Publication


Featured research published by Alfonso Iacovazzi.


international teletraffic congress | 2010

Optimum packet length masking

Alfonso Iacovazzi; Andrea Baiocchi

Application level traffic classification has been addressed and demonstrated recently based on statistical features of packet flows. Among the most significant characteristics is packet length. Even ciphered flows leak information about their content through the sequence of packet length values. There are obvious ways to destroy such side information, e.g. by setting all packets at maximum allowed length. This approach could entail an extremely large overhead, which makes it impractical. There is room to investigate the optimal trade-off between overhead/complexity of packet length masking and suppression of information leakage about flow content through packet length values. In this work we characterize the optimum first order statistical padding technique which guarantees indistinguishability of different application flows. We also discuss how to account for subsequent packet length correlation. Numerical results are shown with reference to real network traffic traces, specifically flows of HTTP, POP3, SSH, and FTP (control session) traffic.


international ifip tc networking conference | 2009

Real Time Identification of SSH Encrypted Application Flows by Using Cluster Analysis Techniques

Gianluca Maiolini; Andrea Baiocchi; Alfonso Iacovazzi; Antonello Rizzi

The identification of application flows is a critical task in order to manage bandwidth requirements of different kinds of services (i.e. VOIP, Video, ERP). As network security functions spread, an increasing amount of traffic is natively encrypted due to privacy issues (e.g. VPN). This makes current traffic classification systems based on ports and payload inspection ineffective, e.g. even powerful Deep Packet Inspection is useless to classify application flows carried inside SSH sessions. We have developed a real time traffic classification method based on cluster analysis to identify SSH flows from statistical behavior of IP traffic parameters, such as length, arrival times and direction of packets. In this paper we describe our approach and relevant obtained results. We achieve detection rate up to 99.5 % in classifying SSH flows and accuracy up to 99.88 % for application flows carried within those flows, such as SCP, SFTP and HTTP over SSH.


conference on computer communications workshops | 2015

Traffic matrix estimation enhanced by SDNs nodes in real network topology

Marco Polverini; Alfonso Iacovazzi; Antonio Cianfrani; Andrea Baiocchi; Marco Listanti

Traffic matrix estimation in communication networks is a challenging problem, whose solution provides a valuable management and planning tool. Given the range of technologies able to reconfigure the resource assignment, real-time knowledge of the traffic matrix enables smart adaptive traffic management functions. A new perspective is given to the traffic matrix estimation problem by the Software Defined Network (SDN) concept. We investigate an evolutionary approach, where SDN nodes are introduced into a traditional IP network, to understand how their new capabilities affect the statement and accuracy of the traffic matrix estimation problem. By referring to operational networks and benchmark measured data, we show that a major boost of estimate accuracy can be obtained with very few SDN nodes, performing very simple tasks. To that end we develop an underlying theory that helps locating SDN functionalities in the most convenient way.


Computer Networks | 2015

A low complexity real-time Internet traffic flows neuro-fuzzy classifier

Antonello Rizzi; Alfonso Iacovazzi; Andrea Baiocchi; Silvia Colabrese

Traffic flow classification to identify applications and activity of users is widely studied both to understand privacy threats and to support network functions such as usage policies and QoS. For those needs, real time classification is required and classifier complexity is as important as accuracy, especially given the increasing link speeds also in the access section of the network. We propose the application of a highly efficient classification system, specifically Min-Max neuro-fuzzy networks trained by PARC algorithm, and compare it with popular classification systems, by considering traffic data sets collected in different epochs and places. We show that Min-Max networks achieve high accuracy, in line with the best performing algorithms on Weka (SVM, Random Tree, Random Forest). The required classification model complexity is much lower with Min-Max networks with respect to the other models, enabling the implementation of effective classification algorithms in real time on inexpensive platforms.


IEEE Transactions on Parallel and Distributed Systems | 2014

Internet Traffic Privacy Enhancement with Masking: Optimization and Tradeoffs

Alfonso Iacovazzi; Andrea Baiocchi

An increasing number of recent experimental works have demonstrated that the supposedly secure channels in the Internet are prone to privacy breaking in many respects, due to packet traffic features leaking information on the user activity and traffic content. We aim at understanding if and how complex it is to obfuscate the information leaked by packet traffic features, namely packet lengths, directions, and times: we call this technique traffic masking. We define a security model that points out what the ideal target of masking is, and then define the optimized traffic masking algorithm that removes any leaking (full masking). Further, we investigate the tradeoff between traffic privacy protection and masking cost, namely required amount of overhead and realization complexity/feasibility. Numerical results are based on measured Internet traffic traces. Major findings are that: 1) optimized full masking achieves similar overhead values with padding only and in case fragmentation is allowed, and 2) if practical realizability is accounted for, optimized statistical masking attains only moderately better overhead than simple fixed pattern masking does, while still leaking correlation information that can be exploited by the adversary.


