Christian Callegari

Skype-Hunter: A real-time system for the detection and classification of Skype traffic

In the previous years, Skype has gained more and more popularity, since it is seen as the best VoIP software with good quality of sound, ease of use and one that works everywhere and with every OS. Because of its great diffusion, both the operators and the users are, for different reasons, interested in detecting Skype traffic. In this paper we propose a real-time algorithm (named Skype-Hunter) to detect and classify Skype traffic. In more detail, this novel method, by means of both signature-based and statistical procedures, is able to correctly reveal and classify the signaling traffic as well as the data traffic (calls and file transfers). To assess the effectiveness of the algorithm, experimental tests have been performed with several traffic data sets, collected in different network scenarios. Our system outperforms the ‘classical’ statistical traffic classifiers as well as the state-of-the-art ad hoc Skype classifier. Copyright

DataTraffic Monitoring and Analysis: from measurement, classification, and anomaly detection to quality of experience

The Internet has opened new avenues for information accessing and sharing in a variety of media formats. Such popularity has resulted in an increase of the amount of resources consumed in backbone links, whose capacities have witnessed numerous upgrades to cope with the ever-increasing demand for bandwidth. Consequently, network traffic processing at today’s data transmission rates is a very demanding task, which has been traditionally accomplished by means of specialized hardware tailored to specific tasks. However, such approaches lack either of flexibility or extensibility—or both. As an alternative, the research community has pointed to the utilization of commodity hardware, which may provide flexible and extensible cost-aware solutions, ergo entailing large reductions of the operational and capital expenditure investments. In this chapter, we provide a survey-like introduction to high-performance network traffic processing using commodity hardware. We present the required background to understand the different solutions proposed in the literature to achieve high-speed lossless packet capture, which are reviewed and compared.High-Performance Network Traffic Processing Systems Using Commodity Hardware.- Active Techniques for Available Bandwidth Estimation: Comparison and Application.- Internet Topology Discovery.- Internet PoP Level Maps.- Analysis of Packet Transmission Processes in Peer-to-Peer Networks by Statistical Inference Methods.- Reviewing Traffic Classification.- A Methodological Overview on Anomaly Detection.- Changepoint Detection Techniques for VoIP Traffic.- Distribution-Based Anomaly Detection in Network Traffic.- From Packets to People: Quality of Experience as a New Measurement Challenge.- Internet Video Delivery in YouTube: From Traffic Measurements to Quality of Experience.- Quality Evaluation in Peer-to-Peer IPTV Services.- Cross-Layer FEC-Based Mechanism for Packet Loss Resilient Video Transmission.- Approaches for Utility-Based QoE-Driven Optimization of Network Resource Allocation for Multimedia Services.- Active Techniques for Available Bandwidth Estimation: Comparison and Application.- Internet Topology Discovery.- Internet PoP Level Maps.- Analysis of Packet Transmission Processes in Peer-to-Peer Networks by Statistical Inference Methods.- Reviewing Traffic Classification.- A Methodological Overview on Anomaly Detection.- Changepoint Detection Techniques for VoIP Traffic.- Distribution-Based Anomaly Detection in Network Traffic.- From Packets to People: Quality of Experience as a New Measurement Challenge.- Internet Video Delivery in YouTube: From Traffic Measurements to Quality of Experience.- Quality Evaluation in Peer-to-Peer IPTV Services.- Cross-Layer FEC-Based Mechanism for Packet Loss Resilient Video Transmission.- Approaches for Utility-Based QoE-Driven Optimization of Network Resource Allocation for Multimedia Services.

When randomness improves the anomaly detection performance

The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management. The problem has been faced by many researchers, but still remains an open field, since a general solution has not been found yet. In this paper we want to demonstrate as the performance of well-known methods for network anomaly detection can be improved, by performing a random aggregation of the data, before looking for the anomalies. In more detail, we show that, in two distinct cases (chosen as representative of the state-of-the-art in the field) the use of the sketches strongly improves the achieved performance.

