
    Network and Service Management Series: Series editorial

    This is the ninth issue of the series on Network and Service Management, which is typically published twice a year. It was originally published in April and October, but since last year it has been published in July and December. The series provides articles on the latest developments in this well-established discipline, highlighting recent research achievements and providing insight into both theoretical and practical issues related to the evolution of the discipline from different perspectives. The series provides a forum for the publication of both academic and industrial research, addressing the state of the art, theory, and practice in network and service management.

    Autonomic Parameter Tuning of Anomaly-Based IDSs: an SSH Case Study

    Anomaly-based intrusion detection systems classify network traffic instances by comparing them with a model of normal network behavior. To be effective, such systems are expected to precisely detect intrusions (high true positive rate) while limiting the number of false alarms (low false positive rate). However, there is a natural trade-off between detecting all anomalies (at the expense of raising alarms too often) and missing anomalies (but not issuing any false alarms). The parameters of a detection system play a central role in this trade-off, since they determine how responsive the system is to an intrusion attempt. Despite the importance of properly tuning the system parameters, the literature has put little emphasis on the topic, and the task of adjusting such parameters is usually left to the expertise of the system manager or expert IT personnel. In this paper, we present an autonomic approach for tuning the parameters of anomaly-based intrusion detection systems in the case of SSH traffic. We propose a procedure that aims to automatically tune the system parameters and, by doing so, to optimize the system performance. We validate our approach by testing it on a flow-based probabilistic detection system for the detection of SSH attacks.

    IT Intrusion Detection Using Statistical Learning and Testbed Measurements

    We study automated intrusion detection in an IT infrastructure, specifically the problem of identifying the start of an attack, the type of attack, and the sequence of actions an attacker takes, based on continuous measurements from the infrastructure. We apply statistical learning methods, including Hidden Markov Model (HMM), Long Short-Term Memory (LSTM), and Random Forest Classifier (RFC), to map sequences of observations to sequences of predicted attack actions. In contrast to most related research, we have abundant data to train the models and evaluate their predictive power. The data comes from traces we generate on an in-house testbed where we run attacks against an emulated IT infrastructure. Central to our work is a machine-learning pipeline that maps measurements from a high-dimensional observation space to a space of low dimensionality or to a small set of observation symbols. Investigating intrusions in offline as well as online scenarios, we find that both HMM and LSTM can be effective in predicting attack start time, attack type, and attack actions. If sufficient training data is available, LSTM achieves higher prediction accuracy than HMM. HMM, on the other hand, requires less computational resources and less training data for effective prediction. Also, we find that the methods we study benefit from data produced by traditional intrusion detection systems like SNORT.
    Comment: A shortened version of this paper will appear in the conference proceedings of NOMS 2024 (IEEE/IFIP Network Operations and Management Symposium).

    Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX

    Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as NetFlow and IPFIX, data collection, and data analysis. In contrast to what is often assumed, all stages of flow monitoring are closely intertwined. Each of these stages therefore has to be thoroughly understood before sound flow measurements can be performed. Otherwise, flow data artifacts and data loss can be the consequence, potentially without being observed. This paper is the first of its kind to provide an integrated tutorial on all stages of a flow monitoring setup. As shown throughout this paper, flow monitoring has evolved from the early 1990s into a powerful tool, and additional functionality will certainly be added in the future. We show, for example, how the previously opposing approaches of deep packet inspection and flow monitoring have been united into novel monitoring approaches.

    Interim research assessment 2003-2005 - Computer Science

    This report primarily serves as a source of information for the 2007 Interim Research Assessment Committee for Computer Science at the three technical universities in the Netherlands. The report also provides information for others interested in our research activities.

    Local and Regional Distribution of POPs in Mountain Environments: Evaluation of Burden and Fluxes in Biotic and Abiotic Matrices

    In this work some of the main factors that influence the partitioning and distribution of POPs in mountain environments, and the behaviour of pollutants within a pasture environment, are highlighted. The variability of contamination at a local scale has been analyzed in depth in the main study area of the Andossi plateau, giving useful information about the dependence of contamination on seasonality, soil and meteorological features. With the findings of chapter II (which gave a good definition of the horizontal, vertical and seasonal variability of contamination at local scale) and the modeling of chapter III, it is possible to integrate a set of simple data (about OM content and soil temperatures) with concentration data from a few samples to obtain detailed maps of potential contamination and release in a mountain environment. By knowing the local variability at high resolution it is possible to draw realistic pictures of concentration in complex alpine environments and evaluate exposure risk for the local fauna or for the domestic animals grazing on alpine pastures. Chapter IV reports the first field work on the different retention potential of humic substances. OM is generally considered in POPs distribution papers as a single indistinct component of soil, and its effect is viewed only as quantitative (a general direct relationship between OM content and POPs concentration), but the different retention potential of humin, humic acids and fulvic acids may change this view. Moreover, the three humic substances behave differently in terms of mobility and general ability to distribute vertically and horizontally within the soil, affecting the transport of the pollutants adsorbed to them.
    In chapters V and VI the distribution in biotic matrices has been evaluated, showing a strict relation between soil and vegetation contamination (also taking into account local variability due to different solar exposure) and also a good relation between POPs concentration in vegetation and in milk. Seasonality of contamination and grazing location could lead to different intake of contaminants by cows and therefore higher or lower milk contamination. The first POPs contamination data in the Mt. Meru area (Tanzania) are reported in chapter VII, and some of the findings about regional-scale distribution factors have been confirmed in an equatorial area.