Disambiguation of Residential Wired and Wireless Access in a
Download
Report
Transcript Disambiguation of Residential Wired and Wireless Access in a
Forensic and Management
Challenges in Wireless and
Mobile Network Environments
Thesis defense presented by
Sookhyun Yang
Advisor: Jim Kurose
UNIVERSITY
UNIVERSITY
OF MASSACHUSETTS
OF MASSACHUSETTS
, AMHERST
, AMHERST
• College
• Department
of Information
of Computer
and Computer
Science
Sciences
Outline
Introduction
Mobility Management
Chapter 3. Measurement and Modeling Study of User
Transitioning among Networks
Chapter 4. Group Mobility Indirection
What have been added, since proposal
Conclusions
2
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
Mobility is the key driver of networking
Historic shift from PC’s to mobile/embedded devices
~1B server/PC’s
~1B smartphones
INTERNET
(2011)
~2B server/PC’s
~1B Internet
-connected PC’s
~5B cell phones
~10B mobiles
INTERNET
(2020)
[1] Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2014–2019
[2] Pew Research Center, The Internet of Things Will Thrive by 2025, 2014
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
3
Wireless and mobile forensics
Chapter 1. Identifying a malicious node during data forwarding
in a wireless ad hoc network.
witness
witness
data
data
data
ack
ack
ack
witness
witness
witness
data
ack
Broadcast nature of
wireless
communication
Our witness-based detection identifies a malicious node or exposes
the existence of an attack under various threat scenarios.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
4
Wireless and mobile forensics
Chapter 2. Remotely and legally locating a network misuser inside a
building, from the perspective of law enforcement.
Someone
used my
open Wi-Fi!
Wired
access?
Openness of
an AP
Illegal content
distributor
Law
enforcement
Wireless
router
We develop techniques to determine (remotely, consistent with
US wiretap law) whether a home Internet access user is via
wired or wireless access; extensive validation
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
5
Mobility management
Chapter 3. Measurement and modeling study of user
transitioning among networks.
Name/location resolution
(e.g., home agent, GNS)
Location-tracking
traffic
Bob→ Verizon
Bob→ UMass
Bob→ Comcast &
UMass
⁞
Bob
Multi-homed or multipledevice carrying
Mobility among access
networks
Our quantitative study gives insights and implications on
location-independent architectures.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
6
Mobility management
Chapter 4. Efficiently handle group mobility
A large burst of
location-tracking
traffic
simultaneously
Name/location
resolution
Group mobility
We introduce the notion of group mobility indirection and quantify
its reduction in location-tracking (signaling) traffic
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
7
Outline
Introduction
Mobility Management
Chapter 3. Measurement and Modeling Study of User
Transitioning among Networks
Chapter 4. Group Mobility Indirection
What have been added, since proposal
Conclusions
8
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
Physical mobility among access points
to
Internet
VLR
Mobile
Switching
Center
mobile
user
visited
network
Cellular network mobility (e.g., [5])
Wi-Fi network mobility (e.g., [6])
Device mobility within the same type of a network
[5] U. Paul et al, Understanding traffic dynamics in cellular data networks, INFOCOM 2011
[6] M. Kim et al, Extracting a mobility model from real user traces, INFOCOM 2006
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
9
Mobility in, and among, among networks
Virtual mobility among access networks
Move among edge and provider networks
Persistently keep his/her ID (name) across networks
Cable network
Enterprise network
via VPN
Cellular network
For instance, a stationary user with multi-homing,
multiple devices
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
10
Our contributions in Chapter 3
Quantitative understanding of virtual mobility
Sequence of associated networks
Network residence time
Degree of multi-homing
Network transition rate
Gives insights and implications on locationindependent architectures
Mobile IP, MobilityFirst [3], XIA [4]
[3] A. Venkataramani, J. Kurose, D. Raychaudhuri, K. Nagaraja, M. Mao, and S. Banerjee. Mobilityfirst: A mobilitycentric and trustworthy internet architecture. ACM CCR, 2014
[4] D. Han et al. XIA: Efficient support for evolvable internetworking. USENIX NSDI, 2012
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
11
How to get traces of virtual mobility?
