on the impact of flow monitoring configuration
play

On the Impact of Flow Monitoring Configuration Petr Velan et al. - PowerPoint PPT Presentation

Apr 13, 2023 •127 likes •383 views

On the Impact of Flow Monitoring Configuration Petr Velan et al. velan@ics.muni.cz Institute of Computer Science, Masaryk University April 20, 2020 Flow Monitoring Recapitulation Network Flow Monitoring Network Flow Monitoring Used for

  1. On the Impact of Flow Monitoring Configuration Petr Velan et al. velan@ics.muni.cz Institute of Computer Science, Masaryk University April 20, 2020

  2. Flow Monitoring Recapitulation Network Flow Monitoring Network Flow Monitoring Used for monitoring of large networks Scales better than DPI Supported by network equipment (NetFlow and IPFIX protocols) Use of Flow Monitoring Data Network management Network planning (using long term statistics) Network debugging Security Incident handling Policy verification Attack detection Anomaly detection P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 2 / 19

  3. Flow Monitoring Recapitulation Flow Record Creation A B Time Individual packet Sending side Receiving side P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 3 / 19

  4. Flow Monitoring Recapitulation Flow Record Creation Active Timeout A B Time Individual packet Sending side Receiving side P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 3 / 19

  5. Flow Monitoring Recapitulation Flow Record Creation Active Timeout Active Timeout Active Timeout A B Time Individual packet Sending side Receiving side P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 3 / 19

  6. Flow Monitoring Recapitulation Flow Record Creation Active Timeout Active Timeout Active Timeout A B Time Individual packet Sending side Active Timeout Active Timeout Receiving side A B P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 3 / 19

  7. Flow Monitoring Recapitulation Flow Record Creation Active Timeout Active Timeout Active Timeout A B Time Individual packet Sending side Active Timeout Active Timeout Receiving side A B Active Timeout Inactive Timeout Inactive Timeout A B P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 3 / 19

  8. Flow Monitoring Recapitulation Flow Record Creation Flow Expiration Conditions Active timeout Inactive timeout Protocol specific reasons (e.g. end of TCP connection) Resource restrictions (e.g. limited flow cache size) Exporter shutdown P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 4 / 19

  9. The Important Lesson Configuration of flow monitoring is essential! If you are publishing results based on flow data: Always include description of flow monitoring configuration. P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 5 / 19

  10. Flow Expiration Configuration Impact Flow Expiration Configuration Impact What is affected by flow expiration timeouts? Flow export Larger inactive timeout causes flows to be cached longer which increases computing and memory requirements Smaller timeouts increase number of generated flow records, which increases computing and export bandwidth requirements Flow collection Larger number of flow records increases computing and storage space requirements Flow analysis Larger number of flow records increases computing requirements Different number of flow records with different properties influences analysis results P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 6 / 19

  11. Flow Expiration Configuration Impact Number of Created Flows How large is impact of flow expiration timeouts on flow creation? To find out, we: Selected datasets The CAIDA Anonymized Internet Traces 2015 Dataset (1.1 billion of packets) A Realistic Cyber Defense Dataset (CSE-CIC-IDS2018) (3.6 million of packets) Computed flows using a range of different timeouts We were interested only in number of flows Python tool – unsuitable for the CAIDA dataset (too slow, large memory consumption) C++ tool, fast computation the flow records Analysed the results P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 7 / 19

  12. Analysis of Flow Expiration Timeouts Impact Impact of the Inactive Timeout (CAIDA Dataset, TCP) 0.07 # of fl ows 4x107 Interpacket gap 0.06 frequency Interpacket gap frequency 3.5x107 0.05 # of fl ows 3x107 0.04 2.5x107 0.03 2x107 0.02 1.5x107 0.00 10 20 30 40 50 60 70 80 90 100 110 120 130 Interpacket gap / inactive timeout length (seconds) P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 8 / 19

  13. Analysis of Flow Expiration Timeouts Impact Impact of the Inactive Timeout (CAIDA Dataset, TCP) Changing inactive timeout setting: 30 s -> 10 s causes an increase of almost 26% flows records 60 s -> 30 s causes an increase of almost 16% flows records 60 s -> 10 s causes an increase of almost 44% flows records A 45 second interpacket gap is quite common. Number of generated flows increases by 1.2% for 46 s and 45 s inactive timeout setting. P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 9 / 19

  14. Analysis of Flow Expiration Timeouts Impact Impact of the Active Timeout (CSE-CIC Dataset, TCP) 0.175 750000 # of fl ows Connection 0.150 700000 length frequency Connection length frequency 0.125 650000 0.100 # of fl ows 600000 0.075 550000 0.050 500000 0.025 0.000 450000 10 20 30 40 50 60 70 80 90 100 Connection / Active timeout length (seconds) P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 10 / 19

