This document discusses internet traffic monitoring and analysis. It describes:
1) The growth of internet usage and evolving network environments that require reliable monitoring.
2) Real-world applications of monitoring including network usage analysis, planning, SLA monitoring, and security attack detection.
3) POSTECH's research activities including MRTG+, WebTrafMon, and their next-generation system NG-MON for high-speed monitoring.
The development of intelligent network forensic tools that focus on specific types of network traffic analysis is a challenge from a future perspective.
Such tools would reduce time delays and computational resource requirements, minimize attacks, provide reliable and secure evidence, and support efficient investigation with minimum effort.
A 1-day short course developed for visiting guests from Tecsup on network forensics, prepared in a day : ]
The requirements/constraints were 5-7 hours of content and a target audience with very little forensic or networking knowledge. [For that reason, flow analysis was not included as an exercise, discussion of network monitoring solutions was limited, and the focus was on end-node forensics, not on the networking devices/appliances themselves.]
These slides guide you through the tools and techniques one can use for footprinting websites or people. You will find amazing tools and techniques; have a look.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Presentation on investigating emails to determine whether they are free of spam. Emails are a way to harm others, or a social engineering vector used by some people to fulfil wrong motives. Awareness of the forensics behind email gives people an edge in protecting themselves from fraud.
Learning Objectives:
1. Understand how this unique, emergent form of evidence can be used for criminal investigations and civil litigation e-discovery.
2. Discover the DoJ memo to law enforcement uncovered by FOIA stressing why and how to use social media in criminal cases.
3. See social media evidence recovered from smart phones, personal computers, and the cloud.
4. Learn the ethics of social media evidence collection including what you can and cannot do, if you want to keep your license that is.
Packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve network problems and determine whether network security policies are being followed. Hackers can also use packet capturing techniques to steal data that is being transmitted over a network.
A firewall of any description is a must for any user connecting to the Internet.
DPI proves to be a better security-centric technology than SPI. However, from a security point of view
However, for a truly effective platform, a dedicated hardware firewall with DPI provides the best all-round solution and goes a long way towards securing networks from the more sophisticated and damaging Internet threats.
Network traffic analysis with cyber security - KAMALI PRIYA P
We are students from SRM University pursuing B.Tech in the Computer Science Department. We took a small initiative to make a PPT about how network traffic can be analyzed through cyber security. We have also mentioned the known network analyzers and the future scope for network traffic analysis with cyber security.
While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
This vulnerability stems from the world-wide access to computer systems via the Internet.
Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
Traffic State Estimation and Prediction under Heterogeneous Traffic Conditions - IDES Editor
The recent economic growth in developing countries like India has resulted in an intense increase of vehicle ownership and use, as witnessed by severe traffic congestion and bottlenecks during peak hours in most of the metropolitan cities. Intelligent Transportation Systems (ITS) aim to reduce traffic congestion by adopting various strategies such as providing pre-trip and en-route traffic information thereby reducing demand, adaptive signal control for area-wide optimization of traffic flow, etc. The successful deployment and the reliability of these systems largely depend on the accurate estimation of the current traffic state and quick and reliable prediction to future time steps. At a macroscopic level, this involves the prediction of fundamental traffic stream parameters which include speed, density and flow in the space-time domain. The complexity of prediction is enhanced by heterogeneous traffic conditions as prevailing in India due to less lane discipline and complex interactions among different vehicle types. Also, there is no exclusive traffic flow model for heterogeneous traffic conditions which can characterize the traffic stream at a macroscopic level. Hence, the present study tries to explore the applicability of an existing macroscopic model, namely the Lighthill-Whitham-Richards (LWR) model, for short-term prediction of traffic flow in a busy arterial in the city of Chennai, India, under heterogeneous traffic conditions. Both linear and exponential speed-density relations were considered and incorporated into the macroscopic model. The resulting partial differential equations are solved numerically and the results are found to be encouraging. This model can ultimately be helpful for the implementation of ATIS/ATMS applications under a heterogeneous traffic environment.
Prevention based mechanism for attacks in Network Security - Editor IJMTER
Network security has become vital in today's information technology era, and as a result numerous techniques are adopted to bypass it. Network administrators are compelled to keep pace with recent advancements in both the hardware and software fields for the betterment of users' knowledge. This paper outlines the various attack strategies in the field of networking and numerous prevention mechanisms against them.
A ROBUST MECHANISM FOR DEFENDING DISTRIBUTED DENIAL OF SERVICE ATTACKS ON WEB... - IJNSA Journal
Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The relative ease and low costs of launching such attacks, supplemented by the current inadequate state of any viable defense mechanism, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is imperative to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. This paper first presents a brief discussion on some of the important types of DDoS attacks that currently exist and some existing mechanisms to combat these attacks. It then points out the major drawbacks of the currently existing defense mechanisms and proposes a new mechanism for protecting a web server against a DDoS attack. In the proposed mechanism, incoming traffic to the server is continuously monitored and any abnormal rise in the inbound traffic is immediately detected. The detection algorithm is based on a statistical analysis of the inbound traffic on the server and a robust hypothesis testing framework. While the detection process is on, the sessions from the legitimate sources are not disrupted and the load on the server is restored to the normal level by blocking the traffic from the attacking sources. To cater to different scenarios, the detection algorithm has various modules with varying levels of computational and memory overhead for their execution. While the approximate modules are fast in detection and involve less overhead, they provide a lower level of detection accuracy. The accurate modules employ complex detection logic and hence involve more overhead for their execution; however, they have very high detection accuracy. Simulations carried out on the proposed mechanism have produced results that demonstrate the effectiveness of the proposed defense mechanism against DDoS attacks.
Impact of Flash Crowd Attack in Online Retail Applications - IJEACS
Nowadays the usage of the internet has increased enormously, and online shopping has become widespread in day-to-day life. Meanwhile, online shopping is affected by various advanced network security attacks. The Flash Crowd Attack is one of the advanced attacks, in which a huge number of dummy requests are sent at one time, putting a lot of pressure on the server machine and degrading its efficiency. Also, authorized clients cannot receive the acknowledgement notification. We found that this attack might cause many problems for online buyers in the coming days. This paper depicts the minimization of the Flash Crowd Attack and discusses various issues of this attack.
PREVENTING DISTRIBUTED DENIAL OF SERVICE ATTACKS IN CLOUD ENVIRONMENTS - IJITCA Journal
Distributed Denial of Service (DDoS) is a key threat to network security. A network is a group of nodes that interact with each other to exchange information, and the information a node needs is kept confidential. An attacker in the system may capture this private information and distort it, so security is the major issue. There are several security attacks on networks; one of the major threats to internet services is the DDoS attack. It is a malicious effort to suspend services to a destination node: DDoS or DoS is an effort to make a network resource or machine unavailable to its intended users. Numerous ideas have been developed to avoid DDoS or DoS. DDoS occurs in two different ways: it may happen naturally or it may be due to attackers. Various schemes have been developed to defend against this attack. The main focus of this paper is to present the basis of DDoS attacks, DDoS attack types, DDoS attack components, and intrusion prevention systems for DDoS.
ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM... - IJNSA Journal
The proposed work describes the design of a multimedia platform that manages users and implements cybersecurity. The paper describes in detail the use cases of the whole platform, which embeds Big Data and an artificial intelligence (AI) engine predicting network attacks. The platform has been tested with a Tree Ensemble algorithm classifying and predicting anomalous server logs of possible attacks. The data logs are collected in the Cassandra Big Data system, enabling the AI training model. The work has been developed within the framework of a research industry project.
Similar to Internet Traffic Monitoring and Analysis (20)
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... - SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf - Peter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Enhancing Performance with Globus and the Science DMZ - Globus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
The Metaverse and AI: how can decision-makers harness the Metaverse for their... - Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
PHP Frameworks: I want to break free (IPC Berlin 2024) - Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
35. WebTrafMon-II Architecture (slide diagram; only the component labels survive): a probe at a network point captures packets in promiscuous mode and writes packet header information to a log file in a hash log format; the log is saved into the database; a flow generator and a traffic analyzer produce short-term and long-term traffic data (minutely, hourly, daily, monthly, yearly statistics), using port information; users in a distributed environment query the network traffic data analyzer through request/response.
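The pipeline the WebTrafMon-II slide sketches (a probe logs packet headers, a flow generator groups them into flows, and an analyzer rolls flows up into minutely/hourly/daily statistics that an operator can query for usage and attack-detection purposes) in miniature, as an added Python example. This is not WebTrafMon-II code; the packet header records, addresses and ports are constructed sample data, and the 60-second flow timeout and the per-destination-port roll-up are assumptions made for the example.

```python
"""Toy flow generator and multi-granularity traffic aggregator.

Added example modelling the pipeline: probe -> packet header log ->
flow generator -> per-interval statistics. Not WebTrafMon-II code.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERVALS = {"minutely": 60, "hourly": 3600, "daily": 86400}
FLOW_TIMEOUT = 60  # assumption: a 5-tuple silent for >60 s starts a new flow


@dataclass(frozen=True)
class PacketHeader:
    """One line of the probe's packet header log (only header fields, no payload)."""
    ts: int        # epoch seconds stamped by the probe at capture time
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int    # bytes on the wire


# Constructed sample packet header log (hypothetical hosts and ports).
SAMPLE_LOG = [
    PacketHeader(1_700_000_000, "10.0.0.5", "192.0.2.10", "tcp", 51000, 80, 600),
    PacketHeader(1_700_000_001, "10.0.0.5", "192.0.2.10", "tcp", 51000, 80, 1400),
    PacketHeader(1_700_000_002, "192.0.2.10", "10.0.0.5", "tcp", 80, 51000, 9000),
    PacketHeader(1_700_000_030, "10.0.0.7", "192.0.2.20", "udp", 40000, 53, 80),
    PacketHeader(1_700_000_100, "10.0.0.7", "192.0.2.20", "udp", 40000, 53, 80),  # >60 s gap: new flow
    PacketHeader(1_700_003_700, "10.0.0.5", "192.0.2.10", "tcp", 51001, 443, 700),
]


def generate_flows(packets, timeout=FLOW_TIMEOUT):
    """Group packets into unidirectional flows keyed by the 5-tuple.

    A gap longer than `timeout` between consecutive packets of the same
    5-tuple closes the flow and opens a new one. Returns a list of dicts
    with first/last timestamp, packet and byte counts.
    """
    flows = []
    active = {}  # 5-tuple -> currently open flow
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        flow = active.get(key)
        if flow is None or p.ts - flow["last"] > timeout:
            flow = {"key": key, "first": p.ts, "last": p.ts, "packets": 0, "bytes": 0}
            active[key] = flow
            flows.append(flow)
        flow["last"] = p.ts
        flow["packets"] += 1
        flow["bytes"] += p.length
    return flows


def aggregate(flows, interval="minutely"):
    """Roll flow byte counts into fixed buckets of the chosen granularity, per dst port.

    A flow is charged to the bucket containing its first packet.
    Returns {bucket_start_epoch: {dport: bytes}}.
    """
    width = INTERVALS[interval]
    table = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        bucket = flow["first"] - flow["first"] % width
        table[bucket][flow["key"][4]] += flow["bytes"]
    return {bucket: dict(ports) for bucket, ports in table.items()}


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent; the kind of view an operator checks first."""
    per_src = defaultdict(int)
    for flow in flows:
        per_src[flow["key"][0]] += flow["bytes"]
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = generate_flows(SAMPLE_LOG)
    print(f"{len(flows)} flows from {len(SAMPLE_LOG)} packets")
    for name in ("minutely", "hourly"):
        print(name, aggregate(flows, name))
    print("top talkers", top_talkers(flows))
```

The minutely table shows the second DNS exchange landing in its own bucket because the flow timeout split it off, while the hourly table merges it with the first; this is the short-term versus long-term view the slide's analyzer is drawn to produce.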
Abstract: Most Internet networking devices are now equipped with a Web server for providing Web-based element management, so that an administrator may take advantage of this enhanced and powerful management interface. On the other hand, for network management, an administrator normally buys and deploys an SNMP-based network management platform to be customized to his network. Each management scheme has mutually exclusive advantages; consequently, the two schemes coexist in the real world. This results in both a high development cost and a dual management interface for the administrator. We propose an embedded Web server (EWS)-based network management architecture as an alternative to SNMP-based network management, leveraging the already existing embedded web server. We extend the EWS-based element management architecture to a network management architecture. Our proposed architecture uses HTTP as the communication protocol, with management information and operations encoded in it. Further, we designed a management system on the basis of our proposed architecture that supports basic management functions.
[http://www.caida.org/outreach/metricswg/faq.xml] CAIDA Outreach Network Measurement FAQ
2.1. Why should I measure my network's behaviour? If you don't measure it, you have no objective record or benchmark of how it behaves. This could make it difficult to judge whether changes in the network have improved its performance, or degraded it. If you are buying Internet connectivity from an ISP you need to understand the kind of service being offered, and you need to measure the actual performance so as to verify that you're getting what you pay for.
[KRNET Tutorial] http://dpnm.postech.ac.kr/webboard/ Internet Traffic Monitoring & Analysis
User's needs:
* Monitor the performance experienced by one's application - Why is the web page download so slow? - Why is my multicast video stream jerky?
* Check if the level of service meets one's need - Do I have enough b/w?
* Check if one experiences intrusions and attacks - Is someone attacking me?
Service provider's needs:
* Monitor the current level of activity
* Enforce SLAs (service level agreements)
* Detect faults and failures
* Engineer the network for better performance
* Plan for future capacity
* Feedback to customers
To monitor a high-speed network such as a 10 Gbps link, NG-MON should satisfy these five significant requirements. The first one, as stated, is a distributed, load-balancing architecture. To distribute the processing load, we divide the monitoring and analysis task into several functional units, and we also need an efficient load-sharing mechanism within each phase. For the load distribution method, we considered pipeline and parallel methods. The second is lossless packet capture: NG-MON should capture all packets without loss, so that it can provide all the required information to the various analysis applications. The fourth one is flow-based analysis, which is essential to reduce the processing load; by aggregating packet information into flows, NG-MON can process it efficiently. Also, the limited storage at each phase should be considered. With these requirements in mind, we designed the architecture of NG-MON.
This is the overall architecture of the NG-MON design. The key feature of our design is a pipelined distribution and load-balancing technique. The whole task is divided into five phases: Packet Capture, Flow Generation, Flow Store, Traffic Analysis and Presentation. All raw packets are captured in the Packet Capture phase, and the packet header information extracted from them is delivered to the second phase, Flow Generation, where the flow information is generated. The flow information is then stored in the Flow Store phase. The Traffic Analyzer queries the Flow Store, stores the analyzed data, and provides it to the Presenter. The load distribution mechanism used in each phase is explained in detail in the following slides.
This slide shows the first phase of our NG-MON design: the Packet Capture phase. The large bulk of traffic on the network links is distributed over probe systems and sent to the next phase, Flow Generation. To distribute the raw packets we can use one of two methods: the splitting function provided by an optical splitter, or the mirroring function provided by network devices. The probe systems capture incoming packets, extract packet header information from the layered headers of each raw packet, and then push it into the export buffer queues according to a hash of the packet header's 5-tuple. Each probe system maintains the same number of buffer queues as there are flow generators. When a buffer queue becomes full, the probe constructs a packet header message and exports it to the next phase. Raw packets with the same color indicate that they belong to the same flow; as you can see, packets belonging to the same flow are put together into the same packet header messages. (5-tuple: source and destination address, protocol number, source and destination port number.)
This and the next slide show the second phase of our NG-MON design. In this phase, packet headers are compressed into flows. To distribute the packet header information, we use 5-tuple-based hashing and one buffer queue per flow generator, so the packet header information of a given flow is always delivered to the same flow generator. The same flow can therefore never be generated by two different flow generators at the same moment. Flow generators simply generate flow messages from the incoming packet header messages and export them to the next phase, the Flow Store.
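As an added example (not NG-MON's own code), here is the 5-tuple hashing and flow aggregation described for the first two phases in Python: the probe hashes each header's 5-tuple to one buffer queue per flow generator, and each generator aggregates the headers it receives into flows. The sample headers, the CRC32 hash and the field layout are assumptions, not taken from the original.

```python
"""Phases 1 and 2 of the pipeline: 5-tuple hashing to flow generators, then
per-generator flow aggregation. Added example, not the project's own code."""
import zlib
from collections import defaultdict

# Constructed sample packet headers: (src, dst, proto, sport, dport, octets).
# Three flows; the first TCP flow is seen three times, the DNS flow twice.
SAMPLE_HEADERS = [
    ("10.0.0.1", "10.0.0.2", 6, 40000, 80, 60),
    ("10.0.0.1", "10.0.0.2", 6, 40000, 80, 1500),
    ("10.0.0.3", "10.0.0.2", 17, 53000, 53, 80),
    ("10.0.0.1", "10.0.0.2", 6, 40000, 80, 1500),
    ("10.0.0.2", "10.0.0.1", 6, 80, 40000, 1500),
    ("10.0.0.3", "10.0.0.2", 17, 53000, 53, 80),
]

def five_tuple(hdr):
    """(src, dst, proto, sport, dport) identifies a flow."""
    return hdr[:5]

def select_generator(hdr, n_generators):
    """Map a 5-tuple to a buffer queue / flow generator index. CRC32 is used
    (an assumption) because it is deterministic across probe processes, so
    every probe routes headers of the same flow to the same generator."""
    key = "|".join(map(str, five_tuple(hdr))).encode()
    return zlib.crc32(key) % n_generators

def distribute(headers, n_generators):
    """Probe side: one export buffer queue per flow generator."""
    queues = defaultdict(list)
    for hdr in headers:
        queues[select_generator(hdr, n_generators)].append(hdr)
    return queues

def generate_flows(headers):
    """Flow generator: aggregate headers with the same 5-tuple into
    (packet count, byte count)."""
    flows = {}
    for hdr in headers:
        pkts, octets = flows.get(five_tuple(hdr), (0, 0))
        flows[five_tuple(hdr)] = (pkts + 1, octets + hdr[5])
    return flows

def run_pipeline(headers, n_generators):
    """Returns {generator index: flow table} for phases 1 and 2."""
    return {g: generate_flows(q) for g, q in distribute(headers, n_generators).items()}

def merge_flows(per_generator):
    """Union of all generators' flow tables; raises if any 5-tuple was split
    across two generators, which the hashing design rules out."""
    merged = {}
    for flows in per_generator.values():
        assert not (merged.keys() & flows.keys()), "flow split across generators"
        merged.update(flows)
    return merged
```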
This slide shows the third phase of our NG-MON architecture: the Flow Store phase. The main role of the Flow Store is to store flow information and to handle requests from the analyzers, that is, write operations and read operations. For load distribution and efficient processing, we considered a method that prevents write operations from occurring at the same time as read operations in a single flow store system. To do this, the destination address of flow messages is switched from one Flow Store to the next as the time slot changes. While one or more flow stores are inserting flow data, the other flow stores are being queried by the traffic analyzers. As you can see here, in time slot t1 Flow Store 1 only receives flow messages while the other Flow Stores process queries from the Analyzers. Before the time slot changes from t1 to t2, queries to Flow Store 2 should be finished. When the time slot becomes t2, flow messages go into Flow Store 2 and queries to Flow Store 1 start. In our earlier work, we realized that one of the bottlenecks of the monitoring process is the huge storage space required. So the Flow Store keeps flow information for only several time slots and discards it once the traffic analyzers have finished analyzing it. Therefore a flow store only requires a small and fixed amount of disk space. The Flow Store provides traffic information to support various analysis applications and exposes an analysis API to the analyzers.
This slide shows the fourth and fifth phases of our NG-MON architecture. These two phases are tightly coupled according to the analysis purpose, such as traffic throughput analysis, usage-based billing analysis, or DDoS and DoS attack analysis. The Analyzer extracts information from the Flow Stores and can perform application-specific analysis; a separate analyzer is needed for each application. We separated the Presenter from the Traffic Analyzer because more than one system tends to be allocated to the traffic analysis phase.
This summer we implemented a prototype of NG-MON and deployed it in our campus backbone network. In the implementation, we used a Net Optics Gigabit Fiber Optic tap to split the traffic and a GE card to receive it. The hardware configuration we used was a P-III 800MHz with 256 Mbytes of memory and a 20 Gbytes hard disk. We developed our system on Redhat Linux 7.2, using the C language with the pcap library in the Packet Capture phase. In the Flow Store, we used the MySQL database to store flows. The Presenter uses PHP with the jpgraph library to present the analysis results through the web.
This and the next two slides show some selected screenshots of our prototype implementation. Our analyzer shows various throughput information according to HOST, SUBNET, and PROTOCOL. This screenshot shows the throughput received per host in one minute, and the change in total throughput over one hour is illustrated as a line graph.
This is a detailed view of the data sent per subnet in a certain minute.
The left one is an application-protocol view for a certain minute, and the right one is a time-series graph of the throughput at each protocol layer during a certain hour.