classifying internet one way traffic
play

Classifying Internet One-way Traffic Eduard Glatz, Xenofontas - PowerPoint PPT Presentation

May 31, 2023 •355 likes •653 views

Classification Scheme One-way Traffic Composition Service Availability Monitoring Classifying Internet One-way Traffic Eduard Glatz, Xenofontas Dimitropoulos ETH Zurich May 15, 2012 Eduard Glatz, Xenofontas Dimitropoulos Classifying

  1. Classification Scheme One-way Traffic Composition Service Availability Monitoring Classifying Internet One-way Traffic Eduard Glatz, Xenofontas Dimitropoulos ETH Zurich May 15, 2012 Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  2. Classification Scheme One-way Traffic Composition Service Availability Monitoring Overview ◮ Classification scheme for dissecting one-way traffic that relies solely on flow-level data ◮ Observation on one-way traffic based on a massive dataset of 457 billion flows ◮ Show how one-way flows are useful for service availability monitoring Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  3. Classification Scheme One-way Traffic Composition Service Availability Monitoring Preliminaries ◮ Study incoming one-way traffic at the network level: connections that do not receive a reply. ◮ Example causes of one-way traffic: ◮ Failures & Policies ◮ Attacks ◮ Special application behavior Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  4. Classification Scheme One-way Traffic Composition Service Availability Monitoring Preliminaries ◮ Study incoming one-way traffic at the network level: connections that do not receive a reply. ◮ Example causes of one-way traffic: ◮ Failures & Policies ◮ Attacks ◮ Special application behavior ◮ Sampling and asymmetric routing can result in artificial one-way traffic ◮ One-way traffic can be measured in edge networks Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  5. Classification Scheme One-way Traffic Composition Service Availability Monitoring Classification Scheme ◮ Associate each one-way flow with a number of signs ◮ Introduce 18 signs exploiting in 4 cases techniques from the literature ◮ Classify flows based on their signs ◮ Classes: ◮ Unreachable services ◮ P2P applications ◮ Scanning ◮ Backscatter ◮ Suspected Benign ◮ Bogon Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  6. Classification Scheme One-way Traffic Composition Service Availability Monitoring Signs: Host pair behavior a) b) c) d) Figure: Mixture of incoming one- and two-way flows exchanged between a host pair. Hosts are represented by nodes and the presence of inflow/outflow/biflows by arrows. Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  7. Classification Scheme One-way Traffic Composition Service Availability Monitoring Signs: Host pair behavior a) b) c) d) Figure: Mixture of incoming one- and two-way flows exchanged between a host pair. Hosts are represented by nodes and the presence of inflow/outflow/biflows by arrows. ◮ End-hosts-communicating: One-way flow between productive host pair ◮ Limited dialog: One-way flows between unproductive host pair Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  8. Classification Scheme One-way Traffic Composition Service Availability Monitoring Signs: Local host behavior ◮ Unused local address: Unpopulated local IP address ◮ Service unreachable: Unanswered request to local service ◮ Peer-to-peer 1 : Flow towards local P2P host 1W. John and S. Tafvelin. Heuristics to classify internet backbone traffic based on connection patterns. International Conference on Information Networking (ICOIN), 2008 Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  9. Classification Scheme One-way Traffic Composition Service Availability Monitoring Signs: Remote host behavior ◮ Service sole reply: no biflow on srcIP ∧ dstPort ≥ 1024 ∧ srcPort < 1024 ◮ Remote scanner 1 2 : TRW algorithm (suspected scanner) ◮ Remote scanner 2 3 : Host classification (suspected scanner) ◮ Remote non-scanner: TRW algorithm (suspected regular host) 2J. Jung, V. Paxson, A. Berger, and H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. In Proceedings of the IEEE Symposium on Security and Privacy, 2004 3M. Allman, V. Paxson, and J. Terrell. A brief history of scanning. In Proceedings of the 7th ACM SIGCOMM IMC, 2007 Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  10. Classification Scheme One-way Traffic Composition Service Availability