Publication


Featured research published by Eduardo Rocha.


international conference on communications | 2011

Detection of Illicit Network Activities Based on Multivariate Gaussian Fitting of Multi-Scale Traffic Characteristics

Eduardo Rocha; Paulo Salvador; António Nogueira

Methodologies that are able to accurately identify Internet attacks and intrusions are becoming vital to assure secure on-line communications. Such methodologies must be able to act under strict confidentiality restrictions, such as traffic encryption, which are increasingly used in current communication environments. Proposed approaches must be able to analyze the traffic profiles in order to determine if the network is under a security attack or not. In this paper, we propose an approach that was designed to cope with the previously mentioned restrictions and is able to perform a pseudo real-time identification of illicit traffic: by passively analyzing some statistical properties of captured IP traffic, the methodology calculates and analyses the multi-scale properties of each traffic flow in order to infer multi-dimensional probability distributions for each one of studied protocols, allowing the analysis of the correlation between the values of several dimensions. By doing this, more exact approximations are inferred, enabling the assignment of unknown traffic to the corresponding protocol and the identification of illicit flows. The results obtained prove that the proposed technique can accurately classify Internet traffic and identify illicit flows on a quasi real-time basis. Besides, the fact that the analysis is performed over statistics that were collected for each traffic flow makes it suitable for scenarios where the packet payload is not accessible.


international conference on communications | 2013

Using multiscale traffic analysis to detect WPS attacks

Ivo Petiz; Eduardo Rocha; Paulo Salvador; António Nogueira

The worldwide adoption of the IEEE 802.11 standard as the solution to provide efficient network coverage with high data-rates raised several security concerns. In a first stage, Wired Equivalent Privacy (WEP) was used to protect wireless networks from intrusions, whose main motivations ranged from simply getting free Internet access to the perpetration of complex attacks in order to retrieve confidential information. However, due to multiple technical flaws, this approach was not sufficient, leading to the emergence of the Wi-Fi Protected Access (WPA) and WPA2 technologies, which provided more secure mechanisms at the cost of requiring more complicated configuration tasks. In order to create a simple configuration interface, the Wi-Fi Alliance proposed a simple configuration approach: the Wi-Fi Protected Setup (WPS), which is used by major network products manufacturers and provides a much easier configuration setup, although in a less efficient security environment. Actually, this implementation is vulnerable to brute force attacks, which are very quick to execute, have little complexity and are difficult to detect. After cracking WPS, attackers can access WPA/WPA2 login information and illicitly connect to the target wireless network. There are several technical requirements and legal constraints that limit access to the contents of wireless frames, thus preventing their deep analysis. This paper presents a method to detect attacks over WPA-enabled routers with Wi-Fi Protected Setup, based only on the amount of generated traffic. The detection methodology uses a monitoring station that exclusively analyzes traffic flows from the router: by monitoring traffic and using a multiscale analysis procedure, the approach is able to accurately identify each intrusion attempt.


international telecommunications network strategy and planning symposium | 2014

Detecting DDoS attacks at the source using multiscaling analysis

Ivo Petiz; Paulo Salvador; António Nogueira; Eduardo Rocha

The proliferation of Distributed Denial of Service (DDoS) attacks is a constant threat to business and individuals. Existing systems proved to be inefficient when deploying counter-measures at the target of the attacks. In fact, efficient counteractions should be applied at the networks that contain the sources of the attack. However, the detection of such type of attacks at the source is extremely difficult. In this work, we propose a novel and more efficient methodology to detect DDoS attacks at the source that relies on the inherent periodicity of the traffic generated by DDoS attack sources. Detecting and quantifying the traffic periodic components using multiscaling traffic analysis based on wavelet scalograms allows an efficient detection of DDoS attacks at the source, even when the attacks are performed using encrypted channels or are embedded within licit traffic.


international symposium on computers and communications | 2014

A Facebook event collector framework for profile monitoring purposes

Hugo Fonseca; Eduardo Rocha; Paulo Salvador; António Nogueira; Diogo Gomes

Social networks have recently emerged to become vital tools for information and content dissemination among connections. Indeed, the immense increase of the number of users of Facebook made it rise to become the largest existing social network with more than 1.2 billion active users. However, these numbers also raised the attention of hackers and attackers who aim at propagating malware and viruses for obtaining confidential information regarding social network users. In this manner, it is crucial that each Facebook user is able to easily access, control and analyse the information shared on the corresponding profile so that profile usage deviations can be more efficiently detected. However, despite the fact that Facebook allows an analysis of all user actions through the Timeline Review, this information is not comprehensively organized and there is no statistical analysis of the user generated data. In this paper, we propose a novel framework comprising a Facebook event collector, which by being provided with an authentication token for a user profile obtained through a Facebook application developed for this purpose, collects all the corresponding posted information and stores it in a relational database for a posteriori analysis. Through the graphical interface of the developed application, users can access all stored information in a comprehensible manner, according to the type of event, thus facilitating the analysis of the users' behaviour. By storing each event with the corresponding timestamp, we are able to perform an efficient and comprehensive analysis of all posted contents and compute statistical models over the obtained data. In this manner, we can create a notion of normal usage profile and detect possible deviations which may be indicative of a compromised user account.


