Network traffic commonly conforms to one of two patterns, namely a burst of impulses or an on-going transfer of information (a step). Both these transmission characteristics are problematic in terms of traffic identification and differentiation. Burst transmission exhibits both random payload and random time intervals, whilst a step function has no particular pattern, especially when there are applications transmitting at the same payload per second. To illustrate that these transmissions become even more difficult when their characteristics change over time, we present the effect of regular periodic sampling in the standard network situation (Figure 6.6).
Figure 6.6 Discrete Fourier transform on the four applications communication; the hacker DoS attack shows up overloading all transmission payload even when the transmission is contained in the first virtual network.
[Plot: Single-Sided Amplitude Spectrum of Fast Fourier Transform of Application Bandwidth. x-axis: Frequency (Hz); y-axis: Payload (bit). Series: NetworkAirTrafficPlanner1, NetworkRadarOperator1, NetworkResourceManager1, Networkhacker.]

Figure 6.7 Discrete Fourier transform on the four applications communication; the hacker DoS attack shows up clearly using this analysis, and this allows application firewall sampling, monitoring and filtering.
[Plot: Single-Sided Amplitude Spectrum of Fast Fourier Transform of Application Bandwidth. x-axis: Frequency (Hz); y-axis: Payload. Series: CriticalNetworkAirTrafficPlanner, CriticalNetworkingRadarOperator, CriticalNetworkResourceManager, CriticalNetworkinghacker.]
As may be observed, this is ineffective in capturing detail, because each snapshot cannot model the rapidly changing traffic patterns. In contrast, a high-intensity impulse transmission is first regulated to a fixed-payload step function by a large buffer, which is then fed into the network oscillator for transmission between upper and lower payload boundaries, so that it is easily captured by a traffic sampling tool. In Figure 6.6, the DoS cyber-attack succeeds by building up network traffic congestion. The utilisation of the network oscillator means that the application transmissions in Figure 6.7 are unaffected by the cyber-attack, which can be easily removed by a selective band-pass payload filter. The previous transport protocol algorithm is designed to operate only for the benefit of its own application's connectivity and retransmission. To the hacker, retransmission presents a network weakness: it triggers out-of-bound time-window transmissions, which build up, causing a ramp-like transmission function of congestion, an exponential increase in delay time and buffer overflow. The DoS attack is much harder to separate from the normal transmission in Figure 6.7 because of its unknown high-intensity multiple-impulse transmission characteristic. This triggers the reaction just described, resulting in network congestion, which is further amplified by other application retransmissions. Targeting cyber-attacks from the original transmission traffic is nearly impossible, but is made straightforward by the network oscillator.
6.3 Conclusions
We have presented a method of critical networking by taking a new view of the process of packet transmission. Germane to our approach is the realisation of the separation between physical bandwidth and application bandwidth, coupled with the consideration of the application payload per packet. This insight permits the design of a combination of buffer, converter and flow controller that permits application layer filtering and control for the first time. This NTO allows a higher effective communication rate from servers to clients. By taking a step further than standard buffering, introducing the payload per packet ratio and the flow controller, the resonant NTO delivers a much less random packet stream. By delivering a fixed payload per packet and a more predictable response time, the method is ideal for real-time and safety-critical communication. The simulation results include Ethernet for medium access control, and so offer the prospect of near-deterministic Ethernet. This is illustrated here by application to air traffic control radar data, but the method is generic, offering any control and monitoring task the possibility of employing standard Ethernet hardware while delivering safety-critical performance.
In the past, real-time monitoring has been ineffective in network monitoring and organization, because each application only operated for its own benefit, particularly when application transmissions were totally unmanaged and unrelated. The NTO device described here offers tailored operation parameters to every application, so that each has very distinctive payload sizes and transmission patterns. We have demonstrated the first framework for the classification of network traffic by packet, payload per packet and payload per second within sensitive networks using the NTO as a hybrid firewall. Patterns are observed in the Fourier domain, using the FFT to illuminate application performance via fixed unified sampling intervals, thus revealing them without observing their overheads. This process facilitates identification of applications by their transmission characteristics (time-interval frequency) in addition to header cross-correlation (self-identified packet system). Trojans, spyware and any unauthorized application transmissions can no longer disguise themselves with fake protocol headers, because their transmission parameters are mismatched and have not been critically assigned.
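The header-versus-spectrum check described above, as an added example that is not part of the original text: each flow's payload is sampled at a fixed interval, its fundamental transmission frequency is read from the amplitude spectrum, and that frequency is compared with the rate assigned to the application its header claims. The sampling rate, window length, assigned rates, the `Updater` name and all traces are assumptions constructed for illustration.

```python
import cmath
import math

SAMPLE_HZ = 64   # fixed, unified sampling rate at the checkpoint (assumed)
N = 256          # samples per window, giving 0.25 Hz resolution (assumed)
# Hypothetical assignment table: application header -> assigned rate in Hz
ASSIGNED = {"AirTrafficPlanner": 2.0, "ResourceManager": 4.0, "RadarOperator": 8.0}

def payload_series(period, payload_bits, n=N):
    """Constructed trace: one fixed payload every `period` sampling ticks."""
    return [payload_bits if i % period == 0 else 0 for i in range(n)]

def amplitude_spectrum(x):
    """Single-sided amplitude spectrum from a direct DFT, DC bin excluded."""
    n = len(x)
    spec = {}
    for k in range(1, n // 2):
        s = sum(v * cmath.exp(-2j * math.pi * k * i / n) for i, v in enumerate(x) if v)
        spec[k * SAMPLE_HZ / n] = 2 * abs(s) / n
    return spec

def fundamental(spec):
    """Lowest frequency within half of the peak amplitude.

    An impulse train has equal-height harmonics, so the lowest strong
    bin, not the global maximum, is the transmission rate.
    """
    peak = max(spec.values())
    return min(f for f, a in spec.items() if a >= 0.5 * peak)

def check_flow(claimed_app, series, tol_hz=SAMPLE_HZ / N):
    """Compare the measured rate with the rate assigned to the claimed header."""
    measured = fundamental(amplitude_spectrum(series))
    assigned = ASSIGNED.get(claimed_app)
    if assigned is None:
        return "unassigned", measured
    return ("match" if abs(measured - assigned) <= tol_hz else "mismatch"), measured

# Constructed flows: (header the packets claim, payload-per-tick trace)
FLOWS = [
    ("AirTrafficPlanner", payload_series(32, 1200)),
    ("RadarOperator", payload_series(8, 800)),
    ("RadarOperator", payload_series(4, 800)),   # borrowed header, wrong rate
    ("Updater", payload_series(16, 100)),        # never assigned parameters
]

if __name__ == "__main__":
    for app, trace in FLOWS:
        print(app, *check_flow(app, trace))
```

The tolerance is one frequency bin, so a checkpoint using a longer window can discriminate more closely spaced assignments.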
The non-deterministic nature of the traffic is accommodated by the NTO through the use of its buffer and flow controller in tandem to generate deterministic Ethernet patterns. Ultimately, this work addresses the fundamentals of critical networking research, the main goal of which is to reduce the overhead used in Ethernet traffic. This framework allows better understanding of each component, such as the difference between payload and packets.
To enable the discrimination between applications, the NTO acts as a ZOH, and a digital filter is placed at network checkpoints to identify small variances in application transmissions. A critical network device can additionally adjust its time-interval transmission by increasing/decreasing buffer sizes and flow rate. The effect of an increase in buffer size is to increase the hold-time and the relative payload per packet during the critical transmission. An increase in flow rate increases the hold time between critical transmissions, and spontaneously increases the level of payload per packet rate of change.
We have shown the utility of the approach by network simulation, which clearly illustrated that a cyber-attacker's traffic that would normally be buried was revealed by use of the NTO. This new insight into network monitoring and security provides a toolkit for designing more complex networks, as opposed to more complex analysis tools.