Digging into IP Flow Records with a Visual Kernel Method
Cynthia Wagner, Gerard Wagener, Radu State, and Thomas Engel
University of Luxembourg - SnT,
Campus Kirchberg, L-1359 Luxembourg, Luxembourg
{cynthia.wagner, jerome.francois, radu.state, thomas.engel}@uni.lu
http://www.securityandtrust.lu
Abstract. This paper presents a network monitoring framework with an intuitive visualization engine. The framework applies a kernel method to spatially and temporally aggregated IP flows for the off-line and on-line processing of Netflow records and full packet captures taken from ISP and honeypot data. It operates on aggregated Netflow records and supports network management activities related to anomaly and attack detection.
Keywords: Netflow records, Visualization, Kernel Function, Honeypot.
1 Introduction
Network monitoring has been studied extensively, yet many problems remain unsolved. Full automation of the monitoring process, and of the evaluation of its results, is still challenging. Network incidents can have very different natures, i.e. attacks, component failures or unusual user activities. In most cases, incident evaluation requires strong and fast interpretation skills from network operators, because countermeasures have to be taken quickly. Another challenge is the quantity of available data. The information available at network borders consists mostly of Netflow¹ records, which most commercially available routers can export today, but evaluating these large quantities of Netflow records in real time remains an open issue. A convenient solution is to use condensed forms of packets or, following a more novel approach, to aggregate flow records spatially over time. In this paper, a new network monitoring framework for the on-line and off-line processing of temporally and spatially aggregated IP flows is described, which aims to detect network incidents and attacks and to visualize them in an intuitive way. For the network monitoring task, a modified version of the Aguri tool [2] is used, which monitors IP flow records and summarizes them into traffic profiles. These traffic profiles are then fed to a specific kernel method for evaluation. The kernel function captures topological and traffic changes without requiring a manual comparison of profiles. The kernel results are then mapped
¹ Netflow records: RFC 3954, http://tools.ietf.org/html/rfc3954
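As an added illustration (not code from the paper, and not the authors' kernel), the following Python script sketches the two steps the introduction describes: spatial aggregation of flow records into a prefix-based traffic profile, in the spirit of Aguri, and a kernel that scores two such profiles so that both topological changes (a prefix that appears or disappears) and traffic changes (a prefix whose share shifts) lower the score. The 10% aggregation threshold, the linear kernel on byte shares, the helper names and the sample flow records are assumptions made for this example; Aguri's actual algorithm and the paper's kernel differ in detail.

```python
# Added illustration, not code from the paper: a simplified Aguri-style spatial
# aggregation of NetFlow-like records into a prefix profile, plus a simple
# kernel that compares two profiles. The 10% threshold, the linear kernel on
# byte shares and the sample records are assumptions made for this example.
import ipaddress
import math
from collections import defaultdict

# Constructed NetFlow-like records (src_ip, dst_ip, bytes); not real traffic.
# Window 1: five /24 networks with two far-apart hosts each, plus two tiny flows.
WINDOW_1 = (
    [("10.1.%d.1" % i, "192.0.2.5", 1000) for i in range(1, 6)]
    + [("10.1.%d.200" % i, "192.0.2.5", 1000) for i in range(1, 6)]
    + [("172.16.0.1", "192.0.2.5", 50), ("172.16.0.200", "192.0.2.5", 50)]
)
# Window 2: same background plus a burst from 16 hosts of a previously unseen /24.
WINDOW_2 = WINDOW_1 + [
    ("198.51.100.%d" % i, "192.0.2.5", 200) for i in range(16)
]


def aggregate_profile(records, threshold=0.10):
    """Summarise source addresses into a traffic profile {prefix: bytes}.

    Every source starts as a /32 leaf holding its byte count. Walking from
    /32 down to /0, a prefix whose share of the window's bytes is at least
    `threshold` is kept in the profile; a smaller one is merged into its
    parent prefix (one bit shorter), which is examined at the next level.
    Whatever is still below the threshold at /0 lands in the 0.0.0.0/0
    bucket. This mirrors the idea of Aguri's aggregation in simplified form.
    """
    total = sum(nbytes for _, _, nbytes in records)
    counts = defaultdict(int)
    for src, _, nbytes in records:
        counts[ipaddress.ip_network(src + "/32")] += nbytes
    profile = {}
    for plen in range(32, -1, -1):          # counts holds /plen prefixes here
        parents = defaultdict(int)
        for net, nbytes in counts.items():
            if plen == 0 or nbytes >= threshold * total:
                profile[net] = profile.get(net, 0) + nbytes
            else:
                parents[net.supernet(new_prefix=plen - 1)] += nbytes
        counts = parents
    return profile


def profile_kernel(p, q):
    """Linear kernel on byte-share vectors indexed by prefix.

    Only prefixes present in both profiles contribute, so a prefix that
    appears or disappears (topological change) lowers the value, and a
    prefix whose share shifts (traffic change) lowers it as well.
    """
    tp, tq = sum(p.values()), sum(q.values())
    return sum((p[n] / tp) * (q[n] / tq) for n in p.keys() & q.keys())


def profile_similarity(p, q):
    """Normalised kernel in [0, 1]; 1.0 means identical profiles."""
    return profile_kernel(p, q) / math.sqrt(profile_kernel(p, p) * profile_kernel(q, q))


def new_prefixes(before, after):
    """Prefixes present in `after` but absent from `before` (topology change)."""
    return set(after) - set(before)


if __name__ == "__main__":
    p1, p2 = aggregate_profile(WINDOW_1), aggregate_profile(WINDOW_2)
    for net, nbytes in sorted(p2.items(), key=lambda kv: -kv[1]):
        print("%-20s %6d bytes" % (net, nbytes))
    print("similarity(w1, w1) = %.3f" % profile_similarity(p1, p1))
    print("similarity(w1, w2) = %.3f" % profile_similarity(p1, p2))
    print("new prefixes:", sorted(map(str, new_prefixes(p1, p2))))
```

Running the script shows why the aggregation is spatial: the two hosts of each 10.1.x.0/24 are individually below 10% of the window but together pass it, so they are reported as one /24, while the 16 burst hosts are first over the threshold at /29 and surface as 198.51.100.0/29 and 198.51.100.8/29. The similarity between the two windows drops from 1.0 to roughly 0.89 without any manual comparison of the profiles, which is the effect the kernel method in the paper is meant to capture.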