Martin Andreoni - Academia.edu

Papers by Martin Andreoni

JamRF: Performance Analysis, Evaluation, and Implementation of RF Jamming over Wi-Fi

Jamming attacks significantly degrade the performance of wireless communication systems and can lead to significant overhead in terms of re-transmissions and increased power consumption. Although different jamming techniques are discussed in the literature, numerous open-source implementations have used expensive equipment in the range of thousands of dollars with the exception of a few. These implementations have also tended to be partial band, and do not cover the whole available bandwidth of the system under attack. In this work, we demonstrate that flexible, reliable, and low priced software-defined radio (SDR) jamming is feasible by designing and implementing different types of jammers against IEEE 802.11n networks. First, to demonstrate the optimal jamming waveform, we present an analytical bit error rate expression of the system under attack by employing two common jamming waveforms: Gaussian noise and digitally modulated. Then, we validate this analysis through simulations u...

Análise de Dados em Redes Sem Fio de Grande Porte: Processamento em Fluxo em Tempo Real, Tendências e Desafios

Minicursos do XXXVII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, 2019

In this chapter, we focus on knowledge extraction from large wireless networks through stream processing. We present the primary methods of sampling, data collection and monitoring of wireless networks and we characterize knowledge extraction as a machine learning problem on big data stream processing. Apache Spark and Apache Flink are the main trends in big data stream processing frameworks and, thus, are discussed in this chapter. We explore the data preprocessing, the feature engineering and the machine learning algorithms applied to the scenario of wireless network analytics. We address challenges and research projects in wireless network monitoring and stream processing. Finally, future perspectives, such as deep learning and reinforcement learning in stream processing, are anticipated.

Um Mecanismo de Aprendizado Incremental para Detecção e Bloqueio de Mineração de Criptomoedas em Redes Definidas por Software

Anais do XIX Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2019), 2019

Unauthorized cryptocurrency mining implies the use of valuable computing resources and high energy consumption. This paper proposes MineCap, a dynamic, in-line mechanism to detect and block unauthorized cryptocurrency mining flows using machine learning in software-defined networks. MineCap develops the incremental super learning technique, a variant of the super learner applied to incremental learning. Incremental super learning gives MineCap the precision to classify mining flows while the mechanism learns from incoming data. The results reveal that the mechanism reaches 98% accuracy, 99% precision, 97% sensitivity and 99.9% specificity, and avoids problems related to concept drift.

A cooperation-aware virtual network function for proactive detection of distributed port scanning

2017 1st Cyber Security in Networking Conference (CSNet), 2017

One of the strongest defenses against cyber-threats today is the use of intrusion detection systems. Port scanning is usually the first action that precedes an intrusion. In turn, the use of virtual network functions (VNF) for cloud computing has become a powerful tool for tenants to provide network functions in high-speed networks. In this paper, we propose a virtual network function to detect distributed port scanning based on a cooperative architecture and on the programmable open source intrusion detection system Bro. The contributions of this paper are fourfold: i) the detection of ACK and NULL scan techniques; ii) the detection of the scan techniques TCP Connect, SYN, FIN, XMAS, ACK and NULL performed in a slow and distributed manner; iii) an architecture for cooperation between VNFs that shares historical logs of scans to improve scan detection in the cloud; iv) an implementation of a prototype of the proposed VNF in the Open Platform for Network Function Virtualization (OPNFV). Our prototype uses the Network Function Virtualization architecture from ETSI and respects the Service Function Chaining standards from IETF. We evaluate our prototype and the results show that we are able to detect all port scanning techniques with a high precision rate.

Um Sistema Adaptativo de Detecção e Reação a Ameaças

Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)

Attackers create new threats and constantly change their behavior to deceive current security systems. Moreover, threats are detected in days or weeks, while a countermeasure must be applied immediately to avoid or reduce losses. This paper proposes an adaptive threat detection system with a scheme based on Software-Defined Networking (SDN) to perform countermeasures. The contributions of this work are: i) threat detection and prevention by analyzing a sequence of only five packets from each flow; ii) the development of detection algorithms trained in real time, with adaptive behavior; iii) the immediate triggering of countermeasures without waiting for the end of the flow; and iv) the effective blocking of threats even in scenarios in which the IP packet address is masked. A scheme based on SDN technology monitors the five-packet sequence and quickly blocks the attack at its origin, preventing resources of ...

