AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego.

Slides:



Advertisements
Similar presentations
Bitmap algorithms for flow counting – Internet Measurement Conference, October 2003 Bitmap Algorithms for Counting Active Flows on High Speed Links Cristian.
Advertisements

Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
FlowScan at the University of Wisconsin-Madison Copyright Dave Plonka and Perry Brunelli, This work is the intellectual property of the authors.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Copyright © 2005 Department of Computer Science CPSC 641 Winter WAN Traffic Measurements There have been several studies of wide area network traffic.
Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.
The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Controlling High Bandwidth Aggregates in the Network.
11 Diagnosing and improving Wireless Networks Patrick Verkaik Mikhail Afanasyev Yuvraj Agarwal Yu-Chung Cheng Stefan Savage Alex C. Snoeren Geoffrey.
Copyright © 2005 Department of Computer Science CPSC 641 Winter Network Traffic Measurement A focus of networking research for 20+ years Collect.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
1 WAN Measurements Carey Williamson Department of Computer Science University of Calgary.
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.
Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage Presenter: Martin Krogel.
A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Summer, 2002.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
George Varghese (based on Cristi Estan’s work) University of California, San Diego May 2011 Internet traffic measurement: from packets to insight.
Attig 1 Automatically Inferring Patterns of Resource Consumption in Network Traffic In Proceedings of SIGCOMM 2003 Reviewed By Michael Attig
Copyright © 2002 OSI Software, Inc. All rights reserved. PI-NetFlow and PacketCapture Eric Tam, OSIsoft.
Lab How to Use WANem Last Update Copyright 2011 Kenneth M. Chipps Ph.D. 1.
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.
Step-by-Step Intrusion Detection using TCPdump SHADOW.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.
Honeypot and Intrusion Detection System
NetFlow: Digging Flows Out of the Traffic Evandro de Souza ESnet ESnet Site Coordinating Committee Meeting Columbus/OH – July/2004.
FlowScan at the University of Wisconsin Perry Brunelli, Network Services.
DISTRIBUTED tcpdump CAPABILITY FOR LINUX Research Paper EJAZ AHMED SYED Dr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson.
Learning Rules for Anomaly Detection of Hostile Network Traffic Matthew V. Mahoney and Philip K. Chan Florida Institute of Technology.
Linux Networking and Security
The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department.
Metadata Management of Terabyte Datasets from an IP Backbone Network: Experience and Challenges Sue B. Moon and Timothy Roscoe.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Measurement COS 597E: Software Defined Networking.
Online Identification of Hierarchical Heavy Hitters Yin Zhang Joint work with Sumeet SinghSubhabrata Sen Nick DuffieldCarsten Lund.
Mining Anomalies in Network-Wide Flow Data Anukool Lakhina with Mark Crovella and Christophe Diot NANOG35, Oct 23-25, 2005.
N. Hu (CMU)L. Li (Bell labs) Z. M. Mao. (U. Michigan) P. Steenkiste (CMU) J. Wang (AT&T) Infocom 2005 Presented By Mohammad Malli PhD student seminar Planete.
S305 – Network Infrastructure Chapter 5 Network and Transport Layers.
IP addresses IPv4 and IPv6. IP addresses (IP=Internet Protocol) Each computer connected to the Internet must have a unique IP address.
Keeping Your Computer Safe and Running Efficiently.
Cristian Estan, Garret Magin University of Wisconsin-Madison USENIX LISA, 17 December 2015 Interactive traffic analysis and visualization with Wisconsin.
PART3 Data collection methodology and NM paradigms 1.
1 Microsoft Windows 2000 Network Infrastructure Administration Chapter 4 Monitoring Network Activity.
NetTech Solutions Protecting the Computer Lesson 10.
Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by Rafail Tsirbas 4/1/20151.
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
#16 Application Measurement Presentation by Bobin John.
1 Internet Traffic Measurement and Modeling Carey Williamson Department of Computer Science University of Calgary.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
1 CNLab/University of Ulsan Chapter 19 Firewalls  Packet Filtering Firewall  Application Gateway Firewall  Firewall Architecture.
1 Introduction IETF RFC1752 – a specification for a next-generation IP (IPng) IETF RFC2460 – IPv6 specification Designed to accommodate the highest speed.
NetFlow Analyzer Best Practices, Tips, Tricks. Agenda Professional vs Enterprise Edition System Requirements Storage Settings Performance Tuning Configure.
Chapter 5 Network and Transport Layers
Jennifer Rexford Princeton University
FIREWALL configuration in linux
Data Streaming in Computer Networking
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Data collection methodology and NM paradigms
Information Security Session October 24, 2005
Cristian Estan, Stefan Savage, George Varghese
Firewalls Purpose of a Firewall Characteristic of a firewall
CPSC 641: WAN Measurement Carey Williamson
Programmable Networks
Carey Williamson Department of Computer Science University of Calgary
MESSAGE ACCESS AGENT: POP AND IMAP
PCAV: Evaluation of Parallel Coordinates Attack Visualization
Presentation transcript:

AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego

October 2003AutoFocus - NANOG 292 Who is using my link?

