Introduction

Internet traffic monitoring and analysis entails monitoring the Internet network links and understanding their behavior. This course will cover the techniques and tools being developed for Internet traffic monitoring and analysis. Active and passive monitoring techniques will be studied. In this course, students will get to develop algorithms and a prototype system for capturing packets and analyzing them for various purposes.

Instructor:

Prof. James Won-Ki Hong (RIST R4 4427) : 279-2244, jwkhong(@)postech.ac.kr

Lectures:

Tue. & Thu. 15:30-16:45 (RIST R4 4406)

Pre-requisites:

A course on computer or telecommunication networks is required. A course on network management is recommended.

Required Textbook:

There will not be a textbook for this course. Lecture materials and research papers will be used for the course.

Recommended Books:

• Alberto Leon-Garcia, Communication Networks: Fundamental Concepts and Key Architectures, McGraw-Hill, ISBN: 0070228396, 2003.
• Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, Addison-Wesley, ISBN: 0-201-63346-9, 1994.
• Douglas E. Comer, Computer Networks and Internets, Prentice Hall, ISBN 0-13-599010-6, 1997.
• D. Comer, Internetworking with TCP/IP, Vol I: Principles, Protocols, and Architecture, Second edition, Prentice-Hall, Englewood Cliffs, NJ, ISBN 0-13-468505-9 1991.
• D. Comer and D. Stevens, Internetworking with TCP/IP, Vol II: Design, Implementation, and Internals, Prentice-Hall, Englewood Cliffs, NJ, ISBN 0-13-472242-6 1991.
• William Stallings, Data and Computer Communications, Fifth Edition, Prentice Hall, ISBN 0-02-415425-3, 1997.
• William Stallings, SNMP, SNMPv2, SNMPv3 and RMON 1 and 2, Third Edition, Addison-Wesley, 1999.

Suggested Reference Journals and Conferences:

• IEEE, IEEE eTransactions on Network and Service Management
• IEEE/ACM, IEEE/ACM Transactions on Networking
• Plenum Press, Journal of Network and Systems Management, ISSN 1064-7570.
• IEEE Communications Society, IEEE Network, ISSN 0890-8044.
• IEEE Communications Society, IEEE Communications Magazine, ISSN 0163-6084.
• John Wiley & Sons, International Journal of Network Management, ISSN 1055-7148.
• Passive and Active Measurement Workshop (PAM): 2006, 2005, 2004, 2003, 2002, 2001, 2000
• Internet Measurement Conference (IMC): 2001-2005

Evaluation:

• Evaluation on each student will be done based on the following:
  1. Assignments - 40%
  2. Term Project - 50%
  3. Class Participation - 10%
• Note: the above evaluation scheme may change slightly during the course.

Term Project:

There will be a major term project (worth 50% of the final mark) on developing a traffic monitoring and analysis system. The topics will be discussed in class. Students will be asked to prepare, present and submit materials related to the project throughout the course.
1. Project Proposals
2. Requirements Document
3. Detailed Design Document
4. Demo & Implementation Document

Assignments:

• There will be a few assignments (worth 40% of the final mark).
  • Assignment 1 (1%) (Out: Mar. 3, Due: Mar. 10 in class)
  • Assignment 2 (5%) (Out: Mar. 15, Due: Mar. 29 in class)
  • Assignment 3 (3%) (Out: Mar. 31, Due: Apr. 7 in class)
  • Assignment 4 (5%) (Out: Apr. 7, Due: Apr. 19 in class)

• Note: the above assignment schedule may change slightly during the course.

• Late assignments may be handed in, but there will be a penalty of 20% of the mark for assignments turned in less than one day late, and an additional penalty of 10% for each day thereafter.

• Cheating Policy -- Cheating will not be tolerated in this course. Students are encouraged discuss things related to courses and assignments but the materials handed in must be his/her own. The maximum penalty for the first offense is for the assignment in question. For subsequent offenses may result in an automatic failure of the course and possibly other academic punishments.

Class Participation:

Students are strongly encouraged to attend all lectures and to participate in discussions during lectures. 5% of the final mark is assigned for good and active class participation.

Research Papers:

• Surveys
  1. "A Survey on Internet Traffic Identification," Callado, Carlos Kamienski, Geza Szabo, Balazs Gero, Judith Kelner, Stenio Fernandes, Djamel Sadok, IEEE Communications Surveys & Tutorials, Vol. 11, No. 3. (2009), pp. 37-52.
  2. "A Survey of Techniques for Internet Traffic Classification Using Machine Learning," T. Naguyen and G. Armitage, IEEE Communications Surveys and Tutorials, 2008
  3. "A Taxonomy of DDoS attacks and DDoS defense Mechanisms," Jelena Mirkovic and Peter Reiher. ACM Computer Communication Review, Volume 34 Issue 2, April 2004, pp. 39-53.
  4. "Anomaly detection: A survey," V. Chandola, A. Banerjee and V. Kumar, ACM Computing Surveys, Vol. 41, Issue 3, July 2009, pp. 15:1-15:58.

