Author Search Result

[Author] Kensuke FUKUDA(11hit)

  • Characterization of Host-Level Application Traffic with Multi-Scale Gamma Model

    Yosuke HIMURA  Kensuke FUKUDA  Patrice ABRY  Kenjiro CHO  Hiroshi ESAKI  

     
    PAPER-Internet

    Vol: E93-B No:11
    Page(s): 3048-3057

    In this paper, we discuss the validity of the multi-scale gamma model and characterize the differences in host-level application traffic with this model by using a real traffic trace collected on a 150-Mbps transpacific link. First, we investigate the dependency of the model (parameters α and β, and fitting accuracy ε) on time scale Δ, then find suitable time scales for the model. Second, we inspect the relations among α, β, and ε, in order to characterize the differences in the types of applications. The main findings of the paper are as follows. (1) Different types of applications show different dependencies of α, β, and ε on Δ, and display different suitable Δs for the model. The model is more accurate if the traffic consists of intermittently-sent packets than otherwise. (2) More appropriate models are obtained with specific α and β values (e.g., 0.1 < α < 1, and β < 2 for Δ = 500 ms). Also, application-specific traffic presents specific ranges of α, β, and ε for each Δ, so that these characteristics can be used in application identification methods such as anomaly detection and other machine learning methods.

  • Routing and Capacity Optimization Based on Estimated Latent OD Traffic Demand

    Takumi UCHIDA  Keisuke ISHIBASHI  Kensuke FUKUDA  

     
    PAPER

    Publicized: 2021/01/29
    Vol: E104-B No:7
    Page(s): 781-790

    This paper introduces a method to estimate latent traffic from its origin to destination from the link packet loss rate and traffic volume. In addition, we propose a method for the joint optimization of routing and link provisioning based on the estimated latent traffic. Observed traffic could deviate from the original traffic demand and become latent when the traffic passes through congested links because of changes in user behavior and/or applications as a result of degraded quality of experience (QoE). The latent traffic is actualized by improving congested link capacity. When link provisioning is based on observed traffic, actual traffic might cause new congestion at other links. Thus, network providers need to estimate the origin-destination (OD) original traffic demand for network planning. Although the estimation of original traffic has been well studied, the estimation was only applicable for links. In this paper, we propose a method to estimate latent OD traffic by combining and expanding techniques. The method consists of three steps. The first step is to estimate the actual OD traffic and loss rate from the actual traffic and packet loss rate of the links. The second step is to estimate the latent traffic demand. Finally, using this estimated demand, the link capacity and routing matrix are optimized. We evaluate our method by simulation and confirm that congestion could be avoided by capacity provisioning based on estimated latent traffic, while provisioning based on observed traffic retains the congestion. The combined method can avoid congestion with an increment of 23% compared with capacity provisioning only. We also evaluated our method's adaptability, i.e., the ability to estimate the required parameter for the estimations using fewer given values, but values obtained in the environment.

  • Architectural Design of Next-Generation Science Information Network

    Shigeo URUSHIDANI  Shunji ABE  Kensuke FUKUDA  Jun MATSUKATA  Yusheng JI  Michihiro KOIBUCHI  Shigeki YAMADA  

     
    PAPER

    Vol: E90-B No:5
    Page(s): 1061-1070

    This paper proposes an advanced hybrid network architecture and a comprehensive network design of the next-generation science information network, called SINET3. Effectively combining layer-1 switches and IP/MPLS routers, the network provides layer-1 end-to-end circuit services as well as IP and Ethernet services and enables flexible resource allocation in response to service demands. The detailed network design focuses on the tangible achievement of providing a wide range of network services, such as multiple layer services, multiple virtual private network services, advanced qualities of service, and layer-1 bandwidth on demand services. It also covers high-availability capabilities and effective resource assignment in the hybrid network. The cost reduction effect of our network architecture is also shown in this paper.

  • Unsupervised Learning Model for Real-Time Anomaly Detection in Computer Networks

    Kriangkrai LIMTHONG  Kensuke FUKUDA  Yusheng JI  Shigeki YAMADA  

     
    PAPER-Information Network

    Vol: E97-D No:8
    Page(s): 2084-2094

    Detecting a variety of anomalies caused by attacks or accidents in computer networks has been one of the real challenges for both researchers and network operators. An effective technique that could quickly and accurately detect a wide range of anomalies would be able to prevent serious consequences for system security or reliability. In this article, we characterize detection techniques on the basis of learning models and propose an unsupervised learning model for real-time anomaly detection in computer networks. We also conducted a series of experiments to examine capabilities of the proposed model by employing three well-known machine learning algorithms, namely multivariate normal distribution, k-nearest neighbor, and one-class support vector machine. The results of these experiments on real network traffic suggest that the proposed model is a promising solution and has a number of flexible capabilities to detect several types of anomalies in real time.

