Dragos Comaneci

Application Protocol Engineer at BreakingPoint Systems - Ixia

Software Engineer with a strong background in computer networks, object oriented programming, operating systems, security, parallel and distributed algorithms and embedded development.
My main focus area is on Distributed Computer Systems and the intricacies they entail. I like understanding, designing, building, optimising and securing such systems as well as working on all of the abstraction layers involved.

Presentation: Securing Networks using SDN and Machine Learning

Software Defined Networking (SDN) holds the key for building networks that can adapt effectively and efficiently to ever changing conditions: traffic flows, network policies, security constraints, etc. Although it has this power, defining security policies that take into account all of the different scenarios and new applications that are running on the network can be an overwhelming task even if you use high level abstraction languages based on reactive programming.
In this paper we try to alleviate this complexity by using machine learning traffic flow classification techniques and defining high level SDN policies based on the derived flow classes. We employ both supervised learning techniques in which you have some pre-trained models for different types of traffic as well as unsupervised learning where we try to cluster together different traffic flows. If the clusters are pure enough, we can attempt to use them to automatically train a new supervised flow model. Finally, after classifying the flows, we run a flow grouping algorithm that will determine which flows are generally seen together in the same time frame. For supervised learning we’re using C4.5 decision tree classifiers having as features for a flow: inter-packet arrival time, packet size, packet count, flow tuple and other statistical information derived from these: means, sums, minimums, maximums, standard deviations. For the unsupervised case we use the k-means algorithm on the same group of features.
After obtaining the traffic flow information derived via machine learning we explore how to integrate it in a high level SDN language such as Nettle and provide an overview of the hardware and software architecture needed to support such a system.
From a security standpoint we also explore how we can leverage such information for the scenarios of network anomaly detection, botnet detection and rerouting interesting traffic to a network honeypot. For each of these scenarios we outline how a basic proof of concept Nettle based SDN controller would be implemented.
We also evaluate and discuss different aspects of the overall system such as classification accuracy, system response time, resource usage, traffic flow delays and scalability issues. The experimental testbed for these results is based on Mininet virtual machines (that also run the Diffuse ML traffic classifier) through which different legitimate and malicious application traffic generated by the BreakingPoint system is routed.
Finally, we conclude the paper by emphasizing the different working aspects of the system as well as the challenges it faces with regards to scalability and accuracy.

Presentation @DefCamp 2014