Network forensics is the capture and analysis of traffic crossing a network in order to turn it into usable digital evidence and intelligence. It is typically used to support cybercrime investigation, to provide operational support for troubleshooting, and to supply the data needed for handling customer complaints.
The Innovative GenieATM Solution: when flow meets DPI
There are two types of network forensic solutions available: flow-based solutions and Deep Packet Inspection-based (DPI-based) solutions. Each has its own pros and cons. Because flow-based solutions receive flow data (e.g. NetFlow, sFlow, IPFIX) from the devices already deployed in the network, they enjoy lower deployment costs and network-wide scalability. However, a flow record only carries information up to layer 4 (addresses, ports, protocol, byte and packet counts) and cannot provide layer-7 information. A DPI-based solution can report specific traffic content, but the cost of deploying it across a large service provider network is prohibitive. Aiming to offer the advantages of both, GenieATM provides network-wide deep traffic intelligence through a different approach. The solution comprises the GenieATM Info Extractor and the GenieATM Controller.
Abundant Information Sources and Deep Traffic Visibility
The solution correlates network-wide flow information with specific deep traffic intelligence. An Info Extractor is deployed at a strategic point or on a representative link in the network. The Info Extractor captures and distills information such as the L7 application type (e.g. P2P, VoIP, streaming), specific traffic attributes (e.g. URL, NAT private IP address), and end-user attributes (e.g. MSISDN, user agent type). The source of this deep traffic information can be the raw packets in real time, or records exported by network devices in specific formats (e.g. RDR, Syslog). The Info Extractor embeds a learning agent that maps the deep traffic information onto layer-3/4 flow keys (e.g. IP address) and dispatches the dynamically learned L4-L7 information map to the GenieATM Controller for real-time, network-wide monitoring and analysis. Because an IP address is reassigned over time (DHCP leases, NAT pools), each learned association is only meaningful together with the time at which it was observed.
Rich Traffic Monitoring and Analysis Features
The GenieATM Controller provides abundant pre-defined reports, flexible user-customizable reports, real-time and retrospective traffic snapshots, and raw flow data warehousing.
[Figures not reproduced: Real-Time & Retrospective Data Query; Historical Raw Flow View; Mapping Table Example: URL host vs. IP address]
Various Use Cases
The solution can be used by different customer types for different applications:
An IDC operator would like to analyze how its hosting services consume bandwidth, while the services are defined by URL hosts rather than server IP addresses. Based on information such as how much regional, domestic, or internet transit bandwidth each service consumes, the operator can perform a fact-based ROI calculation.
To respond to a lawful authority's request for network data, a network operator needs to provide communication information such as time, IP address, MSISDN, application (protocol + port), call content, etc. Different parts of this information may be held by a number of different systems in the network, or the investigating agent may know only limited information, such as the time, the private IP address, or the phone number. A solution is therefore needed that merges all the information and provides a user-friendly interface for the network operator to retrieve data in accordance with the law.
A carrier network manager would like to measure how much IP traffic is "traditional traffic" (i.e. from PCs) and how much is "mobile-offload traffic" (i.e. from handheld devices). Based on this measurement, the carrier can better plan bandwidth resources for its converged network.
When a complaint about bad network performance or a disputed service bill is received and the user is identified only by a mobile phone number (MSISDN), the ability to translate the MSISDN into the IP address(es) it held during a given time period is required in order to retrieve further traffic information. Based on the user identity information (IP address, user account, MSISDN, IMSI, or more), the network manager can take a real-time or retrospective snapshot to get traffic visibility into the incident in question.
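Worked example, added here and not code from GenieATM or from this page: a small Python model of the time-bounded L4-L7 map the Info Extractor is described as learning (IP address to URL host, IP address to MSISDN), joined against layer-3/4 flow records. It serves both the IDC bandwidth-per-URL-host case and the MSISDN-to-IP complaint case above. The flow records, map entries, attribute names, addresses and phone numbers are all constructed sample data; the validity intervals on each map entry model the fact that a private or pool address is handed to another subscriber later in the day, which is the check a lookup must make before attributing traffic to a person.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """Layer-3/4 view of one flow as a router exports it (no L7 content)."""
    start: datetime
    src_ip: str
    dst_ip: str
    proto: int        # IP protocol number, 6 = TCP
    dst_port: int
    octets: int


@dataclass(frozen=True)
class MapEntry:
    """One learned association: during [valid_from, valid_to) address `ip`
    carried attribute `attr` (hypothetical names "msisdn" / "url_host")."""
    ip: str
    attr: str
    value: str
    valid_from: datetime
    valid_to: datetime   # exclusive; addresses get reassigned (DHCP, NAT pools)


class IdentityMap:
    """Time-bounded IP -> attribute map. The time bound is what keeps a lookup
    correct when the same IP is given to different subscribers over the day."""

    def __init__(self, entries: List[MapEntry]) -> None:
        self._by_key: Dict[Tuple[str, str], List[MapEntry]] = defaultdict(list)
        for e in entries:
            self._by_key[(e.ip, e.attr)].append(e)

    def lookup(self, ip: str, attr: str, at: datetime) -> Optional[str]:
        """Forward lookup at one instant; None when nothing is known for `at`."""
        for e in self._by_key.get((ip, attr), []):
            if e.valid_from <= at < e.valid_to:
                return e.value
        return None

    def ips_for(self, attr: str, value: str, start: datetime, end: datetime) -> List[MapEntry]:
        """Reverse lookup (e.g. MSISDN -> IP) over a window. Returns every
        interval overlapping [start, end) so address changes are visible."""
        hits = [e for lst in self._by_key.values() for e in lst
                if e.attr == attr and e.value == value
                and e.valid_from < end and start < e.valid_to]
        return sorted(hits, key=lambda e: e.valid_from)


def enrich(flow: FlowRecord, idmap: IdentityMap) -> dict:
    """Join one flow with the map at the flow's own start time."""
    return {
        "start": flow.start, "src_ip": flow.src_ip, "dst_ip": flow.dst_ip,
        "octets": flow.octets,
        "msisdn": idmap.lookup(flow.src_ip, "msisdn", flow.start),
        "url_host": idmap.lookup(flow.dst_ip, "url_host", flow.start),
    }


def octets_per_url_host(flows: List[FlowRecord], idmap: IdentityMap) -> Dict[str, int]:
    """IDC use case: bytes per hosted service keyed by URL host, not server IP."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[idmap.lookup(f.dst_ip, "url_host", f.start) or "(unmapped)"] += f.octets
    return dict(totals)


def flows_for_msisdn(flows: List[FlowRecord], idmap: IdentityMap, msisdn: str,
                     start: datetime, end: datetime) -> List[FlowRecord]:
    """Complaint use case: MSISDN -> IP interval(s) in the window, then that IP's
    flows, re-checked per flow so a later holder of the same IP is excluded."""
    out = [f for e in idmap.ips_for("msisdn", msisdn, start, end) for f in flows
           if f.src_ip == e.ip and start <= f.start < end
           and e.valid_from <= f.start < e.valid_to]
    return sorted(out, key=lambda f: f.start)


# Constructed sample data: 10.0.0.5 moves from one subscriber to another at T0+1h.
T0 = datetime(2024, 1, 1, 10, 0)
H = timedelta(hours=1)
SAMPLE_MAP = IdentityMap([
    MapEntry("10.0.0.5", "msisdn", "886912000001", T0, T0 + H),
    MapEntry("10.0.0.5", "msisdn", "886912000002", T0 + H, T0 + 2 * H),
    MapEntry("203.0.113.10", "url_host", "www.example-a.test", T0, T0 + 24 * H),
    MapEntry("203.0.113.11", "url_host", "www.example-b.test", T0, T0 + 24 * H),
])
SAMPLE_FLOWS = [
    FlowRecord(T0 + timedelta(minutes=10), "10.0.0.5", "203.0.113.10", 6, 443, 5000),
    FlowRecord(T0 + timedelta(minutes=30), "10.0.0.6", "203.0.113.10", 6, 80, 3000),
    FlowRecord(T0 + timedelta(minutes=70), "10.0.0.5", "203.0.113.11", 6, 443, 7000),
    FlowRecord(T0 + 3 * H, "10.0.0.5", "203.0.113.10", 6, 443, 1000),  # no MSISDN known
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(enrich(f, SAMPLE_MAP))
    print(octets_per_url_host(SAMPLE_FLOWS, SAMPLE_MAP))
    print(flows_for_msisdn(SAMPLE_FLOWS, SAMPLE_MAP, "886912000001", T0, T0 + 2 * H))
```

The reverse lookup deliberately returns every interval overlapping the window rather than a single address, because "which IP did this MSISDN have between 10:00 and 12:00" legitimately has more than one answer; a tool that returns one address silently charges the other subscriber's traffic to the complainant. The flow at T0+3h shows the other failure mode: with no map entry covering that time the subscriber field stays empty instead of being guessed from the most recent holder of the address.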