96 research outputs found

    Network-aware Active Wardens in IPv6

    Every day the world grows more and more dependent on digital communication. Technologies like e-mail or the World Wide Web that not so long ago were considered experimental, have first become accepted and then indispensable tools of everyday life. New communication technologies built on top of the existing ones continuously race to provide newer and better functionality. Even established communication media like books, radio, or television have become digital in an effort to avoid extinction. In this torrent of digital communication a constant struggle takes place. On one hand, people, organizations, companies and countries attempt to control the ongoing communications and subject them to their policies and laws. On the other hand, there oftentimes is a need to ensure and protect the anonymity and privacy of the very same communications. Neither side in this struggle is necessarily noble or malicious. We can easily imagine that in presence of oppressive censorship two parties might have a legitimate reason to communicate covertly. And at the same time, the use of digital communications for business, military, and also criminal purposes gives equally compelling reasons for monitoring them thoroughly. Covert channels are communication mechanisms that were never intended nor designed to carry information. As such, they are often able to act "below" the notice of mechanisms designed to enforce security policies. Therefore, using covert channels it might be possible to establish a covert communication that escapes notice of the enforcement mechanism in place. Any covert channel present in digital communications offers a possibility of achieving a secret, and therefore unmonitored, communication. There have been numerous studies investigating possibilities of hiding information in digital images, audio streams, videos, etc.
We turn our attention to the covert channels that exist in the digital networks themselves, that is in the digital communication protocols. Currently, one of the most ubiquitous protocols in deployment is the Internet Protocol version 4 (IPv4). Its universal presence and range make it an ideal candidate for covert channel investigation. However, IPv4 is approaching the end of its dominance as its address space nears exhaustion. This imminent exhaustion of IPv4 address space will soon force a mass migration towards Internet Protocol version 6 (IPv6) expressly designed as its successor. While the protocol itself is already over a decade old, its adoption is still in its infancy. The low acceptance of IPv6 results in an insufficient understanding of its security properties. We investigated the protocols forming the foundation of the next generation Internet, Internet Protocol version 6 (IPv6) and Internet Control Message Protocol (ICMPv6) and found numerous covert channels. In order to properly assess their capabilities and performance, we built cctool, a comprehensive covert channel tool. Finally, we considered countermeasures capable of defeating discovered covert channels. For this purpose we extended the previously existing notions of active wardens to equip them with the knowledge of the surrounding network and allow them to more effectively fulfill their role

    IPv6: a new security challenge

    Master's thesis in Information Security, presented to the Universidade de Lisboa, through the Faculdade de Ciências, 2011. Internet Protocol version 6 (IPv6) was developed to solve some of the problems not addressed by its predecessor, Internet Protocol version 4 (IPv4), namely issues related to security and to the available address space. Over the last decade, many have studied the investments required for its adoption and the right moment for it to be adopted by all players in the market. Recently, the problem of the exhaustion of the public addresses made available by the various Regional Internet Registries (RIRs) prompted the entities involved to speed up the migration from IPv4 to IPv6. Unlike IPv4, this new version treats security as a fundamental objective of its implementation; accordingly, the use of the IPsec protocol at the network layer is recommended. However, owing to the immaturity of the protocol and the complexity of this transition period, there are numerous security implications that must be considered during this migration period. The main objective of this work is to define a set of good security practices for IPv6 deployment that can be used by data network administrators and by the security teams of the various players in the market. In this transition phase, it is useful and appropriate to contribute efficiently to the interpretation of the strengths of this new protocol as well as the vulnerabilities associated with it. IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon.
Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 Security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition for IPv6 seems inevitable this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers’ networks

    Machine and deep learning techniques for detecting internet protocol version six attacks: a review

