Limiting DNS covert channels and network validated DNS

Despite the variety and number of network security devices and policies available, sensitive data, such as intellectual property and business data, can still be surreptitiously sent via the Internet to unscrupulous receivers. Furthermore, few security mechanisms address securing or limiting covert channels. This study defines a framework for determining a rule set to minimize covert channel capacity on the DNS protocol specifically. The information and techniques used in this study may be useful in aiding security professionals and developers with enforcing security policies on DNS and other Internet protocols.;This research resulted in the development of a rudimentary tool, referred to as NV-DNS, capable of detecting and effectively limiting the capability of covert channels in DNS communication packets

SnapCatch: Automatic Detection of Covert Timing Channels Using Image Processing and Machine Learning

With the rapid growth of data exfiltration carried out by cyber attacks, Covert Timing Channels (CTC) have become an imminent network security risk that continues to grow in both sophistication and utilization. These types of channels utilize inter-arrival times to steal sensitive data from the targeted networks. CTC detection relies increasingly on machine learning techniques, which utilize statistical-based metrics to separate malicious (covert) traffic flows from the legitimate (overt) ones. However, given the efforts of cyber attacks to evade detection and the growing column of CTC, covert channels detection needs to improve in both performance and precision to detect and prevent CTCs and mitigate the reduction of the quality of service caused by the detection process. In this article, we present an innovative image-based solution for fully automated CTC detection and localization. Our approach is based on the observation that the covert channels generate traffic that can be converted to colored images. Leveraging this observation, our solution is designed to automatically detect and locate the malicious part (i.e., set of packets) within a traffic flow. By locating the covert parts within traffic flows, our approach reduces the drop of the quality of service caused by blocking the entire traffic flows in which covert channels are detected. We first convert traffic flows into colored images, and then we extract image-based features for detection covert traffic. We train a classifier using these features on a large data set of covert and overt traffic. This approach demonstrates a remarkable performance achieving a detection accuracy of 95.83% for cautious CTCs and a covert traffic accuracy of 97.83% for 8 bit covert messages, which is way beyond what the popular statistical-based solutions can achieve

Application of information theory and statistical learning to anomaly detection

In today\u27s highly networked world, computer intrusions and other attacks area constant threat. The detection of such attacks, especially attacks that are new or previously unknown, is important to secure networks and computers. A major focus of current research efforts in this area is on anomaly detection.;In this dissertation, we explore applications of information theory and statistical learning to anomaly detection. Specifically, we look at two difficult detection problems in network and system security, (1) detecting covert channels, and (2) determining if a user is a human or bot. We link both of these problems to entropy, a measure of randomness information content, or complexity, a concept that is central to information theory. The behavior of bots is low in entropy when tasks are rigidly repeated or high in entropy when behavior is pseudo-random. In contrast, human behavior is complex and medium in entropy. Similarly, covert channels either create regularity, resulting in low entropy, or encode extra information, resulting in high entropy. Meanwhile, legitimate traffic is characterized by complex interdependencies and moderate entropy. In addition, we utilize statistical learning algorithms, Bayesian learning, neural networks, and maximum likelihood estimation, in both modeling and detecting of covert channels and bots.;Our results using entropy and statistical learning techniques are excellent. By using entropy to detect covert channels, we detected three different covert timing channels that were not detected by previous detection methods. Then, using entropy and Bayesian learning to detect chat bots, we detected 100% of chat bots with a false positive rate of only 0.05% in over 1400 hours of chat traces. Lastly, using neural networks and the idea of human observational proofs to detect game bots, we detected 99.8% of game bots with no false positives in 95 hours of traces. Our work shows that a combination of entropy measures and statistical learning algorithms is a powerful and highly effective tool for anomaly detection

Teleoperation of passivity-based model reference robust control over the internet

