205 research outputs found

    Beyond Counting: New Perspectives on the Active IPv4 Address Space

    In this study, we report on techniques and analyses that enable us to capture Internet-wide activity at individual IP address-level granularity by relying on server logs of a large commercial content delivery network (CDN) that serves close to 3 trillion HTTP requests on a daily basis. Across the whole of 2015, these logs recorded client activity involving 1.2 billion unique IPv4 addresses, the highest ever measured, in agreement with recent estimates. Monthly client IPv4 address counts showed constant growth for years prior, but since 2014, the IPv4 count has stagnated while IPv6 counts have grown. Thus, it seems we have entered an era marked by increased complexity, one in which the sole enumeration of active IPv4 addresses is of little use to characterize recent growth of the Internet as a whole. With this observation in mind, we consider new points of view in the study of global IPv4 address activity. Our analysis shows significant churn in active IPv4 addresses: the set of active IPv4 addresses varies by as much as 25% over the course of a year. Second, by looking across the active addresses in a prefix, we are able to identify and attribute activity patterns to network restructurings, user behaviors, and, in particular, various address assignment practices. Third, by combining spatio-temporal measures of address utilization with measures of traffic volume, and sampling-based estimates of relative host counts, we present novel perspectives on worldwide IPv4 address activity, including empirical observation of under-utilization in some areas, and complete utilization, or exhaustion, in others. Comment: in Proceedings of ACM IMC 201

    Altered rich club and frequency-dependent subnetworks organization in mild traumatic brain injury: A MEG resting-state study

    Functional brain connectivity networks exhibit “small-world” characteristics and some of these networks follow a “rich-club” organization, whereby a few nodes of high connectivity (hubs) tend to connect more densely among themselves than to nodes of lower connectivity. The current study followed an “attack strategy” to compare the rich-club and small-world network organization models using magnetoencephalographic (MEG) recordings from mild traumatic brain injury (mTBI) patients and neurologically healthy controls to identify the topology that describes the underlying intrinsic brain network organization. We hypothesized that the reduction in global efficiency caused by an attack targeting a model’s hubs would reveal the “true” underlying topological organization. Connectivity networks were estimated using mutual information as the basis for cross-frequency coupling. Our results revealed a prominent rich-club network organization for both groups. In particular, mTBI patients demonstrated hypersynchronization among rich-club hubs compared to controls in the δ band and the δ-γ1, θ-γ1, and β-γ2 frequency pairs. Moreover, rich-club hubs in mTBI patients were overrepresented in right frontal brain areas, from θ to γ1 frequencies, and underrepresented in left occipital regions in the δ-β, δ-γ1, θ-β, and β-γ2 frequency pairs. These findings indicate that the rich-club organization of resting-state MEG, considering its role in information integration and its vulnerability to various disorders like mTBI, may have a significant predictive value in the development of reliable biomarkers to help the validation of the recovery from mTBI. Furthermore, the proposed approach might be used as a validation tool to assess patient recovery

    Proactive Discovery of Phishing Related Domain Names


    POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting

    Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might have compromised an enterprise network for a long time without being discovered. To have a more effective analysis, CTI open standards have incorporated descriptive relationships showing how the indicators or observables are related to each other. However, these relationships are either completely overlooked in information gathering or not used for threat hunting. In this paper, we propose a system, called POIROT, which uses these correlations to uncover the steps of a successful attack campaign. We use kernel audits as a reliable source that covers all causal relations and information flows among system entities and model threat hunting as an inexact graph pattern matching problem. Our technical approach is based on a novel similarity metric which assesses an alignment between a query graph constructed out of CTI correlations and a provenance graph constructed out of kernel audit log records. We evaluate POIROT on publicly released real-world incident reports as well as reports of an adversarial engagement designed by DARPA, including ten distinct attack campaigns against different OS platforms such as Linux, FreeBSD, and Windows. Our evaluation results show that POIROT is capable of searching inside graphs containing millions of nodes and pinpointing the attacks in a few minutes, and the results serve to illustrate that CTI correlations could be used as robust and reliable artifacts for threat hunting. Comment: The final version of this paper is going to appear in the ACM SIGSAC Conference on Computer and Communications Security (CCS'19), November 11-15, 2019, London, United Kingdom

    Applying a two-stage Bayesian dynamic model to a short lived species, the anchovy in the Aegean Sea (Eastern Mediterranean). Comparison with an Integrated Catch at Age stock assessment model.

    Two different stock assessment models were applied to the North Aegean Sea anchovy stock (Eastern Mediterranean Sea): an Integrated Catch at age Analysis and a Bayesian two-stage biomass based model. Commercial catch data over the period 2000-2008 as well as acoustics and Daily Egg Production Method estimates over the period 2003-2008 were used. Both models' results were consistent, indicating that the anchovy stock is exploited sustainably in relation to an exploitation rate reference point. Further, the stock biomass appears stable or increasing. However, the limitations in age-composition data, potential problems related to misinterpretation of age readings along with the existence of missing values in the survey data seem to favour the two-stage biomass method, which is based on a simplified age structure.

