Security of Czech army information and communication systems - On-line monitoring, Visualization and Packet Filtration. Computer Incident Response Capability Development in the Cyber Defence Environment

Detection of Time Variation in Network Connections

Monitoring tools that observe the current network status and raise alerts when suspicious anomalies occur are routinely used in network defence. Active monitoring methods are implemented in tools such as Nagios or Zabbix; the active approach gives explicit control over the generation of the packets used in measurement scenarios. In contrast, our research has focused on passive monitoring, where devices simply watch the traffic as it passes by. The aim has not been to build applications that replace active monitoring tools, but ones that complement them. Passive monitoring is preferable from the network administrator's point of view, because no auxiliary tool has to be installed on the monitored servers; moreover, the measurements add no traffic to the network.

The Delaywatch tool is our plugin for NfSen. It uses NetFlow record timestamps to track the delay between client requests and the corresponding server responses. A rising delay can indicate a DoS or DDoS attack in progress, but it can equally be caused by increased internal server load. Delaywatch therefore tries to narrow detection to genuine attacks: it reports an event only if the delay increase is correlated with a surge in network traffic at the same moment. The plugin's graphical interface displays graphs of the time evolution of the delay and of the network traffic characteristics for the monitored machines.
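As an added illustration of the correlation rule described above (example code, not Delaywatch's own), the following Python pairs request and response flows by their NetFlow start timestamps, computes per-minute mean delay and byte volume, and reports an interval only when both exceed a baseline. The server address, flow records, interval width and threshold factor are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, median

SERVER = "10.0.0.5"  # constructed address of the monitored server

def pair_delays(flows):
    """Match each client->server request flow with the next server->client flow
    for the same host pair; delay = difference of the NetFlow start timestamps."""
    pending, delays = {}, []
    for ts, src, dst, _ in sorted(flows):
        if dst == SERVER:                                   # request
            pending[(src, dst)] = ts
        elif src == SERVER and (dst, src) in pending:       # response
            req_ts = pending.pop((dst, src))
            delays.append((req_ts, ts - req_ts))
    return delays

def interval_stats(flows, width=60):
    """Per-interval (mean response delay, total bytes), keyed by interval index."""
    delay_buckets, byte_buckets = defaultdict(list), defaultdict(int)
    for ts, delay in pair_delays(flows):
        delay_buckets[int(ts // width)].append(delay)
    for ts, _, _, nbytes in flows:
        byte_buckets[int(ts // width)] += nbytes
    return {b: (mean(delay_buckets[b]), byte_buckets[b])
            for b in sorted(byte_buckets) if delay_buckets[b]}

def detect(flows, width=60, baseline_intervals=3, factor=3.0):
    """Report an interval start time only when BOTH the response delay and the
    traffic volume exceed factor x the median of the baseline intervals."""
    stats = interval_stats(flows, width)
    buckets = sorted(stats)
    base = buckets[:baseline_intervals]
    base_delay = median(stats[b][0] for b in base)
    base_bytes = median(stats[b][1] for b in base)
    return [b * width for b in buckets[baseline_intervals:]
            if stats[b][0] > factor * base_delay and stats[b][1] > factor * base_bytes]

def make_flows():
    """Constructed NetFlow-style records (start_ts, src, dst, bytes): three quiet
    minutes, a slow server with normal traffic, then a slow server under a surge."""
    profile = [(5, 0.05), (5, 0.05), (5, 0.06), (5, 2.0), (40, 2.5)]
    flows = []
    for minute, (n_clients, delay) in enumerate(profile):
        for i in range(n_clients):
            t, client = minute * 60 + i, f"192.0.2.{i + 1}"
            flows.append((t, client, SERVER, 500))           # request
            flows.append((t + delay, SERVER, client, 1500))  # response
    return flows

if __name__ == "__main__":
    print(detect(make_flows()))  # [240]: only the minute with delay AND surge
```

The fourth minute (slow server, normal traffic) is deliberately not reported, mirroring the plugin's intent of distinguishing server load from an attack.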

Figure: Screenshot of Delaywatch. The figure shows an unexpected increase in all monitored parameters caused by the attack on the server.