Securing the Edges of IoT Networks: a Scalable SIP DDoS Defense Framework with VNF, SDN, and Blockchain

An unintended consequence of the global deployment of IoT devices is that they provide a fertile breeding ground for IoT botnets. An adversary can take advantage of an IoT botnet to launch DDoS attacks against telecommunication services. Due to the magnitude of such an attack, legacy security systems are not able to provide adequate protection. The impact ranges from loss of revenue for businesses to endangering public safety. This risk has prompted academia, government, and industry to reevaluate the existing de- fence model. The current model relies on point solutions and the assumption that adversaries and their attacks are readily identifiable. But adversaries have challenged this assumption, building a botnet from thousands of hijacked IoT devices to launch DDoS attacks. With bot- net DDoS attacks there are no clear boundary where the attacks originate and what defensive measures to use. The research question is: in what ways programmable networks could defend against Session Initiation Protocol (SIP) Distributed Denial-of-Service (DDoS) flooding attacks from IoT botnets? My significant and original contribution to the knowledge is a scalable and collaborative defence framework that secures the edges of IoT networks with Virtual Network Function (VNF), Software-Defined Networking (SDN), and Blockchain technology to prevent, detect, and mitigate SIP DDoS flooding attacks from IoT botnets. Successful experiments were performed using VNF, SDN, and Blockchain. Three kinds of SIP attacks (scan, brute force, and DDoS) were launched against a VNF running on a virtual switch and each was successfully detected and mitigated. The SDN controller gathers threat intelligence from the switch where the attacks originate and installs them as packet filtering rules on all switches in the organisation. With the switches synchronised, the same botnet outbreak is prevented from attacking other parts of the organisation. A distributed application scales this framework further by writing the threat intelligence to a smart contract on the Ethereum Blockchain so that it is available for external organisations. The receiving organisation retrieves the threat intelligence from the smart contract and installs them as packet filtering rules on their switches. In this collaborative framework, attack detection/mitigation efforts by one organisation can be leveraged as attack prevention efforts by other organisations in the community

IoT-MQTT based denial of service attack modelling and detection

Internet of Things (IoT) is poised to transform the quality of life and provide new business opportunities with its wide range of applications. However, the bene_ts of this emerging paradigm are coupled with serious cyber security issues. The lack of strong cyber security measures in protecting IoT systems can result in cyber attacks targeting all the layers of IoT architecture which includes the IoT devices, the IoT communication protocols and the services accessing the IoT data. Various IoT malware such as Mirai, BASHLITE and BrickBot show an already rising IoT device based attacks as well as the usage of infected IoT devices to launch other cyber attacks. However, as sustained IoT deployment and functionality are heavily reliant on the use of e_ective data communication protocols, the attacks on other layers of IoT architecture are anticipated to increase. In the IoT landscape, the publish/- subscribe based Message Queuing Telemetry Transport (MQTT) protocol is widely popular. Hence, cyber security threats against the MQTT protocol are projected to rise at par with its increasing use by IoT manufacturers. In particular, the Internet exposed MQTT brokers are vulnerable to protocolbased Application Layer Denial of Service (DoS) attacks, which have been known to cause wide spread service disruptions in legacy systems. In this thesis, we propose Application Layer based DoS attacks that target the authentication and authorisation mechanism of the the MQTT protocol. In addition, we also propose an MQTT protocol attack detection framework based on machine learning. Through extensive experiments, we demonstrate the impact of authentication and authorisation DoS attacks on three opensource MQTT brokers. Based on the proposed DoS attack scenarios, an IoT-MQTT attack dataset was generated to evaluate the e_ectiveness of the proposed framework to detect these malicious attacks. The DoS attack evaluation results obtained indicate that such attacks can overwhelm the MQTT brokers resources even when legitimate access to it was denied and resources were restricted. The evaluations also indicate that the proposed DoS attack scenarios can signi_cantly increase the MQTT message delay, especially in QoS2 messages causing heavy tail latencies. In addition, the proposed MQTT features showed high attack detection accuracy compared to simply using TCP based features to detect MQTT based attacks. It was also observed that the protocol _eld size and length based features drastically reduced the false positive rates and hence, are suitable for detecting IoT based attacks

