Network Monitoring Insights

NM2
Network Monitoring and
Measurements:
some new perspectives (?!?!)

COMICS Research Group
Dipartimento di Informatica e Sistemistica
Università degli Studi di Napoli Federico II

COMICS (COMputer for Interaction and CommunicationS) Research Group – DIS, University of Napoli Federico II 1

Agenda
Ø  COMICS (COMputers for Interaction and
CommunicationS ) presentation
Ø  COMICS research topics
Ø  Network Monitoring and Measurements
Ø People Involved
Ø Approach
Ø Contributions
Ø Traffic Monitoring and Analysis
Ø Network Measurements
Ø Contacts
Ø Publications
Ø Large Scale projects

2
COMICS (COMputer for Interaction and CommunicationS) Research Group – DIS, University of Napoli Federico II

COMICS
Ø  COMICS (COMputers for Interaction and
CommunicationS ) headed by Prof. Giorgio Ventre
Ø  Work spans 2 laboratories and Spin-Offs:
ü UoN/DIS
•  @ University of Napoli
ü CINI/ITEM
•  a research lab of the Italian University Consortium in Computer
Science & Engineering
ü Academic Spin-Offs
Ø  Funding mainly from EU, Industry, with some money (?)
from national and local government

3

People@COMICS

Ø  Today around 20 people in the group
ü Seven of them with tenure and permanent positions
•  Giorgio Ventre
•  Roberto Canonico
•  Simon Pietro Romano
•  Stefano Avallone
•  Antonio Pescapè
•  Maurizio D Arienzo
•  Salvatore D Antonio
Ø  Collaborations with industries (Telecom Italia, Telefonica O2,
Vodafone, H3G, Alcatel, Engineering Ingegneria Informatica,
Accenture, Finmeccanica, Selex Sistemi Integrati, Juniper,
Ericsson, IBM, Intel, Skylogic, ACCANTO, ALTO, several other
SMEs, etc.) and AGCOM, Poste Italiane, and PA.
4

Research Projects@COMICS (1/2)
Ø Former EU Projects: Ø Former National Projects:
ü Guardians ü COSMIC
ü Cadenus ü ESALAB
ü Intermon ü NADIR
ü E-NET, E-Next ü QUASAR
ü Cost 263 ü WEBMINDS
ü Cost 290 ü RECIPE
ü OneLab ü LATINO
ü NetQoS
ü Content
ü OneLab2
ü Intersection 5

Research Projects@COMICS (2/2)

Ø Current EU Projects: Ø Current National Projects:
ü Inspire ü LINCE
ü COST Action
IC0703 "Data
Traffic Monitoring
and Analysis (TMA)

6

Research@Comics
Ø Research areas:
ü Traffic Measurements and Analysis
ü Network Monitoring and Anomaly Detection
ü Perfomance Evaluation of Networked Systems
ü Security, Reliability and Resiliency
ü QoS and QoE in Heterogeneous Networks
ü Analysis and Detection of Network Outages
ü Traffic Engineering
ü Wireless Mesh Networks
•  P2P overlay networks
ü Management and control of network infrastructures
•  SLA, SLS, Policy based management
ü Multimedia services engineering (IETF activities)
ü Emulation, Virtualization and Cloud
ü Green Networking
7

NM2, Network Monitoring
and Measurements

8

Network Monitoring and Measurements (NM2)
² NM2 is part of the COMICS research group of the Dipartimento
di Informatica e Sistemistica at University of Napoli Federico II
² People Involved

Giuseppe Aceto
Alessio Botta
Antonio Pescapè

Pietro Marchetta
Walter de Donato
Alberto Dainotti
9

NM2 approach and vision

Topologies
Links

Applications
Traffic
/
Services

http://www.grid.unina.it/Traffic/

10

NM2 philosophy, where we are

OSS/BSS Integration
•  Customer Service Assurance

NM2 Distributed NOC •  Perfomance Monitoring Third Parties NTMA Other
•  Service Quality Management

•  CRM

NM2 Network/Traffic Monitoring and Analysis (NTMA)

Probe Probe Probe Probe Probe
NM2
Network/IT Wired/Wireless Infrasctructure

11

Traffic Monitoring and
Analysis

12

NM2: Contributions in Traffic Monitoring and Analysis

Ø Heterogeneous Network Scenarios (Home Networks, 3G/
4G, Wireless Metropolitan Mesh Networks, Overlay Networks, gaming
consoles, PDAs, household appliances, smartphones, etc)
ü Traffic Capture
ü Traffic Characterization
•  Novel applications (IPTV, games, streaming video, social
networks, etc.)
•  Malware traffic
ü Traffic Modeling
ü Traffic Generation and Active Probing
ü Traffic and Service Classification
•  New techniques for traffic classification
ü Security and Anomaly Detection
ü Analysis and Detection of Network Outages
13

