
    Verifying Isolation Properties in the Presence of Middleboxes

    Great progress has been made recently in verifying the correctness of router forwarding tables. However, these approaches do not work for networks containing middleboxes such as caches and firewalls whose forwarding behavior depends on previously observed traffic. We explore how to verify isolation properties in networks that include such "dynamic datapath" elements using model checking. Our work leverages recent advances in SMT solvers, and the main challenge lies in scaling the approach to handle large and complicated networks. While the straightforward application of model checking to this problem can only handle very small networks (if at all), our approach can verify simple realistic invariants on networks containing 30,000 middleboxes in a few minutes.
    Comment: Under submission to NSD
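Why a forwarding-table check is not enough for a stateful middlebox, as an added example that is not code from the paper above (the paper's own method is SMT-based and scales far beyond this): a constructed network with hosts A and B behind a connection-tracking firewall and host C outside, where the isolation invariant is "no packet from C is ever delivered to B". The firewall policy, the hosts, and the deliberately weak tracking variant (`track_by_pair=False`, which keys flow state on the external peer only) are all constructed for the example. A snapshot-only check evaluates each packet against a fresh firewall and passes both variants; only exploring the reachable firewall states finds the two-packet sequence in which A's outbound traffic opens the door for C to reach B.

```python
# Added example (not code from the paper above): explicit-state exploration of a
# constructed two-host/one-firewall network to check an isolation invariant when the
# middlebox keeps state. Hosts A and B sit behind the firewall, C is outside.
from collections import deque

HOSTS = ("A", "B", "C")
INTERNAL = {"A", "B"}   # constructed topology: A and B inside, C outside


def packets():
    """All packets that cross the firewall: exactly one endpoint is internal."""
    return [(s, d) for s in HOSTS for d in HOSTS if (s in INTERNAL) != (d in INTERNAL)]


def firewall_step(state, pkt, track_by_pair):
    """One firewall transition on a constructed connection-tracking policy.

    state: frozenset of tracked flows; pkt: (src, dst).
    Policy (constructed):
      * A -> C is allowed and creates a tracked flow.
      * B is isolated: it may never exchange traffic with C.
      * C -> internal is allowed only if a matching tracked flow exists.
    track_by_pair=True tracks (internal, external) pairs; False is a deliberately
    weak variant that tracks only the external peer.
    Returns (new_state, forwarded).
    """
    src, dst = pkt
    if src in INTERNAL:                          # outbound
        if src == "B":
            return state, False
        key = (src, dst) if track_by_pair else dst
        return state | {key}, True
    key = (dst, src) if track_by_pair else src   # inbound
    return state, key in state


def stateless_allows(pkt, track_by_pair):
    """What a snapshot-only checker sees: the packet evaluated against a fresh firewall."""
    return firewall_step(frozenset(), pkt, track_by_pair)[1]


def find_isolation_violation(track_by_pair, max_depth=6):
    """Breadth-first search over reachable firewall states.

    Returns the shortest packet sequence after which a C -> B packet is forwarded
    (an isolation violation), or None if no sequence of length <= max_depth exists.
    Each firewall state is expanded once: whether a packet is forwarded depends only
    on the state and the packet, so revisiting a state cannot reveal a new violation.
    """
    start = frozenset()
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        for pkt in packets():
            new_state, forwarded = firewall_step(state, pkt, track_by_pair)
            if forwarded and pkt == ("C", "B"):
                return trace + [pkt]
            if new_state not in seen and len(trace) + 1 < max_depth:
                seen.add(new_state)
                queue.append((new_state, trace + [pkt]))
    return None


if __name__ == "__main__":
    for mode in (True, False):
        print("track_by_pair=%s: stateless check forwards C->B? %s; violating trace: %s"
              % (mode, stateless_allows(("C", "B"), mode), find_isolation_violation(mode)))
```

The state space here is tiny (a handful of tracked-flow sets), which is exactly why explicit enumeration works; with thousands of middleboxes the reachable state set explodes, and that is the scaling problem the paper attacks with SMT solving.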

    Modified Apriori Approach for Evade Network Intrusion Detection System

    An Intrusion Detection System (IDS) is a software or hardware tool that continuously scans and monitors events taking place in a computer or a network. Signature-based Network Intrusion Detection Systems (NIDS) use a set of rules to detect hostile traffic in network segments or packets; because such systems are so effective at detecting known attacks and anomalous behaviour on the network, attackers look for new techniques to go unseen. A single failure at any layer can cause the NIDS to miss an attack, and a technique that deliberately triggers such a failure is known as an evasion technique: an evasion is any technique that transforms a visible attack into another form so that it escapes detection. The proposed system detects attacks in progress on the network and also categorizes them, with a low false alarm rate and a high detection rate, which reduces complexity and overhead on the system. The paper presents an evasion technique based on a customized Apriori algorithm and aims to build a new functional framework for evading NIDS, which can be used to audit a NIDS. As a proof of concept, the framework is shown evading a self-built NIDS on two publicly available datasets.
    Comment: 5 pages, 3 figures

    Keeping the Smart Home Private with Smart(er) IoT Traffic Shaping

    The proliferation of smart home Internet of Things (IoT) devices presents unprecedented challenges for preserving privacy within the home. In this paper, we demonstrate that a passive network observer (e.g., an Internet service provider) can infer private in-home activities by analyzing Internet traffic from commercially available smart home devices even when the devices use end-to-end transport-layer encryption. We evaluate common approaches for defending against these types of traffic analysis attacks, including firewalls, virtual private networks, and independent link padding, and find that none sufficiently conceal user activities with reasonable data overhead. We develop a new defense, "stochastic traffic padding" (STP), that makes it difficult for a passive network adversary to reliably distinguish genuine user activities from generated traffic patterns designed to look like user interactions. Our analysis provides a theoretical bound on an adversary's ability to accurately detect genuine user activities as a function of the amount of additional cover traffic generated by the defense technique.
    Comment: 21 pages, 9 figures, 4 tables. This article draws heavily from arXiv:1705.06805, arXiv:1705.06809, and arXiv:1708.05044. Camera-ready version
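The attack and the defence in miniature, as an added example that is not code from the paper above and does not reproduce its devices, traces or bound: a constructed per-second upload-volume trace for an encrypted device (idle keep-alives plus two user-triggered bursts, the kind a camera produces when it uploads a clip), the volume-threshold detector a passive observer can run on ciphertext, and cover bursts shaped like genuine events injected at random seconds in the spirit of stochastic traffic padding. The byte counts, event times, threshold and padding rate are all constructed; `adversary_precision` is a plain precision metric introduced for the example, not the paper's bound.

```python
# Added example (not from the paper above): a constructed per-second upload-volume
# trace for an encrypted smart-home device, the passive volume-based activity detector
# an ISP-level observer could run on it, and cover bursts injected at random times in
# the spirit of the paper's stochastic traffic padding. All numbers are constructed.
import random

IDLE_MIN, IDLE_MAX = 300, 600         # constructed idle keep-alive volume, bytes/s
BURST_BYTES, BURST_LEN = 20_000, 5    # constructed "clip upload": +20 kB/s for 5 s


def add_bursts(trace, starts):
    """Return a copy of trace with an upload burst starting at each second in starts."""
    out = list(trace)
    for t in starts:
        for dt in range(BURST_LEN):
            if t + dt < len(out):
                out[t + dt] += BURST_BYTES
    return out


def constructed_trace(seconds=120, true_events=(20, 70), seed=1):
    """Idle noise plus genuine user-triggered bursts at true_events (constructed)."""
    rng = random.Random(seed)
    idle = [rng.randint(IDLE_MIN, IDLE_MAX) for _ in range(seconds)]
    return add_bursts(idle, true_events)


def detect_activity(trace, threshold=5_000):
    """Passive observer: start times of runs of seconds whose volume exceeds threshold.
    Transport-layer encryption hides payloads but not this volume signal."""
    starts, prev = [], False
    for t, volume in enumerate(trace):
        active = volume > threshold
        if active and not prev:
            starts.append(t)
        prev = active
    return starts


def sample_cover_starts(seconds, rate, seed):
    """Each second independently starts a cover burst with probability rate; the
    randomness is what stops the observer from learning a fixed padding schedule."""
    rng = random.Random(seed)
    return [t for t in range(seconds) if rng.random() < rate]


def stochastic_padding(trace, cover_starts):
    """Inject cover bursts shaped like genuine events at the given seconds."""
    return add_bursts(trace, cover_starts)


def adversary_precision(detected, true_events, tolerance=2):
    """Fraction of the observer's detections within tolerance seconds of a genuine
    event; cover traffic pushes this down towards the genuine/cover ratio."""
    if not detected:
        return 0.0
    hits = sum(any(abs(d - e) <= tolerance for e in true_events) for d in detected)
    return hits / len(detected)


if __name__ == "__main__":
    true_events = (20, 70)
    trace = constructed_trace(true_events=true_events)
    found = detect_activity(trace)
    print("no padding : detections %s, precision %.2f" % (found, adversary_precision(found, true_events)))
    for rate in (0.02, 0.05, 0.10):
        padded = stochastic_padding(trace, sample_cover_starts(len(trace), rate, seed=7))
        found = detect_activity(padded)
        overhead = sum(padded) / sum(trace) - 1
        print("rate %.2f  : %d detections, precision %.2f, data overhead %+.0f%%"
              % (rate, len(found), adversary_precision(found, true_events), 100 * overhead))
```

Raising the padding rate lowers the observer's precision but raises the data overhead, which is the trade-off the paper's bound quantifies; cover bursts that happen to land next to a genuine event are merged with it by the detector, so the count of detections is not simply genuine plus cover.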

    The Challenges in SDN/ML Based Network Security : A Survey

    Machine learning is gaining popularity in the network security domain as many more network-enabled devices get connected, as malicious activities become stealthier, and as new technologies like Software Defined Networking (SDN) emerge. Sitting at the application layer and communicating with the control layer, machine learning based SDN security models exercise a huge influence on the routing/switching of the entire SDN, so compromising the models is a very attractive goal for an attacker. Previous surveys have covered either adversarial machine learning or the general vulnerabilities of SDNs, but not both. Through an examination of the latest ML-based SDN security applications and a close look at ML/SDN-specific vulnerabilities together with common attack methods on ML, this paper serves as a unique survey, making a case for more secure development processes for ML-based SDN security applications.
    Comment: 8 pages. arXiv admin note: substantial text overlap with arXiv:1705.0056

    Lightweight Hierarchical Model for HWSNET

    Heterogeneous wireless sensor networks (HWSNET) are more suitable for real-life applications than their homogeneous counterpart, and with their rapid development the security of HWSNET becomes a very important issue. An intrusion detection system is one of the major and most efficient defensive methods against attacks in HWSNET. Because of the constraints of sensor networks, security solutions have to be designed with limited use of computation and resources. A particularly devastating attack is the sleep deprivation attack, in which a malicious node forces legitimate nodes to waste their energy by preventing them from entering low-power sleep mode; the goal is to maximize the power consumption of the affected node and so shorten its battery life. Existing work on the sleep deprivation attack has mainly focused on mitigation using MAC-based protocols such as S-MAC (sensor MAC), T-MAC (timeout MAC), B-MAC (Berkeley MAC) and G-MAC (gateway MAC). This article first gives a brief review of some recent intrusion detection systems for wireless sensor network environments, and then proposes a framework of cluster-based layered countermeasures for insomnia detection in heterogeneous wireless sensor networks (HWSNET) that efficiently detects the sleep deprivation attack. Simulation results in MATLAB exhibit the effectiveness of the proposed model.
    Comment: 14 pages, 7 figures, AIRCC Journal

    SICS: Secure In-Cloud Service Function Chaining

    There is an increasing trend for enterprises to outsource their network functions to the cloud for lower cost and ease of management. However, network function outsourcing threatens the privacy of enterprises, since the cloud is able to access the traffic and rules of in-cloud network functions. Current tools for secure network function outsourcing either incur large performance overhead or do not support real-time updates. In this paper, we present SICS, a secure service function chain outsourcing framework. SICS encrypts each packet header and uses a label for in-cloud rule matching, which enables the cloud to perform its functions correctly with minimum header information leakage. Evaluation results show that SICS achieves higher throughput, faster construction and update speed, and lower resource overhead on both the enterprise and cloud sides compared to existing solutions.
    Comment: 12 pages

    Passive TCP Identification for Wired and Wireless Networks: A Long-Short Term Memory Approach

    Transmission control protocol (TCP) congestion control is one of the key techniques for improving network performance, and identifying which congestion control algorithm a flow uses (TCP identification) can be used to significantly improve network efficiency. Existing TCP identification methods apply only to a limited number of TCP congestion control algorithms and focus on wired networks. In this paper, we propose a machine learning based passive TCP identification method for wired and wireless networks. After comparing three typical machine learning models, we conclude that a four-layer Long Short-Term Memory (LSTM) model achieves the best identification accuracy. Our approach achieves better than 98% accuracy in wired and wireless networks and works for newly proposed TCP congestion control algorithms.

    Hardware/Software Co-monitoring

    Hardware/Software (HW/SW) interfaces, mostly implemented as devices and device drivers, are pervasive in computer systems. Nowadays HW/SW interfaces typically undergo intensive testing and validation before release, but they are still unreliable and insecure when deployed to end users as part of complete computer systems. Escaped logic bugs, hardware transient failures, and malicious exploits are prevalent in HW/SW interactions, making the entire system vulnerable and unstable. We present HW/SW co-monitoring, a runtime co-verification approach to detecting failures and malicious exploits in device/driver interactions. Our approach utilizes a formal device model (FDM), a transaction-level model derived from the device specification, to shadow the real device's execution. Based on the co-execution of the device and the FDM, HW/SW co-monitoring carries out two-tier runtime checking: (1) device checking checks whether the device's behaviour conforms to the FDM's behaviour; (2) property checking detects invalid driver commands issued to the device by verifying system properties against driver/device interactions. We have applied HW/SW co-monitoring to five widely used devices and their Linux drivers, discovering 9 real bugs and vulnerabilities while introducing modest runtime overhead. The results demonstrate the major potential of HW/SW co-monitoring for improving system reliability and security.
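The two-tier checking described above, as an added example that is not code from the paper and does not model any of the five real devices it evaluates: a constructed transaction-level model of a hypothetical DMA engine (ADDR, LEN and CTRL registers, a STATUS register with DONE and BUSY bits, a constructed LEN limit) stands in for the FDM; a monitor forwards every driver register access to both the device and the model, runs property checks on driver commands before they reach the device, and compares every value the device returns with what the model predicts. The "real" device is simulated here, and the divergence planted in `SimulatedBuggyDevice` (completion never clears BUSY) is constructed to show what device checking catches.

```python
# Added example (not code from the paper above): a constructed transaction-level model
# of a hypothetical DMA engine used as a "formal device model", co-executed with a
# simulated real device behind a monitor that performs the two checks described in the
# abstract: device checking on every register read and property checking on every
# driver command. Registers, limits and the simulated hardware bug are all constructed.
MAX_LEN = 4096   # constructed spec limit on LEN


class FormalDeviceModel:
    """Constructed FDM: ADDR/LEN/CTRL/STATUS registers; CTRL bit 0 starts a transfer,
    which completes after one tick; STATUS bit 0 = DONE, bit 1 = BUSY."""

    def __init__(self):
        self.addr, self.length, self.busy, self.done = 0, 0, False, False

    def write(self, reg, value):
        if reg == "ADDR":
            self.addr = value
        elif reg == "LEN":
            self.length = value
        elif reg == "CTRL" and value & 1:
            self.busy, self.done = True, False

    def read(self, reg):
        if reg == "STATUS":
            return (1 if self.done else 0) | (2 if self.busy else 0)
        return {"ADDR": self.addr, "LEN": self.length}.get(reg, 0)

    def tick(self):
        if self.busy:
            self.busy, self.done = False, True


class SimulatedBuggyDevice(FormalDeviceModel):
    """Constructed hardware divergence: completion sets DONE but never clears BUSY."""

    def tick(self):
        if self.busy:
            self.done = True


class CoMonitor:
    """Shadows every driver access with the FDM and records violations."""

    def __init__(self, device):
        self.device, self.model, self.violations = device, FormalDeviceModel(), []

    def write(self, reg, value):
        # property checking: is this driver command valid given the interaction history?
        if reg == "CTRL" and value & 1:
            if self.model.addr == 0:
                self.violations.append(("property", "START with ADDR unset"))
            if not 1 <= self.model.length <= MAX_LEN:
                self.violations.append(("property", "START with LEN=%d outside 1..%d"
                                        % (self.model.length, MAX_LEN)))
            if self.model.busy:
                self.violations.append(("property", "START while a transfer is in flight"))
        self.device.write(reg, value)
        self.model.write(reg, value)

    def read(self, reg):
        # device checking: does the real device's observable behaviour match the model?
        real, expected = self.device.read(reg), self.model.read(reg)
        if real != expected:
            self.violations.append(("device", "%s: device returned %d, model expects %d"
                                    % (reg, real, expected)))
        return real

    def tick(self):
        self.device.tick()
        self.model.tick()


def run_driver(device, length, start_twice=False):
    """Constructed driver sequence: program a buffer, start, optionally start again
    (an invalid command), wait one tick, then read STATUS. Returns the violations."""
    mon = CoMonitor(device)
    mon.write("ADDR", 0x1000)
    mon.write("LEN", length)
    mon.write("CTRL", 1)
    if start_twice:
        mon.write("CTRL", 1)
    mon.tick()
    mon.read("STATUS")
    return mon.violations


if __name__ == "__main__":
    print("conformant device, valid driver:", run_driver(FormalDeviceModel(), 256))
    print("oversized LEN                  :", run_driver(FormalDeviceModel(), 8192))
    print("double START                   :", run_driver(FormalDeviceModel(), 256, start_twice=True))
    print("buggy device                   :", run_driver(SimulatedBuggyDevice(), 256))
```

The split matters for attribution: a property violation points at the driver (or at whoever is driving the device from software), while a device-check mismatch points at the hardware or at a device whose behaviour has been tampered with. In a real deployment the monitor would sit on the driver's register-access path and the model's tick would be driven by the device's interrupts or a timer rather than by the driver.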

    Network intrusion detection systems for in-vehicle network - Technical report

    Modern vehicles are complex safety-critical cyber-physical systems that are connected to the outside world, with all the security implications that brings. To enhance vehicle security, several network intrusion detection systems (NIDS) have been proposed for the CAN bus, the predominant type of in-vehicle network. The in-vehicle CAN bus, however, is a challenging place to do intrusion detection, as messages carry very little information and interpreting them requires implementation-specific knowledge that is not readily available. In this technical report we collect how existing solutions address this challenge by providing an organized inventory of the CAN NIDSs present in the literature, categorizing them by what information they extract from the network and how they build their model.
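One detector from the family the report inventories, as an added example that is not code from the report: a NIDS that extracts only message IDs and arrival times (no payload interpretation, so it needs none of the implementation-specific knowledge the report calls out), learns the median inter-arrival period per ID from a capture trusted to be clean, and then flags frames that arrive far sooner than that period (the signature of injected frames sharing a legitimate ID) plus IDs the bus never carried in the baseline. The candump-style lines, the IDs 0x1A0/0x2B0/0x7FF, their periods and the injected frames are all constructed for the example.

```python
# Added example (not from the technical report above): a candump-style parser plus a
# timing-based detector of the kind the report inventories (one that extracts only
# message IDs and arrival times). Capture lines below are constructed, not real traffic.
import re
from collections import defaultdict
from statistics import median

CANDUMP_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)")


def parse_candump(lines):
    """Parse '(ts) iface ID#DATA' lines into (timestamp, can_id, payload) tuples."""
    frames = []
    for line in lines:
        m = CANDUMP_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames):
    """Median inter-arrival time per ID, learned from a capture trusted to be clean."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items()}


def detect_anomalies(frames, periods, min_ratio=0.5):
    """Flag frames of an ID arriving sooner than min_ratio * learned period after the
    previous frame with the same ID (typical of injected frames), and IDs never seen
    in the baseline. Returns (timestamp, can_id, reason) tuples."""
    last, alerts = {}, []
    for ts, cid, _ in frames:
        if cid not in periods:
            alerts.append((ts, cid, "unknown id"))
        elif cid in last and ts - last[cid] < min_ratio * periods[cid]:
            alerts.append((ts, cid, "interval %.4f s < expected %.4f s"
                           % (ts - last[cid], periods[cid])))
        last[cid] = ts
    return alerts


def constructed_capture(inject=False):
    """Constructed candump lines: 0x1A0 every 10 ms and 0x2B0 every 100 ms for 1 s.
    With inject=True, three extra 0x1A0 frames are squeezed in after t=0.5 s and one
    frame with an ID (0x7FF) that the bus never carries normally is added."""
    frames = [(k * 0.010, 0x1A0, b"\x00\x11\x22\x33") for k in range(100)]
    frames += [(k * 0.100, 0x2B0, b"\xaa\xbb") for k in range(10)]
    if inject:
        frames += [(t, 0x1A0, b"\xff\xff\xff\xff") for t in (0.502, 0.504, 0.506)]
        frames.append((0.300, 0x7FF, b"\xde\xad"))
    frames.sort()
    return ["(%.6f) can0 %03X#%s" % (ts, cid, data.hex().upper()) for ts, cid, data in frames]


if __name__ == "__main__":
    periods = learn_periods(parse_candump(constructed_capture()))
    attack = parse_candump(constructed_capture(inject=True))
    for ts, cid, why in detect_anomalies(attack, periods):
        print("%.6f 0x%03X %s" % (ts, cid, why))
```

Note what the output shows: the three injected 0x1A0 frames are flagged, and so is the legitimate 0x1A0 frame that follows them, because its distance from the last (injected) frame is also short. A timing-only detector attributes anomalies to an ID, not to an individual frame, and it says nothing about a frame that replaces a legitimate one at the expected time; that is the gap the payload- and model-based detectors in the report's other categories try to close.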

    Spatiotemporal patterns and predictability of cyberattacks

    A relatively unexplored issue in cybersecurity science and engineering is whether there exist intrinsic patterns in cyberattacks. Conventional wisdom favors the absence of such patterns because of the overwhelming complexity of modern cyberspace. Surprisingly, through a detailed analysis of an extensive data set that records the time-dependent frequencies of attacks over a relatively wide range of consecutive IP addresses, we uncover intrinsic spatiotemporal patterns underlying cyberattacks, where "spatio" refers to the IP address space. In particular, we focus on analyzing macroscopic properties of the attack traffic flows and identify two main patterns with distinct spatiotemporal characteristics: deterministic and stochastic. Strikingly, almost all the attacks are committed by very few sets of major attackers, whose attack "fingerprints" and target selection schemes can be unequivocally identified from the very limited number of unique spatiotemporal characteristics, each of which exists only on a consecutive IP region and differs significantly from the others. We utilize a number of quantitative measures, including the flux-fluctuation law, the Markov state transition probability matrix, and predictability measures, to characterize the attack patterns comprehensively. A general finding is that the attack patterns possess a high degree of predictability, potentially paving the way to anticipating and, consequently, mitigating or even preventing large-scale cyberattacks using macroscopic approaches.