350 research outputs found

    Network Traffic Measurements, Applications to Internet Services and Security

    Get PDF
    The Internet has become along the years a pervasive network interconnecting billions of users and is now playing the role of collector for a multitude of tasks, ranging from professional activities to personal interactions. From a technical standpoint, novel architectures, e.g., cloud-based services and content delivery networks, innovative devices, e.g., smartphones and connected wearables, and security threats, e.g., DDoS attacks, are posing new challenges in understanding network dynamics. In such complex scenario, network measurements play a central role to guide traffic management, improve network design, and evaluate application requirements. In addition, increasing importance is devoted to the quality of experience provided to final users, which requires thorough investigations on both the transport network and the design of Internet services. In this thesis, we stress the importance of users’ centrality by focusing on the traffic they exchange with the network. To do so, we design methodologies complementing passive and active measurements, as well as post-processing techniques belonging to the machine learning and statistics domains. Traffic exchanged by Internet users can be classified in three macro-groups: (i) Outbound, produced by users’ devices and pushed to the network; (ii) unsolicited, part of malicious attacks threatening users’ security; and (iii) inbound, directed to users’ devices and retrieved from remote servers. For each of the above categories, we address specific research topics consisting in the benchmarking of personal cloud storage services, the automatic identification of Internet threats, and the assessment of quality of experience in the Web domain, respectively. Results comprise several contributions in the scope of each research topic. In short, they shed light on (i) the interplay among design choices of cloud storage services, which severely impact the performance provided to end users; (ii) the feasibility of designing a general purpose classifier to detect malicious attacks, without chasing threat specificities; and (iii) the relevance of appropriate means to evaluate the perceived quality of Web pages delivery, strengthening the need of users’ feedbacks for a factual assessment

    Performance Evaluation of UHCF Using TTL Probing for Packet Spoofing Detection in MANET

    Get PDF
    ABSTRACT: Now days various types of network came into existence which supports medium based communication such as wired and wireless. Among them the network which works for temporary basis and gets disconnected after the time limit or connection expires. Ad hoc network supports short durational connection between movable nodes and gets terminated after the communication is over. Mobile ad-hoc network is one of the ad-hoc network having movable nodes communicating with the help of mobility aware routing protocols without any infrastructural elements such as router or switches. Here the mobile nodes itself serves the functionality of router. These network support dynamic environment and sudden changes which causes various unauthenticated devices and services starts operating in normal environment. It causes degradation in normal performance of the network and their behaviour changes as planned by these attacks. IP Spoofing is known as one of these attack in which the normal packets is gets changed or affected by some attacker's packet in network. Quantity of this spoofed packet somewhere had been lost in normal traffic and the detection methodologies needs to make a clear separation between normal and spoofed traffic. The above functionality is achieved by some traditional methods works on the concept of Hop Count Filter (HCF) mechanism. But the traditional HCF method only measures the TTL maximum up to 30 hops limit and the packet coming from larger hops will be taken to be spoofed but it was not the case all the time. Sometimes actual packet might come from more hops. Its solution is been drafted as UHCF (Updated Hop Count Filtering) mechanism suggested i

    LZfuzz: a fast compression-based fuzzer for poorly documented protocols

    Get PDF
    Real-world infrastructure offers many scenarios where protocols (and other details) are not released due to being considered too sensitive or for other reasons. This situation makes it hard to apply fuzzing techniques to test their security and reliability, since their full documentation is only available to their developers, and domain developer expertise does not necessarily intersect with fuzz-testing expertise (nor deployment responsibility). State-of-the-art fuzzing techniques, however, work best when protocol specifications are available. Still, operators whose networks include equipment communicating via proprietary protocols should be able to reap the benefits of fuzz-testing them. In particular, administrators should be able to test proprietary protocols in the absence of end-to-end application-level encryption to understand whether they can withstand injection of bad traffic, and thus be able to plan adequate network protection measures. Such protocols can be observed in action prior to fuzzing, and packet captures can be used to learn enough about the structure of the protocol to make fuzzing more efficient. Various machine learning approaches, e.g. bioinformatics methods, have been proposed for learning models of the targeted protocols. The problem with most of these approaches to date is that, although sometimes quite successful, they are very computationally heavy and thus are hardly practical for application by network administrators and equipment owners who cannot easily dedicate a compute cluster to such tasks. We propose a simple method that, despite its roughness, allowed us to learn facts useful for fuzzing from protocol traces at much smaller CPU and time costs. Our fuzzing approach proved itself empirically in testing actual proprietary SCADA protocols in an isolated control network test environment, and was also successful in triggering flaws in implementations of several popular commodity Internet protocols. Our fuzzer, LZfuzz (pronounced ``lazy-fuzz\u27\u27) relies on a variant of Lempel--Ziv compression algorithm to guess boundaries between the structural units of the protocol, and builds on the well-known free software GPF fuzzer