  15. Analysis of Flow Expiration Timeouts Impact Impact of the Active Timeout (CSE-CIC Dataset, TCP) The impact of active timeout is more complicated to evaluate Correlation between active timeout and connection length is weaker Number of multiples of active timeout that can fit into a connection length is also important (e.g. 10 s active timeout) Interpacket gaps influence the result as well Decreasing the active timeout from 300 seconds to 120 seconds increases the number of flow records only by 3% (for this dataset). P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 11 / 19

  16. Analysis of Flow Expiration Timeouts Impact Impact of the Combination of Both Timeouts (CAIDA Dataset, TCP) 2.4*10 7 120 2.3*10 7 100 2.2*10 7 Inactive timeout 2.1*10 7 80 2.0*10 7 60 1.9*10 7 1.8*10 7 40 1.7*10 7 20 1.6*10 7 50 100 150 200 250 300 Active timeout P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 12 / 19

  17. Analysis of Flow Expiration Timeouts Impact Impact of the Combination of Both Timeouts (CAIDA Dataset, TCP) Following can be derived from analysing the timeouts: Specifics of used transport protocols such as timeouts and common connection lengths (e.g. HTTP keepalive) can be observed as faster changes in the number of flows (colour changes) Different protocols (UDP, TCP, ICMP) and networks (datasets) behave differently Decreasing the active timeout from 300 seconds to 120 seconds and the inactive timeout from 30 seconds to 10 seconds increases the number of flow records by 26% (for this dataset). P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 13 / 19

  18. Analysis of Flow Expiration Timeouts Impact Impact on Flow Data Analysis The magnitude of impact of flow timeouts depends on a type of analysis, for example: Port scan detection will not be affected because port scans always generate only short flow records Covert dictionary attack can run slowly from multiple attackers to avoid detection. Their detection might be be affected by flow timeout settings DDoS attacks detection such as Slowloris detection will be affected the most P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 14 / 19

  19. Analysis of Flow Expiration Timeouts Impact Impact on a Slowloris Attack Detection There is a Slowloris attack in the CSE-CIC dataset, which we analysed: Successful attack establishes a TCP connection, sends first part of HTTP header and continues to send a small part of request header every 100 seconds (first after 78 s). The server responds with Bad Request response after approximately 2470 seconds. When the attack is successful, attacker does not get response for initial part of GET request and closes connection after 108 seconds In the most severe case, TCP connection cannot be established and attacker gives up after sending tree SYN packet in 3 seconds. P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 15 / 19

  20. Analysis of Flow Expiration Timeouts Impact Impact on a Slowloris Attack Detection 9.0*10 4 120 100s interpacket gap 8.0*10 4 100 7.0*10 4 108s failed HTTP GET 78s request chunk 80 Inactive timeout 6.0*10 4 54s fraction 5.0*10 4 60 4.0*10 4 40 3.0*10 4 20 2.0*10 4 1.0*10 4 0 0 20 40 60 80 100 120 140 160 180 200 220 240 Active timeout P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 16 / 19

  21. Analysis of Flow Expiration Timeouts Impact Impact on a Slowloris Attack Detection Caution is required when relying on flow data for Slowloris detection Large enough timeouts should be used Preprocessing using flow aggregation might be needed When using machine learning, ensure that flow expiration conditions remain the same throughout the whole process P. Velan · On the Impact of Flow Monitoring Configuration · April 20, 2020 17 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automating the Automating the configuration of flow configuration of flow monitoring probes

Automating the Automating the configuration of flow configuration of flow monitoring probes

Zurich Research Laboratory Automating the Automating the configuration of flow configuration of flow monitoring probes monitoring probes Xenofontas (Fontas) Dimitropoulos (xed@zurich.ibm.com) Andreas Kind (ank@zurich.ibm.com) IBM | Dec 07

303 views • 14 slides
SUSE Cloud 8 CLM Overview Input Model and Configuration Processor Configuration Processing Flow

SUSE Cloud 8 CLM Overview Input Model and Configuration Processor Configuration Processing Flow

SUSE Cloud 8 CLM Overview Input Model and Configuration Processor Configuration Processing Flow Key Build Artifacts Ansible Playbooks Ardana release Configuration file templates Generated Customer Examples Service Edit Definitions

108 views • 10 slides
APPLICATION-AWARE FLOW MONITORING Thursday 11 th April, 2019 Petr Velan Motivation

