Psyche - Network Flow Analysis for the masses

There was a time when our anti-virus, IDS, and anti-spyware software could protect us from the majority of threats against our networks and systems. Unfortunately, the threats have changed, and our systems are getting compromised at an alarming rate. New tools are needed to help find attackers and malware on the network.

Psyche is a tool designed to utilize information already available in your network. Most modern routers and some switches can export network flow data that includes the source and destination IP addresses and ports of each flow, as well as the size of the flow and the number of packets sent. By analyzing this data, you can find out what is normal for your network and what is potentially dangerous traffic.

Why is Psyche Different?

There are several other good FL/OSS netflow analysis tools available, such as nfsen and SiLK. However, these tools are largely focused on time series analysis; that is, they examine the data solely along a time axis. While many of these tools allow ad hoc querying of their database, they do not have the ability to perform more advanced statistical analysis.

Psyche is designed with the security professional in mind. Psyche stores its data in a relational database rather than an RRD time series DB. Psyche, therefore, can do much more advanced analysis and visualization than other tools. This allows security staff to quickly find abnormal patterns in traffic that aren't simple spikes in traffic utilization. The trade-off is that running Psyche requires more powerful hardware than other tools. But, who doesn't want an excuse to play with new hardware? ;)
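As an added illustration (not Psyche's own code), here is the kind of relational query and statistical check the two paragraphs above describe: constructed flow records (the addresses and values are made up) loaded into an in-memory SQLite table, a per-source profile computed with GROUP BY, and a z-score on distinct destination ports that flags a host whose total byte count is too small to ever show up as a utilization spike.

```python
import sqlite3
import statistics

# Constructed sample flow records (not real traffic). Each tuple holds the
# fields the page says routers export: src_ip, dst_ip, src_port, dst_port,
# bytes, packets. Hosts 10.0.0.1-8 are ordinary clients (HTTPS plus DNS);
# 10.0.0.20 sends tiny flows to 40 distinct ports on one internal server.
FLOWS = []
for i in range(1, 9):
    FLOWS.append((f"10.0.0.{i}", "93.184.216.34", 50000 + i, 443, 9000, 30))
    FLOWS.append((f"10.0.0.{i}", "10.0.0.9", 51000 + i, 53, 120, 2))
FLOWS += [("10.0.0.20", "10.0.0.9", 60000 + p, p, 60, 1) for p in range(1, 41)]

def load_flows(rows):
    """Load flow records into an in-memory relational table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (src TEXT, dst TEXT, sport INT, "
               "dport INT, bytes INT, pkts INT)")
    db.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db

def host_profiles(db):
    """Per-source features that a GROUP BY answers directly:
    distinct destination ports, distinct peers and total bytes sent."""
    q = ("SELECT src, COUNT(DISTINCT dport), COUNT(DISTINCT dst), SUM(bytes) "
         "FROM flows GROUP BY src")
    return {src: {"ports": ports, "peers": peers, "bytes": total}
            for src, ports, peers, total in db.execute(q)}

def outliers(profiles, feature="ports", z_limit=2.0):
    """Hosts whose feature lies more than z_limit population standard
    deviations above the mean of all hosts: a statistical outlier,
    not a spike on a bandwidth graph."""
    values = [p[feature] for p in profiles.values()]
    mean = statistics.mean(values)
    sd = statistics.pstdev(values) or 1.0  # all-equal population: avoid /0
    return sorted(h for h, p in profiles.items()
                  if (p[feature] - mean) / sd > z_limit)

if __name__ == "__main__":
    prof = host_profiles(load_flows(FLOWS))
    for host in outliers(prof):
        print(host, prof[host])
```

The scanning host sends 2400 bytes in total against 9120 for each ordinary client, so a byte-count check finds nothing while the distinct-port check flags it.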

Who Should use Psyche?

Psyche is currently geared towards small-to-mid-size organizations. Psyche supplements tools commonly found in organizations of this size and can quickly sift through traffic on this scale. Network and security engineers should be able to quickly learn Psyche's interface and get useful results rapidly.

We're still figuring out how well Psyche scales as traffic volume grows. Due to performance issues, Psyche is not recommended for organizations that deal with more than 1M flows/hour. See the requirements page for more info on what is required to run Psyche.

What is the status of Psyche?

Psyche is under active development. Its initial release occurred at ShmooCon 2008, with more releases planned in the coming months. If you're interested in the development status or in assisting with the development, check out the development wiki.