network traffic classification from theory to practice
play

Network traffic classification: From theory to practice Pere - PowerPoint PPT Presentation

Sep 27, 2023 •1.25k likes •1.67k views

Network traffic classification: From theory to practice Pere Barlet-Ros Associate Professor at UPC BarcelonaTech Co-founder and Chairman at Polygraph.io Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta

  1. Network traffic classification: From theory to practice Pere Barlet-Ros Associate Professor at UPC BarcelonaTech Co-founder and Chairman at Polygraph.io Joint work with: Valentín Carela-Español, Tomasz Bujlow and Josep Solé-Pareta

  2. Background • What do we refer to as traffic classification ? – Identifying the application that generated each flow • What is traffic classification used for? – Network planning and dimensioning – Per-application performance evaluation – Traffic steering / QoS / SLA validation – Charging and billing

  3. State of the Art: Ports • Port-based – Computationally lightweight – Payloads not needed – Easy to understand and program – Low accuracy and completeness

  4. State of the Art: DPI • Deep packet inspection (DPI) – High accuracy and completeness – Computationally expensive – Needs payload access – Privacy concerns – Cannot work with encrypted traffic

  5. State of the Art: ML • Machine Learning – High accuracy and completeness – Computationally viable – Payloads not needed – Can work with encrypted traffic – Needs retraining

  6. Main limitations of ML-TC • Introduction in real products and operational environments is limited and slow – Current proposals suffer from practical problems – Actual products rely on simpler methods or DPI • We identified 3 main real-world problems 1) The deployment problem 2) The maintenance problem 3) The validation problem

  7. 1) Deployment problem • Current solutions are difficult to deploy – Need dedicated hardware appliances / probes – Need packet- level access (e.g. compute features, …) • How to address this problem? – Work with flow level data (e.g. Netflow) – Support packet sampling (e.g. Sampled Netflow)

  8. NetFlow w/o sampling • Challenge: NetFlow v5 features are very limited – IPs, ports, protocol, TCP flags, duration, #pkts , … • State-of-the-art ML technique: C4.5 decision tree

  9. Results (NetFlow w/o sampling) • UPC dataset (publicly available) – 7 x 15 min traces from UPC access link – Collected at different days and hours – Labelled with L7-filter (strict version with less FPR)

  10. Results (Sampled NetFlow) • Impact of packet sampling

  11. Sources of inaccuracy 1) Error in the estimation of the traffic features 2) Changes in flow size distribution 3) Changes in flow splitting probability

  12. Solution (Sampled NetFlow)

  13. Deployment problem: Summary • Current proposals are difficult to deploy • Proposed a simple but effective technique – Supports standard NetFlow data – Supports packet sampling • Main limitation: Needs to be frequently retrained V. Carela-Español, P . Barlet-Ros, A. Cabellos-Aparicio, J. Solé-Pareta. Analysis of the impact of sampling on NetFlow traffic classification . Computer Networks , 55(5), 2011.

  14. 2) Maintenance problem • Difficult to keep classification model updated – Traffic changes, application updates, new applications – Involve significant human intervention – ML models need to be frequently retrained • Possible solution to the problem – Make retraining automatic – Computationally viable – Without human intervention

  15. Autonomic Traffic Classification • Lightweight DPI for retraining – Small traffic sample (e.g. 1/10000 flow sampling)

  16. Evaluation • 14-days trace collected at CESCA

  17. Temporal/Spatial obsolescence • Comparison without autonomic retraining

  18. Maintenance problem: Summary • Exiting classifiers need periodic retrainings – Temporal obsolescence: Changes in application traffic – Spatial obsolescence: Different networks • Autonomic traffic classification system – Easy to deploy: Works with Sampled NetFlow – Easy to maintain: Lightweight DPI for self-training V. Carela-Español, P . Barlet-Ros, O. Mula-Valls, J. Solé-Pareta. An autonomic traffic classification system for network operation and management . Journal of Network and Systems Management , 23(3):401-419, 2015.

  19. 3) Validation problem • Current proposals are difficult to validate , compare and reproduce – Private datasets – Different ground-truth generators • Our contribution – Publication of labeled datasets (with payloads) – Common benchmark to validate/compare/reproduce – Validation of common ground-truth generators

  20. Proposal • Reliable labeled dataset with full payloads – Accurate: VBS (label from the application socket) – Avoid privacy issues: Realistic artificial traffic

  21. Methodology • Manually generate representative traffic – Create fake accounts (e.g. Gmail, Facebook, Twitter) – Interact with the service simulating human behavior (e.g. posting, chatting, gaming, watching videos, …)

  22. Dataset • > 750K flows, ~55 GB of data

  23. DPI tools compared

  24. Application protocols

  25. Applications

  26. Web services (summary) • PACE: 16/34 (6 over 80%) • nDPI: 10/34 (6 over 80%) • OpenDPI: 2/34 • Libprotoident: 0/34 • L7-filter: 0/44 (high FPR) • NBAR: 0/34

  27. Validation problem: Summary • Comparison of most popular ground-truth generators – PACE: Best results at all classification levels – Libprotoident: Very good results at application/protocol – nDPI: Good results, web services level, open source – NBAR and L7-filter: Very poor results • Dataset including payloads is publicly available – http://www.cba.upc.edu/monitoring/traffic-classification (Including also all other datasets presented in these slides) – Common benchmark to validate, compare and reproduce T. Bujlow, V. Carela-Español, P. Barlet-Ros. Independent comparison of popular DPI tools for traffic classification . Computer Networks , 76:75-89, 2015. V. Carela-Español, T. Bujlow, P. Barlet-Ros. Is our ground-truth for traffic classification reliable? In Proc. of Passive and Active Measurement Conf. (PAM), 2014.

