270 research outputs found
Encrypted mal-ware detection
Mal-ware such as viruses and worms are increasingly proliferating through out all networks. Existing schemes that address these issues either assume that the mal-ware is available in its plain-text format which can be detected directly with its signature or that its exploit-code execution is directly recognizable. Hence much of the development in this area has been focussed on generating more efficient signatures or in coming up with improved anomaly-based detection and pattern matching rules. However with secure data being the watch-word and several efficient encryption schemes being developed to obfuscate data and protect its privacy, encrypted mal-ware is very much a clear and present threat. While securing resources from encrypted threats is the need of the hour, equally critical is the privacy of content that needs to be protected. In this paper we discuss encrypted mal-ware detection and propose an efficient IP-packet level scheme for encrypted mal-ware detection that does not compromise the privacy of the data but at the same time helps detect the presence of hidden mal-ware in it. We also propose a new grammar for a generalized representation of all kinds of malicious-signatures. This signature grammar is inclusive of even polymorphic and metamorphic signatures which do not have a straight-forward one-to-one mapping between the signature string and worm-recognition. In a typical system model consisting of several co-operating hosts which are un-intentional senders of mal-ware traffic, where a centralized network monitor functions as the mal-ware detection entity, we show that for a very small memory and processing overhead and almost negligible time-requirements, we achieve a very high detection rate for even the most advanced multi-keyword polymorphic signatures
Formalizing evasion attacks against machine learning security detectors
Recent work has shown that adversarial examples can bypass machine learning-based threat detectors relying on static analysis by applying minimal perturbations.
To preserve malicious functionality, previous attacks either apply trivial manipulations (e.g. padding), potentially limiting their effectiveness, or require running computationally-demanding validation steps to discard adversarial variants that do not correctly execute in sandbox environments.
While machine learning systems for detecting SQL injections have been proposed in the literature, no attacks have been tested against the proposed solutions to assess the effectiveness and robustness of these methods.
In this thesis, we overcome these limitations by developing RAMEn, a unifying framework that (i) can express attacks for different domains, (ii) generalizes previous attacks against machine learning models, and (iii) uses functions that preserve the functionality of manipulated objects.
We provide new attacks for both Windows malware and SQL injection detection scenarios by exploiting the format used for representing these objects.
To show the efficacy of RAMEn, we provide experimental results of our strategies in both white-box and black-box settings.
The white-box attacks against Windows malware detectors show that it takes only the 2% of the input size of the target to evade detection with ease.
To further speed up the black-box attacks, we overcome the issues mentioned before by presenting a novel family of black-box attacks that are both query-efficient and functionality-preserving, as they rely on the injection of benign content, which will never be executed, either at the end of the malicious file, or within some newly-created sections, encoded in an algorithm called GAMMA.
We also evaluate whether GAMMA transfers to other commercial antivirus solutions, and surprisingly find that it can evade many commercial antivirus engines.
For evading SQLi detectors, we create WAF-A-MoLE, a mutational fuzzer that that exploits random mutations of the input samples, keeping alive only the most promising ones.
WAF-A-MoLE is capable of defeating detectors built with different architectures by using the novel practical manipulations we have proposed.
To facilitate reproducibility and future work, we open-source our framework and corresponding attack implementations.
We conclude by discussing the limitations of current machine learning-based malware detectors, along with potential mitigation strategies based on embedding domain knowledge coming from subject-matter experts naturally into the learning process
Communication Subsystems for Satellite Design
The objective of this chapter is to provide a comprehensive end-to-end overview of existing communication subsystems residing on both the satellite bus and payloads. These subsystems include command and mission data handling, telemetry and tracking, and the antenna payloads for both command, telemetry and mission data. The function of each subsystem and the relationships to the others will be described in detail. In addition, the recent application of software defined radio (SDR) to advanced satellite communication system design will be looked at with applications to satellite development, and the impacts on how SDR will affect future satellite missions are briefly discussed
Security in peer-to-peer multimedia communications
Le architetture peer-to-peer (p2p) sono diventate molto popolari negli ultimi anni in conseguenza della grande varietà di servizi che esse possono fornire. Nate principalmente per l'utilizzo come semplice metodo scalabile e decentralizzato per scambiarsi file, sono adesso diventate molto popolari anche per una gran quantità di altri servizi, sfruttando la possibilità di condividere tra peer la banda, la potenza computazionale, la capacità di memorizzazione ed altre risorse.
