50 research outputs found

    DPI Solutions in Practice: Benchmark and Comparison

    Having a clear insight into the protocols carrying traffic is crucial for network applications. Deep Packet Inspection (DPI) has been a key technique to provide visibility into traffic. DPI has proven effective in various scenarios, and indeed several open source DPI solutions are maintained by the community. Yet, these solutions provide different classifications, and it is hard to establish a common ground truth. Independent works approaching the question of the quality of DPI are already aged and rely on limited datasets. Here, we test whether open source DPI solutions can provide useful information in practical scenarios, e.g., supporting security applications. We provide an evaluation of the performance of four open-source DPI solutions, namely nDPI, Libprotoident, Tstat and Zeek. We use datasets covering various traffic scenarios, including operational networks, IoT scenarios and malware. As no ground truth is available, we study the consistency of classification across the solutions, investigating the root causes of conflicts. Important for on-line security applications, we check whether DPI solutions provide reliable classification with a limited number of packets per flow. All in all, we confirm that DPI solutions still perform satisfactorily for well-known protocols. They however struggle with some P2P traffic and security scenarios (e.g., with malware traffic). All tested solutions reach a final classification after observing few packets with payload, showing adequacy for on-line application.

    Attacking DoH and ECH: Does Server Name Encryption Protect Users’ Privacy?

    Privacy on the Internet has become a priority, and several efforts have been devoted to limiting the leakage of personal information. Domain names, both in the TLS Client Hello and in DNS traffic, are among the last pieces of information still visible to an observer in the network. The Encrypted Client Hello extension for TLS and the DNS over HTTPS and DNS over QUIC protocols aim to further increase network confidentiality by encrypting the domain names of the visited servers. In this article, we check whether an attacker able to passively observe the traffic of users could still recover the domain names of the websites they visit even if names are encrypted. By relying on large-scale network traces, we show that simplistic features and off-the-shelf machine learning models are sufficient to achieve surprisingly high precision and recall when recovering encrypted domain names. We consider three attack scenarios, i.e., recovering the per-flow name, rebuilding the set of websites visited by a user, and checking which users visit a given target website. We next evaluate the efficacy of padding-based mitigation, finding that all three attacks are still effective, despite the resources wasted with padding. We conclude that current proposals for domain encryption may produce a false sense of privacy, and more robust techniques should be envisioned to offer protection to end users.

    Sensing the Noise: Uncovering Communities in Darknet Traffic

    Darknets are ranges of IP addresses advertised without answering any traffic. Darknets help to uncover interesting network events, such as misconfigurations and network scans. Interpreting darknet traffic helps against cyber-attacks; e.g., malware often reaches darknets when scanning the Internet for vulnerable devices. The traffic reaching darknets is however voluminous and noisy, which calls for efficient ways to represent the data and highlight possibly important events. This paper evaluates a methodology to summarize packets reaching darknets. We represent the darknet activity as a graph, which captures remote hosts contacting the darknet nodes' ports, as well as the frequency at which each port is reached. From these representations, we apply community detection algorithms in the search for patterns that could represent coordinated activity. By highlighting such activities we are able to group together, for example, groups of IP addresses that predominantly engage in contacting specific targets, or, vice versa, to identify targets which are frequently contacted together, for exploiting the vulnerabilities of a given service. The network analyst can recognize from the community detection results, for example, that a group of hosts has been infected by a botnet and is currently scanning the network in search of vulnerable services (e.g., SSH and Telnet, among the most commonly targeted). Such a piece of information is impossible to obtain when analyzing the behavior of single sources, or packets one by one. All in all, our work is a first step towards a comprehensive aggregation methodology to automate the analysis of darknet traffic, a fundamental aspect for the recognition of coordinated and anomalous events.

