Passive Network Monitoring using REAMS
As computer networks grow in size and complexity, monitoring them becomes more challenging. In order to meet the needs of IT administrators maintaining such networks, various Network Monitoring Systems (NMS) have been developed. Most NMSs rely solely on active scanning techniques in order to detect the topology of the networks they monitor. We propose a passive scanning solution using the logs produced by the systems within the networks. Additionally, we demonstrate how passive monitoring can be used to develop a holistic knowledge graph of the network landscape.
Index terms: Network Monitoring, Network Graph, Event Processing, Event Normalization
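The passive approach the abstract describes, as an added example that is not code from the paper or from REAMS: a few constructed RFC 5424 syslog records (hosts, addresses and the three message formats are made up for illustration) from SSH, DHCP and firewall services are normalised, and the hosts and connections they mention are accumulated into a graph, so topology is learned from logs the systems already emit rather than from active probes.

```python
import re
from dataclasses import dataclass, field
# Constructed RFC 5424 syslog records (not from the paper): an SSH login, two
# DHCP leases and two firewall decisions, each naming hosts never actively probed.
SAMPLE_LOGS = """\
<86>1 2014-08-11T10:15:02Z gw01 sshd 4210 - - Accepted publickey for ops from 10.0.1.15 port 51022 ssh2
<30>1 2014-08-11T10:15:09Z dhcp01 dhcpd 771 - - DHCPACK on 10.0.1.15 to 52:54:00:aa:bb:cc (ws-alice) via eth1
<30>1 2014-08-11T10:15:14Z dhcp01 dhcpd 771 - - DHCPACK on 10.0.1.23 to 52:54:00:dd:ee:ff (ws-bob) via eth1
<134>1 2014-08-11T10:16:01Z fw01 filterlog - - - ALLOW src=10.0.1.23 dst=10.0.2.7 dport=443 proto=tcp
<134>1 2014-08-11T10:16:03Z fw01 filterlog - - - ALLOW src=10.0.1.15 dst=10.0.2.7 dport=443 proto=tcp
"""

# Header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
# Per-application normalisation rules that pull hosts and connections out of MSG.
SSH_RE = re.compile(r"Accepted \S+ for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+")
DHCP_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<name>[^)]+)\)")
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) proto=(?P<proto>\w+)")
@dataclass
class NetworkGraph:
    nodes: dict = field(default_factory=dict)  # host id -> attributes learned so far
    edges: set = field(default_factory=set)    # (src, dst, service) connections seen

    def touch(self, node_id, **attrs):
        self.nodes.setdefault(node_id, {}).update(attrs)

def ingest(graph, line):
    """Normalise one syslog line into graph updates; False if it is not RFC 5424."""
    m = SYSLOG_RE.match(line)
    if not m:
        return False
    reporter, app, msg = m.group(3), m.group(4), m.group(8)
    graph.touch(reporter, reports_logs=True)  # the log source itself is an asset
    if app == "sshd" and (e := SSH_RE.search(msg)):
        graph.touch(e["src"])
        graph.edges.add((e["src"], reporter, "ssh"))
    elif app == "dhcpd" and (e := DHCP_RE.search(msg)):
        graph.touch(e["ip"], mac=e["mac"], hostname=e["name"])
    elif app == "filterlog" and (e := FW_RE.search(msg)):
        graph.touch(e["src"])
        graph.touch(e["dst"])
        graph.edges.add((e["src"], e["dst"], f"{e['proto']}/{e['port']}"))
    return True

def build_graph(log_text):
    g = NetworkGraph()
    for line in log_text.splitlines():
        ingest(g, line)
    return g
```

Each normaliser covers one message format; a real deployment needs one rule per log-producing application, which is the normalisation effort the abstract alludes to.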