►
From YouTube: IETF96-NMRG-20160718-1400
Description
NMRG meeting session at IETF96
2016/07/18 1400
B
C
B
D
B
Well,
we
have
tight
schedule
so
this
year
we
only
get
one
love
almost
for
the
workshop
unlike
past
years,
so
let's
likely
start
so
for
the
first
four
speakers
I
have
read,
you
should
stay
here
this
area
in
this
area
for
the
camera,
don't
forget
that
everything
you
say
is
recorded
and
broadcaster
and-
and
we
also
passing
around
this
blue
sheet,
where
you
write
well
conservatism.
Okay,
so
I
would
like.
B
So
I
would
I
like
to
ask
the
first
speaker
people
to
start,
since
we
have
only
one
of
I
want
to
speak,
very
careful
with
how
much
time
you
use
we
calculated
20
minutes.
First,
a
committee
need
not
seek
relief,
including
question,
sir,
so
the
more
questions
you
want,
which
is
actually
the
interesting
part
right
when
you
come
to
an
ITF
needy
as
I
shorter.
You
should
make
your
speech
speech.
A
A
My
advisor
is
Professor
Steven,
a
tray
and
also
the
Xandra
from
Brazil,
and
this
work
I
made
in
my
Master's
with
designer
and
yurgin
in
at
University
in
Brazil,
and
it's
about
interactive
monitoring,
visualization
and
configuration
of
a
playful
blades
sdn.
So
Ricardo
can
so
basically
we
consider
it
that
sdn
is
based
on
four
fundamental
principles.
The
first
one
is
the
network
control
and
folding
the
Seas
farting
planes
are
clearly
the
copepod.
The
second
one
is
the
14.
Decisions
are
flow
based
instead
of
this
nation
based
the
third
one
is
the
network.
A
Farting
logic
is
obstructed
from
hardware
to
program
all
programmable
software
layer
and
also
a
control
element
is
introduced.
It
to
coordinate
network-wide
14
decisions
and
also
a
sdn
has
a
flexible
architecture
with
four
planes.
The
application
plane
lick
on
the
control
plane,
the
folding
plane
and
also
the
management
plane.
The
application
plane
comprehends
the
net
applications
and
services.
A
The
control
plane
comprehends
the
SDN
controllers,
the
folding
plane
comprehends
the
set
of
simple
farting
devices,
and
the
management
plane
comprehends
the
management
solutions,
for
example,
solutions
to
resource
allocation
and
monitoring
device
status
and
nowadays,
the
most
relevant
as
the
end.
Implementation
is
stay
open
for
protocol
because
of
these
principles
and
it's
flexible
architecture
as
the
end
a
reduces
or
even
eliminate
some
traditional
management
problems,
for
example,
enabling
network
configuration
in
a
high-level
language
and
also
providing
support
for
enhancing
nectar
by
diagnosis
and
troubleshooting
activities.
A
I
mean
to
reduce
control
traffic
overhead
and
also
protecting
the
network,
but
in
what
proportion,
the
SDN
controller
behavior
can
affect
both
research
consumption
and
also
traffic
forwarding
performance.
To
best
of
our
knowledge,
there
is
no
solution
available
that
to
integrate
the
monitoring
information
with
interactive
visualization
and
configuration
tools
for
Sdn,
and
we
are
with
such
a
solution.
The
are
the
administrator,
could
better
understand
and
interact
with
sdn.
So
basically,
we
have
two
contributions.
A
The
first
one
is
the
control
channel
analysis
that
we
quantify
the
overheads
by
impulse
it
by
Oakland
full
control
message,
and
then
we
propose
an
interactive
approach
of
two
Sdn
management
through
monitoring,
visualization
and
configuration
activities
by
including
the
administrator
in
a
management
loop.
So
basically
we'll
start
with
the
control
channel
analysis.
A
So,
in
our
control
channel
analysis,
we
quantify
the
overheads
imposed
by
openflow
1.0
and
we
use
the
controller
forwarding
behavior
implementation
in
a
compass,
natesan
area
we
analyze
it.
The
control,
channel,
load,
metric
related
to
the
installation
and
monitoring,
forwarding
rules
and
also
resource
usage
related
to
active
and
either
rules,
and
it's
important
to
emphasize
Ricardo,
that
is
an
idle
rule,
is
considered
idle
when
its
counters
do
not
change
between
two
monitoring
poles.
A
A
A
The
controller
receives
this
packet
in
the
controller
calculates
all
the
the
the
pad
and
sends
modified
state
messages
to
all.
Switzerland
Pat
accepts
the
switch
that
originates
the
packet
in
and
then
the
controller
send
a
modified
state
with
the
send
packet
to
the
switch
that
originates
the
packet
in
to
in
order
to
install
the
rules
and
all
the
switches
along
the
path.
And
then
the
message
goes
to
the
file
server
normally
and
the
next
packets
goes
without
requesting
the
controller
okay.
A
Okay,
the
this
results
show
that
a
single
factor-
configuring
the
controller-
can
make
a
huge
difference
and
in
the
amount
of
rules
installed
in
the
later,
this
chart
illustrates
the
amount
of
rules
install
in
the
network
and
which
of
those
arrival,
giving
a
idle
timeout
configuration,
and
it's
clearly
to
observe
when
we
set
this
idle
timeout
to
120
seconds.
We
have
more
than
1,000
rules
installing
the
network
and
being
seventy-seven
percent
of
these
rules.
I'll.
The
reason
of
this
amount
of
idle
rules
is
because
most
of
users
are
request
a
web
file
web.
A
State
requests
going
from
the
controller
to
the
thing
in
the
direction
from
the
controller
to
the
foreign
devices
and
the
packet
in
in
which
states
replies
messages
goes
from
the
devices
in
the
controller's
direction,
and
the
height
of
each
bar
represents
the
control
channel
old
and
the
package
processes
per
second
in
both
directions.
So
we
can
see
that
if
we
set
the
other
time
out
to
a
lower
value,
we
have
more
traffic
related
to
installation
process.
A
The
message
that
our
exchanges
to
install
more
rules
are
more
often
and
but
the
overhead
imposed
for
monitoring
is
lower
because
we
don't
have
too
many
rules
to
monitor.
Do
it,
too,
and
if
we
set
to
a
higher
values,
we
have
more
overhead
related
to
monitoring,
because
you
have
more
rules
to
to
monitor.
But
we
have
more
less
installation
process
in
this
in
this
case,
and
this
means
that
the
administration
needs
to
watch
over
this
parameter
in
order
to
avoid
some
bottleneck,
because
it's
correlated
so
now,
I
will
present
our
watch
and
go
regard.
A
So
this
is
the
SDN
architecture,
along
with
the
components
that
we
added
and
on
our
approach
inside
a
management
plane.
We
have
basically
two
main
to
main
components:
the
monitoring
manager,
the
visualization
manager
and
the
configuration
manager
by
creating
a
loop
with
the
administrator
interactions.
A
The
monitoring
manager
is
responsible
to
retrieve
information
about
the
network
and
store
it
in
the
local
database
and
to
do
that.
The
monitoring
manager
communicates
with
the
controller
through
the
management
interface
and
it's
module.
Is
the
infrastructure
synchronizer,
the
visualization
manager,
aggregates
data
provided
by
the
monitoring
manager
and
also
provides
an
interactive
visualizations
to
the
administrator
to
the
graphical
user
interface
and
each
models
is
the
chart
visualizations
and
the
statistics
processing
the
last
one.
