DNS Firewall Data Visualization

Common security tools generate a lot of data suitable for further analysis. However, the raw form of the data is often too complex and useful information gets lost in a large volume of records. In this paper, we propose a system for visualization of the data generated by a DNS firewall and outline a process of visually emphasizing information important to incident handlers. Our prototype suggests that such visualization is possible, keeping the balance between the amount of displayed information and the level of detail

Verifying and Monitoring IoTs Network Behavior using MUD Profiles

IoT devices are increasingly being implicated in cyber-attacks, raising community concern about the risks they pose to critical infrastructure, corporations, and citizens. In order to reduce this risk, the IETF is pushing IoT vendors to develop formal specifications of the intended purpose of their IoT devices, in the form of a Manufacturer Usage Description (MUD), so that their network behavior in any operating environment can be locked down and verified rigorously. This paper aims to assist IoT manufacturers in developing and verifying MUD profiles, while also helping adopters of these devices to ensure they are compatible with their organizational policies and track devices network behavior based on their MUD profile. Our first contribution is to develop a tool that takes the traffic trace of an arbitrary IoT device as input and automatically generates the MUD profile for it. We contribute our tool as open source, apply it to 28 consumer IoT devices, and highlight insights and challenges encountered in the process. Our second contribution is to apply a formal semantic framework that not only validates a given MUD profile for consistency, but also checks its compatibility with a given organizational policy. We apply our framework to representative organizations and selected devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance testing. Finally, we show how operators can dynamically identify IoT devices using known MUD profiles and monitor their behavioral changes on their network.Comment: 17 pages, 17 figures. arXiv admin note: text overlap with arXiv:1804.0435

Network-Based Detection and Prevention System against DNS-Based Attacks

Individuals and organizations rely on the Internet as an essential environment for personal or business transactions. However, individuals and organizations have been primary targets for attacks that steal sensitive data. Adversaries can use different approaches to hide their activities inside the compromised network and communicate covertly between the malicious servers and the victims. The domain name system (DNS) protocol is one of these approaches that adversaries use to transfer stolen data outside the organization\u27s network using various forms of DNS tunneling attacks. The main reason for targeting the DNS protocol is because DNS is available in almost every network, ignored, and rarely monitored. In this work, the primary aim is to design a reliable and robust network-based solution as a detection system against DNS-based attacks using various techniques, including visualization, machine learning techniques, and statistical analysis. The network-based solution acts as a DNS proxy server that provides DNS services as well as detection and prevention against DNS-based attacks, which are either embedded in malware or used as stand-alone attacking tools. The detection system works in two modes: real-time and offline modes. The real-time mode relies on the developed Payload Analysis (PA) module. In contrast, the offline mode operates based on two of the contributed modules in this dissertation, including the visualization and Traffic Analysis (TA) modules. We conducted various experiments in order to test and evaluate the detection system against simulated real-world attacks. Overall, the detection system achieved high accuracy of 99.8% with no false-negative rate. To validate the method, we compared the developed detection system against the open-source detection system, Snort intrusion detection system (IDS). We evaluated the two detection systems using a confusion matrix, including the recall, false-negatives rate, accuracy, and others. The detection system detects all case scenarios of the attacks while Snort missed 50% of the performed attacks. Based on the results, we can conclude that the detection system is significant and original improvement of the present methods used for detecting and preventing DNS-based attacks

