2011 International Conference on Future Information Technology
IPCSIT vol.13 (2011) © (2011) IACSIT Press, Singapore
An Analysis on Bandwidth Utilization and Traffic Pattern for Network Security Management
Murizah Kassim (1), Hafizoah Kassim (2)
(1) Faculty of Electrical Engineering, Universiti Teknologi MARA, 40450 UiTM Shah Alam, Selangor, Malaysia
(2) Centre for Modern Languages and Human Sciences, Universiti Malaysia Pahang, 26500 Gambang, Kuantan, Pahang
[email protected], [email protected]

Abstract. This paper presents an analysis of network bandwidth utilization and traffic patterns in an organization. It presents the patterns of network traffic, the bandwidth utilization and the properties of the network trends. Internet traffic is analyzed and its traffic pattern behaviour is identified. A Network Protocol Analyzer is used as a central agent; it has been set up and plugged in at the main entrance of the Internet traffic flow from the outside world into the organization's inside network. Valuable information such as traffic patterns on category trends, protocol trends, Internet traffic and bandwidth used is captured. All traffic flowing from the Internet to the inside network is then filtered according to the identified policies. Filtered and unfiltered traffic are then compared and analyzed in terms of bandwidth throughput, category trends, protocol trends, risk class trends and the type of Internet applications used. All captured data is presented in figures and has been analyzed in several categories. This research has successfully gathered and analyzed the traffic flows and identified the network trends and bandwidth utilization. Bandwidth shaping has also been carried out successfully to prioritize the applications used.
Keywords: Bandwidth Utilization, Traffic Pattern, Security, Network Agent, Network Management, Bandwidth Performance.
1. Introduction
Network performance is one of the important issues today in computer engineering applications and systems, mainly in network management. Network performance analysis efforts help computer network engineers offer better services and better supervision in network management administration. The scope of this project involves running a Fluke tool as an agent that scans the traffic on a network. The process of identifying and defining traps for network attacks is delivered through what is called the implemented policy. This policy is applied to the tool or agent to capture the network traffic on the bandwidth and protocols that put the network at risk, for security purposes. The result is a presentation of the patterns of network traffic used and of bandwidth utilization performance based on the filtered trends. Statistics of all identified captured risks and policies are tabulated. The captured data is then analyzed for bandwidth utilization. This paper should help the network administrator or manager improve network performance and overcome the problem of network bandwidth usage, since port scanning and peer-to-peer applications are the most used. This research has successfully gathered and analyzed the traffic flows and identified the network trends and bandwidth utilization. Bandwidth shaping has also been carried out successfully to prioritize the applications used.
2. Network Traffic Pattern and Intrusion Scenario
Managing network traffic and its performance has become a critical problem in network management in today's world. Therefore much progress is being made to protect the Internet and intranets, such as firewalls and intrusion detection systems on the network traffic that can carry worms into the network. Unfortunately the capacity of these solutions is very limited, as evidence that network attacks occurred cannot be provided [1]. Much effort has been spent on designing more effective traffic mechanisms, building better defense measures, and generating vulnerability-specific remedies [2]. For this reason, this research analyzes the network pattern in order to deliver better network performance and management. A network that has been prepared for forensic analysis is easy to monitor: security vulnerabilities and configuration problems can be conveniently identified, and it also allows the best possible analysis of security violations. Considering the network implementation policy and where the traffic is to be analyzed is important. A focus on monitoring the externally accessible servers in the external demilitarized zone (DMZ) of the network is crucial [3], since this is the hole that network hackers shoot at. Interactions between outside traffic and internal users are best monitored from the point after the firewall; this is where network forensics should be done [4]. Protocol thresholds are set to identify and analyze the network forensic process.

Previous research on Network Forensics Analysis has mentioned that evidence for a network forensics investigation can be classified into two categories [6]: primary evidence and secondary evidence. Primary evidence refers to information that directly indicates attacks or security policy violations. Secondary evidence refers to information that does not directly represent attacks but could provide complementary information for the investigation. Secondary evidence comes from extensive sources and in a much higher volume. Generally, primary evidence is the starting point of a forensic investigation and provides the basis for searches towards secondary evidence. Querying the secondary evidence usually has two objectives: to discover hidden suspicious events and to evaluate the trustworthiness of the primary evidence. In their current prototype, they used network Intrusion Detection System (IDS) alerts as the primary evidence. They also captured raw network flow logs and host logs that are used as secondary evidence. A network analysis framework based on distributed techniques has been presented which provides an integrated platform for automatic evidence collection, analysis and efficient data storage [7]. It supports easy integration of known attribution methods, effective cooperation and an attack attribution graph generation mechanism to illustrate hacking procedures.
3. Data Collections and Method
This research presents a method similar to the network forensics approach in a forensic system architecture, but the agent is placed at the single core centre between the Internet and the inside network, as shown in Figure 4. More data on bandwidth is presented because this forensic work tries to detail one of the worm attacks that targets the bandwidth used on the network, such as Denial of Service (DoS) attacks. The flow of the method from the start, through data collection, policy filtering, data capture, analysis and comparison, is shown in Figure 5.
Figure 4: Filtering at the core centre from the Internet to the inside network.
Figure 5: Network Forensic Flow Method
Two types of filtering policy are applied to the captured traffic. The first is default filtering, where the network analyzer is set up with the Global policy applied in order to collect the raw data that passes from the Internet to the inside network. The second is called Customized Filtering, where customized policies are defined for the different levels of access of the Internet users. The filtering policies listed are the category and protocol trends, Managing Protocol and Internet Application, Managing Bandwidth, Filtered by Protocol and Filtered by Risk Class.
4. Captured Traffic and Analysis Data
All captured raw and filtered traffic is presented and analysed in this section. The category trend is the bandwidth utilization of Internet traffic collected by category. Data on the bandwidth utilization of Internet traffic by category was captured over 20 days. The protocol trend is the collection of bandwidth utilization of Internet traffic filtered by protocol. Certain filtered protocols are known to be used by users for non-productive or malicious work while they are surfing the Internet. Table 2 shows the Internet bandwidth usage by protocol for the protocols used by most users in the Internet traffic. The risk class trend is the collection of Internet traffic bandwidth utilization by risk class. Risk Class explains the risk details behind a spike in network bandwidth. Risk Class is an attribute of a category that describes the potential risk of activity in that category. There are 5 categories in the risk class captured for the findings in Table 3: Productivity Loss, Business Usage, Network Bandwidth Loss, Security Risk and Legal Liability.
Table 2: Bandwidth Usage by Protocol
Protocol                      Bandwidth [Kb]
HTTP                          1834942606
Yahoo! Messenger              566787
HTTPS                         111254861
Windows Media                 876069
RTSP (QuickTime RealPlayer)   104549
MSN Messenger                 151944
BitTorrent                    604102
SHOUTcast                     357382
Gnutella (Morpheus Xolox)     713003
iTunes                        693829
SQL Net                       21674
SOCK 5                        902
Total                         1950287709

Table 3: Bandwidth Usage by Risk Class
Risk Class                Bandwidth [Kb]
Productivity Loss         1000069760
Business Usage            874411040
Network Bandwidth Loss    389262680
Security Risk             88819797
Legal Liability           8024960
Total                     2360588237
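The category, protocol and risk-class trends of Tables 2 and 3 are sums of captured traffic grouped by one attribute, and the customized policy of Section 3 decides which flows are dropped before the filtered trend is summed. The following Python example, added here and not part of the paper or of the analyzer the authors used, reproduces that bookkeeping on a handful of constructed flow records; the records, the category-to-risk-class mapping, the blocked protocols and all function names are this example's own assumptions.

```python
"""Aggregate per-flow bandwidth into protocol and risk-class trends, then
apply a customized filtering policy and compare the two trends.
Added example: flow records, mapping and policy are constructed here and
are not the paper's data."""
from collections import defaultdict

# Constructed flow records: (protocol, category, bytes transferred).
FLOWS = [
    ("HTTP", "Business", 120_000),
    ("HTTP", "Entertainment", 80_000),
    ("HTTPS", "Business", 50_000),
    ("BitTorrent", "Peer-to-Peer", 600_000),
    ("Gnutella", "Peer-to-Peer", 300_000),
    ("Yahoo! Messenger", "Chat", 20_000),
    ("SHOUTcast", "Streaming", 90_000),
    ("HTTP", "Malware", 10_000),
]

# Constructed: risk class is an attribute of a category (Section 4), using
# the paper's five risk-class names.
RISK_CLASS = {
    "Business": "Business Usage",
    "Entertainment": "Productivity Loss",
    "Chat": "Productivity Loss",
    "Peer-to-Peer": "Network Bandwidth Loss",
    "Streaming": "Network Bandwidth Loss",
    "Malware": "Security Risk",
}

# Constructed customized policy applied at the core agent.
BLOCKED_PROTOCOLS = {"BitTorrent", "Gnutella"}
BLOCKED_RISK_CLASSES = {"Security Risk"}


def risk_class_of(category):
    """Look up the risk class attribute of a category."""
    return RISK_CLASS.get(category, "Unclassified")


def is_permitted(protocol, category,
                 blocked_protocols=BLOCKED_PROTOCOLS,
                 blocked_classes=BLOCKED_RISK_CLASSES):
    """True when a flow survives both the protocol and the risk-class policy."""
    if protocol in blocked_protocols:
        return False
    return risk_class_of(category) not in blocked_classes


def trend(flows, key):
    """Sum bandwidth per protocol or per risk class (key = 'protocol' or
    'risk_class'), which is what Tables 2 and 3 tabulate."""
    totals = defaultdict(int)
    for protocol, category, size in flows:
        k = protocol if key == "protocol" else risk_class_of(category)
        totals[k] += size
    return dict(totals)


def compare(flows, key):
    """Map each protocol / risk class to (unfiltered, after-policy) bandwidth,
    the two quantities the paper compares in Section 5."""
    unfiltered = trend(flows, key)
    permitted = [f for f in flows if is_permitted(f[0], f[1])]
    filtered = trend(permitted, key)
    return {k: (v, filtered.get(k, 0)) for k, v in unfiltered.items()}


if __name__ == "__main__":
    for key in ("protocol", "risk_class"):
        print(f"--- {key} trend: unfiltered, after policy ---")
        for name, (before, after) in sorted(compare(FLOWS, key).items()):
            print(f"{name:24s} {before:>10d} {after:>10d}")
```

Note that a blocked protocol disappears from the filtered protocol trend entirely, while a blocked risk class can still show residual bandwidth in the risk-class trend if other categories map to the same class; the second situation is the one the paper reports for Productivity Loss and Network Bandwidth Loss in Section 5.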
5. Results and Conclusion
The comparison of protocol use in bandwidth usage has been analyzed on the findings gathered over 10 days for filtered and unfiltered data. Table 4 shows the bandwidth differences and increments gathered between the filtered and unfiltered tasks.
Table 4: Bandwidth Difference by Protocol between Filtered and Unfiltered Data.
Type of Protocol              Bandwidth     Filtered Bandwidth   Increased     Increased %
HTTP                          1834942606    366988521            1467954085    20%
Yahoo! Messenger              566787        56679                510108        10%
HTTPS                         111254861     100129378            101241923     9%
Windows Media                 876069        613248               262821        70%
RTSP (QuickTime RealPlayer)   104549        73184                31365         70%
MSN Messenger                 151944        75972                75972         50%
BitTorrent                    604102        573897               30205         95%
SHOUTcast                     357382        325218               32164         91%
Gnutella (Morpheus Xolox)     713003        598923               114081        84%
iTunes                        693829        492618               201210        71%
SQL Net                       21674         11704                9970          54%
SOCK 5                        902           298                  605           33%
Total                         1950287709    379823200            1570464509    657%
After filtering has been applied to the prioritized protocols, bandwidth was filtered based on the identified protocols. The percentage of bandwidth gathered is shown in Figure 6: Graph 1. The highest bandwidth filtered is BitTorrent, which has been identified as a peer-to-peer channel. The risk class data of the filtered and unfiltered implementations has been compared. Table 5 shows the difference in bandwidth use between the two situations. The risk class factors are Productivity Loss, Business Usage, Network Bandwidth Loss, Security Risk and Legal Liability. Network Bandwidth Loss uses the most bandwidth with 89%, and Productivity Loss uses the second most with 83%. Security Risk also presents a high bandwidth loss. This shows that there is evidence the network is being attacked through its bandwidth usage.
Table 5: Bandwidth Difference by Risk Class between Filtered and Unfiltered Data.
Risk Class                Bandwidth     Filtered Risk Class Bandwidth   Increased    % loss   % Increased
Productivity Loss         1000069760    830057901                       170011859    83%      17%
Business Usage            874411040     183626318                       690784722    21%      79%
Network Bandwidth Loss    389262680     346443785                       42818895     89%      11%
Security Risk             88819797      67503046                        21316751     76%      24%
Legal Liability           8024960       2006240                         6018720      25%      75%
Total                     2360588237    583969312                       930950947    294%     206%

Figure 6: Graph 1: Bandwidth difference between Protocols
The two situations of unfiltered and filtered traffic are illustrated in Figure 7. The difference between the green line and the blue line in the graph shows that Network Bandwidth Loss has the biggest difference, of about 42818895 kbps, and Productivity Loss also has a large difference, of 83%. Although filtering on risk class is implemented, there are still losses of bandwidth usage to Internet misuse. This is because the task cannot block all traffic based on productivity loss, since it is still not in the policy to block all identified web pages categorized as Productivity Loss and Network Bandwidth Loss.
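In Tables 4 and 5 the "Increased" column is the bandwidth left after filtering and the percentage column is the share of the unfiltered bandwidth that the policy removed; for example the HTTP row gives 366988521 / 1834942606 = 20% and the BitTorrent row 573897 / 604102 = 95%. The following Python example is added here and is not part of the paper: it reproduces that arithmetic on rows copied from Tables 4 and 5 (units as tabulated), adds the consistency check a reviewer would run on each row, and computes the Total row's share from the summed bandwidth rather than by adding up row percentages. The function names and the selection of rows are this example's own.

```python
"""Per-row arithmetic behind Tables 4 and 5: residual bandwidth after
filtering and the percentage the policy removed.
Added example; the numeric rows are copied from the paper's tables, the
functions are this example's own."""

# (name, unfiltered bandwidth, bandwidth removed by the filter), Table 4 rows.
PROTOCOL_ROWS = [
    ("HTTP", 1834942606, 366988521),
    ("Yahoo! Messenger", 566787, 56679),
    ("BitTorrent", 604102, 573897),
    ("SHOUTcast", 357382, 325218),
]

# Same layout for the risk classes, Table 5 rows.
RISK_ROWS = [
    ("Productivity Loss", 1000069760, 830057901),
    ("Business Usage", 874411040, 183626318),
    ("Network Bandwidth Loss", 389262680, 346443785),
    ("Security Risk", 88819797, 67503046),
    ("Legal Liability", 8024960, 2006240),
]


def residual(unfiltered, filtered):
    """Bandwidth still flowing after the policy (the 'Increased' column)."""
    return unfiltered - filtered


def filtered_share(unfiltered, filtered):
    """Whole-percent share of the unfiltered bandwidth that the policy
    removed (the 'Increased %' / '% loss' column)."""
    if unfiltered == 0:
        return 0
    return round(100 * filtered / unfiltered)


def check_row(unfiltered, filtered, tabulated_residual):
    """Consistency check for one tabulated row: the residual printed in the
    table must equal unfiltered minus filtered."""
    return residual(unfiltered, filtered) == tabulated_residual


def build_table(rows):
    """Rows of (name, unfiltered, filtered, residual, share%) plus a Total
    row whose share is derived from the summed bandwidth, because a sum of
    per-row percentages is not a percentage of anything."""
    out = []
    total_u = total_f = 0
    for name, u, f in rows:
        out.append((name, u, f, residual(u, f), filtered_share(u, f)))
        total_u += u
        total_f += f
    out.append(("Total", total_u, total_f,
                residual(total_u, total_f), filtered_share(total_u, total_f)))
    return out


if __name__ == "__main__":
    for title, rows in (("Table 4 rows", PROTOCOL_ROWS),
                        ("Table 5 rows", RISK_ROWS)):
        print(title)
        for name, u, f, r, pct in build_table(rows):
            print(f"  {name:24s} {u:>11d} {f:>11d} {r:>11d} {pct:>4d}%")
```

Run on the Table 5 rows, the Total residual comes out as 930950947, the value the paper tabulates, and the share of the total that was filtered is 61%; a practitioner reading a Total row should expect a figure of that magnitude, since a share can never exceed 100%.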
Based on the traffic analyzed, the list of the Top 20 URL hits in the Security Risk class is captured and shown in Table 6. The data lists the URLs from the highest number of hits to the least. Most of the URLs are identified as entertainment sites, which also indicates that the Internet misuse is not for work. Most entertainment sites today have been shown to carry phishing, denial of service attacks and viruses that consume bandwidth.
Table 6: Top 20 Hits of URL on Security Risk
Hits    URL
90281   www.ysbweb.com
69769   oss-content.marketscore.com
25969   www.shazaa.com
18544   Secure.keenvalue.com
15956   www.favoramp.com
11963   mymusic.mymaxis.com.my
11325   tracker.prq.to
8869    www.cinematicwallpaper.com
3525    Data.warezclient.com
3450    cerealandmilk.net
2906    www.smartphonevideoplus.com
2738    67.15.72.14
1950    c4tdownload.com
2081    gbs.gator.com
1350    tracker.prq.to
450     64.95.228.144
413     re.abetterinternet.com
413     st.abetterinternet.com
375     tv.180solutions.com
300     www.sonnerie.net

Figure 7: Percentage Loss difference between Risk Class
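Table 6 lists tracker.prq.to in two separate rows and mixes capitalized and lowercase host names, which is what happens when hits are counted on the raw URL string rather than on a normalized host. The following Python example, added here and not part of the paper or of its analyzer, ranks the most-hit hosts of one risk class from constructed proxy-style log lines after normalizing the host (lowercase, port stripped) and also reports how many internal clients contacted each host, since a hit count alone does not say whether one machine or many are involved. The log format (timestamp, client, category, URL), the example.* hosts and the function names are this example's assumptions.

```python
"""Top-N hits per host in a risk class, from constructed proxy log lines.
Added example; the log lines and their field layout are constructed and
are not the analyzer's real export format."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed log lines: "<timestamp> <client> <category> <url>".
LOG_LINES = """\
2011-03-01T08:00:01 10.0.0.5 SecurityRisk http://tracker.example.net/announce
2011-03-01T08:00:02 10.0.0.7 SecurityRisk http://Tracker.Example.net/announce?x=1
2011-03-01T08:00:03 10.0.0.5 Business https://intranet.example.org/home
2011-03-01T08:00:04 10.0.0.9 SecurityRisk http://ads.example.com/click
2011-03-01T08:00:05 10.0.0.9 SecurityRisk http://192.0.2.10/update.exe
2011-03-01T08:00:06 10.0.0.7 SecurityRisk http://tracker.example.net:6969/scrape
2011-03-01T08:00:07 10.0.0.5 SecurityRisk http://ads.example.com/pixel.gif
""".splitlines()


def host_of(url):
    """Normalize a URL to its bare host: lowercase, port and path removed.
    urlsplit(...).hostname already lowercases and strips the port."""
    return urlsplit(url).hostname or ""


def parse(line):
    """Split one constructed log line into its four fields."""
    ts, client, category, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "category": category, "url": url}


def records(lines, category):
    """Parsed records restricted to one category."""
    return [r for r in map(parse, lines) if r["category"] == category]


def top_hits(lines, category="SecurityRisk", n=20):
    """(host, hits) pairs for one category, most hits first, as in Table 6
    but with the two spellings of a host merged into one row."""
    counts = Counter(host_of(r["url"]) for r in records(lines, category))
    return counts.most_common(n)


def distinct_clients(lines, host, category="SecurityRisk"):
    """Number of distinct internal clients that contacted a host."""
    return len({r["client"] for r in records(lines, category)
                if host_of(r["url"]) == host})


if __name__ == "__main__":
    print("Hits   Clients  Host")
    for host, hits in top_hits(LOG_LINES):
        print(f"{hits:<6d} {distinct_clients(LOG_LINES, host):<8d} {host}")
```

With the constructed lines, the tracker host appears under three different URL spellings but is reported once with 3 hits from 2 clients, which is the view an administrator needs before deciding whether a top-hit entry is one infected machine or a site popular across the organization.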
6. References
[1] D. Wang, T. Li, S. Liu, J. Zhang, C. Liu, "Dynamical Network Forensics Based on Immune Agent," 3rd International Conference on Natural Computation, ICNC 2007.
[2] Y. Xie, V. Sekar, M. K. Reiter, H. Zhang, "Forensic Analysis for Epidemic Attacks in Federated Networks," Proceedings of the 14th IEEE International Conference on Network Protocols, ICNP 2006.
[3] W. Wang, E. D. Thomas, "Building Evidence Graphs for Network Forensic Analysis," Proceedings of the 21st Annual Computer Security Applications Conference, IEEE ACSAC 2005.
[4] V. Corey, C. Peterman, S. Shearin, M. S. Greenberg, J. V. Bokkelen, "Network Forensic Analysis," IEEE Internet Computing, Vol. 6, Issue 6, Nov-Dec 2002, pp. 60-66.
[5] S. S. M. Chow, L. C. K. Hui, S. M. Yiu, "A Generic Anti-Spyware Solution by Access Control List at Kernel Level," Journal of Systems and Software, 2005.
[6] R. C. Dodge Jr., D. Cook, "Out of Box - Forensic Labs," Proceedings of the 40th Hawaii IEEE International Conference on System Sciences, 2007.
[7] Y. Tang, E. D. Thomas, "A Simple Framework for Distributed Forensic," Proceedings of the 25th IEEE International Conference on Distributed Computing Systems Workshops, IEEE ICDCSW 2007.
[8] R. Wie, H. Jin, "Distributed Agent Based Real Time Network Intrusion Forensics System Architecture Design," Proceedings of the 19th International Conference on Advanced Information Networking and Applications, IEEE AINA 2005.