Rippler: Delay injection for service dependency detection

Detecting dependencies among network services has been well studied in previous research. These attempts at service dependency detection fall into two classes: active and passive approaches. While passive approaches suffer from high false positives, active approaches suffer from applicability problems. In this paper, we design a new application-independent active approach for detecting dependencies among services. We present a traffic watermarking approach with arbitrarily low false positives and easy applicability. We provide statistical tests for detecting watermarked flows, and we compute the false positive and false negative rates of these tests both analytically and experimentally. Furthermore, we implemented the proposed watermarking system (Rippler) in a small university lab network. We ran our system for four months and detected 38 dependencies among 54 services. Finally, we compared the efficiency of our approach against three previous systems by testing them on this real-world network data.
