a case for packet sampling a case for packet sampling
play

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, - PowerPoint PPT Presentation

Oct 07, 2022 •328 likes •448 views

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence Center for Autonomic Networking Technologies Motivation: FloCon FloCon 2005 2005 Motivation: FloCon05 participants: We dont believe in

  1. A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence Center for Autonomic Networking Technologies

  2. Motivation: FloCon FloCon 2005 2005 Motivation: FloCon05 participants: “We don’t believe in Sampling” � Happy to use flow data � Very skeptical to packet sampling FloCon 2006 Panel 2

  3. The Problem: Limited Resources The Problem: Limited Resources � Full packet capture at each node not feasible – Increasing data rates – Hardware costs Additional CPU load for running NetFlow on different routers* – Privacy concerns � Resources are limited – Storage – Processing – Transmission We cannot measure everything *source: NetFlow Performance Analysis, Cisco white paper http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/ntfo_wpa.jpg FloCon 2006 Panel 3

  4. Solution1: Flow Data Solution1: Flow Data � Grouping of packets into flows (classification) � Reporting of flow information only � Disadvantages: – Per-packet information is lost – Information and effort depends on flow definition Flow Info: 5x 2x 1x Record Generation Classification FloCon 2006 Panel 4

  5. Flow Data Generation Flow Data Generation Traffic Mix: Traffic Mix: <s 1 , t 1 , c 1 >, <s 2 , t 2 , c 2 >, ... <s N , t N , c N > <s 1 , t 1 , c 1 >, <s 2 , t 2 , c 2 >, ... <s N , t N , c N > Classification Classification Flows: Flows: FlowID 1: FlowID 1: FlowID 2: FlowID 2: FlowID 3: FlowID 3: <s 1 , t 1 , c 1 > <s 1 , t 1 , c 1 > <s 2 , t 2 , c 2 > <s 2 , t 2 , c 2 > <s 5 , t 5 , c 5 > <s 5 , t 5 , c 5 > <s 4 , t 4 , c 4 > <s 4 , t 4 , c 4 > <s 3 , t 3 , c 3 > <s 3 , t 3 , c 3 > <s 7 , t 7 , c 7 > <s 7 , t 7 , c 7 > <s 8 , t 8 , c 8 > <s 8 , t 8 , c 8 > <s 6 , t 6 , c 6 > <s 6 , t 6 , c 6 > <s 9 , t 9 , c 9 > <s 9 , t 9 , c 9 > Record Record Record Aggregation Aggregation Aggregation Aggregation Aggregation Aggregation Generation Generation Generation Flow Characteristics: Flow Characteristics: <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > <N f , µ f , f , … > � Information about packets is discarded � Available information depends on – Flow definition – Flow characteristics that are reported FloCon 2006 Panel 5

  6. Solution2: Packet Sampling Solution2: Packet Sampling � Random Selection of some packets – Report parts or full packet information – Estimation of metrics based on sample � Provides different viewpoint – Packet data can reveal further information – Sampled data sufficient for some metrics � Helps to protect measurement infrastructure during attack Packet Inspection Sampling FloCon 2006 Panel 6

  7. Sampling: State of Art Sampling: State of Art attack detection as protect infrastructure target application First Sampling sFlow Workshop DDos detection IPFIX PSAMP 2005 [RFC3176] flow volume stratified adaptive sample+hold [Zseb05] [EsKM04] [EsVa01] load change detection SLA/QoS (trajectory) ATM hash emulation proportion stratified [DuGr00] [NiMD04], [MoND05] [CoGi98] [Zseb02] [Zseb03] anomaly detection with hypothesis testing total volume flow sampling adaptive time vs. count [DuLT01] [ChPZ02] [ClPB93] packet-count per flow 2-run adaptive [KoLM04] [JePP92] [DrCh98] packet-count [AmCa89] 1990 1995 2000 2001 2002 2003 2004 2005 FloCon 2006 Panel 7

  8. Packet Sampling Packet Sampling Real metric substituted by estimate � Accuracy statement is essential Accuracy depends on – Sampling scheme – Estimation method – Position of sampling process in measurement sequence – Population characteristics (e.g. variance of metric of interest) FloCon 2006 Panel 8

