internet traffic analysis modeling with real world aspects
play

Internet Traffic: Analysis, Modeling with real-world aspects Pierre - PowerPoint PPT Presentation

Oct 25, 2022 •104 likes •716 views

Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon, Laboratoire de Physique (UMR

  1. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS – ENS Lyon, Laboratoire de Physique (UMR 5672) TERA-NET – 07/2010

  2. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + • Internet traffic metrology: some basics • Analysis: Scale Invariance, LRD, Robust Estimation • Modeling: LRD / Heavy-Tails • Anomaly Detection; Host classification • Acknowledgements • P Abry, G Dewaele, P Flandrin, A Scherrer, P Gonçalves, P Loiseau, P Primet (Lyon, ENSL, CNRS & INRIA) • Ph Owezarksi, N Larrieu (LAAS-CNRS) Metrosec (ACI Sécurité & Informatique), ANR OSCAR JL Guillaume, M Latapy, C Magnien (LIP6) • K Fukuda, R Fontugne, Y Himura (NII), K Cho (IIJ) (Tokyo) • D Veitch, N Hohn (Melbourne Univ.) • O Michel (GIPSA-lab, INPGrenoble)

  3. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + • Internet traffic metrology: some basics • Analysis: Scale Invariance, LRD, Robust Estimation • Modeling: LRD / Heavy-Tails • Anomaly Detection; Host classification • Acknowledgements • P Abry, G Dewaele, P Flandrin, A Scherrer, P Gonçalves, P Loiseau, P Primet (Lyon, ENSL, CNRS & INRIA) • Ph Owezarksi, N Larrieu (LAAS-CNRS) Metrosec (ACI Sécurité & Informatique), ANR OSCAR JL Guillaume, M Latapy, C Magnien (LIP6) • K Fukuda, R Fontugne, Y Himura (NII), K Cho (IIJ) (Tokyo) • D Veitch, N Hohn (Melbourne Univ.) • O Michel (GIPSA-lab, INPGrenoble)

  4. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Traffic & Network Measurement Overview of networks properties • Heterogeneity (of information, devices, topologies, geography,...) • Evolve with time (new services, increased usage,...) • Complexity • individual elements � behaviour of the whole • interplay: architecture / protocols / usages • Crucial choice: level of description • Information flows? → Signals • Network’s level? → Graphs, or Multivariate Signals → Need for a statistical approach

  5. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Traffic & Network Measurement: What for? • Analysis of networks: (protocols, routeurs, provisioning,...) • Modeling of traffic and of its properties • Classification or recognition of traffic (with new needs: Peer to Peer, real-time, wireless,...) • Définition of service agreements (Pricing, QoS, Committed QoS...) • Security of Networks; Intrusion Detection Systems; Anomaly Detection (DDoS, scans, computer virus, worms, outages...) [ACI METROPOLIS 2001, AS Métrologie des réseaux de l’Internet 2003, ACI METROSEC 2007,...]

  6. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Passive Measurements of traffic • On networks: Internet Protocol → Packets+information • Monitoring facilities: add a time-stamp to data (dynamics) • link level , monitor packets: intercept (port-mirroring, splitter,...); capture (tcpdump, DAG, GNET,...); filter (...) Time IP Source Destination Source Destination protocol Address Address Port Port → Point processes (marked) • node level (routeur) → multivariate data Device: routeur ! Netflow (CISCO), flow-tools (Juniper) • network level → multivariate data, graph Synchronising several link or node monitoring?

