Biblio

Network covert channels are used in various cyberattacks, including disclosure of sensitive information and enabling stealth tunnels for botnet commands. With time and technology, covert channels are becoming more prevalent, complex, and difficult to detect. The current methods for detection are protocol and pattern specific. This requires the investment of significant time and resources into application of various techniques to catch the different types of covert channels. This paper reviews several patterns of network storage covert channels, describes generation of network traffic dataset with covert channels, and proposes a generic, protocol-independent approach for the detection of network storage covert channels using a supervised machine learning technique. The implementation of the proposed generic detection model can lead to a reduction of necessary techniques to prevent covert channel communication in network traffic. The datasets we have generated for experimentation represent storage covert channels in the IP, TCP, and DNS protocols and are available upon request for future research in this area.

In the last few years, cryptocurrency mining has become more and more important on the Internet activity and nowadays is even having a noticeable impact on the global economy. This has motivated the emergence of a new malicious activity called cryptojacking, which consists of compromising other machines connected to the Internet and leverage their resources to mine cryptocurrencies. In this context, it is of particular interest for network administrators to detect possible cryptocurrency miners using network resources without permission. Currently, it is possible to detect them using IP address lists from known mining pools, processing information from DNS traffic, or directly performing Deep Packet Inspection (DPI) over all the traffic. However, all these methods are still ineffective to detect miners using unknown mining servers or result too expensive to be deployed in real-world networks with large traffic volume. In this paper, we present a machine learning-based method able to detect cryptocurrency miners using NetFlow/IPFIX network measurements. Our method does not require to inspect the packets' payload; as a result, it achieves cost-efficient miner detection with similar accuracy than DPI-based techniques.

An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes the hosts within residential networks (in contrast to those running in a datacenter) to relay their customers' traffic, in an attempt to avoid server- side blocking and detection. With the prominent roles the services could play in the underground business world, little has been done to understand whether they are indeed involved in Cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis on them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about the RESIP services unknown before. Surprisingly, despite the providers' claim that the proxy hosts are willingly joined, many proxies run on likely compromised hosts including IoT devices. Through cross-matching the hosts we discovered and labeled PUP (potentially unwanted programs) logs provided by a leading IT company, we uncovered various illicit operations RESIP hosts performed, including illegal promotion, Fast fluxing, phishing, malware hosting, and others. We also reverse engi- neered RESIP services' internal infrastructures, uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of their security risks.

ASA systems (firewall, IDS, IPS) are probable to become communication bottlenecks in networks with growing network bandwidths. To alleviate this issue, we suggest to use Application-aware mechanism based on Deep Packet Inspection (DPI) to bypass chosen traffic around firewalls. The services of Internet video sharing gained importance and expanded their share of the multimedia market. The Internet video should meet strict service quality (QoS) criteria to make the broadcasting of broadcast television a viable and comparable level of quality. However, since the Internet video relies on packet communication, it is subject to delays, transmission failures, loss of data and bandwidth restrictions that may have a catastrophic effect on the quality of multimedia.

With the growing number of streaming services, internet providers are increasingly needing to be able to identify the types of data and content providers that are being used on their networks. Traditional methods, such as IP and port scanning, are not always available for clients using VPNs or with providers using varying IP addresses. As such, in this paper we explore a potential method using neural networks and Markov Decision Process in order to augment deep packet inspection techniques in identifying the source and class of video streaming services.

Identifying services constituting traffic from given IP network flows is essential to various applications, such as the management of quality of service (QoS) and the prevention of security issues. Typical methods for achieving this objective include identifications based on IP addresses and port numbers. However, such methods are not sufficiently accurate and require improvement. Deep Packet Inspection (DPI) is one of the most promising methods for improving the accuracy of identification. In addition, many current IP flows are encrypted using Transport Layer Security (TLS). Hence, it is necessary for identification methods to analyze flows encrypted by TLS. For that reason, a service identification method based on DPI and n-gram that focuses only on the non-encrypted parts in the TLS session establishment was proposed. However, there is room for improvement in identification accuracy because this method analyzes all the non-encrypted parts including Random Values without protocol analyses. In this paper, we propose a method for identifying the service from given IP flows based on analysis of Server Name Indication (SNI). The proposed method clusters flow according to the value of SNI and identify services from the occurrences of all clusters. Our evaluations, which involve identifications of services on Google and Yahoo sites, demonstrate that the proposed method can identify services more accurately than the existing method.

