
Publication


Featured research published by Gregor Schaffrath.


IEEE Communications Surveys and Tutorials | 2010

An Overview of IP Flow-Based Intrusion Detection

Anna Sperotto; Gregor Schaffrath; Ramin Sadre; Cristian Morariu; Aiko Pras; Burkhard Stiller

Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and Denial of Service (DoS) attacks.


virtualized infrastructure systems and architectures | 2009

Network virtualization architecture: proposal and initial prototype

Gregor Schaffrath; Christoph Werle; Panagiotis Papadimitriou; Anja Feldmann; Roland Bless; Adam Greenhalgh; Andreas Wundsam; Mario Kind; Olaf Maennel; Laurent Mathy

The tussle between reliability and functionality of the Internet is firmly biased on the side of reliability. New enabling technologies fail to achieve traction across the majority of ISPs. We believe that the greatest challenge is not in finding solutions and improvements to the Internet's many problems, but in how to actually deploy those solutions and re-balance the tussle between reliability and functionality. Network virtualization provides a promising approach to enable the coexistence of innovation and reliability. We describe a network virtualization architecture as a technology for enabling Internet innovation. This architecture is motivated from both business and technical perspectives and comprises four main players. In order to gain insight about its viability, we also evaluate some of its components based on experimental results from a prototype implementation.


virtualized infrastructure systems and architectures | 2010

Competitive analysis for service migration in VNets

Marcin Bienkowski; Anja Feldmann; Dan Jurca; Wolfgang Kellerer; Gregor Schaffrath; Stefan Schmid; Joerg Widmer

Network virtualization promises a high flexibility by decoupling services from the underlying substrate network and allowing the virtual network to adapt to the needs of the service, e.g., by migrating servers or/and parts of the network. We study a system (e.g., a gaming application) where network virtualization is used to support thin client applications for mobile devices to improve their QoS. To deal with the dynamics of both the mobile clients as well as the ability to migrate services closer to the client location we advocate, in this paper, the use of competitive analysis. After identifying the parameters that characterize the cost-benefit tradeoff for this kind of application we propose an online migration strategy. The strength of the strategy is that it is robust with regards to any arbitrary request access pattern. In particular, it is close to the optimal offline algorithm that knows the access pattern in advance. In this paper we present both an optimal offline algorithm based on dynamic programming techniques to find the best migration paths for a given request sequence, and a O(μ log n)-competitive migration strategy MIG where μ is the ratio between maximal and minimal link capacity in the substrate network for a simplified model. This is almost optimal for small μ, as we also show that there are networks where no online algorithm can achieve a ratio below Ω(log n/log log n). In contrast, the optimal solution without migration can only achieve a competitive ratio that is linear in the network diameter. Our simulations indicate that the competitive ratio of MIG is robust to the network size, and that the ratio is small if the request dynamics are limited and the requests are correlated.


utility and cloud computing | 2012

Optimizing Long-Lived CloudNets with Migrations

Gregor Schaffrath; Stefan Schmid; Anja Feldmann

This paper attends to the problem of embedding flexibly specified virtual networks connecting cloud resources (e.g., storage or computation) on a given substrate (e.g., a data center, an ISP backbone, a router site, or a virtual provider network). We study a scenario where a substrate provider (or a potential intermediate broker or reseller) wants to optimize the embedding of these so-called CloudNets by migrating them to more suitable locations. For instance, such re-embeddings can be useful if the CloudNets were requested at short notice and initially placed heuristically. Subsequent optimizations can, e.g., reduce the peak resource loads in the network by spreading CloudNets across the infrastructure or save energy by moving CloudNets together and switching off unused components. We present the generic mathematical programming algorithm used in our CloudNet prototype to compute optimal embeddings. For example, this algorithm supports different objective functions (such as load minimization or energy conservation), arbitrary resource combinations and the mapping of multiple virtual nodes of a CloudNet to a single substrate node, cost-aware migrations, and it can deal with all link types that arise in practice (e.g., full-duplex or even wireless or wired broadcast links with multiple endpoints). Of course, such rigorous CloudNet optimizations are time consuming, and we report on the time complexities obtained from our experiments with our network virtualization prototype architecture. It turns out that optimizing CloudNets over moderate-sized infrastructures is feasible, even for scenarios with high flexibility and without tuning the solver software to speed up computations further.


principles systems and applications of ip telecommunications | 2011

Online strategies for intra and inter provider service migration in virtual networks

Dushyant Arora; Marcin Bienkowski; Anja Feldmann; Gregor Schaffrath; Stefan Schmid

Network virtualization allows one to build dynamic distributed systems in which resources can be dynamically allocated at locations where they are most useful. In order to fully exploit the benefits of this new technology, protocols need to be devised which react efficiently to changes in the demand. This paper argues that the field of online algorithms and competitive analysis provides useful tools to deal with and reason about the uncertainty in the request dynamics, and to design algorithms with provable performance guarantees. As a case study, we describe a system (e.g., a gaming application) where network virtualization is used to support thin client applications for mobile devices to improve their Quality-of-Service (QoS). By decoupling the service from the underlying resource infrastructure, it can be migrated closer to the current client locations while taking into account migration cost. This paper identifies the major cost factors in such a system, and formalizes the corresponding optimization problem. Both randomized and deterministic, gravity center based online algorithms are presented which achieve a good tradeoff between improved QoS and migration cost in the worst-case, both for service migration within an infrastructure provider as well as for networks supporting cross-provider migration. We report on our simulation results and also present an explicit construction of an optimal offline algorithm which can be used, e.g., to evaluate the competitive ratio empirically.


