Uncovering Vulnerable Industrial Control Systems from the Internet Core

Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., DRDoS~attacks). In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used i) to create precise filters for potentially harmful non-industrial ICS traffic, and ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks

On mitigating distributed denial of service attacks

Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks are probably the most ferocious threats in the Internet, resulting in tremendous economic and social implications/impacts on our daily lives that are increasingly depending on the wellbeing of the Internet. How to mitigate these attacks effectively and efficiently has become an active research area. The critical issues here include 1) IP spoofing, i.e., forged source lIP addresses are routinely employed to conceal the identities of the attack sources and deter the efforts of detection, defense, and tracing; 2) the distributed nature, that is, hundreds or thousands of compromised hosts are orchestrated to attack the victim synchronously. Other related issues are scalability, lack of incentives to deploy a new scheme, and the effectiveness under partial deployment. This dissertation investigates and proposes effective schemes to mitigate DDoS attacks. It is comprised of three parts. The first part introduces the classification of DDoS attacks and the evaluation of previous schemes. The second part presents the proposed IP traceback scheme, namely, autonomous system-based edge marking (ASEM). ASEM enhances probabilistic packet marking (PPM) in several aspects: (1) ASEM is capable of addressing large-scale DDoS attacks efficiently; (2) ASEM is capable of handling spoofed marking from the attacker and spurious marking incurred by subverted routers, which is a unique and critical feature; (3) ASEM can significantly reduce the number of marked packets required for path reconstruction and suppress false positives as well. The third part presents the proposed DDoS defense mechanisms, including the four-color-theorem based path marking, and a comprehensive framework for DDoS defense. The salient features of the framework include (1) it is designed to tackle a wide spectrum of DDoS attacks rather than a specified one, and (2) it can differentiate malicious traffic from normal ones. The receiver-center design avoids several related issues such as scalability, and lack of incentives to deploy a new scheme. Finally, conclusions are drawn and future works are discussed

The Good, the Bad, and the Actively Verified

We believe that we can use active probing for compromise recovery. Our intent is to exploit the differences in behavior between compromised and uncompromised systems and use that information to identify those which are not behaving as expected. Those differences may indicate a deviation in either con figuration or implementation from what we expect on the network, either of which suggests that the misbehaving entity might not be trustworthy. In this work, we propose and build a case for a method for using altered behavior directly resulting from or introduced as a side-effect of the compromise of a network service to detect the presence of such a compromise. We use several case studies to illustrate our technique, and demonstrate its feasibility with a software tool developed using our method

Ethical Hacking Using Penetration Testing

This thesis provides details of the hardware architecture and the software scripting, which are employed to demonstrate penetration testing in a laboratory setup. The architecture depicts an organizational computing asset or an environment.¬¬¬ With the increasing number of cyber-attacks throughout the world, the network security is becoming an important issue. This has motivated a large number of “ethical hackers” to indulge and develop methodologies and scripts to defend against the security attacks. As it is too onerous to maintain and monitor attacks on individual hardware and software in an organization, the demand for the new ways to manage security systems invoked the idea of penetration testing. Many research groups have designed algorithms depending on the size, type and purpose of application to secure networks [55]. In this thesis, we create a laboratory setup replicating an organizational infrastructure to study penetration testing on real time server-client atmosphere. To make this possible, we have used Border Gateway Protocol (BGP) as routing protocol as it is widely used in current networks. Moreover, BGP exhibits few vulnerabilities of its own and makes the security assessment more promising. Here, we propose (a) computer based attacks and (b) actual network based attacks including defense mechanisms. The thesis, thus, describes the way penetration testing is accomplished over a desired BGP network. The procedural generation of the packets, exploit, and payloads involve internal and external network attacks. In this thesis, we start with the details of all sub-fields in the stream of penetration testing, including their requirements and outcomes. As an informative and learning research, this thesis discusses the types of attacks over the routers, switches and physical client machines. Our work also deals with the limitations of the implementation of the penetration testing, discussing over the vulnerabilities of the current standards in the technology. Furthermore, we consider the possible methodologies that require attention in order to accomplish most efficient outcomes with the penetration testing. Overall, this work has provided a great learning opportunity in the area of ethical hacking using penetration testing

