232 research outputs found

    Methods and Techniques for Dynamic Deployability of Software-Defined Security Services

    Get PDF
    With the recent trend of “network softwarisation”, enabled by emerging technologies such as Software-Defined Networking and Network Function Virtualisation, system administrators of data centres and enterprise networks have started replacing dedicated hardware-based middleboxes with virtualised network functions running on servers and end hosts. This radical change has facilitated the provisioning of advanced and flexible network services, ultimately helping system administrators and network operators to cope with the rapid changes in service requirements and networking workloads. This thesis investigates the challenges of provisioning network security services in “softwarised” networks, where the security of residential and business users can be provided by means of sets of software-based network functions running on high performance servers or on commodity devices. The study is approached from the perspective of the telecom operator, whose goal is to protect the customers from network threats and, at the same time, maximize the number of provisioned services, and thereby revenue. Specifically, the overall aim of the research presented in this thesis is proposing novel techniques for optimising the resource usage of software-based security services, hence for increasing the chances for the operator to accommodate more service requests while respecting the desired level of network security of its customers. In this direction, the contributions of this thesis are the following: (i) a solution for the dynamic provisioning of security services that minimises the utilisation of computing and network resources, and (ii) novel methods based on Deep Learning and Linux kernel technologies for reducing the CPU usage of software-based security network functions, with specific focus on the defence against Distributed Denial of Service (DDoS) attacks. The experimental results reported in this thesis demonstrate that the proposed solutions for service provisioning and DDoS defence require fewer computing resources, compared to similar approaches available in the scientific literature or adopted in production networks

    Linking Amplification DDoS Attacks to Booter Services

    Get PDF
    We present techniques for attributing amplification DDoS attacks to the booter services that launched the attack. Our k-Nearest Neighbor (k -NN) classification algorithm is based on features that are characteristic for a DDoS service, such as the set of reflectors used by that service. This allows us to attribute DDoS attacks based on observations from honeypot amplifiers, augmented with training data from ground truth attack-to-services mappings we generated by subscribing to DDoS services and attacking ourselves in a controlled environment. Our eval- uation shows that we can attribute DNS and NTP attacks observed by the honeypots with a precision of over 99% while still achieving recall of over 69% in the most challenging real-time attribution scenario. Fur- thermore, we develop a similarly precise technique that allows a victim to attribute an attack based on a slightly different set of features that can be extracted from a victim’s network traces. Executing our k -NN classifier over all attacks observed by the honeypots shows that 25.53% (49,297) of the DNS attacks can be attributed to 7 booter services and 13.34% (38,520) of the NTP attacks can be attributed to 15 booter ser- vices. This demonstrates the potential benefits of DDoS attribution to identify harmful DDoS services and victims of these services

    Improving the Security of Critical Infrastructure: Metrics, Measurements, and Analysis

    Get PDF
    In this work, we propose three important contributions needed in the process of improving the security of the critical infrastructure: metrics, measurement, and analysis. To improve security, metrics are key to ensuring the accuracy of the assessment and evaluation. Measurements are the core of the process of identifying the causality and effectiveness of various behaviors, and accurate measurement with the right assumptions is a cornerstone for accurate analysis. Finally, contextualized analysis essential for understanding measurements. Different results can be derived for the same data according to the analysis method, and it can serve as a basis for understanding and improving systems security. In this dissertation, we look at whether these key concepts are well demonstrated in existing (networked) systems and research products. In the first thrust, we verified the validity of volume-based contribution evaluation metrics used in threat information sharing systems. Further, we proposed a qualitative evaluation as an alternative to supplement the shortcomings of the volume-based evaluation method. In the second thrust, we measured the effectiveness of the low-rate DDoS attacks in a realistic environment to highlight the importance of establishing assumptions grounded in reality for measurements. Moreover, we theoretically analyzed the low-rate DDoS attacks and conducted additional experiments to validate them. In the last thrust, we conducted a large-scale measurement and analyzed the behaviors of open resolvers, to estimate the potential threats of them. We then went beyond just figuring out the number of open resolvers and explored new implications that the behavioral analysis could provide. We also experimentally shown the existence of forwarding resolvers and their behavior by precisely analyzing DNS resolution packets

    A testbed design for intrusion detection and mitigation in SDN architecture by using DPI

