Presentation is loading. Please wait.

Presentation is loading. Please wait.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Published byPosy Turner Modified over 9 years ago

Similar presentations

Presentation on theme: "Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM."— Presentation transcript:

1 Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM CoNEXT, December 1 st 2010 Profiling-by-Association: A Resilient Traffic Profiling Solution for the Internet Backbone

2 Profiling Internet traffic Who is using my network and for what? Which applications are running in my network? 1 Internet Internet Service Provider (ISP) Application Breakdown Assign traffic to different applications Why is this useful? Traffic engineering Network planning

3 Profiling traffic is challenging There is a gap between what network administrators want and what existing tools can provide 2 What we want Traffic profiling results using deep packet inspection (data are from a peering link between two ISP is the US) What we get with existing tools We present a tool that: Profiles ALL the traffic Has high prediction accuracy (~90%)

4 Why traffic profiling is challenging? 3 Obfuscation at multiple levels Users and applications try to hide their traffic e.g., Peer-to-peer (P2P) Port Numbers Level-1 Use random ports Payload Signatures Flow Statistics Level-2 Encryption Level-3 Payload padding What existing profilers use:How to evade them:

5 Monitored link The more flows we see for a host, the easier is to profile him successfully [Kim et al. 2008] Profiling end-hosts is more robust, but … 4 Sensitive to partial visibility at the backbone Significantly affects behavioral host-profiling solutions BLINC [Karagiannis et al. 2005] Availability of information can be limited (e.g., P2P) Googling the Internet [Trestian et al. 2008] 233.14.60.67 Profiler Easy for long lived servers, hard for short lived P2P IPs We need a tool that can profile traffic: 1. Even when ports, payload, and flows are obfuscated 2. At the backbone, where we have partial visibility 3. For P2P applications successfully, which is more challenging

6 Outline Introduction Profiling-by-Association (PBA) framework Our PBA-based profiling algorithms Experimental results Conclusions 5

7 Not all traffic is hard to profile Is easier to profile traffic from: 1. Popular servers (Web, Email, DNS, etc.) E.g., white lists, Googling the Internet [Trestian et al. 2008] 2. Some P2P hosts that do not hide their traffic 6 The default in many P2P clients is not to encrypt traffic. Some users keep these settings.

8 Connectivity does not lie We can exploit the “social” interactions of hosts E.g., P2P host tend to have many flows with other P2P hosts 7 P2P SMTP (email) online game Graph representation of Internet traffic: - Nodes = IP addresses - Edges = TCP/UDP flows Traffic from a real-world ISP in the US P2P Email Our two key observations: 1. It is easy to profile some IP hosts 2. Social interactions among hosts contain valuable information

9 Our approach: Profiling-by-Association 8 A systematic way of utilizing our observations Network Traffic Initial Knowledge Phase A Seeding Nodes= IP addresses Edges= flows (TCP/UDP) Profiled Network Traffic Phase B Inference Use ONLY Connectivity (PBA) We no longer need: ports, payload, or flow features

10 Outline Introduction Profiling-by-Association (PBA) framework Our PBA-based profiling algorithms NLC (neighboring link classifier) HYP (hyper-graph classifier) CLUST, CSEED, C+NLC (in the paper) Experimental results Conclusions 9

11 1) The neighboring link classifier (NLC) Uses local structure of the graph Classify an edge using information from its neighbors ep 1 ep 2 u web x 0.5 +

12 After seeding, 10% edges labeled After NLC 1, 80% edges labeled After NLC 2, 90% edges labeled After NLC 3, 100% edges labeled The basic steps of NLC known host known host known host Profiled by association: 90% of edges

13 2) The HYP algorithm 12 P2P SMTP (email) online game Two main steps: 1.Graph clustering: Use connectivity to identify communities 2.Exploit seeds: Use knowledge about few hosts to profile each community Known P2P Known gamers Known email servers Uses global structure of the graph Community: A group of nodes in a graph that are more densely connected internally than with the rest of the graph. (The Louvain method by Blondel et al. outperformed other methods.)

