A Targeted Denial of Service Attack on Data Caching Networks

With the rise of data exchange over the Internet, information-centric networks have become a popular research topic in computing. One major research topic on Information Centric Networks (ICN) is the use of data caching to increase network performance. However, research in the security concerns of data caching networks is lacking. One example of a data caching network can be seen using a Mobile Ad Hoc Network (MANET). Recently, a study has shown that it is possible to infer military activity through cache behavior which is used as a basis for a formulated denial of service attack (DoS) that can be used to attack networks using data caching. Current security issues with data caching networks are discussed, including possible prevention techniques and methods. A targeted data cache DoS attack is developed and tested using an ICN as a simulator. The goal of the attacker would be to fill node caches with unpopular content, thus making the cache useless. The attack would consist of a malicious node that requests unpopular content in intervals of time where the content would have been just purged from the existing cache. The goal of the attack would be to corrupt as many nodes as possible without increasing the chance of detection. The decreased network throughput and increased delay would also lead to higher power consumption on the mobile nodes, thus increasing the effects of the DoS attack. Various caching polices are evaluated in an ICN simulator program designed to show network performance using three common caching policies and various cache sizes. The ICN simulator is developed using Java and tested on a simulated network. Baseline data are collected and then compared to data collected after the attack. Other possible security concerns with data caching networks are also discussed, including possible smarter attack techniques and methods

To NACK or not to NACK? Negative Acknowledgments in Information-Centric Networking

Information-Centric Networking (ICN) is an internetworking paradigm that offers an alternative to the current IP\nobreakdash-based Internet architecture. ICN's most distinguishing feature is its emphasis on information (content) instead of communication endpoints. One important open issue in ICN is whether negative acknowledgments (NACKs) at the network layer are useful for notifying downstream nodes about forwarding failures, or requests for incorrect or non-existent information. In benign settings, NACKs are beneficial for ICN architectures, such as CCNx and NDN, since they flush state in routers and notify consumers. In terms of security, NACKs seem useful as they can help mitigating so-called Interest Flooding attacks. However, as we show in this paper, network-layer NACKs also have some unpleasant security implications. We consider several types of NACKs and discuss their security design requirements and implications. We also demonstrate that providing secure NACKs triggers the threat of producer-bound flooding attacks. Although we discuss some potential countermeasures to these attacks, the main conclusion of this paper is that network-layer NACKs are best avoided, at least for security reasons.Comment: 10 pages, 7 figure

The Challenges in SDN/ML Based Network Security : A Survey

Machine Learning is gaining popularity in the network security domain as many more network-enabled devices get connected, as malicious activities become stealthier, and as new technologies like Software Defined Networking (SDN) emerge. Sitting at the application layer and communicating with the control layer, machine learning based SDN security models exercise a huge influence on the routing/switching of the entire SDN. Compromising the models is consequently a very desirable goal. Previous surveys have been done on either adversarial machine learning or the general vulnerabilities of SDNs but not both. Through examination of the latest ML-based SDN security applications and a good look at ML/SDN specific vulnerabilities accompanied by common attack methods on ML, this paper serves as a unique survey, making a case for more secure development processes of ML-based SDN security applications.Comment: 8 pages. arXiv admin note: substantial text overlap with arXiv:1705.0056

Enhancing Cache Robustness in Named Data Networks

Information-centric networks (ICNs) are a category of network architectures that focus on content, rather than hosts, to more effectively support the needs of today’s users. One major feature of such networks is in-network storage, which is realized by the presence of content storage routers throughout the network. These content storage routers cache popular content object chunks close to the consumers who request them in order to reduce latency for those end users and to decrease overall network congestion. Because of their prominence, network storage devices such as content storage routers will undoubtedly be major targets for malicious users. Two primary goals of attackers are to increase cache pollution and decrease hit rate by legitimate users. This would effectively reduce or eliminate the advantages of having in-network storage. Therefore, it is crucial to defend against these types of attacks. In this thesis, we study a specific ICN architecture called Named Data Networking (NDN) and simulate several attack scenarios on different network topologies to ascertain the effectiveness of different cache replacement algorithms, such as LRU and LFU (specifically, LFU-DA.) We apply our new per-face popularity with dynamic aging (PFP-DA) scheme to the content storage routers in the network and measure both cache pollution percentages as well as hit rate experienced by legitimate consumers. The current solutions in the literature that relate to reducing the effects of cache pollution largely focus on detection of attacker behavior. Since this behavior is very unpredictable, it is not guaranteed that any detection mechanisms will work well if the attackers employ smart attacks. Furthermore, current solutions do not consider the effects of a particularly aggressive attack against any single or small set of faces (interfaces.) Therefore, we have developed three related algorithms, namely PFP, PFP-DA, and Parameterized PFP-DA. PFP ensures that interests that ingress over any given face do not overwhelm the calculated popularity of a content object chunk. PFP normalizes the ranks on all faces and uses the collective contributions of these faces to determine the overall popularity, which in turn determines what content stays in the cache and what is evicted. PFP-DA adds recency to the original PFP algorithm and ensures that content object chunks do not remain in the cache longer than their true, current popularity dictates. Finally, we explore PFP-β, a parameterized version of PFP-DA, in which a β parameter is provided that causes the popularity calculations to take on Zipf-like characteristics, which in turn reduces the numeric distance between top rated items, and lower rated items, favoring items with multi-face contribution over those with single-face contributions and those with contributions over very few faces. We explore how the PFP-based schemes can reduce impact of contributions over any given face or small number of faces on an NDN content storage router. This in turn, reduces the impact that even some of the most aggressive attackers can have when they overwhelm one or a few faces, by normalizing the contributions across all contributing faces for a given content object chunk. During attack scenarios, we conclude that PFP-DA performs better than both LRU and LFU-DA in terms of resisting the effects of cache pollution and maintaining strong hit rates. We also demonstrate that PFP-DA performs better even when no attacks are being leveraged against the content store. This opens the door for further research both within and outside of ICN-based architectures as a means to enhance security and overall performance.Ph.D.College of Engineering & Computer ScienceUniversity of Michigan-Dearbornhttps://deepblue.lib.umich.edu/bitstream/2027.42/145175/1/John Baugh Final Dissertation.pdfDescription of John Baugh Final Dissertation.pdf : Dissertatio