Tra i possibili usi per cui una tale architettura può essere sfruttata, un campo emergente è lo studio dell’applicazione di tecnologie p2p a comunicazioni VoIP in modo da superare alcuni dei problemi di cui soffrono correntemente le piattaforme centralizzate basate su SIP.
Sfortunatamente, i problemi di sicurezza delle reti p2p sono ancora un campo di studio aperto, sia per il recente sviluppo di una tale piattaforma, sia per i rischi intrinseci di un ambiente distribuito stesso.
Questa tesi ha lo scopo di studiare i problemi di sicurezza e le possibili soluzioni in modo da garantire una comunicazione sicura p2p. La ricerca è stata condotta in due direzioni:
sicurezza a livello di routing e sicurezza a livello applicativo.
Questi rappresentano I due possibili step di uno scenario di comunicazione: prima di tutto si deve trovare in modo sicuro la posizione di chi si vuole chiamare (che può essere memorizzata in una rete p2p stessa), e questo è un problema di lookup sicuro; in un secondo momento bisogna assicurarsi che la persona con cui si sta andando a parlare è veramente chi si voleva e che la comunicazione stessa sia confidenziale e non possa essere modificata; questi sono problemi di autenticazione e confidenzialità .
Per quanto riguarda il primo punto, si sono studiati molti possibili attacchi a reti p2p strutturate e non strutturate, concentrandosi particolarmente sul Sybil attack da cui molti altri attacchi possono derivare.
Dopo un analisi delle possibili contromisure presentate negli anni, ci siamo focalizzati sull’algoritmo DHT Kademlia, uno dei più usati nel mondo, studiando tramite simulazioni la degradazione delle performance in presenza di nodi malevoli. Si sono inoltre studiate contromisure basate su fiducia e reputazione e si è cercato di applicarle ad una rete Kademlia operante in un ambiente con un numero crescente di nodi malevoli.
Per quanto riguarda il secondo punto, come prima cosa abbiamo studiato gli attuali key agreement protocol, focalizzandoci sul numero di messaggi scambiati e cercando di trovare possibili punti deboli persino in protocolli ed algoritmi largamente utilizzati. In un secondo tempo si è proposto un nuovo key agreement protocol basato su MIKEY e ZRTP che li integra nella procedura standard di INVITE di SIP. E’ stata inoltre fatta un’analisi del protocollo proposto. Su queste basi, si è andati oltre, aggiungendo anche metodi di autenticazione basati sui certificati ed un modo per gestire in maniera p2p certificati e firme. Infine, si è anche pensato ad un’architettura dove i certificati sono memorizzati in una rete p2p stessa tramite l’utilizzo di DHT.Peer-to-peer (P2P) architectures became very popular in the last years as a consequence of the great variety of services they can provide. When they were born, they were mainly deployed as a simple, decentralized and scalable way to exchange files, but they have now become very popular also for a lot of different services, exploiting the possibility of sharing bandwidth, computing power, storage capacity and other resources between peers.
Among the possible uses such an architecture can be deployed for, an emerging field of study is the application of P2P technologies to VoIP communication scenarios in order to overcome some of the current issues centralized SIP-based platforms suffer of.
Unfortunately, security issues in P2P networks are still an open field of investigation both because of the recent development of such a platform and for the inherent risks of a distributed environment itself.
This thesis is meant to investigate the security issues and the possible solutions in order to setup a secure P2P communication. The research was conducted into two directions:
- Security issues at routing level;
- Security issues at application level.
They represent the two steps of a possible communication scenario: first of all one must find in a secure way the location of the callee (maybe stored in a peer-to-peer network), this is a problem of secure lookup; then one must ensure that the person he is going to talk with is really who he wanted and that the communication itself is secret and cannot be tampered, these are problems of authentication and confidentiality.
As regards the first point, we studied several possible attacks to structured and unstructured peer-to-peer networks particularly focalizing onto the disruptive Sybil attack from which many other attack can be derived.
After an analysis of the possible countermeasures presented over the years, we focalized onto the Kademlia algorithm, one of the most used in the world, studying through simulations the degradation of performances in presence of malicious nodes.
We also studied trust and reputation countermeasures and tried to apply them to a Kademlia-based network operating in an environment where there is a growing number of malicious nodes.
