ASDIC is a system for advanced traffic monitoring and analysis in large TCP/IP networks. It helps you investigate the traffic in your network, surveying the activity and finding potential weaknesses and threats before they cause you a disturbance. The functions of ASDIC can be broken down into the following parts:
- Collects traffic data from various sources such as syslog, firewall log files, real-time flow monitors, and SPAN ports in switches and routers.
- Converts different source data formats into a comparable and consistent format.
- Stores network sessions in a searchable central database.
- Analyses network flows.
- Identifies all traffic patterns.
- Classifies traffic.
- Detects anomalies and deviations.
- Reports events of interest.
The unique feature of ASDIC is its ability to classify all network traffic into meaningful categories, i.e. aggregates. Where other traffic analysis and log collection tools present sessions, ASDIC works on a more abstract level: aggregates of sessions. An aggregate is a collection of sessions, and each session is automatically cataloged into one or more aggregates. In the aggregate, redundant data of the sessions, such as high random ports, is eliminated. An ordinary network consists of a near-infinite number of sessions, but only a limited number of aggregates. With this approach you take the volume out of the equation of traffic analysis: you can just as easily disregard the tons of uninteresting traffic as locate the single packet or log entry pinpointing the event that really needs your undivided attention.
ASDIC identifies and measures all aggregates, and every session must belong to at least one aggregate. This way, new traffic can be detected when it forces the creation of a new aggregate. With other tools you define aggregates manually, which requires that you know what you are looking for, and therefore such tools can never be used to detect and measure new or unknown traffic.
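The aggregation idea described above, as an added example that is not ASDIC's own code: sessions from constructed firewall log lines are collapsed into aggregates by dropping the random client port and generalising the client host to its /24 network (both the 1024 threshold and the /24 rule are assumptions of this example), and any aggregate that did not exist in a baseline is reported as new traffic.

```python
"""Toy session aggregator illustrating the ASDIC approach (added example)."""
from collections import Counter
import ipaddress

EPHEMERAL_START = 1024  # assumption: client ports >= 1024 are random and redundant

# Constructed sample firewall log lines (not real data); format: proto src:port dst:port
BASELINE_LOG = """\
tcp 10.1.2.10:49152 10.1.3.5:443
tcp 10.1.2.11:51000 10.1.3.5:443
tcp 10.1.2.12:60321 10.1.3.5:443
udp 10.1.2.10:53012 10.1.3.1:53
"""
TODAY_LOG = BASELINE_LOG + "tcp 10.1.2.99:55555 10.1.3.5:22\n"  # one extra session

def parse_session(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) for one log line."""
    proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, int(src_port), dst_ip, int(dst_port)

def aggregate_key(session):
    """Collapse a session into its aggregate: the ephemeral client port becomes
    '*' and the client host becomes its /24 network (assumed generalisation)."""
    proto, src_ip, src_port, dst_ip, dst_port = session
    src_net = str(ipaddress.ip_network(f"{src_ip}/24", strict=False))
    sport = "*" if src_port >= EPHEMERAL_START else src_port
    return (proto, src_net, sport, dst_ip, dst_port)

def aggregate(log_text):
    """Count sessions per aggregate: many sessions, few aggregates."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[aggregate_key(parse_session(line))] += 1
    return counts

def detect_new(baseline, log_text):
    """Aggregates in log_text absent from the baseline: previously unknown traffic."""
    return {k: n for k, n in aggregate(log_text).items() if k not in baseline}

if __name__ == "__main__":
    known = aggregate(BASELINE_LOG)
    for key, n in known.items():
        print(f"{n:3d} sessions  {key}")
    for key, n in detect_new(known, TODAY_LOG).items():
        print(f"NEW aggregate {key} ({n} session(s))")
```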
Unlike an Intrusion Detection System (IDS), ASDIC keeps track of all network traffic, not only the known bad traffic. In a conventional IDS, all unknown traffic is assumed to be good. In ASDIC, all unknown traffic can be assumed bad. This makes ASDIC very different from an IDS/IPS in network security analysis.
You can loosely look at the aggregation process of ASDIC as a reverse firewall: it takes unstructured traffic information as input and produces a "rule set" as output. This "rule set" then controls what to measure and report.
We believe ASDIC is one of the most powerful analyzers available today for parsing firewall traffic logs. If you disagree, please drop us a mail telling us why. Read more about all the details of ASDIC and traffic analysis and see if it really is something you can afford to be without. You can even download ASDIC and try it out for yourself in your own network environment, free of charge.