DOCSLIB.ORG

Methods and Algorithms for Network Traffic Classification Marcin Pietrzyk

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Methods and Algorithms for Network Traffic Classification Marcin Pietrzyk Methods and Algorithms for Network Traffic Classification Th`esepr´esent´ee pour obtenir le grade de docteur de T´el´ecomParis Tech Marcin Pietrzyk April 2011 Directeurs de Th`ese: Professor Dr. Guillaume Urvoy-Keller, CNRS/UNSA Dr. Jean-Laurent Costeux, Orange Labs ii iii iv Abstract Traffic classification consists of associating network flows with the application that generated them. This subject, of crucial importance for service providers, network managers and companies in general has already received substantial attention in the research community. Despite these efforts, a number of issues still remain unsolved. The present work consists of three parts dealing with various aspects of the challenging task of traffic classification and some of its use cases. The first part presents an in-depth study of state-of-the-art statistical clas- sification methods which use passive traces collected at the access network of an ISP offering ADSL access to residential users. We critically evaluate the perfor- mance, including the portability aspect, which so far has been overlooked in the community. Portability is defined as the ability of the classifier to perform well on sites (networks) different than the one it was trained on. We uncover impor- tant, previously unknown issues, and analyze their root cause using numerous statistical tools. A last contribution of the first part is a method, which allows us to mine the unknown traffic (from a deep packet inspection tool perspective). The second part aims at providing a remedy for some of the problems un- covered in part one, mainly the ones concerning portability. We propose a self- learning hybrid classification method that enables synergy between a priori het- erogeneous sources of information (e.g. statistical flow features and the presence of a signature). We first extensively evaluate its performance using the data sets from part one. We then report the main findings for tool deployment in an oper- ational ADSL platform, where a hybrid classifier monitored the network for more than half a year. The last part presents a practical use case of traffic classification and focuses on profiling the customers of an ISP at the application level. The traffic classifier here is the input tool for the study. We propose to rely on the hierarchical clustering technique to group the users into a limited number of sets. We put emphasis both on heavy hitters and less active users, as the profile of the former (p2p) differs from the one of the second group. Our work complements recent findings of other works reporting an increasing trend of HTTP driven traffic becoming dominant at the expense of p2p traffic. v vi Acknowledgments First of all, I would like to express my deep gratitude to my thesis supervisor, Prof. Dr. Guillaume Urvoy-Keller, who suggested that I pursue this research direction and who convinced me it was possible, despite my doubts. You have continuously supported all my efforts, both in the research and in my personal projects, not to mention the invaluable support and countless contributions to this work. Thank you for everything, it was a truly great experience working with you! I would also like to thank my co-advisor in Orange, Dr. Jean-Laurent Cos- teux, who was my guide in the jungle of large corporations. Thanks for all your valuable input in this thesis. Big thanks are also due to all my collaborators, whose experience and knowl- edge contributed greatly to this work, especially Dr. Taoufik En-Najjary, whose brilliant ideas and incredible theoretical knowledge made many parts of this work possible, it was a great pleasure to have you on my side! Thanks to Louis Plis- sonneau for sharing the good and the difficult parts of a PhD students life. I would also like to thank Prof. Dr. Rui Valadas, Prof. Dr. Rosario de Oliveira and Denis Collange for their input on the features stability evaluation and the fruitful discussions. I would like to thank all my colleagues from Orange Labs, especially Frederic and Mike, my office mates, Chantal, Patrick, Olivier, Paul and Seb, as well as all the non-permanent people that I had the chance to meet during the three years spent at the Lab. Last but not least, I would like to thank my interns, especially Michal, for his great input in the development of the monitoring tools. Finally, I would like to express my deepest gratitude to my parents and girlfriend for their support in all my life choices. Well, I owe you everything! vii viii Contents List of Figures xv List of Tables xix 1 Introduction 1 1.1 Organization of the Thesis . 