36 research outputs found

    No NAT'd User left Behind: Fingerprinting Users behind NAT from NetFlow Records alone

    It is generally recognized that the traffic generated by an individual connected to a network acts as his biometric signature. Several tools exploit this fact to fingerprint and monitor users. Often, though, these tools assume access to the entire traffic, including IP addresses and payloads. This is not feasible, since both performance and privacy would be negatively affected. In reality, most ISPs convert user traffic into NetFlow records for a concise representation that does not include, for instance, any payloads. More importantly, large and distributed networks are usually NAT'd, so a few IP addresses may be associated with thousands of users. We devised a new fingerprinting framework that overcomes these hurdles. Our system is able to analyze a huge amount of network traffic represented as NetFlows, with the intent to track people. It does so by accurately inferring when users are connected to the network and which IP addresses they are using, even though thousands of users are hidden behind NAT. Our prototype implementation was deployed and tested within an existing large metropolitan WiFi network serving about 200,000 users, with an average load of more than 1,000 users simultaneously connected behind only 2 NAT'd IP addresses. Our solution turned out to be very effective, with an accuracy greater than 90%. We also devised new tools and refined existing ones that may be applied to other contexts related to NetFlow analysis.

    Intelligent Intrusion Detection System Using Genetic Algorithm

    Intrusion detection is an essential and important technique in the research field. One of the main challenges in the security systems of large-scale high-speed networks is the detection of suspicious anomalies in network traffic patterns caused by different kinds of network attacks. We describe the attacks normally identified by intrusion detection systems. Existing intrusion detection methods and systems can be differentiated based on the underlying computational methods used. Intrusion detection methods started appearing in the last few years. In this paper we propose an intrusion detection method using a Genetic Algorithm (GA). In this research, the contribution of each of the above-mentioned techniques will be systematically summarized and compared, which will allow us to clearly define existing research challenges and to highlight promising new research directions.

    Tiresias: Online Anomaly Detection for Hierarchical Operational Network Data

    Operational network data, management data such as customer care call logs and equipment system logs, is a very important source of information for network operators to detect problems in their networks. Unfortunately, there is a lack of efficient tools to automatically track and detect anomalous events in operational data, causing ISP operators to rely on manual inspection of this data. While anomaly detection has been widely studied in the context of network data, operational data presents several new challenges, including the volatility and sparseness of the data and the need to perform fast detection (complicating the application of schemes that require offline processing or large/stable data sets to converge). To address these challenges, we propose Tiresias, an automated approach to locating anomalous events in hierarchical operational data. Tiresias leverages the hierarchical structure of operational data to identify high-impact aggregates (e.g., locations in the network, failure modes) likely to be associated with anomalous events. To accommodate different kinds of operational network data, Tiresias consists of an online detection algorithm with low time and space complexity that preserves high detection accuracy. We present results from two case studies using operational data collected at a large commercial IP network operated by a Tier-1 ISP: customer care call logs and set-top box crash logs. By comparing with a reference set verified by the ISP's operational group, we validate that Tiresias can achieve >94% accuracy in locating anomalies. Tiresias also discovered several previously unknown anomalies in the ISP's customer care cases, demonstrating its effectiveness.

    On the Interaction between TCP and the Wireless Channel in CDMA2000 Networks

    In this work, we conducted extensive active measurements on a large nationwide CDMA2000 1xRTT network in order to characterize the impact of both the Radio Link Protocol and, more importantly, the wireless scheduler on TCP. Our measurements include standard TCP/UDP logs, as well as detailed RF layer statistics that allow observability into RF dynamics. With the help of a robust correlation measure, normalized mutual information, we were able to quantify the impact of these two RF factors on TCP performance metrics such as the round trip time, packet loss rate, instantaneous throughput, etc. We show that the variable channel rate has the larger impact on TCP behavior when compared to the Radio Link Protocol. Furthermore, we expose and rank the factors that influence the assigned channel rate itself and, in particular, demonstrate the sensitivity of the wireless scheduler to the data sending rate. Thus, TCP adapts its rate to match the available network capacity, while the rate allocated by the wireless scheduler is influenced by the sender's behavior. Such a system is best described as a closed loop system with two feedback controllers, the TCP controller and the wireless scheduler, each one affecting the other's decisions. In this work, we take the first steps in characterizing such a system in a realistic environment.

