Presentation is loading. Please wait.

Presentation is loading. Please wait.

Traffic Classification through Simple Statistical Fingerprinting M. Crotti, M. Dusi, F. Gringoli, L. Salgarelli ACM SIGCOMM Computer Communication Review,

Published byAlban Douglas Modified over 9 years ago

Similar presentations

Presentation on theme: "Traffic Classification through Simple Statistical Fingerprinting M. Crotti, M. Dusi, F. Gringoli, L. Salgarelli ACM SIGCOMM Computer Communication Review,"— Presentation transcript:

1 Traffic Classification through Simple Statistical Fingerprinting M. Crotti, M. Dusi, F. Gringoli, L. Salgarelli ACM SIGCOMM Computer Communication Review, 2007 Networking Journal Club 9th July 2010

2 1 Outline 1.Introduction 2.(Related Work) 3.Protocol Fingerprints 4.Classification Algorithm 5.Experimental Analysis 6.Discussion 7.Future work and Conclusions

3 2 Introduction  Motivation: Traffic classification: Allocation, control and management of resources Intrusion detection QoS-aware mechanisms …  Methods: Port-based DPI …

4 3 Protocol Fingerprints  TCP flows (HTTP, SMTP, SSH, …)  Unidirectional  Statistical properties of the flows: Size of packets Inter-arrival times Order of arrivals  PDF i : Probability density function of packet i-th on the plane (size,interarrival)  PDF: vector of L PDF i

5 4 Protocol Fingerprints  Anomaly score: “how statistically far” an unknown flow F is from a given protocol PDF  To smooth PDF i use Gaussian filter: M i  Preliminary anomaly score:  Anomaly score:  Anomaly threshold: upper bound of the anomaly score to be considered of this protocol

6 5 Classification algorithm

7 6 a.Collect traffic traces (training set) b.Pre-classify traces (the accuracy of the tool is critical) c.Build protocol fingerprints d.Start the classification engine e.Periodically, update the fingerprints  Low computational load

8 7 Experimental Analysis  Traffic traces collected in campus: 24 Mbps link  >60% TCP port: 80, 110, 25  >40GB, 20K flows, of HTTP, POP3, SMTP  Performance parameters: Hit rate False positive rate  4 th packet

9 8 Sensitivity to parameters

10 9 Discussion  Accuracy of training sets  Complexity of the technique  Fclient or Fserver? Where’s the classifier?  On the precision of the measuring devices

11 10 Future Work  Application to a larger data set: VoIP, P2P…  Behavior in different networks  How does the classifier respond to imprecise training set?  Complexity of the algorithm: memory occupation amenability to HW-assisted implementation computational costs of the training phase

Download ppt "Traffic Classification through Simple Statistical Fingerprinting M. Crotti, M. Dusi, F. Gringoli, L. Salgarelli ACM SIGCOMM Computer Communication Review,"

Similar presentations

Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.

Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.

URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.

Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.
Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN 47907

Decision Trees for Server Flow Authentication James P. Early and Carla E. Brodley Purdue University West Lafayette, IN 47907
The testbed environment for this research to generate real-world Skype behaviors for analyzation is as follows: A NAT-ed LAN consisting of 7 machines running.

The testbed environment for this research to generate real-world Skype behaviors for analyzation is as follows: A NAT-ed LAN consisting of 7 machines running.
The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)

The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)
The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP 2001 1.

The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP
Detecting P2P Traffic from the P2P Flow Graph Jonghyun Kim Khushboo Shah Stephen Bohacek Electrical and Computer Engineering.

Detecting P2P Traffic from the P2P Flow Graph Jonghyun Kim Khushboo Shah Stephen Bohacek Electrical and Computer Engineering.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.
Controlling High- Bandwidth Flows at the Congested Router Ratul Mahajan, Sally Floyd, David Wetherall AT&T Center for Internet Research at ICSI (ACIRI)

Controlling High- Bandwidth Flows at the Congested Router Ratul Mahajan, Sally Floyd, David Wetherall AT&T Center for Internet Research at ICSI (ACIRI)
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
PBS: Periodic Behavioral Spectrum of P2P Applications Tom Z.J. Fu, Yan Hu, Xingang Shi, Dah Ming Chiu and John C.S. Lui The Chinese University of Hong.

PBS: Periodic Behavioral Spectrum of P2P Applications Tom Z.J. Fu, Yan Hu, Xingang Shi, Dah Ming Chiu and John C.S. Lui The Chinese University of Hong.
On the Difficulty of Scalably Detecting Network Attacks Kirill Levchenko with Ramamohan Paturi and George Varghese.

On the Difficulty of Scalably Detecting Network Attacks Kirill Levchenko with Ramamohan Paturi and George Varghese.
A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.

A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.
Diffusion Mechanisms for Active Queue Management Department of Electrical and Computer Engineering University of Delaware Aug 19th / 2004 Rafael Nunez.

Diffusion Mechanisms for Active Queue Management Department of Electrical and Computer Engineering University of Delaware Aug 19th / 2004 Rafael Nunez.
Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Similar presentations

Ads by Google