Network Topology Discovery and Inventory Listing are two of the primary features of modern network monitoring systems (NMS). Current NMSs rely heavily on active scanning techniques for discovering and mapping network information. Although this approach works, it introduces some major drawbacks such as the performance impact it can exact, specially in larger network environments. As a consequence, scans are often run less frequently which can result in stale information being presented and used by the network monitoring system. Alternatively, some NMSs rely on their agents being deployed on the hosts they monitor. In this article, we present a new approach to Network Topology Discovery and Network Inventory Listing using only passive monitoring and scanning techniques. The proposed techniques rely solely on the event logs produced by the hosts and network devices present within a network. Finally, we discuss some of the advantages and disadvantages of our approach.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Price excludes VAT (USA)
Tax calculation will be finalised during checkout.
Wrapper is defined as an event format that encapsulated the original event. e.g. GELF .
Header is the portion of the event which is common across all events of a particular format. e.g. Syslog  header.
Message is the core information that is to be persisted using the event. e.g. user x logged into system y.
IP address ranges are shown to reduce the size of the graph.
Some ports and hosts were omitted due to size constraints.
Bondi, A. B. (1998). Network management system with improved node discovery and monitoring. US Patent 5,710,885. January 20.
Deb, B., Bhatnagar, S., & Nath, B. (2002). A topology discovery algorithm for sensor networks with applications to network management.
Case, J., Fedor, M., Schoffstall, M., & Davin, C. (1989). A simple network management protocol (SNMP).
Reid, D., & Blizzard, S. (2006). Standards-based secure management of networks, systems, applications and services using SNMPV3 and hp openview. Accessed 11 May 2015.
Enterprises, N. (2014). Nagios XI the industry standard in it infrastructure monitoring.
Danalis, A. G., & Dovrolis, C. (2003). Anemos: An autonomous network monitoring system. PhD thesis, University of Delaware.
Basa, S., & Ganji, N. (2008). Enhanced NMS tool architecture for discovery and monitoring of nodes. PhD thesis, Master thesis Computer Science Thesis No: MCS-2008-15 January 2008.
Azodi, A., Jaeger, D., Cheng, F., & Meinel, C. (2013). A new approach to building a multi-tier direct access knowledge base for IDS/SIEM systems. In Proceedings of the 11th IEEE international conference on dependable, autonomic and secure computing (DASC2013), Chengdu, China.
Barnard, R. L. (1988). Intrusion detection systems. Houston: Gulf Professional Publishing.
Azodi, A., Jaeger, D., Cheng, F., & Meinel, C. (2013). Pushing the limits in event normalisation to improve attack detection in IDS/SIEM systems. In Proceedings of the first international conference on advanced cloud and big data (CBD2013), Nanjing, China.
Elastic Company. Logstash. Accessed 20 May 2015.
Hewlett-Packard. Arcsight security intelligence platform. http://www.ndm.net/siem/main/arcsight-siem.
Splunk Inc. Splunk Enterprise. (2003). http://www.splunk.com/.
TORCH GmbH. Graylog2 Central Log Server. http://www.graylog2.org/.
TORCH GmbH. (2013). Graylog extended log format (version 1.1). Web Site, November.
Gerhards, R. (2009). The syslog protocol. RFC 5424 (Proposed Standard).
Inc. Cisco Systems. (2014). Cisco systems, inc. Accessed 10 May 2015.
Inc. Cisco Systems. (2014). Cisco adaptive security appliance (ASA) software. Accessed 10 May 2015.
Rekhter, Y., & Li, T. (1994). Open systems interconnection—Model and Notation. Technical report X.200, telecommunication standardization Sector of ITU.
Droms, R. (1997). Dynamic host configuration protocol. RFC 2131, RFC Editor.
Mockapetris, P. (1987). Domain Names—Implementation and specification. RFC 1035, RFC Editor.
Postel, J., & Reynolds, J. K. (1985). File transfer protocol (FTP). RFC 959, RFC Editor.
The DNS-BH project. (2014). Malware prevention through domain blocking (black hole DNS sinkhole). Accessed 11 May 2015.
Insecure.Org. Nmap security scanner (2014). Accessed 14 May 2015.
Rights and permissions
About this article
Cite this article
Azodi, A., Cheng, F. & Meinel, C. Event Driven Network Topology Discovery and Inventory Listing Using REAMS. Wireless Pers Commun 94, 415–430 (2017). https://doi.org/10.1007/s11277-015-3061-3
- Network topology
- Inventory systems
- Network monitoring
- Network graph
- Service detection
- Event processing
- Event normalization