Cristian Morariu
University of Zurich
Publication
Featured research published by Cristian Morariu.
IEEE Communications Surveys and Tutorials | 2010
Anna Sperotto; Gregor Schaffrath; Ramin Sadre; Cristian Morariu; Aiko Pras; Burkhard Stiller
Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and denial-of-service (DoS) attacks.
local computer networks | 2008
Cristian Morariu; Burkhard Stiller
IP traffic measurements form the basis of several network management tasks, such as accounting, planning, intrusion detection, and charging. High-speed network links challenge traditional IP traffic analysis tools with their high amount of carried data that needs to be processed within a small amount of time. Centralized traffic measurements for high-speed links typically require high-performance capturing hardware that usually comes with a high cost. Software-based capturing solutions, such as libpcap or PF_RING, cannot cope with those high data rates and experience high packet losses. Thus, this paper proposes a scalable architecture and its implementation for Distributed Packet Capturing (DiCAP) based on inexpensive off-the-shelf hardware running the Linux operating system. The prototype designed has been tested as an implementation and was evaluated against other Linux capturing tools. The evaluation shows that DiCAP can perform loss-less IP packet header capture at high-speed packet rates when used alone and that it can highly improve the performance of libpcap or PF_RING when used in combination with those.
international conference on peer-to-peer computing | 2008
Fabio Victora Hecht; Thomas Bocek; Cristian Morariu; David Hausheer; Burkhard Stiller
The increasing assortment of devices with IP connectivity contributes to the high popularity of video sharing over the Internet. High traffic generated by such applications at the source can be better distributed using a peer-to-peer overlay, since every user forwards information to other users. Current implementations target either live or on-demand video streaming. LiveShift is an application that combines both approaches. While video is transmitted through the peer-to-peer network in a live fashion, all peers participate in a distributed storage. This adds the ability to replay time-shifted streams from other peers in a distributed and scalable manner. For the demonstration, a decentralized network is used, with peers running on EMANICSLab nodes and notebook computers.
workshop on local and metropolitan area networks | 2008
Cristian Morariu; Thierry Kramis; Burkhard Stiller
The storage of IP traffic traces increasingly grows more complex, since data flows tend to increase largely over time. Network operators' backbones generate each day hundreds of gigabytes of IP flow records that need to be stored and analyzed. Handling such an amount of data requires high-performance hardware and software. One way to leverage performance requirements of storing and analyzing traffic data is to design a distributed platform to replace centralized solutions existing today. This paper designs a scalable storage platform for IP flow records. The evaluation of the implemented prototype shows that such an approach can offer a good and practical solution for storing and retrieving high amounts of IP flow records.
broadband communications, networks and systems | 2006
Cristian Morariu; Martin Waldburger; Burkhard Stiller
The adoption of the Internet Protocol (IP) by a number of non-IP network operators, such as telecom or cable TV operators, opens the path toward new business models. IP will allow operators to provide a unified wired as well as wireless access to a wide range of services to their users. Additionally, using the same communication protocols and standard interfaces, enables different providers to coordinate any type of resources in virtual organizations (VO) and supports the composition of services aggregated across multiple domains. On one hand, such an open environment requires new business models to be adopted by the involved parties. On the other hand, grid middleware infrastructure supporting integrated accounting, charging, pricing, and billing across multiple domains has to be in place to facilitate service provisioning in multiple VOs. Based on the relevant set of requirements derived, a new and extended A4C Architecture (Authentication, Authorization, Accounting, Auditing, Charging) has been developed, implemented, and evaluated for mobile grids providing pervasive access to knowledge.