The
configuration
manager
is
responsible
to
check
and
configure
as
the
end
related
parameters,
unnatural
controllers,
and
to
do
that.
A
So
this
is
our
interface
at
the
interface
of
our
prototype.
We
have
configuration
configurations,
possibilities,
also
a
topology
view
and
with
node
information
and
also
interactive
charts.
That
represents
the
graphs
that
I
showed
previously
and
we
evaluated
our
prototype
by
simulating
some
administrator
configurations.
A
A
This
is
to
increase
the
idle
timeout
to
6
60
seconds,
and
this
configuration
in
blinds
in
a
in
more
rules
installing
the
network
and
more
idle
rules
also-
and
we
can
see
that
also
the
traffic
that
goes
to
the
controller
traffic
related
to
the
monitoring
also
grows
because
those
this
traffic
is
also
related
to
the
amount
of
rules
that
we
have
in
the
network.
But
we
can
see
the
traffic
that
is
related
to
the
rules.
Installation
decrease
because
the
installation
process
is
more
rare
in
this
case.
So
then
the
administrator
try
to
decrease
this
traffic.
A
That
goes
to
the
controller
by
increasing
the
polling
frequency,
for
example,
to
40
seconds.
Then
we
can
see
that
the
traffic
test
is
related
to
monitoring
decrease,
but
we
can
see
also
that
we
lose.
We
have
a
precision
loss.
We
cannot
identify
any
more
the
idle
rules,
because
the
monitoring
poles
are
too
sparse,
and
it's
also
interesting
to
to
see
that
in
the
last
configuration
that
mr.
A
So
to
our
control
channel
analysis,
we
identified
that
a
single
factor
configure
that
the
controller
can
make
all
the
difference
on
both
resource
consumption
and
also
control,
channel
load
and
through
our
prototype,
we
we
were
able
to
retrieve
statistic
about
the
control
channel.
That
is
a
feature
that
most
sdn
approaches
did
not
consider.
Also,
we
allowed
them
in
stata
to
interact
with
as
the
end
to
the
interactive
graphs
and
based
off
this
interactive
visualizations,
then
stator
could
could
be
able
to
identify
potential
issues
and
change
configurations
in
in
the
SDN.
A
E
So
Pedro
you,
you
are
talking
about
different
controllers
implementation
in
a
campus
network.
Was
your
test
bed.
Let's
say
where
you
deploy
your
your
prototype
or
you're,
seeing
your
simulations,
but
why
we
hope.
How
would
you
imagine
open
flow
network
deployment
using
different
controllers?
Why
would
an
administrator
try
to
use
only
a
single
controller.
A
A
We
only
consider
one
only
one
controller,
but
if,
if
you
consider
more
than
one
yeah,
we
should
implement
more
drivers
because
there
are
different
implementations
and
we
could
not
address.
For
example,
we
used
floodlight
our
modified
food
light.
If
you
want
to
use
box
or
you,
you
need
to
implement
a
specific
driver
to
retrieve
this
same
information
to
to
use
in
our
prototype.
E
Okay
and
about
the
measurements,
do
you
envision
or
do
you
see
any
sort
of
traffic
measurements
that
open
flow
controllers
provides
Ord
open
flow
switch,
provide
actually
like
at
the
table
at
the
forwarding
table
there?
They
are
supposed
to
do
some
/
flow
measurements
number
of
packets
number
of
Vice?
Did
you
ever
use
those?
Do
you
have
any
consideration
on
that?
We.
A
E
F
Thank
you
for
the
injured
children
good
afternoon.
My
name
is
Anne
busca
I
am
safely
candidate
at
burning
university
of
technology
and
I'm
also
on
void
at
society,
which
is
an
enron
provider
for
czech
republic.
Today.
I
would
like
to
speak
about
detection
and
this
in
this
case
of
the
prototype,
but
it
can
be
generalized
on
any
other
kinds
of
attacks
and
on
100g
technology
at
them
which
have
been
developed
also
by
it's
a
snap
and
incorporation
with
including
detection
system.
Denis
me
act
so
establish
the
inflection
and
the
motivation
he
employed.
F
A
traditional
system
no
flow
based
monitoring.
This
is
very
beneficial
because
of
its
security
analysis,
performance,
evaluation,
accounting
and
so
on,
but
it
has
some
caveats
like.
If
you
want
to
do
some
forensic
analysis,
you
want
to
learn
from
others
that
are
already
detected
or
improve
your
techniques
or
verify.
If
the
attack
is
to
positive
or
both
negative,
it's
a
trap
how
it
can
be
done
very
cool
with
only
flow
based
unless
so,
our
goal
was
to
pick.
F
So
our
goal
is
to
automate
the
light
capturing
on
demand
and
to
include
some
additional
part
or
capturing
from
so-called
technology,
the
time
machine.
So
altogether.
We
would
like
to
combine
the
combination
of
a
kid
capturing
with
flow
based
analysis
principles.
So
this
is
the
basic
we
have
a
turn
up
for
computation
on
some
probe
and
we
can
work
with
that.
So
this
is
the
typical
scenario
that's
involved
and
by
all
networks.
So
we
extend
this
to
sdn.
We
call
it
software-defined
monitoring
this.
Our
concept
we
create
a
special
network
are
on
100g.
F
It
includes
a
pga
core
and
this
capable
of
filtration
medication
and
computation
of
flows.
So
using
this
technology
we
can
offload,
the
computation
of
IP
fix,
fall
to
the
fpga,
and
we
can
spare
some
resources
on
the
combination
hardware
that
we
can
utilize
for
other
computations.
So,
on
a
highlight
principle,
we
have
the
mercury
Pro,
the
SDM.
We
want
to
observe
the
flow
data.
That's
are
generated.
F
This
faux
data
are
analyzed
by
some
application
identifier,
for
example,
if
the
same
position,
initiation
protocol,
we've
analyzed
by
URL
and
so
on,
and
we
want
to
analyze
and
detect
these
network
incidents,
and
we
want
to
give
the
feedback
the
alert
when
the
incident
is
detected
back
to
the
monitoring
probe
with
SDM
and
start
the
full
packet
capture
it.
So
from
now
on,
the
full
packet
capturing
will
be
initiated.
But
if
you
want
to
observe
the
beginnings
of
the
vector
attack,
we
need
data
from
the
past,
so
the
time
machine
technology.
F
So
our
real-time
approach,
we've
included,
will
give
the
film
are
implemented
on
the
car,
the
light
drink
so
getting
to
the
time
machine
we've
looked
at
the
technology
or
the
proposal
based
on
coordinates
lamp,
axons,
building
a
time
machine
for
action
recordings
and
receive
a
high-volume
networking,
traffic
and
2005.
They
use
the
storage
of
packages
on
hard
drive,
which
is
nowadays
some
hopefully
because
we
can
store
so
much
data
on
the
beat
on
hard
drives
and
they
use
it
for
long
range.
F
3
g's,
the
coronas
was
that
not
all
packets
have
been
captured,
but
only
the
beginnings
of
the
floor
because
the
beginnings
of
the
flow
contained
heather's
or
diverted
the
vector
of
the
attacks,
and
they
can
be
further
observed
and
are
more
the
most
interesting
for
us.
So
our
modification
to
the
SVM
time
machine.
We
use
the
principles
but
and
I
sit
by
storing
the
traffic
or
the
beginning,
the
zoo
traffic
into
DRAM,
which
is
much
faster.
