Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unveiling Core Network-Wide Communication Patterns through Application Traffic Activity Graph Decomposition Yu Jin, Esam Sharafuddin, Zhi-Li Zhang SIGMETRICS.

Published byRichard Wheeler Modified over 9 years ago

Similar presentations

Presentation on theme: "Unveiling Core Network-Wide Communication Patterns through Application Traffic Activity Graph Decomposition Yu Jin, Esam Sharafuddin, Zhi-Li Zhang SIGMETRICS."— Presentation transcript:

1 Unveiling Core Network-Wide Communication Patterns through Application Traffic Activity Graph Decomposition Yu Jin, Esam Sharafuddin, Zhi-Li Zhang SIGMETRICS / Performance 2009 2009. 7. 8 Seokshin Son ssson@mmlab.snu.ac.kr

2 Methodology for network graph analysis Decompose the graph (extracting community structures or dense subgraphs) Interpretation and persistence of the subgraphs (identifying non- random substructures) Understanding the formation of network graphs and associated applications decomposition interpretable? persistent? 1. Characterizing the graph 2. Explain the graph formation 3. Applications 1 2 3 2/24

3 Outline Application traffic activity graph (TAG) Decomposing application traffic activity graphs Interpretation of TAG subgraphs Temporal properties of TAG subgraphs Applications Summary and General remarks 3/24

4 Application traffic activity graphs (TAG’s) Host-to-host communication involves various types of traffic. We study snapshots of network traffic to capture the temporal correlations. We detrend the data based on ports (applications) and create TAGs. Inside hosts are (likely) service requesters and outside hosts are service providers. TAG’s are bi-partite and the associated adjacency matrices are binary. UMN Internet T HTTP port 80/443 Email port 25/993 Gnutella port 6346/6348 4/24

5 Application traffic activity graphs (TAGs) and evolution HTTP 1K to 3KDNS 1K to 3KAOL IM 1K to 3KEmail 1K to 3K 5/24

6 Characteristics of TAGs We observe difference in terms of basic statistics, such as graph density, average in/out degree, etc. ALL TAGs contain giant connected component (GCC), which accounts for more than 85% of all the edges. 6/24

7 Outline Application traffic activity graph (TAG) Decomposing application traffic activity graphs Interpretation of TAG subgraphs Temporal properties of TAG subgraphs Applications Summary and General remarks 7/24

8 Dense subgraphs in TAGs Block structures in the adjacency matrices indicate dense subgraphs in TAGs Rotating rows and columns of corresponding adjacency matrices… 1 1 1 0 0 1 0 1 1 1 0 0 0 0 0 0 0 1 1 1 1 0 0 0 1 0 1 1 HTTP EmailAOL IM BitTorrentDNS 8/24

9 Extracting dense subgraphs Extracting dense subgraphs can be formulated as a co-clustering problem, i.e., cluster hosts into inside host groups and outside host groups, then extract pairs of groups with more edges connected (higher density). This co-clustering problem can be solved by tri-nonnegative matrix factorization algorithm, which minimizes: We use hard clustering setting by assigning each host to only one inside/outside group 9/24

10 Tri-nonnegative matrix factorization ≈ 1 0 0 … 0 0 1 0 … 0 … 0 0 0 … 1 1 1 1 0 0 … 0 0 0 0 1 1 … 0... 0 0 0 0 0 … 1 × × ≈ × × A R H C Adjacency matrix assoc. with TAG Row group membership Indicator matrix Proportional to the subgraph density matrix Column group membership Indicator matrix We identify dense subgraphs based on the large entries in H R is m-by-k, C is r-by-n, hence, the product is a low-rank approximation of A, with rank min(k, r) 10/24

11 Subgraph prototypes Recall inside (UMN) hosts are (likely) service requesters and outside hosts are service providers. Based on the number of inside/outside hosts in each subgraph, we propose three prototypes. In-starBi-meshOut-star One inside client accesses multiple outside servers Multiple inside client accesses one outside servers Multiple inside clients interacts with many outside servers 11/24

