Presented by:
Miao Luo, Wei Jiang

---

Abstract
network traffic measurement is the process of measuring the amount and type of traffic on a particular network. This is especially important with regard to effective bandwidth management.

network monitoring describes the use of a system that constantly monitors a computer network for slow or failing systems and that notifies the network administrator in case of outages via email, pager or other alarms. It is a subset of the functions involved in network management.

For more details, please visit http://cse.ohio-state.edu/~luom/788/Netw...rement.ppt

[attachment=11129]
Network Monitoring and Measurement and its application in security field
Definition
 network traffic measurement is the process of measuring the amount and type of traffic on a particular network. This is especially important with regard to effective bandwidth management.
 network monitoring describes the use of a system that constantly monitors a computer network for slow or failing systems and that notifies the network administrator in case of outages via email, pager or other alarms. It is a subset of the functions involved in network management.
Motivation
 Needs of service providers:
-Understand the behavior of their networks
-Provide fast, high-quality, reliable service to satisfy customers and thus reduce churn rate
-Plan for network deployment and expansion
-SLA monitoring, Network security
-Usage-based billing for network users (like telephone calls)
-Marketing using CRM data
Needs of Customers:
-Want to get their money’s worth
-Fast, reliable, high-quality, secure, virus-free Internet access
Application
 Network Problem Determination and Analysis
 Traffic Report Generation
 Intrusion & Hacking Attack (e.g., DoS, DDoS) Detection
 Service Level Monitoring (SLM)
 Network Planning
 Usage-based Billing
 Customer Relationship Management (CRM)
 Marketing
The General Traffic Flow Measurement Process
 Problems
 Capturing Packets:
High-speed networks (Mbps ? Gbps ? Tbps)
High-volume traffic
Streaming media (Windows Media, Real Media, Quicktime)
P2P traffic
Network Security Attacks
Flow Generation & Storage:
What packet information to save to perform various analysis?
How to minimize storage requirements?
Analysis:
How to analyze and generate data needed quickly?
What kinds of info needs to be generated? -- Depends on applications
Goals
 Capture all packets
 Generate flows
 Store flows efficiently
 Analyze data efficiently
 Generate various reports or information that are suitable for various application areas
Develop a flexible, scalable traffic monitoring and analysis system for high-speed, high-volume, rich media IP networks
Network Monitoring Metrics
 CAIDA Metrics Working Group (caida.org)
-Latency
-Packet Loss
-Throughput
-Link Utilization
-Availability
 IETF’s IP Performance Metrics (IPPM) Working Group
-Connectivity (RFC 2687)
-One-Way Delay (RFC 2679)
-One-Way Packet Loss (RFC 2680)
-Round Trip Delay (RFC 2681)
-Delay Variation
-Bulk transfer capacity
 Availability: The percentage of a specified time interval during which the system was available for normal use.
-Connectivity: the physical connectivity of network elements.
-Functionality: whether the associated system works well or not.
 Latency: The time taken for a packet to travel from a host to another.
-Round Trip Delay = Forward transport delay + server delay + backward transport delay
-Ping is still the most commonly used to measure latency.
 Link Utilization over a specified interval is simply the throughput for the page link expressed as a percentage of the access rate.
Monitoring Method
 Active Monitoring
 Passive Monitoring
 Active Monitoring
Performed by sending test traffic into network
-Generate test packets periodically or on-demand
-Measure performance of test packets or responses
-Take the statistics
 Impose extra traffic on network and distort its behavior in the process
 Test packet can be blocked by firewall or processed at low priority by routers
 Mainly used to monitor network performance
Passive Monitoring
 Carried out by observing network traffic
-Collect packets from a page link or network flow from a router
-Perform analysis on captured packets for various purposes
-Network device performance degrades by mirroring or flow export
 Used to perform various traffic usage/characterization analysis/intrusion detection
 Comparison of Monitoring Approaches
 Software in Network Monitoring and Management
EPM
 The ping program
 SNMP servers
 IBM AURORA Network Performance Profiling System
 Intellipool Network Monitor
 Jumpnode
 Microsoft Network Monitor 3
MRTG
 Nagios (formerly Netsaint)
 Netdisco
 NetQoS
 NetXMS Scalable network and application monitoring system
 Software in Network Monitoring and Management
 Opennms
 PRTG
 Pandora (Free Monitoring System) - Network and Application Monitoring System
PIKT
 RANCID - monitors router/switch configuration changes
 RRDtool
 siNMs by Siemens
 SysOrb Server & Network Monitoring System
 Sentinet3 - Network and Systems Monitoring Appliance
 ServersCheck Monitoring Software
 Cacti network graphing solution
 Zabbix - Network and Application Monitoring System
 Zenoss - Network and Systems Monitoring Platform
 Level Platforms - Software support for network monitoring
Security Monitoring and Management
 Attack detection and analysis
-detecting (high volume) traffic patterns
-investigation of origin of attacks
 Intrusion detection
-detecting unexpected or illegal packets
Intrusion detection system
 An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by crackers.
 network intrusion detection system
 protocol-based intrusion detection system
 application protocol-based intrusion detection system
 host-based intrusion detection system
 hybrid intrusion detection system
 Protection, Detection and Response
 Real-world security includes prevention, detection, and response.
 No prevention mechanism is perfect.
 Detection and response are not only more cost effective but also more effective than piling on more prevention.
Our problem
 The three parts of network security is comparably isolated from each other.
 Can there be a closer combination of them?
 A dynamic scheme between detection and prevention
 detection: NIDS based on pattern recognition, neutral networks, Honeypots.
 prevention: Filters
 Reponse: traceback.
Our idea
 An alert-level system.
 Example: As results from NIDS became more similar to some attack pattern, the alert level of the networks will gradually increase, prevention will be strengthen.