Abstract
In the beginning stage of the security functions, defending and monitoring was treated as a single solution. Today’s security management system has reached at the state of integration of risk management systems and security management system. However, the existing system can have negatively leak of internal information and be inefficient for prevention and post event tracing of security instance. Therefore if we formalize the event information from a variety of security systems and do correlation analysis, we can establish a more active defense. In this paper we built up a developmental environment for network management system using a customized Linux System and several network devices. Using SNMP and SYSLOG, network information are collected from the network equipment and recorded on Maria DB in Linux Server. We also developed a database system and a monitoring system for the collected data.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
In today’s Internet environments, there are many varieties of security threats. Recently there have been some attacks using DDOS that paralize computer networks. Network of the Republic of Korea and the United States government agencies, portal sites and financial institutions server were paralyzed by the DDOS attack in July 7, 2009 [1]. And in March 3, 2011 a more advanced method has been used to paralyze the computer network [2]. More recently in June 26, 2015, group of hackers in Europe attacked the three Korean bank’s computer network including Daegu Bank, which increased a lot of threats [3]. In addition to these DDOS attack, there are other attacks such as IP spoofing, MAC address spoofing, ARP spoofing and session hijacking. It is quite sure that a variety of attacks will be found in the future. Although many security control system has been built as responds to these attacks, most of them offer only single solution for a specific attack. Security devices such as IDS and firewall provide only partial protection [4].
While security control systems that are currently used can simply detect intrusions or block the packets [5], we are planning to build an integrated security control system which can actively cope with those attacks. If we use simple network management protocol (SNMP) and syslog, it is possible to collect various information from the network. And if we develop an algorithm to analyze this information, we can effectively respond to variety of threats.
In this paper, as the first phase of the study for the integrated security control system construction, we build an environment for collecting network traffic and security event (here after we call NTSE) based on SNMP and syslog. We also developed database system and monitoring system for the collected data.
2 Background Knowledge
2.1 SNMP
SNMP is an Internet-standard protocol for managing devices over IP networks. Typical devices that support SNMP include routers, switches, servers, workstations, printers, modem racks and more. SNMP is widely used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. Version 3 is the most updated version with security enhancement.
As shown in Fig. 48.2, manager, the agent and management information base (MIB) is the major entities of SNMP. Manager will request the necessary information to the agent, then the agent responses by sending back the collected information from network device [6]. Finally, MIB is a database that actually stores the information in a structured format. Even though the devices in companies will have their own MIB, there is a standardized MIB. An object is a unit of information managed by the DB management target device. Objects in the SNMP are organized in a hierarchical structure or a tree structure (Fig. 48.1).
SNMP information gathering process
2.2 Syslog
In the computing system, syslog is a widely used standard for message logging. It permits separation of the software that generates messages which is then stored in the system, and the software that reports and analyzes them. Computer system designers may use syslog for system management and security auditing as well as general information, analysis, and debugging messages. A wide variety of devices, such as printers, routers, and message receivers across many platforms are using the syslog standard. This permits the consolidation of logging data from different types of systems in a central repository [7]. As shown in Table 48.1 the basic log files provided in the current Linux system are classified into 9 types.
In order to continuously operate a syslog server, system log management daemon is required. Demon is a computer program that runs as a background process in a multitasking computer operating system rather than operates as direct control of an interactive use. It starts when the computer system is started and stops when the system is being shutdown.
3 Network Traffic and Security Event Collecting System
3.1 Log Collecting System Requirement
For the system design, we selected five requirements among several requirements [8].
Correctness As the most important requirement, in order to efficiently manage networks, it is necessary to collect correctly all of the logs that occur in the internal network. However, in the most business networks today, traffic capacity is extremely high because of the rapid increase of the network based business process. Even though the log-collecting-system receives, processes and compresses these massive amounts of data, it should not offer a defective or erroneous information associated with that.
Integrity Because the collected log messages are used to monitor and detect future attacks, these messages are very important. Thus the reliability of the information source has a very close relationship with the system performance. Digital signature to the log data can provide reliability of the data, however it is impractical to apply the digital signature to the log data in the current network environment. If the log data is used as the evidence in criminal investigations, it may require a certain level of system integrity for legislation.
Storage and processing While storing the collected logs, they should not be tampered. The collecting system must be secure from the deletion and modification of log data by the insider or illegal intruder. Because the original log data is ill-formed, it should be processed before being provided to the administrator so that he/she can intuitively identify attacks.
Normalization Normalization is the task of normalizing the type of collected log data for the use of processing and reporting by network analyst or security analyst. That is a step of generating well-known log event formats. For this step, the various elements are mapped into the data to illustrate the log data into a common format. The original log data are converted into more meaningful information by classification and normalization.
Log data mining Data mining technology can be utilized to obtain better information from the raw log data for a better attack prediction and detection. Thus, by introducing this technology in the log collecting system, we can decrease the reliance on network exporter and make the general administrator to verify the log and to monitor the traces of penetration easily.
3.2 System Design and Implementation
In this paper we implemented a system that collects and analyzes all network traffic from a number of the network devices in an internal network. This system can provide basic data for detecting of attacks and provide a fast attack event extracting function by analyzing vast network traffic. If our system is utilized for detection and defense technology of attack events, based on the information that has been collected, it allows the detection and response to attacks through secure management and attack event analysis of the large capacity of the log data and network application systems.
