Your search keyword '"Deep packet inspection"' showing total 1,366 results

401. Fast Packet Inspection for End-To-End Encryption

Author

So-Yeon Kim, Sun-Woo Yun, Eun-Young Lee, So-Hyeon Bae, and Il-Gu Lee

Subjects

end-to-end encryption (E2EE), Computer Networks and Communications, Computer science, 0211 other engineering and technologies, lcsh:TK7800-8360, security, 02 engineering and technology, computer.software_genre, Encryption, malware detection, End-to-end encryption, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, 021103 operations research, Network packet, business.industry, lcsh:Electronics, packet inspection, 020206 networking & telecommunications, Eavesdropping, Deep packet inspection, Information security, confidentiality, Hardware and Architecture, Control and Systems Engineering, Signal Processing, integrity, Malware, The Internet, business, computer, Computer network

Abstract

With the recent development and popularization of various network technologies, communicating with people at any time, and from any location, using high-speed internet, has become easily accessible. At the same time, eavesdropping, data interception, personal data leakage, and distribution of malware during the information transfer process have become easier than ever. Recently, to respond to such threats, end-to-end encryption (E2EE) technology has been widely implemented in commercial network services as a popular information security system. However, with the use of E2EE technology, it is difficult to check whether an encrypted packet is malicious in an information security system. A number of studies have been previously conducted on deep packet inspection (DPI) through trustable information security systems. However, the E2EE is not maintained when conducting a DPI, which requires a long inspection time. Thus, in this study, a fast packet inspection (FPI) and its frame structure for quickly detecting known malware patterns while maintaining E2EE are proposed. Based on the simulation results, the proposed FPI allows for inspecting packets approximately 14.4 and 5.3 times faster, respectively, when the inspection coverage is 20% and 100%, as compared with a DPI method under a simulation environment in which the payload length is set to 640 bytes.

Published

2020

402. DSCA

Author

Morteza Noferesti, Rasool Jalili, and Ziaeddin Nazari

Subjects

Ground truth, business.industry, Computer science, 020206 networking & telecommunications, Deep packet inspection, Feature selection, 02 engineering and technology, Encryption, computer.software_genre, Execution time, Random forest, Statistical classification, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Data mining, business, Classifier (UML), computer

Abstract

Adaptive application detection in today's high-bandwidth networks is resource consuming and inaccurate due to the high volume, velocity, and variety characteristics of the networks traffic. To generate a robust classifier for identifying applications over encrypted traffic, we proposed DSCA as a DPI-based Stream Classification Algorithm. DSCA utilizes applications detected by the DPI, Deep Packet Inspection technique, as ground truth data and updates the classification model accordingly. To reduce the classification algorithms overhead without accuracy reduction, a feature selection method, named CfsSubsetEval, is deployed in DSCA. The proposed approach is implemented via the MOA tool and the performance is evaluated through UNB ISCX VPN-nonVPN and UNB ISCX Tor-nonTor datasets. 10 different stream and traditional classification algorithms are integrated with DSCA. The simulation results represent DSCA with Adaptive Random Forest stream classification algorithm has the best performance over UNB ISCX VPN-nonVPN which processed the dataset in 8.63 seconds with 96.75% accuracy. About UNB ISCX Tor-nonTor dataset, DSCA and Knn with PAW classification algorithm have the best performance (86.92% accuracy and 12.05 seconds execution time).

Published

2019

403. An Approach for Detecting Spear Phishing Using Deep Packet Inspection and Deep Flow Inspection

Author

A. Senthilrajan and Argha Ghosh

Subjects

Password, Advanced persistent threat, Computer science, business.industry, InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS, Social engineering (security), Deep packet inspection, Hyperlink, Computer security, computer.software_genre, Credential, Phishing, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, ComputingMilieux_COMPUTERSANDSOCIETY, The Internet, business, computer

Abstract

In the era of Internet Banking, most of the people may hear the term called “Phishing”, it is related to fraudulent over the Internet as well as Social Engineering. It is commonly done by sending an e-mail to target user with an embedded hyperlink to steal their user-name, password, transaction password, etc. Moreover, Phishers used to gain the access in personal credentials of targeted user for stealing cash from user’s bank account. Phishing can be done by using several other ways like sending text messages (called “Smishing” for SMS-Phishing), or via Phone Calls (often called “Vishing” for Voice-Phishing) or sometimes via social-media itself including sending an e-mail to user or organization. Phishing has several types in terms of the used medium as well as in terms of victim. Spear Phishing is a prevalent method of phishing and comes under the Advanced Persistent Threat (APT) category. The term “Spear Phishing” mainly defines that stealing the credential of a specific user or a specific company at a time by sending e-mail. This paper deals with Spear Phishing Emails that mainly organizations, companies and most of the time common people used to get by Phishers. This paper proposes an approach to detect the Spear Phishing e-mails with the help of Deep Packet Inspection and Deep Flow Inspection using Packet Filtering and Network Traffic Identification technique.

Published

2019

404. Generation of Network Traffic Using WGAN-GP and a DFT Filter for Resolving Data Imbalance

Author

Bong-Nam Noh, Kimoon Jeong, Yeonsu Kim, and Woo Ho Lee

Subjects

business.industry, Computer science, Deep learning, Deep packet inspection, Filter (signal processing), Intrusion detection system, Data imbalance, computer.software_genre, Class (biology), Traffic classification, The Internet, Artificial intelligence, Data mining, business, computer

Abstract

The intrinsic features of Internet networks lead to imbalanced class distributions when datasets are conformed, phenomena called Class Imbalance and that is attaching an increasing attention in many research fields. In spite of performance losses due to Class Imbalance, this issue has not been thoroughly studied in Network Traffic Classification and some previous works are limited to few solutions and/or assumed misleading methodological approaches. In this study, we propose a method for generating network attack traffic to address data imbalance problems in training datasets. For this purpose, traffic data was analyzed based on deep packet inspection and features were extracted based on common traffic characteristics. Similar malicious traffic was generated for classes with low data counts using Wasserstein generative adversarial networks (WGAN) with a gradient penalty algorithm. The experiment demonstrated that the accuracy of each dataset was improved by approximately 5% and the false detection rate was reduced by approximately 8%. This study has demonstrated that enhanced learning and classification can be achieved by solving the problem of degraded performance caused by data imbalance in datasets used in deep learning based intrusion detection systems.

Published

2019

405. A parser for deep packet inspection of IEC-104: A practical solution for industrial applications

Author

Justyna Joanna Chromik, Gerard Geist, Boudewijn R. Haverkort, and Anne Remke

Subjects

021110 strategic, defence & security studies, Parsing, Computer science, Network packet, Real-time computing, Zeek, 0211 other engineering and technologies, Deep packet inspection, Throughput, 02 engineering and technology, parser, IDS, computer.software_genre, Extensibility, Field (computer science), SCADA, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, IEC-104, Monitoring tool, computer

Abstract

We present a practical solution for deep packet inspection for IEC-104 SCADA traffic, which can be used in monitoring approaches to ensure the dependable operation of critical systems. We re-implement an outdated parser and extend it to also parse the content of individual IEC-104 packets and to extract information relevant for monitoring and securing the physical processes being controlled. The deep packet inspection framework Spicy was used for the implementation, which allows for easy extensibility in the future. To illustrate the feasibility of the proposed solution, the throughput obtained when using the parser in combination with the monitoring tool Zeek has been evaluated for traces of different lengths. The traces have been captured in an operating electrical distribution field station with a single RTU.

Published

2019

406. FLIP:FLexible IoT Path Programming Framework for Large-scale IoT

Author

Eun-Sung Jung and Shahzad Shahzad

Subjects

Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, Network complexity, Computer science, business.industry, Smart objects, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, computer.software_genre, User requirements document, Computer Science - Networking and Internet Architecture, Software framework, Computer Science - Distributed, Parallel, and Cluster Computing, Computer architecture, Datapath, 0202 electrical engineering, electronic engineering, information engineering, The Internet, Distributed, Parallel, and Cluster Computing (cs.DC), business, Software-defined networking, computer

Abstract

With the rapid increase in smart objects forming IoT fabric, it is inevitable to see billions of devices connected together, forming large-scale IoT networks. This expeditious increase in IoT devices is giving rise to increased user requirements and network complexity. Collecting big data from these IoT devices with optimal network utilization and simplicity is becoming more and more challenging. This paper proposes FLIP- FLexible IoT Path Programming Framework for Large-scale IoT. The distinctive feature of FLIP is that it focuses on the IoT fabric from the perspective of user requirements and uses SDN techniques along with DPI technology to efficiently fulfill the user requirements and establish datapath in the network in an automated and distributed manner. FLIP utilizes SDN structure to optimize network utilization through in-network computing and automated datapath establishment, also hiding network complexity along the way. We evaluated our framework through experiments, and results indicate that FLIP has the potential to fulfill user requirements in an automated fashion and optimize network utilization., Comment: 10 pages, 8 Figures, conference

Published

2019

407. Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Author

Sushma Kalle, Hyunguk Yoo, Irfan Ahmed, and Jared M. Smith

Subjects

business.industry, Computer science, Network packet, Programmable logic controller, 020207 software engineering, Deep packet inspection, 02 engineering and technology, Industrial control system, SCADA, Embedded system, Shadow memory, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, State (computer science), business, Control logic

Abstract

Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as nuclear plants, power grids, and gas pipelines. Control logic attacks have been studied extensively in the literature, including hiding the transfer of a control logic over the network from both packet header-based signatures, and deep packet inspection. For instance, these attacks transfer a control logic code as data, into small fragments (one-byte per packet), that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of a control logic code, such as number of rungs, number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control logic injection attacks on two PLCs, Modicon M221 and MicroLogix 1400 from two ICS vendors, Schneider electric and Allen-Bradley, respectively. The evaluation results show that Shade can detect an attack instance (i.e., identifying at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.

