on the challenges of network traffic classification with
play

On the challenges of network traffic classification with - PowerPoint PPT Presentation

Mar 18, 2023 •271 likes •544 views

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

  1. On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentín Carela-Español, Tomasz Bujlow and Josep Solé-Pareta This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 726763.

  2. Background • What do we refer to as traffic classification ? – Identifying the application that generated each flow • What is traffic classification used for? – Network planning and dimensioning – Per-application performance evaluation – Traffic steering / QoS / SLA validation – Charging and billing 2

  3. Background: Ports • Port-based – Computationally lightweight – Payloads not needed – Easy to understand and program – Low accuracy / completeness (but most NetFlow products still use it!) 3

  4. Background: DPI • Deep packet inspection (DPI) – High accuracy and completeness – Computationally expensive – Needs payload access – Privacy concerns – Cannot work with encrypted traffic 4

  5. Background: ML • Machine Learning – High accuracy and completeness – Computationally viable – Payloads not needed – Can work with encrypted traffic – Needs frequent retraining 5

  6. Main limitations of ML-TC • Introduction in real products and operational environments is limited and slow – Current proposals suffer from practical problems – Actual products rely on simpler methods or DPI • 3 main real-world challenges: 1) The deployment problem 2) The maintenance problem 3) The validation problem 6

  7. 1) Deployment problem • Current solutions are difficult to deploy – Need dedicated hardware appliances / probes – Need packet- level access (e.g. compute features, …) • How to address this problem? – Work with flow level data (e.g. Netflow / IPFIX) – Support packet sampling (e.g. Sampled Netflow) 7

  8. NetFlow w/o sampling • Challenge: NetFlow v5 features are very limited – IPs, ports, protocol, TCP flags, duration, #pkts , … • State-of-the-art ML technique: C4.5 decision tree 8

  9. Results (NetFlow w/o sampling) • UPC dataset: Real traffic from university access link – 7 x 15 min traces (collected at different days / hours) – Labelled with L7-filter (strict version with less FPR) – Public data set available at: https://cba.upc.edu/monitoring/traffic-classification 9

  10. Results (Sampled NetFlow) • Impact of packet sampling 10

  11. Sources of inaccuracy 1) Error in the estimation of the traffic features 2) Changes in flow size distribution 3) Changes in flow splitting probability 11

  12. Solution (Sampled NetFlow) V. Carela-Español, P . Barlet-Ros, A. Cabellos-Aparicio, J. Solé-Pareta. Analysis of the impact of sampling on NetFlow traffic classification . Computer Networks , 55(5), 2011. 12

  13. 2) Maintenance problem • Difficult to keep classification model updated – Traffic changes, application updates, new applications – Involve significant human intervention – ML models need to be frequently retrained • Possible solution to the problem – Make retraining automatic – Computationally viable – Without human intervention 13

  14. Autonomic Traffic Classification • Lightweight DPI for retraining – Small traffic sample (e.g. 1/10000 flow sampling) 14

  15. Results • 14-days trace collected at the Anella Científica (Catalan RREN) managed by CSUC (www.csuc.cat) V. Carela-Español, P . Barlet-Ros, O. Mula-Valls, J. Solé-Pareta. An autonomic traffic classification system for network operation and management . Journal of Network and Systems Management , 23(3):401-419, 2015. 15

  16. 3) Validation problem • Current proposals are difficult to validate , compare and reproduce – Private datasets – Different ground-truth generators • Our contribution – Publication of labeled datasets (with payloads) – Common benchmark to validate/compare/reproduce – Validation of common ground-truth generators 16

  17. Methodology • Manually generate representative traffic – Create fake accounts (e.g. Gmail, Facebook, Twitter) – Interact with the service simulating human behavior (e.g. posting, gaming, watching videos, skype calls …) 17

  18. Data set • Public labeled data set with full payloads – Accurate: VBS (label from the application socket) – Avoids privacy issues: Realistic “artificial” traffic – Limitations: Traffic mix might not be representative • Data set is publicly available at: – http://www.cba.upc.edu/monitoring/traffic-classification – Shared with 200+ researchers over the world – Cited in 100+ scientific articles (source: Google Scholar) 18

  19. Data set • > 750K flows, ~55 GB of data • 17 application protocols – DNS, HTTP, SMTP, IMAP, POP3, SSH, NTP, RTMP, … • 25 applications – Bittorrent, Dropbox, Skype, Spotify, WoW , … • 34 web services – Youtube, Facebook, Twitter, LinkedIn, Ebay , … T. Bujlow, V. Carela-Español, P. Barlet-Ros. Independent comparison of popular DPI tools for traffic classification . Computer Networks , 76:75-89, 2015. V. Carela-Español, T. Bujlow, P. Barlet-Ros. Is our ground-truth for traffic classification reliable? In Proc. of Passive and Active Measurement Conf. (PAM), 2014. 19

