5 research outputs found

    iTeleScope: Intelligent Video Telemetry and Classification in Real-Time using Software Defined Networking

    Full text link
    Video continues to dominate network traffic, yet operators today have poor visibility into the number, duration, and resolutions of the video streams traversing their domain. Current approaches are inaccurate, expensive, or unscalable, as they rely on statistical sampling, middle-box hardware, or packet inspection software. We present iTelescope, the first intelligent, inexpensive, and scalable SDN-based solution for identifying and classifying video flows in real-time. Our solution is novel in combining dynamic flow rules with telemetry and machine learning, and is built on commodity OpenFlow switches and open-source software. We develop a fully functional system, train it in the lab using multiple machine learning algorithms, and validate its performance to show over 95% accuracy in identifying and classifying video streams from many providers including YouTube and Netflix. Lastly, we conduct tests to demonstrate its scalability to tens of thousands of concurrent streams, and deploy it live on a campus network serving several hundred real users. Our system gives unprecedented fine-grained real-time visibility of video streaming performance to operators of enterprise and carrier networks at very low cost.
    Comment: 12 pages, 16 figures

    A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

    Full text link
    Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods in monitoring and classifying network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly becoming adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps on enterprise network security to inspire future research.
    Comment: Journal paper submitted to Elsevier

    Enterprise Network Security via Data-driven Methods and Programmable Network Telemetry

    No full text
    Enterprise networks are both complex and dynamic, with various kinds of servers (web, email, VPN, storage), clients (fixed, wireless), and Internet-of-Things devices (cameras, printers, sensors) being deployed, moved, and removed continuously. Furthermore, these assets are spread across various network segments (e.g., VLANs), often managed by different departments, with complex interconnection rules between segments, to public/private cloud services, and to the general Internet. It is therefore not surprising that organizational IT departments struggle to track their connected assets, monitor their operational health, understand the attack surface they expose, and protect them from external as well as internal threats.

    Current enterprise security systems such as Next-Generation Firewalls (NGFW) and intrusion detection systems (IDS) are unable to cope with the growing volumes and diversity of emerging cyber-threats. Hardware appliance-based solutions are not just expensive, but also inflexible, as their high-speed performance is optimized for relatively static rulesets. Software solutions, on the other hand, have great flexibility but struggle to cope with high data rates, which limits the granularity at which they analyze traffic for embedded threats.

    To advance the state-of-the-art of enterprise asset monitoring and distributed network attack detection, my thesis proposes a new approach that combines hardware performance with software flexibility by leveraging the concepts of Programmable Networks (PN) and Machine Learning (ML). Telemetry from Terabit-speed programmable switches is used to extract key attributes of traffic streams, and this is combined with ML models of enterprise asset behavior to monitor their health and to detect attacks. I make four key contributions.

    My first contribution focuses on the Domain Name System (DNS). I analyze DNS traffic from two large organizations to identify the behavioral aspects of various DNS assets. Using the behavioral attributes, I develop a clustering method to classify assets (e.g., recursive resolvers and authoritative name servers) and track their health through a set of well-articulated monitoring metrics. I demonstrate that my method successfully identifies over 100 key DNS assets in the two organizations and is further able to make recommendations on how these assets can be better secured against misuse.

    The second contribution extends my enterprise asset classification beyond DNS to include other asset types such as web servers, VPN servers, and file storage servers. For this, I develop a system that uses Programmable Network techniques to extract telemetry efficiently, feeds the attributes to a multi-grained ML-based scheme that classifies the assets in real-time, and reactively collects packet-level telemetry of suspicious hosts for forensic analysis. My method identifies hundreds of typical servers and thousands of less common assets (e.g., LDAP servers and Redis proxies) across the two organizations. It additionally highlights instances of atypical behavior that provide advance warnings to IT staff on potentially anomalous assets.

    The third contribution detects DNS-based network attacks on enterprise hosts. To this end, I analyze incoming DNS traffic to the two organizations and develop a hierarchical anomaly detection method that profiles incoming DNS traffic at various levels of hierarchy (e.g., host, subnet, and AS) to isolate DNS attackers that could be stealthy and distributed. The models I train detect DNS attacks in lab data with over 99% accuracy at each level of the hierarchy, and in a 1-month trial in the wild reveal hundreds of attacks that were missed by the organizational firewalls.

    My fourth contribution expands the attack detection from DNS to the whole dimension of network traffic. To achieve both detection effectiveness and operational practicality, I develop a multi-stage progressive inference architecture to optimally detect network attacks through a series of stages (e.g., active enterprise hosts, victims, distributed attackers, and malicious flows), each with increasing telemetry cost but narrowing focus. Evaluations using real distributed denial-of-service (DDoS) attacks and large-scale enterprise traffic traces demonstrate the ability of my system to detect distributed network attacks down to the finest flow level at practically low computational cost, around 30% CPU and 8% RAM usage on a typical blade server, which is not achievable by its counterpart solutions.

    Taken together, my contributions apply Programmable Networks and Machine Learning to develop new practical and effective ways that give enterprise IT departments continuous visibility of their assets, advance warning of the threat surface they expose, and real-time alarms when network attacks unfold.

