Christian Doerr

OpenNetMon: Network monitoring in OpenFlow Software-Defined Networks

We present OpenNetMon, an approach and open-source software implementation to monitor per-flow metrics, especially throughput, delay and packet loss, in OpenFlow networks. Currently, ISPs over-provision capacity in order to meet QoS demands from customers. Software-Defined Networking and OpenFlow allow for better network control and flexibility in the pursuit of operating networks as efficiently as possible. Where OpenFlow provides interfaces to implement fine-grained Traffic Engineering (TE), OpenNetMon provides the monitoring necessary to determine whether end-to-end QoS parameters are actually met and delivers the input for TE approaches to compute appropriate paths. OpenNetMon polls edge switches, i.e. switches with flow end-points attached, at an adaptive rate that increases when flow rates differ between samples and decreases when flows stabilize to minimize the number of queries. The adaptive rate reduces network and switch CPU overhead while optimizing measurement accuracy. We show that not only local links serving variable bit-rate video streams, but also aggregated WAN links benefit from an adaptive polling rate to obtain accurate measurements. Furthermore, we verify throughput, delay and packet loss measurements for bursty scenarios in our experiment testbed.

Lognormal infection times of online information spread

The infection times of individuals in online information spread such as the inter-arrival time of Twitter messages or the propagation time of news stories on a social media site can be explained through a convolution of lognormally distributed observation and reaction times of the individual participants. Experimental measurements support the lognormal shape of the individual contributing processes, and have resemblance to previously reported lognormal distributions of human behavior and contagious processes.

Metric convergence in social network sampling

While enabling new research questions and methodologies, the massive size of social media platforms also poses a significant issue for the analysis of these networks. In order to deal with this data volume, researchers typically turn to samples of these graph structures to conduct their analysis. This however raises the question about the representativeness of such limited crawls, and the amount of data necessary to come to stable predictions about the underlying systems. This paper analyzes the convergence of six commonly used topological metrics as a function of the crawling method and sample size used. We find that graph crawling methods drastically over- and underestimate network metrics, and that a non-trivial amount of data is needed to arrive at a stable estimate of the underlying network.

All quiet on the internet front

With the proliferation and increasing dependence of many services and applications on the Internet, this network has become a vital societal asset. This creates the need to protect this critical infrastructure, and over the past years a variety of resilience schemes have been proposed. The effectiveness of protection schemes, however, highly depends on the causes and circumstances of Internet failures, but a detailed comprehensive study of this is not yet available to date. This article provides a high-level summary of an evaluation of Internet failures over the past six years, and presents a number of recommendations for future network resilience research.

Context-Sensitive sentiment classification of short colloquial text

The wide-spread popularity of online social networks and the resulting availability of data to researchers has enabled the investigation of new research questions, such as the analysis of information diffusion and how individuals are influencing opinion formation in groups. Many of these new questions however require an automatic assessment of the sentiment of user statements, a challenging task further aggravated by the unique communication style used in online social networks. This paper compares the sentiment classification performance of current analyzers against a human-tagged reference corpus, identifies the major challenges for sentiment classification in online social applications and describes a novel hybrid system that achieves higher accuracy in this type of environment.

How much do your friends know about you?: reconstructing private information from the friendship graph

After the early land rush and fast exponential growth of online social networking platforms, concerns about how data placed in online social networks may be exploited and abused have begun to appear among mainstream users. Social networking sites have responded to these new public sentiments by introducing privacy filters to their site, allowing users to specify which aspects of their profile are visible to whom. In this paper, we demonstrate that such an approach to privacy and informational self-determination is largely futile: as we form social relations and build networks with those alike us, much of who we are and what we do can be reconstructed from unhidden parts of the social graph.

Are friends overrated?: a study for the social aggregator digg.com

The key feature of online social networks is the ability of users to become active, make friends and interact with those around them. Such interaction is typically perceived as critical to these platforms; therefore, a significant share of research has investigated the characteristics of social links, friendship relations, community structure, searching for the role and importance of individual members. In this paper, we present results from a multi-year study of the online social network Digg.com, indicating that the importance of friends and the friend network in the propagation of information is less than originally perceived. While we note that users form and maintain social structure, the importance of these links and their contribution is very low: Even nearly identically interested friends are only activated with a probability of 2% and only in 50% of stories that became popular we find evidence that the social ties were critical to the spread.

eFuzz: A Fuzzer for DLMS/COSEM Electricity Meters

Smart grids enable new functionalities like remote and micro management and consequently, provide increased efficiency, easy management and effectiveness of the entire power grid infrastructure. In order to achieve this, smart meters are attached to the communication network, collecting fine granular data. Unfortunately, as the smart meters are limited devices connected to the network and running software, they also make the whole smart grid more vulnerable than the traditional grids in term of software problems and even possible cyber attacks. In this paper, we work towards an increased software security of smart metering devices and propose a fuzzing framework, eFuzz, built on the generic fuzzing framework Peach to detect software problems. eFuzz tests smart metering devices based on the communication protocol DLMS/COSEM, the standard protocol used in Europe, for possible faults. Our experiments prove the effectiveness of using an automated fuzzing framework compared to resource demanding, human made software protocol inspections. As an example, eFuzz detected between 10 and 40 bugs in different configurations in less than 3 hours while a manual inspection takes weeks. We also investigate the quality of the eFuzz results by comparing with the traditional non-automated evaluation of the same device with respect to scope and efficiency. Our analysis shows that eFuzz is a powerful tool for security inspections for smart meters, and embedded systems in general.

Discovering Bitcoin Mixing Using Anomaly Detection

Bitcoin is a peer-to-peer electronic currency system which has increased in popularity in recent years, having a market capitalization of billions of dollars. Due to the alleged anonymity of the Bitcoin ecosystem, it has attracted the attention of criminals. Mixing services are intended to provide further anonymity to the Bitcoin network, making it impossible to link the sender of some money with the receiver. These services can be used for money laundering or to finance terrorist groups without being detected. We propose to model the Bitcoin network as a social network and to use community anomaly detection to discover mixing accounts. Furthermore, we present the first technique for detecting Bitcoin accounts associated to money mixing, and demonstrate our proposal effectiveness on real data, using known mixing accounts.

Popularity-based Detection of Domain Generation Algorithms

In order to stay undetected and keep their operations alive, cyber criminals are continuously evolving their methods to stay ahead of current best defense practices. Over the past decade, botnets have developed from using statically hardcoded IP addresses and domain names to randomly-generated ones, so-called domain generation algorithms (DGA). Malicious software coordinated via DGAs leaves however a distinctive signature in network traces of high entropy domain names, and a variety of algorithms have been introduced to detect certain aspects about currently used DGAs. In this paper, we look ahead and evaluate the utility of todays detection mechanisms if botnets make the next obvious evolutionary step, and replace domain names generated from random letters with randomly selected, but actual dictionary words. We find that the performance of state-of-the-art solutions that rely on linguistic feature detection would significantly decline after this transition, and discuss an alternative novel approach to detect DGAs without making any assumptions on the internal structure and generating patterns of these algorithms.