
180 Park Ave - Building 103
Florham Park, NJ
Automatically Inferring the Evolution of Malicious Activity on the Internet.
Shobha Venkataraman, David Brumley, Subhabrata Sen, Oliver Spatscheck
NDSS,
2013.
[PDF]
[BIB]
ISOC Copyright
The definitive version was published in 2013, 2013-02-24, http://www.cs.unc.edu/~amw/ndss2013/ISOC_copyright_forms.txt
{Internet-based services routinely contend with a range of
malicious activity (e.g., spam, scans, botnets) that can potentially
arise from virtually any part of the global Internet
infrastructure and that can shift longitudinally over time. In
this paper, we develop the first algorithmic techniques to automatically
infer regions of the internet with shifting security
characteristics in an online fashion. Conceptually, our
key idea is to model the malicious activity on the Internet as
a decision tree over the IP address space, and identify the
dynamics of the malicious activity by inferring the dynamics
of the decision tree. Our evaluations on large corpuses of
mail data and botnet data indicate that our algorithms are
fast, can keep up with Internet-scale traffic data, and can
extract changes in sources of malicious activity substantially
better (a factor of 2.5) than approaches based on using
predetermined levels of aggregation such as BGP-based
network-aware clusters. Our case studies demonstrate our
algorithm’s ability to summarize large shifts in malicious
activity to a small number of IP regions (by as much as two
orders of magnitude), and thus help focus limited operator
resources. Using our algorithms, we find that some regions
of the Internet are prone to much faster changes than others,
such as a set of small and medium-sized hosting providers
that are of particular interest to mail operators.}

Can you GET me now? Estimating the Time-to-First-Byte of HTTP transactions with Passive Measurements
Emir Halepovic, Jeffrey Pang, Oliver Spatscheck
ACM Internet Measurement Conference 2012,
2012.
[PDF]
[BIB]
ACM Copyright
(c) ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in 2012, 2012-11-14.
{Cellular network operators have a compelling interest to monitor HTTP transaction latency because it is an important component of the user experience. Existing techniques to monitor latency require active probing or use passive analysis to estimate round-trip time (RTT). Unfortunately, it is impractical to use active probing to monitor entire cellular networks, and RTT is only one component of HTTP latency in cellular networks. This paper presents a new passive technique to estimate HTTP transaction latency that overcomes the scaling and completeness limitations of prior approaches. We validate our technique in an operational cellular network and present results for traffic in the wild.}

To Cache or not to Cache: The 3G case
Jeffrey Erman, Alexandre Gerber, Mohammad Hajiaghayi, Dan Pei, Subhabrata Sen, Oliver Spatscheck
IEEE Internet Computing,
2011.
[PDF]
[BIB]
IEEE Copyright
This version of the work is reprinted here with permission of IEEE for your personal use. Not for redistribution. The definitive version was published in IEEE Internet Computing, 2011, 2011-01-01
{Cellular networks have witnessed tremendous traffic growth
recently, fueled by the rapid proliferation of smartphones,
laptops with mobile data cards, and new technologies improving
the performance of these networks. However, unlike
the wired world, there exists a rather limited understanding
of the application mixes and the characteristics of this traffic.
Recent studies have shown that in the wired broadband
world, HTTP traffic accounts for the vast majority of the application
traffic and that forward caching of HTTP objects
results in substantial savings in network resources. What
about cellular networks? The answer is a function of the
traffic characteristics, network architecture, as well as the
various cost points associated with delivering traffic in these
networks. In this paper, we examine the characteristics of
HTTP traffic generated by millions of users across one of
the world's largest 3G cellular networks, and explore the potential
of forward caching. We provide a simple cost model
that third parties can easily use to determine the cost-benefit
tradeoffs for their own cellular network settings. This is the
first large scale caching analysis in cellular networks.}