  • New Directions for a Japanese Academic Backbone Network [Open Access]

    Shigeo URUSHIDANI  Shunji ABE  Kenjiro YAMANAKA  Kento AIDA  Shigetoshi YOKOYAMA  Hiroshi YAMADA  Motonori NAKAMURA  Kensuke FUKUDA  Michihiro KOIBUCHI  Shigeki YAMADA  

     
    INVITED PAPER

    Publicized: 2014/12/11
    Vol: E98-D No:3
    Page(s): 546-556

    This paper describes an architectural design and related services of a new Japanese academic backbone network, called SINET5, which will be launched in April 2016. The network will cover all 47 prefectures with 100-Gigabit Ethernet technology and connect each pair of prefectures with a minimized latency. This will enable users to leverage evolving cloud-computing powers as well as draw on a high-performance platform for data-intensive applications. The transmission layer will form a fully meshed, SDN-friendly, and reliable network. The services will evolve to be more dynamic and cloud-oriented in response to user demands. Cyber-security measures for the backbone network and tools for performance acceleration and visualization are also discussed.

  • Characterizing Privacy Leakage in Encrypted DNS Traffic

    Guannan HU  Kensuke FUKUDA  

     
    PAPER-Internet

    Publicized: 2022/08/02
    Vol: E106-B No:2
    Page(s): 156-165

    Increased demand for DNS privacy has driven the creation of several encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). Recently, DoT and DoH have been deployed by some vendors like Google and Cloudflare. This paper addresses privacy leakage in these three encrypted DNS protocols (especially DoQ) with different DNS recursive resolvers (Google, NextDNS, and Bind) and DNS proxy (AdGuard). More particularly, we investigate encrypted DNS traffic to determine whether the adversary can infer the category of websites users visit for this purpose. Through analyzing packet traces of three encrypted DNS protocols, we show that the classification performance of the websites (i.e., user's privacy leakage) is very high in terms of identifying 42 categories of the websites both in public (Google and NextDNS) and local (Bind) resolvers. By comparing the case with cache and without cache at the local resolver, we confirm that the caching effect is negligible as regards identification. We also show that discriminative features are mainly related to the inter-arrival time of packets for DNS resolving. Indeed, we confirm that the F1 score decreases largely by removing these features. We further investigate two possible countermeasures that could affect the inter-arrival time analysis in the local resolver: AdBlocker and DNS prefetch. However, there is no significant improvement in results with these countermeasures. These findings highlight that information leakage is still possible even in encrypted DNS traffic regardless of underlying protocols (i.e., HTTPS, TLS, QUIC).

  • I Never Trust My University for This! Investigating Student PII Leakage at Vietnamese Universities

    Ha DAO  Quoc-Huy VO  Tien-Huy PHAM  Kensuke FUKUDA  

     
    PAPER-Data Engineering, Web Information Systems

    Publicized: 2023/09/06
    Vol: E106-D No:12
    Page(s): 2048-2056

    Universities collect and process a massive amount of Personal Identifiable Information (PII) at registration and throughout interactions with individuals. However, student PII can be exposed to the public by uploading documents along with university notice without consent and awareness, which could put individuals at risk of a variety of different scams, such as identity theft, fraud, or phishing. In this paper, we perform an in-depth analysis of student PII leakage at Vietnamese universities. To the best of our knowledge, we are the first to conduct a comprehensive study on student PII leakage in higher educational institutions. We find that 52.8% of Vietnamese universities leak student PII, including one or more types of personal data, in documents on their websites. It is important to note that the compromised PII includes sensitive types of data, student medical record and religion. Also, student PII leakage is not a new phenomenon and it has happened year after year since 2005. Finally, we present a study with 23 Vietnamese university employees who have worked on student PII to get a deeper understanding of this situation and envisage concrete solutions. The results are entirely surprising: the employees are highly aware of the concept of student PII. However, student PII leakage still happens due to their working habits or the lack of a management system and regulation. Therefore, the Vietnamese university should take a more active stand to protect student data in this situation.