IEEE Journal on Selected Areas in Communications | 2016

The Power of SDN to Improve the Estimation of the ISP Traffic Matrix Through the Flow Spread Concept

Marco Polverini; Andrea Baiocchi; Antonio Cianfrani; Alfonso Iacovazzi; Marco Listanti

Traffic matrix estimation in communication networks is a long-standing problem for its intrinsic difficulty and potential benefit to a vast number of network optimization and management functions. We address the improvement of the traffic matrix estimation by means of selected traffic flow measurements, besides the easily obtained link load measurements. The key contribution of this paper is the definition and assessment of an effective criterion, based on the flow spread parameter, to identify the flows to be measured that reduce the estimation error most. It turns out that a small percentage of flows are enough to drive the estimation error an order of magnitude lower than the one obtained with the classical solution solely based on link load measurements. Our algorithm, referred to as flow spread-based algorithm (FSBA), is also able to distribute measurement tasks fairly among network nodes, taking into account the available forwarding tables space. We also show that FSBA outperforms the state-of-the-art similar approaches. A detailed discussion on how the observation of the desired flows can be performed is done as well, by addressing the SDN paradigm. This is in fact a rapidly growing concept that enables individual flow measurements, though for only a limited number of flows to be practical with current technology.


Computer Networks | 2015

Protecting traffic privacy for massive aggregated traffic

Alfonso Iacovazzi; Andrea Baiocchi

Traffic analysis has definitely shown that encryption is not enough to protect the privacy of communications implemented over packet networks. The very features of packet traffic, like packet lengths statistics, inter-packet times, volumes of exchanged traffic, communication patterns, leak information. Leakage ranges from the kind of application that generates the information flow carried into the supposedly secure connection to parts of its content. We propose traffic masking as a countermeasure. Full confidentiality protection is discussed and the traffic masking framework is introduced and motivated. The optimization and performance assessment of the masking device is evaluated both through a general analytical model, mainly useful to gain basic insight, and by a real network emulation of a distributed secure multiparty computation application, where confidentiality requirements are key to the application itself. It is shown that essentially full confidentiality can be attained for a practical distributed security application by accepting an increase of the traffic volume by a factor 2.4 and an increase of the task completion time of 30%. Hence, (almost) full privacy appears to be more appealing for contexts where delay constraints are more valuable than bandwidth.


international conference on communications | 2013

Investigating the trade-off between overhead and delay for full packet traffic privacy

Alfonso Iacovazzi; Andrea Baiocchi

It has been demonstrated that traffic analysis can disclose information supposedly secured by encrypted channels. Key features of packetized traffic exploited for that purpose are packet lengths, inter-packet times, direction of packets. This work aims at assessing the overhead and delay implied by traffic masking algorithms that conceal the information leakage exploited by statistical traffic analysis. Traffic masking is obtained by reshaping packet lengths and inter-arrival times in a masking device. It is shown that the overhead-delay trade-off of the masking device is optimized by using circuit like traffic shaping, under the constraint of removing information leakage entirely (full privacy). Numerical examples are provided with real traffic traces both for full privacy and for a relaxed heuristic masking algorithm that leaks some information on packet lengths to mitigate the overhead.


traffic monitoring and analysis | 2012

Padding and fragmentation for masking packet length statistics

Alfonso Iacovazzi; Andrea Baiocchi

We aim at understanding if and how complex it is to obfuscate traffic features exploited by statistical traffic flow classification tools. We address packet length masking and define perfect masking as an optimization problem, aiming at minimizing overhead. An explicit efficient algorithm is given to compute the optimum masking sequence. Numerical results are provided, based on measured traffic traces. We find that fragmenting requires about the same overhead as padding does.


international conference on wireless communications and mobile computing | 2012

From ideality to practicability in statistical packet features masking

Alfonso Iacovazzi; Andrea Baiocchi

Traffic flow features like packet lengths, direction, gap times have been shown to carry significant information on the traffic flows they belong to, e.g. enabling application classification with high accuracy and even privacy breaking, even if encryption is used. Such a leakage of user related information can be stopped by modifying the traffic flow features, e.g. for packet lengths by padding, fragmenting or inserting dummy packets. We outline a general approach aiming at full masking of an application layer traffic flow; then, we address the trade-off between information leakage and overhead and we define a practical algorithm to achieve partial traffic masking. Experiments are carried out with traffic captured on real networks. It turns out that overhead can be substantially reduced if requirements on information leakage are not too strict.

Collaboration

Top Co-Authors

Andrea Baiocchi, Sapienza University of Rome
Antonello Rizzi, Sapienza University of Rome
Antonio Cianfrani, Sapienza University of Rome
Marco Listanti, Sapienza University of Rome
Marco Polverini, Sapienza University of Rome
Ludovico Bettini, Sapienza University of Rome
Silvia Colabrese, Istituto Italiano di Tecnologia
Alessandro D'Alconzo, Austrian Institute of Technology