Detecção de ataques syn-flooding em redes definidas por software

With the amount of information available on the Internet, one can easily perform a DoS attack by just following an available tutorial, without having to have much computational knowledge for this action. Syn-flooding is a simple attack to be carried out, but has disastrous consequences, making it impossible to access a site or other resources on a network. In Software Defined Networks (SDN), this type of attack can also affect the entire infrastructure and can stop a network altogether, from the denial of the service of the controller itself. Thi swork proposes the detection of Syn-flooding attacks in na SDN network by measuring the variation of the amount of flows in a pre-established time interval and the monitoring the TCP ports, helping the network administrator to perform corrective and preventive actions from the detection of the attack. To implement the proposal, a tool called FindFlows has been developed that displays a list of all the active hosts in an SDN network, informing the amount of flows of each host in different time intervals, the variation of the flows in those intervals and, finally, the classification of this host as an attacker, victim or legitimate user. Of the tests performed, the FindFlows was able to detect the Syn-flooding attack in 90% of cases.NenhumaCom a quantidade de informações disponíveis na Internet, internautas podem facilmente realizar um ataque DoS apenas seguindo um tutorial disponível, sem precisar ter muito conhecimento computacional para esta ação. O Syn-flooding é um ataque simples de ser realizado, porém tem consequências desastrosas, podendo impossibilitar o acesso a um site ou outros recursos em uma rede. Em Redes Definidas por Software (SDN), este tipo de ataque também pode afetar toda a infraestrutura, podendo parar uma rede por completo, a partir da negação do serviço do próprio controlador. Este trabalho propõe uma detecção de ataques Syn-flooding, em uma rede SDN, através da medição da variação da quantidade de fluxos em um intervalo de tempo pré-estabelecido e o monitoramento das portas TCP, auxiliando ao administrador de rede a realizar ações corretivas e preventivas a partir da detecção do ataque. Para a realização da proposta, foi desenvolvida uma ferramenta chamada FindFlows que exibe uma lista de todos os hosts ativos em uma rede SDN, informando a quantidade de fluxos de cada host em intervalos de tempo diferentes, a variação dos fluxos nesses intervalos e, por fim, a classificação deste host como atacante, vítima ou usuário legítimo. Dos testes realizados, o FindFlows conseguiu detectar o ataque Syn-flooding em 90% dos casos

Application-based authentication on an inter-VM traffic in a Cloud environment

Cloud Computing (CC) is an innovative computing model in which resources are provided as a service over the Internet, on an as-needed basis. It is a large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet. Since cloud is often enabled by virtualization and share a common attribute, that is, the allocation of resources, applications, and even OSs, adequate safeguards and security measures are essential. In fact, Virtualization creates new targets for intrusion due to the complexity of access and difficulty in monitoring all interconnection points between systems, applications, and data sets. This raises many questions about the appropriate infrastructure, processes, and strategy for enacting detection and response to intrusion in a Cloud environment. Hence, without strict controls put in place within the Cloud, guests could violate and bypass security policies, intercept unauthorized client data, and initiate or become the target of security attacks. This article shines the light on the issues of security within Cloud Computing, especially inter-VM traffic visibility. In addition, the paper lays the proposition of an Application Based Security (ABS) approach in order to enforce an application-based authentication between VMs, through various security mechanisms, filtering, structures, and policies

IntelliFlow : um enfoque proativo para adicionar inteligência de ameaças cibernéticas a redes definidas por software

Orientador: Christian Rodolfo Esteve RothenbergDissertação (mestrado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de ComputaçãoResumo: Segurança tem sido uma das principais preocupações enfrentadas pela computação em rede principalmente, com o aumento das ameaças à medida que a Internet comercial e economias afins crescem rapidamente. Tecnologias de virtualização que permitem serviços em nuvem em escala colocam novos desafios para a segurança das infraestruturas computacionais, exigindo novos mecanismos que combinem o best-of-breed para reagir contra as metodologias de ataque emergentes. Nosso trabalho busca explorar os avanços na Cyber Threat Intelligence (CTI) no contexto da arquitetura de redes definidas por software, ou em inglês, Software Defined Networking (SDN). Enquanto a CTI representa uma abordagem recente para o combate de ameaças baseada em fontes confiáveis, a partir do compartihamento de informação e conhecimento sobre atividades criminais virtuais, a SDN é uma tendência recente na arquitetura de redes computacionais baseada em princípios de modulação e programabilidade. Nesta dissertação, nós propomos IntelliFlow, um sistema de detecção de inteligência para SDN que segue a abordagem proativa usando OpenFlow para efetivar contramedidas para as ameaças aprendidas a partir de um plano de inteligência distribuida. Nós mostramos a partir de uma implementação de prova de conceito que o sistema proposto é capaz de trazer uma série de benefícios em termos de efetividade e eficiência, contribuindo no plano geral para a segurança de projetos de computação de rede modernosAbstract: Security is a major concern in computer networking which faces increasing threats as the commercial Internet and related economies continue to grow. Virtualization technologies enabling scalable Cloud services pose further challenges to the security of computer infrastructures, demanding novel mechanisms combining the best-of-breed to counter certain types of attacks. Our work aims to explore advances in Cyber Threat Intelligence (CTI) in the context of Software Defined Networking (SDN) architectures. While CTI represents a recent approach to combat threats based on reliable sources, by sharing information and knowledge about computer criminal activities, SDN is a recent trend in architecting computer networks based on modularization and programmability principles. In this dissertation, we propose IntelliFlow, an intelligent detection system for SDN that follows a proactive approach using OpenFlow to deploy countermeasures to the threats learned through a distributed intelligent plane. We show through a proof of concept implementation that the proposed system is capable of delivering a number of benefits in terms of effectiveness and efficiency, altogether contributing to the security of modern computer network designsMestradoEngenharia de ComputaçãoMestre em Engenharia Elétrica159905/2013-3CNP

