Network Traffic Measurements, Applications to Internet Services and Security

The Internet has become along the years a pervasive network interconnecting billions of users and is now playing the role of collector for a multitude of tasks, ranging from professional activities to personal interactions. From a technical standpoint, novel architectures, e.g., cloud-based services and content delivery networks, innovative devices, e.g., smartphones and connected wearables, and security threats, e.g., DDoS attacks, are posing new challenges in understanding network dynamics. In such complex scenario, network measurements play a central role to guide traffic management, improve network design, and evaluate application requirements. In addition, increasing importance is devoted to the quality of experience provided to final users, which requires thorough investigations on both the transport network and the design of Internet services. In this thesis, we stress the importance of users’ centrality by focusing on the traffic they exchange with the network. To do so, we design methodologies complementing passive and active measurements, as well as post-processing techniques belonging to the machine learning and statistics domains. Traffic exchanged by Internet users can be classified in three macro-groups: (i) Outbound, produced by users’ devices and pushed to the network; (ii) unsolicited, part of malicious attacks threatening users’ security; and (iii) inbound, directed to users’ devices and retrieved from remote servers. For each of the above categories, we address specific research topics consisting in the benchmarking of personal cloud storage services, the automatic identification of Internet threats, and the assessment of quality of experience in the Web domain, respectively. Results comprise several contributions in the scope of each research topic. In short, they shed light on (i) the interplay among design choices of cloud storage services, which severely impact the performance provided to end users; (ii) the feasibility of designing a general purpose classifier to detect malicious attacks, without chasing threat specificities; and (iii) the relevance of appropriate means to evaluate the perceived quality of Web pages delivery, strengthening the need of users’ feedbacks for a factual assessment

Personal Cloud Storage Benchmarks and Comparison

The large amount of space offered by personal cloud storage services (e.g., Dropbox and OneDrive), together with the possibility of synchronizing devices seamlessly, keep attracting customers to the cloud. Despite the high public interest, little information about system design and actual implications on performance is available when selecting a cloud storage service. Systematic benchmarks to assist in comparing services and understanding the effects of design choices are still lacking. This paper proposes a methodology to understand and benchmark personal cloud storage services. Our methodology unveils their architecture and capabilities. Moreover, by means of repeatable and customizable tests, it allows the measurement of performance metrics under different workloads. The effectiveness of the methodology is shown in a case study in which 11 services are compared under the same conditions. Our case study reveals interesting differences in design choices. Their implications are assessed in a series of benchmarks. Results show no clear winner, with all services having potential for improving performance. In some scenarios, the synchronization of the same files can take 20 times longer. In other cases, we observe a wastage of twice as much network capacity, questioning the design of some services. Our methodology and results are thus useful both as benchmarks and as guidelines for system design

A method for exploring traffic passive traces and grouping similar urls

Computer security method for the analysis of passive traces of HTTP and HTTPS traffic on the Internet, with extraction and grouping of similar Web transactions automatically generated by malware, malicious services, unsolicited advertising or other, comprises at least the following processing and control steps: a) URLs extraction from an operational network, using passive exploration of the HTTP e HTTPS traffic data and subsequent collection into batches of the extracted URLs; b) detection of similar URLs, by metrics calculation based on the distance among URLs, namely based on a measure of the degree of diversity among pairs of character strings composing the URLs; c) activation of one or more clustering algorithms used to group the URLs based on the similarity metrics and to obtain, within each group of URLs, elements with similar/homogeneous features, adapted to be analyzed as a single entity; d) visualization of elements according to a sorting based on the degree of cohesion of the URLs contained in each grouping

ScienceBox 2.0: Evolving the demonstrator package for CERN storage and analysis services

With containers being the de-facto standard to package, distribute, and run applications, Helm charts are on the rise for application deployment in managed clusters (e.g., Kubernetes, OpenShift), providing developers and operators with a rich ecosystem of tools to utilize, as well as the means to configure applications and roll changes out in a programmatic way. This paper describes the reboot of the ScienceBox project: The containerized software bundle providing the ability to deploy CERN storage and analysis services on any cloud or local infrastructure. While the service offering provided through ScienceBox remains unchanged, we evolved the original implementation to make use of Helm charts across the entire stack and incorporated a major architectural update to CERNBox, replacing the previous PHP backend with a distributed microservices architecture. ScienceBox maintains the flexibility to be deployed in a few clicks for demonstration purposes, or scaled out on managed clusters for the provisioning of a multi-user service. It also removes external dependencies by deploying additional services (e.g., IDP, DBs) and facilitates the configuration of the service stack by providing automated configuration scripts, making the package fully self-contained and easy to use

