Publication


Featured research published by Keisuke Ishibashi.


ACM Special Interest Group on Data Communication | 2005

Detecting mass-mailing worm infected hosts by mining DNS traffic data

Keisuke Ishibashi; Tsuyoshi Toyono; Katsuyasu Toyama; Masahiro Ishino; Haruhiko Ohshima; Ichiro Mizukoshi

The Domain Name System (DNS) is a critical infrastructure in the Internet; thus, monitoring its traffic, and protecting DNS from malicious activities are important for security in cyberspace. However, it is often difficult to determine whether a DNS query is caused by malicious or normal activity, because information available in DNS traffic is limited. We focus on the activities of mass-mailing worms and propose a method to detect hosts infected by mass-mailing worms by mining DNS traffic data. Our method begins with a small amount of a priori knowledge about a signature query. By assuming that queries sent by most hosts that have sent the signature query of worms have been sent by worm behavior, we detect infected hosts using Bayesian estimation. We apply our method to DNS traffic data captured at one of the largest commercial Internet Service Providers in Japan, and the experimental result indicates that an 89% reduction of mail exchange queries can be achieved with the method.


International Conference on Computer Communications | 2003

A scalable and lightweight QoS monitoring technique combining passive and active approaches

Masaki Aida; Naoto Miyoshi; Keisuke Ishibashi

To make a scalable and lightweight QoS monitoring system, we have proposed a new QoS monitoring technique, change-of-measure based passive/active monitoring (CoMPACT monitor), which is based on a change-of-measure framework and is an active measurement transformed by using passively monitored data. This technique enables us to measure detailed QoS information for individual users, applications, and organizations, in a scalable and lightweight manner. In this paper, we present the mathematical foundation of CoMPACT monitor. In addition, we show its characteristics through simulations in terms of typical implementation issues for inferring the delay distributions. The results show that CoMPACT monitor gives accurate QoS estimations with only a small amount of extra traffic for active measurement.


International Conference on Computer Communications | 2014

Spatio-temporal factorization of log data for understanding network events

Tatsuaki Kimura; Keisuke Ishibashi; Tatsuya Mori; Hiroshi Sawada; Tsuyoshi Toyono; Ken Nishimatsu; Akio Watanabe; Akihiro Shimoda; Kohei Shiomoto

Understanding the impacts and patterns of network events such as link flaps or hardware errors is crucial for diagnosing network anomalies. In large production networks, analyzing the log messages that record network events has become a challenging task due to the following two reasons. First, the log messages are composed of unstructured text messages generated by vendor-specific rules. Second, network equipment such as routers, switches, and RADIUS servers generate various log messages induced by network events that span across several geographical locations, network layers, protocols, and services. In this paper, we have tackled these obstacles by building two novel techniques: statistical template extraction (STE) and log tensor factorization (LTF). STE leverages a statistical clustering technique to automatically extract primary templates from unstructured log messages. LTF aims to build a statistical model that captures spatial-temporal patterns of log messages. Such spatial-temporal patterns provide useful insights into understanding the impacts and root cause of hidden network events. This paper first formulates our problem in a mathematical way. We then validate our techniques using a massive amount of network log messages collected from a large operating network. We also demonstrate several case studies that validate the usefulness of our technique.


Computer Communications | 2004

Active/passive combination-type performance measurement method using change-of-measure framework

Keisuke Ishibashi; Toshiyuki Kanazawa; Masaki Aida; Hiroshi Ishii

We propose a new method of performance measurement called the Change-of-Measure Based Passive/Active Monitoring (CoMPACT Monitor), in which estimates of the actual performance seen by users are obtained based on both active and passive measurement data. With this method, the performance experienced by an individual user, organization or application can be estimated from the results of scalable and lightweight measurements. The basic idea of our method is to weight the measurement value of an active-probe packet according to the number of user packets arriving near the active-probe packet. The number of user packets is measured passively. We give a mathematical background that supports the concept of the change-of-measure framework and propose an implementation of the method. Through simulation, we verify that the user performance can be estimated with a high degree of accuracy when the measurement interval is shorter than the mean burst duration. We also examine the accuracy of the method with respect to both the measurement interval and the number of probe packets and show that the accuracy itself can be roughly estimated by using the measured values.


Conference on Network and Service Management | 2015

Proactive failure detection learning generation patterns of large-scale network logs

Tatsuaki Kimura; Akio Watanabe; Tsuyoshi Toyono; Keisuke Ishibashi

With the growth of services in IP networks, network operators are required to perform proactive operation that quickly detects the signs of critical failures and prevents future problems. Network log data, including router syslog, are rich sources for such operations. However, it has become impossible to find genuinely important logs that lead to serious problems due to the large volume and complexity of log data. We propose a log analysis system for proactive detection of failures. Our key observation is that the abnormality of logs depends on not just the keywords in the messages (e.g. ERROR, FAIL), but generation patterns such as burstiness. Our system consists of three functions: (i) extracting log templates automatically and quickly from a massive amount of unstructured log data; (ii) constructing log feature vectors to characterize the generation patterns of logs; and (iii) using a supervised machine learning approach to associate failures with the log data that appeared before them. We validated our system using real log data collected from a large network and determined its effectiveness.


