Signature-aware Traffic Monitoring with IPFIX 1

Size: px
Start display at page:

Download "Signature-aware Traffic Monitoring with IPFIX 1"

Transcription

1 Signature-aware Traffic Monitoring with IPFIX 1 Youngseok Lee, Seongho Shin, and Taeck-geun Kwon Dept. of Computer Engineering, Chungnam National University, 220 Gungdong Yusonggu, Daejon, Korea, {lee, shshin, tgkwon}@cnu.ac.kr Abstract. Traffic monitoring is essential for accounting user traffic and detecting anomaly traffic such as Internet worms or P2P file sharing applications. Since typical Internet traffic monitoring tools use only TCP/UDP/IP header information, they cannot effectively classify diverse application traffic, because TCP or UDP port numbers could be used by different applications. Moreover, under the recent deployment of firewalls that permits only a few allowed port numbers, P2P or other non-well-known applications could use the well-known port numbers. Hence, a port-based traffic measurement scheme may not provide the correct traffic monitoring results. On the other hand, traffic monitoring has to report not only the general statistics of traffic usage but also anomaly traffic such as exploiting traffic, Internet worms, and P2P traffic. Particularly, the anomaly traffic can be more precisely identified when packet payloads are inspected to find signatures. Regardless of correct packet-level measurement, flow-level measurement is generally preferred because of easy deployment and low-cost operation. In this paper, therefore, we propose a signature-aware flow-level traffic monitoring method based on the IETF IPFIX standard for the next-generation routers, where the flow format of monitoring traffic can be dynamically defined so that signature information could be included. Our experimental results show that the signature-aware traffic monitoring scheme based on IPFIX performs better than the traditional port-based traffic monitoring method. That is, hidden anomaly traffic with the same port number has been revealed. Keywords: signature, IPFIX, traffic measurement, flow, and security. 1 Introduction Traffic monitoring is essential for accounting normal user traffic and detecting anomaly traffic such as Internet worms or P2P file-sharing applications. In general, simple packet- or byte-counting methods with SNMP have been widely used for easy and simple network administration. However, as applications become diverse and 1 This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment). (IITA-2005-(C ))

2 anomaly traffic appears quite often, more detailed classification of application traffic is necessary. Generally, traffic measurement at high-speed networks is challenging because of fast packet-processing requirement. Though packet-level measurement generates correct results, it is not easy to support high-speed line rates. In addition, standalone systems for packet-level traffic monitoring will be expensive for deployment and management in a large-scale network. Hence, Internet Service Providers (ISPs) generally prefer routers or switches that have already traffic monitoring functions to dedicated packet-level traffic monitoring systems. Recently, flow-level measurement methods at routers such as Cisco NetFlow [1] have become popular, because flowlevel measurement could generate useful traffic statistics with a significantly small amount of measurement data. Routers with high-speed line cards such as 1Gbps are supported by Cisco sampled NetFlow. Thus, the standard [2] for traffic monitoring of routers has been proposed by IETF IP Flow Information export (IPFIX) WG, which defines the flexible and extensible template architecture that can be useful for various traffic monitoring applications. For example, IPv6 traffic monitoring, intrusion detection, and QoS measurement have been possible with routers due to the flexible template structure of IPFIX, which cannot be done with NetFlow v5. Though flow-level traffic measurement is simple and easy for deployment, its measurement result may be incorrect, because only IP/TCP/UDP header fields are considered for traffic classification. Nowadays, due to firewalls that allow only wellknown TCP/UDP port numbers, user and applications tend to change the blocked port numbers to the allowed well-known port numbers. In addition, recent P2P applications have begun to use dynamic port numbers instead of fixed port numbers. Therefore, port-based traffic classification may result in wrong traffic measurement results. On the other hand, when the payloads of IP packets are inspected to find the application-specific signatures, the possibility of correct traffic classification is increasing. Currently, most of intrusion detection systems (IDSes) or intrusion protection systems (IPSes) are employing packet inspection methods for investigating anomaly traffic patterns. However, IDSes and IPSes are focusing on only finding the anomaly traffic pattern as soon as possible and generating the alert messages. In this paper, we aim at devising a flow-level traffic monitoring scheme that can utilize the signature information for the correct traffic measurement results while complying with the IPFIX standard. Thus, we propose a flow-level traffic monitoring method with extended IPFIX templates that can carry signatures for a flow. Our proposed method achieves the capability of correct traffic classification even at highspeed routers through examining the payload signatures as well as IP/TCP/UDP header fields. The proposed scheme towards correct and IPFIX-compliant flow-level traffic monitoring has been verified with real packet traces in a campus network. From the experiments it was shown that anomaly traffic hiding itself with the well-known ports could be detected and classified. In addition, we proposed an IPFIX-compliant template that has been extended for carrying signature identification values. The remaining paper is organized as follows. Section 2 describes the related work, and Section 3 explains the IPFIX-compliant signature-aware traffic measurement scheme. In Section4, we present the experimental results of the proposed method, and conclude this paper in Section 5.

