
Keyword Search Result

[Keyword] network monitoring (14 hits)

  • Opimon: A Transparent, Low-Overhead Monitoring System for OpenFlow Networks Open Access

    Wassapon WATANAKEESUNTORN  Keichi TAKAHASHI  Chawanat NAKASAN  Kohei ICHIKAWA  Hajimu IIDA  

     
    PAPER-Network Management/Operation

      Publicized:
    2021/10/21
      Vol:
    E105-B No:4
      Page(s):
    485-493

    OpenFlow is a widely adopted implementation of the Software-Defined Networking (SDN) architecture. Since conventional network monitoring systems are unable to cope with OpenFlow networks, researchers have developed various monitoring systems tailored for OpenFlow networks. However, these existing systems either rely on a specific controller framework or an API, both of which are not part of the OpenFlow specification, and thus limit their applicability. This article proposes a transparent and low-overhead monitoring system for OpenFlow networks, referred to as Opimon. Opimon monitors the network topology, switch statistics, and flow tables in an OpenFlow network and visualizes the result through a web interface in real-time. Opimon monitors a network by interposing a proxy between the controller and switches and intercepting every OpenFlow message exchanged. This design allows Opimon to be compatible with any OpenFlow switch or controller. We tested the functionalities of Opimon on a virtual network built using Mininet and a large-scale international OpenFlow testbed (PRAGMA-ENT). Furthermore, we measured the performance overhead incurred by Opimon and demonstrated that the overhead in terms of latency and throughput was less than 3% and 5%, respectively.

  • Monitoring Trails Computation within Allowable Expected Period Specified for Transport Networks

    Nagao OGINO  Takeshi KITAHARA  

     
    PAPER-Network Management/Operation

      Publicized:
    2021/07/09
      Vol:
    E105-B No:1
      Page(s):
    21-33

    Active network monitoring based on Boolean network tomography is a promising technique to localize link failures instantly in transport networks. However, the required set of monitoring trails must be recomputed after each link failure has occurred to handle succeeding link failures. Existing heuristic methods cannot compute the required monitoring trails in a sufficiently short time when multiple-link failures must be localized in the whole of large-scale managed networks. This paper proposes an approach for computing the required monitoring trails within an allowable expected period specified beforehand. A random walk-based analysis estimates the number of monitoring trails to be computed in the proposed approach. The estimated number of monitoring trails is computed by a lightweight method that only guarantees partial localization within restricted areas. The lightweight method is repeatedly executed until a successful set of monitoring trails achieving unambiguous localization in the entire managed networks can be obtained. This paper demonstrates that the proposed approach can compute a small number of monitoring trails for localizing all independent dual-link failures in managed networks made up of thousands of links within a given expected short period.

  • Virtual Vault: A Practical Leakage Resilient Scheme Using Space-Hard Ciphers

    Yuji KOIKE  Takuya HAYASHI  Jun KURIHARA  Takanori ISOBE  

     
    PAPER

      Vol:
    E104-A No:1
      Page(s):
    182-189

    Due to the legal reform on the protection of personal information in US/Japan and the enforcement of the General Data Protection Regulation (GDPR) in Europe, service providers are obliged to more securely manage the sensitive data stored in their server. In order to protect this kind of data, they generally employ a cryptographic encryption scheme and secure key management schemes such as a Hardware Security Module (HSM) and Trusted Platform Module (TPM). In this paper, we take a different approach based on the space-hard cipher. The space-hard cipher has an interesting property called the space hardness. Space hardness guarantees sufficient security against the adversary who gains a part of key data, e.g., 1/4 of key data. Combined with a simple network monitoring technique, we develop a practical leakage resilient scheme Virtual Vault, which is secure against the snapshot adversary who has full access to the memory in the server for a short period. Importantly, Virtual Vault is deployable by only a low-price device for network monitoring, e.g. L2 switch, and software of space-hard ciphers and packet analyzer, while typical solutions require a dedicated hardware for secure key managements such as HSM and TPM. Thus, Virtual Vault is easily added on the existing servers which do not have such dedicated hardware.

  • Finding Widespread Events with Simple Bitmaps

    Syed Moeen Ali NAQVI  MyungKeun YOON  

     
    LETTER-Information Network

      Publicized:
    2018/09/12
      Vol:
    E101-D No:12
      Page(s):
    3246-3248

    Finding widespread events in a distributed network is crucial when detecting cyber-attacks or network malfunctions. We propose a new detection scheme for widespread events based on bitmaps that can succinctly record and deliver event information between monitoring agents and a central coordinator. Our proposed scheme reduces communication overhead as well as total number of rounds, and achieves even higher accuracy, compared with the current state of the art.