  28. Network Polygraph • Addressed 3 practical problems – The deployment problem (Sampled Netflow) – The maintenance problem (Autonomic retraining) – The validation problem (Labeled payload traces) • We identified interest in the market – We created a UPC spin-off: https://polygraph.io – Several customers world-wide P . Barlet-Ros, J. Sanjuàs, V. Carela-Español. Network Polygraph: A cloud-based network visibility service. In ACM SIGCOMM Conf. , Industrial Demo, 2015.

  29. Why Network Polygraph? • Other products are expensive and difficult to deploy – Can only be afforded by large operators, ISPs, … – Large portion of the market are SMEs (>90% in EU) • Our technology based on Sampled NetFlow only needs a small volume of traffic data – <0.5% of extra bandwidth usage – Can be provided as a service from the cloud (SaaS)

  30. Visibility-to-cost ratio visibility cost

  31. Website + On-Line Demo https://polygraph.io

  32. traffic volume, breakdown by application

  33. HTTP services

  34. top talkers (addresses, ports, autonomous systems)

  35. subnetwork-level bandwidth hogs

  36. traffic geolocation (origins & destinations)

  37. anomaly and attack detection with automatic baselining

  38. indexed traffic database for forensic analysis

  39. Network Polygraph Talaia Networks, S.L. K2M – Parc UPC Campus Nord Jordi Girona, 1-3 Barcelona (08034) Spain Telephone: +34 93 405 45 87 contact@polygraph.io https://polygraph.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Traffic Classification: From Theory To Practice Valentn Carela-Espaol Advisor: Pere

Network Traffic Classification: From Theory To Practice Valentn Carela-Espaol Advisor: Pere

Introduction Contributions The Deployment Problem The Maintenance Problem The Validation Problem Conclusions Network Traffic Classification: From Theory To Practice Valentn Carela-Espaol Advisor: Pere Barlet-Ros Co-Advisor: Josep Sol

1.81k views • 115 slides
Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh Ghassemi, and Zahra Alimadadi TTCS 2020,Tehran, Iran 1 Network Traffic Classification, What &amp; Why?

655 views • 44 slides
Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest Classification of Internet Traffic To treat special types of traffic in a different manner Some types of classification already seen in Alok

371 views • 9 slides
A Semi-supervised Stacked Autoencoder Approach for Network Traffic Classification Ons Aouedi,

A Semi-supervised Stacked Autoencoder Approach for Network Traffic Classification Ons Aouedi,

A Semi-supervised Stacked Autoencoder Approach for Network Traffic Classification Ons Aouedi, Kandaraj Piamrat, Dhruvjyoti Bagadthey HDR-Nets 2020 Workshop The 28th IEEE International Conference on Network Protocols October 10, 2020 1/29

783 views • 29 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
Deep Learning - Theory and Practice Linear Regression, Least Squares 20-02-2020 Classification

Deep Learning - Theory and Practice Linear Regression, Least Squares 20-02-2020 Classification

Deep Learning - Theory and Practice Linear Regression, Least Squares 20-02-2020 Classification and Logistic Regression http://leap.ee.iisc.ac.in/sriram/teaching/DL20/ deeplearning.cce2020@gmail.com Least Squares for Classification K-class

467 views • 24 slides
How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology

760 views • 21 slides
Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit.

Theory or Practice? Theory : Without theory, practice is but routine born out of habit. Theory alone can bring forth and develop the spirit of inventions Louis Pasteur, 1822-1895 Practice : It is a capital mistake to theorize before

548 views • 42 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka &amp; Paul Barford

1.33k views • 26 slides
EPL606 Quality of Service and Traffic Classification 1 Multimedia, Quality of Service: What is

EPL606 Quality of Service and Traffic Classification 1 Multimedia, Quality of Service: What is

EPL606 Quality of Service and Traffic Classification 1 Multimedia, Quality of Service: What is it? Multimedia applications: network audio and video (continuous media) QoS network provides application with level of performance needed

1.57k views • 93 slides
Computer Networks II Prof. Giorgio Ventre a.a. 2009/2010 Network Traffic Classification Alberto

Computer Networks II Prof. Giorgio Ventre a.a. 2009/2010 Network Traffic Classification Alberto

