Sandrine Vaton

A scalable, efficient and informative approach for anomaly-based intrusion detection systems: theory and practice

In this paper, we present the design and implementation of a new approach for anomaly detection and classification over high speed networks. The proposed approach is based first of all on a data reduction phase through flow sampling by focusing mainly on short lived flows. The second step is then a random aggregation of some descriptors such as a number of SYN packets per flow in two different data structures called Count Min Sketch and Multi-Layer Reversible Sketch. A sequential change point detection algorithm continuously monitors the sketch cell values. An alarm is raised if a significant change is identified in cell values. With an appropriate definition of the combination of IP header fields that should be used to identify one flow, we are able not only to detect the anomaly but also to classify the anomaly as DoS, DDoS or flash crowd, network scanning and port scanning. We validate our framework for anomaly detection on various real world traffic traces and demonstrate the accuracy of our approach on these real-life case studies. Our analysis results from online implementation of our algorithm over measurements gathered by a DAG sniffing card are very attractive in terms of accuracy and response time. The proposed approach is very effective in detecting and classifying anomalies, and in providing information by extracting the culprit flows with a high level of accuracy. Copyright

Quick Traffic Matrix Estimation Based on Link Count Covariances

In this paper we consider the problem of traffic matrix estimation. As the problem is underconstrained, some additional information has to be brought in to obtain a solution. If we have a sequence of link count measurements available, a natural candidate is to use the link count sample covariance matrix under the assumption of a functional relationship between the mean and the variance of the traffic. We propose two computationally light-weight methods for traffic matrix estimation based on the covariance matrix, the projection method and constrained minimization method. The accuracy of these methods is compared with that of other methods using second order moment estimates by simulation under synthetic traffic scenarios.

Optimal volume anomaly detection and isolation in large-scale IP networks using coarse-grained measurements

Recent studies from major network technology vendors forecast the advent of the Exabyte era, a massive increase in network traffic driven by high-definition video and high-speed access technology penetration. One of the most formidable difficulties that this forthcoming scenario poses for the Internet is congestion problems due to traffic volume anomalies at the core network. In the light of this challenging near future, we develop in this work different network-wide anomaly detection and isolation algorithms to deal with volume anomalies in large-scale network traffic flows, using coarse-grained measurements as a practical constraint. These algorithms present well-established optimality properties in terms of false alarm and miss detection rate, or in terms of detection/isolation delay and false detection/isolation rate, a feature absent in previous works. This represents a paramount advantage with respect to current in-house methods, as it allows to generalize results independently of particular evaluations. The detection and isolation algorithms are based on a novel linear, parsimonious, and non-data-driven spatial model for a large-scale network traffic matrix. This model allows detecting and isolating anomalies in the Origin-Destination traffic flows from aggregated measurements, reducing the overhead and avoiding the challenges of direct flow measurement. Our proposals are analyzed and validated using real traffic and network topologies from three different large-scale IP backbone networks.

A markovian signature-based approach to IP traffic classification

In this paper we present a real-time automatic process to traffic classification and to the detection of abnormal behaviors in IP traffic. The proposed method aims to detect anomalies in the traffic associated to a particular service, or to automatically recognize the service associated to a given sequence of packets at the transport layer. Service classification is becoming a central issue because of the emergence of new services (P2P, VoIP, Streaming video, etc...) which raises new challenges in resource reservation, pricing, network monitoring, etc... In order to identify a specific signature to an application, we first of all model the sequence of its packets at the transport layer by means of a first order Markov chain. Then, we decide which service should be associated to any new sequence by means of standard decision techniques (Maximum Likelihood criterion, Neyman-Pearson test). The evaluation of our automatic recognition procedure using live GPRS Orange France traffic traces demonstrates the feasibility and the excellent performance of this approach.

Performance modelling of GSM/GPRS cells with different radio resource allocation strategies

In this paper, we present an analytical model for the performance evaluation of GSM/GPRS cells with different resource allocation schemes. The presented model is based on the modified Engset model with a finite number of users generating ON/OFF sessions in the cell. The closed formula following from the model is applicable for calculating different performance parameters like user throughput, blocking probability and radio resource utilization. Our study is focused on two main radio resource allocation strategies: complete partitioning and partial sharing.

Hardware acceleration of SVM-based traffic classification on FPGA

Understanding the composition of the Internet traffic has many applications nowadays, mainly tracking bandwidth consuming applications, QoS-based traffic engineering and lawful interception of illegal traffic. Although many classification methods such as Support Vector Machines (SVM) have demonstrated their accuracy, not enough attention has been paid to the practical implementation of lightweight classifiers. In this paper, we consider the design of a real-time SVM classifier at many Gbps to allow online detection of categories of applications. Our solution is based on the design of a hardware accelerated SVM classifier on a FPGA board.

Robust and Reactive Traffic Engineering for Dynamic Traffic Demands

Traffic engineering (TE) has become a challenging mechanism for network management and resources optimization due to uncertain and difficult to predict traffic patterns. Recent works have proposed robust optimization techniques to cope with uncertain traffic, computing a stable routing configuration that is immune to demand variations within certain uncertainty set. However, using a single routing configuration for longtime periods can be highly inefficient. Even more, the presence of abnormal and malicious traffic has magnified the network operation problem, claiming for solutions which not only deal with traffic uncertainty but also allow to detect and identify faulty traffic to take the appropriate countermeasures. In this paper, we introduce the Reactive Robust Routing (RRR) for TE, an approach that combines both proactive and reactive techniques to tackle the problem. Based on expected traffic patterns, we adapt the uncertainty set and build a multi-hour yet robust routing scheme that outperforms the stable robust approach. For the case of anomalous and unexpected traffic, we propose a fast anomaly detection/isolation algorithm to detect and localize abrupt changes in traffic flows and decide routing changes. This algorithm is optimal in the sense that it minimizes the decision delay for a given mean false alarm rate and false isolation probability. We validate these proposals using real data from two different backbone networks and we show how the RRR can handle uncertain and highly dynamic traffic in an automatic fashion, simplifying network operation.

Flooding attacks detection and victim identification over high speed networks

With the rapid dependency on the internet for business, and the fast spread of powerful destructive DoS/DDoS attack tools, the detection and thwarting of these attacks is primordial for ISP, enterprises, hosting centers, etc. In this paper, we present the implementation of a new framework, for efficient detection and identification of flooding attacks over high speed links. To accomplish that, we apply multi-channel nonparametric CUSUM (MNP-CUSUM) over the shared counters in the proposed reversible sketch, in order to pinpoint flows with abrupt change via a new approach for sketch inversion. Shared counters are used to minimize the memory requirements and to identify the victim of flooding attacks. We apply our system at various real traces, some traces are provided by France Telecom (FT) within the framework of ANR-RNRT OSCAR project, other traces are collected in FT backbone network, during online experiments for testing and adjusting the proposed detection algorithms in this project. Our analysis results from real internet traffic, and from online implementation over Endace DAG 3.6ET sniffing card, show that our proposed architecture is able to quickly detect various kinds of flooding attacks and to disclose culprit flows with a high level of accuracy.

Energy-efficient FPGA implementation for binomial option pricing using OpenCL

Energy efficiency of financial computations is a performance criterion that can no longer be dismissed, and is as crucial as raw acceleration and accuracy of the solution. In order to reduce the energy consumption of financial accelerators, FPGAs offer a good compromise with low power consumption and high parallelism. However, designing and prototyping an application on an FPGA-based platform are typically very time-consuming and requires significant skills in hardware design. This issue constitutes a major drawback with respect to software-centric acceleration platforms and approaches. A high-level approach has been chosen, using Alteras implementation of the OpenCL standard, to answer this issue. We present two FPGA implementations of the binomial option pricing model on American options. The results obtained on a Terasic DE4 - Stratix IV board form a solid basis to hold all the constraints necessary for a real world application. The best implementation can evaluate more than 2000 options/s with an average power of less than 20W.

Advanced Methods for the Estimation of the Origin Destination Traffic Matrix

For lots of traffic engineering tasks, telecommunications operators need good knowledge about the traffic which transit through their networks. This information is fully represented by the matrix of the volumes of data which go from any entry node to any exit node during a period of time. This matrix is called the origin-destination (OD) traffic matrix. However such a matrix is not directly available. Only measures of the volumes of data which transit through a link between routers can be obtained easily with the help of Simple Network Management Protocol (SNMP). These measures are called link counts.