a case for packet sampling a case for packet sampling
play

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, - PowerPoint PPT Presentation

Oct 07, 2022 •328 likes •448 views

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence Center for Autonomic Networking Technologies Motivation: FloCon FloCon 2005 2005 Motivation: FloCon05 participants: We dont believe in

  1. A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence Center for Autonomic Networking Technologies

  2. Motivation: FloCon FloCon 2005 2005 Motivation: FloCon05 participants: “We don’t believe in Sampling” � Happy to use flow data � Very skeptical to packet sampling FloCon 2006 Panel 2

  3. The Problem: Limited Resources The Problem: Limited Resources � Full packet capture at each node not feasible – Increasing data rates – Hardware costs Additional CPU load for running NetFlow on different routers* – Privacy concerns � Resources are limited – Storage – Processing – Transmission We cannot measure everything *source: NetFlow Performance Analysis, Cisco white paper http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/ntfo_wpa.jpg FloCon 2006 Panel 3

  4. Solution1: Flow Data Solution1: Flow Data � Grouping of packets into flows (classification) � Reporting of flow information only � Disadvantages: – Per-packet information is lost – Information and effort depends on flow definition Flow Info: 5x 2x 1x Record Generation Classification FloCon 2006 Panel 4

  5. Flow Data Generation Flow Data Generation Traffic Mix: Traffic Mix: <s 1 , t 1 , c 1 >, <s 2 , t 2 , c 2 >, ... <s N , t N , c N > <s 1 , t 1 , c 1 >, <s 2 , t 2 , c 2 >, ... <s N , t N , c N > Classification Classification Flows: Flows: FlowID 1: FlowID 1: FlowID 2: FlowID 2: FlowID 3: FlowID 3: <s 1 , t 1 , c 1 > <s 1 , t 1 , c 1 > <s 2 , t 2 , c 2 > <s 2 , t 2 , c 2 > <s 5 , t 5 , c 5 > <s 5 , t 5 , c 5 > <s 4 , t 4 , c 4 > <s 4 , t 4 , c 4 > <s 3 , t 3 , c 3 > <s 3 , t 3 , c 3 > <s 7 , t 7 , c 7 > <s 7 , t 7 , c 7 > <s 8 , t 8 , c 8 > <s 8 , t 8 , c 8 > <s 6 , t 6 , c 6 > <s 6 , t 6 , c 6 > <s 9 , t 9 , c 9 > <s 9 , t 9 , c 9 > Record Record Record Aggregation Aggregation Aggregation Aggregation Aggregation Aggregation Generation Generation Generation Flow Characteristics: Flow Characteristics: <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > � Information about packets is discarded � Available information depends on – Flow definition – Flow characteristics that are reported FloCon 2006 Panel 5

  6. Solution2: Packet Sampling Solution2: Packet Sampling � Random Selection of some packets – Report parts or full packet information – Estimation of metrics based on sample � Provides different viewpoint – Packet data can reveal further information – Sampled data sufficient for some metrics � Helps to protect measurement infrastructure during attack Packet Inspection Sampling FloCon 2006 Panel 6

  7. Sampling: State of Art Sampling: State of Art attack detection as protect infrastructure target application First Sampling sFlow Workshop DDos detection IPFIX PSAMP 2005 [RFC3176] flow volume stratified adaptive sample+hold [Zseb05] [EsKM04] [EsVa01] load change detection SLA/QoS (trajectory) ATM hash emulation proportion stratified [DuGr00] [NiMD04], [MoND05] [CoGi98] [Zseb02] [Zseb03] anomaly detection with hypothesis testing total volume flow sampling adaptive time vs. count [DuLT01] [ChPZ02] [ClPB93] packet-count per flow 2-run adaptive [KoLM04] [JePP92] [DrCh98] packet-count [AmCa89] 1990 1995 2000 2001 2002 2003 2004 2005 FloCon 2006 Panel 7

  8. Packet Sampling Packet Sampling Real metric substituted by estimate � Accuracy statement is essential Accuracy depends on – Sampling scheme – Estimation method – Position of sampling process in measurement sequence – Population characteristics (e.g. variance of metric of interest) FloCon 2006 Panel 8

