Sylvain Martin

RADAR: Ring-Based Adaptive Discovery of Active Neighbour Routers

The RADAR protocol and its underlying neighbourhood discovery framework extend the ANTS toolkit by giving active nodes the ability to discover dynamically other active nodes close to them without relying on any configuration file. Such an automatic discovery is the key to administration of large or sparse active networks and the first step towards an efficient active routing.Active nodes will use their local IP routing table to run an extended ring search in their domain. An Additive Increase Multiplicative Decrease control allows RADAR to discover several neighbours per physical interface without searching too far away or fixing a maximum distance a priori. The protocol is complemented by a traffic-driven discovery that can grab capsules coming from unknown nodes (mainly outside the local domain) and trigger targetted probing of those addresses.

Using decision trees for generating adaptive SPIT signatures

With the spread of new and innovative Internet services such as SIP-based communications, the challenge of protecting and defending these critical applications has been raised. In particular, SIP firewalls attempt to filter the signaling unwanted activities and attacks based on the knowledge of the SIP protocol. Optimizing the SIP firewall configuration at real-time by selecting the best filtering rules is problematic because it depends on both natures of the legal traffic and the unwanted activities. More precisely, we do not know exactly how the unwanted activities are reflected in the SIP messages and in what they differ from the legal ones. In this paper, we address the case of Spam over Internet Telephony (SPIT) mitigation. We propose an adaptive solution based on extracting signatures from learnt decision trees. Our simulations show that quickly learning the optimal configuration for a SIP firewall leads to reduce at lowest the unsolicited calls as reported by the users under protection. Our results promote the application of machine learning algorithms for supporting network and service resilience against such new challenges.

Outbound SPIT filter with optimal performance guarantees

This paper presents a formal framework for identifying and filtering SPIT calls (SPam in Internet Telephony) in an outbound scenario with provable optimal performance. In so doing, our work is largely different from related previous work: our goal is to rigorously formalize the problem in terms of mathematical decision theory, find the optimal solution to the problem, and derive concrete bounds for its expected loss (number of mistakes the SPIT filter will make in the worst case). This goal is achieved by considering an abstracted scenario amenable to theoretical analysis, namely SPIT detection in an outbound scenario with pure sources. Our methodology is to first define the cost of making an error (false positive and false negative), apply Walds sequential probability ratio test to the individual sources, and then determine analytically error probabilities such that the resulting expected loss is minimized. The benefits of our approach are: (1) the method is optimal (in a sense defined in the paper); (2) the method does not rely on manual tuning and tweaking of parameters but is completely self-contained and mathematically justified; (3) the method is computationally simple and scalable. These are desirable features that would make our method a component of choice in larger, autonomic frameworks.

SPRT for SPIT: using the sequential probability ratio test for spam in VoIP prevention

This paper presents the first formal framework for identifying and filtering SPIT calls (SPam in Internet Telephony) in an outbound scenario with provable optimal performance. In so doing, our work deviates from related earlier work where this problem is only addressed by ad-hoc solutions. Our goal is to rigorously formalize the problem in terms of mathematical decision theory, find the optimal solution to the problem, and derive concrete bounds for its expected loss (number of mistakes the SPIT filter will make in the worst case). This goal is achieved by considering a scenario amenable to theoretical analysis, namely SPIT detection in an outbound scenario with pure sources. Our methodology is to first define the cost of making an error, apply Walds sequential probability ratio test, and then determine analytically error probabilities such that the resulting expected loss is minimized. The benefits of our approach are: (1) the method is optimal (in a sense defined in the paper); (2) the method does not rely on manual tuning and tweaking of parameters but is completely self-contained and mathematically justified; (3) the method is computationally simple and scalable. These are desirable features that would make our method a component of choice in larger, autonomic frameworks.

Interpreted Active Packets for Ephemeral State Processing Routers

We propose WASP (lightweight and World-friendly Active packets for ephemeral State Processing), a new active platform based on Ephemeral State designed to allow bytecode interpretation on programmable datapath elements. We designed WASP to be a good compromise between flexibility (e.g. offering solutions in quality-adaptive multimedia flows, service discovery or mobility support) and safety (i.e. protection of router and network resource).

An active platform as middleware for services and communities discovery

In an increasing number of cases, network hosts need to locate a machine based on its role in a service or community rather than based on a well-known address. We propose and evaluate WASP, a lightweight active platform where ephemeral state left in the network can help locate service providers such as request dispatchers or computation aggregators. In an active grid architecture, WASP can also help locate participants, build and manage overlays.

A Dynamic Neighbourhood Discovery Protocol for Active Overlay Networks

d-RADAR is a neighbourhood discovery protocol for overlay network environments designed for (but not limited to) active network overlays. The core of the algorithm is an expanding ring-search based on the IP routing table content augmented with traffic-based and dynamic refreshing techniques that allows it to react to virtual topology changes (nodes joining/leaving the overlay) as well as IP topology changes (broken and repaired link, route changes and moving nodes).

Contextual multi-armed bandits for web server defense

In this paper we argue that contextual multi-armed bandit algorithms could open avenues for designing self-learning security modules for computer networks and related tasks. The paper has two contributions: a conceptual and an algorithmical one. The conceptual contribution is to formulate the real-world problem of preventing HTTP-based attacks on web servers as a one-shot sequential learning problem, namely as a contextual multi-armed bandit. Our second contribution is to present CMABFAS, a new and computationally very cheap algorithm for general contextual multi-armed bandit learning that specifically targets domains with finite actions. We illustrate how CMABFAS could be used to design a fully self-learning meta filter for web servers that does not rely on feedback from the end-user (i.e., does not require labeled data) and report first convincing simulation results.

DISco: A distributed information store for network challenges and their outcome

We present the design of DISco, a storage and communication middleware that enables distributed and task-centric autonomic control of networks. DISco allows multi-agent identification of anomalous situations (challenges) and assists coordinated remediation that will maintain service at an acceptable level, although degraded. The history of agents decisions, their context and outcomes is tracked as the situation evolves, and information is automatically gathered and organised to ease further human-assisted diagnosis. We then explore the feasibility of using state of the art peer-to-peer publish/subscribe and storage systems as building blocks for this service. The ability of those systems to support range queries and aggregation will be a key factor for their suitability to the task.