2007 IEEE Global Internet Symposium | 2007

Effect of sampling rate and monitoring granularity on anomaly detectability

Keisuke Ishibashi; Ryoichi Kawahara; Mori Tatsuya; Tsuyoshi Kondoh; Shoichiro Asano

In this paper, we quantitatively evaluate how sampling decreases the detectability of anomalous traffic. We build equations to calculate the false positive ratio (FPR) and false negative ratio (FNR) for given values of the sampling rate, statistics of normal traffic, and volume of anomalies to be detected. We show that by changing the measurement granularity, we can detect anomalies even with a low sampling rate and give the equation to derive optimal granularity by using the relationship between the mean and variance of aggregated flows. With those equations, we can answer the practical questions that arise in actual network operations: what sampling rate to set in order to find the given volume of anomaly, or, if the sampling is too high for actual operation, then what granularity is optimal to find the anomaly for a given lower limit of sampling rate.


Symposium on Applications and the Internet | 2002

CoMPACT-Monitor: change-of-measure based passive/active monitoring weighted active sampling scheme to infer QoS

Masaki Aida; Keisuke Ishibashi; Toshiyuki Kanazawa

The paper proposes a novel performance measurement scheme for the Internet which can infer performance and/or quality experienced by an individual user, organization and application, via a scalable and lightweight measurement technique. The proposed scheme is based on a change-of-measure framework and is an active measurement transformed by using passively monitored data. We give the theoretical basis of the proposed scheme and show its typical implementations for inferring the delay distributions. The validation of the implementations of the proposed scheme is investigated through simulation with respect to both the accuracy of estimation and the amount of extra traffic added by active measurement.


Computer Communications | 2001

Traffic measurement and analysis in an ATM-based internet backbone

Ryoichi Kawahara; Keisuke Ishibashi; Toshiyuki Hirano; Hiroshi Saito; Hisaki Ohara; Daisuke Satoh; Shoichiro Asano; Jun Matsukata

This paper reports our measurements and analysis of traffic characteristics in an Internet backbone ATM network. In order to utilize network resources efficiently while satisfying the quality of service requirement, it is important to understand the traffic characteristics. We therefore monitored the traffic from the flow or application level to the cell level on a link between NTT's Open Computer Network (OCN) and the Science Information Network (SINET), which are two of the largest Internet backbone ATM-based networks in Japan. Using the monitored traffic, we also evaluated the performance of the aggregate traffic by real-time simulation. Results show that the performance (cell loss ratio) greatly depended not only on link utilization but also on the number of flows, flow size, and traffic composition in terms of applications. We also found that the degree of self-similarity in the Internet backbone was not large. In addition, we clarified that more statistical multiplexing gain could be obtained in the Internet backbone when more flows were multiplexed onto a link.


Symposium on Applications and the Internet | 2005

Measurement of DNS Traffic Caused by DDoS Attacks

Keisuke Ishibashi; Tsuyoshi Toyono; Hirotaka Matsuoka; Katsuyasu Toyama; Masahiro Ishino; Chika Yoshimura; Takehiro Ozaki; Yuichi Sakamoto; Ichiro Mizukoshi

We report the measurement results of Domain Name System (DNS) traffic during the periods of DDoS attacks against a Web server. The attack was caused by virus-infected machines. We monitored DNS query packets at DNS cache servers of a Japanese ISP, Open Computer Networks (OCN). We especially focused on those sent by the virus to find the IP address of the target web server. By analyzing the measurement results in detail, we found that the DNS configuration change of the authoritative DNS servers of the target site caused a significant increase in the number of queries. We also show how the DNS operators mitigated those queries by changing the configuration of DNS cache servers and authoritative servers.


International Journal of Network Management | 2011

Detection accuracy of network anomalies using sampled flow statistics

Ryoichi Kawahara; Keisuke Ishibashi; Tatsuya Mori; Noriaki Kamiyama; Shigeaki Harada; Haruhisa Hasegawa; Shoichiro Asano

We investigated the detection accuracy of network anomalies when using flow statistics obtained through packet sampling. Through a case study based on measurement data, we showed that network anomalies generating a large number of small flows, such as network scans or SYN flooding, become difficult to detect during packet sampling. We then developed an analytical model that enables us to quantitatively evaluate the effect of packet sampling and traffic conditions, such as anomalous traffic volume, on detection accuracy. We also investigated how the detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning monitored traffic into groups makes it possible to increase detection accuracy. We also developed a method of determining an appropriate number of partitioned groups, and we show its effectiveness.

Collaboration


Dive into Keisuke Ishibashi's collaboration.

Top Co-Authors

Masaki Aida

Tokyo Metropolitan University

Shoichiro Asano

National Institute of Informatics

Atsushi Kobayashi

University of Electro-Communications