5G Security Challenges and Solutions: A Review by OSI Layers

The Fifth Generation of Communication Networks (5G) envisions a broader range of servicescompared to previous generations, supporting an increased number of use cases and applications. Thebroader application domain leads to increase in consumer use and, in turn, increased hacker activity. Dueto this chain of events, strong and efficient security measures are required to create a secure and trustedenvironment for users. In this paper, we provide an objective overview of5G security issues and theexisting and newly proposed technologies designed to secure the5G environment. We categorize securitytechnologies usingOpen Systems Interconnection (OSI)layers and, for each layer, we discuss vulnerabilities,threats, security solutions, challenges, gaps and open research issues. While we discuss all sevenOSIlayers, the most interesting findings are in layer one, the physical layer. In fact, compared to other layers,the physical layer between the base stations and users’ device presents increased opportunities for attackssuch as eavesdropping and data fabrication. However, no singleOSI layer can stand on its own to provideproper security. All layers in the5G must work together, providing their own unique technology in an effortto ensure security and integrity for5G data

Availability, Integrity, and Confidentiality for Content Centric Network internet architectures

The Internet as we know it today, despite being ``the result of a series of accidents of choices'' in Prof. Jon Crowcroft's words, has undoubtedly been an amazing success story. However, it has been constantly challenged by the demands of the overwhelming evolution of data traffic types, non-functional needs of applications and users, and device diversity. The phrase ``future internet architecture'' can be interpreted as referring to a revised set of design principles. As Dr David Clark rightfully suggested, we need to ``allow for the future in the face of the present''. Content Centric Networking (CCN) is one of the candidates for a future internet architecture. Security is one of the most significant considerations while designing a future internet architecture. Availability, Integrity, and Confidentiality (AIC) are considered the three most crucial components of security: 1) availability is the assurance of continuous, reliable, and uninterrupted access to the information by authorized people, 2) integrity is the preservation of information and prevention of any change in it caused via accident or malicious intent, and 3) confidentiality is the ability to keep the information secret from unintended audience, intruders, and adversaries. This thesis discusses AIC related security threats and corresponding remedies for Named Data Networking (NDN) which is a promising example of CCN. It also presents a system dynamics modelling approach to bridge the gap between the technical solutions and business strategy by quantifying some of the qualitative variables salient to technology architects, policymakers, lawmakers, regulators, and internet service providers for the design of a future-proof internet architecture

A Content Poisoning Attack Detection and Prevention System in Vehicular Named Data Networking

Named data networking (NDN) is gaining momentum in vehicular ad hoc networks (VANETs) thanks to its robust network architecture. However, vehicular NDN (VNDN) faces numerous challenges, including security, privacy, routing, and caching. Specifically, the attackers can jeopardize vehicles’ cache memory with a Content Poisoning Attack (CPA). The CPA is the most difficult to identify because the attacker disseminates malicious content with a valid name. In addition, NDN employs request–response-based content dissemination, which is inefficient in supporting push-based content forwarding in VANET. Meanwhile, VNDN lacks a secure reputation management system. To this end, our contribution is three-fold. We initially propose a threshold-based content caching mechanism for CPA detection and prevention. This mechanism allows or rejects host vehicles to serve content based on their reputation. Secondly, we incorporate a blockchain system that ensures the privacy of every vehicle at roadside units (RSUs). Finally, we extend the scope of NDN from pull-based content retrieval to push-based content dissemination. The experimental evaluation results reveal that our proposed CPA detection mechanism achieves a 100% accuracy in identifying and preventing attackers. The attacker vehicles achieved a 0% cache hit ratio in our proposed mechanism. On the other hand, our blockchain results identified tempered blocks with 100% accuracy and prevented them from storing in the blockchain network. Thus, our proposed solution can identify and prevent CPA with 100% accuracy and effectively filters out tempered blocks. Our proposed research contribution enables the vehicles to store and serve trusted content in VNDN

Denial of Service (DoS) in Internet Protocol (IP) Network and Information Centric Network (ICN): An Impediment to Network Quality of Service (QoS).

This paper compares and analyses the Denial-of-Service attacks in the two different Network architectures. The two architectures are based on different routing approaches: Hop-by-Hop IP routing and source-routing using Bloom filters. In Hop-by-Hop IP routing, the packet header contains the address, and the route is decided node by node. Forwarding in this method requires a node to have a routing table which contains the port through which the packet should traverse depending on the address of the destination. Instead in source-routing, the forwarding identifier is encoded with the path a packet should take and it is placed in the packet header. The forwarding identifier in this approach does not require a forwarding table for look ups like the IP routing; it relies on Line Speed Publish/Subscribe (LIPSIN) forwarding solution that focuses on using named links not nodes or interfaces. The forwarding identifier encompasses a set of Link ID’s which specifies the path to the recipient and they are encoded in a Bloom filter. The In-packet Bloom filters serve as both path selectors and as capabilities, and they are generated dynamically. However, this thesis is going to focus on the latter network technology by looking at both its benefits and drawbacks as well as analysing the possibilities of having a Denial of service attack. Keywords: DoS, DDoS, TCP/IP Protocol Suite, ICMP flood, E-mail Bomb, Ping of Death, TCP and UD