Atlantic : a framework for anomaly traffic detection, classification, and mitigation in SDN / Atlantic : um framework para detecção, classificação e mitigação de tráfego anômalo em SDN

Silva, Anderson Santos da

January 2015

Software-Defined Networking (SDN) objetiva aliviar as limitações impostas por redes IP tradicionais dissociando tarefas de rede executadas em cada dispositivo em planos específicos. Esta abordagem oferece vários benefícios, tais como a possibilidade de uso de protocolos de comunicação padrão, funções de rede centralizadas, e elementos de rede mais específicos e modulares, tais como controladores de rede. Apesar destes benefícios, ainda há uma falta de apoio adequado para a realização de tarefas relacionadas à classificação de tráfego, pois (i) as características de fluxo nativas disponíveis no protocolo OpenFlow, tais como contadores de bytes e pacotes, não oferecem informação suficiente para distinguir de forma precisa fluxos específicos; (ii) existe uma falta de suporte para determinar qual é o conjunto ótimo de características de fluxo para caracterizar um dado perfil de tráfego; (iii) existe uma necessidade de estratégias flexíveis para compor diferentes mecanismos relacionados à detecção, classificação e mitigação de anomalias de rede usando abstrações de software; (iv) existe uma necessidade de monitoramento de tráfego em tempo real usando técnicas leves e de baixo custo; (v) não existe um framework capaz de gerenciar detecção, classificação e mitigação de anomalias de uma forma coordenada considerando todas as demandas acima. Adicionalmente, é sabido que mecanismos de detecção e classificação de anomalias de tráfego precisam ser flexíveis e fáceis de administrar, a fim de detectar o crescente espectro de anomalias. Detecção e classificação são tarefas difíceis por causa de várias razões, incluindo a necessidade de obter uma visão precisa e abrangente da rede, a capacidade de detectar a ocorrência de novos tipos de ataque, e a necessidade de lidar com erros de classificação. Nesta dissertação, argumentamos que SDN oferece ambientes propícios para a concepção e implementação de esquemas mais robustos e extensíveis para detecção e classificação de anomalias. Diferentemente de outras abordagens na literatura relacionada, que abordam individualmente detecção ou classificação ou mitigação de anomalias, apresentamos um framework para o gerenciamento e orquestração dessas tarefas em conjunto. O framework proposto é denominado ATLANTIC e combina o uso de técnicas com baixo custo computacional para monitorar tráfego e técnicas mais computacionalmente intensivas, porém precisas, para classificar os fluxos de tráfego. Como resultado, ATLANTIC é um framework flexível capaz de categorizar anomalias de tráfego utilizando informações coletadas da rede para lidar com cada perfil de tráfego de um modo específico, como por exemplo, bloqueando fluxos maliciosos. / Software-Defined Networking (SDN) aims to alleviate the limitations imposed by traditional IP networks by decoupling network tasks performed on each device in particular planes. This approach offers several benefits, such as standard communication protocols, centralized network functions, and specific network elements, such as controller devices. Despite these benefits, there is still a lack of adequate support for performing tasks related to traffic classification, because (i) the native flow features available in OpenFlow, such as packet and byte counts, do not convey sufficient information to accurately distinguish between some types of flows; (ii) there is a lack of support to determine what is the optimal set of flow features to characterize different types of traffic profiles; (iii) there is a need for a flexible way of composing different mechanisms to detect, classify and mitigate network anomalies using software abstractions; (iv) there is a need of online traffic monitoring using lightweight/low-cost techniques; (v) there is no framework capable of managing anomaly detection, classification and mitigation in a coordinated manner and considering all these demands. Additionally, it is well-known that anomaly traffic detection and classification mechanisms need to be flexible and easy to manage in order to detect the ever growing spectrum of anomalies. Detection and classification are difficult tasks because of several reasons, including the need to obtain an accurate and comprehensive view of the network, the ability to detect the occurrence of new attack types, and the need to deal with misclassification. In this dissertation, we argue that Software-Defined Networking (SDN) form propitious environments for the design and implementation of more robust and extensible anomaly classification schemes. Different from other approaches from the literature, which individually tackle either anomaly detection or classification or mitigation, we present a management framework to perform these tasks jointly. Our proposed framework is called ATLANTIC and it combines the use of lightweight techniques for traffic monitoring and heavyweight, but accurate, techniques to classify traffic flows. As a result, ATLANTIC is a flexible framework capable of categorizing traffic anomalies and using the information collected to handle each traffic profile in a specific manner, e.g., blocking malicious flows.

