms of processing requirements, the aggregation of packets into flows obviously entails a loss of information. Second, the quantity of information is not constrained when packet-based intrusion detection is performed, but its application is often unfeasible, due to stringent processing requirements. To bridge this gap, we propose a multi-layered approach that combines the advantages of both types of intrusion detection. Our approach is centred around the idea that 1) a first layer of detection comprises flow-based intrusion detection, that makes a pre-selection of suspicious traffic, and 2) additional packet-based intrusion detection is subsequently performed on a pre-filtered packet stream to facilitate in-depth detection. We demonstrate how this approach avoids the problem of a costly infrastructure, and obeys the various legal barriers on network traffic inspection.
    Original languageUndefined
    Title of host publicationProceedings of the 6th International Conference on Cyber Conflict (CyCon 2014)
    Place of PublicationUSA
    PublisherIEEE Communications Society
    Number of pages16
    ISBN (Print)978-9949-9544-0-7
    Publication statusPublished - Jun 2014
    Event6th International Conference on Cyber Conflict (CyCon 2014), Tallinn, Estonia: Proceedings of the 6th International Conference on Cyber Conflict (CyCon 2014) - USA
    Duration: 1 Jun 2014 → …

    Publication series

    PublisherIEEE Communications Society
    ISSN (Print)2325-5366


    Conference6th International Conference on Cyber Conflict (CyCon 2014), Tallinn, Estonia
    Period1/06/14 → …


    • METIS-309584
    • IR-93151
    • EWI-25084

    Cite this