NM2: Traffic Capture, Characterization and Modeling (1/2)

Ø  Why?
ü  Application and Service understanding and fingerprinting
ü  Security
ü  QoS requirements
ü  Performance Analysis
ü  Emulation
ü  etc.
Ø  What?
ü  High-Speed Packet Capture (COTS, DAG, etc.)
ü  Statistical characterization and modeling of traffic
properties
•  Multi-level but with specific focus on packet-level
•  Per-single application
14

NM2: Traffic Capture, Characterization and Modeling (2/2)

Ø  How? Hidden
States

Ø  Capture and Analysis
Ø  Plab
http://www.grid.unina.it/software/Plab
Ø  Characterization IPT and PS
conditional
Ø  Matlab toolset for statistical distributions

analysis of network traffic
http://www.grid.unina.it/Traffic/Tools/
statools.php
Ø  Modeling
Ø  Statistical Modeling of traffic
sources Hidden Markov Models for different network applications

15

NM2: Active Probing and Application Traffic Generation (1/4)

Ø  Why?
Ø  Network Performance
Ø  Testing/benchmarking
Ø  Network
Infrastructure
Ø  Device capabilities
Ø  Quality of Service
(QoS) architectures
Ø  Queuing disciplines
Ø  Traffic shapers
Ø  Etc.
Traffic generation scenario

Ø  What? Generation of realistic traffic replicating as accurately as
possible real applications and collection of information on how the
single packets have been processed by the SUT (system under test).
16


Ø  How?
ü  D-ITG (Distributed Internet Traffic Generator)
ü  http://www.grid.unina.it/software/ITG
ü  Distributed architecture: traffic senders and receivers can be spread
over the Internet and controlled by a central point
ü  Generation of traffic according to both statistical models of the
applications and traffic traces of real applications
ü  High performance, accuracy and flexibility
ü  Different kinds of hardware and operating systems supported
Trace-based

Measurement of performance Analytical model-based
indicators

Open-loop Application-level
Closed-loop
Flow-level
Automated & Configurable Packet-level
Repeatabile 17


18


Ø  Since year 2003 D-ITG has being:
§  Used for the Italian WiMax experimentations (FUB)
§  Used for Magnets Network (Berlin) design and testing
§  Used in more than 20 EU research projects (Demo)
§  Used by more the 50 companies and Telcos for testing their
networking solutions
§  Used by NASA for the NASA Crew Exploration Vehicle (CEV)
Space communication link sizing
§  Used in Labs for CISCO certifications
§  Cited in more than 300 papers/theses worldwide
§  Included in several Linux distributions: Debian, Slax, OpenWRT,
Linux Microcore, etc.

19

NM2: Traffic and Service Classification (1/3)
Ø  Why?
ü  Accounting
ü  QoS
ü  Security
ü  Network Analysis
ü  etc.
Ø  What?
Traffic and Service
Classification/Identification
ü  (new) Payload Inspection
ü  Statistical Properties &
Machine Learning Web report of online traffic classification of a network link

ü  Multi-Classification
20

Ø  How?
ü  TIE – Traffic Identification Engine
http://tie.comics.unina.it
ü  High-speed platform written in C
ü  Runs on Linux/FreeBSD/MacOSX
Packet Session Feature Decision
Output
Filter Builder Extractor Combiner

ü  Modular and Plugin-based Classiﬁcation Classiﬁcation
... Plugin #n
Plugin #1
ü  Large community

COST-TMA

21

Ø  Novel Classification Technique: PortLoad*
ü Port-based is fast and privacy-friendly because:
•  It needs the 1st packet only
•  It uses fixed fields (protocol and port)
•  It uses few data
It can be considered as a special case of packet-classification
techniques developed for routers, flow-monitors, etc.
ü Payload-based is accurate because relies on application-
level headers and other information from the payload
•  Payload-based signatures
Ø  Port + Payload = PortLoad
Ø  Some interest from industry: Telecom Italia, Seven One
Solutions, ACCANTO, Huawei
* Patent N.: NA2010AOOOO11
22

NM2: Security and Anomaly Detection (1/2)
Ø  Why?
ü  Security of network and critical infrastructures
ü  Security of users

Ø  What? Spread of the Slammer Worm in year 2001

ü  Traffic Analysis for Network/User Security
ü  Network Anomaly Detection
ü  Study of Malware Traffic
ü  Lawful Interception

23

NM2: Security and Anomaly Detection (2/2)
Ø  How?
ü  Anomaly Detection: traffic
analysis through the Wavelet
Transform

Detection of a Denial of Service attack through
ü  Study of Malware traffic: Analysis with the Wavelet Transform

characterization and detection of
computer worms

ü  Lawful Interception (traffic
monitoring, protocol
decapsulation, covert channel Witty Worm: Joint PS-IPT observed
detection, …) from MAWI WIDE link