IEEE ACM Transactions on Networking | 2014

The Wide-Area Virtual Service Migration Problem: A Competitive Analysis Approach

Marcin Bienkowski; Anja Feldmann; Johannes Grassler; Gregor Schaffrath; Stefan Schmid

Today's trend toward network virtualization and software-defined networking enables flexible new distributed systems where resources can be dynamically allocated and migrated to locations where they are most useful. This paper proposes a competitive analysis approach to design and reason about online algorithms that find a good tradeoff between the benefits and costs of a migratable service. A competitive online algorithm provides worst-case performance guarantees under any demand dynamics, and without any information or statistical assumptions on the demand in the future. This is attractive especially in scenarios where the demand is hard to predict and can be subject to unexpected events. As a case study, we describe a service (e.g., an SAP server or a gaming application) that uses network virtualization to improve the quality of service (QoS) experienced by thin client applications running on mobile devices. By decoupling the service from the underlying resource infrastructure, it can be migrated closer to the current client locations while taking into account migration costs. We identify the major cost factors in such a system and formalize the wide-area service migration problem. Our main contributions are a randomized and a deterministic online algorithm that achieve a competitive ratio of O(log n) in a simplified scenario, where n is the size of the substrate network. This is almost optimal. We complement our worst-case analysis with simulations in different specific scenarios and also sketch a migration demonstrator.


international conference on computer communications and networks | 2012

A Resource Description Language with Vagueness Support for Multi-Provider Cloud Networks

Gregor Schaffrath; Stefan Schmid; Ishan Vaishnavi; Ashiq Khan; Anja Feldmann

The concept of CloudNets, virtual networks connecting cloud resources, has recently attracted much interest from both academic as well as business sides. CloudNets can realize the vision of affordable customized infrastructures. In particular, such networks are expected to be offered even in federated environments with multiple providers. Inter-provider communication about requirements or provisioning of truly customized virtual environments, however, requires a powerful flexible resource description language (RDL). While extensibility and expressiveness seem to be natural requirements for such a language, we identify another less intuitive requirement affecting all actors (or stakeholders) in their economic benefits: the possibility to omit arbitrary specification details and to remain vague while at the same time describing real world scenarios. Not only may a description language ignoring this constraint easily become too bulky to use, it is also likely to force players to focus on details they are not interested in or lack the knowledge to map their actual requirements to. This paper identifies detailed requirements for an RDL to allow for topology and requirement communication in business scenarios. Furthermore, we present the FleRD flexible resource description language for multi-provider virtual network architectures. FleRD is fully incorporated in our own CloudNet prototype architecture.


autonomous infrastructure, management and security | 2008

Conceptual Integration of Flow-Based and Packet-Based Network Intrusion Detection

Gregor Schaffrath; Burkhard Stiller

Network-based Intrusion Detection Systems aim at the detection of malicious activities by an inspection of network traffic. Since network link speeds and traffic volume grew over the last years, payload-based analysis became difficult, leading to the development of alternative approaches for flow-based analysis. Although each approach alone suffers a set of drawbacks, a few experiments with hybrid approaches show potential for synergies. This work analyses these drawbacks in order to develop a conceptual framework for hybrid approaches, integrating the two concepts in a fashion to compensate for their respective weaknesses proposed.


Information Technology | 2013

A Federated CloudNet Architecture: The PIP and the VNP Role

Johannes Grassler; Gregor Schaffrath; Stefan Schmid

Abstract: We present a generic and flexible architecture to realize CloudNets: virtual networks connecting geographically distributed cloud resources (such as storage or CPU) with resource guarantees. Our architecture is federated and supports different (and maybe even competing) economical roles, by providing explicit negotiation and provisioning interfaces. Contract-based interactions and a resource description language that allows for aggregation and abstraction, preserve the different roles' autonomy without sacrificing flexibility. Moreover, since our CloudNet architecture is plugin based, essentially all cloud operating systems (e.g., OpenStack) or link technologies (e.g., VLANs, OpenFlow, VPLS) can be used within the framework. This paper describes two roles in more detail: The Physical Infrastructure Providers (PIP) which own the substrate network and resources, and the Virtual Network Providers (VNP) which can act as resource and CloudNet brokers and resellers. Both roles are fully implemented in our wide-area prototype that spans remote sites and resources.

Summary: We describe a generic and flexible architecture for realizing cloud networks (CloudNets for short). CloudNets are virtual networks that connect globally distributed cloud resources (with quality guarantees). Our architecture is federated and supports multiple (possibly even competing) economic players by offering explicit negotiation and administration interfaces. Contract-based interactions and a resource description language that permits aggregation and abstraction ensure the autonomy of the different roles without loss of flexibility. Thanks to its plugin-based design, the CloudNets architecture can be implemented with arbitrary cloud operating systems (e.g., OpenStack) and link technologies (e.g., VLANs, OpenFlow, VPLS). This article deals in particular with the following two roles: the Physical Infrastructure Provider (PIP), which owns and maintains the substrate and its resources, and the Virtual Network Provider (VNP), which can act as a resource or CloudNet broker. The VNP role can even be recursive. Both the PIP and the VNP roles are fully implemented in our wide-area prototype.


international conference of distributed computing and networking | 2012

Competitive and deterministic embeddings of virtual networks

Guy Even; Moti Medina; Gregor Schaffrath; Stefan Schmid

Collaboration



Top Co-Authors

Anja Feldmann

Technical University of Berlin

Christoph Werle

Karlsruhe Institute of Technology

Roland Bless

Karlsruhe Institute of Technology
