Enriching network security analysis with time travel

Authors:
Gregor Maier;Robin Sommer;Holger Dreger;Anja Feldmann;Vern Paxson;Fabian Schneider
Affiliations:
TU Berlin / DT Labs, Berlin, Germany;ICSI / LBNL, Berkeley, CA, USA;Siemens AG, Munich, Germany;TU Berlin / DT Labs, Berlin, Germany;ICSI / UC Berkeley, Berkeley, CA, USA;TU Berlin / DT Labs, Berlin, Germany
Venue:
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Year:
2008

Citing 18
Cited 20

Wide area traffic: the failure of Poisson modeling

IEEE/ACM Transactions on Networking (TON)
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
On the relationship between file sizes, transport protocols, and self-similar network traffic

ICNP '96 Proceedings of the 1996 International Conference on Network Protocols (ICNP '96)
Gigascope: a stream database for network applications

Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Operational experiences with high-volume network intrusion detection

Proceedings of the 11th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
ReVirt: enabling intrusion analysis through virtual-machine logging and replay

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
A methodology for studying persistency aspects of internet flows

ACM SIGCOMM Computer Communication Review
Exploiting Independent State For Network Intrusion Detection

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Monitoring & Forensic Analysis forWireless Networks

ICISP '06 Proceedings of the International Conference on Internet Surveillance and Protection
Resource-aware multi-format network security data storage

Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Building a time machine for efficient recording and retrieval of high-volume network traffic

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Enabling Real-Time Querying of Live and Historical Stream Data

SSDBM '07 Proceedings of the 19th International Conference on Scientific and Statistical Database Management
Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention

Proceedings of the 14th ACM conference on Computer and communications security
Highly efficient techniques for network forensics

Proceedings of the 14th ACM conference on Computer and communications security
Remembrance of streams past: overload-sensitive management of archived streams

VLDB '04 Proceedings of the Thirtieth international conference on Very large data bases - Volume 30
Hyperion: high volume stream archival for retrospective querying

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection

Fast monitoring of traffic subpopulations

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Principles for developing comprehensive network visibility

HOTSEC'08 Proceedings of the 3rd conference on Hot topics in security
Coordinated weighted sampling for estimating aggregates over multiple weight assignments

Proceedings of the VLDB Endowment
Improving the accuracy of network intrusion detection systems under load using selective packet discarding

Proceedings of the Third European Workshop on System Security
Comparing and improving current packet capturing solutions based on commodity hardware

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Experience with high-speed automated application-identification for network-management

Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Location-Aware Mobile Intrusion Detection with Enhanced Privacy in a 5G Context

Wireless Personal Communications: An International Journal
OFRewind: enabling record and replay troubleshooting for networks

USENIXATC'11 Proceedings of the 2011 USENIX conference on USENIX annual technical conference
An assessment of overt malicious activity manifest in residential networks

DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
pcapIndex: an index for network packet traces with legacy compatibility

ACM SIGCOMM Computer Communication Review
Local system security via SSHD instrumentation

LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
A sequence-oriented stream warehouse paradigm for network monitoring applications

PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
Pitfalls in HTTP traffic measurements and analysis

PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
Toward efficient querying of compressed network payloads

USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
Tolerating overload attacks against packet capturing systems

USENIX ATC'12 Proceedings of the 2012 USENIX conference on Annual Technical Conference
AFR: automatic multi-stage forensic data retrieval

Proceedings of the 2012 ACM conference on CoNEXT student workshop
Re-examining the performance bottleneck in a NIDS with detailed profiling

Journal of Network and Computer Applications
Horizon extender: long-term preservation of data leakage evidence in web traffic

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Scap: stream-oriented network traffic capture and analysis for high-speed networks

Proceedings of the 2013 conference on Internet measurement conference
A scalable network forensics mechanism for stealthy self-propagating attacks

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

In many situations it can be enormously helpful to archive the raw contents of a network traffic stream to disk, to enable later inspection of activity that becomes interesting only in retrospect. We present a Time Machine (TM) for network traffic that provides such a capability. The TM leverages the heavy-tailed nature of network flows to capture nearly all of the likely-interesting traffic while storing only a small fraction of the total volume. An initial proof-of-principle prototype established the forensic value of such an approach, contributing to the investigation of numerous attacks at a site with thousands of users. Based on these experiences, a rearchitected implementation of the system provides flexible, highperformance traffic stream capture, indexing and retrieval, including an interface between the TM and a real-time network intrusion detection system (NIDS). The NIDS controls the TM by dynamically adjusting recording parameters, instructing it to permanently store suspicious activity for offline forensics, and fetching traffic from the past for retrospective analysis. We present a detailed performance evaluation of both stand-alone and joint setups, and report on experiences with running the system live in high-volume environments.