From: vinay mahadik (vamahadiPICARD.MCNC.ORG)
Date: Tue Apr 03 2001 - 15:26:27 CDT


    Hi -

    We are researching the possibility of having a distributed
    statistical IDS for our DiffServ domain. We have in the past deployed
    the SRI-NIDES algorithm to monitor and protect OSPF routers (JiNao
    project at MCNC).

    Briefly, what we have done is to profile aggregate/macro DiffServ flows
    to detect, statistically, packet dropping/delaying/remarking attacks in
    the domain when one or more core or edge routers have been compromised.

    We are still more interested in protecting certain 'critical'
    communications for which we plan to use micro-flow level rule-based and
    statistical anomaly detection on the traffic. It is for this rule-based
    detection that I was looking for more ideas/input. What
    parameters/'rules' would an IDS designer consider important for
    monitoring microflow-level network traffic - specifically for
    DiffServ-domain traffic? For example, one rule we intend to use is to
    detect a non-zero or a significantly high packet-dropping rate of AF
    traffic with a low drop-priority. Another would be to detect remarking
    of EF/AF to BE and the other way around within (an appropriately
    paid/brokered) session.

    Yes, we have been prudent enough to note that anomaly != attack, but it
    *is* a good indication of the 'ill-health' of the diffserv domain.

    Ideas and criticism welcome.

    Thanks,
    Vinay.

    --
    Mr. Mahadik, Vinay A.
    http://hickory.csc.ncsu.edu
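The two microflow rules sketched in the post (loss on low-drop-precedence AF traffic, and remarking between EF/AF and BE) as an added example; this is illustrative code, not part of the original message or the JiNao project. It assumes per-flow packet counters and DSCP values have already been correlated from the domain's ingress and egress edge, and the observations are constructed samples.

```python
from dataclasses import dataclass

# DSCP code points (RFC 2474/2597/3246): EF, best effort, and the AF classes.
EF, BE = 46, 0
AF_LOW_DROP = {10, 18, 26, 34}                        # AF11, AF21, AF31, AF41
AF_ALL = AF_LOW_DROP | {12, 14, 20, 22, 28, 30, 36, 38}

def dscp_class(dscp: int) -> str:
    if dscp == EF:
        return "EF"
    if dscp in AF_ALL:
        return "AF"
    return "BE" if dscp == BE else "OTHER"

@dataclass
class FlowObservation:
    """Per-microflow counters correlated from ingress and egress edge (assumed)."""
    flow_id: str
    dscp_in: int    # marking seen at domain ingress
    dscp_out: int   # marking seen at domain egress
    pkts_in: int
    pkts_out: int

def check_flow(obs: FlowObservation, drop_threshold: float = 0.0) -> list:
    alerts = []
    # Rule 1: AF traffic with low drop precedence should see no (or a tiny) loss.
    if obs.dscp_in in AF_LOW_DROP and obs.pkts_in > 0:
        drop_rate = 1.0 - obs.pkts_out / obs.pkts_in
        if drop_rate > drop_threshold:
            alerts.append(("af_low_drop_loss", round(drop_rate, 3)))
    # Rule 2: remarking between EF/AF and BE in either direction is anomalous.
    cin, cout = dscp_class(obs.dscp_in), dscp_class(obs.dscp_out)
    if (cin in ("EF", "AF") and cout == "BE") or (cin == "BE" and cout in ("EF", "AF")):
        alerts.append(("remarked", f"{cin}->{cout}"))
    return alerts

# Constructed sample observations, not real measurements.
SAMPLE = [
    FlowObservation("ef-voice", EF, EF, 1000, 1000),   # healthy
    FlowObservation("af11-sla", 10, 10, 1000, 950),    # 5% loss on AF11
    FlowObservation("af-to-be", 18, BE, 500, 500),     # AF21 remarked down to BE
    FlowObservation("be-to-ef", BE, EF, 200, 200),     # BE promoted to EF
    FlowObservation("af13-ok", 14, 14, 400, 380),      # AF13 loss is expected
]

def run_rules(observations, drop_threshold: float = 0.0) -> dict:
    """Map flow_id -> alerts for flows that triggered at least one rule."""
    out = {}
    for obs in observations:
        alerts = check_flow(obs, drop_threshold)
        if alerts:
            out[obs.flow_id] = alerts
    return out
```

A per-class `drop_threshold` lets the same rule tolerate the small loss a brokered SLA allows while still flagging a compromised core router that silently discards AFx1 traffic.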