Redes : Computadores

Trafego : Redes : Computadores

Gerencia : Redes : Computadores

Anomaly detection

Traffic classification

Traffic monitoring

Management framework

Machine learning

Atlantic : a framework for anomaly traffic detection, classification, and mitigation in SDN / Atlantic : um framework para detecção, classificação e mitigação de tráfego anômalo em SDN

Silva, Anderson Santos da

January 2015

Software-Defined Networking (SDN) objetiva aliviar as limitações impostas por redes IP tradicionais dissociando tarefas de rede executadas em cada dispositivo em planos específicos. Esta abordagem oferece vários benefícios, tais como a possibilidade de uso de protocolos de comunicação padrão, funções de rede centralizadas, e elementos de rede mais específicos e modulares, tais como controladores de rede. Apesar destes benefícios, ainda há uma falta de apoio adequado para a realização de tarefas relacionadas à classificação de tráfego, pois (i) as características de fluxo nativas disponíveis no protocolo OpenFlow, tais como contadores de bytes e pacotes, não oferecem informação suficiente para distinguir de forma precisa fluxos específicos; (ii) existe uma falta de suporte para determinar qual é o conjunto ótimo de características de fluxo para caracterizar um dado perfil de tráfego; (iii) existe uma necessidade de estratégias flexíveis para compor diferentes mecanismos relacionados à detecção, classificação e mitigação de anomalias de rede usando abstrações de software; (iv) existe uma necessidade de monitoramento de tráfego em tempo real usando técnicas leves e de baixo custo; (v) não existe um framework capaz de gerenciar detecção, classificação e mitigação de anomalias de uma forma coordenada considerando todas as demandas acima. Adicionalmente, é sabido que mecanismos de detecção e classificação de anomalias de tráfego precisam ser flexíveis e fáceis de administrar, a fim de detectar o crescente espectro de anomalias. Detecção e classificação são tarefas difíceis por causa de várias razões, incluindo a necessidade de obter uma visão precisa e abrangente da rede, a capacidade de detectar a ocorrência de novos tipos de ataque, e a necessidade de lidar com erros de classificação. Nesta dissertação, argumentamos que SDN oferece ambientes propícios para a concepção e implementação de esquemas mais robustos e extensíveis para detecção e classificação de anomalias. Diferentemente de outras abordagens na literatura relacionada, que abordam individualmente detecção ou classificação ou mitigação de anomalias, apresentamos um framework para o gerenciamento e orquestração dessas tarefas em conjunto. O framework proposto é denominado ATLANTIC e combina o uso de técnicas com baixo custo computacional para monitorar tráfego e técnicas mais computacionalmente intensivas, porém precisas, para classificar os fluxos de tráfego. Como resultado, ATLANTIC é um framework flexível capaz de categorizar anomalias de tráfego utilizando informações coletadas da rede para lidar com cada perfil de tráfego de um modo específico, como por exemplo, bloqueando fluxos maliciosos. / Software-Defined Networking (SDN) aims to alleviate the limitations imposed by traditional IP networks by decoupling network tasks performed on each device in particular planes. This approach offers several benefits, such as standard communication protocols, centralized network functions, and specific network elements, such as controller devices. Despite these benefits, there is still a lack of adequate support for performing tasks related to traffic classification, because (i) the native flow features available in OpenFlow, such as packet and byte counts, do not convey sufficient information to accurately distinguish between some types of flows; (ii) there is a lack of support to determine what is the optimal set of flow features to characterize different types of traffic profiles; (iii) there is a need for a flexible way of composing different mechanisms to detect, classify and mitigate network anomalies using software abstractions; (iv) there is a need of online traffic monitoring using lightweight/low-cost techniques; (v) there is no framework capable of managing anomaly detection, classification and mitigation in a coordinated manner and considering all these demands. Additionally, it is well-known that anomaly traffic detection and classification mechanisms need to be flexible and easy to manage in order to detect the ever growing spectrum of anomalies. Detection and classification are difficult tasks because of several reasons, including the need to obtain an accurate and comprehensive view of the network, the ability to detect the occurrence of new attack types, and the need to deal with misclassification. In this dissertation, we argue that Software-Defined Networking (SDN) form propitious environments for the design and implementation of more robust and extensible anomaly classification schemes. Different from other approaches from the literature, which individually tackle either anomaly detection or classification or mitigation, we present a management framework to perform these tasks jointly. Our proposed framework is called ATLANTIC and it combines the use of lightweight techniques for traffic monitoring and heavyweight, but accurate, techniques to classify traffic flows. As a result, ATLANTIC is a flexible framework capable of categorizing traffic anomalies and using the information collected to handle each traffic profile in a specific manner, e.g., blocking malicious flows.

