application aware flow monitoring
play

APPLICATION-AWARE FLOW MONITORING Thursday 11 th April, 2019 Petr - PowerPoint PPT Presentation

Jun 20, 2023 •121 likes •367 views

APPLICATION-AWARE FLOW MONITORING Thursday 11 th April, 2019 Petr Velan Motivation Application-Aware Flow Monitoring Page 2 / 22 Internet Basic Flow Monitoring TAP Probe Flow monitoring is widely used for: Collector Accounting Router

  1. APPLICATION-AWARE FLOW MONITORING Thursday 11 th April, 2019 Petr Velan

  2. Motivation Application-Aware Flow Monitoring Page 2 / 22

  3. Internet Basic Flow Monitoring TAP Probe Flow monitoring is widely used for: Collector Accounting Router Security (IDS, forensics) SPAN Probe port Data retention Network diagnostics Packets Internal Network Flow Records Basic flow record example: Flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Packets Bytes 09:41:21.763 0.101 TCP 172.16.96.48:15094 -> 209.85.135.147:80 .AP.SF 4 715 09:41:21.893 0.031 TCP 209.85.135.147:80 -> 172.16.96.48:15094 .AP.SF 4 1594 Flow creation process is complex Flow vs. connection, fragmented traffic, flow termination conditions, flow keys from multiple layers ⇒ Definition of flow is necessary Application-Aware Flow Monitoring Page 3 / 22

  4. Application Layer Information Application visibility, such as provided by DPI, improves security and network diagnostics. Application identification (not relying on well-known ports) Encapsulating application protocols (HTTP used for audio/video streaming) Information about tunnels (e.g., MPLS, VLAN, IPv6 transition mechanisms) Basic flow contains only selected information from packet headers. Gather more information available from the headers (L2 layer) Analyze application layer information (application identi fi cation and visibility) Application fl ow record example: Flow start L3,4 HTTP Host HTTP URL HTTP User Agent Rsp. Code 09:41:21.763 .... www.example.com /requested/endpoint ’Mozilla/5.0 AppleWebKit/531.21.10 ...’ 09:41:21.893 .... 200 Application-Aware Flow Monitoring Page 4 / 22

  5. Growing Network Speeds 10 G, 25 G, 40 G and 100 G: Seeing Broad Adoption in Data Center http://techblog.comsoc.org/tag/25-100g-ethernet/ Application-Aware Flow Monitoring Page 5 / 22

  6. Growing Network Speeds Very short time to process individual packets Large number of concurrent flows increase memory utilization 10 G 100 G CPU cycles ∗ CPU cycles ∗ pps pps Smallest frame size 14.88 M 201 148.81 M 20 800 B packets 1.49 M 2011 14.92 M 201 ∗ On a 3 GHz CPU core Multiple concepts must be combined: Multi-core and multi-processor systems Specialized NICs (FPGA-based) Software (user and kernel space) optimizations Application-Aware Flow Monitoring Page 6 / 22

  7. Traffic Encryption Increasing amount of encrypted tra ffi c (SSL/TLS, DTLS, IPsec, . . . ): Privacy becomes increasingly important Free certi fi cates (Let ’ s Encrypt) DPI fails for encrypted tra ffi c: No precise application identi fi cation (back to port numbers) No application layer visibility Some information still available: Encryption protocol headers (e.g., certi fi cates, ciphers) Statistical information ⇒ machine learning Application-Aware Flow Monitoring Page 7 / 22

  8. Thesis Goals Propose application flow monitoring which utilises application layer information to facilitate flow analysis and threat detection. Evaluate performance of flow monitoring and propose optimisations to facilitate monitoring of high-speed networks. Analyse options for monitoring of encrypted tra ffi c, survey common encryption protocols and methods for encrypted tra ffi c classi fi cation. Application-Aware Flow Monitoring Page 8 / 22

