MSDFPS-ENSATT-08
Gregor Maier, Robin Sommer, Holger Dreger, Anja Feldmann, Vern Paxson, Fabian Schneider. Enriching Network Security Analysis with Time Travel. In SIGCOMM '08: Proceedings of the 2008 conference on Applications, technologies, architectures, and protocols for computer communications, (Location: Seattle, WA, USA), Pages 183-194, ACM Press, New York, NY, USA, August 2008.
Download paper: Adobe portable document (pdf)
Copyright notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.
Note on this paper
The slides of the talk given at SIGCOMM '08 are available under "Enriching Network Security Analysis with Time Travel".
Abstract
In many situations it can be enormously helpful to archive the raw contents of a network traffic stream to disk, to enable later inspection of activity that becomes interesting only in retrospect. We present a Time Machine (TM) for network traffic that provides such a capability. The TM leverages the heavy-tailed nature of network flows to capture nearly all of the likely-interesting traffic while storing only a small fraction of the total volume. An initial proof-of-principle prototype established the forensic value of such an approach, contributing to the investigation of numerous attacks at a site with thousands of users. Based on these experiences, a rearchitected implementation of the system provides flexible, high-performance traffic stream capture, indexing and retrieval, including an interface between the TM and a real-time network intrusion detection system (NIDS). The NIDS controls the TM by dynamically adjusting recording parameters, instructing it to permanently store suspicious activity for offline forensics, and fetching traffic from the past for retrospective analysis. We present a detailed performance evaluation of both stand-alone and joint setups, and report on experiences with running the system live in high-volume environments.
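One way to turn the heavy-tailed observation from the abstract into a storage policy is a per-connection byte cutoff: every connection is recorded up to a fixed number of bytes, so the many small connections are kept whole while the few bulk transfers that dominate the volume are truncated, and the NIDS can lift the cutoff for a connection it finds suspicious. The following Python is an added illustration of that policy, not the Time Machine's own code; the packet trace, the connection names and the 10,000-byte cutoff are constructed values.

```python
from collections import defaultdict

class CutoffRecorder:
    """Store at most `cutoff` bytes per connection; connections the NIDS has
    flagged are kept in full. Constructed illustration, not the TM's own code."""

    def __init__(self, cutoff):
        self.cutoff = cutoff
        self.seen = defaultdict(int)     # bytes observed per connection
        self.stored = defaultdict(int)   # bytes retained per connection
        self.flagged = set()

    def flag(self, conn):
        """NIDS instruction: keep this connection without cutoff."""
        self.flagged.add(conn)

    def record(self, conn, pkt_len):
        """Process one packet; return how many of its bytes are retained."""
        self.seen[conn] += pkt_len
        if conn in self.flagged:
            keep = pkt_len
        else:
            keep = min(pkt_len, max(0, self.cutoff - self.stored[conn]))
        self.stored[conn] += keep
        return keep

    def summary(self):
        total = sum(self.seen.values())
        kept = sum(self.stored.values())
        complete = sum(1 for c in self.seen if self.stored[c] == self.seen[c])
        return {"total_bytes": total, "stored_bytes": kept,
                "stored_fraction": kept / total if total else 0.0,
                "complete_connections": complete, "connections": len(self.seen)}

def sample_trace():
    """Constructed (connection, packet length) trace; one bulk transfer dominates."""
    trace = [("dns", 80), ("dns", 200)]          # 280 B
    trace += [("http", 1400)] * 10               # 14,000 B
    trace += [("bulk", 1400)] * 10_000           # 14,000,000 B
    return trace

def run(cutoff, flagged=()):
    """Replay the sample trace through a recorder and return its summary."""
    rec = CutoffRecorder(cutoff)
    for conn in flagged:
        rec.flag(conn)
    for conn, pkt_len in sample_trace():
        rec.record(conn, pkt_len)
    return rec.summary()
```

With a 10,000-byte cutoff the recorder retains well under one percent of the trace's bytes while keeping every short connection complete; flagging the bulk connection before replay keeps it in full, which is the NIDS-driven exception the abstract describes.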
Keywords
[ TM ]
Contact
Gregor Maier
Anja Feldmann
Fabian Schneider
BibTeX Reference
@InProceedings{MSDFPS-ENSATT-08,
Author = {Maier, Gregor and Sommer, Robin and Dreger, Holger and Feldmann, Anja and Paxson, Vern and Schneider, Fabian},
Title = {Enriching Network Security Analysis with Time Travel},
BookTitle = {SIGCOMM '08: Proceedings of the 2008 conference on Applications, technologies, architectures, and protocols for computer communications},
Pages = {183--194},
Publisher = {ACM Press},
Address = {New York, NY, USA},
Location = {Seattle, WA, USA},
Month = {August},
Year = {2008}
}
EndNote Reference (.ref)
