106 research outputs found

    Rule-Based Synthesis of Chains of Security Functions for Software-Defined Networks

    Software-defined networks (SDN) offer a high degree of programmability for handling and forwarding packets. In particular, they allow network administrators to combine different security functions, such as firewalls, intrusion detection systems, and external services, into security chains designed to prevent or mitigate attacks against end user applications. These chains can benefit from formal techniques for their automated construction and verification. We propose in this paper a rule-based system for automating the composition and configuration of such chains for Android applications. Given the network characterization of an application and the set of permissions it requires, our rules construct an abstract representation of a custom security chain. This representation is then translated into a concrete implementation of the chain in Pyretic, a domain-specific language for programming SDN controllers. We prove that the chains produced by our rules satisfy a number of correctness properties, such as the absence of black holes or loops and shadowing freedom, and that they are coherent with the underlying security policy.

    Developing an Advanced IPv6 Evasion Attack Detection Framework

    Internet Protocol Version 6 (IPv6) is the most recent generation of the Internet Protocol. The transition from the current Internet Protocol Version 4 (IPv4) to IPv6 has raised new issues, the most crucial of which is security vulnerabilities. Most vulnerabilities are common to IPv4 and IPv6, e.g. evasion attacks, Distributed Denial of Service (DDoS) and fragmentation attacks. According to the IPv6 RFC (Request for Comments) recommendations, there are potential attacks against various operating systems. Discrepancies between the behaviour of several operating systems can lead to Intrusion Detection System (IDS) evasion, firewall evasion, operating system fingerprinting, network mapping, DoS/DDoS attacks and remote code execution attacks. We investigated some of the security issues of IPv6 by reviewing existing solutions and methods, and tested two open source Network Intrusion Detection Systems (NIDSs), Snort and Suricata, against some IPv6 evasion and attack methods. The results show that both NIDSs are unable to detect most of the methods used to evade detection. This thesis presents a detection framework developed specifically for IPv6 networks to detect evasion, insertion and DoS attacks that use IPv6 Extension Headers and Fragmentation. We implemented the proposed theoretical solution in a framework for evaluation tests. To develop the framework, the “dpkt” module is employed to capture and decode packets. During the development phase, a bug was found in the module used to parse/decode packets, and a patch was provided so that the module decodes IPv6 packets correctly. The standard unpack function included in the “ip6” section of the “dpkt” package follows the chain of extension headers, which means that after its parsing one no longer has access to all the extension headers in their original order. By defining a new field called all_extension_headers and adding each header to it before the parser moves on, we gain access to all the extension headers while keeping the original parse speed of the framework virtually untouched. The extra memory footprint is also negligible, as it is a linear fraction of the size of the whole set of packets. By decoding the packet, extracting data from it and evaluating that data against user-defined values, the proposed framework is able to detect IPv6 evasion, insertion and DoS attacks. The proposed framework consists of four layers. The first layer captures the network traffic and passes it to the second layer for packet decoding, which is the most important part of the detection process: if the NIDS cannot decode and extract the packet content, it cannot pass correct information to the Detection Engine for detection. Once the packet has been decoded, it is sent to the third layer, the brain of the proposed solution, which makes a decision by evaluating the extracted information against the defined values to see whether the packet is a threat or not. This layer is called the Detection Engine. Once the packet(s) have been examined by the detection processes, the result is sent to the output layer. If the packet matches a type or signature that the system administrator chose, it raises an alarm and automatically logs all details of the packet, saving them for the system administrator for further investigation. We evaluated the proposed framework and its constituent processes via numerous experiments. The results show that the proposed framework, called the NOPO framework, offers better detection accuracy, a more accurate packet decoding process, and reduced resource usage compared to both existing NIDSs.

    System Health Monitoring and Proactive Response Activation

    RÉSUMÉ Network services are becoming ever more extensive and ever more complex to manage. It is extremely important to maintain quality of service for users, in particular the response time of critical applications and services in high demand. On the other hand, the way in which attackers gain access to systems and infect computers is evolving. Deploying an intrusion detection tool (IDS) is therefore essential to monitor and analyze systems in operation. An important component to associate with an intrusion detection tool is a subsystem that computes the severity of attacks and selects an adequate response at the right time. This component is called an intrusion response system (IRS). An IRS must accurately assess the value of the loss a compromised resource could suffer, as well as the cost of the responses under consideration. Without this information, an automatic IRS risks seriously reducing network performance, wrongly disconnecting users from the network, causing high costs for administrators to restore services, and thus becoming a denial-of-service attack on our own network. In this thesis, we address these challenges and propose an IRS that takes these costs into account. In the first part of this thesis, we present a dynamic evaluation of response costs. Evaluating response costs is an important element of an intrusion response system. Although many automated IRSs have been proposed, most of them choose responses statically as a function of the attack, avoiding the need for a dynamic evaluation of response costs. However, with a dynamic evaluation of responses, the drawbacks of the static model can be mitigated. Furthermore, defending a system against an attack then becomes more effective, because the response is less predictable. A dynamic model offers a better response, chosen according to the current situation of the network. Thus, in a dynamic model, the positive and negative effects of responses must be evaluated online, at the time of the attack. We evaluate the response cost online as a function of the dependency links between resources, the number of online users, and the privilege level of each user. In the second part, an IRS is proposed that works with an online attack risk assessment component. Perfect coordination between the risk assessment mechanism and the response system in the proposed model has led to an efficient framework that is able to: (1) attempt to reduce intrusion risks, (2) compute the effectiveness of responses, and (3) decide on the activation and deactivation of responses based on factors, several of which have rarely been covered in previous models involving this type of cooperation. To demonstrate the effectiveness and feasibility of the proposed model in real production environments, a sophisticated attack exploiting a combination of vulnerabilities to compromise a target computer was implemented. In the third part, we present an online method for computing the cost of an attack using a combination of a dynamic attack graph and a service dependency graph in live mode. In this work, detection and generation of the attack graph are based on the events of a kernel-level execution trace, which is new in this work. Indeed, our group (the DORSAL Laboratory) designed a low-impact tracer for the Linux operating system, called LTTng (Linux Trace Toolkit next generation). All the proposed frameworks are based on the LTTng tracer. The Linux kernel is instrumented with the tracepoint infrastructure and can thus provide a great deal of information about system calls. This mechanism is also available in user space. After collecting all the traces, they must be synchronized, since each node on which a trace is generated has its own clock. Finally, we use an abstraction algorithm to cope with the huge trace files and to synthesize the information useful to a mechanism for detecting attacks and triggering corrective measures aimed at mitigating their effect.

