Event Driven Network Topology Discovery and Inventory Listing Using REAMS
Network topology discovery and inventory listing are two of the primary features of modern network monitoring systems (NMSs). Current NMSs rely heavily on active scanning to discover and map network information. Although this approach works, it has major drawbacks, chief among them the performance impact that scanning imposes, especially in larger network environments. As a consequence, scans are often run less frequently, so the information the NMS presents and acts on can be stale. Alternatively, some NMSs rely on agents deployed on every host they monitor. In this article we present a new approach to network topology discovery and network inventory listing that uses only passive monitoring techniques: the proposed techniques rely solely on the event logs already produced by the hosts and network devices present within a network. Finally, we discuss some of the advantages and disadvantages of our approach.
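As an added illustration of the passive, log-driven approach the abstract describes (example code written for this page, not REAMS's own code or output), the Python below runs a small event normaliser over a handful of constructed syslog lines (ISC dhcpd leases, a BIND query log entry, sshd and vsftpd logins, a Cisco ASA connection build) and folds each typed event into a host inventory and a set of topology edges, counting lines no normaliser recognises. The log lines, the 10.0.0.0/8 site prefix, the well-known-port table, the reading of the ASA 302013 endpoint order, and the hostname-based identity merge are all assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (RFC 3164 layout) for this example; not captured data.
SAMPLE_LOGS = [
    "Mar  3 10:01:02 dhcp1 dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:55 (ws-alice) via eth0",
    "Mar  3 10:01:05 ns1 named[412]: client 10.0.0.21#51234: query: fileserver.corp.example IN A + (10.0.0.5)",
    "Mar  3 10:01:09 fileserver sshd[2201]: Accepted publickey for alice from 10.0.0.21 port 50112 ssh2",
    "Mar  3 10:02:30 dhcp1 dhcpd: DHCPACK on 10.0.0.22 to 66:77:88:99:aa:bb (ws-bob) via eth0",
    'Mar  3 10:02:44 fileserver vsftpd[2300]: [bob] OK LOGIN: Client "10.0.0.22"',
    "Mar  3 10:02:50 ws-alice sshd[900]: Accepted password for alice from 10.0.0.22 port 51000 ssh2",
    "Mar  3 10:03:00 fw1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/443 "
    "(198.51.100.7/443) to inside:10.0.0.22/49152 (203.0.113.10/49152)",
    "Mar  3 10:03:01 ws-bob kernel: eth0: link is up",  # no normaliser knows this: counted as unparsed
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site prefix; external peers appear in edges only
WELL_KNOWN_PORTS = {"21": "ftp", "22": "ssh", "53": "dns", "80": "http", "443": "https"}
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Per-format normalisers: each turns one known message layout into a typed event.
NORMALIZERS = [
    ("dhcp_lease", re.compile(r"dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:]{17})"
                              r"(?: \((?P<name>[^)]+)\))?")),
    # BIND query log: the trailing address is the resolver interface that received the query.
    ("dns_query", re.compile(r"named\[\d+\]: client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) "
                             r"IN \w+ \S+ \((?P<dst>[\d.]+)\)")),
    ("ssh_login", re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")),
    ("ftp_login", re.compile(r'vsftpd\[\d+\]: \[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<src>[\d.]+)"')),
    # ASA 302013 (assumed layout): for an outbound build the first endpoint is the responder.
    ("fw_conn", re.compile(r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
                           r"connection \d+ for \w+:(?P<a>[\d.]+)/(?P<aport>\d+) \([^)]*\) "
                           r"to \w+:(?P<b>[\d.]+)/(?P<bport>\d+)")),
]


def normalize(line):
    """Parse one syslog line into a typed event dict, or None if no normaliser knows the format."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for kind, pat in NORMALIZERS:
        hit = pat.search(m["msg"])
        if hit:
            ev = {"kind": kind, "reporter": m["host"], "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S")}
            ev.update(hit.groupdict())
            return ev
    return None


def _merge_by_hostname(hosts, edges):
    """Fold nodes known only by reporter hostname into the IP node that DHCP tied to that hostname."""
    by_name = {h["hostname"]: k for k, h in hosts.items() if h["ip"] and h["hostname"]}
    for key in [k for k, h in hosts.items() if h["ip"] is None and k in by_name]:
        target = by_name[key]
        hosts[target]["services"] |= hosts[key]["services"]
        hosts[target]["last_seen"] = max(hosts[target]["last_seen"], hosts[key]["last_seen"])
        del hosts[key]
        for src, dst, svc in [e for e in edges if key in e[:2]]:
            edges.discard((src, dst, svc))
            edges.add((target if src == key else src, target if dst == key else dst, svc))


def build_inventory(lines):
    """Return (hosts, edges, unparsed): inventory keyed by IP or hostname, (src, dst, service) edges."""
    hosts = defaultdict(lambda: {"ip": None, "mac": None, "hostname": None, "services": set(), "last_seen": None})
    edges, unparsed = set(), 0

    def observe(key, ts, service=None, **attrs):  # record a sighting; last_seen lets stale hosts age out
        h = hosts[key]
        h.update({k: v for k, v in attrs.items() if v is not None})
        if service:
            h["services"].add(service)
        h["last_seen"] = ts

    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
            continue
        ts, kind, rep = ev["ts"], ev["kind"], ev["reporter"]
        if kind == "dhcp_lease":
            observe(ev["ip"], ts, ip=ev["ip"], mac=ev["mac"], hostname=ev["name"])
        elif kind == "dns_query":
            observe(ev["src"], ts, ip=ev["src"])
            observe(ev["dst"], ts, ip=ev["dst"], hostname=rep, service="dns")
            edges.add((ev["src"], ev["dst"], "dns"))
        elif kind in ("ssh_login", "ftp_login"):
            svc = kind[:3]
            observe(ev["src"], ts, ip=ev["src"])
            observe(rep, ts, hostname=rep, service=svc)  # server IP is not in the line: key by hostname
            edges.add((ev["src"], rep, svc))
        elif kind == "fw_conn":
            a, b = (ev["a"], ev["aport"]), (ev["b"], ev["bport"])
            (dst, dport), (src, _) = (a, b) if ev["dir"] == "outbound" else (b, a)
            svc = WELL_KNOWN_PORTS.get(dport, f"{ev['proto'].lower()}/{dport}")
            for ip, s in ((src, None), (dst, svc)):
                if ipaddress.ip_address(ip) in INTERNAL:
                    observe(ip, ts, ip=ip, service=s)
            edges.add((src, dst, svc))
    _merge_by_hostname(hosts, edges)
    return dict(hosts), edges, unparsed
```

Calling `build_inventory(SAMPLE_LOGS)` yields four inventory hosts, five edges and one unparsed line. Two points the sample is built to show: a server-side login line names the reporting host only by hostname, so such nodes are keyed by hostname and merged into an IP-keyed node only once a DHCP lease has tied that hostname to an address (here `ws-alice` merges into 10.0.0.21, while `fileserver` stays name-only until some other log supplies its address); and `last_seen` is updated on every sighting, which is what lets a log-driven inventory age entries out instead of re-scanning to discover that a host has gone.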
Keywords: Network topology; Inventory systems; Network monitoring; Network graph; Service detection; Event processing; Event normalization