  9. Application Flow Monitoring Application-Aware Flow Monitoring Page 9 / 22

  10. Flow Definition IPFIX and NetFlow v9 flow definitions have a few shortcomings: Limited to IP flows Do not account for fragmented packets Unclear definition of packet characteristics Proposed a new definition which addresses these problems: A flow is defined as a sequence of packets passing an observation point in the network during a certain time interval. All packets that belong to a particular flow have a set of common properties derived from the data contained in the packet, previous packets of the same flow, and from the packet treatment at the observation point. Formalization of the definition avoids misinterpretation. Application-Aware Flow Monitoring Page 10 / 22

  11. HTTP Parser Design 11 no HTTP 6 optimized strcmp Packets/s (x 10 6 ) strcmp 5 optimized flex flex 4 pcre 3 2 1 0 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Parser Performance Comparison with Respect to HTTP Proportion (0 % - No HTTP, 100 % - Only HTTP Headers) in the Traffic - Full Packets 1500 B. Application-Aware Flow Monitoring Page 11 / 22

  12. Use of Application Information Security monitoring of HTTP tra ffi c: Classi fi cation of HTTP tra ffi c Repeated requests (proxies and brute-force attacks) HTTP scans Web crawlers I Pv6 transition mechanisms: Teredo, protocol 41 (e.g., 6to4, 6in4), I SATAP, AY I YA Detection of tunnel endpoints Geolocation of endpoints, optimization of tra ffi c routes Anomalies, miscon fi guration (forwarding of local-link packets inside tunnels) OS fi ngerprinting Application-Aware Flow Monitoring Page 12 / 22

  13. Flow Monitoring Performance Application-Aware Flow Monitoring Page 13 / 22

  14. Flow Acceleration Hardware acceleration Software acceleration Receive Side Scaling Multithreading Packet trimming NUMA awareness Packet header preprocessing Flow state in parsers Flow processing o ffl oading Flow cache design Application identi fi cation Per- fl ow expiration timeout Delayed packet processing Bidirectional fl ow records Flow Acceleration Techniques (Novel Proposals). Application-Aware Flow Monitoring Page 14 / 22

  15. Novel Flow Acceleration Techniques Packet header preprocessing: Extraction of information from packet headers by the NIC Only necessary information sent to software Minimizes data transfers, lowers utilization of memory controller Application identification: Only small portion of packets carry important application protocol information Packets containing important headers can be identified by NIC Flow state in parsers: Flows with application information are usually processed by only single parser Apply parsers from the most common to the least common one Skip application parsers after important information is extracted Application-Aware Flow Monitoring Page 15 / 22

  16. High-Density Flow Monitoring Aggregate measurement of multiple 10 G links in a single box. 2 NICs (2x40 G ports configured as 8x10 G) Theoretical throughput: 160 Gbps Test impact of packet trimming and packet header preprocessing in NIC Different flow counts, packet sizes Test impact of CPU choice (6 vs 8 cores, 2 GHz vs 2.6 GHz) Results: Line-rate is achievable for 128 B packets with hardware acceleration I mpact of fl ow count is signi fi cant for short packet lengths Choice of CPU (especially frequency and number of cores) is very important Application-Aware Flow Monitoring Page 16 / 22

  17. Impact of Packet Trimming and Preprocessing Maximum Ethernet Full Packets Unified Headers Maximum PCIe Trimmed Packets 250 x 10 6 200 x 10 6 150 x 10 6 Packets/s 100 x 10 6 50 x 10 6 0 x 10 6 64 128 256 512 Packet size Packet Processing Performance Comparison in Packets/s for 16,384 Flows per Interface. Application-Aware Flow Monitoring Page 17 / 22

  18. Measurement of Encrypted Tra ffi c Application-Aware Flow Monitoring Page 18 / 22

  19. Information Extraction From Encrypted Traffic Some information remains disclosed even for encrypted tra ffi c: Initialisation of the encrypted connection is usually unencrypted TLS up to version 1.3 discloses certi fi cates SNI still available, but propositions are being made to encrypt it Combination with DNS monitoring is possible These information can be used directly by flow monitoring system Information about offered cryptographic algorithms can be used to fingerprint clients Confirmation Initial Authentication and shared Authenticated and encrypted handshake secret establishment data exchange Time Unencrypted initialization Encrypted data transport Application-Aware Flow Monitoring Page 19 / 22

