Prob. Traffic analysis Flashcards

1
Q

Flow identifier

A

FID {Src IP, Dst IP, Src Port, Dst Port, Protocol}
Some applications are only interested in a subset of the header fields:
- DoS detection {*, Dst IP, *, *, *}
- source bandwidth monitoring {Src IP, *, *, *, *}

2
Q

Why is traffic monitoring difficult?

A
  • traffic grows fast
  • traffic increases during attacks -> the system fails exactly when it is needed
  • the attacker can target the monitoring system itself
3
Q

Algorithm to select one individual with uniform probability 1/n out of a population of unknown size n.
You have a cache of size 1 to temporarily keep one individual.

A

Keep the i-th individual in the cache with probability 1/i (replacing the current one).

-> The i-th individual is chosen with prob. 1/i and survives all later replacements with prob. (i/(i+1)) * ... * ((n-1)/n) = i/n, so the probability of selection is exactly 1/n for each individual.

4
Q

sampled NetFlow

A

sample every k-th packet
keep a record for every sampled flow: {#sampled packets, #sampled bytes}
-> multiply the recorded values by k to estimate the true counts
ISSUES:
- memory overhead (worst case one entry per flow)
- imprecise for short-lived flows (few or no sampled packets)

5
Q

Large Flow detection

A
  • Sampling based: Sample & Hold
  • Sketch based: Multistage filters
  • Eviction based: EARDet
6
Q

Sample and hold

A

Large flow detection
1. for every packet, check if a flow record exists: yes -> hold the packet (update the record); no -> sample the packet with probability ps (create a record if sampled)
2. Flows in the cache = identified large flows
+ no overcounting (every packet after sampling is counted exactly once)
- must inspect every packet header

7
Q

multistage filter

A

Large flow detection
1. keep an array of n counters
2. hash the flow id to a number 1…n
3. increase the i-th counter if the hash output is i
4. flows whose counter exceeds a threshold are considered large flows
ISSUE:
- hash collisions can give false positives
Solution: use multiple independent hash functions (stages); a flow is only reported as large if its counter reaches the threshold in all stages
+ low FP, no FN, fixed memory

8
Q

EARDet Algo

A

Large flow detection

  1. Like the Frequent Item Finding algo (Slide 10-36)
  2. track packet sizes instead of the number of items
  3. introduce virtual flows when the link is idle
9
Q

Bloom filter

A

Finding duplicate elements
1. set up a bit vector V with m bits
2. for element e evaluate k hash functions Hi(e) = hi and set all bits V[hi] = 1
3. to check for duplicates evaluate the hash functions again and see whether all k bits are set to 1
-> no FN, might have FP
ISSUE: the Bloom filter fills up -> keep multiple Bloom filters and reset and fill them based on time

10
Q

Estimate number of flows

A
  1. hash each flow uniformly to a value in [0,1)
  2. estimate the number of flows from the k-th minimum hash value
  3. n = k / minval - 1, where minval is the k-th smallest hash value
11
Q

intrusion detection vs traffic monitoring

A

Both can detect malicious activities such as DoS.

Intrusion detection

  • deployed at network edges
  • destination-based diagnosis
  • can analyze detailed payload data

Traffic monitoring

  • deployed at high-speed backbone routers
  • diagnoses network-wide anomalies
  • analyzes packet headers only
12
Q

Remaining challenges in traffic monitoring

A
  • TM (traffic monitoring) increases the risk of DoS
  • needs IP source authentication
  • monitoring schemes should be secure against attacks
  • need to detect attackers that craft input to bias the estimates