Profiling Resource Usage for Mobile Applications: A Cross-layer Approach
Feng Qian, Zhaoguang Wang, Alexandre Gerber, Z. Morley Mao, Subhabrata Sen, Oliver Spatscheck
in Proc. of ACM MobiSys,
2011.
[PDF]
[BIB]
ACM Copyright
(c) ACM, 2011. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proc. of ACM MobiSys, 2011-06-27.
{Despite the popularity of mobile applications, their performance
and energy bottlenecks remain hidden due to a lack of visibility into
the resource-constrained mobile execution environment with potentially
complex interaction with the application behavior. We design
and implement ARO, the mobile Application Resource Optimizer,
the first tool that efficiently and accurately exposes the cross-layer
interaction among various layers including radio resource channel
state, transport layer, application layer, and the user interaction
layer to enable the discovery of inefficient resource usage for
smartphone applications. To realize this, ARO provides three key
novel analyses: (i) accurate inference of lower-layer radio resource
control states, (ii) quantification of the resource impact of application
traffic patterns, and (iii) detection of energy and radio resource
bottlenecks by jointly analyzing cross-layer information. We have
implemented ARO and demonstrated its benefit on several essential
categories of popular Android applications to detect radio resource
and energy inefficiencies, such as unacceptably high (46%) energy
overhead of periodic audience measurements and inefficient content
prefetching behavior.}

Over The Top Video: the Gorilla in Cellular Networks
Jeffrey Erman, Alexandre Gerber, Subhabrata Sen, Oliver Spatscheck, Kadangode Ramakrishnan
in Proc. of ACM Internet Measurement Conference (IMC),
2011.
[PDF]
[BIB]
ACM Copyright
(c) ACM, 2011. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proc. of ACM Internet Measurement Conference (IMC), 2011-11-01.
{Cellular networks have witnessed tremendous traffic growth
recently, fueled by smartphones, tablets and new high speed
broadband cellular access technologies. A key application
driving that growth is video streaming. Yet very little is
known about the characteristics of this traffic class. In this
paper, we examine video traffic generated by three million
users across one of the world's largest 3G cellular networks.
This first deep dive into cellular video streaming shows that
HLS, an adaptive bitrate streaming protocol, accounts for
one third of the streaming video traffic and that it is common
to see changes in encoding bitrates within a session. We also
observe that most of the content is streamed at less than 255
Kbps and that only 40% of the videos are fully downloaded.
Another key finding is that there exists significant potential
for caching to deliver this content.}

Internet-scale Visualization and Detection of Performance Events
Shobha Venkataraman, Jeffrey Pang, Subhabrata Sen, Oliver Spatscheck
Usenix Annual Technical Conference,
2011.
[PDF]
[BIB]
USENIX Copyright
The definitive version was published in Proceedings of the Annual Technical Conference, Usenix, 2011-06-15
{Operators typically monitor the performance of network server farms
using rule-based scripts to automatically flag "events of interest" on
an array of active and passive performance measurement feeds.
However, such automatic detection is typically limited to events with
known properties. A different challenge involves detecting the
"unknown unknowns" -- the events of interest whose properties are
unknown, and therefore, cannot be defined beforehand. Visualization
can significantly aid the rapid discovery of such unknown patterns, as
network operators, with domain expertise, may quickly notice
unexpected shifts in traffic patterns when represented visually.
However, the volume of Internet-wide raw performance data can easily
overwhelm human comprehension, and therefore, an effective
visualization needs to be sparse in representation, yet discriminating
of good and poor performance.
This paper presents a tool that can be used to visualize performance metrics at Internet-scale. At its core, the tool builds decision trees over the IP address space using performance measurements, so that IP addresses with similar performance characteristics are clustered together, and those with significant performance differences are separated. These decision trees need to be dynamic -- i.e., learnt online, and adapt to changes in the underlying network. We build these adaptive decision trees by extending online decision-tree learning algorithms to the unique challenges of classifying performance measurements across the Internet, and
our tool then visualizes these adaptive decision trees, distinguishing parts of the
network with good performance from those with poor performance. We
show that the differences in the visualized decision trees help us
quickly discover new patterns of usage and novel anomalies in latency
measurements at a large server farm.}

Demo: Mobile Application Resource Optimizer (ARO)
Feng Qian, Zhaoguang Wang, Alexandre Gerber, Z. Morley Mao, Subhabrata Sen, Oliver Spatscheck
in Proc. of ACM MobiSys,
2011.
[PDF]
[BIB]
ACM Copyright
(c) ACM, 2011. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proc. of ACM MobiSys, 2011-06-27.
{Despite the popularity of mobile applications, their performance
and energy bottlenecks remain hidden due to a lack of visibility into
the resource-constrained mobile execution environment with potentially
complex interaction with the application behavior. We design
and implement ARO, the mobile Application Resource Optimizer,
the first tool that efficiently and accurately exposes the cross-layer
interaction to enable the discovery of inefficient resource usage.}

