1 Advanced Broadband Communications Center (CCABA), Universitat Politècnica de Catalunya (UPC)
SMARTxAC: A Passive Monitoring and Analysis System for High-Speed Networks
TERENA Networking Conference 2006
Pere Barlet-Ros, Josep Solé-Pareta, Javier Barrantes, Eva Codina, Jordi Domingo-Pascual
{pbarlet, pareta, jbarranp, ecodina, jordid}@ac.upc.edu
http://www.ccaba.upc.edu/smartxac
Acknowledgment: This work has been partially supported by CESCA (SMARTxAC agreement) and the Spanish MEC (ref. TSI2005-07520-C03-02)

2 SMARTxAC
SMARTxAC: Traffic Monitoring and Analysis System for the Anella Científica
- Operative since July 2003
- Developed under a collaboration agreement CESCA-UPC
- Tailor-made traffic monitoring system for the Anella Científica
Main objectives
- Low-cost platform
- Continuous monitoring of high-speed links without packet loss
- Detection of network anomalies and irregular usage
- Multi-user system: network operators and institutions
Measurement of two full-duplex GigE links
- Connection between Anella Científica and RedIRIS
- Current load: ≈ 1.5 Gbps / ≈ 270 Kpps

3 Anella Científica (network map): measurement point, 2 x GigE full-duplex

4 Daily Network Usage

5 System Architecture
Monitoring high-speed links is challenging
- Collection of Gbps and storage of terabytes of data per day
- Limitations of current technology: CPU power, memory access speeds, bus and disk bandwidth, storage capacity, etc.
Tailor-made system divided according to real-time constraints and running on different computers
- Capture System (severe real-time constraints)
- Traffic Analysis System (soft real-time constraints)
- Result Visualization System (user driven)
Data reduction: early discard of unnecessary information
- Improve performance
- Reduce storage requirements

6 Measurement Scenario (diagram): the Capture System (DAG 4.3GE + GPS, capture interfaces dag0 and dag1), the Traffic Analysis System (Linux) and the Result Visualization System sit on a private management network. The measured links are the 2 x 2 Gbps Internet connection between the Cisco 6513 (Anella Científica) and the Juniper M-20 (RedIRIS) in Madrid; RedIRIS in turn connects to other regional nodes, ESPANIX, GÉANT and the global Internet.

7 Capture System
Capture hardware
- Intel Xeon 2.4 GHz + 1 GB RAM
- 2 x Endace DAG 4.3GE
- 4 x optical splitters
- Precise timestamping using GPS (Trimble Acutime 2000)
Capture software
- Multi-threaded implementation
- Collection of packet headers without loss (no sampling)
- 5-tuple flow aggregation
- Aggregated flows are sent to the Analysis System
Data reduction
- Header collection: ≈ 1:10 (90 GB/min -> 9 GB/min)
- Flow aggregation: ≈ 1:200 (45 GB/5 min -> 200 MB/5 min)
- Some data is kept to analyze anomalies (window of ≈ 20 GB)


9 Traffic Analysis System
Analysis hardware
- Pentium IV 2.6 GHz + 1 GB RAM
Analysis software
- Aggregation of 5-tuple flows into classified flows
  - Origins: institutions (also network access points)
  - Destinations: external networks RedIRIS is connected to
  - Bidirectional aggregation
- This classification can be useful for charging/cost-sharing
Data reduction
- Classified flows: > 1:1000 (≈ 60 GB/day -> ≈ 50 MB/day)
- Compared with header traces: > 1:250000 (≈ 13 TB/day)
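The two aggregation stages described on slides 7 and 9 (5-tuple flows in the capture system, then bidirectional institution/external-network flows in the analysis system) are illustrated by this added Python example; it is not SMARTxAC code, and the packet headers, institution prefixes and external-network prefixes are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed packet headers: (timestamp, src, dst, proto, sport, dport, bytes).
PACKETS = [
    (0.0, "10.1.0.5", "192.0.2.10", 6, 40001, 80, 60),
    (0.1, "10.1.0.5", "192.0.2.10", 6, 40001, 80, 1500),
    (0.2, "192.0.2.10", "10.1.0.5", 6, 80, 40001, 1500),
    (0.3, "10.2.0.7", "198.51.100.9", 17, 5353, 53, 90),
    (0.4, "10.1.0.8", "192.0.2.44", 6, 40002, 443, 60),
]

# Hypothetical prefix tables: institutions behind the measurement point and
# the external networks reachable through RedIRIS.
INSTITUTIONS = {ip_network("10.1.0.0/16"): "inst-A", ip_network("10.2.0.0/16"): "inst-B"}
EXTERNAL = {ip_network("192.0.2.0/24"): "net-X", ip_network("198.51.100.0/24"): "net-Y"}

def aggregate_5tuple(packets):
    """Capture-system stage: fold headers into 5-tuple flows -> (packets, bytes)."""
    flows = defaultdict(lambda: [0, 0])
    for _ts, src, dst, proto, sport, dport, nbytes in packets:
        entry = flows[(src, dst, proto, sport, dport)]
        entry[0] += 1
        entry[1] += nbytes
    return {key: tuple(counters) for key, counters in flows.items()}

def lookup(table, addr):
    """Longest-prefix lookup is not needed here: the constructed prefixes do not overlap."""
    ip = ip_address(addr)
    return next((name for net, name in table.items() if ip in net), None)

def classify(flows):
    """Analysis-system stage: fold 5-tuple flows into one bidirectional record per
    (institution, external network), keeping separate counters per direction."""
    records = defaultdict(lambda: {"out_pkts": 0, "out_bytes": 0, "in_pkts": 0, "in_bytes": 0})
    for (src, dst, _proto, _sport, _dport), (pkts, nbytes) in flows.items():
        inst, ext, direction = lookup(INSTITUTIONS, src), lookup(EXTERNAL, dst), "out"
        if inst is None:  # try the reverse direction: external network -> institution
            inst, ext, direction = lookup(INSTITUTIONS, dst), lookup(EXTERNAL, src), "in"
        if inst is None or ext is None:
            continue  # neither endpoint is a known institution: discard early (data reduction)
        rec = records[(inst, ext)]
        rec[direction + "_pkts"] += pkts
        rec[direction + "_bytes"] += nbytes
    return dict(records)

def reduction_ratio(packets, records):
    """Packets seen per record kept; the slides report > 1:1000 for classified flows."""
    return len(packets) / len(records)
```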


11 Result Visualization System
Hardware
- Pentium III 450 MHz
Software
- Web-based graphical interface
- Institutions only have access to their own statistics
- Graphs are generated on demand
Available graphs
- More than 300 combinations of graphs per institution and day
- Statistics are updated every 5 minutes
- Also weekly, monthly and yearly reports

12 Use case 1: Port Scanning Traffic profile per application (bps)

13 Use case 1: Port Scanning Traffic profile per application (flows/s)

14 Use case 1: Port Scanning
Destination port: MySQL (tcp/3306)

SRC IP      DST IP       SRC PORT  DST PORT
A.B.44.149  C.D.120.253  2153      3306
A.B.45.75   E.F.60.108   2526      3306
A.B.44.149  C.D.206.188  1907      3306
A.B.44.149  C.D.127.4    3694      3306
A.B.44.149  C.D.155.64   3525      3306
A.B.44.149  C.D.183.124  3353      3306
A.B.44.149  C.D.192.56   1891      3306
A.B.45.75   E.F.46.180   2672      3306
A.B.44.149  C.D.220.116  1719      3306
A.B.45.75   E.F.63.23    3212      3306
A.B.45.75   E.F.24.241   4415      3306
A.B.44.149  C.D.151.228  2667      3306
A.B.45.75   E.F.73.115   2201      3306
A.B.44.149  C.D.123.168  2833      3306
A.B.45.75   E.F.16.126   2239      3306
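An added Python example (not SMARTxAC code) of the check an operator runs over a flow table like this one: a single source contacting many distinct hosts on one service port inside the 5-minute window, which is what makes the scan visible in the flows/s profile. The records are transcribed from the slide with its anonymised prefixes; the minimum-target threshold is an assumption.

```python
from collections import defaultdict

# Flow records from the slide (anonymised prefixes kept as printed), transcribed
# here as sample input: (src, dst, sport, dport).
FLOWS = [
    ("A.B.44.149", "C.D.120.253", 2153, 3306), ("A.B.45.75", "E.F.60.108", 2526, 3306),
    ("A.B.44.149", "C.D.206.188", 1907, 3306), ("A.B.44.149", "C.D.127.4", 3694, 3306),
    ("A.B.44.149", "C.D.155.64", 3525, 3306), ("A.B.44.149", "C.D.183.124", 3353, 3306),
    ("A.B.44.149", "C.D.192.56", 1891, 3306), ("A.B.45.75", "E.F.46.180", 2672, 3306),
    ("A.B.44.149", "C.D.220.116", 1719, 3306), ("A.B.45.75", "E.F.63.23", 3212, 3306),
    ("A.B.45.75", "E.F.24.241", 4415, 3306), ("A.B.44.149", "C.D.151.228", 2667, 3306),
    ("A.B.45.75", "E.F.73.115", 2201, 3306), ("A.B.44.149", "C.D.123.168", 2833, 3306),
    ("A.B.45.75", "E.F.16.126", 2239, 3306),
]

def scan_candidates(flows, min_targets=5):
    """Return {(src, dport): distinct_destinations} for each source that contacted at
    least `min_targets` different hosts on the same service port in the window.
    Every probe is its own short 5-tuple flow, so the flow count climbs while the
    byte count barely moves; min_targets is an assumed operator-chosen cut-off."""
    targets = defaultdict(set)
    for src, dst, _sport, dport in flows:
        targets[(src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}

def flows_per_target(flows):
    """Mean flows per (src, dport, dst): close to 1.0 means one-off probes, not sessions."""
    per_triple = defaultdict(int)
    for src, dst, _sport, dport in flows:
        per_triple[(src, dport, dst)] += 1
    return sum(per_triple.values()) / len(per_triple)
```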

15 Use case 2: Warez Server Traffic profile per application (bps)

16 Use case 2: Warez Server Top-10 (bytes)

17 Use case 3: Denial-of-Service Traffic profile per application (bps)

18 Anomaly Detection
Threshold-based anomaly detection
- An upper and a lower traffic threshold can be set per institution
- Thresholds: bits/sec, packets/sec and flows/sec
- Different intervals: day/night and workday/weekend
- Once an anomaly is detected, additional information is kept
  - The additional information can be reviewed later offline
Profile-based anomaly detection (work in progress)
- Time-series prediction (adaptive linear filter)
- The "ordinary" traffic profile does not need to be known in advance
- Anomalies are detected when the actual traffic differs from its predicted value
- Thresholds mitigate the limitations of adaptive prediction with long-term anomalies
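Both detectors on this slide in one added Python example (not SMARTxAC code): per-interval thresholds and an NLMS adaptive linear predictor, run over a constructed series of 5-minute samples. The sample values, the thresholds, the 08:00 to 20:00 day window and the start time are assumptions; the series also shows the slide's last point, since the adaptive predictor absorbs a sustained flood within a few samples while the threshold keeps flagging it.

```python
from datetime import datetime, timedelta

# Constructed 5-minute samples of one institution's traffic in Mbps: a flat
# 1500 Mbps baseline for 20 samples, then a sustained 6000 Mbps flood.
SERIES = [1500.0] * 20 + [6000.0] * 10
START = datetime(2006, 5, 15, 9, 0)  # assumed start: a Monday at 09:00

# Hypothetical per-institution (lower, upper) thresholds in Mbps per interval.
THRESHOLDS = {("workday", "day"): (100, 4000), ("workday", "night"): (20, 2500),
              ("weekend", "day"): (50, 2500), ("weekend", "night"): (10, 2000)}

def interval(ts, day_hours=(8, 20)):
    """Map a timestamp to the (workday/weekend, day/night) threshold interval."""
    kind = "weekend" if ts.weekday() >= 5 else "workday"
    tod = "day" if day_hours[0] <= ts.hour < day_hours[1] else "night"
    return kind, tod

def threshold_anomalies(series, start=START, step=timedelta(minutes=5), thresholds=THRESHOLDS):
    """Threshold-based: flag every sample outside the band of its own interval."""
    flags = []
    for i, value in enumerate(series):
        lo, hi = thresholds[interval(start + i * step)]
        if value < lo or value > hi:
            flags.append(i)
    return flags

def nlms_predict(series, order=4, mu=1.0, eps=1e-9):
    """Normalised LMS one-step predictor: predict x[t] from the previous `order`
    samples, then adapt the weights with the error. Returns predictions for t >= order.
    Nothing about the 'ordinary' profile is configured; the filter learns it online."""
    w = [0.0] * order
    preds = []
    for t in range(order, len(series)):
        window = series[t - order:t]
        pred = sum(wi * xi for wi, xi in zip(w, window))
        err = series[t] - pred
        norm = eps + sum(xi * xi for xi in window)
        w = [wi + mu * err * xi / norm for wi, xi in zip(w, window)]
        preds.append(pred)
    return preds

def profile_anomalies(series, rel_dev=0.5, order=4, warmup=8):
    """Profile-based: flag samples that deviate from their prediction by more than
    rel_dev (relative to the prediction), after a warm-up while the filter converges."""
    preds = nlms_predict(series, order)
    return [order + i for i, pred in enumerate(preds)
            if i >= warmup and abs(series[order + i] - pred) > rel_dev * max(abs(pred), 1.0)]
```

Running both over SERIES, the threshold detector flags every flood sample, whereas the profile detector flags the onset and then adapts to the new level, which is the limitation the thresholds cover.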

19 Identification of Network Applications
Traffic classification in SMARTxAC is based on port numbers
- Port-based classification is no longer reliable
- P2P, dynamic ports, tunnelling, web-based services, ...
We are developing a classification method based on machine learning techniques
- It learns features of traffic flows that identify a given application
- Packet payloads are only needed in the training phase
- Once the system is trained, only packet headers are needed

20 Preliminary Results (Accuracy)

21 Port-based vs. Machine Learning (chart comparing port-based and machine-learning classification)

22 Conclusions
SMARTxAC is a tailor-made network monitoring system that
- Operates at gigabit speeds without packet loss
- Is relatively low-cost
- Provides very detailed information about the network usage
- Is a multi-user system: network operators and institutions
Since 2003, SMARTxAC has been used daily by CESCA to detect anomalies, attacks, performance problems, network faults, etc.
Future work
- Anomaly detection and application identification
- Sampling, IPv6 support, ...
- Deployment of more measurement points in the Anella Científica
- Release of the source code under an open-source license
- Collaboration with Intel's CoMo: http://como.intel-research.net
