Unconstrained Endpoint Profiling
Googling the Internet
Ionut Trestian, Supranamaya Ranjan, Aleksandar Kuzmanovic, Antonio Nucci
Reviewed by Lee Young Soo

Introduction
Obtaining ‘raw’ packet traces from operational networks can be very hard.
Accurately classifying traffic in an online fashion at high speeds is an inherently hard problem.
For understanding what people are doing on the Internet: analyze operational network traces.

Unconstrained Endpoint Profiling
Introduction of a novel methodology.
  No operational traces are available
  Packet-level traces are available
  Sampled flow-level traces are available
Internet access trend analysis for four world regions.

Methodology
Rule Generation
  Querying Google using a sample ‘seed set’ of random IP addresses from the networks in four world regions.
  Constrain to the top N keywords that could be meaningfully used for endpoint classification.

Methodology
Web Classifier
  Rapid URL search
  Hit text search
Example URL: www.robtex.com/dns/32.net.ru.html

Methodology
IP tagging
  URL based tagging
  General hit text based tagging
  Hit text based tagging for forums
Post date and username are in the vicinity of the IP address => forum user
Presence of the following keywords: http:\, ftp:\, ppstream:\, mms:\ => http share, ftp share, streaming node

Methodology
Examples
  200.101.18.182 - inforum.insite.com: URL based tagging
  61.172.249.13 - ttzai.com: Hit text based tagging for Forum

Information comes from:
  Web logs
  Proxy logs
  Forums
  Malicious list
  Server list
  P2P communication

Evaluation
  When No Traces are Available.
  When Packet-Level Traces are Available.
  When Sampled Traces are Available.

When No Traces are Available
Applying the unconstrained endpoint approach to a subset of the IP range belonging to the four ISPs shown in the table above.

When No Traces are Available
Correlation with operational traces.
Correlation with other sources.
The unconstrained endpoint profiling approach can be effectively used to estimate application popularity trends.

When Packet-Level Traces are Available
BLINC
  Off-line tool
  Cannot classify particularly at application level
  Variable quality of results for different traces
UEP
  Superior classification results
  Operates efficiently online

When Packet-Level Traces are Available
Collect the most popular 5% of IP addresses and tag them by applying the methodology.
Use this information to classify the traffic flows.
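
Added example, not from the slides or the paper: the IP tagging rules from the Methodology slides applied to search hits, then used to classify flows after tagging only the most popular endpoints. The sample hits and flows, the URL keyword table, the date and username patterns, and the pairing of ppstream:\ and mms:\ with "streaming node" are assumptions.

```python
import math
import re
from collections import Counter

# Keyword tables. URL_KEYWORDS is hypothetical; SCHEME_TAGS pairs the slide's
# four keywords with its three tags (the ppstream/mms pairing is an assumption).
URL_KEYWORDS = {"proxy": "proxy", "mail": "mail server", "blacklist": "malicious"}
SCHEME_TAGS = {"http:\\": "http share", "ftp:\\": "ftp share",
               "ppstream:\\": "streaming node", "mms:\\": "streaming node"}
DATE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")
USER = re.compile(r"\b(?:by|user(?:name)?:?)\s+\w+", re.I)

# Constructed sample data: search hits (ip, hit URL, hit text) and flows (src, dst).
HITS = [
    ("198.51.100.5", "forum.example.net/t/77", "Posted 2008-03-01 by user42 from 198.51.100.5"),
    ("198.51.100.9", "files.example.org/board", "get it from ftp:\\198.51.100.9\\pub"),
    ("203.0.113.7", "proxy-list.example.com", "203.0.113.7:8080 anonymous"),
]
FLOWS = [("192.0.2.1", "198.51.100.9"), ("192.0.2.2", "198.51.100.9"),
         ("192.0.2.3", "198.51.100.9"), ("192.0.2.1", "198.51.100.5"),
         ("192.0.2.4", "198.51.100.5"), ("192.0.2.2", "203.0.113.7")]

def tag_hit(ip, url, text, window=40):
    """Tags that one search hit contributes for `ip`."""
    tags = {t for kw, t in URL_KEYWORDS.items() if kw in url.lower()}  # URL based
    pos = text.find(ip)
    near = text[max(0, pos - window): pos + len(ip) + window] if pos >= 0 else ""
    if DATE.search(near) and USER.search(near):  # post date + username near the IP
        tags.add("forum user")
    tags |= {t for kw, t in SCHEME_TAGS.items() if kw in text.lower()}  # keyword rule
    return tags

def popular_ips(flows, fraction=0.05):
    """IPs ranked by how many flows they appear in; keep the top `fraction`."""
    counts = Counter(ip for src, dst in flows for ip in (src, dst))
    keep = max(1, math.ceil(len(counts) * fraction))
    return [ip for ip, _ in counts.most_common(keep)]

def classify_flows(flows, hits, fraction=0.05):
    """Tag only the popular endpoints, then label each flow by its endpoints' tags."""
    popular = set(popular_ips(flows, fraction))
    profile = {}
    for ip, url, text in hits:
        if ip in popular:
            profile.setdefault(ip, set()).update(tag_hit(ip, url, text))
    return [(s, d, sorted(profile.get(s, set()) | profile.get(d, set())) or ["unknown"])
            for s, d in flows]
```

On the constructed data, tagging the single most popular endpoint already labels three of the six flows; the rest stay "unknown" until more endpoints are tagged.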

When Sampled Traces are Available
Due to sampling, an insufficient amount of data remains in the trace, and hence the graphlets approach simply does not work.
Popular endpoints are still present in the trace, despite sampling.

When Sampled Traces are Available
The endpoint approach remains largely unaffected by sampling.

Endpoint Profiling
Endpoint Clustering
  Clustering has been employed in networking before: the Autoclass algorithm.
  A set of tagged IP addresses from a region’s network is the input to the endpoint clustering algorithm.

Endpoint Profiling
Browsing, browsing and chat, or mail seems to be the most common behavior.

Endpoint Profiling
Traffic Locality

Conclusion
UEP
  Accurately predicts application and protocol usage trends when no network traces are available.
  Dramatically outperforms when packet traces are available.
  Retains high classification capabilities when flow-level traces are available.
Profile endpoints residing at four different world regions.
  Network applications and protocols used in these regions.
  Characteristics of endpoint classes that share similar access patterns.
  Clients’ locality properties.