Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assessing the Nature of Internet traffic: Methods and Pitfalls Wolfgang John Chalmers University of Technology, Sweden together with Min Zhang Beijing.

Published byCharlotte Chambers Modified over 8 years ago

Similar presentations

Presentation on theme: "Assessing the Nature of Internet traffic: Methods and Pitfalls Wolfgang John Chalmers University of Technology, Sweden together with Min Zhang Beijing."— Presentation transcript:

1 Assessing the Nature of Internet traffic: Methods and Pitfalls Wolfgang John Chalmers University of Technology, Sweden together with Min Zhang Beijing Jiaotong University, China Maurizio Dusi Università degli Studi di Brescia, Italy kc claffy, Nevil Brownlee CAIDA, SDSC, UCSD, USA

2 2009-05-13TrefPunkt 20 Introduction ? ? ? ? ? HTTP Bittorrent SMTP ? Traffic classification (TC) ?

3 2009-05-13TrefPunkt 20 Introduction (cont.) Why traffic classification? –Network design and provisioning –QoS assignment and traffic shaping –Accounting –Security monitoring: IDS/IPS –Network Forensics –Trends and changes in network applications

4 2009-05-13TrefPunkt 20 Introduction (cont.) Today’s Internet –evolving in scope and complexity –applications adapt rapidly to detection attempts –emerging obfuscation techniques Many classification approaches in literature –using whatever traffic samples available –no systematic integration of results

5 2009-05-13TrefPunkt 20 Outline Classification Methods –Research review and taxonomy Survey analysis: P2P Pitfalls –Systematic shortcomings –Re-validate assumptions UDP rising Routing (a)symmetry on backbone links

6 2009-05-13TrefPunkt 20 Research Review and Taxonomy Research review –create a structured taxonomy of traffic classification papers and their datasets –help to answer popular questions –reveal open issues and challenges http://www.caida.org/research/traffic-analysis/classification-overview

7 2009-05-13TrefPunkt 20 Research review and taxonomy: Overview 64 papers published between 1994 and 2008 Definition: traffic classification “Methods to classify traffic data sets based on features passively observed in the traffic, according to specific classification goals.”

8 2009-05-13TrefPunkt 20 Research review and taxonomy: Datasets and Goals Data sets: >80 data sets used for 64 papers! –Time of collection, link type, capture environments, geographic location, (payload, anonymization), etc. Classification goals: –Coarse or fine-grained classification –Applications or protocols

9 2009-05-13TrefPunkt 20 Research review and taxonomy: Features Features –Reacting on application development

10 2009-05-13TrefPunkt 20 Research review and taxonomy: Methods Methods –exact matching port number, payload, etc –heuristic methods e.g. on connection patterns –machine learning methods supervised and unsupervised

11 2009-05-13TrefPunkt 20 Survey analysis: P2P How much P2P? 1.3% to 93% across the 18 (out of 64) papers

12 2009-05-13TrefPunkt 20 Survey analysis: P2P (contd.) So how much of modern Internet traffic is P2P? "there is a wide range of P2P traffic on Internet links; see your specific link of interest and classification technique you trust for more details."

13 2009-05-13TrefPunkt 20 Survey analysis: P2P (contd.) SUNET: April till Nov. 2006

14 2009-05-13TrefPunkt 20 Outline Methods –Research review and taxonomy Survey analysis: P2P Pitfalls –Systematic shortcomings –Re-validate assumtions UDP rising Routing (a)symmetry on backbone links

15 2009-05-13TrefPunkt 20 Systematic Shortcomings Poor comparability of results!!! –80 data sets by 64 papers → lack of shared, modern data sets as reference data –no clear definitions (P2P or file-sharing …) → lack of standardized measures → lack of defined classification goals

16 2009-05-13TrefPunkt 20 Assumption: TCP dominates traffic Current TC approaches consider mainly TCP –Assumptions TCP is dominating traffic Bulk (data) transfer is done via TCP –Advantage TCP has a clear notion of “sessions”

17 2009-05-13TrefPunkt 20 Assumption: TCP dominates traffic (cont.) There might be a shift (soon): –IPTV applications PPLive, PPStream: switched to UDP in Oct. 2008 VA (Video Accelerator): UDP for data transfer –P2P applications uTP: Micro Transport protocol, based on UDP –Part of uTorrent 1.9 beta, expected during 2010 All on high, random ports (of course …)

18 2009-05-13TrefPunkt 20 Assumption: TCP dominates traffic (cont.)

19 2009-05-13TrefPunkt 20 CDF of UDP flows per Port number Assumption: TCP dominates traffic (cont.) Indeed, high ephemeral ports are common today!

20 2009-05-13TrefPunkt 20 Avg. Packets/Flow for top 10 UDP ports Assumption: TCP dominates traffic (cont.) No substantial data portions carried (on these links - yet)

21 2009-05-13TrefPunkt 20 Assumption: TCP dominates traffic (cont.) Current situation (on the links measured) –TCP dominating pkts (bytes), UDP dominating flows UDP for P2P overlay signaling This might change soon: –UDP based IPTV already common in China, uTP … UDP for bulk and streaming data transfer → TC methods can no longer ignore UDP?

