IP Packet Header Research Articles

Online network traffic classification based on external attention and convolution by IP packet header

Network traffic classification is an important part of network monitoring and network management. Three traditional methods for network traffic classification are flow-based, session-based, and packet-based, while flow-based and session-based methods cannot meet the real-time requirements and existing packet-based methods will violate user’s privacy. To solve the above problems, we propose a network traffic classification method only by the IP packet header, which satisfies the requirements of both the user’s privacy protection and online classification performances. Through statistical analyses, we find that IP packet header information is effective on the network traffic classification tasks and this conclusion is also demonstrated by experiments. Furthermore, we propose a novel external attention and convolution mixed (ECM) model for online network traffic classification. This model adopts both low-computational complexity external attention and convolution to respectively extract the byte-level and packet-level characteristics for traffic classification. Therefore, it can achieve high classification accuracy and low time consumption. The experiments show that ECM can reach over 96% classification accuracy on four datasets and the classification time is 0.36 ms per packet which can meet the real-time requirements. The code is available at https://github.com/CNZZQ1030/ECM-for-Network-Traffic-Classification.

Hybrid Detection Technique for IP Packet Header Modifications Associated with Store-and-Forward Operations

The detection technique for IP packet header modifications associated with store-and-forward operation pertains to a methodology or mechanism utilized for the identification and detection of alterations made to packet headers within a network setting that utilizes a store-and-forward operation. The problem that led to employing this technique lies with the fact that previous research studies expected intrusion detection systems (IDSs) to perform everything associated with inspecting the entire network transmission session for detecting any modification. However, in the store-and-forward process, upon arrival at a network node such as a router or switch, a packet is temporarily stored prior to being transmitted to its intended destination. Throughout the duration of storage, IDS operation tasks would not be able to store that packet; however, it is possible that certain adjustments or modifications could be implemented to the packet headers that IDS does not recognize. For this reason, this current research uses a combination of a convolutional neural network and long short-term memory to predict the detection of any modifications associated with the store-and-forward process. The combination of CNN and LSTM suggests a significant improvement in the model’s performance with an increase in the number of packets within each flow: on average, 99% detection performance was achieved. This implies that when comprehending the ideal pattern, the model exhibits accurate predictions for modifications in cases where the transmission abruptly increases. This study has made a significant contribution to the identification of IP packet header modifications that are linked to the store-and-forward operation.

Mitigating TCP SYN flooding based EDOS attack in cloud computing environment using binomial distribution in SDN

Cloud Computing provides an auto-scaling feature for dynamic resource utilization to cope with their customers’ requirements and charge as ‘pay-per-use’. Attackers get the benefit of this auto-scaling feature by flooding DDoS attacks on the VMs or instances in the cloud environments. Such DDoS attacks give financial damages to the customers because of massive amount of resource utilization, known as the Economic Denial of Sustainability (EDOS) attack. Transmission Control Protocol (TCP) SYN flooding attack is known to be the most challenging attack resulting EDOS attack. Software Defined Network (SDN) being a cost-efficient solution for cloud service providers, uses the OpenFlow switches and flow tables to make rules for each incoming flow. In SDN, it is feasible to classify an incoming flow as an attack and block forwarding of this flow to the targeted VM. This research work proposes an SDN based fast and computationally cost-efficient statistical anomaly detection model, named EDOS-TCP SYN mitigation model (EDOS-TSM) to mitigate TCP SYN flooding attack from a single user and spoofed IPs. EDOS-TSM uses binomial probability, TTL field value of IP packet header and multi-TCP SYN requests to detect source-based and spoofing based attacks. The proposed model is implemented, and the performance is evaluated on an OpenStack production-based cloud with real-time traffic and attack generation. The attack mitigation results are compared with existing models in the literature. The results show a large number of false negatives in existing models and efficiency of EDOS-TSM is proved in both source based and spoofing attacks.

Sensor Initiated Healthcare Packet Priority in Congested IoT Networks

Currently healthcare data packets do not get any special priority while routing through the Internet of Things (IoT) networks. These data packets flow through routers using conventional QoS process which does not guarantee that a patient’s critical health data traveling in congested IoT network will actually be routed to doctors office on time. This leaves the remote medical treatment at risk with possible threat to patients’ lives. In this paper, we studied the current healthcare packet routing process in IoT and its performance issues in congested IoT networks, then proposed a sensor driven solution to prioritize healthcare data routing in congested IoT networks. In our proposed system, we add a healthcare data identifier in IP packet header at the sensor level, modify QoS software at the network router level, and provide the highest priority to healthcare data packet routing based on the healthcare data identifier seen at router QoS. A prototype has been built and tested by using TI Launchpads. Test data shows that healthcare packets with an identifier can route to doctors at 80% less latency than healthcare packets routed without an identifier. Additionally, the proposed system saves medical diagnostic cost, and more importantly, reduces the risk of losing human lives. A shorter version of this analysis has also been presented to IEEE conference. The detail analysis in this paper opens up multiple avenues for further research.

