A VISUALIZATION TOOL FOR SITUATIONAL AWARENESS OF TACTICAL AND STRATEGIC SECURITY EVENTS ON LARGE AND COMPLEX COMPUTER NETWORKS
R. Bearavolu, K. Lakkaraju, W. Yurcik, H. Raje
National Center for Supercomputing Applications (NCSA)
University of Illinois at Urbana-Champaign
Champaign, Illinois USA

Keywords: situational awareness, NetFlows, intrusion detection, anomaly detection, computer network security

ABSTRACT

Situational awareness of the state of military computer networks is important for both tactical battlefield operations and strategic command-and-control networks. While there have been successful efforts to visualize the state of individual network infrastructure components (routers, links) using SNMP and other network management tools, these systems do not focus on security. Although there have been multiple research proposals, to our knowledge only two realized systems attempt to visualize security events. Assessing the overall security of a large and complex network is an open problem due to the multidimensional data space. We present a tool, NVisionIP, that makes a direct contribution to solving this open problem. NVisionIP is unique among existing systems in that it simultaneously visualizes multidimensional characteristics of individual computers as well as their relationship to network-wide security events in an entire Class B IP address space.

INTRODUCTION

We have developed a tool, NVisionIP, that allows an operator to visualize, on one screen, traffic flows to/from every machine on a large and complex computer network. This tool leverages the innate cognitive processing abilities of human operators, allowing them to see security events. In addition to an overall view of an entire network on one screen, NVisionIP also includes the ability to drill down multiple levels to view subnets of machines or to view attributes of individual machines relevant to security, such as connection and data transfer statistics per protocol or per port.
NVisionIP is built within the Data-To-Knowledge (D2K) data mining software framework and is modular by design, with the data retrieval/preprocessing component independent of the visualization component [4]. The data source for our experiments, the NetFlow application, was selected specifically because it provides mid-level sensing information. While in this investigation we use NetFlow source data, future work will integrate other audit log data sources into what we believe will become an important general-purpose tool. The visualization component of our tool uses colored grids, histograms, and connectivity diagrams that are specifically modified for this application. Usability testing is currently in progress with security experts in order to evaluate potential visualization enhancements including magnification, size, shape, color, and GUI features.

Our initial results show that network-wide characteristics can be determined easily from our visualization. In particular, the features of different subnets are clearly apparent, as are high-volume machines such as clusters and web servers. Through the profiling of benchmark traffic patterns, visualization illuminates suspicious events to be investigated. We identify examples of suspicious events and show how visualization can help to identify these events more effectively.

The remainder of this paper is outlined as follows: Section 2 provides background on previous related work in visualization. Section 3 describes NetFlows, its specific implementation on our instrumented network, and general problems with its use as our data source. Section 4 presents a description of the tool NVisionIP. Section 5 provides in-depth discussion of situational awareness and the contribution of NVisionIP in this area. We close with a summary and conclusions in Section 6.

RELATED WORK

[5] provides the most comprehensive overview of network visualizations. Low-dimension visualizations include
networks mapped onto geography, logical diagrams of equipment (including network management tools based on SNMP), traffic-level representations in X-Y diagrams/pie charts/histograms, connectivity diagrams with links sized/colored according to bandwidth capacity, and packet-level animation of network simulations (as best exemplified in OPNET and Nam) [7]. High-dimension visualizations include the peacock diagrams of Lumeta, which show the Internet in its own space independent of geography, and the SKITTER diagrams of CAIDA, which show peer interconnections projected on a polar-projected longitude graph.

There has been a small amount of work combining network visualization and computer security, which we now describe in chronological order. [10] presents a prototype design tool from the Harris Corporation named the Network Vulnerability Tool (NVT) that visually depicts the network topology under study (using the HP OpenView SNMP product) and generates a vulnerability assessment window with results from proactive scans and a vulnerability database. [11] proposes visual symbols to better communicate security events to users. [17] states that visualization should be the next focus of intrusion detection systems (IDSs), since it can convert the essentially serial IDS alarm process into the parallel process of visual perception. [15] presents a prototype system visualization of aggregate IP address spaces for routing attacks and misconfigurations. The most relevant work is a rapid visual feedback system originally developed by the NASA Jet Propulsion Laboratory for tracking the status of spacecraft components that has now been adapted for network security as a commercial tool called TowerView Security [16]. It should be noted that neither of these two working visualization systems [15, 16] shows network traffic flows or individual host statistics vital for security.
NETFLOWS AS A DATA SOURCE

A basic point is not being addressed by current research: it is fundamental to know how a network is being used. Without some insight into network usage, operators will always be reactive to crisis situations and never able to effectively manage, prevent, or anticipate security events. In this context we use the term usage to mean services and applications and not necessarily user data. The state of the art in security monitoring is alarming/blocking known packet events and monitoring network component status such as CPU utilization, bandwidth utilization, packet volume, and error states. Note also that current monitoring is focused on components and does not reflect relationships between end-system network usage or a holistic view of an entire network (network-wide events).

NetFlows provides such requisite information about network usage using the metric of traffic flows, where a flow is defined as a sequence of related packets in time: sequenced TCP packets in a virtual circuit connection, or UDP datagrams with the same full association (source/destination IPs and port numbers) within a short delta period of time on the same interfaces. While there are some security events that may not have associated network traffic (a floppy-based virus that does not propagate), the overwhelming majority of security events involve flows through characteristic host ports. The basic unit in the NetFlow system is a NetFlows record, a record of a distinct port connection between two machines for a period of time. Since resolution is at the flow level, packet-level details are aggregated for an entire flow. Figure 1 shows the NetFlows record format we use:

  byte    byte
  offset  length  field
  0       1       version (set to 1)
  1       1       pad (set to 0)
  2       4       router ip
  6       4       src ip
  10      4       dst ip
  14      2       src port
  16      2       dst port
  18      4       flow bytes
  22      4       flow packets
  26      1       protocol
  27      1       tcp flags
  28      4       start time (seconds since epoch)
  32      2       start time (milliseconds offset)
  34      4       end time (seconds since epoch)
  38      2       end time (milliseconds offset)
  40      4       pad (set to 0)

Figure 1. NCSA Unified NetFlows Record Format

As packets are forwarded through routers, or past open source software (Argus [2]) installed on an enabled host, a record for each flow is created and kept in a cache until one of the following conditions is met, upon which the flow record is exported [3]: (1) a flow record has been idle for a specified time, (2) a flow record is active longer than the cache size limits, or (3) a TCP connection encounters a FIN or RST flag.

NCSA operates multiple internal core routers with NetFlows capability, as depicted in Figure 2. Currently, each of these routers is configured to send NetFlow output to one NetFlow Collector, a host dedicated to receiving NetFlow export packets. This load balancing between multiple internal routers provides robustness to handle short-term large traffic volume spread across multiple machines (no single internal router point of failure) as well as a scalable architecture to add additional internal routers with long-term increased loads. A complementary approach is a NetFlows capability at an Internet connection (border router), which we also employ.

Figure 2. NCSA's Network Instrumentation for NetFlows

We post-process NetFlows in a multi-stage process as shown in Figure 3. We developed software to combine simultaneous NetFlows output from multiple internal routers into a unified NetFlows file for all network flows within a defined time period (at present we use 5 minutes). The unified NetFlows files are then converted to binary at the Flow Collector, and another storage machine runs a script to convert binary to ASCII as needed.

Figure 3. Streaming NetFlows Transformation into Log Files

There has been some research published on the use of NetFlows. In [8] a fairly sophisticated package of NetFlow analysis tools was created and actively used for network management and security, mainly aimed at detecting backdoors and stepping stones through packet size correlation. [9] develops a flow processing and X-Y plot tool that displays specific flows. In contrast, [12] uses a commercial MySQL database to store and manage flows. By far the most popular NetFlow visualization tool is FlowScan [13], an X-Y plot that has been used for characterizing network traffic anomalies [1]. Whereas previous attempts focused on filtering and visualization of specific flows, FlowScan visualizes aggregate properties of a network, as seen through all network flows. None of these tools can identify specific machine or subnet traffic.

Despite this success, there are potential problems with the use of NetFlows as a data source that should be addressed:

Cache Flushing: A router has a finite cache size that limits the maximum amount of time flows can be cached before being flushed. This time limit is configurable with additional cache; the default configuration is 30 minutes. In the default configuration a flow longer than 30 minutes would be split into more than one flow as the old cache is flushed and the new empty cache is refilled. This problem can be handled with post-processing to check the TCP flags field or by comparing beginning/end timestamps.

Duplicate Records: When a flow passes through multiple routers, each router creates a separate NetFlow record that may be exported to a common NetFlow Collector, resulting in duplicate records for a single flow. This can be handled by using heuristics to determine whether multiple records actually refer to the same flow.

Reliability: NetFlows from routers are exported using UDP datagrams, which have no windowing, retransmission, or acknowledgment mechanisms for reliability. Thus the NetFlows Collector will be unaware of flows lost during export transmission, especially during times of overload (e.g. a DoS attack). Argus does not have this reliability issue and can be used for calibration and error detection of lost NetFlows via router export.

Authentication: Router-exported NetFlows can be spoofed. Anti-spoofing filters, unicast reverse path forwarding, and authentication encryption can mitigate this problem.

Integrity: Router-exported NetFlows are vulnerable to modification and DoS attacks since they are unencrypted datagrams. Appending message digests or error detection codes to datagrams will detect modifications but not man-in-the-middle replay attacks. Argus does not have this vulnerability, since its records do not depend on network transmission.

Confidentiality: Router-exported NetFlows are vulnerable to passive sniffing since they are unencrypted. Argus does not have this vulnerability, since its records do not depend on network transmission.

We have determined that inaccurate information from cache flushing and duplicate records is minimal and detectable in our environment and thus does not significantly change the effectiveness of our tool.
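A worked illustration of the record layout in Figure 1 and of the cache-flushing and duplicate-record post-processing just described, added here as an example and not NCSA's own code. The struct layout follows Figure 1 field by field; big-endian byte order is an assumption (the paper does not state it), and the router addresses, flows and 1-second tolerances are constructed.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Figure 1 layout, 44 bytes per record. Big-endian is an assumption.
RECORD_FMT = ">BBIIIHHIIBBIHIHI"
RECORD_LEN = struct.calcsize(RECORD_FMT)          # 44
TCP_FIN, TCP_RST = 0x01, 0x04
CACHE_FLUSH_S = 30 * 60                           # default cache flush period


@dataclass
class Flow:
    router: str
    src: str
    dst: str
    sport: int
    dport: int
    nbytes: int
    packets: int
    proto: int
    flags: int
    start: float          # seconds since epoch with the ms offset folded in
    end: float

    def key(self):
        """5-tuple of the connection; the exporting router is not part of it."""
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def parse_records(data: bytes):
    """Yield one Flow per 44-byte record in a buffer of concatenated records."""
    if len(data) % RECORD_LEN:
        raise ValueError("buffer is not a whole number of records")
    for off in range(0, len(data), RECORD_LEN):
        (ver, _, router, src, dst, sport, dport, nbytes, pkts, proto, flags,
         s_sec, s_ms, e_sec, e_ms, _) = struct.unpack_from(RECORD_FMT, data, off)
        if ver != 1:
            raise ValueError(f"unexpected version {ver} at offset {off}")
        yield Flow(str(IPv4Address(router)), str(IPv4Address(src)), str(IPv4Address(dst)),
                   sport, dport, nbytes, pkts, proto, flags,
                   s_sec + s_ms / 1000.0, e_sec + e_ms / 1000.0)


def pack_record(f: Flow) -> bytes:
    """Inverse of parse_records; used here only to build the constructed input."""
    s_sec, e_sec = int(f.start), int(f.end)
    return struct.pack(RECORD_FMT, 1, 0, int(IPv4Address(f.router)),
                       int(IPv4Address(f.src)), int(IPv4Address(f.dst)),
                       f.sport, f.dport, f.nbytes, f.packets, f.proto, f.flags,
                       s_sec, round((f.start - s_sec) * 1000),
                       e_sec, round((f.end - e_sec) * 1000), 0)


def dedup_across_routers(flows, delta_s=1.0):
    """Duplicate Records: the same 5-tuple starting at (almost) the same moment,
    reported by a different router, is one flow seen twice; keep the first copy."""
    last_by_key, kept = {}, []
    for f in sorted(flows, key=lambda f: f.start):
        prev = last_by_key.get(f.key())
        if prev is not None and prev.router != f.router and abs(f.start - prev.start) <= delta_s:
            continue
        last_by_key[f.key()] = f
        kept.append(f)
    return kept


def merge_cache_splits(flows, flush_s=CACHE_FLUSH_S, gap_s=1.0):
    """Cache Flushing: a record that ran for a whole cache period without FIN/RST,
    followed by one with the same 5-tuple starting where it ended, is a single
    long flow split by the flush; fold the continuation into the first record."""
    open_by_key, merged = {}, []
    for f in sorted(flows, key=lambda f: f.start):
        prev = open_by_key.get(f.key())
        if (prev is not None and not prev.flags & (TCP_FIN | TCP_RST)
                and prev.end - prev.start >= flush_s - gap_s
                and 0 <= f.start - prev.end <= gap_s):
            prev.nbytes += f.nbytes
            prev.packets += f.packets
            prev.end = f.end
            prev.flags |= f.flags
            continue
        f = Flow(**vars(f))            # copy, so the caller's objects stay intact
        open_by_key[f.key()] = f
        merged.append(f)
    return merged


def postprocess(data: bytes):
    """Parse, drop router duplicates, then re-join flush-split flows."""
    return merge_cache_splits(dedup_across_routers(parse_records(data)))


# Constructed sample: two core routers, documentation-range addresses.
T0 = 1_100_000_000.0
SAMPLE = [
    Flow("10.0.0.1", "192.0.2.10", "198.51.100.5", 40000, 80, 1000, 10, 6, TCP_FIN, T0, T0 + 5.0),
    # same web flow exported by the second core router 200 ms later
    Flow("10.0.0.2", "192.0.2.10", "198.51.100.5", 40000, 80, 1000, 10, 6, TCP_FIN, T0 + 0.2, T0 + 5.2),
    # 30-minute SSH session cut by the cache flush before any FIN/RST ...
    Flow("10.0.0.1", "192.0.2.20", "198.51.100.7", 51000, 22, 5_000_000, 4000, 6, 0, T0, T0 + 1800.0),
    # ... and its continuation record, which carries the FIN
    Flow("10.0.0.1", "192.0.2.20", "198.51.100.7", 51000, 22, 100_000, 80, 6, TCP_FIN, T0 + 1800.3, T0 + 2000.0),
]
SAMPLE_BYTES = b"".join(pack_record(f) for f in SAMPLE)

if __name__ == "__main__":
    for f in postprocess(SAMPLE_BYTES):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} bytes={f.nbytes} pkts={f.packets} "
              f"dur={f.end - f.start:.1f}s fin={bool(f.flags & TCP_FIN)}")
```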
Another unique problem for our network environment is that some traffic (which we have identified) is cut-through switched at data link layer Ethernet hubs and thus not seen by network layer routers instrumented with NetFlows.

TOOL DESCRIPTION

Figure 4 highlights how NVisionIP is built within the Data-to-Knowledge (D2K) software environment. D2K is a rapid, flexible machine-learning system that effectively integrates different data mining methods and offers a set of software modules and application templates that can be accessed through a visual programming environment [4].

Figure 4. NVisionIP Software Organization

Figure 5. NVisionIP GUI

NVisionIP uses modules that are part of D2K as well as modules specifically written for analyzing data sources for intrusion detection. NVisionIP is modularly designed so that the data retrieval/preprocessing component and the visualization component are independent. While NVisionIP currently uses only one data source (NetFlows), in the future we plan to integrate other data sources relevant to intrusion detection. The modular design of NVisionIP makes it easy to extend and analyze multiple data sources.

A formatted NetFlows file is taken as input by the Compute Stats module of the NVisionIP tool to generate statistics for each IP in a given network. Some of the statistics we generate using NetFlows are the number of times the IP is present in the NetFlow file, is in the destination column, is in the source column, etc. The statistics Compute Stats generates depend on the data source. The results generated by the Compute Stats module are further processed by the Create Vis module to create scientific visualizations that are displayed using the D2K Display Vis module. One of the primary goals of the NVisionIP GUI (Figure 5) is to effectively display information about the entire network on one screen, called the Galaxy View (see Figures 5 & 6). This is accomplished by representing an entire Class B IP address space as a 256 x 256 grid in the Create Vis module.
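An added example (not NVisionIP's own code) of the Compute Stats and Create Vis steps just described: per-IP counters over a Class B space with the filter choices the paper lists, the 256 x 256 Galaxy View grid, the Color Legend bins, and the per-port statistics behind the Machine View. The 172.16 prefix, the flows and the legend thresholds are constructed.

```python
from bisect import bisect_left
from collections import defaultdict

CLASS_B = "172.16"            # constructed prefix standing in for the paper's x.y
DYNAMIC = "dynamic"           # bucket for unregistered ports >= 1024

# Constructed flows: (src, dst, src port, dst port, protocol, bytes).
FLOWS = [
    ("172.16.1.10", "203.0.113.7", 44001, 80, 6, 2_000),
    ("172.16.1.10", "203.0.113.7", 44002, 80, 6, 3_000),
    ("172.16.1.10", "203.0.113.9", 44003, 443, 6, 1_000),
    ("203.0.113.50", "172.16.1.10", 53000, 22, 6, 500),
    ("172.16.5.77", "203.0.113.7", 5000, 53, 17, 120),
    ("203.0.113.99", "172.16.5.77", 1234, 445, 6, 60),   # one external host touching
    ("203.0.113.99", "172.16.5.78", 1234, 445, 6, 60),   # three neighbours on the
    ("203.0.113.99", "172.16.5.79", 1234, 445, 6, 60),   # same port of subnet 5
    ("172.16.200.1", "172.16.1.10", 60000, 8080, 6, 10_000_000),  # internal bulk transfer
]


def in_network(ip):
    return ip.startswith(CLASS_B + ".")


def grid_coords(ip):
    """Galaxy View coordinates: subnet (third octet) on X, host (fourth) on Y."""
    _, _, subnet, host = (int(o) for o in ip.split("."))
    return subnet, host


def compute_stats(flows, role="all", activity="connections",
                  protocols=None, ports=None, port_role="all"):
    """Compute Stats module: one counter per local IP, honouring the Figure 7
    filter choices (IP role, connections vs bytes, protocol subset, port subset)."""
    stats = defaultdict(int)
    for src, dst, sport, dport, proto, nbytes in flows:
        if protocols is not None and proto not in protocols:
            continue
        if ports is not None:
            seen = {"all": (sport, dport), "source": (sport,), "destination": (dport,)}[port_role]
            if not any(p in ports for p in seen):
                continue
        value = 1 if activity == "connections" else nbytes
        for ip, is_src in ((src, True), (dst, False)):
            if not in_network(ip):
                continue
            if (role == "source" and not is_src) or (role == "destination" and is_src):
                continue
            stats[ip] += value
    return dict(stats)


def color_index(value, legend):
    """Color Legend: 0 = no activity; then one bin per upper bound in `legend`
    (sorted ascending) and a final bin for everything above the last bound.
    Add Bin / Remove Bin are just insort/remove on that list."""
    if value <= 0:
        return 0
    return 1 + bisect_left(legend, value)


def create_galaxy(stats, legend, swap_axes=False):
    """Create Vis module: the Class B space as a 256 x 256 grid of bin indices."""
    grid = [[0] * 256 for _ in range(256)]
    for ip, value in stats.items():
        subnet, host = grid_coords(ip)
        x, y = (host, subnet) if swap_axes else (subnet, host)
        grid[x][y] = color_index(value, legend)
    return grid


def subnet_totals(stats):
    """Column sums of the Galaxy View: what makes a subnet's character stand out."""
    totals = defaultdict(int)
    for ip, value in stats.items():
        totals[grid_coords(ip)[0]] += value
    return dict(totals)


def port_histogram(flows, ip):
    """Machine View: connections per local port, with unregistered ports pooled."""
    hist = defaultdict(int)
    for src, dst, sport, dport, _, _ in flows:
        if ip == src:
            port = sport
        elif ip == dst:
            port = dport
        else:
            continue
        hist[port if port < 1024 else DYNAMIC] += 1
    return dict(hist)


if __name__ == "__main__":
    stats = compute_stats(FLOWS)
    grid = create_galaxy(stats, legend=[1, 10, 1000])
    for ip in sorted(stats):
        s, h = grid_coords(ip)
        print(f"{ip:>14} connections={stats[ip]:<3} bin={grid[s][h]}")
    print("port 445 destinations per subnet:",
          subnet_totals(compute_stats(FLOWS, role="destination", ports={445}, port_role="destination")))
```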
The NVisionIP GUI also allows the operator two different levels of zoom-in capability: (1) from the Galaxy View to a subset of IP addresses within the network, the Small Multiple View, and (2) from a subset of IPs to a specific IP, the Machine View. The Galaxy View is a 256 x 256 grid where a single point (x, y) on the grid represents the machine with the corresponding IP address (see Figure 6). The subnets are on the X-axis and the hosts are on the Y-axis. All the diagrams shown in this paper display NCSA's Class B IP address space (x.y).

Figure 6. NVisionIP Galaxy View (GV)

The Galaxy View Menu section is divided into two main categories: Informational and Interactive. In the Informational category we have:

Stat Panel: displays the essential statistics about the attribute that is displayed in the GV.

Filter Option Display Panel: displays the filter options selected by the operator.
In the Interactive category, we have the following options:

AxisSwap Button: swaps the axes in the GV.

Magnify Button: enables a magnifier in the GV.

Filter Button: Figure 7 is the filter panel displayed upon clicking the filter button, used to select attributes to be displayed on the GV such as IP address (all/source/destination), activity type (connections/bytes), protocol (all/subset), or ports (all/source/destination/subset).

Color Legend: shows the mapping of ranges of values to colors. The initial mapping is defined by the system and can be modified using the Add Bin and Remove Bin buttons.

Figure 7. NVisionIP Filter Option Display Panel

The first zoom-in view is activated by clicking and dragging the mouse over a section of the IP address space in the Galaxy View. This results in a window with detailed port traffic information about the selected subset of IP addresses, a subnet, or multiple subnets, as shown in Figure 8. The colored histograms represent traffic levels on pre-defined well-known ports and dynamic unregistered ports. The top of the SMV window displays the zoomed view of the IP address space selected by the operator, to enable quick comparison and browsing of port traffic patterns. The bottom of the SMV window provides options for the operator to zoom in further to look at the port traffic on a specific machine: the Machine View (MV). The MV for an IP is displayed by selecting an IP from the SMV and clicking on the "Show Composite" button. An example MV is shown in Figure 9.

Figure 8. NVisionIP Small Multiple View (SMV)

Figure 9. NVisionIP Machine View (MV)

SITUATIONAL AWARENESS

To the military commander, situational awareness is knowing where his troops are, their readiness and capabilities, and more importantly intelligence on the location of enemy troops, their readiness and capabilities. A more simplified definition is knowing what is going on around you.
Assessing security on large and complex computer networks poses challenges to situational awareness similar to the battlefield "fog of war": information overload, dynamically changing information, and a high degree of uncertainty about what is happening. NetFlows provide unidirectional flow records between source and destination machines along with information about how much data is transferred, over which port, and for how long. Hence NetFlows track all security events (~99%) reflected in flow-level details. For example, scans, stepping stones, DoS attacks, chains, botnets, IRC channels, rogue access points, authentication attacks, warez FTP sites, and countless unauthorized services have all been detected using NetFlows. NetFlows are also a good source for traffic profiling: statistical traffic benchmarks for a network, a subnet within a network, a class of machine, a specific machine, or a specific service. Lastly, one of the biggest arguments in favor of NetFlows is the availability of open source software independent of routers (Argus), such that a NetFlows sensing capability can be dynamically implemented anywhere on a network.

The situational awareness provided by NetFlows does have uncertainty in two areas: (1) correctly determining the client/server relationship between two hosts, and (2) correctly interpreting live flows [6, 14]. NetFlows are unidirectional and do not contain an indication of which host initiated the flow, but heuristics such as timestamps, byte counts, port numbers, and other log data sources may be queried to infer the client/server relationship. In the case where client/server flows are asymmetric (inbound/outbound flows travel different paths), records from different NetFlow sensors will need to be correlated to infer the client/server relationship. As for determining live flows, since NetFlow records are created upon flow termination and not upon flow establishment, it follows that (1) most flows are reported in near-real-time only after they have terminated, (2) only flows longer than the cache flush period (30 minute default configuration) may be caught in progress, and (3) it is inevitable that streams of exported NetFlow records will easily become out of starting-time order, since short flows will be sequenced ahead of any long flow that terminates later. Determining live flows can be handled by timestamp-sort post-processing, but this institutes a near-real-time delay equal to the cache flush period.

In summary, despite uncertainty in some situations, NetFlows provide situational awareness unavailable from other sources. While NetFlows may provide complete situational awareness in many cases, the ultimate value of NetFlows will be realized when correlated with other logs.
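An added example, not from the paper, of the two uncertainty areas above: voting with the listed heuristics (start timestamps, port numbers, byte counts) to infer the client/server relationship from unidirectional records, including the asymmetric-path case where the two directions come from different sensors, and re-sorting a termination-ordered export stream into start-time order while flagging the only records that could describe live flows. Sensor names, addresses and the 10 ms tolerance are constructed.

```python
from typing import NamedTuple

CACHE_FLUSH_S = 30 * 60          # default cache flush period from the paper
TCP_FIN, TCP_RST = 0x01, 0x04


class Rec(NamedTuple):
    sensor: str                  # which NetFlow sensor exported the record
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    nbytes: int
    flags: int
    start: float
    end: float


def pair_directions(recs):
    """Group unidirectional records by unordered endpoint pair, so the two halves
    of one conversation land together even when each was seen by a different
    sensor (the asymmetric-path case)."""
    groups = {}
    for r in recs:
        a, b = (r.src, r.sport), (r.dst, r.dport)
        groups.setdefault((min(a, b), max(a, b), r.proto), []).append(r)
    return groups


def infer_client(recs, same_start_s=0.01):
    """Vote with the paper's heuristics for which endpoint is the client.
    Returns (client_ip, server_ip, votes_for_winner, votes_cast); a zero
    votes_cast or a tie means another log source has to be consulted."""
    fwd = min(recs, key=lambda r: r.start)            # earliest-starting direction
    rev = next((r for r in recs if r.src == fwd.dst and r.sport == fwd.dport), None)
    votes, cast = {fwd.src: 0, fwd.dst: 0}, 0

    def vote(ip):
        nonlocal cast
        votes[ip] += 1
        cast += 1

    if rev is not None and rev.start - fwd.start > same_start_s:
        vote(fwd.src)                                 # the side that spoke first
    if (fwd.dport < 1024) != (fwd.sport < 1024):
        vote(fwd.src if fwd.dport < 1024 else fwd.dst)  # well-known port = server
    if rev is not None and fwd.nbytes != rev.nbytes:
        vote(fwd.src if fwd.nbytes < rev.nbytes else rev.src)  # requests are small
    if cast == 0 or votes[fwd.src] == votes[fwd.dst]:
        return None, None, 0, cast
    client = max(votes, key=votes.get)
    server = fwd.dst if client == fwd.src else fwd.src
    return client, server, votes[client], cast


def analyze(recs):
    return {key: infer_client(group) for key, group in pair_directions(recs).items()}


def collector_order(recs):
    """Records are created on termination, so the collector receives them in
    end-time order: short flows overtake any long flow that is still running."""
    return sorted(recs, key=lambda r: r.end)


def start_time_order(recs):
    """Timestamp-sort post-processing; the price is a delay of one flush period."""
    return sorted(recs, key=lambda r: r.start)


def possibly_live(r, flush_s=CACHE_FLUSH_S):
    """Only a flow that filled a whole cache period without FIN/RST can still be
    in progress when its record arrives; everything else has already ended."""
    return r.end - r.start >= flush_s and not r.flags & (TCP_FIN | TCP_RST)


# Constructed records from two core routers and a border router.
T = 1_100_000_000.0
SAMPLE = [
    # web request seen on a core router, the reply returning via the border router
    Rec("core-a", "192.0.2.10", 40000, "198.51.100.5", 80, 6, 400, TCP_FIN, T + 100.00, T + 100.40),
    Rec("border", "198.51.100.5", 80, "192.0.2.10", 40000, 6, 30_000, TCP_FIN, T + 100.05, T + 100.45),
    # only one direction seen; the port number is the sole clue
    Rec("core-a", "203.0.113.9", 51515, "192.0.2.33", 22, 6, 900, TCP_FIN, T + 200.0, T + 230.0),
    # both ports unregistered and a single direction: nothing to go on
    Rec("core-b", "203.0.113.9", 51516, "192.0.2.34", 6000, 6, 900, TCP_FIN, T + 300.0, T + 301.0),
    # long transfer cut by the 30-minute flush, no FIN yet
    Rec("core-b", "192.0.2.20", 51000, "198.51.100.7", 22, 6, 5_000_000, 0, T + 0.0, T + 1800.0),
]

if __name__ == "__main__":
    for key, (client, server, won, cast) in analyze(SAMPLE).items():
        print(f"{key[0][0]} <-> {key[1][0]}: client={client} server={server} ({won}/{cast} votes)")
    print("arrival order:", [r.src for r in collector_order(SAMPLE)])
    print("start order:  ", [r.src for r in start_time_order(SAMPLE)])
    print("possibly live:", [r.src for r in SAMPLE if possibly_live(r)])
```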
For just one example: suppose a flood of small packets is directed at a group of campus addresses. The flood will be visible in NVisionIP, based on NetFlows, but obscured on a graph of aggregate packet traffic, since the spike produced by the flood is a larger percentage of total flows than it is of total packets.

CONCLUSIONS

We have presented a novel visualization tool that provides holistic multi-level security monitoring of an entire IP address space on one screen. Initial testing with operators emphasizes the situational awareness provided by being able to simultaneously visualize traffic activity at different levels (network-wide, subnet, individual machine) to discover new relationships and patterns that otherwise would have been obscured by the sheer volume of raw data and the difficulty of gathering and analyzing this data.

REFERENCES

[1] Barford, P., and D. Plonka. Characteristics of Network Traffic Flow Anomalies. ACM SIGCOMM Internet Measurement Workshop.
[2] Bullard, C. Audit Record Generation and Utilization System (Argus). <ftp://ftp.andrew.cmu.edu/pub/argus>
[3] Cisco Systems. NetFlow Services and Applications, White Paper. < t/neflct/tech/napps_wp.htm>
[4] Data-to-Knowledge (D2K) Reference Manual, NCSA.
[5] Dodge, M., and R. Kitchin. Atlas of Cyberspace. Addison-Wesley.
[6] Dunn, J. Security Applications for Cisco NetFlow Data. SANS Institute.
[7] Estrin, D., et al. Network Visualization with Nam, the VINT Network Animator. IEEE Computer, Nov. 2000.
[8] Fullmer, M., and S. Romig. The OSU Flow-tools Package and Cisco NetFlow Logs. 14th Systems Administration Conference (LISA), Usenix, 2000.
[9] Haberman, M., et al. flowboy: An Object-Oriented Framework for Generic Network Flow Management. Passive/Active Measurement (PAM) Workshop.
[10] Henning, R., and K. Fox. The Network Vulnerability Tool (NVT): A System Vulnerability Visualization Architecture. National Information Systems Security Conference (NISSC).
[11] Hosmer, H. Visualizing Risks: Icons for Information Attack Scenarios. National Information Systems Security Conference (NISSC).
[12] Navarro, J-P., et al. Combining Cisco NetFlow Exports with Relational Database Technology for Usage Statistics, Intrusion Detection, and Network Forensics. 14th Systems Administration Conference (LISA), Usenix, 2000.
[13] Plonka, D. FlowScan: A Network Traffic Flow Reporting and Visualization Tool. 14th Systems Administration Conference (LISA), Usenix.
[14] Sommer, R., and A. Feldmann. NetFlow: Information Loss or Win? ACM SIGCOMM Internet Measurement Workshop (IMW).
[15] Teoh, S., et al. Case Study: Interactive Visualization For Internet Security. IEEE Visualization.
[16] TowerView Security.
[17] Varner, P., and J. Knight. Security Monitoring, Visualization, and System Survivability. IEEE/SEI Information Survivability Workshop (ISW).
Introduction to Netflow Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationIntroduction to Network Discovery and Identity
The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity
More informationRedefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance
White Paper Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance What You Will Learn Modern data centers power businesses through a new generation of applications,
More informationApplication of Netflow logs in Analysis and Detection of DDoS Attacks
International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in
More informationJ-Flow on J Series Services Routers and Branch SRX Series Services Gateways
APPLICATION NOTE Juniper Flow Monitoring J-Flow on J Series Services Routers and Branch SRX Series Services Gateways Copyright 2011, Juniper Networks, Inc. 1 APPLICATION NOTE - Juniper Flow Monitoring
More informationIntegrated Traffic Monitoring
61202880L1-29.1F November 2009 Configuration Guide This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. Including an overview of
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationJK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA
JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates
More informationVidi NMs Network Management
VIDI NMS Network Management The VIDI Network Management System VIDI NMS is a comprehensive tool for a centralised network management with graphical frontend. As it is working in real time the user gets
More informationFlow Based Traffic Analysis
Flow based Traffic Analysis Muraleedharan N C-DAC Bangalore Electronics City murali@ncb.ernet.in Challenges in Packet level traffic Analysis Network traffic grows in volume and complexity Capture and decode
More informationNMS300 Network Management System
NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate
More informationA Summary of Network Traffic Monitoring and Analysis Techniques
http://www.cse.wustl.edu/~jain/cse567-06/ftp/net_monitoring/index.html 1 of 9 A Summary of Network Traffic Monitoring and Analysis Techniques Alisha Cecil, acecil19@yahoo.com Abstract As company intranets
More informationNetFlow Analytics for Splunk
NetFlow Analytics for Splunk User Manual Version 3.5.1 September, 2015 Copyright 2012-2015 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 3 Overview... 3 Installation...
More informationNetwork Management Deployment Guide
Smart Business Architecture Borderless Networks for Midsized organizations Network Management Deployment Guide Revision: H1CY10 Cisco Smart Business Architecture Borderless Networks for Midsized organizations
More informationApplication Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1
Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document
More informationConfiguring NetFlow. Information About NetFlow. Send document comments to nexus1k-docfeedback@cisco.com. CHAPTER
CHAPTER 11 Use this chapter to configure NetFlow to characterize IP traffic based on its source, destination, timing, and application information, to assess network availability and performance. This chapter
More informationIPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令
IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令 1 内 容 流 量 分 析 简 介 IPv6 下 的 新 问 题 和 挑 战 协 议 格 式 变 更 用 户 行 为 特 征 变 更 安 全 问 题 演 化 流 量 导 出 手 段 变 化 设 备 参 考 配 置 流 量 工 具 总 结 2 流 量 分 析 简 介 流 量 分 析 目 标 who, what, where,
More informationSafely Sharing Data Between CSIRTs: The SCRUB* Security Anonymization Tool Infrastructure
Safely Sharing Data Between CSIRTs: The SCRUB* Security Anonymization Tool Infrastructure William Yurcik* Clay Woolam, Greg Hellings, Latifur Khan, Bhavani Thuraisingham University
More informationAssets, Groups & Networks
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationDMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch
DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)
More informationUsage of Netflow in Security and Monitoring of Computer Networks
Usage of Netflow in Security and Monitoring of Computer Networks Shivam Choudhary MIT Manipal ABSTRACT Management of a network is a challenging task without accurate traffic statistics. Through this paper
More informationCANINE: A Combined Conversion and Anonymization Tool for Processing NetFlows for Security
CANINE: A Combined Conversion and Anonymization Tool for Processing NetFlows for Security Abstract Yifan Li, Adam Slagell, Katherine Luo, William Yurcik National Center for Supercomputing Applications
More informationIntegrated Traffic Monitoring
61202880L1-29.1E July 2008 Configuration Guide This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. Including an overview of the
More informationSecurity Event Management. February 7, 2007 (Revision 5)
Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST
More informationIP Filter/Firewall Setup
IP Filter/Firewall Setup Introduction The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a method of restricting users on the local network from
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationNetwork Performance Monitoring at Minimal Capex
Network Performance Monitoring at Minimal Capex Some Cisco IOS technologies you can use to create a high performance network Don Thomas Jacob Technical Marketing Engineer About ManageEngine Network Servers
More informationCharacteristics of Network Traffic Flow Anomalies
Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka I. INTRODUCTION One of the primary tasks of network administrators is monitoring routers and switches for anomalous traffic
More informationA Framework for Effective Alert Visualization. SecureWorks 11 Executive Park Dr Atlanta, GA 30329 {ubanerjee, jramsey}@secureworks.
A Framework for Effective Alert Visualization Uday Banerjee Jon Ramsey SecureWorks 11 Executive Park Dr Atlanta, GA 30329 {ubanerjee, jramsey}@secureworks.com Abstract Any organization/department that
More informationA Software Tool for Multi-Field Multi-Level NetFlows Anonymization. University of Texas at Dallas
A Software Tool for Multi-Field Multi-Level NetFlows Anonymization William Yurcik Clay Woolam, Latifur Khan, Bhavani Thuraisingham University of Texas at Dallas
More informationECE 578 Term Paper Network Security through IP packet Filtering
ECE 578 Term Paper Network Security through IP packet Filtering Cheedu Venugopal Reddy Dept of Electrical Eng and Comp science Oregon State University Bin Cao Dept of electrical Eng and Comp science Oregon
More informationUnified network traffic monitoring for physical and VMware environments
Unified network traffic monitoring for physical and VMware environments Applications and servers hosted in a virtual environment have the same network monitoring requirements as applications and servers
More informationCYBER ATTACKS EXPLAINED: PACKET CRAFTING
CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure
More informationNetwork Management & Monitoring
Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationand reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs
ICmyNet.Flow: NetFlow based traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF Faculty
More informationEKT 332/4 COMPUTER NETWORK
UNIVERSITI MALAYSIA PERLIS SCHOOL OF COMPUTER & COMMUNICATIONS ENGINEERING EKT 332/4 COMPUTER NETWORK LABORATORY MODULE LAB 2 NETWORK PROTOCOL ANALYZER (SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK)
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationQuick Start for Network Agent. 5-Step Quick Start. What is Network Agent?
What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters
More informationRAVEN, Network Security and Health for the Enterprise
RAVEN, Network Security and Health for the Enterprise The Promia RAVEN is a hardened Security Information and Event Management (SIEM) solution further providing network health, and interactive visualizations
More informationFirewall Implementation
CS425: Computer Networks Firewall Implementation Ankit Kumar Y8088 Akshay Mittal Y8056 Ashish Gupta Y8410 Sayandeep Ghosh Y8465 October 31, 2010 under the guidance of Prof. Dheeraj Sanghi Department of
More informationDuring your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) 192.168.0.2 /24
Introduction The Network Vulnerabilities module provides you with the instruction and Server hardware to develop your hands on skills in the defined topics. This module includes the following exercises:
More informationConceptual Integration of Flow-based and Packet-based Network Intrusion Detection
Conceptual Integration of Flow-based and Packet-based Network Intrusion Detection Gregor Schaffrath, Burkhard Stiller Department of Informatics IFI, University of Zürich Communication Systems Group CSG
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More informationNetwork Monitoring and Traffic CSTNET, CNIC
Network Monitoring and Traffic Analysis in CSTNET Chunjing Han Aug. 2013 CSTNET, CNIC Topics 1. The background of network monitoring 2. Network monitoring protocols and related tools 3. Network monitoring
More information1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationScalable Extraction, Aggregation, and Response to Network Intelligence
Scalable Extraction, Aggregation, and Response to Network Intelligence Agenda Explain the two major limitations of using Netflow for Network Monitoring Scalability and Visibility How to resolve these issues
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationUsing IPM to Measure Network Performance
CHAPTER 3 Using IPM to Measure Network Performance This chapter provides details on using IPM to measure latency, jitter, availability, packet loss, and errors. It includes the following sections: Measuring
More informationPlugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help
Plugging Network Security Holes using NetFlow Loopholes in todays network security solutions and how NetFlow can help About ManageEngine Network Servers & Applications Desktop ServiceDesk Windows Infrastructure
More informationSecurity Toolsets for ISP Defense
Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.
More informationNetflow Overview. PacNOG 6 Nadi, Fiji
Netflow Overview PacNOG 6 Nadi, Fiji Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools Architectural issues Software, tools
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
More informationA guide to using the Policy Hit Accounting Tool to display a graphical representation of policy hits on the network
Policy Hit Accounting Tool Guide A guide to using the Policy Hit Accounting Tool to display a graphical representation of policy hits on the network Introduction Enterasys policy-enabled infrastructure
More informationNetFlow v9 Export Format
NetFlow v9 Export Format With this release, NetFlow can export data in NetFlow v9 (version 9) export format. This format is flexible and extensible, which provides the versatility needed to support new
More informationWireshark Developer and User Conference
Wireshark Developer and User Conference Using NetFlow to Analyze Your Network June 15 th, 2011 Christopher J. White Manager Applica6ons and Analy6cs, Cascade Riverbed Technology cwhite@riverbed.com SHARKFEST
More informationPort evolution: a software to find the shady IP profiles in Netflow. Or how to reduce Netflow records efficiently.
TLP:WHITE - Port Evolution Port evolution: a software to find the shady IP profiles in Netflow. Or how to reduce Netflow records efficiently. Gerard Wagener 41, avenue de la Gare L-1611 Luxembourg Grand-Duchy
More informationNETFORT LANGUARDIAN MONITORING WAN CONNECTIONS. How to monitor WAN connections with NetFort LANGuardian Aisling Brennan
NETFORT LANGUARDIAN MONITORING WAN CONNECTIONS How to monitor WAN connections with NetFort LANGuardian Aisling Brennan LANGuardian gives you the information you need to troubleshoot problems and monitor
More informationNetFlow Analysis with MapReduce
NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National University {teshi85, yhlee06, lee}@cnu.ac.kr 2010.04.24(Sat) based on "An Internet Traffic Analysis Method with
More informationBest Practices for NetFlow/IPFIX Analysis and Reporting
WHITEPAPER Best Practices for NetFlow/IPFIX Analysis and Reporting IT managers and network administrators are constantly making decisions affecting critical business activity on the network. Management
More informationDell SonicWALL report portfolio
Dell SonicWALL report portfolio Table of contents Dell SonicWALL Global Management System (GMS ) and Analyzer reports I. Sample on-screen reports II. Sample PDF-generated reports Dell SonicWALL Scrutinizer
More information