Time Series Analysis of Network Traffic

Transcription

1 Time Series Analysis of Network Traffic Cyriac James IIT MADRAS February 9, 211 Cyriac James (IIT MADRAS) February 9, / 31

2 Outline of the presentation Background Motivation for the Work Network Trace Analysis and Results Conclusion Drawbacks and Future Work Cyriac James (IIT MADRAS) February 9, / 31

3 Background Traffic Analysis: Looking for Invariants Modeling and Prediction: Linear Models Features Assumptions: Stationarity Predictability Linear fit Cyriac James (IIT MADRAS) February 9, / 31

4 Motivation for the Work Network Traffic is bursty and non-poisson. (Ref: W. E. Leland et al, V. Paxson et al) Can contradict assumptions: Stationarity Linear fit Predictability Stationarity doesn t imply Predictability. Experiments: In the context of TCP SYN Flood attack Cyriac James (IIT MADRAS) February 9, / 31

5 25 Polling Interval = 1s Actual data Predicted data 25 Polling Interval = 1s Actual data Predicted data Data set Data set Polling Interval (a) Prediction Polling Interval (b) Prediction-2 Figure: Time Series and Prediction Cyriac James (IIT MADRAS) February 9, / 31

6 Polling Interval = 1s Predicted data Actual data 8 Attack Period Data set Polling Interval (a) Detection-1 12 Polling Interval = 1s Predicted data Actual data 1 8 Attack Period 6 Model Getting Adjusted to Attack Data set Polling Interval (b) Detection-2 Cyriac James (IIT MADRAS) February 9, / 31

7 4 3 2 Actual Vs Predicted : Gaussian White Noise Actual Predicted Magnitude of the process Sampling Interval Figure: Prediction of WGN Ideally: Stationary and Predictable Cyriac James (IIT MADRAS) February 9, / 31

8 Unanswered Questions Are the assumptions true? Quantify Predictability? Good Feature? Across networks at all times? How often model parameters need to re-estimated? Relation between Stability, Stationarity, ACF, Hurst Exponent etc. Currently lacking: A systematic approach Cyriac James (IIT MADRAS) February 9, / 31

9 Network Trace Figure: Tenet Network Architecture Traces collected using tcpdump. Link Bandwidth: 4Mbps Feature: SYN - SYN/ACK Data Set-1: 26 th July 21 to 3 th July 21 Data Set-2: 23 rd August 21 to 27 th August 21 Data Set-3: 2 th September 21 to 24 th September 21 Cyriac James (IIT MADRAS) February 9, / 31

10 35 Data Set 1,Monday 35 Data Set 1,Tuesday 3 3 Half open count Half open count Sampling Interval (Seconds) Sampling Interval (Seconds) 35 Data Set 1,Wednesday 35 Data Set 1,Thursday 3 3 Half open count Half open count Sampling Interval (Seconds) Sampling Interval (Seconds) Figure: Original Time Series Cyriac James (IIT MADRAS) February 9, / 31

11 Time Series Transformations Study on Time invariant feature - inconclusive. Transformation of Time Series Differencing and Averaging Cyriac James (IIT MADRAS) February 9, / 31

12 Half open count:first difference Data Set 1,Monday Sampling Interval (Seconds) Half open count:first difference Data Set 1,Tuesday Sampling Interval (Seconds) Half open count:first difference Data Set 1,Wednesday Sampling Interval (Seconds) Half open count:first difference Data Set 1,Thursday Sampling Interval (Seconds) Figure: Difference Time Series Cyriac James (IIT MADRAS) February 9, / 31

13 35 Data Set 1,Monday 35 Data Set 1,Tuesday Average half open count Sampling Interval (Seconds) Average half open count Sampling Interval (Seconds) 35 Data Set 1,Wednesday 35 Data Set 1,Thursday Average half open count Average half open count Sampling Interval (Seconds) Sampling Interval (Seconds) Figure: Average Time Series Cyriac James (IIT MADRAS) February 9, / 31

14 Analysis and Results Cyriac James (IIT MADRAS) February 9, / 31

15 Stationarity Check First and second order moments should be invariant of time Day Data Set-1 Dat Set-2 Data Set-3 Monday Tuesday Wednesday Thursday Friday Average (a) Mean: Original Series Day Data Set-1 Dat Set-2 Data Set-3 Monday Tuesday Wednesday Thursday Friday Average (c) Mean: Average Series Day Data Set-1 Dat Set-2 Data Set-3 Monday Tuesday Wednesday Thursday Friday Average (b) Mean: Difference Series Cyriac James (IIT MADRAS) February 9, / 31

16 Stationarity and Auto-Correlation Function(ACF) Studies define stationarity in terms of ACF (Ref: H. Liu and M. S. Kim, G. Kirchgassner and J. Wolters) Fast decaying ACF > Stationary Slow decaying ACF > Non-Stationary Remember: All time series are found non-stationary. Cyriac James (IIT MADRAS) February 9, / 31

17 Data Set 1, Ensemble Average Lag Data Set 2, Ensemble Average Lag Data Set 3, Ensemble Average Lag ACF Plot: Original Series ACF ACF ACF Cyriac James (IIT MADRAS) February 9, / 31

18 Data Set 1, Ensemble Average Lag Data Set 2, Ensemble Average Lag Data Set 3, Ensemble Average Lag ACF Plot: Difference Series ACF ACF ACF Cyriac James (IIT MADRAS) February 9, / 31

