    • State-of-the-art Survey on Network Behavior Emulation

      2022, 33(1):274-296. DOI: 10.13328/j.cnki.jos.006338

      Keywords: network behavior; cyber range; background traffic; foreground traffic; orchestration framework

      Abstract: Network behavior typically describes the interaction process among different kinds of network elements, which is based on different kinds of network service protocols and applications, formulates evolving and diverse network behavior, and reflects attributes of network scenarios during certain periods on the network topology. Network behavior emulation includes the runtime framework, background traffic emulation, and foreground traffic emulation, which project network behaviors in the production network environment to the test cyber environment and provide the mirroring capability of on-demand and flexible design specifications. The application scenarios of network behavior emulation continuously evolve, including performance analysis and evaluation, product and technique evaluation, network intrusion detection, and the research and development of network attack and defense techniques. To summarize existing research results and limitations, and analyze future development trends, this study seeks to categorize relevant definitions and research frameworks on simulating network behaviors, summarizes the state-of-the-art research progress in terms of the framework, background traffic, and foreground traffic, and systematically surveys both commercial and open-source software tools. Finally, this study proposes future research topics on network behavior simulation.

    • P2P Traffic Identification

      2011, 22(6):1281-1298. DOI: 10.3724/SP.J.1001.2011.03995

      Keywords: peer-to-peer (P2P) network; port identification; deep packet inspection; machine learning; network behavior

      Abstract: The rapid increase of P2P traffic worsens network congestion, while P2P traffic identification becomes the basic technical support for network management. The types of P2P traffic and the main challenges of traffic identification are introduced first. Next, the main techniques and research progress of P2P traffic identification are summarized. Finally, the future trend is put forward.

    • Analyzing the Characteristics of Application Traffic Behavior Based on Chi-Square Statistics

      2010, 21(11):2852-2865.

      Keywords: network behavior; application-level protocol; traffic identification; behavior characteristic; chi-square statistics; packet sampling

      Abstract: Based on the Chi-Square Statistics and Test, this paper proposes a method named ABSA (application behavior significance assessment) to analyze the traffic behavior characteristics of applications. The ABSA method does not focus on any certain applications; in contrast, it aims at providing a quantitative standard for describing the behavior distribution differences among applications, so that the traffic behavior characteristics and their corresponding significances can be determined. The theoretical analysis and experimental results show that 1) ABSA can present the information about characteristics more precisely and copiously to improve the accuracy of application identification; 2) the significance of a characteristic is independent of its proportion in sample totals; 3) ABSA can keep the relative significance sequence of behavior characteristics unchanged in a packet sampling environment, which is often used by NetFlow and many other flow information collecting systems, to simplify the characteristic re-selecting process when the sampling ratio is changed.

    • Large-Scale Network Intrusion Detection Algorithm Based on Distributed Learning

      2008, 19(4):993-1003.

      Keywords: intrusion detection system; network behavior; neural network; distributed learning

      Abstract: As Internet bandwidth is increasing at an exponential rate, it is impossible to keep up with the speed of networks by just increasing the speed of processors. In addition, complex intrusion detection methods further add to the pressure on network intrusion detection system (NIDS) platforms, and the continuously increasing speed and throughput of networks pose new challenges to NIDS. In order to make NIDS effective in Gigabit Ethernet, the ideal policy is to use a load balancer to split the traffic and forward it to different detection sensors, and these sensors can analyze the split data in parallel. If the load balancer is required to make each slice contain all the necessary evidence to detect a specific attack, its design has to be complicated and it becomes a new bottleneck of NIDS. To simplify the load balancer, this paper puts forward a distributed neural network learning algorithm. By using the learning algorithm, a large data set can be split randomly and each data slice is handled by an independent neural network in parallel. The first experiment tests the algorithm's learning ability on the benchmark of circle-in-the-square and compares it with ARTMAP (adaptive resonance theory supervised predictive mapping) and BP (back propagation) neural networks; the second experiment is performed on the KDD99 Data Set, which is a standard intrusion detection benchmark. Comparisons with other approaches on the same benchmark show that it can perform detection at a high detection speed and low false alarm rate.

Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4