DiFMon Distributed Flow Monitor Dario Salvi Consorzio Interuniversitario Nazionale per l’Informatica (CINI) Naples, Italy.

o Possible uses: traffic profiling, intrusion detection
o Context: Internet flow monitoring
o Contribution: development of distributed software for flow monitoring

Flows are defined by means of properties applicable to packet headers, for example:
1. IP addresses (source and destination)
2. The 5-tuple (source address, destination address, source port, destination port, and protocol)
...and by means of a timeout: a flow is considered terminated when no packet matching it has been seen for the timeout interval.
The choice of the flow definition depends on the needs of the application which uses the monitoring data.

A Flow Monitor should:
1. Capture packets from the network
2. Associate a flow id to each packet on the basis of the chosen definition of flow
3. As a packet arrives, update the metrics of the flow which the packet belongs to
4. Keep in memory the metrics related to the "living" flows (not timed out) in data structures (flow records)
5. Save the computed metrics related to each timed out flow in order to make them available to the applications

Proposed architecture: Meter -> Flow Cache -> Collector -> Application

Meter:
1. Captures packets
2. Associates a flow id to each packet

Flow Cache:
1. Calculates the metrics at each packet arrival
2. Keeps in memory the metrics about each living flow
3. "Exports" timed out flows to the Collector
4. Exports some "interesting" living flows

Collector:
1. Keeps in memory the metrics related to timed out flows
2. Informs the application about some "interesting" living flows

The Flow Cache: it is the critical module, since it must look up and update a flow record at every packet arrival (for this reason it is the module that is distributed).
Packet multiplexing among the Flow Caches is done by means of a hash function (mmh) computed on the flow id, so that all packets of a flow reach the same Flow Cache.
Metrics can be implemented in a flexible way through an API.
Ordering of flow records relies on the Least Recently Used algorithm (on the basis of the last access time).
The flow record of a just-arrived packet will be positioned within the first elements of the queue with high probability (temporal locality, i.e. heavy-tailed distributions of the packet rates).
LRU ordering allows an optimized search for timed out flows: start from the tail of the queue and stop as soon as a flow that has not timed out is found.
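The flow definition, the Meter/Flow Cache split and the LRU-ordered cache described on the preceding slides, put together as an added example. This is illustration code written for this page in Python, not DiFMon's own C/libpcap implementation: the Packet fields, the metrics kept (packet and byte counts), the 30 s timeout and the use of a truncated SHA-256 in place of DiFMon's mmh hash are assumptions, and the sample packets are constructed, not captured.

```python
# Added example (not DiFMon's own code): a flow cache with hash-based multiplexing,
# LRU-ordered flow records and tail-first timeout expiry, as described on the slides.
# Packet fields, metrics, the timeout value and SHA-256 standing in for mmh are assumptions.
import hashlib
from collections import OrderedDict
from dataclasses import dataclass

FLOW_TIMEOUT = 30.0  # seconds of inactivity after which a flow is timed out (assumed value)

@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number, e.g. 6 = TCP, 17 = UDP
    length: int     # bytes on the wire

def flow_id(pkt):
    """Flow definition: the 5-tuple from the slides."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)

def select_cache(fid, n_caches):
    """Packet multiplexing: hash the flow id so that every packet of a flow goes
    to the same Flow Cache (a truncated SHA-256 stands in for mmh here)."""
    digest = hashlib.sha256(repr(fid).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_caches

@dataclass
class FlowRecord:
    first_seen: float
    last_access: float
    packets: int = 0
    bytes: int = 0

class FlowCache:
    """Flow records in LRU order: head = most recently accessed, tail = least."""
    def __init__(self, timeout=FLOW_TIMEOUT):
        self.timeout = timeout
        self.records = OrderedDict()
        self.exported = []  # (flow id, record) pairs handed to the Collector

    def update(self, pkt):
        fid = flow_id(pkt)
        rec = self.records.get(fid)
        if rec is None:
            rec = FlowRecord(first_seen=pkt.ts, last_access=pkt.ts)
            self.records[fid] = rec
        rec.packets += 1
        rec.bytes += pkt.length
        rec.last_access = pkt.ts
        self.records.move_to_end(fid, last=False)  # just-accessed record goes to the head
        return rec

    def expire(self, now):
        """Scan from the LRU tail and stop at the first record still alive:
        everything ahead of it was accessed at least as recently."""
        expired = []
        while self.records:
            fid = next(reversed(self.records))
            rec = self.records[fid]
            if now - rec.last_access < self.timeout:
                break
            self.records.popitem(last=True)
            expired.append((fid, rec))
        self.exported.extend(expired)
        return expired

class DistributedMonitor:
    """Meter side: compute the flow id and multiplex the packet to one of N caches."""
    def __init__(self, n_caches, timeout=FLOW_TIMEOUT):
        self.caches = [FlowCache(timeout) for _ in range(n_caches)]

    def on_packet(self, pkt):
        idx = select_cache(flow_id(pkt), len(self.caches))
        return idx, self.caches[idx].update(pkt)

    def expire(self, now):
        return [e for c in self.caches for e in c.expire(now)]

    def living(self):
        return sum(len(c.records) for c in self.caches)

# Constructed sample traffic (not a real capture): one TCP flow with three packets,
# a second TCP flow with one packet, and a DNS query much later.
SAMPLE = [
    Packet(0.0, "10.0.0.1", "10.0.0.2", 40000, 80, 6, 100),
    Packet(1.0, "10.0.0.1", "10.0.0.2", 40000, 80, 6, 200),
    Packet(2.0, "10.0.0.1", "10.0.0.2", 40000, 80, 6, 300),
    Packet(5.0, "10.0.0.3", "10.0.0.2", 40001, 443, 6, 60),
    Packet(50.0, "10.0.0.1", "8.8.8.8", 5353, 53, 17, 80),
]

def run_demo(n_caches=4):
    mon = DistributedMonitor(n_caches)
    for pkt in SAMPLE:
        mon.on_packet(pkt)
    expired = mon.expire(now=50.0)  # both TCP flows idle > 30 s; the DNS flow is alive
    return {"expired": len(expired), "living": mon.living(),
            "expired_bytes": sum(rec.bytes for _, rec in expired)}
```

The tail-first scan is what makes the timeout search cheap: because every update moves the touched record to the head, records at the tail are exactly the ones that have been idle longest, and the first live record met from the tail bounds the search regardless of how many living flows the cache holds.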

Some implementation details:
o Communication between the modules is done using UDP
o A flow control between modules is provided
o Programming language: C
o Operating system: Linux
o Used libraries: libpcap
o Software license: GPL
o Project location: SourceForge.net

The management protocol: the system must be reliable, robust and flexible. Some assumptions:
o The network connecting the system modules must be faster than the monitored network
o Modules can run on the same or on different machines
o The Meter must perform packet capturing within the packet interarrival time
o The Collector and the Meter use defined port numbers for signalling messages

Start and stop of the system (message sequence among Meter, Flow Cache and Collector):
o Starting: CONN Req / ACK exchanges (messages 1-6: 1 CONN Req, 2 ACK, 3 CONN Req, 4 ACK, 5 ACK, 6 ACK)
o Stopping: END Req / ACK exchanges (messages 1-6: 1 END Req, 2 END Req, 3 Export, 4 END Req, 5 ACK, 6 ACK), with an Export of the flow records before the final ACKs
o The Meter and the Collector are reached on defined port numbers, the Flow Cache on a dynamically chosen port number

Steady state operation:
o Meter -> Flow Cache: 1 Captured Data, 2 ACK
o Flow Cache -> Collector: 1 Exporting Data, 2 ACK
o The Meter and the Collector are reached on defined port numbers, the Flow Cache on a dynamically chosen port number

Aborting: whichever module originates it, an ABORT is propagated to all the other modules.
o Aborting from a Flow Cache: 1 ABORT, 2 ABORT, 3 ABORT (Meter, Collector and the other Flow Caches)
o Aborting from the Meter: 1 ABORT, 2 ABORT
o Aborting from the Collector: 1 ABORT, 2 ABORT

Adding/removing a Flow Cache:
o Adding: the same CONN Req / ACK sequence used at start-up (1 CONN Req, 2 ACK, 3 CONN Req, 4 ACK, 5 ACK, 6 ACK)
o Removing: DISCONN Req / ACK exchanges (1 DISCONN Req, 2 ACK, toward both the Meter and the Collector)
o The Meter and the Collector are reached on defined port numbers, the Flow Cache on a dynamically chosen port number

Crashes: detected with ALIVE Req / ACK exchanges (1 ALIVE Req, 2 ACK) between the Meter and the Flow Cache and between the Collector and the Flow Cache. Cases handled: Meter's crash, Collector's crash, Flow Cache's crash.
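The request/ACK exchanges of the previous slides (steady-state Captured Data with flow control over UDP, and ALIVE Req used to notice a crashed peer), as an added example that is not DiFMon's code. It is written in Python for illustration, while the project itself is in C; the 5-byte header (type byte plus 32-bit sequence number), the retry limit of three and the in-memory LossyLink standing in for a pair of UDP sockets are assumptions for this example, and the exchanges are constructed, not captured from a running system.

```python
# Added example (not DiFMon's own code): stop-and-wait exchange of the signalling
# messages named on the slides over an in-memory stand-in for the UDP sockets.
# Wire format, retry count and the way a crash is detected are assumptions.
import struct
from collections import deque

CONN_REQ, DISCONN_REQ, END_REQ, EXPORT, ABORT, ALIVE_REQ, DATA, ACK = range(8)
HEADER = struct.Struct("!BI")  # message type, 32-bit sequence number (assumed encoding)

def encode(mtype, seq, payload=b""):
    return HEADER.pack(mtype, seq) + payload

def decode(datagram):
    """Reject truncated datagrams instead of reading past the header."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram: %d bytes" % len(datagram))
    mtype, seq = HEADER.unpack_from(datagram)
    return mtype, seq, datagram[HEADER.size:]

class LossyLink:
    """One direction of a UDP path: datagrams may be dropped, never corrupted."""
    def __init__(self, drops=None):
        self.drops = dict(drops or {})  # seq -> how many times to lose it
        self.queue = deque()

    def send(self, datagram):
        seq = decode(datagram)[1]
        if self.drops.get(seq, 0) > 0:
            self.drops[seq] -= 1  # simulated loss
            return
        self.queue.append(datagram)

    def recv(self):
        """Non-blocking receive; None plays the role of a receive timeout."""
        return self.queue.popleft() if self.queue else None

class Peer:
    """A module that ACKs every request it receives while it is up; a crashed
    module answers nothing, which is how an unanswered ALIVE Req reveals it."""
    def __init__(self, name, alive=True):
        self.name = name
        self.alive = alive
        self.received = []

    def handle(self, datagram, reply_link):
        if not self.alive:
            return
        mtype, seq, payload = decode(datagram)
        self.received.append((mtype, seq, payload))
        reply_link.send(encode(ACK, seq))

def send_with_ack(to_peer, back, peer, mtype, seq, payload=b"", max_tries=3):
    """Flow control between modules: resend the request until the ACK carrying
    the same sequence number comes back. Returns the number of transmissions
    used, or None when the peer never answered within max_tries."""
    for attempt in range(1, max_tries + 1):
        to_peer.send(encode(mtype, seq, payload))
        dg = to_peer.recv()
        if dg is not None:
            peer.handle(dg, back)
        reply = back.recv()
        if reply is not None:
            rtype, rseq, _ = decode(reply)
            if rtype == ACK and rseq == seq:
                return attempt
    return None

def run_scenarios():
    """Three constructed exchanges between a Meter and a Flow Cache."""
    results = {}
    # 1. Starting: CONN Req answered by an ACK on the first try.
    fc = Peer("flow cache")
    results["conn_tries"] = send_with_ack(LossyLink(), LossyLink(), fc, CONN_REQ, 1)
    # 2. Steady state: the first copy of a Captured Data message is lost; the
    #    retransmission gets through and is ACKed.
    results["data_tries"] = send_with_ack(LossyLink(drops={2: 1}), LossyLink(), fc,
                                          DATA, 2, b"\x45\x00\x00\x28")
    # 3. Crash: the Flow Cache is down, ALIVE Req is never ACKed, so the Meter
    #    gives up and would propagate an ABORT to the other modules.
    dead = Peer("flow cache", alive=False)
    alive = send_with_ack(LossyLink(), LossyLink(), dead, ALIVE_REQ, 3)
    results["alive_tries"] = alive
    results["action"] = ABORT if alive is None else None
    results["fc_received"] = [m for m, _, _ in fc.received]
    return results
```

Matching the ACK on the sequence number, rather than accepting any ACK, is what keeps a late ACK for a retransmitted datagram from being mistaken for the acknowledgement of the next message; the length check in decode() is the kind of input validation a real UDP listener on a defined port needs, since anything on the monitoring network can send it datagrams.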

Conclusions / future work:
o The proposed protocol is scalable with respect to the increase in the number of Flow Caches and of monitored networks.
o The system is suitable for different contexts, such as security, traffic profiling or billing, where specific metrics are of interest.
o Benchmarking and robustness evaluation will be conducted.
o The LRU sorting algorithm will be compared with other ordering algorithms.
o We are currently working on the implementation of an intrusion detection system and of a tool for traffic profiling based on the proposed monitoring architecture.