1 / 16

Heuristics to Classify Internet Backbone Traffic based on Connection Patterns

Heuristics to Classify Internet Backbone Traffic based on Connection Patterns. Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology G öteborg, Sweden. Introduction: Measurement location. Internet. 2x 10 Gbit/s (OC-192)

cleary
Download Presentation

Heuristics to Classify Internet Backbone Traffic based on Connection Patterns

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Heuristics to Classify Internet Backbone Traffic based on Connection Patterns Wolfgang John and Sven TafvelinDept. of Computer Science and EngineeringChalmers University of TechnologyGöteborg, Sweden

  2. Introduction: Measurement location Internet 2x 10 Gbit/s (OC-192) capturing headers only IP addresses anonymized tightly synchronized bidirectional per-flow analysis Stockholm Student-Net Regional ISPs Göteborg Göteborg’s Univ. Chalmers Univ. Other smaller Univ. and Institutes

  3. Introduction: Motivation • Problem: • Operators don’t know the type of their traffic • How to: • Improve network design and provisioning? • Support QoS support or security monitoring? • Enhance accounting possibilities? • Reveal trends and changes in network applications?

  4. Introduction: Classification • Solution: Traffic classification • Four basic approaches: • Port numbers+ easy to implement - unreliable (P2P, malicious traffic) • Packet payloads+ accurate- requires updated payload signatures- privacy and legal issues- high processing requirements - does not work on encrypted traffic (P2P)

  5. Introduction: Classification (2) • Solution: Traffic classification (contd.) • Statistical fingerprinting+ no detailed packet information needed - depending on quality of training data- promising, but still immature • Connection patterns+ no payload required+ no training data required- not perfect accuracy

  6. Methodology: Traffic Classification • Two articles classify P2P flows according to connection patterns: • Karagiannis et al., 2004 • Perenyi et al., 2006 • Updated classification heuristics: • Refined the heuristics in prior articles • Added new, necessary heuristics

  7. Methodology: Proposed Heuristics • Rules based on connection patterns and port numbers • 5 rules for P2P traffic (H1-H5) • 10 rules to classify other traffic types (F1-F10) • remove ‘false positives’ from P2P • Rules are applied: • On flows in 10 minute intervals • Independently on all flows and prioritized when fetched from the database

  8. Methodology: Proposed Heuristics (2) • Heuristics for potential P2P traffic (H1-H5) • All traffic to and from potential P2P hosts is marked as P2P traffic • H1: TCP and UDP traffic between IP pair • H2: Well known P2P ports • H3: Re-usage of source Port within short time • H4: Non-parallel connections to endpoint (IP/Port) • H5: unclassified, long flows • unclassified by H1-H4 and F1-F9 • more than 1MB in one direction or • duration of more than 10 minutes

  9. Methodology: Proposed Heuristics (3) • Heuristics for other traffic (F1-F10) • F1 and F2: Web servers: • parallel connections to web Ports • All traffic to and from Web server is Web-traffic • F3: common services (DNS, BGP) • Equal source and destination port and port<501 • F4: Mail servers: • Hosts receiving traffic on mail ports (smtp, imap, pop) while sending traffic via smtp • All traffic to and from Mail servers is Mail-traffic

  10. Methodology: Proposed Heuristics (4) • Heuristics for other traffic (F1-F10) • F5 and F6: Messenger and Gaming • Hosts, connected to by a number of different IPs on well-known messenger, chat or gaming ports within a period of 10 days • All traffic to and from these hosts is messenger or gaming • F7: FTP • Active FTP with initiating port number of 20 • F8: non P2P ports: • Some well-known, privileged port number, typically not used by P2P like dns, telnet, ssh, ftp, mail, rtp, bgp …

  11. Methodology: Proposed Heuristics (5) • Heuristics for other traffic (F1-F10) • F9: malicious and attack traffic • Scans (scan from one source through port ranges) • Sweeps (scans from one source through IP ranges) • DoS attacks (“hammering attacks” from one source to few hosts in high frequency) • F10: unclassified, known non-P2P Port • unclassified by H1-H4 and F1-F9 (no connection pattern) • Well known ports including Web, messenger and gaming

  12. # connections in 106 Amount of data in TB Verification of proposed rule-set Comparison of classification methods for P2P traffic

  13. Results Application Breakdown April 2006

  14. Results (2) Detailed results will be published at PAM 2008 W. John and S. Tafvelin and Tomas Olovsson, Trends and Differences in Connection Behavior within Classes ofInternet Backbone Traffic, to be presented at the Passive and Active Measurement Conference,Cleveland, Ohio, USA, April 2008.(Proceedings to be published in Springer LNSC)http://pam2008.cs.wpi.edu/ Documentation about measurements (raw data) DatCat – Internet Measurement Data Catalog by CAIDAhttp://www.datcat.org (search for SUNET)

  15. Conclusions • Previous classification methods on packet header traces don’t work well on backbone data • Proposal of refined and updates heuristics • Combining previous approaches • Extension and adjustment of heuristics • Including a rule for attack traffic • Simple and fast method to decompose traffic • no payload required (encryption, header data, etc.) • Effectively used even on short traces (10 min) • 0.2% of the data left unclassified

  16. Thank you very much for you attention! Questions?

More Related