Traffic measurement and analysis

Measurement and analysis of real traffic is important to gain knowledge about the characteristics of the traffic. Without measurement, it is impossible to build realistic traffic models. It is recent that data traffic was found to have self-similar properties. In this thesis work traffic captured on the network at SICS and on the Supernet, is shown to have this fractal-like behaviour. The traffic is also examined with respect to which protocols and packet sizes are present and in what proportions. In the SICS trace most packets are small, TCP is shown to be the predominant transport protocol and NNTP the most common application. In contrast to this, large UDP packets sent between not well-known ports dominates the Supernet traffic. Finally, characteristics of the client side of the WWW traffic are examined more closely. In order to extract useful information from the packet trace, web browsers use of TCP and HTTP is investigated including new features in HTTP/1.1 such as persistent connections and pipelining. Empirical probability distributions are derived describing session lengths, time between user clicks and the amount of data transferred due to a single user click. These probability distributions make up a simple model of WWW-sessions

Performance evaluation of an open distributed platform for realistic traffic generation

Network researchers have dedicated a notable part of their efforts to the area of modeling traffic and to the implementation of efficient traffic generators. We feel that there is a strong demand for traffic generators capable to reproduce realistic traffic patterns according to theoretical models and at the same time with high performance. This work presents an open distributed platform for traffic generation that we called distributed internet traffic generator (D-ITG), capable of producing traffic (network, transport and application layer) at packet level and of accurately replicating appropriate stochastic processes for both inter departure time (IDT) and packet size (PS) random variables. We implemented two different versions of our distributed generator. In the first one, a log server is in charge of recording the information transmitted by senders and receivers and these communications are based either on TCP or UDP. In the other one, senders and receivers make use of the MPI library. In this work a complete performance comparison among the centralized version and the two distributed versions of D-ITG is presented

Dataplane Specialization for High-performance OpenFlow Software Switching

OpenFlow is an amazingly expressive dataplane program- ming language, but this expressiveness comes at a severe performance price as switches must do excessive packet clas- sification in the fast path. The prevalent OpenFlow software switch architecture is therefore built on flow caching, but this imposes intricate limitations on the workloads that can be supported efficiently and may even open the door to mali- cious cache overflow attacks. In this paper we argue that in- stead of enforcing the same universal flow cache semantics to all OpenFlow applications and optimize for the common case, a switch should rather automatically specialize its dat- aplane piecemeal with respect to the configured workload. We introduce ES WITCH , a novel switch architecture that uses on-the-fly template-based code generation to compile any OpenFlow pipeline into efficient machine code, which can then be readily used as fast path. We present a proof- of-concept prototype and we demonstrate on illustrative use cases that ES WITCH yields a simpler architecture, superior packet processing speed, improved latency and CPU scala- bility, and predictable performance. Our prototype can eas- ily scale beyond 100 Gbps on a single Intel blade even with complex OpenFlow pipelines