2 I Statistical Methods Evaluation and Application 3 2 Introduction 5 2.1 Contributions - Part I . 6 2.2 Relevant Publications for Part I . 6 3 Background on Traffic Classification 7 3.1 Definition of the Traffic Classification Problem . 7 3.2 Performance Metrics . 7 3.3 Ground Truth . 8 3.4 Methods and Related Work . 10 4 Methods Evaluation - Background 13 4.1 Traffic Data . 13 4.1.1 Dataset . 13 4.1.2 Reference Point . 14 4.1.3 Traffic Breakdown . 14 4.2 Methodology . 16 4.2.1 Classification Algorithms . 16 4.2.2 Features . 17 4.2.3 Training Set . 18 4.2.4 Flow Definition - Data Cleaning . 18 ix CONTENTS 4.3 Summary . 19 5 Method Evaluation 21 5.1 Classification - Static Case . 21 5.1.1 Number of Packets - Set A . 21 5.1.2 Static Results . 22 5.1.3 Static Results - Discussion . 24 5.2 Classification - Cross Site . 25 5.2.1 Overall Results . 25 5.2.2 Detailed Results for Set A (packet sizes) . 26 5.2.3 Detailed Results for Set B (advanced statistics) . 27 5.3 Impact of the Port Numbers . 27 5.3.1 Impact of the Port Numbers - Static Case . 28 5.3.2 Impact of the Port Numbers - Cross Site Case . 29 5.4 Impact of the Algorithm . 30 5.5 Discussion . 31 6 Methods evaluation - Principal Components 33 6.1 PCA . 33 6.2 Description of the Flow Features . 34 6.3 Variable Logging . 37 6.4 Interpretation of the Principal Components . 37 6.5 Classification Results . 39 6.5.1 Static Case . 40 6.5.2 Cross Site Case . 41 6.6 Conclusions . 41 7 The Root Cause of the Cross-site Issue 43 7.1 Portability Problem . 43 7.2 Statistical Test and Effect Size . 43 7.2.1 Effect Size . 44 7.3 Stability Analysis . 46 7.3.1 EDONKEY and WEB . 47 7.3.2 BITTORRENT . 48 7.3.3 FTP . 51 7.3.4 CHAT and MAIL . 52 x M.Pietrzyk CONTENTS 7.4 Discussion . 52 8 Mining the Unknown Class 55 8.1 Unknown Mining Method . 55 8.2 Predictions . 56 8.3 Validation . 57 8.3.1 Peer-to-peer Predictions . 57 8.3.2 Web Predictions . 58 8.3.3 Throughput Distribution Comparison . 60 8.4 The Unknown Class - Discussion . 60 9 Conclusions of Part I 61 II Hybrid Classifier 63 10 Introduction 65 10.1 Contributions - Part II . 66 10.2 Relevant Publications for Part II . 66 11 Design and Evaluation 67 11.1 HTI - Hybrid Traffic Identification . 67 11.1.1 Features . 68 11.2 Machine Learning Algorithm . 69 11.2.1 Logistic Regression . 69 11.2.2 Training Phase . 71 11.2.3 Selection of Relevant Features . 72 11.3 Per Application Sub-models . 73 11.4 Off-line Evaluation: warming-up . 74 11.5 Off-line Evaluation: Performance Results . 76 11.5.1 Overall Results . 76 11.5.2 Multiple Classifications . 76 11.5.3 Which Method for Which Application? . 79 11.6 HTI vs. State of the Art Methods . 80 11.6.1 Legacy Ports Method . 80 11.6.2 Statistical Methods . 81 11.6.3 Impact of the Classification Algorithm . 81 xi CONTENTS 12 HTI in the Wild - Production Deployment 83 12.1 Implementation Details . 83 12.2 Platform Details . 84 12.3 Live Experiment Results . 85 12.3.1 One Week of Traffic . 88 12.3.2 Six Months of Traffic . 89 12.4 Model Validity . 89 12.5 Efficiency Issues . 91 12.5.1 CPU . 92 12.5.2 Memory . 93 12.5.3 Time to Classify . 93 12.6 Discussion and Limitations . 93 12.7 Conclusion . 94 III User Profiling 95 13 User Profiles 97 13.1 Introduction . 97 13.2 Relevant Publications for Part III . 97 13.3 Related Work . 97 13.4 Data Set . 98 13.5 Reliable Users Tracking . 99 13.6 Applications Classes and Traffic Breakdown . 99 13.6.1 Traffic Breakdown . 100 13.7 Distribution of Volumes Per User . 101 13.8 Users Profiling . 102 13.8.1 Users Dominating Application . 102 13.8.2 Top Ten Heavy Hitters . 104 13.9 Users Application Mix . 106 13.9.1 \Real" vs. \Fake" Usage . 106 13.9.2 Choice of Clustering . 108 13.9.3 Application Mix . 109 13.9.4 Profile Agreement . 110 13.9.5 Application Mix - Discussion . 111 13.10Conclusions.