3 2 Related Work Typically, flow-level traffic measurement was done with Cisco NetFlow. FlowScan [3], that generates and visualizes traffic with NetFlow, uses port numbers for classifying applications. However, port-based traffic classification methods may be incorrect, because port numbers could be used by other applications. Although packet-level traffic measurement [4] could generate more precise results, it is expensive and difficult to deploy in a large-scale network. In general, snort [5], which is a widely-used open IDS, can detect anomaly traffic such as Internet worms, viruses, or exploiting incidents including signatures. Thus, alert messages and logs are sent and recorded. However, the purpose of the IPS is to detect anomaly traffic. Recently, a few content-aware traffic monitoring methods [6][7] have been proposed. In [6], signatures were used to classify traffic for accounting, and it was shown that traffic of well-known ports includes that of non registered applications. However, it does not support IPFIX. In [7], various traffic classification methods including packet inspection have been compared, and it was explained that unknown traffic could be correctly identified through searching signatures of the first packet, the first a few Kbytes, a few packets, or all the packets of the flow. However, these two studies use their own proprietary architectures for traffic measurement. In this paper, we propose a signature-aware traffic monitoring scheme that employs the IPFIX standard which could be used by next-generation routers. 3 A Proposed Signature-aware Traffic Monitoring Method In this section, we explain the proposed signature-aware traffic monitoring method. 3.1 Architecture Figure 1. Signature-aware IPFIX traffic measurement architecture.

4 Figure 1 illustrates the key components of the signature-aware IPFIX traffic measurement architecture. Generally, the IPFIX device is embedded into routers or switches. However, a dedicated IPFIX device could be installed with capturing packets from the fiber tap or the mirrored port at a switch. The IPFIX collector gathers and analyzes IPFIX flows from multiple IPFIX devices through reliable transport protocols Flow classifier The flow classifier processes incoming packets with 5-tuples of IP/TCP/UDP header fields to find the corresponding flow entries stored at the flow table. If the flow entry corresponding to the incoming packet does not exist, a new flow entry will be created. Otherwise, attributes of the flow entry such as the number of packets, the number of bytes, the first/last flow update time, and etc. will be updated. A flow is defined by a sequence of packet streams sharing 5-tuples (source IP address, source port, destination IP address, destination port, protocol) of IP/TCP/UDP headers within a given timeout. A flow expiration timer is set to terminate a flow if a packet belonging to the same flow specification does not arrive within the timeout. Then, the expired flow entries will be exported to the flow collector. This flow idle timeout value can be configurable. For example, in our experiment, a flow idle timeout of 30 seconds was used as with Cisco routers. In addition to the flow idle timeout, another timer is required to finish and export long-lived flows residing at the flow table Signature inspector While packets are processed at the flow classifier, their payloads are simultaneously investigated by the signature inspector. The found signature will be recorded at the signature identification field of the corresponding flow entry. For this purpose, we defined a new IPFIX template with the signature identification field. A typical example of the signature inspector is snort that has signature identification values. In this paper, every single packet belonging to a flow is inspected for matching signatures. According to the given pattern-matching policy of inspecting packet payloads, it could be determined how many packets or bytes of a flow will be examined. Therefore, we can find signatures from the first K bytes, or the first K packets belonging to a flow. It is known that a single or the first few packets of a flow contain signatures of application protocols. For example, it is enough to examine a single packet for Internet worms consisting of a single packet, while the first packets should be investigated to find the patterns of P2P applications IPFIX-compliant flow exporter When flows are expired, the IPFIX-compliant flow exporter will send to the flow collector flow-exporting packets that contains flow information. Each flow entry includes data records according to the defined flow template. The flow template,

5 which will be sent to the flow collector before the flow data are exported, explains how a flow is organized with several fields. A typical IPFIX-compliant flow data record consists of 5-tuple of IP/TCP/UDP header fields, the number of bytes, the number of packets, the flow start time, the flow end time, and the value of signature ID. In IPFIX, communication between the flow exporter and the flow collector is done through reliable transport protocols such as Stream Control Transport Protocol (SCTP) or TCP IPFIX-compliant flow collector The flow collector receives the template and data record for flows and saves the flows. The flow collector can communicate with multiple flow exporters and can aggregate many flows into a simplified form of flows. Since a lot of flow data are continuously exported to the flow collector, a post-end database system is integrated with the flow collector for further analysis Flow analyzer with signatures as well as ports Given the flow data record, the flow analyzer classifies flows with the signatures as well as typical port numbers. Thus, signature ID s are important when flows are classified. For example, Internet worms or viruses, P2P traffic, and other anomaly traffic that carry signatures are easily classified due to signature ID s regardless of port numbers. In addition, though either a few P2P applications are employing dynamic port hopping, or non-http applications are using 80 port, they could be classified with their signatures. 3.2 IPFIX templates for carrying signatures Every IPFIX message consists of an IPFIX message header, a template set, and a data set (an option template set and option data set) as shown in Fig. 2. A template set defines how the data set is organized. A newly created template is sent through an IPFIX message consisting of interleaved template set and data set (option template set and option data set). After the template set has been delivered to the IPFIX collector, following IPFIX messages can be made up with only data sets. When UDP is used as the transport protocol, template records and option template records must be periodically sent. 2 Optionally, UDP may be used. Figure 2. IPFIX message.