In today's world the number of consumers of cloud computing is increasing day by day. So, security is a big concern for cloud computing environment to keep user's data safe and secure. Among different types of attacks in cloud one of the harmful and frequently occurred attack is Distributed Denial of Service (DDoS) attack. DDoS is one type of flooding attack which is initiated by sending a large number of invalid packets to limit the services of the victim server. As a result, server can not serve the legitimate requests. DDoS attack can be done by a lot of strategies like malformed packets, IP spoofing, smurf attack, teardrop attack, syn flood attack, local area network denial (LAND) attack etc. This paper focuses on IP spoofing and LAND based DDoS attack. The objective of this paper is to propose an algorithm to detect and prevent IP spoofing and LAND attack. To achieve this objective a new approach is proposed combining two existing solutions of DDoS attack caused by IP spoofing and ill-formed packets. The proposed approach will provide a transparent solution, filter out the spoofed packets and minimize memory exhaustion through minimizing the number of insertions and updates required in the datatable. Finally, the approach is implemented and simulated using CloudSim 3.0 toolkit (a virtual cloud environment) followed by result analysis and comparison with existing algorithms.

With the advent of the network economy and the network society, the network will enter a ubiquitous and omnipresent situation. Economic, cultural, military and social life will strongly depend on the network, while network security issues have become a common concern of all countries in the world. DDOS attack is undoubtedly one of the greatest threats to network security and the defense against DDOS attack is very important. In this paper, the principle of DDOS attack is summarized from the defensive purpose. Then the attack prevention in software definition network is analyzed, and the source, intermediate network, victim and distributed defense strategies are elaborated.

Content Delivery Networks(CDN) is a standout amongst the most encouraging innovations that upgrade performance for its clients' websites by diverting web demands from browsers to topographically dispersed CDN surrogate nodes. However, due to the variable nature of CDN, it suffers from various security and resource allocation issues. The most common attack which is used to bring down a whole network as well as CDN without even finding a loophole in the security is DDoS. In this proposal, we proposed a distributed virtual honeypot model for diminishing DDoS attacks and prevent intrusion in securing CDN. Honeypots are specially utilized to imitate the primary server with the goal that the attack is alleviated to the fake rather than the main server. Our proposed layer based model utilizes honeypot to be more effective reducing the cost of the system as well as maintaining the smooth delivery in geographically dispersed servers without performance degradation.

Distributed Denial of Service(DDoS) attacks have become most important network security threat as the number of devices are connected to internet increases exponentially and reaching an attack volume approximately very high compared to other attacks. To make the network safe and flexible a new networking infrastructure such as Software Defined Networking (SDN) has come into effect, which relies on centralized controller and decoupling of control and data plane. However due to it's centralized controller it is prone to DDoS attacks, as it makes the decision of forwarding of packets based on rules installed in switch by OpenFlow protocol. Out of all different DDoS attacks, UDP (User Datagram Protocol) flooding constitute the most in recent years. In this paper, we have proposed an entropy based DDoS detection and rate limiting based mitigation for efficient service delivery. We have evaluated using Mininet as emulator and Ryu as controller by taking switch as OpenVswitch and obtained better result in terms of bandwidth utilization and hit ratio which consume network resources to make denial of service.

A DDoS attack is a spiteful attempt to disrupt legitimate traffic to a server by overwhelming the target with a flood of requests from geographically dispersed systems. Today attackers prefer DDoS attack methods to disrupt target services as they generate GBs to TBs of random data to flood the target. In existing mitigation strategies, because of lack of resources and not having the flexibility to cope with attacks by themselves, they are not considered to be that effective. So effective DDoS mitigation techniques can be provided using emerging technologies such as blockchain and SDN(Software-Defined Networking). We propose an architecture where a smart contract is deployed in a private blockchain, which facilitates a collaborative DDoS mitigation architecture across multiple network domains. Blockchain application is used as an additional security service. With Blockchain, shared protection is enabled among all hosts. With help of smart contracts, rules are distributed among all hosts. In addition, SDN can effectively enable services and security policies dynamically. This mechanism provides ASes(Autonomous Systems) the possibility to deploy their own DPS(DDoS Prevention Service) and there is no need to transfer control of the network to the third party. This paper focuses on the challenges of protecting a hybridized enterprise from the ravages of rapidly evolving Distributed Denial of Service(DDoS) attack.

