CHID: conditional hybrid intrusion detection system for reducing false positives and resource consumption on malicious datasets


Bibliographic Details
Main Author: Alaidaros, Hashem Mohammed
Format: Thesis
Language: eng
Published: 2017
Subjects: QA76 Computer software
Online Access:https://etd.uum.edu.my/6950/1/s93165_01.pdf
https://etd.uum.edu.my/6950/2/s93165_02.pdf
id my-uum-etd.6950
record_format uketd_dc
institution Universiti Utara Malaysia
collection UUM ETD
advisor Mahmuddin, Massudi
topic QA76 Computer software
description Inspecting packets to detect intrusions faces challenges when coping with a high volume of network traffic. Packet-based detection processes every payload on the wire, which degrades the performance of a network intrusion detection system (NIDS). This issue requires the introduction of a flow-based NIDS that reduces the amount of data to be processed by examining aggregated information about related packets. However, flow-based detection still suffers from the generation of false positive alerts due to incomplete data input. This study proposed a Conditional Hybrid Intrusion Detection (CHID) system by combining flow-based with packet-based detection. In addition, it also aimed to improve the resource consumption of the packet-based detection approach. CHID applied attribute wrapper feature evaluation algorithms that marked malicious flows for further analysis by the packet-based detection. The Input Framework approach was employed for triggering packet flows between the packet-based and flow-based detections. A controlled testbed experiment was conducted to evaluate the performance of CHID's detection mechanism using datasets obtained at different traffic rates. The result of the evaluation showed that CHID gains a significant performance improvement in terms of resource consumption and packet drop rate, compared to the default packet-based detection implementation. At 200 Mbps, CHID in the IRC-bot scenario can reduce memory usage by 50.6% and CPU utilization by 18.1% without packet drops. The CHID approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. The CHID approach can be considered a generic system to be applied for the monitoring of intrusion detection systems.
format Thesis
qualification_name other
qualification_level Doctorate
granting_institution Universiti Utara Malaysia
granting_department Awang Had Salleh Graduate School of Arts & Sciences
Kumar, "Evaluation metrics for intrusion detection systems-a study," International Journal of Computer Science and Mobile Applications, II, vol. 11, 2014. [164] D. Smallwood and A. Vance, "Intrusion Analysis with Deep Packet Inspection: Increasing Efficiency of Packet Based Investigations," in Cloud and Service Computing (CSC), 2011 International Conference on, 2011, pp. 342-347. [165] A. Bremler-Barr, Y. Harchol, D. Hay, and Y. Koral, "Deep Packet Inspection As a Service," in Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies, 2014, pp. 271-282. [166] M. M. Masud, T. Al-khateeb, L. Khan, B. Thuraisingham, and K. W. Hamlen, "Flow-based Identification of Botnet Traffic by Mining Multiple Log Files," in First International Conference on Distributed Framework and Applications, 2008, pp. 200-206. [167] M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann, and I. H. Witten, "The WEKA Data Mining Software: An Update," ACM SIGKDD Explorations Newsletter, vol. 11, pp. 10-18, 2009. [168] R. A. Rodríguez-Gómez, G. Maciá-Fernández, and P. García-Teodoro, "Survey and Taxonomy of Botnet Research Through Life-cycle," ACM Computing Surveys (CSUR), vol. 45, p. 45, 2013. [169] X. Ma, X. Guan, J. Tao, Q. Zheng, Y. Guo, L. Liu, et al., "A Novel IRC Botnet Detection Method Based on Packet Size Sequence," in IEEE International Conference on Communications (ICC), 2010, pp. 1-5. [170] S. Garg, A. K. Sarje, and S. K. Peddoju, "Improved Detection of P2P Botnets Through Network Behavior Analysis," in International Conference on Security in Computer Networks and Distributed Systems, 2014, pp. 334-345. [171] H. R. Zeidanloo and A. B. A. Manaf, "Botnet Detection by Monitoring Similar Communication Patterns," 2010. [Online]. Available: http://arxiv.org/abs/1004.1232 [172] G. Stringhini, T. Holz, B. Stone-Gross, C. Kruegel, and G. Vigna, "BOTMAGNIFIER: Locating Spambots on the Internet," in USENIX Security Symposium, 2011, pp. 1-32. 
