large scale netflow information management
play

Large-scale NetFlow Information Management Adrien Raulot, Shahrukh - PowerPoint PPT Presentation

Aug 17, 2023 •277 likes •533 views

Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam Supervisor: Wim Biemolt (SURFnet) February 5, 2018 Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 1 / 24

  1. Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam Supervisor: Wim Biemolt (SURFnet) February 5, 2018 Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 1 / 24

  2. What is NetFlow? Traffic monitoring technology originaly developed by Cisco. Flow : “a set of IP packets passing an observation point in the network during a certain time interval. All packets belonging to a particular flow have a set of common properties.”[4] Important differences with regular packet capture methods: NetFlow considered to be less privacy sensitive NetFlow requires less computational resources for analysis Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 2 / 24

  3. What is NetFlow? Figure 1: Schematic overview of the NetFlow export process.[2] Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 3 / 24

  4. NetFlow Analysis Three main application areas[3]: Flow analysis and reporting Threat detection Performance monitoring Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 4 / 24

  5. NetFlow analysis techniques NfDump: Figure 2: Schematic overview of the NfDump tool set.[1] Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 5 / 24

  6. Netflow Analysis techniques Limitations of this setup[5]: Inefficient file-based store: NfDump typically stores NetFlow data in separate files for every 5 minutes time frame Very slow processing speed: each file is read line by line from the beginning. Therefore, analysis of large amounts of NetFlow data takes a lot of time. Limited analysis methods: as network situations are becoming more and more complex, new analysis approaches are required that allow for NetFlow data analysis. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 6 / 24

  7. Research question Which data analysis technique could be used in order to analyse the current SURFnet NetFlow data in a more time-efficient manner? Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 7 / 24

  8. What is Apache Hadoop? Framework for large datasets processing Distributed, local computation & storage Hadoop Distributed File System (HDFS) YARN (Yet Another Resource Negotiator) Batch, interactive & real-time jobs Designed to be scalable Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 8 / 24

  9. What is Apache Hadoop? Figure 3: Schematic overview of Hadoop 2.0. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 9 / 24

  10. What is Apache Spark? Hadoop-related project, but not only Powerful computing engine for Big Data processing In-memory Built-in modules for streaming, SQL, machine learning, etc. Binding for Java, Scala, Python and R Ease of use Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 10 / 24

  11. What is Apache Parquet? Data-store for Hadoop Column-oriented Fast access to data Figure 4: Schematic overview of a row vs column-oriented database. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 11 / 24

  12. Choice for analysis technique (summary) Figure 5: Apache Parquet Figure 6: Apache Hadoop Figure 7: Apache Spark logo. logo. logo. To-Do list: 1 Store NetFlow data into Parquet files on HDFS 2 Load Parquet files using PySpark (Python API) 3 Query the data using Spark SQL Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 12 / 24

  13. Experiments: test environment NfDump server specifications: Hadoop cluster specifications: 1x Dell PowerEdge R230 ∼ 100 nodes Intel Xeon CPU E3-1240L v5 @ ∼ 600 cores 2.10GHz ∼ 4TB of memory 4 cores ∼ 2PB of storage 16GB of RAM Apache Hadoop 2.7.2 ∼ 200GB of SSD storage Apache Spark 2.1.1 NfDump v1.6.12 Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 13 / 24

  14. Experiments: implementation 1 Convert NetFlow binary data to CSV nfdump -r nfcapd.201801011245 -o csv 2 Write two Spark jobs in Python: Converter: Converts CSV data to Parquet format Querier: Loads Parquet data & executes queries 3 Write SQL query query = ’SELECT ts, sa, da FROM nf_data’ 4 Using the Querier, execute and cache the results 5 Proceed with next operations on the cached results print results.count() print results.show() Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 14 / 24

  15. Experiments: test queries Retrieve all flows containing a specific IP address Retrieve all flows with a byte count larger than 100MBs List the top 10 of Telnet connections with only the SYN flag set in the IP header ordered by the number of bits per second List the top 10 of IP addresses receiving the largest amount of traffic Retrieve all flows with only the SYN flag set in the IP header Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 15 / 24

  16. Results: retrieve all flows containing a specific IP address 8 Execution time in minutes NfDump 6:42 Hadoop+Spark 6 4 3:33 2 1:05 0:33 0:08 0 5min 30min 1hr 3.5hrs 7hrs 5 Execution time in minutes 4 3:46 3:22 3:00 2:58 3 2:37 2 1 0 5min 30min 1hr 3.5hrs 7hrs Time frame Figure 8: Execution time of retrieving all flows containing a specific IP address. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 16 / 24

