In this work we propose an intrusion detection mechanism for high-speed networks based on the characterization of the traffic arrival patterns on connections. The approach complements other traffic characterization schemes well. Its strength lies in the fact that the management of characterization parameters is greatly simplified: we take full advantage of the fact that an application must declare its traffic specification during connection setup if its QoS requirements are to be met. This traffic specification provides the upper bound of the traffic envelope; an additional minimum traffic specification would provide the lower bound. No sophisticated anomaly detector ([6, 10]) is needed to determine whether an intrusion occurred, since the envelope parameters have already been provided during connection setup. For example, if the maximum traffic function of a connection is exceeded, an alert must be triggered to indicate that an intrusion may have taken place and that the system is operating at a higher load than is safe for the given QoS guarantees.
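The following Python sketch is an added illustration of the envelope check described above; it is not the paper's detection device and makes two assumptions of its own: the maximum traffic function and the optional minimum traffic function are each represented as a list of (interval length, cell bound) pairs, and cell timestamps are integers (microseconds) arriving in non-decreasing order. A cell arrival that pushes the count in any declared window above its maximum bound raises an alert; a periodic tick that finds fewer cells than the minimum bound in a window raises one as well. The trace at the bottom is constructed, not measured.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical envelope encoding (an assumption of this example): each entry is
# (interval_length, cell_bound). For the maximum traffic function the meaning is
# "no more than cell_bound cells in any window of interval_length"; for the
# minimum traffic function it is "at least cell_bound cells in any such window".
Envelope = List[Tuple[int, int]]


@dataclass
class Alert:
    connection: str
    time: int
    kind: str          # "max_exceeded" or "min_violated"
    interval: int
    observed: int
    bound: int


class EnvelopeMonitor:
    """Checks one connection's cell arrivals against its declared envelope."""

    def __init__(self, connection: str, f_max: Envelope, f_min: Envelope = ()):
        self.connection = connection
        self.f_max = list(f_max)
        self.f_min = list(f_min)
        # Longest interval we ever look back over; older arrivals can be dropped.
        self.horizon = max((i for i, _ in self.f_max + self.f_min), default=0)
        self.arrivals: deque = deque()   # timestamps still inside some window
        self.start = None                # time of the first cell on this connection

    def _count_in_window(self, now: int, length: int) -> int:
        # Cells that arrived in the half-open window (now - length, now].
        return sum(1 for t in self.arrivals if now - length < t <= now)

    def _expire(self, now: int) -> None:
        # Drop arrivals that can no longer fall inside any declared window.
        while self.arrivals and self.arrivals[0] <= now - self.horizon:
            self.arrivals.popleft()

    def on_cell(self, t: int) -> List[Alert]:
        """Record a cell arrival and test every maximum-traffic bound."""
        if self.start is None:
            self.start = t
        self.arrivals.append(t)
        self._expire(t)
        alerts = []
        for interval, bound in self.f_max:
            observed = self._count_in_window(t, interval)
            if observed > bound:
                alerts.append(Alert(self.connection, t, "max_exceeded",
                                    interval, observed, bound))
        return alerts

    def on_tick(self, now: int) -> List[Alert]:
        """Periodic minimum-traffic check (run once per interval boundary)."""
        self._expire(now)
        alerts = []
        for interval, bound in self.f_min:
            if self.start is None or now - self.start < interval:
                continue   # connection has not existed for a full window yet
            observed = self._count_in_window(now, interval)
            if observed < bound:
                alerts.append(Alert(self.connection, now, "min_violated",
                                    interval, observed, bound))
        return alerts


def monitor_trace(monitor: EnvelopeMonitor, arrivals, ticks) -> List[Alert]:
    """Replay cell arrivals and periodic checks in time order; return all alerts."""
    events = sorted([(t, "cell") for t in arrivals] + [(t, "tick") for t in ticks])
    alerts: List[Alert] = []
    for t, kind in events:
        alerts.extend(monitor.on_cell(t) if kind == "cell" else monitor.on_tick(t))
    return alerts


# Constructed sample trace (not measured data), timestamps in microseconds:
# a conforming stream, then a burst at 2000-2200 us, then silence.
SAMPLE_ARRIVALS = [0, 300, 600, 900, 1200, 1500, 2000, 2050, 2100, 2150, 2200]
SAMPLE_TICKS = [10_000, 25_000]


def demo() -> List[Alert]:
    # Declared envelope: at most 4 cells per 1 ms and 20 cells per 10 ms;
    # at least 2 cells per 10 ms once the connection has been up that long.
    mon = EnvelopeMonitor("vc-1",
                          f_max=[(1_000, 4), (10_000, 20)],
                          f_min=[(10_000, 2)])
    return monitor_trace(mon, SAMPLE_ARRIVALS, SAMPLE_TICKS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On the sample trace the burst produces three max_exceeded alerts (at 2100, 2150 and 2200 us, with 5, 6 and 6 cells in the 1 ms window) and the idle period one min_violated alert at 25 ms. The per-cell window scan is O(n) and is only for illustration; a line-rate implementation would keep one counter per declared interval. Note also what the check cannot do: traffic that stays inside the declared envelope is by construction never flagged, which is exactly the trade-off the text makes by dispensing with a separate anomaly detector.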
Our traffic model, expressed in terms of maximum and minimum traffic functions, gives us a flexible method for formulating the envelope of each connection at an arbitrary point in the network. This allows for targeted deployment of the proposed ATM security devices across the network and for an accurate methodology for determining the envelope parameters of connections.
We have presented a module-level description of a detection device and have shown it to be implementable with currently available off-the-shelf components and custom ASICs at current levels of integration technology. The performance of the device has been evaluated under worst-case network traffic conditions. We have shown that the delay experienced by traffic on existing virtual connections is negligible compared to its expected transit time within the network, and that the performance of the management functions that create and destroy virtual connections does not depend on the rate at which these connections are created and destroyed. The description of its operation makes evident that, under this framework of traffic security enforcement, the full bandwidth of the network remains available to all users for authorized use, and that the delay network cells experience is constant even under sustained peak traffic conditions.
The description of the device's components has concentrated primarily on the mechanisms by which enforcement itself should occur and on how to limit its impact on overall network performance. Many of the larger issues of this method of security enforcement have been glossed over. Foremost among them is the topology and physical architecture of the network over which supervisory control data is transferred between the modules that provide the enforcement and the workstations that keep the operators of the security body apprised of the state of the network. An integral part of this decision is an assessment of exactly which criteria should be used to derive the level of enforcement that the modules designed in this document will be required to perform. On that basis, assessments can be made of the overall bandwidth and worst-case delays that the overlay network must provide in order to offer an interface to the individual enforcement modules that is acceptable from the network management perspective.