47 research outputs found
Monitoring security of enterprise hosts via DNS data analysis
Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution. Thus DNS has become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS network traffic collected from a University campus and a Government research organization over six months, we illustrate the anatomy of these attacks, train machines for automatically detecting such attacks, and evaluate their efficacy in the field. The contributions of this thesis are three-fold:
Our first contribution tackles data exfiltration using DNS. We analyze outgoing DNS queries to identify many stateless attributes such as the number of characters, the number of labels, and the entropy of the domain name to distinguish malicious data exfiltration queries from legitimate ones. We train our machines using ground-truth obtained from a public list of top 10K legitimate domains and empirically validate and tune our models to achieve over 98% accuracy in correctly distinguishing legitimate DNS queries from malicious ones, the latter coming from known malware domains as well as synthetically generated using popular DNS exfiltration tools.
Our second contribution tackles malware C&C communication using DNS. We analyze DNS outgoing queries to identify more than twenty families of DGA (Domain Generation Algorithm)-enabled malware when communicating with their C&C servers. We identify attributes of network traffic that commences following the resolution of a DGA-based DNS query. We train three protocol-specific one-class classifier models, for HTTP, HTTPS and UDP flows, using public packet traces of known malware. We develop a monitoring system that uses reactive rules to automatically and selectively mirror TCP/UDP flows (between internal hosts and malware servers) pertinent to DGA queries for diagnosis by the trained models. We deploy our system in the field and evaluate its performance to show that it flags more than 2000 internal assets as potentially infected, generating more than a million suspicious flows, of which more than 97% are verified to be malicious by an off-the-shelf intrusion detection system.
Our third contribution studies the use of DNS for service disruption. We analyze incoming DNS messages, with a specific focus on non-existent (NXD) DNS responses, to distinguish benign from malicious NXDs. We highlight two attack scenarios based on their requested domain names. Using NXD behavioral attributes of internal hosts, we develop multi-staged iForest classification models to detect internal hosts launching service disruption attacks. We show how our models can detect infected hosts that generate high-volume and low-volume distributed NXD-based attacks on public resolvers and/or authoritative name servers with an accuracy of over 99% in correctly classifying legitimate hosts.
Our work shines a light on a critical vector in enterprise security and equips the enterprise network operator with the means to detect and block sophisticated attackers who use DNS as a vehicle for malware C&C communication, data exfiltration, and service disruption.
Security plane for data authentication in information-centric networks
Advisors: Maurício Ferreira Magalhães, Jussi Kangasharju. Thesis (doctorate) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.
Summary: Information security is responsible for protecting information against unauthorized access, use, modification or destruction. In order to protect data against these security attacks, several protocols have been developed, such as Internet Protocol Security (IPSEC) and Transport Layer Security (TLS), providing authentication, integrity and confidentiality mechanisms for users. These protocols use the IP address as the identifier of hosts on the Internet, making it the reference and identifier when establishing secure connections for data exchange between applications on the network. With the advent of the Web and the exponential increase in the consumption of content such as video and audio, there are signs of a gradual migration in the predominant use of the Internet, from an emphasis on connections between hosts to an emphasis on obtaining content from the network, a paradigm known as information-centric networking. In this paradigm, users look for documents and resources on the Internet without caring about explicit knowledge of the content's location. As a consequence, the IP address that was previously used as the reference point of the data provider becomes merely an ephemeral identifier of the place where the content is stored, with implications for the correct authentication of data. In this context, simply authenticating an IP address does not guarantee the authenticity of the data, since the server identified by a given IP address is not necessarily the address of the content producer.