    The rapid development of information and communication technologies has increased the demand for internet-facing devices that require publicly accessible internet protocol (IP) addresses, resulting in the depletion of internet protocol version 4 (IPv4) address space. As a result, internet protocol version 6 (IPv6) was designed to address this issue. However, IPv6 is still not widely used because of security concerns. An intrusion detection system (IDS) is one example of a security mechanism used to secure networks. Lately, the use of machine learning (ML) or deep learning (DL) detection models in IDSs is gaining popularity due to their ability to detect threats on IPv6 networks accurately. However, there is an apparent lack of studies that review ML and DL in IDS. Even the existing reviews of ML and DL fail to compare those techniques. Thus, this paper comprehensively elucidates ML and DL techniques and IPv6-based distributed denial of service (DDoS) attacks. Additionally, this paper includes a qualitative comparison with other related works. Moreover, this work also thoroughly reviews the existing ML and DL-based IDSs for detecting IPv6 and IPv4 attacks. Lastly, researchers could use this review as a guide in the future to improve their work on DL and ML-based IDS

    A Deep Learning Based Approach To Detect Covert Channels Attacks and Anomaly In New Generation Internet Protocol IPv6

    The increased dependence on internet-based technologies in all facets of life challenges the government and policymakers with the need for an effective shield mechanism against passive and active violations. Following up with the Qatar National Vision 2030 activities and its goals for “Achieving Security, stability and maintaining public safety” objectives, the present paper aims to propose a model for safeguarding information and monitoring internet communications effectively. The current study utilizes a deep learning based approach for detecting malicious communications in the network traffic. Considering the efficiency of deep learning in data analysis and classification, a convolutional neural network model was proposed. The suggested model is equipped for detecting attacks in IPv6. The performance of the proposed detection algorithm was validated using a number of datasets, including a newly created dataset. The performance of the model was evaluated for covert channel and DDoS attack detection in IPv6 and for anomaly detection. The performance assessment produced an accuracy of 100%, 85% and 98% for covert channel detection, DDoS detection and anomaly detection respectively. The project put forward a novel approach for detecting suspicious communications in the network traffic

    DYST (Did You See That?): An Amplified Covert Channel That Points To Previously Seen Data

    Covert channels are unforeseen and stealthy communication channels that enable manifold adversary scenarios. However, they can also allow the exchange of confidential information by journalists. All covert channels described until now therefore need to craft seemingly legitimate information flows for their information exchange, mimicking unsuspicious behavior. In this paper, we present DYST, which represents a new class of covert channels we call history covert channels jointly with the new paradigm of covert channel amplification. History covert channels can communicate almost exclusively by pointing to unaltered legitimate traffic created by regular network nodes. Only a negligible fraction of the covert communication process requires the transfer of actual covert channel information by the covert channel's sender. This allows, for the first time, an amplification of the covert channel's message size, i.e., minimizing the fraction of actually transferred secret data by a covert channel's sender in relation to the overall secret data being exchanged. We extend the current taxonomy for covert channels to show how history channels can be categorized. We describe multiple scenarios in which history covert channels can be realized, theoretically analyze the characteristics of these channels and show how their configuration can be optimized for different implementations. We further evaluate the robustness and detectability of history covert channels. Comment: 18 pages, rev

    Steganography in IPV6

    Steganography is the process of hiding a secret message within another message such that it is difficult to detect the presence of the secret message. In other words, the existence of the secret message is hidden. A covert channel refers to the actual medium that is used to communicate the information such as a message, image, or file. This honors thesis uses steganography within the source address fields of Internet Protocol Version 6 (IPv6) packets to create a covert channel through which clandestine messages are passed from one party to another. A fully functional computer program was designed and written that transparently embeds messages into the source address fields of packets and decodes embedded messages from these packets across IPv6 networks. This demonstrates the possibility of a covert channel within a protocol that will eventually be the default Internet protocol. This channel could be used for a malicious purpose such as stealing encryption keys, passwords, or other secrets from remote hosts in a manner not easily detectable, but it could also be used for a noble cause such as passing messages secretly under the watchful eyes of an oppressive regime. The demonstration of the covert channel in itself increases the overall information security of society by bringing awareness to the existence of such a steganographic medium

    Análisis de esteganografía sobre el protocolo IPv6 como alternativa para una comunicación segura de datos.

