Tanja Zseby
Vienna University of Technology
Publication
Featured research published by Tanja Zseby.
Machine Learning | 2015
Félix Iglesias; Tanja Zseby
Anomaly detection in communication networks provides the basis for the uncovering of novel attacks, misconfigurations and network failures. Resource constraints for data storage, transmission and processing make it beneficial to restrict input data to features that are (a) highly relevant for the detection task and (b) easily derivable from network observations without expensive operations. Removing strongly correlated, redundant and irrelevant features also improves the detection quality for many algorithms that are based on learning techniques. In this paper we address the feature selection problem for network traffic based anomaly detection. We propose a multi-stage feature selection method using filters and stepwise regression wrappers. Our analysis is based on 41 widely-adopted traffic features that are presented in several commonly used traffic data sets. With our combined feature selection method we could reduce the original feature vectors from 41 to only 16 features. We tested our results with five fundamentally different classifiers, observing no significant reduction of the detection performance. In order to quantify the practical benefits of our results, we analyzed the costs for generating individual features from standard IP Flow Information Export records, available at many routers. We show that we can eliminate 13 very costly features and thus reduce the computational effort for on-line feature generation from live traffic observations at network nodes.
PfHSN '99 Proceedings of the IFIP TC6 WG6.1 & WG6.4 / IEEE ComSoc TC on Gigabit Networking Sixth International Workshop on Protocols for High Speed Networks VI | 1999
Georg Carle; Felix Hartanto; Michael Smirnov; Tanja Zseby
We developed a reference model for classifying charging, accounting and closely related processes, and for describing their interaction (see Figure 1). At the right, five layers are shown that encompass processing for charging and accounting. A configuration plane allows for providing configuration parameters for the processing layers. The configuration can be done on-line using signalling, as for Integrated Services, or off-line using management tools, as for Differentiated Services. Configuration parameters are derived from pricing policy, accounting policy and metering policy. These policies are provided by interaction of dedicated servers with the corresponding entities of the configuration plane. The metering layer performs metering of resource usage. Metering must make it possible to distinguish the two types of network resource: reservation of network resources, and actual usage of network resources. This distinction is useful as resources that are reserved but not used by a user may be offered to a different user, but usually under different conditions (lower price). Charging schemes may reflect this difference, e.g. by charging separately for reservation, and for actual usage. In case of multicast, depending on the cost sharing schemes, the meters can be placed at the edge routers only or also at the splitting points. The meter reader layer encompasses functional entities that access data provided by metering entities and forward it for further processing to the Accounting Processing Layer. For supporting multicast charging, this layer is also responsible for selection of appropriate meters (meter placement). Transfer of metering data to the meter reader can be initiated explicitly (the meter reader initiates transfer of metering data) or implicitly (after a triggering event such as detection of a new flow, the meter initiates transfer of metering data to the meter reader).
Entities of the accounting processing layer process usage data collected by meter readers, try to consolidate them based on service parameters and create accounting data sets (i.e., accounting records) which will be passed to the charging layer for pricing assignment. For supporting multicast charging, this layer is also responsible for reconstructing the multicast topology including splitting points where required by the cost sharing scheme. Additionally, the layer is also responsible for distributing collected usage data to other domains in a multi-provider environment. The charging layer derives costs for accounting data sets based on service specific tariffing parameters. Different cost metrics may be applied to the same usage of resources, and may be evaluated in parallel. A detailed evaluation of the resource usage can be used for generating bills to the customer, or for internal analysis (auditing) by the service provider. A simple evaluation of current costs can be used for displaying an estimation of accumulated costs for the service user, or for control purposes by the customer organisation or by the provider. For charging of multicast services, cost allocation assigns costs to specific endpoints, such as sender(s) and receivers of a multicast group.
IEEE Access | 2016
Peter Eder-Neuhauser; Tanja Zseby; Joachim Fabini
Smart grids require information and communication technology (ICT) in order to control dynamics in the power grid. However, adding ICT creates additional entry points in vulnerable hard- and software, increasing the attack surface, and provides distribution paths that can be used by malware for attacks. This paper provides a qualitative evaluation of smart grid architectures for urban environments, comparing four topology types based on six quality indicators: resource control, security, resilience, quality of service, compatibility, and cost. The impact of each power grid topology on the applicability of ICT components in communication topologies is also considered. We summarize the benefits and drawbacks of each topology with a focus on the implementation of decentralized and self-organizing structures.
Elektrotechnik Und Informationstechnik | 2014
Tanja Zseby; Joachim Fabini
Wide Area Monitoring Systems (WAMS) improve situational awareness in the electric grid. They support planning and optimizing of grid operations and provide valuable information to prevent critical incidents. Communication demands for WAMS have been elevated by the variety of applications that rely on measurement data from distributed sensors. Besides bounds on tolerated end-to-end latencies for some applications, security is a major concern in today's Wide Area Monitoring Systems. We review recent approaches for WAMS communication and point out security challenges that need to be addressed in future communication solutions for WAMS.
Summary: Wide Area Monitoring Systems (WAMS) form networks of distributed sensors for monitoring intelligent power grids (smart grids). They support the planning and optimization of processes in the electricity grid and provide valuable information for preventing critical events. Many applications need current measurement data in order to react to new situations in smart grids. This also increases the communication requirements for Wide Area Monitoring Systems. Besides requirements on the maximum tolerable end-to-end delays, security mechanisms are nowadays of particular importance for Wide Area Monitoring Systems. We compare different approaches to WAMS communication and show which security requirements must be taken into account in future communication solutions for WAMS.