TOP: Tail Optimization Protocol for Cellular Radio Resource Allocation
Alexandre Gerber, Oliver Spatscheck, Subhabrata Sen, Feng Qian (University of Michigan), Zhaoguang Wang (University of Michigan), Z. Morley Mao (University of Michigan)
ICNP, 18th IEEE International Conference on Network Protocols,
2010.
[PDF]
[BIB]
IEEE Copyright
This version of the work is reprinted here with permission of IEEE for your personal use. Not for redistribution. The definitive version was published in ICNP, 18th IEEE International Conference on Network Protocols, 2010, 2010-10-05
{In 3G cellular networks, the release of radio resources
is controlled by inactivity timers. However, the timeout
value itself, also known as the tail time, can last up to 15 seconds
due to the necessity of trading off resource utilization efficiency
for low management overhead and good stability, thus wasting
a considerable amount of radio resources and battery energy at
user handsets. In this paper, we propose Tail Optimization Protocol
(TOP), which enables cooperation between the phone and
the radio access network to eliminate the tail whenever possible.
Intuitively, applications can often accurately predict a long idle
time. Therefore the phone can notify the cellular network of such
an imminent tail, allowing the latter to immediately release radio
resources. To realize TOP, we utilize a recent proposal of 3GPP
specification called fast dormancy, a mechanism for a handset to
notify the cellular network for immediate radio resource release.
TOP thus requires no change to the cellular infrastructure
and only minimal changes to smartphone applications. Our
experimental results based on real traces show that with a
reasonable prediction accuracy, TOP saves the overall radio
energy (up to 17%) and radio resources (up to 14%) by reducing
tail times by up to 60%. For applications such as multimedia
streaming, TOP can achieve even more significant savings of
radio energy (up to 60%) and radio resources (up to 50%).}

Speed Testing without Speed Tests: Estimating Achievable Download Speed from Passive Measurements
Jeffrey Pang, Shobha Venkataraman, Oliver Spatscheck, Alexandre Gerber
in Proc. of ACM Internet Measurement Conference (IMC),
2010.
[PDF]
[BIB]
ACM Copyright
(c) ACM, 2010. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution.
The definitive version was published in ACM Internet Measurement Conference, 2010-11-01.
{How fast is the network? The speed at which real users can download content at different locations and at different times is an important metric for service providers. Knowledge of this speed helps determine where to provision more capacity and helps detect network problems. However, most network-level estimates of these speeds today are obtained using active "speed tests" that place substantial load on the network and are not necessarily representative of actual user experiences due to limited vantage points. These problems are exacerbated in wireless networks where the physical locations of users play an important role in performance. To redress these problems, this paper presents a new technique to estimate achievable download speed using only flow records collected passively. Estimating achievable speed passively is non-trivial because the measured throughput of real flows is often not comparable to the achievable steady-state TCP rate. This can be because, for example, flows are small and never exit TCP slow start or are rate-limited by the content-provider. Our technique addresses these issues by constructing a Throughput Index, a list of flow types that accurately estimate achievable speed. We show that our technique estimates achievable throughput more accurately than other techniques in a large 3G wireless network.}

Network DVR: A Programmable Framework for Application-Aware Trace Collection
Chia-Wei Chang, Alexandre Gerber, Bill Lin (University of California), Subhabrata Sen, Oliver Spatscheck
in Proc. Passive and Active Measurement Conference (PAM),
2010.
[PDF]
[BIB]
Springer Copyright
The definitive version was published in PAM/2010 (Springer, LNCS), 2010-04-09
{Network traces are essential for a wide range of network applications,
including traffic analysis, network measurement, performance monitoring, and
security analysis. Existing capture tools do not have sufficient built-in intelligence
to understand these application requirements. Consequently, they are forced to
collect all packet traces that might be useful at the finest granularity to meet a
certain level of accuracy requirement. It is up to the network applications to process
the per-flow traffic statistics and extract meaningful information. But for a
number of applications, it is much more efficient to record packet sequences for
flows that match some application-specific signatures, specified using for example
regular expressions. A basic approach is to begin memory-copy (recording)
when the first character of a regular expression is matched. However, often times,
a matching eventually fails, thus consuming unnecessary memory resources during
the interim. In this paper, we present a programmable application-aware triggered
trace collection system called Network DVR that performs precisely the
function of packet content recording based on user-specified trigger signatures.
This in turn significantly reduces the number of memory copies that the system
has to consume for valid trace collection, which has been shown previously as
a key indicator of system performance [8]. We evaluated our Network DVR implementation
on a practical application using 10 real datasets that were gathered
from a large enterprise Internet gateway. In comparison to the basic approach in
which the memory-copy starts immediately upon the first character match without
triggered-recording, Network DVR was able to reduce the amount of memory copies
by a factor of over 500x on average across the 10 datasets and over 800x
in the best case.}