A methodological overview on anomaly detection

In this Chapter we give an overview of statistical methods for anomaly detection (AD), thereby targeting an audience of practitioners with general knowledge of statistics. We focus on the applicability of the methods by stating and comparing the conditions in which they can be applied and by discussing the parameters that need to be set.

Improving PCA‐based anomaly detection by using multiple time scale analysis and Kullback–Leibler divergence

SUMMARY The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management. In this paper, we address the problem considering a method based on PCA for detecting network anomalies. In more detail, this paper presents a new technique that extends the state of the art in PCA-based anomaly detection. Indeed, by means of multi-scale analysis and Kullback–Leibler divergence, we are able to obtain great improvements with respect to the performance of the ‘classical’ approach. Moreover, we also introduce a method for identifying the flows responsible for an anomaly detected at the aggregated level. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method.Copyright

WAVE-CUSUM: Improving CUSUM performance in network anomaly detection by means of wavelet analysis

The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management and many detection techniques, able to promptly reveal and identify network attacks, mainly detecting Heavy Changes in the network traffic, have been proposed. Among these, one of the most promising approach is based on the use of the CUSUM (CUmulative SUM). Nonetheless, CUSUM performance is strongly affected by its sensitivity to the presence of seasonal trends in the considered data. For this reason, in this paper we propose a novel detection method based on the idea of performing a pre-processing stage of the data by means of wavelets, aimed at filtering out such trends, before applying the CUSUM algorithm. The performance analysis, presented in the paper, demonstrates the efficiency of the proposed method, focusing on the performance improvements due to the pre-processing stage.

Waterfall: Rapid Identification of IP Flows Using Cascade Classification

In the last years network traffic classification has attracted much research effort, given that it represents the foundation of many Internet functionalities such as Quality of Service (QoS) enforcement, monitoring, and security. Nonetheless, the proposed works are not able to satisfactorily solve the problem, usually being suitable for only addressing a given portion of the whole network traffic and thus none of them can be considered an ultimate solution for network classification.

Combining sketches and wavelet analysis for multi time-scale network anomaly detection

With the rapid development and the increasing complexity of computer and communication systems and networks, traditional security technologies and measures can not meet the demand for integrated and dynamic security solutions. In this scenario, the use of Intrusion Detection Systems has emerged as a key element in network security. In this paper we address the problem proposing a wavelet-based technique able to detect network anomalies almost in real-time. In more detail, our approach is based on the combined use of sketches and wavelet analysis to reveal the anomalies in data collected at the router level. Moreover, to improve the detection rate we propose a multi time-scale analysis. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method.

G-RDM: A New Bandwidth Constraints Model for DS-TE Networks

MPLS traffic engineering (TE) allows the creation of end-to-end paths across the network with bandwidth reservations. The main drawback of the basic MPLS-TE model is that it operates at an aggregate level and so it is unaware of traffic classes. DiffServ-aware MPLS-TE (DS- TE) refines the MPLS-TE model by allowing bandwidth reservations to be carried out on a per-class basis. The result is the ability to give strict QoS guarantees while optimizing the use of network resources. Bandwidth constraints models play a key role in the DS-TE architecture, since they establish how bandwidth is distributed among different classes. In this paper, we first present a new bandwidth constraints model, called G-RDM. Then, we compare the performance of G-RDM with respect to MAM and RDM in different scenarios by means of an analytical model based on Markov-chains. The results show that G-RDM, joining the best features of MAM and RDM, allows to improve their performance.

A Survey of Congestion Control Mechanisms in Linux TCP

The Transmission Control Protocol (TCP) is used by the vast majority of Internet applications. Since its introduction in the 1970s, a lot of variants have been proposed to cope with the different network conditions we can have (e.g., wired networks, wireless networks, satellite links) and nowadays Linux OS includes 13 different TCP variants. The aim of this paper is to provide a complete survey of the different congestion control mechanisms used by the variants of the TCP implemented in the Linux Kernel 2.6.x.