U.S. Department of Energy
Office of Scientific and Technical Information

ThunderSecure: deploying real-time intrusion detection for 100G research networks by leveraging stream-based features and one-class classification network

Journal Article · Int.J.Inf.Secur.

Nowadays, data generated by large-scale scientific experiments are on the scale of petabytes per month. These data are transferred through dedicated high-bandwidth networks (40/100G) across distributed sites for processing, storage, and analysis. Like general-purpose networks, research networks experience intrusions. However, monitoring anomalies in such high-speed network traffic is challenging with current cyber-infrastructure. Moreover, traditional network intrusion detection systems (NIDS) are signature based, but anomaly patterns are difficult to define, and rulesets are often not updated frequently enough to reflect changes in attack behavior. We present ThunderSecure, a high-throughput, unsupervised-learning-based intrusion detection system for 100G research networks. ThunderSecure implements an efficient packet processing and detection pipeline using multiple CPU cores and GPUs. It extracts statistical and temporal features from real-time network data streams and feeds them to a one-class anomaly detection network. A baseline profile of normal traffic is learned from the training observations; test traffic that deviates from the learned profile is marked as anomalous. We trained ThunderSecure on hundreds of billions of science data packets mirrored from two 100G network connections at Fermi National Accelerator Laboratory. Detection performance was evaluated on traffic captured from the same research network days and weeks after training, with different types of attack flows injected. Results show that ThunderSecure recognizes science data traffic captured long after training and detects, with near certainty, the segments of the streams into which anomalous flows were injected.
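The pipeline the abstract describes (bucket the packet stream into time windows, compute statistical features per window, learn a profile from normal traffic only, flag windows that deviate from it) is shown below as an added, stand-alone example. It is not ThunderSecure's code: the paper uses GPU packet processing and a one-class neural network, whereas this stand-in uses a diagonal Gaussian profile (per-feature mean and standard deviation, scored by RMS z-score) so the whole loop fits in standard-library Python. The one-second window width, the five features, the 1% variance floor, the 1.5x decision margin, and all traffic (a jumbo-frame bulk-transfer baseline with a port scan injected into one window) are assumptions constructed for the illustration.

```python
"""Toy stream-based one-class anomaly detector for per-window traffic features.

Added example, not ThunderSecure's code. Features, thresholds and traffic are
constructed for illustration; the "one-class network" is replaced by a
diagonal Gaussian profile over the same kind of per-window features.
"""
import math
import random
from collections import Counter

FEATURES = ("pkts", "bytes", "mean_size", "dst_ports", "port_entropy")


def window_features(packets):
    """Statistical features for one time window of (ts, dport, size) packets."""
    n = len(packets)
    if n == 0:
        return dict.fromkeys(FEATURES, 0.0)
    total = sum(size for _, _, size in packets)
    ports = Counter(dport for _, dport, _ in packets)
    entropy = -sum((c / n) * math.log2(c / n) for c in ports.values())
    return {
        "pkts": float(n),
        "bytes": float(total),
        "mean_size": total / n,
        "dst_ports": float(len(ports)),
        "port_entropy": entropy,
    }


def windows(packets, width=1.0):
    """Bucket a packet stream into fixed-width windows (seconds), in time order."""
    buckets = {}
    for pkt in packets:
        buckets.setdefault(int(pkt[0] // width), []).append(pkt)
    return [buckets[k] for k in sorted(buckets)]


class OneClassProfile:
    """Learns per-feature mean/std from normal windows; scores by RMS z-score."""

    def __init__(self, margin=1.5):
        self.margin = margin  # assumed: headroom above the worst normal score
        self.mu, self.sd, self.threshold = {}, {}, None

    def fit(self, train_windows):
        rows = [window_features(w) for w in train_windows]
        for f in FEATURES:
            vals = [r[f] for r in rows]
            mu = sum(vals) / len(vals)
            var = sum((v - mu) ** 2 for v in vals) / len(vals)
            self.mu[f] = mu
            # Floor the std at 1% of the mean: a feature that is constant in
            # training (e.g. the same 4 ports every window) must not divide by
            # zero. The floor also caps sensitivity on very tight features,
            # a trade-off a real deployment would tune per feature.
            self.sd[f] = max(math.sqrt(var), 0.01 * abs(mu), 1e-9)
        # Decision threshold: worst score seen on normal training windows, times margin.
        self.threshold = self.margin * max(self.score(w) for w in train_windows)
        return self

    def score(self, window):
        feats = window_features(window)
        z2 = [((feats[f] - self.mu[f]) / self.sd[f]) ** 2 for f in FEATURES]
        return math.sqrt(sum(z2) / len(z2))

    def is_anomalous(self, window):
        return self.score(window) > self.threshold


def gen_science_traffic(rng, start, seconds):
    """Constructed 'normal' traffic: a few bulk-transfer flows, jumbo frames."""
    pkts = []
    for s in range(seconds):
        for _ in range(rng.randint(480, 520)):
            pkts.append((start + s + rng.random(),
                         rng.choice((2811, 2812, 2813, 5000)),
                         rng.randint(8000, 9000)))
    return pkts


def gen_port_scan(rng, t0, n_ports=500):
    """Constructed injected attack: SYN-sized probes across many ports in one second."""
    return [(t0 + rng.random(), p, rng.randint(40, 60)) for p in range(1, n_ports + 1)]


def run_demo(seed=7):
    rng = random.Random(seed)
    train = windows(gen_science_traffic(rng, 0, 60))
    # Test stream captured "later": 20 s of normal traffic, scan injected in second 10.
    test_pkts = gen_science_traffic(rng, 1000, 20) + gen_port_scan(rng, 1010)
    test = windows(sorted(test_pkts))
    model = OneClassProfile().fit(train)
    flags = [model.is_anomalous(w) for w in test]
    return {"threshold": model.threshold, "flags": flags, "scan_window": 10,
            "n_train_flagged": sum(model.is_anomalous(w) for w in train)}


if __name__ == "__main__":
    r = run_demo()
    print(f"threshold={r['threshold']:.2f}")
    for i, flag in enumerate(r["flags"]):
        print(f"window {i:2d}: {'ANOMALY' if flag else 'normal'}")
```

Only the scan window is flagged: the distinct-port count and packet-size features sit thousands of standard deviations from the learned profile, while the later normal windows stay under the threshold even though they were never seen in training. The same structure (features from a stream, profile from normal data only, deviation threshold) is what makes a one-class approach independent of attack signatures.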

Research Organization:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States); Fermi National Accelerator Laboratory (FNAL), Batavia, IL (United States)
Sponsoring Organization:
US Department of Energy
Grant/Contract Number:
AC02-07CH11359
OSTI ID:
1867680
Alternate ID(s):
OSTI ID: 1883897
Report Number(s):
FERMILAB-PUB-22-255-CCD-OCIO; oai:inspirehep.net:2064248
Journal Information:
Int.J.Inf.Secur., Vol. 21, Issue 4
Country of Publication:
United States
Language:
English