Examining the Impact of the Copyright Amendment Act

On the first of September this year, the New Zealand Government's Copyright Amendment Act (more colloquially known as the "Skynet law") came into effect. Briefly, the Act promises harsh penalties for Internet users who download copyrighted content illegally, culminating in the cancellation of their Internet account. This law unsurprisingly received a lot of media attention in New Zealand and there were conflicting accounts as to whether the law was having any effect on traffic levels (http://arstechnica.com/tech-policy/news/2011/09/nz-traffic-down-as-three...).

Now that it has been a while since the law has been passed, the obvious question is "what effect did the law change really have?". Using captures taken from a New Zealand ISP and the libprotoident traffic classification library, this project attempts to address this question.

26 Nov 2012

The week before I left for IMC:
* Finished my draft of the libprotoident paper for TMA. Because of the broken Auckland box, I wasn't able to re-run my analysis using the more up-to-date classification software. Instead, I've just submitted a draft based on the old results, with an eye to possibly updating them should we get accepted.
* Released a new version of libprotoident including all the new protocol rules that I'd added over the past couple of weeks.
* Started working on a little project to measure exactly how hopeless L7 Filter is for traffic classification. So many papers and tools use L7 Filter as either the basis for their rules or as ground truth for validation, which I think is a very bad idea. Hoping to get a paper out of it all. The initial phase of my evaluation involves capturing traffic from a number of common Internet applications and testing whether L7 Filter can correctly identify them. So far, it has managed to get 1/3 right :)

Spent the week before last in Boston for IMC. Managed to successfully present my paper on the Copyright Amendment Act and got a fairly good reception. Also got a chance to meet a few folks and put some faces to names. Some of the presentations were interesting, but there was also a lot of stuff that I found to be less useful (social networks lol).

29 Oct 2012

Finished up my basic analysis of the libprotoident data from last month. Wrote a blog post (that's on the front page of the website) presenting and discussing the latest results. Some pretty interesting trends are becoming apparent - the surge in HTTPS traffic and the movement towards UDP BitTorrent being the two main ones - which are begging for further investigation.

Continued looking at unknown traffic in libprotoident -- spent much of Friday investigating Korean P2P apps to try and resolve a mystery application that has a very obvious payload pattern, but had little success. Did get to watch a few Starcraft championship games though :)

Wrote and presented a practice version of my IMC talk. Got a few refinements to make but mostly I need to streamline the whole thing so I can deliver it in around 10 minutes without sounding like I'm hyped up on amphetamines.

25 Oct 2012

Updated on October 26, 2012 to reflect that the P2P_Structure category was not entirely reliable.

Introduction

Earlier this year, we managed to generate a bit of interest by studying changes in application protocol usage at one New Zealand ISP after the Copyright Amendment Act came into effect. This eventually led to a publication at IMC 2012, which can be accessed here.

One outstanding question from this work was whether the changes that we observed would persist, particularly given that there have been no notable instances of people being brought before the Copyright Tribunal and punished. Would people eventually revert back to their old methods of file-sharing or would they continue to use more obfuscated methods? Would those people that stopped file sharing return once they felt more secure in not being caught out?

With this in mind, we have updated our results with data captured from the same New Zealand ISP during September 2012, one year on from the CAA coming into force. Again, we have looked at the traffic for a subset of the ISP's DSL subscribers only. Unfortunately, we do not have detailed information about the number of subscribers using each protocol, but we do have statistics about the number of flows and bytes for each protocol (both incoming and outgoing) which we can make use of. In this blog post, I'll be comparing the most recent measurements with our earlier results to determine if anything has changed in the past few months.

23 Oct 2012

Spent a fair chunk of my week reading over various chapters from Brad and Joe's Honours reports, as well as Meenakshee's interim report.

In between times, continued poking at my recent libprotoident analysis looking at the "unknown" traffic. Managed to add quite a few new protocols to libprotoident as a result, including Runescape, Spotify, Fring, Roblox and FASP. Starting to think about a new release with all the protocols I've added over the past couple of weeks.

Also continued my analysis of the September LPI statistics - getting closer to producing some graphs and a blog post discussing the changes over the past year :)

27 Aug 2012

Managed to get the ArimaShewhart detector fully integrated into the anomaly detection system and producing "correct" results. Now started turning my attention to using Nathan's software to provide suitable input and store measurements in a database that can be queried by the presentation / graphing side of the project.

The latest 301 assignment was due on Friday, so spent a fair bit of time helping out students who were having a few pointer difficulties.

Finished a draft revised version of my IMC paper - turns out I hadn't gone over the page limit by as much as I had feared so it was relatively easy to get the paper down to a suitable length.

Fixed a bug in libtrace relating to the use of Linux native on loopback interfaces that was reported by Asad. Might be time to think about a new release soon.

20 Aug 2012

Marked the first 301 assignment. Generally, the students did really well - hopefully because of my teaching skills. Managed to run out of pre-prepared lectures, so spent a bit of time working on next week's lecture.

Started working on the camera-ready version of my IMC paper. Added quite a bit of content to address the review comments - now I just need to edit it all down to fit under the page limit.

Finished writing the C++ version of my Arima-Shewhart anomaly detector. Tracked down and fixed a few bugs in the Arima forecasting portion of the detector - now the forecasts match those produced by the original Python scripts.

30 Jul 2012

My IMC paper on the effect of the Copyright Amendment Act was accepted! However, it looks like I have a fair bit of work to do on it, mainly softening the conclusions. The reviewers felt the results suggested, but did not prove, that the CAA was the cause of the observed behaviour, which I feel is a fair response.

It was a case of one step forwards, two steps back with the event detection this week. I had added a new dataset to my testing, only to run into an old problem where a sharp change in the time series would cause the ARIMA modelling to perform undesirably. A large residual would enter the prediction calculations, which would cause the next prediction to be way off, which would cause a new large residual to enter the calculations, etc. etc.

Instead, I adjusted the ARIMA modelling to only use a small proportion of large residuals when updating the model. The proportion was calculated using a logarithmic algorithm, so that very large residuals would use a much smaller proportion. This resulted in a much better model that responded to change in the time series in a slower and smoother manner.

Previously, the response was very rapid and we detected events by looking for a single large residual (because the model would adapt so quickly, we usually only got one shot at seeing the change). Now, we tend to get several large (but much smaller than before) residuals as the predictive model slowly caught up with the change in traffic level produced by the event. Unfortunately, this meant that all of my event detection rules I had developed over the past month were useless, but I've been able to quickly adapt to the new approach and am getting results that aren't too different from what I was getting before I made this change.

One benefit of this change that I'm still investigating is that the smoother modelling may mean that we can drop the wavelet transform step. This was used to smooth the original data to remove random noise but had the downside of requiring over 20 measurements ahead to produce the smoothed value for a single point. In practical terms, this meant I couldn't report an event until 20 or more minutes after it had happened (assuming minutely measurements). If this works, I can report events much closer to the time that they happen.
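The effect of damping large residuals, as an added illustration that is not the author's detector code. The post does not give the logarithmic formula, so the one in `damped()` is an assumption, as are the ARIMA(0,1,1)-style forecaster, the constants and the constructed step series.

```python
import math

ALPHA = 0.95        # assumed smoothing weight (1 - theta of an ARIMA(0,1,1) model)
SIGMA = 2.0         # assumed typical residual size for the constructed series
LIMIT = 3 * SIGMA   # Shewhart-style control limit applied to residuals

def damped(residual, limit=LIMIT):
    """Return the share of a residual that is allowed to update the model.

    Assumed formula: residuals inside the limit are used in full; beyond it
    the proportion is 1 / (1 + ln(|r| / limit)), so the proportion keeps
    shrinking as the residual grows.
    """
    ratio = abs(residual) / limit
    if ratio <= 1.0:
        return residual
    return residual / (1.0 + math.log(ratio))

def residuals(series, damp):
    """One-step-ahead residuals; each residual feeds the next forecast."""
    forecast = series[0]
    out = []
    for y in series[1:]:
        r = y - forecast
        out.append(r)
        forecast += ALPHA * (damped(r) if damp else r)
    return out

def alarm_count(res, limit=LIMIT):
    """Number of residuals that fall outside the control limit."""
    return sum(1 for r in res if abs(r) > limit)

# Constructed series: a steady level of 100, then a sharp step to 200.
STEP = [100.0] * 20 + [200.0] * 20

if __name__ == "__main__":
    for label, damp in (("undamped", False), ("damped", True)):
        res = residuals(STEP, damp)
        big = [round(r, 1) for r in res if abs(r) > LIMIT]
        print(f"{label:9s} alarms={alarm_count(res)} residuals={big}")
```

On the step, the undamped model absorbs the change after a single out-of-limit residual, while the damped model produces a run of shrinking out-of-limit residuals as it catches up, so detection rules have to look for a run rather than a single point.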

23 Apr 2012

Finished up the proof-of-concept CAPWAP parser. ITS seemed pretty happy with the results so far, so I will probably be asked to develop a production version at some stage.

Turned my thoughts back to anomaly detection in noisy time series data. Measuring the autocorrelation of errors suggested that Holt-Winters forecasting alone was unlikely to be useful for our purposes in the long run. Started learning about using wavelets to denoise the data so that forecasting techniques might work better. I'm part of the way there -- I can apply a couple of wavelet transformations and get smoother data but I seem to start adding noise if I go any further than that.

Was interviewed by Radio NZ on the topic of my research into Internet usage following the CAA act.

Had a good chat with Sam Russell from REANNZ on Tuesday when he and Steve Cotter came to visit the group.

27 Feb 2012

Re-ran my CAA analysis using the updated libprotoident and updated the results in my paper accordingly.

Made a few tweaks to libtcpcsm, based on suggestions from a user. Looking towards rolling out a new release soon.

Set up a build environment for BSOD client on BIGMAC. This took a bit longer than expected due to the move to Xcode 4. Managed to find and fix a bug in libwandevent that was preventing looping input from working properly. Also got the client building and running on tkn as well after a painful Windows 7 + Visual Studio install.

Finished the week by adding WASD movement back into BSOD client and an option to the server that forces it to wait for a client to connect before reading from the input source.

20 Feb 2012

Spent most of my week working on the draft version of the paper on the effect of the CAA on DSL users. Finished the draft on Friday, having included plenty of (hopefully) interesting results. Anyone interested in reading over the paper should get in touch with me and I will give you a copy.

Patched libtrace to support --with-foo configure options for all the optional dependencies. Apparently this is a bit of an issue with some Linux distros, e.g. Gentoo.

Released a new version of BSOD server on Friday to fix a crash issue that was occurring with recent libprotoident releases.

Spent some time looking at traffic that was being classed as SSL by libprotoident. Turns out that, with a bit of port and payload size analysis, I can sub-classify the SSL as Google talk, Apple push notifications, Facebook chat, PSN store, POP3S and NNTPS.

13 Feb 2012

Started working on a paper describing the results of the study I presented at NZNOG. Managed to write half of a "short" paper so far, so making reasonably good progress.

Made the necessary changes to the libtrace CCR paper and submitted a final version. One of the reviewers wanted to see more stats from the performance testing but I didn't have space to put it in. I suggested that if the editor was able to grant me more space I would include the stats.

Seemed to have a busy week supporting various software: libtrace, libprotoident etc. Glad to see plenty of people using these libraries :)

07 Feb 2012

Worked on collecting some more numbers measuring the impact of the CAA, with an eye towards writing a paper on the topic. The number of users doing P2P has also dropped dramatically, with rises in the expected categories too (such as tunneling).

Looking at the results more closely, I decided that the HTTP_P2P classification was proving to be incorrect more often than not, so traffic matching that is now treated as web rather than P2P. This change should have only a minor effect on the numbers I had presented at NZNOG.

The libtrace paper was accepted for publication in CCR. This was my fifth attempt to publish that particular paper, so pretty pleased to finally get that one done.

02 Feb 2012

Donald Clark discussed the Copyright Amendment Act study that I presented at NZNOG 2012 on Radio New Zealand: National's Nine to Noon program this morning. He did an excellent job of summarising our results and the conclusions that can be drawn from them.

Anyone who would like to listen to Donald's segment can find it here. The discussion of our work begins around 9:30 but I would recommend listening to the whole segment if you have the time.

31 Jan 2012

At NZNOG 2012, I presented some slides showing a decrease of P2P traffic following the Copyright Amendment Act coming into effect in New Zealand in September 2011. By contrast, the same analysis showed a significant increase in Tunneling, FTP and Remote Access traffic. These results generated a lot of interest, so I am using this blog post to discuss our methodology and results in more detail.

31 Jan 2012

Last Friday, I presented a talk at NZNOG 2012 about libprotoident and presented some results showing the impact of the Copyright Amendment Act on New Zealand residential DSL usage.

The slide set from this talk has been attached to this blog post for anyone who missed the talk or wishes to look over the results in more detail.

Feel free to get in touch with me if you have any questions or comments about libprotoident or the results presented in the talk.