ist mobile and wireless communications summit | 2007
Peter Racz; Juan E. Burgos; Nuno Inácio; Cristian Morariu; Vicente Olmedo; Víctor A. Villagrá; Rui L. Aguiar; Burkhard Stiller
Grid networks aim to build a future architecture for efficient resource sharing and distributed service provisioning in a multi-provider environment. However, mobility, QoS support, and commercial service provisioning (all essential issues in future networks) pose new challenges to grid networks, both from a technical and economic point of view. Therefore, the Akogrimo project aims at developing an integrated service architecture for commercial mobile grid networks. This paper presents the Akogrimo architecture and its key characteristics, integrating mobility and network layer QoS support in a commercial grid environment.
network operations and management symposium | 2010
Cristian Morariu; Peter Racz; Burkhard Stiller
Analysis of IP traffic is highly important, since it determines the starting point of many network management operations, such as intrusion detection, network planning, network monitoring, or accounting and billing. One of the most utilized metering data formats in analysis applications are IP (Internet Protocol) flow records. With the increase of IP traffic, such traffic analysis applications need to cope with a constantly increasing number of flow records. Typically, centralized approaches to IP traffic analysis have scalability problems, which are addressed by replacing existing hardware with more powerful CPUs and faster memory. In contrast, this paper developed and implemented SCRIPT (Scalable Real-time IP Flow Record Analysis), which defines a scalable analysis framework that can be used to distribute flow records to multiple nodes performing traffic analysis in order to balance the overall workload among those nodes. Due to its generic design, the framework developed can be extended and used to distribute other metering data, such as packet headers, payloads, or accounting records.
Praxis Der Informationsverarbeitung Und Kommunikation | 2007
Martin Waldburger; Cristian Morariu; Peter Racz; Jürgen Jähnert; Stefan Wesner; Burkhard Stiller
The use of wireless networking technologies has emerged over recent years in many application domains. The area of grids determines a potentially huge application domain, since the typical centralized computing centers require access from anywhere, e.g., from field engineers who are situated in a wireless network domain. Thus, the integration of suitable business views on mobile grids, of grid views on available technologies, and network views in a fully IP-based network domain determines the key challenge. The Akogrimo project's architecture developed is outlined and discussed in this paper and provides the major details required to offer a fully integrated and interoperable solution for those three views of concern.
distributed systems operations and management | 2009
Cristian Morariu; Peter Racz; Burkhard Stiller
Experiments using real traffic traces are of key importance in many network management research fields, such as traffic characterization, intrusion detection, and accounting. Access to such traces is often restricted due to privacy issues; research institutions typically have to sign non-disclosure agreements before accessing such traces from a network operator. Having such restrictions, researchers rarely have more than one source of traffic traces on which to run and validate their experiments. Therefore, this paper develops a Distributed Platform for Sharing IP Flows (DipSIF) based on NetFlow records between multiple institutions. It is assumed that NetFlow traces collected by each participant are archived on separate storage hosts within their premises and then made available to others using a server that acts as a gateway to the storage. Due to privacy reasons the platform presented here uses a prefix-preserving, cryptography-based, and consistent anonymization algorithm in order to comply with different regulations determining the exchange of traffic trace data.
integrated network management | 2011
Cristian Morariu; Burkhard Stiller
This thesis investigated how performance of today's IP traffic metering and analysis applications can be improved by moving from a centralized, high-performance infrastructure, which executes these tasks, to distributed mechanisms, which combine available resources of multiple devices. The results achieved show that distributed IP traffic metering and analysis leverages bottleneck problems. The distributed IP traffic approach DITA does not solve all problems of handling such large amounts of data in very short time by itself, but proposes an orthogonal approach to existing solutions. DITA reveals that combining distributed IP traffic metering and analysis reaches better and higher performance sampling and aggregation mechanisms, which do provide a very flexible and open solution to analyzing IP traffic in future high-speed networks. This has been achieved by the facts that all mechanisms designed for DITA — and their prototypical implementations — are based on standard protocols and open-source technologies. DITA determines the first approach to distributed IP traffic metering and analysis known today, which (a) addresses the different bottlenecks of traffic analysis in a generic way, and (b) is self-organizing, offering a scalable solution to regular traffic increases.