1,571 research outputs found

    Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems

    Computer networks are undergoing phenomenal growth, driven by the rapidly increasing number of nodes that constitute them. At the same time, the number of security threats on the Internet and on intranet networks is constantly growing, and the testing and experimentation of cyber defense solutions require separate test environments that emulate the complexity of a real system as closely as possible. Such environments support the deployment and monitoring of complex mission-driven network scenarios, thus enabling the study of cyber defense strategies under realistic and controllable traffic and attack scenarios. In this paper, we propose a methodology that combines network and security assessment techniques with cloud technologies to build an emulation environment with an adjustable degree of affinity to actual reference networks or planned systems. As a byproduct, starting from a specific case study, we collected a dataset consisting of complete network traces comprising benign and malicious traffic, which is feature-rich and publicly available.

    Packet analysis for network forensics: A comprehensive survey

    Packet analysis is a primary traceback technique in network forensics which, provided that the captured packet details are sufficiently complete, can play back even the entire network traffic for a particular point in time. This can be used to find traces of nefarious online behavior, data breaches, unauthorized website access, malware infection, and intrusion attempts, and to reconstruct image files, documents, email attachments, etc. sent over the network. This paper is a comprehensive survey of the use of packet analysis, including deep packet inspection, in network forensics, and provides a review of AI-powered packet analysis methods with advanced network traffic classification and pattern identification capabilities. Considering that not all network information can be used in court, the types of digital evidence that might be admissible are detailed. The properties of both hardware appliances and packet analyzer software are reviewed from the perspective of their potential use in network forensics.

    Using the cell processor as an offload streaming assist for sessionization of network traffic for cross packet inspection

    Deep packet inspection is a means of ensuring network security and eliminating malicious activity by scanning the contents of packets for threats. It analyzes each packet on an individual basis to ensure that it does not exhibit a malicious signature. As both network link speeds and the number of threats increase, it becomes increasingly difficult to scan for threats in real time. As a result, costly and highly specialized hardware implementations were designed to handle the demand of scanning packets at high link rates. It is common for packets from the same session to arrive out of order at inspection points. As a result, a signature can span the boundary between two different packets, and a per-packet scanner will miss the threat. The IBM Cell Broadband Engine was selected to group packets of the same session together prior to scanning because it offered a cost-effective solution compared to specialized hardware. The ability to scan across packet boundaries yields a greater degree of threat detection and better characterization of traffic. This thesis investigates the performance achieved by using the Cell processor as a preprocessor that groups packets from the same network session together so they can be scanned across packet boundaries. The implemented sessionizer was capable of processing network traffic at a worst-case rate of 3 Gb/s and a best-case rate of 20 Gb/s using four of the eight available synergistic processing elements.