BroFlow: Um Sistema Eficiente de Detecção e Prevenção de Intrusão em Redes Definidas por Software

Intrusion Detection and Prevention Systems are fundamental to inspect real-time network traffic, seeking abnormal patterns caused by intruders or insider misuse, to ensure communication systems security. Moreover, this is the only effective mechanism to detect attacks from internal authenticated users. This paper proposes BroFlow, an Intrusion Detection and Prevention System based on the Bro traffic analyzer and on the global network-view feature of the OpenFlow Application Programming Interface. BroFlow's main contributions are: (i) intrusion detection through simple algorithms implemented by a modular and flexible architecture; (ii) immediate reaction to an attack and dropping of malicious packets at their origin; and (iii) strategic sensor positioning for attack detection in an infrastructure network shared by multiple tenants. A system prototype was implemented and evaluated in the virtual environment Future Testbed Internet with Security (FITS). A system evaluation under attack shows that...

Minicursos do XXXVIII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos

The book Minicursos do XXXV Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos contains the short courses selected for presentation at the XXXV Brazilian Symposium on Computer Networks and Distributed Systems (SBRC), held in Belém-PA, from 15 to 19 May 2017. The SBRC Short Courses Book has traditionally been used as high-quality study material by undergraduate and graduate students, as well as by professionals in the field. The short-course presentation sessions are also an important opportunity for the scientific community to update its knowledge and for participants to complement their training. The main goal of the SBRC Short Courses is to offer short-term training and updating on topics normally not covered in curricula and of great interest to academics and professionals.

An evaluation of a virtual network function for real-time threat detection using stream processing

2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)

Network Function Virtualization (NFV) provides new opportunities for efficient and low-cost security solutions. Real-time traffic monitoring and fast security threat detection is a challenge to reduce the risk of great damages. In this paper, we propose a virtualized network function in an Open Source Platform for providing a real-time threat detection service. Our function combines cloud computing and distributed stream processing techniques to accurately and quickly detect threats. The proposed virtualized network function shows good elasticity, shrinking and scaling according to the required load. The results show that the proposed function is able to scale dynamically, analyzing more than five million messages per second. In addition, the function easily migrates sensor elements to reduce latency, allowing the sensor to be located as near as possible to the client.

Attackers are not Stealthy: Statistical Analysis of the Well-Known and Infamous KDD Network Security Dataset

2020 4th Conference on Cloud and Internet of Things (CIoT)

Anomaly-based approaches for detecting network intrusions suffer from accurate evaluation, comparison, and deployment due to the scarcity of adequate datasets. Consequently, researchers resort to suboptimal datasets that no longer relate to a real-world network nor provide insights for current network issues, such as the DARPA'98 dataset and its variants KDD'99 and NSL-KDD. In this article, we propose a statistical study over the NSL-KDD features, and we conclude that NSL-KDD and the old KDD'99 should not be used as a benchmark for creating novel anomaly-based intrusion detection approaches because they introduce a biased classification, since features are over-correlated. The proposed approach analyzes the correlation among features instead of checking for redundant values or the imbalance of data. Our results align with the performance of three machine learning techniques trained to discriminate attack from normal traffic. We show that biased classification occurs because there was a high correlation between features and classes. The synthetically-generated features are statistically different between normal and attack traffic classes, which implies that, in KDD-related datasets, attackers are not stealthy.

A statistical analysis of intrinsic bias of network security datasets for training machine learning mechanisms

Annals of Telecommunications

Resumo de Grandes Volumes de Dados com Filtro de Bloom: Uma Abordagem Eficiente para Aprendizado Profundo com Redes Neurais Convolucionais em Fluxos de Rede

Anais do XXXIX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos (SBRC 2021)

This paper proposes the application of Bloom filters to generate two-dimensional summaries of data from the flows in a network-usage window, forming a bitmap. After generating the summaries, the paper applies deep learning, composed of convolutional neural network layers, to segment the bitmap. Bitmap segmentation is a computer vision task that is efficiently provided by convolutional neural networks. The main contributions of the paper are (i) the proposal of a two-dimensional data summarization technique over a window of flows using Bloom filters; (ii) the application of deep learning with convolutional neural networks to network flows; and (iii) the optimized execution of the proposal on graphics processing units (GPU). The proposal is evaluated on a real dataset from a broadband access provider, and the results demonstrate the efficiency of the filters used and a precision above 0.90 for deep learning with ...