6 We defined a new flow template set including the signature ID field 3 as shown in Fig. 3-(a). The FlowSet ID of 0 means that this flow is the template. Basically, the flow defined by the template in Fig. 3-(a) delivers bytes, packets, flow start/end time, and signature ID for a flow of (src IP, dst IP, src port, dst port, protocol). Here, we use the signature ID values same with snort. Therefore, if the signature inspector finds a signature, it will record the signature ID at this field. (a) IPFIX template set (b) IPFIX flow data set Figure 3. IPFIX template and flow data message format including signature ID. In Fig. 3-(b), the real example of the IPFIX data set which complies with the IPFIX template in Fig. 3-(a) is shown. The Template ID (=256) in Fig. 3-(a) and the FlowSet ID (=256) should be same if the flow data record is to be parsed according to the given template set. The web flow between and has 3,482 bytes, 5 packets, and the signature ID of 1855 which is related with the DDoS attack. Generally, in a single flow packet, more than one flow data set will be contained. 4 Experiments 4.1 Prototype of a signature-aware traffic monitoring tool In order to evaluate the signature-aware traffic monitoring method, we implemented the prototype with snort and IPFIX-compliant flow generator, nprobe [8]. The prototype generates IPFIX flows according to the pre-defined flow template that includes signatures inspected by snort. For the IPFIX collector, we developed a real-time flow collector that can analyze the flows with signature ID. 3 The type of the signature ID is defined to 200 and the length of the signature ID is 2 bytes.

7 4.2 Experimental results We verified the proposed signature-aware traffic monitoring method with packet traces in Table 1 collected at our campus network. This packet trace was captured at CNU as shown in Fig. 4 and it consists of mostly TCP traffic. Although many packet traces have been tested, only the representative set for two days is shown in this paper. Figure 4. Traffic measurement at Chungnam National University Table 1. CNU campus packet trace in the experiments ( ) Inbound Outbound Total bytes 3.2TB 2.4TB Total packets 6,812,926,748 7,272,913,398 Total flows 65,130,555 80,017,160 Overall, the prototype of the proposed traffic monitoring scheme has detected 0.6/0.8% flows with signatures for total inbound/outbound traffic. In the CNU campus network, since the recent negative firewall policy that opens only well-known port numbers has been employed, the anomaly traffic is not much reported in the experiments. Yet, our tool shows hidden anomaly traffic with signatures in Table 2. For example, bad traffic with loopback addresses or UDP port 0 was found with signatures of 528 and 525. Possible exploiting traffic with signature 312 was observed. In outbound link, hidden P2P traffic called Soribada was seen with a user-defined signature In addition, possible DDoS attack traffic with signature 1855 was captured. Table 2. Top 10 signatures found in CNU network Inbound Outbound Signature ID Number of flows Signature ID Number of flows , ,781

8 483 34, , , , , , , , , , , , , , , , , ,480 The detailed per-port statistics are shown in Table 3. In inbound traffic, various ICMP-based attack patterns have been found at port 0. Similarly, signatures are observed at well-known ports of 20, 22, 80, and 8080 as well as not-well-known ports of 2420, 2725, 3389, 4075, and In outbound traffic, one interesting port is which is used for web disk service of exchanging files. Destination Port Table 3. Top 10 port breakdown of traffic with signatures Inbound Total number of packets % of packets with signatures Destination Port Outbound Total number of packets % packets with signatures 0 198,190, ,446,312, ,441, ,463, ,035, ,413, ,638, ,554, ,638, ,500, ,907, ,935, ,004, ,201, ,867, ,077, ,295, ,164, ,619, ,544, At the specific port number, the found signature information is widely distributed. For example as shown in Fig. 5, BitTorrent signature 2180 has been found in outbound link. In addition, at port 80, other signatures such as bad traffic with loopback address (528), web-misc whisker tab splice attack (1087), spyware-put trackware (5837), and DDoS attack (1855). From the experiments, it was shown that our signature-aware traffic monitoring method can illustrate the hidden P2P or anomaly traffic patterns.

9 Various Signatures at Port 80 in CNU Inbound Traffic # of Packets Signature ID Various Signatures at Port 80 in CNU Outbound Traffic # of Packets Signature ID Figure 5. Various signatures found at port 80 Figure 6 is a snapshot of our tool [9] which can visualize signature-aware IPFIX flow data exported from routers. The traffic with signatures of 527 and 2586 has been shown. The signature ID of 527 is related with a DoS traffic attack with the same source and destination addresses. The signature ID of 2586 is the edonkey traffic which has E3 signature in the payload as follows. Figure 6. A snapshot of visualizing the signature-aware IPFIX flows.

