25 research outputs found

    Sonification of Network Traffic Flow for Monitoring and Situational Awareness

    Get PDF
    Maintaining situational awareness of what is happening within a network is challenging, not least because the behaviour happens within computers and communications networks, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation is widely used to present information about the dynamics of network traffic. Although it provides operators with an overall view and specific information about particular traffic or attacks on the network, it often fails to represent the events in an understandable way. Visualisations require visual attention and so are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Situational awareness is critical and essential for decision-making in the domain of computer network monitoring, where it is vital to be able to identify and recognize network environment behaviours. Here we present SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system to be used in the monitoring of computer networks to support the situational awareness of network administrators. SoNSTAR provides an auditory representation of all the TCP/IP protocol traffic within a network based on the different traffic flows between network hosts. SoNSTAR raises situational awareness levels for computer network defence by allowing operators to achieve better understanding and performance while imposing less workload compared to visual techniques. SoNSTAR identifies the features of network traffic flows by inspecting the status flags of TCP/IP packet headers and mapping traffic events to recorded sounds to generate a soundscape representing the real-time status of the network traffic environment. Listening to the soundscape allows the administrator to recognise anomalous behaviour quickly and without having to continuously watch a computer screen. Comment: 17 pages, 7 figures plus supplemental material in Github repositor

    Characteristics of agent-based hierarchical Diff-EDF schedulability over heterogeneous real-time packet networks

    Get PDF
    Packet networks are currently enabling the integration of heterogeneous traffic with a wide range of characteristics that extend from video traffic with stringent QoS requirements to best-effort traffic requiring no guarantees. QoS guarantees can be provided in packet networks by the use of proper packet scheduling algorithms. In this paper, we propose a new priority assignment scheduling algorithm, Hierarchical Diff-EDF, which can meet real-time needs while continuing to provide best-effort service in a heterogeneous network traffic environment. The Hierarchical Diff-EDF service meets the flow miss rate requirements through the combination of single-step hierarchical scheduling for the different network flows and an admission control mechanism that detects overload conditions to adjust packets' priorities. To examine the proposed scheduler, we first attempted to provide an exact analytical solution. The attempt showed that the solution was very complicated due to the high interdependences between the service of the system's queues. Hence, the use of simulation seems inevitable. A multi-agent simulation that takes its inspiration from object-oriented programming is adopted. The simulation itself is aimed at the construction of a set of elements which, when fully elaborated, define an agent system specification. When evaluating our proposed scheduler, it was clear that the Hierarchical Diff-EDF scheduler outperforms both the EDF and Diff-EDF schedulers.

    An Improved TESLA Protocol Based on Queuing Theory and Benaloh-Leichter SSS in WSNs

    Get PDF
    Broadcast authentication is a fundamental security technology in wireless sensor networks (WSNs). The TESLA protocol, the most widely used authentication protocol in WSNs, publishes its keys at a fixed time interval, which may lead to unsatisfactory performance under an unstable network traffic environment. Furthermore, frequent network communication will delay the authentication of some broadcast packets, while infrequent communication will increase the overhead of key computation. To solve these problems, this paper improves the traditional TESLA by determining the publication of the broadcast key based on the network data flow rather than a fixed time interval. Meanwhile, to address the finite length of the hash chain and the problem of its exhaustion, a self-renewal hash chain based on the Benaloh-Leichter secret sharing scheme (SRHC-BL SSS) is designed, which can prolong the lifetime of the network. Moreover, by introducing a queuing theory model, we demonstrate through simulation evaluations that our scheme has much lower key consumption than TESLA. Finally, we analyze and prove the security and efficiency of the proposed self-renewal hash chain in comparison with other typical schemes.

    Distinguishing DDoS attacks from flash crowds using probability metrics

    Full text link
    Both flash crowds and DDoS (Distributed Denial-of-Service) attacks have very similar properties in terms of Internet traffic; however, flash crowds are legitimate flows while DDoS attacks are illegitimate flows, and DDoS attacks have been a serious threat to Internet security and stability. In this paper we propose a set of novel methods using probability metrics to distinguish DDoS attacks from flash crowds effectively, and our simulations show that the proposed methods work well. In particular, these methods can not only distinguish DDoS attacks from flash crowds clearly, but can also distinguish an anomalous flow, whether DDoS attack flow or flash crowd flow, from normal network flow effectively. Furthermore, we show that our proposed hybrid probability metrics can greatly reduce both false positive and false negative rates in detection.

