Heuristics to Classify Internet Backbone Traffic based on Connection Patterns

1
Heuristics to Classify Internet Backbone Traffic
based on Connection Patterns
  • Wolfgang John and Sven Tafvelin
    Dept. of Computer Science and Engineering
    Chalmers University of Technology
    Göteborg, Sweden

2
Introduction: Measurement location
  • 2x 10 Gbit/s (OC-192)
  • capturing headers only
  • IP addresses anonymized
  • tightly synchronized
  • bidirectional per-flow analysis
[Diagram labels: Internet; Stockholm; Göteborg: Student-Net, Regional ISPs, Göteborgs Univ., Chalmers Univ., other smaller Univ. and Institutes]
3
Introduction: Motivation
  • Problem: operators don't know the type of their
    traffic
  • How to
    • Improve network design and provisioning?
    • Support QoS or security monitoring?
    • Enhance accounting possibilities?
    • Reveal trends and changes in network
      applications?

4
Introduction: Classification
  • Solution: traffic classification
  • Four basic approaches
    • Port numbers: easy to implement, but unreliable
      (P2P, malicious traffic)
    • Packet payloads: accurate, but requires updated
      payload signatures, raises privacy and legal
      issues, has high processing requirements, and
      does not work on encrypted traffic (P2P)

5
Introduction: Classification (2)
  • Solution: traffic classification (contd.)
    • Statistical fingerprinting: no detailed packet
      information needed, but depends on the quality of
      the training data; promising, but still immature
    • Connection patterns: no payload required, no
      training data required, but not perfect accuracy

6
Methodology: Traffic classification
  • Two articles classify P2P flows according to
    connection patterns
    • Karagiannis et al., 2004
    • Perenyi et al., 2006
  • Updated classification heuristics
    • Refined the heuristics in prior articles
    • Added new, necessary heuristics

7
Methodology: Proposed heuristics
  • Rules based on connection patterns and port
    numbers
    • 5 rules for P2P traffic (H1-H5)
    • 10 rules to classify other traffic types (F1-F10)
      and remove false positives from P2P
  • Rules are applied
    • on flows in 10 minute intervals
    • independently on all flows, and
    • prioritized when fetched from the database

8
Methodology: Proposed heuristics (2)
  • Heuristics for potential P2P traffic (H1-H5)
  • All traffic to and from potential P2P hosts is
    marked as P2P traffic
    • H1: TCP and UDP traffic between an IP pair
    • H2: well-known P2P ports
    • H3: re-use of a source port within a short time
    • H4: non-parallel connections to an endpoint
      (IP/port)
    • H5: unclassified, long flows
      • unclassified by H1-H4 and F1-F9
      • more than 1 MB in one direction, or
      • duration of more than 10 minutes

9
Methodology: Proposed heuristics (3)
  • Heuristics for other traffic (F1-F10)
    • F1 and F2: web servers
      • parallel connections to web ports
      • all traffic to and from a web server is web
        traffic
    • F3: common services (DNS, BGP)
      • equal source and destination port, and
        port < 501
    • F4: mail servers
      • hosts receiving traffic on mail ports (smtp,
        imap, pop) while sending traffic via smtp
      • all traffic to and from mail servers is
        mail traffic

10
Methodology: Proposed heuristics (4)
  • Heuristics for other traffic (F1-F10)
    • F5 and F6: messenger and gaming
      • hosts connected to by a number of different IPs
        on well-known messenger, chat or gaming ports
        within a period of 10 days
      • all traffic to and from these hosts is messenger
        or gaming traffic
    • F7: FTP
      • active FTP with initiating port number 20
    • F8: non-P2P ports
      • some well-known, privileged port numbers
        typically not used by P2P, like dns, telnet, ssh,
        ftp, mail, rtp, bgp

11
Methodology: Proposed heuristics (5)
  • Heuristics for other traffic (F1-F10)
    • F9: malicious and attack traffic
      • scans (one source probing through port ranges)
      • sweeps (one source probing through IP ranges)
      • DoS attacks (hammering attacks from one source
        to few hosts at high frequency)
    • F10: unclassified, known non-P2P port
      • unclassified by H1-H4 and F1-F9 (no connection
        pattern)
      • well-known ports including web, messenger and
        gaming
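The two-pass rule set of slides 7 to 11, as an added worked example that is not code from the presentation or from the authors: a toy classifier over constructed flow records. The flow record, the port tables, the thresholds SCAN_THRESHOLD and MIN_CLIENTS, and the order in which rules are prioritized are all assumptions made here (the slides only say that rules run independently and are prioritized on retrieval). H3 (source-port re-use) and H4 (non-parallel connections) need per-interval timing and endpoint statistics and are left out; F1/F2 are collapsed into one parallel-connection test, and the DoS part of F9 is not modelled.

```python
"""Toy rule-based flow classifier in the spirit of the H1-H5 / F1-F10 heuristics.
Added example, not the authors' code: the flow record, port tables, thresholds and
rule priority are assumptions; all flows are taken to lie in one 10-minute interval."""
from collections import Counter, defaultdict, namedtuple

# nbytes = bytes in the larger direction, seconds = flow duration
Flow = namedtuple("Flow", "src sport dst dport proto nbytes seconds", defaults=(0, 0.0))

# Assumed port tables (illustrative, not the paper's lists).
P2P_PORTS = {1214, 4662, 4672, 6346, 6881}
WEB_PORTS = {80, 443, 8080}
MAIL_PORTS = {25, 110, 143, 993, 995}
MSG_GAME_PORTS = {1863, 5190, 6667, 27015}
NON_P2P_PORTS = {21, 22, 23, 53, 179} | MAIL_PORTS   # F8
SCAN_THRESHOLD = 10   # assumed: distinct ports (scan) or hosts (sweep) from one source
MIN_CLIENTS = 3       # assumed: distinct clients before a host counts as a server


def build_marks(flows):
    """Pass 1: host- and pair-level marks derived from connection patterns."""
    pair_protos = defaultdict(set)    # H1: {src,dst} -> protocols seen
    web_conns = defaultdict(set)      # F1/F2: (dst,dport) -> {(src,sport)}
    web_srcs = defaultdict(set)       # F1/F2: (dst,dport) -> {src}
    mail_in, mail_out = set(), set()  # F4: receives on mail ports / sends to smtp
    msg_srcs = defaultdict(set)       # F5/F6: dst -> {src} on messenger/gaming ports
    scan = defaultdict(set)           # F9: (src,dst) -> {dport}
    sweep = defaultdict(set)          # F9: (src,dport) -> {dst}
    p2p_hosts = set()                 # H2: endpoints using well-known P2P ports
    for f in flows:
        pair_protos[frozenset((f.src, f.dst))].add(f.proto)
        if f.dport in WEB_PORTS:
            web_conns[(f.dst, f.dport)].add((f.src, f.sport))
            web_srcs[(f.dst, f.dport)].add(f.src)
        if f.dport in MAIL_PORTS: mail_in.add(f.dst)
        if f.dport == 25: mail_out.add(f.src)
        if f.dport in MSG_GAME_PORTS: msg_srcs[f.dst].add(f.src)
        if f.sport in P2P_PORTS or f.dport in P2P_PORTS: p2p_hosts |= {f.src, f.dst}
        scan[(f.src, f.dst)].add(f.dport)
        sweep[(f.src, f.dport)].add(f.dst)
    for pair, protos in pair_protos.items():   # H1: both TCP and UDP between one IP pair
        if {"tcp", "udp"} <= protos: p2p_hosts |= pair
    # F1/F2: a server port used by several clients, some with parallel connections
    # (more (src, sport) tuples than distinct sources)
    web_hosts = {ep[0] for ep, conns in web_conns.items()
                 if len(web_srcs[ep]) >= MIN_CLIENTS and len(conns) > len(web_srcs[ep])}
    return {"p2p": p2p_hosts, "web": web_hosts, "mail": mail_in & mail_out,
            "msg": {h for h, s in msg_srcs.items() if len(s) >= MIN_CLIENTS},
            "scan": {k for k, v in scan.items() if len(v) > SCAN_THRESHOLD},
            "sweep": {k for k, v in sweep.items() if len(v) > SCAN_THRESHOLD}}


def classify_flow(f, m):
    """Pass 2: assumed priority, false-positive filters (F) before P2P rules (H)."""
    if (f.src, f.dst) in m["scan"] or (f.src, f.dport) in m["sweep"]: return "attack"  # F9
    if f.sport == f.dport and f.dport < 501: return "service"          # F3 (DNS, BGP, ...)
    if f.sport == 20: return "ftp"                                     # F7 active FTP data
    if f.src in m["mail"] or f.dst in m["mail"]: return "mail"         # F4
    if f.src in m["web"] or f.dst in m["web"]: return "web"            # F1/F2
    if f.src in m["msg"] or f.dst in m["msg"]: return "msg_game"       # F5/F6
    if f.sport in NON_P2P_PORTS or f.dport in NON_P2P_PORTS: return "non_p2p_port"  # F8
    if f.src in m["p2p"] or f.dst in m["p2p"]: return "p2p"            # H1/H2 host marks
    if f.dport in WEB_PORTS | MSG_GAME_PORTS: return "known_non_p2p"   # F10
    if f.nbytes > 1_000_000 or f.seconds > 600: return "p2p"           # H5: long, still unclassified
    return "unclassified"


def classify(flows):
    marks = build_marks(flows)
    return [classify_flow(f, marks) for f in flows]


# Constructed sample flows for one interval (not measurement data).
SAMPLE = (
    [Flow("192.0.2.10", 50000 + i, "10.0.0.1", 80, "tcp") for i in range(2)]    # web server:
    + [Flow("192.0.2.11", 50010 + i, "10.0.0.1", 80, "tcp") for i in range(2)]  # 3 clients,
    + [Flow("192.0.2.12", 50020, "10.0.0.1", 80, "tcp")]                        # 5 connections
    + [Flow("10.0.0.2", 51000, "198.51.100.5", 51001, "tcp"),                   # H1: TCP and UDP
       Flow("10.0.0.2", 51002, "198.51.100.5", 51003, "udp"),                   # between one pair
       Flow("10.0.0.2", 51004, "203.0.113.7", 8443, "tcp")]                     # other flow of P2P host
    + [Flow("192.0.2.10", 53, "10.0.0.3", 53, "udp")]                           # F3
    + [Flow("203.0.113.9", 40000, "10.0.0.4", 25, "tcp"),                       # F4: mail in
       Flow("192.0.2.20", 40001, "10.0.0.4", 143, "tcp"),
       Flow("10.0.0.4", 40002, "203.0.113.9", 25, "tcp")]                       # F4: mail out
    + [Flow("198.51.100.99", 60000 + p, "10.0.0.5", p, "tcp") for p in range(1, 13)]  # F9 scan
    + [Flow("10.0.0.6", 20, "192.0.2.30", 51234, "tcp")]                        # F7
    + [Flow("10.0.0.7", 33333, "203.0.113.50", 44444, "tcp", 5_000_000, 30)]    # H5
    + [Flow("10.0.0.9", 33335, "203.0.113.52", 443, "tcp", 3000, 2)]            # F10
    + [Flow("10.0.0.8", 33334, "203.0.113.51", 44445, "udp", 200, 1)]           # nothing matches
)


def breakdown(flows=SAMPLE):
    """Application breakdown by flow count, the toy-data analogue of the results slide."""
    return Counter(classify(flows))


if __name__ == "__main__":
    for label, n in sorted(breakdown().items()):
        print(f"{label:15s} {n}")
```

The point the slides make about false positives is visible in the ordering: the scan flows in SAMPLE hit privileged ports (including web and mail ports) and would otherwise pull 10.0.0.5 into the mail or web marks, and a P2P host's large flow on an arbitrary port is only called P2P (H5) after every F rule has declined it. Changing SCAN_THRESHOLD or MIN_CLIENTS, or swapping the position of F10 and H5, moves flows between classes, which is why the real rule set is evaluated against a payload-based reference (slide 12) rather than trusted on its own.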

12
Verification of proposed rule-set
  • Comparison of classification methods for P2P
    traffic

13
Results
  • Application Breakdown April 2006

14
Results (2)
  • Detailed results will be published at PAM 2008
    • W. John, S. Tafvelin and T. Olovsson, "Trends and
      Differences in Connection Behavior within Classes of
      Internet Backbone Traffic", to be presented at the
      Passive and Active Measurement Conference, Cleveland,
      Ohio, USA, April 2008 (proceedings to be published in
      Springer LNCS), http://pam2008.cs.wpi.edu/
  • Documentation about measurements (raw data)
    • DatCat Internet Measurement Data Catalog by CAIDA,
      http://www.datcat.org (search for SUNET)

15
Conclusions
  • Previous classification methods on packet header
    traces don't work well on backbone data
  • Proposal of refined and updated heuristics
    • combining previous approaches
    • extension and adjustment of heuristics
    • including a rule for attack traffic
  • Simple and fast method to decompose traffic
    • no payload required (encryption, header data,
      etc.)
    • effectively used even on short traces (10 min)
    • 0.2% of the data left unclassified

16
Thank you very much for your attention!
  • Questions?