Published

2019

408. A Fresh Look at Combining Logs and Network Data to Detect Anomalous Activity

Author

Qi Shi, Matthew Banton, Nathan Shone, and William Hurst

Subjects

Network packet, Computer science, business.industry, Deep learning, intrusion detection, Real-time computing, log input, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Intrusion detection system, 010501 environmental sciences, 01 natural sciences, SDN, Data point, Deep Learning, Data quality, 0202 electrical engineering, electronic engineering, information engineering, Artificial intelligence, business, Software-defined networking, 0105 earth and related environmental sciences, Abstraction (linguistics), DNN

Abstract

As data rates have increased, network administrators have increasingly turned to Software Defined Networking (SDN) to increase efficiency, as well as to react quicker to changing network states. However, as SDN flows become the norm to manage network traffic, Network Intrusion Detection Systems (NIDS) still rely on processing packet data directly using techniques such as Deep Packet Inspection (DPI). SDN flows provide only a high level representation of the packets traversing the network, reducing the amount of data available to NIDS. In particular Deep Learning based NIDS may be affected. Deep Learning has been proposed as a solution to 0-day attacks, but these models typically require large volumes of training data with many data points. This paper proposes a solution to this dilemma, by providing more data points for an IDS to monitor through the abstraction of log data generated by the flows. Past papers have shown that the quality of training data can have a marked effect on performance of Deep Learning models. This paper builds on these works by showing that high quality data points can be added in a computationally inexpensive manner, and through adding these data points, accuracy on a real world dataset can be increased by upwards of 10

Published

2019

409. Novel Traffic Classification Mechanism in Software Defined Networks with Experimental Analysis

Author

Syed M. Raza, Hyunseung Choo, Van Vi Vo, and Youngkyoung Kim

Subjects

Emulation, Computer science, business.industry, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Load balancing (computing), Network management, Traffic classification, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, business, Software-defined networking, 5G, Computer network

Abstract

Recently, the usage of Internet through mobile devices has surpassed the access through wired network. It makes extremely difficult for the network operators to manage their network in resource efficient manner. Software Defined Networking (SDN), a key 5G enabling technology, makes network management easier for the network operators through logically centralized control plane. One of the benefits of SDN is specific treatment for different network traffic type, however it requires an efficient traffic classification solution. Comprehensive research has been done on deep packet inspection or machine learning based traffic classification methods which are unsuitable for delay intolerant networks due much overhead. This paper proposes a simple traffic classification mechanism using different IP addresses which are assigned to Mobile Node (MN). Different applications in MN uses one of the assigned IP addresses based on the type of network traffic they generate. Centralized SDN controller uses these IP addresses to classify the network traffic. This method is useful for various network functions such as load balancing, security and mobility. In this paper we take mobility as a use case and through emulation results establish that traffic classification significantly improves MN mobility performance.

Published

2019

410. High-Speed Pattern Matching Algorithm with CPU/GPU Cooperation for Network Intrusion Detection Systems

Author

Guan-Zhang Chen, Kai-Ping Lu, and Chun-Liang Lee

Subjects

Matching (graph theory), Network packet, Network security, business.industry, Computer science, Filter (video), ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Payload (computing), Real-time computing, Deep packet inspection, Pattern matching, String searching algorithm, business

Abstract

Network intrusion detection systems (NIDSs) have been widely deployed in the Internet to protect Internet-enabled devices from malicious attacks by performing deep packet inspection (DPI). Pattern matching plays an important role in DPI, and consumes a significant portion of system execution time for NIDSs. In this paper, we propose a high-speed pattern matching algorithm with CPU/GPU cooperation. Incoming packets are first inspected by CPU to quickly filter out suspicious packets that may contain malicious patterns. Then GPU, which has superior parallel computing power, takes over to determine if a suspicious packet does contain malicious patterns. In addition, in our proposed algorithm, GPU does not have to inspect the entire payload of a packet, but instead can bypass the partial packet payload that has been inspected by CPU. Through the cooperation between CPU and GPU, our proposed algorithm can achieve higher pattern mating speeds than other algorithms. Simulation results show that even in the case that all packets contain malicious patterns, our proposed algorithm can achieve a matching speed of 15 Gbps.

Published

2019

411. A Policy-based Framework for Privacy-respecting Deep Packet Inspection in TLS Implementations

Author

Renjan, Arya

Subjects

Deep Packet Inspection, Perfect Forward Secrecy

Abstract

Deep Packet Inspection (DPI) is instrumental in investigating the presence of malicious activity in network traffic, and most existing DPI tools work on unencrypted payloads. As the internet is moving towards fully encrypted data-transfer, there is a critical requirement for privacy-aware techniques to efficiently decrypt network payloads. With the introduction of TLS 1.3 standard that only supports protocols with Perfect Forward Secrecy (PFS), many existing techniques for decryption to do further DPI analysis will become ineffective. We have developed an ABAC (Attribute Based Access Control) framework that efficiently supports existing DPI tools while respecting user's privacy requirements and organizational policies. It gives the user the ability to accept or decline access decision based on his privileges. Our solution evaluates various observed and derived meta-characteristics of network connections against user access privileges using policies described with semantic technologies. Network meta-characteristics like IP intelligence is one of the many attributes that can be used in defining access control policies. We also present Dynamic Attribute based Reputation (DAbR), a Euclidean distance based technique, to generate reputation scores for IP addresses by assimilating meta-data from known bad IP addresses. This approach is based on our observation that many bad IP's share similar attributes and the requirement for a lightweight technique for reputation scoring. DAbR generates reputation scores for IP addresses on a 0-10 scale which represents its trustworthiness based on known bad IP address attributes. To evaluate DAbR, we calculated reputation scores on a dataset of 87k IP addresses and used them to classify IP addresses as good/bad based on a threshold. An F-1 score of 78% in this classification task demonstrates our technique's performance. The reputation scores when used in conjunction with the policy enforcement module, can provide high performance and non privacy-invasive malicious traffic filtering. In this thesis, we also describe our framework and demonstrate the efficacy of our technique with the help of use-case scenarios to identify network connections that are candidates for Deep Packet Inspection. Since our overall ABAC technique makes selective identification of connections based on policies, both processing and memory load at the gateway will be reduced significantly.

Published

2019

412. Detecting cryptocurrency miners with NetFlow/IPFIX network measurements

Author

José Suárez-Varela, Pere Barlet-Ros, Jordi Zayuelas i Munoz, Universitat Politècnica de Catalunya. Doctorat en Arquitectura de Computadors, Universitat Politècnica de Catalunya. Departament d'Arquitectura de Computadors, and Universitat Politècnica de Catalunya. CBA - Sistemes de Comunicacions i Arquitectures de Banda Ampla

Subjects

Cryptocurrency, Cryptocurrencies, Ordinadors, Xarxes d' -- Mesures de seguretat, business.industry, Network packet, Computer science, Information processing, Deep packet inspection, Telecommunication -- Traffic, NetFlow measurements, Permission, Cryptojacking detection, Informàtica::Seguretat informàtica [Àrees temàtiques de la UPC], Computer networks -- Security measures, Server, NetFlow, Machine learning, Telecomunicació -- Tràfic, The Internet, Cryptocurrency mining, Mineria de dades, business, Data mining, Computer network

Abstract

In the last few years, cryptocurrency mining has become more and more important on the Internet activity and nowadays is even having a noticeable impact on the global economy. This has motivated the emergence of a new malicious activity called cryptojacking, which consists of compromising other machines connected to the Internet and leverage their resources to mine cryptocurrencies. In this context, it is of particular interest for network administrators to detect possible cryptocurrency miners using network resources without permission. Currently, it is possible to detect them using IP address lists from known mining pools, processing information from DNS traffic, or directly performing Deep Packet Inspection (DPI) over all the traffic. However, all these methods are still ineffective to detect miners using unknown mining servers or result too expensive to be deployed in real-world networks with large traffic volume. In this paper, we present a machine learning-based method able to detect cryptocurrency miners using NetFlow/IPFIX network measurements. Our method does not require to inspect the packets' payload; as a result, it achieves cost-efficient miner detection with similar accuracy than DPI-based techniques. This work has been supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE).

