Maurizio Dusi
University of Brescia
Publication
Featured research published by Maurizio Dusi.
acm special interest group on data communication | 2007
Manuel Crotti; Maurizio Dusi; Francesco Gringoli; Luca Salgarelli
The classification of IP flows according to the application that generated them is at the basis of any modern network management platform. However, classical techniques such as the ones based on the analysis of transport layer or application layer information are rapidly becoming ineffective. In this paper we present a flow classification mechanism based on three simple properties of the captured IP packets: their size, inter-arrival time and arrival order. Even though these quantities have already been used in the past to define classification techniques, our contribution is based on new structures called protocol fingerprints, which express such quantities in a compact and efficient way, and on a simple classification algorithm based on normalized thresholds. Although at a very early stage of development, the proposed technique is showing promising preliminary results from the classification of a reduced set of protocols.
acm special interest group on data communication | 2009
Francesco Gringoli; Luca Salgarelli; Maurizio Dusi; Niccolo' Cascarano; Fulvio Giovanni Ottavio Risso; kc claffy
Much of Internet traffic modeling, firewall, and intrusion detection research requires traces where some ground truth regarding application and protocol is associated with each packet or flow. This paper presents the design, development and experimental evaluation of gt, an open source software toolset for associating ground truth information with Internet traffic traces. By probing the monitored hosts' kernels to obtain information on active Internet sessions, gt gathers ground truth at the application level. Preliminary experimental results show that gt's effectiveness comes at little cost in terms of overhead on the hosting machines. Furthermore, when coupled with other packet inspection mechanisms, gt can derive ground truth not only in terms of applications (e.g., e-mail), but also in terms of protocols (e.g., SMTP vs. POP3).
Computer Networks | 2009
Maurizio Dusi; Manuel Crotti; Francesco Gringoli; Luca Salgarelli
Application-layer tunnels nowadays represent a significant security threat for any network protected by firewalls and Application Layer Gateways. The encapsulation of protocols subject to security policies such as peer-to-peer, e-mail, chat and others into protocols that are deemed safe or necessary, such as HTTP, SSH or even DNS, can bypass any network-boundary security policy, even those based on stateful packet inspection. In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. Results from experiments conducted on a live network suggest that the technique can be very effective, even when the application-layer protocol used as a tunnel is encrypted, such as in the case of SSH.
international conference on communications | 2007
Manuel Crotti; Maurizio Dusi; Francesco Gringoli; Luca Salgarelli
Application level gateways and firewalls are commonly used to enforce security policies at network boundaries, especially in large-sized business networks. However, several mechanisms can be used to circumvent these policies and bypass the whole security infrastructure: for example, tunneling an (otherwise blocked) application layer protocol into another one allowed by the policy, such as HTTP. In this paper we propose the application of a statistically-based traffic classification technique to solve this problem. By the analysis of inter-arrival time, size and order of the packets crossing a gateway, we show that it is possible to detect with high accuracy whether an observed flow is carrying a legitimate HTTP session, or the flow is being used to tunnel another protocol. This paper describes how this technique can be used effectively to enhance application level gateways and firewalls, helping to better apply network security policies.
international conference on communications | 2008
Maurizio Dusi; Manuel Crotti; Francesco Gringoli; Luca Salgarelli
The use of covert application-layer tunnels to bypass security gateways has become quite popular in recent years. By encapsulating blocked or controlled protocols such as peer-to-peer, chat and e-mail into others allowed by the security policies, such as HTTP, SSH or even DNS, both legitimate and malicious users can effectively neutralize many security restrictions enforced at the network edge. Traditional firewalling techniques, based on Application Layer Gateways and even pattern-matching mechanisms, are becoming practically useless as tunneling tools grow more sophisticated. In this paper we propose an effective solution to this problem based on a statistical traffic classification technique. Our mechanism relies on the creation of a statistical fingerprint of legitimate usage of a given protocol, such as regular remote interactive logins or secure copying activities. Such a fingerprint can then be used to detect with high accuracy non-legitimate sessions, i.e., sessions that tunnel other protocols. Results from experiments conducted on a live network suggest that the technique can be very effective, even when the application-layer protocol used as a tunnel is encrypted, such as in the case of SSH.
international conference on communications | 2009
Maurizio Dusi; Alice Este; Francesco Gringoli; Luca Salgarelli
When employing cryptographic tunnels such as the ones provided by Secure Shell (SSH) to protect their privacy on the Internet, users expect two forms of protection. First, they aim at preserving the privacy of their data. Second, they expect that their behavior, e.g., the type of applications they use, also remains private. In this paper we report on two statistical traffic analysis techniques that can be used to break the second type of protection when applied to SSH tunnels, at least under some restrictive hypotheses. Experimental results show how current implementations of SSH can be susceptible to this type of analysis, and illustrate the effectiveness of our two classifiers both in terms of their capabilities in analyzing encrypted traffic and in terms of their relative computational complexity.
Computer Networks | 2011
Maurizio Dusi; Francesco Gringoli; Luca Salgarelli
Ground truth information for Internet traffic traces is often derived by means of port analysis and payload inspection (Deep Packet Inspection - DPI). In this paper we analyze the errors that DPI and port analysis commit when assigning protocol labels to traffic traces. We compare the ground truth provided by these approaches with that derived by gt, a tool that we developed, which provides error-free ground truth at the application level by construction. Experimental results demonstrate that, depending on the protocols composing a trace, ground truth information from port analysis and DPI can be incorrect for up to 91% and 26% of the labeled bytes, respectively.
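The two ground-truth abstracts above (gt, 2009, and the DPI/port-analysis error study, 2011) both rest on the same idea: ask the monitored host's kernel which process owns each socket, and use that as the application-level label that port heuristics and DPI are then measured against. The following is an added illustration of that approach, not gt's code and not a description of how gt is implemented: it parses the Linux /proc/net/tcp socket table, resolves socket inodes to process names by walking /proc/<pid>/fd on a live host, and labels each session. The socket table text, the inode-to-process map, and the process names used in the demo are constructed sample data. Port 443 carrying a "firefox" socket and port 25 carrying a "thunderbird" socket illustrate why the application label comes from the host, not from the port number.

```python
"""Host-side ground truth: map kernel socket-table entries to the owning process.
Added illustration of the approach (Linux /proc only); it is not gt's code."""
import os
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# /proc/net/tcp state codes (see the kernel's include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


@dataclass
class Session:
    local: str
    lport: int
    remote: str
    rport: int
    state: str
    uid: int
    inode: int
    process: Optional[str]  # None when no process could be found for the socket


def decode_endpoint(field: str) -> Tuple[str, int]:
    """'0200A8C0:CC78' -> ('192.168.0.2', 52344). The kernel prints the IPv4 address as a
    32-bit value in host byte order, which on little-endian hosts reverses the octets;
    packing with '<I' undoes that. Ports are plain big-endian hex."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[dict]:
    """Parse the text of /proc/net/tcp (header line skipped) into raw session dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue  # tolerate blank or truncated lines
        local, lport = decode_endpoint(parts[1])
        remote, rport = decode_endpoint(parts[2])
        rows.append({"local": local, "lport": lport, "remote": remote, "rport": rport,
                     "state": TCP_STATES.get(parts[3], parts[3]),
                     "uid": int(parts[7]), "inode": int(parts[9])})
    return rows


def socket_inode_owners(proc_root: str = "/proc") -> Dict[int, str]:
    """Walk /proc/<pid>/fd on a live host and map socket inodes to process names.
    Descriptors of other users' processes are only visible with matching uid or
    CAP_SYS_PTRACE; unreadable or vanished processes are skipped, not treated as errors."""
    owners: Dict[int, str] = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                name = fh.read().strip()
            for fd in os.listdir(os.path.join(proc_root, pid, "fd")):
                target = os.readlink(os.path.join(proc_root, pid, "fd", fd))
                if target.startswith("socket:["):
                    owners[int(target[len("socket:["):-1])] = name
        except OSError:
            continue
    return owners


def label_sessions(proc_net_tcp_text: str, owners: Dict[int, str]) -> List[Session]:
    """Join the socket table with the inode->process map to get application-level labels."""
    return [Session(**row, process=owners.get(row["inode"]))
            for row in parse_proc_net_tcp(proc_net_tcp_text)]


# Constructed sample socket table (documentation addresses, invented inodes), not a capture.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0200A8C0:CC78 0A7100CB:01BB 01 00000000:00000000 02:000001F4 00000000  1000        0 42917 1 0000000000000000 20 4 30 10 -1
   2: 0200A8C0:E1A4 0A7100CB:0019 01 00000000:00000000 00:00000000 00000000  1000        0 43002 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode->process map standing in for a socket_inode_owners() walk.
SAMPLE_OWNERS = {18234: "sshd", 42917: "firefox", 43002: "thunderbird"}


def demo() -> List[Session]:
    """Label the constructed sample; on a live host pass open('/proc/net/tcp').read()
    and socket_inode_owners() instead."""
    return label_sessions(SAMPLE_PROC_NET_TCP, SAMPLE_OWNERS)


if __name__ == "__main__":
    for s in demo():
        print(f"{s.local}:{s.lport} -> {s.remote}:{s.rport} {s.state} uid={s.uid} proc={s.process}")
```

Two caveats a practitioner should keep in mind. The socket table and the fd walk are taken at different instants, so short-lived sessions can appear in one and not the other; gt's point about gathering ground truth on the host while the trace is being captured is precisely about closing that window. And the process name gives the application only (a mail client), not the protocol (SMTP vs. POP3); the 2009 abstract notes that the protocol label still requires coupling with packet inspection.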
international conference on computer communications and networks | 2008
Maurizio Dusi; Francesco Gringoli; Luca Salgarelli
Secure Shell (SSH) tunnels are commonly used to provide two types of privacy protection to clear-text application protocols. First and foremost, they aim at protecting the privacy of the data being exchanged between two peers, such as passwords, details of monetary transactions and so on. Second, they are supposed to protect the privacy of the behavior of end-users, by preventing an unauthorized observer from detecting which application protocol is being transported by an SSH tunnel. In this paper we introduce a GMM-based (Gaussian Mixture Model) technique that, under a set of reasonable assumptions, can be used to identify which application is being tunneled inside an SSH session by simply observing the stream of encrypted packets. This technique can therefore break the presumption of privacy in its second incarnation as described above. Although still preliminary, experimental results show that the technique can be quite effective, and that the standards bodies might need to take this approach under consideration when designing new obfuscation techniques for SSH.
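The protocol-fingerprint abstract (2007), the Tunnel Hunter and ICC tunnel-detection abstracts (2007, 2008, 2009) and the two SSH traffic-analysis abstracts (2009, 2008) all build on the same observation: size, direction and inter-arrival time of the first few packets of a flow characterise the application even when the payload is encrypted. The following is an added example written for this page, not code from any of the papers. It simplifies the papers' fingerprints to a per-position mean and standard deviation (the papers use richer per-position distributions, and the 2008 ICCCN paper a Gaussian Mixture Model; neither is reproduced here), uses a normalised-deviation score with a hypothetical threshold of 5.0 and a hypothetical direction-mismatch penalty, and trains and tests on constructed synthetic flows rather than captures. It demonstrates both uses: the one-class check ("is this flow the allowed protocol's own traffic, or a tunnel?") and the multi-class variant ("which application is inside this encrypted flow?").

```python
"""Statistical flow fingerprinting on (direction, size, inter-arrival time) of the first
N packets. Added illustration with constructed traffic; the per-position Gaussian
summary is a simplification of the papers' fingerprints."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

N_PACKETS = 6            # only the first N packets of a flow are examined
DIRECTION_PENALTY = 5.0  # hypothetical penalty for a packet flowing the "wrong" way

# (direction, size in bytes, inter-arrival time in seconds); +1 client->server, -1 server->client
Packet = Tuple[int, int, float]
Flow = List[Packet]


@dataclass
class Fingerprint:
    """Per-position majority direction plus mean/stddev of size and inter-arrival time."""
    directions: List[int]
    size_mu: List[float]
    size_sd: List[float]
    iat_mu: List[float]
    iat_sd: List[float]


def _mean_sd(xs: Sequence[float]) -> Tuple[float, float]:
    mu = sum(xs) / len(xs)
    var = sum((x - mu) ** 2 for x in xs) / len(xs)
    return mu, max(math.sqrt(var), 1e-6)  # floor keeps constant positions from dividing by zero


def build_fingerprint(flows: Sequence[Flow]) -> Fingerprint:
    """Summarise the legitimate usage of a protocol from a training set of its flows."""
    fp = Fingerprint([], [], [], [], [])
    for i in range(N_PACKETS):
        col = [f[i] for f in flows]
        ups = sum(1 for d, _, _ in col if d > 0)
        fp.directions.append(1 if 2 * ups >= len(col) else -1)
        for xs, mus, sds in (([s for _, s, _ in col], fp.size_mu, fp.size_sd),
                             ([t for _, _, t in col], fp.iat_mu, fp.iat_sd)):
            mu, sd = _mean_sd(xs)
            mus.append(mu)
            sds.append(sd)
    return fp


def anomaly_score(fp: Fingerprint, flow: Flow) -> float:
    """Mean normalised deviation of a flow from a fingerprint over the first N packets.
    Flows shorter than N packets cannot be scored and are rejected explicitly."""
    if len(flow) < N_PACKETS:
        raise ValueError(f"need at least {N_PACKETS} packets, got {len(flow)}")
    total = 0.0
    for i in range(N_PACKETS):
        d, s, t = flow[i]
        total += abs(s - fp.size_mu[i]) / fp.size_sd[i]
        total += abs(t - fp.iat_mu[i]) / fp.iat_sd[i]
        if d != fp.directions[i]:
            total += DIRECTION_PENALTY
    return total / N_PACKETS


def is_legitimate(fp: Fingerprint, flow: Flow, threshold: float = 5.0) -> bool:
    """One-class tunnel check: does the flow look like the allowed protocol's own traffic?"""
    return anomaly_score(fp, flow) <= threshold


def classify(fingerprints: Dict[str, Fingerprint], flow: Flow) -> Tuple[str, float]:
    """Multi-class variant: closest fingerprint wins (which application is inside the flow?)."""
    scored = {label: anomaly_score(fp, flow) for label, fp in fingerprints.items()}
    label = min(scored, key=scored.get)
    return label, scored[label]


# Constructed templates (not captures): one request, a burst of full-size server segments,
# a short tail and a client ACK-sized packet, versus an interactive session tunnelled on the
# same port: small packets in both directions, paced by keystrokes and echoes.
HTTP_TEMPLATE: Flow = [(1, 350, 0.0), (-1, 1448, 0.020), (-1, 1448, 0.002),
                       (-1, 1448, 0.002), (-1, 600, 0.002), (1, 60, 0.010)]
INTERACTIVE_TEMPLATE: Flow = [(1, 90, 0.0), (-1, 90, 0.30), (1, 90, 0.45),
                              (-1, 90, 0.30), (1, 90, 0.50), (-1, 90, 0.25)]


def synth_flow(rng: random.Random, template: Flow, size_spread: int, iat_spread: float) -> Flow:
    """Jitter a template into one synthetic flow; the first inter-arrival time is 0 by definition."""
    out: Flow = []
    for i, (d, s, t) in enumerate(template):
        size = int(s + rng.uniform(-size_spread, size_spread))
        iat = 0.0 if i == 0 else max(0.0, t + rng.uniform(-iat_spread, iat_spread))
        out.append((d, size, iat))
    return out


def demo(seed: int = 7) -> Dict[str, object]:
    """Train one fingerprint per class, then score a fresh HTTP flow and a tunnelled one."""
    rng = random.Random(seed)
    fps = {
        "http": build_fingerprint([synth_flow(rng, HTTP_TEMPLATE, 40, 0.0015) for _ in range(40)]),
        "interactive": build_fingerprint([synth_flow(rng, INTERACTIVE_TEMPLATE, 10, 0.05) for _ in range(40)]),
    }
    good = synth_flow(rng, HTTP_TEMPLATE, 40, 0.0015)
    tunnelled = synth_flow(rng, INTERACTIVE_TEMPLATE, 10, 0.05)
    return {
        "good_score": anomaly_score(fps["http"], good),
        "tunnel_score": anomaly_score(fps["http"], tunnelled),
        "good_legit": is_legitimate(fps["http"], good),
        "tunnel_legit": is_legitimate(fps["http"], tunnelled),
        "good_label": classify(fps, good)[0],
        "tunnel_label": classify(fps, tunnelled)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The threshold is the operational knob the abstracts call a "normalized threshold": too low and legitimate but unusual sessions (large uploads, slow links) are flagged; too high and a tunnel that mimics the first packets of the cover protocol slips through. In practice the fingerprint must be trained on the network being protected, since packet sizes and timings depend on MTU, RTT and the applications actually in use there, and a tunnelling tool that pads and paces its first N packets to match the fingerprint is the obvious evasion, which is why the SSH papers argue that padding and timing obfuscation belong in the protocol itself.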
acm special interest group on data communication | 2013
Davide Simoncelli; Maurizio Dusi; Francesco Gringoli; Saverio Niccolini
Recent work in network measurements focuses on scaling the performance of monitoring platforms to 10Gb/s and beyond. Concurrently, the IT community focuses on scaling the analysis of big data over a cluster of nodes. So far, combinations of these approaches have targeted flexibility and usability over real-timeliness of results and efficient allocation of resources. In this paper we show how to meet both objectives with BlockMon, a network monitoring platform originally designed to work on a single node, which we extended to run distributed stream-data analytics tasks. We compare its performance against Storm and Apache S4, the state-of-the-art open-source stream-processing platforms, by implementing a phone call anomaly detection system and a Twitter trending algorithm: our enhanced BlockMon has a gain in performance of over 2.5x and 23x, respectively. Given the different nature of those applications and the performance of BlockMon as a single-node network monitor [1], we expect our results to hold for a broad range of applications, making distributed BlockMon a good candidate for the convergence of network-measurement and IT-analysis platforms.
IEEE Communications Magazine | 2012
Maurizio Dusi; Stefano Napolitano; Saverio Niccolini; Salvatore Longo
Running desktop-as-a-service solutions in remote data centers is an emerging means of delivering virtual PCs in an inexpensive, secure, and easy-to-maintain way. The fact that such solutions rely on the presence of connectivity between users and their virtual PCs poses a challenging operational question: what is the quality of experience of the user when running a particular application inside the thin-client protocol? The challenge is to understand whether the path between the client and the server has enough resources to sustain the rendering of the specific application. To address this question, we propose a method that exploits statistical classification to infer on-the-fly the class of applications running inside a given thin-client connection. We then correlate such information with the key factor that limits thin-client performance (i.e., network latency) to obtain the current user's QoE. We evaluate how machine-learning techniques can robustly detect applications that exchange data over the Microsoft Remote Desktop Protocol, with promising results (over 80 percent accuracy for multimedia content). To the best of our knowledge, this is the first attempt at using statistical techniques to monitor thin-client applications for QoE detection.