nfql a tool for querying network flow records 6

NFQL: A Tool for Querying Network Flow Records [6] - PowerPoint PPT Presentation

Apr 08, 2024 •292 likes •541 views

NFQL: A Tool for Querying Network Flow Records [6] nfql.vaibhavbajpai.com Vaibhav Bajpai, Johannes Schauer, Corneliu Claudiu Prodescu, Jrgen Schnwlder {v.bajpai, j.schauer, c.prodescu, j.schoenwaelder}@jacobs-university.de IETF 87,

  1. NFQL: A Tool for Querying Network Flow Records [6] nfql.vaibhavbajpai.com Vaibhav Bajpai, Johannes Schauer, Corneliu Claudiu Prodescu, Jürgen Schönwälder {v.bajpai, j.schauer, c.prodescu, j.schoenwaelder}@jacobs-university.de IETF 87, Berlin Computer Networks and Distributed Systems Jacobs University Bremen Bremen, Germany Supported by: July 2013 Flamingo Project: http://fp7-flamingo.eu

  2. Motivation • IP traffic flow Flow analysis use cases: • Survey on detection of intrusion attacks [1]. • Survey on behavior analysis of backbone traffic [2]. Version Features v1, {2, 3, 4} original format with several internal releases v5 CIDR, AS support and flow sequence numbers • Flow export protocols v{6, 7, 8} router-based aggregation support • Cisco NetFlow [RFC 3954] v9 template-based with IPv6 and MPLS support • IETF IPFIX [RFC 5101] IPFIX universal standard, transport-protocol agnostic • Understanding intricate traffic patterns require sophisticated flow analysis tools. • Current tools span a smaller use-case owing to their simplistic language designs. [2/21]

  3. Related Work • Simple traffic analysis tools • ntop, FlowScan, NfSen, Stager • Popular open-source NetFlow analysis tools • flow-tools: supports NetFlow v5 • nfdump : supports NetFlow v9 • Popular open-source IPFIX analysis tools • SiLK [3/21]

  4. nfql Tool Front-End Parser Python NFQL Query JSON Execution Engine Input Trace Output Trace C - NetFlow v5 - NetFlow v5 nfql - IPFIX - IPFIX nfql architecture [4/21]

  5. NFQL (Network Flow Query Language) NFQL processing pipeline [3] • Each branch runs in a separate thread. • Affinity masks help delegate each branch to a separate processor core. [5/21]

  6. NFQL Domain Specific Language (DSL) NFQL Parser "filter": { filter http { "dnf-expr": [{ tcpDestinationPort = 80 delta 1 "clause": [{ } "term": { "delta": 1, DSL "offset": { "name": "destinationTransportPort", "value": 80 The query uses IPFIX entity names and datatypes: }, http://www.iana.org/assignments/ipfix/ipfix.xhtml "op": "RULE_EQ" } }] }] } • JSON intermediate format JSON intermediate format • Each pipeline stage of the JSON query is a DNF expression. • JSON query can disable the pipeline stages at RUNTIME. • Execution engine uses json-c to parse the JSON query: http://oss.metaparadigm.com/json-c [6/21]

  7. NFQL DSL: Supported Features • Possible Operations: supported in SiLK - EQ, NE, GT, LT, LE, GE • Possible Aggregations: - COUNT, UNION, MIN, MAX, SUM, MEDIAN, - MEAN, STDDEV, XOR, PROD, AND, OR, IN • Possible Interval Operations: - X takes place before Y - X during Y - X meets Y - X finishes Y - X overlaps with Y - X is equal to Y - X starts Y [7/21]

