blinc multilevel traffic classification in the dark
play

BLINC: Multilevel Traffic Classification in the Dark Thomas - PowerPoint PPT Presentation

May 21, 2023 •341 likes •649 views

BLINC: Multilevel Traffic Classification in the Dark Thomas Karagiannis, UC Riverside Konstantina Papagiannaki, Intel Research Cambridge Michalis Faloutsos, UC Riverside The problem of workload characterization The goal: Classify Internet

  1. BLINC: Multilevel Traffic Classification in the Dark Thomas Karagiannis, UC Riverside Konstantina Papagiannaki, Intel Research Cambridge Michalis Faloutsos, UC Riverside

  2. The problem of workload characterization • The goal: Classify Internet traffic flows according to the applications that generate them “ in the dark ” – No port numbers – No payload streaming web P2P 2

  3. The problem of workload characterization – Why in the dark? • Traffic profiling based on TCP/UDP ports – Misleading • Payload-based classification – Practically infeasible • Applications are “hiding” their traffic – P2P applications, skype, etc. • Recent research approaches – Statistical/machine-learning based classification ( Roughan et al. IMC’04, Moore et al. SIGMETRICS’05) – Sensitive to network dynamics such as congestion 3

  4. Our contributions • We present BLINC (BLINd Classification), a fundamentally different “in the dark” approach – We shift the focus to the Internet host – We analyze host behavior at three levels • Social • Functional • Application • We identify “signature” communication patterns • Highly accurate classification 4

  5. Outline • Developing a classification benchmark – Payload-based classification • BLINC design – Multilevel classification – Signature communication patterns • BLINC evaluation 5

  6. Classification benchmark • Packet-traces with machine readable headers – Residential (2 traces) • 25 hours & 34 hours, 110 Mbps • web (35%), p2p (32%) – Genome campus • 44 hours, 25 Mbps, ftp (67%) • Classification based on payload signatures – Caveats : Nonpayload (1%-2%), Unknown (6%-16%) 6

  7. BLINC overview • In the dark classification – No examination of port numbers – No examination of user payload • Characterize the host – Insensitive to congestion and path changes • Deployable with existing equipment – Operates on flow records 7

  8. BLINC: Classification process • Characterize the host – Social : Popularity/Communities – Functional : Consumer/provider of services – Application : Transport layer interactions • Identify signature communication patterns • Match observed behavior to signatures 8

  9. 1. Social level • Characterization of the popularity of hosts • Two types of behavior: – Based on number of destination IPs – Communities: Groups of communicating hosts 9

  10. 1. Social level: Popularity • Reveals only basic application traffic properties Heavier tail of CCDF of destination IPs for P2P and malware 10

  11. 1. Social level: Communities • Communication cliques • Perfect cliques – Attacks • Partial cliques – Collaborative applications (p2p, games) • Partial cliques with same domain IPs – Server farms (e.g., web, dns, mail) 11

  12. 2. Functional level • We characterize based on tuple (IP, Port) • We identify three types of behavior – Client: Consumer of services – Server: Provider of services – Collaborative 12

  13. 2. Functional level: Client vs. Server src port: 1000 src port: 1001 src port: 1002 Observation: The host uses a different ephemeral src port for every flow Rule: Hosts that use a large number of source ports are clients 13

  14. 2. Functional level: Client vs. Server Rule: Hosts that use a small number of source ports are offering services on these ports Observation: Observation: The host uses a different ephemeral The host uses only two src port for every flow src ports for all flows src port: 80 src port: 80 src port: 443 14

  15. 2. Functional level: Characterizing the host flows vs. source ports per application Clients Collaborative applications: No distinction between servers and clients Servers Obscure behavior due to multiple mail protocols and passive ftp 15

  16. 3. Application level • Interactions between network hosts display diverse patterns across application types. • We capture patterns using “graphlets” – Target most typical behavior – Relationship between fields of the 4-tuple 16

  17. 3. Application level: Graphlets • Graphlets have four columns corresponding to the 4-tuple: src IP, dst IP, src port and dst port • Each node is a distinct entry for each column • Lines connect nodes when flows contain the specific field values 192.168.1.1 10.0.0.0 1026 135 sourceIP destinationIP destinationPort sourcePort 445 192.168.1.1 10.0.0.0 1026 135 17

