This paper describes the capabilities of the CENTAUR system, which has been developed to help DoD information operations security analysts better understand and defend the NIPRNet. CENTAUR is the largest system for Global Situational Awareness of the NIPRNet available to Tier 1 Computer Network Defense analysts. It has been deployed and used routinely over the past 2+ years by dozens of analysts at JTF-GNO/NetDefense (formerly DoD-CERT), NSA, and most recently at Service CERTs (e.g., AFNOSC) and regional CERTs (e.g., CONUS). The CENTAUR system maintains a repository of detailed data regarding network traffic handled by the border and backbone routers on the NIPRNet, going back as far as April 2002.
The CENTAUR system provides users with powerful and flexible capabilities for exploring and analyzing this NIPRNet traffic data, both current and historical. CENTAUR is not yet another system for automatically detecting intrusions and anomalies. Rather, it provides operationally focused technological and analytical support, giving experienced security analysts the tools they need to understand the traffic on their network. The highly efficient tools provided by the CENTAUR system have helped DoD analysts keep up with the rapidly increasing (1) traffic levels on the NIPRNet and (2) number of threats and attacks against DoD systems. In addition to the built-in analysis tools, the software suite has been designed to serve as an infrastructure on top of which people can add new capabilities and views with relative ease. A major example of this is the scan detection and analysis system currently being tested.