  • GHOST Sensor: A Proactive Cyber Attack Monitoring Platform

    Masashi ETO  Tomohide TANAKA  Koei SUZUKI  Mio SUZUKI  Daisuke INOUE  Koji NAKAO  

     
    PAPER-Attack Monitoring & Detection

      Publicized:
    2014/12/04
      Vol:
    E98-D No:4
      Page(s):
    788-795

    A number of network monitoring sensors such as honeypot and web crawler have been launched to observe increasingly-sophisticated cyber attacks. Based on these technologies, there have been several large scale network monitoring projects launched to fight against cyber threats on the Internet. Meanwhile, these projects are facing some problems such as Difficulty of collecting wide range darknet, Burden of honeypot operation and Blacklisting problem of honeypot address. In order to address these problems, this paper proposes a novel proactive cyber attack monitoring platform called GHOST sensor, which enables effective utilization of physical and logical resources such as hardware of sensors and monitoring IP addresses as well as improves the efficiency of attack information collection. The GHOST sensor dynamically allocates targeted IP addresses to appropriate sensors so that the sensors can flexibly monitor attacks according to profiles of each attacker. Through an evaluation in an experiment environment, this paper presents the efficiency of attack observation and resource utilization.

  • New Directions for a Japanese Academic Backbone Network Open Access

    Shigeo URUSHIDANI  Shunji ABE  Kenjiro YAMANAKA  Kento AIDA  Shigetoshi YOKOYAMA  Hiroshi YAMADA  Motonori NAKAMURA  Kensuke FUKUDA  Michihiro KOIBUCHI  Shigeki YAMADA  

     
    INVITED PAPER

      Publicized:
    2014/12/11
      Vol:
    E98-D No:3
      Page(s):
    546-556

    This paper describes an architectural design and related services of a new Japanese academic backbone network, called SINET5, which will be launched in April 2016. The network will cover all 47 prefectures with 100-Gigabit Ethernet technology and connect each pair of prefectures with a minimized latency. This will enable users to leverage evolving cloud-computing powers as well as draw on a high-performance platform for data-intensive applications. The transmission layer will form a fully meshed, SDN-friendly, and reliable network. The services will evolve to be more dynamic and cloud-oriented in response to user demands. Cyber-security measures for the backbone network and tools for performance acceleration and visualization are also discussed.

  • Towards Cost-Effective P2P Traffic Classification in Cloud Environment

    Tao BAN  Shanqing GUO  Masashi ETO  Daisuke INOUE  Koji NAKAO  

     
    PAPER-Network and Communication

      Vol:
    E95-D No:12
      Page(s):
    2888-2897

    Characterization of peer-to-peer (P2P) traffic is an essential step to develop workload models towards capacity planning and cyber-threat countermeasure over P2P networks. In this paper, we present a classification scheme for characterizing P2P file-sharing hosts based on transport layer statistical features. The proposed scheme is accessed on a virtualized environment that simulates a P2P-friendly cloud system. The system shows high accuracy in differentiating P2P file-sharing hosts from ordinary hosts. Its tunability regarding monitoring cost, system response time, and prediction accuracy is demonstrated by a series of experiments. Further study on feature selection is pursued to identify the most essential discriminators that contribute most to the classification. Experimental results show that an equally accurate system could be obtained using only 3 out of the 18 defined discriminators, which further reduces the monitoring cost and enhances the adaptability of the system.

  • A Memory-Efficient Bit-Split Pattern Matching Architecture Using Shared Match Vectors for Deep Packet Inspection

    HyunJin KIM  

     
    LETTER-Network Management/Operation

      Vol:
    E95-B No:11
      Page(s):
    3594-3596

    This paper proposes a bit-split string matcher architecture for a memory-efficient hardware-based parallel pattern matching engine. In the proposed bit-split string matcher, multiple finite-state machine (FSM) tiles share match vectors to reduce the required number of stored match vectors. By decreasing the memory size for storing match vectors, the total memory requirement can be minimized.

  • A Study on Locating Lossy Links of Signaling Messages in SIP-Based Services

    Takeshi USUI  Takeshi KUBO  Yoshinori KITATSUJI  Hidetoshi YOKOTA  

     
    PAPER-Network Management/Operation

      Vol:
    E94-B No:1
      Page(s):
    118-127

    The number of SIP-based services provided by network service providers (NSPs) is increasing. SIP allows NSPs to control services and to collect the information relating to charging for the usage of their customer communications. Monitoring SIP messages (exchanged between SIP proxy servers and user terminals) is vital for providing the stable SIP-based services. Monitoring SIP messages enables NSPs to quickly discover a fault location where SIP messages are lost, and to determine the subsequent recovery solutions. This paper proposes a lightweight method for determining the location of SIP message loss through relationships based on the SIP's retransmission mechanism. Numerical analyses show that the proposed method can locate the lossy links of SIP messages with a low probability of detection failure.

