In this paper, we propose a distributed network-sensor-based intrusion detection framework for detecting emerging stealthy attacks, including malware propagation in enterprise networks. The framework places distributed detection agents on hosts; each agent monitors network traffic and other anomalies on its host, efficiently processes and aggregates detection data, and generates attack alerts. A control center collects information from the distributed agents and identifies both the attacks and the compromised hosts. We develop supporting techniques, including deep packet inspection to process network traffic efficiently and detection algorithms such as passive and active discovery mechanisms to identify compromised hosts. To demonstrate the effectiveness of the proposed framework, we have implemented a proof-of-concept system and conducted real-world experiments. Our data show that the approach is effective at detecting attacks, including malware propagation.
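The abstract describes the architecture only at a high level. The following is an added illustration written for this page, not the authors' code or their detection algorithms: host agents perform a byte-signature check (the paper's deep packet inspection is unspecified; the `MZ\x90\x00` pattern here is a constructed stand-in) and aggregate per-source fan-out into a single alert per window, and the control center flags a host either when its own agent reports it scanning or when at least `CORROBORATION` other agents report it. The thresholds, the corroboration rule, the host addresses and the traffic are all assumptions constructed for the demo, and the corroboration rule is this example's approximation of identifying a compromised host that may not run an agent, not the paper's passive or active discovery mechanism.

```python
"""Toy model of agents-plus-control-center detection of a propagating host.

Added example for this page; not the MILCOM 2011 paper's implementation.
Signature, thresholds, addresses and traffic below are constructed.
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst dport payload")
Alert = namedtuple("Alert", "sensor kind subject detail")

# Constructed DPI signature: a PE header appearing inside a stream. Illustrative only.
SIGNATURES = {b"MZ\x90\x00": "pe-header-in-stream"}
FANOUT_THRESHOLD = 5   # distinct peers on one destination port per window (assumed value)
CORROBORATION = 2      # distinct agents that must report a host before it is flagged (assumed)


class HostAgent:
    """Runs on one host (identified by its IP): inspects local traffic, ships aggregated alerts."""

    def __init__(self, host):
        self.host = host

    def process(self, flows):
        seen_dpi = set()
        peers = defaultdict(set)          # (src, dport) -> distinct destinations in this window
        alerts = []
        for f in flows:
            # Deep packet inspection: match payload bytes against known signatures,
            # raising one alert per (source, signature) rather than one per packet.
            for sig, name in SIGNATURES.items():
                if sig in f.payload and (f.src, name) not in seen_dpi:
                    seen_dpi.add((f.src, name))
                    alerts.append(Alert(self.host, "dpi", f.src, name))
            peers[(f.src, f.dport)].add(f.dst)
        # Aggregation: a single fan-out alert per (source, port) that exceeds the threshold.
        for (src, dport), dsts in peers.items():
            if len(dsts) >= FANOUT_THRESHOLD:
                alerts.append(Alert(self.host, "fanout", src, f"{len(dsts)} peers on port {dport}"))
        return alerts


class ControlCenter:
    """Collects alerts from every agent and decides which hosts are compromised."""

    def __init__(self):
        self.reports = defaultdict(lambda: defaultdict(set))  # subject -> kind -> reporting agents

    def ingest(self, alerts):
        for a in alerts:
            self.reports[a.subject][a.kind].add(a.sensor)

    def compromised(self):
        flagged = set()
        for subject, kinds in self.reports.items():
            reporters = set().union(*kinds.values())
            if subject in kinds.get("fanout", set()):
                flagged.add(subject)      # the host's own agent saw it scanning outbound
            elif len(reporters) >= CORROBORATION:
                flagged.add(subject)      # several other hosts' agents independently report it
        return sorted(flagged)


def constructed_flows():
    """Constructed traffic for four agents; not captured data."""
    infected, agentless = "10.0.0.1", "10.0.0.20"
    victims = [f"10.0.0.{i}" for i in range(2, 8)]
    payload = b"\x00\x00\x00\x60\xffSMB" + b"MZ\x90\x00" + b"\x00" * 8
    outbound = [Flow(t, infected, v, 445, payload) for t, v in enumerate(victims)]
    inbound = lambda host: [f for f in outbound if f.dst == host] + [Flow(9, agentless, host, 445, payload)]
    return {
        infected: outbound,                                   # agent on the infected host
        "10.0.0.2": inbound("10.0.0.2"),                      # two victims' agents see inbound traffic
        "10.0.0.3": inbound("10.0.0.3"),                      # from both the infected and agentless host
        "10.0.0.9": [Flow(0, "10.0.0.9", "10.0.0.10", 443, b"\x16\x03\x01 tls hello")],  # benign
    }


def run_demo():
    center = ControlCenter()
    for host, flows in constructed_flows().items():
        center.ingest(HostAgent(host).process(flows))
    return center.compromised()


if __name__ == "__main__":
    print(run_demo())   # ['10.0.0.1', '10.0.0.20']
```

The infected host is flagged by its own agent's fan-out alert; the agentless host is flagged only because two separate agents reported the same signature from it, which is the kind of cross-host corroboration a central collector can do and a single host sensor cannot.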
Published in:
MILITARY COMMUNICATIONS CONFERENCE, 2011 - MILCOM 2011
Date of Conference: 7-10 Nov. 2011