Impact of denial of service solutions on network quality of service

The Internet has become a universal communication network tool. It has evolved from a platform that supports best-effort traffic to one that now carries different traffic types including those involving continuous media with quality of service (QoS) requirements. As more services are delivered over the Internet, we face increasing risk to their availability given that malicious attacks on those Internet services continue to increase. Several networks have witnessed denial of service (DoS) and distributed denial of service (DDoS) attacks over the past few years which have disrupted QoS of network services, thereby violating the Service Level Agreement (SLA) between the client and the Internet Service Provider (ISP). Hence DoS or DDoS attacks are major threats to network QoS. In this paper we survey techniques and solutions that have been deployed to thwart DoS and DDoS attacks and we evaluate them in terms of their impact on network QoS for Internet services. We also present vulnerabilities that can be exploited for QoS protocols and also affect QoS if exploited. In addition, we also highlight challenges that still need to be addressed to achieve end-to-end QoS with recently proposed DoS/DDoS solutions

Interdomain Routing Security (BGP-4)

The Border Gateway Protocol (BGP) is the most important protocol for the interconnectivity of the Internet. Although it has shown acceptable performance, there are many issues about its capability to meet the scale of the growth of the Internet, mainly because of the security issues that surround interdomain routing. The Internet is important to many organisations in various contexts. Thus, it is required to provide a highly secure protocol to keep the normal operation of the Internet. BGP suffers from many security issues. In this dissertation, we cover those issues and provide the security requirements for this protocol. We enumerate the numerous attacks that can be conducted against BGP. The aim of this study is to examine two considerably discussed protocols. Secure-BGP (S-BGP) and secure origin BGP (soBGP) have shown a revolutionary view on interdomain routing since they endeavour to providing security mechanisms at the protocol level. The objective is extended to comparing these two solutions by examining their contribution to the Border Gateway Protocol in terms of security. Moreover, we study their interoperability, efficiency, performance, and the residual vulnerabilities that each solution failed to resolve. Our findings have revealed that ultimately, the solution chosen will be dependent on the desired level of security and deployability. As is often the case with security, a compromise between security and feasibility is of a major concern and cost-effectiveness is the main driver behind deployment

User Review Analysis for Requirement Elicitation: Thesis and the framework prototype's source code

Online reviews are an important channel for requirement elicitation. However, requirement engineers face challenges when analysing online user reviews, such as data volumes, technical supports, existing techniques, and legal barriers. Juan Wang proposes a framework solving user review analysis problems for the purpose of requirement elicitation that sets up a channel from downloading user reviews to structured analysis data. The main contributions of her work are: (1) the thesis proposed a framework to solve the user review analysis problem for requirement elicitation; (2) the prototype of this framework proves its feasibility; (3) the experiments prove the effectiveness and efficiency of this framework. This resource here is the latest version of Juan Wang's PhD thesis "User Review Analysis for Requirement Elicitation" and all the source code of the prototype for the framework as the results of her thesis

MFIRE-2: A Multi Agent System for Flow-based Intrusion Detection Using Stochastic Search

Detecting attacks targeted against military and commercial computer networks is a crucial element in the domain of cyberwarfare. The traditional method of signature-based intrusion detection is a primary mechanism to alert administrators to malicious activity. However, signature-based methods are not capable of detecting new or novel attacks. This research continues the development of a novel simulated, multiagent, flow-based intrusion detection system called MFIRE. Agents in the network are trained to recognize common attacks, and they share data with other agents to improve the overall effectiveness of the system. A Support Vector Machine (SVM) is the primary classifier with which agents determine an attack is occurring. Agents are prompted to move to different locations within the network to find better vantage points, and two methods for achieving this are developed. One uses a centralized reputation-based model, and the other uses a decentralized model optimized with stochastic search. The latter is tested for basic functionality. The reputation model is extensively tested in two configurations and results show that it is significantly superior to a system with non-moving agents. The resulting system, MFIRE-2, demonstrates exciting new network defense capabilities, and should be considered for implementation in future cyberwarfare applications