Published

2019

413. Mobile Encrypted Traffic Classification Using Deep Learning: Experimental Evaluation, Lessons Learned, and Challenges

Author

Giuseppe Aceto, Antonio Pescape, Antonio Montieri, Domenico Ciuonzo, Aceto, Giuseppe, Ciuonzo, Domenico, Montieri, Antonio, and Pescape, Antonio

Subjects

Computer Networks and Communications, business.industry, Computer science, Deep learning, Feature extraction, 020206 networking & telecommunications, Cryptography, Deep packet inspection, 02 engineering and technology, Machine learning, computer.software_genre, Encryption, Traffic classification, 0202 electrical engineering, electronic engineering, information engineering, Android apps, automatic feature extraction, Cryptography, deep learning, encrypted traffic, Feature extraction, Internet, iOS apps, mobile apps, Performance evaluation, Protocols, Radio frequency, Static VAr compensators, traffic classification, Computer Networks and Communications, Electrical and Electronic Engineering, Profiling (information science), The Internet, Artificial intelligence, Electrical and Electronic Engineering, business, computer

Abstract

The massive adoption of hand-held devices has led to the explosion of mobile traffic volumes traversing home and enterprise networks, as well as the Internet. Traffic classification (TC), i.e., the set of procedures for inferring (mobile) applications generating such traffic, has become nowadays the enabler for highly valuable profiling information (with certain privacy downsides), other than being the workhorse for service differentiation/blocking. Nonetheless, the design of accurate classifiers is exacerbated by the raising adoption of encrypted protocols (such as TLS), hindering the suitability of (effective) deep packet inspection approaches. Also, the fast-expanding set of apps and the moving-target nature of mobile traffic makes design solutions with usual machine learning, based on manually and expert-originated features, outdated and unable to keep the pace. For these reasons deep learning (DL) is here proposed, for the first time, as a viable strategy to design practical mobile traffic classifiers based on automatically extracted features, able to cope with encrypted traffic, and reflecting their complex traffic patterns. To this end, different state-of-the-art DL techniques from (standard) TC are here reproduced, dissected (highlighting critical choices), and set into a systematic framework for comparison, including also a performance evaluation workbench. The latter outcome, although declined in the mobile context, has the applicability appeal to the wider umbrella of encrypted TC tasks. Finally, the performance of these DL classifiers is critically investigated based on an exhaustive experimental validation (based on three mobile datasets of real human users’ activity), highlighting the related pitfalls, design guidelines, and challenges.

Published

2019

414. MIMETIC: Mobile Encrypted Traffic Classification using Multimodal Deep Learning

Author

Giuseppe Aceto, Antonio Pescape, Antonio Montieri, Domenico Ciuonzo, Aceto, Giuseppe, Ciuonzo, Domenico, Montieri, Antonio, and Pescapé, Antonio

Subjects

Computer Networks and Communications, business.industry, Computer science, Deep learning, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Encryption, Machine learning, computer.software_genre, Traffic classification, Mobile apps, Android apps, iOS apps, Encrypted traffic, Deep learning, Automatic feature extraction, Multimodal learning, Traffic classification, 0202 electrical engineering, electronic engineering, information engineering, Cellular network, Profiling (information science), 020201 artificial intelligence & image processing, Artificial intelligence, business, computer

Abstract

Mobile Traffic Classification (TC) has become nowadays the enabler for valuable profiling information, other than being the workhorse for service differentiation or blocking. Nonetheless, a main hindrance in the design of accurate classifiers is the adoption of encrypted protocols, compromising the effectiveness of deep packet inspection. Also, the evolving nature of mobile network traffic makes solutions with Machine Learning (ML), based on manually- and expert-originated features, unable to keep its pace. These limitations clear the way to Deep Learning (DL) as a viable strategy to design traffic classifiers based on automatically-extracted features, reflecting the complex patterns distilled from the multifaceted traffic nature, implicitly carrying information in “multimodal” fashion. Multi-modality in TC allows to inspect the traffic from complementary views, thus providing an effective solution to the mobile scenario. Accordingly, a novel multimodal DL framework for encrypted TC is proposed, named MIMETIC, able to capitalize traffic data heterogeneity (by learning both intra- and inter-modality dependences), overcome performance limitations of existing (myopic) single-modality DL-based TC proposals, and support the challenging mobile scenario. Using three (human-generated) datasets of mobile encrypted traffic, we demonstrate performance improvement of MIMETIC over (a) single-modality DL-based counterparts, (b) state-of-the-art ML-based (mobile) traffic classifiers, and (c) classifier fusion techniques.

Published

2019

415. Control Logic Injection Attacks on Industrial Control Systems

Author

Irfan Ahmed and Hyunguk Yoo

Subjects

050101 languages & linguistics, Computer science, business.industry, 05 social sciences, Ladder logic, Programmable logic controller, Deep packet inspection, 02 engineering and technology, Industrial control system, Intrusion detection system, Padding, Control system, Embedded system, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, business, Control logic

Abstract

Remote control-logic injection attacks on programmable logic controllers (PLCs) impose critical threats to industrial control system (ICS) environments. For instance, Stuxnet infects the control logic of a Siemens S7-300 PLC to sabotage nuclear plants. Several control logic injection attacks have been studied in the past. However, they focus on the development and infection of PLC control logic and do not consider the stealthy methods of transferring the logic to a PLC over the network. This paper is the first effort to explore the packet manipulation of control logic to achieve stealthiness without modifying PLC firmware to support new (obfuscation) functionality. It presents two new control logic injection attacks: (1) Data Execution and (2) Fragmentation and Noise Padding. Data Execution attack subverts signatures (based-on packet-header fields) by transferring control logic to the data blocks of a PLC and then, changes the PLC’s system control flow to execute the attacker’s logic. Fragmentation and Noise Padding attack subverts deep packet inspection (DPI) by appending a sequence of padding bytes in control logic packets while keeping the size of the attacker’s logic in packet payloads significantly small. We implement the attacks on two industry-scale PLCs of different vendors and demonstrate that these attacks can subvert intrusion detection methods successfully, such as signature-based intrusion detection and Anagram-based DPI. We also release the training and attack datasets to facilitate research in this direction.

Published

2019

416. Improved Flow Awareness by Intelligent Collaborative Sampling in Software Defined Networks

Author

He Cai, Xiaofei Wang, and Jun Deng

Subjects

Network management, Mobile edge computing, Edge device, business.industry, Computer science, Node (networking), Sampling (statistics), Deep packet inspection, business, Software-defined networking, Edge computing, Computer network

Abstract

To improve the specific quality of service, internal network management and security analysis in the future mobile network, accurate flow-awareness in the global network through packet sampling has been a viable solution. However, the current traffic measurement method with the five tuples cannot recognize the deep information of flows, and the Deep Packet Inspection (DPI) deployed at the gateways or access points is lack of traffic going through the internal nodes (e.g., base station, edge server). In this paper, by means of Deep Q-Network (DQN) and Software-Defined Networking (SDN) technique, we propose a flow-level sampling framework for edge devices in the Mobile Edge Computing (MEC) system. In the framework, an original learning-based sampling strategy considering the iterative influences of nodes is used for maximizing the long-term sampling accuracy of both mice and elephant flows. We present an approach to effectively collect traffic packets generated from base stations and edge servers in two steps: (1) adaptive node selection, and (2) dynamic sampling duration allocation by Deep Q-Learning. The results show that the approach can improve the sampling accuracy, especially for mice flows.

Published

2019

417. Towards Efficient and Scalable Machine Learning-Based QoS Traffic Classification in Software-Defined Network

Author

Tan Saw Chin, K. Rizaluddin, M. Z. Fatimah Audah, Y. Zulfadzli, and C. K. Lee

Subjects

Network packet, Computer science, business.industry, Quality of service, Deep packet inspection, 02 engineering and technology, Machine learning, computer.software_genre, Traffic classification, Traffic engineering, Scalability, 0202 electrical engineering, electronic engineering, information engineering, Forwarding plane, 020201 artificial intelligence & image processing, Artificial intelligence, business, Software-defined networking, computer

Abstract

Internet Service Provider (ISP) has the responsibility to fulfill the Quality of Service (QoS) of various types of applications. The centralized network controller in Software Defined Networking (SDN) provides the chance to instil intelligence in managing network resources based on QoS requirements. A fined-grained QoS Traffic Engineering can be realized by identifying different traffic flow types and categorizing them according to various application/classes. Previous methods include port-based classification and Deep Packet Inspection (DPI), which have been found non-accurate and highly computational. Thus, machine learning (ML) based traffic classifier has gained much attention from the research community, which can be seen from an increase number of works being published. This paper identifies the issues in ML-based traffic classification (TC) in order to devised the best solution; i.e. the TC framework should be scalable to accommodate network expansion, can accurately identify flows according to their source applications/classes, while maintaining an efficient run-time and memory requirement. Therefore, based on these findings, this work proposed a TC engine comprises of Training and Feature Selection Module and Classifier Model, which is placed at the data plane. The training and feature selection will be done offline and regularly to keep the Classifier Model updated. In the proposed solution, the SDN switch forwards the packets the Classifier Model, which classify the packets with accurate applications and send them to the control plane. Finally, the controller will perform resource and queue management according to the labeled packets and updates the flow tables via the switch. The proposed solution will be the starting point in solving efficiency and scalability issues in SDN-ISP TC.

