A Scalable High Performance Network Monitoring Agent for CERNET
ZHANG, Hui
CERNET Network Research Center, Tsinghua University, Beijing, China

Abstract

In a cost-effective way, collecting and analyzing data from such a nationwide operational network as the China Education and Research Network (CERNET) is an increasingly challenging task. This paper presents our experience designing and implementing a passive monitoring agent applicable to CERNET, based on which we are not only supporting our network intrusion detection system (IDS) and network management system (NMS) in detecting and identifying signs of malicious activities, non-malicious failures, and other exceptional events in real time, but also providing anomaly information to the accounting and billing system (ABS) so as to keep it healthy. This agent is characterized by a high performance data collecting facility and a methodology of real-time data correlation and analysis. We can deploy a customized agent on a particular link of CERNET for monitoring the network dynamically. We will discuss how to conflate, correlate, associate and refine measurement data to discriminate anomalies such as DoS from normal traffic, and how to respond to the anomalies for the purpose of the operational network's health. We conclude with experiences learned from the development and deployment of the agent and ongoing research work.

Keywords: Passive Monitoring, Traffic Collection, Packet Classification, Data Mining, Intrusion Detection

I. Introduction

This paper presents our experiences designing and developing an IP monitoring agent for the China Education and Research Network (CERNET). CERNET is the first and the largest nationwide education and research computer network in China. It has 12 global and regional channels connected with the United States, Canada, the U.K., Germany, Japan and Hong Kong SAR, and the international gateway bandwidth is over 220Mbps.
Meanwhile, its domestic channels connected with other commercial carriers in China are usually up to 1Gbps in bandwidth. More than 1000 education and research institutions, 1.2 million PCs and 8 million users have connected to CERNET, constructing a 4-level hierarchy: campus network, province network, regional network and national backbone. The CERNET backbone consists of over 60 OC-48 and OC-3 links, interconnecting 10 region-level nodes and 38 province-level nodes [6]. The traffic volume ranges from tens of Mb/sec on OC-3 province access links to more than 1Gb/sec on OC-48 national backbone links. The hierarchical structure of CERNET as shown in Figure 1 presents the location of our monitoring agents deployed across it.

Fig. 1 CERNET hierarchical structure

Footnote: This work was supported by the National Science Foundation of China (NSFC) under the grant No. Send correspondence to Mr. ZHANG, Hui. Tel: +86 (0) Addr: Rm 210 Main Bldg, Tsinghua University, Beijing, China.

The CERNET backbone IP network provides connectivity over a geographically wide area. The backbone consists of a set of regional nodes connected by high bandwidth links, which are typically 2.5Gb/sec OC-48 links or 155Mb/sec OC-3 links. Each regional node in turn contains links, typically Gigabit Ethernet (GigE), connecting to region access aggregation routers which provide access service for downstream networks. On the other hand, the BGP border routers which connect CERNET to the Internet outside China and to other major ISPs in China are generally connected to the backbone via GigE links too. In the case of the CERNET topology, we can therefore easily deploy multiple monitoring agents across those GigE links to measure network traffic as well as monitor network anomalies and misuse.

The monitoring agent is designed to focus on the following issues:
1) Support data rates up to 1Gb/sec.
2) Collect real-time IP packets from multiple carrier peering GigE links and regional access GigE links.
3) Classify tens of thousands of IP packets into flows with timestamps of accurate enough fidelity.
4) Provide real-time measurements which characterize the status of the link being monitored.
5) Filter out anomaly signs according to a set of pre-defined signatures in terms of multiple dimensions of network flow traffic.
6) Transfer the sampled IP packet data and flow data into a data repository wherein previously unseen signatures are found off-line via data mining. This data correlation and analysis involves processing gigabytes or terabytes of data, and must have some facilities to handle unusual phenomena such as misuses and/or malicious network behaviors.
7) Provide identified records of traffic anomalies, network attacks, malicious mobile network worms, etc. for the CERNET intrusion detection system (IDS), network management system (NMS) and accounting and billing system (ABS), with the daily network operation's health in mind.

The remainder of the paper describes the details of how we address these design issues in our IP monitoring agent and presents some sample results that demonstrate the agent's capabilities. Section II presents the architecture of this agent, which consists of several major functional components, and how to implement a scalable high performance agent via commodity hardware and software in a cost-effective way. Section III illustrates the workflow of the agent components and how they can work together in a tightly-coupled environment. Section IV presents traffic measurements, detected anomalies and attacks during the last 3 months, which demonstrate the capabilities of our agent. Section V discusses the cooperative relationship between our agents and the IDS, NMS and ABS installed in CERNET. Sections VI and VII conclude and discuss areas of ongoing and future research.

II. System Architecture

To satisfy the above-mentioned requirements, the design and implementation of our monitoring agent collects and aggregates packets to produce flow records with timestamps as shown in Table 1 and Table 2, respectively. This provides the fundamental traffic data concerning the links being monitored. A set of components base their function on these meta-data to perform further processing and analysis.
Table 1: Flow Record Definition

  Field        Description
  saddr        source ip address(es)
  daddr        destination ip address(es)
  sport        source port(s)
  dport        destination port(s)
  protocol     ip protocol number(s)
  service      pre-defined application service(s)
  len_sd       traffic from source to destination (in kilobytes)
  len_ds       traffic from destination to source (in kilobytes)
  pkt_num_sd   number of packets from source to destination
  pkt_num_ds   number of packets from destination to source
  timestamp    network time of first and last packet in the flow

Table 2: Captured Packet Record Definition

  Field        Description
  saddr        source ip address(es)
  daddr        destination ip address(es)
  sport        source port(s)
  dport        destination port(s)
  protocol     ip protocol(s)
  size         packet size (in bytes)
  timestamp    network time of the packet
  interface    from which network interface the packet was captured
  customized   one or more fields captured as needed

In our opinion, these fields are the minimal but most useful subset of data available. By this definition of flow, we can describe many kinds of traffic stream patterns, normal or anomalous behavior, with great flexibility and convenience. In the worst case, if we capture packets instead of flows, this resolves to about 20 bytes of data per packet, which means we are collecting about 5% of the total traffic given a 400-byte average packet size. At this point, we have reduced our input traffic by a factor of 20, on average. The remaining data is sent to a user-space program for saving or doing in-depth traffic analysis and data mining. If we capture flows, we can reduce our input traffic by a factor larger than 20, on average, i.e., produce greater efficiency.

A. Data Collection

Passive measurement systems include Simple Network Management Protocol (SNMP)-based network traffic measurement tools [1], tcpdump [2]/libpcap [3], NetFlow [4], and CoralReef [5], etc. Typical passive measurement projects include [5] for CAIDA, [7] for NLANR and [8] for Sprint.
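The packet-to-flow aggregation that Table 1 and Table 2 above imply, written out as an added example (this is not code from the paper or from the Linuxflow facility it describes). The PacketRecord and FlowRecord classes follow the two table definitions; the SERVICES map, the bidirectional keying rule (the first packet seen fixes the source side) and the sample capture are assumptions made for this example. reduction_factor reproduces the text's arithmetic: 20 bytes kept per packet against a 400-byte average gives a factor of 20.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical service map (protocol number, port) -> service name; the paper
# only says the service field is "pre-defined", so this table is an assumption.
SERVICES = {(6, 80): "http", (17, 53): "domain", (17, 1434): "ms-sql-m", (6, 445): "microsoft-ds"}


@dataclass
class PacketRecord:
    """One captured packet with the Table 2 fields (the 'customized' field is omitted)."""
    saddr: str
    daddr: str
    sport: int
    dport: int
    protocol: int       # IP protocol number: 6 = tcp, 17 = udp
    size: int           # packet size in bytes
    timestamp: float    # network time in seconds
    interface: str      # capture interface the packet arrived on


@dataclass
class FlowRecord:
    """Bidirectional flow record with the Table 1 fields."""
    saddr: str
    daddr: str
    sport: int
    dport: int
    protocol: int
    service: str
    len_sd: float = 0.0              # kilobytes, source -> destination
    len_ds: float = 0.0              # kilobytes, destination -> source
    pkt_num_sd: int = 0
    pkt_num_ds: int = 0
    first_ts: Optional[float] = None  # Table 1 'timestamp': first and last packet
    last_ts: Optional[float] = None


FlowKey = Tuple[str, str, int, int, int]


def service_name(protocol: int, sport: int, dport: int) -> str:
    """Resolve the pre-defined service from either port, else 'unknown'."""
    return SERVICES.get((protocol, dport)) or SERVICES.get((protocol, sport)) or "unknown"


def aggregate_flows(packets: List[PacketRecord]) -> Dict[FlowKey, FlowRecord]:
    """Fold packet records into flow records keyed by the 5-tuple of the first packet seen.

    A packet whose reversed 5-tuple is already a known flow is counted in the
    destination-to-source direction, so request and reply share one record.
    """
    flows: Dict[FlowKey, FlowRecord] = {}
    for p in packets:
        fwd: FlowKey = (p.saddr, p.daddr, p.sport, p.dport, p.protocol)
        rev: FlowKey = (p.daddr, p.saddr, p.dport, p.sport, p.protocol)
        if rev in flows:                      # reply direction of an existing flow
            f = flows[rev]
            f.len_ds += p.size / 1024.0
            f.pkt_num_ds += 1
        else:                                 # forward direction (new or existing flow)
            f = flows.get(fwd)
            if f is None:
                f = FlowRecord(p.saddr, p.daddr, p.sport, p.dport, p.protocol,
                               service_name(p.protocol, p.sport, p.dport))
                flows[fwd] = f
            f.len_sd += p.size / 1024.0
            f.pkt_num_sd += 1
        f.first_ts = p.timestamp if f.first_ts is None else min(f.first_ts, p.timestamp)
        f.last_ts = p.timestamp if f.last_ts is None else max(f.last_ts, p.timestamp)
    return flows


def reduction_factor(packets: List[PacketRecord], record_bytes: int = 20) -> float:
    """Ratio of bytes on the wire to bytes kept as packet records (20 for 400-byte packets)."""
    total = sum(p.size for p in packets)
    return total / (record_bytes * len(packets))


# Constructed sample capture: one HTTP exchange, one DNS lookup and one unanswered
# UDP/1434 probe. Addresses are private/documentation ranges, not real hosts.
SAMPLE_PACKETS = [
    PacketRecord("10.0.0.5", "192.0.2.10", 40000, 80, 6, 60, 100.0, "nic1"),
    PacketRecord("192.0.2.10", "10.0.0.5", 80, 40000, 6, 1460, 100.2, "nic0"),
    PacketRecord("10.0.0.5", "192.0.2.10", 40000, 80, 6, 52, 100.3, "nic1"),
    PacketRecord("192.0.2.10", "10.0.0.5", 80, 40000, 6, 1460, 100.5, "nic0"),
    PacketRecord("10.0.0.7", "192.0.2.53", 53000, 53, 17, 80, 101.0, "nic1"),
    PacketRecord("192.0.2.53", "10.0.0.7", 53, 53000, 17, 120, 101.1, "nic0"),
    PacketRecord("10.0.0.9", "192.0.2.99", 1200, 1434, 17, 404, 102.0, "nic1"),
]

if __name__ == "__main__":
    for key, f in aggregate_flows(SAMPLE_PACKETS).items():
        print(key, f.service, f.pkt_num_sd, f.pkt_num_ds, round(f.len_sd, 3), round(f.len_ds, 3))
    print("packet-record reduction factor:", round(reduction_factor(SAMPLE_PACKETS), 2))
```

Seven packets collapse into three flow records, which is the "factor larger than 20" the text refers to when flows rather than packets are kept: the saving grows with the number of packets per flow. The unanswered UDP/1434 probe yields a record with pkt_num_ds of zero, the kind of one-directional flow a later filter can pick out.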
Our agent makes use of a novel underlying collection facility called Linuxflow [9]. As with [9], the data collection component used by our monitoring agent suffices for gigabit Ethernet too. We implement this on Intel-based x86 hardware, i.e., a dual-processor 933MHz Pentium III machine with both a 64bit/133MHz PCI bus and a 64bit/66-33MHz PCI bus, 2GB of PC-133 memory, two AceNIC Gigabit Ethernet cards with the Tigon II chipset, and two EtherExpress Pro 100Mb Ethernet cards for management. Also, we make heavy use of the source code of the Linux kernel 2.4.x [16]. At this moment, we modify the source code for further tuning of parameters of the AceNIC Gigabit Ethernet driver so as to improve its performance (rx_coal_tick) [16]. Meanwhile, the TCP window size in the kernel is set to 256 Kbytes.

The monitoring agent's architecture is shown in more detail in Figure 2. This figure shows a logical view of the hardware and software, and how processing is performed among multiple modules. The agent first collects traffic from the tapped network link via an optical splitter. The two network interface cards, one for TX and the other for RX traffic traveling across the GigE link, both working in promiscuous mode, then collect traffic packets from the tapped network link and pass the data through a special-purpose packet capture protocol stack [9] to the kernel. A globally synchronized clock is provided by the network time protocol (NTP) from [17], upon which the fidelity of captured packet timestamps is up to O(millisecond).

Fig. 2 Collect traffic through optical splitter

B. Data Analysis

All real-time data analysis is performed by user-level multithreaded applications which depend heavily on the SMP and caching facilities in the Linux kernel for high performance. As we can see from Figure 2, the packet meter/filter module interfaces with the kernel via a newly-defined socket, namely AF_CAPPKT [9]. Some of the basic analysis, such as measuring packet size distribution, packet source/destination port distribution, packet protocol distribution, packets per second (PPS), and average packet size, can be performed within it. It can also filter packets in real time according to dynamically configured rules by using a routing lookup algorithm. The output of the packet meter, tens of thousands of packet records as described in Table 2, is sent to a packet classifier which, among other things, is the most important functional module in this monitoring agent. This module classifies incoming packets into one of several flows based on multiple fields of the packets; all packets of a flow are treated by a pre-defined rule and are processed in a similar manner in the next step. Routing lookup and packet classification are both important problems in the design and implementation of generic flow-aware routers [10] [11]. At this moment, we make use of a routing lookup algorithm, Lulea [12], for longest prefix matching in software to support gigabit speed for packet filtering in the monitoring agent instead of packet forwarding in a router.
This algorithm's objective is to minimize the storage requirements of its data structure, so that it can fit in the L1 cache of a conventional general purpose processor such as a Pentium; our agent is based on dual Pentium III processors. On the other hand, we take advantage of a packet classification algorithm, Recursive Flow Classification (RFC) [10][11], for classification on multiple fields, to classify packets into flows. There are a number of properties that we desire for the purpose of getting high performance and scalability from the algorithms we choose:
1) High speed.
2) Low processing time.
3) Flexibility in implementation.
4) Scalability in the number of fields.

After collecting a large number of flows from the packet classifier, the first task is to perform flow-based classification and filtering. We examine each individual flow and extract the following information:
1) TopN statistics concerning traffic volume, address uniformity, port settings, number of packets and flows, etc.
2) Traffic matrices concerning peering links, ASes, DNS domains, etc.
3) Link utilization.
4) Any self-defined type of active flow as needed.
5) Traffic breakdown by protocols and applications (network services).
6) Routing information such as routing loops and errors.

Now we are capable of focusing on the outcomes of interest, which can be acquired from AF_CAPPKT, the packet meter/filter, the packet classifier and the flow-based filters, and doing further analysis by the methods we have adopted previously [13][14] and others [15] to conflate, correlate, associate and refine all the above-mentioned measurement data to discriminate anomalies such as DoS from normal traffic.

C. Data Repository and Mining

The data repository is a large RAID-5 array for storage of all kinds of selected data from AF_CAPPKT, the packet meter/filter, the packet classifier and the flow-based filters. It contains 1.8TB of disk space consisting of 10 Ultra SCSI 3 hard disks (180GB each).

Data mining (DM) is a promising technique for IDS, especially for detecting novel attacks. By DM, our agent is not only able to give a profile of normal traffic, i.e. attack-free traffic, in the network, and then provide statistical anomaly-based detection results by comparing current data with the previously-derived profile (profile-based), but also able to do further in-depth post-mortem analysis off-line on bad or strange traffic flow and/or packet patterns, identifying novel rules and refining or deleting out-of-date ones to improve the capability and efficiency of the current classifier and/or packet filter. Currently, we mainly look at the following statistical calculations for obtaining novel signs of anomalies: intensity measures, distribution measures, and categorical and counting measures. Since the values obtained are from disparate distributions, we also need to normalize them.

III. Workflow of Operations

Figure 3 shows the operational workflow of all components of this monitoring agent.
Fig. 3 workflow of the monitoring agent

IV. Monitoring Results

In this section we present a sample of monitoring results to demonstrate the agent's performance and its capability for traffic anomaly detection. Figure 5 illustrates the sharp increase in link utilization when the MS-SQL Slammer worm broke out globally at almost exactly 13:30 P.M. (CST) on Saturday January 25th, 2003 [18].

Fig. 4 link utilization of a GigE link (Slammer worm outbreak)

Fig. 5 traffic mix of a GigE link

Table 3: Packet Records of SQL Slammer Worm (columns: saddr, daddr (/24 networks), sport, dport, protocol = 17 (udp), size, timestamp, interface = nic0, payload; the individual values are not recoverable)

Signature (multiple fields on which classification is based) derived from the anomalous packet records: {saddr: any/32, daddr: any netid/24, sport: any, dport: 1434 ms-sql-m, protocol: udp, pkt size: 404 bytes/pkt}.

Figure 5 and Figure 6 illustrate the consecutive traffic anomalies on a link in CERNET when the latest large-scale network worm broke out on March 8th, 2003 [19]. The following packet pattern is one of the anomalous signatures detected by this agent. It accounts for 74.3% of the total inbound packets at about 3:00 P.M., and consumes network resources maliciously.

Table 4: Packet Records of Worm (columns: saddr, daddr (/24 networks), sport, dport, protocol = 6 (tcp), size, timestamp, interface = nic1, payload; the individual values are not recoverable)

Packet record signature: {saddr: any/32, daddr: any netid/24, sport: any, dport: 445 microsoft-ds, protocol: tcp, pkt size: 48 bytes/pkt}.

V. Cooperation with Other Systems

Figure 6 shows how the monitoring agent cooperates harmoniously with the NMS, IDS and ABS in CERNET.

Fig. 6 agent cooperates with IDS, NMS and ABS

VI. Conclusions

In this paper we describe the CERNET passive monitoring agent, which is capable of supporting the Gigabit Ethernet data rate, and present its capabilities with several sample measurements. The advantages of this agent are as follows:
1) Its design and implementation are suitable for deployment either on an SMP host or in a tightly-coupled environment (cluster or server farm).
2) It is equipped with a powerful collection engine for real-time packet capture on high-speed links.
3) It provides a daily traffic measurement report.
4) It performs packet pattern and flow-based traffic analysis on-line and off-line for network anomaly detection.
5) It dynamically adjusts the packet filter and classification rules, and the flow filter rules, to accurately identify network anomalies and attacks with great flexibility.
6) Its monitoring results are useful in many diverse systems such as IDS, NMS and ABS.

VII. Ongoing and Future Work

We are still devoting effort to enhancing this agent's capability of finding novel filter rules and anomaly signatures with formalized description scripts. However, the major part of our future work is to deploy many more monitoring agents throughout CERNET to detect and identify network anomalies and attacks, to correlate those which occur at different positions in order to study the possible context amongst them, and to depict dynamically the operational status of CERNET.

References

[1] W. Stallings. SNMP, SNMPv2, SNMPv3, and RMON 1 and 2, Addison Wesley, 3rd edition.
[2] Tcpdump web page.
[3] S. McCanne, V. Jacobson, The BSD Packet Filter: A New Architecture for User-level Packet Capture, In Proceedings of the Winter 1993 USENIX Conference, USENIX Association, January.
[4] NetFlow services and applications. h/napps_wp.htm, 2002, Cisco white paper.
[5] CoralReef web page.
[6] CERNET.
[7] T. McGregor, H. W. Braun, J. Brown, The NLANR Network Analysis Infrastructure, IEEE Communications, Vol. 38, No. 5, May.
[8] C. Fraleigh, C. Diot, B. Lyles, S. Moon, P. Owezarski, D. Papagiannaki, F. Tobagi, Design and Deployment of a Passive Monitoring Infrastructure, Passive and Active Measurement Workshop (PAM) 2001, Amsterdam, The Netherlands, April.
[9] Z. C. Li, H. Zhang, et al. Linuxflow: A High Speed Backbone Measurement Facility, accepted for Passive and Active Measurement Workshop (PAM) 2003, La Jolla, California, USA, April.
[10] P. Gupta, N. McKeown, Packet Classification on Multiple Fields, In Proceedings of ACM SIGCOMM '99, ACM, August.
[11] P. Gupta, Algorithms for Routing Lookups and Packet Classification, Ph.D. Dissertation, Computer Science Department, Stanford University, December.
[12] M. Degermark, A. Brodnik, S. Carlsson and S. Pink, Small Forwarding Tables for Fast Routing Lookups, Proceedings of ACM SIGCOMM, pp. 3-14, October.
[13] H. Zhang, G. Xu, Advanced Method for Detecting Unusual Behaviors on Networks in Real-Time, In Proceedings of ICCT-2000, Beijing, China, August.
[14] H. Zhang, Z. M. Li, A Stream Pattern Based Live Traffic Analysis Model System in CERNET, In Proceedings of ISFST 2002, Wuhan, China, October.
[15] G. M. Voelker, S. Savage, Inferring Internet Denial-of-Service Activity, USENIX Security Symposium.
[16] L. Torvalds and Free Software Community. The Linux Kernel, September.
[17] CERNET Network Time Service. December.
[18] CERT Advisory CA MS-SQL Server Worm. January 25.
[19] CERT Advisory CA Increased Activity Targeting Windows Shares, March 11.
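The multi-field packet-record signatures of Section IV, and the classification-on-multiple-fields step of Section II.B that applies them, as an added example that is not part of the paper or of the agent's code. It is a plain linear-scan matcher, not the RFC or Lulea algorithms the agent uses; the two Section IV signatures are written as rules, and signature_share computes the "accounts for X% of the total inbound packets" figure. The Signature and Packet classes, MONITORED_NET (a documentation prefix standing in for the paper's "any netid/24"), the convention that inbound packets are those captured on nic0, and the sample packets are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_TCP, PROTO_UDP = 6, 17

# Hypothetical monitored /24 standing in for the paper's "any netid/24"
# (TEST-NET-2 documentation range, not a real CERNET prefix).
MONITORED_NET = "198.51.100.0/24"


@dataclass(frozen=True)
class Signature:
    """Multi-field signature; 'any' / None means the field is unconstrained."""
    name: str
    saddr: str = "any"            # "any" or a CIDR prefix
    daddr: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    protocol: Optional[int] = None
    size: Optional[int] = None    # bytes per packet


@dataclass(frozen=True)
class Packet:
    """Packet record fields needed for matching (Table 2 subset)."""
    saddr: str
    daddr: str
    sport: int
    dport: int
    protocol: int
    size: int
    interface: str                # capture interface the packet arrived on


# The two signatures reported in Section IV, written as rules.
SIGNATURES = [
    Signature("sql-slammer", daddr=MONITORED_NET, dport=1434, protocol=PROTO_UDP, size=404),
    Signature("windows-shares", daddr=MONITORED_NET, dport=445, protocol=PROTO_TCP, size=48),
]


def prefix_match(addr: str, prefix: str) -> bool:
    """Address field match: 'any' matches everything, otherwise CIDR containment."""
    if prefix == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def matches(sig: Signature, p: Packet) -> bool:
    """Every constrained field must match; unconstrained fields are skipped."""
    return (prefix_match(p.saddr, sig.saddr)
            and prefix_match(p.daddr, sig.daddr)
            and (sig.sport is None or p.sport == sig.sport)
            and (sig.dport is None or p.dport == sig.dport)
            and (sig.protocol is None or p.protocol == sig.protocol)
            and (sig.size is None or p.size == sig.size))


def classify(p: Packet, signatures: List[Signature]) -> Optional[str]:
    """Linear scan over the rule list; first match wins, None if no signature applies."""
    for sig in signatures:
        if matches(sig, p):
            return sig.name
    return None


def signature_share(packets: List[Packet], signatures: List[Signature],
                    inbound_if: str = "nic0") -> Dict[str, float]:
    """Fraction of inbound packets (those captured on inbound_if) matching each signature."""
    inbound = [p for p in packets if p.interface == inbound_if]
    counts = {sig.name: 0 for sig in signatures}
    for p in inbound:
        name = classify(p, signatures)
        if name is not None:
            counts[name] += 1
    return {name: (n / len(inbound) if inbound else 0.0) for name, n in counts.items()}


# Constructed sample: ten inbound packets on nic0 and one outbound on nic1.
# 203.0.113.0/24 is TEST-NET-3; none of these are real hosts.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "198.51.100.20", 1040, 1434, PROTO_UDP, 404, "nic0"),
    Packet("203.0.113.6", "198.51.100.21", 1041, 1434, PROTO_UDP, 404, "nic0"),
    Packet("203.0.113.7", "198.51.100.22", 1042, 1434, PROTO_UDP, 404, "nic0"),
    Packet("203.0.113.8", "198.51.100.23", 1043, 1434, PROTO_UDP, 404, "nic0"),
    Packet("203.0.113.9", "198.51.100.24", 1044, 1434, PROTO_UDP, 404, "nic0"),
    Packet("203.0.113.10", "198.51.100.25", 1045, 1434, PROTO_UDP, 404, "nic0"),
    Packet("203.0.113.11", "198.51.100.30", 3001, 445, PROTO_TCP, 48, "nic0"),
    Packet("203.0.113.12", "198.51.100.31", 3002, 445, PROTO_TCP, 48, "nic0"),
    Packet("203.0.113.13", "198.51.100.40", 3003, 80, PROTO_TCP, 60, "nic0"),
    Packet("203.0.113.14", "192.0.2.50", 1046, 1434, PROTO_UDP, 404, "nic0"),  # outside the /24
    Packet("198.51.100.20", "203.0.113.5", 1434, 1040, PROTO_UDP, 404, "nic1"),  # outbound
]

if __name__ == "__main__":
    for name, share in signature_share(SAMPLE_PACKETS, SIGNATURES).items():
        print(f"{name}: {share:.1%} of inbound packets")
```

The daddr prefix is what keeps the tenth packet out of the Slammer count even though its port, protocol and size all match, which is the point of carrying address prefixes rather than only port and size in a signature. A scan of every rule per packet is O(rules) and is exactly what RFC avoids at gigabit rates; the fixed size field also makes these signatures brittle against a variant that pads its payload, which is one reason the paper pairs signature filtering with off-line mining for new rules.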
More informationAn Infrastructure for Passive Network Monitoring of Application Data Streams
An Infrastructure for Passive Network Monitoring of Application Data Streams Deb Agarwal, José María González, Goujun Jin, Brian Tierney Computing Sciences Directorate Lawrence Berkeley National Laboratory
More informationThe Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology
3. The Lagopus SDN Software Switch Here we explain the capabilities of the new Lagopus software switch in detail, starting with the basics of SDN and OpenFlow. 3.1 SDN and OpenFlow Those engaged in network-related
More informationICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.
ICND2 NetFlow Question 1 What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing Answer: A C D NetFlow
More informationBro at 10 Gps: Current Testing and Plans
U.S. Department of Energy Bro at 10 Gps: Current Testing and Plans Office of Science Brian L. Tierney Lawrence Berkeley National Laboratory Bro s Use at LBL Operational 24 7 since 1996 Monitors traffic
More informationNetFlow Aggregation. Feature Overview. Aggregation Cache Schemes
NetFlow Aggregation This document describes the Cisco IOS NetFlow Aggregation feature, which allows Cisco NetFlow users to summarize NetFlow export data on an IOS router before the data is exported to
More informationA Flow-based Method for Abnormal Network Traffic Detection
A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,
More informationHow To Classify Network Traffic In Real Time
22 Approaching Real-time Network Traffic Classification ISSN 1470-5559 Wei Li, Kaysar Abdin, Robert Dann and Andrew Moore RR-06-12 October 2006 Department of Computer Science Approaching Real-time Network
More informationSockets vs. RDMA Interface over 10-Gigabit Networks: An In-depth Analysis of the Memory Traffic Bottleneck
Sockets vs. RDMA Interface over 1-Gigabit Networks: An In-depth Analysis of the Memory Traffic Bottleneck Pavan Balaji Hemal V. Shah D. K. Panda Network Based Computing Lab Computer Science and Engineering
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationBasic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet
Basic Networking Concepts 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet 1 1. Introduction -A network can be defined as a group of computers and other devices connected
More informationEnabling Technologies for Distributed Computing
Enabling Technologies for Distributed Computing Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF Multi-core CPUs and Multithreading Technologies
More informationSAN Conceptual and Design Basics
TECHNICAL NOTE VMware Infrastructure 3 SAN Conceptual and Design Basics VMware ESX Server can be used in conjunction with a SAN (storage area network), a specialized high speed network that connects computer
More informationCisco Performance Visibility Manager 1.0.1
Cisco Performance Visibility Manager 1.0.1 Cisco Performance Visibility Manager (PVM) is a proactive network- and applicationperformance monitoring, reporting, and troubleshooting system for maximizing
More informationOpenFlow with Intel 82599. Voravit Tanyingyong, Markus Hidell, Peter Sjödin
OpenFlow with Intel 82599 Voravit Tanyingyong, Markus Hidell, Peter Sjödin Outline Background Goal Design Experiment and Evaluation Conclusion OpenFlow SW HW Open up commercial network hardware for experiment
More informationIPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令
IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令 1 内 容 流 量 分 析 简 介 IPv6 下 的 新 问 题 和 挑 战 协 议 格 式 变 更 用 户 行 为 特 征 变 更 安 全 问 题 演 化 流 量 导 出 手 段 变 化 设 备 参 考 配 置 流 量 工 具 总 结 2 流 量 分 析 简 介 流 量 分 析 目 标 who, what, where,
More informationHow To Monitor A Network On A Network With Bro (Networking) On A Pc Or Mac Or Ipad (Netware) On Your Computer Or Ipa (Network) On An Ipa Or Ipac (Netrope) On
Michel Laterman We have a monitor set up that receives a mirror from the edge routers Monitor uses an ENDACE DAG 8.1SX card (10Gbps) & Bro to record connection level info about network usage Can t simply
More informationLimitations of Packet Measurement
Limitations of Packet Measurement Collect and process less information: Only collect packet headers, not payload Ignore single packets (aggregate) Ignore some packets (sampling) Make collection and processing
More informationInternet Traffic Measurement
Internet Traffic Measurement Internet Traffic Measurement Network Monitor Placement Measurement Analysis Tools Measurement Result Reporting Probing Mechanism Vantage Points Edge vs Core Hardware vs Software
More informationNetFlow Analysis with MapReduce
NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National University {teshi85, yhlee06, lee}@cnu.ac.kr 2010.04.24(Sat) based on "An Internet Traffic Analysis Method with
More informationVON/K: A Fast Virtual Overlay Network Embedded in KVM Hypervisor for High Performance Computing
Journal of Information & Computational Science 9: 5 (2012) 1273 1280 Available at http://www.joics.com VON/K: A Fast Virtual Overlay Network Embedded in KVM Hypervisor for High Performance Computing Yuan
More informationQ1 Labs Inc. 15 Piedmont Center, suite 1040 Atlanta, Georgia 30305 USA +1-877-471-5227 info@q1labs.com www.q1labs.com
1. Name of the Technology and the Corporation supporting it Product: Company: RFI Contact: QVISION Q1 Labs Inc. 15 Piedmont Center, suite 1040 Atlanta, Georgia 30305 USA +1-877-471-5227 info@q1labs.com
More informationAnalysis of Automated Model against DDoS Attacks
Analysis of Automated Model against DDoS Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked Systems Security Research Division of Information and Communication Sciences Macquarie
More informationPutting it on the NIC: A Case Study on application offloading to a Network Interface Card (NIC)
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE CCNC 2006 proceedings. Putting it on the NIC: A Case Study on application
More informationLayer 3 Network + Dedicated Internet Connectivity
Layer 3 Network + Dedicated Internet Connectivity Client: One of the IT Departments in a Northern State Customer's requirement: The customer wanted to establish CAN connectivity (Campus Area Network) for
More informationQRadar Security Management Appliances
QRadar Security Management Appliances Q1 Labs QRadar network security management appliances and related software provide enterprises with an integrated framework that combines typically disparate network
More informationObserver Probe Family
Observer Probe Family Distributed analysis for local and remote networks Monitor and troubleshoot vital network links in real time from any location Network Instruments offers a complete line of software
More informationDetect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 21, 571-578 (2005) Short Paper Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network Department of Computer Science and Information
More informationOn A Network Forensics Model For Information Security
On A Network Forensics Model For Information Security Ren Wei School of Information, Zhongnan University of Economics and Law, Wuhan, 430064 renw@public.wh.hb.cn Abstract: The employment of a patchwork
More informationLocal-Area Network -LAN
Computer Networks A group of two or more computer systems linked together. There are many [types] of computer networks: Peer To Peer (workgroups) The computers are connected by a network, however, there
More informationNetwork Design. Yiannos Mylonas
Network Design Yiannos Mylonas Physical Topologies There are two parts to the topology definition: the physical topology, which is the actual layout of the wire (media), and the logical topology, which
More informationA HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING
A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING AZRUDDIN AHMAD, GOBITHASAN RUDRUSAMY, RAHMAT BUDIARTO, AZMAN SAMSUDIN, SURESRAWAN RAMADASS. Network Research Group School of
More informationFlow Analysis Versus Packet Analysis. What Should You Choose?
Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation
More informationDesign Issues in a Bare PC Web Server
Design Issues in a Bare PC Web Server Long He, Ramesh K. Karne, Alexander L. Wijesinha, Sandeep Girumala, and Gholam H. Khaksari Department of Computer & Information Sciences, Towson University, 78 York
More informationService Description DDoS Mitigation Service
Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3
More informationA Catechistic Method for Traffic Pattern Discovery in MANET
A Catechistic Method for Traffic Pattern Discovery in MANET R. Saranya 1, R. Santhosh 2 1 PG Scholar, Computer Science and Engineering, Karpagam University, Coimbatore. 2 Assistant Professor, Computer
More informationD1.2 Network Load Balancing
D1. Network Load Balancing Ronald van der Pol, Freek Dijkstra, Igor Idziejczak, and Mark Meijerink SARA Computing and Networking Services, Science Park 11, 9 XG Amsterdam, The Netherlands June ronald.vanderpol@sara.nl,freek.dijkstra@sara.nl,
More informationGigabit Ethernet Design
Gigabit Ethernet Design Laura Jeanne Knapp Network Consultant 1-919-254-8801 laura@lauraknapp.com www.lauraknapp.com Tom Hadley Network Consultant 1-919-301-3052 tmhadley@us.ibm.com HSEdes_ 010 ed and
More informationTowards Streaming Media Traffic Monitoring and Analysis. Hun-Jeong Kang, Hong-Taek Ju, Myung-Sup Kim and James W. Hong. DP&NM Lab.
Towards Streaming Media Traffic Monitoring and Analysis Hun-Jeong Kang, Hong-Taek Ju, Myung-Sup Kim and James W. Hong Dept. of Computer Science and Engineering, Pohang Korea Email: {bluewind, juht, mount,
More informationRestorable Logical Topology using Cross-Layer Optimization
פרויקטים בתקשורת מחשבים - 236340 - סמסטר אביב 2016 Restorable Logical Topology using Cross-Layer Optimization Abstract: Today s communication networks consist of routers and optical switches in a logical
More informationA Study of Network Security Systems
A Study of Network Security Systems Ramy K. Khalil, Fayez W. Zaki, Mohamed M. Ashour, Mohamed A. Mohamed Department of Communication and Electronics Mansoura University El Gomhorya Street, Mansora,Dakahlya
More informationBuilding Secure Network Infrastructure For LANs
Building Secure Network Infrastructure For LANs Yeung, K., Hau; and Leung, T., Chuen Abstract This paper discusses the building of secure network infrastructure for local area networks. It first gives
More informationNew!! - Higher performance for Windows and UNIX environments
New!! - Higher performance for Windows and UNIX environments The IBM TotalStorage Network Attached Storage Gateway 300 (NAS Gateway 300) is designed to act as a gateway between a storage area network (SAN)
More informationQuick Start for Network Agent. 5-Step Quick Start. What is Network Agent?
What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters
More informationIntroduction to Cisco IOS Flexible NetFlow
Introduction to Cisco IOS Flexible NetFlow Last updated: September 2008 The next-generation in flow technology allowing optimization of the network infrastructure, reducing operation costs, improving capacity
More informationGR2000: a Gigabit Router for a Guaranteed Network
Hitachi Review Vol. 48 (1999), No. 4 203 GR2000: a Gigabit Router for a Guaranteed Network Kazuo Sugai Yoshihito Sako Takeshi Aimoto OVERVIEW: Driven by the progress of the information society, corporate
More informationnfdump and NfSen 18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH
18 th Annual FIRST Conference June 25-30, 2006 Baltimore Peter Haag 2006 SWITCH Some operational questions, popping up now and then: Do you see this peek on port 445 as well? What caused this peek on your
More informationOpenFlow Based Load Balancing
OpenFlow Based Load Balancing Hardeep Uppal and Dane Brandon University of Washington CSE561: Networking Project Report Abstract: In today s high-traffic internet, it is often desirable to have multiple
More informationThe new frontier of the DATA acquisition using 1 and 10 Gb/s Ethernet links. Filippo Costa on behalf of the ALICE DAQ group
The new frontier of the DATA acquisition using 1 and 10 Gb/s Ethernet links Filippo Costa on behalf of the ALICE DAQ group DATE software 2 DATE (ALICE Data Acquisition and Test Environment) ALICE is a
More information