NEMEA

System for network traffic analysis and anomaly detection.

General Information

The NEMEA (Network Measurements Analysis) system is a stream-wise, flow-based and modular detection system for network traffic analysis. In practice, it is a set of independently running NEMEA modules that continuously process incoming data (messages). Usually, the messages carry information about network flows (as in the NetFlow or IPFIX formats), but messages are more general: they might represent detected security events or anything else. A NEMEA module is technically an executable file that can be run in multiple instances in an operating system.

The system is suitable for on-the-fly analysis of flow data (live, or captured and stored). It currently contains a set of modules for detecting various types of suspicious traffic, computing traffic statistics, filtering/aggregating messages, and reporting the alerts that were detected. Even though the functionality of the modules differs (each module has its own purpose), all modules are handled uniformly: they all use the same NEMEA framework, which implements inter-module communication, the data format (representation of the messages), and common data structures and algorithms.

NEMEA modules can receive or send messages using input and output communication interfaces (IFCs). The number of input and output IFCs is usually chosen by the developer based on the functionality of the module; e.g. a detection module usually receives flow data via one input IFC and sends alerts (messages of a different format/content) via one output IFC.

Connected NEMEA modules

Since IFCs are configured at startup, a user may choose which modules to interconnect and how. There are several types of IFCs to choose from (IFC types). A NEMEA module (at the time of development) does not need any information about other modules; however, it usually expects certain information fields in the messages that it needs for its processing. That means a module might be connected to any other module to receive data from, but only data sources containing all the needed fields will work.
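The wiring rule above (any module may feed any other, but only a source that carries every field the consumer expects will work) is easiest to see in code. The following is an added illustration, not NEMEA's own code and not its libtrap/UniRec API: a small Python model in which each module declares the fields it requires on its input IFC and the fields it emits on its output IFC, the chain is validated at connect time before any message flows, and a filter, a stateful detector and a reporter are chained the way the text describes. The field names (SRC_IP, DST_PORT, PROTOCOL, ...) only mimic the UniRec naming style and, like the flow records, are constructed for this example.

```python
"""Toy model of how NEMEA-style modules are chained through interfaces (IFCs).

Constructed illustration only: it does not use the real NEMEA framework
(libtrap/UniRec). Field names such as SRC_IP and DST_PORT only mimic the
UniRec naming style and are assumptions made for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set

Message = Dict[str, object]


class TemplateMismatch(Exception):
    """A module was wired to a source that lacks fields the module needs."""


class Module:
    """One processing unit with a single input IFC and a single output IFC."""

    def __init__(self, name: str, requires: Set[str], emits=None):
        self.name = name
        self.requires = set(requires)                      # fields input messages must carry
        self.emits = None if emits is None else set(emits)  # None: pass the input fields through

    def connect(self, source_fields: Set[str]) -> Set[str]:
        """Check the upstream template at wiring time; return this module's output template."""
        missing = self.requires - set(source_fields)
        if missing:
            raise TemplateMismatch(f"{self.name}: input lacks {sorted(missing)}")
        return set(source_fields) if self.emits is None else self.emits

    def process(self, msg: Message) -> Iterator[Message]:
        raise NotImplementedError

    def run(self, messages: Iterable[Message]) -> Iterator[Message]:
        for msg in messages:
            yield from self.process(msg)


class FieldFilter(Module):
    """Forwards only messages whose `field` equals `value`; the template is unchanged."""

    def __init__(self, field: str, value: object):
        super().__init__(f"filter[{field}=={value}]", requires={field})
        self.field, self.value = field, value

    def process(self, msg: Message) -> Iterator[Message]:
        if msg[self.field] == self.value:
            yield msg


class DistinctPortDetector(Module):
    """Stateful detector: one alert per source that touches >= threshold distinct ports."""

    def __init__(self, threshold: int):
        super().__init__("port_detector", requires={"SRC_IP", "DST_PORT"},
                         emits={"SRC_IP", "EVENT_TYPE", "DISTINCT_PORTS"})
        self.threshold, self.ports, self.reported = threshold, defaultdict(set), set()

    def process(self, msg: Message) -> Iterator[Message]:
        src = msg["SRC_IP"]
        self.ports[src].add(msg["DST_PORT"])
        if len(self.ports[src]) >= self.threshold and src not in self.reported:
            self.reported.add(src)
            yield {"SRC_IP": src, "EVENT_TYPE": "portscan",
                   "DISTINCT_PORTS": len(self.ports[src])}


class Reporter(Module):
    """Turns any event message into a one-line text record."""

    def __init__(self):
        super().__init__("reporter", requires={"EVENT_TYPE"}, emits={"TEXT"})

    def process(self, msg: Message) -> Iterator[Message]:
        yield {"TEXT": ", ".join(f"{k}={v}" for k, v in sorted(msg.items()))}


def check_wiring(source_fields: Set[str], modules: List[Module]) -> List[str]:
    """Validate a module chain without moving any data; returns the problems found."""
    fields = set(source_fields)
    for module in modules:
        try:
            fields = module.connect(fields)
        except TemplateMismatch as exc:
            return [str(exc)]
    return []


def run_pipeline(source_fields, messages, modules) -> List[Message]:
    """Wire the chain (failing early on a template mismatch), then stream messages through it."""
    fields = set(source_fields)
    stream: Iterable[Message] = iter(messages)
    for module in modules:
        fields = module.connect(fields)
        stream = module.run(stream)
    return list(stream)


# Constructed flow records in a flat UniRec-like form (not real traffic).
FLOW_FIELDS = {"SRC_IP", "DST_IP", "DST_PORT", "PROTOCOL", "PACKETS", "BYTES"}
FLOWS = [
    {"SRC_IP": "10.0.0.5", "DST_IP": "192.0.2.10", "DST_PORT": p, "PROTOCOL": 6, "PACKETS": 1, "BYTES": 60}
    for p in (22, 23, 25, 80, 443)
] + [
    {"SRC_IP": "10.0.0.7", "DST_IP": "192.0.2.10", "DST_PORT": 443, "PROTOCOL": 6, "PACKETS": 12, "BYTES": 9000},
    {"SRC_IP": "10.0.0.9", "DST_IP": "192.0.2.20", "DST_PORT": 53, "PROTOCOL": 17, "PACKETS": 2, "BYTES": 160},
]


def detect_tcp_scans(flows=FLOWS, threshold: int = 4) -> List[Message]:
    """flow source -> TCP filter -> detector -> reporter: alerts leave via one output IFC."""
    chain = [FieldFilter("PROTOCOL", 6), DistinctPortDetector(threshold), Reporter()]
    return run_pipeline(FLOW_FIELDS, flows, chain)
```

Running `detect_tcp_scans()` yields a single text record for 10.0.0.5 (the only TCP source reaching four distinct ports), while `check_wiring(FLOW_FIELDS, [Reporter()])` reports that a reporter wired straight to the flow source lacks the EVENT_TYPE field, which is exactly the misconfiguration the paragraph warns about, caught before any data is processed.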

There are several ways to get data into NEMEA. It is possible to read data from files (CSV, nfdump, PCAP), receive data from the IPFIXcol collector (which supports the NetFlow/IPFIX formats) via the special IPFIXcol UniRec plugin, or use the NEMEA flow exporter (flow_meter).

NEMEA interoperability - supported data formats

Further Information

Attribution

We kindly ask anyone who uses NEMEA for research and writes an academic paper about it to cite NEMEA as follows:

@inproceedings{nemea16,
    author = {Cejka, Tomas and Bartos, Vaclav and Svepes, Marek and Rosa, Zdenek and Kubatova, Hana},
    title = {NEMEA: A Framework for Network Traffic Analysis},
    booktitle = {12th International Conference on Network and Service Management (CNSM 2016)},
    doi = {10.1109/CNSM.2016.7818417},
    url = {http://dx.doi.org/10.1109/CNSM.2016.7818417},
    year = 2016
}

NEMEA Related Publications