HTCIA Introduction to Network Traffic Analysis
Held on June 20th and 21st, 2011, Halifax, Nova Scotia


 

The Atlantic Canada Chapter of the High Technology Crime Investigation Association was pleased to present a two-day seminar course in Network Traffic Analysis. The course was very successful, and the HTCIA Atlantic Chapter would like to thank all attendees and the conference hosts as well.


HTCIA Introduction to Network Traffic Analysis

Date: June 20, 2011 Halifax, Nova Scotia

Location: TBA




The Atlantic Canada Chapter of the High Technology Crime Investigation Association is pleased to present a two-day seminar course in Network Traffic Analysis.

Course Description

 

Title: Introduction to Network Traffic Analysis

 

"If you are not monitoring your network traffic then you are not doing security." - Ron McLeod, Select Technology Corporation

 

Many people recognize the need to monitor network traffic to enhance their security and forensics practice. Unfortunately, the process of acquiring and analyzing the traffic is not always well understood. Too often the result is an incomprehensible body of data that consumes time and resources to organize and interpret, with little or no tangible benefit.

 

This seminar is intended as an overview of the entire practice of network traffic monitoring. The goal is to demonstrate approaches and procedures that will lead to an effective monitoring program. As an outcome, attendees will acquire sufficient information to allow them to set up an initial monitoring program and begin analyzing the behavior of their network traffic. Only a basic knowledge of networking is required as a prerequisite.

 

Given the introductory nature of the course, it may not be suitable for those who have previously established network traffic capture systems and are practiced in interpreting the analysis results.

Seminar Outline

 

The seminar consists of two days of classroom instruction. Attendees with laptops who choose to follow along with certain sections of the course will be issued a bootable live CD with the SiLK tools[1] and sample capture data pre-installed. (CDs must be returned at the end of the seminar, as the data represents a real client capture.)

 

Day 1 – Morning

  • Why do traffic analysis?
  • User and organizational concerns
  • Types of capture
  • Network architecture challenges
  • Physical challenges
  • Capture tools
  • TCP/IP networking

Day 1 – Afternoon

  • Network protocol review
  • Header descriptions
  • Payload issues
  • Preparing for the capture
  • Understanding and verifying the network architecture

Day 2 – Morning

  • TAP and tool Installation
  • Router flow capture
  • Spanning port capture
  • Promiscuous NIC capture
  • Establishing the capture database using SiLK
  • Beginning the analysis
  • What information is important?
  • Building network, workstation and user profiles

 

Day 2 – Afternoon

  • Intrusion attempts
  • Protocol violations and firewall holes
  • Scanners and worms
  • Hiding techniques
  • Signature analysis
  • Derived traffic statistics
  • Cluster-based and machine learning profiling methods

Case Study: The instructor will use the SiLK tools and real capture data to walk through the discovery of information about a client network.
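As an added illustration of the Day 2 topics (building per-host profiles from flow records, then spotting scanners from derived statistics), the following Python is example code written for this page; it is not course material and not part of SiLK. It assumes flows have already been exported as pipe-delimited text in the layout rwcut produces with --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime; the flow records are constructed for the example, and the fan-out and packets-per-flow thresholds are assumptions chosen for the sample, not values from the course.

```python
"""Flow-based host profiling and scanner detection over SiLK-style records.

Added example (not part of the HTCIA course material or of SiLK itself). It
parses the pipe-delimited text that rwcut emits for
  --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime
builds a per-source-host profile, and flags sources whose fan-out looks like
a port scan or host sweep. Records and thresholds below are constructed
assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in rwcut's delimited layout (header, then one flow per
# line). 10.1.1.10 is ordinary web traffic; 10.1.1.50 probes 40 ports on one
# host (port scan); 10.1.1.77 probes port 445 on 30 hosts (host sweep).
SAMPLE_RWCUT = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|sTime
10.1.1.10|192.0.2.20|49152|443|6|12|3400|2011/06/20T09:00:01.000
10.1.1.10|192.0.2.21|49153|443|6|8|2100|2011/06/20T09:00:05.000
10.1.1.10|192.0.2.22|49154|80|6|20|9800|2011/06/20T09:01:10.000
""" + "".join(
    f"10.1.1.50|192.0.2.30|{40000 + p}|{p}|6|1|60|2011/06/20T09:02:{p % 60:02d}.000\n"
    for p in range(1, 41)
) + "".join(
    f"10.1.1.77|192.0.2.{h}|51000|445|6|1|48|2011/06/20T09:03:{h % 60:02d}.000\n"
    for h in range(100, 130)
)


@dataclass
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    bytes: int
    stime: str


def parse_rwcut(text):
    """Parse rwcut-style delimited text into Flow objects.

    Columns are located by header name, so a trailing delimiter (which rwcut
    emits by default) or extra fields are tolerated.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    idx = {name: i for i, name in enumerate(header)}
    flows = []
    for ln in lines[1:]:
        f = [c.strip() for c in ln.split("|")]
        flows.append(Flow(
            sip=f[idx["sIP"]], dip=f[idx["dIP"]],
            sport=int(f[idx["sPort"]]), dport=int(f[idx["dPort"]]),
            proto=int(f[idx["pro"]]), packets=int(f[idx["packets"]]),
            bytes=int(f[idx["bytes"]]), stime=f[idx["sTime"]]))
    return flows


@dataclass
class HostProfile:
    """Derived statistics for one source address."""
    flows: int = 0
    packets: int = 0
    bytes: int = 0
    dests: set = field(default_factory=set)   # distinct destination hosts
    dports: set = field(default_factory=set)  # distinct destination ports


def build_profiles(flows):
    """Aggregate flows into a {sIP: HostProfile} map."""
    profiles = defaultdict(HostProfile)
    for fl in flows:
        p = profiles[fl.sip]
        p.flows += 1
        p.packets += fl.packets
        p.bytes += fl.bytes
        p.dests.add(fl.dip)
        p.dports.add(fl.dport)
    return dict(profiles)


def flag_scanners(profiles, min_fanout=20, max_avg_packets=2.0):
    """Return {sIP: reason} for sources that fan out widely with tiny flows.

    Many one- or two-packet flows to many ports (or many hosts) is probing,
    not a conversation; thresholds are assumptions tuned to the sample.
    """
    out = {}
    for sip, p in profiles.items():
        if p.packets / p.flows > max_avg_packets:
            continue  # real sessions carry more than a probe's worth of packets
        if len(p.dports) >= min_fanout:
            out[sip] = f"port scan: {len(p.dports)} ports on {len(p.dests)} host(s)"
        elif len(p.dests) >= min_fanout:
            out[sip] = f"host sweep: {len(p.dests)} hosts on port(s) {sorted(p.dports)}"
    return out


if __name__ == "__main__":
    profiles = build_profiles(parse_rwcut(SAMPLE_RWCUT))
    for sip, p in sorted(profiles.items()):
        print(f"{sip:12} flows={p.flows:3} pkts={p.packets:4} bytes={p.bytes:6} "
              f"dests={len(p.dests):3} dports={len(p.dports):3}")
    for sip, why in flag_scanners(profiles).items():
        print(f"FLAG {sip}: {why}")
```

On a real SiLK repository the same profile would be fed from `rwfilter ... --pass=stdout | rwcut --fields=sIP,dIP,sPort,dPort,protocol,packets,bytes,sTime`; the detection step is deliberately simple so that the two statistics it relies on (fan-out and average packets per flow) are easy to relate back to the derived-statistics and profiling topics in the outline.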

 

Instructor: Ron McLeod, MCSc. Ron is currently the CEO and CTO of Select Technology Corporation, which is conducting research and development into a new generation of network traffic monitoring systems. He has worked in various information technology capacities for the past 25 years and has for the last several years been consulting, training and researching in the area of network and information systems security. He is currently pursuing his PhD in the area of network traffic profiling.


[1] http://tools.netsa.cert.org/silk/