  8. NFQL DSL: IPFIX to NetFlow v5 map NetFlow v5 IPFIX Comments srcaddr sourceIPv4Address dstaddr destionationIPv4Address nexthop ipNextHopIPv4Address input - missing in IPFIX? output - missing in IPFIX? dPkts packetDeltaCount 32bit unsigned vs 64bit unsigned dOctets octetDeltaCount 32bit unsigned vs 64bit unsigned dFlows deltaFlowCount 32bit unsigned vs 64bit unsigned First flowStartSysUpTime relative vs absolute time Last flowEndSysUpTime relative vs absolute time srcport sourceTransportPort dstport destinationTransportPort tcp_flags tcpControlBits prot protocolIdentifier tos ipClassOfService src_as bgpSourceAsNumber dst_as bgpDestinationAsNumber src_mask sourceIPv4PrefixLength [8/21] dst_mask destinationIPv4PrefixLength

  9. NFQL I/O processing NFQL processing pipeline [3] • NetFlow v5: using flow-tools : http://www.splintered.net/sw/flow-tools • IPFIX: using libfixbuf : http://tools.netsa.cert.org/fixbuf • Flow records are read in memory and indexed to allow retrieval in O(1) time. [9/21]

  10. NFQL Example: • Problem Statement: - Find all flow pairs representing HTTP traffic (TCP using port 80) that have exchanged more than 200 packets in both directions. [10/21]

  11. NFQL Example: Filter HTTP requests: NFQL processing pipeline [3] branch A { filter f1 { destinationTransportPort=80 protocolIdentifier=TCP } } HTTP responses: branch B { filter f1 { sourceTransportPort=80 protocolIdentifier=TCP } } • No splitter: Using indexes to reference flows in each branch. • Inline filter: Flows are filtered as soon as they are read in memory. [11/21]

  12. NFQL Example: Grouper NFQL processing pipeline [3] Group A and Group B grouper ... { sourceIPv4Address = sourceIPv4Address destinationIPv4Address = destinationIPv4Address HTTP responses: aggregation { sum(packetDeltaCount) sum(octetDeltaCount) } } • Flow records matching the source and destination endpoint addresses are combined. • The number of packets and octets are aggregated together within each grouped flow. • Faster grouper lookups: Sort on group keys and perform a nested binary search. [12/21]

  13. NFQL Example: Group Filter NFQL processing pipeline [3] Group A and Group B groupfilter ... { packetDeltaCount > 200 } [13/21]

  14. NFQL Example: Merger NFQL processing pipeline [3] branch A { ... } branch B { ... } merger M { A.sourceIPv4Address = B.destinationIPv4Address A.destinationIPv4Address = B.sourceIPv4Address } • Merger merges the grouped flows from each branch to create streams. • The HTTP request flow is matched with the HTTP response flow to create a HTTP session. • Faster merger matches: Sort on merger keys to skip iterator permutations. [14/21]

  15. NFQL Example: Ungrouper ungrouper U { } NFQL processing pipeline [3] • The ungrouper unfolds the streams back into individual flows. • The individual flows are written as trace files or printed on stdout. [15/21]

  16. nfql Tool • Demo - Find all flow pairs representing HTTP traffic (TCP using port 80) that have exchanged more than 200 packets in both directions. [16/21]

  17. NFQL in Theory • Features • Filter flows. • Combine flows into groups. • Aggregate flows on flow-keys as one grouped flow aggregate. • Merge grouped flows, supporting temporal relations between groups. • Apply absolute or relative filters when grouping or merging. • Unfold grouped flows back into individual flows. Filter (worst case) O(n) where n=num(flows) Grouper (average case) O(n × lg(k)) + O(p × n × lg(n)) where k=num(unique(flows)), p=num(terms) Grouper aggregations (worst case) O(n) Group Filter (worst case) O(g) where g=num(groups) Merger (worst case) O(g^m) where m=num(branches) Ungrouper (worst case) O(g)

  18. NFQL and Friends NFQL processing pipeline [3] The expressiveness of the language can be not supported by { flow-tools, nfdump} seen from [4], where NFQL queries are used to identify application signatures. not supported by SiLK [18/21]

  19. Compression Tradeoffs • Output traces are compressed using zlib library. nfdump uses lzo compression. • Compression level is configurable at RUNTIME. nfql uses ZLIB_LEVEL 5 by default. • Each compression level adds its own performance overhead when writing output traces to files. • Additional Features • Each pipeline stage results can be written out as flow-tools files. • Capability to read multiple input traces from stdin: $ flow-cat $TRACES | nfql $QUERY

