USC/CS TECHNICAL REPORT

Spectral Characteristics of Saturated Links

Xinming He, Christos Papadopoulos, John Heidemann, Alefiya Hussain
Computer Science Department, University of Southern California
941 W. 37th Place, Los Angeles, CA 90089
xhe@usc.edu, {christos,johnh,hussain}@isi.edu

Abstract— Internet protocols frequently create periodic patterns in traffic. Examples include packets paced by bottleneck links, periodic exchange of information such as routing, transport-layer effects such as TCP self-clocking, and application-level effects. Although measurement of such periodicities could shed light on Internet traffic, current understanding of periodic behavior in general traffic is quite limited. This paper explores this area by studying the spectral behavior of these kinds of traffic. Our technique is completely passive and can be applied to aggregate traces gathered at various observation points on the network. Unlike techniques measuring packet inter-arrival time, our technique does not require per-flow separation. Our experiments show that the signature of a saturated link persists in the presence of background traffic or when we observe only a portion of the traffic through the saturated link. We investigate how such signatures evolve as the traffic traverses the network and identify the major factors that affect the signatures. Developing a technique to detect saturated links is part of our future work.

Index Terms— Spectral Analysis, Network Traffic Analysis, Saturated Links

I. INTRODUCTION

There exist several processes that govern the generation and shaping of Internet traffic.
Some of these processes are periodic and operate at all communication layers: at the link layer, periodicities are imposed due to fixed link speeds; at the protocol layer, due to behavior such as windowing mechanisms and other periodic protocol operations such as routing updates; and at the application layer, due to behavior such as continuous media transmission. Such periodic processes imprint a unique periodic signature on their traffic. Periodicities are visible at several timescales, ranging from microseconds (e.g., clocking out packets on gigabit links) to days and years (e.g., diurnal cycles to seasonal traffic variations).

Studying such periodicities may provide useful information about the health of a network. For example, a highly utilized transit or peering link will impose a strong frequency proportional to the link speed and inversely proportional to the average packet size. This signal may be analyzed to distinguish a denial-of-service attack from congestion due to high normal traffic load. Typical attacks use very small packet sizes and thus an attack would impose a much higher frequency compared to normal traffic of similar intensity. Another example is detecting attacks attempting to overload a web server through repeated requests. A machine carrying out this attack will exhibit a strong frequency in requests.

Unlike traditional network analysis techniques, spectral techniques focus on the periodic behavior of a phenomenon and are arguably more informative when analyzing dynamic behavior. Spectral analysis is a mature field used in statistics for several decades to detect hidden patterns and trends in time-series. Such techniques, however, have not been widely applied to the analysis of aggregate network traffic.
Recent work presents strong evidence that applying such techniques to the analysis of network traffic is a very promising approach to study denial-of-service attacks [1], [2], DNS traffic behavior [3], traffic anomalies [4], and even protocol behavior in encrypted traffic [5]. Although this work has begun to explore the area, there has been relatively little work in applying spectral analysis to “typical” network conditions.

In this paper we use spectral analysis to study the signatures of saturated links. Our long-term goal is to develop a tool that can examine aggregate traffic to identify flows that pass through saturated links, even if the problem is several hops away and obscured by cross-traffic. Automating such a tool is future work; the immediate goal explored in this paper is to understand when a known signal is observable in the spectra of aggregate traffic when confronted by these challenges. Such an approach would be advantageous compared to current techniques such as SNMP data since it is based on passive measurement, and compared to inter-arrival studies [6] since it does not require separating traffic by flow and full spectral analysis can capture more information from the traffic arrival process.

In our approach, we first collect the time-stamped packet trace at an observation point, sample it based on an appropriate sampling rate to produce a time-series, and then use discrete Fourier transformation to retrieve prominent frequencies in the power spectrum which reflect periodic phenomena on the network traffic.

At a high level, we explore the following questions: (a) are spectral techniques capable of capturing periodic phenomena on the network? (b) How do they compare to current techniques, such as histograms of packet inter-arrival time? (c) What are the influential factors on the power spectrum and what is their impact?
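
The three steps of the approach described above (time-stamped trace, sampled time-series, discrete Fourier transform), as an added illustration that is not code from the report. The 10 Mb/s link speed, packet sizes, sampling rates, background rate and all function names are assumptions chosen for the example, and the trace is constructed; it shows the link's pacing frequency (link speed divided by packet size in bits) surviving background traffic, and rising when packets are smaller.

```python
import cmath
import random

def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return list(x)
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + tw, even[k] - tw
    return out

def synthetic_trace(link_bps, pkt_bytes, background_pps, duration, seed=1):
    """Constructed timestamps: back-to-back packets leaving a saturated link,
    mixed with uniformly random background arrivals."""
    gap = pkt_bytes * 8 / link_bps            # seconds between packets
    saturated = [k * gap for k in range(int(duration / gap) + 1)]
    rng = random.Random(seed)
    background = [rng.random() * duration
                  for _ in range(int(background_pps * duration))]
    return sorted(saturated + background)

def dominant_frequency(timestamps, fs, duration):
    """Bin arrivals at sampling rate fs, take the DFT, return the strongest
    non-DC frequency (Hz) below the Nyquist limit fs/2."""
    n = int(fs * duration)                    # power of two for fft()
    series = [0.0] * n
    for t in timestamps:
        if 0 <= t < duration:
            series[int(t * fs)] += 1          # packets per sampling bin
    mean = sum(series) / n                    # remove the DC component
    spectrum = fft([s - mean for s in series])
    power = [abs(c) ** 2 for c in spectrum[1:n // 2]]
    peak_bin = max(range(len(power)), key=power.__getitem__) + 1
    return peak_bin * fs / n

if __name__ == "__main__":
    # 10 Mb/s link: 1500-byte packets pace at ~833 Hz, 600-byte at ~2083 Hz.
    for size, fs in ((1500, 2048), (600, 8192)):
        trace = synthetic_trace(10e6, size, 1000, 1.0)
        print(size, "bytes ->", dominant_frequency(trace, fs, 1.0), "Hz")
```

The sampling rate must exceed twice the expected pacing frequency, otherwise the peak aliases to a lower frequency and the packet-size inference is wrong.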