Techniques for the dynamic randomization of network attributes
Critical infrastructure control systems continue to rely on predictable communication paths and static configurations that allow easy access to networked critical infrastructure around the world. This makes them attractive and easy targets for cyber-attack. We have developed technologies that address these attack vectors by automatically reconfiguring network settings. Applying these protective measures converts control systems into «moving targets» that proactively defend themselves against attack. This «Moving Target Defense» (MTD) revolves around the movement of network reconfiguration: securely communicating reconfiguration specifications to other network nodes as required, and ensuring that connectivity between nodes is uninterrupted. Software-Defined Networking (SDN) is leveraged to meet many of these goals. Our MTD approach denies adversaries the ability to target known static attributes of network devices and systems, and consists of the following three techniques: (1) Network Randomization for TCP/UDP Ports; (2) Network Randomization for IP Addresses; (3) Network Randomization for Network Paths. In this paper, we describe the implementation of the aforementioned technologies. We also discuss the individual and collective successes of the techniques, challenges for deployment, constraints and assumptions, and the performance implications of each technique.
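The abstract does not say how the randomized ports and addresses are agreed between nodes. The following is an added example, not code from the paper, showing one common way to do it: both endpoints derive the port and address for each time slot from a shared secret with a keyed PRF, so no per-hop reconfiguration message needs to carry the new values, and the listener tolerates clock skew by accepting the neighbouring slots. The shared secret, the 30-second slot length, the 10.7.0.0/24 prefix and the service names are all constructed assumptions for the example; the SDN control path the paper uses is not modelled.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for this example only; the paper's secure channel for
# distributing reconfiguration specifications is assumed, not modelled, here.
SECRET = b"constructed-example-secret-do-not-deploy"
SLOT_SECONDS = 30                 # lifetime of one port/address assignment (assumption)
EPHEMERAL_MIN, EPHEMERAL_MAX = 49152, 65535


def slot_for(ts, slot_seconds=SLOT_SECONDS):
    """Time slot index for a Unix timestamp; both ends must agree on slot_seconds."""
    return int(ts) // slot_seconds


def _prf(secret, label, name, slot):
    """Keyed PRF binding (label, name, slot) to 32 bytes via HMAC-SHA256."""
    msg = label + b":" + name.encode() + struct.pack(">Q", slot)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def hopped_port(secret, service, slot):
    """Port a service listens on during `slot`, confined to the dynamic/private range."""
    span = EPHEMERAL_MAX - EPHEMERAL_MIN + 1
    return EPHEMERAL_MIN + int.from_bytes(_prf(secret, b"port", service, slot)[:4], "big") % span


def hopped_address(secret, host, slot, prefix="10.7.0", lo=10, hi=250):
    """Host address inside prefix/24 for `slot`; lo..hi keeps clear of gateway/broadcast."""
    last = lo + int.from_bytes(_prf(secret, b"addr", host, slot)[:4], "big") % (hi - lo + 1)
    return "%s.%d" % (prefix, last)


def acceptable_ports(secret, service, ts, skew_slots=1):
    """Ports a listener should accept at `ts`: the current slot plus +/- skew_slots
    neighbours, so a client whose clock drifts across a slot boundary is not cut off."""
    s = slot_for(ts)
    return {hopped_port(secret, service, s + d) for d in range(-skew_slots, skew_slots + 1)}


def client_connects(secret, service, client_ts, server_ts):
    """Simulate one connection attempt: True if the port the client derives from its
    own clock is one the server currently accepts."""
    port = hopped_port(secret, service, slot_for(client_ts))
    return port in acceptable_ports(secret, service, server_ts)
```

The design choice worth noting: an attacker who scans the network learns only the port and address valid in the current slot, and without the secret cannot predict the next one; the price is that the listener must keep two or three ports open at any time for skew tolerance, and that the secret becomes a single point of compromise that has to be rotated over the secure reconfiguration channel.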
Towards Loop-Free Forwarding of Anonymous Internet Datagrams that Enforce Provenance
The way in which addressing and forwarding are implemented in the Internet constitutes one of its biggest privacy and security challenges. The fact that source addresses in Internet datagrams cannot be trusted makes the IP Internet inherently vulnerable to DoS and DDoS attacks. The Internet forwarding plane is open to attacks on the privacy of datagram sources, because source addresses in Internet datagrams have global scope. The fact that Internet datagrams are forwarded based solely on the destination addresses stated in datagram headers and the next hops stored in the forwarding information bases (FIB) of relaying routers allows Internet datagrams to traverse loops, which wastes resources and leaves the Internet open to further attacks. We introduce PEAR (Provenance Enforcement through Addressing and Routing), a new approach to addressing and forwarding of Internet datagrams that enables anonymous forwarding of Internet datagrams, eliminates many of the existing DDoS attacks on the IP Internet, and prevents Internet datagrams from looping, even in the presence of routing-table loops.
Comment: Proceedings of IEEE Globecom 2016, 4-8 December 2016, Washington, D.C., US
Poseidon: Mitigating Interest Flooding DDoS Attacks in Named Data Networking
Content-Centric Networking (CCN) is an emerging networking paradigm being considered as a possible replacement for the current IP-based host-centric Internet infrastructure. In CCN, named content becomes a first-class entity. CCN focuses on content distribution, which dominates current Internet traffic and is arguably not well served by IP. Named-Data Networking (NDN) is an example of CCN. NDN is also an active research project under the NSF Future Internet Architectures (FIA) program. FIA emphasizes security and privacy from the outset and by design. To be a viable Internet architecture, NDN must be resilient against current and emerging threats. This paper focuses on distributed denial-of-service (DDoS) attacks; in particular we address interest flooding, an attack that exploits key architectural features of NDN. We show that an adversary with limited resources can mount such an attack with a significant impact on network performance. We then introduce Poseidon: a framework for detecting and mitigating interest flooding attacks. Finally, we report on the results of extensive simulations assessing the proposed countermeasure.
Comment: The IEEE Conference on Local Computer Networks (LCN 2013)
TARANET: Traffic-Analysis Resistant Anonymity at the NETwork layer
Modern low-latency anonymity systems, no matter whether constructed as an overlay or implemented at the network layer, offer limited security guarantees against traffic analysis. On the other hand, high-latency anonymity systems offer strong security guarantees at the cost of computational overhead and long delays, which are excessive for interactive applications. We propose TARANET, an anonymity system that implements protection against traffic analysis at the network layer, and limits the incurred latency and overhead. In TARANET's setup phase, traffic analysis is thwarted by mixing. In the data transmission phase, end hosts and ASes coordinate to shape traffic into constant-rate transmission using packet splitting. Our prototype implementation shows that TARANET can forward anonymous traffic at over 50 Gbps using commodity hardware.
Security in peer-to-peer communication systems
P2PSIP (Peer-to-Peer Session Initiation Protocol) is a protocol developed by the IETF (Internet Engineering Task Force) for the establishment, completion and modification of communication sessions that emerges as a complement to SIP (Session Initiation Protocol) in environments where the original SIP protocol may fail for technical, financial, security, or social reasons. In order to do so, P2PSIP systems replace the whole server architecture of the original SIP systems used for the registration and location of users with a structured P2P network that distributes these functions among all the user agents that are part of the system. This new architecture, as with any emerging system, presents a completely new set of security problems whose analysis, the subject of this thesis, is of crucial importance for its secure development and future standardization.
Starting with a study of the state of the art in network security and continuing with more specific systems such as SIP and P2P, we identify the most important security services within the architecture of a P2PSIP communication system: access control, bootstrap, routing, storage and communication. Once the security services have been identified, we conduct an analysis of the attacks that can affect each of them, as well as a study of the existing countermeasures that can be used to prevent or mitigate these attacks. Based on the presented attacks and the weaknesses found in the existing measures to prevent them, we design specific solutions to improve the security of P2PSIP communication systems. To this end, we focus on the service that stands as the cornerstone of P2PSIP communication systems' security: access control. Among the newly designed solutions stand out: a certification model based on the segregation of the identity of users and nodes, a model for secure access control for on-the-fly P2PSIP systems, and an authorization framework for P2PSIP systems built on the recently published Internet Attribute Certificate Profile for Authorization.
Finally, based on the existing measures and the new solutions designed, we define a set of security recommendations that should be considered for the design, implementation and maintenance of P2PSIP communication systems.
Hierarchical Design Based Intrusion Detection System For Wireless Ad hoc Network
In recent years, wireless ad hoc sensor networks have become popular in both civil and military applications. However, security is one of the significant challenges for sensor networks because they are deployed in open and unprotected environments. As cryptographic mechanisms alone are not enough to protect a sensor network from external attacks, an intrusion detection system needs to be introduced. Although intrusion prevention is one of the major and most efficient defences against attacks, there may be attacks for which no prevention method is known. Besides protecting the system from known attacks, an intrusion detection system gathers information about attack techniques and helps in the development of intrusion prevention systems. In addition to reviewing the attacks known against wireless sensor networks, this paper examines current efforts toward intrusion detection systems for wireless sensor networks. We propose a hierarchical, architecture-based intrusion detection system that fits the current demands and restrictions of wireless ad hoc sensor networks. In the proposed architecture we use a clustering mechanism to build a four-level hierarchical network, which scales the network to a large geographical area, and we use both anomaly and misuse detection techniques for intrusion detection. We introduce a policy-based detection mechanism as well as intrusion response, together with the GSM cell concept, for the intrusion detection architecture.
Comment: 16 pages, International Journal of Network Security & Its Applications (IJNSA), Vol.2, No.3, July 2010. arXiv admin note: text overlap with arXiv:1111.1933 by other author
Towards Securing Peer-to-peer SIP in the MANET Context: Existing Work and Perspectives
The Session Initiation Protocol (SIP) is a key building block of many social applications, including VoIP communication and instant messaging. In its original architecture, SIP heavily relies on servers such as proxies and registrars. Mobile Ad hoc NETworks (MANETs) are networks comprised of mobile devices that communicate over wireless links, such as tactical radio networks or vehicular networks. In such networks, no fixed infrastructure exists and server-based solutions need to be redesigned to work in a peer-to-peer fashion. We survey existing proposals for the implementation of SIP over such MANETs and analyze their security issues. We then discuss potential solutions and their suitability in the MANET context
Octopus: A Secure and Anonymous DHT Lookup
Distributed Hash Table (DHT) lookup is a core technique in structured peer-to-peer (P2P) networks. Its decentralized nature introduces security and privacy vulnerabilities for applications built on top of it; we thus set out to design a lookup mechanism achieving both security and anonymity, heretofore an open problem. We present Octopus, a novel DHT lookup which provides strong guarantees for both security and anonymity. Octopus uses attacker identification mechanisms to discover and remove malicious nodes, severely limiting an adversary's ability to carry out active attacks, and splits lookup queries over separate anonymous paths and introduces dummy queries to achieve high levels of anonymity. We analyze the security of Octopus by developing an event-based simulator and show that the attacker discovery mechanisms can rapidly identify malicious nodes with a low error rate. We calculate the anonymity of Octopus using probabilistic modeling and show that Octopus can achieve near-optimal anonymity. We evaluate Octopus's efficiency on PlanetLab with 207 nodes and show that Octopus has reasonable lookup latency and manageable communication overhead.