Post on 20-Dec-2015
Advanced Broadband Communications Center (CCABA)
Universitat Politècnica de Catalunya (UPC)
SMARTxAC: A Passive Monitoring and Analysis System for High-Speed Networks
TERENA Networking Conference 2006
Pere Barlet-Ros, Josep Solé-Pareta, Javier Barrantes, Eva Codina, Jordi Domingo-Pascual
{pbarlet, pareta, jbarranp, ecodina, jordid}@ac.upc.edu
http://www.ccaba.upc.edu/smartxac
Acknowledgment: This work has been partially supported by CESCA (SMARTxAC agreement) and the Spanish MEC (ref. TSI2005-07520-C03-02)
SMARTxAC
SMARTxAC: Traffic Monitoring and Analysis System for the Anella Científica
Operative since July 2003
Developed under a collaboration agreement CESCA-UPC
Tailor-made traffic monitoring system for the Anella Científica
Main objectives
– Low-cost platform
– Continuous monitoring of high-speed links without packet loss
– Detection of network anomalies and irregular usage
– Multi-user system: network operators and institutions
Measurement of two full-duplex GigE links
– Connection between Anella Científica and RedIRIS
– Current load: ≈ 1.5 Gbps / ≈ 270 Kpps
Anella Científica
Measurement point: 2 x GigE full-duplex
Daily Network Usage
System Architecture
Monitoring high-speed links is challenging
– Collection of Gbps and storage of terabytes of data per day
– Limitations of current technology: CPU power, memory access speeds, bus and disk bandwidth, storage capacity, etc.
Tailor-made system divided according to real-time constraints and running on different computers
– Capture System (severe real-time constraints)
– Traffic Analysis System (soft real-time constraints)
– Result Visualization System (user driven)
Data reduction: early discard of unnecessary information
– Improves performance
– Reduces storage requirements
Measurement Scenario
(Diagram: two full-duplex GigE links, 2 x 2 Gbps, between the CISCO 6513 of the Anella Científica and the Juniper M-20 of RedIRIS in Madrid; RedIRIS provides the Internet connection towards other regional nodes, ESPANIX, GÉANT and the global Internet. Optical splitters on the links feed the capture interfaces dag0 and dag1 of the Capture System (DAG 4.3GE + GPS); the Capture System, the Traffic Analysis System (Linux) and the Result Visualization System are connected over a private network and a management network.)
Capture System
Capture hardware
– Intel Xeon 2.4 GHz + 1 GB RAM
– 2 x Endace DAG 4.3GE
– 4 x optical splitters
– Precise timestamping using GPS (Trimble Acutime 2000)
Capture software
– Multi-threaded implementation
– Collection of packet headers without loss (no sampling)
– 5-tuple flow aggregation
– Aggregated flows are sent to the Analysis System
Data reduction
– Header collection: ≈ 1:10 (90 GB/min → 9 GB/min)
– Flow aggregation: ≈ 1:200 (45 GB/5 min → 200 MB/5 min)
– Some data is kept to analyze anomalies (window of ≈ 20 GB)
Traffic Analysis System
Analysis hardware: Pentium IV 2.6 GHz + 1 GB RAM
Analysis software
– Aggregation of 5-tuple flows into classified flows: <srcIP, dstIP, srcPort, dstPort, proto> → <origin, dest., app>
– Origins: institutions (also network access points)
– Destinations: external networks RedIRIS is connected to
– Bidirectional aggregation
– This classification can be useful for charging/cost-sharing
Data reduction
– Classified flows: > 1:1000 (≈ 60 GB/day → ≈ 50 MB/day)
– Compared with header traces: > 1:250000 (≈ 13 TB/day)
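The aggregation step described on this slide, folding 5-tuple flows into bidirectional <origin, dest, app> flows with a port-based application table, as an added example that is not SMARTxAC code; the institution prefixes, destination networks, port table and sample flows are all constructed:

```python
# Added example (not SMARTxAC code): fold 5-tuple flows into the classified
# <origin, dest, app> flows of the Traffic Analysis System slide. The prefixes,
# port->application table and sample flows below are constructed.
import ipaddress
from collections import defaultdict

ORIGINS = {"Institution A": ipaddress.ip_network("10.1.0.0/16"),   # assumed
           "Institution B": ipaddress.ip_network("10.2.0.0/16")}
DESTS = {"RedIRIS peer": ipaddress.ip_network("192.0.2.0/24"),    # assumed
         "Global Internet": ipaddress.ip_network("0.0.0.0/0")}
APPS = {80: "http", 443: "https", 3306: "mysql"}                  # port-based

def lookup(ip, table):
    """Longest-prefix match of ip against a {name: network} table."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n, net in table.items() if addr in net]
    return max(hits, key=lambda n: table[n].prefixlen, default=None)

def classify(flow):
    """<srcIP,dstIP,srcPort,dstPort,proto> -> ((origin, dest, app), direction).
    Bidirectional: a reply flow is swapped so both halves share one key."""
    src, dst, sport, dport, proto = flow[:5]
    origin, direction = lookup(src, ORIGINS), "out"
    if origin is None:                       # packet is entering the institution
        origin, direction = lookup(dst, ORIGINS), "in"
        src, dst, sport, dport = dst, src, dport, sport
    if origin is None:
        return None                          # neither end is an institution
    app = APPS.get(dport) or APPS.get(sport) or f"{proto}/{dport}"
    return (origin, lookup(dst, DESTS), app), direction

def aggregate(flows):
    """Return {(origin, dest, app): {"flows", "bytes_out", "bytes_in"}}."""
    acc = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "bytes_in": 0})
    for f in flows:
        c = classify(f)
        if c is None:
            continue
        key, direction = c
        acc[key]["flows"] += 1
        acc[key]["bytes_" + direction] += f[5]
    return dict(acc)

# Constructed sample flows: (src, dst, sport, dport, proto, bytes)
SAMPLE = [
    ("10.1.5.7", "192.0.2.10", 40000, 80, "tcp", 900),
    ("192.0.2.10", "10.1.5.7", 80, 40000, "tcp", 42000),    # reply half
    ("10.1.5.8", "203.0.113.9", 40001, 443, "tcp", 700),
    ("10.2.9.1", "198.51.100.4", 2153, 3306, "tcp", 60),
]
```

Counting flows per (origin, app) key over 5-minute windows is what produces the flows/s-per-application profile used in the use cases below.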
Result Visualization System
Hardware: Pentium III 450 MHz
Software
– Web-based graphical interface
– Institutions only have access to their own statistics
– Graphs are generated on demand
Available graphs
– More than 300 combinations of graphs per institution and day
– Statistics are updated every 5 minutes
– Also weekly, monthly and yearly reports
Use case 1: Port Scanning
Traffic profile per application (bps)
Traffic profile per application (flows/s)
Destination port: MySQL (tcp/3306)
SRC IP DST IP SRC PORT DST PORT
A.B.44.149 C.D.120.253 2153 3306
A.B.45.75 E.F.60.108 2526 3306
A.B.44.149 C.D.206.188 1907 3306
A.B.44.149 C.D.127.4 3694 3306
A.B.44.149 C.D.155.64 3525 3306
A.B.44.149 C.D.183.124 3353 3306
A.B.44.149 C.D.192.56 1891 3306
A.B.45.75 E.F.46.180 2672 3306
A.B.44.149 C.D.220.116 1719 3306
A.B.45.75 E.F.63.23 3212 3306
A.B.45.75 E.F.24.241 4415 3306
A.B.44.149 C.D.151.228 2667 3306
A.B.45.75 E.F.73.115 2201 3306
A.B.44.149 C.D.123.168 2833 3306
A.B.45.75 E.F.16.126 2239 3306
Use case 2: Warez Server
Traffic profile per application (bps)
Top-10 (bytes)
Use case 3: Denial-of-Service
Traffic profile per application (bps)
Anomaly Detection
Threshold-based anomaly detection
– An upper and a lower traffic threshold can be set per institution
– Thresholds: bits/sec, packets/sec and flows/sec
– Different intervals: day/night and workday/weekend
– Once an anomaly is detected, additional information is kept, which can be reviewed later offline
Profile-based anomaly detection (work in progress)
– Time-series prediction (adaptive linear filter)
– The “ordinary” traffic profile does not need to be known
– Anomalies are detected when the actual traffic differs from its predicted value
– Thresholds mitigate the limitations of adaptive prediction with long-term anomalies
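Both detectors from the slide above, run together on one institution's flows/s series, as an added example that is not SMARTxAC code. The threshold values, the day/night boundaries, the exponential-smoothing filter (standing in for the slide's unspecified adaptive linear filter) and the sample series are assumptions; the run shows why the thresholds are kept as a backstop once the filter has adapted to a long-term anomaly:

```python
# Added example (not SMARTxAC code): the two detectors of the Anomaly Detection
# slide run over a constructed flows/s series of one institution. Threshold values,
# interval boundaries, the filter constants and the series are all assumptions.
from datetime import datetime, timedelta

# (lower, upper) flows/s per (workday|weekend, day|night) interval -- assumed.
THRESHOLDS = {("workday", "day"): (50, 800), ("workday", "night"): (5, 300),
              ("weekend", "day"): (5, 400), ("weekend", "night"): (0, 200)}

def interval(ts):
    """Threshold interval of a timestamp (day = 08:00-20:00, assumed)."""
    kind = "weekend" if ts.weekday() >= 5 else "workday"
    return kind, ("day" if 8 <= ts.hour < 20 else "night")

def threshold_anomaly(ts, value):
    """Threshold-based detector: value outside the interval's (lower, upper) band."""
    low, high = THRESHOLDS[interval(ts)]
    return value < low or value > high

class AdaptivePredictor:
    """Profile-based detector: an adaptive linear filter (exponential smoothing here,
    standing in for the slide's unspecified filter) predicts the next sample and flags
    samples deviating from the prediction by more than `tolerance` (relative)."""
    def __init__(self, alpha=0.3, tolerance=0.5):
        self.pred, self.alpha, self.tol = None, alpha, tolerance
    def update(self, value):
        """Feed one sample; return (prediction, is_anomaly) for it."""
        pred = self.pred
        anomaly = pred is not None and abs(value - pred) > self.tol * max(pred, 1.0)
        # Adapts to every sample, so a long-term shift is soon learnt as normal.
        self.pred = value if pred is None else pred + self.alpha * (value - pred)
        return pred, anomaly

def detect(start, series, step=timedelta(minutes=5)):
    """Run both detectors over 5-minute samples and return the anomaly records
    (index, reason, value, prediction) that would be kept for offline review."""
    model, kept = AdaptivePredictor(), []
    for i, value in enumerate(series):
        ts = start + i * step
        pred, deviates = model.update(value)
        shown = None if pred is None else round(pred, 1)
        if deviates:
            kept.append((i, "profile", value, shown))
        elif threshold_anomaly(ts, value):      # backstop once the filter adapted
            kept.append((i, "threshold", value, shown))
    return kept

# Constructed series: ~100 flows/s, then a sustained jump to 900 flows/s.
SERIES = [100, 100, 100, 100, 900, 900, 900, 900, 900, 900]
START = datetime(2006, 5, 16, 10, 0)   # a Tuesday, daytime (assumed)
```

On this series the profile detector fires on the first three samples of the jump and then falls silent as its prediction converges on 900 flows/s; from then on only the upper threshold keeps reporting the sustained anomaly.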
Identification of Network Applications
Traffic classification in SMARTxAC is based on port numbers
Port-based classification is no longer reliable: P2P, dynamic ports, tunnelling, web-based services, …
We are developing a classification method based on machine learning techniques
– It learns features of traffic flows that identify a given application
– Packet payloads are only needed in the training phase
– Once the system is trained, only packet headers are needed
Preliminary Results (Accuracy)
(Bar chart: accuracy (%) per application group; the per-group values shown on the slide range from 80.73 % to 99.88 %.)
Port-based vs. Machine Learning
(Chart comparing port-based and machine-learning classification.)
Conclusions
SMARTxAC is a tailor-made network monitoring system that
– Operates at gigabit speeds without packet loss
– Is relatively low-cost
– Provides very detailed information about the network usage
– Is a multi-user system: network operators and institutions
Since 2003, SMARTxAC has been used daily by CESCA to detect anomalies, attacks, performance problems, network faults, etc.
Future work
– Anomaly detection and application identification
– Sampling, IPv6 support, …
– Deployment of more measurement points in the Anella Científica
– Release of the source code under an open-source license
– Collaboration with Intel’s CoMo: http://como.intel-research.net