Figure 2 - uploaded by Chakchai So-In
6: Screen snapshot from MRTG

"Cricket" [Cricket06] is a free, high-performance system for monitoring trends in time-series data, written in Perl. "Cricket" has two components, a collector and a grapher. Like "MRTG", the "Cricket" collector (snmpget-like) runs from "cron" (a daemon that executes scheduled commands) and stores data in an RRD data structure. A web-based interface can be used to view graphs of the data. "Cricket" is developed on Solaris under Apache, but it works on Linux, HP-UX, variants of BSD, and Windows. "Interface Traffic Indicator" (Inftraf) by Carsten Schmidt [Inftraf 05] is another free network traffic monitoring tool running over SNMP for Windows. "Inftraf" requests in and out data (MIB2) from SNMP-capable network interfaces and graphs the incoming and outgoing traffic on an interface in bits per second, bytes per second, or utilization.


Source publication
Technical Report
From hundreds to thousands of computers, hubs to switched networks, and Ethernet to either ATM or 10Gbps

Citations

... Network traffic has been widely monitored and analyzed to study the network behavior, with many research papers [17,18], as well as several patents about this topic [19,20]. Use of statistics has been proposed to estimate parameters like bandwidth availability [21]. ...
Article
Server load estimation is key in balancing traffic between servers when optimizing data center resources. Intrusive methods are sometimes difficult or impossible to implement. Therefore, non-intrusive estimation methods are the best alternative in these cases. The objective of this paper is to present a server load estimation method based on external network traffic measurements obtained in a vantage point close to the server. Statistical distributions of TCP SYN response time, that is, the time from SYN to SYN+ACK segments at the server side, are used to fit Burr Type XII heavy tail distribution mixtures. The fitting algorithm, based on maximum likelihood estimation, is developed in detail in this paper. Experimental data shows that the median of the fitted distribution correlates within the 95% confidence interval of the server load figures and, thus, it can be used as a non-intrusive and accurate method to measure it. This new method can be applied to almost any existing load balancing algorithm, as it does not make any assumption about the server, which is considered a black box.
... Another issue is validating detection performance on unlabeled real-time data and substantiating the analytic results. Because the post-detection analysis process is crucial for monitoring and determining whether to identify intrusion traffic under a corporate policy, the outcome should be appropriately interpreted [7]. Therefore, tools and libraries for explainable artificial intelligence (XAI) based on ensemble algorithms, such as the local interpretable model agnostic explanation (LIME) and Shapley additive explanations (SHAP), have been widely used [8,9]. ...
... A monitoring system for network traffic is generally referred to as a network traffic monitoring analysis system [31]. Early research has focused on the method for supervising the transmission status and network traffic speed, for example, focusing on cases where the bandwidth is out of the general range and performing pattern analysis, such as file transfer protocol (FTP) and flow monitoring [7]. Furthermore, network traffic monitoring analysis has been developed to effectively analyze complex traffic transmitted over expanding networks due to cellular and high-capacity videos or images [31]. ...
Article
Intrusion detection involves identifying unauthorized network activity and recognizing whether the data constitute an abnormal network transmission. Recent research has focused on using semi-supervised learning mechanisms to identify abnormal network traffic to deal with labeled and unlabeled data in the industry. However, real-time training and classifying network traffic pose challenges, as they can lead to the degradation of the overall dataset and difficulties preventing attacks. Additionally, existing semi-supervised learning research might need to analyze the experimental results comprehensively. This paper proposes XA-GANomaly, a novel technique for explainable adaptive semi-supervised learning using GANomaly, an image anomalous detection model that dynamically trains small subsets to these issues. First, this research introduces a deep neural network (DNN)-based GANomaly for semi-supervised learning. Second, this paper presents the proposed adaptive algorithm for the DNN-based GANomaly, which is validated with four subsets of the adaptive dataset. Finally, this study demonstrates a monitoring system that incorporates three explainable techniques—Shapley additive explanations, reconstruction error visualization, and t-distributed stochastic neighbor embedding—to respond effectively to attacks on traffic data at each feature engineering stage, semi-supervised learning, and adaptive learning. Compared to other single-class classification techniques, the proposed DNN-based GANomaly achieves higher scores for Network Security Laboratory-Knowledge Discovery in Databases and UNSW-NB15 datasets at 13% and 8% of F1 scores and 4.17% and 11.51% for accuracy, respectively. Furthermore, experiments of the proposed adaptive learning reveal mostly improved results over the initial values. An analysis and monitoring system based on the combination of the three explainable methodologies is also described. 