12 Characterizing TAGs with subgraph prototypes Different application TAGs contain different types of subgraphs We can distinguish and characterize applications based on the subgraph components What do these subgraphs mean? HTTP Email AOL IMBitTorrent DNS 12/24

13 Outline Application traffic activity graph (TAG) Decomposing application traffic activity graphs Interpretation of TAG subgraphs Temporal properties of TAG subgraphs Applications Summary and General remarks 13/24

14 Interpreting HTTP bi-mesh structures Most star structures are due to popular servers or active clients We can explain more than 80% of the HTTP bi- meshes identified in one day Server correlation driven –Server farms Lycos, Yahoo, Google –Correlated service providers CDN: LLNW, Akamai, SAVVIS, Level3 Advertising providers: DoubleClick, etc. User interests driven News: WashingtonPost, New York Times, Cnet Media: ImageShack, casalemedia, tl4s2 Online shopping: Ebay, Costco, Walmart Social network: Facebook, MySpace 14/24

15 How are the dense subgraphs connected? (A) Randomly connected stars (C) Pool (B) Tree: client/server dual role (D) Correlated pool 15/24

16 Outline Application traffic activity graph (TAG) Decomposing application traffic activity graphs Interpretation of TAG subgraphs Temporal properties of TAG subgraphs Applications Summary and General remarks 16/24

17 Evolution of HTTP TAGs The extracted dense subgraphs are assumed to be non-random (persistent) However, each subgraph may evolve over time with hosts leaving/joining the subgraph A “best effort” similarity metric: AS domain name IP = ? If the percentage of similar hosts (at certain level) is greater than η 17/24

18 Evolution of HTTP TAGs (2) TAGs are temporally stable at the Domain/AS level TAGs are transient at the host level 18/24

19 Evolution of HTTP TAGs (2) Subgraphs last from a few hours to a whole day Subgraphs become more similar during the day time 19/24

20 Outline Application traffic activity graph (TAG) Decomposing application traffic activity graphs Interpretation of TAG subgraphs Temporal properties of TAG subgraphs Applications Summary and General remarks 20/24

21 Application: Identifying unknown traffic Similarity of UDP port 4000 TAG subgraphs with subgraphs from messenger (chat) traffic AOL Messenger Yahoo! Messenger UDP port 4000 Best match 21/24

22 Application: Storm worm botnet analysis StormTypical P2P Storm worm botnet graph contains many bi-mesh structures, which differs significantly from typical p2p applications Bots query for supernodes Bots acquire commands from supernodes Spam campaign 22/24

23 Outline Application traffic activity graph (TAG) Decomposing application traffic activity graphs Interpretation of TAG subgraphs Temporal properties of TAG subgraphs Applications Summary and General Remarks 23/24

24 Summary and General Remarks Many network research questions can be formulated as “graph analysis” problem These graphs are mostly not random and have latent structures. We propose a co-clustering (tri-Nonnegative matrix factorization) based method for decomposing such graphs and reveal the community structures (dense subgraphs). Obtained subgraphs are meaningful and persistent, which help understand the formation of complicated communication graphs. We demonstrate various applications based on the decomposition results 24/24

25 Appendix 25

26 Characteristics of app. TAGs These statistics show difference between various app. TAGs It does not explain the formation of TAGs 26/24

27 TNMF algorithm related Iterative optimization algorithm Group density matrix derivation 27/24

28 Pratical issues of tNMF Selection of rank and density –Linear search of appropriate ranks –Edge coverage converges after proper chosen rank and density With the above rank selection method, we achieve stable subgraph decomposition results 28/24

29 Pratical issues of tNMF (2) Low convergence rate and local minima –We use SVD as an initialization approach for tNMF. –Multiple runs are applied when necessary and the result with the lowest relative square error (RSE) is selected. 29/24

30 Number of subgraphs over time 30/24

Download ppt "Unveiling Core Network-Wide Communication Patterns through Application Traffic Activity Graph Decomposition Yu Jin, Esam Sharafuddin, Zhi-Li Zhang SIGMETRICS."

