Distributed Denial of Service (DDoS) Analysis on Virtual Network and Real Network Traffic

Data communication, computers and computer networks increase the needs and facilitation offered by a variety of server services that are owned by individuals and companies. Servers are the core of continuous communication on the internet and the main factor in the life, development and death of individual businesses or companies that rely on the internet. The other side is also developing rapidly targeting server attacks from starting to weaken performance to crippled, the most popular in the hacker world, namely attacks by bombarding servers with many requests from one computer or more, with one machine to thousands of machines. This study implements several DDoS attack techniques targeted at virtual servers and real servers to determine the type of protocol used and its accuracy and reliability. The research method uses the concept of Robert Maribe Branch (2009) or ADDIE which consists of Analysis, Design, Development, Implementation and Evaluation with the results of successful attacks on the HTTP header on the virtual network and on the real network 85.68%, while the TCP has an accuracy value. 87.75% and the real network produces 90.02%. In addition, the attack using the ping of death on the virtual server was successfully carried out and the real server had an accuracy value of 41.45% so that the attack on the TCP protocol was declared very effective in crippling the target PC or server. 

Characterizing the IoT ecosystem at scale

Internet of Things (IoT) devices are extremely popular with home, business, and industrial users. To provide their services, they typically rely on a backend server in- frastructure on the Internet, which collectively form the IoT Ecosystem. This ecosys- tem is rapidly growing and offers users an increasing number of services. It also has been a source and target of significant security and privacy risks. One notable exam- ple is the recent large-scale coordinated global attacks, like Mirai, which disrupted large service providers. Thus, characterizing this ecosystem yields insights that help end-users, network operators, policymakers, and researchers better understand it, obtain a detailed view, and keep track of its evolution. In addition, they can use these insights to inform their decision-making process for mitigating this ecosystem’s security and privacy risks. In this dissertation, we characterize the IoT ecosystem at scale by (i) detecting the IoT devices in the wild, (ii) conducting a case study to measure how deployed IoT devices can affect users’ privacy, and (iii) detecting and measuring the IoT backend infrastructure. To conduct our studies, we collaborated with a large European Internet Service Provider (ISP) and a major European Internet eXchange Point (IXP). They rou- tinely collect large volumes of passive, sampled data, e.g., NetFlow and IPFIX, for their operational purposes. These data sources help providers obtain insights about their networks, and we used them to characterize the IoT ecosystem at scale. We start with IoT devices and study how to track and trace their activity in the wild. We developed and evaluated a scalable methodology to accurately detect and monitor IoT devices with limited, sparsely sampled data in the ISP and IXP. Next, we conduct a case study to measure how a myriad of deployed devices can affect the privacy of ISP subscribers. Unfortunately, we found that the privacy of a substantial fraction of IPv6 end-users is at risk. We noticed that a single device at home that encodes its MAC address into the IPv6 address could be utilized as a tracking identifier for the entire end-user prefix—even if other devices use IPv6 privacy extensions. Our results showed that IoT devices contribute the most to this privacy leakage. Finally, we focus on the backend server infrastructure and propose a methodology to identify and locate IoT backend servers operated by cloud services and IoT vendors. We analyzed their IoT traffic patterns as observed in the ISP. Our analysis sheds light on their diverse operational and deployment strategies. The need for