    The New Abnormal: Network Anomalies in the AI Era

    Anomaly detection aims at finding unexpected patterns in data. It has been used in several problems in computer networks, from the detection of port scans and DDoS attacks to the monitoring of time series collected from Internet monitoring systems. Data-driven approaches and machine learning have seen widespread application in anomaly detection too, and this trend has been accelerated by the recent developments in Artificial Intelligence research. This chapter summarizes ongoing recent progress in anomaly detection research. In particular, we evaluate how developments in AI algorithms bring new possibilities for anomaly detection. We cover new representation learning techniques such as Generative Artificial Networks and Autoencoders, as well as techniques that can be used to improve models learned with machine learning algorithms, such as reinforcement learning. We survey both research works and tools implementing AI algorithms for anomaly detection. We find that the novel algorithms, while successful in other fields, have hardly been applied to networking problems. We conclude the chapter with a case study that illustrates a possible research direction.

    Are Darknets All The Same? On Darknet Visibility for Security Monitoring

    Darknets are sets of IP addresses that are advertised but do not host any client or server. By passively recording the incoming packets, they assist network monitoring activities. Since the packets they receive are unsolicited by definition, darknets help to spot misconfigurations as well as important security events, such as the appearance and spread of botnets, DDoS attacks using spoofed IP addresses, etc. A number of organizations worldwide deploy darknets, ranging from a few dozen IP addresses to large /8 networks. We here investigate how similar the visibility of different darknets is. By relying on traffic from three darknets deployed on different continents, we evaluate their exposure in terms of observed events given their allocated IP addresses. The latter is particularly relevant considering the shortage of IPv4 addresses on the Internet. Our results suggest that some well-known facts about darknet visibility seem invariant across deployments, such as the most commonly contacted ports. However, size and location matter. We find significant differences in the observed traffic from darknets deployed in different IP ranges as well as according to the size of the IP range allocated for the monitoring.

    Enlightening the Darknets: Augmenting Darknet Visibility with Active Probes

    Darknets collect unsolicited traffic reaching unused address spaces. They provide insights into malicious activities, such as the rise of botnets and DDoS attacks. However, darknets provide a shallow view, as traffic is never responded to. Here we quantify how their visibility increases by responding to traffic with interactive responders with increasing levels of interaction. We consider four deployments: darknets, simple responders, vertical responders bound to specific ports, and a honeypot that responds to all protocols on any port. We contrast these alternatives by analyzing the traffic attracted by each deployment and characterizing how traffic changes throughout the responder lifecycle on the darknet. We show that the deployment of responders increases the value of darknet data by revealing patterns that would otherwise be unobservable. We measure side-scan phenomena where, once a host starts responding, it attracts traffic to other ports and neighboring addresses. Responding also uncovers attacks that darknets would not observe, e.g., large-scale activity on non-standard ports. And we observe how quickly senders can identify and attack new responders. The "enlightened" part of a darknet brings several benefits and offers opportunities to increase the visibility of sender patterns. This information gain is worth taking advantage of, and we therefore recommend that organizations consider this option.

    Digitally augmented teaching: a qualitative study on the perception of nurses and midwives in the Master's degree course during the SARS-CoV-2 pandemic in Italy

