Verifying Isolation Properties in the Presence of Middleboxes
Great progress has been made recently in verifying the correctness of router
forwarding tables. However, these approaches do not work for networks
containing middleboxes such as caches and firewalls whose forwarding behavior
depends on previously observed traffic. We explore how to verify isolation
properties in networks that include such "dynamic datapath" elements using
model checking. Our work leverages recent advances in SMT solvers, and the main
challenge lies in scaling the approach to handle large and complicated
networks. While the straightforward application of model checking to this
problem can only handle very small networks (if at all), our approach can
verify simple realistic invariants on networks containing 30,000 middleboxes in
a few minutes.
Comment: Under submission to NSD
Modified Apriori Approach for Evade Network Intrusion Detection System
An Intrusion Detection System (IDS) is a software or hardware tool that
continuously scans and monitors events taking place in a computer or a
network. Signature-based Network Intrusion Detection Systems (NIDS) use a set
of rules to detect hostile traffic in network segments or packets; such rules
are important for detecting malicious and anomalous behaviour on the network,
such as known attacks, so attackers look for new techniques to go unseen.
Sometimes a single failure at any layer will cause the NIDS to miss an attack.
To overcome this problem, a technique is used that triggers a failure in that
layer; such a technique is known as an evasion technique. An evasion can be
defined as any technique that modifies a visible attack into another form in
order to avoid detection. The proposed system detects attacks in progress on
the network and also gives an accurate categorization of attacks. The proposed
system has the advantage of a low false alarm rate and a high detection rate,
which leads to decreased complexity and overhead on the system. The paper
presents an evasion technique for a customized Apriori algorithm. The paper
aims to build a new functional structure to evade NIDS. This framework can be
used to audit NIDS. The framework provides a proof of concept showing how to
evade a self-built NIDS using two publicly available datasets.
Comment: 5 pages, 3 figure
Keeping the Smart Home Private with Smart(er) IoT Traffic Shaping
The proliferation of smart home Internet of Things (IoT) devices presents
unprecedented challenges for preserving privacy within the home. In this paper,
we demonstrate that a passive network observer (e.g., an Internet service
provider) can infer private in-home activities by analyzing Internet traffic
from commercially available smart home devices even when the devices use
end-to-end transport-layer encryption. We evaluate common approaches for
defending against these types of traffic analysis attacks, including firewalls,
virtual private networks, and independent link padding, and find that none
sufficiently conceal user activities with reasonable data overhead. We develop
a new defense, "stochastic traffic padding" (STP), that makes it difficult for
a passive network adversary to reliably distinguish genuine user activities
from generated traffic patterns designed to look like user interactions. Our
analysis provides a theoretical bound on an adversary's ability to accurately
detect genuine user activities as a function of the amount of additional cover
traffic generated by the defense technique.
Comment: 21 pages, 9 figures, 4 tables. This article draws heavily from
arXiv:1705.06805, arXiv:1705.06809, and arXiv:1708.05044. Camera-ready
versio
The Challenges in SDN/ML Based Network Security : A Survey
Machine Learning is gaining popularity in the network security domain as many
more network-enabled devices get connected, as malicious activities become
stealthier, and as new technologies like Software Defined Networking (SDN)
emerge. Sitting at the application layer and communicating with the control
layer, machine learning based SDN security models exercise a huge influence on
the routing/switching of the entire SDN. Compromising the models is
consequently a very desirable goal. Previous surveys have been done on either
adversarial machine learning or the general vulnerabilities of SDNs but not
both. Through examination of the latest ML-based SDN security applications and
a good look at ML/SDN specific vulnerabilities accompanied by common attack
methods on ML, this paper serves as a unique survey, making a case for more
secure development processes of ML-based SDN security applications.
Comment: 8 pages. arXiv admin note: substantial text overlap with
arXiv:1705.0056
Lightweight Hierarchical Model for HWSNET
Heterogeneous wireless sensor networks (HWSNET) are more suitable for real
life applications as compared to the homogeneous counterpart. Security of
HWSNET becomes a very important issue with the rapid development of HWSNET.
Intrusion detection system is one of the major and efficient defensive methods
against attacks in HWSNET. Because of different constraints of sensor networks,
security solutions have to be designed with limited usage of computation and
resources. A particularly devastating attack is the sleep deprivation attack.
Here a malicious node forces legitimate nodes to waste their energy by
preventing the sensor nodes from going into low-power sleep mode. The target of
this attack is to maximize the power consumption of the affected node, thereby
decreasing its battery life. Existing works on sleep deprivation attack have
mainly focused on mitigation using MAC-based protocols, such as S-MAC (sensor
MAC), T-MAC (timeout MAC), B-MAC (Berkeley MAC), and G-MAC (gateway MAC). In this
article, a brief review of some of the recent intrusion detection systems in
wireless sensor network environment is presented. Finally, a framework of
cluster based layered countermeasure for Insomnia Detection has been proposed
for heterogeneous wireless sensor network (HWSNET) to efficiently detect sleep
deprivation attack. Simulation results on MATLAB exhibit the effectiveness of
the proposed model.