Published

2019

418. Virtual Security Functions and Their Placement in Software Defined Networks: A Survey

Author

Mehmet Demirci, Seref Sagiroglu, and Sedef Demirci

Subjects

Multidisciplinary, Cost efficiency, Computer science, Network security, business.industry, 020209 energy, General Engineering, Mühendislik, Deep packet inspection, 02 engineering and technology, Energy consumption, Intrusion detection system, Firewall (construction), Open research, Engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, SDN, software defined networking, NFV, network function virtualization, cyber security, business, Software-defined networking, Computer network

Abstract

Software Defined Networking (SDN) and Network Functions Virtualization (NFV) are two important technologies gaining prominence thanks to their benefits for improving the flexibility and cost efficiency in networks. These technologies have been utilized extensively for providing new age security solutions in recent years. Through the use of SDN and NFV, network security functions are virtualized and deployed in a hardware-independent manner, thus reducing costs as well as enabling faster innovations and developments. Functions virtualized with NFV such as firewall, deep packet inspection, intrusion detection systems etc. can reside as applications in the SDN architecture. The issue of where to place these functions in the network is an important problem discussed in the literature. When placing these functions, objectives such as efficient use of network resources, energy consumption, cost, network load, delay etc. must be considered for each function, in addition to ensuring that network security requirements are met. This paper provides a critical survey on the placement of virtualized network security functions in software defined networks and identifies open problems in this field. We briefly describe SDN and NFV technologies, touch upon the relationship between them, exemplify and review the most common virtual security functions in SDN. We also examine and compare the studies on the optimal placement of virtual security functions. Finally, we identify several open research challenges in this area and suggest potential future directions to be considered by researchers.

Published

2019

419. Software-Defined Data Flow Detection and Control Approach for Industrial Modbus/TCP Communication

Author

Yan Song, Jianming Zhao, Zhaowei Wang, Ming Wan, Yuan Jing, and Zhongshui Zhang

Subjects

Data flow diagram, Flow control (data), Software, business.industry, Network packet, Computer science, Control system, Scalability, Deep packet inspection, business, Modbus, Computer network

Abstract

There is an increasing consensus that software-defined networking may become a successful case to provide fine scalability and availability for industrial Internet, and it also brings new opportunities for the development of industrial cyber security. Aligning with the defense in depth strategy, this paper proposes a software-defined data flow detection and control approach for industrial Modbus/TCP communication. Furthermore, this approach designs a novel security strategy configuration service in SDN controllers to publish the flow control rules, and SDN switches match Modbus/TCP data flows with these flow control rules to detect and control abnormal communication behaviors. Specifically, a flow control rule database which stores all flow control rules of the entire control system is managed by SDN controllers, and a security flow table is maintained by each SDN switch according to different requirements of industrial communication. By using the DPI (Deep Packet Inspection) technology, this approach can run a deep analysis of Modbus/TCP packets according to the protocol specification, and block the improper control commands or undesired technology parameters. The qualitative analysis shows that the proposed approach possesses certain advantages and feasibilities.

Published

2019

420. Using Burstiness for Network Applications Classification

Author

David J. Walker, Abdulrahman Alruban, Bogdan Ghita, Hussein Oudah, and Taimur Bakhshi

Subjects

Service (systems architecture), Article Subject, Computer Networks and Communications, Computer science, business.industry, Network packet, Real-time computing, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Encryption, lcsh:QA75.5-76.95, Set (abstract data type), Task (computing), Traffic classification, Burstiness, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, lcsh:Electronic computers. Computer science, business, Information Systems

Abstract

Network traffic classification is a vital task for service operators, network engineers, and security specialists to manage network traffic, design networks, and detect threats. Identifying the type/name of applications that generate traffic is a challenging task as encrypting traffic becomes the norm for Internet communication. Therefore, relying on conventional techniques such as deep packet inspection (DPI) or port numbers is not efficient anymore. This paper proposes a novel flow statistical-based set of features that may be used for classifying applications by leveraging machine learning algorithms to yield high accuracy in identifying the type of applications that generate the traffic. The proposed features compute different timings between packets and flows. This work utilises tcptrace to extract features based on traffic burstiness and periods of inactivity (idle time) for the analysed traffic, followed by the C5.0 algorithm for determining the applications that generated it. The evaluation tests performed on a set of real, uncontrolled traffic, indicated that the method has an accuracy of 79% in identifying the correct network application.

Published

2019

421. A Wearable Machine Learning Solution for Internet Traffic Classification in Satellite Communications

Author

Mathieu Gineste, Ernesto Exposito, Fannia Pacheco, Laboratoire Informatique de l'Université de Pau et des Pays de l'Adour (LIUPPA), Université de Pau et des Pays de l'Adour (UPPA), Thales Alenia Space - TAS (Toulouse, France), and Thales (France)

Subjects

Computer science, business.industry, Wearable computer, Internet traffic classification, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Machine learning, computer.software_genre, [INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI], Architecture framework, [INFO.INFO-LG]Computer Science [cs]/Machine Learning [cs.LG], 0202 electrical engineering, electronic engineering, information engineering, Communications satellite, [INFO]Computer Science [cs], 020201 artificial intelligence & image processing, Satellite, The Internet, Artificial intelligence, Architecture, business, computer

Abstract

International audience; In this paper, we present an architectural framework to perform Internet traffic classification in Satellite Communications for QoS management. Such a framework is based on Machine Learning techniques. We propose the elements that the framework should include, as well as an implementation proposal. We define and validate some of its elements by evaluating an Internet dataset generated on an emulated Satellite Architecture. We also outline some discussions and future works that should be addressed to have an accurate Internet classification system .

Published

2019

422. News and the city: understanding online press consumption patterns through mobile data

Author

Daniela Paolotti, Leo Ferres, Salvatore Vilella, and Giancarlo Ruffo

Subjects

FOS: Computer and information sciences, Physics - Physics and Society, News consumption, Population, Distribution (economics), FOS: Physical sciences, 050801 communication & media studies, Context (language use), 02 engineering and technology, Physics and Society (physics.soc-ph), lcsh:Computer applications to medicine. Medical informatics, Mobile data, Computer Science - Computers and Society, 0508 media and communications, 020204 information systems, Computers and Society (cs.CY), 0202 electrical engineering, electronic engineering, information engineering, Urban, education, News media, Consumption (economics), education.field_of_study, business.industry, Mobile broadband, 05 social sciences, Advertising, Deep packet inspection, Geo-referenced analysis, Computer Science Applications, Computational Mathematics, Modeling and Simulation, lcsh:R858-859.7, Business

Abstract

The always increasing mobile connectivity affects every aspect of our daily lives, including how and when we keep ourselves informed and consult news media. By studying a DPI (deep packet inspection) dataset, provided by one of the major Chilean telecommunication companies, we investigate how different cohorts of the population of Santiago De Chile consume news media content through their smartphones. We find that some socio-demographic attributes are highly associated to specific news media consumption patterns. In particular, education and age play a significant role in shaping the consumers behaviour even in the digital context, in agreement with a large body of literature on off-line media distribution channels.

Published

2019

423. Corrigendum to 'COIN: A fast packet inspection method over compressed traffic' [J. Netw. Comput. Appl. 127 (2019) 122–134]

Author

Hao Li, Chengchen Hu, Kaiyu Hou, Sun Xiuwen, Dan Zhao, and Xingxing Lu

Subjects

Computer Networks and Communications, Hardware and Architecture, Computer science, Deep packet inspection, Algorithm, Computer Science Applications

Published

2020

424. Packet analysis for network forensics: A comprehensive survey

Author

Leslie F. Sikos

Subjects

Network forensics, business.industry, Computer science, Network packet, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Deep packet inspection, Network monitoring, Intrusion detection system, computer.software_genre, Computer Science Applications, Pathology and Forensic Medicine, Medical Laboratory Technology, Traffic classification, Packet analyzer, Malware, business, Law, computer, Information Systems, Computer network

Abstract

Packet analysis is a primary traceback technique in network forensics, which, providing that the packet details captured are sufficiently detailed, can play back even the entire network traffic for a particular point in time. This can be used to find traces of nefarious online behavior, data breaches, unauthorized website access, malware infection, and intrusion attempts, and to reconstruct image files, documents, email attachments, etc. sent over the network. This paper is a comprehensive survey of the utilization of packet analysis, including deep packet inspection, in network forensics, and provides a review of AI-powered packet analysis methods with advanced network traffic classification and pattern identification capabilities. Considering that not all network information can be used in court, the types of digital evidence that might be admissible are detailed. The properties of both hardware appliances and packet analyzer software are reviewed from the perspective of their potential use in network forensics.