Characterizing Radio Resource Allocation for 3G Networks
Oliver Spatscheck, Subhabrata Sen, Alexandre Gerber, Feng Qian, Zhaoguang Wang, Z. Morley Mao
in Proc. of ACM Internet Measurement Conference (IMC),
2010.
[PDF]
[BIB]
ACM Copyright
(c) ACM, 2010. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Internet Measurement Conference, 2010-11-01.
{3G cellular data networks have recently witnessed explosive
growth. In this work, we focus on UMTS, one of the
most popular 3G mobile communication technologies. Our
work is the first to accurately infer, for any UMTS network,
the state machine (both transitions and timer values)
that guides the radio resource allocation policy through a
light-weight probing scheme. We systematically characterize
the impact of operational state machine settings by analyzing
traces collected from a commercial UMTS network, and
pinpoint the inefficiencies caused by the interplay between
smartphone applications and the state machine behavior.
Besides the basic characterization, we explore the optimal
state machine settings in terms of several critical timer values
evaluated using real network traces.
Our findings suggest that the fundamental limitation of
the current state machine design is the static nature of treating
all traffic according to the same inactivity timer, making
it difficult to balance the tradeoffs among radio resource usage
efficiency, network management overhead, device radio
energy consumption, and performance. To the best of our
knowledge, our work is the first empirical study that employs
real cellular traces to investigate the optimality of the state
machine configurations. Our analysis also demonstrates that
traffic patterns impose significant impact on the radio resource
and energy consumption. In particular, we propose
a simple improvement that reduces YouTube streaming energy
by 80% by leveraging an existing feature called fast
dormancy supported by the 3GPP specifications.}

Tracking Dynamic Sources of Malicious Activity at Internet-Scale
Shobha Venkataraman, Subhabrata Sen, Oliver Spatscheck, Avrim Blum, Dawn Song
Neural Information Processing Systems (NIPS) 2009,
2009.
[PDF]
[BIB]
{We formulate and address the problem of discovering dynamic malicious regions on the Internet. We model this problem as one of adaptively pruning a known decision tree, but with additional challenges: (1) severe space requirements, since the underlying decision tree has over 4 billion leaves, and (2) a changing target function, since malicious activity on the Internet is dynamic. We present a novel algorithm that addresses this problem, by putting together a number of different "experts" algorithms and online paging algorithms. We prove guarantees on our algorithm's performance as a function of the best possible pruning of a similar size, and our experiments show that our algorithm achieves high accuracy on large real-world data sets, with significant improvements over existing approaches.}

TCP Revisited: A Fresh Look at TCP in the Wild
Feng Qian, Alexandre Gerber, Z. Morley Mao, Subhabrata Sen, Oliver Spatscheck, Walter Willinger
in Proc. of ACM Internet Measurement Conference (IMC),
2009.
[PDF]
[BIB]
ACM Copyright
(c) ACM, 2009. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ACM Internet Measurement Conference, 2009-11-04
{Since the last in-depth studies of measured TCP traffic some 6-8
years ago, the Internet has experienced significant changes, including
the rapid deployment of backbone links with 1-2 orders
of magnitude more capacity, the emergence of bandwidth-intensive
streaming applications, and the massive penetration of new TCP
variants. These and other changes beg the question whether the
characteristics of measured TCP traffic in today's Internet reflect
these changes or have largely remained the same. To answer this
question, we collected and analyzed packet traces from a number of
Internet backbone and access links, focused on the "heavy-hitter"
flows responsible for the majority of traffic. Next we analyzed their
within-flow packet dynamics, and observed the following features:
(1) in one of our datasets, up to 15.8% of flows have an initial congestion
window (ICW) size larger than the upper bound specified
by RFC 3390. (2) Among flows that encounter retransmission rates
of more than 10%, 5% of them exhibit irregular retransmission behavior
where the sender does not slow down its sending rate during
retransmissions. (3) TCP flow clocking (i.e., regular spacing between
flights of packets) can be caused by both RTT and non-RTT
factors such as application or link layer, and 60% of flows studied
show no pronounced flow clocking. To arrive at these findings,
we developed novel techniques for analyzing unidirectional TCP
flows, including a technique for inferring ICW size, a method for
detecting irregular retransmissions, and a new approach for accurately
extracting flow clocks.}