Monitoring Signs: Flow feature ◮ Artifact: UDP/TCP flow with both port numbers=0 ◮ Single packet: Flow contains one packet only ◮ Large flow: Flow carries ≥ 10 packets or ≥ 10240 bytes ◮ Bogon: Source IP belongs to bogon space ◮ Protocol: IP protocol type of flow Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  11. Classification Scheme One-way Traffic Composition Service Availability Monitoring Classification Rules Final classifier includes 17 classification rules Class Name Rule # Flow Membership Rules Malicious 1 { TRWscan , HCscan , PotOk } ⇒ Scanner Scanning 2 { HCscan , TRWscan , TRWnom , PotOk } ⇒ Scanner 3 { TRWscan , HCscan , PotOk } ⇒ Scanner 4 { TRWnom , HCscan } ⇒ Scanner 5 { GreyIP , Onepkt , TRWscan , HCscan , Backsc , ICMP , UDP , bogon } ⇒ Scanner 6 { GreyIP , TRWscan , HCscan , Onepkt , ICMP , Backsc , bogon } ⇒ Scanner 7 { Onepkt , GreyIP , ICMP , TRWscan , HCscan , TRWnom , bogon , P 2 P , Unreach , PotOk , Backsc , Large } ⇒ Scanner 8 { GreyIP , Onepkt , TRWscan , HCscan , Backsc , ICMP , TCP , bogon } ⇒ Scanner 9 { ICMP , TRWscan , TRWnom , HCscan , InOut , bogon , PotOk } ⇒ Scanner Backscatter 10 { Backsc , TRWscan , HCscan , P 2 P , InOut , PotOk } ⇒ Backscatter Service 11 { Unreach , TRWscan , HCscan , bogon , P 2 P } ⇒ Unreachable Unreachable Benign P2P 12 { P 2 P , TRWscan , HCscan , bogon } ⇒ P 2 P Scanning Suspected 13 { PotOk , Unreach , P 2 P , TRWnom , bogon } ⇒ Benign Benign 14 { Large , GreyIP , TRWscan , HCscan , P 2 P , Unreach , PotOk , ICMP , Backsc , bogon , TRWnom } ⇒ Benign 15 { TRWnom , GreyIP , HCscan , P 2 P , Unreach , bogon , Backsc } ⇒ Benign 16 { ICMP , InOut , TRWscan , HCscan , TRWnom , bogon , PotOk } ⇒ Benign Bogon 17 { bogon , TRWscan , HCscan , Backsc } ⇒ Bogon Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  12. Classification Scheme One-way Traffic Composition Service Availability Monitoring Data-Sets ◮ Use data from the Swiss academic backbone network (SWITCH) ◮ Analyze the first 400 hours of each Feb and Aug between 2004 and 2011 ◮ The studied traffic data correspond to: ◮ 457 billion flows ◮ 7.41 petabytes ◮ cover 9% of the total number of flows Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  13. Classification Scheme One-way Traffic Composition Service Availability Monitoring Data Sanitization ◮ Double-counting elimination reduces total traffic volume by 32.3% ◮ Defragmentation reduces the number of flows by a fraction ranging between 20.6% and 39.6% for different years ◮ Bi-flow Pairing: ◮ For TCP and UDP based on standard 5-tuple ◮ For other protocols based on 3-tuple Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  14. Classification Scheme One-way Traffic Composition Service Availability Monitoring Evolution of One- and Two-way Traffic ◮ One-way flows are a large 8e+06 fraction of all flows: Inbound One−Way Inbound One−Way Two−Way Two−Way ◮ In 2004, 2 out of every 3 Mean Flows/24 h flows were one-way 4e+06 ◮ From 2007 to 2010, 1 out of every 3 flows were one-way 0e+00 '4.2 '5.2 '6.2 '7.2 '8.2 '9.2 '0.2 '1.2 Period Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  15. Classification Scheme One-way Traffic Composition Service Availability Monitoring Evolution of One- and Two-way Traffic ◮ One-way flows are a large 8e+06 fraction of all flows: Inbound One−Way Inbound One−Way Two−Way Two−Way ◮ In 2004, 2 out of every 3 Mean Flows/24 h flows were one-way 4e+06 ◮ From 2007 to 2010, 1 out of every 3 flows were one-way ◮ The number of one-way flows 0e+00 in 2011 is almost equal to 2004 '4.2 '5.2 '6.2 '7.2 '8.2 '9.2 '0.2 '1.2 ◮ The fraction of one-way flows Period has declined Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  16. Classification Scheme One-way Traffic Composition Service Availability Monitoring Composition of One-way Traffic Class % of flows % of pkts pkts/flow Scanning 83.5% 62.6% 1.6 4e+08 P2P applications 6.7% 13.0% 6.8 Unreach services 4.8% 10.1% 4.1 One−Way Flows/24 h 3e+08 Suspected Benign 2.6% 9.1% 12.1 SuspBenign SrvUnreach Other 2.2% 4.7% 4.6 other 2e+08 Backscatter 0.3% 0.5% 3.3 MalScan 1e+08 ◮ The top sources of one-way Bogon 0e+00 BenignP2P Backscat traffic are scanning, P2P 2004.01 2004.07 2005.01 2005.07 2006.02 2006.07 2007.01 2007.07 2008.02 2008.07 2009.01 2009.07 2010.01 2010.07 2011.01 2011.08 protocols, and unreachable Period services Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