    Background. The SARS-CoV-2 pandemic has necessitated a rapid transition to digitally augmented education, generating a phenomenon that is unprecedented in the history of the university education of healthcare professionals. The purpose of this study is to understand the effects of online teaching on the learning of students of the Master's Degree, to collect the significant elements of their experience and to stimulate reflection on teaching practices. Objective. To describe the perceptions and experiences of nurses and midwives in the Master's degree regarding digitally augmented learning during the SARS-CoV-2 pandemic. Method. A descriptive qualitative study was performed on a proactive sample of 34 nurse practitioners, pediatric nurses and midwives. The data was collected in January-February 2021 through an online form, built ad hoc. The answers were analyzed with deductive content analysis. Results. 4 main categories emerge from the analysis of the texts: educational impact, time management, disadvantages of online teaching, distance learning-teaching. The results partly confirm what is reported in the literature about virtual learning, with better time management and the usefulness of video recordings. However, learning is strongly conditioned by the difficulties of interaction and communication between the students and between the teachers and the students. Conclusion. Digitally augmented learning allowed the continuation of the training course of health professionals engaged during the SARS-CoV-2 emergency. However, distance learning, if used exclusively for a long time, is a limited tool as it modifies the didactic processes, preventing the development of meaningful relationships, dialogue and educational relationships, which are important and essential outcomes in the master's course. Key words: Digitally augmented learning, students' experiences, nurses/midwives, SARS-CoV-2, Qualitative study.
    Introduction. The SARS-CoV-2 pandemic made a rapid transition to digitally augmented teaching necessary, generating a phenomenon without precedent in the history of the university education of healthcare professionals. The purpose of this study is to understand the effects of online teaching on the learning of students of the Master's degree course, in order to collect the significant elements of their experience and stimulate reflection on teaching practices. Objective. To describe the perceptions and experiences of professionals in Master's training regarding digitally augmented teaching during the SARS-CoV-2 pandemic. Methods. A descriptive qualitative study was conducted on a purposive sample of 34 professionals: nurses, pediatric nurses and midwives. Data were collected in January-February 2021 through an online form built ad hoc. The answers were analyzed with deductive content analysis. Results. Four main categories emerge from the analysis of the texts: educational impact, time management, disadvantages of online teaching, distance learning-teaching. The results confirm what is reported in the literature: better time management and the usefulness of video recordings. Learning is however strongly conditioned by the difficulties of interaction and communication between students and between teachers and students. Conclusions. Digitally augmented teaching made it possible to continue the training course of healthcare professionals engaged during the SARS-CoV-2 emergency. However, distance learning, if used exclusively for a long time, is a limited tool because it modifies the teaching processes, preventing the development of meaningful relationships, dialogue and the educational relationship, which are important and essential outcomes in the Master's course. Key words. Digitally augmented teaching, students' experiences, nurses/midwives, SARS-CoV-2, Qualitative study.

    Marine phycotoxin levels in shellfish: 14 years of data gathered along the Italian coast

    Along the Italian coasts, toxins of algal origin in wild and cultivated shellfish have been reported since the 1970s. In this study, we used data gathered by the Veterinary Public Health Institutes (IZS) and the Italian Environmental Health Protection Agencies (ARPA) from 2006 to 2019 to investigate toxicity events along the Italian coasts and relate them to the distribution of potentially toxic species. Among the detected toxins (OA and analogs, YTXs, PTXs, STXs, DAs, AZAs), OA and YTX were those most frequently reported. Levels exceeding regulatory limits in the case of OA (≤2,448 μg equivalent kg-1) were associated with high abundances of Dinophysis spp., and in the case of YTXs (≤22 mg equivalent kg-1) with blooms of Gonyaulax spinifera, Lingulodinium polyedra, and Protoceratium reticulatum. Seasonal blooms of Pseudo-nitzschia spp. occur all along the Italian coast, but DA has only occasionally been detected in shellfish, at concentrations always below the regulatory limit (≤18 mg kg-1). Alexandrium spp. were recorded in several areas, although STXs (≤13,782 μg equivalent kg-1) rarely, and only in a few sites, exceeded the regulatory limit in shellfish. Azadinium spp. have been sporadically recorded, and AZAs have sometimes been detected but always in low concentrations (≤7 μg equivalent kg-1). Among the emerging toxins, PLTX-like toxins (≤971 μg kg-1 OVTX-a) have often been detected, mainly in wild mussels and sea urchins from rocky shores, due to the presence of Ostreopsis cf. ovata. Overall, Italian coastal waters harbour a high number of potentially toxic species, with a few HAB hotspots mainly related to DSP toxins. Nevertheless, only rare cases of intoxication have occurred so far, reflecting the conditions of the whole Mediterranean Sea.

    Effects of cadmium chloride on human fetal cells in vitro

    The principal aim of this work was to demonstrate the feasibility of tests with substances known to be teratogenic in vivo on the cell types which are the real target of their teratogenic effects. To this purpose, cadmium chloride has been tested on human amniotic fluid cells using the chromosome aberrations (CA) and sister chromatid exchanges (SCE) tests.