Title: Heuristics to Classify Internet Backbone Traffic based on Connection Patterns
1Heuristics to Classify Internet Backbone Traffic
based on Connection Patterns
- Wolfgang John and Sven TafvelinDept. of Computer
Science and EngineeringChalmers University of
TechnologyGöteborg, Sweden
2Introduction Measurement location
Internet
- 2x 10 Gbit/s (OC-192)
- capturing headers only
- IP addresses anonymized
- tightly synchronized
- bidirectional per-flow analysis
Stockholm
Student-Net
Regional ISPs
Göteborg
Göteborgs Univ.
Chalmers Univ.
Other smaller Univ. and Institutes
3Introduction Motivation
- Problem
- Operators dont know the type of their traffic
- How to
- Improve network design and provisioning?
- Support QoS support or security monitoring?
- Enhance accounting possibilities?
- Reveal trends and changes in network
applications?
4Introduction Classification
- Solution Traffic classification
- Four basic approaches
- Port numbers easy to implement - unreliable
(P2P, malicious traffic) - Packet payloads accurate- requires updated
payload signatures- privacy and legal issues-
high processing requirements - does not work on
encrypted traffic (P2P)
5Introduction Classification (2)
- Solution Traffic classification (contd.)
- Statistical fingerprinting no detailed packet
information needed - depending on quality of
training data- promising, but still immature - Connection patterns no payload required no
training data required- not perfect accuracy
6Methodology Traffic Classification
- Two articles classify P2P flows according to
connection patterns - Karagiannis et al., 2004
- Perenyi et al., 2006
- Updated classification heuristics
- Refined the heuristics in prior articles
- Added new, necessary heuristics
7Methodology Proposed Heuristics
- Rules based on connection patterns and port
numbers - 5 rules for P2P traffic (H1-H5)
- 10 rules to classify other traffic types (F1-F10)
- remove false positives from P2P
- Rules are applied
- On flows in 10 minute intervals
- Independently on all flows and
- prioritized when fetched from the database
8Methodology Proposed Heuristics (2)
- Heuristics for potential P2P traffic (H1-H5)
- All traffic to and from potential P2P hosts is
marked as P2P traffic - H1 TCP and UDP traffic between IP pair
- H2 Well known P2P ports
- H3 Re-usage of source Port within short time
- H4 Non-parallel connections to endpoint
(IP/Port) - H5 unclassified, long flows
- unclassified by H1-H4 and F1-F9
- more than 1MB in one direction or
- duration of more than 10 minutes
9Methodology Proposed Heuristics (3)
- Heuristics for other traffic (F1-F10)
- F1 and F2 Web servers
- parallel connections to web Ports
- All traffic to and from Web server is Web-traffic
- F3 common services (DNS, BGP)
- Equal source and destination port and portlt501
- F4 Mail servers
- Hosts receiving traffic on mail ports (smtp,
imap, pop) while sending traffic via smtp - All traffic to and from Mail servers is
Mail-traffic
10Methodology Proposed Heuristics (4)
- Heuristics for other traffic (F1-F10)
- F5 and F6 Messenger and Gaming
- Hosts, connected to by a number of different IPs
on well-known messenger, chat or gaming ports
within a period of 10 days - All traffic to and from these hosts is messenger
or gaming - F7 FTP
- Active FTP with initiating port number of 20
- F8 non P2P ports
- Some well-known, privileged port number,
typically not used by P2P like dns, telnet, ssh,
ftp, mail, rtp, bgp
11Methodology Proposed Heuristics (5)
- Heuristics for other traffic (F1-F10)
- F9 malicious and attack traffic
- Scans (scan from one source through port ranges)
- Sweeps (scans from one source through IP ranges)
- DoS attacks (hammering attacks from one source
to few hosts in high frequency) - F10 unclassified, known non-P2P Port
- unclassified by H1-H4 and F1-F9 (no connection
pattern) - Well known ports including Web, messenger and
gaming
12Verification of proposed rule-set
- Comparison of classification methods for P2P
traffic
13Results
- Application Breakdown April 2006
14Results (2)
- Detailed results will be published at PAM 2008
- W. John and S. Tafvelin and Tomas Olovsson,
Trends and Differences in Connection Behavior
within Classes ofInternet Backbone Traffic, to
be presented at the Passive and Active
Measurement Conference,Cleveland, Ohio, USA,
April 2008.(Proceedings to be published in
Springer LNSC)http//pam2008.cs.wpi.edu/ - Documentation about measurements (raw data)
- DatCat Internet Measurement Data Catalog by
CAIDAhttp//www.datcat.org (search for SUNET)
15Conclusions
- Previous classification methods on packet header
traces dont work well on backbone data - Proposal of refined and updates heuristics
- Combining previous approaches
- Extension and adjustment of heuristics
- Including a rule for attack traffic
- Simple and fast method to decompose traffic
- no payload required (encryption, header data,
etc.) - Effectively used even on short traces (10 min)
- 0.2 of the data left unclassified
16Thank you very much for you attention!