• Network Security
  1. *"Snort Lightweight Intrusion Detection for Networks," M. Roesch, Proceedings of LISA '99: 13th Systems Administration Conference Seattle, Washington, USA, November 1999, pp. 229-238.
  2. *"Diagnosing network-wide traffic anomalies," A. Lakhina, M. Crovella, and C. Diot, ACM SIGCOMM 20004, pp. 219-230.
  3. *"A Taxonomy of DDoS attacks and DDoS defense Mechanisms," Jelena Mirkovic and Peter Reiher. ACM Computer Communication Review, Volume 34 Issue 2, April 2004, pp. 39-53.
  4. *"Botnet Detection Based on Network Behavior", W. Strayer, David Lapsely, Robert Walsh and Carl Livadas, Advances in Information Security, 2008, Volume 36, 1-24.
  5. "DDoS attack detection method using cluster analysis," K. Lee, J. Kim, K. Kwon, Y. Han and S. Kim, Expert Systems with Applications, Volume 34, Issue 3, April 2008, Pages 1659-1665.
  6. *Modeling and Automated Containment of Worms," IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, Vol. 5, No. 2, APRIL-JUNE 2008, pp. 71-86.
  7. *BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection," G. Gu, R. Perdisci, J. Zhang and W. Lee, 17th USENIX Security Symposium, 2008, pp. 139-154.
  8. *"Anomaly-based network intrusion detection: Techniques, systems and challenges", P. Garcia-Tedodro, J. Diaz-Verdejo, G.Macia-Fernandez and E. Vazquez, Computers & Security, Vol. 28, 2009, pp. 18-28.
  9. "Anomaly detection: A survey," V. Chandola, A. Banerjee and V. Kumar, ACM Computing Surveys, Vol. 41, Issue 3, July 2009, pp. 15:1-15:58.
  10. "BotGrep: Finding P2P Bots with Structured Graph Analysis," S. Nagaraja, P. Mittal, C. Hong, M. Caesar, and N. Borisov, USENIX Security 2010, Washington DC, USA, August 2010, pp. 1-16.
  11. *Top 10 Computer Viruses and Worms, ABC News, Sept. 2009.

