• DocumentCode
    393364
  • Title
    Surveillance detection in high bandwidth environments
  • Author
    Robertson, Seth ; Siegel, Eric V. ; Miller, Matt ; Stolfo, Salvatore J.
  • Volume
    1
  • fYear
    2003
  • fDate
    22-24 April 2003
  • Firstpage
    130
  • Abstract
    In this paper, we describe System Detection's surveillance detection techniques for enclave environments (ESD) and peering center environments (PSD) and evaluate each technique over data gathered from two different network environments. ESD is evaluated over 74 hours of tcpdump packet traces (344 million packets) from a large enclave; PSD is evaluated over 5 hours of tcpdump packet traces (110 million packets) gathered from a peering center. Both surveillance detection modules were executed over the audit data offline to generate surveillance detection alerts, though the systems can be run in real-time as well. Our results show that both ESD and PSD accurately discover great quantities of surveillance activities (including long-lived and distributed scans) and can be tuned to reduce the volume of alerts. Furthermore, existing IDS technology may be blind to many activities discovered by ESD and PSD.
  • Keywords
    authorisation; military computing; real-time systems; surveillance; transport protocols; ESD; IDS technology; PSD; System Detection; distributed scans; enclave environments; high bandwidth environments; long-lived scans; peering center environments; real-time system; surveillance detection; tcpdump packet traces; Bandwidth; Data security; Electrostatic discharge; Filters; Information analysis; Information security; Intrusion detection; Probes; Real time systems; Surveillance;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    DARPA Information Survivability Conference and Exposition, 2003. Proceedings
  • Print_ISBN
    0-7695-1897-4
  • Type
    conf
  • DOI
    10.1109/DISCEX.2003.1194879
  • Filename
    1194879