Three Levels Network Analysis for Anomaly Detection
Bruno B. Zarpelão 1, Leonardo S. Mendes 1, Mario L. Proença Jr. 2 and Joel J. P. C. Rodrigues 3

1 School of Electrical and Computer Engineering, University of Campinas (UNICAMP), Campinas, SP, Brazil
2 Computer Science Department, State University of Londrina (UEL), Londrina, PR, Brazil
3 Instituto de Telecomunicações, University of Beira Interior, Covilhã, Portugal
E-mails: {bzarpe,lmendes}@decom.fee.unicamp.br, proenca@uel.br, joel@ubi.pt

Abstract - Anomaly detection is fundamental to ensure reliability and security in computer networks. In this work, an anomaly detection system is proposed that monitors the network at three different levels. In the first one, data is collected from Simple Network Management Protocol (SNMP) objects and compared to profiles of normal traffic in order to detect behavior changes. The second level of analysis uses a dependency graph that represents the relationships between SNMP objects; it is used to analyze first level alerts, confirming the occurrence of anomalies at device level. In the third level of analysis, second level alerts are grouped according to network topology information, and network administrators are informed about the context in which the anomaly occurred. Tests were performed in a real network environment and good results were obtained.

1. INTRODUCTION

The evolution of networking technologies has encouraged the creation of new and sophisticated services for government, academia and industry. Therefore, computer networks have become essential in a diverse array of environments, where reliability and security have been highlighted as key issues [1]. As computer networks advance, managing them efficiently becomes both more important and harder. Today's networks are composed of heterogeneous software and hardware elements, forming complex scenarios where it is impossible to work without tools such as anomaly detection systems.
Anomalies are unexpected changes in traffic levels that can cause anything from small performance degradation to the disruption of network operations. They can be caused by flash crowds, malfunctioning, network device failures, vendor implementation bugs, misconfigurations, transfers of very large files, outages and malicious attacks such as DoS (Denial of Service), DDoS (Distributed Denial of Service) and worms [2].

This work proposes an anomaly detection system that organizes the network analysis in three levels. In the first one, a comparison is performed between data collected from SNMP objects and profiles of normal traffic. A hysteresis-based mechanism is used, and first level alerts are generated when behavior deviations are detected. In the second level, first level alerts are analyzed together, taking into account the characteristics of the SNMP objects. Each SNMP object brings a different view of the network device, and system efficiency is improved by combining information from these different perspectives. When anomalies are confirmed for a device, second level alerts are generated. Finally, in the third level, second level alerts are grouped in order to provide the network administrator with a wide view of the problem in the network. Besides detecting anomalies, the proposed system informs the network administrator about the context in which they occur, helping to find the cause and the solution of the problem.

The remainder of this paper is organized as follows. Section 2 presents the related work. Section 3 describes the proposed solution for anomaly detection, based on a three-level analysis; this section is divided in three parts, one for each analysis level. Section 4 brings evaluation results obtained in a real network environment. Finally, conclusions and future work are presented in Section 5.

2. RELATED WORK

Denning [3] presented the first work that used the characterization of normal network behavior to detect anomalies.
Since this proposal, many authors have presented solutions using the same model, which has been combined with different techniques such as the generalized likelihood ratio (GLR) [2], general wavelet filters [4], principal component analysis (PCA) [5], the discrete wavelet transform [6] and intelligent flow sampling [7]. Lakhina et al. [5] presented an important work concerning the detection and characterization of network-wide anomalies. By using the PCA technique, data collected from the network was separated into two disjoint subspaces, enabling the identification of anomalous behavior. Besides detecting anomalies, this work searched for the causes of anomalies, showing the problem scenario to the network administrator. Ringberg et al. [8] presented a work that also applies PCA. They evaluated how difficult the adoption of the proposed solution is, concluding that it is hard to configure and deploy in production environments. An anomaly diagnosis system is proposed in [9]. With similar objectives to [4], the authors propose to detect and classify the anomalies, showing to the network administrator the traffic flow that is responsible for the problem. The
solution is organized in three parts. First, two different data windows are compared in order to find changes in measurements such as the number of packets, bytes and flows. In the second step, if any change has been detected, the network is scanned to find which flows are responsible for the anomaly. Finally, in the last step, anomalies are classified and signatures are created and stored to be used in future analyses.

In this work, an anomaly detection system is proposed that analyzes the network at three different levels, using heuristics, simple algorithms and the Simple Network Management Protocol (SNMP) [10]. Our anomaly detection system is a lightweight solution that does not use flow or packet instrumentation. Besides, it is able to offer network administrators useful reports containing additional information about the problem.

3. ANOMALY DETECTION SYSTEM

The architecture of the proposed anomaly detection system is presented in Figure 1. First, there is a module responsible for collecting network information from Management Information Bases (MIB) [11]. For each SNMP object analyzed in each network device, there is an instance of the module for object level analysis. This module compares the profiles of normal behavior to the data collected from SNMP objects. For each monitored device, there is an instance of the module for device level analysis, which is responsible for analyzing all the object level alerts and generating a device level alarm if the anomaly is confirmed. Finally, the module for network level analysis gathers all device level alarms and analyzes them, using network topology information, to verify whether they are related. If different device level alarms are related to the same problem, a network level alarm is generated and a report is sent to the network administrator.

Figure 1 - Architecture of proposed model.

3.1 Object level analysis

Object level analysis is defined as the step in which each SNMP object's data is analyzed to detect unexpected changes of behavior. Therefore, it is necessary to characterize the normal behavior of each SNMP object, which represents a significant challenge due to the non-stationary nature of network traffic. In this work, SNMP object data is characterized using the Baseline for Automatic Backbone Management (BLGBA) model [12], which is applied to the historical data of a given SNMP object to construct the Digital Signature of Network Segment (DSNS) [12].

Traffic behavior is composed of daily cycles, where traffic levels are usually higher during working hours. Traffic levels are also distinct for different days, as can be verified when workday traffic is compared to weekend traffic [4], [12]. The traffic characterization model should be able to deal with these characteristics of network traffic behavior. In our work, the BLGBA model is used to generate a different profile of normal behavior for each day of the week, meeting this requirement.

The BLGBA algorithm was developed based on a variation in the calculation of the statistical mode. In order to determine an expected value for a given second of the day, the model analyzes the values for the same second in previous weeks. These values are distributed in frequencies, based on the difference between the greatest element $G_{aj}$ and the smallest element $S_{aj}$ of the sample, using 5 classes. This difference, divided by five, forms the amplitude $h$ between the classes, $h = (G_{aj} - S_{aj})/5$. Then, the limits $L_{C_k}$ of each class are obtained, calculated as $L_{C_k} = S_{aj} + h \cdot k$, where $C_k$ represents the $k$-th class ($k = 1 \ldots 5$). The value that is the greatest element inserted in the class with accumulated frequency equal to or greater than 80% is included in the DSNS. This process is performed for all seconds of a day, building the DSNS, which has an expected value for each second of any day of the week.
After characterizing the traffic, object level analysis is performed by comparing the DSNS to real data. The comparison algorithm is based on a hysteresis mechanism, which includes a parameter named delta (δ) to decrease the probability of generating false positive alarms. Three different events drive the operation of the hysteresis mechanism. At first, the DSNS value is used as a threshold. When a real value collected from the SNMP object is greater than the DSNS value, a type 1 event is identified and the hysteresis interval is initiated; a new threshold is established with the real value. During the hysteresis interval, every time a real value exceeds the current threshold, a type 2 event is identified and a new threshold is established. When the number of type 2 event occurrences is greater than the value defined by δ, a type 3 event is identified and a first level alert is generated. Figure 2 presents a flow chart that illustrates this algorithm.
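The object level analysis of Section 3.1, as an added example rather than the authors' code: the BLGBA class construction with the 80% rule for one second of the day, followed by the hysteresis comparison with its three event types. The sample values are constructed, and the rule that a hysteresis interval closes once the real value returns to the DSNS level is an assumption, since the flow chart of Figure 2 is not reproduced here.

```python
"""Object level analysis (Section 3.1): a BLGBA expected value for one second
of the day, then the hysteresis comparison of polled values against the DSNS.

Added example, not the authors' code. The five classes, the 80% accumulated
frequency rule, the delta parameter and the three event types follow the
paper. The sample series are constructed, and closing the hysteresis interval
once the real value falls back to the DSNS level is an assumption (the flow
chart in Figure 2 is not reproduced here).
"""
import math
from typing import List, Sequence, Tuple


def blgba_expected_value(samples: Sequence[float], classes: int = 5,
                         cutoff: float = 0.8) -> float:
    """DSNS value for one second of the day from the same second of previous weeks.

    With S = min and G = max of the sample, the class amplitude is
    h = (G - S) / classes and class k (k = 1..classes) has upper limit
    L_k = S + h * k. The result is the greatest element of the first class
    whose accumulated frequency reaches the cutoff, so an isolated spike in
    the history does not inflate the baseline.
    """
    if not samples:
        raise ValueError("at least one historical sample is required")
    s, g = min(samples), max(samples)
    if g == s:
        return g  # h would be 0: every historical value is identical
    h = (g - s) / classes
    buckets: List[List[float]] = [[] for _ in range(classes)]
    for v in samples:
        # v goes to the first class whose upper limit is >= v; v == S is
        # placed in class 1 and rounding at the top edge is clamped to class 5
        k = min(max(math.ceil((v - s) / h), 1), classes)
        buckets[k - 1].append(v)
    accumulated = 0
    for bucket in buckets:
        accumulated += len(bucket)
        if accumulated / len(samples) >= cutoff:
            return max(bucket)  # non-empty: this bucket crossed the cutoff
    return g  # not reached: the last class always accumulates 100%


def hysteresis_events(real: Sequence[float], dsns: Sequence[float],
                      delta: int) -> List[Tuple[int, int]]:
    """Hysteresis comparison of a polled series against its DSNS.

    Returns (sample index, event type) pairs:
      type 1: value exceeds the DSNS, an interval opens, threshold := value
      type 2: inside the interval the value exceeds the current threshold,
              threshold := value
      type 3: more than delta type 2 events in this interval, i.e. the first
              level alert (raised once per interval)
    Assumption: the interval closes when a value is <= the DSNS again.
    """
    events: List[Tuple[int, int]] = []
    in_interval = False
    threshold = 0.0
    type2_count = 0
    alerted = False
    for i, (value, expected) in enumerate(zip(real, dsns)):
        if not in_interval:
            if value > expected:
                in_interval, threshold = True, value
                type2_count, alerted = 0, False
                events.append((i, 1))
            continue
        if value <= expected:  # assumption: back at or below the baseline
            in_interval = False
            continue
        if value > threshold:
            threshold = value
            type2_count += 1
            events.append((i, 2))
            if type2_count > delta and not alerted:
                alerted = True
                events.append((i, 3))
    return events


# Constructed history for one second of the day over eight previous weeks;
# the 400 is a one-off spike that the 80% rule leaves out of the DSNS.
HISTORY_SAMPLE = [100, 110, 105, 400, 120, 115, 108, 130]
# Constructed polled values for today, with a flat DSNS of 130 for brevity
# and delta = 2 as in Table 1 for a 10 s polling interval.
REAL_TODAY = [120, 125, 140, 150, 145, 160, 170, 165, 180, 120]
DSNS_TODAY = [130.0] * len(REAL_TODAY)
DELTA = 2

if __name__ == "__main__":
    print("DSNS value:", blgba_expected_value(HISTORY_SAMPLE))  # 130
    for index, kind in hysteresis_events(REAL_TODAY, DSNS_TODAY, DELTA):
        print(f"sample {index}: type {kind} event")
```

With the constructed series the interval opens at sample 2, and the third type 2 event at sample 6 exceeds δ = 2 and raises the first level alert; with a larger δ the same burst produces no alert.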
Figure 2 - Flow chart of hysteresis algorithm.

3.2 Device level analysis

In the device level analysis, first level alerts are analyzed to confirm whether an anomaly is occurring or not. By monitoring different SNMP objects, diverse views of the device are obtained, enabling the system to generate a more reliable second level alert. First level alerts are analyzed according to a dependency graph that represents the relationships between the SNMP objects. Each vertex represents an SNMP object and each edge represents a possible path of anomaly propagation between two objects. Since the objects ifInOctets and ifOutOctets have a different instance for each interface of the device, there is a vertex for each instance. The dependency graph includes objects from the interface, ip and tcp groups, covering the main operations of network devices such as servers, switches and routers. Figure 3 shows the dependency graph.

To perform the analysis, initial and final points of monitoring are defined for each device. For instance, in a proxy server where the objects ipInReceives, ipInDelivers and tcpInSegs are monitored, the object ipInReceives is the initial point and the object tcpInSegs is the final point of monitoring. These objects are selected according to their positions in relation to the device's data streams. In this proxy server example, ipInReceives is the first monitored object in the input data stream and tcpInSegs is the last object monitored in the same stream. First level alerts generated in the same five-minute time frame are analyzed together. If the objects with alerts compose a path in the graph that begins at an initial point of monitoring and ends at a final one, an anomaly is detected.

Figure 3 - Dependency graph used in device level analysis.

3.3 Network level analysis

In the network level analysis, second level alerts are analyzed to show a network-wide view of the problem to the network administrator.
All devices affected by an anomaly present changes in their traffic levels, and various alerts are generated at different points of the network, signaling the same problem. Therefore, the third level of analysis is used to group alerts from different devices that belong to the same problem, aiming to improve report quality. This module of the system uses network topology information to group the second level alerts. If they are generated in the same five-minute time frame and belong to devices that are connected, a single third level alert is generated, gathering all related second level alerts.

4. PERFORMANCE EVALUATION AND RESULTS

Tests were performed on two important devices related to the security of the State University of Londrina (Brazil) network: the firewall (IP address: ) and the proxy server (IP address: ). In order to complete the scenario, the switch that interconnects both devices was also monitored (IP address: ). Data used for the tests was collected in April …. The proxy server is connected to interface 3011 of the switch and the firewall is connected to interface … of the switch. Figure 4 illustrates the test scenario.
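The device level analysis of Section 3.2 and the network level grouping of Section 3.3, written as an added example (not the authors' code) over the proxy, switch and firewall of the test scenario. The dependency graph edges, the topology and the alert timestamps are constructed, since Figure 3 is not reproduced here; grouping second level alerts transitively across the devices that alerted in the same time frame is also an assumption.

```python
"""Device level (3.2) and network level (3.3) analysis as an alert correlator.

Added example, not the authors' code. The five-minute time frame, the
initial/final monitoring points, the path rule and the grouping of alerts from
connected devices follow the paper. The dependency graph edges, the topology
and the alert timestamps are constructed (Figure 3 is not reproduced), and
grouping transitively across devices that alerted is an assumption.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

WINDOW_SECONDS = 300  # alerts in the same five-minute time frame are analyzed together

# Assumed dependency graph for the proxy server: one vertex per SNMP object
# (one per interface for ifInOctets), edges along the input data stream.
PROXY_DEPENDENCIES: Dict[str, Set[str]] = {
    "ifInOctets.1": {"ipInReceives"},
    "ipInReceives": {"ipInDelivers"},
    "ipInDelivers": {"tcpInSegs"},
    "tcpInSegs": set(),
}
# Assumed topology of the test scenario: proxy and firewall hang off the switch.
TOPOLOGY: Dict[str, Set[str]] = {
    "proxy": {"switch"},
    "switch": {"proxy", "firewall"},
    "firewall": {"switch"},
}


def time_frame(timestamp: int) -> int:
    """Index of the five-minute time frame containing a timestamp (seconds)."""
    return timestamp // WINDOW_SECONDS


def _path_exists(graph: Dict[str, Set[str]], start: str, goal: str,
                 allowed: Set[str]) -> bool:
    """Breadth-first search from start to goal restricted to `allowed` vertices."""
    if start not in allowed or goal not in allowed:
        return False
    seen, queue = {start}, deque([start])
    while queue:
        vertex = queue.popleft()
        if vertex == goal:
            return True
        for nxt in graph.get(vertex, ()):
            if nxt in allowed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def device_level_alerts(first_level: Iterable[Tuple[int, str]], initial: str,
                        final: str, graph: Dict[str, Set[str]]) -> List[int]:
    """Time frames in which one device's first level alerts (timestamp, object)
    form a dependency-graph path from `initial` to `final`, i.e. the frames
    that get a second level alert."""
    alerted: Dict[int, Set[str]] = defaultdict(set)
    for ts, obj in first_level:
        alerted[time_frame(ts)].add(obj)
    return sorted(frame for frame, objs in alerted.items()
                  if _path_exists(graph, initial, final, objs))


def network_level_alerts(second_level: Iterable[Tuple[int, str]],
                         topology: Dict[str, Set[str]]) -> List[Tuple[int, Set[str]]]:
    """Third level alerts: second level alerts (timestamp, device) of the same
    time frame are merged when their devices are connected. Each result is
    (time frame, devices covered by one report), ordered by time frame."""
    by_frame: Dict[int, Set[str]] = defaultdict(set)
    for ts, device in second_level:
        by_frame[time_frame(ts)].add(device)
    groups: List[Tuple[int, Set[str]]] = []
    for frame in sorted(by_frame):
        remaining = set(by_frame[frame])
        while remaining:  # one group per connected component of alerted devices
            start = remaining.pop()
            component, queue = {start}, deque([start])
            while queue:
                device = queue.popleft()
                for neighbour in topology.get(device, ()):
                    if neighbour in remaining:
                        remaining.remove(neighbour)
                        component.add(neighbour)
                        queue.append(neighbour)
            groups.append((frame, component))
    return groups


# Constructed first level alerts on the proxy (timestamps in seconds since
# midnight): a lone ipInReceives alert early in the day, then every object of
# the input stream alerting between 22h50 and 22h55.
PROXY_FIRST_LEVEL = [
    (10_000, "ipInReceives"),
    (82_210, "ifInOctets.1"), (82_230, "ipInReceives"),
    (82_260, "ipInDelivers"), (82_290, "tcpInSegs"),
]
# Constructed second level alerts: all three devices confirm in the same frame.
SECOND_LEVEL = [(10_050, "proxy"), (82_250, "proxy"),
                (82_280, "switch"), (82_295, "firewall")]

if __name__ == "__main__":
    print(device_level_alerts(PROXY_FIRST_LEVEL, "ipInReceives", "tcpInSegs",
                              PROXY_DEPENDENCIES))
    print(network_level_alerts(SECOND_LEVEL, TOPOLOGY))
```

The lone early alert never reaches the final point and is dropped at device level, while the 22h50 frame yields one second level alert per device and a single third level report covering proxy, switch and firewall.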
Figure 4 - Test scenario.

Table 1 presents the selected values for the parameters of the object level analysis module. Values for δ were defined after analyzing previous data. The polling interval was defined according to SNMP agent constraints, always using the smallest possible value for this parameter. It is possible to observe that δ values depend on polling intervals: when the polling interval is greater, fewer samples are analyzed during a hysteresis interval and a smaller delta is needed. In each device, the same values were applied for all objects.

Table 1 - Parameter values used in tests.
Device    Hysteresis δ value    Polling interval
…         2                     10 s
…         1                     10 s
…         20                    1 s

Two performance metrics were calculated: detection rate and false positive rate. The first one shows how many anomalies were detected in relation to the total number of anomalies. The second one calculates how many alarms were generated for situations that were not considered anomalies, in relation to the total number of alarms. The results were good: the detection rate was 83.56% and the false positive rate was 12.62%.

Figures 5, 6, 7 and 8 present a case of a real anomaly that occurred on April 27. They show plots containing real traffic, DSNS and first level alerts for each object in each device. It is possible to observe a great difference between real and expected traffic. All monitored objects had alerts generated in the same time frame, between 22h50 and 22h55. Second level alerts were generated in all devices. An anomaly was occurring and the security devices of the network should have been checked. All second level alerts were grouped into a third level alert. Instead of sending the network administrator a lot of alerts reporting problems device by device, the system generated only one report, containing all alarms and showing the context where the problem was occurring.

Figure 5 - Anomaly and respective alarms in the proxy server.

5. CONCLUSION AND FUTURE WORK

This paper proposed an anomaly detection system that combines analysis from three different levels in order to produce useful reports for network administrators. The solution is able to detect anomalies at device level, grouping these alerts to show network administrators which network devices are affected and how the anomaly is propagating through the network. Results were obtained from tests in the network environment of the State University of Londrina (Brazil). The detection and false positive rates obtained were very good. The behavior of the system during the occurrence of a real anomaly was presented, and it was demonstrated that the report was useful, since it provided a wide view of the problem. This would not be possible if the analysis were performed device by device, without taking into account the connections between them. Future work includes the improvement of the system, aiming to classify and characterize the anomalies, showing the network administrator the exact root cause of the problem.
Figure 6 - Anomaly and respective alarms in the switch, interface ….
Figure 7 - Anomaly and respective alarms in the switch, interface ….
Figure 8 - Anomaly and respective alarms in the firewall.

ACKNOWLEDGMENTS

This work has been supported by The State of São Paulo Research Foundation (FAPESP), Brazil, and by Instituto de Telecomunicações, Next Generation Networks and Applications Group (NetGNA), Portugal.

REFERENCES

[1] A. Patcha and J. M. Park, "An overview of anomaly detection techniques: Existing solutions and latest technological trends," Computer Networks, v. 51, no. 12, pp. ….
[2] M. Thottan and C. Ji, "Anomaly Detection in IP Networks," IEEE Transactions on Signal Processing, v. 51, n. 8, pp. …, 2003.
[3] D. E. Denning, "An Intrusion-Detection Model," IEEE Transactions on Software Engineering, v. 13, no. 2, pp. ….
[4] P. Barford, J. Kline, D. Plonka and A. Ron, "A signal analysis of network traffic anomalies," Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, 2002, pp. ….
[5] A. Lakhina, M. Crovella and C. Diot, "Diagnosing Network-Wide Traffic Anomalies," ACM SIGCOMM Computer Communication Review, Proc. of the 2004 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, v. 34, pp. ….
[6] S. S. Kim and A. L. N. Reddy, "Statistical techniques for detecting traffic anomalies through packet header data," IEEE/ACM Transactions on Networking, v. 16, n. 3.
[7] G. Androulidakis, V. Chatzigiannakis and S. Papavassiliou, "Network anomaly detection and classification via opportunistic sampling," IEEE Network, v. 23, n. 1, pp. 6-12.
[8] H. Ringberg, A. Soule, J. Rexford and C. Diot, "Sensitivity of PCA for traffic anomaly detection," Proceedings of the 2007 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pp. ….
[9] S. Farraposo, P. Owezarski and E. Monteiro, "A Multi-Scale Tomographic Algorithm for Detecting and Classifying Traffic Anomalies," Proceedings of IEEE International Conference on Communications 2007, pp. ….
[10] W. Stallings, SNMP, SNMPv2, SNMPv3, and RMON 1, 2 and 3. Addison-Wesley.
[11] K. McCloghrie and M. Rose, "Management Information Base for Network Management of TCP/IP-based internet: MIB-II," RFC 1213, Mar. ….
[12] M. L. Proença Jr., C. Coppelmans, M. Bottoli and L. S. Mendes, "The Hurst Parameter for Digital Signature of Network Segment," 11th International Conference on Telecommunications (ICT 2004), pp. ….
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK AUTONOMOUS NETWORK SECURITY FOR UNSUPERVISED DETECTION OF NETWORK ATTACKS MS. PRITI
More informationTABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY
IT FIREWALL POLICY TABLE OF CONTENT 1. INTRODUCTION... 3 2. TERMS AND DEFINITION... 3 3. PURPOSE... 5 4. SCOPE... 5 5. POLICY STATEMENT... 5 6. REQUIREMENTS... 5 7. OPERATIONS... 6 8. CONFIGURATION...
More informationSuperAgent and Siebel
SuperAgent and Siebel Executive summary Siebel Systems provides a comprehensive family of multichannel ebusiness applications services, all within a single architecture. The Siebel architecture is an n-tier
More informationAdvanced Administration for Citrix NetScaler 9.0 Platinum Edition
Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced
More informationIRENE. Intelligence between POS terminal and authorization system. Gateway. Increased security, availability and transparency.
Gateway IRENE INTELLIGENT ROUTER FOR ENHANCED NETWORKING WITH ETHERNET PROTOCOLS Intelligence between POS terminal and authorization system Increased security, availability and transparency. »»» MORE INSIGHT
More informationINCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS
WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by
More informationCharacteristics of Network Traffic Flow Anomalies
Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka I. INTRODUCTION One of the primary tasks of network administrators is monitoring routers and switches for anomalous traffic
More informationG DATA TechPaper #0275. G DATA Network Monitoring
G DATA TechPaper #0275 G DATA Network Monitoring G DATA Software AG Application Development May 2016 Contents Introduction... 3 1. The benefits of network monitoring... 3 1.1. Availability... 3 1.2. Migration
More informationDefending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks
More informationMoni4VDTN: a Monitoring System for Vehicular Delay-Tolerant Networks
Moni4VDTN: a Monitoring System for Vehicular Delay-Tolerant Networks João N. Isento 1, João A. Dias 1, Fábio Canelo 1, Joel J. P. C. Rodrigues 1, and Mario L. Proença Jr. 2 1 Instituto de Telecomunicações,
More informationNetwork Traffic Anomalies Detection and Identification with Flow Monitoring
Network Traffic Anomalies Detection and Identification with Flow Monitoring Huy Anh Nguyen, Tam Van Nguyen, Dong Il Kim, Deokjai Choi Department of Computer Engineering, Chonnam National University, Korea
More informationNetwork Management and Monitoring Software
Page 1 of 7 Network Management and Monitoring Software Many products on the market today provide analytical information to those who are responsible for the management of networked systems or what the
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationMonitoring Traffic manager
Monitoring Traffic manager eg Enterprise v6 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document may be reproduced
More informationService Description DDoS Mitigation Service
Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3
More information52-20-15 RMON, the New SNMP Remote Monitoring Standard Nathan J. Muller
52-20-15 RMON, the New SNMP Remote Monitoring Standard Nathan J. Muller Payoff The Remote Monitoring (RMON) Management Information Base (MIB) is a set of object definitions that extend the capabilities
More informationA Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack
A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack Abhishek Kumar Department of Computer Science and Engineering-Information Security NITK Surathkal-575025, India Dr. P. Santhi
More informationOPNET Network Simulator
Simulations and Tools for Telecommunications 521365S: OPNET Network Simulator Jarmo Prokkola Research team leader, M. Sc. (Tech.) VTT Technical Research Centre of Finland Kaitoväylä 1, Oulu P.O. Box 1100,
More informationIntrusion Detection Systems
Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics
More informationQoSpy an approach for QoS monitoring in DiffServ Networks.
QoSpy an approach for QoS monitoring in DiffServ Networks. Ulrich Hofmann Alessandro Anzaloni Ricardo de Farias Santos. anzaloni@ele.ita.br Instituto Tecnológico de Aeronaútica São José dos Campos-SP-Brazil
More informationReduce Your Virus Exposure with Active Virus Protection
Reduce Your Virus Exposure with Active Virus Protection Executive Summary Viruses are the leading Internet security threat facing businesses of all sizes. Viruses spread faster and cause more damage than
More informationCS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013
CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access
More informationGaining Operational Efficiencies with the Enterasys S-Series
Gaining Operational Efficiencies with the Enterasys S-Series Hi-Fidelity NetFlow There is nothing more important than our customers. Gaining Operational Efficiencies with the Enterasys S-Series Introduction
More informationIntroducing FortiDDoS. Mar, 2013
Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline
More informationHANDBOOK 8 NETWORK SECURITY Version 1.0
Australian Communications-Electronic Security Instruction 33 (ACSI 33) Point of Contact: Customer Services Team Phone: 02 6265 0197 Email: assist@dsd.gov.au HANDBOOK 8 NETWORK SECURITY Version 1.0 Objectives
More informationMoonv6 Test Suite. IPv6 Firewall Network Level Interoperability Test Suite. Technical Document. Revision 1.0
Moonv6 Test Suite IPv6 Firewall Network Level Interoperability Test Suite Technical Document Revision 1.0 IPv6 Consortium 121 Technology Drive, Suite 2 InterOperability Laboratory Durham, NH 03824-3525
More informationCTS2134 Introduction to Networking. Module 8.4 8.7 Network Security
CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by
More informationJoint Entropy Analysis Model for DDoS Attack Detection
2009 Fifth International Conference on Information Assurance and Security Joint Entropy Analysis Model for DDoS Attack Detection Hamza Rahmani, Nabil Sahli, Farouk Kammoun CRISTAL Lab., National School
More informationNetwork Management for Picture Archiving and Communication Systems
Network Management for Picture Archiving and Communication Systems Master of Engineering School of Engineering Science Simon Fraser University November 21, 2006 Road Map Introduction Hospital overview
More informationSimple Network Management Protocol
A Seminar Report on Simple Network Management Protocol Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: SUBMITTED BY: www.studymafia.org www.studymafia.org
More informationNetwork Management. Jaakko Kotimäki. Department of Computer Science Aalto University, School of Science. 21. maaliskuuta 2016
Jaakko Kotimäki Department of Computer Science Aalto University, School of Science Outline Introduction SNMP architecture Management Information Base SNMP protocol Network management in practice Niksula
More informationMonitoring Large Flows in Network
Monitoring Large Flows in Network Jing Li, Chengchen Hu, Bin Liu Department of Computer Science and Technology, Tsinghua University Beijing, P. R. China, 100084 { l-j02, hucc03 }@mails.tsinghua.edu.cn,
More informationChapter 2 - The TCP/IP and OSI Networking Models
Chapter 2 - The TCP/IP and OSI Networking Models TCP/IP : Transmission Control Protocol/Internet Protocol OSI : Open System Interconnection RFC Request for Comments TCP/IP Architecture Layers Application
More informationOn-Premises DDoS Mitigation for the Enterprise
On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has
More informationInternet Traffic Measurement
Internet Traffic Measurement Internet Traffic Measurement Network Monitor Placement Measurement Analysis Tools Measurement Result Reporting Probing Mechanism Vantage Points Edge vs Core Hardware vs Software
More informationNetflow Overview. PacNOG 6 Nadi, Fiji
Netflow Overview PacNOG 6 Nadi, Fiji Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools Architectural issues Software, tools
More informationA Guide to Understanding SNMP
A Guide to Understanding SNMP Read about SNMP v1, v2c & v3 and Learn How to Configure SNMP on Cisco Routers 2013, SolarWinds Worldwide, LLC. All rights reserved. Share: In small networks with only a few
More informationConfiguring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA
Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline
More informationAnalysis of a Distributed Denial-of-Service Attack
Analysis of a Distributed Denial-of-Service Attack Ka Hung HUI and OnChing YUE Mobile Technologies Centre (MobiTeC) The Chinese University of Hong Kong Abstract DDoS is a growing problem in cyber security.
More informationCisco Performance Visibility Manager 1.0.1
Cisco Performance Visibility Manager 1.0.1 Cisco Performance Visibility Manager (PVM) is a proactive network- and applicationperformance monitoring, reporting, and troubleshooting system for maximizing
More informationTime-Frequency Detection Algorithm of Network Traffic Anomalies
2012 International Conference on Innovation and Information Management (ICIIM 2012) IPCSIT vol. 36 (2012) (2012) IACSIT Press, Singapore Time-Frequency Detection Algorithm of Network Traffic Anomalies
More informationDoS protection for a Pragmatic Multiservice Network Based on Programmable Networks 1
DoS protection for a Pragmatic Multiservice Network Based on Programmable Networks 1 Bernardo Alarcos 1, María Calderón 2, Marifeli Sedano 3, Juan R. Velasco 1 1 Department of Automática, Universidad de
More informationplixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationLecture 12: Network Management Architecture
Lecture 12: Network Management Architecture Prof. Shervin Shirmohammadi SITE, University of Ottawa Prof. Shervin Shirmohammadi CEG 4185 12-1 Defining Network Management Contains multiple layers: Business
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationCharacterization of Network-Wide Anomalies in Traffic Flows
Characterization of Network-Wide Anomalies in Traffic Flows Anukool Lakhina Dept. of Computer Science, Boston University anukool@cs.bu.edu Mark Crovella Dept. of Computer Science, Boston University crovella@cs.bu.edu
More information