Nemea: System for network traffic analysis and anomaly detection
NEMEA System
NEMEA (Network Measurements Analysis) system is a stream-wise, flow-based and modular detection system for network traffic analysis. It consists of many independent modules, each with its own task, which are interconnected via communication interfaces. Communication between modules is done by message passing, where the messages contain flow records, alerts, statistics or preprocessed data.
Parts of the system
The following picture shows all the important parts of the system.
- Modules – basic building blocks; separate system processes; each receives a stream of data on its input interfaces, processes it and sends another stream of data to its output interfaces; modules are divided into two groups according to their task:
  - Detectors (red) – detect some malicious traffic, e.g. DNS tunnel, DoS, scanning
  - Modules (yellow) – export and storage of flow data, preprocessing or postprocessing of the data (filter, aggregate, merge etc.)
- NEMEA Framework – set of libraries implementing features common to all modules:
  - TRAP (Traffic Analysis Platform) (blue) – implements communication interfaces and functions for sending/receiving messages between interfaces
  - UniRec (Unified Record) (orange) – implements the efficient data format of the sent/received messages
  - Common library (purple) – implements common algorithms and data structures used in modules
- Supervisor (green) – central management and monitoring tool of the NEMEA system. It takes care of running modules according to a specified configuration.
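To make the architecture concrete, here is an added toy model of the stream-wise pipeline just described (a filter module feeding a scan detector feeding a storage module, connected by input/output interfaces). It is illustration code, not NEMEA, TRAP or UniRec code: the `Module`, `FilterModule` and `ScanDetector` classes, the dict-based flow records and the sample flows are all constructed for this example.

```python
# Added toy model of the NEMEA-style pipeline; hypothetical names and constructed data, not NEMEA's code.
from collections import defaultdict

SAMPLE_FLOWS = [  # constructed: one source touching 15 TCP ports on one host
    {"SRC_IP": "10.0.0.5", "DST_IP": "10.0.0.9", "DST_PORT": p, "PROTOCOL": 6}
    for p in range(20, 35)
] + [
    {"SRC_IP": "10.0.0.7", "DST_IP": "10.0.0.9", "DST_PORT": 443, "PROTOCOL": 6},
    {"SRC_IP": "10.0.0.5", "DST_IP": "10.0.0.9", "DST_PORT": 53, "PROTOCOL": 17},
]

class Module:
    """One input interface (recv) and one output interface (send) per module."""
    def __init__(self, *outputs):
        self.outputs, self.received = list(outputs), []  # downstream modules; stored msgs
    def send(self, msg):
        for module in self.outputs:
            module.recv(msg)
    def recv(self, msg):  # default behaviour: store the message (storage module at pipe end)
        self.received.append(msg)

class FilterModule(Module):
    """Processing module: forwards only records matching a predicate."""
    def __init__(self, predicate, *outputs):
        super().__init__(*outputs)
        self.predicate = predicate
    def recv(self, flow):
        if self.predicate(flow):
            self.send(flow)

class ScanDetector(Module):
    """Detector: alert once a source has touched more than `threshold` ports on one host."""
    def __init__(self, threshold, *outputs):
        super().__init__(*outputs)
        self.threshold, self.ports, self.alerted = threshold, defaultdict(set), set()
    def recv(self, flow):
        key = (flow["SRC_IP"], flow["DST_IP"])
        self.ports[key].add(flow["DST_PORT"])
        if len(self.ports[key]) > self.threshold and key not in self.alerted:
            self.alerted.add(key)  # report each (src, dst) pair only once
            self.send({"ALERT": "portscan", "SRC_IP": key[0], "DST_IP": key[1],
                       "PORTS": len(self.ports[key])})

def run_pipeline(flows, threshold=10):
    """Wire TCP filter -> scan detector -> storage sink, feed the stream, return alerts."""
    sink = Module()
    head = FilterModule(lambda f: f["PROTOCOL"] == 6, ScanDetector(threshold, sink))
    for flow in flows:
        head.recv(flow)
    return sink.received
```

In the real system each module is a separate process and the interfaces are TRAP interfaces carrying UniRec records; the in-process method calls here stand in for that message passing.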
Install && Use
Copyright (C) 2012-2016 CESNET, z.s.p.o.