36 results for Firewalls
Abstract:
Being able to accurately classify the application or program from which the flows making up Internet traffic within a network originate gives both companies and public bodies a useful tool for managing their network resources, as well as the ability to establish policies that block or prioritize specific traffic. The proliferation of new applications and new techniques has made it harder to use the well-known application port values assigned by the IANA (Internet Assigned Numbers Authority) to detect those applications. P2P (Peer to Peer) networks, the use of non-standard or random ports, and the masking of many applications' traffic as HTTP and HTTPS in order to traverse firewalls and NATs (Network Address Translation), among other factors, create the need for new traffic detection methods. The objective of this study is to develop a set of practices that make this task possible through techniques that go beyond observing ports and other well-known values. There is a range of methodologies: Deep Packet Inspection (DPI), which relies on searching for signatures based on patterns formed by packet contents, including the payload, that characterize each application; others based on automated learning (Machine Learning) of flow parameters, which uses statistical analysis to determine which application a flow may belong to; and, finally, more heuristic techniques based on intuition or the analyst's own knowledge of network traffic. Specifically, the use of some of the techniques above in combination with data mining techniques such as Principal Component Analysis (PCA) and clustering of statistics extracted from the flows in network traffic capture files is proposed.
This will involve configuring a number of parameters through an iterative trial-and-error process until a reliable traffic classification is reached. The ideal result would be one in which each application present in the traffic could be identified in a separate cluster, or in clusters that group applications of a similar nature. To that end, traffic captures will be created in a controlled environment, identifying each traffic sample with its corresponding application, and the flows will then be extracted from those captures. After that, specific parameters of the packets belonging to those flows will be obtained, such as the arrival date and time or the length in octets of the IP packet. These parameters will be loaded into a MySQL database and used to compute statistics that will help, in a subsequent step, to classify the flows through data mining. Specifically, PCA and clustering will be applied using the RapidMiner software. Finally, the results obtained will be presented in a confusion matrix so that they can be properly evaluated.

ABSTRACT. Being able to classify the applications that generate the traffic flows in an Internet network allows companies and public bodies to implement efficient resource management policies such as prohibition of specific applications or prioritization of certain application traffic, aiming to optimize the available bandwidth. The proliferation of new applications and new techniques in recent years has made it more difficult to use well-known values assigned by the IANA (Internet Assigned Numbers Authority), such as UDP and TCP ports, to identify the traffic. Also, P2P networks and data encapsulation over HTTP and HTTPS traffic have increased the need to improve these traffic analysis techniques.
The aim of this project is to develop a number of techniques that make it possible to classify the traffic with more than the simple observation of well-known ports. Some proposals have been created to cover this need: Deep Packet Inspection (DPI) tries to find signatures in the packets by reading the information contained in them, the payload, looking for patterns that can be used to characterize the applications to which that traffic belongs; Machine Learning procedures work with statistical analysis of the flows, trying to generate an automatic process that learns from those statistical parameters and calculates the likelihood of a flow belonging to a certain application; Heuristic Techniques, finally, are based on the intuition or the knowledge of the researcher about the traffic being analyzed, which can help characterize it. Specifically, the use of some of the techniques previously mentioned in combination with data mining techniques such as Principal Component Analysis (PCA) and Clustering (grouping) of the flows extracted from network traffic captures is proposed. An iterative trial-and-error process will be needed to configure these data mining techniques in search of a reliable traffic classification. The perfect result would be one in which the traffic flows of each application are grouped correctly in their own cluster, or in clusters that contain groups of applications of a similar nature. To do this, network traffic captures will be created in a controlled environment in which every capture is classified and known to belong to a specific application. Then, for each capture, all the flows will be extracted. From these flows, information such as date and arrival time or the IP length of the packets inside them will be extracted.
This information will then be loaded into a MySQL database where all the packets defining a flow will be classified and each flow will be assigned to its specific application. All the information obtained from the packets will be used to generate statistical parameters in order to describe each flow as well as possible. After that, the data mining techniques previously mentioned (PCA and Clustering) will be applied to these parameters using the RapidMiner software. Finally, the results obtained from the data mining will be compared with the real classification of the flows, which can be obtained from the database. A Confusion Matrix will be used for the comparison, letting us measure the accuracy of the developed classification process.
Abstract:
This project presents a network solution for a company that provides Contact Center services from several geographically distributed sites, using telephony over IP technology. The objective of this project is to serve as a design guide for deploying network solutions using the current communications equipment developed by the manufacturer Cisco Systems, Inc., the security equipment developed by the manufacturer Fortinet, and the telephony systems developed by Avaya Inc. and Oracle Corporation, chosen for their large market penetration and the contributions each has made to the Contact Center sector. To provide interconnection between the sites of a Contact Center, access to the MPLS network of a telecommunications operator is contracted; the operator provides connectivity between the sites using VPN MPLS technology, with two diversified accesses from each of the Contact Center's sites. The result of this contract is to take advantage of the benefits a telecommunications operator can offer its customers in terms of quality of service, availability and geographic reach. Likewise, a set of criteria or service levels is defined that guarantees the Contact Center quality communication between its sites, where quality communication is understood as communication that can be transmitted with minimum values of packet loss and transmission delay, and at a speed matching the demand of the voice and data services. As part of the solution, a redundant Internet connection is designed that provides access to all the Contact Center's sites. The local connectivity solution at each of a Contact Center's sites has been designed in a general way according to the number of user seats and the scalability each site may require.
Several options are thus shown, based on the current equipment offered by the manufacturer Cisco Systems, Inc. As part of the solution, quality criteria have been defined for choosing the Data Centers. A Contact Center has connections to or from the client companies it serves and provides network access to its teleworkers. This requirement, together with the access and services published on the Internet, calls for a security infrastructure. This leads to the design of a solution that unifies all connections under a single infrastructure, logically or virtually separating each of the services. Likewise, the use of protocols such as 802.1X has been defined to prevent unauthorized access to the Contact Center's network. The voice solution chosen is heterogeneous and capable of supporting the best-known signaling protocols (SIP and H.323), seeking maximum flexibility to establish voice over IP links (IP Trunks) with providers and clients. This is achieved through the use of SBCs and an internal voice infrastructure based on the manufacturer Avaya Inc. The VoIP systems in a Contact Center are the key elements for delivering the service; for that reason a redundant solution in a virtual environment is chosen. This solution allows the VoIP system to be deployed from any of the Contact Center's Data Centers. The solution carried out in this project is mainly based on my work experience acquired over the last seven years in the communications department of a Contact Center company. I have taken into account the main requirements that most companies wishing to contract a Contact Center service demand today. This project is divided into four chapters.
The first chapter is an introduction that explains the main business scenarios and technical areas needed to provide Contact Center services. The second chapter briefly describes the main technologies and protocols that will be used to carry out the design of the technical solution for building a communications network for a Contact Center company. The third chapter sets out the technical solution needed to allow a Contact Center company to provide its services from several geographically distributed locations, using two Data Centers where the voice and data applications are centralized. Finally, the fourth chapter presents the conclusions reached after preparing this report, as well as a proposal for future work which, together with the current project, would make up a complete technical solution including other technological areas needed in a Contact Center company. All illustrations and tables in this project are my own work, based on my professional experience and on information obtained in various formats from the bibliography consulted, except where the source is cited.

ABSTRACT This project shows a network solution for a company that provides Contact Center services from geographically distributed locations, using Telephony over Internet Protocol (ToIP) technology. The goal of this project is to become a design guide for implementing network solutions using current communications equipment developed by the manufacturer Cisco Systems, Inc., firewalls developed by the manufacturer Fortinet and telephone systems developed by Avaya Inc. and Oracle Corporation, due to their great market reputation and the contributions each one has made in the field of Contact Center.
In order to provide interconnection between its different sites, the Contact Center needs to hire the services of a telecommunications operator, who will use VPN MPLS technology, with two diversified accesses from each Contact Center site. The result of this hiring is to take advantage of the benefits that a telecommunications operator can offer its customers regarding quality of service, availability and geographical expansion. Likewise, a Service Level Agreement (SLA) has to be defined to ensure the Contact Center quality communication between its sites. Quality communication is understood as communication that is capable of being transmitted with minimum values of packet loss and transmission delay, and at a speed according to the demand of its voice and data services. As part of the solution, a redundant Internet connection has to be designed to provide access to every Contact Center site. The local connectivity solution in each of the Contact Center's sites has to be designed according to the volume of users and the scalability each one may have. For this, the manufacturer Cisco Systems, Inc. offers several options associated with its current equipment. As part of the solution, quality criteria are defined for the choice of the Data Centers. A Contact Center has connections to/from the client companies it serves, and provides network access to its teleworkers. This requirement, along with the access and services published on the Internet, needs a security infrastructure. Therefore, a solution design has been created that unifies all connections under a single infrastructure, dividing each service in a virtual way. Likewise, the use of protocols such as 802.1X has been defined to prevent unauthorized access to the Contact Center's network. The voice solution chosen is heterogeneous and capable of supporting the best-known signaling protocols (SIP and H.323) in order to have maximum flexibility to establish Voice over IP links (IP Trunks) with suppliers and clients.