APPLICATION-AWARE FLOW MONITORING Thursday 11 th April, 2019 Petr Velan Motivation

APPLICATION-AWARE FLOW MONITORING Thursday 11 th April, 2019 Petr Velan Motivation Application-Aware Flow Monitoring Page 2 / 22 Internet Basic Flow Monitoring TAP Probe Flow monitoring is widely used for: Collector Accounting Router

367 views • 23 slides
The Future of Network Flow Monitoring Prague Embedded Systems Workshop (PESW 2019) Friday 28 th

The Future of Network Flow Monitoring Prague Embedded Systems Workshop (PESW 2019) Friday 28 th

The Future of Network Flow Monitoring Prague Embedded Systems Workshop (PESW 2019) Friday 28 th June, 2019 Petr Velan Flow Monitoring Introduction Internet Flow monitoring is widely used for: Accounting Probe TAP Security (IDS, forensics)

367 views • 20 slides
Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration

Configuration management Configuration management Configuration management Configuration management Configuration management Field of management that focuses on establishing and maintaining consistency of a systems attributes

647 views • 6 slides
One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis

One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis

One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis Manousis, Greg Vorsanger, Vyas Sekar, and Vladimir Braverman Many Monitoring Requirements Traffic Engineering Anomaly Detection Flow Size

511 views • 28 slides
Flow Monitoring Deniz zharar Sales & Market Devlopment Engineer

Flow Monitoring Deniz zharar Sales & Market Devlopment Engineer

BRIGHTSENSE: SMART WAY OF FLOW MONITORING Digitalize & Manage Intelligent Mold Coolant Flow Monitoring Deniz zharar Sales & Market Devlopment Engineer www.brightworksengineering.com Digital Revolution for Mold Temperature Management

142 views • 11 slides
Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration

Augeas a configuration API Raphal Pinson Configuration Management Sitewide configuration Local configuration Editing of Configuration Data (1) Keyhole approaches (2) Greenfield approaches (3) Templating Missing pieces Handle

831 views • 61 slides
Metering Pump Station Flow Monitoring Presented by: Glenn Hummel Presentation Objective Keep

Metering Pump Station Flow Monitoring Presented by: Glenn Hummel Presentation Objective Keep

Laser for Open Channel Flow Metering Pump Station Flow Monitoring Presented by: Glenn Hummel Presentation Objective Keep your Toolbox equipped with Flow Metering Solutions Introduce a New Technology for Open Channel Flow Measurement

1k views • 72 slides
201 019 C 9 CHEMISTR HEMISTRY Y & & FL FLOW MONITOR OW MONITORING ING February 12,

201 019 C 9 CHEMISTR HEMISTRY Y & & FL FLOW MONITOR OW MONITORING ING February 12,

201 019 C 9 CHEMISTR HEMISTRY Y & & FL FLOW MONITOR OW MONITORING ING February 12, 2020 PROGRAM GOALS Collect high-quality, scientific data on the local waterways. Educated decision-makers and the public. Provide

626 views • 28 slides
Services & Settings Basic Services Computer Center, CS, NCTU Common Flow of Running a

Services & Settings Basic Services Computer Center, CS, NCTU Common Flow of Running a

Services & Settings Basic Services Computer Center, CS, NCTU Common Flow of Running a Service 1. Installation Through ports, packages, or source tarballs pkg install kde4 2. Configuration Service specific configuration file(s)

174 views • 14 slides
CS615 - Aspects of System Administration Monitoring, Configuration Management Department of

CS615 - Aspects of System Administration Monitoring, Configuration Management Department of

CS615 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration Monitoring, Configuration Management Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens-tech.edu

1.26k views • 90 slides
23 AUGUST 2017 IMPACT AND MONITORING PLAN FARM PERSPECTIVE OVERVIEW Factors affecting

23 AUGUST 2017 IMPACT AND MONITORING PLAN FARM PERSPECTIVE OVERVIEW Factors affecting

FARMERS MEETING - PETERSVILLE IMPACT AND MONITORING PLAN FARM PERSPECTIVE 23 AUGUST 2017 IMPACT AND MONITORING PLAN FARM PERSPECTIVE OVERVIEW Factors affecting Yield Dust on crops Copper Uranium Potential

563 views • 14 slides
Integrated Instrumentation for Monitoring at High Flow Sites Brian Polagye University of Washington

Integrated Instrumentation for Monitoring at High Flow Sites Brian Polagye University of Washington

Integrated Instrumentation for Monitoring at High Flow Sites Brian Polagye University of Washington Northwest National Marine Renewable Energy Center Andrea Copping Pacific Northwest National Laboratory Environmental Monitoring, Regulatory Needs