F
We
use
technology
for
100g,
we
implemented
the
software
ring
buffer
that
give
us
as
much
space
as
we
need,
or
it's
given
in
the
ramp
and
restores
only
the
first
end
packets
of
each
flow
that
can
be
stored
as
long
as
possible,
always
with
the
ram
so
giving
this.
When
the
other
is
reported,
we
are
able
to
start
the
full
pocket
capturing
and
retrieve
the
data
back
from
passed
from
the
ring
buffer.
So
in
this
way
we
can
look
like
in
the
past.
F
So
if
an
hi
is
this
graph
or
diagram
with
the
time
machine,
so
the
measurements
or
what
we
have
done
with
this
technology,
with
the
state
on
detection
of
vertical
rizendough
network
scans,
the
detection
of
communication
tunnels
in
DNS
and
the
cipro
attack,
or
the
kissing
of
dialplan
with
pure
configure
Network
private
break
private
branch
exchange
ease
so
using
the
SDM.
If
they
machine,
we
can
get
evidence
and
verified
to
Detective
incidents
from
the
past.
F
So
you
might
ask,
are
the
end
but
gets
enough,
so
we've
done
some
monitoring
or
our
network
and
we
find
out
that
the
aggregation
is
the
red
line.
If
you
look,
if
you
kept
your
only
10
packet,
you
get
more
than
ninety
percent
of
all
flocks
of
all
communication
in
the
flows
and
the
rest
and
person
is
the
data
that
I'm
not
so
interesting
for
you
because
it
so
it
captured
all
of
its.
F
It
contains
a
very
big
payout
that
are
not
interested
for
this
analyzes,
because
this
attacks
also
about
the
shorts
or
have
short
Paoli
built.
So
if
you
look
also
on
the
10
or
we
choose
decision
threshold
at
10
packets,
we
can
see
that
we
eliminate
almost
ninety
percent
of
data
that
otherwise
would
have
to
be
captured
or
stored
in
the
ram.
So
with
the
decision
threshold,
then
we
only
store
about
ten
percent
of
all
data
that
needs
to
be
captured
or
given
in
the
time
machine.
F
It
also
diverse
on
different
l7
protocol-
that's
used,
but
in
general
it's
it's
this,
so
the
machine
that
we've
used
for
the
sting
it
contains.
Two
CPUs
overall
24
cpu
cores
about
60
or
get
busy
from
the
Bison
from
and
I
think
a
bit
over.
The
version
of
SDN
capable
card
used,
56k
bytes
of
RAM
for
a
ring
buffer
and
we've
captured
on
full
utilized
link.
Speed
based
are
only
ten
packets
of
each
flow,
and
we
observed
that
we
could
store
about
15
minutes
of
the
traffic.
F
So
in
this
configuration
we
are
able
to
see
back
15
minutes
of
the
traffic,
so
we
have
15
minutes
to
detect
the
incident
start
full
packet,
capturing
and
retrieve
the
data
from
the
past,
but
these
numbers
are
very
dependent
on
the
characteristic
of
the
networks
and
traffic
volume,
distribution,
etc.
So
it
might
differ
so
some
other
measurement
on
the
configuration,
how
many
or
how
much
time
you
can
capture
or
you
can
see
in
the
past
if
you
change
the
trade-off
for
capture
packets.
F
So
starting
with
you,
we
have
about
eight
thousand
seconds,
but
it's
unacceptable
most
dimes.
So
we
find
out
that
the
most
reasonable
trade
mole
is
around
10
minutes,
so
it
will
destroy
all
we
are.
We
have
the
most
success
rate
in
detective
of
the
incidents
so
but
look
at
the
use
case
of
see
fraud
attack.
F
The
basics
of
the
attack
is
a
pre-configured
private
branch
exchange
on
some
company
using
this
technology
on
our
network,
we
observe
around
or
video
observe
around
four
of
these
attacks
or
different
attacks
per
day
on
our
networks.
So,
as
you
can
see
it,
it
might
be
interesting
for
some
companies
to
know
that
they
are
vulnerable
for
this
kind
of
attacks.
It's
based
on
boot
configuration
because
some
administrators
just
forget
to
to
exclude
public
internet
from
the
private
prefix
goals
and
or
improper
configuration
of
authentication,
so
section
of
this
attack
and
its
effects
key.
We.
F
Computer,
that's
unfitted
by
malware
or
under
to
come
under
the
control
of
the
attacker.
We
have
the
private
branch
exchange
that's
connected
to
pstn,
which
is
the
total
communication
services.
The
attacker
just
rent
a
paid
service
does
the
premium
number
that
is
very
expensive
to
call
and
attacker
starts
to
guess.
The
secret
predicts
that
you
include
before
the
actual
number,
if
you
want
to
call
outside
outside
of
your
company.
So
when
the
attack
is
successful,
attacker
just
starts
the
call
and
withdraw
the
money
from
the
paid
service.
F
So
the
sip
session
initiation
protocol
is
text
based
protocol.
It
contains
just
a
few
messages
and
this
message
messages
can
be
parsed
on
the
computer
or
the
combination
hardware
that
that's
used
for
the
capturing
order
for
the
product.
So
we
just
extend
the
IP
fix
that
we
use
for
for
net
flow
exports,
and
we
include
the
URL
from
the
invite
messages
and
we
observe
because
that
rhv.
So
when
the
attack
is
successful,
the
server
results
they
or
return
the
message.
F
200,
okay
and
the
call
can't
start
so
typical
attack-
looks
like
this
other
concerns
very
large
amount
of
invites,
with
different
prefixes.
The
server
returns
this
message
and
when
the
attack
is
successful,
you
can
observe
this
pattern
so
perfect.
Guessing
you
can
imagine
in
this
way.
This
is
the
private
number
prefixes
and
attacker
tries
to
get
this
prefixes
so
how
we
can
detect
this
attack
from
point
of
network
architecture.
F
We
just
need
to
be
in
the
middle
into
interstellar
communication,
monitor
pro
export,
IP
fix
and
using
our
own
system
that
does
not
have
developed
the
nimiya,
the
intrusion
detection
system,
which
is
based
on
flow
processing
or
stream
processing
of
net
flows.
It
can
be
text,
this
kind
of
attacks
and
white
control
and
report
to
a
supervisor
and
give
the
feedback
through
monitoring
product
to
capture
all
data.
F
F
So
this
is
the
typical
pattern
of
this
attack,
our
monitoring
or
the
visualization.
So
we
can
conclude
this
dispute.
The
system
we've
used
the
open
source
network,
forensic
analysis,
tool
of
detective
that
been
developed
on
bro
faculty
or
below
your
selfish
maji.
This
tool
is
able
to
process
ticket
files,
extract
some
information
from
application
layer
and
it
mostly
they
are
used
for
network
forensic
analysis,
so
it
can
operate
with
vary
among
large
amount
of
a
certain
protocols
and
it
can
be
easily
easily
extended
so
for
the
visualization
path.
F
From
this
table,
the
unrest,
a
jury
could
see
able
to
attack,
was
successful,
all
filter
the
communication
and
find
out
if
it's
real
attack
or
not
so
this
tool
also
generates
the
prefix
trees.
So
you
can
easily
see
if
this
is
the
first
positive
or
both
negative
of
the
attack.
Also,
it
provides
some
additional
information.
Like
performance
statistics,
number
of
frames
or
bytes
transferred
up
down
statistic
on
TCP
hey.
