Fig. 5. Removing Unlikely Adjacencies from a Multi-Indegree Node using the Time Oriented Heuristic
Multi-indegree nodes (MINs) are an ideal target for edge removal because they are over-represented in the adjacency graphs. Although naive chaining produces many of them, genuine MINs arise only when requests initiated from multiple connections are issued on a single, already open connection. This is a connection reuse scenario that web browsers rarely exhibit. MONs (multi-outdegree nodes), on the other hand, occur all the time: they represent multiple connections being initiated from the same connection, as when a flurry of implicit requests is made for the objects embedded in a page.
Because it focuses only on MINs, the time oriented heuristic is consistently optimistic. It leaves most out-links intact; the only out-links it removes are those that terminate at a MIN.
2.4 Fragment Isolation
The Link Chaining process begins with a tangled graph of naively chained connections. This graph is then processed to remove the impossible and unlikely adjacencies. The remaining graphs of connected nodes form the fragments that the analyst will use to assemble user sessions. The fragments are isolated simply by tracing the edges of each remaining graph and aggregating the connection nodes it reaches.
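The two steps described above (pruning at multi-indegree nodes, then fragment isolation) as an added, runnable example; this is not the paper's code. The naive chaining rule (same client, first requests within a time window) and the time-oriented score (prefer the predecessor that most recently finished responding before the node's first request) are assumptions standing in for the paper's own definitions in Fig. 5, and the six connections are constructed, not captured, data. Note that only in-edges at MINs are dropped, so a MON such as the page load c1 keeps all of its out-links, and the fragments fall out as connected components of what remains.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    cid: str
    client: str
    first_request: float  # seconds: first HTTP request sent on this connection
    last_response: float  # seconds: last HTTP response received on it


def naive_chain(conns, window):
    """Naive chaining (assumed rule, not the paper's): a is adjacent to b when
    both come from the same client and b's first request falls within `window`
    seconds after a's first request.  This over-links and creates many MINs."""
    edges = set()
    for a in conns:
        for b in conns:
            if a is b or a.client != b.client:
                continue
            if 0 < b.first_request - a.first_request <= window:
                edges.add((a.cid, b.cid))
    return edges


def time_oriented_prune(conns, edges):
    """At every multi-indegree node keep only the in-edge whose source most
    recently finished responding before the node's first request (assumed
    heuristic).  Nodes with a single parent, and all MONs, are left alone."""
    by_id = {c.cid: c for c in conns}
    in_edges = defaultdict(list)
    for src, dst in edges:
        in_edges[dst].append(src)
    kept = set(edges)
    for dst, srcs in in_edges.items():
        if len(srcs) < 2:
            continue  # not a MIN
        t = by_id[dst].first_request

        def gap(src):
            g = t - by_id[src].last_response
            # sources that had already finished rank first, by smallest gap;
            # sources still mid-response rank after, by how far ahead they are
            return (0, g) if g >= 0 else (1, -g)

        best = min(srcs, key=gap)
        for src in srcs:
            if src != best:
                kept.discard((src, dst))
    return kept


def isolate_fragments(conns, edges):
    """Fragment isolation: trace the remaining edges (ignoring direction) and
    aggregate every connection node reached into one fragment."""
    adj = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    seen, fragments = set(), []
    for c in conns:
        if c.cid in seen:
            continue
        frag, queue = set(), deque([c.cid])
        seen.add(c.cid)
        while queue:
            n = queue.popleft()
            frag.add(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        fragments.append(frozenset(frag))
    return fragments


# Constructed sample (not captured traffic): one client loads a page on c1 whose
# embedded objects arrive on c2..c4, then 30 s later loads an unrelated page
# (c5) with one embedded object (c6).
SAMPLE = [
    Conn("c1", "10.0.0.5", 0.00, 0.50),
    Conn("c2", "10.0.0.5", 0.60, 0.90),
    Conn("c3", "10.0.0.5", 0.62, 0.80),
    Conn("c4", "10.0.0.5", 0.65, 1.00),
    Conn("c5", "10.0.0.5", 30.00, 30.40),
    Conn("c6", "10.0.0.5", 30.50, 30.70),
]


def run(conns=SAMPLE, window=5.0):
    naive = naive_chain(conns, window)
    pruned = time_oriented_prune(conns, naive)
    return naive, pruned, isolate_fragments(conns, pruned)


if __name__ == "__main__":
    naive, pruned, frags = run()
    print("naive edges:", sorted(naive))
    print("after time-oriented pruning:", sorted(pruned))
    print("fragments:", [sorted(f) for f in frags])
```

With the sample above, naive chaining links c2, c3 and c4 to one another as well as to c1 (seven edges, with c3 and c4 as MINs); pruning keeps only c1 as the parent of each, because c2 and c3 were still mid-response when c3 and c4 opened, and two fragments remain: {c1, c2, c3, c4} and {c5, c6}.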
3 Experimental Setup
Network traffic was collected passively from the inside of a live campus network with a high volume (2 GB/hour) of web traffic and later written to a database. The logging point was situated at the gateway, before any NAT or proxy, so that individual host IP addresses were visible. A real attacker would tap outside this gateway, but IP address visibility was necessary here to validate the results. All traffic features that would not normally be visible in the presence of NAT or a proxy were selectively ignored in each experiment. The tap and the network under test are illustrated in Figure 6.
Traffic collection was performed using Snort 2.0. Snort is an open source network intrusion detection system, capable of performing real-time packet sniffing,