LOBSTER: a European platform for passive network traffic monitoring

Over the past few years we have been witnessing a large number of new programs and applications that generate prolific amounts of questionable, if not illegal, traffic which dominates our networks. Hopping from one port to another and using sophisticated encoding mechanisms, such applications have managed to evade traditional monitoring tools and confuse system administrators. In this paper we present a concerted European effort to improve our understanding of the Internet through the LOBSTER passive network traffic monitoring infrastructure. By capitalizing on a novel Distributed Monitoring Application Programming Interface (DiMAPI), which enables the creation of sophisticated monitoring applications on top of commodity hardware, LOBSTER enables a large number of researchers and system administrators to reach a better understanding of the kind of traffic that flows through their networks. We have been running LOBSTER for more than a year now and have deployed close to forty sensors in twelve countries on three continents. Using LOBSTER sensors:
• we have captured more than 600,000 sophisticated cyberattacks that attempted to disguise themselves using advanced polymorphic approaches;
• we have monitored the traffic of entire NRENs, making it possible to identify the magnitude (as well as the sources) of file-sharing (peer-to-peer) traffic.
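The abstract's point that port-hopping applications slip past traditional tools is easiest to see side by side: a monitor keyed on destination port attributes a peer-to-peer handshake sent to port 80 to HTTP, while a monitor that looks at the first bytes of the payload still identifies it. The following Python script is an added illustration written for this page, not LOBSTER or DiMAPI code; the port table, the flow records and the four sample payloads are constructed, and the only protocol facts relied on are that a BitTorrent handshake starts with the length byte 19 followed by "BitTorrent protocol", that an SSH client banner starts with "SSH-x.y-", and that an HTTP request line ends in "HTTP/1.x".

```python
"""Port-based versus payload-based classification of passively captured flows.

Constructed example (not LOBSTER/DiMAPI code): a few synthetic TCP payloads
show why a monitor that keys on destination port misses an application that
hops to port 80, while a payload signature still catches it.
"""
import re
from dataclasses import dataclass

# Hypothetical port table a naive, port-keyed monitor would use.
PORT_TABLE = {80: "http", 443: "https", 22: "ssh", 6881: "bittorrent"}

# Payload signatures matched against the first bytes of the client stream.
# The BitTorrent handshake starts with a length byte 19 followed by the
# string "BitTorrent protocol"; the SSH and HTTP patterns follow those
# protocols' banner and request-line formats.
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client-to-server stream


def classify_by_port(flow: Flow) -> str:
    """What a traditional port-based monitor would report."""
    return PORT_TABLE.get(flow.dport, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """What a passive monitor inspecting the stream's first bytes reports."""
    for name, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return name
    return "unknown"


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Flow("10.0.0.9", "203.0.113.4", 6881,
         b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-AZ2060-" + b"\x01" * 12),
    # Same peer-to-peer handshake, but the client hopped to port 80.
    Flow("10.0.0.9", "203.0.113.8", 80,
         b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xbb" * 20 + b"-AZ2060-" + b"\x02" * 12),
    Flow("10.0.0.2", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def tally(flows, classifier):
    """Count flows per label under the given classifier."""
    counts = {}
    for f in flows:
        label = classifier(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


def disagreements(flows):
    """Flows whose port-based and payload-based labels differ, i.e. the
    traffic a port-keyed monitor would misattribute."""
    return [(f.dport, classify_by_port(f), classify_by_payload(f))
            for f in flows if classify_by_port(f) != classify_by_payload(f)]


if __name__ == "__main__":
    print("by port   :", tally(SAMPLE_FLOWS, classify_by_port))
    print("by payload:", tally(SAMPLE_FLOWS, classify_by_payload))
    print("misattributed:", disagreements(SAMPLE_FLOWS))
```

Running the script shows the port-based tally crediting two flows to HTTP and one to BitTorrent, while the payload-based tally reverses that split; the single disagreement is the handshake on port 80, which is exactly the kind of traffic the sensors described above have to see past the port number to count.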