Towards sFlow and adaptive polling sampling for deep learning based DDoS detection in SDN

Distributed Denial of Service (DDoS) is one of the most rampant attacks in the modern Internet of Things (IoT) network infrastructures. Security plays a very vital role for an ever-growing heterogeneous network of IoT nodes, which are directly connected to each other. Due to the preliminary stage of Software Defined Networking (SDN), in the IoT network, sampling based measurement approaches currently results in low-accuracy, higher memory consumption, higher-overhead in processing and network, and low attack-detection. To deal with these aforementioned issues, this paper proposes sFlow and adaptive polling based sampling with Snort Intrusion Detection System (IDS) and deep learning based model, which helps to lower down the various types of prevalent DDoS attacks inside the IoT network. The flexible decoupling property of SDN enables us to program network devices for required parameters without utilizing third-party propriety based hardware or software. Firstly, in data-plane, to lower down processing and network overhead of switches, we deployed sFlow and adaptive polling based sampling individually. Secondly, in control-plane, to optimize detection accuracy, we deployed Snort IDS collaboratively with Stacked Autoencoders (SAE) deep learning model. Furthermore, after applying performance metrics on collected traffic streams, we quantitatively investigate trade off among attack detection accuracy and resources overhead. The evaluation of the proposed system demonstrates higher detection accuracy with 95% of True Positive rate with less than4% of False Positive rate within sFlow based implementation compared to adaptive polling

Defending Against IoT-Enabled DDoS Attacks at Critical Vantage Points on the Internet

The number of Internet of Things (IoT) devices continues to grow every year. Unfortunately, with the rise of IoT devices, the Internet is also witnessing a rise in the number and scale of IoT-enabled distributed denial-of-service (DDoS) attacks. However, there is a lack of network-based solutions targeted directly for IoT networks to address the problem of IoT-enabled DDoS. Unlike most security approaches for IoT which focus on hardening device security through hardware and/or software modification, which in many cases is infeasible, we introduce network-based approaches for addressing IoT-enabled DDoS attacks. We argue that in order to effectively defend the Internet against IoT-enabled DDoS attacks, it is necessary to consider network-wide defense at critical vantage points on the Internet. This dissertation is focused on three inherently connected and complimentary components: (1) preventing IoT devices from being turned into DDoS bots by inspecting traffic towards IoT networks at an upstream ISP/IXP, (2) detecting DDoS traffic leaving an IoT network by inspecting traffic at its gateway, and (3) mitigating attacks as close to the devices in an IoT network originating DDoS traffic. To this end, we present three security solutions to address the three aforementioned components to defend against IoT-enabled DDoS attacks

Dynamic Security Orchestration System Leveraging Machine Learning

A Content Delivery Network (CDN) employs edge-servers caching content close to end-users to provide high Quality of Service (QoS) in serving digital content. Attacks against edge-servers are known to cause QoS degradation and disruption in serving end-users. Attacks are becoming more sophisticated, and new attacks are being introduced. Protecting edge-servers in the face of these attacks is vital but represents a complex task. Not only must the attack mitigation be immediately effective, but the corresponding overhead should also not negatively affect the QoS of legitimate users. We propose a software-based security system for CDN edge-servers to detect and mitigate various attacks. The approach is to detect threats and automatically react by deploying and managing security services. The desired system behavior is governed by high-level security policies dictated by a network operator. Leveraging advanced machine learning techniques, our system can detect new and sophisticated attacks and generate alerts that trigger policies. Policy enforcement can result in the deployment of mitigation services realized using virtualized security function chains created, configured, and removed dynamically. We demonstrate how our system can be programmed using these policies to automatically handle real-world attacks. Our evaluation shows that our system not only detects known sophisticated attacks accurately but is capable of detecting new attacks. Moreover, the results show that our system is low-overhead, immediately responds to threats, and quickly recovers legitimate traffic throughput

