Workshop and poster

FAN: FAst Netflows analyser

Andrea Cosentino, Angelo Spognardi, Antonio Villani, Domenico Vitali and Luigi V. Mancini

The 32nd IEEE International Conference on Computer Communications (INFOCOM2013), Turin, Italy

Abstract The Cisco NetFlow protocol is a valid alternative to Deep Packet Inspection (DPI) for network monitoring, since it provides a lightweight picture of the exchanged traffic while avoiding the burdens of payload access, such as privacy concerns and high resource demand. The NetFlow protocol is able to condense into a single record (called a netflow) a unidirectional sequence of packets that share the source and destination addresses and that have the same ports, IP protocol, ingress interface, and IP type of service. NetFlow can therefore be used for many applications, including Intrusion Detection Systems, DoS and anomaly detection, and more.

This is why we propose FAN, an open-source, general-purpose and lightweight framework for fast netflow analysis. FAN is written in C and can run any kind of plugin for slotted netflow analysis. It has a plugin manager able to customize the plugin dependencies, in order to optimise the computations during the analysis. Moreover, it pays particular attention to netflow timeout management, which is a critical aspect of the NetFlow technology.
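As an added illustration (not code from the FAN project), the following Python sketch builds unidirectional netflow records keyed on the fields named in the abstract and expires them on an assumed inactive/active timeout, the aspect the abstract singles out as critical; the packets and timeout values are constructed, and the same packet sequence yields a different number of records depending on the inactive timeout chosen.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Unidirectional flow key, using the fields named in the abstract:
# (src addr, dst addr, src port, dst port, IP protocol, ingress interface, IP ToS)
FlowKey = Tuple[str, str, int, int, int, int, int]

@dataclass
class NetflowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

class FlowCache:
    # Timeout values are assumptions for this example, not FAN's defaults.
    def __init__(self, inactive_timeout: float, active_timeout: float = 1800.0):
        self.inactive, self.active = inactive_timeout, active_timeout
        self.open: Dict[FlowKey, NetflowRecord] = {}
        self.exported: List[NetflowRecord] = []

    def _expire(self, now: float) -> None:
        # A flow idle longer than the inactive timeout, or open longer than the active
        # timeout, is exported; later packets with the same key start a new record.
        for key, rec in list(self.open.items()):
            if now - rec.last_seen > self.inactive or now - rec.first_seen > self.active:
                self.exported.append(self.open.pop(key))

    def observe(self, ts, src, dst, sport, dport, proto, ifindex, tos, length) -> None:
        self._expire(ts)
        key: FlowKey = (src, dst, sport, dport, proto, ifindex, tos)
        rec = self.open.setdefault(key, NetflowRecord(key, ts, ts))
        rec.last_seen, rec.packets, rec.octets = ts, rec.packets + 1, rec.octets + length

    def flush(self) -> List[NetflowRecord]:
        self.exported.extend(self.open.values())
        self.open.clear()
        return self.exported

# Constructed packets: a TCP request flow, its reply (a separate unidirectional flow),
# and a late packet of the request flow after a 28-second gap.
PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 1, 0, 60),
    (1.0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 1, 0, 1500),
    (1.5, "192.0.2.10", "10.0.0.5", 443, 40000, 6, 2, 0, 1500),
    (2.0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 1, 0, 1500),
    (2.5, "192.0.2.10", "10.0.0.5", 443, 40000, 6, 2, 0, 60),
    (30.0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 1, 0, 60),
]

def records_for(inactive_timeout: float) -> List[NetflowRecord]:
    cache = FlowCache(inactive_timeout)
    for pkt in PACKETS:
        cache.observe(*pkt)
    return cache.flush()
```

With a 15-second inactive timeout the late packet opens a third record; with 60 seconds it is folded into the original request flow.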

Obsidian: A Scalable and Efficient Framework for NetFlow Obfuscation

Antonio Villani, Domenico Vitali, Daniele Riboni, Claudio Bettini and Luigi V. Mancini

The 32nd IEEE International Conference on Computer Communications (INFOCOM2013), Turin, Italy

Abstract The availability of real-world network traces is a fundamental requirement for networking research. Indeed, real network traces can help to effectively model the network behavior, to identify security attacks, and to validate research results. Unfortunately, network flows are extremely sensitive information; as a consequence, security and privacy concerns discourage the publication of such datasets.

In our previous research, we presented (k,j)-obfuscation: a new obfuscation technique for network flows that provides formal confidentiality guarantees under realistic assumptions about the adversary's knowledge, while preserving the utility of released data. This extended abstract briefly introduces Obsidian, a scalable and efficient Python implementation of the extended version of the (k,j)-obfuscation technique. Obsidian improves the previous version by supporting the incremental obfuscation of network flows.

This extension enables the obfuscation of larger datasets of network flows, as required by networking research. As such, it has been evaluated with billions of flows generated by the border router of a commercial Autonomous System (AS).

MhRep: Multi-hop Replication Scheme for Data Survival in Unattended Wireless Sensor Networks

D. Vitali, A. Spognardi, L. V. Mancini and A. Villani

Published at the 4th International Workshop on Dependable Network Computing and Mobile Systems (DNCMS 2011), in conjunction with SRDS 2011, Madrid, Spain

Abstract Unattended Wireless Sensor Networks (UWSNs) are emerging Wireless Sensor Networks (WSNs) characterized by the periodic absence of trusted entities, such as the Sink Collectors. The time periods with no sink attendance force the network sensors to locally store collected data until the next sink visit. This means that data collection is not performed in real time, but at regular intervals. Such conditions define a different paradigm with respect to traditional WSNs and introduce several new security issues, data survival above all.

To the best of our knowledge, only two strategies have been proposed to mitigate the mobile adversary's data deletion attack: encryption protocols (implementing backward and/or forward secrecy) and replication. While encryption protocols can impose an extensive computational effort and suffer from several security issues (such as key exposure), replication schemes seem to have captured renewed interest from researchers, since their power requirements seem compatible with the constraints of wireless sensors. In this paper we focus on a new replication scheme and compare its performance with some other proposals previously presented in the literature. The schemes share some model assumptions, in terms of the network and of the adversary's attack strategy and objectives.