11 research outputs found
Meta-Generalization for Multiparty Privacy Learning to Identify Anomaly Multimedia Traffic in Graynet
Identifying anomalous multimedia traffic in cyberspace is a major challenge in distributed service systems, multi-generation networks and the future Internet of Everything. This letter explores meta-generalization for a multiparty privacy learning model in graynet to improve the performance of anomalous multimedia traffic identification. The multiparty privacy learning model in graynet is a globally shared model that is partitioned, distributed and trained by exchanging multiparty parameter updates while preserving private data. Meta-generalization refers to discovering the inherent attributes of a learning model in order to reduce its generalization error. In the experiments, three meta-generalization principles are tested. First, the generalization error of the multiparty privacy learning model in graynet is reduced by changing the dimension of the byte-level embedding. Second, the error is reduced by adapting the depth used for extracting packet-level features. Finally, the error is reduced by adjusting the size of the support set used for preprocessing traffic-level data. Experimental results demonstrate that the proposed model outperforms state-of-the-art learning models for identifying anomalous multimedia traffic.
Reviewing effectivity in security approaches towards strengthening internet architecture
The existing Internet architecture is riddled with security loopholes and is therefore largely ineffective at resisting potential threats over the Internet. Future Internet architectures have consequently been proposed as a solution to the security gaps of the existing architecture. This paper therefore begins by reviewing existing web security practices in the conventional Internet architecture and discusses some recent solutions for mitigating commonly reported threats such as cross-site scripting, SQL injection and distributed denial-of-service. The paper also discusses recent research contributions towards security solutions for Future Internet architectures. The manuscript showcases the true effectiveness of existing approaches, with their advantages and limitations, and explicitly highlights open research problems that require immediate attention.
A countermeasure approach for brute-force timing attacks on cache privacy in named data networking architectures
One key feature of named data networking (NDN) is support for in-network caching to improve content distribution for today's Internet needs. However, previously cached contents may be exposed through side-channel timing measurements/attacks. For example, an adversary can identify previously cached contents by distinguishing cached from uncached contents at the in-network caching node, namely the edge NDN router. Previously proposed countermeasures mitigate these attacks effectively but may run counter to the NDN paradigm and degrade content distribution performance. This work studies the side-channel timing attack on streaming applications over NDN and proposes an approach to mitigate it. First, a recent side-channel timing attack, referred to as brute-force, was implemented in ndnSIM using the AT&T network topology. Then, a multi-level countermeasure method, referred to as detection and defense (DaD), is proposed to mitigate this attack. Simulation results showed that DaD distinguishes between legitimate and adversary nodes. During the attack, the proposed DaD multi-level approach achieved the minimum cache hit ratio (≈0.7%) compared to traditional countermeasures (≈4.1% for probabilistic caching and ≈3.7% for freshness) without compromising legitimate requests.
This work has been supported by FCT - Fundação para a Ciência e Tecnologia within the R&D Units Project Scope: UIDB/00319/2020.
Privacy-preserving network path validation
End-users communicating over a network path currently have no control over the path. For better quality of service, the source node often opts for a superior (or premium) network path in order to send packets to the destination node. However, the current Internet architecture provides no assurance that the packets indeed follow the designated path. Network path validation schemes address this issue and enable each node on a network path to validate whether each packet has followed the specified path so far. In this work, we introduce two notions of privacy -- path privacy and index privacy -- in the context of network path validation. We show that if a network path validation scheme does not satisfy these two properties, the scheme is vulnerable to certain practical attacks (which affect the reliability, neutrality and quality of service offered by the underlying network). To the best of our knowledge, ours is the first work that addresses privacy issues related to network path validation. We design PrivNPV, a privacy-preserving network path validation protocol that satisfies both path privacy and index privacy. We discuss several attacks related to network path validation and how PrivNPV defends against them. Finally, we discuss the practicality of PrivNPV based on relevant parameters.
Authentication and access control mechanisms for a Future Internet architecture
Even with its evolution, the current Internet cannot properly handle requirements such as multihoming, Quality of Service, mobility, multicasting and security. Several research groups around the world are involved in experimentally and incrementally creating the next generation of Internet architecture.
Currently, knowledge and information are factors of extreme importance for any person, company or nation. Therefore, information security is a prerequisite for any information system. However, security was not a requirement when the Internet was designed, and this has become a chronic problem over the last decades. Whenever new vulnerabilities emerge on the network, a new mechanism is created to combat the threat, and that mechanism is added to the design of the Internet as an overlay rather than the architecture providing security intrinsically. For this reason, including security aspects is a fundamental requirement for a Future Internet architecture.
With regard to these architectures, Brazil has some initiatives, and one of them is ETArch. It has a conceptual view very close to the definition of Software Defined Networks and, since its first prototype, has therefore used the OpenFlow protocol to materialize this vision. Since its creation, researchers from several universities have been working to incorporate into ETArch, incrementally, solutions that meet the requirements of the Future Internet.
The implementation of the mechanisms proved viable, with a reasonable average increase in time considering the benefits gained from the authentication and access control mechanisms incorporated into ETArch.
