Processing Network Traffic at Line Rate Overview


In this presentation by Jorge Crichigno at the University of South Carolina, the focus is on processing network traffic at line rate using streaming analytics. The system tracks and stores flow information, anonymizes traffic for analysis, and removes personally identifiable information at line rate. Examples include detecting compromised devices on campus and analyzing global distribution of exploited IoT devices. The work involves passive data analytics and research on malware exploiting default credentials.

  • Network Traffic
  • Streaming Analytics
  • Line Rate
  • IoT Devices
  • Malware

Uploaded on Mar 02, 2025



Presentation Transcript


  1. Processing Network Traffic at Line Rate
  Jorge Crichigno. Presentation to the Department of Information Technology at the University of South Carolina (online), October 21, 2020.

  2. Streaming Analytics
  • Streaming analytics of a campus network at line rate (100 Gbps)
  • The topology consists of a Barefoot Tofino switch that receives traffic from two taps reading the traffic to/from the Internet and Internet2
  • An analyzer and storage server are also attached to the Tofino switch to collect the data processed by the switch
  [Figure: topology. Traffic flows between the Internet / Internet2, BR and the campus network; the two taps feed the Barefoot Tofino switch, which is attached to the analyzer / storage server.]

  3. Streaming Analytics
  • The Barefoot Tofino switch processes packet headers only; the payload is discarded
  • The switch tracks and stores flow information only (for example, src/dst IPs, src/dst ports, application-layer protocol, TCP flags, number of bytes, inter-packet arrival time, flow duration, latency between a src-dst pair)
  • The system can anonymize traffic before feeding it to the streaming analytics (analyzer), if needed (for example, anonymizing the src/dst IPs or portions of them)
  • The switch can remove all Personally Identifiable Information (PII) at line rate
  [Figure: same topology as slide 2.]

  4. Streaming Analytics
  • There is no campus network doing data analytics at line rate
  • The following is an example of the type of work that can be executed
  • Detect compromised devices on campus at line rate, using passive data
  • Similar work has been conducted offline (not in real time), using traffic from the Center for Applied Internet Data Analysis (CAIDA, www.caida.org) at the University of California San Diego
  [Figures: "Global distribution of exploited IoT devices; results from UofSC research" and "Malware exploiting default credentials".]

  5. Streaming Analytics
  • Global distribution of exploited IoT devices, obtained by passively analyzing packet headers from CAIDA
  • Exploited IoT devices: these devices are contacting unused (unassigned) IP addresses; this IP block is referred to as a darknet, and no healthy device would contact it
  [Figures: "Global distribution of exploited IoT devices; results from UofSC research" and "Malware exploiting default credentials".]

  6. Streaming Analytics
  • Global distribution of exploited IoT devices, obtained by passively analyzing packet headers from CAIDA
  • Exploited IoT devices: these devices are contacting unused (unassigned) IP addresses; this IP block is referred to as a darknet, and no healthy device would contact it
  [Figures: "Top sectors hosting exploited IoT devices" and "Top ten manufacturers of exploited IoT devices".]
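The following is an added example in Python, not code from the presentation or from the UofSC project: it does in software, on a handful of constructed packet headers, what slides 3, 5 and 6 describe the switch doing at line rate. Only header fields are kept, flows are aggregated per 5-tuple with the statistics the slides list (bytes, packets, TCP flags, inter-packet arrival time, duration, SYN to SYN/ACK latency per src-dst pair), addresses are anonymized by keeping only a prefix, and a source is flagged when it sends anything into a darknet block. The addresses, the darknet block (TEST-NET-3 stands in for unused space) and the telnet-style probes on ports 23 and 2323 are all constructed for the example; the choice of keeping 16 bits of each address is likewise an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed packet headers, not captured traffic:
# (timestamp s, src, dst, sport, dport, proto, TCP flags, IP length). No payload is kept.
PACKETS = [
    (0.000, "10.1.2.3", "93.184.216.34", 51000, 443, "TCP", "S", 60),
    (0.021, "93.184.216.34", "10.1.2.3", 443, 51000, "TCP", "SA", 60),
    (0.022, "10.1.2.3", "93.184.216.34", 51000, 443, "TCP", "A", 52),
    (0.030, "10.1.2.3", "93.184.216.34", 51000, 443, "TCP", "PA", 1200),
    (0.500, "10.1.2.3", "93.184.216.34", 51000, 443, "TCP", "FA", 52),
    (1.000, "10.1.9.9", "203.0.113.17", 40001, 23, "TCP", "S", 60),   # telnet probes into
    (1.010, "10.1.9.9", "203.0.113.18", 40002, 23, "TCP", "S", 60),   # unused address space
    (1.020, "10.1.9.9", "203.0.113.19", 40003, 2323, "TCP", "S", 60),
    (2.000, "10.1.5.5", "8.8.8.8", 53123, 53, "UDP", "", 80),
]
# Assumed darknet: routed address space with no hosts (TEST-NET-3 stands in for it here).
DARKNET = ipaddress.ip_network("203.0.113.0/24")

@dataclass
class Flow:
    """Per-5-tuple state of the kind the slides list: counts, flags, timing, never payload."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    first_ts: float
    last_ts: float
    packets: int = 0
    bytes: int = 0
    flags: set = field(default_factory=set)
    gaps: list = field(default_factory=list)  # inter-packet arrival times

    @property
    def duration(self) -> float:
        return self.last_ts - self.first_ts

    @property
    def mean_ipat(self) -> float:
        return sum(self.gaps) / len(self.gaps) if self.gaps else 0.0

def build_flows(packets):
    """Aggregate headers into flows keyed by (src, dst, sport, dport, proto)."""
    flows = {}
    for ts, src, dst, sport, dport, proto, flags, length in packets:
        key = (src, dst, sport, dport, proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(src, dst, sport, dport, proto, first_ts=ts, last_ts=ts)
        else:
            f.gaps.append(ts - f.last_ts)
            f.last_ts = ts
        f.packets += 1
        f.bytes += length
        f.flags.update(flags)  # "SA" -> {"S", "A"}
    return list(flows.values())

def handshake_latency(packets):
    """SYN -> SYN/ACK delay per (client, server) pair, measured from headers alone."""
    pending, rtt = {}, {}
    for ts, src, dst, sport, dport, proto, flags, _ in packets:
        if proto == "TCP" and flags == "S":
            pending[(src, dst, sport, dport)] = ts
        elif proto == "TCP" and flags == "SA":
            t0 = pending.pop((dst, src, dport, sport), None)
            if t0 is not None:
                rtt[(dst, src)] = ts - t0
    return rtt

def anonymize_ip(ip: str, keep_bits: int = 16) -> str:
    """Irreversibly zero the host bits, keeping only the top keep_bits of the address."""
    return str(ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False).network_address)

def export_record(f: Flow, keep_bits: int = 16) -> dict:
    """Flow record as handed to the analyzer: addresses anonymized, statistics intact."""
    return {
        "src": anonymize_ip(f.src, keep_bits), "dst": anonymize_ip(f.dst, keep_bits),
        "sport": f.sport, "dport": f.dport, "proto": f.proto,
        "packets": f.packets, "bytes": f.bytes, "duration": round(f.duration, 6),
        "flags": "".join(sorted(f.flags)), "mean_ipat": round(f.mean_ipat, 6),
    }

def darknet_contacts(flows, darknet=DARKNET):
    """Sources that sent anything into the darknet, with the (dst, dport) they hit.
    Runs on un-anonymized flows: the goal is to name the compromised campus host."""
    hits = {}
    for f in flows:
        if ipaddress.ip_address(f.dst) in darknet:
            hits.setdefault(f.src, set()).add((f.dst, f.dport))
    return hits
```

Running `darknet_contacts(build_flows(PACKETS))` names `10.1.9.9` with its three darknet targets, while `export_record` on the same flows yields records whose addresses are reduced to `10.1.0.0` and `93.184.0.0`. The ordering matters: detection has to see real addresses, so PII removal is applied to what leaves the switch for the analyzer, not to the state the switch keeps.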

  7. Streaming Analytics
  • This data will enable undergraduate and graduate research work
  • Novel results regarding the types of threats faced by a large campus network
  • Processing and detection at line rate or near line rate
  • Strengthening the results of the current funded project
  • Funding opportunities

  9. Honeypot
  • Flow-based intrusion detection uses flow information to detect malicious activities; the payload is not used
  • Some legacy networks use NetFlow to collect flow statistics, for example for SSH compromise detection

  10. Honeypot
  • The main idea is to use the programmable switch as an instrument to detect malicious activities in real time or near real time
  • Customized processing (no dependency on NetFlow implementations)
  • Granular time resolution
  [Figure: topology with a honeypot attached to the Barefoot Tofino switch. Traffic flows between the Internet / Internet2, BR and the campus network.]
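A software version of the flow-based SSH compromise detection that slides 9 and 10 describe, added here as an example in Python; it is not from the presentation and not the logic of any NetFlow collector. It works on flow records alone (no payload): a burst of small, similar-sized flows from one source to port 22 is treated as the brute-force phase, and a much larger flow from the same source after that burst as the sign that a login succeeded. The records are constructed NetFlow-style tuples, and the thresholds (10 attempts, 8 to 30 packets per failed login, a session at 5 times the attempt median) are assumptions chosen to make the phases visible, not values from the slides. The attempt rate comes straight from flow timestamps, which is where the time resolution of the collector, the point slide 10 makes about the switch, decides how sharp the picture is.

```python
from collections import defaultdict

# Constructed NetFlow-style records, not real data:
# (src, dst, dport, start_s, end_s, packets, bytes)
FLOWS = [
    ("10.0.0.5", "10.0.1.10", 22, 0.0, 600.0, 420, 61000),                      # one long admin session
    *[("198.51.100.7", "10.0.1.10", 22, 100.0 + 2 * i, 101.5 + 2 * i, 14, 2100)  # 25 uniform
      for i in range(25)],                                                       # failed logins
    ("198.51.100.7", "10.0.1.10", 22, 152.0, 900.0, 380, 52000),                 # then one long session
    *[("198.51.100.8", "10.0.1.10", 22, 300.0 + 3 * i, 301.0 + 3 * i, 12, 1900)  # 12 attempts,
      for i in range(12)],                                                       # nothing after
    ("203.0.113.9", "10.0.1.10", 443, 200.0, 201.0, 10, 1500),                   # unrelated HTTPS
]

SSH_PORT = 22
MIN_ATTEMPTS = 10       # flows needed before a pair counts as brute force (assumed threshold)
ATTEMPT_PKTS = (8, 30)  # packets per failed-login flow (assumed band for this example)
SESSION_FACTOR = 5      # a flow this many times the attempt median is treated as a session


def classify_ssh(flows):
    """Per (src, dst) pair on port 22: "brute_force" or "compromise"; quiet pairs are omitted.

    Phase 1: many small, similar-sized flows (failed logins).
    Phase 2: a much larger flow from the same source after the burst (successful login)."""
    by_pair = defaultdict(list)
    for rec in flows:
        if rec[2] == SSH_PORT:
            by_pair[(rec[0], rec[1])].append(rec)
    findings = {}
    for pair, recs in by_pair.items():
        attempts = [r for r in recs if ATTEMPT_PKTS[0] <= r[5] <= ATTEMPT_PKTS[1]]
        if len(attempts) < MIN_ATTEMPTS:
            continue
        first = min(r[3] for r in attempts)
        last = max(r[4] for r in attempts)
        median_pkts = sorted(r[5] for r in attempts)[len(attempts) // 2]
        sessions = [r for r in recs if r[3] >= last and r[5] >= SESSION_FACTOR * median_pkts]
        findings[pair] = {
            "phase": "compromise" if sessions else "brute_force",
            "attempts": len(attempts),
            "rate_per_min": round(60 * len(attempts) / max(last - first, 1e-9), 2),
            "session_bytes": sum(r[6] for r in sessions),
        }
    return findings
```

`classify_ssh(FLOWS)` reports `198.51.100.7` as a compromise (25 attempts at about 30 per minute followed by a 52 kB session) and `198.51.100.8` as brute force only; the single long administrator session never enters the attempt band and is not reported. On a real network the packet band and the session factor must be calibrated against the local SSH server, since key-based logins and banner-only probes produce different flow sizes.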

  11. Honeypot + Streaming Analytics
  • Network topology
  [Figure: topology combining the honeypot and the analyzer / storage server, both attached to the Barefoot Tofino switch. Traffic flows between the Internet / Internet2, BR and the campus network.]
