Frequency Analysis of Protocols Dr. Craig Partridge BBN Technologies.


An Emerging Field
- Using techniques from signal processing to better understand networks and protocols
- A quick tour of the work done to date
- Along with some highly speculative thoughts about what might come next

An Overview of the Basic Concepts
- Please note, I’m a systems person, not a mathematician.
- This talk structured for an intuitive understanding…
- … although I’ll try to be rigorous where necessary

Step 1: Capture Packet Traces
- Place taps or measuring devices in various spots in the network
- For each transmission seen, capture
  - Time
  - Direction
  - Duration
  - Other stuff as desired
[Figure: network tap]

Step 2: Trace to Signal
- Trace is a discrete time series (time + data in non-uniform time increments)
- Signal processing wants a time/amplitude series (often a uniform series)

Step 3: Run Feature Detection Algorithms over Signal
- The meat of the task…
- Indeed, the signal representation you choose is largely dictated by the algorithm you wish to run
- Various algorithms extract various types of information
- Rest of the talk is a survey of what has been done

USC DDoS Attack
- How many sources are attacking you?
- Capture attack packets
- Convert to a uniform series
  - x(t) = # of attack packets received in millisecond t
- Condition signal
  - Subtract mean x(t) out
  - Removes dominant frequency

DDoS Continued
- Now do auto-correlation and compute spectral density
- Basically looking for frequency variations in the attack stream over time
- A uniform source would show a single stable set of frequencies
- Spectral-density: a spectrum where you show the power at each frequency
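The pipeline on the two DDoS slides, as an added example that is not code from the talk or from the USC work: bin packet arrivals into 1 ms counts, subtract the mean, autocorrelate, and take the spectral density. The two packet traces, the 5% power floor and all function names are constructed for illustration.

```python
import math

def bin_counts(timestamps_s, bin_s, duration_s):
    """x(t): number of packets received in each bin of width bin_s."""
    n = int(round(duration_s / bin_s))
    x = [0] * n
    for ts in timestamps_s:
        i = int(ts / bin_s)
        if 0 <= i < n:
            x[i] += 1
    return x

def autocorrelation(x):
    """Biased autocorrelation of x after subtracting its mean."""
    n = len(x)
    mean = sum(x) / n
    d = [v - mean for v in x]
    return [sum(d[i] * d[i + k] for i in range(n - k)) / n for k in range(n)]

def spectral_density(acf, bin_s):
    """(frequency_hz, power) pairs: cosine transform of the autocorrelation."""
    n = len(acf)
    psd = []
    for k in range(1, n // 2):
        step = 2 * math.pi * k / n
        power = acf[0] + 2 * sum(acf[m] * math.cos(step * m) for m in range(1, n))
        psd.append((round(k / (n * bin_s), 6), power))
    return psd

def peak_frequencies(timestamps_s, bin_s=0.001, duration_s=1.0, floor=0.05):
    """Frequencies whose power is at least `floor` times the strongest peak."""
    x = bin_counts(timestamps_s, bin_s, duration_s)
    psd = spectral_density(autocorrelation(x), bin_s)
    top = max(p for _, p in psd)
    return [f for f, p in psd if p >= floor * top]

# Constructed traces: source A sends every 10 ms, source B every 25 ms.
SOURCE_A = [(10 * i + 0.5) / 1000 for i in range(100)]
SOURCE_B = [(25 * j + 3.5) / 1000 for j in range(40)]
```

A single uniform source yields one harmonic family (multiples of 100 Hz); mixing in the second source adds a second family starting at 40 Hz, which is the signal used to reason about the number of senders.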

Wavelet-based Approach
Huang, Feldmann, Willinger
- Finding time structures in traces
- Capture packet traces at some point
- Divide into conversations/flows
  - Use source/destination/prefix info to do division
  - Divide according to what class of traffic you wish to analyze
- Convert traces to uniform signal of 0/1

More Wavelet
- Compute an energy function
  - Compute discrete Haar wavelet transform
  - Energy function measures wavelet coefficients
  - Low coefficients reveal regular or periodic structure in time series
- Use energy graphs to reveal periodic structure
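An added sketch of the Haar energy idea (not the authors' code): the slides do not define the energy function, so this example assumes it is the mean squared Haar detail coefficient at each scale. Both 0/1 flows are constructed; function names are illustrative.

```python
import math
import random

def haar_energy(signal):
    """Mean squared Haar detail coefficient per scale (index 0 = scale 1).
    Scale j compares adjacent blocks of 2**(j-1) bins."""
    approx = list(signal)
    energies = []
    while len(approx) >= 2:
        pairs = [(approx[i], approx[i + 1]) for i in range(0, len(approx) - 1, 2)]
        detail = [(a - b) / math.sqrt(2) for a, b in pairs]
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
        energies.append(sum(d * d for d in detail) / len(detail))
    return energies

def periodic_flow(n_bins=256, period=8):
    """Constructed 0/1 signal: one packet every `period` bins."""
    return [1 if t % period == 0 else 0 for t in range(n_bins)]

def irregular_flow(n_bins=256, period=8, seed=7):
    """Constructed 0/1 signal with the same mean rate but random timing."""
    rng = random.Random(seed)
    return [1 if rng.random() < 1.0 / period else 0 for _ in range(n_bins)]

def first_quiet_scale(energies, eps=1e-12):
    """Smallest scale from which every detail energy is numerically zero."""
    for j in range(len(energies)):
        if all(e < eps for e in energies[j:]):
            return j + 1
    return None
```

For the periodic flow the detail energy collapses to zero from scale 4 onward, the scale whose blocks span exactly one 8-bin period; the irregular flow keeps energy at that scale.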

Lomb Periodogram
Cousins, Krishnan, Partridge
- Similar to wavelet approach
- Lomb periodogram: designed for non-uniform signal traces [ideal for packets]
- Computes spectral power at each frequency
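An added example of the normalised Lomb periodogram evaluated directly on irregular packet timestamps, with no resampling to a uniform grid (not code from the talk). The slides do not say which per-packet value forms the signal; this sketch assumes packet length, and the trace, whose lengths vary at 2 Hz, is constructed.

```python
import math
import random

def lomb_power(times, values, freq_hz):
    """Normalised Lomb periodogram power at one frequency."""
    n = len(times)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / (n - 1)
    w = 2 * math.pi * freq_hz
    # tau makes the result independent of where t = 0 is placed
    tau = math.atan2(sum(math.sin(2 * w * t) for t in times),
                     sum(math.cos(2 * w * t) for t in times)) / (2 * w)
    cs = sn = cc = ss = 0.0
    for t, v in zip(times, values):
        c, s = math.cos(w * (t - tau)), math.sin(w * (t - tau))
        cs += (v - mean) * c
        sn += (v - mean) * s
        cc += c * c
        ss += s * s
    return (cs * cs / cc + sn * sn / ss) / (2 * var)

def lomb_peak(times, values, freqs):
    """Frequency in `freqs` with the highest spectral power."""
    return max(freqs, key=lambda f: lomb_power(times, values, f))

def sample_trace(n=200, seed=11):
    """Constructed trace: exponential gaps (mean 50 ms), length varying at 2 Hz."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n):
        t += rng.expovariate(20.0)
        times.append(t)
    lengths = [600 + 400 * math.sin(2 * math.pi * 2.0 * t) for t in times]
    return times, lengths

FREQS = [k / 10 for k in range(1, 101)]   # scan 0.1 Hz to 10 Hz
```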

Lomb Example

Example Results
- Identified CBR Send Rates
- Identified FTP Round Trip Times
- Characteristics from all three flows observed

Lomb Analysis of b Data
[Table: Node ID, Application Frequencies (Hz); cell values not recoverable. Green: Correct Detection. Red: Missed Detection.]
- Data: 18 nodes, tcpdump
- Results:
  - Detected 6 out of 6 application frequencies emitted
  - Detected 15 out of 27 traffic generators
  - Missed most generators emitting at 1 Hz
- Spectral Techniques easily show periodic application traffic on the network

A Pause to Comment
- All three approaches mentioned so far have the characteristic that
  - We can detect timing structure from our data
  - If we have ground-truth, we can show how the timing structure we find relates to the timing structures in the network
  - But, without ground-truth, we can’t say for sure what the structure means

Topology Discovery
- Techniques where we can show a valuable set of results, without ground-truth to interpret
- Discover links in a network (wireless)
  - Coherence
  - Causality
- Given complete map, which links are used?
  - Route discovery

Coherence
- Take samples of the time series at different points in the network
- Compare them, offset in time
- Look for statistically significant relationships between their spectral peaks

A Sketch of the Coherence Math
- Compute the Discrete Fourier Transform
  - This gives you a series of equally spaced points in a spectrum
- The Cross Spectral Density is an averaged product (for each of the points in the spectrum) of the DFT of one series with the complex conjugate of the DFT from another series
- Normalize the CSD to 0…1 to get coherence
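The coherence computation from the two slides above, as an added example rather than the speaker's code: per-segment DFTs, an averaged cross spectral density, and normalisation to 0…1. The three tap signals are constructed (tap B sees tap A's traffic 3 bins later plus its own; tap C is unrelated), and the 64-bin segment length is an assumption.

```python
import cmath
import random

def dft(x):
    """First len(x)//2 + 1 DFT bins of a real sequence."""
    n = len(x)
    return [sum(v * cmath.exp(-2j * cmath.pi * k * t / n) for t, v in enumerate(x))
            for k in range(n // 2 + 1)]

def coherence(x, y, seg_len=64):
    """Magnitude-squared coherence per DFT bin, averaged over segments."""
    bins = seg_len // 2 + 1
    sxy, sxx, syy = [0j] * bins, [0.0] * bins, [0.0] * bins
    for start in range(0, len(x) - seg_len + 1, seg_len):
        xs, ys = x[start:start + seg_len], y[start:start + seg_len]
        mx, my = sum(xs) / seg_len, sum(ys) / seg_len
        fx = dft([v - mx for v in xs])
        fy = dft([v - my for v in ys])
        for k in range(bins):
            sxy[k] += fx[k] * fy[k].conjugate()   # cross spectral density
            sxx[k] += abs(fx[k]) ** 2
            syy[k] += abs(fy[k]) ** 2
    # Normalise the CSD to 0..1; bins with no power (e.g. DC) report 0.
    return [abs(sxy[k]) ** 2 / (sxx[k] * syy[k]) if sxx[k] * syy[k] > 1e-9 else 0.0
            for k in range(bins)]

def sample_taps(n=1024, period=8, delay=3, seed=5):
    """Constructed per-bin packet counts at three taps."""
    rng = random.Random(seed)
    a = [(t % period == 0) + (rng.random() < 0.2) for t in range(n)]
    b = [(a[t - delay] if t >= delay else 0) + (rng.random() < 0.1) for t in range(n)]
    c = [int(rng.random() < 0.3) for _ in range(n)]
    return a, b, c

PERIODIC_BIN = 64 // 8   # DFT bin of the 8-bin periodic traffic in a 64-bin segment
```

Coherence between taps A and B stays high at `PERIODIC_BIN` despite the time offset, while A against C does not, which is the evidence used to infer a link.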

Coherence Plots

Coherence Comments
- Coherence works
  - Nicely tracks moving nodes
- But coherence gets confused
  - For instance, confusion over applications with similar periodicity
  - Sometimes skips hop in path

Causality
- Instead of related spectra, try relating individual transmissions to transmissions that came before
- Define a weight function W that estimates the likelihood that event k came from a prior transmission by node i
- Then the probability that an event at node i caused k is:

Topology Discovery
- Now create a conversation matrix
- Consider C which is the set of all events at a particular node i.
- The probability that node j is sending to node i is:
- These values define a matrix
  - Row x is probabilities that x is sending to each of the nodes
  - Column x is probability that x is receiving from each of the nodes
- N.B.: Probability can be computed incrementally over C

Comments on Causality
- Core idea: Over the course of a number of events, the probability function will give enough more weight to correct sources to yield a good conversation matrix
- Current W is pretty simple
  - Exponential (Poisson) focused on most recent event
  - Self similarity not a problem until we look fairly deep back in time
  - May need a more expensive weight function
- Very fast… (real time analysis)

Egress Nodes
- Extend the causality equation
- For each event, compute 1 minus maximum weight: the egress weight
  - I.e. figure weighting algorithm correctly identified source of event, if present. If no source, this inverse will be large
- Define a new column of the conversation matrix that contains the normalized average of the egress weight.
- Large values flag egress nodes
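An added sketch covering the causality, conversation-matrix and egress slides together (not the speaker's code). The slides' equations are not on this page, so the form used here is an assumption: W is an exponential decay on the time since each other node's most recent transmission, probabilities are the weights normalised per event, and the egress weight is 1 minus the largest weight. The decay rate and the trace are constructed.

```python
import math
from collections import defaultdict

RATE = 100.0  # assumed decay rate (1/s) of the exponential weight W

def analyse(events, rate=RATE):
    """events: time-sorted (time_s, node) transmissions seen by a probe.
    Returns (conv, egress). conv[sender][receiver] is the averaged
    probability that the sender's latest transmission caused the
    receiver's event; egress[node] is the average of 1 - max weight."""
    last = {}                                    # node -> time of latest transmission
    sums = defaultdict(lambda: defaultdict(float))
    egress_sum = defaultdict(float)
    count = defaultdict(int)
    for t, node in events:                       # one pass: incremental over events
        w = {j: math.exp(-rate * (t - tj)) for j, tj in last.items() if j != node}
        total = sum(w.values())
        if total > 0:
            for j, wj in w.items():
                sums[j][node] += wj / total      # normalised causality probability
        # No plausible prior source means every weight is small, so this is large.
        egress_sum[node] += 1.0 - max(w.values(), default=0.0)
        count[node] += 1
        last[node] = t
    conv = {j: {i: s / count[i] for i, s in row.items()} for j, row in sums.items()}
    egress = {i: egress_sum[i] / count[i] for i in count}
    return conv, egress

def sample_trace(rounds=20):
    """Constructed trace: A sends once a second (traffic entering from outside
    the observed region), B forwards 5 ms later, C forwards 5 ms after B."""
    events = []
    for n in range(rounds):
        events += [(n, "A"), (n + 0.005, "B"), (n + 0.010, "C")]
    return events
```

Normalisation alone still splits A's events between B and C even though their last transmissions are about a second old; the egress column is what shows that A has no plausible in-network source.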

Egress Example

Stitching
- Once egress nodes identified, it is possible to connect graphs efficiently
- Each probe shares with its neighboring probes the traffic traces from its egress nodes
- Traces are combined to create a single trace between each set of pairs
- Rerun the topology algorithm with the additional trace and see if a link appears

Stitching Example

Thoughts on Egress and Stitching
- Extensions to causality analysis
- Egress is highly dependent on the weighting function

End-to-End Route Discovery
- Discover end-to-end paths between communicating hosts (src and dst)
- Route: A path or sequence of links (src to dst)
  - There may be multiple paths – need the path actually taken by data from src to dst
- Require identification of active links
  - Can do receiver identification from conversation matrix
- Choose shortest paths
  - Break ties using “aggregate path coherence”
  - Coherence between steps in each path
- End result: Layer 3 (network) connectivity – Routing Tables

Some Thoughts
- Progress is likely to be rapid
  - Better techniques
  - Match and latch
  - Max-plus
- Timing structure is remarkably robust
  - E.g. Lomb showed frequency of traffic that wasn’t visible