Introduction

Internet traffic monitoring and analysis entails monitoring the Internet network links and understanding their behavior. This course will cover the techniques and tools being developed for Internet traffic monitoring and analysis. Active and passive monitoring techniques will be studied. In this course, students will get to develop algorithms and a prototype system for capturing packets and analyzing them for various purposes.

Instructor:

Prof. Won-Ki Hong (PIRL 434) : 279-2244, jwkhong@postech.ac.kr

Lectures:

Mon. & Wed. 09:30-10:45 (PIRL-222)

Pre-requisites:

A course on computer or telecommunication networks is required. A course on network management is recommended.

Required Textbook:

There will not be a textbook for this course. Lecture materials and research papers will be used for the course.

Recommended Books:

• Alberto Leon-Garcia, Communication Networks: Fundamental Concepts and Key Architectures, McGraw-Hill, ISBN: 0070228396, 2003.
• Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley, ISBN: 0-201-63346-9, 1994.
• Douglas E. Comer, Computer Networks and Internets, Prentice Hall, ISBN 0-13-599010-6, 1997.
• D. Comer, Internetworking with TCP/IP, Vol I: Principles, Protocols, and Architecture, Second edition, Prentice-Hall, Englewood Cliffs, NJ, ISBN 0-13-468505-9 1991.
• D. Comer and D. Stevens, Internetworking with TCP/IP, Vol II: Design, Implementation, and Internals, Prentice-Hall, Englewood Cliffs, NJ, ISBN 0-13-472242-6 1991.
• William Stallings, Data and Computer Communications, Fifth Edition, Prentice Hall, ISBN 0-02-415425-3, 1997.
• William Stallings, SNMP, SNMPv2, SNMPv3 and RMON 1 and 2, Third Edition, Addison-Wesley, 1999.

Suggested Reference Journals and Conferences:

• IEEE, IEEE eTransactions on Network and Service Management
• IEEE/ACM, IEEE/ACM Transactions on Networking
• Plenum Press, Journal of Network and Systems Management, ISSN 1064-7570.
• IEEE Communications Society, IEEE Network, ISSN 0890-8044.
• IEEE Communications Society, IEEE Communications Magazine, ISSN 0163-6084.
• John Wiley & Sons, International Journal of Network Management, ISSN 1055-7148.
• Passive and Active Measurement Workshop (PAM): 2006, 2005, 2004, 2003, 2002, 2001, 2000
• Internet Measurement Conference (IMC): 2001-2005

Evaluation:

• Evaluation on each student will be done based on the following:
  1. Assignments - 50%
  2. Term Project - 45%
  3. Class Participation - 5%
• Note: the above evaluation scheme may change slightly during the course.

Term Project:

There will be a major term project (worth 45% of the final mark) on developing a traffic monitoring and analysis system. The topics will be discussed in class. Students will be asked to prepare, present and submit materials related to the project throughout the course.
1. Project Proposals(Due: Nov. 9, 2005)
2. Requirements Document (Due: Nov. 16, 2005)
3. Detailed Design Document (Due: Nov. 30, 2005)
4. Demo & Implementation Document (Due: Dec. 14, 2005)

Assignments:

• There will be a few assignments (worth 50% of the final mark).
  • Assignment 1 (1%) (Out: Sept. 5, Due: Sept. 12 in class)
  • Assignment 2 (6%) (Out: Sept. 7, Due: Sept. 21 in class)
  • Assignment 3 (6%) (Out: Sept. 21, Due: Oct. 5 in class)
  • Assignment 4 (6%) (Out: Oct. 10, Due: Oct. 17 in class)
  • Assignment 5 (6%) (Out: Oct. 17, Due: Nov. 2 in class)
  • Assignment 6 (6%) (Out: Oct. 17, Due: Nov. 2 in class)
  • Assignment 7 (6%) (Out: Nov. 9, Due: Nov. 14 in class)
  • Assignment 8 (6%) (Out: Nov. 14, Due: Nov. 21 in class)
  • Assignment 9 (7%) (Out: Nov. 23, Due: Dec. 5 in class)

• Note: the above assignment schedule may change slightly during the course.

• Late assignments may be handed in, but there will be a penalty of 20% of the mark for assignments turned in less than one day late, and an additional penalty of 10% for each day thereafter.

• Cheating Policy -- Cheating will not be tolerated in this course. Students are encouraged discuss things related to courses and assignments but the materials handed in must be his/her own. The maximum penalty for the first offense is for the assignment in question. For subsequent offenses may result in an automatic failure of the course and possibly other academic punishments.

Class Participation:

Students are strongly encouraged to attend all lectures and to participate in discussions during lectures. 5% of the final mark is assigned for good and active class participation.

Reading the BBS:

A BBS has been set up for this course. In this BBS you will find changes to the lecture schedule, clarifications to the assignments, etc. You can also post questions to the TA or to the whole class. It is your responsibility to read this BBS on a regular basis. There is likely to be little information at the beginning, but more as the course progresses. Click here to enter the BBS.