24

NM2: Analysis of Network Outages (1/2)
Ø  BGP
ü  BGP updates from route collectors of RIPE-NCC RIS
and RouteViews
ü  We combined information from both databases
ü  Graphical Tools: REX, BGPlay, BGPviz

Ø  Active Traceroute Probing
ü  Archipelago Measurement
Infrastructure (ARK)
ü  Manually-initated traceroutes

Ø  Internet Background Radiation
ü  Traffic reaching the UCSD Network Telescope
ü  Capable of revealing different kinds of blocking

25

NM2: Analysis of Network Outages (2/2)

Telescopes vs BGP 14

12

number of visible prefixes
Ø  Contrasting telescope traffic with 10

8

BGP measurements can reveal a 6

mix of blocking techniques that 4

2

cannot be discovered by looking 0

02

02

02

02

02

02
only at BGP

-1

-1

-1

-2

-2

-2
8

9

9

0

0

1
12

00

12

00

12

00
:0

:0

:0

:0

:0

:0
0

0

0

0

0

0
AS30981 AS6762 AS21003

8

7

Ø  E.g. the second Libyan outage 6

packets per second
5

involved overlapping of BGP 4

withdrawals and packet filtering 3

2

1

0

02

02

02

02

02

02
-1

-1

-1

-2

-2

-2
8

9

9

0

0

1
12

00

12

00

12

00
:0

:0

:0

:0

:0

:0
0

0

0

0

0

0
26

Network Measurements

27

NM2: Contributions in Network Measurements
Ø  Network Performance Analysis and Improvement
ü Hybrid approaches (both active and passive)
ü QoS, QoE, KPI
ü Informed diversity for performance improvement
ü Compression and Reduction of network data
Ø  Broadband Benchmarking
ü In terms of both QoS parameters and protocols
Ø  Network Mapping
ü Hybrid and Distributed approaches (routers, links, subnets)
ü Accuracy, Discovery time, Intrusiveness
Ø  Bandwidth Monitoring
ü Wired and Wireless network scenarios
ü Distributed and Hybrid approaches
ü Accuracy, Discovery time, Intrusiveness
28

NM2: Network Performance Analysis (1/3)
Ø  Innovative measurement techniques and approaches
ü Active → purposely forge synthetic traffic
ü Passive → exploit user generated traffic
Ø  Able to work in emerging network scenarios
ü 3/4G cellular networks, satellite networks, wireless mesh
networks, etc.
Ø  Monitored parameters
ü One-way delay, round trip time, delay variation (aka jitter),
latency, packet loss, shaping rate, packet reordering, TCP
performance (e.g., 0-byte connections, reset segments, out-of-
order segments, retransmitted segments, 1-Byte segments
retransmitted), etc.
ü Specific Application Performance (DNS, Web, VoIP, IPTV, etc.)
ü KPIs synthesized from the parameters above
29

A novel technique called Multi-layer Root Cause Analysis of
TCP connections (MRCA)*
Ø Works analyzing the traffic generated by network users
Ø Allows to infer the performance of the TCP connections and
to determine the associated root causes (network, application,
OS configuration, etc.)
Ø Improves and integrates different techniques proposed in
literature providing an approach integrating different point of
view: aggregate, connection, and host
Ø Some interest from the industry: Telecom Italia, Skylogic,
ACCANTO, Telefonica O2, etc.

* Patent Under Submission
30

Ø Monitoring and modeling losses
ü Characteristics of the loss process on the Internet and on
satellite networks

Internet (through PlanetLab)
Satellite network

Ø Detecting and analyzing middleboxes

The effect of a PEP in a
The effect of a shaper in a cellular network satellite network
31

NM2: Network Performance Improvement (1/2)
Informed time diversity
Ø Allows to reduce loss burstiness, thus improving application
performance
Ø We developed an application to use the interleaving in real
networks
ü Realizes block interleaving
ü Has measurement capabilities to automatically configure and
adapt to varying network conditions

32

NM2: Network Performance Improvement (2/2)
Informed space diversity
Ø  Allows to improve performance and reliability using multiple
paths
Ø  A new packet scheduling policy measuring network status
ü  Working at IP layer with decisions on a packet-by-packet basis

Ø A tool to apply path diversity on real networks

33

NM2: Compression and Reduction of network data
Ø  Challenges and obstacles due to huge amount of !"#$%&'((%)*+)%,-,*.%/-$%,**.%.*0#*/*1%-)%)"*%1#.*2)#34%3&%5666%7388'4#2-)#34$%932#*

monitoring data (OSNs, p2p, high speed links, etc) from
both active form Y =topassive Pˆquery thatofcanthe thirdinrow of Table II, we obtain a reduction of 59%. In Fig.
the and P X, one can use approaches
more details, answer a specific be put 0.22
CCS/full
instead P and solve bzip2full/full
ˆ ˆ Y = P X = T CX. Remember that ||T ||0 and3(b) and 5(b)) we 0.2 see that the
||C||0 are can good approximation is quite
bzip2flt/full
Tot/full
for over the 99.9% of the distribution, and mean and standard
Ø  Compression
minimized by construction. Therefore, computing the product 0.18

