Ourmon and Network Monitoring Performance
Ourmon is an open-source network management and anomaly detection system that has been developed over a period of several years at Portland State University. Ourmon monitors a target network both to highlight abnormal network traffic and measure normal traffic loads. In this paper, we describe the features and performance characteristics of Ourmon.
Ourmon features include a novel mechanism for running multiple concurrent Berkeley Packet Filter (BPF) expressions bound to a single RRDTOOL-style graph, as well as various types of "top talker" (top-N) filters aimed at conventional network flow measurements and anomaly detection. These features permit a variety of useful and easily understood measurements.
One problem that sniffer-based network monitor systems face is network-intensive attacks that can overwhelm monitoring and analysis resources. Lab experiments with an IXIA high-speed packet generator, as well as experiences with Ourmon in a real network environment, demonstrate this problem. Some recent modifications to Ourmon have greatly improved its performance. However, minimum-size packets in a high-speed network can still easily make a host lose packets even at relatively slow rates and low monitor workloads. We contend that small packet performance is a general network security problem faced by current monitoring systems including both open source systems such as Ourmon and Snort, and commercial systems.
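The abstract names three ideas: several BPF expressions evaluated concurrently against every packet with their match counts feeding one graph, top-N "talker" tables for flow measurement and anomaly detection, and the packet-rate problem that minimum-size frames create for a software monitor. The following Python script is an added illustration of all three and is not Ourmon's code; it assumes a hand-rolled Ethernet/IPv4 parser and plain Python predicates standing in for compiled BPF programs (the filter names are written in libpcap syntax only to show what each predicate corresponds to), and the traffic it processes is constructed inline, not captured.

```python
import struct
from collections import Counter
from dataclasses import dataclass

# Decoded fields a filter predicate or a top-N table needs.
@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int
    tcp_flags: int

def parse_ethernet_ipv4(frame: bytes):
    """Decode an Ethernet/IPv4 frame with a TCP or UDP header; return None if it is not one."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = frame[23]                            # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport = dport = flags = 0
    off = 14 + ihl                               # start of the transport header
    if proto in (6, 17) and len(frame) >= off + 4:
        sport, dport = struct.unpack("!HH", frame[off:off + 4])
        if proto == 6 and len(frame) >= off + 14:
            flags = frame[off + 13]              # TCP flags byte
    return Packet(src, dst, proto, sport, dport, len(frame), flags)

# Stand-ins for concurrent BPF expressions: every predicate is evaluated on each packet
# in a single pass, and each one owns a packet/byte counter (one curve on a shared graph).
FILTERS = {
    "tcp": lambda p: p.proto == 6,
    "udp": lambda p: p.proto == 17,
    "tcp port 80": lambda p: p.proto == 6 and 80 in (p.sport, p.dport),
    "tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0":
        lambda p: p.proto == 6 and bool(p.tcp_flags & 0x02) and not (p.tcp_flags & 0x10),
}
SYN_ONLY = list(FILTERS)[-1]  # the SYN-without-ACK expression doubles as the anomaly signal

class Monitor:
    def __init__(self, filters):
        self.filters = filters
        self.counts = {name: {"pkts": 0, "bytes": 0} for name in filters}
        self.talkers = Counter()       # bytes sent per source address (flow measurement)
        self.syn_senders = Counter()   # SYN-only packets per source (scan/flood indicator)

    def observe(self, frame: bytes):
        p = parse_ethernet_ipv4(frame)
        if p is None:
            return
        for name, pred in self.filters.items():   # all expressions, one packet pass
            if pred(p):
                self.counts[name]["pkts"] += 1
                self.counts[name]["bytes"] += p.length
        self.talkers[p.src] += p.length
        if self.filters[SYN_ONLY](p):
            self.syn_senders[p.src] += 1

    def top_talkers(self, n):
        return self.talkers.most_common(n)

    def top_syn_senders(self, n):
        return self.syn_senders.most_common(n)

def max_pps(link_bps: float, frame_bytes: int) -> float:
    """Frames per second a link can carry: 20 bytes of preamble plus inter-frame gap per frame."""
    return link_bps / ((frame_bytes + 20) * 8)

def build_frame(src, dst, proto, sport, dport, payload_len, tcp_flags=0x18) -> bytes:
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame for the demo (checksums left zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    payload = b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4 + payload

def build_sample_traffic():
    """Constructed sample: 3 HTTP data segments, 2 DNS queries, 5 bare SYNs from one host."""
    frames = [build_frame("10.0.0.1", "10.0.0.9", 6, 40000 + i, 80, 500) for i in range(3)]
    frames += [build_frame("10.0.0.2", "10.0.0.53", 17, 50000 + i, 53, 40) for i in range(2)]
    frames += [build_frame("10.0.0.3", "10.0.0.9", 6, 1000 + i, 22, 0, tcp_flags=0x02) for i in range(5)]
    return frames

def run_demo() -> Monitor:
    mon = Monitor(FILTERS)
    for frame in build_sample_traffic():
        mon.observe(frame)
    return mon

if __name__ == "__main__":
    m = run_demo()
    for name, c in m.counts.items():
        print(f"{name:60s} pkts={c['pkts']:3d} bytes={c['bytes']}")
    print("top talkers:", m.top_talkers(3))
    print("top SYN senders:", m.top_syn_senders(1))
    print(f"1 Gbit/s at 64-byte frames: {max_pps(1e9, 64):,.0f} pps")
```

The single-pass loop in `observe` is the point of the design: adding an expression costs one predicate evaluation per packet, not a second copy of the packet stream. The `max_pps` figure (about 1.49 million frames per second for 64-byte frames on a gigabit link) is the per-packet budget that a user-space loop like this one has to fit into, which is why the small-packet case in the abstract is the one that drops packets first.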
@inproceedings{CITATION-KEY-PLACEHOLDER,
  author    = {James R. Binkley and Bart Massey},
  title     = {Ourmon and Network Monitoring Performance},
  booktitle = {2005 USENIX Annual Technical Conference (USENIX ATC 05)},
  year      = {2005},
  address   = {Anaheim, CA},
  url       = {https://www.usenix.org/conference/2005-usenix-annual-technical-conference/ourmon-and-network-monitoring-performance},
  publisher = {USENIX Association},
  month     = apr
}