  17. Results: retrieve all flows with byte count > 100MB 8 Execution time in minutes 6:52 NfDump Hadoop+Spark 6 4 3:39 2 1:06 0:28 0:08 0 5min 30min 1hr 3.5hrs 7hrs 5 Execution time in minutes 4 3:15 3:09 3:07 2:53 2:50 3 2 1 0 5min 30min 1hr 3.5hrs 7hrs Time frame Figure 9: Execution time of retrieving all flows with byte count larger than 100MB. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 17 / 24

  18. Results: list top 10 Telnet connections with only SYN flag set ordered by bps 4 Execution time in minutes NfDump Hadoop+Spark 3 2:09 2 1 0:49 0:09 0 5min 30min 1hr 3.5hrs 7hrs 4 Execution time in minutes 3:22 3:15 3:15 3:09 3 2:29 2 1 0 5min 30min 1hr 3.5hrs 7hrs Time frame Figure 10: Execution time of retrieving the top 10 of Telnet connections with only the SYN flag set ordered by the number of bits per second. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 18 / 24

  19. Results: List top 10 IPs receiving most traffic 25 23:22 Execution time in minutes NfDump 20 Hadoop+Spark 15 11:12 10 5 4:04 1:25 0:19 0 5min 30min 1hr 3.5hrs 7hrs 5 Execution time in minutes 4:03 4 3:37 3 2:39 2:42 2:38 2 1 0 5min 30min 1hr 3.5hrs 7hrs Time frame Figure 11: Execution time of Retrieving the top 10 IP addresses receiving the largest amount of traffic. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 19 / 24

  20. Results: Retrieve all flows with only SYN flag set 100 Execution time in minutes 89:23 NfDump 80 Hadoop+Spark 60 41:44 40 20 11:53 5:22 1:02 0 5min 30min 1hr 3.5hrs 7hrs 5:52 6 Execution time in minutes 5:06 4 3:28 3:21 3:14 2 0 5min 30min 1hr 3.5hrs 7hrs Time frame Figure 12: Execution time of retrieving all flows with only the SYN flag set in the IP header. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 20 / 24

  21. Discussion Execution time of NfDump increases linearly with longer time frames. Hadoop scales very well: Execution time of Spark with Hadoop does not increase significantly when dealing with larger amounts of data. NfDump struggles with executing more complex queries, whereas this is no problem for Spark and Hadoop. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 21 / 24

  22. Conclusion and future work Combination of Hadoop and Apache Spark is a viable option for analyzing large-scale NetFlow data. Tuning and optimization to the Spark implementation and Hadoop cluster may lead to even better performance. Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 22 / 24

  23. Questions? Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 23 / 24

  24. References NfDump. http://nfdump.sourceforge.net/ . I. Cisco. NetFlow. Introduction to Cisco IOS NetFlow C a technical overview, 2007. R. Hofstede, P. ˇ Celeda, B. Trammell, I. Drago, R. Sadre, A. Sperotto, and A. Pras. Flow monitoring explained: From packet capture to data analysis with netflow and ipfix. IEEE Communications Surveys & Tutorials , 16(4):2037–2064, 2014. G. Sadasivan. Architecture for ip flow information export. Architecture , 2009. Z. Tian. Management of large scale NetFlow data by distributed systems. Adrien Raulot, Shahrukh Zaidi (UvA) Master’s thesis, NTNU, 2016. NetFlow Information Management February 5, 2018 24 / 24

Recommend

Large-Scale Geolocation for NetFlow Pavel eleda, Petr Velan, Martin Rbek Rick Hofstede, Aiko

Large-Scale Geolocation for NetFlow Pavel eleda, Petr Velan, Martin Rbek Rick Hofstede, Aiko

Large-Scale Geolocation for NetFlow Pavel eleda, Petr Velan, Martin Rbek Rick Hofstede, Aiko Pras {celeda|velan|xrabek1}@ics.muni.cz, {r.j.hofstede|a.pras}@utwente.nl IFIP/IEEE IM 2013, 27-31 May 2013, Ghent, Belgium Part I Introduction

297 views • 26 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Motivation Large-scale distributed systems becoming more common multiple datacenters, cloud

Census: Location-Aware Membership Management for Large-Scale Distributed Systems James Cowling Dan R. K. Ports Barbara Liskov Raluca Ada Popa Abhijeet Gaikwad* MIT CSAIL *cole Centrale Paris Motivation Large-scale distributed systems

606 views • 48 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale Information Access Technologies Evaluation and Testing Evaluation and Testing Noriko Kando Noriko Kando National Institute of Informatics, Japan