For the second point, first of all we studied current key agreement protocols focusing on the number of messages and trying to find out possible drawbacks even in widely accepted protocols and algorithms. In a second time we proposed a new key agreement protocol based upon MIKEY and ZRTP integrating them into the standard SIP invite procedure. An analysis of the proposed protocol is also provided. On this basis we got further, adding also certificate-based authentication to our model and a way to manage in a P2P way certificates and signatures. Finally we also provided an architecture where certificates are stored in a P2P network itself with the use of a DHT
Discovery and Group Communication for Constrained Internet of Things Devices using the Constrained Application Protocol
The ubiquitous Internet is rapidly spreading to new domains. This expansion of
the Internet is comparable in scale to the spread of the Internet in the ’90s. The
resulting Internet is now commonly referred to as the Internet of Things (IoT) and
is expected to connect about 50 billion devices by the year 2020. This means that
in just five years from the time of writing this PhD the number of interconnected
devices will exceed the number of humans by sevenfold. It is further expected that
the majority of these IoT devices will be resource constrained embedded devices
such as sensors and actuators. Sensors collect information about the physical world
and inject this information into the virtual world. Next processing and reasoning
can occur and decisions can be taken to enact upon the physical world by injecting
feedback to actuators.
The integration of embedded devices into the Internet introduces new challenges,
since many of the existing Internet technologies and protocols were not
designed for this class of constrained devices. These devices are typically optimized
for low cost and power consumption and thus have very limited power,
memory, and processing resources and have long sleep periods. The networks
formed by these embedded devices are also constrained and have different characteristics
than those typical in todays Internet. These constrained networks have
high packet loss, low throughput, frequent topology changes and small useful payload
sizes. They are referred to as LLN. Therefore, it is in most cases unfeasible to
run standard Internet protocols on this class of constrained devices and/or LLNs.
New or adapted protocols that take into consideration the capabilities of the constrained
devices and the characteristics of LLNs, are required.
In the past few years, there were many efforts to enable the extension of the
Internet technologies to constrained devices. Initially, most of these efforts were
focusing on the networking layer. However, the expansion of the Internet in the
90s was not due to introducing new or better networking protocols. It was a result
of introducing the World Wide Web (WWW), which made it easy to integrate services
and applications. One of the essential technologies underpinning the WWW
was the Hypertext Transfer Protocol (HTTP). Today, HTTP has become a key
protocol in the realization of scalable web services building around the Representational
State Transfer (REST) paradigm. The REST architectural style enables
the realization of scalable and well-performing services using uniform and simple
interfaces. The availability of an embedded counterpart of HTTP and the REST
architecture could boost the uptake of the IoT.
Therefore, more recently, work started to allow the integration of constrained
devices in the Internet at the service level. The Internet Engineering Task Force
(IETF) Constrained RESTful Environments (CoRE) working group has realized
the REST architecture in a suitable form for the most constrained nodes and networks.
To that end the Constrained Application Protocol (CoAP) was introduced,
a specialized RESTful web transfer protocol for use with constrained networks and
nodes. CoAP realizes a subset of the REST mechanisms offered by HTTP, but is
optimized for Machine-to-Machine (M2M) applications.
This PhD research builds upon CoAP to enable a better integration of constrained
devices in the IoT and examines proposed CoAP solutions theoretically
and experimentally proposing alternatives when appropriate. The first part of this
PhD proposes a mechanism that facilitates the deployment of sensor networks
and enables the discovery, end-to-end connectivity and service usage of newly
deployed sensor nodes. The proposed approach makes use of CoAP and combines
it with Domain Name System (DNS) in order to enable the use of userfriendly
Fully Qualified Domain Names (FQDNs) for addressing sensor nodes. It
includes the automatic discovery of sensors and sensor gateways and the translation
of HTTP to CoAP, thus making the sensor resources globally discoverable and
accessible from any Internet-connected client using either IPv6 addresses or DNS
names both via HTTP or CoAP. As such, the proposed approach provides a feasible
and flexible solution to achieve hierarchical self-organization with a minimum
of pre-configuration. By doing so we minimize costly human interventions and
eliminate the need for introducing new protocols dedicated for the discovery and
organization of resources. This reduces both cost and the implementation footprint
on the constrained devices.
The second, larger, part of this PhD focuses on using CoAP to realize communication
with groups of resources. In many IoT application domains, sensors
or actuators need to be addressed as groups rather than individually, since individual
resources might not be sufficient or useful. A simple example is that all
lights in a room should go on or off as a result of the user toggling the light switch.
