identifying network traffic activity via flow sizes
play

Identifying Network Traffic Activity Via Flow Sizes Overview - PowerPoint PPT Presentation

Sep 11, 2023 •395 likes •580 views

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying activity via payload Theory behind the idea Measuring NetFlow Measuring DNS traffic captures Implications and future work Motivation

  1. Identifying Network Traffic Activity Via Flow Sizes

  2. Overview • Motivation – identifying activity via payload • Theory behind the idea • Measuring NetFlow • Measuring DNS traffic captures • Implications and future work

  3. Motivation • Users don’t have the common decency to send plaintext all over the place anymore • HTTPS prevalence • OTR encryption for IM • SSL for email

  4. This Expands on Previous Work • 2007 Paper on BitTorrent detection that focused on multiple behaviors – fumbling, file transfers, &c • Now doing in depth study of control messages to see what we can find – Advantage – this time, have payload • Questions: – Size of control messages – Distribution of control messages – Frequency of combinations?

  5. Identifying Protocols Via Flow Sizes • Hypothesis: traffic consists of three families of data – “Chatter” • Short (< MTU) , roughly symmetric packets of variable size • SSH, Telnet, IRC, ICQ, AIM – Transfer • MTU packets, met by payload-zero packets • FTP, Mail, HTTP – Control • < MTU packets, fixed sizes “fill in the blank” templates • All protocols

  6. Differentiate Via Control Message Sizes Histogram CDF SMTP HTTP

  7. Done Some of This Already • 2007 paper on p2p identification showed that you could find BitTorrent by looking for specific behaviors – Control packet sizes were one particular behavior • However… – What are the actual packets? – What are the sizes • Didn’t have ground truth in previous work – Now have access to it via DNS records

  8. DNS Analysis • Using DNS data, we can compare the exact messages sent against packet sizes • See what messages produce what packet sizes • Determine if we can predict messages via sizes • Can’t predict content , but we can guess what the user was looking for

  9. The DNS Datagram Q A T R R • State is maintained by OpCode Z RCODE R A D A C Query ID • Other flags set various info – authoritative, recursive, &c • Response is sent in one Query ID or more RR’s (resource QDCount ANCount records) NSCount ARCount Resource Records… 16 0 31

  10. Resource Records and DNS Information • DNS handles a lot of information – Name lookup – Name ownership – Authentication – Redirection – Email

  11. Ripping Apart DNS Message Contents • A DNS message contains 1 or more RR’s (resource records) – Different RR’s serve different purposes – Each RR has a different format, although most contain at least one variable length domain name • Multiple different RR’s may be sent to comprise a single message • There’s no requirement that the RR’s actually be related to the original query, they may be annotative information • ~40 RR’s currently defined, including a couple of optional ones • Responses are rarely just one message

  12. Multiple Records Will Appear Simultaneously A AAAA CNAME MX NS OPT SOA TXT A 99.33 100.00 52.56 98.15 99.33 99.30 99.59 50.00 AAAA 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 CNAME 0.69 0.00 1.30 0.00 1.30 1.36 0.00 0.00 MX 1.88 0.00 0.00 1.90 1.90 0.11 69.18 50.00 NS 100.00 100.00 100.00 100.00 100.00 100.00 100.00 100.00 OPT 49.56 0.00 52.03 2.94 49.57 49.57 0.41 50.00 SOA 2.65 0.00 0.00 96.29 2.65 0.02 2.65 50.00 TXT 0.00 0.00 0.00 0.05 0.00 0.00 0.04 0.00 Table provides P(record of row type|record of column type); blue • columns are P(record of row type) Some records (NS,A) are common • Some (SOA) have a strong dependency P(SOA|MX)=96% • Records will show up in group (5,10 NS records common) •

  13. What Are These Messages? • A – IPv4 Address, 32 bit integer • AAAA – IPv6 Address, 128 bit integer • CNAME – Canonical Name, domain name string • MX – Mail record, 16 bit preference value + domain name string • NS – Nameserver name, domain name string • OPT – Option record, variable option length • SOA – 2 domain names and 128 bits of integers • TXT – Variable length text

  14. What Do We Do With DNS? • Really, three major queries – Queries returning MX – Mail lookups – Queries returning CNAME – looking up aliases (CDN’s love this) – Queries returning A on its own – simple lookups • We can split out these queries and calculate frequencies for each one

  15. Resulting In This

  16. Observations • Simple A records (least baggage) are smallest • CNAME records broken into two groups – Differentiation is by NS records – 5 NS responses – smaller group – 10 NS responses – larger group • MX is a very narrow spike (231-238 bytes) – Actual MX record is just a domain name, the rest of the offset is due to the SOA record