There
have
been
some
packet
losses
or
some
other
information,
distribution
of
protocol
or
layers
etc.
F
Sometimes
in
my
views
will
to
see
some
packets
chance
to
detect
some
kind
of
attacks
and,
of
course,
the
last
functionality.
The
word
shark,
like
approach
to
see
the
inner
outer
pockets.
So
conclude,
this
presentation
we
developed
technology
to
monitor
100g
we've
extended
the
flow
records
of
the
application.
F
Antivirus
based
on
our
extension,
have
been
implemented
into
pga
and
the
present
system
provides
for
records
food
packet,
capturing
on
the
100
g,
and
it
enables
you
to
see
the
history
of
the
communication
from
the
point
where
the
attack
actually
occurred
on
the
network
and
to
reach
the
gap
before
the
detection.
So
you
get
all
the
data
in
the
cat
city.
So
thank
you
for
your
attention.
If
you
are
interested,
you
can
see
our
projects
I'd,
lab
router
or
follow
us
on
Twitter
or
so
on.
So
thanks
again
and
the
questions.
H
Alexandra
lemon
I'm,
sorry,
I'm
not
a
big
expert
on
sheep,
but
every
obvious
quase
of
the
pending
attack
on
your
system
when
you
pair
with
an
important
data
and
then
the
attack
vector,
passes
through
undetected.
Yeah,
do
you
have
anything
in
plans
to
avoid
that
or
is
it
your
system
even
susceptible
to
it?
Well,.
F
F
We
mainly
focus
on
the
most
common
attacks
on
our
network
and
to
provide
us
the
feedback
if
we
are
actually
able
to
do,
monitor
or
detect
this
kind
kind
of
sucks
actually
and
if
it,
if
the
detection
are
too
positive
or
we
are
just
observing
something
that
isn't
on
the
networks.
So
the
question
I'm
not
aware
if
we
tried
in
this
kind
of
attack,
can.
I
You
Geronimo
from
the
floor.
International
University
I
saw
you
use
a
network
tab.
So
it's
a
way
for
you
to
monitoring
the
communication,
but
you
guys
have
any
plans
you're
starting
to
review
the
case.
You
see
an
attack,
less
close,
a
call.
F
That
thank
you
for
excellent
question.
We
are
currently
developing
a
solution
that
would
be
able
to
filter
the
communication
and
divert
the
traffic
that
contains
the
attack
or
just
been
eight
or
so
on.
So
for
now
we
are
developing
the
solution
for
this
technology
and
it
should
be
available.
I
think,
in
december
this
year.
Ok,
thank
you.
Thanks.
G
F
G
F
Hello,
hey
this,
this
this
technology
can
be,
can
be
tested
on
virtual
machine,
so
not
not
on
the
G
bath.
You
can
avoid
on
some
small,
smaller
networks
and
all
the
tools
are
presented,
our
open
source.
So
we
don't
have
any
container
that
can
be
deployed
bath
with
the
reasonable
amount
of
work
it
can
be
deployed
under
the
sink
environment.
Show.
J
G
B
Other
questions,
look
okay.
We
still
have
time
to
look
okay,
either.
One
question:
when
you
showed
that
the
statistics
about
how
many
peckers
you
would
need
for
for
the
number
for
the
different
protocols
yeah,
but
ready
to
blow
blows
idea,
I
think
you
just
said
that
you
cannot
detect
the
protocol
right
or
online,
so
you
cannot
say.
F
B
B
On
okay,
so
I
use
the
time
to
ask
the
question:
how
many
people
are
subscribed
to
the
energy
mailing
list?
Raise
your
hand
please,
okay,
next
time,
I
want
next
year.
I
want
to
see
more
hands.
No,
so
just
joking.
So
if
you're
interested
in
the
works
at
emoji
is
doing
which
we
are
we
presenting
the
measurement
for
management
part,
which
is
what,
of
course,
the
entire
my
energy
here.
Actually
we
have
one
of
the
energy.
What
is
your
official
time
actually
chairs.
B
J
J
We
want
to
talk
about
the
challenge
of
measuring
the
region
with
the
already
available
right
atlas,
for
example
they're,
not
so
many
process
there.
So
I
won't
tell
how
we
overcame
that
problem
with
software
probes.
I
want
to
talk
you
about
the
experiment,
how
it
did
with
the
fine
connectivity,
since
we
don't
have
a
standard
definition
for
connectivity,
so
we
defined
there
and
I
want
to
talk
about
there.
Alson
discuss
a
little
bit
about
that
and
what
we
did
we
find
after
they
doing
these
measurements.
J
F
J
Line
down,
there
shows
a
very
pale
blue
color,
the
meaning
that
the
percentage
of
probes
covered
by
that
country
is
too
high
in
depth.
This
case,
zero-point-six
percent
of
the
total
probes
of
ripe
Atlas
and
and
if
we
compare
with
the
next
with
the
rest
of
the
world,
we
can
see,
for
example,
in
the
United,
States
and
Germany
their
whole
they're,
both
colored
with
dark
blue
meaning.
They
have
a
high
percentage
of
probes
being
available
for
measurements,
and
we
can
see
their
niche
in
Latin.
American.
J
J
In
a
with
with
software
probes
called
probe
API
with
which,
through
an
API,
we
can
control
measurement,
probes
and
gather
results
and
to
stuff
that
it's
not
a
up
a
level
with
other
measurements
and
since
their
software
probes,
they're
easily
to
spread
and
to
install
because
they're,
not
a
hardware
that
people
have
has
to
take
home
and
solve
themselves
and
and
they're
running
in
Windows
computers.
Real
users,
computers,
so
they
have
the
advantage
of
easy
deployment,
but
also
that
isn't
a
disadvantage
of
a
they
are
very
volatile.
J
J
So
we
can
see
in
this
graph
a
little
comparison
about
a
plus
and
pro
API
Atlas
is
the
leela
color
to
the
left
and
different
a
a
SMS,
so
the
vertical
line
is
are
just
different
ASNs
we
chose.
We
chose
to
compare
and
they're
very
highly
populated
ASNs
in
terms
of
users,
but
not
all
of
them
are
very
well
covered
by
either
by
not
atlas
or
api.
J
For
example,
if
we
take
the
top
asn,
we
have
46
probes
of
in
that
ESN
from
at
last
and
886
active
at
that
moment
when
we
took
the
screenshot
by
pro
api,
so
it
can
show.
This
can
shows
us
how
we
can
overcome
these
measurement
problems
with
some
hot
software
probes
and
what
we
did
in
this
region
using
this
kind
of
measurement
method.
J
Next
one,
like
I
said
before,
they
are
highly
volatile.
That's
why
we
require
high
number
of
probes
than
normal
to
make
reliable
measurements
because
because
they
appear
and
disappear
as
users,
normal
users,
you
open
and
close
their
laptops
or
computers
and
monitoring
from
the
users
perspective.
Yes,
lets
us
detect
problems
that
otherwise
aren't
really
easy
to
see
because
of
the
vantage
point
problem
in
measuring
networks
that,
depending
from
when
you,
where
you're
measuring
from
you,
will
be
able
to
see
some
things
happening
or
not
like
in
the
set
in
the
next.
J
In
this
case,
we
can
see
if
we
are
monitoring
from
inside
the
network
from
the
center
from
the
data
centers
of
room
servers
or
whatever.
