Literature Database Entry

erlacher2019efficient


Felix Erlacher, "Efficient Intrusion Detection in High-Speed Networks," PhD Thesis, Department of Computer Science, Paderborn University, June 2019. (Advisor: Falko Dressler; Referee: Felix Freiling)

Abstract

To keep today's computer networks up and running, it is paramount to detect all attacks and malicious activities contained in the network traffic. This makes network intrusion detection an integral part of every IT security strategy. In this PhD thesis we study the problem of intrusion detection in high-speed networks. To achieve sufficient accuracy, state-of-the-art Network Intrusion Detection Systems (NIDS) apply performance intensive procedures like Deep Packet Inspection (DPI)-methods on network packets and, thus, can not cope with the traffic rates in high-throughput networks. The fact that high-throughput connections are nowadays widespread even in smaller corporate or campus networks, stresses for more efficient detection approaches. This thesis proposes novel methods for efficient intrusion detection in such scenarios. In order to get an understanding of today’s threat landscape, we give an overview of the attacks which arose with the introduction of the so called Web 2.0. We analyze current mitigation techniques and point out open research problems. Further, we present an approach which increases the efficiency of anomaly-based NIDS by combining multiple anomaly detection algorithms on a single computer. Our novel load allocation scheme mitigates random packet drops caused by the high performance-demand of the combined algorithms. To increase the network throughput performance of network monitoring appliances in general and NIDS in particular, we propose two methods for preprocessing HTTP traffic before analysis. We show that both approaches significantly reduce the data portion to be analyzed while retaining the relevant parts for intrusion detection. Then we present our novel signature-based NIDS called FIXIDS, which takes as input HTTP-enriched IPFIX Flows. By applying HTTP-related signatures from the widely used NIDS Snort, it guarantees that thousands of up-to-date and community validated attack descriptions are available. Results show that FIXIDS is able to analyze the HTTP-portion of typical internet traffic even at rates of more than 9.5 Gbit/s. In the final contribution we propose a malicious HTTP traffic generator for NIDS evaluation called GENESIDS. It uses Snort signatures as attack descriptions. The evaluation shows that GENESIDS reliably generates a variety of more than 8000 different attacks. Summarizing, we strongly believe that the above contributions significantly increase the efficiency of NIDS in modern high-speed networks.

Quick access

BibTeX BibTeX

Contact

Felix Erlacher

BibTeX reference

@phdthesis{erlacher2019efficient,
    advisor = {Dressler, Falko},
    author = {Erlacher, Felix},
    institution = {Department of Computer Science},
    location = {Paderborn, Germany},
    month = {6},
    referee = {Freiling, Felix},
    school = {Paderborn University},
    title = {{Efficient Intrusion Detection in High-Speed Networks}},
    type = {PhD Thesis},
    year = {2019},
   }
   
   

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or permissions@acm.org.

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at www.springerlink.com.

This page was automatically generated using BibDB and bib2web.