Stateful Intrusion Detection for High-speed Networks

@inproceedings{Kruegel02, abstract = {As networks become faster there is an emerging need for security, analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely, keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers. We propose a partitioning approach to network security, analysis that supports in-depth, stateful intrusion detection on high-speed links. The approach is centered around a slicing mechanism that divides the overall network traffic into subsets of manageable size. The traffic partitioning is done so that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interactions unnecessary. This paper describes the approach and presents a first experimental evaluation of its effectiveness.}, author = {Kruegel, Christopher and Valeur, Fredrik and Vigna, Giovanni and Kemmerer, Richard }, booktitle = {Proceedings of IEEE Symposium on Security and Privacy}, citeulike-article-id = {366727}, doi = {http://dx.doi.org/10.1109/SECPRI.2002.1004378}, journal = {Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on}, keywords = {hma, intrusion\_detection}, pages = {285--293}, posted-at = {2005-10-27 14:06:53}, priority = {0}, title = {Stateful Intrusion Detection for High-speed Networks}, url = {http://dx.doi.org/10.1109/SECPRI.2002.1004378}, year = {2002} }

TY - CONF ID - Kruegel02 L3 - citeulike-article-id:366727 N2 - As networks become faster there is an emerging need for security, analysis techniques that can keep up with the increased network throughput. Existing network-based intrusion detection sensors can barely, keep up with bandwidths of a few hundred Mbps. Analysis tools that can deal with higher throughput are unable to maintain state between different steps of an attack or they are limited to the analysis of packet headers. We propose a partitioning approach to network security, analysis that supports in-depth, stateful intrusion detection on high-speed links. The approach is centered around a slicing mechanism that divides the overall network traffic into subsets of manageable size. The traffic partitioning is done so that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interactions unnecessary. This paper describes the approach and presents a first experimental evaluation of its effectiveness. JF - Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on EP - 293 TI - Stateful Intrusion Detection for High-speed Networks T2 - Proceedings of IEEE Symposium on Security and Privacy SP - 285 KW - hma KW - intrusion_detection AU - Kruegel, Christopher AU - Valeur, Fredrik AU - Vigna, Giovanni AU - Kemmerer, Richard PY - 2002/// UR - http://dx.doi.org/10.1109/SECPRI.2002.1004378 ER -