Load more

Recommended publications
  • Security Analytics 8.1.X Reference Guide
    Security Analytics 8.1.x Reference Guide Updated: Friday, November 15, 2019 Security Analytics Reference Guide Security Analytics 8.1 Copyrights, Trademarks, and Intellectual Property Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
    [Show full text]
  • Uila Supported Apps
    Uila Supported Applications and Protocols updated Oct 2020 Application/Protocol Name Full Description 01net.com 01net website, a French high-tech news site. 050 plus is a Japanese embedded smartphone application dedicated to 050 plus audio-conferencing. 0zz0.com 0zz0 is an online solution to store, send and share files 10050.net China Railcom group web portal. This protocol plug-in classifies the http traffic to the host 10086.cn. It also 10086.cn classifies the ssl traffic to the Common Name 10086.cn. 104.com Web site dedicated to job research. 1111.com.tw Website dedicated to job research in Taiwan. 114la.com Chinese web portal operated by YLMF Computer Technology Co. Chinese cloud storing system of the 115 website. It is operated by YLMF 115.com Computer Technology Co. 118114.cn Chinese booking and reservation portal. 11st.co.kr Korean shopping website 11st. It is operated by SK Planet Co. 1337x.org Bittorrent tracker search engine 139mail 139mail is a chinese webmail powered by China Mobile. 15min.lt Lithuanian news portal Chinese web portal 163. It is operated by NetEase, a company which 163.com pioneered the development of Internet in China. 17173.com Website distributing Chinese games. 17u.com Chinese online travel booking website. 20 minutes is a free, daily newspaper available in France, Spain and 20minutes Switzerland. This plugin classifies websites. 24h.com.vn Vietnamese news portal 24ora.com Aruban news portal 24sata.hr Croatian news portal 24SevenOffice 24SevenOffice is a web-based Enterprise resource planning (ERP) systems. 24ur.com Slovenian news portal 2ch.net Japanese adult videos web site 2Shared 2shared is an online space for sharing and storage.
    [Show full text]
  • University of South Florida
    Case Study www.ellacoya.com University of South Florida University of South Florida (USF), one of the top research universities in the US, is INTRODUCTION committed to formulating bold ideas and creating innovative solutions for its global community of 45,000 students, staff, and faculty. To provide its community with reliable, quality network service, USF needed an effective, flexible, and scalable way to prevent aggressive peer-to-peer (P2P) applications from using more than their fair share of bandwidth, to enable sophisticated control of individual abusers, and to support significant growth in traffic volumes. University of South Florida turned to Ellacoya’s IP Service Control System for an effective, flexible and scalable way to control bandwidth congestion in its network. As of late 2002, USF was experiencing significant network congestion due to P2P traffic. THE TRAFFIC CONTROL Its network was hit particularly hard by KaZaA 2.0, which USF’s enterprise-class PROBLEM appliance application could not reliably detect, and by a new P2P application its current firmware failed to detect at all. Network administrators also began to realize the limitations of application-based aggregate traffic management in the face of increasingly evasive emerging applications and the desirability of being able to enforce policies on specific individuals. Additionally, USF was in the process of upgrading its Internet connection to Gigabit speeds and needed a platform with the capacity for Gigabit throughput and the flexibility to scale with the university’s growing needs. Like many universities, USF had initially used an enterprise-class appliance to control EARLY ATTEMPTS TO P2P traffic, but the device was unable to consistently classify KaZaA traffic.