  20. Encrypted Traffic Classification Identification of encrypted protocols is not always possible. Machine learning and statistical methods can be used Surveyed works published in the top related conferences and journals from 2004 to 2015 Payload-based classification techniques: Mostly ready-to use tools Utilized in practice for DPI Feature-based classification techniques: Intensive research area Most authors use private datasets Incomparable results Application-Aware Flow Monitoring Page 20 / 22

  21. Future Work Application-Aware Flow Monitoring Page 21 / 22

  22. Concepts for Next Generation Flow Monitoring EventFlow Group flows based on actions Proof of concept implemented on HTTP and DNS protocols MetaFlow Hierarchical structure for flows Useful for monitoring of layered tra ffi c Helps to reduce number of flow data templates Application Events Similar to MetaFlow Do not create application flows (can disrupt basic flow creation process) Attach application information to basic flow in separate record Application-Aware Flow Monitoring Page 22 / 22

  23. THANK YOU FOR YOUR ATTENTION! Petr Velan https://is.muni.cz/th/a2fxd/ @csirtmu velan@ics.muni.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Next Generation Application-Aware Flow Monitoring Petr Velan } , ! " # $ % & '

Next Generation Application-Aware Flow Monitoring Petr Velan } , ! " # $ % & '

Next Generation Application-Aware Flow Monitoring Petr Velan } , ! " # $ % & ' ( ) + - A| / 0 1 2 3 4 5 < y . w

363 views • 10 slides
On the Impact of Flow Monitoring Configuration Petr Velan et al. velan@ics.muni.cz Institute of

On the Impact of Flow Monitoring Configuration Petr Velan et al. velan@ics.muni.cz Institute of

On the Impact of Flow Monitoring Configuration Petr Velan et al. velan@ics.muni.cz Institute of Computer Science, Masaryk University April 20, 2020 Flow Monitoring Recapitulation Network Flow Monitoring Network Flow Monitoring Used for

383 views • 24 slides
The Future of Network Flow Monitoring Prague Embedded Systems Workshop (PESW 2019) Friday 28 th

The Future of Network Flow Monitoring Prague Embedded Systems Workshop (PESW 2019) Friday 28 th

The Future of Network Flow Monitoring Prague Embedded Systems Workshop (PESW 2019) Friday 28 th June, 2019 Petr Velan Flow Monitoring Introduction Internet Flow monitoring is widely used for: Accounting Probe TAP Security (IDS, forensics)

367 views • 20 slides
CAM: CONSTRAINT AWARE APPLICATION MAPPING FOR APPLICATION MAPPING FOR EMBEDDED SYSTEMS Luis

CAM: CONSTRAINT AWARE APPLICATION MAPPING FOR APPLICATION MAPPING FOR EMBEDDED SYSTEMS Luis

CAM: CONSTRAINT AWARE APPLICATION MAPPING FOR APPLICATION MAPPING FOR EMBEDDED SYSTEMS Luis A. Bathen, Nikil D. Dutt Outline 2 Introduction & Motivation Introduction & Motivation CAM Overview Memory aware Macro

508 views • 40 slides
On Flow-Aware CSMA in Multi-Channel Wireless Networks Mathieu Feuillet Joint work with Thomas

On Flow-Aware CSMA in Multi-Channel Wireless Networks Mathieu Feuillet Joint work with Thomas

On Flow-Aware CSMA in Multi-Channel Wireless Networks Mathieu Feuillet Joint work with Thomas Bonald CISS 2011 Outline Model Background Standard CSMA Flow-aware CSMA Conclusion Outline Model Background Standard CSMA Flow-aware CSMA

903 views • 58 slides
One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis

One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis

One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis Manousis, Greg Vorsanger, Vyas Sekar, and Vladimir Braverman Many Monitoring Requirements Traffic Engineering Anomaly Detection Flow Size

