Tutorial 1: Traffic Modeling 101.  Methods and Results for Single Links and Whole Networks
Tutorial 2: Unwanted Traffic: Attacks, Detection and Potential Solutions
Tutorial 3: Architectural Considerations for Unusual and Challenged Networks

Traffic Modelling 101: Methods and Results for Single Links and Whole Networks

Mark Crovella, Boston University

Monday, August 30, 9:00-12:30


This tutorial will provide an introduction to traffic models and traffic modeling for network researchers and engineers.  The tutorial will present an overview of practical methods for analyzing network traffic, and will in tandem survey important results in the area of traffic modeling.

The traffic we are concerned with is expressed in terms of bytes, packets, or flows.  We will look at flows at the IP level (as defined by the 5-tuple) and at the level of network ingress-egress (origin-destination flows) such as are used in traffic matrix estimation.  Along the way we'll consider methods and results that apply to traffic measured on a single link, as well as methods and results that apply to traffic measured simultaneously on all links of a network.

Traffic models can be used for describing normal traffic behavior, or for identifying when traffic is behaving unusually.  Throughout the tutorial we will consider the use of traffic models both for characterizing typical traffic as well as for anomaly detection.


  1. Introduction
    1. What are the uses for traffic modeling?
    2. What are the different varieties of traffic models?
  2. Traffic Modeling for Performance Analysis
    1. Methods
      1. Measuring and analyzing marginals and autocorrelation
      2. Examining heavy tails and self-similarity
    2. Results - Properties of Observed Traffic on short timescales
      1. Reference models: poisson, fractional gaussian noise, alpha/beta
      2. Relationship to multiplexing levels and bottlenecks
      3. Properties of bytes, packets, and flows
  3. Traffic Modeling for Network Engineering - Single Link
    1. Methods
      1. Separating trends and noise
      2. Frequency domain analysis and wavelet transforms
    1. Results
      1. Reference models for nonstationary traffic
      2. Forecasting and anomaly detection
  4. Traffic Modeling for Network Engineering - Multiple Links
    1. Methods
      1. Separating trends and noise
      2. Spatial domain analysis and subspace methods
      3. Tracking trends in time
    1. Results
      1. Intrinsic dimensionality of bytes, packets, and flows
      2. Anomaly detection


Researchers and engineers who want to understand what is known about network traffic and how results have been obtained.  Attendees will learn analysis methods useful for network researchers and engineers, as well as essential background for development of anomaly detection methods. Familiarity with basic probability is assumed; linear algebra is helpful but not required.


Mark Crovella is Associate Professor of Computer Science at Boston University.  He has been working in Internet measurement for 10 years, in areas including bandwidth and topology measurement, heavy tails and self-similarity, the World Wide Web, and network traffic.  He is an editor for IEEE/ACM Transactions on Networ-king and IEEE Transactions on Computers, and was the Program Chair for the 2003 ACM SIGCOMM Internet Measurement Conference. His paper "Self-Similarity in World Wide Web Traffic: Evidence and Possible Causes" is listed by Cite seer as one of the 100 most cited papers in Computer Science, and his paper "Critical Path Analysis of TCP Transactions" was nominated for the 2002 William Bennett Prize.

Unwanted traffic: Attacks, detection, and potential solutions

Dina Katabi, MIT
Balachander Krishnamurthy, AT&T Research

Monday, August 30, 1:30-5:00


Unwanted packets are any undesirable data or control traffic that the network delivers to a system. They may deplete the link bandwidth of a victim in a denial of service attack, mount a SYN flood attack, waste user's time on spam email messages, etc. Unwanted packets have been at the heart of most of the problems on the Internet in the last few years.  What began as small scale attacks on individual network nodes has spread to every layer of the protocol stack through many popular applications.  Many compromised machines are used to launch a wide range of distributed attacks. Spam has clogged networks and tied up the productivity of many uses while lowering the overall value of email communication. Wastage of resources, both human and computational, is on the increase due to these attacks. Attacks on the DNS infrastructure, on BGP, and popular Web sites have brought into question the stability of the Internet architecture.

In this half-day tutorial, we present a taxonomy of the attacks as well as a variety of existing and proposed mechanisms to deter them.  As targets of attacks we examine routers, links, the protocol infrastructure, and popular applications. We explore the different forms of attacks: probes, denial of service, worms, spam etc.  For each of the attacks, we examine a range of solutions. While there have been legal and social solutions offered, we concentrate on the technical portion of the solution space ranging from prevention, establishing identity, intrusion and anomaly detection, deflection, filtering, and traceback.  The tutorial covers the lower and higher layers of the Internet protocol stack. Examples at all layers will be used to indicate similarities both in the attacks and the proposed solutions.