This dissertation offers a survey of a known theoretical approach and novel experimental results in establishing a live communication medium through the internet to host a virtual communication environment for use in Passivity-Based Model Reference Robust Control systems with delays. The controller which is used as a carrier to support a robust communication between input-to-state stability is designed as a control strategy that passively compensates for position errors that arise during contact tasks and strives to achieve delay-independent stability for controlling of aircrafts or other mobile objects. Furthermore the controller is used for nonlinear systems, coordination of multiple agents, bilateral teleoperation, and collision avoidance thus maintaining a communication link with an upper bound of constant delay is crucial for robustness and stability of the overall system. For utilizing such framework an elucidation can be formulated by preparing site survey for analyzing not only the geographical distances separating the nodes in which the teleoperation will occur but also the communication parameters that define the virtual topography that the data will travel through. This survey will first define the feasibility of the overall operation since the teleoperation will be used to sustain a delay based controller over the internet thus obtaining a hypothetical upper bound for the delay via site survey is crucial not only for the communication system but also the delay is required for the design of the passivity-based model reference robust control. Following delay calculation and measurement via site survey, bandwidth tests for unidirectional and bidirectional communication is inspected to ensure that the speed is viable to maintain a real-time connection. Furthermore from obtaining the results it becomes crucial to measure the consistency of the delay throughout a sampled period to guarantee that the upper bound is not breached at any point within the communication to jeopardize the robustness of the controller. Following delay analysis a geographical and topological overview of the communication is also briefly examined via a trace-route to understand the underlying nodes and their contribution to the delay and round-trip consistency. To accommodate the communication channel for the controller the input and output data from both nodes need to be encapsulated within a transmission control protocol via a multithreaded design of a robust program within the C language. The program will construct a multithreaded client-server relationship in which the control data is transmitted. For added stability and higher level of security the channel is then encapsulated via an internet protocol security by utilizing a protocol suite for protecting the communication by authentication and encrypting each packet of the session using negotiation of cryptographic keys during each session

ToR K-Anonymity against deep learning watermarking attacks

It is known that totalitarian regimes often perform surveillance and censorship of their communication networks. The Tor anonymity network allows users to browse the Internet anonymously to circumvent censorship filters and possible prosecution. This has made Tor an enticing target for state-level actors and cooperative state-level adversaries, with privileged access to network traffic captured at the level of Autonomous Systems(ASs) or Internet Exchange Points(IXPs). This thesis studied the attack typologies involved, with a particular focus on traffic correlation techniques for de-anonymization of Tor endpoints. Our goal was to design a test-bench environment and tool, based on recently researched deep learning techniques for traffic analysis, to evaluate the effectiveness of countermeasures provided by recent ap- proaches that try to strengthen Tor’s anonymity protection. The targeted solution is based on K-anonymity input covert channels organized as a pre-staged multipath network. The research challenge was to design a test-bench environment and tool, to launch active correlation attacks leveraging traffic flow correlation through the detection of in- duced watermarks in Tor traffic. To de-anonymize Tor connection endpoints, our tool analyses intrinsic time patterns of Tor synthetic egress traffic to detect flows with previ- ously injected time-based watermarks. With the obtained results and conclusions, we contributed to the evaluation of the security guarantees that the targeted K-anonymity solution provides as a countermeasure against de-anonymization attacks.Já foi extensamente observado que em vários países governados por regimes totalitários existe monitorização, e consequente censura, nos vários meios de comunicação utilizados. O Tor permite aos seus utilizadores navegar pela internet com garantias de privacidade e anonimato, de forma a evitar bloqueios, censura e processos legais impostos pela entidade que governa. Estas propriedades tornaram a rede Tor um alvo de ataque para vários governos e ações conjuntas de várias entidades, com acesso privilegiado a extensas zonas da rede e vários pontos de acesso à mesma. Esta tese realiza o estudo de tipologias de ataques que quebram o anonimato da rede Tor, com especial foco em técnicas de correlação de tráfegos. O nosso objetivo é realizar um ambiente de estudo e ferramenta, baseada em técnicas recentes de aprendizagem pro- funda e injeção de marcas de água, para avaliar a eficácia de contramedidas recentemente investigadas, que tentam fortalecer o anonimato da rede Tor. A contramedida que pre- tendemos avaliar é baseada na criação de multi-circuitos encobertos, recorrendo a túneis TLS de entrada, de forma a acoplar o tráfego de um grupo anonimo de K utilizadores. A solução a ser desenvolvida deve lançar um ataque de correlação de tráfegos recorrendo a técnicas ativas de indução de marcas de água. Esta ferramenta deve ser capaz de correla- cionar tráfego sintético de saída de circuitos Tor, realizando a injeção de marcas de água à entrada com o propósito de serem detetadas num segundo ponto de observação. Aplicada a um cenário real, o propósito da ferramenta está enquadrado na quebra do anonimato de serviços secretos fornecidos pela rede Tor, assim como os utilizadores dos mesmos. Os resultados esperados irão contribuir para a avaliação da solução de anonimato de K utilizadores mencionada, que é vista como contramedida para ataques de desanonimi- zação