  17. Classification Scheme One-way Traffic Composition Service Availability Monitoring Service Availability Monitoring ◮ One-way flows are very useful for service availability monitoring ◮ Traditional service availability monitoring is based on active probing Eduard Glatz, Xenofontas Dimitropoulos Classifying Internet One-way Traffic

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance analysis Anomaly and intrusion detec=on Network engineering Traffic at different granulari=es IP-level packets Capture per-packet

539 views • 40 slides
V0D 2016 Classifying Studies V0D V0D 2016 Classifying Studies 1 2016 Classifying Studies

V0D 2016 Classifying Studies V0D V0D 2016 Classifying Studies 1 2016 Classifying Studies

V0D 2016 Classifying Studies V0D V0D 2016 Classifying Studies 1 2016 Classifying Studies 2 Classifying Studies: Influences on Statistics Features and Benefits Typically, statistics are used as evidence for MILO SCHIELD, causal

651 views • 26 slides
Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1

Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1

Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1 Ismael Castell-Uroz 1 Pere Barlet-Ros 1 Xenofontas Dimitropoulos 2 Josep Sol-Pareta 1 1 UPC BarcelonaTech, Spain

616 views • 36 slides
DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet,

DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet,

QUEUING THEORY: EXPONENTIAL DISTRIBUTION Describing traffic How can we describe traffic? Cars, pedestrian, internet, etc. Also: how can we describe how traffic is processed? What are some metrics? Rate at which people

945 views • 13 slides
Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

6/7/2011 Outline State of the Internet Internet Governance Forum the World Malta Internet Traffic Statistics Introduction Usage and trends Internet Governance Definition/s History and today Launch of Malta I

84 views • 6 slides
Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline Why do we need to measure traffic in the Internet? Active measurement vs. passive

771 views • 31 slides
Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet?

Chair for Network Architectures and Services Department of Informatics Technische Universitt Mnchen Traffic Measurement Lothar Braun Outline q Why do we need to measure traffic in the Internet? q Active measurement vs. passive

654 views • 31 slides
CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic

CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic

NASDAQ CCOI Internet Networks in Europe an overview of Internet Geography, Regulation, Traffic Exchange, Infrastructure and Major Players. by Teresa Wan Sales Director Singapore Office Francois Lemaigre Sales VP - EMEA 2 Europe

159 views • 11 slides
Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous

Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous

Reducing BitTorrent Traffic at the Internet Scale Stevens Le Blond , Arnaud Legout, Walid Dabbous 1 Two open questions about BitTorrent locality AS 2 AS 3 # connections Internet Internet AS 1 Reduces traffic AS 4 AS 5 How far can we

366 views • 14 slides
Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

19 Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019 https://ieeexplore.ieee.org/document/8737483 Motivations Reliable traffic modelling is important for network planning, deployment and management;

447 views • 29 slides
Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Traffic Measurement Analysis &amp; Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon, Laboratoire de Physique (UMR

716 views • 60 slides
The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max

The Lockdown Effect: Implications of the COVID-19 Pandemic on Internet Traffic Oliver Gasser, Max Planck Institute for Informatics Virtual 27-30 Oct 2020 RIPE81 Meeting COVID-19 and the Internet COVID-19 and the Internet 1 COVID-19 and

1.17k views • 55 slides
Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Internet Traffic and Content Consolidation Craig Labovitz Chief Scientist, Arbor Networks S.