In the context of information-oriented networks, there are proposals in the literature that make it possible to authenticate data using only the content itself, such as digital signatures per data block and hash trees built over the data blocks. The main idea of these approaches is to attach information from the original content provider to the transported data blocks, for example a digital signature, enabling data to be authenticated directly with the provider regardless of the host from which the data was obtained. Although this mechanism makes such verification possible, the procedure is very costly in terms of processing, especially when the number of blocks is large, making it infeasible in practice. This work proposes a new authentication mechanism using hash trees in order to authenticate data efficiently and explicitly with the original provider and independently of the host from which the data was obtained. In this thesis, we propose two data authentication techniques based on hash trees, called skewed hash tree (SHT) and composite hash tree (CHT), for data authentication in information-oriented networks. Once created, part of the authentication data is stored in a security plane and another part remains attached to the data itself, enabling verification based on the content and not on the source host. In addition, this thesis presents the formal model, the specification and the implementation of the two hash tree techniques for data authentication in content networks through a security plane.
Finally, this thesis details the instantiation of the proposed security plane model in two data authentication scenarios: 1) Peer-to-Peer networks and 2) parallel data authentication over HTTP.
Abstract: Information security is responsible for protecting information against unauthorized access, use, modification or destruction. In order to protect such data against security attacks, many security protocols have been developed, for example, Internet Protocol Security (IPSec) and Transport Layer Security (TLS), providing mechanisms for data authentication, integrity and confidentiality for users. These protocols use the IP address as host identifier on the Internet, making it as a reference and identifier during the establishment of secure connections for data exchange between applications on the network. With the advent of the Web and the exponential increase in content consumption (e.g., video and audio), there is evidence of a gradual migration of the predominant usage of the Internet, moving the emphasis on the connection between hosts to the content retrieval from the network, which paradigm is known as information-centric networking. In this paradigm, users look for documents and resources on the Internet without caring about the explicit knowledge of the location of the content. As a result, the IP address that was used previously as a reference point of a data provider, becomes merely an ephemeral identifier of where the content is stored, resulting in implications for the correct authentication data. In this context, the simple authentication of an IP address does not guarantee the authenticity of the data, because a hosting server identified by a given IP address is not necessarily the same one that is producing the requested content.
In the context of information-oriented networks, some proposals in the literature propose authentication mechanisms based on the content itself, for example, digital signatures over a data block or the usage of hash trees over data blocks. The main idea of these approaches is to add some information from the original provider in the transported data blocks, for example, a digital signature, enabling data authentication directly with the original provider, regardless of the host where the data was obtained. Although the mechanism mentioned previously allows for such verification, this procedure is very costly in terms of processing, especially when the number of blocks is large, making it unfeasible in practice. This thesis proposes a new authentication mechanism using hash trees in order to provide efficient data authentication and explicitly with the original provider, and also independently of the host where the data were obtained. We propose two techniques for data authentication based on hash trees, called skewed hash tree (SHT) and composite hash tree (CHT), for data authentication in information-oriented networks. Once created, part of the authentication data is stored in a security plane and another part remains attached to the data itself, allowing for the verification based on content and not on the source host. In addition, this thesis presents the formal model, specification and implementation of two hash tree techniques for data authentication in information-centric networks through a security plane. Finally, this thesis details the instantiation of the security plane model in two scenarios of data authentication: 1) Peer-to-Peer and 2) parallel data authentication over HTTP.
Doctorate. Computer Engineering. Doutor em Engenharia Elétric
An integrated security Protocol communication scheme for Internet of Things using the Locator/ID Separation Protocol Network
Internet of Things communication is mainly based on a machine-to-machine pattern, where devices are globally addressed and identified. However, as the number of connected devices increases, the burdens on the network infrastructure increase as well. The major challenges are the size of the routing tables and the efficiency of the current routing protocols in the Internet backbone. To address these problems, an Internet Engineering Task Force (IETF) working group, along with the research group at Cisco, are still working on the Locator/ID Separation Protocol as a routing architecture that can provide new semantics for the IP addressing, to simplify routing operations and improve scalability in the future of the Internet such as the Internet of Things. Nonetheless, the Locator/ID Separation Protocol is still at an early stage of implementation and the security Protocol e.g. Internet Protocol Security (IPSec), in particular, is still in its infancy.