    [Show full text]
  • P2P Protocols
    CHAPTER 1 P2P Protocols Introduction This chapter lists the P2P protocols currently supported by Cisco SCA BB. For each protocol, the following information is provided: • Clients of this protocol that are supported, including the specific version supported. • Default TCP ports for these P2P protocols. Traffic on these ports would be classified to the specific protocol as a default, in case this traffic was not classified based on any of the protocol signatures. • Comments; these mostly relate to the differences between various Cisco SCA BB releases in the level of support for the P2P protocol for specified clients. Table 1-1 P2P Protocols Protocol Name Validated Clients TCP Ports Comments Acestream Acestream PC v2.1 — Supported PC v2.1 as of Protocol Pack #39. Supported PC v3.0 as of Protocol Pack #44. Amazon Appstore Android v12.0000.803.0C_642000010 — Supported as of Protocol Pack #44. Angle Media — None Supported as of Protocol Pack #13. AntsP2P Beta 1.5.6 b 0.9.3 with PP#05 — — Aptoide Android v7.0.6 None Supported as of Protocol Pack #52. BaiBao BaiBao v1.3.1 None — Baidu Baidu PC [Web Browser], Android None Supported as of Protocol Pack #44. v6.1.0 Baidu Movie Baidu Movie 2000 None Supported as of Protocol Pack #08. BBBroadcast BBBroadcast 1.2 None Supported as of Protocol Pack #12. Cisco Service Control Application for Broadband Protocol Reference Guide 1-1 Chapter 1 P2P Protocols Introduction Table 1-1 P2P Protocols (continued) Protocol Name Validated Clients TCP Ports Comments BitTorrent BitTorrent v4.0.1 6881-6889, 6969 Supported Bittorrent Sync as of PP#38 Android v-1.1.37, iOS v-1.1.118 ans PC exeem v0.23 v-1.1.27.
    [Show full text]
  • Peer to Peer Resources
    Peer To Peer Resources By Marcus P. Zillman, M.S., A.M.H.A. Executive Director – Virtual Private Library [email protected] This January 2009 column Peer To Peer Resources is a comprehensive list of peer to peer resources, sources and sites available over the Internet and the World Wide Web including peer to peer, file sharing, and grid and matrix search engines. The below list is taken from the peer to peer research section of my Subject Tracer™ Information Blog titled Deep Web Research and is constantly updated with Subject Tracer™ bots at the following URL: http://www.DeepWebResearch.info/ These resources and sources will help you to discover the many pathways available to you through the Internet for obtaining and locating peer to peer sources in todays rapidly changing data procurement society. This is a MUST information keeper for those seeking the latest and greatest peer to peer resources! Peer To Peer Resources: ALPINE Network - SourceForge: Project http://sourceforge.net/projects/alpine/ An Efficient Scheme for Query Processing on Peer-to-Peer Networks http://aeolusres.homestead.com/files/index.html angrycoffee.com http://www.AngryCoffee.com/ Azureus - Vuze Java Bittorrent Client http://azureus.sourceforge.net/ 1 January 2009 Zillman Column – Peer To Peer Resources http://www.zillmancolumns.com/ [email protected] © 2009 Marcus P. Zillman, M.S., A.M.H.A. BadBlue http://badblue.com/ Between Rhizomes and Trees: P2P Information Systems by Bryn Loban http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1182
    [Show full text]
  • Internet Contract
    Diocese of Youngstown Office of Catholic Schools Our Lady of Peace Revised 2005 Student use of the INTERNET Educational Acceptable Use Policy and Agreement Student use of the Internet on school computer hardware, on school premises, or through school obtained accounts, both on-site and through remote connections, is governed in accordance with Diocesan Policy, the policies of the Administrators’ Handbook and the Student/ Family Handbook. The MISSION of OLOP school Technology Committee, working in partnership with faculty, students and administrators, is to research and deploy common everyday technology into the infrastructure in such a way as to benefit the students and staff not by teaching technology, but teaching how to utilize existing technologies to gain a richer learning experience and understanding of how to most effectively utilize the technology that is now so common place in our everyday lives. Please read the following carefully before signing the attached agreement. INTRODUCTION: The Our Lady Of Peace School (OLOP) offers world wide web Internet access to your child at his/her school. OLOP provides computer equipment, computer services, and Internet access to its students and staff for educational purposes only, offering vast, diverse, and unique resources to promote educational excellence at OLOP School. The purpose of this document is to inform parents, guardians and students and all users of the availability of the Internet resources, as well as the rules governing its use, and to obtain express parental or guardian permission for an individual student to use technology and the Internet while at school. The computer system and all computer software and hardware is the property of the school.