This can be achieved through the use of SBCs and an internal voice infrastructure based on Avaya Inc. The VoIP systems in a Contact Center are the key elements for providing the service; for this reason a redundant solution in a virtual environment has been chosen. This solution allows the VoIP system to be deployed from any of the Data Centers. The solution carried out in this project is mainly based on my own experience acquired during the past seven years in the communications department of a Contact Center company. I have taken into account the main requirements that most companies request nowadays when they hire a Contact Center service. This project is divided into four chapters. The first chapter is an introduction that explains the main business scenarios and technical areas required to provide Contact Center services. The second chapter briefly describes the key technologies and protocols that will be used to carry out the design of the technical solution for the creation of a communications network in a Contact Center company. The third chapter shows the technical solution required to allow a Contact Center company to provide services from geographically distributed locations, using two Data Centers where data and voice applications are centralized. Lastly, the fourth chapter includes the conclusions reached after completing this project, as well as a proposal for future work which, together with the current project, would make up a complete technical solution including other necessary technological areas in a Contact Center company. All illustrations and tables in this project have been made by myself from my professional experience and the information obtained in various formats from the bibliography, except in the cases where the source is indicated.
Abstract:
INTRODUCTION
In recent years computer systems have become increasingly complex and consequently the challenge of protecting these systems has become increasingly difficult. Various techniques have been implemented to counteract the misuse of computer systems in the form of firewalls, antivirus software and intrusion detection systems. The complexity of networks and dynamic nature of computer systems leaves current methods with significant room for improvement. Computer scientists have recently drawn inspiration from mechanisms found in biological systems and, in the context of computer security, have focused on the human immune system (HIS). The human immune system provides an example of a robust, distributed system that provides a high level of protection from constant attacks. By examining the precise mechanisms of the human immune system, it is hoped the paradigm will improve the performance of real intrusion detection systems. This paper presents an introduction to recent developments in the field of immunology. It discusses the incorporation of a novel immunological paradigm, Danger Theory, and how this concept is inspiring artificial immune systems (AIS). Applications within the context of computer security are outlined drawing direct reference to the underlying principles of Danger Theory and finally, the current state of intrusion detection systems is discussed and improvements suggested.
Abstract:
SQL Injection Attack (SQLIA) remains a technique used by computer network intruders to pilfer an organisation's confidential data. An intruder re-crafts web form inputs and the query strings used in web requests with malicious intent to compromise the security of the organisation's confidential data stored in the back-end database. The database is the most valuable data source, and intruders are therefore unrelenting in evolving new techniques to bypass the signature-based solutions currently provided in Web Application Firewalls (WAF) to mitigate SQLIA. There is therefore a need for an automated, scalable methodology for pre-processing SQLIA features fit for a supervised learning model. However, obtaining a ready-made, scalable dataset that is feature-engineered with numerical attribute data items to train Artificial Neural Network (ANN) and Machine Learning (ML) models is a known obstacle to applying artificial intelligence effectively against ever-evolving novel SQLIA signatures. The proposed approach applies a numerical attribute encoding ontology to encode features (both legitimate web requests and SQLIA) as numerical data items, so as to extract a scalable dataset for input to a supervised learning model, moving towards an ML SQLIA detection and prevention model. In the numerical attribute encoding of features, the proposed model explores a hybrid of static and dynamic pattern matching by implementing a Non-Deterministic Finite Automaton (NFA). This is combined with a proxy and a SQL parser Application Programming Interface (API) to intercept and parse web requests in transit to the back-end database. In developing a solution to address SQLIA, this model allows web requests processed at the proxy and deemed to contain an injected query string to be prevented from reaching the target back-end database.
This paper is intended to evaluate the performance metrics of a dataset obtained by numerical encoding of the features ontology in Microsoft Azure Machine Learning (MAML) Studio using a Two-Class Support Vector Machine (TCSVM) binary classifier. This methodology then forms the subject of the empirical evaluation.
Abstract:
In recent years, the security of industrial control systems has been a main research focus because of potential cyber-attacks that can impact physical operations. As a result of these risks, there has been an urgent need to establish stronger security protection against these threats. Conventional firewalls with stateful rules can be deployed in a critical cyberinfrastructure environment, but they may require constant updates. Despite the ongoing effort to maintain the rules, this protection mechanism does not restrict malicious data flows, which poses a greater risk of intrusion. The contributions of this thesis are motivated by these issues and include a systematic, reliability-oriented investigation of attack-related scenarios within a substation network. The proposed work is two-fold: (i) system architecture evaluation and (ii) construction of an attack tree for a substation network. Cyber-system reliability remains one of the important factors in determining the system bottleneck for investment planning and maintenance; it determines how long the system can operate with or without disruption. First, existing implementations are exhaustively enumerated, covering existing (bidirectional) communication architectures as well as new, strictly unidirectional ones. Detailed modeling of the 10 extended system architectures has been evaluated. Next, attack tree modeling for potential substation threats is formulated, which quantifies the potential risks of possible attack scenarios within a network or from external networks. The analytical models proposed in this thesis can serve as a foundation for further research.