Publication


Featured research published by Dinil Mon Divakaran.


Computer Networks | 2015

SLIC: Self-Learning Intelligent Classifier for network traffic

Dinil Mon Divakaran; Le Su; Yung Siang Liau; Vrizlynn L. L. Thing

Internet traffic classification plays an important role in the field of network security and management. Past research works utilize flow-level statistical features for accurate and efficient classification, such as the nearest-neighbor based supervised classifier. However, classification accuracy of supervised approaches is significantly affected if the size of the training set is small. More importantly, the model built using a static training set will not be able to adapt to the non-static nature of Internet traffic. With the drastic evolution of the Internet, network traffic cannot be assumed to be static. In this paper, we develop the concept of ‘self-learning’ to deal with these two challenges. We propose, design and develop a new classifier called Self-Learning Intelligent Classifier (SLIC). SLIC starts with a small number of training instances, self-learns and rebuilds the classification model dynamically, with the aim of achieving high accuracy in classifying non-static traffic flows. We carry out performance evaluations using two real-world traffic traces, and demonstrate the effectiveness of SLIC. The results show that SLIC achieves significant improvement in accuracy compared to the state-of-the-art approach.


IEEE Transactions on Information Forensics and Security | 2017

FACT: A Framework for Authentication in Cloud-Based IP Traceback

Long Cheng; Dinil Mon Divakaran; Aloysius Wooi Kiak Ang; Wee Yong Lim; Vrizlynn L. L. Thing

IP traceback plays an important role in cyber investigation processes, where the sources and the traversed paths of packets need to be identified. It has a wide range of applications, including network forensics, security auditing, network fault diagnosis, and performance testing. Despite a plethora of research on IP traceback, the Internet is yet to see a large-scale practical deployment of traceback. Some of the major challenges that still impede an Internet-scale traceback solution are, concern of disclosing Internet Service Provider (ISP’s) internal network topologies (in other words, concern of privacy leak), poor incremental deployment, and lack of incentives for ISPs to provide traceback services. In this paper, we argue that cloud services offer better options for the practical deployment of an IP traceback system. We first present a novel cloud-based traceback architecture, which possesses several favorable properties encouraging ISPs to deploy traceback services on their networks. While this makes the traceback service more accessible, regulating access to traceback service in a cloud-based architecture becomes an important issue. Consequently, we address the access control problem in cloud-based traceback. Our design objective is to prevent illegitimate users from requesting traceback information for malicious intentions (such as ISPs topology discovery). To this end, we propose a temporal token-based authentication framework, called FACT, for authenticating traceback service queries. FACT embeds temporal access tokens in traffic flows, and then delivers them to end-hosts in an efficient manner. The proposed solution ensures that the entity requesting for traceback service is an actual recipient of the packets to be traced. Finally, we analyze and validate the proposed design using real-world Internet data sets.


IEEE Transactions on Information Forensics and Security | 2016

Opportunistic Piggyback Marking for IP Traceback

Long Cheng; Dinil Mon Divakaran; Wee Yong Lim; Vrizlynn L. L. Thing

IP traceback is a solution for attributing cyber attacks, and it is also useful for accounting user traffic and network diagnosis. Marking-based traceback (MBT) has been considered a promising traceback approach, and has received considerable attention. However, we find that the traceback message delivery problem in MBT, which is important to the successful completion of a traceback, has not been adequately studied in the literature. To address this issue, we present the design, analysis, and evaluation of opportunistic piggyback marking (OPM) for IP traceback in this paper. The OPM distinguishes itself from the existing works by decoupling the traceback message content encoding and delivery functions in MBT, and efficiently achieves expedited and robust traceback message delivery by exploiting piggyback marking opportunities. Based on the proposed OPM scheme, we then present the flexible marking-based traceback framework, which is a novel design paradigm for IP traceback and has several favorable features for practical deployment of IP traceback. Through the numerical analysis and the comprehensive simulation evaluations, we demonstrate that our design effectively reduces the traceback completion delay and router processing overhead, and increases the message delivery ratio compared with other baseline approaches.


International Journal of Security and Networks | 2017

Insider threat detection and its future directions

Li Ling Ko; Dinil Mon Divakaran; Yung Siang Liau; Vrizlynn L. L. Thing

The ability to detect insider threats is important for many organisations. However, the field of insider threat detection is not well understood. In this paper, we survey existing insider threat detection mechanisms to provide a better understanding of the field. We identify and categorise insider behaviours into four classes - biometric behaviours, cyber behaviours, communication behaviours, and psychosocial behaviours. Each class is further comprised of several independent research fields of anomaly detection. Our survey reveals that there is significant scope for further research in many of those research fields, with many machine learning algorithms and features that have not been explored. We identify and summarise the unexplored areas as future directions.


Computer Networks | 2017

REX: Resilient and efficient data structure for tracking network flows

Dinil Mon Divakaran; Li Ling Ko; Le Su; Vrizlynn L. L. Thing

One of the important tasks for most network security solutions is to track network flows in real-time. The universe of flow identifiers being huge, hash tables with their fast operations are well suited for this task. In order to overcome the limitations of traditional hash tables, the research community have come up with different improved variants; two of the well-knowns being Cuckoo and Peacock hash tables. Yet, network flows have interesting characteristics that can be exploited for tracking flows more efficiently. Besides, the existing hash tables are vulnerable to attacks. In this context, we design, develop and evaluate REX, a resilient and efficient data structure for tracking of network flows. REX is designed to make good use of, both, the characteristics of Internet traffic, as well as the different memory technologies. REX stores most commonly updated flows in the faster and smaller SRAM, while storing the rest in DRAM. We conducted extensive experiments using real network traffic to evaluate and compare REX, Cuckoo and Peacock hash tables. The results demonstrate, under both normal and attack scenarios, that REX not only rejects the least number of packets, but also significantly reduces the total time taken for the important hash table operations.


Digital Investigation | 2017

Evidence gathering for network security and forensics

Dinil Mon Divakaran; Kar Wai Fok; Ido Nevat; Vrizlynn L. L. Thing


International Conference on Service Operations and Logistics, and Informatics | 2018

Predicting vulnerability discovery rate using past versions of a software

Fok Kar Wai; Lim Wee Yong; Dinil Mon Divakaran; Vrizlynn L. L. Thing


IEEE/ACM Transactions on Networking | 2018

Anomaly Detection and Attribution in Networks With Temporally Correlated Traffic

Ido Nevat; Dinil Mon Divakaran; Sai Ganesh Nagarajan; Pengfei Zhang; Le Su; Li Ling Ko; Vrizlynn L. L. Thing


2018 IEEE 4th International Conference on Identity, Security, and Behavior Analysis (ISBA) | 2018

Privacy preserving IP traceback

Le Su; Dinil Mon Divakaran; Vrizlynn L. L. Thing


IEEE Region 10 Conference | 2017

Augmenting MulVAL with automated extraction of vulnerabilities descriptions

James Tan Wee Jing; Lim Wee Yong; Dinil Mon Divakaran; Vrizlynn L. L. Thing

Collaboration


Dive into Dinil Mon Divakaran's collaboration.

Top Co-Authors

Le Su

Agency for Science

Aloysius Wooi Kiak Ang

National University of Singapore

Ido Nevat

Commonwealth Scientific and Industrial Research Organisation