Figure 48.2 is a schematic structure of the implemented system. Agent is a program that plays a role of Syslog and SNMP where such functions are not supported in an operating server. It is a TCP application program and sends NTSE from network device to our collecting system. Because most of the network devices provide Syslog and SNMP services, they can send NTSE directly using the Syslog and SNMP trap. However most of general servers do not provide these two services, therefore the agent creates packets for NTSE and sends them to the NTSE collecting system.
The concept diagram for a network traffic and security event collecting system
For the development environment, a log server was prepared by installing Centos 6.5 Linux system on a custom hardware platform and mounting the SNMP and syslog on the Linux system as shown in Fig. 48.3. Log server program has been implemented in the environment of C#, .NET 4.5 and a WPF (Windows Presentation Foundation). We used Maria DB for the archive of the collected data. Server program was coded in C++ utilizing the POCO Libraries [9]. We developed four data viewer for SNMP information, syslog event, syslog analysis, and network device status monitoring.
Real implementation network diagram
Our log server was deployed in the real time network to check the possibility of real time application. As shown in Fig. 48.3, the log collecting server, backbone switch and VPN firewall are located in separate networks. In the log server, SNMP/Syslog server has been installed so that it receives and processes NTSE from PSMC and Hyosung Electric network.
To collect NTSE for each network devices, Juniper’s backbone switches from PSMC network and VPN firewall from Hyosung Electric network were selected. Figure 48.4 shows a screen view of SNMP information collection. Figure 48.5 shows real time syslog event collection from PSMC backbone switch. Figure 48.6 shows syslog analyses view of data from Hyosung Electric VPN device. Figure 48.7 shows network device status monitoring of CPU load, memory usage, and session collected from Hyosung Electric VPN device.
SNMP information collection
Syslog event collection
Syslog analysis view
Network device status monitoring
3.3 The Result of System Implementation
To test our log system in the real network, the proposed system was link with the back bone switch, firewall and VPN equipment in the real network and carried out traffic analysis. As corporate networks become more complex and larger in size, the amount of logs will increase explosively. Furthermore, dealing with the big data and security issues, the need of integrated log management is increasing. If we apply our system to the complex company networks for collecting logs of all networks and analyzing them in real time, it is possible to provide appropriate information as a response. Most network devices do not collect and save logs, but because we can collect and analyze the logs using our system,, the proposed system is very useful to solve this problem. Thus our system can be easily installed and managed in the existing network so that it is not necessary to build a new system to collect the logs.
4 Conclusion
In this paper, we designed and implemented a system for collecting and analyzing network traffics to analyze and monitor the security problem of the internal network of an organization in real-time. The proposed system saves all of the traffics generated from storage-less network devices and analyzes the security problem in real time. It enables the organization to monitor the state of the internal network. Also, when security incidents occur, our system can acquire the log data for the traffic information and rapidly analyzes it. The expected benefit of deploying our system is that the network security features can be enhanced by managing the network-based security issues while using the existing network systems.
References
Wikipedia Website on 7.7 DDoS Attack. https://ko.wikipedia.org/wiki/7%C2%B77_DDoS_%EA%B3%B5%EA%B2%A9
Wikipedia Website on 3.3 DDoS Attack. https://ko.wikipedia.org/wiki/3%C2%B73_DDoS_%EA%B3%B5%EA%B2%A9
Financial news website. http://www.fnnews.com/news/201506261801326408
Yu, Y.J.: DDoS Attack Detection Method Using Average Rate of Change of Traffic. MS thesis, Graduate school of Chungbuk National University (2011)
Tabona, A.: The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins, GFI Blog, 15th, 4, 2015. http://www.gfi.com/blog/the-top-20-free-network-monitoring-and-analysis-tools-for-sys-admins/
Kim, Y.S.: Understanding of SNMP concept, Novo networks (2010)
Wikipedia Website on Syslog. https://en.wikipedia.org/wiki/Syslog
Chuvakin, A.A., Schmid, K.J., Phillips, C.: Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management, 1st edn. Syngress, California (2012)
POCO C++ Libraries. http://pocoproject.org/
Acknowledgments
This paper was supported by the Ministry of Trade, Industry and Energy (MOTIE) through the fostering project of the Innovation for Engineering Education and by Ministry of Education (MOE) through the project of the Leaders in the Industry-university cooperation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer Science+Business Media Singapore
About this paper
Cite this paper
Son, HS., Lee, JH., Kim, TY., Lee, SG. (2016). Network Traffic and Security Event Collecting System. In: Pasila, F., Tanoto, Y., Lim, R., Santoso, M., Pah, N. (eds) Proceedings of Second International Conference on Electrical Systems, Technology and Information 2015 (ICESTI 2015). Lecture Notes in Electrical Engineering, vol 365. Springer, Singapore. https://doi.org/10.1007/978-981-287-988-2_48
Download citation
DOI: https://doi.org/10.1007/978-981-287-988-2_48
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-287-986-8
Online ISBN: 978-981-287-988-2
eBook Packages: EngineeringEngineering (R0)