internet traffic analysis modeling with real world aspects
play

Internet Traffic: Analysis, Modeling with real-world aspects Pierre - PowerPoint PPT Presentation

Oct 25, 2022 •104 likes •716 views

Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon, Laboratoire de Physique (UMR

  1. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS – ENS Lyon, Laboratoire de Physique (UMR 5672) TERA-NET – 07/2010

  2. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + • Internet traffic metrology: some basics • Analysis: Scale Invariance, LRD, Robust Estimation • Modeling: LRD / Heavy-Tails • Anomaly Detection; Host classification • Acknowledgements • P Abry, G Dewaele, P Flandrin, A Scherrer, P Gonçalves, P Loiseau, P Primet (Lyon, ENSL, CNRS & INRIA) • Ph Owezarksi, N Larrieu (LAAS-CNRS) Metrosec (ACI Sécurité & Informatique), ANR OSCAR JL Guillaume, M Latapy, C Magnien (LIP6) • K Fukuda, R Fontugne, Y Himura (NII), K Cho (IIJ) (Tokyo) • D Veitch, N Hohn (Melbourne Univ.) • O Michel (GIPSA-lab, INPGrenoble)

  3. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + • Internet traffic metrology: some basics • Analysis: Scale Invariance, LRD, Robust Estimation • Modeling: LRD / Heavy-Tails • Anomaly Detection; Host classification • Acknowledgements • P Abry, G Dewaele, P Flandrin, A Scherrer, P Gonçalves, P Loiseau, P Primet (Lyon, ENSL, CNRS & INRIA) • Ph Owezarksi, N Larrieu (LAAS-CNRS) Metrosec (ACI Sécurité & Informatique), ANR OSCAR JL Guillaume, M Latapy, C Magnien (LIP6) • K Fukuda, R Fontugne, Y Himura (NII), K Cho (IIJ) (Tokyo) • D Veitch, N Hohn (Melbourne Univ.) • O Michel (GIPSA-lab, INPGrenoble)

  4. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Traffic & Network Measurement Overview of networks properties • Heterogeneity (of information, devices, topologies, geography,...) • Evolve with time (new services, increased usage,...) • Complexity • individual elements � behaviour of the whole • interplay: architecture / protocols / usages • Crucial choice: level of description • Information flows? → Signals • Network’s level? → Graphs, or Multivariate Signals → Need for a statistical approach

  5. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Traffic & Network Measurement: What for? • Analysis of networks: (protocols, routeurs, provisioning,...) • Modeling of traffic and of its properties • Classification or recognition of traffic (with new needs: Peer to Peer, real-time, wireless,...) • Définition of service agreements (Pricing, QoS, Committed QoS...) • Security of Networks; Intrusion Detection Systems; Anomaly Detection (DDoS, scans, computer virus, worms, outages...) [ACI METROPOLIS 2001, AS Métrologie des réseaux de l’Internet 2003, ACI METROSEC 2007,...]

  6. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Passive Measurements of traffic • On networks: Internet Protocol → Packets+information • Monitoring facilities: add a time-stamp to data (dynamics) • link level , monitor packets: intercept (port-mirroring, splitter,...); capture (tcpdump, DAG, GNET,...); filter (...) Time IP Source Destination Source Destination protocol Address Address Port Port → Point processes (marked) • node level (routeur) → multivariate data Device: routeur ! Netflow (CISCO), flow-tools (Juniper) • network level → multivariate data, graph Synchronising several link or node monitoring?

  7. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Passive Measurements of traffic • → Huge stream of data. • Aggregated cout process = # of packets during ∆ Bin Size Time Time 2 3 2 4 5 2 3 4 4 3 5 3 8 Time 6 # Packets 4 2 0 0 0.2 0.4 0.6 0.8 1 time (s) ∆ = 1ms 10000 5000 0 0 10 20 30 40 50 60 time (min) ∆ = 1s • Problematic: understand the features of traffic

  8. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Short Biblio. on Longitudinal Traffic Analysis • Many works during the past 15 years. • Some Focus on newest application at the time: • FTP , Mail in early 90’s [kc claffy et al. , Comm. ACM 94] • Web, mid-90’s [Crovella & Bestravos, ToN 95] • P2P , early 2000’s [Karagiannis et al. , Globecom’04] • Video Streams, late 2000’s [Cha et al. , IMC’07] • ... • Anomalies: History of Scanning [Allman et al. , IMC’07] • Wireless, Mobile,... • Some focus on non-classical statistical properties: • ‘Failure of Poisson modeling’ / Self-similarity / Scaling / LRD [Leland et al. , 94] [Paxson & Floyd, 95], [Willinger et al. , 97], [Veitch & Abry, 01], [Cao et al. , 02], [Karagiannis et al. , 04], [Hohn et al. , 05], [Robeiro et al. , 05]