  20. Performance Evaluations • Used first 20M flows from Trace 7 in the SimpleWeb repository [5]. • Input trace was compressed at ZLIB_LEVEL 5. • Ran on a machine with 24 cores, 2.5 GHz clock speed and 18 MiB of physical memory. • nfdump uses lzo compression to trade output trace size with RUNTIME speed. • Stressing the rest of the pipeline stages, please refer to [6]. [20/21]

  21. Conclusion • NFQL’ richer language capabilities allow sophisticated flow queries. • nfql can process such complex queries in minutes. • nfql has comparable execution times when processing real-world traces. • Evaluation queries developed as part of this research can become input towards a generic benchmarking suite for flow-processing tools. nfql.vaibhavbajpai.com [21/21]

  22. References [1] A. Sperotto, et al., An overview of IP flow-based intrusion detection, IEEE Communication Surveys and Tutorials, 2010. [2] A. Callado, et al., A survey on Internet traffic identification, IEEE Communication Surveys and Tutorials, 2009. [3] V. Marinov, et al., Design of a stream-based IP Flow Record Query Language, Distributed Systems: Operations & Management, 2009 [4] V. Perelman, et al., Flow Signatures of Popular Applications, Symposium on Integrated Network Management, 2011 [5] R. Barbosa, et al., Simpleweb/University of Twente Traffic Traces Data Repository, http://www.simpleweb.org/wiki/Traces [Last Accessed: May 25, 2013]

  23. References [6] V. Bajpai, et al., NFQL: A Tool for Querying Network Flow Records, IEEE/IFIP International Symposium on Integrated Network Management, 2013.

Recommend

Public Records Public Records Public Records Office Public Records Office Finance Finance

Public Records Public Records Public Records Office Public Records Office Finance Finance

WA S H I N G T O N S T AT E U N I V E R S I T Y Public Records Public Records Public Records Office Public Records Office Finance Finance & & Adminis Administration ration May 2020 Overview Public Records Law Public

319 views • 9 slides
SynAthina Onli line Tools 1. . A mapping tool 2. A Community Tool 3. An Archive Tool 3. An

SynAthina Onli line Tools 1. . A mapping tool 2. A Community Tool 3. An Archive Tool 3. An

SynAthina Onli line Tools 1. . A mapping tool 2. A Community Tool 3. An Archive Tool 3. An Archive Tool 4. A Booking Tool 5. A Connecting Tool 5. A Connecting Tool 6. A Crowdsourcing Tool 7. A Data Collection Tool 7. A Data Collection

313 views • 14 slides
Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does

Records Retention Program Training Managing Records in Schools The Records Liaison What does that mean? The guardian ofyour schools records Rule 2380 The RL knows what records are kept in your school The RL is the expert!

361 views • 13 slides
Electronic Records Kris Stenson Electronic Records Archivist Illinois State Archives Outline

Electronic Records Kris Stenson Electronic Records Archivist Illinois State Archives Outline

The State Records Act and Electronic Records Kris Stenson Electronic Records Archivist Illinois State Archives Outline The State Records Act & Records Management Introduction to E-records Dealing with E-communications

647 views • 32 slides
National Learners National Learners Records Records Database Records Records Database

National Learners National Learners Records Records Database Records Records Database

National Learners National Learners Records Records Database Records Records Database Database Database (NLRD) (NLRD) August 2014 August 2014 What is the NLRD? What is the NLRD? What is the NLRD? What is the NLRD? An integrated

525 views • 19 slides
Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we

Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we

1 Network Flow 5 Network Flow terminology Network flow is similar to finding how much water we can bring from a source to a sink (infinite) (intermediates cannot hold water) 6 Network Flow terminology Definitions: c(u,v)