    Dynamic monitoring of Android malware behavior: a DNS-based approach

    Get PDF
    The increasing technological revolution of the mobile smart devices fosters their wide use. Since mobile users rely on unofficial or thirdparty repositories in order to freely install paid applications, lots of security and privacy issues are generated. Thus, at the same time that Android phones become very popular and growing rapidly their market share, so it is the number of malicious applications targeting them. Yet, current mobile malware detection and analysis technologies are very limited and ineffective. Due to the particular traits of mobile devices such as the power consumption constraints that make unaffordable to run traditional PC detection engines on the device; therefore mobile security faces new challenges, especially on dynamic runtime malware detection. This approach is import because many instructions or infections could happen after an application is installed or executed. On the one hand, recent studies have shown that the network-based analysis, where applications could be also analyzed by observing the network traffic they generate, enabling us to detect malicious activities occurring on the smart device. On the other hand, the aggressors rely on DNS to provide adjustable and resilient communication between compromised client machines and malicious infrastructure. So, having rich DNS traffic information is very important to identify malevolent behavior, then using DNS for malware detection is a logical step in the dynamic analysis because malicious URLs are common and the present danger for cybersecurity. Therefore, the main goal of this thesis is to combine and correlate two approaches: top-down detection by identifying malware domains using DNS traces at the network level, and bottom-up detection at the device level using the dynamic analysis in order to capture the URLs requested on a number of applications to pinpoint the malware. For malware detection and visualization, we propose a system which is based on dynamic analysis of API calls. Thiscan help Android malware analysts in visually inspecting what the application under study does, easily identifying such malicious functions. Moreover, we have also developed a framework that automates the dynamic DNS analysis of Android malware where the captured URLs at the smartphone under scrutiny are sent to a remote server where they are: collected, identified within the DNS server records, mapped the extracted DNS records into this server in order to classify them either as benign or malicious domain. The classification is done through the usage of machine learning. Besides, the malicious URLs found are used in order to track and pinpoint other infected smart devices, not currently under monitoring

    Enabling Security Analysis and Education of the Ethereum Platform: A Network Traffic Dissection Tool

    Get PDF
    Ethereum, the decentralized global software platform powered by blockchain technology known for its native cryptocurrency, Ether (ETH), provides a technology stack for building apps, holding assets, transacting, and communicating without control by a central authority. At the core of Ethereum’s network is a suite of purpose-built protocols known as DEVP2P, which provides the underlying nodes in an Ethereum network the ability to discover, authenticate and communicate confidentiality. This document discusses the creation of a new Wireshark dissector for DEVP2P’s discovery protocols, DiscoveryV4 and DiscoveryV5, and a dissector for RLPx, an extensible TCP transport protocol for a range of Ethereum node capabilities. Network packet dissectors like Wireshark are commonly used to educate, develop, and analyze underlying network traffic. In support of creating the dissector, a custom private Ethereum docker network was also created, facilitating the communication amongst Go Ethereum execution clients and allowing the Wireshark dissector to capture live network data. Lastly, the dissector is used to understand the differences between DiscoveryV4 and DiscoveryV5, along with stepping through the network packets of RLPx to track a transaction executed on the network

    Moving target defense for securing smart grid communications: Architectural design, implementation and evaluation

    Get PDF
    Supervisory Control And Data Acquisition (SCADA) communications are often subjected to various kinds of sophisticated cyber-attacks which can have a serious impact on the Critical Infrastructure such as the power grid. Most of the time, the success of the attack is based on the static characteristics of the system, thereby enabling an easier profiling of the target system(s) by the adversary and consequently exploiting their limited resources. In this thesis, a novel approach to mitigate such static vulnerabilities is proposed by implementing a Moving Target Defense (MTD) strategy in a power grid SCADA environment, which leverages the existing communication network with an end-to-end IP Hopping technique among the trusted peer devices. This offers a proactive L3 layer network defense, minimizing IP-specific threats and thwarting worm propagation, APTs, etc., which utilize the cyber kill chain for attacking the system through the SCADA network. The main contribution of this thesis is to show how MTD concepts provide proactive defense against targeted cyber-attacks, and a dynamic attack surface to adversaries without compromising the availability of a SCADA system. Specifically, the thesis presents a brief overview of the different type of MTD designs, the proposed MTD architecture and its implementation with IP hopping technique over a Control Center–Substation network link along with a 3-way handshake protocol for synchronization on the Iowa State’s Power Cyber testbed. The thesis further investigates the delay and throughput characteristics of the entire system with and without the MTD to choose the best hopping rate for the given link. It also includes additional contributions for making the testbed scenarios more realistic to real world scenarios with multi-hop, multi-path WAN. Using that and studying a specific attack model, the thesis analyses the best ranges of IP address for different hopping rate and different number of interfaces. Finally, the thesis describes two case studies to explore and identify potential weaknesses of the proposed mechanism, and also experimentally validate the proposed mitigation alterations to resolve the discovered vulnerabilities. As part of future work, we plan to extend this work by optimizing the MTD algorithm to be more resilient by incorporating other techniques like network port mutation to further increase the attack complexity and cost