215 views • 17 slides
with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan

with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan

Automating Configuration Troubleshooting with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan Configuration Troubleshooting Is Difficult Software systems Users make mistakes difficult to configure Mona

644 views • 60 slides
Outline cluster management & infrastructure management: installation and configuration

Outline cluster management & infrastructure management: installation and configuration

Outline cluster management & infrastructure management: installation and configuration monitoring maintenance xCAT we use xCAT for both node deployment and configuration management http://xcat.sf.net 100% free,

543 views • 18 slides
WLAN Power Save Mode in Linux Kalle Valo kalle.valo@iki.fi (...@nokia.com) FUDCon Berlin 2009

WLAN Power Save Mode in Linux Kalle Valo kalle.valo@iki.fi (...@nokia.com) FUDCon Berlin 2009

WLAN Power Save Mode in Linux Kalle Valo kalle.valo@iki.fi (...@nokia.com) FUDCon Berlin 2009 Linux Wireless Linux Wireless Outline 1 Introduction 2 Status 3 Future Linux Wireless Linux Wireless Introduction Introduction Linux Wireless

644 views • 18 slides
Beta Presentation Battle Aircraft Position Share The Capstone Experience Team Boeing Adam Cook

Beta Presentation Battle Aircraft Position Share The Capstone Experience Team Boeing Adam Cook

Beta Presentation Battle Aircraft Position Share The Capstone Experience Team Boeing Adam Cook Steven Garske Andrew Kos Eric Muller Department of Computer Science and Engineering Michigan State University Spring 2011 From Students to

387 views • 14 slides
Establishing the 1 st RR in Lebanon: Justification , Needs and Strategy Rony El Bitar, Bilal

Establishing the 1 st RR in Lebanon: Justification , Needs and Strategy Rony El Bitar, Bilal

Establishing the 1 st RR in Lebanon: Justification , Needs and Strategy Rony El Bitar, Bilal Nsouli Lebanese Atomic Energy Commission IAEA Workshop on Regulatory Inspection Programmes for Research Reactors . 28 September 2 October 2014,

561 views • 9 slides
SSMTT- -35 Micro OTDR 35 Micro OTDR SSMTT Product Presentation Product Presentation 20 Rue de

SSMTT- -35 Micro OTDR 35 Micro OTDR SSMTT Product Presentation Product Presentation 20 Rue de

SSMTT- -35 Micro OTDR 35 Micro OTDR SSMTT Product Presentation Product Presentation 20 Rue de Billancourt 92100 Boulogne-Billancourt Tlphone : 33 (0) 1 41 22 10 00 Tlcopie : 33 (0) 1 41 22 10 01 Courriel : info@elexo.fr TVA :

453 views • 22 slides
Electrical Conduction in Carbon Nanotubes T. Nakanishi (AIST) 1. What is Carbon

Electrical Conduction in Carbon Nanotubes T. Nakanishi (AIST) 1. What is Carbon

1 ISSP International Summer School for Young Researchers on Quantum Transport in Mesoscopic Scale & Low Dimensions Aug. 13 - 21, 2003. (My talk is given at 16 Aug. 2003.) Electrical Conduction in Carbon Nanotubes T.

757 views • 33 slides
The van der Waals Interaction Derek Stampone Binghamton University 5/9/2013 Outline The van

The van der Waals Interaction Derek Stampone Binghamton University 5/9/2013 Outline The van

The van der Waals Interaction Derek Stampone The van der Waals Interaction Derek Stampone Binghamton University 5/9/2013 Outline The van der Waals Interaction 1 Introduction Derek Stampone 2 The Hamiltonian Outline Introduction The

493 views • 21 slides
HOW TO USE THE REMOTE CONTROL 1. On / OFF button. 2. Temperature & time Up / Down buttons.

HOW TO USE THE REMOTE CONTROL 1. On / OFF button. 2. Temperature & time Up / Down buttons.

HOW TO USE THE REMOTE CONTROL 1. On / OFF button. 2. Temperature & time Up / Down buttons. 3. Damper Mode selection Button. 4. Operation Mode selection button. 5. Operation Mode Display. 6. Set Temperature Display. 7. Room Temperature

306 views • 6 slides
Seconds Aim I can measure and record time in seconds. Success Criteria I can measure time

Seconds Aim I can measure and record time in seconds. Success Criteria I can measure time

Seconds Aim I can measure and record time in seconds. Success Criteria I can measure time in seconds. I can record my measurements. Minute Measure How many faces can you draw in one minute? Click the timer for a 1 minute countdown.

449 views • 18 slides

More recommend