335 research outputs found

    Cellular and Wi-Fi technologies evolution: from complementarity to competition

    This PhD thesis has the characteristic of spanning a long time because, while working on it, I was working as a research engineer at CTTC with highly demanding development duties. This has delayed the deposit more than I would have liked. On the other hand, this has given me the privilege of witnessing and studying how wireless technologies have evolved over a decade from 4G to 5G and beyond. When I started my PhD thesis, IEEE and 3GPP were defining the two main wireless technologies at the time, Wi-Fi and LTE, covering two substantially complementary market targets. Wi-Fi was designed to operate mostly indoors, in unlicensed spectrum, and was aimed to be a simple and cheap technology. Its primary technology for coexistence was based on the assumption that the spectrum on which it was operating was free, and so it was designed with interference avoidance through the famous CSMA/CA protocol. On the other hand, 3GPP was designing technologies for licensed spectrum, a costly kind of spectrum. As a result, LTE was designed to take the best advantage of it while providing the best QoE in mainly outdoor scenarios. The PhD thesis starts in this context and evolves with these two technologies. In the first chapters, the thesis studies radio resource management solutions for standalone operation of Wi-Fi in unlicensed and LTE in licensed spectrum. We anticipated the now fundamental machine learning trend by working on machine learning-based radio resource management solutions to improve LTE and Wi-Fi operation in their respective spectrum. We pay particular attention to small cell deployments aimed at improving spectrum efficiency in licensed spectrum, reproducing the short-range scenarios typical of Wi-Fi settings.
IEEE and 3GPP kept evolving the technologies over the years: Wi-Fi has grown into a much more complex and sophisticated technology, incorporating the key features of cellular technologies, like HARQ, OFDMA, MU-MIMO, MAC scheduling and spatial reuse. On the other hand, since Release 13, cellular networks have also been designed for unlicensed spectrum. As a result, the two last chapters of this thesis focus on coexistence scenarios, in which LTE needs to be designed to coexist fairly with Wi-Fi, and NR, the radio access for 5G, with Wi-Fi in 5 GHz and WiGig in 60 GHz. Unlike LTE, which was adapted to operate in unlicensed spectrum, NR-U is natively designed with this feature, including its capability to operate in unlicensed spectrum in a completely standalone fashion, a fundamental new milestone for cellular. In this context, our focus of analysis changes. We consider that these two technological families are no longer targeting complementarity but are now competing, and we claim that this will be the trend for the years to come. To enable research in these multi-RAT scenarios, another fundamental result of this PhD thesis, besides the scientific contributions, is the release of high-fidelity models for LTE and NR and their coexistence with Wi-Fi and WiGig to the ns-3 open-source community. ns-3 is a popular open-source network simulator, with the characteristic of being multi-RAT, and so it naturally allows the evaluation of coexistence scenarios between different technologies. These models, for which I led the development, are, by academic citations, the most used open-source simulation models for LTE and NR and have received funding from industry (Ubiquisys, WFA, SpiderCloud, Interdigital, Facebook) and federal agencies (NIST, LLNL) over the years.

    Unsupervised Intrusion Detection with Cross-Domain Artificial Intelligence Methods

    Cybercrime is a major concern for corporations, business owners, governments and citizens, and it continues to grow in spite of increasing investments in security and fraud prevention. The main challenges in this research field are detecting unknown attacks and reducing the false positive rate. The aim of this research work was to target both problems by leveraging four artificial intelligence techniques. The first technique is a novel unsupervised learning method based on skip-gram modelling. It was designed, developed and tested against a public dataset with popular intrusion patterns. A high accuracy and a low false positive rate were achieved without prior knowledge of attack patterns. The second technique is a novel unsupervised learning method based on topic modelling. It was applied to three related domains (network attacks, payment fraud, IoT malware traffic). A high accuracy was achieved in the three scenarios, even though the malicious activity differs significantly from one domain to the other. The third technique is a novel unsupervised learning method based on deep autoencoders, with feature selection performed by a supervised method, random forest. The results obtained showed that this technique can outperform other similar techniques. The fourth technique is based on an MLP neural network and is applied to alert reduction in fraud prevention. This method automates manual reviews previously done by human experts, without significantly impacting accuracy.

    The case for validating ADDIE model as a digital forensic model for peer to peer network investigation

    Rapid technological advancement can substantially impact the processes of digital forensic investigation and present a myriad of challenges to the investigator. With these challenges, it is necessary to have a standard digital forensic framework as the foundation of any digital investigation. State-of-the-art digital forensic models assume that it is safe to move from one investigation stage to the next; such a framework guides investigators through the required steps and procedures. This makes it a great stride to validate a non-specific framework that can be used in most digital investigation procedures. This paper considers a new technique for detecting active peers that participate in a peer-to-peer (P2P) network. As part of our study, we crawled the μTorrent P2P client over ten days in different instances while logging all participating peers. We then employed digital forensic techniques to analyse the popular users and generate evidence from them with high accuracy. We evaluated our approach against the standard Analysis, Design, Development, Implementation, and Evaluation (ADDIE) model for digital investigation to achieve the credible digital evidence presented in this paper. Finally, we presented a validation case for the ADDIE model using the United States Daubert Test and the United Kingdom’s Forensic Science Regulator Guidance – 218 (FSR-G-218) and Forensic Science Regulator Guidance – 201 (FSR-G-201) to formulate it as a standard digital forensic model.

    Monitoring and testing in LTE networks: from experimental analysis to operational optimisation

    The advent of LTE and LTE-Advanced, and their integration with the existing cellular technologies, GSM and UMTS, has forced mobile radio network operators to perform meticulous tests and adopt the right know-how to detect potential new issues before the activation of new services. In this new network scenario, traffic characterisation and monitoring, as well as the configuration and on-air reliability of network equipment, are of paramount relevance in order to prevent possible pitfalls during the deployment of new services and ensure the best possible user experience.
Based on this observation, this research project offers a comprehensive study that goes from experimental analysis to operational optimisation. The starting point of our work has been monitoring the traffic of an already deployed eNodeB with three cells, operating in the 1800 MHz band. Through subsequent measurement campaigns, it was possible to follow the evolution of the 4G network from the beginning of its deployment in 2012 until its full maturity in 2015. The data collected during the first year showed poor use of the LTE network, mainly due to the limited penetration of new 4G smartphones. In 2015, however, we observed a clear and decisive increase in the number of terminals using LTE, with aggregate statistics (e.g. market share of smartphone operating systems, or the percentage of video traffic) that reflect the national trend. This important outcome testifies to the maturity of LTE technology and allows us to consider our monitored eNodeB a valuable vantage point for traffic analysis. Hand in hand with the evolution of the infrastructure, mobile phones have also had a surprising evolution over the past two decades, from simple devices with only voice services towards smartphones offering novel services such as mobile Internet, geolocation and maps, multimedia services, and many more. Monitoring the real traffic has allowed us to study user behaviour and identify the most used services. To this aim, various software libraries for traffic analysis have been developed. In particular, we developed a C/C++ library that analyses Control Plane and User Plane traffic and provides coarse- and fine-grained statistics at flow level. Another framework/tool has been exclusively dedicated to the topic of traffic classification. Among the plethora of existing tools for traffic classification we provide our own solution, developed from scratch. The project, which is available on GitHub, is named MOSEC, an acronym for MOdular SErvice Classifier.
The modularity is given by the possibility of implementing multiple plug-ins, each of which processes the packet according to its own logic and may or may not return a packet/flow classification. A final decision strategy classifies the various flows based on the classifications of each plug-in. Unlike previous approaches, keeping multiple classifiers together mitigates the deficiencies of each classifier (e.g. Deep Packet Inspection (DPI) does not work when packets are encrypted, and DNS queries do not have to be sent if name resolution is cached in device memory) while exploiting their full capabilities when feasible. We validated the goodness of MOSEC using a labelled trace synthetically created by colleagues from UPC BarcelonaTech. The results show excellent TCP-HTTP/HTTPS traffic classification capabilities, higher on average than those of other classification tools (nDPI, PACE, Layer-7). On the other hand, there are some shortcomings with regard to the classification of UDP traffic. The characteristics of User Plane traffic have a direct impact on the energy consumed by handset devices, and an indirect impact on the Control Plane traffic that is generated. Therefore, knowledge of the statistical properties of the various flows allows us to deal with the problem of cross-layer optimisation, that is, reducing the power consumption of the terminals by varying some control plane parameters configurable on the eNodeB. It is well known that the battery life of new smartphones is one of the major limitations in their use. In particular, the birth of new services and applications capable of working in the background without direct user interaction has introduced new issues related to battery lifetime and the signalling traffic necessary to acquire/release radio resources.
Based on these observations, we conducted a thorough study on the DRX (Discontinuous Reception) mechanism, exploited by LTE to save smartphone energy when no packet is sent or received. The DRX configuration set and the RRC Inactivity Timer greatly affect the energy consumed by the various devices. Depending on whether radio resources are allocated or not, the user equipment is in the RRC Connected or RRC Idle state, respectively. To evaluate the energy consumption of smartphones, an algorithm simulates the transitions between all the possible states in which a UE can be and maps a power value to each of these states. The transition from one state to another is governed by different timeouts that are reset every time a packet is sent or received. Using the real traffic traces, we associate a state machine with each UE to assess its energy consumption on the basis of the packets sent and received. We repeated these simulations using different values of the Inactivity Timer that appear more suitable than the one currently configured on the monitored eNodeB, looking for a good trade-off between energy savings and increased signalling traffic. The results highlighted that the Inactivity Timer originally set on the eNodeB was too high and caused excessive energy consumption on the terminals. Reducing the value down to 10 seconds achieves energy savings of up to 50% (depending on the underlying traffic profile) without considerably increasing the control traffic. The results of the study mentioned above, however, consider neither the stress level to which the eNodeB is subjected, given the rise in signalling traffic that could occur, nor the increase in collision probability during the RACH procedure needed to re-establish the radio bearer (or RRC connection) between the terminal and the eNodeB.
Evaluating the performance of hardware and software systems for the fourth-generation mobile network, as well as identifying any possible weakness in the architecture, is a complex job. A possible case study is precisely to assess the robustness of the base station when it receives many RRC connection requests as an effect of a decrease of the Inactivity Timer. In this regard, within the Testing LAB of Telecom Italia, we used IxLoad, a product developed by Ixia, as a load generator to test the robustness of one eNodeB. The tests consisted in producing different loads of RRC requests on the radio interface, similar to those that would be produced by decreasing the Inactivity Timer to certain values. The statistical properties of the signalling traffic are derived from the analysis of real traffic traces. The main outcomes have shown that, even in the face of a high load of RRC requests, only a small part (less than 1% in the most unfavourable case) of the procedures fail. Therefore, even lowering the Inactivity Timer to values below 10 seconds is not an issue for the base station. Finally, it remains to be evaluated how such a surge of RRC requests impacts user performance. If one of the users under coverage in RRC Idle is paged for an incoming packet or needs to send an uplink packet, a state transition from RRC Idle to RRC Connected is needed. At this point, the UE initiates the random access procedure by sending the random access channel preamble (RACH Preamble). When two or more users attempt simultaneously to access the RACH channel using the same preamble, the eNodeB may not be able to decode the preamble. If the two signals interfere constructively, both users receive the same resources for transmitting the RRC Request message; at this point, the eNodeB can detect the collision and will not send any acknowledgement, forcing both users to restart the procedure from the beginning.
We have proposed an analytical model to calculate the collision probability as a function of the number of users and the offered traffic load, when the interarrival time between requests is modelled with hyper-exponential distributions. In addition, we investigated the performance of Machine-to-Machine (M2M) and Human-to-Human (H2H) communications, including the probability of correct transmission considering both the backoff time and the maximum number of allowed retransmissions, and the average time required to establish a radio bearer with the access network. The results, considered as a whole, have made it possible to express guidelines for properly distributing the number of preambles between H2H and M2M communications.

    Experimental analysis of WiMAX and meshed Wi-Fi quality of service

    Master's in Electronic and Telecommunications Engineering. The telecommunications industry has undergone an enormous evolution in recent years. Both in terms of wireless communications and in terms of broadband connections, there has been massive adoption by the market, which has translated into enormous growth, since technology must stay one step ahead of demand in order to meet consumers' needs. Thus, the evolution pursues a clear goal: the possibility of having broadband connectivity anywhere and at any time. In this context, the WiMAX (Worldwide Interoperability for Microwave Access) and Meshed Wi-Fi technologies appear as possibilities to reach this end. The subject of this dissertation is the study of the WiMAX and Meshed Wi-Fi technologies, more specifically the study of the Quality of Service (QoS) provided by the IEEE 802.16 and IEEE 802.11s standards for VoIP and VoD services. This thesis presents the architecture developed for the correct integration of QoS for real-time services in next-generation wireless broadband access. It then presents tests carried out with the available WiMAX and Meshed Wi-Fi equipment, in order to show the correct behaviour of end-to-end QoS assignment in the chosen scenarios with real-time services, as well as the effects of mobility on the Meshed Wi-Fi technology.

ABSTRACT: The telecommunication industry has undergone a massive evolution throughout past years. In terms of wireless communications, as well as broadband connections, we've seen a massive adoption by the market, which led to enormous growth, since the technology must always be one step ahead of the demand in order to fulfill the needs of the consumers. Therefore, the evolution pursues one clear goal: the possibility to establish a broadband connection anywhere and anytime. In this context, the WiMAX (Worldwide Interoperability for Microwave Access) and Meshed Wi-Fi technologies appear as possibilities to reach this goal. The subject of this thesis is the study of both the WiMAX and Meshed Wi-Fi technologies, and more concretely the study of the QoS provided by the IEEE 802.16 and IEEE 802.11s standards to VoIP and VoD services. This thesis presents the architecture developed to provide the correct integration of QoS for real-media traffic in next generation broadband wireless access. It presents tests carried out with the available WiMAX and Meshed Wi-Fi equipment, to show the correct behavior in the attribution of end-to-end QoS in selected scenarios with real-time services, as well as mobility effects on Wi-Fi Wireless Mesh technology.

    Intrusion Detection System against Denial of Service attack in Software-Defined Networking

    The exponential growth of online services and of the data volume transferred over communication networks makes it necessary to replace the structure of traditional networks with a new paradigm that adapts to current requirements. Software-Defined Networking (SDN) is an advanced network architecture for this purpose, which aims to transform the traditional network into a more flexible network that adapts to growing requirements. In contrast to the traditional network, SDN allows the decoupling of the control and data planes in order to monitor, configure and optimize network resources efficiently. It has a centralized controller with a global network view that manages its resources through programmable interfaces. However, central control brings new security vulnerabilities and acts as a single point of failure that a malicious user can exploit to disrupt normal network functionality. The attacker thus launches massive traffic, known as a Distributed Denial-of-Service (DDoS) attack, from the SDN infrastructure layer towards the controller. This DDoS attack leads to saturation of the control channel bandwidth and occupies the controller's resources. Furthermore, the SDN architecture inherits some attack types from traditional networks. For example, the attacker forges packets to appear benign and then targets the traditional DDoS targets such as hosts, servers, applications and routers. This work examines the behaviour of malicious users. It then presents an Intrusion Detection System (IDS) to protect the SDN environment against DDoS attacks. The IDS considers three approaches to obtain sufficient feedback about the ongoing traffic through the SDN architecture: the information from an external device, the OpenFlow channel and the flow table. The proposed IDS therefore consists of three components. The Inspector Device prevents malicious users from launching a saturation attack on the SDN controller. The Convolutional Neural Network (CNN) component uses one-dimensional convolutional neural networks (1D-CNN) to analyse the controller's traffic over the OpenFlow channel. The Deep Learning Algorithm (DLA) component uses Recurrent Neural Networks (RNN) to detect the inherited DDoS attacks. It also supports distinguishing between malicious and benign users as a new countermeasure. At the end of this work, all proposed components are modelled with the network emulator Mininet and the Python programming language to test their feasibility. The simulation results show that the proposed IDS delivers above-average performance compared to several benchmarking and state-of-the-art proposals.

The exponential growth of online services and the data volume transferred over the communication networks raises the need to change the structure of traditional networks to a new paradigm that adapts to the development's demands. Software-Defined Networking (SDN) is an advanced network architecture aiming to evolve and transform the traditional network into a more flexible network that responds to the new requirements. In contrast to the traditional network, SDN allows decoupling of the control and data plane functionalities to monitor, configure, and optimize network resources efficiently. It has a centralized controller with a global network view to manage its resources using programmable interfaces. The central control brings new security vulnerabilities and acts as a single point of failure, which the malicious user might exploit to disrupt the network functionality. Thus, the attacker launches massive traffic known as a Distributed Denial of Service (DDoS) attack from the SDN infrastructure layer towards the controller. This DDoS attack leads to saturation of control channel bandwidth and destroys the controller resources. Furthermore, the SDN architecture inherits some attack types from the traditional networks. Therefore, the attacker forges the packets to appear benign and then targets the traditional DDoS objectives such as hosts, servers, applications and routers. This work observes the behavior of malicious users. It then presents an Intrusion Detection System (IDS) to safeguard the SDN environment against DDoS attacks. The IDS considers three approaches to obtain sufficient feedback about the ongoing traffic through the SDN architecture: the information from an external device, the OpenFlow channel, and the flow table. Therefore, the proposed IDS consists of three components: the Inspector Device prevents the malicious users from launching the saturation attack towards the SDN controller; the Convolutional Neural Network (CNN) component employs One-Dimensional Convolutional Neural Networks (1D-CNN) to analyze the controller's traffic through the OpenFlow channel; and the Deep Learning Algorithm (DLA) component employs Recurrent Neural Networks (RNN) to detect the inherited DDoS attacks. The IDS also supports distinguishing between malicious and benign users as a new countermeasure. At the end of this work, all the proposed components are modeled with the network emulator Mininet and the Python programming language to test their feasibility. The simulation results demonstrate that the proposed IDS outperforms several benchmarking and state-of-the-art proposals.

    APIC: A method for automated pattern identification and classification

    Machine Learning (ML) is a transformative technology at the forefront of many modern research endeavours. The technology is generating a tremendous amount of attention from researchers and practitioners, providing new approaches to solving complex classification and regression tasks. While concepts such as Deep Learning have existed for many years, the computational power for realising the utility of these algorithms in real-world applications has only recently become available. This dissertation investigated the efficacy of a novel, general method for deploying ML in a variety of complex tasks, where best feature selection, data-set labelling, model definition and training processes were determined automatically. Models were developed in an iterative fashion, evaluated using both training and validation data sets. The proposed method was evaluated using three distinct case studies, describing complex classification tasks often requiring significant input from human experts. The results achieved demonstrate that the proposed method compares with, and often outperforms, less general, comparable methods designed specifically for each task. Feature selection, data-set annotation, model design and training processes were optimised by the method, where less complex, comparatively accurate classifiers with lower dependency on computational power and human expert intervention were produced. In chapter 4, the proposed method demonstrated improved efficacy over comparable systems, automatically identifying and classifying complex application protocols traversing IP networks. In chapter 5, the proposed method was able to discriminate between normal and anomalous traffic, maintaining accuracy in excess of 99%, while reducing false alarms to a mere 0.08%. Finally, in chapter 6, the proposed method discovered more optimal classifiers than those implemented by comparable methods, with classification scores rivalling those achieved by state-of-the-art systems. 
The findings of this research concluded that developing a fully automated, general method, exhibiting efficacy in a wide variety of complex classification tasks with minimal expert intervention, was possible. The method and the various artefacts produced in each case study of this dissertation are thus significant contributions to the field of ML.

    Accountable infrastructure and its impact on internet security and privacy

    The Internet infrastructure relies on the correct functioning of the basic underlying protocols, which were designed for functionality. Security and privacy have been added post hoc, mostly by applying cryptographic means to different layers of communication. In the absence of accountability as a fundamental property, the Internet infrastructure does not have a built-in ability to associate an action with the responsible entity, nor to detect or prevent misbehavior. In this thesis, we study accountability from a few different perspectives. First, we study the need for accountability in anonymous communication networks as a mechanism that provides repudiation for the proxy nodes by tracing back selected outbound traffic in a provable manner. Second, we design a framework that provides a foundation to support the enforcement of the right to be forgotten law in a scalable and automated manner. The framework provides a technical means for users to prove their eligibility for content removal from search results. Third, we analyze the Internet infrastructure, determining potential security risks and threats imposed by dependencies among the entities on the Internet. Finally, we evaluate the feasibility of using hop count filtering as a mechanism for mitigating Distributed Reflective Denial-of-Service attacks, and conceptually show that it cannot work to prevent these attacks.

The Internet infrastructure relies on the correct execution of underlying protocols that were developed with a focus on functionality. Security and privacy were added afterwards, mainly by applying cryptographic methods in various layers of the protocol stack. The lack of accountability, a fundamental property that links actions to those responsible for them, however prevents misbehaviour from being detected and stopped. This dissertation considers accountability on the Internet from different angles. First, we examine the need for accountability in anonymised communication networks in order to allow proxy nodes to provably trace misbehaviour back to its actual originator. Second, we design a framework that supports the scalable and automated implementation of the right to be forgotten. Our framework gives users the technical means to prove their eligibility for the removal of search results. Third, we analyse the Internet infrastructure to determine possible security risks and threats arising from dependencies between the various entities involved. Finally, we evaluate the feasibility of hop count filtering as a tool for mitigating DRDoS attacks, and we show that this tool cannot conceptually prevent this kind of attack.

    Enabling knowledge-defined networks : deep reinforcement learning, graph neural networks and network analytics

    Significant breakthroughs in the last decade in the Machine Learning (ML) field have ushered in a new era of Artificial Intelligence (AI). In particular, recent advances in Deep Learning (DL) have enabled the development of a new breed of modeling and optimization tools with a plethora of applications in different fields like natural language processing or computer vision. In this context, the Knowledge-Defined Networking (KDN) paradigm highlights the lack of adoption of AI techniques in computer networks and, as a result, proposes a novel architecture that relies on Software-Defined Networking (SDN) and modern network analytics techniques to facilitate the deployment of ML-based solutions for efficient network operation. This dissertation aims to be a step forward in the realization of Knowledge-Defined Networks. In particular, we focus on the application of AI techniques to control and optimize networks more efficiently and automatically. To this end, we identify two components within the KDN context whose development may be crucial to achieve self-operating networks in the future: (i) the automatic control module, and (ii) the network analytics platform. The first part of this thesis is devoted to the construction of efficient automatic control modules. First, we explore the application of Deep Reinforcement Learning (DRL) algorithms to optimize the routing configuration in networks. DRL has recently demonstrated an outstanding capability to efficiently solve decision-making problems in other fields. However, the first DRL-based attempts to optimize routing in networks have failed to achieve good results, often under-performing traditional heuristics. In contrast to previous DRL-based solutions, we propose a more elaborate network representation that helps DRL agents learn efficient routing strategies. Our evaluation results show that DRL agents using the proposed representation achieve better performance and learn faster how to route traffic in an Optical Transport Network (OTN) use case. Second, we lay the foundations for the use of Graph Neural Networks (GNN) to build ML-based network optimization tools. GNNs are a newly proposed family of DL models specifically tailored to operate and generalize over graphs of variable size and structure. In this thesis, we posit that GNNs are well suited to model the relationships between different network elements inherently represented as graphs (e.g., topology, routing). In particular, we use a custom GNN architecture to build a routing optimization solution that, unlike previous ML-based proposals, is able to generalize well to topologies, routing configurations, and traffic never seen during the training phase. The second part of this thesis investigates the design of practical and efficient network analytics solutions in the KDN context. Network analytics tools are crucial to provide the control plane with a rich and timely view of the network state. However, this is not a trivial task considering that all this information typically turns into big data in real-world networks. In this context, we analyze the main aspects that should be considered when measuring and classifying traffic in SDN (e.g., scalability, accuracy, cost). As a result, we propose a practical solution that produces flow-level measurement reports similar to those of NetFlow/IPFIX in traditional networks. The proposed system relies only on native features of OpenFlow, currently among the most established standards in SDN, and incorporates mechanisms to efficiently maintain flow-level statistics in commodity switches and report them asynchronously to the control plane. Additionally, a system that combines ML and Deep Packet Inspection (DPI) identifies the applications that generate each traffic flow.

The evolution of the field of Machine Learning (ML) in the last decade has given rise to a new era of Artificial Intelligence (AI). In particular, some advances in the field of Deep Learning (DL) have made it possible to develop new modelling and optimization tools with multiple applications in fields such as natural language processing or computer vision. In this context, the Knowledge-Defined Networking (KDN) paradigm highlights the lack of adoption of AI techniques in networks and, as a result, proposes a new architecture based on Software-Defined Networking (SDN) and modern network analytics techniques to facilitate the deployment of ML-based solutions. This thesis aims to represent a step forward in the realization of KDN-based networks. In particular, it investigates the application of AI techniques to operate networks more efficiently and automatically. To this end, we identify two components in the KDN context whose development may be essential to achieve autonomously operated networks in the future: (i) the automatic control module and (ii) the network analytics platform. The first part of this thesis addresses the construction of the automatic control module. First, the use of Deep Reinforcement Learning (DRL) algorithms to optimize traffic routing in networks is explored. DRL has shown an outstanding ability to solve decision-making problems in other fields. However, the first works that applied DRL to routing optimization in networks have not achieved satisfactory performance. In contrast to those previous solutions, we propose a more elaborate representation of the network that helps DRL agents learn efficient routing strategies. Our evaluation shows that when DRL agents use the proposed representation they achieve higher performance and learn faster how to route traffic in a practical case in Optical Transport Networks (OTN). Second, the foundations for using Graph Neural Networks (GNN) to build network optimization tools are presented. GNNs are a new family of DL models specifically designed to operate and generalize over graphs of variable size and structure. This thesis highlights the suitability of GNNs for modelling the relationships between different network elements that are intrinsically represented as graphs (e.g., topology, routing). In particular, we use a GNN architecture specifically designed to optimize traffic routing which, unlike previous ML-based proposals, is able to generalize correctly over topologies, routing configurations and traffic never seen during training. The second part of this thesis investigates the design of efficient network analytics tools in the KDN context. Network analytics is essential to provide the control plane with a complete and up-to-date view of the network state. However, this is not a trivial task considering that this information represents a massive amount of data in real network deployments. This part of the thesis analyses the main aspects to consider when measuring and classifying traffic in SDN (e.g., scalability, accuracy, cost). As a result, a practical solution is proposed that generates flow-level traffic measurement reports similar to those of NetFlow/IPFIX in traditional networks. The proposed system uses only functions supported by OpenFlow, currently one of the most established standards in SDN, and allows traffic statistics to be maintained efficiently in switches with basic features and sent asynchronously to the control plane. Likewise, a system combining ML and Deep Packet Inspection (DPI) identifies the applications that generate each traffic flow.