detecting network outages using different sources of data
play

Detecting network outages using different sources of data TMA - PowerPoint PPT Presentation

Oct 06, 2023 •220 likes •817 views

Detecting network outages using different sources of data TMA Experts Summit, Paris, France Cristel Pelsser University of Strasbourg / ICube June, 2019 1 / 44 Some perspective on: From unsollicited traffic Detecting Outages using

  1. Detecting network outages using different sources of data TMA Experts Summit, Paris, France Cristel Pelsser University of Strasbourg / ICube June, 2019 1 / 44

  2. Some perspective on: • From unsollicited traffic Detecting Outages using Internet Background Radiation. Andr´ eas Guillot (U. Strasbourg), Romain Fontugne (IIJ), Philipp Winter (CAIDA), Pascal M´ erindol (U. Strasbourg), Alistair King (CAIDA), Alberto Dainotti (CAIDA), Cristel Pelsser (U. Strasbourg). TMA 2019. • From highly distributed permanent TCP connections Disco: Fast, Good, and Cheap Outage Detection. Anant Shah (Colorado State U.), Romain Fontugne (IIJ), Emile Aben (RIPE NCC), Cristel Pelsser (University of Strasbourg), Randy Bush (IIJ, Arrcus). TMA 2017. • From large-scale traceroute measurements Pinpointing Anomalies in Large-Scale Traceroute Measurements. Romain Fontugne (IIJ), Emile Aben (RIPE NCC), Cristel Pelsser (University of Strasbourg), Randy Bush (IIJ, Arrcus). IMC 2017. 2 / 44

  3. Understanding Internet health? (Motivation) • To speedup failure identification and thus recovery • To identify weak areas and thus guide network design 3 / 44

  4. Understanding Internet health? (Problem 1) Manual observations and operations • Traceroute / Ping / Operators’ group mailing lists • Time consuming • Slow process • Small visibility → Our goal: Automaticaly pinpoint network disruptions (i.e. congestion and network disconnections) 4 / 44

  5. Understanding Internet health? (Problem 2) A single viewpoint is not enough → Our goal: mine results from deployed platforms → Cooperative and distributed approach → Using existing data, no added burden to the network 5 / 44

  6. Outage detection from unsollicited traffic

  7. Dataset: Internet Background Radiation Internet P1 is advertised to the Internet P1 7 / 44

  8. Dataset: Internet Background Radiation Internet Scans, responses P1 is advertised to to spoofed tra ffi c the Internet P1 7 / 44

  9. Dataset: Internet Background Radiation Spoofed traffic Sends tra ffi c with source in P1 Internet Scans, responses P1 is advertised to to spoofed tra ffi c the Internet P1 7 / 44

  10. Dataset: Internet Background Radiation Spoofed traffic Responds to spoofed tra ffi c Sends tra ffi c with source in P1 Internet Scans, responses P1 is advertised to to spoofed tra ffi c the Internet P1 7 / 44

  11. Dataset: IP count time-series (per country or AS) Use cases: Attacks, Censorship, Local outages detection Number of unique source IP Original time series 800 600 400 200 0 2011-01-14 2011-01-17 2011-01-20 2011-01-23 2011-01-26 2011-01-29 2011-02-01 2011-02-04 2011-02-07 Time Figure 1: Egyptian revolution ⇒ More than 60 000 time series in the CAIDA telescope data. We use drops in the time series are indicators of an outage. 8 / 44

  12. Current methodology used by IODA Detecting outages using fixed thresholds 9 / 44

  13. Our goal Detecting outages using dynamic thresholds 10 / 44

  14. Outage detection process Training Validation Test Number of unique source IP Original time series 800 600 400 200 0 2011-01-14 2011-01-17 2011-01-20 2011-01-23 2011-01-26 2011-01-29 2011-02-01 2011-02-04 2011-02-07 Time 11 / 44

  15. Outage detection process Training Calibration Test Number of unique source IP Original time series 800 Predicted time series 600 400 200 0 4 7 0 3 6 9 1 4 7 1 1 2 2 2 2 0 0 0 - - - - - - - - - 1 1 1 1 1 1 2 2 2 0 0 0 0 0 0 0 0 0 - - - - - - - - - 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 2 2 2 2 2 2 2 2 2 Time Prediction and confidence interval 11 / 44

  16. Outage detection process Training Validation Test Number of unique source IP Original time series 800 Predicted time series 600 400 200 0 2011-01-14 2011-01-17 2011-01-20 2011-01-23 2011-01-26 2011-01-29 2011-02-01 2011-02-04 2011-02-07 Time • When the real data is outside the prediction interval, we raise an alarm. • We want a prediction model that is robust to the seasonality and noise in the data → We use the SARIMA model 1 . 1 More details on the methodology on wednesday. 11 / 44

