Distributed Network Monitoring in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring,
Distributed Network Monitoring in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring, 2002

Motivation
- Many applications that run over the Internet have minimum performance requirements
- The network is one of the two possible sources of poor performance
- Wide area network behavior is unpredictable
  – IP networks are best effort
  – Constant change is normal
- Quality of service capability is not widely deployed
  – Will it ever be available?

Monitoring is a First Step
- Accurate monitoring of network state can enable application adaptivity and improved network management
  – Data provides basis for improved models and protocols
- There are many challenges in network monitoring
  – All features of the Internet make monitoring difficult
  – When, where, what, how…
- Today’s focus
  1. Network monitoring efforts at Wisconsin
  2. Combining monitoring and analysis to understand network traffic anomalies

The Wisconsin Advanced Internet Lab
- Next generation environment for network research
  – Our focus: performance, management, security
  – Platform for testbeds: storage, grid computing, …
- Internal environment
  – Instances of end-to-end-through-core Internet paths
- External environment
  – Measurement nodes deployed across the Internet

WAIL’s External Environment
- Existing infrastructure
  – WAWM systems (10)
  – Surveyor systems (60): partnership with Advanced Systems
  – NIMI systems (45): partnership with PCS and ICIR
  – Condor/Grid infrastructures: prototype system is under development
- Passive flow measurements
  – FlowScan data from UW, Internet2, others(?)

WAIL’s Internal Environment
- Complement to external facilities
- Hands-on test bed which creates paths identical to those in the Internet from end-to-end-through-core
  – Variety of highly configurable equipment
- Why do we need an internal lab?
  – Enables instrumentation and measurement of the entire end-to-end system
  – Enables new systems and protocols to be implemented in places where access is not possible in the wide area
- Vision of internal lab: new means for doing network research
- Status: significant commitment from industry partners (Cisco, EMC, Fujitsu) and the university – rev. 1.0 by 5/1/02

Distributed Anomaly Detection
- Motivation: anomaly detection and identification is an important task for network operators
  – Operators typically monitor by eye using SNMP or IP flows
  – Simple thresholding is ineffective
  – Some anomalies are obvious, others are not
- Focus: characterize and develop distributed means for detecting classes of anomalies
  – Network outages, flash crowds, attacks, measurement failures
- Approach: use statistical and wavelet techniques to analyze anomalies from IP flow and SNMP data from UW and other sites
- Implications: tools and infrastructure which quickly and accurately identify and adapt to traffic anomalies

Characteristics of “Normal” traffic

Our Approach to Analysis
- Analyze examples of each type of anomaly via statistics, time series and wavelets (our initial focus)
- Wavelets provide a means for describing time series data that considers both frequency and scale
  – Particularly useful for characterizing data with sharp spikes and discontinuities
  – More robust than Fourier analysis, which only shows what frequencies exist in a signal
  – Tricky to determine which wavelets provide best resolution of signals in data
- We use tools developed at the UW Wavelet IDR center
- First step: identify which filters isolate anomalies

Analysis of “Normal” Traffic
- Wavelets easily localize familiar daily/weekly signals

Example Anomaly: Attacks
- DoS: sharp increase in flows and/or packets in one direction
- Linear splines seem to be a good filter to distinguish DoS attacks

Characteristics of Flash Crowds
- Sharp increase in packets/bytes/flows followed by slow return to normal behavior, e.g. Linux releases
- Leading edge not significantly different from the DoS signal, so the next step is to look within the spikes

Characteristics of Network Anomalies
- Typically a steep drop-off in packets/bytes/flows followed a short time later by restoration
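The three shapes above (DoS: abrupt rise then abrupt fall; flash crowd: abrupt rise then slow decay; outage: abrupt drop then restoration) and the "simple thresholding is ineffective" point from the Distributed Anomaly Detection slide, as an added example that is not code from the WAIL project. It uses the finest-scale Haar detail (a simple wavelet filter, not the linear splines the slides name) on a constructed series of SNMP-style interface counters with a daily cycle; the event-pairing heuristic and the sample series are assumptions for illustration.

```python
"""Added example: finest-scale Haar details localize sharp traffic edges that a
fixed level threshold cannot, and pairing the edges separates the three shapes."""
import math

SAMPLES_PER_DAY = 96  # assume 5-minute SNMP interface counter samples


def build_series(days=4):
    """Constructed baseline: daily cycle around 1000 pkts/s plus three injected events."""
    x = [1000 + 500 * math.sin(2 * math.pi * t / SAMPLES_PER_DAY)
         for t in range(days * SAMPLES_PER_DAY)]
    for t in range(130, 140):            # DoS-like: abrupt on, sustained, abrupt off
        x[t] += 3000
    for k in range(60):                  # flash crowd: abrupt rise, slow decay back
        x[230 + k] += 3000 * math.exp(-k / 15)
    for t in range(330, 336):            # outage: counters drop to zero, then restore
        x[t] = 0
    return x


def haar_details(x):
    """Undecimated (shift-invariant) finest-scale Haar detail: (x[i] - x[i+1]) / 2."""
    return [(x[i] - x[i + 1]) / 2 for i in range(len(x) - 1)]


def fixed_threshold_alarms(x, thr):
    """Static level alarm: the daily peak trips it, and an outage (drop) never does."""
    return sum(1 for v in x if v > thr)


def wavelet_edges(x, k=15):
    """Edges = detail coefficients far outside the typical (median) detail magnitude.
    The daily cycle produces only small details, so it does not trip this test."""
    d = haar_details(x)
    med = sorted(abs(v) for v in d)[len(d) // 2]
    # detail < 0 means the series rose between i and i+1; > 0 means it fell
    return [(i, "rise" if v < 0 else "drop") for i, v in enumerate(d) if abs(v) > k * med]


def classify(edges, window=20):
    """Heuristic (assumption): pair a leading edge with the next sharp edge of the
    opposite direction inside `window` samples; a rise with no sharp fall decays slowly."""
    events, i = [], 0
    while i < len(edges):
        t, kind = edges[i]
        nxt = edges[i + 1] if i + 1 < len(edges) else None
        paired = nxt is not None and nxt[1] != kind and nxt[0] - t <= window
        if kind == "rise":
            events.append((t, "dos_like" if paired else "flash_crowd_like"))
        else:
            events.append((t, "outage_like" if paired else "unpaired_drop"))
        i += 2 if paired else 1
    return events
```

A threshold of 1400 pkts/s fires on every daily peak of the baseline alone, while the wavelet edges fall exactly on the three injected event boundaries.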

Summary and Conclusion
- Accurate network monitoring is essential for improving application performance and network management
- The Wisconsin Advanced Internet Lab provides a unique environment for network monitoring
- Wavelets are an effective means for identifying anomalous behavior in data gathered from IP flow and SNMP interface monitors
  – Details on distributed and coordinated monitoring and analysis available this spring