59 research outputs found

    DPI Solutions in Practice: Benchmark and Comparison

    Having a clear insight on the protocols carrying traffic is crucial for network applications. Deep Packet Inspection (DPI) has been a key technique to provide visibility into traffic. DPI has proven effective in various scenarios, and indeed several open source DPI solutions are maintained by the community. Yet, these solutions provide different classifications, and it is hard to establish a common ground truth. Independent works approaching the question of the quality of DPI are already aged and rely on limited datasets. Here, we test if open source DPI solutions can provide useful information in practical scenarios, e.g., supporting security applications. We provide an evaluation of the performance of four open-source DPI solutions, namely nDPI, Libprotoident, Tstat and Zeek. We use datasets covering various traffic scenarios, including operational networks, IoT scenarios and malware. As no ground truth is available, we study the consistency of classification across the solutions, investigating root-causes of conflicts. Important for on-line security applications, we check whether DPI solutions provide reliable classification with a limited number of packets per flow. All in all, we confirm that DPI solutions still perform satisfactorily for well-known protocols. They however struggle with some P2P traffic and security scenarios (e.g., with malware traffic). All tested solutions reach a final classification after observing few packets with payload, showing adequacy for on-line application

    Attacking DoH and ECH: Does Server Name Encryption Protect Users’ Privacy?

    Privacy on the Internet has become a priority, and several efforts have been devoted to limit the leakage of personal information. Domain names, both in the TLS Client Hello and DNS traffic, are among the last pieces of information still visible to an observer in the network. The Encrypted Client Hello extension for TLS, DNS over HTTPS or over QUIC protocols aim to further increase network confidentiality by encrypting the domain names of the visited servers. In this article, we check whether an attacker able to passively observe the traffic of users could still recover the domain name of websites they visit even if names are encrypted. By relying on large-scale network traces, we show that simplistic features and off-the-shelf machine learning models are sufficient to achieve surprisingly high precision and recall when recovering encrypted domain names. We consider three attack scenarios, i.e., recovering the per-flow name, rebuilding the set of visited websites by a user, and checking which users visit a given target website. We next evaluate the efficacy of padding-based mitigation, finding that all three attacks are still effective, despite resources wasted with padding. We conclude that current proposals for domain encryption may produce a false sense of privacy, and more robust techniques should be envisioned to offer protection to end users

    Sensing the Noise: Uncovering Communities in Darknet Traffic

    Darknets are ranges of IP addresses advertised without answering any traffic. Darknets help to uncover interesting network events, such as misconfigurations and network scans. Interpreting darknet traffic helps against cyber-attacks – e.g., malware often reaches darknets when scanning the Internet for vulnerable devices. The traffic reaching darknets is however voluminous and noisy, which calls for efficient ways to represent the data and highlight possibly important events. This paper evaluates a methodology to summarize packets reaching darknets. We represent the darknet activity as a graph, which captures remote hosts contacting the darknet nodes ports, as well as the frequency at which each port is reached. From these representations, we apply community detection algorithms in the search for patterns that could represent coordinated activity. By highlighting such activities we are able to group together, for example, groups of IP addresses that predominantly engage in contacting specific targets, or, vice versa, to identify targets which are frequently contacted together, for exploiting the vulnerabilities of a given service. The network analyst can recognize from the community detection results, for example, that a group of hosts has been infected by a botnet and it is currently scanning the network in search of vulnerable services (e.g., SSH and Telnet among the most commonly targeted). Such piece of information is impossible to obtain when analyzing the behavior of single sources, or packets one by one. All in all, our work is a first step towards a comprehensive aggregation methodology to automate the analysis of darknet traffic, a fundamental aspect for the recognition of coordinated and anomalous events

    Are Darknets All The Same? On Darknet Visibility for Security Monitoring

    Darknets are sets of IP addresses that are advertised but do not host any client or server. By passively recording the incoming packets, they assist network monitoring activities. Since packets they receive are unsolicited by definition, darknets help to spot misconfigurations as well as important security events, such as the appearance and spread of botnets, DDoS attacks using spoofed IP address, etc. A number of organizations worldwide deploy darknets, ranging from a few dozens of IP addresses to large /8 networks. We here investigate how similar is the visibility of different darknets. By relying on traffic from three darknets deployed in different continents, we evaluate their exposure in terms of observed events given their allocated IP addresses. The latter is particularly relevant considering the shortage of IPv4 addresses on the Internet. Our results suggest that some well-known facts about darknet visibility seem invariant across deployments, such as the most commonly contacted ports. However, size and location matter. We find significant differences in the observed traffic from darknets deployed in different IP ranges as well as according to the size of the IP range allocated for the monitoring