Compression Ratio
CX requires at most ||C||0 multiplications of coefficients. are well approximated (see third row of Table II).
deviation
Similarly, computing Y = T (CX) requires no more than
Figs. 4 and 5(b) 0.16
show that the two distributions are close in
ü  Reduced memory footprint for
||T ||0 multiplications. Thus, the complexity of answering a
query that can be put in the form Y = P X is equal to part and in the tail too.
the main 0.14
stored data ||T ||0 + ||C||0 operations. d) PSO: We sketch the Marginal Utility against the
0.12
Using this factorized format allows to answer numberof samples in Fig. 3(c). The QQ-plot in Fig. 3(d)
a range of
ü  A set of operations with reduced
queries. For instance, one can answer any max-k transaction
shows a good approximation up to about 500 bytes, which
query to find the k largest transactions in the log file. This
0.1

time complexity on coded data
can be solved by finding the k largest value of accounts1 for 99.2% of the original data set. In the fourth row
the N × 0.08
row of P that corresponds to the load. One can similarlyII a summary of the conducted analysis is reported.
ˆ of Table 0.001 0.01 0.1 1
lambda
find the total usage of a specific srcID, by summing all
ˆ ˆ
bytes value P (3, i) for which P (1, i) = srcID. The matrix Fig. 1. Compression Ratios Entire set 1500 Entire set
Reduced set
Reduced set

Ø  Reduction
500
C points to which patterns in T the user calls upon. Thus
similar users will have similar coefficient in the C matrix, and
400
1000

can be identified by observing this sparse matrix. Conversely, 1771 different destination URLs. The data set has the format
300

ü  There is no need to consider the
the underlying matrix of patterns T embeds some overall of a log file, each record of which represents a single HTTP
200

behavior of the system and can be used to identify abnormal session, and is constituted by four fields: timestamp (in UNIX Fig
500

entire data sets in the processing 100

usage. In particular, if after computing T over some period of epoch time, µs precision), source ID, destination URL, load 0

stage
0
0 2 4 6 8 10 12
time ∆ at regular intervals, one sees dramatic changes in the (in bytes).
0 0.005 0.01
[s]
0.015 0.02 0.025 [s]
x 10
−3

0.02
composition of T , say minπ ||T (t2 ) − πT (t1 )||2 > γ where π Entire Set
Entire set

is a column permutation and γ a threshold, then it might point B. Results Reduced Set
Reduced set

ü  Entropy-based methodology to
0.07

0.015
to some abnormal behavior in the system and call for some
0.06
1) Compression Ratio: The total size of the compressed co
reduce network traffic data
0.05
version, as well as the size of specific components, is com-
investigation. 0.04
0.01
da
In order to compute T and C, we use the technique pared against the size of the original data. The quantities
0.03
of
ü  Off-line approach
proposed by Zujovic et al [5] in the context of pattern matching whose ratio is considered are: CCS - size in bytes of Com-
0.02 0.005

algorithms (applied to query-by-example image retrieval). 0.01
pressed Column Sparse representation of C matrix alone; Tot =
0
0
- sum of the size in bytes of0CCS, T matrix, bzip2-compressed Th
0 20 40 50
60 100 150 80
Bytes
Bytes
200100 250 120300
34
140

III. E XPERIMENTAL EVALUATION ordered list of URLs, bzip2-compressed ordered list of source at

NM2: Broadband mapping (1/4)
Ø  Measuring from the edge → Independent point of view
Ø  Different approaches
Ø  Web-based (Speedtest.net, Netalizr, ...)
Ø  easy to use
Host
Ø  one-shot measure
Ø  affected by interferences
Ø  Client-based (Grenouille, Isposure,
Home Router
HoBBIT, ...)
network
Ø  repeated/periodical measures
Ø  easy large scale deployments
Modem Local
Ø  active only when the PC is turned on
loop
Ø  unable to account for interferences
Ø  Router-based (SamKnows, BISMark)
Ø  continous periodical measures
Ø  observes all traffic passing through network ISP
Ø  can take into account interfereces
Ø  difficult to obtain large scale deployments
35

