NetADHICT: A Tool for Understanding Network Traffic

Computer and network administrators are often confused or uncertain about the behavior of their networks. Traditional analysis using IP ports, addresses, and protocols is insufficient to understand modern computer networks. Here we describe NetADHICT, a tool for better understanding the behavior of network traffic. The key innovation of NetADHICT is that it can identify and present a hierarchical decomposition of traffic that is based upon the learned structure of both packet headers and payloads. In particular, it decomposes traffic without the use of protocol dissectors or other application-specific knowledge. Through an AJAX-based web interface, NetADHICT allows administrators to see the high-level structure of network traffic, monitor how traffic within that structure changes over time, and analyze the significance of those changes. NetADHICT allows administrators to observe global patterns of behavior and then focus on the specific packets associated with that behavior, acting as a bridge from higher-level tools to lower-level ones. From experiments we believe that NetADHICT can assist in the identification of flash crowds, rapidly propagating worms, and P2P applications.
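As an added illustration of the idea behind the abstract (this is not NetADHICT's own algorithm, which the abstract does not describe), the toy Python below builds a hierarchical decomposition of constructed sample packets purely from the most common byte pair at a fixed offset, with no protocol dissector, and then routes a fresh packet into the learned tree. The packets, the two-byte window and the split thresholds are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample packets (not captures from the paper): a fake 2-byte
# header followed by payload. Three HTTP GETs, two POSTs, three DNS queries.
PACKETS = [
    b"\x06\x50GET /a HTTP/1.1\r\n",
    b"\x06\x50GET /b HTTP/1.1\r\n",
    b"\x06\x50GET /c HTTP/1.1\r\n",
    b"\x06\x50POST /d HTTP/1.1\r\n",
    b"\x06\x50POST /e HTTP/1.1\r\n",
    b"\x11\x35\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x03www",
    b"\x11\x35\xab\xce\x01\x00\x00\x01\x00\x00\x00\x00\x03www",
    b"\x11\x35\xab\xcf\x01\x00\x00\x01\x00\x00\x00\x00\x03www",
]
W = 2  # bytes compared at each candidate offset (assumed window size)

def best_split(pkts, min_frac=0.25):
    """(offset, value) pair present in the most packets, ignoring pairs that
    match nearly all or nearly none of them, since those do not separate."""
    counts = Counter((off, p[off:off + W]) for p in pkts for off in range(len(p) - W + 1))
    n = len(pkts)
    for key, c in counts.most_common():
        if min_frac * n <= c <= (1 - min_frac) * n:
            return key
    return None

def build_tree(pkts, min_split=4):
    """Divisive clustering: split on best_split() and recurse on both halves
    until a group is too small or no informative pair is left."""
    split = best_split(pkts) if len(pkts) >= min_split else None
    if split is None:
        return {"packets": pkts}  # leaf cluster
    off, val = split
    match = [p for p in pkts if p[off:off + W] == val]
    other = [p for p in pkts if p[off:off + W] != val]
    return {"split": split, "match": build_tree(match, min_split),
            "other": build_tree(other, min_split)}

def leaf_sizes(tree):
    """Population of each leaf cluster: the high-level view to watch over time."""
    if "packets" in tree:
        return [len(tree["packets"])]
    return leaf_sizes(tree["match"]) + leaf_sizes(tree["other"])

def classify(tree, pkt):
    """Route one new packet through the learned tree; returns the leaf reached."""
    while "split" in tree:
        off, val = tree["split"]
        tree = tree["match"] if pkt[off:off + W] == val else tree["other"]
    return tree
```

On the sample above the first split falls on the fake header bytes and the second on the first payload bytes, so the leaves separate GET, POST and DNS without any knowledge of those protocols; a sudden change in one leaf's population is the kind of shift an administrator would then drill into.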