issuing a priori unknown network-wide queries against large volumes of network flow capture data, which we used in our studies, motivated us to develop Flowyager. It is a system built on top of existing traffic capture utilities, and it relies on flow summarization techniques to reduce (i) the storage and transfer cost of flow captures and (ii) query response time. We deployed a prototype of Flowyager at both the IXP and ISP.Internet-of-Things-Geräte (IoT) sind aus vielen Haushalten, Büroräumen und In- dustrieanlagen nicht mehr wegzudenken. Um ihre Dienste zu erbringen, nutzen IoT- Geräte typischerweise auf eine Backend-Server-Infrastruktur im Internet, welche als Gesamtheit das IoT-Ökosystem bildet. Dieses Ökosystem wächst rapide an und bie- tet den Nutzern immer mehr Dienste an. Das IoT-Ökosystem ist jedoch sowohl eine Quelle als auch ein Ziel von signifikanten Risiken für die Sicherheit und Privatsphäre. Ein bemerkenswertes Beispiel sind die jüngsten groß angelegten, koordinierten globa- len Angriffe wie Mirai, durch die große Diensteanbieter gestört haben. Deshalb ist es wichtig, dieses Ökosystem zu charakterisieren, eine ganzheitliche Sicht zu bekommen und die Entwicklung zu verfolgen, damit Forscher, Entscheidungsträger, Endnutzer und Netzwerkbetreibern Einblicke und ein besseres Verständnis erlangen. Außerdem können alle Teilnehmer des Ökosystems diese Erkenntnisse nutzen, um ihre Entschei- dungsprozesse zur Verhinderung von Sicherheits- und Privatsphärerisiken zu verbes- sern. In dieser Dissertation charakterisieren wir die Gesamtheit des IoT-Ökosystems indem wir (i) IoT-Geräte im Internet detektieren, (ii) eine Fallstudie zum Einfluss von benutzten IoT-Geräten auf die Privatsphäre von Nutzern durchführen und (iii) die IoT-Backend-Infrastruktur aufdecken und vermessen. Um unsere Studien durchzuführen, arbeiten wir mit einem großen europäischen Internet- Service-Provider (ISP) und einem großen europäischen Internet-Exchange-Point (IXP) zusammen. Diese sammeln routinemäßig für operative Zwecke große Mengen an pas- siven gesampelten Daten (z.B. als NetFlow oder IPFIX). Diese Datenquellen helfen Netzwerkbetreibern Einblicke in ihre Netzwerke zu erlangen und wir verwendeten sie, um das IoT-Ökosystem ganzheitlich zu charakterisieren. Wir beginnen unsere Analysen mit IoT-Geräten und untersuchen, wie diese im Inter- net aufgespürt und verfolgt werden können. Dazu entwickelten und evaluierten wir eine skalierbare Methodik, um IoT-Geräte mit Hilfe von eingeschränkten gesampelten Daten des ISPs und IXPs präzise erkennen und beobachten können. Als Nächstes führen wir eine Fallstudie durch, in der wir messen, wie eine Unzahl von eingesetzten Geräten die Privatsphäre von ISP-Nutzern beeinflussen kann. Lei- der fanden wir heraus, dass die Privatsphäre eines substantiellen Teils von IPv6- Endnutzern bedroht ist. Wir entdeckten, dass bereits ein einzelnes Gerät im Haus, welches seine MAC-Adresse in die IPv6-Adresse kodiert, als Tracking-Identifikator für das gesamte Endnutzer-Präfix missbraucht werden kann — auch wenn andere Geräte IPv6-Privacy-Extensions verwenden. Unsere Ergebnisse zeigten, dass IoT-Geräte den Großteil dieses Privatsphäre-Verlusts verursachen. Abschließend fokussieren wir uns auf die Backend-Server-Infrastruktur und wir schla- gen eine Methodik zur Identifizierung und Lokalisierung von IoT-Backend-Servern vor, welche von Cloud-Diensten und IoT-Herstellern betrieben wird. Wir analysier- ten Muster im IoT-Verkehr, der vom ISP beobachtet wird. Unsere Analyse gibt Auf- schluss über die unterschiedlichen Strategien, wie IoT-Backend-Server betrieben und eingesetzt werden. Die Notwendigkeit a-priori unbekannte netzwerkweite Anfragen an große Mengen von Netzwerk-Flow-Daten zu stellen, welche wir in in unseren Studien verwenden, moti- vierte uns zur Entwicklung von Flowyager. Dies ist ein auf bestehenden Netzwerkverkehrs- Tools aufbauendes System und es stützt sich auf die Zusammenfassung von Verkehrs- flüssen, um (i) die Kosten für Archivierung und Transfer von Flow-Daten und (ii) die Antwortzeit von Anfragen zu reduzieren. Wir setzten einen Prototypen von Flowyager sowohl im IXP als auch im ISP ein