BISMark (router-based) HoBBIT (client-based)
Ø  Linux-based firmware Ø  Multi-platform application
ü  customized OpenWRT distro ü  based on Qt libraries
ü  Netgear WNDR 3700v2 Ø  Extensible measurement
Ø  On-demand access to the framework
router console Ø  Supports any underlying
Ø  Active and passive measurement tool
measurements Ø  Active measurements
Ø  Current deployments Ø  Current deployment
ü  16 routers in Altanta ü  ~100 users in Italy
ü  15 routers in Cape Town
http://projectbismark.net http://hobbit.comics.unina.it

36


BISMark
Ø Network measurements taken from the home gateway
Ø Both active and passive measurements
Ø Main features
ü On-demand remote router
control/update
ü Measurements synchronization
Ø Allows to monitor
ü Factors affecting performance
(Local loop, ISP policies,
Home network)
ü Usage profiles

37

Ø Network measurements taken from the users' PC
ü large scale deployments
Ø Active measurements using standard tools
ü extensible measurement framework
ü geolocation and mapping
ü fine-grained management
ü multi-platform
ü automatic updates
ü per-application
measurements
Ø Users can
ü monitor their Internet connection
ü compare results with others in the
same location
38

NM2: Network Mapping (1/3)
Ø  Why?
ü  Network control and management
•  Fault isolation, performance analysis, service locations, etc.
ü  Network simulations
•  It is difficult to generate realistic topologies
ü  Network aware applications
•  E.g. to improve the performance
Ø  What?
ü  Automatic discovery of network maps in terms of: routers, links,
subnets, layer-2 devices, etc.
ü  Achieving
•  Completeness (i.e. discover the entire topology)
•  Accuracy (i.e. make no mistakes)
•  Low intrusiveness (i.e. reduce both the discovery duration and the
traffic overhead)
•  Integration with Network Inventory solutions 39

Ø  How?
ü  Combining multiple passive/active methodologies and techniques
ü  Hybrid approaches
ü  Novel techniques based on: IGMP, ParisTraceroute, IP Options, ...
ü  Hynetd (single vantage point)
•  http://www.grid.unina.it/software/TD
ü  MERLIN (multiple vantage points)
•  http://svnet.u-strasbg.fr/merlin

40

MERLIN: MEasure the Router Level of the Internet
Ø  Target a specific Autonomous System network
Ø  Multiple techniques integrated and optimized
Ø Improved IGMP probing
ü Paris traceroute
ü Alias resolution

Ø  Several input sources
Ø BGP dumps, CAIDA Archipelago
MERLIN Monitor
datasets, MaxMind repositories, ...
Ø  Geo-Location, DNS mapping, MERLIN Coordinator

IPtoAS mapping, ...
41

NM2: Bandwidth Monitoring (1/2)
Ø  Why?
ü  Network planning
ü  QoS
ü  Admission Control
ü  Support several kinds of applications
(P2P sharing, overlay networks, CDN, streaming, etc.)
Ø  What?
Estimation of capacity and available bandwidth
in modern heterogeneous networks
ü  Optimized approaches for each network scenario:
wired, wireless, broadband access, mixed
ü  Allowing for different deployments:
single probe / edge probes / instrumented path
ü  Tunable in intrusiveness / accuracy / response speed

42

NM2: Bandwidth Monitoring (2/2)
Ø  How?
Measurement platform: UANM
(Unified Architecture for Network Measurement)
http://grid.unina.it/Traffic/uanm.php
ü  Distributed
ü  Equipped with state-of-art
techniques
ü  Plugin-based (easily expandable
with experimental or cutting-edge
techniques)
ü  Decentralized synchronization
for interference avoidance
ü  API provided for embedding
in applications, monitoring
systems, appliances

43

Research Collaborations (not exaustive list)
Ø  Cooperative Association for Internet Data Analysis
(CAIDA), San Diego,USA
Ø  Georgia Tech, Atlanta, USA
Ø  Eurécom, Sophia Antipolis, France
Ø  Telefonica O2, (Spain and Germany)
Ø  TELECOM ParisTech (formerly known as ENST), France
Ø  Docomo Labs, Palo Alto, Stanford, USA
Ø  Deutsche Telekom Laboratories, Berlin, Germany
Ø  UCL, University of Louvain-la-neuve (Belgium)
Ø  Universitat Politècnica de Catalunya (Barcelona, Spain)
Ø  etc.