Internet Traffic and Content Consolidation Craig Labovitz Chief Scientist, Arbor Networks S.

Internet Traffic and Content Consolidation Craig Labovitz Chief Scientist, Arbor Networks S. Iekel-Johnson, D. McPherson J. Oberheide, F. Jahanian Arbor Networks, Inc. University of Michigan Talk Outline Describe two-year traffic

417 views • 22 slides
Traffic Policing in the Internet Yuchung Cheng, Neal Cardwell IETF 97 maprg. Nov 2016 1

Traffic Policing in the Internet Yuchung Cheng, Neal Cardwell IETF 97 maprg. Nov 2016 1

Traffic Policing in the Internet Yuchung Cheng, Neal Cardwell IETF 97 maprg. Nov 2016 1 Policing on YouTube videos 2 Token bucket traffic policer Tokens filled at 1Mbps up to the bucket size (== burst) Packets arriving at 3Mbps Packet

560 views • 30 slides
Global Wasp There is the Internet there is Global Wasp Overview Internet providers get payment

Global Wasp There is the Internet there is Global Wasp Overview Internet providers get payment

Global Wasp There is the Internet there is Global Wasp Overview Internet providers get payment every month from us for the traffic we use as well as for that which we havent used. That same unused traffic is then sold to us once again the

226 views • 21 slides
A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile

A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile

A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile network Whats the Internet Roughly Hierarchical At center: tier-1 ISPs (e.g., UUNet, Level 3, Sprint, AT&amp;T), Network

953 views • 25 slides
Computer Networks 2 Schedule Exam 3 Friday, April 20 th

Computer Networks 2 Schedule Exam 3 Friday, April 20 th

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Computer Networks 2 Schedule Exam 3 Friday, April

787 views • 44 slides
Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web

Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web

Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web The Course Source: Wikipedia Source: Wikipedia Source: Wikipedia Source: Wikipedia Source: Wikipedia The Big Picture Memory Processor

1.18k views • 80 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 7, Nov. 15, 2010 Malicious Software, Denial of Service Nov. 15, 2010 DD2395 Sonja Buchegger 1 Malicious

589 views • 48 slides
Network Security I: Overview April 13, 2015 Lecture by: Kevin Chen Slides credit: Vern Paxson,

Network Security I: Overview April 13, 2015 Lecture by: Kevin Chen Slides credit: Vern Paxson,

Network Security I: Overview April 13, 2015 Lecture by: Kevin Chen Slides credit: Vern Paxson, Dawn Song 1 network security 2 s T o d a y L e c t u r e Networking overview + security issues Keep in mind, networking is:

1.02k views • 71 slides
IP Fast ReRoute: Loop Free Alternates Revisited Gbor Rtvri, Jnos Tapolcai High Speed

IP Fast ReRoute: Loop Free Alternates Revisited Gbor Rtvri, Jnos Tapolcai High Speed

IP Fast ReRoute: Loop Free Alternates Revisited Gbor Rtvri, Jnos Tapolcai High Speed Networks Laboratory Department of Telecommunications and Media Informatics Budapest University of Technology and Economics Email: {retvari,

318 views • 18 slides
Mobility Management Protocols for Wireless Networks By Sanaa Taha outline Mobility

Mobility Management Protocols for Wireless Networks By Sanaa Taha outline Mobility

Mobility Management Protocols for Wireless Networks By Sanaa Taha outline Mobility Management Mobility Management Models Host-based Mobility Management Protocols Network- based Mobility Management Protocols Which is the

319 views • 19 slides
McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key:

1 2 McTiny: Encoding and decoding McEliece for tiny network servers 1978 McEliece public key: Daniel J. Bernstein, matrix G over F 2 . uic.edu , rub.de Normally m mG is injective. Tanja Lange, tue.nl Fundamental literature: 1962

2.16k views • 132 slides

More recommend