The Future of Network Flow Monitoring Prague Embedded Systems - PowerPoint PPT Presentation

  1. The Future of Network Flow Monitoring
     Prague Embedded Systems Workshop (PESW 2019)
     Friday 28th June, 2019
     Petr Velan

  2. Flow Monitoring Introduction
     Flow monitoring is widely used for:
     - Accounting
     - Security (IDS, forensics)
     - Data retention
     - Network diagnostics
     [Figure: a probe on a TAP at the Internet uplink and a probe on a router SPAN port in the internal network receive packets and export flow records to a collector]
     A flow record example:
     Flow start    Duration  Proto  Src IP Addr:Port       Dst IP Addr:Port      Flags   Packets  Bytes
     09:41:21.763  0.101     TCP    172.16.96.48:15094  -> 209.85.135.147:80    .AP.SF  4        715
     09:41:21.893  0.031     TCP    209.85.135.147:80   -> 172.16.96.48:15094   .AP.SF  4        1594
     The Future of Network Flow Monitoring Page 2 / 19
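To show how records like the two above come out of a packet stream, here is an added example (not part of the slides) of a minimal unidirectional flow cache: packets are keyed on the 5-tuple, TCP flags are OR-ed into the flow, an idle timeout expires stale entries, and records are printed in the slide's column layout. The packet trace is constructed to reproduce the slide's two records.

```python
from dataclasses import dataclass

# TCP flag characters in the order the slide's Flags column uses: U A P R S F
FLAG_BITS = (("U", 0x20), ("A", 0x10), ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01))

@dataclass
class Flow:
    start: float                # time of first packet (seconds since midnight here)
    end: float                  # time of last packet
    proto: str
    src: tuple                  # (ip, port)
    dst: tuple
    flags: int = 0              # OR of all TCP flag bits seen in the flow
    packets: int = 0
    bytes: int = 0
    def flag_string(self):
        return "".join(c if self.flags & bit else "." for c, bit in FLAG_BITS)

def aggregate(packets, idle_timeout=30.0):
    """Unidirectional 5-tuple flow cache: a packet joins the cached flow for its key
    unless that flow has been idle longer than idle_timeout, which expires it."""
    cache, finished = {}, []
    for ts, proto, src, dst, tcp_flags, length in packets:
        key = (proto, src, dst)
        flow = cache.get(key)
        if flow is not None and ts - flow.end > idle_timeout:
            finished.append(cache.pop(key))    # idle timeout: export the old flow
            flow = None
        if flow is None:
            flow = cache[key] = Flow(ts, ts, proto, src, dst)
        flow.end, flow.flags = ts, flow.flags | tcp_flags
        flow.packets, flow.bytes = flow.packets + 1, flow.bytes + length
    finished.extend(cache.values())            # flush the cache at end of input
    return sorted(finished, key=lambda f: f.start)

def format_record(f):
    """Render a flow in the column layout of the slide's example (HH:MM:SS.mmm start)."""
    h, rem = divmod(int(f.start), 3600)
    m, s = divmod(rem, 60)
    return (f"{h:02d}:{m:02d}:{s:02d}.{round(f.start % 1 * 1000):03d} {f.end - f.start:.3f} "
            f"{f.proto} {f.src[0]}:{f.src[1]} -> {f.dst[0]}:{f.dst[1]} "
            f"{f.flag_string()} {f.packets} {f.bytes}")

# constructed packet trace: (timestamp, proto, src, dst, TCP flag bits, bytes on the wire)
C, S = ("172.16.96.48", 15094), ("209.85.135.147", 80)
T0 = 9 * 3600 + 41 * 60 + 21.763               # 09:41:21.763 as on the slide
SAMPLE = [(T0, "TCP", C, S, 0x02, 60), (T0 + 0.030, "TCP", S, C, 0x12, 60),
          (T0 + 0.031, "TCP", C, S, 0x10, 52), (T0 + 0.040, "TCP", C, S, 0x18, 551),
          (T0 + 0.041, "TCP", S, C, 0x10, 52), (T0 + 0.090, "TCP", S, C, 0x18, 1430),
          (T0 + 0.101, "TCP", C, S, 0x11, 52), (T0 + 0.117, "TCP", S, C, 0x11, 52)]
```

Calling `format_record` on each flow from `aggregate(SAMPLE)` yields the client record exactly as on the slide; a later packet with the same key arriving after the idle timeout starts a third flow instead of extending the first.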

  3. The Past

  4. History of Flow Monitoring: IETF Internet Accounting Working Group
     - First mention of a flow export in RFC 1272, published in 1991
       - The goal was to provide background information on Internet accounting
       - How to deploy it, how to collect and process data
     - The common belief was that monitoring is intrusive
       - It was generally frowned upon
     - Lack of interest led to conclusion of the WG in 1993
     - Negative attitude towards monitoring persists even now (RFC 7258)

  5. History of Flow Monitoring: IETF Realtime Traffic Flow Measurement WG
     - "A method for Internet traffic flow profiling based on packet aggregation", presented by Claffy et al. in 1995
     - Renewed interest in flow monitoring
     - Establishment of the IETF RTFM WG (1996 - 2000)
       - Published RFCs covering a flow measurement framework
       - Even bidirectional flow export
     - Again, lack of interest from vendors → no standards emerged
     - The WG was concluded, its goals finished.

  6. History of Flow Monitoring: Cisco and NetFlow
     - Information about packet flows stored in routers and switches
       - Similar flow information as proposed by RTFM
       - The main goal is packet switching/routing, not monitoring
       - The configuration and features of the monitoring process are limited
     - NetFlow was patented in 1996
     - General public was using NetFlow v5, available from circa 2002
       - Official specification for NetFlow v5 was never released
       - Inconsistencies occurred as some elements were reused for different purposes
     - NetFlow v9 superseded v5 and is used even now

  7. History of Flow Monitoring: Other Vendors
     - Everybody had to have their own protocol
       - Very similar; NetFlow remained the most well known and used
     - Juniper: JFlow
       - Current version is JFlow v9
     - Alcatel-Lucent (now Nokia): CFlow
       - Versions v9 and v10 interoperable with NetFlow v9 and IPFIX respectively
     - Ericsson: RFlow
       - Uses NetFlow v5 format
     - Many others: Huawei (NetStream), Citrix (AppFlow), ...

  8. History of Flow Monitoring: Lo and Behold, IPFIX
     - 2001: flow monitoring is clearly an item now
       - No standard protocol exists (NetFlow v5 not even public yet)
     - IETF IP Flow Information eXport WG
       - Many goals on the charter, but the primary one was to create a flow export protocol
       - WG specified requirements and let vendors submit their proposals
       - Cisco NetFlow v9 codified in RFC 3955 to compete
       - NetFlow v9 was the most advanced protocol → selected as a base for IPFIX
       - IPFIX sometimes called NetFlow v10
     - IPFIX WG concluded in 2014
       - Published 29 RFCs, some work continues beyond the WG

  9. History of Flow Monitoring: Security and Flow Monitoring
     - Cisco proposed to use flows for anomaly detection and traffic analysis in 2005
       - Used mostly for accounting and network management until then
     - The quality of flows had to improve
       - Sampling has a negative impact → dedicated probes
     - L7 information in flows (Flexible NetFlow Technology by Cisco in 2006)
       - Analysis of HTTP, TLS, SSH, DNS, SMTP, ...
     - Cisco Joy (2016)
       - Application data, statistical data beyond simple counters

  10. The Present

  11. Current State of Flow Monitoring: Growing Speed of Networks
      [Figure: "10G, 25G, 40G and 100G: Seeing Broad Adoption in Data Center", source: http://techblog.comsoc.org/tag/25-100g-ethernet/]

  12. Current State of Flow Monitoring: Growing Speed of Networks
      - 100G+ network probes (L2-L4) using HW accelerated NICs
        - Always with custom kernel drivers and userspace libraries
        - FPGA vs ASIC
        - Basic acceleration (RSS, timestamps) provided by commodity cards
      - L7 monitoring up to 10G
        - Processing payloads requires a lot more performance
      - Parallelisation of the monitoring
        - Utilisation of multicore CPUs

  13. Current State of Flow Monitoring: Growing Amount of Encrypted Traffic
      - Wide adoption of encryption:
        - TLS used to encapsulate everything (HTTP/2 implementations require TLS)
        - WireGuard VPN
      - Some information remains disclosed even for encrypted traffic:
        - Initialisation of the encrypted connection is usually unencrypted
        - TLS up to version 1.3 discloses certificates
        - SNI still available, but propositions are being made to encrypt it
      [Figure: timeline of an encrypted connection: initial handshake → authentication and shared secret establishment → confirmation → authenticated and encrypted data exchange; the initialisation phase is unencrypted, the data transport phase is encrypted]

  14. Current State of Flow Monitoring: Encrypted Traffic Classification
      - Identification of encrypted protocols is often not possible
        - Unencrypted payload does not provide enough information
      - Machine learning and statistical methods can be used
      - Current problems of machine learning on network flow data:
        - Not enough features to work with
        - Labelled data are needed for semi-supervised and supervised ML
        - Training on static data sets

  15. The Future

  16. The Future of Flow Monitoring: Monitoring beyond 100G
      - Distributed architecture
        - Divide the traffic to multiple devices and process separately
      - Limited set of features
        - Collecting only basic statistics
        - L7 is encrypted anyway
      - Further hardware acceleration
        - New chips come with more memory and performance
        - Implement most of the monitoring process in dedicated HW

  17. The Future of Flow Monitoring: Machine Learning I.
      - Need for features
        - Per-packet information is needed (size, timestamp)
        - Flows must be extended to collect these features
        - Accuracy vs amount of data
      - Performance of ML
        - Training is costly
        - HW acceleration chips for ML (Huawei)
        - Compute directly on packets?
      - Accuracy of ML
        - Network traffic properties are changing
        - Accuracy decreases over time → need to periodically retrain models
        - Training on a stream of data

  18. The Future of Flow Monitoring: Machine Learning II.
      - Ground truth
        - Labelled data are needed for semi-supervised and supervised ML
        - Manually created data sets vs manually annotated real network traffic
        - Continuous retraining needs continuous ground truth
      - Getting the ground truth
        - Data from other sources (server logs, DNS logs, IDS, ...)
        - Combine the data with flows → labelled dataset
        - Allows continuous retraining
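One concrete form of "combine the data with flows", as an added example not taken from the slides: each flow is joined with the DNS log of the same client, taking the most recent answer that resolved the flow's destination address before the flow started and is still within its TTL; flows with no valid preceding answer stay unlabelled rather than getting a stale name. The DNS log and flow records are constructed sample data, and the join key, field layout and TTL rule are this example's own assumptions.

```python
import bisect
from collections import defaultdict

# constructed DNS log entries: (timestamp, client_ip, query_name, answer_ip, ttl_seconds)
DNS_LOG = [
    (100.0, "10.0.0.5", "www.example.com", "93.184.216.34", 300),
    (101.0, "10.0.0.5", "cdn.example.net", "203.0.113.7", 60),
    (150.0, "10.0.0.9", "mail.example.org", "198.51.100.2", 300),
]
# constructed flow records: (start, src_ip, dst_ip, dst_port)
FLOWS = [
    (100.4, "10.0.0.5", "93.184.216.34", 443),   # resolved 0.4 s earlier
    (170.0, "10.0.0.5", "203.0.113.7", 443),     # answer's 60 s TTL has expired
    (151.0, "10.0.0.9", "198.51.100.2", 25),
    (152.0, "10.0.0.9", "192.0.2.1", 22),        # never resolved by this client
]

def build_index(dns_log):
    """Per (client_ip, answer_ip): time-ordered list of (timestamp, name, ttl)."""
    idx = defaultdict(list)
    for ts, client, name, ip, ttl in sorted(dns_log):
        idx[(client, ip)].append((ts, name, ttl))
    return idx

def label_flow(idx, flow):
    """Name the client resolved for the flow's destination just before it started, or None."""
    start, src, dst, _ = flow
    entries = idx.get((src, dst), [])
    times = [e[0] for e in entries]
    i = bisect.bisect_right(times, start) - 1   # last answer at or before flow start
    if i < 0:
        return None                             # no preceding resolution at all
    ts, name, ttl = entries[i]
    return name if start - ts <= ttl else None  # only trust an answer within its TTL

def label_dataset(dns_log, flows):
    """Return [(flow, label)] pairs; unlabelled flows carry None and can be filtered out."""
    idx = build_index(dns_log)
    return [(flow, label_flow(idx, flow)) for flow in flows]
```

Rerunning `label_dataset` over each new window of flows and DNS logs gives the continuously refreshed ground truth the slide asks for; the labelled subset is what the model is retrained on.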

  19. The Future of Flow Monitoring: Quality of Flow Data
      - Flow data is used for anomaly and attack detection
      - Does quality of flow data matter?
        - Impact of data loss, imprecise timestamps
        - Especially for machine learning
      - Balance quality and performance

  20. THANK YOU FOR YOUR ATTENTION!
      Petr Velan
      https://csirt.muni.cz/
      @csirtmu
      velan@ics.muni.cz
