Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application Identification in Information-poor Environments Charalampos (Haris) Rotsos Computer Laboratory University of Cambridge

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Application Identification in Information-poor Environments Charalampos (Haris) Rotsos Computer Laboratory University of Cambridge"— Presentation transcript:

1 Application Identification in Information-poor Environments Charalampos (Haris) Rotsos Computer Laboratory University of Cambridge charalampos.rotsos@cl.cam.ac.uk

2 Overview Application Identification allows: New Services (QoS/QoE) Administration (SLA) Understanding But it is difficult in a large network because: VPN / Multihoming where can I monitor your data? Data (2+TB/day/University) Sophisticated Users and Complex Networks Encrypted Applications & Overlay Networks Internet

3 What is the problem How can I Identify the application class from a flow of packets? Can I do this with sampled and summarised flow records(Netflow)? – Available in most routers – ISPs collect this as standard and often have been for many years – 25Gb per day for a 1 st layer ISP (x000’s of routers)

4 Current technologies Can we fuse these different approaches to achieve better performance by reducing the effect of the disadvantages and keeping the advantages? IDS / Anomaly detection fast depends on protocol implementations specifications, task specific Deep packet inspectionaccurate results Full payload, fails on encryption & protocol changes Statistical analysis Flow granularity, can run online on fast link Requires diverse ground truth data for training Connection Pattern / BLINC low information requirement host granularity, fails to adjust on small protocol changes, complex design

5 First Approach Using ground truth flow records and machine learning discover patterns from : Flow statistics Connection Pattern Host behavior (roles) G.T. DATA FLOW RECORDS

6 First Problems Netflow records have 20 fields. Some of them have no value for the identification. Flow records are unclear about client - server role and simplex Hints: Extract more information from the context of the network. Infer extra fields by analyzing ground truth data. What extra statistics can make a difference?

7 Time and space variance Space and time problems An example of temporal decay in accuracy A model with 92% accuracy decays to 62-81% accuracy 18 months later A naïve example of spatial decay A model with near 100% accuracy for one site might achieve 87- 99% Long-term fragility comes from changes in IP addresses coding as AS numbers and subnets help a little (but not much)

8 More Issues Netflow data tend to be able to describe the situation for short time While many servers are stabile for long periods, the heavy-tail is not... (p2p, keyloggers, botnets). Solutions: Mix in prior knowledge; diverse datasets Capture behavior with better Mach.-Learn. Semi supervised learning to automatic- update

9 Behavioural models What is important for a behavioural model? Can we describe it in a compact way? Difficult to build automatically

10 Summary NetFlow (flow summary) records are a rich source of data, fused with other network data we can build a useful Application Identification System Machine-learning works – at least in the short-term Stabile/useful models need continuous update Behavioural model hold promise too… THANK YOU

11 More Issues Capitalizing on the short-term/high-accuracy of NetFlow type data Servers can be alive for (very) long periods of time, but not for the applications you WANT to detect (p2p, evil) semi-supervised learning can boost knowledge Behavioral Models Challenge to build automatically

Download ppt "Application Identification in Information-poor Environments Charalampos (Haris) Rotsos Computer Laboratory University of Cambridge"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implementing IP Addressing Services Accessing the WAN – Chapter 7.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implementing IP Addressing Services Accessing the WAN – Chapter 7.
Chapter 8 Managing Windows Server 2008 Network Services

Chapter 8 Managing Windows Server 2008 Network Services
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.

Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.
Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.

Application Identification in information-poor environments Charalampos Rotsos 02/02/20101 What is application identification Current status My work Future.
Internet Traffic Patterns Learning outcomes –Be aware of how information is transmitted on the Internet –Understand the concept of Internet traffic –Identify.

Internet Traffic Patterns Learning outcomes –Be aware of how information is transmitted on the Internet –Understand the concept of Internet traffic –Identify.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Subnetting.

Subnetting.
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)
1 An Information Theoretic Approach to Network Trace Compression Y. Liu, D. Towsley, J. Weng and D. Goeckel.

1 An Information Theoretic Approach to Network Trace Compression Y. Liu, D. Towsley, J. Weng and D. Goeckel.
Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.

Passive traffic measurement Capturing actual Internet packets in order to measure: –Packet sizes –Traffic volumes –Application utilisation –Resource utilisation.
Lecture Week 7 Implementing IP Addressing Services.

Lecture Week 7 Implementing IP Addressing Services.
RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao.

RelSamp: Preserving Application Structure in Sampled Flow Measurements Myungjin Lee, Mohammad Hajjat, Ramana Rao Kompella, Sanjay Rao.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Similar presentations

Ads by Google