10 5 Conclusion In this paper, we proposed a signature-aware traffic monitoring method under the IETF IPFIX standard, and showed experimental results with the prototype. Our traffic monitoring scheme can reveal the hidden traffic patterns that are not shown under the port-based traffic monitoring tools. In order to be compliant with the IPFIX standard, we defined the signature field by extending the IPFIX template. While the traffic monitoring function proposed by this paper requires high performance for deep packet inspection and fast flow classification, it could be supported with network processor (NP) systems with ASIC or TCAM. In addition, since the proposed method uses the IPFIX standard, it could easily support IPv6 networks by changing IP address types. Although this paper has shown the first and realistic security-related application of IPFIX, the payload inspection algorithm is needed to be further studied for completeness and correctness. For instance, the false positive of the signature-based traffic classification method will be further studied in the future work. References [1] Cisco NetFlow, x-charter.html [2] J. Quittek, T. Zseby, B. Claise, and S. Zander, Requirements for IP Flow Information Export (IPFIX), IETF RFC3917, Oct [3] D. Plonka, FlowScan: A Network Traffic Flow Reporting and Visualization Tool, USENIX LISA, [4] C. Fraleigh, S. Moon, B. Lyles, C. Cotton, M. Khan, D. Moll, R. Rockell, T. Seely, and C. Diot, Packet-Level Traffic Measurements from the Sprint IP Backbone, IEEE Network, vol. 17 no. 6, pp. 6-16, Nov [5] M. Roesch, Snort - Lightweight Intrusion Detection for Networks, USENIX LISA, [6] T. Choi, C. Kim, S. Yoon, J. Park, B. Lee, H. Kim, H. Chung, and T. Jeong, Contentaware Internet Application Traffic Measurement and Analysis, IEEE/IFIP Network Operations & Management Symposium, [7] A. Moore and K. Papagiannaki, Toward the Accurate Identification of Network Applications, Passive and Active Measurement Workshop, April [8] nprobe, [9] WinIPFIX,

NetFlow Analysis with MapReduce

NetFlow Analysis with MapReduce NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National University {teshi85, yhlee06, lee}@cnu.ac.kr 2010.04.24(Sat) based on "An Internet Traffic Analysis Method with

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

Introduction to Cisco IOS Flexible NetFlow

Introduction to Cisco IOS Flexible NetFlow Introduction to Cisco IOS Flexible NetFlow Last updated: September 2008 The next-generation in flow technology allowing optimization of the network infrastructure, reducing operation costs, improving capacity

More information

NSC 93-2213-E-110-045

NSC 93-2213-E-110-045 NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends

More information

Scalable Extraction, Aggregation, and Response to Network Intelligence

Scalable Extraction, Aggregation, and Response to Network Intelligence Scalable Extraction, Aggregation, and Response to Network Intelligence Agenda Explain the two major limitations of using Netflow for Network Monitoring Scalability and Visibility How to resolve these issues

More information

Network Monitoring and Management NetFlow Overview

Network Monitoring and Management NetFlow Overview Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

Introduction to Netflow

Introduction to Netflow Introduction to Netflow Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)

More information

Research on Errors of Utilized Bandwidth Measured by NetFlow

Research on Errors of Utilized Bandwidth Measured by NetFlow Research on s of Utilized Bandwidth Measured by NetFlow Haiting Zhu 1, Xiaoguo Zhang 1,2, Wei Ding 1 1 School of Computer Science and Engineering, Southeast University, Nanjing 211189, China 2 Electronic

More information

Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information

Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information Analysis of SIP Traffic Behavior with NetFlow-based Statistical Information Changyong Lee, Hwankuk-Kim, Hyuncheol Jeong, Yoojae Won Korea Information Security Agency, IT Infrastructure Protection Division

More information

NetFlow: What is it, why and how to use it? Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.

NetFlow: What is it, why and how to use it? Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o. NetFlow: What is it, why and how to use it?, milos.zekovic@soneco.rs Soneco d.o.o. Serbia Agenda What is NetFlow? What are the benefits? How to deploy NetFlow? Questions 2 / 22 What is NetFlow? NetFlow

More information

Network Traffic Anomalies Detection and Identification with Flow Monitoring

Network Traffic Anomalies Detection and Identification with Flow Monitoring Network Traffic Anomalies Detection and Identification with Flow Monitoring Huy Anh Nguyen, Tam Van Nguyen, Dong Il Kim, Deokjai Choi Department of Computer Engineering, Chonnam National University, Korea

More information

Towards Streaming Media Traffic Monitoring and Analysis. Hun-Jeong Kang, Hong-Taek Ju, Myung-Sup Kim and James W. Hong. DP&NM Lab.

