Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ranveer Chandra and Dina Katabi Learning Communication Rules Srikanth Kandula.

Published byNathaniel McCulloch Modified over 10 years ago

Similar presentations

Presentation on theme: "Ranveer Chandra and Dina Katabi Learning Communication Rules Srikanth Kandula."— Presentation transcript:

1 Ranveer Chandra and Dina Katabi Learning Communication Rules Srikanth Kandula

2 Network Admins. are Groping in the Dark Focus on Traffic Volume TCP=80%, HTTP=30% Adapt report categories (e.g., AutoFocus) – Much traffic from ports 500-600 But, Whats Going On? Traffic follows plan? Misconfigurations Suspicious Traffic (Active) user browsing web, reading/sending mail (Automatic) SMS scan on a network, outlook refresh Besides focusing on volume, learn rules underlying the traffic

3 Infer the actual behavior of applications – AFS root servers direct traffic to volume servers evenly – mail to the incoming MX, is forwarded onto group MXes Notice misconfigurations and badness – these clients shld not be talking on known command-control ports this server shld not be responding to DHCP requests – this mail server shld not attempt connections to non-existent MXes flow Y flow X Whenever flow y happens, flow x is likely to occur Rule t X X X X Y Y Y If you could learn such rules directly from a trace, (http DNS)

4 Report all significant rules with no specific knowledge about a trace

5 Mining for Rules is Hard How to define significance? – When is a group of flows interesting enough to report? Avoid observer bias but cannot evaluate everything – Focus on one server, miss what you are not looking for Practical, deal with noise, search quickly eXpose 1.A scoring function for significance 2.Heuristics that bias search toward high hit-rate 3.Empirical validation on enterprise traces eXpose 1.A scoring function for significance 2.Heuristics that bias search toward high hit-rate 3.Empirical validation on enterprise traces

6 Overview Packet trace to Activity Matrix o Rows are 1s windows; Columns are flows o Is flow active in [time i-1, time i )? (at least one packet) Association rule mining (X,Y are r.v. for columns) Need not worry about interleaving Dependencies are at these time-scales (an rtt, a server response) Packet Trace flow 1 …flow K time 1 … time R Activity Matrix Rules All windows in [.25s, 2s] range yield similar rules

7 Which Rules are Significant? High Joint Probability? o X, Y may occur very often individually (e.g., breeze, sun shining) High Conditional Probability? o Say Y occurs only when X does, but both are rare (lottery, buy a jet) X Y

8 * Measures fraction of change in Y due to X High Joint Probability? High Conditional Probability? We use mutual information (combines the two) * Trades off dependency & frequency Score=0, if Y is independent of X Score=Max, if Y is fully dependent on X * Encodes Directionality Kerberos Reservation Which Rules are Significant? X Y

9 Negative Correlation – Flows with little overlap Y … X … P( Y|X) 1 leads to high score Modifying Scores for Networking

10 Negative Correlation – Flows with little overlap Long Running Flows – Large downloads, ssh/remote desktop – Trivial overlaps with long flow – Distinguish new vs. present – Present rules reported only if small mismatch in freq. Too Many Possibilities – Bias, focus on pairs with at least one common IP – Miss rules, but hit-rate up 1000x and costs down 10x Y … … Y … X … X P(Y|X) 1 Modifying Scores for Networking

11 Generics - Miss, if no client accesses server often + Rules that abstract away parts of a flow Server Database Client : Server Server : Database Reservation Kerberos Client : Server Server : Database * Client : Rsrv. Client : Kerberos * * (any client) (any client, but same on both sides) To do this automatically, what to abstract? (IP addresses at non-server port) which pairs to consider for rule? –flows match IP, generics match abstracted IP To do this automatically, what to abstract? (IP addresses at non-server port) which pairs to consider for rule? –flows match IP, generics match abstracted IP

12 Techniques extend to arbitrary sized rules Instead, 1.Focus on pair-wise rules (simpler is likelier) 2.Group similar rules – Eliminate weak rules between strongly connected groups – Transitive closure to read off clusters Rule Mining Mining for Rules O(f 2 )O(f n+1 ) RuleScore Recursive Spectral Partitioning (VKV00) Digests 10 5 10 6 flows into 10 2 10 3 rule clusters

13 … flow i.new flow j.present... Packet Trace flow 1 …flow K time 1 present |new … time R Activity Matrix Rules Recap: eXpose Mines for Rules Learn all significant rules without prior knowledge oScoring function for rule significance oAvoids observer bias, yet stays feasible by focusing on high hit-rate oAlgorithms to mine and prune Rule Clusters Contributions

14 Related Work Semi-Automated Discovery of App. Session Structure (KJPK06) Sherlock (Diagnosing Performance Problems, BCGKMZ07) Autofocus (ESV03) BLINC (KPF05) Stepping Stones (ZP00) Learn all significant rules without prior knowledge oAvoids observer bias, yet stays feasible by focusing on high hit-rate oScoring function for rule significance oAlgorithms to mine and prune

15 Results

16 Evaluation Setup Traces at access and internal server-facing links – Packet Headers, Connection Records (Bro), some anon. Operational n/w with 10 3 clients, diverse traffic mix Corroborated on test-bed traffic & vetted by admins. Ran eXpose on a 2.4GHz x86 with 8GB RAM Inside MicrosoftBefore CSAILs Servers Access Link of Conf. LANsCSAILs Access

17 Dependencies for Major Applications Rules Discovered by eXpose Client.* – Mail.135 Client.* – DC.88Client.* – Mail.X Client.* – PFS 1.XClient.* – PFS 2.XClient.* – Proxy.80 email @ microsoft

