Network Monitoring On Large Networks - FIRST
TRANSCRIPT
![Page 2: Network Monitoring On Large Networks - FIRST - … Monitoring On Large Networks 2 Overview Introduction Related Studies SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools](https://reader035.vdocuments.mx/reader035/viewer/2022062600/5aaafac37f8b9a86188ebd1a/html5/thumbnails/2.jpg)
2
Overview
Introduction
Related Studies
SNMP-based Monitoring Tools
Packet-Sniffing Monitoring Tools
Flow-based Monitoring Tools
The Proposed Mechanism
Results
Conclusion
3
Introduction
Network security has become one of the most important issues on the Internet.
(Diagram: threats facing the Internet: DoS attacks, malicious probes, worms, intrusions.)
4
Real-time network traffic monitoring
Provides the status and the patterns of network traffic.
Provides signs of abnormal traffic and of potential problems.
Detects irregular activities. Identifies possible attacks. Responds to the situation in time. Preserves evidence of intrusions.
5
SNMP-based tools
Collector: collects SNMP data. Grapher: generates HTML output containing traffic-load images.
Provide a live, visual representation of network traffic and of traffic trends as time-series data.
Only provide information about the level of, and changes in, traffic volume (interface counters); they cannot say which hosts, protocols or ports make up that volume.
More detailed data is needed.
6
Packet-Sniffing tools
Capture the traffic packets. Decode the packet header fields. Dig into the packet for more detailed information.
Provide details on packet activity, but lack information on global network activity.
Lack high-level management support.
7
Problems
Timely analysis and storage of a large volume of data can be impractical.
Breakdown: the tools collapse when the traffic is too heavy to handle.
Tools: designed to detect individual events, not to monitor the overall network traffic condition.
8
Solutions
Develop a new network monitoring method and build a practical system.
Examine real-time network utilization statistics.
Look at traffic patterns. Perform early detection of worm propagation and DoS attacks.
9
Related Studies
SNMP-based tools (MRTG)
Packet-Sniffing tools (ntop)
Packet-Sniffing tools (IPAudit)
Flow-based tools (NetFlow)
10
SNMP-based tools (MRTG)
MRTG: Multi Router Traffic Grapher. Generates HTML pages including traffic statistics images, providing a live and visual representation of network traffic.
Keeps all collected data in a log. The log holds consolidated data covering the last two years, so it does not grow without limit.
Monitors network traffic and other dynamic information (any SNMP counter, not only interface octets).
11
Packet-Sniffing tools (ntop)
Captures packets and decodes them to show network usage.
Management: traffic measurement and monitoring, network optimization, network planning.
Database support: long-standing network monitoring and problem backtracking.
Reports: web mode, interactive command-line mode.
12
Packet-Sniffing tools (IPAudit)
Records the network activity on a network by host, protocol, and port.
Listens on the network device in promiscuous mode.
Monitors for intrusion detection, bandwidth consumption, and DoS attacks.
IPAudit-Web: web-based network reports.
13
Flow-based tools (NetFlow)
Network flow: a unidirectional sequence of packets between given source and destination network endpoints.
NetFlow: provides the measurements for flow-based network analysis.
A unique flow is identified by seven fields: source/destination IP, source/destination port, layer-3 protocol type, type of service, and input logical interface.
14
Flow Expired
A flow is expired from the router's cache, and exported, when any of the following holds:
It has been idle for a specified time (the inactive timeout).
It is long-lived: long-lived flows are expired too, by default after 30 minutes (the active timeout), so a long transfer shows up as several consecutive records.
The cache becomes full, and so heuristics are applied to age groups of flows to expire and export those flows.
The TCP connection associated with the flow has reached its end (FIN) or has been reset (RST).
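As an added example (not code from the presentation), the seven-field flow definition and the four expiry conditions above in a small Python flow cache: flows are keyed on the NetFlow seven-tuple, and every export records the reason the flow was cut. The 30-minute active timeout is the figure from the slide; the 15-second inactive timeout, the cache size and the eviction heuristic (least recently seen flow) are assumptions, and the traffic in `run_scenario` is constructed.

```python
"""A minimal NetFlow-style flow cache showing when a flow is expired and exported."""
from dataclasses import dataclass

PROTO_TCP = 6
TCP_FIN, TCP_RST = 0x01, 0x04
ACTIVE_TIMEOUT = 30 * 60   # long-lived flows are cut after 30 minutes (the default on the slide)
INACTIVE_TIMEOUT = 15      # idle cut-off in seconds; assumed here, the slide gives no figure
CACHE_LIMIT = 4            # deliberately tiny so that the "cache full" path is exercised


@dataclass
class Flow:
    key: tuple        # (src_ip, dst_ip, src_port, dst_port, proto, tos, input_if)
    first: float      # time of first packet
    last: float       # time of most recent packet
    packets: int = 0
    octets: int = 0
    flags: int = 0    # OR of all TCP flags seen in the flow


class FlowCache:
    def __init__(self):
        self.active = {}       # key -> Flow, insertion ordered
        self.exported = []     # (Flow, reason) in export order

    def _export(self, key, reason):
        self.exported.append((self.active.pop(key), reason))

    def expire(self, now):
        """Time-based expiry; run before each packet and periodically by the exporter."""
        for key, f in list(self.active.items()):
            if now - f.first >= ACTIVE_TIMEOUT:
                self._export(key, "active_timeout")
            elif now - f.last > INACTIVE_TIMEOUT:
                self._export(key, "inactive_timeout")

    def observe(self, now, key, length, flags=0):
        self.expire(now)
        f = self.active.get(key)
        if f is None:
            if len(self.active) >= CACHE_LIMIT:
                # Cache full: one simple aging heuristic, evict the least recently seen flow.
                victim = min(self.active, key=lambda k: self.active[k].last)
                self._export(victim, "cache_full")
            f = self.active[key] = Flow(key, now, now)
        f.last = now
        f.packets += 1
        f.octets += length
        f.flags |= flags
        if key[4] == PROTO_TCP and flags & (TCP_FIN | TCP_RST):
            self._export(key, "tcp_end")     # connection closed or reset: export at once


def run_scenario():
    """Constructed traffic that triggers every expiry condition; returns the export list."""
    c = FlowCache()
    ssh = ("10.0.0.1", "10.0.0.2", 40000, 22, PROTO_TCP, 0, 1)
    c.observe(0, ssh, 60)
    c.observe(10, ssh, 60)
    c.expire(20)                           # idle 10 s: still cached
    c.expire(30)                           # idle 20 s: inactive_timeout
    dns = ("10.0.0.1", "10.0.0.53", 53000, 53, 17, 0, 1)
    for t in range(100, 100 + ACTIVE_TIMEOUT + 30, 5):   # one packet every 5 s for over 30 min
        c.observe(t, dns, 80)              # active_timeout fires at t=1900, a fresh record continues
    web = ("10.0.0.9", "192.0.2.1", 50000, 80, PROTO_TCP, 0, 1)
    c.observe(2000, web, 500)              # the idle dns remainder is exported here
    c.observe(2001, web, 40, TCP_FIN)      # tcp_end
    for p in range(CACHE_LIMIT + 1):       # one flow more than the cache holds
        c.observe(3000 + p, ("10.0.0.7", "192.0.2.2", 60000 + p, 443, PROTO_TCP, 0, 1), 100)
    return c.exported


if __name__ == "__main__":
    for flow, reason in run_scenario():
        print(f"{reason:17} {flow.key[0]}->{flow.key[1]}:{flow.key[3]} "
              f"pkts={flow.packets} octets={flow.octets}")
```

Two things worth noticing for the monitoring side: a single long transfer arrives as several records that the analysis must add back together, and a burst of `cache_full` exports means the exporter is being overrun (a scan or flood creates thousands of one-packet flows), which is exactly the breakdown the Problems slide warns about.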
15
The Proposed Mechanism
(Architecture diagram with the components Collecting, Database, Statistic Analysis, Rule-based Analysis, Forensic Query and Abnormal Traffic Alert.)
16
Collecting Module
Captures the UDP packets (NetFlow export datagrams) and stores the NetFlow records. Rotates the records to disk for further analysis.
The records may occupy a large amount of space, so the disk size should be chosen carefully. A RAM disk accelerates the analysis.
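The collecting module receives NetFlow v5 export datagrams over UDP. As an added example (not the presenters' collector), a Python parser for that datagram format with the checks a collector should make before trusting a packet: the version and record count must match the datagram length, and a gap in `flow_sequence` reveals lost datagrams, which matters because UDP export gives no retransmission and a lost datagram is lost evidence. The field layout is the NetFlow v5 format; the two sample datagrams, addresses and timestamps are constructed.

```python
"""Collector-side parsing of NetFlow v5 export datagrams (the UDP packets a router sends)."""
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct(">HHIIIIBBH")                  # 24-byte v5 header
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte v5 flow record
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)
MAX_RECORDS = 30   # a v5 datagram never carries more than 30 records


def parse_netflow_v5(datagram):
    """Return (header dict, list of record dicts); reject anything that is not a well-formed v5 export."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime_ms, secs, nsecs, seq, etype, eid, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    export_time = secs + nsecs / 1e9
    header = {"count": count, "sequence": seq, "engine": (etype, eid),
              "sampling_interval": sampling & 0x3FFF, "export_time": export_time}
    records = []
    for i in range(count):
        rec = dict(zip(RECORD_FIELDS, RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)))
        for field in ("srcaddr", "dstaddr", "nexthop"):
            rec[field] = str(IPv4Address(rec[field]))
        # first/last are router uptime in ms; anchor them to wall-clock time via the header
        rec["start"] = export_time - (uptime_ms - rec["first"]) / 1000.0
        rec["end"] = export_time - (uptime_ms - rec["last"]) / 1000.0
        records.append(rec)
    return header, records


def flow_key(rec):
    """The seven fields that define a unique NetFlow v5 flow."""
    return (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"],
            rec["prot"], rec["tos"], rec["input"])


class SequenceTracker:
    """Detect lost export datagrams: flow_sequence counts records sent, so the next
    datagram's sequence should equal the previous sequence plus its record count."""
    def __init__(self):
        self.expected = None
        self.lost = 0

    def check(self, header):
        if self.expected is not None and header["sequence"] != self.expected:
            self.lost += header["sequence"] - self.expected
        self.expected = header["sequence"] + header["count"]
        return self.lost


def build_datagram(seq, uptime_ms, secs, flows):
    """Constructed test vector: pack records the way an exporter would."""
    body = b"".join(RECORD.pack(
        IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0", 3, 5,
        pkts, octets, uptime_ms - 5000, uptime_ms - 1000, sport, dport,
        0, flags, proto, 0, 0, 0, 24, 24, 0)
        for (src, dst, sport, dport, proto, flags, pkts, octets) in flows)
    return HEADER.pack(5, len(flows), uptime_ms, secs, 0, seq, 0, 0, 0) + body


# Two constructed exports; the second's sequence number skips 2 records, as after UDP loss.
SAMPLE_1 = build_datagram(100, 60_000, 1_700_000_000, [
    ("10.1.2.3", "192.0.2.10", 40123, 22, 6, 0x02, 1, 60),   # lone SYN to ssh
    ("10.1.2.3", "192.0.2.11", 40124, 22, 6, 0x02, 1, 60),
])
SAMPLE_2 = build_datagram(104, 61_000, 1_700_000_001, [
    ("10.1.2.9", "192.0.2.10", 53001, 53, 17, 0, 2, 160),
])


def demo():
    """Parse both samples in order and report the running count of lost records."""
    tracker = SequenceTracker()
    out = []
    for dg in (SAMPLE_1, SAMPLE_2):
        hdr, recs = parse_netflow_v5(dg)
        out.append((hdr, [flow_key(r) for r in recs], tracker.check(hdr)))
    return out


if __name__ == "__main__":
    for hdr, keys, lost in demo():
        print(f"seq={hdr['sequence']} count={hdr['count']} lost_so_far={lost}")
        for k in keys:
            print("  ", k)
```

A real collector wraps `parse_netflow_v5` around a `socket.recvfrom` loop on the export port and appends the parsed records to the current rotation file; the sequence gap count belongs in the monitoring output, since a collector that silently drops records under load reproduces the very breakdown the system is meant to avoid.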
17
Statistic Analysis Module
Examines each flow and maintains counts of the attribute values (protocol, port, address).
Summarizes the statistics and stores them in the database.
The information is shown as visual graphs on web pages.
The summarized information should be plotted in separate graphs, one per attribute value, rather than in one aggregated graph.
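As an added example (not the presenters' code), a Python sketch of the statistic analysis module that counts attribute values per time bin, together with a check that shows why the separate graphs are the right choice: a burst of ssh flows from one host is a few percent of the aggregate series and invisible there, but twenty times the baseline in the per-port series. The constructed traffic mix, the 5-minute bin and the "three times the median" spike test are assumptions.

```python
"""Per-interval flow statistics, and why separate per-value graphs beat one aggregated graph."""
from collections import Counter, defaultdict
from statistics import median

INTERVAL = 300   # seconds per bin; 5-minute bins are an assumption, the slides give no figure


class FlowStats:
    """Examine each flow and keep counts of its attribute values per time bin."""
    ATTRS = ("prot", "dstport", "srcaddr")

    def __init__(self, interval=INTERVAL):
        self.interval = interval
        self.total = Counter()                                              # bin -> flows
        self.bins = defaultdict(lambda: {a: Counter() for a in self.ATTRS})  # bin -> attr -> value -> flows

    def add(self, flow):
        b = int(flow["start"] // self.interval) * self.interval
        self.total[b] += 1
        for a in self.ATTRS:
            self.bins[b][a][flow[a]] += 1

    def aggregate(self):
        """One series for everything: what an aggregated graph plots."""
        return [self.total[b] for b in sorted(self.total)]

    def series(self, attr, value):
        """One series per attribute value: what a separate graph plots."""
        return [self.bins[b][attr][value] for b in sorted(self.total)]

    def top(self, b, attr, n=1):
        """Most common values of an attribute in one bin (who is behind a spike)."""
        return self.bins[b][attr].most_common(n)


def spikes(series, factor=3.0):
    """Bins whose count exceeds `factor` times the median of the series (a deliberately simple test)."""
    base = median(series)
    return [i for i, v in enumerate(series) if v > factor * base]


def constructed_flows():
    """Six bins of synthetic flows; bin 3 adds 200 ssh flows from a single host."""
    mix = {80: 1400, 443: 500, 53: 90, 22: 10}       # flows per port per bin, constructed
    for b in range(6):
        t = b * INTERVAL
        for port, n in mix.items():
            for i in range(n):
                yield {"start": t, "prot": 17 if port == 53 else 6, "dstport": port,
                       "srcaddr": f"10.0.{i % 50}.{i % 200}"}
        if b == 3:
            for _ in range(200):
                yield {"start": t, "prot": 6, "dstport": 22, "srcaddr": "10.9.9.9"}


def analyse():
    s = FlowStats()
    for f in constructed_flows():
        s.add(f)
    return {
        "aggregate": s.aggregate(),
        "aggregate_spikes": spikes(s.aggregate()),         # the burst is lost in the total
        "port22": s.series("dstport", 22),
        "port22_spikes": spikes(s.series("dstport", 22)),  # obvious once plotted on its own
        "top_src_in_bin3": s.top(3 * INTERVAL, "srcaddr")[0],
    }


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k}: {v}")
```

The per-bin counters are what gets written to the database and drawn; the `top` lookup is the forensic step that follows a spike on one graph.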
18
Graph with aggregation (figure)
19
Graph without aggregation (figure)
20
Rule Based Analysis Module
Establish rules to alert on attacks. Attacks often have a pattern, and the system will collect an abnormal number of flows with this pattern.
The system needs to know the worm's behavior before it can discover the worm's activity.
Establish the filtering rules.
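As an added example (not the presenters' rules), a Python rule engine over flow records. Each rule is a flow filter plus a "count distinct values per group per time window" threshold, which is the shape of both patterns the slides target: a worm is one source opening tiny, unanswered connections to the worm's port on many destinations, and a SYN flood is many sources sending unanswered SYNs to one destination service. The port 445, the thresholds, the window length and the flow samples are constructed assumptions.

```python
"""Rule-based detection over flow records: a rule is a filter plus a distinct-count threshold."""
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def syn_only(f):
    """Unanswered connection attempt: SYN seen, never an ACK, one or two packets."""
    return f["prot"] == 6 and f["tcp_flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN and f["dPkts"] <= 2


RULES = [
    {   # worm-like propagation: one source probing the worm's port on many hosts (tcp/445 assumed)
        "name": "scan-tcp445",
        "match": lambda f: syn_only(f) and f["dstport"] == 445,
        "group": lambda f: f["srcaddr"],
        "distinct": lambda f: f["dstaddr"],
        "threshold": 50,
    },
    {   # SYN flood: many sources hammering one service with unanswered SYNs
        "name": "synflood",
        "match": syn_only,
        "group": lambda f: (f["dstaddr"], f["dstport"]),
        "distinct": lambda f: f["srcaddr"],
        "threshold": 500,
    },
]


class RuleEngine:
    def __init__(self, rules, window=60):
        self.rules, self.window = rules, window
        self.seen = defaultdict(set)   # (rule, window start, group) -> distinct values seen
        self.fired = set()             # alert once per rule/window/group
        self.alerts = []

    def feed(self, flow):
        w = int(flow["start"] // self.window) * self.window
        for r in self.rules:
            if not r["match"](flow):
                continue
            key = (r["name"], w, r["group"](flow))
            vals = self.seen[key]
            vals.add(r["distinct"](flow))
            if len(vals) >= r["threshold"] and key not in self.fired:
                self.fired.add(key)
                self.alerts.append({"rule": r["name"], "window": w,
                                    "group": key[2], "distinct": len(vals)})

    def forget_before(self, t):
        """Drop state for windows older than t so memory stays bounded on a busy link."""
        for key in [k for k in self.seen if k[1] < t]:
            del self.seen[key]
            self.fired.discard(key)


def constructed_flows():
    t = 1000
    # normal web sessions: SYN, ACK, PSH and FIN all seen, many packets; never match
    for i in range(300):
        yield {"start": t, "srcaddr": f"10.0.1.{i % 250}", "dstaddr": "192.0.2.10",
               "srcport": 40000 + i, "dstport": 80, "prot": 6, "tcp_flags": 0x1B, "dPkts": 12}
    # one host sweeps 80 neighbours on tcp/445 with single-SYN flows
    for i in range(80):
        yield {"start": t, "srcaddr": "10.0.0.5", "dstaddr": f"10.0.2.{i}",
               "srcport": 1025 + i, "dstport": 445, "prot": 6, "tcp_flags": TCP_SYN, "dPkts": 1}
    # 600 distinct sources each send one unanswered SYN to the web server
    for i in range(600):
        yield {"start": t, "srcaddr": f"198.51.{i // 250}.{i % 250}", "dstaddr": "192.0.2.10",
               "srcport": 1025, "dstport": 80, "prot": 6, "tcp_flags": TCP_SYN, "dPkts": 1}


def run_demo():
    eng = RuleEngine(RULES)
    for f in constructed_flows():
        eng.feed(f)
    return eng.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The filter is what the slide calls the filtering rule, and the need to write one per known worm port or service is the "must know the worm's behavior first" limitation; the worm sweep also satisfies the flood rule's filter but never its threshold, because each of its destinations sees only one source.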
21
Results
Results on traffic monitoring: traffic volume of the IP protocols; flow graph of the ICMP protocol.
Results on DoS attack detection: flow graphs of TCP port 22; flow graphs of TCP port 44.
22
Traffic volume of the IP protocols (figure)
23
Flow graph of the ICMP protocol (figure)
24
Flow graphs of TCP port 22 (figure)
25
Flow graphs of TCP port 44 (figure)
26
Conclusion
Shortens the management time in a large network.
Finds malicious activities in progress as soon as possible.
Monitors a large network in real time. Separate flow graphs make it easier to identify an anomaly.
Rule-based analysis filters well-known worm or DoS attacks.