A Time-Bound Continuous Authentication Protocol for Mesh Networking

2021 4th International Conference on Advanced Communication Technologies and Networking (CommNet)

Design and Performance Evaluation of a Virtualized Network Function for Real-Time Threat Detection using Stream Processing

Network Function Virtualization (NFV) provides new opportunities for efficient and low cost security solutions. Real-time traffic monitoring and fast security threat detection is a challenge to reduce the risk of great damages. In this paper, we propose a virtualized network function in the Open source Platform for providing a real-time threat detection service. Our function combines cloud computing and distributed stream processing techniques to accurately and quickly detect threats. The proposed virtualized network function shows good elasticity, shrinking and scaling according to the required load. The results show that the proposed function is able to scale dynamically, analyzing more than five million messages per second. In addition, the function easily migrates sensor elements to reduce latency, allowing the sensor to be located as near as possible to the client.

A Security Framework for Smart-Grids

It is known that the current electrical grid is undergoing change to become a new Smart Grid, with thousands of metering devices connected through telecommunications giving intelligence to the grid. Having communication between the gadgets will, in several cases, bring the possibility of suffering the same attacks seen in a normal network, such as Denial of Service (DoS), Man-in-the-Middle (MitM), etc. This paper will show a compilation of methods to build a security framework focusing on virtual authentication, with the objective of developing future work in the security of Smart Grids.

Coleta e Caracterização de um Conjunto de Dados de Tráfego Real de Redes de Acesso em Banda Larga

Broadband Internet access security lies in the implementation of perimeter policies and in the adoption of access control lists. These measures are precarious because they are based on common and poorly updated profiles, lacking threat information about residential users. This article analyzes and characterizes residential user traffic from the fixed broadband Internet access networks of a large communications operator, for a period of one week, and obtains the profile of the security alarms generated by an intrusion detection system on this traffic. The results show that the proposed characterization allows classification of the flows, with an alert sensitivity of 93% in differentiating legitimate flows from alarm-generating flows, thus validating the collected dataset, and allows a 73% reduction in the traffic directed to the traffic analyzer, enabling more dynamic and efficient access network security.

A fast and accurate threat detection and prevention architecture using stream processing

Concurrency and Computation: Practice and Experience

Late detection of security breaches increases the risk of irreparable damages and limits any mitigation attempts. We propose a fast and accurate Threat Detection and Prevention Architecture that combines the advantages of real-time streaming with batch processing over a historical database. We create a dataset by capturing both legitimate and malicious traffic and propose two ways of combining packets into flows, one considering a time window and the other analyzing the first few packets of each flow per period. We also investigate the effectiveness of our proposal on real-world network traces obtained from a significant Brazilian network operator providing broadband Internet to their customers. We implement and evaluate three classification algorithms and two anomaly detection methods. The results show an accuracy higher than 95% and an excellent trade-off between attack detection and false-positive rates. We further propose an improved scheme based on Software Defined Networks that automatically prevents threats by analyzing only the first few packets of a flow. The proposal promptly and efficiently blocks threats, is robust, and can scale up, even when the attacker employs spoofed IP addresses.

An Accurate Threat Detection System through Real-Time Stream Processing

The late detection of security threats causes a significant increase in the risk of irreparable damages, disabling any defense attempt. All attacks leave detectable traces, even though most of them are complex and very hard to analyze. This paper proposes a real-time threat detection system based on stream processing and machine learning algorithms. The system architecture combines the advantages of real-time streaming with batch processing over a historical database, and it does not require any intervention of security specialists. The proposed system allows both attack classification and anomaly-based detection of known and zero-day attacks. The system was developed and evaluated with a dataset constructed by capturing legitimate and malicious network traffic. Results show that the proposed system presents accurate threat detection with low processing time, allowing prompt defense strategies.