Comment: 14 pages, 7 figures, AIRCC Journa
SICS: Secure In-Cloud Service Function Chaining
There is an increasing trend that enterprises outsource their network
functions to the cloud for lower cost and ease of management. However, network
function outsourcing brings threats to the privacy of enterprises since the
cloud is able to access the traffic and rules of in-cloud network functions.
Current tools for secure network function outsourcing either incur large
performance overhead or do not support real-time updates. In this paper, we
present SICS, a secure service function chain outsourcing framework. SICS
encrypts each packet header and uses a label for in-cloud rule matching, which
enables the cloud to perform its functionalities correctly with minimum header
information leakage. Evaluation results show that SICS achieves higher
throughput, faster construction and update speed, and lower resource overhead
at both enterprise and cloud sides, compared to existing solutions.
Comment: 12 page
Passive TCP Identification for Wired and Wireless Networks: A Long-Short Term Memory Approach
Transmission control protocol (TCP) congestion control is one of the key
techniques to improve network performance. TCP congestion control algorithm
identification (TCP identification) can be used to significantly improve
network efficiency. Existing TCP identification methods can only be applied to
a limited number of TCP congestion control algorithms and focus on wired
networks. In this paper, we propose a machine learning based passive TCP
identification method for wired and wireless networks. After comparing three
typical machine learning models, we conclude that the 4-layer Long Short Term
Memory (LSTM) model achieves the best identification accuracy. Our approach
achieves better than 98% accuracy in wired and wireless networks and works for
newly proposed TCP congestion control algorithms
Hardware/Software Co-monitoring
Hardware/Software (HW/SW) interfaces, mostly implemented as devices and
device drivers, are pervasive in various computer systems. Nowadays HW/SW
interfaces typically undergo intensive testing and validation before release,
but they are still unreliable and insecure when deployed together with computer
systems to end users. Escaped logic bugs, hardware transient failures, and
malicious exploits are prevalent in HW/SW interactions, making the entire
system vulnerable and unstable.
We present HW/SW co-monitoring, a runtime co-verification approach to
detecting failures and malicious exploits in device/driver interactions. Our
approach utilizes a formal device model (FDM), a transaction-level model
derived from the device specification, to shadow the real device execution.
Based on the co-execution of the device and FDM, HW/SW co-monitoring carries
out two-tier runtime checking: (1) device checking checks if the device
behaviors conform to the FDM behaviors; (2) property checking detects invalid
driver commands issued to the device by verifying system properties against
driver/device interactions. We have applied HW/SW co-monitoring to five
widely-used devices and their Linux drivers, discovering 9 real bugs and
vulnerabilities while introducing modest runtime overhead. The results
demonstrate the major potential of HW/SW co-monitoring in improving system
reliability and security
Network intrusion detection systems for in-vehicle network - Technical report
Modern vehicles are complex safety-critical cyber-physical systems that are
connected to the outside world, with all the security implications that brings. To
enhance vehicle security several network intrusion detection systems (NIDS)
have been proposed for the CAN bus, the predominant type of in-vehicle network.
The in-vehicle CAN bus, however, is a challenging place to do intrusion
detection as messages provide very little information; interpreting them
requires specific knowledge about the implementation that is not readily
available. In this technical report we collect how existing solutions address
this challenge by providing an organized inventory of various CAN NIDSs present
in the literature, categorizing them based on what information they extract
from the network and how they build their model
Spatiotemporal patterns and predictability of cyberattacks
A relatively unexplored issue in cybersecurity science and engineering is
whether there exist intrinsic patterns of cyberattacks. Conventional wisdom
favors absence of such patterns due to the overwhelming complexity of the
modern cyberspace. Surprisingly, through a detailed analysis of an extensive
data set that records the time-dependent frequencies of attacks over a
relatively wide range of consecutive IP addresses, we successfully uncover
intrinsic spatiotemporal patterns underlying cyberattacks, where the term
"spatio" refers to the IP address space. In particular, we focus on analyzing
macroscopic properties of the attack traffic flows and identify two main
patterns with distinct spatiotemporal characteristics: deterministic and
stochastic. Strikingly, there are very few sets of major attackers committing
almost all the attacks, since their attack "fingerprints" and target selection
scheme can be unequivocally identified according to the very limited number of
unique spatiotemporal characteristics, each of which only exists on a
consecutive IP region and differs significantly from the others. We utilize a
number of quantitative measures, including the flux-fluctuation law, the Markov
state transition probability matrix, and predictability measures, to
characterize the attack patterns in a comprehensive manner. A general finding
is that the attack patterns possess high degrees of predictability, potentially
paving the way to anticipating and, consequently, mitigating or even preventing
large-scale cyberattacks using macroscopic approaches