  1. Tutorial overview
    1. Scope of the tutorial, takeaways, definitions
    2. Types of unwanted traffic
    3. Targets of unwanted traffic
    4. Forms of unwanted traffic
  2. Attacks - part I
    1. TCP misbehavior
    2. Routers Attacks
    3. Dential of Service Attacks
  3. Attacks - part II
    1. Peer-to-Peer
    2. Viruses & worms
    3. Spam
    4. Combination attacks
  4. Detection methods
    1. Intrusion detection
    2. Anomaly detection
    3. Audits & traceback
  5. Overview of countermeasures
    1. Classes of solutions
      1. Legal/social
      2. Technical
    2. Impact of solutions
  6. Countermeasures -- part I
    1. Firewalls
    2. Pushback
    3. Overlays
    4. Establishing Identity
  7. Countermeasures -- part II
    1. Spam fighting solutions
    2. Novel solutions in specific applications
      1. Economic disincentives for spam
      2. Attacking free rider problem (eMule)
    3. Impact on privacy
    4. Future


Students involved in research in related areas, practitioners who want a state of the art survey of proposed solutions along with their evaluation, and industry folks who are dealing with the problem of unwanted packets daily. No background is expected except some basics of networking.


Dina Katabi is an Assistant Professor in the Department of Electrical Engineering and Computer Science and a member of the Computer Science and Artificial Intelligence Laboratory (CSAIL) at MIT. She received her PhD and MS from MIT in 2003 and 1999, and her Bachelor of Science from Damascus University in 1995.  Her doctoral dissertation won a Sprowls award and an ACM Honorable Mention award. She is a co-chair of the SIGCOMM workshop on Practice and Theory of Incentives in Networked Systems (PINS).

Balachander Krishnamurthy has published nearly sixty papers in various conferences, has more than a dozen patents, and has given invited lectures in over thirty countries. He has given tutorials at SIGCOMM, WWW, and several other venues. He has co-written and edited a book on UNIX, and was series editor of the “Trends in Software” series of books. He co-authored “Web Protocols and Practice: HTTP/1.1, Networking Protocols, Caching, and Traffic Measurement” (Addison-Wesley, transla-ted into Portuguese, Japanese, and Russian). He is on the editorial board of ACM TOIT and SIGCOMM CCR, and on the Steering Commit-tee of the Internet Measurement Conference that he helped start.

Architectural Considerations for Unusual and Challenged Internetworks

Dr. Kevin Fall, Intel Research Berkeley.
Robert Durst, The MITRE Corporation.

Friday, September 3, 9:00-5:00


The current Internet architecture has scaled beyond the wildest dreams of its designers. However, it has a number of significant problems when employed to fulfill service requirements or when applied to some classes of networks for which it was not originally designed.  In this tutorial we will investigate the unique performance characteris-tics of some specialized networks that present significant challenges for supporting the Internet architecture.  We shall approach this investiga-tion with a focus on the architectural consequen-ces of these characteristics.  We will conclude with a review of the Delay Tolerant Networking Architecture and its architectural approach to handle these types of networks.


  1. Introduction
    1. Reviewing the Internet Architecture
  2. The Internet Model in Challenged Environments
    1. TCP with large RTTs or high loss
    2. DNS and application time-outs and related problems
    3. Performance enhancing proxies
    4. Protocol modifications
    5. Issues with naming and interoperability
  3. Some Interesting Challenged Environments
    1. Sensor Networks
    2. ZebraNet
    3. Deep Space Network
    4. Military Style Ad-hoc networks
    5. Acoustic underwater networks
    6. Sneakernet-type approaches (DakNet, Wizzy Courier)
  4. Elements of Delay and Disruption Tolerance
    1. Naming and interoperability
    2. Store and forward operation
    3. Reliability
    4. Routing
    5. Security
    6. Application interface
  5. Bundling Protocol and API Overview
  6. Status and Futures
    1. Other efforts in related areas and status
    2. Unsolved problems/research areas
    3. Potential applications


Researchers, network architects, and protocol implementers from government, academia or industry interested in the performance characteristics of unusual networks (sensor networks, epidemically-routed networks, space networks, battlefield ad-hoc networks, etc.) and how to interconnect them. 


Kevin Fall, PhD 1994 from UC San Diego, is a Research Scientist at Intel Research in Berkeley, CA.  He is presently chair of the IRTF Delay Tolerant Networking Research Group (DTNRG).  In collabora-tion with researchers at UC Berkeley, he is involved in a new project aimed at developing information and communication technologies for developing regions of the world.  Prior to his arrival at Intel, he was a co-founder of NetBoost Corporation, and an adjunct professor at UC Berkeley.

Robert C. Durst is a Senior Principal Network Engineer at The MITRE Corporation in McLean, VA.  He is a member of the IRTF Delay Tolerant Networking Research Group, and is director of the Space Internetworking Services area of the Consultative Committee for Space Data Systems, a standards organization addressing spacecraft communication and information systems.  Mr. Durst is involved with mobile ad hoc networking for military tactical communication systems, and was the lead designer for the Space Communication Protocol Standards (SCPS) enhancements to TCP and for the SCPS Network Protocol.  He holds a BSEE from the University of Missouri.

Last Modified: May 14, 2004