14 research outputs found
A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection
Enterprise networks that host valuable assets and services are popular and
frequent targets of distributed network attacks. In order to cope with the
ever-increasing threats, industrial and research communities develop systems
and methods to monitor the behaviors of their assets and protect them from
critical attacks. In this paper, we systematically survey related research
articles and industrial systems to highlight the current status of this arms
race in enterprise network security. First, we discuss the taxonomy of
distributed network attacks on enterprise assets, including distributed
denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing
methods in monitoring and classifying network behavior of enterprise hosts to
verify their benign activities and isolate potential anomalies. Third,
state-of-the-art detection methods for distributed network attacks sourced from
external attackers are elaborated, highlighting their merits and bottlenecks.
Fourth, as programmable networks and machine learning (ML) techniques are
increasingly becoming adopted by the community, their current applications in
network security are discussed. Finally, we highlight several research gaps on
enterprise network security to inspire future research.
Comment: Journal paper submitted to Elseive
iTeleScope: Intelligent Video Telemetry and Classification in Real-Time using Software Defined Networking
Video continues to dominate network traffic, yet operators today have poor
visibility into the number, duration, and resolutions of the video streams
traversing their domain. Current approaches are inaccurate, expensive, or
unscalable, as they rely on statistical sampling, middle-box hardware, or
packet inspection software. We present iTelescope, the first intelligent,
inexpensive, and scalable SDN-based solution for identifying and classifying
video flows in real-time. Our solution is novel in combining dynamic flow rules
with telemetry and machine learning, and is built on commodity OpenFlow
switches and open-source software. We develop a fully functional system, train
it in the lab using multiple machine learning algorithms, and validate its
performance to show over 95% accuracy in identifying and classifying video
streams from many providers including Youtube and Netflix. Lastly, we conduct
tests to demonstrate its scalability to tens of thousands of concurrent
streams, and deploy it live on a campus network serving several hundred real
users. Our system gives unprecedented fine-grained real-time visibility of
video streaming performance to operators of enterprise and carrier networks at
very low cost.
Comment: 12 pages, 16 figure
Optimal Witnessing of Healthcare IoT Data Using Blockchain Logging Contract
Verification of data generated by wearable sensors is increasingly becoming
of concern to health service providers and insurance companies. There is a need
for a verification framework through which various authorities can request a
verification service for the local-network data of a target IoT device. In this
paper, we leverage blockchain as a distributed platform to realize an on-demand
verification scheme. This allows authorities to automatically transact with
connected devices for witnessing services. A public request is made for witness
statements on the data of a target IoT that is transmitted on its local
network, and subsequently, devices (in close vicinity of the target IoT) offer
witnessing service.
Our contributions are threefold: (1) We develop a system architecture based
on blockchain and smart contract that enables authorities to dynamically avail
a verification service for data of a subject device from a distributed set of
witnesses which are willing to provide (in a privacy-preserving manner) their
local wireless measurements in exchange for a monetary return; (2) We then develop
a method to optimally select witnesses in such a way that the verification
error is minimized subject to monetary cost constraints; (3) Lastly, we
evaluate the efficacy of our scheme using real Wi-Fi session traces collected
from a five-storeyed building with more than thirty access points,
representative of a hospital. According to the current pricing schedule of the
Ethereum public blockchain, our scheme enables healthcare authorities to verify
data transmitted from a typical wearable device with the verification error of
the order 0.01% at cost of less than two dollars for one-hour witnessing
service.
Comment: 12 pages, 12 figure
Verifying and Monitoring IoTs Network Behavior using MUD Profiles
IoT devices are increasingly being implicated in cyber-attacks, raising
community concern about the risks they pose to critical infrastructure,
corporations, and citizens. In order to reduce this risk, the IETF is pushing
IoT vendors to develop formal specifications of the intended purpose of their
IoT devices, in the form of a Manufacturer Usage Description (MUD), so that
their network behavior in any operating environment can be locked down and
verified rigorously. This paper aims to assist IoT manufacturers in developing
and verifying MUD profiles, while also helping adopters of these devices to
ensure they are compatible with their organizational policies and track devices'
network behavior based on their MUD profile. Our first contribution is to
develop a tool that takes the traffic trace of an arbitrary IoT device as input
and automatically generates the MUD profile for it. We contribute our tool as
open source, apply it to 28 consumer IoT devices, and highlight insights and
challenges encountered in the process. Our second contribution is to apply a
formal semantic framework that not only validates a given MUD profile for
consistency, but also checks its compatibility with a given organizational
policy. We apply our framework to representative organizations and selected
devices, to demonstrate how MUD can reduce the effort needed for IoT acceptance
testing. Finally, we show how operators can dynamically identify IoT devices
using known MUD profiles and monitor their behavioral changes on their network.