576 views • 34 slides
AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis

AS/NZS ISO 30300 and AS/NZS ISO 30301 Management systems for records Presented by Judith Ellis Framework for Good Recordkeeping Records are evidence of business Records system Records system Records Records characteristics

404 views • 21 slides
PUBLIC AND PRESENTATION RECORDS: COURTS, HOSPITALS AND OTHER GOVERNMENT AGENCIES 1 Public records

PUBLIC AND PRESENTATION RECORDS: COURTS, HOSPITALS AND OTHER GOVERNMENT AGENCIES 1 Public records

PUBLIC AND PRESENTATION RECORDS: COURTS, HOSPITALS AND OTHER GOVERNMENT AGENCIES 1 Public records are defined by the Public Records Acts 1958 & 1967 as records of departments or agencies of central government. Most of the records of central

336 views • 11 slides
Clerks Records Karen Gladney, Attorney At Law and Legal Counsel for CDCAT District Clerk Records

Clerks Records Karen Gladney, Attorney At Law and Legal Counsel for CDCAT District Clerk Records

Clerks Records Karen Gladney, Attorney At Law and Legal Counsel for CDCAT District Clerk Records Rules of Judicial Judicial Records Administration Rule 12 Records of the Judiciary Civil Court Case Records Tx Rules of Civil Procedure (non

426 views • 13 slides
Wavelets for Efficient Querying of Large Wavelets for Efficient Querying of Large

Wavelets for Efficient Querying of Large Wavelets for Efficient Querying of Large

Wavelets for Efficient Querying of Large Wavelets for Efficient Querying of Large Multidimensional Datasets Multidimensional Datasets Cyrus Shahabi University of Southern California Integrated Media Systems Center (IMSC) and Dept. of Computer

442 views • 20 slides
Combining XML querying Combining XML querying with ontology reasoning: with ontology reasoning:

Combining XML querying Combining XML querying with ontology reasoning: with ontology reasoning:

Combining XML querying Combining XML querying with ontology reasoning: with ontology reasoning: Xcerpt and DIG Xcerpt and DIG Wlodek Drabent Artur Wilk Ontology and Rule Integration Workshop Athens, GA November 2006 The problem

492 views • 20 slides
The problem Combining querying of XML data with ontology queries Example XML document

The problem Combining querying of XML data with ontology queries Example XML document

XML Querying Using XML Querying Using Ontological Information Ontological Information Eric Svensson and Artur Wilk PPSWR06 Budva, Montenegro June 11 th , 2006 The problem Combining querying of XML data with ontology queries

207 views • 10 slides
Querying XML Documents Querying XML Documents How XML may be supported in databases with

Querying XML Documents Querying XML Documents How XML may be supported in databases with

Objectives Objectives How XML generalizes relational databases An Introduction to XML and Web Technologies An Introduction to XML and Web Technologies The XQuery language Querying XML Documents Querying XML Documents How XML may be

350 views • 15 slides
Querying and Mining Data Streams: Querying and Mining Data Streams: You Only Get One Look You

Querying and Mining Data Streams: Querying and Mining Data Streams: You Only Get One Look You

Querying and Mining Data Streams: Querying and Mining Data Streams: You Only Get One Look You Only Get One Look A Tutorial A Tutorial Minos Garofalakis Garofalakis Johannes Gehrke Johannes Gehrke Minos Rajeev Rastogi Rajeev

1.58k views • 125 slides
QUERYING AND MINING QUERYING AND MINING DATA STREAMS Elena Ikonomovska Joef Stefan Institute

QUERYING AND MINING QUERYING AND MINING DATA STREAMS Elena Ikonomovska Joef Stefan Institute

Advanced School on Data Exchange, Integration, and Streams - Dagstuhl, November 2010 QUERYING AND MINING QUERYING AND MINING DATA STREAMS Elena Ikonomovska Joef Stefan Institute Department of Knowledge Technologies Outline

856 views • 57 slides
Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow

Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow

Network Flow CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Network Flow Models the flow of items through a network Example Transporting goods through the road/rail/air network Flow of fluids (oil, water,..) through pumping

