355 research outputs found

    Real-time detection of grid bulk transfer traffic

    The current practice of physical science research has yielded a continuously growing demand for interconnection network bandwidth to support the sharing of large datasets. Academic research networks and internet service providers have provisioned their networks to handle this type of load, which generates prolonged, high-volume traffic between nodes on the network. Maintenance of QoS for all network users demands that the onset of these (Grid bulk) transfers be detected to enable them to be re-engineered through resources specifically provisioned to handle this type of traffic. This paper describes a real-time detector that operates at full line rate on Gb/s links, operates at high connection rates, and can track the use of ephemeral or non-standard ports.

    Collaborative internet worm containment

    Large-scale worm outbreaks that lead to distributed denial-of-service attacks pose a major threat to internet infrastructure security. To protect computers from such attacks, the deployment of fast, scalable security overlay networks based on distributed hash tables, facilitating high-speed intrusion detection and alert-information exchange, is proposed. An effective system for worm detection and cyberspace defence must have robustness, cooperation among multiple sites, responsiveness to unexpected worms, and efficiency and scalability. Deployment of collaborative WormShield monitors on just 1 percent of the vulnerable edge networks can detect worm signatures roughly 10 times faster than with independent monitors.

    A Model of an Abstract Network Packet Filter with the Ability to Classify Peer-to-Peer Interaction

    A mathematical model of an abstract network packet filter with the ability to classify peer-to-peer interaction is developed. Mathematical modelling, simulation modelling for the group method of data handling, and methods of mathematical statistics are used. The effectiveness of the proposed models and methods is verified by computing various performance metrics of the peer-to-peer interaction classifier. Combining different approaches in the synthesis of network filter rules allows abstraction from transport-layer protocols; the rules are described as a binary tree that is searched to determine whether a network packet belongs to the class of peer-to-peer interaction. The paper proposes a mathematical model of an abstract network packet filter that allows a flexible accounting (tariff) policy in general-purpose networks. By accounting policy we mean the possibility of imposing restrictions on a number of users who generate the largest volumes of information flows and thereby affect other participants in the network segment. Establishing an effective procedure to counter this phenomenon will improve the quality of the services provided and minimise the possibility of exceeding the allowed bandwidth. The abstract network filter can be combined with a system for monitoring the operation of a multiservice network, thereby providing a systematic approach to identifying problems and violations of access policy. By combining the reviewed methods, the proposed model identifies peer-to-peer interaction with increased accuracy. The process of creating classification filter rules is of particular importance; external tools that provide interaction signatures of applications may be used. The results of the theoretical studies were implemented as a separate software module of the packet classification system for automatically determining the parameters of interaction between applications in a peer-to-peer network. The learning process of the classification network is carried out automatically, which gives the system complete autonomy.

    Towards the Deployment of Machine Learning Solutions in Network Traffic Classification: A Systematic Survey

    Traffic analysis is a compound of strategies intended to find relationships, patterns, anomalies, and misconfigurations, among other things, in Internet traffic. In particular, traffic classification is a subgroup of strategies in this field that aims at identifying the application's name or type of Internet traffic. Nowadays, traffic classification has become a challenging task due to the rise of new technologies, such as traffic encryption and encapsulation, which decrease the performance of classical traffic classification strategies. Machine Learning gains interest as a new direction in this field, showing signs of future success, such as knowledge extraction from encrypted traffic and more accurate Quality of Service management. Machine Learning is fast becoming a key tool to build traffic classification solutions in real network traffic scenarios; in this sense, the purpose of this investigation is to explore the elements that allow this technique to work in the traffic classification field. Therefore, a systematic review is introduced based on the steps to achieve traffic classification by using Machine Learning techniques. The main aim is to understand and to identify the procedures followed by the existing works to achieve their goals. As a result, this survey paper finds a set of trends derived from the analysis performed on this domain; in this manner, the authors expect to outline future directions for Machine Learning based traffic classification.

    A traffic classification method using machine learning algorithm

    Applying concepts of attack investigation in the IT industry, this idea has been developed to design a Traffic Classification Method using Data Mining techniques together with a Machine Learning algorithm, which will classify normal and malicious traffic. This classification will help to learn about the unknown attacks faced by the IT industry. The notion of traffic classification is not a new concept; plenty of work has been done to classify network traffic for heterogeneous applications. Existing techniques (payload-based, port-based and statistics-based) have their own pros and cons, which will be discussed later in this literature, but classification using Machine Learning techniques is still an open field to explore and has provided very promising results up till now.

