VAST: A Unified Platform for Interactive Network Forensics
Matthias Vallentin, University of California, Berkeley; Vern Paxson, University of California, Berkeley, and International Computer Science Institute; Robin Sommer, International Computer Science Institute and Lawrence Berkeley National Laboratory
Network forensics and incident response play a vital role in site operations, but for large networks can pose daunting difficulties to cope with the ever-growing volume of activity and resulting logs. On the one hand, logging sources can generate tens of thousands of events per second, which a system supporting comprehensive forensics must somehow continually ingest. On the other hand, operators greatly benefit from interactive exploration of disparate types of activity when analyzing an incident.
In this paper, we present the design, implementation, and evaluation of VAST (Visibility Across Space and Time), a distributed platform for high-performance network forensics and incident response that provides both continuous ingestion of voluminous event streams and interactive query performance. VAST leverages a native implementation of the actor model to scale both intra-machine across available CPU cores, and inter-machine over a cluster of commodity systems.
author = {Matthias Vallentin and Vern Paxson and Robin Sommer},
title = {{VAST}: A Unified Platform for Interactive Network Forensics},
booktitle = {13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16)},
year = {2016},
isbn = {978-1-931971-29-4},
address = {Santa Clara, CA},
pages = {345--362},
url = {https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/vallentin},
publisher = {USENIX Association},
month = mar
}