Presentation is loading. Please wait.

Presentation is loading. Please wait.

AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego.

Published bySara Todd Modified over 9 years ago

Similar presentations

Presentation on theme: "AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego."— Presentation transcript:

1 AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego

2 October 2003AutoFocus - NANOG 292 Who is using my link?

3 October 2003AutoFocus - NANOG 293 Informal problem definition Gigabytes of measurement data Analysis Traffic reports Applications: 50% of traffic is Kazaa Sources: 20% is from Steve’s PC

4 October 2003AutoFocus - NANOG 294 Informal problem definition Gigabytes of measurement data 20% is Kazaa from Steve’s PC 50% is Kazaa from network A Analysis Traffic reports

5 October 2003AutoFocus - NANOG 295 AutoFocus: system structure Traffic parser Web based GUI Traffic analyzer Grapher (sampled) NetFlow data or Packet header traces categories names

6 October 2003AutoFocus - NANOG 296 System details l Availability u Downloadable u Free for educational, research and non-profit use l Requirements u Linux or BSD (might run on other Unix OSes) u 256 Megs of RAM at least u 1-10 gigabytes of hard disk (depends on traffic) u Recent Netscape, Mozilla or I.E. (Javascript) u Needs no web server – no server side scripting

7 October 2003AutoFocus - NANOG 297 Traffic analysis approach l Characterize traffic mix by describing all important traffic clusters u Multi-field clusters (e.g. flash crowd described by protocol, port number and IP address) u At the the right level of granularity (e.g. computer, proper prefix length) u Analysis is automated – finds insightful data without human guidance

8 October 2003AutoFocus - NANOG 298 Traffic clusters: example l Incoming web traffic for CS Dept. u SrcIP=*, u DestIP in 132.239.64.0/21, u Proto=TCP, u SrcPort=80, u DestPort in [1024,65535]

9 October 2003AutoFocus - NANOG 299 l Traffic reports automatically list significant traffic clusters l Describe only clusters above threshold (e.g. T=total of traffic/20) l Compression removes redundant clusters whose traffic can be inferred from more specific clusters Traffic report

10 October 2003AutoFocus - NANOG 2910 Automatic cluster selection 10.0.0.210.0.0.310.0.0.410.0.0.510.0.0.810.0.0.910.0.0.1010.0.0.14 153530 40 160110 35 75 10.0.0.2/3110.0.0.4/31 50 10.0.0.8/31 10.0.0. 10/31 702703575 10.0.0.0/3010.0.0.4/3010.0.0.8/30 753055070 10.0.0.0/2910.0.0.8/29 120380 10.0.0.0/28 500 10.0.0.14/31 10.0.0.12/30

11 October 2003AutoFocus - NANOG 2911 Automatic cluster selection 10.0.0.210.0.0.310.0.0.410.0.0.510.0.0.810.0.0.910.0.0.1010.0.0.14 153530 40 160110 35 75 10.0.0.2/3110.0.0.4/31 50 10.0.0.8/31 10.0.0. 10/31 702703575 10.0.0.0/3010.0.0.4/3010.0.0.8/30 753055070 10.0.0.0/2910.0.0.8/29 120380 10.0.0.0/28 500 120380 305 270 160110 Threshold=100 10.0.0.14/31 10.0.0.12/30

12 October 2003AutoFocus - NANOG 2912 270 120 500 305 380 160110 Automatic cluster selection 10.0.0.810.0.0.9 10.0.0.0/2910.0.0.8/29 10.0.0.8/31 10.0.0.8/30 10.0.0.0/28 120380 160110 Compression keeps interesting clusters by removing those that can be inferred from more specific ones 305-270<100 380-270≥100

13 October 2003AutoFocus - NANOG 2913 Single field report example Source IPTraffic pkts. 10.0.0.0/29120 10.0.0.8/29380 10.0.0.8160 10.0.0.9110 AutoFocus has both single field and multi-field traffic reports

14 October 2003AutoFocus - NANOG 2914 Graphical user interface l Web based interface l Many pre-computed traffic reports l Interactive drill-down l Traffic categories defined by user

15 October 2003AutoFocus - NANOG 2915 Traffic reports for weeks, days, three hour intervals and half hour intervals

16 October 2003AutoFocus - NANOG 2916 Traffic reports measure traffic in bytes, packets and flows, have various thresholds

