> By Antoine Mazières, Clémence Magnien and Fabien Tarissan
The dataset used in this experiment is built on an ego-centeric view of the network from one of our monitors, built with a dedicated tool (tracetree). Each of our monitors usually work with a set of 3000 destinations that it will try to reach every 15 minutes (rounds), registering every IP address on the routes from the monitor to the destinations.
Every round may observe different IP address sets: some of the IP addresses may be observed at each round while others may be seen only once for instance. To study this, the plot presented in this video is the distribution of the number of distinct rounds in which each IP address was observed (also presented in this plot).
A point with coordinates (x,y) means that: y IP addresses are seen in x distinct rounds. This plot corresponds to 500 rounds (approximately 5 days) and our measurement window slides one round at a time (i.e. the first frame corresponds to rounds 0 to 500, the second to rounds 1 to 501, the third 2 to 502…, and so on until rounds 100 to 600).
The 600 measurement rounds are represented by the green horizontal line, and the measurement window is represented by the two vertical red lines, sliding upon all the observed data.
Before 0:13, we observe 1) a great number of IP addresses are seen at a very small number of rounds (volatile IP addresses), 2) a great number of IP addresses are seen at almost all rounds (stable IP addresses), and 3) very few IP addresses are seen between those two areas. Those are the common characteristics observed in radar dynamics.
From 0:13, an event occurs, represented by the blue highlighted horizontal line, which lasts approximately 35 rounds. On both extremities of the x-axis, we can see two symmetric peaks appearing in the plots. This probably results from a set of IP addresses that were not observed before and replace some addresses that were observed in all rounds.
While the measurement window slides on the event, the peaks move one round at a time to the expected number or rounds (on the left (0+35), on the right (500-35)) and stop moving horizontally when the measurement window fully contains the event.