Mario Di Mauro
University of Salerno
Publication
Featured research published by Mario Di Mauro.
International Carnahan Conference on Security Technology | 2014
Mario Di Mauro; Cesario Di Sarno
Nowadays, Internet Service Providers have to keep track of, and in some cases analyze for legal reasons, a great amount of Internet data. Real-time big data processing and analysis introduce new challenges that must be addressed by system engineers, because: 1) traditional database technologies are not designed to process a huge amount of data in real time; 2) classic machine learning algorithms implemented by widely adopted tools such as Weka or R are not designed to perform "on the fly" analysis on streamed data. In this paper the authors propose an architecture that makes real-time big data processing and analysis possible. The proposed architecture is based on two main components: a stream processing engine, Apache Storm, and a framework, Yahoo SAMOA, that performs data analysis through distributed streaming machine learning algorithms. Our architecture is tested for Skype traffic recognition within network traffic generated in a streamed way by several personal computers. Experimental results have shown the effectiveness of the proposed solution.
International Carnahan Conference on Security Technology | 2014
Mario Di Mauro; Maurizio Longo
The classification of data sessions on the Internet is a crucial issue for Authorities involved in lawful interception. Some Internet Service Providers (ISPs) can provide a panel of IP nodes that, tuned to detect specific data patterns, send an alert when a data session in a targeted class is found. Unfortunately, several applications generate a bulk of IP traffic that is not characterized by a recognizable sequence of information segments, except, maybe, for some short phases such as setup and release. Whenever such phases are not intercepted, no specific pattern in the IP traffic can help toward semantic recognition, and hence statistical pattern recognition must be used instead. This is actually the case of Skype, the popular application for VoIP communications. In this paper we propose and evaluate a decision-theory-based system that recognizes Skype traffic with the help of an open-source machine learning tool: Weka.
IEEE Transactions on Information Forensics and Security | 2017
Vincenzo Matta; Mario Di Mauro; Maurizio Longo
Distributed Denial-of-Service (DDoS) attacks are usually launched through a botnet, an "army" of compromised nodes hidden in the network. Inferential tools for DDoS mitigation should accordingly enable an early and reliable discrimination of the normal users from the compromised ones. Unfortunately, the recent emergence of attacks performed at the application layer has multiplied the number of possibilities that a botnet can exploit to conceal its malicious activities. New challenges arise, which cannot be addressed by simply borrowing the tools that have been successfully applied so far to earlier DDoS paradigms. In this paper, we offer three main contributions: 1) we introduce an abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment; 2) we devise an inference algorithm that is shown to provide a consistent (i.e., converging to the true solution as time elapses) estimate of the botnet possibly hidden in the network; and 3) we verify the validity of the proposed inferential strategy on a test-bed environment. Our tests show that, for several implementation scenarios, the proposed botnet identification algorithm needs an observation time in the order of (or even less than) 1 min to correctly identify almost all bots, without affecting the normal users' activity.
European Signal Processing Conference | 2016
Vincenzo Matta; Mario Di Mauro; Maurizio Longo
Recent variants of Distributed Denial-of-Service (DDoS) attacks leverage the flexibility of application-layer protocols to disguise malicious activities as normal traffic patterns, while concurrently overwhelming the target destination with a large request rate. New countermeasures are necessary, aimed at guaranteeing an early and reliable identification of the compromised network nodes (the botnet). In this work we introduce a formal model for the aforementioned class of attacks, and we devise an inference algorithm that estimates the botnet hidden in the network, converging to the true solution as time progresses. Notably, the analysis is validated over real network traces.
International Conference on Security and Cryptography | 2015
Mario Di Mauro; Maurizio Longo
The detection of encrypted real-time traffic, both streaming and conversational, is an increasingly important issue for agencies in charge of lawful interception. Aside from well-established technologies used in real-time communication (e.g. Skype, Facetime, Lync etc.), a new one has recently been spreading: Web Real-Time Communication (WebRTC), which, with the support of a robust encryption method such as DTLS, offers capabilities for encrypted voice and video without the need to install a specific application, using instead a common browser like Chrome, Firefox or Opera. Encrypted WebRTC traffic cannot be recognized through methods of semantic recognition, since it does not exhibit a discernible sequence of information pieces, and hence statistical recognition methods are called for. In this paper we propose and evaluate a decision-theory-based system that recognizes encrypted WebRTC traffic by means of an open-source machine learning environment: Weka. Moreover, a reasoned comparison among some of the most credited algorithms in the field of decision systems (J48, Simple Cart, Naïve Bayes, Random Forests) has been carried out, indicating the superior performance of Random Forests.
