Transcript SMARTxAC

SMARTxAC: A Passive Monitoring and Analysis System for High-Speed Networks
TERENA Networking Conference 2006
Advanced Broadband Communications Center (CCABA), Universitat Politècnica de Catalunya (UPC)
Pere Barlet-Ros, Josep Solé-Pareta, Javier Barrantes, Eva Codina, Jordi Domingo-Pascual
{pbarlet, pareta, jbarranp, ecodina, jordid}@ac.upc.edu
http://www.ccaba.upc.edu/smartxac
Acknowledgment: This work has been partially supported by CESCA (SMARTxAC agreement) and the Spanish MEC (ref. TSI2005-07520-C03-02)
SMARTxAC

SMARTxAC: Traffic Monitoring and Analysis System for the Anella Científica
  – Operative since July 2003
  – Developed under a collaboration agreement CESCA-UPC
  – Tailor-made traffic monitoring system for the Anella Científica

Main objectives
  – Low-cost platform
  – Continuous monitoring of high-speed links without packet loss
  – Detection of network anomalies and irregular usage
  – Multi-user system: network operators and institutions

Measurement of two full-duplex GigE links
  – Connection between the Anella Científica and RedIRIS
  – Current load: ≈ 1.5 Gbps / ≈ 270 Kpps

[Figure: measurement point (2 x GigE full-duplex) between the Anella Científica and RedIRIS, with a daily network usage graph]
System Architecture

Monitoring high-speed links is challenging
  – Collection of Gbps and storage of Terabytes of data per day
  – Limitations of current technology: CPU power, memory access speeds, bus and disk bandwidth, storage capacity, etc.

Tailor-made system divided according to real-time constraints and running on different computers
  – Capture System (severe real-time constraints)
  – Traffic Analysis System (soft real-time constraints)
  – Result Visualization System (user driven)

Data reduction: early discard of unnecessary information
  – Improves performance
  – Reduces storage requirements
Measurement Scenario

[Figure: measurement scenario diagram. Nodes shown: Anella Científica (Cisco 6513), RedIRIS (Juniper M-20, RedIRIS Madrid, other regional nodes), GÉANT, global Internet, ESPANIX; links labelled 2 x 2 Gbps and 2 Gbps. The Capture System (DAG 4.3GE + GPS, interfaces dag0 and dag1) taps the Internet connection; the Traffic Analysis System (Linux) and the Result Visualization System are reached over a private network, with a separate management network.]
Capture System

Capture hardware
  – Intel Xeon 2.4 GHz + 1 GB RAM
  – 2 x Endace DAG 4.3GE
  – 4 x optical splitters
  – Precise timestamping using GPS (Trimble Acutime 2000)

Capture software
  – Multi-threaded implementation
  – Collection of packet headers without loss (no sampling)
  – 5-tuple flow aggregation
  – Aggregated flows are sent to the Analysis System

Data reduction
  – Header collection: ≈ 1:10 (90 GB/min → 9 GB/min)
  – Flow aggregation: ≈ 1:200 (45 GB/5 min → 200 MB/5 min)
  – Some data is kept to analyze anomalies (window of ≈ 20 GB)
Traffic Analysis System

Analysis hardware
  – Pentium IV 2.6 GHz + 1 GB RAM

Analysis software
  – Aggregation of 5-tuple flows into classified flows:
    <srcIP, dstIP, srcPort, dstPort, proto> → <origin, destination, application>
    – Origins: institutions (also network access points)
    – Destinations: external networks RedIRIS is connected to
    – Bidirectional aggregation
    – This classification can be useful for charging/cost-sharing

Data reduction
  – Classified flows: > 1:1000 (≈ 60 GB/day → ≈ 50 MB/day)
  – Compared with header traces: > 1:250000 (≈ 13 TB/day → ≈ 50 MB/day)
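The two aggregation stages described on the Capture System and Traffic Analysis System slides, as an added example in Python (not SMARTxAC's own code, which the slides do not show). The institution prefixes, the external-network table, the port-to-application map and the packet headers are all constructed for illustration; the only thing taken from the slides is the shape of the pipeline: headers → 5-tuple flows → bidirectional <origin, destination, application> records.

```python
"""Added example, not SMARTxAC's own code: the two aggregation stages the
Capture System and Traffic Analysis System slides describe, run over a
handful of constructed packet-header records.
  stage 1 (capture):  headers -> 5-tuple flows with packet/byte counters
  stage 2 (analysis): 5-tuple flows -> bidirectional classified flows
                      <origin, destination, application>
Institution prefixes, external networks, the port->application map and the
packets are all constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical origins (institution prefixes) and destinations (external
# networks RedIRIS is connected to); SMARTxAC's real tables are not on the page.
ORIGINS = {ip_network("10.1.0.0/16"): "UPC", ip_network("10.2.0.0/16"): "UB"}
DESTINATIONS = {ip_network("192.0.2.0/24"): "GEANT",
                ip_network("198.51.100.0/24"): "ESPANIX"}
APPLICATIONS = {80: "WWW", 443: "WWW", 25: "MAIL", 3306: "MYSQL"}


def lookup(addr, table, default):
    """First matching prefix wins; enough here because the prefixes are disjoint."""
    a = ip_address(addr)
    for net, name in table.items():
        if a in net:
            return name
    return default


def aggregate_5tuple(packets):
    """Capture-system stage: one (packets, bytes) counter per
    <srcIP, dstIP, srcPort, dstPort, proto>. Payload is never needed."""
    flows = defaultdict(lambda: [0, 0])
    for src, dst, sport, dport, proto, length in packets:
        counter = flows[(src, dst, sport, dport, proto)]
        counter[0] += 1
        counter[1] += length
    return {key: tuple(val) for key, val in flows.items()}


def classify(flows):
    """Analysis-system stage: fold both directions of a conversation into one
    <origin, destination, application> record with in/out counters.
    The application comes from the server-side port (dst port for outbound
    packets, src port for inbound ones)."""
    records = defaultdict(lambda: {"pkts_out": 0, "bytes_out": 0,
                                   "pkts_in": 0, "bytes_in": 0})
    for (src, dst, sport, dport, _proto), (pkts, nbytes) in flows.items():
        origin = lookup(src, ORIGINS, None)
        if origin is not None:                      # institution -> outside
            dest = lookup(dst, DESTINATIONS, "Internet")
            app = APPLICATIONS.get(dport) or APPLICATIONS.get(sport, "OTHER")
            rec = records[(origin, dest, app)]
            rec["pkts_out"] += pkts
            rec["bytes_out"] += nbytes
        else:                                       # outside -> institution
            origin = lookup(dst, ORIGINS, "UNKNOWN")
            dest = lookup(src, DESTINATIONS, "Internet")
            app = APPLICATIONS.get(sport) or APPLICATIONS.get(dport, "OTHER")
            rec = records[(origin, dest, app)]
            rec["pkts_in"] += pkts
            rec["bytes_in"] += nbytes
    return dict(records)


# Constructed packet headers: (src, dst, sport, dport, proto, length in bytes)
SAMPLE_PACKETS = [
    ("10.1.5.7", "192.0.2.10", 40001, 80, "tcp", 60),
    ("10.1.5.7", "192.0.2.10", 40001, 80, "tcp", 60),
    ("192.0.2.10", "10.1.5.7", 80, 40001, "tcp", 1500),   # reply direction
    ("10.2.3.4", "198.51.100.9", 40002, 25, "tcp", 200),
    ("10.1.5.7", "203.0.113.5", 40003, 3306, "tcp", 60),
]


def run_example(packets=SAMPLE_PACKETS):
    """Run both stages; returns (number of 5-tuple flows, classified records)."""
    flows = aggregate_5tuple(packets)
    return len(flows), classify(flows)


if __name__ == "__main__":
    n_flows, classified = run_example()
    print(f"{len(SAMPLE_PACKETS)} packets -> {n_flows} flows -> "
          f"{len(classified)} classified flows")
    for key, counters in sorted(classified.items()):
        print(key, counters)
```

The five constructed packets collapse to four 5-tuple flows and then to three classified records; the two directions of the web conversation end up in a single (UPC, GEANT, WWW) record, which is the bidirectional aggregation the slide refers to.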
Result Visualization System

Hardware
  – Pentium III 450 MHz

Software
  – Web-based graphical interface
  – Institutions only have access to their own statistics
  – Graphs are generated on demand

Available graphs
  – More than 300 combinations of graphs per institution and day
  – Statistics are updated every 5 minutes
  – Also weekly, monthly and yearly reports
Use case 1: Port Scanning

[Graph: traffic profile per application (bps)]

[Graph: traffic profile per application (flows/s)]

Destination port: MySQL (tcp/3306)

SRC IP        DST IP        SRC PORT  DST PORT
A.B.44.149    C.D.120.253   2153      3306
A.B.45.75     E.F.60.108    2526      3306
A.B.44.149    C.D.206.188   1907      3306
A.B.44.149    C.D.127.4     3694      3306
A.B.44.149    C.D.155.64    3525      3306
A.B.44.149    C.D.183.124   3353      3306
A.B.44.149    C.D.192.56    1891      3306
A.B.45.75     E.F.46.180    2672      3306
A.B.44.149    C.D.220.116   1719      3306
A.B.45.75     E.F.63.23     3212      3306
A.B.45.75     E.F.24.241    4415      3306
A.B.44.149    C.D.151.228   2667      3306
A.B.45.75     E.F.73.115    2201      3306
A.B.44.149    C.D.123.168   2833      3306
A.B.45.75     E.F.16.126    2239      3306
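What the table above shows is two sources fanning out to many different hosts on a single destination port. The following is an added Python example (not SMARTxAC code) of the detection logic that finds this in 5-tuple flow records: a horizontal scan (one source, one port, many hosts) and, for completeness, a vertical scan (one source, one host, many ports). The flow rows are copied from the slide's table with its anonymised A.B/C.D/E.F prefixes; the benign rows, the vertical-scan rows and the thresholds are constructed.

```python
"""Added example, not SMARTxAC's own code: scan detection over 5-tuple flow
records like the ones in the table above. Only packet headers are needed.
  horizontal scan: one source reaches many destinations on the same port
  vertical scan:   one source probes many ports on the same destination
TABLE_FLOWS is copied from the slide's table (anonymised prefixes kept);
BENIGN_FLOWS, VERTICAL_FLOWS and the thresholds are constructed."""
from collections import defaultdict

# (src, dst, sport, dport) rows from the slide's MySQL (tcp/3306) table
TABLE_FLOWS = [
    ("A.B.44.149", "C.D.120.253", 2153, 3306),
    ("A.B.45.75", "E.F.60.108", 2526, 3306),
    ("A.B.44.149", "C.D.206.188", 1907, 3306),
    ("A.B.44.149", "C.D.127.4", 3694, 3306),
    ("A.B.44.149", "C.D.155.64", 3525, 3306),
    ("A.B.44.149", "C.D.183.124", 3353, 3306),
    ("A.B.44.149", "C.D.192.56", 1891, 3306),
    ("A.B.45.75", "E.F.46.180", 2672, 3306),
    ("A.B.44.149", "C.D.220.116", 1719, 3306),
    ("A.B.45.75", "E.F.63.23", 3212, 3306),
    ("A.B.45.75", "E.F.24.241", 4415, 3306),
    ("A.B.44.149", "C.D.151.228", 2667, 3306),
    ("A.B.45.75", "E.F.73.115", 2201, 3306),
    ("A.B.44.149", "C.D.123.168", 2833, 3306),
    ("A.B.45.75", "E.F.16.126", 2239, 3306),
]
# Constructed: one client talking repeatedly to one web server (not a scan)
BENIGN_FLOWS = [("A.B.10.1", "C.D.1.1", 50000 + i, 80) for i in range(8)]
# Constructed: one host probing ports 20..31 on a single target (vertical scan)
VERTICAL_FLOWS = [("A.B.20.5", "C.D.9.9", 4000 + i, 20 + i) for i in range(12)]


def horizontal_scans(flows, min_targets=5):
    """Sources that contacted >= min_targets distinct hosts on one dst port.
    Returns {(src, dport): number of distinct destinations}."""
    targets = defaultdict(set)
    for src, dst, _sport, dport in flows:
        targets[(src, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def vertical_scans(flows, min_ports=5):
    """Sources that contacted >= min_ports distinct dst ports on one host.
    Returns {(src, dst): number of distinct ports}."""
    ports = defaultdict(set)
    for src, dst, _sport, dport in flows:
        ports[(src, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def run_example():
    """Evaluate both detectors over one batch of flows (one 5-minute interval)."""
    flows = TABLE_FLOWS + BENIGN_FLOWS + VERTICAL_FLOWS
    return horizontal_scans(flows), vertical_scans(flows)


if __name__ == "__main__":
    horizontal, vertical = run_example()
    for (src, dport), n in sorted(horizontal.items()):
        print(f"horizontal scan: {src} -> {n} hosts on port {dport}")
    for (src, dst), n in sorted(vertical.items()):
        print(f"vertical scan:   {src} -> {n} ports on {dst}")
```

Run over the slide's rows, the horizontal detector reports A.B.44.149 (9 hosts) and A.B.45.75 (6 hosts), both on port 3306, while the eight benign flows to one server never cross the threshold. In a system like SMARTxAC these counts would be taken per 5-minute interval from the flows the capture stage already produces, so no extra packet processing is needed.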
Use case 2: Warez Server

[Graph: traffic profile per application (bps)]

[Table: Top-10 (bytes)]

Use case 3: Denial-of-Service

[Graph: traffic profile per application (bps)]
Anomaly Detection

Threshold-based anomaly detection
  – An upper and a lower traffic threshold can be set per institution
  – Thresholds: bits/sec, packets/sec and flows/sec
  – Different intervals: day/night and workday/weekend
  – Once an anomaly is detected, additional information is kept
    – Additional information can be reviewed later offline

Profile-based anomaly detection (work in progress)
  – Time-series prediction (adaptive linear filter)
  – The "ordinary" traffic profile does not need to be known in advance
  – Anomalies are detected when actual traffic differs from its predicted value
  – Thresholds mitigate the limitations of adaptive prediction with long-term anomalies: the filter eventually learns a sustained anomaly as the new normal, while a fixed threshold keeps firing
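Both detectors, as an added Python example (not SMARTxAC code; the slide does not say which adaptive filter is used, so a normalised LMS predictor stands in for it). The per-interval thresholds, the filter parameters and the 5-minute bits/s series are constructed; the series contains a one-sample spike and a sustained step so that the complementary behaviour of the two detectors is visible.

```python
"""Added example, not SMARTxAC's own code: the two detectors described on
the Anomaly Detection slide, run over a constructed 5-minute bits/s series
for one institution.
  * threshold-based: upper and lower bounds per interval (day/night here;
    the slide also distinguishes workday/weekend)
  * profile-based: an adaptive linear filter (normalised LMS) predicts the
    next sample; a sample far from its prediction is an anomaly.
The fixed thresholds catch the long-term anomaly that the adaptive filter
learns to predict after a few samples. Thresholds, filter parameters and
the series are all constructed."""
import math

MBPS = 1_000_000
# Hypothetical per-institution thresholds (lower, upper) in bits/s.
THRESHOLDS = {"day": (10 * MBPS, 300 * MBPS), "night": (1 * MBPS, 150 * MBPS)}


def interval_of(t, start_hour=8):
    """Interval of 5-minute sample t; the series starts at start_hour and
    'day' is 08:00-20:00 (an assumption, not the slide's definition)."""
    hour = (start_hour + (5 * t) // 60) % 24
    return "day" if 8 <= hour < 20 else "night"


def threshold_detector(series):
    """Indices of samples outside the [lower, upper] bound of their interval."""
    alarms = []
    for t, x in enumerate(series):
        lower, upper = THRESHOLDS[interval_of(t)]
        if x < lower or x > upper:
            alarms.append(t)
    return alarms


class NLMSPredictor:
    """Normalised LMS filter predicting x[t] from the previous `order` samples."""

    def __init__(self, order=6, mu=0.5):
        self.w = [0.0] * order
        self.mu = mu
        self.hist = []            # most recent sample first

    def step(self, x):
        """Return (prediction, error) for x, then adapt the weights."""
        if len(self.hist) < len(self.w):      # still filling the window
            self.hist.insert(0, x)
            return x, 0.0
        pred = sum(w * h for w, h in zip(self.w, self.hist))
        err = x - pred
        norm = sum(h * h for h in self.hist) + 1e-9
        self.w = [w + self.mu * err * h / norm for w, h in zip(self.w, self.hist)]
        self.hist = [x] + self.hist[:-1]
        return pred, err


def profile_detector(series, warmup=30, k=3.0, floor=20 * MBPS, decay=0.9):
    """Indices where |prediction error| exceeds k times the running mean
    |error| and an absolute floor (the floor keeps small ripple quiet)."""
    predictor = NLMSPredictor()
    mean_abs_err = 0.0
    alarms = []
    for t, x in enumerate(series):
        _, err = predictor.step(x)
        if t >= warmup and abs(err) > max(k * mean_abs_err, floor):
            alarms.append(t)
        mean_abs_err = decay * mean_abs_err + (1 - decay) * abs(err)
    return alarms


def constructed_series(n=200):
    """~100 Mb/s with a small 2-hour ripple, a one-sample spike at t=120
    (a short flood) and a sustained step to 400 Mb/s from t=150 onwards."""
    series = []
    for t in range(n):
        x = 100 * MBPS + 5 * MBPS * math.sin(2 * math.pi * t / 24)
        if t == 120:
            x = 900 * MBPS
        if t >= 150:
            x = 400 * MBPS
        series.append(x)
    return series


if __name__ == "__main__":
    s = constructed_series()
    print("threshold alarms:", threshold_detector(s))
    print("profile alarms:  ", profile_detector(s))
```

The profile detector needs no prior knowledge of the institution's normal level: it raises an alarm on the spike at t=120 and on the onset of the step at t=150, then goes quiet within a few samples once the filter has adapted to 400 Mb/s. The threshold detector fires for the whole step, which is exactly the long-term case the slide says thresholds are kept for.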
Identification of Network Applications

Traffic classification in SMARTxAC is based on port numbers
  – Port-based classification is no longer reliable
  – P2P, dynamic ports, tunnelling, web-based services, …

We are developing a classification method based on machine learning techniques
  – It learns features of traffic flows that identify a given application
  – Packet payloads are only needed in the training phase
  – Once the system is trained, only packet headers are needed
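The workflow the slide describes, as an added Python example (not SMARTxAC's classifier; the slide does not say which learning method is used, so a nearest-centroid classifier on standardised flow features stands in for it). Flows are labelled once from payload inspection at training time; afterwards only header-derived features (mean packet size, duration, packet count, download/upload byte ratio) are used, which is why a P2P flow running on port 80 is still recognised. All flows and feature values are constructed.

```python
"""Added example, not SMARTxAC's own classifier: payload-labelled training,
header-only classification. A nearest-centroid classifier on z-scored
features stands in for the page's unspecified machine-learning method.
All flows, features and the port map are constructed."""
import math

PORT_MAP = {80: "WWW", 443: "WWW", 25: "MAIL", 110: "MAIL"}
FEATURES = ("mean_pkt_size", "duration_s", "packets", "down_up_ratio")


def port_classifier(flow):
    """SMARTxAC's current approach: the server port names the application."""
    return PORT_MAP.get(flow["dport"], "OTHER")


# Constructed training set: (label obtained from payload inspection, header features)
TRAINING = [
    ("WWW", (600, 2, 20, 8.0)), ("WWW", (700, 3, 30, 10.0)), ("WWW", (500, 1, 10, 6.0)),
    ("P2P", (1200, 600, 5000, 1.2)), ("P2P", (1100, 900, 8000, 0.9)), ("P2P", (1300, 300, 3000, 1.0)),
    ("MAIL", (400, 10, 50, 0.3)), ("MAIL", (350, 15, 80, 0.2)), ("MAIL", (450, 8, 40, 0.4)),
]


def train(samples):
    """Standardise each feature (z-score) and compute one centroid per label."""
    n = len(samples)
    dims = len(FEATURES)
    means = [sum(f[i] for _, f in samples) / n for i in range(dims)]
    stds = [math.sqrt(sum((f[i] - means[i]) ** 2 for _, f in samples) / n) or 1.0
            for i in range(dims)]

    def z(f):
        return [(f[i] - means[i]) / stds[i] for i in range(dims)]

    by_label = {}
    for label, f in samples:
        by_label.setdefault(label, []).append(z(f))
    centroids = {label: [sum(col) / len(vecs) for col in zip(*vecs)]
                 for label, vecs in by_label.items()}
    return {"means": means, "stds": stds, "centroids": centroids}


def ml_classifier(model, flow):
    """Header-only classification: nearest centroid in standardised space.
    The port number is deliberately not a feature."""
    z = [(flow["features"][i] - model["means"][i]) / model["stds"][i]
         for i in range(len(FEATURES))]
    return min(model["centroids"],
               key=lambda label: math.dist(z, model["centroids"][label]))


# Constructed flows seen after training (headers only, no payload available):
P2P_ON_80 = {"dport": 80, "features": (1150, 700, 6000, 1.1)}   # P2P hiding on 80
PLAIN_WEB = {"dport": 80, "features": (650, 2, 25, 9.0)}


def run_example():
    """Return {flow name: (port-based label, ML label)} for the two test flows."""
    model = train(TRAINING)
    return {name: (port_classifier(f), ml_classifier(model, f))
            for name, f in (("p2p_on_80", P2P_ON_80), ("plain_web", PLAIN_WEB))}


if __name__ == "__main__":
    for name, (by_port, by_ml) in run_example().items():
        print(f"{name}: port-based={by_port}, machine-learning={by_ml}")
```

The port-based classifier labels both test flows WWW because both use port 80; the feature-based one separates the long, high-volume, symmetric P2P flow from the short, download-heavy web flow. Per-feature standardisation matters here: without it the packet count would dominate the distance and the ratio feature would be ignored.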
Preliminary Results (Accuracy)

[Bar chart: precision (%) per application group, port-based vs. machine learning. Application groups on the x-axis (labels recovered from the chart, originally in Catalan): TOTAL, WWW, UNIX, TELNET, P2P, OTHERS, NEWS, NETWORK, NETFS, MULTIMEDIA, MAIL, IRC, GAMES, FTP, DNS. Bar values shown: 99.62, 97.86, 100.00, 95.43, 95.20, 98.40, 97.22, 96.87, 92.98, 90.32, 99.88, 96.20, 90.14, 84.56, 80.73 and 97.14; the mapping of values to groups and to the two series is not recoverable from the extracted text.]
Conclusions

SMARTxAC is a tailor-made network monitoring system that
  – Operates at gigabit speeds without packet loss
  – Is relatively low-cost
  – Provides very detailed information about network usage
  – Is a multi-user system: network operators and institutions

Since 2003, SMARTxAC has been used daily by CESCA to detect anomalies, attacks, performance problems, network faults, etc.

Future work
  – Anomaly detection and application identification
  – Sampling, IPv6 support, …
  – Deployment of more measurement points in the Anella Científica
  – Release of the source code under an open-source license
  – Collaboration with Intel's CoMo: http://como.intel-research.net