Next Generation Application-Aware Flow Monitoring
Petr Velan
velan@ics.muni.cz
AIMS 2014, July 3, 2014, Brno
Petr Velan (AIMS 2014) Next Generation Flow Monitoring July 3, 2014, Brno 1/10

Application Flow Monitoring
• Passive network monitoring
• IP flow monitoring + application protocol information
• More accurate traffic classification
• Threat detection on application level
  • Phishing
  • Invalid X.509 certificates
  • ...
• Emerging trend in network monitoring
• More work in implementation than research

Application Flow Monitoring
[Figure: metering process pipeline. L2-L4 header processing -> application processing -> flow cache -> flow processing -> exporting process; flow records leave the exporter as IPFIX messages over the transport protocol.]

IP flow example:

| Flow start | Duration | Proto | Src IP Addr:Port | Dst IP Addr:Port | Flags | Packets | Bytes |
|---|---|---|---|---|---|---|---|
| 09:41:21.763 | 0.101 | | | | .AP.SF | 4 | 715 |

(Protocol and address columns of the example row were not recoverable from the slide.)

Application flow extension example:

| HTTP RT | HTTP Host | HTTP Path | HTTP Code | HTTP Type |
|---|---|---|---|---|
| GET | www.seznam.cz | /favicons/019/194-DBrJCJ.png | | |
| HTTP | - | - | 200 OK | image/x-icon |

Application Flow Impacts
• R.Q. (1): What are the impacts of application protocol measurement on flow exporters?
  • CPU intensive processing
  • Flow cache memory requirements
  • Increasing bandwidth requirements
• Results
  • Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement [1]
  • FlowMon - Plugins for HTTP Monitoring (2012)
• Future work
  • Quantify the impacts
  • Propose solution for flow cache size
  • Specific compression of flow data stream

[1] Petr Velan, Tomas Jirsik and Pavel Celeda. Design and Evaluation of HTTP Protocol Parsers for IPFIX Measurement. In Lecture Notes in Computer Science, Vol. 8115, pages 136-147, Chemnitz, Germany, 2013.

HTTP Parsers Performance Decline
[Figure: parser throughput (y axis, ticks 0-7, unit label not recoverable) versus portion of HTTP traffic in the mix (x axis, 0% to 100%; 0% - no HTTP, 100% - only HTTP headers). Series: no HTTP, optimized strcmp, strcmp, optimized flex, flex, pcre.]

Application Flow Performance
• R.Q. (2): What are the limits of application protocol measurement on high-speed networks?
  • IP flow is capable of monitoring 40/100 Gbps
  • Application flow causes significant performance decline
  • No framework for performance comparison of flow measurement
  • Different results on different data sets
• Future Work
  • Create a methodology for comparison of flow measurement performance
  • Create data sets for testing application protocol parsers

Application Flow Benefits
• R.Q. (3): How can application protocol information be used to improve flow measurement quality?
  • Use application information to improve flow measurement
  • Better flow aggregation
• Results
  • Large-Scale Geolocation for NetFlow [1]
  • An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis [2]
• Future Work
  • Split flows based on application
  • Application protocol specific timeouts

[1] Pavel Celeda, Petr Velan, Martin Rabek, Rick Hofstede and Aiko Pras. Large-Scale Geolocation for NetFlow. In IFIP/IEEE International Symposium on Integrated Network Management (IM 2013), pages 1015-1020, Ghent, Belgium, 2013.
[2] Martin Elich, Petr Velan, Tomas Jirsik and Pavel Celeda. An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis. In 38th Annual IEEE Conference on Local Computer Networks (LCN2013), pages 1046-1052, Sydney, Australia, 2013.

Next Generation Flow
• R.Q. (4): How can information from multiple packet streams be aggregated to a single application event, and how can we utilize application events to design the next generation flow monitoring?
[Figure: an application event assembled from several packet streams; labels visible on the slide: 208.80.154.224, wikipedia.org, 91.198.174.208.]

Plan of Work
Research Questions:
(1) Application Flow Impacts
(2) Application Flow Performance
(3) Application Flow Benefits
(4) Next Generation Flow
[Figure: timeline from Spring '14 through Autumn '14, Spring '15, Autumn '15 to Spring '16, placing R.Q. 1 to R.Q. 4 in sequence; exact spans not recoverable.]

Thank You For Your Attention!
Next Generation Application-Aware Flow Monitoring
Petr Velan
velan@ics.muni.cz
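The "Application Flow Monitoring" slides describe a metering process that keeps L3/L4 counters per flow and extends the record with HTTP fields (host, path, status code, content type), and the "HTTP Parsers Performance Decline" slide shows that the full parser is the expensive part. The toy metering process below is an added example written for this page; it is not FlowMon code, not the parsers evaluated in the cited paper, and not IPFIX. It assumes a biflow key (both directions of a TCP connection land in one record, so the request and its response are recorded together), it hands only payloads that start like an HTTP request or status line to the full parser (the "optimized strcmp" idea of a cheap prefix check before parsing), and it counts parser invocations so the effect of that pre-check on a mixed packet stream is visible. All packets are constructed inline; the host and path values mirror the slide's example record, the addresses are documentation-range placeholders.

```python
# Added example (not from the slides or FlowMon): a toy application-aware
# metering process that extends IP flow records with HTTP fields and shows
# how a cheap pre-check cuts parser work on a traffic mix.
from dataclasses import dataclass
from typing import Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class FlowRecord:
    """One biflow: L3/L4 counters plus the application extension fields."""
    key: tuple
    packets: int = 0
    bytes: int = 0
    http_host: Optional[str] = None
    http_path: Optional[str] = None
    http_code: Optional[int] = None
    http_type: Optional[str] = None


def quick_http_check(payload: bytes) -> bool:
    """Cheap pre-filter: only payloads that begin with a method token or a
    status line are handed to the full parser (assumed heuristic)."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1.")


def parse_http(payload: bytes) -> Optional[dict]:
    """Full parser for the first segment of an HTTP message. Returns
    {'path', 'host'} for a request or {'code', 'type'} for a response,
    or None when the start line is not HTTP."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    start = lines[0].split(b" ", 2)
    out = {}
    if len(start) == 3 and start[2].startswith(b"HTTP/"):
        out["path"] = start[1].decode("ascii", "replace")
    elif len(start) >= 2 and start[0].startswith(b"HTTP/") and start[1].isdigit():
        out["code"] = int(start[1])
    else:
        return None  # not HTTP, or a false positive of the pre-check
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == b"host":
            out["host"] = value.strip().decode("ascii", "replace")
        elif name == b"content-type":
            out["type"] = value.strip().decode("ascii", "replace")
    return out


def flow_key(src, sport, dst, dport, proto):
    """Order the endpoints so both directions map to the same record (biflow)."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def meter(packets, use_prefilter=True):
    """Metering process: L4 accounting for every packet; HTTP extraction for
    the first request and first response seen in each flow. Returns the flow
    cache and the number of full-parser invocations."""
    cache, parser_calls = {}, 0
    for src, sport, dst, dport, proto, payload in packets:
        key = flow_key(src, sport, dst, dport, proto)
        rec = cache.get(key)
        if rec is None:
            rec = cache[key] = FlowRecord(key)
        rec.packets += 1
        rec.bytes += len(payload)
        if proto != 6 or not payload:          # only TCP segments with data
            continue
        if use_prefilter and not quick_http_check(payload):
            continue
        parser_calls += 1
        fields = parse_http(payload)
        if not fields:
            continue
        if "path" in fields and rec.http_path is None:
            rec.http_path, rec.http_host = fields["path"], fields.get("host")
        if "code" in fields and rec.http_code is None:
            rec.http_code, rec.http_type = fields["code"], fields.get("type")
    return cache, parser_calls


# Constructed packet mix: (src, sport, dst, dport, proto, payload).
SAMPLE_PACKETS = [
    ("192.0.2.10", 51234, "198.51.100.7", 80, 6,
     b"GET /favicons/019/194-DBrJCJ.png HTTP/1.1\r\nHost: www.seznam.cz\r\nAccept: */*\r\n\r\n"),
    ("198.51.100.7", 80, "192.0.2.10", 51234, 6,
     b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\nContent-Length: 318\r\n\r\n" + b"\x00" * 318),
    ("192.0.2.10", 51234, "198.51.100.7", 80, 6, b""),             # bare ACK
    ("192.0.2.10", 51235, "203.0.113.9", 443, 6,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 40),  # TLS-like, not HTTP
    ("192.0.2.10", 53412, "192.0.2.1", 53, 17,
     b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 24),                  # DNS over UDP
]

if __name__ == "__main__":
    for flag in (True, False):
        cache, calls = meter(SAMPLE_PACKETS, use_prefilter=flag)
        print(f"prefilter={flag}: {len(cache)} flows, {calls} parser calls")
        for rec in cache.values():
            print(" ", rec)
```

With the pre-check, only the two HTTP segments reach the full parser; without it, every non-empty TCP payload (here also the TLS-like segment) is parsed and rejected, which is the overhead the performance slide attributes to application processing on a mixed traffic stream. The biflow key is a simplification of this example; the slide's IP flow record is unidirectional.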