  18. 3. Graphlet Generation (FTP) sourceIP destinationIP destinationPort sourcePort X Y 21 10001 X Y 21 10001 X Y X Y 21 21 10001 10001 X Y 20 10002 X Y X Y 20 20 10002 10002 X Z X Z 21 21 3000 3000 X Z 1026 3001 20 10002 5005 X Y 5000 21 10001 3000 Z X 3001 1026 U 18

  19. 3. Graphlet Library 19

  20. Heuristics: Further improving performance • Using the transport layer protocol. 20

  21. Heuristics: Further improving performance • Using the relative cardinality of sets. Cardinality of set of dst IPs versus set of dst ports varies with the application 21

  22. Heuristics: Further improving performance • Using the relative cardinality of sets. WEB: #dst ports >> # dst IPs P2P: #dst ports <= # dst IPs 22

  23. Heuristics: Further improving performance • Using the communities Probably WEB too!! Known: WEB 10.0.0.0 10.0.0.1 23

  24. Heuristics: Further improving performance • Other heuristics: – Using the per-flow average packet size – Recursive (mail/dns servers talk to mail/dns servers, etc.) – Failed flows (malware, p2p) 24

  25. Classification Results • We evaluate BLINC using two metrics: – Completeness • Percentage classified by BLINC – Accuracy • Percentage classified by BLINC correctly • We compare against payload classification – Exclude unknown and nonpayload flows 25

  26. BLINC achieves highly accurate classification 80%-90% completeness ! >90% accuracy !! 26

  27. Characterizing the unknown: Non-payload flows BLINC is not limited by non-payload flows or unknown signatures Flows classified as attacks reveal known exploits 27

  28. BLINC issues and limitations • Extensibility – Creating and incorporating new graphlets • Application sub-types – e.g., BitTorrent vs. Kazaa • Transport-layer encryption – then what? • NATS – Should handle most cases • Access vs. Backbone networks? – Should handle but no data to test 28

  29. Conclusions • A new way of thinking of the classification problem – Classify nodes instead of flows – Multi-level analysis: • social, functional, transport-layer characteristics • each level provides corroborative evidence or insight • BLINC works well in practice – classifies 80-90% of the traffic – with >90% accuracy • Going beyond payload-based classification – Nonpayload/unknown flows • Building block for security applications 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest Classification of Internet Traffic To treat special types of traffic in a different manner Some types of classification already seen in Alok

371 views • 9 slides
Multilevel TRILL draft-perlman-trill-rbridge-multilevel-00.txt Radia Perlman

Multilevel TRILL draft-perlman-trill-rbridge-multilevel-00.txt Radia Perlman

Multilevel TRILL draft-perlman-trill-rbridge-multilevel-00.txt Radia Perlman radiaperlman@gmail.com Intel Labs March 2011 1 Potential scalability issues routing computation load volatility of LSP database too much control traffic

828 views • 30 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka &amp; Paul Barford

1.33k views • 26 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani

Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani

Probabilistic Graphical Models for Semi-Supervised Traffic Classification Rotsos Charalampos , Jurgen Van Gael, Andrew W. Moore, Zoubin Ghahramani Computer Laboratory and Engineering Department, University of Cambridge Traffic classification

257 views • 21 slides
Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian

Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian

Background Visual Motifs Traffic Classification Evaluation Towards Reliable Traffic Classification Using Visual Motifs Wilson Lian 1 John McHugh 1 , 2 Fabian Monrose 1 1 University of North Carolina at Chapel Hill 2 RedJack, LLC FloCon 2010

652 views • 47 slides
How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology

760 views • 21 slides
1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop

AGENDA AGENDA 1. The role and significance of public transport and tram transport in urban areas 2. Goal and stages of the study 1 THE ANALYSIS OF TRAFFIC SAFETY THE ANALYSIS OF TRAFFIC SAFETY 3. Classification of stop stations at tram stops

169 views • 4 slides
Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh Ghassemi, and Zahra Alimadadi TTCS 2020,Tehran, Iran 1 Network Traffic Classification, What &amp; Why?