    [Show full text]
  • The Copyright Crusade
    The Copyright Crusade Abstract During the winter and spring of 2001, the author, chief technology officer in Viant's media and entertainment practice, led an extensive inqUiry to assess the potential impact of extant Internet file-sharing capabilities on the business models of copyright owners and holders. During the course of this project he and his associates explored the tensions that exist or may soon exist among peer-to-peer start-ups, "pirates" and "hackers," intellectual property companies, established media channels, and unwitting consumers caught in the middle. This research report gives the context for the battleground that has emerged, and calls upon the players to consider new, productive solutions and business models that support profitable, legal access to intellectual property via digital media. by Andrew C Frank. eTO [email protected] Viant Media and Entertainment Reinhold Bel/tIer [email protected] Aaron Markham [email protected] assisted by Bmre Forest ~ VI ANT 1 Call to Arms Well before the Internet. it was known that PCs connected to two-way public networks posed a problem for copyright holders. The problem first came to light when the Software Publishers Association (now the Software & Information Industry Association), with the backing of Microsoft and others, took on computer Bulletin Board System (BBS) operators in the late 1980s for facilitating trade in copyrighted computer software, making examples of "sysops" (as system operators were then known) by assisting the FBI in orchestrat­ ing raids on their homes. and taking similar legal action against institutional piracy in high profile U.S. businesses and universities.' At the same time.
    [Show full text]
  • Instructions for Using Your PC ǍʻĒˊ Ƽ͔ūś
    Instructions for using your PC ǍʻĒˊ ƽ͔ūś Be careful with computer viruses !!! Be careful of sending ᡅĽ/ͼ͛ᩥਜ਼ƶ҉ɦϹ࿕ZPǎ Ǖễƅ͟¦ᰈ Make sure to install anti-virus software in your PC personal profile and ᡅƽញƼɦḳâ 5☦ՈǍʻPǎᡅ !!! information !!! It is very dangerous !!! ᫬ΚTẝ«ŵ┭ՈT Stop violation of copyright concerning illegal acts of ơųጛňƿՈ☢ͩ ⚷<ǕO਍ᜐ&« transmitting music and ₑᡅՈϔǒ]ᡅ others through the Don’t forget to backup ඡȭ]dzÑՈ Internet !!! important data !!! Ȥᩴ̣é If another person looks in at your E-mail, it’s a big ὲâΞȘᝯɣ׏r problem !!! Don’t install software in dz]ǣrPǎᡅ ]ᡅîPéḳâ╓ ͛ƽញ4̶ᾬϹ࿕ ۅTake care of keeping your some other PCs without ੥ˊΙǺ password !!! permission !!! ₐ Stop sending the followings !!! ؄ŌՈϹوInformation against public order and Somebody targets on your PC for Pǎ]ᡅǕễạǑ͘͝ࢭÛ ΞȘƅ¦Ƿń morals illegal access !!! Ոƅ͟ǻᢊ᫁᫨ĐՈ ࿕Ϭ⓶̗ʵ£࿁îƷljĈ Information about discrimination, Shut out those attacks with firewall untruth and bad reputation against