networked-systems-iith / SecFRR

Repository for research conducted at NETX, a networks research group in the Department of Computer Science and Engineering at IIT Hyderabad, India led by Dr. Praveen Tammana.
https://www.netxiith.in/

Use case system 2 - RoutScout #10

Open divyapathak24 opened 1 year ago

divyapathak24 commented 1 year ago
  1. Design:
     Component 1: Config file
       • Features: Delay monitor (RTT) and Loss monitor (flow size and flow duration)
       • Registers: registers/metadata that provide a hash range of x% of the monitored flows

Component 2: Control Plane collecting features after regular intervals

Component 3: ML model

-Delay monitor:

  1. Isolation Forest
  2. Training data: Normal instances (instances with normal RTT/delays)
  3. Testing data: Normal + attack instances
  4. Question: Issue with the function of features

-Loss monitor:

  1. Isolation Forest

  2. Training data: Normal instances (normal, congestion/packet loss, link failure)

  3. Testing data: Normal + attack instances

  4. Question: Issue with the function of features

  5. RoutScout experiments: work done so far and to-do items:

-Delay monitor:

Component 1: Implementation of collection logic for RTT. The delay monitor itself keeps track of RTT.
Component 2: To do: features collected for normal (no congestion/pkt loss), normal link failure and attack experiments.
Component 3: To do: plots 2 & 3.

divyapathak24 commented 1 year ago

Dataset for delay monitor:

Steps to generate normal pcap:

  1. Extract 237.42.. prefix from all CAIDA 2018 dirA pcaps
  2. Extract only the 3-way handshake SYN-ACK packets
  3. Use this new pcap to measure the avg RTT across the whole pcap (attached plot: caida_dirA_130000_top1_cdf) as well as the avg RTT per second (see the table)

| Pcap (2018 dir A) | Top-1 prefix (/16) with highest SYN-ACKs: total SYNs | Total ACKs following SYNs / total TCP flows | % of SYNs followed by ACKs (monitored by the delay monitor) | Avg of the avg delay collected from the aggregator every 1 sec |
|---|---|---|---|---|
| 130000 | 13770 | 13463 | 97.77% | 222 msec |
| 130100 | 13480 | 13274 | 98.47% | 226 msec |
| 130200 | 13539 | 13254 | 97.89% | 229 msec |
| 130300 | 13366 | 13241 | 99.06% | 227 msec |
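The columns of the table above (SYNs seen, SYNs followed by an ACK, the percentage, and the average delay per second that the aggregator would read) can be reproduced from handshake packets alone. The script below is an added example, not SecFRR code, and makes one assumption the comment does not spell out: the monitor sees both directions of a flow and takes one RTT sample per SYN as the time from the client's SYN to the first ACK from the same client on the same 4-tuple (one SYN, SYN-ACK, ACK round trip as observed at the monitor). The packet records are constructed inline in place of a pcap reader; `PACKETS`, `handshake_rtts`, `per_second_avg_rtt_ms` and `summarize` are names chosen for this example.

```python
"""Delay-monitor RTT estimate from TCP handshake packets (added example, not SecFRR code).

Assumption: RTT = time from a client's SYN to the first ACK from that client on the
same 4-tuple, i.e. one full handshake round trip as seen at the monitor.
"""
from collections import defaultdict

SYN = 0x02
ACK = 0x10

# Constructed records standing in for pcap input: (timestamp_us, src, sport, dst, dport, tcp_flags).
PACKETS = [
    # flow A: handshake completes 220 ms after the SYN; the later data ACK must not
    # be counted as a second sample
    (0,         "10.0.0.1",   40001, "237.42.1.1", 80,    SYN),
    (110_000,   "237.42.1.1", 80,    "10.0.0.1",   40001, SYN | ACK),
    (220_000,   "10.0.0.1",   40001, "237.42.1.1", 80,    ACK),
    (230_000,   "10.0.0.1",   40001, "237.42.1.1", 80,    ACK),
    # flow B: 250 ms, still inside second 0
    (300_000,   "10.0.0.2",   40002, "237.42.1.2", 443,   SYN),
    (425_000,   "237.42.1.2", 443,   "10.0.0.2",   40002, SYN | ACK),
    (550_000,   "10.0.0.2",   40002, "237.42.1.2", 443,   ACK),
    # flow C: SYN never answered, so it lowers "% of SYNs followed by ACKs"
    (800_000,   "10.0.0.3",   40003, "237.42.1.3", 80,    SYN),
    # flow D: 300 ms, completes in second 1
    (1_100_000, "10.0.0.4",   40004, "237.42.1.4", 80,    SYN),
    (1_250_000, "237.42.1.4", 80,    "10.0.0.4",   40004, SYN | ACK),
    (1_400_000, "10.0.0.4",   40004, "237.42.1.4", 80,    ACK),
]


def handshake_rtts(packets):
    """Match each client SYN with the first later ACK from the same client on the
    same 4-tuple. Returns (number_of_syns, [(ack_timestamp_us, rtt_ms), ...])."""
    pending = {}      # 4-tuple -> SYN timestamp, kept until its handshake ACK arrives
    syn_count = 0
    samples = []
    for ts, src, sport, dst, dport, flags in sorted(packets):
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:                       # client SYN
            pending[key] = ts
            syn_count += 1
        elif flags & ACK and not flags & SYN and key in pending:  # handshake ACK
            samples.append((ts, (ts - pending.pop(key)) / 1000))
    return syn_count, samples


def per_second_avg_rtt_ms(samples):
    """Average RTT per wall-clock second, keyed by the second in which the ACK
    arrived, matching an aggregator that reads the monitor every 1 sec."""
    buckets = defaultdict(list)
    for ts, rtt_ms in samples:
        buckets[ts // 1_000_000].append(rtt_ms)
    return {sec: sum(v) / len(v) for sec, v in sorted(buckets.items())}


def summarize(packets):
    """The table's columns for one pcap: SYNs, ACKed SYNs, percentage, whole-pcap
    average RTT, and the average of the per-second averages."""
    syns, samples = handshake_rtts(packets)
    per_sec = per_second_avg_rtt_ms(samples)
    rtts = [r for _, r in samples]
    return {
        "total_syns": syns,
        "acked_syns": len(samples),
        "acked_pct": round(100 * len(samples) / syns, 2) if syns else 0.0,
        "avg_rtt_ms": round(sum(rtts) / len(rtts), 3) if rtts else 0.0,
        "per_sec_avg_ms": per_sec,
        "avg_of_per_sec_ms": sum(per_sec.values()) / len(per_sec) if per_sec else 0.0,
    }


if __name__ == "__main__":
    for name, value in summarize(PACKETS).items():
        print(f"{name}: {value}")
```

Keying the per-second buckets by the ACK timestamp matters for the attack described later in this issue: a SYN sent at second t whose ACK is only sent at second t+5 lands as a 5000 ms sample in bucket t+5, not in bucket t.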
divyapathak24 commented 1 year ago

Attack generation steps for RoutScout:

  1. Delay monitor:
    • We have an average delay noted per second from an original legitimate pcap as 250 msec; we denote this as present_avg.
    • We get the total number of SYN-ACKs in the original legitimate pcap and denote it as present_packets.
    • To make the attack succeed, we calculate the number of attack SYN-ACK packets (attack_packets_req) required by fixing delay = 5000 ms and get the new average as follows: `New Avg = (present_avg * present_packets + attack_packets_req * 5000 ms) / (present_packets + attack_packets_req)`
    • So, if the number of required SYN+ACK packets is 120, packets per sec = 120/60 = 2 packets per sec. We send SYN packets for the first 5 secs, then start sending the corresponding ACKs along with new SYNs for the next 5 secs, and so on with 2 packets per sec.

Note: here, the variables are the delay and the number of packets per sec.
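The sizing in the comment above can be carried through as code. This is an added example, not SecFRR code: the averaging formula is the one stated in the comment, but the success criterion (`target_avg_ms`, the per-second average the monitor must be pushed past) is an assumed parameter, since the comment fixes only the per-packet delay of 5000 ms and the 60 s window. It also assumes that "packets per sec" counts SYN/ACK pairs (each pair is one delay sample), and it schedules the ACK for each SYN exactly 5 s later, which is what makes every attack pair register as a 5000 ms RTT. `attack_packets_required`, `attack_schedule` and `completed_pairs` are names chosen for this example.

```python
"""Sizing and scheduling the delay-monitor attack (added example, not SecFRR code).

Assumed: target_avg_ms is the per-second average the attacker wants the monitor to
report; the comment fixes only the 5000 ms per-packet delay and the 60 s window.
"""
import math

ATTACK_DELAY_MS = 5000   # RTT each attack SYN/ACK pair will show the delay monitor


def new_average_ms(present_avg, present_packets, attack_packets, attack_delay=ATTACK_DELAY_MS):
    """New Avg = (present_avg*present_packets + attack_packets*delay) / (present_packets + attack_packets)."""
    return (present_avg * present_packets + attack_packets * attack_delay) / (present_packets + attack_packets)


def attack_packets_required(present_avg, present_packets, target_avg, attack_delay=ATTACK_DELAY_MS):
    """Smallest attack_packets_req with new_average_ms(...) >= target_avg.

    Rearranging the formula for k = attack_packets:
        present_avg*P + k*delay >= target*(P + k)
        k*(delay - target)      >= P*(target - present_avg)
        k >= P*(target - present_avg) / (delay - target)
    """
    if target_avg <= present_avg:
        return 0
    if target_avg >= attack_delay:
        # the mixed average can only approach the per-packet delay, never reach it
        raise ValueError("target average must be below the per-packet attack delay")
    k = present_packets * (target_avg - present_avg) / (attack_delay - target_avg)
    return math.ceil(k)


def attack_schedule(attack_packets, duration_sec=60, syn_lead_sec=5):
    """Per-second send plan for attack_packets SYN/ACK pairs.

    rate = ceil(attack_packets / duration_sec) SYNs are sent every second of the
    window; from second syn_lead_sec onward each second also carries the ACKs for
    the SYNs sent syn_lead_sec seconds earlier, so each completed pair shows the
    monitor an RTT of syn_lead_sec*1000 ms (5000 ms with the defaults). The plan
    runs syn_lead_sec seconds past the window so the last SYNs get their ACKs too.
    """
    rate = math.ceil(attack_packets / duration_sec)
    plan = []
    for sec in range(duration_sec + syn_lead_sec):
        syns = rate if sec < duration_sec else 0
        acks = rate if sec >= syn_lead_sec else 0   # ACKs for SYNs sent at sec - syn_lead_sec
        plan.append({"sec": sec, "syn": syns, "ack": acks})
    return plan


def completed_pairs(plan):
    """Number of SYN/ACK pairs, i.e. 5000 ms delay samples, the monitor will see."""
    return sum(step["ack"] for step in plan)


if __name__ == "__main__":
    # constructed numbers: 250 ms baseline over 100 legitimate pairs, push the average past 500 ms
    k = attack_packets_required(250, 100, 500)
    print(f"attack pairs required: {k}, new average: {new_average_ms(250, 100, k):.1f} ms")
    plan = attack_schedule(120)
    print(f"rate {plan[0]['syn']} pairs/sec, {completed_pairs(plan)} pairs complete over {len(plan)} s")
```

The baseline counts in the table (around 13.4k SYN-ACKs per pcap minute at 222 to 229 ms) are much larger than the constructed 100 pairs used in the `__main__` block, so with real inputs the required attack_packets_req, and hence the per-second rate, scales up by the same factor.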