  9. A Simple Example A Simple Example Goal: Estimation of packet proportions (e.g. TCP-SYN packets in a flow) m M = ˆ = P P Estimate: Real proportion: N n ( ) ⋅ − − P 1 P N n σ = ⋅ Estimation Accuracy (random n-of-N): − ˆ P n N 1 ( ) − ⋅ σ ≤ ≤ + ⋅ σ = − α ˆ ˆ Prob P z P P z 1 Confidence Limits: ˆ ˆ c c P P Example: - Measurement interval with N=10,000 packets - Random packet selection 1% (n=100) σ = P = ˆ � 0.8226 � P � 0.977, with 99% confidence � 0.03 0.9 ˆ P P = ˆ � same accuracy 0.1 σ = � 0.371 � P � 0.629, with 99% confidence P = ˆ (worst case) � 0.05 0.5 ˆ P Works with other packet properties, too! FloCon 2006 Panel 9

  10. Advise Advise � Don’t restrict your analysis to flow data – Include further viewpoints – Use sampling in addition or as alternative to flow data � Trust the power of statistics – It’s a mature and well established field � full range of proven techniques � Use sampling where applicable – Applicability depends on traffic profile, metric of interest, accuracy demand � Sampled data sufficient to detect large events (high volumes, high packet counts) � May be sufficient to estimate #pkts with specific properties (e.g. SYN, VoIP packets, small packets, packets with same content, etc.) � Others � depends on scenario – Difficulties with rare events (stealth attacks, slow port scans) – Not suitable to re-assemble connections (but filtering may be) FloCon 2006 Panel 10

  11. Thank you for your Thank you for your attention! attention!

Recommend

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for IP Packet Selection draft-ietf ietf- -psamp psamp-sample-tech-00.txt -sample-tech-00.txt draft- Tanja Zseby, FhG FOKUS Maurizio Molina, NEC

600 views • 12 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 4 25 Background Anomaly Detection:

331 views • 20 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
What is the strengths and weakness of these sampling methods? Sampling Strengths /

What is the strengths and weakness of these sampling methods? Sampling Strengths /

Session 6. Sampling and Sample size Sampling: What are the different sampling methods used? In PIA: Convenience sampling Purposive sampling Random sampling What is the strengths and weakness of these sampling methods? Sampling

219 views • 5 slides
Sampling Distributions Sampling Distribution of the Mean &amp; Hypothesis Testing Sampling

Sampling Distributions Sampling Distribution of the Mean &amp; Hypothesis Testing Sampling

Sampling Distributions Sampling Distribution of the Mean &amp; Hypothesis Testing Sampling Remember sampling? Part 1 of definition Selecting a subset of the population to create a sample Generally random samplingusing

975 views • 55 slides
Newfound Water Quality Sampling: In Lake Sampling 8 Historic Sampling locations

Newfound Water Quality Sampling: In Lake Sampling 8 Historic Sampling locations

Newfound Water Quality Sampling: In Lake Sampling 8 Historic Sampling locations Initial Sampling in 1986 Standard Measurements include: Total Phosphorus, Chlorophyll and Secchi Disk Transparency Determine long term trends,

599 views • 26 slides
A Case for Clumsy Packet Processors Arindam Mallik and Gokhan Memik Electrical and Computer

A Case for Clumsy Packet Processors Arindam Mallik and Gokhan Memik Electrical and Computer

A Case for Clumsy Packet Processors Arindam Mallik and Gokhan Memik Electrical and Computer Engineering Dept. Northwestern University Overview Faults Correctness is overrated What if the higher levels take care of it? Processor

709 views • 26 slides
Mathematics in the Sciences Eggeling et al. Gibbs sampling for parsMMs with latent variables 1

Mathematics in the Sciences Eggeling et al. Gibbs sampling for parsMMs with latent variables 1

Introduction Gibbs sampling algorithm Case studies Gibbs sampling for parsimonious Markov models with latent variables Ralf Eggeling 1 , Pierre-Yves Bourguignon 2 , Andr e Gohr 1 , Ivo Grosse 1 1 Martin Luther University Halle-Wittenberg 2 Max

522 views • 38 slides
Overview of Sampling Topics (Shannon) sampling theorem Impulse-train sampling

Overview of Sampling Topics (Shannon) sampling theorem Impulse-train sampling

Overview of Sampling Topics (Shannon) sampling theorem Impulse-train sampling Interpolation (continuous-time signal reconstruction) Aliasing Relationship of CTFT to DTFT DT processing of CT signals DT sampling