Towards Streaming Media Traffic Monitoring and Analysis. Hun-Jeong Kang, Hong-Taek Ju, Myung-Sup Kim and James W. Hong. DP&NM Lab. Towards Streaming Media Traffic Monitoring and Analysis Hun-Jeong Kang, Hong-Taek Ju, Myung-Sup Kim and James W. Hong Dept. of Computer Science and Engineering, Pohang Korea Email: {bluewind, juht, mount,

More information

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令 IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令 1 内 容 流 量 分 析 简 介 IPv6 下 的 新 问 题 和 挑 战 协 议 格 式 变 更 用 户 行 为 特 征 变 更 安 全 问 题 演 化 流 量 导 出 手 段 变 化 设 备 参 考 配 置 流 量 工 具 总 结 2 流 量 分 析 简 介 流 量 分 析 目 标 who, what, where,

More information

A VoIP Traffic Monitoring System based on NetFlow v9

A VoIP Traffic Monitoring System based on NetFlow v9 A VoIP Traffic Monitoring System based on NetFlow v9 Chang-Yong Lee *1, Hwan-Kuk Kim, Kyoung-Hee Ko, Jeong-Wook Kim, Hyun- Cheol Jeong Korea Information Security Agency, Seoul, Korea {chylee, rinyfeel,

More information

Network congestion control using NetFlow

Network congestion control using NetFlow Network congestion control using NetFlow Maxim A. Kolosovskiy Elena N. Kryuchkova Altai State Technical University, Russia Abstract The goal of congestion control is to avoid congestion in network elements.

More information

Network Management & Monitoring

Network Management & Monitoring Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

An apparatus for P2P classification in Netflow traces

An apparatus for P2P classification in Netflow traces An apparatus for P2P classification in Netflow traces Andrew M Gossett, Ioannis Papapanagiotou and Michael Devetsikiotis Electrical and Computer Engineering, North Carolina State University, Raleigh, USA

More information

Flow Based Traffic Analysis

Flow Based Traffic Analysis Flow based Traffic Analysis Muraleedharan N C-DAC Bangalore Electronics City murali@ncb.ernet.in Challenges in Packet level traffic Analysis Network traffic grows in volume and complexity Capture and decode

More information

Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System

Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System 1 Hyun-chul Kim, 2Jihoon Lee Dept. of Computer Software Engineering, Sangmyung Univ., hyunchulk@gmail.com

More information

Netflow Overview. PacNOG 6 Nadi, Fiji

Netflow Overview. PacNOG 6 Nadi, Fiji Netflow Overview PacNOG 6 Nadi, Fiji Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools Architectural issues Software, tools

More information

A Review of the Measuring Platform

A Review of the Measuring Platform Measuring Platform Architecture Based on the IPFIX Standard Alžbeta Kleinová, Anton Baláž, Jana Trelová, Norbert Ádám Department of Computers and Informatics, Technical University of Košice Letná 9, 042

More information

and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs

and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs ICmyNet.Flow: NetFlow based traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF Faculty

More information

NetFlow v9 Export Format

NetFlow v9 Export Format NetFlow v9 Export Format With this release, NetFlow can export data in NetFlow v9 (version 9) export format. This format is flexible and extensible, which provides the versatility needed to support new

More information

Get Your FIX: Flow Information export Analysis and Visualization

Get Your FIX: Flow Information export Analysis and Visualization Get Your FIX: Flow Information export Analysis and Visualization Joint Techs Workshop, Madison, Wisconsin, July 19, 2006 Dave Plonka plonka@doit.wisc.edu Division of Information Technology, Computer Sciences

More information

Comprehensive IP Traffic Monitoring with FTAS System

Comprehensive IP Traffic Monitoring with FTAS System Comprehensive IP Traffic Monitoring with FTAS System Tomáš Košňar kosnar@cesnet.cz CESNET, association of legal entities Prague, Czech Republic Abstract System FTAS is designed for large-scale continuous

More information

Flow Analysis Versus Packet Analysis. What Should You Choose?

Flow Analysis Versus Packet Analysis. What Should You Choose? Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation

More information

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Introduction Related Studies Overview SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring

More information

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B. ICND2 NetFlow Question 1 What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing Answer: A C D NetFlow

More information

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA

Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA Viete, čo robia Vaši užívatelia na sieti? Roman Tuchyňa, CSA What is ReporterAnalyzer? ReporterAnalyzer gives network professionals insight into how application traffic is impacting network performance.

More information

A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks

A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks Long-Quan Zhao 1, Seong-Chul Hong 1, Hong-Taek Ju 2 and James Won-Ki Hong 1 1 Dept. of Computer Science and Engineering,

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

Hadoop Technology for Flow Analysis of the Internet Traffic

Hadoop Technology for Flow Analysis of the Internet Traffic Hadoop Technology for Flow Analysis of the Internet Traffic Rakshitha Kiran P PG Scholar, Dept. of C.S, Shree Devi Institute of Technology, Mangalore, Karnataka, India ABSTRACT: Flow analysis of the internet

More information

Network security Exercise 10 Network monitoring

Network security Exercise 10 Network monitoring Network security Exercise 10 Network monitoring Tobias Limmer Computer Networks and Communication Systems Dept. of Computer Sciences, University of Erlangen-Nuremberg, Germany 2. 6.02.2009 Tobias Limmer:

More information

NetFlow/IPFIX Various Thoughts

NetFlow/IPFIX Various Thoughts NetFlow/IPFIX Various Thoughts Paul Aitken & Benoit Claise 3 rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management, July 2010 1 B #1 Application Visibility Business Case NetFlow (L3/L4) DPI Application

