499 research outputs found

    A Defense Framework Against Denial-of-Service in Computer Networks

    Denial-of-Service (DoS) is a computer security problem that poses a serious challenge to trustworthiness of services deployed over computer networks. The aim of DoS attacks is to make services unavailable to legitimate users, and current network architectures allow easy-to-launch, hard-to-stop DoS attacks. Particularly challenging are the service-level DoS attacks, whereby the victim service is flooded with legitimate-like requests, and the jamming attack, in which wireless communication is blocked by malicious radio interference. These attacks are overwhelming even for massively-resourced services, and effective and efficient defenses are highly needed. This work contributes a novel defense framework, which I call dodging, against service-level DoS and wireless jamming. Dodging has two components: (1) the careful assignment of servers to clients to achieve accurate and quick identification of service-level DoS attackers and (2) the continuous and unpredictable-to-attackers reconfiguration of the client-server assignment and the radio-channel mapping to withstand service-level and jamming DoS attacks. Dodging creates hard-to-evade baits, or traps, and dilutes the attack "fire power". The traps identify the attackers when they violate the mapping function and even when they attack while correctly following the mapping function. Moreover, dodging keeps attackers "in the dark", trying to follow the unpredictably changing mapping. They may hit a few times but lose "precious" time before they are identified and stopped. Three dodging-based DoS defense algorithms are developed in this work. They are more resource-efficient than state-of-the-art DoS detection and mitigation techniques. Honeybees combines channel hopping and error-correcting codes to achieve bandwidth-efficient and energy-efficient mitigation of jamming in multi-radio networks.
In roaming honeypots, dodging enables the camouflaging of honeypots, or trap machines, as real servers, making it hard for attackers to locate and avoid the traps. Furthermore, shuffling requests over servers opens up windows of opportunity, during which legitimate requests are serviced. Live baiting efficiently identifies service-level DoS attackers by employing results from the group-testing theory, discovering defective members in a population using the minimum number of tests. The cost and benefit of the dodging algorithms are analyzed theoretically, in simulation, and using prototype experiments.

    Game-Theoretic Frameworks and Strategies for Defense Against Network Jamming and Collocation Attacks

    Modern networks are becoming increasingly more complex, heterogeneous, and densely connected. While more diverse services are enabled to an ever-increasing number of users through ubiquitous networking and pervasive computing, several important challenges have emerged. For example, densely connected networks are prone to higher levels of interference, which makes them more vulnerable to jamming attacks. Also, the utilization of software-based protocols to perform routing, load balancing and power management functions in Software-Defined Networks gives rise to more vulnerabilities that could be exploited by malicious users and adversaries. Moreover, the increased reliance on cloud computing services due to a growing demand for communication and computation resources poses formidable security challenges due to the shared nature and virtualization of cloud computing. In this thesis, we study two types of attacks: jamming attacks on wireless networks and side-channel attacks on cloud computing servers. The former attacks disrupt the natural network operation by exploiting the static topology and dynamic channel assignment in wireless networks, while the latter attacks seek to gain access to unauthorized data by co-residing with target virtual machines (VMs) on the same physical node in a cloud server. In both attacks, the adversary faces a static attack surface and achieves her illegitimate goal by exploiting a stationary aspect of the network functionality. Hence, this dissertation proposes and develops counter approaches to both attacks using moving target defense strategies. We study the strategic interactions between the adversary and the network administrator within a game-theoretic framework. First, in the context of jamming attacks, we present and analyze a game-theoretic formulation between the adversary and the network defender. 
In this problem, the attack surface is the network connectivity (the static topology) as the adversary jams a subset of nodes to increase the level of interference in the network. On the other side, the defender makes judicious adjustments of the transmission footprint of the various nodes, thereby continuously adapting the underlying network topology to reduce the impact of the attack. The defender's strategy is based on playing Nash equilibrium strategies securing a worst-case network utility. Moreover, scalable decomposition-based approaches are developed yielding a scalable defense strategy whose performance closely approaches that of the non-decomposed game for large-scale and dense networks. We study a class of games considering discrete as well as continuous power levels. In the second problem, we consider multi-tenant clouds, where a number of VMs are typically collocated on the same physical machine to optimize performance and power consumption and maximize profit. This increases the risk of a malicious virtual machine performing side-channel attacks and leaking sensitive information from neighboring VMs. The attack surface, in this case, is the static residency of VMs on a set of physical nodes, hence we develop a timed migration defense approach. Specifically, we analyze a timing game in which the cloud provider decides when to migrate a VM to a different physical machine to mitigate the risk of being compromised by a collocated malicious VM. The adversary decides the rate at which she launches new VMs to collocate with the victim VMs. Our formulation captures a data leakage model in which the cost incurred by the cloud provider depends on the duration of collocation with malicious VMs. It also captures costs incurred by the adversary in launching new VMs and by the defender in migrating VMs.
We establish sufficient conditions for the existence of Nash equilibria for general cost functions, as well as for specific instantiations, and characterize the best response for both players. Furthermore, we extend our model to characterize its impact on the attacker's payoff when the cloud utilizes intrusion detection systems that detect side-channel attacks. Our theoretical findings are corroborated with extensive numerical results in various settings as well as a proof-of-concept implementation in a realistic cloud setting.