Research Papers:

• Network Security
  1. "Internet Infrastructure Security: A Taxonomy," Anirban Chakrabarti, and G. Manimaran, IEEE Network, Vol. 16, Nov. 2002, pp 13-21.
  2. "A taxonomy of computer worms," Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham, 2003 ACM workshop on Rapid Malcode, Oct. 2003, pp.11-18.
  3. "Recent worms: a survey and trends," Darrell M. Kienzle, and Matthew C. Elder, 2003 ACM workshop on Rapid Malcode, Oct. 2003, pp. 1-10.
  4. "Effect of Malicious Traffic on the Network," Kun-chan Lan, Alefiya Hussain, and Debojyoti Dutta, 2003 Passive and Active Measurement Workshop, La Jolla, California, April 2003.
  5. "Monitoring and Early Warning for Internet Worms," Cliff Changchun Zou, Lixin Gao, Weibo Gong and Don Towsley, 10th ACM Conference on Computer and Communication Security (CCS'03), Oct. 27-31, Washington DC, USA, 2003.
  6. "Network Traffic Anomaly Detection Based on Packet Bytes", Matthew V. Mahoney, 2003 ACM symposium on Applied computing, Melbourne, Florida, 2003, pp. 346-350.
  7. "A Framework for Malicious Workload Generation," Joel Sommers, Vinod Yegneswaran, Paul Barford, IMC 2004, Oct. 2004, Sicily, Italy, pp. 82-87.
  8. "Characterization of Network-Wide Anomalies in Traffic Flows," Anukool Lakhina, Mark Crovella, and Christophe Diot, IMC 2004, Oct. 2004, Sicily, Italy, pp. 201-206.
  9. "Real-time visualization of network attacks on high-speed links," H. Kim, I. Kang, and Saewoong Bahk, IEEE Network, Vol. 18, No. 5, Sept. 2004, pp.30-39.
  10. "Can we contain Internet worms?" Manuel Costa; Jon Crowcroft; Miguel Castro; Antony Rowstron Microsoft Research Technical Report MSR-TR-2004-83, August 2004
• Traffic Measurement and Analysis
  1. "Packet-level Traffic Measurement from the Sprint IP backbone," C. Fraleigh, S. Moon, B. Lyles, C. Cotton, M. Khan, D. Moll, R. Rockell, T. Seely, and C. Diot, IEEE Network Magazine, 2003.
  2. "Introducing Scalability in Network Measurement: Toward 10 Gbps with Commodity Hardware", Loris Degioanni and Gianluca Varenni, Internet Measurement Conference, Taormina, Sicily, Italy, October 2004.
  3. "A Nonstationary Poisson View of Internet Traffic", Thomas Karagiannis, Mart Molle, Michalis Faloutsos, and Andre Broido, IEEE Infocom, Hong Kong, March 2004.
  4. "An Analysis of Live Streaming Workloads on the Internet", Kunwadee Sripanidkulchai, Bruce Maggs, and Hui Zhang, Internet Measurement Conference, Taormina, Sicily, Italy, October 2004.
  5. "Comparison of Public End-to-End Bandwidth Estimation Tools on High-Speed Links", Alok Shriram, Margaret Murray, Young Hyun, Nevil Brownlee, Andre Broido, Marina Fomenkov, and kc claffy, Passive and Active Measurements Workshop, Boston, MA, USA, March 31 - April 1, 2005.
• Application Traffic Monitoring and Identification
  1. "File-sharing in the Internet: A characterization of P2P traffic in the backbone", Thomas Karagiannis, Andre Broido, Nevil Brownlee, kc claffy, and Michalis Faloutsos, Technical Report, November 2003.
  2. "Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures", S. Sen, O. Spatscheck, and D. Wang, WWW 2004 Conference.
  3. "High Performance Intrusion Detection using Traffic Classification", Tarek Abbes, Alakesh Haloi, and Michael Rusinowitch, AISTA 2004 in Cooperation with the IEEE Computer Society Proceedings, Nov. 2004.
  4. "Measurement-based traffic profile of the eDonkey filesharing service", K. Tutschku, Passive and Active Measurements Workshop, Antibes Juan-les-Pins, France, April 19-20, 2004.
  5. "Transport layer identification of p2p traffic", Thomas Karagiannis, Andre Broido, Michalis Faloutsos, and kc Claffy, Internet Measurement Conference, Taormina, Sicily, Italy, October 2004.
  6. "BLINC: Multilevel Traffic Classification in the Dark", T. Karagiannis, K. Papagiannaki, and M. Faloutsos, ACM SIGCOMM, Philadelphia, PA, August 2005. กก
  7. "Internet Traffic Classification Using Bayesian Analysis Techniques", Andrew W. Moore and Denis Zuev, ACM SIGMETRICS, Banff, Canada, June 2005. กก
  8. "A Traffic Identification Method and Evaluations for a Pure P2P Application", Satoshi Ohzahata, Yoichi Hagiwara, Matsuaki Terada, and Konosuke Kawashima, Passive and Active Measurements Workshop, Boston, MA, USA, March 31 - April 1, 2005. กก
  9. "Toward the Accurate Identification of Network Applications", Andrew W. Moore and Konstantina Papagiannaki, Passive and Active Measurements Workshop, Boston, MA, USA, March 31 - April 1, 2005. กก
  10. "Packet Classification in Large ISPs: Design and Evaluation of Decision Tree Classifiers", Edith Cohen, Carsten Lund, ACM SIGMETRICS Performance Evaluation Review 2005.

Topics Covered:

The following is a tentative list of lecture topics for the course.

1. Overview of Computer Networking
2. Networking Protocols
   • Data Link Layer
   • Network Layer
   • Transport Layer
   • Application Layer
   • Multimedia Networking
3. Introduction to Traffic Monitoring and Analysis
4. Traffic Monitoring Metrics and Approaches
5. Active Monitoring Techniques
6. Passive Monitoring Techniques
7. Standards Activities
8. Monitoring and Analysis Tools
9. DPNM Research Activities in Traffic Monitoring and Analysis (WebTrafMon & NG-Mon)
10. Peer-to-Peer Application Analysis
11. Sprint Lab IPMON
12. Project Presentations