More information

How To Classify Network Traffic In Real Time

How To Classify Network Traffic In Real Time 22 Approaching Real-time Network Traffic Classification ISSN 1470-5559 Wei Li, Kaysar Abdin, Robert Dann and Andrew Moore RR-06-12 October 2006 Department of Computer Science Approaching Real-time Network

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

Using UDP Packets to Detect P2P File Sharing

Using UDP Packets to Detect P2P File Sharing 188 IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.8, August 27 Using UDP Packets to Detect P2P File Sharing Tsang-Long Pao and Jian-Bo Chen Tatung University, Taipei,

More information

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX Martin Elich 1,3, Matěj Grégr 1,2 and Pavel Čeleda1,3 1 CESNET, z.s.p.o., Prague, Czech Republic 2 Brno University of Technology,

More information

Two State Intrusion Detection System Against DDos Attack in Wireless Network

Two State Intrusion Detection System Against DDos Attack in Wireless Network Two State Intrusion Detection System Against DDos Attack in Wireless Network 1 Pintu Vasani, 2 Parikh Dhaval 1 M.E Student, 2 Head of Department (LDCE-CSE) L.D. College of Engineering, Ahmedabad, India.

More information

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com NetFlow Tracker Overview Mike McGrath x ccie CTO mike@crannog-software.com 2006 Copyright Crannog Software www.crannog-software.com 1 Copyright Crannog Software www.crannog-software.com 2 LEVELS OF NETWORK

More information

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline

More information

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY CISCO INFORMATION TECHNOLOGY SEPTEMBER 2004 1 Overview Challenge To troubleshoot capacity and quality problems and to understand

More information

A Fast Pattern-Matching Algorithm for Network Intrusion Detection System

A Fast Pattern-Matching Algorithm for Network Intrusion Detection System A Fast Pattern-Matching Algorithm for Network Intrusion Detection System Jung-Sik Sung 1, Seok-Min Kang 2, Taeck-Geun Kwon 2 1 ETRI, 161 Gajeong-dong, Yuseong-gu, Daejeon, 305-700, Korea jssung@etri.re.kr

More information

Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network

Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 21, 571-578 (2005) Short Paper Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network Department of Computer Science and Information

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information

Detecting UDP attacks using packet symmetry with only flow data

Detecting UDP attacks using packet symmetry with only flow data University of Twente Department of Electrical Engineering, Mathematics an Computer Science Chair for Design and Analysis of Communication Systems Detecting UDP attacks using packet symmetry with only flow

More information

NetFlow Tips and Tricks

NetFlow Tips and Tricks NetFlow Tips and Tricks Introduction... 2 NetFlow and other Flow Technologies... 2 NetFlow Tips and Tricks... 4 Tech Tip 1: Troubleshooting Network Issues... 4 Tech Tip 2: Network Anomaly Detection...

More information

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways

J-Flow on J Series Services Routers and Branch SRX Series Services Gateways APPLICATION NOTE Juniper Flow Monitoring J-Flow on J Series Services Routers and Branch SRX Series Services Gateways Copyright 2011, Juniper Networks, Inc. 1 APPLICATION NOTE - Juniper Flow Monitoring

More information

FlowMon. Complete solution for network monitoring and security. INVEA-TECH info@invea-tech.com

FlowMon. Complete solution for network monitoring and security. INVEA-TECH info@invea-tech.com FlowMon Complete solution for network monitoring and security INVEA-TECH info@invea-tech.com INVEA-TECH University spin-off company 10 years of development, participation in EU funded projects project

More information

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6 (Integrated) Technology White Paper Issue 01 Date 2012-9-6 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means

More information

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools Case Study: Instrumenting a Network for NetFlow Security Visualization Tools William Yurcik* Yifan Li SIFT Research Group National Center for Supercomputing Applications (NCSA) University of Illinois at

More information

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On

How To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On Michel Laterman We have a monitor set up that receives a mirror from the edge routers Monitor uses an ENDACE DAG 8.1SX card (10Gbps) & Bro to record connection level info about network usage Can t simply

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

Keywords Attack model, DDoS, Host Scan, Port Scan

Keywords Attack model, DDoS, Host Scan, Port Scan Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection

More information

Network Performance Monitoring at Minimal Capex

Network Performance Monitoring at Minimal Capex Network Performance Monitoring at Minimal Capex Some Cisco IOS technologies you can use to create a high performance network Don Thomas Jacob Technical Marketing Engineer About ManageEngine Network Servers

More information

Practical Experience with IPFIX Flow Collectors

Practical Experience with IPFIX Flow Collectors Practical Experience with IPFIX Flow Collectors Petr Velan CESNET, z.s.p.o. Zikova 4, 160 00 Praha 6, Czech Republic petr.velan@cesnet.cz Abstract As the number of Internet applications grows, the number

More information

IPTV Traffic Monitoring System with IPFIX/PSAMP

IPTV Traffic Monitoring System with IPFIX/PSAMP IPTV Traffic Monitoring System with IPFIX/PSAMP Shingo Kashima NTT Information Sharing Platform Laboratories 3rd NMRG Workshop 2010 NTT Information Sharing Platform Laboratories Outline Introduction Motivation

