Presentation is loading. Please wait.

Presentation is loading. Please wait.

DiFMon Distributed Flow Monitor Salvatore D’Antonio 1, Claudio Mazzariello 2, Francesco Oliviero 2, Dario Salvi 1 1: Lab Item, Consorzio Interuniversitario.

Published byEsther Harrell Modified over 8 years ago

Similar presentations

Presentation on theme: "DiFMon Distributed Flow Monitor Salvatore D’Antonio 1, Claudio Mazzariello 2, Francesco Oliviero 2, Dario Salvi 1 1: Lab Item, Consorzio Interuniversitario."— Presentation transcript:

1 DiFMon Distributed Flow Monitor Salvatore D’Antonio 1, Claudio Mazzariello 2, Francesco Oliviero 2, Dario Salvi 1 1: Lab Item, Consorzio Interuniversitario Nazionale per l’Informatica, Napoli 2: Dipartimento di Informatica e sistemistica, Università degli studi di Napoli Federico II

2 o Possible Uses: traffic profiling, Intrusion Detection o Context: Internet Flow Monitoring o Contribution: Development of a distributed software for flow monitoring

3 Flows are defined by means of some properties appliable to packets headers For example: 1.IP addresses, source and destination 2.The 5-uple (source address, destination address, source port, destination port, protocol next to IP) …and by means of a timeout… The choice of the flow definition follows the needs of the application which uses monitoring data

4 A Flow Monitor should: 1.Capture packets from the network 2.Associate a flow id to each packet on the basis of the chosen definition of flow 3.When a packet arrives, update the metrics of the flow the packet belongs to 4.Keep in memory the metrics related to the “living” flows (not timed out yet) in data structures (flow records) 5.Save the measured metrics of each timed out flow in order to make them available to the applications

5 Proposed architecture: Meter Flow Cache Collector Flow Cache Application 1.Calculates the metrics at each packet arrival 2.Keeps in memory the metrics of each living flow 3.“Exporting” of timed out flows to the Collector 4.Eventually exports some “interesting” living flow 1.Keeps in memory th emtrics of each timed out flow 2.Eventually advises the application of some “interesting” living flow 1.Packet capturing 2.Associates flow id to the packet

6 The Flow Cache: It is the critical module, it must look up and update a flow record each time a packet arrives (for this reason is distributed) Packet multiplexing is done by means of a hash function (mmh) computed on the flow id Metrics can be freely implemented through an API Flow records ordering is Least Recently Used (on the basis of the last acces time) The flow record of a just-arrived packet will be positioned among the first elements of the queue with a high probability (temporal locality properties, i.e. heavy tailed distributions of the packet rates) LRU ordering allows the otpimized search of timed out flows (starting from the tail of the queue and stopping when a not-timed out flow is found)

7 Some Details: Comunication between the modules is done using UDP A flow control between modules is provided Programming language: C Operating system: Linux Used libraries: libpcap Software license: GPL Project location: SourceForge.net

8 The management Protocol: The system must be: reliable, robust and flexible. Some assumptions: Meter Flow Cache Collector Flow Cache The system internal network must be faster enough than the monitored network Modules can run on the same / different machines The Meter must perform packet capturing between packet interarrival time The collector and the meter use defined port numbers for signalling messages

9 Start and Stop of the system: Meter Collector Flow Cache 2 – ACK 6 – ACK 1 – CONN Req 4 – ACK 5 – ACK 3 – CONN Req Starting On defined port number On dinamically chosen port number 2 – END Req 6 – ACK 4 – END Req 5 – ACK 1 – END Req 3 – Export Stopping

10 Steady state protocol: Meter Collector Flow Cache On defined port number On dinamically chosen port number 1 – Captured Data 2 – ACK 1 – Exporting Data 2 – ACK

