Enhancing Enterprise Security through Cost-effective and Highly Customizable Network Monitoring

Published: 08 December 2017

Abstract

Network monitoring and network traffic analysis software are common tools used in an enterprise, giving IT administrators valuable insight into the status of their servers and network devices. Limited research has been done to highlight the security benefits of low-level network traffic logging and analysis, though much of it involves testing the network activity of malicious software in lab environments, using cost-prohibitive software to analyze traffic for a pre-determined amount of time. This is a useful way to isolate network activity to only the malicious software, but it also eliminates valuable baseline traffic information for an enterprise network. There are significant security benefits to be gained from analyzing how malware reacts in – or alters – an enterprise network. This paper provides techniques for getting a baseline of enterprise network traffic and analyzes how different types of malware can affect this baseline. Using only low- and no-cost software and services, we analyze the storage requirements for historical network traffic data and present techniques to filter out much of the noise, significantly reducing the amount of data that must be stored and analyzed. The results of our technique are compared against traditional anti-malware and network traffic analysis methods, revealing our approach to be a cost-effective, highly customizable and effective layer of a complete defense-in-depth security strategy.

Published In

MOBIMEDIA'17: Proceedings of the 10th EAI International Conference on Mobile Multimedia Communications
December 2017, 338 pages

Editors: Honggang Wang, Qianbin Chen, Yanbing Liu, Dapeng Wu, Nirwan Ansari, Lei Chen, Dalei Wu

Publisher: ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), Brussels, Belgium

Author Tags

1. data security
2. L2 and L3 analysis
3. network traffic analysis
4. traffic logging

Qualifiers

• Article