    Cognitive Radio for Smart Grid with Security Considerations

    In this paper, we investigate how Cognitive Radio as a means of communication can be utilized to serve a smart grid deployment end to end, from a home area network to power generation. We show how Cognitive Radio can be mapped to integrate the possible different communication networks within a smart grid large scale deployment. In addition, various applications in smart grid are defined and discussed showing how Cognitive Radio can be used to fulfill their communication requirements. Moreover, information security issues pertaining to the use of Cognitive Radio in a smart grid environment at different levels and layers are discussed and mitigation techniques are suggested. Finally, the well-known Role-Based Access Control (RBAC) is integrated with the Cognitive Radio part of a smart grid communication network to protect against unauthorized access to customer’s data and to the network at large.

    Synoptic analysis techniques for intrusion detection in wireless networks

    Current system administrators are missing intrusion alerts hidden by large numbers of false positives. Rather than accumulating more data to identify true alerts, we propose an intrusion detection tool that effectively uses select data to provide a picture of "network health". Our hypothesis is that by utilizing the data available at both the node and cooperative network levels we can create a synoptic picture of the network providing indications of many intrusions or other network issues. Our major contribution is to provide a revolutionary way to analyze node and network data for patterns, dependence, and effects that indicate network issues. We collect node and network data, combine and manipulate it, and tease out information about the state of the network. We present a method based on utilizing the number of packets sent, number of packets received, node reliability, route reliability, and entropy to develop a synoptic picture of the network health in the presence of a sinkhole and a HELLO Flood attacker. This method conserves network throughput and node energy by requiring no additional control messages to be sent between the nodes unless an attacker is suspected. We intend to show that, although the concept of an intrusion detection system is not revolutionary, the method in which we analyze the data for clues about network intrusion and performance is highly innovative.

    QF-MAC: Adaptive, Local Channel Hopping for Interference Avoidance in Wireless Meshes

    The throughput efficiency of a wireless mesh network with potentially malicious external or internal interference can be significantly improved by equipping routers with multi-radio access over multiple channels. For reliably mitigating the effect of interference, frequency diversity (e.g., channel hopping) and time diversity (e.g., carrier sense multiple access) are conventionally leveraged to schedule communication channels. However, multi-radio scheduling over a limited set of channels to minimize the effect of interference and maximize network performance in the presence of concurrent network flows remains a challenging problem. The state-of-the-practice in channel scheduling of multi-radios reveals not only gaps in achieving network capacity but also significant communication overhead. This paper proposes an adaptive channel hopping algorithm for multi-radio communication, QuickFire MAC (QF-MAC), that assigns per-node, per-flow "local" channel hopping sequences, using only one-hop neighborhood coordination. QF-MAC achieves a substantial enhancement of throughput and latency with low control overhead. QF-MAC also achieves robustness against network dynamics, i.e., mobility and external interference, and selective jamming attacker where a global channel hopping sequence (e.g., TSCH) fails to sustain the communication performance. Our simulation results quantify the performance gains of QF-MAC in terms of goodput, latency, reliability, communication overhead, and jamming tolerance, both in the presence and absence of mobility, across diverse configurations of network densities, sizes, and concurrent flows.

