Resource-aware multi-format network security data storage

Published: 11 September 2006

Abstract

Internet security systems like intrusion detection and intrusion prevention systems are based on a simple input-output principle: they receive a high-bandwidth stream of input data and produce summaries of suspicious events. This simple model has serious drawbacks, including the inability to attach context to security alerts, a lack of detailed historical information for anomaly detection baselines, and a lack of detailed forensics information. Together these problems highlight a need for fine-grained security data in the short term and coarse-grained security data in the long term. To address these limitations we propose resource-aware multi-format security data storage. Our approach is to develop an architecture for recording different granularities of security data simultaneously. To explore this idea we present a novel framework for analyzing security data as a spectrum of information and a set of algorithms for collecting and storing multi-format data. We construct a prototype system and deploy it on darknets at academic, Fortune 100 enterprise, and ISP networks. We demonstrate how a hybrid algorithm that provides guarantees on time and space satisfies the short- and long-term goals across a four-month deployment period and during a series of large-scale denial of service attacks.
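The tiered design the abstract describes, as an added example that is not code from the paper or its prototype: a store that records the same darknet traffic at three granularities at the same time and bounds the fine-grained tier by both a retention window and a byte budget, so that a denial-of-service flood cannot exhaust it while the coarse tier keeps accumulating. The three-tier layout, the window and budget values, the oldest-first eviction policy and the constructed packets are all assumptions made for this illustration; the paper's own hybrid algorithm is not reproduced here.

```python
# Added illustration (not code from the paper): a three-tier, resource-bounded
# store that keeps the same darknet traffic at three granularities at once.
# Tier names, window sizes and the oldest-first eviction policy are assumptions
# made for this example; the paper's hybrid algorithm is not reproduced here.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    dport: int
    size: int      # bytes on the wire


class MultiFormatStore:
    """Fine-grained data for the short term, coarse-grained for the long term.

    raw      : whole packets, kept at most raw_window_s seconds AND at most
               raw_budget_bytes in total (a time bound and a space bound)
    flows    : per (src, dst, dport) summaries, expired after flow_window_s idle
    counters : per-minute packet/byte totals, never expired
    """

    def __init__(self, raw_window_s, raw_budget_bytes, flow_window_s):
        self.raw_window_s = raw_window_s
        self.raw_budget_bytes = raw_budget_bytes
        self.flow_window_s = flow_window_s
        self.raw = deque()          # oldest packet first
        self.raw_bytes = 0
        self.flows = {}
        self.counters = defaultdict(lambda: {"pkts": 0, "bytes": 0})
        self.dropped_raw = 0        # raw packets evicted early by the byte budget

    def record(self, pkt):
        # Coarse tier: O(1) per packet and fixed size per minute, so a flood
        # cannot grow it; this is what survives for baselines and forensics.
        c = self.counters[int(pkt.ts // 60)]
        c["pkts"] += 1
        c["bytes"] += pkt.size
        # Medium tier: one record per flow, updated in place.
        key = (pkt.src, pkt.dst, pkt.dport)
        f = self.flows.setdefault(key, {"first": pkt.ts, "last": pkt.ts, "pkts": 0, "bytes": 0})
        f["last"] = pkt.ts
        f["pkts"] += 1
        f["bytes"] += pkt.size
        # Fine tier: keep the packet itself, then enforce both bounds.
        self.raw.append(pkt)
        self.raw_bytes += pkt.size
        self.expire(pkt.ts)

    def expire(self, now):
        # Time bound: nothing older than the raw window stays raw.
        while self.raw and now - self.raw[0].ts > self.raw_window_s:
            self.raw_bytes -= self.raw.popleft().size
        # Space bound: during a flood the window alone is not enough, so
        # evict oldest-first until the byte budget holds again.
        while self.raw and self.raw_bytes > self.raw_budget_bytes:
            self.raw_bytes -= self.raw.popleft().size
            self.dropped_raw += 1
        # Flow records expire on idleness; counters are never expired.
        for key in [k for k, f in self.flows.items() if now - f["last"] > self.flow_window_s]:
            del self.flows[key]

    def context(self, src, now):
        """Finest-grained evidence still held for a source, for attaching to an alert."""
        self.expire(now)
        raw = [p for p in self.raw if p.src == src]
        if raw:
            return "raw", raw
        flows = {k: f for k, f in self.flows.items() if k[0] == src}
        if flows:
            return "flow", flows
        return "coarse", dict(self.counters)


def demo():
    """Constructed traffic: two probes, then a 15-packet flood from one source."""
    store = MultiFormatStore(raw_window_s=10, raw_budget_bytes=1000, flow_window_s=60)
    store.record(Packet(0.0, "10.0.0.1", "192.0.2.7", 445, 100))
    store.record(Packet(5.0, "10.0.0.2", "192.0.2.7", 22, 200))
    for i in range(15):
        store.record(Packet(20.0 + i / 10, "198.51.100.9", "192.0.2.7", 80, 100))
    return store


if __name__ == "__main__":
    s = demo()
    print(len(s.raw), s.raw_bytes, s.dropped_raw)   # 10 1000 5
    print(s.context("10.0.0.1", now=25.0)[0])       # flow
    print(s.context("10.0.0.1", now=100.0)[0])      # coarse
```

The `context` lookup is the point the abstract argues for: an alert raised while the packets are still inside the raw window can be annotated with the packets themselves, one raised later still gets the flow record, and anything older falls back to the per-minute totals that a baseline can be computed from. The flood in `demo` shows why the space bound matters: the 10-second window would have kept all 1500 bytes, but the byte budget evicts the five oldest flood packets and the coarse counters still record all 17 packets.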


    Published In

    LSAD '06: Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
    September 2006
    91 pages
    ISBN:1595935711
    DOI:10.1145/1162666

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. anomaly classification
    2. anomaly detection
    3. darknet
    4. network-wide traffic analysis

    Conference

    SIGCOMM06
    SIGCOMM06: ACM SIGCOMM 2006 Conference
    September 11 - 15, 2006
    Pisa, Italy

    Cited By

    • (2016) Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization. IEEE Communications Surveys & Tutorials 18(2):1197-1227. doi:10.1109/COMST.2015.2497690
    • (2015) FloSIS. Proceedings of the 2015 USENIX Annual Technical Conference, pp. 445-457. doi:10.5555/2813767.2813800
    • (2015) MAD: A Middleware Framework for Multi-step Attack Detection. 2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), pp. 8-15. doi:10.1109/BADGERS.2015.012
    • (2013) Horizon extender. Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pp. 499-504. doi:10.1145/2484313.2484378
    • (2012) Extended Time Machine Design using Reconfigurable Computing for Efficient Recording and Retrieval of Gigabit Network Traffic. Computer Engineering, pp. 699-709. doi:10.4018/978-1-61350-456-7.ch313
    • (2011) Extended Time Machine Design using Reconfigurable Computing for Efficient Recording and Retrieval of Gigabit Network Traffic. Cyber Security, Cyber Crime and Cyber Forensics, pp. 168-177. doi:10.4018/978-1-60960-123-2.ch012
    • (2010) RRDtrace. Proceedings of the 2010 IEEE International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, pp. 101-110. doi:10.1109/MASCOTS.2010.19
    • (2008) Enriching network security analysis with time travel. Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, pp. 183-194. doi:10.1145/1402958.1402980
    • (2008) Enriching network security analysis with time travel. ACM SIGCOMM Computer Communication Review 38(4):183-194. doi:10.1145/1402946.1402980
