DocumentCode :
2137767
Title :
A scalable high performance network monitoring agent for CERNET
Author :
Hui, ZHANG ; Xing, LI ; Zimu, Li
Author_Institution :
CERNET Network Res. Center, Tsinghua Univ., Beijing, China
fYear :
2003
fDate :
27-29 Aug. 2003
Firstpage :
151
Lastpage :
156
Abstract :
In a cost-effective way, collecting and analyzing data from such a nationwide operational network as China Education and Research Network (CERNET) is an increasingly challenging task. We present experience gained in designing and implementing a passive monitoring agent applicable to CERNET, which helps to cooperate not only with network intrusion detection system (IDS), network management system (NMS) for detecting and identifying signs of malicious activities, nonmalicious failures and other exceptional events in real-time, but provides anomaly information to accounting and billing system (ABS) so as to make it healthy. This agent is characterized by a high performance data collecting facility and a methodology of real-time data correlation and analysis. A customized agent can be deployed on a particular link of CERNET for monitoring network dynamically. We discuss how to conflate, correlate, associate and refine measurement data to discriminate anomalies such as DoS from normal traffic, and how to respond to the anomalies for the purpose of operational network's health. It concludes with experiences learned from the development and deployment of the agent and ongoing research work.
Keywords :
IP networks; computer network management; data mining; monitoring; security of data; software agents; telecommunication security; CERNET; China Education and Research Network; data mining; intrusion detection system; network management system; packet classification; passive monitoring agent; scalable high performance network monitoring agent; traffic collection; Bandwidth; Computer science education; Computerized monitoring; Condition monitoring; Data analysis; Event detection; Intrusion detection; Peer to peer computing; Spine; Telecommunication traffic;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Parallel and Distributed Computing, Applications and Technologies, 2003. PDCAT'2003. Proceedings of the Fourth International Conference on
Print_ISBN :
0-7803-7840-7
Type :
conf
DOI :
10.1109/PDCAT.2003.1236277
Filename :
1236277
Link To Document :