Network-Aware Forward caching
Jeffrey Erman, Alexandre Gerber, Mohammad Hajiaghayi, Dan Pei, Oliver Spatscheck
in Proc. World Wide Web Conference (WWW),
2009.
[PDF]
[BIB]
IW3C2 Copyright
"Copyright is held by the International World Wide Web Conference Committee (IW3C2)."
{This paper proposes and evaluates a Network Aware Forward
Caching approach for determining the optimal deployment strategy
of forward caches to a network. A key advantage of this approach
is that we can reduce the network costs associated with forward
caching to maximize the benefit obtained from their deployment.
We show in our simulation that a 37% increase to net benefits could
be achieved over the standard method of full cache deployment to
cache all POPs traffic. In addition, we show that this maximal point
occurs when only 68% of the total traffic is cached.
Another contribution of this paper is the analysis we use to motivate
and evaluate this problem. We characterize the Internet traffic
of 100K subscribers of a US residential broadband provider. We
use both layer 4 and layer 7 analysis to investigate the traffic volumes
of the flows as well as study the general characteristics of
the applications used. We show that HTTP is a dominant protocol
and accounts for 68% of the total downstream traffic and that 34%
of that traffic is multimedia. In addition, we show that multimedia
content using HTTP exhibits an 83% annualized growth rate and
other HTTP traffic has a 53% growth rate versus the 26% overall
annual growth rate of broadband traffic. This shows that HTTP
traffic will become ever more dominant and increase the potential
caching opportunities. Furthermore, we characterize the core
backbone traffic of this broadband provider to measure the distance
traveled by content and traffic. We find that CDN traffic is much
more efficient than P2P content and that there is large skew in the
Air Miles between POP in a typical network. Our findings show
that there are many opportunities in broadband provider networks
to optimize how traffic is delivered and cached.}

Multimedia content growth: From IP networks to Medianets
Alexandre Gerber, Jeffrey Erman, Oliver Spatscheck
IEEE Communications Society Live Webinar: TRANSFORMING NEXT GENERATION IP NETWORKS INTO MEDIANETS,
2009.
[PPT]
[BIB]
{Multimedia Content growth is driving network evolution
Content hybrid delivery solutions will take advantage of information across layer boundaries:
+ Network-aware applications
+ Application-aware networks
The network will have the opportunity to become the information aggregator
+ Scalable solution to the problem of "who to tell" and "who to ask"
Medianets should not forget MediaNetworkManagement! }

Network-Aware Forward caching
Alexandre Gerber, Jeffrey Erman, Mohammad Hajiaghayi, Dan Pei, Oliver Spatscheck
2008.
[PPT]
[BIB]

Multicast Instant Channel Change in IPTV Systems
Kadangode Ramakrishnan, Alexandre Gerber, Oliver Spatscheck, Damodar Banodkar, Shivkumar Kalyanaraman
In Proc. of the Conference on COMmunication System softWAre and middlewaRE (COMSWARE),
2008.
[BIB]
{IPTV delivers television content over an IP infrastructure with the potential to enrich the viewing experience of users by integrating data applications with video delivery. From an engineering perspective, IPTV places both significant steady state and transient demands on network bandwidth. Typical IPTV streaming techniques incur delays to fill the play-out buffer. But, when viewers switch or surf channels, it is important to minimize this user-perceived latency. Traditional Instant Channel Change (ICC) techniques reduce this latency by having a separate unicast assist channel for every user changing channels. Instead, we propose a multicast-based approach using a secondary "channel change stream" in association with the multicast of the regular quality stream for the channel requested. During channel change events, the user does a multicast join to this new stream and experiences smaller display latency. In the background, the play-out buffer of the new full-quality multicast stream is filled. Then, the transition to the new channel is complete. We show that this approach has several performance benefits including lower bandwidth consumption even during flash crowds of channel changes, lower display latency (50% lower), and lower variability of network & server load. The tradeoff is a lower quality video during the play-out buffering period of a few seconds. Our results are based upon both synthetic channel change arrival patterns as well as traces collected from an operational IPTV environment. }

