Transcript View/Open
Traffic Analysis of Campus Network for
Classification of Broadcast Data
47th Annual National Convention of Computer Society of India
Presented By:
Raman Singh
[email protected]
University Institute of Engineering and Technology
Panjab University, Chandigarh
Panjab University Campus
Courtesy: Google Maps
Experiment Setup
Sub-network used for Capturing network traffic of three
boys hostels of Panjab University-Campus Area Network
(PU-CAN)
Short PU-CAN Profile
Managed
campus network of Panjab University.
Uses
proxy server, firewall and all other precautions
against security threats.
Proxy Server: Squid Server
Firewall: FireBox Hardware Firewall
Router Make: Cisco
Switches Make: D-Link
Access Points Make: Senao, Belkin, D-Link,TP-Link
Server Specifications
HP Proliant ML Server ( Xeon Processor, 8 GB RAM,
250 GB Hard Disk)
Operating System : Fedora 14
Data Capturing Tool :
◦ Tcpdump (www.tcpdump.org)
◦ Wireshark (www.wireshark.org)
Microsoft Office Excel 7.0
Duration of Pilot Study : 22 days
Methodology
• Network Traffic Capture
tcpdump
• Conversion - pcap to csv
Wireshark
Microsoft
Office - Excel
• Manually Classification
Methodology
Broadcast data used for investigation
Computers use broadcast for knowing name and IPs of
other computers,ARP, DHCP, DNS etc.
Unnecessary broadcast creates network congestion and
degrades bandwidth availability
Methodology
After manual investigation of captured data, four classes
are classified:
Total Broadcast Data
Genuine Broadcast
Identified Malicious Broadcast
Unidentified Suspected Broadcast
Result Discussion
Result Discussion
Three Networks are discovered:
Result Discussion
Results Discussion
Networks identified after study are:
1.
Official 172.16.40.0/22 network (33.91%)
1.
Network of miss-configured IPs 169.254.0.0 (3.84%)
2.
Unauthorized network of series 192.168.11.0(8.90%)
3.
Un-resolved IPs (53.33%)
Results Discussion
Need to minimize the remaining 66% (approx)
suspected malicious data. For this purpose intelligent
infrastructure may provide help to design the models.
Two unauthorized network found which operates on
official infrastructure, So Network traffic profiling is
required to discover these types of unauthorized
profiles.
Some hosts also broadcasts with both IP addresses of
IPv4 and IPv6, However official network supports only
IPv4. We can say that normality of a network is matter
of discussion.
Conclusion and Countermeasures
Malicious activities discussed are common but these
goes un-noticed which makes it a serious issue.
Most of firewalls and Intrusion Detection Systems
consider these patterns normal due to which a lot of
bandwidth goes for un-productive traffic.
Various countermeasures suggested by researchers but
main problem is to detect these patterns.
Machine learning algorithms are required to be
developed with relevance feedback from network
administrator to find out exact threat for that particular
network.
Conclusion and Countermeasures
Normality is matter of discussion.
Interactive security countermeasures are required.
Intelligent network infrastructure needs to be
developed with integration of artificial intelligence and
machine learning.
References
Abdun Naser Mahmood, Christopher Leckie and Parampalli Udaya, "An Efficient Clustering Scheme to Exploit
Hierarchical Data in Network Traffic Analysis", IEEE Transactions On Knowledge and Data Engineering,Vol. 20,
No. 6,June 2008, pp 752-767.
Liu Yingqiu, Li Wei and Li Yunchun,"Network Traffic Classification Using K-means Clustering", Second
International Multisymposium on Computer and Computational Sciences, Iowa City, IA, 13-15 Aug. 2007, pp 360
- 365.
Kuai Xu, Zhi-Li Zhang, and Supratik Bhattacharyya, "Internet Traffic Behavior Profiling for Network Security
Monitoring", IEEE/ACM Transactions On Networking, Vol. 16, No. 6, December 2008, pp 1241-1252.
Daniele Apiletti, Elena Baralis, Tania Cerquitelli and Vincenzo D’Elia, "Characterizing network traffic by means of
the NETMINE framework", Elsevier's Journal of Computer Networks, Volume 53, Issue 6, 23 April 2009, pp 774789.
Hamid Farvaresh and Mohammad Mehdi Sepehri, "A data mining framework for detecting subscription fraud in
telecommunication", Elsevier's Journal of Engineering Applications of Artificial Intelligence,Volume 24, Issue 1,
February 2011, pp 182-194.
Xin Li and Zhi-Hong Deng, "Mining frequent patterns from network flows for monitoring network", Elsevier's
Journal of Expert Systems with Applications, Volume 37, Issue 12, December 2010, pp 8850-8860.
P. Ravisankar,V. Ravi, G. Raghava Rao and I. Bose, "Detection of financial statement fraud and feature selection
using data mining techniques", Elsevier's Journal of Decision Support Systems, Volume 50, Issue 2, January 2011,
pp 491-500.
Ming-Yang Su, "Using clustering to improve the KNN-based classifiers for online anomaly network traffic
identification", Journal of Network and Computer Applications, Volume 34, Issue 2, March 2011, pp 722-730.
Jeffrey Ermana, Anirban Mahantib, Martin Arlitta,c, Ira Cohenc and Carey Williamsona, "Offline/realtime traffic
classification using semi-supervised learning", Elsevier's Journal of Performance Evaluation, Volume 64, Issues 9-12,
October 2007, pp 1194-1213.
References
Francesco Palmieri and Ugo Fiore, "A nonlinear, recurrence-based approach to traffic classification", Elsevier's
Journal of Computer Networks, Volume 53, Issue 6, 23 April 2009, pp 761-773.
Li-Yen Chang and Hsiu-Wen Wang, "Analysis of traffic injury severity: An application of non-parametric
classification tree techniques", Elsevier's Journal of Accident Analysis And Prevention,Volume 38, Issue 5,
September 2006, pp 1019-1027.
Jose Luis Garcia-Dorado, Jose Alberto Hernandez, Javier Aracil, Jorge E. Lopez de Vergara and Sergio LopezBuedo, "Characterization of the busy-hour traffic of IP networks based on their intrinsic features", Elsevier's
Journal of Computer Networks, Volume 55, Issue 9, 23 June 2011, pp 2111-2125.
Tao Qin , Xiaohong Guan, Wei Li Pinghui Wang and Qiuzhen Huang, "Monitoring abnormal network traffic
based on blind source separation approach", Elsevier's Journal of Network and Computer Applications, Volume
34, Issue 5, September 2011, pp 1732-1742.
W. Tavernier, D. Papadimitriou, D. Colle, M. Pickavet and P. Demeester, "Packet loss reduction during rerouting
using network traffic analysis", Springer's Journal of Telecommunication Systems, Online First™, 23 August
2011,No.of pages 19.
Fedora 14, "http://www.cyberciti.biz/tips/fedora-14-download-cd-dvd-iso.html", last seen on 1 July, 2012.
Tcpdump, "http://www.tcpdump.org/\#latest-release", last seen on 4 July, 2012.
Wireshark, "http://www.wireshark.org/download.html", last seen on 4 July, 2012.
Won Kim n, Ok-RanJeong, Chulyun Kim and Jungmin So, “The dark side of the Internet : Attacks, costs and
responses”, Elsevier’s Journal of Information Systems, Volume 36, Issue 3, May 2011, pp 675-705
THANK YOU