Enabling Storage Business Continuity and Disaster Recovery with Ceph distributed storage

The Storage Group in the CERN IT Department operates several Ceph storage clusters with an overall capacity exceeding 100 PB. Ceph is a crucial component of the infrastructure delivering IT services to all the users of the Organization as it provides: i) Block storage for OpenStack, ii) CephFS, used as persistent storage by containers (OpenShift and Kubernetes) and as shared filesystems by HPC clusters and iii) S3 object storage for cloud-native applications, monitoring and software distribution across the WLCG. The Ceph infrastructure at CERN is being rationalized and restructured to allow for the implementation of a Business Continuity/Disaster Recovery plan. In this paper, we give an overview of how we transitioned from a single cluster providing block storage to multiple ones, enabling Storage Availability zones, and how block storage backups can be achieved. We also illustrate future plans for file systems backups through cback,a restic-based scalable orchestrator, and how S3 implements data immutability and provides a highly available, Multi-Data Centre object storage service

MAGMA network behavior classifier for malware traffic

Malware is a major threat to security and privacy of network users. A large variety of malware is typically spread over the Internet, hiding in benign traffic. New types of malware appear every day, challenging both the research community and security companies to improve malware identification techniques. In this paper we present MAGMA, MultilAyer Graphs for MAlware detection, a novel malware behavioral classifier. Our system is based on a Big Data methodology, driven by real-world data obtained from traffic traces collected in an operational network. The methodology we propose automatically extracts patterns related to a specific input event, i.e., a seed, from the enormous amount of events the network carries. By correlating such activities over (i) time, (ii) space, and (iii) network protocols, we build a Network Connectivity Graph that captures the overall “network behavior” of the seed. We next extract features from the Connectivity Graph and design a supervised classifier. We run MAGMA on a large dataset collected from a commercial Internet Provider where 20,000 Internet users generated more than 330 million events. Only 42,000 are flagged as malicious by a commercial IDS, which we consider as an oracle. Using this dataset, we experimentally evaluate MAGMA accuracy and robustness to parameter settings. Results indicate that MAGMA reaches 95% accuracy, with limited false positives. Furthermore, MAGMA proves able to identify suspicious network events that the IDS ignored

Beta-Blocker Use in Older Hospitalized Patients Affected by Heart Failure and Chronic Obstructive Pulmonary Disease: An Italian Survey From the REPOSI Register

Beta (β)-blockers (BB) are useful in reducing morbidity and mortality in patients with heart failure (HF) and concomitant chronic obstructive pulmonary disease (COPD). Nevertheless, the use of BBs could induce bronchoconstriction due to β2-blockade. For this reason, both the ESC and GOLD guidelines strongly suggest the use of selective β1-BB in patients with HF and COPD. However, low adherence to guidelines was observed in multiple clinical settings. The aim of the study was to investigate the BBs use in older patients affected by HF and COPD, recorded in the REPOSI register. Of 942 patients affected by HF, 47.1% were treated with BBs. The use of BBs was significantly lower in patients with HF and COPD than in patients affected by HF alone, both at admission and at discharge (admission, 36.9% vs. 51.3%; discharge, 38.0% vs. 51.7%). In addition, no further BB users were found at discharge. The probability to being treated with a BB was significantly lower in patients with HF also affected by COPD (adj. OR, 95% CI: 0.50, 0.37-0.67), while the diagnosis of COPD was not associated with the choice of selective β1-BB (adj. OR, 95% CI: 1.33, 0.76-2.34). Despite clear recommendations by clinical guidelines, a significant underuse of BBs was also observed after hospital discharge. In COPD affected patients, physicians unreasonably reject BBs use, rather than choosing a β1-BB. The expected improvement of the BB prescriptions after hospitalization was not observed. A multidisciplinary approach among hospital physicians, general practitioners, and pharmacologists should be carried out for better drug management and adherence to guideline recommendations

The “Diabetes Comorbidome”: A Different Way for Health Professionals to Approach the Comorbidity Burden of Diabetes