Securing the software-defined networking control plane by using control and data dependency techniques

Software-defined networking (SDN) fundamentally changes how network and security practitioners design, implement, and manage their networks. SDN decouples the decision-making about traffic forwarding (i.e., the control plane) from the traffic being forwarded (i.e., the data plane). SDN also allows for network applications, or apps, to programmatically control network forwarding behavior and policy through a logically centralized control plane orchestrated by a set of SDN controllers. As a result of logical centralization, SDN controllers act as network operating systems in the coordination of shared data plane resources and comprehensive security policy implementation. SDN can support network security through the provision of security services and the assurances of policy enforcement. However, SDN’s programmability means that a network’s security considerations are different from those of traditional networks. For instance, an adversary who manipulates the programmable control plane can leverage significant control over the data plane’s behavior. In this dissertation, we demonstrate that the security posture of SDN can be enhanced using control and data dependency techniques that track information flow and enable understanding of application composability, control and data plane decoupling, and control plane insight. We support that statement through investigation of the various ways in which an attacker can use control flow and data flow dependencies to influence the SDN control plane under different threat models. We systematically explore and evaluate the SDN security posture through a combination of runtime, pre-runtime, and post-runtime contributions in both attack development and defense designs. We begin with the development a conceptual accountability framework for SDN. We analyze the extent to which various entities within SDN are accountable to each other, what they are accountable for, mechanisms for assurance about accountability, standards by which accountability is judged, and the consequences of breaching accountability. We discover significant research gaps in SDN’s accountability that impact SDN’s security posture. In particular, the results of applying the accountability framework showed that more control plane attribution is necessary at different layers of abstraction, and that insight motivated the remaining work in this dissertation. Next, we explore the influence of apps in the SDN control plane’s secure operation. We find that existing access control protections that limit what apps can do, such as role-based access controls, prove to be insufficient for preventing malicious apps from damaging control plane operations. The reason is SDN’s reliance on shared network state. We analyze SDN’s shared state model to discover that benign apps can be tricked into acting as “confused deputies”; malicious apps can poison the state used by benign apps, and that leads the benign apps to make decisions that negatively affect the network. That violates an implicit (but unenforced) integrity policy that governs the network’s security. Because of the strong interdependencies among apps that result from SDN’s shared state model, we show that apps can be easily co-opted as “gadgets,” and that allows an attacker who minimally controls one app to make changes to the network state beyond his or her originally granted permissions. We use a data provenance approach to track the lineage of the network state objects by assigning attribution to the set of processes and agents responsible for each control plane object. We design the ProvSDN tool to track API requests from apps as they access the shared network state’s objects, and to check requests against a predefined integrity policy to ensure that low-integrity apps cannot poison high-integrity apps. ProvSDN acts as both a reference monitor and an information flow control enforcement mechanism. Motivated by the strong inter-app dependencies, we investigate whether implicit data plane dependencies affect the control plane’s secure operation too. We find that data plane hosts typically have an outsized effect on the generation of the network state in reactive-based control plane designs. We also find that SDN’s event-based design, and the apps that subscribe to events, can induce dependencies that originate in the data plane and that eventually change forwarding behaviors. That combination gives attackers that are residing on data plane hosts significant opportunities to influence control plane decisions without having to compromise the SDN controller or apps. We design the EventScope tool to automatically identify where such vulnerabilities occur. EventScope clusters apps’ event usage to decide in which cases unhandled events should be handled, statically analyzes controller and app code to understand how events affect control plane execution, and identifies valid control flow paths in which a data plane attacker can reach vulnerable code to cause unintended data plane changes. We use EventScope to discover 14 new vulnerabilities, and we develop exploits that show how such vulnerabilities could allow an attacker to bypass an intended network (i.e., data plane) access control policy. This research direction is critical for SDN security evaluation because such vulnerabilities could be induced by host-based malware campaigns. Finally, although there are classes of vulnerabilities that can be removed prior to deployment, it is inevitable that other classes of attacks will occur that cannot be accounted for ahead of time. In those cases, a network or security practitioner would need to have the right amount of after-the-fact insight to diagnose the root causes of such attacks without being inundated with too much informa- tion. Challenges remain in 1) the modeling of apps and objects, which can lead to overestimation or underestimation of causal dependencies; and 2) the omission of a data plane model that causally links control and data plane activities. We design the PicoSDN tool to mitigate causal dependency modeling challenges, to account for a data plane model through the use of the data plane topology to link activities in the provenance graph, and to account for network semantics to appropriately query and summarize the control plane’s history. We show how prior work can hinder investigations and analysis in SDN-based attacks and demonstrate how PicoSDN can track SDN control plane attacks.Ope