Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures
Software-Defined Networking (SDN) is a new networking paradigm that grants a controller and its applications an omnipotent power to have holistic network visibility and flexible network programmability, thus enabling new innovations in network protocols and applications. One of the core advantages of SDN is its logically centralized control plane, which provides visibility of the entire network and on which many SDN applications rely. For the first time in the literature, we propose new attack vectors unique to SDN that seriously challenge this foundation. Our new attacks are somewhat similar in spirit to spoofing attacks in legacy networks (e.g., the ARP poisoning attack), but with significant differences: they exploit vulnerabilities unique to how current SDN operates, which differs from legacy networks. The successful attacks can effectively poison the network topology information, a fundamental building block for core SDN components and topology-aware SDN applications. With the poisoned network visibility, the upper-layer OpenFlow controller services/apps may be totally misled, leading to serious hijacking, denial of service or man-in-the-middle attacks. According to our study, all current major SDN controllers we find in the market (e.g., Floodlight, OpenDaylight, Beacon, and POX) are affected, i.e., they are subject to the Network Topology Poisoning Attacks. We then investigate the mitigation methods against the Network Topology Poisoning Attacks and present TopoGuard, a new security extension to SDN controllers, which provides automatic and real-time detection of Network Topology Poisoning Attacks. Our evaluation on a prototype implementation of TopoGuard in the Floodlight controller shows that the defense solution can effectively secure network topology while introducing only a minor impact on normal operations of OpenFlow controllers.
Automation for network security configuration: state of the art and research trends
The size and complexity of modern computer networks are progressively increasing, as a consequence of novel architectural paradigms such as the Internet of Things and network virtualization. Consequently, manual orchestration and configuration of network security functions is no longer feasible in an environment where cyber attacks can dramatically exploit breaches caused by even the smallest configuration error. A new frontier is therefore the introduction of automation in network security configuration, i.e., automatically designing the architecture of security services and the configurations of network security functions, such as firewalls, VPN gateways, etc. This opportunity has been enabled by modern computer network technologies, such as virtualization. In view of these considerations, the motivations for the introduction of automation in network security configuration are first introduced, along with the key automation enablers. Then, the current state of the art in this context is surveyed, focusing on both the achieved improvements and the current limitations. Finally, possible future trends in the field are illustrated.
Secure Virtual Machine Migration in Cloud Data Centers
While elasticity represents a valuable asset in cloud computing environments, it may bring critical security issues. In the cloud, virtual machines (VMs) are dynamically and frequently migrated across data centers from one host to another. This frequent modification of the topology requires constant reconfiguration of security mechanisms, particularly the ones we consider here: firewalls, intrusion detection/prevention, and IPsec policies. However, manually managing complex security rules is time-consuming and error-prone. Furthermore, the scale and complexity of data centers are continually increasing, which makes it difficult to rely on the cloud provider's administrators to update and validate the security mechanisms.

In this thesis, we propose a security verification framework, with a particular interest in the above-mentioned security mechanisms, to address the issue of security policy preservation in the highly dynamic context of cloud computing. This framework enables us to verify that the global security policy after the migration is consistently preserved with respect to the initial one. Thus, we propose a systematic procedure to verify the security compliance of firewall policies, intrusion detection/prevention, and IPsec configurations after VM migration. First, we develop a process algebra called cloud calculus, which allows specifying the network topology and security configurations. It also enables specifying the migration of virtual machines along with their security policies.

Then, the distributed firewall configurations in the involved data centers are defined according to the network topology expressed using cloud calculus. We show how our verification problem can be reduced to a constraint satisfaction problem that, once solved, allows reasoning about the preservation of firewall traffic filtering. Similarly, we present our approach to the verification of intrusion detection monitoring preservation as well as IPsec traffic protection preservation using constraint satisfaction problems. We derive a set of constraints that compare security configurations before and after migration.