Based on this, three scenarios were considered: Firstly, in the initial stage, each Locator/ID Separation Protocol-capable router needs to register with a Map-Server. This is known as the Registration Stage. Nevertheless, this stage is vulnerable to masquerading and content poisoning attacks. Secondly, the addresses resolving stage, in the Locator/ID Separation Protocol the Map Server (MS) accepts Map-Request from Ingress Tunnel Routers and Egress Tunnel Routers. These routers in turn look up the database and return the requested mapping to the endpoint user. However, this stage lacks data confidentiality and mutual authentication. Furthermore, the Locator/ID Separation Protocol limits the efficiency of the security protocol which works against redirecting the data or acting as fake routers. Thirdly, as a result of the vast increase in the different Internet of Things devices, the interconnected links between these devices increase vastly as well. Thus, the communication between the devices can be easily exposed to disclosures by attackers such as Man in the Middle Attacks (MitM) and Denial of Service Attack (DoS).
This research provided a comprehensive study for Communication and Mobility in the Internet of Things as well as the taxonomy of different security protocols. It went on to investigate the security threats and vulnerabilities of Locator/ID Separation Protocol using X.805 framework standard. Then three Security protocols were provided to secure the exchanged transitions of communication in Locator/ID Separation Protocol. The first security protocol had been implemented to secure the Registration stage of Locator/ID separation using ID/Based cryptography method. The second security protocol was implemented to address the Resolving stage in the Locator/ID Separation Protocol between the Ingress Tunnel Router and Egress Tunnel Router using Challenge-Response authentication and Key Agreement technique. The third security protocol had been proposed, analysed and evaluated for the Internet of Things communication devices. This protocol was based on the authentication and the group key agreement via using the El-Gamal concept. The developed protocols set an interface between each level of the phase to achieve security refinement architecture to Internet of Things based on Locator/ID Separation Protocol. These protocols were verified using Automated Validation Internet Security Protocol and Applications (AVISPA) which is a push button tool for the automated validation of security protocols and achieved results demonstrating that they do not have any security flaws. Finally, a performance analysis of security refinement protocol analysis and an evaluation were conducted using Contiki and Cooja simulation tool. The results of the performance analysis showed that the security refinement was highly scalable and the memory was quite efficient as it needed only 72 bytes of memory to store the keys in the Wireless Sensor Network (WSN) device.
Side-channel timing attack on content privacy of named data networking
Doctoral thesis in Electronics and Computer Engineering.
A diversity of current applications, such as Netflix, YouTube, and social media, have used the Internet mainly
as a content distribution network. Named Data Networking (NDN) is a network paradigm that attempts to
answer today's applications need by naming the content. NDN promises an optimized content distribution
through a named content-centric design. One of the NDN key features is the use of in-network caching
to improve network efficiency in terms of content distribution. However, the cached contents may put the
consumer privacy at risk. Since the time response of cached contents is different from un-cached contents,
the adversary may distinguish the cached contents (targets) from un-cached ones, through the side-channel
timing responses. The scope of attack can be towards the content, the name, or the signature. For instance,
the adversary may obtain the call history, the callee or caller location on a trusted Voice over NDN (VoNDN)
and the popularity of contents in streaming applications (e.g. NDNtube, NDNlive) through side-channel
timing responses of the cache.
The side-channel timing attack can be mitigated by manipulating the time of the router responses. The
countermeasures proposed by other researches, such as additional delay, random/probabilistic caching,
group signatures, and no-caching can effectively be used to mitigate the attack. However, the content
distribution may be affected by pre-configured countermeasures which may go against the goal of the
original NDN paradigm. In this work, the detection and defense (DaD) approach is proposed to mitigate the
attack efficiently and effectively. With the DaD usage, an attack can be detected by a multi-level detection
mechanism, in order to apply the countermeasures against the adversarial faces. Also, the detections can
be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force
timing attack was implemented and simulated with the following applications and testbeds: i. a trusted
application that mimics the VoNDN and identifies the cached certificate on a worldwide NDN testbed, and
ii. a streaming-like NDNtube application to identify the popularity of videos on the NDN testbed and AT&T
company. In simulation, primary results showed that the multi-level detection based on DaD mitigated the
attack about 39.1% in best-route, and 36.6% in multicast communications. Additionally, the results showed
that DaD preserves privacy without compromising the efficiency benefits of in-network caching in NDNtube
and VoNDN applications.
