Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
On the relationship between file sizes, transport protocols, and self-similar network traffic
ICNP '96 Proceedings of the 1996 International Conference on Network Protocols (ICNP '96)
Gigascope: a stream database for network applications
Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Operational experiences with high-volume network intrusion detection
Proceedings of the 11th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementation
A methodology for studying persistency aspects of internet flows
ACM SIGCOMM Computer Communication Review
Exploiting Independent State For Network Intrusion Detection
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Monitoring & Forensic Analysis for Wireless Networks
ICISP '06 Proceedings of the International Conference on Internet Surveillance and Protection
Resource-aware multi-format network security data storage
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Building a time machine for efficient recording and retrieval of high-volume network traffic
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Enabling Real-Time Querying of Live and Historical Stream Data
SSDBM '07 Proceedings of the 19th International Conference on Scientific and Statistical Database Management
Proceedings of the 14th ACM conference on Computer and communications security
Highly efficient techniques for network forensics
Proceedings of the 14th ACM conference on Computer and communications security
Remembrance of streams past: overload-sensitive management of archived streams
VLDB '04 Proceedings of the Thirtieth international conference on Very large data bases - Volume 30
Hyperion: high volume stream archival for retrospective querying
ATC'07 Proceedings of the 2007 USENIX Annual Technical Conference
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Fast monitoring of traffic subpopulations
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Principles for developing comprehensive network visibility
HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
Coordinated weighted sampling for estimating aggregates over multiple weight assignments
Proceedings of the VLDB Endowment
Proceedings of the Third European Workshop on System Security
Comparing and improving current packet capturing solutions based on commodity hardware
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Experience with high-speed automated application-identification for network-management
Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Location-Aware Mobile Intrusion Detection with Enhanced Privacy in a 5G Context
Wireless Personal Communications: An International Journal
OFRewind: enabling record and replay troubleshooting for networks
USENIX ATC'11 Proceedings of the 2011 USENIX Annual Technical Conference
An assessment of overt malicious activity manifest in residential networks
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
pcapIndex: an index for network packet traces with legacy compatibility
ACM SIGCOMM Computer Communication Review
Local system security via SSHD instrumentation
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
A sequence-oriented stream warehouse paradigm for network monitoring applications
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
Pitfalls in HTTP traffic measurements and analysis
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
Toward efficient querying of compressed network payloads
USENIX ATC'12 Proceedings of the 2012 USENIX Annual Technical Conference
Tolerating overload attacks against packet capturing systems
USENIX ATC'12 Proceedings of the 2012 USENIX Annual Technical Conference
AFR: automatic multi-stage forensic data retrieval
Proceedings of the 2012 ACM conference on CoNEXT student workshop
Re-examining the performance bottleneck in a NIDS with detailed profiling
Journal of Network and Computer Applications
Horizon extender: long-term preservation of data leakage evidence in web traffic
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Scap: stream-oriented network traffic capture and analysis for high-speed networks
Proceedings of the 2013 conference on Internet measurement conference
A scalable network forensics mechanism for stealthy self-propagating attacks
Computer Communications
In many situations it can be enormously helpful to archive the raw contents of a network traffic stream to disk, to enable later inspection of activity that becomes interesting only in retrospect. We present a Time Machine (TM) for network traffic that provides such a capability. The TM leverages the heavy-tailed nature of network flows to capture nearly all of the likely-interesting traffic while storing only a small fraction of the total volume. An initial proof-of-principle prototype established the forensic value of such an approach, contributing to the investigation of numerous attacks at a site with thousands of users. Based on these experiences, a rearchitected implementation of the system provides flexible, high-performance traffic stream capture, indexing and retrieval, including an interface between the TM and a real-time network intrusion detection system (NIDS). The NIDS controls the TM by dynamically adjusting recording parameters, instructing it to permanently store suspicious activity for offline forensics, and fetching traffic from the past for retrospective analysis. We present a detailed performance evaluation of both stand-alone and joint setups, and report on experiences with running the system live in high-volume environments.
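The mechanism behind the storage savings the abstract describes is the per-connection cutoff introduced in the Time Machine work listed above ("Building a time machine for efficient recording and retrieval of high-volume network traffic", IMC '05): every packet of a connection is recorded until that connection has carried a fixed number of bytes, after which its remaining packets are dropped. Because flow sizes are heavy-tailed, most connections finish below the cutoff and are captured completely, while the few very large flows that carry most of the bytes are truncated. The simulation below is an added example written for this page, not code from the Time Machine project; the 10 KB cutoff, the 1000-byte packets, the Pareto flow-size distribution and the small NIDS control interface (set_cutoff, keep_permanently, retrieve, expire_before) are assumptions chosen to illustrate the behaviour the abstract summarizes.

```python
"""Per-connection cutoff simulation for a Time Machine style traffic archive.

Added illustration, not the Time Machine project's code. Cutoff, MTU, the
Pareto flow-size model and the NIDS control interface are all assumptions.
"""
from collections import defaultdict
import random

MTU = 1000               # assumed packet size used by the replay (bytes)
DEFAULT_CUTOFF = 10_000  # assumed per-connection cutoff (bytes)


class TimeMachineSim:
    """Stores the first `cutoff` bytes of each connection and drops the rest.

    The hypothetical NIDS control interface lets a detector (a) change the
    cutoff of one connection, e.g. lift it for a suspicious host, (b) mark a
    connection's stored packets as permanent so expiry never removes them,
    and (c) fetch stored packets for retrospective analysis.
    """

    def __init__(self, cutoff=DEFAULT_CUTOFF):
        self.cutoff = cutoff
        self.override = {}                    # conn -> cutoff (None = unlimited)
        self.permanent = set()                # conns exempt from expiry
        self.seen = defaultdict(int)          # bytes observed per conn
        self.stored_bytes = defaultdict(int)  # bytes currently stored per conn
        self.stored = defaultdict(list)       # conn -> [(ts, size), ...]
        self.total_seen = 0
        self.total_stored = 0

    # --- packet path ---------------------------------------------------------
    def record(self, ts, conn, size):
        """Store the packet only while the connection is below its cutoff."""
        self.total_seen += size
        before = self.seen[conn]
        self.seen[conn] = before + size
        limit = self.override.get(conn, self.cutoff)
        if limit is None or before < limit:
            self.stored[conn].append((ts, size))
            self.stored_bytes[conn] += size
            self.total_stored += size
            return True
        return False

    # --- NIDS control interface (assumed, illustrative) ----------------------
    def set_cutoff(self, conn, cutoff):
        """NIDS adjusts the cutoff for one connection (None = record everything)."""
        self.override[conn] = cutoff

    def keep_permanently(self, conn):
        """NIDS flags a connection's recorded packets as forensic evidence."""
        self.permanent.add(conn)

    def retrieve(self, conn):
        """NIDS fetches a connection's past packets for retrospective analysis."""
        return list(self.stored.get(conn, []))

    def expire_before(self, ts):
        """Drop stored packets older than `ts`, except for permanent connections."""
        for conn in list(self.stored):
            if conn in self.permanent:
                continue
            kept = [p for p in self.stored[conn] if p[0] >= ts]
            dropped = sum(s for _, s in self.stored[conn]) - sum(s for _, s in kept)
            self.total_stored -= dropped
            self.stored_bytes[conn] -= dropped
            if kept:
                self.stored[conn] = kept
            else:
                del self.stored[conn]

    # --- statistics ------------------------------------------------------------
    def stored_fraction(self):
        """Share of all observed bytes that were written to the archive."""
        return self.total_stored / self.total_seen if self.total_seen else 0.0

    def complete_fraction(self):
        """Share of connections whose every observed byte is currently stored."""
        if not self.seen:
            return 0.0
        complete = sum(1 for c, n in self.seen.items() if self.stored_bytes[c] == n)
        return complete / len(self.seen)


def replay_flows(tm, flow_sizes, mtu=MTU):
    """Feed each flow into `tm` as MTU-sized packets with a synthetic 5-tuple."""
    ts = 0
    for i, size in enumerate(flow_sizes):
        conn = ("10.0.0.%d" % (i % 250 + 1), 40000 + i, "192.0.2.10", 80)
        remaining = size
        while remaining > 0:
            pkt = min(mtu, remaining)
            tm.record(ts, conn, pkt)
            ts += 1
            remaining -= pkt
    return tm


def heavy_tailed_sizes(n, seed=1, alpha=1.1, scale=2000):
    """Constructed Pareto-distributed flow sizes standing in for real traffic."""
    rng = random.Random(seed)
    return [int(scale * rng.paretovariate(alpha)) for _ in range(n)]


if __name__ == "__main__":
    tm = replay_flows(TimeMachineSim(), heavy_tailed_sizes(20_000))
    print("bytes stored: %.1f%% of total" % (100 * tm.stored_fraction()))
    print("connections captured completely: %.1f%%" % (100 * tm.complete_fraction()))
```

Running the demo shows the asymmetry the abstract relies on: with the assumed distribution well over three quarters of the connections are stored in full while only a minority of the bytes reach disk, and the exact figures move with the cutoff and the tail index. The control methods model the NIDS interface at the level the abstract describes it: a detector that sees a suspicious connection lifts its cutoff and pins its packets against expiry, then pulls earlier packets back out for retrospective analysis.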