eMinD: Efficient and Micro-Flow Independent Detection of Distributed Network Attacks

• Published in: International Conference on the Network of the Future (Online) pp. 159 - 167
• Main Authors: Kopmann, Samuel, Zitterbart, Martina
• Format: Conference Proceeding
• Language: English
• Published: IEEE 04.10.2023
• Subjects: Denial-of-service attack; Feature extraction; IP networks; Machine learning; Network intrusion detection; Scalability; Telecommunication traffic; Traffic Aggregation; Traffic Monitoring
• ISSN: 2833-0072
• DOI: 10.1109/NoF58724.2023.10302763

Network infrastructures are critical and, therefore, subject to harmful attacks against their operation and the availability of their provided services. Detecting such attacks, especially in high-performance networks, is challenging considering the detection rate, reaction time, and scalability. Attack detection becomes even more demanding concerning networks of the future facing increasing data rates and flow counts. With eMinD, we present an approach that scales well to high data rates and large amounts of data flows. eMinD investigates aggregated traffic data, i.e., it is not based on micro-flows and their inherent scalability problems. We evaluate eMinD with real-world traffic data, compare it to related work, and show that eMinD outperforms micro-flow-based approaches regarding the reaction time, scalability, and the detection performance. We reduce required state space by 99.97%. The average reaction time is reduced by 90%, while the detection performance is even increased, although highly aggregating arriving traffic. We further show the importance of micro-flow-overarching traffic features, e.g., IP address and port distributions, for detecting distributed network attacks, i.e., DDoS attacks and port scans.