System Functions

Internet Traffic Analysis

Once users define the Internet boundary according to the network topology, Internet Traffic Modeling automatically classifies the traffic into and out of the Internet and generates analysis reports of three kinds: summary, breakdown, and attribute. The summary report gathers the total quantities of Internet traffic, such as Into Home and Out of Home; the breakdown report analyzes specific Internet traffic further, such as the Internet traffic to/from each sub-network or the Internet traffic originated from different ASes; the attribute report focuses on common attributes such as application, protocol, and port number.

Neighbor AS Traffic Analysis

Once users define the Neighbor AS boundary according to the network topology, Neighbor AS Traffic Modeling automatically classifies the traffic exchanged with the Home network through each neighbor AS and generates summary, breakdown, and attribute reports. The summary report compares the traffic between the Home network and each neighbor AS and details the traffic of each neighbor AS; the breakdown report analyzes specific neighbor AS traffic further, such as the traffic of a specific neighbor AS into/out of each sub-network or other neighbor ASes, and the BGP message traffic; the attribute report focuses on common attributes such as application, protocol, and port number.

Backbone Traffic Analysis

Once users define the Backbone boundary according to the network topology, Backbone Traffic Modeling automatically classifies the backbone traffic and generates summary and core router reports. The summary report analyzes the traffic into/out of the backbone network, including the Home to Home traffic (also called the On-net traffic), the Internet to Home traffic (the traffic from the Internet through the backbone to Home, also called the Off-net In traffic), and the Home to Internet traffic (the traffic from Home through the backbone to the Internet, also called the Off-net Out traffic); the core router report includes a traffic summary for each core router and detailed traffic information for a specific core router.

Router Traffic Analysis

The Router Traffic analysis monitors the traffic and status of all routers subscribed to the system. Once a router has been subscribed, its monitoring proceeds automatically. In addition to monitoring the router's utilization, Router Traffic Modeling also analyzes and compares the data-link-layer traffic of all interfaces on each router.

Sub-Network Traffic Analysis

Once users define the Sub-Network boundary according to the network topology, Sub-Network Traffic Modeling automatically classifies the traffic into/out of each sub-network and generates summary, breakdown, and attribute reports. The summary report compares the total traffic of each sub-network and details the traffic of each sub-network, such as the traffic from the Home network or the Internet to a specific sub-network; the breakdown report analyzes specific sub-network traffic further, such as the traffic of a specific sub-network into/out of each other sub-network or neighbor AS; the attribute report focuses on common attributes such as application, protocol, and port number.

Customer Traffic Analysis

Once users define the Customer boundary according to the network topology, Customer Traffic Modeling automatically classifies the traffic into/out of the Customer network, detects anomalous traffic, and generates analysis reports as well as detailed anomaly event reports. Furthermore, users authorized for a specific Customer can use Snapshot to analyze the real-time traffic status of that Customer.

Snapshot

The "Snapshot" function analyzes the real-time traffic status in a specified area: a Top-N snapshot report is generated instantly, with detailed information presented as a pie chart and as a table for timely reference. A snapshot is triggered by a specified traffic scope together with analysis criteria such as [IP Block], [Protocol+Port], [Interface], [Peer AS], [Origin AS], [BGP Community], [TCP Flag], or [TOS Value]. The Top-N report ranks the traffic instantly by volume (bps), packets (pps), and sessions (fps). Through this real-time ranking, users have the latest information at hand and can discover abnormal traffic, including its sources, destinations, and traffic characteristics, in time.

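The two flow-analysis steps described above, the Home/Internet direction classes of the Backbone Traffic Analysis summary report and the Snapshot Top-N ranking by bps, pps and fps, as an added example in Python. This is not GenieATM code; the Home prefixes, the flow record layout and the 60-second sample window are constructed assumptions, and the "Transit" class for flows with neither end in Home is our own name. The sample shows why Snapshot ranks by three metrics: the SYN-style flood tops the pps and fps rankings while a single bulk transfer tops bps.

```python
"""Added example (not GenieATM code): classify sampled flow records against a
Home boundary and build a Snapshot-style Top-N report ranked by bps/pps/fps."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed Home boundary (assumption): the prefixes the operator defined as Home.
HOME_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Flow:
    """One exported flow record (fields modelled on common NetFlow v5 keys)."""
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    octets: int
    peer_as: int  # neighbour AS the flow entered from or left to (0 = on-net)


def is_home(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in HOME_PREFIXES)


def classify(flow: Flow) -> str:
    """Direction classes named in the Backbone Traffic Analysis description."""
    src_home, dst_home = is_home(flow.src), is_home(flow.dst)
    if src_home and dst_home:
        return "On-net"          # Home to Home
    if dst_home:
        return "Off-net In"      # Internet to Home
    if src_home:
        return "Off-net Out"     # Home to Internet
    return "Transit"             # neither end is Home (class name is our assumption)


def rates(octets: int, packets: int, flows: int, window_sec: float) -> dict:
    return {"bps": octets * 8 / window_sec,
            "pps": packets / window_sec,
            "fps": flows / window_sec}


def direction_summary(flows, window_sec):
    """Summary report: total bps/pps/fps per direction class over the window."""
    agg = defaultdict(lambda: [0, 0, 0])   # octets, packets, flow count
    for f in flows:
        a = agg[classify(f)]
        a[0] += f.octets
        a[1] += f.packets
        a[2] += 1
    return {cls: rates(*a, window_sec) for cls, a in agg.items()}


def top_n(flows, key_fn, window_sec, n=3, criteria=None):
    """Snapshot Top-N: filter by `criteria`, group by `key_fn`, rank by each metric."""
    keep = criteria or (lambda f: True)
    agg = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        if keep(f):
            a = agg[key_fn(f)]
            a[0] += f.octets
            a[1] += f.packets
            a[2] += 1
    rows = {k: rates(*a, window_sec) for k, a in agg.items()}
    return {m: sorted(rows.items(), key=lambda kv: kv[1][m], reverse=True)[:n]
            for m in ("bps", "pps", "fps")}


def constructed_flows():
    """Constructed 60 s sample: a SYN-style flood plus a few ordinary flows."""
    flows = [Flow(f"198.51.{i // 250}.{i % 250 + 1}", "10.1.2.3", 6, 80, 3, 120, 64500)
             for i in range(3000)]                                  # many tiny flows, one target
    flows.append(Flow("10.2.0.9", "203.0.113.10", 6, 443, 2000, 3_000_000, 64501))  # bulk upload
    flows.append(Flow("203.0.113.77", "10.4.4.4", 6, 443, 900, 1_200_000, 64500))   # inbound HTTPS
    flows.append(Flow("10.1.1.1", "10.3.3.3", 17, 53, 200, 20_000, 0))              # on-net DNS
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for cls, r in direction_summary(flows, 60).items():
        print(f"{cls:12s} {r['bps'] / 1e6:8.3f} Mbps {r['pps']:8.1f} pps {r['fps']:6.2f} fps")
    # Snapshot with criteria [Protocol+Port] = TCP, keyed by destination host
    report = top_n(flows, lambda f: f.dst, 60, criteria=lambda f: f.proto == 6)
    for metric, rows in report.items():
        print(metric, [(k, round(v[metric], 1)) for k, v in rows])
```

Keying `top_n` by `peer_as` or `dport` instead of `dst` gives the [Peer AS] and [Protocol+Port] views; the direction summary is the page's Into/Out of Home totals computed the same way.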
Anomaly Traffic Detection

GenieATM 6000 not only supports network-wide traffic analysis but also provides high-precision anomaly detection, which detects abnormal traffic such as DoS/DDoS attacks or incorrect routing configuration before it degrades or disables network service, and promptly notifies network operators so that damage can be prevented or contained. GenieATM 6000 provides several detection models and techniques. For specific traffic scopes there are Traffic Anomaly Detection, Protocol-Misuse Anomaly Detection, and Application Anomaly Detection; for network devices (routers) there are Interface Traffic Anomaly Detection, BGP Update Message Anomaly Detection, and BGP Hijack Analysis. Together these models cover both known attacks, matched by built-in rules and signatures, and previously unseen anomalies, detected as deviations from a learned baseline.
- Traffic Anomaly Detection dynamically builds a traffic baseline from normal network traffic and then analyzes traffic against this baseline to detect anomalies, so that attacks are found in time.
- Protocol-Misuse Anomaly Detection detects protocol-misuse anomalies and DoS/DDoS attacks by matching the abnormal-protocol rules built into the system.
- Application Anomaly Detection detects known network attacks such as worms and DoS/DDoS attacks by matching built-in or user-defined attack flow signatures.
- Interface Traffic Anomaly Detection is an SNMP-polling-based baseline detection model that supports L2 network analysis. The interface measurements include throughput, packets, interface utilization, CRC errors, discards, and the percentage of multicast plus broadcast traffic.
- BGP Update Message Anomaly Detection analyzes the routing update messages from BGP routers and issues an anomaly notification when the number of update messages exceeds the expected level.
- BGP Hijack Analysis analyzes and compares the routing announcements retrieved from BGP routers to determine whether a BGP hijack has occurred, and issues a notification immediately when one is detected.

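The two router-side BGP checks listed above, BGP Update Message Anomaly Detection and BGP Hijack Analysis, as an added example in Python. It is not GenieATM code and the page does not say how the product represents expected routes; the example assumes an operator-maintained table of prefixes and their legitimate origin ASes, a constructed UPDATE stream, and a threshold of 100 updates per peer per 60 seconds. It goes slightly beyond the text by distinguishing an exact-prefix origin change from a more-specific announcement, since the latter wins longest-prefix routing even when the covering prefix is still announced correctly.

```python
"""Added example (not GenieATM code): BGP hijack analysis and UPDATE-rate anomaly
detection over a constructed stream of BGP UPDATE messages."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed expectation table (assumption): prefixes the operator is responsible
# for, each mapped to the set of origin ASes allowed to announce it.
EXPECTED_ORIGINS = {
    ip_network("192.0.2.0/24"): {64496},
    ip_network("198.51.100.0/24"): {64497, 64498},   # legitimately multi-origin
}

# Constructed UPDATE stream: (time_sec, peer, prefix, AS path); path[-1] is the origin.
SAMPLE_UPDATES = [
    (0, "peer-64510", "192.0.2.0/24", [64510, 64496]),            # normal
    (5, "peer-64510", "198.51.100.0/24", [64510, 64497]),         # normal, allowed origin
    (9, "peer-64511", "192.0.2.0/24", [64511, 64666]),            # wrong origin: hijack
    (12, "peer-64511", "198.51.100.128/25", [64511, 64666]),      # more-specific from foreign AS
    (15, "peer-64510", "198.51.100.0/25", [64510, 64498]),        # more-specific from an owner
    (20, "peer-64512", "203.0.113.0/24", [64512, 64499]),         # not our prefix: ignored
] + [(30 + i // 20, "peer-64513", "192.0.2.0/24", [64513, 64496])  # flapping: 200 updates
     for i in range(200)]


def hijack_findings(updates, expected=EXPECTED_ORIGINS):
    """BGP Hijack Analysis: compare each announced prefix/origin with the expected
    table. Exact prefix with a foreign origin and more-specifics from a foreign
    origin raise an alarm; more-specifics from an allowed origin are reported only."""
    findings = []
    # Longest expected prefix first, so the most specific expectation applies.
    table = sorted(expected.items(), key=lambda kv: kv[0].prefixlen, reverse=True)
    for t, peer, prefix_s, path in updates:
        prefix = ip_network(prefix_s)
        origin = path[-1]
        for epfx, origins in table:
            if prefix.version != epfx.version or not prefix.subnet_of(epfx):
                continue
            exact = prefix == epfx
            if origin not in origins:
                kind = "origin hijack" if exact else "more-specific hijack"
            elif not exact:
                kind = "more-specific from expected origin"   # usually traffic engineering
            else:
                break                                          # expected route: normal
            findings.append({"time": t, "peer": peer, "prefix": str(prefix),
                             "covering": str(epfx), "origin": origin,
                             "expected": sorted(origins), "kind": kind,
                             "alarm": kind.endswith("hijack")})
            break
    return findings


def update_rate_anomalies(updates, window_sec=60, max_updates=100):
    """BGP Update Message Anomaly Detection: updates per peer per window above a
    threshold (assumed value), which catches flapping or a misconfigured peer."""
    counts = defaultdict(int)
    for t, peer, _prefix, _path in updates:
        counts[(peer, int(t // window_sec))] += 1
    return [{"peer": peer, "window_start": w * window_sec, "updates": c}
            for (peer, w), c in sorted(counts.items()) if c > max_updates]


if __name__ == "__main__":
    for f in hijack_findings(SAMPLE_UPDATES):
        flag = "ALARM" if f["alarm"] else "info "
        print(f"{flag} t={f['time']:>3} {f['peer']} {f['prefix']:<18} origin AS{f['origin']} "
              f"({f['kind']}; expected {f['expected']} for {f['covering']})")
    for a in update_rate_anomalies(SAMPLE_UPDATES):
        print(f"ALARM {a['peer']}: {a['updates']} updates in window starting {a['window_start']}s")
```

In practice the expected-origin table would be derived from the operator's own address allocations or from RPKI ROAs rather than typed by hand, and the update threshold should be set per peer from the observed baseline rather than a single fixed value.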
Anomaly Report/Tracing/Mitigation

GenieATM 6000 not only generates detailed reports for each detected anomaly but also traces back the attack sources and provides case-handling suggestions for the detected anomalies, including those resulting from improper operation.
GenieATM 6000 divides the detected anomalies into two categories of alarms: Anomaly Events and Alert Events. The Anomaly Event alarm lists all abnormal traffic detected against traffic baselines; conversely, the Alert Event alarm lists the anomalies detected by means other than traffic baselines, such as rule and signature matches. The system provides an at-a-glance Status summary console that assembles all detected anomalies so that users can quickly grasp the latest overall status.
In addition, the Snapshot function is integrated into the alarm system, so real-time anomaly tracing can be performed conveniently. Users can take a traffic snapshot aimed at a detected anomaly with a specific scope, and every characteristic of the anomaly is then revealed in detail; this makes it much easier to confirm or dismiss a detection.
After confirming the traffic problem, GenieATM provides several measures for mitigating and resolving the detected threats. The mitigation options include suggested ACL commands, black-hole routing, and integration with third-party traffic cleaning devices (e.g. Cisco Guard).
Network operators consequently save time collecting relevant information and can act against the attacks in time, limiting further damage and achieving security inspection and fault management.
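The baseline-based Traffic Anomaly Detection described in the previous section, the Anomaly Event versus Alert Event split described here, and the ACL / black-hole mitigation suggestions, as one added example in Python. None of this is GenieATM code: the sliding-window mean plus three standard deviations baseline, the two protocol-misuse rules, the per-interval counters and the Cisco IOS-style suggestion syntax are all assumptions, since the page names the models but not their internals. One design point the example makes explicit: samples that breach the baseline are not fed back into it, otherwise a sustained flood would raise the baseline until it hid itself.

```python
"""Added example (not GenieATM code): baseline-based Anomaly Events, rule-based
Alert Events, and mitigation suggestions for a confirmed event."""
import math
from collections import deque
from statistics import mean, pstdev


class ScopeBaseline:
    """Sliding-window baseline for one metric (here bps) of one traffic scope."""

    def __init__(self, window=24, k=3.0, floor_bps=1_000_000, min_samples=12):
        self.hist = deque(maxlen=window)   # recent *normal* samples only
        self.k, self.floor, self.min_samples = k, floor_bps, min_samples

    def threshold(self):
        if len(self.hist) < self.min_samples:
            return None                    # still learning: no detection yet
        # floor keeps a tiny, quiet scope from alarming on noise
        return max(self.floor, mean(self.hist) + self.k * pstdev(self.hist))

    def observe(self, bps):
        """True if bps breaches the baseline. Breaching samples are NOT learned,
        so an attack that persists cannot lift the baseline over itself."""
        thr = self.threshold()
        if thr is not None and bps > thr:
            return True
        self.hist.append(bps)
        return False


# Constructed protocol-misuse rules (assumption), evaluated on per-interval counters.
RULES = {
    "SYN-only share": lambda c: c["tcp_pkts"] and c["syn_only_pkts"] / c["tcp_pkts"] > 0.5,
    "ICMP share":     lambda c: c["pkts"] and c["icmp_pkts"] / c["pkts"] > 0.2,
}


def detect(scope, samples, baseline):
    """samples: per-interval counter dicts. Returns events in the page's two
    categories: Anomaly Event (baseline) and Alert Event (rule match)."""
    events = []
    for s in samples:
        if baseline.observe(s["bps"]):
            events.append({"category": "Anomaly Event", "scope": scope, "t": s["t"],
                           "bps": s["bps"], "threshold": baseline.threshold()})
        for name, rule in RULES.items():
            if rule(s):
                events.append({"category": "Alert Event", "scope": scope,
                               "t": s["t"], "rule": name})
    return events


def mitigation_suggestions(target_ip, proto="tcp", port=80):
    """Illustrative suggestions in Cisco IOS syntax (assumption: the page does not
    state the format). The black hole drops ALL traffic to the host, so it
    completes the DoS for that host and is a last resort; the ACL is narrower."""
    return {
        "acl": [f"access-list 150 deny {proto} any host {target_ip} eq {port}",
                "access-list 150 permit ip any any"],
        "blackhole": [f"ip route {target_ip} 255.255.255.255 Null0"],
    }


def constructed_samples():
    """Constructed series: 24 clean intervals near 50 Mbps, a 3-interval SYN
    flood at 300 Mbps, then one normal interval after the flood stops."""
    def interval(t, bps, pkts, tcp, syn, icmp):
        return {"t": t, "bps": bps, "pkts": pkts, "tcp_pkts": tcp,
                "syn_only_pkts": syn, "icmp_pkts": icmp}
    clean = [interval(i, 50e6 + 3e6 * math.sin(i), 6000, 5000, 200, 50) for i in range(24)]
    flood = [interval(24 + i, 300e6, 900_000, 890_000, 880_000, 50) for i in range(3)]
    after = [interval(27, 52e6, 6000, 5000, 200, 50)]
    return clean + flood + after


if __name__ == "__main__":
    baseline = ScopeBaseline()
    for e in detect("customer-A", constructed_samples(), baseline):
        print(e)
    # after Snapshot confirms the target, hand the operator concrete options
    for kind, lines in mitigation_suggestions("10.1.2.3").items():
        print(kind, lines)
```

The flood intervals produce both an Anomaly Event (bps above the baseline) and an Alert Event (SYN-only share above 50%), which is the double confirmation an operator would look for before accepting an ACL suggestion; the post-flood interval at 52 Mbps is silent because the flood was never learned into the baseline.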
NetFlow™ is a trademark of Cisco Systems, Inc.
NetStream™ is a trademark of Huawei-3Com Technology Co., Ltd.
sFlow® is a registered trademark of InMon Corp.