A Churn for the Better: Localizing Censorship using Network-level Path Churn and Network Tomography

Recent years have seen the Internet become a key vehicle for citizens around the globe to express political opinions and organize protests. This fact has not gone unnoticed, with countries around the world repurposing network management tools (e.g., URL filtering products) and protocols (e.g., BGP, DNS) for censorship. However, repurposing these products can have unintended international impact, which we refer to as "censorship leakage". While there have been anecdotal reports of censorship leakage, there has yet to be a systematic study of censorship leakage at a global scale. In this paper, we combine a global censorship measurement platform (ICLab) with a general-purpose technique -- boolean network tomography -- to identify which AS on a network path is performing censorship. At a high-level, our approach exploits BGP churn to narrow down the set of potential censoring ASes by over 95%. We exactly identify 65 censoring ASes and find that the anomalies introduced by 24 of the 65 censoring ASes have an impact on users located in regions outside the jurisdiction of the censoring AS, resulting in the leaking of regional censorship policies

Designing and optimization of VOIP PBX infrastructure

In the recent decade, communication has stirred from the old wired medium such as public switched telephone network (PSTN) to the Internet. Present, Voice over Internet Protocol (VoIP) Technology used for communication on internet by means of packet switching technique. Several years ago, an internet protocol (IP) based organism was launched, which is known as Private Branch Exchange "PBX", as a substitute of common PSTN systems. For free communication, probably you must have to be pleased with starting of domestic calls. Although, fairly in few cases, VoIP services can considerably condense our periodical phone bills. For instance, if someone makes frequent global phone calls, VoIP talk service is the actual savings treat which cannot achieve by using regular switched phone. VoIP talk services strength help to trim down your phone bills if you deal with a lot of long-distance (international) and as well as domestic phone calls. However, with the VoIP success, threats and challenges also stay behind. In this dissertation, by penetration testing one will know that how to find network vulnerabilities how to attack them to exploit the network for unhealthy activities and also will know about some security techniques to secure a network. And the results will be achieved by penetration testing will indicate of proven of artefact and would be helpful to enhance the level of network security to build a more secure network in future

Consistent SDNs through Network State Fuzzing

The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Nevertheless, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to continuously test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly

Consistent SDNs through Network State Fuzzing

The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Unfortunately, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to periodically test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly while outperforming baseline approaches.Comment: Added three extra relevant references, the arXiv later was accepted in IEEE Transactions of Network and Service Management (TNSM), 2019 with the title "Towards Consistent SDNs: A Case for Network State Fuzzing

Localizing Security for Distributed Firewalls

In complex networks, filters may be applied at different nodes to control how packets flow. In this paper, we study how to locate filtering functionality within a network. We show how to enforce a set of security goals while allowing maximal service subject to the security constraints. Our contributions include a way to specify security goals for how packets traverse the network and an algorithm to distribute filtering functionality to different nodes in the network to enforce a given set of security goals

What Constitutes the Success or Failure of Multinational Corporations (MNCs) in Foreign Markets? A Case Study of Chinese and American MNCs

Scholars have identified multinational corporations (MNCs) as increasingly important and influential actors in international politics. However, mainstream international studies scholarship has failed to explain why MNCs succeed or fail in entering foreign markets. Market entry is a particularly vexing question for U.S. and Chinese firms seeking to compete for each other\u27s consumers. As this study shows, surprising differences in success among U.S. firms in China, as well as Chinese firms in the U.S., suggest that statist and market factors interact with corporate strategies in confounding ways. Through case studies in the internet, automobile and fast food industries, this dissertation builds a theoretical framework that better explains why some MNCs succeed in foreign markets while others fail. Empirical studies show that two contrasting cultures (universalism vs. particularism, individualism vs. collectivism, and rule-based vs. relation-based governance) make it more difficult for Chinese MNCs and American MNCs to adapt to their counterpart\u27s market. Although the study finds some support for the cultural dissimilarity argument, it finds that culture alone is an insufficient explanation. The results suggest that statist and market factors like ownership, sector industry, interest groups, entry mode and choice of location are also determinants of a MNC\u27s success in a foreign market. Based on those findings, the study provides suggestions for both Chinese MNCs and American MNCs seeking to compete in each other\u27s markets

Synergistic policy and virtual machine consolidation in cloud data centers

In modern Cloud Data Centers (DC)s, correct implementation of network policies is crucial to provide secure, efficient and high performance services for tenants. It is reported that the inefficient management of network policies accounts for 78% of DC downtime, challenged by the dynamically changing network characteristics and by the effects of dynamic Virtual Machine (VM) consolidation. While there has been significant research in policy and VM management, they have so far been treated as disjoint research problems. In this paper, we explore the simultaneous, dynamic VM and policy consolidation, and formulate the Policy-VM Consolidation (PVC) problem, which is shown to be NP-Hard. We then propose Sync, an efficient and synergistic scheme to jointly consolidate network policies and virtual machines. Extensive evaluation results and a testbed implementation of our controller show that policy and VM migration under Sync significantly reduces flow end-to-end delay by nearly 40%, and network-wide communication cost by 50% within few seconds, while adhering strictly to the requirements of network policies

Graph-based feature enrichment for online intrusion detection in virtual networks

The increasing number of connected devices to provide the required ubiquitousness of Internet of Things paves the way for distributed network attacks at an unprecedented scale. Graph theory, strengthened by machine learning techniques, improves an automatic discovery of group behavior patterns of network threats often omitted by traditional security systems. Furthermore, Network Function Virtualization is an emergent technology that accelerates the provisioning of on-demand security function chains tailored to an application. Therefore, repeatable compliance tests and performance comparison of such function chains are mandatory. The contributions of this dissertation are divided in two parts. First, we propose an intrusion detection system for online threat detection enriched by a graph-learning analysis. We develop a feature enrichment algorithm that infers metrics from a graph analysis. By using different machine learning techniques, we evaluated our algorithm for three network traffic datasets. We show that the proposed graph-based enrichment improves the threat detection accuracy up to 15.7% and significantly reduces the false positives rate. Second, we aim to evaluate intrusion detection systems deployed as virtual network functions. Therefore, we propose and develop SFCPerf, a framework for an automatic performance evaluation of service function chaining. To demonstrate SFCPerf functionality, we design and implement a prototype of a security service function chain, composed of our intrusion detection system and a firewall. We show the results of a SFCPerf experiment that evaluates the chain prototype on top of the open platform for network function virtualization (OPNFV).O crescente número de dispositivos IoT conectados contribui para a ocorrência de ataques distribuídos de negação de serviço a uma escala sem precedentes. A Teoria de Grafos, reforçada por técnicas de aprendizado de máquina, melhora a descoberta automática de padrões de comportamento de grupos de ameaças de rede, muitas vezes omitidas pelos sistemas tradicionais de segurança. Nesse sentido, a virtualização da função de rede é uma tecnologia emergente que pode acelerar o provisionamento de cadeias de funções de segurança sob demanda para uma aplicação. Portanto, a repetição de testes de conformidade e a comparação de desempenho de tais cadeias de funções são obrigatórios. As contribuições desta dissertação são separadas em duas partes. Primeiro, é proposto um sistema de detecção de intrusão que utiliza um enriquecimento baseado em grafos para aprimorar a detecção de ameaças online. Um algoritmo de enriquecimento de características é desenvolvido e avaliado através de diferentes técnicas de aprendizado de máquina. Os resultados mostram que o enriquecimento baseado em grafos melhora a acurácia da detecção de ameaças até 15,7 % e reduz significativamente o número de falsos positivos. Em seguida, para avaliar sistemas de detecção de intrusões implantados como funções virtuais de rede, este trabalho propõe e desenvolve o SFCPerf, um framework para avaliação automática de desempenho do encadeamento de funções de rede. Para demonstrar a funcionalidade do SFCPerf, ´e implementado e avaliado um protótipo de uma cadeia de funções de rede de segurança, composta por um sistema de detecção de intrusão (IDS) e um firewall sobre a plataforma aberta para virtualização de função de rede (OPNFV)

Development of a quality assurance prototype for intrusion detection systems

Thesis (Master)-- Izmir Institute of Technology, Computer Engineering, Izmir, 2002Includes bibliographical references (leaves: 75-79)Text in English; Abstract: Turkish and Englishix, 97 leavesQuality assurance is an essential activity for any business interacting with consumers. There are considerable number of projects going on to develop intrusion detection systems (IDSs). However, efforts to establish standards and practices to ensure the quality of such systems are comparatively less significant. The quality assurance activities for IDSs should ensure the conformance of explicitly stated functional and performance requirements as well as implicit characteristics that are expected from information security tools. This dissertation establishes guidelines to review, evaluate and possibly to develop an IDS. To establish guidelines, generic IDS and software requirements, software quality factors and design principles are used which are available in related literature and these requirements are presented both on developed generic IDS model and in Common Criteria Protection Profile format. First, the guidelines are developed, then they are implemented on a specific IDS product evaluation