7 research outputs found

    Data Security and Data Protection in the World of Pervasive Computing = Security and Privacy Issues in Pervasive Computing

    (1) Security of multi-hop wireless networks: Security analysis of routing protocols proposed for mobile ad hoc and sensor networks, development of novel routing protocols with provable security (enairA, Secure tinyLUNAR). Development of novel resilient aggregation algorithms for sensor networks (RANBAR, CORA). Analysis of conditions for the emergence of spontaneous cooperation in ad hoc and sensor networks, novel algorithm to foster cooperation in opportunistic ad hoc networks (Barter). (2) Security tokens: Analysis of the untrusted terminal problem, mitigation by using conditional signature based protocols. (3) RFID security and privacy: Analysis of key-tree based private authentication, novel metrics to measure the level of privacy. Design of optimal key-trees, novel private authentication protocols based on group keys. (4) Formal models: Modeling framework for routing protocols based on the simulation paradigm, proof techniques for analyzing the security of routing. Attacker models and analysis techniques for resilient aggregation in sensor networks. Formal model for representing the limited computing capacity of humans. Metrics for determining the level of privacy provided by private authentication protocols. Game theoretic models for studying cooperation in ad hoc and sensor networks, and for analysing the performance of spam and DoS protection mechanisms.

    A Bridge between Legacy Wireless Communication Systems and Internet of Things

    The software-defined radio (SDR) is a flexible platform that can adapt to various wireless telecommunication frequencies. It is able to provide a reconfigurable communication infrastructure for wireless systems. Hence, SDR is proposed here as a bridge between legacy wireless communication systems and the Internet of Things (IoT) via standard telecommunication protocols. The standard protocols are hypertext transfer protocol (HTTP), simple mail transfer protocol (SMTP), and message queuing telemetry transport (MQTT). Data collected from legacy wireless systems have been formatted via JavaScript object notation (JSON) for interoperability and categorized according to the application and the communication pattern. The extracted data are then transferred over MQTT for machine-to-machine (M2M) communication, over SMTP for machine-to-human (M2H) notification, and over HTTP for human-to-machine (H2M) communication. However, received audio signals from FM-based broadcasting stations have been transferred to the Internet servers over extensible messaging and presence protocol (XMPP), as live audio streaming. The objective is to introduce an SDR-IoT bridge that is inexpensive, scalable, and interoperable. The analyses show that the environment has good performance, and can be used for many applications in smart city sectors, for Internet Radio, and for Internet-based monitoring of airplanes and vessel navigation.

    Denial of service attack detection through machine learning for the IoT

    Sustained Internet of Things (IoT) deployment and functioning are heavily reliant on the use of effective data communication protocols. In the IoT landscape, the publish/subscribe-based Message Queuing Telemetry Transport (MQTT) protocol is popular. Cyber security threats against the MQTT protocol are anticipated to increase at par with its increasing use by IoT manufacturers. In particular, IoT is vulnerable to protocol-based Application layer Denial of Service (DoS) attacks, which have been known to cause widespread service disruption in legacy systems. In this paper, we propose an Application layer DoS attack detection framework for the MQTT protocol and test the scheme on legitimate and protocol-compliant DoS attack scenarios. To protect the MQTT message brokers from such attacks, we propose a machine learning-based detection framework developed for the MQTT protocol. Through experiments, we demonstrate the impact of such attacks on various MQTT brokers and evaluate the effectiveness of the proposed framework to detect these malicious attacks. The results obtained indicate that the attackers can overwhelm the server resources even when legitimate access was denied to MQTT brokers and resources have been restricted. In addition, the MQTT features we have identified showed high attack detection accuracy. The field size and length-based features drastically reduced the false-positive rates and are suitable for detecting IoT based attacks.

    Application-layer denial of service attacks: taxonomy and survey

    The recent escalation of application-layer denial of service (DoS) attacks has attracted significant interest from the security research community. Since application-layer DoS attacks usually do not manifest themselves at the network level, they avoid traditional network-layer-based detection. Therefore, the security community has focused on specialised application-layer DoS attack detection and mitigation mechanisms. However, the deployment of reliable and efficient defence mechanisms against these attacks requires a comprehensive understanding of the existing application-layer DoS attacks, supported by a unified terminology. Thus, in this paper we address this issue and devise a taxonomy of application-layer DoS attacks. By devising the proposed taxonomy, we intend to give researchers a better understanding of these attacks and provide a foundation for organising research efforts within this specific field.

