    An Intelligent Management System for Hybrid Network between Visible Light Communication and Radio Frequency

    This thesis investigates the challenges and potential solutions associated with hybrid Visible Light Communication (VLC) and Radio Frequency (RF) systems for indoor network environments. The rapid development of VLC technology, characterized by its high data rates, energy efficiency, and inherent security features, offers promising opportunities to complement RF networks in providing seamless connectivity and improved performance. However, integrating VLC and RF technologies effectively requires addressing a range of research and engineering challenges, including network coexistence, handover mechanisms, resource allocation, localization, and standardization. We begin by conducting a comprehensive literature review encompassing existing research, technologies, and solutions related to hybrid VLC/RF architectures, handover management, indoor localization techniques, and the challenges faced by these systems. This background provides a solid foundation for understanding the current state-of-the-art and identifying research gaps in the field of hybrid VLC/RF networks. Next, we propose a novel hybrid network architecture that integrates VLC and RF communication systems to enhance their strengths while mitigating their weaknesses. We discuss various types of hybrid VLC/RF architectures found in the literature and present our proposed design, which addresses the identified challenges through innovative strategies and mechanisms. To improve system performance in our hybrid system, we develop an enhanced priority feedback channel that optimizes the traffic priority based on user preferences and network conditions. This approach minimizes service disruptions, reduces latency, and maintains user Quality of Experience (QoE). Furthermore, we introduce a novel intelligent management system architecture tailored for hybrid VLC/RF networks. This system employs advanced algorithms and techniques to optimize resource allocation, load balancing, localization, and handover management, ensuring efficient operation and seamless connectivity. We evaluate the performance of our proposed solutions through extensive simulations and testbed experiments, considering different network scenarios and metrics. The results demonstrate significant improvements in terms of data rate, latency, handover success rate, and localization accuracy, validating the effectiveness of our proposed architecture and management system. Lastly, we explore several real-world applications and case studies of our intelligent management system in various indoor environments, such as retail stores, offices, and hospitals. These examples illustrate the practical benefits of our solution in enhancing customer experiences, optimizing operational efficiency, facilitating targeted marketing, and improving energy management. In conclusion, this thesis contributes to the advancement of hybrid VLC/RF networks by proposing an innovative architecture and intelligent management system that address the key challenges faced by these systems in indoor environments. The findings and solutions presented in this work provide the backbone for future research and development efforts aimed at fully harnessing the potential of VLC technology in combination with RF networks.

    Layered-MAC: An Energy-Protected and Efficient Protocol for Wireless Sensor Networks

    In wireless sensor networks, the radio of the wireless sensor node is the largest source of energy consumption. Hence, there is a need to focus on the MAC layer, as it controls access to the radio. While there are several existing techniques to make sensors more energy-efficient, not many of them consider the security aspects of energy efficiency, by which we mean protecting energy from external attacks. The existing protocols focus mainly on either duty-cycling (Sensor-MAC, Time-out MAC) or clustering (Gateway MAC) as a way of conserving energy. One such attack on energy is the denial-of-sleep (DoSL) attack, a specific kind of denial-of-service attack designed to drain the energy of battery-powered sensors in a Wireless Sensor Network. This paper explains the development of a new MAC-layer protocol called Layered-MAC, aimed not just at energy efficiency but at energy protection against DoSL attacks. The protocol is implemented on the OMNET++ and Castalia simulator. The results from the simulation are then compared with two representative existing duty-cycled protocols (Time-out MAC and Sensor-MAC), and significant improvements are present. One of the benefits of the developed protocol is that it not only attempts to save energy but also protects energy from DoSL attacks. There are two main contributions from this research – the first is the additional layer of network metrics (RSSI and LQI) consideration, based on the premise that protection/security is not possible without some form of measurement of assets, and the second is the cluster head rotation, which adds an extra layer of energy protection while considering energy efficiency.

    Mobile Ad-Hoc Networks

    Being infrastructure-less and without central administration control, wireless ad-hoc networking is playing an increasingly important role in extending the coverage of traditional wireless infrastructure (cellular networks, wireless LAN, etc.). This book includes state-of-the-art techniques and solutions for wireless ad-hoc networks. It focuses on the following topics in ad-hoc networks: vehicular ad-hoc networks, security and caching, TCP in ad-hoc networks, and emerging applications. It is intended to provide network engineers and researchers with design guidelines for large-scale wireless ad-hoc networks.

    Process Management in the Mobile Internet of Things

    The Internet of Things (IoT) promotes solutions such as a smart city, where everyday objects connect with info systems and each other. One example is a road condition monitoring system, where connected vehicles, such as buses, capture video, which is then processed to detect potholes and snow build-up. Building such a solution typically involves establishing a complex centralised system. The centralised approach may become a bottleneck as the number of IoT devices keeps growing. It relies on constant connectivity to all involved devices to make decisions, such as which vehicles to involve in the process. Designing, automating, managing, and monitoring such processes can be greatly supported using the standards and software systems provided by the field of Business Process Management (BPM). However, BPM techniques are not directly applicable to new computing paradigms, such as Fog Computing and Edge Computing, on which the future of IoT relies. Here, a lot of decision-making and processing is moved from central data centers to devices at the network edge, near the end-users and IoT sensors. For example, video could be processed in mini-datacenters deployed throughout the city, e.g., at bus stops. This load distribution reduces the risk of the ever-growing number of IoT devices overloading the data center. This thesis studies how to reorganise the process execution in this decentralised fashion, where processes must dynamically adapt to the volatile edge environment filled with moving devices. Namely, connectivity is intermittent, so decision-making and planning need to involve factors such as the movement trajectories of mobile devices. We examined this issue in simulations and with a prototype for Android smartphones. We also showcase the STEP-ONE toolset, allowing researchers to conveniently simulate and analyse these issues in different realistic scenarios, such as those in a smart city. https://www.ester.ee/record=b552551