No NAT'd User left Behind: Fingerprinting Users behind NAT from NetFlow Records alone

It is generally recognized that the traffic generated by an individual connected to a network acts as his biometric signature. Several tools exploit this fact to fingerprint and monitor users. Often, though, these tools assume to access the entire traffic, including IP addresses and payloads. This is not feasible on the grounds that both performance and privacy would be negatively affected. In reality, most ISPs convert user traffic into NetFlow records for a concise representation that does not include, for instance, any payloads. More importantly, large and distributed networks are usually NAT'd, thus a few IP addresses may be associated to thousands of users. We devised a new fingerprinting framework that overcomes these hurdles. Our system is able to analyze a huge amount of network traffic represented as NetFlows, with the intent to track people. It does so by accurately inferring when users are connected to the network and which IP addresses they are using, even though thousands of users are hidden behind NAT. Our prototype implementation was deployed and tested within an existing large metropolitan WiFi network serving about 200,000 users, with an average load of more than 1,000 users simultaneously connected behind 2 NAT'd IP addresses only. Our solution turned out to be very effective, with an accuracy greater than 90%. We also devised new tools and refined existing ones that may be applied to other contexts related to NetFlow analysis

Defending the SCADA Network Controlling the Electrical Grid from Advanced Persistent Threats

RÉSUMÉ Les civilisations modernes sont dépendantes des technologies de l'information et des communications. Par ce fait, elles requièrent une alimentation constante en électricité pour assurer leur prospérité. Un siècle de travaux acharnés par des ingénieurs en électronique de puissance permet de garantir la fiabilité des réseaux électriques. Un des outils pour arriver à cette fin est une augmentation de l'automatisation et du contrôle à distance des réseaux électriques. Cette technologie permet aux contrôleurs qui opèrent le réseau électrique d'ajuster automatiquement des paramètres opérationnels pour faire face aux contraintes extérieures au fur et à mesure que ces contraintes évoluent. Par exemple, une augmentation de la demande suite à une vague de froid va automatiquement entraîner une augmentation de l'approvisionnement par l'envoi de commandes à distance pour ouvrir les vannes à la centrale hydroélectrique et faire tourner les turbines plus rapidement. Ceci garanti que le réseau électrique fonctionne toujours à pleine capacité et livre l'énergie électrique avec fiabilité, sans égard aux conditions externes. Paradoxalement, les gains offerts par les systèmes automatisés ont introduit un risque jusqu'alors inconnu à la fiabilité du réseau électrique : les cyber attaques. Pour permettre l'automatisation, les opérateurs de réseaux électriques se sont tournés vers la technologie d'acquisition de données et de supervision, mieux connu sous le nom de système SCADA. De nos jours, la technologie SCADA se base sur du matériel et des logiciels commerciaux comme les communications TCP/IP via Ethernet ou comme le système d'exploitation Windows. Ceci permet aux entités malicieuses de faire usage de leur savoir concernant les techniques offensives qu'ils ont développé pour attaquer les systèmes traditionnels faisant usage de ces technologies. La majorité de ces entités sont des menaces diffuses cherchant principalement à acquérir de la capacité de stockage servant à héberger du contenu illégal, du temps machine pour envoyer du spam ou des mots de passe pour permettre la fraude. Cet objectif est plus facile à atteindre en attaquant des ordinateurs personnels plutôt que des machines d'un réseau SCADA. Toutefois, certains acteurs ciblent délibérément les réseaux SCADA puisque ceux-ci ont le potentiel de causer des dégâts dans le monde physique. Ces acteurs recherchent agressivement les vulnérabilités et persévèrent dans leurs attaques, même face à une amélioration de la capacité défensive du réseau. Ces acteurs se font affubler le qualificatif de menaces persistantes avancées ou APTs. À cause de cette volonté de cibler un réseau spécifique, il est plus difficile de détourner ces attaquants vers d'autres victimes. Si nous souhaitons empêcher ces APTs de s'attaquer aux réseaux SCADA qui contrôlent l'infrastructure critique, nous devons élaborer une stratégie qui ne repose pas sur la réduction complète des vulnérabilités. Un bon nombre de contraintes opérationnelles, comme le mode d'opération 24/7 qui rend la tenue de périodes de maintenance difficile, garantissent qu'il y aura toujours au moins une vulnérabilité potentiellement exploitable par un attaquant. Dans ce contexte, l'objectif de ce