a !!! Ǎʻ ᰻ǡT person ᤘἌ᭔ ᆘჍഀ ጠᅼૐᾑ ᭼᭨᭞ᮞęɪᬡ෉ᬡǰɟ ᆘȐೈ࿴ ᾑ૥ ጠᅼ3ظ ᤘἌ᭔ ǰɟᯓۀ᭞ᮞ᭿ᮐᮧ᭪᭑᭎ᮖ᭤ᬞᬢ ഄᅤ Έʡȩîᬡ͒ͮᬢـ ᅼܘᆘȐೈ ǸᆜሹظᤘἌ᭔࿴ ཬᴔ ᭼᭨᭞ᮞᬞᬢŽᬍ᭑᭎ᮖ᭤̛ɏ᭨ᮀ᭳ᭅ ரἨ᳜ᄌ࿘Π ؼ˨ഀ ୈ᡼ὼ$ ഄጵ↬3L ʍ୰ᬞᯓ ᄨῼ33 Ȋථᬚᬌᬻᯓ ഄ˽ ઁǢᬝຨϙଙͮـᅰჴڹެ ሤᆵͨ˜Ɍ ጵႸᾀ żᆘ᭔ ᬝᬜ᫞Ϊ̎UઁɃᬢ ࡶ୰ᬝ᭲ᮧ᭪ᬢ ᄨؼᾭᄨ ᾑ૥ ٕ࿩ᅨ ΰ̛ᬞ᭫ᮌᯓ ᭻᭮᭚᭍᭮ᮂᭅ ሬČ ཬȴ3 ᾘɤɟ3 Ƌᬿᬍᬞᯓ ᫾ᬿᬒᬼۏąഄᅼ Ѹᆠᅨ ᮌᮧᮖᭅ ⃸ᛴܠ ఼ ᆬð3 ᤘἌ᭔࿴ ƂŬᯓ ᭨ᮀ᭳᭑᭒᭍ᭅƖ̳ᬞ ĩᬡ᭼᭨᭞ᮞᬞٴ ரἨ᳜ᄌ࿘ ᭼᭤ᮚᮧ᭴ᬡɼǂᬢ ڹެ ᵌೈჰ˨ ˜ϐ ᛄሤ↬3 ᆜೈᯌ ϤᏤ ᬊᬖ᫾ᬽᬊᬻ᫹ᯓ ᭏ᮞ᭤᭳ᮧᮖᬊᬝ᫷ᬚ ሬČʀ ͌ǜ ąഄᅼ ΰ̛ᬞ ޅ᫾᫿᫵ᬝᬒᬡ᭼᭨᭞ᮞᭅ ᤘἌ᭔Π ͬϐʼ ᆬð3 ʏͦᬞɃᬌᬾȩî ēᬖᬙ᫷ᬾᯓ ܘˑˑᏬୀΠ ᄨؼὼ ሹ ߍɋᬞ᫵ᬒᬾȩî ᮀᭌ᭏᭍᭑᭔ᮧᮖwƫᬚފᴰᆘ࿘ჸ $±ᅠʀ =Ė ܘ૥Čٍᅨ ᙌۨ5ࡨٍὼ ሹ ഄϤᏤ ᤘἌ᭔ ኩ˰Π3 ᬢ͒ͮᬊᬝ᫷ᯓ ᭢ᮎ᭮᭳᭍᭑᭳ᬊᬻ᫹ᯓـ ʧʧ¥¥ᬚᬚP2PP2P᭨᭨ᮀᮀ᭳᭳᭑᭑᭒᭒᭍᭍ᬢᬢ DODO NOTNOT useuse P2PP2P softwaresoftware ̦̦ɪɪᬚᬚᬀᬀᬱᬱᬎᬎᭆᭆᯓᯓ inin campuscampus networknetwork !!!! Z ʧ¥᭸᭮᭳ᮚᮧ᭚ᬞ᫽ᬄᬾ੒ͮᬢȴƏΜˉ᭢᭤᭱ Z All communications in our campus network are ᬈᬿᬙ᫷ᬱᬌ᫟ʧ¥ᬚP2P᭨ᮀ always monitored automatically.
    [Show full text]
  • State of the Art in Peer-To-Peer Performance Testing
    State of the Art in Peer-to-Peer Performance Testing European Advanced Networking Test Center About EANTC The European Advanced Networking Test Center (EANTC) offers vendor independent network quality assurance since 1991 Business Areas Test and certification of network components for manufacturers Network design consultancy and proof of concept testing for service providers Request for Proposal (RfP) support, acceptance testing and network audits for large enterprises and government organizations EANTC Berlin, Germany Agenda 1. How much P2P traffic is out there today? 2. What categories of DPI detection solutions exist? 3. How is EANTC testing P2P filters? What are the key performance indicators? 4. What were the results of the InternetEvolution test? P2P Internet Statistics Traffic Statistics Germany P2P Protocols in Germany P2P 74% BitTorrent 66% eDonkey 29% HTTP 11% Tunnel/ Other df Encryption Media Streaming 0% Gnutella 0% DirectConnect NNTP DDL* 8% 4% 1% 0% 5% FTP E-Mail IM VoIP/Skype 1% 0% 0% 1% * DDL: Direct download links of one-click file hoster like RapidShare.com or MegaUpload.com Source: ipoque Internet study 2007 P2P Detection – Signature Based Each P2P protocol has its own mechanism to manage the P2P network and coordinate the traffic distribution P2P filter devices search for protocol specific pattern (signature) in each IP packet to identify P2P traffic Deep Packet Inspection (DPI) - once the signature is identified the detection reliability is high Encrypted P2P traffic is hard to identify with this method BitTorrent Signature Example BitTorrent Signature P2P Detection – Behavior Based P2P software implements mechanism to avoid detection – obfuscation (e.g. encrypted transfer) P2P traffic has specific behavior: Each client opens connections to many other clients file/tracker requests and file search (mostly not encrypted) File Search/Request (not encrypted) .
