Advanced BroadbandCommunications Center (CCABA)

Universitat Politècnicade Catalunya (UPC)

SMARTxAC: A Passive Monitoring and Analysis System for High-Speed Networks

TERENA Networking Conference 2006

Pere Barlet-RosJosep Solé-Pareta

Javier BarrantesEva Codina

Jordi Domingo-Pascual

{pbarlet, pareta, jbarranp, ecodina, jordid}@ac.upc.eduhttp://www.ccaba.upc.edu/smartxac

Acknowledgment: This work has been partially supported by CESCA (SMARTxAC agreement) and the Spanish MEC (ref. TSI2005-07520-C03-02)

SMARTxACSMARTxAC

SMARTxAC: Traffic Monitoring and Analysis System for the Anella Científica Operative since July 2003 Developed under a collaboration agreement CESCA-UPC Tailor-made traffic monitoring system for the Anella Científica

Main objectives Low-cost platform Continuous monitoring of high-speed links without packet loss Detection of network anomalies and irregular usage Multi-user system: Network operators and Institutions

Measurement of two full-duplex GigE links Connection between Anella Científica and RedIRIS Current load: ≈ 1.5 Gbps / ≈ 270 Kpps

Anella CientíficaAnella Científica

Measurement point2 x GigE full-duplex

Daily Network UsageDaily Network Usage

System ArchitectureSystem Architecture

Monitoring high-speed links is challenging Collection of Gbps and storage of Terabytes of data per day Limitations of current technology

– CPU power, memory access speeds, bus and disk bandwidth, storage capacity, etc.

Tailor-made system divided according to real-time constraints and running on different computers Capture System (severe real-time constraints) Traffic Analysis System (soft real-time constraints) Result Visualization System (user driven)

Data reduction: Early discard unnecessary information Improve performance Reduce storage requirements

Measurement ScenarioMeasurement Scenario

dag0

dag1

REDIRIS

Other Regional

Nodes

ESPANIX

GÉANT

Capture System(DAG 4.3GE + GPS)

Traffic Analysis System (Linux)

Result Visualization System

Private network

2 Gbps

2 Gbps

CISCO 6513 (Anella

Científica)

Juniper M-20 (RedIRIS)

RedIRIS (Madrid)

Internet Connection

2 x 2Gbps

ANELLA CIENTÍFICA

RedIRIS

Global Internet

Management network

Capture SystemCapture System

Capture hardware Intel Xeon 2.4 GHz. + 1 GB. RAM 2 x Endace DAG 4.3GE 4 x Optical splitters Precise timestamping using GPS (Trimble Acutime 2000)

Capture software Multi-threaded implementation Collection of packet-headers without loss (no sampling) 5-tuple flow aggregation Aggregated flows are sent to the Analysis System

Data Reduction Header collection: ≈1:10 (90 GB/min 9 GB/min) Flow aggregation: ≈1:200 (45 GB/5 min 200 MB/5

min) Some data is kept to analyze anomalies (window of ≈ 20 GB.)

Measurement ScenarioMeasurement Scenario

dag0

dag1

REDIRIS

Other Regional

Nodes

ESPANIX

GÉANT

Capture System(DAG 4.3GE + GPS)

Traffic Analysis System

Result Visualization System

Private network

2 Gbps

2 Gbps

CISCO 6513 (Anella

Científica)

Juniper M-20 (RedIRIS)

RedIRIS (Madrid)

Internet Connection

2 x 2Gbps

ANELLA CIENTÍFICA

RedIRIS

Global Internet

Management network

Traffic Analysis SystemTraffic Analysis System

Analysis hardware Pentium IV 2.6 GHz. + 1 GB. RAM

Analysis Software Aggregation of 5-tuple flows into classified flows

– <srcIP, dstIP, srcPort, dstPort, proto> <origin, dest., app>

– Origins: Institutions (also Network access points)

– Destinations: External networks RedIRIS is connected to

– Bidirectional aggregation This classification can be useful for charging/cost-sharing

Data reduction Classified flows: >1:1000 (≈ 60 GB/day ≈ 50 MB/day) Compared with header traces: > 1:250000 (≈ 13 TB/day)

Measurement ScenarioMeasurement Scenario

dag0

dag1

REDIRIS

Other Regional

Nodes

ESPANIX

GÉANT

Capture System(DAG 4.3GE + GPS)

Traffic Analysis System

Result Visualization System

Private network

2 Gbps

2 Gbps

CISCO 6513 (Anella

Científica)

Juniper M-20 (RedIRIS)

RedIRIS (Madrid)

Internet Connection

2 x 2Gbps

ANELLA CIENTÍFICA

RedIRIS

Global Internet

Management network

Result Visualization SystemResult Visualization System

Hardware Pentium III 450 MHz.

Software Web-based graphical interface Institutions only have access to their own statistics Graphs are generated on demand

Available graphs More than 300 combinations of graphs per institution and day Statistics are updated every 5 minutes Also weekly, monthly and yearly reports

Use case 1: Port ScanningUse case 1: Port Scanning

Traffic profile per application (bps)

Use case 1: Port ScanningUse case 1: Port Scanning

Traffic profile per application (flows/s)

Use case 1: Port ScanningUse case 1: Port Scanning

Destination port: MySQL (tcp/3306)

SRC IP DST IP SRC PORT DST PORT

A.B.44.149 C.D.120.253 2153 3306

A.B.45.75 E.F.60.108 2526 3306

A.B.44.149 C.D.206.188 1907 3306

A.B.44.149 C.D.127.4 3694 3306

A.B.44.149 C.D.155.64 3525 3306

A.B.44.149 C.D.183.124 3353 3306

A.B.44.149 C.D.192.56 1891 3306

A.B.45.75 E.F.46.180 2672 3306

A.B.44.149 C.D.220.116 1719 3306

A.B.45.75 E.F.63.23 3212 3306

A.B.45.75 E.F.24.241 4415 3306

A.B.44.149 C.D.151.228 2667 3306

A.B.45.75 E.F.73.115 2201 3306

A.B.44.149 C.D.123.168 2833 3306

A.B.45.75 E.F.16.126 2239 3306

Use case 2: Warez ServerUse case 2: Warez Server

Traffic profile per application (bps)

Use case 2: Warez ServerUse case 2: Warez Server

Top-10 (bytes)

Use case 3: Denial-of-ServiceUse case 3: Denial-of-Service

Traffic profile per application (bps)

Anomaly DetectionAnomaly Detection

Threshold-based anomaly detection An upper and lower traffic threshold can be set per institution Thresholds: bits/sec, packets/sec and flows/sec Different intervals: day/night and workday/weekend Once an anomaly is detected additional information is kept

– Additional information can be reviewed later offline

Profile-based anomaly detection (work in progress) Time-series prediction (adaptive linear filter) It is not needed to know the “ordinary” traffic profile Anomalies are detected when actual traffic differs from its

predicted value Thresholds mitigate limitations of adaptive prediction with long-

term anomalies

Identification of Network ApplicationsIdentification of Network Applications

Traffic classification in SMARTxAC is based on port numbers Port-based classification is no longer reliable P2P, dynamic ports, tunnelling, web-based services, …

We are developing a classification method based on machine learning techniques It learns features of traffic flows that identify a given application Packet payloads are only needed in the training phase Once the system is trained only packet headers are needed

Preliminary Results (Accuracy)Preliminary Results (Accuracy)

99,62

90,32

97,8695,43 95,20

96,87 97,22

80,73

92,9890,14

98,40 99,88

84,56

96,20 97,14

0,00

10,00

20,00

30,00

40,00

50,00

60,00

70,00

80,00

90,00

100,00

Precisió (%)

Grups d'aplicació

Port-based vs. Machine LearningPort-based vs. Machine Learning

Port-based Machine learning

ConclusionsConclusions

SMARTxAC is a tailor-made network monitoring system that Operates at gigabit speeds without packet loss It is relatively low-cost Provides very detailed information about the network usage Multi-user system: network operators and institutions

Since 2003, SMARTxAC is daily used by CESCA to detect anomalies, attacks, performance problems, network faults, etc.

Future work Anomaly detection and application identification Sampling, IPv6 support, … Deployment of more measurement points in the Anella Científica Release the source code under an open-source license Collaboration with Intel’s CoMo: http://como.intel-research.net

Advanced BroadbandCommunications Center (CCABA)

Universitat Politècnicade Catalunya (UPC)

SMARTxAC: A Passive Monitoring and Analysis System for High-Speed Networks

TERENA Networking Conference 2006

Pere Barlet-RosJosep Solé-Pareta

Javier BarrantesEva Codina

Jordi Domingo-Pascual

{pbarlet, pareta, jbarranp, ecodina, jordid}@ac.upc.eduhttp://www.ccaba.upc.edu/smartxac

Acknowledgment: This work has been partially supported by CESCA (SMARTxAC agreement) and the Spanish MEC (ref. TSI2005-07520-C03-02)