Published

2020

425. Arquitectura de seguridad para la red de próxima generación.

Author

Pérez Sierra, Raymundo and Reyes Roig, Deborah

Subjects

*DATA security, *COMPUTER network architectures, *NEXT generation networks, *INTERNET protocols, *CYBERTERRORISM, *TELEPHONE networks

Abstract

Next Generation Networks (NGN), supported in infrastructure by IP networks, are vulnerable to threats and risks of traditional data networks, as well as those specific to IP telephone networks; these constitute severe security issues that need to be addressed. With this goal in mind, a Security Architecture for NGN was proposed for ETECSA, with an integral, generic, and personalized focus adapted to the characteristics and conditions of the Cuban setting and, to the different foreseen stages of development for this network. These include a group of guidelines and interventions with these last embedded in its different layers. [ABSTRACT FROM AUTHOR]

Published

2012

426. A Network Security Situation Awareness Model Based on Risk Assessment

Author

Dejun Mu and Yixian Liu

Subjects

Risk level, Situation awareness, Network security, business.industry, Computer science, 05 social sciences, Vulnerability, Deep packet inspection, 02 engineering and technology, Computer security, computer.software_genre, Network security situation awareness, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 0501 psychology and cognitive sciences, business, Risk assessment, computer, 050107 human factors

Abstract

Network Security Situation Awareness (NSSA) can provide holistic status to administrator, and most related works rely on real time packet inspection technique to detect the security attacks which are happening and may already have caused some damage. In this paper, we propose the Risk Assessment NSSA model which collects the vulnerabilities information and uses corresponding risk level to qualitatively represent the security situation. This model is easy to apply and conveniently helps the administrator to monitor the whole network and be alerted to possible threat in future.

Published

2018

427. Institutional trustworthiness and national security governance : evidence from six European countries

Author

Kirstie Ball, Sara Degli Esposti, Elvira Santiago-Gómez, Vincenzo Pavone, Sally Dibb, University of St Andrews. School of Management, European Commission, Pavone, Vincenzo [0000-0002-2326-0118], and Pavone, Vincenzo

Subjects

National security, Public Administration, Sociology and Political Science, media_common.quotation_subject, NDAS, JN, Public administration, GeneralLiterature_MISCELLANEOUS, 0502 economics and business, 050602 political science & public administration, 050207 economics, JZ, ComputingMilieux_MISCELLANEOUS, media_common, Marketing, business.industry, Corporate governance, 05 social sciences, SDG 16 - Peace, Justice and Strong Institutions, Deep packet inspection, JN Political institutions (Europe), 16. Peace & justice, 0506 political science, Surprise, Trustworthiness, Business, JZ International relations, InformationSystems_MISCELLANEOUS, BDC

Abstract

Funding information: FP7 Security, Grant/Award Number: SurPRISE (Surveillance, Privacy, Security) Grant A. This article examines the relationship between the institutional trustworthiness of security agencies in the context of data‐intensive security practices. It focuses on the public's acceptance of the way digital surveillance technologies feed into large‐scale security data analytics. Using the case of deep packet inspection (DPI), survey data gathered in six European countries (n = 1,202) demonstrates that security agencies' institutional trustworthiness directly and indirectly influences public acceptance of DPI. Against a backdrop of declining public trust in government and a climate of intense international terrorist threat, governments around the world are appealing to citizens to trade privacy for enhanced security. This article supports calls for security agencies and their respective governments to engage with the democratic process to enrich security and privacy at all levels of public security governance and for the common good. Postprint

Published

2018

428. Synthesis of reconfigurable information security hardware on HPC platforms

Subjects

Firewall (construction), business.industry, Computer science, Network packet, Distributed computing, Cloud computing, Deep packet inspection, String searching algorithm, Pattern matching, Cache, business, Grid

Abstract

The main purpose of a signature-based network intrusion detection system (NIDS) is to inspect network packet contents against tens of thousands of predefined malicious patterns. Unlike the firewall, NIDS examines not only packet headers, but also the packet bodies. The multi-pattern string matching task is a specific type of string matching functionality to search an input stream for a set of patterns rather than a single pattern. Due to rising traffic rates, increasing number and sophistication of attacks and the collapse of Moore's law for sequential processing, traditional software solutions can no longer meet the high requirements of today’s security challenges. Therefore, hardware approaches are proposed to accelerate pattern matching. Combining the flexibility of software and the nearASIC performance, reconfigurable FPGA-based devices have become increasingly popular for this purpose. Unfortunately, the development of complex reconfigurable devices is a very difficult craft. Users of NIDS which are usually system administrators have not neither enough qualification, nor computing resources to fulfill such a work. On the other hand specificities of security tasks require frequent execution of dynamic re-synthesis of reconfigurable accelerators. To solve this problem, a centralized system based on GRID and Cloud platforms was proposed. Such approach moves design and computation complexities from LANs to HPC. An experimental system was constructed and tested. First results are received and discussed. Preliminary comparison of GRID and Cloud technologies is made. Besides cybersecurity, high-speed multi-pattern matching is required for such important applications as data mining, XML switching, QoS management, VoIP filtering, cache replication etc.

Published

2018

429. Data Inspection in SDN Network

Author

Ayman M. Bahaa-Eldin, Soliman Abd Elmonsef Sarhan, and Mohamed A. Sobh

Subjects

business.industry, Computer science, Quality of service, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Asset (computer security), Automation, Software, Control theory, Server, 0202 electrical engineering, electronic engineering, information engineering, business, Software-defined networking, Computer network

Abstract

Software Defined Networks can be considered the most important development in Computer Networking in the last decade. Deep packet inspection (DPI) technology significantly enhances the security and management of current networks but combined with software-defined networking (SDN), DPI becomes an even more powerful tool can centralize network strategy control and quicken automation. The conversion from the traditional networks to the SDN network has a significant challenge that need a careful examination. We focus on Improved DPI can give the exhaustive data to notify the SDN controller about the situation of the network and its activity streams of traffic flows. This enables SDN to regard the network as a comprehensive asset as opposed to a different collection of devices. (e.g. switches, security and other Layer 4-7 elements). Ultimately, connecting SDN and DPI will let network pros apply policy control and automation to the whole network as opposed to individual components or elements. Leveraging a central DPI capability will give knowledge and intelligence to every important function (security, controller, policy, and so on.) -- instead of the current system of each functional box performing its own DPI. So, it became a must to inspect the data in SDN architecture that fit the benefits of central control.

Published

2018

430. Tearing Down the Face of Algorithmic Complexity Attacks for DPI Engines

Author

Jiantao Shi, Liu Likun, Xiangzhan Yu, and Hongli Zhang

Subjects

business.industry, Computer science, String (computer science), Vulnerability, 020206 networking & telecommunications, 020207 software engineering, Deep packet inspection, Denial-of-service attack, 02 engineering and technology, Adversary, Identification (information), 0202 electrical engineering, electronic engineering, information engineering, business, Computer network, Vulnerability (computing)

Abstract

Deep Packet Inspection (DPI) is the core of security devices, such as NIDS, NIPS, which is also an important target of the adversary. The vulnerability of DPI engine is that it relies heavily on pattern matching algorithms, which consume a lot of system resources. In order to make denial of service of DPI, the adversary leverages string repetitions to perform algorithmic complexity attacks. In this paper, we propose an attack identification method for automata and design three defensive strategies. Our attack identification method adopts a two-step threshold detection method, while defensive mechanisms include dropping, transferring and rescheduling the traffic. And the rescheduling traffic based on multi-core platform is a parallelization problem. To solve this problem, this paper proposes a traffic exchange strategy between threads, so that the attack traffic is allocated to dedicated threads. We demonstrate the effectiveness of our method by checking the packet loss rate of NIC and monitoring the utilization of CPU and memory. Upon different attack intensity, our experiments show a throughput boost of up to 11%-60% by comparing with the original system, and 4%-14% with the Level-1 threshold detection. In addition, the false negative rate under the diversified attack scenarios is lower than the original system and Level-1 threshold detection.

