Superflows: A New Tool for Forensic Network Flow Analysis (2403.01314v1)

Published 2 Mar 2024 in cs.NI

Abstract: Network security analysts gather data from diverse sources, from high-level summaries of network flow and traffic volumes to low-level details such as service logs from servers and the contents of individual packets. They validate and check this data against traffic patterns and historical indicators of compromise. Based on the results of this analysis, a decision is made to either automatically manage the traffic or report it to an analyst for further investigation. Unfortunately, due to rapidly increasing traffic volumes, there are far more events to check than operational teams can handle for effective forensic analysis. However, just as packets are grouped into flows that share a commonality, we argue that a high-level construct for grouping network flows into a set of flows that share a hypothesis is needed to significantly improve the quality of operational network response by increasing Events Per Analyst Hour (EPAH). In this paper, we propose a formalism for describing a superflow construct, which we characterize as an aggregation of one or more flows based on an analyst-specific hypothesis about traffic behavior. We demonstrate simple superflow constructions and representations, and perform a case study to explain how the formalism can be used to reduce the volume of data for forensic analysis.
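
The abstract describes a superflow as an aggregation of flows under an analyst-stated hypothesis, used to cut the number of events an analyst must review. The following Python is an added illustration of that idea and is not the paper's formalism or code: it encodes a hypothesis as a key function (flows with the same key join one superflow; flows the hypothesis does not cover map to None) plus an acceptance test, and reports how many review events remain. The Flow record, the two hypotheses (a port sweep and a repeated host-pair contact), the 60 s window, the thresholds and the sample flow records are all assumptions constructed for the example.

```python
"""Illustrative superflow aggregation (added example, not the paper's formalism).

A superflow here is a set of flow records grouped under one analyst hypothesis.
The hypothesis is a key function: flows mapping to the same key are aggregated,
flows mapping to None are outside the hypothesis. An accept() predicate then
keeps only the superflows that actually satisfy the hypothesis.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Hashable, List, Optional


@dataclass(frozen=True)
class Flow:
    """A 5-tuple flow record, shaped like a NetFlow/IPFIX summary (assumed layout)."""
    start: float      # seconds since epoch
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int


@dataclass
class Superflow:
    hypothesis: str
    key: Hashable
    flows: List[Flow] = field(default_factory=list)

    @property
    def octets(self) -> int:
        return sum(f.octets for f in self.flows)

    @property
    def distinct_dsts(self) -> int:
        return len({f.dst for f in self.flows})


def aggregate(flows: List[Flow], hypothesis: str,
              key_fn: Callable[[Flow], Optional[Hashable]],
              accept: Callable[[Superflow], bool] = lambda sf: True) -> List[Superflow]:
    """Group flows by key_fn, then keep only superflows that pass accept()."""
    groups = defaultdict(list)
    for f in flows:
        k = key_fn(f)
        if k is not None:          # None means the hypothesis does not cover this flow
            groups[k].append(f)
    return [sf for sf in (Superflow(hypothesis, k, fl) for k, fl in groups.items())
            if accept(sf)]


# Hypothesis 1 (assumed): one source probing many hosts on one TCP port within a 60 s window.
def sweep_key(f: Flow) -> Optional[Hashable]:
    if f.proto != "tcp":
        return None
    return (f.src, f.dport, int(f.start // 60))


# Hypothesis 2 (assumed): repeated contact between one host pair on one service (beacon-like).
def pair_key(f: Flow) -> Hashable:
    return (f.src, f.dst, f.dport, f.proto)


# Constructed sample: a 10-host SSH sweep, three HTTPS contacts to one server, two DNS lookups.
SAMPLE_FLOWS: List[Flow] = (
    [Flow(1000 + i, "10.0.0.5", f"192.168.1.{i + 1}", 40000 + i, 22, "tcp", 1, 60)
     for i in range(10)]
    + [Flow(t, "10.0.0.7", "10.0.0.1", 51000, 443, "tcp", 12, 1500) for t in (1000, 1300, 1600)]
    + [Flow(t, "10.0.0.8", "10.0.0.53", 53000, 53, "udp", 2, 180) for t in (1005, 1700)]
)


def review_events(flows: List[Flow]) -> dict:
    """Events an analyst would see before and after each hypothesis is applied."""
    sweeps = aggregate(flows, "port sweep", sweep_key, lambda sf: sf.distinct_dsts >= 5)
    pairs = aggregate(flows, "repeated pair", pair_key, lambda sf: len(sf.flows) >= 3)
    return {
        "raw flows": len(flows),
        "port sweep": len(sweeps),
        "repeated pair": len(pairs),
    }


if __name__ == "__main__":
    for name, n in review_events(SAMPLE_FLOWS).items():
        print(f"{name:14s} {n}")
    for sf in aggregate(SAMPLE_FLOWS, "port sweep", sweep_key, lambda sf: sf.distinct_dsts >= 5):
        print(sf.hypothesis, sf.key, len(sf.flows), "flows,", sf.distinct_dsts, "targets")
```

With the constructed input, 15 raw flow records collapse to one sweep superflow (ten flows, ten targets) and one repeated-pair superflow (the three HTTPS contacts); the DNS flows satisfy neither hypothesis and are left out rather than forced into a group. Changing the window, the thresholds or the key function changes the grouping, which is the "analyst-specific" part of the construct.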
