Towards a High-Speed Router-Based Anomaly/Intrusion Detection System

Traffic anomalies and attacks are commonplace in today's networks, and identifying them rapidly and accurately is critical for large networks. With the rapid growth of network bandwidth and fast emergence of new attacks/worms, existing network Intrusion Detection Systems (IDS) are insufficient for the following two reasons. First, they are mostly host-based or located on low-end routers, and not scalable to high-speed networks. However, it is crucial to identify fast propagation of worms in their early phases, which can only possibly be achieved by detection at high speed edge/backbone routers instead of at end hosts. Unfortunately, the existing schemes are not scalable to the link speeds and number of flows for high-speed networks.