Tranalyzer: Versatile high performance network traffic analyser

IP-based networks are prone to hardware failures, software errors and misconfigurations. This leads to service outages, such as those experienced by American Airlines in 2015. Moreover, cyber threats are becoming ever more sophisticated. As demonstrated by recent success stories of malware, such as the crimeware BlackEnergy, current defence solutions are insufficient to detect such anomalies and threats. Indeed, the widespread use of cryptography and obfuscation techniques limits the effectiveness of standard solutions that rely on content inspection. Although statistics-based approaches are able to deal with some of these limitations, threats such as data exfiltration and covert channels remain challenging to detect. This paper presents Tranalyzer, a flow-based traffic analyser built upon a flexible plugin-based architecture that allows efficient processing and analysis of network traffic. The program is presented through a series of real-life scenarios dealing with traffic mining and troubleshooting, and provides the analyst with a methodology for tackling such challenges, even when encryption or obfuscation techniques are being used.