Redes : Computadores

Trafego : Redes : Computadores

Gerencia : Redes : Computadores

Anomaly detection

Traffic classification

Traffic monitoring

Management framework

Machine learning

Classification of Video Traffic : An Evaluation of Video Traffic Classification using Random Forests and Gradient Boosted Trees

Andersson, Ricky

January 2017

Traffic classification is important for Internet providers and other organizations to solve some critical network management problems.The most common methods for traffic classification is Deep Packet Inspection (DPI) and port based classification. These methods are starting to become obsolete as more and more traffic are being encrypted and applications are starting to use dynamic ports and ports of other popular applications. An alternative method for traffic classification uses Machine Learning (ML).This ML method uses statistical features of network traffic flows, which solves the fundamental problems of DPI and port based classification for encrypted flows.The data used in this study is divided into video and non-video traffic flows and the goal of the study is to create a model which can classify video flows accurately in real-time.Previous studies found tree-based algorithms to work well in classifying network traffic. In this study random forest and gradient boosted trees are examined and compared as they are two of the best performing tree-based classification models.Random forest was found to work the best as the classification speed was significantly faster than gradient boosted trees. Over 93% correctly classified flows were achieved while keeping the random forest model small enough to keep fast classification speeds. / HITS, 4707

Machine Learning

Video Traffic Classification

Random Forest

Gradient Boosted Trees

Gradient Boosted Machine

Computer Sciences

Datavetenskap (datalogi)

Umělá inteligence pro klasifikaci aplikačních služeb v síťové komunikaci / Artificial intelligence for application services classification in network communication

Jelínek, Michael

January 2021

The master thesis focuses on the selection of a suitable algorithm for the classification of selected network traffic services and its implementation. The theoretical part describes the available classification approaches together with commonly used algorithms and selected network services. The practical part focuses on the preparation and preprocessing of the dataset, selection and optimization of the classification algorithm and verifying the classification capabilities of the algorithm in the various scenarios of the dataset.