  17. Validation: ground truth Characteristics • 130 known outages • Multiple spatial scales • Countries • Regions • Autonomous Systems • Multiple durations (from an hour to a week) • Multiple causes (intentional or non intentional) 12 / 44

  18. Evaluating our solution 1.0 Objectives 0.8 • Identifying the minimal number of IP True Positive Rate 0.6 addresses • Identifying a good 0.4 threshold All time series < 20 IPs 0.2 > 20 IPs Threshold 2 sigma - 95% 3 sigma - 99.5% 5 sigma - 99.99% 0.0 • TPR of 90% and 0.0 0.2 0.4 0.6 0.8 1.0 False Positive Rate FPR of 2% Figure 2: ROC curve 13 / 44

  19. 985 AP 251 Chocolatine 15 3 AP 36 633 644 445 BGP 17 DN 440 235 489 196 511 BGP Comparing our proposal (Chocolatine) to CAIDA’s tools • More events detected than the simplistic thresholding technique (DN) • Higher overlap with other detection techniques • Not a complete overlap → difference in dataset coverage → different sensitivities to outages 14 / 44

  20. Outage detection from highly dis- tributed permanent TCP connec- tions

  21. Proposed Approach Disco: • Monitor long-running TCP connections and synchronous disconnections from related network/area • We apply Disco on RIPE Atlas data, where probes are widely distributed at the edge and behind NATs/CGNs providing visibility Trinocular may not have → Outage = synchronous disconnections from the same topological/geographical area 16 / 44

  22. Assumptions / Design Choices Rely on TCP disconnects • Hence the granularity of detection is dependent on TCP timeouts Bursts of disconnections are indicators of interesting outage • While there might be non bursty outages that are interesting, Disco is designed to detect large synchronous disconnections 17 / 44

  23. Proposed System: Disco & Atlas RIPE Atlas platform • 10k probes worldwide • Persistent connections with RIPE controllers • Continuous traceroute measurements (see outages from inside) → Dataset: Stream of probe connection/disconnections (from 2011 to 2016) 18 / 44

  24. Disco Overview 1. Split disconnection stream in sub-streams (AS, country, geo-proximate 50km radius) 2. Burst modeling and outage detection 3. Aggregation and outage reporting 19 / 44

  25. Why Burst Modeling? Goal: How to find synchronous disconnections? • Time series conceal temporal characteristics • Burst model estimates disconnections arrival rate at any time Implementation: Kleinberg burst model 2 2 J. Kleinberg. “Bursty and hierarchical structure in streams”, Data Mining and Knowledge Discovery, 2003. 20 / 44

  26. Burst modeling: Example • Monkey causes blackout in Kenya at 8:30 UTC June, 7th 2016 • Same day RIPE rebooted controllers 21 / 44

  27. Results Outage detection: • Atlas probes disconnections from 2011 to 2016 • Disco found 443 significant outages Outage characterization and validation: • Traceroute results from probes (buffered if no connectivity) • Outage detection results from Trinocular 22 / 44

  28. Validation (Traceroute) Comparison to traceroutes: • Probes in detected outages can reach traceroutes destination? → Velocity ratio: proportion of completed traceroutes in given time 0.35 Probability Mass Function Normal 0.30 Outage 0.25 0.20 0.15 0.10 0.05 0.00 0.0 0.5 1.0 1.5 2.0 R (Average Velocity Ratio) → Velocity ratio ≤ 0 . 5 for 95% of detected outages 23 / 44

  29. Validation (Trinocular) Comparison to Trinocular (2015): • Disco found 53 outages in 2015 • Corresponding to 851 /24s (only 43% is responsive to ICMP) Results for /24s reported by Disco and pinged by Trinocular: • 33/53 are also found by Trinocular • 9/53 are missed by Trinocular (avg time of outages < 1hr) • Other outages are partially detected by Trinocular 23 outages found by Trinocular are missed by Disco • Disconnections are not very bursty in these cases → Disco’s precision: 95%, recall: 67% 24 / 44

  30. Outage detection from large-scale traceroute measurements

  31. Dataset: RIPE Atlas traceroutes Two repetitive large-scale measurements • Builtin : traceroute every 30 minutes to all DNS root servers ( ≈ 500 server instances) • Anchoring : traceroute every 15 minutes to 189 collaborative servers Analyzed dataset • May to December 2015 • 2.8 billion IPv4 traceroutes • 1.2 billion IPv6 traceroutes 26 / 44

  32. Monitor delays with traceroute? Traceroute to “www.target.com” Round Trip Time (RTT) between B and C? Report abnormal RTT between B and C? 27 / 44

