SMARTxAC és una eina desenvolupada pel CCABA (UPC), en col·laboració amb el CSUC (abans CESCA), que permet el monitoratge i l'anàlisi del tràfic de la xarxa, donant diferents vistes als usuaris perquè vegin exclusivament el seu. Des de l'any 2003 ha evolucionat i ha servit, d'una banda, com a catalitzador per a la recerca dins la universitat i, de l'altra, com a potent eina per a la detecció d'anomalies i patrons de tràfic anormals per als seus gestors i usuaris. L'evolució d'SMARTxAC és Network Polygraph. En aquesta presentació s'explica quina ha estat la utilització de la plataforma al CSUC, en el context de l'Anella Científica, la seva evolució, la seva nova imatge i funcionalitats.

1. SMARTxAC / Network Polygraph
“A Network Visibility Service
born at Anella Científica”
Maria Isabel Gandía – mariaisabel.gandia@csuc.cat
Josep Sanjuas – jsanjuas@polygraph.io

2. Companies depend on Networks
e-mail, databases, shared folders, VoIP, cloud...

3. Networks are complex and hard to manage

4. Network Downtime equals Cost
$42,000/h
avg cost of downtime
$5,600/min
avg cost of downtime
(datacenters)
87 hours
avg downtime per year
200 min
MTTR per medium
outage itpi

5. Network Visibility
• To properly manage a network, you need to
see what happens inside it
• First step to...
– identify congested links
– remove unwanted network traffic
– disconnect bandwidth hogs
– troubleshoot performance issues
– plan for future needs

6. New User Interface

7. Network Visibility Technologies
• Hardware-based («Deep Packet
Inspection»)
– Brute-force approach: inspect all packets
– High visibility, but very high cost
• Software-based (NetFlow, SNMP)
– Use traffic statistics exported by routers
– Mid visibility & low cost

8. Network Polygraph - Technology
• Best of both worlds: high visibility, low cost
• How? NetFlow + artificial intelligence
NetFlow on steroids: application identification, SSL
domain ID, attack & anomaly detection capabilities

9. History: SMARTxAC to Polygraph
Commercial
Internet

10. 1999-2003: Inception
 Previous monitoring and analysis projects:
• CASTBA
• MEHARI
• MIRA
 With the colaboración among several universities
• UPM (Universidad Politécnica de Madrid)
• UC3M (Universidad Carlos III de Madrid)
• UPC (Universitat Politècnica de Catalunya)
 And the participation of:
• RedIRIS
• CESCA
• Telefónica Investigación y Desarrollo
• Institut Català de Tecnologia
 Focus: monitoring ATM networks
 Approach: deep packet inspection with sampling

11. 2003: The Birth of SMARTxAC
Collaboration: CESCA + CCABA/UPC
Objective: monitoring Anella Cientifica-RedIRIS connection
Roles
• CESCA: requirements, testbed
• CCABA/UPC: research, development
Objectives:
• Low-cost platform
• Continuously monitor Anella Científica
• Detect anomalies and irregular usage
• Multi-tenant: accessible by many institutions
– each institution can see their own traffic only

12. 2003: Architecture
Optical Spitter
Capture
Endace
DAG card
Analysis

13. 2003: User Interface
Port Number Machine learning
47.39%
0.10%
0.43%
10.34%
19.65%
7.97%
2.48%
0.08%
0.55%
1.84%
2.26%
0.10%
0.53%
6.04%
0.23%
40.07%
2.97%
2.43%
18.47%
8.17% 0.30%
1.52%
0.48%
9.67%
1.22%
0.51%
0.30%
8.48%
5.42%
A_UKNWN
DNS
FTP
GAMES
IRC
MAIL
MULTIMEDIA
NETFS
NETWORK
NEWS
NO_TCPUDP
OTHERS
P2P
T_UKNWN
TELNET
UNIX
WWW

14. 2003-2011: Network Scales Up
More network interfaces monitored at Anella Científica:
• RedIRIS
• Commercial internet connection
• CATNIX
 Internal traffic not monitored
Increasing bandwidth usage
Realization: DPI is not cost effective!
Last straw: switching to 10Gbps links
 Distributed core with to main nodes (Campus Nord &
Telvent)
Solution: NetFlow

15. 2011: Upgrade to 10Gbps - NetFlow
2x10Gbps
NetFlow
Flow-based analysis

16. User Interface Redesign

17. 2013: Commercial Stage & Spin-off
• Research group gathers commercial interest
• Received public funding for tech transfer
– SMARTxAC to generalized product
• From a research product to a commercial one
– Talaia Networks, S.L.: a spin-off of UPC
– Network Polygraph: «spin-off of SMARTxAC»

18. Network Polygraph

19. Deployment Models: Cloud
Customer Network
Cloud

20. Deployment Models: On-Premises
Customer’s
Datacenter

21. Multi-Tenancy Module
Customer A
Customer B
Customer C

22. Subscription Models
Service (SaaS)
• Monthly or yearly billing
• Includes support
• Externally managed
• Regularly updated
Perpetual License
• Payable upfront
• Support & maintenance
fee
• Not accessible by our
personnel

23. The SaaS Advantage
• No upfront costs for end customer
– Lower barrier of entry (esp. small-mid customers)
– No need to “commit” to our solution
– Simply configure routers to send NetFlow to us
• Managed solution
– Zero maintenance, zero hardware, zero software
– Always upgraded to latest version

24. Main Large-scale Deployments
• CSUC (Anella Científica network)
– Connects ≈90 public institutions in Catalonia
– Offered as value-added service to >80 admins
• Red.es (RedIRIS network)
– Handles all Spanish academic network traffic
– Connects ≈450 public institutions in Spain
– Won as customer in competitive tender

25. Use Cases
• Small-medium companies
– Bandwidth is a precious resource, Polygraph helps
optimize its usage
• “Why is the network so slow? Should we invest in more
bandwidth?”
• Found 1 user constantly downloading files from Mega
• Link was shared with other offices, affecting whole
company

26. Use Cases (2)
• Large companies
– Moving a single “hardware DPI probe” around
• Deploying full DPI was too expensive
• With Polygraph they could cover all branches!
– Realized most attacks come from China
• ISP can block certain IP subnets
• Attacks do not consume customer bandwidth
– Detected covert bitcoin mining operations
• Users were pumping the electricity bill for their
personal gain

27. Use Cases (3)
• ISP & Managed Network Service Providers
– Important customer with an office in North Africa:
• Bandwidth: precious resource
• Wanted to check it is spent wisely – no unwanted traffic
– Receiving large # of copyright violation notices!?
• Traffic analysis reveals P2P traffic
• Particularly, upstream traffic: serving illegal content!
– Use our product to detect network attacks
• Offer product as value-added service to corporate
customers
• Sell anti-virus solutions to their own customers

28. Deployment at CATNIX: Proposal
Member A
Member B
Member C

29. Website + On-Line Demo
https://polygraph.io

30. Network Polygraph
Talaia Networks, S.L.
K2M – Parc UPC Campus Nord
Jordi Girona, 1-3
Barcelona (08034)
Spain
Telephone: +34 93 405 45 87
contact@polygraph.io
https://polygraph.io

31. traffic volume, breakdown by application

32. protocol breakdown

33. top talkers (addresses, ports, autonomous systems)

34. traffic geolocation

35. anomaly and attack detection with automatic baselining

36. indexed traffic database for forensic analysis

37. automated downloadable reports