A review of papers labeled “security” at CAIDA

This is a review of the network security papers available at CAIDA. The following plot shows that the number of papers of this type published at CAIDA is growing overall.

2014


1. Traffic Identification Engine: An Open Platform for Traffic Classification

About:

Describes the Traffic Identification Engine (TIE), an open-source tool for network traffic classification. TIE focuses on the evaluation, comparison, and combination of different traffic classification techniques, which can be applied both to live traffic and to previously captured traffic traces.

Methods (surveyed)

Port-based approaches

Payload-based approaches (pose privacy concerns)

Machine-learning techniques (promising when dealing with obfuscated and encrypted traffic)

Conclusion:

TIE Focus:

Comparing the accuracy of different classifiers

Comparing their classification performance

Investigating multi-classification and combination strategies


2. Estimating Internet Address Space Usage through Passive Measurements

Problem:

The lack of reliable mechanisms to monitor actual utilization of addresses.

Dataset used:

Two types of passive traffic data:

1. Internet Background Radiation (IBR) packet traffic

2. Traffic (NetFlow) summaries from operational networks.

Full packet traces collected from a /8 network telescope operated by the University of California San Diego (UCSD)

Full packet traces collected from a ≈/8 network telescope (space covering 14M different addresses) operated by Merit Network (MERIT)

Unsampled NetFlow traces collected at SWITCH, a regional academic backbone network that serves 46 single-homed universities and research institutes in Switzerland

Method:

Analyzes the usage of the IPv4 address space at /24 address-block granularity (/24 blocks, in the following): a /24 block is considered active if traffic is observed from at least one IP address in that block, and inactive if traffic is observed from none. (Compare this with sending ICMP echo requests to every single IPv4 address to track the active IP address population.)


3. Analysis of Country-wide Internet Outages Caused by Censorship

Problem:

Analyzes the episodes of Internet communication disruption in Egypt and Libya (a response to civilian protests and threats of civil war).

Dataset used:

BGP interdomain routing control plane data; unsolicited data plane traffic to unassigned address space; active macroscopic traceroute measurements (used for outage detection)

RIR delegation files; MaxMind’s geolocation database (to detect the IP address ranges allocated to entities within each country)

Conclusion:

Detected Libya’s attempts to test firewall-based blocking before executing a more aggressive BGP-based disconnection.


4. Nightlights: Entropy-based Metrics for Classifying Darkspace Traffic Patterns

Problem:

An IP darkspace is globally routed IP address space with no active hosts. The paper seeks a way to classify darkspace traffic patterns; a sudden increase in a particular type of darkspace traffic can also serve as an indicator of new vulnerabilities, misconfigurations, or large-scale attacks.

Datasets:

Five months of traffic from a large /8 darkspace monitor.

Methods:

Uses an entropy vector as the feature for IP darkspace traffic classification, because darkspace traffic originates from processes that either use randomly chosen addresses or ports or target a specific address or port.

Statistics Model:

Uses iatmon [2] as a baseline, together with Corsaro and R statistics packages.

Conclusion:

Large probing events and the outbreak of a new worm are clearly visible in the entropy vectors. Entropy-based metrics can reveal noteworthy events in an IP darkspace.
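The entropy-vector feature of paper 4, as an added example that is not taken from the paper or from this post; the packets, the normalisation and the classification thresholds are constructed assumptions:

```python
import math
from collections import Counter

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port")

# Constructed darkspace packets (src_ip, dst_ip, src_port, dst_port).
# Scenario A: one host sweeping the monitored block for SIP (UDP 5060)
# from a changing ephemeral port, so destination addresses look random.
SCAN = [("198.51.100.7", f"203.0.113.{i}", 40000 + i, 5060) for i in range(64)]
# Scenario B: many sources hitting one darkspace address on one port,
# as a misconfigured client population would.
TARGETED = [(f"192.0.2.{i}", "203.0.113.9", 12345, 443) for i in range(64)]

def normalized_entropy(values):
    """Shannon entropy of the observed value distribution scaled to [0, 1].
    Normalisation by log2(sample count) is an assumption of this example:
    0 means one value everywhere, 1 means every sample is distinct."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def entropy_vector(packets):
    """One entropy per header field: the feature vector for one time
    interval of darkspace traffic."""
    columns = zip(*packets)
    return dict(zip(FIELDS, (normalized_entropy(list(c)) for c in columns)))

def classify(vec, high=0.8, low=0.2):
    """Illustrative thresholds (assumption): random-address probing shows
    high dst_ip entropy with a concentrated dst_port, while many sources
    hitting a single target show the opposite pattern."""
    if vec["dst_ip"] >= high and vec["dst_port"] <= low:
        return "random-address scan"
    if vec["dst_ip"] <= low and vec["src_ip"] >= high:
        return "many sources, one target"
    return "unclassified"

if __name__ == "__main__":
    for name, pkts in (("scan", SCAN), ("targeted", TARGETED)):
        v = entropy_vector(pkts)
        print(name, {k: round(x, 2) for k, x in v.items()}, "->", classify(v))
```

In the paper the vector is computed per time interval, so a sudden jump in one component over successive intervals is what flags a new probing event or worm outbreak.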


5. A coordinated view of the temporal evolution of large-scale Internet events

About:

Presents a method to visualize large-scale Internet events, such as a large region losing connectivity or a stealth probe of the entire IPv4 address space.

Method:

A well-developed technique from information visualization, multiple coordinated views, applied to different Internet-specific data sources.

Datasets:

Traffic collected by the UCSD Network Telescope—a large darknet passively capturing traffic sourced mainly by malware infected hosts around the world.

Conclusion:

Animates the coordinated views (geographic spread, topological Hilbert space, and traffic impact) to study the temporal evolution of an event. Two examples are then used: a large Internet outage (the Egypt Internet blackout) and an Internet-wide address space scan (a botnet-coordinated scan). This paper is closely related to paper 4 and digs into the botnet-coordinated scan.


6. Analysis of a “/0” Stealth Scan from a Botnet

About:

Provides a detailed dissection of a botnet’s scanning behavior (botnets being the most common vehicle of cyber-criminal activity), including a general method to correlate, visualize, and extrapolate botnet behavior across the global Internet. The Sality botnet is known to target SIP (Session Initiation Protocol) servers.


7. Analysis of Unidirectional IP Traffic to Darkspace with an Educational Data Kit

About:

A tutorial describing methods for analyzing unsolicited one-way Internet Protocol (IP) traffic destined to unassigned address space. A darkspace is a segment of globally routable Internet address space that has no active hosts.

2013

8. The Day after Patch Tuesday: Effects Observable in IP Darkspace Traffic

About:

Investigates how Patch Tuesday (the second Tuesday of each month, when Microsoft releases its accumulated security patches) affects the volume and characteristics of malicious and unwanted traffic observed by a large IPv4 (/8) darkspace monitor over the first six months of 2012.

Datasets: Patch Tuesday Dataset

Methods:

1. Use Corsaro, MATLAB, and Wireshark to analyze packet counts, the number of unique source addresses, top destinations, and packet content.

2. Use the iatmon tool to classify IP source hosts.

Conclusions:

1. Each month exhibits a significant increase in the number of unique source IPs shortly after Patch Tuesday.

2. Sources of the “1 and 2” packet type and of the UDP unknown type are the active sources that increase after Patch Tuesday. The Patch Tuesday effects need further investigation.


9. Gaining Insight into AS-level Outages through Analysis of Internet Background Radiation

About:

Explores further metrics derived from Internet Background Radiation (IBR, unsolicited network traffic caused by malicious software): the number of packets per SYN flow, the number of SYN retransmissions per TCP flow, and the distribution of inter-packet times between them. These metrics provide insight into the cause of macroscopic connectivity disruptions.

Datasets:

IBR traffic captured at the UCSD Network Telescope, a /8 darknet of unassigned IP addresses.

Conclusion:

These metrics can distinguish a transit bottleneck-induced outage from an intentional nation-wide disconnection caused by packet filtering.

2012


10. Issues and Future Directions in Traffic Classification

About:

Reviews recent achievements in traffic classification and discusses its future directions. Outlines the challenges that have remained unsolved in the field over the last decades and suggests several strategies for tackling them.

Methods (reviewed)

Transport-layer (TCP and UDP) port-based flow classification (rendered unreliable by user behavior, application designers, and IPv4 exhaustion)

Payload-based approaches inspect packet content (formidable privacy challenges; circumvented by encryption, protocol obfuscation, or encapsulation; computationally expensive)

Machine learning approaches learn from empirical data to automatically associate objects with their corresponding classes (depend heavily on the selection of classification features)

Obstacles

Lack of available data and ground truth (tools for labeling ground truth are still in early development and do not consistently assign the same flow object to the same class)

Traffic evolution (protocol encapsulation, encrypted or encoded traffic, multi-channel applications)

Scalability (online traffic classification involves a trade-off among accuracy, performance, and cost)


11. Extracting Benefit from Harm: Using Malware Pollution to Analyze the Impact of Political and Geophysical Events on the Internet

About:

Uses unsolicited one-way Internet traffic (also called Internet background radiation) to analyze macroscopic Internet events that are unrelated to malware, such as country-level censorship and natural disasters. Two case studies are then presented separately: Internet censorship in Libya and Egypt in 2011, and the earthquakes in New Zealand and Japan in February and March 2011.

Datasets:

Data captured by the UCSD Network Telescope, which attracts IBR for a /8 network, or 1/256th of the IPv4 address space (about 16.7 million IP addresses): about 2-10 GB per hour, mostly packet headers with no payload.

MaxMind GeoLite City database (used to calculate the great-circle distance from a given network to the epicenter of the earthquake)

Method:

By geolocating the source IP addresses of traffic destined to darknet addresses, identify when sizable geographic regions appear to have lost connectivity.

Conclusion:

IBR traffic can be used to detect events such as country-level censorship or natural disasters.
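The geolocation-based outage detection described in the method of paper 11 (and used in papers 3 and 13), as an added example that is not from the papers or this post; the prefix-to-country table, the packet timestamps and the drop threshold are constructed assumptions standing in for MaxMind data and the papers' own parameters:

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-country table (assumption) standing in for the
# MaxMind database used in the paper.
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "EG",
    ipaddress.ip_network("203.0.113.0/25"): "LY",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}

def country_of(src):
    """Map a darknet source address to a country code, or None if unknown."""
    addr = ipaddress.ip_address(src)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None

def sources_per_country(packets, bin_seconds=3600):
    """Count unique source IPs per (time bin, country) over the darknet traffic."""
    seen = defaultdict(set)
    for ts, src in packets:
        cc = country_of(src)
        if cc:
            seen[(ts // bin_seconds, cc)].add(src)
    return {k: len(v) for k, v in seen.items()}

def detect_outages(counts, baseline_bins, threshold=0.2):
    """Flag (bin, country) pairs whose unique-source count falls below
    threshold x the mean of the first baseline_bins bins. The threshold
    is an illustrative assumption, not a value from the paper."""
    countries = {cc for _, cc in counts}
    bins = sorted({b for b, _ in counts})
    alerts = []
    for cc in countries:
        base = [counts.get((b, cc), 0) for b in bins[:baseline_bins]]
        mean = sum(base) / len(base)
        for b in bins[baseline_bins:]:
            if counts.get((b, cc), 0) < threshold * mean:
                alerts.append((b, cc))
    return sorted(alerts)

# Constructed packets (unix timestamp, source IP): Egyptian sources stop
# emitting from bin 3 onward while Libyan and German sources continue.
PACKETS = []
for b in range(5):
    for i in range(20):
        t = b * 3600 + i * 60
        if b < 3:
            PACKETS.append((t, f"198.51.100.{i}"))
        PACKETS.append((t, f"203.0.113.{i}"))
        PACKETS.append((t, f"192.0.2.{i}"))
```

Running `detect_outages(sources_per_country(PACKETS), baseline_bins=3)` on the constructed traffic flags only Egypt in the last two bins, which is the signal the paper extracts from the telescope data at country scale.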


12. Analysis of Internet-wide Probing using Darknets

Related to papers 4 and 5.

About:

Reveals a sophisticated botnet scanning event targeting SIP servers (UDP port 5060). The SIP scan lasted 12 days and generated about 20 million probes from 3 million distinct source IP addresses. Also discusses the visualization methods mentioned in papers 4 and 5.

2011


13. Analysis of Country-wide Internet Outages Caused by Censorship

This paper is closely related to the topics and methods mentioned in paper 2.

About:

Analyzes the Internet connectivity disruptions that occurred in Egypt and Libya.

Datasets:

BGP interdomain routing control plane data (from Route Views and RIPE NCC)

Unsolicited data plane traffic to unassigned address space (collected by the UCSD telescope)

Active macroscopic traceroute measurements (from Ark)

RIR delegation files; MaxMind’s geolocation database (to determine which IP addresses are allocated to which country)

Conclusion:

Detected what the authors believe were Libya’s attempts to test firewall-based blocking (in the data plane, where detection requires actively probing or monitoring the traffic) before executing a more aggressive BGP-based disconnection (in the control plane, easily detectable because it changes the global routing state of the network).
