Enriching network security analysis with time travel

Published: 17 August 2008

Abstract

In many situations it can be enormously helpful to archive the raw contents of a network traffic stream to disk, to enable later inspection of activity that becomes interesting only in retrospect. We present a Time Machine (TM) for network traffic that provides such a capability. The TM leverages the heavy-tailed nature of network flows to capture nearly all of the likely-interesting traffic while storing only a small fraction of the total volume. An initial proof-of-principle prototype established the forensic value of such an approach, contributing to the investigation of numerous attacks at a site with thousands of users. Based on these experiences, a rearchitected implementation of the system provides flexible, high-performance traffic stream capture, indexing and retrieval, including an interface between the TM and a real-time network intrusion detection system (NIDS). The NIDS controls the TM by dynamically adjusting recording parameters, instructing it to permanently store suspicious activity for offline forensics, and fetching traffic from the past for retrospective analysis. We present a detailed performance evaluation of both stand-alone and joint setups, and report on experiences with running the system live in high-volume environments.
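The mechanism behind the abstract's storage claim is a per-connection cutoff: the TM keeps only the first N bytes of every connection, so the handful of bulk flows that dominate volume lose their tails while the many short connections (where attacks usually show up) are kept whole. The following in-memory model is an added example, not code from the paper or its Time Machine implementation; the class and function names, the 10,000-byte cutoff, the IP addresses and the packet sample are all constructed for illustration. It also sketches the NIDS-facing control interface the abstract mentions (changing the cutoff, exempting a suspicious connection from it, and retrospective queries) so the interplay can be exercised offline.

```python
"""Per-connection cutoff model of a network Time Machine (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, int, str, int, str]   # (endpoint A, port, endpoint B, port, proto)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a connection share one budget."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


class TimeMachine:
    """Retains the first `cutoff` bytes of each connection and drops the rest."""

    def __init__(self, cutoff: int) -> None:
        self.cutoff = cutoff
        self.seen: Dict[FlowKey, int] = defaultdict(int)      # bytes observed per flow
        self.store: Dict[FlowKey, List[Packet]] = defaultdict(list)
        self.unlimited: Set[FlowKey] = set()                   # flows exempt from cutoff
        self.total_bytes = 0
        self.stored_bytes = 0

    def capture(self, p: Packet) -> bool:
        """Process one packet; returns True if it was retained."""
        key, size = flow_key(p), len(p.payload)
        self.total_bytes += size
        keep = key in self.unlimited or self.seen[key] < self.cutoff
        self.seen[key] += size
        if keep:
            self.store[key].append(p)
            self.stored_bytes += size
        return keep

    # Control interface a NIDS would drive (hypothetical names).
    def set_cutoff(self, cutoff: int) -> None:
        self.cutoff = cutoff

    def suspend_cutoff(self, key: FlowKey) -> None:
        """Record a suspicious connection in full from now on."""
        self.unlimited.add(key)

    def query(self, key: FlowKey, since: float = 0.0) -> List[Packet]:
        """Retrospective retrieval of what was kept for a connection."""
        return [p for p in self.store.get(key, []) if p.ts >= since]

    def stored_fraction(self) -> float:
        return self.stored_bytes / self.total_bytes if self.total_bytes else 0.0


def build_sample_traffic() -> List[Packet]:
    """Constructed sample: one 140,000-byte bulk transfer plus ten 1,500-byte connections."""
    pkts = [Packet(i * 0.01, "10.0.0.5", 40000, "10.0.0.9", 80, "tcp", b"A" * 1400)
            for i in range(100)]
    for j in range(10):
        pkts += [Packet(1.0 + j + k * 0.01, f"10.0.0.{20 + j}", 50000 + j,
                        "10.0.0.9", 80, "tcp", b"B" * 500) for k in range(3)]
    return sorted(pkts, key=lambda p: p.ts)


def run_demo(cutoff: int = 10_000) -> dict:
    tm = TimeMachine(cutoff)
    for p in build_sample_traffic():
        tm.capture(p)
    bulk = flow_key(Packet(0, "10.0.0.5", 40000, "10.0.0.9", 80, "tcp", b""))
    baseline = round(tm.stored_fraction(), 3)          # bulk tail dropped, short flows whole

    # NIDS alert on a new connection: lift its cutoff before the traffic arrives.
    alert = Packet(20.0, "10.0.0.7", 41000, "10.0.0.9", 22, "tcp", b"")
    tm.suspend_cutoff(flow_key(alert))
    for i in range(20):
        tm.capture(Packet(20.0 + i * 0.01, "10.0.0.7", 41000, "10.0.0.9", 22, "tcp", b"S" * 1400))

    return {
        "bulk_packets_kept": len(tm.query(bulk)),
        "bulk_bytes_kept": sum(len(p.payload) for p in tm.query(bulk)),
        "baseline_fraction": baseline,
        "suspicious_packets_kept": len(tm.query(flow_key(alert))),
        "total_bytes": tm.total_bytes,
        "stored_bytes": tm.stored_bytes,
        "stored_fraction": round(tm.stored_fraction(), 3),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With the constructed sample, the cutoff keeps only the first 8 packets (11,200 bytes) of the bulk flow but every byte of the ten short connections, so about 17% of the volume is stored before the alert. Note that `suspend_cutoff` only affects packets that arrive after the NIDS calls it; the tail already discarded is gone, which is why a real deployment pairs the cutoff with a generous cutoff value and the NIDS retrieves the retained prefix via `query` for retrospective analysis.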




    Published In

    ACM SIGCOMM Computer Communication Review, Volume 38, Issue 4, October 2008, 436 pages. ISSN 0146-4833. DOI 10.1145/1402946
    • SIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication, August 2008, 452 pages. ISBN 9781605581750. DOI 10.1145/1402958
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 17 August 2008
    Published in SIGCOMM-CCR Volume 38, Issue 4


    Author Tags

    1. forensics
    2. intrusion detection
    3. packet capture

    Qualifiers

    • Research-article


    Article Metrics

    • Downloads (Last 12 months)100
    • Downloads (Last 6 weeks)13
    Reflects downloads up to 25 Jan 2025


    Cited By

    • (2023) Accelerating IDS Using TLS Pre-Filter in FPGA. 2023 IEEE Symposium on Computers and Communications (ISCC), pp. 436-442. DOI 10.1109/ISCC58397.2023.10218049. Online publication date: 9 Jul 2023
    • (2020) An Unsupervised Deep Learning Model for Early Network Traffic Anomaly Detection. IEEE Access 8, pp. 30387-30399. DOI 10.1109/ACCESS.2020.2973023. Online publication date: 2020
    • (2020) A review on machine learning–based approaches for Internet traffic classification. Annals of Telecommunications 75:11-12, pp. 673-710. DOI 10.1007/s12243-020-00770-7. Online publication date: 22 Jun 2020
    • (2017) Acceptance Test for Fault Detection in Component-based Cloud Computing and Systems. Future Generation Computer Systems 70, pp. 74-93. DOI 10.1016/j.future.2016.06.030. Online publication date: May 2017
    • (2015) Selective Capping of Packet Payloads for Network Analysis and Management. Traffic Monitoring and Analysis, pp. 3-16. DOI 10.1007/978-3-319-17172-2_1. Online publication date: 17 Apr 2015
    • (2014) Construction and Analysis of Website Intrusion Forensics Model. Applied Mechanics and Materials 687-691, pp. 2748-2751. DOI 10.4028/www.scientific.net/AMM.687-691.2748. Online publication date: Nov 2014
    • (2014) A roadmap towards improving managed security services from a privacy perspective. Ethics and Information Technology 16:3, pp. 227-240. DOI 10.1007/s10676-014-9348-3. Online publication date: 1 Sep 2014
    • (2014) Multi-granular, multi-purpose and multi-Gb/s monitoring on off-the-shelf systems. Networks 24:4, pp. 221-234. DOI 10.1002/nem.1861. Online publication date: 1 Jul 2014
    • (2013) Horizon extender. Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pp. 499-504. DOI 10.1145/2484313.2484378. Online publication date: 8 May 2013
    • (2012) Extended Time Machine Design using Reconfigurable Computing for Efficient Recording and Retrieval of Gigabit Network Traffic. Computer Engineering, pp. 699-709. DOI 10.4018/978-1-61350-456-7.ch313. Online publication date: 2012