We
can
monitor
a
website
which
will
tell
us
that
it's
okay,
totally
okay
or
from
other
users,
even
it
will
be
okay.
But
if
the
an
ISP
has
connectivity
problems
or
it
has
an
outage,
then
the
only
way
to
detect.
That
is
from
that
perspective,
and
that's
one
advantage.
J
J
We
were
sending
between
probes
and
and
in
servers
in
different
countries
in
latin
america
and
caribbean
200
icmp
beings
over
12
months
over
20
21
countries,
the
geolocation
information
was
taken
from
Mozilla
and
max
mine
databases,
yeah
and
the
each
measurement
were
like
ten
things
so
to
say,
and
we
took
the
best
out
of
them
to
make
to
calculate
our
results
based
on
the
best
available
connectivity,
the
round
trip
times
and
after
getting
the
results.
We
group
the
countries
like
just
observing
the
results
like
clusters
emerged.
J
Very
there
were
very
evidence
to
the
eye,
and,
and
so
we
can
say
after
grouping
the
countries,
we
were
able
to
define
connectivity
of
them
using
these
three
measurements,
like
the
number
of
clusters
found
how
these
countries
how
these
clusters
relate
to
each
other
in
terms
of
connectivity,
how
did
the
latency
in
between
the
countries
in
this
cluster
is
or
outside
the
cluster?
How
the
connectivities,
so
we
have
here
to
the
up
and
the
upper
side
in
the
left.
J
We
have
the
graph
we
built
and
to
the
right
the
map
corresponding
to
go
to
the
graph,
for
example,
if
we
take
the
cluster
number
three
argentina,
brazil,
paraguay
and
or
why
we
can
see
that
that
cluster
internally,
like
between
Argentina
and
all
those
countries,
they
have
a
very
good
connectivity,
143
milliseconds
average
and
but
to
the
outside
of
the
cluster
like
going
to
other
countries.
We
have
problems,
not
a
problem
but
higher
latency
times
or
the
count
the
cluster
number
two,
which
is
Chile,
Bolivia
and
Peru.
J
They
have
really
not
to
encoding
compared
to
the
other
clusters.
The
internal
connectivity
or
external
connectivity
isn't
really
too
different,
and
it's
not
very
well
connected
to
the
region
in
that
aspect,
and
it
will
observe
cluster
0
and
number
one.
We
can
find
that
between
them.
They
have
very
good
connectivity
in
their
boundaries
are
very
evident.
In
that
sense,
we
can
also
consider
in
one
big
cluster,
but
at
the
same
time
they
have
some
some
differences.
J
Let
us
differentiate
them
so
to
the
rest
of
the
region
they
have
to
have
higher
times,
but
between
those
two,
the
between
zero
and
one.
They
have
only
157
blue
seconds
latency
in
average.
So
those
are
fairly
interesting
conclusions.
We
can
say
you
can
say
to
how
the
region
is
behaving
in
terms
of
latency
and
yeah.
This
is
a
similar,
simple
explanation
of
them
of
the
graph
and
the
I
think
I'll
explain
that
already.
J
Like
I
told
you
also
like
cluster
3a
has
very
internal
cluster
about
lighting
values,
but
outside
the
cluster.
It
isn't
very
good,
so
the
country
between
them
they
are
very
well
connected,
but
to
the
rest,
it
isn't
very
well
and,
like
I,
told
you
before,
clusters,
0
and
1.
Can
you
go
back
to
two
slides?
Yeah,
0
and
1
are
very
well
connected
between
them.
It's
not
very
clear
cluster
in
that
sense,
but
to
the
rest
of
the
countries
they
have
liar
a
higher
latency
values
and
yes,.
F
J
Back
three
XS,
so
we
followed
the
same
procedure
to
detect
bad
connectivity
or
so
to
say
we
use
the
same
value
of
round
3,
but
we
use
the
inverse
to
construct
the
same
graph,
and
so
it's
not
the
the
we
weren't
taking
actually
the
worst
results,
but
actually
it
a
comparing
the
least
good
of
them
like
that,
where
we're
always
taking
the
best
ICMP
measurements.
And
then
we
took
the
inverse
of
that
and
we
can
construct
the
graph
based
on
the
least
good
results.
J
So
web
connectivity
was
detected
in
between
Argentina
and
Chile,
which
is
surprising
in
some
sense
because
they
have
a
very
big
frontier,
very
large.
But
at
the
same
time,
if
you
think
you're,
geographically,
between
Argentina
and
Chile,
others
there's
the
end
is
in
between
and
it's
not
as
easy
to
lay
a
cable
between
the
going
through
the
and
s
which
are
very,
very
big
mountains.
Colombian
Venezuela.
They
don't
have
a
very
good
connectivity
between
them
and
Brazil
and
Peru.
Mostly
it's
because
normally
that
they're
preferring.
J
We
think
that,
like
our
key
SE
cables
are
being
preferred
to
connect
on
land
cables
and
probably
because
the
geography
of
the
region
isn't
really
that's
favorable
for
laying
cables
in
that.
That's
why
we
think
that
ocean
cables
are
being
used
and
that
results,
sometimes
in
very
long
trips,
for
things
that
could
have
been
lot
shorter
next
one
please
so
yeah
we're
coming
to
the
end.
Just
three
open
questions
we
have
after
after
doing
this
little
experiment,
it's
there
we
can.
J
We
summarize
is
anybody
have
an
idea
if
we
can
summarize
this
indexes
per
country
or
per
cluster,
so
we
can
in
one
number
we
can
compare
them
like
how
good
it
is
internally
externally
or
between
them.
Is
there
any
funny
idea
to
get
to
that
point?
Maybe
our
their
physical
connections
that
in
those
countries
are
not
really
being
fully
used
and
there's
like
infrastructure,
that's
being
misused
or
underused,
or
maybe
our
measurements
are
escaping
some
links.
J
E
M
G
J
No
not
really
up
to
now,
we've
been
concentrated
in
expanding
the
network
and
making
this
the
probes
as
functional
as
possible,
but
quality
assurance
and
measurements
is,
of
course,
is
a
an
important
task.
We
have
to
take
into
account,
but
of
course,
the
tower
running.
The
probes
is
very
diverse,
depending
on
everybody's
computers
or
Windows
installation.
How
healthy
is
the
installations
of
so
yes,.
F
I
Well,
Geronimo
from
Florida
International,
University
I
have
two
questions.
The
first
one
have
you
considered
testing
the
the
connective
the
last
mile
connectivity,
for
example,
to
understand
if
that
users,
using
a
Wi-Fi
that
could
easily
add
20,
milliseconds
or
using
wired
connectivity
and
the
second
one,
it
would
be
good
to
have
a
closer
in
US
and
other
you
monitoring,
Latin
America,
but
it
looks
like
at
least
between
Brazil,
Chile
and
Argentina.
All
of
the
traffic
intracluster
is
going
through
us
because
143
milliseconds
a
lot.
Yes.
F
J
I
The
last
mile,
for
example,
if
you
have
to
users
pinging
between
them,
each
one
of
the
each
users
connect
to
a
Wi-Fi.
You
have
easily
40
milliseconds,
just
for
the
last
mile.
Yes,
yes,
so
the
protest
is
the
connectivity
to
the
first
to
the
first
router
to
understand.
If
it's
it's
a
Wi-Fi
wireless,
we
haven't
done.