44

Contacts
Antonio Pescape'
Dipartimento di Informatica e Sistemistica
University of Napoli ''Federico II''
Via Claudio, 21 - 80125, Napoli (Italy) [Room n. 3.10]
tel. +39 081 7683856
fax +39 081 7683816
e-mail : pescape@unina.it (or pescape@ieee.org)
Personal web-page: http://wpage.unina.it/pescape
Teaching web-site (in Italian): http://www.docenti.unina.it/antonio.pescape

45

Selected Publications (not exaustive list)
Ø  Srikanth Sundaresan, Walter de Donato, Nick Feamster, Renata Teixeira, Sam Crawford,
Antonio Pescapè, "Broadband Internet Performance: A View From the Gateway", to appear
in ACM SIGCOMM 2011 proceedings, Toronto, ON, Canada, August 15-19, 2011.
Ø  A. Dainotti, A. Pescapé, K. C. Claffy, “Issues and Future Directions in Traffic Classification",
IEEE Network, 2011, to appear
Ø  Pietro Marchetta, Pascal Mérindol, Benoit Donnet, Antonio Pescapé and Jean-Jacques
Pansiot. "Topology Discovery at the Router Level: A New Hybrid Tool Targeting ISP
Networks". IEEE Journal on Selected Areas in Communication (JSAC), Special Issue on
Measurement of Internet Topologies, 2011, to appear
Ø  Alessio Botta, Antonio Pescape', Vinh Bui, Weiping Zhu, "A Markovian Approach to Multi-
path Data Transfer in Overlay Networks'', IEEE Transactions on Parallel and Distributed
Systems, vol.21, no.10, pp.1398-1411, Oct. 2010
Ø  Alessio Botta, Alberto Dainotti, Antonio Pescape', "Do You Trust Your Software-based
Traffic Generator?'', IEEE Communications Magazine, vol.48, no.9, pp.158-165, Sept. 2010.
Ø  A. Botta, R. Canonico, G. Di Stasi, A. Pescapè, G. Ventre, S. Fdida., "Integration of 3G
connectivity in PlanetLab Europe - A step of an evolutionary path towards heterogeneous
large scale network testbeds", ACM Springer Mobile Networks and Applications Journal,
Special Issue on "Advances In Wireless Test beds and Research Infrastructures", Volume
15, Issue 3, June 2010, Pages 344-355.
Ø  Alberto Dainotti, Antonio Pescapè, Giorgio Ventre, "A cascade architecture for DoS attacks
detection based on the wavelet transform'', Journal of Computer Security, Volume 17,
Number 6/2009, Pages 945-968
46

Ø  Marco Mellia, Antonio Pescapè, Luca Salgarelli, Traffic classification and its applications to
modern networks, Computer Networks, Volume 53, Issue 6, 23 April 2009, Pages 759-760.
Ø  A. Thomas Silverston, Olivier Fourmaux, Alessio Botta, Alberto Dainotti, Antonio Pescapè,
Giorgio Ventre, Kavè Salamatian, " Traffic Analysis of Peer-to-Peer IPTV Communities ,"
Computer Networks, Volume 53, Issue 4, 18 March 2009, Pages 470-484.
Ø  Alessio Botta, Antonio Pescapè, Giorgio Ventre, "An approach to the identification of
network elements composing heterogeneous end-to-end paths", Computer Networks,
Volume 52, Issue 15, 23 October 2008, Pages 2975-2987, Elsevier.
Ø  A. Dainotti, A. Pescapè, P. Salvo Rossi, F. Palmieri, G. Ventre, "Internet Traffic Modeling by
means of Hidden Markov Models"; Computer Networks (Elsevier), Volume 52, Issue 14, 9
October 2008, Pages 2645-2662
Ø  A. Botta, A. Pescapè, R. Karrer, “High-speed backhaul networks: myth or reality?”,
Computer Communication Journal (Elsevier), Volume 31, Issue 8, 25 May 2008, Pages
1540-1550.
Ø  A. Pescapè, “Entropy-Based Reduction of Traffic Data”, IEEE Communications Letters, pp.
191-193, Vol.11, No.2 - February 2007.
Ø  S. Avallone, D. Emma, A. Pescapè, and G. Ventre, “Performance evaluation of an open
distributed platform for realistic traffic generation”, Performance Evaluation (Elsevier), ISSN:
0166-5316 – Vol. 60, Issues 1-4, May 2005, pp 359-392
Ø  Massimo Bernaschi, Filippo Cacace, Giulio Iannello, Antonio Pescapè, and Stefano Za,
“Seamless Internetworking of WLANs and Cellular Networks: architecture and performance
issues in a Mobile IPv6 scenario”, IEEE Wireless Communication Magazine (WCM) Journal,
pp. 73-80, June 2005
47