Characterizing large DNS traces using graphs
Charles D. Cranor, Emden R. Gansner, Balachander Krishnamurthy, Oliver Spatscheck
Internet Measurement Workshop,
pp. 55-67,
2001.
[BIB]

Reverse Firewall With Self-Provisioning,
Tue May 28 17:26:32 EDT 2013
An application provisioning device may be used to manage a profile of a host and provide data corresponding to a selected application for installation at a host. A reverse firewall may use the profile of the host to determine whether to allow or block particular network communication from an application running on the host. An indication of a selected application may be received at the application provisioning device. Configuration information may also be received at the application provisioning device. The application provisioning server may request an update to the profile of a host and transmit such a request. The profile may be updated to reflect the configuration information and/or information of the selected application. Data corresponding to the selected application may be updated and transmitted to a host computer, where it may be installed. Therefore, the installed application running on the host may operate without being prematurely blocked by the reverse firewall.
Systems, Methods, And Devices For Defending A Network,
Tue Jan 01 17:24:28 EST 2013
Certain exemplary embodiments comprise a method comprising: within a backbone network: for backbone network traffic addressed to a particular target and comprising attack traffic and non-attack traffic, the attack traffic simultaneously carried by the backbone network with the non-attack traffic: redirecting at least a portion of the attack traffic to a scrubbing complex; and allowing at least a portion of the non-attack traffic to continue to the particular target without redirection to the scrubbing complex.
Bulk Data Transport In A Network,
Tue Sep 25 16:11:53 EDT 2012
A network is configured to utilize available bandwidth to conduct bulk data transfers without substantially affecting the successful transmission of time-sensitive traffic in the network. In order to avoid this interference, the packets carrying data for bulk data transfers are associated with a low priority class such that the routers of the network will preferentially drop these packets over packets associated with the normal traffic of the network. As such, when the normal traffic peaks or there are link failures or equipment failures, the normal traffic is preferentially transmitted over the bulk-transfer traffic and thus the bulk-transfer traffic dynamically adapts to changes in the available bandwidth of the network. Further, to reduce the impact of dropped packets for the bulk-transfer traffic, the packets of the bulk-transfer traffic are encoded at or near the source component using a loss-resistant transport protocol so that the dropped packets can be reproduced at a downstream link.
Real-Time Content Detection In ISP Transmissions,
Tue May 29 16:10:35 EDT 2012
A method and system for detecting the transmission of preidentified content, such as copyrighted material, over an Internet Service Provider (ISP) network. A set of rules is provided to identify one or more traffic flow profiles of data streams transmitting preidentified content. Preferably the rules are adaptively created through analysis of actual ISP data in conjunction with data suggesting an initial set of profile characteristics. The rules are applied to data streams being transmitted in the ISP network, so that data streams fitting one or more of the profiles are identified. A database contains, e.g., as digital signatures or fingerprints, one or more items of content whose transmission is sought to be detected. Data streams identified as matching a profile are analyzed to determine if their content matches an item of content in the database, and if so, an action is taken which may include interrupting the transmission, suspending an ISP account, or reporting the transmission. An ISP with a system performing this method may offer services to content providers, and a plurality of ISPs may jointly use a single database of preidentified content to be compared to each ISP's identified data streams.
Progressive Wiretap,
Tue Apr 17 16:10:02 EDT 2012
Disclosed is a method and system for identifying a controller of a first computer transmitting a network attack to an attacked computer. To identify an attacker implementing the attack on the attacked computer, the present invention traces the attack back to the controller one hop at a time. The invention examines traces of the attacked computer to identify the first computer. Traffic transmitted to the first computer is redirected through a monitoring complex before being transmitted to the first computer. The controller is then detected from traffic monitoring by the monitoring complex.
Method And Apparatus For Providing An Application-Level Utility Metric,
Tue Jan 17 16:08:59 EST 2012
A method and apparatus for providing an application utility metric for an application by taking into account multiple protocols used by the application as well as at least one interaction of the application at the application-level that is deemed to be useful are disclosed. For example, the method computes a protocol overhead of one or more underlying Internet Protocol suite protocols supporting the application. The method also computes an application-level overhead based on at least one application-level interaction. Finally, the method computes the application-level utility metric in accordance with the protocol overhead and the application-level overhead.
Efficient Predicate Prefilter For High Speed Data Analysis,
