The number of threats on the Internet is rapidly increasing, and anomaly detection has become of increasing importance. High-speed backbone traffic is particularly degraded, but their analysis is a complicated task due to the amount of data, the lack of payload data, the asymmetric routing and the use of sampling techniques. Most anomaly detection schemes focus on the statistical properties of network traffic and highlight anomalous traffic through their singularities. In this paper, we concentrate on unusual traffic distributions, which are easily identifiable in temporal-spatial space (e.g., time/address or port). We present an anomaly detection method that uses a pattern recognition technique to identify anomalies in pictures representing traffic. The main advantage of this method is its ability to detect attacks involving mice flows. We evaluate the parameter set and the effectiveness of this approach by analyzing six years of Internet traffic collected from a trans-Pacific link. We show several examples of detected anomalies and compare our results with those of two other methods. The comparison indicates that the only anomalies detected by the pattern-recognition-based method are mainly malicious traffic with a few packets.

Enterprises have paid attention to consortium blockchains like Hyperledger Fabric, which is one of the most promising platforms, for efficient decentralized transactions without depending on any particular organization. A consortium blockchain-based system will be typically built across multiple organizations. In such blockchain-based systems, system operations across multiple organizations in a decentralized manner are essential to maintain the value of introducing consortium blockchains. Decentralized system operations have recently been becoming realistic with the evolution of consortium blockchains. For instance, the release of Hyperledger Fabric v2.x, in which individual operational tasks for a blockchain network, such as command execution of configuration change of channels (Fabric's sub-networks) and upgrade of chaincodes (Fabric's smart contracts), can be partially executed in a decentralized manner. However, the operations workflows also include the preceding procedure of pre-sharing, coordinating, and pre-agreeing the operational information (e.g., configuration parameters) among organizations, after which operation executions can be conducted, and this preceding procedure relies on costly manual tasks. To realize efficient decentralized operations workflows for consortium blockchain-based systems in general, we propose a decentralized inter-organizational operations method that we call Operations Smart Contract (OpsSC), which defines an operations workflow as a smart contract. Furthermore, we design and implement OpsSC for blockchain network operations with Hyperledger Fabric v2.x. This paper presents OpsSC for operating channels and chaincodes, which are essential for managing the blockchain networks, through clarifying detailed workflows of those operations. A cost evaluation based on an estimation model shows that the total operational cost for executing a typical operational scenario to add an organization to a blockchain network having ten organizations could be reduced by 54 percent compared with a conventional script-based method. The implementation of OpsSC has been open-sourced and registered as one of Hyperledger Labs projects, which hosts experimental projects approved by Hyperledger.

In this paper, we discuss the validity of the multi-scale gamma model and characterize the differences in host-level application traffic with this model by using a real traffic trace collected on a 150-Mbps transpacific link. First, we investigate the dependency of the model (parameters α and β, and fitting accuracy ε) on time scale Δ, then find suitable time scales for the model. Second, we inspect the relations among α, β, and ε, in order to characterize the differences in the types of applications. The main findings of the paper are as follows. (1) Different types of applications show different dependencies of α, β, and ε on Δ, and display different suitable Δs for the model. The model is more accurate if the traffic consists of intermittently-sent packets than other. (2) More appropriate models are obtained with specific α and β values (e.g., 0.1 < α < 1, and β < 2 for Δ = 500 ms). Also, application-specific traffic presents specific ranges of α, β, and ε for each Δ, so that these characteristics can be used in application identification methods such as anomaly detection and other machine learning methods.

Tenant network provisioning in multi-tenancy data centers is time-consuming and error-prone due to the need to configure network devices with hundreds of parameter values (e.g., VLAN ID, IP address) determined according to complicated operational rules. Past works have aimed to automate such operational rule-based provisioning processes by implementing data center-specific provisioning programs, but a crucial problem is the high cost of adapting the programs to suit multiple data centers. In this paper, we aim to solve this problem by enabling to describe the provisioning processing, which has been hard-coded programs in conventional approaches, in easy-to-edit “provisioning template” files. The key component of the provisioning template is the parameter decision rule, which is a declarative abstract representation of parameter dependency and parameter assignment. We design the provisioning template so that it can handle various configuration items while preserving its editability for tenant provisioning. We design and implement the provisioning platform, and the evaluation based on a production data center shows that the provisioning platform can adopt multiple data centers with a single program, leading to less development cost compared to past approaches (i.e., program development for each data center).

Multi-tenant datacenter networking, with which multiple customer networks (tenants) are virtualized and consolidated in a single shared physical infrastructure, has recently become a promising approach to reduce device cost, thanks to advances of virtualization technologies for various networking devices (e.g., switches, firewalls, load balancers). Since network devices are configured with low-level commands (no context of tenants), network engineers need to manually manage the context of tenants in different stores such as spreadsheet and/or configuration management database (CMDB). The use of CMDB is also effective in increasing the ‘visibility’ of tenant configurations (e.g., information sharing among various teams); However, different from the ideal use, only limited portion of network configuration are stored in CMDB in order to reduce the amount of ‘double configuration management’ between device settings (running information) and CMDB (stored information). In this present work, we aim to bridge the gap between CDMB and device status. Our basic approach is to automatically analyze per-device configuration settings to recover per-tenant network-wide configuration (running information) based on a graph-traversal technique applied over abstracted graph representation of device settings (to handle various types of vendor-specific devices); The recovered running information of per-tenant network configurations is automatically uploaded to CMDB. An implementation of this methodology is applied to a datacenter environment that management of about 100 tenants involves approximately 5,000 CMDB records, and our practical experiences are that this methodology enables to double the amount of CMDB records. We also discuss possible use cases enabled with this methodology.

Managing SaaS systems requires administrators to monitor and analyze diverse types of log data collected from a variety of components such as applications and IT resources. Integrated monitoring systems, enabled with datastore capable of storing and query-based processing of semi-structured data (e.g., NOSQL - some specific document database), is a promising solution that can store and query any type of log data with a single unified set of management panes. However, due to the increasing scale of SaaS systems and their long service lives, integrated monitoring systems have faced the problems in response times of log analysis and storage consumption for logs. In this present work, we solve the problems by developing an efficient log management method for SaaS systems. Our empirical observation is that the problems are primarily derived from the unselective log processing of datastore, whereas there should be heterogeneities in log data that we can take advantage of for efficient log management. Based on this observation, we first confirm this insight by investigating the usage patterns of log data in a quantitative manner with an actual dataset of log access histories obtained from a SaaS system serving tens of thousands of enterprise users over the course of more than 1.5 years. We show that there are heterogeneities in required retention period of logs, response time of log analysis, and amount of data, and the heterogeneities depend on log data category and its analysis scenario. Armed with the evidence of the heterogeneities in log data and the usage patterns found from the investigation, we design a methodology of context-aware log data management, key features of which are to speculatively pre-cache the result of log analysis and to proactively archive log data, depending on log data category and analysis scenario. Evaluation with a prototype implementation shows that the proposed method reduces the response time by 47% compared to a conventional method and the storage consumption by approximately 40% compared to the original log data.