Wireless Personal Communications

, Volume 94, Issue 3, pp 415–430 | Cite as

Event Driven Network Topology Discovery and Inventory Listing Using REAMS

  • Amir AzodiEmail author
  • Feng Cheng
  • Christoph Meinel


Network Topology Discovery and Inventory Listing are two of the primary features of modern network monitoring systems (NMS). Current NMSs rely heavily on active scanning techniques for discovering and mapping network information. Although this approach works, it introduces some major drawbacks such as the performance impact it can exact, specially in larger network environments. As a consequence, scans are often run less frequently which can result in stale information being presented and used by the network monitoring system. Alternatively, some NMSs rely on their agents being deployed on the hosts they monitor. In this article, we present a new approach to Network Topology Discovery and Network Inventory Listing using only passive monitoring and scanning techniques. The proposed techniques rely solely on the event logs produced by the hosts and network devices present within a network. Finally, we discuss some of the advantages and disadvantages of our approach.


Network topology Inventory systems Network monitoring Network graph Service detection Event processing Event normalization 


  1. 1.
    Bondi, A. B. (1998). Network management system with improved node discovery and monitoring. US Patent 5,710,885. January 20.Google Scholar
  2. 2.
    Deb, B., Bhatnagar, S., & Nath, B. (2002). A topology discovery algorithm for sensor networks with applications to network management.Google Scholar
  3. 3.
    Case, J., Fedor, M., Schoffstall, M., & Davin, C. (1989). A simple network management protocol (SNMP).Google Scholar
  4. 4.
    Reid, D., & Blizzard, S. (2006). Standards-based secure management of networks, systems, applications and services using SNMPV3 and hp openview. Accessed 11 May 2015.Google Scholar
  5. 5.
    Enterprises, N. (2014). Nagios XI the industry standard in it infrastructure monitoring.Google Scholar
  6. 6.
    Danalis, A. G., & Dovrolis, C. (2003). Anemos: An autonomous network monitoring system. PhD thesis, University of Delaware.Google Scholar
  7. 7.
    Basa, S., & Ganji, N. (2008). Enhanced NMS tool architecture for discovery and monitoring of nodes. PhD thesis, Master thesis Computer Science Thesis No: MCS-2008-15 January 2008.Google Scholar
  8. 8.
    Azodi, A., Jaeger, D., Cheng, F., & Meinel, C. (2013). A new approach to building a multi-tier direct access knowledge base for IDS/SIEM systems. In Proceedings of the 11th IEEE international conference on dependable, autonomic and secure computing (DASC2013), Chengdu, China.Google Scholar
  9. 9.
    Barnard, R. L. (1988). Intrusion detection systems. Houston: Gulf Professional Publishing.Google Scholar
  10. 10.
    Azodi, A., Jaeger, D., Cheng, F., & Meinel, C. (2013). Pushing the limits in event normalisation to improve attack detection in IDS/SIEM systems. In Proceedings of the first international conference on advanced cloud and big data (CBD2013), Nanjing, China.Google Scholar
  11. 11.
    Elastic Company. Logstash. Accessed 20 May 2015.Google Scholar
  12. 12.
    Hewlett-Packard. Arcsight security intelligence platform.
  13. 13.
    Splunk Inc. Splunk Enterprise. (2003).
  14. 14.
    TORCH GmbH. Graylog2 Central Log Server.
  15. 15.
    TORCH GmbH. (2013). Graylog extended log format (version 1.1). Web Site, November.Google Scholar
  16. 16.
    Gerhards, R. (2009). The syslog protocol. RFC 5424 (Proposed Standard).Google Scholar
  17. 17.
    Inc. Cisco Systems. (2014). Cisco systems, inc. Accessed 10 May 2015.Google Scholar
  18. 18.
    Inc. Cisco Systems. (2014). Cisco adaptive security appliance (ASA) software. Accessed 10 May 2015.Google Scholar
  19. 19.
    Rekhter, Y., & Li, T. (1994). Open systems interconnection—Model and Notation. Technical report X.200, telecommunication standardization Sector of ITU.Google Scholar
  20. 20.
    Droms, R. (1997). Dynamic host configuration protocol. RFC 2131, RFC Editor.Google Scholar
  21. 21.
    Mockapetris, P. (1987). Domain Names—Implementation and specification. RFC 1035, RFC Editor.Google Scholar
  22. 22.
    Postel, J., & Reynolds, J. K. (1985). File transfer protocol (FTP). RFC 959, RFC Editor.Google Scholar
  23. 23.
    The DNS-BH project. (2014). Malware prevention through domain blocking (black hole DNS sinkhole). Accessed 11 May 2015.Google Scholar
  24. 24.
    Insecure.Org. Nmap security scanner (2014). Accessed 14 May 2015.Google Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. 1.Hasso Plattner Institute (HPI)University of PotsdamPotsdamGermany

Personalised recommendations