On-demand view materialization and indexing for network forensic analysis

Authors:
Roxana Geambasu;Tanya Bragin;Jaeyeon Jung;Magdalena Balazinska
Affiliations:
Department of Computer Science and Engineering, University of Washington, Seattle, WA;Department of Computer Science and Engineering, University of Washington, Seattle, WA;Mazu Networks, Cambridge, MA;Department of Computer Science and Engineering, University of Washington, Seattle, WA
Venue:
NETB'07 Proceedings of the 3rd USENIX international workshop on Networking meets databases
Year:
2007

Citing 12
Cited 3

An overview of data warehousing and OLAP technology

ACM SIGMOD Record
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
Optimizing queries using materialized views: a practical, scalable solution

SIGMOD '01 Proceedings of the 2001 ACM SIGMOD international conference on Management of data
Partial Indexing for Nonuniform Data Distributions in Relational DBMS's

IEEE Transactions on Knowledge and Data Engineering
Generalized Partial Indexes

ICDE '95 Proceedings of the Eleventh International Conference on Data Engineering
Answering queries using views: A survey

The VLDB Journal — The International Journal on Very Large Data Bases
Dynamic Caching of Query Results for Decision Support Systems

SSDBM '99 Proceedings of the 11th International Conference on Scientific and Statistical Database Management
Gigascope: a stream database for network applications

Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Aurora: a new model and architecture for data stream management

The VLDB Journal — The International Journal on Very Large Data Bases
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Delay aware querying with seaweed

VLDB '06 Proceedings of the 32nd international conference on Very large data bases
Query processing over live and archived data streams

Query processing over live and archived data streams

NetStore: an efficient storage infrastructure for network forensics and monitoring

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
OMC-IDS: at the cross-roads of OLAP mining and intrusion detection

PAKDD'12 Proceedings of the 16th Pacific-Asia conference on Advances in Knowledge Discovery and Data Mining - Volume Part II
Toward efficient querying of compressed network payloads

USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Today, network intrusion detection systems (NIDSs) use custom solutions to log historical network flows and support forensic analysis by network administrators. These solutions are expensive, inefficient, and lack flexibility. In this paper, we investigate database support for interactive network forensic analysis. We show that an "out-of-the-box" relational database management system (RDBMS) can support moderate flow rates in a manner that ensures high query performance. To enable support for significantly higher data rates, we propose a technique based on on-demand view materialization and indexing. In our approach, when an event occurs, the system proactively extracts relevant historical data and indexes it in preparation for forensic queries over that data. We show that our approach significantly improves response times for a large class of queries, while maintaining high insert throughput.