
    A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

    Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods for monitoring and classifying the network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art methods for detecting distributed network attacks launched by external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly being adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps in enterprise network security to inspire future research. Comment: Journal paper submitted to Elsevier

    iTeleScope: Intelligent Video Telemetry and Classification in Real-Time using Software Defined Networking

    Video continues to dominate network traffic, yet operators today have poor visibility into the number, duration, and resolutions of the video streams traversing their domain. Current approaches are inaccurate, expensive, or unscalable, as they rely on statistical sampling, middle-box hardware, or packet inspection software. We present iTeleScope, the first intelligent, inexpensive, and scalable SDN-based solution for identifying and classifying video flows in real-time. Our solution is novel in combining dynamic flow rules with telemetry and machine learning, and is built on commodity OpenFlow switches and open-source software. We develop a fully functional system, train it in the lab using multiple machine learning algorithms, and validate its performance to show over 95% accuracy in identifying and classifying video streams from many providers including YouTube and Netflix. Lastly, we conduct tests to demonstrate its scalability to tens of thousands of concurrent streams, and deploy it live on a campus network serving several hundred real users. Our system gives operators of enterprise and carrier networks unprecedented fine-grained real-time visibility of video streaming performance at very low cost. Comment: 12 pages, 16 figures

    Optimal Witnessing of Healthcare IoT Data Using Blockchain Logging Contract

    Verification of data generated by wearable sensors is increasingly becoming a concern for health service providers and insurance companies. There is a need for a verification framework through which various authorities can request a verification service for the local network data of a target IoT device. In this paper, we leverage blockchain as a distributed platform to realize an on-demand verification scheme. This allows authorities to automatically transact with connected devices for witnessing services. A public request is made for witness statements on the data that a target IoT device transmits on its local network, and subsequently devices in close vicinity of the target offer a witnessing service. Our contributions are threefold: (1) We develop a system architecture based on blockchain and smart contracts that enables authorities to dynamically obtain a verification service for the data of a subject device from a distributed set of witnesses that are willing to provide (in a privacy-preserving manner) their local wireless measurements in exchange for a monetary return; (2) We then develop a method to optimally select witnesses such that the verification error is minimized subject to monetary cost constraints; (3) Lastly, we evaluate the efficacy of our scheme using real Wi-Fi session traces collected from a five-storey building with more than thirty access points, representative of a hospital. According to the current pricing schedule of the Ethereum public blockchain, our scheme enables healthcare authorities to verify data transmitted from a typical wearable device with a verification error on the order of 0.01% at a cost of less than two dollars for one hour of witnessing service. Comment: 12 pages, 12 figures

    Verifying and Monitoring IoTs Network Behavior using MUD Profiles

    IoT devices are increasingly being implicated in cyber-attacks, raising community concern about the risks they pose to critical infrastructure, corporations, and citizens. In order to reduce this risk, the IETF is pushing IoT vendors to develop formal specifications of the intended purpose of their IoT devices, in the form of a Manufacturer Usage Description (MUD), so that their network behavior in any operating environment can be locked down and verified rigorously. This paper aims to assist IoT manufacturers in developing and verifying MUD profiles, while also helping adopters of these devices to ensure they are compatible with their organizational policies and to track devices' network behavior based on their MUD profile. Our first contribution is to develop a tool that takes the traffic trace of an arbitrary IoT device as input and automatically generates the MUD profile for it. We contribute our tool as open source, apply it to 28 consumer IoT devices, and highlight insights and challenges encountered in the process. Our second contribution is to apply a formal semantic framework that not only validates a given MUD profile for consistency, but also checks its compatibility with a given organizational policy. We apply our framework to representative organizations and selected devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance testing. Finally, we show how operators can dynamically identify IoT devices using known MUD profiles and monitor their behavioral changes on their network. Comment: 17 pages, 17 figures. arXiv admin note: text overlap with arXiv:1804.0435

    Detecting Anomalous Microflows in IoT Volumetric Attacks via Dynamic Monitoring of MUD Activity

    IoT networks are increasingly becoming the target of sophisticated new cyber-attacks. Anomaly-based detection methods are promising for finding new attacks, but face practical challenges: false-positive alarms, results that are hard to explain, and difficulty scaling cost-effectively. The recent IETF standard called Manufacturer Usage Description (MUD) seems promising for limiting the attack surface of IoT devices by formally specifying their intended network behavior. In this paper, we use SDN to enforce and monitor the expected behavior of each IoT device, and train one-class classifier models to detect volumetric attacks. Our specific contributions are fourfold. (1) We develop a multi-level inferencing model to dynamically detect anomalous patterns in the network activity of MUD-compliant traffic flows via SDN telemetry, followed by packet inspection of anomalous flows. This provides enhanced fine-grained visibility into distributed and direct attacks, allowing us to precisely isolate volumetric attacks at microflow (5-tuple) resolution. (2) We collect traffic traces (benign and a variety of volumetric attacks) from the network behavior of IoT devices in our lab, generate labeled datasets, and make them available to the public. (3) We prototype a full working system (modules are released as open source), demonstrate its efficacy in detecting volumetric attacks on several consumer IoT devices with high accuracy while maintaining low false positives, and provide insights into the cost and performance of our system. (4) We demonstrate how our models scale in environments with a large number of connected IoT devices (with datasets collected from a network of IP cameras on our university campus) by considering various training strategies (per device unit versus per device type), and balancing the accuracy of prediction against the cost of models in terms of size and training time. Comment: 18 pages, 13 figures
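A worked illustration of the two MUD papers above, covering both the profile-generation step (derive a MUD profile from a device's benign flows) and the monitoring step (flag flows outside the profile, and flows inside it whose volume is abnormal). This is an added example, not the tools the authors released. It assumes a simplified flow record (direction, protocol, remote DNS name, remote port, packet count in a fixed window), constructed sample traffic for a hypothetical camera, access-control entries laid out in the shape of RFC 8520 but restricted to DNS-name and port matches, and a peak-times-factor volume rule standing in for the second paper's one-class classifiers:

```python
"""MUD profile round trip: derive a profile from benign flows, re-parse it as
an enforcement point would, then flag flows outside the profile or inside it
but abnormally large.  Added example, not the tools released with the two MUD
papers above; flow layout, sample traffic and the volume rule are assumptions."""
import json
from collections import defaultdict

PROTO_NUM = {"tcp": 6, "udp": 17}
NUM_PROTO = {6: "tcp", 17: "udp"}

# Flow = (direction, proto, remote_host, remote_port, packets); "from" means the
# device initiated it, "to" means a remote peer did.  Hosts are DNS names since
# MUD ACEs match on names.  Both flow lists are constructed for this example.
TRAINING_FLOWS = [
    ("from", "udp", "pool.ntp.org", 123, 12),
    ("from", "tcp", "cloud.vendor.example", 443, 340),
    ("from", "tcp", "cloud.vendor.example", 443, 295),
    ("from", "udp", "pool.ntp.org", 123, 9),
    ("to", "tcp", "controller.lan", 80, 60),
]
TEST_FLOWS = [
    ("from", "tcp", "cloud.vendor.example", 443, 310),   # normal
    ("from", "tcp", "unknown.example", 6667, 40),        # peer not in profile
    ("from", "udp", "pool.ntp.org", 123, 9000),          # allowed peer, flood
    ("to", "tcp", "controller.lan", 80, 15),             # normal inbound
]

def generate_mud(flows, mud_url):
    """Aggregate unique (direction, proto, host, port) into accept ACEs laid
    out in the shape of RFC 8520 (simplified to DNS-name and port matches)."""
    aces = {"from": [], "to": []}
    for direction, proto, host, port in dict.fromkeys(f[:4] for f in flows):
        out = direction == "from"
        host_field = "ietf-acldns:dst-dnsname" if out else "ietf-acldns:src-dnsname"
        port_field = "destination-port" if out else "source-port"
        aces[direction].append({
            "name": f"{direction}-dev-{len(aces[direction])}",
            "matches": {"ipv4": {"protocol": PROTO_NUM[proto], host_field: host},
                        proto: {port_field: {"operator": "eq", "port": port}}},
            "actions": {"forwarding": "accept"},
        })
    acls = {d: f"{d}-ipv4-dev" for d in ("from", "to")}
    return {
        "ietf-mud:mud": {
            "mud-version": 1, "mud-url": mud_url,
            "from-device-policy": {"access-lists": {"access-list": [{"name": acls["from"]}]}},
            "to-device-policy": {"access-lists": {"access-list": [{"name": acls["to"]}]}},
        },
        "ietf-access-control-list:acls": {"acl": [
            {"name": acls[d], "type": "ipv4-acl-type", "aces": {"ace": aces[d]}}
            for d in ("from", "to")]},
    }

def compile_policy(mud_json):
    """Parse serialised MUD into {flow key: ACE name}.  Starting from the JSON
    text mirrors an SDN controller fetching a vendor's published profile."""
    mud = json.loads(mud_json)
    direction_of = {}
    for direction, key in (("from", "from-device-policy"), ("to", "to-device-policy")):
        for entry in mud["ietf-mud:mud"][key]["access-lists"]["access-list"]:
            direction_of[entry["name"]] = direction
    policy = {}
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            ipv4 = ace["matches"]["ipv4"]
            proto = NUM_PROTO[ipv4["protocol"]]
            host = ipv4.get("ietf-acldns:dst-dnsname") or ipv4["ietf-acldns:src-dnsname"]
            ports = ace["matches"][proto]
            port = (ports.get("destination-port") or ports["source-port"])["port"]
            policy[(direction_of[acl["name"]], proto, host, port)] = ace["name"]
    return policy

def learn_volume_baseline(policy, flows):
    """Peak benign packet count per ACE (simple stand-in for a one-class model)."""
    peak = defaultdict(int)
    for direction, proto, host, port, packets in flows:
        ace = policy.get((direction, proto, host, port))
        if ace is not None:
            peak[ace] = max(peak[ace], packets)
    return dict(peak)

def classify(policy, baseline, flows, factor=5):
    """non_compliant: not allowed by the profile; volumetric: allowed peer but
    packets > factor x benign peak; compliant: everything else."""
    verdicts = {"compliant": [], "non_compliant": [], "volumetric": []}
    for flow in flows:
        direction, proto, host, port, packets = flow
        ace = policy.get((direction, proto, host, port))
        if ace is None:
            verdicts["non_compliant"].append(flow)
        elif packets > factor * baseline.get(ace, 0):
            verdicts["volumetric"].append(flow)
        else:
            verdicts["compliant"].append(flow)
    return verdicts

def run_demo():
    """Full round trip on the constructed traffic; returns every stage's result."""
    mud = generate_mud(TRAINING_FLOWS, "https://vendor.example/camera.json")
    policy = compile_policy(json.dumps(mud))
    baseline = learn_volume_baseline(policy, TRAINING_FLOWS)
    return {"policy": policy, "baseline": baseline,
            "verdicts": classify(policy, baseline, TEST_FLOWS)}
```

Running `run_demo()` on the constructed traffic yields one non-compliant flow (the IRC-style port on an unseen peer, which a MUD-enforcing switch would simply drop) and one volumetric flow (the NTP peer is permitted by the profile, so only the per-ACE volume baseline catches it). That second case is the point of monitoring MUD-compliant flows rather than relying on the ACL alone. Two caveats a practitioner should keep in mind: DNS-name ACEs must be resolved to addresses at the enforcement point, and a fixed peak-times-factor rule is far cruder than the trained one-class models the paper evaluates, so treat the threshold here as a placeholder to be replaced by a learned model.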

    Virtualizing the access network via open APIs

    Residential broadband consumption is growing rapidly, increasing the gap between ISP costs and revenues. Meanwhile, the proliferation of Internet-enabled devices is congesting access networks, frustrating end-users and content providers. We propose that ISPs virtualize access infrastructure, using open APIs supported through SDN, to enable dynamic and controlled sharing amongst user streams. Content providers can programmatically provision capacity to user devices to ensure quality of experience, users can match the degree of virtualization to their usage pattern, and ISPs can realize per-stream revenues by slicing their network resources. Using video streaming and bulk transfers as examples, we develop an architecture that specifies the interfaces between the ISP, content provider, and user. We propose an algorithm for optimally allocating network resources, leveraging bulk transfer time elasticity and access path space diversity. Simulations using real traces show that virtualization can reduce video degradation by over 50%, for little extra bulk transfer delay. Lastly, we prototype our system and validate it in a test-bed with real video streaming and file transfers. Our proposal is a first step towards the long-term goal of realizing open and agile access network service quality management that is acceptable to users, ISPs and content providers alike.

    Broadband Fast Lanes and Slow Lanes Powered by Software Defined Networking

    Today's residential Internet is a bundled best-effort service, and does not distinguish between the different types of applications (video streaming, web-browsing, and large file transfers), nor does it cater to the varying needs of household devices (entertainment tablet, work laptop, or connected appliance). This is a problem for users, who want differentiation amongst applications and devices; for content providers (CPs), who want to exercise control over streams of high monetary value; and for Internet service providers (ISPs), who have to carry growing traffic volumes without additional revenues. Solutions to this problem have been elusive to date due to economic, regulatory, and technical challenges, touching upon aspects such as who pays for "fast-lane" service differentiation, how network neutrality is affected, and what mechanisms are used for service differentiation. We believe that the emerging paradigm of software defined networking (SDN) has the potential to address these challenges, since it allows the network to be reconfigured dynamically using open interfaces that can be aligned with business objectives. In this thesis, we first survey the various perspectives on differentiated service delivery, covering the technical, economic, social and regulatory viewpoints, and how they differ in various parts of the world. We also argue why we believe SDN can inspire new solutions that address these viewpoints in a way that is acceptable to ISPs, content providers, and users alike. Second, we propose an architecture for fast and slow lanes controlled by content providers, and perform evaluations to show that it can yield better control of service quality for video streaming, web-browsing, and bulk transfer flows. Third, we develop an economic model to support our architecture, showing that it can benefit three entities: ISP, content provider, and end-user. Fourth, we extend our system to have two-sided control, wherein flow-level control by content providers is augmented with device-level control by end-users; we develop methods to resolve conflicts based on economic incentives. Finally, we show how user-level control can be extended beyond fast and slow lanes to offer value-add services such as quota management and parental controls, which can be executed in today's home networks, with or without ISP support. This thesis paves the way towards dynamic and agile management of the broadband access network in a way that is beneficial to all.
