Shane Alcock's Blog
The week before I left for IMC:
* Finished my draft of the libprotoident paper for TMA. Because of the broken Auckland box, I wasn't able to re-run my analysis using the more up-to-date classification software. Instead, I've just submitted a draft based on the old results, with an eye to possibly updating them should we get accepted.
* Released a new version of libprotoident including all the new protocol rules that I'd added over the past couple of weeks.
* Started working on a little project to measure exactly how hopeless L7 Filter is for traffic classification. So many papers and tools use L7 Filter as either the basis for their rules or as ground truth for validation, which I think is a very bad idea. Hoping to get a paper out of it all. The initial phase of my evaluation involves capturing traffic from a number of common Internet applications and testing whether L7 Filter can correctly identify them. So far, it has managed to get 1/3 right :)
Spent the week before last in Boston for IMC. Managed to successfully present my paper on the Copyright Amendment Act and got a fairly good reception. Also got a chance to meet a few folks and put some faces to names. Some of the presentations were interesting, but there was also a lot of stuff that I found to be less useful (social networks lol).
Libprotoident 2.0.6 has been released today.
This release adds support for 17 new protocols including Spotify, Runescape, Cryptic and Apple Facetime. The rules for a further 7 protocols have been improved.
This release also fixes a couple of bugs - in particular one where lpi_live would report erroneously high packet or byte counts.
We've also deprecated the P2P_Structure category as it was no longer serving the intended purpose due to the rise in BitTorrent file transfers over UDP that are indistinguishable from DHT traffic. All protocols that used to be P2P_Structure are now placed in the P2P category.
The full list of changes can be found in the libprotoident ChangeLog.
Short week this week.
Managed to add a couple more protocols to libprotoident: SUPL and Cryptic (an MMO game company). Spent a lot of time still trying to hunt down the particular Korean P2P application that I'm seeing a lot of in my data, but no success. Nonetheless, I've written a rule for it and added it to our set of "mystery" protocols.
Started looking over our old libprotoident technical report with an eye to submitting it for publication again. There are a few problems with this approach though:
* OpenDPI doesn't exist anymore. A fork called nDPI lives on, but I'll need to re-run all the validation/comparison tests using nDPI.
* nDPI uses all the same function and variable names as PACE, so these all had to be renamed to prevent horrible linking errors when building / running my comparison program, which links against both libraries.
* The Auckland monitor that has the only copy of the full-payload traces I had used for part of the original validation is no longer responsive.
Finished up my basic analysis of the libprotoident data from last month. Wrote a blog post (that's on the front page of the website) presenting and discussing the latest results. Some pretty interesting trends are becoming apparent - the surge in HTTPS traffic and the movement towards UDP BitTorrent being the two main ones - which are begging for further investigation.
Continued looking at unknown traffic in libprotoident -- spent much of Friday investigating Korean P2P apps to try and resolve a mystery application that has a very obvious payload pattern, but had little success. Did get to watch a few Starcraft championship games though :)
Wrote and presented a practice version of my IMC talk. Got a few refinements to make but mostly I need to streamline the whole thing so I can deliver it in around 10 minutes without sounding like I'm hyped up on amphetamines.
Updated on October 26, 2012 to reflect that the P2P_Structure category was not entirely reliable.
Earlier this year, we managed to generate a bit of interest by studying changes in application protocol usage at one New Zealand ISP after the Copyright Amendment Act came into effect. This eventually led to a publication at IMC 2012, which can be accessed here.
One outstanding question from this work was whether the changes that we observed would persist, particularly given that there have been no notable instances of people being brought before the Copyright Tribunal and punished. Would people eventually revert to their old methods of file-sharing or would they continue to use more obfuscated methods? Would those people who stopped file sharing return once they felt more secure in not being caught out?
With this in mind, we have updated our results with data captured from the same New Zealand ISP during September 2012, one year on from the CAA coming into force. Again, we have looked at the traffic for a subset of the ISP's DSL subscribers only. Unfortunately, we do not have detailed information about the number of subscribers using each protocol, but we do have statistics about the number of flows and bytes for each protocol (both incoming and outgoing) which we can make use of. In this blog post, I'll be comparing the most recent measurements with our earlier results to determine if anything has changed in the past few months.
Spent a fair chunk of my week reading over various chapters from Brad and Joe's Honours reports, as well as Meenakshee's interim report.
In between times, continued poking at my recent libprotoident analysis looking at the "unknown" traffic. Managed to add quite a few new protocols to libprotoident as a result, including Runescape, Spotify, Fring, Roblox and FASP. Starting to think about a new release with all the protocols I've added over the past couple of weeks.
Also continued my analysis of the September LPI statistics - getting closer to producing some graphs and a blog post discussing the changes over the past year :)
Short week this week - took leave on Thursday and Friday.
Released a new version of libtrace (3.0.15) on Monday. Mostly just a few little bug and build fixes, but it had been a while since the last release. Also submitted a patch for the FreeBSD libtrace port which had been broken for a very long time.
Did a bit more refinement on my Plunge and ArimaShewhart event detectors. They're at a stage now where the number of false positives is close to none. False negatives are a bit harder to identify, of course. The next sensible step is probably to think about testing against real-time data and manually validate the events as they roll in.
Spent a day looking at the latest LPI data from a live analysis I have running on our ISP monitor. Managed to get some up-to-date stats on application usage for last September but haven't had a chance to look over it in detail yet.
I did note a bit of an increase in the amount of unknown UDP traffic, so chased up a few of the more common patterns. Have added 3 new protocols to libprotoident as a result: ZeroAccess (a trojan), VXWorks Exploit and Apple's Facetime / iMessage setup protocol.
Libtrace 3.0.15 has been released.
This release fixes a few bugs in the previous release and adds a few minor improvements. In particular, this release fixes the problem where libtrace will claim pcap transmit is unsupported and the bug where Linux Native capture does not work on the loopback address. It also fixes some potential build errors introduced in the last release as a result of creating a separate library for libwandio.
The full list of changes in this release can be found in the libtrace ChangeLog.
You can download the new version of libtrace from the libtrace website.
Added a new anomaly detector to our network event monitor: the Plunge Detector. The basic aim is to detect situations where an otherwise active time series plunges to a very low (or zero) value. Sounds simple, but kinda tricky to do in a generic fashion. The general algorithm is to track the median and minimum observed values over the past N measurements and then raise an alarm when the current value is significantly below both the median and the minimum observed values.
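As an added illustration of the plunge-detection idea described above (not the monitor's own code), here is a sliding-window detector that alarms only when a value falls well below both the recent median and the recent minimum. The window size, the minimum history before alarming, and the two "significantly below" ratios are assumed parameters; the blog gives the idea but not its thresholds.

```python
from collections import deque
from statistics import median


class PlungeDetector:
    """Flag a measurement that drops far below BOTH the recent median and the
    recent minimum of an otherwise active time series."""

    def __init__(self, window=20, min_samples=10, median_ratio=0.25, min_ratio=0.5):
        self.history = deque(maxlen=window)   # last N measurements
        self.min_samples = min_samples        # do not alarm until we have history
        self.median_ratio = median_ratio      # alarm needs value < median * ratio
        self.min_ratio = min_ratio            # ... and value < minimum * ratio

    def update(self, value):
        """Feed one measurement; return True if it is a plunge."""
        plunge = False
        if len(self.history) >= self.min_samples:
            med = median(self.history)
            low = min(self.history)
            # Requiring both tests keeps two failure modes quiet:
            #  - a series that already idles at zero (min 0) never alarms,
            #    because nothing is "significantly below" zero;
            #  - a dip that is small next to the median but still inside the
            #    range already seen in the window (e.g. a recurring quiet
            #    period) is not reported as a new event.
            plunge = value < med * self.median_ratio and value < low * self.min_ratio
        # The plunge value itself enters the window, so a drop that persists
        # becomes the new baseline and raises one alarm, not one per bin.
        self.history.append(value)
        return plunge


def detect_plunges(series, **kwargs):
    """Return the indices of series at which the detector fired."""
    det = PlungeDetector(**kwargs)
    return [i for i, v in enumerate(series) if det.update(v)]


# Constructed sample: bytes per 5-minute bin for one protocol, steady around
# 1000, then a sudden drop at bin 15 that lasts three bins before recovering.
SAMPLE_SERIES = [980, 1020, 1005, 990, 1010, 1000, 995, 1030, 985, 1000,
                 1015, 990, 1000, 1010, 995, 12, 8, 15, 1000, 1005]

if __name__ == "__main__":
    print(detect_plunges(SAMPLE_SERIES))  # [15]
```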
Spent much of the week testing both the new Plunge detector and the Shewhart detector against the various LPI time series in my test data set. Lots of refinement going on with both detectors, but starting to get pretty happy with the results.
Started working towards a new libtrace release - mostly just a few little bug fixes and tidyups. Part of the release process is to test it on a FreeBSD machine, but the old emulation image doesn't work with the new emulation network. Set up a FreeBSD 9 machine so that Brendon could make a new image, which was a lot more painful than it should have been. Managed to get libtrace tested and passed the machine over to Brendon for imaging - I expect a decent rant in his weekly report about that step of the process too :)
Continued making tweaks and changes to the Shewhart anomaly detector in response to erroneous events produced when running it against the full set of protocols supported by libprotoident. It now tends to only pick up major or sudden changes in the time series, which is great when dealing with protocols that aren't very common but may not be the best for more popular protocols.
Finished my teaching load for 301 - final lecture was given on Monday and marked the last C programming assignment throughout the week. Definitely enjoyed the opportunity to do something a little different and hopefully it was valuable to the students too. It would be great if we could find a way to keep using some of the material I prepared in future courses.