Traffic generator for firewall testing

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2009Includes bibliographical references (leaves: 52-56)Text in English; Abstract: Turkish and Englishix, 92 leavesFirewalls lead at the front line of a computer network to restrict unauthorized access. The desired security level is determined by a policy and implemented by a firewall which not only has to be effective but also stable and reliable service is expected. In order to verify the level of security of the system, testing is required. The objective of this thesis is to test a firewall with software testing techniques taking into consideration the nominated policy and the firewall. Iptables software was examined and tested by two different algorithms that were modified according to software testing techniques, and the results were observed. Packets sent through the Firewall Under Test (FUT) are compared to packets passed through the FUT and test results were observed. The security performance of the modified algorithms proved to be successful

Performance Evaluation of Optimized Predictive Model for Software Defined Network Traffic Management using Machine Learning

Communication channel is essential in any type of engagement for delivering and receiving data via the internet. To determine the most efficient and safe way through which network data may travel while minimizing the danger of network breaches or cyber-attacks. The objective is to build an optimized network traffic management predictive model that can predict the ideal path in real-time while accounting through the dynamic nature of software defined network traffic and the continuously changing danger of landscaping. To design a robust model of the data and scalable system that can suggest accurate suggestions of route to the network managers, a thorough grasp of network’s infrastructure, data analysis, and machine learning techniques are applied. Choosing the optimum path route data from the sdn based network traffic dataset, the model suggests an optimal path to avoid network communication traffic and congestion. Here nine Machine Learning algorithms are explored and analysed their performance by using the percentage split, resampling and cross validation which originally recorded as 92.76% and after training with cross validation it improved to 98.40% providing the best optimal path with minimum congestions. Building the optimized network traffic management model not only provide network security but also contribute to environmental sustainability. Their capacity to properly filter and manage network traffic helps to decrease energy usage by predicting the optimal routes for software defined network traffic

Context transfer support for mobility management in all-IP networks.

This thesis is a description of the research undertaken in the course of the PhD and evolves around a context transfer protocol which aims to complement and support mobility management in next generation mobile networks. Based on the literature review, it was identified that there is more to mobility management than handover management and the successful change of routing paths. Supportive mechanisms like fast handover, candidate access router discovery and context transfer can significantly contribute towards achieving seamless handover which is especially important in the case of real time services. The work focused on context transfer motivated by the fact that it could offer great benefits to session re-establishment during the handover operation of a mobile user and preliminary testbed observations illustrated the need for achieving this. Context transfer aims to minimize the impact of certain transport, routing, security-related services on the handover performance. When a mobile node (MN) moves to a new subnet it needs to continue such services that have already been established at the previous subnet. Examples of such services include AAA profile, IPsec state, header compression, QoS policy etc. Re-establishing these services at the new subnet will require a considerable amount of time for the protocol exchanges and as a result time- sensitive real-time traffic will suffer during this time. By transferring state to the new domain candidate services will be quickly re-established. This would also contribute to the seamless operation of application streams and could reduce susceptibility to errors. Furthermore, re-initiation to and from the mobile node will be avoided hence wireless bandwidth efficiency will be conserved. In this research an extension to mobility protocols was proposed for supporting state forwarding capabilities. The idea of forwarding states was also explored for remotely reconfiguring middleboxes to avoid any interruption of a mobile users' sessions or services. Finally a context transfer module was proposed to facilitate the integration of such a mechanism in next generation architectures. The proposals were evaluated analytically, via simulations or via testbed implementation depending on the scenario investigated. The results demonstrated that the proposed solutions can minimize the impact of security services like authentication, authorization and firewalls on a mobile user's multimedia sessions and thus improving the overall handover performance