22 2009-05-13TrefPunkt 20 Assumption: routing symmetry Current approaches consider bidirectional traffic –Assumption Traffic is routed symmetrically –Same path for forward and backward direction –Advantage Bi-directional information offers more features for classification For TCP, bi-directional information allows easier inference of sessions (connections)

23 2009-05-13TrefPunkt 20 Assumption: routing symmetry (cont.) Degree of symmetry –4 link locations (Sweden and USA) –2 samples each

24 2009-05-13TrefPunkt 20 Assumption: routing symmetry (cont.) Beyond Intranets and access links (edge networks), there is little symmetry Degree of symmetry decreases with level of “coreness” of the link → TC methods for backbone links need to master unidirectional data flows

25 2009-05-13TrefPunkt 20 Summary Research review –structured taxonomy of traffic classification papers Current systematic shortcomings → lack of shared, modern data sets as reference data → lack of standardized measures → lack of defined classification goals Upcoming technical challenges → TC methods can no longer ignore UDP → TC methods should handle unidirectional flows

26 Traffic classification overview: http://www.caida.org/research/traffic-analysis/classification-overview/ Observations on UDP traffic on Internet backbone links: soon to be published on www.caida.org (“News” section) Estimation of routing asymmetry on Internet links: http://www.caida.org/research/traffic-analysis/asymmetry/ or Email: johnwolf@chalmers.se http://www.caida.org/research/traffic-analysis/classification-overview/www.caida.org http://www.caida.org/research/traffic-analysis/asymmetry/

Download ppt "Assessing the Nature of Internet traffic: Methods and Pitfalls Wolfgang John Chalmers University of Technology, Sweden together with Min Zhang Beijing."

Similar presentations

Multicast Traffic Monitoring on a Nationwide Backbone Network Tao He New Generation Network (NGN) Lab. Department of Electronic and Engineering Tsinghua.

Multicast Traffic Monitoring on a Nationwide Backbone Network Tao He New Generation Network (NGN) Lab. Department of Electronic and Engineering Tsinghua.
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—8-1 MPLS TE Overview Introducing the TE Concept.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—8-1 MPLS TE Overview Introducing the TE Concept.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Clayton Sullivan PEER-TO-PEER NETWORKS. INTRODUCTION What is a Peer-To-Peer Network A Peer Application Overlay Network Network Architecture and System.

Clayton Sullivan PEER-TO-PEER NETWORKS. INTRODUCTION What is a Peer-To-Peer Network A Peer Application Overlay Network Network Architecture and System.
Merit Network: Connecting People and Organizations Since 1966 CALEA Compliance – A Feasibility Study October 25, 2006 Mary Eileen McLaughlin Director –

Merit Network: Connecting People and Organizations Since 1966 CALEA Compliance – A Feasibility Study October 25, 2006 Mary Eileen McLaughlin Director –
Internet Inter-Domain Traffic 生機四 謝宗廷 歷史三 胡秩瑋. Introduction  Internet is always changing dramatically.  In the new Internet economy, content providers.

Internet Inter-Domain Traffic 生機四 謝宗廷 歷史三 胡秩瑋. Introduction  Internet is always changing dramatically.  In the new Internet economy, content providers.
PROMISE: Peer-to-Peer Media Streaming Using CollectCast Mohamed Hafeeda, Ahsan Habib et al. Presented By: Abhishek Gupta.

PROMISE: Peer-to-Peer Media Streaming Using CollectCast Mohamed Hafeeda, Ahsan Habib et al. Presented By: Abhishek Gupta.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Copyright © 2005 Department of Computer Science CPSC 641 Winter 20111 WAN Traffic Measurements There have been several studies of wide area network traffic.

Copyright © 2005 Department of Computer Science CPSC 641 Winter WAN Traffic Measurements There have been several studies of wide area network traffic.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Network Traffic Measurement and Modeling CSCI 780, Fall 2005.

Network Traffic Measurement and Modeling CSCI 780, Fall 2005.
Chapter 1 Read (again) chapter 1.

Chapter 1 Read (again) chapter 1.
Networking Basics: A Review Carey Williamson iCORE Chair and Professor Department of Computer Science University of Calgary.

Networking Basics: A Review Carey Williamson iCORE Chair and Professor Department of Computer Science University of Calgary.
5-1 Data Link Layer r Today, we will study the data link layer… r This is the last layer in the network protocol stack we will study in this class…

5-1 Data Link Layer r Today, we will study the data link layer… r This is the last layer in the network protocol stack we will study in this class…
1 Last Class! Today: r what have we learned? r where is the networking world going? r question and answers r evaluation.

1 Last Class! Today: r what have we learned? r where is the networking world going? r question and answers r evaluation.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.

Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
1 Networking Basics: A Review Carey Williamson iCORE Professor Department of Computer Science University of Calgary.

1 Networking Basics: A Review Carey Williamson iCORE Professor Department of Computer Science University of Calgary.
Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.
1 WAN Measurements Carey Williamson Department of Computer Science University of Calgary.

1 WAN Measurements Carey Williamson Department of Computer Science University of Calgary.

Similar presentations

Ads by Google