Design of a Low Latency and High Throughput Packet Classification Module on FPGA Platform

The Packet classification method plays a significant role in most of the Network systems. These systems categories the incoming packets in various flows and takes suitable action based on the requirements. If the size of the network is vast and complexity will arise to perform the different operations, which affects the network performance and other constraints also. So there is the demand for high-speed packet classifiers to reduce the network complexity and improve the network performance. In this article, The Bit vector Packet classifier (BV-PC) Module is designed to improve the network system performance and overcome the existing limitation of Packet classification approaches on FPGA. The BV-PC Module contains Packet generation Unit (PGU) to receive the valid incoming packets, Memory Unit (MU) to store valid packets, Header Extractor Unit (HEU) extracts the IP Header address information from the Valid packets, The BV-Based Source and Destination Address (BV-SA, BV-DA) unit receives the IP packet header Information and Process with BV based rule set and aggregates the BV-SA and BV-DA outputs, Priority Encoder encodes the Highest priority BV Rule for the generation of Classified output. The BV-PC utilizes <2% Chip area (slices), works at 509.38MHz, and consumed Less 0.103 W of total Power on Artix-7 FPGA. The BV-PC operates with a latency of 5 clock cycles and works at 815.03Mpps throughput. The BV-PC is compared with existing approaches and provides Better improvements in Hardware constraints.

Real-Time Early Detection NTP Amplification Attack

This paper is the initials of DDoS mitigation, the goal of this research is to detect NTP Amplification as early as possible so that the victim have a data to do further eskalation process. We knows that the goal of the attacker using NTP Amplification Attack is to exhaust the bandwidth of the victim, in this research also simulate an NTP amplification scenario and detection method; the scenario is the attacker sends requests with spoofed IP MONLIST victim to the compromised NTP server NTP server then responds the large volumes of traffic (amplified traffic) towards Victim to consume the bandwidth so as the legitimate user could not access the services. We put DDoS detection device side of the victim, we combine several monitoring tools to detect NTP amplification i.e bandwidth gauge and netflow analyzer. Netflow analyzer (flow analysis) conduct analysis IP packet header that is sent by the router as a flow-exporter. In our experiment, we could perform early detection of the NTP amplification less than 2 minute.

A Solution to Incompatibility Between IPv6 and IPv4 Communications

Abstract It has been about one year since last hearing anything about the Internet Protocol v10 (IPv10) proposal while this week it’s now available in draft form. While IPv6 isn’t widely-adopted around the globe yet, IPv10 is already in development and helps to address some of the woes of IPv6. IPv10 is designed to allow IPv6 addresses to communicate to/from IPv4 addresses. IPv10 hopes to speed the adoption to IPv6 addressing by making it more backwards compatible with IPv4 with allowing the two Internet Protocol standards to better coexist. From the draft specification: “It solves the issue of allowing IPv6 only hosts to communicate to IPv4 only hosts and vice versa in a simple and very efficient way, especially when the communication is done using both direct IP addresses and when using hostnames between IPv10 hosts, as there is no need for protocol translations or getting the DNS involved in the communication process more than its normal address resolution function. IPv10 allows hosts from two IP versions (IPv4 and IPv6) to be able to communicate, and this can be accomplished by having an IPv10 packet containing a mixture of IPv4 and IPv6 addresses in the same IP packet header.”

SDI: a multi-domain SDN mechanism for fine-grained inter-domain routing

Software-defined networking (SDN) scheme decouples network control plane and data plane, which can improve the flexibility of traffic management in networks. OpenFlow is a promising implementation instance of SDN scheme and has been applied to enterprise networks and data center networks in practice. However, it has less effort to spread SDN control scheme over the Internet to conquer the ossification of inter-domain routing. In this paper, we further innovate to the SDN inter-domain routing inspired by the OpenFlow protocol. We apply SDN flow-based routing control to inter-domain routing and propose a fine-granularity inter-domain routing mechanism, named SDI (Software Defined Inter-domain routing). It enables inter-domain routing to support the flexible routing policy by matching multiple fields of IP packet header. We also propose a method to reduce redundant flow entries for inter-domain settings. And, we implement a prototype and deploy it on a multi-domain testbed.

