
Publications about the Time Machine

Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic
Citation key KPDFS-BTMERRHNT-05
Author Kornexl, Stefan and Paxson, Vern and Dreger, Holger and Feldmann, Anja and Sommer, Robin
Title of Book IMC '05: Proceedings of the 5th ACM SIGCOMM Internet Measurement Conference
Pages 267–272
Year 2005
Location Berkeley, CA, USA
Address New York, NY, USA
Publisher ACM Press
Abstract There are times when it would be extraordinarily convenient to record the entire contents of a high-volume network traffic stream, in order to later "travel back in time" and inspect activity that has only become interesting in retrospect. Two examples are security forensics (determining just how an attacker compromised a given machine) and network trouble-shooting, such as inspecting the precursors to a fault after the fault. We describe the design and implementation of a Time Machine to efficiently support such recording and retrieval. The efficiency of our approach comes from leveraging the heavy-tailed nature of network traffic: because the bulk of the traffic in high-volume streams comes from just a few connections, by constructing a filter that records only the first N bytes of each connection we can greatly winnow down the recorded volume while still retaining both small connections in full, and the beginnings of large connections (which often suffices). The system is designed for operation in Gbps environments, running on commodity hardware. It can hold a few minutes of a high volume stream in RAM, and many hours to days on disk; the user can flexibly configure its operation to suit the site's nature. We present simulation and operational results from three distinct Gbps production environments exploring the feasibility and efficiency of a Time Machine implementation. The system has already proved useful in enabling analysis of a break-in at one of the sites.
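The per-connection cutoff the abstract describes, as an added illustration that is not code from the paper or the Time Machine project: a constructed trace of many small "mouse" connections and two large "elephant" connections is passed through a filter that keeps packets of a connection only while fewer than N bytes of it have been recorded, and the summary shows how much volume is dropped while every small connection survives in full. The packet model (connection id, payload size), the cutoff rule and the sample sizes are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[str, int]  # (connection id, payload bytes); constructed model, not the paper's format


def cutoff_filter(packets: Iterable[Packet], cutoff: int):
    """Record each packet only while its connection has fewer than `cutoff` recorded bytes.

    Returns (kept packets, total bytes per connection, recorded bytes per connection).
    Assumption: a packet that crosses the cutoff is still recorded whole.
    """
    seen: Dict[str, int] = defaultdict(int)
    recorded: Dict[str, int] = defaultdict(int)
    kept: List[Packet] = []
    for conn, size in packets:
        seen[conn] += size
        if recorded[conn] < cutoff:
            recorded[conn] += size
            kept.append((conn, size))
    return kept, dict(seen), dict(recorded)


def summarize(seen: Dict[str, int], recorded: Dict[str, int]) -> Dict[str, float]:
    """Volume reduction and how many connections were retained in full."""
    total = sum(seen.values())
    kept_bytes = sum(recorded.get(c, 0) for c in seen)
    complete = sum(1 for c in seen if recorded.get(c, 0) == seen[c])
    return {"connections": len(seen), "complete": complete, "total_bytes": total,
            "recorded_bytes": kept_bytes, "fraction_recorded": kept_bytes / total}


def sample_trace() -> List[Packet]:
    """Constructed heavy-tailed trace: 20 mice (3 x 200 B) and 2 elephants (100 x 1400 B)."""
    pkts: List[Packet] = []
    for i in range(20):
        pkts += [(f"mouse{i}", 200)] * 3
    for j in range(2):
        pkts += [(f"elephant{j}", 1400)] * 100
    return pkts


def run_demo(cutoff: int = 10_000) -> Dict[str, float]:
    kept, seen, recorded = cutoff_filter(sample_trace(), cutoff)
    stats = summarize(seen, recorded)
    stats["kept_packets"] = len(kept)
    return stats


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With a 10 kB cutoff the elephants contribute only their first eight packets each, so the recorded volume falls to roughly 12% of the trace while all 20 small connections remain complete.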
