
DiFMon Distributed Flow Monitor Dario Salvi Consorzio Interuniversitario Nazionale per l’Informatica (CINI) Naples, Italy.




1 DiFMon Distributed Flow Monitor Dario Salvi Consorzio Interuniversitario Nazionale per l’Informatica (CINI) Naples, Italy

2
o Possible uses: traffic profiling, intrusion detection
o Context: Internet flow monitoring
o Contribution: development of distributed software for flow monitoring

3 Flows are defined by means of some properties applicable to packet headers, for example:
1. IP addresses (source and destination)
2. The 5-tuple (source address, destination address, source port, destination port, and protocol)
...and by means of a timeout.
The choice of the flow definition depends on the needs of the application which uses the monitoring data.

4 A Flow Monitor should:
1. Capture packets from the network
2. Associate a flow id to each packet on the basis of the chosen definition of flow
3. As a packet arrives, update the metrics of the flow which the packet belongs to
4. Keep in memory the metrics related to the "living" flows (not timed out) in data structures (flow records)
5. Save the computed metrics related to each timed out flow in order to make them available to the applications

5 Proposed architecture: Meter, Flow Cache (more than one can be deployed), Collector, Application
Meter:
1. Captures packets
2. Associates a flow id to the packet
Flow Cache:
1. Calculates the metrics at each packet arrival
2. Keeps in memory the metrics about each living flow
3. "Exports" timed out flows to the Collector
4. Exports some "interesting" living flows
Collector:
1. Keeps in memory the metrics related to timed out flows
2. Informs the application about some "interesting" living flows

6 The Flow Cache:
o It is the critical module: it must look up and update a flow record as each packet arrives (for this reason it is distributed)
o Packet multiplexing across Flow Caches is done by means of a hash function (mmh) computed on the flow id
o Metrics can be implemented in a flexible way through an API
o Ordering of flow records relies on the Least Recently Used algorithm (on the basis of the last access time)
o The flow record of a just-arrived packet will be positioned within the first elements of the queue with high probability (temporal locality properties, i.e. heavy-tailed distributions of the packet rates)
o LRU ordering allows an optimized search for timed out flows (starting from the tail of the queue and stopping when a not-timed-out flow is found)
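The following is an added example, not code from the DiFMon project, that works through slides 3 to 6 in Python: a 5-tuple flow id, hash-based multiplexing of packets across several Flow Caches, per-packet metric updates, an LRU-ordered record queue, and the timeout scan that starts from the tail and stops at the first live flow. The packet trace, the field names, the timeout value and the use of SHA-256 in place of the mmh hash are all assumptions made for this example.

```python
from collections import OrderedDict
from dataclasses import dataclass
import hashlib


@dataclass
class FlowRecord:
    """Metrics kept for one flow (packet and byte counters, first/last seen)."""
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def select_cache(fid, n_caches):
    """Multiplex a packet to one of n Flow Caches by hashing its flow id.
    The slides name mmh; SHA-256 stands in for it here (assumption)."""
    digest = hashlib.sha256(repr(fid).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_caches


class FlowCache:
    """Flow records ordered by last access: head = most recently used, tail = LRU."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.records = OrderedDict()

    def update(self, fid, length, now):
        """Step 3 of slide 4: update the metrics of the packet's flow and move it to the head."""
        rec = self.records.pop(fid, None)
        if rec is None:
            rec = FlowRecord(first_seen=now)
        rec.packets += 1
        rec.bytes += length
        rec.last_seen = now
        self.records[fid] = rec
        self.records.move_to_end(fid, last=False)  # most recently used goes to the head
        return rec

    def expire(self, now):
        """Scan from the tail (least recently used) and stop at the first live flow.
        Returns the timed out (fid, record) pairs in the order they were exported."""
        exported = []
        while self.records:
            fid = next(reversed(self.records))  # tail of the queue
            rec = self.records[fid]
            if now - rec.last_seen < self.timeout:
                break  # everything closer to the head was accessed even more recently
            self.records.popitem(last=True)
            exported.append((fid, rec))
        return exported


# Constructed packet trace: (time, src, dst, sport, dport, proto, length).
PACKETS = [
    (0.0, "10.0.0.1", "10.0.0.2", 40000, 80, 6, 60),
    (0.5, "10.0.0.1", "10.0.0.2", 40000, 80, 6, 1500),
    (1.0, "10.0.0.3", "10.0.0.2", 53000, 53, 17, 80),
    (1.2, "10.0.0.1", "10.0.0.2", 40000, 80, 6, 1500),
    (9.0, "10.0.0.3", "10.0.0.2", 53000, 53, 17, 120),
]


def run_demo(n_caches=2, timeout=5.0, now=10.0):
    """Feed the trace through n Flow Caches, then run the timeout scan at `now`.
    Returns ({exported fid: (packets, bytes)}, {live fid: (packets, bytes)})."""
    caches = [FlowCache(timeout) for _ in range(n_caches)]
    for t, src, dst, sport, dport, proto, length in PACKETS:
        fid = (src, dst, sport, dport, proto)  # slide 3: the 5-tuple flow id
        caches[select_cache(fid, n_caches)].update(fid, length, t)
    exported = {}
    for cache in caches:
        for fid, rec in cache.expire(now):
            exported[fid] = (rec.packets, rec.bytes)
    live = {fid: (rec.packets, rec.bytes)
            for cache in caches for fid, rec in cache.records.items()}
    return exported, live


if __name__ == "__main__":
    timed_out, still_live = run_demo()
    print("exported:", timed_out)
    print("live:", still_live)
```

With a 5 s timeout and the scan run at t = 10, the HTTP flow (last packet at t = 1.2) is exported with three packets and 3060 bytes, while the DNS flow (last packet at t = 9.0) stays in its cache. Because records are re-inserted at the head on every access, the tail scan never has to look past the first live record, which is what makes the expiry pass cheap regardless of how many live flows sit ahead of it.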

7 Some implementation details:
o Communication between the modules is done using UDP
o Flow control between modules is provided
o Programming language: C
o Operating system: Linux
o Used libraries: libpcap
o Software license: GPL
o Project location: SourceForge.net

8 The management protocol: the system must be reliable, robust and flexible. Some assumptions (modules: Meter, Flow Cache, Collector):
o The network connecting the system modules must be faster than the monitored network
o Modules can run on the same or on different machines
o The Meter must perform packet capturing within the packet interarrival time
o The Collector and the Meter use defined port numbers for signalling messages

9 Start and stop of the system (Meter, Flow Cache, Collector; signalling takes place either on the defined port number or on a dynamically chosen port number):
Starting: 1 – CONN Req, 2 – ACK, 3 – CONN Req, 4 – ACK, 5 – ACK, 6 – ACK
Stopping: 1 – END Req, 2 – END Req, 3 – Export, 4 – END Req, 5 – ACK, 6 – ACK

10 Steady state operation (on the defined port number or on a dynamically chosen port number):
Meter to Flow Cache: 1 – Captured Data, 2 – ACK
Flow Cache to Collector: 1 – Exporting Data, 2 – ACK

11 Aborting (from Flow Cache): ABORT messages are propagated in sequence (1 – ABORT, 2 – ABORT, 3 – ABORT) from the aborting Flow Cache to the Meter, the Collector and the other Flow Caches

12 Aborting (from Meter): ABORT messages are propagated in sequence (1 – ABORT, 2 – ABORT) from the Meter to the Flow Caches and the Collector

13 Aborting (from Collector): ABORT messages are propagated in sequence (1 – ABORT, 2 – ABORT) from the Collector to the Flow Caches and the Meter

14 Adding/removing a Flow Cache (on the defined port number or on a dynamically chosen port number):
Adding: 1 – CONN Req, 2 – ACK, 3 – CONN Req, 4 – ACK, 5 – ACK, 6 – ACK
Removing: 1 – DISCONN Req, 2 – ACK (towards the Meter and towards the Collector)

15 Crashes: Meter's crash, Collector's crash, Flow Cache's crash. Liveness is checked with 1 – ALIVE Req / 2 – ACK exchanges between the Meter and the Flow Cache and between the Collector and the Flow Cache

16 Conclusions / future work:
o The proposed protocol is scalable with respect to the increase in the number of flow caches and monitored networks.
o The system is suited to different contexts, such as security, traffic profiling or billing, where specific metrics are of interest.
o Benchmarking and robustness evaluation will be conducted.
o The LRU sorting algorithm will be compared with other ordering algorithms.
o We are currently working on the implementation of an intrusion detection system and a tool for traffic profiling based on the proposed monitoring architecture.
http://sourceforge.net/projects/difmon/
dsalvi@napoli.consorzio-cini.it