• Traffic Measurement and Analysis
  1. "Seven Years and One Day: Sketching the Evolution of Internet Traffic," P. Borgnat, G. Dewael, K. Fukuda, P. Abry, and K. Cho, IEEE INFOCOM 2009, Rio de Janeiro, Brazil, April, 2009, pp.711--719.
  2. "On the stability of the information carried by traffic flow features at the packet level," A. Este, F. Gringoli, and L. Salgarelli. SIGCOMM Comput. Commun. Rev., 39(3):13.18, 2009.
  3. "Unveiling core network-wide communication patterns through application traffic activity graph decomposition," Y. Jin, E. Sharafuddin, and Z.-L. Zhang, ACM SIGMETRICS, 2009.
  4. "On Dominant Characteristics of Residential Broadband Internet Traffic," G. Maierm, A. Feldmann, V. Paxson and M. Allman, ACM SIGCOMM IMC, 2009
  5. "Profiling the End Host," T. Karagiannis and K. Papagiannaki, N. Taft and M. Faloutsos, Pasive and Active Measurement, 2007
  6. "Network Traffic Characteristics of Data Centers in the Wild," T. Benson, A. Akella and D. Maltz, ACM IMC, 2010.
  7. "Characterizing the Global Impact of the P2P Overlay on the AS-level Underlay," A. Rasti, R. Rejaie and W. Willinger, Passive and Active Measurement, Zurich, Switzerland, Apr. 7-9, 2010.
  8. "Youtube traffic characterization: a view from the edge," P. Gill, M. Arlitt, Z. Li and A. Mahanti, ACM IMC, 2007.
• Application Traffic Monitoring and Identification
  1. "Internet Traffic Classification Demystified: On the Sources of the Discriminative Power," Y. Lim, H. Kim, J. Jeong, C. Kim, T. Kwon, and Y. Choi, ACM SIGCOMM CoNEXT, Philadelphia, PA, Dec. 2010.
  2. "Early application identification," L. Bernaille, R. Teixeira, and K. Salamatian, ACM CoNEXT, 2006.
  3. "Traffic classification through simple statistical fingerprinting," M. Crotti, M. Dusi, F. Gringoli, and L. Salgarelli, SIGCOMM Comput. Commun. Rev., 37(1):5.16, 2007.
  4. "Graph-based p2p traffic classification at the internet backbone," M. Iliofotou, H.-c. Kim, M. Faloutsos, M. Mitzenmacher, P. Pappu, and G. Varghese, IEEE INFOCOM, 2009.
  5. "Comparing traffic classifiers," L. Salgarelli, F. Gringoli, and T. Karagiannis, SIGCOMM Comput. Commun. Rev., 37(3):65.68, 2007.
  6. "BLINC: Multilevel Traffic Classification in the Dark," T. Karagiannis, K. Papagiannaki, and M. Faloutsos, ACM SIGCOMM, Philadelphia, PA, August 2005. ¡¡
  7. "PortLoad: taking the best of two worlds in traffic classification," Giuseppe Aceto, Alberto Dainotti, Walter de Donato, Antonio Pescape, IEEE INFOCOM, 2010
  8. "Lightweight, payload-based traffic classification: An experimental evaluation," M. Morandi O. Baldini A. Monclus P. Risso, F. Baldi, ICC¡¯08, May 2008.
• Social Network & Mobile Traffic
  1. "An Analysis of Social Network-Based Sybil Defenses," Bimal Viswanath, Ansley Post, Krishna P. Gummadi, Alan Mislove, ACM SIGCOMM, 2010.
  2. "You are who you know: Inferring user profiles in online social networks," A. Mislove, B. Viswanath, K. P. Gummadi, and P. Druschel. In Proc. WSDM¡¯10, New York, NY, Feb 2010.
  3. " User Interactions in Social Networks and their Implications," C. Wilson, B. Boe, A. Sala, K. P. N. Puttaswamy, and B. Y. Zhao. In Proc. Eurosys¡¯09, Nuremberg, Germany, Apr 2009.
  4. "Comparison of Online Social Relations in Terms of Volume vs. Interaction: A Case Study of Cyworld", H. Chun, H. Kwak, Y. Eom, Y. Ahn, S. Moon, H. Jeong, ACM SIGCOMM IMC 200.
  5. "Analysis of topological characteristics of huge online social networking services," Y.-Y. Ahn, WWW ¡¯07, New York, NY, USA, 2007.
  6. "Statistical properties of community structure in large social and information networks," J. Leskovec, WWW¡¯08, New York, NY, USA, 2008.
  7. "A First Look at Traffic on Smartphones,¡± H. Falaki, D. Lymberopoulos, R. Mahajan, S. Kandula, and D. Estrin, ACM Internet Measurement Conference, Melbourne, Australia, Nov. 1-3, 2010.
  8. "A First Look at Mobile Hand-held Device Traffic," G. Maier, F. Schneider, and A. Feldmann, Passive and Active Measurement, Zurich, Switzerland, Apr. 7-9, 2010.
  9. "A Comparative Study of Handheld and Non-Handheld Traffic in Campus WiFi Networks," A. Gember, A. Anand, and A. Akella, Passive and Active Measurement, Atlanta, USA, Mar. 20-22, 2011.
  10. "Measurement Analysis of Mobile Data Networks," Young J. Won, B.C. Park, S.C. Hong, K.B. Jung, H.T. Ju, and James W. Hong, Passive and Active Measurement Conference (PAM 2007), Louvain-la-neuve, Belgium, Apr. 5-6, 2007, pp. 223-227.
• Network Performance / Virtualization
  1. "Characterizing user behavior and network performance in a public wireless LAN," A. Balachandran, G. Voelker, P. Bahl, P. Rangan, ACM SIGMETRICS, 2002.
  2. "Netgauge: A Network Performance Measurement Framework," T. Hoefler, T. Mehlan, A. Lumsdaine and W. Rehm, Proceedings of High Performance Computing and Communications (HPCC), Sep. 2007, pp.659--671.
  3. "WiMAX Performance Evaluation," P. Mach, R. Bestak, Sixth International Conference on Networking (ICN'07), Apr. 22-28, 2007, pp.17--20.
  4. "Mobile WiMAX systems: performance and evolution", F. Wang, A. Ghosh, C. Sankaran, P. Fleming, F. Hsieh, and S. Benes, IEEE Communications Magazine, Vol.46, Issue. 10, Oct. 2008, pp.41--49.
  5. "Best-case WiBro performance for a single flow," S. Woo, K. Jang, S. Kim, S. Cho, J. Lee, Y. Lee, S. Moon, ACM Workshop on Mobile Internet through Cellular Networks: Operations, Challenges, and Solutions (MICNET), October 2009, Beijing, China.
  6. "Evaluation of VoIP Quality over WiBro," M. Han, Y. Lee, S. Moon, K. Jang, D. Lee, Passive and Active Measurement Conference (PAM), April 2008.
  7. "Performance Impact of Large File Transfer on Web Proxy Caching: A Case Study in a High Bandwidth Campus Network Environment," H. Kim, D. Lee, K. Chon, B. Jang, T. Kwon, and Y. Choi, Journal of Communications and Networks, Volume 12, Number 1, Feb. 2010.

Topics Covered:

The following is a tentative list of lecture topics for the course.

1. Overview of Computer Networking
2. Networking Protocols
   • Data Link Layer
   • Network Layer
   • Transport Layer
   • Application Layer
3. Introduction to Traffic Monitoring and Analysis
4. Traffic Monitoring Metrics and Approaches
5. PCAP
6. Monitoring and Analysis Tools
7. DPNM Research Activities in Traffic Monitoring and Analysis (WebTrafMon & NG-Mon)
8. Peer-to-Peer Application Analysis
9. Sprint Lab IPMON
10. Project Presentations