ACM Special Interest Group on Data Communication | 2016
Pedro Casas; Alessandro D'Alconzo; Tanja Zseby; Marco Mellia
The complexity of the Internet has dramatically increased in the last few years, making it more important and challenging to design scalable Network Traffic Monitoring and Analysis (NTMA) applications and tools. Critical NTMA applications such as the detection of anomalies, network attacks and intrusions, require fast mechanisms for online analysis of thousands of events per second, as well as efficient techniques for offline analysis of massive historical data. We are witnessing a major development in Big Data Analysis Frameworks (BDAFs), but the application of BDAFs and scalable analysis techniques to the NTMA domain remains poorly understood and only in-house and difficult-to-benchmark solutions are conceived. In this position paper we describe the basis of the Big-DAMA research project, which aims at tackling this growing need by benchmarking and developing novel scalable techniques and frameworks capable of analyzing both online network traffic data streams and offline massive traffic datasets.
IEEE Transactions on Education | 2016
Tanja Zseby; Félix Iglesias Vázquez; Valentin Bernhardt; Davor Frkat; Robert Annessi
This paper presents a network security laboratory to teach data analysis for detecting TCP/IP covert channels. The laboratory is mainly designed for students of electrical engineering, but is open to students of other technical disciplines with similar background. Covert channels provide a method for leaking data from protected systems, which is a major concern for big enterprises and governments. The inclusion of covert channels in the curricula of network security students and network data analysts is therefore considered a valuable extension. In the lab exercises presented, students learn how covert channels in TCP/IP network traffic can be hidden and detected. Since the detection of covert channels requires an in-depth understanding of protocol standards and typical behavior of TCP/IP flows, the lab also provides a “playground” in which students can deepen their communication networks knowledge. Students learn how to use and interpret statistical analysis to discover abnormal patterns and footprints in network data. They are also trained to deal with noisy scenarios that increase ambiguity and uncertainty. The laboratory was first implemented during the winter semester 2014 with a class of 18 students at TU Wien, Austria. This experience showed that students consolidated the targeted skills as well as increased their interest in the topics explored. All exercises and datasets for the introduced “Network Security Advanced” lab are made publicly available.
IEEE Transactions on Education | 2016
Tanja Zseby; Félix Iglesias Vázquez; Alistair King; Kimberly C. Claffy
This paper presents a network security laboratory project for teaching network traffic anomaly detection methods to electrical engineering students. The project design follows a research-oriented teaching principle, enabling students to make their own discoveries in real network traffic, using data captured from a large IP darkspace monitor operated at the University of California, San Diego (UCSD). Although darkspace traffic does not include bidirectional conversations (only attempts to initiate them), it contains traffic related to or actually perpetrating a variety of network attacks originating from millions of Internet addresses around the world. This breadth of coverage makes this darkspace data an excellent choice for a hands-on study of Internet attack detection techniques. In addition, darkspace data is less privacy-critical than other network traces, because it contains only unwanted network traffic and no legitimate communication. In the lab exercises presented, students learn about network security challenges, search for suspicious anomalies in network traffic, and gain experience in presenting and interpreting their own findings. They acquire not only security-specific technical skills but also general knowledge in statistical data analysis and data mining techniques. They are also encouraged to discover new phenomena in the data, which helps to ignite their general interest in science and engineering research. The Vienna University of Technology, Austria, first implemented this laboratory during the summer semester 2014, with a class of 41 students. With the help of the Center for Applied Internet Data Analysis (CAIDA) at UCSD, all exercises and IP darkspace data are publicly available.
Symposium on Applications and the Internet | 2002
Juergen Quittek; Tanja Zseby; Georg Carle; Sebastian Zander
This article gives an overview of applications requiring detailed flow-based traffic measurements within IP routers or probes. From the applications, requirements for these measurements are derived and compared to the capabilities of existing technologies. Finally, current activities at the IETF on standardizing the export of flow information out of routers to data collectors are summarized.
2012 International Conference on Cyber Security | 2012
Tanja Zseby
Smart grids are progressively adopting the Internet Protocol (IP) as underlying convergence layer for the communication within and among smart grid domains. The need to interconnect millions of devices calls for the use of IPv6, which holds the key for the establishment of well-structured routing-efficient large scale networks. But smart grids are critical infrastructures and have high security demands. When deploying IPv6 in smart grid environments, we need to take care of IPv6 specific security concerns and adjust security measures to the needs of smart grid installations. In this paper we discuss IPv6 features and mechanisms with respect to their applicability to smart grid environments and provide guidelines for the establishment of a secure smart grid communication infrastructure based on IPv6.
Computer Communications | 2006
Elisa Boschi; Spyros G. Denazis; Tanja Zseby
Validating network services conformance to the guarantees given in an SLA becomes particularly challenging in inter-domain environments. We propose a system that enables the remote configuration of measurement processes across domains, allowing providers to perform coordinated non-intrusive inter-domain measurements. The system incorporates AAA functions for authorization of neighbor providers. Since the amount of result data can grow immense for non-intrusive measurements, we propose the use of sampling techniques to reduce the exported traffic load. The efficiency of the system has been validated through measurements obtained during a distributed gaming session.