real time flow classification

Oguz Yarimtepe oguzyarimtepe at gmail.com
Sat Oct 6 14:22:55 EDT 2012


Hi,

I am a Ph.D. student from Turkey. My subject is real time security visualization. Nowadays I am researching real time traffic classification. My first aim is to collect real time flow attributes in a database. It seems Argus can save to MySQL, but I may be using a non-SQL database. I am also planning to use TNAPI and PF_RING with an Intel card on a PREEMPTIVE_KERNEL. So I have some questions. It would be great if you redirect me to some sources.

* Did you test Argus with TNAPI + PF_RING? Will it need any modifications for working with PREEMPTIVE_KERNEL and these drivers, or how can I use it to sniff a 1Gbit campus network? My Intel card is not an Endace card, it is an Intel Corporation 82572EI Gigabit Ethernet Controller. So with my commodity hardware (that is a dual core Pentium 4 with 4 GB RAM, an old IBM ThinkCentre workstation) I will be trying to collect the Gbit traffic.

* I will be saving some flow attributes to the database. These attributes will be like:
  - Total-num-pkt (Total number of packets in the flow)
  - Ave-pkt-len (The average packet size of a flow)
  - Pkts-sent (The number of packets sent for the flow)
  - Send-avelen (The average size of sent packets of a flow)
  - Send-var (The variance of sent packets' size)
  - Recv-avelen (The average size of received packets of a flow)
  - Recv-var (The variance of received packets' size)
  - Var-recv-size (The variance of received packets' size)
  - Duration (The duration of the flow)
  - Protocol (The protocol (TCP or UDP))
  - Send-port (The source port of a flow)
  - Recv-port (The destination port of a flow)
  - Pkts-ratio (The ratio of the number of sent and received packets)
  - Byte-ratio (The byte ratio of sent and received packets)
  - Num-SYN (The number of SYN packets)
  - Num-RST (The number of RST packets (rst))
  - Num-FIN (The number of FIN packets (fin))
  - Window-size (The average window size (window_size))
  - Window-var (The variance of the window size)

I know I can get most of these values. How about Num-SYN, Num-FIN and Num-RST?


* What should I do to extend Argus to save to a non-SQL database?

* Indeed, my plan is to apply a classifier algorithm to the attributes I got and do outlier detection. If it will be less painful, I may try to implement it directly in the Argus code, but I should mention that I will be preferring the time-saving option for now.

Thank you for now.
Cheers.

-- 
Oguz Yarimtepe <oguzyarimtepe at gmail.com>
http://about.me/oguzy
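Added example, not part of the thread and not Argus code: a Python sketch of how the flow attributes listed in the post (including the Num-SYN/RST/FIN counts asked about) can be derived from per-packet records of one flow. The packet record layout, the constructed sample connection and the convention that the sender of the first packet is the "send" side are assumptions of this example.

```python
from statistics import mean, pvariance

# Constructed sample flow (not Argus output): one TCP connection, client 10.0.0.5:40000 to
# server 10.0.0.9:443. Record fields: ts (s), src, dst, proto, frame length, TCP flags, window.
SAMPLE_FLOW = [
    dict(ts=0.000, src=("10.0.0.5", 40000), dst=("10.0.0.9", 443), proto="TCP", len=60, flags="S", win=65535),
    dict(ts=0.010, src=("10.0.0.9", 443), dst=("10.0.0.5", 40000), proto="TCP", len=60, flags="SA", win=28960),
    dict(ts=0.011, src=("10.0.0.5", 40000), dst=("10.0.0.9", 443), proto="TCP", len=52, flags="A", win=65535),
    dict(ts=0.020, src=("10.0.0.5", 40000), dst=("10.0.0.9", 443), proto="TCP", len=200, flags="PA", win=65535),
    dict(ts=0.050, src=("10.0.0.9", 443), dst=("10.0.0.5", 40000), proto="TCP", len=1500, flags="A", win=28960),
    dict(ts=0.060, src=("10.0.0.9", 443), dst=("10.0.0.5", 40000), proto="TCP", len=840, flags="FA", win=28960),
    dict(ts=0.061, src=("10.0.0.5", 40000), dst=("10.0.0.9", 443), proto="TCP", len=52, flags="RA", win=65535),
]

def _ave_var(values):
    """Average and population variance; both zero when a direction carried no packets."""
    values = list(values)
    return (mean(values), pvariance(values)) if values else (0.0, 0.0)

def _ratio(num, den):
    """Send/receive ratio; infinite for a one-sided flow rather than raising."""
    return num / den if den else float("inf")

def flow_attributes(packets):
    """Aggregate one flow's packet records; the sender of the first packet is the 'send' side."""
    if not packets:
        raise ValueError("empty flow")
    pkts = sorted(packets, key=lambda p: p["ts"])
    initiator = pkts[0]["src"]
    sent = [p for p in pkts if p["src"] == initiator]
    recv = [p for p in pkts if p["src"] != initiator]
    send_ave, send_var = _ave_var(p["len"] for p in sent)
    recv_ave, recv_var = _ave_var(p["len"] for p in recv)
    win_ave, win_var = _ave_var(p["win"] for p in pkts)
    # Flag counts only apply to TCP; UDP records are expected to carry an empty flags string.
    count_flag = lambda f: sum(1 for p in pkts if f in p["flags"])
    return {
        "Total-num-pkt": len(pkts),
        "Ave-pkt-len": mean(p["len"] for p in pkts),
        "Pkts-sent": len(sent),
        "Send-avelen": send_ave, "Send-var": send_var,
        "Recv-avelen": recv_ave, "Recv-var": recv_var,
        "Duration": pkts[-1]["ts"] - pkts[0]["ts"],
        "Protocol": pkts[0]["proto"],
        "Send-port": initiator[1], "Recv-port": pkts[0]["dst"][1],
        "Pkts-ratio": _ratio(len(sent), len(recv)),
        "Byte-ratio": _ratio(sum(p["len"] for p in sent), sum(p["len"] for p in recv)),
        "Num-SYN": count_flag("S"), "Num-RST": count_flag("R"), "Num-FIN": count_flag("F"),
        "Window-size": win_ave, "Window-var": win_var,
    }
```

Running `flow_attributes(SAMPLE_FLOW)` on the constructed flow yields 2 SYN (the SYN and the SYN-ACK), 1 FIN and 1 RST, which is the kind of per-flow count a classifier or outlier detector would consume.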


