Towards multi-layered intrusion detection in high-speed networks

Mario Golling; R.J. Hofstede; Robert Koch

doi:10.1109/CYCON.2014.6916403

Towards multi-layered intrusion detection in high-speed networks

Mario Golling, R.J. Hofstede, Robert Koch

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

11 Citations (Scopus)

227 Downloads (Pure)

Abstract

Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive. In the context of large, high-speed networks, such as backbone networks, we make two observations with respect to flow-based and packet-based intrusion detection. First, although flow-based intrusion detection offers several advantages in terms of processing requirements, the aggregation of packets into flows obviously entails a loss of information. Second, the quantity of information is not constrained when packet-based intrusion detection is performed, but its application is often unfeasible, due to stringent processing requirements. To bridge this gap, we propose a multi-layered approach that combines the advantages of both types of intrusion detection. Our approach is centred around the idea that 1) a first layer of detection comprises flow-based intrusion detection, that makes a pre-selection of suspicious traffic, and 2) additional packet-based intrusion detection is subsequently performed on a pre-filtered packet stream to facilitate in-depth detection. We demonstrate how this approach avoids the problem of a costly infrastructure, and obeys the various legal barriers on network traffic inspection.

Original language	Undefined
Title of host publication	Proceedings of the 6th International Conference on Cyber Conflict (CyCon 2014)
Place of Publication	USA
Publisher	IEEE
Pages	191-206
Number of pages	16
ISBN (Print)	978-9949-9544-0-7
DOIs	https://doi.org/10.1109/CYCON.2014.6916403
Publication status	Published - Jun 2014
Event	6th International Conference on Cyber Conflict (CyCon 2014), Tallinn, Estonia: Proceedings of the 6th International Conference on Cyber Conflict (CyCon 2014) - USA Duration: 1 Jun 2014 → …

Publication series

Name
Publisher	IEEE Communications Society
ISSN (Print)	2325-5366

Conference

Conference	6th International Conference on Cyber Conflict (CyCon 2014), Tallinn, Estonia
City	USA
Period	1/06/14 → …

Keywords

METIS-309584
IR-93151
EWI-25084

Access to Document

10.1109/CYCON.2014.6916403

d2r2s3_golling

Cite this

@inproceedings{8fa16761d0464c73a647070e383fee38,

title = "Towards multi-layered intrusion detection in high-speed networks",

abstract = "Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive. In the context of large, high-speed networks, such as backbone networks, we make two observations with respect to flow-based and packet-based intrusion detection. First, although flow-based intrusion detection offers several advantages in terms of processing requirements, the aggregation of packets into flows obviously entails a loss of information. Second, the quantity of information is not constrained when packet-based intrusion detection is performed, but its application is often unfeasible, due to stringent processing requirements. To bridge this gap, we propose a multi-layered approach that combines the advantages of both types of intrusion detection. Our approach is centred around the idea that 1) a first layer of detection comprises flow-based intrusion detection, that makes a pre-selection of suspicious traffic, and 2) additional packet-based intrusion detection is subsequently performed on a pre-filtered packet stream to facilitate in-depth detection. We demonstrate how this approach avoids the problem of a costly infrastructure, and obeys the various legal barriers on network traffic inspection.",

keywords = "METIS-309584, IR-93151, EWI-25084",

author = "Mario Golling and R.J. Hofstede and Robert Koch",

note = "10.1109/CYCON.2014.6916403 ; 6th International Conference on Cyber Conflict (CyCon 2014), Tallinn, Estonia ; Conference date: 01-06-2014",

year = "2014",

month = jun,

doi = "10.1109/CYCON.2014.6916403",

language = "Undefined",

isbn = "978-9949-9544-0-7",

publisher = "IEEE",

pages = "191--206",

booktitle = "Proceedings of the 6th International Conference on Cyber Conflict (CyCon 2014)",

address = "United States",

}

TY - GEN

T1 - Towards multi-layered intrusion detection in high-speed networks

AU - Golling, Mario

AU - Hofstede, R.J.

AU - Koch, Robert

N1 - 10.1109/CYCON.2014.6916403

PY - 2014/6

Y1 - 2014/6

N2 - Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive. In the context of large, high-speed networks, such as backbone networks, we make two observations with respect to flow-based and packet-based intrusion detection. First, although flow-based intrusion detection offers several advantages in terms of processing requirements, the aggregation of packets into flows obviously entails a loss of information. Second, the quantity of information is not constrained when packet-based intrusion detection is performed, but its application is often unfeasible, due to stringent processing requirements. To bridge this gap, we propose a multi-layered approach that combines the advantages of both types of intrusion detection. Our approach is centred around the idea that 1) a first layer of detection comprises flow-based intrusion detection, that makes a pre-selection of suspicious traffic, and 2) additional packet-based intrusion detection is subsequently performed on a pre-filtered packet stream to facilitate in-depth detection. We demonstrate how this approach avoids the problem of a costly infrastructure, and obeys the various legal barriers on network traffic inspection.

AB - Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive. In the context of large, high-speed networks, such as backbone networks, we make two observations with respect to flow-based and packet-based intrusion detection. First, although flow-based intrusion detection offers several advantages in terms of processing requirements, the aggregation of packets into flows obviously entails a loss of information. Second, the quantity of information is not constrained when packet-based intrusion detection is performed, but its application is often unfeasible, due to stringent processing requirements. To bridge this gap, we propose a multi-layered approach that combines the advantages of both types of intrusion detection. Our approach is centred around the idea that 1) a first layer of detection comprises flow-based intrusion detection, that makes a pre-selection of suspicious traffic, and 2) additional packet-based intrusion detection is subsequently performed on a pre-filtered packet stream to facilitate in-depth detection. We demonstrate how this approach avoids the problem of a costly infrastructure, and obeys the various legal barriers on network traffic inspection.

KW - METIS-309584

KW - IR-93151

KW - EWI-25084

U2 - 10.1109/CYCON.2014.6916403

DO - 10.1109/CYCON.2014.6916403

M3 - Conference contribution

SN - 978-9949-9544-0-7

SP - 191

EP - 206

BT - Proceedings of the 6th International Conference on Cyber Conflict (CyCon 2014)

PB - IEEE

CY - USA

T2 - 6th International Conference on Cyber Conflict (CyCon 2014), Tallinn, Estonia

Y2 - 1 June 2014

ER -