    TCP over CDMA2000 Networks: A Cross-Layer Measurement Study

    Modern cellular channels in 3G networks incorporate sophisticated power control and dynamic rate adaptation, which can have a significant impact on adaptive transport layer protocols such as TCP. Though there exist studies that have evaluated the performance of TCP over such networks, they are based solely on observations at the transport layer and hence have no visibility into the impact of lower layer dynamics, which are a key characteristic of these networks. In this work, we present a detailed characterization of TCP behavior based on cross-layer measurement of transport layer, RF and MAC layer parameters. In particular, through a series of active TCP/UDP experiments and measurement of the relevant variables at all three layers, we characterize both the wireless scheduler and the radio link protocol in a commercial CDMA2000 network and assess their impact on TCP dynamics. Somewhat surprisingly, our findings indicate that the wireless scheduler is mostly insensitive to channel quality and sector load over short timescales and is mainly affected by the transport layer data rate. Furthermore, with the help of a robust correlation measure, Normalized Mutual Information, we were able to quantify the impact of the wireless scheduler and the radio link protocol on various TCP parameters such as the round trip time, throughput and packet loss rate.

    Distinguishing DDoS attacks from flash crowds using probability metrics

    Flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of internet traffic; however, Flash crowds are legitimate flows while DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from Flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these methods can not only distinguish DDoS attacks from Flash crowds clearly, but can also effectively distinguish an anomalous flow, whether a DDoS attack flow or a Flash crowd flow, from normal network flow. Furthermore, we show that our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.

    Traffic measurement and analysis of Wide Area Network (WAN) link usage: a case study of UiTM Perlis campus network / Abidah Mat Taib, Rafiza Ruslan and Abdul Hadi Kamel Abdullah

    Network users normally start complaining when the response time for network access is intolerable or their network access is intermittently interrupted for unclear reasons. Knowing how the network bandwidth is being utilized by the users gives the administrator some idea of the possible reasons for the network access problems and how to alleviate them. Some users may just use the network for running non-bandwidth-intensive applications like email and telnet, while others may use the network for running bandwidth-intensive applications such as video streaming and downloading big files using ftp. Many users may visit popular web sites that are not related to their work during office hours. The above information about bandwidth utilization on a network link can be acquired through measurement and analysis of the network traffic that passes through the link. This paper discusses real time passive measurement of the network traffic on the WAN link that connects the UiTM Perlis campus network to the main campus of UiTM in Shah Alam. The analysis of the traffic helped us to understand some aspects of the WAN link utilization. This includes the average bandwidth utilization, popular application layer protocols and popular websites among different user segments, and also some anomalies found in the captured trace.

    TIME-BASED TRAFFIC CLUSTERING WITH THE CLUSTREAM ALGORITHM FOR ANOMALY DETECTION IN TRAFFIC STREAMS

    In the current development of internet network technology, there is much discussion of attack phenomena or threats against a computer or server. There are many types of threats to computers in an internet network, such as DoS (Denial of Service), DDoS (Distributed Denial of Service), flash crowds, and so on. Therefore, to make it easier to obtain the desired information, these traffic anomalies need to be grouped in order to recognize new types of attacks. Given this problem, a traffic anomaly detection system is needed that is capable of detecting anomalies and recognizing each incoming attack by grouping them by time and group. Time and group are the parameters used to improve the detection accuracy of the algorithm. In this research, an IDS method using the clustream algorithm was built. As a result of this research, the system built works well in real time at detecting and distinguishing normal traffic from anomalous traffic. Traffic is grouped every 2 seconds and then analyzed with the clustream algorithm. The algorithm is divided into an online phase (micro-clustering) and an offline phase (macro-clustering), where macro-clustering uses the data produced by micro-clustering. Keywords: traffic anomaly, clustering, clustream algorithm, stream traffi

    Traffic anomaly detection and characterization in the tunisian national university network

    Abstract. Traffic anomalies are characterized by unusual and significant changes in network traffic behavior. They can be malicious or unintentional. Malicious traffic anomalies can be caused by attacks, abusive network usage and worm or virus propagation. Unintentional ones, however, can be caused by failures, flash crowds or router misconfigurations. In this paper, we present an anomaly detection system derived from the anomaly detection schema presented by Mei-Ling Shyu i