Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Presentation transcript:

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University of Technology Göteborg, Sweden

Licentiate Seminar Wolfgang John
Why measure Internet traffic? (1)
The Internet is changing in size
[Figures: ARPANET, 1969; Internet, 1983; Internet, 2005]

Why measure Internet traffic? (2)
The Internet is changing in application

Why measure Internet traffic? (3)
INTERconnected NETworks
The Internet
– is constantly developing
– is used differently in different locations
– is heterogeneous
The Internet is not understood in its entirety!

Why measure Internet traffic? (4)
Operational purpose
– Troubleshooting, provisioning, planning …
Scientific purpose
– Protocols, infrastructure and services
– Performance properties
– Internet simulation models
– Security measures

Thesis Objectives
1. Guidelines for Internet measurement
2. Current traffic characteristics
3. Traffic decomposition
4. Inconsistent behavior

Outline
Measurement approaches
Internet measurement challenges
The MonNet project
Scientific contribution
Results
– Four studies included
Conclusions
[Slide labels: Measurement, Analysis]

Measurement approaches
[Diagram: Network traffic measurement; Active / Passive; Software / Hardware; Online / Offline; Flows / Packets; Complete / Headers; Different protocol levels; Statistical summaries; Transport layer]

Internet measurement challenges (1)
Legal considerations
Ethical and moral considerations
Operational considerations
Technical considerations

Measurement challenges (3)
Technical considerations
Data amount
– Exhausting I/O and storage access speeds
Data reduction techniques
– Filtering, sampling, packet truncation
Timing
– Clock synchronization

The MonNet Project (1)
Technical Solution
[Diagram labels: 10 Gbps; Göteborg; splitter; Borås; 10 Gbps; Processing Platform and Storage; Measurement Node 2; Measurement Node 1]

The MonNet Project (2)
[Diagram labels: Internet; Regional ISPs; Göteborg; Stockholm; Other smaller Univ. and Institutes; Göteborgs Univ.; Student-Net; Chalmers Univ.; Measurement location; Borås]
April traces (20 minutes)
– 11 billion packets, 7.6 TB of data
Sept. – Nov traces (10 minutes)
– 28 billion packets, 19.5 TB of data

Scientific Contribution
[Diagram labels: Level of complexity; Quantification of inconsistent behavior; Traffic characterization; Packet level; Flow level; Traffic classes; Study I; Study II; Study IV; Study III; Upcoming]

Study I: Packet Level Analysis
Updated packet-level characteristics of Internet traffic
Inconsistencies in headers will appear
– Network attacks and malicious traffic
– Active OS fingerprinting
– Buggy applications or protocol stacks

Study II: Flow level analysis
High level analysis does not necessarily show differences → detailed analysis does!
2 main reasons for directional differences:
– Malicious traffic: the Internet is “unfriendly”
– P2P: Göteborg is a P2P source
P2P is changing traffic characteristics, e.g. packet sizes, TCP termination, TCP option usage

Study III: Classification Method (1)
Classification of flow traffic without payload
Heuristics to identify nature of endpoints
Rules based on connection patterns and port numbers
– 5 rules for P2P traffic
– 10 rules to classify other types of traffic; remove ‘false positives’ from P2P

Study III: Classification Method (2)
[Figure: Comparison of classification methods for P2P traffic; axes: # connections in 10^6, amount of data in TB]

Study III: Classification Method (3)
Previous classification methods on packet header traces don’t work well on backbone data
Proposal of refined and updated heuristics
– Simple and fast method to decompose traffic
– No payload required
– Effectively used even on short traces (10 min)
0.2% of the data left unclassified
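A sketch of payload-free classification by connection patterns and port numbers, as the Study III slides describe; this is an added example, not code or rules from the thesis. The three rules, the port table, `min_peers` and the sample flows are assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumed port table for the non-P2P rules; not taken from the slides.
KNOWN_PORTS = {25: "mail", 53: "dns", 80: "web", 443: "web"}

def classify(flows, min_peers=3):
    """Label header-only flow records (src, sport, dst, dport, proto).

    Illustrative rules, applied per flow in this order:
      1. either port is in KNOWN_PORTS            -> that service
      2. the IP pair talks over both TCP and UDP  -> p2p
      3. dst endpoint has >= min_peers hosts, #hosts == #src ports -> p2p
    Rule 1 runs first so DNS over TCP and UDP is not mistaken for P2P.
    """
    protos = defaultdict(set)   # unordered IP pair -> protocols seen
    peers = defaultdict(set)    # (dst, dport) -> {(src, sport), ...}
    for src, sport, dst, dport, proto in flows:
        protos[frozenset((src, dst))].add(proto)
        peers[(dst, dport)].add((src, sport))

    labels = []
    for src, sport, dst, dport, proto in flows:
        contacts = peers[(dst, dport)]
        n_ips = len({ip for ip, _ in contacts})
        n_ports = len({port for _, port in contacts})
        service = KNOWN_PORTS.get(dport) or KNOWN_PORTS.get(sport)
        if service:
            labels.append(service)
        elif protos[frozenset((src, dst))] >= {"tcp", "udp"}:
            labels.append("p2p")
        elif n_ips >= min_peers and n_ips == n_ports:
            labels.append("p2p")
        else:
            labels.append("unclassified")
    return labels

# Constructed sample flows (documentation address ranges), not MonNet data.
SAMPLE_FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.5", 80, "tcp"),
    ("192.0.2.10", 40002, "198.51.100.5", 80, "tcp"),
    ("192.0.2.20", 50000, "203.0.113.7", 23456, "tcp"),
    ("192.0.2.20", 50000, "203.0.113.7", 23456, "udp"),
    ("192.0.2.30", 53124, "198.51.100.9", 53, "udp"),
    ("192.0.2.30", 53125, "198.51.100.9", 53, "tcp"),
    ("192.0.2.41", 41000, "203.0.113.50", 34567, "tcp"),
    ("192.0.2.42", 42000, "203.0.113.50", 34567, "tcp"),
    ("192.0.2.43", 43000, "203.0.113.50", 34567, "tcp"),
    ("192.0.2.60", 44000, "203.0.113.99", 9000, "tcp"),
]
```

Calling `classify(SAMPLE_FLOWS)` labels the two port-80 flows as web, the DNS pair as dns despite its mixed TCP/UDP use, the mixed-protocol pair and the three-peer endpoint as p2p, and the last flow as unclassified.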

Study IV: Classification Results (1)
Tuesday,

Study IV: Classification Results (2)
Application breakdown April till Nov. 2006

Study IV: Classification Results (3)
Connection establishment for traffic classes

Study IV: Classification Results (4)
Behavior of P2P traffic
– Unsuccessful TCP connection attempts increasing
– Serving peers terminate with FIN and RST
  Decreased from 20% to 8%
– UDP overlay traffic doubled
TCP options deployment differs
– P2P behaves as expected
– Web traffic shows artifacts of client-server pattern, e.g. popular web-servers neglecting SACK option

Summary
1. Guidelines for Internet measurement
– Experiences of the MonNet project
2. Current traffic characteristics
– Packet and flow level
3. Traffic decomposition
– Traffic classification method
4. Inconsistent behavior
– Packet header anomalies
– Malicious traffic flows

General remarks
Internet today is essential, but still not understood entirely
Large-scale traffic measurements uncommon
– A lot of analysis is done on outdated datasets
Each study generated as many questions as answers
Reconsider measurement process (duration, payload…)
A lot of open questions …
… get more answers in two years …