Slide 1: Distributed Network Monitoring in the Wisconsin Advanced Internet Lab
Paul Barford, Computer Science Department, University of Wisconsin – Madison, Spring 2002

Slide 2: Motivation (slide footer: pb@cs.wisc.edu)
- Many applications that run over the Internet have minimum performance requirements
- The network is one of the two possible sources of poor performance
- Wide area network behavior is unpredictable
  – IP networks are best effort
  – Constant change is normal
- Quality of service capability is not widely deployed
  – Will it ever be available?

Slide 3: Monitoring is a First Step
- Accurate monitoring of network state can enable application adaptivity and improved network management
  – Data provides the basis for improved models and protocols
- There are many challenges in network monitoring
  – All features of the Internet make monitoring difficult
  – When, where, what, how…
- Today’s focus:
  1. Network monitoring efforts at Wisconsin
  2. Combining monitoring and analysis to understand network traffic anomalies

Slide 4: The Wisconsin Advanced Internet Lab
- Next generation environment for network research
  – Our focus: performance, management, security
  – Platform for testbeds: storage, grid computing, …
- Internal environment
  – Instances of end-to-end-through-core Internet paths
- External environment
  – Measurement nodes deployed across the Internet

Slide 5: WAIL’s External Environment
- Existing infrastructure
  – WAWM systems (10)
  – Surveyor systems (60): partnership with Advanced Systems
  – NIMI systems (45): partnership with PCS and ICIR
  – Condor/Grid infrastructures: prototype system is under development
- Passive flow measurements
  – FlowScan data from UW, Internet2, others(?)

Slide 6: WAIL’s Internal Environment
- Complement to the external facilities
- Hands-on test bed that creates end-to-end-through-core paths identical to those in the Internet
  – Variety of highly configurable equipment
- Why do we need an internal lab?
  – Enables instrumentation and measurement of the entire end-to-end system
  – Enables new systems and protocols to be implemented in places where access is not possible in the wide area
- Vision of the internal lab: new means for doing network research
- Status: significant commitment from industry partners (Cisco, EMC, Fujitsu) and the university – rev. 1.0 by 5/1/02

Slide 7: Distributed Anomaly Detection
- Motivation: anomaly detection and identification is an important task for network operators
  – Operators typically monitor by eye using SNMP or IP flows
  – Simple thresholding is ineffective
  – Some anomalies are obvious, others are not
- Focus: characterize and develop distributed means for detecting classes of anomalies
  – Network outages, flash crowds, attacks, measurement failures
- Approach: use statistical and wavelet techniques to analyze anomalies in IP flow and SNMP data from UW and other sites
- Implications: tools and infrastructure which quickly and accurately identify and adapt to traffic anomalies

Slide 8: Characteristics of “Normal” Traffic (figure slide)

Slide 9: Our Approach to Analysis
- Analyze examples of each type of anomaly via statistics, time series and wavelets (our initial focus)
- Wavelets provide a means for describing time series data that considers both frequency and scale
  – Particularly useful for characterizing data with sharp spikes and discontinuities
- More robust than Fourier analysis, which only shows what frequencies exist in a signal
  – Tricky to determine which wavelets provide the best resolution of signals in the data
- We use tools developed at the UW Wavelet IDR center
- First step: identify which filters isolate anomalies

Slide 10: Analysis of “Normal” Traffic (figure slide)
- Wavelets easily localize familiar daily/weekly signals

Slide 11: Example Anomaly: Attacks (figure slide)
- DoS: sharp increase in flows and/or packets in one direction
- Linear splines seem to be a good filter to distinguish DoS attacks

Slide 12: Characteristics of Flash Crowds (figure slide)
- Sharp increase in packets/bytes/flows followed by a slow return to normal behavior, e.g., Linux releases
- Leading edge not significantly different from the DoS signal, so the next step is to look within the spikes

Slide 13: Characteristics of Network Anomalies (figure slide)
- Typically a steep drop-off in packets/bytes/flows followed a short time later by restoration
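Slides 7 and 9–13 describe the idea in words: a wavelet filter localizes sharp edges in a flow time series while ignoring the slow daily cycle, and the shape of the edges separates DoS spikes, flash crowds and outages. The following added example (not the Wavelet IDR tools, not UW data, and not code from the presentation) runs that idea over a constructed hourly flow-count series. It uses an undecimated Haar detail filter with a median/MAD threshold, pairs the detected edges into the three classes using the shapes given on slides 11–13, and contrasts the result with the fixed-line thresholding that slide 7 calls ineffective. The anomaly magnitudes, the 24-hour decay constant and the 1500-flow static limit are assumptions chosen for the illustration.

```python
"""Added example: wavelet-style localisation of traffic anomalies in an
hourly IP-flow time series. Constructed data and a Haar filter; not the
Wavelet IDR tools or the UW data referred to in the slides."""
import math
from statistics import median


def synthetic_flow_counts(hours=256):
    """Constructed hourly flow counts: a diurnal cycle plus three anomalies
    shaped like the ones on slides 11-13 (DoS spike, flash crowd, outage)."""
    x = [1000 + 600 * math.sin(2 * math.pi * (t - 6) / 24) for t in range(hours)]
    for t in range(100, 104):                 # DoS: abrupt rise, abrupt fall
        x[t] += 3000
    for t in range(150, hours):               # flash crowd: abrupt rise, slow decay
        x[t] += 2500 * math.exp(-(t - 150) / 24)
    for t in range(200, 203):                 # outage: steep drop, restored 3 h later
        x[t] = 20.0
    return x


def haar_detail(x, level=1):
    """Undecimated Haar detail coefficients at scale 2**level hours.

    With h = 2**(level-1), d[t] is the mean of x[t+h : t+2h] minus the mean of
    x[t : t+h], so it is large exactly where the series jumps at position t+h.
    The undecimated (shift-invariant) form sees a jump wherever it falls, not
    only on even sample boundaries as the decimated transform would."""
    h = 2 ** (level - 1)
    return [sum(x[t + h:t + 2 * h]) / h - sum(x[t:t + h]) / h
            for t in range(len(x) - 2 * h + 1)]


def robust_threshold(coeffs, k=6.0):
    """median(|d|) + k * MAD: the handful of anomalous coefficients barely
    move it, unlike a mean / standard-deviation threshold."""
    mags = [abs(v) for v in coeffs]
    m = median(mags)
    mad = median([abs(v - m) for v in mags])
    return m + k * mad


def detect_edges(x, level=1, k=6.0):
    """Return (hour, jump) for every detail coefficient beyond the robust
    threshold; the hour is the first sample on the new side of the edge."""
    h = 2 ** (level - 1)
    d = haar_detail(x, level)
    thr = robust_threshold(d, k)
    return [(t + h, v) for t, v in enumerate(d) if abs(v) > thr]


def classify_edges(edges, window=12):
    """Pair edges into the classes on slides 11-13: up then down within the
    window is a DoS-like spike, down then up is an outage, and an up edge with
    no partner is a flash crowd (its slow return produces no sharp edge)."""
    labels, used = [], set()
    for i, (t, jump) in enumerate(edges):
        if i in used:
            continue
        partner = next((j for j in range(i + 1, len(edges))
                        if j not in used and edges[j][0] - t <= window
                        and edges[j][1] * jump < 0), None)
        if partner is None:
            labels.append((t, "flash crowd" if jump > 0 else "unpaired drop"))
        else:
            used.add(partner)
            labels.append((t, "dos spike" if jump > 0 else "outage"))
    return labels


def static_threshold_alarms(x, limit=1500):
    """The fixed-line 'monitor by eye' baseline from slide 7: fires on every
    daily peak and can never see a drop-out, since a dip is below the line."""
    return [t for t, v in enumerate(x) if v > limit]


if __name__ == "__main__":
    x = synthetic_flow_counts()
    edges = detect_edges(x)
    for t, label in classify_edges(edges):
        print(f"hour {t:3d}: {label}")
    alarms = static_threshold_alarms(x)
    print(f"static threshold fires on {len(alarms)} hours; outage at hour 200 seen: {200 in alarms}")
```

The level-1 detail is the finest scale and responds to hour-to-hour jumps; raising `level` widens the filter to 2**level hours, which suppresses single-hour measurement glitches at the cost of blurring the position of an edge, and is the knob slide 9 refers to when it says it is tricky to pick the filter that best resolves a given anomaly.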

Slide 14: Summary and Conclusion
- Accurate network monitoring is essential for improving application performance and network management
- The Wisconsin Advanced Internet Lab provides a unique environment for network monitoring
- Wavelets are an effective means for identifying anomalous behavior in data gathered from IP flow and SNMP interface monitors
  – Details on distributed and coordinated monitoring and analysis available this spring
