Network Management Tools Presentations
Network Management Tools Presentations
Tuesday, September 18th & 25th, 2007
CSE 552 – Network Management
Fall 2007 (Term 071)
Assignment 2

Schedule of Presentations
Speaker | Tool
Muhamad Khaled Alhamwi, Karim Asif Sattar | Nagios
Rizwan Farooqi, Mohammad Rahil Rafiq | Dude 2.2
Syed Usama Idrees, Muhammad Asif Siddiqui | PRTG
Mojeeb Al-Rhman Al-Khiaty, Naif Al-Wadeai | Firewall analyzer
Mohameed Moustafa Abou Ghalyoun, Ahmad Salam AlRefai | Network View

NM Tool (Nagios)
CSE-552 Assignment#2
Karim Asif Sattar
Muhamad Khaled Alhamwi

Outline
• Nagios
• Hosts
• Services
• Configuration files
• Configuration Example
• Snapshots
• Q & A

Nagios
• Free & open-source network management tool
• Runs under Linux
• Has web interface
  • Can be viewed remotely
• Can be used to monitor your host and services
• Very flexible
  • Many plug-ins and add-ons

Nagios – cont’
• Not SNMP-based NM tool
• Monitor Windows & Linux hosts
• Monitor any service
  • You just need to write the appropriate plug-in
• Monitor public services
  • HTTP, DNS, Email
• Monitor private services with the help of other add-ons
  • CPU, Memory, and Disk usage

Checking Private Services
• NSClient++
  • Add-on can be used to check Windows hosts
• Daemon, Plug-in, Add-on

Hosts
• Hosts can be defined with parent-child relation
  • Useful to reflect the real topology
• Hosts can be grouped in different groups
• Monitored host has several possible states
  • UP – The host is up and running
  • DOWN – The host is not responding
  • UNREACHABLE – The host cannot be reached because some other host in between is down

Services
• Services can be grouped in different services
• Monitored Service has several possible states
  • OK – The service is running and performance metric is within the normal range
  • WARNING – The service is running and performance metric is above normal but below critical range
  • CRITICAL – The service is not running (crashed) or the performance metric is above critical threshold
  • UNKNOWN – Unknown error

Configuration files
• Main configuration file (includes other files): nagios.cfg
• CGI configuration file (web interface): cgi.cfg
• Check command configuration file: commands.cfg
• Hosts configuration: hosts.cfg
• Services configuration: services.cfg
• You can name the files as you like, and include them in the main configuration file: cfg_file=<file_name>

Example
• Monitoring of two machines
  • Localhost (on which Nagios is installed) – Linux
    • Checks for private resources on the localhost: number of processes, users, disk usage, and CPU
  • Another machine on the same subnet – Windows XP
    • Checks for HTTP service (running)
    • Checks for DNS service (not installed)
    • Checks for process “Explorer.exe”

Configuration Example
define host {
    use          template
    host_name    localhost
    address      localhost
    ….
}

define host {
    use          template
    host_name    Windows host
    address      10.90.3.x
    ….
}

Configuration Example – cont’
define service {
    service_description    Total processes
    host_name              localhost
    check_command          check_proc!150!300
    ….
}
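
The service states from the Services slide and the two thresholds in check_proc!150!300 meet inside the plug-in, shown here as an added example that is not part of the original presentation. It assumes that check_proc is mapped in commands.cfg to a script taking a warning and a critical threshold; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Nagios-style plug-in sketch: total process count against two thresholds."""
import os
import sys

# Plug-in exit codes that Nagios maps to the four service states.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def count_processes(proc_dir="/proc"):
    """Count processes on Linux: /proc holds one numeric directory per PID."""
    return sum(1 for name in os.listdir(proc_dir) if name.isdigit())


def evaluate(count, warn, crit):
    """Return (exit_code, status_line) for a measured process count."""
    if warn < 0 or crit < warn:
        return UNKNOWN, "PROCS UNKNOWN - need 0 <= warning <= critical"
    if count > crit:
        code = CRITICAL
    elif count > warn:
        code = WARNING
    else:
        code = OK
    # Text after "|" is performance data: label=value;warn;crit;min
    line = "PROCS %s - %d processes | procs=%d;%d;%d;0" % (
        STATE[code], count, count, warn, crit)
    return code, line


def run(argv, counter=count_processes):
    """Parse <warning> <critical>, take the measurement, return (code, line)."""
    try:
        warn, crit = (int(arg) for arg in argv)
    except ValueError:
        return UNKNOWN, "PROCS UNKNOWN - usage: check_proc <warning> <critical>"
    try:
        count = counter()
    except OSError as exc:
        # A check that cannot measure must not report OK.
        return UNKNOWN, "PROCS UNKNOWN - cannot count processes: %s" % exc
    return evaluate(count, warn, crit)


if __name__ == "__main__":
    exit_code, status_line = run(sys.argv[1:])
    print(status_line)
    sys.exit(exit_code)
```

Nagios reads the exit code for the state and shows the first output line in the web interface, so a plug-in that fails to measure reports UNKNOWN instead of silently passing.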

Configuration Options
• We can define (with examples)
  • Normal check interval (5 min)
  • Retry interval (3 min)
  • Maximum check attempts (4)
  • Check period (24x7)
  • Contacts (admin)
  • Contact groups (admin_group)
  • Notification period (24x7)
  • And more…

Snapshots (1) - Authentication
• Web interface authentication
• Open internet browser and type: http://localhost/nagios/ in URL field
Snapshots (3) – Tactical overview
Snapshots (4) - Service details
Snapshots (5) – Host details
Snapshots (2) – Host Groups
Snapshots (6) – Host group grid
Snapshots (7) – Host Report
Thank you
Q & A

The Dude
Network Management Tool Presentation
CSE-552 Network Management
Term 071
By
M. M. Rizwan Farooqi (250501)
Mohammad Rahil Rafiq (260308)

Overview
• Introduction
• System Requirements
• Features
• Modes of Operation
• Interface Layout
• Logs
• Probes
• Snapshots
• Pros. & Cons.
• Conclusion
• References
• Q & A

Introduction
• Network monitoring tool that incorporates map of the network layout
• It helps you visualize the structure of your network
• It also provides direct access to network functions specific to each item.
• It can automatically discover your local network and draw a preliminary layout that can be further customized and saved.

System Requirements
• RAM: minimum - 64MB, recommended minimum - 128MB
• OS: Windows 2000/XP (does not work with Windows 95/98/Me) with Administrator permissions
• Video: at least 800x600 resolution

Features
• Supports various network monitoring tasks from simple ping checks to port probes and service checks.
• Individual Link usage monitoring and graphs.
• Direct access to remote control tools for device management.
• Helps in checking bandwidth to a device or monitor its traffic in real-time.

Features Contd..
• Automatically detects any existing subnets and begins scanning them.
• Detected devices are then probed to determine which IP-based services are supported (like NetBIOS, HTTP, FTP, etc.),
• Additional probes for any services can also be configured.
• After discovery process, the results are plotted as icons on a map grid including which of its services are up, down, or unstable.

Features Contd..
• How long to wait before timing out a device
• Which services are polled on which devices
• Window layout is stored on the server rather than the client, so everything set up on the server can be viewed from multiple clients.

Features Contd..
• Supports remote Dude server and local clients.
• Supports SNMP, ICMP, DNS and TCP monitoring for devices that support it.
• Easy installation
• Runs on Linux, Mac OS, and Windows.
• Best price/value ratio compared to other products (free of charge).

Modes of Operation
• Local – to connect to the local Dude server
• Remote – to connect insecurely (nothing is encrypted, not even passwords) to a remote Dude server (uses web based interface)
• Secure – to connect securely to a remote Dude server (uses web based interface)

Interface Layout

Logs
• Debug – shows all changes happening in the system
• Action – lists manual operations performed by an administrator (for example, device add/remove events)
• Event – stores network events (for example, information about failing services)

Probes
• ICMP – regular ping.
• TCP – a test, which opens a regular TCP connection to a given port.
• DNS – probe the given UDP port (usually, 53) with a valid DNS request for the given domain name.
• SNMP – check the specified OID (Object Identifier).

Device properties
Event Log
Web Server Traffic
Local Network Map
Local Network Map (zoom)
Link Speed
Network Segments
Probes
Link Outages
Service Outages
Device Up/Down time

Pros:
• Freeware
• Lots of customizable options
• Useful network mapping features
• Separate Client & Server
• Uses ftp, http, NetBIOS & ping, SNMP
• Export and Import in PNG & PDF format
• Email, popup and beep alerts
• Secure remote login

Cons:
• Rather unintuitive user interface
• Device alerts not turned on by default
• Minimal and out of date documentation
• Web based interface not comprehensive compared to its windows based client

Conclusion
• Good Freeware
• Cannot work if firewall is enabled.
• Separate client and server
• No support
• Server logout - Dude service closes

References
• http://wiki.mikrotik.com/wiki/Dude_usage_notes#Device_Representation
• http://www.steveatwal.com/the-dude-free-network-diagramming-tool/
• http://www.smallbusinesscomputing.com/webmaster/article.php/3692871

Q & A
Thank you

May 24, 2007 MSR – A Comparative Analysis
PRTG (Paessler Router Traffic Grapher)
By: Muhammad Asif Siddiqui & Syed Usama Idrees

Outline
Introduction
Features
… continued

System Requirements
• Windows 2000/XP/2003
• 64 MB RAM (128 MB and more recommended)
• 20 MB disk space for installation
• TCP/IP Network Connection
• IE 6.0+ or FireFox 1.0+
• Protocols enabled on devices

Installation
… continued

Working
Supports the three most common methods of data acquisition:
• SNMP (Simple Network Management Protocol) to access traffic counters or other readings from SNMP enabled devices (most common)
• Packet Sniffing to look at incoming/outgoing network packets that pass through a network card of a computer
• NetFlow for analyzing Cisco NetFlow packets sent by Cisco routers

User Interface
• Monitoring data can be accessed via a Windows GUI and/or a web based front end
• Integrated web server for remote access (no external web server necessary)
• Results are shown in various graphs & tables
• Graphs are always generated on-the-fly for live reporting

Reports
• Configurable reports (graphs and data tables) in HTML, Excel, TIFF, RTF or PDF format
• Daily, monthly, and yearly reports can be exported via email or saved to file
• x% percentile calculation for any value, any interval, and any time frame
• Includes a billing system for bandwidth based billing

Notifications
• For each sensor, individual email notifications can be configured for:
  • Errors (e.g. device is not reachable)
  • Reaching traffic limits (e.g. more than x MB transferred per day or month)
  • Reaching traffic or usage thresholds (e.g. more than 700kbit bandwidth for more than one hour)

Experimentation (Examples)
• Generate reports
• Use web interface
• Specify thresholds
• Add and edit sensors
• Automatic Network Discovery
• Export data tables and graphs
• Add customized graphs / tables
• Customize graphs and tables view

Running the PRTG
• When we run PRTG for the first time, it does not have any sensor to read. So we need to add some sensors to collect the data
• After we have added some sensors, the main window looks like this:

Adding a standard traffic sensor
… continued
The above example clearly showed you how a Standard Traffic Sensor in PRTG is added and monitored

Conclusion
• The GUI of PRTG is user friendly for both installation and usage
• Graphical view of the network and bandwidth usage provides better monitoring of networks
• Makes it easy to identify network bottlenecks
• Better quality of service can be assured and planned according to the desired needs
September 18, 2007
PRTG
THANK YOU!

Firewall Analyzer 4
By:
• Mojeeb Al-Rhman Al-Khiaty
• Naif Al-Wadeai

Outline:
• Reasons for choosing this tool!
• What is Firewall?
• Firewall Analyzer 4 (Quick description).
• Features, Characteristics and Areas.
• How can you use this tool?
• Examples
• Firewall Architecture.
• References.

Reasons for choosing this tool!
• Our team members are interested in security and security management in networks.
• We attempt to achieve the highest benefits from this course and connect it with our thesis ideas.
What is Firewall ?
A Firewall is an important perimeter defense tool that protects your network from attacks. Security tools like Firewalls and Proxy Servers generate a huge quantity of traffic logs, which can be mined to generate a wealth of security information reports.[2]
Firewall Analyzer 4.0 !!!
A web-based, cross-platform, log analysis tool that analyzes logs received from different firewalls and generates useful reports and graphs.
Helps network administrators in doing:
• Trend analysis
• Capacity planning
• Policy enforcement
• Security compromises. [3]

How can Firewall Analyzer help you?
• Analyze incoming and outgoing traffic/bandwidth patterns
• Identify top Web users, and top websites accessed
• Project trends in user activity and network activity
• Identify potential virus attacks and hack attempts
• Determine bandwidth utilization by host, protocol, and destination
• Alert on firewalls generating specific log events
• Analyze efficiency of firewall rules and modify them if needed
• Determine the complete security posture of the enterprise

Firewall Analyzer 4.0 (Cont.)
The reporting features available in this release include:
• Pre-defined reports on bandwidth, protocol, users, etc.
• Instant reports on firewall activity
• Scheduling of reports
• Custom report profiles
• Historical trend reports
• Export and save reports to PDF
• Custom alert settings.

Features and Benefits (cont.)
• Multiple firewall vendor support: Support for most leading enterprise firewall appliances and servers.
• Automated syslog collection and processing: Automatically collects and parses logs, and updates the database at user-defined intervals
• Syslog archiving: Allows for archiving of log files at user-defined intervals
• Built-in database: Stores and processes syslog data in the embedded MySQL database
• Dashboard: Provides a quick view of current activity across all devices from a single place

Features and Benefits (cont.)
• Automatic alerting: Automatically notifies and warns against specific events based on user-defined thresholds
• Pre-defined device reports: Includes traffic analysis reports across all devices or specific to firewalls, proxy servers, and Radius servers
• Historical trending: Allows you to analyze trends in bandwidth usage, protocol usage, etc. over varying time periods
• Customizable report profiles: Allows you to build reports to meet your specific needs

Features and Benefits (cont.)
• Report scheduling: Automatically generates reports at specified time intervals and delivers them as PDF reports via email.
• Multiple report formats: Generates and exports reports in HTML, PDF, and CSV formats.
• Advanced user management: Allows you to create different users and set appropriate access privileges
• Multi-platform support: Runs on Windows and Linux platforms
Examples
Protocol-wise Distribution
Severity-wise Distribution
Selecting device and date
Selecting device
changing year
changing Month
Reporting
Reporting (Cont.)
Reporting (Cont.)
Reporting (Cont.)
Architecture
References:
1. “SNMP, SNMPv2, SNMPv3, AND RMON 1 and 2” by William Stallings, Addison-Wesley, Third Edition, 1996.
2. http://www.manageengene.com
3. http://www.fwanalyzer.com

AT THE END
Thanks for your attention

Team Members
Ahmad Salam AlRefai
Mohamed Abu Ghalioun

• What is Worm?
• Intrusion Detection System (IDS).
• Billy Goat System.
• Collaborative Distributed Attack Detection.
• Theory of Attack Detection.
• Cooperative Messaging Protocol
• Questions & Answers.

• A worm is a self-replicating computer program similar to a virus.
• A virus lives within another program
  • It executes when the other program executes
  • It needs a host program
  • Causes mischief: deleting data, altering the display.
• Worms move or propagate in the network
  • Replicate themselves in machines before jumping to others
  • Create much network traffic that overwhelms the network (DoS)

• Started in 1987 by Dorothy E. Denning, a computer scientist then at SRI International, Menlo Park, Calif. In "An Intrusion Detection Model", published in IEEE Transactions on Software Engineering, she describes how to model the statistical characteristics of a system operating normally so that deviations from the model could be taken as evidence that intruders were present.
• An IDS tries to detect illegal things; however, legitimate and illegitimate activities look similar, so the diagnosis depends heavily on the context.

• A centralized system uses a single device to monitor the entire network. Centralized systems are designed primarily to protect enterprises by monitoring aggregate traffic at fixed locations in the network and responding by blocking or delaying observed malicious behavior.
• The distributed system model tracks anomalies more reliably but requires installation on each machine. In this model all events are generated on the local systems individually.

• The main problems of previous intrusion detection systems are the many false alarms they produce, their lack of resistance to both malicious attacks and accidental failures, and the constant appearance of new attacks and vulnerabilities.
• IBM Zurich Research Laboratory is working on a remedy for worms that differs from other approaches in targeting worms specifically rather than trying to prevent all breaches of computer security.
• The Billy Goat system does the work extremely accurately. Billy Goat is a specialized worm-detection system that runs on a dedicated machine connected to the network and detects worm-infected machines anywhere in it. Billy Goat is designed to take advantage of the way worms propagate.

• Computers connected to the network often receive automated requests from other computers (service requests).
• Investigating these requests shows that worms cause a large fraction of them.
• This is because worms typically find new computers to target by searching through Internet addresses at random.

• The strategy is effective because the ever-increasing number of infected machines in an attack can soon be generating hundreds of millions of addresses to try.
• The machines are assigned unused and unadvertised addresses.
• Because no one knows of the existence of those machines, we can assume that the traffic would almost surely be illegitimate.

• Billy Goat responds to machines (virtual environment).
• Feigned services provided (many, Sapphire MSQL)
• Connection attempts recorded
• Helps Billy Goat reveal the identity of the worm.
• Allows the system to know the worm-infected machine.
• When a worm tries to infect Billy Goat, its identity gets recorded and reported to the administrator.

• More than one address can be assigned to the same machine.
• The machine provides many virtual services.
• To ensure that Billy Goat keeps working under heavy worm attack, we can use a distributed architecture.
• Extremely effective: discovers infected machines in seconds.

Centralized Systems:
• Global view of the enterprise network.
  • Which means a centralized decision maker.
• High quality (low false positive and low false negative).
• Not scalable for large networks
  • may not be sufficient trust between sub-domains to accept a centralized protection policy.
  • large numbers of mobile nodes may exit and enter the network leaving them temporarily without protection

Distributed System:
• Scalable for large networks.
• Lack of global view
• Low quality
  • high false positive and high false negative.

It is a suggested solution:
• It uses a distributed system model; all events are generated using software detection agents on individual hosts.
• Solving the problem of the lack of global view
  • Sharing information between nodes.

• Attack Detection
• Cooperative Messaging Protocols

• Collaborating sites maintain a decision table.
• It is constructed using the ratio of the likelihood that the features are a good indicator of the current worm attack to the likelihood that the features occur at random.
• When the observed behavior exceeds a predetermined threshold, enough evidence has been accumulated to reach a correct decision with high probability.

• Let H1 be the hypothesis that there is a worm, and H0 be the hypothesis that there is no worm.
• Let Yi be the random variable that says whether there is an attack or not at site i.
  • Yi = 1 if there is an attack; could be a false positive (fp)
  • Yi = 0 if there is no attack; could be a false negative (fn).
• The observation vector L(Y) = {Y1, Y2, ..., Yn} then is the set of measurements obtained by n conditionally independent end-hosts.

• The table is constructed using many random walks through a collection of local detectors.
• The strength of the desired global detectors is specified by two quantities: desired detection rate (DD) and desired false alarm rate (DF).
• Using these, one can calculate thresholds in the table of likelihood ratios: T0 = (1 − DD) / (1 − DF) and T1 = DD / DF.

Each host, then, implements a global intrusion detector that makes decisions as follows:
• If, after including the local detector state, the calculated likelihood ratio L(Y) < T0, accept the hypothesis that there is no worm (H0) and halt the query.
• If L(Y) > T1, accept the worm hypothesis (H1) and raise a global alarm.
• Otherwise, continue the random walk among end hosts.

• Cooperating hosts contain a random subset of the addresses of all nodes in the collection.
• Nodes with new alerts from their local detectors choose m other end-hosts at random and send the message “{1, 1}”, which means, “One site has reported one alert”.
• Hosts receiving this message add their local information (e.g. a host would generate a “{2, 1}” if it had not seen the activity, and a “{2, 2}” if it had).

If no decision is reached, m new sites are selected at random and the message propagates. In this manner multiple sequences (chains) of evidence are spread randomly across cooperating end-hosts. If “normal behavior” decisions are reached in any chain, that chain halts. If a “likely worm attack” decision is reached at any point, a global warning is broadcast to all nodes.
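
The decision rule and the {n, k} messages described above, simulated as an added example that is not code from the presentation or from the papers it draws on. The per-site likelihood terms built from local false positive and false negative rates, every numeric parameter, and all class and function names are assumptions made for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class GlobalDetector:
    dd: float  # desired detection rate (DD)
    df: float  # desired false alarm rate (DF)
    fp: float  # local detector false positive rate (assumed)
    fn: float  # local detector false negative rate (assumed)

    def log_ratio(self, n, k):
        """log L(Y) for message {n, k}: n sites reported, k of them alerted."""
        alert = math.log((1 - self.fn) / self.fp)   # P(Yi=1|H1) / P(Yi=1|H0)
        quiet = math.log(self.fn / (1 - self.fp))   # P(Yi=0|H1) / P(Yi=0|H0)
        return k * alert + (n - k) * quiet

    def decide(self, n, k):
        """Compare L(Y) with T0 = (1-DD)/(1-DF) and T1 = DD/DF."""
        llr = self.log_ratio(n, k)
        if llr < math.log((1 - self.dd) / (1 - self.df)):
            return "no_worm"      # accept H0, this chain halts
        if llr > math.log(self.dd / self.df):
            return "worm"         # accept H1, raise the global alarm
        return "continue"         # not enough evidence yet


def forward(message, local_alert):
    """A receiving host adds its own local detector state to {n, k}."""
    n, k = message
    return (n + 1, k + (1 if local_alert else 0))


def walk_chain(detector, observations):
    """Follow one chain that starts as {1, 1}; observations are the local
    alert states of the hosts it visits, in order."""
    message = (1, 1)
    for seen in observations:
        message = forward(message, seen)
        verdict = detector.decide(*message)
        if verdict != "continue":
            return verdict, message
    return "continue", message


def propagate(detector, alerts, origin, m=2, seed=1, max_hops=8):
    """Spread {1, 1} from origin to m random hosts; every undecided host
    picks m new hosts. alerts maps host name -> local alert state. The
    visited set is simulation bookkeeping, not part of the message."""
    rng = random.Random(seed)
    chains = [((1, 1), frozenset([origin]))] * m
    undecided = False
    for _ in range(max_hops):
        next_chains = []
        for message, visited in chains:
            candidates = sorted(set(alerts) - visited)
            if not candidates:
                undecided = True      # ran out of hosts without a decision
                continue
            host = rng.choice(candidates)
            message = forward(message, alerts[host])
            verdict = detector.decide(*message)
            if verdict == "worm":
                return "global_alarm", message
            if verdict == "continue":
                next_chains += [(message, visited | {host})] * m
        chains = next_chains
        if not chains:
            break
    if chains or undecided:
        return "undecided", None
    return "all_chains_halted", None


# Constructed parameters, not taken from the slides.
DETECTOR = GlobalDetector(dd=0.98, df=0.02, fp=0.1, fn=0.1)
```

With these constructed rates a single corroborating host turns {1, 1} into {2, 2} and crosses T1, while three hosts that saw nothing bring the chain to {4, 1}, below T0, so an isolated false positive dies out after a few hops.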

References
• How to Hook Worms, James Riordan, Andreas Wespi, Diego Zamboni, May 2005
• A Distributed Host-based Worm Detection System, Senthilkumar G. Cheetancheri, John Mark Agosta, Denver H. Dash, Karl N. Levitt, Jeff Rowe, Eve M. Schooler