There are times when it would be extraordinarily convenient to record the entire contents of a high-volume network traffic stream, in order to later "travel back in time" and inspect activity that has only become interesting in retrospect. Two examples are security forensics (determining just how an attacker compromised a given machine) and network troubleshooting, such as inspecting the precursors to a fault after the fault has occurred. We describe the design and implementation of a Time Machine to efficiently support such recording and retrieval. The efficiency of our approach comes from leveraging the heavy-tailed nature of network traffic: because the bulk of the traffic in high-volume streams comes from just a few connections, a filter that records only the first N bytes of each connection greatly reduces the recorded volume while still retaining small connections in full and the beginnings of large connections (which often suffice). The system is designed for operation in Gbps environments, running on commodity hardware. It can hold a few minutes of a high-volume stream in RAM, and many hours to days on disk; the user can flexibly configure its operation to suit the site's nature. We present simulation and operational results from three distinct Gbps production environments exploring the feasibility and efficiency of a Time Machine implementation. The system has already proved useful in enabling analysis of a break-in at one of the sites.
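As an added illustration (not the paper's own code), the following Python shows a minimal packet-level cutoff filter of the kind the abstract describes, run over a constructed heavy-tailed trace to show how much volume the "first N bytes per connection" rule retains; the trace, the packet dictionary layout and the 10 KB cutoff are assumptions.

```python
from collections import defaultdict

def conn_key(pkt):
    # Direction-independent connection key so both halves of a connection
    # share one byte counter (endpoint order is canonicalised).
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def cutoff_filter(packets, cutoff):
    """Record a packet only while its connection has fewer than `cutoff`
    bytes already recorded. Whole packets are kept, so a truncated
    connection may exceed the cutoff by at most one packet.
    Returns (retained_packets, stats)."""
    seen = defaultdict(int)      # bytes observed per connection
    truncated = set()            # connections that lost at least one packet
    retained, total = [], 0
    for pkt in packets:
        total += pkt["len"]
        k = conn_key(pkt)
        if seen[k] < cutoff:
            retained.append(pkt)
        else:
            truncated.add(k)
        seen[k] += pkt["len"]
    stats = {
        "total_bytes": total,
        "kept_bytes": sum(p["len"] for p in retained),
        "connections": len(seen),
        "truncated_connections": len(truncated),
    }
    return retained, stats

def sample_trace():
    # Constructed trace (not real data): 20 small DNS-style exchanges plus
    # one 150 KB bulk transfer, the heavy-tailed mix the abstract exploits.
    pkts = []
    for i in range(20):
        pkts.append(dict(proto="udp", src="10.0.0.1", sport=40000 + i,
                         dst="10.0.0.53", dport=53, len=80))
        pkts.append(dict(proto="udp", src="10.0.0.53", sport=53,
                         dst="10.0.0.1", dport=40000 + i, len=120))
    for _ in range(100):
        pkts.append(dict(proto="tcp", src="10.0.0.2", sport=5555,
                         dst="10.0.0.80", dport=80, len=1500))
    return pkts

if __name__ == "__main__":
    _, stats = cutoff_filter(sample_trace(), cutoff=10_000)
    print(stats)  # kept_bytes is under 10% of total_bytes on this trace
```

On this trace all 20 small connections survive intact and only the bulk transfer is cut, so the cutoff discards over 90% of the bytes while losing nothing that a forensic look at the small connections would need.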