% This file was created with JabRef 2.10.
% Encoding: UTF8
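@Article{Ciflikli-2012-Packet,
  Title = {{Packet traffic features of IPv6 and IPv4 protocol traffic}},
  Author = {{\c{C}}iflikli, Cebrail and Gerzer, Ali and {\"O}z{\c{s}}ahin, Abdulah Tuncay},
  Journal = {Turkish Journal of Electrical Engineering \& Computer Sciences},
  Year = {2012},
  Number = {5},
  Pages = {727--749},
  Volume = {20},
  Doi = {10.3906/elk-1008-696},
  Issue_date = {September 2012},
  Numpages = {23},
  Owner = {velan},
  Timestamp = {2017.10.25}
}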
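@InProceedings{Aazam-2010-Comparison,
  Title = {{Comparison of IPv6 Tunneled Traffic of Teredo and ISATAP over Test-bed Setup}},
  Author = {Aazam, Mohammad and Khan, Imran and Alam, Muhammad and Qayyum, Amir},
  Booktitle = {2010 International Conference on Information and Emerging Technologies},
  Year = {2010},
  Month = jun,
  Pages = {1--4},
  Doi = {10.1109/ICIET.2010.5625689},
  Keywords = {IP networks;Linux;ICMP-ping traffic;IPv6 tunneled traffic comparison;ISATAP;Linux operating systems;MS Windows Server 2003;MS Windows XP;audio streaming;test bed setup;video streaming;Linux;Routing protocols;Servers;Tunneling;IPv6 tunneling;ISATAP;Teredo},
  Owner = {velan},
  Timestamp = {2017.10.25}
}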
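@InProceedings{Abt-2013-Passive,
  Title = {{Passive Remote Source NAT Detection Using Behavior Statistics Derived from Netflow}},
  Author = {Abt, Sebastian and Dietz, Christian and Baier, Harald and Petrovi{\'c}, Slobodan},
  Booktitle = {Proceedings of the 7th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security: Emerging Management Mechanisms for the Future Internet - Volume 7943},
  Year = {2013},
  Address = {Berlin, Heidelberg},
  Pages = {148--159},
  Publisher = {Springer-Verlag},
  Series = {AIMS'13},
  Acmid = {2525047},
  Doi = {10.1007/978-3-642-38998-6_18},
  ISBN = {978-3-642-38997-9},
  Keywords = {C4.5, NAT detection, NetFlow, SVM, network address translation},
  Location = {Barcelona, Spain},
  Numpages = {12},
  Owner = {velan},
  Timestamp = {2017.05.25},
  Url = {https://doi.org/10.1007/978-3-642-38998-6_18}
}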
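@Article{skype-hunter,
  Title = {{Skype-Hunter: A real-time system for the detection and classification of Skype traffic}},
  Author = {Adami, Davide and Callegar, Christian and Giordano, Stefano and Pagano, Michele and Pepe, Teresa},
  Journal = {International Journal of Communication Systems},
  Year = {2011},
  Month = feb,
  Number = {3},
  Pages = {386--403},
  Volume = {25},
  Abstract = {In the previous years, Skype has gained more and more popularity, since it is seen as the best VoIP software with good quality of sound, ease of use and one that works everywhere and with every OS. Because of its great diffusion, both the operators and the users are, for different reasons, interested in detecting Skype traffic. In this paper we propose a real-time algorithm (named Skype-Hunter) to detect and classify Skype traffic. In more detail, this novel method, by means of both signature-based and statistical procedures, is able to correctly reveal and classify the signaling traffic as well as the data traffic (calls and file transfers). To assess the effectiveness of the algorithm, experimental tests have been performed with several traffic data sets, collected in different network scenarios. Our system outperforms the ‘classical’ statistical traffic classifiers as well as the state-of-the-art ad hoc Skype classifier.},
  Doi = {10.1002/dac.1247},
  Keywords = {Skype, detection, traffic description},
  Owner = {Milan},
  Timestamp = {2014.11.03},
  Url = {http://onlinelibrary.wiley.com/doi/10.1002/dac.1247/pdf}
}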
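@InProceedings{Akhawe-2013-Heres,
  Title = {{Here's My Cert, So Trust Me, Maybe?: Understanding TLS Errors on the Web}},
  Author = {Akhawe, Devdatta and Amann, Bernhard and Vallentin, Matthias and Sommer, Robin},
  Booktitle = {Proceedings of the 22nd International Conference on World Wide Web},
  Year = {2013},
  Address = {Republic and Canton of Geneva, Switzerland},
  Pages = {59--70},
  Publisher = {International World Wide Web Conferences Steering Committee},
  Series = {WWW '13},
  Abstract = {When browsers report TLS errors, they cannot distinguish between attacks and harmless server misconfigurations; hence they leave it to the user to decide whether continuing is safe. However, actual attacks remain rare. As a result, users quickly become used to "false positives" that deplete their attention span, making it unlikely that they will pay sufficient scrutiny when a real attack comes along. Consequently, browser vendors should aim to minimize the number of low-risk warnings they report. To guide that process, we perform a large-scale measurement study of common TLS warnings. Using a set of passive network monitors located at different sites, we identify the prevalence of warnings for a total population of about 300,000 users over a nine-month period. We identify low-risk scenarios that consume a large chunk of the user attention budget and make concrete recommendations to browser vendors that will help maintain user attention in high-risk situations. We study the impact on end users with a data set much larger in scale than the data sets used in previous TLS measurement studies. A key novelty of our approach involves the use of internal browser code instead of generic TLS libraries for analysis, providing more accurate and representative results.},
  Acmid = {2488395},
  ISBN = {978-1-4503-2035-1},
  Keywords = {tls, warnings},
  Location = {Rio de Janeiro, Brazil},
  Numpages = {12},
  Owner = {velan},
  Review = {Authors study TLS errors reported by common browsers. They passively monitor certificates of servers contacted by users and evaluate errors encountered during validation. Unlike other works, they use the same TLS library as browsers, which gives different validation results than OpenSSL. Authors provide recommendations for browser authors to reduce the number of TLS-related error messages.},
  Timestamp = {2014.06.18},
  Url = {http://dl.acm.org/citation.cfm?id=2488388.2488395}
}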
@TechReport{Alcock-2012-libprotoident,
  Author      = {Alcock, Shane and Nelson, Richard},
  Title       = {{Libprotoident: Traffic Classification Using Lightweight Packet Inspection}},
  Institution = {WAND Network Research Group},
  Year        = {2012},
  Abstract    = {At present, accurate traffic classification usually requires the use of deep packet inspection to analyse packet payload. This requires significant CPU and memory resources and are invasive of network user privacy. In this paper, we propose an alternative traffic classification approach that is lightweight and only examines the first four bytes of packet payload observed in each direction. We have implemented as an open-source library called libprotoident, which we evaluate by comparing its performance against existing traffic classifiers that use deep packet inspection. Our results show that our approach offers comparable (if not better) accuracy than tools that have access to full packet payload, yet requires less processing resources and is more acceptable, from a privacy standpoint, to network operators and users.},
  Keywords    = {libprotoident},
  Url         = {http://www.wand.net.nz/~salcock/lpi/lpi.pdf},
  Urldate     = {2017-04-28},
  Owner       = {velan},
  Timestamp   = {2017.04.28}
}
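@Book{Alpaydin-2010-Introduction,
  Title = {{Introduction to Machine Learning}},
  Author = {Alpaydin, Ethem},
  Publisher = {The MIT Press},
  Year = {2010},
  Edition = {Second},
  Abstract = {The goal of machine learning is to program computers to use example data or past experience to solve a given problem. Many successful applications of machine learning exist already, including systems that analyze past sales data to predict customer behavior, optimize robot behavior so that a task can be completed using minimum resources, and extract knowledge from bioinformatics data. Introduction to Machine Learning is a comprehensive textbook on the subject, covering a broad array of topics not usually included in introductory machine learning texts. In order to present a unified treatment of machine learning problems and solutions, it discusses many methods from different fields, including statistics, pattern recognition, neural networks, artificial intelligence, signal processing, control, and data mining. All learning algorithms are explained so that the student can easily move from the equations in the book to a computer program. The text covers such topics as supervised learning, Bayesian decision theory, parametric methods, multivariate methods, multilayer perceptrons, local models, hidden Markov models, assessing and comparing classification algorithms, and reinforcement learning. New to the second edition are chapters on kernel machines, graphical models, and Bayesian estimation; expanded coverage of statistical tests in a chapter on design and analysis of machine learning experiments; case studies available on the Web (with downloadable results for instructors); and many additional exercises. All chapters have been revised and updated. Introduction to Machine Learning can be used by advanced undergraduates and graduate students who have completed courses in computer programming, probability, calculus, and linear algebra. It will also be of interest to engineers in the field who are concerned with the application of machine learning methods. Adaptive Computation and Machine Learning series},
  ISBN = {978-0262012430},
  Owner = {velan},
  Review = {The book contains descriptions of the most common machine learning algorithms, such as RIPPER, Naive Bayesian, C4.5, clustering, Hidden Markov Models and boosting. The index can be found at http://mitpress.mit.edu/sites/default/files/titles/content/9780262012430_ind_0001.pdf},
  Timestamp = {2014.10.17}
}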
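@InProceedings{Alshammari-2009-Classifying,
  Title = {{Classifying SSH Encrypted Traffic with Minimum Packet Header Features Using Genetic Programming}},
  Author = {Alshammari, Riyad and Lichodzijewski, Peter and Heywood, I. Malcolm and Zincir-Heywood, A. Nur},
  Booktitle = {Proceedings of the 11th Annual Conference Companion on Genetic and Evolutionary Computation Conference: Late Breaking Papers},
  Year = {2009},
  Address = {New York, NY, USA},
  Pages = {2539--2546},
  Publisher = {ACM},
  Series = {GECCO '09},
  Abstract = {The classification of Encrypted Traffic, namely Secure Shell (SSH), on the fly from network TCP traffic represents a particularly challenging application domain for machine learning. Solutions should ideally be both simple - therefore efficient to deploy - and accurate. Recent advances to teambased Genetic Programming provide the opportunity to decompose the original problem into a subset of classifiers with non-overlapping behaviors, in effect providing further insight into the problem domain and increasing the throughput of solutions. Thus, in this work we have investigated the identification of SSH encrypted traffic based on packet header features without using IP addresses, port numbers and payload data. Evaluation of C4.5 and AdaBoost - representing current best practice - against the Symbiotic Bid-based (SBB) paradigm of team-based Genetic Programming (GP) under data sets common and independent from the training condition indicates that SBB based GP solutions are capable of providing simpler solutions without sacrificing accuracy.},
  Acmid = {1570358},
  Doi = {10.1145/1570256.1570358},
  ISBN = {978-1-60558-505-5},
  Keywords = {active learning, defense applications, encrypted traffic classification, genetic programming, packet, problem decomposition, security, supervised learning, teaming},
  Location = {Montreal, Qu{\'e}bec, Canada},
  Numpages = {8},
  Owner = {velan},
  Review = {Comparison of AdaBoost and C4.5. Packet header features were selected using genetic programming. Authors used DARPA and custom data sets. SSH is the reference protocol that was identified in the data.},
  Timestamp = {2014.10.17},
  Url = {https://doi.org/10.1145/1570256.1570358}
}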
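@Article{Alshammari-2011-Can,
  Title = {{Can encrypted traffic be identified without port numbers, IP addresses and payload inspection?}},
  Author = {Alshammari, Riyad and Zincir-Heywood, A. Nur},
  Journal = {Computer Networks},
  Year = {2011},
  Number = {6},
  Pages = {1326--1350},
  Volume = {55},
  Abstract = {Identifying encrypted application traffic represents an important issue for many network tasks including quality of service, firewall enforcement and security. Solutions should ideally be both simple – therefore efficient to deploy – and accurate. This paper presents a machine learning based approach employing simple packet header feature sets and statistical flow feature sets without using the {IP} addresses, source/destination ports and payload information to unveil encrypted application tunnels in network traffic. We demonstrate the effectiveness of our approach as a forensic analysis tool on two encrypted applications, Secure {SHell} (SSH) and Skype, using traces captured from entirely different networks. Results indicate that it is possible to identify encrypted traffic tunnels with high accuracy without inspecting payload, {IP} addresses and port numbers. Moreover, it is also possible to identify which services run in encrypted tunnels.},
  Doi = {10.1016/j.comnet.2010.12.002},
  ISSN = {1389-1286},
  Keywords = {Encrypted traffic identification},
  Owner = {velan},
  Review = {Authors present a machine learning based approach to unveil encrypted application tunnels in network traffic. They show how to identify services running in such encrypted tunnels. Three machine learning algorithms are tested: AdaBoost, C4.5 and Genetic Programming. Authors use AMP, MAWI, DARPA99 and Italy traces and custom created traffic traces for training and testing the classifiers. PacketShaper is used to classify the custom traces. Authors work with packet header attributes and flow features separately. They also show that the combination of both allows improving the detection rate of encrypted traffic. They also discovered that the Genetic Programming approach achieved the best results.},
  Timestamp = {2014.10.17},
  Url = {http://www.sciencedirect.com/science/article/pii/S1389128610003695}
}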
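@InProceedings{Alshammari-2010-Investigation,
  Title = {{An Investigation on the Identification of VoIP traffic: Case study on Gtalk and Skype}},
  Author = {Alshammari, Riyad and Zincir-Heywood, A. Nur},
  Booktitle = {Network and Service Management (CNSM), 2010 International Conference on},
  Year = {2010},
  Month = oct,
  Pages = {310--313},
  Abstract = {The classification of encrypted traffic on the fly from network traces represents a particularly challenging application domain. Recent advances in machine learning provide the opportunity to decompose the original problem into a subset of classifiers with non-overlapping behaviors, in effect providing further insight into the problem domain. Thus, the objective of this work is to classify VoIP encrypted traffic, where Gtalk and Skype applications are taken as good representatives. To this end, three different machine learning based approaches, namely, C4.5, AdaBoost and Genetic Programming (GP), are evaluated under data sets common and independent from the training condition. In this case, flow based features are employed without using the IP addresses, source/destination ports and payload information. Results indicate that C4.5 based machine learning approach has the best performance.},
  Doi = {10.1109/CNSM.2010.5691210},
  Keywords = {Internet telephony;genetic algorithms;learning (artificial intelligence);telecommunication traffic;AdaBoost;C4.5;Gtalk;IP address;Skype;VoIP encrypted traffic;genetic programming;machine learning;source/destination port;Cryptography;Feature extraction;Internet;Machine learning;Machine learning algorithms;Protocols;Training data},
  Location = {Niagara Falls, Canada},
  Owner = {velan},
  Review = {Authors use supervised machine learning methods: AdaBoost, C4.5 and Genetic Programming to distinguish between Skype, Gtalk and other traffic. Both Skype and Gtalk use encryption, therefore the methods must distinguish between several types of encrypted traffic. The data set contains other VoIP data, both encrypted and unencrypted. Moreover, it contains traces of other applications such as FTP, SSH, HTTP, and mail. Ground truth was established using a commercial DPI-based classification tool. Ground truth for manually generated traces is easily gained. 22 flow features are used by the classifiers. Experiments showed that the C4.5 classifier achieves the best detection rate with a small false positive rate.},
  Timestamp = {2015.03.23}
}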
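@InProceedings{Alshammari-2009-Machine,
  Title = {{Machine learning based encrypted traffic classification: Identifying SSH and Skype}},
  Author = {Alshammari, Riyad and Zincir-Heywood, A. Nur},
  Booktitle = {Computational Intelligence for Security and Defense Applications, 2009. CISDA 2009. IEEE Symposium on},
  Year = {2009},
  Month = jul,
  Pages = {1--8},
  Abstract = {The objective of this work is to assess the robustness of machine learning based traffic classification for classifying encrypted traffic where SSH and Skype are taken as good representatives of encrypted traffic. Here what we mean by robustness is that the classifiers are trained on data from one network but tested on data from an entirely different network. To this end, five learning algorithms - adaboost, support vector machine, Na{\"\i}ve Bayesian, RIPPER and C4.5 - are evaluated using flow based features, where IP addresses, source/destination ports and payload information are not employed. Results indicate the C4.5 based approach performs much better than other algorithms on the identification of both SSH and Skype traffic on totally different networks.},
  Doi = {10.1109/CISDA.2009.5356534},
  Keywords = {cryptography;learning (artificial intelligence);support vector machines;telecommunication traffic;C4.5 based approach;Na{\"\i}ve Bayesian;RIPPER;Skype;adaboost;encrypted traffic classification;flow based features;machine learning;secure shell;support vector machine;traffic classification;Bayesian methods;Cryptography;Financial management;Machine learning;Payloads;Robustness;Support vector machine classification;Support vector machines;Telecommunication traffic;Traffic control},
  Location = {Ottawa, Canada},
  Owner = {velan},
  Review = {Authors compare five different machine learning algorithms for traffic classification: AdaBoost, Support Vector Machine, Naive Bayesian, RIPPER, C4.5. Skype and SSH protocols are classified without the use of packet payloads, IP addresses or ports. The robustness of the methods is tested by training each method on one network and running it on another network with different properties. Authors use two public traces (no payload), DARPA99 trace (with payload, SSH identified by handshake) and one trace measured at their university campus (labeled using PacketShaper, which uses L7 filter). Authors sampled the data sets to lower the amount of processed data; the training data set is chosen from the campus trace. The paper contains a very good related work chapter and description of classification algorithms with references.},
  Timestamp = {2014.10.03}
}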
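@InCollection{Alshammari-2009-Preliminary,
  Title = {{A Preliminary Performance Comparison of Two Feature Sets for Encrypted Traffic Classification}},
  Author = {Alshammari, Riyad and Zincir-Heywood, A. Nur},
  Booktitle = {Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS'08},
  Publisher = {Springer Berlin Heidelberg},
  Year = {2009},
  Pages = {203--210},
  Series = {Advances in Soft Computing},
  Volume = {53},
  Abstract = {The objective of this work is the comparison of two types of feature sets for the classification of encrypted traffic such as SSH. To this end, two learning algorithms – RIPPER and C4.5 – are employed using packet header and flow-based features. Traffic classification is performed without using features such as IP addresses, source/destination ports and payload information. Results indicate that the feature set based on packet header information is comparable with flow based feature set in terms of a high detection rate and a low false positive rate.},
  Doi = {10.1007/978-3-540-88181-0_26},
  ISBN = {978-3-540-88180-3},
  Keywords = {Encrypted Traffic Classification; Packet; Flow; Security},
  Language = {English},
  Location = {Genoa, Italy},
  Owner = {velan},
  Review = {Two types of feature sets are compared: packet header based and flow based. The SSH traffic is used as an etalon for the comparison. The packet header feature set contains information from packet headers with the exception of IP addresses and transport protocol ports. It also contains packet inter-arrival time. Flow feature set is calculated from one or more packets for each flow. RIPPER and C4.5 classification algorithms are used to compare selected feature sets. The C4.5 classifier showed better results in detection rate and false positive rate. The results provided by both feature sets seem to be comparable. Authors claim that SSH traffic detection is possible even without packet payload and that it requires less processing power.},
  Timestamp = {2014.10.06},
  Url = {https://doi.org/10.1007/978-3-540-88181-0_26}
}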
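@InProceedings{Alshammari-2007-flow,
  Title = {{A Flow Based Approach for SSH Traffic Detection}},
  Author = {Alshammari, Riyad and Zincir-Heywood, A. Nur},
  Booktitle = {Systems, Man and Cybernetics, 2007. ISIC. IEEE International Conference on},
  Year = {2007},
  Month = oct,
  Pages = {296--301},
  Abstract = {The basic objective of this work is to assess the utility of two supervised learning algorithms AdaBoost and RIPPER for classifying SSH traffic from log files without using features such as payload, IP addresses and source/destination ports. Pre-processing is applied to the traffic data to express as traffic flows. Results of 10-fold cross validation for each learning algorithm indicate that a detection rate of 99\% and a false positive rate of 0.7\% can be achieved using RIPPER. Moreover, promising preliminary results were obtained when RIPPER was employed to identify which service was running over SSH. Thus, it is possible to detect SSH traffic with high accuracy without using features such as payload, IP addresses and source/destination ports, where this represents a particularly useful characteristic when requiring generic, scalable solutions.},
  Doi = {10.1109/ICSMC.2007.4414006},
  Keywords = {IP networks;learning (artificial intelligence);telecommunication network management;telecommunication security;telecommunication traffic;AdaBoost;IP address;RIPPER;SSH traffic detection;payload;source/destination ports;supervised learning algorithms;traffic data;traffic flows;Application software;Computer science;Cryptography;Engineering management;Financial management;Inspection;Payloads;Supervised learning;Telecommunication traffic;Traffic control},
  Location = {Montreal, Quebec, Canada},
  Owner = {velan},
  Review = {AdaBoost and RIPPER classification algorithms were compared on traces of SSH traffic. No payload, IP addresses nor ports were used for the classification. First the authors concentrate on automatic recognition of SSH traffic. Then they develop automatic recognition of different services and applications running over SSH. NLANR and MAWI public data sets are used for the first phase (GT is gained from port numbers); a private data set is used for the second phase, since the authors need to establish a ground truth. NetMate is used to extract features from the traffic. Authors show that RIPPER provides better detection rate and lower false positive rate on their data sets for both SSH detection and application classification.},
  Timestamp = {2014.10.17}
}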
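@InProceedings{Amoli-2013-real,
  Title = {{A Real Time Unsupervised NIDS for Detecting Unknown and Encrypted Network Attacks in High Speed Network}},
  Author = {Amoli, Payam Vahdani and Hamalainen, Timo},
  Booktitle = {Measurements and Networking Proceedings (M\&N), 2013 IEEE International Workshop on},
  Year = {2013},
  Month = oct,
  Pages = {149--154},
  Abstract = {Previously, Network Intrusion Detection Systems (NIDS) detected intrusions by comparing the behaviour of the network to the pre-defined rules or pre-observed network traffic, which was expensive in terms of both cost and time. Unsupervised machine learning techniques have overcome these issues and can detect unknown and complex attacks within normal or encrypted communication without any prior knowledge. NIDS monitors bytes, packets and network flow to detect intrusions. It is nearly impossible to monitor the payload of all packets in a high-speed network. On the other hand, the content of packets does not have sufficient information to detect a complex attack. Since the rate of attacks within encrypted communication is increasing and the content of encrypted packets is not accessible to NIDS, it has been suggested to monitor network flows. As most network intrusions spread within the network very quickly, in this paper we will propose a new real-time unsupervised NIDS for detecting new and complex attacks within normal and encrypted communications. To achieve having a real-time NIDS, the proposed model should capture live network traffic from different sensors and analyse specific metrics such as number of bytes, packets, network flows, and the time explicitly and implicitly, of packets and network flows, in the different resolutions. The NIDS will flag the time slot as an anomaly if any of those metrics passes the threshold, and it will send the time slot to the first engine. The first engine clusters different layers and dimensions of the network's behaviour and correlates the outliers to purge the intrusions from normal traffic. Detecting network attacks, which produce a huge amount of network traffic (e.g. DOS, DDOS, scanning) was the aim of proposing the first engine. Analysing statistics of network flows increases the feasibility of detecting intrusions within encrypted communications. The aim of proposing the second engine is to conduct a deeper analysis and correlate the traffic and behaviour of Bots (current attackers) during DDOS attacks to find the Bot-Master.},
  Doi = {10.1109/IWMN.2013.6663794},
  Keywords = {cryptography;telecommunication traffic;unsupervised learning;Bot-Master;DBScan algorithm;DOS;denial of service;encrypted communication;encrypted network traffic;high speed network;live network traffic;network flow monitoring;network intrusion detection systems;real time unsupervised NIDS;time slot;unsupervised machine learning;Clustering algorithms;Cryptography;Engines;IP networks;Monitoring;Real-time systems;Telecommunication traffic;Clustering;Encrypted Network Traffic;NIDS;Network Flows;Unsupervised Intelligent Engine},
  Location = {Naples, Italy},
  Owner = {velan},
  Review = {In the introduction, the authors describe possible approaches to detecting attacks in encrypted traffic. They propose a real-time unsupervised NIDS for detecting attacks in encrypted communication. The first engine of the NIDS detects DoS, DDoS, etc. The second engine analyses the attack to identify the botnet master behind it. To detect anomalies in the first engine, the authors use multi-clustering algorithms. Encrypted traffic is not explicitly identified, but the attacks are detected in it.},
  Timestamp = {2014.08.06}
}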
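@InProceedings{Antichi-2012-Enabling,
  Title = {{Enabling open-source high speed network monitoring on NetFPGA}},
  Author = {Antichi, Gianni and Giordano, Stefano and Miller, David J. and Moore, Andrew W.},
  Booktitle = {Network Operations and Management Symposium (NOMS), 2012 IEEE},
  Year = {2012},
  Month = apr,
  Pages = {1029--1035},
  Abstract = {Network measurement both as diagnostic and within measurement-based techniques of traffic engineering and management, alongside network measurement for security has maintained the needs of researchers and network operators for the ongoing development of measurement tools for traffic monitoring/characterisation and to support Intrusion Detection Systems (IDSs). Many such tools capitalise on the pricing of commodity hardware by operating on general purpose architectures. Many are based on the well known libpcap API, a de facto standard in this area. Despite the many improvements that have been applied to packet capturing, packet-monitoring implementations still suffer from either: performance flaws on commodity hardware due mainly to unresolvable hardware bottlenecks, or costly and inflexible niche systems. To address such issues, the paper proposes a system architecture based on the cooperation of NetFPGA and a general purpose host PC. The NetFPGA is an open networking platform accelerator that enables rapid development of hardware-accelerated packet processing applications. The objective is to combine the high performance of a hardware-oriented solution with the flexibility of general purpose PCs.},
  Doi = {10.1109/NOMS.2012.6212025},
  ISSN = {1542-1201},
  Keywords = {application program interfaces;computer architecture;computer network management;computer network security;field programmable gate arrays;telecommunication traffic;IDS;NetFPGA;commodity hardware pricing;diagnostic technique;general purpose architectures;general purpose host PC;hardware-accelerated packet processing applications;intrusion detection systems;libpcap API;network measurement;niche systems;open networking platform accelerator;open-source high speed network monitoring;packet capturing;packet-monitoring;performance flaws;traffic characterisation;traffic engineering;traffic management;traffic monitoring;unresolvable hardware bottlenecks;within-measurement-based technique;Accuracy;Computer architecture;Hardware;Monitoring;Oscillators;Radiation detectors;Software},
  Owner = {velan},
  Timestamp = {2014.08.28}
}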
@InProceedings{Arndt-2011-Comparison,
Title = {{A Comparison of Three Machine Learning Techniques for Encrypted Network Traffic Analysis}},
Author = {Arndt, Daniel J. and Zincir-Heywood, A. Nur},
Booktitle = {Computational Intelligence for Security and Defense Applications (CISDA), 2011 IEEE Symposium on},
Year = {2011},
Month = Apr,
Pages = {107-114},
Abstract = {This work evaluates three methods for encrypted traffic analysis without using the IP addresses, port number, and payload information. To this end, binary identification of SSH vs non-SSH traffic is used as a case study since the plain text initiation of the SSH protocol allows us to obtain data sets with a reliable ground truth. The methods are subject to several tests using different export options, feature sets, and training and test traffic traces for a total of 128 different configurations. Of particular interest are test cases that use a test set from a different network than the one the model was trained on, i.e. the robustness of the trained models. Results show that the multi-objective genetic algorithm (MOGA) based trained model is able to achieve the best performance among the three methods when each approach is tested on traffic traces that are captured on the same network as the training network trace. On the other hand, C4.5 achieved the best results among the three methods when tested on traffic traces which are captured on totally different networks than the training trace. Furthermore, it is shown that continuous sampling of the training data is no better than random sampling, but the training data is very important for how well the classifiers will perform on traffic traces captured from different networks. Moreover, the C4.5 based approach provides the fastest and the most human readable model, whereas the MOGA reduces the complexity of the k-means clustering algorithm tremendously.},
Doi = {10.1109/CISDA.2011.5945941},
Keywords = {IP networks;cryptography;genetic algorithms;learning (artificial intelligence);pattern clustering;protocols;telecommunication traffic;C4.5-based approach;IP addresses;MOGA-based trained model;SSH protocol;binary identification;encrypted network traffic analysis;feature sets;k-mean clustering;machine learning techniques;multiobjective genetic algorithm;nonSSH traffic;payload information;port number;random sampling;traffic traces;Clustering algorithms;Equations;Mathematical model;Payloads;Protocols;Robustness;Training},
Location = {Paris, France},
Owner = {velan},
Review = {Authors compare C4.5, k-means and a multi-objective genetic algorithm (MOGA). All methods are evaluated on multiple data sets when identifying SSH traffic. Full flows are used; the time to train each method and to evaluate the test data is compared. C4.5 provides the best robustness across networks, and MOGA has a very low false positive rate when used on the same data set it was trained on. For deployment as a detector, the cross-network robustness is the property that matters, since the traffic distribution of the monitored network will differ from that of the training trace. C4.5 is recommended for forensic analysis by law enforcement.},
Timestamp = {2014.08.25}
}
@InProceedings{Augustin-2011-Traffic,
Title = {{On Traffic Patterns of HTTP Applications}},
Author = {Augustin, Brice and Mellouk, Abdelhamid},
Booktitle = {Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE},
Year = {2011},
Month = dec,
Doi = {10.1109/GLOCOM.2011.6134438},
ISSN = {1930-529X},
Keywords = {Internet;hypermedia;pattern classification;quality of service;telecommunication traffic;time series;transport protocols;HTTP application;Internet protocol;QoS;RRDTool database;Web application;audio streaming;browser-generated traffic;chat;documents editing;email;hypertext documents;pattern classification;plot time series;security policy;traffic pattern;video streaming;Bandwidth;Browsers;Electronic mail;Google;Protocols;Streaming media;YouTube},
Owner = {velan},
Timestamp = {2017.10.20}
}
@Online{mse-specification,
Title = {{Message Stream Encryption.} \textit{Vuze Wiki}},
Author = {{Azureus Software Inc.}},
Url = {http://wiki.vuze.com/w/Message_Stream_Encryption},
Urldate = {2014-10-31},
Month = May,
Year = {2014},
Keywords = {Message Stream Encryption, MSE, specification},
Owner = {Milan},
Timestamp = {2014.11.03}
}
@InProceedings{Bacquet-2011-Genetic,
Title = {{Genetic Optimization and Hierarchical Clustering Applied to Encrypted Traffic Identification}},
Author = {Bacquet, Carlos and Zincir-Heywood, A. Nur and Heywood, Malcolm I.},
Booktitle = {Computational Intelligence in Cyber Security (CICS), 2011 IEEE Symposium on},
Year = {2011},
Month = Apr,
Pages = {194-201},
Abstract = {An important part of network management requires the accurate identification and classification of network traffic for decisions regarding bandwidth management, quality of service, and security. This work explores the use of a Multi-Objective Genetic Algorithm (MOGA) for both feature selection and cluster count optimization, for an unsupervised machine learning technique, K-Means, applied to encrypted traffic identification. Specifically, a hierarchical K-Means algorithm is employed, comparing its performance to the MOGA with a non-hierarchical (flat) K-Means algorithm. The latter has already been benchmarked against common unsupervised techniques found in the literature, where results have favored the proposed MOGA. The purpose of this paper is to explore the gains, if any, obtained by increasing cluster purity in the proposed model by means of a second layer of clusters. In this work, SSH is chosen as an example of an encrypted application. However, nothing prevents the proposed model from working with other types of encrypted traffic, such as SSL or Skype. Results show that with the hierarchical MOGA, significant gains are observed in terms of the classification performance of the system.},
Doi = {10.1109/CICYBS.2011.5949391},
Keywords = {genetic algorithms;pattern clustering;quality of service;telecommunication computing;telecommunication network management;telecommunication traffic;unsupervised learning;QoS;SSL;Skype;bandwidth management;cluster count optimization;encrypted traffic identification;feature selection;hierarchical clustering;k-means algorithm;multiobjective genetic algorithm;network management;network traffic;quality of service;unsupervised machine learning;Accuracy;Clustering algorithms;Cryptography;Genetic algorithms;Machine learning;Optimization;Payloads},
Location = {Paris, France},
Owner = {velan},
Review = {Authors use a Multi-Objective Genetic Algorithm for feature selection as well as for improving the K-means method. They add a second layer of clusters and study the improvements. SSH was chosen as an example of encrypted traffic; only the categories SSH and non-SSH are used. The data set is private, has truncated payload, and was labeled by commercial tools. Authors consider the ground truth 100\% accurate, although they do not justify this accuracy once the payload is removed, so the reported classification performance inherits whatever error the labeling tools made. Training data contained SSH, MSN, HTTP, FTP, and DNS, and was randomly sampled. The test data set contained more protocols, such as IMAP, SNMP, LDAP, and POP3. 38 flow features were available to the MOGA; the number of flow features actually used by the best individuals is not reported.},
Timestamp = {2015.03.13}
}
@InCollection{Bacquet-2009-Investigation,
Title = {{An Investigation of Multi-objective Genetic Algorithms for Encrypted Traffic Identification}},
Author = {Bacquet, Carlos and Zincir-Heywood, A. Nur and Heywood, Malcolm I.},
Booktitle = {Computational Intelligence in Security for Information Systems},
Publisher = {Springer Berlin Heidelberg},
Year = {2009},
Pages = {93-100},
Series = {Advances in Intelligent and Soft Computing},
Volume = {63},
Abstract = {The increasing use of encrypted traffic combined with non-standard port associations makes the task of traffic identification increasingly difficult. This work adopts a multi-objective clustering approach to the problem in which a Genetic Algorithm performs both feature selection and cluster count optimization under a flow based representation. Solutions do not use port numbers, IP address or payload. Performance of the resulting model provides 90\% detection 0.8\% false positive rates with 13 clusters supported by 14 of the original 38 features.},
Doi = {10.1007/978-3-642-04091-7_12},
ISBN = {978-3-642-04090-0},
Language = {English},
Owner = {velan},
Review = {SSH is chosen as an example of encrypted traffic for this work. A Multi-Objective Genetic Algorithm is used to determine the best flow feature subspace and the clustering of traffic types. Based on previous work, the authors argue that the feature selection and the number of clusters strongly affect the overall accuracy. The authors selected four objectives and, in 25 runs of the MOGA, tried to find the best Pareto non-dominated solution. They report a solution with a 92\% detection rate and only a 0.8\% false positive rate (the abstract quotes 90\% detection with 13 clusters and 14 of the original 38 features).},
Timestamp = {2014.10.06},
Url = {http://dx.doi.org/10.1007/978-3-642-04091-7_12}
}
@InProceedings{Bahaman-2012-Network,
Title = {{Network performance evaluation of 6to4 tunneling}},
Author = {Bahaman, Nazrulazhar and Hamid, Erman and Prabuwono, Anton Satria},
Booktitle = {2012 International Conference on Innovation Management and Technology Research},
Year = {2012},
Month = may,
Pages = {263-268},
Doi = {10.1109/ICIMTR.2012.6236400},
Keywords = {IP networks;computer network performance evaluation;data communication;transport protocols;6to4 tunneling;IPv4 protocol;IPv6 transition mechanisms;TCP data transmission;TCP transmission protocol;UDP transmission protocol;User Datagram Protocol;network performance evaluation;round trip time;throughput;tunneling overhead;user-to-user network performance software;Force;IP networks;Internet;Routing protocols;Throughput;Tunneling;6to4;Protocol-41;TCP;Tunneling;UDP},
Owner = {velan},
Timestamp = {2017.10.25}
}
@Online{hippie,
Title = {{HiPPIE}},
Author = {Ballard, Josh},
Url = {http://sourceforge.net/projects/hippie/},
Urldate = {2014-11-26},
Month = Apr,
Year = {2013},
Keywords = {hippie, traffic classification},
Owner = {Milan},
Timestamp = {2014.12.01}
}
@InProceedings{Barbette-2015-Fast,
Title = {{Fast Userspace Packet Processing}},
Author = {Barbette, Tom and Soldani, Cyril and Mathy, Laurent},
Booktitle = {Proceedings of the Eleventh ACM/IEEE Symposium on Architectures for Networking and Communications Systems},
Year = {2015},
Address = {Washington, DC, USA},
Pages = {5--16},
Publisher = {IEEE Computer Society},
Series = {ANCS '15},
Acmid = {2772727},
ISBN = {978-1-4673-6632-8},
Keywords = {click modular router, fast packet i/o, high-speed networking, intel dpdk, multi-queue, netmap, network processing, numa, userspace i/o},
Location = {Oakland, California, USA},
Numpages = {12},
Owner = {velan},
Timestamp = {2018.02.13},
Url = {http://dl.acm.org/citation.cfm?id=2772722.2772727}
}
@InCollection{BarYanai-2010-Realtime,
Title = {{Realtime Classification for Encrypted Traffic}},
Author = {Bar-Yanai, Roni and Langberg, Michael and Peleg, David and Roditty, Liam},
Booktitle = {Experimental Algorithms},
Publisher = {Springer Berlin Heidelberg},
Year = {2010},
Pages = {373-385},
Series = {Lecture Notes in Computer Science},
Volume = {6049},
Abstract = {Classifying network flows by their application type is the backbone of many crucial network monitoring and controlling tasks, including billing, quality of service, security and trend analyzers. The classical “port-based” and “payload-based” approaches to traffic classification have several shortcomings. These limitations have motivated the study of classification techniques that build on the foundations of learning theory and statistics. The current paper presents a new statistical classifier that allows real time classification of encrypted data. Our method is based on a hybrid combination of the k-means and k-nearest neighbor (or k-NN) geometrical classifiers. The proposed classifier is both fast and accurate, as implied by our feasibility tests, which included implementing and integrating statistical classification into a realtime embedded environment. The experimental results indicate that our classifier is extremely robust to encryption.},
Doi = {10.1007/978-3-642-13193-6_32},
ISBN = {978-3-642-13192-9},
Language = {English},
Owner = {velan},
Review = {Authors use a combination of k-means and k-nearest neighbor classifiers to classify network flows. They claim the method to be fast, accurate and robust to encryption, asymmetric routing and packet reordering. BitTorrent traffic is hard to identify since the community put a lot of effort into detection avoidance; the first few packets of an encrypted BitTorrent connection are often padded specifically to defeat classifiers that look only at the first packets. Authors stress that their method is applicable in a real-time environment and tested it on an ISP link. The first 100 packets of a flow are used for the classification. The application protocols classified are HTTP, SMTP, POP3, Skype, eDonkey, BitTorrent, encrypted BitTorrent, RTP, and ICQ.},
Timestamp = {2014.10.06},
Url = {http://dx.doi.org/10.1007/978-3-642-13193-6_32}
}
@InProceedings{Benson-2010-Network,
Title = {{Network Traffic Characteristics of Data Centers in the Wild}},
Author = {Benson, Theophilus and Akella, Aditya and Maltz, David A.},
Booktitle = {Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement},
Year = {2010},
Address = {New York, NY, USA},
Pages = {267--280},
Publisher = {ACM},
Series = {IMC '10},
Abstract = {Although there is tremendous interest in designing improved networks for data centers, very little is known about the network-level traffic characteristics of data centers today. In this paper, we conduct an empirical study of the network traffic in 10 data centers belonging to three different categories, including university, enterprise campus, and cloud data centers. Our definition of cloud data centers includes not only data centers employed by large online service providers offering Internet-facing applications but also data centers used to host data-intensive (MapReduce style) applications. We collect and analyze SNMP statistics, topology and packet-level traces. We examine the range of applications deployed in these data centers and their placement, the flow-level and packet-level transmission properties of these applications, and their impact on network and link utilizations, congestion and packet drops. We describe the implications of the observed traffic patterns for data center internal traffic engineering as well as for recently proposed architectures for data center networks.},
Acmid = {1879175},
Doi = {10.1145/1879141.1879175},
ISBN = {978-1-4503-0483-2},
Keywords = {characterization, data center traffic},
Location = {Melbourne, Australia},
Numpages = {14},
Owner = {velan},
Timestamp = {2015.07.27}
}
@InProceedings{Bernaille-2007-Early,
Title = {{Early Recognition of Encrypted Applications}},
Author = {Bernaille, Laurent and Teixeira, Renata},
Booktitle = {Proceedings of the 8th International Conference on Passive and Active Network Measurement},
Year = {2007},
Address = {Berlin, Heidelberg},
Pages = {165--175},
Publisher = {Springer-Verlag},
Series = {PAM'07},
Abstract = {Most tools to recognize the application associated with network connections use well-known signatures as basis for their classification. This approach is very effective in enterprise and campus networks to pinpoint forbidden applications (peer to peer, for instance) or security threats. However, it is easy to use encryption to evade these mechanisms. In particular, Secure Sockets Layer (SSL) libraries such as OpenSSL are widely available and can easily be used to encrypt any type of traffic. In this paper, we propose a method to detect applications in SSL encrypted connections. Our method uses only the size of the first few packets of an SSL connection to recognize the application, which enables an early classification. We test our method on packet traces collected on two campus networks and on manually-encrypted traces. Our results show that we are able to recognize the application in an SSL connection with more than 85\% accuracy.},
Acmid = {1762911},
ISBN = {978-3-540-71616-7},
Location = {Louvain-la-Neuve, Belgium},
Numpages = {11},
Owner = {velan},
Review = {Authors 1) detect and describe encrypted traffic (SSL) in a campus network and 2) use a clustering method to detect SSL and identify the underlying application. The detection of encrypted traffic in 1) is done using the first 4 bytes of payload to read the SSL version and record length. Authors use traffic traces from live networks and a manually generated packet trace to verify their approach. The traffic classification uses a clustering algorithm (Gaussian Mixture Model). First they use the sizes and directions of the first P packets to determine whether the flow is SSL; using the first three packets and 35 clusters gives good results. The method then searches for the first data packet in the connection and applies the same clustering to data packet sizes to detect the underlying application, with the packet sizes adjusted to account for the encryption overhead. Combining clustering with port numbers to differentiate applications within a cluster provides better results than clustering alone; note that this partially reintroduces the port dependence that encrypted, non-standard-port traffic is meant to evade, so the port-assisted figures should not be read as evasion-resistant.},
Timestamp = {2014.09.26},
Url = {http://dl.acm.org/citation.cfm?id=1762888.1762911}
}
@Article{Bhuyan-2011-Surveying,
Title = {{Surveying Port Scans and Their Detection Methodologies}},
Author = {Bhuyan, Monowar H. and Bhattacharyya, D.K. and Kalita, J.K.},
Journal = {Comput. J.},
Year = {2011},
Month = oct,
Number = {10},
Pages = {1565--1581},
Volume = {54},
Acmid = {2061885},
Address = {Oxford, UK},
ISSN = {0010-4620},
Issue_date = {October 2011},
Numpages = {17},
Owner = {velan},
Publisher = {Oxford University Press},
Timestamp = {2017.10.20}
}
@InProceedings{Billig-2008-Evaluation,
Title = {{Evaluation of Google Hacking}},
Author = {Billig, Justin and Danilchenko, Yuri and Frank, Charles E.},
Booktitle = {Proceedings of the 5th Annual Conference on Information Security Curriculum Development},
Year = {2008},
Address = {New York, NY, USA},
Pages = {27--32},
Publisher = {ACM},
Series = {InfoSecCD '08},
ISBN = {978-1-60558-333-4},
Keywords = {Google hacking, hacking, information assurance, information security, web security},
Location = {Kennesaw, Georgia},
Numpages = {6},
Owner = {velan},
Timestamp = {2017.10.20}
}
@Online{Bittel-2014-httpry,
Title = {{httpry - HTTP logging and information retrieval tool}},
Author = {Bittel, Jason},
Url = {http://github.com/jbittel/httpry},
Urldate = {2017-10-18},
Month = oct,
Year = {2014},
Owner = {velan},
Timestamp = {2017.10.18}
}
@MastersThesis{Blatter-2011-Extending,
Title = {{Extending HAPviewer: Time Window, Flow Classification, and Geolocation}},
Author = {Blatter, Raphael Thomas},
School = {University of Zurich, Department of Informatics},
Year = {2011},
Owner = {velan},
Timestamp = {2017.10.25},
Url = {ftp://ftp.tik.ee.ethz.ch:21/pub/students/2011-FS/MA-2011-12.pdf}
}
@InProceedings{Bonelli-2012-Multi,
Title = {{On Multi-gigabit Packet Capturing with Multi-core Commodity Hardware}},
Author = {Bonelli, Nicola and Di Pietro, Andrea and Giordano, Stefano and Procissi, Gregorio},
Booktitle = {Proceedings of the 13th International Conference on Passive and Active Measurement},
Year = {2012},
Address = {Berlin, Heidelberg},
Pages = {64--73},
Publisher = {Springer-Verlag},
Series = {PAM'12},
Acmid = {2238905},
Doi = {10.1007/978-3-642-28537-0_7},
ISBN = {978-3-642-28536-3},
Location = {Vienna, Austria},
Numpages = {10},
Owner = {velan},
Timestamp = {2018.02.13},
Url = {http://dx.doi.org/10.1007/978-3-642-28537-0_7}
}
@InProceedings{Bonelli-2017-Enabling,
Title = {{Enabling Packet Fan-Out in the libpcap Library for Parallel Traffic Processing}},
Author = {Bonelli, Nicola and Giordano, Stefano and Procissi, Gregorio},
Booktitle = {2017 Network Traffic Measurement and Analysis Conference (TMA)},
Year = {2017},
Month = jun,
Pages = {1-9},
Doi = {10.23919/TMA.2017.8002904},
Keywords = {IP networks;Linux;application program interfaces;multi-threading;multiprocessing systems;network interfaces;parallel architectures;telecommunication computing;telecommunication traffic;user interfaces;API;Bro;Linux operating-system;PFQ accelerated engine;Tstat;accelerated capture engines;application level parallelism;capture technologies;commodity PC;computation intensive operations;declarative grammar configuration;legacy applications;libpcap library;multicore architecture;multigigabit network cards;multiple processing cores;multiprocess applications;multithreaded applications;native multicore support;network applications;packet fan-out;parallel traffic processing;pcap library interface;standard Linux socket;traffic rates;Acceleration;Engines;Instruction sets;Libraries;Linux;Sockets;Standards},
Owner = {velan},
Timestamp = {2018.02.13}
}
@Article{Bonelli-2016-Network,
Title = {{Network Traffic Processing With PFQ}},
Author = {Bonelli, Nicola and Giordano, Stefano and Procissi, Gregorio},
Journal = {IEEE Journal on Selected Areas in Communications},
Year = {2016},
Month = jun,
Number = {6},
Pages = {1819-1833},
Volume = {34},
Doi = {10.1109/JSAC.2016.2558998},
ISSN = {0733-8716},
Keywords = {Linux;computer networks;operating system kernels;queueing theory;telecommunication traffic;Linux kernel;PFQ;network device drivers;network traffic processing;open-source module;packet family queue;packet processing;pcap library;programming interfaces;software-accelerated packet;Acceleration;Kernel;Linux;Monitoring;Parallel processing;Performance evaluation;Application Offload;Concurrent Programming;Early Stage Processing;Multi–Core Architectures;Multi–Queue NICs;Network Monitoring;Network monitoring;application offload;concurrent programming;early stage processing;multi–core architectures;multi–queue NICs},
Owner = {velan},
Timestamp = {2018.02.13}
}
@InProceedings{Bonelli-2014-Purely,
Title = {{A Purely Functional Approach to Packet Processing}},
Author = {Bonelli, Nicola and Giordano, Stefano and Procissi, Gregorio and Abeni, Luca},
Booktitle = {Proceedings of the Tenth ACM/IEEE Symposium on Architectures for Networking and Communications Systems},
Year = {2014},
Address = {New York, NY, USA},
Pages = {219--230},
Publisher = {ACM},
Series = {ANCS '14},
Acmid = {2658269},
Doi = {10.1145/2658260.2658269},
ISBN = {978-1-4503-2839-5},
Keywords = {pfq, software defined networking},
Location = {Los Angeles, California, USA},
Numpages = {12},
Owner = {velan},
Timestamp = {2018.02.13},
Url = {http://doi.acm.org/10.1145/2658260.2658269}
}
@InProceedings{Brauckhoff-2006-Impact,
Title = {{Impact of Packet Sampling on Anomaly Detection Metrics}},
Author = {Brauckhoff, Daniela and Tellenbach, Bernhard and Wagner, Arno and May, Martin and Lakhina, Anukool},
Booktitle = {Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement},
Year = {2006},
Address = {New York, NY, USA},
Pages = {159--164},
Publisher = {ACM},
Series = {IMC '06},
Abstract = {Packet sampling methods such as Cisco's NetFlow are widely employed by large networks to reduce the amount of traffic data measured. A key problem with packet sampling is that it is inherently a lossy process, discarding (potentially useful) information. In this paper, we empirically evaluate the impact of sampling on anomaly detection metrics. Starting with unsampled flow records collected during the Blaster worm outbreak, we reconstruct the underlying packet trace and simulate packet sampling at increasing rates. We then use our knowledge of the Blaster anomaly to build a baseline of normal traffic (without Blaster), against which we can measure the anomaly size at various sampling rates. This approach allows us to evaluate the impact of packet sampling on anomaly detection without being restricted to (or biased by) a particular anomaly detection method. We find that packet sampling does not disturb the anomaly size when measured in volume metrics such as the number of bytes and number of packets, but grossly biases the number of flows. However, we find that recently proposed entropy-based summarizations of packet and flow counts are affected less by sampling, and expose the Blaster worm outbreak even at higher sampling rates. Our findings suggest that entropy summarizations are more resilient to sampling than volume metrics. Thus, while not perfect, sampling still preserves sufficient distributional structure, which when harnessed by tools like entropy, can expose hard-to-detect scanning anomalies.},
Acmid = {1177101},
Doi = {10.1145/1177080.1177101},
ISBN = {1-59593-561-4},
Keywords = {anomaly detection, network traffic analysis, sampling},
Location = {Rio de Janeriro, Brazil},
Numpages = {6},
Owner = {velan},
Timestamp = {2016.03.03},
Url = {http://doi.acm.org/10.1145/1177080.1177101}
}
@InProceedings{Braun-2010-Comparing,
Title = {{Comparing and Improving Current Packet Capturing Solutions Based on Commodity Hardware}},
Author = {Braun, Lothar and Didebulidze, Alexander and Kammenhuber, Nils and Carle, Georg},
Booktitle = {Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement},
Year = {2010},
Address = {New York, NY, USA},
Pages = {206--217},
Publisher = {ACM},
Series = {IMC '10},
Acmid = {1879168},
Doi = {10.1145/1879141.1879168},
ISBN = {978-1-4503-0483-2},
Keywords = {measurement, operating systems, packet capturing},
Location = {Melbourne, Australia},
Numpages = {12},
Owner = {velan},
Timestamp = {2018.02.13},
Url = {http://doi.acm.org/10.1145/1879141.1879168}
}
@Article{Brownlee-2011-Flow,
Title = {{Flow-Based Measurement: IPFIX Development and Deployment}},
Author = {Brownlee, Nevil},
Journal = {IEICE Transactions on Communications},
Year = {2011},
Month = sep,
Number = {8},
Pages = {2190--2198},
Volume = {E94.B},
Doi = {10.1587/transcom.E94.B.2190},
Owner = {velan},
Timestamp = {2017.04.27}
}
@Article{Bujlow-2015-classification,
Title = {{Independent Comparison of Popular DPI Tools for Traffic Classification}},
Author = {Bujlow, Tomasz and Carela-Espanol, Valentín and Barlet-Ros, Pere},
Journal = {Computer Networks},
Year = {2015},
Number = {0},
Pages = {75 - 89},
Volume = {76},
Abstract = {Deep Packet Inspection (DPI) is the state-of-the-art technology for traffic classification. According to the conventional wisdom, DPI is the most accurate classification technique. Consequently, most popular products, either commercial or open-source, rely on some sort of DPI for traffic classification. However, the actual performance of DPI is still unclear to the research community, since the lack of public datasets prevents the comparison and reproducibility of their results. This paper presents a comprehensive comparison of 6 well-known DPI tools, which are commonly used in the traffic classification literature. Our study includes 2 commercial products (PACE and NBAR) and 4 open-source tools (OpenDPI, L7-filter, nDPI, and Libprotoident). We studied their performance in various scenarios (including packet and flow truncation) and at different classification levels (application protocol, application and web service). We carefully built a labeled dataset with more than 750K flows, which contains traffic from popular applications. We used the Volunteer-Based System (VBS), developed at Aalborg University, to guarantee the correct labeling of the dataset. We released this dataset, including full packet payloads, to the research community. We believe this dataset could become a common benchmark for the comparison and validation of network traffic classifiers. Our results present PACE, a commercial tool, as the most accurate solution. Surprisingly, we find that some open-source tools, such as nDPI and Libprotoident, also achieve very high accuracy.},
Doi = {10.1016/j.comnet.2014.11.001},
Keywords = {Deep packet inspection, DPI, traffic classification},
Owner = {velan},
Timestamp = {2014.12.02},
Url = {http://www.sciencedirect.com/science/article/pii/S1389128614003909}
}
@InProceedings{Caballero-2007-Polyglot,
Title = {{Polyglot: Automatic Extraction of Protocol Message Format Using Dynamic Binary Analysis}},
Author = {Caballero, Juan and Yin, Heng and Liang, Zhenkai and Song, Dawn},
Booktitle = {Proceedings of the 14th ACM Conference on Computer and Communications Security},
Year = {2007},
Address = {New York, NY, USA},
Pages = {317--329},
Publisher = {ACM},
Series = {CCS '07},
Acmid = {1315286},
Doi = {10.1145/1315245.1315286},
ISBN = {978-1-59593-703-2},
Keywords = {binary analysis, protocol reverse engineering},
Location = {Alexandria, Virginia, USA},
Numpages = {13},
Owner = {velan},
Timestamp = {2017.08.25},
Url = {http://doi.acm.org/10.1145/1315245.1315286}
}
@Online{CAIDA-2013-Cyber,
Title = {{Cyber-security Research Ethics Dialog \& Strategy Workshop}},
Author = {{CAIDA}},
Url = {http://www.caida.org/workshops/creds/1305/},
Urldate = {2018-02-22},
Month = may,
Year = {2013},
Owner = {velan},
Timestamp = {2014.12.03}
}
@Article{Callado-2009-Survey,
Title = {{A Survey on Internet Traffic Identification}},
Author = {Callado, Arthur and Kamienski, Carlos and Szabo, Geza and Gero, Balazs Peter and Kelner, Judith and Fernandes, Stenio and Sadok, Djamel},
Journal = {Communications Surveys \& Tutorials, IEEE},
Year = {2009},
Month = Aug,
Number = {3},
Pages = {37-52},
Volume = {11},
Abstract = {The area of Internet traffic measurement has advanced enormously over the last couple of years. This was mostly due to the increase in network access speeds, due to the appearance of bandwidth-hungry applications, due to the ISPs' increased interest in precise user traffic profile information and also a response to the enormous growth in the number of connected users. These changes greatly affected the work of Internet service providers and network administrators, which have to deal with increasing resource demands and abrupt traffic changes brought by new applications. This survey explains the main techniques and problems known in the field of IP traffic analysis and focuses on application detection. First, it separates traffic analysis into packet-based and flow-based categories and details the advantages and problems for each approach. Second, this work cites the techniques for traffic analysis accessible in the literature, along with the analysis performed by the authors. Relevant techniques include signature-matching, sampling and inference. Third, this work shows the trends in application classification analysis and presents important and recent references in the subject. Lastly, this survey draws the readers' interest to open research topics in the area of traffic analysis and application detection and makes some final remarks.},
Doi = {10.1109/SURV.2009.090304},
ISSN = {1553-877X},
Keywords = {Internet;telecommunication traffic;ISP;Internet service provider;Internet traffic identification;bandwidth-hungry applications;flow-based traffic analysis;packet-based traffic analysis;Area measurement;Availability;IP networks;Loss measurement;Peer to peer computing;Performance analysis;Sampling methods;Telecommunication traffic;Video sharing;Web and internet services;Measurement, Application Identification, Traffic Analysis, Classification},
Owner = {velan},
Timestamp = {2014.10.24}
}
@InCollection{Cao-2014-Survey,
Title = {{A Survey on Encrypted Traffic Classification}},
Author = {Cao, Zigang and Xiong, Gang and Zhao, Yong and Li, Zhenzhen and Guo, Li},
Booktitle = {Applications and Techniques in Information Security},
Publisher = {Springer Berlin Heidelberg},
Year = {2014},
Editor = {Batten, Lynn and Li, Gang and Niu, Wenjia and Warren, Matthew},
Pages = {73-81},
Series = {Communications in Computer and Information Science},
Volume = {490},
Abstract = {With the widespread use of encryption techniques in network applications, encrypted network traffic has recently become a great challenge for network management. Studies on encrypted traffic classification not only help to improve the network service quality, but also assist in enhancing network security. In this paper, we first introduce the basic information of encrypted traffic classification, emphasizing the influences of encryption on current classification methodology. Then, we summarize the challenges and recent advances in encrypted traffic classification research. Finally, the paper is ended with some conclusions.},
Doi = {10.1007/978-3-662-45670-5_8},
ISBN = {978-3-662-45669-9},
Keywords = {traffic classification; encrypted traffic; statistical classification; fine-grained; behavior based},
Language = {English},
Owner = {velan},
Review = {The survey provides a brief introduction to encrypted traffic classification and points out the main challenges in the field. Authors distinguish advances in accurate classification, multi-phased fine-grained classification, and behavior-based fine-grained classification. A brief section is dedicated to countermeasures against statistical traffic analysis, i.e. the techniques an adversary can use to defeat these classifiers. Authors conclude that a classification framework combining multiple classifiers may be a way to achieve fine-grained classification.},
Timestamp = {2015.03.11},
Url = {http://dx.doi.org/10.1007/978-3-662-45670-5_8}
}
@InProceedings{Cejka-2015-Using,
Title = {{Using Application-Aware Flow Monitoring for SIP Fraud Detection}},
Author = {Cejka, Tomas and Bartos, Vaclav and Truxa, Lukas and Kubatova, Hana},
Booktitle = {Intelligent Mechanisms for Network Configuration and Security: 9th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2015, Ghent, Belgium, June 22-25, 2015. Proceedings},
Year = {2015},
Address = {Cham},
Editor = {Latr{\'e}, Steven and Charalambides, Marinos and Fran{\c{c}}ois, J{\'e}r{\^o}me and Schmitt, Corinna and Stiller, Burkhard},
Pages = {87--99},
Publisher = {Springer International Publishing},
Doi = {10.1007/978-3-319-20034-7_10},
ISBN = {978-3-319-20034-7},
Owner = {velan},
Timestamp = {2017.04.27},
Url = {http://dx.doi.org/10.1007/978-3-319-20034-7_10}
}
@InProceedings{Celeda-2013-Large,
Title = {{Large-Scale Geolocation for NetFlow}},
Author = {Čeleda, Pavel and Velan, Petr and Rábek, Martin and Hofstede, Rick and Pras, Aiko},
Booktitle = {IFIP/IEEE International Symposium on Integrated Network Management (IM 2013)},
Year = {2013},
Address = {Ghent, Belgium},
Editor = {De Turck, Filip and Diao, Yixin and Hong, Choong Seon and Medhi, Deep and Sadre, Ramin},
Month = May,
Pages = {1015-1020},
Publisher = {IEEE Xplore Digital Library},
Abstract = {Current approaches perform geolocation mostly on-demand and in a small-scale fashion. As soon as geolocation needs to be performed in real-time in high-speed and large-scale networks, these approaches are not scalable anymore. To solve this problem, we propose two approaches to large-scale geolocation. Firstly, we present an exporter-based approach, which adds geolocation data to flow records in a way that is transparent to any flow collector. Secondly, we present a flow collector-based approach, which adds native geolocation to NetFlow data from any flow exporter. After presenting prototypes for both approaches, we demonstrate the applicability of large-scale geolocation by means of use cases.},
ISBN = {978-1-4673-5229-1},
Keywords = {geolocation; GeoIP; ISO 3166; NetFlow; NFDUMP; NfSen; security; detection; anomaly},
Location = {Ghent, Belgium},
Owner = {velan},
Timestamp = {2014.04.23},
Url = {http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6573124}
}
@Online{CSIS-2013-Economic,
Title = {{The Economic Impact of Cybercrime and Cyber Espionage}},
Author = {{Center for Strategic and International Studies}},
Url = {http://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf},
Urldate = {2018-03-02},
Month = jul,
Year = {2013},
Owner = {velan},
Timestamp = {2018.03.02}
}
@InProceedings{Cermak-2016-Performance,
Title = {{A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems}},
Author = {Čermák, Milan and Tovarňák, Daniel and Laštovička, Martin and Čeleda, Pavel},
Booktitle = {NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium},
Year = {2016},
Month = Apr,
Pages = {919-924},
Doi = {10.1109/NOMS.2016.7502926},
Keywords = {IP networks;computer network security;data analysis;NetFlow data analysis;distributed stream processing systems;network flow processing;security analysis algorithms;Benchmark testing;Data processing;Distributed databases;Fasteners;Real-time systems;Sparks;Storms},
Owner = {velan},
Timestamp = {2017.08.04}
}
@Online{CERTNSAGET--yaf,
Title = {{yaf application labeling}},
Author = {{CERT Network Situational Awareness Group Engineering Team}},
Url = {https://tools.netsa.cert.org/yaf/applabel.html},
Urldate = {2017-09-27},
Owner = {velan},
Timestamp = {2017.09.27}
}
@Online{CERTNSAT--SiLK,
Title = {{SiLK}},
Author = {{CERT Network Situational Awareness Team (NetSA)}},
Url = {http://tools.netsa.cert.org/silk/},
Urldate = {2012-12-13},
Owner = {velan},
Timestamp = {2017.10.25}
}
@Article{Chandola-2009-Anomaly,
Title = {{Anomaly Detection: A Survey}},
Author = {Chandola, Varun and Banerjee, Arindam and Kumar, Vipin},
Journal = {ACM Comput. Surv.},
Year = {2009},
Month = jul,
Number = {3},
Pages = {15:1--15:58},
Volume = {41},
Acmid = {1541882},
Address = {New York, NY, USA},
Articleno = {15},
Doi = {10.1145/1541880.1541882},
ISSN = {0360-0300},
Issue_date = {July 2009},
Keywords = {Anomaly detection, outlier detection},
Numpages = {58},
Owner = {velan},
Publisher = {ACM},
Timestamp = {2017.08.09},
Url = {http://doi.acm.org/10.1145/1541880.1541882}
}
@Article{Cheng-2012-Evasion,
Title = {{Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems}},
Author = {Cheng, Tsung-Huan and Lin, Ying-Dar and Lai, Yuan-Cheng and Lin, Po-Ching},
Journal = {IEEE Communications Surveys Tutorials},
Year = {2012},
Month = {10},
Number = {4},
Pages = {1011-1020},
Volume = {14},
Doi = {10.1109/SURV.2011.092311.00082},
ISSN = {1553-877X},
Keywords = {Computer crime;Cryptography;Handwriting recognition;IP networks;Intrusion detection;Payloads;IDS/IPS;attacks;evasion;signature},
Owner = {velan},
Timestamp = {2017.06.22}
}
@Online{CiscoSystems--Cisco,
Title = {{Cisco Application Visibility and Control (AVC)}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {https://www.cisco.com/c/en/us/products/routers/avc-control.html},
Urldate = {2017-09-27},
Owner = {velan},
Timestamp = {2017.09.27}
}
@Online{CiscoSystems--Network,
Title = {{Network Based Application Recognition (NBAR)}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {https://www.cisco.com/c/en/us/products/ios-nx-os-software/network-based-application-recognition-nbar/index.html},
Urldate = {2018-03-02},
Owner = {velan},
Timestamp = {2018.03.02}
}
@Online{CiscoSystems-2017-Cisco,
Title = {{Cisco Visual Networking Index: Forecast and Methodology, 2016–2021}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.pdf},
Urldate = {2018-03-02},
Month = jun,
Year = {2017},
Owner = {velan},
Timestamp = {2018.03.02}
}
@Online{CiscoSystems-2013-Cisco,
Title = {{Cisco IOS Flexible NetFlow Command Reference}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html},
Urldate = {2017-06-21},
Month = nov,
Year = {2013},
Owner = {velan},
Timestamp = {2017.06.21}
}
@Online{CiscoSystems--NBAR2,
Title = {{NBAR2 Protocol Library}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/network-based-application-recognition-nbar/product_bulletin_c25-627831.html},
Urldate = {2017-09-27},
Month = Jun,
Year = {2013},
Owner = {velan},
Timestamp = {2017.09.27}
}
@Online{CiscoSystems-2008-Cisco,
Title = {{Cisco IOS Flexible NetFlow}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/flexible-netflow/product_data_sheet0900aecd804b590b.html},
Urldate = {2017-04-27},
Month = dec,
Year = {2008},
Owner = {velan},
Timestamp = {2017.04.27}
}
@Online{CiscoSystems-2007-NetFlow,
Title = {{NetFlow Services Solutions Guide}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {http://www.cisco.com/en/US/docs/ios/solutions_docs/netflow/nfwhite.html},
Urldate = {2017-04-27},
Month = jan,
Year = {2007},
Owner = {velan},
Timestamp = {2017.04.27}
}
@Online{CiscoSystems-2005-Cisco,
Title = {{Cisco IOS NetFlow and Security}},
Author = {{Cisco Systems, Inc., San Jose, CA and USA}},
Url = {http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_presentation0900aecd80311f49.pdf},
Urldate = {2017-04-27},
Month = feb,
Year = {2005},
Owner = {velan},
Timestamp = {2017.04.27}
}
@Article{Claffy-2011-Tracking,
Title = {{Tracking IPv6 Evolution: Data We Have and Data We Need}},
Author = {Claffy, Kimberly C.},