Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Capturing Traffic Traces with Ground- Capturing Traffic Traces with Ground- Truth Information Truth Information Niccolo' Cascarano, Politecnico di Torino Joint work with Telecommunication Networks Group at Università di Brescia (Italy) 1
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 The problem The problem The ground truth in traffic traces • 2
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Current solutions Current solutions Manual inspection • Do you really believe this is possible? – DPI • – Is that true? Ad-hoc created traffic • – Is it realistic? – Does it contain other kind of traffic? 3
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 The GT toolset The GT toolset Hosts running GT daemon Internet Border router Capturing host GT logs GT SQL Database IPClass GT metadata 4
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Characteristics (1) Characteristics (1) Polling based • Simple – Easy to develop • • Limited intrusiveness (no kernel hooks) Portable – Not 100% coverage in terms of bytes/flows – Solutions exists • 5
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Characteristics (2) Characteristics (2) Non intrusive with respect to send/received traffic • E.g., preserves timestamp – User-friendly • Both command line and a GUI is available – 6
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Characteristics (3) Characteristics (3) Open source and freely downloadable • http://www.ing.unibs.it/ntw/tools/gt – Finally, something that works • – FreeBSD, Linux, Windows, MacOS X 7
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Limitations (1) Limitations (1) Intrusive • Need to be installed on each hosts – What about monitoring large crowds? – Monitored users are aware of it – Do they modify their behavior? • 8
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Limitations (2) Limitations (2) Not 100% coverage in terms of flows/bytes • Polling mechanism – Cannot mark traffic that doesn’t create a socket (e.g. attacks to a – closed port, ICMP traffic, …) 9
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Overhead on monitored hosts Overhead on monitored hosts 10
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Polling and coverage Polling and coverage TCP UDP 11
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Coverage with Service-Based Classification Coverage with Service-Based Classification 95% completeness in terms of flows • 99% completeness in terms of bytes • IP= IP1, Port = P1 IP= IP1, Port = P2 12
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Applications and Protocols (1) Applications and Protocols (1) HTTPS HTTP HTTPS HTTP POP3S IMAP FTP POP3 13
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Applications and Protocols (2) Applications and Protocols (2) Captured GT traffic metadata Regex proto1 Regex proto2 Regex proto3 Regex proto4 Regex proto5 DPI Traffic Regex proto6 Classifier Regex proto7 Regex proto8 GT protocol metadata 14
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 Future work Future work GT is a good start for associating ground truth to the • traces But… • Can we capture raw data? – How can we share files? – • Full payload is often needed 15
Politecnico di Torino – Seminario su Traffic Classification - 10/2009 References References Ground truth • F. Gringoli, L. Salgarelli, M. Dusi, N. Cascarano, F. Risso, K.C. Claffy, – “ GT: picking up the truth from the ground for Internet traffic ,” ACM Computer Communication Review, October 2009. Service-based traffic classification • M. Baldi, F. Risso, N. Cascarano, A. Baldini, “Service-Based Traffic – Classification: Principles and Validation,” IEEE Sarnoff Symposium, Princeton, NJ (USA), pp. 1-6, March 2009. 16
Recommend
More recommend
