Anonymous Networking amidst Eavesdroppers

The problem of security against timing based traffic analysis in wireless networks is considered in this work. An analytical measure of anonymity in eavesdropped networks is proposed using the information theoretic concept of equivocation. For a physical layer with orthogonal transmitter directed signaling, scheduling and relaying techniques are designed to maximize achievable network performance for any given level of anonymity. The network performance is measured by the achievable relay rates from the sources to destinations under latency and medium access constraints. In particular, analytical results are presented for two scenarios: For a two-hop network with maximum anonymity, achievable rate regions for a general m x 1 relay are characterized when nodes generate independent Poisson transmission schedules. The rate regions are presented for both strict and average delay constraints on traffic flow through the relay. For a multihop network with an arbitrary anonymity requirement, the problem of maximizing the sum-rate of flows (network throughput) is considered. A selective independent scheduling strategy is designed for this purpose, and using the analytical results for the two-hop network, the achievable throughput is characterized as a function of the anonymity level. The throughput-anonymity relation for the proposed strategy is shown to be equivalent to an information theoretic rate-distortion function

On packet marking and Markov modeling for IP Traceback: A deep probabilistic and stochastic analysis

From many years, the methods to defend against Denial of Service attacks have been very attractive from different point of views, although network security is a large and very complex topic. Different techniques have been proposed and so-called packet marking and IP tracing procedures have especially demonstrated a good capacity to face different malicious attacks. While host-based DoS attacks are more easily traced and managed, network-based DoS attacks are a more challenging threat. In this paper, we discuss a powerful aspect of the IP traceback method, which allows a router to mark and add information to attack packets on the basis of a fixed probability value. We propose a potential method for modeling the classic probabilistic packet marking algorithm as Markov chains, allowing a closed form to be obtained for evaluating the correct number of received marked packets in order to build a meaningful attack graph and analyze how marking routers must behave to minimize the overall overhead

On traffic analysis attacks and countermeasures

Security and privacy have gained more and more attention with the rapid growth and public acceptance of the Internet as a means of communication and information dissemination. Security and privacy of a computing or network system may be compromised by a variety of well-crafted attacks. In this dissertation, we address issues related to security and privacy in computer network systems. Specifically, we model and analyze a special group of network attacks, known as traffic analysis attacks, and develop and evaluate their countermeasures. Traffic analysis attacks aim to derive critical information by analyzing traffic over a network. We focus our study on two classes of traffic analysis attacks: link-load analysis attacks and flow-connectivity analysis attacks. Our research has made the following conclusions: 1. We have found that an adversary may effectively discover link load by passively analyzing selected statistics of packet inter-arrival times of traffic flows on a network link. This is true even if some commonly used countermeasures (e.g., link padding) have been deployed. We proposed an alternative effective countermeasure to counter this passive traffic analysis attack. Our extensive experimental results indicated this to be an effective approach. 2. Our newly proposed countermeasure may not be effective against active traffic analysis attacks, which an adversary may also use to discover the link load. We developed methodologies in countering these kinds of active attacks. 3. To detect the connectivity of a flow, an adversary may embed a recognizable pattern of marks into traffic flows by interference. We have proposed new countermeasures based on the digital filtering technology. Experimental results have demonstrated the effectiveness of our method. From our research, it is obvious that traffic analysis attacks present a serious challenge to the design of a secured computer network system. It is the objective of this study to develop robust but cost-effective solutions to counter link-load analysis attacks and flow-connectivity analysis attacks. It is our belief that our methodology can provide a solid foundation for studying the entire spectrum of traffic analysis attacks and their countermeasures

A survey of defense mechanisms against distributed denial of service (DDOS) flooding attacks

Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack. © 1998-2012 IEEE

Software Defined Based Pure VPN Protocol for Preventing IP Spoofing Attacks in IOT

The Internet of things (IoT) is the network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data. IoT involves extending Internet connectivity beyond standard devices, such as desktops, laptops, smart phones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the Internet, and they can be remotely monitored and controlled. Traditionally, current internet packet delivery only depends on packet destination IP address and forward devices neglect the validation of packet’s IP source address. It makes attacks can leverage this flow to launch attacks with forge IP source address so as to meet their violent purpose and avoid to be tracked. In order to reduce this threat and enhance internet accountability, many solution proposed in the inter domain and intra domain aspects. Furthermore, most of them faced with some issues hard to cope, i.e., data security, data privacy. And most importantly code cover PureVPN protocol for both inter and intra domain areas. The novel network architecture of SDN possess whole network PureVPN protocol rule instead of traditional SDN switches, which brings good opportunity to solve IP spoofing problems. However, use authentication based on key exchange between the machines on your network; something like IP Security protocol will significantly cut down on the risk of spoofing. This paper proposes a SDN based PureVPN protocol architecture, which can cover both inter and intra domain areas with encrypted format effectively than SDN devices. The PureVPN protocol scheme is significant in improving the security and privacy in SDN for IoT