Bruno Bogaz Zarpelão
State University of Campinas
Publication
Featured research published by Bruno Bogaz Zarpelão.
Journal of Network and Systems Management | 2007
Bruno Bogaz Zarpelão; Leonardo de Souza Mendes; Mario Lemes Proença
Detecting anomalies accurately is fundamental to rapid diagnosis and repair of problems. This paper proposes a novel anomaly detection system based on the comparison of real traffic and DSNS (Digital Signature of Network Segment), generated by the BLGBA (Baseline for Automatic Backbone Management) model, within a hysteresis interval using the residual mean and on the correlation of the detected deviations. Extensive experimental results on real network servers confirmed that our system is able to detect anomalies on the monitored devices, avoiding a high false alarm rate.
Global Communications Conference | 2009
Bruno Bogaz Zarpelão; Leonardo de Souza Mendes; Mario Lemes Proença; Joel J. P. C. Rodrigues
This work proposes a parameterized anomaly detection system, based on the method known as profile based. The analysis of network elements is performed in two levels: (i) analysis of Simple Network Management Protocol (SNMP) objects data using a hysteresis-based algorithm to detect behavior deviations; (ii) analysis of alerts generated in the first level using a dependency graph, which represents the relationships between the SNMP objects. The proposed system is also able to configure its own parameters automatically, aiming to meet the network administrator's needs. Tests were performed in a real network environment and great results were obtained.
Journal of Network and Computer Applications | 2012
Alexandre Aguiar Amaral; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes; Joel J. P. C. Rodrigues; Mario Lemes Proença Junior
Many solutions have been proposed for network alarm correlation. However, they have mainly focused on alarm reduction and on root cause analysis. This paper presents an automated alarm correlation system composed of three layers, which obtains raw alarms and presents to the network administrator a wide view of the scenario affected by the volume anomaly. In the preprocessing layer, alarm compression is performed using the alarms' spatial and temporal attributes, which are reduced into a unique alarm named Device Level Alarm (DLA). The correlation layer aims to infer the anomaly propagation path and its origin and destination using DLAs and network topology information. The presentation layer provides the visualization of the path and network elements affected by the anomaly propagation. Moreover, the Anomaly Propagation View (APV) is presented, a graphic tool developed to provide a wide visualization of the network status. In order to evaluate the effectiveness of the proposed solution, real traffic data from State University of Londrina was used.
Multimedia Tools and Applications | 2017
Sylvio Barbon; Rodrigo Augusto Igawa; Bruno Bogaz Zarpelão
Compromising legitimate accounts has been the most used strategy to spread malicious content on OSN (Online Social Network). To address this problem, we propose a pure text mining approach to check if an account has been compromised based on its posts' content. In the first step, the proposed approach extracts the writing style from the user account. The second step comprehends the k-Nearest Neighbors algorithm (k-NN) to evaluate the post content and identify the user. Finally, Baseline Updating (third step) consists of a continuous updating of the user baseline to support the current trends and seasonality issues of the user's posts. Experiments were carried out using a dataset from Twitter composed of tweets of 1000 users. All three steps were individually evaluated, and the results show that the developed method is stable and can detect the compromised accounts. An important observation is the Baseline Updating contribution, which leads to an accuracy enhancement of more than 60%. Regarding average accuracy, the developed method achieved results over 93%.
Innovative Mobile and Internet Services in Ubiquitous Computing | 2012
Andre G. F. Elias; Joel J. P. C. Rodrigues; Luís M. L. Oliveira; Bruno Bogaz Zarpelão
Wireless sensor networks (WSNs) belong to emerging technologies where network devices can interact with the surrounding environment by sensing physical parameters. Recently, with the dissemination of mobile devices with Internet connectivity, users can interact with sensor networks and collect environmental data, anytime, anywhere using user-friendly mobile applications. Following the Internet of Things vision, the integration of all sorts of Internet-based devices is considered a big challenge. New infrastructures are required in order to interconnect these devices independently of the used technologies. This paper proposes a model for WSN monitoring based on a REST Web service and XML messages to provide a mobile ubiquitous approach for WSN monitoring. Data collected from a WSN is stored in a database. Then, mobile clients send XML-based messages to an HTTP server through a well-defined REST interface, requesting WSN collected data. A WSN laboratory test bed was used to perform the evaluation, demonstration, and validation of the proposed model. Results show that the proposed solution is able to collect and present data in a mobile environment, and it is ready for use.
