Trends in Internet Measurement Paul Barford Assistant Professor Computer Science University of Wisconsin Fall, 2004.

wail.cs.wisc.edu

Motivation
The Internet is gigantic, complex, and constantly evolving
  – Began as something quite simple
Infrequent use of “scientific method” in network research
  – Historical artifact
  – Lack of inherent measurement capability
  – Decentralization and privacy concerns
Recognition of importance of empirically-based research
  – Critical trend over past five years (Internet Measurement Conf.)
Good research hypothesis + good data + good analysis = good research results
  – Focus of this talk: “good data” - where we’ve been and where we’re going

In the beginning…
Measurement was part of the original Arpanet in ’70
  – Kleinrock’s Network Measurement Center at UCLA
  – Resources in the network were reserved for measurement
Formation of Network Measurement Group in ’72
  – RFC 323 – who is involved and what is important
First network measurement publication in ’74
  – “On Measured Behavior of the ARPA Network,” Kleinrock and Taylor
No significant difference between operations and research
  – Size kept things tractable

From ARPAnet to Internet
In the 80’s, measurement-based publications increased
  – “The Experimental Literature of the Internet: An Annotated Bibliography”, J. Mogul, ’88.
RFC 1262 – Guidelines for Internet Measurement Activities, 1991
  – V. Cerf, “Measurement of the Internet is critical for future development, evolution and deployment planning.”
What happened?
“On the Self-Similar Nature of Ethernet Traffic”, Leland et al., ’94.
  – Novel measurement combined with thorough analysis
  – A transition point between operational and research measurement (?)

Gold in the streets in the 90’s
Lots of juicy problems garnered much attention in 90’s
  – Transport, ATM, QoS, Multicast, Lookup scalability, etc.
The rise of simulation (aaagggghhhhh!!!!)
Measurement activity didn’t die…
  – Research focus on Internet behavior and structure
      Self-similarity established as an invariant in series of studies
      Paxson’s NPD study from ’93 to ’97
      Routing (BGP) studies by Labovitz et al.
      Structural properties (the Internet as a graph) by Govindan et al.
  – Organizations focused on measurement
      National Laboratory for Applied Network Research (’95)
      Cooperative Association for Internet Data Analysis (’97)

Measurement must be hard…
Well, not really… lots of folks are measuring the Internet
  – See CAIDA or SLAC pages
  – Businesses get paid to measure the Internet
Lots of tools are available for Internet measurement
  – See CAIDA and SLAC pages
  – Dedicated hardware
  – Public infrastructures

So, what’s the problem?
“Strategies for Sound Internet Measurement,” Paxson ’04.
  – Lack consistent methods for measurement-based experiments
  – Problems faced in other sciences years ago
Issues of scale in every direction
  – What is representative?
  – HUGE, HIGH-DIMENSION data sets make things break
Disconnect between measurements for operations and measurements for research
  – Operational interests: SLA’s, billing, privacy, …
  – Research interests: network-wide properties

Current measurement trends
1. Open end host network measurement infrastructures
   – Available for a variety of uses
2. Large public data repositories
   – Domain specific
   – Suitable for longitudinal studies
3. Network telescope monitors
   – Malicious traffic
4. Laboratory-based testbeds
   – Bench environments
5. Standard anonymization methods
   – Address privacy concerns

End host infrastructures
Paxson’s NPD study; an end-host prototype
  – Accounts on 35 systems distributed throughout the Internet
  – Active, end-to-end measurement focus
National Internet Measurement Infrastructure (NIMI) and others evolved from NPD
  – Perhaps a bit too ambitious at the time
Today’s end host infrastructure “success story”: PlanetLab

PlanetLab overview
Collaboration between Intel, Princeton, Berkeley, Washington, others starting in early ’02
Began as a distributed, virtualized system project
  – Peer-to-peer overlay systems were getting hot
  – Applications BOF at SIGCOMM ’02 had only 6/80 people
Systems were donated to an initial set of sites in ’02
  – Most major universities and Abilene POPs
Available to members who host systems
Developers have done a fine job creating a management environment
  – Isolates individual experiments from each other

PlanetLab sites
449 nodes at 209 sites: source

End host infrastructures & SP
End host infrastructures are primarily for active measurement
  – Generate probes and measure responses
Problem domains
  – Network structure via tomography
  – Network distance estimation
  – End-to-end resource estimation
  – End-to-end packet dynamics

Large public data repositories
First data repository - Internet Traffic Archive (LBL)
  – Hodgepodge of traces from various projects
Current projects are more focused
  – Passive Measurement and Analysis Project
      Packet traces from high performance monitors
  – Abilene Observatory
      Flow traces from the Internet2 backbone routers
  – Route views/RIPE
      BGP routing updates from ~150 networks
  – Datasets for network security
      DHS project focused on making attack and intrusion data available for research

Data repositories & SP
Most of the data in aforementioned repositories was gathered via passive means
  – Counters/logs on devices
  – Installed instrumentation
  – Configuration to measure specific traffic (BGP)
Problem domains
  – Anomaly detection
  – Traffic dynamics
  – Routing dynamics

Network telescopes
Simple observation 1: number of globally routed IP addresses <> number of live hosts
  – Network address translation
  – Networks (ranges of IP addresses) are routed
Simple observation 2: traffic to/from standard services should only arrive at live hosts
  – Misconfigurations and malicious traffic are the exceptions
Network telescope = traffic monitor on routed but otherwise unused IP addresses
  – This traffic is otherwise usually dropped at border router

So, what’s the point?
Bad guys don’t know which IP addresses in a network are live
  – Random and systematic scanning commonly used
  – Spoofed source addresses are used in DoS attacks
  – Misconfigurations are fairly rare
Ergo, network telescopes can provide important perspective on malicious traffic
  – Most importantly, a clean signal
Implementation is fairly simple
  – Honeypots of live systems or honeypot specific monitors
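
A passive telescope monitor of the kind described in the two slides above, as an added example that is not part of the original talk: it keeps only packets addressed to unused space and labels each source as a scanner, as backscatter from a spoofed-source DoS (unsolicited TCP replies), or as stray traffic. The prefix, the packet tuples, the reply-flag set and the threshold of 3 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: constructed telescope prefix (documentation range), routed but unused.
DARK_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample packets: (src, dst, proto, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.1", "tcp", 445, "S"),
    ("192.0.2.10", "198.51.100.2", "tcp", 445, "S"),
    ("192.0.2.10", "198.51.100.3", "tcp", 445, "S"),
    ("192.0.2.10", "198.51.100.4", "tcp", 445, "S"),
    ("192.0.2.77", "198.51.100.9", "tcp", 51234, "SA"),
    ("192.0.2.77", "198.51.100.200", "tcp", 40022, "SA"),
    ("192.0.2.33", "198.51.100.20", "udp", 123, ""),
    ("192.0.2.10", "203.0.113.200", "tcp", 80, "S"),     # live host, not telescope
    ("203.0.113.50", "203.0.113.200", "tcp", 443, "S"),  # live host, not telescope
]

REPLY_FLAGS = {"SA", "R", "RA"}  # replies that nothing in dark space asked for


def is_dark(addr):
    """True when the address falls inside a monitored unused prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DARK_PREFIXES)


def classify(packets, scan_threshold=3):
    """Label each source seen at the telescope: scanner, backscatter or stray."""
    probed = defaultdict(set)   # src -> distinct dark addresses it initiated to
    replies = defaultdict(int)  # src -> unsolicited TCP replies it sent
    for src, dst, proto, _dport, flags in packets:
        if not is_dark(dst):
            continue  # traffic to live hosts is outside the telescope's view
        if proto == "tcp" and flags in REPLY_FLAGS:
            replies[src] += 1
        else:
            probed[src].add(dst)
    labels = {}
    for src in sorted(set(probed) | set(replies)):
        if len(probed[src]) >= scan_threshold:
            labels[src] = "scanner"      # swept many unused addresses
        elif replies[src] and not probed[src]:
            labels[src] = "backscatter"  # victim answering spoofed sources
        else:
            labels[src] = "stray"        # candidate misconfiguration
    return labels


if __name__ == "__main__":
    for source, label in classify(SAMPLE_PACKETS).items():
        print(source, label)
```
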

What do we see?
“Characteristics of Internet Background Radiation,” Yegneswaran et al., ’04.
  – Active monitors (small, medium, large) at 3 sites
Traffic is dominated by activity on common services
  – Worms and probes targeting HTTP and NetBIOS
  – The focus of our study
Traffic is highly variable and diverse
  – Perspectives from 3 monitors are quite different
Traffic mutates rapidly
Much deeper analysis is necessary

Network telescopes & SP
An emerging, rich source of data
Network security is critically important
Problem domains
  – Outbreak and attack detection
  – Collaborative monitoring
  – Dynamic quarantine
  – (Misconfiguration analysis)

Laboratory-based testbeds
Most scientific disciplines commonly use bench environments to conduct research
  – Control
  – Instrumentation
  – Repeatability
Network research community has relied on analytic modeling, simulation and empirical measurement
Openly available bench environments for network research are emerging
  – EMULAB at Utah - collection of end hosts
  – Wisconsin Advanced Internet Lab - collection of routers and end hosts

Laboratory testbeds & SP
The effectiveness of bench research hinges on research hypothesis and experimental design
  – Aspects of scale (emergent behavior) are difficult to capture
Problem domains
  – Inference tool analysis
  – Protocol (implementation) analysis
  – Anomaly detection
  – Network system evaluation

Data anonymization
Lots of people measure, most are scared s*!#less about sharing data
  – This is a legal issue
  – No standards (sure payloads are off limits, but addresses?)
  – Don’t ask, don’t tell?
The community is developing tools for trace anonymization
  – “A High-Level Programming Environment for Packet Trace Anonymization and Transformation,” Pang et al., ’03.
  – Prefix preserving address anonymization
  – Payload hashing
Probably no direct SP application
  – But, implications vis-à-vis future data availability
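
Prefix-preserving address anonymization and payload hashing, sketched as an added example that is not code from the talk or from the cited tool: each output bit is the input bit XORed with one keyed pseudorandom bit derived from the preceding input bits, so two addresses that share a k-bit prefix still share exactly k bits afterwards. HMAC-SHA256 as the keyed function, the key and the sample addresses are assumptions made for this sketch.

```python
import hashlib
import hmac
import ipaddress


def prf_bit(key, prefix_bits):
    """One keyed pseudorandom bit that depends only on the bits seen so far."""
    digest = hmac.new(key, prefix_bits.encode(), hashlib.sha256).digest()
    return digest[0] & 1


def anonymize_ipv4(key, addr):
    """Map an IPv4 address to another one, preserving shared prefix lengths."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = []
    for i in range(32):
        # The flip for bit i is a function of input bits 0..i-1 only, so
        # addresses that agree on a prefix get identical flips along it.
        out.append(str(int(bits[i]) ^ prf_bit(key, bits[:i])))
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


def payload_digest(key, payload):
    """Keyed hash of a payload: equal payloads stay comparable, content is hidden."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key = b"constructed-demo-key"                 # constructed sample key
    trace = ["192.0.2.17", "192.0.2.200", "198.51.100.7"]  # constructed addresses
    for address in trace:
        print(address, "->", anonymize_ipv4(key, address))
```

Anyone holding the key can recompute the mapping, so the key needs the same protection as the raw trace.
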

Summary
Trends over past 30 years
  – Divergence of research and operations
  – Decline of importance of measurement in research
  – Empirical study of the Internet as an artifact
Current trends
  – Rise of measurement as a discipline
  – Open infrastructures and network testbeds
  – Large-scale domain specific data repositories
  – Novel measurement methods
Future trends
  – ??
  – Embedded measurement systems