
Collaborative Attack Detection in High-Speed Networks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 4696)

Abstract

We present a multi-agent system designed to detect malicious traffic in high-speed networks. To meet the performance requirements imposed by the traffic volume, the network traffic data is acquired by hardware-accelerated probes in NetFlow format and preprocessed before it is handed to the detection agents. The proposed detection algorithm is based on an extension of trust modeling techniques with a representation of uncertain identities, a representation of context, and the implicit assumption that significant traffic anomalies are the result of potentially malicious action. To model the traffic, each of the cooperating agents uses an existing anomaly detection method; the agents' results are then correlated using a reputation mechanism. The output of the detection layer is presented to the operator by a dedicated analyst interface agent, which retrieves additional information to facilitate incident analysis. Our performance results illustrate the potential of combining high-speed hardware with cooperative detection algorithms and an advanced analyst interface.



Editor information

Hans-Dieter Burkhard, Gabriela Lindemann, Rineke Verbrugge, László Zsolt Varga


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

Cite this paper

Rehák, M., Pěchouček, M., Čeleda, P., Krmíček, V., Minařík, P., Medvigy, D. (2007). Collaborative Attack Detection in High-Speed Networks. In: Burkhard, H.D., Lindemann, G., Verbrugge, R., Varga, L.Z. (eds) Multi-Agent Systems and Applications V. CEEMAS 2007. Lecture Notes in Computer Science, vol. 4696. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75254-7_8

  • DOI: https://doi.org/10.1007/978-3-540-75254-7_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75253-0

  • Online ISBN: 978-3-540-75254-7

  • eBook Packages: Computer Science (R0)