11 Meter Collector Flow Cache 2 – ABORT 1 – ABORT Flow Cache 2 – ABORT 3 – ABORT 2 – ABORT Aborting (from Flow Cache):

12 Meter Collector Flow Cache Aborting (from Meter): 1 – ABORT 2 – ABORT 1 – ABORT 2 – ABORT 1 – ABORT

13 Meter Collector Flow Cache Aborting (from Collector): 2 – ABORT 1 – ABORT 2 – ABORT 1 – ABORT 2 – ABORT

14 Adding/Removing a Flow Cache: Meter Collector Flow Cache On defined port number On dinamically chosen port number 2 – ACK 1 – DISCONN Req 2 – ACK 1 – DISCONN Req Removing 1 – CONN Req 3 – CONN Req 4 – ACK 2 – ACK 6 – ACK 5 – ACK Adding

15 Meter Flow Cache 2 – ACK 1 – ALIVE Req Collector 2 – ACK 1 – ALIVE Req Crashes: Meter’s crashCollector’s crash Flow Cache’s crash

16 Conclusions / future works: The proposed architecture and protocol is scalable to the increase of the number of the flow caches and monitored networks. The system is suitable to different contexts, such as security, traffic profiling or billing where specific metrics are of interest. Benchmarking and robustness evaluation will be conducted. The LRU sorting algorithm will be compared with other ordering algorithms. We are currently working on the implementation of an intrusion detection system and a tool for traffic profiling based on the proposed monitoring architecture.

Download ppt "DiFMon Distributed Flow Monitor Salvatore D’Antonio 1, Claudio Mazzariello 2, Francesco Oliviero 2, Dario Salvi 1 1: Lab Item, Consorzio Interuniversitario."

Similar presentations

Overview of IETF work on IP traffic flow measurement and current developments Dr. Jürgen Quittek General Manager Network Research Division, NEC Europe.

Overview of IETF work on IP traffic flow measurement and current developments Dr. Jürgen Quittek General Manager Network Research Division, NEC Europe.
IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Progress Report: Metering NSLP (M-NSLP) 66th IETF meeting, NSIS WG.

Progress Report: Metering NSLP (M-NSLP) 66th IETF meeting, NSIS WG.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Traffic Forecasting Medium Access TRANSFORMA Vladislav Petkov Katia Obraczka 1.

Traffic Forecasting Medium Access TRANSFORMA Vladislav Petkov Katia Obraczka 1.
1 Efficient Retrieval of User Contents in MANETs Marco Fiore, Claudio Casetti, Carla-Fabiana Chiasserini Dipartimento di Elettronica, Politecnico di Torino,

1 Efficient Retrieval of User Contents in MANETs Marco Fiore, Claudio Casetti, Carla-Fabiana Chiasserini Dipartimento di Elettronica, Politecnico di Torino,
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
Measuring Queuing and System Delay Using Click Modular Router By Caroline Williams.

Measuring Queuing and System Delay Using Click Modular Router By Caroline Williams.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.

Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
Draft-novak-bmwg-ipflow-meth-05.txt IP Flow Information Accounting and Export Benchmarking Methodology

Draft-novak-bmwg-ipflow-meth-05.txt IP Flow Information Accounting and Export Benchmarking Methodology
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.

1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.
Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.

Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.
Research & Development Roadmap 1. Outline A New Communication Framework Giving Bro Control over the Network Security Monitoring for Industrial Control.

Research & Development Roadmap 1. Outline A New Communication Framework Giving Bro Control over the Network Security Monitoring for Industrial Control.
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.

Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.
Fraunhofer FOKUSCompetence Center NET T. Zseby, CC NET1 IPFIX – IP Flow Information Export Overview Tanja Zseby Fraunhofer FOKUS, Network Research.

Fraunhofer FOKUSCompetence Center NET T. Zseby, CC NET1 IPFIX – IP Flow Information Export Overview Tanja Zseby Fraunhofer FOKUS, Network Research.
Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.

Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.

Similar presentations

Ads by Google