Network Traffic Exploration Application: A Tool to Assess, Visualize, and Analyze Network Security Events

  • Grant Vandenberghe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5210)

Abstract

Defence Research and Development Canada (DRDC) is developing a security event / packet analysis tool that is useful for analyzing a wide range of network attacks. The tool allows the security analyst to visually analyze a security event from a broad range of visual perspectives using a variety of detection algorithms. The tool is easy to extend and can be used to generate automated analysis scripts. The system architecture is presented and its capabilities are demonstrated through the analysis of several covert tunnels.
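The abstract describes detection algorithms applied to covert tunnels but does not show one. As an added example, not code from the DRDC tool or the paper, the script below implements a heuristic detector for ICMP echo tunnels (the "covert shell" style of tunnel the paper's references discuss) over constructed packet records shaped like what a pcap parser would yield. The indicators it checks are assumptions about how such tunnels differ from ordinary ping traffic: variable echo-request payload size, absence of the fixed fill pattern common ping implementations use, mostly printable payloads, and echo replies whose data does not mirror the request (RFC 792 specifies that echo data is returned). The fill pattern, addresses and sample payloads are constructed for the example.

```python
"""Added example: heuristic ICMP covert-tunnel detector over constructed
packet records. Not part of the DRDC Network Traffic Exploration tool."""
import statistics
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class IcmpPacket:
    ts: float
    src: str
    dst: str
    icmp_type: int    # 8 = echo request, 0 = echo reply (RFC 792)
    seq: int
    payload: bytes

# Assumption: fill pattern many ping tools append after an 8-byte timestamp.
PING_FILL = bytes(range(0x10, 0x38))

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(0x20 <= b < 0x7F or b in b"\n\r\t" for b in data) / len(data)

def analyze_flow(packets: Iterable[IcmpPacket]) -> dict:
    """Score one host pair's echo traffic against the tunnel indicators."""
    pkts = list(packets)
    reqs = {p.seq: p for p in pkts if p.icmp_type == 8}
    reps = {p.seq: p for p in pkts if p.icmp_type == 0}
    findings = []
    sizes = [len(p.payload) for p in reqs.values()]
    if len(sizes) > 1 and statistics.pstdev(sizes) > 0:
        findings.append("variable echo-request payload size")
    if reqs and not all(p.payload.endswith(PING_FILL) for p in reqs.values()):
        findings.append("payload lacks standard ping fill pattern")
    if reqs and statistics.mean(printable_ratio(p.payload) for p in reqs.values()) > 0.9:
        findings.append("payload is mostly printable text")
    # RFC 792: an echo reply carries the request's data back unchanged.
    mismatched = [s for s in reqs if s in reps and reps[s].payload != reqs[s].payload]
    if mismatched:
        findings.append("echo reply data differs from request")
    return {"packets": len(pkts), "findings": findings,
            "suspicious": len(findings) >= 2}

def scan(packets: Iterable[IcmpPacket]) -> dict:
    """Group packets by unordered host pair and analyze each flow."""
    flows = {}
    for p in packets:
        flows.setdefault(tuple(sorted((p.src, p.dst))), []).append(p)
    return {key: analyze_flow(flow) for key, flow in flows.items()}

# Constructed sample traffic (not captured data).
def normal_ping(n: int = 3) -> list:
    """Benign ping: fixed-size payload = 8-byte timestamp + fill, echoed back."""
    out = []
    for seq in range(n):
        payload = (1_600_000_000 + seq).to_bytes(8, "big") + PING_FILL
        out.append(IcmpPacket(seq * 1.0, "10.0.0.5", "10.0.0.1", 8, seq, payload))
        out.append(IcmpPacket(seq * 1.0 + 0.01, "10.0.0.1", "10.0.0.5", 0, seq, payload))
    return out

def tunnel_session() -> list:
    """Covert shell: commands ride in echo requests, output in echo replies."""
    exchanges = [(b"id\n", b"uid=0(root) gid=0(root)\n"),
                 (b"cat /etc/hostname\n", b"victim\n")]
    out = []
    for seq, (cmd, resp) in enumerate(exchanges):
        out.append(IcmpPacket(10.0 + seq, "10.0.0.5", "198.51.100.7", 8, seq, cmd))
        out.append(IcmpPacket(10.2 + seq, "198.51.100.7", "10.0.0.5", 0, seq, resp))
    return out

if __name__ == "__main__":
    for key, result in scan(normal_ping() + tunnel_session()).items():
        print(key, result)
```

Each indicator alone produces false positives (some ping tools allow custom patterns or sizes), so the verdict requires at least two; in practice the thresholds would be tuned per environment and the findings fed to a visual per-flow view rather than used as a hard alert.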

Keywords

Packet Analysis, Network Forensics, Visualization, Covert Tunnels


Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Grant Vandenberghe
    Network Information Operations Section, Defence Research and Development Canada (DRDC)