6 research outputs found

    Design and Evaluation of Primitives for Passive Link Assessment and Route Selection in Static Wireless Networks

    Communication in wireless networks fundamentally consists of packet exchanges over individual wireless links and over routes formed by these links. To this end, two problems are fundamental: assessment of link quality and identification of the least-cost (optimal) routes. However, little is known about achieving these goals without incurring additional overhead in IEEE 802.11 networks. In this thesis, I design and experimentally evaluate two frameworks that enable individual 802.11 nodes to characterize their wireless links and routes by employing only local and passively collected information. First, I enable 802.11 nodes to assess their links by characterizing packet delivery failures and their causes. The key problem is that nodes cannot individually observe many factors that affect packet delivery at both ends of their links and in both directions of 802.11 communication. To this end, instead of relying on the assistance of other nodes, I design the first practical framework that extrapolates the missing information locally from the nodes' overhearing, from the observable causal relationships of 802.11 operation, and from characterization of corrupted and undecodable packets. The proposed framework employs only packet-level information generally reported by commodity 802.11 wireless cards. Next, I design and evaluate routing primitives that enable individual nodes to suppress their poor route selections. I refer to a route selection as poor whenever the employed routing protocol fails to establish the existing least-cost path according to the employed routing metric. This thesis shows that an entire family of state-of-the-art on-demand distance-vector routing protocols, including the standards-proposed protocol for IEEE 802.11s mesh networks, suffers from frequent and long-term poor selections with arbitrary path costs. Consequently, such selections generally induce severe throughput degradation for network users.
    To address this problem, I design mechanisms that identify optimal paths locally by employing only the information readily available to the affected nodes. The proposed mechanisms largely suppress the occurrence of inferior routes. Even when such routes are selected, their durations are reduced by several orders of magnitude, often to sub-second time scales. My work has implications for several key areas of wireless networking: it removes systematic failures from wireless routing and serves as a source of information for a wide range of protocols, including protocols for network management and diagnostics

    MAGMA network behavior classifier for malware traffic

    Malware is a major threat to the security and privacy of network users. A large variety of malware is typically spread over the Internet, hiding in benign traffic. New types of malware appear every day, challenging both the research community and security companies to improve malware identification techniques. In this paper we present MAGMA, MultilAyer Graphs for MAlware detection, a novel malware behavioral classifier. Our system is based on a Big Data methodology, driven by real-world data obtained from traffic traces collected in an operational network. The methodology we propose automatically extracts patterns related to a specific input event, i.e., a seed, from the enormous number of events the network carries. By correlating such activities over (i) time, (ii) space, and (iii) network protocols, we build a Network Connectivity Graph that captures the overall “network behavior” of the seed. We next extract features from the Connectivity Graph and design a supervised classifier. We run MAGMA on a large dataset collected from a commercial Internet Provider where 20,000 Internet users generated more than 330 million events. Only 42,000 are flagged as malicious by a commercial IDS, which we consider as an oracle. Using this dataset, we experimentally evaluate MAGMA's accuracy and robustness to parameter settings. Results indicate that MAGMA reaches 95% accuracy, with limited false positives. Furthermore, MAGMA proves able to identify suspicious network events that the IDS ignored

    The Online Tracking Horde: A View from Passive Measurements

    During a visit to any website, the average internaut may encounter scripts that upload personal information to so-called online trackers, invisible third-party services that collect information about users and profile them. This is not news, and many past works have tried to measure the extent of this phenomenon. All of them ran active measurement campaigns via crawlers. In this paper, we observe the phenomenon from a passive angle, to naturally factor in the diversity of the Internet and of its users. We analyze a large dataset of passively collected traffic summaries to observe how pervasive online tracking is. We see more than 400 tracking services being contacted by unaware users, of which the top 100 are regularly reached by more than 50% of internauts, with the top three being practically impossible to escape. Worse, more than 80% of users get in touch with the first tracker within 1 second after starting to navigate. And we see a lot of websites that host hundreds of tracking services. Conversely, those popular web extensions that may improve personal protection, e.g., DoNotTrackMe, are actually installed by only a handful of users (3.5%). The resulting picture shows how pervasive the phenomenon is, and calls for increased sensitivity of people, researchers and regulators toward privacy in the Interne

    Network Connectivity Graph for Malicious Traffic Dissection

    Malware is a major threat to the security and privacy of network users. A huge variety of malware typically spreads over the Internet, evolving every day and challenging the research community and security practitioners to improve the effectiveness of countermeasures. In this paper, we present a system that automatically extracts patterns of network activity related to a specific malicious event, i.e., a seed. Our system is based on a methodology that correlates network events of hosts normally connected to the Internet over (i) time (i.e., analyzing different samples of traffic from the same host), (ii) space (i.e., correlating patterns across different hosts), and (iii) network layers (e.g., HTTP, DNS, etc.). The result is a Network Connectivity Graph that captures the overall "network behavior" of the seed. This is a focused and enriched representation of the malicious pattern that infected hosts exhibit, purified of ordinary network activities and background traffic. We applied our approach to a large dataset collected in a real commercial ISP where the aggregated traffic produced by more than 20,000 households was monitored. A commercial IDS was used to complement the network data with alerts related to malicious activities. We use such alerts to trigger our processing system. Results show that the richness of the Network Connectivity Graph provides a much more detailed picture of malicious activities, considerably enhancing our understanding