A classifier mechanism for host based intrusion detection and prevention system in cloud computing environment

Distributed denial-of-service (DDoS) attacks are incidents in a cloud computing environment that cause major performance disturbances. Intrusion-detection and prevention system (IDPS) are tools to protect against such incidents, and the correct placement of ID/IP systems on networks is of great importance for optimal monitoring and for achieving maximum effectiveness in protecting a system. Even with such systems in place, however, the security level of general cloud computing must be enhanced. More potent attacks attempt to take control of the cloud environment itself; such attacks include malicious virtual-machine (VM) hyperjacking as well as traditional network-security threats such as traffic snooping (which intercepts network traffic), address spoofing and the forging of VMs or IP addresses. It is difficult to manage a host-based IDPS (H-IDPS) because information must be configured and managed for every host, so it is vital to ensure that security analysts fully understand the network and its context in order to distinguish between false positives and real problems. For this, it is necessary to know the current most important classifiers in machine learning, as these offer feasible protection against false-positive alarms in DDoS attacks. In order to design a more efficient classifier, it is necessary to develop a system for evaluating the classifier. In this thesis, a new mechanism for an H-IDPS classifier in a cloud environment has desigend. The mechanism’s design is based on the hybrid Antlion Optimization Algorithm (ALO) with Multilayer Perceptron (MLP) to protect against DDoS attacks. To implement the proposed mechanism, we demonstrate the strength of the classifier using a dimensionally reduced dataset using NSL-KDD. Furthermore, we focus on a detailed study of the NSL-KDD dataset that contains only selected records. This selected dataset provides a good analysis of various machine-learning techniques for H-IDPS. The evaluation process H-IDPS system shows the increases of intrusion detection accuracy and decreases the false positive alarms when compared to other related works. This is epitomized by the skilful use of the confusion matrix technique for organizing classifiers, visualizing their performance, and assessing their overall behaviour

Cyber Security

This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security

Cyber Security

This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security

Cyber Security

This open access book constitutes the refereed proceedings of the 18th China Annual Conference on Cyber Security, CNCERT 2022, held in Beijing, China, in August 2022. The 17 papers presented were carefully reviewed and selected from 64 submissions. The papers are organized according to the following topical sections: ​​data security; anomaly detection; cryptocurrency; information security; vulnerabilities; mobile internet; threat intelligence; text recognition

Artificial Intelligence in Computer Networks : Role of AI in Network Security

Artificial Intelligence (AI) in computer networks has been emerging for the last decade, there are revolutionary inventions that have created automation and digitalization in the fields of the Internet. The layout of computer networks works in layers of topologies with the help of AI, a virtual layer of software has been added that runs predictive algorithms of Artificial Neural Networks (ANNs) with the help of Machine Learning (ML) and Deep Learning (DL). This thesis describes the relation between AI algorithms and duplication of human cognitive behavior in emerging technologies. The advantages of AI in computer networks include automation, digitalization, Internet of Things (IoT), centralization of data, etc. At the same time, the biggest disadvantage is the ethical violation of privacy and the security of data. It is further discussed in the thesis that Artificial Intelligence uses many security protocols, including Next-Generation Firewalls, to prevent security violations. The Software Network Analysis (SNA) and Software Defined Networks (SDN) play an important role in Artificial Intelligence in computer Networks. This thesis aims to analyze the relationship between the development of AI algorithms and the duplication of the human cognitive behavior in various emerging technologies. Software Network Analysis (SNA) and Software Defined Networks (SDN) are critical components of computer network artificial intelligence. The purpose of this dissertation is to investigate the relationship between AI algorithms and network security. The thesis analyzes 2 main aspects, the role of Artificial Intelligence in Computer Networks and how Artificial Intelligence is helping in securing computer networks to deal with the modern network threats. Security today has become one of the main concerns, everyday a production networks receives arounds thousands of attacks of different scales, and proper network security measures are not configured and taken, a lot can be compromised. Network virtualization, Cloud Computing, has seen exponentially growth in few past years, because of the trend of less human interaction, and minimizing of doing repeated tasks over and over. Data in today’s world is now more important than it has been in decades earlier, this is because today everything is moving towards digitalization, proper Information Security policies are derived and implemented all over the world to ensure the protection of Data. Europe has its own General Data Protection Regulation (GDPR) which ensures that every company who deals with data is to implement certain measures to ensure the data is protected which also involves implementing the right network security measures so that the right people have the access to the sensitive information. This thesis covers the overall impact of Artificial Intelligence in Computer Networks and Network Security

