This document discusses IP flow based intrusion detection. It notes issues with payload-based network intrusion detection systems and describes how flow-based detection addresses these issues by relying only on header information. It covers topics like flow sampling techniques, common types of attacks, and how flow-based detection is well-suited for detecting denial of service attacks, scans, worms, and botnets.
7. Sampling
State information is kept for each active flow
Flow look-up for each incoming packet puts heavy demand on CPU and memory resources
IETF PSAMP working group is creating standards for sampling
Sampling makes intrusion detection harder
Two categories:
− Packet sampling
− Flow sampling
8. Sampling...
Packet Sampling
− Systematic sampling
Time-driven sampling
Event-driven sampling
− Random sampling
A probability distribution function is used
− n-in-N sampling
− Probabilistic sampling
9. Sampling...
Flow Sampling
− Similar to random packet sampling
− Sample and hold method
A new incoming packet that does not belong to an existing flow leads to the creation of a new flow entry with probability p.
− Smart sampling
Dynamically controls the size of the sampled data
Threshold sampling and priority sampling
− Flow sampling probability depending on
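The packet sampling schemes of slide 8 and the flow sampling schemes of slide 9 side by side, as an added example that is not part of the original slides. The traffic is constructed inline (three long-lived TCP flows plus many one-packet DNS queries); the 1-in-N, time-window, n-in-N and probabilistic selectors follow the slide's categories, sample-and-hold follows the slide's description, and threshold sampling uses the min(1, x/z) keep probability from Duffield et al., which is an assumption about what "smart sampling" refers to here. Function and parameter names are my own.

```python
import random
from collections import defaultdict

# Constructed traffic, not captured data: three long-lived "elephant" TCP flows to one
# server plus many single-packet DNS queries from assorted clients.
# Packet tuple: (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, bytes)
def build_packets(n_packets=200, seed=1):
    rng = random.Random(seed)
    heavy = [("10.0.0.5", "192.0.2.10", 6, 40000 + i, 443) for i in range(3)]
    packets = []
    for i in range(n_packets):
        ts = (i + 1) / 100          # one packet every 10 ms
        if rng.random() < 0.6:
            src, dst, proto, sport, dport = rng.choice(heavy)
            size = rng.randint(800, 1500)
        else:
            src = "10.0.0.%d" % rng.randint(20, 200)
            dst, proto, sport, dport = "192.0.2.10", 17, rng.randint(1024, 65535), 53
            size = rng.randint(60, 120)
        packets.append((ts, src, dst, proto, sport, dport, size))
    return packets


def flow_key(pkt):
    """5-tuple that identifies a flow: src, dst, proto, sport, dport."""
    return pkt[1:6]


# ---- Packet sampling (slide 8) ----------------------------------------------

def systematic_count(packets, every_n):
    """Systematic event-driven sampling: keep every N-th packet (1-in-N)."""
    return packets[::every_n]


def systematic_time(packets, period_s, on_s):
    """Systematic time-driven sampling: keep packets seen in the first on_s seconds of each period."""
    return [p for p in packets if (p[0] % period_s) < on_s]


def random_n_in_N(packets, n, N, seed=0):
    """Random n-in-N sampling: from each block of N packets keep n at random positions."""
    rng = random.Random(seed)
    out = []
    for start in range(0, len(packets), N):
        block = packets[start:start + N]
        for idx in sorted(rng.sample(range(len(block)), min(n, len(block)))):
            out.append(block[idx])
    return out


def probabilistic(packets, p, seed=0):
    """Probabilistic sampling: each packet is kept independently with probability p."""
    rng = random.Random(seed)
    return [pkt for pkt in packets if rng.random() < p]


# ---- Flow sampling (slide 9) ------------------------------------------------

def exact_flows(packets):
    """Reference: the full flow table with no sampling (what an exporter keeps at p = 1)."""
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        rec = table[flow_key(pkt)]
        rec["packets"] += 1
        rec["bytes"] += pkt[6]
    return dict(table)


def sample_and_hold(packets, p, seed=0):
    """Sample-and-hold: a packet of an unknown flow creates an entry with probability p;
    once a flow is held, every later packet of that flow is counted in full."""
    rng = random.Random(seed)
    table = {}
    for pkt in packets:
        key = flow_key(pkt)
        if key in table:
            table[key]["packets"] += 1
            table[key]["bytes"] += pkt[6]
        elif rng.random() < p:
            table[key] = {"packets": 1, "bytes": pkt[6]}
    return table


def threshold_sample(flows, z, seed=0):
    """Smart (threshold) sampling, assumed here to mean Duffield et al.: a flow of x bytes
    is kept with probability min(1, x/z), so large flows always survive and small ones are
    thinned; the 1/p weight lets a consumer estimate totals from the sample without bias."""
    rng = random.Random(seed)
    kept = {}
    for key, rec in flows.items():
        p = min(1.0, rec["bytes"] / z)
        if rng.random() < p:
            kept[key] = dict(rec, weight=1.0 / p)
    return kept


if __name__ == "__main__":
    pk = build_packets()
    full = exact_flows(pk)
    held = sample_and_hold(pk, 0.1)
    smart = threshold_sample(full, z=1000)
    print(len(pk), "packets,", len(full), "flows;", len(held), "held at p=0.1;",
          len(smart), "after threshold sampling")
    print("bytes: actual", sum(r["bytes"] for r in full.values()),
          "estimated", round(sum(r["bytes"] * r["weight"] for r in smart.values())))
```

Running the script shows the detection-relevant effect the slide alludes to: at p = 0.1 sample-and-hold still captures the three large flows almost every time (they offer many chances to be sampled) while most of the one-packet DNS flows vanish, and threshold sampling keeps the same large flows deterministically. A scan or a SYN flood is made of exactly those small flows, which is why sampling makes it harder to see.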
10. Attack Classification
Physical attacks
Buffer overflow attacks
Password attacks
(Distributed) Denial of Service attacks
Information gathering attacks
Trojan horses
Worms
Viruses
11. Attack classification...
Botnets
− Group of computers infected with malicious programs that cause them to operate against their owners' intentions and without their knowledge
− Remotely controlled by bot-masters
− Perfect for performing distributed attacks
12. Flow based Intrusion detection
As it relies only on header information, it addresses the following attacks:
− Denial of service
− Scans
− Worms
− Botnets