Comment: 17 pages, 17 figures. arXiv admin note: text overlap with
arXiv:1804.0435
Detecting Anomalous Microflows in IoT Volumetric Attacks via Dynamic Monitoring of MUD Activity
IoT networks are increasingly becoming target of sophisticated new
cyber-attacks. Anomaly-based detection methods are promising in finding new
attacks, but they face practical challenges: false-positive alarms, results that
are hard to explain, and difficulty scaling cost-effectively. The IETF's recent
standard called Manufacturer Usage Description (MUD) seems promising to limit
the attack surface on IoT devices by formally specifying their intended network
behavior. In this paper, we use SDN to enforce and monitor the expected
behaviors of each IoT device, and train one-class classifier models to detect
volumetric attacks.
Our specific contributions are fourfold. (1) We develop a multi-level
inferencing model to dynamically detect anomalous patterns in network activity
of MUD-compliant traffic flows via SDN telemetry, followed by packet inspection
of anomalous flows. This provides enhanced fine-grained visibility into
distributed and direct attacks, allowing us to precisely isolate volumetric
attacks with microflow (5-tuple) resolution. (2) We collect traffic traces
(benign and a variety of volumetric attacks) from network behavior of IoT
devices in our lab, generate labeled datasets, and make them available to the
public. (3) We prototype a full working system (modules are released as
open-source), demonstrate its efficacy in detecting volumetric attacks on
several consumer IoT devices with high accuracy while maintaining low false
positives, and provide insights into the cost and performance of our system. (4)
We demonstrate how our models scale in environments with a large number of
connected IoTs (with datasets collected from a network of IP cameras in our
university campus) by considering various training strategies (per device unit
versus per device type), and balancing the accuracy of prediction against the
cost of models in terms of size and training time.
Comment: 18 pages, 13 figure
Virtualizing the access network via open APIs
Residential broadband consumption is growing rapidly, increasing the gap between ISP costs and revenues. Meanwhile, proliferation of Internet-enabled devices is congesting access networks, frustrating end-users and content providers. We propose that ISPs virtualize access infrastructure, using open APIs supported through SDN, to enable dynamic and controlled sharing amongst user streams. Content providers can programmatically provision capacity to user devices to ensure quality of experience, users can match the degree of virtualization to their usage pattern, and ISPs can realize per-stream revenues by slicing their network resources. Using video streaming and bulk transfers as examples, we develop an architecture that specifies the interfaces between the ISP, content provider, and user. We propose an algorithm for optimally allocating network resources, leveraging bulk transfer time elasticity and access path space diversity. Simulations using real traces show that virtualization can reduce video degradation by over 50%, for little extra bulk transfer delay. Lastly, we prototype our system and validate it in a test-bed with real video streaming and file transfers. Our proposal is a first step towards the long-term goal of realizing open and agile access network service quality management that is acceptable to users, ISPs and content providers alike.
Broadband Fast Lanes and Slow Lanes Powered by Software Defined Networking
Today's residential Internet is a bundled best-effort service, and does not distinguish between the different types of applications (video streaming, web-browsing, and large file transfers), nor does it cater to varying needs of household devices (entertainment-tablet, work-laptop, or connected-appliance). This is a problem for users, who want differentiation amongst applications and devices; for content providers (CPs), who want to exercise control over streams of high monetary value; and for Internet service providers (ISPs) who have to carry growing traffic volumes without additional revenues. Solutions for this problem have been elusive to-date due to economic, regulatory, and technical challenges, touching upon aspects such as who pays for the "fast-lane" service differentiation, how is network neutrality affected, and what mechanisms are used for service differentiation. We believe that the emerging paradigm of software defined networking (SDN) has the potential to address these challenges, since it allows the network to be reconfigured dynamically using open interfaces that can be aligned with business objectives. In this thesis, we first survey the various perspectives on differentiated service delivery, covering the technical, economic, social and regulatory viewpoints, and how they differ in various parts of the world. We also argue why we believe SDN can inspire new solutions that can address these viewpoints in a way that is acceptable to ISPs, content providers, and users alike. Second, we propose an architecture for fast- and slow-lanes controlled by content providers, and perform evaluations to show that it can yield better control of service quality for video streaming, web-browsing, and bulk transfer flows. Third, we develop an economic model to support our architecture, showing that it can benefit three entities – ISP, content provider, and end-user.
Fourth, we extend our system to have two-sided control, wherein flow-level control by content providers is augmented with device-level control by end-users; we develop methods to resolve conflicts based on economic incentives. Finally, we show how user-level control can be extended beyond fast- and slow-lanes to offer value-add services such as quota management and parental controls, that can be executed in today's home networks, with or without ISP support. This thesis paves the way towards dynamic and agile management of the broadband access network in a way that is beneficial for all.