Tue Nov 01 16:06:22 EDT 2011
A method and system are disclosed for operating a high speed data stream management system which runs a query plan including a set of queries on a data feed in the form of a stream of tuples. A predicate prefilter is placed outside the query plan upstream of the set of queries, and includes predicates selected from those used by the queries. Predicates are selected for inclusion in the prefilter based on a cost heuristic, and predicates are combined into composites using a rectangle mapping heuristic. The prefilter evaluates the presence of individual and composite predicates in the tuples and returns a bit vector for each tuple with bits representing the presence or absence of predicates in the tuple. A bit signature is assigned to each query to represent the predicates related to that query, and a query is invoked when the tuple bit vector and the query bit signature are compatible.
Method And Apparatus For Large-Scale Automated Distributed Denial Of Service Attack Detection,
Tue Aug 16 16:05:58 EDT 2011
A multi-staged framework for detecting and diagnosing Denial of Service attacks is disclosed in which a low-cost anomaly detection mechanism is first used to collect coarse data, such as may be obtained from Simple Network Management Protocol (SNMP) data flows. Such data is analyzed to detect volume anomalies that could possibly be indicative of a DDoS attack. If such an anomaly is suspected, incident reports are then generated and used to trigger the collection and analysis of fine-grained data, such as that available in Netflow data flows. Both types of collection and analysis are illustratively conducted at edge routers within the service provider network that interface customers and customer networks to the service provider. Once records of the more detailed information have been retrieved, they are examined to determine whether the anomaly represents a distributed denial of service attack, at which point an alarm is generated.
System And Method For Real-Time Diagnosis Of Routing Problems,
Tue Mar 01 16:04:33 EST 2011
A system and method for detecting and diagnosing routing problems in a network in real-time by recording TCP flow information from at least one server to at least one prefix, and observing retransmission packets communicated from the at least one server to the at least one prefix. When a predetermined threshold for TCP flows to a prefix is reached, traceroutes may be triggered to a destination in the prefix, and the traceroutes analyzed to determine whether to issue an alarm for a routing failure. The system includes a real-time data collection engine for recording unidirectional TCP flow information, a real-time detection engine for observing the retransmission packets and issuing a warning upon a retransmission counter exceeding a predetermined threshold, and a real-time diagnosis engine for triggering at least one traceroute to a destination in the prefix that is randomly selected from TCP flows in retransmission states.
Systems And Methods For Proactive Surge Protection,
Tue Dec 28 15:05:24 EST 2010
A system for protecting a network from a traffic surge includes a data collection module, an allocation module, and a traffic flow module. The data collection module is configured to obtain network utilization information for a plurality of traffic flows. The allocation module is configured to determine a bandwidth allocation to minimize a drop probability for the plurality of traffic flows. The traffic flow module is configured to preferentially drop network packets for a traffic flow exceeding the optimal bandwidth allocation.
Sampling And Analyzing Packets In A Network,
Tue Dec 14 15:05:20 EST 2010
The preferred embodiments of the present invention can include sampling packets transmitted over a network based on the content of the packets. If a packet is sampled, the sampling unit can add one or more fields to the sampled packet that can include a field for a number of bytes contained in the packet, a packet count, a flow count, a sampling type, and the like. The sampled packets can be analyzed to discern desired information from the packets. The additional fields that are added to the sampled packets can be used during the analysis.
Estimating Origin-Destination Flow Entropy,
Tue Aug 10 15:04:23 EDT 2010
The preferred embodiments of the present invention are directed to estimating entropy of origin-destination (OD) data flows in a network. To achieve this, first and second sketches are created corresponding to ingress (i.e. origin) and egress (i.e. destination) flows. The sketches allow estimating entropy associated with data streams as well as entropy associated with an intersection of two or more of the data streams, which provides a mechanism for estimating the entropy of OD flows in a network.
Method And Apparatus For Limiting Reuse Of Domain Name System Information,
Tue May 25 15:03:55 EDT 2010
A method of limiting reuse of domain name information is disclosed. In accordance with the method, domain name information is received at a first domain name server. The domain name information includes a time limit and a request limit associated with subsequent distribution of the domain name information to at least one requestor. The received domain name information is validated from a second domain name server based on the earliest expiration of the time limit and the request limit.
Statistical, Signature-Based Approach To IP Traffic Classification,
Tue Feb 09 15:03:27 EST 2010
