
    Automatic Test Framework Anomaly Detection in Home Routers

    In the modern world most people have a home network with multiple devices behind it. These include simple IoT devices, which require external protection so that they do not join a botnet. Such protection can be provided by a security router able to learn a device's usual network traffic and alert on unusual behaviour. This work is dedicated to creating a testbed to verify that such a router works as intended. The testbed includes tools to capture IoT traffic, edit it and replay it. The tool created supports UDP, TCP and, partially, ICMP, and is extendable to other protocols. UDP and TCP traffic is replayed using OS sockets at the transport layer. The methods described have been shown to work on a real setup.

    Justifying the need for forensically ready protocols: a case study of identifying malicious web servers using client honeypots

    Client honeypot technology can find malicious web servers that attack web browsers and push malware, so-called drive-by downloads, to the client machine. Merely recording the network traffic is insufficient for an efficient forensic analysis of the attack: custom tools need to be developed to access and examine the data embedded in the network protocols. Even once the information is extracted from the network data, it cannot be used to perform a behavioral analysis of the attack, which limits the ability to answer what exactly happened on the attacked system. A record/replay mechanism is proposed that allows the forensic examiner to easily extract application data from recorded network streams and allows applications to interact with that data for behavioral analysis. A concrete implementation of such a setup for the HTTP and DNS protocols, using the HTTP proxy Squid and the DNS proxy pdnsd, is presented and its effect on digital forensic analysis demonstrated.

    Patterns and Interactions in Network Security

    Networks play a central role in cyber-security: networks deliver security attacks, suffer from them, defend against them, and sometimes even cause them. This article is a concise tutorial on the large subject of networks and security, written for all those interested in networking, whether their specialty is security or not. To achieve this goal, we derive our focus and organization from two perspectives. The first perspective is that, although mechanisms for network security are extremely diverse, they are all instances of a few patterns. Consequently, after a pragmatic classification of security attacks, the main sections of the tutorial cover the four patterns for providing network security, of which the familiar three are cryptographic protocols, packet filtering, and dynamic resource allocation. Although cryptographic protocols hide the data contents of packets, they cannot hide packet headers. When users need to hide packet headers from adversaries, which may include the network from which they are receiving service, they must resort to the fourth pattern, compound sessions and overlays. The second perspective comes from the observation that security mechanisms interact in important ways, with each other and with other aspects of networking, so each pattern includes a discussion of its interactions.
    Comment: 63 pages, 28 figures, 56 references

    ActiBot: A Botnet to Evade Active Detection

    In recent years, botnets have emerged as a serious threat on the Internet. Botnets are commonly used for exploits such as distributed denial of service (DDoS) attacks, identity theft, spam, and click fraud. The immense size of botnets, some consisting of hundreds of thousands of compromised computers, increases the speed and severity of attacks. Unlike passive behavior anomaly detection techniques, active botnet detection aims to collect evidence actively, in order to reduce detection time and increase accuracy. In this project, we develop and analyze a botnet that we call ActiBot, which can evade some types of active detection mechanisms. Future research will focus on using ActiBot to strengthen existing detection techniques.

    Denial of Service (DoS) in Internet Protocol (IP) Network and Information Centric Network (ICN): An Impediment to Network Quality of Service (QoS).

    This paper compares and analyses Denial-of-Service attacks in two different network architectures. The two architectures are based on different routing approaches: hop-by-hop IP routing and source routing using Bloom filters. In hop-by-hop IP routing, the packet header contains the destination address and the route is decided node by node; forwarding requires each node to hold a routing table that maps the destination address to the port through which the packet should leave. In source routing, by contrast, the path a packet should take is encoded in a forwarding identifier placed in the packet header. This forwarding identifier needs no forwarding-table lookups as IP routing does; it relies on the Line Speed Publish/Subscribe (LIPSIN) forwarding solution, which names links rather than nodes or interfaces. The forwarding identifier is a set of Link IDs specifying the path to the recipient, encoded in a Bloom filter. These in-packet Bloom filters serve both as path selectors and as capabilities, and they are generated dynamically. This thesis focuses on the latter network technology, looking at both its benefits and its drawbacks and analysing the possibilities for a Denial-of-Service attack against it.
    Keywords: DoS, DDoS, TCP/IP Protocol Suite, ICMP flood, E-mail Bomb, Ping of Death, TCP and UD

    Evaluate Data Center Network Performance


    On Event Reproduction Ratio in Stateless and Stateful Replay of Real-World Traffic

    Capturing and replaying network flows is important for testing network devices, and replayed traffic should reproduce effects similar to those of live traffic. This work presents methods to measure the event reproduction ratio, and studies the effectiveness of stateless and stateful traffic replayers based on the events triggered by packets and connections. We use two replayers, SocketReplay and Tcpreplay, and a networking device supporting security services. SocketReplay is a stateful replayer that keeps the state of a connection during replay, while Tcpreplay is a stateless replayer that ignores connection state. Results indicate that SocketReplay replayed a smaller ratio of the captured traffic and triggered fewer blocking events in subsequent replay tests; a triggered blocking event indicates that the replayed traffic does not fit the on-site context. SocketReplay replayed only 38.74% of the captured TCP traffic, and resulted in an effectiveness of 99.97% (0.00%) in passing (blocking) event ratio. In contrast, Tcpreplay replayed 99.99% of the captured TCP traffic, and resulted in an effectiveness of 99.73% (75.64%) in passing (blocking) event ratio. The choice of a proper replayer and the corresponding replay configuration should depend on the contents of the captured traffic, so as to avoid a significant drop in the event reproduction ratio and in the effectiveness of the replayer.

    LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed

    Running off-site software middleboxes at third-party service providers has become a popular practice. However, routing large volumes of raw traffic, which may carry sensitive information, to a remote site for processing raises severe security concerns. Prior solutions often abstract away important factors pertinent to real-world deployment; in particular, they overlook the significance of metadata protection and stateful processing. Unprotected traffic metadata, such as low-level headers, packet sizes and packet counts, can be exploited to infer supposedly encrypted application contents. Meanwhile, tracking the states of hundreds of thousands of flows concurrently is often indispensable in production-level middleboxes deployed in real networks. We present LightBox, the first system that can drive off-site middleboxes at near-native speed with stateful processing and the most comprehensive protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox is the product of our systematic investigation of how to overcome the inherent limitations of secure enclaves using domain knowledge and customization. First, we introduce a virtual network interface that allows convenient access to fully protected packets at line rate without leaving the enclave, as if from the trusted source network. Second, we provide complete flow state management for efficient stateful processing, by tailoring a set of data structures and algorithms optimized for the highly constrained enclave space. Extensive evaluations demonstrate that LightBox, with all security benefits enabled, can achieve 10 Gbps packet I/O, and case studies on three stateful middleboxes show that it can operate at near-native speed.
    Comment: Accepted at ACM CCS 201