  17. Conclusions • Control messages in protocols can be used to differentiate the types of messages sent – We can use this information to differentiate protocols – Can use it to identify specific behaviors within protocols • Variance in domain names is not significant enough to cause ‘overlap’ in messages • Where can we go with this? – Facebook? Graph API? REST interfaces? – Markov Models?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives Network Flow Max flow Min cut March 29, 2019 CSCI211 - Sprenkle 1

Objectives Network Flow Max flow Min cut March 29, 2019 CSCI211 - Sprenkle 1

3/29/19 Objectives Network Flow Max flow Min cut March 29, 2019 CSCI211 - Sprenkle 1 Motivating Flow Network Problems Modeling transportation networks Edges: carry traffic Nodes: pass traffic between edges Can represent

646 views • 23 slides
NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr

NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr

NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr Velan Jana Medkov, Tom Jirsk, Pavel eleda Introduction We need to be able to describe the network traffic. The researchers have to be

320 views • 17 slides
Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov TWGRID/EGI What can be wrong in a cloud?! Agenda Methods Case Studies Lessons Learnt The DATA Raw Data (network packet captures)

408 views • 30 slides
Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013 Reflection and Amplification Attacks DNS abused as DDoS Tool Spamhaus hit with 300 Gigabit/second DDoS Reflected Amplification Attack

429 views • 23 slides
Identifying Network Users Using Flow-Based Behavioral Fingerprinting Barsamian, Berk, Murphy

Identifying Network Users Using Flow-Based Behavioral Fingerprinting Barsamian, Berk, Murphy

Identifying Network Users Using Flow-Based Behavioral Fingerprinting Barsamian, Berk, Murphy Presented to FloCon 2013 What Is A User Fingerprint? Users settle into unique patterns of behavior according to their tasks and interests

416 views • 23 slides
Traffic Flow Characteristics and Theory Primary Elements of Traffic Flow a. Flow Rate = q

Traffic Flow Characteristics and Theory Primary Elements of Traffic Flow a. Flow Rate = q

Traffic Flow Characteristics and Theory Primary Elements of Traffic Flow a. Flow Rate = q (vehicle per hour, vph) b. Density = k (vehicle per mile, vpm) c. Speed = u (mile per hour, mph) 2 Dr. Randa Oqab Mujalli Flow Flow (q) : is the

943 views • 20 slides
Optima and Equilibria for Traffic Flow on a Network Alberto Bressan Department of Mathematics,

Optima and Equilibria for Traffic Flow on a Network Alberto Bressan Department of Mathematics,

Optima and Equilibria for Traffic Flow on a Network Alberto Bressan Department of Mathematics, Penn State University bressan@math.psu.edu Alberto Bressan (Penn State) Optima and equilibria for traffic flow 1 / 29 A Traffic Flow Problem Car

768 views • 33 slides
Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate

Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate

Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate traffic flow characteristics using observed data Describe traffic flow models Single regime Multiple regime Develop and calibrate traffic

343 views • 30 slides
A Flow Control Strategy for Connectionless Traffic over an ATM Network Lorne G. Mason

A Flow Control Strategy for Connectionless Traffic over an ATM Network Lorne G. Mason

0 A Flow Control Strategy for Connectionless Traffic over an ATM Network Lorne G. Mason INRS-Telecommunications University of Quebec, Nuns Island, Quebec H3E 1H6 e-mail: lgmason@telusplanet.net Felisa J. V azquez-Abad Department of Computer

417 views • 13 slides
A linear programming approach to maximum flow estimation on the European air traffic network

A linear programming approach to maximum flow estimation on the European air traffic network

ROC Air Force A linear programming approach to maximum flow estimation on the European air traffic network ICRAT 2014 Kuang-Chang Pien k.pien11@imperial.ac.uk Curriculum Vitae Air Force Officer in Taiwan (1999-2003, 2005-2011) BA

508 views • 26 slides
Enhancing Network Traffic Flow by Connecting Railroad Preemption with Advanced Traveler

Enhancing Network Traffic Flow by Connecting Railroad Preemption with Advanced Traveler

ITE- North Dakota State University Chapter Presenting Enhancing Network Traffic Flow by Connecting Railroad Preemption with Advanced Traveler Information System Organized by NOCoE and U.S. DOT ITS JPO PCB 1 Current System Overview Prosper

378 views • 15 slides
Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang

Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang

Optimizing Flow Bandwidth Consumption with Traffic-diminishing Middlebox Placement Yan Yang Chen en, Jie Wu, and Bo Ji Center for Networked Computing Temple University, USA VNF: Evolution of Network Service l Network Function Virtualization

315 views • 19 slides
Is Anybody Home? Inferring Activity from Smart Home Network Traffic Bogdan Copos Matt Bishop

Is Anybody Home? Inferring Activity from Smart Home Network Traffic Bogdan Copos Matt Bishop

Is Anybody Home? Inferring Activity from Smart Home Network Traffic Bogdan Copos Matt Bishop Karl Levitt Jeff Rowe University of California, Davis 1 / 21 2 / 21 3 / 21 4 / 21 Security Many things can go wrong... malicious firmware

