DiFMon Distributed Flow Monitor Salvatore D’Antonio 1, Claudio Mazzariello 2, Francesco Oliviero 2, Dario Salvi 1 1: Lab Item, Consorzio Interuniversitario Nazionale per l’Informatica, Napoli 2: Dipartimento di Informatica e sistemistica, Università degli studi di Napoli Federico II

- Possible uses: traffic profiling, intrusion detection
- Context: Internet flow monitoring
- Contribution: development of distributed software for flow monitoring

Flows are defined by means of properties applicable to packet headers, for example:
1. The IP addresses, source and destination
2. The 5-tuple (source address, destination address, source port, destination port, protocol carried by IP)
...and by means of a timeout. The choice of the flow definition follows the needs of the application that uses the monitoring data.

A Flow Monitor should:
1. Capture packets from the network
2. Associate a flow id to each packet on the basis of the chosen definition of flow
3. When a packet arrives, update the metrics of the flow the packet belongs to
4. Keep in memory the metrics of the "living" flows (not yet timed out) in data structures (flow records)
5. Save the measured metrics of each timed-out flow in order to make them available to the applications

Proposed architecture: Meter, Flow Cache, Collector, Application.
Meter:
1. Packet capturing
2. Associates a flow id to the packet
Flow Cache:
1. Calculates the metrics at each packet arrival
2. Keeps in memory the metrics of each living flow
3. "Exports" timed-out flows to the Collector
4. Possibly exports some "interesting" living flow
Collector:
1. Keeps in memory the metrics of each timed-out flow
2. Possibly advises the application of some "interesting" living flow

The Flow Cache: it is the critical module, since it must look up and update a flow record each time a packet arrives (for this reason it is distributed). Packet multiplexing is done by means of a hash function (mmh) computed on the flow id. Metrics can be freely implemented through an API. Flow records are ordered Least Recently Used (on the basis of the last access time). The flow record a just-arrived packet belongs to will be found among the first elements of the queue with high probability (temporal locality, i.e. heavy-tailed distributions of the packet rates). LRU ordering allows an optimized search for timed-out flows (starting from the tail of the queue and stopping when a not-yet-timed-out flow is found).
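The slides on the flow definition, the monitor's five steps, the Meter / Flow Cache / Collector split and the LRU-ordered Flow Cache describe one pipeline; the following is an added Python model of it, written for this page and not taken from DiFMon (whose code is C). Assumptions: the flow id is the 5-tuple, packets are plain dicts with a timestamp and length and arrive in timestamp order, the timeout is in seconds, and the slides' mmh hash is replaced by a keyed BLAKE2 from the standard library so that an outside sender cannot pick which cache its flows land in. The sample packets are constructed.

```python
from collections import OrderedDict
from dataclasses import dataclass
import hashlib

# Flow definition used here: the IP 5-tuple (option 2 on the slide).
FLOW_FIELDS = ("src", "dst", "sport", "dport", "proto")
HASH_KEY = b"per-deployment secret"   # assumed; keyed so flows cannot be steered


def flow_id(pkt):
    """Step 2 of the monitor: derive the flow id from the packet headers."""
    return tuple(pkt[f] for f in FLOW_FIELDS)


def cache_index(fid, n_caches):
    """Packet multiplexing: a hash of the flow id picks the Flow Cache.
    Same flow id -> same cache, so each record lives in exactly one cache."""
    digest = hashlib.blake2b(repr(fid).encode(), key=HASH_KEY, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_caches


@dataclass
class FlowRecord:
    """Metrics kept per living flow (the slides' API would let you add more)."""
    fid: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0


class FlowCache:
    """Flow records in LRU order.  OrderedDict keeps the most recently used
    record at its end, so the oldest records (first to time out) are in front.
    Assumes packets are fed in timestamp order, otherwise LRU order and
    last_seen order would diverge."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.records = OrderedDict()

    def update(self, pkt):
        """Step 3: look up (or create) the flow record and refresh its metrics."""
        fid = flow_id(pkt)
        rec = self.records.get(fid)
        if rec is None:
            rec = FlowRecord(fid, pkt["ts"], pkt["ts"])
            self.records[fid] = rec
        else:
            rec.last_seen = pkt["ts"]
            self.records.move_to_end(fid)      # now the most recently used
        rec.packets += 1
        rec.bytes += pkt["len"]
        return rec

    def expire(self, now):
        """Step 5: export timed-out flows.  Thanks to the LRU order the scan
        starts at the oldest record and stops at the first one still alive,
        instead of touching every record in the cache."""
        exported = []
        while self.records:
            oldest = next(iter(self.records.values()))
            if now - oldest.last_seen < self.timeout:
                break
            exported.append(self.records.popitem(last=False)[1])
        return exported


class Meter:
    """Step 1: packets (here taken from a list instead of libpcap) are
    multiplexed over the Flow Caches by the hash of their flow id."""

    def __init__(self, caches):
        self.caches = caches

    def packet(self, pkt):
        cache = self.caches[cache_index(flow_id(pkt), len(self.caches))]
        return cache.update(pkt)


# Constructed sample traffic: one TCP flow in each direction plus a DNS query.
PACKETS = [
    {"ts": 0.0,  "src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000, "dport": 80,    "proto": 6,  "len": 60},
    {"ts": 0.5,  "src": "10.0.0.2", "dst": "10.0.0.1", "sport": 80,    "dport": 40000, "proto": 6,  "len": 1500},
    {"ts": 1.0,  "src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000, "dport": 80,    "proto": 6,  "len": 60},
    {"ts": 2.0,  "src": "10.0.0.3", "dst": "10.0.0.9", "sport": 53000, "dport": 53,    "proto": 17, "len": 70},
    {"ts": 25.0, "src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000, "dport": 80,    "proto": 6,  "len": 60},
]


def run_demo(packets=PACKETS, n_caches=2, timeout=10.0, now=30.0):
    """Feed the packets through the Meter, then let each cache export its
    timed-out flows to the Collector.  Returns (exported, still living)."""
    caches = [FlowCache(timeout) for _ in range(n_caches)]
    meter = Meter(caches)
    for pkt in packets:
        meter.packet(pkt)
    collector = []                     # the Collector keeps timed-out records
    for cache in caches:
        collector.extend(cache.expire(now))
    living = [rec for cache in caches for rec in cache.records.values()]
    return collector, living


if __name__ == "__main__":
    exported, living = run_demo()
    for rec in exported:
        print("timed out:", rec)
    for rec in living:
        print("living:   ", rec)
```

Note that each direction of the TCP connection is a separate flow under the 5-tuple definition; an application that wants both directions in one record has to choose a direction-insensitive key instead, which is exactly the "flow definition follows the application" point made on the slide.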

Some details:
- Communication between the modules uses UDP
- Flow control between modules is provided
- Programming language: C
- Operating system: Linux
- Library used: libpcap
- Software license: GPL
- Project location: SourceForge.net

The management protocol: the system must be reliable, robust and flexible. Some assumptions (for the Meter, Flow Cache and Collector modules):
- The system's internal network must be sufficiently faster than the monitored network
- Modules can run on the same or on different machines
- The Meter must complete packet capturing within the packet interarrival time
- The Collector and the Meter use defined port numbers for signalling messages

Start and stop of the system (message sequence diagram between Meter, Flow Cache and Collector; the Meter and the Collector listen on defined port numbers, the Flow Cache on a dynamically chosen port number).
Starting: CONN Req / ACK exchanges, messages 1 to 6 (each CONN Req is answered by an ACK).
Stopping: END Req / ACK exchanges, messages 1 to 6, with an Export of the flow records (message 3) before the remaining END Req / ACK messages.

Steady-state protocol (Meter and Collector on defined port numbers, Flow Cache on a dynamically chosen one):
- Meter to Flow Cache: 1 – Captured Data, 2 – ACK
- Flow Cache to Collector: 1 – Exporting Data, 2 – ACK

Aborting: three diagrams, one for each module that may abort (Flow Cache, Meter, Collector). The aborting module sends ABORT (message 1) to the modules it is connected to, which forward ABORT (message 2, and message 3 in the Flow Cache case, where a second Flow Cache is reached through the Meter and the Collector) to the remaining modules, so that every module stops.

Adding/removing a Flow Cache (Meter and Collector on defined port numbers, Flow Cache on a dynamically chosen one):
- Adding: the same CONN Req / ACK exchanges as at start-up (messages 1 to 6)
- Removing: a DISCONN Req / ACK exchange with the Meter and one with the Collector (1 – DISCONN Req, 2 – ACK)

Crashes: a crashed module is detected with a keepalive exchange, 1 – ALIVE Req, 2 – ACK (shown between Meter and Flow Cache and between Collector and Flow Cache). Cases covered: Meter's crash, Collector's crash, Flow Cache's crash.
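The management protocol slides (UDP signalling with flow control, CONN / DISCONN / END requests each answered by an ACK, ALIVE Req keepalives and ABORT propagation) are shown only as diagrams. The following is an added Python simulation of that behaviour, written for this page and not DiFMon's code. Assumptions: "flow control" is realised as stop-and-wait with retransmission and per-sender sequence numbers, a peer that leaves MAX_RETRIES keepalives unanswered is declared crashed, the Flow Cache initiates the CONN Req exchanges, and ABORT is acknowledged like any other request. The lossy channel is a constructed stand-in for UDP so that the example runs offline with a fixed loss pattern. Nothing on the slides says that signalling datagrams are authenticated, so a deployment would want the signalling ports reachable only from the internal network; the simulation does not model that.

```python
MAX_RETRIES = 3   # assumed: attempts before a peer is given up


class Network:
    """Stand-in for UDP between the modules.  `drops` is a constructed list
    saying, datagram by datagram, whether it is lost; once it is used up
    nothing is lost.  Delivery is synchronous so the example runs offline."""

    def __init__(self, drops=()):
        self.drops = iter(drops)
        self.modules = {}
        self.dropped = 0

    def add(self, module):
        self.modules[module.name] = module

    def _lost(self):
        if next(self.drops, False):
            self.dropped += 1
            return True
        return False

    def deliver(self, src, dst, msg):
        """Send one datagram; return the reply datagram (an ACK) or None."""
        if self._lost():
            return None
        peer = self.modules.get(dst)
        if peer is None or peer.crashed:      # nothing listens on that port
            return None
        reply = peer.handle(src, msg)
        if reply is None or self._lost():     # the ACK can be lost as well
            return None
        return reply


class Module:
    """Meter, Flow Cache or Collector: the signalling logic is the same."""

    def __init__(self, name, net):
        self.name, self.net = name, net
        net.add(self)
        self.peers = set()
        self.crashed = False    # process is gone and never answers
        self.stopped = False    # has issued or received ABORT
        self.seq = 0            # sequence number of our own requests
        self.seen = {}          # peer -> highest seq accepted from it
        self.duplicates = 0

    def request(self, dst, kind):
        """Stop-and-wait flow control: resend until ACKed.  Returns the number
        of attempts needed, or None if the peer never answered."""
        self.seq += 1
        msg = {"type": kind, "seq": self.seq}
        for attempt in range(1, MAX_RETRIES + 1):
            reply = self.net.deliver(self.name, dst, msg)
            if reply and reply["type"] == "ACK" and reply["seq"] == self.seq:
                return attempt
        return None

    def handle(self, src, msg):
        """Apply a request and return its ACK.  A retransmitted duplicate is
        ACKed again but not re-applied, so retransmission stays safe."""
        kind, seq = msg["type"], msg["seq"]
        ack = {"type": "ACK", "seq": seq}
        if seq <= self.seen.get(src, 0):
            self.duplicates += 1
            return ack
        self.seen[src] = seq
        if kind == "CONN Req":
            self.peers.add(src)
        elif kind in ("DISCONN Req", "END Req"):
            self.peers.discard(src)
        elif kind == "ABORT":
            self.abort(origin=src)
        return ack

    def abort(self, origin=None):
        """Stop, then forward ABORT to every peer it did not come from."""
        if self.stopped:
            return
        self.stopped = True
        for peer in sorted(self.peers - {origin}):
            self.request(peer, "ABORT")

    def check_peers(self):
        """ALIVE Req keepalive: peers that never ACK are declared crashed."""
        dead = [p for p in sorted(self.peers) if self.request(p, "ALIVE Req") is None]
        self.peers -= set(dead)
        return dead


def run_demo():
    """Start-up, steady state, a Collector crash and an ABORT, on a channel
    that loses the very first CONN Req and then the ACK to its retransmission."""
    net = Network(drops=[True, False, True])
    meter, coll = Module("meter", net), Module("collector", net)
    fc1, fc2 = Module("flowcache1", net), Module("flowcache2", net)
    result = {"connect_attempts": []}
    for fc in (fc1, fc2):                         # start: CONN Req / ACK
        for peer in ("meter", "collector"):
            result["connect_attempts"].append(fc.request(peer, "CONN Req"))
            fc.peers.add(peer)
    result["captured"] = meter.request("flowcache1", "Captured Data")
    result["exported"] = fc1.request("collector", "Exporting Data")
    coll.crashed = True                           # Collector's crash
    result["dead"] = fc1.check_peers()            # keepalive notices it
    fc1.abort()                                   # ABORT reaches fc2 via meter
    result["stopped"] = sorted(m.name for m in (meter, fc1, fc2) if m.stopped)
    result["duplicates"] = meter.duplicates
    result["dropped"] = net.dropped
    return result


if __name__ == "__main__":
    print(run_demo())
```

The duplicate counter is the point to watch: once a request can be retransmitted, the receiver needs the sequence number to avoid applying the same CONN Req or END Req twice, which is why the ACK alone is not enough for a reliable exchange over UDP.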

Conclusions / future work: The proposed architecture and protocol scale with the number of flow caches and monitored networks. The system is suitable for different contexts, such as security, traffic profiling or billing, where specific metrics are of interest. Benchmarking and robustness evaluation will be conducted. The LRU sorting algorithm will be compared with other ordering algorithms. We are currently working on the implementation of an intrusion detection system and of a tool for traffic profiling based on the proposed monitoring architecture.