An Entropy-based Hybrid Mechanism for Large-Scale Wireless Network Traffic Prediction

2021 International Symposium on Networks, Computers and Communications (ISNCC)

Um Algoritmo Não Supervisionado e Rápido para Seleção de Características em Classificação de Tráfego

Security applications such as anomaly detection and attack mitigation need real-time monitoring to reduce risks. Information processing times must be as short as possible to enable defense elements. This paper presents a fast and efficient feature selection algorithm for traffic classification based on the correlation between features. To evaluate the algorithm, a dataset containing more than 16 types of threats, in addition to normal traffic, is used. The developed algorithm chooses an optimized subset of features that improves accuracy by more than 11% with a reduction of up to 100 times in processing time, when compared with traditional feature selection and reduction algorithms.

A Lightweight Network-based Android Malware Detection System

Over the last years, mobile devices became the target of thousands of malicious applications. Since then, several works have proposed and evaluated highly accurate machine-learning malware detection schemes. However, these schemes are hardly used in production, either because of their resource-intensive nature for deployment in mobile devices or due to high false alarm rates. This paper proposes a lightweight malware detection system by means of network behavior analysis. Our system relies on lightweight machine-learning techniques to monitor the network behavior of suspicious applications. To evaluate our proposal, we construct a realistic and up-to-date network traffic dataset made of 359 goodware and malware applications. The evaluation results show that our proposal is able to detect new malware variants with accuracy near 90% and false-positive rates below 3% using only 14 features inferred directly from the TCP/IP packet header. In addition, when deployed in a Samsung Galaxy S9 +, our...

Research paper thumbnail of JamRF: Performance Analysis, Evaluation, and Implementation of RF Jamming over Wi-Fi

Jamming attacks significantly degrade the performance of wireless communication systems and can l... more Jamming attacks significantly degrade the performance of wireless communication systems and can lead to significant overhead in terms of re-transmissions and increased power consumption. Although different jamming techniques are discussed in the literature, numerous open-source implementations have used expensive equipment in the range of thousands of dollars with the exception of a few. These implementations have also tended to be partial band, and do not cover the whole available bandwidth of the system under attack. In this work, we demonstrate that flexible, reliable, and low priced software-defined radio (SDR) jamming is feasible by designing and implementing different types of jammers against IEEE 802.11n networks. First, to demonstrate the optimal jamming waveform, we present an analytical bit error rate expression of the system under attack by employing two common jamming waveforms: Gaussian noise and digitally modulated. Then, we validate this analysis through simulations u...

Research paper thumbnail of Análise de Dados em Redes Sem Fio de Grande Porte: Processamento em Fluxo em Tempo Real, Tendências e Desafios

Minicursos do XXXVII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, 2019

In this chapter, we focus on knowledge extraction from large wireless networks through stream pro... more In this chapter, we focus on knowledge extraction from large wireless networks through stream processing. We present the primary methods of sampling, data collection and monitoring of wireless networks and we characterize knowledge extraction as a machine learning problem on big data stream processing. The Apache Spark and Apache Flink are the main trends on big data stream processing frameworks and, thus, are discussed in this chapter. We explore the data preprocessing, the feature engineering and the machine learning algorithms applied to the scenario of wireless network analytics. We address challenges and research projects in wireless network monitoring and stream processing. Finally, future perspectives, such as deep learning and reinforcement learning in stream processing, are anticipated.

Research paper thumbnail of Um Mecanismo de Aprendizado Incremental para Detecção e Bloqueio de Mineração de Criptomoedas em Redes Definidas por Software

Anais do XIX Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2019), 2019

A mineração não autorizada de criptomoedas implica o uso de valiosos recursos de computação e o a... more A mineração não autorizada de criptomoedas implica o uso de valiosos recursos de computação e o alto consumo de energia. Este artigo propõe o mecanismo MineCap, um mecanismo dinâmico e em linha para detectar e bloquear fluxos de mineração não autorizada de criptomoedas, usando o aprendizado de máquina em redes definidas por software. O MineCap desenvolve a técnica de super aprendizado incremental, uma variante do super learner aplicada ao aprendizado incremental. O super aprendizado incremental proporciona ao MineCap precisão para classificar os fluxos de mineração ao passo que o mecanismo aprende com dados recebidos. Os resultados revelam que o mecanismo alcança 98% de acurácia, 99% de precisão, 97% de sensibilidade e 99,9% de especificidade e evita problemas relacionados ao desvio de conceito.