(1) Background: The disease burden related to diabetes is increasing greatly, particularly in older subjects. A more comprehensive approach towards the assessment and management of diabetes’ comorbidities is necessary. The aim of this study was to implement our previous data identifying and representing the prevalence of the comorbidities, their association with mortality, and the strength of their relationship in hospitalized elderly patients with diabetes, developing, at the same time, a new graphic representation model of the comorbidome called “Diabetes Comorbidome”. (2) Methods: Data were collected from the RePoSi register. Comorbidities, socio-demographic data, severity and comorbidity indexes (Cumulative Illness rating Scale CIRS-SI and CIRS-CI), and functional status (Barthel Index), were recorded. Mortality rates were assessed in hospital and 3 and 12 months after discharge. (3) Results: Of the 4714 hospitalized elderly patients, 1378 had diabetes. The comorbidities distribution showed that arterial hypertension (57.1%), ischemic heart disease (31.4%), chronic renal failure (28.8%), atrial fibrillation (25.6%), and COPD (22.7%), were the more frequent in subjects with diabetes. The graphic comorbidome showed that the strongest predictors of death at in hospital and at the 3-month follow-up were dementia and cancer. At the 1-year follow-up, cancer was the first comorbidity independently associated with mortality. (4) Conclusions: The “Diabetes Comorbidome” represents the perfect instrument for determining the prevalence of comorbidities and the strength of their relationship with risk of death, as well as the need for an effective treatment for improving clinical outcomes

Antidiabetic Drug Prescription Pattern in Hospitalized Older Patients with Diabetes

Objective: To describe the prescription pattern of antidiabetic and cardiovascular drugs in a cohort of hospitalized older patients with diabetes. Methods: Patients with diabetes aged 65 years or older hospitalized in internal medicine and/or geriatric wards throughout Italy and enrolled in the REPOSI (REgistro POliterapuie SIMI—Società Italiana di Medicina Interna) registry from 2010 to 2019 and discharged alive were included. Results: Among 1703 patients with diabetes, 1433 (84.2%) were on treatment with at least one antidiabetic drug at hospital admission, mainly prescribed as monotherapy with insulin (28.3%) or metformin (19.2%). The proportion of treated patients decreased at discharge (N = 1309, 76.9%), with a significant reduction over time. Among those prescribed, the proportion of those with insulin alone increased over time (p = 0.0066), while the proportion of those prescribed sulfonylureas decreased (p < 0.0001). Among patients receiving antidiabetic therapy at discharge, 1063 (81.2%) were also prescribed cardiovascular drugs, mainly with an antihypertensive drug alone or in combination (N = 777, 73.1%). Conclusion: The management of older patients with diabetes in a hospital setting is often sub-optimal, as shown by the increasing trend in insulin at discharge, even if an overall improvement has been highlighted by the prevalent decrease in sulfonylureas prescription

Clinical features and outcomes of elderly hospitalised patients with chronic obstructive pulmonary disease, heart failure or both

Background and objective: Chronic obstructive pulmonary disease (COPD) and heart failure (HF) mutually increase the risk of being present in the same patient, especially if older. Whether or not this coexistence may be associated with a worse prognosis is debated. Therefore, employing data derived from the REPOSI register, we evaluated the clinical features and outcomes in a population of elderly patients admitted to internal medicine wards and having COPD, HF or COPD + HF. Methods: We measured socio-demographic and anthropometric characteristics, severity and prevalence of comorbidities, clinical and laboratory features during hospitalization, mood disorders, functional independence, drug prescriptions and discharge destination. The primary study outcome was the risk of death. Results: We considered 2,343 elderly hospitalized patients (median age 81 years), of whom 1,154 (49%) had COPD, 813 (35%) HF, and 376 (16%) COPD + HF. Patients with COPD + HF had different characteristics than those with COPD or HF, such as a higher prevalence of previous hospitalizations, comorbidities (especially chronic kidney disease), higher respiratory rate at admission and number of prescribed drugs. Patients with COPD + HF (hazard ratio HR 1.74, 95% confidence intervals CI 1.16-2.61) and patients with dementia (HR 1.75, 95% CI 1.06-2.90) had a higher risk of death at one year. The Kaplan-Meier curves showed a higher mortality risk in the group of patients with COPD + HF for all causes (p = 0.010), respiratory causes (p = 0.006), cardiovascular causes (p = 0.046) and respiratory plus cardiovascular causes (p = 0.009). Conclusion: In this real-life cohort of hospitalized elderly patients, the coexistence of COPD and HF significantly worsened prognosis at one year. This finding may help to better define the care needs of this population