Improving Network Security Using Ntop

Ntop was originally designed as an open source, web-based traffic measurement and monitoring application that network administrators can deploy easily. As ntop came to be used for analysing traffic patterns, some users requested facilities for classifying traffic and hence recognising specific attacks. To address these requests, the authors extended ntop with an embedded NIDS (Network Intrusion Detection System). What distinguishes ntop's NIDS from other available NIDSs is its knowledge of the monitored network. While capturing packets, ntop learns the network topology and the relationships between hosts (i.e. routers, DNS servers, networks) and stores this information in a network knowledge database. This knowledge is dynamic: it is not specified at ntop start-up by means of configuration files. For instance, if host X successfully routes packets for host Y, then ntop assumes that X is a router for host Y. Similarly, if host K sends packets with different source IP addresses from a single MAC (Media Access Control) address, then K has multihoming enabled. The ntop knowledge database is updated as new packets are captured and is never static.
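The following is an added example, not code from ntop or its authors, that models the dynamic knowledge database described above: it passively learns routers, multihomed hosts and DNS servers from packet records and then judges a new packet against what it has learned, which is the kind of topology-aware check the abstract credits ntop's NIDS with. The heuristics (a router is a MAC that carries a non-local address in both directions; a multihomed host sources packets from several local addresses; a DNS server answers from UDP port 53), the `Packet` record, the `NetworkKnowledge` class and every address in the sample capture are assumptions made for this illustration.

```python
"""Passive network-knowledge inference in the spirit of the ntop abstract.

Added example, not code from ntop. The heuristics are assumptions:
  * router: a MAC that emits packets from non-local source IPs and also has
    packets addressed to those IPs delivered to it (it forwards both ways);
  * multihomed host: a MAC sourcing packets from >1 IP inside the local prefix;
  * DNS server: an endpoint that answers from UDP port 53.
The sample capture below is constructed inline; nothing is read from a link.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class NetworkKnowledge:
    def __init__(self, local_prefix):
        self.local = ip_network(local_prefix)
        self.ips_by_mac = defaultdict(set)     # src MAC -> source IPs seen from it
        self.delivered_via = defaultdict(set)  # dst MAC -> destination IPs sent to it
        self.dns_servers = set()

    def is_local(self, ip):
        return ip_address(ip) in self.local

    def observe(self, pkt):
        """Update the knowledge base from one captured packet."""
        self.ips_by_mac[pkt.src_mac].add(pkt.src_ip)
        self.delivered_via[pkt.dst_mac].add(pkt.dst_ip)
        if pkt.proto == "udp" and pkt.sport == 53:
            self.dns_servers.add(pkt.src_ip)

    def routers(self):
        """{router MAC: non-local IPs it is known to route for}."""
        out = {}
        for mac, ips in self.ips_by_mac.items():
            routed = {ip for ip in ips if not self.is_local(ip)}
            routed &= self.delivered_via.get(mac, set())   # seen in both directions
            if routed:
                out[mac] = routed
        return out

    def multihomed(self):
        """{MAC: local IPs} for hosts that source from several local addresses."""
        out = {}
        for mac, ips in self.ips_by_mac.items():
            local = {ip for ip in ips if self.is_local(ip)}
            if len(local) > 1:
                out[mac] = local
        return out

    def anomalies(self, pkt):
        """Reasons a packet contradicts what has been learned so far.

        Call before observe() so the packet is judged against prior knowledge.
        """
        reasons = []
        forwards = any(not self.is_local(ip)
                       for ip in self.delivered_via.get(pkt.src_mac, ()))
        if not self.is_local(pkt.src_ip) and not forwards:
            reasons.append("non-local source %s from a MAC nobody routes through"
                           % pkt.src_ip)
        owners = {m for m, ips in self.ips_by_mac.items() if pkt.src_ip in ips}
        if self.is_local(pkt.src_ip) and owners and pkt.src_mac not in owners:
            reasons.append("local %s previously sourced by %s"
                           % (pkt.src_ip, ",".join(sorted(owners))))
        return reasons


# Constructed sample capture (assumed addresses): 192.168.1.0/24 is local,
# R is the gateway, K is a host with two addresses, D is the DNS server.
A, R, K, D = "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:01", "ee:ee:ee:ee:ee:01", "dd:dd:dd:dd:dd:01"
SAMPLE = [
    Packet(A, D, "192.168.1.10", "192.168.1.53", "udp", 51000, 53),   # DNS query
    Packet(D, A, "192.168.1.53", "192.168.1.10", "udp", 53, 51000),   # DNS reply
    Packet(A, R, "192.168.1.10", "93.184.216.34", "tcp", 40000, 443),  # off-link via R
    Packet(R, A, "93.184.216.34", "192.168.1.10", "tcp", 443, 40000),  # forwarded reply
    Packet(K, D, "192.168.1.20", "192.168.1.53", "udp", 52000, 53),   # K, address 1
    Packet(K, R, "192.168.1.21", "198.51.100.7", "tcp", 40001, 80),    # K, address 2
    Packet(R, K, "198.51.100.7", "192.168.1.21", "tcp", 80, 40001),
    Packet(R, A, "192.168.1.1", "192.168.1.10", "icmp"),                # R's own address
]


def learn(packets, local_prefix="192.168.1.0/24"):
    kb = NetworkKnowledge(local_prefix)
    for p in packets:
        kb.observe(p)
    return kb


if __name__ == "__main__":
    kb = learn(SAMPLE)
    print("routers:", kb.routers())
    print("multihomed:", kb.multihomed())
    print("dns servers:", kb.dns_servers)
    # A's address suddenly sourced from K's MAC: contradicts learned bindings.
    print("anomalies:", kb.anomalies(Packet(K, D, "192.168.1.10", "192.168.1.53")))
```

The router test deliberately requires traffic in both directions: a MAC that merely emits packets with foreign source addresses could be a spoofing host, whereas one that also receives packets addressed to those foreign IPs is being used as a next hop. The same learned bindings let `anomalies()` flag a local address appearing from a MAC other than the one that has been sourcing it, which is the practical benefit of a NIDS that knows the topology rather than reading it from a static configuration file.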