Published

2018

431. Speeding-Up DPI Traffic Classification with Chaining

Author

Elnaz Alizadeh Jarchlo, Antonio Pescape, Andres Marin Lopez, Walter de Donato, Hossein Doroud, Cesar D. Guerrero, Giuseppe Aceto, Doroud, Hossein, Aceto, Giuseppe, de Donato, Walter, Jarchlo, Elnaz Alizadeh, Lopez, Andres Marin, Guerrero, Cesar D., and Pescape, Antonio

Subjects

business.industry, Computer science, Real-time computing, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Network monitoring, Encryption, Port (computer networking), Term (time), Traffic classification, Chaining, Line (geometry), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business

Abstract

The importance of network traffic classification has grown over the last two decades in line with the increasing diver- sity of networked applications. Nowadays traditional approaches to traffic classification, relying on port numbers and on Deep Packet Inspection (DPI), are not very effective in real scenarios respectively due to the usage of random or non-standard port numbers and to the wide usage of end-to-end encryption. Despite their limitations, port- based and DPI approaches are still widely used in operational networks for a number of network monitoring and management tasks. This paper proposes a practical approach for improving the efficiency of traditional traffic classification techniques by chain- ing fast classification stages (port-based and machine-learning- based), combined to lower their false-positive rate, and a more precise - but time- and resource-demanding - stage based on DPI. Experimental results demonstrate that Chain obtains results in line with DPI approaches in term of Precision, Recall, Accuracy and Area Under the Curve (AUC), while it is 45% faster when compared to nDPIng, a well- known DPI implementation. The appealing of the proposed approach in Network Function Virtualization (NFV) contexts is also discussed.

Published

2018

432. SASD: A Self-Adaptive Stateful Decompression Architecture

Author

Da Li, Li Guo, Zhang Xi, Qingyun Liu, Zhou Zhou, and Yujia Zhu

Subjects

Computer science, business.industry, Network packet, 020206 networking & telecommunications, Throughput, Deep packet inspection, Data_CODINGANDINFORMATIONTHEORY, 02 engineering and technology, Software, 020401 chemical engineering, Stateful firewall, Transmission (telecommunications), Embedded system, 0202 electrical engineering, electronic engineering, information engineering, State (computer science), 0204 chemical engineering, business

Abstract

Due to the increasing threats in the current network environment, many researchers have shifted their interests to network content audit, which combines deep packet inspection and natural language processing. However, the performance of network content audit systems is becoming the bottle-neck because of the demand on processing fast growing compressed traffic. While compressed traffic is often split into multiple out-of-order packets for transmission, stateful decompression ensures that the compressed data are processed in a timely manner without waiting for all the compressed traffic to arrive before decompressing. In the meanwhile, hardware innovations lead to new type of devices being invented, which shows promise to fully handle the offloaded traffic for complex calculations at higher throughput than software-based solutions. We consider both software-based and hardware-based solutions for decompressing traffic from network content audit systems and study the workload. We notice that the performance is data-dependant: hardware-based decompression solutions perform better for longer compressed data than software method. On the contrary, software-based decompressing methods are more preferred for the short content in terms of the processing speed. So there is no one-size-fits-all solution. In this paper, we combine the advantages of hardware and software and propose a novel self-adaptive stateful decompression architecture to support fast decompression in accordance with the traffic status and system state. Experiments on real-world traffic show that our proposed architecture can achieve about three times of the data decompression efficiency, compared to the best pure software and hardware algorithm, which can significantly improve the detection efficiency of many network content audit systems.

Published

2018

433. Network Data Stream Classification by Deep Packet Inspection and Machine Learning

Author

Chunyong Yin, Hongyi Wang, and Jin Wang

Subjects

business.industry, Computer science, Network data, Deep packet inspection, Encryption, Machine learning, computer.software_genre, Port (computer networking), Field (computer science), Naive Bayes classifier, Classification methods, The Internet, Artificial intelligence, business, computer

Abstract

How to accurately and efficiently complete the classification of Network data stream is an important research topic and a huge challenge in the field of Internet data analysis. Traditional port-based and DPI-based classification methods have obvious disadvantages in the increase category of P2P services and the problem of poor encryption resistance, leading to a sharp drop in classification coverage. Based on the original DPI classification, this paper proposes a method of network data stream classification using the combination of DPI and machine learning. This method uses DPI to detect network data streams of known features and uses machine learning methods to analyze unknown features and encrypted network data streams. Experiments show that this method can effectively improve the accuracy of network data stream classification.

Published

2018

434. Deep packet inspection on large datasets : algorithmic and parallelization techniques for accelerating regular expression matching on many-core processors

Author

Xiaodong Yu

Subjects

Matching (statistics), Many core, Computer science, Deep packet inspection, Regular expression, Parallel computing

Published

2018

435. Benchmark Data for Mobile App Traffic Research

Author

Zhao Yang, Deyu Tang, Ruoyu Wang, Jin Yang, Zhen Liu, and Yongming Cai

Subjects

Ground truth, Computer science, Network packet, 020206 networking & telecommunications, Deep packet inspection, Sample (statistics), 02 engineering and technology, computer.software_genre, Traffic flow, Task (project management), Traffic classification, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Data mining, Baseline (configuration management), computer

Abstract

Mobile app traffic classification aims to automatically map mobile packets into apps. It has become an active task in mobile traffic engineering, and numerous algorithms have been proposed for this task, including machine learning, deep packet inspection methods. However, existing works mainly evaluate their methods on their own collected mobile traffic traces. There is no public benchmark data. The results in existing papers cannot be directly compared. This largely limits the development of mobile app traffic classification methods. This paper describes our Mobile Traffic Data(MTD): Android app traffic flow sample sets with ground truth. The goal of MTD is to advance the state-of-arts in mobile app traffic classification. For building MTD, we collected and annotated more than ten thousands of traffic flows using Mobilegt system. The popularity used flow features were also extracted to build flow samples for mobile traffic classification using machine learning. MTD sets have been shared in public. In addition, this paper provides the performance analysis of typical machine learning techniques on MTD, which can be served as the baseline results on this benchmark data.

Published

2018

436. Intelligent Security Monitoring in Time Series of DDoS attack on IoT Networks using Grammar base Filtering and Clustering

Author

Zie Eya Ekolle, Kuramitsu Kimio, and Kohno Ryuji

Subjects

MQTT, Emulation, Computer science, business.industry, Big data, 020206 networking & telecommunications, Denial-of-service attack, Deep packet inspection, 02 engineering and technology, Security policy, Computer security, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Regular grammar, Cluster analysis, business, computer

Abstract

The recent trend of Internet of Things (IoT) is taking the world by surprise with its high demand in resources and diverse applications. By integrating and connecting sensors, IoT makes it possible to link “anything” “anywhere” with the aide of specialized protocols. Nevertheless, the security in such a highly saturated network system is a call for concern. This paper illustrates an approach of tackling security on IoT networks by making use of a hybrid security strategy. This strategy defined a security policy against an IoT DDoS attacks by making use of a grammar base filtering technique for a deep packet inspection (DPI) and a clustering algorithm for an unsupervised detection of the attack. For the purpose of practical evaluation of this security technique, an emulation was carried out and the results were presented.

Published

2018

437. Exploiting System Model for Securing CPS: the Anomaly Based IDS Perspective

Author

Stefano Panzieri, Federica Pascucci, Riccardo Colelli, ETFA committee, Colelli, Riccardo, Panzieri, Stefano, and Pascucci, Federica

Subjects

Computer science, Anomaly-based intrusion detection system, Distributed computing, 05 social sciences, Legacy system, 050301 education, Deep packet inspection, Computer Science Applications1707 Computer Vision and Pattern Recognition, 02 engineering and technology, Industrial control system, Intrusion detection system, Network topology, Application layer, Automation System, New Implementation Approache, Industrial and Manufacturing Engineering, System model, Industrial Informatic, Control and Systems Engineering, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Electrical and Electronic Engineering, 0503 education

Abstract

Industrial Control systems traditionally achieved security by using isolation from the outside and proprietary protocols to communicate inside. This paradigm is changed with the advent of the Industrial Internet of Things that foresees flexible and interconnected systems. In this contribution, the threats coming from this new approach are analyzed and a framework for identify them is proposed. It is based on the common signature based intrusion detection system developed in the information technology domain, however, to cope with the constraints of the operation technology domain, it exploits anomaly based features. Specifically, it is able to analyze the traffic on the network at application layer by mean of deep packet inspection, parsing the information carried by the proprietary protocols. Two different topologies are adopted to cope also with legacy systems. A simple set up is considered to prove the effectiveness of the approach.

Published

2018

438. GoldenEye: stream-based network packet inspection using GPUs

Author

Qian Gong, Phil DeMar Fermi, and Wenji Wu

Subjects

Network packet, Computer science, business.industry, Retransmission, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Packet processing, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Stateful firewall, Packet analyzer, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Computer network

Abstract

High-performance packet analysis systems have attracted great interest as tools to deal with security concerns in high-speed networks. Recently, researchers have utilized GPUs to improve packet processing performance. However, most existing work has been targeted at per-packet analysis level. Flow-centric operations have been challenging for GPUs because they require sequential operations and large buffers for flow reassembly. In this work, we present the GoldenEye GPU Packet Processing System (GoldenEye), a deep packet inspection (DPI) system that tracks out-of-order TCP packets and provides stream-based signature matching. When a batch of packets arrives, GoldenEye sorts packets into flow-reassembled streams and normalizes retransmission through a GPU-implemented reordering module. For signatures that straddle batch boundaries, GoldenEye couples a small set of metadata with a functionally-equivalent minimal regular expression retrieval algorithm to connect the partial matches. Results show that GoldenEye can reassemble tens of millions of packets/sec and conduct stateful DPI operations on TCP streams at multi-ten Gbit/sec rates.