    Dynamic security mechanisms for softwarized and virtualized networks

    The relationship between attackers and defenders has traditionally been asymmetric, with attackers having time as an upper hand to devise an exploit that compromises the defender. The push towards the Cloudification of the world makes matters more challenging, as it lowers the cost of an attack, with a de facto standardization on a set of protocols. The discovery of a vulnerability now has a broader impact on various verticals (business use cases), while previously, some were in a segregated protocol stack requiring independent vulnerability research. Furthermore, defining a perimeter within a cloudified system is non-trivial, whereas before, the dedicated equipment already created a perimeter. This proposal takes the newer technologies of network softwarization and virtualization, both Cloud-enablers, to create new dynamic security mechanisms that address this asymmetric relationship using novel Moving Target Defense (MTD) approaches. The effective use of the exploration space, combined with the reconfiguration capabilities of frameworks like Network Function Virtualization (NFV) and Management and Orchestration (MANO), should allow for adjusting defense levels dynamically to achieve the required security as defined by the currently acceptable risk. The optimization tasks and integration tasks of this thesis explore these concepts. Furthermore, the proposed novel mechanisms were evaluated in real-world use cases, such as 5G networks or other Network Slicing enabled infrastructures. Programa Doutoral em Engenharia Informátic

    Adaptive security

    Automated runtime security adaptation has great potential in providing timely and fine-grained security control. In this thesis we study the practical utility of a runtime security-performance trade-off for the pervasive Secure Socket Layer (SSL/TLS) protocol. To that end we address a number of research challenges. We develop an Adaptive Security methodology to extend non-adaptive legacy security systems with adaptive features. We also create a design of such an extended system to support the methodology. The design aids in identifying additional key components necessary for the creation of an adaptive security system. We furthermore apply our methodology to the Secure Socket Layer (SSL) protocol to create a design and implementation of a practical Adaptive SSL (ASSL) solution that supports runtime security adaptation in response to cross-cutting environmental concerns. The solution effectively adapts security at runtime, only reducing maximum server load by 15% or more depending on adaptation decision complexity. Next we address the security-performance trade-off research challenge. Following our methodology we conduct an offline study of factors affecting server performance when security is adapted. These insights allow for the creation of policies that can trade off security and performance by taking into account the expected future state of the system under adaptation. In so doing we found that client SSL session duration, requested file size and current security algorithm play roles in predicting future system state. Notably, performance deviation is smaller when sessions are longer and files are smaller, and vice versa. A complete Adaptive Security solution which successfully demonstrates our methodology is implemented with trade-off policies and ASSL as key components. We show that the solution effectively utilises available processing resources to increase security whilst still respecting performance guarantees. EThOS - Electronic Theses Online Service, GB, United Kingdo

    Intrusion Detection System against Denial of Service attack in Software-Defined Networking

    The exponential growth of online services and of the data volume transferred over communication networks raises the need to replace the structure of traditional networks with a new paradigm that adapts to current demands. Software-Defined Networking (SDN) is an advanced network architecture aiming to transform the traditional network into a more flexible network that responds to the new requirements. In contrast to the traditional network, SDN allows decoupling of the control and data plane functionalities to monitor, configure, and optimize network resources efficiently. It has a centralized controller with a global network view that manages its resources using programmable interfaces. The central control, however, brings new security vulnerabilities and acts as a single point of failure, which a malicious user might exploit to disrupt the network functionality. Thus, the attacker launches massive traffic, known as a Distributed Denial of Service (DDoS) attack, from the SDN infrastructure layer towards the controller. This DDoS attack leads to saturation of the control channel bandwidth and occupies the controller's resources. Furthermore, the SDN architecture inherits some attack types from traditional networks. For example, the attacker forges packets to appear benign and then targets the traditional DDoS objectives such as hosts, servers, applications, and routers. This work observes the behavior of malicious users. It then presents an Intrusion Detection System (IDS) to safeguard the SDN environment against DDoS attacks. The IDS considers three approaches to obtain sufficient feedback about the ongoing traffic through the SDN architecture: the information from an external device, the OpenFlow channel, and the flow table. Therefore, the proposed IDS consists of three components. The Inspector Device prevents malicious users from launching the saturation attack towards the SDN controller. The Convolutional Neural Network (CNN) component employs One-Dimensional Convolutional Neural Networks (1D-CNN) to analyze the controller's traffic through the OpenFlow channel. The Deep Learning Algorithm (DLA) component employs Recurrent Neural Networks (RNN) to detect the inherited DDoS attacks. The IDS also supports distinguishing between malicious and benign users as a new countermeasure. At the end of this work, all the proposed components are modelled with the network emulator Mininet and the programming language Python to test their feasibility. The simulation results demonstrate that the proposed IDS outperforms several benchmarking and state-of-the-art suggestions.