Traffic Forensics

Network forensics is the process of capturing information about traffic moving over a network and turning it into usable digital intelligence. It is typically used to assist cybercrime investigations, provide operational support for troubleshooting, and supply supporting data for customer complaint handling.

The Innovative GenieATM Solution: when flow meets DPI

There are two types of network forensic solutions: flow-based solutions and Deep Packet Inspection-based (DPI-based) solutions. Each has its own pros and cons. Because flow-based solutions receive flow data from devices already deployed in the network, they have lower deployment costs and scale network-wide. However, flow data only contains network information up to layer 4 and cannot provide layer-7 information. A DPI-based solution can provide specific traffic content information, but its deployment cost in a large service provider network is intimidating. Aiming to offer the advantages of both approaches, GenieATM provides network-wide deep traffic intelligence by combining the two. The solution comprises GenieATM Info Extractor and GenieATM Controller.

Rich Traffic Monitoring and Analysis Features

GenieATM Controller provides abundant pre-defined reports, flexible user-customizable reports, real-time and retrospective traffic snapshots, and raw flow data warehousing.

Real-time Traffic Monitoring & Top-N Analysis

Historical Raw Flow Data Storage & View


Business Analysis

An IDC operator would like to analyze how its hosting services consume bandwidth when the services are defined by URL hosts rather than server IP addresses. Based on information such as how much regional network bandwidth, domestic bandwidth, or internet transit bandwidth each service consumes, the operator can conduct fact-based ROI calculation.


When a user complaint about bad network performance or a disputed service bill is received and the user is identified by a mobile phone number (MSISDN), the MSISDN must first be translated to the IP address it held during the given time period before further traffic information can be retrieved. Based on the user identity information (IP address, user account, MSISDN, IMSI, or even more), the network manager can take a real-time or retrospective snapshot to get visibility into the traffic behind the incident in question.

Lawful Interception

To respond to a lawful authority’s request for network data, a network operator needs to provide communication information such as time, IP address, MSISDN, application (protocol + port), call content, etc. Several different systems in the network may each hold a different part of the required information, and the investigating agent may know only limited information, such as the time, the private IP address, or the phone number. Therefore, a solution is needed that merges all the information and provides a user-friendly interface for the network operator to retrieve data in accordance with the law.

Network Planning

A carrier network manager would like to measure how much IP traffic is ‘traditional traffic’ (i.e. from PCs) and how much is ‘mobile-offload traffic’ (i.e. from handheld devices). Based on this measurement, the carrier can better plan bandwidth resources for its converged network.
