Detector SherLOCK: Enhancing TRW with Bloom filters under memory and performance constraints
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Nam S.Y. | ko |
| dc.contributor.author | Kim H.-D. | ko |
| dc.contributor.author | Kim H.S. | ko |
| dc.date.accessioned | 2013-03-06T16:18:03Z | - |
| dc.date.available | 2013-03-06T16:18:03Z | - |
| dc.date.created | 2012-02-06 | - |
| dc.date.created | 2012-02-06 | - |
| dc.date.issued | 2008 | - |
| dc.identifier.citation | COMPUTER NETWORKS, v.52, no.8, pp.1545 - 1566 | - |
| dc.identifier.issn | 1389-1286 | - |
| dc.identifier.uri | http://hdl.handle.net/10203/87563 | - |
| dc.description.abstract | Computer worms and bots are significant threats to large networks because they can spread very rapidly and are used for DDoS. The first phase of worms and bots begins by scanning vulnerable hosts. Missing on-going scanning activity can significantly deteriorate network performance. We propose a new scanning detection scheme, SherLOCK, based on the connection attempt success ratio. The proposed scheme can detect scanners with guaranteed false positive and false negative probabilities and with a limited memory size. Detection of scanners at high-speed links requires a high-speed memory and such memory devices are expensive and limited in size. We reduce the memory requirement by applying the Bloom filter, We show how slow scanner, can be detected with a guaranteed performance for a given offered traffic load and memory size. This study can help to design the system that satisfies the target performance requirement. The detection performance is guaranteed under the assumption that malicious scanners and benign hosts have distinct behaviors in terms of the connection success ratio. We extend the proposed detector with a sampling mechanism to detect more intelligent scanners with guaranteed performance. These include scanners that use a list of pre-acquired IP addresses. We evaluate the performance of the proposed scheme through experiment using well-known traffic traces. (C) 2008 Elsevier B.V. All rights reserved. | - |
| dc.language | English | - |
| dc.publisher | ELSEVIER SCIENCE BV | - |
| dc.title | Detector SherLOCK: Enhancing TRW with Bloom filters under memory and performance constraints | - |
| dc.type | Article | - |
| dc.identifier.wosid | 000256133200002 | - |
| dc.identifier.scopusid | 2-s2.0-42049106617 | - |
| dc.type.rims | ART | - |
| dc.citation.volume | 52 | - |
| dc.citation.issue | 8 | - |
| dc.citation.beginningpage | 1545 | - |
| dc.citation.endingpage | 1566 | - |
| dc.citation.publicationname | COMPUTER NETWORKS | - |
| dc.identifier.doi | 10.1016/j.comnet.2008.01.008 | - |
| dc.contributor.localauthor | Kim H.-D. | - |
| dc.contributor.nonIdAuthor | Nam S.Y. | - |
| dc.contributor.nonIdAuthor | Kim H.S. | - |
| dc.type.journalArticle | Article | - |
| dc.subject.keywordAuthor | scanner | - |
| dc.subject.keywordAuthor | slow scanner | - |
| dc.subject.keywordAuthor | scanner detection | - |
| dc.subject.keywordAuthor | connection attempt success ratio | - |
| dc.subject.keywordAuthor | Bloom filter | - |
| dc.subject.keywordAuthor | memory conflict | - |
- Appears in Collection
- RIMS Journal Papers
- Files in This Item
- There are no files associated with this item.
This item is cited by other documents in WoS
| ⊙ Detail Information in WoSⓡ | Click to see |  |
| ⊙ Cited 2 items in WoS | Click to see citing articles in |  |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.