    When Intrusion Detection Meets Blockchain Technology: A Review

    Get PDF
    With the purpose of identifying cyber threats and possible incidents, intrusion detection systems (IDSs) are widely deployed in various computer networks. In order to enhance the detection capability of a single IDS, collaborative intrusion detection networks (or collaborative IDSs) have been developed, which allow IDS nodes to exchange data with each other. However, data and trust management still remain two challenges for current detection architectures, which may degrade the effectiveness of such detection systems. In recent years, blockchain technology has shown its adaptability in many fields, such as supply chain management, international payment, interbanking, and so on. As blockchain can protect the integrity of data storage and ensure process transparency, it has the potential to be applied to the intrusion detection domain. Motivated by this, this paper provides a review regarding the intersection of IDSs and blockchains. In particular, we introduce the background of intrusion detection and blockchain, discuss the applicability of blockchain to intrusion detection, and identify open challenges in this direction.

    Exploiting Stateful Inspection of Network Security in Reconfigurable Hardware

    Full text link

    Towards the Deployment of Machine Learning Solutions in Network Traffic Classification: A Systematic Survey

    Get PDF
    Traffic analysis is a compound of strategies intended to find relationships, patterns, anomalies, and misconfigurations, among other things, in Internet traffic. In particular, traffic classification is a subgroup of strategies in this field that aims at identifying the application name or type of Internet traffic. Nowadays, traffic classification has become a challenging task due to the rise of new technologies, such as traffic encryption and encapsulation, which decrease the performance of classical traffic classification strategies. Machine Learning is gaining interest as a new direction in this field, showing signs of future success, such as knowledge extraction from encrypted traffic and more accurate Quality of Service management. Machine Learning is fast becoming a key tool to build traffic classification solutions in real network traffic scenarios; in this sense, the purpose of this investigation is to explore the elements that allow this technique to work in the traffic classification field. Therefore, a systematic review is introduced based on the steps to achieve traffic classification by using Machine Learning techniques. The main aim is to understand and to identify the procedures followed by the existing works to achieve their goals. As a result, this survey paper finds a set of trends derived from the analysis performed on this domain; in this manner, the authors expect to outline future directions for Machine Learning based traffic classification.

    A deep learning approach for intrusion detection in Internet of Things using bi-directional long short-term memory recurrent neural network

    Get PDF
    The Internet of Things connects every ‘thing’ with the Internet and allows these ‘things’ to communicate with each other. IoT comprises innumerable interconnected devices of diverse complexities and trends. This fundamental nature of IoT structure intensifies the number of attack targets, which might affect the sustainable growth of IoT. Thus, security issues become a crucial factor to be addressed. A novel deep learning approach has been proposed in this thesis for performing real-time detection of security threats in IoT systems using the Bi-directional Long Short-Term Memory Recurrent Neural Network (BLSTM RNN). The proposed approach has been implemented using the Google TensorFlow framework and the Python programming language. To train and test the proposed approach, the UNSW-NB15 dataset has been employed, which is the most up-to-date benchmark dataset with sequential samples and contemporary attack patterns. This thesis work employs binary classification of attack and normal patterns. The experimental result demonstrates the proficiency of the introduced model with respect to recall, precision, FAR and F1 score. The model attains over 97% detection accuracy. The test result demonstrates that BLSTM RNN is profoundly effective for building a highly efficient model for intrusion detection and offers a novel research methodology.

    Detection and Discrimination of Injected Network Faults

    Get PDF
    Abstract: Six hundred faults were induced by injection into five live campus networks at Carnegie Mellon University in order to determine whether or not particular network faults have unique signatures as determined by out-of-band monitoring instrumentation. If unique signatures span networks, then the monitoring instrumentation can be used to diagnose network faults, or distinguish among fault classes, without human intervention, using machine-generated diagnostic decision rules. This would be especially useful in large, unmanned systems in which the occurrence of novel or unanticipated faults could be catastrophic. Results indicate that significant accuracy in automated detection and discrimination among fault types can be obtained using anomaly signatures as described here.

    Although the present work does in fact employ training data, it does so in the interest of calibrating the results obtained from an experimental detection and diagnostic system designed specifically to accommodate noisy, nonstationary, nonspecific domains. The system generalizes by virtue of its log analysis capabilities; all monitored data and events are recorded in log files. These files are processed by the system, resulting in testable and reproducible detections and diagnoses of anomalous conditions. Any monitored process or device can be used to populate the logs with data.

    The specific objective of the present work is to conduct a designed experiment to test the detection and diagnosis capabilities of a system for handling faults in local area networks. Networks were selected as a test domain because their operating characteristics include nonlinear, nonstationary dynamic behavior. The experiment uses automated injection techniques to induc