    Empirical Analysis of Denial of Service Attack Against SMTP Servers

    In this paper we show that the performance of generic SMTP servers is more limited than we previously thought. We implemented an environment to test SMTP server performance, focusing on Denial of Service (DoS) attacks. Our measurements show that a standard SMTP server can be easily overloaded by sending simple email messages, and that the overload can occur without consuming all network bandwidth. Our measurements also show that the use of content filtering applications can harm performance so much that the server becomes even more vulnerable to DoS attacks. In the paper we describe the problems of performance measurement in an SMTP environment and we also give a detailed background on the performed measurements. KEYWORDS: E-mail, SMTP, DoS attack, benchmark, throughput

    Model for generating TCP/SYN Flooding attack prevention alerts

    A widely studied network security attack is one aimed at flooding a given resource with fictitious requests in order to force it to reject genuine requests for a service. This attack, called DoS (Denial of Service), has a variant based on flooding with TCP packets known as TCP/SYN. In this work, a model for DoS attack detection and alarm generation is proposed, based on the analysis and filtering of traffic captured in logs. The idea is to perform early detection with an alert system in order to minimize the risk when the source address is forged (faked/spoofed IP), and thus also be able to identify the real origin of the attack. Unlike typical schemes such as those implemented by IDSs, the proposed model filters network traffic by considering only the TCP headers that have the SYN bit set. In this way, traditional detection systems receive this filtered traffic and can optimize response times and reduce the probability of false positives in alarm generation. The essence and effectiveness of this model lie in its final stage, when the collected data, the intercepted TCP dialogues, are analyzed by applying filters to pcap files using a specific language that allows this processing. The use of GUI interfaces and front-end applications for log analysis can be effective when it comes to detecting complex attacks that are difficult to detect. The pcap format, which allows captured data to be converted to binary or text form, is well suited to these readings of packet headers through filters, type and direction modifiers, coordinate functions for sends and responses, and the primitive syntax and modifiers of any language that allows data captured on the network to be analyzed. The TCP stack is affected differently depending on the attack that is perpetrated. Implementing security solutions implies passive and active overhead on servers, hosts and communication systems, in addition to hardware resource consumption and the use of a variety of tools, especially the frameworks and front-ends that complement the management of most NIDS systems. A product of this research was the evidence and presence of "false positives" (IPs that were not flooding) and the overhead that log records generate on a system. Being able to identify them in a timely and accurate manner, and establishing a diagnostic and defense mechanism that does not overload the system, are processes that would require traffic analysis with specific filtering processes, and algorithms based on probability and occurrence functions compared against samples based on or referenced to the behavioral history of a system that may be affected by this type of attack.
    Universitat Oberta de Catalunya (UOC). Master's thesis, on-campus modality.

    IoT-MQTT based denial of service attack modelling and detection

    Internet of Things (IoT) is poised to transform the quality of life and provide new business opportunities with its wide range of applications. However, the benefits of this emerging paradigm are coupled with serious cyber security issues. The lack of strong cyber security measures in protecting IoT systems can result in cyber attacks targeting all the layers of IoT architecture, which includes the IoT devices, the IoT communication protocols and the services accessing the IoT data. Various IoT malware such as Mirai, BASHLITE and BrickBot show an already rising number of IoT device based attacks as well as the usage of infected IoT devices to launch other cyber attacks. However, as sustained IoT deployment and functionality are heavily reliant on the use of effective data communication protocols, the attacks on other layers of IoT architecture are anticipated to increase. In the IoT landscape, the publish/subscribe based Message Queuing Telemetry Transport (MQTT) protocol is widely popular. Hence, cyber security threats against the MQTT protocol are projected to rise at par with its increasing use by IoT manufacturers. In particular, the Internet-exposed MQTT brokers are vulnerable to protocol-based Application Layer Denial of Service (DoS) attacks, which have been known to cause widespread service disruptions in legacy systems. In this thesis, we propose Application Layer based DoS attacks that target the authentication and authorisation mechanism of the MQTT protocol. In addition, we also propose an MQTT protocol attack detection framework based on machine learning. Through extensive experiments, we demonstrate the impact of authentication and authorisation DoS attacks on three open-source MQTT brokers. Based on the proposed DoS attack scenarios, an IoT-MQTT attack dataset was generated to evaluate the effectiveness of the proposed framework to detect these malicious attacks. The DoS attack evaluation results obtained indicate that such attacks can overwhelm the MQTT brokers' resources even when legitimate access to them was denied and resources were restricted. The evaluations also indicate that the proposed DoS attack scenarios can significantly increase the MQTT message delay, especially for QoS2 messages, causing heavy-tail latencies. In addition, the proposed MQTT features showed high attack detection accuracy compared to simply using TCP based features to detect MQTT based attacks. It was also observed that the protocol field size and length based features drastically reduced the false positive rates and hence are suitable for detecting IoT based attacks.