Automated Approaches for Program Verification and Repair

Formal methods techniques, such as verification, analysis, and synthesis,allow programmers to prove properties of their programs, or automatically derive programs from specifications. Making such techniques usable requires care: they must provide useful debugging information, be scalable, and enable automation. This dissertation presents automated analysis and synthesis techniques to ease the debugging of modular verification systems and allow easy access to constraint solvers from functional code. Further, it introduces machine learning based techniques to improve the scalability of off-the-shelf syntax-guided synthesis solvers and techniques to reduce the burden of network administrators writing and analyzing firewalls. We describe the design and implementationof a symbolic execution engine, G2, for non-strict functional languages such as Haskell. We extend G2 to both debug and automate the process of modular verification, and give Haskell programmers easy access to constraints solvers via a library named G2Q. Modular verifiers, such as LiquidHaskell, Dafny, and ESC/Java,allow programmers to write and prove specifications of their code. When a modular verifier fails to verify a program, it is not necessarily because of an actual bug in the program. This is because when verifying a function f, modular verifiers consider only the specification of a called function g, not the actual definition of g. Thus, a modular verifier may fail to prove a true specification of f if the specification of g is too weak. We present a technique, counterfactual symbolic execution, to aid in the debugging of modular verification failures. The approach uses symbolic execution to find concrete counterexamples, in the case of an actual inconsistency between a program and a specification; and abstract counterexamples, in the case that a function specification is too weak. Further, a counterexample-guided inductive synthesis (CEGIS) loop based technique is introduced to fully automate the process of modular verification, by using found counterexamples to automatically infer needed function specifications. The counterfactual symbolic execution and automated specification inference techniques are implemented in G2, and evaluated on existing LiquidHaskell errors and programs. We also leveraged G2 to build a library, G2Q, which allows writing constraint solving problemsdirectly as Haskell code. Users of G2Q can embed specially marked Haskell constraints (Boolean expressions) into their normal Haskell code, while marking some of the variables in the constraint as symbolic. Then, at runtime, G2Q automatically derives values for the symbolic variables that satisfy the constraint, and returns those values to the outside code. Unlike other constraint solving solutions, such as directly calling an SMT solver, G2Q uses symbolic execution to unroll recursive function definitions, and guarantees that the use of G2Q constraints will preserve type correctness. We further consider the problem of synthesizing functions viaa class of tools known as syntax-guided synthesis (SyGuS) solvers. We introduce a machine learning based technique to preprocess SyGuS problems, and reduce the space that the solver must search for a solution in. We demonstrate that the technique speeds up an existing SyGuS solver, CVC4, on a set of SyGuS solver benchmarks. Finally, we describe techniques to ease analysis and repair of firewalls.Firewalls are widely deployed to manage network security. However, firewall systems provide only a primitive interface, in which the specification is given as an ordered list of rules. This makes it hard to manually track and maintain the behavior of a firewall. We introduce a formal semantics for iptables firewall rules via a translation to first-order logic with uninterpreted functions and linear integer arithmetic, which allows encoding of firewalls into a decidable logic. We then describe techniques to automate the analysis and repair of firewalls using SMT solvers, based on user provided specifications of the desired behavior. We evaluate this approach with real world case studies collected from StackOverflow users

Framework For Modeling Attacker Capabilities with Deception

In this research we built a custom experimental range using opensource emulated and custom pure honeypots designed to detect or capture attacker activity. The focus is to test the effectiveness of a deception in its ability to evade detection coupled with attacker skill levels. The range consists of three zones accessible via virtual private networking. The first zone houses varying configurations of opensource emulated honeypots, custom built pure honeypots, and real SSH servers. The second zone acts as a point of presence for attackers. The third zone is for administration and monitoring. Using the range, both a control and participant-based experiment were conducted. We conducted control experiments to baseline and empirically explore honeypot detectability amongst other systems through adversarial testing. We executed a series of tests such as network service sweep, enumeration scanning, and finally manual execution. We also selected participants to serve as cyber attackers against the experiment range of varying skills having unique tactics, techniques and procedures in attempting to detect the honeypots. We have concluded the experiments and performed data analysis. We measure the anticipated threat by presenting the Attacker Bias Perception Profile model. Using this model, each participant is ranked based on their overall threat classification and impact. This model is applied to the results of the participants which helps align the threat to likelihood and impact of a honeypot being detected. The results indicate the pure honeypots are significantly difficult to detect. Emulated honeypots are grouped in different categories based on the detection and skills of the attackers. We developed a framework abstracting the deceptive process, the interaction with system elements, the use of intelligence, and the relationship with attackers. The framework is illustrated by our experiment case studies and the attacker actions, the effects on the system, and impact to the success

Unknown Threat Detection With Honeypot Ensemble Analsyis Using Big Datasecurity Architecture

The amount of data that is being generated continues to rapidly grow in size and complexity. Frameworks such as Apache Hadoop and Apache Spark are evolving at a rapid rate as organizations are building data driven applications to gain competitive advantages. Data analytics frameworks decomposes our problems to build applications that are more than just inference and can help make predictions as well as prescriptions to problems in real time instead of batch processes. Information Security is becoming more important to organizations as the Internet and cloud technologies become more integrated with their internal processes. The number of attacks and attack vectors has been increasing steadily over the years. Border defense measures (e.g. Intrusion Detection Systems) are no longer enough to identify and stop attackers. Data driven information security is not a new approach to solving information security; however there is an increased emphasis on combining heterogeneous sources to gain a broader view of the problem instead of isolated systems. Stitching together multiple alerts into a cohesive system can increase the number of True Positives. With the increased concern of unknown insider threats and zero-day attacks, identifying unknown attack vectors becomes more difficult. Previous research has shown that with as little as 10 commands it is possible to identify a masquerade attack against a user\u27s profile. This thesis is going to look at a data driven information security architecture that relies on both behavioral analysis of SSH profiles and bad actor data collected from an SSH honeypot to identify bad actor attack vectors. Honeypots should collect only data from bad actors; therefore have a high True Positive rate. Using Apache Spark and Apache Hadoop we can create a real time data driven architecture that can collect and analyze new bad actor behaviors from honeypot data and monitor legitimate user accounts to create predictive and prescriptive models. Previously unidentified attack vectors can be cataloged for review