The obtained constraints are formulated as constraint satisfaction problems and then submitted to a SAT solver, namely Sugar, in order to verify security preservation properties and to pinpoint configuration errors, if any, before the actual migration of the security context and the virtual machine. In addition, we present case studies for the given security mechanisms in order to show the applicability and usefulness of our framework, and demonstrate the scalability of our approach.
Vérification et configuration automatiques de pare-feux par Model Checking et synthèse de contrôleur
SUMMARY
Firewalls play a crucial role in enforcing a network's security policy. However, their configuration, which often requires human intervention, is a major source of security flaws. Consequently, automated solutions are needed to detect firewall configuration inconsistencies.

In this thesis, we propose approaches to assist firewall configuration, based on formal techniques such as model checking and controller synthesis. The first approach uses model checking to verify the consistency of the firewalls with respect to a security objective and, where applicable, to detect inconsistencies. In particular, it can check for cross-path inconsistency (i.e., if a packet is rejected by one of the firewalls on the way to its destination, it must not be able to reach that destination by taking another path).

We extend this approach, using SMC-UPPAAL, to study network performance as a function of quality-of-service parameters such as packet forwarding delay, waiting delay and loss rate. Among other things, this extension makes it possible to compute the probability that a packet passing through a malicious node is accepted, the probability that a node fails, and the packet acceptance and rejection rates.

In addition, we propose a formal approach for formally configuring the private firewalls on a network, in accordance with a given security objective, using the controller synthesis technique implemented by the UPPAAL-TIGA tool. Furthermore, to mitigate the combinatorial explosion problem inherent in model checking and controller synthesis, the approaches proposed here are based on abstractions. Experimental studies are conducted to demonstrate the performance of these abstractions.
ABSTRACT
Firewalls play a crucial role in the enforcement of network security policies. However, their configuration, which often requires human intervention, is a major source of security vulnerabilities. Therefore, automated solutions are needed in order to detect firewall configuration inconsistencies.

In this master's thesis, we propose approaches to support firewall configuration based on formal techniques such as model checking and controller synthesis. The first approach is used to check firewall consistency by model checking with respect to a security objective and to detect firewall configuration incoherencies such as cross-path incoherence (i.e., if a packet is rejected by a firewall on the way to its destination, it cannot reach it by taking a different path). We extend this approach, using SMC UPPAAL, to study the network performance according to QoS parameters such as end-to-end routing time, latency and loss rate. This extension allows, inter alia, the computation of the probability of accepting a packet passing through a malicious node, the probability that a node fails, and packet acceptance or rejection rates.

In addition, we propose another approach to formally configure private firewalls on a network, according to a given security policy, using the controller synthesis technique implemented in the UPPAAL TIGA tool. Furthermore, to alleviate the problem of combinatorial explosion inherent in model checking and controller synthesis, the approaches proposed here are based on abstractions. Experimental studies were conducted to demonstrate the performance of these abstractions.
Towards Protection Against Low-Rate Distributed Denial of Service Attacks in Platform-as-a-Service Cloud Services
Nowadays, the variety of technology available to perform daily tasks is abundant, and different businesses and people benefit from this diversity. The more technology evolves, the more useful it becomes, but it also becomes a target for malicious users. Cloud Computing is one of the technologies that has been adopted by different companies worldwide throughout the years. Its popularity is essentially due to its characteristics and the way it delivers its services. This Cloud expansion also means that malicious users may try to exploit it, as the research studies presented throughout this work revealed. According to these studies, the Denial of Service attack is a type of threat that is always trying to take advantage of Cloud Computing services.

Several companies have moved or are moving their services to hosted environments provided by Cloud Service Providers and are using several applications based on those services. The literature on the subject brings to attention that, because of this expansion in Cloud adoption, the use of applications has increased. Therefore, DoS threats are aiming at the Application Layer more, and additionally, advanced variations are being used, such as Low-Rate Distributed Denial of Service attacks. Some research is being conducted specifically on the detection and mitigation of this kind of threat, and the significant problem found within this DDoS variant is the difficulty of differentiating malicious traffic from legitimate user traffic. The main goal of this attack is to exploit the communication aspect of the HTTP protocol, sending legitimate traffic with small changes to fill the requests of a server slowly, resulting in almost stopping the access of real users to the server resources during the attack.