A signature-based traffic classification method maps traffic into preselected classes of service (CoS). By analyzing a known corpus of data that clearly belongs to identified ones of the preselected classes of service, in a training session the method develops statistics about a chosen set of traffic features. In an analysis session, relative to traffic of the network where QoS treatments are desired (target network), the method obtains statistical information relative to the same chosen set of features for values of one or more predetermined traffic attributes that are associated with connections that are analyzed in the analysis session, yielding a statistical features signature of each of the values of the one or more attributes. A classification process then establishes a mapping between values of the one or more predetermined traffic attributes and the preselected classes of service, leading to the establishment of QoS treatment rules.
Method And Apparatus For Content Distribution Network Brokering And Peering,
Tue Jul 14 16:07:34 EDT 2009
The present invention provides an architecture that advantageously leverages multiple content distribution networks to provide enhanced services. In accordance with an embodiment of the present invention, a share of content requests is served by each of a plurality of content distribution networks. The fraction of content requests served by a particular content distribution network can be determined dynamically, depending on the offered load or other traffic characteristics.
Method and apparatus for packet analysis in a network,
Tue Nov 11 18:13:14 EST 2008
A method and system for monitoring traffic in a data communication network and for extracting useful statistics and information is disclosed. In accordance with an embodiment of the invention, a network interface card has a run-time system and one or more processing blocks executing on the network interface. The run-time system module feeds information derived from a network packet to the processing modules which process the information and generate output such as condensed statistics about the packets traveling through the network.
Method and apparatus for limiting reuse of domain name system response information,
Tue Oct 28 18:13:06 EDT 2008
A method of limiting reuse of domain name information includes the steps of requesting the information by a local domain name server from an authoritative domain name server, and providing this information to a requestor, such as a client or server. The domain name information includes an allowable usage limit that represents a maximum number of times that the information can be provided to the requestor before revalidating the information. A system for limiting reuse of domain name information includes an authoritative domain name server, a local domain name server, and a requestor. The authoritative server provides the information, which includes the allowable usage limit, in response to a request by the local server. The request from the local server may include the number of times that the local server provided the information to one or more requestors as an observed usage.
Apparatus and methods for providing translucent proxies in a communications network,
Tue Jun 10 18:12:53 EDT 2008
The Translucent Proxying of TCP (TPOT) device and methods use TCP-OPTIONS and IP tunneling to guarantee that all IP packets belonging to a specific TCP connection will traverse the proxy which intercepts the first packet of data. This guarantee allows the ad-hoc deployment of TPOT devices anywhere within the communication network, and does not restrict the placement of proxy devices at the edge of the network. Furthermore, no extra signaling support is required for the TPOT device to properly function while the addition of TPOT devices to communication networks significantly improves the throughput of intercepted TCP packets of data.
Method and apparatus for packet analysis in a network,
Tue Jan 16 18:11:49 EST 2007
A method and system for monitoring traffic in a data communication network and for extracting useful statistics and information is disclosed. In accordance with an embodiment of the invention, a network interface card has a run-time system and one or more processing blocks executing on the network interface. The run-time system module feeds information derived from a network packet to the processing modules which process the information and generate output such as condensed statistics about the packets traveling through the network.
Method for content distribution in a network supporting a security protocol,
Tue Dec 12 18:11:45 EST 2006
The present invention is directed to a method of providing content distribution services while minimizing the processing time required for security protocols such as the Secure Sockets Layer.
Apparatus and methods for providing translucent proxies in a communications network,
Tue Mar 21 18:11:03 EST 2006
The Translucent Proxying of TCP (TPOT) device and methods use TCP-OPTIONS and IP tunneling to guarantee that all IP packets belonging to a specific TCP connection will traverse the proxy which intercepts the first packet of data. This guarantee allows the ad-hoc deployment of TPOT devices anywhere within the communication network, and does not restrict the placement of proxy devices at the edge of the network. Furthermore, no extra signaling support is required for the TPOT device to properly function while the addition of TPOT devices to communication networks significantly improves the throughput of intercepted TCP packets of data.
AT&T Fellow, 2012.
For groundbreaking contributions in network and service management, including monitoring, service architecture and application design.
Science & Technology Medal, 2007.
Honored for invention and innovative application of GS Tool deep packet inspection technology.