Making a case for high-bandwidth monitoring - a use case for analysis on the wire

Abstract

This paper describes current efforts to architect, research, develop, and test a next-generation, high-bandwidth network monitoring framework designed to handle the rigors of large scientific feeds. This framework will be capable of transparently capturing and analyzing network traffic in real time so as to enable early and rapid response to potential threats. We seek to adapt and integrate existing and ongoing work on streaming data analysis on the wire and packet capture with real-time analytics using accelerators to create a next-generation, high-bandwidth network-monitoring framework. Flow inter-rogation in real time will transparently divert selected network flows to an attached computing infrastructure and subject them to processing and analysis. With acceptable quality of service (QoS), this system will detect suspicious activities, with innocent flows allowed to proceed to their original destination and suspicious flows are either dropped or further processed and monitored with appropriate storage and analysis. Going beyond detecting what would be the preponderance of attack vectors to identifying all attack vectors including the subtle methods of Advanced Persistent Threats (APTs). Although it is hard to hack the existing systems, with no direct monitoring or air-gap, a determined adversary such as an APT could find a way onto a government network.