803 views • 36 slides
Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow

Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow

Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow of items through a network Example Transporting goods through the road/rail/air network Flow of fluids (oil, water,..) through pumping

949 views • 84 slides
Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we

Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we

1 Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we can bring from a source to a sink (infinite) (intermediates cannot hold water) 6 Network Flow terminology Definitions: c(u,v)

576 views • 34 slides
traffic flow estimation from cellular network data Masters thesis presentation Nils Breyer

traffic flow estimation from cellular network data Masters thesis presentation Nils Breyer

traffic flow estimation from cellular network data Masters thesis presentation Nils Breyer August 27, 2015 LiU/ITN, UC Berkeley (USA) why are linkflows of interest? Linkflow number of vehicles or people using a link during a certain time

786 views • 53 slides
Germanys Specialist for Power Generation AGGRETECH History 1948 1950 The first years

Germanys Specialist for Power Generation AGGRETECH History 1948 1950 The first years

Germanys Specialist for Power Generation AGGRETECH History 1948 1950 The first years Ludwig Grndl establishes a genset Opening of the first genset assembly facility. maintenance and repair center in Ruhstorf, Germany. Expanding

352 views • 17 slides
April 2019 ASX:KIS K I N G I S L A N D S C H E E L I T E Investment Highlights HIGH GRADE

April 2019 ASX:KIS K I N G I S L A N D S C H E E L I T E Investment Highlights HIGH GRADE

April 2019 ASX:KIS K I N G I S L A N D S C H E E L I T E Investment Highlights HIGH GRADE Worlds highest grade deposit known to exist LOW COST Low OPEX &amp; CAPEX compared to peers APPROVALS GRANTED Mining license, Environmental

642 views • 17 slides
MTU Press Conference Engines of the future MTUs contribution to meeting tomorrows

MTU Press Conference Engines of the future MTUs contribution to meeting tomorrows

MTU Press Conference Engines of the future MTUs contribution to meeting tomorrows market requirements Reiner Winkler, CEO Michael Schreygg, Chief Program Officer Berlin, May 21, 2014 Commercial aviation is a global Multi

336 views • 15 slides
Mobile Treatment Unit for septage emptying and safe disposal in Dindigul, India Aaron

Mobile Treatment Unit for septage emptying and safe disposal in Dindigul, India Aaron

Mobile Treatment Unit for septage emptying and safe disposal in Dindigul, India Aaron Forbis-Stokes 1,2 Arumugam Kalimuthu 3 , L. Peter 3 , Marc Deshusses 1 1 Duke University, Dept. of Civil &amp; Environmental Engineering, Durham, NC, USA 2

394 views • 17 slides
s Mee Meeting ting S toc khol der www.ADOMANIelectric.com May, 8 2019 NASDAQ: NASDAQ: AD

s Mee Meeting ting S toc khol der www.ADOMANIelectric.com May, 8 2019 NASDAQ: NASDAQ: AD

Providing healthier air for all while reducing dependency on fossil fuels. 2019 Annual s Mee Meeting ting S toc khol der www.ADOMANIelectric.com May, 8 2019 NASDAQ: NASDAQ: AD OM Disclaimer This presentation has been prepared by

437 views • 27 slides
Cargo turnover by stevedores, Mt (2015) 90% of grain export transported through Total 144.6 Mt

Cargo turnover by stevedores, Mt (2015) 90% of grain export transported through Total 144.6 Mt

WATERWAYS IN UKRAINE MINISTRY OF INFRASTRUCTURE OF UKRAINE March 2016 Cargo turnover by stevedores, Mt (2015) 90% of grain export transported through Total 144.6 Mt (2015) seaports 16.8 Attraction of private investments to State

306 views • 8 slides
Core Performances and Safety Implications of TRU Burning Medium to Large Fast Reactor Core

Core Performances and Safety Implications of TRU Burning Medium to Large Fast Reactor Core

Core Performances and Safety Implications of TRU Burning Medium to Large Fast Reactor Core Concepts The 10th IEMPT Mito, Japan 6-10 October 2008 Hoon Song, Sang-Ji Kim, Jinwook Jang, Yeong-Il Kim IEMPT, Mito, 6-10 October 2008 1 Outline I

281 views • 17 slides
Measuring and Characterizing IPv6 Router Availability Robert Beverly , Matthew Luckie ,

Measuring and Characterizing IPv6 Router Availability Robert Beverly , Matthew Luckie ,

Measuring and Characterizing IPv6 Router Availability Robert Beverly , Matthew Luckie , Lorenza Mosley , kc claffy Naval Postgraduate School UCSD/CAIDA March 20, 2015 PAM 2015 - 16th Passive and Active Measurement

519 views • 35 slides

More recommend