  20. DPI tools compared 20

  21. Results: Application protocols • Most tools achieve 70%-100% accuracy • nDPI and Libprotoident showed highest completeness (15/17) • Only Libprotoident identified encrypted protocols (e.g., IMAP TLS, POP TLS, SMTP TLS) • L7-filter suffered from false positives (9/17) 21

  22. Results: Applications • 20-30% less accuracy compared to protocols • PACE (20/22) and nDPI (17/22) obtained highest completeness • Libprotoident showed reasonable acc. (14/22) – Note it only uses 4 bytes of the payload • NBAR showed very low performance (4/22) – Unable to classify most applications 22

  23. Results: Web services • PACE: 16/34 (6 over 80%) • nDPI: 10/34 (6 over 80%) • OpenDPI: 2/34 • Libprotoident: 0/34 • L7-filter: 0/44 (high FPR) • NBAR: 0/34 23

  24. Implications for operators • Current DPI products are expensive and difficult to deploy • Accurate traffic classification with Sampled NetFlow is possible and easy to deploy • Sampled NetFlow traffic volumes are low – Flows can be easily sent (encrypted) to the cloud – Monitoring can be offered as a service (SaaS) 24

  25. Real implementation • Received funding from EU H2020 to convert technology into a commercial product – SME Instrument Phase 2 project – Grant agreement No. 726763 • Talaia Networks, S.L. (www.talaia.io) – Spin-off of UPC Barcelona-Tech – Monitoring and security service (SaaS and on-prem) – Customers worldwide (operators, ISPs, cloud prov., …) 25

  26. On-Line Demo https://www.talaia.io 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh

Combining Machine and Automata Learning for Network Traffic Classification Zeynab Sabahi, Fatemeh Ghassemi, and Zahra Alimadadi TTCS 2020,Tehran, Iran 1 Network Traffic Classification, What & Why?

655 views • 44 slides
Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic

Traffic Classification in the Fog Scott E. Coull February 23, 2006 Overview What is traffic classification? Communities of Interest for classification BLINC Profiling Internet Backbone Traffic What is missing here? Traffic

965 views • 81 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest

Need for Classification Classification required To isolate traffic of interest Classification of Internet Traffic To treat special types of traffic in a different manner Some types of classification already seen in Alok

371 views • 9 slides
A Semi-supervised Stacked Autoencoder Approach for Network Traffic Classification Ons Aouedi,

A Semi-supervised Stacked Autoencoder Approach for Network Traffic Classification Ons Aouedi,

A Semi-supervised Stacked Autoencoder Approach for Network Traffic Classification Ons Aouedi, Kandaraj Piamrat, Dhruvjyoti Bagadthey HDR-Nets 2020 Workshop The 28th IEEE International Conference on Network Protocols October 10, 2020 1/29

783 views • 29 slides
Network traffic classification: From theory to practice Pere Barlet-Ros Associate Professor at

Network traffic classification: From theory to practice Pere Barlet-Ros Associate Professor at

Network traffic classification: From theory to practice Pere Barlet-Ros Associate Professor at UPC BarcelonaTech Co-founder and Chairman at Polygraph.io Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta

1.67k views • 39 slides
How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and

MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology

760 views • 21 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka & Paul Barford

1.33k views • 26 slides
EPL606 Quality of Service and Traffic Classification 1 Multimedia, Quality of Service: What is

EPL606 Quality of Service and Traffic Classification 1 Multimedia, Quality of Service: What is

EPL606 Quality of Service and Traffic Classification 1 Multimedia, Quality of Service: What is it? Multimedia applications: network audio and video (continuous media) QoS network provides application with level of performance needed

1.57k views • 93 slides
Computer Networks II Prof. Giorgio Ventre a.a. 2009/2010 Network Traffic Classification Alberto

Computer Networks II Prof. Giorgio Ventre a.a. 2009/2010 Network Traffic Classification Alberto

Computer Networks II Prof. Giorgio Ventre a.a. 2009/2010 Network Traffic Classification Alberto Dainotti alberto@unina.it Dipartimento di Informatica e Sistemistica COMICS Research Group Outline Introduction Motivations Why is it

624 views • 15 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
Network Traffic Classification: From Theory To Practice Valentn Carela-Espaol Advisor: Pere

Network Traffic Classification: From Theory To Practice Valentn Carela-Espaol Advisor: Pere