More information

Configuring NetFlow. Information About NetFlow. Send document comments to nexus1k-docfeedback@cisco.com. CHAPTER

Configuring NetFlow. Information About NetFlow. Send document comments to nexus1k-docfeedback@cisco.com. CHAPTER CHAPTER 11 Use this chapter to configure NetFlow to characterize IP traffic based on its source, destination, timing, and application information, to assess network availability and performance. This chapter

More information

Enhancing Flow Based Network Monitoring

Enhancing Flow Based Network Monitoring Enhancing Flow Based Network Monitoring Flow-based technologies such as NetFlow, sflow, J-Flow, and IPFIX are increasingly popular tools used by network operators. The tools leverage the capabilities embedded

More information

Network Agent Quick Start

Network Agent Quick Start Network Agent Quick Start Topic 50500 Network Agent Quick Start Updated 17-Sep-2013 Applies To: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7 and 7.8 Websense

More information

Page 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications

Page 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications Outline EEC 274 Internet Measurements & Analysis Spring Quarter, 2006 Traffic Measurements Traffic measurements What metrics are we interested in? Measurement and analysis methodologies Traffic characterization

More information

CISCO IOS NETFLOW AND SECURITY

CISCO IOS NETFLOW AND SECURITY CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network

More information

How To Identify Different Operating Systems From A Set Of Network Flows

How To Identify Different Operating Systems From A Set Of Network Flows Passive OS detection by monitoring network flows Siebren Mossel University of Twente P.O. Box 217, 7500AE Enschede The Netherlands s.mossel@gmx.net ABSTRACT` Network flow monitoring is a way of monitoring

More information

Application of Netflow logs in Analysis and Detection of DDoS Attacks

Application of Netflow logs in Analysis and Detection of DDoS Attacks International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in

More information

Cisco IOS NetFlow Version 9 Flow-Record Format

Cisco IOS NetFlow Version 9 Flow-Record Format Cisco IOS NetFlow Version 9 Flow-Record Format Last updated: February 007 Overview Cisco IOS NetFlow services provide network administrators with access to information concerning IP flows within their

More information

Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks

Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks Yan Hu Dept. of Information Engineering Chinese University of Hong Kong Email: yhu@ie.cuhk.edu.hk D. M. Chiu

More information

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free) Network Traffic Performance & Security Monitoring Project proposal minimal project Orsenna;Invea-Tech FLOWMON PROBES 1000 & 100 Contents 1. Introduction... 2 1.1. General System Requirements... 2 1.2.

More information

WhatsUpGold. v12.3.1. NetFlow Monitor User Guide

WhatsUpGold. v12.3.1. NetFlow Monitor User Guide WhatsUpGold v12.3.1 NetFlow Monitor User Guide Contents CHAPTER 1 WhatsUp Gold NetFlow Monitor Overview What is NetFlow?... 1 How does NetFlow Monitor work?... 2 Supported versions... 2 System requirements...

More information

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor -0- Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland Department of Computer Science and Engineering University

More information

Wireshark Developer and User Conference

Wireshark Developer and User Conference Wireshark Developer and User Conference Using NetFlow to Analyze Your Network June 15 th, 2011 Christopher J. White Manager Applica6ons and Analy6cs, Cascade Riverbed Technology cwhite@riverbed.com SHARKFEST

More information

Attack and Defense Techniques 2

Attack and Defense Techniques 2 Network Security Attack and Defense Techniques 2 Anna Sperotto, Ramin Sadre Design and Analysis of ommunication Networks (DAS) University of Twente The Netherlands Firewalls Network firewall Internet 25

More information

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes NetFlow Aggregation This document describes the Cisco IOS NetFlow Aggregation feature, which allows Cisco NetFlow users to summarize NetFlow export data on an IOS router before the data is exported to

More information

Monitoring for network security and management. Cyber Solutions Inc.

Monitoring for network security and management. Cyber Solutions Inc. Monitoring for network security and management Cyber Solutions Inc. Why monitoring? Health check of networked node Usage and load evaluation for optimizing the configuration Illegal access detection for

More information

Network traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010

Network traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Network traffic monitoring and management Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Lecture outline What is network traffic management? Traffic management applications Traffic monitoring

More information

A Flow-based Method for Abnormal Network Traffic Detection

A Flow-based Method for Abnormal Network Traffic Detection A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,

More information

Integrated Traffic Monitoring

Integrated Traffic Monitoring 61202880L1-29.1F November 2009 Configuration Guide This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. Including an overview of

More information

The SCAMPI Scaleable Monitoring Platform for the Internet. Baiba Kaskina TERENA baiba@terena.nl

The SCAMPI Scaleable Monitoring Platform for the Internet. Baiba Kaskina TERENA baiba@terena.nl The SCAMPI Scaleable Monitoring Platform for the Internet Baiba Kaskina TERENA baiba@terena.nl Agenda Project overview Project objectives Project partners Work packages Technical information SCAMPI architecture

More information

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA Professor Yang Xiang Network Security and Computing Laboratory (NSCLab) School of Information Technology Deakin University, Melbourne, Australia http://anss.org.au/nsclab

More information

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory. : Real-time Inter-network Defense Against Denial of Service Attacks Kathleen M. Moriarty 22 October 2002 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations,

More information

NetFlow The De Facto Standard for Traffic Analytics

NetFlow The De Facto Standard for Traffic Analytics NetFlow The De Facto Standard for Traffic Analytics A Webinar on NetFlow and its uses in Enterprise Networks for Bandwidth and Traffic Analytics Don Thomas Jacob Technical Marketing Engineer ManageEngine

More information

Internet Management and Measurements Measurements

Internet Management and Measurements Measurements Internet Management and Measurements Measurements Ramin Sadre, Aiko Pras Design and Analysis of Communication Systems Group University of Twente, 2010 Measurements What is being measured? Why do you measure?

More information

UKCMG Industry Forum November 2006

UKCMG Industry Forum November 2006 UKCMG Industry Forum November 2006 Capacity and Performance Management of IP Networks Using IP Flow Measurement Agenda Challenges of capacity and performance management of IP based networks What is IP

More information

Network Based Intrusion Detection Using Honey pot Deception

Network Based Intrusion Detection Using Honey pot Deception Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.

More information

A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems

A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems L. D Acunto, J.A. Pouwelse, and H.J. Sips Department of Computer Science Delft University of Technology, The Netherlands l.dacunto@tudelft.nl

More information

Advanced Computer Networks IN2097. 1 Dec 2015

Advanced Computer Networks IN2097. 1 Dec 2015 Chair for Network Architectures and Services Technische Universität München Advanced Computer Networks IN2097 1 Dec 2015 Prof. Dr.-Ing. Georg Carle Chair for Network Architectures and Services Department

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Flow Analysis. Make A Right Policy for Your Network. GenieNRM Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do

More information

Extensible Network Configuration and Communication Framework

Extensible Network Configuration and Communication Framework Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood Applied Research Laboratory Department of Computer Science and Engineering: Washington University in Saint Louis

More information

Statistical Characteristics of Multicast Traffic on a National Backbone Network

Statistical Characteristics of Multicast Traffic on a National Backbone Network Statistical Characteristics of Multicast Traffic on a National Backbone Network Tao He, Xing Li, Jian Qiu Department of Electronic Engineering Tsinghua University, Beijing, 84, China Telephone: +86--6279255

More information

Gaining Operational Efficiencies with the Enterasys S-Series

Gaining Operational Efficiencies with the Enterasys S-Series Gaining Operational Efficiencies with the Enterasys S-Series Hi-Fidelity NetFlow There is nothing more important than our customers. Gaining Operational Efficiencies with the Enterasys S-Series Introduction

More information

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document

Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.

More information

The Architecture of NG-MON: a Passive Network Monitoring System for High-Speed IP Networks 1

The Architecture of NG-MON: a Passive Network Monitoring System for High-Speed IP Networks 1 The Architecture of NG-MON: a Passive Network Monitoring System for High-Speed IP Networks 1 Se-Hee Han 1, Myung-Sup Kim 2, Hong-Taek Ju 3 and James Won-Ki Hong 4 1,2,4 Department of Computer Science and

More information

Stateful vs. stateless traffic analysis

Stateful vs. stateless traffic analysis Stateful vs. stateless traffic analysis Rahul Patel Business Line Manager, Advanced Products Group Hifn, Inc. Introduction Over the past few years, the Internet has become a conduit of diverse and complex

More information

The Value of Flow Data for Peering Decisions

The Value of Flow Data for Peering Decisions The Value of Flow Data for Peering Decisions Hurricane Electric IPv6 Native Backbone Massive Peering! Martin J. Levy Director, IPv6 Strategy Hurricane Electric 22 nd August 2012 Introduction Goal of this

More information

Flow-based Worm Detection using Correlated Honeypot Logs

Flow-based Worm Detection using Correlated Honeypot Logs Flow-based Worm Detection using Correlated Honeypot Logs Falko Dressler, Wolfgang Jaegers, and Reinhard German Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058

More information

SonicOS 5.8: NetFlow Reporting

SonicOS 5.8: NetFlow Reporting SonicOS 5.8: NetFlow Reporting Document Scope Rapid growth of IP networks has created interest in new business applications and services. These new services have resulted in increases in demand for network

More information

Network Security Incident Analysis System for Detecting Large-scale Internet Attacks

Network Security Incident Analysis System for Detecting Large-scale Internet Attacks Network Security Incident Analysis System for Detecting Large-scale Internet Attacks Dr. Kenji Rikitake Security Advancement Group NICT, Japan September 6, 2005 Our goals Collaborative monitoring, centralized

More information

Agenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project

Agenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project Cisco Research SCRIPT and the Big Picture Ralf Wolter, Cisco Systems 1 Agenda Building Blocks for the SCRIPT Project Cisco Research Center (CRC) NetFlow: the story and the challenge IPFIX @ IETF Cisco

More information