    [Show full text]
  • Peer-To-Peer Protocol and Application Detection Support
    Peer-to-Peer Protocol and Application Detection Support This appendix lists all the protocols and applications currently supported by Cisco ASR 5500 ADC. • Supported Protocols and Applications, on page 1 Supported Protocols and Applications This section lists all the supported P2P protocols, sub-protocols, and the applications using these protocols. Important Please note that various client versions are supported for the protocols. The client versions listed in the table below are the latest supported version(s). Important Please note that the release version in the Supported from Release column has changed for protocols/applications that are new since the ADC plugin release in August 2015. This will now be the ADC Plugin Build number in the x.xxx.xxx format. The previous releases were versioned as 1.1 (ADC plugin release for December 2012 ), 1.2 (ADC plugin release for April 2013), and so on for consecutive releases. New in this Release This section lists the supported P2P protocols, sub-protocols and applications introduced in the ADC Plugin release for November 28, 2019. None in this release. All Supported Protocols and Applications This section lists all the supported P2P protocols, sub-protocols and applications supported until ADC Plugin release on October 31, 2019. Peer-to-Peer Protocol and Application Detection Support 1 Peer-to-Peer Protocol and Application Detection Support All Supported Protocols and Applications Protocol / Client Client Version Group Classification Supported from Application Release 120Sports 120Sports 1.6
    [Show full text]
  • IBM Qradar : Qradar Application Configuration Guide Chapter 1
    IBM QRadar Version 7.4.1 Application Configuration Guide IBM Note Before you use this information and the product that it supports, read the information in “Notices” on page 51. Product information This document applies to IBM® QRadar® Security Intelligence Platform 7.4.2 and subsequent releases unless superseded by an updated version of this document. © Copyright International Business Machines Corporation 2014, 2020. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents About this guide.................................................................................................... v Chapter 1. Application mappings........................................................................... 1 Defining new applications............................................................................................................................1 Defining application mappings...............................................................................................................2 Defining application signatures..............................................................................................................4 Chapter 2. Default applications..............................................................................9 ICMP type and code IDs............................................................................................................................ 40 Port IDs.....................................................................................................................................................
    [Show full text]
  • Listening in Cyberspace
    CHAPTER EIGHT LISTENING IN CYBERSPACE I am exercising at the University Recreation Center and hear some unfa- miliar rap coming from the weight room stereo. The attendant, a stu- dent, tells me that we’re listening to a homemade compilation CD of songs he downloaded from the Internet. The music reminds me of another rapper, and I take out my portable MP3 player and bring up a song. I hand the headphones to the attendant, who listens, bobbing his head in appreciation. I receive an e-mail from a professor of musicology in Rio De Janeiro who had recently downloaded my dissertation from the Internet. He wants to assign a chapter to his students but doesn’t have access to certain record- ings I cite. Could I possibly e-mail them to him as MP3s? I do, and within seconds he is able to listen to these recordings, now better able to make use of my work, whether to share, discuss, confirm, or contest it. I am in a store and hear an unfamiliar R&B song that piques my inter- est, as it unexpectedly quotes a classical piano piece, Erik Satie’s Gymno- pedies, no. 1. When I get home to my computer I go to a search engine and enter a fragment of the lyrics I remember; I quickly find that the song is Janet Jackson’s “Someone to Call My Lover.” I then call up one of a 158 series of file-sharing programs I’ve used since the demise of Napster and search for the song.
    [Show full text]