511 views • 28 slides
Flow Monitoring Deniz zharar Sales & Market Devlopment Engineer

Flow Monitoring Deniz zharar Sales & Market Devlopment Engineer

BRIGHTSENSE: SMART WAY OF FLOW MONITORING Digitalize & Manage Intelligent Mold Coolant Flow Monitoring Deniz zharar Sales & Market Devlopment Engineer www.brightworksengineering.com Digital Revolution for Mold Temperature Management

142 views • 11 slides
The Measured Performance of Database-Aware Test Coverage Monitoring Gregory M. Kapfhammer

The Measured Performance of Database-Aware Test Coverage Monitoring Gregory M. Kapfhammer

Introduction to Database Applications Introduction to Software Testing Database-Aware Test Coverage Monitoring Experimental Study The Measured Performance of Database-Aware Test Coverage Monitoring Gregory M. Kapfhammer Department of

553 views • 30 slides
Automating the Automating the configuration of flow configuration of flow monitoring probes

Automating the Automating the configuration of flow configuration of flow monitoring probes

Zurich Research Laboratory Automating the Automating the configuration of flow configuration of flow monitoring probes monitoring probes Xenofontas (Fontas) Dimitropoulos (xed@zurich.ibm.com) Andreas Kind (ank@zurich.ibm.com) IBM | Dec 07

303 views • 14 slides
Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

www.liberouter.org Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST Regional Symposium for Europe Security Tools as a Service Flow monitoring overview Flow monitoring extended by application layer

1.99k views • 184 slides
A New Cache Monitoring Scheme for Memory-Aware Scheduling and Partitioning G. Edward Suh

A New Cache Monitoring Scheme for Memory-Aware Scheduling and Partitioning G. Edward Suh

A New Cache Monitoring Scheme for Memory-Aware Scheduling and Partitioning G. Edward Suh Srinivas Devadas Larry Rudolph Massachusetts Institute of Technology February 5, 2002 HPCA-8: 1 Problem Memory system performance is critical

415 views • 18 slides
Metering Pump Station Flow Monitoring Presented by: Glenn Hummel Presentation Objective Keep

Metering Pump Station Flow Monitoring Presented by: Glenn Hummel Presentation Objective Keep

Laser for Open Channel Flow Metering Pump Station Flow Monitoring Presented by: Glenn Hummel Presentation Objective Keep your Toolbox equipped with Flow Metering Solutions Introduce a New Technology for Open Channel Flow Measurement

1k views • 72 slides
Evolution-Aware Monitoring-Oriented Programming (eMOP) Owolabi Legunsen, Darko Marinov , and

Evolution-Aware Monitoring-Oriented Programming (eMOP) Owolabi Legunsen, Darko Marinov , and

Evolution-Aware Monitoring-Oriented Programming (eMOP) Owolabi Legunsen, Darko Marinov , and Grigore Rou ICSE 2015 (NIER Track) Florence, Italy May 21, 2015 CCF-1439957 ITI RPS #28 CCF-1012759 Monitoring-Oriented Programming (MOP)

279 views • 13 slides
QoS-Aware Adaptive Flow-Rule Aggregation in Software-Defined IoT N. Saha, S. Misra and S. Bera

QoS-Aware Adaptive Flow-Rule Aggregation in Software-Defined IoT N. Saha, S. Misra and S. Bera

QoS-Aware Adaptive Flow-Rule Aggregation in Software-Defined IoT N. Saha, S. Misra and S. Bera Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur, India IEEE GLOBECOM 2018, Abu Dhabi, UAE Problem

219 views • 10 slides
FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work

FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work

FAB: Towards Flow-aware Bu fg er Sharing in Programmable Switches Maria Apostolaki Joint work with Laurent Vanbever & Manya Ghobadi An old story An old story Fan-in causing queue built-up Switch Senders Receivers An

1.04k views • 85 slides
201 019 C 9 CHEMISTR HEMISTRY Y & & FL FLOW MONITOR OW MONITORING ING February 12,

