Load Transformations and their Usage for Traffic Prediction and Understanding in Networks with Security Requirements


Team Leader

Prof. Dr. Georg Carle

Scientists

Gerhard Münz
Lothar Braun

Partners

Telecommunications And Computer Networks, University of Hamburg

Funding

Deutsche Forschungsgemeinschaft (German Research Foundation)

Project Time

01.11.2007 - 31.10.2010

Project Description

Realistic modeling and prediction of traffic in complex networking environments, and network monitoring and traffic analysis for traffic characterization and network security, are two research areas with many unsolved problems. The LUPUS research project aims to find novel modeling and analysis solutions by combining the know-how and expertise of both areas. Work on new traffic models concentrates on the load transformation approach, which translates arrival sequences at the application layer (e.g. request or message lengths) into arrival sequences at the network layer (packets). With respect to traffic analysis, one research goal is to invert the load transformation in order to infer application-layer loads from monitored packet traffic. Further traffic analysis methods under consideration are network data mining and payload-based traffic identification. Traffic analysis relies on monitoring data collected with the help of adaptive passive and active network monitoring techniques. The expected scientific outcome of the project is improved security management and performance monitoring in communication networks.
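To make the load transformation concrete, the following added example (not code from the LUPUS project) cuts application-layer requests into TCP segments and then reconstructs the request lengths from the segment sequence alone, which is the inversion problem described above. The MSS value, the segmentation model and the end-of-message heuristics used here (a segment shorter than the MSS, the PSH flag, a change of transmission direction) are assumptions chosen for this illustration; the page does not state which TCP properties the project's own reconstruction relies on. The sample request sequence is constructed.

```python
"""Forward and inverse load transformation between application-layer
requests and TCP segments.

Added example, not project code. Segmentation model and end-of-message
heuristics are illustrative assumptions.
"""
from collections import namedtuple

MSS = 1460  # assumed maximum segment size (bytes)

# direction: "c" = client -> server, "s" = server -> client
Segment = namedtuple("Segment", "direction length psh")


def transform_load(requests, mss=MSS):
    """Forward transformation: (direction, message_length) pairs at the
    application layer -> sequence of TCP payload segments.

    Each message is cut into full-size segments plus one remainder; the
    sender is assumed to set PSH on the last segment of a message (common
    stack behaviour, but not guaranteed by TCP).
    """
    segments = []
    for direction, length in requests:
        remaining = length
        while remaining > 0:
            size = min(remaining, mss)
            remaining -= size
            segments.append(Segment(direction, size, remaining == 0))
    return segments


def invert_load(segments, mss=MSS, use_psh=True):
    """Inverse transformation: reconstruct (direction, message_length)
    pairs from an observed segment sequence.

    A message is assumed to end when its segment is shorter than the MSS,
    carries PSH (only if use_psh), is the last segment, or is followed by
    a segment in the opposite direction.  A message whose length is an
    exact multiple of the MSS therefore ends with a full-size segment and
    is merged with the following message unless PSH or a direction change
    marks its end.
    """
    messages = []
    current_len = 0
    for i, seg in enumerate(segments):
        current_len += seg.length
        last = i == len(segments) - 1
        direction_changes = not last and segments[i + 1].direction != seg.direction
        if seg.length < mss or (use_psh and seg.psh) or last or direction_changes:
            messages.append((seg.direction, current_len))
            current_len = 0
    return messages


# Constructed sample: a small request, a 3000-byte response, then a
# client message of exactly 2 * MSS followed by a short one.
SAMPLE_REQUESTS = [("c", 300), ("s", 3000), ("c", 2920), ("c", 100)]


if __name__ == "__main__":
    segs = transform_load(SAMPLE_REQUESTS)
    print("segments:", [(s.direction, s.length, s.psh) for s in segs])
    print("with PSH:   ", invert_load(segs))
    print("without PSH:", invert_load(segs, use_psh=False))
```

With the PSH heuristic enabled the original four requests are recovered exactly; without it the 2920-byte message (an exact multiple of the MSS) is merged with the following 100-byte message, which is the kind of ambiguity any inversion of the load transformation has to live with.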

Research Topics

Traffic Measurement
The open-source monitoring toolkit VERMONT provides the basis for packet- and flow-based traffic measurements in LUPUS. VERMONT uses the IPFIX protocol to transport traffic measurement data from an observation point to a remote collector.
Within the LUPUS project, VERMONT has been extended to protect the IPFIX data transfer (integrity and confidentiality of the exported measurement data) using DTLS over UDP and over SCTP. We discuss issues and recommendations regarding the implementation of DTLS for IPFIX in an Internet-Draft. Further research activities deal with scalable connection-based packet sampling, which can be combined with signature detection and deep packet inspection, and with traffic monitoring in 10GE networks.
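The IPFIX transport discussed above is easier to reason about with the wire format in hand. The following added example (not VERMONT code) encodes and decodes an IPFIX message as specified in RFC 7011, restricted to fixed-length Information Elements; variable-length fields, options templates and the DTLS/SCTP transport itself are out of scope. The sample message, its two flow records and all helper names are constructed for this illustration.

```python
"""Minimal IPFIX (RFC 7011) encoder/decoder for fixed-length templates.
Added example, not VERMONT code. Sample message below is constructed."""
import ipaddress
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
IPV4_IES = {8, 12}  # sourceIPv4Address, destinationIPv4Address
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}


def encode_field(ie_id, length, value):
    if ie_id in IPV4_IES:
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")


def decode_field(ie_id, raw):
    if ie_id in IPV4_IES and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def build_message(odid, export_time, seq, template_id, fields, records):
    """One IPFIX message: 16-byte header, a template set, one data set."""
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    body = b"".join(encode_field(ie, ln, v)
                    for rec in records for (ie, ln), v in zip(fields, rec))
    data_set = struct.pack("!HH", template_id, 4 + len(body)) + body
    total = 16 + len(template_set) + len(data_set)
    header = struct.pack("!HHIII", IPFIX_VERSION, total, export_time, seq, odid)
    return header + template_set + data_set


def parse_template_set(payload, odid, templates):
    pos = 0
    while pos + 4 <= len(payload):
        template_id, field_count = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if template_id < 256:          # zero padding at the end of the set
            break
        fields = []
        for _ in range(field_count):
            ie_id, length = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ie_id & 0x8000:         # enterprise bit: a 4-byte PEN follows
                pen = struct.unpack("!I", payload[pos:pos + 4])[0]
                pos += 4
                ie_id = (pen, ie_id & 0x7FFF)
            if length == 65535:
                raise ValueError("variable-length IEs not supported here")
            fields.append((ie_id, length))
        # Templates are scoped by (observation domain, template ID). Over plain
        # UDP nothing authenticates the exporter, so a spoofed template set would
        # silently redefine how all later data records are decoded.
        templates[(odid, template_id)] = fields


def parse_data_set(payload, fields):
    record_len = sum(ln for _, ln in fields)
    records, pos = [], 0
    # a tail shorter than one record is padding (RFC 7011 allows it)
    while record_len and pos + record_len <= len(payload):
        rec = {}
        for ie_id, ln in fields:
            rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = decode_field(ie_id, payload[pos:pos + ln])
            pos += ln
        records.append(rec)
    return records


def parse_message(data, templates=None):
    """Decode one message; `templates` persists across messages. Data sets
    whose template is still unknown are skipped (a collector buffers them)."""
    templates = {} if templates is None else templates
    if len(data) < 16:
        raise ValueError("truncated IPFIX header")
    version, length, export_time, seq, odid = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION or length < 16 or length > len(data):
        raise ValueError("bad version or message length")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("set length exceeds message")
        payload = data[offset + 4:offset + set_len]
        if set_id == TEMPLATE_SET_ID:
            parse_template_set(payload, odid, templates)
        elif set_id >= 256 and (odid, set_id) in templates:
            records.extend(parse_data_set(payload, templates[(odid, set_id)]))
        offset += set_len  # options templates (3) and reserved IDs are skipped
    return {"export_time": export_time, "sequence": seq, "odid": odid}, records, templates


def is_well_formed(data):
    try:
        parse_message(data)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample: template 256 with seven fixed-length IEs, two flow records.
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]
SAMPLE_RECORDS = [["192.0.2.10", "198.51.100.5", 51234, 443, 6, 18432, 27],
                  ["192.0.2.10", "198.51.100.7", 51235, 80, 6, 1200, 5]]
SAMPLE_MESSAGE = build_message(1, 1293840000, 0, 256, FIELDS, SAMPLE_RECORDS)

if __name__ == "__main__":
    hdr, recs, _ = parse_message(SAMPLE_MESSAGE)
    print(hdr)
    for r in recs:
        print(r)
```

Two points are worth noting for a collector. Every length field (message, set, record) is checked against the enclosing structure before it is used as an offset, so a truncated or malformed datagram is rejected rather than read past its end. And because data records are only interpretable through a previously received template, an unauthenticated UDP transport lets anyone who can spoof the exporter's address redefine templates for an observation domain; protecting the export path with DTLS, as done for VERMONT in this project, is what ties templates and data to an authenticated exporter.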

Traffic Classification
We are working on statistical traffic classification methods that do not rely on inspecting packet payload. One of our classification approaches is based on visible Markov models, i.e. Markov models with observable states, which, in contrast to hidden Markov models (HMMs), are easier to estimate. Moreover, we are studying whether transforming packet traces into request sequences on higher protocol layers improves the classification results.
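The following added example (not the project's implementation) shows an observable-state Markov classifier for TCP connections. Each of the first payload-carrying packets of a connection is mapped to a state built from its direction and a coarse payload-length bin; one initial distribution and one transition matrix per application class are then estimated by plain counting, which is what makes such models easier to estimate than HMMs, where the state sequence is unobserved. The bin edges, the number of packets modelled, the add-one smoothing and the two constructed training classes ("bulk" and "interactive") are assumptions of this illustration, not parameters taken from the project's papers.

```python
"""Observable-state Markov model classifier for TCP connections.
Added example, not project code. Bin edges, packet count, smoothing and
training data are illustrative assumptions."""
import bisect
import math
from collections import Counter, defaultdict

MAX_PACKETS = 6                      # assumed: only the first packets are modelled
LENGTH_EDGES = (1, 100, 500, 1000)   # assumed payload-length bin edges in bytes


def state_of(direction, payload_len):
    """State of one packet: direction ("c" client->server, "s" server->client)
    plus a length bin 0..4 (0 = no payload). 2 directions x 5 bins = 10 states."""
    return (direction, bisect.bisect_right(LENGTH_EDGES, payload_len))


class MarkovClassifier:
    def __init__(self, max_packets=MAX_PACKETS):
        self.max_packets = max_packets
        self.start = defaultdict(Counter)   # label -> Counter of first states
        self.trans = defaultdict(Counter)   # label -> Counter of (state, next)
        self.total = defaultdict(int)       # label -> number of training connections
        self.states = set()                 # every state seen in training

    def fit(self, label, connections):
        """Estimate the model of one class by counting; no iterative
        training (as EM for an HMM would need) is required."""
        for conn in connections:
            seq = [state_of(d, n) for d, n in conn[:self.max_packets]]
            if not seq:
                continue
            self.states.update(seq)
            self.start[label][seq[0]] += 1
            self.total[label] += 1
            for a, b in zip(seq, seq[1:]):
                self.trans[label][(a, b)] += 1

    def log_likelihood(self, label, conn):
        """log P(state sequence | class) with add-one smoothing over the
        training alphabet, so unseen transitions get a small non-zero mass."""
        seq = [state_of(d, n) for d, n in conn[:self.max_packets]]
        if not seq:
            return float("-inf")
        k = len(self.states)
        ll = math.log((self.start[label][seq[0]] + 1) / (self.total[label] + k))
        for a, b in zip(seq, seq[1:]):
            out = sum(c for (s, _), c in self.trans[label].items() if s == a)
            ll += math.log((self.trans[label][(a, b)] + 1) / (out + k))
        return ll

    def classify(self, conn):
        scores = {label: self.log_likelihood(label, conn) for label in self.total}
        return max(scores, key=scores.get)


# Constructed training data: (direction, payload length) of the first packets.
BULK = [  # short request, long response
    [("c", 320), ("s", 1460), ("s", 1460), ("s", 1460), ("s", 900), ("c", 280)],
    [("c", 410), ("s", 1460), ("s", 1460), ("s", 640)],
    [("c", 250), ("s", 1460), ("s", 1460), ("s", 1460), ("s", 1460), ("s", 1200)],
]
INTERACTIVE = [  # small messages alternating in both directions
    [("c", 21), ("s", 21), ("c", 48), ("s", 48), ("c", 48), ("s", 48)],
    [("c", 21), ("s", 21), ("c", 64), ("s", 64), ("c", 64), ("s", 64)],
    [("c", 21), ("s", 21), ("c", 48), ("s", 80), ("c", 48), ("s", 80)],
]


def train_demo():
    clf = MarkovClassifier()
    clf.fit("bulk", BULK)
    clf.fit("interactive", INTERACTIVE)
    return clf


if __name__ == "__main__":
    clf = train_demo()
    for conn in ([("c", 300), ("s", 1460), ("s", 1460), ("s", 700)],
                 [("c", 30), ("s", 30), ("c", 50), ("s", 50)]):
        print(conn, "->", clf.classify(conn))
```

The classifier works on any sequence of (direction, length) pairs, so the same code can be trained on reconstructed request-length sequences instead of raw packet lengths, which is the higher-layer transformation whose effect on classification accuracy is being studied.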

Student Theses

[1] Robert Kulzer. Untersuchung und Vergleich von Client-Honeypots (Investigation and Comparison of Client Honeypots). Bachelor thesis, October 2010.
[2] Philipp Lowack. Verteilte Untersuchung von Botnetzen (Distributed Investigation of Botnets). Bachelor thesis, October 2010.
[3] Franz Saller. Dynamische Malware-Analyse mittels transparenter Emulation von Internet-Diensten (Dynamic Malware Analysis by Transparent Emulation of Internet Services). Bachelor thesis, October 2010.
[4] Alexander Didebulidze. Leistungsbewertung und Verbesserung des Packet-Capturings mit PC-Hardware (Performance Evaluation and Improvement of Packet Capturing on PC Hardware). Diploma thesis, April 2010.
[5] Yukun Huang. Verkehrsklassifizierung mit Methoden des maschinellen Lernens (Traffic Classification with Machine Learning Methods). Diploma thesis, January 2010.
[6] Sebastian Krebs. Untersuchung von DNS-Verkehr durch passive Verkehrsmessungen (Analysis of DNS Traffic by Passive Traffic Measurements). Bachelor thesis, 2010.
[7] Daniel Mentz. Sichere und effiziente Übertragung von Verkehrsmessdaten (Secure and Efficient Transport of Traffic Measurement Data). Diploma thesis, January 2010.
[8] Benjamin Wiesmüller. Untersuchung von TCP-Eigenschaften zur Rekonstruktion von Nachrichtenlängen (Investigation of TCP Properties for the Reconstruction of Message Lengths). Bachelor thesis, September 2009.
[9] Hui Dai. Verkehrscharakterisierung anhand von Flow-Eigenschaften (Traffic Characterization Based on Flow Properties). Diploma thesis, May 2009.
[10] Lothar Braun. Verkehrscharakterisierung und Wurmerkennung mit gesampelten Paketen (Traffic Characterization and Worm Detection with Sampled Packets). Diploma thesis, University of Tübingen, May 2008.

Related Publications

[1] Gerhard Münz, Benoit Claise, and Paul Aitken. Configuration Data Model for the IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Protocols. RFC 6728, October 2012.
[2] Thomas Dietz, Atsushi Kobayashi, Benoit Claise, and Gerhard Münz. Definitions of Managed Objects for IP Flow Information Export. RFC 6615 (obsoletes RFC 5815), June 2012.
[3] Benoit Claise, Paul Aitken, Andrew Johnson, and Gerhard Münz. IP Flow Information Export (IPFIX) Per Stream Control Transmission Protocol (SCTP) Stream. RFC 6526, March 2012.
[4] Daniel Mentz, Gerhard Münz, and Lothar Braun. Recommendations for Implementing IPFIX over DTLS. Internet-Draft (work in progress), draft-mentz-ipfix-dtls-recommendations-02, March 2011.
[5] Gerhard Münz, Stephan Heckmüller, Lothar Braun, and Georg Carle. Improving Markov-based TCP Traffic Classification. In Proceedings of Communication in Distributed Systems (KiVS) 2011, Kiel, Germany, March 2011.
[6] Lothar Braun, Alexander Didebulidze, Nils Kammenhuber, and Georg Carle. Comparing and Improving Current Packet Capturing Solutions Based on Commodity Hardware. In Proceedings of the Internet Measurement Conference (IMC 2010), Melbourne, Australia, November 2010.
[7] Stephan Heckmüller, Gerhard Münz, Lothar Braun, Aaron Kunde, Bernd E. Wolfinger, and Georg Carle. Lasttransformation durch Rekonstruktion von Auftragslängen anhand von Paketdaten (Load Transformation by Reconstructing Request Lengths from Packet Data). Praxis der Informationsverarbeitung und Kommunikation (PIK), 33(2), June 2010.
[8] Gerhard Münz, Lothar Braun, Hui Dai, and Georg Carle. TCP-Verkehrsklassifizierung mit Markov-Modellen (TCP Traffic Classification with Markov Models). Praxis der Informationsverarbeitung und Kommunikation (PIK), 33(2), June 2010.
[9] Lothar Braun, Gerhard Münz, and Georg Carle. Packet Sampling for Worm and Botnet Detection in TCP Connections. In Proceedings of IEEE/IFIP Network Operations and Management Symposium (NOMS) 2010, Osaka, Japan, April 2010.
[10] Thomas Dietz, Atsushi Kobayashi, Benoit Claise, and Gerhard Münz. Definitions of Managed Objects for IP Flow Information Export. RFC 5815, April 2010.
[11] Gerhard Münz, Hui Dai, Lothar Braun, and Georg Carle. TCP Traffic Classification Using Markov Models. In Proceedings of the Traffic Monitoring and Analysis Workshop (TMA) 2010, Zurich, Switzerland, April 2010.
[12] Hui Dai, Gerhard Münz, Lothar Braun, and Georg Carle. TCP-Verkehrsklassifizierung mit Markov-Modellen (TCP Traffic Classification with Markov Models). In Proceedings of the 5th GI/ITG Workshop MMBnet 2009 (Leistungs-, Zuverlässigkeits- und Verlässlichkeitsbewertung von Kommunikationsnetzen und Verteilten Systemen), Hamburg, Germany, September 2009.
[13] Stephan Heckmüller, Gerhard Münz, Lothar Braun, Aaron Kunde, Bernd E. Wolfinger, and Georg Carle. Lasttransformation durch Rekonstruktion von Auftragslängen anhand von Paketdaten (Load Transformation by Reconstructing Request Lengths from Packet Data). In Proceedings of the 5th GI/ITG Workshop MMBnet 2009 (Leistungs-, Zuverlässigkeits- und Verlässlichkeitsbewertung von Kommunikationsnetzen und Verteilten Systemen), Hamburg, Germany, September 2009.
[14] Gerhard Münz and Georg Carle. Application of Forecasting Techniques and Control Charts for Traffic Anomaly Detection. In Proceedings of the 19th ITC Specialist Seminar on Network Usage and Traffic, Berlin, Germany, October 2008.
[15] Gerhard Münz and Lothar Braun. Lossless Compression for IP Flow Information Export (IPFIX). Internet-Draft (work in progress), draft-muenz-ipfix-compression-00, July 2008.
[16] Gerhard Münz and Georg Carle. Distributed Network Analysis Using TOPAS and Wireshark. In Proceedings of the IEEE Workshop on End-to-End Monitoring Techniques and Services (E2EMon 2008), Salvador-Bahia, Brazil, April 2008.
[17] Gerhard Münz, Nico Weber, and Georg Carle. Signature Detection in Sampled Packets. In Proceedings of the Workshop on Monitoring, Attack Detection and Mitigation (MonAM) 2007, Toulouse, France, November 2007.
[18] Gerhard Münz, Sa Li, and Georg Carle. Traffic Anomaly Detection Using k-means Clustering. In Proceedings of the 4th GI/ITG Workshop MMBnet 2007 (Leistungs-, Zuverlässigkeits- und Verlässlichkeitsbewertung von Kommunikationsnetzen und Verteilten Systemen), Hamburg, Germany, September 2007.
[18] Gerhard Münz, Sa Li, and Georg Carle. Traffic anomaly detection using k-means clustering. In Proceedings of Leistungs-, Zuverlässigkeits- und Verlässlichkeitsbewertung von Kommunikationsnetzen und Verteilten Systemen, 4. GI/ITG-Workshop MMBnet 2007, Hamburg, Germany, September 2007. [ .pdf ]