  9. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet traffic: not a simple renewal process The Failure of Poisson Modeling. Paxson & Floyd 1994 • If Internet ≃ phone • Packets would follow a Poisson process • Short-range correlations only • Aggregated traffic: Gaussian law (per Central Limit Thm) • The thruth: much more variabilities and burstiness ∆ =1ms ∆ =1ms 1s 1s ∆ =10ms ∆ =10ms 1s 1s ∆ =1s ∆ =1s 100s 100s IP Traffic Poisson Traffic

  10. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet traffic: not a simple renewal process The Failure of Poisson Modeling. Paxson & Floyd 1994 • If Internet ≃ phone • Packets would follow a Poisson process • Short-range correlations only • Aggregated traffic: Gaussian law (per Central Limit Thm) • The thruth: much more variabilities and burstiness ∆ =1ms 1s Slope −0.7 log10(Frequency) ∆ =10ms 1s ∆ =1s 100s 0 1 2 3 4 5 6 log10(#Pkts per flow) • # packets per ∆ � = Poisson distrib. • waiting times � = Exponential distribution • correlations � = short-range only

  11. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Traffic series: aggregation at several time-scales δ =12ms 10000 5000 0 50 100 150 200 250 300 350 400 450 500 δ =12 * 8 ms 8000 6000 4000 2000 0 50 100 150 200 250 300 350 400 450 500 δ =12 * 8 * 8 ms 6000 4000 2000 0 50 100 150 200 250 300 350 400 450 500 4000 δ =12 * 8 * 8 *8 ms 2000 0 50 100 150 200 250 300 350 400 450 500 • Same kinds of fluctuations seens at all the different levels

  12. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Marginal probability distributions Traffic trace LBL-TCP-3 (1994) • Empirical histograms of the # of packets per ∆ • Estimation: count the number of occurrences 0.7 0.1 0.02 0.6 0.08 0.5 0.015 0.06 0.4 0.01 0.3 0.04 0.2 0.005 0.02 0.1 0 0 0 0 2 4 6 8 10 0 10 20 30 40 50 0 50 100 150 200 250 ∆ = 4ms ∆ = 32ms ∆ = 256ms Gaussian: p ( x ) = e − ( x − µ ) 2 / 2 σ 2 • Exp. p ( x ) = e − x /β /β √ 2 πσ � α − 1 1 � x � − x � • Fit/Model: Gamma Γ α,β ( x ) = exp . β Γ( α ) β β

  13. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Marginal probability distributions Traffic trace LBL-TCP-3 (1994) • Empirical histograms of the # of packets per ∆ • Estimation: count the number of occurrences 0.7 0.1 0.02 0.6 0.08 0.5 0.015 0.06 0.4 0.01 0.3 0.04 0.2 0.005 0.02 0.1 0 0 0 0 2 4 6 8 10 0 10 20 30 40 50 0 50 100 150 200 250 ∆ = 4ms ∆ = 32ms ∆ = 256ms Gaussian: p ( x ) = e − ( x − µ ) 2 / 2 σ 2 • Exp. p ( x ) = e − x /β /β √ 2 πσ � α − 1 1 � x � − x � • Fit/Model: Gamma Γ α,β ( x ) = exp . β Γ( α ) β β

  14. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Long-Range Dependence (or Long Memory) The Self-Similar Nature of Ethernet Traffic. Leland, Taqqu, Willinger & Wilson 1993 Property of Long-Range Dependence (LRD) Covariance tends to a non-summable power-law (at large lags) ⇒ Spectrum F X ( ν ) ∼ c | ν | − γ , | ν | → 0 , avec 0 < γ < 1 . • Spectrum – (Wiener-Khintchine) → Correlation Z T 2 ˛ ˛ 1 Z ˛ e − i 2 πν t X ( t ) d t ˛ C X ( τ ) e − i 2 πντ d τ F X ( ν ) = = ˛ ˛ T ˛ ˛ 0 Self-similarity: statistical invariance under dilatation A random process { X ( t ) , t ≥ 0 } is self-similar with index H (“ H -ss”) if for all dilation factor λ > 0 , X ( λ t ) d = λ H X ( t ) , t > 0 . • H -ss for H > 0 . 5 ⇒ LRD.