949 views • 84 slides
No Now wha hat? t? Presenter: Kate Mullins Co-Author: Hailey DuBreuil 1 MEE EET T OU OUR

No Now wha hat? t? Presenter: Kate Mullins Co-Author: Hailey DuBreuil 1 MEE EET T OU OUR

We f e fou ound nd a d a dat ata a quali uality ty is issu sue. e. No Now wha hat? t? Presenter: Kate Mullins Co-Author: Hailey DuBreuil 1 MEE EET T OU OUR R DATA Q A QUAL ALIT ITY Y TEA EAM Yuan Zhang Ka Kate e

727 views • 27 slides
Rate Year 2021 Quality Programs June 28, 2019 Covered in this Presentation Introduction

Rate Year 2021 Quality Programs June 28, 2019 Covered in this Presentation Introduction

Rate Year 2021 Quality Programs June 28, 2019 Covered in this Presentation Introduction Maryland All- Payer Model TCOC Model Performance Based Payment Programs Overview Rate Year 2021 Approved Program Updates: MHAC Program

993 views • 84 slides
Development and deployment of integrated attribute based access control for collaboration

Development and deployment of integrated attribute based access control for collaboration

Development and deployment of integrated attribute based access control for collaboration Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications and user communities Virtual

368 views • 13 slides
LIGO Identity Management: Questions I Wish We Would Have Asked Scott Koranda for LIGO LIGO and

LIGO Identity Management: Questions I Wish We Would Have Asked Scott Koranda for LIGO LIGO and

LIGO Identity Management: Questions I Wish We Would Have Asked Scott Koranda for LIGO LIGO and University of Wisconsin-Milwaukee September 6, 2012 LIGO-XXXXXXXX-v1 1 / 39 We had a mess Late in 2007 and we stopped scaling Collaboration

734 views • 39 slides
What is happening with IEEE P1581? Heiko Ehrenberg P1581 working group chair GOEPEL Electronics

What is happening with IEEE P1581? Heiko Ehrenberg P1581 working group chair GOEPEL Electronics

What is happening with IEEE P1581? Heiko Ehrenberg P1581 working group chair GOEPEL Electronics IEEE P1581 What is happening with IEEE P1581? http://grouper.ieee.org/groups/1581/ Purpose IEEE Std. 1581 will make you forget you ever had a

571 views • 10 slides
802.1 Plenary March 2015 Berlin, Germany Opening Agenda Glenn Parsons IEEE 802.1 WG

802.1 Plenary March 2015 Berlin, Germany Opening Agenda Glenn Parsons IEEE 802.1 WG

802.1 Plenary March 2015 Berlin, Germany Opening Agenda Glenn Parsons IEEE 802.1 WG Chair glenn.parsons@ericsson.com Decorum Press (i.e., anyone reporting publicly on this meeting) are to announce their presence (SASB Ops

722 views • 40 slides
ELMO ELMO Loves Manipulating Objects Jeffrey Cua Stephen Lee jmc2108 sl2285 Erik Peterson

ELMO ELMO Loves Manipulating Objects Jeffrey Cua Stephen Lee jmc2108 sl2285 Erik Peterson

ELMO ELMO Loves Manipulating Objects Jeffrey Cua Stephen Lee jmc2108 sl2285 Erik Peterson John Waugh edp2002 jrw2005 December 21, 2004 Language Goals Accessibility Comprehensible for non-programmer Avoid direct matrix

580 views • 30 slides
Consumers at the Center: How Open Data, Health IT and Value-Based Payment Aneesh Chopra Can Fuel

Consumers at the Center: How Open Data, Health IT and Value-Based Payment Aneesh Chopra Can Fuel

Consumers at the Center: How Open Data, Health IT and Value-Based Payment Aneesh Chopra Can Fuel a Better Delivery System for Us @aneeshchopra American Competitiveness @ Stake The Goal: Constraining HC inflation to GDP + 0% unlocks $1T+ in

286 views • 14 slides

More recommend