  7. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Passive Measurements of traffic • → Huge stream of data. • Aggregated cout process = # of packets during ∆ Bin Size Time Time 2 3 2 4 5 2 3 4 4 3 5 3 8 Time 6 # Packets 4 2 0 0 0.2 0.4 0.6 0.8 1 time (s) ∆ = 1ms 10000 5000 0 0 10 20 30 40 50 60 time (min) ∆ = 1s • Problematic: understand the features of traffic

  8. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Short Biblio. on Longitudinal Traffic Analysis • Many works during the past 15 years. • Some Focus on newest application at the time: • FTP , Mail in early 90’s [kc claffy et al. , Comm. ACM 94] • Web, mid-90’s [Crovella & Bestravos, ToN 95] • P2P , early 2000’s [Karagiannis et al. , Globecom’04] • Video Streams, late 2000’s [Cha et al. , IMC’07] • ... • Anomalies: History of Scanning [Allman et al. , IMC’07] • Wireless, Mobile,... • Some focus on non-classical statistical properties: • ‘Failure of Poisson modeling’ / Self-similarity / Scaling / LRD [Leland et al. , 94] [Paxson & Floyd, 95], [Willinger et al. , 97], [Veitch & Abry, 01], [Cao et al. , 02], [Karagiannis et al. , 04], [Hohn et al. , 05], [Robeiro et al. , 05]

  9. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet traffic: not a simple renewal process The Failure of Poisson Modeling. Paxson & Floyd 1994 • If Internet ≃ phone • Packets would follow a Poisson process • Short-range correlations only • Aggregated traffic: Gaussian law (per Central Limit Thm) • The thruth: much more variabilities and burstiness ∆ =1ms ∆ =1ms 1s 1s ∆ =10ms ∆ =10ms 1s 1s ∆ =1s ∆ =1s 100s 100s IP Traffic Poisson Traffic

  10. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet traffic: not a simple renewal process The Failure of Poisson Modeling. Paxson & Floyd 1994 • If Internet ≃ phone • Packets would follow a Poisson process • Short-range correlations only • Aggregated traffic: Gaussian law (per Central Limit Thm) • The thruth: much more variabilities and burstiness ∆ =1ms 1s Slope −0.7 log10(Frequency) ∆ =10ms 1s ∆ =1s 100s 0 1 2 3 4 5 6 log10(#Pkts per flow) • # packets per ∆ � = Poisson distrib. • waiting times � = Exponential distribution • correlations � = short-range only

  11. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Traffic series: aggregation at several time-scales δ =12ms 10000 5000 0 50 100 150 200 250 300 350 400 450 500 δ =12 * 8 ms 8000 6000 4000 2000 0 50 100 150 200 250 300 350 400 450 500 δ =12 * 8 * 8 ms 6000 4000 2000 0 50 100 150 200 250 300 350 400 450 500 4000 δ =12 * 8 * 8 *8 ms 2000 0 50 100 150 200 250 300 350 400 450 500 • Same kinds of fluctuations seens at all the different levels

  12. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Marginal probability distributions Traffic trace LBL-TCP-3 (1994) • Empirical histograms of the # of packets per ∆ • Estimation: count the number of occurrences 0.7 0.1 0.02 0.6 0.08 0.5 0.015 0.06 0.4 0.01 0.3 0.04 0.2 0.005 0.02 0.1 0 0 0 0 2 4 6 8 10 0 10 20 30 40 50 0 50 100 150 200 250 ∆ = 4ms ∆ = 32ms ∆ = 256ms Gaussian: p ( x ) = e − ( x − µ ) 2 / 2 σ 2 • Exp. p ( x ) = e − x /β /β √ 2 πσ � α − 1 1 � x � − x � • Fit/Model: Gamma Γ α,β ( x ) = exp . β Γ( α ) β β

  13. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Marginal probability distributions Traffic trace LBL-TCP-3 (1994) • Empirical histograms of the # of packets per ∆ • Estimation: count the number of occurrences 0.7 0.1 0.02 0.6 0.08 0.5 0.015 0.06 0.4 0.01 0.3 0.04 0.2 0.005 0.02 0.1 0 0 0 0 2 4 6 8 10 0 10 20 30 40 50 0 50 100 150 200 250 ∆ = 4ms ∆ = 32ms ∆ = 256ms Gaussian: p ( x ) = e − ( x − µ ) 2 / 2 σ 2 • Exp. p ( x ) = e − x /β /β √ 2 πσ � α − 1 1 � x � − x � • Fit/Model: Gamma Γ α,β ( x ) = exp . β Γ( α ) β β

