The Future of Network Flow Monitoring
Flow monitoring has been used for accounting and security for more than two decades. This paper describes how it was developed, what its current status is, and what challenges can be expected in this field in the coming years.
Monitoring multicast traffic in heterogeneous networks
Internship carried out at INESC - Porto and supervised by Prof. Doutor Ricardo Morla. Integrated master's thesis, Electrical and Computer Engineering - Major in Telecommunications, Faculdade de Engenharia, Universidade do Porto. 200
A flow-based intrusion detection framework for internet of things networks
The application of the Internet of Things (IoT) concept in domains such as industrial control, building automation, human health and environmental monitoring introduces new privacy and security challenges. Consequently, traditional implementations of monitoring and security mechanisms are not always feasible or adequate, because of the number of IoT devices, their heterogeneity and the typical limitations of their technical specifications. In this paper, we propose an IP flow-based Intrusion Detection System (IDS) framework to monitor and protect IoT networks from external and internal threats in real time. The proposed framework collects IP flows from an IoT network and analyses them in order to monitor and detect attacks, intrusions and other types of anomalies at different IoT architecture layers, based on flow features rather than packet header fields and payload. The framework was designed to take into account both the IoT network architecture and other IoT contextual characteristics such as scalability, heterogeneity, interoperability and the minimisation of IoT network resource usage. The proposed IDS framework is network-based and relies on a hybrid architecture, with centralized analysis and distributed data collection components. As its detection method, the framework uses a specification-based approach built on specifications of normal traffic. The experimental results show that this framework can achieve ≈100% success and 0% false positives in the detection of intrusions and anomalies. In terms of performance and scalability of the IDS components, we compare it with three conventional IDS (Snort, Suricata and Zeek); the results demonstrate that the proposed solution consumes fewer computational resources (CPU, RAM and persistent memory) than those conventional IDS.
This work was supported by Portuguese national funds through the FCT (Foundation for Science and Technology, I.P.) under project UID/CEC/04524/2019.
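The specification-based detection described above, as an added example that is not the paper's code: flow records collected from the IoT network are matched against hand-written rules describing the normal traffic of each device class, and any flow that no rule describes, or that exceeds a rule's volume limits, is reported. The device classes, addresses, ports, volume limits and record layout are assumptions; a real deployment would derive the specification from observed traffic and the IoT architecture.

```python
"""Specification-based detection over IP flow records.

Added example, not code from the paper above. It assumes a hypothetical flow
record layout (src, dst, proto, dport, packets, octets) and a hand-written
specification of normal traffic for two device classes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    packets: int
    octets: int


@dataclass(frozen=True)
class Rule:
    """One allowed pattern: who may talk to whom, how, and at most how much."""
    src_net: str
    dst_net: str
    proto: str
    dport: int
    max_packets: int    # upper bound per flow record
    max_octets: int


# Constructed specification (assumption): sensors in 10.0.1.0/24 only publish
# MQTT to the broker 10.0.0.10, cameras in 10.0.2.0/24 only stream RTSP to the
# recorder 10.0.0.20, and every device may resolve names via 10.0.0.53.
SPEC = [
    Rule("10.0.1.0/24", "10.0.0.10/32", "tcp", 1883, max_packets=200, max_octets=40_000),
    Rule("10.0.2.0/24", "10.0.0.20/32", "tcp", 554, max_packets=50_000, max_octets=60_000_000),
    Rule("10.0.0.0/16", "10.0.0.53/32", "udp", 53, max_packets=20, max_octets=4_000),
]


def matches(rule, flow):
    return (ip_address(flow.src) in ip_network(rule.src_net)
            and ip_address(flow.dst) in ip_network(rule.dst_net)
            and flow.proto == rule.proto
            and flow.dport == rule.dport)


def classify(flow, spec=SPEC):
    """'normal': a rule covers it; 'volume': a rule covers it but its volume
    limit is exceeded; 'unspecified': no rule describes this flow at all."""
    for rule in spec:
        if matches(rule, flow):
            if flow.packets > rule.max_packets or flow.octets > rule.max_octets:
                return "volume"
            return "normal"
    return "unspecified"


def detect(flows, spec=SPEC):
    """Central analysis step: the flows (from any collector) that break the spec."""
    alerts = []
    for flow in flows:
        verdict = classify(flow, spec)
        if verdict != "normal":
            alerts.append((flow, verdict))
    return alerts


# Constructed flow records: two normal flows, a sensor opening telnet to a
# camera (a service no rule allows) and a DNS flow far above the expected volume.
FLOWS = [
    Flow("10.0.1.7", "10.0.0.10", "tcp", 1883, 12, 2_300),
    Flow("10.0.2.3", "10.0.0.20", "tcp", 554, 9_800, 12_000_000),
    Flow("10.0.1.7", "10.0.2.3", "tcp", 23, 40, 3_100),
    Flow("10.0.1.9", "10.0.0.53", "udp", 53, 900, 90_000),
]

if __name__ == "__main__":
    for flow, verdict in detect(FLOWS):
        print(f"{verdict:12s} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Because the rules describe only what is normal, a previously unseen attack still shows up as "unspecified" without any signature; the cost is that every legitimate change to the network (a new broker, a firmware update that adds NTP) must be reflected in the specification or it will be reported too.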
Adaptive Aggregation of Flow Records
This paper explores the problem of processing the immense volume of measurement data that arises during network traffic monitoring. Because of the ever-increasing demands of current networks, observing accurate information about every single flow is virtually infeasible, and in many cases the existing methods for reducing flow records are still not sufficient. Since accurate knowledge of the flows termed "heavy hitters" suffices for most monitoring purposes, we aggregate the flow records pertaining to non-heavy-hitters. However, because traffic changes continuously, identifying the heavy hitters is a challenge. To overcome it, our proposed approach, the adaptive aggregation of flow records, automatically adjusts its operation to the actual traffic load and to the monitoring requirements. Preliminary experiments on existing network topologies showed that adaptive aggregation efficiently reduces the number of flow records while preserving a significant proportion of the traffic details.
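The aggregation step, as an added example that is not the paper's implementation: flows above a byte threshold (the heavy hitters) keep their exact 5-tuple record, all other flows are folded into one record per (source /24, destination /24, protocol), and if the output still exceeds a record budget the threshold is doubled and the pass repeated. The flow key layout, the /24 aggregation key, the budget and the doubling rule are assumptions; the paper adapts to load and monitoring requirements in its own way.

```python
"""Adaptive aggregation of flow records.

Added example, not the paper's implementation. Heavy hitters (flows at or
above a byte threshold) keep their exact record; everything else is summed
into coarse per-/24-pair records; the threshold is doubled until the record
count fits the budget. Key layout, /24 key and doubling rule are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network


def aggregate(flows, threshold_bytes):
    """flows: {(src, dst, proto, sport, dport): (packets, bytes)}.
    Returns (records, n_exact, n_coarse)."""
    exact = {}
    coarse = defaultdict(lambda: [0, 0])    # coarse key -> [packets, bytes]
    for key, (pkts, byts) in flows.items():
        src, dst, proto, _sport, _dport = key
        if byts >= threshold_bytes:
            exact[key] = (pkts, byts)
        else:
            ckey = (str(ip_network(f"{src}/24", strict=False)),
                    str(ip_network(f"{dst}/24", strict=False)), proto)
            coarse[ckey][0] += pkts
            coarse[ckey][1] += byts
    records = dict(exact)
    records.update({k: tuple(v) for k, v in coarse.items()})
    return records, len(exact), len(coarse)


def adaptive_aggregate(flows, budget, threshold_bytes=1_000, factor=2):
    """Raise the heavy-hitter threshold until the record count fits the budget
    (or no exact record is left to demote). Returns (records, threshold used)."""
    while True:
        records, n_exact, _ = aggregate(flows, threshold_bytes)
        if len(records) <= budget or n_exact == 0:
            return records, threshold_bytes
        threshold_bytes *= factor


# Constructed flow table: two bulk HTTPS transfers (the heavy hitters), a few
# small HTTPS and DNS/NTP flows, and one mid-sized HTTP flow.
FLOWS = {
    ("10.1.1.5", "192.0.2.10", "tcp", 51000, 443): (4_000, 5_000_000),
    ("10.1.1.6", "192.0.2.10", "tcp", 51001, 443): (1_500, 2_000_000),
    ("10.1.1.7", "192.0.2.11", "tcp", 51002, 443): (10, 800),
    ("10.1.1.8", "192.0.2.11", "tcp", 51003, 443): (12, 950),
    ("10.1.2.3", "198.51.100.7", "udp", 40000, 53): (2, 300),
    ("10.1.2.4", "198.51.100.7", "udp", 40001, 53): (2, 310),
    ("10.1.2.5", "198.51.100.9", "udp", 40002, 123): (1, 90),
    ("10.1.1.9", "192.0.2.12", "tcp", 51004, 80): (30, 1_500),
}

if __name__ == "__main__":
    records, threshold = adaptive_aggregate(FLOWS, budget=4)
    print(f"{len(FLOWS)} flows -> {len(records)} records at threshold {threshold} B")
    for key, (pkts, byts) in records.items():
        print(key, pkts, byts)
```

With a budget of four records the first pass (threshold 1000 B) yields five, so the threshold is raised to 2000 B, the 1500 B HTTP flow is demoted into the coarse TCP record, and the two bulk transfers survive with full detail. The security trade-off is visible in the coarse records: a low-and-slow scan spread over many small flows disappears into a per-subnet sum, so a detector that needs those flows must keep its own exact counters for the ports it cares about.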
Flow Data Collection in Large Scale Networks
In this chapter, we present flow-based network traffic monitoring of large-scale networks. The continuous increase in Internet traffic requires the deployment of advanced monitoring techniques that provide near-real-time and long-term network visibility. The collected flow data can further be used for network behaviour analysis to distinguish legitimate from malicious traffic, to provide evidence of cyber threats, and so on. An early warning system should integrate flow-based monitoring to ensure network situational awareness.
A Two-stage Flow-based Intrusion Detection Model ForNext-generation Networks
Next-generation networks provide state-of-the-art access-independent services over converged mobile and fixed networks. Security in the converged network environment is a major challenge. Traditional packet- and protocol-based intrusion detection techniques cannot be used in next-generation networks because of low throughput, low accuracy and their inability to inspect encrypted payloads. An alternative for protecting next-generation networks is to use network flow records to detect malicious activity in network traffic; flow records are independent of access networks and user applications. In this paper, we propose a two-stage flow-based intrusion detection system for next-generation networks. The first stage uses an enhanced unsupervised one-class support vector machine that separates malicious flows from normal network traffic. The second stage uses a self-organizing map that automatically groups the malicious flows into alert clusters. We validated the proposed approach on two flow-based datasets and obtained promising results.
Enhanced IPFIX flow monitoring for VXLAN based cloud overlay networks
Demand for cloud computing services is growing rapidly because of fast adoption and the migration of workloads from private data centers to cloud data centers. Many companies, small and large, prefer moving their data to an enterprise cloud environment rather than expanding their own data centers. As a result, network traffic in cloud data centers is increasing rapidly. However, because of dynamic resource provisioning and high-speed virtualized cloud networks, traditional flow-monitoring systems are unable to provide detailed visibility into the traffic traversing the cloud overlay network, and so do not fulfil the monitoring requirements of cloud overlay traffic. As the growth of cloud network traffic makes it difficult for service providers and end users to manage the traffic efficiently, an enhanced IPFIX flow-monitoring mechanism for cloud overlay networks is proposed to address this problem. The mechanism provides detailed visibility into the overlay network traffic traversing the cloud environment, which is not available in current network monitoring systems. Experimental results show that the proposed monitoring system is able to capture overlay network traffic and segregate tenant traffic per virtual machine, unlike the standard monitoring system.
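What the outer header hides and what the overlay-aware key recovers, as an added example that is not the paper's implementation: an exporter keyed on the outer headers sees one VTEP-to-VTEP UDP/4789 flow, whereas keying on the VXLAN Network Identifier (VNI) plus the inner 5-tuple tells tenants apart even when their address spaces overlap. The packets are constructed in build_vxlan_packet(); all addresses, ports and VNIs are assumptions.

```python
"""Tenant-aware flow keys from VXLAN-encapsulated packets.

Added example, not the paper's implementation. Parses outer Ethernet/IPv4/UDP,
the 8-byte VXLAN header (RFC 7348 layout) and the inner Ethernet/IPv4/TCP
headers of constructed packets; addresses, ports and VNIs are assumptions.
"""
import struct
from ipaddress import IPv4Address

VXLAN_PORT = 4789
ETH_IPV4 = b"\x08\x00"


def ipv4_header(src, dst, proto, payload_len):
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def build_vxlan_packet(vni, outer_src, outer_dst, inner_src, inner_dst, sport, dport):
    """Outer Ethernet/IPv4/UDP(4789) + VXLAN + inner Ethernet/IPv4/TCP SYN."""
    inner_tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner_ip = ipv4_header(inner_src, inner_dst, 6, len(inner_tcp))
    inner_eth = b"\x02" * 6 + b"\x04" * 6 + ETH_IPV4
    # VXLAN header: flags (I bit set), 3 reserved bytes, 24-bit VNI, 1 reserved byte
    vxlan = bytes([0x08, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")
    payload = vxlan + inner_eth + inner_ip + inner_tcp
    outer_udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(payload), 0)
    outer_ip = ipv4_header(outer_src, outer_dst, 17, 8 + len(payload))
    outer_eth = b"\x02" * 6 + b"\x06" * 6 + ETH_IPV4
    return outer_eth + outer_ip + outer_udp + payload


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return (str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])),
            buf[9], buf[ihl:])


def flow_keys(packet):
    """Return (outer_key, tenant_key); tenant_key is None unless the packet is
    VXLAN with the I flag set and carries an IPv4 frame."""
    if packet[12:14] != ETH_IPV4:
        return None, None
    src, dst, proto, l4 = parse_ipv4(packet[14:])
    sport, dport = struct.unpack("!HH", l4[:4])
    outer_key = (src, dst, proto, sport, dport)
    if proto != 17 or dport != VXLAN_PORT:
        return outer_key, None
    vx = l4[8:16]
    if not (vx[0] & 0x08):          # no valid VNI without the I flag
        return outer_key, None
    vni = int.from_bytes(vx[4:7], "big")
    inner = l4[16:]
    if inner[12:14] != ETH_IPV4:
        return outer_key, None
    isrc, idst, iproto, il4 = parse_ipv4(inner[14:])
    isport, idport = struct.unpack("!HH", il4[:4])
    return outer_key, (vni, isrc, idst, iproto, isport, idport)


def per_tenant_flows(packets):
    """Packet counts per (VNI, inner 5-tuple): the view the outer key hides."""
    counts = {}
    for p in packets:
        _, tkey = flow_keys(p)
        if tkey is not None:
            counts[tkey] = counts.get(tkey, 0) + 1
    return counts


# Constructed: two tenants (VNI 100 and 200) with identical, overlapping inner
# addresses, all carried between the same pair of VTEPs.
PACKETS = [
    build_vxlan_packet(100, "10.0.0.1", "10.0.0.2", "172.16.0.10", "172.16.0.20", 40000, 443),
    build_vxlan_packet(100, "10.0.0.1", "10.0.0.2", "172.16.0.10", "172.16.0.20", 40000, 443),
    build_vxlan_packet(200, "10.0.0.1", "10.0.0.2", "172.16.0.10", "172.16.0.20", 40000, 443),
]

if __name__ == "__main__":
    print("outer keys:", {flow_keys(p)[0] for p in PACKETS})
    print("tenant flows:", per_tenant_flows(PACKETS))
```

All three packets collapse to a single outer key, so a standard exporter would report one flow and could not say which tenant generated it; the tenant key separates VNI 100 from VNI 200 despite identical inner addresses. In an IPFIX export the VNI would travel as its own information element alongside the inner 5-tuple; the example stops at building the key.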
Engineering the application of machine learning in an IDS based on IoT traffic flow
Internet of Things (IoT) devices are now widely used, enabling intelligent services that, together with new communication technologies such as 5G and broadband Internet, boost smart-city environments. Despite their limited resources, IoT devices collect and share large amounts of data and are connected to the Internet, making them an attractive target for malicious actors. This work combines machine learning with an Intrusion Detection System (IDS) to detect possible attacks. Because of the limitations of IoT devices and of low-latency services, the IDS must have a specialized architecture. Furthermore, although machine-learning-based solutions have high potential, there are still challenges related to training and generalization, which may impose constraints on the architecture. Our proposal is an IDS with a distributed architecture that relies on fog computing to run specialized modules and uses deep neural networks to identify malicious traffic inside IoT data flows. We compare our IoT-Flow IDS with three other architectures. We assess model generalization using test data from different datasets and evaluate performance in terms of recall, precision and F1-score. The results confirm the feasibility of flow-based anomaly detection and the importance of network traffic segmentation and specialized models in AI-based IDS for IoT.
Detection of HTTPS brute-force attacks in high-speed computer networks
This thesis presents a review of flow-based network threat detection, focusing on brute-force attacks against popular web applications such as WordPress and Joomla. A new dataset was created that consists of benign backbone network traffic and brute-force attacks generated with open-source attack tools. The thesis proposes a brute-force attack detection method based on packet-level characteristics that uses modern machine-learning models. The method works on encrypted HTTPS traffic without decrypting the payload. As more and more network traffic is encrypted, it is crucial to update intrusion detection methods to maintain at least some level of network visibility.
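The kind of packet-level characteristics that survive TLS, as an added example that is not the thesis's method: per-connection counts and size statistics of the encrypted records in each direction are enough to tell a run of near-identical login attempts from ordinary browsing. The thesis trains machine-learning models on such features; here a hand-set rule stands in for the model to make the features concrete. The packet sequences are constructed and the sizes and thresholds are assumptions.

```python
"""Packet-level features for spotting HTTPS brute-force logins without decryption.

Added example, not the thesis's method: the thesis uses machine-learning
models, whereas here a hand-set rule stands in for the model. Packet
sequences are constructed; record sizes and thresholds are assumptions.
"""
from statistics import mean, pstdev


def features(packets):
    """packets: list of (direction, size), direction 'c2s' (client to server)
    or 's2c', size the TLS record length after the handshake. Returns
    per-connection features an exporter can compute without any keys."""
    c2s = [s for d, s in packets if d == "c2s"]
    s2c = [s for d, s in packets if d == "s2c"]

    def cv(xs):    # coefficient of variation; 0 for fewer than two samples
        return pstdev(xs) / mean(xs) if len(xs) > 1 and mean(xs) else 0.0

    return {
        "requests": len(c2s),
        "req_size_cv": cv(c2s),
        "resp_size_cv": cv(s2c),
        "bytes_up": sum(c2s),
        "bytes_down": sum(s2c),
    }


def is_bruteforce(packets, min_requests=20, max_cv=0.05):
    """Many near-identical requests, each answered by a near-identical
    response (the login form being re-served), within one connection."""
    f = features(packets)
    return (f["requests"] >= min_requests
            and f["req_size_cv"] < max_cv
            and f["resp_size_cv"] < max_cv)


# Constructed: 30 password guesses against a login endpoint over one keep-alive
# TLS connection; each POST is about 600 B and each failure page about 1200 B.
BRUTE = []
for i in range(30):
    BRUTE.append(("c2s", 600 + i % 3))
    BRUTE.append(("s2c", 1200 + i % 2))

# Constructed: a person loading a page, a stylesheet and an image.
BROWSE = [("c2s", 400), ("s2c", 15_000), ("c2s", 380), ("s2c", 2_300),
          ("c2s", 500), ("s2c", 48_000)]

if __name__ == "__main__":
    for name, pkts in (("brute-force", BRUTE), ("browsing", BROWSE)):
        print(name, features(pkts), "->", is_bruteforce(pkts))
```

The rule catches a single-connection attack; a tool that opens a fresh connection per guess, or pads request sizes, defeats it, which is one reason to hand these features to a trained model over many connections rather than to a fixed threshold.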