    From Intrusion Detection to Attacker Attribution: A Comprehensive Survey of Unsupervised Methods

    Over the last five years there has been an increase in the frequency and diversity of network attacks. This holds true, as more and more organisations admit compromises on a daily basis. Many misuse and anomaly based Intrusion Detection Systems (IDSs) that rely on either signatures, supervised or statistical methods have been proposed in the literature, but their trustworthiness is debatable. Moreover, as this work uncovers, the current IDSs are based on obsolete attack classes that do not reflect the current attack trends. For these reasons, this paper provides a comprehensive overview of unsupervised and hybrid methods for intrusion detection, discussing their potential in the domain. We also present and highlight the importance of feature engineering techniques that have been proposed for intrusion detection. Furthermore, we discuss that current IDSs should evolve from simple detection to correlation and attribution. We descant how IDS data could be used to reconstruct and correlate attacks to identify attackers, with the use of advanced data analytics techniques. Finally, we argue how the present IDS attack classes can be extended to match the modern attacks and propose three new classes regarding the outgoing network communication.

    Security Engineering of Patient-Centered Health Care Information Systems in Peer-to-Peer Environments: Systematic Review

    Background: Patient-centered health care information systems (PHSs) enable patients to take control and become knowledgeable about their own health, preferably in a secure environment. Current and emerging PHSs use either a centralized database, peer-to-peer (P2P) technology, or distributed ledger technology for PHS deployment. The evolving COVID-19 decentralized Bluetooth-based tracing systems are examples of disease-centric P2P PHSs. Although using P2P technology for the provision of PHSs can be flexible, scalable, resilient to a single point of failure, and inexpensive for patients, the use of health information on P2P networks poses major security issues as users must manage information security largely by themselves. Objective: This study aims to identify the inherent security issues for PHS deployment in P2P networks and how they can be overcome. In addition, this study reviews different P2P architectures and proposes a suitable architecture for P2P PHS deployment. Methods: A systematic literature review was conducted following PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) reporting guidelines. Thematic analysis was used for data analysis. We searched the following databases: IEEE Digital Library, PubMed, Science Direct, ACM Digital Library, Scopus, and Semantic Scholar. The search was conducted on articles published between 2008 and 2020. The Common Vulnerability Scoring System was used as a guide for rating security issues. Results: Our findings are consolidated into 8 key security issues associated with PHS implementation and deployment on P2P networks and 7 factors promoting them. Moreover, we propose a suitable architecture for P2P PHSs and guidelines for the provision of PHSs while maintaining information security. Conclusions: Despite the clear advantages of P2P PHSs, the absence of centralized controls and inconsistent views of the network on some P2P systems have profound adverse impacts in terms of security. The security issues identified in this study need to be addressed to increase patients' intention to use PHSs on P2P networks by making them safe to use.

    Machine and deep learning techniques for detecting internet protocol version six attacks: a review

    The rapid development of information and communication technologies has increased the demand for internet-facing devices that require publicly accessible internet protocol (IP) addresses, resulting in the depletion of internet protocol version 4 (IPv4) address space. As a result, internet protocol version 6 (IPv6) was designed to address this issue. However, IPv6 is still not widely used because of security concerns. An intrusion detection system (IDS) is one example of a security mechanism used to secure networks. Lately, the use of machine learning (ML) or deep learning (DL) detection models in IDSs is gaining popularity due to their ability to detect threats on IPv6 networks accurately. However, there is an apparent lack of studies that review ML and DL in IDS. Even the existing reviews of ML and DL fail to compare those techniques. Thus, this paper comprehensively elucidates ML and DL techniques and IPv6-based distributed denial of service (DDoS) attacks. Additionally, this paper includes a qualitative comparison with other related works. Moreover, this work also thoroughly reviews the existing ML and DL-based IDSs for detecting IPv6 and IPv4 attacks. Lastly, researchers could use this review as a guide in the future to improve their work on DL and ML-based IDS.

    An Effective Conversation-Based Botnet Detection Method

    A botnet is one of the most grievous threats to network security since it can evolve into many attacks, such as Denial-of-Service (DoS), spam, and phishing. However, current detection methods are inefficient at identifying unknown botnets. The high-speed network environment makes botnet detection more difficult. To solve these problems, we build on advances in packet processing technologies such as the New Application Programming Interface (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnets using a supervised machine learning approach in a high-speed network environment. Our contributions are summarized as follows: (1) Build a detection framework using PF_RING for sniffing and processing network traces to extract flow features dynamically. (2) Use a random forest model to extract promising conversation features. (3) Analyze the performance of different classification algorithms. The proposed method is demonstrated on the well-known CTU-13 dataset and non-malicious applications. The experimental results show that our conversation-based detection approach can identify botnets with higher accuracy and a lower false positive rate than the flow-based approach.