Fast classification, calibration, and visualization of network attacks on backbone links

Hyogon Kim, Jin Ho Kim, Saewoong Bahk, Inhye Kang

Research output: Contribution to journal › Article

4 Citations (Scopus)

Abstract

This paper presents a novel approach that can simultaneously detect, classify, calibrate and visualize attack traffic at high speed, in real time. In particular, upon a packet arrival, this approach makes it possible to immediately determine if the packet constitutes an attack and, if so, what type of attack it is. In this approach, a flow is defined by a 3-tuple composed of source address, destination address, and destination port. The core idea starts from the observation that only DoS attacks, hostscans and portscans appear as regular geometric shapes in the hyperspace defined by the 3-tuple. Instead of employing complex pattern recognition techniques to identify the regular shapes in the hyperspace, we apply an original algorithm called RADAR that captures the "pivoted movement" in one or more of the 3 coordinates. From the geometric perspective, such movement forms the aforementioned regular pattern along the axis of the pivoted dimension. Through real execution on a Gigabit link, we demonstrate that the algorithm is both fast and precise. Since we need only 3 to 4 memory lookups per packet to detect and classify an attack packet, while simultaneously running 2 copies of the algorithm on a Pentium-4 PC, the algorithm incurred no packet loss over 330 Mbps of live traffic. The memory requirement is also low: at most 200 MB of memory suffices even for Gigabit pipes. Finally, the method is general enough to detect both DoS attacks and scans, but the focus of the paper is on its capability to identify the latter on backbone links, in the light of recent global worm epidemics.
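As an added illustration of the geometric idea in the abstract (this is not the paper's RADAR algorithm, whose internals the page does not give), the following Python holds two coordinates of the (source address, destination address, destination port) 3-tuple fixed as the "pivot" and counts how many distinct values the third coordinate sweeps through; the three possible pivots map to portscan, hostscan and DoS. The pivot table, the threshold and the sample packets are all assumptions constructed here.

```python
from collections import defaultdict

# Coordinates of the 3-tuple: 0 = source addr, 1 = destination addr, 2 = dest port.
# Each entry: (label, the two pivoted coordinates, the coordinate that sweeps).
PIVOTS = (
    ("portscan", (0, 1), 2),   # one source -> one host, ports sweep
    ("hostscan", (0, 2), 1),   # one source -> one port, hosts sweep
    ("dos",      (1, 2), 0),   # one host:port hit by many sources
)

class PivotDetector:
    """One table lookup per pivoted axis, so three lookups per packet."""

    def __init__(self, threshold=10):
        self.threshold = threshold
        # Unbounded sets stand in for bounded per-key state (assumption);
        # a production build would cap them at a fixed memory budget.
        self.seen = {name: defaultdict(set) for name, _, _ in PIVOTS}

    def observe(self, pkt):
        """Return the attack labels this packet triggers (empty if benign)."""
        labels = []
        for name, (a, b), free in PIVOTS:
            values = self.seen[name][(pkt[a], pkt[b])]
            values.add(pkt[free])
            if len(values) >= self.threshold:
                labels.append(name)
        return labels

def classify(packets, threshold=10):
    """Run the detector over packets; map label -> pivot keys that triggered."""
    det = PivotDetector(threshold)
    hits = defaultdict(set)
    for pkt in packets:
        for name in det.observe(pkt):
            a, b = next(p for n, p, _ in PIVOTS if n == name)
            hits[name].add((pkt[a], pkt[b]))
    return dict(hits)

# Constructed sample traffic (not from the paper): a port sweep, a host sweep,
# and two ordinary flows that never reach the threshold on any axis.
SAMPLE = (
    [("10.0.0.5", "192.0.2.10", p) for p in range(1, 13)]
    + [("10.0.0.7", "192.0.2.%d" % h, 445) for h in range(1, 13)]
    + [("10.0.0.9", "192.0.2.20", 80), ("10.0.0.9", "192.0.2.20", 443)]
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Each packet is labelled at arrival time, which is the per-packet classification the abstract describes; the pivot key that triggered tells you which axis the regular shape lies along.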

Original language: English
Pages (from-to): 837-846
Number of pages: 10
Journal: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 3090
Publication status: Published - 2004 Dec 1

ASJC Scopus subject areas

  • Computer Science(all)
  • Biochemistry, Genetics and Molecular Biology(all)
  • Theoretical Computer Science

Cite this

@article{110872d137c44441933f398856c65d8a,
title = "Fast classification, calibration, and visualization of network attacks on backbone links",
author = "Hyogon Kim and Kim, {Jin Ho} and Saewoong Bahk and Inhye Kang",
year = "2004",
month = "12",
day = "1",
language = "English",
volume = "3090",
pages = "837--846",
journal = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
issn = "0302-9743",
publisher = "Springer Verlag",
}

TY  - JOUR
T1  - Fast classification, calibration, and visualization of network attacks on backbone links
AU  - Kim, Hyogon
AU  - Kim, Jin Ho
AU  - Bahk, Saewoong
AU  - Kang, Inhye
PY  - 2004/12/1
Y1  - 2004/12/1

UR  - http://www.scopus.com/inward/record.url?scp=35048845232&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=35048845232&partnerID=8YFLogxK
M3  - Article
AN  - SCOPUS:35048845232
VL  - 3090
SP  - 837
EP  - 846
JO  - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
JF  - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SN  - 0302-9743
ER  -