Angelos K. Marnerides

Traffic anomaly diagnosis in Internet backbone networks

Computer networks are becoming increasingly important in supporting business and everyday activities. In particular, the Internet has become part of the critical infrastructure and has a strategic importance in our society and in the digital economy. These developments have led to a highly dynamic network utilization, where traffic fluctuations and seemingly random and anomalous traffic patterns are commonly manifested and hard to diagnose. In order to ensure the protection and resilience of such networks, it is necessary to better analyze and observe network traffic. Thus, anomaly diagnosis aims to discover and characterize critical anomalies affecting the network infrastructure, where the source of these anomalies may be deliberately malicious (e.g. attacks) or unintentional (e.g. failures, misconfigurations or legitimate but abnormal use of the network such as in flash crowds). However, although there is a multitude of algorithms and techniques looking at different elements of the analysis of network traffic anomalies, most research typically focuses on a specific aspect or methodology and there is very little regard for the overall context. This survey aims to present a comprehensive investigation of the current state of the art within the network anomaly diagnosis domain, in particular for Internet backbone networks. We decompose the overall anomaly diagnosis problem spectrum into four main dimensions, namely, processing costs, diagnosis granularity, theoretical methodologies and traffic features. Subsequently the anomaly diagnosis research area is structured further and an overview of the most relevant research is provided by individually reviewing each component of the problem spectrum and proposed solutions with a deeper focus on methodologies and features. Further, we also present and review seminal pieces of work that are considered cornerstones of the anomaly diagnosis research domain.

Malware analysis in cloud computing: Network and system characteristics

The deployment of cloud computing environments is increasingly common, and we are implicitly reliant on them for many services. However, their dependence on virtualised computer and network infrastructures introduces risks related to system resilience. In particular, the virtualised nature of the cloud has not yet been thoroughly studied with respect to security issues including vulnerabilities and appropriate anomaly detection. This paper proposes an approach for the investigation and analysis of malware in virtualised environments. We carry out an analysis, on a system and network-wide scale, and further pinpoint some system and network features specifically by studying the example of the Kelihos malware.

Power Consumption Profiling Using Energy Time-Frequency Distributions in Smart Grids

Smart grids are power distribution networks that include a significant communication infrastructure, which is used to collect usage data and monitor the operational status of the grid. As a consequence of this additional infrastructure, power networks are at an increased risk of cyber-attacks. In this letter, we address the problem of detecting and attributing anomalies that occur in the sub-meter power consumption measurements of a smart grid, which could be indicative of malicious behavior. We achieve this by clustering a set of statistical features of power measurements that are determined using the Smoothed Pseudo Wigner Ville (SPWV) energy Time-Frequency (TF) distribution. We show how this approach is able to more accurately distinguish clusters of energy consumption than simply using raw power measurements. Our ultimate goal is to apply the principles of profiling power consumption measurements as part of an enhanced anomaly detection system for smart grids.

Short term power load forecasting using Deep Neural Networks

Accurate load forecasting greatly influences the planning processes undertaken in operation centres of energy providers that relate to the actual electricity generation, distribution, system maintenance as well as electricity pricing. This paper exploits the applicability of and compares the performance of the Feed-forward Deep Neural Network (FF-DNN) and Recurrent Deep Neural Network (R-DNN) models on the basis of accuracy and computational performance in the context of time-wise short term forecast of electricity load. The herein proposed method is evaluated over real datasets gathered in a period of 4 years and provides forecasts on the basis of days and weeks ahead. The contribution behind this work lies with the utilisation of a time-frequency (TF) feature selection procedure from the actual “raw” dataset that aids the regression procedure initiated by the aforementioned DNNs. We show that the introduced scheme may adequately learn hidden patterns and accurately determine the short-term load consumption forecast by utilising a range of heterogeneous sources of input that relate not necessarily with the measurement of load itself but also with other parameters such as the effects of weather, time, holidays, lagged electricity load and its distribution over the period. Overall, our generated outcomes reveal that the synergistic use of TF feature analysis with DNNs enables to obtain higher accuracy by capturing dominant factors that affect electricity consumption patterns and can surely contribute significantly in next generation power systems and the recently introduced SmartGrid.

