Kodai SATAKE Tatsuya OTOSHI Yuichi OHSITA Masayuki MURATA
Traffic engineering refers to techniques to accommodate traffic efficiently by dynamically configuring traffic routes so as to adjust to changes in traffic. If traffic changes frequently and drastically, the interval of route reconfiguration should be short. However, with shorter intervals, obtaining traffic information is problematic. To calculate a suitable route, accurate traffic information of the whole network must be gathered. This is difficult in short intervals, owing to the overhead incurred to monitor and collect traffic information. In this paper, we propose a framework for traffic engineering in cases where only partial traffic information can be obtained in each time slot. The proposed framework is inspired by the human brain, and uses conditional probability to make decisions. In this framework, a controller is deployed to (1) obtain a limited amount of traffic information, (2) estimate and predict the probability distribution of the traffic, (3) configure routes considering the probability distribution of future predicted traffic, and (4) select traffic that should be monitored during the next period considering the system performance yielded by route reconfiguration. We evaluate our framework with a simulation. The results demonstrate that our framework improves the efficiency of traffic accommodation even when only partial traffic information is monitored during each time slot.
Yousuke TAKAHASHI Keisuke ISHIBASHI Masayuki TSUJINO Noriaki KAMIYAMA Kohei SHIOMOTO Tatsuya OTOSHI Yuichi OHSITA Masayuki MURATA
To efficiently use network resources, internet service providers need to conduct traffic engineering that dynamically controls traffic routes to accommodate traffic change with limited network resources. The performance of traffic engineering (TE) depends on the accuracy of traffic prediction. However, the size of traffic change has been drastically increasing in recent years due to the growth in various types of network services, which has made traffic prediction difficult. Our approach to tackle this issue is to separate traffic into predictable and unpredictable parts and to apply different control policies. However, there are two challenges to achieving this: dynamically separating traffic according to predictability and dynamically controlling routes for each separated traffic part. In this paper, we propose a macroflow-based TE scheme that uses different routing policies in accordance with traffic predictability. We also propose a traffic-separation algorithm based on real-time traffic analysis and a framework for controlling separated traffic with software-defined networking technology, particularly OpenFlow. An evaluation of actual traffic measured in an Internet2 network shows that compared with current TE schemes the proposed scheme can reduce the maximum link load by 34% (at the most congested time) and the average link load by an average of 11%.
Yuichi OHSITA Shingo ATA Masayuki MURATA
Distributed denial-of-service attacks on public servers have recently become more serious. Most of them are SYN Flood attacks, since malicious attackers can easily exploit the TCP specification to generate traffic that makes public servers unavailable. To assure that network services will not be interrupted, we need faster and more accurate defense mechanisms against malicious traffic, especially SYN Floods. One of the problems in detecting SYN Flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN Flood attack. Moreover, since the rate of normal network traffic may vary, we cannot use an explicit threshold on SYN arrival rates to detect SYN Flood traffic. In this paper we introduce a mechanism for detecting SYN Flood traffic more accurately by taking into consideration the time variation of arrival traffic. We first investigate the statistics of the arrival rates of both normal TCP SYN packets and SYN Flood attack packets. We then describe our new detection mechanism based on the statistics of SYN arrival rates. Our analytical results show that the arrival rate of normal TCP SYN packets can be modeled by a normal distribution and that our proposed mechanism can detect SYN Flood traffic quickly and accurately regardless of the time variance of the traffic.
Toshiki SHIBAHARA Kohei YAMANISHI Yuta TAKATA Daiki CHIBA Taiga HOKAGUCHI Mitsuaki AKIYAMA Takeshi YAGI Yuichi OHSITA Masayuki MURATA
The number of infected hosts on enterprise networks has been increased by drive-by download attacks. In these attacks, users of compromised popular websites are redirected toward websites that exploit vulnerabilities of a browser and its plugins. To prevent damage, detection of infected hosts on the basis of proxy logs rather than blacklist-based filtering has started to be researched. This is because blacklists have become difficult to create due to the short lifetime of malicious domains and concealment of exploit code. To detect accesses to malicious websites from proxy logs, we propose a system for detecting malicious URL sequences on the basis of three key ideas: focusing on sequences of URLs that include artifacts of malicious redirections, designing new features related to software other than browsers, and generating new training data with data augmentation. To find an effective approach for classifying URL sequences, we compared three approaches: an individual-based approach, a convolutional neural network (CNN), and our new event de-noising CNN (EDCNN). Our EDCNN reduces the negative effects of benign URLs redirected from compromised websites included in malicious URL sequences. Evaluation results show that only our EDCNN with proposed features and data augmentation achieved a practical classification performance: a true positive rate of 99.1%, and a false positive rate of 3.4%.
Yuya TARUTANI Yuichi OHSITA Masayuki MURATA
Cloud storage has become popular and is being used to hold important data. As a result, availability has become important; cloud storage providers should allow users to upload or download data even if some part of the system has failed. In this paper, we discuss distributed cloud storage that is robust against failures. In distributed cloud storage, multiple replicas of each data chunk are stored in virtual storage systems at geographically different locations. Thus, even if one of the virtual storage systems becomes unavailable, users can access the data chunk from another virtual storage system. In distributed cloud storage, the placement of the virtual storage systems is important; if the placement means that a large number of virtual storage systems could become unavailable from a single failure, a large number of replicas of each data chunk must be prepared to maintain availability. In this paper, we propose a virtual storage placement method that assures availability with a small number of replicas. We evaluated our method by comparing it with three other methods. The evaluation shows that our method can maintain availability while requiring only 60% of the network costs required by the compared methods.
