75 research outputs found
FAIR: Forwarding Accountability for Internet Reputability
This paper presents FAIR, a forwarding accountability mechanism that
incentivizes ISPs to apply stricter security policies to their customers. The
Autonomous System (AS) of the receiver specifies a traffic profile that the
sender AS must adhere to. Transit ASes on the path mark packets. In case of
traffic profile violations, the marked packets are used as a proof of
misbehavior.
FAIR introduces low bandwidth overhead and requires no per-packet and no
per-flow state for forwarding. We describe integration with IP and demonstrate
a software switch running on commodity hardware that can switch packets at a
line rate of 120 Gbps, and can forward 140M minimum-sized packets per second,
limited by the hardware I/O subsystem.
Moreover, this paper proposes a "suspicious bit" for packet headers - an
application that builds on top of FAIR's proofs of misbehavior and flags
packets to warn other entities in the network.Comment: 16 pages, 12 figure
Adaptive Response System for Distributed Denial-of-Service Attacks
The continued prevalence and severe damaging effects of the Distributed Denial of Service (DDoS)
attacks in today’s Internet raise growing security concerns and call for an immediate response to come
up with better solutions to tackle DDoS attacks. The current DDoS prevention mechanisms are usually
inflexible and determined attackers with knowledge of these mechanisms, could work around them.
Most existing detection and response mechanisms are standalone systems which do not rely on
adaptive updates to mitigate attacks. As different responses vary in their “leniency” in treating
detected attack traffic, there is a need for an Adaptive Response System.
We designed and implemented our DDoS Adaptive ResponsE (DARE) System, which is a
distributed DDoS mitigation system capable of executing appropriate detection and mitigation
responses automatically and adaptively according to the attacks. It supports easy integrations for both
signature-based and anomaly-based detection modules. Additionally, the design of DARE’s individual
components takes into consideration the strengths and weaknesses of existing defence mechanisms,
and the characteristics and possible future mutations of DDoS attacks. These components consist of an
Enhanced TCP SYN Attack Detector and Bloom-based Filter, a DDoS Flooding Attack Detector and
Flow Identifier, and a Non Intrusive IP Traceback mechanism. The components work together
interactively to adapt the detections and responses in accordance to the attack types. Experiments
conducted on DARE show that the attack detection and mitigation are successfully completed within
seconds, with about 60% to 86% of the attack traffic being dropped, while availability for legitimate
and new legitimate requests is maintained. DARE is able to detect and trigger appropriate responses in
accordance to the attacks being launched with high accuracy, effectiveness and efficiency.
We also designed and implemented a Traffic Redirection Attack Protection System (TRAPS), a
stand-alone DDoS attack detection and mitigation system for IPv6 networks. In TRAPS, the victim
under attack verifies the authenticity of the source by performing virtual relocations to differentiate the
legitimate traffic from the attack traffic. TRAPS requires minimal deployment effort and does not
require modifications to the Internet infrastructure due to its incorporation of the Mobile IPv6
protocol. Experiments to test the feasibility of TRAPS were carried out in a testbed environment to
verify that it would work with the existing Mobile IPv6 implementation. It was observed that the
operations of each module were functioning correctly and TRAPS was able to successfully mitigate an
attack launched with spoofed source IP addresses
Provenance-enabled Packet Path Tracing in the RPL-based Internet of Things
The interconnection of resource-constrained and globally accessible things
with untrusted and unreliable Internet make them vulnerable to attacks
including data forging, false data injection, and packet drop that affects
applications with critical decision-making processes. For data trustworthiness,
reliance on provenance is considered to be an effective mechanism that tracks
both data acquisition and data transmission. However, provenance management for
sensor networks introduces several challenges, such as low energy, bandwidth
consumption, and efficient storage. This paper attempts to identify packet drop
(either maliciously or due to network disruptions) and detect faulty or
misbehaving nodes in the Routing Protocol for Low-Power and Lossy Networks
(RPL) by following a bi-fold provenance-enabled packed path tracing (PPPT)
approach. Firstly, a system-level ordered-provenance information encapsulates
the data generating nodes and the forwarding nodes in the data packet.