Thus, the proposed method has the potential advantages to be applied in practical industry, and future research will explore handling unbalanced real-time datasets in various scenarios.
... Such a process is called traffic analysis (TA), a technique widely used in today's Internet. TA has been studied for decades, with myriad systems, tools, and algorithms [4]-[9] developed to serve different types of purposes, such as traffic measurement, traffic engineering, anomaly detection, and network surveillance. In early development of TA, traditional TA approaches were mainly designed for network traffic measurement/forecast [10]-[12], anomaly detection [13], and basic traffic classification [14]. ...
... TA approaches can further leverage these "log information" to measure network events, detect anomalies, and analyze network behaviors. Based on different information captured, these traffic capture engines can be classified into either packet-level or flow-level [4]. ...
Preprint
Fine-grained traffic analysis (FGTA), as an advanced form of traffic analysis (TA), aims to analyze network traffic to deduce information related to application-layer activities, fine-grained user behaviors, or traffic content, even in the presence of traffic encryption or traffic obfuscation. Different from traditional TA, FGTA approaches are usually based on sophisticated classification approaches such as machine learning and high-dimensional clustering, enabling them to discover subtle differences between different network traffic sets. Nowadays, with the increasingly complex Internet architecture, the increasingly frequent transmission of user data, and the widespread use of traffic encryption, FGTA is becoming an essential tool for both network administrators and attackers to gain different levels of visibility over the network. It plays a critical role in intrusion and anomaly detection, quality of experience investigation, user activity inference, website fingerprinting, location estimation, etc. To help scholars and developers research and advance this technology, in this survey paper, we examine the literature that deals with FGTA, investigating the frontier developments in this domain. By comprehensively surveying different approaches toward FGTA, we introduce their input traffic data, elaborate on their operating principles by different use cases, indicate their limitations and countermeasures, and raise several promising future research avenues.
... This program is designed primarily for students and people who prepare for the certification exams of Cisco Systems Corporation. Therefore, each person who wants to work with this program must possess in-depth knowledge and skills in the construction of small and large networks using the method of data static routing [1,2,3,4,8,10,11,15,17,19,20,21,22,24,27,33]. This paper is structured as follows. ...
... Thanks to this program each plain user, system and network administrator and cyber professionals could obtain detailed graphical information about the server and network devices. [4,13,14,15,17,24,26,30,31,33]. ...
... other interface FastEthernet (Fa0/1) with number network ID (Net ID) -10.10.1.64/27, interface FastEthernet (Fa0/0/0) for Cloud Internet and one interface Serial (Se0/1/0) with number network ID (Net ID) -10.10.1.96/27[20,21,22,24,25,30,31,32,33]. ...
Article
In this paper a small corporate building with four working computer departments using static routing is designed and made. Static routes are the most important step in the construction of any computer network. Subnetting is one of the best network tools with that each system and network administrator is able to divide one specific computer network into many subnetworks. Thereby, some network administrators, security professionals and network architects can use the free of charge software program Cisco Packet Tracer in order to design and administer different corporate computer networks.
... In [7] the software PRTG Network Monitor by Paessler, A. G. is explained. In [10] network traffic monitoring and analysis tools by Chakchai SO-IN are presented and classified. In [12] network monitoring based on flow measurement techniques by Michiel Uithol is performed. ...
... Most of the network devices like switches, routers, multilayer switches and firewalls support this protocol for scanning and monitoring the determined network. The version v2c and SNMP [9], [10], [11] port 161 were selected. The DNS server addresses were also entered. ...
... The message was "7% (Free Space D:) is below the error limit of 10%. The second sensor message was Teredo Tunneling Pseudo-Interface and his status was also in down state [2], [5], [10]. The warning message was "Could not log in using the specified credentials. ...
Article
In this paper a comprehensive scanning and monitoring the suspicious states in determined computer networks is made. Most of the computer and network problems with many vulnerabilities are connected. Therefore it is advisable to scan the entire computer network in order to detect weaknesses and accordingly be taken precautions. Thanks to the many malicious users will not be able to penetrate in the relevant computer network and to gain access to computer resources.