Research paper thumbnail of A cooperation-aware virtual network function for proactive detection of distributed port scanning

2017 1st Cyber Security in Networking Conference (CSNet), 2017

One of the strongest defenses from cyber-threats today is the use of intrusion detection systems.... more One of the strongest defenses from cyber-threats today is the use of intrusion detection systems. Port scanning is usually the first action that precedes an intrusion. In turn, the use of virtual network functions (VNF) for cloud computing has become a powerful tool for tenants to provide network functions in high-speed networks. In this paper, we propose a virtual network function to detect distributed port scanning based on a cooperative architecture and on the programmable open source intrusion detection system Bro. The contribution of this paper are fourfold: i) the detection of ACK and NULL scan techniques; ii) the detection of the scan techniques TCP Connect, SYN, FIN, XMAS, ACK and NULL performed in a slow and distributed manner; iii) an architecture for cooperation between VNFs that shares historical logs of scans to improve scan detection in the cloud; iv) an implementation of a prototype of the proposed VNF in the Open Platform for Network Function Virtualization (OPNFV). Our prototype uses the Network Function Virtualization architecture from ETSI and respects the Service Function Chaining standards from IETF. We evaluate our prototype and the results show that we are able to detect all port scanning techniques with a high precision rate.

Research paper thumbnail of Um Sistema Adaptativo de Detecção e Reação a Ameaças

Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)

Atacantes criam novas ameaças e constantemente mudam seu comportamento para enganar os sistemas d... more Atacantes criam novas ameaças e constantemente mudam seu comportamento para enganar os sistemas de segurança atuais. Aliás, as ameaças são detectadas em dias ou semanas, enquanto uma contramedida deve ser imediatamente efetuada para evitar ou reduzir prejuízos. Este artigo propõe um sistema adaptativo de detecção de ameaças que possui um esquema baseado em Redes Definidas por Software (SDN) para realizar contramedidas. As contribuições do trabalho são: i) a detecção e prevenção de ameaças analisando uma sequência de apenas cinco pacotes de cada fluxo; ii) o desenvolvimento de algoritmos de detecção treinados em tempo real, com comportamento adaptativo; iii) o imediato acionamento de contramedidas sem esperar o fim do fluxo; e iv) o efetivo bloqueio de ameaças mesmo em cenários nos quais o endereço do pacote IP é mascarado. Um esquema baseado na tecnologia SDN efetua o monitoramento da sequência de cinco pacotes e o rápido bloqueio do ataque ainda na origem, evitando que recursos de ...

Research paper thumbnail of BroFlow: Um Sistema Eficiente de Detecção e Prevenção de Intrusão em Redes Definidas por Software

Intrusion Detection and Prevention Systems are fundamental to in-spect real-time network traffic,... more Intrusion Detection and Prevention Systems are fundamental to in-spect real-time network traffic, seeking abnormal patterns caused by intruders or insider misuse, to ensure communication systems security. Moreover, this is the only effective mechanism to detect attacks from internal authenticated users. This paper proposes BroFlow, an Intrusion Detection and Prevention System based on Bro traffic analyzer, and on the global network-view feature of Open-Flow Application Programming Interface. BroFlow main contributions are: (i) intrusion detection through simple algorithms implemented by a modular and flexible architecture; (ii) immediate reaction to an attack and malicious packets dropping from its origin; and (iii) strategic sensor positioning for attack de-tection in an infrastructure network shared by multi-tenants. A system prototype was implemented and evaluated in the virtual environment Future Testbed Inter-net with Security (FITS). A system evaluation under attack shows that...

Research paper thumbnail of Minicursos do XXXVIII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos

O livro Minicursos do XXXV Simposio Brasileiro de Redes de Computadores e Sistemas Distribuidos c... more O livro Minicursos do XXXV Simposio Brasileiro de Redes de Computadores e Sistemas Distribuidos contem os minicursos selecionados para apresentacao no XXXV Simposio Brasileiro de Redes de Computadores e Sistemas Distribuidos (SBRC), realizado em Belem-PA, entre os dias 15 e 19 de maio de 2017. O Livro dos Minicursos do SBRC tem sido tradicionalmente utilizado como material de estudo de alta qualidade por alunos de graduacao e pos-graduacao, bem como por profissionais da area. As sessoes de apresentacoes dos minicursos sao tambem uma importante oportunidade para atualizacao de conhecimentos da comunidade cientifica e para complementacao da formacao dos participantes. O principal objetivo dos Minicursos do SBRC e oferecer treinamento e atualizacao de curto prazo em temas normalmente nao cobertos nas grades curriculares e que possuem grande interesse entre academicos e profissionais.