Project BeARCAT : Baselining, Automation and Response for CAV Testbed Cyber Security : Connected Vehicle & Infrastructure Security Assessment

Connected, software-based systems are a driver in advancing the technology of transportation systems. Advanced automated and autonomous vehicles, together with electrification, will help reduce congestion, accidents and emissions. Meanwhile, vehicle manufacturers see advanced technology as enhancing their products in a competitive market. However, as many decades of using home and enterprise computer systems have shown, connectivity allows a system to become a target for criminal intentions. Cyber-based threats to any system are a problem; in transportation, there is the added safety implication of dealing with moving vehicles and the passengers within

Building a Secure Software Supply Chain

Nowadays more and more companies use agile software development to build software in short release cycles. Monolithic applications are split into microservices, which can independently be maintained and deployed by agile teams. Modern platforms like Docker support this process. Docker offers services to containerize such services and orchestrate them in a container cluster. A software supply chain is the umbrella term for the process of developing, automated building and testing, as well as deploying a complete application. By combining a software supply chain and Docker, those processes can be automated in standardized environments. Since Docker is a young technology and software supply chains are critical processes in organizations, security needs to be reviewed. In this work a software supply chain based on Docker is built and a threat modeling process is used to assess its security. The main components are modeled and threats are identified using STRIDE. Afterwards risks are calculated and methods to secure the software supply chain based on security objectives confidentiality, integrity and availability are discussed. As a result, some components require special treatments in security context since they have a high residual risk of being targeted by an attacker. This work can be used as basis to build and secure the main components of a software supply chain. However additional components such as logging, monitoring as well as integration into existing business processes need to be reviewed.Heutzutage nutzen mehr und mehr Firmen agile Softwareentwicklung, um Software in kurzen Release-Zyklen zu entwickeln. Monotlithische Anwendungen werden in Microservices aufgeteilt, welche unabhängig voneinander erstellt und veröffentlicht werden können. Moderne Plattformen wie Docker unterstützen diesen Prozess. Docker bietet Dienste an, um solche Anwendungen in Container zu verpacken und sie auf Container Clustern zu orchestrieren. Eine Software Supply Chain ist der Überbegriff für den Prozess der Herstellung, des automatisierten Bauens und Testens, sowie der Veröffentlichung von Software. Durch die Kombination aus Software Supply Chains und Docker können diese Prozesse in standardisierten Umgebungen automatisiert werden. Da Docker eine junge Technologie ist und Software Supply Chains einen kritischen Prozess im Unternehmen darstellen, muss zunächst die Sicherheit überprüft werden. In dieser Arbeit wird Bedrohungsmodellierung verwendet, um eine Software Supply Chain auf Basis von Docker zu bauen und abzusichern. Die Hauptkomponenten werden modelliert und Bedrohungen mit Hilfe von STRIDE identifiziert. Daraufhin werden Risiken berechnet und Möglichkeiten diskutiert, die Software Supply Chain auf Basis der Sicherheitsziele Vertraulichkeit, Integrität und Verfügbarkeit abzusichern. Als Resultat dieser Arbeit stellte sich heraus, dass einige Komponenten eine spezielle Behandlung im Sicherheitskontext benötigen, da sie über ein hohes Restrisiko verfügen, Ziel eines Angriffes zu werden. Diese Arbeit kann als Basis für den Bau und die Absicherung einer Software Supply Chain genutzt werden. Jedoch müssen zusätzliche Komponenten, wie beispielsweise ein Monitoring- und Logging-Prozess, oder die Integration in bestehende Business-Prozesse überprüft werden

On Security and Privacy for Networked Information Society : Observations and Solutions for Security Engineering and Trust Building in Advanced Societal Processes