This kind of attack usually has a small time window, but in order to be more efficient, it is launched from infected computers forming a network of attackers, transforming it into a Distributed attack. For this work, the idea to battle Low-Rate Distributed Denial of Service attacks is to integrate different technologies inside a Hybrid Application whose main goal is to identify and separate malicious traffic from legitimate traffic. First, a study is done to observe the behavior of each type of Low-Rate attack in order to gather specific information related to their characteristics while the attack is executing in real time. Then, that packet information is collected using Tshark filters. The next step is to develop combinations of specific information obtained from the packet filtering and compare them. Finally, each packet is analyzed based on these combination patterns. A log file is created to store the data gathered after the Entropy calculation in a friendly format.

In order to test the efficiency of the application, a Cloud virtual infrastructure was built using OpenNebula Sandbox and Apache Web Server. Two tests were done against the infrastructure: the first test had the objective of verifying the effectiveness of the tool proportionally against the Cloud environment created. Based on the results of this test, a second test was proposed to demonstrate how the Hybrid Application works against the attacks performed. The conclusion of the tests presented how the types of Slow-Rate DDoS can be disruptive and also exhibited promising results of the Hybrid Application's performance against Low-Rate Distributed Denial of Service attacks. The Hybrid Application was successful in identifying each type of Low-Rate DDoS, separating the traffic, and generating few false positives in the process. The results are displayed in the form of parameters and graphs.

Nowadays, the variety of technologies that perform daily tasks is abundant, and different companies and people benefit from this diversity. The more technology evolves, the more commonplace it becomes; in contrast, these companies end up becoming targets of malicious activity. Cloud Computing is one of the technologies that has been adopted by companies in different segments around the world over the years. Its popularity is mainly due to its characteristics and the way it delivers its services to the customer. This expansion of Cloud Computing also implies that malicious users may try to exploit it, as the research studies presented throughout this work reveal. Also according to these studies, Denial of Service attacks are a type of threat that is always trying to take advantage of Cloud Computing services.

Several companies have moved or are moving their services to hosted environments provided by Cloud Computing providers and are using several applications based on these services. The existing literature on this topic draws attention to the fact that, because of this expansion in the adoption of Cloud services, the use of applications has increased. Therefore, Denial of Service threats are increasingly targeting the application layer and, in addition, more advanced attack variations are being used, such as Low-Rate Distributed Denial of Service. Some research is being done specifically on the detection and mitigation of this type of threat, and the biggest problem found in this variant is distinguishing malicious traffic from legitimate traffic. The main objective of this threat is to exploit the way the HTTP protocol works, sending legitimate traffic with small modifications to fill the requests made to a server slowly, making it almost impossible for legitimate users to access the server's resources during the attack.

This type of attack usually has a short time window but, to gain better efficiency, the attack is propagated using infected computers, creating an attack network and turning into a distributed attack. For this work, the idea for combating Low-Rate Distributed Denial of Service attacks is to integrate different technologies into a Hybrid Application whose main objective is to identify and separate malicious traffic from legitimate traffic. First, a study is done to observe the behaviour of each type of Low-Rate attack, in order to collect specific information related to their characteristics when the attack is executed in real time. Then, this information is obtained using the filters of the Tshark program. The next step is to create combinations of the specific information obtained from the packets and compare them. Finally, each packet is analysed based on the combination patterns created. A log file is created at the end to store the data collected after the Entropy calculation in a friendly format.

In order to test the efficiency of the Hybrid Application, a virtual Cloud infrastructure was built using OpenNebula Sandbox and Apache servers. Two tests were performed against the infrastructure; the first test had the objective of verifying the effectiveness of the tool proportionally against the Cloud environment created. Based on the results of this test, a second test was proposed to verify the operation of the Hybrid Application against the attacks performed. The conclusion of the tests showed how the types of Low-Rate Distributed Denial of Service attacks can be disruptive and also revealed promising results regarding the performance of the Hybrid Application against this threat. The Hybrid Application succeeded in identifying each type of Low-Rate Distributed Denial of Service attack, in separating the traffic, and generated few false positives during the process. The results are displayed in the form of parameters and graphs.
A Comprehensive Survey of Voice over IP Security Research
We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significantly more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black-box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems.