Peter Dorfinger

Entropy estimation for real-time encrypted traffic identification

This paper describes a novel approach to classify network traffic into encrypted and unencrypted traffic. The classifier is able to operate in real-time as only the first packet of each flow is processed. The main metric used for classification is an estimation of the entropy of the first packet payload. The approach is evaluated based on encrypted ground truth traces and on real network traces. Encrypted traffic such as Skype, or encrypted eDonkey traffic are detected as encrypted with probability higher than 94%. Unencrypted protocols such as SMTP, HTTP, POP3 or FTP are detected as unencrypted with probability higher than 99.9%. The presented approach, named real-time encrypted traffic detector (RT-ETD), is well suited to operate as pre-filter for advanced classification approaches to enable their applicability on increased bandwidth.

Entropy-based traffic filtering to support real-time Skype detection

We propose a novel approach for real-time privacy preserving traffic filtering based on entropy estimation. The decision of the real-time classifier is based on the entropy of the payload from first packet of a flow. The aim of the classifier is to detect traffic with encrypted payload. As a proof of concept we show the applicability of our approach as a traffic filter for a Skype detection engine. Traces collected in laboratory and real-world environments show that the traffic is reduced by a reasonable amount while achieving similar or even improved detection quality.

Identifying skype traffic in a large-scale flow data repository

We present a novel method for identifying Skype clients and supernodes on a network using only flow data, based upon the detection of certain Skype control traffic. Flow-level identification allows long-term retrospective studies of Skype traffic as well as studies of Skype traffic on much larger scale networks than existing packet-based approaches. We use this method to identify Skype hosts and connection events to the network in a historical flow data set containing 182 full days of data over the six years from 2004 to 2009, in order to explore the evolution of the Skype network in general and a large observed portion thereof in particular. This represents, to the best of our knowledge, the first long-term retrospective analysis of the behavior of the Skype network based solely on flow data, and the first successful application of a Skype detection algorithm to flow data collected from a production network.

Network performance evaluation based on flow data

In this paper we present a flow-based method to evaluate network performance based on round-trip time (RTT). Using passively gathered flow-based data has advantages in both, performance and privacy, compared to active methods or passive packet-based approaches. The proposed algorithm is able to work on legacy Netflow v9 and IPFIX data, without being specifically collected for RTT measurements. To evaluate the method, results from packet-based passive RTT measurement implementations have been used for comparison.

One-way loss measurements from IPFIX records

In this work we describe a methodology to estimate one-way packet loss from IPFIX or NetFlow flow records collected at two monitoring points. The proposed method does not require tight synchronization between the two monitoring points, nor it relies upon external routing information. It can run online or offline, and can work on legacy IPFIX/NetFlow traces which were not collected for the specific purpose of loss estimation. In this preliminary work we describe the estimation procedure and present early validation results from a real testbed.

Sensor interoperability for disaster management

This paper describes how to use sensor information in international disaster management operations. The focus is on enabling sensor interoperability by using standardized interfaces. For this work the Open Geospatial Consortium (OGC) Sensor Observation Service (SOS) is used to exchange sensor information between different systems. Further individual sensor values have to be interpreted to bring benefit to commanders in disaster operations. We are proposing a Sensor Fusion Engine to combine sensor data stemming from heterogeneous sources and provide a condensed output in different standard formats and protocols. An example of such a format is the Common Alerting Protocol (CAP) which is a standardized interface used in disaster operations. Real world deployments in large scale disaster exercises have shown the applicability of the approach.

Simulation of a Robust Communication Protocol for Sensor Data Acquisition

For control systems the timely and dependable transmission of sensor data to a controlling instance is a necessary precondition to perform the intended control task. Yet the communication infrastructures used for this purpose usually have to work under difficult circumstances in the field, e.g., wireless networks might be lacking energy to successfully transmit data. In order to guarantee the robustness of communication infrastructures, several design principals have to be met. Most important, providing redundancy of all communication links and nodes keeps the infrastructure working in case of partly outages. In this paper we describe the simulative approach of our work to assess the robustness of redundant meshed networks.

Communication coverage awareness for self-aligning wireless communication in disaster operations

Broad band communication in international disaster response actions is becoming more and more important. The information exchange between field commanders and tactical commanders lead to a better situational awareness on all layers of disaster management. After large scale disasters the communication infrastructure is often destroyed. Setting up a communication infrastructure is essential in todays disaster response actions. As organizations in disaster response actions are not consisting of IT experts, the setup and installation has to be easy. For example [1] presents such a system. Furthermore the knowledge where to deploy wireless communication gateways and wireless relay nodes is essential. Consequently the positions of field commanders can not only be based on tactical needs but also on communication needs. In this paper we present a simulation based visualization tool which helps to evaluate deployment locations for communication equipment to achieve adequate communication coverage with respect to specific disaster related information. This allows an optimal positioning of relay nodes and field commanders in the field to ensure broad band communication in disaster response actions and thus faster help for the people.

An implementation of a service class providing assured TCP rates within the AQUILA framework

This paper investigates an attempt to establish a QoS class that supports long-lived, bulk-data TCP flows that require a minimum rate from the network. The approach is based on a model for TCP flows subject to token bucket marking at the network edge and preferential dropping in the core network. The service class adds admission control functionality and a model for multi-RED queue management to the token bucket marker. The difficulty of parameterizing the mechanisms is discussed and analyzed in an explorative simulation study. A set of configuration parameters that enables a successful operation of the service class is identified and the achievable service provisioning is shown.

A Rate Controller for Long-Lived TCP Flows

In this paper a new mechanism for providing an assured rate to a long-lived TCP flow is proposed. The mechanism is called TCP rate controller (TRC) and operates as a traffic conditioner at the edge of a network. The TRC seeks to achieve the requested rate by imposing well directed drops and (artificial) delays on the flows packets. The choice of drop probability and delay is based on an analytical model of TCP sending behavior. It is shown in a simulation study that the TRC performs well over a broad range of requested rates and network RTTs.