An Integrated Network Performance Monitor System


Third International Symposium on Intelligent Information Technology and Security Informatics

Hongjie Sun
Chengdong College
Northeast Agriculture University
Harbin, CHINA
[email protected]

978-0-7695-4020-7/10 $26.00 © 2010 IEEE
DOI 10.1109/IITSI.2010.60

Abstract—Network performance monitoring has become a central issue in network application and operation optimization. This article describes an integrated network performance monitor system using a combination of active and passive measurement techniques. Active probing is used for overall network performance monitoring, and passive monitoring is used for local network performance information collection and analysis. An integrated network performance monitor system combining the two measurement techniques is a brand-new idea. Experimental results indicate that this system is effective and practical.

Keywords-network performance monitor, active probing, passive monitoring, network tomography

I. INTRODUCTION

As the Internet continues its explosive growth in size and complexity, networks are more and more vulnerable to malicious attacks from both the outside and the inside world. Controlling an enterprise network requires significant technical skills as well as an ongoing effort to keep up with the ever-expanding universe of security exploits, threats, software, methodologies and tools. Performance management tasks such as problem determination (detecting system problems and isolating their root causes) are increasingly important but also extremely difficult.

Because of the great heterogeneity, rapid change, complex connectivity and historical factors involved, network measurement has become more difficult. Communication networks are complex and constantly changing systems. There are both practical and political reasons for this: different parts are built by different companies or organizations, and different ISPs may have varied operational and security policies, such as trade secrets, so operators do not provide information about their networks. The Internet is extremely heterogeneous and diverse, both in terms of the technologies that form the network and the applications that use it; it is large in size and complex in structure, and looks like a black cloud to end users. Many uncertainties lead to instability: unstable software, routing tables, systems, etc. Most large ISPs currently collect basic statistics on the performance of their own infrastructure, typically including measurements of utilization, availability and possibly rudimentary assessments of delay and throughput. Research on measurement approaches for network performance monitoring is therefore important.

How to construct an Internet performance monitor system with a reliable performance measurement technique is therefore important for both ISPs and end users. At present, there are few large-scale network performance monitor systems in China, so we need to develop our own. We present an integrated network performance monitor system (INPMS) using a combination of active and passive measurement techniques.

The rest of the paper is organized as follows. The next section provides a brief overview of some of the literature related to network performance monitoring techniques. Section 3 presents the implementation of INPMS and related techniques. Section 4 presents the experiments and results. The last section gives a brief summary of this research.

II. RELATED WORK

Network monitoring can be classified into active and passive monitoring.

Active measurement, where controlled probe traffic is generated, injected into a network, and measured at a receiving node, has become increasingly important due to its great flexibility, intrinsically end-to-end nature, and freedom from the need to access core network switching elements. Existing large-scale active measurement programs have used probe traffic to measure connectivity, delay, and loss statistics on coarse time scales: seconds or, more commonly, minutes. Measurement packets can be encapsulated in existing protocols such as the Internet Control Message Protocol (ICMP)[1], the User Datagram Protocol (UDP)[2], and the Transmission Control Protocol (TCP)[3]. Examples of packet probing techniques that are encapsulated in these existing protocols are ping, traceroute, and the IP Performance Metrics (IPPM) group's One-way Delay Protocol (OWDP)[4]. The protocols used to encapsulate these measurement packets were not designed with measurement as a consideration, so there may be serious limitations to measurements encapsulated in these protocols.

Many tools have been developed for active probing of network performance, such as bing[5], clink[6], netest[7], pathchar[8], pchar[9], pipechar[10], etc.

In the passive scenario, on the other hand, packets are sampled with the intention of gaining a better understanding of the flow distribution in the network, identifying malicious
packets and determining which routers they travel through in the network. In terms of their mode of operation, passive monitors can be classified as hardware-based and software-based. Dedicated hardware can be used to tap directly into links and inspect the traffic passing over the link. Based on the traffic volume, the thoroughness of the inspection needs to be adjusted from simple pattern recognition on gigabit links down to state-run inspection on less utilized links. Another hardware-based solution is the deployment of routers with built-in monitoring capabilities such as Cisco's NetFlow[11] solution. Software-based monitors, on the other hand, are commonly deployed on the routers. In particular, such monitors can be realized as autonomous software agents.

III. INPMS

In this section, we give a detailed introduction to the implementation of INPMS and its related technologies. INPMS uses a combination of active and passive measurement techniques. Active probing is used for overall network performance monitoring, and passive monitoring is used for local network performance information collection and analysis. Fig. 1 shows the architecture of INPMS.

The whole system is composed of three parts: the graph visualizing module, the measurement module and the alarm module. The measurement module first executes performance probing with multiple threads using the active method, based on rules (including probing interval, packet size and destination dataset). The data analyzing module finds the abnormal link based on the network tomography technique. The passive method is then used to collect and process the network traffic of the abnormal link. The alarm module shows the result as a graphic visualization.

Figure 1. Architecture of INPMS (blocks: Graph Visualizing Module with Graph Visualizing Interface, User Command API and Graph Access API; Alarm Module; Measurement Module with Active Monitor (Active Probing Engine, Active Data Analyzing) and Passive Monitor (Passive Data Collection, Passive Data Processing); Database; Network Interface Card (NIC))

A. Active Monitor Mechanism

We propose a new method to detect abnormal links based on network tomography. The EM algorithm is used to estimate the distribution of link delay, and the RBF algorithm is used for link activity profile learning and anomalous link detection. Fig. 2 shows the detection mechanism.

Figure 2. Detection mechanism (blocks, top to bottom: Alarm Model; Abnormal Detection Model with threshold (θ), comparing the (t+1)th forecast value with the (t+1)th delay distribution; Forecast Model (RBF neural network), fed with the tth link delay distribution; Link Delay Distribution Inferring Model (EM algorithm); Probing Engine; Internet)

The basic measurement and inference idea is quite straightforward. Suppose packets are sent from the source to many different receivers. The paths to these receivers traverse a common set of links, but at some point the paths diverge (as the tree branches). Packets should experience approximately the same delay on each shared link in their path. This facilitates the estimation of the delays occurring on each link. Under the assumption that link delays are spatially and temporally independent, we propose a bias-corrected estimator for the internal link delay based on end-to-end delay measurements. The time delays are due to both propagation delays and router processing delays along the path. The measured path delay is the sum of the delays on the links comprising the path; the link delay comprises both the propagation delay on that link and the queuing delay at the routers lying along that link. A packet is dropped if it does not successfully reach the input buffer of the destination node. Link delays and occurrences of dropped packets are inherently random. Random link delays can be caused by router output buffer delays, router packet servicing delays, and propagation delay variability.

The network topology is represented as a weighted tree T=(V,L,D) comprising a set of nodes V joined by links in L. D denotes the set of weights (delay, loss, traffic and delay jitter) on each link. A packet source is located at the root node 0, while a set of destinations is located at the leaf nodes R. The interior nodes of the tree represent the branch points of the routing tree from the source to the destinations, and the links L are the
logical links that link these branch points. In this paper, we select link delay as the weight. The problem of inferring the delay distributions can be roughly approximated by the linear model:

$$Y = A\theta + \varepsilon \qquad (1)$$

where $Y$ is a vector of end-to-end delays; $A$ is a routing matrix; $\theta$ is a vector of link delays; and $\varepsilon$ is a noise term which can result from random perturbations of $\theta$ about its mean value and possibly also additive noise in the measured data $Y$. $A$ is a binary matrix (the $i,j$th element is equal to one or zero) that captures the topology of the network. The problem of large-scale network inference refers to the problem of estimating the network parameters $\theta$ given $Y$ and a set of assumptions on the statistical distribution of the noise $\varepsilon$.

We focus on discrete delay distributions, in which each link delay falls in the set $\{0, q, 2q, \dots, bq\}$, where $q$ is the unit of measurement and $b$ is an integer that defines the maximum delay for each link. Hence, for a path containing $k$ links, the end-to-end delay takes values in $\{0, q, 2q, \dots, kbq\}$. We will consider inference under the stochastic assumption that the individual link delays $X_k$ are mutually independent. Let $a_k(i) = P\{X_k = iq\}$, $i = 1, \dots, b$ and $k \in V$. In the rest of the paper, for convenience, we will drop the use of the universal measurement unit $q$. Further, we will denote by $\vec{a}_k = (a_k(1), a_k(2), \dots, a_k(b))'$ a column vector containing all of the link $k$ delay probabilities. Let $\vec{a} = \{\vec{a}_k, k \in V\}$ be a column vector containing all the parameters of interest that have to be estimated. Only the accumulated (end-to-end) delays at the receiver nodes are recorded, so we observe only $\vec{Y} = \{Y_j; j \in R\}$. Note that for $j \in R$, $Y_j \in \{0, \dots, Lb\}$, where $L$ is the number of layers in the tree. Each multicast probe packet experiences a delay on each link along its path. Let $\mathcal{X} = \{0, 1, \dots, b\}^{|\varepsilon|}$ be the space of all possible link delays. Hence, $\vec{x} \in \mathcal{X}$ is an $|\varepsilon|$-tuple describing the individual link delays that the probe experienced. Let $\vec{y}(\vec{x})$ be the multicast end-to-end measurement that results when $\vec{x}$ occurs. Note that this is a many-to-one function; there are several $\vec{x}$ outcomes that result in the same $\vec{y}$. Denote by $\mathcal{Y} = \{\vec{y}(\vec{x}); \vec{x} \in \mathcal{X}\}$ the space of all possible multicast results.

We use the expectation-maximization (EM) algorithm to compute the MLE of the delay distribution.

Let $N_{\vec{y}}$ be the number of probes that resulted in outcome $\vec{y} \in \mathcal{Y}$. Let $g(\vec{y}; \vec{a}) = P\{\vec{Y} = \vec{y}\}$. Then the observed data correspond to a multinomial experiment in terms of the observed end-to-end link delays, and the log-likelihood can be expressed as $l(\vec{a}) = \sum_{\vec{y} \in \mathcal{Y}} N_{\vec{y}} \log[g(\vec{y}; \vec{a})]$. This likelihood is a complicated function and is difficult to maximize directly.

The EM algorithm is a natural approach for computing the MLE in this kind of missing data problem. It is an iterative algorithm that starts with some initial estimate of the desired parameter values. The process is repeated until the likelihood converges to a maximum. Each step of the algorithm is guaranteed to increase the likelihood. Let $M_{\vec{x}}$ be the number of times that a particular individual link delay set occurred. Given an estimate of $\vec{a}$, we can calculate new estimates of $\vec{a}$ and repeat the process. Formally, let the $q$-th step estimate of the delay distribution of all the links in the tree topology be denoted by $\vec{a}^{(q)}$. Using this estimate, we can compute $P^{(q)}\{\vec{X} = \vec{x}\}$ and $P^{(q)}\{\vec{Y} = \vec{y}(\vec{x})\}$. With these values, we can now impute the required quantities in the E-step:

$$M_{\vec{x}}^{(q+1)} = N_{\vec{y}} \, \frac{P^{(q)}\{\vec{X} = \vec{x}\}}{P^{(q)}\{\vec{Y} = \vec{y}(\vec{x})\}} \qquad (2)$$

If we let $\mathcal{X}_{k,i} = \{\vec{x} \in \mathcal{X} \mid x_k = i\}$, then the M-step is:

$$a_k^{(q+1)}(i) = \frac{1}{n} \sum_{\vec{x} \in \mathcal{X}_{k,i}} M_{\vec{x}}^{(q+1)} \qquad (3)$$

B. Passive Monitor Mechanism

In our passive measurement methodology, we monitor traffic in three directions. Fig. 3 shows the flow chart of passive data processing.

Figure 3. Flow chart of passive data processing (steps: Link Input; Link selection; Protocol Analysis; Destination IP Analysis; Source IP Analysis; Result Output)

We get the abnormal link information from the alarm module, then select the link to be placed under passive monitoring. Traffic is collected through this link and protocol information is extracted. The abnormal protocol traffic is chosen and its destination IP addresses are monitored. Source IP addresses are then monitored for each abnormal destination IP address, and the result is output to the alarm module.

IV. EXPERIMENT

INPMS can be used for inter-domain and intra-domain monitoring. We use the active measurement data in [12] and put the data on ns2. Fig. 4 shows the network topology. Abnormal traffic is sent from Hubei, Tibet and Yunnan. The active monitor selects the link between Hubei and Henan, the link between Tibet and Sichuan, and the link between Yunnan and Guizhou as abnormal links; the passive monitor then collects traffic from nodes Hubei, Henan,
Tibet, Sichuan, Yunnan and Guizhou. Fig. 5 shows the TCP traffic chart of nodes Hubei and Henan. The input traffic of Henan changes sharply. We analyze the source IP addresses and find that Hubei is the abnormal node.

Figure 4. Network Topology

Figure 5. TCP Traffic Chart of Node Hubei and Henan (panels: (a) Input Traffic of Hebei; (b) Output Traffic of Hebei; (c) Input Traffic of Hunan; (d) Output Traffic of Hunan)

V. CONCLUSION

In this paper, we have proposed an integrated network performance monitor system using a combination of active and passive measurement techniques. Active probing is used for overall network performance monitoring, and passive monitoring is used for local network performance information collection and analysis. We then gave a detailed introduction to the mechanism of network performance monitoring. Finally, we verified the validity of INPMS. Experimental results indicate that this system is effective and practical.

ACKNOWLEDGMENT

This work is supported by the Foundation of Northeast Agriculture University.

REFERENCES

[1] J. Postel, Internet control message protocol, RFC 792, IETF, 1981.
[2] J. Postel, User datagram protocol, RFC 768, IETF, 1980.
[3] J. Postel, Transmission control protocol, RFC 793, IETF, 1981.
[4] S. Shalunov, B. Teitelbaum, and M. Zekauskas, "A one-way delay measurement protocol. IPPM work in progress", IETF, 2001.
[5] http://www.freenix.fr/freenix/logiciels/bing.html
[6] http://allendowney.com/research/clink/
[7] G. Jin, B. Tierney, "Netest: A Tool to Measure the Maximum Burst Size, Available Bandwidth and Achievable Throughput", Proceedings of the 2003 International Conference on Information Technology Research and Education, Aug. 10-13, 2003, Newark, New Jersey, LBNL-48350.
[8] http://www.caida.org/tools/utilities/others/pathchar
[9] http://www.kitchenlab.org/www/bmah/Software/pchar/
[10] http://www-didc.lbl.gov/NCS/
[11] http://en.wikipedia.org/wiki/Netflow
[12] SUN Hongjie, et al. "A Distributed Architecture for Network Measurement and Evaluation System", Proc. of the 6th Int'l Conf. on Parallel and Distributed Computing, Applications and Technologies. Dalian: IEEE Press, 2005, 471-475.
[13] Hongjie Sun, et al. An Ant-based EM Algorithm for Network Link Delay Distribution Inference. Journal of Information and Computational Science, 2007, 4(2):729-735.
[14] S.Y. Sun and M. Dong, Continuum Modeling of Supply Chain Networks using Discontinuous Galerkin Methods, Computer Methods in Applied Mechanics and Engineering, 197 (13-16), 1204-1218, 2008.
[15] M. Abusubaih, S. Wiethoelter, J. Gross, and A. Wolisz, "A New Access Point Selection Policy for Multi-Rate IEEE 802.11 WLANs", International Journal of Parallel, Emergent and Distributed Systems (IJPEDS), 23:291-307, August 2008.
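
The EM iteration of Eqs. (2) and (3) in Section III.A, written out for the smallest tree in which two paths share a link; this is an added example, not code from the paper or from INPMS. The two-receiver topology, the probe counts, the delay range b = 1, the uniform starting estimate and taking n as the total number of probes are assumptions constructed for illustration.

```python
import itertools
import math

# Constructed topology: root 0 -> node 1 is link 0 (shared by both paths);
# node 1 -> receiver 1 is link 1; node 1 -> receiver 2 is link 2.
PATHS = [(0, 1), (0, 2)]      # links traversed to reach each receiver
NUM_LINKS, B = 3, 1           # each link delay takes a value in {0, ..., B}

# Constructed counts N_y for 1000 probes, keyed by outcome y = (Y_1, Y_2).
COUNTS = {(0, 0): 504, (1, 0): 56, (0, 1): 126, (1, 1): 230,
          (2, 1): 24, (1, 2): 54, (2, 2): 6}

def outcome(x):
    """Many-to-one map y(x): per-link delays -> end-to-end delays."""
    return tuple(sum(x[k] for k in path) for path in PATHS)

def joint(a, x):
    """P{X = x} under mutually independent link delays with distributions a."""
    return math.prod(a[k][x[k]] for k in range(NUM_LINKS))

def em_step(a, counts):
    """One EM iteration; returns (new estimate, log-likelihood of a)."""
    space = list(itertools.product(range(B + 1), repeat=NUM_LINKS))
    p_y = {}
    for x in space:           # P{Y = y} sums P{X = x} over all x with y(x) = y
        p_y[outcome(x)] = p_y.get(outcome(x), 0.0) + joint(a, x)
    n = sum(counts.values())  # assumption: n is the total number of probes
    new = [[0.0] * (B + 1) for _ in range(NUM_LINKS)]
    for x in space:
        n_y = counts.get(outcome(x), 0)
        if n_y:
            m_x = n_y * joint(a, x) / p_y[outcome(x)]   # E-step, Eq. (2)
            for k in range(NUM_LINKS):
                new[k][x[k]] += m_x / n                 # M-step, Eq. (3)
    loglik = sum(c * math.log(p_y[y]) for y, c in counts.items())
    return new, loglik

def infer(counts, iterations=100):
    """Run EM from a uniform start; returns (estimate, log-likelihood trace)."""
    a = [[1.0 / (B + 1)] * (B + 1) for _ in range(NUM_LINKS)]
    trace = []
    for _ in range(iterations):
        a, loglik = em_step(a, counts)
        trace.append(loglik)
    return a, trace

if __name__ == "__main__":
    for k, dist in enumerate(infer(COUNTS)[0]):
        print(f"link {k}:", [round(p, 3) for p in dist])
```

With these counts the estimate settles at a probability of one delay unit of about 0.3 on the shared link and about 0.1 and 0.2 on the two receiver links, and the log-likelihood trace never decreases, so a delay shift on the shared link can be told apart from one on either receiver link using end-to-end measurements only.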