[173] G. Vliek, "Detecting Spam Machines, A Netflow-data Based Approach," Master thesis, Faculty of Electrical Engineering, University of Twente, 2009. [174] Y. Li, D. Gruenbacher, and C. Scoglio, "Reward Only Is Not Enough: Evaluating and Improving the Fairness Policy of the P2P File Sharing Network eMule/eDonkey," Peer-to-Peer Networking and Applications, vol. 5, pp. 40- 57, 2012. [175] D. Garant and W. Lu, "Mining Botnet Behaviors on the Large-Scale Web Application Community," in Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on, 2013, pp. 185-190. [176] E. B. Beigi, H. H. Jazi, N. Stakhanova, and A. A. Ghorbani, "Towards Effective Feature Selection in Machine Learning-based Botnet Detection Approaches," in IEEE Conference on Communications and Network Security (CNS), 2014, pp. 247-255. [177] W. T. Strayer, D. Lapsely, R. Walsh, and C. Livadas, "Botnet Detection based on Network Behavior," Botnet Detection, pp. 1-24, 2008. [178] A. I. Madbouly, A. M. Gody, and T. M. Barakat, "Relevant Feature Selection Model Using Data Mining for Intrusion Detection System," International Journal of Engineering Trends and Technology (IJETT), 2014. [179] P. Sangkatsanee, N. Wattanapongsakorn, and C. Charnsripinyo, "Practical Real-time Intrusion Detection Using Machine Learning Approaches," Computer Communications, vol. 34, pp. 2227-2235, 2011. [180] P. Narang, J. M. Reddy, and C. Hota, "Feature Selection for Detection of Peerto- Peer Botnet Traffic," in Proceedings of the 6th ACM India Computing Convention, 2013, p. 16. [181] J. V. Gomes, P. R. Inácio, M. Pereira, M. M. Freire, and P. P. Monteiro, "Detection and Classification of Peer-to-peer Traffic: A survey," ACM Computing Surveys, vol. 45, p. 30, 2013. [182] F. Giroire, J. Chandrashekar, N. Taft, E. Schooler, and D. 
Papagiannaki, "Exploiting Temporal Persistence to Detect Covert Botnet Channels," in International Workshop on Recent Advances in Intrusion Detection, 2009, pp. 326-345. [183] A. Sperotto, G. Vliek, R. Sadre, and A. Pras, "Detecting Spam at the Network Level," in Meeting of the European Network of Universities and Companies in Information and Communication Engineering, 2009, pp. 208-216. [184] H. Weststrate, "Botnet Detection using Netflow Information," in 10th Twente Student Conference on IT, 23rd January, 2009. [185] Y. Liu, "Data Streaming Algorithms for Rapid Cyber Attack Detection," Ph.D. thesis, Department of Computer Engineering, Iowa State University, Ames, Iowa, 2013. [186] H. Ma, S. Tan, and Z. He, "The Research of P2P Recognition Technology," in Software Engineering and Service Science (ICSESS), 2014 5th IEEE International Conference on, 2014, pp. 601-604. [187] R. Keralapura, A. Nucci, and C.-N. Chuah, "A Novel Self-learning Architecture for P2P Traffic Classification in High Speed Ntworks," Computer Networks, vol. 54, pp. 1055-1068, 2010. [188] M. Agnihotri,"DeepEnd Research: Library of Malware Traffic Patterns," 2013, [Online; accessed 9-May-2014]. [Online]. Available: http://www.deependresearch.org/2013/04/library-of-malware-trafficpatterns.html [189] S. Stover, D. Dittrich, J. Hernandez, and S. Dietrich, "Analysis of the Storm and Nugache Trojans: P2P is here," USENIX Login, vol. 32, pp. 18-27, 2007. [190] Bro IDS, "Signature framework — Bro 2.4.1 documentation," 2012, [Online; accessed 6-Nov-2013]. [Online]. Available: https://www.bro.org/sphinx/frameworks/ signatures.html [191] J. Amann, S. Hall, and R. Sommer, "Count Me In: Viable Distributed Summary Statistics for Securing High-Speed Networks," in International Workshop on Recent Advances in Intrusion Detection, 2014, pp. 320-340. [192] M. Jonkman,"Emerging Bro Threats," 2008, [Online; accessed 30-June-2012]. [Online]. Available: http://doc.emergingthreats.net/bin/view/Main/ EmergingBro [193] M. 
