KISS: Stochastic Packet Inspection for UDP Traffic Classification - PowerPoint PPT Presentation

Slides: 22
Provided by: tmaporta

Transcript and Presenter's Notes

1
KISS: Stochastic Packet Inspection for UDP Traffic Classification
  • Dario Bonfiglio, Alessandro Finamore, Marco Mellia, Michela Meo, Dario Rossi

2
Traffic classification
Look at the packets
Tell me what protocol and/or application generated them
3
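Typical approach: Deep Packet Inspection (DPI)
[Figure: DPI signatures per application (PPLive, Bittorrent, Gtalk, eMule), each with a Port and a Payload field. Labels recoverable from the slide: "Payload bittorrent", "Port 4662/4672", "Payload E4/E5", "RTP protocol"; the remaining fields are marked "?".]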
4
Typical approach: Deep Packet Inspection (DPI)
It fails more and more: P2P, encryption, proprietary solutions, many different flavours
[Figure: same DPI port/payload diagram as on slide 3]
5
Possible solution: behavioral classifier
Feature
Decision
  1. Statistical characterization of traffic (given
    source)
  2. Look for the behaviour of unknown traffic and
    assign the class that better fits it
  3. Check for possible classification mistakes

6
Phase 1: Statistical characterization
Feature
Decision
  • Statistical characterization of bits in a flow
  • Test

Do NOT look at the SEMANTIC and TIMING but
rather look at the protocol FORMAT
7
Chunking and
Expected distribution (uniform)
Observed distribution
UDP header
First N payload bytes
C chunks each of b bits
Vector of Statistics
8
Chi square statistics
9
Chi square statistics
24 chunks: 12 payload bytes, 4 bits per chunk
[Figure: panels labelled Deterministic, Random and Counter; axis: Time]
10
Protocol format as seen from the χ²
11
Phase 2: Decision process
Feature
Decision
  • Statistical characterization of bits in a flow
  • Test
  • Decision process
  • Minimum distance / maximum likelihood

12
C-dimension space
Hyperspace
Classification Regions
?
My Point
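
An added example, not taken from the slides or from the authors' code, of the chunk-wise chi-square signature (slides 7-9) and the minimum-distance decision (slides 11-12). The 80-packet window, the constructed protocols `proto_a` and `proto_b`, the centroid training and the `MAX_DIST` threshold are assumptions made for illustration.

```python
import math
import random
import struct

N_BYTES, B_BITS, WINDOW = 12, 4, 80   # slide 9 values; WINDOW is an assumption
N_CHUNKS = N_BYTES * 8 // B_BITS      # 24 chunks
LEVELS = 2 ** B_BITS                  # 16 possible values per chunk

def signature(payloads):
    """Chi-square of every chunk position against the uniform distribution."""
    usable = [p[:N_BYTES] for p in payloads if len(p) >= N_BYTES]  # skip short packets
    if not usable:
        raise ValueError("no payload with at least N_BYTES bytes")
    counts = [[0] * LEVELS for _ in range(N_CHUNKS)]
    for p in usable:
        for i, byte in enumerate(p):             # nibble split assumes B_BITS == 4
            counts[2 * i][byte >> 4] += 1        # high nibble
            counts[2 * i + 1][byte & 0x0F] += 1  # low nibble
    expected = len(usable) / LEVELS
    return [sum((o - expected) ** 2 / expected for o in c) for c in counts]

def centroid(signatures):
    """Mean signature over the training windows of one class."""
    return [sum(col) / len(col) for col in zip(*signatures)]

def classify(sig, centroids, max_dist):
    """Minimum Euclidean distance; beyond max_dist the window is 'other'."""
    name, dist = min(((n, math.dist(sig, c)) for n, c in centroids.items()),
                     key=lambda t: t[1])
    return name if dist <= max_dist else "other"

# Constructed sample traffic (hypothetical protocols, not the paper's traces).
rng = random.Random(1)

def rand_bytes(n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def proto_a(start):   # 2-byte magic, 16-bit counter, 8 random bytes
    return [b"\xe4\x01" + struct.pack(">H", start + k) + rand_bytes(8)
            for k in range(WINDOW)]

def proto_b():        # fully random payload, as an encrypted protocol would look
    return [rand_bytes(N_BYTES) for _ in range(WINDOW)]

CENTROIDS = {
    "proto_a": centroid([signature(proto_a(s)) for s in (0, 80, 160)]),
    "proto_b": centroid([signature(proto_b()) for _ in range(3)]),
}
MAX_DIST = 500.0      # assumed threshold, chosen for the constructed data
```

A constant chunk reaches the maximum value of 80 × 15 = 1200, a cycling counter nibble gives 0, and random chunks stay near 15, so the signature exposes the field layout without reading any field's meaning.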
13
Example
14
Phase 3: Performance
Feature
Decision
  • Statistical characterization of bits in a flow
  • Test
  • Decision process
  • Minimum distance / maximum likelihood
  • Performance evaluation
  • How accurate is all this?

15
Real traffic traces
Trace
1 day long trace
RTP eMule DNS
> 90% of tot. volume
Oracle (Manual DPI)
20 GByte of UDP traffic
Training
  • Known Other

False Negatives
  • Known Traffic

False Positives
  • Unknown traffic

16
Definition of false positive/negative
Classifying known
Classifying other
true positives
true negatives
false negatives
false positives
17
Results (local)

Known traffic (False Neg.)
         Euclidean Distance      SVM
         Case A    Case B        Case A    Case B
Rtp       0.08      0.23          -         0.05
Edk      13.03      7.97          0.98      0.54
Dns       6.57     19.19          0.12      2.14

Other (False Pos.)
         Euclidean Distance      SVM
         Case A    Case B        Case A    Case B
other    13.6      17.01          -         0.18
18
Real traffic trace
  • RTP errors are oracle mistakes (do not identify RTP v1)
  • DNS errors are due to impure training set (for the oracle all port 53 is DNS traffic)
  • EDK errors are (maybe) Xbox Live (proper training for other)
FN are always below 3!!!
19
P2P-TV applications
  • P2P-TV applications are becoming popular
  • They heavily rely on UDP as the transport protocol
  • They are based on proprietary protocols
  • They are evolving over time very quickly

           Tot. Vectors    FN
Joost      33514           1.9
PPLive     84452           -
SopCast    84473           0.1
Tvants     27184           -

           Tot. Vectors    FP
Other      1.2M            0.3
20
Pros and Cons
  • KISS is good because
      • Blind approach
      • Completely automated
      • Works with many protocols
      • Works even with small training
      • Statistics can start at any point
      • Robust w.r.t. packet drops
      • Bypasses some DPI problems
  • but
      • Learn (other) properly
      • Needs volumes of traffic
      • May require memory (for now)
      • Only UDP (for now)
      • Only offline (for now)

21
Papers
  • D. Bonfiglio, M. Mellia, M. Meo, D. Rossi, P. Tofanelli, "Revealing Skype traffic: when randomness plays with you", ACM SIGCOMM Computer Communication Review "4", Vol. 37, pp. 37-48, ISSN 0146-4833, October 2007
  • D. Rossi, M. Mellia, M. Meo, "Following Skype Signaling Footsteps", IT-NEWS - QoS-IP 2008 - The Fourth International Workshop on QoS in Multiservice IP Networks, Venice, 13-15 February
  • D. Rossi, M. Mellia, M. Meo, "A Detailed Measurement of Skype Network Traffic", 7th International Workshop on Peer-to-Peer Systems (IPTPS '08), Tampa Bay, Florida, 25-26/2/2008
  • D. Bonfiglio, M. Mellia, M. Meo, N. Ritacca, D. Rossi, "Tracking Down Skype Traffic", IEEE Infocom, Phoenix, AZ, 15,17 April 2008
  • D. Bonfiglio, A. Finamore, M. Mellia, M. Meo, D. Rossi, "KISS: Stochastic Packet Inspection for UDP Traffic Classification", submitted to InfoCom09