Systemization of Pluggable Transports for Censorship Resistance

An increasing number of countries implement Internet censorship at different scales and for a variety of reasons. In particular, the link between the censored client and entry point to the uncensored network is a frequent target of censorship due to the ease with which a nation-state censor can control it. A number of censorship resistance systems have been developed thus far to help circumvent blocking on this link, which we refer to as link circumvention systems (LCs). The variety and profusion of attack vectors available to a censor has led to an arms race, leading to a dramatic speed of evolution of LCs. Despite their inherent complexity and the breadth of work in this area, there is no systematic way to evaluate link circumvention systems and compare them against each other. In this paper, we (i) sketch an attack model to comprehensively explore a censor's capabilities, (ii) present an abstract model of a LC, a system that helps a censored client communicate with a server over the Internet while resisting censorship, (iii) describe an evaluation stack that underscores a layered approach to evaluate LCs, and (iv) systemize and evaluate existing censorship resistance systems that provide link circumvention. We highlight open challenges in the evaluation and development of LCs and discuss possible mitigations.Comment: Content from this paper was published in Proceedings on Privacy Enhancing Technologies (PoPETS), Volume 2016, Issue 4 (July 2016) as "SoK: Making Sense of Censorship Resistance Systems" by Sheharbano Khattak, Tariq Elahi, Laurent Simon, Colleen M. Swanson, Steven J. Murdoch and Ian Goldberg (DOI 10.1515/popets-2016-0028

A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods in monitoring and classifying network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly becoming adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps on enterprise network security to inspire future research.Comment: Journal paper submitted to Elseive

Analysis of Security Incidents from Network Traffic

Analýza bezpečnostních incidentů se stala velmi důležitým a zajímavým oborem počítačové vědy. Monitorovací nástroje a techniky pomáhají při detekci a prevenci proti tímto škodlivým aktivitám. Tento dokument opisuje počítačové útoky a jejich klasifikaci. Také jsou tady opsaný některé monitorovací nástroje jako Intrusion Detection System nebo NetFlow protokol a jeho monitorovací software. Tento dokument také opisuje konfiguraci experimentální topologie a prezentuje několik experimentů škodlivých aktivit, které byly detailně kontrolovány těmito monitorovacími nástroji.Analysis of network incidents have become a very important and interesting field in Computer Science. Monitoring tools and techniques can help detect and prevent against these malicious activities. This document describes computer attacks and their classification. Several monitoring tools such as Intrusion Detection System or NetFlow protocol and its monitoring software are introduced. It is also described the development of an experimental topology and the results obtained on several experiments involving malicious activity, that were overseen in detail by these monitoring tools.

Exploring security controls for ICS/SCADA environments

Trabalho de projeto de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2020Os Sistemas de Controlo Industriais (ICS) estão a começar a fundir-se com as soluções de IT, por forma a promover a interconectividade. Embora isto traga inúmeros benefícios de uma perspetiva de controlo, os ICS apresentam uma falta de mecanismos de segurança que consigam evitar possíveis ameaças informáticas, quando comparados aos comuns sistemas de informação [29], [64]. Dada a natureza crítica destes sistemas, e a ocorrências recentes de ciberataques desastrosos, a segurança ´e um tópico que deve ser incentivado. À luz deste problema, na presente dissertação apresentamos uma avaliação de possíveis aplicações e controlos de segurança a serem implantados nestes ambientes críticos e a implementação de uma solução de segurança extensível que dá resposta a certos ataques focados em sistemas industriais, capaz de ser implantada em qualquer rede industrial que permita a sua ligação. Com o auxilio de uma framework extensivel e portátil para testes de ICS, e outros ambientes industriais de testes, foi possível analisar diferentes cenários de ameaças, implantar mecanismos de segurança para os detetar e avaliar os resultados, com o intuito de fornecer uma ideia de como empregar estes mecanismos da melhor maneira possível num ambiente real de controlo industrial.Industrial Control Systems (ICS) are beginning to merge with IT solutions, in order to promote inter-connectivity. Although this brings countless benefits from a control perspective, ICS have been lacking in security mechanisms to ward off potential cyber threats, when compared to common information systems [29], [64]. Given the critical nature of these systems, and the recent occurrences of disastrous cyber-attacks, security is a topic that should be encouraged. In light of this problem, in this dissertation we present an assessment of possible security applications and controls that can be deployed in these critical environments and the implementation of an extensible security solution that responds to certain attacks focused on industrial systems, capable of being deployed in any industrial network that allows its connection. With the help of an extensible and portable framework for ICS testing, and other industrial testing environments, it was possible to analyze different threat scenarios, implement security mechanisms to detect them and evaluate the results in order to provide an idea on how to employ these mechanisms as best as possible in a real industrial control environment, without compromising it’s process