Understanding Patterns of Understanding Patterns of TCP Connection - PowerPoint PPT Presentation

The UNIVERSITY UNIVERSITY of of NORTH CAROLINA NORTH CAROLINA Motivation Motivation The at at CHAPEL HILL CHAPEL HILL Modeling Internet Traffic Modeling Internet Traffic Understanding Patterns of Understanding Patterns of TCP Connection Usage TCP Connection Usage with Statistical Clustering with Statistical Clustering INTERNET Félix Hernández-Campos Félix Hernández-Campos Kevin Jeffay Andrew Nobel Kevin Jeffay Andrew Nobel Don Smith Don Smith Department of Computer Science Department of Computer Science Department of Statistics Department of Statistics http://www.cs.unc.edu/Research/dirt 1 1 2 2 Motivation Motivation Motivation Motivation Modeling Internet Traffic Experimental Networking Research Modeling Internet Traffic Experimental Networking Research • Evaluating network technologies requires Evaluating network technologies requires realistic realistic • Web Browser Web Browser Email Server Email Server experiments experiments in a controlled laboratory environment in a controlled laboratory environment • A key component of these experiments is the • A key component of these experiments is the traf fi c traf fi c workload workload – Traf fi c is created by distributed applications running at the Traf fi c is created by distributed applications running at the – end hosts end hosts • A natural approach for traf fi c generation is to • A natural approach for traf fi c generation is to simulate these applications using models of their simulate these applications using models of their behavior behavior – This is known as – This is known as source-level modeling source-level modeling Internet Traffic Email Client Email Client Web Server Web Server 3 3 4 4

Internet Traffic Mixes Internet Traffic Mixes Difficulties in Source-Level Modeling Difficulties in Source-Level Modeling Internet2 Applications (Nov 4 2002) Internet2 Applications (Nov 4 2002) NNTP Newsgroups • Real • Real Internet traf fi c is the result of aggregating many Internet traf fi c is the result of aggregating many Individual Packets HTTP Web individual applications into a traf fi c mix traf fi c mix individual applications into a Applications FTP File Transfer • Requires protocol speci fi cations • Requires protocol speci fi cations File Sharing File Sharing Audio/Video – – Closed applications have to be reverse engineered Closed applications have to be reverse engineered Audio/Video Groups of Misc Misc • Applications change quickly • Applications change quickly Applications Encrypted Encryption • Privacy considerations complicate data acquisition • Privacy considerations complicate data acquisition Games Games Unidentified Unidentified � It is simply infeasible to develop models for each � • Dozens of different applications are commonly used • Dozens of different applications are commonly used It is simply infeasible to develop models for each application and maintain them up to date application and maintain them up to date • There is a large percentage of unidenti fi ed traf fi c • There is a large percentage of unidenti fi ed traf fi c 5 5 6 6 Our Approach Our Approach Modeling of Internet Traffic Mixes Modeling of Internet Traffic Mixes Finding Patterns in TCP Connections Goals Goals Finding Patterns in TCP Connections • Develop source-level models of traf fi c mixes Develop source-level models of traf fi c mixes • Modeling of data exchange patterns in TCP Modeling of data exchange patterns in TCP • • connections connections – Easy to populate and update – Easy to populate and update – Application-independent, network-independent Application-independent, network-independent – Derived from very large data sets – Derived from very large data sets – � � Model communication patterns in an abstract manner • Statistical clustering of TCP connection patterns • Statistical clustering of TCP connection patterns Model communication patterns in an abstract manner – Find the fundamental subpopulations Find the fundamental subpopulations – Application-independent source-level modeling – Application-independent source-level modeling – – Construct empirical or parametric models of subpopulations Construct empirical or parametric models of subpopulations – • Construct fl exible traf fi c generators • Construct fl exible traf fi c generators • Development of new, fl exible traf fi c generators Development of new, fl exible traf fi c generators • – Reproduce a wide range of traf fi c mixes Reproduce a wide range of traf fi c mixes – – Cluster-based synthetic traf fi c Cluster-based synthetic traf fi c – � Find the fundamental patterns of communication � Find the fundamental patterns of communication • Validation Validation • – Cluster-based traf fi c generation – Cluster-based traf fi c generation – Compare synthetic traf fi c with some Compare synthetic traf fi c with some gold standard gold standard – 7 7 8 8

Modeling of Data Exchange Patterns Modeling of Data Exchange Patterns Modeling of Data Exchange Patterns Modeling of Data Exchange Patterns ADU Inference from TCP Packet Headers ADU Inference from TCP Packet Headers ADU Inference from TCP Packet Headers ADU Inference from TCP Packet Headers Caller Callee Caller Callee Caller Callee Caller Callee SYN SYN SYN SYN C K C K S Y N N - - A A C K S Y N N - - A A C K S Y S Y ACK ACK ACK ACK DATA DATA DATA DATA seqno seqno seqno seqno 305 305 305 305 ackno ackno ackno ackno 1 1 bytes 1 1 305 305 bytes 3 3 0 0 5 5 3 3 0 0 5 5 a c c k k n n o o a c c k k n n o o 1 a 1 a q n n o o 1 q n n o o 1 K s s e e q K s s e e q A A C C K A A C C K 5 5 o 3 3 0 0 5 o 3 3 0 0 5 1 a a c c k k n n o a a c c k k n n o 1 1 4 4 6 6 1 1 1 4 4 6 6 1 1 e q n n o o e q n n o o s s e q s s e q A A D D A A T T A D D A A T T A 2876 bytes bytes 2876 3 0 0 5 5 3 0 0 5 5 a c k k n n o o 3 a c k k n n o o 3 2 8 7 7 6 6 a c 2 8 7 7 6 6 a c q n o o 2 8 q n o o 2 8 s s e e q n s s e e q n D A A T T A A D A A T T A A D D TIME TIME TIME TIME ACK ACK ACK ACK seqno seqno 305 seqno 305 305 seqno 305 ackno ackno ackno ackno 2876 2876 2876 2876 N N F F I I N F F I I N FIN-ACK FIN-ACK FIN-ACK FIN-ACK FIN FIN FIN FIN - A C C K K - A C C K K F F I I N N - A F F I I N N - A 9 9 10 10 Modeling of Data Exchange Patterns Modeling of Data Exchange Patterns Modeling of Data Exchange Patterns Modeling of Data Exchange Patterns ADU Inference from TCP Packet Headers ADU Inference from TCP Packet Headers HTTP Connection (Web Traffic) HTTP Connection (Web Traffic) Web Browser Web Browser Web Server Web Server • Communication pattern was ( • Communication pattern was ( a a 1 1 , , b b 1 1 ) ) SYN SYN – E.g. E.g. , (305 bytes, 2,876 bytes) , (305 bytes, 2,876 bytes) – HTTP HTTP C K K S Y N N - - A A C S Y ACK ACK Request Request HTTP HTTP 305 bytes bytes 305 Request Request HTTP o 3 3 0 0 5 5 HTTP a c c k k n n o 1 1 a e q n n o o K s s e q 305 bytes 305 bytes A A C C K Response Response Web Client Web Client 2,876 bytes bytes 2,876 TIME TIME ACK ACK seqno 305 Web Server seqno 305 Web Server ackno ackno 2876 2876 TIME TIME N F F I I N HTTP HTTP FIN-ACK FIN-ACK Response Response FIN FIN 2,876 bytes bytes 2,876 N - A A C C K K F F I I N - 11 11 12 12