PhD Defense by Thomas Papastergiou
Title: Enabling line-rate network traffic analysis and device identification in large-scale networks
Date: Friday, May 16th, 2025
Time: 10:00am - 12:00pm EST
Location: KACB 3126
Zoom: https://gatech.zoom.us/j/99423817999
Thomas Papastergiou
Ph.D. Student
School of Cybersecurity and Privacy
Georgia Institute of Technology
Committee:
Dr. Manos Antonakakis (Advisor), School of Electrical and Computer Engineering, Georgia Institute of Technology
Dr. Roberto Perdisci, School of Computing, University of Georgia
Dr. Angelos D. Keromytis, School of Electrical and Computer Engineering, Georgia Institute of Technology
Dr. Alberto Dainotti, School of Computer Science, Georgia Institute of Technology
Dr. Panagiotis Kintis, School of Electrical and Computer Engineering, Georgia Institute of Technology
Abstract:
Securing large networks requires monitoring traffic and maintaining awareness of the connected devices. As network speeds have increased greatly over the past decades, the supporting infrastructure for traffic collection and analysis has struggled to scale accordingly. As a result, security appliances such as Intrusion Detection Systems (IDS) suffer from packet loss and reduced visibility into security-relevant events. At the same time, previously proposed device mapping techniques have become less effective, because collecting and storing unsampled, high-fidelity traffic data (such as NetFlow records or full packet captures) at scale has become increasingly impractical. The steady proliferation of consumer-grade devices with potential security vulnerabilities further compounds these challenges and underscores the need to address the resulting blind spots in visibility and awareness.
This dissertation presents novel techniques designed to help network operators overcome these limitations by improving both monitoring efficiency and device visibility. First, it introduces a traffic sampling framework that reduces monitoring overhead for upstream applications by filtering out low-priority traffic streams based on their assigned security value. Designed to operate at throughputs of up to 100 Gbps on commodity hardware alone, this system leverages local network patterns and external intelligence sources to adjust its sampling strategy dynamically. Next, it presents a passive fingerprinting approach for identifying IoT devices using only DNS traffic, enabling accurate device mapping even under NAT and packet loss, without requiring impractical data captures. Finally, this thesis tackles the challenge of detecting stealthy infrastructure, focusing on consumer routers, by proposing an active fingerprinting technique that leverages port-level response behaviors, even in the absence of exposed services.
Created by: Tatianna Richardson, 05/05/2025
Last modified by: Tatianna Richardson, 05/05/2025