Crosstalk: A Scalable Crossprotocol Monitoring System For Anomaly Detection

As there is a relentless growth in IP, Monitoring is important both in the case of operations of a network and the services that run on it. Operators on the network perform monitoring on various purposes such as traffic engineering, Quality of Service, security and detection of faultsand misconfigurations. Monitoring and detection of anomalies in a network is a very challenging problem. The most common forms are botnetal of Service attacks. Many of these anomalies use several protocols to carry out their works. Botnets uses IRC to control andSMTP to send out spam. Another example is VoIP where calls tend to be split into signalling and media traffic as in the case with SIP and RTP. These have to be detected using cross-protocol correlation. In addition to cross-protocol correlation, monitoring needs to be done in a distributedfashion, since traffic from a particular attack or misconfigurations may cross different monitoring points in the network. While previous workhas looked into the area of cross-protocol detection [2] , it has focused on single-point solutions, and so did not scale nor could it correlate attacktraffic traversing more than one monitoring point. This raises a serious scalability issues while designing, which needs to monitor large quantitiesof traffic and also to aggregate results to provide network wide anomaly detection. In this paper we introduce Crosstalk - a scalable and efficientprotocol to detect anomalies using cross-protocol correlation in a distributed fashion. Evaluation of detecting anomalies in distributed systemdoes not show how it would scale under heavy load. For the purposes of evaluating Crosstalk’s scalability and performance, we focused on SIPbasedVoIP attacks. Here, we used network simulator and evaluate the performance. Based on CDR (Call Detail Record) and on the traffic theresults simulated and anomaly is detected. The probes monitor the network and collect the data in bloom filters and export the measurements tothe mediators and collector in DAT tree structure. Based on the application the results were simulated