**3. Packet selection model for intrusion detection system based on sampling**

**3.1 Packet selection model**

There are many sampling models in statistics, but few of them have been applied to computer networks, especially high speed networks. To meet the real-time demands of network packet processing, a packet selection model has to offer high precision and simple application. In this paper, systematic sampling, Poisson sampling and stratified sampling methods are applied to network packet selection.

## **3.1.1 Systematic sampling**

Systematic sampling describes the process of selecting the starting points and the duration of the selection intervals according to a deterministic function. This can be for instance the periodic selection of every n-th element of a trace but also the selection of all packets that arrive at pre-defined points in time. Even if the selection process does not follow a periodic function (e.g. if the time between the sampling intervals varies over time) we consider this as systematic sampling as long as the selection is deterministic.

The use of systematic sampling always involves the risk of biasing the results. If the systematics in the sampling process resembles systematics in the observed stochastic process (occurrence of the characteristic of interest in the network), there is a high probability that the estimation will be biased. Systematics (e.g. periodic repetition of an event) in the observed process might not be known in advance.

## **3.1.2 Poisson sampling**

Poisson sampling is an example of random additive sampling. In this sampling, samples are separated by independent, randomly generated intervals that have a common statistical distribution. In general, Poisson sampling avoids synchronization effects and yields an unbiased estimate of the property being sampled.

If the sampling function obeys an exponential distribution with rate $\lambda$, that is $F(t) = 1 - e^{-\lambda t}$, then the arrival of new samples cannot be predicted (and, again, the sampling is unbiased). Furthermore, the sampling is asymptotically unbiased even if the act of sampling affects the network's state. Such sampling is referred to as Poisson sampling. The number of samples taken during an interval $T$ obeys a Poisson distribution with rate $\lambda$, the rate at which the singleton measurements will on average be made, that is $P_k(T) = \frac{(\lambda T)^k e^{-\lambda T}}{k!}$.

To generate Poisson sampling intervals, one first determines the rate $\lambda$ at which the singleton measurements will on average be made (e.g., for an average sampling interval of 30 seconds, we have $\lambda = 1/30$ if the unit of time is seconds). One then generates a series of exponentially distributed (pseudo) random numbers $E_1, E_2, \ldots, E_n$. The first measurement is made at time $E_1$, the next at time $E_1 + E_2$, and so on.
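As an added illustration (not code from the chapter), the following Python script builds a constructed packet trace with a periodic structure and compares the mean-length estimate obtained by systematic selection of every n-th packet with the estimate from Poisson selection at instants $E_1, E_1+E_2, \ldots$ generated from exponential gaps; the trace, the rate `lam` and all function names are assumptions of the example.

```python
"""Systematic vs. Poisson packet selection on a constructed trace.

Added example, not the chapter's code. The constructed trace is periodic:
every `period`-th packet is a 1500-byte packet, the rest are 64-byte packets.
Selecting every n-th packet with n == period always hits the same phase, so
the mean-length estimate is biased; Poisson selection with exponential gaps
E1, E1+E2, ... does not lock onto the period.
"""
import random
from statistics import mean


def make_trace(num_packets, period=10):
    """Constructed trace of (arrival_time_s, length_bytes), arrivals 1 ms apart."""
    return [(i * 0.001, 1500 if i % period == 0 else 64) for i in range(num_packets)]


def systematic_sample(trace, n, start=0):
    """Deterministic selection: every n-th packet counted from index `start`."""
    return [pkt for i, pkt in enumerate(trace) if i >= start and (i - start) % n == 0]


def poisson_sample_times(lam, horizon, rng):
    """Sampling instants E1, E1+E2, ... with gaps ~ Exp(lam), up to `horizon`."""
    times, t = [], 0.0
    while True:
        t += rng.expovariate(lam)
        if t > horizon:
            return times
        times.append(t)


def poisson_sample(trace, lam, rng):
    """For each sampling instant take the next packet arriving at or after it.
    A packet already taken is skipped, so two instants never pick the same one."""
    chosen, idx = [], 0
    for t in poisson_sample_times(lam, trace[-1][0], rng):
        while idx < len(trace) and trace[idx][0] < t:
            idx += 1
        if idx < len(trace):
            chosen.append(trace[idx])
            idx += 1
    return chosen


def mean_length(packets):
    return mean(length for _, length in packets)


def compare(num_packets=10000, period=10, seed=1):
    """Mean packet length of the population and of the three selections.
    lam = 100/s on a 1000 packet/s trace, i.e. one sample per 10 packets on average."""
    trace = make_trace(num_packets, period)
    return {
        "population": mean_length(trace),
        "systematic_phase0": mean_length(systematic_sample(trace, period, 0)),
        "systematic_phase1": mean_length(systematic_sample(trace, period, 1)),
        "poisson": mean_length(poisson_sample(trace, 100.0, random.Random(seed))),
    }


if __name__ == "__main__":
    print(compare())
```

The two systematic results show the bias described above from both sides: the selection phase, not the traffic, decides whether only large or only small packets are seen.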

## **3.1.3 Stratified sampling**

64 Security Enhanced Applications for Information Systems


Before sampling, the whole population is first divided into mutually exclusive subgroups, called strata. Let $N$ be the number of population units, $L$ the number of strata and $N_1, N_2, \ldots, N_L$ the size of each stratum; then $\sum_{h=1}^{L} N_h = N$. If the sample is taken randomly from each stratum, the procedure is known as stratified random sampling.

For stratified sampling, several factors have to be determined: the stratification characteristic, the number of strata, the stratum borders, the sample size allocation and the variance within strata. These factors are discussed in turn below:

The stratification characteristic is the basis of stratified sampling. Network packets may be stratified by protocol type, TTL or the total length field of the IP header. The choice of characteristic relates to the type of intrusion. Take an ICMP sweep attack as an example: its signature is the sudden generation of many ping packets with a light payload, so the proportion of ICMP packets rises and the average packet length falls. If packet length is selected for stratification, sound detection results can be achieved.

From [12], the gain of stratified sampling increases with the number of strata; when the number of strata increases from 2 to 3, the gain does not improve much; the gain appears to decrease as the number of strata increases further; when the number of strata is beyond 4, the gain of stratified sampling tends to be stable.

The determination of stratum borders is based on the stratification strategy. Samples with similar characteristics are classified into the same stratum, which leads to less variance within a stratum. The simplest way to determine stratum borders is by packet type, such as TCP, UDP and ICMP; the borders are then given naturally by the protocol field of the IP header. If a packet is classified into a stratum according to the total length field, the stratum border is determined by the interval of the actual value $L_i$ ($L_{\min} \le L_i \le L_{\max}$). Making every distinct $L_i$ its own stratum is obviously impractical: in this paper there are hundreds of distinct total length values, and stratifying on each of them would be far too inefficient. So we make use of the optimum stratification method based on the cumulative square root of the stratification variable's frequency distribution [13], shown in Table 1.

Intrusion Detection and Prevention in High Speed Network 67

Table 1. Cumulate square root table

| Total length of packet | Number $f$ | $\sqrt{f}$ | Cumulate $\sqrt{f}$ |
|---|---|---|---|
| $L_1$-$L_2$ | $M_1$ | $\sqrt{M_1}$ | $\sqrt{M_1}$ |
| $L_2$-$L_3$ | $M_2$ | $\sqrt{M_2}$ | $\sqrt{M_1}+\sqrt{M_2}$ |
| … | … | … | … |
| $L_{n-2}$-$L_{n-1}$ | $M_{n-1}$ | $\sqrt{M_{n-1}}$ | $\sqrt{M_1}+\sqrt{M_2}+\dots+\sqrt{M_{n-1}}$ |
| $L_{n-1}$-$L_n$ | $M_n$ | $\sqrt{M_n}$ | $\sqrt{M_1}+\sqrt{M_2}+\dots+\sqrt{M_n}$ |

Let $R = \sum_{i=1}^{n} \sqrt{M_i}$. If the stratum number is 5, a new stratum is generated at intervals of $R/5$, so the four stratum border points are placed where the cumulative $\sqrt{f}$ is closest to $R/5$, $2R/5$, $3R/5$ and $4R/5$; these four values are the stratum border points of stratified sampling.

For stratified sampling, the problem of sample size allocation among strata for a fixed population size also has to be solved. Because the precision of stratified random sampling depends on the sample size allocation and the variance within strata, the stratification or the sample size allocation directly affects the efficiency of stratified sampling. Generally, proportional allocation is better if the means between strata vary greatly, while optimum allocation is better if the standard deviations between strata vary greatly. In practical sampling we tend to select proportional allocation, because optimum allocation targets a single variable, whereas there are usually several target variables, and the optimum allocation for one variable may not be proper for the others. Proportional allocation allocates the sample size within strata according to each stratum's weight.

What's more, the sampling strategy within a stratum also has to be determined. In practice, both systematic sampling and random sampling may be applied.
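The border rule of Table 1 and the proportional allocation described above, carried out in Python as an added example (not the chapter's code); the total-length histogram, the stratum count parameter and the function names are constructed for the illustration.

```python
"""Stratum borders by the cumulative square root of frequency, followed by
proportional allocation of a fixed sample size.

Added example, not the chapter's code. The histogram of IP total length is
constructed; `strata` plays the role of the stratum number (5 in the chapter,
giving border targets R/5, 2R/5, 3R/5, 4R/5).
"""
import math

# Constructed histogram: (class interval [lo, hi) in bytes, packet count M_i).
HISTOGRAM = [
    ((40, 64), 900), ((64, 128), 2500), ((128, 256), 1600), ((256, 512), 400),
    ((512, 1024), 200), ((1024, 1280), 100), ((1280, 1500), 1800), ((1500, 1520), 2300),
]


def cumulative_sqrt_table(histogram):
    """Rows of Table 1: (interval, M_i, sqrt(M_i), cumulative sqrt(f))."""
    rows, running = [], 0.0
    for interval, count in histogram:
        running += math.sqrt(count)
        rows.append((interval, count, math.sqrt(count), running))
    return rows


def stratum_borders(histogram, strata=5):
    """Upper bounds (bytes) of the first strata-1 strata: the class whose
    cumulative sqrt(f) is closest to j*R/strata closes stratum j."""
    rows = cumulative_sqrt_table(histogram)
    R = rows[-1][3]                      # R = sum of sqrt(M_i)
    borders = []
    for j in range(1, strata):
        target = j * R / strata
        closest = min(rows, key=lambda row: abs(row[3] - target))
        upper = closest[0][1]
        if upper not in borders:         # two targets may hit the same class
            borders.append(upper)
    return borders


def stratum_sizes(histogram, borders):
    """N_h for each stratum: sum of the counts of the classes it contains."""
    edges = list(borders) + [math.inf]
    sizes = [0] * len(edges)
    for (_, hi), count in histogram:
        h = next(i for i, edge in enumerate(edges) if hi <= edge)
        sizes[h] += count
    return sizes


def proportional_allocation(sizes, sample_size):
    """n_h = n * N_h / N (stratum weight); largest remainders absorb rounding."""
    N = sum(sizes)
    raw = [sample_size * Nh / N for Nh in sizes]
    alloc = [int(x) for x in raw]
    short = sample_size - sum(alloc)
    by_remainder = sorted(range(len(raw)), key=lambda i: raw[i] - alloc[i], reverse=True)
    for i in by_remainder[:short]:
        alloc[i] += 1
    return alloc


if __name__ == "__main__":
    borders = stratum_borders(HISTOGRAM)
    sizes = stratum_sizes(HISTOGRAM, borders)
    print(borders, sizes, proportional_allocation(sizes, 1000))
```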

### **3.2 Experiments and discussion**

To test the performance of the different sampling strategies, we conducted experiments in our campus network. The network traffic is captured by a host connected to the router of a class C subnet. Experimental results are shown in Figure 10 and Table 2 as follows.


Fig. 10. Packet length distribution curve (figure not reproduced; it plots the proportion of packets, from 0.00% to 35.00%, against total length for the population and for systematic, Poisson and stratified sampling)

Table 2. Packet type proportion

| Packet type | Population | Systematic sampling | Poisson sampling | Stratified sampling |
|---|---|---|---|---|
| UDP | 82.47% | 82.14% | 82.85% | 82.5% |
| TCP | 11.87% | 11.92% | 11.94% | 11.73% |
| ICMP | 5.66% | 5.95% | 5.21% | 5.77% |

Figure 10 is the packet length distribution curve, and Table 2 shows the proportion of the different types of packets in the population and under the separate sampling strategies. From Figure 10 it can be seen that the distribution of packet length under Poisson sampling and stratified sampling conforms to the distribution of packet length in the population. Though there is a small difference between the packet length distribution under systematic sampling and that of the population, this difference is still within the acceptable range of precision. Table 2 shows that the proportions of the different kinds of packets under the various sampling strategies accord with the population, so these sampling strategies are applicable.

In practice, sampling may also be applied to intrusion detection by estimating the value of a certain measure in the population. The following paragraphs briefly present this approach with the average packet length as the measure.

Assume the mean of population $X$ is $\mu$ and its variance is $\sigma^2$. Let $X_1, X_2, X_3, \ldots, X_n$ be a sample of population $X$; then $E\overline{X} = \mu$, $D\overline{X} = \sigma^2/n$, and $X \sim N(\mu, \sigma^2)$, so $\overline{X} = \frac{1}{n}\sum_{i=1}^{n} X_i$ also obeys a normal distribution, that is $\overline{X} \sim N(\mu, \sigma^2/n)$ [14].

For a given confidence $1-\alpha$, let $X_1, X_2, X_3, \ldots, X_n$ be a sample of the population $N(\mu, \sigma^2)$, and let $\overline{X}$ and $S^2$ be the corresponding sample mean and variance; then

$$\frac{\overline{X} - \mu}{S/\sqrt{n}} \sim t(n-1) \tag{1}$$

and the distribution $t(n-1)$ on the right side does not depend on any other parameters, so

$$P\{-t_{\alpha/2}(n-1) < \frac{\overline{X}-\mu}{S/\sqrt{n}} < t_{\alpha/2}(n-1)\} = 1-\alpha \tag{2}$$


that is

$$P\{\overline{X} - \frac{S}{\sqrt{n}}t_{\alpha/2}(n-1) < \mu < \overline{X} + \frac{S}{\sqrt{n}}t_{\alpha/2}(n-1)\} = 1 - \alpha$$

so the confidence interval of $\mu$ with given confidence $1-\alpha$ is

$$\overline{X} \pm \frac{S}{\sqrt{n}} t_{\alpha/2}(n-1) \tag{3}$$

The measured average packet length with systematic sampling is 134.0631, the standard deviation is 73.607 and the total number of packets $n$ is 92647. From the distribution table of $t$, the value of $t_{\alpha/2}(n-1)$ tends to a constant as $n$ goes to infinity.

We estimate the average packet length of the population by systematic sampling and require a confidence of 95% for this estimate. From (3), the confidence interval of the population's average packet length with confidence 95% is (134.0634 ± 0.47). If the error is no more than 0.94, the confidence of this error is 95% when any value in this interval is taken as the estimate of the population's average packet length. From the preceding experimental results, the average packet length of the population is 134.4601, which lies in the interval (134.0634 ± 0.47).

It can be seen from the experiments that the average packet length in normal traffic tends to be stable. When an ICMP sweep attack appears, there are lots of short packets and the average packet length changes noticeably [15]. So the average length may be considered as the measure to detect intrusions.

With changes of user behaviour and network topology, the characteristics of a network may also vary. So the data related to the behaviour of a given network during some time window may be chosen to characterize its normal state, rather than all past data. Assume the time granularity is $T$ and $L_i$ is the average packet length in the $i$-th time interval. Anomalous actions are detected by comparing the current sampled value with the values of the preceding $i-1$ time intervals. That is, if the current average packet length lies in the range of normal values calculated from the preceding sampled data, there is no intrusion, and the preceding data can be updated with the current value. Otherwise an intrusion is present and the current data must not be used for the update.
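Interval (3) and the update rule just described, as an added Python example that is not the chapter's code; the built-in critical-value table, the function names and the history of per-interval averages are assumptions of the example, and the chapter's own figures (134.0631, 73.607, 92647) are fed in to reproduce its ± 0.47.

```python
"""Confidence interval for the population mean length, equations (1)-(3),
and the sliding check of per-interval averages L_i against it.

Added example, not the chapter's code. t_{alpha/2}(n-1) for alpha = 0.05
comes from a small built-in table, with the n -> infinity value 1.960 used
for large n as the chapter does; the history of per-interval averages is
constructed for the illustration.
"""
import math
from statistics import mean, stdev

# Two-sided 95% critical values t_{0.025}(df) for selected df.
T_975 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571, 6: 2.447, 7: 2.365,
         8: 2.306, 9: 2.262, 10: 2.228, 15: 2.131, 20: 2.086, 30: 2.042,
         60: 2.000, 120: 1.980}


def t_crit(df):
    """t_{0.025}(df): beyond the table the limit 1.960 is used; between table
    entries the next smaller df is taken (a slightly larger, conservative t)."""
    if df > 120:
        return 1.960
    return T_975[max(k for k in T_975 if k <= df)]


def half_width(s, n):
    """Half width of interval (3): t_{alpha/2}(n-1) * S / sqrt(n)."""
    return t_crit(n - 1) * s / math.sqrt(n)


def confidence_interval(xbar, s, n):
    """Interval (3) for mu: sample mean +/- half width."""
    h = half_width(s, n)
    return xbar - h, xbar + h


def baseline_interval(history):
    """Interval (3) computed from the preceding per-interval averages L_1..L_{i-1}."""
    return confidence_interval(mean(history), stdev(history), len(history))


def detect(history, observations):
    """Update rule: an average inside the interval built from the preceding data
    is normal and is appended to the baseline; one outside is flagged and the
    baseline is left unchanged. Returns (flags, final_baseline)."""
    baseline = list(history)
    flags = []
    for L_i in observations:
        lo, hi = baseline_interval(baseline)
        normal = lo <= L_i <= hi
        if normal:
            baseline.append(L_i)
        flags.append(normal)
    return flags, baseline


# Constructed per-interval average packet lengths (bytes) of normal traffic.
HISTORY = [134.1, 134.5, 133.9, 134.4, 134.2, 134.6, 133.8, 134.3]

if __name__ == "__main__":
    print(confidence_interval(134.0631, 73.607, 92647))  # chapter's systematic-sampling figures
    print(detect(HISTORY, [134.3, 95.0, 134.1]))          # 95.0 stands for an ICMP sweep interval
```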

#### **3.3 Summary**

With the rapid development of network technology there are more severe challenges to information security, and IDS has become an indispensable part of computer security. However, IDS drop packets, especially in a high speed network environment. In this chapter, we apply a packet selection model based on statistical sampling methods to the data collection procedure of IDS. Experimental results show that the selected sample (packets) can be used for detection and analysis by IDS within a certain precision. In short, our method has the following advantages: firstly, it greatly strengthens the processing performance of IDS by replacing passive packet dropping with active packet sampling, especially in large-scale high-speed networks; secondly, it has better extensibility, and various sampling strategies may be applied for different implementations.
