-
Non-uniformity is All You Need: Efficient and Timely Encrypted Traffic Classification With ECHO
Authors:
Shilo Daum,
Tal Shapira,
Anat Bremler-Barr,
David Hay
Abstract:
With 95% of Internet traffic now encrypted, an effective approach to classifying this traffic is crucial for network security and management. This paper introduces ECHO -- a novel optimization process for ML/DL-based encrypted traffic classification. ECHO targets both classification time and memory utilization and incorporates two innovative techniques.
The first component, HO (Hyperparameter Optimization of binnings), aims at creating efficient traffic representations. While previous research often uses representations that map packet sizes and packet arrival times to fixed-sized bins, we show that non-uniform binnings are significantly more efficient. These non-uniform binnings are derived by employing a hyperparameter optimization algorithm in the training stage. HO significantly improves accuracy given a required representation size, or, equivalently, achieves comparable accuracy using smaller representations.
Then, we introduce EC (Early Classification of traffic), which enables faster classification using a cascade of classifiers adapted for different exit times, where classification is based on the level of confidence. EC reduces the average classification latency by up to 90%. Remarkably, this method not only maintains classification accuracy but also, in certain cases, improves it.
Using three publicly available datasets, we demonstrate that the combined method, Early Classification with Hyperparameter Optimization (ECHO), leads to a significant improvement in classification efficiency.
Submitted 5 June, 2024; v1 submitted 3 June, 2024;
originally announced June 2024.
-
Dynamic Layer Tying for Parameter-Efficient Transformers
Authors:
Tamir David Hay,
Lior Wolf
Abstract:
In the pursuit of reducing the number of trainable parameters in deep transformer networks, we employ Reinforcement Learning to dynamically select layers during training and tie them together. Every few iterations, the RL agent is asked whether to train each layer $i$ independently or to copy the weights of a previous layer $j<i$. This facilitates weight sharing, reduces the number of trainable parameters, and also serves as an effective regularization technique. Experimental evaluations validate that our model modestly outperforms the baseline transformer model with regard to perplexity and drastically reduces the number of trainable parameters. In particular, the memory consumption during training is up to one order of magnitude less than the conventional training method.
Submitted 23 January, 2024;
originally announced January 2024.
-
It Is Not Where You Are, It Is Where You Are Registered: IoT Location Impact
Authors:
Bar Meyuhas,
Anat Bremler-Barr,
David Hay,
Shoham Danino
Abstract:
This paper investigates how and with whom IoT devices communicate and how their location affects their communication patterns. Specifically, the endpoints an IoT device communicates with can be defined as a small set of domains. To study how the location of the device affects its domain set, we distinguish between the location based on its IP address and the location defined by the user when registering the device. We show, contrary to common wisdom, that IP-based location has little to no effect on the set of domains, while the user-defined location changes the set significantly. Unlike common approaches to resolving domains to IP addresses at close-by geo-locations (such as anycast), we present a distinctive way to use the ECS field of EDNS to achieve the same differentiation between user-defined locations. Our solution streamlines the network design of IoT manufacturers and makes it easier for security appliances to monitor IoT traffic. Finally, we show that with one domain for all locations, one can achieve succinct descriptions of the traffic of the IoT device across the globe. We discuss the implications of such descriptions for security appliances, and specifically for those using the Manufacturer Usage Description (MUD) framework.
Submitted 15 December, 2022; v1 submitted 3 December, 2022;
originally announced December 2022.
-
Chopin: Combining Distributed and Centralized Schedulers for Self-Adjusting Datacenter Networks
Authors:
Neta Rozen Schiff,
Klaus-Tycho Foerster,
Stefan Schmid,
David Hay
Abstract:
The performance of distributed and data-centric applications often critically depends on the interconnecting network. Emerging reconfigurable datacenter networks (RDCNs) are a particularly innovative approach to improving datacenter throughput. Relying on a dynamic optical topology which can be adjusted towards the workload in a demand-aware manner, RDCNs allow exploiting temporal and spatial locality in the communication pattern, and providing topological shortcuts for frequently communicating racks. The key challenge, however, concerns how to realize demand-awareness in RDCNs in a scalable fashion.
