Characterizing Scanning Behavior

Last week, Tom Dooner and Brian Stack, two undergraduates we're working with at Case Western Reserve University, presented a poster at Case's Intersections: SOURCE Undergraduate Symposium and Poster Session. The work presented is a preliminary characterization of scanning patterns as observed over 12+ years at LBNL. You can view the poster here.

Followup: Tom and Brian's poster won second place among posters from the College of Engineering at this event. Congrats!

IMC'10 Paper on Illuminating Edge Networks

Earlier this month we presented the ICSI Netalyzr at the Internet Measurement Conference in Melbourne, Australia. The Netalyzr is a public edge network measurement and debugging service that evaluates the functionality provided by people's Internet connectivity. Its tests include outbound port filtering, hidden in-network HTTP caches, DNS manipulations, NAT behavior, path MTU issues, access-modem buffer capacity, and growing IPv6 support and performance. The paper is available here:

• Christian Kreibich, Nicholas Weaver, Boris Nechaev, and Vern Paxson. Netalyzr: Illuminating The Edge Network. Internet Measurement Conference, 2010, Melbourne, Australia. (bib)

The Netalyzr has been one of our major research efforts over the past two years, and we're thrilled by the popularity it has gained since we launched it—to date, Netalyzr has collected 160,000 sessions from 6,800 different organisations in 190 countries: The study is ongoing, so visit the Netalyzr website and run it yourself!

Paper on Emergency Notification

We recently published a paper that discusses a special-purpose social network for communicating during an wide-scale emergency situation (e.g., an earthquake).

• Mark Allman. On Building Special-Purpose Social Networks for Emergency Communication. ACM Computer Communication Review, 40(5), October 2010.

The CCR public review of the paper is also available here.

Dealing with Tussle

At HotNets this week Aditya Akella presented our joint paper outlining an architectural framework for dealing with the tussle that naturally arise between networks that want to control resources and enforce policies, on the one hand, and users who are trying to accomplish some work, on the other. The paper is:

• Chitra Muthukrishnan, Vern Paxson, Mark Allman, Aditya Akella. Using Strongly Typed Networking to Architect for Tussle. ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), October 2010.

While many of the details of a practical implementation would need to be worked out we'd appreciate feedback on this thought experiment.

Postdoctoral Fellowship Opening

The International Computer Science Institute (ICSI) invites applications for a Postdoctoral Fellow position in the area of applying modern compiler technology to the domain of high-performance network security monitoring.

The Fellow will be working with ICSI's Networking Group on designing, implementing, and evaluating novel approaches for efficient monitoring of large-scale network environments. The position's primary research focus is on developing strategies for compiling high-level analysis descriptions into highly optimized code for execution on current multi-core architectures.

Please see the full posting for more information.

Major NSF Funding for Bro Development

The Bro team is jazzed to announce that the National Science Foundation has awarded a grant of almost $3M to the International Computer Science Institute (ICSI) and the National Center for Supercomputing Applications (NCSA) for extensive Bro development.

The funded project aims specifically at addressing much of the feedback that we have received from Bro users over the years. It will enable us to refine many of the rough edges that the system has accumulated over time[*], improve Bro's performance significantly, and also make it much easier for the community to contribute to the project.

For further information, see the joint ICSI/NCSA press release.

Thanks to everybody who helped make this happen!

[*] Yes, that includes documentation!

Cybercasing the Joint

Earlier this month, we presented a paper on how geotagging can leave users vulnerable to what we termed "cybercasing":

Gerald Friedland, Robin Sommer
Cybercasing the Joint: On the Privacy Implications of Geo-Tagging
Proc. USENIX Workshop on Hot Topics in Security, 2010

This work was featured by the New York Times, ABC News, Toronto Star, and New Scientist.

Machine Learning For Network Intrusion Detection

At last week's IEEE Symposium on Security & Privacy, we presented some thoughts on using machine learning for intrusion detection:

Robin Sommer, Vern Paxson
Outside the Closed World: On Using Machine Learning For Network Intrusion Detection
Proc. IEEE Symposium on Security and Privacy, 2010

Slides are here.

LEET'10 paper on proactive domain blacklisting

At last week's LEET'10 workshop we presented our recent work on proactive domain blacklisting based on registration patterns of domain names used in scams.

• M. Felegyhazi, C. Kreibich, and V. Paxson. On the Potential of Proactive Domain Blacklisting. Third USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '10), 2010, San Jose, CA, USA. (bib)

TCP Performance in Enterprise Networks

Last week at INM/WREN Vern presented our paper (as a proxy for Boris who was stranded in Finland by volcanic ash) on TCP performance observed within the LBNL enterprise network. The paper is:

• Boris Nechaev, Mark Allman, Vern Paxson, Andrei Gurtov. A Preliminary Analysis of TCP Performance in an Enterprise Network. USENIX Internet Network Management Workshop/Workshop on Research on Enterprise Networking (INM/WREN), April 2010.

Early Retransmit

After many years our Early Retransmit specification is now an RFC.

• Mark Allman, Konstantin Avrachenkov, Urtzi Ayesta, Josh Blanton, Per Hurtig. Early Retransmit for TCP and SCTP, April 2010. RFC 5827.

An Assessment of Web Timeouts

Two weeks ago at PAM Zak presented our work in assessing the length and implications of various timeouts associated with the process of downloading web pages. The paper are slides:

• Zakaria Al-Qudah, Michael Rabinovich, Mark Allman. Web Timeouts and Their Implications. Passive and Active Measurement Conference, April 2010. Zak's slides.

A Longitudinal Look at Web Traffic

A couple weeks back at PAM Tom presented our initial analysis of 3.5 years of HTTP traffic from ICSI's border. The paper and slides from the talk:

• Tom Callahan, Mark Allman, Vern Paxson. A Longitudinal View of HTTP Traffic. Passive and Active Measurement Conference, April 2010. Tom's slides.

ICSI Netalyzr leaves beta

Today we are taking the ICSI Netalyzr out of the beta stage. Among the changes we are rolling out are:

• New tests. We now provide a path MTU test, IP fragmentation support, improved DNS examination, and look up additional names. Besides the client-side transcript you can now inspect the server-side one, which is useful for debugging highly troubled sessions. In addition, we have improved the overall robustness of the existing tests.
• Interface improvements. A frequent complaint we received was that the results summary is overwhelming. As a first step to improve the situation, you can now selectively show or hide result summary detail. On the summary page, you find clickable plus/minus symbols that will expand/collapse test results on the entire page, in a particular test class, or on a particular test. When you first arrive at the summary page, any issues we have noticed remain expanded by default.
• Updated info pages. Each of our tests comes with an info page, available by clicking on the test's name (such as "Path MTU" in the above). We have given those info pages a makeover, which will hopefully make them easier to understand and more useful to less technical users.

We hope you will enjoy the new Netalyzr. Many thanks to everyone who has tried out the tool in the past!