Jonkman,"Storm Worm Emerging Threats," 2007, [Online; accessed 4-April-2013]. [Online]. Available: http://doc.emergingthreats.net/bin/ view/Main/StormWorm [194] M. Tavallaee, "An Adaptive Hybrid Intrusion Detection System," Ph.D. thesis, University of New Brunswick, 2011. [195] G. Maier, R. Sommer, H. Dreger, A. Feldmann, V. Paxson, and F. Schneider, "Enriching Network Security Analysis with Time Travel," in ACM SIGCOMM Computer Communication Review, 2008, pp. 183-194. [196] B. AsSadhan, J. M. Moura, D. Lapsley, C. Jones, and W. T. Strayer, "Detecting Botnets using Command and Control Traffic," in Eighth IEEE International Symposium on Network Computing and Applications 2009, pp. 156-162. [197] PacketFilter, "Packet Filter in Bro," 2013, [Online; accessed 20-June-2013]. [Online]. Available: https://www.bro.org/sphinx/scripts/base/ frameworks/packetfilter/main.bro.html [198] G. Carle, F. Dressler, R. A. Kemmerer, H. Koenig, C. Kruegel, and P. Laskov, "Network attack detection and defense–Manifesto of the Dagstuhl Perspective Workshop, March 2nd–6th, 2008," Computer Science-Research and Development, vol. 23, pp. 15-25, 2009. [199] G. Münz, N. Weber, and G. Carle, "Signature Detection in Sampled Packets," in Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2007), Toulouse, France, 2007. [200] R. Sommer,"Bro Cluster Architecture — Bro 2.4.1 Documentation," 2013, [Online; accessed 24-Jan-2015]. [Online]. Available: https://www.bro.org/sphinx/cluster/index.html [201] E. Alparslan, A. Karahoca, and D. Karahoca, "BotNet Detection: Enhancing Analysis by Using Data Mining Techniques," INTECH Open Access Publisher, 2012. [202] Bro IDS, "Policy Stats," 2008, [Online; accessed 7-Dec-2013]. [Online]. Available: https://www.bro.org/sphinx/scripts/policy/misc/ stats.bro.html [203] R. Love, "Kernel Korner: CPU Affinity," Linux Journal, vol. 2003, p. 8, 2003. [204] Open BL, "Abuse Reporting and Blacklisting," 2014, [Online; accessed 4-July-2014]. [Online]. 
Available: https://www.openbl.org [205] Black List, "URL Blacklist," 2013, [Online; accessed 2-May-2015]. [Online]. Available: http://urlblacklist.com/ [206] S. Hansman and R. Hunt, "A Taxonomy of Network and Computer Attacks," Computers & Security, vol. 24, pp. 31-43, 2005. [207] K. Labib, "Computer Security and Intrusion Detection," Crossroads, vol. 11, pp. 2-2, 2004. [208] Y. Gao, Z. Li, and Y. Chen, "A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks," in 26th IEEE International Conference on Distributed Computing Systems (ICDCS'06), 2006, pp. 39-39. [209] T. Diibendorfer and B. Plattner, "Host Behaviour based Early Detection of Worm Outbreaks in Internet Backbones," in 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05), 2005, pp. 166-171. [210] A. Sperotto, R. Sadre, P.-T. de Boer, and A. Pras, "Hidden Markov Model modeling of SSH Brute-force Attacks," in International Workshop on Distributed Systems: Operations and Management, 2009, pp. 164-176