    Key Factors Influencing the Operationalization and Effectiveness of Telemedicine Services in Henan Province, China: Cross-Sectional Analysis

    No full text
    Background: Telemedicine has demonstrated its potential in alleviating the unbalanced distribution of medical resources across different regions. Henan, a province in China with a population of approximately 100 million, is especially affected by a health care divide. The province has taken a proactive step by establishing a regional collaborative platform for telemedicine services provided by top-tier provincial hospitals.
    Objective: We aim to identify the key factors that influence the current operationalization and effectiveness of telemedicine services in Henan province. The insights gained from this study will serve as valuable references for enhancing the efficient operation of telemedicine platforms in low- and middle-income regions.
    Methods: We analyzed service reports from the performance management system of telemedicine services in Henan province throughout 2020. Using descriptive statistics and graphical methods, we examined key influencing factors, such as management competency; device configuration; and hospital capability, capacity, and service efficacy, across hospitals at 2 different tiers. In addition, we used generalized linear models and multiple linear regression models to identify key operational factors that significantly affect the service volume and efficacy of 2 major telemedicine services, namely teleconsultation and tele-education.
    Results: Among the 89 tier 3 hospitals and 97 tier 2 hospitals connected to the collaborative telemedicine platform, 65 (73%) and 55 (57%), respectively, have established standardized management procedures for telemedicine services. As the primary delivery method for telemedicine services, 90% (80/89) of the tier 3 hospitals and 94% (91/97) of the tier 2 hospitals host videoconferencing consultations through professional hardware terminals rather than generic computers. Teleconsultation is the dominant service type, with an average annual service volume per institution of 173 (IQR 37-372) and 60 (IQR 14-271) teleconsultations for tier 3 and tier 2 hospitals, respectively. Key factors influencing the service volume at each hospital include available funding, management competency, the number of connected upper tiers, and the number of professional staff. After receiving teleconsultations from tier 3 (65/89, 73%) and tier 2 (61/97, 63%) hospitals, patients reported significant improvements in their medical conditions. In addition, we observed that service efficacy is positively influenced by management competency, financial incentives, the number of connected upper or lower tiers, and the involvement of participating medical professionals.
    Conclusions: Telemedicine has become increasingly popular in Henan province, with a notable focus on teleconsultation and tele-education services. Despite its popularity, many medical institutions, especially tier 2 hospitals, face challenges related to management competency. In addition to enhancing the effectiveness of existing telemedicine services, health care decision-makers in Henan province and other low- and middle-income regions should consider expanding the service categories, such as including remote emergency care and telesurgery, which have promise in addressing crucial health care needs in these regions.

    Application of Telemedicine Services Based on a Regional Telemedicine Platform in China From 2014 to 2020: Longitudinal Trend Analysis

    No full text
    Background: Telemedicine that combines information technology and health care augments the operational model of traditional medical services and brings new opportunities to the medical field. China promotes telemedicine with great efforts, and its practices in the deployment of telemedicine platforms and delivery of services have become important references for research and development in this field.
    Objective: Our work described in this paper focuses on a regional telemedicine platform that was built in 2014. We analyzed the system design scheme and remote consultations that were conducted via the system to understand the deployment and service delivery processes of a representative telemedicine platform in China.
    Methods: We collected information on remote consultations conducted from 2015 to 2020 via the regional telemedicine platform, which employs a centralized architectural system model. We used graphs and statistical methods to describe the changing trends of service volume of remote consultation, geographical and demographic distribution of patients, and waiting time and duration of consultations. The factors that affect consultation duration and patient referral were analyzed by multivariable linear regression models and binary logistic regression models, respectively. The attitudes toward telemedicine of 225 medical practitioners and 225 patients were collected using the snowball sampling method.
    Results: The regional telemedicine platform covers all levels of medical institutions and hospitals in all 18 cities of Henan Province as well as some interprovince hospitals. From 2015 to 2020, 103,957 remote medical consultations were conducted via the platform with an annual increasing rate of 0.64%. A total of 86.64% (90,069/103,957) of medical institutions (as clients) that applied for remote consultations were tier 1 or 2 and from less-developed regions; 65.65% (68,243/103,945) of patients who applied for remote consultations were aged over 50 years. The numbers of consultations were high for departments focusing on the treatment of chronic diseases such as neurology, respiratory medicine, and oncology. The invited experts were mainly experienced doctors with senior professional titles. Year of consultation, tier of hospital, consultation department, and necessity of patient referral were the main factors affecting the duration of consultations. In surveys, we found that 60.4% (136/225) of medical practitioners and 53.8% (121/225) of patients had high satisfaction and believed that telemedicine is of vital importance for the treatment of illness.
    Conclusions: The development of telemedicine in China shows a growing trend and provides great benefits, especially to medical institutions located in less developed regions and to senior citizens who have less mobility. Cases of remote consultations are mainly for chronic diseases. At present, the importance and necessity of telemedicine are well recognized by both patients and medical practitioners. However, the waiting time needs to be further reduced to improve the efficiency of remote medical services.