Towards smarter probes: in-network traffic capturing and processing

BONELLI, NICOLA;GIORDANO, STEFANO;PROCISSI, GREGORIO;VITUCCI, FABIO
2010-01-01

Abstract

Monitoring is a matter of the greatest importance for the correct operation of current communication networks. In spite of that, analyzing and checking out the traffic flowing over a high capacity link is still a very challenging technological issue, due to the huge amount of data stemming from such a process. Furthermore, current national and international legislation is imposing stricter and stricter limits on the storage and utilization of potentially privacy-sensitive data that may be generated from monitoring applications. In this work we argue that both of these problems can be effectively addressed by increasing and extending the capabilities of traffic capturing devices beyond plain packet capturing and flow metering and by designing a new generation of “smarter probes”. Such probes will be able to preprocess traffic according to the needs of the specific application that is expected to provide the final results of the monitoring activity. The benefits of such an approach are two-fold: on the one hand, in-network traffic filtering allows a huge amount of information which is not relevant at all to the selected application to be discarded, thus relaxing the performance requirements of the application itself; as an example, most of the regular traffic is not relevant to an intrusion detection system and can be safely discarded by the probe. On the other hand, traffic pre-processing can be used to hide personal information that may be made available only to a user in possession of the required privileges upon verification of a given condition; still referring to the previous example, the address of a user can be disclosed to the network administrator only in case such a user is suspected of carrying out malicious activities. Following such a general approach we propose a modular architecture that allows application-specific traffic pre-processing to be carried out in a scalable and performance-specific way. Such an architecture, which is organized into a processing and a control plane, interacts with the external network by enforcing strict role-based policies, thus allowing selective and proportional information disclosure; the architecture as it is can be easily integrated with a standard access control infrastructure. An example application is demonstrated in order to prove the effectiveness of our proposal.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11568/196890