projet de recherche est d'aider les opérateurs de réseaux électriques à défendre leur réseau SCADA contre les menaces persistantes avancées. Pour atteindre cet objectif, nous visons à mieux comprendre comment le comportement des menaces persistantes avancées se manifeste dans un réseau SCADA et à développer, en se basant sur des preuves expérimentales, de nouveaux outils et techniques pour se défendre contre les comportements attendus. En analysant les travaux antérieurs, on reconnaît que la vraie nature d'un réseau SCADA est de servir de boucle de contrôle pour le réseau électrique. Une conséquence directe est que tout attaquant qui obtient accès au réseau SCADA peut altérer l'état du réseau électrique à sa guise. Si un APT voudrait poursuivre ce but, la recherche actuelle en sécurité des réseau SCADA ne parviendrait pas à prévenir cette attaque puisqu'elle n'est pas orientée vers stopper les attaquants hautement qualifiés. Ceci rend les réseaux SCADA invitants pour les états engagés dans une compétition agressive. Malgré cela, aucun cyber incident majeur causant des dégâts physiques n'est répertorié à ce jour. En se basant sur cette observation, nous avons développé un modèle d'attaque pour le comportement d'un APT dans un réseau SCADA qui n'implique pas nécessairement des dommages massifs dans le monde physique. Ainsi, nous avons introduit le scénario d'attaque par trou d'aiguilles, notre première contribution majeure, dans lequel un attaquant cause de petits dégâts qui s'accumulent sur une longue période pour éviter d'être détecté. À partir de ce scénario, nous avons développé une stratégie consistant à augmenter la capacité de surveillance, c'est-à-dire de renforcer la puissance de la détection, pour prévenir l'utilisation de ce scénario d'attaque par les APTs. En se basant sur notre intuition que la détection d'intrusion par anomalie sera particulièrement efficace dans le contexte hautement régulier d'un réseau SCADA, l'utilisation de cette technique est favorisée. Pour tester les capacités de notre détecteur, nous devons adresser le problème du manque d'infrastructures expérimentales adaptées à la recherche en sécurité des réseaux SCADA. Une revue de la littérature montre que les approches expérimentales courantes ne sont pas appropriées pour générer des données réseau avec une haute fidélité. Pour résoudre ce problème, nous avons introduit le concept du Carré de sable ICS, notre deuxième contribution majeure, qui utilise une approche hybride combinant la haute fidélité des résultats de l'émulation et le facteur d'échelle et le faible coût de la simulation pour créer un montage expérimental capable de produire des données réseau de haute fidélité, adaptées à l'usage expérimental. Finalement, nous avons été en mesure de tester une implémentation d'un système de détection d'intrusion par anomalies, notre troisième contribution majeure, en utilisant le Carré de sable ICS. En utilisant des caractéristiques simples, il est possible de détecter du trafic de commandement et contrôle dans un réseau SCADA, ce qui force les attaquant à utiliser pour leurs opérations routinières de maintenance de complexes canaux cachés dont la bande passante est limitée. Ceci atteste de la validité de notre intuition selon laquelle la détection par anomalie est particulièrement efficace dans les réseaux SCADA, revitalisant par le fait même une technique de défense qui a longtemps été délaissée à cause de sa piètre performance dans les réseaux corporatifs typiques. La somme de ces contributions représente une amélioration significative de l'état de la défense des réseaux SCADA contre les menaces persistantes avancées, incluant les menaces en provenance des services de renseignement étatiques. Ceci contribue à une augmentation de la fiabilité des infrastructure critiques, et des réseaux électriques en particulier, face à un intérêt grandissant de la part des cyber attaquants.----------ABSTRACT Modern civilization, with its dependency on information technology, require a steady supply of electrical power to prosper. A century of relentless work by power engineers has ensured that the power grid is reliable. One of tools they used to achieve that goal is increased automation and remote control of the electrical grid. This technology allows the controllers supervising the power grid to automatically adjust operational parameters to meet external constraints as they evolve. A new surge in demand from a cold night will trigger an automated increase in supply. Remote control commands will be sent to open sluice gates at the hydroelectric plant to make turbines spin faster and generate more power. This ensures the electric grid always functions at peak efficiency and reliably deliver power no matter what the external conditions are. Paradoxically, the gains provided by the automated systems invited a previously unknown risk to the