    Intrusion detection system in software-defined networks

    Get PDF
    Mestrado de dupla diplomação com a UTFPR - Universidade Tecnológica Federal do ParanáSoftware-Defined Networking technologies represent a recent cutting-edge paradigm in network management, offering unprecedented flexibility and scalability. As the adoption of SDN continues to grow, so does the urgency of studying methods to enhance its security. It is the critical importance of understanding and fortifying SDN security, given its pivotal role in the modern digital ecosystem. With the ever-evolving threat landscape, research into innovative security measures is essential to ensure the integrity, confidentiality, and availability of network resources in this dynamic and transformative technology, ultimately safeguarding the reliability and functionality of our interconnected world. This research presents a novel approach to enhancing security in Software-Defined Networking through the development of an initial Intrusion Detection System. The IDS offers a scalable solution, facilitating the transmission and storage of network traffic with robust support for failure recovery across multiple nodes. Additionally, an innovative analysis module incorporates artificial intelligence (AI) to predict the nature of network traffic, effectively distinguishing between malicious and benign data. The system integrates a diverse range of technologies and tools, enabling the processing and analysis of network traffic data from PCAP files, thus contributing to the reinforcement of SDN security.As tecnologias de Redes Definidas por Software representam um paradigma recente na gestão de redes, oferecendo flexibilidade e escalabilidade sem precedentes. À medida que a adoção de soluções SDN continuam a crescer, também aumenta a urgência de estudar métodos para melhorar a sua segurança. É de extrema importância compreender e fortalecer a segurança das SDN, dado o seu papel fundamental no ecossistema digital moderno. Com o cenário de ameaças em constante evolução, a investigação de medidas de segurança inovadoras é essencial para garantir a integridade, a confidencialidade e a disponibilidade dos recursos da rede nesta tecnologia dinâmica e transformadora. Esta investigação apresenta uma nova abordagem para melhorar a segurança nas redes definidas por software através do desenvolvimento de um sistema inicial de deteção de intrusões. O IDS oferece uma solução escalável, facilitando a transmissão e o armazenamento do tráfego de rede com suporte robusto para recuperação de falhas em vários nós. Além disso, um módulo de análise inovador incorpora inteligência artificial (IA) para prever a natureza do tráfego de rede, distinguindo efetivamente entre dados maliciosos e benignos. O sistema integra uma gama diversificada de tecnologias e ferramentas, permitindo o processamento e a análise de dados de tráfego de rede a partir de ficheiros PCAP, contribuindo assim para o reforço da segurança SDN

    Parallel Network Alert Management System For IDS False Positive Reduction

    Get PDF
    Every secure system has the possibility to fail. Therefore, extra effort should be taken to protect these systems. Intrusion detection systems (IDSs) had been proposed with the aim of providing extra protection to security systems. IDS is a powerful computer security system used to secure the computer environments. These systems trigger thousands of alerts per day, which prompt security analysts to verify each alert for relevance and severity based on an aggregation and correlation criterion. Several aggregation and correlation methods have been proposed to collect these alerts

    Towards secure message systems

    Get PDF
    Message systems, which transfer information from sender to recipient via communication networks, are indispensable to our modern society. The enormous user base of message systems and their critical role in information delivery make it the top priority to secure message systems. This dissertation focuses on securing the two most representative and dominant messages systems---e-mail and instant messaging (IM)---from two complementary aspects: defending against unwanted messages and ensuring reliable delivery of wanted messages.;To curtail unwanted messages and protect e-mail and instant messaging users, this dissertation proposes two mechanisms DBSpam and HoneyIM, which can effectively thwart e-mail spam laundering and foil malicious instant message spreading, respectively. DBSpam exploits the distinct characteristics of connection correlation and packet symmetry embedded in the behavior of spam laundering and utilizes a simple statistical method, Sequential Probability Ratio Test, to detect and break spam laundering activities inside a customer network in a timely manner. The experimental results demonstrate that DBSpam is effective in quickly and accurately capturing and suppressing e-mail spam laundering activities and is capable of coping with high speed network traffic. HoneyIM leverages the inherent characteristic of spreading of IM malware and applies the honey-pot technology to the detection of malicious instant messages. More specifically, HoneyIM uses decoy accounts in normal users\u27 contact lists as honey-pots to capture malicious messages sent by IM malware and suppresses the spread of malicious instant messages by performing network-wide blocking. The efficacy of HoneyIM has been validated through both simulations and real experiments.;To improve e-mail reliability, that is, prevent losses of wanted e-mail, this dissertation proposes a collaboration-based autonomous e-mail reputation system called CARE. CARE introduces inter-domain collaboration without central authority or third party and enables each e-mail service provider to independently build its reputation database, including frequently contacted and unacquainted sending domains, based on the local e-mail history and the information exchanged with other collaborating domains. The effectiveness of CARE on improving e-mail reliability has been validated through a number of experiments, including a comparison of two large e-mail log traces from two universities, a real experiment of DNS snooping on more than 36,000 domains, and extensive simulation experiments in a large-scale environment
    corecore