17 October 2003AutoFocus - NANOG 2917 Single field report

18 October 2003AutoFocus - NANOG 2918

19 October 2003AutoFocus - NANOG 2919 Colors – user defined traffic categories Separate reports for each category

20 October 2003AutoFocus - NANOG 2920 The filter and threshold allow interactive drill-down

21 October 2003AutoFocus - NANOG 2921 The filter and threshold allow interactive drill-down

22 October 2003AutoFocus - NANOG 2922 The filter and threshold allow interactive drill-down

23 October 2003AutoFocus - NANOG 2923 Case study : SD-NAP l Structure of regular traffic mix u Backups from CAIDA to tape server u FTP from SLAC Stanford u Scripps web traffic u Web & Squid servers u Large ssh traffic u Steady ICMP probing from CAIDA l Unexpected events

24 October 2003AutoFocus - NANOG 2924 l Backups from CAIDA to tape server Structure of regular traffic mix SD-NAP

25 October 2003AutoFocus - NANOG 2925 l Backups from CAIDA to tape server u Semi-regular time pattern Structure of regular traffic mix SD-NAP

26 October 2003AutoFocus - NANOG 2926 l Steady ICMP probing from CAIDA Structure of regular traffic mix SD-NAP The flow view highlights different traffic clusters

27 October 2003AutoFocus - NANOG 2927 Analysis of unusual events l Sapphire/SQL Slammer worm u Find worm port & proto automatically

28 October 2003AutoFocus - NANOG 2928 Analysis of unusual events l Sapphire/SQL Slammer worm u Can identify infected hosts

29 October 2003AutoFocus - NANOG 2929 How can AutoFocus help you? l Understand your regular traffic mix better u Better planning of network growth u Better traffic policing l Understand unusual events u More effective reactions to worms, DoS attacks u Notice effects of route changes on traffic

30 October 2003AutoFocus - NANOG 2930 Benefits w.r.t. existing tools l Multi-field aggregation l Automatically finds right granularity l Drill-down u Per category reports u Using filter

31 October 2003AutoFocus - NANOG 2931 Thank you! Beta version of AutoFocus downloadable from http://ial.ucsd.edu/AutoFocus/ Any questions? Acknowledgements: Stefan Savage, George Varghese, Vern Paxson, David Moore, Liliana Estan, Mike Hunter, Pat Wilson, Jennifer Rexford, K Claffy, Alex Snoeren, Geoff Voelker, NIST,NSF

32 October 2003AutoFocus - NANOG 2932

33 October 2003AutoFocus - NANOG 2933 Definition: unexpectedness l To highlight non-obvious traffic clusters by using unexpectedness label u 50% of all traffic is web u Prefix B receives 20% of all traffic u The web traffic received by prefix B is 15% instead of 50%*20%=10%, unexpectedness label is 15%/10%=150%

Download ppt "AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego."

Similar presentations

Bitmap algorithms for flow counting – Internet Measurement Conference, October 2003 Bitmap Algorithms for Counting Active Flows on High Speed Links Cristian.

Bitmap algorithms for flow counting – Internet Measurement Conference, October 2003 Bitmap Algorithms for Counting Active Flows on High Speed Links Cristian.
Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.

Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
FlowScan at the University of Wisconsin-Madison Copyright Dave Plonka and Perry Brunelli, 2001. This work is the intellectual property of the authors.

FlowScan at the University of Wisconsin-Madison Copyright Dave Plonka and Perry Brunelli, This work is the intellectual property of the authors.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Copyright © 2005 Department of Computer Science CPSC 641 Winter 20111 WAN Traffic Measurements There have been several studies of wide area network traffic.

Copyright © 2005 Department of Computer Science CPSC 641 Winter WAN Traffic Measurements There have been several studies of wide area network traffic.
Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.

Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.
The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.

The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Controlling High Bandwidth Aggregates in the Network.

1 Controlling High Bandwidth Aggregates in the Network.
11 Diagnosing and improving 802.11 Wireless Networks Patrick Verkaik Mikhail Afanasyev Yuvraj Agarwal Yu-Chung Cheng Stefan Savage Alex C. Snoeren Geoffrey.

11 Diagnosing and improving Wireless Networks Patrick Verkaik Mikhail Afanasyev Yuvraj Agarwal Yu-Chung Cheng Stefan Savage Alex C. Snoeren Geoffrey.
Copyright © 2005 Department of Computer Science CPSC 641 Winter 20111 Network Traffic Measurement A focus of networking research for 20+ years Collect.

Copyright © 2005 Department of Computer Science CPSC 641 Winter Network Traffic Measurement A focus of networking research for 20+ years Collect.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
1 WAN Measurements Carey Williamson Department of Computer Science University of Calgary.

1 WAN Measurements Carey Williamson Department of Computer Science University of Calgary.
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems

Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.

Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm Authors: Michael Vrable, Justin Ma, Jay chen, David Moore, Erik Vandekieft, Alex.
Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage Presenter: Martin Krogel.

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage Presenter: Martin Krogel.
A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Summer, 2002.

A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Summer, 2002.

Similar presentations

Ads by Google