An evaluation of anomaly-based intrusion detection engines for mobile ad hoc networks
Mobile Ad Hoc Networks are susceptible to a variety of attacks that threaten their operation and the provided services. Intrusion Detection Systems may act as defensive mechanisms, since they monitor network activities in order to detect malicious actions performed by intruders. Anomaly-based detection engines are a topic of ongoing interest in the research community, due to their advantage in detecting unknown attacks. However, this advantage is offset by a number of limitations such as high rates of false alarms, imposition of processing overhead, lack of adaptability under dynamic network conditions etc. This paper presents a comprehensive evaluation and comparison of the most recent literature in the area of anomaly detection for MANETs. The provided weaknesses and limitations, which are thoroughly examined in this paper, constitute open issues in the area of MANET security and will drive future research steps. © 2011 Springer-Verlag
Packet-Level Network Telemetry and Analytics
Continuous monitoring is an essential part of the operation of computer networks. High-fidelity monitoring data can be used to detect security issues, misconfigurations, equipment failure, or to perform traffic engineering. With networks growing in complexity, traffic volume, and facing more complex attacks, the need for continuous and precise monitoring is greater than ever before. Existing SNMP or NetFlow based approaches are not suited for these new challenges as they compromise on flexibility, fidelity, and performance. These compromises are a result of the assumption that analytics software cannot scale to high traffic rates.
In this work, we look holistically at the requirements and challenges in network monitoring and present an architecture consisting of integrated telemetry, analytics, and record persistence components. By finding the right balance between responsibilities of hardware and software, we demonstrate that flexible and high-fidelity network analytics at high rates is indeed possible.
Our system includes a packet-level, analytics-aware telemetry component in the data plane that runs at line-rates of several Terabits per second and tightly integrates with a flexible software network analytics platform. Operators can interact with this system through a time series database interface that also provides record persistence. We implement a full prototype of our system called Toccoa which can process approximately 80 million packets per 16-core commodity server for a wide variety of monitoring applications and scales linearly with server count.