Glenn Mansfield

Towards trapping wily intruders in the large

Abstract Intrusions are in general characterized by some noise or indications. In the network context these signals may be seen in the TCP-RESET packets and the ICMP echo-response or destination/port unreachable packets. Analysis of network traffic has shown that the profiles of such signals due to intrusion attempts are distinctly different from those due to routine operations and/or unintentional mistakes. By monitoring such suspicious signals in a distributed framework, intrusions or attempts thereof can be effectively detected. To track down attackers who may be using spoofed addresses, a new technique-based on traffic pattern monitoring is introduced. The traffic patterns can be traced across networks. For this purpose we have developed an SNMP-based messaging system which allows “friendly” networks to collaborate in tracking down the intruder. Results using prototype implementations on a medium size operational network are presented.

Techniques for automated network map generation using SNMP

Network configuration information is useful in producing a visual map of the network complete in all details. The visual map is an essential component for network management and operations. It is also possible to generate an inventory report of a network. The inventory report describes the nodes, networks, interfaces, addresses, protocols, speeds, etc. and is a valuable component for network planning and administration. Unfortunately, network management is severely constrained in scope and effectiveness by the lack of any organized pool of network configuration information. We present results of our efforts to develop tools and techniques for automatically and mechanically synthesizing network configuration related information from the Internet. These techniques, we believe, will be instrumental in, generating the pool of network configuration information.

Non-broadcast network fault-monitoring based on system-level diagnosis

Network fault management systems are mission-critical, for they are most needed during periods when part of the network is faulty. Distributed system-level diagnosis offers a practical and theoretically sound solution for fault-tolerant fault monitoring. It guarantees that faults don’t impair the fault management process. Recently, results from the application of distributed system-level diagnosis applied for SNMP-based LAN fault management have been reported [1, 2]. In this paper we expand those results by presenting a new algorithm for diagnosis of non-broadcast networks, applied to point-to-point network fault management. In the algorithm, nodes test links periodically, and disseminate link time-out information to all its fault-free neighbors in parallel. Upon receiving link time-out information a node computes which portion of the network has become unreachable. This approach is closer to reality than previous algorithms, for it is impossible to distinguish a faulty node from a node to which all routes are faulty. The diagnosis latency of the algorithm is optimal, as nodes report events in parallel, and latency is proportional to the diameter of the network. The dissemination step includes mechanisms to reduce the number of redundant messages introduced by the parallel strategy. We present a MIB for the algorithm, and a SNMP-based implementation. The evaluation of algorithm’s impact on network performance, shows that the amount of bandwidth required is less than 0.1% for popular link capacities. We conclude demonstrating the integration of LAN and WAN fault diagnosis into a unified framework.

Self-similar and fractal nature of Internet traffic data

The Internet traffic being extremely variable and bursty in a wide range of time scales is usually characterised by a self-similarity parameter (/spl beta/), which describes its statistics depending on the scales of resolution. We study the characteristics on some previous data and observe that it can have another parameter which is its fractal dimension (D).

Network congestion monitoring and detection using the IMI infrastructure

IMI provides a scalable and flexible measurement infrastructure. It essentially uses RMON-type passive monitoring and on demand, active probes. It is built on the SNMP framework: so all interactions are through MIB-variables; security and access control is in place. Detecting congestion is a challenge and diagnosing it is an even greater challenge. In this work we have experimented with techniques of detecting congestion in the network using the distributed infrastructure of IMI. As a symptom of congestion, retransmission packets in the network traffic are detected, counted and analysed. The related information from various IMIds (IMI-daemons) are collated and used in conjunction with configuration information to detect and then locate a congestion bottleneck.

Divide and conquer technique for network fault management

From the perspective of fault management, traffic characteristics contain symptoms of faults in the network. Symptoms of faults aggregate and are manifested in the aggregate traffic characteristics generally observed by a traffic monitor. It is very difficult for a manager or an NMS to isolate the symptoms manifested in the aggregate traffic characteristics. Symptoms get obscured by other symptoms. At times there are too many symptoms clouding the symptom space, making the task of symptom isolation practically impossible. In this work we present a powerful technique, the divide and conquer technique, wherein symptoms are iteratively isolated from the aggregate observable. This provides a tractable mechanism for symptom isolation, fault detection and analysis. The symptom isolation technique makes it possible to use a simple thresholding mechanism for detecting abnormalities. We have implemented the system using the popular SNMP-based RMON technology. Using dynamically constructed filters to suppress already detected symptoms in the observed aggregate, fresh symptoms are isolated. Experimental results show a significant improvement in the fault management capability and accuracy.

An SNMP-based expert network management system for a large-scale OSI-based campus network

The authors examine the design issues of a practical network management system using the simple network management protocol (SNMP) in the context of a large-scale open systems interconnection (OSI)-based campus-network called TAINS. Various design aspects are examined and the importance of time-management is examined. In the proposed design, intelligent, time-synchronized agents are deployed to collect information about the network segments to which they are attached. The manager talks to the agents and gathers relevant network information. This information is used by the expert network manager, in conjunction with a network knowledge base, to reconstruct the overall network-traffic characteristic, to evaluate the status of the network and to take/suggest some action. The introduction of time-labeled composite objects in the MIB provides a means of reducing the load of management-related traffic on the network.<<ETX>>

A simple packet aggregation technique for fault detection

Packet monitoring has become a standard technique in network management and when applied to a large-scale transit network yields a high volume of packets. To overcome this problem, we discuss the behavior of packets and present a symptom-based packet aggregation technique which is useful for fault detection. Copyright

VINES: Distributed Algorithms for a Web-Based Distributed Network Management System

Rapid growth in networks and related services have resulted in demands for more effective, accessible, intelligent and scalable network management systems. Not only managers but also users need access to network management information. Traditional network management architectures are utterly inadequate to meet these requirements. In this work we describe VINES - a next generation network management system that builds on state-of-the-art technolgy and latest results. VINES uses a new web-based management architecture, that is intelligent and distributed. A set of Management Domain Servers, implementing an elaborate access control mechanism, allows access to management information without compromising security. To realize the new architecture a new knowledge base framework is designed, highly effective detection and diagnosis algorithms are employed, and the resilience of the management system to network failures is ensured. The results of an experimental prototype are discussed.

An improved content search engine. Usage of network configuration information

In todays Internet environment, the same service is generally available in many places and the redundancy is increasing with Web and FTP-server mirroring. Retrieving information from the closest server is desirable. Otherwise, it is inefficient for users as it will take more time to fetch the desired information. It is also common today for users to use search engines as their starting point to find the information they want. We propose a content search engine which uses network configuration and/or application log information to locate the nearest server for a given content.