DOI: 10.5555/1390576.1390586

Research article
LOBSTER: a European platform for passive network traffic monitoring

Published: 18 March 2008

Abstract

Over the past few years we have been witnessing a large number of new programs and applications which generate prolific amounts of questionable, if not illegal, traffic that dominates our networks. Hopping from one port to another and using sophisticated encoding mechanisms, such applications have managed to evade traditional monitoring tools and confuse system administrators.
In this paper we present a concerted European effort to improve our understanding of the Internet through the LOBSTER passive network traffic monitoring infrastructure. By capitalizing on a novel Distributed Monitoring Application Programming Interface, which enables the creation of sophisticated applications on top of commodity hardware, LOBSTER enables a large number of researchers and system administrators to reach a better understanding of the kind of traffic that flows through their networks.
We have been running LOBSTER for more than a year now and we have deployed close to forty sensors in twelve countries on three continents. Using LOBSTER sensors:
• we have captured more than 600,000 sophisticated cyberattacks which attempted to masquerade themselves using advanced polymorphic approaches;
• we have monitored the traffic of entire NRENs, making it possible to identify the magnitude (as well as the sources) of file-sharing (peer-to-peer) traffic.


Cited By

  • (2015) Cooperative security management for broadband network environments. Security and Communication Networks, 8(18):3953-3977. doi:10.1002/sec.1313. Online publication date: 1 Dec 2015.
  • (2010) Volunteer-based distributed traffic data collection system. Proceedings of the 12th International Conference on Advanced Communication Technology, pages 1147-1152. doi:10.5555/1833006.1833050. Online publication date: 7 Feb 2010.
  • (2008) Real-world polymorphic attack detection using network-level emulation. Proceedings of the 4th Annual Workshop on Cyber Security and Information Intelligence Research, pages 1-3. doi:10.1145/1413140.1413164. Online publication date: 12 May 2008.

Published In

TridentCom '08: Proceedings of the 4th International Conference on Testbeds and research infrastructures for the development of networks & communities
March 2008, 335 pages
ISBN: 9789639799240
Publisher: ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), Brussels, Belgium

Author Tags

  1. distributed monitoring
  2. network monitoring
  3. traffic classification

Qualifiers

  • Research article

Conference

TridentCom08