Abstract |
---|
Most network intrusion tools (e.g., Bro) use per-flow state to reassemble TCP connections and fragments in order to detect network attacks (e.g., SYN Flooding or Connection Hijacking) and preliminary reconnaissance (e.g., Port Scans). On the other hand, if network intrusion detection is to be implemented at high speeds at network vantage points, some form of aggregation is necessary. While many security analysts believe that such per-flow state is required for many of these problems, there is no clear proof that this is the case. In fact, a number of problems (such as detecting large traffic footprints or counting identifiers) have scalable solutions. In this paper, we initiate the study of identifying when and how a security attack detection problem can have a scalable solution. We use tools from Communication Complexity to prove that the common formulations of many well-known intrusion detection problems (detecting SYN Flooding, Port Scans, Connection Hijacking, and content matching across fragments) require per-flow state. Our theory exposes assumptions that need to be changed to provide scalable solutions to these problems; we conclude with some systems techniques to circumvent these lower bounds. |
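The abstract contrasts detectors that keep per-flow state with detectors that only aggregate, and states that the common formulation of SYN-flood detection needs the former. The following Python example, added here and not taken from the paper or from any intrusion detection tool, makes that contrast concrete on a constructed packet trace: a per-flow detector tracks each half-open handshake by its 4-tuple, while an aggregate detector keeps only "SYNs seen minus completions seen". The trace, the host addresses, the flag encoding and the simplified state machine (a bare ACK or any FIN/RST is treated as a completion) are all assumptions made for the example; the point it shows is that an adversary who controls the packet stream can drive the aggregate counter to zero with spoofed ACKs that match no flow, while the per-flow detector still reports the half-open connections it is holding.

```python
"""Per-flow vs. aggregate SYN-flood detection on a constructed trace.

Added illustration, not code from the paper or from any IDS. Flow keys,
addresses, thresholds and the simplified TCP state machine are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # subset of "S", "A", "F", "R"; "SA" is a SYN-ACK


def half_open_per_flow(packets: Iterable[Packet]) -> int:
    """Per-flow detector: remember every client SYN by its 4-tuple and
    forget it when the client's third-leg ACK, or a FIN/RST from either
    side, arrives for that same 4-tuple. Returns the number of connections
    still half-open at the end of the trace. State grows with the number
    of distinct SYNs seen, which is the cost the paper is about."""
    half_open = set()
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            half_open.add(key)
        elif "F" in p.flags or "R" in p.flags:
            half_open.discard(key)
            half_open.discard(rkey)
        elif p.flags == "A":
            half_open.discard(key)  # no-op if this ACK matches no SYN
    return len(half_open)


def half_open_aggregate(packets: Iterable[Packet]) -> int:
    """Aggregate detector: two counters and no per-flow memory. It cannot
    tell whether a completion belongs to a SYN it has counted."""
    syns = completions = 0
    for p in packets:
        if p.flags == "S":
            syns += 1
        elif p.flags == "A" or "F" in p.flags or "R" in p.flags:
            completions += 1
    return max(syns - completions, 0)


def constructed_trace(with_attack: bool = True) -> List[Packet]:
    """Hand-built trace (constructed sample input): three honest handshakes,
    then, if with_attack, five spoofed SYNs that are never completed plus
    five bare ACKs from unrelated spoofed sources that match no flow."""
    srv, port = "10.0.0.1", 80
    pkts: List[Packet] = []
    for i, sport in enumerate((40000, 40001, 40002)):
        c = f"192.0.2.{10 + i}"
        pkts += [Packet(c, srv, sport, port, "S"),
                 Packet(srv, c, port, sport, "SA"),
                 Packet(c, srv, sport, port, "A")]
    if with_attack:
        for i in range(5):
            c = f"198.51.100.{i + 1}"
            pkts += [Packet(c, srv, 50000 + i, port, "S"),
                     Packet(srv, c, port, 50000 + i, "SA")]
        for i in range(5):
            pkts.append(Packet(f"203.0.113.{i + 1}", srv, 60000 + i, port, "A"))
    return pkts


if __name__ == "__main__":
    trace = constructed_trace()
    print("per-flow half-open:", half_open_per_flow(trace))
    print("aggregate estimate:", half_open_aggregate(trace))
```

On this trace the per-flow detector reports 5 half-open connections while the aggregate estimate is 0: the attacker's five unmatched ACKs cancel its five spoofed SYNs in the subtraction. Any aggregate that cannot tie a completion to the SYN it completes is open to this kind of cancellation, which is the intuition behind the abstract's claim that the usual formulation of the problem forces per-flow state; the scalable alternatives the paper points to (large traffic footprints, counting identifiers) change the question asked rather than the counter.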
Year | DOI | Venue |
---|---|---|
2004 | 10.1145/1030083.1030087 | ACM Conference on Computer and Communications Security |
Keywords | Field | DocType |
---|---|---|
network intrusion tool, network vantage point, port scans, per-flow state, SYN flooding, network intrusion detection, security attack detection problem, scalable solution, connection hijacking, network attack, communication complexity, lower bound, intrusion detection | Host-based intrusion detection system, Network intrusion detection, Identifier, Computer science, Computer security, Communication complexity, Anomaly-based intrusion detection system, SYN flood, Intrusion detection system, Scalability, Distributed computing | Conference |
ISBN | Citations | PageRank |
---|---|---|
1-58113-961-6 | 16 | 1.35 |
References | Authors |
---|---|
12 | 3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Kirill Levchenko | 1 | 1235 | 83.12 |
Ramamohan Paturi | 2 | 1260 | 92.20 |
George Varghese | 3 | 8149 | 727.66 |