Wireless Network Security:
Probabilistic Network Anomaly Detection:
I am much more interested in probabilistic network anomaly detection as opposed to signature based detection, and am excited as this field moves from the early tasks of finding anomalies such as Denial of Service attacks, to more subtle behaviors.
  • Xu, Zhang, and Bhattacharyya in ACM SIGCOMM 2005 discussed Profiling Internet Backbone Traffic: Behavior Models and Applications, where they used NetFlow data and the entropy of features to create clusters. They discovered structure in the clusters and built common behavior models for profiling. Behavior was classified by communication pattern, and dominant state analysis was used to model the interaction between features. They were able to isolate clusters such as servers, heavy hitters, and port scans.

  • Karagiannis, Papagiannaki, and Faloutsos in ACM SIGCOMM 2005 discussed BLINC: Multilevel Traffic Classification in the Dark. They also use NetFlow data, and have developed a very interesting set of heuristics to associate hosts with applications, then classify flows using that knowledge. They capture host behavior at three views: social, functional, and application.

  • Lakhina, Crovella, and Diot in ACM SIGCOMM 2005 discussed Mining Anomalies Using Traffic Feature Distributions. They used sampled NetFlow data and showed that unsupervised clustering (they demonstrate hierarchical agglomerative and k-means) can be applied by building multidimensional vectors of the entropy of several features, using the Euclidean distance between the vectors as the distance function. They have a good algorithm for determining the "correct" number of clusters given the data.

  • Moore and Zuev in ACM SIGMETRICS 2005 discussed Internet Traffic Classification Using Bayesian Analysis Techniques, which used packet-level traces and a large number of features. They performed supervised classification using a Naive Bayes classifier.

  • Estan, Savage, and Varghese in ACM SIGCOMM 2003 presented Automatically Inferring Patterns of Resource Consumption in Network Traffic, a new method of traffic characterization that performs automatic clustering in a system called AutoFocus. The representations of networks they present are very interesting.

  • I co-developed and tested the first full rate OC-3 (155Mbps) proxy firewall for Trusted Information Systems using their Gauntlet Internet Firewall product as reported in Fast Firewalls for ATM in Data Communications Magazine, September 1996.

  • I wrote a now very dated article on building a proxy-based firewall on a UNIX bastion host titled Creating A Linux Firewall Using the TIS Firewall Toolkit in the Linux Journal, May 1996. I still feel very strongly about the advantages of using proxy-based systems, and in general the philosophy of explicitly allowing behavior, instead of trying to make a list of bad behaviors.
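The entropy-of-features idea behind the Xu et al. and Lakhina et al. items above, worked as an added example (my own illustration, not code from either paper): each time bin of flow records is summarised by a vector of the Shannon entropies of source IP, destination IP, source port and destination port, and the bins' vectors are clustered with k-means under Euclidean distance. All flow records are constructed inline, and the injected anomaly is a port scan, whose collapsed address entropy and peaked destination-port entropy make it a cluster of its own. The feature names, the bin layout and the "smallest cluster is anomalous" rule are assumptions of this example.

```python
"""Entropy-vector traffic profiling with k-means, in the spirit of the
Xu et al. and Lakhina et al. work summarised above.  Added illustration,
not code from either paper; every flow record below is constructed."""
import math
import random
from collections import Counter

# Header features whose per-bin distributions are summarised by entropy.
FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")


def sample_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def entropy_vector(flows):
    """One point per time bin: the entropy of each header feature over the bin."""
    return tuple(sample_entropy([f[k] for f in flows]) for k in FEATURES)


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=50):
    """Lloyd's k-means with farthest-first seeding, so the result is deterministic."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(euclidean(p, c) for c in centers)))
    labels = None
    for _ in range(iters):
        new_labels = [min(range(k), key=lambda i: euclidean(p, centers[i])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:
                centers[i] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels, centers


def normal_bin(rng, n=200):
    """Constructed 'normal' bin: many clients, a few servers, well-known service ports."""
    return [{"src_ip": f"10.0.0.{rng.randrange(1, 51)}",
             "dst_ip": f"192.0.2.{rng.randrange(1, 31)}",
             "src_port": rng.randrange(1024, 65536),
             "dst_port": rng.choice((22, 25, 53, 80, 443))} for _ in range(n)]


def port_scan_bin(rng, n=200):
    """Constructed scan bin: one source probes one target on n distinct ports, so
    source/destination entropy collapses to 0 while destination-port entropy peaks."""
    return [{"src_ip": "198.51.100.7", "dst_ip": "192.0.2.5",
             "src_port": rng.randrange(1024, 65536), "dst_port": p}
            for p in range(1, n + 1)]


def build_bins(seed=1):
    """Eight normal bins followed by one injected scan bin (index 8)."""
    rng = random.Random(seed)
    bins = [normal_bin(rng) for _ in range(8)]
    bins.append(port_scan_bin(rng))
    return bins


def find_anomalous_bins(bins, k=2):
    """Cluster the bins' entropy vectors; report the members of the smallest cluster."""
    points = [entropy_vector(b) for b in bins]
    labels, _ = kmeans(points, k)
    sizes = Counter(labels)
    minority = min(sizes, key=sizes.get)
    return [i for i, lab in enumerate(labels) if lab == minority]


if __name__ == "__main__":
    bins = build_bins()
    for i, b in enumerate(bins):
        print(i, tuple(round(h, 2) for h in entropy_vector(b)))
    print("anomalous bins:", find_anomalous_bins(bins))
```

Printing the vectors shows why the approach is robust to volume: the scan bin carries the same number of flows as a normal bin, so a byte or packet counter would not flag it, but its (0, 0, high, high) entropy signature sits many bits away from the normal cluster. Choosing k is the part the Lakhina paper treats carefully; with k fixed at 2 this example simply assumes one anomalous group.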
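The supervised side of the Moore and Zuev item above, as an added example of my own (not the paper's code or feature set): a Gaussian Naive Bayes classifier that learns a per-class mean and variance for each flow feature and assigns a new flow to the class with the highest posterior. The two application classes ("bulk" and "lookup"), the two features (mean packet size, duration) and every training flow are constructed here; the real paper used packet traces and a far larger feature set.

```python
"""Supervised flow classification with a Gaussian Naive Bayes classifier, in the
style of the Moore and Zuev item above.  Added illustration, not the paper's code;
the two application classes, the two features and all flow samples are constructed."""
import math
import random
from collections import defaultdict

# Per-flow features (constructed): mean packet size in bytes, flow duration in seconds.
FEATURE_NAMES = ("mean_pkt_bytes", "duration_s")


def make_flows(seed=7, per_class=60):
    """Constructed labelled flows: 'bulk' transfers are large and long,
    'lookup' exchanges are small and short."""
    rng = random.Random(seed)
    rows = []
    for _ in range(per_class):
        rows.append(("bulk", (rng.gauss(1100, 150), rng.gauss(20.0, 6.0))))
        rows.append(("lookup", (rng.gauss(90, 20), rng.gauss(0.05, 0.02))))
    return rows


def _mean(xs):
    return sum(xs) / len(xs)


def _var(xs, floor=1e-9):
    m = _mean(xs)
    return max(sum((x - m) ** 2 for x in xs) / len(xs), floor)  # floor avoids log(0)


class GaussianNB:
    """Each feature is modelled as an independent Gaussian per class (the 'naive' step)."""

    def fit(self, rows):
        by_class = defaultdict(list)
        for label, x in rows:
            by_class[label].append(x)
        self.log_prior = {c: math.log(len(xs) / len(rows)) for c, xs in by_class.items()}
        self.params = {c: [(_mean(col), _var(col)) for col in zip(*xs)]
                       for c, xs in by_class.items()}
        return self

    def log_posterior(self, x):
        """Unnormalised log P(class | x): log prior plus per-feature Gaussian log likelihoods."""
        scores = {}
        for c, params in self.params.items():
            ll = self.log_prior[c]
            for xi, (mu, var) in zip(x, params):
                ll += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
            scores[c] = ll
        return scores

    def predict(self, x):
        scores = self.log_posterior(x)
        return max(scores, key=scores.get)


def accuracy(clf, rows):
    """Fraction of labelled flows the classifier gets right."""
    return sum(clf.predict(x) == label for label, x in rows) / len(rows)


if __name__ == "__main__":
    clf = GaussianNB().fit(make_flows(seed=7))
    held_out = make_flows(seed=11, per_class=40)
    print("held-out accuracy:", accuracy(clf, held_out))
    print(clf.predict((1000.0, 15.0)), clf.predict((80.0, 0.03)))
```

Working in log space keeps the product of many small likelihoods from underflowing, which matters once the feature count grows toward the hundreds used in the paper. The variance floor is the one defensive detail worth keeping: a feature that is constant within a class would otherwise give a zero variance and a division by zero at prediction time.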