Computer Networks II Prof. Giorgio Ventre a.a. 2009/2010 Network Traffic Classification Alberto Dainotti alberto@unina.it Dipartimento di Informatica e Sistemistica COMICS Research Group Outline Introduction Motivations Why is it

624 views • 15 slides
Deep Learning - Theory and Practice Linear Regression, Least Squares 13-02-2020 Classification

Deep Learning - Theory and Practice Linear Regression, Least Squares 13-02-2020 Classification

Deep Learning - Theory and Practice Linear Regression, Least Squares 13-02-2020 Classification and Logistic Regression http://leap.ee.iisc.ac.in/sriram/teaching/DL20/ deeplearning.cce2020@gmail.com Linear Regression Solution to Maximum

145 views • 11 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
Approximating the Virtual Network Embedding Problem: Theory and Practice 2 5 3 AC B 2 2 2

Approximating the Virtual Network Embedding Problem: Theory and Practice 2 5 3 AC B 2 2 2

Approximating the Virtual Network Embedding Problem: Theory and Practice 2 5 3 AC B 2 2 2 2 D 0 3 1 23rd International Symposium on Mathematical Programming 2018 Bordeaux, France Matthias Rost Technische Universitt Berlin,

1.17k views • 90 slides
Lessons from Framing the Analysis: Report from ROI on UDI Work Group Kade Etter Johnson and

Lessons from Framing the Analysis: Report from ROI on UDI Work Group Kade Etter Johnson and

Lessons from Framing the Analysis: Report from ROI on UDI Work Group Kade Etter Johnson and Johnson June 17, 2016 OFFICE CE OF TH THE E MD D CMO CMO A $700 Million Challenge? including UDIs on claims would entail significant

427 views • 11 slides
Comparing results - Discussion Fernando Galindo-Rueda OECD - DSTI INNODRIVE Conference

Comparing results - Discussion Fernando Galindo-Rueda OECD - DSTI INNODRIVE Conference

Comparing results - Discussion Fernando Galindo-Rueda OECD - DSTI INNODRIVE Conference Brussels, 23 rd February 2011 My past and current interests 2007 Satellite R&amp;D account for the UK OECD TF: Handbook on Intellectual Assets

556 views • 12 slides
Cant Wait for Perfect Implementing Good Enough&quot; Digital Preservation @shirapeltzman

Cant Wait for Perfect Implementing Good Enough&quot; Digital Preservation @shirapeltzman

bit.ly/1p1ZDGm Cant Wait for Perfect Implementing Good Enough&quot; Digital Preservation @shirapeltzman &amp; @AlicePrael Code4Lib Philadelphia | March 8th, 2016 National Digital Stewardship Residency Grant funded by 5

511 views • 23 slides
Challenges of VR Application Distribution David J. Zielinski Smith Media Labs Technology

Challenges of VR Application Distribution David J. Zielinski Smith Media Labs Technology

Challenges of VR Application Distribution David J. Zielinski Smith Media Labs Technology Specialist VR/AR Software Developer http://people.duke.edu/~djzielin/ 1 How did I University of Illinois at Urbana Champaign (UIUC). Masters Degree.

297 views • 14 slides
CEBAF Performance Plan Assets and Maintenance Management Workshop 2018 ALBA Synchrotron

CEBAF Performance Plan Assets and Maintenance Management Workshop 2018 ALBA Synchrotron

CEBAF Performance Plan Assets and Maintenance Management Workshop 2018 ALBA Synchrotron Barcelona, Spain Randy Michaud Deputy Group Leader, Operability Accelerator Operations, Jefferson Lab Wednesday September 26, 2018 Outline I. CEBAF*

400 views • 21 slides
Putting people at the centre of digital preservation Sophie Shilling Digital Archivist, Royal

Putting people at the centre of digital preservation Sophie Shilling Digital Archivist, Royal

Putting people at the centre of digital preservation Sophie Shilling Digital Archivist, Royal Historical Society of Victoria 1 The digital information paradox Most of us tend to worry that if something is on the internet, it will be there

494 views • 34 slides
AC ACC-DTA S Stryker er/LAV V Con ontrac acting D Division Stryker Wholesale Supply

AC ACC-DTA S Stryker er/LAV V Con ontrac acting D Division Stryker Wholesale Supply

Unclassified//Distribution Statement A: Approved for Public Release AC ACC-DTA S Stryker er/LAV V Con ontrac acting D Division Stryker Wholesale Supply (FY19-FY24) Five Year Cost Plus Incentive Fee (CPIF) Performance Based Logistics

522 views • 3 slides
V-MDEX2020 YOUR MISSION. OUR HONOR. Clint Herrick Senior Director Product Support Engineering

V-MDEX2020 YOUR MISSION. OUR HONOR. Clint Herrick Senior Director Product Support Engineering

V-MDEX2020 YOUR MISSION. OUR HONOR. Clint Herrick Senior Director Product Support Engineering Global Product Support Oshkosh Corporation Classification - Restricted Oshkosh Corporation &amp; Oshkosh Defense Heavy Commercial Access

653 views • 6 slides

More recommend