  15. Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Time-Scale Representation Definition : Wavelet transform Shifted (time) and dilated (scale) versions of ψ 0 : ψ j , k ( t ) = 2 − j / 2 ψ 0 ( 2 − j t − k ) . Wavelet coefficients: d X ∆ ( j , k ) = � ψ j , k , X ∆ � . Efficient Algo. [Mallat 1989]

Recommend

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming

Effective and Real-time In-App Activity Analysis in Encrypted Internet Traffic Streams Junming Liu Yanjie Fu, Jingci Ming, Yong Ren Leilei Sun, Hui Xiong Rutgers University, USA Futurewei Technology. Inc,. USA Background 2/27 Explosive

297 views • 26 slides
Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

Internet Governance Forum the World Malta Internet Traffic Statistics Introduction

6/7/2011 Outline State of the Internet Internet Governance Forum the World Malta Internet Traffic Statistics Introduction Usage and trends Internet Governance Definition/s History and today Launch of Malta I

84 views • 6 slides
Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue

Traffic Classifier Real Time Classification and Analysis of T1/E1 Traffic 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com Website: http://www.gl.com 1 1 Traffic

228 views • 11 slides
Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance

Internet traffic measurements Renata Teixeira (Inria) Why measure traffic? Performance analysis Anomaly and intrusion detec=on Network engineering Traffic at different granulari=es IP-level packets Capture per-packet

539 views • 40 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Why is Internet traffic self-similar? Allen B. Downey Wellesley College No Micro$oft products

Why is Internet traffic self-similar? Allen B. Downey Wellesley College No Micro$oft products

Why is Internet traffic self-similar? Allen B. Downey Wellesley College No Micro$oft products were used in the preparation of this talk. What is self-similarity? Real-world: visually similar over range of spatial scales. Fractals:

641 views • 28 slides
Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019

19 Internet Traffic Analysis: Mohammed Alasmar Co Cosen ener ers, , 2019 2019 https://ieeexplore.ieee.org/document/8737483 Motivations Reliable traffic modelling is important for network planning, deployment and management;

447 views • 29 slides
Modeling the real world with Elixir and OTP Aish Raj Dahal Concurrency, Events and Why are

Modeling the real world with Elixir and OTP Aish Raj Dahal Concurrency, Events and Why are

Modeling the real world with Elixir and OTP Aish Raj Dahal Concurrency, Events and Why are we the Real World here? Case study of an Elixir use Tour of the BEAM and OTP Demo time! Epilogue How did we get here ? Can

1.13k views • 89 slides
An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates

An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates

An Empirical Study of Real Introduction Audio Traffic Internet is growing Web facilitates integration of streaming audio Radio juke boxes A. Mena and J. Heidemann Broadcast radio USC/Information Sciences Institute Live

414 views • 7 slides
Modeling and Analysis Issues in the Future Internet Hisashi Kobayashi Princeton University, USA

Modeling and Analysis Issues in the Future Internet Hisashi Kobayashi Princeton University, USA

Modeling and Analysis Issues in the Future Internet Hisashi Kobayashi Princeton University, USA NICT, Japan Keynote Speech at The 24 th International Teletraffic Congress, Krakow, Poland September 4-7, 2012 Outline The Internet: Its

1.96k views • 45 slides
An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis,

An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis,

An Internet-Wide Analysis of Traffic Policing Tobias Flach, Pavlos Papageorge, Andreas Terzis, Luis Pedrosa, Yuchung Cheng, Tayeb Karim, Ethan Katz-Bassett, Ramesh Govindan policing-paper@google.com 1 Internet Service Provider Content

588 views • 39 slides
TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute

H2020-ICT-15 GA 688722 TRAFFIC ANALYSIS: or... encryption is not enough Carmela Troncoso* IMDEA Software Institute Summer school on real-world crypto and privacy 9 th June 2016 *Thanks to George Danezis for sharing slides Privacy in

862 views • 33 slides
Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan

Protecting Data in Untrusted Locations An exercise in Real World threat modeling. Jan Schaumann 99CE 1DC7 770A C5A8 09A6 @jschauma 0DCD 66CE 4FE9 6F6B D3D7 Me. Errday. Obligatory James Mickens This World of Ours reference.