CAPES - Coordenação de Aperfeiçoamento de Pessoal de Nível Superior
Master's dissertation
Even with its evolution, the current Internet cannot adequately handle requirements such as multihoming, Quality of Service (QoS), mobility, multicast and security. Several research groups around the world are involved in creating, experimentally and incrementally, the next generation of Internet architecture.
Currently, knowledge and information are important factors for any person, organization or nation. With this in mind, security is a prerequisite for each and every computing system, but when the Internet was designed security was not a necessity of the time, causing a chronic problem over the last decades. Whenever new vulnerabilities emerge in a computing system, a new mechanism is created to combat that threat, and so the mechanism is added to the design of the Internet as an overlay rather than the architecture providing security intrinsically.
With regard to these architectures, Brazil has some initiatives, and one of them is the Entity Title Architecture (ETArch). It has a conceptual view very close to the abstraction proposed by Software Defined Networks and, since its first prototype, has therefore used the OpenFlow protocol to materialize this vision. Since its creation, researchers from several universities have been working to incorporate into ETArch, incrementally, solutions aimed at meeting the requirements of the Future Internet.
Although security is a fundamental requirement for implementations of Future Internet architectures, this requirement had not yet been designed into ETArch. Thus, the main contributions of this work are to design and implement two security mechanisms: one for authentication and another for access control.
The implementation of the mechanisms proved viable, with a relatively small average increase in time considering the benefits gained from the authentication and access control mechanisms incorporated into ETArch.
Side-channel timing attack on content privacy of named data networking
Doctoral thesis in Electronic and Computer Engineering
A variety of current applications, such as Netflix, YouTube and social media, use the Internet mainly as a content distribution network. Named Data Networking (NDN) is a network paradigm that attempts to meet the needs of today's applications by naming content. NDN promises optimized content distribution through a named, content-centric design. One of the key features of NDN is the use of in-network caching to improve network efficiency in terms of content distribution. However, cached contents may put consumer privacy at risk. Since the response time of cached contents differs from that of uncached contents, an adversary may distinguish cached contents (targets) from uncached ones through the side-channel timing responses. The scope of the attack can be the content, the name or the signature. For instance, the adversary may obtain the call history, the callee or caller location on a trusted Voice over NDN (VoNDN) service, and the popularity of contents in streaming applications (e.g. NDNtube, NDNlive) through the side-channel timing responses of the cache.
The side-channel timing attack can be mitigated by manipulating the timing of router responses. The countermeasures proposed by other researchers, such as additional delay, random/probabilistic caching, group signatures and no caching, can effectively be used to mitigate the attack. However, content distribution may be affected by pre-configured countermeasures, which may go against the goal of the original NDN paradigm. In this work, the detection and defense (DaD) approach is proposed to mitigate the attack efficiently and effectively. With DaD, an attack is detected by a multi-level detection mechanism so that countermeasures can be applied against the adversarial faces. The detections can also be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force timing attack was implemented and simulated with the following applications and testbeds: i. a trusted application that mimics VoNDN and identifies the cached certificate on a worldwide NDN testbed, and ii. an NDNtube-like streaming application to identify the popularity of videos on the NDN testbed and the AT&T network. Preliminary simulation results showed that the DaD multi-level detection mitigated the attack by about 39.1% in best-route and 36.6% in multicast communications. Additionally, the results showed that DaD preserves privacy without compromising the efficiency benefits of in-network caching in the NDNtube and VoNDN applications.
Several current applications, such as Netflix and YouTube, have been using the Internet as a content distribution network. Named Data Networking (NDN) is a recent paradigm in communication networks that attempts to respond to the needs of modern applications by naming content. NDN promises optimized content distribution using a content-centric network. One of the main features of NDN is the use of the cache available at network nodes to improve the network's efficiency in terms of content distribution. However, placing content in the cache may put consumer privacy at risk. Since the response time of cached content differs from that of uncached content, the adversary can distinguish cached content from uncached content through the side-channel responses. The target of the attack may be the content, the name or the message signature. For example, the adversary can obtain the call history, the callee or caller location in a secure voice over NDN (VoNDN) service, and the popularity of content in streaming applications (e.g. NDNtube, NDNlive) through side-channel timing responses.
The side-channel timing attack can be mitigated by manipulating the response time of routers. Countermeasures proposed by other researchers, such as additional delay, random/probabilistic caching, group signatures and no caching, can be used effectively to mitigate an attack. However, content distribution may be affected by pre-configured countermeasures that may go against the original purpose of the NDN paradigm. In this work, the detection and defense (DaD) approach is proposed to mitigate the attack efficiently and effectively. With DaD, an attack can be detected by a multi-level detection mechanism in order to apply countermeasures against the adversaries' interfaces. In addition, the detections can be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force timing attack was implemented and simulated with the following applications and platforms (testbeds): i. a secure application that implements VoNDN and identifies the cached certificate on a worldwide NDN platform; and ii. an NDNtube-like streaming application to identify the popularity of videos on the NDN platform of the AT&T company. Simulation results showed that the multi-level detection offered by DaD mitigated the attack by about 39.1% in best-route and 36.5% in multicast communications. To evaluate the effect on legitimate requests, DaD was compared with a static countermeasure, and DaD was found to preserve all legitimate requests.