
Publication


Featured research published by Polina Zilberman.


Information Processing Letters | 2009

Incremental deployment of network monitors based on Group Betweenness Centrality

Shlomi Dolev; Yuval Elovici; Rami Puzis; Polina Zilberman

In many applications we are required to increase the deployment of a distributed monitoring system on an evolving network. In this paper we present a new method for finding candidate locations for additional deployment in the network. This method is based on the Group Betweenness Centrality (GBC) measure that is used to estimate the influence of a group of nodes over the information flow in the network. The new method assists in finding the location of k additional monitors in the evolving network, such that the portion of additional traffic covered is at least (1-1/e) of the optimal.


privacy security risk and trust | 2012

Heuristics for Speeding Up Betweenness Centrality Computation

Rami Puzis; Polina Zilberman; Yuval Elovici; Shlomi Dolev; Ulrik Brandes

We propose and evaluate two complementary heuristics to speed up exact computation of the shortest-path betweenness centrality. Both heuristics are relatively simple adaptations of the standard algorithm for betweenness centrality. Consequently, they generalize the computation of edge betweenness and most other variants, and can be used to further speed up betweenness estimation algorithms, as well. In the first heuristic, structurally equivalent vertices are contracted based on the observation that they have the same centrality and also contribute equally to the centrality of others. In the second heuristic, we first apply a linear-time betweenness algorithm on the block-cut point tree and then compute the remaining contributions separately in each biconnected component. Experiments on a variety of large graphs illustrate the efficiency and complementarity of our heuristics.


intelligence and security informatics | 2011

Analyzing group communication for preventing data leakage via email

Polina Zilberman; Shlomi Dolev; Gilad Katz; Yuval Elovici; Asaf Shabtai

Modern business activities rely on extensive email exchange. Various solutions attempt to analyze email exchange in order to prevent emails from being sent to the wrong recipients. However, there are still no satisfying solutions; many email addressing mistakes are not detected and in many cases correct recipients are wrongly marked as potential addressing mistakes. In this paper we present a new approach for preventing email addressing mistakes in organizations. The approach is based on analysis of email exchange among members of the organization and the identification of groups based on common topics. Each member's topics are then used during the enforcement phase for detecting potential leakage. When a new email is composed and about to be sent, each email recipient is analyzed. A recipient is approved if the email's content belongs to at least one of the topics common to the sender and the recipient. We evaluated the new approach using the Enron Email dataset. Our evaluation results suggest that the new approach easily copes with email recipients that have no previous direct connection with the sender.


parallel and distributed computing: applications and technologies | 2009

Trawling Traffic under Attack, Overcoming DDoS Attacks by Target-Controlled Traffic Filtering

Shlomi Dolev; Yuval Elovici; Alexander Kesselman; Polina Zilberman

As more and more services are provided by servers via the Internet, Denial-of-Service (DoS) attacks pose an increasing threat to the Internet community. A DoS attack overloads the target server with a large volume of adverse requests, thereby rendering the server unavailable to “well-behaved” users. Recently, the novel paradigm of traffic ownership that enables the clients of Internet service providers (ISP) to configure their own traffic processing policies has gained popularity. In this paper, we propose two algorithms belonging to this paradigm that allow attack targets to dynamically filter their incoming traffic based on a distributed policy. The proposed algorithms defend the target against DoS and distributed DoS (DDoS) attacks and simultaneously ensure that it continues to receive valuable users’ traffic. In a nutshell, a target can define a filtering policy which consists of a set of traffic classification rules and the corresponding amounts of traffic, measured in bandwidth units, which match each rule. The filtering algorithm is enforced by the ISP’s or the Network Service Provider’s (NSP) routers when a target is being overloaded with traffic. The goal is to maximize the amount of filtered traffic forwarded to the target, according to the filtering policy, from the ISP’s or the NSP’s network. The first algorithm we propose relies on complete collaboration among the ISP/NSP routers. It computes the filtering policy in polynomial time and delivers the best possible traffic mix to the target. The second algorithm is a distributed algorithm which assumes no collaboration among the ISP/NSP routers; each router only uses local information about its incoming traffic. We show the intuition behind the proof of lower bound on the second algorithm’s worst-case performance.


IEEE Transactions on Dependable and Secure Computing | 2017

On Network Footprint of Traffic Inspection and Filtering at Global Scrubbing Centers

Polina Zilberman; Rami Puzis; Yuval Elovici

Traffic diversion through powerful cloud-based scrubbing centers provides a solution for protecting against various DDoS attacks. In one respect, such a solution enables sanitizing attack traffic close to its source and saves precious resources for the network service provider. Contrarily, the diversion of the inspected traffic toward the scrubbing centers may increase its footprint in the network. The location of the scrubbing centers greatly affects the network resource utilization and, therefore, should be carefully considered in the design of the security service. In this paper, we investigate four deployment strategies and compare their performance on a network of Points-of-Presence and on several router level topologies obtained from the RocketFuel project. The deployment quality was measured using the following criteria: the footprint of the inspected traffic, the redistribution of load on the links, and the increase in communication latency. Our results show that the deployment strategy that is considered to perform well for locating network monitors by maximizing flow coverage results in the worst footprint when traffic diversion is employed. Overall, we show that the deployment strategy that is tailored for traffic filtering is also suitable for traffic monitoring, but not the other way around.


Journal of the Association for Information Science and Technology | 2013

Analyzing group E-mail exchange to detect data leakage

Polina Zilberman; Gilad Katz; Asaf Shabtai; Yuval Elovici

Today's organizations spend a great deal of time and effort on e‐mail leakage prevention. However, there are still no satisfactory solutions; addressing mistakes are not detected and in some cases correct recipients are wrongly marked as potential mistakes. In this article we present a new approach for preventing e‐mail addressing mistakes in organizations. The approach is based on an analysis of e‐mail exchanges among members of an organization and the identification of groups based on common topics. When a new e‐mail is about to be sent, each recipient is analyzed. A recipient is approved if the e‐mail's content belongs to at least one common topic to both the sender and the recipient. This can be applied even if the sender and recipient have never communicated directly before. The new approach was evaluated using the Enron e‐mail data set and was compared with a well known method for the detection of e‐mail addressing mistakes. The results show that the proposed approach is capable of detecting 87% of nonlegitimate recipients while incorrectly classifying only 0.5% of the legitimate recipients. These results outperform previous work, which reports a detection rate of 82% without reference to the false positive rate.


information security | 2018

Anti-forensic = Suspicious: Detection of Stealthy Malware that Hides Its Network Traffic

Mayank Agarwal; Rami Puzis; Jawad Haj-Yahya; Polina Zilberman; Yuval Elovici

Stealthy malware hides its presence from the users of a system by hooking the relevant libraries, drivers, system calls or manipulating the services commonly used to monitor system behaviour. Tampering with the network sensors of host-based intrusion detection systems (HIDS) may impair their ability to detect malware and significantly hinders subsequent forensic investigations. Nevertheless, the mere attempt to hide the traffic indicates malicious intentions. In this paper we show how comparison of the data collected by multiple sensors at different levels of resilience may reveal these intentions. At the lowest level of resilience, information from untrusted sensors such as netstat and process lists is used. At the highest resilience level, we analyse mirrored traffic using a secured hardware device. This technique can be considered as fully trusted. The detection of a discrepancy between what is reported by these common tools and what is observed on a trusted system operating at a different level is a good way to force a dilemma on malware writers: either apply hiding techniques, with the risk that the discrepancy is detected, or keep the status of network connections untouched, with a greater ability for the administrator to recognize the presence and to understand the behaviour of malware. The proposed method was implemented on an evaluation testbed and is able to detect stealthy malware that hides its communication from the HIDS. The false positive rate is 0.01% of the total traffic analysed, and barring a few exceptions that can easily be white-listed, there are no legitimate processes which raise false alerts.


2017 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN) | 2017

DiscOF: Balanced flow discovery in OpenFlow

Luiza Nacshon; Rami Puzis; Polina Zilberman

Flexibility and extendibility of Software Defined Networks allow development of diverse network management and flow monitoring techniques. Yet, there are inherent tradeoffs between the quality of flow monitoring and the required network resources. In particular, collecting flow statistics, at the level of specific source-destination addresses (and, moreover, specific protocols and ports), requires too many flow table entries. This problem is emphasized by the difficulty of anticipating the individual flows that need to be monitored. In this paper we propose a method for dynamic flow discovery at any required spatial resolution. In addition, we propose a method for balancing the monitoring effort among the switches. These methods allow increasing the spatial resolution of traffic monitoring with minimal effects on the network performance.


International Journal of Foundations of Computer Science | 2011

TRAWLING TRAFFIC UNDER ATTACK OVERCOMING DDoS ATTACKS BY TARGET-CONTROLLED TRAFFIC FILTERING

Shlomi Dolev; Yuval Elovici; Alexander Kesselman; Polina Zilberman

As more and more services are provided by servers via the Internet, Denial-of-Service (DoS) attacks pose an increasing threat to the Internet community. A DoS attack overloads the target server with a large volume of adverse requests, thereby rendering the server unavailable to “well-behaved” users. Recently, the novel paradigm of traffic ownership that enables the clients of Internet service providers (ISP) to configure their own traffic processing policies has gained popularity. In this paper, we propose two algorithms belonging to this paradigm that allow attack targets to dynamically filter their incoming traffic based on a distributed policy. The proposed algorithms defend the target against DoS and distributed DoS (DDoS) attacks and simultaneously ensure that it continues to receive valuable users’ traffic. In a nutshell, a target can define a filtering policy which consists of a set of traffic classification rules and the corresponding amounts of traffic, measured in bandwidth units, which match each rule. The filtering algorithm is enforced by the ISP’s or the Network Service Provider’s (NSP) routers when a target is being overloaded with traffic. The goal is to maximize the amount of filtered traffic forwarded to the target, according to the filtering policy, from the ISP’s or the NSP’s network. The first algorithm we propose relies on complete collaboration among the ISP/NSP routers. It computes the filtering policy in polynomial time and delivers the best possible traffic mix to the target. The second algorithm is a distributed algorithm which assumes no collaboration among the ISP/NSP routers; each router only uses local information about its incoming traffic. We show the intuition behind the proof of lower bound on the second algorithm’s worst-case performance.


Journal of Complex Networks | 2015

Topology manipulations for speeding betweenness centrality computation

Rami Puzis; Yuval Elovici; Polina Zilberman; Shlomi Dolev; Ulrik Brandes

Collaboration


Top Co-Authors

Yuval Elovici (Ben-Gurion University of the Negev)

Shlomi Dolev (Ben-Gurion University of the Negev)

Luiza Nacshon (Ben-Gurion University of the Negev)

Asaf Shabtai (Ben-Gurion University of the Negev)

Gilad Katz (Ben-Gurion University of the Negev)

Bronislav Sidik (Ben-Gurion University of the Negev)