Denial of Service in Web-Domains: Building Defenses Against Next-Generation Attack Behavior

The existing state-of-the-art in the field of application layer Distributed Denial of Service (DDoS) protection is generally designed, and thus effective, only for static web domains. To the best of our knowledge, our work is the first that studies the problem of application layer DDoS defense in web domains of dynamic content and organization, and for next-generation bot behaviour. In the first part of this thesis, we focus on the following research tasks: 1) we identify the main weaknesses of the existing application-layer anti-DDoS solutions as proposed in research literature and in the industry, 2) we obtain a comprehensive picture of the current-day as well as the next-generation application-layer attack behaviour and 3) we propose novel techniques, based on a multidisciplinary approach that combines offline machine learning algorithms and statistical analysis, for detection of suspicious web visitors in static web domains. Then, in the second part of the thesis, we propose and evaluate a novel anti-DDoS system that detects a broad range of application-layer DDoS attacks, both in static and dynamic web domains, through the use of advanced techniques of data mining. The key advantage of our system relative to other systems that resort to the use of challenge-response tests (such as CAPTCHAs) in combating malicious bots is that our system minimizes the number of these tests that are presented to valid human visitors while succeeding in preventing most malicious attackers from accessing the web site. The results of the experimental evaluation of the proposed system demonstrate effective detection of current and future variants of application layer DDoS attacks

Implementation of DoS and DDoS attacks on cloud servers

Cloud environments face many threats as traditional corporate networks, but due to the vast amount of data stored on cloud servers, providers become an attractive target. Thus the security level of data on the cloud servers is always a key issue from preventing potential attacks. This paper intends to show a relatively easy way to implement a Denial of Service (DoS) attack and/or a Distributed Denial of Service (DDoS) attack. The used Phyton scripts like HULK or XML-RPC are able to make several hundred requests to the server in short period of time. The HULK is better for DoS attack, while XML-RPC is for pure DDoS attack. It is concluded that with proper tools and applications, the access to the VM and DDoS can be implemented relatively easy way

Defence against Denial of Service (DoS) attacks using Identifier-Locator Network Protocol (ILNP) and Domain Name System (DNS)

This research considered a novel approach to network security by combining a new networking architecture based on the Identifier-Locator Network Protocol (ILNP) and the existing Domain Name System (DNS). Specifically, the investigations considered the mitigation of network-level and transport-level based Denial of Service (DoS) attacks. The solutions presented for DoS are applicable to secure servers that are visible externally from an enterprise network. DoS was chosen as an area of concern because in recent years DoS has become the most common and hard to defend against attacks. The novelty of this approach was to consider the way the DNS and ILNP can work together, transparently to the application, within an enterprise scenario. This was achieved by the introduction of a new application-level access control function - the Capability Management System (CMS) - which applies configuration at the application level (DNS data) and network level (ILNP namespaces). CMS provides dynamic, ephemeral identity and location information to clients and servers, in order to effectively partition legitimate traffic from attack traffic. This was achieved without modifying existing network components such as switches and routers and making standard use of existing functions, such as access control lists, and DNS servers, all within a single trust domain that is under the control of the enterprise. The prime objectives of this research were: • to defend against DoS attacks with the use of naming and DNS within an enterprise scenario. • to increase the attacker’s effort in launching a successful DoS attack. • to reduce the visibility of vulnerabilities that can be discovered by an attacker by active probing approaches. • to practically demonstrate the effectiveness of ILNP and DNS working together to provide a solution for DoS mitigation. The solution methodology is based on the use of network and transport level capabilities, dynamic changes to DNS data, and a Moving Target Defence (MTD) paradigm. There are three solutions presented which use ILNP namespaces. These solutions are referred to as identifier-based, locator-based, and combined identifier-locator based solutions, respectively. ILNP-based node identity values were used to provide transport-level per-client server capabilities, thereby providing per-client isolation of traffic. ILNP locator values were used to allow a provision of network-level traffic separation for externally accessible enterprise services. Then, the identifier and locator solutions were combined, showing the possibility of protecting the services, with per-client traffic control and topological traffic path separation. All solutions were site-based solutions and did not require any modification in the core/external network, or the active cooperation of an ISP, therefore limiting the trust domain to the enterprise itself. Experiments were conducted to evaluate all the solutions on a test-bed consisting of off-the-shelf hardware, open-source software, an implementation of the CMS written in C, all running on Linux. The discussion includes considering the efficacy of the solutions, comparisons with existing methods, the performance of each solution, and critical analysis highlighting future improvements that could be made