Question: What is the most feasible way to capture
such user’s virtual mobility?
Large population of users!
Difficult to install SW on all their devices!
Far too many servers and
application servers to be
monitored!
Mail server access logs might be an ideal choice.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
12
CS-only users
IMAP servers for UMass
School of CS
81 users, one year
405 IP prefixes, 387 ASes
UMass-wide users
Servers for all UMass
students (primarily),
faculty, and staff
7,137 users, 4 months
9,016 IP prefixes, 1,777
ASes
Fraction of Sign-in logs
IMAP mail access logs
ASes in decreasing order of the
fraction of Sign-in logs
(e.g., Comcast cable, Verizon, Five colleges
network incl. UMass, AT&T Wireless, Sprint
Wireless)
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
13
How to reconstruct a user’s session?
Given a series of IMAP logs,
Time window
At least one log for a time window indicates that a
user is connected for the entire time window
Alice made Verizon connections
Alice made Comcast connections
t1
∆t
t2
∆t
t3
∆t
t4
∆t
t5
∆t
t6 time
Alice has been connected to Comcast from t1 to t3.
Alice has been connected to Verizon from t2 to t3
contemporaneously .
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
14
Appropriate size of a time window?
Time window dilemma in session identification [7]
# of sessions as a function of time window sizes
Number of sessions
(X106)
Small window overestimates
Large window underestimates
Knee (elbow) at 15mins!
[7] J. Padhye and J. F. Kurose. Continuous-media courseware server: A study of client
interactions.
IEEE Internet
Computing,, A
1999
UNIVERSITY
OF MASSACHUSETTS
MHERST • Department of Computer Science
15
Mobility among networks
How frequently does a user switch a network in 15mins?
40%
70%
UMass-wide users
CS users
Daily number of a user’s mobility
among ASes
Approx. 70% of CS users (or 40% of UMass-wide users)
moves among networks at least once a day.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
16
Network residence time (over all users)
Comcast cable
Verizon online
Charter communications
Hughes network
Sprint Wireless
Five colleges
(incl. UMass)
WORK
MOBILE
Verizon Wireless
WORK
HOUSE
AT&T Wireless
MOBILE
MISC
MISC
HOUSE
80-to-90% from three categories only with “8” ASes
out of 400
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
17
An individual user’s network residence time?
75% of users spent more than 90% of their time
in their top three networks.
Fraction of a user’s
top three networks (ASes) residence time (%)
Overall, users spent more than 60% of their time in their top
three networks.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
18
Contemporaneous connections
In the traces, a series of IMAP logs produced
from “multiple” networks in 15mins implies
“contemporaneous connectivity”
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
19
User’s contemporaneous connections
UMass-wide users
UMass-wide
users
Contemporaneous users
CS users
80% of CS users
50% of UMass-wide users
Fraction of a user’s contemporaneous time to
connection time (%)
Most contemporaneous users spent up to 20% of their
connection time in multiple networks.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
20
User virtual mobility model
Predicts signaling overhead to the name and
location translation service
e.g., a home agent, GNS in MobilityFirst
Characterizes the transition rate at which a user
moves among networks
User model via a discrete-time Markov-chain
: # of networks newly attached at time t, w.r.t. time t-1
User’s mobility among networks
: # of networks connected at t
Signaling
overhead
at time t
Attachment
signaling
Detachment signaling
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
21
(Xt, Yt)-series data properties
Model estimation
(phase 1)
Model validation
(phase 2)
Time series plot
Investigate stationary, memoryless properties
KPSS test: data stationarity
Autocorrelation function (ACF): daily/weekly periodicity
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
22
CS users signaling overhead
How well does the model predict signaling overhead?
model (phase 1)
observed (phase 2)
Q-Q plot
Signaling overhead
over all users
Visually a good fit
Statistically a good fit
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
23
Conclusions
We performed a measurement study of user virtual
mobility and discussed insights and implications from the
measurements.
