Abstract:
The paper covers the centralized analysis of geographically distributed network traffic. Traffic capture techniques, delivery of the captured traffic, aggregation, analysis and decision-making are presented. A special GNU/Linux distribution with integrated PF_RING technology is created; it makes successful high-speed (1 Gb/s) traffic capture possible. The captured-traffic delivery system consists of two parts: one or more clients and a server. Both applications encrypt the captured traffic for transport. Because the encryption primitives are extensible, the choice of encryption method is virtually unlimited; by default, a probabilistic stream cryptosystem called libpssc is used. After decryption, all captured traffic is directed to a processing center, where it becomes available for analysis. The processing center allows independent plugins, each analyzing the traffic according to its own criteria, to be plugged in at run time, and many plugins can run at once. Details of the pilot implementation and other results are also reported.