19 Data Set 1, Ensemble Average Lag Data Set 2, Ensemble Average Lag Data Set 3, Ensemble Average Lag ACF Plot: Average Series ACF ACF ACF Cyriac James (IIT MADRAS) February 9, / 31

20 Stationarity and Stability Definition: Stability > Stationarity (Ref: G. Kirchgassner and J. Wolters) Consider the series as Linear Prediction (LP) process a t = α 1 a t 1 +α 2 a t 2 +ǫ t (1) where a t,a t 1,... is the time series data, α 1 and α 2 are the model coefficients and ǫ t is the random shock or residual at time t. Characteristic Equation: Yule-Walker Estimation: α 1 and α 2 x 2 α 1 x α 2 = (2) Table: Roots of Original Series Data Set Magnitude of the Root Cyriac James (IIT MADRAS) February 9, / 31

21 Smoothness Factor Matthew Roughan et al in their work on modeling backbone traffic have quantified the smoothness of the time series. Relative Variance (variance divided by the mean) Lower RV implies smoother series Table: Smoothness Data Set Original Series Difference Series Average Series Cyriac James (IIT MADRAS) February 9, / 31

22 Hurst Exponent Estimation Measure of the burstiness H =.5, is a white gaussian noise < H <.5, is a mean reverting and less bursty series.5 < H < 1, is a bursty and trend reinforcing series Rescaled Range Estimator used Table: Hurst exponent Data Set Original Series Difference Series Average Series Cyriac James (IIT MADRAS) February 9, / 31

23 Modeling and Prediction LP model with order 2 Parameter Estimation: Yule-Walker Method Training data: Monday - Thursday Testing: Friday Table: Average Relative Error Data Set Original Series Difference Series Average Series Cyriac James (IIT MADRAS) February 9, / 31

24 Modeling and Prediction Actual Vs Predicted : Data Set 1 Actual Predicted 14 Half open count Sampling Interval ( in seconds) 2 Actual vs Predicted : Data Set Actual Predicted Half open count : First difference Sampling Interval (in seconds) Average half open count Actual Vs Predicted : Data Set 1 Actual Predicted Sampling Interval ( in seconds) Cyriac James (IIT MADRAS) February 9, / 31

25 Detection Probability of False Negative (FN) Probability of False Positive (FP) Probability Threshold Value of Zero FN and 3% FP Threshold Figure: FP vs FN Cyriac James (IIT MADRAS) February 9, / 31

26 Detection 35 Prediction Error During an Attack: Data Set 1 3 Prediction Error Attack Period Sampling Interval (in seconds) Figure: FP vs FN Cyriac James (IIT MADRAS) February 9, / 31

27 Conclusion Assumption of stationarity is not correct in all cases Stability does not imply stationarity. ACF graph alone cannot conclude stationarity. Transformations appear promising. Predictable Series : Slowly decaying ACF, low Hurst exponent and low Relative variance. Window over which series is stationary? Cyriac James (IIT MADRAS) February 9, / 31

28 Drawbacks and Future Work Statistical Significance tests Other transformations: Median smoothening and Mean differencing. Hour based Analysis. Repeat experiments with traffic traces from a different source or network. Compare the traffic characteristics at the edge and core network. Application: Anomaly detection, Bandwidth management. Cyriac James (IIT MADRAS) February 9, / 31

29 Publications 1 Cyriac James and Hema A. Murthy, Time Series Analysis of Network Data: A Case Study, in Third International Workshop on Network Science for Communication Networks, In Conjuction with IEEE Infocom 211 Status: Submitted on 15th January 211 Cyriac James (IIT MADRAS) February 9, / 31

30 References G. E. P. Box, G. M. Jenkins, and G. C. Reinsel, Time Series Analysis: Forecasting and Control. Pearson Education, D. M. Divakaran, H. A. Murthy, and T. A. Gonsalves, Detection of SYN flooding attacks using linear prediction analysis, 14th IEEE International Conference on Networks, pp. 16, September 26. G. Zhang, S. Jiang, G. Wei, and Q. Guan, A prediction-based detection algorithm against distributed denial-of-service attacks, in Proceedings of the International Conference on Wireless Communications and Mobile Computing (IWCMC), June 29. J. Cheng, J. Yin, C. Wu, B. Zhang, and Y. Liu, DDOS attack detection method based on linear prediction model, in ICIC, 29. W. U. Qing-tao and S. Zhi-qing, Detecting DD O S attacks against web server using time series analysis, Wuhan Univesity Journal of Natural Sciences, vol. 11, no. 1, pp , 26. W. E. Leland, M. S. Taqqu, W. Willinger, and D. V. Wilson, On the self-similar nature of ethernet traffic, Cyriac James (IIT MADRAS) February 9, / 31

31 References V. Paxson and S. Floyd, Wide-Area Traffic: The Failure of Poisson Modeling, T. Karagiannis, M. Molle, and M. Faloutsos, Long-range dependence ten years of internet traffic modeling, in IEEE INTERNET COMPUT- ING, vol. 8, Sept 24, pp M. Roughan and J. Gottlieb, Large Scale Measurement and Modeling of Backbone Interent Traffic, in Internet Performance and Control of Network Systems, 22. B. Qian and K. Rasheed, Hurst Exponent And Financial Market Predictability, in IASTED conference on Financial Engineering and Applications, 24. H. Liu and M. S. Kim, Real-time detection of stealthy DD O S attacks using time-series decomposition, in Proceedings of ICC, July 21. G. Kirchgassner and J. Wolters, Introduction to Modern Time Series Analysis. Springer, 27. Cyriac James (IIT MADRAS) February 9, / 31