Abstract
Defence Research and Development Canada (DRDC) is developing a security event and packet analysis tool that is useful for analyzing a wide range of network attacks. The tool allows the security analyst to visually analyze a security event from a broad range of visual perspectives using a variety of detection algorithms. The tool is easy to extend and can be used to generate automated analysis scripts. The system architecture is presented and its capabilities are demonstrated through the analysis of several covert tunnels.
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Vandenberghe, G. (2008). Network Traffic Exploration Application: A Tool to Assess, Visualize, and Analyze Network Security Events. In: Goodall, J.R., Conti, G., Ma, KL. (eds) Visualization for Computer Security. VizSec 2008. Lecture Notes in Computer Science, vol 5210. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85933-8_18
DOI: https://doi.org/10.1007/978-3-540-85933-8_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85931-4
Online ISBN: 978-3-540-85933-8
eBook Packages: Computer Science (R0)