Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, J. W. Hong
2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507), published 2004-04-23. DOI: 10.1109/NOMS.2004.1317747 (https://doi.org/10.1109/NOMS.2004.1317747)
A flow-based method for abnormal network traffic detection
One recent trend in network security attacks is an increasing number of indirect attacks, which degrade network traffic instead of directly entering a system and damaging it. In the future, the damage from this type of attack is expected to become more serious. In addition, the bandwidth consumed by these attacks affects the performance of the entire network. This paper presents an abnormal network traffic detection method and a system prototype. By aggregating packets that belong to the same flow, we can reduce processing overhead in the system. We propose a detection algorithm based on the changes in traffic patterns that appear during attacks. This algorithm can detect even mutant attacks that use a new port number or a changed payload, which signature-based systems are not capable of detecting. Furthermore, the proposed algorithm can identify attacks that cannot be detected by examining single-packet information alone.