Ø  A. Dainotti, A. Pescapè, C. Sansone, "Early Classification of Network Traffic through Multi-
Classification", Third International Workshop on Traffic Monitoring and Analysis (TMA'11) -
April 2011, Vienna (Austria).
Ø  A. Botta, A. Pescapè, "Monitoring and measuring wireless network performance in the
presence of middleboxes", The 8th International Conference on Wireless On-demand
Network Systems and Services (WONS), Bardonecchia (TO), Italy, January 2011.
(Download the poster).
Ø  A. Pescape', D.Rossi, D. Tammaro, S. Valenti, "On the Impact of Sampling on Traffic
Monitoring and Analysis", 22nd International Teletraffic Congress, September 7 - 9, 2010 in
Amsterdam, The Netherlands.
Ø  A. Botta, A. Pescape', G.Ventre, E. Biersack, S. Rugel, "Performance footprints of heavy
users in 3G networks via empirical measurement", The 6th International workshop on
Wireless Network Measurements, May 31st, 2010, Avignon, France.
Ø  A. Botta, A. Pescapè, G. Aceto, M. D'Arienzo, "UANM: a platform for experimenting with
available bandwidth estimation tools", 15th IEEE Symposium on Computer and
Communications, June 2010 Riccione (ITALY)
Ø  A. Dainotti, F. Gargiulo, L. Kuncheva, A. Pescapè, C. Sansone, "Identification of traffic flows
hiding behind TCP port 80", IEEE ICC 2010 - May 2010, Capetown (South Africa)
Ø  G. Aceto, A. Dainotti, W. de Donato, A. Pescapè, "PortLoad: taking the best of two worlds in
traffic classification", IEEE INFOCOM 2010 - WIP Track - March 2010, San Diego (CA, USA)
Ø  V. Carela-Español, P. Barlet-Ros, M. Solè-Simò, A. Dainotti, W. de Donato, A. Pescapè, "K-
dimensional trees for continuous traffic classification", 2nd International Workshop on Traffic
Monitoring and Analysis (TMA'10), Zurich, Switzerland, April 7, 2010. 48

Ø  A. Dainotti, W. De Donato, A. Pescapè “TIE: a Community-Oriented Traffic Classification
Platform", International Workshop on Traffic Monitoring and Analysis (TMA'09) @ IFIP
Networking 2009 - May 2009, Aachen (Germany)
Ø  A. Dainotti, W. De Donato, A. Pescapè, P. Salvo Rossi, "Classification of Network Traffic via
Packet-Level Hidden Markov Models", IEEE GLOBECOM 2008 - Dec 2008, New Orleans
(LA, USA)
Ø  Alessio Botta, Walter de Donato, Antonio Pescapè, Giorgio Ventre, "Networked Embedded
Systems: a Quantitative Performance Comparison", IEEE Globecom 2008, New Orleans
(LA), USA, 30 November - 4 December, 2008.
Ø  Alessio Botta, Roberto Canonico, Giovanni Di Stasi, Antonio Pescapè, Giorgio Ventre,
"Providing UMTS connectivity to PlanetLab nodes", 3rd International Workshop on Real
Overlays & Distributed Systems, collocated with ACM CoNEXT 2008, Madrid, Spain, 9 - 12
December, 2008.
Ø  Alessio Botta, Antonio Pescapè, Vinh Q Bui, Weiping Zhu, "An MDP-based Approach for
Multipath Data Transmission over Wireless Networks", 2008 IEEE International Conference
on Communications (ICC 2008), page(s): 268 - 274
Ø  M.K. Afzal, Aman-Ullah-Khan, A. Pescape', Y. Bin Zikria, S. Loreto, "SCTP vs. TCP Delay
and Packet Loss," Multitopic Conference, 2007. INMIC 2007. IEEE International , vol., no.,
pp.1-5, 28-30 Dec. 2007
Ø  Roger Karrer and Antonio Pescape', "2nd generation wireless mesh networks: technical,
economical and social challenges". In Proceedings of the 2007 IEEE International
Conference on Future Generation Communication and Networking, Jeju Island, Korea,
December 2007.
49

Ø  A. Botta, W. de Donato, A. Pescapé and G. Ventre, “Discovering Topologies at Router Level:
Part II”, Globecom 2007, Washington, D.C., 26-30 November, 2007
Ø  Alessio Botta, Antonio Pescapè, Giorgio Ventre, Roger P. Karrer, "High-speed wireless
backbones: measurements from MagNets” in proceedings of the Fourth IEEE International
Conference on Broadband Communications, Networks, and Systems (Broadnets),
September 2007, Raileigh, North Carolina (USA).
Ø  Vinh Q Bui, Weiping Zhu, Antonio Pescape', Alessio Botta, "Long Horizon End-to-End Delay
Forecasts: A Multi-Step-Ahead Hybrid Approach", 12th IEEE Symposium on Computers and
Communications, 2007
Ø  Roger P. Karrer, Istvan Matyasovszki, Alessio Botta, Antonio Pescapè, "MagNets -
experiences from deploying a joint research-operational next-generation wireless access
network testbed”, TRIDENTCOM 2007, May 2007, Orlando, Florida (USA).
Ø  Alberto Dainotti, Antonio Pescapè, Giorgio Ventre, "Worm Traffic Analysis and
Characterization", 2007 IEEE International Conference on Communications (ICC 2007)
Ø  A. Dainotti, A. Pescapè, P. Salvo Rossi, G. Iannello, G. Ventre, F. Palmieri “An HMM
Approach to Internet Traffic Modeling", 2006 IEEE Globecom Conference, Quality, Reliability
and Performance Modeling for Emerging Network Services Symposium
Ø  A. Dainotti, A. Pescapè, G. Ventre, “Wavelet-based Detection of DoS Attacks", 2006 IEEE
Globecom Conference, Network Security Systems Symposium
Ø  Giulio Iannello, Francesco Palmieri, Antonio Pescapè, and Pierluigi Salvo Rossi,“End-to-End
Packet-Channel Bayesian Model applied to Heterogeneous Wireless Networks”, IEEE
Globecom 2005 General Conference - ISBN 0-7803-9415-1 - December 2005, St. Louis
(MO, USA) 50

