ThunderSecure: deploying real-time intrusion detection for 100G research networks by leveraging stream-based features and one-class classification network (Journal Article) | OSTI.GOV

ThunderSecure: deploying real-time intrusion detection for 100G research networks by leveraging stream-based features and one-class classification network

Journal Article · International journal of information security
 [1];  [2];  [2]
  1. Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
  2. Fermi National Accelerator Lab. (FNAL), Batavia, IL (United States)

Nowadays, data generated by large-scale scientific experiments are on the scale of petabytes per month. These data are transferred through dedicated high-bandwidth networks (40/100G) across distributed sites for processing, storage, and analysis. Like general-purpose networks, research networks experience intrusions. However, monitoring anomalies in such high-speed network traffic is challenging with the current cyber-infrastructure. Moreover, traditional network intrusion detection systems (NIDS) are signature based: anomaly patterns are difficult to define, and rulesets are often not updated frequently enough to reflect changes in attack behavior. We present ThunderSecure, a high-throughput, unsupervised learning-based intrusion detection system for 100G research networks. ThunderSecure implements an efficient packet processing and detection pipeline using multi-core CPUs and GPUs. It extracts statistical and temporal features from real-time network data streams and feeds them to a one-class anomaly detection network. A baseline of the normal traffic distribution is built from the training observations, and test traffic that deviates from the learned profile is marked as anomalous. We trained ThunderSecure on hundreds of billions of science data packets mirrored from two 100G network connections at Fermi National Accelerator Laboratory. Detection performance was evaluated on traffic captured from the same research network days and weeks after training, with different types of attack flows injected. The results show that ThunderSecure recognizes science data traffic captured long after training and achieves near-certain detection on the stream segments where anomalous flows were injected.
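The pipeline the abstract describes (fixed windows of a packet stream, statistical and temporal features per window, a one-class profile learned from normal traffic only, and deviation flagged as anomalous) can be illustrated with a small self-contained example. This is an added example, not code from the ThunderSecure paper or its authors: a per-feature z-score profile with a margin threshold stands in for the paper's one-class neural network, the packet stream is constructed synthetic data (a steady bulk transfer between a few hosts, plus an injected burst from one source to many destinations), and the window width, feature set, threshold calibration and all host names are assumptions of this example.

```python
# Added example (not the ThunderSecure paper's code): a toy version of
# stream-based feature extraction plus a one-class baseline. A per-feature
# z-score profile is used in place of the paper's one-class network, and the
# packet stream is constructed synthetic data.
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev
import random


@dataclass
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source host
    dst: str    # destination host
    size: int   # bytes on the wire


def window_features(pkts):
    """Statistical and temporal features for one fixed-width window of packets."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    sizes = [p.size for p in pkts]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return [
        float(len(pkts)),                          # packet count
        mean(sizes) if sizes else 0.0,             # mean packet size
        pstdev(sizes) if len(sizes) > 1 else 0.0,  # packet size spread
        float(len({p.src for p in pkts})),         # distinct sources
        float(len({p.dst for p in pkts})),         # distinct destinations
        mean(gaps) if gaps else 0.0,               # mean inter-arrival gap
        pstdev(gaps) if len(gaps) > 1 else 0.0,    # inter-arrival jitter
    ]


class OneClassBaseline:
    """Learns a profile from normal windows only; anything far from it is anomalous."""

    def fit(self, feature_rows, margin=1.5):
        cols = list(zip(*feature_rows))
        self.mu = [mean(c) for c in cols]
        # Floor the spread so a feature that never varied in training cannot
        # divide by zero; any later change in such a feature will score loudly.
        self.sigma = [max(pstdev(c), 1e-3 * (abs(m) + 1.0))
                      for c, m in zip(cols, self.mu)]
        train_scores = [self.score(r) for r in feature_rows]
        # Threshold = worst training window times a margin (an assumption of
        # this example; the paper's calibration is not described in the abstract).
        self.threshold = max(train_scores) * margin
        return self

    def score(self, row):
        """Root-mean-square z-score across features (diagonal Mahalanobis distance)."""
        z = [(x - m) / s for x, m, s in zip(row, self.mu, self.sigma)]
        return sqrt(sum(v * v for v in z) / len(z))

    def is_anomaly(self, row):
        return self.score(row) > self.threshold


def synth_transfer_window(rng, start, width=1.0):
    """Constructed 'science data transfer' traffic: few hosts, large steady packets."""
    n = rng.randint(400, 600)
    return [Packet(start + rng.random() * width,
                   rng.choice(["dtn-a", "dtn-b"]),
                   rng.choice(["store-1", "store-2", "store-3"]),
                   rng.randint(1300, 1500)) for _ in range(n)]


def synth_scan_burst(rng, start, width=1.0, hosts=300):
    """Constructed injected anomaly: one source, many destinations, tiny packets."""
    return [Packet(start + rng.random() * width, "scanner", f"host-{i}", 60)
            for i in range(hosts)]


def run_demo(seed=7, train_windows=200):
    """Train on normal windows, then score a clean window and one with an injected burst."""
    rng = random.Random(seed)
    train_rows = [window_features(synth_transfer_window(rng, t))
                  for t in range(train_windows)]
    model = OneClassBaseline().fit(train_rows)
    later = train_windows + 100.0   # traffic captured well after training, same profile
    clean = window_features(synth_transfer_window(rng, later))
    mixed = window_features(synth_transfer_window(rng, later + 1)
                            + synth_scan_burst(rng, later + 1))
    return {
        "threshold": model.threshold,
        "train_flagged": sum(model.is_anomaly(r) for r in train_rows),
        "clean_score": model.score(clean),
        "mixed_score": model.score(mixed),
        "mixed_flagged": model.is_anomaly(mixed),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The distinct-destination count never varies during training, so the floored spread makes the injected burst score orders of magnitude above the threshold while the clean window stays near the training scores; that same property is a caveat for real deployments, where a feature that is constant in the training capture will flag any benign change too, so the training window has to cover the traffic mix the link actually carries.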

Research Organization:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States); Fermi National Accelerator Laboratory (FNAL), Batavia, IL (United States)
Sponsoring Organization:
USDOE Office of Science (SC), High Energy Physics (HEP)
Grant/Contract Number:
AC02-07CH11359; AC05-00OR22725
OSTI ID:
1867680
Alternate ID(s):
OSTI ID: 1883897
Report Number(s):
FERMILAB-PUB-22-255-CCD-OCIO; oai:inspirehep.net:2064248; TRN: US2306211
Journal Information:
International journal of information security, Vol. 21, Issue 4; ISSN 1615-5262
Publisher:
Springer Nature
Country of Publication:
United States
Language:
English