  9. A Simple Example A Simple Example Goal: Estimation of packet proportions (e.g. TCP-SYN packets in a flow) m M = ˆ = P P Estimate: Real proportion: N n ( ) ⋅ − − P 1 P N n σ = ⋅ Estimation Accuracy (random n-of-N): − ˆ P n N 1 ( ) − ⋅ σ ≤ ≤ + ⋅ σ = − α ˆ ˆ Prob P z P P z 1 Confidence Limits: ˆ ˆ c c P P Example: - Measurement interval with N=10,000 packets - Random packet selection 1% (n=100) σ = P = ˆ � 0.8226 � P � 0.977, with 99% confidence � 0.03 0.9 ˆ P P = ˆ � same accuracy 0.1 σ = � 0.371 � P � 0.629, with 99% confidence P = ˆ (worst case) � 0.05 0.5 ˆ P Works with other packet properties, too! FloCon 2006 Panel 9

  10. Advise Advise � Don’t restrict your analysis to flow data – Include further viewpoints – Use sampling in addition or as alternative to flow data � Trust the power of statistics – It’s a mature and well established field � full range of proven techniques � Use sampling where applicable – Applicability depends on traffic profile, metric of interest, accuracy demand � Sampled data sufficient to detect large events (high volumes, high packet counts) � May be sufficient to estimate #pkts with specific properties (e.g. SYN, VoIP packets, small packets, packets with same content, etc.) � Others � depends on scenario – Difficulties with rare events (stealth attacks, slow port scans) – Not suitable to re-assemble connections (but filtering may be) FloCon 2006 Panel 10

  11. Thank you for your Thank you for your attention! attention!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for IP Packet Selection draft-ietf ietf- -psamp psamp-sample-tech-00.txt -sample-tech-00.txt draft- Tanja Zseby, FhG FOKUS Maurizio Molina, NEC

600 views • 12 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 4 25 Background Anomaly Detection:

331 views • 20 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
What is the strengths and weakness of these sampling methods? Sampling Strengths /

What is the strengths and weakness of these sampling methods? Sampling Strengths /

Session 6. Sampling and Sample size Sampling: What are the different sampling methods used? In PIA: Convenience sampling Purposive sampling Random sampling What is the strengths and weakness of these sampling methods? Sampling

219 views • 5 slides
Sampling Distributions Sampling Distribution of the Mean &amp; Hypothesis Testing Sampling

Sampling Distributions Sampling Distribution of the Mean &amp; Hypothesis Testing Sampling

Sampling Distributions Sampling Distribution of the Mean &amp; Hypothesis Testing Sampling Remember sampling? Part 1 of definition Selecting a subset of the population to create a sample Generally random samplingusing

975 views • 55 slides
Newfound Water Quality Sampling: In Lake Sampling 8 Historic Sampling locations

Newfound Water Quality Sampling: In Lake Sampling 8 Historic Sampling locations

Newfound Water Quality Sampling: In Lake Sampling 8 Historic Sampling locations Initial Sampling in 1986 Standard Measurements include: Total Phosphorus, Chlorophyll and Secchi Disk Transparency Determine long term trends,

599 views • 26 slides
A Case for Clumsy Packet Processors Arindam Mallik and Gokhan Memik Electrical and Computer

A Case for Clumsy Packet Processors Arindam Mallik and Gokhan Memik Electrical and Computer

A Case for Clumsy Packet Processors Arindam Mallik and Gokhan Memik Electrical and Computer Engineering Dept. Northwestern University Overview Faults Correctness is overrated What if the higher levels take care of it? Processor

709 views • 26 slides
Mathematics in the Sciences Eggeling et al. Gibbs sampling for parsMMs with latent variables 1

Mathematics in the Sciences Eggeling et al. Gibbs sampling for parsMMs with latent variables 1

Introduction Gibbs sampling algorithm Case studies Gibbs sampling for parsimonious Markov models with latent variables Ralf Eggeling 1 , Pierre-Yves Bourguignon 2 , Andr e Gohr 1 , Ivo Grosse 1 1 Martin Luther University Halle-Wittenberg 2 Max

522 views • 38 slides
Overview of Sampling Topics (Shannon) sampling theorem Impulse-train sampling

Overview of Sampling Topics (Shannon) sampling theorem Impulse-train sampling

Overview of Sampling Topics (Shannon) sampling theorem Impulse-train sampling Interpolation (continuous-time signal reconstruction) Aliasing Relationship of CTFT to DTFT DT processing of CT signals DT sampling

848 views • 67 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
Sampling frequency and uncertainty: Examples from Norwegian case studies Eva Skarbvik &amp; Per

Sampling frequency and uncertainty: Examples from Norwegian case studies Eva Skarbvik &amp; Per

Helcom workshop May 18, 2015 Sampling frequency and uncertainty: Examples from Norwegian case studies Eva Skarbvik &amp; Per Stlnacke Bioforsk Norwegian Institute for Agricultural and Environmental Research Focus on: loads and