    ABSTRACT Network services are becoming larger and increasingly complex to manage. It is extremely important to maintain the users' QoS, the response time of applications, and critical services in high demand. On the other hand, we see impressive changes in the ways in which attackers gain access to systems and infect computers. Deployment of intrusion detection tools (IDS) is critical to monitor and analyze running systems. An important component needed to complement intrusion detection tools is a subsystem to evaluate the severity of each attack and select a correct response at the right time. This component is called an Intrusion Response System (IRS). An IRS has to accurately assess the value of the loss incurred by a compromised resource and have an accurate evaluation of the responses' cost. Otherwise, our automated IRS will reduce network performance, wrongly disconnect users from the network, or result in high costs for administrators reestablishing services, and become a DoS attack on our own network, which will eventually have to be disabled. In this thesis, we address these challenges and propose a cost-sensitive framework for IRS. In the first part of this dissertation, we present a dynamic response cost evaluation. Response cost evaluation is a major part of the Intrusion Response System. Although many automated IRSs have been proposed, most of them use statically evaluated responses, avoiding the need for dynamic evaluation of response cost. However, by designing a dynamic evaluation for the responses, we can alleviate the drawbacks of the static model. Furthermore, it will be more effective at defending a system from an attack, as it will be less predictable. A dynamic model offers the best response based on the current situation of the network. Thus, the evaluation of the positive effects and negative impacts of the responses must be computed online, at attack time, in a dynamic model. We evaluate the response cost online with respect to the resource dependencies and the number of online users. In the second part, an IRS has been proposed that works with an online risk assessment component. Perfect coordination between the risk assessment mechanism and the response system in the proposed model has led to an efficient framework that is able to: (1) manage risk reduction issues; (2) calculate the response Goodness; and (3) perform response activation and deactivation based on factors that have rarely been seen in previous models involving this kind of cooperation. To demonstrate the efficiency and feasibility of using the proposed model in real production environments, a sophisticated attack exploiting a combination of vulnerabilities to compromise a target machine was implemented. In the third part, we present an online method to calculate the attack cost using a combination of a dynamic attack graph and a service dependency graph in live mode. In this work, detecting and generating the attack graph is based on kernel-level events, which is new in this work. Our group (DORSAL Lab) has designed a low-impact tracer for the Linux operating system called LTTng (Linux Trace Toolkit next generation). All the proposed frameworks are based on the LTTng tracer. The Linux kernel is instrumented with the tracepoint infrastructure. Thus, it can provide a lot of information about system call entry and exit. Also, this mechanism is available at user-space level. After gathering all traces, we have to synchronize them, because each trace is generated on a node with its own clock. We use an abstraction algorithm to deal with huge trace files, to prepare useful information for the detection mechanism and finally to trigger corrective measures to mitigate attacks.

    Conflict detection in software-defined networks

    The SDN architecture facilitates the flexible deployment of network functions. While promoting innovation, this architecture nevertheless induces a higher chance of conflicts compared to conventional networks. The detection of conflicts in SDN is the focus of this work. Restrictions of the formal analytical approach drive our choice of an experimental approach, in which we determine a parameter space and a methodology to perform experiments. We have created a dataset covering a number of situations occurring in SDN. The investigation of the dataset yields a conflict taxonomy composed of various classes organized in three broad types: local, distributed and hidden conflicts. Interestingly, hidden conflicts caused by side-effects of control applications' behaviour are completely new. We introduce the new concept of the multi-property set, and the ·r (“dot r”) operator for the effective comparison of SDN rules. With these means, we present algorithms to detect conflicts and develop a conflict detection prototype. The evaluation of the prototype justifies the correctness and the realizability of our proposed concepts and methodologies for classifying as well as for detecting conflicts. Altogether, our work establishes a foundation for further conflict handling efforts in SDN, e.g., conflict resolution and avoidance. In addition, we point out challenges to be explored. Cuong Tran won the DAAD scholarship for his doctoral research at the Munich Network Management Team, Ludwig-Maximilians-Universität München, and achieved the degree in 2022. He loves to do research on policy conflicts in networked systems, IP multicast and alternatives, network security, and virtualized systems. Teaching and sharing are also among his interests.