ABSTRACT
One recent trend in network security attacks is an increasing number of indirect attacks that degrade network traffic rather than directly entering a system and damaging it. In the future, the damage from this type of attack is expected to become more serious, and the bandwidth these attacks consume affects the performance of the entire network. This paper presents a method for detecting abnormal network traffic and a system prototype. By aggregating packets that belong to the same flow, the system reduces its processing overhead. We propose a detection algorithm based on the changes in traffic patterns that appear during attacks. Because it does not rely on signatures, it can detect mutated attacks that use a new port number or a modified payload, which signature-based systems cannot, and it can identify attacks that are not visible in the information of any single packet.
CHAPTER ONE
1.0 INTRODUCTION
Data in computer networks is mostly encapsulated in network packets, which constitute the load on the network. Network traffic is the main object of network traffic measurement and network traffic control.
- Network traffic control – managing, prioritising, controlling or reducing the network traffic
- Network traffic measurement – measuring the amount and type of traffic on a particular network
- Traffic generation model – a stochastic model of the traffic flows or data sources in a communication network
Proper analysis of network traffic provides the organization with the network security as a benefit – unusual amount of traffic in a network is a possible sign of an attack. Network traffic reports provide valuable insights into preventing such attacks.
Traffic volume is a measure of the total work done by a resource or facility, normally over 24 hours, and is measured in units of erlang-hours. It is defined as the product of the average traffic intensity and the time period of the study.
Traffic volume = Traffic intensity × time
A traffic volume of one erlang-hour can be caused by two circuits being occupied continuously for half an hour or by a circuit being half occupied (0.5 erlang) for a period of two hours. Telecommunication operators are vitally interested in traffic volume, as it directly dictates their revenue.
1.2 OBJECTIVE OF THE STUDY
The objective of this work is to discuss the network traffic Detective, a network traffic analysis tool that allows tracking of the Internet activity of network users. It does not require installing any additional software on the users' PCs; the only requirement is that the monitoring host shares the same local network (LAN) as the users being monitored.
1.3 SIGNIFICANCE OF THE STUDY
This work is on a device that passively monitors network activity and flags unknown, new or unusual patterns that might indicate the presence of a threat. The program can also monitor and record trends in bandwidth and protocol use. Network behaviour analysis is particularly useful for spotting new malware and zero-day exploits, which have no signature yet. Its limitation is that it must first learn a baseline of normal traffic; anything that departs from that baseline, malicious or not, is flagged, so its alerts need review rather than automatic action.
1.4 SCOPE OF THE PROJECT
Detective stands out from its competition by being able to intercept and log data as it is transferred by high-level network protocols. Compared with other network traffic analyzers and sniffers, Detective uses Deep Packet Inspection (DPI) to detect malicious traffic and illicit network activity. It is able to reconstruct TCP/IP sessions and perform deep analysis of application-level protocols so that malicious activity hidden within high traffic volumes can be found. At the same time, Detective can restore and record the transferred data in its original format without reducing connection speed or adding latency for users. DPI can only inspect what it can read: for traffic inside TLS or other encrypted sessions it sees only metadata (addresses, ports, volumes and timing) unless the organisation terminates the encryption itself.
A good program can help a network administrator minimize the time and labor involved in locating and resolving problems. It should be used as an enhancement to the protection provided by the network’s firewall, intrusion detection system, antivirus software and spyware-detection program.
1.5 APPLICATION OF THE STUDY
Network Detective is suitable for deployment in both home and business, and it scales well on a corporate network. Using Detective delivers the ability for network administrators to monitor both incoming and outgoing emails generated by almost all email protocols, including SMTP, POP3, IMAP and a host of public email clients. In addition, Instant Message traffic is also monitored, including chat traffic generated by ICQ, Yahoo Chat, Jabber, IRC and IMs from online social networking sites such as Facebook. You can monitor this traffic both in the workplace for policy enforcement, and also at home to protect your family and vulnerable children.
CHAPTER TWO
2.0 LITERATURE REVIEW
2.1 REVIEW OF THE STUDY
If one needs a tool for monitoring LAN activity, for instance as a manager responsible for network security or as an executive tasked with enforcing acceptable use policies for online resources, then the network traffic Detective Internet Monitor provides the ability to do just that: enforce policies and protect your family at home, while LAN Detective helps you monitor Internet usage in your workplace.
One can also use LAN Detective as a detailed and accessible utility for reviewing one's own Internet history, including caching of visited websites for offline use at a later date. Beyond simply browsing, the user can actively manage web content including text, images and video such as YouTube clips. Additionally, Detective Internet Monitor lets you search for and view the information you need; for example, if you are looking for files of a certain type or size, you can search using these criteria.
2.2 REVIEW OF NETWORK TRAFFIC CONTROL
In computer networking, network traffic control is the process of managing, controlling or reducing the network traffic, particularly Internet bandwidth, e.g. by the network scheduler. It is used by network administrators to reduce congestion, latency and packet loss, and is part of bandwidth management. In order to use these tools effectively, it is necessary to measure the network traffic to determine the causes of network congestion and address those problems specifically.
TRAFFIC SHAPING
Traffic shaping is the retiming (delaying) of packets (or frames) until they meet specified bandwidth and/or burstiness limits. Since such delays involve queues that are nearly always finite, and once a queue is full the excess traffic is nearly always dropped (discarded), traffic shaping nearly always implies traffic policing as well.
Traffic policing
Traffic policing is the dropping (discarding) or reduction in priority (demoting) of packets (or frames) that exceed some specified bandwidth and/or burstiness limit.
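The difference between shaping and policing, and the point that a full shaper queue turns into a policer, is easiest to see in a small simulation. The following is an added example, not code from this project or from any shaper or policer product: a token bucket (bytes refilled at a fixed rate up to a burst capacity) drives both a policer, which drops on the spot, and a shaper, which queues and delays. The arrival trace, the rate (3000 bytes/s), the burst size (4500 bytes) and the queue limit are constructed values chosen for illustration.

```python
# Constructed arrival trace (arrival_time_seconds, size_bytes): 8 full-size packets at t=0,
# 2 at t=0.5 and 6 at t=1.0. Not captured data.
SAMPLE_BURST = [(0.0, 1500)] * 8 + [(0.5, 1500)] * 2 + [(1.0, 1500)] * 6


class TokenBucket:
    """Tokens (bytes) refill at `rate` bytes/s up to `burst`; a packet conforms if enough tokens exist."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, now, size):
        self.refill(now)
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def police(packets, rate, burst):
    """Policer: a non-conforming packet is dropped on the spot (a real device may demote it instead)."""
    tb = TokenBucket(rate, burst)
    passed, dropped = [], []
    for t, size in packets:
        (passed if tb.take(t, size) else dropped).append((t, size))
    return passed, dropped


def shape(packets, rate, burst, queue_limit):
    """Shaper: non-conforming packets wait in a FIFO of at most `queue_limit` packets and are
    released once tokens accrue. Returns ([(arrival, send_time)], dropped)."""
    tb = TokenBucket(rate, burst)
    sent, dropped = [], []
    for t, size in packets:
        backlog = sum(1 for _, send_at in sent if send_at > t)  # packets still queued at time t
        if backlog >= queue_limit:
            dropped.append((t, size))    # queue full: shaping degenerates into policing
            continue
        tb.refill(max(t, tb.last))       # bucket clock is already ahead if packets are queued
        if tb.tokens < size:
            wait = (size - tb.tokens) / tb.rate
            tb.refill(tb.last + wait)    # advance the clock until the packet conforms
        tb.tokens -= size
        sent.append((t, tb.last))
    return sent, dropped


if __name__ == "__main__":
    passed, dropped = police(SAMPLE_BURST, rate=3000, burst=4500)
    print("policer: passed", len(passed), "dropped", len(dropped))
    sent, dropped = shape(SAMPLE_BURST, rate=3000, burst=4500, queue_limit=4)
    print("shaper:  sent at", [s for _, s in sent], "dropped", len(dropped))
```

With a queue of four packets the shaper delays the first burst out to 3.0 s but still drops seven packets, whereas with an unbounded queue it drops nothing and merely spreads the same 16 packets over 6.5 s; the policer keeps only the five packets that conform at their arrival time.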
Network traffic
Network traffic refers to the amount of data moving across a network at a given point of time. Network data is mostly encapsulated in network packets, which provide the load in the network. Network traffic is the main component for network traffic measurement, network traffic control and simulation. The proper organization of network traffic helps in ensuring the quality of service in a given network.
Network traffic can be broadly classified into the following categories:
- Busy/heavy traffic – High bandwidth is consumed in this traffic
- Non-real-time traffic – Consumption of bandwidth during working hours
- Interactive traffic – Is subject to competition for bandwidth and could result in poor response times if prioritization of applications and traffic is not set
- Latency-sensitive traffic – Is subject to competition for bandwidth and could result in poor response times
Proper analysis of network traffic provides the organization with the following benefits:
- Identifying network bottlenecks – There could be users or applications that consume high amounts of bandwidth, thus constituting a major part of the network traffic. Different solutions can be implemented to tackle these.
- Network security – Unusual amount of traffic in a network is a possible sign of an attack. Network traffic reports provide valuable insights into preventing such attacks.
- Network engineering – Knowing the usage levels of the network allows future requirements to be analyzed.
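The abstract's approach (aggregate packets into flows, then look for changes in traffic patterns rather than for signatures) and the security benefit listed above (an unusual amount of traffic as a sign of attack) can be shown together in one small detector. This is an added example, not the paper's prototype or any product's code: it groups constructed packet records by 5-tuple, flags a source that fans out to many destination ports (a sweep, caught regardless of which port numbers are used), and flags a second whose byte volume exceeds mean + 3·stdev of a baseline window. The sample traffic, the thresholds (20 ports, k = 3) and the ten-second baseline are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


# Constructed packet records (t_seconds, src, dst, proto, sport, dport, size_bytes).
# Not a real capture: ten seconds of normal client traffic, then a port sweep, then a flood.
def make_sample_packets():
    pkts = []
    for sec in range(10):                               # baseline seconds 0..9
        for i in range(5 + sec % 3):                    # 5-7 request/response pairs per second
            pkts.append((sec + i / 10, "10.0.0.5", "203.0.113.10", "tcp", 40000 + i, 443, 600))
            pkts.append((sec + i / 10 + 0.05, "203.0.113.10", "10.0.0.5", "tcp", 443, 40000 + i, 1200))
    for p in range(40):                                 # second 10: sweep of 40 destination ports
        pkts.append((10 + p / 40, "10.0.0.9", "10.0.0.20", "tcp", 51000 + p, 1 + p, 60))
    for i in range(60):                                 # second 11: 60 large packets on one flow
        pkts.append((11 + i / 60, "10.0.0.9", "10.0.0.20", "udp", 5555, 9999, 1400))
    return pkts


def aggregate_flows(packets):
    """Collapse packets into flows keyed by the 5-tuple; per-flow counters replace per-packet state."""
    flows = {}
    for t, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.get(key)
        if f is None:
            flows[key] = {"packets": 1, "bytes": size, "first": t, "last": t}
        else:
            f["packets"] += 1
            f["bytes"] += size
            f["last"] = t
    return flows


def detect_port_sweeps(flows, max_ports=20):
    """Flag source->destination pairs that touch more than max_ports distinct (proto, dport).
    The test is independent of which ports are used, so a scan on new or unusual ports is still caught."""
    ports = defaultdict(set)
    for src, dst, proto, sport, dport in flows:
        ports[(src, dst)].add((proto, dport))
    return {pair: len(s) for pair, s in ports.items() if len(s) > max_ports}


def detect_volume_spikes(packets, baseline_seconds=10, k=3.0):
    """Flag seconds after the baseline window whose byte volume exceeds mean + k*stdev of the baseline."""
    per_sec = defaultdict(int)
    for t, src, dst, proto, sport, dport, size in packets:
        per_sec[int(t)] += size
    baseline = [per_sec[s] for s in range(baseline_seconds)]
    threshold = mean(baseline) + k * pstdev(baseline)
    return {s: b for s, b in sorted(per_sec.items()) if s >= baseline_seconds and b > threshold}


def analyse(packets):
    flows = aggregate_flows(packets)
    return {
        "packets": len(packets),
        "flows": len(flows),
        "port_sweeps": detect_port_sweeps(flows),
        "volume_spikes": detect_volume_spikes(packets),
    }


if __name__ == "__main__":
    for name, value in analyse(make_sample_packets()).items():
        print(name, value)
```

Note that the sweep in second 10 moves only 2400 bytes and is invisible to the volume check, while the flood in second 11 is a single flow that never triggers the fan-out check: the two pattern tests complement each other, and neither needs to know the port numbers or payloads in advance.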
Network packet
A network packet is a formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream. When data is formatted into packets, packet switching is possible and the bandwidth of the communication medium can be better shared among users than with circuit switching.
A packet consists of control information and user data, which is also known as the payload. Control information provides data for delivering the payload, for example: source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers.
Packet framing
Different communications protocols use different conventions for distinguishing between the elements and for formatting the data. For example, in Point-to-Point Protocol, the packet is formatted in 8-bit bytes, and special characters are used to delimit the different elements. Other protocols like Ethernet, establish the start of the header and data elements by their location relative to the start of the packet. Some protocols format the information at a bit level instead of a byte level.
A good analogy is to consider a packet to be like a letter: the header is like the envelope, and the data area is whatever the person puts inside the envelope.
A network design can achieve two major results by using packets: error detection and multiple host addressing. A packet has the following components.
Addresses
The routing of network packets requires two network addresses, the source address of the sending host, and the destination address of the receiving host.
Error detection and correction
Error detection and correction is performed at various layers in the protocol stack. Network packets may contain a checksum, parity bits or cyclic redundancy checks to detect errors that occur during transmission.
At the transmitter, the calculation is performed before the packet is sent. When received at the destination, the checksum is recalculated, and compared with the one in the packet. If discrepancies are found, the packet may be corrected or discarded. Any packet loss is dealt with by the network protocol.
In some cases modifications of the network packet may be necessary while routing, in which cases checksums are recalculated.
Hop counts
Under fault conditions packets can end up traversing a closed circuit. If nothing was done, eventually the number of packets circulating would build up until the network was congested to the point of failure. A time to live is a field that is decreased by one each time a packet goes through a network node. If the field reaches zero, routing has failed, and the packet is discarded.
Ethernet frames have no time-to-live field, so they are subject to broadcast radiation (a broadcast storm) when a switch loop exists and no loop-prevention protocol such as Spanning Tree is running.
Length
There may be a field to identify the overall packet length. However, in some types of networks, the length is implied by the duration of transmission.
Priority
Some networks implement quality of service which can prioritize some types of packets above others. This field indicates which packet queue should be used; a high priority queue is emptied more quickly than lower priority queues at points in the network where congestion is occurring.
Payload
In general, payload is the data that is carried on behalf of an application. It is usually of variable length, up to a maximum that is set by the network protocol and sometimes the equipment on the route. Some networks can break a larger packet into smaller packets when necessary.
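The header components listed above (addresses, error detection, hop count, length, payload) all appear in a plain IPv4 header, and the router behaviour described under "Error detection and correction" and "Hop counts" (verify the checksum, decrement the TTL, discard at zero, recalculate the checksum after modifying the header) can be exercised on a constructed packet. The following is an added example rather than code from this project: it builds a minimal IPv4 packet, parses it while validating the attacker-controlled length fields before using them, and simulates successive router hops. The RFC 1071 checksum routine is standard; the addresses, TTL and payload are constructed values.

```python
import socket
import struct

# version/IHL, TOS, total length, identification, flags/fragment offset, TTL, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. Over a header whose checksum field is valid it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, proto: int = 17) -> bytes:
    """Build a minimal (no options) IPv4 packet with a correct header checksum."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the header, validating every length field before it is used to slice the buffer."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 length fields")   # lengths come from the wire: never trust them
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": proto, "total_len": total_len,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def forward_hop(packet: bytes):
    """One router hop: verify the checksum, decrement the TTL, discard when it would reach zero,
    and recompute the checksum because the header was modified."""
    info = parse_ipv4(packet)
    if not info["checksum_ok"]:
        return None, "discarded: bad header checksum"
    if info["ttl"] <= 1:
        return None, "discarded: TTL expired"
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[8] -= 1                              # TTL byte
    hdr[10:12] = b"\x00\x00"                 # checksum field is zero while it is recomputed
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:], "forwarded"


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.5", "203.0.113.10", b"hello", ttl=3)
    while pkt is not None:
        print("TTL", parse_ipv4(pkt)["ttl"], end=" -> ")
        pkt, status = forward_hop(pkt)
        print(status)
```

A packet built with TTL 3 survives two hops and is discarded at the third; flipping one bit in the source address makes the checksum fail so the first router drops it; and a header that claims a total length larger than the buffer is rejected by the parser before any slicing, which is the check that separates a safe packet parser from one that reads past its buffer.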
2.3 REVIEW OF NETWORK SURVEILLANCE IN ACTION
LAN Detective Internet Monitor ensures that a local copy is created of all inspected data, and presents it in a simple format that is readily usable by managers. LAN Detective delivers an advanced filtering system which allows you to use various criteria to analyze the data you select. It is simple and easy to use, with an advanced and intuitive GUI. LAN Detective also provides the ability to perform network traffic interception within switched local networks (switch-based networks), which is a particularly unusual feature for a LAN utility. On a switched network a host normally sees only its own traffic and broadcasts, so interception of other hosts' traffic depends on either a mirror (SPAN) port or a network TAP on the switch, or on active redirection techniques such as ARP spoofing; the latter alter the behaviour of the network for every host on the segment and should only be used with explicit authorization.