Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unconstrained Endpoint Profiling (Googling the Internet)‏

Published byChester Todd Modified over 5 years ago

Similar presentations

Presentation on theme: "Unconstrained Endpoint Profiling (Googling the Internet)‏"— Presentation transcript:

1 Unconstrained Endpoint Profiling (Googling the Internet)‏
Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University Narus Inc.

2

3 Huge amount of endpoint information available on the web
Introduction Can we use Google for networking research? Huge amount of endpoint information available on the web Can we systematically exploit search engines to harvest endpoint information available on the Internet?

4 Where Does the Information Come From?
Some popular proxy services also display logs Even P2P information is available on the Internet since the first point of contact with a P2P swarm is a publicly available IP address Websites run logging software and display statistics Blacklists, banlists, spamlists also have web interfaces Popular servers (e.g., gaming) IP addresses are listed Malicious P2P Servers Clients

5 Inferring Active IP Ranges in Target Networks
Problem – detecting active IP ranges Needed for large-scale measurements e.g., Iplane [OSDI’06] Current approaches Active Passive Our approach IP addresses that generate hits on Google could suggest active ranges

6 Detecting Application Usage Trends
Can we infer what applications people are using across the world without having access to network traces?

7 Traffic Classification
Problem – traffic classification Current approaches (port-based, payload signatures, numerical and statistical etc.) Our approach Use information about destination IP addresses available on the Internet

8 Methodology – Web Classifier and IP Tagging
IP Address xxx.xxx.xxx.xxx – QQ Chat Server Rapid Match IP tagging URL Hit text URL Hit text URL Hit text Domain name Keywords …. …. Domain name Keywords Search hits …. …. Website cache

9 Evaluation – Ground Truth
France ● No traces available China ● Packet level traces available United States ● Sampled NetFlow available Brasil ● Packet level traces available

10 Inferring Active IP Ranges in Target Networks

11 Inferring Active IP Ranges in Target Networks
Actual endpoints from trace Google hits XXX /17 network range Overlap is around 77%

12 Application Usage Trends

13 Correlation Between Network Traces and UEP

14 Traffic Classification

15 Traffic Classification
Mail server Website Router Tagged IP Cache Halo server Hold a small % of the IP addresses seen Look at source and destination IP addresses and classify traffic Is this scalable?

16 5% of the destinations sink 95% of traffic
Traffic Classification 5% of the destinations sink 95% of traffic

17 BLINC vs. UEP BLINC (SIGCOMM 2005)
Works “in the dark” (doesn’t examine payload) Uses “graphlets” to identify traffic patterns Uses thresholds to further classify traffic UEP (SIGCOMM 2008) Uses information available on the web Constructs a semantically rich endpoint database Very flexible (can be used in a variety of scenarios)

18 BLINC vs. UEP (cont.) UEP also provides better semantics
Traffic[%] UEP classifies twice as much traffic as BLINC BLINC doesn’t find some categories UEP also provides better semantics Classes can be further divided into different services

19 Each packet has a 1/Sampling rate chance of being kept
Working with Sampled Traffic Sampled data is considered to be poorer in information However ISPs consider scalable to gather only sampled data X X X X X X X X Each packet has a 1/Sampling rate chance of being kept (Cisco Netflow)

20 Working with Sampled Traffic
Most of the popular IP addresses still in the trace A quarter of the IP addresses still in the trace at sampling rate 100

21 Working with Sampled Traffic
UEP maintains a large classification ratio even at higher sampling rates When no sampling is done UEP outperforms BLINC BLINC stays in the dark 2% at sampling rate 100 UEP retains high classification capabilities with sampled traffic

22 Endpoint Clustering Performed clustering of endpoints in order to cluster out common behavior Please see the paper for detailed results Real strength: We managed to achieve similar results both by using the trace and only by using UEP

23 Conclusions Key contribution: Our approach can:
Shift research focus from mining operational network traces to harnessing information that is already available on the web Our approach can: Predict application and protocol usage trends in arbitrary networks Dramatically outperform classification tools Retain high classification capabilities when dealing with sampled data

Download ppt "Unconstrained Endpoint Profiling (Googling the Internet)‏"

Similar presentations

Google-based Traffic Classification Aleksandar Kuzmanovic Northwestern University IEEE Computer Communications Workshop (CCW 08) October 23, 2008

Google-based Traffic Classification Aleksandar Kuzmanovic Northwestern University IEEE Computer Communications Workshop (CCW 08) October 23, 2008
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Taming User-Generated Content in Mobile Networks via Drop Zones Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Taming User-Generated Content in Mobile Networks via Drop Zones Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Measuring Serendipity: Connecting People, Locations and Interests in a Mobile 3G Network Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio.

Measuring Serendipity: Connecting People, Locations and Interests in a Mobile 3G Network Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Firewalls : usage Data encryption Access control : usage restriction on some protocols/ports/services Authentication : only authorized users and hosts.

Firewalls : usage Data encryption Access control : usage restriction on some protocols/ports/services Authentication : only authorized users and hosts.
Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Multi-level Application-based Traffic Characterization in a Large-scale Wireless Network Maria Papadopouli 1,2 Joint Research with Thomas Karagianis 3.

Multi-level Application-based Traffic Characterization in a Large-scale Wireless Network Maria Papadopouli 1,2 Joint Research with Thomas Karagianis 3.
1 A Comparison of Load Balancing Techniques for Scalable Web Servers Haakon Bryhni, University of Oslo Espen Klovning and Øivind Kure, Telenor Reserch.

1 A Comparison of Load Balancing Techniques for Scalable Web Servers Haakon Bryhni, University of Oslo Espen Klovning and Øivind Kure, Telenor Reserch.
CSCI 4550/8556 Computer Networks Comer, Chapter 3: Network Programming and Applications.

CSCI 4550/8556 Computer Networks Comer, Chapter 3: Network Programming and Applications.
Internet Cache Pollution Attacks and Countermeasures Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen Electrical Engineering and Computer Science.

Internet Cache Pollution Attacks and Countermeasures Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen Electrical Engineering and Computer Science.
Countering Large-Scale Internet Pollution and Poisoning Aleksandar Kuzmanovic Northwestern University

Countering Large-Scale Internet Pollution and Poisoning Aleksandar Kuzmanovic Northwestern University
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.

Unconstrained Endpoint Profiling (Googling the Internet)‏ Ionut Trestian Supranamaya Ranjan Aleksandar Kuzmanovic Antonio Nucci Northwestern University.
Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas,

Internet Traffic Analysis for Threat Detection Joshua Thomas, CISSP Thomas Conley, CISSP Ohio University Communication Network Services Joshua Thomas,
RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao.

RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao.
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.

Similar presentations

Ads by Google