Download pdf - Trends and Differences in Connection-behavior within Classes of

Transcript
Page 1: Trends and Differences in Connection-behavior within Classes of

MonNet – a project for network and traffic monitoring

Trends and Differences in Connection-behaviorwithin Classes of Internet Backbone Traffic

Wolfgang John, Sven Tafvelin and Tomas OlovssonDepartment of Computer Science and Engineering

Chalmers University of TechnologyGöteborg, Sweden

Page 2: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Introduction: Overview

1. Background• Dataset• Traffic classification

2. Results• Traffic volumes• Diurnal patterns• Signaling behavior• Option deployment

3. Summary and Conclusions

Page 3: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Background: Measurement location

Internet

Internet

Regional

ISPsRegional

ISPsGöteborg

Stockholm

Other smaller Univ. and Institutes

Göteborgs Univ.

Student-Net

• 2x 10 Gbit/s (OC-192)• capturing headers only• IP addresses anonymized• tightly synchronized• bidirectional per-flow analysis

Chalmers Univ.

Page 4: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Background: Datasets

Resulting traces (10 minutes duration)• April 2006

146 bidirectional traces, 7.5 TB of data81 million TCP connections91 million UDP flows

• Fall 2006 (Sep. – Nov.) 65 bidirectional traces, 5.0 TB of data49 million TCP connections70 million UDP flows

More Info: CAIDA‘s Datcat, “SUNET OC 192 Traces”

Page 5: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Background: Motivation

• Previous studies“Analysis of Internet Backbone Traffic and Anomalies observed” (IMC 07)“Differences between in- and outbound Internet Backbone Traffic” (TNC 07)

→Influence of P2P and malicious traffic

• How are different types of traffic behaving ‘in the wild’?

• Improving simulation models• Developing infrastructure, applications and protocols• Finding trends and changes in network applications

Page 6: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Background: Traffic Classification

• Traffic classification necessary

– Four approaches in literature:1. Port numbers

+ easy to implement - unreliable (P2P, malicious traffic)

2. Packet payloads+ accurate- requires updated payload signatures- privacy and legal issues- data encryption

Page 7: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Background: Traffic Classification (2)

• Traffic classification (contd.)

3. Statistical fingerprinting+ no detailed packet information needed - depending on quality of training data- promising, but still immature

4. Connection patterns+ no payload required+ no training data required- not perfect accuracy

Page 8: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Background: Proposed Heuristics

• Rules based on connection patterns and port numbersInspired by Karagiannis et al. 2004: "Transport layer identification of P2P traffic" Perenyi et al. 2006: "Identification and analysis of P2P traffic“

– 5 rules for P2P traffic– 10 rules to classify other types of traffic

Page 9: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Background: Proposed Heuristics (2)

• Main traffic classes– P2P file sharing traffic – Web traffic (HTTP, HTTPS)– Malicious traffic (scans, sweeps and DoS)– Other traffic (mail, messenger, ftp, dns …)

More Info: “Heuristics to Classify Internet Backbone Traffic based on Connection Patterns” (ICOIN 08)

Page 10: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Overview (2)

1. Background• Dataset• Traffic classification

2. Results• Traffic volumes• Diurnal patterns• Signaling behavior• Option deployment

3. Summary and Conclusions

Page 11: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Results: Traffic Volumes

• Application Breakdown April till Nov. 2006

Page 12: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Results: Traffic Volumes (2)

• Fractions of P2P data, April till November

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

1143000000 1148000000 1153000000 1158000000 1163000000

Linear (2AM P2P data)Linear (10AM P2P data)Linear (14PM P2P data)Linear (20PM P2P data )

Page 13: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Results: Diurnal Patterns

• Tuesday, 18.04.2006

Page 14: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Results: Signaling Behavior

• Connection establishment for P2P, Web and malicious traffic

Page 15: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Results: Signaling Behavior (2)

• Breakdown of non-established TCP conn.

Page 16: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Results: Signaling Behavior (3)

• Breakdown of established TCP connections

Page 17: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Results: Option Deployment

• Differences in TCP option deployment

Page 18: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Summary and Conclusions

• P2P dominating (~90 % of data volume)• P2P peak time at evening and night-time• Web peak time during office hours

• P2P connections carry large amounts of data• Traffic is increasing for TCP and UDP• Fractions of P2P and Web constant• Malicious traffic constant in absolute numbers

→'background noise'

Page 19: Trends and Differences in Connection-behavior within Classes of

2008-04-30PAM 2008

Summary and Conclusions (2)

• Major differences in signaling behavior• 43% of TCP P2P connections 1-packet flows (attempts)• 80% of malicious TCP traffic 1-packet flows (scans)• Web traffic behaving ‘nicely‘

• Different TCP options deployment• P2P behaves as expected• Web traffic shows artifacts of client-server patter

e.g. popular web-servers neglecting SACK option

Page 20: Trends and Differences in Connection-behavior within Classes of

MonNet – a project for network and traffic monitoring

More Information:

http://www.chalmers.se/cse/EN/people/john-wolfgang

or Email: [email protected]

Questions?