Introduction Contributions The Deployment Problem The Maintenance Problem The Validation Problem Conclusions Network Traffic Classification: From Theory To Practice Valentn Carela-Espaol Advisor: Pere Barlet-Ros Co-Advisor: Josep Sol

1.81k views • 115 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1 Presentation By Henk van Doorn & Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Early online classification of encrypted traffic streams using multi-fractal features Erik

Early online classification of encrypted traffic streams using multi-fractal features Erik

Early online classification of encrypted traffic streams using multi-fractal features Erik Arestrm, Linkping University Niklas Carlsson, Linkping University Motivation and problem Early flow classification is important for network

629 views • 40 slides
SMU Classification: Restricted SMU Classification: Restricted Challenges of investing in Asia

SMU Classification: Restricted SMU Classification: Restricted Challenges of investing in Asia

SMU Classification: Restricted SMU Classification: Restricted Challenges of investing in Asia during the COVID-19 Crisis Prof Dave Fernandez - Director, Sim Kee Boon Institute for Financial Economics July 2, 2020 SMU Classification: Restricted

575 views • 21 slides
Self-tuning DB Technology & Info Services: from Wishful Thinking to Viable Engineering

Self-tuning DB Technology & Info Services: from Wishful Thinking to Viable Engineering

Self-tuning DB Technology & Info Services: from Wishful Thinking to Viable Engineering Gerhard Weikum , Axel Moenkeberg, Christof Hasse, Peter Zabback Teamwork is essential. It allows you to blame someone else. Acknowledgements to

681 views • 26 slides
Differentiators Gary Romano Overview Why create your Introduction Define Your Value own firm?

Differentiators Gary Romano Overview Why create your Introduction Define Your Value own firm?

Your Mission, Value, and Differentiators Gary Romano Overview Why create your Introduction Define Your Value own firm? Establish a Size Up the Minimum Viable Competition Company (MVC) If nothing else, know Design or re-design a

615 views • 42 slides
Engineering You Lynn Langit - @lynnlangit Martin Thompson - @mjpt777 A software system can

Engineering You Lynn Langit - @lynnlangit Martin Thompson - @mjpt777 A software system can

Engineering You Lynn Langit - @lynnlangit Martin Thompson - @mjpt777 A software system can best be designed if the testing is interlaced with the design, instead of being used after the design - Who and When??? A software system can

938 views • 65 slides
Collaborative Problem Solving Through Design Thinking Nancy Lewis, MPA, M.S. Director, The

Collaborative Problem Solving Through Design Thinking Nancy Lewis, MPA, M.S. Director, The

Collaborative Problem Solving Through Design Thinking Nancy Lewis, MPA, M.S. Director, The Canopy for Creative Collaboration UNM Innovation Academy June 26, 2019 Agenda Welcome & Introductions Overview of Design

486 views • 37 slides
Dynamical Dark Matter A New Framework for Dark-Matter Physics Brooks Thomas (University of

Dynamical Dark Matter A New Framework for Dark-Matter Physics Brooks Thomas (University of

Dynamical Dark Matter A New Framework for Dark-Matter Physics Brooks Thomas (University of Hawaii) Based on work done in collaboration with Keith Dienes [arXiv:1106.4546, arXiv:1107.0721, arXiv:1110.xxxx] A New Framework for Dark Matter

421 views • 15 slides
Gravitational wave generation in a viable scenario of inflationary magnetogenesis Ramkishor

Gravitational wave generation in a viable scenario of inflationary magnetogenesis Ramkishor

Gravitational wave generation in a viable scenario of inflationary magnetogenesis Ramkishor Sharma Department of Physics and Astrophysics University of Delhi, Delhi Sandhya Jagannathan , T. R. Seshadri (Delhi University, Delhi) Kandaswamy

576 views • 38 slides
Approximate Safety Enforcement Using Computed Viability Envelopes Maciej Kalisiak Michiel van de

Approximate Safety Enforcement Using Computed Viability Envelopes Maciej Kalisiak Michiel van de

Approximate Safety Enforcement Using Computed Viability Envelopes Maciej Kalisiak Michiel van de Panne <mac@dgp.toronto.edu> <van@cs.ubc.ca> University of Toronto University of British Columbia IEEE International Conference on

647 views • 37 slides
Population size and Conservation TEST 1 Mean = 83, Geometric mean = 82, Harmonic mean = 81,

Population size and Conservation TEST 1 Mean = 83, Geometric mean = 82, Harmonic mean = 81,

Population size and Conservation TEST 1 Mean = 83, Geometric mean = 82, Harmonic mean = 81, Median = 85. I will add tonight the grades to Blackboard (and also add key on Tu/We) Determining whether a population is growing or shrinking To

596 views • 11 slides

More recommend