1 / 22

Unconstrained Endpoint Profiling

Googling the Internet. Unconstrained Endpoint Profiling. Ionut Trestian , Supranamaya Ranjan , Alekandar Kuzmanovic , Antonio Nucci Reviewed by Lee Young Soo. Introduction. Obtaining ‘raw’ packet trace from operational networks can be very hard.

kimi
Télécharger la présentation

Unconstrained Endpoint Profiling

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Googling the Internet Unconstrained Endpoint Profiling IonutTrestian, SupranamayaRanjan, AlekandarKuzmanovic, Antonio Nucci Reviewed by Lee Young Soo

  2. Introduction • Obtaining ‘raw’ packet trace from operational networks can be very hard. • Accurately classifying in an online fashion at high speeds is an inherently hard problem.

  3. Unconstrained Endpoint Profiling • Introduction of a novel methodology. • No operational traces are available • Packet-level traces are available • Sampled flow-level traces are available • Internet access trend analysis for four world regions.

  4. Methodology • Rule Generation • Querying Google using a sample ‘seed set’ ofrandom IP address from the networks in four world regions. • Constrain top N keywords that could be meaningfully used for endpoint classification.

  5. Methodology

  6. Methodology • Web Classifier • Rapid URL search • Hit text search • Example URL : www.robtex.com/dns/32.net.ru.html

  7. Methodology • IP tagging • URL based tagging • General hit text based tagging • Hit text based tagging for Forums • Post-date & username is in the vicinity of the IP address =>forum user • Presence of following keywords :http:\, ftp:\, ppstream:\, mms:\ => http share, ftp share, streaming node

  8. Methodology • Examples • 200.101.18.182-inforum.insite.com • URL based tagging • 61.172.249.13-ttzai.com • Hit text based tagging for Forum

  9. Information come from • Web logs • Proxy logs • Forums • Malicious list • Server list • P2P communication

  10. Evaluation • When No Traces are Available. • When Packet-Level Trace are Available. • When Sampled Trace are Available.

  11. When No Traces are Available • Applying the unconstrained endpoint approach on a subset of the IP range belonging to four ISPs shown in above table.

  12. When No Traces are Available

  13. When No Traces are Available

  14. When Packet-Level Trace are Available

  15. When Packet-Level Trace are Available • Collect most popular 5% of IP address and tag them by applying the methodology. • Use this information to classify the traffic flow.

  16. When Packet-Level Trace are Available

  17. When Sampled Trace are Available • Due to sampling, insufficient amount of data remains in the trace, and hence the graphlets approach simply does not work. • Popular endpoint are still present in the trace, despite sampling.

  18. When Sampled Trace are Available • Endpoint approach remains largely unaffected by sampling.

  19. Endpoint Profiling • Endpoint Clustering • Employ clustering in networking has been done before : Autoclass algorithm. • A set of tagged IP addresses from region’s network Input to the endpoint clustering algorithm.

  20. Endpoint Profiling • Browsing, browsing and chat or mail seems to be most common behavior.

  21. Endpoint Profiling • Traffic Locality

  22. Conclusion • UEP • Accurately predict application and protocol usage trends when no network traces are available. • Dramatically out perform when packet traces are available. • Retain high classification capabilities when flow-level traces are available. • Profile endpoints residing at four different world regions. • Network applications and protocols used in these region. • Characteristics of endpoint classes that share similar access patterns. • Clients’ locality properties.

More Related