MNEMOSYNE: designing and implementing network short-term memory

Network traffic logs play an important role in incident analysis. With the increasing throughput of network links, maintaining a complete log of all network activity has become a task that requires an enormous amount of resources. We propose an approach to network monitoring that mitigates the resource consumption problem while still providing effective support to evidence collection and incident analysis. The approach relies on a tool, called MNEMOSYNE, that maintains a sliding window containing the traffic that has been recently seen on a network link. MNEMOSYNE provides improved logging features, such as multiple streams, support for cross-stream queries, and dynamic remote reconfiguration. By integrating MNEMOSYNE with real-time intrusion detection capability, it is possible to provide incident analysis functionality and effective evidence collection, without having to maintain complete traffic logs. This paper describes the MNEMOSYNE tool, its architecture, and presents the results of the quantitative evaluation of its performance.