Users spend most of their time in a few networks.
Large number of users are contemporaneously connected to
more than one networks.
We show the predictability of overall signaling overhead using an
individual user model.
More generally, we believe that this chapter is an
important step in deepening the understanding of
managing virtual mobility at global scale.
This work appeared in IEEE INFOCOM 2015.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
24
Outline
Introduction
Mobility Management
Chapter 3. Measurement and Modeling Study of User
Transitioning among Networks
Chapter 4. Group Mobility Indirection
What have been added, since proposal
Conclusions
25
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
Group mobility as opportunities
Group mobility
A group of users whose mobility among
networks may be correlated
Name/location
resolution
(e.g., GNS in
MobilityFirst,
Home agent in
Mobile IP)
I’m at UMass
I’m at UMass
I’m at UMass
I’m at UMass
I’m at UMass
I’m at UMass
Transportation
32
Social relation
Public crowd
Question: How can we efficiently handle such group mobility?
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
26
Group mobility indirection
A single group ID references
a group of users, keeping
such group’s location
That group ID’s
location is
Umass!
Name/location
resolution
(GNS)
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
27
Split challenge
What if users associated with a group ID are split from
the group location?
But I want to
reach Bob only
sender
GNS
That group is at
both Comcast
and UMass.
Bob
Users associated with a group ID
Thus, keep one network as the group location
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
28
Our contributions in Chapter 4
Design a group-mobility indirection
architecture
Propose several algorithms which determine
one network associated with a group location
Evaluate the reduction in location-tracking
traffic using synthetic traces and empirical
traces
29
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
29
Brief overview of our design
The GNS as a centralized controller!
1) Group membership
establishment
GNS
You’re
a group location
Individually
tracked
Gateway
router
2) Group location
determination
(using algorithms)
3) Location-tracking
traffic saving
Users
Bob
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
30
Algorithms (at the GNS)
Determine one network associated with a group ID
Time is evenly slotted with consecutive time windows.
Event-based algorithm
Periodicity-based algorithm
Each time window, elects a
leader among a group of
users
Reactively updates a
group’s location as that
leader’s new location
First-leader
Random-leader
Majority-leader
Historic network association
data
Exploits the periodicity in a
sequence of network
association
Each time window,
proactively updates a
group’s location as predicted
location according to a
periodic sequence
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
31
Examples of algorithms
User #1 connects to network A
Other users connect to network B
1
2
3
4
t
5
3
2
4
t+1
5
time
1) First-leader associates A as a group location for
time window t.
2) Random-leader associates B as a group
location for time window t.
3) Majority-leader associates
A as a group location for time
window t+1.
4) Given periodic sequence (B, A), periodicity-based algorithm
associates
for t• and
A for
t+1 Science
UNIVERSITY OF M
ASSACHUSETTS, AB
MHERST
Department
of Computer
32
Evaluation methodology
Event-based algorithm
No periodicity in
a sequence of
network associations
• Synthetic traces via group
mobility model
• Single group
Periodicity-based
algorithm
Periodicity in
a sequence of
vs.
network associations
• Empirical traces of
around 4000 users
• Multiple groups
Amount of location-tracking signaling w/ group,
normalized to that w/o group
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
33
Synthetic group mobility model
Each time window, each of n users associated with one
group is defined as two-state Markov chain
The users in this state are
located in the same network
𝐸[𝛽𝑖 ]
Group
=
coherence 𝐸[𝛼𝑖 ] + 𝐸[𝛽𝑖 ]
No-periodicity. A user equally likely moves to one of m networks
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
34
No periodicity: location-tracking signaling
For each of group coherences 0.1 ( ), 0.5 ( ), 0.9 ( ),
100 sets of traces by 1000 users moving among 20 networks
As the growth of group
coherence, more
reduction in signaling
35
Majority leader works best
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
35
Empirical traces
UMass-wide traces for Spring semester 9 weeks
3660 users associated with 1152 ASes
Approx. 96% of users spent most of their times in one or two ASes
Multiple groups
24hours or multiples of
24hours as periods
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
36
Clustering: Group membership identification
User’s one-week periodic
network sequence
EM clustering, K-means
clustering
Five clusters (Five group IDs)
User’s one most
frequently associated
network
Manual clustering
161 clusters (161 group
IDs)
Networks in oneweek periodic
network sequence
Weekdays 9am-to-6pm
(AS1249--UMass)
the rest of times
(AS7015—Comcast)
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
37
Periodicity: location-tracking signaling
As the number of
groups increases,
more reduction in
signaling
Event-based
algorithm
Periodicity-based
algorithm works best
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
38
Conclusions
We introduced the notion of group mobility
indirection and suggested algorithms to determine
one network associated with a group location.
