Institute for Internet-Security

Internet Analysis System

Technical Realization

To meet both data privacy and performance requirements, the basic concept relies on counting the properties of network packets independently of one another. This approach makes it possible to collect information about a network through purely statistical measures.
The IAS probe has been running in test mode since July 14th, 2005 within the backbone of faculty 5 of the University of Applied Sciences Gelsenkirchen.
The connection is realized through a passive network tap, which makes it possible to analyze both transfer directions in full duplex.

Figure: Probe on the backbone of the University of Applied Sciences Gelsenkirchen

With the help of the packet capturing library libpcap, the packets are captured in promiscuous mode via the network card and decomposed layer by layer by the probe software.
A counter is incremented for each observed property, e.g. a set flag within the TCP header or a TCP port number.
After a period of time the counter data is transferred to a database. Information such as IP addresses is discarded due to data privacy restrictions. At the moment the system maintains more than 300,000 different counters.

Figure: Processing of a packet by the IAS probe

The evaluation of the data is performed through a Java client developed by if(is). This client offers different ways to display the data collected by the probe. The preparation of the data is realized through an EJB analysis module running on a JBoss J2EE application server.

Figure: Java J2EE client of the IAS

Operation of the probe

The probe system is operated in the backbone of the University of Applied Sciences Gelsenkirchen on a PowerEdge 800:

CPU: Pentium 4, 3.6 GHz
RAM: 1 GB 400 MHz dual-rank DDR2 memory (2 x 512 MB)
Disk: 2 x 80 GB SATA (RAID 1)

Besides the onboard network card the system is equipped with two more NICs, which feed the upstream and downstream traffic separately into the system.
The tapping of the network data is realized through a Net Optics 10/100 Ethernet tap. The tap is equipped with a redundant power supply. The connection of the backbone to the university network is always maintained, even if the tap's power supply fails.
No single point of failure is introduced, and the tap is completely transparent to the network. The operating system is Linux, in the Trustix 3.0 distribution.
The probe software is a C/C++ daemon that analyses the network packets layer by layer.
The counter data is encrypted and sent to one or more transfer systems at predefined time intervals, to be stored in a MySQL database.
libpcap is used as the packet capturing library.
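The counting principle described above (one counter per packet property, decomposition layer by layer, IP addresses discarded) is illustrated by the following added example. It is not the IAS probe's own code: it parses raw Ethernet/IPv4/TCP frames from an in-memory byte buffer instead of a libpcap capture handle, so it runs offline, and the sample frames, the `struct counters` layout and the helper names (`process_packet`, `build_frame`, `run_sample`) are assumptions made here. In a libpcap deployment, `process_packet` is what the capture callback would be called with.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One counter per packet property (assumed layout). Only aggregated counts
 * are kept; the source and destination IP addresses are never read or stored. */
struct counters {
    uint64_t packets_total, dropped_short;
    uint64_t ipv4, non_ipv4, tcp, udp, other_proto;
    uint64_t tcp_fin, tcp_syn, tcp_rst, tcp_psh, tcp_ack, tcp_urg;
    uint64_t tcp_dst_port[65536];            /* one counter per TCP destination port */
};

/* TCP flag bits in byte 13 of the TCP header */
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04,
       TH_PSH = 0x08, TH_ACK = 0x10, TH_URG = 0x20 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decompose one Ethernet frame layer by layer and bump the matching counters.
 * Truncated or malformed frames are counted once and otherwise ignored. */
void process_packet(const uint8_t *buf, size_t len, struct counters *c)
{
    c->packets_total++;
    if (len < 14) { c->dropped_short++; return; }             /* Ethernet header */
    if (be16(buf + 12) != 0x0800) { c->non_ipv4++; return; }  /* not IPv4 */

    const uint8_t *ip = buf + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) { c->dropped_short++; return; }
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                  /* header length incl. options */
    if (ihl < 20 || iplen < ihl) { c->dropped_short++; return; }
    c->ipv4++;
    /* ip[12..19] hold the addresses; they are deliberately never touched */

    uint8_t proto = ip[9];
    if (proto == 17) { c->udp++; return; }
    if (proto != 6)  { c->other_proto++; return; }

    const uint8_t *tcp = ip + ihl;
    if (iplen - ihl < 20) { c->dropped_short++; return; }     /* TCP header */
    c->tcp++;
    uint8_t flags = tcp[13];
    if (flags & TH_FIN) c->tcp_fin++;
    if (flags & TH_SYN) c->tcp_syn++;
    if (flags & TH_RST) c->tcp_rst++;
    if (flags & TH_PSH) c->tcp_psh++;
    if (flags & TH_ACK) c->tcp_ack++;
    if (flags & TH_URG) c->tcp_urg++;
    c->tcp_dst_port[be16(tcp + 2)]++;                         /* destination port counter */
}

/* Constructed test frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte L4 header.
 * Addresses come from the RFC 5737 documentation range; this is not real traffic. */
static size_t build_frame(uint8_t *out, uint8_t proto, uint16_t dport, uint8_t flags)
{
    memset(out, 0, 54);
    out[12] = 0x08; out[13] = 0x00;                           /* EtherType IPv4 */
    uint8_t *ip = out + 14;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = proto;      /* v4, IHL 5, length 40, TTL 64 */
    ip[12] = 192; ip[13] = 0; ip[14] = 2; ip[15] = 1;         /* 192.0.2.1 */
    ip[16] = 192; ip[17] = 0; ip[18] = 2; ip[19] = 2;         /* 192.0.2.2 */
    uint8_t *l4 = ip + 20;
    l4[0] = 0xc3; l4[1] = 0x50;                               /* source port 50000 */
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    if (proto == 6) { l4[12] = 0x50; l4[13] = flags; }        /* data offset 5, flags */
    return 54;
}

static struct counters g_counters;   /* static storage: the port table alone is 512 KiB */

/* Feed a small constructed trace through the counters and return the table. */
const struct counters *run_sample(void)
{
    uint8_t f[54];
    memset(&g_counters, 0, sizeof g_counters);
    process_packet(f, build_frame(f, 6, 80, TH_SYN), &g_counters);             /* client SYN */
    process_packet(f, build_frame(f, 6, 50000, TH_SYN | TH_ACK), &g_counters); /* server SYN/ACK */
    process_packet(f, build_frame(f, 6, 80, TH_ACK), &g_counters);             /* handshake ACK */
    process_packet(f, build_frame(f, 6, 443, TH_PSH | TH_ACK), &g_counters);   /* data segment */
    process_packet(f, build_frame(f, 17, 53, 0), &g_counters);                 /* DNS over UDP */
    process_packet(f, 10, &g_counters);                                        /* truncated frame */
    return &g_counters;
}

int main(void)
{
    const struct counters *c = run_sample();
    printf("packets=%llu ipv4=%llu tcp=%llu udp=%llu syn=%llu ack=%llu short=%llu\n",
           (unsigned long long)c->packets_total, (unsigned long long)c->ipv4,
           (unsigned long long)c->tcp, (unsigned long long)c->udp,
           (unsigned long long)c->tcp_syn, (unsigned long long)c->tcp_ack,
           (unsigned long long)c->dropped_short);
    printf("dst port 80: %llu, 443: %llu\n",
           (unsigned long long)c->tcp_dst_port[80], (unsigned long long)c->tcp_dst_port[443]);
    return 0;
}
```

Because nothing in `struct counters` is derived from an address, the table can be flushed to the database at each interval as it is; the privacy property is enforced by the data layout rather than by a later anonymization step. The length checks before each layer are what keep a truncated or hostile frame from turning into an out-of-bounds read in the daemon.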