International Conference on Intelligence in Next Generation Networks | 2015
Mario Di Mauro; Maurizio Longo
The detection of encrypted streamed traffic (like VoIP or video) is an increasingly important issue for authorities involved in lawful interception. Aside from well-established technologies like Skype, Facetime and MSN Messenger, a new one has recently been spreading: Web Real-Time Communication (WebRTC), which, with the support of powerful encryption methods such as DTLS, offers capabilities for encrypted streaming voice and video without the need to install a specific application, using instead a common browser like Chrome, Firefox or Opera. WebRTC traffic cannot be detected through methods of semantic recognition, since it does not exhibit a distinguishable sequence of information pieces, and hence statistical recognition methods are called for. In this paper we propose and evaluate a decision-theory-based system that recognizes encrypted WebRTC traffic by means of an open-source machine learning environment: Weka.
Workshop on Information Security Applications | 2018
Mario Di Mauro; Cesario Di Sarno
Nowadays, Security Information and Event Management (SIEM) systems take on great relevance in handling security issues for critical infrastructures such as Internet Service Providers. Basically, a SIEM has two main functions: i) the collection and aggregation of log data and security information from disparate network devices (routers, firewalls, intrusion detection systems, ad hoc probes and others), and ii) the analysis of the gathered data by implementing a set of correlation rules aimed at detecting potentially suspicious events, such as the presence of encrypted real-time traffic. In the present work, the authors propose an enhanced implementation of a SIEM where a particular focus is given to the detection of encrypted Skype traffic by using an ad-hoc developed enhanced probe (ESkyPRO), conveniently governed by the SIEM itself. This enhanced probe, which interacts with an agent counterpart deployed on the SIEM platform, is designed by exploiting machine learning concepts. The main purpose of the proposed ad-hoc SIEM is to correlate the information received from ESkyPRO with other types of data obtained from an Intrusion Detection System (IDS) probe, in order to make the detection of encrypted Skype traffic as accurate as possible.
IEEE International Conference on Cloud Computing Technology and Science | 2017
Giuliana Carullo; Mario Di Mauro; Michele Galderisi; Maurizio Longo; F. Postiglione; Marco Tambasco
Object Storage Systems (OSSs) have been conceived to manage large volumes of highly unstructured data (videos, images, social resources etc.) by storing them in the form of objects accessible via REST APIs. An interesting implementation of an OSS is based on Swift, a component of OpenStack, the most important platform used to deploy the Infrastructure as a Service (IaaS) paradigm. The present work aims at characterizing a Swift-based OSS from the availability point of view, namely at finding the best configuration able to guarantee the so-called "five nines" availability requirement, which allows a maximum system downtime of a little more than five minutes per year. The availability analysis is carried out using the Stochastic Reward Nets (SRNs) formalism, which accounts for the probabilistic behavior of the underlying structure of the Object Storage System. More specifically, the OSS availability has been assessed by performing a steady-state analysis, whereas a sensitivity analysis has been carried out to evaluate the robustness of the overall system with respect to variations of some key parameters.
Communications in Computer and Information Science | 2017
Mario Di Mauro; Maurizio Longo; F. Postiglione; Marco Tambasco
Network Function Virtualization (NFV) has been conceived as an enabler of novel network infrastructures and services that can be deployed by combining virtualized network elements. In particular, NFV is suited to boost the deployment flexibility of Service Function Chains (SFCs). In this paper, we address an availability evaluation of a chain of network nodes implementing an SFC managed by the Virtualized Infrastructure Manager (VIM), which is responsible for handling and controlling the system resources. A double-layer model is adopted, where a Reliability Block Diagram describes the high-level dependencies among the architecture components, and Stochastic Reward Networks model the probabilistic behavior of each component. In particular, a steady-state availability analysis is carried out to characterize the minimal configuration of the overall system guaranteeing the so-called "five nines" requirement, along with a sensitivity analysis to evaluate the system robustness with respect to variations of some key parameters.
International Conference on Innovations in Information Technology | 2014
P. Addesso; Mario Di Mauro; Roberto Garufi; Maurizio Longo
Mobile devices are an attractive target for network threats, due to their wide connectivity, which exposes them to various kinds of attacks. Besides specific security applications like mobile antiviruses installed on the devices, countermeasures can also be taken at the network operator side, where much larger computational power as well as management information are available. We dwell on possible improvements of threat detection systems which may result from integrating several pieces of information, collected in different zones, in order to reduce the false alarm and missed detection rates with respect to a single detector. In our proposal, each node involved in the system implements a threat detection based on the information it collects. The local decisions are then gathered by a Fusion Center in charge of the final decision. Three different fusion strategies are compared, both in the case of uncorrelated and of correlated local detectors: (i) an optimal one based on the MAP rule; (ii) a majority voting rule, which has the merit of simplicity and turns out to achieve reasonable performance in the special case of independent detectors with comparable accuracies; (iii) an adaptive linear combiner followed by a hard limiter.