As not all IoT applications may need group communication, the CoRE working
group did not include it in the base CoAP specification. This way the base protocol
is kept as efficient and as simple as possible so it would run on even the most
constrained devices. Group communication and other features that might not be
needed by all devices are standardized in a set of optional separate extensions. We
first examined the proposed CoAP extension for group communication, which utilizes
Internet Protocol version 6 (IPv6) multicasts. We highlight its strengths and
weaknesses and propose our own complementary solution that uses unicast to realize
group communication. Our solution offers capabilities beyond simple group
communication. For example, we provide a validation mechanism that performs
several checks on the group members, to make sure that combining them together
is possible. We also allow the client to request that results of the individual members
are processed before they are sent to the client. For example, the client can
request to obtain only the maximum value of all individual members.
Another important optional extension to CoAP allows clients to continuously
observe resources by registering their interest in receiving notifications from CoAP
servers once there are changes to the values of the observed resources. By using
this publish/subscribe mechanism the client does not need to continuously poll the
resource to find out whether it has changed its value. This typically leads to more
efficient communication patterns that preserve valuable device and LLN resources.
Unfortunately CoAP observe does not work together with the CoAP group communication
extension, since the observe extension assumes unicast communication
while the group communication extension only support multicast communication.
In this PhD we propose to extend our own group communication solution to offer
group observation capabilities. By combining group observation with group
processing features, it becomes possible to notify the client only about certain
changes to the observed group (e.g., the maximum value of all group members has
changed).
Acknowledging that the use of multicast as well as unicast has strengths and
weaknesses we propose to extend our unicast based solution with certain multicast
features. By doing so we try to combine the strengths of both approaches to obtain
a better overall group communication that is flexible and that can be tailored
according to the use case needs.
Together, the proposed mechanisms represent a powerful and comprehensive
solution to the challenging problem of group communication with constrained devices.
We have evaluated the solutions proposed in this PhD extensively and in
a variety of forms. Where possible, we have derived theoretical models and have
conducted numerous simulations to validate them. We have also experimentally
evaluated those solutions and compared them with other proposed solutions using
a small demo box and later on two large scale wireless sensor testbeds and under
different test conditions. The first testbed is located in a large, shielded room,
which allows testing under controlled environments. The second testbed is located
inside an operational office building and thus allows testing under normal operation
conditions. Those tests revealed performance issues and some other problems.
We have provided some solutions and suggestions for tackling those problems.
Apart from the main contributions, two other relevant outcomes of this PhD are
described in the appendices. In the first appendix we review the most important
IETF standardization efforts related to the IoT and show that with the introduction
of CoAP a complete set of standard protocols has become available to cover the
complete networking stack and thus making the step from the IoT into the Web
of Things (WoT). Using only standard protocols makes it possible to integrate
devices from various vendors into one bigWoT accessible to humans and machines
alike.
In the second appendix, we provide an alternative solution for grouping constrained
devices by using virtualization techniques. Our approach focuses on the
objects, both resource-constrained and non-constrained, that need to cooperate
by integrating them into a secured virtual network, named an Internet of Things
Virtual Network or IoT-VN. Inside this IoT-VN full end-to-end communication
can take place through the use of protocols that take the limitations of the most
resource-constrained devices into account. We describe how this concept maps to
several generic use cases and, as such, can constitute a valid alternative approach
for supporting selected applications
Secure channel establishment in disadvantaged networks : TLS optimization using intercepting proxies
Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2009.Cataloged from PDF version of thesis.Includes bibliographical references (p. 65-66).Transport Layer Security (TLS) is a secure communication protocol that is used in many secure electronic applications. In order to establish a TLS connection, a client and server engage in a handshake, which usually involves the transmission of digital certificates. In this thesis we develop a practical speedup of TLS handshakes over bandwidth-constrained, high-latency (i.e. disadvantaged) links by reducing the communication overhead associated with the transmission of digital certificates. This speedup is achieved by deploying two specialized TLS proxies across such links. Working in tandem, one proxy will replace certificate data in packets being sent across the disadvantaged link with a short reference, while the proxy on the other side of the link will restore the certificate data in the packet. The certificate data will be supplied by local or remote caches. Our solution preserves the end-to-end security of TLS and is designed to be transparent to third-party applications, and will thus facilitate rapid deployment by removing the need to modify existing installations of TLS clients and TLS servers. Testing shows that this technique can reduce the overall bandwidth used during a handshake by over 50%, and can reduce the time required to establish a secure channel by over 40% across Iridium links.by Sam McVeety.M.Eng
- …