Towards Online Flow-level Anomaly/Intrusion Detection System for High-speed Networks
Traffic anomalies and attacks are commonplace in today's networks, and identifying them rapidly and accurately is critical for large network operators. We propose a High-speed Router-based Anomaly and Intrusion Detection system, HRAID, leveraging recent work on data streaming computation and in particular on sketches. We analyze the attributes in TCP/IP headers and select an optimal small set of metrics for flow-level, sketch-based traffic monitoring and intrusion detection. To overcome the limitations of existing single-dimensional sketches, we design efficient two-dimensional sketches that further distinguish different types of attacks for mitigation.
We further propose several heuristics to reduce false positives in SYN flooding detection. Simulation with several router traces shows that HRAID is highly accurate and efficient, uses very little memory, and can effectively detect multiple types of attacks simultaneously. In addition, we compare HRAID with other state-of-the-art detection schemes and validate the attacks detected.
To the best of our knowledge, HRAID is the first online flow-level anomaly/intrusion detection system for high-speed networks, even for the worst-case traffic of 40-byte-packet streams in which each packet forms its own flow.
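The abstract describes sketch-based flow-level monitoring and SYN flooding detection in general terms. The following is an added illustration, not HRAID's code and not the authors' metric set: it implements a k-ary sketch (a fixed-size array of hashed signed counters, read back by a median over hash rows) and uses it to track, per destination, the difference between SYNs received and SYN/ACKs sent. That single metric, the counter sizes, the detection threshold and the packet stream are all assumptions constructed for the example; the page's two-dimensional sketches and false-positive heuristics are not reproduced. The constructed stream mixes completed handshakes with a burst of unanswered SYNs from spoofed sources, the "each packet forms its own flow" case the abstract names, and the sketch's memory stays at rows times buckets counters regardless of how many flows appear.

```python
"""k-ary sketch flow monitor: an added toy SYN-flood detector (not HRAID's code)."""
import hashlib
import random
from statistics import median


class KArySketch:
    """A k-ary sketch: `rows` independent hash rows of `buckets` signed counters.

    update() adds a signed value to one bucket per row; estimate() recovers a
    key's accumulated value as the median over rows of the bias-corrected
    bucket counts, so a collision in a minority of rows is tolerated.
    """

    def __init__(self, rows: int = 5, buckets: int = 1024) -> None:
        self.rows, self.buckets = rows, buckets
        self.table = [[0] * buckets for _ in range(rows)]
        self.total = 0  # sum of all updates, needed for the bias correction

    def _bucket(self, row: int, key: str) -> int:
        # One independently keyed hash per row; the row index serves as salt.
        d = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([row])).digest()
        return int.from_bytes(d, "big") % self.buckets

    def update(self, key: str, delta: int) -> None:
        self.total += delta
        for r in range(self.rows):
            self.table[r][self._bucket(r, key)] += delta

    def estimate(self, key: str) -> float:
        # Standard k-ary estimator: subtract the expected share of the total
        # that lands in any bucket, rescale, then take the median over rows.
        k = self.buckets
        ests = [(self.table[r][self._bucket(r, key)] - self.total / k) / (1 - 1 / k)
                for r in range(self.rows)]
        return median(ests)


SYN, SYNACK = "S", "SA"  # TCP flag labels used by the constructed stream


def build_sample_stream(seed: int = 7) -> list:
    """Constructed packets as (src, dst, flags): benign handshakes plus a flood."""
    rng = random.Random(seed)
    pkts = []
    for i in range(200):  # 200 completed handshakes spread over 20 servers
        client, server = f"192.168.1.{i % 50 + 1}", f"10.0.0.{i % 20 + 1}"
        pkts.append((client, server, SYN))
        pkts.append((server, client, SYNACK))
    for _ in range(300):  # 300 SYNs from spoofed sources that are never answered
        spoofed = f"172.16.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        pkts.append((spoofed, "10.0.0.99", SYN))
    rng.shuffle(pkts)
    return pkts


def detect_syn_flood(pkts, threshold: int, rows: int = 5, buckets: int = 1024):
    """Return destinations whose estimated (#SYN received - #SYN/ACK sent) exceeds threshold."""
    sketch = KArySketch(rows, buckets)
    candidates = set()
    for src, dst, flags in pkts:
        if flags == SYN:        # a SYN toward dst opens a half-open connection there
            sketch.update(dst, +1)
            candidates.add(dst)
        elif flags == SYNACK:   # a SYN/ACK sent by src answers one of its SYNs
            sketch.update(src, -1)
    # A plain sketch is not reversible; here the candidate keys are simply the
    # destinations observed, which is a simplification made for the example.
    return sorted(d for d in candidates if sketch.estimate(d) > threshold)


if __name__ == "__main__":
    stream = build_sample_stream()
    print("flagged destinations:", detect_syn_flood(stream, threshold=50))
```

Benign servers accumulate roughly zero because every SYN they receive is matched by a SYN/ACK they send, so their estimates sit near the small negative bias term, while the flooded destination's estimate recovers the full count of unanswered SYNs. The threshold is the knob a deployment would have to tune against its own traces, since the page's heuristics for trimming false positives are not reproduced here.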
author = {Yan Chen},
title = {Towards Online Flow-level {Anomaly/Intrusion} Detection System for High-speed Networks},
year = {2005},
address = {Baltimore, MD},
publisher = {USENIX Association},
month = jul
}