5 research outputs found
Mining Network Events using Traceroute Empathy
In the never-ending quest for tools that enable an ISP to smooth
troubleshooting and improve awareness of network behavior, much effort has
been devoted to the collection of data by active and passive measurement at the
data plane and at the control plane level. Exploitation of collected data has
been mostly focused on anomaly detection and on root-cause analysis. Our
objective is somewhat in the middle. We consider traceroutes collected by a
network of probes and aim at introducing a practically applicable methodology
to quickly spot measurements that are related to high-impact events that happened in
the network. Such a filtering process eases further in-depth human-based
analysis, for example with visual tools which are effective only when handling
a limited amount of data. We introduce the empathy relation between traceroutes
as the cornerstone of our formal characterization of the traceroutes related to
a network event. Based on this model, we describe an algorithm that finds
traceroutes related to high-impact events in an arbitrary set of measurements.
Evidence of the effectiveness of our approach is given by experimental results
produced on real-world data.
Comment: 8 pages, 7 figures, extended version of Discovering High-Impact
Routing Events using Traceroutes, in Proc. 20th International Symposium on
Computers and Communications (ISCC 2015)
CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP
The Internet routing protocol BGP expresses topological reachability and
policy-based decisions simultaneously in path vectors. A complete view on the
Internet backbone routing is given by the collection of all valid routes, which
is infeasible to obtain due to information hiding of BGP, the lack of
omnipresent collection points, and data complexity. Commonly, graph-based data
models are used to represent the Internet topology from a given set of BGP
routing tables but fall short of explaining policy contexts. As a consequence,
routing anomalies such as route leaks and interception attacks cannot be
explained with graphs.
In this paper, we use formal languages to represent the global routing system
in a rigorous model. Our CAIR framework translates BGP announcements into a
finite route language that allows for the incremental construction of minimal
route automata. CAIR preserves route diversity, is highly efficient, and
well-suited to monitor BGP path changes in real-time. We formally derive
implementable search patterns for route leaks and interception attacks. In
contrast to the state-of-the-art, we can detect these incidents. In practical
experiments, we analyze public BGP data over the last seven years
Measurement Methods for Fast and Accurate Blackhole Identification with Binary Tomography
Binary tomography - the process of identifying faulty network links through coordinated end-to-end probes - is a promising method for detecting failures that the network does not automatically mask (e.g., network "blackholes"). Because tomography is sensitive to the quality of the input, however, naïve end-to-end measurements can introduce inaccuracies. This paper develops two methods for generating inputs to binary tomography algorithms that improve their inference speed and accuracy. Failure confirmation is a per-path probing technique to distinguish packet losses caused by congestion from persistent link or node failures. Aggregation strategies combine path measurements from unsynchronized monitors into a set of consistent observations. When used in conjunction with existing binary tomography algorithms, our methods identify all failures that are longer than two measurement cycles, while inducing relatively few false alarms. In two wide-area networks, our techniques decrease the number of alarms by as much as two orders of magnitude. Compared to the state of the art in binary tomography, our techniques increase the identification rate and avoid hundreds of false alarms
Measurement Methods for Fast and Accurate Blackhole Identification with Binary Tomography
Abstract: Binary tomography—the process of identifying faulty network links through coordinated end-to-end probes—is a promising method for detecting failures that the network does not automatically mask (e.g., network “blackholes”). Because tomography is sensitive to the quality of the input, however, naive end-to-end measurements can introduce inaccuracies. This paper develops two methods for generating inputs to binary tomography algorithms that improve their inference speed and accuracy. Failure confirmation is a per-path probing technique to distinguish packet losses caused by congestion from persistent link or node failures. Aggregation strategies combine path measurements from unsynchronized monitors into a set of consistent observations. When used in conjunction with existing binary tomography algorithms, our methods identify all failures that are longer than two measurement cycles while inducing relatively few false alarms. In two wide-area networks, our techniques decrease the number of alarms by as much as two orders of magnitude. Compared to the state of the art i