    A Lightweight Secure and Resilient Transmission Scheme for the Internet of Things in the Presence of a Hostile Jammer

    In this article, we propose a lightweight security scheme for ensuring both information confidentiality and transmission resiliency in the Internet-of-Things (IoT) communication. A single-antenna transmitter communicates with a half-duplex single-antenna receiver in the presence of a sophisticated multiple-antenna-aided passive eavesdropper and a multiple-antenna-assisted hostile jammer (HJ). A low-complexity artificial noise (AN) injection scheme is proposed for drowning out the eavesdropper. Furthermore, for enhancing the resilience against HJ attacks, the legitimate nodes exploit their own local observations of the wireless channel as the source of randomness to agree on shared secret keys. The secret key is utilized for the frequency hopping (FH) sequence of the proposed communication system. We then proceed to derive a new closed-form expression for the achievable secret key rate (SKR) and the ergodic secrecy rate (ESR) for characterizing the secrecy benefits of our proposed scheme, in terms of both information secrecy and transmission resiliency. Moreover, the optimal power sharing between the AN and the message signal is investigated with the objective of enhancing the secrecy rate. Finally, through extensive simulations, we demonstrate that our proposed system model outperforms the state-of-the-art transmission schemes in terms of secrecy and resiliency. Several numerical examples and discussions are also provided to offer further engineering insights.

    An Energy Aware and Secure MAC Protocol for Tackling Denial of Sleep Attacks in Wireless Sensor Networks

    Wireless sensor networks, which form part of the core for the Internet of Things, consist of resource constrained sensors that are usually powered by batteries. Therefore, careful energy awareness is essential when working with these devices. Indeed, the introduction of security techniques such as authentication and encryption, to ensure confidentiality and integrity of data, can place higher energy load on the sensors. However, the absence of security protection could give room for energy drain attacks such as denial of sleep attacks, which have a higher negative impact on the life span of the sensors than the presence of security features. This thesis, therefore, focuses on tackling denial of sleep attacks from two perspectives: a security perspective and an energy efficiency perspective. The security perspective involves evaluating and ranking a number of security based techniques to curbing denial of sleep attacks. The energy efficiency perspective, on the other hand, involves exploring duty cycling and simulating three Media Access Control protocols (Sensor MAC, Timeout MAC and TunableMAC) under different network sizes and measuring different parameters such as the Received Signal Strength (RSSI) and Link Quality Indicator, transmit power, throughput and energy efficiency. Duty cycling happens to be one of the major techniques for conserving energy in wireless sensor networks and this research aims to answer questions with regards to the effect of duty cycles on the energy efficiency as well as the throughput of three duty cycle protocols (Sensor MAC, Timeout MAC and TunableMAC) in addition to creating a novel MAC protocol that is also more resilient to denial of sleep attacks than existing protocols.
The main contributions to knowledge from this thesis are the developed framework used for evaluation of existing denial of sleep attack solutions and the algorithms which fuel the other contribution to knowledge: a newly developed protocol tested on the Castalia Simulator on the OMNET++ platform. The new protocol has been compared with existing protocols and has been found to have significant improvement in energy efficiency and also better resilience to denial of sleep attacks. Part of this research has been published: two conference publications in IEEE Explore and one workshop paper.

    A Survey on the Security and the Evolution of Osmotic and Catalytic Computing for 5G Networks

    The 5G networks have the capability to provide high compatibility for the new applications, industries, and business models. These networks can tremendously improve the quality of life by enabling various use cases that require high data-rate, low latency, and continuous connectivity for applications pertaining to eHealth, automatic vehicles, smart cities, smart grid, and the Internet of Things (IoT). However, these applications need secure servicing as well as resource policing for effective network formations. There have been a lot of studies, which emphasized the security aspects of 5G networks while focusing only on the adaptability features of these networks. However, there is a gap in the literature which particularly needs to follow recent computing paradigms as alternative mechanisms for the enhancement of security. To cover this, a detailed description of the security for the 5G networks is presented in this article along with the discussions on the evolution of osmotic and catalytic computing-based security modules. The taxonomy on the basis of security requirements is presented, which also includes the comparison of the existing state-of-the-art solutions. This article also provides a security model, "CATMOSIS", which idealizes the incorporation of security features on the basis of catalytic and osmotic computing in the 5G networks. Finally, various security challenges and open issues are discussed to emphasize the works to follow in this direction of research. Comment: 34 pages, 7 tables, 7 figures, Published In 5G Enabled Secure Wireless Networks, pp. 69-102. Springer, Cham, 201