Secondly, to closely monitor the dropped packets, a node-level provenance in
the form of the packet sequence number is enclosed as a routing entry in the
routing table of each participating node. Lossless in nature, both approaches
conserve the provenance size satisfying processing and storage requirements of
IoT devices. Finally, we evaluate the efficacy of the proposed scheme with
respect to provenance size, provenance generation time, and energy consumption.Comment: 14 pages, 18 Figure
RIDES: Robust Intrusion Detection System for IP-Based Ubiquitous Sensor Networks
The IP-based Ubiquitous Sensor Network (IP-USN) is an effort to build the “Internet of things”. By utilizing IP for low power networks, we can benefit from existing well established tools and technologies of IP networks. Along with many other unresolved issues, securing IP-USN is of great concern for researchers so that future market satisfaction and demands can be met. Without proper security measures, both reactive and proactive, it is hard to envisage an IP-USN realm. In this paper we present a design of an IDS (Intrusion Detection System) called RIDES (Robust Intrusion DEtection System) for IP-USN. RIDES is a hybrid intrusion detection system, which incorporates both Signature and Anomaly based intrusion detection components. For signature based intrusion detection this paper only discusses the implementation of distributed pattern matching algorithm with the help of signature-code, a dynamically created attack-signature identifier. Other aspects, such as creation of rules are not discussed. On the other hand, for anomaly based detection we propose a scoring classifier based on the SPC (Statistical Process Control) technique called CUSUM charts. We also investigate the settings and their effects on the performance of related parameters for both of the components
SAVAH: Source address validation with Host Identity Protocol
Abstract. Explosive growth of the Internet and lack of mechanisms that validate the authenticity of a packet source produced serious security and accounting issues. In this paper, we propose validating source addresses in LAN using Host Identity Protocol (HIP) deployed in a first-hop router. Compared to alternative solutions such as CGA, our approach is suitable both for IPv4 and IPv6. We have implemented SAVAH in Wi-Fi access points and evaluated its overhead for clients and the first-hop router
Implementing Flash Event Discrimination in IP Traceback using Shark Smell Optimisation Algorithm
Denial of service attack and its variants are the largest ravaging network problems. They are used to cause damage to network by disrupting its services in order to harm a business or organization. Flash event is a network phenomenon that causes surge in normal network flow due to sudden increase in number of network users, To curtail the menace of the Denial of service attack it is pertinent to expose the perpetrator and take appropriate action against it. Internet protocol traceback is a network forensic tool that is used to identify source of an Internet protocol packet. Most of presently available Internet protocol traceback tools that are based on bio-inspired algorithm employ flow-based search method for tracing source of a Denial of service attack without facility to differentiate flash event from the attack. Surge in network due to flash event can mislead such a traceback tool that uses flow-based search. This work present a solution that uses hop-by-hop search with an incorporated discrimination policy implemented by shark smell optimization algorithm to differentiate the attack traffic from other traffics. It was tested on performance and convergence against an existing bio-inspired traceback tool that uses flow-base method and yielded outstanding results in all the test
Patterns and Interactions in Network Security
Networks play a central role in cyber-security: networks deliver security
attacks, suffer from them, defend against them, and sometimes even cause them.
This article is a concise tutorial on the large subject of networks and
security, written for all those interested in networking, whether their
specialty is security or not. To achieve this goal, we derive our focus and
organization from two perspectives. The first perspective is that, although
mechanisms for network security are extremely diverse, they are all instances
of a few patterns. Consequently, after a pragmatic classification of security
attacks, the main sections of the tutorial cover the four patterns for
providing network security, of which the familiar three are cryptographic
protocols, packet filtering, and dynamic resource allocation. Although
cryptographic protocols hide the data contents of packets, they cannot hide
packet headers. When users need to hide packet headers from adversaries, which
may include the network from which they are receiving service, they must resort
to the pattern of compound sessions and overlays. The second perspective comes
from the observation that security mechanisms interact in important ways, with
each other and with other aspects of networking, so each pattern includes a
discussion of its interactions.Comment: 63 pages, 28 figures, 56 reference
End-to-end security in active networks
Active network solutions have been proposed to many of the problems caused by the increasing heterogeneity of the Internet. These ystems allow nodes within the network to process data passing through in several ways. Allowing code from various sources to run on routers introduces numerous security concerns that have been addressed by research into safe languages, restricted execution environments, and other related areas. But little attention has been paid to an even more critical question: the effect on end-to-end security of active flow manipulation. This thesis first examines the threat model implicit in active networks. It develops a framework of security protocols in use at various layers of the networking stack, and their utility to multimedia transport and flow processing, and asks if it is reasonable to give active routers access to the plaintext of these flows. After considering the various security problem introduced, such as vulnerability to attacks on intermediaries or coercion, it concludes not. We then ask if active network systems can be built that maintain end-to-end security without seriously degrading the functionality they provide. We describe the design and analysis of three such protocols: a distributed packet filtering system that can be used to adjust multimedia bandwidth requirements and defend against denial-of-service attacks; an efficient composition of link and transport-layer reliability mechanisms that increases the performance of TCP over lossy wireless links; and a distributed watermarking servicethat can efficiently deliver media flows marked with the identity of their recipients. In all three cases, similar functionality is provided to designs that do not maintain end-to-end security. Finally, we reconsider traditional end-to-end arguments in both networking and security, and show that they have continuing importance for Internet design. Our watermarking work adds the concept of splitting trust throughout a network to that model; we suggest further applications of this idea
- …