reliability of power delivery: cyber attacks. In order to achieve automation, utility operators have turned to Supervisory Control and Data Acquisition, or SCADA, technology. In this era, SCADA technology is built on top of commercial off the shelf hardware and software such as TCP/IP over Ethernet networks and Windows operating system. This enables malicious entities to leverage their pre-existing knowledge of offensive techniques known to work on these platform to attack the SCADA networks controlling critical infrastructure. Of those entities, the majority are unfocused attackers searching for commodity assets such as storage capacity to store illegal materials, processing power to send spam or credentials to enable fraud. However, some actors are deliberatively targeting the SCADA networks for their ability to cause damage in the physical realm. These actors aggressively search for vulnerabilities and are stubborn in the face of an increase in defensive measures and are dubbed advanced persistent threats, or APTs. As such, it is more difficult to turn them away. If we want to prevent these advanced persistent threats from preying on the SCADA networks controlling our critical infrastructure, we need to devise a defense that does not rely on completely removing vulnerabilities. A number of operational constraints, such as the need to operate 24/7 precluding the opening of maintenance windows, ensure that there will always be a vulnerability that can be exploited by an attacker. In that light, the goal of this research project is to is to help power grid operators defend their SCADA networks against advanced persistent threats. To achieve that goal we aim to better understand how the behaviour of advanced persistent threats will manifest itself in a SCADA network and to develop, based on evidence derived from experiments, new tools and techniques to defeat the expected behaviour. By analyzing prior work, we recognize that the true nature of SCADA networks is to serve as a basic control loop for the electric grid. A direct consequence is that any attacker gaining access to the SCADA network could send the grid into any state he wishes. We also showed that, should advanced persistent threats attempt to pursue this goal, current research in SCADA security would not provide significant help, not being focused on preventing the exploitation of SCADA network by skilled attackers. This makes SCADA networks attractive to nation states engaged in aggressively competitive behaviour. However, no evidence of major cyber incidents causing physical damage is forthcoming. From that observation, we developed an attacker model for advanced persistent threat behaviour in SCADA networks that did not necessarily involve causing massive physical damage. So, we introduced the pinprick attack scenario, our first major contribution, in which an attacker causes small amounts of damage that accumulate over time in order to stay under the radar. From this scenario, we developed a strategy of increasing the capability of surveillance, or boosting the radar so to speak, in order to prevent advanced persistent threats from using this scenario. The use of anomaly-based intrusion detection was favored based on our intuition that it would prove very effective in the highly regimented context of SCADA networks. To test the capability of our detector, we needed to address the lack of experimental infrastructure suitable for network security. However, a study of the literature shows that current experimental approaches are not appropriate to generate high fidelity network data. To solve this problem, we introduced the ICS sandbox concept, our second major contribution, that used a hybrid approach combining the high fidelity results of emulation and the scalability and cost reduction of simulation to create an experimental setup able to produce high fidelity network data sets for experimentation. Finally, we were able to test an implementation of anomaly-based intrusion detection, our third major contribution, using the ICS sandbox. Using only simple features, it was possible to detect command and control traffic in a SCADA network and push attackers to use complex covert channels with limited bandwidth to perform their routine maintenance operations. This attests to the validity of our intuition that anomaly-based detection is particularly effective in SCADA network, revivifying a defensive technique that suffers from poor performance in typical corporate networks. The sum of these contributions represent a significant improvement in the defense of SCADA networks against advanced persistent threats, including threats from nation state sponsored intelligence agencies. This contributes to the increased reliability of critical infrastructure, and of the electrical grid in particular, in the face of an increasing interest by cyber attackers