Management, Optimization and Evolution of the LHCb Online Network

The LHCb experiment is one of the four large particle detectors running at the Large Hadron Collider (LHC) at CERN. It is a forward single-arm spectrometer dedicated to test the Standard Model through precision measurements of Charge-Parity (CP) violation and rare decays in the b quark sector. The LHCb experiment will operate at a luminosity of 2x10^32cm-2s-1, the proton-proton bunch crossings rate will be approximately 10 MHz. To select the interesting events, a two-level trigger scheme is applied: the rst level trigger (L0) and the high level trigger (HLT). The L0 trigger is implemented in custom hardware, while HLT is implemented in software runs on the CPUs of the Event Filter Farm (EFF). The L0 trigger rate is dened at about 1 MHz, and the event size for each event is about 35 kByte. It is a serious challenge to handle the resulting data rate (35 GByte/s). The Online system is a key part of the LHCb experiment, providing all the IT services. It consists of three major components: the Data Acquisition (DAQ) system, the Timing and Fast Control (TFC) system and the Experiment Control System (ECS). To provide the services, two large dedicated networks based on Gigabit Ethernet are deployed: one for DAQ and another one for ECS, which are referred to Online network in general. A large network needs sophisticated monitoring for its successful operation. Commercial network management systems are quite expensive and dicult to integrate into the LHCb ECS. A custom network monitoring system has been implemented based on a Supervisory Control And Data Acquisition (SCADA) system called PVSS which is used by LHCb ECS. It is a homogeneous part of the LHCb ECS. In this thesis, it is demonstrated how a large scale network can be monitored and managed using tools originally made for industrial supervisory control. The thesis is organized as the follows: Chapter 1 gives a brief introduction to LHC and the B physics on LHC, then describes all sub-detectors and the trigger and DAQ system of LHCb from structure to performance. Chapter 2 first introduces the LHCb Online system and the dataflow, then focuses on the Online network design and its optimization. In Chapter 3, the SCADA system PVSS is introduced briefly, then the architecture and implementation of the network monitoring system are described in detail, including the front-end processes, the data communication and the supervisory layer. Chapter 4 first discusses the packet sampling theory and one of the packet sampling mechanisms: sFlow, then demonstrates the applications of sFlow for the network trouble-shooting, the traffic monitoring and the anomaly detection. In Chapter 5, the upgrade of LHC and LHCb is introduced, the possible architecture of DAQ is discussed, and two candidate internetworking technologies (high speed Ethernet and InfniBand) are compared in different aspects for DAQ. Three schemes based on 10 Gigabit Ethernet are presented and studied. Chapter 6 is a general summary of the thesis

Treatment-Based Classi?cation in Residential Wireless Access Points

IEEE 802.11 wireless access points (APs) act as the central communication hub inside homes, connecting all networked devices to the Internet. Home users run a variety of network applications with diverse Quality-of-Service requirements (QoS) through their APs. However, wireless APs are often the bottleneck in residential networks as broadband connection speeds keep increasing. Because of the lack of QoS support and complicated configuration procedures in most off-the-shelf APs, users can experience QoS degradation with their wireless networks, especially when multiple applications are running concurrently. This dissertation presents CATNAP, Classification And Treatment iN an AP , to provide better QoS support for various applications over residential wireless networks, especially timely delivery for real-time applications and high throughput for download-based applications. CATNAP consists of three major components: supporting functions, classifiers, and treatment modules. The supporting functions collect necessary flow level statistics and feed it into the CATNAP classifiers. Then, the CATNAP classifiers categorize flows along three-dimensions: response-based/non-response-based, interactive/non-interactive, and greedy/non-greedy. Each CATNAP traffic category can be directly mapped to one of the following treatments: push/delay, limited advertised window size/drop, and reserve bandwidth. Based on the classification results, the CATNAP treatment module automatically applies the treatment policy to provide better QoS support. CATNAP is implemented with the NS network simulator, and evaluated against DropTail and Strict Priority Queue (SPQ) under various network and traffic conditions. In most simulation cases, CATNAP provides better QoS supports than DropTail: it lowers queuing delay for multimedia applications such as VoIP, games and video, fairly treats FTP flows with various round trip times, and is even functional when misbehaving UDP traffic is present. Unlike current QoS methods, CATNAP is a plug-and-play solution, automatically classifying and treating flows without any user configuration, or any modification to end hosts or applications