368 views • 36 slides
Sampling of probability measures in the convex order and approximation of Martingale Optimal

Sampling of probability measures in the convex order and approximation of Martingale Optimal

Introduction Sampling in the convex order The dimension 1 case Sampling in the convex order in higher dimensions Numerical results Sampling of probability measures in the convex order and approximation of Martingale Optimal Transport problems

641 views • 37 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to study the whole popula5on? A major reason studying samples rather than the

288 views • 16 slides
The ICPC Process Case worker finds possible placement for child out of state. Placement packet

The ICPC Process Case worker finds possible placement for child out of state. Placement packet

4/22/15 The ICPC Process Case worker finds possible placement for child out of state. Placement packet completed and submitted The he N National E Electronic I Interstate to central ICPC office in state. Compact E Enterprise (

411 views • 4 slides
Rachel Hoffman Texas Christian University June 3, 2016 History Actuarial concentration first

Rachel Hoffman Texas Christian University June 3, 2016 History Actuarial concentration first

Rachel Hoffman Texas Christian University June 3, 2016 History Actuarial concentration first offered in Fall 2001 TCU program planned with guidance from Dr. Jim Daniel of UT Austin Added minor in Actuarial Mathematics in Fall 2010

659 views • 12 slides
2019 Actuarial Valuation July 2019 Panel West Sussex County Council Pension Fund Steven Law FFA

2019 Actuarial Valuation July 2019 Panel West Sussex County Council Pension Fund Steven Law FFA

2019 Actuarial Valuation July 2019 Panel West Sussex County Council Pension Fund Steven Law FFA 24 July 2019 Hymans Robertson LLP is authorised and regulated by the Financial Conduct Authority Valuation milestones Individual employer

437 views • 16 slides
Aaron Halbur Carroll High Graduate (2003) University of Iowa Graduate (2007) Actuarial Associate

Aaron Halbur Carroll High Graduate (2003) University of Iowa Graduate (2007) Actuarial Associate

Aaron Halbur Carroll High Graduate (2003) University of Iowa Graduate (2007) Actuarial Associate II Aviva USA Math Careers Where is your ship sailing? Where is your shipping sailing? Delete this box and replace with image. Fields

217 views • 10 slides
Clemson University Actuarial Club Dr. Mark Cawood Advisor Kaitlin Carter President Jake

Clemson University Actuarial Club Dr. Mark Cawood Advisor Kaitlin Carter President Jake

Clemson University Actuarial Club Dr. Mark Cawood Advisor Kaitlin Carter President Jake Marshall Vice-President Lindsey Moyer - Secretary Actuarial Program History Typically, students get BS in Mathematical Sciences with emphasis

418 views • 12 slides
Development of Data Assimilation Schemes in Support of Coastal Ocean Observing Systems Zhijin Li

Development of Data Assimilation Schemes in Support of Coastal Ocean Observing Systems Zhijin Li

Development of Data Assimilation Schemes in Support of Coastal Ocean Observing Systems Zhijin Li , Yi Chao Jet Propulsion Laboratory, California Institute of Technology James C. McWilliams, Kayo Ide University of California, Los Angeles

553 views • 28 slides
Building P Partner erships t to Implem emen ent A Adaptive e Managem emen ent: E Exper

Building P Partner erships t to Implem emen ent A Adaptive e Managem emen ent: E Exper

Building P Partner erships t to Implem emen ent A Adaptive e Managem emen ent: E Exper eriences es T Throu ough NEW Waters Silver C r Creek P Pilot P Proje ject Government Affairs Seminar February 22, 2018 Jeff Smudde

814 views • 16 slides
Adaptive Restoration of the West Coasts Tidal Wetlands Dr. Joy Zedler Presentation Notes

Adaptive Restoration of the West Coasts Tidal Wetlands Dr. Joy Zedler Presentation Notes

Adaptive Restoration of the West Coasts Tidal Wetlands Dr. Joy Zedler Presentation Notes Adaptive Restoration of Tijuana Estuary Joy Zedler, U. Wisconsin-Madison jbzedler@wisc.edu Based on research and field work conducted with dozens of

37 views • 3 slides
The Roadmap: a recap of where weve been, where were heading, and how its all related

The Roadmap: a recap of where weve been, where were heading, and how its all related

The Roadmap: a recap of where weve been, where were heading, and how its all related Harva vard IACS CS109B Chris Tanner, Pavlos Protopapas, Mark Glickman Learning Objectives Recap models from CS CS109A and CS CS109B Understand the

1.53k views • 148 slides

More recommend