252 research outputs found
Automatic Test Framework Anomaly Detection in Home Routers
In a modern world most people have a home network and multiple devices behind it. These devices include simple IoT, that require external protection not to join a botnet. This protection can be granted by a security router with a feature of determining the usual network traffic of a device and alerting its unusual behaviour. This work is dedicated to creating a testbed to verify such router's work. The test bed includes tools to capture IoT traffic, edit and replay it. Created tool supports UDP, TCP, partially ICMP and is extendable to other protocols. UDP and TCP protocols are replayed using OS sockets at transport network layer. The methods described have proved to work on a real setup
Justifying the need for forensically ready protocols: a case study of identifying malicious web servers using client honeypots
Client honeypot technology can find malicious web servers that attack web browsers and push malware, so called drive-by-downloads, to the client machine. Merely recording the network traffic is insufficient to perform an efficient forensic analysis of the attack. Custom tools need to be developed to access and examine the embedded data of the network protocols. Once the information is extracted from the network data, it cannot be used to perform a behavioral analysis on the attack, therefore limiting the ability to answer what exactly happened on the attacked system. Implementation of a record / replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with such data for behavioral analysis purposes. A concrete implementation of such a setup for HTTP and DNS protocols using the HTTP proxy Squid and DNS proxy pdnsd is presented and its effect on digital forensic analysis demonstrated
Patterns and Interactions in Network Security
Networks play a central role in cyber-security: networks deliver security
attacks, suffer from them, defend against them, and sometimes even cause them.
This article is a concise tutorial on the large subject of networks and
security, written for all those interested in networking, whether their
specialty is security or not. To achieve this goal, we derive our focus and
organization from two perspectives. The first perspective is that, although
mechanisms for network security are extremely diverse, they are all instances
of a few patterns. Consequently, after a pragmatic classification of security
attacks, the main sections of the tutorial cover the four patterns for
providing network security, of which the familiar three are cryptographic
protocols, packet filtering, and dynamic resource allocation. Although
cryptographic protocols hide the data contents of packets, they cannot hide
packet headers. When users need to hide packet headers from adversaries, which
may include the network from which they are receiving service, they must resort
to the pattern of compound sessions and overlays. The second perspective comes
from the observation that security mechanisms interact in important ways, with
each other and with other aspects of networking, so each pattern includes a
discussion of its interactions.Comment: 63 pages, 28 figures, 56 reference
ActiBot: A Botnet to Evade Active Detection
In recent years, botnets have emerged as a serious threat on the Internet. Botnets are commonly used for exploits such as distributed denial of service (DDoS) attacks, identity theft, spam, and click fraud. The immense size of botnets, some consisting of hundreds of thousands of compromised computers, increases the speed and severity of attacks. Unlike passive behavior anomaly detection techniques, active botnet detection aims to collect evidence actively, in order to reduce detection time and increase accuracy. In this project, we develop and analyze a botnet that we call ActiBot, which can evade some types of active detection mechanisms. Future research will focus on using ActiBot to strengthen existing detection techniques
Denial of Service (DoS) in Internet Protocol (IP) Network and Information Centric Network (ICN): An Impediment to Network Quality of Service (QoS).
This paper compares and analyses the Denial-of-Service attacks in the two different Network architectures. The two architectures are based on different routing approaches: Hop-by-Hop IP routing and source-routing using Bloom filters. In Hop-by-Hop IP routing, the packet header contains the address, and the route is decided node by node. Forwarding in this method requires a node to have a routing table which contains the port through which the packet should traverse depending on the address of the destination. Instead in source-routing, the forwarding identifier is encoded with the path a packet should take and it is placed in the packet header. The forwarding identifier in this approach does not require a forwarding table for look ups like the IP routing; it relies on Line Speed Publish/Subscribe (LIPSIN) forwarding solution that focuses on using named links not nodes or interfaces. The forwarding identifier encompasses a set of Link ID’s which specifies the path to the recipient and they are encoded in a Bloom filter. The In-packet Bloom filters serve as both path selectors and as capabilities, and they are generated dynamically. However, this thesis is going to focus on the latter network technology by looking at both its benefits and drawbacks as well as analysing the possibilities of having a Denial of service attack. Keywords: DoS, DDoS, TCP/IP Protocol Suite, ICMP flood, E-mail Bomb, Ping of Death, TCP and UD
On Event Reproduction Ratio in Stateless and Stateful Replay of Real-World Traffic
Capturing and replaying network flows are important for testing network devices. Replayed traffic should reproduce effects similar to live traffic. This work presents methods to measure the event reproduction ratio, and studies the effectiveness of stateless and stateful traffic replayers based on the events triggered by packets and connections. We use two replayers, SocketReplay and Tcpreplay, and a networking device supporting security services. SocketReplay is a stateful replayer which keeps the state of a connection during replay, while Tcpreplay is a stateless replayer that ignores the connection state. Results indicate that SocketReplay replayed a smaller ratio of the captured traffic and triggered fewer blocking events in subsequent replay tests. Triggering blocking events denotes the replayed traffic cannot fit the onsite context. SocketReplay only replayed 38.74% of the captured TCP traffic, and resulted in an effectiveness of 99.97% (0.00%) in passing (blocking) event ratio. In contrast, Tcpreplay replayed 99.99% of the captured TCP traffic, and resulted in an effectiveness of 99.73% (75.64%) in passing (blocking) event ratio. The choice of a proper replayer and the corresponding replay configuration should depend on the contents of captured traffic and avoid to a significant drop of event reproduction ratio and the effectiveness of replayers
LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed
Running off-site software middleboxes at third-party service providers has
been a popular practice. However, routing large volumes of raw traffic, which
may carry sensitive information, to a remote site for processing raises severe
security concerns. Prior solutions often abstract away important factors
pertinent to real-world deployment. In particular, they overlook the
significance of metadata protection and stateful processing. Unprotected
traffic metadata like low-level headers, size and count, can be exploited to
learn supposedly encrypted application contents. Meanwhile, tracking the states
of 100,000s of flows concurrently is often indispensable in production-level
middleboxes deployed at real networks.
We present LightBox, the first system that can drive off-site middleboxes at
near-native speed with stateful processing and the most comprehensive
protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox
is the product of our systematic investigation of how to overcome the inherent
limitations of secure enclaves using domain knowledge and customization. First,
we introduce an elegant virtual network interface that allows convenient access
to fully protected packets at line rate without leaving the enclave, as if from
the trusted source network. Second, we provide complete flow state management
for efficient stateful processing, by tailoring a set of data structures and
algorithms optimized for the highly constrained enclave space. Extensive
evaluations demonstrate that LightBox, with all security benefits, can achieve
10Gbps packet I/O, and that with case studies on three stateful middleboxes, it
can operate at near-native speed.Comment: Accepted at ACM CCS 201
- …