Uplink data measurement and analysis for 5G eCPRI radio unit

Abstract. The new 5G mobile network generation aims to enhance the performance of the cellular network in almost every possible aspect, offering higher data rates, lower latencies, and massive number of network connections. Arguably the most important change from LTE are the new RU-BBU split options for 5G promoted by 3GPP and other organizations. Another big conceptual shift introduced with 5G is the open RAN concept, pushed forward by organizations such as the O-RAN alliance. O-RAN aims to standardize the interfaces between different RAN elements in a way that promotes vendor interoperability and lowers the entry barrier for new equipment suppliers. Moreover, the 7-2x split option standardized by O-RAN has risen as the most important option within the different low layer split options. As the fronthaul interface, O-RAN has selected the packet-based eCPRI protocol, which has been designed to be more flexible and dynamic in terms of transport network and data-rates compared to its predecessor CPRI. Due to being a new interface, tools to analyse data from this interface are lacking. In this thesis, a new, Python-based data analysis tool for UL eCPRI data was created for data quality validation purposes from any O-RAN 7-2x functional split based 5G eCPRI radio unit. The main goal for this was to provide concrete KPIs from captured data, including timing offset, signal power level and error vector magnitude. The tool produces visual and text-based outputs that can be used in both manual and automated testing. The tool has enhanced eCPRI UL datapath testing in radio unit integration teams by providing actual quality metrics and enabling test automation.Uplink datamittaukset ja -analyysi 5G eCPRI radiolla. Tiivistelmä. Uusi 5G mobiiliverkkogeneraatio tuo mukanaan parannuksia lähes kaikkiin mobiiliverkon ominaisuuksiin, tarjoten nopeamman datasiirron, pienemmät viiveet ja valtavat laiteverkostot. Luultavasti tärkein muutos LTE teknologiasta ovat 3GPP:n ja muiden organisaatioiden ehdottamat uudet radion ja systeemimoduulin väliset funktionaaliset jakovaihtoehdot. Toinen huomattava muutos 5G:ssä on O-RAN:in ajama avoimen RAN:in konsepti, jonka tarkoituksena on standardisoida verkkolaitteiden väliset rajapinnat niin, että RAN voidaan rakentaa eri valmistajien laitteista, laskien uusien laitevalmistajien kynnystä astua verkkolaitemarkkinoille. O-RAN:n standardisoima 7-2x funktionaalinen jako on noussut tärkeimmäksi alemman tason jakovaihtoehdoista. Fronthaul rajapinnan protokollaksi O-RAN on valinnut pakettitiedonsiirtoon perustuvan eCPRI:n, joka on suunniteltu dynaamisemmaksi ja joustavammaksi datanopeuksien ja lähetysverkon suhteen kuin edeltävä CPRI protokolla. Uutena protokollana, eCPRI rajapinnalle soveltuvia data-analyysityökaluja ei ole juurikaan saatavilla. Tässä työssä luotiin uusi pythonpohjainen data-analyysityökalu UL suunnan eCPRI datalle, jotta datan laatu voidaan määrittää millä tahansa O-RAN 7-2x funktionaaliseen jakoon perustuvalla 5G eCPRI radiolla. Työkalun päätarkoitus on analysoida ja kuvata datan laatua laskemalla datan ajoitusoffsettia, tehotasoa, sekä EVM:ää. Työkalu tuottaa tulokset visuaalisena ja tekstipohjaisena, jotta analyysia voidaan tehdä niin manuaalisessa kuin automaattisessa testauksessa. Työkalun käyttöönotto on tehostanut UL suunnan dataputken testausta radio-integrointitiimeissä, tarjoten datan laatua kuvaavaa metriikkaa sekä mahdollistaen testauksen automatisoinnin

Multi-technology router for mobile networks : layer 2 overlay network over private and public wireless links

Tese de mestrado integrado. Engenharia Informática e Computação. Faculdade de Engenharia. Universidade do Porto. 201

Statistical methods used for intrusion detection

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006Includes bibliographical references (leaves: 58-64)Text in English; Abstract: Turkish and Englishx, 71 leavesComputer networks are being attacked everyday. Intrusion detection systems are used to detect and reduce effects of these attacks. Signature based intrusion detection systems can only identify known attacks and are ineffective against novel and unknown attacks. Intrusion detection using anomaly detection aims to detect unknown attacks and there exist algorithms developed for this goal. In this study, performance of five anomaly detection algorithms and a signature based intrusion detection system is demonstrated on synthetic and real data sets. A portion of attacks are detected using Snort and SPADE algorithms. PHAD and other algorithms could not detect considerable portion of the attacks in tests due to lack of sufficiently long enough training data

The Dynamics of Internet Traffic: Self-Similarity, Self-Organization, and Complex Phenomena

The Internet is the most complex system ever created in human history. Therefore, its dynamics and traffic unsurprisingly take on a rich variety of complex dynamics, self-organization, and other phenomena that have been researched for years. This paper is a review of the complex dynamics of Internet traffic. Departing from normal treatises, we will take a view from both the network engineering and physics perspectives showing the strengths and weaknesses as well as insights of both. In addition, many less covered phenomena such as traffic oscillations, large-scale effects of worm traffic, and comparisons of the Internet and biological models will be covered.Comment: 63 pages, 7 figures, 7 tables, submitted to Advances in Complex System