Several current applications, such as Netflix and YouTube, have been using the Internet as a content
distribution network. Named Data Networking (NDN) is a recent paradigm in communication networks
that tries to meet the needs of modern applications by naming content. NDN promises optimized
content distribution using a content-centric network. One of the main features of NDN is the use of
the cache available in the network nodes to improve network efficiency in terms of content distribution.
However, caching content can put consumer privacy at risk. Since the response time of cached content
differs from that of content that is not cached, the adversary can distinguish cached content from
un-cached content through the side-channel responses. The attack can target the content, the name or
the signature of the message. For example, the adversary can obtain the call history, the location of the
callee or the caller in a secure voice over NDN (VoNDN) service, and the popularity of content in
streaming applications (e.g. NDNtube, NDNlive) through the side-channel timing responses.
The side-channel timing attack can be mitigated by manipulating the timing of the router responses. The
countermeasures proposed by other researchers, such as additional delay, random/probabilistic caching,
group signatures and no caching, can effectively be used to mitigate an attack. However, content
distribution can be affected by pre-configured countermeasures that may go against the original purpose
of the NDN paradigm. In this work, the detection and defense (DaD) approach is proposed to mitigate the
attack efficiently and effectively. With DaD, an attack can be detected by a multi-level detection
mechanism in order to apply countermeasures against the adversaries' interfaces. In addition, the
detections can be used to determine the severity of the attack. In order to detect the behavior of an
adversary, a brute-force timing attack was implemented and simulated with the following applications and
platforms (testbeds): i. a secure application that implements VoNDN and identifies the cached certificate
on a worldwide NDN platform; and ii. an NDNtube-like streaming application to identify the popularity of
videos on the NDN platform of the AT&T company. The simulation results showed that the multi-level
detection offered by DaD attenuated the attack by about 39.1% in best-route and 36.5% in multicast
communications. To evaluate the effect on legitimate requests, DaD was compared with a static
countermeasure, and it was found that DaD was able to preserve all legitimate requests.
TOWARDS RELIABLE CIRCUMVENTION OF INTERNET CENSORSHIP
The Internet plays a crucial role in today's social and political movements by facilitating the free circulation of speech, information, and ideas; democracy and human rights throughout the world critically depend on preserving and bolstering the Internet's openness. Consequently, repressive regimes, totalitarian governments, and corrupt corporations regulate, monitor, and restrict the access to the Internet, which is broadly known as Internet censorship. Most countries are improving the internet infrastructures; as a result, they can implement more advanced censoring techniques. Also, the advancements in the application of machine learning techniques for network traffic analysis have enabled more sophisticated Internet censorship. In this thesis, we take a close look at the main pillars of internet censorship, and we will introduce new defenses and attacks in the internet censorship literature.
Internet censorship techniques investigate users' communications and they can decide to interrupt a connection to prevent a user from communicating with a specific entity. Traffic analysis is one of the main techniques used to infer information from internet communications. One of the major challenges to traffic analysis mechanisms is scaling the techniques to today's exploding volumes of network traffic, i.e., they impose high storage, communications, and computation overheads. We aim at addressing this scalability issue by introducing a new direction for traffic analysis, which we call compressive traffic analysis. Moreover, we show that, unfortunately, traffic analysis attacks can be conducted on anonymity systems with drastically higher accuracies than before by leveraging emerging learning mechanisms. We particularly design a system, called DeepCorr, that outperforms the state-of-the-art by significant margins in correlating network connections. DeepCorr leverages an advanced deep learning architecture to learn a flow correlation function tailored to complex networks. Also, to be able to analyze the weakness of such approaches, we show that an adversary can defeat deep neural network based traffic analysis techniques by applying statistically undetectable adversarial perturbations on the patterns of live network traffic.
