
WO2020215342A1 - Host cardinality measuring for network anomaly detection - Google Patents

Host cardinality measuring for network anomaly detection

Info

Publication number
WO2020215342A1
Authority
WO
WIPO (PCT)
Prior art keywords
cardinality
network
destination
data structure
abnormal
Prior art date
Application number
PCT/CN2019/084693
Other languages
English (en)
Inventor
Xuyang JING
Zheng Yan
Original Assignee
Nokia Technologies Oy
Nokia Technologies (Beijing) Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Nokia Technologies Oy and Nokia Technologies (Beijing) Co., Ltd.
Priority to PCT/CN2019/084693
Publication of WO2020215342A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3466 Performance evaluation by tracing or monitoring
    • G06F11/3495 Performance evaluation by tracing or monitoring for systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0766 Error or fault reporting or storing
    • G06F11/0775 Content or structure details of the error report, e.g. specific table structure, specific error fields
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/875 Monitoring of systems including the internet

Definitions

  • Various example embodiments relate to host cardinality measuring for network anomaly detection.
  • Accurately and timely network traffic measuring assists network security. Such a measuring may be crucial for anomaly detection and defense, attack attribution, and network information forensics, among others.
  • Monitoring host cardinality is one useful method of network traffic measurement.
  • The cardinality of a host is the number of distinct peers it communicates with.
  • Destination Cardinality (DC) refers to the number of distinct destination IP addresses that a host connects to.
  • Destination Port Cardinality (DPC) refers to the number of distinct destination ports that a host connects to.
  • Source Cardinality (SC) refers to the number of distinct source IP addresses that connect to a host.
  • DC and DPC can be used to identify attacking hosts, while SC can be used to identify a victim in attack detection and defense.
  • A host with high DC or DPC is known as a super source (also super spreader or super point); a host with high SC is known as a super destination.
  • A compromised host may try to connect to as many different destination IP addresses or ports as possible in a short time.
  • A malicious host may send the same content to many distinct destination IP addresses. Both of these hosts are super points.
  • Distributed Denial of Service (DDoS) flooding attacks are launched by employing a massive number of hosts on which malware has been installed, to flood a victim for the purpose of occupying its resources.
  • Attackers often use a large number of source IP addresses, each sending only a few packets to the victim.
  • A destination IP address with high SC is therefore a candidate victim.
  • Identifying hosts with high DC/DPC/SC may help in detecting and defending against some typical network attacks.
  • A naive and accurate method for measuring host cardinality would be to maintain a table tracking all distinct hosts with which a host communicates. However, this method would cause excessive memory consumption and memory access because of the large amount of network traffic data, especially in high-speed and/or large networks.
  • a method of measuring host cardinality comprising:
  • host cardinality is divided into destination cardinality, destination port cardinality and source cardinality.
  • abnormal network events of hosts may be detected from high cardinality.
  • the abnormal network events may include any one or more of:
  • the multi-dimensional reversible data structure may be a probabilistic data structure configured for counting distinct communications among hosts.
  • the probabilistic data structure may use three dimensions to separately record traffic information about a source IP address, a destination IP address and a destination port.
  • the method may comprise performing an update operation.
  • In the update operation, when a new packet arrives, the probabilistic data structure is updated by setting a bit in the corresponding bucket where the packet is located.
  • This operation may be realized by using data-oriented hash functions.
  • The data-oriented hash functions may be based on the Chinese Remainder Theorem.
  • The updating may be performed in a packet data network to monitor network traffic in real time.
  • The method may further comprise a point estimation operation.
  • In the point estimation operation, for a given source or destination IP address, the respective source or destination cardinality may be queried using probabilistic counting with a given level of accuracy. This operation allows locating abnormal hosts with high cardinality.
  • The method may further comprise a combination operation.
  • In the combination operation, a plurality of the multi-dimensional reversible data structures with the same parameters may be combined into a single one using the bitwise-OR operator. This operation may be used to support distributed collection of network traffic followed by centralized analysis.
  • The method may further comprise a reversible calculation operation.
  • The reversible calculation operation may be performed upon detecting abnormal hosts with high cardinality.
  • The reversible calculation operation may attempt to reversibly reconstruct the original IP addresses. This avoids an exhaustive exploration of all possible addresses.
  • the method may comprise network anomaly detection.
  • the network anomaly detection may comprise any one or more of the following:
  • the multi-dimensional reversible data structure may be a SuperSketch.
  • the network security measurement method may be used to measure an aggregate security level of a network.
  • an apparatus comprising a memory and a processor that are configured to cause the apparatus to perform the method of the first example aspect.
  • a computer program comprising computer executable program code configured to execute any method of the first example aspect.
  • the computer program may be stored in a computer readable memory medium.
  • Any foregoing memory medium may comprise a digital data storage such as a data disc or diskette, optical storage, magnetic storage, holographic storage, opto-magnetic storage, phase-change memory, resistive random access memory, magnetic random access memory, solid-electrolyte memory, ferroelectric random access memory, organic memory or polymer memory.
  • the memory medium may be formed into a device without other substantial functions than storing memory or it may be formed as part of a device with other functions, including but not limited to a memory of a computer, a chip set, and a sub assembly of an electronic device.
  • Fig. 1 shows an architectural drawing of a system of an example embodiment
  • Fig. 2 shows a flow chart of a process of an example embodiment
  • Fig. 3 shows a block diagram of an apparatus of an example embodiment
  • Fig. 4 presents a diagram of a Sketch
  • Fig. 5 presents the structure of SuperSketch
  • Fig. 6 presents update operation of SuperSketch
  • Fig. 7 presents point estimation process for destination cardinality and destination port cardinality
  • Fig. 8 presents point estimation process for Source Cardinality.
  • Fig. 1 shows an architectural drawing of a system 100 of an example embodiment.
  • the system 100 comprises a plurality of hosts 110, each of which may be either or both sending or receiving hosts.
  • Fig. 1 further shows a plurality of routers 120, the Internet 130 to which the routers 120 connect the hosts 110, and a detection unit 140.
  • the detection unit 140 is drawn as a single box illustrating a functionality, although in some embodiments the detection unit 140 is distributed to two or more separate units or implemented using virtual or cloud computing.
  • The detection unit 140 is implemented in a firewall or a router. In an example embodiment, the detection unit 140 is implemented in a serving gateway (SGW). In an example embodiment, the detection unit 140 is implemented in an evolved packet data gateway (ePDG). In an example embodiment, the detection unit 140 is implemented in a packet data network gateway (PGW) of an LTE core network. In an example embodiment, the detection unit 140 is implemented in an access and mobility function (AMF). In an example embodiment, the detection unit 140 is implemented in a non-3GPP interworking function (N3IWF) of a 5G core network.
  • SGW serving gateway
  • ePDG evolved packet data gateway
  • PGW packet data network gateway
  • AMF access and mobility function
  • N3IWF non-3GPP interworking function
  • Fig. 2 shows a flow chart of a process of an example embodiment illustrating a method of measuring host cardinality, comprising:
  • performing network anomaly detection comprising any one or more of the following: 1) performing the update operation to record traffic information about source IP addresses, destination IP addresses and ports; 2) performing an adaptive high cardinality host identification algorithm based on the traffic data recorded in the multi-dimensional reversible data structure; 3) Reversibly calculating with the multi-dimensional reversible data structures to reconstruct original IP addresses of abnormal hosts that hold high cardinality; 4) performing anomaly attribution to classify anomaly types for selecting one or more suitable anomaly defense or mitigation mechanisms.
  • Fig. 3 shows a block diagram of an apparatus 300 of an example embodiment, such as the detection unit 140.
  • the apparatus 300 comprises an input/output function, a processing function 320, an optional user interface 330, a memory 340 and computer program code 350 stored in the memory 340.
  • the processor 320 is configured to control the operation of the apparatus 300 based on the computer program code 350 when executing the program code 350.
  • The input/output function 310 comprises, for example, a local area network (LAN) port such as a 100Base/1000Base Ethernet port; a data bus; a wireless local area network (WLAN) unit; a cellular data communication unit; or a satellite data communication unit.
  • The processing function 320 comprises, for example, any one or more of: a master control unit (MCU); a microprocessor; a digital signal processor (DSP); an application specific integrated circuit (ASIC); a field programmable gate array; a microcontroller; a portion of one or more virtualized or cloud computing processing cores.
  • MCU master control unit
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • An example embodiment is based on a data summarization technique called Sketch.
  • The Sketch is a probabilistic data summarization technique composed of $H$ hash tables of size $M$, as shown in Fig. 4.
  • Incoming network traffic is modeled as pairwise items encompassing a key and an associated value, where the key can be one or more fields in packet headers, and the value can be any accumulative feature, such as the size of a packet, the number of packets, etc.
  • Each row $i$ is associated with an independent hash function $h_i$ that maps an incoming key into the hashing space $\{0, 1, 2, \ldots, M-1\}$.
  • Data whose keys hash to the same value are put in the same bucket and their values are added up.
  • The $H$ hash functions in a sketch are chosen from the family of $k$-universal hash functions defined in Equation (1), where $r$ is an arbitrary prime (e.g., Mersenne primes are chosen for a fast implementation), $a_i$ ($\neq 0$) and $b_i$ are randomly selected from the set $\{0, 1, \ldots, r-1\}$, and $M$ is the width of the sketch.
  • With $k$-universal hash functions, the probability that two keys are aggregated in the same bucket over $H$ hash tables is $(1/M)^{kH}$.
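As an added illustration (this is not code from the patent or from Nokia), the following Python builds the $H \times M$ counter sketch described above, with each row's hash drawn from the $k$-universal polynomial family $h(x) = ((a_{k-1} x^{k-1} + \ldots + a_1 x + a_0) \bmod r) \bmod M$ over the Mersenne prime $r = 2^{31} - 1$. The page does not say how a plain sketch is queried, so the minimum-over-rows query (Count-Min style) is an assumption, as are the packet-size values and the traffic, which is constructed for the example.

```python
import random

MERSENNE_PRIME = (1 << 31) - 1        # r = 2^31 - 1, a Mersenne prime (cheap modular reduction)


def ip_to_int(dotted):
    """Dotted-quad IPv4 string -> integer key."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def make_k_universal_hash(k, m, rng):
    """One member of the k-universal family
    h(x) = ((a_{k-1} x^{k-1} + ... + a_1 x + a_0) mod r) mod m,
    with a_{k-1} != 0 and every a_i drawn from {0, ..., r-1}."""
    coeffs = [rng.randrange(MERSENNE_PRIME) for _ in range(k)]
    while coeffs[-1] == 0:                          # leading coefficient must be non-zero
        coeffs[-1] = rng.randrange(MERSENNE_PRIME)

    def h(x):
        acc = 0
        for a in reversed(coeffs):                  # Horner's rule, reduced modulo r each step
            acc = (acc * x + a) % MERSENNE_PRIME
        return acc % m
    return h


class Sketch:
    """H hash tables of M counters; each key is added into one bucket per row."""

    def __init__(self, h_rows, m_width, k=2, seed=0):
        rng = random.Random(seed)
        self.hashes = [make_k_universal_hash(k, m_width, rng) for _ in range(h_rows)]
        self.table = [[0] * m_width for _ in range(h_rows)]

    def update(self, key, value):
        """Add an accumulative feature (packet size, packet count, ...) for a key."""
        for row, h in enumerate(self.hashes):
            self.table[row][h(key)] += value

    def estimate(self, key):
        """Query: a row can only over-count on collisions, so the minimum over rows is the
        tightest estimate (Count-Min style; assumed, the patent does not specify the query)."""
        return min(self.table[row][h(key)] for row, h in enumerate(self.hashes))


def demo():
    """Constructed traffic (not from the patent): bytes per source IP, H = 3 rows of M = 1024."""
    sk = Sketch(h_rows=3, m_width=1024, k=2, seed=1)
    for _ in range(3):
        sk.update(ip_to_int("192.0.2.1"), 1500)      # three 1500-byte packets from one host
    sk.update(ip_to_int("192.0.2.2"), 60)            # one 60-byte packet from another host
    return {"192.0.2.1": sk.estimate(ip_to_int("192.0.2.1")),
            "192.0.2.2": sk.estimate(ip_to_int("192.0.2.2")),
            "198.51.100.9": sk.estimate(ip_to_int("198.51.100.9"))}   # never seen
```

With $k = 2$ the family reduces to the affine hash $((ax + b) \bmod r) \bmod M$ that the SuperSketch rows use; raising $k$ adds polynomial terms and lowers the collision probability at the cost of more multiplications per packet.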
  • Each $SS_i$ is a bit cube (a three-dimensional bit array) of size $p_i \times p_i \times u_i$, where $1 \le i \le N$ and $p_i$ and $u_i$ are integers.
  • Multiple bit cubes (or, more typically, rectangular cuboids) of different sizes are used here to collect as much traffic information as possible and to reversibly recover abnormal keys.
  • The height, length and width of $SS_i$ are denoted $L_1$, $L_2$ and $L_3$, respectively.
  • $SS_i[j][\cdot][\cdot]$ denotes the $j$-th row in $L_1$
  • $SS_i[\cdot][k][\cdot]$ denotes the $k$-th column in $L_2$
  • $SS_i[\cdot][\cdot][l]$ denotes the $l$-th column in $L_3$
  • $SS_i[j][k][l]$ denotes the bit value recorded in bucket $(j, k, l)$, where $i \in \{1, 2, \ldots, N\}$, $j \in \{0, 1, 2, \ldots, p_i - 1\}$, $k \in \{0, 1, 2, \ldots, p_i - 1\}$, and $l \in \{0, 1, 2, \ldots, u_i - 1\}$.
  • $L_1$ and $L_2$ of $SS_i$ are associated with the same hash function, $h_i(x) = ((ax + b) \bmod r) \bmod p_i$, where $i \in \{1, 2, \ldots, N\}$, $r$ is an arbitrary prime number, $a$ ($\neq 0$) and $b$ are randomly selected from the set $\{0, 1, \ldots, r-1\}$, and $p_1, p_2, p_3, \ldots, p_N$ are pairwise coprime numbers chosen around an integer $P$ so as to keep the probability of hash collision within a certain range; they satisfy $p_1 > p_2 > p_3 > \ldots > p_N$.
  • $L_3$ of $SS_i$ is associated with the hash function $h'_i(x) = (a'x + b') \bmod u_i$, where $u_i$ is a prime number near an integer $U$. In an example embodiment, "near" means a difference not greater than 1, 5, 10 or 20 %, or not greater than 1, 5, 10, 20, 50, or 100.
  • $h_i(x)$ of $L_1$ and $L_2$ and $h'_i(x)$ of $L_3$ are data-oriented hash functions that obtain the location index by random hashing.
  • The hash functions associated with $L_1$, $L_2$ and $L_3$ are:
  • The update operation of SuperSketch is used to collect traffic information. Initially, all bits in SuperSketch are set to zero. When a new packet $(S_{IP}, D_{IP}, D_p)$ arrives, each $SS_i$ ($1 \le i \le N$) is updated by setting the bit of the bucket in which the packet is located.
  • The update formula is described as follows:
  • The update process of SuperSketch is described in Algorithm 1 and shown in Fig. 6 (the marked bucket is updated).
  • Packets from a given source IP address are hashed into the same row of $L_1$ in $SS_i$ ($1 \le i \le N$) but may land in different buckets because of differing destination IP addresses or port numbers.
  • Update time: for each $SS_i$, four calculations are needed to update a bucket (lines 6 to 9 in Algorithm 1).
  • The total number of calculations for SS is thus only $4 \times N$.
  • The point estimation operation of SuperSketch returns an approximate estimate of host cardinality for an IP address. Consider a specified source IP address $e$, $e \in E$, and a destination IP address $q$, $q \in Q$, where $E$ and $Q$ denote the sets of all available IP addresses in the network.
  • $DC(e)$ is the mean of the set $\{DC_1(e), DC_2(e), \ldots, DC_N(e)\}$:
  • The estimation bit array of size $u_i$ for $DPC_i(e)$ (with $L_3$ as the row and $L_2$ as the column) is obtained by taking the bitwise OR from the first column to the last column, as shown in Step 3(b) of Fig. 7. By the same method, $DPC(e)$ is estimated as follows:
  • Fig. 8 shows the estimation process of $SC_i(q)$.
  • The process is similar to the estimation process of $DC_i(e)$ and is omitted here.
  • The combination operation of SuperSketch allows a distributed collection of network traffic using SuperSketch, followed by a centralized analysis.
  • The combined SuperSketch holds global network traffic information as if all the network traffic had passed through the same router.
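The structure, update, point estimation and combination operations described in the preceding items, worked through in Python as an added example (not the patent's or Nokia's code). It assumes concrete parameters: $N = 6$ cubes with pairwise coprime $p_i$ near $P = 2048$, prime $u_i$ near $U = 256$, $r = 2^{61} - 1$, and the same $a, b$ shared by all cubes as the formula for $h_i$ indicates. The page says only "probabilistic counting" for the estimator, so linear counting ($n \approx -m \ln(z/m)$ for $z$ zero bits out of $m$) is an assumption, the cubes are stored sparsely for readability, and all traffic is constructed.

```python
import math
import random

MERSENNE_PRIME = (1 << 61) - 1                   # r, shared by every h_i (constructed choice)
P_SIZES = [2053, 2039, 2029, 2027, 2017, 2011]   # p_i: pairwise coprime, p_1 > ... > p_N, near P = 2048
U_SIZES = [257, 251, 241, 239, 233, 229]         # u_i: primes near U = 256


def ip_to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer key."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def linear_count(zero_bits, m):
    """Assumed estimator (linear counting): n ~ -m ln(z/m); a saturated array returns m."""
    return float(m) if zero_bits == 0 else -m * math.log(zero_bits / m)


class SuperSketch:
    """N bit cubes SS_i of p_i x p_i x u_i bits: L1 rows by source IP, L2 columns by destination IP,
    L3 depth by destination port. Stored as dict[j][k] -> bitmask over l; a real collector uses
    fixed-size bit arrays so memory does not grow with traffic."""
    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.a = rng.randrange(1, MERSENNE_PRIME)          # a != 0, shared across all cubes
        self.b = rng.randrange(MERSENNE_PRIME)
        self.a2 = rng.randrange(1, min(U_SIZES))           # a' chosen non-zero modulo every u_i
        self.b2 = rng.randrange(min(U_SIZES))
        self.cubes = [dict() for _ in P_SIZES]

    def h(self, i, x):
        """h_i(x) = ((a x + b) mod r) mod p_i, used for both L1 and L2."""
        return ((self.a * x + self.b) % MERSENNE_PRIME) % P_SIZES[i]

    def h_port(self, i, port):
        """h'_i(x) = (a' x + b') mod u_i, used for L3."""
        return (self.a2 * port + self.b2) % U_SIZES[i]

    def update(self, src_ip, dst_ip, dst_port):
        """Update operation: set bit (j, k, l) in every cube."""
        s, d = ip_to_int(src_ip), ip_to_int(dst_ip)
        for i in range(len(P_SIZES)):
            j, k, l = self.h(i, s), self.h(i, d), self.h_port(i, dst_port)
            row = self.cubes[i].setdefault(j, {})
            row[k] = row.get(k, 0) | (1 << l)

    def destination_cardinality(self, src_ip):
        """DC(e): OR row j over L3 into a p_i-bit array, linear-count it, average over cubes."""
        s = ip_to_int(src_ip)
        ests = [linear_count(p - len(self.cubes[i].get(self.h(i, s), {})), p)
                for i, p in enumerate(P_SIZES)]            # a stored column k has some l bit set
        return sum(ests) / len(ests)

    def destination_port_cardinality(self, src_ip):
        """DPC(e): OR row j across all columns into a u_i-bit array, then linear-count it."""
        s = ip_to_int(src_ip)
        ests = []
        for i, u in enumerate(U_SIZES):
            merged = 0
            for mask in self.cubes[i].get(self.h(i, s), {}).values():
                merged |= mask
            ests.append(linear_count(u - bin(merged).count("1"), u))
        return sum(ests) / len(ests)

    def source_cardinality(self, dst_ip):
        """SC(q): one bit per row that touched column k, linear-counted over the p_i rows."""
        d = ip_to_int(dst_ip)
        ests = [linear_count(p - sum(1 for row in self.cubes[i].values() if self.h(i, d) in row), p)
                for i, p in enumerate(P_SIZES)]
        return sum(ests) / len(ests)

    def combine(self, other):
        """Combination operation: bitwise OR of another sketch built with identical parameters."""
        if (other.a, other.b, other.a2, other.b2) != (self.a, self.b, self.a2, self.b2):
            raise ValueError("sketches must share hash parameters to be combined")
        for i in range(len(P_SIZES)):
            for j, row in other.cubes[i].items():
                mine = self.cubes[i].setdefault(j, {})
                for k, mask in row.items():
                    mine[k] = mine.get(k, 0) | mask


def demo():
    """Constructed traffic (not from the patent): a horizontal scan, a vertical scan, a flood."""
    sk = SuperSketch(seed=7)
    for n in range(40):                                  # 10.0.0.5 touches 40 hosts on port 22
        sk.update("10.0.0.5", f"10.0.1.{n + 1}", 22)
    for port in range(8000, 8030):                       # 10.0.0.6 probes 30 ports on one host
        sk.update("10.0.0.6", "10.0.2.9", port)
    for n in range(50):                                  # 50 distinct sources flood one victim
        sk.update(f"10.0.3.{n + 1}", "10.0.4.1", 80)
    return {"dc_horizontal_scanner": sk.destination_cardinality("10.0.0.5"),
            "dpc_vertical_scanner": sk.destination_port_cardinality("10.0.0.6"),
            "sc_victim": sk.source_cardinality("10.0.4.1"),
            "dc_vertical_scanner": sk.destination_cardinality("10.0.0.6")}


def combination_matches():
    """Two collectors with equal parameters each see half the scan; OR-ing them must equal
    the single-collector sketch bit for bit."""
    full, left, right = SuperSketch(seed=7), SuperSketch(seed=7), SuperSketch(seed=7)
    for n in range(40):
        full.update("10.0.0.5", f"10.0.1.{n + 1}", 22)
        (left if n % 2 else right).update("10.0.0.5", f"10.0.1.{n + 1}", 22)
    left.combine(right)
    return left.cubes == full.cubes
```

The three estimates come out near 40, 30 and 50 for the constructed scanner, port prober and victim while an ordinary host stays near 1, which is the separation a high-cardinality threshold relies on; the combination check shows why the OR works: with identical hash parameters, a bit set at any collector is exactly the bit the single-router view would hold.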
  • The reversible calculation operation aims to reversely recover the set of keys that exhibit abnormal behaviour.
  • Reversibly calculating $S_{IP}$:
  • $N$ marked abnormal rows over SS, denoted $c_1, c_2, \ldots, c_N$.
  • Based on the Chinese Remainder Theorem, $S_{IP}$ can be determined with the following expression:
  • Modular coefficient notation from number theory is used to record the remainders for further row number combination.
  • $v_{DC}$ and $v_{DPC}$ denote the number of zero-bit buckets in the estimation bit array (defined in subsection 5.2).
  • $F1_i$ and $F2_i$ in $L_1$ of $SS_i$ are computed as follows:
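An added example (not the patent's or Nokia's code) of the reversible calculation via the Chinese Remainder Theorem described above. Because all cubes use the same $a$, $b$ and $r$, the marked row $c_i = ((a S_{IP} + b) \bmod r) \bmod p_i$ is a residue of one value $y = (a S_{IP} + b) \bmod r$; when $\prod p_i > r$ the CRT pins $y$ uniquely, and since $r$ is prime, $S_{IP} = (y - b)\, a^{-1} \bmod r$. The parameter values ($r = 2^{61} - 1$, six $p_i$ near 2048) are assumptions; the consistency checks at the end (rejecting $y \ge r$, non-IPv4 results, or candidates that do not hash back onto every row) are the practical guard for rows that belong to different abnormal hosts.

```python
import random
from functools import reduce

MERSENNE_PRIME = (1 << 61) - 1                   # r: prime above 2^32, so no IPv4 address is lost mod r
P_SIZES = [2053, 2039, 2029, 2027, 2017, 2011]   # p_i: pairwise coprime, their product exceeds r


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


class RowHasher:
    """The L1 hash h_i(x) = ((a x + b) mod r) mod p_i with a, b shared by all N cubes."""
    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.a = rng.randrange(1, MERSENNE_PRIME)
        self.b = rng.randrange(MERSENNE_PRIME)

    def row(self, i, x):
        return ((self.a * x + self.b) % MERSENNE_PRIME) % P_SIZES[i]


def crt(residues, moduli):
    """Chinese Remainder Theorem: the unique y mod prod(moduli) with y = residues[i] mod moduli[i]."""
    prod = reduce(lambda x, y: x * y, moduli)
    total = 0
    for c, p in zip(residues, moduli):
        q = prod // p
        total += c * q * pow(q, -1, p)                # pow(q, -1, p): modular inverse (Python 3.8+)
    return total % prod


def recover_source(hasher, marked_rows):
    """Reverse calculation: from the N marked rows c_1..c_N recover S_IP, or None if the rows
    are not consistent with any single address (e.g. they belong to different hosts)."""
    y = crt(marked_rows, P_SIZES)                     # y = (a*S + b) mod r, exact since r < prod(p_i)
    if y >= MERSENNE_PRIME:
        return None
    s = ((y - hasher.b) * pow(hasher.a, -1, MERSENNE_PRIME)) % MERSENNE_PRIME
    if s >= (1 << 32) or any(hasher.row(i, s) != c for i, c in enumerate(marked_rows)):
        return None
    return int_to_ip(s)


def round_trip(ip, seed=3):
    """Hash an address into its N rows (what point estimation would flag), then recover it."""
    hasher = RowHasher(seed)
    rows = [hasher.row(i, ip_to_int(ip)) for i in range(len(P_SIZES))]
    return recover_source(hasher, rows)


def mixed_rows(ip1, ip2, seed=3):
    """Rows flagged for two different abnormal hosts, interleaved: recovery must refuse them."""
    hasher = RowHasher(seed)
    rows = [hasher.row(i, ip_to_int(ip1 if i % 2 == 0 else ip2)) for i in range(len(P_SIZES))]
    return recover_source(hasher, rows)
```

The recovery costs one CRT combination and one modular inverse instead of re-hashing every possible address, which is the exhaustive exploration the page says the operation avoids; if a deployment picked $r < 2^{32}$ or $\prod p_i \le r$, the same code would silently return a wrong address, so those two inequalities are the parameters to check first.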
  • Algorithm 3 Network Anomaly Detection with SuperSketch
  • A high $pro_s$ means that a large amount of malicious traffic has entered the network.
  • Let $Num\_as$ be the number of abnormal source addresses and $Num\_s$ the number of distinct source addresses in a time interval.
  • $Num\_as$ is obtained in the high cardinality host identification and recovery step. Initially, all flags in $SS_1, SS_2, \ldots, SS_{N-1}$ are set to Null. When a packet with a new source address arrives, the flag of the row in $L_1$ where this packet is located is set to an integer. $Num\_s$ can therefore be estimated approximately using the same idea as the probabilistic counting algorithm. The algorithm for calculating $pro_s$ is described below:
  • Algorithm 4 Calculation process of the proportion of abnormal addresses in total addresses
  • $pro_s = Num\_as / Num\_s$
  • The overall security level of the network can be determined based on the following judgements:
  • a network administrator can select a suitable defense mechanisms based on the result of the measurement method.
  • its security level can be measured by aggregating the security levels of its sub-networks as calculated based on the above method.
  • A technical effect of one or more of the example embodiments disclosed herein is the ability to perform real-time and distributed network traffic collection, also in a high-speed network environment, thanks to the use of data-oriented hash functions.
  • Another technical effect of one or more of the example embodiments disclosed herein is that the efficient combination operation enables distributed network traffic collection.
  • Distributed network traffic collection covers more traffic information and outperforms single-point measurement methods in measuring host cardinality.
  • Another technical effect of one or more of the example embodiments disclosed herein is enabling abnormal host addresses to be found, which further enables the network administrator to take proper mitigation actions.
  • Another technical effect of one or more of the example embodiments disclosed herein is enabling identification of super sources and super destinations simultaneously, instead of building separate sketches with different keys.
  • Another technical effect of one or more of the example embodiments disclosed herein is enabling detection of high-rate and low-rate DDoS flooding attacks.
  • Another technical effect of one or more of the example embodiments disclosed herein is versatility, as three dimensions can be used to separately record traffic information about source IP address, destination IP address and destination port. It is further possible to apply three point estimation operations on the recorded traffic, namely Destination Cardinality, Destination Port Cardinality and Source Cardinality.
  • The sketch data structure can be extended to perform more network functions. First, it supports collecting not only packet-level data (excluding packet payload content) and flow-level traffic data but also connection-level traffic data. Second, it can incorporate more traffic features to detect other network anomalies that exhibit
  • Another technical effect of one or more of the example embodiments disclosed herein is providing a general data structure that supports detecting attackers that need to conduct a large number of communications with others.
  • The key can be selected as any source identifier in $L_1$, any destination identifier in $L_2$ and any other identifier in $L_3$.
  • It can be deployed in many network environments to collect data and then perform anomaly detection, such as using SuperSketch in the Internet to constrain worm propagation and bot communications, in a Long Term Evolution (LTE) network to eliminate spam distribution, or in a Wireless Sensor Network (WSN) to prevent the spread of fake information.
  • LTE Long Term Evolution
  • WSN Wireless Sensor Network
  • the network administrator can fuse the measurement results obtained from each sub-network to measure the whole security level of the heterogeneous network.
  • Embodiments of the present invention may be implemented in software, hardware, application logic or a combination of software, hardware and application logic.
  • the application logic, software or an instruction set is maintained on any one of various conventional computer-readable media.
  • a “computer-readable medium” may be any non-transitory media or means that can contain, store, communicate, propagate or transport the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer, with one example of a computer described and depicted in Fig. 3.
  • a computer-readable medium may comprise a computer-readable storage medium that may be any media or means that can contain or store the instructions for use by or in connection with an instruction execution system, apparatus, or device, such as a computer.
  • the different functions discussed herein may be performed in a different order and/or concurrently with each other. Furthermore, if desired, one or more of the before-described functions may be optional or may be combined.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • Computer Hardware Design (AREA)
  • Environmental & Geological Engineering (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Algebra (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

According to the invention, host cardinality is measured in a process that includes applying a multi-dimensional reversible data structure to detect abnormal hosts in a network. Host cardinality is divided into destination cardinality, destination port cardinality and source cardinality. The invention also relates to a corresponding apparatus and computer program, and to a memory storing the computer program.
PCT/CN2019/084693 2019-04-26 2019-04-26 Host cardinality measuring for network anomaly detection WO2020215342A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/084693 WO2020215342A1 (fr) 2019-04-26 2019-04-26 Host cardinality measuring for network anomaly detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/084693 WO2020215342A1 (fr) 2019-04-26 2019-04-26 Host cardinality measuring for network anomaly detection

Publications (1)

Publication Number Publication Date
WO2020215342A1 true WO2020215342A1 (fr) 2020-10-29

Family

ID=72940837

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/084693 WO2020215342A1 (fr) 2019-04-26 2019-04-26 Host cardinality measuring for network anomaly detection

Country Status (1)

Country Link
WO (1) WO2020215342A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8406132B2 (en) * 2008-05-30 2013-03-26 Alcatel Lucent Estimating cardinality distributions in network traffic
US20170250953A1 (en) * 2016-02-26 2017-08-31 Microsoft Technology Licensing, Llc Hybrid hardware-software distributed threat analysis
KR20180065678A (ko) * 2016-12-08 2018-06-18 LG Display Co., Ltd. Display device for external compensation and driving method thereof


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YANG LIU ET AL.: "Identifying High-Cardinality Hosts from Network-Wide Traffic Measurements", IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, vol. 13, no. 5, 16 April 2015 (2015-04-16), XP011621292, DOI: 20200102221020X *

Similar Documents

Publication Publication Date Title
CN106657038B (zh) A network traffic anomaly detection and localization method based on symmetry Sketch
EP3831034B1 (fr) Network traffic analysis method, device and system
US10129270B2 (en) Apparatus, system and method for identifying and mitigating malicious network threats
Ganguly et al. Streaming algorithms for robust, real-time detection of ddos attacks
CN113114694B (zh) A DDoS attack detection method for high-speed network packet-sampling data collection scenarios
US7669241B2 (en) Streaming algorithms for robust, real-time detection of DDoS attacks
Xu et al. ELDA: Towards efficient and lightweight detection of cache pollution attacks in NDN
CN110545291B (zh) Attack packet defense method, multi-core forwarding system and related product
Knockel et al. Counting packets sent between arbitrary internet hosts
CN106302450A (zh) Detection method and device based on malicious addresses in a DDoS attack
Saurabh et al. Linear and remainder packet marking for fast IP traceback
Reviriego et al. Pollution attacks on counting bloom filters for black box adversaries
Basat et al. Volumetric hierarchical heavy hitters
US20180270197A1 (en) Intrusion prevention
WO2020215342A1 (fr) Host cardinality measuring for network anomaly detection
US20230208857A1 (en) Techniques for detecting cyber-attack scanners
US8842690B2 (en) System, method, and media for network traffic measurement on high-speed routers
Chabchoub et al. Improving the detection of on-line vertical port scan in IP traffic
Bellaïche et al. SYN flooding attack detection by TCP handshake anomalies
Zhou et al. Limiting self-propagating malware based on connection failure behavior
Bou-Harb et al. On detecting and clustering distributed cyber scanning
Dashti et al. An efficient sketch-based framework to identify multiple heavy-hitters and its application in DoS detection
Li et al. Towards a high-speed router-based anomaly/intrusion detection system
Priyanka et al. IP Traceback Techniques–A Selective Survey
Subash et al. An enhanced hybrid scheme for IP Traceback

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19926292

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19926292

Country of ref document: EP

Kind code of ref document: A1