    Enlightening the Darknets: Augmenting Darknet Visibility with Active Probes

    Darknets collect unsolicited traffic reaching unused address spaces. They provide insights into malicious activities, such as the rise of botnets and DDoS attacks. However, darknets provide a shallow view, as traffic is never responded. Here we quantify how their visibility increases by responding to traffic with interactive responders with increasing levels of interaction. We consider four deployments: Darknets, simple, vertical bound to specific ports, and, a honeypot that responds to all protocols on any port. We contrast these alternatives by analyzing the traffic attracted by each deployment and characterizing how traffic changes throughout the responder lifecycle on the darknet. We show that the deployment of responders increases the value of darknet data by revealing patterns that would otherwise be unobservable. We measure Side-Scan phenomena where once a host starts responding, it attracts traffic to other ports and neighboring addresses. uncovers attacks that darknets and would not observe, e.g. large-scale activity on non-standard ports. And we observe how quickly senders can identify and attack new responders. The “enlightened” part of a darknet brings several benefits and offers opportunities to increase the visibility of sender patterns. This information gain is worth taking advantage of, and we, therefore, recommend that organizations consider this option

    Identification of Buried Megalithic Rocks Using the Geomagnetic Method at the Tadulako Megalithic Site, Lore Tengah District, Poso Regency

    Research on the identification of buried megalithic rocks using the geomagnetic method was carried out at the Tadulako Megalithic Site, Lore Tengah District, Poso Regency. The study aims to interpret the position and depth of buried megalithic rocks. Data acquisition with the geomagnetic method yields contours that describe the distribution of magnetic field intensity below the surface. Data processing was performed with diurnal correction and IGRF correction to obtain the total magnetic anomaly. The magnetic data were interpreted by 2D forward modeling using the GM-SYS software, which is effective for determining position and depth based on rock susceptibility values. The results from the 4 survey lines show granite igneous rock below the surface, presumed to be megalithic rock, located to the Northwest, West, and Southeast of the study site, with a rock susceptibility value of 0.05 SI at a depth of 11-72 m below ground level

    Mental health in medical students: the Psychological Help Service (SAP) project of the Università degli Studi di Torino

    The literature shows that medical students often have levels of anxiety, stress and depression higher than the general population. Free and accessible psychological support within universities is therefore increasingly necessary. The School of Medicine and Surgery of the Università degli Studi di Torino has a dedicated psychological help service (SAP). This study aims to describe, in sociodemographic, clinical and psychopathological terms, the cohort of students who used the service. The project involves an introductory interview after which, if necessary, psychological and/or psychiatric care follows; students are also asked to complete some psychometric tests to assess depression, anxiety and stress. From January 2019 to August 2020, 166 students requested a first interview. Our study shows that, in line with the literature, depressive and/or anxious symptoms are present among users. The data collected, as well as the feedback received from students, demonstrate the usefulness of the service.

    The Association of childhood asthma and Helicobacter pylori infection in Sardinia

    Background: It has been suggested that Helicobacter pylori infection might reduce the risk of atopic conditions, such as asthma, in childhood. This risk reduction could relate to the “hygiene hypothesis” which proposes an association between childhood exposure to microbes and risk of atopy. Objectives: To examine the association between Hp infection and childhood acquired asthma in Sardinia. Patients and Methods: Children from Northern Sardinia who were between the ages of 10 months to 6 years and were screened for Hp infection in 1994-1995 using IgG serology, were asked in 2012, whether they had developed asthma and/or allergic disease in pediatric age, using the global initiative on asthma guidelines questionnaire. Results: A total of 64 children participated in the study. The sero-positivity for Hp infection was 14.1%. Eleven (17.2%) children had a confirmed diagnosis of asthma with onset before the age of 5 years, 85.9% were Hp negative and 14.1% Hp positive. Eight children of the 53 without asthma were Hp positive (15%) compared to one child positive for the infection of the 11 patients (0.09%) with asthma (8/53 vs. 1/11; P = 0.6). The majority of children (73%) were from urban areas and 43.8% had a family history of asthma or allergies. Multiple logistic regression analysis was not able to find a studied variable, including Hp infection, significantly associated with pediatric asthma. Conclusions: Our results speak against Hp infection itself playing a role to protect from the risk to develop childhood asthma although household hygiene was not directly assessed

    The Association of Childhood Asthma and Helicobacter pylori Infection in Sardinia

    Background: It has been suggested that Helicobacter pylori infection might reduce the risk of atopic conditions, such as asthma, in childhood. This risk reduction could relate to the "hygiene hypothesis" which proposes an association between childhood exposure to microbes and risk of atopy. Objectives: To examine the association between Hp infection and childhood acquired asthma in Sardinia. Patients and Methods: Children from Northern Sardinia who were between the ages of 10 months to 6 years and were screened for Hp infection in 1994-1995 using IgG serology, were asked in 2012, whether they had developed asthma and/or allergic disease in pediatric age, using the global initiative on asthma guidelines questionnaire. Results: A total of 64 children participated in the study. The sero-positivity for Hp infection was 14.1%. Eleven (17.2%) children had a confirmed diagnosis of asthma with onset before the age of 5 years, 85.9% were Hp negative and 14.1% Hp positive. Eight children of the 53 without asthma were Hp positive (15%) compared to one child positive for the infection of the 11 patients (0.09%) with asthma (8/53 vs. 1/11; P = 0.6). The majority of children (73%) were from urban areas and 43.8% had a family history of asthma or allergies. Multiple logistic regression analysis was not able to find a studied variable, including Hp infection, significantly associated with pediatric asthma. Conclusions: Our results speak against Hp infection itself playing a role to protect from the risk to develop childhood asthma although household hygiene was not directly assessed