NVisionIP: An Interactive Network Flow Visualization Tool for Security


Kiran Lakkaraju, William Yurcik, Ratna Bearavolu, Adam J. Lee
National Center for Supercomputing Applications (NCSA)
University of Illinois, Urbana-Champaign
{kiran, byurcik, ratna,

Abstract

Security engineers are being overwhelmed with data from network monitoring tools. A tool is needed that will allow security engineers to view information about the entire network. In addition, the tool must allow the security engineers to use their background knowledge and intuition. NVisionIP, a tool developed at the National Center for Supercomputing Applications at the University of Illinois, Urbana-Champaign, provides a visualization of a Class B network. Following the Visual Information Seeking Mantra ("Overview first, zoom and filter, then details-on-demand"), NVisionIP provides a visualization of an entire Class B network, then allows users to drill down and gather more details about the hosts on the network. Combining the visualization and data processing capabilities of computers with the intuition and reasoning capabilities of humans, NVisionIP is a tool that allows security engineers to detect and stop attacks on networks.

Keywords: Netflows, Intrusion Detection, Network Security, Network Visualization

1 Introduction

As the recent wave of viruses, worms and attacks illustrates, network security is fast becoming an issue in computer systems everywhere. Attackers can easily download scripts that can be used to attack various systems. These root kits allow even hacking novices to attack large systems. With the increase in security incidents in the last few years, security engineers are faced with the task of securing networks that are increasingly being attacked. There are many monitoring and logging tools that provide data on the behavior of networks.
Logging facilities, like Syslog on Unix, or packet tracing utilities provide a rich set of data for security engineers to use in detecting and preventing intrusions. With the size and complexity of networks increasing, though, security engineers are often faced with a deluge of data from the network. The large amount of data must be processed by the security engineer in order to understand the state of the network. Unfortunately, the amount of data can often overwhelm a security engineer, and thus networks become vulnerable to attacks as the security engineer cannot keep track of the behavior of the network.

/04/$20.00 © 2004 IEEE.

To alleviate this problem, much research has been done on automatically detecting attacks and intrusions from the logs. Automatic Intrusion Detection Systems (IDS) are useful but can easily be overwhelming when applied to a large network. Tools of this type work by matching network activity to signatures of attacks. An alarm is generated when the traffic pattern is found and a notification is sent to the security engineer. These methods suffer from two major problems: first, the signature base must constantly be updated to keep up with new attacks, and second, the systems often generate a huge number of alarms, overwhelming the security engineer, once again, with too much information. There is work being done to address these two concerns. The field of Misuse Detection focuses on determining whether the behavior of hosts is not normal. Hosts that are behaving abnormally can be investigated further, to determine if they are under attack. The problem, though, is determining the normal behavior of a host. Alarm Fusion techniques group related alarms together based on their similarity, but determining similarity can be difficult.
Although the two techniques mentioned above are promising approaches to automatically detecting intrusions, we find that they are not general and scalable enough to provide practical benefit for our security engineers. Either the technique is too specific, focusing on a simple and small subset of attacks, or the technique does not scale to large networks. In addition, many of these techniques have a high false positive rate, that is, they indicate an attack when there is none. At our installation, security is still the domain of humans, who with their ability to generalize and utilize background knowledge are able to far outstrip the automatic IDSes in analyzing and determining whether an attack is occurring on the system. Unfortunately, with the increase in attacks, security engineers are being overwhelmed with data, and so new tools are needed, now, to aid security engineers in grasping all the data.

As automatic methods are not fully developed, we believe that a different type of tool is needed that will allow human security engineers to grasp and manipulate the large amount of information that is generated by the network monitors. In addition, we want the tool to allow human security engineers to use their background knowledge and generalization ability to make security decisions. Our tool, NVisionIP, provides these two functionalities by creating a visualization of the network data, thus providing a practical solution that allows security engineers to use their generalization ability and background knowledge along with the data crunching and visualization capabilities of machines. Humans have amazing visual capabilities; in fact, there is no more powerful method of presenting large amounts of information than through visual data maps [10]. By visualizing the data, human security engineers can grasp and manipulate the large amount of information that is generated by network installations. NVisionIP can be considered a middle ground between human security engineers and automatic intrusion detection systems, allowing a combination of the positive aspects of both. In addition, by monitoring the use of NVisionIP, we hope, in the future, to gain insight into the security analysis process that will allow us to increase the performance of automatic IDSes.

The rest of the paper is organized as follows: Section 2 details the related work in IDSes and network visualization. Section 3 discusses NetFlows, the data source for NVisionIP. Section 4 describes NVisionIP, Section 5 lists some examples of attacks and intrusions that NVisionIP can help catch, and Section 6 provides the conclusions and future work.
2 Related Work

2.1 Signature Based IDSes

There are several Intrusion Detection Systems that rely on signature based detection. In general, there are two classes: Host-Based IDSes, such as Tripwire [3], which monitor the host, and Network-based IDSes, like Snort [7], which monitor the packets on a network. Both types of IDSes suffer from the same drawback, namely that the signature database must be updated every time a new attack appears. In addition, the IDSes generally generate a large number of alarms; at our installation, our security engineer received in excess of 4000 alarms when our computer systems came under attack.

2.2 Network Visualizations

There has been much work on visualizing networks; [2] describes many of the early visualizations of the Internet. Some of the visualizations are geographical in nature, showing the traffic flow between machines as a link between the physical locations of the machines. Other visualizations focus on connectivity patterns and traffic volumes. In terms of visualization for security, [9] provides an example using BGP routing data. Although the data has been visualized to look for security incidents on the Internet, this work does not provide a sense of situational awareness as it analyzes traffic between autonomous systems. A new tool to enhance situational awareness is the Spinning Cube of Potential Doom [4]. This tool represents network traffic as points in 3D space. The addresses of the network being monitored lie on one axis, all possible source IP addresses lie on a second axis, and the third axis represents port numbers. The color of the points represents different characteristics of the traffic flows on the network. This presentation is similar to that of NVisionIP, though it tends to be busier. Although similar to NVisionIP, the Spinning Cube of Potential Doom does not allow the user to drill down or filter for events of interest.

3 NetFlows

NVisionIP uses NetFlows as a data source.
A NetFlow is an abstract representation of a sequence of packets transmitted between a source and destination host. NetFlows can keep track of the start and end time, source and destination port, number of bytes, number of packets, and the protocol. Figure 1 shows a sample NetFlow record. Appended to the source/destination IP address is the source/destination port. The counts are, respectively, source to destination packets, destination to source packets, source to destination bytes, and destination to source bytes.

NetFlows can be thought of as connections between computers. For instance, a NetFlow would be generated between Host A and Host B if a user on Host A used ssh to connect to Host B. The source and destination IP addresses would be those of Host A and Host B respectively. The number of bytes, number of packets, and protocol used would depend on the application. A NetFlow is an abstract representation; the only items actually transmitted via the network are packets.

At NCSA, we are concerned primarily about traffic between the internal network and the Internet, thus we have set up our NetFlow collection architecture to capture the flows between our internal network and our border router. [11] describes, in detail, the NetFlow collection architecture at NCSA as well as the various types of NetFlows and their differences. NCSA uses two types of NetFlows, the proprietary Cisco NetFlows ([8]) and ARGUS flows ([1]). Both are similar but have their own idiosyncrasies; consult [11] for more details.
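The following is an added example, not code from the paper or from NVisionIP: it assembles bidirectional flow records, carrying the fields the text lists for a NetFlow record, from a constructed packet list. The Packet/Flow layout, the 60-second idle timeout and all addresses are assumptions made for the illustration.

```python
# Added example (not code from the NVisionIP paper): assembling bidirectional
# flow records, carrying the fields the paper lists for a NetFlow record, from
# a constructed packet list. The Packet/Flow layout, the 60-second idle
# timeout and all addresses are assumptions made for this illustration.
from dataclasses import dataclass


@dataclass
class Packet:
    ts: int        # capture time in seconds (constructed values)
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    size: int      # bytes in this packet


@dataclass
class Flow:
    start: int
    end: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    sd_pkts: int = 0    # source -> destination packets
    ds_pkts: int = 0    # destination -> source packets
    sd_bytes: int = 0   # source -> destination bytes
    ds_bytes: int = 0   # destination -> source bytes


def flow_key(p):
    """Order the two endpoints so both directions of a connection share a key."""
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    return min(fwd, rev)


def build_flows(packets, idle_timeout=60):
    """Group packets into flows. The first packet of a connection fixes which
    side is the flow's source (the ssh client in the paper's Host A example);
    a silence longer than idle_timeout seconds closes the flow, and a later
    packet between the same endpoints starts a new record."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda pk: pk.ts):
        key = flow_key(p)
        flow = active.get(key)
        if flow is not None and p.ts - flow.end > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = Flow(p.ts, p.ts, p.proto, p.src, p.sport, p.dst, p.dport)
            active[key] = flow
        flow.end = max(flow.end, p.ts)
        if (p.src, p.sport) == (flow.src, flow.sport):
            flow.sd_pkts += 1
            flow.sd_bytes += p.size
        else:
            flow.ds_pkts += 1
            flow.ds_bytes += p.size
    finished.extend(active.values())
    return sorted(finished, key=lambda f: (f.start, f.src, f.sport))


def format_record(f):
    """Render a flow in the column order of the paper's Figure 1
    (times shown here as raw seconds rather than a date string)."""
    return (f"{f.start} {f.end} {f.proto} {f.src},{f.sport} {f.dst},{f.dport} "
            f"{f.sd_pkts} {f.ds_pkts} {f.sd_bytes} {f.ds_bytes}")


# Constructed sample: an ssh session from Host A to Host B (both directions),
# one UDP probe to port 1434 sized like the Slammer packets the paper cites,
# and a late ssh packet after an idle gap that starts a second record.
SAMPLE_PACKETS = [
    Packet(100, "tcp", "192.0.2.10", 51000, "198.51.100.5", 22, 80),
    Packet(101, "tcp", "198.51.100.5", 22, "192.0.2.10", 51000, 120),
    Packet(102, "tcp", "192.0.2.10", 51000, "198.51.100.5", 22, 64),
    Packet(103, "udp", "192.0.2.77", 40000, "198.51.100.9", 1434, 376),
    Packet(105, "tcp", "198.51.100.5", 22, "192.0.2.10", 51000, 500),
    Packet(106, "tcp", "192.0.2.10", 51000, "198.51.100.5", 22, 64),
    Packet(300, "tcp", "192.0.2.10", 51000, "198.51.100.5", 22, 64),
]

if __name__ == "__main__":
    for flow in build_flows(SAMPLE_PACKETS):
        print(format_record(flow))
```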

Figure 1. Sample NetFlow record

Start Time          End Time            Protocol  Source IP,Port   Destination IP,Port  Counts
20 Aug 03 00:00:06  20 Aug 03 00:00:06  tcp       (not extracted)  (not extracted)      (not extracted)

4 NVisionIP

NVisionIP is comprised of three views of the data, and many features that allow manipulation of these views. The three views, Galaxy View, Small Multiple View, and Machine View, successively provide greater detail about a smaller set of machines. The Galaxy View shows high level data about the entire network; the Small Multiple View is in the middle, giving a reasonable amount of information on a user-selected subset of machines; the Machine View shows all the information for a single machine. NVisionIP, by being organized in this way, fits the Visual Information Seeking Mantra: "Overview first, zoom and filter, then details-on-demand" [5].

The Galaxy View provides a high level overview of the entire network. Although each machine is represented by only a 4-pixel square, the use of colors and binning allows enough information to be shown that the Galaxy View can be useful as a quick summary of the traffic patterns on the network. In addition, the Galaxy View has zooming and filtering capabilities, which will be explained later. Details can be obtained by choosing a subset of the machines in the Galaxy View; note that only the machines that the user wants to see details on will be shown there. The Small Multiple View and Machine View show greater detail of a smaller subset of machines, with the Machine View showing all the possible information we have about a single machine.

4.1 Galaxy View

The Galaxy View provides an overall look at the entire network. The IP addresses of the machines are organized in a Cartesian plane, with the X-axis representing subnets and the Y-axis representing the host, so each point in the plane is one IP address. For instance, the point at coordinates (23, 47) would represent IP address Similarly, the point (100, 20) would represent the IP address (We also allow the user the option of changing the IP header to something other than ). The color of each machine represents the number of unique ports used by that machine to send and receive data. For instance, if the host with IP address transmitted and received data via ports 5, 12, 3456, and 90, it would have a count of 4. The binning legend on the bottom left of the Galaxy View shows the mapping of numbers to colors. In this case, 4 would fall in the second bin, 2-10, and thus would be colored grey.

The motivation behind this view is to provide a visual summary of the entire network so that a security engineer can quickly scan it to pick up problems. For instance, it is easy to observe some strong patterns of activity in Figure 2. It can be seen that many of the hosts with subnet values greater than 100 are not active. If, one day, some activity does occur in this range, a security engineer, upon a quick visual scan, can notice this fact and act appropriately. By providing a visualization, in one screen, of the entire network, the security engineer can quickly scan and make judgments about the state of the network.

NVisionIP provides two zooming facilities. One is a drill-down zoom, where a security engineer can choose a subset of machines and view them in the Small Multiple View. This will be described in more detail later on. In addition, NVisionIP provides a standard zooming option that magnifies the part of the Galaxy View underneath the zooming tool.

Filtering

NVisionIP has a filtering capability in the Galaxy View. Using this capability, the user can choose to display only those hosts that satisfy some criteria. Currently, the user can decide what ports/protocols the host must have used in order to be shown. For instance, suppose a security engineer has been informed of a worm that propagates itself via port 4456 on the host machine. The security engineer can then filter the Galaxy View so that only machines that have used port 4456 are shown.

4.2 Small Multiple View

Figure 3 shows the Small Multiple View, which provides a more detailed look at a subset of machines in the network. The main panel is organized as in the Galaxy View, with subnets on the X-axis and hosts on the Y-axis. Each machine in this view, though, is represented by two bar graphs. Both of these bar graphs show traffic (in terms of number of flows) over ports. The top bar graph shows the traffic for a certain set of special ports. Table 1 shows the initial special ports in NVisionIP. Each special port is assigned a unique color. The special ports can be seen on the left hand side of the view, in the legend. New special ports can be added using the Add button. The top bar chart shows the counts for only the special ports; the color of the bar indicates which port it is. The second (bottom) bar chart shows flow counts for the top 10 ports outside of the special ports. The ports between are colored blue, and the rest of the ports are colored black. Of course, the special ports are colored their respective colors. The colors can be changed using the Change Color button. Once again, in this view a security engineer can quickly scan the machines and pick out machines that are not behaving normally.

Table 1. Initial Special Ports in NVisionIP

PORT  DESCRIPTION
7     ECHO
21    FTP
22    SSH
23    TELNET
25    SMTP
37    TIME
42    NS
53    DNS
80    HTTP
88    KRB
143   IMAP

4.3 Machine View

Figure 4. The NVisionIP Machine View

The Machine View provides a detailed look at one machine in the network. To get the Machine View for a machine, the user simply chooses the machine from the Small Multiple View. The purpose of the Machine View is to provide all the information possible about the machine. To this end, the netflows used to generate all the visualizations are presented in the Machine View. The security engineers, at this point, require a look at the raw netflows used by NVisionIP. In addition to the raw netflows, we provide several different bar charts that emphasize different aspects of the data. Each of the bar charts shows a subset of ports on the x axis, and either flow count (the number of flows in which the port was present) or byte count (the number of bytes which the port transmitted/received). Each set of two charts follows the same style as in the Small Multiple View: the top bar chart shows counts for a set of special ports, and the bottom shows the counts for the rest of the ports. Among the bar charts that can be viewed are charts that show how many bytes were transferred by a port that has used the protocol TCP or UDP, the byte count for every port, and several other types of ports. Each of these bar charts can be accessed via the tabs at the top of the Machine View. As can be seen in Figure 4, there are three sets of bar charts in the Machine View. The top, and largest, set of bar charts shows the total traffic coming into and out of this machine. The bottom left hand bar chart shows the amount of traffic that the ports transmitted. The bottom right hand bar chart shows the amount of traffic that the ports received. The sum of the values from the left and right equals the values of the center chart.

5 User Evaluation

NVisionIP is currently being tested by the internal security engineers at NCSA. NVisionIP was developed with security in mind, so it is useful for detecting security incidents. NVisionIP can help in several ways:

Worm Infection. Many types of worms spread by probing for other hosts to infect. For instance, the Slammer worm sent 376-byte packets to UDP port 1434 of random hosts in an attempt to propagate [6]. A security engineer could filter the Galaxy View to show only hosts that have flows with destination port 1434 transmitted using UDP. Once identified, the security engineer can alert the system administrators of the hosts and inform them of the worm.

Compromised Systems. Many times, when a host is compromised, the attacker will install software that allows remote access to the machine. In this way, compromised hosts can act as file servers, allowing illegal software to be copied from the host. NVisionIP can aid in the detection of such hosts because the hosts will suddenly have a large amount of traffic originating from them. These machines will be displayed in red in the Galaxy View, and thus be easily spotted by the security engineer. In addition, once the security engineer drills down on these machines, they can see which ports have been used, and whether the port usage is anomalous for that machine.

Port Scans. Port scans are easily detectable using NVisionIP. If one host is targeted, and all its ports scanned, then that host should turn red in the Galaxy View. If the attacker
scans a series of machines on a particular subnet, this can show up as a line in the Galaxy View. Figure 5 illustrates this type of scan in NVisionIP.

Figure 5. Port Scan activity in NVisionIP

6 Conclusions and Future Work

In the future, we plan to incorporate into the Galaxy View the ability to compare the state of the network at two different moments in time. The security engineer can save the Galaxy View of a period of time in which they deem the network traffic to be normal, and then compare subsequent states against this normal version. Current research in anomaly and misuse detection can be incorporated within NVisionIP as well. Instead of just showing information about the host based on netflows, we could incorporate information taken from Intrusion Detection Systems and anomaly detection algorithms running on various hosts/servers. NVisionIP can also provide insights into the security process. By monitoring NVisionIP while security engineers are using it, it could be possible to generate automatic rules derived from how the security engineers use NVisionIP.

Securing and preventing attacks on computer networks is a difficult endeavor, made harder by the large amount of information a security engineer must wade through. Although there is work on automatically looking for attacks, the work is not general, scalable, or efficient enough. NVisionIP provides a visualization of network information, allowing a human security engineer to utilize their background knowledge and generalization abilities while letting the machine handle the brute force task of visualization and data gathering. By bringing together the best parts of man and machine, NVisionIP allows a security engineer to focus on what is important: finding and detecting security incidents on the network.

References

[1] Argus metrics. Web page, Mar. http://
[2] Martin Dodge and Rob Kitchin. Atlas of Cyberspace. Addison Wesley, Harlow, England.
[3] Gene H. Kim and Eugene H. Spafford. The design and implementation of Tripwire: a file system integrity checker. In Proceedings of the 2nd ACM Conference on Computer and Communications Security. ACM Press.
[4] Stephen Lau. The spinning cube of potential doom. Communications of the ACM, 47(6):25-26, Jun.
[5] Ben Shneiderman. The eyes have it: A task by data type taxonomy for information visualizations. In Proceedings of the 1996 IEEE Symposium on Visual Languages, page 336.
[6] CERT Advisory CA MS-SQL Server Worm. Web page, Jan. org/advisories/ca html.
[7] Snort: The open source network intrusion detection system. Web page, Jun. snort.org.
[8] Cisco Systems. Cisco IOS NetFlow Technology. Web page, Jul. public/cc/pd/iosw/prodlit/iosnf_ds.h%tm.
[9] Soon Tee Teoh, Kwan-Liu Ma, S. Felix Wu, and Xiaoliang Zhao. Case study: Interactive visualization for internet security. In IEEE Visualization.
[10] Edward R. Tufte. The Visual Display of Quantitative Information. Graphics Press, P.O. Box 430, Cheshire, CT 06410, second edition, Jan.
[11] William Yurcik, Yifan Li, James Barlow, Kiran Lakkaraju, Xiaoxin Yin, and Cristina Abad. Scalable data-centric processing of netflows for security monitoring. In review, Proceedings of the ACM SIGCOMM Internet Measurement Conference, 2004.

Figure 2. The NVisionIP user interface (with magnifier activated in Galaxy View)

Figure 3. The NVisionIP Small Multiple View
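The Galaxy View bookkeeping of Section 4.1 (subnet/host coordinates, unique-port counts with the binning legend, port/protocol filtering) and the scan pattern of Section 5 (one source drawing a line across a subnet), as an added example that is not code from the paper or from NVisionIP. The Class B prefix "10.20", every address and flow record, and all legend bins other than the 2-10 grey bin named in the paper are assumptions made for this example.

```python
# Added example (not code from the NVisionIP paper or project): the Galaxy View
# bookkeeping of Sections 4.1 and 5 run over constructed NetFlow-like records.
# The Class B prefix "10.20", every address, and all legend bins except the
# "2-10 -> grey" bin named in the paper are assumptions made for this example.
from collections import defaultdict

# Constructed sample flows: (protocol, source IP, source port, dest IP, dest port).
SAMPLE_FLOWS = [
    ("tcp", "10.20.23.47", 51000, "198.51.100.5", 22),    # outbound ssh
    ("tcp", "10.20.23.47", 51001, "198.51.100.5", 80),    # outbound http
    ("udp", "10.20.23.47", 53000, "198.51.100.8", 53),    # outbound dns
    ("tcp", "198.51.100.20", 40000, "10.20.23.47", 22),   # inbound ssh
    ("udp", "203.0.113.7", 1234, "10.20.100.20", 1434),   # UDP/1434 probe (Section 5)
] + [
    # one outside source reaching six hosts of subnet 5 on port 22: the
    # "line in the Galaxy View" that Section 5 describes for a scan
    ("tcp", "203.0.113.9", 4000 + h, f"10.20.5.{h}", 22) for h in range(1, 7)
]

# Binning legend as (low, high, colour). Only the 2-10 -> grey bin comes from
# the paper; the remaining bins are assumed for illustration.
LEGEND = [(0, 1, "white"), (2, 10, "grey"), (11, 100, "yellow"), (101, 65536, "red")]


def galaxy_coords(ip, prefix):
    """Map an address of the monitored Class B network to (subnet, host): the
    X/Y position of its square in the Galaxy View. Other addresses give None."""
    first, second, subnet, host = ip.split(".")
    if f"{first}.{second}" != prefix:
        return None
    return int(subnet), int(host)


def host_ports(flows, prefix):
    """For each internal host, the set of its own ports used to send or
    receive data, which is the quantity the Galaxy View colours by."""
    ports = defaultdict(set)
    for _, src, sport, dst, dport in flows:
        if galaxy_coords(src, prefix) is not None:
            ports[src].add(sport)
        if galaxy_coords(dst, prefix) is not None:
            ports[dst].add(dport)
    return ports


def bin_color(count, legend=LEGEND):
    """Look the unique-port count up in the legend (4 falls in 2-10 -> grey)."""
    for low, high, color in legend:
        if low <= count <= high:
            return color
    return legend[-1][2]


def galaxy_cells(flows, prefix, legend=LEGEND):
    """(subnet, host) -> colour for every internal host with traffic."""
    return {galaxy_coords(ip, prefix): bin_color(len(p), legend)
            for ip, p in host_ports(flows, prefix).items()}


def filter_hosts(flows, prefix, port, proto=None):
    """Section 4.1 filtering: internal hosts that used `port`, optionally only
    under `proto`, e.g. port 1434 over UDP for the Slammer case in Section 5."""
    hosts = set()
    for p, src, sport, dst, dport in flows:
        if proto is not None and p != proto:
            continue
        if sport == port and galaxy_coords(src, prefix) is not None:
            hosts.add(src)
        if dport == port and galaxy_coords(dst, prefix) is not None:
            hosts.add(dst)
    return hosts


def scan_lines(flows, prefix, min_hosts=5):
    """Section 5 scan pattern: one outside source contacting many hosts on the
    same subnet draws a line in the Galaxy View. Returns
    {(source, subnet): sorted host octets} for sources at or above min_hosts."""
    targets = defaultdict(set)
    for _, src, _, dst, _ in flows:
        xy = galaxy_coords(dst, prefix)
        if xy is not None and galaxy_coords(src, prefix) is None:
            targets[(src, xy[0])].add(xy[1])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for xy, color in sorted(galaxy_cells(SAMPLE_FLOWS, "10.20").items()):
        print(xy, color)
    print("UDP/1434 hosts:", filter_hosts(SAMPLE_FLOWS, "10.20", 1434, "udp"))
    print("scan lines:", scan_lines(SAMPLE_FLOWS, "10.20"))
```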


More information

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior

More information

Security visualisation

Security visualisation Security visualisation This thesis provides a guideline of how to generate a visual representation of a given dataset and use visualisation in the evaluation of known security vulnerabilities by Marco

More information

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT Roopa K. Panduranga Rao MV Dept of CS and Engg., Dept of IS and Engg., J.N.N College of Engineering, J.N.N College of Engineering,

More information

Second-generation (GenII) honeypots

Second-generation (GenII) honeypots Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they

More information

Flow-based detection of RDP brute-force attacks

Flow-based detection of RDP brute-force attacks Flow-based detection of RDP brute-force attacks Martin Vizváry vizvary@ics.muni.cz Institute of Computer Science Masaryk University Brno, Czech Republic Jan Vykopal vykopal@ics.muni.cz Institute of Computer

More information

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12 Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984

More information

Router Attacks-Detection And Defense Mechanisms

Router Attacks-Detection And Defense Mechanisms Router Attacks-Detection And Defense Mechanisms Saili Waichal, B.B.Meshram Abstract: Router is one of the most important components of any network. Their main aim is taking routing decision to forward

More information

A Software Tool for Multi-Field Multi-Level NetFlows Anonymization. University of Texas at Dallas

A Software Tool for Multi-Field Multi-Level NetFlows Anonymization. University of Texas at Dallas A Software Tool for Multi-Field Multi-Level NetFlows Anonymization William Yurcik Clay Woolam, Latifur Khan, Bhavani Thuraisingham University of Texas at Dallas

More information

Flow Based Traffic Analysis

Flow Based Traffic Analysis Flow based Traffic Analysis Muraleedharan N C-DAC Bangalore Electronics City murali@ncb.ernet.in Challenges in Packet level traffic Analysis Network traffic grows in volume and complexity Capture and decode

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

EXPLORER. TFT Filter CONFIGURATION

EXPLORER. TFT Filter CONFIGURATION EXPLORER TFT Filter Configuration Page 1 of 9 EXPLORER TFT Filter CONFIGURATION Thrane & Thrane Author: HenrikMøller Rev. PA4 Page 1 6/15/2006 EXPLORER TFT Filter Configuration Page 2 of 9 1 Table of Content

More information

Science Park Research Journal

Science Park Research Journal 2321-8045 Science Park Research Journal Original Article th INTRUSION DETECTION SYSTEM An Approach for Finding Attacks Ashutosh Kumar and Mayank Kumar Mittra ABSTRACT Traditionally firewalls are used to

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security

More information

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring Volume 4, Issue 8, August 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Investigate the

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

Network Monitoring and Management NetFlow Overview

Network Monitoring and Management NetFlow Overview Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

Flexible Web Visualization for Alert-Based Network Security Analytics

Flexible Web Visualization for Alert-Based Network Security Analytics Flexible Web Visualization for Alert-Based Network Security Analytics Lihua Hao 1, Christopher G. Healey 1, Steve E. Hutchinson 2 1 North Carolina State University, 2 U.S. Army Research Laboratory lhao2@ncsu.edu

More information

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Best Practices for NetFlow/IPFIX Analysis and Reporting

Best Practices for NetFlow/IPFIX Analysis and Reporting WHITEPAPER Best Practices for NetFlow/IPFIX Analysis and Reporting IT managers and network administrators are constantly making decisions affecting critical business activity on the network. Management

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Intrusion Forecasting Framework for Early Warning System against Cyber Attack

Intrusion Forecasting Framework for Early Warning System against Cyber Attack Intrusion Forecasting Framework for Early Warning System against Cyber Attack Sehun Kim KAIST, Korea Honorary President of KIISC Contents 1 Recent Cyber Attacks 2 Early Warning System 3 Intrusion Forecasting

More information

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC) james@cert.org.tw Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Introduction Related Studies Overview SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring

More information

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013 CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

Multi-Homing Dual WAN Firewall Router

Multi-Homing Dual WAN Firewall Router Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

Network Incident Report

Network Incident Report To submit copies of this form via facsimile, please FAX to 202-406-9233. Network Incident Report United States Secret Service Financial Crimes Division Electronic Crimes Branch Telephone: 202-406-5850

More information

Assets, Groups & Networks

Assets, Groups & Networks Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

Transformation of honeypot raw data into structured data

Transformation of honeypot raw data into structured data Transformation of honeypot raw data into structured data 1 Majed SANAN, Mahmoud RAMMAL 2,Wassim RAMMAL 3 1 Lebanese University, Faculty of Sciences. 2 Lebanese University, Director of center of Research

More information

Network Monitoring Tool to Identify Malware Infected Computers

Network Monitoring Tool to Identify Malware Infected Computers Network Monitoring Tool to Identify Malware Infected Computers Navpreet Singh Principal Computer Engineer Computer Centre, Indian Institute of Technology Kanpur, India navi@iitk.ac.in Megha Jain, Payas

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

Exercise 7 Network Forensics

Exercise 7 Network Forensics Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:

More information

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses. Lab Exercise DNS Objective DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses. Step 1: Analyse the supplied DNS Trace Here we examine the supplied trace of a

More information

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda

More information

How To Protect A Network From Attack From A Hacker (Hbss)

How To Protect A Network From Attack From A Hacker (Hbss) Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Network & Agent Based Intrusion Detection Systems

Network & Agent Based Intrusion Detection Systems Network & Agent Based Intrusion Detection Systems Hakan Albag TU Munich, Dep. of Computer Science Exchange Student Istanbul Tech. Uni., Dep. Of Comp. Engineering Abstract. The following document is focused

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information

Fuzzy Network Profiling for Intrusion Detection

Fuzzy Network Profiling for Intrusion Detection Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University

More information

Securing the system using honeypot in cloud computing environment

Securing the system using honeypot in cloud computing environment Volume: 2, Issue: 4, 172-176 April 2015 www.allsubjectjournal.com e-issn: 2349-4182 p-issn: 2349-5979 Impact Factor: 3.762 M. Phil Research Scholar, Department of Computer Science Vivekanandha College

More information

Classic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1

Classic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1 Classic IOS Firewall using CBACs 2012 Cisco and/or its affiliates. All rights reserved. 1 Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone based firewalls,

More information

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION Kleissner & Associates Botconf 14, 3-5 Dec 2014, Nancy/France Worlds largest botnet monitoring system Since September 2012 Originally

More information

VisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness

VisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness VisFlowConnect: NetFlow Visualizations of Link Relationships for Security Situational Awareness Xiaoxin Yin National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign

More information

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01 How to build and use a Honeypot By Ralph Edward Sutton, Jr DTEC 6873 Section 01 Abstract Everybody has gotten hacked one way or another when dealing with computers. When I ran across the idea of a honeypot

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

Using IPM to Measure Network Performance

Using IPM to Measure Network Performance CHAPTER 3 Using IPM to Measure Network Performance This chapter provides details on using IPM to measure latency, jitter, availability, packet loss, and errors. It includes the following sections: Measuring

More information

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help Plugging Network Security Holes using NetFlow Loopholes in todays network security solutions and how NetFlow can help About ManageEngine Network Servers & Applications Desktop ServiceDesk Windows Infrastructure

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0

Datasheet. Cover. Datasheet. (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0 Cover Datasheet Datasheet (Enterprise Edition) Copyright 2015 Colasoft LLC. All rights reserved. 0 Colasoft Capsa Enterprise enables you to: Identify the root cause of performance issues; Provide 24/7

More information

An Adaptable Innovative Visualization For Multiple Levels of Users

An Adaptable Innovative Visualization For Multiple Levels of Users World Applied Sciences Journal 15 (5): 722-727, 2011 ISSN 1818-4952 IDOSI Publications, 2011 An Adaptable Innovative Visualization For Multiple Levels of Users Doris Hooi-Ten Wong and Sureswaran Ramadass

More information

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

Network Security In Linux: Scanning and Hacking

Network Security In Linux: Scanning and Hacking Network Security In Linux: Scanning and Hacking Review Lex A lexical analyzer that tokenizes an input text. Yacc A parser that parses and acts based on defined grammar rules involving tokens. How to compile

More information

Cover. White Paper. (nchronos 4.1)

Cover. White Paper. (nchronos 4.1) Cover White Paper (nchronos 4.1) Copyright Copyright 2013 Colasoft LLC. All rights reserved. Information in this document is subject to change without notice. No part of this document may be reproduced

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network

Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 21, 571-578 (2005) Short Paper Detect and Notify Abnormal SMTP Traffic and Email Spam over Aggregate Network Department of Computer Science and Information

More information

Integrated Traffic Monitoring

Integrated Traffic Monitoring 61202880L1-29.1F November 2009 Configuration Guide This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. Including an overview of

More information

Network Monitoring Using Traffic Dispersion Graphs (TDGs)

Network Monitoring Using Traffic Dispersion Graphs (TDGs) Network Monitoring Using Traffic Dispersion Graphs (TDGs) Marios Iliofotou Joint work with: Prashanth Pappu (Cisco), Michalis Faloutsos (UCR), M. Mitzenmacher (Harvard), Sumeet Singh(Cisco) and George

More information

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1 Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology Project Proposal 1 Project Proposal 2 Abstract Honeypot systems are readily used by organizations large and

More information

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...

More information

Interactive Visualization for Network and Port Scan Detection

Interactive Visualization for Network and Port Scan Detection Interactive Visualization for Network and Port Scan Detection Chris Muelder 1, Kwan-Liu Ma 1, and Tony Bartoletti 2 1 University of California, Davis 2 Lawrence Livermore National Laboratory Abstract.

More information

Security Event Management. February 7, 2007 (Revision 5)

Security Event Management. February 7, 2007 (Revision 5) Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST

More information

Monitor network traffic in the Dashboard tab

Monitor network traffic in the Dashboard tab As a network analyzer (aka. packet sniffer & protocol analyzer), Capsa makes it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network

More information

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces Measurement of the Usage of Several Secure Internet Protocols from Internet Traces Yunfeng Fei, John Jones, Kyriakos Lakkas, Yuhong Zheng Abstract: In recent years many common applications have been modified

More information