NVisionIP: NetFlow Visualizations of System State for Security Situational Awareness (2004)
Cited by 79 (9 self)
The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analyst's situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.
Finding peer-to-peer file-sharing using coarse network behaviors. In Proceedings of the 11th European Symposium on Research in Computer Security, 2006
Cited by 29 (10 self)
A user who wants to use a service forbidden by their site’s usage policy can masquerade their packets in order to evade detection. One masquerade technique sends prohibited traffic on TCP ports commonly used by permitted services, such as port 80. Users who hide their traffic in this way pose a special challenge, since filtering by port number risks interfering with legitimate services using the same port. We propose a set of tests for identifying masqueraded peer-to-peer file-sharing based on traffic summaries (flows). Our approach is based on the hypothesis that these applications have observable behavior that can be differentiated without relying on deep packet examination. We develop tests for these behaviors that, when combined, provide an accurate method for identifying these masqueraded services without relying on payload or port number. We test this approach by demonstrating that our integrated detection mechanism can identify BitTorrent with a 72% true positive rate and virtually no observed false positives in control services (FTP-Data, HTTP, SMTP).
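The abstract above argues that masqueraded file-sharing can be told apart from real web traffic using flow summaries alone. The following is an added example, not the paper's code, and the three tests it applies (a host acting as both client and server on the borrowed port, roughly symmetric upload/download volume, and a large peer set) are this example's own heuristics rather than the tests the paper defines. The flow record layout, the thresholds, the host addresses and the sample flows are all constructed for the illustration.

```python
"""Behavioural tests for peer-to-peer traffic hiding on TCP port 80.

Added example (not the paper's code). Works on unidirectional flow summaries
with no payload: a file-sharing client using port 80 tends to act as both
client and server on that port, to move roughly as many bytes up as down and
to talk to many peers. A browser or a web server shows one role only and a
strongly asymmetric byte ratio. The tests and thresholds are assumptions.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport bytes")  # one direction per record

SERVICE_PORT = 80  # the permitted service whose port is being borrowed
INTERNAL_HOSTS = ["10.0.0.10", "10.0.0.20", "10.0.0.30"]  # constructed


def host_profile(host, flows, port=SERVICE_PORT):
    """Peers seen in each role on `port`, plus bytes sent and received on it."""
    as_server, as_client = set(), set()
    up = down = 0
    for f in flows:
        if port not in (f.sport, f.dport):
            continue
        if f.src == host:
            up += f.bytes
            if f.dport == port:          # host opened a connection to remote:port
                as_client.add(f.dst)
        elif f.dst == host:
            down += f.bytes
            if f.dport == port:          # remote opened a connection to host:port
                as_server.add(f.src)
    return as_server, as_client, up, down


def p2p_score(host, flows, min_role_peers=3, min_peers=10, symmetry=0.5):
    """Number of behavioural tests (0..3) the host trips on the service port."""
    as_server, as_client, up, down = host_profile(host, flows)
    tests = [
        len(as_server) >= min_role_peers and len(as_client) >= min_role_peers,  # both roles
        max(up, down) > 0 and min(up, down) / max(up, down) >= symmetry,         # symmetric bytes
        len(as_server | as_client) >= min_peers,                                 # many peers
    ]
    return sum(tests)


def masqueraded_hosts(hosts, flows, min_tests=2):
    """Hosts that trip at least `min_tests` of the tests (combined verdict)."""
    return sorted(h for h in hosts if p2p_score(h, flows) >= min_tests)


def sample_flows():
    """Constructed flow records, not real traffic."""
    flows = []
    bt = "10.0.0.10"                      # file-sharing client hiding on port 80
    for i in range(12):
        peer = f"198.51.100.{i + 1}"
        if i < 6:                         # inbound peers connect to bt:80
            flows.append(Flow(peer, 50000 + i, bt, 80, 300000))
            flows.append(Flow(bt, 80, peer, 50000 + i, 280000))
        else:                             # bt connects out to peer:80
            flows.append(Flow(bt, 40000 + i, peer, 80, 280000))
            flows.append(Flow(peer, 80, bt, 40000 + i, 300000))
    browser = "10.0.0.20"                 # ordinary web client: small requests, big responses
    for i in range(5):
        srv = f"192.0.2.{i + 1}"
        flows.append(Flow(browser, 51000 + i, srv, 80, 2000))
        flows.append(Flow(srv, 80, browser, 51000 + i, 200000))
    web = "10.0.0.30"                     # ordinary web server: many clients, upload-heavy
    for i in range(12):
        client = f"203.0.113.{i + 1}"
        flows.append(Flow(client, 52000 + i, web, 80, 1500))
        flows.append(Flow(web, 80, client, 52000 + i, 150000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for h in INTERNAL_HOSTS:
        print(h, "tests tripped:", p2p_score(h, flows))
    print("flagged:", masqueraded_hosts(INTERNAL_HOSTS, flows))
```

The point of combining tests is the one the abstract makes: a busy web server trips the "many peers" test on its own, and a browser trips none, so neither is flagged, while the host that both serves and fetches on port 80 with symmetric volume is.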
On Web Browsing Privacy in Anonymized NetFlows (2007)
Cited by 28 (3 self)
Anonymization of network traces is widely viewed as a necessary condition for releasing such data for research purposes. For obvious privacy reasons, an important goal of trace anonymization is to suppress the recovery of web browsing activities. While several studies have examined the possibility of reconstructing web browsing activities from anonymized packet-level traces, we argue that these approaches fail to account for a number of challenges inherent in real-world network traffic, and more so, are unlikely to be successful on coarser NetFlow logs. By contrast, we develop new approaches that identify target web pages within anonymized NetFlow data, and address many real-world challenges, such as browser caching and session parsing. We evaluate the effectiveness of our techniques in identifying front pages from the 50 most popular web sites on the Internet (as ranked by alexa.com), in both a closed-world experiment similar to that of earlier work and in tests with real network flow logs. Our results show that certain types of web pages with unique and complex structure remain identifiable despite the use of state-of-the-art anonymization techniques. The concerns raised herein pose a threat to web browsing privacy insofar as the attacker can approximate the web browsing conditions represented in the flow logs.
PlanetFlow: Maintaining Accountability for Network Services. In Operating Systems Review, 2006
Cited by 22 (6 self)
PlanetFlow is a network auditing service that maintains comprehensive, permanent accountability for all traffic generated by PlanetLab services, in accordance with common Internet practice and the terms of the PlanetLab Acceptable Use Policy. PlanetFlow audits the usage of PlanetLab network resources in order to facilitate the resolution of complaints, limit liability, and minimize problematic behavior. The current implementation of PlanetFlow consists of a low overhead flow classifier, an autonomously managed distributed database, and a publicly accessible Web interface. PlanetFlow currently processes up to 4 TB of generated traffic per day, and incurs negligible CPU and storage overhead.
Accelerating network traffic analytics using query-driven visualization. In: IEEE Symposium On Visual Analytics Science And Technology, 2006
Cited by 5 (0 self)
Realizing operational analytics solutions where large and complex data must be analyzed in a time-critical fashion entails integrating many different types of technology. This paper focuses on an interdisciplinary combination of scientific data management and visualization/analysis technologies targeted at reducing the time required for data filtering, querying, hypothesis testing and knowledge discovery in the domain of network connection data analysis. We show that use of compressed bitmap indexing can quickly answer queries in an interactive visual data analysis application, and compare its performance with two alternatives for serial and parallel filtering/querying on 2.5 billion records' worth of network connection data collected over a period of 42 weeks. Our approach to visual network connection data exploration centers on two primary factors: interactive ad-hoc and multiresolution query formulation and execution over n dimensions and visual display of the n-dimensional histogram results. This combination is applied in a case study to detect a distributed network scan and to then identify the set of remote hosts participating in the attack. Our approach is sufficiently general to be applied to a diverse set of data understanding problems as well as used in conjunction with a diverse set of analysis and visualization tools.
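The case study in the abstract above (find a distributed scan, then list the remote hosts taking part) comes down to an n-dimensional histogram over flow records. The following is an added example, not the paper's code and not its bitmap index: it builds the histogram in plain dictionaries over constructed flow records, keyed by destination port and source address, and reports the ports on which many distinct external sources each probe many distinct internal hosts with tiny flows. The monitored address range, the thresholds and the sample flows are assumptions.

```python
"""Distributed scan detection from a (dport, src) -> {dst} histogram.

Added example, not the paper's implementation. A distributed scan shows up as
many external sources that each touch many internal destinations on one port
with one- or two-packet flows (no completed session). Thresholds, address
ranges and sample records are assumptions made for the illustration.
"""
from collections import defaultdict, namedtuple
import ipaddress

Flow = namedtuple("Flow", "src dst dport proto packets bytes")

INTERNAL = ipaddress.ip_network("10.1.0.0/16")  # assumed monitored address space


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def histogram(flows, max_packets=2):
    """Bucket inbound probe-sized flows: dport -> src -> set of distinct dsts."""
    hist = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if is_internal(f.src) or not is_internal(f.dst):
            continue                       # only external -> internal
        if f.packets > max_packets:
            continue                       # real sessions carry more packets
        hist[f.dport][f.src].add(f.dst)
    return hist


def distributed_scans(flows, min_sources=5, min_targets_per_source=3, max_packets=2):
    """dport -> sorted list of external sources that took part in a distributed scan."""
    result = {}
    for dport, by_src in histogram(flows, max_packets).items():
        sources = sorted(src for src, dsts in by_src.items()
                         if len(dsts) >= min_targets_per_source)
        if len(sources) >= min_sources:
            result[dport] = sources
    return result


def sample_flows():
    """Constructed flow records, not real data."""
    flows = []
    # distributed scan: 8 external sources each probe 4 internal hosts on TCP/22
    for i in range(8):
        src = f"203.0.113.{10 + i}"
        for j in range(4):
            flows.append(Flow(src, f"10.1.{i}.{j + 1}", 22, 6, 1, 44))
    # legitimate HTTPS sessions to an internal server (many packets, ignored)
    for i in range(6):
        flows.append(Flow(f"198.51.100.{i + 1}", "10.1.0.5", 443, 6, 120, 90000))
    # one source sweeping ports on a single target: a scan, but not a distributed one
    for port in (21, 23, 25, 80, 110):
        flows.append(Flow("192.0.2.7", "10.1.0.9", port, 6, 1, 44))
    return flows


if __name__ == "__main__":
    for port, srcs in distributed_scans(sample_flows()).items():
        print(f"TCP/{port}: {len(srcs)} coordinated sources: {', '.join(srcs)}")
```

The single-source port sweep in the sample is deliberately left out of the result: it needs a different slice of the same histogram (one source, many ports), which is exactly the kind of ad-hoc re-query the abstract's interactive approach is built for.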
Collection and Exploration of Large Data Monitoring Sets Using Bitmap Databases
Cited by 5 (2 self)
Collecting and exploring monitoring data is becoming increasingly challenging as networks become larger and faster. Solutions based on both SQL-databases and specialized binary formats do not scale well as the amount of monitoring information increases. This paper presents a novel approach to the problem by using a bitmap database that allowed the authors to implement an efficient solution for both data collection and retrieval. The validation process on production networks has demonstrated the advantage of the proposed solution over traditional approaches. This makes it suitable for efficiently handling and interactively exploring large data monitoring sets. Keywords: NetFlow, Flow Collection, Bitmap Databases.
Design of a stream-based IP flow record query language. In DSOM ’09: Proceedings of the 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management, 2009
Cited by 4 (2 self)
Analyzing Internet traffic has become an important and challenging task. NetFlow/IPFIX flow records are widely used to provide a summary of the Internet traffic carried on a link or forwarded by a router. Several tools exist to filter or to search for specific flows in a collection of flow records, however the filtering or query languages that these tools use have limited capabilities when it comes to describing more complex network activity. This paper proposes a framework and a new stream-based flow record query language, which allows certain types of traffic patterns to be defined and matched in a collection of flow records. The usage of the proposed new language is exemplified by constructing a query identifying the Blaster.A worm.
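The abstract's point is that a per-flow filter cannot express "flow B follows flow A between the same hosts"; a pattern over the stream can. The following is an added example and not the paper's language or query: it matches an ordered multi-step pattern across a time-sorted flow stream, keeping one partial match per (attacker, victim) pair and expiring it after a window. The three-step sequence encoded here (RPC exploit on TCP/135, command shell on TCP/4444, then the victim fetching the payload over TFTP on UDP/69 from the infecting host) is the commonly documented Blaster.A behaviour and is an assumption of this example; the paper's actual query is not reproduced on the page. Record layout, window and sample flows are constructed.

```python
"""Matching an ordered traffic pattern across a stream of flow records.

Added example, not the paper's query language. Each step is (proto, dport,
direction) where "fwd" means attacker -> victim and "rev" means victim ->
attacker; a match completes when all steps occur in order for the same pair
within `window` seconds. The Blaster.A sequence below is assumed from the
commonly documented worm behaviour, not taken from the paper.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")  # ts in seconds

TCP, UDP = 6, 17
BLASTER_STEPS = (
    (TCP, 135, "fwd"),   # RPC/DCOM exploit attempt
    (TCP, 4444, "fwd"),  # attacker connects to the shell the exploit bound
    (UDP, 69, "rev"),    # victim fetches the worm body over TFTP from the attacker
)


def step_matches(step, flow):
    proto, dport, _ = step
    return flow.proto == proto and flow.dport == dport


def pair_for(step, flow):
    """Orient a flow as (attacker, victim) according to the step's direction."""
    return (flow.src, flow.dst) if step[2] == "fwd" else (flow.dst, flow.src)


def match_sequence(flows, steps=BLASTER_STEPS, window=300):
    """Return [(attacker, victim, ts_first, ts_last)] for every completed pattern."""
    partial = {}   # (attacker, victim) -> [index of next expected step, ts of first step]
    matches = []
    for f in sorted(flows, key=lambda x: x.ts):
        # expire partial matches whose window has run out
        for pair in [p for p, (_, t0) in partial.items() if f.ts - t0 > window]:
            del partial[pair]
        # try to advance an existing partial match with a later step
        advanced = False
        for i, step in enumerate(steps):
            if i == 0 or not step_matches(step, f):
                continue
            pair = pair_for(step, f)
            state = partial.get(pair)
            if state and state[0] == i:
                if i + 1 == len(steps):
                    matches.append((pair[0], pair[1], state[1], f.ts))
                    del partial[pair]
                else:
                    state[0] = i + 1
                advanced = True
                break
        # otherwise a first-step flow opens a new partial match for its pair
        if not advanced and step_matches(steps[0], f):
            partial.setdefault(pair_for(steps[0], f), [1, f.ts])
    return matches


def sample_flows():
    """Constructed flow records, not real traffic."""
    a, b = "10.0.0.7", "10.0.0.23"          # infected host and its victim
    return [
        Flow(100, a, b, TCP, 135),
        Flow(101, a, "10.0.0.24", TCP, 135),            # scan hit that never progresses
        Flow(103, a, b, TCP, 4444),
        Flow(104, "10.0.0.50", "10.0.0.60", TCP, 4444),  # 4444 with no preceding 135
        Flow(106, b, a, UDP, 69),
        Flow(900, a, "10.0.0.31", TCP, 135),
        Flow(1300, a, "10.0.0.31", TCP, 4444),          # outside the window: no match
    ]


if __name__ == "__main__":
    for attacker, victim, t0, t1 in match_sequence(sample_flows()):
        print(f"{attacker} -> {victim}: full sequence between t={t0} and t={t1}")
```

Each step is found by port and protocol only, so on its own none of the three flows is suspicious; it is the ordering and the shared host pair that a stream query can express and a per-record filter cannot.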
Massive Scale Cyber Traffic Analysis: A Driver for Graph Database Research
Cited by 3 (2 self)
We consider cyber traffic analysis (TA) as a challenge problem for research in graph database systems. TA involves observing and analyzing connections between clients, servers, hosts, and actors within IP networks, over time, to detect suspicious patterns. Towards that end, NetFlow (or more generically, IPFLOW) data are available from routers and servers which summarize coherent groups of IP packets flowing through the network. The ability to cast IPFLOW data as a massive graph and query it interactively is potentially transformative for cybersecurity, but issues of scale and data complexity pose challenges for current technology. In this paper, we outline requirements and opportunities for graph-structured IPFLOW analytics based on our experience with real IPFLOW databases. We describe real use cases from the security domain, cast them as graph patterns, show how to express them in two graph-oriented query languages (SPARQL and Datalog), and use these examples to motivate a new class of “hybrid” graph-relational systems.
A Visualization Tool For Situational Awareness Of Tactical And Strategic Security Events On Large and Complex Computer Networks (2003)
Cited by 3 (0 self)
Situational awareness of the state of military computer networks is important for both tactical battlefield operations and strategic command-and-control networks. While there have been successful efforts to visualize the state of individual network infrastructure components (routers, links) using SNMP and other network management tools, these systems do not focus on security. Although there have been multiple research proposals, to our knowledge there have only been two realized systems which attempt to visualize security events. Assessing the overall security of a large and complex network is an open problem due to the multidimensional data space. We present a tool, NVisionIP, that makes a direct contribution to solving this open problem. NVisionIP is unique from existing systems in that it simultaneously visualizes multidimensional characteristics of individual computers as well as their relationship to network-wide security events in an entire Class B IP address space.