CCS Labs, Distributed Embedded Systems
Falko Dressler
Intrusion Detection in High-Speed Networks: From Packets to Flows and Back

Network Monitoring

- Observing network traffic for:
  - Analysis (performance, statistics, troubleshooting, accounting)
  - Intrusion detection
  - Attack prevention
  - ...

[Figure: a monitoring point observing the bit stream between the local network and the Internet]

Intrusion Detection

Placement of a Network Intrusion Detection System

[Figure: three possible NIDS positions in a network with an Internet uplink, a DMZ and a corporate LAN]

- At the Internet uplink:
  - Monitors all incoming traffic
  - High load
  - High rate of false alarms
- In the DMZ:
  - Monitors all traffic to and from systems in the DMZ
  - Reduced amount of data
  - Can only detect intrusions on these computers
- In the corporate LAN:
  - Monitors all traffic within the corporate LAN
  - Possible detection of misuse by insiders
  - Possible detection of intrusion via mobile machines (notebooks, ...)

Network Intrusion Detection Systems (IDS)

- Analyze network traffic for malicious activity
- Anomaly-based IDS
  - Have a model of 'normal' traffic
  - Detect and alert on deviations from 'normal' traffic
  - (+) all sorts of attacks
  - (−) higher false positive rate
- Signature-based IDS
  - Have a rule set of known attacks and incidents
  - If a packet/stream satisfies a rule, an alarm is triggered
  - (+) low false positive rate
  - (−) no novel attacks
  - Example: Snort

Signature-based IDS: Snort

- Signature analysis is very performance hungry:
  1. Decoding of packets
  2. Preprocessing data
  3. Detection phase
- Snort with 5000 rules can handle 130k pkts/s

[Figure: a switch forwards packets to Snort, which loads signatures from a rule file, processes the packets in three stages (1. Decoding, 2. Preprocessors, 3. Detection) and writes alerts to an event file]

Signature-based IDS: Snort

- Mainly signature based; each intrusion needs a predefined rule:

  alert tcp $HOME_NET any -> any 9996 \
      (msg:"Sasser ftp script to transfer up.exe"; \
      content:"|5F75702E657865|"; depth:250; flags:A+; \
      classtype:misc-activity; sid:1000000; rev:3;)

  (The hex content |5F 75 70 2E 65 78 65| is the ASCII string "_up.exe".)

- Three-step processing of captured information (capturing is done by libpcap):
  - Preprocessing (normalized and reassembled packets)
  - The detection engine works on the data and decides what action should be taken
  - The action is taken (log, alert, pass)

Signature-based IDS: Snort

- Rule processing

From Packets to Flows

Flow-based Traffic Analysis

- Flows are "condensed" network traffic data
- Packets with the same properties go into the same flow
- IPFIX is supported by most industry-grade switches
- Flow fields are configurable

IPFIX: IP Flow Information Export

- Example IPFIX flow record:
  +--- Ipfix Data Record (id=999)
  '- sourceIPv4Address :10.0.2.15
  '- destinationIPv4Address :93.184.216.34
  '- sourceTransportPort :50488
  '- destinationTransportPort :80
  '- packetTotalCount :13
  '- octetDeltaCount :2304
  +---
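
As an added illustration of the two slides above (written for this page; it is not code from the talk or from any flow exporter), the following Python groups constructed packet observations into IPFIX-style flow records keyed by a configurable set of fields, renders a record in the tree layout shown on the slide, and estimates how much smaller the exported records are than the raw packets an IDS would otherwise have to decode. The packet list, the per-record size constant and the use of IANA element names as dictionary keys are assumptions of this example.

```python
# Constructed packet observations (src_ip, dst_ip, src_port, dst_port, proto, octets):
# one HTTP exchange on client port 50488, a second connection on 50489, one DNS lookup.
PACKETS = [
    ("10.0.2.15", "93.184.216.34", 50488, 80, 6, 74),
    ("10.0.2.15", "93.184.216.34", 50488, 80, 6, 66),
    ("10.0.2.15", "93.184.216.34", 50488, 80, 6, 420),
    ("10.0.2.15", "93.184.216.34", 50488, 80, 6, 66),
    ("93.184.216.34", "10.0.2.15", 80, 50488, 6, 74),
    ("93.184.216.34", "10.0.2.15", 80, 50488, 6, 66),
    ("93.184.216.34", "10.0.2.15", 80, 50488, 6, 1514),
    ("93.184.216.34", "10.0.2.15", 80, 50488, 6, 1514),
    ("93.184.216.34", "10.0.2.15", 80, 50488, 6, 830),
    ("10.0.2.15", "93.184.216.34", 50489, 80, 6, 74),
    ("10.0.2.15", "93.184.216.34", 50489, 80, 6, 66),
    ("10.0.2.15", "10.0.2.3", 41000, 53, 17, 73),
    ("10.0.2.3", "10.0.2.15", 53, 41000, 17, 89),
]

# IPFIX lets the exporter choose which fields form the flow key ("flow fields are
# configurable"); this is the classic 5-tuple, named with the IANA element names.
FIVE_TUPLE = ("sourceIPv4Address", "destinationIPv4Address", "sourceTransportPort",
              "destinationTransportPort", "protocolIdentifier")

# Assumed export size per record: the fixed lengths of the elements used here
# (4+4+2+2+1 key bytes plus two unsigned64 counters), ignoring message/set headers.
RECORD_BYTES = 4 + 4 + 2 + 2 + 1 + 8 + 8


def aggregate_flows(packets, key_fields=FIVE_TUPLE):
    """Put packets with identical key-field values into one flow record and
    accumulate packetTotalCount and octetDeltaCount, as in the slide's record."""
    flows = {}
    for src, dst, sport, dport, proto, octets in packets:
        fields = {"sourceIPv4Address": src, "destinationIPv4Address": dst,
                  "sourceTransportPort": sport, "destinationTransportPort": dport,
                  "protocolIdentifier": proto}
        key = tuple(fields[f] for f in key_fields)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = {f: fields[f] for f in key_fields}
            rec.update(packetTotalCount=0, octetDeltaCount=0)
        rec["packetTotalCount"] += 1
        rec["octetDeltaCount"] += octets
    return list(flows.values())


def export_ratio(packets, flows):
    """Bytes of flow export an IDS must read, divided by the raw packet bytes a
    packet-based IDS would have to decode for the same traffic."""
    raw_bytes = sum(p[5] for p in packets)
    return len(flows) * RECORD_BYTES / raw_bytes


def render_record(rec, record_id=999):
    """Render a record in the tree layout the slides use."""
    lines = [f"+--- Ipfix Data Record (id={record_id})"]
    lines += [f"  '- {name} :{value}" for name, value in rec.items()]
    return "\n".join(lines + ["+---"])


if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    for rec in flows:
        print(render_record(rec))
    print(f"{len(PACKETS)} packets -> {len(flows)} flows, "
          f"export/raw volume = {export_ratio(PACKETS, flows):.2%}")
    # Coarser key (addresses only): the two connections to the web server merge.
    by_pair = aggregate_flows(PACKETS, ("sourceIPv4Address", "destinationIPv4Address"))
    print(len(by_pair), "flows when keyed by address pair")
```

The ratio this toy computes is only a lower bound on what a real exporter emits (templates, message headers and timestamps add bytes), but it shows why a flow-based detector sees a small fraction of the packet volume: per-packet headers and payloads collapse into a handful of counters per flow.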

Flow-based IDS

Signature-based Intrusion Detection on IPFIX Flows

- IPFIX flow:
  +--- Ipfix Data Record (id=999)
  '- sourceIPv4Address
  '- destinationIPv4Address
  '- sourceTransportPort
  '- destinationTransportPort
  '- packetTotalCount
  '- octetDeltaCount
  +---
- Snort rule:
  alert tcp any any -> any any \
      (msg:"Example Alert"; \
      content:"GET"; http_method; \
      content:"/evil.jpg"; http_uri; \
      sid:1234567; rev:0;)

Problem: there is no application-layer information in IPFIX flows, so the http_method and http_uri conditions of the rule cannot be evaluated on such a record.

IPFIX and HTTP

- IPFIX flow record with HTTP data:
  +--- Ipfix Data Record (id=999)
  '- sourceIPv4Address :10.0.2.15
  '- destinationIPv4Address :93.184.216.34
  '- sourceTransportPort :50488
  '- destinationTransportPort :80
  '- httpRequestMethod :'GET'
  '- httpRequestTarget :'/images/logo.png'
  '- httpMessageVersion :'HTTP/1.0'
  '- httpRequestHost :'example.com'
  +---
- The IPFIX HTTP fields are now standardized with IANA

Signature-based Intrusion Detection on IPFIX Flows

- IPFIX flow:
  +--- Ipfix Data Record (id=999)
  +- ...
  '- sourceIPv4Address
  '- httpRequestMethod :'GET'
  '- httpRequestTarget :'/evil.jpg'
  '- httpMessageVersion :'HTTP/1.1'
  '- httpRequestHost :'bad.com'
  +---
- Snort rule:
  alert tcp any any -> any any \
      (msg:"Example Alert"; \
      content:"GET"; http_method; \
      content:"/evil.jpg"; http_uri; \
      sid:1234567; rev:0;)

With the HTTP fields present, the rule's http_method and http_uri conditions can be checked directly against httpRequestMethod and httpRequestTarget, so the rule matches this flow.

FIXIDS

- IPFIX-based signature-based intrusion detection system
  - Signature-based intrusion detection (using Snort signatures)
  - on IPFIX flows (using the standardized HTTP IPFIX fields)

[Figure: packets enter a flow exporter, which sends IPFIX flows to FIXIDS; FIXIDS loads signatures from a rule file and writes alerts to an event file]

Traditional Signature IDS (Snort) vs. FIXIDS

- FIXIDS receives IPFIX flows from a flow exporting device (e.g., a switch)
- Snort receives packets from a switch

[Figure: Snort processes packets in three stages (1. Decoding, 2. Preprocessors, 3. Detection); FIXIDS processes flows in a single stage (1. Detection)]

FIXIDS has to handle less than 0.5% of the data volume of Snort.

Performance

Evaluation: Experiment Setup

- Compare the results of Snort and FIXIDS analyzing the same traffic, using the same signatures
- Replayed with increasing speed

[Figure: the trace is replayed as packets into NIC 1 of the Snort host and into NIC 1 of a flow exporter, whose NIC 2 delivers IPFIX flows to FIXIDS]

Evaluation: Results

- Snort vs. FIXIDS: same traffic, same signatures
- Replayed with increasing speed

[Plots, x-axis: Raw Network Traffic (0 to 10 Gbit/s), y-axis: 0 to 100 %: (1) Packets Dropped, Snort; (2) Events Detected, Snort; (3) Events Detected, Snort and FIXIDS; (4) Packets/Flows Dropped, Snort and FIXIDS]

Evaluation: Results

- FIXIDS:
  - 6 Gbit/s (14000 flows/s): 0% drops
  - 9.5 Gbit/s (22000 flows/s): 40% drops
- Snort:
  - 2 Gbit/s (136k pkts/s): 0% drops
  - 9.5 Gbit/s: >70% drops

[Plots, x-axis: Raw Network Traffic (0 to 10 Gbit/s), y-axis: 0 to 100 %: Events Detected and Packets/Flows Dropped, Snort and FIXIDS]

Testing IDS

How to test a NIDS?

- Real traffic?
  - hard to get
  - public traces: old, no payload
  - contain only very few attacks
- Manually creating attack traffic?
  - time intensive
  - cumbersome
- In general, traces do not contain enough unique attacks

GENESIDS

- Generating Events for Signature-based Intrusion Detection Systems
- INPUT: set of attack descriptions
  - Snort syntax
  - HTTP attacks
- OUTPUT: stateful network traffic containing the attack patterns
  - One flow per attack
  - Annotated with an attack ID

Rule example

  alert tcp any any -> any any \
      (msg:"This is an example rule"; \
      content:"POST"; http_method; \
      uricontent:"|2F|evil.jpg"; \
      pcre:"/AttackBody-V[0-9].*/P"; \
      sid:1234567; rev:0;)

- genesids -f example.rule -s example.com
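
Added worked example, written for this page (it is not the code of FIXIDS, GENESIDS or Snort), that covers two passages at once: the question on the "Signature-based Intrusion Detection on IPFIX Flows" slides of whether a Snort HTTP rule can be evaluated against an IPFIX record, and the GENESIDS idea of deriving one attack request from a rule. It parses the two rules from the slides, checks them against constructed flow records with and without the HTTP fields, builds one request that satisfies the GENESIDS example rule and verifies that request against the rule. The rule subset handled (content with http_method/http_uri, uricontent, pcre with the /P flag), the "body" and "payload" field names, the toy regex inversion and the sample records are assumptions of this example.

```python
import re

# Snort HTTP content modifiers mapped to the IANA-registered IPFIX information
# elements from the "IPFIX and HTTP" slide. "body" (what pcre's /P flag inspects)
# and "payload" (raw packet payload) are assumed keys that IPFIX records do not carry.
MODIFIER_TO_FIELD = {"http_method": "httpRequestMethod", "http_uri": "httpRequestTarget"}


def decode_content(value):
    """Expand Snort |hex| escapes: "|2F|evil.jpg" -> "/evil.jpg"."""
    return re.sub(r"\|([0-9A-Fa-f ]+)\|",
                  lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"), value)


def parse_rule(rule_text):
    """Split a rule into header and ordered (keyword, value) options.
    Simplification: option values must not contain ';' (true for the slides' rules)."""
    header, _, body = rule_text.partition("(")
    options = []
    for opt in body.rsplit(")", 1)[0].split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return header.strip(), options


def rule_constraints(options):
    """Map options to per-field checks {field: [("substr", s) | ("regex", r)]}:
    content binds to the HTTP field named by the modifier that follows it,
    uricontent to the request target, pcre with /P to the request body."""
    items = []
    for key, val in options:
        if key == "content":
            items.append(["payload", "substr", decode_content(val)])
        elif key == "uricontent":
            items.append(["httpRequestTarget", "substr", decode_content(val)])
        elif key in MODIFIER_TO_FIELD and items and items[-1][1] == "substr":
            items[-1][0] = MODIFIER_TO_FIELD[key]
        elif key == "pcre":
            pattern, flags = val[1:].rsplit("/", 1)
            items.append(["body" if "P" in flags else "payload", "regex", pattern])
    constraints = {}
    for field, kind, value in items:
        constraints.setdefault(field, []).append((kind, value))
    return constraints


def match_record(constraints, record):
    """FIXIDS-style check of a rule against a dict of IPFIX fields. Returns
    (matched, missing_fields): a rule that needs fields the record lacks can
    never fire, which is the situation for plain flow records without HTTP data."""
    missing = [field for field in constraints if field not in record]
    if missing:
        return False, missing
    for field, checks in constraints.items():
        for kind, value in checks:
            hit = value in record[field] if kind == "substr" else re.search(value, record[field])
            if not hit:
                return False, []
    return True, []


def invert_regex(pattern):
    """Toy regex inversion, enough for AttackBody-V[0-9].*: keep the first member of
    each character class, drop .* and turn .+ into one character. A stand-in for
    what GENESIDS does, not its algorithm."""
    return re.sub(r"\[([^\]])[^\]]*\]", r"\1", pattern).replace(".*", "").replace(".+", "x")


def generate_request(constraints, host):
    """Build one HTTP request satisfying the rule (GENESIDS: one flow per rule).
    Fields the rule does not constrain get constructed defaults."""
    def satisfy(field, default):
        parts = [v if k == "substr" else invert_regex(v) for k, v in constraints.get(field, [])]
        return "".join(parts) or default
    return {"httpRequestMethod": satisfy("httpRequestMethod", "GET"),
            "httpRequestTarget": satisfy("httpRequestTarget", "/"),
            "httpMessageVersion": "HTTP/1.1", "httpRequestHost": host,
            "body": satisfy("body", "")}


def to_wire(request):
    """Serialize the generated request as it would be sent over the TCP connection."""
    body = request["body"].encode()
    head = (f"{request['httpRequestMethod']} {request['httpRequestTarget']} "
            f"{request['httpMessageVersion']}\r\nHost: {request['httpRequestHost']}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# The two rules from the slides, each on one line.
RULE_HTTP_GET = ('alert tcp any any -> any any (msg:"Example Alert"; content:"GET"; http_method; '
                 'content:"/evil.jpg"; http_uri; sid:1234567; rev:0;)')
RULE_GENESIDS = ('alert tcp any any -> any any (msg:"This is an example rule"; content:"POST"; '
                 'http_method; uricontent:"|2F|evil.jpg"; pcre:"/AttackBody-V[0-9].*/P"; '
                 'sid:1234567; rev:0;)')

# Constructed flow records: without HTTP fields and with them (values from the slides).
FLOW_PLAIN = {"sourceIPv4Address": "10.0.2.15", "destinationIPv4Address": "93.184.216.34",
              "sourceTransportPort": 50488, "destinationTransportPort": 80,
              "packetTotalCount": 13, "octetDeltaCount": 2304}
FLOW_HTTP = dict(FLOW_PLAIN, httpRequestMethod="GET", httpRequestTarget="/evil.jpg",
                 httpMessageVersion="HTTP/1.1", httpRequestHost="bad.com")
```

Two things worth noticing when running it: `match_record` on the GENESIDS rule reports `body` as a missing field even for the record with HTTP data, because the standardized IPFIX HTTP elements describe the request line and headers, not the message body, so a flow-based detector can apply only part of such a rule; and `decode_content("|5F75702E657865|")` yields the `_up.exe` string from the Sasser rule earlier in the talk, which is why hex content decoding is the first thing any rule front end needs.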

GENESIDS Evaluation: Goals & Rules

- Ability to generate a variety of different attacks
  - Generated attacks trigger the expected event
- All supported Snort rules from:
  - Snort.org subscriber rule set
  - Snort.org community rule set
  - Emerging Threats rule set
  - TOTAL: 8101 different rules

GENESIDS Evaluation Steps

[Figure: Step 1: GENESIDS reads the rules (signatures) and opens a TCP connection to an HTTP server; tcpdump records the exchange as a network trace. Step 2: Snort reads the same rules and the recorded network trace and produces alerts]

Evaluation Results: Generated Attacks

- GENESIDS: 8101 attacks generated (out of 8101 rules)
- Snort: 7877 (avg) true positive alerts triggered (out of 8101)
- Snort: 2847 (avg) false positive alerts triggered (62% triggered by 3 rules)
- Snort: 223 (avg) false negatives (generated attacks that did not trigger the corresponding alert)

[Plots, x-axis: Experiment Run (0 to 100), y-axis: Attacks (100 to 10000, log scale, and 0 to 10000, linear): Attacks Sent, Snort True Pos. Alerts, Snort False Pos. Alerts, Snort False Negatives]
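
Added example, written for this page (not GENESIDS's own evaluation code), of how the true positive, false positive and false negative counts above can be derived once every generated flow is annotated with the sid of the rule it came from: each Snort alert is attributed to the flow it fired on and compared with that flow's annotation, and the false positives are then broken down by rule to find the few rules that dominate them. The flow ids, sids and alert log are constructed, and the scoring definition (an alert is a true positive only if its sid is the one annotated on that flow) is this example's assumption about the methodology.

```python
from collections import Counter

# Constructed ground truth in the GENESIDS output format: one flow per attack,
# annotated with the sid of the rule it was generated from (flow_id -> sid).
ATTACKS_SENT = {1: 1000001, 2: 1000002, 3: 1000003, 4: 1000004, 5: 1000005, 6: 1000006}

# Constructed Snort alert log for the replayed trace, as (flow_id, sid) pairs.
ALERTS = [
    (1, 1000001), (2, 1000002), (3, 1000003), (5, 1000005),  # the expected alerts
    (1, 2000001), (2, 2000001), (3, 2000001), (4, 2000001),  # one rule fires on everything
    (5, 2000002), (6, 2000003),                              # other incidental alerts
]


def score_run(attacks_sent, alerts):
    """Classify alerts: a true positive is an alert whose sid is the one annotated
    on that flow, anything else is a false positive, and an attack whose own sid
    never fired on its flow is a false negative. Repeated identical alerts on one
    flow count once as a true positive."""
    expected = set(attacks_sent.items())
    true_pos = {(flow, sid) for flow, sid in alerts if (flow, sid) in expected}
    false_pos = [(flow, sid) for flow, sid in alerts if (flow, sid) not in expected]
    missed = {flow: sid for flow, sid in attacks_sent.items() if (flow, sid) not in true_pos}
    return {"true_positives": len(true_pos), "false_positives": len(false_pos),
            "false_negatives": len(missed), "missed": missed}


def false_positive_share(attacks_sent, alerts, top_n=3):
    """Which rules produce the false positives? Returns the top_n (sid, count)
    pairs and the fraction of all false positives they account for (the slide
    reports 62% of the false positives coming from 3 rules)."""
    expected = set(attacks_sent.items())
    by_sid = Counter(sid for flow, sid in alerts if (flow, sid) not in expected)
    top = by_sid.most_common(top_n)
    total = sum(by_sid.values())
    return top, (sum(n for _, n in top) / total if total else 0.0)


def average_runs(results):
    """Average the per-run counters over repeated experiment runs, as the slide's
    (avg) figures do."""
    keys = ("true_positives", "false_positives", "false_negatives")
    return {k: sum(r[k] for r in results) / len(results) for k in keys}


if __name__ == "__main__":
    run = score_run(ATTACKS_SENT, ALERTS)
    print(run)
    print(false_positive_share(ATTACKS_SENT, ALERTS, top_n=1))
    print(average_runs([run, run]))
```

The per-rule breakdown is the part a practitioner actually acts on: a handful of over-broad rules producing most of the false positives is a tuning problem with those rules, not evidence that signature detection as such is noisy.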

Open Challenges

Network Monitoring on Encrypted Traffic

[Figure: an end-to-end encrypted connection is terminated at an interception proxy so that traffic analysis can inspect the decrypted bit stream; very performance intensive]

Passive Monitoring on Encrypted Traffic

- Using statistical properties and machine learning
  - Only categorization is possible (e.g., by application)
- How to passively detect malware (communication) in encrypted traffic?
  - More general: how to foster strong encryption without sacrificing intrusion detection accuracy?

[Figure: traffic analysis observing the bit stream of an end-to-end encrypted connection without interception]

Where to Look for Attacks

DFG Project PANDA

PANDA – Precise Attack Detection for Network Domains by Application Classification

Conclusion

- Network monitoring and IDS
  - Fundamental parts of every modern security solution
  - Flexible packet-based analysis is just too slow
- Flow-based approaches
  - Now standardized by IETF and IANA
  - FIXIDS builds directly upon this
- Unsolved so far
  - Evaluation of encrypted traffic
  - Optimal placement of probes in larger networks
- ... as can be seen, there are many open challenges and questions for another decade of interesting research :-)

We are hiring! PhD positions available in Paderborn