Research paper thumbnail of An evaluation of a virtual network function for real-time threat detection using stream processing

2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)

Network Function Virtualization (NFV) provides new opportunities for efficient and low-cost secur... more Network Function Virtualization (NFV) provides new opportunities for efficient and low-cost security solutions. Real-time traffic monitoring and fast security threat detection is a challenge to reduce the risk of great damages. In this paper, we propose a virtualized network function in an Open Source Platform for providing a real-time threat detection service. Our function combines cloud computing and distributed stream processing techniques to accurately and quickly detect threats. The proposed virtualized network function shows a good elasticity shrinking and scaling accordingly to the required load. The results show that the proposed function is able to scale dynamically, analyzing more than five million messages per second. In addition, the function easily migrates sensor elements to reduce latency, allowing the sensor to be located as near as possible to the client.

Research paper thumbnail of Attackers are not Stealthy: Statistical Analysis of the Well-Known and Infamous KDD Network Security Dataset

2020 4th Conference on Cloud and Internet of Things (CIoT)

Anomaly-based approaches for detecting network intrusions suffer from accurate evaluation, compar... more Anomaly-based approaches for detecting network intrusions suffer from accurate evaluation, comparison, and deployment due to the scarcity of adequate datasets. Consequently, researchers resort to suboptimal datasets that no longer relate to a real-world network nor provide insights for current network issues, such as the DARPA'98 dataset and its variants KDD'99 and NSL-KDD. In this article, we propose a statistical study over the NSL-KDD features, and we conclude that NSL-KDD and the old KDD'99 should not be used as a benchmark for creating novel anomaly-based approaches intrusion detection systems because they introduce a biased classification, since features are over-correlated. The proposed approach analyzes the correlation among features instead of checking for redundant values or the imbalance of data. Our results align with the performance of three machine learning techniques trained to discriminate attack from normal traffic. We show that biased classification occurs because there was a high correlation between features and classes. The syntactically-generated features are statistically different between normal and attack traffic classes, which implies that, in KDD-related datasets, attackers are not stealthy.

A statistical analysis of intrinsic bias of network security datasets for training machine learning mechanisms

Annals of Telecommunications

Resumo de Grandes Volumes de Dados com Filtro de Bloom: Uma Abordagem Eficiente para Aprendizado Profundo com Redes Neurais Convolucionais em Fluxos de Rede

Anais do XXXIX Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos (SBRC 2021)

This paper proposes applying Bloom filters to generate two-dimensional summaries of data from the flows in a network usage window, forming a bitmap. After generating the summaries, the paper applies deep learning, composed of convolutional neural network layers, to segment the bitmap. Bitmap segmentation is a computer vision task that is efficiently provided by convolutional neural networks. The main contributions of the paper are (i) the proposal of a two-dimensional data summarization technique over a window of flows using Bloom filters; (ii) the application of deep learning with convolutional neural networks to network flows; and (iii) the optimized execution of the proposal on graphics processing units (GPUs). The proposal is evaluated on a real dataset from a broadband access provider, and the results demonstrate the efficiency of the filters used and an accuracy above 0.90 for deep learning with t...

A Time-Bound Continuous Authentication Protocol for Mesh Networking

2021 4th International Conference on Advanced Communication Technologies and Networking (CommNet)

Design and Performance Evaluation of a Virtualized Network Function for Real-Time Threat Detection using Stream Processing

Network Function Virtualization (NFV) provides new opportunities for efficient and low-cost security solutions. Real-time traffic monitoring and fast security threat detection are a challenge for reducing the risk of serious damage. In this paper, we propose a virtualized network function on the Open Source Platform that provides a real-time threat detection service. Our function combines cloud computing and distributed stream processing techniques to detect threats accurately and quickly. The proposed virtualized network function shows good elasticity, shrinking and scaling according to the required load. The results show that the proposed function is able to scale dynamically, analyzing more than five million messages per second. In addition, the function easily migrates sensor elements to reduce latency, allowing the sensor to be located as near as possible to the client.

