T2 interfacing with AI and standard monitoring tools

The following screenshots give a small overview of Tranalyzer output and its application in practice. Tranalyzer can run in several modes concurrently, such as flow, packet, monitoring and carving, and can log into well-established NetFlow tools such as nfcapd. Moreover, practical features are provided for traffic mining and troubleshooting purposes.

Unsupervised Learning support: ESOM

11-dimensional vectors from T2's descriptive statistics plugin were presented to our ESOM (Emergent Self-Organizing Map, a Kohonen network). The generated map could classify several traffic classes and abnormal traffic such as botnets and unauthorized zone transfers. For more information regarding the descriptive statistics traffic preprocessor plugin, refer to documentation chapter 9

Connection Anomaly Detection
Centrality/connection Statistics

Derived from three flow-file columns, the script t2plot, fed into gnuplot, shows the importance of a specific IP address over time. The higher the centrality/connection value, the more networked a host is. Depending on the network, this can indicate an anomaly, e.g. P2P or botnets: an easy-to-interpret behavioural anomaly detection. For more information refer to documentation chapter 59.16
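The centrality/connection statistic above is, at its core, a per-host degree count over time bins. The following Python is an added example written for this page, not the t2plot script or any Tranalyzer code: it reads a constructed, T2-style tab-separated flow file (header prefixed with `%`; the column names `timeFirst`, `srcIP`, `dstIP` and the rows are assumptions), bins flows by time, counts the distinct peers of every host per bin, and flags hosts whose degree jumps above a threshold.

```python
"""Per-host connection centrality over time from three flow-file columns.
Added example for this page; it is not t2plot and makes no claim about T2's
actual column layout."""
from collections import defaultdict

# Constructed sample in the spirit of a T2 flow file: tab-separated, header
# prefixed with '%'. Column names, timestamps and addresses are assumptions.
SAMPLE_FLOWS = """\
%timeFirst\tsrcIP\tdstIP
1000.0\t10.0.0.5\t10.0.0.1
1001.0\t10.0.0.5\t10.0.0.1
1002.0\t10.0.0.7\t10.0.0.1
1060.0\t10.0.0.5\t10.0.0.1
1061.0\t10.0.0.9\t10.0.0.1
1062.0\t10.0.0.9\t10.0.0.2
1063.0\t10.0.0.9\t10.0.0.3
1064.0\t10.0.0.9\t10.0.0.4
1065.0\t10.0.0.9\t10.0.0.6
1120.0\t10.0.0.5\t10.0.0.1
"""


def parse_flows(text):
    """Parse a '%'-headed TSV into a list of {column: value} dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].lstrip('%').split('\t')
    return [dict(zip(header, l.split('\t'))) for l in lines[1:]]


def connection_centrality(rows, bin_seconds=60, time_col='timeFirst',
                          src_col='srcIP', dst_col='dstIP'):
    """Return {time_bin: {host: number of distinct peers}}.

    Both endpoints of a flow gain the other as a peer, so a scanning client and
    a heavily used server both show a high degree; the text's caveat that the
    meaning depends on the network applies here.
    """
    peers = defaultdict(lambda: defaultdict(set))
    for r in rows:
        b = int(float(r[time_col]) // bin_seconds) * bin_seconds
        s, d = r[src_col], r[dst_col]
        peers[b][s].add(d)
        peers[b][d].add(s)
    return {b: {h: len(p) for h, p in hosts.items()} for b, hosts in peers.items()}


def flag_outliers(centrality, threshold=3):
    """(bin, host, degree) triples whose degree reaches the threshold."""
    return sorted((b, h, c) for b, hosts in centrality.items()
                  for h, c in hosts.items() if c >= threshold)


if __name__ == '__main__':
    cent = connection_centrality(parse_flows(SAMPLE_FLOWS))
    for b in sorted(cent):
        print(b, dict(sorted(cent[b].items())))
    print('outliers:', flag_outliers(cent))
```

In the constructed data, host 10.0.0.9 talks to five distinct peers within one 60-second bin and is flagged, while 10.0.0.1 (contacted by everyone, a resolver-like role) stays below the threshold; tune `threshold` and `bin_seconds` to the network, since a legitimate server or a P2P client will look alike to this statistic.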

DNS monitoring

T2 in monitoring mode is piped into the script rrdmonitor, which feeds the RRD tool. This serves well for anomaly monitoring of networks. For more information refer to documentation chapter 2.13.3

Packet Size Interarrival Statistics
Encrypted Traffic Mining statistics support

Packet size / inter-arrival time distribution per flow, produced directly from the flow-file column of the pktSIATHist plugin. Very useful for encrypted traffic mining: the picture above shows the signature of Skype, which can then be used for feature extraction and training of a classifier. Multimedia developers might like to look at their own signature and obfuscate it, in order to avoid content mining. For more information refer to documentation chapter 59.16
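To make concrete what such a signature is and how it feeds a classifier, here is an added Python example written for this page; it is not the pktSIATHist plugin nor any Tranalyzer code. It builds a normalised 2-D packet-size / inter-arrival-time histogram per flow from a list of (timestamp, length) pairs, then compares an unknown flow against reference signatures by cosine similarity. The bin edges, the two synthetic flows (a voice-like constant-cadence flow and a bulk-download flow) and the similarity threshold are assumptions for illustration, not values from the plugin or from real Skype captures.

```python
"""Packet-size / inter-arrival-time (PS/IAT) histogram signatures per flow.
Added example for this page, not the pktSIATHist plugin. Timestamps are in
integer microseconds so bin boundaries are exact."""
import math

# Upper bin edges (assumed for this example); the last bin is open-ended.
SIZE_BINS = [64, 128, 256, 512, 1024, 1500]            # bytes
IAT_BINS_US = [1000, 10000, 30000, 100000, 1000000]    # microseconds


def _bin_index(value, edges):
    for i, edge in enumerate(edges):
        if value <= edge:
            return i
    return len(edges)


def psiat_histogram(packets):
    """packets: list of (t_us, length). Returns a normalised 2-D histogram
    indexed [size_bin][iat_bin]; the first packet has no IAT and is skipped."""
    rows, cols = len(SIZE_BINS) + 1, len(IAT_BINS_US) + 1
    hist = [[0.0] * cols for _ in range(rows)]
    for (t_prev, _), (t, size) in zip(packets, packets[1:]):
        hist[_bin_index(size, SIZE_BINS)][_bin_index(t - t_prev, IAT_BINS_US)] += 1
    total = sum(map(sum, hist)) or 1.0
    return [[v / total for v in row] for row in hist]


def cosine_similarity(h1, h2):
    a = [v for row in h1 for v in row]
    b = [v for row in h2 for v in row]
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


# Constructed synthetic flows (not real captures). A voice-like flow sends
# ~100-byte packets every 20 ms, optionally with alternating jitter; a bulk
# download sends MTU-sized packets back to back with a pause every 50 packets.
def voice_like(n=200, jitter_us=0):
    return [(20000 * i + (jitter_us if i % 2 else 0), 100 + i % 3) for i in range(n)]


def bulk_like(n=200):
    return [(500 * i + 50000 * (i // 50), 1460) for i in range(n)]


def classify(packets, references, min_similarity=0.8):
    """Nearest reference signature by cosine similarity, or None if no
    reference is close enough (the 'unknown traffic' case)."""
    h = psiat_histogram(packets)
    name, ref = max(references.items(), key=lambda kv: cosine_similarity(h, kv[1]))
    return name if cosine_similarity(h, ref) >= min_similarity else None


if __name__ == '__main__':
    refs = {'voice': psiat_histogram(voice_like()), 'bulk': psiat_histogram(bulk_like())}
    print(classify(voice_like(jitter_us=3000), refs))   # voice despite 3 ms jitter
    print(classify(bulk_like(), refs))
    print(classify([(20000 * i, 600) for i in range(100)], refs))  # no match
```

The histogram is coarse on purpose: 3 ms of timing jitter and small size variations stay inside the same bins, so the voice-like flow still matches its reference, while a flow of mid-sized packets at the same cadence matches nothing. This is also why the text's advice to multimedia developers works: padding packet sizes or randomising send times moves mass across bins and destroys exactly this signature.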

Flow graph
Rapid traffic flow anomaly detection

A flow graph is very useful for comparing traffic of the same application from different sources, or e.g. with and without malware, as in the example above. The eye is sometimes the best classifier for assessing whether someone created appropriate data for training your AI classifier. For more information refer to documentation chapter 59.17

End Report
Rapid traffic assessment

Imagine being confronted with 20 TB of pcaps and needing to rapidly assess which files are worth looking into and which to discard. The T2 end report supplies the user with ample information for such an assessment. For more information refer to documentation chapter 2.12

Protocol aggregated summaries
Layer3/4 statistics

After the selection via the end report, specialized summary files such as Layer 2/3/4 protocol statistics are generated, giving an indication of where the traffic comes from and what might be in it, all without even looking into the flow files. For more information refer to documentation chapter 36

Protocol aggregated summaries
ICMP anomalies

After inspecting the protocol file, the ICMP file details a summary of all ICMP messages in your network. If you know and manage your network, this is where you might see the next indication of anomalies. For more information refer to documentation chapter 17.1

Flow View standard Plugins

The flow view is a very flexible flow aggregation scheme, dependent on the plugins being loaded and their configuration. The difference to other tools such as Bro is that the output is mining-compatible and can easily be exported into tools such as SPSS, Excel or RapidMiner, or post-processed with command-line tools such as sort, uniq, awk, tawk, perl, etc. Special anomaly flags facilitate the production of filters to extract flows of interest. The screenshot shows the output of the first NetFlow v10 compatible plugins, with some additional columns not present in other plugins, useful for security and troubleshooting purposes. For more information refer to documentation chapters 4-5

Flow View protocol plugins
higher protocol plugins

Special protocol plugins either provide information about L4/L7 anomalies or provide statistics for encrypted traffic mining purposes. Several post-processing scripts are provided to facilitate the analysis job for practitioners and researchers. For more information refer to documentation chapter 9 onward

Packet View
Command line friendly tshark

tshark is a well-established and superb tool for extracting information from IP traffic, with a well-sorted protocol DB. Nevertheless, it is weak when it comes to mining and correlation with flow metadata. Hence, Tranalyzer provides a command-line and mining-friendly packet mode which allows easy correlation with flow and content data. For more information refer to documentation chapter 2.4.9
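The two steps just described, filtering flows by anomaly flags in the flow view and then correlating them with packet-mode output, are shown together in the following added Python example, written for this page and not part of Tranalyzer or its post-processing scripts. It reads a constructed flow file and a constructed packet file (both tab-separated with a `%`-prefixed header, as T2 writes them), selects flows whose hex `flowStat` bitfield has a given bit set, pivots to the packets of those flows through the shared `flowInd`, and writes the result as CSV for a spreadsheet or mining tool. The column set, the meaning of the flag bits and the packet-mode column names are assumptions for this example, not T2's documented layout.

```python
"""Flag-based flow filtering and flow-to-packet correlation on T2-style TSV.
Added example for this page; column names and flag bit meanings are assumed."""
import csv
import io

# Constructed sample flow file. A and B rows of one bidirectional flow share a
# flowInd; flowStat is a hex bitfield. Addresses and values are invented.
FLOW_FILE = """\
%dir\tflowInd\tflowStat\tsrcIP\tsrcPort\tdstIP\tdstPort\tl4Proto
A\t1\t0x0000000000000000\t10.0.0.5\t51234\t93.184.216.34\t443\t6
A\t2\t0x0000000000000004\t10.0.0.7\t40000\t10.0.0.1\t53\t17
A\t3\t0x0000000000000001\t10.0.0.9\t1337\t10.0.0.1\t22\t6
B\t3\t0x0000000000000001\t10.0.0.1\t22\t10.0.0.9\t1337\t6
"""

# Constructed sample packet-mode file; the column names are assumptions.
PACKET_FILE = """\
%pktNo\tflowInd\ttime\tpktLen
1\t1\t100.000\t1514
2\t3\t100.010\t74
3\t3\t100.011\t74
4\t2\t100.020\t90
5\t3\t100.030\t1514
"""

# Hypothetical flag bits used only for this example.
FLAG_IP_FRAG = 0x1
FLAG_BAD_CSUM = 0x4


def load_tsv(text):
    """Parse a '%'-headed tab-separated T2-style file into row dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].lstrip('%').split('\t')
    return [dict(zip(header, l.split('\t'))) for l in lines[1:]]


def flows_with_flags(rows, mask, flag_col='flowStat'):
    """Flows whose hex bitfield has any bit of `mask` set."""
    return [r for r in rows if int(r[flag_col], 16) & mask]


def packets_of_flows(packet_rows, flow_rows):
    """Pivot from selected flows to their packets via the shared flowInd."""
    wanted = {r['flowInd'] for r in flow_rows}
    return [p for p in packet_rows if p['flowInd'] in wanted]


def to_csv(rows, columns):
    """Export selected columns as CSV text for Excel, SPSS, RapidMiner, etc."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(columns)
    for r in rows:
        w.writerow([r[c] for c in columns])
    return buf.getvalue()


if __name__ == '__main__':
    flagged = flows_with_flags(load_tsv(FLOW_FILE), FLAG_IP_FRAG)
    print(to_csv(flagged, ['dir', 'flowInd', 'srcIP', 'dstIP', 'dstPort']))
    print(to_csv(packets_of_flows(load_tsv(PACKET_FILE), flagged),
                 ['pktNo', 'flowInd', 'time', 'pktLen']))
```

Selecting columns by header name rather than position is what keeps such a script working when a different plugin set changes the column order; the same filter expressed in awk would need the index recomputed for every configuration.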