A novel intrusion detection system (IDS) architecture. Attack detection based on snort for multistage attack scenarios in a multi-cores environment.

Recent research has indicated that although security systems are developing, illegal intrusion to computers is on the rise. The research conducted here illustrates that improving intrusion detection and prevention methods is fundamental for improving the overall security of systems. This research includes the design of a novel Intrusion Detection System (IDS) which identifies four levels of visibility of attacks. Two major areas of security concern were identified: speed and volume of attacks; and complexity of multistage attacks. Hence, the Multistage Intrusion Detection and Prevention System (MIDaPS) that is designed here is made of two fundamental elements: a multistage attack engine that heavily depends on attack trees and a Denial of Service Engine. MIDaPS were tested and found to improve current intrusion detection and processing performances. After an intensive literature review, over 25 GB of data was collected on honeynets. This was then used to analyse the complexity of attacks in a series of experiments. Statistical and analytic methods were used to design the novel MIDaPS. Key findings indicate that an attack needs to be protected at 4 different levels. Hence, MIDaPS is built with 4 levels of protection. As, recent attack vectors use legitimate actions, MIDaPS uses a novel approach of attack trees to trace the attacker¿s actions. MIDaPS was tested and results suggest an improvement to current system performance by 84% whilst detecting DDOS attacks within 10 minutes

Selected Computing Research Papers Volume 2 June 2013

An Evaluation of Current Innovations for Solving Hard Disk Drive Vibration Problems (Isiaq Adeola) ........................................................................................................ 1 A Critical Evaluation of the Current User Interface Systems Used By the Blind and Visually Impaired (Amneet Ahluwalia) ................................................................................ 7 Current Research Aimed At Improving Bot Detection In Massive Multiplayer Online Games (Jamie Burnip) ........................................................................................................ 13 Evaluation Of Methods For Improving Network Security Against SIP Based DoS Attacks On VoIP Network Infrastructures (David Carney) ................................................ 21 An Evaluation of Current Database Encryption Security Research (Ohale Chidiebere) .... 29 A Critical Appreciation of Current SQL Injection Detection Methods (Lee David Glynn) .............................................................................................................. 37 An Analysis of Current Research into Music Piracy Prevention (Steven Hodgson) .......... 43 Real Time On-line Analytical Processing: Applicability Of Parallel Processing Techniques (Kushatha Kelebeng) ....................................................................................... 49 Evaluating Authentication And Authorisation Method Implementations To Create A More Secure System Within Cloud Computing Technologies (Josh Mallery) ................... 55 A Detailed Analysis Of Current Computing Research Aimed At Improving Facial Recognition Systems (Gary Adam Morrissey) ................................................................... 61 A Critical Analysis Of Current Research Into Stock Market Forecasting Using Artificial Neural Networks (Chris Olsen) ........................................................................... 69 Evaluation of User Authentication Schemes (Sukhdev Singh) .......................................... 77 An Evaluation of Biometric Security Methods for Use on Mobile Devices (Joe van de Bilt) .................................................................................................................. 8

Project BeARCAT : Baselining, Automation and Response for CAV Testbed Cyber Security : Connected Vehicle & Infrastructure Security Assessment