    The objective of this research work was to design a steganographic mechanism in the IPv6 protocol. An analysis of its architecture and characteristics was carried out in order to establish encrypted communication, leading up to the deployment of two test scenarios in which the mechanism was implemented and its functionality validated. Experimental and applied research was used; by means of simulation tools such as GNS3, VIRTUALBOX and KALI-LINUX with the WIRESHARK application, two scenarios were implemented that demonstrated the use and application of the DNS and SIP protocols using IPv6 at the network layer. Two characteristics of the protocol were exploited: the autoconfiguration capability of the interface ID portion (random 64-bit and EUI-64) with a /64 mask, and the large number of available addresses. A steganogram was then designed in the global unicast address of the senders, which facilitated the embedding of hidden messages between two or more nodes. To evaluate the mechanism, the parameters of steganographic capacity, probability of detectability, steganographic cost and robustness were considered. The hypothesis test of this research took the probability of detectability as the appropriate variable on which the decision criterion was based. The Student's t statistical distribution was used to test the stated hypothesis, and it was concluded that “there is statistical evidence that the proportion of IPv6 addresses used in the steganography mechanism has a detection probability of less than 50% at a significance level of 5%”. Finally, a steganographic mechanism was presented that used the substitution technique, based on the “Modify with caution” paradigm, on IPv6 addresses, with a maximum capacity of 1792 characters using 256 addresses.
The present research work had as its objective to design a steganographic mechanism in the IPv6 protocol. An analysis of its architecture and its characteristics was carried out to establish an encrypted communication, until reaching the deployment of two test scenarios where the mechanism was implemented and its functionality was validated. An experimental and applicative kind of research was used; through simulation tools like GNS3, VIRTUALBOX and KALI-LINUX with the application WIRESHARK, two scenarios which proved the use and application of the DNS and SIP protocols using IPV6 in the network layer were implemented. Two of the characteristics that the protocol has were seized upon: the autoconfiguration capacity of the portion of the interface ID (aleatory of 64 bits and EUI-64) with a mask /64 and the great amount of possible addresses. Then a steganogram in the unicast global address of the emitters was designed, which made easy the embedding of hidden messages between two or more nodes. For the evaluation of the mechanism the steganographic capacity parameters, the detectability probability, the steganographic cost and sturdiness were considered. The hypothesis test of this research considered the detectability probability as a suitable variable, on which the decision criterion was based. The statistical distribution T-student was used for the demonstration of the hypothesis raised and it was concluded that “there is statistical evidence that the proportion of IPv6 addresses used in the steganogram mechanism has a detection probability less than 50% with a level of significance of 5%”. Finally, a steganographic mechanism was presented, which used the substitution technique based on the paradigm “Modify with caution” in the IPv6 addresses with a maximum capacity of 1792 characters using 256 addresses

    ICMPv6 Echo Request Ddos Attack Detection Framework Using Backpropagation Neural Network

    The rapid growth of the Internet in recent years has exposed the address space limits of the current Internet protocol (IP), namely IPv4. The increasing demand for IP addresses has resulted in the exhaustion of IPv4 addresses, as anticipated. To address this concern, the new IPv6 was developed to provide sufficient address space. IPv6 comes with a new protocol, namely Internet Control Message Protocol version 6 (ICMPv6), and this new protocol opens the door for attackers to attack IPv6 networks. One of the most frequent types of attack in IPv6 networks at the network layer is the ICMPv6 DoS/DDoS flooding attack. The Arbor Network report of 2014 showed that threats against IPv6 are increasing (72% are traffic floods/DDoS attacks). In addition, ICMPv6 is a mandatory protocol in IPv6 networks, unlike in IPv4, where ICMP can be blocked or dropped at the default gateway. The rapid growth of the Internet in the last few years has exposed the limitation of address space in the current Internet protocol (IP), namely IPv4, due to the increasing consumption of IP addresses. IPv6 has been developed to provide sufficient address space. It ships with a new protocol, i.e., the Internet Control Message Protocol version 6 (ICMPv6); this protocol is a mandatory protocol in IPv6 networks, unlike in IPv4, in which ICMP can be blocked or dropped. ICMPv6 opens the door for attackers to attack IPv6 networks. The most frequent type of attack in IPv6 networks at the network layer is an ICMPv6 DDoS flooding attack. One of the main problems in ICMPv6 DDoS flooding attacks is detection accuracy, which suffers from a high false alarm rate. Thus, protecting infrastructure service is a critical issue that urgently needs to be addressed