714 views • 40 slides
on the Internet of Things Software Project What is the Internet of Things? A system in which

on the Internet of Things Software Project What is the Internet of Things? A system in which

on the Internet of Things Software Project What is the Internet of Things? A system in which objects in the physical world can be connected to the Internet by sensors and actuators (coined 1999 by Kevin Ashton) Key aspects: E2E

343 views • 10 slides
Challenges of real-world data We face an explosion in data from e.g.: Internet

Challenges of real-world data We face an explosion in data from e.g.: Internet

Challenges of real-world data We face an explosion in data from e.g.: Internet transactions Satellite measurements Advances in Environmental sensors Privacy-Preserving Machine Learning

373 views • 6 slides
Internet Traffic Monitoring Tools and Analysis Presenta5on for

Internet Traffic Monitoring Tools and Analysis Presenta5on for

Internet Traffic Monitoring Tools and Analysis Presenta5on for Terena Javier Aracil Javier.aracil@uam.es Nov 15, 2013 Goals of this mee5ng We have been

228 views • 6 slides
Tasks for Actors Frank S. de Boer Main Problem Modeling and analysis of real-time distributed

Tasks for Actors Frank S. de Boer Main Problem Modeling and analysis of real-time distributed

Tasks for Actors Frank S. de Boer Main Problem Modeling and analysis of real-time distributed software systems Main Approach Executable modeling language for concurrent objects Main Research Context EU STREP Project Credo (FP6) on Modeling

386 views • 25 slides
Transportation Modeling and the Traffic Impact Analysis Process AMPO National Conference Clark

Transportation Modeling and the Traffic Impact Analysis Process AMPO National Conference Clark

Transportation Modeling and the Traffic Impact Analysis Process AMPO National Conference Clark County, NV October 2015 1 DISCLAIMER The views and opinions expressed during this presentation are those of the presenters and do not

819 views • 45 slides
Nonlinear state-dependent delay modeling and stability analysis of Internet congestion control

Nonlinear state-dependent delay modeling and stability analysis of Internet congestion control

Introduction Problem Network Model Stability Analysis Conclusion and Future Works Nonlinear state-dependent delay modeling and stability analysis of Internet congestion control Corentin Briat H. Hjalmarsson, K.H. Johansson, U. T. Jnsson,

299 views • 16 slides
New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas

New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas

New DNS Traffic Analysis Techniques to Identify Global Internet Threats Dhia Mahjoub and Thomas Mathew January 12 th , 2016 1 Dhia Mahjoub Technical Leader at OpenDNS PhD Graph Theory Applied on Sensor Networks Focus: Security, Graphs &amp;

1.04k views • 72 slides
XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( ) 2006.10 RSS is cool ! RSS RSS Really Simple Syndication Tired of checking your favorite news and blogs sites everyday?

786 views • 75 slides
A New Kid on the Block: CLINT - a Cryptographic Library for the INternet of Things Mike Scott

A New Kid on the Block: CLINT - a Cryptographic Library for the INternet of Things Mike Scott

A New Kid on the Block: CLINT - a Cryptographic Library for the INternet of Things Mike Scott CertiVox Ltd Real World Crypto, London, January 2014 A problem Academic Cryptographers ? Real Real World Crypto Figure: Communication Problem

632 views • 13 slides
HKIX 100G Network &amp; Internet Traffic due to World Cup HKNOG 6.1 Kenneth CHAN HKIX

HKIX 100G Network &amp; Internet Traffic due to World Cup HKNOG 6.1 Kenneth CHAN HKIX

HKIX 100G Network &amp; Internet Traffic due to World Cup HKNOG 6.1 Kenneth CHAN HKIX www.hkix.net 7 Sep 2018 HKIX Today Supports both MLPA (Multilateral Peering) and BLPA (Bilateral Peering) over layer 2 Supports IPv4/IPv6

384 views • 34 slides
The Digital Revolution The Internet has had a tremendous impact on many aspects. The

The Digital Revolution The Internet has had a tremendous impact on many aspects. The

18/10/2016 Are SMEs embracing the digital world? GRTU SME Week The Digital Revolution The Internet has had a tremendous impact on many aspects. The Digital Revolution Is The Industrial Revolution Of Our Time. How is it changing our

154 views • 14 slides

More recommend