  14. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Long-Range Dependence (or Long Memory) The Self-Similar Nature of Ethernet Traffic. Leland, Taqqu, Willinger & Wilson 1993 Property of Long-Range Dependence (LRD) Covariance tends to a non-summable power-law (at large lags) ⇒ Spectrum F X ( ν ) ∼ c | ν | − γ , | ν | → 0 , avec 0 < γ < 1 . • Spectrum – (Wiener-Khintchine) → Correlation Z T 2 ˛ ˛ 1 Z ˛ e − i 2 πν t X ( t ) d t ˛ C X ( τ ) e − i 2 πντ d τ F X ( ν ) = = ˛ ˛ T ˛ ˛ 0 Self-similarity: statistical invariance under dilatation A random process { X ( t ) , t ≥ 0 } is self-similar with index H (“ H -ss”) if for all dilation factor λ > 0 , X ( λ t ) d = λ H X ( t ) , t > 0 . • H -ss for H > 0 . 5 ⇒ LRD.

  15. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Time-Scale Representation Definition : Wavelet transform Shifted (time) and dilated (scale) versions of ψ 0 : ψ j , k ( t ) = 2 − j / 2 ψ 0 ( 2 − j t − k ) . Wavelet coefficients: d X ∆ ( j , k ) = � ψ j , k , X ∆ � . Efficient Algo. [Mallat 1989]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming Liu Yanjie Fu, Jingci Ming, Yong Ren Leilei Sun, Hui Xiong Rutgers University, USA Futurewei Technology. Inc,. USA Background 2/27 Explosive

297 views • 26 slides
Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

6/7/2011 Outline State of the Internet Internet Governance Forum the World Malta Internet Traffic Statistics Introduction Usage and trends Internet Governance Definition/s History and today Launch of Malta I

84 views • 6 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance analysis Anomaly and intrusion detec=on Network engineering Traffic at different granulari=es IP-level packets Capture per-packet

539 views • 40 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Why is Internet traffic self-similar? Allen B. Downey Wellesley College No Micro$oft products

Why is Internet traffic self-similar? Allen B. Downey Wellesley College No Micro$oft products

Why is Internet traffic self-similar? Allen B. Downey Wellesley College No Micro$oft products were used in the preparation of this talk. What is self-similarity? Real-world: visually similar over range of spatial scales. Fractals:

641 views • 28 slides
Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

19 Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019 https://ieeexplore.ieee.org/document/8737483 Motivations Reliable traffic modelling is important for network planning, deployment and management;

447 views • 29 slides
Modeling the real world with Elixir and OTP Aish Raj Dahal Concurrency, Events and Why are

Modeling the real world with Elixir and OTP Aish Raj Dahal Concurrency, Events and Why are

Modeling the real world with Elixir and OTP Aish Raj Dahal Concurrency, Events and Why are we the Real World here? Case study of an Elixir use Tour of the BEAM and OTP Demo time! Epilogue How did we get here ? Can

1.13k views • 89 slides
An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates

An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates

An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates integration of streaming audio Radio juke boxes A. Mena and J. Heidemann Broadcast radio USC/Information Sciences Institute Live

414 views • 7 slides
Modeling and Analysis Issues in the Future Internet Hisashi Kobayashi Princeton University, USA

Modeling and Analysis Issues in the Future Internet Hisashi Kobayashi Princeton University, USA

Modeling and Analysis Issues in the Future Internet Hisashi Kobayashi Princeton University, USA NICT, Japan Keynote Speech at The 24 th International Teletraffic Congress, Krakow, Poland September 4-7, 2012 Outline The Internet: Its

1.96k views • 45 slides
An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis,

An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis,

An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis, Luis Pedrosa, Yuchung Cheng, Tayeb Karim, Ethan Katz-Bassett, Ramesh Govindan policing-paper@google.com 1 Internet Service Provider Content