A Security Framework for Smart-Grids

It is known that the current electrical grid is undergoing change to become a new Smart Grid, with thousands of metering devices connected through telecommunications giving intelligence to the grid. Communication between these devices will, in several cases, bring the possibility of suffering the same attacks seen in a normal network, such as Denial of Service (DoS), Man-In-The-Middle (MitM), etc. This paper presents a compilation of methods for building a security framework focusing on virtual authentication, with the objective of developing future work in the security of Smart Grids.

Coleta e Caracterização de um Conjunto de Dados de Tráfego Real de Redes de Acesso em Banda Larga

Broadband Internet access security lies in the implementation of perimeter policies and in the adoption of access control lists. These measures are precarious because they are based on common and poorly updated profiles, lacking threat information about residential users. This article analyzes and characterizes residential user traffic from the fixed broadband Internet access networks of a large communications operator over a period of one week, and obtains the profile of the security alarms generated by an intrusion detection system on this traffic. The results show that the proposed characterization allows classification of the flows, with an alert sensitivity of 93% in differentiating legitimate flows from alarm-generating flows, thus validating the collected dataset, and allows a 73% reduction in the traffic directed to the traffic analyzer, enabling more dynamic and efficient access network security.

A fast and accurate threat detection and prevention architecture using stream processing

Concurrency and Computation: Practice and Experience

Late detection of security breaches increases the risk of irreparable damage and limits any mitigation attempts. We propose a fast and accurate Threat Detection and Prevention Architecture that combines the advantages of real-time streaming with batch processing over a historical database. We create a dataset by capturing both legitimate and malicious traffic and propose two ways of combining packets into flows, one considering a time window and the other analyzing the first few packets of each flow per period. We also investigate the effectiveness of our proposal on real-world network traces obtained from a major Brazilian network operator providing broadband Internet to its customers. We implement and evaluate three classification algorithms and two anomaly detection methods. The results show an accuracy higher than 95% and an excellent trade-off between attack detection and false-positive rates. We further propose an improved scheme based on Software Defined Networks that automatically prevents threats by analyzing only the first few packets of a flow. The proposal promptly and efficiently blocks threats, is robust, and can scale up, even when the attacker employs spoofed IP addresses.

An Accurate Threat Detection System through Real-Time Stream Processing

The late detection of security threats causes a significant increase in the risk of irreparable damage, disabling any defense attempt. All attacks leave detectable traces, even though most of them are complex and very hard to analyze. This paper proposes a real-time threat detection system based on stream processing and machine learning algorithms. The system architecture combines the advantages of real-time streaming with batch processing over a historical database, and it does not require any intervention by security specialists. The proposed system allows both attack classification and anomaly-based detection of known and zero-day attacks. The system was developed and evaluated with a dataset constructed by capturing legitimate and malicious network traffic. Results show that the proposed system presents accurate threat detection with low processing time, allowing prompt defense strategies.

An Entropy-based Hybrid Mechanism for Large-Scale Wireless Network Traffic Prediction

2021 International Symposium on Networks, Computers and Communications (ISNCC)

Um Algoritmo Não Supervisionado e Rápido para Seleção de Características em Classificação de Tráfego

Security applications such as anomaly detection and attack mitigation require real-time monitoring to reduce risks. Information processing times must be as short as possible to enable defense elements. This paper presents a fast and efficient feature selection algorithm for traffic classification based on the correlation between features. To evaluate the algorithm, a dataset containing more than 16 types of threats, in addition to normal traffic, is used. The developed algorithm chooses an optimized subset of features that improves accuracy by more than 11% with a reduction of up to 100 times in processing time, when compared with traditional feature selection and reduction algorithms.

A Lightweight Network-based Android Malware Detection System

Over the last years, mobile devices have become the target of thousands of malicious applications. Since then, several works have proposed and evaluated highly accurate machine-learning malware detection schemes. However, these schemes are hardly used in production, either because of their resource-intensive nature for deployment on mobile devices or due to high false alarm rates. This paper proposes a lightweight malware detection system by means of network behavior analysis. Our system relies on lightweight machine-learning techniques to monitor the network behavior of suspicious applications. To evaluate our proposal, we construct a realistic and up-to-date network traffic dataset made of 359 goodware and malware applications. The evaluation results show that our proposal is able to detect new malware variants with accuracy near 90% and false-positive rates below 3% using only 14 features inferred directly from the TCP/IP packet header. In addition, when deployed on a Samsung Galaxy S9+, our...