... This program is designed primarily for students and people who prepare for the certification exams of Cisco Systems Corporation. Therefore, each person who wants to work with this program must possess in-depth knowledge and skills in the construction of small and large networks using the dynamic routing protocol -RIP [2,5,13,17,22,23,24,30,31,32]. This paper is structured as follows. ...
... Initially was necessary to be enumerated the network devices and hosts. The computer network has consisted of the following items [30,31,32,33] [2,4,6,8,9,10,11,16,17,18,19,20,21,22,23,24,25]. ...
... As is shown in Fig.1 the connection between routers "office 2" and "office 3" is serial and router "office 3" is a DCE device, that provides a clocking data signal used to synchronize data transmission between DCE and DTE devices. The clock data rate is configured to be 2000000 bit per second [1,4,6,7,8,12,13,14,18,19,22,23,24,25]. ...
Article
In this paper a small corporate building with four working computer departments using dynamic routing protocol - RIP is designed and made. Dynamic routes are the most important step in the construction of any computer network. Subnetting is one of the best network tools with that each system and network administrator is able to divide one specific computer network into many subnetworks. Thereby, some network administrators, security professionals and network architects can use the free of charge software program Cisco Packet Tracer in order to design and administer different corporate computer networks.
... TA has been studied for decades, with myriad systems, tools, and algorithms [4]-[9] developed to serve different types of purposes, such as traffic measurement, traffic engineering, anomaly detection, and network surveillance. In early development of TA, traditional TA approaches were mainly designed for network traffic measurement/forecast [10]-[12], anomaly detection [13], and basic traffic classification [14]. ...
... TA approaches can further leverage these "log information" to measure network events, detect anomalies, and analyze network behaviors. Based on different information captured, these traffic capture engines can be classified into either packet-level or flow-level [4]. ...
Technical Report
Fine-grained traffic analysis (FGTA), as an advanced form of traffic analysis (TA), aims to analyze network traffic to deduce information related to application-layer activities, fine-grained user behaviors, or traffic content, even in the presence of traffic encryption or traffic obfuscation. Different from traditional TA, FGTA approaches are usually based on machine learning or high-dimensional clustering, enabling them to discover subtle differences between different network traffic sets. Nowadays, with the increasingly complex Internet architecture, the increasingly frequent transmission of user data, and the widespread use of traffic encryption, FGTA is becoming an essential tool for both network administrators and attackers to gain different levels of visibility over the network. It plays a critical role in intrusion and anomaly detection, quality of experience investigation, user activity inference, website fingerprinting, location estimation, etc. To help scholars and developers research and advance this technology, in this report, we examine the literature that deals with FGTA, investigating the frontier developments in this domain. By comprehensively surveying different approaches toward FGTA, we introduce their input traffic data, elaborate on their operating principles by different use cases, indicate their limitations and countermeasures, and raise several promising future research avenues.
... All companies that offer network services (ISPs, server hosting services etc.) use mechanisms to monitor link utilization. These mechanisms usually involve network interface monitoring and collection of performance statistics (e.g. with SNMP [1]), monitoring of flows (e.g. with NetFlow [2], sFlow [3], etc.) or capturing packets and further analyzing them with a specific tool [4]. Detection of high network utilization is a problem that needs to be addressed efficiently since it usually causes packet loss, increased latency due to buffering of packets, and interference with TCP's congestion-avoidance algorithms. ...
Preprint
Predicting the bandwidth utilization on network links can be extremely useful for detecting congestion in order to correct them before they occur. In this paper, we present a solution to predict the bandwidth utilization between different network links with a very high accuracy. A simulated network is created to collect data related to the performance of the network links on every interface. These data are processed and expanded with feature engineering in order to create a training set. We evaluate and compare three types of machine learning algorithms, namely ARIMA (AutoRegressive Integrated Moving Average), MLP (Multi Layer Perceptron) and LSTM (Long Short-Term Memory), in order to predict the future bandwidth consumption. The LSTM outperforms ARIMA and MLP with very accurate predictions, rarely exceeding a 3% error (40% for ARIMA and 20% for the MLP). We then show that the proposed solution can be used in real time with a reaction managed by a Software-Defined Networking (SDN) platform.
... All companies that offer network services (ISPs, server hosting services etc.) use mechanisms to monitor link utilization. These mechanisms usually involve network interface monitoring and collection of performance statistics (e.g. with SNMP [106]), monitoring of flows (e.g. with NetFlow [107], sFlow [108], etc.) or capturing packets and further analyzing them with a specific tool [109]. Detection of high network utilization is a problem that needs to be addressed efficiently since it usually causes packet loss, increased latency due to buffering of packets, and interference with TCP's congestion-avoidance algorithms. ...
