TU Berlin

Main document

Literature Database Entry


Tobias Limmer and Falko Dressler, "Distributed Monitoring and Analysis for Reactive Security," Proceedings of 2nd GI SIG SIDAR Graduate Workshop on Reactive Security (SPRING), Dortmund, Germany, July 2007, pp. 18.


An ever growing number of attacks to sites on the Internet increases the need for effective systems to detect those incidents and initiate countermeasures. Botnets are one of the most successful methods used by hackers. Those networks are difficult to detect and neutralize, but an especially difficult task is to find the individuals controlling the attacking hosts. A crucial part of successful dissection is the analysis of monitored data in several separate networks. Recently, we introduced our monitoring toolkit Vermont to enable distributed aggregation of such information. Analysis of network monitoring data can be divided into two different types: payload-based and flow-based analysis. On the one hand, network monitors like Snort and Bro analyze complete network packets including payload. In this area usually signature-based detection methods are used. On the other hand, flow-based analysis summarizes monitored packet data to only include header information and to aggregate packets with common attributes to one record. This method achieves great information reduction but still provides enough data for following analysis to generate meaningful results. It is mostly used in high-speed environments, where payload-based monitoring is not suitable due to performance problems. The most popular data format for transferring flow-based data is Cisco's Netflow v9, which is widely supported in hardware-based routers, and its successor IP Flow Information Export (IPFIX). We are using Vermont, which runs under Unix-based operating systems, for flow-based analysis of network streams. It supports direct observation of packet data using the PCAP system library with subsequent aggregation and export as IPFIX flows. Special attention was paid to high flexibility and support of dynamic reconfiguration of its aggregation parameters. The application is also able to receive IPFIX flows, so it is hierarchically stackable. This enables it to be used in distributed high bandwidth environments, as load can be shared among several hosts. For example, the tasks for portscan detection, statistical analysis and anomaly detection can be performed on separate hosts, which work on identical data. If the task is still computationally too expensive, it could be split up in two parts and executed on two machines. Further possibilities of attack detection lie in the areas of detecting DoS-attacks, vertical and horizontal portscans, hosts sending spam mails or hosts, just in the process of being infected when downloading malware code. Those methods benefit from distributed monitoring stations which gather data in different networks and forward it to a centrally managed correlation system. Possible reactions to detected incidents may include the reconfiguration of firewalls which could help to prevent malware from spreading or to prevent the overload of analysis systems from a targeted DoS attack to cover more subtle attacks.

Quick access

Authors' Version PDF (PDF on this web site)
BibTeX BibTeX


Tobias Limmer
Falko Dressler

BibTeX reference

    author = {Limmer, Tobias and Dressler, Falko},
    title = {{Distributed Monitoring and Analysis for Reactive Security}},
    pages = {18},
    address = {Dortmund, Germany},
    booktitle = {2nd GI SIG SIDAR Graduate Workshop on Reactive Security (SPRING)},
    month = {7},
    year = {2007},

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or permissions@acm.org.

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at www.springerlink.com.

This page was automatically generated using BibDB and bib2web.


Featured Paper