Authors: | Thomas Dübendorfer, Arno Wagner, Bernhard Plattner |
Group: | Communication Systems |
Type: | Inproceedings |
Title: | A Framework for Real-Time Worm Attack Detection and Backbone Monitoring |
Year: | 2005 |
Month: | November |
Pub-Key: | upframe05 |
Book Title: | Proceedings of the First IEEE International Workshop on Critical Infrastructure Protection (IWCIP 2005) |
Publisher: | IEEE |
Abstract: | We developed an open source Internet backbone monitoring and traffic analysis framework named UPFrame. It captures UDP NetFlow packets, buffers them in shared memory and feeds them to customised plug-ins. UPFrame is highly tolerant of misbehaving plug-ins and provides a watchdog mechanism for restarting crashed plug-ins, which makes it an ideal platform for experiments. It also features a traffic shaper for smoothing incoming traffic bursts. Using this framework, we have investigated IDS-like anomaly detection possibilities for high-speed Internet backbone networks. We have implemented several plug-ins for host behaviour classification, traffic activity pattern recognition and traffic monitoring. We successfully detected the recent Blaster, Nachi and Witty worm outbreaks in a medium-sized Swiss Internet backbone (AS559) using border router NetFlow data captured in the DDoSVax project. The framework is efficient and robust and can complement traditional intrusion detection systems. |
Location: | Darmstadt, Germany |
Resources: | [BibTeX] [Paper as PDF] |
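The pipeline the abstract describes (NetFlow capture, buffering, dispatch to plug-ins, watchdog restart of crashed plug-ins, a host-behaviour classifier) as an added Python sketch. This is not code from the paper or from UPFrame itself. It assumes NetFlow v5 as the export format (the abstract names no version), models a plug-in as a class with a `process()` method and the watchdog as in-process re-instantiation with a restart cap (UPFrame's shared-memory buffer and separate plug-in processes are not reproduced), and uses a hypothetical `FanOutClassifier` plug-in that flags a source opening tiny flows to many destinations on one port; the threshold of 20 and all flow records are constructed for the demo.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format (assumed export version; the paper does not name one):
# 24-byte header followed by up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 UDP payload into a list of flow dicts.

    Malformed input raises ValueError so the capture loop can drop the
    datagram instead of letting a bad exporter crash the framework."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(rec[0])),
            "dst": str(ipaddress.IPv4Address(rec[1])),
            "packets": rec[5], "bytes": rec[6],
            "sport": rec[9], "dport": rec[10], "proto": rec[13],
        })
    return flows


class FanOutClassifier:
    """Hypothetical host-behaviour plug-in: a source that opens tiny flows
    to many distinct destinations on one port looks like a scanning worm."""

    def __init__(self, threshold=20):
        self.threshold = threshold
        self.targets = defaultdict(set)  # (src, proto, dport) -> {dst, ...}

    def process(self, flows):
        for f in flows:
            if f["packets"] <= 2:  # failed or single-probe connections
                self.targets[(f["src"], f["proto"], f["dport"])].add(f["dst"])

    def suspects(self):
        return sorted(k for k, v in self.targets.items() if len(v) >= self.threshold)


class FlakyPlugin:
    """Deliberately crashing plug-in used to exercise the watchdog."""

    def process(self, flows):
        raise RuntimeError("simulated plug-in crash")


class PluginHost:
    """Feeds every flow batch to each plug-in. A plug-in that raises is
    re-created (watchdog restart); after max_restarts it is disabled so a
    persistently broken plug-in cannot starve the others."""

    def __init__(self, factories, max_restarts=3):
        self.factories = factories
        self.plugins = {name: make() for name, make in factories.items()}
        self.restarts = defaultdict(int)
        self.max_restarts = max_restarts

    def dispatch(self, flows):
        for name, make in self.factories.items():
            plugin = self.plugins[name]
            if plugin is None:
                continue  # disabled after too many crashes
            try:
                plugin.process(flows)
            except Exception:
                self.restarts[name] += 1
                self.plugins[name] = make() if self.restarts[name] <= self.max_restarts else None


def build_v5_datagram(records):
    """Constructed exporter output for the demo, not captured backbone data.
    records: (src, dst, sport, dport, proto, packets)."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       bytes(4), 0, 0, pkts, pkts * 48, 0, 0, sport, dport,
                       0, 0x02, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, sport, dport, proto, pkts in records)
    return header + body


def demo():
    """One constructed scanning host probing TCP/135 on 25 addresses plus two
    normal sessions, replayed four times through the plug-in host."""
    scanner = [("10.0.0.7", f"192.0.2.{i}", 1024 + i, 135, 6, 1) for i in range(1, 26)]
    normal = [("10.0.0.9", "198.51.100.5", 40000, 80, 6, 40),
              ("10.0.0.9", "198.51.100.6", 40001, 443, 6, 120)]
    datagram = build_v5_datagram(scanner + normal)
    host = PluginHost({"fanout": FanOutClassifier, "flaky": FlakyPlugin}, max_restarts=2)
    for _ in range(4):
        host.dispatch(parse_netflow_v5(datagram))
    return host


if __name__ == "__main__":
    h = demo()
    print("suspect (src, proto, dport):", h.plugins["fanout"].suspects())
    print("flaky plug-in restarts:", h.restarts["flaky"], "disabled:", h.plugins["flaky"] is None)
```

Two points carry over from the abstract: the parser validates length and version before touching any record, because a framework that sits on a backbone feed must survive exporter bugs and hostile input, and the host keeps its own state (restart counts, disabled plug-ins) separate from plug-in state, so a crashing plug-in loses only its own accumulated data and never the classifier running beside it.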