AQM과 ECN을 사용한 TCP 변종의 성능 분석

Transmission Control Protocol as a transport layer protocol provides steady data transfer service. There are some serious concerns about the performance of TCP over diverse networks. The vital concern in TCP network environment is congestion which may occur due to quick transmission rates or because of large number of new connections entering the network at the same time. Size of queues in routers grows thus resulting in packet drops. Retransmission of the dropped packets, and reduced throughput can prove costly. Explicit Congestion Notification (ECN) in conjunction with Active Queue Management mechanisms (AQM) such as Random early detection (RED) is used for packet marking rather than dropping. In IP packet header ECN bits can be added as a sign of congestion thus avoiding needless packet drops. The proposed ECN and AQM mechanism can be implemented with help of ns2 simulator and the performance can be tested on different TCP variants.

Gateway Redundancy Protocol

When there is a packet loss in given network, it cannot change the route all by itself. Administrator manually have to configure the given network and thereby provide access to the router which has efficient route to the client. By using Hot standby routing Protocol (HSRP), it automatically configures the router (also called auto redundancy) which is facing user traffic, with router which has highest priority after active router. It is enabled through HSRP. It reduces network congestion and enables soft operation. We use Open short path first (OSPF) protocol in this projectas it has higher convergence rate which leads to very less packet loss. Based on the IP address present in the IP packet header, OSPF transmits the packets. Our main agenda of the project is to reduce packet loss and provide efficient transport of information to the clients who expect more accuracy round the clock and also provide auto redundancy, low cost.

Network malware classification comparison using DPI and flow packet headers

In order to counter cyber-attacks and digital threats, security experts must generate, share, and exploit cyber-threat intelligence generated from malware. In this research, we address the problem of fingerprinting maliciousness of traffic for the purpose of detection and classification. We aim first at fingerprinting maliciousness by using two approaches: Deep Packet Inspection (DPI) and IP packet headers classification. To this end, we consider malicious traffic generated from dynamic malware analysis as traffic maliciousness ground truth. In light of this assumption, we present how these two approaches are used to detect and attribute maliciousness to different threats. In this work, we study the positive and negative aspects for Deep Packet Inspection and IP packet headers classification. We evaluate each approach based on its detection and attribution accuracy as well as their level of complexity. The outcomes of both approaches have shown promising results in terms of detection; they are good candidates to constitute a synergy to elaborate or corroborate detection systems in terms of run-time speed and classification precision.

Coloring networks for attacker identification and response

Network-based attacks such as denial-of-service attacks are usually performed by spoofing the source IP address. Packet marking techniques are used to trace such attackers as close as possible to their source. A packet mark consists of some traceback information pertaining to a router being embedded in the IP packet header. In this work, we use the concept of star coloring to assign reusable colors marks to routers but at the same time limits false positives and false negatives. The proposed scheme minimizes the bit space required for marking in the IP header. We introduce the concept of path identifier, to identify an attack path. The path identifiers are used to provide an elegant solution to collect attack packets in the midst of a distributed denial-of-service attack and then traceback. Although identifying the attacker is crucial to institute protection measures against future attacks, it cannot mitigate the effects of an ongoing attack. We establish the use of path identifiers, to filter packets during an ongoing attack. We present a validation of the proposed techniques in an emulated environment using real attack traffic. Copyright © 2014 John Wiley & Sons, Ltd.

The Improvement Scheme Based on SIPT

Speedy IP Traceback method (SIPT) is deficient in monitoring and position attack sources, this paper puts forward an improvement scheme based on SIPT, it only marks two-three times for the packet on the key locations, and the propose also overload rarely used fields on IP packet header to store the checkpoint information, which can traceback the attack source use these marking information, which would help to attack path-reconstruction with a low false-positive rate as a guid.

A method for QoS differentiation in DiffServ networks based on the long-term properties of a video stream

This paper presents a method for adjusting the level of services offered by the network with quality of service differentiation for the long-term characteristics of a transmitted video stream. The Drop Precedence (DP) field located in the header of IP packet for this purpose was used.The DP field is set dynamically, based on the measurement of the long-term properties of a source video stream entering the network. The level of traffic perturbations present in a stream is expressed by the Hurst parameter, and then mapped to the size of a priority encoded in the DP field. By that means, an adaptive differentiation of the preferences of individual streams within the same AF PHB class of service is implemented, depending on the size of perturbations existing in the flow. The use of the long-term Hurst parameter, as a criterion of classification, makes the treatment of packets marked with a given priority value does the job well on a larger time scale.

