SMARTxAC / Network Polygraph


Transcript of SMARTxAC / Network Polygraph

Page 1: SMARTxAC / Network Polygraph

SMARTxAC / Network Polygraph

“A Network Visibility Service born at Anella Científica”

Maria Isabel Gandía – [email protected]

Josep Sanjuas – [email protected]

Page 2: SMARTxAC / Network Polygraph

Companies depend on Networks

e-mail, databases, shared folders, VoIP, cloud...

Page 3: SMARTxAC / Network Polygraph

Networks are complex and hard to manage

Page 4: SMARTxAC / Network Polygraph

Network Downtime equals Cost

$42,000/h avg cost of downtime

$5,600/min avg cost of downtime (datacenters)

87 hours avg downtime per year

200 min MTTR per medium outage (itpi)

Page 5: SMARTxAC / Network Polygraph

Network Visibility

• To properly manage a network, you need to see what happens inside it

• First step to...

– identify congested links

– remove unwanted network traffic

– disconnect bandwidth hogs

– troubleshoot performance issues

– plan for future needs

Page 6: SMARTxAC / Network Polygraph

New User Interface

Page 7: SMARTxAC / Network Polygraph

Network Visibility Technologies

• Hardware-based («Deep Packet Inspection»)

– Brute-force approach: inspect all packets

– High visibility, but very high cost

• Software-based (NetFlow, SNMP)

– Use traffic statistics exported by routers

– Mid visibility & low cost

Page 8: SMARTxAC / Network Polygraph

Network Polygraph - Technology

• Best of both worlds: high visibility, low cost

• How? NetFlow + artificial intelligence

NetFlow on steroids: application identification, SSL domain ID, attack & anomaly detection capabilities
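As an added illustration (not part of the deck or of the Talaia product), the following Python decodes NetFlow v5 export datagrams, the router-exported statistics slide 7 refers to, into the top-talker and port-based application views the early SMARTxAC UI displayed. The port-to-category map and the sample flows are constructed assumptions, and the sampling-interval scaling shows why sampled NetFlow byte counts must be corrected before they are trusted.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 export header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
PORT_CLASSES = {80: "WWW", 443: "WWW", 53: "DNS", 25: "MAIL", 110: "MAIL", 143: "MAIL",
                21: "FTP", 23: "TELNET", 6881: "P2P"}  # assumed port map, in the spirit of the 2003 UI
def classify(proto, sport, dport):
    """Map a flow to an application class by well-known port; non-TCP/UDP kept apart."""
    if proto not in (6, 17):
        return "NO_TCPUDP"
    return PORT_CLASSES.get(dport) or PORT_CLASSES.get(sport) or "OTHERS"
def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into flow dicts, scaling byte counts for 1:N sampling."""
    version, count, *_, sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    scale = (sampling & 0x3FFF) or 1  # low 14 bits = sampling interval; sampled exports undercount
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "bytes": f[6] * scale, "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows
def top_talkers(flows, n=3):
    """Source hosts ranked by bytes sent: the 'who is hogging the link' view."""
    per_src = Counter()
    for f in flows:
        per_src[f["src"]] += f["bytes"]
    return per_src.most_common(n)
def app_breakdown(flows):
    """Percentage of bytes per application class, rounded to two decimals."""
    per_app, total = Counter(), sum(f["bytes"] for f in flows)
    for f in flows:
        per_app[classify(f["proto"], f["sport"], f["dport"])] += f["bytes"]
    return {app: round(100 * b / total, 2) for app, b in per_app.items()}
def build_datagram(records, sampling_interval=0):
    """Pack constructed (src, dst, bytes, sport, dport, proto) tuples as a v5 datagram."""
    hdr = HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, sampling_interval)
    body = b"".join(RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2, 1, by, 0, 0,
                                sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0) for s, d, by, sp, dp, pr in records)
    return hdr + body

# Constructed sample: one host doing large HTTPS downloads plus P2P, a DNS lookup and some browsing.
SAMPLE_DATAGRAM = build_datagram([("10.0.0.5", "198.51.100.7", 900_000, 51000, 443, 6),
                                  ("10.0.0.8", "198.51.100.9", 4_000, 40000, 53, 17),
                                  ("10.0.0.5", "203.0.113.2", 60_000, 6881, 6881, 6),
                                  ("10.0.0.12", "198.51.100.7", 36_000, 52000, 80, 6)])
```

Real exporters often enable 1:N sampling on 10 Gbps links; without the scale factor, `top_talkers` and `app_breakdown` would report the right ranking but the wrong absolute volumes.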

Page 9: SMARTxAC / Network Polygraph

History: SMARTxAC to Polygraph

Commercial

Internet

Page 10: SMARTxAC / Network Polygraph

1999-2003: Inception

Previous monitoring and analysis projects:

• CASTBA

• MEHARI

• MIRA

With the collaboration of several universities:

• UPM (Universidad Politécnica de Madrid)

• UC3M (Universidad Carlos III de Madrid)

• UPC (Universitat Politècnica de Catalunya)

And the participation of:

• RedIRIS

• CESCA

• Telefónica Investigación y Desarrollo

• Institut Català de Tecnologia

Focus: monitoring ATM networks

Approach: deep packet inspection with sampling

Page 11: SMARTxAC / Network Polygraph

2003: The Birth of SMARTxAC

Collaboration: CESCA + CCABA/UPC

Objective: monitoring the Anella Científica-RedIRIS connection

Roles

• CESCA: requirements, testbed

• CCABA/UPC: research, development

Objectives:

• Low-cost platform

• Continuously monitor Anella Científica

• Detect anomalies and irregular usage

• Multi-tenant: accessible by many institutions

– each institution can see their own traffic only

Page 12: SMARTxAC / Network Polygraph

2003: Architecture

Capture: Endace DAG card, optical splitter

Analysis

Page 13: SMARTxAC / Network Polygraph

2003: User Interface

[Figure: traffic breakdown pie charts, classified by port number and by machine learning. Categories shown: A_UKNWN, DNS, FTP, GAMES, IRC, MAIL, MULTIMEDIA, NETFS, NETWORK, NEWS, NO_TCPUDP, OTHERS, P2P, T_UKNWN, TELNET, UNIX, WWW]

Page 14: SMARTxAC / Network Polygraph

2003-2011: Network Scales Up

More network interfaces monitored at Anella Científica:

• RedIRIS

• Commercial internet connection

• CATNIX

Internal traffic not monitored

Increasing bandwidth usage

Realization: DPI is not cost effective!

Last straw: switching to 10Gbps links

Distributed core with two main nodes (Campus Nord & Telvent)

Solution: NetFlow

Page 15: SMARTxAC / Network Polygraph

2011: Upgrade to 10Gbps - NetFlow

Flow-based analysis

2x10Gbps NetFlow

Page 16: SMARTxAC / Network Polygraph

User Interface Redesign

Page 17: SMARTxAC / Network Polygraph

2013: Commercial Stage & Spin-off

• Research group gathers commercial interest

• Received public funding for tech transfer

– SMARTxAC to generalized product

• From a research product to a commercial one

– Talaia Networks, S.L.: a spin-off of UPC

– Network Polygraph: «spin-off of SMARTxAC»

Page 18: SMARTxAC / Network Polygraph

Network Polygraph

Page 19: SMARTxAC / Network Polygraph

Deployment Models: Cloud

Customer Network

Cloud

Page 20: SMARTxAC / Network Polygraph

Deployment Models: On-Premises

Customer’s Datacenter

Page 21: SMARTxAC / Network Polygraph

Multi-Tenancy Module

Customer A

Customer B

Customer C

Page 22: SMARTxAC / Network Polygraph

Subscription Models

Service (SaaS)

• Monthly or yearly billing

• Includes support

• Externally managed

• Regularly updated

Perpetual License

• Payable upfront

• Support & maintenance fee

• Not accessible by our personnel

Page 23: SMARTxAC / Network Polygraph

The SaaS Advantage

• No upfront costs for end customer

– Lower barrier of entry (esp. small-mid customers)

– No need to “commit” to our solution

– Simply configure routers to send NetFlow to us

• Managed solution

– Zero maintenance, zero hardware, zero software

– Always upgraded to latest version

Page 24: SMARTxAC / Network Polygraph

Main Large-scale Deployments

• CSUC (Anella Científica network)

– Connects ≈90 public institutions in Catalonia

– Offered as value-added service to >80 admins

• Red.es (RedIRIS network)

– Handles all Spanish academic network traffic

– Connects ≈450 public institutions in Spain

– Won as customer in competitive tender

Page 25: SMARTxAC / Network Polygraph

Use Cases

• Small-medium companies

– Bandwidth is a precious resource, Polygraph helps optimize its usage

• “Why is the network so slow? Should we invest in more bandwidth?”

• Found 1 user constantly downloading files from Mega

• Link was shared with other offices, affecting whole company

Page 26: SMARTxAC / Network Polygraph

Use Cases (2)

• Large companies

– Moving a single “hardware DPI probe” around

• Deploying full DPI was too expensive

• With Polygraph they could cover all branches!

– Realized most attacks come from China

• ISP can block certain IP subnets

• Attacks do not consume customer bandwidth

– Detected covert bitcoin mining operations

• Users were pumping the electricity bill for their personal gain

Page 27: SMARTxAC / Network Polygraph

Use Cases (3)

• ISP & Managed Network Service Providers

– Important customer with an office in North Africa:

• Bandwidth: precious resource

• Wanted to check it is spent wisely – no unwanted traffic

– Receiving large # of copyright violation notices!?

• Traffic analysis reveals P2P traffic

• Particularly, upstream traffic: serving illegal content!

– Use our product to detect network attacks

• Offer product as value-added service to corporate customers

• Sell anti-virus solutions to their own customers

Page 28: SMARTxAC / Network Polygraph

Deployment at CATNIX: Proposal

Member A

Member B

Member C

Page 29: SMARTxAC / Network Polygraph

Website + On-Line Demo

https://polygraph.io

Page 30: SMARTxAC / Network Polygraph

Network Polygraph

Talaia Networks, S.L.

K2M – Parc UPC Campus Nord

Jordi Girona, 1-3

Barcelona (08034)

Spain

Telephone: +34 93 405 45 87

[email protected]

https://polygraph.io

Page 31: SMARTxAC / Network Polygraph

traffic volume, breakdown by application

Page 32: SMARTxAC / Network Polygraph

protocol breakdown

Page 33: SMARTxAC / Network Polygraph

top talkers (addresses, ports, autonomous systems)

Page 34: SMARTxAC / Network Polygraph

traffic geolocation

Page 35: SMARTxAC / Network Polygraph

anomaly and attack detection with automatic baselining

Page 36: SMARTxAC / Network Polygraph

indexed traffic database for forensic analysis

Page 37: SMARTxAC / Network Polygraph

automated downloadable reports