October 2003AutoFocus - NANOG 293 Informal problem definition Gigabytes of measurement data Analysis Traffic reports Applications: 50% of traffic is Kazaa Sources: 20% is from Steve’s PC

October 2003AutoFocus - NANOG 294 Informal problem definition Gigabytes of measurement data 20% is Kazaa from Steve’s PC 50% is Kazaa from network A Analysis Traffic reports

October 2003AutoFocus - NANOG 295 AutoFocus: system structure Traffic parser Web based GUI Traffic analyzer Grapher (sampled) NetFlow data or Packet header traces categories names

October 2003AutoFocus - NANOG 296 System details l Availability u Downloadable u Free for educational, research and non-profit use l Requirements u Linux or BSD (might run on other Unix OSes) u 256 Megs of RAM at least u 1-10 gigabytes of hard disk (depends on traffic) u Recent Netscape, Mozilla or I.E. (Javascript) u Needs no web server – no server side scripting

October 2003AutoFocus - NANOG 297 Traffic analysis approach l Characterize traffic mix by describing all important traffic clusters u Multi-field clusters (e.g. flash crowd described by protocol, port number and IP address) u At the the right level of granularity (e.g. computer, proper prefix length) u Analysis is automated – finds insightful data without human guidance

October 2003AutoFocus - NANOG 298 Traffic clusters: example l Incoming web traffic for CS Dept. u SrcIP=*, u DestIP in /21, u Proto=TCP, u SrcPort=80, u DestPort in [1024,65535]

October 2003AutoFocus - NANOG 299 l Traffic reports automatically list significant traffic clusters l Describe only clusters above threshold (e.g. T=total of traffic/20) l Compression removes redundant clusters whose traffic can be inferred from more specific clusters Traffic report

October 2003AutoFocus - NANOG 2910 Automatic cluster selection / / / / / / / / / / / /30

October 2003AutoFocus - NANOG 2911 Automatic cluster selection / / / / / / / / / / Threshold= / /30

October 2003AutoFocus - NANOG Automatic cluster selection / / / / / Compression keeps interesting clusters by removing those that can be inferred from more specific ones < ≥100

October 2003AutoFocus - NANOG 2913 Single field report example Source IPTraffic pkts / / AutoFocus has both single field and multi-field traffic reports

October 2003AutoFocus - NANOG 2914 Graphical user interface l Web based interface l Many pre-computed traffic reports l Interactive drill-down l Traffic categories defined by user

October 2003AutoFocus - NANOG 2915 Traffic reports for weeks, days, three hour intervals and half hour intervals

October 2003AutoFocus - NANOG 2916 Traffic reports measure traffic in bytes, packets and flows, have various thresholds

October 2003AutoFocus - NANOG 2917 Single field report

October 2003AutoFocus - NANOG 2918

October 2003AutoFocus - NANOG 2919 Colors – user defined traffic categories Separate reports for each category

October 2003AutoFocus - NANOG 2920 The filter and threshold allow interactive drill-down

October 2003AutoFocus - NANOG 2921 The filter and threshold allow interactive drill-down

October 2003AutoFocus - NANOG 2922 The filter and threshold allow interactive drill-down

October 2003AutoFocus - NANOG 2923 Case study : SD-NAP l Structure of regular traffic mix u Backups from CAIDA to tape server u FTP from SLAC Stanford u Scripps web traffic u Web & Squid servers u Large ssh traffic u Steady ICMP probing from CAIDA l Unexpected events

October 2003AutoFocus - NANOG 2924 l Backups from CAIDA to tape server Structure of regular traffic mix SD-NAP

October 2003AutoFocus - NANOG 2925 l Backups from CAIDA to tape server u Semi-regular time pattern Structure of regular traffic mix SD-NAP

October 2003AutoFocus - NANOG 2926 l Steady ICMP probing from CAIDA Structure of regular traffic mix SD-NAP The flow view highlights different traffic clusters

October 2003AutoFocus - NANOG 2927 Analysis of unusual events l Sapphire/SQL Slammer worm u Find worm port & proto automatically

October 2003AutoFocus - NANOG 2928 Analysis of unusual events l Sapphire/SQL Slammer worm u Can identify infected hosts

October 2003AutoFocus - NANOG 2929 How can AutoFocus help you? l Understand your regular traffic mix better u Better planning of network growth u Better traffic policing l Understand unusual events u More effective reactions to worms, DoS attacks u Notice effects of route changes on traffic

October 2003AutoFocus - NANOG 2930 Benefits w.r.t. existing tools l Multi-field aggregation l Automatically finds right granularity l Drill-down u Per category reports u Using filter

October 2003AutoFocus - NANOG 2931 Thank you! Beta version of AutoFocus downloadable from Any questions? Acknowledgements: Stefan Savage, George Varghese, Vern Paxson, David Moore, Liliana Estan, Mike Hunter, Pat Wilson, Jennifer Rexford, K Claffy, Alex Snoeren, Geoff Voelker, NIST,NSF

October 2003AutoFocus - NANOG 2932

October 2003AutoFocus - NANOG 2933 Definition: unexpectedness l To highlight non-obvious traffic clusters by using unexpectedness label u 50% of all traffic is web u Prefix B receives 20% of all traffic u The web traffic received by prefix B is 15% instead of 50%*20%=10%, unexpectedness label is 15%/10%=150%

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.