Heuristics to Classify Internet Backbone Traffic
based on Connection Patterns
Wolfgang John and Sven Tafvelin
Dept. of Computer Science and Engineering
Chalmers University of Technology
Göteborg, Sweden
Introduction: Measurement location
• 2x 10 Gbit/s (OC-192)
• capturing headers only
• IP addresses anonymized
• tightly synchronized
• bidirectional per-flow analysis
Stockholm
StudentNet
Göteborg
Göteborg’s Univ.
Chalmers Univ.
Other smaller Univ. and Institutes
ICOIN 2008
2008-01-23
Introduction: Motivation
• Problem:
– Operators don’t know the type of their traffic
– How to:
•
•
•
•
Improve network design and provisioning?
Support QoS support or security monitoring?
Enhance accounting possibilities?
Reveal trends and changes in network applications?
ICOIN 2008
2008-01-23
Introduction: Classification
•
Solution: Traffic classification
– Four basic approaches:
1. Port numbers
+ easy to implement
- unreliable (P2P, malicious traffic)
2. Packet payloads
+ accurate
- requires updated payload signatures
- privacy and legal issues
- high processing requirements
- does not work on encrypted traffic (P2P)
ICOIN 2008
2008-01-23
Introduction: Classification (2)
•
Solution: Traffic classification (contd.)
3. Statistical fingerprinting
+ no detailed packet information needed
- depending on quality of training data
- promising, but still immature
4. Connection patterns
+ no payload required
+ no training data required
- not perfect accuracy
ICOIN 2008
2008-01-23
Methodology: Traffic Classification
• Two articles classify P2P flows according
to connection patterns:
– Karagiannis et al., 2004
– Perenyi et al., 2006
• Updated classification heuristics:
– Refined the heuristics in prior articles
– Added new, necessary heuristics
ICOIN 2008
2008-01-23
Methodology: Proposed Heuristics
• Rules based on connection patterns
and port numbers
– 5 rules for P2P traffic (H1-H5)
– 10 rules to classify other traffic types (F1-F10)
• remove ‘false positives’ from P2P
– Rules are applied:
• On flows in 10 minute intervals
• Independently on all flows and
prioritized when fetched from the database
ICOIN 2008
2008-01-23
Methodology: Proposed Heuristics (2)
– Heuristics for potential P2P traffic (H1-H5)
•
All traffic to and from potential P2P hosts is marked
as P2P traffic
•
•
•
•
•
H1: TCP and UDP traffic between IP pair
H2: Well known P2P ports
H3: Re-usage of source Port within short time
H4: Non-parallel connections to endpoint (IP/Port)
H5: unclassified, long flows
– unclassified by H1-H4 and F1-F9
– more than 1MB in one direction or
– duration of more than 10 minutes
ICOIN 2008
2008-01-23
Methodology: Proposed Heuristics (3)
– Heuristics for other traffic (F1-F10)
•
F1 and F2: Web servers:
– parallel connections to web Ports
– All traffic to and from Web server is Web-traffic
•
F3: common services (DNS, BGP)
– Equal source and destination port and port<501
•
F4: Mail servers:
– Hosts receiving traffic on mail ports (smtp, imap, pop)
while sending traffic via smtp
– All traffic to and from Mail servers is Mail-traffic
ICOIN 2008
2008-01-23
Methodology: Proposed Heuristics (4)
– Heuristics for other traffic (F1-F10)
•
F5 and F6: Messenger and Gaming
– Hosts, connected to by a number of different IPs on wellknown messenger, chat or gaming ports within a period of
10 days
– All traffic to and from these hosts is messenger or gaming
•
F7: FTP
– Active FTP with initiating port number of 20
•
F8: non P2P ports:
– Some well-known, privileged port number, typically not
used by P2P like dns, telnet, ssh, ftp, mail, rtp, bgp …
ICOIN 2008
2008-01-23
Methodology: Proposed Heuristics (5)
– Heuristics for other traffic (F1-F10)
•
F9: malicious and attack traffic
– Scans (scan from one source through port ranges)
– Sweeps (scans from one source through IP ranges)
– DoS attacks (“hammering attacks” from one source to few
hosts in high frequency)
•
F10: unclassified, known non-P2P Port
– unclassified by H1-H4 and F1-F9 (no connection pattern)
– Well known ports including Web, messenger and gaming
ICOIN 2008
2008-01-23
Verification of proposed rule-set
Comparison of classification methods for P2P traffic
# connections in 106
Amount of data in TB
ICOIN 2008
2008-01-23
Results
Application Breakdown April 2006
ICOIN 2008
2008-01-23
Results (2)
Detailed results will be published at PAM 2008
W. John and S. Tafvelin and Tomas Olovsson,
Trends and Differences in Connection Behavior within Classes of
Internet Backbone Traffic,
to be presented at the Passive and Active Measurement Conference,
Cleveland, Ohio, USA, April 2008.
(Proceedings to be published in Springer LNSC)
http://pam2008.cs.wpi.edu/
Documentation about measurements (raw data)
DatCat – Internet Measurement Data Catalog by CAIDA
http://www.datcat.org (search for SUNET)
ICOIN 2008
2008-01-23
Conclusions
• Previous classification methods on packet
header traces don’t work well on backbone data
• Proposal of refined and updates heuristics
– Combining previous approaches
– Extension and adjustment of heuristics
– Including a rule for attack traffic
• Simple and fast method to decompose traffic
– no payload required (encryption, header data, etc.)
• Effectively used even on short traces (10 min)
• 0.2% of the data left unclassified
ICOIN 2008
2008-01-23
Thank you very much for you attention!
Questions?