Classification de flux applicatifs et détection d'intrusion dans le trafic Internet / Classifying Application Flows and Intrusion Detection in Internet Traffic

Korczynski, Maciej

26 November 2012

Le sujet de la classification de trafic r´eseau est d’une grande importance pourla planification de r´eseau efficace, la gestion de trafic `a base de r`egles, la gestionde priorit´e d’applications et le contrˆole de s´ecurit´e. Bien qu’il ait re¸cu une atten-tion consid´erable dans le milieu de la recherche, ce th`eme laisse encore de nom-breuses questions en suspens comme, par exemple, les m´ethodes de classificationdes flux de trafics chiffr´es. Cette th`ese est compos´ee de quatre parties. La premi`erepr´esente quelques aspects th´eoriques li´es `a la classification de trafic et `a la d´etec-tion d’intrusion. Les trois parties suivantes traitent des probl`emes sp´ecifiques declassification et proposent des solutions pr´ecises.Dans la deuxi`eme partie, nous proposons une m´ethode d’´echantillonnage pr´ecisepour d´etecter les attaques de type ”SYN flooding”et ”portscan”. Le syst`eme examineles segments TCP pour trouver au moins un des multiples segments ACK provenantdu serveur. La m´ethode est simple et ´evolutive, car elle permet d’obtenir unebonne d´etection avec un taux de faux positif proche de z´ero, mˆeme pour des tauxd’´echantillonnage tr`es faibles. Nos simulations bas´ees sur des traces montrent quel’efficacit´e du syst`eme propos´e repose uniquement sur le taux d’´echantillonnage,ind´ependamment de la m´ethode d’´echantillonnage.Dans la troisi`eme partie, nous consid´erons le probl`eme de la d´etection et de laclassification du trafic de Skype et de ses flux de services tels que les appels vocaux,SkypeOut, les vid´eo-conf´erences, les messages instantan´es ou le t´el´echargement defichiers. Nous proposons une m´ethode de classification pour le trafic Skype chiffr´ebas´e sur le protocole d’identification statistique (SPID) qui analyse les valeurs statis-tiques de certains attributs du trafic r´eseau. Nous avons ´evalu´e notre m´ethode surun ensemble de donn´ees montrant d’excellentes performances en termes de pr´eci-sion et de rappel. La derni`ere partie d´efinit un cadre fond´e sur deux m´ethodescompl´ementaires pour la classification des flux applicatifs chiffr´es avec TLS/SSL.La premi`ere mod´elise des ´etats de session TLS/SSL par une chaˆıne de Markov ho-mog`ene d’ordre 1. Les param`etres du mod`ele de Markov pour chaque applicationconsid´er´ee diff`erent beaucoup, ce qui est le fondement de la discrimination entreles applications. La seconde m´ethode de classification estime l’´ecart d’horodatagedu message Server Hello du protocole TLS/SSL et l’instant d’arriv´ee du paquet.Elle am´eliore la pr´ecision de classification des applications et permet l’identificationviiefficace des flux Skype. Nous combinons les m´ethodes en utilisant une ClassificationNaive Bay´esienne (NBC). Nous validons la proposition avec des exp´erimentationssur trois s´eries de donn´ees r´ecentes. Nous appliquons nos m´ethodes `a la classificationde sept applications populaires utilisant TLS/SSL pour la s´ecurit´e. Les r´esultatsmontrent une tr`es bonne performance. / The subject of traffic classification is of great importance for effective networkplanning, policy-based traffic management, application prioritization, and securitycontrol. Although it has received substantial attention in the research communitythere are still many unresolved issues, for example how to classify encrypted trafficflows. This thesis is composed of four parts. The first part presents some theoreticalaspects related to traffic classification and intrusion detection, while in the followingthree parts we tackle specific classification problems and propose accurate solutions.In the second part, we propose an accurate sampling scheme for detecting SYNflooding attacks as well as TCP portscan activity. The scheme examines TCPsegments to find at least one of multiple ACK segments coming from the server.The method is simple and scalable, because it achieves a good detection with aFalse Positive Rate close to zero even for very low sampling rates. Our trace-basedsimulations show that the effectiveness of the proposed scheme only relies on thesampling rate regardless of the sampling method.In the third part, we consider the problem of detecting Skype traffic and classi-fying Skype service flows such as voice calls, skypeOut, video conferences, chat, fileupload and download. We propose a classification method for Skype encrypted traf-fic based on the Statistical Protocol IDentification (SPID) that analyzes statisticalvalues of some traffic attributes. We have evaluated our method on a representativedataset to show excellent performance in terms of Precision and Recall.The last part defines a framework based on two complementary methods for clas-sifying application flows encrypted with TLS/SSL. The first one models TLS/SSLsession states as a first-order homogeneous Markov chain. The parameters of theMarkov models for each considered application differ a lot, which is the basis foraccurate discrimination between applications. The second classifier considers thedeviation between the timestamp in the TLS/SSL Server Hello message and thepacket arrival time. It improves the accuracy of application classification and al-lows efficient identification of Skype flows. We combine the methods using a NaiveBayes Classifier (NBC).We validate the framework with experiments on three recentdatasets—we apply our methods to the classification of seven popular applicationsthat use TLS/SSL for security. The results show a very good performance.

