7 research outputs found

    Risk analysis of information-leakage through interest packets in NDN

    Information leakage is one of the most important security issues in the current Internet. In Named Data Networking (NDN), Interest names introduce novel vulnerabilities that can be exploited. Malware installed inside a network can use Interest names to encode critical information (embedded steganographically) and leak it out of the network by generating anomalous Interest traffic. This name-based threat does not exist in IP networks, and it is essential to address it in order to secure the NDN architecture. This paper performs a risk analysis of information leakage in NDN. We first describe the vulnerabilities of Interest names and, as countermeasures, propose a name-based filter using search engine information and another filter using a one-class Support Vector Machine (SVM). We collected URLs from the data repository provided by Common Crawl and evaluate the performance of our per-packet filters. We show that our filters can drastically choke the throughput of information leakage, which makes anomalous Interest traffic easier to detect. It is therefore possible to mitigate information leakage in NDN networks, which is a strong incentive for future deployment of this architecture at Internet scale.

    Network-Based Detection and Prevention System against DNS-Based Attacks

    Individuals and organizations rely on the Internet as an essential environment for personal and business transactions. However, they have also become primary targets of attacks that steal sensitive data. Adversaries use different approaches to hide their activity inside a compromised network and to communicate covertly between malicious servers and victims. The domain name system (DNS) protocol is one such approach: adversaries use it to transfer stolen data out of the organization's network through various forms of DNS tunneling. The main reason for targeting DNS is that it is available in almost every network, largely ignored, and rarely monitored. The primary aim of this work is to design a reliable and robust network-based detection system against DNS-based attacks using visualization, machine learning techniques, and statistical analysis. The solution acts as a DNS proxy server that provides DNS service as well as detection and prevention of DNS-based attacks, whether they are embedded in malware or used as stand-alone attack tools. The detection system works in two modes, real-time and offline. The real-time mode relies on the Payload Analysis (PA) module developed in this work; the offline mode relies on two further contributed modules, the visualization and Traffic Analysis (TA) modules. We conducted various experiments to test and evaluate the detection system against simulated real-world attacks. Overall, it achieved an accuracy of 99.8% with a false-negative rate of zero. To validate the method, we compared it against the open-source Snort intrusion detection system (IDS), evaluating both systems with a confusion matrix (recall, false-negative rate, accuracy, and other metrics). The detection system detected every attack scenario, while Snort missed 50% of the performed attacks. Based on these results, we conclude that the detection system is a significant and original improvement over present methods for detecting and preventing DNS-based attacks.
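    The abstract describes a real-time Payload Analysis module but not its features. The following is an added example, not the dissertation's code: a minimal per-query payload analysis over a constructed DNS query log, scoring the attacker-controlled subdomain part by length, longest label and Shannon entropy. The feature set, the thresholds and the "last two labels are the registrable domain" rule are assumptions made for this example; a real deployment would derive thresholds from its own baseline and use a public-suffix list.

```python
import math
from collections import Counter

# Constructed DNS query log (not from the dissertation): the subdomain part is
# what a tunnel tool controls, so that is what the features are computed on.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn-static.example.net",
    "update.software-vendor.example",
    # Constructed tunnel-like names: long, high-entropy labels carrying data.
    "nbswy3dpeb3w64tmmqqhe2lpjzsxe4tbnrqw4mdzeb2gs3dfmzsxi.t.example.com",
    "gezdgnbvgy3tqojqgeztgnbvgy3tqojqge.ztgnbvgy3tqojqgeztgnbvgy.t.example.com",
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4.t.example.com",
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def payload_features(qname: str) -> dict:
    """Features of the attacker-controlled part of a query name. The last two
    labels are treated as the registrable domain and dropped (an assumption;
    a public-suffix list is needed for names such as co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    sub = labels[:-2] if len(labels) > 2 else []
    payload = "".join(sub)
    digits = sum(ch.isdigit() for ch in payload)
    return {
        "payload_len": len(payload),
        "label_count": len(sub),
        "max_label_len": max((len(l) for l in sub), default=0),
        "entropy": shannon_entropy(payload),
        "digit_ratio": digits / len(payload) if payload else 0.0,
    }


def is_tunnel_like(qname: str, max_payload: int = 40, max_label: int = 30,
                   min_entropy: float = 3.5) -> bool:
    """Rule-based verdict. Thresholds are assumptions chosen for this example,
    not the dissertation's values; tune them on your own baseline traffic."""
    f = payload_features(qname)
    if f["payload_len"] > max_payload or f["max_label_len"] > max_label:
        return True
    # Shorter names are only flagged when the label text looks like encoded
    # data (high entropy) rather than a word such as "mail" or "cdn-static".
    return f["payload_len"] >= 20 and f["entropy"] > min_entropy


def scan(queries) -> list:
    """Return the queries that the payload analysis flags."""
    return [q for q in queries if is_tunnel_like(q)]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        f = payload_features(q)
        print(f"{'TUNNEL' if is_tunnel_like(q) else 'ok    '} "
              f"len={f['payload_len']:3d} maxlabel={f['max_label_len']:3d} "
              f"H={f['entropy']:.2f} {q}")
```

    Per-query rules like these are what a proxy can apply in real time; they will false-positive on legitimate services that use long random-looking labels (CDNs, some anti-virus update checks), which is why an allow-list of such domains and the offline traffic-analysis view (query rate and volume per domain) belong alongside them.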

    Name Filter: A Countermeasure against Information Leakage Attacks in Named Data Networking

    Named Data Networking (NDN) has emerged as a future networking architecture with the potential to replace the Internet. To do so, NDN needs to cope with inherent problems of the Internet, such as attacks that cause information leakage from an enterprise. Since NDN has not yet been deployed on a large scale, it is currently unknown how such attacks can occur, let alone what countermeasures can be taken against them. In this study, we first show that information leakage in NDN can be caused by malware inside an enterprise that uses steganography to produce malicious Interest names encoding confidential information. We investigate such attacks using a content name dataset based on uniform resource locators (URLs) collected by a web crawler. Our main contribution is a name filter based on anomaly detection that takes the dataset as input and classifies a name in an Interest as legitimate or not. Our evaluation shows that malware can exploit the path part of a URL-based NDN name to create malicious names; thus, information leakage in NDN cannot be prevented completely. However, we illustrate for the first time that our filter can dramatically choke the leakage throughput, making the malware 137 times less efficient at leaking information. This finding opens up an interesting avenue of research that could result in a safer future networking architecture.
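    Both NDN abstracts above argue the same two points: a name filter built from a crawled URL dataset can block names with fabricated path components, yet leakage cannot be stopped completely. The following added example (not the papers' code) makes both concrete on a constructed four-entry name dataset. The exact-prefix allow-list stands in for the papers' anomaly-detection and SVM filters, and base32 is an assumed concrete encoding for the steganographic names the abstracts describe only in general terms. It also shows the residual channel the filter cannot close: choosing which legitimate name to request still leaks log2(N) bits per Interest. The slowdown factor it reports is for this toy dataset and does not reproduce the paper's 137x figure.

```python
import base64
import math

# Constructed reference dataset of legitimate NDN names derived from URLs.
# The paper builds its dataset from a web crawl; these entries are made up.
KNOWN_NAMES = sorted({
    "/com/example/www/index.html",
    "/com/example/www/news/2020/report.pdf",
    "/org/example/mail/inbox",
    "/net/example/cdn/js/app.js",
})


def known_prefixes(names) -> set:
    """Every name prefix at every component depth (/com, /com/example, ...)."""
    prefixes = set()
    for n in names:
        parts = n.strip("/").split("/")
        for i in range(1, len(parts) + 1):
            prefixes.add("/" + "/".join(parts[:i]))
    return prefixes


PREFIXES = known_prefixes(KNOWN_NAMES)


def name_filter(name: str) -> bool:
    """Simplified per-Interest filter, an assumption standing in for the
    paper's anomaly detector: a name passes only if the crawl has seen it
    (or a longer name it is a prefix of), so fabricated components fail."""
    return name in PREFIXES


def encode_in_path(secret: bytes, host_prefix: str, chunk: int = 20) -> list:
    """Direct leak as described in the abstract: each Interest carries a
    chunk of the secret as a fabricated path component under a real host.
    base32 is an assumed concrete encoding."""
    return [
        host_prefix + "/" + base64.b32encode(secret[i:i + chunk]).decode().rstrip("=").lower()
        for i in range(0, len(secret), chunk)
    ]


BITS_PER_CHOICE = int(math.log2(len(KNOWN_NAMES)))  # 2 bits for 4 names


def encode_by_selection(secret: bytes) -> list:
    """Residual channel the filter cannot close: the malware leaks bits by
    choosing WHICH legitimate name to request, log2(N) bits per Interest."""
    bits = "".join(f"{b:08b}" for b in secret)
    bits += "0" * (-len(bits) % BITS_PER_CHOICE)
    return [KNOWN_NAMES[int(bits[i:i + BITS_PER_CHOICE], 2)]
            for i in range(0, len(bits), BITS_PER_CHOICE)]


def decode_by_selection(names: list, nbytes: int) -> bytes:
    """Receiver side of the selection channel: map each requested name back
    to its index in the shared name list and reassemble the bit string."""
    if nbytes == 0:
        return b""
    bits = "".join(f"{KNOWN_NAMES.index(n):0{BITS_PER_CHOICE}b}" for n in names)
    return int(bits[:nbytes * 8], 2).to_bytes(nbytes, "big")


def compare_throughput(secret: bytes, host_prefix: str, chunk: int = 20) -> dict:
    """Bits of secret per Interest with the direct encoding (no filter) and
    with the selection channel (all that the filter still lets through)."""
    direct = encode_in_path(secret, host_prefix, chunk)
    passed = [n for n in direct if name_filter(n)]
    selected = encode_by_selection(secret)
    return {
        "direct_interests": len(direct),
        "direct_passed_filter": len(passed),
        "direct_bits_per_interest": len(secret) * 8 / len(direct),
        "residual_interests": len(selected),
        "residual_bits_per_interest": len(secret) * 8 / len(selected),
        "slowdown": len(selected) / len(direct),
    }


if __name__ == "__main__":
    print(compare_throughput(bytes(range(40)), "/com/example/www"))
```

    With the constructed dataset, two direct Interests of 160 bits each are both rejected, while the same 40 bytes need 160 legitimate-looking Interests through the selection channel, an 80-fold slowdown. The residual rate grows only logarithmically with the number of legitimate names, which is why the papers speak of choking rather than preventing leakage, and why the resulting burst of Interests becomes easier to detect as anomalous traffic.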

    Analysing and visualising data sets of cybercrime investigations using structured occurrence nets

    Ph.D. thesis. Structured Occurrence Nets (SONs) are a Petri net based formalism for portraying the behaviour of complex evolving systems. As a concept, SONs are derived from Occurrence Nets (ONs). SONs provide a powerful framework for the analysis of evolving systems and are supported by the existing SONCraft toolset. Meanwhile, the modelling of cybercrime investigations has become of interest in recent years, and large-scale criminal investigations have come to be regarded as complex evolving systems; they currently present a significant challenge for police investigators and analysts. This thesis contributes to addressing this challenge in two ways: (i) by presenting an algorithm and an implemented tool that visualise data sets using maximal concurrency; and (ii) by detecting DNS tunnelling through a novel SON-based technique and tool. Moreover, the theoretical contribution of this thesis focuses on model extensions and abstraction; in particular, it introduces a new class of SONs based on multi-coloured tokens.

    A Comparative Performance Evaluation of DNS Tunneling Tools

    DNS tunnels are built with dedicated tools that embed data in DNS queries and responses. Each tool has its own approach to building tunnels over DNS, and each approach affects network performance differently. In this paper, we propose a brief architectural analysis of the current state of the art in DNS tunneling tools. Then we propose the first comparative analysis of such tools in terms of performance, as a first step towards relating each tool to a characteristic behavior of DNS traffic. To this end, we define an assessment of the tools in three different network configurations with three different performance metrics. We finally summarize the most interesting results and provide some considerations on the performance of each tool.