Computer Communications | 2017
Alexandre Aguiar Amaral; Leonardo de Souza Mendes; Bruno Bogaz Zarpelão; Mario Lemes Proença Junior
Taking into account the accelerated rate of network growth, the occurrence of anomalies becomes inevitable. A single anomaly can affect the network performance so it is crucial to detect its origin. However, when different kinds of anomalies are present at the same time, it becomes more complicated to detect their root causes. In addition, the network administrator has to deal with questions related to network health, such as bandwidth bottlenecks, and network misuse. Detecting these problems quickly is essential to take appropriate countermeasures. Although many solutions have been proposed to detect anomalies, they do not address other important questions related to network health. In this paper, a system capable of detecting and classifying the anomalies, and extracting detailed information from the network usage, is presented. A graph representation is used, allowing a deep inspection of the IP flows exchanged between the active devices in the network. The Tsallis entropy is applied to detect anomalies. Furthermore, the proposed system allows the network administrator to create metrics to monitor and acquire detailed information about the network equipment, services, and users. Tests using real and artificial datasets demonstrate the effectiveness of the proposed system to detect simultaneous anomalies, and to provide useful information for network-management tasks.
The Internet of Things | 2014
Luís M. L. Oliveira; Joel J. P. C. Rodrigues; Andre G. F. Elias; Bruno Bogaz Zarpelão
Wireless Sensor Networks (WSNs) belong to a new trend in technology in which tiny and resource-constrained devices are wirelessly interconnected and are able to interact with the surrounding environment by collecting data such as temperature and humidity. Recently, due to the huge growth in the use of mobile devices with Internet connection, smartphones are becoming the center of future ubiquitous wireless networks. Interconnecting WSNs with smartphones and the Internet is a big challenge and new architectures are required due to the heterogeneity of these devices. Taking into account that people are using smartphones with Internet connection, there is a good opportunity to propose a new architecture for wireless sensors monitoring using push notifications and smartphones. Then, this paper proposes a ubiquitous approach for WSN monitoring based on a REST Web Service, a relational database, and an Android mobile application. Real-time data sensed by WSNs are sent directly to a smartphone or stored in a database and requested by the mobile application using a well-defined RESTful interface. A push notification system was created in order to alert mobile users when a sensor parameter overcomes a given threshold. The proposed architecture and mobile application were evaluated and validated using a laboratory WSN testbed and are ready for use.
Global Communications Conference | 2010
Moisés F. Lima; Lucas Dias Hiera Sampaio; Bruno Bogaz Zarpelão; Joel J. P. C. Rodrigues; Taufik Abrão; Mario Lemes Proença
This paper presents an anomaly detection method using Digital Signature of Network Segment (DSNS) and Particle Swarm Optimization-based clustering (PSO-Cls). The PSO algorithm is an evolutionary computation technique whose main characteristics include low computational complexity, ability to escape from local optima, and small number of input parameters dependence, when compared to other evolutionary algorithms, e.g. genetic algorithms (GA). In the PSO-Cls algorithm, swarm intelligence is combined with K-means clustering, in order to achieve high convergence rates. On the other hand, DSNS consists of normal network traffic behavior profiles, generated by the application of Baseline for Automatic Backbone Management (BLGBA) model in SNMP historical network data set. The proposed approach identifies and classifies data clusters from DSNS and real traffic, using swarm intelligence. Anomalous behaviors can be easily identified by comparing real traffic and cluster centroids. Tests were performed in the network of State University of Londrina and the obtained detection and false alarm rates are promising.
Cyber Security and Information Intelligence Research Workshop | 2013
Rodrigo Sanches Miani; Michel Cukier; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes
Finding relevant metrics in information security is an important but difficult problem. In this paper, we propose to empirically investigate the relevance of different security metrics that could be derived from intrusion prevention system (IPS) alert events and computer security incident data. Based on the data provided by the University of Maryland, we show that IPS metrics are linked to security incidents, and also that different types of security incidents have different significant metrics. These results can be used for identifying possible candidates for security incident indicators, developing methods to improve incident prevention and helping organizations interpret their IPSs better in the future.
International Journal of Network Management | 2013
Luis Henrique Gibeli; Gean Davis Breda; Rodrigo Sanches Miani; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes
In the last century, owing to the constant evolution of technologies, telecommunication networks have become increasingly robust, being able to support multiple services. These services are part of the heterogeneous network traffic that can be carried through the Internet. Many of these services, including VoIP, are latency sensitive. In other words, this means that their quality depends directly on the network quality of service. Since users tend to become more sensitive with the instability and unavailability of the network, it is important to improve traffic management. A particular type of data that could be used to improve VoIP traffic management is the Internet Protocol Detail Record (IPDR). IPDRs are tickets created by all VoIP call attempts which contain a group of information related to the call history. Because of its full range of information, IPDRs can be used to create VoIP traffic baselines. This paper presents the development of baselines based on IPDRs to support VoIP traffic management in open-access Metropolitan Area Networks (MAN).