Internet traffic classification using energy time-frequency distributions

We present a fundamentally new approach to classify application flows based on the mapping of aggregate transport-layer volume information onto the Time-Frequency (TF) plane. We initially show that the volume persona (i.e. counts of packets and bytes) of traffic flows at the transport layer exhibits highly non-stationary characteristics, hence rendering many typical classification methods inapplicable. By virtue of this constraint, we present a novel application classification method based on the Cohen energy TF distributions for such highly non-stationary signals. We have used the Rényi information to measure the distinct complexity of any given application signal, and to subsequently construct a robust training model for every application protocol within our scheme. The effectiveness of our approach is demonstrated using real backbone and edge link network traces captured in US and Japan. Our results show that for the majority of applications, aggregate volume-based classification can reach up to 96% accuracy, while considering significantly less features in comparison with existing approaches.

Content Relevance Opportunistic Routing for Wireless Multimedia Sensor Networks

Wireless Multimedia Sensor Networks (WMSNs) are considered as one of the most prominent infrastructures for human-centric multimedia applications due to the wide availability of low-cost hardware such as microphones and CMOS cameras. By virtue of the energy limitations on sensor nodes alongside the explicit highly demanding bandwidth requirements of real-time multimedia applications, these particular networks foster a set of non-trivial challenges that need to be confronted. In this paper we define a level of relevance in regards with the content of a multimedia packet and we further introduce a dynamic routing protocol that optimizes the overall network performance in terms of energy efficiency and packet delay. We present the design, implementation and applicability of our Content Relevance Opportunistic Routing (CROR) protocol under experimental results that show an increase in network lifetime of up to 20% compared with traditional routing.

Detection and mitigation of abnormal traffic behaviour in autonomic networked environments

Autonomic network environments are required to be resilient. Resilience is defined as the ability for a network to provide and maintain an acceptable level of service in the face of various challenges to normal operation [1]. Traffic abnormalities are a great challenge and it is vital for any network to be supported by resilient mechanisms in order to detect and mitigate such events. In this document we present our measurement-based resilience architecture and we argue that the correct combination of already proposed theoretical methodologies and mechanisms present in our architecture compose a powerful defence mechanism that satisfies autonomic properties such as self-protection and self-optimization. In addition we refer to our intentions of testing our proposed architecture within the ANA project [2] in order to justify our hypothesis.

Towards a Distributed, Self-organising Approach to Malware Detection in Cloud Computing

Cloud computing is an increasingly popular platform for both industry and consumers. The cloud presents a number of unique security issues, such as a high level of distribution and system homogeneity, which require special consideration. In this paper we introduce a resilience architecture consisting of a collection of self-organising resilience managers distributed within the infrastructure of a cloud. More specifically we illustrate the applicability of our proposed architecture under the scenario of malware detection. We describe our multi-layered solution at the hypervisor level of the cloud nodes and consider how malware detection can be distributed to each node.

Autonomic diagnosis of anomalous network traffic

Network traffic abnormalities pose one of the greatest threats for networked environments. Autonomic communications offer a solution: it should be possible to design network mechanisms that behave adaptively and respond to any anomalous phenomenon that threatens normal network behaviour. In this paper we present the design of an adaptive anomaly detection component that has been built as part of an autonomic network system. We have implemented an entropy estimator to predict the onset of anomalous traffic behaviour within an autonomic resilience framework, and a Supervised Naive Bayesian classifier which synergistically empower the core properties of self-adaptation, self-learning and self-protection for next generation networks. Being part of an always-on, automated measurement and control infrastructure, such mechanism enforces the adaptive system reaction to suboptimal network operation and its subsequent restoration, while requiring minimal static (re)configuration and operator intervention.

Analysis and characterisation of botnet scan traffic

Botnets compose a major source of malicious activity over a network and their early identification and detection is considered as a top priority by security experts. The majority of botmasters rely heavily on a scan procedure in order to detect vulnerable hosts and establish their botnets via a command and control (C&C) server. In this paper we examine the statistical characteristics of the scan process invoked by the Mariposa and Zeus botnets and demonstrate the applicability of conditional entropy as a robust metric for profiling it using real pre-captured operational data. Our analysis conducted on real datasets demonstrates that the distributional behaviour of conditional entropy for Mariposa and Zeus-related scan flows differs significantly from flows manifested by the commonly used NMAP scans. In contrast with the typically used by attackers Stealth and Connect NMAP scans, we show that consecutive scanning flows initiated by the C&C servers of the examined botnets exhibit a high dependency between themselves in regards of their conditional entropy. Thus, we argue that the observation of such scan flows under our proposed scheme can sufficiently aid network security experts towards the adequate profiling and early identification of botnet activity.