Published

2018

439. EDSGuard: Enforcing Network Security Requirements for Energy Delivery Systems

Author

Ziming Zhao, Vu Coughlin, Carlos E. Rubio-Medrano, and Gail-Joon Ahn

Subjects

Network security, business.industry, Computer science, 05 social sciences, Energy delivery, 050801 communication & media studies, Deep packet inspection, 02 engineering and technology, Network Communication Protocols, Computer security, computer.software_genre, Firewall (construction), 0508 media and communications, Countermeasure, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer

Abstract

Recently, energy delivery systems (EDS) have been targeted by sophisticated network-based attacks tailored to disrupt the proper distribution of energy among different geographical regions, resulting in non-trivial socio-economical loses and a loss of public confidence in EDS infrastructures. Such attacks were facilitated by the lack of native security measures regarding existing network communication protocols for EDS, which allowed attackers to deliberately manipulate the state of network connections between control modules and field devices. In order to address these concerns, this paper presents EDSGuard, a state-based firewall and monitoring tool that leverages state-of the-art packet inspection techniques along with software-defined networks (SDN), to intelligently implement a set of security requirements and best practices for protecting EDS networks, as issued by regulatory organizations within the EDS community in the last years. In addition, EDSGuard implements a series of first-response countermeasure strategies, which can automatically react to anomalies and attacks, thus effectively mitigating their consequences and impact as a result. We provide the overall rationale behind our approach, as well as a description of our experimental results depicting a set of attack scenarios inspired by recent incidents affecting EDS infrastructures, which provide evidence of the suitability of EDSGuard for being fully adopted in practice.

Published

2018

440. An Analysis of real-time network traffic for identification of browser and application of user using clustering algorithm

Author

Anshu Priya, Sunit Kumar Nandi, and R S Goswami

Subjects

Identification (information), business.industry, Computer science, Network security, k-means clustering, Unsupervised learning, The Internet, Deep packet inspection, business, Cluster analysis, Encryption, Computer network

Abstract

The Internet is drastically becoming part of our life as well as work. Every aspect of life is somehow associated with Internet due to which communication and technology needs to be getting advanced day by day. With the affluent usage of encrypted network data, its classification has been predominantly accepted these days. The Classification of network traffic can be defined as the procedure of identification and analysis of application and protocol in the network. It has power to manage and solve different types of problem related to network. It can also provide network security by blocking the malicious traffic. This shows a challenge for measurement of traffic, especially for analysis method which are basically dependent on the types of traffic present in the network. In this paper we analysed real time traffic data of educational institute to identify browser and application of user using clustering algorithm basically KMeans. KMeans is basically the unsupervised Machine Learning algorithm.

Published

2018

441. An Approach to URL Filtering in SDN

Author

G. Subrahmanya Vrk Rao, K. Archana Janani, V. Vetriselvi, and Ranjani Parthasarathi

Subjects

Information retrieval, business.industry, Computer science, Controller (computing), Deep packet inspection, computer.software_genre, Phishing, Proxy server, Domain (software engineering), Categorization, Identity (object-oriented programming), The Internet, business, computer

Abstract

Phishing is considered as a form of the Internet crime. To detect a phishing website, human experts compare the claimed identity of the website with the features of the website along with its content. Every website URL has its own lexical features like length, domain names, etc. The phishing websites may appear to perform the same activities of another website but the content of the two websites will be different. In traditional networks, a proxy server handles the URL requests and determines whether an URL is malicious or not. In this paper, URL filtration is incorporated into an SDN framework as a security application. The proposed system uses deep packet inspection and machine learning techniques at the controller and the rule installation in the switches for efficient URL phishing detection. The phishing system analyzes the lexical and content-based features of the URLs. Based on the categorization, the rules are formed and installed in the switches. The performance of the system is evaluated based on the response time and accuracy in the detection of phishing URLs using a simulation framework.

Published

2018

442. An Architecture for Flow-Based Traffic Analysis in a Cloud Environment

Author

Giovanni Curiel, Tiago Octaviano Primini, Matheus Ribeiro, Leonardo Mariote, and Eric Baum

Subjects

Profiling (computer programming), Traffic analysis, Computer science, business.industry, Real-time computing, Hypervisor, Deep packet inspection, Cloud computing, Intrusion detection system, computer.software_genre, Virtualization, Virtual machine, business, computer

Abstract

In today’s cloud environments, where thousands of virtual machines are executed simultaneously, it can be very complicated and complex to identify and trace, in real time, suspicious or malicious traffic. Performing a per-packet analysis or doing a deep packet inspection in such high volume of traffic may impact the hypervisor’s performance negatively, which can render the unfeasible instantiation of a large amount of virtual machines. In order to enhance this procedure, this paper proposes an architecture that is able to collect flow-based information from all running virtual machines. In addition, its intent is to be easily pluggable to cognitive analysis tools, such as network intrusion detection systems, traffic profiling and classification, behavior prediction, and so forth.

Published

2018

443. HEX Switch

Author

Taejune Park, Zhaoyan Xu, and Seungwon Shin

Subjects

OpenFlow, NetFPGA, SIMPLE (military communications protocol), business.industry, Network security, Computer science, media_common.quotation_subject, 05 social sciences, 050801 communication & media studies, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Set (abstract data type), 0508 media and communications, 0202 electrical engineering, electronic engineering, information engineering, Forwarding plane, business, Function (engineering), Computer network, media_common

Abstract

Software-defined networking (SDN) and Network Function Virtualization (NFV) have inspired security researchers to devise new security applications for these new network technology. However, since SDN and NFV are basically faithful to operating a network, they only focus on providing features related to network control. Therefore, it is challenging to implement complex security functions such as packet payload inspection. Several studies have addressed this challenge through an SDN data plane extension, but there were problems with performance and control interfaces. In this paper, we introduce a new data plane architecture, HEX which leverages existing data plane architectures for SDN to enable network security applications in an SDN environment efficiently and effectively. HEX provides security services as a set of OpenFlow actions ensuring high performance and a function of handling multiple SDN actions with a simple control command. We implemented a DoS detector and Deep Packet Inspection (DPI) as the prototype features of HEX using the NetFPGA-1G-CML, and our evaluation results demonstrate that HEX can provide security services as a line-rate performance.

Published

2018

444. Regular Expression Matching with Memristor TCAMs for Network Security

Author

Sai Rahul Chalamalasetti, Matthew P. Hardy, Le Zheng, Xia Sheng, Catherine Graves, Martin Foltin, Brent Buchanan, Si-Ty Lam, Xuema Li, Wen Ma, John Paul Strachan, and Lennie Kiyama

Subjects

020203 distributed computing, Finite-state machine, Network security, business.industry, Computer science, 020208 electrical & electronic engineering, Deep packet inspection, 02 engineering and technology, Memristor, Content-addressable memory, Telecommunications network, law.invention, Computer architecture, law, 0202 electrical engineering, electronic engineering, information engineering, Regular expression, Field-programmable gate array, business

Abstract

We propose using memristor-based TCAMs (Ternary Content Addressable Memory) to accelerate Regular Expression (RegEx) matching. RegEx matching is a key function in network security, where deep packet inspection finds and filters out malicious actors. However, RegEx matching latency and power can be incredibly high and current proposals are challenged to perform wire-speed matching for large scale rulesets. Our approach dramatically decreases RegEx matching operating power, provides high throughput, and the use of mTCAMs enables novel compression techniques to expand ruleset sizes and allows future exploitation of the multi-state (analog) capabilities of memristors. We fabricated and demonstrated nanoscale memristor TCAM cells. SPICE simulations investigate mTCAM performance at scale and a mTCAM power model at 22nm demonstrates 0.2 fJ/bit/search energy for a 36×400 mTCAM. We further propose a tiled architecture which implements a Snort rule-set and assess the application performance. Compared to a state-of-the-art FPGA approach (2 Gbps, −1W), we show ×4 throughput (8 Gbps) at 60% the power (0.62W) before applying standard TCAM power-saving techniques. Our performance comparison improves further when striding (searching multiple characters) is considered, resulting in 47.2 Gbps at 1.3W for our approach compared to 3.9 Gbps at 630mW for the strided FPGA NFA, demonstrating a promising path to wire-speed RegEx matching on large scale rulesets.