18 Rules Discovered by eXpose Dependencies for Major Applications afs @ csail C.7001 – Root.7003 C.7001 – *.* C.7001 – AFS1.7000 C.7001 – AFS2.7000 AFS1.7000 – Root.7002

19 Rules Discovered by eXpose Dependencies for Major Applications – web, e-mail, file-servers, IM, print, video broadcast web @ microsoft Proxy1.80 – *.* Proxy2.80 – *.* Proxy3.80 – *.* Proxy4.80 – *.*

20 Rules Discovered by eXpose Dependencies for Major Applications – web, e-mail, file-servers, IM, print, video broadcast Configuration Errors & Other Badness Client.* – MailServer.25 Client.113 – MailServer.* smtp + IDENT @ csail

21 Dependencies for Major Applications – web, e-mail, file-servers, IM, print, video broadcast Configuration Errors & Other Badness – IDENT, Legacy emails, ssh scans, wingate Rules Discovered by eXpose Legacy email ids @ csail UnivMail.* – Old2.25 UnivMail.* – Old1.25 UnivMail.* – Old3.25

22 Rules Discovered by eXpose Dependencies for Major Applications – web, e-mail, file-servers, IM, print, video broadcast Configuration Errors & Other Badness – IDENT, Legacy emails, ssh scans, wingate Rules for stuff we didnt know before Nagios monitors @ csail Nagios.7001 – AFS1.7000 Nagios.7001 – AFS2.7000 Nagios.* – Mail2.25 Nagios.* – Mail1.25

23 Rules Discovered by eXpose Dependencies for Major Applications – web, e-mail, file-servers, IM, print, video broadcast Configuration Errors & Other Badness – IDENT, Legacy emails, ssh scans, wingate Rules for stuff we didnt know before – Nagios, LLMNR, iTunes Link level multicast name resolution @ hotspots H.* – DNS.53 H.137 – Wins.137 H.* – Multicast.5355 Black box: Little prior knowledge about servers, applications, or users Can evolve

24 Correctness & Completeness False Positives – 13% of rule-clusters in CSAIL trace, we couldnt explain False Negatives – Main CSAIL Web Server (too many different activities) – Dependencies on Personal Web Pages (too few traffic) – PlanetLab Traffic (punted) Other Limitations – IPSec, Anonymized, Cover Traffic Extensions – Rules repeat over time, and across traces – Application whitelisting, Customize Generics

25 Time to Mine for Rules At CSAILs access link, high fan-out with many distinct flows Stream Mining Appears Feasible! # Flows (x 10 6 ).6.2.6.9 2.8

26 Packet Trace Rules for frequently reoccurring flow sets Learn all significant rules with no specific knowledge oAvoids observer bias, but feasible by focusing on high hit-rate oScoring function for rule significance oAlgorithms to mine and prune Empirical validation on enterprise traces found configurations & protocols that we didnt know existed learnt rules for actual behavior of applications found config. errors, bot scans, infected machines eXpose http://research.microsoft.com/~srikanth

27 Backup

28 Rule Score (Modified JMeasure) # of Discovered Rules Expanding Search Space (# of flows)… … exposes few significant rules!

29 Expanding Search Space (# of flows)… # Top Active Flows Time to Mine Rules (s) Memory Footprint (million rules) … exposes few rules & costs a lot in time, memory

30 Varying Size of Time Windows # of Discovered Rules Rule Score (Modified JMeasure) All window sizes in [.25s, 2s] produce similar rules!

31 For all rules X Y Prob. (X)Prob. (Y) Joint Probability

Download ppt "Ranveer Chandra and Dina Katabi Learning Communication Rules Srikanth Kandula."

Similar presentations

Presented by Ben Serebin www.reefsolutions.com Tue, June 15, 2005. Every 2 nd Tuesday of the Month. Same Time and Place Visit www.nyexug.com for Presentation.

Presented by Ben Serebin Tue, June 15, Every 2 nd Tuesday of the Month. Same Time and Place Visit for Presentation.
Sherlock – Diagnosing Problems in the Enterprise Srikanth Kandula Victor Bahl, Ranveer Chandra, Albert Greenberg, David Maltz, Ming Zhang.

Sherlock – Diagnosing Problems in the Enterprise Srikanth Kandula Victor Bahl, Ranveer Chandra, Albert Greenberg, David Maltz, Ming Zhang.
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Network Systems Sales LLC

Network Systems Sales LLC
Kalpesh Vyas & Seward Khem

Kalpesh Vyas & Seward Khem
Computer networks Fundamentals of Information Technology Session 6.

Computer networks Fundamentals of Information Technology Session 6.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.
Lecture 2: Servers and Services Network Design & Administration.

Lecture 2: Servers and Services Network Design & Administration.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
An Empirical Study of Real Audio Traffic A. Mena and J. Heidemann USC/Information Sciences Institute In Proceedings of IEEE Infocom Tel-Aviv, Israel March.

An Empirical Study of Real Audio Traffic A. Mena and J. Heidemann USC/Information Sciences Institute In Proceedings of IEEE Infocom Tel-Aviv, Israel March.
The Application Layer Chapter 7. Where are we now?

The Application Layer Chapter 7. Where are we now?
CLIENT / SERVER ARCHITECTURE AYRİS UYGUR & NİLÜFER ÇANGA.

CLIENT / SERVER ARCHITECTURE AYRİS UYGUR & NİLÜFER ÇANGA.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
Wi-Fi Structures.

Wi-Fi Structures.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
TCP Sockets Reliable Communication. TCP As mentioned before, TCP sits on top of other layers (IP, hardware) and implements Reliability In-order delivery.

TCP Sockets Reliable Communication. TCP As mentioned before, TCP sits on top of other layers (IP, hardware) and implements Reliability In-order delivery.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Similar presentations

Ads by Google