This paper presents and evaluates Chopin, a hybrid scheduler for self-adjusting networks that provides demand-awareness at low overhead, by combining centralized and distributed approaches. Chopin allocates optical circuits to elephant flows, through its slower centralized scheduler, utilizing global information. Chopin's distributed scheduler is orders of magnitude faster and can swiftly react to changes in the traffic and adjust the optical circuits accordingly, by using only local information and running at each rack separately.
Submitted 11 November, 2022;
originally announced November 2022.
-
NFV-based IoT Security for Home Networks using MUD
Authors:
Yehuda Afek,
Anat Bremler-Barr,
David Hay,
Ran Goldschmidt,
Lior Shafir,
Gafnit Abraham,
Avraham Shalev
Abstract:
A new scalable ISP level system architecture to secure and protect all IoT devices in a large number of homes is presented. The system is based on whitelisting, as in the Manufacturer Usage Description (MUD) framework, implemented as a VNF. Unlike common MUD suggestions that place the whitelist application at the home/enterprise network, our approach is to place the enforcement upstream at the provider network, combining an NFV (Network Function Virtualization) with router/switching filtering capabilities, e.g., ACLs. The VNF monitors many home networks simultaneously, and therefore, is a highly-scalable managed service solution that provides both the end customers and the ISP with excellent visibility and security of the IoT devices at the customer premises.
The system includes a mechanism to distinguish between flows of different devices at the ISP level despite the fact that most home networks (and their IoT devices) are behind a NAT and all the flows from the same home come out with the same source IP address. Moreover, the NFV system needs to receive only the first packet of each connection at the VNF, and rules space is proportional to the number of unique types of IoT devices rather than the number of IoT devices. The monitoring part of the solution is off the critical path and can also uniquely protect from incoming DDoS attacks.
To cope with internal traffic, which is not visible outside the customer premises and often consists of P2P communication, we suggest a hybrid approach, where we deploy a lightweight component at the CPE, whose sole purpose is to monitor P2P communication. As the current MUD solution does not provide a secure solution for P2P communication, we also extend the MUD protocol to deal with peer-to-peer communicating devices. A PoC with a large national-level ISP proves that our technology works as expected.
Submitted 1 November, 2019;
originally announced November 2019.
-
Power Grid Vulnerability to Geographically Correlated Failures - Analysis and Control Implications
Authors:
Andrey Bernstein,
Daniel Bienstock,
David Hay,
Meric Uzunoglu,
Gil Zussman
Abstract:
We consider power line outages in the transmission system of the power grid, and specifically those caused by a natural disaster or a large-scale physical attack. In the transmission system, an outage of a line may lead to overload on other lines, thereby eventually leading to their outage. While such cascading failures have been studied before, our focus is on cascading failures that follow an outage of several lines in the same geographical area. We provide an analytical model of such failures, investigate the model's properties, and show that it differs from other models used to analyze cascades in the power grid (e.g., epidemic/percolation-based models). We then show how to identify the most vulnerable locations in the grid and perform extensive numerical experiments with real grid data to investigate the various effects of geographically correlated outages and the resulting cascades. These results allow us to gain insights into the relationships between various parameters and performance metrics, such as the size of the original event, the final number of connected components, and the fraction of demand (load) satisfied after the cascade. In particular, we focus on the timing and nature of optimal control actions used to reduce the impact of a cascade, in real time. We also compare results obtained by our model to the results of a real cascade that occurred during a major blackout in the San Diego area in September 2011. The analysis and results presented in this paper will have implications both on the design of new power grids and on identifying the locations for shielding, strengthening, and monitoring efforts in grid upgrades.
Submitted 5 June, 2012;
originally announced June 2012.
-
Maximum Bipartite Matching Size And Application to Cuckoo Hashing
Authors:
Yossi Kanizo,
David Hay,
Isaac Keslassy
Abstract:
Cuckoo hashing with a stash is a robust multiple-choice hashing scheme with high memory utilization that can be used in many network device applications. Unfortunately, for memory loads beyond 0.5, little is known about its performance.
In this paper, we analyze its average performance over such loads. We tackle this problem by recasting the problem as an analysis of the expected maximum matching size of a given random bipartite graph. We provide exact results for any finite system, and also deduce asymptotic results as the memory size increases. We further consider other variants of this problem, and finally evaluate the performance of our models on Internet backbone traces. More generally, our results give a tight lower bound on the size of the stash needed for any multiple-choice hashing scheme.
Submitted 9 August, 2011; v1 submitted 12 July, 2010;
originally announced July 2010.