Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet Measurement Initiatives in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring,

Published byLora Morris Modified over 9 years ago

Similar presentations

Presentation on theme: "Internet Measurement Initiatives in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring,"— Presentation transcript:

1 Internet Measurement Initiatives in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring, 2003

2 pb@cs.wisc.edu2 Talk Objectives Motivate and describe Wisconsin Advanced Internet Lab (WAIL) –Internal lab environment –External lab environment Provide some detail on three current projects –Anomaly detection and characterization –Distributed intrusion monitoring –Understanding packet loss

3 pb@cs.wisc.edu3 Motivation for New Tools Any area of scientific research is limited by the tools available for experimental study –“If your only tool is a hammer then everything looks like a nail” 2001 NRC report: “network research community is in danger of ossification due to strictures of experimental systems” –Challenge: “Capturing a day in the life of the Internet” New experimental tools can open up areas of research that have not previously been accessible

4 pb@cs.wisc.edu4 An Internet Instance Lab A hands-on test environment designed to recreate paths and conditions identical to those in the Internet from end-to-end-through-core –Requires large amount of routing and end host equipment Network and host equipment able to recreate (not emulate) a wide range of services, configurations and traffic conditions –Complete instrumentation of end-to-end paths –Deployment of disruptive prototypes

5 pb@cs.wisc.edu5 Key Challenges Design Configurations and management Traffic generation Propagation delay Validation

6 pb@cs.wisc.edu6 The Wisconsin Advanced Internet Lab Our realization of an IIL Developed over past 18 months by UW/Cisco team Supported by $3.5M equipment grant from Cisco and UW matching funds –Used to purchase over 75 pieces of networking equipment Phase 1 nearing completion => Abilene recreation Other partners: EMC, Spirent, Intel, Fujitsu, Sun Research initiatives in many areas…

7 pb@cs.wisc.edu7 External Environment Essential complement to internal environment Existing infrastructure –DOMINO systems (1 class A + 2 class B’s + Dshield) –Surveyor + WAWM systems (~70 nodes) New database and front end by summer ‘03 Partnerships and other available systems –Condor/Grid Infrastructures Passive flow measurements –FlowScan data from UW, Internet2, others…

8 pb@cs.wisc.edu8 Project 1: Detecting Anomalies in IP Flows Motivation: Anomaly detection remains difficult Objective: Improve understanding of traffic anomalies Approach: Multiresolution analysis of data set that includes IP flow, SNMP and an anomaly catalog Method: Integrated Measurement Analysis Platform for Internet Traffic (IMAPIT) Results: Identify anomaly characteristics using wavelets and develop new method for exposing short-lived events

9 pb@cs.wisc.edu9 Our Data Sets Consider anomalies in IP flow and SNMP data –Collected at UW border router (Juniper M10) –Archive of ~6 months worth of data (packets, bytes, flows) –Includes catalog of anomalies (after-the-fact analysis) Group observed anomalies into four categories –Network anomalies (41) Steep drop offs in service followed by quick return to normal behavior –Flash crowd anomalies (4) Steep increase in service followed by slow return to normal behavior –Attack anomalies (46) Steep increase in flows in one direction followed by quick return to normal behavior –Measurement anomalies (18) Short-lived anomalies which are not network anomalies or attacks

10 pb@cs.wisc.edu10 Multiresolution Analysis Wavelets provide a means for describing time series data that considers both frequency and time –Powerful means for characterizing data with sharp spikes and discontinuities –Using wavelets can be quite tricky We use tools developed at UW which together make up IMAPIT –FlowScan software –The IDR Framenet software

11 pb@cs.wisc.edu11 Ambient IP Flow Traffic

12 pb@cs.wisc.edu12 Flow Traffic During DoS Attacks

13 pb@cs.wisc.edu13 Deviation Score for Three Anomalies

14 pb@cs.wisc.edu14 Project 2: Coordinated Intrusion Detection Motivation: Intrusion detection is a moving target Objective: Coordinate intrusion monitoring between multiple sites around the Internet Approach: Share data from firewalls, NIDS and tarpits (on unused IP space) Method: Distributed Overlay for Monitoring Internet Outbreaks (DOMINO) Results: Blacklists can be rapidly generated, false positives can be substantially lowered, new outbreaks can be easily identified

15 pb@cs.wisc.edu15 DOMINO: A new approach to DNIDS Partnership with dshield.org –1600 firewall and NIDS logs Tarpits –Active monitor of unused IP space –1 class A (this week), 2 class B’s A protocol for node participation, data sharing and alert clustering –Chord-based overlay network –Extension of Intrusion Detection Message Exchange Format – Various clustering methods

16 pb@cs.wisc.edu16 Marginal Utility of Adding Nodes

17 pb@cs.wisc.edu17 SQL-Sapphire Analysis

18 pb@cs.wisc.edu18 Project 3: Understanding Packet Loss Motivation: Many of the most basic aspects of packet loss are not understood –Where, when, how long, how often? Focus: Developing a comprehensive understanding of packet loss in the Internet Approach: Combine understanding of protocols and queue behavior to create a probe train which can accurately measure delay and loss. Implications: End-to-end tools for pin-pointing loss, better transport protocols, better network management for congestion

19 pb@cs.wisc.edu19 Active versus Passive Loss Measures Hypothesis: Active measures of loss are correlated with passive measures of loss Assessment in Abilene –SNMP loss measures on all backbone routers –Active probes via Ping/Zing in Surveyor nodes at 10Hz, 20Hz and 100Hz –Tests in full mesh over one month period

20 pb@cs.wisc.edu20 Result: Active <> Passive

21 pb@cs.wisc.edu21 Summary Both internal lab building initiatives and external measurement initiatives in WAIL Internal facilities are intended to be open We are seeking partnerships in external measurement projects. –DOMINO in particular

Download ppt "Internet Measurement Initiatives in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring,"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.

Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
The Challenges of Repeatable Experiment Archiving – Lessons from DETER Stephen Schwab SPARTA, Inc. d.b.a. Cobham Analytic Solutions May 25, 2010.

The Challenges of Repeatable Experiment Archiving – Lessons from DETER Stephen Schwab SPARTA, Inc. d.b.a. Cobham Analytic Solutions May 25, 2010.
LOTUS to SharePoint Migration Services. © 2010 Star Knowledge Technology Team Alliance 2 Key Discussion Points Star Knowledge Value Proposition Microsoft.

LOTUS to SharePoint Migration Services. © 2010 Star Knowledge Technology Team Alliance 2 Key Discussion Points Star Knowledge Value Proposition Microsoft.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Internet Intrusions: Global Characteristics and Prevalence Presented By: Zhichun Li Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS 2003.

Internet Intrusions: Global Characteristics and Prevalence Presented By: Zhichun Li Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS 2003.
1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson

1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Internet Traffic Patterns Learning outcomes –Be aware of how information is transmitted on the Internet –Understand the concept of Internet traffic –Identify.

Internet Traffic Patterns Learning outcomes –Be aware of how information is transmitted on the Internet –Understand the concept of Internet traffic –Identify.
Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.

Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Network Traffic Measurement and Modeling CSCI 780, Fall 2005.

Network Traffic Measurement and Modeling CSCI 780, Fall 2005.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Similar presentations

Ads by Google