Results 11 - 20 of 25
Per Flow Packet Sampling for High-Speed Network Monitoring
Cited by 1 (1 self)
We present a per-flow packet sampling method that enables the real-time classification of high-speed network traffic. Our method, based on partial sampling of each flow (i.e., sampling only the early stages of each flow's lifetime), reduces total traffic enough (e.g., by a factor of five in packets and a factor of ten in bytes) to allow practical implementations at one Gigabit/s and, with limited hardware assistance, at ten Gigabit/s.
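The early-packet sampling described in the abstract above, as an added example that is not the paper's code: each bidirectional flow contributes only its first few packets to the sampled stream, and the reduction factors are computed over a constructed trace. The per-flow cut-off of ten packets and the trace contents are assumptions, not the paper's parameters.

```python
"""Per-flow early-packet sampling, as an added illustration.

A packet is kept only while its bidirectional flow has fewer than
MAX_PKTS packets seen so far; everything after the cut-off is dropped.
The cut-off value and the trace are constructed assumptions, not the
paper's parameters or data.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_PKTS = 10  # assumed per-flow cut-off


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def flow_key(p):
    """Direction-agnostic 5-tuple so replies count toward the same flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def sample_early(packets, max_pkts=MAX_PKTS):
    """Keep the first max_pkts packets of every flow, in arrival order."""
    seen = defaultdict(int)
    kept = []
    for p in packets:
        k = flow_key(p)
        if seen[k] < max_pkts:
            kept.append(p)
        seen[k] += 1
    return kept


def reduction(packets, kept):
    """Return (packet reduction factor, byte reduction factor)."""
    pk = len(packets) / len(kept)
    by = sum(p.length for p in packets) / sum(p.length for p in kept)
    return pk, by


def build_trace():
    """Constructed trace: one long bulk transfer plus five short flows."""
    trace = []
    for i in range(100):  # 100 full-size packets, alternating directions
        if i % 2 == 0:
            trace.append(Packet("10.0.0.1", 40000, "10.0.0.2", 80, "tcp", 1400))
        else:
            trace.append(Packet("10.0.0.2", 80, "10.0.0.1", 40000, "tcp", 1400))
    for port in range(50000, 50005):  # five 3-packet flows
        for _ in range(3):
            trace.append(Packet("10.0.0.3", port, "10.0.0.4", 53, "udp", 100))
    return trace


if __name__ == "__main__":
    trace = build_trace()
    kept = sample_early(trace)
    print(len(trace), "->", len(kept), "packets; reduction", reduction(trace, kept))
```

The short flows survive untouched while the bulk transfer shrinks to its first ten packets, which is why the byte reduction is much larger than the packet reduction: long flows carry most of the bytes but only their opening packets are needed for classification.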
KISS: Stochastic Packet Inspection Classifier for UDP Traffic
Cited by 1 (0 self)
This paper proposes KISS, a novel Internet classification engine. Motivated by the expected rise of UDP traffic, which stems from the momentum of P2P streaming applications, we propose a novel classification framework that leverages statistical characterization of the payload. Statistical signatures are derived by means of a Chi-Square-like test, which extracts the protocol "format" but ignores the protocol "semantic" and "synchronization" rules. The signatures feed a decision process based either on the geometric distance among samples or on Support Vector Machines. KISS is very accurate, and its signatures are intrinsically robust to packet sampling, reordering, and flow asymmetry, so that it can be used on almost any network. KISS is tested in different scenarios, considering traditional client-server protocols, VoIP and both traditional and new P2P Internet applications. Results are astonishing. The average True Positive percentage is 99.6%, with the worst case equal to 98.1%, while results are almost perfect when dealing with new P2P streaming applications.
Index Terms: Traffic classification, Supervised learning algorithms
On Measuring the Similarity of Network Hosts: Pitfalls, New Metrics, and Empirical Analyses
Cited by 1 (1 self)
As the scope and scale of network data grows, security practitioners and network operators are increasingly turning to automated data analysis methods to extract meaningful information. Underpinning these methods are distance metrics that represent the similarity between two values or objects. In this paper, we argue that many of the obvious distance metrics used to measure behavioral similarity among network hosts fail to capture the semantic meaning imbued by network protocols. Furthermore, they also tend to ignore the long-term temporal structure of the objects being measured. To explore the role of these semantic and temporal characteristics, we develop a new behavioral distance metric for network hosts and compare its performance to a metric that ignores such information. Specifically, we propose semantically meaningful metrics for common data types found within network data, show how these metrics can be combined to treat network data as a unified metric space, and describe a temporal sequencing algorithm that captures long-term causal relationships. In doing so, we bring to light several challenges inherent in defining behavioral metrics for network data, and put forth a new way of approaching network data analysis problems. Our proposed metric is empirically evaluated on a dataset of over 30 million network flows, with results that underscore the utility of a holistic approach to network data analysis.
Topnet: A Network-Aware top(1)
System administrators regularly use the top utility to understand the resource consumption of the processes running on UNIX computers. Top provides an accurate, real-time display of how the system's computing and memory capacity is divided among the running processes, but it provides no information about the network traffic sent and received by those processes. Although we have seen a proliferation of network monitoring tools that help system administrators understand the traffic flowing through their networks, most of these tools have been designed for network deployment and cannot easily, if at all, provide real-time attribution of network resources to individual processes running on end hosts. In this paper, we describe the design and implementation of Topnet, an extension of the top UNIX utility that provides a process-centric approach to traffic monitoring. Topnet presents users with an intuitive real-time attribution of network resources to individual processes. Our evaluation suggests that Topnet, through (i) the familiar user interface of top and (ii) a reasonable performance overhead, provides an accurate way to attribute network traffic to individual processes, enabling users to gain a more comprehensive process-aware understanding of network resource consumption in their systems.
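The socket-to-process join that any Topnet-like tool needs on Linux, as an added example that is not Topnet's code: /proc/net/tcp lists every TCP socket with its inode, and each /proc/<pid>/fd/<n> link of the owning process reads "socket:[inode]". The sample /proc/net/tcp text and fd-link table are constructed; the address decoding assumes a little-endian host (the kernel prints the IPv4 address as a host-order hex word).

```python
"""Attributing TCP sockets to processes from /proc, as an added illustration.

Added example, not Topnet's code. On Linux, /proc/net/tcp lists each
socket with its inode, and /proc/<pid>/fd/<n> links read "socket:[inode]";
joining the two maps connections to processes. The sample /proc/net/tcp
text and the fd-link table below are constructed; the live scan at the
bottom runs only when the script is executed directly on Linux.
"""
import os

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x06: "TIME_WAIT", 0x08: "CLOSE_WAIT", 0x0A: "LISTEN"}


def parse_addr(field):
    """'0F02000A:A1B2' -> ('10.0.2.15', 41394).

    The kernel prints the IPv4 address as a host-order 32-bit hex word;
    on little-endian hosts (assumed here) that is the octets reversed.
    """
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line (the header line is skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": parse_addr(f[1]),
            "remote": parse_addr(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def socket_inodes(fd_links):
    """{pid: [link targets]} -> {inode: pid} for 'socket:[N]' targets."""
    owner = {}
    for pid, targets in fd_links.items():
        for t in targets:
            if t.startswith("socket:[") and t.endswith("]"):
                owner[int(t[8:-1])] = pid
    return owner


def attribute(rows, fd_links):
    """Group sockets by owning pid; sockets with no visible owner go under None."""
    owner = socket_inodes(fd_links)
    by_pid = {}
    for r in rows:
        by_pid.setdefault(owner.get(r["inode"]), []).append(r)
    return by_pid


def live_fd_links():
    """Read real /proc/<pid>/fd links; other users' pids need root to be readable."""
    links = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
            links[int(pid)] = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in fds]
        except OSError:
            continue
    return links


# Constructed sample: a listener on 127.0.0.1:8080 and an outbound HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_FD_LINKS = {  # constructed: pid -> readlink() results of its fds
    1234: ["/dev/null", "socket:[12345]"],
    4242: ["pipe:[777]", "socket:[23456]", "anon_inode:[eventpoll]"],
}

if __name__ == "__main__":
    text, links = SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS
    if os.path.exists("/proc/net/tcp"):  # live view when run on Linux
        with open("/proc/net/tcp") as fh:
            text = fh.read()
        links = live_fd_links()
    for pid, socks in attribute(parse_proc_net_tcp(text), links).items():
        for s in socks:
            print(pid, s["state"], s["local"], "->", s["remote"])
```

This join only establishes ownership; /proc/net/tcp carries queue sizes, not byte counters, so per-process traffic volumes still require a packet or flow source (capture, conntrack accounting, or a kernel hook as in Topnet) keyed on the same 4-tuples. IPv6 sockets live in /proc/net/tcp6 with a differently laid-out address field, and sockets inherited or passed between processes can appear under more than one pid.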
SELF-ORGANIZING NETWORK SECURITY ENVIRONMENTS – A SIMULATIVE ANALYSIS
We discuss the need for adaptive load control in network security environments in order to cope with increasing bandwidth requirements. In earlier work, we developed a simple model to study the behavior of feedback loops for self-configuring security environments. We primarily considered the traffic between the monitoring probes, the IDS systems, and the associated firewalls. We have now extended the model to study fully self-organized network security environments in a simulation model. Initial simulation results demonstrate both the feasibility of the general approach and the possibilities of the simulation model.
Index Terms: Network monitoring, self-organization, adaptive feedback loops, complex security environments.
Flow-based TCP Connection Analysis
We discuss the need for accurate analysis of TCP connections based on aggregated flow information. Because of increasing bandwidths in the Internet, flow metering is considered a promising solution for network monitoring: packet-oriented stateful analysis is reaching its limits, and fast hardware support for flow metering is already integrated in modern routers. Motivated by earlier work on flow-based connection analysis, we investigate the quality of several stateless classifiers that can be used to determine whether a TCP connection succeeded or failed. This information is needed especially for attack detection and is usually produced by fine-grained analysis at the packet level. Furthermore, we determine appropriate configuration parameters for optimal flow metering by introducing a new statistical property, the maximum packet gap. We evaluated both the classifiers and the packet gap analysis using a number of representative packet traces. Our best classifiers correctly identify 95% of all connections at a fraction of the processing cost required for packet-based stateful connection tracking.
Keywords: TCP connection analysis; intrusion detection; flow analysis
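The two ingredients of the abstract above, as an added example that is not the paper's classifiers: a stateless success/failure decision over NetFlow-like bidirectional records carrying the union of TCP flags, and the maximum packet gap measured inside each connection, which bounds the inactive timeout a flow meter needs so that one connection does not split into several records. The record format, the decision rule and the sample records and timestamps are constructed assumptions.

```python
"""Stateless success/failure classification of TCP flow records plus the
maximum-packet-gap measurement, as an added illustration.

Added example, not the paper's classifiers. The record format (NetFlow-like
bidirectional records with a union of TCP flag letters) and the decision
rule are assumptions; the records and timestamps are constructed.
"""
from dataclasses import dataclass


@dataclass
class FlowRecord:
    flags: set      # union of TCP flags seen in either direction: S, A, F, R, P
    packets: int
    octets: int


def classify(rec):
    """Stateless rule: a connection succeeded if the record shows a SYN, an ACK
    and at least the three packets of a completed handshake, and was not torn
    down by a RST within those first packets. A record without a SYN is a
    fragment (e.g. split by a flow timeout) and cannot be judged on its own."""
    if "S" not in rec.flags:
        return "unknown"
    handshake = "A" in rec.flags and rec.packets >= 3
    aborted_early = "R" in rec.flags and rec.packets <= 3
    return "successful" if handshake and not aborted_early else "failed"


def max_packet_gap(timestamps):
    """Largest inter-packet gap inside one connection (0 for a single packet)."""
    ts = sorted(timestamps)
    return max((b - a for a, b in zip(ts, ts[1:])), default=0.0)


def inactive_timeout(gaps, fraction=0.99):
    """Inactive timeout that keeps `fraction` of connections in a single flow
    record: the chosen percentile of the observed maximum gaps."""
    ordered = sorted(gaps)
    idx = min(len(ordered) - 1, int(fraction * len(ordered)))
    return ordered[idx]


# Constructed records: a SYN scan probe, a refused connection, a connection
# reset right after the handshake, a completed request, and a SYN-less fragment.
SAMPLE_RECORDS = {
    "scan_probe": FlowRecord({"S"}, 1, 60),
    "refused": FlowRecord({"S", "R", "A"}, 2, 120),      # SYN answered by RST/ACK
    "aborted": FlowRecord({"S", "A", "R"}, 3, 180),      # SYN, SYN/ACK, RST
    "http_get": FlowRecord({"S", "A", "P", "F"}, 12, 5400),
    "fragment": FlowRecord({"A", "P"}, 40, 58000),       # no SYN: mid-connection
}

# Constructed per-connection packet timestamps (seconds).
SAMPLE_TRACES = [
    [0.0, 0.1, 0.2, 5.0, 5.1],   # keep-alive pause of 4.8 s
    [0.0, 0.05, 0.1, 0.15],
    [0.0, 0.3, 31.0],            # 30.7 s idle inside one connection
]


def demo():
    verdicts = {name: classify(r) for name, r in SAMPLE_RECORDS.items()}
    gaps = [max_packet_gap(t) for t in SAMPLE_TRACES]
    return verdicts, gaps, inactive_timeout(gaps, 0.99)


if __name__ == "__main__":
    verdicts, gaps, timeout = demo()
    for name, v in verdicts.items():
        print(f"{name:11s} {v}")
    print("max gaps:", gaps, "-> inactive timeout >=", timeout, "s")
```

The "fragment" record is the case the packet-gap measurement exists for: if the meter's inactive timeout is shorter than the idle periods real connections contain, the second half of a connection surfaces as a SYN-less record that no stateless rule can score, so the timeout should be set above the high percentile of observed maximum gaps.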
Traffic Mining in IP Tunnels (2008)
This industrial thesis presents a new approach to the identification and classification of network flows in the context of encrypted tunnels (VPNs). The goal is to discover quantities that are invariant with respect to the tunnel's encryption function. VPN traffic classification differs from classical packet analysis because the packet content is not available in clear text. To extract information, we apply Traffic Mining methods, a branch of Data Mining. The work studies the statistics and temporal behaviour of different network protocols based on the distribution of packet lengths and their inter-arrival times. The first part of this work describes in detail how VPN tunnels can be analysed with Traffic Mining methods; it presents the information that can be taken from encrypted traffic and how it must be combined to extract statistical data. We use Fourier transforms to extract features that are not visible in the time domain. We propose a sampling technique that accentuates the features in the resulting spectrum.
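The two encryption-invariant features named in the abstract above, as an added example that is not the thesis's code: the packet-length distribution and the spectrum of the packet arrival process. A constant-bitrate VoIP-like stream produces a single packet size and a sharp spectral line at its packet rate even when every payload is opaque, while a bulk transfer produces neither. The 5 ms bins, the 256-bin window, the plain O(n^2) DFT and both synthetic flows are constructed assumptions.

```python
"""Encryption-invariant features of a tunnelled flow: packet-length
distribution and the spectrum of the arrival process, as an added illustration.

Added example, not the thesis's code. Packet arrivals are binned into a
fixed-width time series and a plain DFT finds the dominant rate; a CBR
VoIP-like stream shows a clear line that bulk traffic does not. Bin width,
window length and both synthetic flows are constructed assumptions.
"""
import cmath
import random
from collections import Counter

BIN_S = 0.005   # assumed 5 ms bins
NBINS = 256     # 1.28 s window -> 200 Hz sample rate, 0.78 Hz resolution


def length_histogram(lengths):
    """Fraction of packets per size; a CBR codec collapses to one size."""
    c = Counter(lengths)
    return {size: n / len(lengths) for size, n in sorted(c.items())}


def arrival_series(timestamps, bin_s=BIN_S, nbins=NBINS):
    """Packets per bin; each arrival goes to the nearest bin boundary."""
    series = [0] * nbins
    for t in timestamps:
        b = int(t / bin_s + 0.5)
        if 0 <= b < nbins:
            series[b] += 1
    return series


def dft_magnitudes(x):
    """Direct DFT, O(n^2): dependency-free and fast enough for 256 points."""
    n = len(x)
    return [abs(sum(x[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n)))
            for k in range(n)]


def dominant_frequency(timestamps, bin_s=BIN_S, nbins=NBINS):
    """(frequency in Hz of the strongest line below Nyquist, excluding DC,
    share of the non-DC spectral energy in that line)."""
    mags = dft_magnitudes(arrival_series(timestamps, bin_s, nbins))
    half = mags[1:nbins // 2]
    k = max(range(len(half)), key=lambda i: half[i]) + 1
    energy = sum(m * m for m in half)
    share = half[k - 1] ** 2 / energy if energy else 0.0
    return k / (nbins * bin_s), share


def voip_like(interval=0.020, size=200, n=64):
    """Constructed CBR stream: one fixed-size packet every 20 ms."""
    return [i * interval for i in range(n)], [size] * n


def bulk_like(rng, n=64):
    """Constructed bursty transfer: random gaps, sizes near the MTU plus ACKs."""
    t, ts, sizes = 0.0, [], []
    for _ in range(n):
        t += rng.uniform(0.0, 0.040)
        ts.append(t)
        sizes.append(rng.choice([1400, 1420, 1460, 60]))
    return ts, sizes


def demo():
    rng = random.Random(7)
    v_ts, v_len = voip_like()
    b_ts, b_len = bulk_like(rng)
    return {
        "voip": (length_histogram(v_len), dominant_frequency(v_ts)),
        "bulk": (length_histogram(b_len), dominant_frequency(b_ts)),
    }


if __name__ == "__main__":
    for name, (hist, (freq, share)) in demo().items():
        print(name, "sizes:", hist, "peak: %.1f Hz (share %.2f)" % (freq, share))
```

Padding schemes and traffic shaping inside the tunnel attack exactly these two features, which is the practical reading of the thesis: a VPN that hides payload but preserves packet sizes and timing still leaks the application.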
KISS: Stocastic Packet Inspection for UDP Traffic Classification
This paper proposes KISS, a novel Internet classification engine. Motivated by the expected rise of UDP traffic, which stems from the momentum of P2P streaming applications, we propose a novel payload-based classification framework that leverages statistical characterization of the payload. Statistical signatures are automatically inferred from training data by means of a Chi-Square-like test, which extracts the protocol "format" but ignores the protocol semantic and synchronization rules. The signatures feed a decision engine based either on a simple geometric decision process or on Support Vector Machines. KISS is very efficient, and its signatures are intrinsically robust to packet sampling, reordering, and flow asymmetry, so that it can be used on almost any network. KISS is tested in different scenarios, considering data, VoIP, and traditional P2P Internet applications. Results are astonishing. The average True Positive percentage is 99.6%, with the worst case equal to 98.7%, and fewer than 0.05% False Positives are raised. KISS also provides almost perfect results when facing new P2P streaming applications such as Joost, PPLive, SopCast and TVants.
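The signature construction described in both KISS abstracts on this page (the earlier "Stochastic Packet Inspection Classifier" listing and this one), as one added example that is not the KISS authors' code. It assumes the first 12 payload bytes are split into 24 four-bit chunks, that a signature is the Chi-Square statistic of each chunk's value distribution against the uniform distribution over a window of packets, and that the decision is nearest centroid in Euclidean distance (the "geometric" option; the SVM option is not shown). The two synthetic protocols, the 80-packet window and the zero padding of short payloads are constructed assumptions.

```python
"""KISS-style chi-square payload signatures, as an added illustration.

Added example, not the KISS authors' code. Assumptions: the first 12
payload bytes are split into 24 four-bit chunks, a signature is the
chi-square of each chunk's value distribution against uniform over a
window of WINDOW packets, and classification is nearest centroid in
Euclidean distance. The two sample protocols are constructed.
"""
import math
import random

NBYTES = 12           # assumed number of payload bytes inspected
NCHUNKS = 2 * NBYTES  # four-bit chunks
WINDOW = 80           # assumed packets per signature


def chunks(payload):
    """Nibbles of the first NBYTES bytes, zero-padded for short payloads."""
    buf = payload[:NBYTES].ljust(NBYTES, b"\x00")
    out = []
    for b in buf:
        out.append(b >> 4)
        out.append(b & 0x0F)
    return out


def signature(window):
    """Per-chunk chi-square versus the uniform distribution over 16 values.

    A chunk that is constant across the window scores 15*N (all mass in one
    bin); a uniformly random chunk scores about 15 (its degrees of freedom).
    """
    n = len(window)
    expected = n / 16
    counts = [[0] * 16 for _ in range(NCHUNKS)]
    for payload in window:
        for i, v in enumerate(chunks(payload)):
            counts[i][v] += 1
    return [sum((c - expected) ** 2 / expected for c in pos) for pos in counts]


def centroid(signatures):
    return [sum(s[i] for s in signatures) / len(signatures) for i in range(NCHUNKS)]


def classify(sig, centroids):
    """Geometric decision: the class whose centroid is nearest."""
    def dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return min(centroids, key=lambda name: dist(sig, centroids[name]))


# Constructed traffic: "fixedhdr" carries a constant 2-byte header (hypothetical
# value 0x17 0x03) before random bytes; "opaque" is random throughout.
def gen_fixedhdr(rng):
    return b"\x17\x03" + bytes(rng.randrange(256) for _ in range(NBYTES - 2))


def gen_opaque(rng):
    return bytes(rng.randrange(256) for _ in range(NBYTES))


def train(rng, windows=5):
    gens = {"fixedhdr": gen_fixedhdr, "opaque": gen_opaque}
    return {
        name: centroid([signature([g(rng) for _ in range(WINDOW)]) for _ in range(windows)])
        for name, g in gens.items()
    }


def demo():
    """Train on constructed windows, then classify one unseen window per class."""
    rng = random.Random(1)
    cents = train(rng)
    probe_fixed = signature([gen_fixedhdr(rng) for _ in range(WINDOW)])
    probe_opaque = signature([gen_opaque(rng) for _ in range(WINDOW)])
    return classify(probe_fixed, cents), classify(probe_opaque, cents), probe_fixed


if __name__ == "__main__":
    verdict_fixed, verdict_opaque, sig = demo()
    print(verdict_fixed, verdict_opaque, [round(x) for x in sig[:6]])
```

Because each signature is built from the marginal value distribution of every chunk, it does not depend on packet order, on which direction of the flow was observed, or on which packets of the flow happened to be sampled, which is the robustness the abstract claims; the price is that any protocol whose header fields are all random-looking (encrypted or well-compressed) collapses onto the same "all chunks near 15" signature.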

