A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection
Enterprise networks that host valuable assets and services are popular and
frequent targets of distributed network attacks. In order to cope with the
ever-increasing threats, industrial and research communities develop systems
and methods to monitor the behaviors of their assets and protect them from
critical attacks. In this paper, we systematically survey related research
articles and industrial systems to highlight the current status of this arms
race in enterprise network security. First, we discuss the taxonomy of
distributed network attacks on enterprise assets, including distributed
denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing
methods in monitoring and classifying network behavior of enterprise hosts to
verify their benign activities and isolate potential anomalies. Third,
state-of-the-art detection methods for distributed network attacks sourced from
external attackers are elaborated, highlighting their merits and bottlenecks.
Fourth, as programmable networks and machine learning (ML) techniques are
increasingly becoming adopted by the community, their current applications in
network security are discussed. Finally, we highlight several research gaps on
enterprise network security to inspire future research.
Comment: Journal paper submitted to Elsevier
A Survey of Network Requirements for Enabling Effective Cyber Deception
In the evolving landscape of cybersecurity, the utilization of cyber
deception has gained prominence as a proactive defense strategy against
sophisticated attacks. This paper presents a comprehensive survey that
investigates the crucial network requirements essential for the successful
implementation of effective cyber deception techniques. With a focus on diverse
network architectures and topologies, we delve into the intricate relationship
between network characteristics and the deployment of deception mechanisms.
This survey provides an in-depth analysis of prevailing cyber deception
frameworks, highlighting their strengths and limitations in meeting the
requirements for optimal efficacy. By synthesizing insights from both
theoretical and practical perspectives, we contribute to a comprehensive
understanding of the network prerequisites crucial for enabling robust and
adaptable cyber deception strategies.
Automating Mitigation of Amplification Attacks in NFV Services
The combination of virtualization techniques with capillary computing and storage resources allows the instantiation of Virtual Network Functions throughout the network infrastructure, which brings more agility in the development and operation of network services. Besides forwarding and routing, this can also be used for additional functions, e.g., for security purposes. In this paper, we present a framework to systematically create security analytics for virtualized network services, specifically targeting the detection of cyber-attacks. Our framework largely automates the deployment of security sidecars into existing service templates and their interconnection to an external analytics platform. Notably, it leverages code augmentation techniques to dynamically inject and remove inspection probes without affecting service operation. We describe the implementation of a use case for the detection of DNS amplification attacks in virtualized 5G networks, and provide an extensive evaluation of our innovative inspection and detection mechanisms. Our results demonstrate better efficiency with respect to existing network monitoring tools in terms of CPU usage, as well as good accuracy in detecting attacks even with variable traffic patterns.
Distributed reflection denial of service attack: A critical review
As the world becomes increasingly connected, the number of users grows exponentially and “things” go online, the prospect of cyberspace becoming a significant target for cybercriminals is a reality. Any host or device that is exposed on the internet is a prime target for cyberattacks. Denial-of-service (DoS) attacks are accountable for the majority of these cyberattacks. Although various solutions have been proposed by researchers to mitigate this issue, cybercriminals always adapt their attack approach to circumvent countermeasures. One of the modified DoS attacks is known as the distributed reflection denial-of-service (DRDoS) attack. This type of attack is considered to be a more severe variant of the DoS attack and can be conducted over the transmission control protocol (TCP) and the user datagram protocol (UDP). However, this attack is not effective over TCP due to the three-way handshake, which prevents this type of attack from passing through the network layer to the upper layers in the network stack. On the other hand, UDP is a connectionless protocol, so most of these DRDoS attacks pass through UDP. This study aims to examine and identify the differences between TCP-based and UDP-based DRDoS attacks.
Why (and How) Networks Should Run Themselves
The proliferation of networked devices, systems, and applications that we
depend on every day makes managing networks more important than ever. The
increasing security, availability, and performance demands of these
applications suggest that these increasingly difficult network management
problems be solved in real time, across a complex web of interacting protocols
and systems. Alas, just as the importance of network management has increased,
the network has grown so complex that it is seemingly unmanageable. In this new
era, network management requires a fundamentally new approach. Instead of
optimizations based on closed-form analysis of individual protocols, network
operators need data-driven, machine-learning-based models of end-to-end and
application performance based on high-level policy goals and a holistic view of
the underlying components. Instead of anomaly detection algorithms that operate
on offline analysis of network traces, operators need classification and
detection algorithms that can make real-time, closed-loop decisions. Networks
should learn to drive themselves. This paper explores this concept, discussing
how we might attain this ambitious goal by more closely coupling measurement
with real-time control and by relying on learning for inference and prediction
about a networked application or system, as opposed to closed-form analysis of
individual protocols.
The Closed Resolver Project: Measuring the Deployment of Source Address Validation of Inbound Traffic
Source Address Validation (SAV) is a standard aimed at discarding packets
with spoofed source IP addresses. The absence of SAV for outgoing traffic has
been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and
received widespread attention. While less obvious, the absence of inbound
filtering enables an attacker to appear as an internal host of a network and
may reveal valuable information about the network infrastructure. Inbound IP
spoofing may amplify other attack vectors such as DNS cache poisoning or the
recently discovered NXNSAttack. In this paper, we present the preliminary
results of the Closed Resolver Project that aims at mitigating the problem of
inbound IP spoofing. We perform the first Internet-wide active measurement
study to enumerate networks that filter or do not filter incoming packets by
their source address, for both the IPv4 and IPv6 address spaces. To achieve
this, we identify closed and open DNS resolvers that accept spoofed requests
coming from the outside of their network. The proposed method provides the most
complete picture of inbound SAV deployment by network providers. Our
measurements cover over 55 % IPv4 and 27 % IPv6 Autonomous Systems (AS) and
reveal that the great majority of them are fully or partially vulnerable to
inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally
show that inbound filtering is less often deployed for IPv6 than it is for
IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for
amplification DDoS attacks - 13 times more than previous work. Furthermore, we
uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that
could only be detected thanks to our spoofing technique, and that pose a
significant threat when combined with the NXNSAttack.
Comment: arXiv admin note: substantial text overlap with arXiv:2002.0044