  33. Monitor delays with traceroute? Traceroutes from CZ to BD 300 Challenges: 250 200 RTT (ms) • Noisy data 150 100 50 0 0 2 4 6 8 10 12 Number of hops 28 / 44

  34. Monitor delays with traceroute? Traceroutes from CZ to BD 300 250 200 RTT (ms) 150 100 50 0 Challenges: 0 2 4 6 8 10 12 Number of hops • Noisy data • Traffic asymmetry 28 / 44

  35. What is the RTT between B and C? RTT C - RTT B = RTT CB ? 29 / 44

  36. What is the RTT between B and C? RTT C - RTT B = RTT CB ? • No! • Traffic is asymmetric • RTT B and RTT C take different return paths! 30 / 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting outages with telemetry Alessio Placitelli - @dexterp37 June 16th - Internet

Detecting outages with telemetry Alessio Placitelli - @dexterp37 June 16th - Internet

Detecting outages with telemetry Alessio Placitelli - @dexterp37 June 16th - Internet Measurement Village 2020 Italy, March 11th - 2020 Tales from a mid-pandemic network outage Public 2 ...failure on a foreign network... Source :

591 views • 29 slides
Using Social Sensors for Detecting Power Outages in the Electrical Utility Industry Konstantin

Using Social Sensors for Detecting Power Outages in the Electrical Utility Industry Konstantin

Using Social Sensors for Detecting Power Outages in the Electrical Utility Industry Konstantin Bauman , Alexander Tuzhilin, Ryan Zaczynski Stern School of Business, New York University WITS December 12, 2015 Power outages is a big problem

430 views • 21 slides
Detecting Peering Infrastructure Outages in the Wild Vasileios Giotsas , Christoph

Detecting Peering Infrastructure Outages in the Wild Vasileios Giotsas , Christoph

Detecting Peering Infrastructure Outages in the Wild Vasileios Giotsas , Christoph Dietzel , Georgios Smaragdakis , Anja Feldmann , Arthur Berger , Emile Aben # TU Berlin CAIDA DE-CIX MIT Akamai

1.07k views • 58 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet

Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet

Problem: Prefix/ASN Hijacking Research RIPE NCC Data Sources The algorithm: constructing unique trees Results Comments Detecting inconsistencies in INRDB data to identify MOAS cases and possible illegitimate Internet resource usage Peter

702 views • 16 slides
Data Sources; SCNL Data Sources Data sources producing waveform data can come from a remote

Data Sources; SCNL Data Sources Data sources producing waveform data can come from a remote

Data Sources; SCNL Data Sources Data sources producing waveform data can come from a remote source, via an import or a connection to a Seed Link server (ie: slink2ew), or from a local source, for example: a Quanterra digitizer (q3302ew) or

252 views • 22 slides
Data Streams Many large sources of data are generated as streams of updates: IP Network

Data Streams Many large sources of data are generated as streams of updates: IP Network

Summarizing and Mining Skewed Data Streams Graham Cormode cormode@bell-labs.com Flip Korn, S. Muthukrishnan, Divesh Srivastava Data Streams Many large sources of data are generated as streams of updates: IP Network traffic data Text:

485 views • 44 slides
Data Streams Many large sources of data are generated as streams of updates: IP Network

Data Streams Many large sources of data are generated as streams of updates: IP Network

Summarizing and Mining Skewed Data Streams Graham Cormode cormode@bell-labs.com S. Muthukrishnan muthu@cs.rutgers.edu Data Streams Many large sources of data are generated as streams of updates: IP Network traffic data Text: email/

535 views • 20 slides
Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016 Milan ermk Pavel eleda State of the Art of Network Data Analysis Methods classification based on the detection approach Statistical Soft

215 views • 17 slides
data sources, PhysIcal condItIons &amp; assessments Data Sources GIS DATA This data was

data sources, PhysIcal condItIons &amp; assessments Data Sources GIS DATA This data was

Before developing a set of recommendations for the Parks future, we assessed the physical condition of the Park. This review of the Parks status is based on a number of different sources. data sources, PhysIcal condItIons &amp;

186 views • 4 slides
Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V.

Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V.

Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V. Mahoney Philip K. Chan Intrusion Detection Systems. Is data x hostile? Signature - models known hostile behavior: P( x |attack) Good: low

237 views • 22 slides
Detecting Threats, Not Sandboxes (C (Characterizin ing Ne Network Environments to o Im

Detecting Threats, Not Sandboxes (C (Characterizin ing Ne Network Environments to o Im

Detecting Threats, Not Sandboxes (C (Characterizin ing Ne Network Environments to o Im Improve Mal alware Clas lassification) Blake Anderson (blake.anderson@cisco.com), David McGrew (mcgrew@cisco.com) FloCon 2017 January, 2017 Data

645 views • 21 slides
Modeling Transmission Outages in the CRR Network Model Lorenzo Kristov Market &amp; Product

Modeling Transmission Outages in the CRR Network Model Lorenzo Kristov Market &amp; Product

California Independent System Operator Corporation Modeling Transmission Outages in the CRR Network Model Lorenzo Kristov Market &amp; Product Development Dept. CRR Stakeholder Meeting June 14, 2007 California Independent System Operator

351 views • 21 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources Bastian

Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources Bastian

Integrated Visualization of Network Security Metadata from Heterogeneous Data Sources Bastian Hellmann Trust@HsH Research Group University of Applied Sciences and Arts in Hanover July 13th 2015 GraMSec 2015 Verona, Italy Bastian Hellmann

547 views • 15 slides
Detecting adaptive differentiation in structured populations with genomic data and common gardens

Detecting adaptive differentiation in structured populations with genomic data and common gardens

Detecting adaptive differentiation in structured populations with genomic data and common gardens Emily Josephs @emjosephs Photo credits: Brook Moyers, Hoekstra lab, Whitehead + Crawford 2006 Detecting local adaptation requires knowing about

767 views • 59 slides
Probing Primordial Magnetic Fields with Cosmic Microwave Background Radiation T R Seshadri

Probing Primordial Magnetic Fields with Cosmic Microwave Background Radiation T R Seshadri

Probing Primordial Magnetic Fields with Cosmic Microwave Background Radiation T R Seshadri Department of Physics and Astrophysics University of Delhi IIT Madras, May 17, 2012 Collaborators: K. Subramanian, Pranjal Trivedi, John Barrow T R

569 views • 32 slides
Internet Background Radiation Seminar in Distributed Computing Jeremia Br Internet Background

Internet Background Radiation Seminar in Distributed Computing Jeremia Br Internet Background

Internet Background Radiation Seminar in Distributed Computing Jeremia Br Internet Background Radiation? Network packets to unassigned addresses. Useless Traffic Internet Background Radiation, 2 Jeremia Br, 2. April 2014 Why would I

286 views • 28 slides
The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary

The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary

The Universe: What We Know and What we Don t Fundamental Physics Cosmology Elementary Particle Physics 1 Cosmology Study of the universe at the largest scale How big is the universe? Where did the universe come from?

577 views • 38 slides
Clojure in the Wild Web 7 Reflections Ignacio Thayer, ReadyForZero.com Summer 2010: The

Clojure in the Wild Web 7 Reflections Ignacio Thayer, ReadyForZero.com Summer 2010: The

Clojure in the Wild Web 7 Reflections Ignacio Thayer, ReadyForZero.com Summer 2010: The Beginning 2 person team Validation is key No communication overhead &quot;No conventions required&quot; 1: Frameworks: easy things are

470 views • 22 slides
I ntroduction I ntrusion Detection How prevalent are DoS attacks? Backscatter and Global

I ntroduction I ntrusion Detection How prevalent are DoS attacks? Backscatter and Global

I ntroduction I ntrusion Detection How prevalent are DoS attacks? Backscatter and Global Analysis Quantitative analysis Long term predictions and Stefan Zota recurring patterns of attacks Measurement and Global Analysis The UNIVERSITY

474 views • 14 slides
The Resistive Plate Chamber detectors at the Large Hadron Collider experiments Roberto Guida

The Resistive Plate Chamber detectors at the Large Hadron Collider experiments Roberto Guida

The Resistive Plate Chamber detectors at the Large Hadron Collider experiments Roberto Guida PH-DT-DI CERN PH Detector Seminar October 2 nd , 2009 Outline Introduction to the RPC detector Where are the RPC detectors at LHC Main

838 views • 83 slides
The Beginning of Time Chapter 23 23.1 The Big Bang Our goals for learning What were

The Beginning of Time Chapter 23 23.1 The Big Bang Our goals for learning What were

The Beginning of Time Chapter 23 23.1 The Big Bang Our goals for learning What were conditions like in the early universe? What is the history of the universe according to the Big Bang theory? What were conditions like in the

607 views • 59 slides
Filtering Sources of Unwanted Traffic (or: dealing with good, bad and ugly IP addresses)

Filtering Sources of Unwanted Traffic (or: dealing with good, bad and ugly IP addresses)

Filtering Sources of Unwanted Traffic (or: dealing with good, bad and ugly IP addresses) F.Soldo, K. El Defrawy, A. Markopoulou UC Irvine B. Krishnamurthy, K. van der Merwe AT&amp;T Labs-Researh Outline Background/Motivation

445 views • 30 slides

More recommend