Published by Καμβύσης Μεσσηνέζης. Modified over 5 years ago.
On the Difficulty of Scalably Detecting Network Attacks
Kirill Levchenko, Ramamohan Paturi, George Varghese
Presented by: Yaxuan Qi
Outline
- Problem & Contributions
- Background
- Study of Attacks
  - SYN-flooding
  - Port-scan
  - Connection-Hijacking
  - Fragmentation
- Conclusion
Problem
- Most network intrusion tools (e.g., Bro) use per-flow state to reassemble TCP connections and fragments.
- At high speeds at network vantage points, some form of aggregation is necessary.
- A number of problems have scalable solutions.
- No clear proof that such per-flow state is required for many of these problems.
Contribution
- Proves: Many well-known intrusion detection problems (detecting SYN flooding, port scans, connection hijacking, and content matching across fragments) require per-flow state.
- Exposes assumptions that need to be changed to provide scalable solutions to these problems.
- Concludes with some systems techniques to circumvent these lower bounds.
Background: Deployment of NIDS
- Vantage point: deeper inside the network
  - Cost-saving: number and management
  - As close to the attacker as possible
  - Fewer legitimate users are affected (??)
- Per-flow state
  - Provide wire-speed detection
  - Reduce false positives
Background: Related work
- Vantage point also requires per-flow state
  - However, high-speed devices rely on cache or on-chip SRAM
  - Still smaller flow aggregation
- Load-splitters
  - Expensive
  - Also split attacks
Methodology
- Abstract Problem Formulation
  - Definition
- Example
  - Illustration
- Lower Bound
  - Spatial complexity
  - Proof (see appendix)
- Practical Implications
  - Scalability
Study of Attacks (slide titles only; slide content not recoverable)
- Ingress SYN-flooding
- Egress SYN-flooding
- Ingress Port-Scanning
- Egress Port-Scanning
- TCP-Hijacking
- Fragmentation Detection
Conclusion
Questions?