Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University."— Presentation transcript:

1 Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University Narus Inc. http://networks.cs.northwestern.edu http://www.narus.com

2

3 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 3 Introduction Can we use Google for networking research? Can we systematically exploit search engines to harvest endpoint information available on the Internet? Huge amount of endpoint information available on the web

4 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 4 Websites run logging software and display statistics Some popular proxy services also display logs Popular servers (e.g., gaming) IP addresses are listed Blacklists, banlists, spamlists also have web interfaces Even P2P information is available on the Internet since the first point of contact with a P2P swarm is a publicly available IP address Where Does the Information Come From? Servers Clients P2P Malicious

5 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) Problem – detecting active IP ranges Needed for large-scale measurements –e.g., Iplane [OSDI’06] Current approaches –Active –Passive Our approach –IP addresses that generate hits on Google could suggest active ranges 5 Inferring Active IP Ranges in Target Networks

6 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 6 Can we infer what applications people are using across the world without having access to network traces? Can we infer what applications people are using across the world without having access to network traces? Detecting Application Usage Trends

7 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 7 Traffic Classification Problem – traffic classification Current approaches (port-based, payload signatures, numerical and statistical etc.) Our approach –Use information about destination IP addresses available on the Internet

8 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) URL Hit text URL Hit text URL Hit text …. Rapid Match Domain name Keywords Domain name Keywords …. IP tagging IP Address xxx.xxx.xxx.xxx Website cache Search hits 8 58.61.33.40 – QQ Chat Server Methodology – Web Classifier and IP Tagging

9 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 9 China ● Packet level traces available Brasil ● Packet level traces available United States ● Sampled NetFlow available France ● No traces available Evaluation – Ground Truth

10 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 10 Inferring Active IP Ranges in Target Networks

11 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 11 Google hits XXX.163.0.0/17 network range Overlap is around 77% XXX.163.0.0/17 network range Overlap is around 77% Inferring Active IP Ranges in Target Networks Actual endpoints from trace

12 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 12 Application Usage Trends

13 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 13 Correlation Between Network Traces and UEP

14 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 14 Traffic Classification

15 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) Is this scalable? 15 165.124.182.169 Tagged IP Cache Traffic Classification Mail server 193.226.5.150Website 68.87.195.25Router 186.25.13.24Halo server Hold a small % of the IP addresses seen Look at source and destination IP addresses and classify traffic

16 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 16 5% of the destinations sink 95% of traffic Traffic Classification

17 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) UEP (SIGCOMM 2008) - Uses information available on the web - Constructs a semantically rich endpoint database - Very flexible (can be used in a variety of scenarios) 17 BLINC vs. UEP BLINC (SIGCOMM 2005) - Works “in the dark” (doesn’t examine payload) - Uses “graphlets” to identify traffic patterns - Uses thresholds to further classify traffic

18 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) Traffic[%] BLINC doesn’t find some categories UEP also provides better semantics Classes can be further divided into different services UEP also provides better semantics Classes can be further divided into different services UEP classifies twice as much traffic as BLINC 18 BLINC vs. UEP (cont.)

19 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 19 Each packet has a 1/Sampling rate chance of being kept (Cisco Netflow) Sampled data is considered to be poorer in information However ISPs consider scalable to gather only sampled data Working with Sampled Traffic XX XX XX XX

20 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) A quarter of the IP addresses still in the trace at sampling rate 100 Most of the popular IP addresses still in the trace 20 Working with Sampled Traffic

21 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) When no sampling is done UEP outperforms BLINC UEP maintains a large classification ratio even at higher sampling rates BLINC stays in the dark 2% at sampling rate 100 UEP retains high classification capabilities with sampled traffic UEP retains high classification capabilities with sampled traffic 21 Working with Sampled Traffic

22 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) Performed clustering of endpoints in order to cluster out common behavior Please see the paper for detailed results 22 Endpoint Clustering Real strength: We managed to achieve similar results both by using the trace and only by using UEP Real strength: We managed to achieve similar results both by using the trace and only by using UEP

23 I. Trestian Unconstrained Endpoint Profiling (Googling the Internet) 23 Key contribution: –Shift research focus from mining operational network traces to harnessing information that is already available on the web Our approach can: –Predict application and protocol usage trends in arbitrary networks –Dramatically outperform classification tools –Retain high classification capabilities when dealing with sampled data Conclusions

Download ppt "Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Google-based Traffic Classification Aleksandar Kuzmanovic Northwestern University IEEE Computer Communications Workshop (CCW 08) October 23, 2008

Google-based Traffic Classification Aleksandar Kuzmanovic Northwestern University IEEE Computer Communications Workshop (CCW 08) October 23, 2008
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Taming User-Generated Content in Mobile Networks via Drop Zones Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Taming User-Generated Content in Mobile Networks via Drop Zones Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Measuring Serendipity: Connecting People, Locations and Interests in a Mobile 3G Network Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio.

Measuring Serendipity: Connecting People, Locations and Interests in a Mobile 3G Network Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
G-RCA: A Generic Root Cause Analysis Platform for Service Quality Management in Large IP Networks He Yan, Lee Breslau, Zihui Ge, Dan Massey, Dan Pei, Jennifer.

G-RCA: A Generic Root Cause Analysis Platform for Service Quality Management in Large IP Networks He Yan, Lee Breslau, Zihui Ge, Dan Massey, Dan Pei, Jennifer.
Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.
Chapter 12: Web Usage Mining - An introduction

Chapter 12: Web Usage Mining - An introduction
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Multi-level Application-based Traffic Characterization in a Large-scale Wireless Network Maria Papadopouli 1,2 Joint Research with Thomas Karagianis 3.

Multi-level Application-based Traffic Characterization in a Large-scale Wireless Network Maria Papadopouli 1,2 Joint Research with Thomas Karagianis 3.
CSCI 4550/8556 Computer Networks Comer, Chapter 3: Network Programming and Applications.

CSCI 4550/8556 Computer Networks Comer, Chapter 3: Network Programming and Applications.
Efficient Content Location Using Interest-based Locality in Peer-to-Peer Systems Presented by: Lin Wing Kai.

Efficient Content Location Using Interest-based Locality in Peer-to-Peer Systems Presented by: Lin Wing Kai.
Internet Cache Pollution Attacks and Countermeasures Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen Electrical Engineering and Computer Science.

Internet Cache Pollution Attacks and Countermeasures Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen Electrical Engineering and Computer Science.
Countering Large-Scale Internet Pollution and Poisoning Aleksandar Kuzmanovic Northwestern University

Countering Large-Scale Internet Pollution and Poisoning Aleksandar Kuzmanovic Northwestern University
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.
Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas,

Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas,

Similar presentations

Ads by Google