
Intelligent real-time reactive network management - PowerPoint PPT Presentation



  1. Intelligent real-time reactive network management: Intelligent Network Management Framework. Final project studies – Guillaume Andreys – April/August 2004

  2. Introduction

  3. Motivation. Many tools exist to collect network information, but there is no middle ground: either collect only high-level data and intervene manually, or run resource-hungry tools continuously. Such systems offer little possibility of automatic reaction.

  4. Principle. From high-level data collection, we want to detect anomalies and (eventually) perform further data collection depending on rules and the security policy. [Diagram: aggregated data (e.g. used bandwidth) leads to detailed data (e.g. user information).]

  5. Features. High-level anomaly detection: Holt-Winters forecasting algorithm. Managing various tools on various hosts on the network. Collecting data at a central point. Possibility for the user to write rules and define a security policy. Reacting to the collected data, rules and policy.

  6. Architecture

  7. Distributed architecture. Agents installed on many hosts communicate with a central server via the network.

  8. Example scenario. [Diagram: MRTG-RRD with aberrant behavior detection (Agent), Firewall (iptables) with TCPTrack (Agent), Proxy server (Squid) with log analyzer (Agent), and the Manager; arrows numbered 1 to 7 give the sequence of exchanges between the Agents and the Manager.]

  9. The Agents. Managing tools (launching/stopping) on orders from the Manager. Collecting data and sending it to the Manager.

  10. The Manager. Centralizes all the collected data. Accesses the rules and security policy. Sends the appropriate decision to the appropriate Agent. Provides the user interface.

  11. Decision process

  12. Rules. The user defines rules that form a decision tree. We provide functions to get data information, set a decision, raise alerts, etc. Currently, rules are hard-coded in C++. In future, a specific language using XML. Advantages of XML: syntax verification; comprehensible both by human and machine; we can provide "high-level" verification.

  13. Security policy. Depending on the security policy, we may not want to perform the same action for every object. We allow priorities to be set on: users or user groups (not implemented yet); IP addresses or networks; time of day. Functions can be used in the rules to get the priority of an object.

  14. Tools

  15. Anomaly detection with the Holt-Winters forecasting algorithm. An algorithm that tries to predict future values from older values. Implemented for Round Robin Databases (RRD), so compatible with all software that uses those databases (ntop, MRTG, Cricket, ...). Low false-positive alarm rate.
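The aberrant behaviour detection this slide refers to, as an added example that is not part of the original presentation or of the project's code: additive Holt-Winters forecasting over a constructed per-slot bandwidth series, with a confidence band derived from the smoothed deviation and an alarm once enough samples in a sliding window fall outside the band. The smoothing constants, band width, window, threshold and one-cycle warm-up are illustrative assumptions.

```python
"""Additive Holt-Winters forecasting with confidence bands and a violation window,
the scheme RRD-based aberrant behaviour detection is built on (constructed example)."""
from dataclasses import dataclass, field

@dataclass
class HoltWintersDetector:
    period: int             # samples per season (e.g. 288 five-minute samples per day)
    alpha: float = 0.1      # level smoothing (assumed value)
    beta: float = 0.01      # trend smoothing (assumed value)
    gamma: float = 0.1      # seasonal and deviation smoothing (assumed value)
    delta: float = 3.0      # confidence band half-width, in smoothed deviations
    window: int = 9         # sliding window of recent samples in which ...
    threshold: int = 7      # ... this many violations raise an alarm
    level: float = 0.0
    trend: float = 0.0
    season: list = field(default_factory=list)   # seasonal index per slot
    dev: list = field(default_factory=list)      # smoothed |y - forecast| per slot
    recent: list = field(default_factory=list)   # violation flags in the window
    t: int = 0

    def warm_up(self, first_cycle):
        """Seed level, seasonal indices and deviations from one full season."""
        mean = sum(first_cycle) / len(first_cycle)
        self.level, self.trend = mean, 0.0
        self.season = [y - mean for y in first_cycle]
        mad = sum(abs(y - mean) for y in first_cycle) / len(first_cycle)
        self.dev = [mad] * len(first_cycle)   # no zero-width bands at start

    def step(self, y):
        """Consume one sample; return (forecast, lower, upper, alarm)."""
        i = self.t % self.period
        forecast = self.level + self.trend + self.season[i]
        lower, upper = forecast - self.delta * self.dev[i], forecast + self.delta * self.dev[i]
        prev = self.level   # update level, trend, season, deviation in that order
        self.level = self.alpha * (y - self.season[i]) + (1 - self.alpha) * (prev + self.trend)
        self.trend = self.beta * (self.level - prev) + (1 - self.beta) * self.trend
        self.season[i] = self.gamma * (y - self.level) + (1 - self.gamma) * self.season[i]
        self.dev[i] = self.gamma * abs(y - forecast) + (1 - self.gamma) * self.dev[i]
        self.recent = (self.recent + [y < lower or y > upper])[-self.window:]
        self.t += 1
        return forecast, lower, upper, sum(self.recent) >= self.threshold

def run_demo():
    """Constructed series: three normal 4-slot cycles, then a sustained jump."""
    cycle = [10.0, 20.0, 30.0, 20.0]
    series = cycle * 3 + [110.0, 120.0, 130.0, 120.0, 110.0, 120.0, 130.0, 120.0]
    det = HoltWintersDetector(period=4)
    det.warm_up(cycle)
    return [det.step(y)[3] for y in series]   # alarm flag per sample; True from index 18
```

The forecast adapts slowly (small alpha), so the jump stays outside the band for several samples and the alarm fires on the seventh violation inside the nine-sample window; a single spike would be a violation but never an alarm.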

  16. Other tools. MRTG for collecting aggregated data (compatible with RRD). TCPTrack to look at current connections (port, bandwidth, IP). Different log analyzers for Squid (proxy server) and Qmail (mail server). Multilog to optimize log analysis.

  17. Conclusion

  18. Conclusion. We have only a prototype version. A paper has been produced and submitted. Improvements are possible, especially on the decision process, the rules and making the configuration easier. It may interest the Open Source community, and we may find people to contribute to it. The project is currently hosted at inmf.sourceforge.net.