international conference on communications | 2013

Implementing and evaluating improved MAC efficiency through payload extension in 802.11n networks

Eduardo Rocha; Daniel Corujo; Rui L. Aguiar

Currently, the default size of Internet packets is set at a legacy value of 1500 bytes, since Ethernet was the dominant connection technology. Increasing this size, and thus using larger frames, brings several advantages such as less header overhead and CPU processing. However, the transmission of larger frames also raises several issues impacting data transmission, such as packet loss. With the increase in performance gained from recent wireless technology advances, solutions, such as Frame Aggregation, begin to exploit this increased bandwidth. However, the legacy value is still the dominant one. This paper evaluates the feasibility of increasing the Maximum Transfer Unit for a more efficient data transfer and bandwidth consumption in wireless 802.11n networks. We focus particularly on the experimental implementation and evaluation of the usage of Jumbo-Frames between an Access Point and the connected nodes, featuring a modified kernel that allows the usage of larger payloads, via enhancements to the existing wireless kernel modules. Network performance parameters including bandwidth usage, delay and packet losses are used to assess the benefits and drawbacks of the usage of Jumbo Frames in the wireless medium. Obtained results show that a more efficient medium usage can be achieved by increasing the payload size, when compared with standardized aggregation mechanisms. In addition, the measured packet losses decrease due to a considerable reduction in the number of packets sent for the same bandwidth consumption. To conclude, we perform an evaluation of the proposed enhancement in wireless video streaming scenarios and evaluate the performance gains that such module enables.


next generation internet | 2009

Discriminating Internet Applications based on Multiscale Analysis

Eduardo Rocha; Paulo Salvador; António Nogueira

In the last few years, several new IP applications and protocols emerged as the capability of the networks to provide new services increased. The rapid increase in the number of users of Peer-to-Peer (P2P) network applications, due to the fact that users are easily able to use network resources over these overlay networks, also led to a drastic increase in the overall Internet traffic volume. An accurate mapping of Internet traffic to applications can be important for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance/failure monitoring and security. Traditional mapping approaches have become increasingly inaccurate because many applications use non-default or ephemeral port numbers, use well-known port numbers associated with other applications, change application signatures or use traffic encryption. This paper presents a novel framework for identifying IP applications based on the multiscale behavior of the generated traffic: by performing clustering analysis over the multiscale parameters that are inferred from the measured traffic, we are able to efficiently differentiate different IP applications. Besides achieving accurate identification results, this approach also avoids some of the limitations of existing identification techniques, namely their inability to deal with stringent confidentiality requirements.


international conference on mobile networks and management | 2011

Classification of Hidden Users’ Profiles in Wireless Communications

Eduardo Rocha; Paulo Salvador; António Nogueira

The Internet can be seen as a mix of several services and applications running on top of common protocols. The emergence of several web-applications changed the users’ interaction paradigm by placing them in a more active role allowing them to share photos, videos and much more. The analysis of the profile of each user, both in wired and wireless networks, becomes very interesting for tasks such as network resources optimization, service personalization and security. In this paper, we propose a promiscuous wireless passive monitoring classification approach that can accurately create users’ profiles in terms of the used web-applications and does not require authentication with the wireless Access Point. By extracting appropriate layer 2 traffic metrics, performing a Wavelet Decomposition and analyzing the obtained scalograms, it is possible to analyze the traffic’s time and frequency components. An appropriate communication profile can then be defined in order to describe this frequency spectrum which is characteristic to each web-based application. Consequently, it is possible to identify the applications that are being used by the different connected clients and build user-profiles. Wireless traffic generated by several connected clients running some of the most significant web-based applications was captured and analyzed and the obtained results show that it is possible to obtain an accurate application traffic mapping and an accurate user profiling.


Telecommunication Systems | 2011

Can multiscale traffic analysis be used to differentiate Internet applications

Eduardo Rocha; Paulo Salvador; António Nogueira

An accurate mapping of Internet traffic to applications can be important for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance/failure monitoring and security. Traditional mapping approaches have become increasingly inaccurate because many applications use non-default or ephemeral port numbers, use well-known port numbers associated with other applications, change application signatures or use traffic encryption. In this paper we will demonstrate that multiscale traffic analysis based on multi-order wavelet spectrum can be used as a discriminator of Internet applications traffic profiles. By performing clustering analysis over the multiscale wavelet spectrum coefficients that are inferred from the measured traffic, the proposed methodology is able to efficiently differentiate different IP applications without using any payload information. This characteristic will allow the differentiation of traffic flows in unencrypted and encrypted scenarios. In order to compare the differentiating potential of different traffic application data, upload, download and joint upload and download flow statistics are considered to evaluate the identification approach for each selected protocol. Moreover, we also evaluate which timescales and spectrum orders are more relevant for the traffic differentiation. From the analysis of the obtained results we can conclude that the proposed methodology is able to achieve good identification results using a small set of timescales of a single order wavelet spectrum of a general raw traffic statistic.


Procedia Technology | 2012

Statistical Characterization of the Botnets C&C Traffic

Pedro Correia; Eduardo Rocha; António Nogueira; Paulo Salvador


international conference on software, telecommunications and computer networks | 2009

Detection of illicit traffic based on multiscale analysis

Eduardo Rocha; Paulo Salvador; António Nogueira