Similar presentations

Google News Personalization: Scalable Online Collaborative Filtering

Google News Personalization: Scalable Online Collaborative Filtering
Active Learning for Streaming Networked Data Zhilin Yang, Jie Tang, Yutao Zhang Computer Science Department, Tsinghua University.

Active Learning for Streaming Networked Data Zhilin Yang, Jie Tang, Yutao Zhang Computer Science Department, Tsinghua University.
Community Detection with Edge Content in Social Media Networks Paper presented by Konstantinos Giannakopoulos.

Community Detection with Edge Content in Social Media Networks Paper presented by Konstantinos Giannakopoulos.
Experimental Design, Response Surface Analysis, and Optimization

Experimental Design, Response Surface Analysis, and Optimization
Dimensionality Reduction PCA -- SVD

Dimensionality Reduction PCA -- SVD
Online Social Networks and Media. Graph partitioning The general problem – Input: a graph G=(V,E) edge (u,v) denotes similarity between u and v weighted.

Online Social Networks and Media. Graph partitioning The general problem – Input: a graph G=(V,E) edge (u,v) denotes similarity between u and v weighted.
PCA + SVD.

PCA + SVD.
Social Media Mining Chapter 5 1 Chapter 5, Community Detection and Mining in Social Media. Lei Tang and Huan Liu, Morgan & Claypool, September, 2010.

Social Media Mining Chapter 5 1 Chapter 5, Community Detection and Mining in Social Media. Lei Tang and Huan Liu, Morgan & Claypool, September, 2010.
DSPIN: Detecting Automatically Spun Content on the Web Qing Zhang, David Y. Wang, Geoffrey M. Voelker University of California, San Diego 1.

DSPIN: Detecting Automatically Spun Content on the Web Qing Zhang, David Y. Wang, Geoffrey M. Voelker University of California, San Diego 1.
Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.
Author: Jie chen and Yousef Saad IEEE transactions of knowledge and data engineering.

Author: Jie chen and Yousef Saad IEEE transactions of knowledge and data engineering.
UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.

UNDERSTANDING VISIBLE AND LATENT INTERACTIONS IN ONLINE SOCIAL NETWORK Presented by: Nisha Ranga Under guidance of : Prof. Augustin Chaintreau.
Communities in Heterogeneous Networks Chapter 4 1 Chapter 4, Community Detection and Mining in Social Media. Lei Tang and Huan Liu, Morgan & Claypool,

Communities in Heterogeneous Networks Chapter 4 1 Chapter 4, Community Detection and Mining in Social Media. Lei Tang and Huan Liu, Morgan & Claypool,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Graph & BFS.

Graph & BFS.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
© University of Minnesota Data Mining for the Discovery of Ocean Climate Indices 1 CSci 8980: Data Mining (Fall 2002) Vipin Kumar Army High Performance.

© University of Minnesota Data Mining for the Discovery of Ocean Climate Indices 1 CSci 8980: Data Mining (Fall 2002) Vipin Kumar Army High Performance.
1 Latent Semantic Indexing Jieping Ye Department of Computer Science & Engineering Arizona State University

1 Latent Semantic Indexing Jieping Ye Department of Computer Science & Engineering Arizona State University
Cluster Analysis.  What is Cluster Analysis?  Types of Data in Cluster Analysis  A Categorization of Major Clustering Methods  Partitioning Methods.

Cluster Analysis.  What is Cluster Analysis?  Types of Data in Cluster Analysis  A Categorization of Major Clustering Methods  Partitioning Methods.
1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.

1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.

Similar presentations

Ads by Google