Large Scale Projects

51

NM2: Large Scale Projects
Ø  BISMark
ü  Router-based platform for performing measurements of ISP performance,
as well as traffic inside the home
ü  http://projectbismark.net
ü  http://www.bufferbloat.net
Ø  HobbIT
ü  User-based platform for performing measurements of ISP performance
ü  http://hobbit.comics.unina.it
Ø  MERLIN
ü  Distributed platform to MEasure the Router Level of the Internet
ü  http://svnet.u-strasbg.fr/merlin
Ø  MagNets
ü  Berlin Wireless MAN design and analysis
ü  http://www.net.t-labs.tu-berlin.de/~roger/magnets.html
Ø  Distributed Monitoring and Measurements Architectures for
ü  Operational 3G Networks
ü  Operational Satellite Networks
52

NM2: BISMark (1/3)
Ø Network measurements taken from the home gateway
ü A vantage point into the home network
Ø Both active and passive measurements
ü Customized to user profile Currently Supported devices
ü Data anonymization Netgear WNDR3700

Ø Main features 680Mhz MIPS CPU
64 MB RAM
ü On-demand remote router 8MB Flash
control/update
Custom OpenWrt OS
ü Measurements synchronization
Ø Allows to monitor NOX Box
500Mhz Geode CPU
ü Factors affecting performance
256 MB RAM
•  Local loop 2GB Flash
•  ISP policies Custom Debian OS
•  Home network
ü Usage profiles 53

NM2: BISMark (2/3)

54

NM2: BISMark (3/3)
Current worldwide deployment status
  2 management servers
  more than 50 routers
  more than 50 measurement servers (Universities, MLab)

55

NM2: HobbIT (1/2)
Ø Network measurements taken from the users' PC
ü large scale deployments
Ø Active measurements using standard tools
ü extensible measurement framework About 90 clients in Italy
ü data geolocation and mapping
ü fine-grained resource management
ü multi-platform client
ü automatic updates
ü per-application measurements
Ø Users can
ü monitor their Internet connection
ü compare results with others in the
same location
56

NM2: HobbIT (2/2)

57

NM2: MERLIN
MEasure the Router Level of the Internet
Ø  Target: a specific Autonomous System network
Ø  Efficient joint among the state-of-art techniques in the router
level topology discovery field:
ü Improved IGMP probing
ü Traceroute (paris-variant)
ü Alias resolution technique
Ø  Optimizations:
ü Overcome technique's limitation while preserving benefits
ü Limit the intrusiveness with a central smart coordination
Ø  Several input sources: BGP dumps, CAIDA Archipelago
datasets, MaxMind repositories, ...
Ø  Geo-Location, DNS mapping, IPtoAS mapping, ...
58

NM2: MERLIN

Internet

MERLIN Monitor

MERLIN Coordinator

Sprint Network
59

MagNets: Berlin Wireless MAN
Comprises a wireless backbone and different wireless mesh
networks
Specific active measurement techniques
designed to infer
Ø  Throughput, latency, and loss of the links
Ø  Impact of enhanced transmission modes
Ø  Impact of the environment

http://www.net.t-labs.tu-berlin.de/~roger/magnets.html

Joint research with Deutsche Telekom Laboratories, Berlin 60

Operational 3G networks

Ø Different kinds of (passive ) analyses on the user traffic
Ø  Traffic classification and application identification
Ø  TCP performance
Ø  Root cause analysis
Ø  Impact of middleboxes
Ø On different operational networks from different European
telecom operators 61

Operational satellite networks
Ø Distributed architecture for
passive and active monitoring
and measurements
Ø Different kinds of passive and
active analyses
Ø  End-to-end TCP and UDP
performance
Ø  TCP performance through
passive analysis
Ø  Influence of traffic shaping http://broadband-satellite.atrexx.com/
mechanisms and middleboxes
Ø  Impact of meteorological
conditions on performance
62

Network Monitoring Insights

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to Network Monitoring Insights

Similar to Network Monitoring Insights (20)

Network Monitoring Insights