14 2) The HYP algorithm (cont.) What if we have mixed clusters? Re-apply graph clustering to each such cluster Stop when we have a homogeneous cluster How do we profile clusters with no seeds? 13 ? HYPer-graph NLC

15 Outline Introduction Profiling-by-Association (PBA) framework Our PBA-based profiling algorithms Experimental results Conclusions 14

16 Evaluating at four backbone traces Seeding configurations 1.Randomly selected X% of IPs 2.Intentionally causing errors 3.Seeding using existing profilers BLINC, Coral Reef (in the paper) Evaluation Averaged over 20 runs Small standard error Ground truth: using a payload classifier Accuracy=

17 Comparing NLC and HYP on four trace HYP is more robust to the specifics of a trace 1% of hosts as seeds Accuracy This trace has more hosts with multiple applications

18 Results are from the BRAZ trace Our methods are robust to deficient seeds Few seeds Accuracy Hosts as seeds Bad seeds 40% with errors Accuracy Hosts as seeds We can make up for bad seeds using more seeds

19 Connectivity does not lie (except when it does) Hosts may try to evade the PBA profilers by: 1. Eliminating their associations It will defeat the very purpose of the application (e.g., P2P) 2. Confusing their associations P2P SMTP (email) online game Open more connections towards other applications X = Total links from known P2P towards other applications We add more such links

20 HYP is robust to Connectivity Obfuscation We increase the number of observed connections from P2P hosts towards other applications k = how many times more connections we add 19 20x 200x k Results are from the BRAZ trace

21 Outline Introduction Profiling-by-Association (PBA) framework Our profiling algorithms Experimental results Conclusions 20

22 NLC is susceptible to connectivity obfuscation 21 Port Numbers Level-1 Use random ports Level-2 Level-3 Payload Signatures Flow Statistics Encryption Payload padding Level-4 Local Connectivity Random connections to servers HYP is robust to all four levels of obfuscation

23 Compared to the state-of-the-art HYP

24 Conclusions Users can change what they control Ports, payload, flow statistics, local connections Changing the global structure of connectivity is more challenging for evaders Our HYP algorithm shows robustness to all four levels of obscurations (ports, payload, flow, connectivity) Profiling by associations is a powerful new approach for profiling Internet backbone traffic ~90% accuracy with knowledge of only 1% of IP hosts 23

25 Thank You! Questions/Discussion? This work was sponsored by:

Download ppt "Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM."

Similar presentations

Google-based Traffic Classification Aleksandar Kuzmanovic Northwestern University IEEE Computer Communications Workshop (CCW 08) October 23, 2008

Google-based Traffic Classification Aleksandar Kuzmanovic Northwestern University IEEE Computer Communications Workshop (CCW 08) October 23, 2008
An Evaluation of Community Detection Algorithms on Large-Scale Email Traffic 1 An Evaluation of Community Detection Algorithms on Large-Scale Email Traffic.

An Evaluation of Community Detection Algorithms on Large-Scale Traffic 1 An Evaluation of Community Detection Algorithms on Large-Scale Traffic.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
IPlane: An Information Plane for Distributed Services Offence by: Anup Goyal Sagar Vemuri.

IPlane: An Information Plane for Distributed Services Offence by: Anup Goyal Sagar Vemuri.
Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.

Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.
Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.

Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.
Traffic Engineering With Traditional IP Routing Protocols

Traffic Engineering With Traditional IP Routing Protocols
Multi-level Application-based Traffic Characterization in a Large-scale Wireless Network Maria Papadopouli 1,2 Joint Research with Thomas Karagianis 3.

Multi-level Application-based Traffic Characterization in a Large-scale Wireless Network Maria Papadopouli 1,2 Joint Research with Thomas Karagianis 3.
NetQuest: A Flexible Framework for Internet Measurement Lili Qiu Joint work with Mike Dahlin, Harrick Vin, and Yin Zhang UT Austin.

NetQuest: A Flexible Framework for Internet Measurement Lili Qiu Joint work with Mike Dahlin, Harrick Vin, and Yin Zhang UT Austin.
1 GENI: Global Environment for Network Innovations Jennifer Rexford Princeton University

1 GENI: Global Environment for Network Innovations Jennifer Rexford Princeton University
Measurement in the Internet. Outline Internet topology Bandwidth estimation Tomography Workload characterization Routing dynamics.

Measurement in the Internet. Outline Internet topology Bandwidth estimation Tomography Workload characterization Routing dynamics.
Internet In A Slice Andy Bavier CS461 Lecture.

Internet In A Slice Andy Bavier CS461 Lecture.
Application Identification in Information-poor Environments Charalampos (Haris) Rotsos Computer Laboratory University of Cambridge

Application Identification in Information-poor Environments Charalampos (Haris) Rotsos Computer Laboratory University of Cambridge
Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao.

RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao.

Similar presentations

Ads by Google