  • A Pattern Partitioning Algorithm for Memory-Efficient Parallel String Matching in Deep Packet Inspection

    HyunJin KIM  Hyejeong HONG  Dongmyoung BAEK  Sungho KANG  

     
    LETTER-Network Management/Operation

      Vol:
    E93-B No:6
      Page(s):
    1612-1614

    This paper proposes a pattern partitioning algorithm that maps multiple target patterns onto homogeneous memory-based string matchers. The proposed algorithm adopts the greedy search based on lexicographical sorting. By mapping as many target patterns as possible onto each string matcher, the memory requirements are greatly reduced.

  • A Memory-Efficient Pattern Matching with Hardware-Based Bit-Split String Matchers for Deep Packet Inspection

    HyunJin KIM  Hong-Sik KIM  Jung-Hee LEE  Jin-Ho AHN  Sungho KANG  

     
    LETTER-Network Management/Operation

      Vol:
    E93-B No:2
      Page(s):
    396-398

    This paper proposes a hardware-based parallel pattern matching engine using a memory-based bit-split string matcher architecture. The proposed bit-split string matcher separates the transition table from the state table, so that state transitions towards the initial state are not stored. Therefore, total memory requirements can be minimized.

  • Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring

    Koji NAKAO  Daisuke INOUE  Masashi ETO  Katsunari YOSHIOKA  

     
    INVITED PAPER

      Vol:
    E92-D No:5
      Page(s):
    787-798

    Considering rapid increase of recent highly organized and sophisticated malwares, practical solutions for the countermeasures against malwares especially related to zero-day attacks should be effectively developed in an urgent manner. Several research activities have been already carried out focusing on statistic calculation of network events by means of global network sensors (so-called macroscopic approach) as well as on direct malware analysis such as code analysis (so-called microscopic approach). However, in the current research activities, it is not clear at all how to inter-correlate between network behaviors obtained from macroscopic approach and malware behaviors obtained from microscopic approach. In this paper, in one side, network behaviors observed from darknet are strictly analyzed to produce scan profiles, and in the other side, malware behaviors obtained from honeypots are correctly analyzed so as to produce a set of profiles containing malware characteristics. To this end, inter-relationship between above two types of profiles is practically discussed and studied so that frequently observed malware behaviors can be finally identified in view of scan-malware chain.

  • New Methods for Maintaining Fairness between Well-Behaved TCP Flows and Tampered-TCP Flows at Edge Routers

    Junichi MARUYAMA  Go HASEGAWA  Masayuki MURATA  

     
    PAPER-Transmission Systems and Transmission Equipment for Communications

      Vol:
    E91-B No:1
      Page(s):
    197-206

    In this paper, we propose new methods which detect tampered-TCP connections at edge routers and protect well-behaved TCP connections from tampered-TCP connections, which results in fairness among TCP connections. The proposed methods monitor the TCP packets at an edge router and estimate the window size or the throughput for each TCP connection. By using estimation results, the proposed methods assess whether each TCP connection is tampered or not and drop packets intentionally if necessary to improve the fairness amongst TCP connections. From the results of simulation experiments, we confirm that the proposed methods can accurately identify tampered-TCP connections and regulate throughput ratio between tampered-TCP connections and competing TCP Reno connections to about 1.

  • Detecting and Guarding against Kernel Backdoors through Packet Flow Differentials Open Access

    Cheolho LEE  Kiwook SOHN  

     
    PAPER

      Vol:
    E90-B No:10
      Page(s):
    2638-2645

    In this paper, we present a novel technique to detect and defeat kernel backdoors which cannot be identified by conventional security solutions. We focus on the fact that since the packet flows of common network applications go up and down through the whole network subsystem but kernel backdoors utilize only the lower layers of the subsystem, we can detect kernel backdoors by employing two host-based monitoring sensors (one at higher layer and the other at lower layer) and by inspecting the packet flow differentials. We also provide strategies to mitigate false positives and negatives and to defeat kernel backdoors. To evaluate the effectiveness of the proposed technique, we implemented a detection system (KbGuard) and performed experiments in a simulated environment. The evaluation results indicate that our approach can effectively detect and deactivate kernel backdoors with a high detection rate. We also believe that our research can help prevent stealthy threats of kernel backdoors.