TY - CHAP
T1 - Fast classification, calibration, and visualization of network attacks on backbone links
AU - Kim, Hyogon
AU - Kim, Jin Ho
AU - Bahk, Saewoong
AU - Kang, Inhye
PY - 2004
Y1 - 2004
N2 - This paper presents a novel approach that can simultaneously detect, classify, calibrate and visualize attack traffic at high speed, in real time. In particular, upon a packet arrival, this approach makes it possible to immediately determine if the packet constitutes an attack and if so, what type of attack it is. In this approach, a flow is defined by a 3-tuple, composed of source address, destination address, and destination port. The core idea starts from the observation that only DoS attack, hostscan and portscan appear as a regular geometric shape in the hyperspace defined by the 3-tuple. Instead of employing complex pattern recognition techniques to identify the regular shapes in the hyperspace, we apply an original algorithm called RADAR that captures the "pivoted movement" in one or more of the 3 coordinates. From the geometric perspective, such movement forms the aforementioned regular pattern along the axis of the pivoted dimension. Through real execution on a Gigabit link, we demonstrate that the algorithm is both fast and precise. Since we need only 3 to 4 memory lookups per packet to detect and classify an attack packet, while simultaneously running 2 copies of the algorithm on a Pentium-4 PC, the algorithm incurred no packet loss over 330Mbps live traffic. Memory requirement is also low - at most 200MB of memory suffices even for Gigabit pipes. Finally, the method is general enough to detect both DoS's and scans, but the focus of the paper is on its capability to identify the latter on backbone links, in the light of recent global worm epidemics.
UR - http://www.scopus.com/inward/record.url?scp=35048845232&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-25978-7_84
DO - 10.1007/978-3-540-25978-7_84
M3 - Chapter
AN - SCOPUS:35048845232
SN - 3540230343
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 837
EP - 846
BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
A2 - Kahng, Hyun-Kook
A2 - Goto, Shigeki
PB - Springer Verlag
ER -