SLA-based complementary approach for network intrusion detection

Enhancing the intrusion detection system is essential to maintain user confidence in network services security. However, the threat of intruders on Internet services is prevalent. This paper proposes a distributed edge-to-edge complementary approach for intrusion detection in a DiffServ/MPLS domain....

Full description

Saved in:
Bibliographic Details
Published in:Computer communications 2011-09, Vol.34 (14), p.1738-1749
Main Authors: Ahmed, Abdulghani Ali, Jantan, Aman, Wan, Tat-Chee
Format: Article
Language:English
Subjects:
Applied sciences
Complementary measurements
Computer science
control theory
systems
Computer simulation
Computer systems and distributed systems. User interface
Consumption
Differentiated service
Exact sciences and technology
Internet
Intrusion
Intrusions detection
Memory and file management (including protection and security)
Memory organisation. Data processing
Monitoring
MPLS technique
Networks
SLA
Software
Traffic engineering
Traffic flow
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Enhancing the intrusion detection system is essential to maintain user confidence in network services security. However, the threat of intruders on Internet services is prevalent. This paper proposes a distributed edge-to-edge complementary approach for intrusion detection in a DiffServ/MPLS domain. The QoS metrics are inspected at the edges routers to determine anomalous behavior in the network traffic. Consumed ratios of one-way delay variation (OWDV) and packet loss are computed to monitor service level agreement (SLA) violations. The bandwidth ratio is measured to differentiate abnormal from normal traffic as well as to detect multiple intrusions launched simultaneously. We employed SLA as a comparison scale to infer the deviation between the users consumed ratios and the predefined ratios in the SLA. Service violation occurs and intrusion may be launched when the predefined ratios are exceeded. The complementary services of DiffServ and MPLS techniques guarantee accurate measurements, whereas the complementary measurements of active and passive techniques immunize network performance against scalability limitation. Simulation results indicate that the proposed approach is capable of monitoring SLA violations and can filter out traffic of intruders who breach SLA without disturbing the normal traffic of legitimate users.
ISSN:0140-3664
1873-703X
DOI:10.1016/j.comcom.2011.03.013