J
That
that
part,
we
are
assuming,
like
the
users,
point
of
view,
no
matter
what
what
is
between
them
and
the
server,
because
there
may
be
more
than
one
Wi-Fi
in
between
there
there's
an
undetermined
number
of
things
between
them.
So
until
now
we
haven't
done
that
part
but
yeah.
It
sounds
very
interesting
thing
to
do,
of
course,
like
to
get
that
part
of
the
of
the
charts.
N
K
J
Yes,
we
have,
you
can
communicate
with
the
speed,
checker
XYZ
and
you
can
download
your
own
profits
at
speed,
checking
software
which
users
download
and
most
of
the
time
the
software
doesn't
really
do.
Much
then
check
your
dsl
speed
and,
at
the
same
time,
the
software
is
available
to
us
as
a
probe
to
to
make
measurements
most
of
the
time
the
software
isn't
doing
anything,
but
when
it
receives
a
measurement,
I
command,
it
will
measure
very
shortly
and
we
deploy
that
way.
O
O
Back
if
you
are
running
high
part
as
probes,
you
are
getting
access
for
your
measurements
to
all
of
ripe,
Arthur's
probes.
You
are
getting
credits
and
you
can
use
it.
Do
you
provide
some
kind
of
such
service
for
users
that
are
running
your
software,
so
if
I'm
tomorrow,
I
will
run
your
software,
will
I
be
able
to
create
measurements
not
only
with
my
computer,
but
also
with
other
probes
that
are
connected
to
your
national?
Yes,
right.
J
Now
we're
not
offering
that
kind
of
exchange,
but
will
be.
It
would
be
very
interesting
if
people
are
interested
in
measuring
themselves.
We
are
open,
of
course,
for
research
to
use
our
platform
for
free
and
in
that
sense,
but
like
the
users
of
the
present
selves,
don't
have
a
direct
exchange
of
credits
like
like
you
described
mostly
you
can
you
can
you
can
make
an
account
with
us
for
free
and
use
the
to
a
certain
point,
the
measurement
system,
but
such
a
system?
As
you
say,
we
haven't
implemented
that
it's
hard.
O
O
J
We
have
every
probe
has
very
different
measurement
methods.
We
can
make
page
load
measurements
like
we're,
using
a
real
instance
of
Explorer
or
Chrome,
the
the
probe
response,
an
instance
loads,
the
page,
and
it
kills
itself
then
and
yeah.
We
can
download
single
objects
or
thing
and
in
there
are
customizable
innocence
that
they
are
available
either
as
a
ready
product
we
have
like,
with
a
GUI
or
as
I
as
an
API,
that
one
day
one
they
used
in
this
in
latnok
to
make
this
measurement,
which
they
as
an
API.
J
O
P
I'm,
where
to
I,
saw
Katie
FL,
so
I
don't
know
if
you
are
aware,
but
in
Brazil
dig
deep
what
the
art
is
having
a
project
to
perform
measurements,
the
project
is
called
cnet
dar,
so
the
idea
is
basically
do
essentially
the
same,
but
using
the
end
user
to
start
application
and
perform
measurements
from
the
desktop
from
the
pie
or
whatever.
So
maybe
a
as
a
suggestion.
Maybe
would
be
nice
you
to
get
this.
P
This
data
I
think
it's
open
to
the
public
is
much
better
to
use
this
data
then
use
the
right
probes,
and
another
comment
is
that
some
answer
to
their
questions
input
did
think.
There's
there
are
some
operators
in
Latin,
America
I,
remember
from
inter
Nexus
they
have
direct
connection
from
Brazil
to
Colombia
and
I.
Remember
another
one
that
which
has
connection
from
San
Paulo
to
Santiago
passing
through
Argentina.
So
maybe
it
wasn't
included
to
your
study.
So
you
could
consider
this
working.
Q
Javani
am
the
next
speaker
actually
work
for
SI
the
end,
so
you
did
your
measurements
using
ICMP
right,
very
good.
Yes,
there's
a
lot
of
criticism
in
regards
to
i7
b,
because
it's
heavily
shaped,
sometimes
it's
the
lower
key
last.
Yes,
you
know
this
criticism
problem
so
have
you
considered
using
other
protocols
instead
and
compare
the
results
like.
J
Personally
and
internally
at
the
company,
not
this
is
a
study
done
by
lack
Nick
and
we're
presenting
this
as
a
cooperation
they
had
their
own.
They
made
an
over
their
own
decision
of
using
ICMP,
but
normally
we
use
time
to
first
byte
using
HTTP
directly
because
it's
the
protocol
we're
using
so
normally
with
we
measure
either
I
won
by
its
file
downloading
it
just
like
that
or
just
we
measure
the
time
it
take
to
download
the
first
I'd
and
that's
mostly
equivalent
to
a
cmp
but
using
the
HTTP
stack.
Yes,
thank
you.
A.
D
Last
one
please
pet
line:
it
Huawei
I
work
with
ripe,
NCC
and
working
on
the
iPad
last
project.
So
it's
good
the
work
that
you
did,
but
if
you
guys,
you
know
in
Latin,
America
are
interested
in
more
probes,
I'm
sure
they're
willing
to
send
more
pro.
You
know
if
you
need
contacts,
I'm
sure
you
have
contacts,
but
if
you
do
need
more
context,
please
feel
free
to
check
with
me.
Please.
E
E
Also
I
I
do
agree
that
a
ripe,
ripe
Atlas
also
have
a
worldwide
coverage,
but
it's
nice
to
always
have
at
diversity
to
measurement
infrastructure
even
more
when
it
goes
to
developing
regions
or
poorer
regions
of
the
country
of
the
world
where
it's
difficult
to
get
the
right
ship
to
ship.
At
you,
I'd
like
just
to
complete
the
question
session
with
one
question:
is
your
measurement
running
over
time
or
you
do
it
once
and
stop
or
is
it
running
for,
for
example,
I
year
already?
It.
J
E
Like
suggest,
perhaps
for
a
talk
for
an
NMR
G
next
year,
if
you
can
see
the
impacts
of
social
and
political
decisions
that
are
going
on,
South
America
I'm
from
South
America,
so
I
know
that
there
are
these
problems
going
on
there.
Quite
often,
if
you
can
see
from
your
measurement
framework
the
impacts
that
it
have
on
it
has
on
the
connectivity
of
people,
it's
always
nice.
E
E
Q
Yeah,
so
I
figure
can
start
just
give
you
some
context.
So
the
working
on
represent
here
is
not
say,
letter
purely
academic.
This
is
a
paper.
We
publish
up
the
AP
WG
e
cron
conference
on
the
industrial
track.
So
it's
a
bit
mixed
is
like
more
hands-on
practical
than
research
questions.
So
this
is
a
paper
collaborate
with
you
to
the
team
they're
inside
yen.
Q
We
have
a
big
data
platform
for
jeunesse
traffic,
and
this
paper
shows
a
couple
of
applications
that
it
what
things
you
can
do
quickly,
but
that
should
go
next.
One,
okay,
give
you
some
context
here.
What
do
you
do
if
you
I
think
how
many?
How
many
people
here?
Actually
they
have
a
big
data
problem
like
volume
of
data?
That's,
like
you
have
shown
Eliza's
fangs.
Q
Can
you
raise
our
hands
with
those
big
data
analysis
here
and
big
data
is
very
vague
but
yeah
there
we
go
alright,
so
I
mean
if
you
have
a
terabytes
of
data
and
specially
pcap
files
have
generalizes
thing.
