7 research outputs found

    The Dynamics of Internet Traffic: Self-Similarity, Self-Organization, and Complex Phenomena

    The Internet is the most complex system ever created in human history. Unsurprisingly, its dynamics and traffic exhibit a rich variety of complex dynamics, self-organization and other phenomena that have been researched for years. This paper is a review of the complex dynamics of Internet traffic. Departing from the usual treatises, we take a view from both the network engineering and physics perspectives, showing the strengths, weaknesses and insights of each. In addition, many less-covered phenomena, such as traffic oscillations, the large-scale effects of worm traffic, and comparisons between the Internet and biological models, are covered.
    Comment: 63 pages, 7 figures, 7 tables, submitted to Advances in Complex Systems

    Monitoring the initial DNS behavior of malicious domains

    Attackers often use URLs to advertise scams or propagate malware. Because the reputation of a domain can be used to identify malicious behavior, miscreants often register these domains “just in time” before an attack. This paper explores the DNS behavior of attack domains, as identified by their appearance in a spam trap, shortly after the domains were registered. We explore the behavioral properties of these domains from two perspectives: (1) the DNS infrastructure associated with the domain, as observable from its resource records; and (2) the DNS lookup patterns from the networks that initially look up the domains. Our analysis yields many findings that may ultimately be useful for early detection of malicious domains. By monitoring the infrastructure for these malicious domains, we find that about 55% of scam domains occur in attacks at least one day after registration, suggesting the potential for early discovery of malicious domains based solely on properties of the DNS infrastructure that resolves those domains. We also find that there are a few regions of IP address space that host name servers and other types of servers for only malicious domains. Malicious domains have resource records that are distributed more widely across IP address space, and they are more quickly looked up by a variety of different networks. We also identify a set of “tainted” ASes that are used heavily by bad domains to host resource records. The features we observe are often evident before any attack even takes place; ultimately, they might serve as the basis for a DNS-based early warning system for attacks.
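The abstract names the signals but not a rule set, so the following is an added example, not code from the paper: it turns the pre-attack features the authors describe (spread of NS/A records across IP space, records hosted in "tainted" ASes, number of distinct networks that resolve the domain early on) into a simple score, and separately reports the registration-to-attack window that motivates early detection. The domains, addresses, prefix-to-AS table, tainted AS set, dates and thresholds are all constructed for illustration.

```python
"""Added example (not from the paper): scoring a newly registered domain from
early DNS infrastructure and lookup features. Every address, AS number, date
and threshold below is constructed; the paper reports no concrete rule set."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed: ASes an analyst has marked as hosting records only for bad
# domains (the paper's "tainted" ASes; the real list is not on the page).
TAINTED_ASES = {64500, 64511}

# Constructed: prefix -> origin AS table standing in for a BGP routing view.
PREFIX_TO_AS = {
    ip_network("198.51.100.0/24"): 64500,
    ip_network("203.0.113.0/24"): 64511,
    ip_network("192.0.2.0/24"): 64496,
}


@dataclass
class DomainObservation:
    name: str
    registered: date            # registration date (e.g. from WHOIS or zone files)
    first_seen_in_spam: date    # first appearance in the spam trap, None if never
    ns_ips: list                # IPv4 addresses of the authoritative name servers
    a_ips: list                 # IPv4 addresses in the domain's A records
    lookup_networks: set        # resolver /24s that queried the domain in its first day


def origin_as(ip):
    """Map an address to its origin AS; the constructed table has no overlapping prefixes."""
    addr = ip_address(ip)
    for net, asn in PREFIX_TO_AS.items():
        if addr in net:
            return asn
    return None


def infra_features(obs):
    """Features observable from resource records and early lookups, before any attack."""
    ips = obs.ns_ips + obs.a_ips
    slash16s = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    ases = {origin_as(ip) for ip in ips} - {None}
    return {
        "distinct_16s": len(slash16s),                 # how widely records are spread
        "tainted_as_hits": len(ases & TAINTED_ASES),   # records hosted in tainted ASes
        "lookup_networks": len(obs.lookup_networks),   # how many networks resolve it early
    }


def suspicion_score(obs):
    """Additive score over the features; the weights and thresholds are assumptions."""
    f = infra_features(obs)
    score = 0
    if f["distinct_16s"] >= 3:
        score += 1
    if f["tainted_as_hits"] > 0:
        score += 2
    if f["lookup_networks"] >= 5:
        score += 1
    return score, f


def warning_window_days(obs):
    """Days between registration and first spam-trap appearance: the time an
    infrastructure-based detector would have had to act (the paper reports
    at least one day for about 55% of scam domains)."""
    if obs.first_seen_in_spam is None:
        return None
    return (obs.first_seen_in_spam - obs.registered).days


# Constructed sample observations (reserved .example names and documentation prefixes).
SAMPLES = {
    "scam": DomainObservation(
        name="cheap-meds-now.example",
        registered=date(2012, 3, 1),
        first_seen_in_spam=date(2012, 3, 3),
        ns_ips=["198.51.100.10", "203.0.113.53"],
        a_ips=["192.0.2.80", "198.51.100.20", "203.0.113.80"],
        lookup_networks={"10.0.%d.0/24" % i for i in range(6)},
    ),
    "benign": DomainObservation(
        name="family-photos.example",
        registered=date(2012, 3, 1),
        first_seen_in_spam=None,
        ns_ips=["192.0.2.53", "192.0.2.54"],
        a_ips=["192.0.2.80"],
        lookup_networks={"10.0.0.0/24"},
    ),
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        print(label, suspicion_score(obs), warning_window_days(obs))
```

In practice the prefix-to-AS lookup would come from a routing table or an IP-to-ASN service, and the tainted-AS set from the kind of historical analysis the paper performs; the scoring here only illustrates that all of the inputs are available at or shortly after registration, before the domain appears in any spam feed.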

    Techniques of data prefetching, replication, and consistency in the Internet

    The Internet has become a major infrastructure for information sharing in our daily life, and is indispensable to critical and large applications in industry, government, business, and education. Internet bandwidth (the network speed at which data is transferred) has increased dramatically, whereas latency (the delay to physically access data) has been reduced at a much slower pace. The rich bandwidth and lagging latency can be coped with effectively in Internet systems by three data management techniques: caching, replication, and prefetching. The focus of this dissertation is to address the latency problem in the Internet by utilizing the rich bandwidth and large storage capacity for efficient prefetching of data, to significantly improve Web content caching performance; by proposing and implementing scalable data consistency maintenance methods to handle Web address caching in the distributed Domain Name System (DNS); and to handle massive data replication in peer-to-peer systems. While the DNS service is critical to the Internet, peer-to-peer data sharing is being accepted as an important Internet activity.
    We have made three contributions in developing prefetching techniques. First, we have proposed an efficient data structure for maintaining Web access information, called popularity-based Prediction by Partial Matching (PB-PPM), where data are placed and replaced guided by the popularity of Web accesses, so that only important and useful information is stored. PB-PPM greatly reduces the required storage space and improves prediction accuracy. Second, a major weakness of existing Web servers is that prefetching activities are scheduled independently of dynamically changing server workloads. Without proper control and coordination between the two kinds of activities, prefetching can negatively affect Web services and degrade Web access performance. To address this problem, we have developed a queuing model to characterize the interactions. Guided by the model, we have designed a coordination scheme that dynamically adjusts the prefetching aggressiveness of Web servers. This scheme not only prevents the Web servers from being overloaded, but can also minimize the average server response time. Finally, we have proposed a scheme that effectively coordinates the sharing of access information between proxy and Web servers. With the support of this scheme, the accuracy of prefetching decisions is significantly improved.
    Regarding data consistency support for Internet caching and data replication, we have conducted three significant studies. First, we have developed a consistency support technique to maintain data consistency among the replicas in structured P2P networks. Based on Pastry, an existing and popular P2P system, we have implemented this scheme and show that it can effectively maintain consistency while preventing hot-spot and node-failure problems. Second, we have designed and implemented a DNS cache update protocol, called DNScup, to provide strong consistency for domain/IP mappings. Finally, we have developed a dynamic lease scheme to update Internet replicas in a timely manner.
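The abstract describes PB-PPM only at the level of "prediction by partial matching with popularity-guided placement and replacement", so the following Python is an added example in that spirit, not the dissertation's data structure: an order-k PPM table over a page-access stream whose number of stored contexts is bounded, with the least-observed context evicted first, and a replay function that measures how often the predicted next page was the one actually requested. The context layout, the eviction rule, the capacity and the access trace are all assumptions.

```python
"""Added example (not the dissertation's code): a bounded, popularity-governed
prediction-by-partial-matching table for Web access prediction. The context
layout, eviction rule and sample trace are assumptions made for illustration."""
from collections import Counter


class PopularityPPM:
    def __init__(self, order=2, capacity=64):
        self.order = order          # longest context (number of preceding pages) kept
        self.capacity = capacity    # maximum number of contexts stored
        self.table = {}             # context tuple -> Counter(next_page -> count)
        self.history = []           # the last `order` pages seen

    def observe(self, page):
        """Record `page` as the successor of every context ending at the current history."""
        for k in range(1, self.order + 1):
            if len(self.history) < k:
                break
            ctx = tuple(self.history[-k:])
            self.table.setdefault(ctx, Counter())[page] += 1
        self.history = (self.history + [page])[-self.order:]
        self._evict()

    def _evict(self):
        """Popularity-based replacement: drop the context with the fewest observations
        until the table fits, so rarely used access paths do not consume storage."""
        while len(self.table) > self.capacity:
            victim = min(self.table, key=lambda c: sum(self.table[c].values()))
            del self.table[victim]

    def predict(self, n=1):
        """Partial matching: try the longest known context first, back off to shorter ones."""
        for k in range(min(self.order, len(self.history)), 0, -1):
            ctx = tuple(self.history[-k:])
            if ctx in self.table:
                return [p for p, _ in self.table[ctx].most_common(n)]
        return []


def prefetch_hits(trace, order=2, capacity=64):
    """Replay a trace: predict the next page, then observe the real one.
    Returns (hits, total); a hit means the page prefetched was the one requested."""
    model = PopularityPPM(order, capacity)
    hits = 0
    for page in trace:
        if model.predict(1) == [page]:
            hits += 1
        model.observe(page)
    return hits, len(trace)


# Constructed trace: one user repeating a three-page flow.
TRACE = ["/index", "/login", "/dashboard"] * 3

if __name__ == "__main__":
    print(prefetch_hits(TRACE))   # (5, 9): the first pass is spent learning the flow
```

With `capacity` set below the number of distinct contexts the trace produces, the table still predicts the dominant flow because the contexts it keeps are the ones seen most often; the server-load coordination and proxy/server sharing contributions of the dissertation are not modelled here.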

    Rule-based and machine-learning-based attack and anomaly detection in an EtherCAT-based SCADA system (Ethercat tabanlı bir scada sisteminde kural ve makine öğrenmesine dayalı saldırı ve anomali tespiti)

    The full text has been made openly accessible pursuant to the “Law on Amendments to the Higher Education Law and Certain Laws and Decree-Laws” published in Official Gazette No. 30352 of 06.03.2018 and the “Directive on the Collection, Organisation and Opening to Access of Graduate Theses in Electronic Form” dated 18.06.2018.
    Industrial control systems (ICS) are critical infrastructure in terms of their location and components. These systems have their own conventions and modes of operation, specific to the application field and independent of information technology (IT). They have also been adapted to Ethernet, driven by the idea of providing horizontal and vertical integration between the levels of the automation hierarchy with a single protocol. ICSs are therefore threatened by cyber attacks, both because of their nature and because Ethernet exposes them to IT services. This risk calls for ICS-specific solutions to detect and prevent attacks that arrive over the communication infrastructure. This study presents three approaches, combined into a holistic structure, for the Ethernet-based real-time EtherCAT protocol, which is widely used in automation applications: two rule-based approaches on the Snort intrusion detection system, detecting known and unknown attacks respectively, and one anomaly-based approach using machine learning techniques. For rule-based intrusion detection, an EtherCAT preprocessor was proposed that applies the trust node approach for known attacks and identifies the fieldbus repetition period for unknown attacks, using statistical techniques and novel solutions. Findings are presented to the user on the ELK stack, a logging and monitoring platform. 
    For anomaly-based intrusion detection, a water level control automation testbed was developed, a dataset was prepared by generating events on it, and various machine learning techniques were applied to the dataset. The period determination applied for unknown attack detection achieved 95% to 99% accuracy. When the logs and alerts for the MAC spoofing, data injection, DoS and slave attacks carried out against the proposed system were examined, the attacks were seen to be detected successfully. In the anomaly detection part of the study, the k-NN and SVM GA techniques were found to be successful in detecting events.
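The thesis's Snort preprocessor is not on the page, so the following is an added example that re-creates, in Python over a constructed frame log, the two rule-style ideas the abstract names: a trust-node check (an EtherCAT frame from a source MAC that is not a known node raises an alert) and a repetition-period check (the fieldbus cycle time is learned as the median inter-arrival of trusted frames, then frames that break that cadence are flagged, which catches injected frames or a flood even when they carry a trusted MAC). The MAC addresses, timings, warm-up length and tolerance are assumptions; only the EtherCAT EtherType 0x88A4 is a real constant.

```python
"""Added example (not the thesis's preprocessor): trust-node and cycle-period
checks over a constructed EtherCAT frame log. MACs, timings, warm-up and
tolerance are assumptions; 0x88A4 is the real EtherCAT EtherType."""
import statistics

ETHERCAT_ETHERTYPE = 0x88A4

MASTER = "00:01:05:aa:bb:01"   # constructed MAC of the EtherCAT master
TRUSTED = {MASTER}             # constructed whitelist of node MACs (trust-node approach)


def trust_check(frames, trusted):
    """Return EtherCAT frames whose source MAC is not a trusted node."""
    return [f for f in frames
            if f[2] == ETHERCAT_ETHERTYPE and f[1] not in trusted]


def estimate_period(timestamps, warmup=20):
    """Learn the cycle time as the median of the first `warmup` inter-arrival gaps;
    the median keeps a single stray frame during warm-up from skewing the estimate."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])][:warmup]
    if len(gaps) < 3:
        raise ValueError("not enough frames to learn the cycle time")
    return statistics.median(gaps)


def period_check(timestamps, period, tol=0.25):
    """Flag every frame whose gap from the previous frame deviates from the learned
    period by more than `tol` (a fraction): too short means injected or flooded
    frames, too long means a missed cycle."""
    alerts = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        gap = cur - prev
        if abs(gap - period) / period > tol:
            alerts.append((cur, gap))
    return alerts


def analyze(frames, trusted, warmup=20, tol=0.25):
    """Run both checks over a log of (timestamp_s, src_mac, ethertype) tuples.
    The period check only sees frames that passed the trust check, because
    untrusted sources already raised their own alert."""
    frames = sorted(frames, key=lambda f: f[0])
    trust_alerts = trust_check(frames, trusted)
    trusted_ts = [f[0] for f in frames
                  if f[2] == ETHERCAT_ETHERTYPE and f[1] in trusted]
    period = estimate_period(trusted_ts, warmup)
    return {
        "period": period,
        "trust_alerts": trust_alerts,
        "period_alerts": period_check(trusted_ts, period, tol),
    }


# Constructed frame log: a 1 ms cycle, one rogue node, one injected burst that
# spoofs the master's MAC, and one non-EtherCAT frame that must be ignored.
FRAMES = [(i * 0.001, MASTER, ETHERCAT_ETHERTYPE) for i in range(40)]
FRAMES.append((0.0155, "de:ad:be:ef:00:01", ETHERCAT_ETHERTYPE))
FRAMES += [(0.0301 + j * 0.0001, MASTER, ETHERCAT_ETHERTYPE) for j in range(5)]
FRAMES.append((0.0205, MASTER, 0x0800))

if __name__ == "__main__":
    r = analyze(FRAMES, TRUSTED)
    print(f"cycle {r['period'] * 1e3:.3f} ms, {len(r['trust_alerts'])} trust alert(s), "
          f"{len(r['period_alerts'])} period alert(s)")
```

On the constructed log the rogue node is caught by the whitelist alone, while the spoofed-master burst passes the whitelist and is only caught because its frames arrive at a tenth of the learned cycle time; the frame that resumes the normal cadence after the burst is flagged too, since its gap from the last injected frame is also off, which is the kind of edge a real rule set would want to suppress.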

    Spectroscopy of DNS update traffic