    Get PDF
    06.03.2018 tarihli ve 30352 sayılı Resmi Gazetede yayımlanan “Yükseköğretim Kanunu İle Bazı Kanun Ve Kanun Hükmünde Kararnamelerde Değişiklik Yapılması Hakkında Kanun” ile 18.06.2018 tarihli “Lisansüstü Tezlerin Elektronik Ortamda Toplanması, Düzenlenmesi ve Erişime Açılmasına İlişkin Yönerge” gereğince tam metin erişime açılmıştır.Son on yılda, ağları tasarlamak ve geliştirmek için kullanılan teknolojiler konusunda köklü değişiklikler yaşanmamıştır. Bu süre zarfında, ağa bağlı cihazlarının sayısı üstel olarak artarak bilgisayar ağlarının toplamı ve boyutunun artmasına yol açtı. Bu ise, veri merkezlerinde ve şirketlerde mevcut ağ yapılarının yönetimini daha da zorlaştırdı. Yazılım Tanımlı Ağ fikri, daha önce aynı cihazda sıkıştırılmış olan veri düzlemi ile denetim düzlemini birbirinden ayırmayı getirir ve böylece tüm ağ yapısının SDN denetleyici adı verilen merkezi bir yerden programlanmasına imkan verir. Bu yapı içerisindeki very düzlemi, kendisine gelen verileri SDN denetleyici tarafından belirlendiği şekilde bir sonraki düğüme ileten aptal cihazlardan oluşur. OpenFlow, SDN denetleyici ile very düzelmi cihazları arasındaki bağlantıyı sağlamak üzere yaygın olarak kullanılan haberleşme protokolüdür. Oluşturulan test düzeneği web uygulaması, anormal durum tespiti alt sistemi, floodlight denetleyiciye sahip SDN yapısı ve sFlow protokolü gibi çok sayıda bileşene sahiptir. Geliştirilen system, akan trafık üzerindeki tehditleri bulabilmek için paketlerin yük kısımlarını incelemektedir. Geliştirilen test düzeneğinin başarımını sorgulamak için DoS saldırısı göz önüne alınımıştır. Elde edilen sonuçlar SDN sistemlerin güvenliğiyle ilgili deneylerin oluşturulan bu test düzeneği ile kolayca gerçekleştirilebileceğini göstermektedir.For the last decade's technologies which is used to design and build networks have remained unchanged. In the meantime, the number of connected networking devices has raised exponentially which lead to that also the total and the size of computer networks has increased. Accordingly, the existing networks in data centers and companies have become much more difficult and harder to administrate. Software Defined Networking (SDN) idea brings the fact to separate the control plane from data plane which was previously tighten together in the same device, and thus allows the network to be programmed from a logically centralized place called SDN controller. The data plane in this structure consists of dump devices which are only capable of forwarding the data as instructed by the SDN controller. OpenFlow is the well-known protocol used to take the communication between the SDN controller and the forwarding devices. In this study, a new testbed has been implemented for anomaly detection in SDN. The testbed formed has several components such as a web based application, an anomaly detection sub-system, an SDN structure with floodlight controller and sFlow protocol. The system developed examines the payload of the packets in order to find any threats in ongoing traffic. In order to investigate the performance of the testbed developed, DoS attack has been considered. The results show that experiments related to security aspects of the SDN systems can be realized by the testbed, easily

    Using honeypots to trace back amplification DDoS attacks

    Get PDF
    In today’s interconnected world, Denial-of-Service attacks can cause great harm by simply rendering a target system or service inaccessible. Amongst the most powerful and widespread DoS attacks are amplification attacks, in which thousands of vulnerable servers are tricked into reflecting and amplifying attack traffic. However, as these attacks inherently rely on IP spoofing, the true attack source is hidden. Consequently, going after the offenders behind these attacks has so far been deemed impractical. This thesis presents a line of work that enables practical attack traceback supported by honeypot reflectors. To this end, we investigate the tradeoffs between applicability, required a priori knowledge, and traceback granularity in three settings. First, we show how spoofed attack packets and non-spoofed scan packets can be linked using honeypot-induced fingerprints, which allows attributing attacks launched from the same infrastructures as scans. Second, we present a classifier-based approach to trace back attacks launched from booter services after collecting ground-truth data through self-attacks. Third, we propose to use BGP poisoning to locate the attacking network without prior knowledge and even when attack and scan infrastructures are disjoint. Finally, as all of our approaches rely on honeypot reflectors, we introduce an automated end-to-end pipeline to systematically find amplification vulnerabilities and synthesize corresponding honeypots.In der heutigen vernetzten Welt können Denial-of-Service-Angriffe große Schäden verursachen, einfach indem sie ihr Zielsystem unerreichbar machen. Zu den stärksten und verbreitetsten DoS-Angriffen zählen Amplification-Angriffe, bei denen tausende verwundbarer Server missbraucht werden, um Angriffsverkehr zu reflektieren und zu verstärken. Da solche Angriffe jedoch zwingend gefälschte IP-Absenderadressen nutzen, ist die wahre Angriffsquelle verdeckt. Damit gilt die Verfolgung der Täter bislang als unpraktikabel. Diese Dissertation präsentiert eine Reihe von Arbeiten, die praktikable Angriffsrückverfolgung durch den Einsatz von Honeypots ermöglicht. Dazu untersuchen wir das Spannungsfeld zwischen Anwendbarkeit, benötigtem Vorwissen, und Rückverfolgungsgranularität in drei Szenarien. Zuerst zeigen wir, wie gefälschte Angriffs- und ungefälschte Scan-Datenpakete miteinander verknüpft werden können. Dies ermöglicht uns die Rückverfolgung von Angriffen, die ebenfalls von Scan-Infrastrukturen aus durchgeführt wurden. Zweitens präsentieren wir einen Klassifikator-basierten Ansatz um Angriffe durch Booter-Services mittels vorher durch Selbstangriffe gesammelter Daten zurückzuverfolgen. Drittens zeigen wir auf, wie BGP Poisoning genutzt werden kann, um ohne weiteres Vorwissen das angreifende Netzwerk zu ermitteln. Schließlich präsentieren wir einen automatisierten Prozess, um systematisch Schwachstellen zu finden und entsprechende Honeypots zu synthetisieren

    Fourteenth Biennial Status Report: März 2017 - February 2019

    No full text
    corecore