An event-based algorithm reduces location-tracking traffic,
as long as a group of users move together frequently
enough.
A periodicity-based algorithm works best, for the case that
the sequence of networks associated with a group of users
has periodicity.
We also showed the gain in reducing the locationtracking traffic as the number of groups increases.
39
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
39
Outline
Introduction
Mobility Management
Chapter 3. Measurement and Modeling Study of User
Transitioning among Networks
Chapter 4. Group Mobility Indirection
What have been added, since proposal
Conclusions
40
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
What have been added, since proposal
Chapter 1 contains a collusion attack scenario and its
analysis.
Chapter 2 contains an analytic model which explains
why/how our classifier works, and also has additional
classification results under p2p application rate control and
under 10Mbps wireless channel contention.
Chapter 3 contains measurement and modeling results of a
large population of approximately 7200 users.
Chapter 4 is completely new.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
41
Future work
Chapter 1. Detecting forwarding misbehavior
in a wireless ad hoc network
What happens in mobility scenarios?
Chapter 2. Disambiguating wired and wireless
access in a forensic setting
What about distinguishing wireless outside versus
wireless inside?
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
42
Future work
Chapter 3. Modeling and measurement of user
transitioning among edge and provider
networks
What about the impact of user transitioning among
access networks on the data-plane (e.g., session
continuity)?
Chapter 4. Group mobility indirection:
approach and analysis
What about the gain of latency reduction between the
GNS and a user, among GNSes?
What about the impact of the level of network granularity
(e.g., AP, BS) on performance?
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
43
Thank You!
Questions or comments
welcome!
UNIVERSITY
UNIVERSITY
OF MASSACHUSETTS
OF MASSACHUSETTS
, AMHERST
, AMHERST
• College
• Department
of Information
of Computer
and Computer
Science
Sciences
Can we log virtual mobility via mail server?
User frequently accesses his/her mailboxes
mail periodically pushed (e.g., every 5mins) to user
Same user ID is used across multiple networks
and sessions.
Mail server logs allow us to identify the network
address where a user is resident.
IMAP mail access server logs
Contain sign-in logs with user ID, IP address, and
timestamp
Informal lower-bound of the actual amount of
network-transitioning performed.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
45
UMass-wide signaling overhead
Heavy user cluster of
721users
EM
clustering
Signaling overhead
No fit!
But a mixture of Gaussian
distributions.
Signaling overhead
Visually a better fit
These results suggest proper clustering can improve the
model’s signaling overhead predictability.
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
46
What is the best number of clusters?
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
47
Similarity of network locations between days
of the week
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
48
All 161 clusters?
Seven clusters having more than 100 users show
similar reduction to K-means five clusters
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
49
Prior work: hierarchy techniques
Hierarchy. Define a static and rigid subnet associated with
wireless users
to
Internet
Mobility group
Mobile
gateway
router
Network mobility
(e.g., [8])
(e.g., [9])
[8] V. Devarapalli et al. Network mobility basic support protocol. RFC 3963, January 2005
[9] Cisco wireless lan controller configuration guide, release 7.0
UNIVERSITY OF MASSACHUSETTS, AMHERST • Department of Computer Science
50