Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

  • Martin Drašar
  • Tomáš Jirsík
  • Martin Vizváry
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8508)


The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker’s ability to evade detection.


  1. 1.
    Axelsson, S.: The Base-rate Fallacy and the Difficulty of Intrusion Detection. ACM Trans. Inf. Syst. Secur. 3(3), 186–205 (2000)CrossRefMathSciNetGoogle Scholar
  2. 2.
    Casas, P., Mazel, J., Owezarski, P.: Unsupervised Network Intrusion Detection Systems: Detecting the Unknown without Knowledge. Computer Communications 35(7), 772–783 (2012)CrossRefGoogle Scholar
  3. 3.
    Cormode, G., Muthukrishnan, S.: What’s new: finding significant differences in network data streams. In: Proceedings of the IEEE INFOCOM, vol. 3, pp. 1534–1545 (2004)Google Scholar
  4. 4.
    Drašar, M.: Protocol-Independent Detection of Dictionary Attacks. In: Bauschert, T. (ed.) EUNICE 2013. LNCS, vol. 8115, pp. 304–309. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Fontugne, R., Borgnat, P., Abry, P., Fukuda, K.: MAWILab: Combining Diverse Anomaly Detectors for Automated Anomaly Labeling and Performance Benchmarking. In: Proceedings of the 6th International Conference, Co-NEXT 2010, pp. 8:1–8:12. ACM, New York (2010)Google Scholar
  6. 6.
    François, J., Wang, S., State, R., Engel, T.: BotTrack: Tracking Botnets Using NetFlow and PageRank. In: Domingo-Pascual, J., Manzoni, P., Palazzo, S., Pont, A., Scoglio, C. (eds.) NETWORKING 2011, Part I. LNCS, vol. 6640, pp. 1–14. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    Goldfarb, J.: Identifying Anomalous Network Traffic Through the Use of Client Port Distribution. In: CERT FloCon Workshop, Vancouver, Washington, USA (2006), (January 11, 2014)
  8. 8.
    Hellemons, L., Hendriks, L., Hofstede, R., Sperotto, A., Sadre, R., Pras, A.: SSHCure: A Flow-Based SSH Intrusion Detection System. In: Sadre, R., Novotný, J., Čeleda, P., Waldburger, M., Stiller, B. (eds.) AIMS 2012. LNCS, vol. 7279, pp. 86–97. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Idé, T., Papadimitriou, S., Vlachos, M.: Computing Correlation Anomaly Scores Using Stochastic Nearest Neighbors. In: Proceedings of the IEEE International Conference on Data Mining, pp. 523–528 (2007)Google Scholar
  10. 10.
    Ishibashi, K., Kondoh, T., Harada, S., Mori, T., Kawahara, R., Asano, S.: Detecting Anomalies in Interhosts Communication Graph. In: CERT FloCon Workshop, Scottsdale, Arizona, USA (2009), (accessed January 11, 2014)
  11. 11.
    Krishnamurthy, B., Sen, S., Zhang, Y., Chen, Y.: Sketch-based Change Detection: Methods, Evaluation, and Applications. In: Proceedings of the 3rd ACM SIGCOMM, IMC 2003, pp. 234–247. ACM, New York (2003)Google Scholar
  12. 12.
    Network Systems Lab. Opensketch (2013),
  13. 13.
    Li, A., Han, Y., Zhou, B., Han, W., Jia, Y.: Detecting Hidden Anomalies Using Sketch for High-speed Network Data Stream Monitoring. Applied Mathematics and Information Sciences 6(3), 759–765 (2012)Google Scholar
  14. 14.
    Mahimkar, A., Lall, A., Wang, J., Xu, J., Yates, J., Zhao, Q.: SYNERGY: Detecting and Diagnosing Correlated Network Anomalies, (accessed January 11, 2014)
  15. 15.
    IEEE 802.3 Ethernet Working Group. IEEE 802.3TM Industry Connections Ethernet Bandwidth Assessment (July 2012),
  16. 16.
    Synmatec Corporation. Internet Security Threat Report 2013 (April 2013),
  17. 17.
    Schweller, R., Chen, Y., Parsons, E., Gupta, A., Memik, G., Zhang, Y.: Reverse Hashing for Sketch-based Change Detection on High-speed Networks. Technical report, Proceedings of the INFOCOM (2004)Google Scholar
  18. 18.
    Schweller, R., Gupta, A., Parsons, E., Chen, Y.: Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams. In: Proceedings of the 4th ACM SIGCOMM, IMC 2004, pp. 207–212. ACM, New York (2004)Google Scholar
  19. 19.
    Vykopal, J.: A Flow-Level Taxonomy and Prevalence of Brute Force Attacks. In: Abraham, A., Lloret Mauri, J., Buford, J.F., Suzuki, J., Thampi, S.M. (eds.) ACC 2011, Part II. CCIS, vol. 191, pp. 666–675. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Vykopal, J., Drašar, M., Winter, P.: Flow-based Brute-force Attack Detection, pp. 41–51. Fraunhofer Research Institution AISEC, Garching near Muenchen (2013)Google Scholar
  21. 21.
    Yan, R., Shao, C.: Hierarchical Method for Anomaly Detection and Attack Identification in High-speed Network. Information Technology Journal 11(9), 1243–1250 (2012)Google Scholar
  22. 22.
    Zhang, Y., Singh, S., Sen, S., Duffield, N., Lund, C.: Online Identification of Hierarchical Heavy Hitters: Algorithms, Evaluation, and Applications. In: Proceedings of the 4th ACM SIGCOMM, IMC 2004, pp. 101–114. ACM, New York (2004)Google Scholar

Copyright information

© International Federation for Information Processing 2014

Authors and Affiliations

  • Martin Drašar
    • 1
  • Tomáš Jirsík
    • 1
  • Martin Vizváry
    • 1
  1. 1.Institute of Computer ScienceMasaryk UniversityBrnoCzech Republic

Personalised recommendations