Sécurité

La classification du trafic réseau

Détection d'intrusion

Chiffrement

DDoS et scan de port

Échantillonnage

Security

Network traffic classification

Intrusion detection

Encryption

DDoS and portscan

Sampling

Traffic monitoring in home networks : from theory to practice / Supervision du trafic dans les réseaux domestiques : de la théorie à la pratique

Aouini, Zied

15 December 2017

Les réseaux domestiques sont confrontés à une évolution continue et deviennent de plus en plus complexes. Leur complexité a évolué selon deux dimensions interdépendantes. D'une part, la topologie du réseau domestique devient plus complexe avec la multiplication des équipements et des technologies de connectivité. D'autre part, l'ensemble des services accessibles via le réseau domestique ne cesse de s’élargir. Un tel contexte a rendu la gestion du réseau domestique plus difficile pour les Fournisseurs d’Accès Internet (FAI) et les utilisateurs finaux. Dans ce manuscrit, nous nous concentrons sur la deuxième dimension de la complexité décrite ci-dessus liée au trafic circulant depuis/vers le réseau domestique. Notre première contribution consiste à proposer une architecture pour la supervision du trafic dans les réseaux domestiques. Nous fournissons une étude comparative de certains outils open source existants. Ensuite, nous effectuons une évaluation de performances expérimentale d’un sous ensemble des processus impliqués dans notre architecture. Sur la base des résultats obtenus, nous discutons les limites et les possibilités de déploiement de ce type de solution. Dans notre deuxième contribution, nous présentons notre analyse à large échelle des usages et du trafic résidentiel basée sur une trace de trafic réelle impliquant plus de 34 000 clients. Premièrement, nous présentons notre méthode de collecte et de traitement des données. Deuxièmement, nous présentons nos observations statistiques vis-à-vis des différentes couches de l’architecture Internet. Ensuite, nous effectuons une analyse subjective auprès de 645 clients résidentiels. Enfin, nos résultats fournissent une synthèse complète des usages et des caractéristiques des applications résidentielles. Dans notre troisième contribution, nous proposons une nouvelle méthode pour la classification en temps réel du trafic résidentiel. Notre méthode, laquelle est basée sur l’utilisation d’un algorithme d’apprentissage statistique de type C5.0, vise à combler les carences identifiées dans la littérature. Ensuite, nous détaillons notre implémentation d’une sonde légère sur un prototype de passerelle résidentielle capable de capturer, de suivre et d'identifier d’une manière fine les applications actives dans le réseau domestique. Cette implémentation nous permet, en outre, de valider nos principes de conception via un banc d'essai réaliste mis en place à cet effet. Les résultats obtenus indiquent que notre solution est efficace et faisable. / Home networks are facing a continuous evolution and are becoming more and more complex. Their complexity has evolved according to two interrelated dimensions. On the one hand, the home network topology (devices and connectivity technologies) tends to produce more complex configurations. On the other hand, the set of services accessed through the home network is growing in a tremendous fashion. Such context has made the home network management more challenging for both Internet Service Provider (ISP) and end-users. In this dissertation, we focus on the traffic dimension of the above described complexity. Our first contribution consists on proposing an architecture for traffic monitoring in home networks. We provide a comparative study of some existing open source tools. Then, we perform a testbed evaluation of the main software components implied in our architecture. Based on the experiments results, we discuss several deployment limits and possibilities. In our second contribution, we conduct a residential traffic and usages analysis based on real trace involving more than 34 000 customers. First, we present our data collection and processing methodology. Second, we present our findings with respect to the different layers of the TCP/IP protocol stack characteristics. Then, we perform a subjective analysis across 645 of residential customers. The results of both evaluations provide a complete synthesis of residential usage patterns and applications characteristics. In our third contribution, we propose a novel scheme for real-time residential traffic classification. Our scheme, which is based on a machine learning approach called C5.0, aims to fulfil the lacks identified in the literature. At this aim, our algorithm is evaluated using several traffic inputs. Then, we detail how we implemented a lightweight probe able to capture, track and identify finely applications running in the home network. This implementation allowed us to validate our designing principles upon realistic test conditions. The obtained results show clearly the efficiency and feasibility of our solution.

