A DoS Resilient Flow-Level Intrusion Detection Approach for High-Speed Networks
Source: Northwestern University
Global-scale attacks such as viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways rather than at end hosts. This paper leverages data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND is scalable to flow-level detection on high-speed networks; HiFIND is DoS resilient; HiFIND can distinguish SYN flooding from various port scans (mostly used for worm propagation) for effective mitigation; HiFIND enables aggregate detection over multiple routers/gateways; and HiFIND separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties.