1 / 33

AutoFocus: A Tool for Automatic Traffic Analysis

AutoFocus is a free traffic analysis tool for educational, research, and non-profit use. It offers automated traffic cluster characterization with detailed reports and a user-friendly interface.

bapperson
Download Presentation

AutoFocus: A Tool for Automatic Traffic Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AutoFocus: A Tool for Automatic Traffic Analysis Cristian Estan, University of California, San Diego

  2. Who is using my link? AutoFocus - NANOG 29

  3. Informal problem definition Traffic reports Analysis Applications: 50% of traffic is Kazaa Sources: 20% is from Steve’s PC Gigabytes of measurement data AutoFocus - NANOG 29

  4. Informal problem definition Traffic reports Analysis 20% is Kazaa from Steve’s PC Gigabytes of measurement data 50% is Kazaa from network A AutoFocus - NANOG 29

  5. names categories AutoFocus: system structure Traffic analyzer Web based GUI Grapher Traffic parser (sampled) NetFlow data or Packet header traces AutoFocus - NANOG 29

  6. System details • Availability • Downloadable • Free for educational, research and non-profit use • Requirements • Linux or BSD (might run on other Unix OSes) • 256 Megs of RAM at least • 1-10 gigabytes of hard disk (depends on traffic) • Recent Netscape, Mozilla or I.E. (Javascript) • Needs no web server – no server side scripting AutoFocus - NANOG 29

  7. Traffic analysis approach • Characterize traffic mix by describing all important traffic clusters • Multi-field clusters (e.g. flash crowd described by protocol, port number and IP address) • At the the right level of granularity (e.g. computer, proper prefix length) • Analysis is automated– finds insightful data without human guidance AutoFocus - NANOG 29

  8. Traffic clusters: example • Incoming web traffic for CS Dept. • SrcIP=*, • DestIP in 132.239.64.0/21, • Proto=TCP, • SrcPort=80, • DestPort in [1024,65535] AutoFocus - NANOG 29

  9. Traffic report • Traffic reportsautomatically list significant traffic clusters • Describe only clusters above threshold (e.g. T=total of traffic/20) • Compression removes redundant clusters whose traffic can be inferred from more specific clusters AutoFocus - NANOG 29

  10. 500 10.0.0.0/28 10.0.0.0/29 10.0.0.8/29 120 380 10.0.0.0/30 10.0.0.4/30 10.0.0.8/30 10.0.0.12/30 50 70 305 75 10.0.0.10/31 10.0.0.2/31 10.0.0.4/31 10.0.0.8/31 10.0.0.14/31 50 70 270 35 75 Automatic cluster selection 40 35 15 35 30 160 110 75 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.8 10.0.0.9 10.0.0.10 10.0.0.14 AutoFocus - NANOG 29

  11. 500 500 10.0.0.0/28 10.0.0.0/29 10.0.0.8/29 120 120 380 380 10.0.0.0/30 10.0.0.4/30 10.0.0.8/30 50 70 305 305 75 10.0.0.10/31 10.0.0.2/31 10.0.0.4/31 10.0.0.8/31 50 70 270 270 35 75 160 110 Automatic cluster selection Threshold=100 10.0.0.12/30 10.0.0.14/31 40 35 15 35 30 160 110 75 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.8 10.0.0.9 10.0.0.10 10.0.0.14 AutoFocus - NANOG 29

  12. 500 10.0.0.0/28 120 380 380-270≥100 120 380 305 10.0.0.8/30 305-270<100 270 10.0.0.8/31 160 110 160 110 Automatic cluster selection 10.0.0.0/29 10.0.0.8/29 Compression keeps interesting clusters by removing those that can be inferred from more specific ones 10.0.0.8 10.0.0.9 AutoFocus - NANOG 29

  13. Single field report example AutoFocus has both single field and multi-field traffic reports AutoFocus - NANOG 29

  14. Graphical user interface • Web based interface • Many pre-computed traffic reports • Interactive drill-down • Traffic categories defined by user AutoFocus - NANOG 29

  15. Traffic reports for weeks, days, three hour intervals and half hour intervals AutoFocus - NANOG 29

  16. Traffic reports measure traffic in bytes, packets and flows, have various thresholds AutoFocus - NANOG 29

  17. Single field report AutoFocus - NANOG 29

  18. AutoFocus - NANOG 29

  19. Colors – user defined traffic categories Separate reports for each category AutoFocus - NANOG 29

  20. The filter and threshold allow interactive drill-down AutoFocus - NANOG 29

  21. The filter and threshold allow interactive drill-down AutoFocus - NANOG 29

  22. The filter and threshold allow interactive drill-down AutoFocus - NANOG 29

  23. Case study : SD-NAP • Structure of regular traffic mix • Backups from CAIDA to tape server • FTP from SLAC Stanford • Scripps web traffic • Web & Squid servers • Large ssh traffic • Steady ICMP probing from CAIDA • Unexpected events AutoFocus - NANOG 29

  24. Structure of regular traffic mix • Backups from CAIDA to tape server SD-NAP AutoFocus - NANOG 29

  25. Structure of regular traffic mix • Backups from CAIDA to tape server • Semi-regular time pattern SD-NAP AutoFocus - NANOG 29

  26. Structure of regular traffic mix • Steady ICMP probing from CAIDA SD-NAP The flow view highlights different traffic clusters AutoFocus - NANOG 29

  27. Analysis of unusual events • Sapphire/SQL Slammer worm • Find worm port & proto automatically AutoFocus - NANOG 29

  28. Analysis of unusual events • Sapphire/SQL Slammer worm • Can identify infected hosts AutoFocus - NANOG 29

  29. How can AutoFocus help you? • Understand your regular traffic mix better • Better planning of network growth • Better traffic policing • Understand unusual events • More effective reactions to worms, DoS attacks • Notice effects of route changes on traffic AutoFocus - NANOG 29

  30. Benefits w.r.t. existing tools • Multi-field aggregation • Automatically finds right granularity • Drill-down • Per category reports • Using filter AutoFocus - NANOG 29

  31. Thank you! Beta version of AutoFocus downloadable from http://ial.ucsd.edu/AutoFocus/ Any questions? Acknowledgements: Stefan Savage, George Varghese, Vern Paxson, David Moore, Liliana Estan, Mike Hunter, Pat Wilson, Jennifer Rexford, K Claffy, Alex Snoeren, Geoff Voelker, NIST,NSF AutoFocus - NANOG 29

  32. AutoFocus - NANOG 29

  33. Definition: unexpectedness • To highlight non-obvious traffic clusters by using unexpectedness label • 50% of all traffic is web • Prefix B receives 20% of all traffic • The web traffic received by prefix B is 15% instead of 50%*20%=10%, unexpectedness label is 15%/10%=150% AutoFocus - NANOG 29

More Related