IEEE Network • January/February 2009
GUEST EDITORIAL

About 20 years ago, in November 1988, the Morris worm spread through the Internet, taking down thousands of computers. The incident prompted the U.S. Defense Advanced Research Programs Agency to establish the CERT/CC to coordinate activities to defend against future Internet security problems, and was one of the first media stories to raise public awareness about network security. Security problems with the TCP/IP protocol suite were known (as noted by Steven Bellovin), but the Internet was a closed network for academics and researchers at the time. Spam and malware were minor problems, and the Web had not been invented. Security was understandably not one of the high-priority concerns of the Internet designers 20 years ago, but the consequences of an open public Internet are now apparent.

Today network security has become an everyday problem, with virtually all computers connected to the Internet. The average Internet user must be constantly vigilant against a number of network threats such as spam, worms, Trojan horses, bots, spyware, and phishing. Enterprises are forced to fortify their networks against remote intrusions into their servers and databases. Governments are concerned about espionage and the possibility of cyberwarfare.

Intrusion detection has been a critical component of network security since the 1980s. It is not realistic to expect that all attacks can be blocked by firewalls, access control lists, and other defenses. Intrusion detection serves the important function of identifying malicious activities and determining their nature, origin, and seriousness. Network-based and host-based intrusion detection methods commonly use a combination of signatures to recognize known attacks and anomaly detection to recognize suspicious behaviors.

This Special Issue is intended to present the state of the art in network-based intrusion detection.
Although an enormous literature already exists, intrusion detection is a dynamic problem demanding constant research progress to keep up with new exploits, new evasion techniques, and increasing traffic rates. In response to the open call, we were pleased to receive 44 submissions, from which six articles were accepted for this issue. The large number of submissions attests to the vitality of research efforts and the high level of interest in intrusion detection.

Intrusion detection is a problem well suited to intelligent sampling. Intrusion detection systems must observe a great amount of traffic (gigabits per second) looking for anomalies, but the vast majority of flows are normal and uninteresting. The first article in this special issue, “Network Anomaly Detection and Classification via Opportunistic Sampling” by G. Androulidakis, V. Chatzigiannakis, and S. Papavassiliou, argues that intelligent flow sampling can both reduce the data for processing and improve the effectiveness of anomaly detection. An entropy-based anomaly detection method is considered in combination with intelligent sampling. Two sampling algorithms are considered, one that favors large flows and another that favors small flows. Experiments are carried out to detect anomalies in traffic data collected from a university campus network.

The second article, “Self-Addressable Memory-Based FSM (SAM-FSM): A Scalable Intrusion Detection Engine” by Benfano Soewito, Lucas Vespa, Atul Mahajan, Ning Weng, and Haibo Wang, addresses the problem of high-speed string matching, commonly performed by signature-based network intrusion detection systems. A novel pattern matching engine is proposed to exploit a memory-based programmable finite state machine to achieve deterministic processing rates that are independent of packet and pattern characteristics. The engine is fully reconfigurable for new attack patterns and is storage-efficient.
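To make concrete why the choice of sampler matters for entropy-based detection, as described for the first article above, here is an added example (written for this editorial, not code from the Androulidakis et al. article). It computes the Shannon entropy of the destination-port distribution in a traffic window, once under a sampler that keeps large flows and once under a sampler that keeps small flows, and compares each against a baseline window. The flow records, the two probabilistic samplers and the thresholds are all constructed here and are assumptions, not the article's algorithms.

```python
"""Entropy-based anomaly detection over intelligently sampled flows.

Added illustration; flows, samplers and thresholds are constructed here
and are not taken from the article.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    byte_count: int


def shannon_entropy(flows, key=lambda f: f.dst_port):
    """Shannon entropy in bits of the distribution of `key` over the flows."""
    counts = Counter(key(f) for f in flows)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def sample_favoring_large(flows, threshold=10_000, rng=None):
    """Keep a flow with probability min(1, bytes/threshold): big flows always survive."""
    rng = rng or random.Random(0)
    return [f for f in flows if rng.random() < min(1.0, f.byte_count / threshold)]


def sample_favoring_small(flows, threshold=500, rng=None):
    """Keep a flow with probability min(1, threshold/bytes): tiny flows always survive."""
    rng = rng or random.Random(0)
    return [f for f in flows if rng.random() < min(1.0, threshold / max(f.byte_count, 1))]


def make_normal_window(rng, n=200):
    """Constructed campus-like window: web dominated, some DNS and SSH."""
    flows = []
    for i in range(n):
        port = rng.choices([80, 443, 53, 22], weights=[50, 35, 10, 5])[0]
        if port == 53:
            size = rng.randint(100, 300)
        elif port == 22:
            size = rng.randint(5_000, 50_000)
        else:
            size = rng.randint(2_000, 200_000)
        flows.append(Flow(f"10.0.{i % 50}.{i % 7 + 1}", port, size))
    return flows


def make_scan_window(rng, n_scan=300):
    """Normal traffic plus one host probing many distinct ports with tiny flows."""
    scan = [Flow("10.0.99.1", 1000 + i, 60) for i in range(n_scan)]
    return make_normal_window(rng) + scan


def entropy_delta(sampler, baseline_flows, window_flows):
    """Shift in port entropy of the sampled window relative to the sampled baseline."""
    return shannon_entropy(sampler(window_flows)) - shannon_entropy(sampler(baseline_flows))


def is_anomalous(delta, threshold_bits=1.0):
    """Flag a window whose port entropy moved by more than the threshold (assumed value)."""
    return abs(delta) > threshold_bits


def run_demo():
    rng = random.Random(42)
    baseline = make_normal_window(rng)
    scan_window = make_scan_window(rng)
    return {
        "delta_small_flows": entropy_delta(sample_favoring_small, baseline, scan_window),
        "delta_large_flows": entropy_delta(sample_favoring_large, baseline, scan_window),
        "kept_small": len(sample_favoring_small(scan_window)),
        "kept_large": len(sample_favoring_large(scan_window)),
        "total": len(scan_window),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.2f}" if isinstance(value, float) else f"{name}: {value}")
```

The port scan consists of hundreds of tiny flows, so the sampler that favors small flows keeps nearly all of them and the entropy of the sampled window jumps by several bits, while the sampler that favors large flows discards most of the scan and barely registers it. Which sampler is "intelligent" therefore depends on the anomaly class one expects to catch; a volume anomaly such as a bulk exfiltration would behave the other way round.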
Memory space is saved by using a meta-pointer for multiple states and collapsing FSM states.

Accurate anomaly detection is a long-standing problem in intrusion detection. The third article, “Accurate Anomaly Detection through Parallelism” by Shashank Shanbhag and Tilman Wolf, proposes a parallel anomaly detection system. Instead of a single detection algorithm, the essential idea is to implement multiple anomaly detection algorithms and monitor multiple traffic subsets in parallel. This design approach has become practical only recently due to high-performance embedded processors (network processors). Each detection algorithm produces an anomaly metric, and all metric outputs are normalized and aggregated into an overall anomaly score reflecting the severity of the anomaly. This method increases detection accuracy by combining multiple anomaly detection algorithms (compared to any single algorithm) and increases sensitivity to anomalies specific to a particular traffic class.

Naturally, attackers are cognizant of intrusion detection systems and attempt numerous ways to avoid detection. One method is IP fragmentation, since it is problematic for intrusion detection systems to collect and reassemble all fragments. The fourth article, “Counting Bloom Filters for Pattern Matching and Anti-Evasion at the Wire Speed” by Gianni Antichi, Domenico Ficara, Stefano Giordano, Gregorio Pro-

Recent Developments in Network Intrusion Detection
Thomas Chen, Zhi Fu, Liwen He, Tim Strayer
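The normalize-then-aggregate step described for the third article is the part practitioners most often get wrong, so here is an added example of it (written for this editorial, not code from the Shanbhag and Wolf article). Three simple detectors run over each traffic class in parallel; each raw metric is turned into a one-sided z-score against a baseline learned from normal windows, clipped, and the per-class means are combined into one overall score with a breakdown that says which class and detector raised it. The traffic classes, the detectors, the scale floor that keeps a near-constant baseline from amplifying noise, and the synthetic flows are all constructed here and are assumptions, not the article's algorithms.

```python
"""Parallel anomaly detectors whose metrics are normalized and aggregated.

Added illustration; classes, detectors, normalization and traffic are
constructed here and are not the article's own algorithm.
"""
import random
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    byte_count: int
    syn_only: bool  # half-open connection: SYN seen, handshake never completed


def traffic_class(flow):
    """Assumed split into the traffic subsets that are monitored in parallel."""
    if flow.dst_port in (80, 443):
        return "web"
    return "dns" if flow.dst_port == 53 else "other"


# Each detector maps a flow list to one raw metric. The second tuple element is a
# floor on the baseline spread: a ratio that is 0 in every training window would
# otherwise have zero spread and turn the first stray value into a huge z-score.
def metric_bytes(flows):
    return float(sum(f.byte_count for f in flows))


def metric_half_open_ratio(flows):
    return sum(f.syn_only for f in flows) / len(flows) if flows else 0.0


def metric_max_flows_per_source(flows):
    return float(max(Counter(f.src for f in flows).values(), default=0))


DETECTORS = {
    "bytes": (metric_bytes, 100_000.0),
    "half_open": (metric_half_open_ratio, 0.05),
    "fanout": (metric_max_flows_per_source, 2.0),
}


def normalize(value, mean, stdev, floor, clip=10.0):
    """One-sided z-score: spreads above the baseline mean, clipped to [0, clip]."""
    z = (value - mean) / max(stdev, floor)
    return min(max(z, 0.0), clip)


class ParallelAnomalyScorer:
    def __init__(self, detectors=DETECTORS, classifier=traffic_class):
        self.detectors = detectors
        self.classifier = classifier
        self.baseline = {}  # (class, detector) -> (mean, stdev)

    def raw_metrics(self, window):
        subsets = defaultdict(list)
        for f in window:
            subsets[self.classifier(f)].append(f)
        return {(cls, name): fn(flows)
                for cls, flows in subsets.items()
                for name, (fn, _) in self.detectors.items()}

    def train(self, windows):
        """Learn per-(class, detector) mean and spread from windows believed normal."""
        samples = defaultdict(list)
        for w in windows:
            for key, value in self.raw_metrics(w).items():
                samples[key].append(value)
        for key, values in samples.items():
            self.baseline[key] = (statistics.fmean(values), statistics.pstdev(values))

    def score(self, window):
        """Return (overall score, normalized score per (class, detector)).

        Overall is the worst class, a class's score being the mean of its
        detectors' normalized outputs; the breakdown is what an analyst triages.
        """
        normalized = {}
        for key, value in self.raw_metrics(window).items():
            if key not in self.baseline:
                continue  # class never seen in training: nothing to compare against
            mean, stdev = self.baseline[key]
            normalized[key] = normalize(value, mean, stdev, self.detectors[key[1]][1])
        per_class = defaultdict(list)
        for (cls, _), z in normalized.items():
            per_class[cls].append(z)
        overall = max((statistics.fmean(zs) for zs in per_class.values()), default=0.0)
        return overall, normalized


def make_normal_window(rng, n=200):
    """Constructed normal window: web-heavy, a little DNS and SSH, ~2% half-open."""
    flows = []
    for _ in range(n):
        port = rng.choices([80, 443, 53, 22], weights=[50, 35, 10, 5])[0]
        if port == 53:
            size = rng.randint(100, 300)
        elif port == 22:
            size = rng.randint(5_000, 50_000)
        else:
            size = rng.randint(2_000, 200_000)
        flows.append(Flow(f"10.0.0.{rng.randint(1, 40)}", port, size, rng.random() < 0.02))
    return flows


def make_syn_flood_window(rng, n_flood=150):
    """Normal window plus one constructed source spraying half-open connections at port 80."""
    return make_normal_window(rng) + [Flow("203.0.113.7", 80, 60, True) for _ in range(n_flood)]


def run_demo():
    rng = random.Random(7)
    scorer = ParallelAnomalyScorer()
    scorer.train([make_normal_window(rng) for _ in range(12)])
    normal_score, _ = scorer.score(make_normal_window(rng))
    flood_score, breakdown = scorer.score(make_syn_flood_window(rng))
    return {"normal": normal_score, "flood": flood_score, "top": max(breakdown, key=breakdown.get)}


if __name__ == "__main__":
    print(run_demo())
```

The byte-volume detector barely moves on the flood (150 tiny SYNs add almost nothing to a web class that moves megabytes per window), which is exactly why a single volume-based algorithm would miss it; the half-open ratio and the per-source fan-out both saturate, and because they are scored per traffic class the web subset stands out even though DNS and SSH look normal.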