Signature-aware Traffic Monitoring with IPFIX (1)

Youngseok Lee, Seongho Shin, and Taeck-geun Kwon
Dept. of Computer Engineering, Chungnam National University, 220 Gungdong Yusonggu, Daejon, Korea
{lee, shshin, tgkwon}@cnu.ac.kr

Abstract. Traffic monitoring is essential for accounting user traffic and for detecting anomalous traffic such as Internet worms or P2P file-sharing applications. Typical Internet traffic monitoring tools use only TCP/UDP/IP header information, so they cannot reliably classify diverse application traffic: a TCP or UDP port number can be used by several different applications. Moreover, with the recent deployment of firewalls that permit only a few allowed port numbers, P2P and other non-well-known applications may run on the well-known port numbers. A port-based traffic measurement scheme therefore may not produce correct monitoring results. At the same time, traffic monitoring has to report not only general usage statistics but also anomalous traffic such as exploit attempts, Internet worms, and P2P traffic, and such traffic can be identified far more precisely when packet payloads are inspected for signatures. Although packet-level measurement is the more accurate, flow-level measurement is generally preferred because of its easy deployment and low operating cost. In this paper, therefore, we propose a signature-aware flow-level traffic monitoring method based on the IETF IPFIX standard for next-generation routers, in which the flow format of the monitored traffic can be defined dynamically so that signature information can be included. Our experimental results show that the signature-aware traffic monitoring scheme based on IPFIX performs better than traditional port-based traffic monitoring: anomalous traffic hidden behind the same port number is revealed.

Keywords: signature, IPFIX, traffic measurement, flow, security.
1 Introduction

Traffic monitoring is essential for accounting normal user traffic and for detecting anomalous traffic such as Internet worms or P2P file-sharing applications. Simple packet- or byte-counting with SNMP has been widely used because it makes network administration easy. However, as applications become more diverse and anomalous traffic appears more often, a more detailed classification of application traffic is necessary.

Traffic measurement on high-speed networks is challenging because of the packet-processing rate it requires. Packet-level measurement produces correct results, but it is hard to sustain at high line rates, and standalone packet-level monitoring systems are expensive to deploy and manage across a large network. Internet Service Providers (ISPs) therefore generally prefer routers or switches that already have traffic monitoring functions over dedicated packet-level monitoring systems. Flow-level measurement at routers, such as Cisco NetFlow [1], has recently become popular because it produces useful traffic statistics from a significantly smaller amount of measurement data; on high-speed line cards such as 1 Gbps it is supported by Cisco sampled NetFlow. Building on this, the IETF IP Flow Information Export (IPFIX) working group has proposed a standard [2] for router-based traffic monitoring that defines a flexible, extensible template architecture useful to a range of monitoring applications. For example, IPv6 traffic monitoring, intrusion detection, and QoS measurement become possible at routers because of the IPFIX template structure, none of which can be done with NetFlow v5.

Although flow-level traffic measurement is simple and easy to deploy, its results may be incorrect, because only IP/TCP/UDP header fields are considered for traffic classification. Nowadays, because firewalls allow only well-known TCP/UDP port numbers, users and applications tend to move from blocked ports to the allowed well-known ports, and recent P2P applications use dynamic port numbers instead of fixed ones. Port-based traffic classification may therefore produce wrong measurement results.

(1) This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment). (IITA-2005-(C ))
On the other hand, when the payloads of IP packets are inspected for application-specific signatures, the likelihood of correct traffic classification increases. Currently, most intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) employ packet inspection to look for anomalous traffic patterns. However, IDSes and IPSes focus only on finding the anomalous pattern as early as possible and generating alert messages, rather than on measuring traffic. In this paper, we aim to devise a flow-level traffic monitoring scheme that uses signature information to obtain correct measurement results while complying with the IPFIX standard. We therefore propose a flow-level traffic monitoring method with extended IPFIX templates that carry a signature for each flow. The proposed method achieves correct traffic classification even at high-speed routers by examining payload signatures as well as IP/TCP/UDP header fields. The scheme has been verified with real packet traces from a campus network; the experiments show that anomalous traffic hiding behind well-known ports can be detected and classified. In addition, we propose an IPFIX-compliant template extended to carry signature identification values.

The remainder of the paper is organized as follows. Section 2 describes related work, and Section 3 explains the IPFIX-compliant signature-aware traffic measurement scheme. Section 4 presents the experimental results of the proposed method, and Section 5 concludes the paper.
2 Related Work

Typically, flow-level traffic measurement has been done with Cisco NetFlow. FlowScan [3], which generates and visualizes traffic statistics from NetFlow, uses port numbers to classify applications. Port-based classification may be incorrect, however, because a port number can be used by other applications. Packet-level traffic measurement [4] produces more precise results, but it is expensive and difficult to deploy in a large-scale network. Snort [5], a widely used open-source IDS, detects anomalous traffic such as Internet worms, viruses, or exploit attempts by matching signatures, and then sends alert messages and records logs; the purpose of such a system, however, is to detect anomalous traffic, not to measure it.

Recently, a few content-aware traffic monitoring methods [6][7] have been proposed. In [6], signatures were used to classify traffic for accounting, and it was shown that traffic on well-known ports includes that of unregistered applications; it does not, however, support IPFIX. In [7], various traffic classification methods including packet inspection were compared, and it was shown that unknown traffic can be correctly identified by searching for signatures in the first packet, the first few kilobytes, the first few packets, or all the packets of a flow. Both studies, however, use their own proprietary measurement architectures. In this paper, we propose a signature-aware traffic monitoring scheme built on the IPFIX standard, which next-generation routers can be expected to support.

3 A Proposed Signature-aware Traffic Monitoring Method

In this section, we explain the proposed signature-aware traffic monitoring method.

3.1 Architecture

Figure 1. Signature-aware IPFIX traffic measurement architecture.
Figure 1 illustrates the key components of the signature-aware IPFIX traffic measurement architecture. Generally, the IPFIX device is embedded in a router or switch; alternatively, a dedicated IPFIX device can capture packets from a fiber tap or a mirrored port on a switch. The IPFIX collector gathers and analyzes IPFIX flows from multiple IPFIX devices over a reliable transport protocol.

Flow classifier. The flow classifier processes each incoming packet using the 5-tuple of IP/TCP/UDP header fields to find the corresponding flow entry in the flow table. If no flow entry exists for the packet, a new entry is created; otherwise, the entry's attributes, such as the number of packets, the number of bytes, and the first/last update times, are updated. A flow is defined as a sequence of packets sharing the same 5-tuple (source IP address, source port, destination IP address, destination port, protocol) within a given timeout. A flow expiration timer terminates a flow if no packet matching its specification arrives within the timeout, and the expired flow entry is then exported to the flow collector. This idle timeout is configurable; in our experiment, an idle timeout of 30 seconds was used, as on Cisco routers. In addition to the idle timeout, a second (active) timer is required to terminate and export long-lived flows that would otherwise stay in the flow table indefinitely.

Signature inspector. While packets are processed by the flow classifier, their payloads are simultaneously examined by the signature inspector. A matched signature is recorded in the signature identification field of the corresponding flow entry; for this purpose, we defined a new IPFIX template with a signature identification field. A typical example of a signature inspector is snort, whose rules carry signature identification values (SIDs).
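To make the flow classifier and signature inspector concrete, the following Python is an added example and not the authors' prototype (which combined snort with nprobe). It keeps a 5-tuple flow table with the 30 s idle timeout used in the experiment and an active timeout for long-lived flows (the value 1800 s is assumed here), and hands each packet's payload to a signature inspector that looks only at the first K payload bytes of a flow (K = 64 is assumed). The signature set is constructed for the example: 2180 and 2586 are the snort IDs the paper later reports for BitTorrent and eDonkey, but the byte patterns paired with them here (the BitTorrent handshake prefix and the eDonkey 0xE3 marker byte) are illustrative stand-ins rather than snort's rule bodies, and 9001 is a made-up ID.

```python
import collections

Packet = collections.namedtuple("Packet", "src dst sport dport proto payload")

IDLE_TIMEOUT = 30.0      # seconds; the value used in the paper's experiment
ACTIVE_TIMEOUT = 1800.0  # seconds; cut-off for long-lived flows (value assumed here)
INSPECT_BYTES = 64       # "first K bytes" inspection policy; K is assumed here

# (signature id, byte pattern, anchored at the start of the flow payload?)
# Constructed for this example: 2180/2586 are the snort IDs the paper reports for
# BitTorrent/eDonkey, but these patterns are illustrative, not snort's rule bodies.
SIGNATURES = [
    (2180, b"\x13BitTorrent protocol", True),   # BitTorrent handshake prefix
    (2586, b"\xe3", True),                       # eDonkey marker byte (paper: "E3")
    (9001, b"/etc/passwd", False),               # made-up ID for a path-disclosure probe
]


def find_signature(payload, offset):
    """First signature matching `payload`, which starts `offset` bytes into the
    flow's inspected payload stream; anchored patterns only match at offset 0."""
    for sid, pattern, anchored in SIGNATURES:
        if anchored:
            if offset == 0 and payload.startswith(pattern):
                return sid
        elif pattern in payload:
            return sid
    return None


class Flow:
    def __init__(self, key, ts):
        self.key, self.first, self.last = key, ts, ts
        self.packets = self.octets = self.inspected = 0
        self.signature_id = None

    def record(self):
        """The exported data record: 5-tuple, counters, times, signature ID."""
        src, dst, sport, dport, proto = self.key
        return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto,
                "packets": self.packets, "octets": self.octets,
                "start": self.first, "end": self.last, "signature_id": self.signature_id}


class FlowTable:
    def __init__(self, idle=IDLE_TIMEOUT, active=ACTIVE_TIMEOUT):
        self.idle, self.active = idle, active
        self.flows, self.exported = {}, []

    def _timed_out(self, flow, now):
        return now - flow.last > self.idle or now - flow.first > self.active

    def process(self, pkt, ts, hdr_len=40):
        """Flow classifier: look up the 5-tuple, update counters, then hand the
        payload to the signature inspector while the flow is still under K bytes."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        flow = self.flows.get(key)
        if flow is not None and self._timed_out(flow, ts):
            self.exported.append(flow.record())   # stale entry: export it, start a new flow
            flow = None
        if flow is None:
            flow = self.flows[key] = Flow(key, ts)
        flow.packets += 1
        flow.octets += hdr_len + len(pkt.payload)
        flow.last = ts
        if flow.signature_id is None and flow.inspected < INSPECT_BYTES:
            window = pkt.payload[:INSPECT_BYTES - flow.inspected]
            flow.signature_id = find_signature(window, flow.inspected)
            flow.inspected += len(window)
        return flow

    def expire(self, now):
        """Expiration timer: export idle and long-lived flows; returns the export count."""
        for key, flow in list(self.flows.items()):
            if self._timed_out(flow, now):
                self.exported.append(flow.record())
                del self.flows[key]
        return len(self.exported)


def demo():
    """Constructed sample traffic: three port-80 flows and one eDonkey flow."""
    t = FlowTable()
    t.process(Packet("10.0.0.5", "203.0.113.9", 51000, 80, 6, b""), 0.0)              # SYN, no payload
    t.process(Packet("10.0.0.5", "203.0.113.9", 51000, 80, 6,
                     b"\x13BitTorrent protocol" + bytes(8)), 0.1)                      # P2P hiding on 80
    t.process(Packet("10.0.0.6", "203.0.113.9", 51001, 80, 6,
                     b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"), 1.0)                 # real web traffic
    t.process(Packet("10.0.0.7", "198.51.100.2", 51002, 4662, 6, b"\xe3\x05\x00\x00\x00\x01"), 2.0)
    t.process(Packet("10.0.0.8", "203.0.113.9", 51003, 80, 6, b"GET /x?q=\xe3 HTTP/1.1\r\n"), 3.0)
    t.expire(now=100.0)
    return {(r["sport"], r["dport"]): r for r in t.exported}


if __name__ == "__main__":
    for key, rec in sorted(demo().items()):
        print(key, rec["packets"], rec["octets"], rec["signature_id"])
```

Two points a practitioner should note. A pattern split across two packets is missed here because the inspector matches per packet; a production inspector reassembles the TCP stream, or at least carries the tail of the previous window, before matching. And a packet arriving after the idle timeout exports the stale entry and opens a fresh flow, so one 5-tuple can appear as several flow records at the collector, exactly as with NetFlow.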
In this paper, every packet belonging to a flow is inspected for matching signatures. The pattern-matching policy for inspecting payloads determines how many packets or bytes of a flow are examined, so signatures can also be sought only in the first K bytes or the first K packets of a flow. It is known that a single packet or the first few packets of a flow contain the signatures of application protocols. For example, a single packet suffices for Internet worms consisting of one packet, while the first few packets must be examined to find the patterns of P2P applications.

IPFIX-compliant flow exporter. When flows expire, the IPFIX-compliant flow exporter sends flow-export packets containing the flow information to the flow collector. Each flow entry is encoded as a data record according to the defined flow template. The flow template, which is sent to the flow collector before the flow data are exported, describes how a flow record is organized into fields. A typical IPFIX-compliant flow data record in our scheme consists of the 5-tuple of IP/TCP/UDP header fields, the number of bytes, the number of packets, the flow start time, the flow end time, and the signature ID. In IPFIX, communication between the flow exporter and the flow collector uses a reliable transport protocol such as the Stream Control Transmission Protocol (SCTP) or TCP (2).

IPFIX-compliant flow collector. The flow collector receives the template and data records and stores the flows. It can communicate with multiple flow exporters and can aggregate many flows into a simplified form. Since a large volume of flow data is continuously exported to the collector, a back-end database system is integrated with it for further analysis.

Flow analyzer with signatures as well as ports. Given the flow data records, the flow analyzer classifies flows by their signatures as well as by the usual port numbers, so signature IDs are central to the classification. For example, Internet worms or viruses, P2P traffic, and other anomalous traffic that carry signatures are classified by their signature IDs regardless of port number. Likewise, P2P applications that employ dynamic port hopping, and non-HTTP applications that use port 80, can still be classified by their signatures.

3.2 IPFIX templates for carrying signatures

Every IPFIX message consists of an IPFIX message header, a template set, and a data set (or an options template set and an options data set), as shown in Fig. 2. A template set defines how the data set is organized. A newly created template is sent in an IPFIX message consisting of interleaved template sets and data sets (or options template sets and options data sets).
After the template set has been delivered to the IPFIX collector, subsequent IPFIX messages can consist of data sets only. When UDP is used as the transport protocol, template records and options template records must be re-sent periodically, since a template lost in transit cannot otherwise be recovered by the collector.

(2) Optionally, UDP may be used.

Figure 2. IPFIX message.
We defined a new flow template set including the signature ID field (3), as shown in Fig. 3-(a). The FlowSet ID of 0 marks the set as a template set in the export format of our prototype; this is the NetFlow v9 convention, whereas the IPFIX protocol as later standardized in RFC 5101 uses Set ID 2 for template sets and Set ID 3 for options template sets. The flow defined by the template in Fig. 3-(a) carries the byte count, packet count, flow start/end times, and signature ID for a flow identified by (src IP, dst IP, src port, dst port, protocol). The signature ID values are the same as snort's, so when the signature inspector finds a signature, it records the snort signature ID in this field.

(a) IPFIX template set (b) IPFIX flow data set
Figure 3. IPFIX template and flow data message format including signature ID.

Fig. 3-(b) shows a real example of an IPFIX data set that complies with the template in Fig. 3-(a). The Template ID (=256) in Fig. 3-(a) and the FlowSet ID (=256) of the data set must be the same if the flow data record is to be parsed according to the given template set. The web flow between the two hosts shown has 3,482 bytes, 5 packets, and signature ID 1855, which is related to a DDoS attack. In general, a single flow-export packet contains more than one flow data set.

(3) The type (information element ID) of the signature ID field is defined as 200 and its length is 2 bytes. Without the Enterprise bit set, an element ID such as 200 lies in the IANA-managed space of standard information elements; an exporter that must interoperate with other IPFIX collectors should instead set the Enterprise bit in the field specifier and carry a private enterprise number, as RFC 5101 defines for enterprise-specific elements.

4 Experiments

4.1 Prototype of a signature-aware traffic monitoring tool

To evaluate the signature-aware traffic monitoring method, we implemented a prototype with snort and the IPFIX-compliant flow generator nprobe [8]. The prototype generates IPFIX flows according to the pre-defined flow template, including the signatures found by snort. For the IPFIX collector, we developed a real-time flow collector that can analyze flows by signature ID.
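As an added example, not the authors' prototype code (which relied on nprobe), the following Python builds and parses an IPFIX message that carries the template of Fig. 3 with the signature ID field, and round-trips the web-flow record of Fig. 3-(b). It uses RFC 5101 framing (version 10, Set ID 2 for the template set) rather than the NetFlow v9 FlowSet ID 0 shown in the figure. The element IDs of the standard fields are IANA's; ID 200 for the signature ID is the paper's choice, and the encoder can alternatively export that field as an enterprise-specific element with a private enterprise number (the PEN 12345 used below is a placeholder). The two IP addresses in the sample record are constructed, since the paper's figure does not reproduce them.

```python
import socket
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2    # RFC 5101 template set (NetFlow v9 uses FlowSet ID 0 for this)
TEMPLATE_ID = 256      # data set IDs must be >= 256
SIGNATURE_IE = 200     # paper's footnote 3: element type 200, length 2

# (name, IANA information element id, length in bytes); signatureId is the paper's private field
FIELDS = [
    ("sourceIPv4Address", 8, 4), ("destinationIPv4Address", 12, 4),
    ("sourceTransportPort", 7, 2), ("destinationTransportPort", 11, 2),
    ("protocolIdentifier", 4, 1), ("octetDeltaCount", 1, 4), ("packetDeltaCount", 2, 4),
    ("flowStartSysUpTime", 22, 4), ("flowEndSysUpTime", 21, 4), ("signatureId", SIGNATURE_IE, 2),
]
NAME_BY_IE = {ie: name for name, ie, _ in FIELDS}


def _pack(name, length, value):
    return socket.inet_aton(value) if name.endswith("IPv4Address") else int(value).to_bytes(length, "big")


def _unpack(name, raw):
    return socket.inet_ntoa(raw) if name.endswith("IPv4Address") else int.from_bytes(raw, "big")


def encode_message(records, signature_pen=None, export_time=0, seq=0, domain=1):
    """Header + template set + data set. With signature_pen given, the signature field
    is written as an enterprise-specific element (Enterprise bit set, PEN appended)."""
    specs = b""
    for name, ie, ln in FIELDS:
        if name == "signatureId" and signature_pen is not None:
            specs += struct.pack("!HHI", ie | 0x8000, ln, signature_pen)
        else:
            specs += struct.pack("!HH", ie, ln)
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS)) + specs
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    body = b"".join(_pack(n, ln, r[n]) for r in records for n, _, ln in FIELDS)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body
    length = 16 + len(template_set) + len(data_set)
    header = struct.pack("!HHIII", IPFIX_VERSION, length, export_time, seq, domain)
    return header + template_set + data_set


def decode_message(msg):
    """Walk the sets in order: learn templates, then decode data records with them."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("bad IPFIX header")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body, off = msg[off + 4:off + set_len], off + set_len
        if set_id == TEMPLATE_SET_ID:
            tid, count = struct.unpack("!HH", body[:4])
            fields, p = [], 4
            for _ in range(count):
                ie, ln = struct.unpack("!HH", body[p:p + 4]); p += 4
                pen = None
                if ie & 0x8000:                       # enterprise-specific: a 4-byte PEN follows
                    ie &= 0x7FFF
                    pen = struct.unpack("!I", body[p:p + 4])[0]; p += 4
                fields.append((ie, ln, pen))
            templates[tid] = fields
        elif set_id >= 256 and set_id in templates:   # data set; unknown template IDs are skipped
            fields = templates[set_id]
            rec_len = sum(ln for _, ln, _ in fields)
            p = 0
            while p + rec_len <= len(body):            # fewer than rec_len trailing bytes are padding
                rec = {}
                for ie, ln, pen in fields:
                    name = NAME_BY_IE.get(ie, f"ie{ie}") if pen is None else f"pen{pen}.ie{ie}"
                    rec[name] = _unpack(name, body[p:p + ln]); p += ln
                records.append(rec)
    return templates, records


SAMPLE_FLOW = {  # the web flow of Fig. 3-(b); the two addresses are constructed
    "sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.20",
    "sourceTransportPort": 3381, "destinationTransportPort": 80, "protocolIdentifier": 6,
    "octetDeltaCount": 3482, "packetDeltaCount": 5,
    "flowStartSysUpTime": 1000, "flowEndSysUpTime": 1300, "signatureId": 1855,
}


def roundtrip(records=(SAMPLE_FLOW,), signature_pen=None):
    """Encode then decode; returns the decoded records."""
    return decode_message(encode_message(list(records), signature_pen))[1]


if __name__ == "__main__":
    print(roundtrip())
    print(roundtrip(signature_pen=12345))
```

The decoder deliberately ignores a data set whose template it has not seen, which is the situation a UDP collector is in between template refreshes; it also rejects a message whose header length disagrees with the bytes received, the check that stops a truncated datagram from being parsed as flow records.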
4.2 Experimental results

We verified the proposed signature-aware traffic monitoring method with the packet traces in Table 1, collected at our campus network. The trace was captured at CNU as shown in Fig. 4 and consists mostly of TCP traffic. Although many packet traces have been tested, only the representative set for two days is shown in this paper.

Figure 4. Traffic measurement at Chungnam National University

Table 1. CNU campus packet trace used in the experiments

                 Inbound          Outbound
Total bytes      3.2 TB           2.4 TB
Total packets    6,812,926,748    7,272,913,398
Total flows      65,130,555       80,017,160

Overall, the prototype detected signatures in 0.6% of inbound flows and 0.8% of outbound flows. Because the CNU campus network has recently adopted a default-deny firewall policy that opens only well-known port numbers, little anomalous traffic is reported in the experiments. Yet our tool still reveals hidden anomalous traffic by signature, as Table 2 shows. For example, bad traffic with loopback addresses or UDP port 0 was found through signatures 528 and 525, and possible exploit traffic with signature 312 was observed. On the outbound link, hidden P2P traffic of the Soribada application was seen through a user-defined signature, and possible DDoS attack traffic with signature 1855 was captured.

Table 2. Top 10 signatures found in the CNU network (columns: Signature ID and number of flows, for inbound and for outbound traffic)

The detailed per-port statistics are shown in Table 3. In inbound traffic, various ICMP-based attack patterns were found at port 0. Signatures were likewise observed at the well-known ports 20, 22, 80, and 8080 as well as at less well-known ports such as 2420, 2725, 3389, and 4075. In outbound traffic, one interesting port is the one used by a web-disk service for exchanging files.

Table 3. Top 10 port breakdown of traffic with signatures (columns: destination port, total number of packets, and % of packets with signatures, for inbound and for outbound traffic)

Within a given port number, the signatures found are widely distributed. For example, as shown in Fig. 5, BitTorrent signature 2180 was found on the outbound link at port 80, along with other signatures such as bad traffic with loopback address (528), the web-misc whisker tab splice attack (1087), spyware-put trackware (5837), and DDoS attack (1855). The experiments thus show that our signature-aware traffic monitoring method reveals hidden P2P and anomalous traffic patterns.
Figure 5. Various signatures found at port 80 (two panels, CNU inbound traffic and CNU outbound traffic; number of packets per signature ID)

Figure 6 is a snapshot of our tool [9], which visualizes signature-aware IPFIX flow data exported from routers. Traffic with signatures 527 and 2586 is shown. Signature ID 527 is related to DoS traffic with the same source and destination addresses, and signature ID 2586 is eDonkey traffic, identified by the eDonkey protocol marker byte 0xE3 in the payload.

Figure 6. A snapshot of visualizing the signature-aware IPFIX flows.
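The flow analyzer of Section 3.1 and the breakdowns of Table 3 and Fig. 5 can be reproduced from exported records with the following added Python, which is not the authors' collector [9]. Classification is signature-first: a matched signature overrides whatever the destination port suggests, which is exactly how BitTorrent on port 80 stops being counted as HTTP. The sample records and the label tables are constructed for the example; the signature IDs and their meanings are the ones the paper names.

```python
from collections import defaultdict

# Labels are constructed for this example; the IDs and meanings are those the paper names.
SIGNATURE_LABELS = {2180: "p2p-bittorrent", 2586: "p2p-edonkey", 1855: "ddos",
                    528: "bad-traffic-loopback", 527: "dos-same-src-dst", 483: "icmp-ping"}
PORT_LABELS = {0: "icmp/port-0", 20: "ftp-data", 22: "ssh", 80: "http", 8080: "http-alt"}


def classify(rec):
    """Signature first, port second: a signature overrides whatever the port suggests."""
    sid = rec.get("signature_id")
    if sid is not None:
        return SIGNATURE_LABELS.get(sid, f"signature-{sid}")
    return PORT_LABELS.get(rec["dport"], "unknown")


def hidden_behind_ports(records):
    """Flows a port-only tool would file under a well-known service although a signature matched."""
    return [r for r in records if r.get("signature_id") is not None and r["dport"] in PORT_LABELS]


def port_breakdown(records, top=10):
    """Rows of (destination port, total packets, % of packets with signatures), the
    layout of Table 3, ordered by packet volume."""
    total, flagged = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["dport"]] += r["packets"]
        if r.get("signature_id") is not None:
            flagged[r["dport"]] += r["packets"]
    rows = [(p, total[p], round(100.0 * flagged[p] / total[p], 2)) for p in total]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows[:top]


def signature_breakdown(records, dport):
    """Packets per signature ID at one destination port (the view of Fig. 5), largest first."""
    counts = defaultdict(int)
    for r in records:
        if r["dport"] == dport and r.get("signature_id") is not None:
            counts[r["signature_id"]] += r["packets"]
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


SAMPLE_RECORDS = [  # constructed flow records as a collector would store them
    {"dport": 80, "packets": 900, "signature_id": None},    # ordinary web traffic
    {"dport": 80, "packets": 60, "signature_id": 2180},     # BitTorrent hiding on port 80
    {"dport": 80, "packets": 40, "signature_id": 1855},     # DDoS agent traffic on port 80
    {"dport": 22, "packets": 300, "signature_id": None},
    {"dport": 0, "packets": 200, "signature_id": 483},      # ICMP pings, reported at port 0
    {"dport": 0, "packets": 50, "signature_id": None},
    {"dport": 4662, "packets": 120, "signature_id": 2586},  # eDonkey on its usual port
]


if __name__ == "__main__":
    for row in port_breakdown(SAMPLE_RECORDS):
        print("port %5d  packets %5d  with signature %6.2f%%" % row)
    print("port 80 by signature:", signature_breakdown(SAMPLE_RECORDS, 80))
    print("hidden behind known ports:", [classify(r) for r in hidden_behind_ports(SAMPLE_RECORDS)])
```

The percentage column is computed over packets rather than flows, as Table 3 does; a per-flow percentage would weight a single long download the same as a one-packet probe.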
5 Conclusion

In this paper, we proposed a signature-aware traffic monitoring method under the IETF IPFIX standard and showed experimental results from a prototype. Our scheme reveals hidden traffic patterns that port-based traffic monitoring tools do not show. To remain compliant with the IPFIX standard, we defined the signature field by extending the IPFIX template. Although the monitoring function proposed here demands high performance for deep packet inspection and fast flow classification, it can be supported by network processor (NP) systems with ASICs or TCAMs. In addition, since the proposed method uses the IPFIX standard, it can easily support IPv6 networks by changing the IP address field types. While this paper has shown a first, realistic security-related application of IPFIX, the payload inspection algorithm needs further study for completeness and correctness; for instance, the false positives of signature-based traffic classification will be studied in future work.

References

[1] Cisco NetFlow, x-charter.html
[2] J. Quittek, T. Zseby, B. Claise, and S. Zander, "Requirements for IP Flow Information Export (IPFIX)," IETF RFC 3917, Oct.
[3] D. Plonka, "FlowScan: A Network Traffic Flow Reporting and Visualization Tool," USENIX LISA.
[4] C. Fraleigh, S. Moon, B. Lyles, C. Cotton, M. Khan, D. Moll, R. Rockell, T. Seely, and C. Diot, "Packet-Level Traffic Measurements from the Sprint IP Backbone," IEEE Network, vol. 17, no. 6, pp. 6-16, Nov.
[5] M. Roesch, "Snort - Lightweight Intrusion Detection for Networks," USENIX LISA.
[6] T. Choi, C. Kim, S. Yoon, J. Park, B. Lee, H. Kim, H. Chung, and T. Jeong, "Content-aware Internet Application Traffic Measurement and Analysis," IEEE/IFIP Network Operations & Management Symposium.
[7] A. Moore and K. Papagiannaki, "Toward the Accurate Identification of Network Applications," Passive and Active Measurement Workshop, April.
[8] nprobe.
[9] WinIPFIX.
More informationNetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date 2012-9-6
(Integrated) Technology White Paper Issue 01 Date 2012-9-6 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means
More informationCase Study: Instrumenting a Network for NetFlow Security Visualization Tools
Case Study: Instrumenting a Network for NetFlow Security Visualization Tools William Yurcik* Yifan Li SIFT Research Group National Center for Supercomputing Applications (NCSA) University of Illinois at
More informationHow To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On
Michel Laterman We have a monitor set up that receives a mirror from the edge routers Monitor uses an ENDACE DAG 8.1SX card (10Gbps) & Bro to record connection level info about network usage Can t simply
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationKeywords Attack model, DDoS, Host Scan, Port Scan
Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection
More informationNetwork Performance Monitoring at Minimal Capex
Network Performance Monitoring at Minimal Capex Some Cisco IOS technologies you can use to create a high performance network Don Thomas Jacob Technical Marketing Engineer About ManageEngine Network Servers
More informationPractical Experience with IPFIX Flow Collectors
Practical Experience with IPFIX Flow Collectors Petr Velan CESNET, z.s.p.o. Zikova 4, 160 00 Praha 6, Czech Republic petr.velan@cesnet.cz Abstract As the number of Internet applications grows, the number
More informationIPTV Traffic Monitoring System with IPFIX/PSAMP
IPTV Traffic Monitoring System with IPFIX/PSAMP Shingo Kashima NTT Information Sharing Platform Laboratories 3rd NMRG Workshop 2010 NTT Information Sharing Platform Laboratories Outline Introduction Motivation
More informationConfiguring NetFlow. Information About NetFlow. Send document comments to nexus1k-docfeedback@cisco.com. CHAPTER
CHAPTER 11 Use this chapter to configure NetFlow to characterize IP traffic based on its source, destination, timing, and application information, to assess network availability and performance. This chapter
More informationEnhancing Flow Based Network Monitoring
Enhancing Flow Based Network Monitoring Flow-based technologies such as NetFlow, sflow, J-Flow, and IPFIX are increasingly popular tools used by network operators. The tools leverage the capabilities embedded
More informationNetwork Agent Quick Start
Network Agent Quick Start Topic 50500 Network Agent Quick Start Updated 17-Sep-2013 Applies To: Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere, v7.7 and 7.8 Websense
More informationPage 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications
Outline EEC 274 Internet Measurements & Analysis Spring Quarter, 2006 Traffic Measurements Traffic measurements What metrics are we interested in? Measurement and analysis methodologies Traffic characterization
More informationCISCO IOS NETFLOW AND SECURITY
CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network
More informationHow To Identify Different Operating Systems From A Set Of Network Flows
Passive OS detection by monitoring network flows Siebren Mossel University of Twente P.O. Box 217, 7500AE Enschede The Netherlands s.mossel@gmx.net ABSTRACT` Network flow monitoring is a way of monitoring
More informationApplication of Netflow logs in Analysis and Detection of DDoS Attacks
International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in
More informationCisco IOS NetFlow Version 9 Flow-Record Format
Cisco IOS NetFlow Version 9 Flow-Record Format Last updated: February 007 Overview Cisco IOS NetFlow services provide network administrators with access to information concerning IP flows within their
More informationAdaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks
Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks Yan Hu Dept. of Information Engineering Chinese University of Hong Kong Email: yhu@ie.cuhk.edu.hk D. M. Chiu
More informationHow To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)
Network Traffic Performance & Security Monitoring Project proposal minimal project Orsenna;Invea-Tech FLOWMON PROBES 1000 & 100 Contents 1. Introduction... 2 1.1. General System Requirements... 2 1.2.
More informationWhatsUpGold. v12.3.1. NetFlow Monitor User Guide
WhatsUpGold v12.3.1 NetFlow Monitor User Guide Contents CHAPTER 1 WhatsUp Gold NetFlow Monitor Overview What is NetFlow?... 1 How does NetFlow Monitor work?... 2 Supported versions... 2 System requirements...
More informationImproving the Database Logging Performance of the Snort Network Intrusion Detection Sensor
-0- Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor Lambert Schaelicke, Matthew R. Geiger, Curt J. Freeland Department of Computer Science and Engineering University
More informationWireshark Developer and User Conference
Wireshark Developer and User Conference Using NetFlow to Analyze Your Network June 15 th, 2011 Christopher J. White Manager Applica6ons and Analy6cs, Cascade Riverbed Technology cwhite@riverbed.com SHARKFEST
More informationAttack and Defense Techniques 2
Network Security Attack and Defense Techniques 2 Anna Sperotto, Ramin Sadre Design and Analysis of ommunication Networks (DAS) University of Twente The Netherlands Firewalls Network firewall Internet 25
More informationHP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide
HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide Abstract This guide contains comprehensive information for network administrators, engineers, and operators working with
More informationPROFESSIONAL SECURITY SYSTEMS
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
More informationNetFlow Aggregation. Feature Overview. Aggregation Cache Schemes
NetFlow Aggregation This document describes the Cisco IOS NetFlow Aggregation feature, which allows Cisco NetFlow users to summarize NetFlow export data on an IOS router before the data is exported to
More informationMonitoring for network security and management. Cyber Solutions Inc.
Monitoring for network security and management Cyber Solutions Inc. Why monitoring? Health check of networked node Usage and load evaluation for optimizing the configuration Illegal access detection for
More informationNetwork traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010
Network traffic monitoring and management Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Lecture outline What is network traffic management? Traffic management applications Traffic monitoring
More informationA Flow-based Method for Abnormal Network Traffic Detection
A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,
More informationIntegrated Traffic Monitoring
61202880L1-29.1F November 2009 Configuration Guide This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. Including an overview of
More informationThe SCAMPI Scaleable Monitoring Platform for the Internet. Baiba Kaskina TERENA baiba@terena.nl
The SCAMPI Scaleable Monitoring Platform for the Internet Baiba Kaskina TERENA baiba@terena.nl Agenda Project overview Project objectives Project partners Work packages Technical information SCAMPI architecture
More informationCLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA
CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA Professor Yang Xiang Network Security and Computing Laboratory (NSCLab) School of Information Technology Deakin University, Melbourne, Australia http://anss.org.au/nsclab
More informationRID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.
: Real-time Inter-network Defense Against Denial of Service Attacks Kathleen M. Moriarty 22 October 2002 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations,
More informationNetFlow The De Facto Standard for Traffic Analytics
NetFlow The De Facto Standard for Traffic Analytics A Webinar on NetFlow and its uses in Enterprise Networks for Bandwidth and Traffic Analytics Don Thomas Jacob Technical Marketing Engineer ManageEngine
More informationInternet Management and Measurements Measurements
Internet Management and Measurements Measurements Ramin Sadre, Aiko Pras Design and Analysis of Communication Systems Group University of Twente, 2010 Measurements What is being measured? Why do you measure?
More informationUKCMG Industry Forum November 2006
UKCMG Industry Forum November 2006 Capacity and Performance Management of IP Networks Using IP Flow Measurement Agenda Challenges of capacity and performance management of IP based networks What is IP
More informationNetwork Based Intrusion Detection Using Honey pot Deception
Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.
More informationA Measurement of NAT & Firewall Characteristics in Peer to Peer Systems
A Measurement of NAT & Firewall Characteristics in Peer to Peer Systems L. D Acunto, J.A. Pouwelse, and H.J. Sips Department of Computer Science Delft University of Technology, The Netherlands l.dacunto@tudelft.nl
More informationAdvanced Computer Networks IN2097. 1 Dec 2015
Chair for Network Architectures and Services Technische Universität München Advanced Computer Networks IN2097 1 Dec 2015 Prof. Dr.-Ing. Georg Carle Chair for Network Architectures and Services Department
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationFlow Analysis. Make A Right Policy for Your Network. GenieNRM
Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do
More informationExtensible Network Configuration and Communication Framework
Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood Applied Research Laboratory Department of Computer Science and Engineering: Washington University in Saint Louis
More informationStatistical Characteristics of Multicast Traffic on a National Backbone Network
Statistical Characteristics of Multicast Traffic on a National Backbone Network Tao He, Xing Li, Jian Qiu Department of Electronic Engineering Tsinghua University, Beijing, 84, China Telephone: +86--6279255
More informationGaining Operational Efficiencies with the Enterasys S-Series
Gaining Operational Efficiencies with the Enterasys S-Series Hi-Fidelity NetFlow There is nothing more important than our customers. Gaining Operational Efficiencies with the Enterasys S-Series Introduction
More informationRecommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document
Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.
More informationThe Architecture of NG-MON: a Passive Network Monitoring System for High-Speed IP Networks 1
The Architecture of NG-MON: a Passive Network Monitoring System for High-Speed IP Networks 1 Se-Hee Han 1, Myung-Sup Kim 2, Hong-Taek Ju 3 and James Won-Ki Hong 4 1,2,4 Department of Computer Science and
More informationStateful vs. stateless traffic analysis
Stateful vs. stateless traffic analysis Rahul Patel Business Line Manager, Advanced Products Group Hifn, Inc. Introduction Over the past few years, the Internet has become a conduit of diverse and complex
More informationThe Value of Flow Data for Peering Decisions
The Value of Flow Data for Peering Decisions Hurricane Electric IPv6 Native Backbone Massive Peering! Martin J. Levy Director, IPv6 Strategy Hurricane Electric 22 nd August 2012 Introduction Goal of this
More informationFlow-based Worm Detection using Correlated Honeypot Logs
Flow-based Worm Detection using Correlated Honeypot Logs Falko Dressler, Wolfgang Jaegers, and Reinhard German Computer Networks and Communication Systems, University of Erlangen, Martensstr. 3, 91058
More informationSonicOS 5.8: NetFlow Reporting
SonicOS 5.8: NetFlow Reporting Document Scope Rapid growth of IP networks has created interest in new business applications and services. These new services have resulted in increases in demand for network
More informationNetwork Security Incident Analysis System for Detecting Large-scale Internet Attacks
Network Security Incident Analysis System for Detecting Large-scale Internet Attacks Dr. Kenji Rikitake Security Advancement Group NICT, Japan September 6, 2005 Our goals Collaborative monitoring, centralized
More informationAgenda. Cisco Research SCRIPT and the Big Picture. Building Blocks for the SCRIPT Project
Cisco Research SCRIPT and the Big Picture Ralf Wolter, Cisco Systems 1 Agenda Building Blocks for the SCRIPT Project Cisco Research Center (CRC) NetFlow: the story and the challenge IPFIX @ IETF Cisco
More information