Published

2018

445. Measuring the Growth in Complexity of Models from Industrial Control Networks

Author

Alvaro A. Cardenas and Mustafa Amir Faisal

Subjects

Ethernet, 021110 strategic, defence & security studies, Computer science, Distributed computing, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Testbed, 0211 other engineering and technologies, Markov process, Deep packet inspection, 02 engineering and technology, symbols.namesake, Deterministic finite automaton, DNP3, 0202 electrical engineering, electronic engineering, information engineering, symbols, 020201 artificial intelligence & image processing, Communication complexity, Modbus

Abstract

Profiling communication patterns between industrial devices is important for detecting anomalies and potential cyber-attacks. In this paper we do deep-packet inspection of various industrial protocols to generate models of communications between pairs of devices; in particular, we use two models (deterministic finite automata and discrete-time Markov chains) applied to three different industrial networks: (1) an electrical substation, (2) a small-scale water testbed, and (3) a large-scale water treatment facility. Overall these datasets represent a variety of industrial protocols, including EtherNet/IP, DNP3, and Modbus/TCP.

Published

2018

446. Accelerating VNF-based Deep Packet Inspection with the use of GPUs

Author

Diego Lisboa Cardoso, Carlos Natalino, Ádamo Lima de Santana, and Igor M. Araujo

Subjects

Speedup, Computer science, Network packet, business.industry, Embedded system, Packet processing, Graphics processing unit, Deep packet inspection, Throughput, Intrusion detection system, business, Communication channel

Abstract

Network Function Virtualization (NFV) replaces the hardware that supports packet processing in network operation from specific- by general-purpose ones, reducing costs and bringing more flexibility and agility to the network operation. However, this shift can cause performance losses due to the non-optimal packet processing capabilities of the general-purpose hardware. Moreover, supporting the line rate of optical network channels with Virtualized Network Functions (VNFs) is a challenging task. This work analyzes the benefits of using Graphics Processing Units (GPUs) to support the execution of a Deep Packet Inspection (DPI) VNF towards supporting the line rate of an optical channel. The use of GPUs in VNFs has a great potential to increase throughput, but the delay incurred might be an issue for some functions. Our simulation was performed using an Intrusion Detection Systems (IDS) which performs DPI deployed as a VNF under real-world traffic scaled to high bit rates. Results show that the packet processing speedup achieved by using GPUs can reach up to 19 times, at the expense of a higher packet delay.

Published

2018

447. A Power-Efficient Approach to TCAM-Based Regular Expression Matching

Author

Kun Huang and Xuelin Chen

Subjects

Matching (statistics), Hardware_MEMORYSTRUCTURES, Memory management, Computer science, 0202 electrical engineering, electronic engineering, information engineering, Deep packet inspection, 02 engineering and technology, Pattern matching, Regular expression, Parallel computing, Content-addressable memory, Throughput (business), 020202 computer hardware & architecture

Abstract

Ternary content addressable memories (TCAMs) have been used to implement high-speed regular expression (Regex) matching for deep packet inspection. However, one major drawback of TCAMs is their high power consumption, which is becoming critical with the increasing number of Regex patterns. In this paper, we present GreenCAM, a power-efficient approach to TCAM-based Regex matching for reducing the power consump-tion of TCAMs. We introduce a simple yet effective idea of sepa-rating input characters from states in TCAMs to develop a three-stage architecture for low-power Regex matching. For this archi-tecture, we propose two techniques of character indexing and table partitioning to minimize the number of TCAM blocks acti-vated for each transition lookup in average and worst cases. Ex-periments on real Regex pattern sets show that GreenCAM re-quires only two active TCAM blocks per transition lookup on average, and achieves significant power reductions of up to sever-al orders of magnitude as well as higher matching throughput compared to previous schemes.

Published

2018

448. Network service chaining using segment routing in multi-layer networks

Author

Francesco Paolucci

Subjects

OpenFlow, Computer Networks and Communications, computer.internet_protocol, Computer science, Path computation element, Multiprotocol Label Switching, 02 engineering and technology, Network topology, Network service chaining, Software defined networking, 020210 optoelectronics & photonics, 0202 electrical engineering, electronic engineering, information engineering, Border gateway protocol, Flow steering, LSP, Multi-layer networks, Open database, OpenFlow protocol, Segment routing, business.industry, 020206 networking & telecommunications, Deep packet inspection, Network service, Border Gateway Protocol, business, Software-defined networking, computer, Computer network

Abstract

Network service chaining, originally conceived in the network function virtualization (NFV) framework for software defined networks (SDN), is becoming an attractive solution for enabling service differentiation enforcement to microflows generated by data centers, 5G fronthaul and Internet of Things (IoT) cloud/fog nodes, and traversing a metro-core network. However, the current IP/MPLS-over optical multi-layer network is practically unable to provide such service chain enforcement. First, MPLS granularity prevents microflows from being conveyed in dedicated paths. Second, service configuration for a huge number of selected flows with different requirements is prone to scalability concerns, even considering the deployment of a SDN network. In this paper, effective service chaining enforcement along traffic engineered (TE) paths is proposed using segment routing and extended traffic steering mechanisms for mapping micro-flows. The proposed control architecture is based on an extended SDN controller encompassing a stateful path computation element (PCE) handling microflow computation and placement supporting service chains, whereas segment routing allows automatic service enforcement without the need for continuous configuration of the service node. The proposed solution is experimentally evaluated in segment routing over an elastic optical network (EON) network testbed with a deep packet inspection service supporting dynamic and automatic flow enforcement using Border Gateway Protocol with Flow Specification (BGP Flowspec) and OpenFlow protocols as alternative traffic steering enablers. Scalability of flow computation, placement, and steering are also evaluated showing the effectiveness of the proposed solution.

Published

2018

449. Silhouette

Author

Mark Claypool, Jae Won Chung, and Feng Li

Subjects

Forcing (recursion theory), Computer science, Mobile wireless, computer.internet_protocol, business.industry, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Real-time computing, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, QUIC, 020206 networking & telecommunications, Deep packet inspection, 02 engineering and technology, Encryption, Silhouette, Identification (information), Encoding (memory), 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, computer

Abstract

Video streaming traffic often dominates mobile wireless networks, forcing Internet Service Providers (ISPs) to deploy video shaping to identify and then manage traffic during congested periods Unfortunately, the increasing use of end-to-end encryption (e.g., TSL/SSL) makes it difficult to identify video flows even with deep packet inspection. As an alternative, this paper presents Silhouette -- a real-time, lightweight video classification method suitable for ISP middle-boxes. Silhouette uses only flow statistics (i.e., "shape") for video identification making it payload-agnostic, effective for identifying video flow even when encrypted. Preliminary results with pre-classified YouTube traffic shows the promise of the Silhouette approach, yielding high identification accuracy over a range of video content and encoding qualities.

Published

2018

450. Pilnų paketų analizės metodo ir požymių dalijimosi platformos integracija tinklo incidentų aptikimo ir tyrimo automatizavimui

Author

Bartkevičius, Karolis and Venčkauskas, Algimantas

Subjects

deep packet inspection, malware detection, MISP, network security, Moloch, tinklo sauga, pilnų paketų gaudyklė, incidentų aptikimas ir analizė

Abstract

Šio darbo tikslas yra sukurti automatizuotą incidentų aptikimo ir tyrimo priemonę, integravus pilnųjų paketų gaudyklę bei srauto analizės įrankį „Moloch“ su incidentų tyrimo rezultatų ir požymių dalijimosi platforma – MISP. Tokios priemonės poreikis pagrindžiamas apžvelgus incidentų valdymo metodiką, šiuolaikinės tinklo saugos priemones ir nustačius, kad dauguma priemonių yra skirtos prevencijos, aptikimo ir grėsmių neutralizavimo etapams, tačiau incidentų tyrimo sritis vis dar paremta daugiausia rankiniu darbu ir primityviomis priemonėmis. Sėkmingai atlikus integraciją, sukurta priemonė leidžia žymiai efektyviau aptikti ir tirti incidentus, kadangi incidentų požymiai pažymimi automatiškai, atkrinta žmogiškosios klaidos faktorius. Darbo pabaigoje pateikiami 3 pagrindiniai integruotos priemonės pritaikymo scenarijai: naudojimas kartu su incidentų aptikimo ir prevencijos sistemomis didelės svarbos tinkluose, naudojimas kaip pagrindinė incidentų aptikimo priemonė mažos svarbos tinkluose ir tik incidentų aptikimo bei analizės dalies panaudojimas incidentų tyrimui post factum., The goal of this paper is to create an incident detection and examination tool by integrating a full packet capturing, indexing, and database system Moloch with malware sharing platform MISP. The need for such tool is based on the conclusion of contemporary network security appliances analysis that most of them are aimed for incident prevention and protection, but the analysis and forensics parts are neglected. The integrated tool successfully detects incidents automatically and thus greatly improves investigation, because investigator no longer needs to enter queries and filters by hand, what also eliminates human error factor. In the final chapter, 3 possible use case scenarios are provided: using newly created tool along with IDPS, using it alone as low-cost but also less-effective IDS and using Moloch and MISP integration as an analysis tool for imported pcap files only.

Published

2018