Our society has developed into a networked information society, in which all aspects of human life are interconnected via the Internet — the backbone through which a significant part of communications traffic is routed. This makes the Internet arguably the most important piece of critical infrastructure in the world. Securing Internet communications for everyone using it is extremely important, as the continuing growth of the networked information society relies upon fast, reliable and secure communications. A prominent threat to the security and privacy of Internet users is mass surveillance of Internet communications. The methods and tools used to implement mass surveillance capabilities on the Internet pose a danger to the security of all communications, not just the intended targets. When we continue to further build the networked information upon the unreliable foundation of the Internet we encounter increasingly complex problems,which are the main focus of this dissertation. As the reliance on communication technology grows in a society, so does the importance of information security. At this stage, information security issues become separated from the purely technological domain and begin to affect everyone in society. The approach taken in this thesis is therefore both technical and socio-technical. The research presented in this PhD thesis builds security in to the networked information society and provides parameters for further development of a safe and secure networked information society. This is achieved by proposing improvements on a multitude of layers. In the technical domain we present an efficient design flow for secure embedded devices that use cryptographic primitives in a resource-constrained environment, examine and analyze threats to biometric passport and electronic voting systems, observe techniques used to conduct mass Internet surveillance, and analyze the security of Finnish web user passwords. In the socio-technical domain we examine surveillance and how it affects the citizens of a networked information society, study methods for delivering efficient security education, examine what is essential security knowledge for citizens, advocate mastery over surveillance data by the targeted citizens in the networked information society, and examine the concept of forced trust that permeates all topics examined in this work.Yhteiskunta, jossa elämme, on muovautunut teknologian kehityksen myötä todelliseksi tietoyhteiskunnaksi. Monet verkottuneen tietoyhteiskunnan osa-alueet ovat kokeneet muutoksen tämän kehityksen seurauksena. Tämän muutoksen keskiössä on Internet: maailmanlaajuinen tietoverkko, joka mahdollistaa verkottuneiden laitteiden keskenäisen viestinnän ennennäkemättömässä mittakaavassa. Internet on muovautunut ehkä keskeisimmäksi osaksi globaalia viestintäinfrastruktuuria, ja siksi myös globaalin viestinnän turvaaminen korostuu tulevaisuudessa yhä enemmän. Verkottuneen tietoyhteiskunnan kasvu ja kehitys edellyttävät vakaan, turvallisen ja nopean viestintäjärjestelmän olemassaoloa. Laajamittainen tietoverkkojen joukkovalvonta muodostaa merkittävän uhan tämän järjestelmän vakaudelle ja turvallisuudelle. Verkkovalvonnan toteuttamiseen käytetyt menetelmät ja työkalut eivät vain anna mahdollisuutta tarkastella valvonnan kohteena olevaa viestiliikennettä, vaan myös vaarantavat kaiken Internet-liikenteen ja siitä riippuvaisen toiminnan turvallisuuden. Kun verkottunutta tietoyhteiskuntaa rakennetaan tämän kaltaisia valuvikoja ja haavoittuvuuksia sisältävän järjestelmän varaan, keskeinen uhkatekijä on, että yhteiskunnan ydintoiminnot ovat alttiina ulkopuoliselle vaikuttamiselle. Näiden uhkatekijöiden ja niiden taustalla vaikuttavien mekanismien tarkastelu on tämän väitöskirjatyön keskiössä. Koska työssä on teknisen sisällön lisäksi vahva yhteiskunnallinen elementti, tarkastellaan tiukan teknisen tarkastelun sijaan aihepiirä laajemmin myös yhteiskunnallisesta näkökulmasta. Tässä väitöskirjassa pyritään rakentamaan kokonaiskuvaa verkottuneen tietoyhteiskunnan turvallisuuteen, toimintaan ja vakauteen vaikuttavista tekijöistä, sekä tuomaan esiin uusia ratkaisuja ja avauksia eri näkökulmista. Työn tavoitteena on osaltaan mahdollistaa entistä turvallisemman verkottuneen tietoyhteiskunnan rakentaminen tulevaisuudessa. Teknisestä näkökulmasta työssä esitetään suunnitteluvuo kryptografisia primitiivejä tehokkaasti hyödyntäville rajallisen laskentatehon sulautetuviiille järjestelmille, analysoidaan biometrisiin passeihin, kansainväliseen passijärjestelmään, sekä sähköiseen äänestykseen kohdistuvia uhkia, tarkastellaan joukkovalvontaan käytettyjen tekniikoiden toimintaperiaatteita ja niiden aiheuttamia uhkia, sekä tutkitaan suomalaisten Internet-käyttäjien salasanatottumuksia verkkosovelluksissa. Teknis-yhteiskunnallisesta näkökulmasta työssä tarkastellaan valvonnan teoriaa ja perehdytään siihen, miten valvonta vaikuttaa verkottuneen tietoyhteiskunnan kansalaisiin. Lisäksi kehitetään menetelmiä parempaan tietoturvaopetukseen kaikilla koulutusasteilla, määritellään keskeiset tietoturvatietouden käsitteet, tarkastellaan mahdollisuutta soveltaa tiedon herruuden periaatetta verkottuneen tietoyhteiskunnan kansalaisistaan keräämän tiedon hallintaan ja käyttöön, sekä tutkitaan luottamuksen merkitystä yhteiskunnan ydintoimintojen turvallisuudelle ja toiminnalle, keskittyen erityisesti pakotetun luottamuksen vaikutuksiin