2024/05/20 - COMPACT Newsletter #1

The COMPACT research team is happy to publish this first e-newsletter about the status of the project! COMPACT is a PRIN-funded project that will propose methodologies aimed at compressing feature-based representations of network traffic in edge (e.g., IoT) and core (e.g., backbone) scenarios. The entire research team met in Trieste at the end of April, to discuss the recent activities and the latest updates. It was a very productive meeting, with many fruitful discussions. We report in this letter a summary of the activities that have been discussed.

  • Optimal storage-accuracy management for IoT forensics: POLIMI is actively working on optimizing traffic storage for IoT forensics tasks, which require capturing, storing, and analyzing the network traffic exchanged by consumer IoT devices. The focus has been mainly on Wi-Fi-enabled IoT devices, although the team has recently started working with Zigbee traffic as well. The main objective of this activity is to develop techniques to efficiently store the traffic and traffic characteristics of IoT devices so that forensic analysis built on such data can be performed with high levels of accuracy. To this end, we built a Wi-Fi access point able to perform online traffic feature extraction and compression (so far using lossy techniques based on quantization) and evaluated its performance on several forensics tasks such as presence and movement detection. At the moment, the team is working on a theoretical framework for optimizing the storage/accuracy trade-off of the proposed access point, as well as on extending the architecture to Zigbee devices by integrating the compression and forensic analysis algorithms into a Zigbee gateway.
  • Probe request compression and matching: POLIMI is also actively working towards a compression algorithm tailored to Probe Request frames, which are transmitted by Wi-Fi devices. Such frames are particularly interesting for forensics activities such as localizing or tracking devices. Since the source MAC address contained in Probe Requests is generally randomized for privacy reasons, the objective of the work is to design a fingerprinting algorithm that can determine the emitting device of a set of probe requests with high precision while requiring just a fraction of the bits needed to store the entire probe request frame. At the moment, techniques from the field of audio and video fingerprinting are being studied and adapted to the task at hand.
  • Darknet traffic analysis and compression: UniTS is working towards implementing effective representation and compression techniques for darknet traffic. Darknets are IP addresses that function as passive probes, recording all received packets without hosting any service. Since the traffic they capture is entirely unsolicited, darknets are akin to “network telescopes”. On the web, there exist many open-source lists containing sets of known malicious IP addresses. They are a great resource for network administrators and practitioners, helping to build blocklists to prevent or block cyber attacks. During the first months of the project, the UniTS team has worked to understand to what extent such lists can be used to explain darknet traffic, i.e., how many of the endpoints contacting a darknet appear in the public lists and are thus known malicious actors. Our results have shown that public lists can explain up to 3% of the sources of darknet traffic, but up to 30% of its volume. We are currently working to extend the set of lists considered in the study and to include lists of IP addresses of public, legitimate scanners. Our next steps include a thorough methodology to group and cluster darknet traffic based on the information contained in public lists, so as to filter out uninteresting traffic and store only salient events, thus achieving effective compression of the darknet traffic.
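The two measurements described above for the darknet activity, share of sources versus share of volume explained by public lists, and the follow-on idea of keeping only salient events, can be demonstrated with the small script below. It is an added example written for this newsletter, not code from the COMPACT project; the blocklist, scanner list and darknet flow records are constructed samples (documentation address ranges), and the category names and helper functions are our own assumptions. The same logic generalizes to any number of lists: each source is assigned to the first list that contains it, and everything unmatched is reported as "unknown".

```python
import ipaddress

# Constructed sample feeds (not real lists). One address or CIDR per line,
# "#" starts a comment, as most public feeds do.
MALICIOUS_LIST = """# constructed blocklist of known malicious sources
203.0.113.0/24
198.51.100.17
"""
SCANNER_LIST = """# constructed list of known legitimate research scanners
192.0.2.0/28
"""

# Constructed darknet records: (source address, packets received from it).
DARKNET_FLOWS = [
    ("203.0.113.5", 40), ("203.0.113.200", 150), ("198.51.100.17", 800),
    ("192.0.2.3", 500), ("192.0.2.9", 300),
    ("198.51.100.99", 5), ("198.51.100.100", 7), ("198.51.100.101", 3),
    ("198.51.100.102", 4), ("198.51.100.103", 6),
]


def parse_list(text):
    """Turn a feed into ip_network objects, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


# Category order matters: a source is labelled by the first list that matches.
LISTS = {
    "malicious": parse_list(MALICIOUS_LIST),
    "scanner": parse_list(SCANNER_LIST),
}


def classify(src, lists=LISTS):
    """Return the category of a source address, or "unknown" if no list contains it."""
    addr = ipaddress.ip_address(src)
    for name, nets in lists.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def coverage(flows, lists=LISTS):
    """Per category: number of distinct sources, packets, and their shares of the total.

    The gap between source_share and volume_share is the effect discussed in the
    text: few listed sources can account for a large part of the traffic.
    """
    per_cat = {name: {"sources": 0, "packets": 0} for name in list(lists) + ["unknown"]}
    seen = set()
    for src, packets in flows:
        cat = classify(src, lists)
        per_cat[cat]["packets"] += packets
        if src not in seen:
            seen.add(src)
            per_cat[cat]["sources"] += 1
    total_sources = len(seen)
    total_packets = sum(p for _, p in flows)
    for stats in per_cat.values():
        stats["source_share"] = stats["sources"] / total_sources
        stats["volume_share"] = stats["packets"] / total_packets
    return per_cat


def filter_flows(flows, drop_categories, lists=LISTS):
    """Keep only flows whose source is not in one of the uninteresting categories."""
    return [(src, p) for src, p in flows if classify(src, lists) not in drop_categories]


if __name__ == "__main__":
    for cat, stats in coverage(DARKNET_FLOWS).items():
        print(f"{cat:9s} sources={stats['sources']:2d} ({stats['source_share']:.0%})"
              f" packets={stats['packets']:4d} ({stats['volume_share']:.0%})")
    kept = filter_flows(DARKNET_FLOWS, {"scanner"})
    print(f"after dropping known scanners: {len(kept)} of {len(DARKNET_FLOWS)} flows kept")
```

On the constructed sample the malicious list covers 3 of 10 sources but about 55% of the packets, while the 5 unknown sources contribute under 2% of the volume, which is the kind of asymmetry the 3%/30% result reflects. For feeds with hundreds of thousands of prefixes, the linear scan in `classify` should be replaced by a longest-prefix-match structure, but the accounting is unchanged.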

Stay tuned to our website for more news!

The COMPACT team
