SMARTxAC is a low-cost platform for continuous monitoring and analysis of high-speed network links, detecting anomalies and irregular usage. It provides real-time traffic monitoring and data reduction to improve performance and reduce storage requirements.
SMARTxAC: A Passive Monitoring and Analysis System for High-Speed Networks
TERENA Networking Conference 2006
Pere Barlet-Ros, Josep Solé-Pareta, Javier Barrantes, Eva Codina, Jordi Domingo-Pascual
{pbarlet, pareta, jbarranp, ecodina, jordid}@ac.upc.edu
http://www.ccaba.upc.edu/smartxac
Acknowledgment: This work has been partially supported by CESCA (SMARTxAC agreement) and the Spanish MEC (ref. TSI2005-07520-C03-02)
SMARTxAC
• SMARTxAC: Traffic Monitoring and Analysis System for the Anella Científica
  • In operation since July 2003
  • Developed under a collaboration agreement between CESCA and UPC
  • Tailor-made traffic monitoring system for the Anella Científica
• Main objectives
  • Low-cost platform
  • Continuous monitoring of high-speed links without packet loss
  • Detection of network anomalies and irregular usage
  • Multi-user system: network operators and institutions
• Measurement of two full-duplex GigE links
  • Connection between the Anella Científica and RedIRIS
  • Current load: ≈ 1.5 Gbps / ≈ 270 Kpps
[Figure: Anella Científica measurement point, 2 x GigE full-duplex]
System Architecture
• Monitoring high-speed links is challenging
  • Collection of Gbps of traffic and storage of terabytes of data per day
  • Limitations of current technology: CPU power, memory access speed, bus and disk bandwidth, storage capacity, etc.
• Tailor-made system, split according to real-time constraints and running on different computers
  • Capture System (severe real-time constraints)
  • Traffic Analysis System (soft real-time constraints)
  • Result Visualization System (user driven)
• Data reduction: discard unnecessary information as early as possible
  • Improves performance
  • Reduces storage requirements
[Figure: Measurement scenario. The Capture System (DAG 4.3GE + GPS) taps two links between the CISCO 6513 (Anella Científica) and the Juniper M-20 (RedIRIS): dag0 on the 2 Gbps private network link and dag1 on the 2 Gbps Internet connection. RedIRIS (Madrid) connects onward to GÉANT, ESPANIX, the global Internet and other regional nodes. The Traffic Analysis System (Linux) and the Result Visualization System are reached over the management network.]
Capture System
• Capture hardware
  • Intel Xeon 2.4 GHz + 1 GB RAM
  • 2 x Endace DAG 4.3GE
  • 4 x optical splitters
  • Precise timestamping using GPS (Trimble Acutime 2000)
• Capture software
  • Multi-threaded implementation
  • Collection of packet headers without loss (no sampling)
  • 5-tuple flow aggregation
  • Aggregated flows are sent to the Analysis System
• Data reduction
  • Header collection: ≈ 1:10 (90 GB/min → 9 GB/min)
  • Flow aggregation: ≈ 1:200 (45 GB/5 min → 200 MB/5 min)
  • Some data is kept to analyze anomalies (window of ≈ 20 GB)
Traffic Analysis System
• Analysis hardware
  • Pentium IV 2.6 GHz + 1 GB RAM
• Analysis software
  • Aggregation of 5-tuple flows into classified flows: <srcIP, dstIP, srcPort, dstPort, proto> → <origin, dest., app>
  • Origins: institutions (also network access points)
  • Destinations: external networks RedIRIS is connected to
  • Bidirectional aggregation
  • This classification can be useful for charging/cost-sharing
• Data reduction
  • Classified flows: > 1:1000 (≈ 60 GB/day → ≈ 50 MB/day)
  • Compared with header traces: > 1:250000 (≈ 13 TB/day)
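The two aggregation steps described on the Capture System and Traffic Analysis System slides, as an added example that is not SMARTxAC's own code: packet headers are first collapsed into unidirectional 5-tuple flows, then folded into bidirectional <origin, dest, app> records using port-based application identification. The packet records, the institution and external-network prefix tables, and the port-to-application map are constructed for illustration and are not the real Anella Científica values.

```python
"""Flow aggregation and classification in the spirit of the SMARTxAC capture
and analysis stages. Added example, not SMARTxAC's own code: the packet
records, prefix tables and port-to-application map are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed packet-header records:
# (timestamp, srcIP, dstIP, srcPort, dstPort, proto, bytes)
PACKETS = [
    (0.00, "10.1.1.10", "192.0.2.5", 40001, 80, 6, 1500),
    (0.01, "192.0.2.5", "10.1.1.10", 80, 40001, 6, 60),
    (0.02, "10.1.1.10", "192.0.2.5", 40001, 80, 6, 1500),
    (0.05, "10.2.2.20", "198.51.100.7", 51000, 53, 17, 70),
    (0.06, "198.51.100.7", "10.2.2.20", 53, 51000, 17, 300),
    (0.10, "10.1.1.11", "192.0.2.9", 40002, 3306, 6, 60),
    (0.11, "203.0.113.4", "203.0.113.9", 1234, 22, 6, 100),  # matches no table: dropped
]

@dataclass
class Flow:
    first: float      # timestamp of the first packet
    last: float       # timestamp of the last packet
    packets: int = 0
    bytes: int = 0

def aggregate_5tuple(packets):
    """Capture-stage step: collapse packet headers into unidirectional 5-tuple flows."""
    flows = {}
    for ts, src, dst, sport, dport, proto, size in packets:
        key = (src, dst, sport, dport, proto)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(first=ts, last=ts)
        flow.last = ts
        flow.packets += 1
        flow.bytes += size
    return flows

# Constructed tables (assumed prefixes and ports, not the real Anella Científica ones).
ORIGINS = {ip_network("10.1.0.0/16"): "inst-A", ip_network("10.2.0.0/16"): "inst-B"}
DESTS = {ip_network("192.0.2.0/24"): "net-X", ip_network("198.51.100.0/24"): "net-Y"}
PORT_APP = {(6, 80): "http", (17, 53): "dns", (6, 3306): "mysql"}

def lookup(table, addr):
    """First-match prefix lookup; the constructed tables have no overlapping prefixes."""
    a = ip_address(addr)
    for net, name in table.items():
        if a in net:
            return name
    return None

def classify(flows):
    """Analysis-stage step: fold 5-tuple flows into bidirectional
    <origin, dest, app> records. Application identification is port-based on
    the server-side port, as the page describes."""
    out = defaultdict(lambda: {"packets": 0, "bytes_out": 0, "bytes_in": 0})
    for (src, dst, sport, dport, proto), flow in flows.items():
        origin, dest = lookup(ORIGINS, src), lookup(DESTS, dst)
        if origin and dest:                      # institution -> external network
            direction, server_port = "out", dport
        else:                                    # external network -> institution
            origin, dest = lookup(ORIGINS, dst), lookup(DESTS, src)
            if not (origin and dest):
                continue                         # neither side is known: skip
            direction, server_port = "in", sport
        app = PORT_APP.get((proto, server_port), "unknown")
        rec = out[(origin, dest, app)]
        rec["packets"] += flow.packets
        rec["bytes_" + direction] += flow.bytes
    return dict(out)

if __name__ == "__main__":
    flows = aggregate_5tuple(PACKETS)
    print(len(PACKETS), "packets ->", len(flows), "5-tuple flows")
    for key, rec in classify(flows).items():
        print(key, rec)
```

The classified record keeps per-direction byte counts, which is what makes the output usable for the charging/cost-sharing use the slide mentions; a flow whose endpoints match neither table is dropped rather than mis-attributed.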
Result Visualization System
• Hardware
  • Pentium III 450 MHz
• Software
  • Web-based graphical interface
  • Institutions only have access to their own statistics
  • Graphs are generated on demand
• Available graphs
  • More than 300 combinations of graphs per institution and day
  • Statistics are updated every 5 minutes
  • Also weekly, monthly and yearly reports
Use case 1: Port Scanning [graphs: traffic profile per application (bps); traffic profile per application (flows/s); destination port: MySQL (tcp/3306)]
Use case 2: Warez Server [graphs: traffic profile per application (bps); top-10 (bytes)]
Use case 3: Denial-of-Service [graph: traffic profile per application (bps)]
Anomaly Detection
• Threshold-based anomaly detection
  • An upper and a lower traffic threshold can be set per institution
  • Thresholds: bits/sec, packets/sec and flows/sec
  • Different intervals: day/night and workday/weekend
  • Once an anomaly is detected, additional information is kept
  • The additional information can be reviewed later offline
• Profile-based anomaly detection (work in progress)
  • Time-series prediction (adaptive linear filter)
  • The "ordinary" traffic profile does not need to be known in advance
  • Anomalies are detected when the actual traffic differs from its predicted value
  • Thresholds mitigate a limitation of adaptive prediction: the filter adapts to long-term anomalies and eventually treats them as normal
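Both detectors from the slide above, as an added example that is not SMARTxAC's code: static per-institution thresholds selected by day/night and workday/weekend interval, and an adaptive linear filter (normalised LMS) that predicts each 5-minute sample from the previous ones and flags a sample when the prediction error is far above its running average. The per-institution thresholds, the 08:00 to 20:00 daytime boundary, the filter parameters and the traffic series are constructed; the series is built to show the caveat on the slide, a sustained jump that the filter learns as the new normal while the threshold keeps firing.

```python
"""Threshold-based and profile-based (adaptive linear filter) anomaly detection
on 5-minute traffic samples, in the spirit of the SMARTxAC detector. Added
example, not SMARTxAC's code: thresholds, day boundary, filter parameters and
the sample series are constructed."""
from datetime import datetime, timedelta

# Constructed thresholds in bits/s: (lower, upper) per (day type, time of day).
THRESHOLDS = {
    "inst-A": {
        ("workday", "day"):   (5e6, 400e6),
        ("workday", "night"): (1e6, 150e6),
        ("weekend", "day"):   (1e6, 150e6),
        ("weekend", "night"): (0.0, 100e6),
    },
}

def interval(ts):
    """Map a timestamp to its threshold interval; 08:00-20:00 is 'day' (assumed)."""
    day_type = "weekend" if ts.weekday() >= 5 else "workday"
    time_of_day = "day" if 8 <= ts.hour < 20 else "night"
    return day_type, time_of_day

def threshold_check(institution, ts, value):
    """Return 'above', 'below' or None for one sample."""
    lower, upper = THRESHOLDS[institution][interval(ts)]
    if value > upper:
        return "above"
    if value < lower:
        return "below"
    return None

class AdaptiveLinearPredictor:
    """Normalised LMS filter: predicts the next sample from the last `taps`
    samples and adapts its weights to the prediction error, so no 'ordinary'
    profile has to be configured. A sample is anomalous when |error| exceeds
    k times the running mean absolute error (floored to avoid zero)."""
    def __init__(self, taps=4, mu=0.5, k=4.0, error_floor=1e6):
        self.taps, self.mu, self.k, self.floor = taps, mu, k, error_floor
        self.w = [1.0 / taps] * taps
        self.history = []
        self.err_ma = None

    def step(self, x):
        """Feed one sample; return (prediction or None, anomaly flag)."""
        if len(self.history) < self.taps:
            self.history.append(x)
            return None, False
        pred = sum(w * h for w, h in zip(self.w, self.history))
        err = x - pred
        anomalous = self.err_ma is not None and abs(err) > self.k * self.err_ma
        # The filter keeps adapting through an anomaly: after a sustained shift
        # it learns the new level as normal, which is why the static thresholds
        # above are kept alongside it.
        norm = sum(h * h for h in self.history) + 1e-9
        self.w = [w + self.mu * err * h / norm for w, h in zip(self.w, self.history)]
        ae = abs(err)
        self.err_ma = ae if self.err_ma is None else 0.9 * self.err_ma + 0.1 * ae
        self.err_ma = max(self.err_ma, self.floor)
        self.history = self.history[1:] + [x]
        return pred, anomalous

def detect(institution, start, series, step=timedelta(minutes=5)):
    """Run both detectors over a series of bits/s samples; one dict per sample."""
    predictor = AdaptiveLinearPredictor()
    results = []
    for i, value in enumerate(series):
        ts = start + i * step
        pred, flag = predictor.step(value)
        results.append({"ts": ts, "value": value,
                        "threshold": threshold_check(institution, ts, value),
                        "predicted": pred, "profile_anomaly": flag})
    return results

# Constructed series: steady 100 Mb/s, then a sustained jump to 600 Mb/s.
START = datetime(2006, 5, 16, 10, 0)   # a Tuesday, daytime
SERIES = [100e6] * 8 + [600e6] * 30

if __name__ == "__main__":
    for r in detect("inst-A", START, SERIES):
        print(r["ts"].strftime("%H:%M"), int(r["value"]),
              r["threshold"], r["profile_anomaly"])
```

On the constructed series the filter flags the first sample of the jump and, within a few more samples, stops flagging because the new level has become its prediction; the threshold check reports "above" for every sample of the plateau, which is the complementary behaviour the slide relies on.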
Identification of Network Applications
• Traffic classification in SMARTxAC is based on port numbers
• Port-based classification is no longer reliable
  • P2P, dynamic ports, tunnelling, web-based services, ...
• We are developing a classification method based on machine learning techniques
  • It learns features of traffic flows that identify a given application
  • Packet payloads are only needed in the training phase
  • Once the system is trained, only packet headers are needed
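The contrast on this slide, as an added example that is not SMARTxAC's classifier: a nearest-centroid classifier over standardised, header-only flow features stands in for the machine-learning method the page mentions without specifying. The training flows and their labels (what payload inspection would have produced during the training phase), the feature set and the port map are all constructed; the point shown is that a P2P flow using TCP port 80 is labelled "http" by port and "p2p" by features.

```python
"""Port-based versus header-feature classification of flows. Added example, not
SMARTxAC's classifier: a nearest-centroid model over z-scored header features
is a stand-in for the unspecified ML method. Training data, labels and the
port map are constructed."""
import math

PORT_APP = {80: "http", 443: "https", 53: "dns"}   # assumed port map

def classify_by_port(server_port):
    return PORT_APP.get(server_port, "unknown")

# Header-only feature vector per flow:
# (duration s, packets, mean packet size B, upstream/downstream byte ratio)
TRAIN = [
    ("http", (0.5, 12, 800, 0.10)), ("http", (0.8, 20, 900, 0.08)), ("http", (0.3, 8, 700, 0.15)),
    ("p2p", (600.0, 4000, 1200, 0.90)), ("p2p", (900.0, 6000, 1100, 1.00)), ("p2p", (400.0, 3000, 1300, 0.85)),
    ("dns", (0.02, 2, 150, 0.30)), ("dns", (0.03, 2, 160, 0.25)), ("dns", (0.01, 2, 140, 0.35)),
]

class NearestCentroid:
    """Z-score each feature over the training set, then label a flow with the
    class whose centroid is nearest (Euclidean) in that space."""
    def __init__(self, samples):
        vectors = [v for _, v in samples]
        n, dim = len(vectors), len(vectors[0])
        self.mean = [sum(v[i] for v in vectors) / n for i in range(dim)]
        self.std = [math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vectors) / n) or 1.0
                    for i in range(dim)]
        grouped = {}
        for label, v in samples:
            grouped.setdefault(label, []).append(self.zscore(v))
        self.centroids = {label: [sum(z[i] for z in zs) / len(zs) for i in range(dim)]
                          for label, zs in grouped.items()}

    def zscore(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mean, self.std)]

    def predict(self, v):
        z = self.zscore(v)
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))

MODEL = NearestCentroid(TRAIN)   # payload-derived labels are used here only

def compare(server_port, features):
    """(port-based label, header-feature ML label) for one flow."""
    return classify_by_port(server_port), MODEL.predict(features)

if __name__ == "__main__":
    # Constructed test flows; the first is P2P traffic that chose TCP port 80.
    for port, feats in [(80, (700.0, 5000, 1150, 0.95)),
                        (80, (0.4, 10, 850, 0.12)),
                        (53, (0.02, 2, 150, 0.30))]:
        print(port, feats, compare(port, feats))
```

A real deployment would use a richer feature set and a proper learner with held-out validation; what carries over from this toy is the split the slide describes, labels from payloads at training time and header-derived features only at classification time.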
[Figure: classification results, port-based vs. machine learning]
Conclusions
• SMARTxAC is a tailor-made network monitoring system that
  • Operates at gigabit speeds without packet loss
  • Is relatively low-cost
  • Provides very detailed information about network usage
  • Is a multi-user system: network operators and institutions
• Since 2003, SMARTxAC has been used daily by CESCA to detect anomalies, attacks, performance problems, network faults, etc.
• Future work
  • Anomaly detection and application identification
  • Sampling, IPv6 support, ...
  • Deployment of more measurement points in the Anella Científica
  • Release of the source code under an open-source license
  • Collaboration with Intel's CoMo: http://como.intel-research.net