You
know
how
but
a
nightmare
is
or
the
costs
are
going
to
have
to
do
that.
You
need
to
do
that
inefficient.
Q
In
a
cheap
way,
so
the
engineers
are
going
to
company
that
I
work,
for
they
start
to
use
and
stuff
from
other
disciplines
like
the
data
engineering
people
to
optimize
that
then
bring
that
to
that
next
working
community
and
they
call
this
in
product.
This
is
a
product.
That's
build
on
open
source
code,
I'm
going
to
give
the
details
later
one
and
what
it
does.
On
top
of
that
it
is
designed
to
ingest
DNS
traffic.
Q
We
work
for
a
company
that
does
dining
out
the
top
level
domain,
the
netherlands,
so
we
collect
of
the
authoritative
traffic
and
a
store
in
our
cluster
for
analysis
for
research
purposes.
So
a
couple
things
you
can
do
you
can
put
on
a
single
table.
If
you
have
this
terabytes
of
data
set
since
things
you
don't
scare,
so
you
need
something
that
will
I
scales
and
once
you
need
more
hardware,
just
two
more
hari
on
that
and
fro
more
hard.
When
you
know
you
keep
the
speed.
Q
So
that's
next
lifeless,
and
so
that's
pretty
much.
What
they've
done
that,
since
we
need,
is
a
response
type
interactive
times
they
build
his
own
thing,
x1,
please!
So
entrada
is
basically
an
optimized
for
matta
in
a
platform
for
performing
data
analysis
on
track.
Internet
trafficking
out
roland
also
uses
some
of
the
detector,
but
not
and
try
to
buy
like
Hadoop
and
Impala
and
the
same
file
on
his
project.
There
too.
Q
But
if
you
have
stuff
like
that,
it's
going
to
be
real,
quick,
like
a
question
of
minutes,
yeah
or
seconds
and
yeah,
that's
like
with
so
in
try
to
buy
us
down
to
get
a
DP
caps.
Converting
that
thing
to
an
optimized
for
map
which
is
park.
A
park
is
implemented
by
apache
foundation,
which
is
based
on
google's
a
dremel
file
system
and
which
is
optimized
callenders
file
format.
Q
In
short,
if
you
need
to
like
do
a
radio
Mir
file,
if
you
want
to
just
figure
it
out
what
the
packet
size
for
all
your
files
for
our
your
packet
to
this
internet
work,
you
don't
actually
to
read
the
entire
file.
You
just
need
to
read
the
entire
column
they're
interested
in.
So
it
saves
a
lot
of
time
and
you,
the
beauty
of
this
Fang.
It
can
query
that
thing
with
Impala
and
Impala.
Q
It's
a
call
data
product
open
source
as
well,
which
allows
you
to
send
sick
of
co2
analyzer,
pique
pique
pique
pique
rivlin
files.
So
it's
very
easy
for
anyone
who
want
to
do
a
data
analysis
fast
as
well,
yeah
next
one
please
and
the
thing
that
they
did
in
the
confidence
just
like
rapid
all
those
things
together
and
this
in
implemented
a
data
model
to
incorporate
DNS
traffic
and
to
a
constant
in
chaste
as
faim.
Q
That's
what
Colorado
and
you
use
this
thing
now
for
over
two
years
now
have
liked
videos
of
cures
there
21
terabytes
of
data
and
it's
already
converted
and
it
captured
a
date.
They
get
it
from
our
miam
service.
That's
it!
Next
one,
please
do
get
a
paper
published
chef
noms,
which
is
from
this
measurement
community
as
well
conference.
We
just
talked
about
more
the
details
of
this.
Q
So
we
have
a
page,
the
first
one,
there
I,
don't
think
I
hands
vital
evident
if
you
check
it
out
the
webpage
where
everyone
starts
at
the
side,
the
N
labs
that
are
now
we
update
every
day
this
page,
using
this
glossary
entrada
with
our
statistics
over
done
an
hour
traffic,
so
the
number
of
countries
or
tunnel
systems
there's
a
bunch
of
stuff
there.
If
you're
interested
just
check
it
out,
sell
public
I
will
also
have
some
stuff
from
malicious
domains
and
I'm
going
to
cover
this.
This
one's
in
bold
here
next
one
place.
Q
So
one
of
the
things
we
need
to
do
in
a
company
in
the
labs
is
to
use
this
data.
We
collect
to
improve
both
security
and
performance
and
stability
of
the
you
know
the
service
that
we
maintained,
that
in
El,
authoritative
service
and
there's
a
paper
from
Nick,
Finster
name
c2011.
If
I'm
not
mistaken,
they
figured
out
that
domains
that
they're
using
for
fishing,
typically
on
the
very
first
days
or
hours
after
registrations,
they
have
a
peek
on
the
number
of
queries
that
they
get
and
you'll
deserve
the
same
for
that
now.
Q
So,
for
example,
the
red
the
figure
on
the
right
over
there.
It
has
an
average
number
of
150,
curious
or
200.
These
are
domains
that
were
provided
by
netcraft
that
were
found
in
fishing
on
a
dianella
zone.
So
we
look
at
today
our
authoritative
servers
and
you
see
hey
how
many
queries
we'd
seen
for
those
particular
domains
after
the
registration-
and
you
see
there
is
a
pic
and
after
10
days
it
really
dies
down
while
the
normal,
regular
domains.
Q
You
have
an
average
of
five
queries
a
day
on
the
first
day
is
a
tree
or
whatever
so
there's
a
clear,
distinct
pattern:
Nick
feemster
found
stuff
and
publish
whatever
we
kind
of
went
a
step
further.
When
you
run
a
different
algorithm
to
classify
that
k-means
on
top
of
that
and
had
a
paper
and
on
this
particular
thing
so
next
slide
please,
and
what
do
you
do
again
every
day,
all
the
domains
that
were
added
to
our
data
nodes
on
they
were
registered?
Q
We'll
look
for
a
couple
features
the
number
of
queries,
the
number
of
countries
resolvers
that
are
creating
that
thing.
In
the
first
day,
we
run
k-means
on
top
of
that
and
classify
to
to
cluster
suspicious
and
normal
normal,
and
once
you
get
a
suspicious
one,
we
notify
our
registrar's
and
red
stars.
Are
the
confidence
actually
do
the
registration
for
us?
Q
It's
a
pilot's
is
in
a
pilot
stage
right
now,
there's
a
couple
false
positives,
of
course,
because
you're
trying
to
identify
fishing
only
from
the
query
pattern
of
the
domains
as
like
it's
because
the
Fisher's,
usually
they
rely
upon
spam
to
notify
their
domains
in
the
first
days
so
usually
have
a
huge
number
of
queries.
But
any
political
motivated
website
also
get
this
thing.
So
we
are
working
to
improve
this,
but
it's
it's
working
on
a
kind
of
status,
a
prototype
phase.
Q
That
is
the
whole
thing.
We
notify
what
we
call
it
sedition
in
each
initiative,
which
is
called
abuse
information
exchange.
So
it's
the
place
in
the
federal
level
that
collects
information
about
abuse,
it's
run
by
the
government
and
it
shares
back
with
the
people
responsible
for
those
IP
addresses
for
those
autonomous
systems.
So
they
can
clean
up
the
network's
next
one,
please
just
worship
to
start
cases,
and
this
is
the
number
to
see
the
time
series
and
the
counters
that
was
bought.