Federated Deep Learning for Cyber Security in the Internet of Things: Concepts, Applications, and Experimental Analysis

In this article, we present a comprehensive study with an experimental analysis of federated deep learning approaches for cyber security in the Internet of Things (IoT) applications. Specifically, we first provide a review of the federated learning-based security and privacy systems for several types of IoT applications, including, Industrial IoT, Edge Computing, Internet of Drones, Internet of Healthcare Things, Internet of Vehicles, etc. Second, the use of federated learning with blockchain and malware/intrusion detection systems for IoT applications is discussed. Then, we review the vulnerabilities in federated learning-based security and privacy systems. Finally, we provide an experimental analysis of federated deep learning with three deep learning approaches, namely, Recurrent Neural Network (RNN), Convolutional Neural Network (CNN), and Deep Neural Network (DNN). For each deep learning model, we study the performance of centralized and federated learning under three new real IoT traffic datasets, namely, the Bot-IoT dataset, the MQTTset dataset, and the TON_IoT dataset. The goal of this article is to provide important information on federated deep learning approaches with emerging technologies for cyber security. In addition, it demonstrates that federated deep learning approaches outperform the classic/centralized versions of machine learning (non-federated learning) in assuring the privacy of IoT device data and provide the higher accuracy in detecting attacks

Cyber Security

This open access book constitutes the refereed proceedings of the 18th China Annual Conference on Cyber Security, CNCERT 2022, held in Beijing, China, in August 2022. The 17 papers presented were carefully reviewed and selected from 64 submissions. The papers are organized according to the following topical sections: ​​data security; anomaly detection; cryptocurrency; information security; vulnerabilities; mobile internet; threat intelligence; text recognition

An OSINT Approach to Automated Asset Discovery and Monitoring

The main objective of this thesis is to improve the efficiency of security operations centersthrough the articulation of different publicly open sources of security related feeds. This ischallenging because of the different abstraction models of the feeds that need to be madecompatible, of the range of control values that each data source can have and that will impactthe security events, and of the scalability of computational and networking resources that arerequired to collect security events.Following the industry standards proposed by the literature (OSCP guide, PTES andOWASP), the detection of hosts and sub-domains using an articulation of several sources isregarded as the first interaction in an engagement. This first interaction often misses somesources that could allow the disclosure of more assets. This became important since networkshave scaled up to the cloud, where IP address range is not owned by the company, andimportant applications are often shared within the same IP, like the example of Virtual Hoststo host several application in the same server.We will focus on the first step of any engagement, the enumeration of the target network.Attackers often use several techniques to enumerate the target to discover vulnerable services.This enumeration could be improved by the addition of several other sources and techniquesthat are often left aside from the literature. Also, by creating an automated process it ispossible for security operation centers to discover these assets and map the applicationsin use to keep track of said vulnerabilities using OSINT techniques and publicly availablesolutions, before the attackers try to exploit the service. This gives a vision of the Internetfacing services often seen by attackers without querying the service directly evading thereforedetection. This research is in frame with the complete engagement process and should beintegrate in already built solutions, therefore the results should be able to connect to additionalapplications in order to reach forward in the engagement process.By addressing these challenges we expect to come in great aid of sysadmin and securityteams, helping them with the task of securing their assets and ensuring security cleanlinessof the enterprise resulting in a better policy compliance without ever connecting to the clienthosts