The networking group focuses on research related to the Aurora traffic
profiling and visualization system. Aurora is a NetFlow/IPFIX collector
optimized for processing flow records at high data rates. More details
on Aurora, along with technical specifications and tutorials, can be
found on the Aurora page. We are researching problems related to
processing, analyzing, and visualizing large NetFlow datasets.
Anomaly detection
Our anomaly detection research focuses on techniques for identifying
network anomalies, such as attacks, failures, or misconfigurations, by
online analysis of network flow data. Unlike traditional intrusion
detection systems (IDS) that rely on attack signatures, we are
interested in statistically modeling normal network behavior and in
identifying deviations from the modeled behavior. Thus, anomaly
detection aims at identifying both known and new, unknown anomalies.
Moreover, we are interested in the related problem of network
forensics, i.e., identifying suspicious events from archived flow data.
For more information, please check the relevant papers.
Data structures and efficient processing algorithms
Computer networks typically generate several Gbytes of NetFlow/IPFIX
packets that have to be processed, analyzed, and archived efficiently.
In this context, we have been working on (1) aggregation databases for
summarizing flow data over long periods of weeks or months; (2)
optimized Bloom filters and sketches for computing useful statistics
without keeping per-flow state; and (3) efficient algorithms for
finding the heavy-hitter flows of a network. For more information,
please check the relevant papers.
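As an added example of points (2) and (3) above, the block below uses a Count-Min sketch to find heavy-hitter flows by bytes without keeping one counter per flow key. It is not Aurora code; the sketch sizes, the flow-key format (src>dst:port) and the constructed flow records are assumptions for the example. The sketch keeps depth x width counters regardless of how many distinct flows pass through, and its estimates never undercount, so a small candidate set checked against the final threshold is guaranteed to contain every true heavy hitter.

```python
"""Count-Min sketch heavy-hitter detection over flow records.

Added example, not Aurora code. Flow records below are constructed.
"""
import hashlib
from collections import Counter


class CountMinSketch:
    """depth rows of width counters; one salted hash function per row."""

    def __init__(self, width=256, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]
        self.total = 0  # sum of everything added, used for the phi threshold

    def _cells(self, key):
        # A per-row salt turns one keyed hash into `depth` distinct hash functions.
        for row in range(self.depth):
            h = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([row])).digest()
            yield row, int.from_bytes(h, "big") % self.width

    def add(self, key, count=1):
        self.total += count
        for row, col in self._cells(key):
            self.table[row][col] += count

    def estimate(self, key):
        # Collisions only inflate counters, so the minimum over rows never undercounts.
        return min(self.table[row][col] for row, col in self._cells(key))


def flow_key(src, dst, dport):
    return f"{src}>{dst}:{dport}"


def heavy_hitters(flows, phi=0.1, width=256, depth=4):
    """Return [(key, estimated_bytes)] for flows carrying >= phi of all bytes.

    A key enters the candidate set as soon as its estimate crosses the running
    threshold; since estimates are upper bounds and the running total only grows,
    every true heavy hitter must cross it at some point. Candidates are re-checked
    against the final threshold to drop early, small flows.
    """
    cms = CountMinSketch(width, depth)
    candidates = set()
    for src, dst, dport, nbytes in flows:
        key = flow_key(src, dst, dport)
        cms.add(key, nbytes)
        if cms.estimate(key) >= phi * cms.total:
            candidates.add(key)
    threshold = phi * cms.total
    return sorted((k, cms.estimate(k)) for k in candidates
                  if cms.estimate(k) >= threshold)


def exact_counts(flows):
    """Per-flow byte totals with full state, for comparison with the sketch."""
    c = Counter()
    for src, dst, dport, nbytes in flows:
        c[flow_key(src, dst, dport)] += nbytes
    return c


# Constructed records: (src, dst, dst_port, bytes).
# 300 distinct background flows of 1000 bytes plus one flow seen 50 times at
# 4000 bytes (200,000 of the 500,000 bytes total).
BACKGROUND = [(f"10.0.{i // 250}.{i % 250 + 1}", f"192.0.2.{i % 50 + 1}", 80, 1000)
              for i in range(300)]
BURST = [("10.0.5.77", "10.0.1.5", 443, 4000)] * 50
FLOWS = [f for pair in zip(BACKGROUND[:50], BURST) for f in pair] + BACKGROUND[50:]

if __name__ == "__main__":
    for key, est in heavy_hitters(FLOWS, phi=0.1):
        print(f"{key}: ~{est} bytes (exact {exact_counts(FLOWS)[key]})")
```

The error of a Count-Min estimate is bounded by roughly total/width per row with probability controlled by depth, so width is chosen from the tolerable overcount and depth from the confidence wanted; with 256 x 4 counters the 1000-byte background flows stay far below the 50,000-byte threshold even with collisions.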
Dependency mining
Knowing the dependencies between the different servers in an
enterprise network is essential for important network management
applications, such as root cause analysis and impact estimation. Our
research focuses on mapping such dependencies from flow data analysis
without requiring server credentials or distributed agents installed
on different hosts. In addition, we investigate the related problem of
identifying the finite state machine of a process from server log
files. For more information, please check the relevant papers.
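The block below is an added illustration of inferring server dependencies from flow data alone, with no agents or credentials; it is not Aurora code and does not reproduce the group's published method. It treats a service as a (host, port) pair and reports B:p -> C:q as a dependency when a flow arriving at B:p is followed within a short window by a flow from B to C:q in a large enough share of cases. The window, the support threshold and the constructed flow records are assumptions for the example.

```python
"""Service dependency mining from flow records by temporal co-occurrence.

Added example, not Aurora code. Flow records are constructed.
"""
from collections import Counter, defaultdict


def mine_dependencies(flows, window=0.5, min_support=0.5):
    """Return {(upstream_service, downstream_service): support}.

    flows are (start_seconds, src, dst, dst_port). For every flow into service
    dst:dst_port, look at flows the server dst itself initiated within
    `window` seconds; the fraction of inbound flows followed by a flow to
    C:q is the support of the dependency dst:dst_port -> C:q.
    """
    flows = sorted(flows)
    by_initiator = defaultdict(list)  # host -> [(t, dst, dport)] it started
    for t, src, dst, dport in flows:
        by_initiator[src].append((t, dst, dport))

    inbound = Counter()   # how often each service was contacted
    followed = Counter()  # (service, downstream) -> inbound flows followed by downstream
    for t, src, dst, dport in flows:
        service = f"{dst}:{dport}"
        inbound[service] += 1
        downstream = {f"{d}:{p}" for t2, d, p in by_initiator.get(dst, ())
                      if t <= t2 <= t + window}
        for ds in downstream:
            followed[(service, ds)] += 1

    result = {}
    for (service, ds), n in followed.items():
        support = n / inbound[service]
        if support >= min_support:
            result[(service, ds)] = support
    return result


# Constructed three-tier traffic: 20 client requests to a web server, each
# followed 50 ms later by a web -> database query; every fifth request also
# triggers a web -> DNS lookup; clients separately talk to a mail server that
# initiates nothing.
FLOWS = []
for i in range(20):
    t = i * 10.0
    client = f"203.0.113.{i + 1}"
    FLOWS.append((t, client, "10.0.1.10", 443))
    FLOWS.append((t + 0.05, "10.0.1.10", "10.0.2.20", 5432))
    if i % 5 == 0:
        FLOWS.append((t + 0.1, "10.0.1.10", "10.0.3.53", 53))
    FLOWS.append((t + 5.0, client, "10.0.1.30", 25))

if __name__ == "__main__":
    for (up, down), support in sorted(mine_dependencies(FLOWS).items()):
        print(f"{up} -> {down}  support={support:.2f}")
```

Co-occurrence alone confuses a busy downstream service with a real dependency: a server that talks to DNS constantly will appear "after" every inbound request. A practical implementation compares the observed support against the base rate of the downstream flow (how often B -> C:q occurs in a random window of the same length) and keeps only pairs where the conditional rate is significantly higher, which is the kind of statistical question the research above addresses.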