Reducing burst packet loss through route-free forwarding

It is well known that today’s inter-domain routing protocol, Border Gateway Protocol (BGP), converges slowly during network failures. Due to the distribution nature of Internet routing decisions and the rate-limiting timer Minimum Route Advertisement Interval (MRAI) of BGP, unavoidable convergence latency is introduced in reaction to network changes. During the period of convergence temporarily routing table inconsistencies cause short-term routing blackholes and loops which result in widespread temporary burst packet loss. In this paper, we present ROute-Free Forwarding (ROFF) — a novel technique for packet delivering continuously during periods of convergence. With slightly modifications on IP packet header and BGP, route loops and blackholes can be avoided. Our preliminary evaluation demonstrates that ROFF succeeds in reducing the number of Autonomous Systems (ASes) which experience burst packet loss and the duration of packet loss.

Composable, scalable, and accurate weight summarization of unaggregated data sets

Many data sets occur as unaggregated data sets , where multiple data points are associated with each key. In the aggregate view of the data, the weight of a key is the sum of the weights of data points associated with the key. Examples are measurements of IP packet header streams, distributed data streams produced by events registered by sensor networks, and Web page or multimedia requests to context distribution servers. We aim to combine sampling and aggregation to provide accurate and efficient summaries of the aggregate view. However, data points are scattered in time or across multiple servers and hence aggregation is subject to resource constraints on the size of summaries that can be stored or transmitted. We develop a summarization framework for unaggregated data where summarization is a scalable and composable operator, and as such, can be tailored to meet resource constraints. Our summaries support unbiased estimates of the weight of subpopulations of keys specified using arbitrary selection predicates. While we prove that under such scenarios there is no variance optimal scheme, our estimators have the desirable properties that the variance is progressively closer to the minimum possible when applied to a "more" aggregated data set. An extensive evaluation using synthetic and real data sets shows that our summarization framework outperforms all existing schemes for this fundamental problem, even for the special and well-studied case of data streams.

Quality-of-Service Mechanisms for Flow-Based Routers

In this paper, we propose quality of service mechanisms for flow-based routers which have to handle several million flows at wire speed in high-speed networks. Traffic management mechanisms are proposed for guaranteed traffic and non-guaranteed traffic separately, and then the effective harmonization of the two mechanisms is introduced for real networks in which both traffic types are mixed together. A simple non-work-conserving fair queuing algorithm is proposed for guaranteed traffic, and an adaptive flow-based random early drop algorithm is proposed for non-guaranteed traffic. Based on that basic architecture, we propose a dynamic traffic identification method to dynamically prioritize traffic according to the traffic characteristics of applications. In a high-speed router system, the dynamic traffic identification method could be a good alternative to deep packet inspection, which requires handling of the IP packet header and payload. Through numerical analysis, simulation, and a real system experiment, we demonstrate the performance of the proposed mechanisms.

Algorithms and protocols for stateless constrained-based routing

Quality of service (QoS) routing has generally been addressed in the context of reservation-based network services (e.g. ATM, IntServ), which require explicit (out of band) signaling of reservation requests and maintenance of per-flow state information. It has been recognized that the processing of per-flow state information poses scalability problems, especially at core routers. To remedy this situation, in this paper we introduce an approach for stateless QoS routing in IP networks that assumes no support for signaling or reservation from the network. Instead, our approach makes use of the currently unused two bits in the DiffServ (DS) byte of the IP packet header. Simple heuristics are used to identify a low-cost delay-constrained path. These heuristics essentially divide the end-to-end path into at most two ‘superedges’ that are connected by a ‘relay node’. Routers that lie on the same superedge use either the cost metric or the delay metric (but not both) to forward the packet. Standard hop-by-hop forwarding is performed with respect to either metric. Two different approaches are presented for implementing the relay-based forwarding. In the first approach, a probing protocol is used to identify the relay node and the routing metrics of the superedges. Tunneling and packet encapsulation are then used to forward packets from the source node to the relay node and then from the relay node to the destination node. The second approach does not require probing, but instead relies on the time-to-live (TTL) field in the header of the IP packet. Simulations are presented to evaluate the cost performance of the various approaches.

TCP and explicit congestion notification

This paper discusses the use of Explicit Congestion Notification (ECN) mechanisms in the TCP/IP protocol. The first part proposes new guidelines for TCP's response to ECN mechanisms (e.g., Source Quench packets, ECN fields in packet headers). Next, using simulations, we explore the benefits and drawbacks of ECN in TCP/IP networks. Our simulations use RED gateways modified to set an ECN bit in the IP packet header as an indication of congestion, with Reno-style TCP modified to respond to ECN as well as to packet drops as indications of congestion. The simulations show that one advantage of ECN mechanisms is in avoiding unnecessary packet drops, and therefore avoiding unnecessary delay for packets from low-bandwidth delay-sensitive TCP connections. A second advantage of ECN mechanisms is in networks (generally LANs) where the effectiveness of TCP retransmit timers is limited by the coarse granularity of the TCP clock. The paper also discusses some implementation issues concerning specific ECN mechanisms in TCP/IP networks.