655 views • 44 slides
Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet

Classification &amp; Filtering Traffic Management October 2016 Chelsio T5/T6 Packet Classification and Filtering Features 1. Supported Match Fields with Optional Masks Up to 500K exact-match and 2K wildcard rules, 20M/sec lookup rate, 200K

92 views • 6 slides
Towards Explicable and Adaptive DDoS Traffic Classification Yebo Feng, Jun Li University of

Towards Explicable and Adaptive DDoS Traffic Classification Yebo Feng, Jun Li University of

The 21st Passive and Active Measurement Conference (PAM 2020) Towards Explicable and Adaptive DDoS Traffic Classification Yebo Feng, Jun Li University of Oregon {yebof, lijun}@cs.uoregon.edu Towards Explicable and Adaptive DDoS Traffic

339 views • 10 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
Agenda 1. More on multilevel R formulas 2. Generalized Multilevel Models 3. GMLM in R 1 More

Agenda 1. More on multilevel R formulas 2. Generalized Multilevel Models 3. GMLM in R 1 More

Agenda 1. More on multilevel R formulas 2. Generalized Multilevel Models 3. GMLM in R 1 More on multilevel R formulas 2 Building a two-level model &lt;latexit

620 views • 22 slides
Traffic analysis and modelling 1 Service classification Services may be classified according

Traffic analysis and modelling 1 Service classification Services may be classified according

Traffic analysis and modelling 1 Service classification Services may be classified according to many criteria. For example, loosely classify according to nature of transmitted information: voice services computer communications, and

407 views • 21 slides
Forum post classification to support forensic investigations of illegal trade on the Dark Web

Forum post classification to support forensic investigations of illegal trade on the Dark Web

Forum post classification to support forensic investigations of illegal trade on the Dark Web System &amp; Network Engineering (MSc) Research Project 2 Supervisors: Diana Rusu Martijn Spitters diana.rusu@os3.nl Stefan Verbruggen Motivation

378 views • 19 slides
ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition

ELEC / COMP 177 Fall 2016 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Project #1 Starts next Tuesday Sept 13 th Is your Linux environment all ready? Bring your laptop Work time after discussion of

739 views • 52 slides
ts

ts

s t r t r s r s t r r t r rtrs

780 views • 64 slides
System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of

System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of

System-on-Chip Design HW/SW Interfaces and Communica;ons Hao Zheng Comp Sci &amp; Eng U of South Florida 1 System Structural Model Mem CPU P1 P2 Arbiter Bridge P3 P5 P4 HW HW 2 Basic Elements of HW/SW Interfaces 1. On-chip

235 views • 22 slides
Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Secure Communication Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Symmetric cryptography Both parties

860 views • 60 slides
Communicating Processors Past, Present and Future David May Bristol University and XMOS David

Communicating Processors Past, Present and Future David May Bristol University and XMOS David

Communicating Processors Past, Present and Future David May Bristol University and XMOS David May 1 NOCS, Newcastle April 9, 2008 The Past INMOS started 1978: introduced the idea of a a communicating computer - transputer - as a system

685 views • 45 slides
Dynamic Processors Demand Dynamic Operating Systems Sankaralingam Panneerselvam Michael M. Swift

Dynamic Processors Demand Dynamic Operating Systems Sankaralingam Panneerselvam Michael M. Swift

Dynamic Processors Demand Dynamic Operating Systems Sankaralingam Panneerselvam Michael M. Swift Computer Sciences Department University of Wisconsin, Madison, WI 1 HotPar 2010 Motivation Chip Multiprocessor Does not support well

378 views • 22 slides
Programming for Performance 1 Introduction Rich space of techniques and issues Trade off and

Programming for Performance 1 Introduction Rich space of techniques and issues Trade off and

Programming for Performance 1 Introduction Rich space of techniques and issues Trade off and interact with one another Issues can be addressed/helped by software or hardware Algorithmic or programming techniques Architectural

1.11k views • 79 slides
PARALLEL MEMORY ARCHITECTURE Mahdi Nazm Bojnordi Assistant Professor School of Computing

PARALLEL MEMORY ARCHITECTURE Mahdi Nazm Bojnordi Assistant Professor School of Computing

PARALLEL MEMORY ARCHITECTURE Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcement Homework 6 is due tonight n The last one! This lecture

431 views • 18 slides

More recommend