Q
This
is
thoughts
were
observed
in
the
sent
information
regards
timestamp,
so
they
can
take
a
look
on
that
a
very
mind
that
the
way
the
DNS
works
once
we
see
a
query
on
the
Oratory
ticket
service
might
not
be
the
actual
client
might
be
the
resolver
of
the
client
on
the
ISP
network.
So
they
would
have
to
do
a
little
more
investigation
on
that
next,
one!
Please
and
they're
there,
this
two-hour
season
that
standardized
different
things
policy
and
pre-made
security.
Q
This
try
to
improve
inmate
security
in
a
way
to
define
who
can
send
email
for
a
particular
domain.
And
what
is
the
policy?
Was
you
get
mail
from
a
different
IP
address
for
the
domain?
You
can
actually
measure
their
that
the
adoption
of
that
using
simply
SQL
queries
in
our
platform,
because
we
get
a
traffic
so
you're,
just
one
sicko
run
over
the
days,
and
you
see
like
how
this
thing
is
growing
a
next
one
please.
Q
So
we
have
a
couple
results
here
and
it
as
a
percentage
like
there's
a
lot
of
percentage
of
adoption
in
us
and
of
course
this
is,
the
cloud
providers
means
chimayo.
Most
of
people
use
gmail,
so
yeah
in
a
cloud
providers.
That's
why
you
see
this
is
fixing
right
have
cloud.
We
have
the
Spanx
once
the
adult,
that's
it
next
one
please
do,
or
it
is
our
tunnel
systems
where
they're
located
all
these
things.
It
can
be
easily
be
done
as
well.
Q
Next,
one
yeah
so
I
think
they
did
you
showcase
a
cup
of
case
studies,
which
you
can
do
so.
If
you
have
a
big
data
problem,
you
should
consider
yourself
to
use
the
tools
that
have
been
developed
at
the
data
engineering
community
chop,
two
mice
queries-
and
this
is
one
case
only
that
uses
Impala
and
uses
parquet
I'll,
open
source
and
rapid
apps
together
to
constantly
jazz
DNS
traffic
in
open
source.
We
open
starts
the
whole
thing.
The
finger
would
develop.
It's
all
on
the
website.
Q
E
Q
Q
So
there's
there's
a:
we
have
a
privacy
policy
that
defines
what
you
can
share,
what
it
cannot
and
how
we
can
use
the
data.
We
provide
aggregated
data
on
our
stats
web
page,
but
provided
to
research,
a
fix
that,
by
that
its
case
by
case
we
haven't
done
that
yet
because
it's
pretty
strict,
no,
they
might
be
classified
a
personal
ended
file
of
data.
So
its
case
by
kid
I
think,
if
you
have
an
idea,
just
contact
us,
a
nice,
you
can
do
and.
E
On
your
malicious
domain
research,
you
said
that
you
would
you
take
only
the
new
domains
registered
per
day
and
then
you
classify
them
as
malicious
or
not.
Do
you
have
any
idea,
or
can
you
close
an
idea
of
the
relation,
the
ratio
between
register
domains
per
day
and
how
many
actually
are
malicious
up.
Q
So
I
think
it
depends
a
lot
on
the
day
and
per
day
usually
see
like
1015
domains
on
average
and
there's
a
bunch
of
false
some
false
positives
to
and
I
think
also
depends,
will
definition
of
malicious
than
50
malicious
suspicious
that
suspicious-
and
let's
say
I
don't
know-
depends
on
the
day
how
many
going
to
be
malicious
but
there's
a
different
definition.
Definition
of
malicious.
Q
This
thing
detects
based
on
the
volume
of
a
curious,
so
spam
phishing
is
one
case,
but
there
are
cases
that
they
create,
like
you,
know,
websites
and
sell,
and
counterfeit
products
like
shoes
or
pharmaceutical
drugs.
So
it's
as
malicious.
This
is
illegal.
It's
kind
of
gray
area
so
does
all
of
those
things
too.
So
it's
yeah.
E
F
L
Q
I
mean
we
can
see
some
stuff.
I
mean
we
seen
a
cup
of
politically
motivated
websites
after
some
terrorist
attacks
that
he
came
up
and
they
kind
of
spread
like
fire
on
twitter
and,
of
course,
to
see
this
thing's
next
day
in
aqueous
patterns
as
well,
because
they
go
insane
so
they
can.
A
domain
is
very
popular
on
the
first
day,
Kim
can
be
for
different
reasons.
Q
E
E
B
Yeah,
thank
you
for
having
attended
energy
workshop
as
usual.
We
would
like
to
ask
your
opinion
on
on
on
on
the
event
right
and
also
on
future
events.
For
example,
we
originally
started
several
years
ago
that
this
kind
of
meeting
was
strictly
on
a
flow
based
measurement
form,
network
management
and
based
on
the
feedback
of
the
audience.
B
We
have
extended
that
from
first
full
flow
based
net
flow
based
measurement
to
flow
based
measurement,
and
this
year
we
have
extended
tool
to
any
kind
of
measurement
based
network
management,
so
feel
free
to
give
us
your
feedback,
whether
you
like
this
direction,
whether
you
want
to
have
other
other
topics
in
the
next.
Probably
next
year's
instance
of
direction,
George
now
or
send
us
an
email
or
joins
imaginating.
This
fight
right,
which
is
of
course
appreciated.
R
B
R
R
Maybe
some
interactions
which
there
is
this
map
research
group
that
has
been
recently
created,
they're
also
looking
at
measurement
from
a
quite
different
perspective,
but
I
think
there
is
also
a
community
they're
also
going
to
the
scientific
conferences.
So
maybe
the
two
activities
can
also
be
a
bit
more
of
interactions
that
can
be
a
topic
for
another,
either
an
emoji
or
ma
perché
joint
session,
and
so
what
ramming
mentioned
there
is
a
second
energy
joint
meeting
with
NF
v
RG
and
energy
energy
on
friday
morning.
So
it's
the
first
morning
session.
R
The
topic
is
on
the
managing
virtualized
and
programmer
network.
So
we
will
have
different
kind
of
talks
that
are
more
oriented
towards
what
are
the
challenges
of
managing
the
new
type
of
environments
with
an
avian
sdn,
but
also
all
these
virtualization
and
programmable
techniques
can
change
a
bit
the
way
we
manage
networks.
So
please
join
this
most
interesting
session.
Google
app.
Q
Yeah,
just
a
feedback,
but
aloha
already
talked
a
little
about
that.
Like
the
map,
RG
group
is
not
really
chartered
yet
so
not
sure.
What's
gonna
happen
in
there,
but
just
to
make
sure
that's
no
more
refuses
to
go
should
have
overlap
or
how
are
you
gonna
handle
if
they
go
chartered
and
they
also
had
started
a
workshop
that
took
place
in
Saturday,
so
just
to
be
aware
that
you
know
not
sure
all
I
know
them.
R
We
try
to
have
some
discussion
with
the
chairs
of
Mukherjee,
first
to
I-95
the
deliverer
of
overlap
and
what
could
be
the
areas
of
collaboration
interactions.
So
since,
as
you
mentioned,
it's
still
developing
Mukherjee,
some
kyria
or
two
things
can
interact.
But
as
you
mentioned,
we
have
seen
that
there
there
were
also
part
of
the
workshops.
They
have
been
some
they're
already
at
some
meeting,
so
we
see
that
things
may
grow
there,
so
it
would
be
nice
to
at
least
discuss
all
together.