588 views • 39 slides
TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

H2020-ICT-15 GA 688722 TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute Summer school on real-world crypto and privacy 9 th June 2016 *Thanks to George Danezis for sharing slides Privacy in

862 views • 33 slides
Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

714 views • 40 slides
on the Internet of Things Software Project What is the Internet of Things? A system in which

on the Internet of Things Software Project What is the Internet of Things? A system in which

on the Internet of Things Software Project What is the Internet of Things? A system in which objects in the physical world can be connected to the Internet by sensors and actuators (coined 1999 by Kevin Ashton) Key aspects: E2E

343 views • 10 slides
Challenges of real-world data We face an explosion in data from e.g.: Internet

Challenges of real-world data We face an explosion in data from e.g.: Internet

Challenges of real-world data We face an explosion in data from e.g.: Internet transactions Satellite measurements Advances in Environmental sensors Privacy-Preserving Machine Learning

373 views • 6 slides
Internet Traffic Monitoring Tools and Analysis Presenta5on for

Internet Traffic Monitoring Tools and Analysis Presenta5on for

Internet Traffic Monitoring Tools and Analysis Presenta5on for Terena Javier Aracil Javier.aracil@uam.es Nov 15, 2013 Goals of this mee5ng We have been

228 views • 6 slides
Outline Basics of network security Network Security Definitions CS 239 Sample

Outline Basics of network security Network Security Definitions CS 239 Sample

Outline Basics of network security Network Security Definitions CS 239 Sample attacks Computer Software Defense mechanisms March 1, 2004 Lecture 12 Lecture 12 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004 Some

535 views • 8 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 8 Denial of Service DD2395 Sonja Buchegger 1 Course Admin l WANTED: Student representatives for the

1.29k views • 37 slides
Erlang's Open Telecom Platform (OTP) Framework Steve Vinoski Architect, Basho Technologies

Erlang's Open Telecom Platform (OTP) Framework Steve Vinoski Architect, Basho Technologies

Erlang's Open Telecom Platform (OTP) Framework Steve Vinoski Architect, Basho Technologies Cambridge, MA USA vinoski@ieee.org @stevevinoski http://steve.vinoski.net 1 Monday, June 18, 12 1 Erlang 2 Monday, June 18, 12 2 Functional

2.15k views • 188 slides
Ch02. Constrained Optimization Ping Yu Faculty of Business and Economics The University of Hong

Ch02. Constrained Optimization Ping Yu Faculty of Business and Economics The University of Hong

Ch02. Constrained Optimization Ping Yu Faculty of Business and Economics The University of Hong Kong Ping Yu (HKU) Constrained Optimization 1 / 38 Equality-Constrained Optimization 1 Lagrange Multipliers Caveats and Extensions

537 views • 39 slides
Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1 CS 136, Winter 2008 Outline Basics of network security Definitions Sample attacks Defense mechanisms Lecture 11 Page 2 CS 136,

613 views • 50 slides
A Simulation-Driven Approach for Assessing Risks of Complex Systems Fabrizio Baiardi 1 Claudio

A Simulation-Driven Approach for Assessing Risks of Complex Systems Fabrizio Baiardi 1 Claudio

Complex Systems A Simulation-Based Approach Current Prototype Conclusions A Simulation-Driven Approach for Assessing Risks of Complex Systems Fabrizio Baiardi 1 Claudio Telmon 1 Daniele Sgandurra 2 1 Dipartimento di Informatica, Universit` a

601 views • 29 slides
Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author:

Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author:

Yang Models for I2NSF Capabilities draft-hares-i2nsf-capabilities-yang Susan Hares Co-author: Robert Moskowitz` Capability Model (Xia, et al.) External Meta External ECA Model Model Capability sub-model Attack Mitigation Network Security

258 views • 15 slides
Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

3/28/19 Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell at me if I dont notice?) Profs Peter Steenkiste &amp; Justine Sherry &amp; (Guest Lecturer) Sannan Slides almost entirely copied from

288 views • 18 slides

More recommend