848 views • 67 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
Sampling frequency and uncertainty: Examples from Norwegian case studies Eva Skarbvik &amp; Per

Sampling frequency and uncertainty: Examples from Norwegian case studies Eva Skarbvik &amp; Per

Helcom workshop May 18, 2015 Sampling frequency and uncertainty: Examples from Norwegian case studies Eva Skarbvik &amp; Per Stlnacke Bioforsk Norwegian Institute for Agricultural and Environmental Research Focus on: loads and

368 views • 36 slides
Sampling of probability measures in the convex order and approximation of Martingale Optimal

Sampling of probability measures in the convex order and approximation of Martingale Optimal

Introduction Sampling in the convex order The dimension 1 case Sampling in the convex order in higher dimensions Numerical results Sampling of probability measures in the convex order and approximation of Martingale Optimal Transport problems

641 views • 37 slides
Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet

Lab 1: Packet Sniffing and Wireshark Fengwei Zhang SUSTech CS 315 Computer Security 1 Packet Sniffer Packet sniffer is a basic tool for observing network packet exchanges in a computer Capturing (sniffs) packets being

485 views • 13 slides
SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to

SAMPLING Week 6 Slides ScWk 240 1 Purpose of Sampling Why sampling? - to study the whole popula5on? A major reason studying samples rather than the

288 views • 16 slides
The ICPC Process Case worker finds possible placement for child out of state. Placement packet

The ICPC Process Case worker finds possible placement for child out of state. Placement packet

4/22/15 The ICPC Process Case worker finds possible placement for child out of state. Placement packet completed and submitted The he N National E Electronic I Interstate to central ICPC office in state. Compact E Enterprise (

411 views • 4 slides
Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #)

Curriculum &amp; Activities Night Class of 2020 Packet Information IMPORTANT LABEL ON RIGHT HAND SIDE OF PACKET Shoe, Gym 11111 (Student ID #) Feeder School Name NEON GREEN sticker on front of packet = MISSING EXPLORE Appointment date

99 views • 6 slides
Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How to authenticate a data packet containing the electricity usage of a room at certain time? Data is signed, but how to verify the signature?

224 views • 19 slides
Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede

Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede

Modelling of Packet Loss in an Asynchronous Packet Switch using PEPA Wim Vanderbauwhede Department of Computing Science University of Glasgow September 6, 2005- WV 1 Overview Asynchronous Packet Switch Building the PEPA Model

658 views • 26 slides
Case-base sampling for fitting and validating prognostic models Workshop on Statistical Issues in

Case-base sampling for fitting and validating prognostic models Workshop on Statistical Issues in

Case-base sampling for fitting and validating prognostic models Workshop on Statistical Issues in Biomarker and Drug Co-development Fields Institute, Toronto Olli Saarela Dalla Lana School of Public Health, University of Toronto November 8,

921 views • 55 slides
Composite and Discrete Sampling to Attain Risk-Based Site Characterization Objectives - A Case

Composite and Discrete Sampling to Attain Risk-Based Site Characterization Objectives - A Case

Composite and Discrete Sampling to Attain Risk-Based Site Characterization Objectives - A Case History Mark C. Gemperline Bureau of Reclamation About this presentation Case history of a site characterization which utilized both composite

567 views • 30 slides
A novel approach to competing risks analysis using case-base sampling Maxime Turgeon June 10th,

A novel approach to competing risks analysis using case-base sampling Maxime Turgeon June 10th,

A novel approach to competing risks analysis using case-base sampling Maxime Turgeon June 10th, 2017 McGill University Department of Epidemiology, Biostatistics, and Occupational Health 1/19 Acknowledgements This project is joint work with:

956 views • 71 slides
Double, Multiple, and Sequential Sampling Double-sampling In a double-sampling plan, a first

Double, Multiple, and Sequential Sampling Double-sampling In a double-sampling plan, a first

ST 435/535 Statistical Methods for Quality and Productivity Improvement / Statistical Process Control Double, Multiple, and Sequential Sampling Double-sampling In a double-sampling plan, a first sample of size n 1 is inspected, revealing d 1

249 views • 13 slides
OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite

OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite

PROGRAM OUTLINE THE BEAUTY SAMPLING BAR WHAT IS IT? CUSTOMIZED BEAUTY SAMPLING FOR A CAUSE Onsite sampling bar station located the highly-trafficked foyer area directly from the lobby High-end environment with clear dispensers

398 views • 8 slides

More recommend