201 019 C 9 CHEMISTR HEMISTRY Y & & FL FLOW MONITOR OW MONITORING ING February 12,

201 019 C 9 CHEMISTR HEMISTRY Y & & FL FLOW MONITOR OW MONITORING ING February 12, 2020 PROGRAM GOALS Collect high-quality, scientific data on the local waterways. Educated decision-makers and the public. Provide

626 views • 28 slides
The IPCC Guidance and the Paris Agreement IPCC TFI side event Wednesday, 19 June 2019 SB 50,

The IPCC Guidance and the Paris Agreement IPCC TFI side event Wednesday, 19 June 2019 SB 50,

The IPCC Guidance and the Paris Agreement IPCC TFI side event Wednesday, 19 June 2019 SB 50, Bonn Transparency Framework Mitigation, Data and Analysis Programme UNFCCC secretariat IPCC guidelines and the transparency arrangements under the

99 views • 6 slides
412 th Test Wing War- Winning Capabilities On Time, On Cost A New Standard for Packets: RCC

412 th Test Wing War- Winning Capabilities On Time, On Cost A New Standard for Packets: RCC

412 th Test Wing War- Winning Capabilities On Time, On Cost A New Standard for Packets: RCC 106 Chapter 7 14 May 2015 Jon Morgan JT3 661-277-8942 Approved for public release; distribution is unlimited. 412TW-PA-14474 I n t e g r i t y

409 views • 14 slides
UPCS-V Summer 2016 What is UPCS-V? Replacement

UPCS-V Summer 2016 What is UPCS-V? Replacement

UPCS-V Summer 2016 What is UPCS-V? Replacement standard for HCV program, while: Retaining the core concepts of a Voucher Inspec?on

739 views • 20 slides
Effective Data Pipelines: Data Management from Chaos Katharine Jarmul (@kjam) QCon - London -

Effective Data Pipelines: Data Management from Chaos Katharine Jarmul (@kjam) QCon - London -

3/13/2017 qcon-london2017-datapipelines slides Effective Data Pipelines: Data Management from Chaos Katharine Jarmul (@kjam) QCon - London - March 6, 2017 About Katharine Data Scientist, Engineer, Author, Pythonista Founder @ kjamistan UG:

246 views • 8 slides
Collecting telemetry data using P4 and RDMA Rutger Beltman Silke Knossen Supervisors: Joseph

Collecting telemetry data using P4 and RDMA Rutger Beltman Silke Knossen Supervisors: Joseph

Collecting telemetry data using P4 and RDMA Rutger Beltman Silke Knossen Supervisors: Joseph Hill M.Sc. Dr. Paola Grosso 1 Introduction: Network Telemetry (I) Monitoring network health In-band network telemetry includes

702 views • 23 slides
challenges of the Paris Agreement on Climate Change The Potential of Blockchain Technology to

challenges of the Paris Agreement on Climate Change The Potential of Blockchain Technology to

Centre for International Governance Innovation (CIGI) Blockchain Governance Innovation Gym (BlockGIG) Discussion: Legal, political and implementation challenges of the Paris Agreement on Climate Change The Potential of Blockchain Technology to

470 views • 23 slides
NC-CELL: Network Coding-based Content Distribution in Cellular Networks for Cloud Applications

NC-CELL: Network Coding-based Content Distribution in Cellular Networks for Cloud Applications

NC-CELL: Network Coding-based Content Distribution in Cellular Networks for Cloud Applications Claudio Fiandrino , Dzmitry Kliazovich , Pascal Bouvry and Albert Y. Zomaya University of Luxembourg - The University of Sydney

327 views • 5 slides
Stacks at Edge A work in collaboration with RISE SICS Presentation for EUCNC18 Workshop 3:

Stacks at Edge A work in collaboration with RISE SICS Presentation for EUCNC18 Workshop 3:

Virtualize IoT Multi-RAT Stacks at Edge A work in collaboration with RISE SICS Presentation for EUCNC18 Workshop 3: Multi-provider, multi-vendor, multi-player orchestration: from distributed cloud to edge and fog environments in 5G Chenguang

250 views • 8 slides

More recommend