Noriaki KAMIYAMA Yousuke TAKAHASHI Keisuke ISHIBASHI Kohei SHIOMOTO Tatsuya OTOSHI Yuichi OHSITA Masayuki MURATA
Although the use of software-defined networking (SDN) enables routes of packets to be controlled with finer granularity (down to the individual flow level) by using traffic engineering (TE) and thereby enables better balancing of the link loads, the corresponding increase in the number of states that need to be managed at routers and the controller is problematic in large-scale networks. Aggregating flows into macro flows and assigning routes per macro flow should be an effective approach to solving this problem. However, when macro flows are constructed as TE targets, the variation of traffic rates in each macro flow should be minimized to improve route stability. We propose two methods for generating macro flows: one is based on a greedy algorithm that minimizes the variation in rates, and the other clusters micro flows with similar traffic variation patterns into groups and optimizes the ratio of traffic extracted from each cluster to aggregate into each macro flow. Evaluation using traffic demand matrices for 48 hours of Internet2 traffic demonstrated that the proposed methods can reduce the number of TE targets to about 1/50 ∼ 1/400 without degrading the link-load balancing effect of TE.
Yuichi OHSITA Shingo ATA Masayuki MURATA
Distributed denial-of-service attacks on public servers have recently become more serious. The most effective way to prevent this type of traffic is to identify the attack nodes and detach (or block) them at their egress routers. However, existing traceback mechanisms are currently not widely used for several reasons, such as the necessity of replacing many routers to support traceback capability, or difficulties in distinguishing between attack and legitimate traffic. In this paper, we propose a new scheme that enables a traceback from a victim to the attack nodes. More specifically, we identify the egress routers that attack nodes are connected to by estimating the traffic matrix between arbitrary source-destination edge pairs. By monitoring the traffic variations obtained from the traffic matrix, we identify the edge routers that are forwarding the attack traffic, i.e., those that show a sharp increase in traffic toward the victim. We also evaluate the effectiveness of our proposed scheme through simulation, and show that our method can identify attack sources accurately.
Tatsuya OTOSHI Yuichi OHSITA Masayuki MURATA Yousuke TAKAHASHI Noriaki KAMIYAMA Keisuke ISHIBASHI Kohei SHIOMOTO Tomoaki HASHIMOTO
In recent years, the time variation of Internet traffic has increased due to the growth of streaming and cloud services. Backbone networks must accommodate such traffic without congestion. Traffic engineering with traffic prediction is one approach to stably accommodating time-varying traffic. In this approach, routes are calculated from predicted traffic to avoid congestion, but predictions may include errors that cause congestion. We propose prediction-based traffic engineering that is robust against prediction errors. To achieve robust control, our method uses model predictive control, a process control method based on prediction of system dynamics. Routes are calculated so that future congestion is avoided without sudden route changes. We apply calculated routes for the next time slot, and observe traffic. Using the newly observed traffic, we again predict traffic and re-calculate the routes. Repeating these steps mitigates the impact of prediction errors, because traffic predictions are corrected in each time slot. Through simulations using backbone network traffic traces, we demonstrate that our method can avoid the congestion that the other methods cannot.
Yuichi OHSITA Shingo ATA Masayuki MURATA
Distributed denial-of-service attacks on public servers have recently become more serious. Most of them are SYN flood attacks, since malicious attackers can easily exploit the TCP specification to generate traffic that makes public servers unavailable. We need a defense method that can protect legitimate traffic so that end users can connect to the target servers during such attacks. In this paper, we propose a new framework in which all of the TCP connections to the victim servers from a domain are maintained at the gateways of the domain (i.e., near the clients). We call the nodes maintaining the TCP connections defense nodes. The defense nodes check whether arriving packets are legitimate or not by maintaining the TCP connection. That is, the defense nodes send reply packets to the received connection request packets on behalf of the server and identify the legitimate packets by checking whether the clients respond to those reply packets. Then, only the identified traffic is relayed via overlay networks. As a result, by deploying the defense nodes at the gateways of a domain, the legitimate packets from the domain are relayed apart from other packets, including attack packets, and are thereby protected. Our simulation results show that our method can protect legitimate traffic from the domain deploying our method. We also describe the deployment scenario of our defense mechanism.
Yuichi OHSITA Takashi MIYAMURA Shin'ichi ARAKAWA Eiji OKI Kohei SHIOMOTO Masayuki MURATA
Obtaining current traffic matrices is essential to traffic engineering (TE) methods. Because it is difficult to monitor traffic matrices directly, several methods for estimating them from link loads have been proposed. The models used in these methods, however, are incorrect for some real networks. Thus, methods that improve the accuracy of estimation by changing routes have also been proposed. However, existing methods for estimating the traffic matrix by changing routes can only capture long-term variations and cannot obtain current traffic matrices accurately. In this paper, we propose a method for estimating current traffic matrices that uses the route changes introduced by a TE method. In this method, we first estimate the long-term variations of traffic by using the link loads monitored at previous times. Then, we adjust the estimated long-term variations so as to fit the current link loads. In addition, when the traffic variation trends change and the estimated long-term variations fail to match the current traffic, our method detects the mismatch. Then, so as to capture the current traffic variations, the method re-estimates the long-term variations after removing the monitored data corresponding to the end-to-end traffic causing the mismatch. We evaluate our method through simulation. The results show that our method can estimate current traffic matrices accurately even when some end-to-end traffic changes suddenly.