    Dynamic effective anisotropy: Asymptotics, simulations, and microwave experiments with dielectric fibers

    We investigate dynamic effective anisotropy in photonic crystals (PCs) through a combination of an effective medium theory, which is a high-frequency homogenization (HFH) method explicitly developed to operate for short waves, as well as through numerical simulations and microwave experiments. The HFH yields accurate predictions of the effective anisotropic properties of periodic structures when the wavelength is of comparable order to the pitch of the array; specifically, we investigate a square array of pitch 2 cm consisting of dielectric rods of radius 0.5 cm and refractive index n = √6 within an air matrix. This behaves as an effective medium, with strong artificial anisotropy, at a frequency corresponding to a flat band emerging from a Dirac-like point in transverse magnetic (TM) polarization. At this frequency, highly directive emission is predicted for an electric source placed inside this PC, and this artificial anisotropy can be shown to coincide with a change of character of the underlying effective equation from isotropic to unidirective, with coefficients of markedly different magnitudes appearing in the effective equation tensor. In transverse electric (TE) polarization, we note a second radical change of character of the underlying effective equation, this time from elliptic to hyperbolic, near a frequency at which a saddle point occurs in the corresponding dispersion curves. Delicate microwave experiments are performed in both polarizations for such a PC consisting of 80 rods, and we demonstrate that a directive emission in the form of a + (respectively, an X) is indeed seen experimentally at the predicted frequency 9.5 GHz in TM polarization (respectively, 5.9 GHz in TE polarization). These are clearly dynamic effects since in the quasistatic regime the PC just behaves as an isotropic medium

    Data-driven topological filtering based on orthogonal minimal spanning trees: application to multi-group MEG resting-state connectivity

    In the present study, a novel data-driven topological filtering technique is introduced to derive the backbone of functional brain networks relying on orthogonal minimal spanning trees (OMSTs). The method aims to identify the essential functional connections to ensure optimal information flow via the objective criterion of global efficiency minus the cost of surviving connections. The OMST technique was applied to multichannel, resting-state neuromagnetic recordings from four groups of participants: healthy adults (n = 50), adults who have suffered mild traumatic brain injury (n = 30), typically developing children (n = 27), and reading-disabled children (n = 25). Weighted interactions between network nodes (sensors) were computed using an integrated approach of dominant intrinsic coupling modes based on two alternative metrics (symbolic mutual information and phase lag index), resulting in excellent discrimination of individual cases according to their group membership. Classification results using OMST-derived functional networks were clearly superior to results using either relative power spectrum features or functional networks derived through the conventional minimal spanning tree algorithm

    An asymptotic theory for waves guided by diffraction gratings or along microstructured surfaces

    An effective surface equation, that encapsulates the detail of a microstructure, is developed to model microstructured surfaces. The equations deduced accurately reproduce a key feature of surface wave phenomena, created by periodic geometry, that are commonly called Rayleigh-Bloch waves, but which also go under other names such as Spoof Surface Plasmon Polaritons in photonics. Several illustrative examples are considered and it is shown that the theory extends to similar waves that propagate along gratings. Line source excitation is considered and an implicit long-scale wavelength is identified and compared to full numerical simulations. We also investigate non-periodic situations where a long-scale geometric variation in the structure is introduced and show that localised defect states emerge which the asymptotic theory explains

    Clust-IT: Clustering-Based Intrusion Detection in IoT Environments

    Low-powered and resource-constrained devices are forming a greater part of our smart networks. For this reason, they have recently been the target of various cyber-attacks. However, these devices often cannot implement traditional intrusion detection systems (IDS), or they cannot produce or store the audit trails needed for inspection. Therefore, it is often necessary to adapt existing IDS systems and malware detection approaches to cope with these constraints. We explore the application of unsupervised learning techniques, specifically clustering, to develop a novel IDS for networks composed of low-powered devices. We describe our solution, called Clust-IT (Clustering of IoT), to manage heterogeneous data collected from cooperative and distributed networks of connected devices and search these data for indicators of compromise while remaining protocol agnostic. We outline a novel application of OPTICS to various available IoT datasets, composed of both packet and flow captures, to demonstrate the capabilities of the proposed techniques and evaluate their feasibility in developing an IoT IDS

    A haystack full of needles: scalable detection of IoT devices in the wild

    Consumer Internet of Things (IoT) devices are extremely popular, providing users with rich and diverse functionalities, from voice assistants to home appliances. These functionalities often come with significant privacy and security risks, with notable recent large scale coordinated global attacks disrupting large service providers. Thus, an important first step to address these risks is to know what IoT devices are where in a network. While some limited solutions exist, a key question is whether device discovery can be done by Internet service providers that only see sampled flow statistics. In particular, it is challenging for an ISP to efficiently and effectively track and trace activity from IoT devices deployed by its millions of subscribers --all with sampled network data. In this paper, we develop and evaluate a scalable methodology to accurately detect and monitor IoT devices at subscriber lines with limited, highly sampled data in-the-wild. Our findings indicate that millions of IoT devices are detectable and identifiable within hours, both at a major ISP as well as an IXP, using passive, sparsely sampled network flow headers. Our methodology is able to detect devices from more than 77% of the studied IoT manufacturers, including popular devices such as smart speakers. While our methodology is effective for providing network analytics, it also highlights significant privacy consequences