632 views • 61 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
LSS Large-Scale Systems Group Tallinn University of Technology LSS Paper Authors Large-Scale

LSS Large-Scale Systems Group Tallinn University of Technology LSS Paper Authors Large-Scale

Lowering Financial Inclusion Barriers With a Blockchain-Based Capital Transfer System Faculty of Information Technology TalTech University Assoc.Prof. Alex Norta, Ph.D. Blockchain.taltech.ee alex.norta.phd@ieee.org LSS Large-Scale Systems

511 views • 19 slides
Large-scale Implementation of Collaborative Care Management for Depression and Diabetes and/ or

Large-scale Implementation of Collaborative Care Management for Depression and Diabetes and/ or

Large-scale Implementation of Collaborative Care Management for Depression and Diabetes and/ or Cardiovascular Disease Claire Neely, MD, FAAP Chief Medical Officer Institute for Clinical Systems Improvement No conflicts to

719 views • 25 slides
Accelerating Large-scale Phase Field Simulation with GPU Jian Zhang Computer Network Information

Accelerating Large-scale Phase Field Simulation with GPU Jian Zhang Computer Network Information

Accelerating Large-scale Phase Field Simulation with GPU Jian Zhang Computer Network Information Center(CNIC), Chinese Academy of Sciences 2 Outline Outline Background Phase Field Model Large Scale Smiulations Compute intensive

493 views • 26 slides
The Dichroicon: Spectral Photon Sorting For Large-Scale Cherenkov and Scintillation Detectors

The Dichroicon: Spectral Photon Sorting For Large-Scale Cherenkov and Scintillation Detectors

The Dichroicon: Spectral Photon Sorting For Large-Scale Cherenkov and Scintillation Detectors Tanner Kaptanoglu University of Pennsylvania DUNE Module of Opportunity Workshop November 2019 Provide Photon Wavelength Information for Large-Scale

398 views • 29 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
The Dichroicon: Spectral Photon Sorting For Large-Scale Cherenkov and Scintillation Detectors

The Dichroicon: Spectral Photon Sorting For Large-Scale Cherenkov and Scintillation Detectors

The Dichroicon: Spectral Photon Sorting For Large-Scale Cherenkov and Scintillation Detectors Tanner Kaptanoglu December 2019 Goal: Provide Photon Wavelength Information for Large-Scale Neutrino Detectors For scintillator or water-based For

701 views • 33 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
Big data management and predictive analytics for customer transactions Large Scale Distributed

Big data management and predictive analytics for customer transactions Large Scale Distributed

Big data management and predictive analytics for customer transactions Large Scale Distributed Machine Learning & operations using Apache Spark and AWS BDA761 Big Data Mgmt in a Supercomputing environment MUDIT UPPAL Problem with Big

357 views • 15 slides
Large Scale Data Management with GridSite Web-centric data access and visualization Ian

Large Scale Data Management with GridSite Web-centric data access and visualization Ian

Large Scale Data Management with GridSite Web-centric data access and visualization Ian Stokes-Rees SBGrid/Sliz Lab Harvard Medical School Workflow Overview Stage 1: Protein sequence alignment 100,000 x 300 protein pair comparisons

274 views • 10 slides
Context : Deployment of secure and reliable energy management devices Issues : Large

Context : Deployment of secure and reliable energy management devices Issues : Large

ANOMALY DETECTION USING HARDWARE PERFORMANCE COUNTERS ON A LARGE SCALE IOT DEPLOYMENT Context : Deployment of secure and reliable energy management devices Issues : Large scale deployment Resources constrained IoT devices

413 views • 3 slides
The Helmholtz Association Project Large Scale Data Management and Analysis (LSDMA) Kilian

The Helmholtz Association Project Large Scale Data Management and Analysis (LSDMA) Kilian

The Helmholtz Association Project Large Scale Data Management and Analysis (LSDMA) Kilian Schwarz, GSI; Christopher Jung, KIT Overview Motivation Data Life Cycle LSDMAs dual approach Facts and Numbers Initial

488 views • 13 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Autonomic IPv6 Edge Prefjx Management in Large-scale Networks ANIMA WG IETF 99, July 2017

Autonomic IPv6 Edge Prefjx Management in Large-scale Networks ANIMA WG IETF 99, July 2017

Autonomic IPv6 Edge Prefjx Management in Large-scale Networks ANIMA WG IETF 99, July 2017 drafu-ietg-anima-prefjx-management-04 Sheng Jiang Brian Carpenter Qiong Sun Zongpeng Du 1 Overview This is a chartered work item to validate the

243 views • 13 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides

More recommend