Diss. ETH No
TIK-Schriftenreihe Nr. 140

Novel Techniques for Monitoring Network Traffic at the Flow Level

A dissertation submitted to ETH ZURICH for the degree of Doctor of Sciences

presented by Eduard Glatz, Dipl. El.-Ing. ETH, born July 15, 1955, citizen of Zurich and Basel

accepted on the recommendation of
Prof. Dr. Bernhard Plattner, examiner
Dr. Xenofontas Dimitropoulos, co-examiner
Prof. Dr. Björn Scheuermann, co-examiner
Dr. Walter Willinger, co-examiner

2013
Abstract

Research in Internet measurement provides us with new ways to understand, operate and improve the Internet. Learning from network traffic data requires a well-chosen set of analysis techniques. We envision a rich toolbox available for this task, and delve into novel techniques and their application on large data sets to extend the choice of analysis schemes. In particular, we focus on traffic data at the network level that is readily available from commercial routers in the form of flow metadata (e.g. NetFlow), to enable the analysis of ever growing traffic volumes with low demands on the measurement infrastructure.

This thesis consists of two major parts. In the first part, we explore a promising approach to study unsolicited traffic without the need to reserve unpopulated IP address ranges for this task, as has been done in the past. Our approach is to study one-way traffic, i.e., packets that never receive a reply in live networks. We introduce a novel scheme to classify one-way traffic at the flow level into interpretable classes. We validate this scheme based on a data set that we prepare using all informative details available from packet data (e.g. header and payload contents). We use our classifier to shed light on the composition of one-way traffic, and illustrate how the particular class of Unreachable Services can be used to passively detect network service outages by processing flow-level traffic data only. Moreover, to obtain a comprehensive view of one-way traffic, we conduct a large-scale study covering eight years of traffic data, leading to new insights about the evolution of this exotic piece of traffic over time and space.

In the second part, we present novel visualization methods following the well-known adage "A picture is worth a thousand words". In particular, we tackle the problems of how to summarize data to extract the most relevant information from big data sets, and how to visualize this information in an easily interpretable way. We envision a top-down workflow that in a first step identifies possibly hidden patterns in a data set captured from a potentially large network, followed by a second step that involves a closer inspection of the traffic of individual end systems or subnets. Specifically, we use frequent itemset mining to obtain a list of the most relevant patterns from the traffic data of a network, which we then visualize through hypergraphs. Then we make use of a graph representation and a domain-specific summarization scheme, which is based on the characteristics of typical host roles (e.g. client, server, P2P), to provide a quick overview of what roles a host assumes and what applications it runs. We demonstrate the usefulness of our approach by using proof-of-concept implementations in a number of illustrative case studies.
Kurzfassung

Research in the field of Internet traffic data analysis shows us new approaches to understanding, operating and improving the Internet. Gaining new insights from traffic data, however, requires the use of well-chosen analysis techniques. Our goal is to provide a rich set of instruments for this purpose, which is why we investigate new analysis techniques and their application to large data sets in order to develop this toolbox. In particular, we focus on flow data at the network layer (e.g. NetFlow), which commercial routers can readily provide, in order to analyze the ever growing traffic volumes with little infrastructure effort.

This dissertation is organized in two main parts. In the first part, we investigate a promising approach to the analysis of unsolicited traffic that does not require reserving an unused IP address range for this purpose, as has been done so far. We study the phenomenon of one-way traffic, i.e., of network packets that receive no reply in operational networks. We introduce a novel classification scheme to divide one-way traffic at the flow level into interpretable classes. We validate this scheme using additional detailed information (e.g. the header data of all packets, payload contents) that only packet-level traffic data can provide. We use our classifier to make the composition of one-way traffic visible, and illustrate the usefulness of the particular class Unreachable Services for passively detecting service outages from flow-level traffic data alone. Furthermore, we conduct an extensive study in which we analyze one-way traffic over a period of eight years and gain new insights into the characteristics of this exotic share of traffic and its evolution over time and space.

In the second part of the thesis we present new visualization methods, following the proverb "A picture is worth a thousand words". In particular, we address methods for condensing very large data sets and extracting relevant information, and develop techniques for interpreting and visualizing such information. Our methodology is a top-down approach in which a first step identifies the potentially present, hidden patterns in a collection of traffic data captured in a possibly very large computer network, followed by a second step in which the traffic data of individual end systems or subnets is inspected in detail. Specifically, we use frequent itemset mining to extract a list of the most relevant patterns, which we visualize in the form of hypergraphs. We then use a domain-specific data condensation approach, based on the characteristics of typical end-system roles (client, server, P2P), to selectively depict the network traffic of a single host as an overview graph, so that its roles and the applications it runs are immediately recognizable. Using proof-of-concept implementations, we demonstrate the usefulness of our approach in illustrative case studies.
Contents

Abstract i
Kurzfassung iii
Contents v
List of Figures xi
List of Tables xiii

INTRODUCTION
Network Traffic Monitoring
  Relevance
  Application Areas
  State of the Art
  Data Sets
  Research Problems
  Contributions
Traffic Data Visualization
  Relevance 25

[entries between page 25 and the IBR chapters are missing from the source]

  IBR Traffic in Live Networks
  Network Outages
  Conclusions
  References
A First Look Into IBR In A Large Greynet 101
  Abstract
  Introduction
  Related Work
    IBR Traffic in Dark Nets
    IBR Traffic in Live Networks
  Datasets and Sanitization
    NetFlow Data Sanitization
    ITU Internet Penetration Data Sanitization
  Targeted Services and Hosts
    Top Target Ports of IBR Traffic Over 8 Years
    Persistently Targeted Ports Over Time
    Distribution of IBR Traffic Over Ports and Hosts
  Source Characterization
  Spacetime Analysis
    Evolution of Geographical Distribution of IBR Traffic
    Evolution of the Spatial Distribution of IBR Traffic
  Conclusions
  References 135

PART II: VISUALIZING NETWORK TRAFFIC
6 Visualizing Big Network Traffic Data 143
  Abstract
  Introduction
  Related Work
  Visualization Scheme
    FIM Visualization
    Scaling to Large Data Sets
  Use Cases
    Use case 1: Traffic Profiling
    Use case 2: Attacks and Misconfigurations
  Conclusions
  References
7 Visualizing Host Traffic through Graphs 165
  Abstract
  Introduction
  HAPviewer
    Host Traffic Representation
    Host Role Summarization
    Flow Classification and Filtering
  Case Studies
    Situational Awareness
    Analysis of an IDS Alarm
  Discussion
  Related Work
  Future Work
  Conclusions 183
  7.8 Acknowledgements
  References

CONCLUSIONS
8 Summary and Conclusions
  One-way Traffic Classification and Characterization
  Network Traffic Data Visualization
Future Work and Outlook
  Automatic Inference of One-way Flow Classification Rules
  Classifying Outbound One-way Traffic
  Characterizing One-way Traffic on IPv
  Subclassifying One-way Traffic linked to DoS Attacks
  A Long-term Study of the Reachability of Services
  Comparing One-way Traffic Analysis with Network Telescopes
  In-depth Analysis of the One-way Class Suspected Benign
  Extending the Host Application Profile Viewer
  Extending FIM Visualizations of Network Traffic 214
  References 215

APPENDIX
10 Data Sets 223
11 Limitations
  NetFlow Data Set
    NetFlow Pre-Processing
    One-way Flow Perspective
    Classification Rules
  Additional Measurements
    Routing Symmetry Tests
    One-way Traffic Sources
  References
List of Publications
  Related
  Non-Related
Acknowledgements 253

List of Figures

1.1 Network monitoring methods
Two- and one-way traffic illustrated
Network telescope traffic
Five flow types illustrated
Example of a communication graph
Example of a parallel coordinate plot
Example of a treemap visualization
Impact of time interval size on flow metrics
Mixture of one- and two-way flows
Rule refinement stages
Evolution of one- and two-way flow counts
One-way flows as a (mean) fraction of all
Composition of one-way traffic
Coinciding outage on most university services
Illustration that shows security-relevant events
Persistency of TCP destination ports
Persistency of UDP destination ports
IBR flows received by a target port versus port rank
IBR traffic flow volume over time decomposed
5.6 IBR flows received by a target host
Source host activity patterns
Average daily number of IBR flows per source
One-way flows generated per host versus host rank
IBR and regular flow sources and targets
Top-k persistence versus k (unnormalized)
Top-k persistence versus k (normalized)
IPv4 address space distributions of sources by ports
Example of a parallel-coordinate plot
Example of a FIM visualization
Runtime diagram
Traffic profiling example
Attacks and misconfigurations example
Illustrative graph visualization example
Host application profile (HAP) graphlet
Example of a server role summarization
Host roles definitions
Example of a HAP graphlet
Example showing flow directions
Example of a host browse list
Example of a scan target
Example of a scan source
Example of a flow list
Example of a scan pattern
Example of a P2P host pattern
Example of a P2P flow list 179

List of Tables

4.1 Size of data sets per year
Overview of defined signs
Rules used to classify one-way flows
Results of validation
Composition of one-way flow classes
Flow data set description
List of top-10 target ports of one-way flows
Top-10 countries of IBR scan flows
Top-10 countries of IBR scan (normalized)
Size of data sets per year
Fraction of pot. artificial inbound one-way flows
Unique One-way Traffic Sources 242
INTRODUCTION
Research in Internet measurement provides us with new ways to understand, operate and improve the Internet. Learning from network traffic data requires a well-chosen set of analysis techniques. We envision a rich toolbox available for this task, and delve into novel techniques and their application on large data sets to extend the choice of analysis schemes. In this introductory part we illustrate the relevance of network traffic monitoring and traffic data visualization. This includes a survey of application areas, a discussion of the state of the art and a description of the research problems investigated. We conclude with a summary of our contributions and provide an overview of how this thesis is organized.
Chapter 1 Network Traffic Monitoring

1.1 Relevance

Today, the usage of the Internet penetrates most areas of our life, making the Internet an important infrastructure for our society. According to the International Telecommunication Union (ITU), average Internet penetration¹ had reached 35.7% for its member countries by the end of 2010, after a growth of 809% between 1998 and [end year missing in the source].² Operating such an infrastructure requires intimate knowledge of its workings and its state at any moment. This is the task of network monitoring, which is performed in a decentralized way by the network administrators of many organizations, each supervising the networks they are responsible for.

¹ Internet penetration is measured as the percentage of inhabitants using the Internet.
² Similar figures are reported by the Organization for Economic Cooperation and Development (OECD) for industrialized countries. In particular, the OECD estimates the Internet penetration for its member countries to be on average 25.2% by Q2/2011, with a growth of 582% between Q2/2002 and Q2/2011.
However, measuring the Internet is not as easy as it might appear at first sight: there are many pitfalls to be avoided and problems to be solved. Moreover, the extent to which a measurement infrastructure is established today is limited due to the decentralized organization of the Internet, trade-offs between the cost of infrastructure and the measurement support provided, and privacy concerns. As a consequence, the Internet cannot be characterized precisely and we only have an incomplete view of its workings and its state. Many quantitative measures of the Internet are still missing or at least incomplete. Furthermore, handling the huge data sets resulting from ever growing traffic volumes calls for new ways to extract interesting information from summarized data as it is readily available in the form of flow metadata (e.g. NetFlow).

1.2 Application Areas

There are many reasons why networks should be monitored. Network administrators want to know how well the network infrastructure is running and whether any traffic anomalies need further attention. At the same time they observe a traffic growth which routinely requires an extension of the network infrastructure to provide sufficient bandwidth to end users at any time. Additionally, emerging new applications can change the character of network traffic and therefore should not escape the attention of network administrators. As part of the quality assurance process, monitoring network traffic can help to check for compliance with service level agreements (SLA). Furthermore, privacy and availability concerns often call for network monitoring to detect security incidents, preferably at an early stage, or, finally, as a part of forensic investigations to prosecute offenders and harden the infrastructure. Organizations offering network services to clients can use network traffic
data to measure the actual usage as input for billing their services. On the other hand, researchers seek new insights into the operation of network infrastructure, networked applications and protocols, with the goal of improving them or of providing useful information to those in charge of this task.

Network traffic can be monitored across protocol layers (see Fig. 1.1 for an overview). Lower-level protocol data consists primarily of router and link-level data that is commonly collected by an infrastructure using the Simple Network Management Protocol (SNMP).

[Figure 1.1, recoverable content: active measurements (injecting traffic: traceroute, ping, active responders) on the left; passive measurements (listening to traffic) on the right, ordered by increasing granularity: BGP data, SNMP data, IDS alerts, log data, flow data, packet data / deep packet inspection; observation levels: inter-domain path, router/switch, end host, application instance, endpoint connection]
Figure 1.1: Network monitoring methods can be grouped into active (on the left) and passive techniques (on the right). Furthermore, the employed data sets can be ranked by the increasing granularity of details they provide (top-to-bottom inside the rectangle).

A popular use of SNMP data is the monitoring of basic information such as packet loss, delay and throughput with tools such as Observium or MRTG [105, 106]. SNMP data can be made available from virtually everywhere in a network, making it a ubiquitous data source. But SNMP data typically is aggregated information that does not provide details about sources and destinations of traffic. Besides, SNMP is frequently used to build up-to-date inventories of network infrastructure based on a Management Information Base (MIB). An alternative is the gathering of packet traces as part of Deep Packet Inspection (DPI), which records packet contents at a configurable granularity of detail. This granularity is set by the number of attributes supported and the amount of payload captured per packet. Packet traces provide details at several protocol layers owing to the encapsulated nature of packets: this starts at the link layer and goes up to the application layer, as recorded packets contain higher-layer packet contents as payload data of the underlying layers. Packet traces support, e.g., the measurement of packet jitter and round-trip time (RTT) through very precise timestamps. But gathering packet traces poses high demands on the infrastructure to store and process the collected data due to the immense volume of such data sets. A next alternative is the use of flow-level data, e.g. in the form of the popular NetFlow [108, 109]. Flow-level data sets provide per-connection metadata as summaries over all involved packets. This comprises, e.g., the total packet and byte counts alongside the source and destination addresses and the protocol used at the network layer. Still, gathering flow-level data on high-speed links may impose too high a demand on the infrastructure. In this situation sampling is often used, which, e.g., only includes every n-th packet in the traffic data (other sampling strategies exist). Finally, at the application layer the amount of traffic data typically is much smaller, making this kind of network monitoring a good choice for some monitoring tasks. Such data sets are created by application programs that log important information about their network communications. Application-layer data sets can be collected by client or server programs. Popular examples of such data sets are server logs provided by web and DNS servers. Besides, there are more specialized measurement techniques that, e.g., focus on traffic routing by inspecting exterior gateway protocol data, e.g. created by the Border Gateway Protocol (BGP). BGP data can be used to infer the Internet inter-domain (AS-level) topology and to assess route stability [110, 111]. Security appliances such as firewalls and Intrusion Detection Systems (IDS) create log data entries that list, e.g., permitted and denied connections or alerts about suspicious traffic.

So far, we have surveyed monitoring techniques that work passively, i.e., non-intrusively on the network traffic. For some tasks active measurements are more helpful. A popular technique is the use of the ping command to test the reachability of a destination system and the packet round-trip time. The program traceroute allows one to inspect the path packets travel from source to destination, along with the transfer times experienced. A further source of information about selected details of network traffic are databases. To geo-locate a source or destination system by IP address, the Domain Name System (DNS) can provide the registered name (if any), including the top-level domain name identifying a country (e.g. "ch"). Some top-level domain names are ambiguous when a country should be identified, e.g. the name "org". In this situation alternative geo-location databases give more detailed information. Such databases are commonly maintained by commercial companies and may provide a finer granularity, e.g. at the region or even city level.
To learn more about the size of the network where packets originate from or are targeted at, BGP data collected as part of BGP traffic monitoring can be valuable. Such a data set can associate individual IP addresses with subnets (identified by their network address and prefix length) and the associated Autonomous System (AS) number. Finally, we note that traffic data can in principle be gathered at any level of the Internet topology and from infrastructure operated by any organization that participates in the Internet. In practice, there are many limitations for several reasons. For example, it is hard to exchange traffic data between interested organizations due to privacy concerns and legal requirements. This frequently raises the question of whether the measurement results obtained from one network are applicable to another network. A more detailed description of network monitoring issues can be found in the literature.

In summary, surveying the field of network monitoring we find a considerable diversity of data sources. Depending on the observation point and the measurement methodology, a collected data set can be useful for multiple analysis purposes, but usually not for all. This requires a careful study of exactly what information can be inferred from a data set and, as a consequence, for what tasks it can be useful. Ignoring this preparatory step can lead to insights that are built on sand and finally turn out to be misleading.

Network traffic can be decomposed into two-way traffic, representing dialogs between end systems, and one-way traffic, i.e., packets that never receive a reply (see Fig. 1.2 for examples). In this thesis we are interested in one-way traffic, a very specific and less known perspective on network traffic. One-way traffic represents monologs resulting from a number of communication situations which are of utmost interest to operators and researchers, as they are associated with interesting events. Examples of such events are unreachable services, misconfigurations, scanning, prefix hijacking, filtering by Network Address Translation (NAT) and firewalls, peer-to-peer applications, congestion and routing loops.
Besides, one-way traffic constitutes a large fraction of Internet traffic (in terms of the number of flows). In this work we focus on one-way traffic at the network layer and use flow-level data to classify and further characterize this exotic piece of traffic. The use of flow-level data for analyzing one-way traffic is particularly interesting for network operators, as flow data can be collected from routers as a by-product of operation. In contrast, prior work used either packet traces or IDS connection logs. Both data types require extra infrastructure that does not scale well to large networks.

Figure 1.2: Two-way traffic is the regular case (A), when sent messages receive replies. One-way traffic, on the other hand, results whenever packets get lost or are blocked on their way to the receiver or on the return path (B, C). Figure (C) illustrates another case of one-way traffic, when the receiver is not responsive or does not even exist.

1.3 State of the Art

In the past, one-way traffic has been studied in a number of different ways to gain insight into its nature and causes. We describe the most popular techniques next. A traditional instrument to study one-way traffic is a network telescope, i.e., an infrastructure which routes traffic targeted at an
unpopulated IP address range to a measurement site. The idea of a network telescope is to observe traffic using destination IP addresses not assigned to any end system (IP darkspace). In this measurement setup incoming traffic stays unreplied, as it targets otherwise unused IP addresses. A network telescope enables the monitoring of different kinds of unsolicited traffic. For example, in scenario (A) in Fig. 1.3 an attacker sends a large number of requests to a victim system trying to create a Denial-of-Service (DoS) situation. To remain hidden, the attacker forges the source IP addresses of these attack flows using random values that to some extent fall into the address space of the network telescope. Therefore the victim system sends replies towards the network telescope, among other random destinations. Network telescopes are also known as darknets, while in contrast a live network can be designated a greynet in the context of one-way traffic analysis.

[Figure 1.3, recoverable content: attacker, victim, scanner and network telescope; DoS attack with backscatter (A), scan flow (B), misdirected flow (C)]
Figure 1.3: This figure illustrates three scenarios generating traffic that can be seen in a network telescope: backscatter traffic as a result of a Denial-of-Service (DoS) attack using spoofed source IP addresses (A), scanning of randomly chosen target hosts (B), and misdirected traffic due to configuration errors (C).
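To make the two ideas above concrete, namely flow-level summaries of packets and the split of traffic into two-way dialogs and one-way monologs, together with the three telescope scenarios of Fig. 1.3, the following added example (written for this page; it is not code from the thesis and not the thesis' classification rules) folds a constructed packet trace into NetFlow-like flow records, pairs each flow with its reverse 5-tuple within a time window, and labels the inbound one-way flows as backscatter, scan or other using simple assumed heuristics (SYN-ACK or RST replies and ICMP count as backscatter, one source touching several local hosts on one port counts as a scan). The monitored prefix 192.0.2.0/24, the thresholds and every packet in the trace are constructed for the demonstration.

```python
"""Added example, not code from the thesis: summarize constructed packet
headers into NetFlow-like flows, separate two-way dialogs from one-way
monologs, and label inbound one-way flows with the coarse causes of Fig. 1.3.
The monitored prefix, the thresholds and the packet trace are all assumed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")  # assumed monitored (greynet) prefix
SYN, RST, ACK = 0x02, 0x04, 0x10       # TCP flag bits


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int        # 1 = ICMP, 6 = TCP, 17 = UDP
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    flags: int = 0    # OR of all TCP flags seen, 0 for non-TCP

    @property
    def key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    @property
    def reverse_key(self):
        return (self.dst, self.src, self.dport, self.sport, self.proto)


def aggregate(packets, inactive_timeout=60.0):
    """Fold (ts, src, dst, sport, dport, proto, length, flags) tuples into flows
    keyed by 5-tuple; silence longer than the timeout opens a new record,
    like the inactive timeout of a router's flow cache."""
    flows, active = [], {}
    for ts, src, dst, sport, dport, proto, length, flags in sorted(packets):
        f = active.get((src, dst, sport, dport, proto))
        if f is None or ts - f.last > inactive_timeout:
            f = Flow(src, dst, sport, dport, proto, first=ts, last=ts)
            active[f.key] = f
            flows.append(f)
        f.packets += 1
        f.octets += length
        f.flags |= flags
        f.last = ts
    return flows


def split_directions(flows, window=60.0):
    """Two-way = a flow with the reversed 5-tuple overlaps it in time (spans
    widened by `window` seconds); everything else is one-way."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[f.key].append(f)
    two_way, one_way = [], []
    for f in flows:
        paired = any(r.first <= f.last + window and f.first <= r.last + window
                     for r in by_key.get(f.reverse_key, []))
        (two_way if paired else one_way).append(f)
    return two_way, one_way


def label_one_way(one_way, scan_min_targets=3):
    """Assumed heuristics (not the thesis' rules) for inbound one-way flows:
    backscatter = ICMP, TCP SYN-ACK or RST without SYN (replies to requests
    we never sent, A); scan = one source, one port, >= scan_min_targets local
    hosts (B); other = the rest, e.g. misdirected or unreachable service (C)."""
    inbound = [f for f in one_way
               if ip_address(f.dst) in LOCAL_NET and ip_address(f.src) not in LOCAL_NET]
    targets = defaultdict(set)
    for f in inbound:
        targets[(f.src, f.dport, f.proto)].add(f.dst)
    labels = {}
    for f in inbound:
        synack = (f.flags & (SYN | ACK)) == (SYN | ACK)
        rst_only = bool(f.flags & RST) and not (f.flags & SYN)
        if f.proto == 1 or (f.proto == 6 and (synack or rst_only)):
            labels[f.key] = "backscatter"
        elif len(targets[(f.src, f.dport, f.proto)]) >= scan_min_targets:
            labels[f.key] = "scan"
        else:
            labels[f.key] = "other"
    return labels


# Constructed trace: (ts, src, dst, sport, dport, proto, length, tcp_flags)
PACKETS = [
    (0.0, "192.0.2.10", "198.51.100.5", 40000, 80, 6, 60, SYN),        # web dialog
    (0.1, "198.51.100.5", "192.0.2.10", 80, 40000, 6, 60, SYN | ACK),
    (0.2, "192.0.2.10", "198.51.100.5", 40000, 80, 6, 500, ACK),
    (5.0, "203.0.113.7", "192.0.2.77", 443, 51234, 6, 60, SYN | ACK),   # backscatter (A)
    (5.3, "203.0.113.7", "192.0.2.77", 443, 51234, 6, 60, SYN | ACK),
    (9.0, "203.0.113.9", "192.0.2.1", 55555, 22, 6, 60, SYN),           # scan (B)
    (9.1, "203.0.113.9", "192.0.2.2", 55555, 22, 6, 60, SYN),
    (9.2, "203.0.113.9", "192.0.2.3", 55555, 22, 6, 60, SYN),
    (12.0, "203.0.113.11", "192.0.2.53", 33333, 53, 17, 80, 0),         # unanswered DNS
]


def analyze(packets=PACKETS):
    flows = aggregate(packets)
    two_way, one_way = split_directions(flows)
    labels = label_one_way(one_way)
    return {"flows": len(flows), "two_way": len(two_way),
            "one_way": len(one_way), "labels": sorted(labels.values())}


if __name__ == "__main__":
    print(analyze())
```

On the constructed trace the web dialog yields two paired (two-way) flows, while the remaining five flows are one-way: the two SYN-ACK packets from the victim collapse into one backscatter flow, the three probes become three scan flows, and the lone DNS query falls into "other", which is where the thesis' Unreachable Services class would later distinguish it. The pairing window matters: with router flow exports the reverse flow may arrive in a later export interval, so a real implementation pairs across interval boundaries rather than within a single batch.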
An often used term for traffic seen in a network telescope is Internet Background Radiation (IBR), based on a definition of traffic sent to unused addresses [116, 117] or unsolicited one-way Internet traffic. Network telescopes have been shown to be useful to study major worm outbreaks, scanning and probing, misconfigurations, botnets [118, 122] and major network disruptions. Typically, traffic towards a network telescope can be recorded with all packet details, as this setup does not suffer from the same privacy concerns and accompanying restrictions as production networks carrying sensitive information of a company or organization. At a few places [114, 124] parts of the incoming traffic towards a network telescope are used to actively probe the sources of this traffic, through manual exploration or so-called active responders, which are small programs that answer to predefined application protocols [113, 114] with the goal of verifying the kind of targeted service. However, this active approach is considered problematic, as it can reveal the location of the network telescope in IP address space to the attacker. If the location of a network telescope cannot be kept secret then it might be avoided by attackers, thereby jeopardizing its value for the analysis of attack traffic. But even if the operator of a network telescope runs it passively, it can be detected by attackers when analysis results are published. Network telescopes are blind to targeted attacks that use lists of previously identified victim systems and, therefore, network telescopes provide an incomplete picture of the attack scene. Besides, a network telescope requires the availability of a substantial IP address range dedicated to this purpose, which is hard to achieve for those not yet in possession of one. An extension of the idea of active responders is the use of so-called honeypots that mimic an important end system, e.g. a web server, to attract attacks with the goal of analyzing them. In practice, such systems are measurement sites isolated from production networks that help operators and researchers to collect information about emerging attacks and to test countermeasures. A honeypot can be built as a dedicated computer system or as a guest on top of a system virtual machine, which makes it easy to run a farm of honeypots (a honey farm) at reasonable hardware cost. In contrast to network telescopes, honeypots allow the analysis of attacks that are specifically tailored to exploit server-type applications. Moreover, they do not occupy a large number of IPv4 addresses that likely cannot be reserved in the future for pure research purposes. But honeypots will miss attacks trying to exploit vulnerabilities of client applications, e.g. web browsers. Similar to network telescopes, honeypots can be avoided by attackers from the moment their purpose is recognized and their exact IP address is identified. Honeypots can be very useful to analyze particular attacks in depth. But they are less useful for creating macroscopic statistics on malicious traffic.

A third source of information about the failure or success of connection attempts is the use of dedicated intrusion detection systems (IDS) that create connection logs, such as the Bro system. Connection logs are text files that describe each observed connection with a text line containing connection information and success or failure details. This data source is useful to analyze TCP traffic [116, 131, 132], and with extensions also UDP and ICMP traffic. But Bro and any similar system are resource-intensive, as they require the processing of packet traces. A fourth approach makes use of IDS alerts to identify malicious or otherwise unwanted traffic. IDS alerts are text files that describe each suspicious observation with a text line comprising an estimated threat priority, connection details and a threat characterization. An interesting source of such IDS alert data is the DShield project, which involves many sites contributing their alert data, providing a globally distributed perspective. On the other hand, IDS alerts are limited by the employed ruleset, which relies on the characteristics of
University of Twente Department of Electrical Engineering, Mathematics an Computer Science Chair for Design and Analysis of Communication Systems Detecting UDP attacks using packet symmetry with only flow
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
Border Gateway Protocol Exterior routing protocols created to: control the expansion of routing tables provide a structured view of the Internet by segregating routing domains into separate administrations
Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.
The Ecosystem of Computer Networks Ripe 46 Amsterdam, The Netherlands Silvia Veronese NetworkPhysics.com Sveronese@networkphysics.com September 2003 1 Agenda Today s IT challenges Introduction to Network
CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION MATIJA STEVANOVIC PhD Student JENS MYRUP PEDERSEN Associate Professor Department of Electronic Systems Aalborg University,
PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute
CMSGu2014-02 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Firewall National Computer Board Mauritius Version 1.0 June
UTM I&C School Prof. P. Janson September 2014 C. Universal Threat Management C.4. Defenses 1 of 20 Over 80 000 vulnerabilities have been found in existing software These vulnerabilities are under constant
Case Study: Instrumenting a Network for NetFlow Security Visualization Tools William Yurcik* Yifan Li SIFT Research Group National Center for Supercomputing Applications (NCSA) University of Illinois at
Internet Protocol: IP packet headers 1 IPv4 header V L TOS Total Length Identification F Frag TTL Proto Checksum Options Source address Destination address Data (payload) Padding V: Version (IPv4 ; IPv6)
Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense
Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do
Firewalls, NAT and Intrusion Detection and Prevention Systems (IDS) Internet (In)Security Exposed Prof. Dr. Bernhard Plattner With some contributions by Stephan Neuhaus Thanks to Thomas Dübendorfer, Stefan
Module 7 Routing and Congestion Control Lesson 4 Border Gateway Protocol (BGP) Specific Instructional Objectives On completion of this lesson, the students will be able to: Explain the operation of the
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....
Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet
DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? Drive-by Downloads are a common technique used by attackers to silently install malware on a victim s computer. Once a target website has been weaponized with
BGP Prefix Hijack: An Empirical Investigation of a Theoretical Effect Masters Project Advisor: Sharon Goldberg Adam Udi 1 Introduction Interdomain routing, the primary method of communication on the internet,
HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest
FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way
Chair for Network Architectures and Services Technische Universität München Advanced Computer Networks IN2097 1 Dec 2015 Prof. Dr.-Ing. Georg Carle Chair for Network Architectures and Services Department
Lecture Notes (Syracuse University) ICMP Protocol and Its Security: 1 ICMP Protocol and Its Security 1 ICMP Protocol (Internet Control Message Protocol Motivation Purpose IP may fail to deliver datagrams
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
Providing complete and comprehensive real-time network protection Today s networks are constantly under attack by an ever growing number of emerging exploits and attackers using advanced evasion techniques
Assignment One ITN534 Network Management Title: Report on an Integrated Network Management Product (Solar winds 2001 Engineer s Edition) Unit Co-coordinator, Mr. Neville Richter By, Vijayakrishnan Pasupathinathan
Proceedings of the APAN Network Research Workshop 2013 The flow back tracing and DDoS defense mechanism of the TWAREN defender cloud Ming-Chang Liang 1, *, Meng-Jang Lin 2, Li-Chi Ku 3, Tsung-Han Lu 4,
Distributed Denial of Service Attack Tools Introduction: Distributed Denial of Service Attack Tools Internet Security Systems (ISS) has identified a number of distributed denial of service tools readily
Understanding and Optimizing BGP Peering Relationships with Advanced Route and Traffic Analytics WHITE PAPER Table of Contents Introduction 3 Route-Flow Fusion 4 BGP Policy Visibility 5 Traffic Visibility
Dell SonicWALL report portfolio Table of contents Dell SonicWALL Global Management System (GMS ) and Analyzer reports I. Sample on-screen reports II. Sample PDF-generated reports Dell SonicWALL Scrutinizer
the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered
A VULNERABILITY AUDIT OF THE U.S. STATE E-GOVERNMENT NETWORK SYSTEMS Dr. Jensen J. Zhao, Ball State University, email@example.com Dr. Allen D. Truell, Ball State University, firstname.lastname@example.org Dr. Melody W. Alexander,
Advanced Honeypot Architecture for Network Threats Quantification Mr. Susheel George Joseph M.C.A, M.Tech, M.Phil(CS) (Associate Professor, Department of M.C.A, Kristu Jyoti College of Management and Technology,
Troubleshooting Network Performance with Alpine Jeffrey Papen As a Network Engineer, I am often annoyed by slow Internet performance caused by network issues like congestion, fiber cuts, and packet loss.
ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security
Firewalls & Intrusion Detection CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan Security Intrusion
Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation
DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...
Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs As a head of the campus network department in the Deanship of Information Technology at King Abdulaziz University for more
Gaining Operational Efficiencies with the Enterasys S-Series Hi-Fidelity NetFlow There is nothing more important than our customers. Gaining Operational Efficiencies with the Enterasys S-Series Introduction
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
SOUTHERN POLYTECHNIC STATE UNIVERSITY Snort and Wireshark IT-6873 Lab Manual Exercises Lucas Varner and Trevor Lewis Fall 2013 This document contains instruction manuals for using the tools Wireshark and
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE email@example.com www.cloudflare.com
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls