31,971 research outputs found

    Distributed Network Anomaly Detection on an Event Processing Framework

    Network Intrusion Detection Systems (NIDS) are an integral part of modern data centres to ensure high availability and compliance with Service Level Agreements (SLAs). Currently, NIDS are deployed on high-performance, high-cost middleboxes that are responsible for monitoring a limited section of the network. The fast increasing size and aggregate throughput of modern data centre networks have come to challenge the current approach to anomaly detection to satisfy the fast growing compute demand. In this paper, we propose a novel approach to distributed intrusion detection systems based on the architecture of recently proposed event processing frameworks. We have designed and implemented a prototype system using Apache Storm to show the benefits of the proposed approach as well as the architectural differences with traditional systems. Our system distributes modules across the available devices within the network fabric and uses a centralised controller for orchestration, management and correlation. Following the Software Defined Networking (SDN) paradigm, the controller maintains a complete view of the network but distributes the processing logic for quick event processing while performing complex event correlation centrally. We have evaluated the proposed system using publicly available data centre traces and demonstrated that the system can scale with the network topology while providing high performance and minimal impact on packet latency

    Distributed Collaborative Monitoring in Software Defined Networks

    We propose a Distributed and Collaborative Monitoring system, DCM, with the following properties. First, DCM allows switches to collaboratively achieve flow monitoring tasks and balance measurement load. Second, DCM is able to perform per-flow monitoring, by which different groups of flows are monitored using different actions. Third, DCM is a memory-efficient solution for switch data plane and guarantees system scalability. DCM uses novel two-stage Bloom filters to represent monitoring rules using small memory space. It utilizes the centralized SDN control to install, update, and reconstruct the two-stage Bloom filters in the switch data plane. We study how DCM performs two representative monitoring tasks, namely flow size counting and packet sampling, and evaluate its performance. Experiments using real data center and ISP traffic data on real network topologies show that DCM achieves the highest measurement accuracy among existing solutions given the same memory budget of switches

    Uncovering the big players of the web

    In this paper we aim at observing how today the Internet large organizations deliver web content to end users. Using one-week long data sets collected at three vantage points aggregating more than 30,000 Internet customers, we characterize the offered services precisely quantifying and comparing the performance of different players. Results show that today 65% of the web traffic is handled by the top 10 organizations. We observe that, while all of them serve the same type of content, different server architectures have been adopted considering load balancing schemes, servers number and location: some organizations handle thousands of servers with the closest being few milliseconds far away from the end user, while others manage few data centers. Despite this, the performance of bulk transfer rate offered to end users are typically good, but impairment can arise when content is not readily available at the server and has to be retrieved from the CDN back-en

    Clathrin Adaptor Complex-interacting Protein Irc6 Functions through the Conserved C-Terminal Domain.

    Clathrin coats drive transport vesicle formation from the plasma membrane and in pathways between the trans-Golgi network (TGN) and endosomes. Clathrin adaptors play central roles orchestrating assembly of clathrin coats. The yeast clathrin adaptor-interacting protein Irc6 is an orthologue of human p34, which is mutated in the inherited skin disorder punctate palmoplantar keratoderma type I. Irc6 and p34 bind to clathrin adaptor complexes AP-1 and AP-2 and are members of a conserved family characterized by a two-domain architecture. Irc6 is required for AP-1-dependent transport between the TGN and endosomes in yeast. Here we present evidence that the C-terminal two amino acids of Irc6 are required for AP-1 binding and transport function. Additionally, like the C-terminal domain, the N-terminal domain when overexpressed partially restores AP-1-mediated transport in cells lacking full-length Irc6. These findings support a functional role for Irc6 binding to AP-1. Negative genetic interactions with irc6∆ are enriched for genes related to membrane traffic and nuclear processes, consistent with diverse cellular roles for Irc6