http://www.chalmers.se/cse/EN/people/john-wolfgang

Recommended

Graph Algorithms - Peoplejburkardt/classes/asa_2011/asa_2011_graphs.pdf · Graph Algorithms Overview Representing a Graph Connections The Connection Algorithm in MATLAB Components
Graph Algorithms - Peoplejburkardt/classes/asa_2011/asa_2011_graphs.pdf · Graph Algorithms Overview Representing a Graph Connections The Connection Algorithm in MATLAB Components Documents
Chapter 6 Objects and Classes F OO Programming Concepts F Creating Objects and Object Reference Variables –Differences between primitive data type and
Chapter 6 Objects and Classes F OO Programming Concepts F Creating Objects and Object Reference Variables –Differences between primitive data type and Documents
CTK Connection - Christ the King Cathedral School … · CTK Connection April 18, 2019 ... Classes resume on Tuesday, 4/23 On behalf of the faculty and staff of Christ the King
CTK Connection - Christ the King Cathedral School … · CTK Connection April 18, 2019 ... Classes resume on Tuesday, 4/23 On behalf of the faculty and staff of Christ the King Documents
inheritance - University of Richmonddszajda/classes/...— these differences will be handled when we create new (extending) classes for each preview. Now in the BlueJ main window,
inheritance - University of Richmonddszajda/classes/...— these differences will be handled when we create new (extending) classes for each preview. Now in the BlueJ main window, Documents
Connection Classesstorage.cloversites.com/bethanybaptistchurch6... · look at the scars we have, the scars we have caused and how we can heal from all our hurt. Connection Classes
Connection Classesstorage.cloversites.com/bethanybaptistchurch6... · look at the scars we have, the scars we have caused and how we can heal from all our hurt. Connection Classes Documents
Designing and Exploring Classes We look further into classes and objects here, emphasizing the differences between OOP and procedural programming – Cohesion
Designing and Exploring Classes We look further into classes and objects here, emphasizing the differences between OOP and procedural programming – Cohesion Documents
Inner Classes. Lecture Objectives Learn about inner classes. Know the differences between static and non- static inner classes. Designing and using inner
Inner Classes. Lecture Objectives Learn about inner classes. Know the differences between static and non- static inner classes. Designing and using inner Documents
PowerPoint Presentation · CMC: Competition Movement Connection Hypothesis Much larger genetic differences between ecosystems for lions than for African wild dogs. Geographic Distance:
PowerPoint Presentation · CMC: Competition Movement Connection Hypothesis Much larger genetic differences between ecosystems for lions than for African wild dogs. Geographic Distance: Documents
UNIVERSITY OF CALIFORNIA College of Engineering Department …bwrcs.eecs.berkeley.edu/Classes/icdesign/ee141_s07/Home... · 2007-02-06 · of VDS. These differences are consistent
UNIVERSITY OF CALIFORNIA College of Engineering Department …bwrcs.eecs.berkeley.edu/Classes/icdesign/ee141_s07/Home... · 2007-02-06 · of VDS. These differences are consistent Documents
Ge11d: Connection between seismic observations and …web.gps.caltech.edu/classes/ge11d/doc/Ge11d_EarthComposition.pdf · Ge11d: Connection between seismic observations and Earth’s
Ge11d: Connection between seismic observations and …web.gps.caltech.edu/classes/ge11d/doc/Ge11d_EarthComposition.pdf · Ge11d: Connection between seismic observations and Earth’s Documents
Variability. Learning outcomes Variability classes of long period variables Various time scales of variability phenomena Spectroscopic variability Connection
Variability. Learning outcomes Variability classes of long period variables Various time scales of variability phenomena Spectroscopic variability Connection Documents
Why Single Gender Classes? -Brain differences - Learning styles - Academic performance -Behavior differences
Why Single Gender Classes? -Brain differences - Learning styles - Academic performance -Behavior differences Documents
What About the Input?: The Diachronic Connection to Early Bilingual Outcome Differences
What About the Input?: The Diachronic Connection to Early Bilingual Outcome Differences Documents
BIOL 3340 Chapter 3. Microbial Cell Structure Types of Cells Two major classes: eukaryotes & prokaryotes. Differences: the materials making up the nucleus
BIOL 3340 Chapter 3. Microbial Cell Structure Types of Cells Two major classes: eukaryotes & prokaryotes. Differences: the materials making up the nucleus Documents
Data Mining - Technische Universität Ilmenau · Typical Problem Classes Prediction Models ... (besides sums and differences) products and quotients have an interpretation rational
Data Mining - Technische Universität Ilmenau · Typical Problem Classes Prediction Models ... (besides sums and differences) products and quotients have an interpretation rational Documents
Similarities: Differences Differences
Similarities: Differences Differences Documents
thejourneymag.co m A Mind, Body and Soul Connection...A Mind, Body and Soul Connection ... and traditional classes like kundalini and sivananda. Green Yoga also offers a ... The vision
thejourneymag.co m A Mind, Body and Soul Connection...A Mind, Body and Soul Connection ... and traditional classes like kundalini and sivananda. Green Yoga also offers a ... The vision Documents
English Colonization, Part 2: New England Coloniesmrfarshtey.net/classes/English_Colonization_New_England.pdf · English Colonization, Part 2: New England Colonies. Differences in
English Colonization, Part 2: New England Coloniesmrfarshtey.net/classes/English_Colonization_New_England.pdf · English Colonization, Part 2: New England Colonies. Differences in Documents