Réseau domestique

Performances réseau

Mesures passives

Classification du trafic

Algorithmes d'apprentissage statistique

Passerelle domestique

Analyse du trafic

Supervision des flux

Home network

Network performances

Passive measurements

Traffic classification

Machine Learning algorithms

Home gateway

Traffic analysis

Flow monitoring

Bezpečnostní analýza síťového provozu pomocí behaviorálních signatur / Security analysis of network traffic using behavioral signatures

Barabas, Maroš

January 2016

This thesis focuses on description of the current state of research in the detection of network attacks and subsequently on the improvement of detection capabilities of specific attacks by establishing a formal definition of network metrics. These metrics approximate the progress of network connection and create a signature, based on behavioral characteristics of the analyzed connection. The aim of this work is not the prevention of ongoing attacks, or the response to these attacks. The emphasis is on the analysis of connections to maximize information obtained and definition of the basis of detection system that can minimize the size of data collected from the network, leaving the most important information for subsequent analysis. The main goal of this work is to create the concept of the detection system by using defined metrics for reduction of the network traffic to signatures with an emphasis on the behavioral aspects of the communication. Another goal is to increase the autonomy of the detection system by developing an expert knowledge of honeypot system, with the condition of independence to the technological aspects of analyzed data (e.g. encryption, protocols used, technology and environment). Defining the concept of honeypot system's expert knowledge in the role of the teacher of classification algorithms creates autonomy of the~system for the detection of unknown attacks. This concept also provides the possibility of independent learning (with no human intervention) based on the knowledge collected from attacks on these systems. The thesis describes the process of creating laboratory environment and experiments with the defined network connection signature using collected data and downloaded test database. The results are compared with the state of the art of the network detection systems and the benefits of the proposed approximation methods are highlighted.

Rozšíření behaviorální analýzy síťové komunikace určené pro detekci útoků / Extension of Behavioral Analysis of Network Traffic Focusing on Attack Detection

Teknős, Martin

January 2015

This thesis is focused on network behavior analysis (NBA) designed to detect network attacks. The goal of the thesis is to increase detection accuracy of obfuscated network attacks. Methods and techniques used to detect network attacks and network traffic classification were presented first. Intrusion detection systems (IDS) in terms of their functionality and possible attacks on them are described next. This work also describes principles of selected attacks against IDS. Further, obfuscation methods which can be used to overcome NBA are suggested. The tool for automatic exploitation, attack obfuscation and collection of this network communication was designed and implemented. This tool was used for execution of network attacks. A dataset for experiments was obtained from collected network communications. Finally, achieved results emphasized requirement of training NBA models by obfuscated malicious network traffic.