  • MARIF: Multiple Queries Look-Up Architecture Using Range Information Feedback in a DHT Network

    Kimihiro MIZUTANI  Toru MANO  Osamu AKASHI  Kensuke FUKUDA  

     
    PAPER

    Vol: E96-B No:7
    Page(s): 1680-1690

    In a DHT network, a node can get/put requested data in only log N look-up steps. However, a conventional DHT network only supports single-query look-up to search data. For this reason, each node in a DHT network must execute a look-up process for each query even if a large number of put and get operations are executed. Therefore, this results in high network load in massive data management such as MapReduce, sensor network, and web information. To address the problem, we propose a multiple queries look-up architecture using range information feedback (MARIF). MARIF extends the conventional KBR protocol to support range information that is a scope of the ID space a node keeps. When a source node receives range information from a destination node, the source node checks all queries in the range information and forwards queries matching the range information to the destination node directly. This effectively reduces the number of look-up queries and the network load for the IP network. In addition, MARIF can be implemented into conventional DHT networks and can easily be combined with effective DHT routing algorithms such as Chord, Kademlia, Pastry, and one-hop DHT. In evaluation, we implement MARIF into three DHT networks and compare its performance with that of conventional query bundling mechanisms based on the KBR protocol. The results show that MARIF reduces by up to 40% the total number of forwarding queries to put data compared with other mechanisms. In addition, MARIF saves the number of forwarding queries per look-up process by up to 85% compared to other mechanisms with low bundling overhead.

  • Latent Variable Based Anomaly Detection in Network System Logs

    Kazuki OTOMO  Satoru KOBAYASHI  Kensuke FUKUDA  Hiroshi ESAKI  

     
    PAPER-Network Operation Support

    Publicized: 2019/06/07
    Vol: E102-D No:9
    Page(s): 1644-1652

    System logs are useful to understand the status of and detect faults in large-scale networks. However, due to the diversity and volume of these logs, log analysis requires much time and effort. In this paper, we propose a log event anomaly detection method for large-scale networks without pre-processing and feature extraction. The key idea is to embed a large amount of diverse data into hidden states by using latent variables. We evaluate our method with 12 months of system logs obtained from a nation-wide academic network in Japan. Through comparisons with Kleinberg's univariate burst detection and a traditional multivariate analysis (i.e., PCA), we demonstrate that our proposed method achieves 14.5% higher recall and 3% higher precision than PCA. A case study shows detected anomalies are effective information for troubleshooting of network system faults.

  • Evaluation of Anomaly Detection Method Based on Pattern Recognition

    Romain FONTUGNE  Yosuke HIMURA  Kensuke FUKUDA  

     
    PAPER-Internet

    Vol: E93-B No:2
    Page(s): 328-335

    The number of threats on the Internet is rapidly increasing, and anomaly detection has become of increasing importance. High-speed backbone traffic is particularly degraded, but its analysis is a complicated task due to the amount of data, the lack of payload data, the asymmetric routing and the use of sampling techniques. Most anomaly detection schemes focus on the statistical properties of network traffic and highlight anomalous traffic through their singularities. In this paper, we concentrate on unusual traffic distributions, which are easily identifiable in temporal-spatial space (e.g., time/address or port). We present an anomaly detection method that uses a pattern recognition technique to identify anomalies in pictures representing traffic. The main advantage of this method is its ability to detect attacks involving mice flows. We evaluate the parameter set and the effectiveness of this approach by analyzing six years of Internet traffic collected from a trans-Pacific link. We show several examples of detected anomalies and compare our results with those of two other methods. The comparison indicates that the only anomalies detected by the pattern-recognition-based method are mainly malicious traffic with a few packets.

  • Traffic Matrix Estimation Using Spike Flow Detection

    Susumu SHIMIZU  Kensuke FUKUDA  Ken-ichiro MURAKAMI  Shigeki GOTO  

     
    PAPER

    Vol: E88-B No:4
    Page(s): 1484-1492

    This paper proposes a new method of estimating real-time traffic matrices that only incurs small errors in estimation. A traffic matrix represents flows of traffic in a network. It is an essential tool for capacity planning and traffic engineering. However, the high costs involved in measurement make it difficult to assemble an accurate traffic matrix. It is therefore important to estimate a traffic matrix using limited information that only incurs small errors. Existing approaches have used IP-related information to reduce the estimation errors and computational complexity. In contrast, our method, called spike flow measurement (SFM) reduces errors and complexity by focusing on spikes. A spike is transient excessive usage of a communications link. Spikes are easily monitored through an SNMP framework. This reduces the measurement costs compared to that of other approaches. SFM identifies spike flows from traffic byte counts by detecting pairs of incoming and outgoing spikes in a network. A matrix is then constructed from collected spike flows as an approximation of the real traffic matrix. Our experimental evaluation reveals that the average error in estimation is 28%, which is sufficiently small for the method to be applied to a wide range of network nodes, including Ethernet switches and IP routers.