Teresa Pepe
University of Pisa
Publication
Featured research published by Teresa Pepe.
International Journal of Communication Systems | 2012
Davide Adami; Christian Callegari; Stefano Giordano; Michele Pagano; Teresa Pepe
In the previous years, Skype has gained more and more popularity, since it is seen as the best VoIP software with good quality of sound, ease of use and one that works everywhere and with every OS. Because of its great diffusion, both the operators and the users are, for different reasons, interested in detecting Skype traffic. In this paper we propose a real-time algorithm (named Skype-Hunter) to detect and classify Skype traffic. In more detail, this novel method, by means of both signature-based and statistical procedures, is able to correctly reveal and classify the signaling traffic as well as the data traffic (calls and file transfers). To assess the effectiveness of the algorithm, experimental tests have been performed with several traffic data sets, collected in different network scenarios. Our system outperforms the ‘classical’ statistical traffic classifiers as well as the state-of-the-art ad hoc Skype classifier.
applied sciences on biomedical and communication technologies | 2010
Christian Callegari; Loris Gazzarrini; Stefano Giordano; Michele Pagano; Teresa Pepe
The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management. The problem has been faced by many researchers, but still remains an open field, since a general solution has not been found yet. In this paper we want to demonstrate how the performance of well-known methods for network anomaly detection can be improved by performing a random aggregation of the data before looking for the anomalies. In more detail, we show that, in two distinct cases (chosen as representative of the state-of-the-art in the field), the use of the sketches strongly improves the achieved performance.
traffic monitoring and analysis | 2013
Christian Callegari; Angelo Coluccia; Alessandro D'Alconzo; Wendy Ellens; Stefano Giordano; Michel Mandjes; Michele Pagano; Teresa Pepe; Fabio Ricciato; Piotr Żuraniewski
In this Chapter we give an overview of statistical methods for anomaly detection (AD), thereby targeting an audience of practitioners with general knowledge of statistics. We focus on the applicability of the methods by stating and comparing the conditions in which they can be applied and by discussing the parameters that need to be set.
International Journal of Communication Systems | 2014
Christian Callegari; Loris Gazzarrini; Stefano Giordano; Michele Pagano; Teresa Pepe
The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management. In this paper, we address the problem considering a method based on PCA for detecting network anomalies. In more detail, this paper presents a new technique that extends the state of the art in PCA-based anomaly detection. Indeed, by means of multi-scale analysis and Kullback–Leibler divergence, we are able to obtain great improvements with respect to the performance of the ‘classical’ approach. Moreover, we also introduce a method for identifying the flows responsible for an anomaly detected at the aggregated level. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method.
Computers & Security | 2012
Christian Callegari; Stefano Giordano; Michele Pagano; Teresa Pepe
The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management and many detection techniques, able to promptly reveal and identify network attacks, mainly detecting Heavy Changes in the network traffic, have been proposed. Among these, one of the most promising approaches is based on the use of the CUSUM (CUmulative SUM). Nonetheless, CUSUM performance is strongly affected by its sensitivity to the presence of seasonal trends in the considered data. For this reason, in this paper we propose a novel detection method based on the idea of performing a pre-processing stage of the data by means of wavelets, aimed at filtering out such trends, before applying the CUSUM algorithm. The performance analysis, presented in the paper, demonstrates the efficiency of the proposed method, focusing on the performance improvements due to the pre-processing stage.
Computers & Security | 2011
Christian Callegari; Stefano Giordano; Michele Pagano; Teresa Pepe
With the rapid development and the increasing complexity of computer and communication systems and networks, traditional security technologies and measures cannot meet the demand for integrated and dynamic security solutions. In this scenario, the use of Intrusion Detection Systems has emerged as a key element in network security. In this paper we address the problem proposing a wavelet-based technique able to detect network anomalies almost in real-time. In more detail, our approach is based on the combined use of sketches and wavelet analysis to reveal the anomalies in data collected at the router level. Moreover, to improve the detection rate we propose a multi time-scale analysis. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method.
international conference on wireless communications and mobile computing | 2010
Peter Dorfinger; Georg Panholzer; Brian Trammell; Teresa Pepe
We propose a novel approach for real-time privacy preserving traffic filtering based on entropy estimation. The decision of the real-time classifier is based on the entropy of the payload from the first packet of a flow. The aim of the classifier is to detect traffic with encrypted payload. As a proof of concept we show the applicability of our approach as a traffic filter for a Skype detection engine. Traces collected in laboratory and real-world environments show that the traffic is reduced by a reasonable amount while achieving similar or even improved detection quality.
international conference on communications | 2012
Christian Callegari; Andrea Di Pietro; Stefano Giordano; Teresa Pepe
The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management and many detection techniques, able to promptly reveal and identify network attacks, mainly detecting Heavy Changes (HCs) in the network traffic, have been proposed. Nevertheless, the recent spread of coordinated attacks that occur in multiple networks simultaneously makes detection extremely difficult using isolated intrusion detection systems that only monitor a limited portion of the Internet. For this reason in this paper we propose a novel distributed architecture that represents a general framework for the detection of network anomalies. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed architecture.
international conference on wireless communications and mobile computing | 2011
Christian Callegari; Stefano Giordano; Michele Pagano; Teresa Pepe
The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management. In this paper we present a novel method for network anomaly detection, based on the idea of discovering Heavy Change (HC) in the distribution of the Heavy Hitters in the network traffic. To assess the validity of the proposed method, we have performed an extensive experimental evaluation phase, during which our system performance has been compared to a more “classical” HC-based approach. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method.
symposium on applications and the internet | 2011
Davide Adami; Christian Callegari; Stefano Giordano; Michele Pagano; Teresa Pepe
The Transmission Control Protocol (TCP) is used by the vast majority of Internet applications. Since its introduction in the 70s, a lot of variants have been proposed to cope with the different network conditions we can have (e.g., wired networks, wireless networks, satellite links) and nowadays Linux OS includes 13 different TCP variants. The aim of this paper is to offer a detailed comparative analysis of the behavior offered by these variants over satellite networks, in terms of congestion window behavior and achieved throughput.