Similar documents
Found 20 similar documents; search took 46 ms
1.
This paper takes a brief look at reasons for monitoring computer networks and some of the methods by which this may be performed. An argument is made against the overuse of intrusive methods of eavesdropping, and it is recommended that network monitoring tools should be designed in such a way that they provide answers to questions supplied by network operators without providing the facilities to record unnecessary information which may in many cases be confidential. Even when using a network monitoring system for policing use of a network, it is possible to design systems in such a way that they perform a traffic classification process without releasing details of the traffic being monitored.

2.
The ever-growing Internet causes the availability of information. However, it also provides a suitable space for malicious activities, so security is crucial in this virtual environment. The network intrusion detection system (NIDS) is a popular tool to counter attacks against computer networks. This valuable tool can be realized using machine learning methods and intrusion datasets. Traditional datasets are usually packet-based in which all network packets are analyzed for intrusion detection in a time-consuming process. On the other hand, the recent spread of 1–10-Gbps-technologies has clearly pointed out that scalability is a growing problem. In this way, flow-based solutions can help to solve the problem by reduction of data and processing time, opening the way to high-speed detection on large infrastructures. Besides, NIDS should be capable of detecting new malicious activities. Artificial neural network-based NIDSs can detect unseen attacks, so a multi-layer perceptron (MLP) neural classifier is used in this study to distinguish benign and malicious traffic in a flow-based NIDS. In this way, a modified gravitational search algorithm (MGSA), as a modern heuristic technique, is employed to optimize the interconnection weights of the neural anomaly detector. The proposed scheme is trained using an enhanced version of the first labeled flow-based dataset for intrusion detection introduced in 2009. In addition, the particle swarm optimization (PSO) algorithm and traditional error back-propagation (EBP) algorithm are employed to train MLP, so performance comparison becomes possible. The experimental results based on the actual network data show that the MGSA-optimized neural anomaly detector is effective for monitoring abnormal traffic flows in the gigabytes traffic environment, and the accuracy is about 97.8 %.

3.
An efficient and automated network management is required in large and complex networks since it is very difficult to manage them only with human effort. In response to this need, the Simple Network Management Protocol (SNMP) has been developed and adopted as the de facto standard. Some management information changes with time and the management station needs to monitor its value in real time. In such a case, polling is generally used in the SNMP because the management station can query agents periodically. However, the polling scheme needs both request and response messages for management information every time, which results in network traffic increase. In this paper, we suggest a real-time network monitoring method for dynamic information to reduce the network traffic in SNMP-based network management. In the proposed strategy, each agent first decides its own monitoring period. Then, the manager collects them and approves each agent's period without modification or adjusts it based on the total traffic generated by monitoring messages. After receiving a response message containing the monitoring period from the management station, each agent sends management information periodically without the request of management station. To evaluate the performance of the proposed real-time monitoring method, we implemented it and compared the network traffic and monitoring quality of the proposed scheme with the general polling method.

4.
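Parallel data streaming method for detecting super points in high-speed networks   Total citations: 1, self-citations: 0, citations by others: 1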
周爱平  程光  郭晓军  梁一鑫 《软件学报》2016,27(7):1841-1860
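Super point detection is of great significance for applications such as network security and network management. Because of the conflict between massive network traffic and limited system resources in high-speed network environments, accurately monitoring network traffic online is a great challenge. With the development of multi-core processors, their parallelism has become an effective way to improve algorithm performance. To address the heavy computational load, low detection accuracy and poor real-time performance of current flow-sampling-based super point detection methods, a parallel data streaming method (PDS) is proposed. The method constructs a parallel reversible sketch data structure and builds a compact summary of node connection degrees; without storing node address information, it reconstructs the addresses of super points through simple calculation, achieving good efficiency and accuracy. Experimental results show that, compared with the CSE (compact spread estimator) and JM (joint data streaming and sampling method) methods, this method performs better and can meet the application requirements of high-speed network traffic monitoring.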

5.
《Computer Networks》2007,51(13):3935-3955
With the ever increasing deployment and usage of gigabit networks, traditional network anomaly detection based Intrusion Detection Systems (IDS) have not scaled accordingly. Most, if not all, IDS assume the availability of complete and clean audit data. We contend that this assumption is not valid. Factors like noise, mobility of the nodes and the large amount of network traffic make it difficult to build a traffic profile of the network that is complete and immaculate for the purpose of anomaly detection. In this paper, we attempt to address these issues by presenting an anomaly detection scheme, called SCAN (Stochastic Clustering Algorithm for Network Anomaly Detection), that has the capability to detect intrusions with high accuracy even with incomplete audit data. To address the threats posed by network-based denial-of-service attacks in high speed networks, SCAN consists of two modules: an anomaly detection module that is at the core of the design and an adaptive packet sampling scheme that intelligently samples packets to aid the anomaly detection module. The noteworthy features of SCAN include: (a) it intelligently samples the incoming network traffic to decrease the amount of audit data being sampled while retaining the intrinsic characteristics of the network traffic itself; (b) it computes the missing elements of the sampled audit data by utilizing an improved expectation–maximization (EM) algorithm-based clustering algorithm; and (c) it improves the speed of convergence of the clustering process by employing Bloom filters and data summaries.

6.
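Design and implementation of a reliable onion routing scheme   Total citations: 11, self-citations: 0, citations by others: 11
Using onion routing in open computer networks provides hidden network connections, so that an attacker can neither eavesdrop on secrets nor perform traffic analysis. However, existing onion routing schemes can only hide information and cannot guarantee resistance to destructive attacks aimed at disruption. Applying group signcryption, this paper proposes a new scheme that both hides information and resists disruption attacks, and analyzes its security.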

7.
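With the spread of P2P software, P2P has become a key application affecting the structure of the Internet. On the long-distance backbone networks of Chinese operators, P2P traffic accounts for more than half of the total, which not only puts enormous pressure on ISPs but also makes network congestion increasingly severe. Accordingly, this paper takes BT, a commonly used P2P protocol, as its subject and proposes an optimization scheme that combines user cooperation with estimation-based simulation of the underlying network to guide more traffic to occur within the local network without affecting performance, reducing P2P traffic between domains and on the backbone. Tests show that this mechanism not only localizes inter-domain traffic as far as possible, achieving overall optimization, but also enhances the performance of user systems.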

8.
Visualizing communication logs, like NetFlow records, is extremely useful for numerous tasks that need to analyze network traffic traces, like network planning, performance monitoring, and troubleshooting. Communication logs, however, can be massive, which necessitates designing effective visualization techniques for large data sets. To address this problem, we introduce a novel network traffic visualization scheme based on the key ideas of (1) exploiting frequent itemset mining (FIM) to visualize a succinct set of interesting traffic patterns extracted from large traces of communication logs; and (2) visualizing extracted patterns as hypergraphs that clearly display multi-attribute associations. We demonstrate case studies that support the utility of our visualization scheme and show that it enables the visualization of substantially larger data sets than existing network traffic visualization schemes based on parallel-coordinate plots or graphs. For example, we show that our scheme can easily visualize the patterns of more than 41 million NetFlow records. Previous research has explored using parallel-coordinate plots for visualizing network traffic flows. However, such plots do not scale to data sets with thousands or even millions of flows.

9.
Networked critical infrastructures are of national importance. However, such infrastructures are running 24/7. The supervisory control and data acquisition system (SCADA) of the critical infrastructure will generate enormous network traffic continuously. It is vital in such environments that only useful data are stored while redundant data are discarded to reduce the huge data storage demand. However, it is technically challenging to reduce the demand on data storage while losing little information. In this paper, a resource conserving sampling technique is proposed to improve detection of less frequent patterns from huge network traffic under the fixed data storage capacity of the system. Such less frequent patterns are often related to subtle network intrusion activities. Experiments using the 1998 DARPA Intrusion Detection Dataset have validated the effectiveness of the proposed scheme.

10.
The signal of the wireless sensor network in grounding grid, owing to energy loss, network congestion, path constraints and other factors, is easy to delay even partially losing. In order to ensure that the signal can be transmitted effectively in grounding grids for the substation, this paper presents a method based on traffic model of back-off balanced multiple sensor network cooperation model. As we all know, cognitive radio (CR) technology is adopted in multi-channel wireless networks to provide enough channels for data transmission. The MAC protocols should enable the secondary users to maintain the accurate channel state information to identify and utilize the leftover frequency spectrum in a way that constrains the level of interference to the primary users. We proposed a novel cooperation spectrum sensing scheme in which the secondary users adopt backoff-based sensing policy based on the traffic model of the primary users to maximize the throughput of the network. To obtain the full accurate information of the spectrum is a difficult task so that we propose the backoff sensing as a sub-optimal strategy. Since the secondary users sense only a subset of the channels in our proposed scheme, less time is spent to get the channel state information as more time is saved for the data transmission. And while dealing the signal data, I combine the intensity transfer method instead of the priority method. This can effectively reduce the network congestion, to ensure that the main information can be transferred well. It is also very useful to signal transmission for the Multi-sensor in Substations Grounding Grid (SGG).

11.
The call types supported in high-speed packet networks vary widely in their bandwidth requirements and tolerance to message delay and loss. In this paper, we classify various traffic sources which are likely to be integrated in broadband ATM networks, and suggest schemes for bandwidth allocation and transmission scheduling to meet the quality and performance objectives. We propose ATM cell-multiplexing using a Dynamic Time-Slice (DTS) scheme which guarantees a required bandwidth for each traffic class and/or virtual circuit (VC), and is dynamic in that it allows the different traffic classes or VCs to share the bandwidth with a soft boundary. Any bandwidth momentarily unused by a class or a VC is made available to the other traffic present in the multiplexer. The scheme guarantees a desired bandwidth to connections which require a fixed wide bandwidth. Thus, it facilitates setting up circuit-like connections in a network using the ATM protocol for transport. The DTS scheme is an efficient way of combining constant bit-rate (CBR) services with variable bit-rate (VBR) statistically multiplexed services. We also describe methodologies to schedule delivery of delay-tolerant data traffic within the framework of the DTS scheme. Important issues such as buffer allocations, guarantee of service quality, and ease of implementation are also discussed.

12.
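The spline weight function neural network is an emerging type of neural network that overcomes many shortcomings of traditional neural networks (such as BP and RBF), for example local minima and slow convergence. Its advantages include a simple topology, exact recall of trained samples, reflection of the information features of the samples, and attainment of the global minimum. Based on these advantages, this paper proposes a P2P traffic identification method based on the spline weight function neural network. P2P traffic features are extracted, and the spline weight function neural network structure is used to identify P2P flows. Matlab simulation and experimental results demonstrate the feasibility of this scheme; compared with traditional neural networks, the spline weight function neural network has a clear advantage in time efficiency.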

13.
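Moving object localization and tracking algorithm based on particle filter   Total citations: 1, self-citations: 0, citations by others: 1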
周帆  江维  李树全  张玉宏  曾雪  吴跃 《软件学报》2013,24(9):2196-2213
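This paper proposes a particle filter based target localization algorithm, PFTL (particle filter based target localization), and a node organization strategy based on the network coverage problem, SAC (sampling aware tracking cluster formation). The basic idea of PFTL is to use a series of weighted particles to predict the posterior distribution space of the moving object's position, and at each new time step to weigh and localize the target according to the sensors' measurement data. PFTL stores and sends target position data in an error-tolerant manner, keeping the data error of the sink's information about the object's position within a controllable range and thereby greatly reducing the network communication load. SAC formulates its data fusion strategy based on the discretized nature of sensor sampling, and dynamically selects nodes and effectively organizes node clusters so as to maximize coverage of the object's trajectory. Simulation results show that, compared with several existing localization algorithms and tracking protocols, combining the PFTL algorithm with the SAC strategy achieves better localization and network load balancing at lower cost, thereby extending network lifetime.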

14.
Flow against pipeline leakage and the pipe network sudden burst pipe to pipeline leakage flow for the application objects, an energy-efficient real-time scheduling scheme is designed extensively used in pipeline leak monitoring. The proposed scheme can adaptively adjust the network rate in real-time and reduce the cell loss rate, so that it can efficiently avoid the traffic congestion. The recent evolution of wireless sensor networks has yielded a demand to improve energy-efficient scheduling algorithms and e...

15.
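1. Introduction. An ATM network is a kind of virtual circuit-switched network that incorporates circuit switching and packet switching technology. Before the two systems were integrated they were independent, and to communicate with each other they had to obtain each other's communication parameters in order to establish a virtual connection. ATM networks share network resources through storage technology and statistical multiplexing, and this sharing of network resources greatly reduces communication costs. ATM uses fixed-length cells as the carrier of high-speed communication information; it has the advantages of high speed, low bit error rate, dynamic bandwidth allocation and high multiplexing capability, which make it well suited to multimedia data streams that require guaranteed Quality of Service (QoS). Because of the characteristics of multimedia traffic, it often causes network congestion and degrades the quality of service. Therefore, certain traffic management and control mechanisms must be adopted to avoid network congestion.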

16.
We consider the problem of traffic anomaly detection in IP networks. Traffic anomalies typically arise when there is focused overload or when a network element fails and it is desired to infer these purely from the measured traffic. We derive new general formulae for the variance of the cumulative traffic over a fixed time interval and show how the derived analytical expression simplifies for the case of voice over IP traffic, the focus of this paper. To detect load anomalies, we show it is sufficient to consider cumulative traffic over relatively long intervals such as 5 min. We also propose simple anomaly detection tests including detection of over/underload. This approach substantially extends the current practice in IP network management where only the first-order statistics and fixed thresholds are used to identify abnormal behavior. We conclude with the application of the scheme to field data from an operational network.

17.
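An improved adaptive traffic sampling method   Total citations: 1, self-citations: 0, citations by others: 1
High-speed links pose a challenge to real-time network traffic monitoring. Because of the limited performance of traffic collection and analysis equipment, using accurate and efficient sampling methods for traffic monitoring and analysis has become inevitable. The simplest approach, fixed-probability sampling, can monitor larger flows but often ignores the smaller flows, which account for almost more than 80%. Data streaming algorithms can collect high-speed link data efficiently in real time, and the SGS (sketch guided sampling) technique based on such an algorithm can accurately estimate the flow size distribution in real time; however, when the sampling rate increases to the maximum processing capacity of the monitoring system, the accuracy of this method drops rapidly. Based on the SGS method, an adaptive real-time network traffic sampling method, SRGS (sketch and resources guided sampling), is proposed. The method takes the processing capacity of the monitoring system as an important parameter for adjusting the sampling probability. Experimental results show that SRGS can adjust the packet sampling probability in a timely manner according to the current flow size and the processing capacity of the monitoring system, and that it is more accurate than SGS.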

18.
Methods for high-speed network traffic measurement   Total citations: 1, self-citations: 1, citations by others: 1
周爱平  程光  郭晓军 《软件学报》2014,25(1):135-153
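High-speed network traffic measurement is the basis for monitoring, managing and controlling networks accurately and in real time. Based on the applications of network traffic measurement, network traffic measurement is divided into sampling methods and data streaming methods. At different levels, sampling methods are divided into packet sampling and flow sampling, and both classes are introduced; data streaming methods are introduced from the perspective of metrics. The paper describes in detail the data structures commonly used in high-speed network traffic measurement and the application of sampling and data streaming methods to it, and compares the strengths and weaknesses of the methods. It gives an overview of research progress in high-speed network traffic measurement techniques. Finally, in view of the shortcomings of existing network traffic measurement methods, the development trends and further research directions of network traffic measurement are discussed.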

19.
We consider the mean–variance relationship of the number of flows in traffic aggregation, where flows are divided into several groups randomly, based on a predefined flow aggregation index, such as source IP address. We first derive a quadratic relationship between the mean and the variance of the number of flows belonging to a randomly chosen traffic aggregation group. Note here that the result is applicable to sampled flows obtained through packet sampling. We then show that our analytically derived mean–variance relationship fits well those in actual packet trace data sets. Next, we present two applications of the mean–variance relationship to traffic management. One is an application to detecting network anomalies through monitoring a time series of traffic. Using the mean–variance relationship, we determine the traffic aggregation level in traffic monitoring so that it meets two predefined requirements on false positive and false negative ratios simultaneously. The other is an application to load balancing among network equipments that require per-flow management. We utilize the mean–variance relationship for estimating the processing capability required in each network equipment.

20.
IEEE 802.11-based wireless mesh networks are being increasingly deployed in enterprise and municipal settings. A lot of work has been done on developing measurement-based schemes for resource provisioning and fault management in these networks. The above goals require an efficient monitoring infrastructure to be deployed, which can provide the maximum amount of information regarding the network status, while utilizing the least possible amount of network resources. However, network monitoring involves overheads, which can adversely impact performance from the perspective of the end user. The impact of monitoring overheads on data traffic has been overlooked in most of the previous works. It remains unclear as to how parameters such as number of monitoring agents, or frequency of reporting monitoring data, among others, impact the performance of a wireless network. In this work, we first evaluate the impact of monitoring overheads on data traffic, and show that even small amounts of overhead can cause a large degradation in the network performance. We then explore several different techniques for reducing monitoring overheads, while maintaining the objective (resource provisioning, fault management, and others) that needs to be achieved. Via extensive simulations and experiments, we validate the efficiency of our proposed approaches in reducing overheads, their impact on the quality of data collected from the network, and the impact they have on the performance of the applications using the collected data. Based on results, we conclude that it is feasible to make the current monitoring techniques more efficient by reducing the communication overheads involved while still achieving the desired application-layer objectives.
