{"title":"使用复杂事件处理的基于流的检测方法的快速原型","authors":"P. Velan, M. Husák, Daniel Tovarnák","doi":"10.1109/NOMS.2018.8406121","DOIUrl":null,"url":null,"abstract":"Detection of network attacks is the first step to network security. Many different methods for attack detection were proposed in the past. However, descriptions of these methods are often not complete and it is difficult to verify that the actual implementation matches the description. In this demo paper, we propose to use Complex Event Processing (CEP) for developing detection methods based on network flows. By writing the detection methods in an Event Processing Language (EPL), we can address the above-mentioned problems. The SQL-like syntax of most EPLs is easily readable so the detection method is self-documented. Moreover, it is directly executable in the CEP system, which eliminates inconsistencies between documentation and implementation. The demo will show a running example of a multi-stage HTTP brute force attack detection using Esper and its EPL.","PeriodicalId":19331,"journal":{"name":"NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2018-04-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Rapid prototyping of flow-based detection methods using complex event processing\",\"authors\":\"P. Velan, M. Husák, Daniel Tovarnák\",\"doi\":\"10.1109/NOMS.2018.8406121\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Detection of network attacks is the first step to network security. Many different methods for attack detection were proposed in the past. However, descriptions of these methods are often not complete and it is difficult to verify that the actual implementation matches the description. In this demo paper, we propose to use Complex Event Processing (CEP) for developing detection methods based on network flows. By writing the detection methods in an Event Processing Language (EPL), we can address the above-mentioned problems. The SQL-like syntax of most EPLs is easily readable so the detection method is self-documented. Moreover, it is directly executable in the CEP system, which eliminates inconsistencies between documentation and implementation. The demo will show a running example of a multi-stage HTTP brute force attack detection using Esper and its EPL.\",\"PeriodicalId\":19331,\"journal\":{\"name\":\"NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-04-23\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/NOMS.2018.8406121\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NOMS.2018.8406121","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Rapid prototyping of flow-based detection methods using complex event processing
Detection of network attacks is the first step to network security. Many different methods for attack detection were proposed in the past. However, descriptions of these methods are often not complete and it is difficult to verify that the actual implementation matches the description. In this demo paper, we propose to use Complex Event Processing (CEP) for developing detection methods based on network flows. By writing the detection methods in an Event Processing Language (EPL), we can address the above-mentioned problems. The SQL-like syntax of most EPLs is easily readable so the detection method is self-documented. Moreover, it is directly executable in the CEP system, which eliminates inconsistencies between documentation and implementation. The demo will show a running example of a multi-stage HTTP brute force attack detection using Esper and its EPL.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