Connected, software-based systems are a driver in advancing the technology of transportation systems. Advanced automated and autonomous vehicles, together with electrification, will help reduce congestion, accidents and emissions. Meanwhile, vehicle manufacturers see advanced technology as enhancing their products in a competitive market. However, as many decades of using home and enterprise computer systems have shown, connectivity allows a system to become a target for criminal intentions. Cyber-based threats to any system are a problem; in transportation, there is the added safety implication of dealing with moving vehicles and the passengers within

A Game-Theoretic Decision-Making Framework for Engineering Self-Protecting Software Systems

Targeted and destructive nature of strategies used by attackers to break down a software system require mitigation approaches with dynamic awareness. Making a right decision, when facing today’s sophisticated and dynamic attacks, is one of the most challenging aspects of engineering self-protecting software systems. The challenge is due to: (i) the consideration of the satisfaction of various security and non-security quality goals and their inherit conflicts with each other when selecting a countermeasure, (ii) the proactive and dynamic nature of these security attacks which make their detection and consequently their mitigation challenging, and (iii) the incorporation of uncertainties such as the intention and strategy of the adversary to attack the software system. These factors motivated the need for a decision-making engine that facilitates adaptive security from a holistic view of the software system and the attacker. Inspired by game theory, in this research work, we model the interactions between the attacker and the software system as a two-player game. Using game-theoretic techniques, the self-protecting software systems is able to: (i) fuse the strategies of attackers into the decision-making model, and (ii) refine the strategies in dynamic attack scenarios by utilizing what has learned from the system’s and adversary’s interactions. This PhD research devises a novel framework with three phases: (i) modeling quality/malicious goals aiming at quantifying them into the decision-making engine, (ii) designing game-theoretic techniques which build the decision model based on the satisfaction level of quality/malicious goals, and (iii) realizing the decision-making engine in a working software system. The framework aims at exhibiting a plug-and-play capability to adapt a game-theoretic technique that suite security goals and requirements of the software. In order to illustrate the plug-and-play capability of our proposed framework, we have designed and developed three decision-making engines. Each engine aims at addressing a different challenge in adaptive security. Hence, three distinct techniques are designed: (i) incentive-based (“IBSP”), (ii) learning-based (“MARGIN”), and (iii) uncertainty-based (“UBSP”). For each engine a game-theoretic approach is taken considering the security requirements and the input information. IBSP maps the quality goals and the incentives of the attacker to the interdependencies among defense and attack strategies. MARGIN, protects the software system against dynamic strategies of attacker. UBSP, handles adversary-type uncertainty. The evaluations of these game-theoretic approaches show the benefits of the proposed framework in terms of satisfaction of security and non-security goals of the software system

Trustworthy Federated Learning: A Survey

Federated Learning (FL) has emerged as a significant advancement in the field of Artificial Intelligence (AI), enabling collaborative model training across distributed devices while maintaining data privacy. As the importance of FL increases, addressing trustworthiness issues in its various aspects becomes crucial. In this survey, we provide an extensive overview of the current state of Trustworthy FL, exploring existing solutions and well-defined pillars relevant to Trustworthy . Despite the growth in literature on trustworthy centralized Machine Learning (ML)/Deep Learning (DL), further efforts are necessary to identify trustworthiness pillars and evaluation metrics specific to FL models, as well as to develop solutions for computing trustworthiness levels. We propose a taxonomy that encompasses three main pillars: Interpretability, Fairness, and Security & Privacy. Each pillar represents a dimension of trust, further broken down into different notions. Our survey covers trustworthiness challenges at every level in FL settings. We present a comprehensive architecture of Trustworthy FL, addressing the fundamental principles underlying the concept, and offer an in-depth analysis of trust assessment mechanisms. In conclusion, we identify key research challenges related to every aspect of Trustworthy FL and suggest future research directions. This comprehensive survey serves as a valuable resource for researchers and practitioners working on the development and implementation of Trustworthy FL systems, contributing to a more secure and reliable AI landscape.Comment: 45 Pages, 8 Figures, 9 Table