Thesis
In recent years, hacking has become an industry unto itself, increasing the number and diversity of cyber attacks. Threats on computer networks range from malware to denial of service attacks, phishing and social engineering. An effective cyber security plan can no longer rely solely on antiviruses and firewalls to counter these threats: it must include several layers of defence. Network-based Intrusion Detection Systems (IDSs) are a complementary means of enhancing security, with the ability to monitor packets from OSI layer 2 (Data link) to layer 7 (Application). Intrusion detection techniques are traditionally divided into two categories: signature-based (or misuse) detection and anomaly detection. Most IDSs in use today rely on signature-based detection; however, they can only detect known attacks. IDSs using anomaly detection are able to detect unknown attacks, but are unfortunately less accurate, which generates a large number of false alarms. In this context, the creation of precise anomaly-based IDS is of great value in order to be able to identify attacks that are still unknown. In this thesis, machine learning models are studied to create IDSs that can be deployed in real computer networks. Firstly, a three-step optimization method is proposed to improve the quality of detection: 1/ data augmentation to rebalance the dataset, 2/ parameters optimization to improve the model performance and 3/ ensemble learning to combine the results of the best models. Flows detected as attacks can be analyzed to generate signatures to feed signature-based IDS databases. However, this method has the disadvantage of requiring labelled datasets, which are rarely available in real-life situations. Transfer learning is therefore studied in order to train machine learning models on large labeled datasets, then finetune them on benign traffic of the network to be monitored.
This method also has flaws since the models learn from already known attacks, and therefore do not actually perform anomaly detection. Thus, a new solution based on unsupervised learning is proposed. It uses network protocol header analysis to model normal traffic behavior. Anomalies detected are then aggregated into attacks or ignored when isolated. Finally, the detection of network congestion is studied. The bandwidth utilization between different links is predicted in order to correct issues before they occur.
... Network analysis is a process of capturing network traffic and examining it deeply to decide what is the occurrence in the network. Network analysis is identified by numerous other names: network analysis, protocol analysis, packet analysis and others [1]. Network traffic analysis is a set of methods that are consecutively utilised to understand the nature of traffic on a per-packet or per-level basis. ...
... The non-crisp FCM gives a varying membership value to the objects in the same cluster. The equation [1] is represented as FCM. The figure displays how FCM algorithm clusters the objects. ...
Article
Network traffic analysis and predictions have become vital for monitoring networks. Network prediction is the process of capturing network traffic and examining it deeply to decide what is the occurrence in the network. The accuracy of analysis and estimation of network traffic are increasingly becoming significant in achieving guaranteed Quality of Service (QoS) in the network. The main aim of the presented research is to propose a new methodology to improve network traffic prediction by using sequence mining. The significance of this important topic lies in the urge to contribute to solving the research problem in network traffic prediction intelligently. We propose an integrated model that combines clustering with existing series models to enhance prediction the network traffic. Clustering granules are obtained using fuzzy c-means to analyze the network data for improving the existing time series. The novelty of the proposed research has used the clustering approach to handle the ambiguity from the entire network data for enhancing the existing time series models. Furthermore, we have suggested using the weighted exponential smoothing model as preprocessing stages for increasing the reliability of the proposed model. In this research paper, machine intelligence proposed to predict network traffic. The machine intelligence is working as pre-processing for enhancing the existing time series models. The machine intelligence combines non-crisp Fuzzy-C-Means (FCM) clustering and the weight exponential method for improving deep learning Long Short-Time Memory (LSTM) and Adaptive Neuro-Fuzzy Inference System (ANFIS) time series models. The ANFIS and LSTM time series models are applied to predict network traffic. Two real network traffic traces were conducted to test the proposed time series models. The empirical results of proposed to enhanced LSTM 97.95% and enhanced ANFIS model is R=96.78% for cellular traffic data, with respect to the correlation indicator.
It is observed that the proposed model outperforms alternative time series models. A comparative prediction results between the proposed model and existing time series models are presented. The comparisons indicate that the presented model outperforms the opponent models; the proposed method optimises the deep learning LSTM and ANFIS time series models. The proposed methodology offers more effective approach to the prediction of network traffic.