We also design techniques to circumvent internet censorship. Decoy routing is an emerging approach for censorship circumvention in which circumvention is implemented with help from a number of volunteer Internet autonomous systems, called decoy ASes. We propose a new architecture for decoy routing that, by design, is significantly stronger to rerouting attacks compared to all previous designs. Unlike previous designs, our new architecture operates decoy routers only on the downstream traffic of the censored users; therefore we call it downstream-only decoy routing. As we demonstrate through Internet-scale BGP simulations, downstream-only decoy routing offers significantly stronger resistance to rerouting attacks, which is intuitively because a (censoring) ISP has much less control on the downstream BGP routes of its traffic. Then, we propose to use game theoretic approaches to model the arms races between the censors and the censorship circumvention tools. This will allow us to analyze the effect of different parameters or censoring behaviors on the performance of censorship circumvention tools. We apply our methods on two fundamental problems in internet censorship.
Finally, to bring our ideas to practice, we designed a new censorship circumvention tool called \name. \name aims at increasing the collateral damage of censorship by employing a "mass" of normal Internet users, from both censored and uncensored areas, to serve as circumvention proxies
Lightweight cryptography in radio frequency identification devices - RFID (Criptografía ligera en dispositivos de identificación por radiofrecuencia - RFID)
This thesis focuses on the study of radio frequency identification (RFID) technology, which can be considered one of the most promising technologies in the area of ubiquitous computing. RFID technology could be the replacement for barcodes. Although RFID technology offers numerous advantages over other identification systems, its use carries security risks that are not easy to resolve. RFID systems can be classified according to the cost of the tags, distinguishing mainly between high-cost and low-cost tags. Our research focuses fundamentally on the latter. The study and analysis of the state of the art has allowed us to identify the need to develop lightweight cryptographic solutions suitable for these constrained devices. The use of standard cryptographic solutions is a correct approach from a purely theoretical point of view. However, standard cryptographic primitives (hash functions, message authentication codes, block/stream ciphers, etc.) exceed the capabilities of low-cost tags. Therefore, the use of lightweight cryptography is necessary.
This thesis examines the security issues of Radio Frequency Identification
(RFID) technology, one of the most promising technologies in the field of
ubiquitous computing. Indeed, RFID technology may well replace barcode
technology. Although it offers many advantages over other identification
systems, there are also associated security risks that are not easy to address.
RFID systems can be classified according to tag price, with distinction
between high-cost and low-cost tags. Our research work focuses mainly
on low-cost RFID tags. An initial study and analysis of the state of the
art identifies the need for lightweight cryptographic solutions suitable for
these very constrained devices. From a purely theoretical point of view,
standard cryptographic solutions may be a correct approach. However,
standard cryptographic primitives (hash functions, message authentication
codes, block/stream ciphers, etc.) are quite demanding in terms of circuit
size, power consumption and memory size, so they make costly solutions
for low-cost RFID tags. Lightweight cryptography is therefore a pressing
need.
First, we analyze the security of the EPC Class-1 Generation-2 standard,
which is considered the universal standard for low-cost RFID tags.
Secondly, we cryptanalyze two new proposals, showing their unsuccessful
attempt to increase the security level of the specification without much further
hardware demands. Thirdly, we propose a new protocol resistant to
passive attacks and conforming to low-cost RFID tag requirements. In this
protocol, costly computations are only performed by the reader, and security
related computations in the tag are restricted to very simple operations.
The protocol is inspired in the family of Ultralightweight Mutual Authentication
Protocols (UMAP: M2AP, EMAP, LMAP) and the recently proposed
SASI protocol. The thesis also includes the first published cryptanalysis of
SASI under the weakest attacker model, that is, a passive attacker. Fourthly,
we propose a new protocol resistant to both passive and active attacks and
suitable for moderate-cost RFID tags. We adapt Shieh et al.'s protocol for
smart cards, taking into account the unique features of RFID systems. Finally,
because this protocol is based on the use of cryptographic primitives
and standard cryptographic primitives are not supported, we address the
design of lightweight cryptographic primitives. Specifically, we propose
a lightweight hash function (Tav-128) and a lightweight Pseudo-Random
Number Generator (LAMED and LAMED-EPC). We analyze their security
level and performance, as well as their hardware requirements and show that both could be realistically implemented, even in low-cost RFID tags.