1. Technical Field
The present disclosure relates to a method for detecting an intrusion in a network. More specifically, it relates to a method for detecting an intrusion in which the entire network can be examined by adding SDN devices to an existing network and applying different sampling rates to different switches.
2. Description of the Related Art
Software-based networks running on general-purpose computers are growing rapidly, as they provide Internet services such as data transmission, on-line banking and positioning systems. In particular, cloud data systems are becoming an essential part of many people's lives. As networks grow to a huge scale, attacks on them, including threats to privacy and safety, increase day by day, and intrusions become more difficult to detect.
To establish a secure and reliable network, it is important to develop a system for detecting and blocking malicious traffic on the network. An intrusion detection system (IDS) observes the flows on a network and examines data packets to determine whether any of them carries malicious intent. Conventionally, an IDS has been operated in one of two modes: a passive mode and an inline mode. In the passive mode, the IDS depends on a single node to which it is connected and receives from that node the data packets it examines. In the inline mode, by contrast, the IDS is deployed as part of a network node on an arbitrary link and analyzes the data flows passing through that link.
However, it is almost impossible to predict the path that malicious traffic will take and to place the IDS on that path. Accordingly, the IDS is typically deployed at a node where many networks converge. Unfortunately, as networks grow larger it becomes very difficult to decide where to place the IDS, and a large number of IDSes is required to carry out the resulting volume of monitoring. To overcome these problems, a network traffic sampling method has been proposed.
In the network traffic sampling method, network traffic is observed only partially, and monitoring is performed on the sampled traffic. During sampling, however, a flow carrying a malicious packet may be skipped and never examined. What is required, therefore, is an improved network traffic sampling method that detects malicious traffic effectively.
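As an added example, not part of the original disclosure, the following Python script quantifies the failure mode described above: under packet sampling, a short malicious flow can traverse every switch on its path without a single one of its packets being sampled, while a long benign transfer is almost certain to be seen. The topology, per-switch sampling rates and flows are constructed for illustration, and independent per-packet (Bernoulli) sampling at each switch is an assumption made here to keep the arithmetic exact; the function names are likewise this example's own.

```python
"""Added example (not from the patent text): how often does uniform
packet sampling miss a malicious flow entirely?

Assumptions (not stated in the original): every switch on a flow's path
samples each packet independently with its own probability; a flow counts
as "seen" if at least one of its packets is sampled by at least one
switch; topology, rates and flows below are constructed sample data."""

import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    name: str
    path: List[str]      # switches traversed, in order
    packets: int         # number of packets in the flow
    malicious: bool


# Constructed sample topology: three switches, each sampling 1 % of packets.
SAMPLE_RATES: Dict[str, float] = {"edge1": 0.01, "core1": 0.01, "edge2": 0.01}

# Constructed sample flows: one large benign transfer, two small attacks.
SAMPLE_FLOWS: List[Flow] = [
    Flow("bulk-transfer", ["edge1", "core1", "edge2"], 20000, False),
    Flow("portscan",      ["edge1", "core1"],          30,    True),
    Flow("c2-beacon",     ["edge1", "core1", "edge2"], 4,     True),
]


def miss_probability(flow: Flow, rates: Dict[str, float]) -> float:
    """Analytical probability that no packet of the flow is sampled anywhere.

    One packet escapes every switch on the path with probability
    prod(1 - p_i); with independent per-packet sampling the whole flow
    escapes with probability (prod(1 - p_i)) ** packets.
    """
    per_packet_miss = 1.0
    for switch in flow.path:
        per_packet_miss *= 1.0 - rates[switch]
    return per_packet_miss ** flow.packets


def simulate_miss_rate(flow: Flow, rates: Dict[str, float],
                       trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of miss_probability(): replay the flow `trials`
    times, sampling each packet at each switch with that switch's rate."""
    rng = random.Random(seed)
    missed = 0
    for _ in range(trials):
        seen = False
        for _pkt in range(flow.packets):
            if any(rng.random() < rates[sw] for sw in flow.path):
                seen = True
                break  # one sampled packet is enough to expose the flow
        if not seen:
            missed += 1
    return missed / trials


def undetected_malicious(flows: List[Flow], rates: Dict[str, float],
                         threshold: float = 0.5) -> List[str]:
    """Malicious flows more likely than `threshold` to escape sampling."""
    return [f.name for f in flows
            if f.malicious and miss_probability(f, rates) > threshold]


def required_uniform_rate(flow: Flow, target_miss: float) -> float:
    """Per-switch rate p, identical on every switch of the path, such that
    the flow's miss probability equals `target_miss`:
    (1 - p) ** (len(path) * packets) = target_miss."""
    exponent = len(flow.path) * flow.packets
    return 1.0 - target_miss ** (1.0 / exponent)


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.name:14s} analytic miss={miss_probability(f, SAMPLE_RATES):.4f}")
    print("undetected:", undetected_malicious(SAMPLE_FLOWS, SAMPLE_RATES))
    beacon = SAMPLE_FLOWS[2]
    print("rate needed to catch the beacon 95% of the time:",
          f"{required_uniform_rate(beacon, 0.05):.3f}")
```

With 1 % sampling on every switch, the 30-packet scan slips through about 55 % of the time and the 4-packet beacon about 89 % of the time, while the 20,000-packet transfer is caught essentially always. Catching the beacon 95 % of the time with a uniform rate would require sampling roughly 22 % of all packets on every switch, which illustrates why a single sampling rate applied everywhere is a poor fit for short malicious flows.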