Distributed Denial of Service attacks (DDoS) are used by attackers for their effectiveness. This type of attack is one of the most devastating attacks in the Internet. Every year, the intensity of DDoS attacks increases and attackers use sophisticated multi-target DDoS attacks. In this paper, a modular system that allows to increase the filtering capacity linearly and allows to protect against the combination of DDoS attacks is designed and implemented. The main motivation for development of the modular filtering system was to find a cheap solution for filtering DDoS attacks with possibility to increase filtering capacity. The proposed system is based on open-source detection and filtration tools.

SDN is new networking concept which has revolutionized the network architecture in recent years. It decouples control plane from data plane. Architectural change provides re-programmability and centralized control management of the network. At the same time it also increases the complexity of underlying physical infrastructure of the network. Unfortunately, the centralized control of the network introduces new vulnerabilities and attacks. Attackers can exploit the limitation of centralized control by DDoS attack on control plane. The entire network can be compromised by DDoS attack. Based on packet entropy, a solution for mitigation of DDoS attack provided in the proposed scheme.

The growing number of internet based services and applications along with increasing adoption rate of connected wired and wireless devices presents opportunities as well as technical challenges and threads. Distributed Denial of Service (DDoS) attacks have huge devastating effects on internet enabled services. It can be implemented diversely with a variety of tools and codes. Therefore, it is almost impossible to define a single solution to prevent DDoS attacks. The available solutions try to protect internet services from DDoS attacks, but there is no accepted best-practice yet to this security breach. On the other hand, distinguishing DDoS attacks from analogous Flash Events (FEs) wherein huge number of legitimate users try to access a specific internet based services and applications is a tough challenge. Both DDoS attacks and FEs result in unavailability of service, but they should be treated with different countermeasures. Therefore, it is worthwhile to investigate novel methods which can detect well disguising DDoS attacks from similar FE traffic. This paper will contribute to this topic by proposing a hybrid DDoS and FE detection scheme; taking 3 isolated approaches including Kernel Online Anomaly Detection (KOAD), Shannon Entropy and Mahalanobis Distance. In this study, Shannon entropy is utilized with an online machine learning technique to detect abnormal traffic including DDoS attacks and FE traffic. Subsequently, the Mahalanobis distance metric is employed to differentiate DDoS and FE traffic. the purposed method is validated using simulated DDoS attacks, real normal and FE traffic. The results revealed that the Mahalanobis distance metric works well in combination with machine learning approach to detect and discriminate DDoS and FE traffic in terms of false alarms and detection rate.

We have been investigating methods for establishing an effective, immediate defense mechanism against the DDoS attacks on Web applications via hacker botnets, in which this defense mechanism can be immediately active without preparation time, e.g. for training data, usually asked for in existing proposals. In this study, we propose a new mechanism, including new data structures and algorithms, that allow the detection and filtering of large amounts of attack packets (Web request) based on monitoring and capturing the suspect groups of source IPs that can be sending packets at similar patterns, i.e. with very high and similar frequencies. The proposed algorithm places great emphasis on reducing storage space and processing time so it is promising to be effective in real-time attack response.

Distributed Denial of Service (DDoS) attack is one of the major threats to the network services. In this paper, we propose a DDoS attack detection algorithm based on the probability distributions of source IP addresses and destination IP addresses. According to the behavior of source and destination IP addresses during DDoS attack, the distance between these features is calculated and used.It is calculated with using the Greedy algorithm which eliminates some requirements associated with Kullback-Leibler divergence such as having the same rank of the probability distributions. Then frequency modulation is proposed in the detection phase to reduce false alarm rates and to avoid using static threshold. This algorithm is tested on the real data collected from Boğaziçi University network.

Named Data Networking (NDN) is a new network architecture that has been projected as the future of internet architecture. Unlike the traditional internet approach which currently relies on client-server communication models to communicate each other, NDN relies on data as an entity. Hence the users only need the content and applications based on data naming, as there is no IP addresses needed. NDN is different than TCP/IP technology as NDN signs the data with Digital Signature to secure each data authenticity. Regarding huge number of uses on IP-based network, and the minimum number of NDN-based network implementation, the NDN-IP gateway are needed to map and forward the data from IP-based network to NDN-based network, and vice versa. These gateways are called Custom-Router Gateway in this study. The Custom-Router Gateway requires a new mechanism in conducting Digital Signature so that authenticity the data can be verified when it passes through the NDN-IP Custom-Router Gateway. This study propose a method to process the Digital Signature for the packet flows from IP-based network through NDN-based network. Future studies are needed to determine the impact of Digital Signature processing on the performance in forwarding the data from IP-based to NDN-based network and vice versa.

Efficient monitoring of high speed computer networks operating with a 100 Gigabit per second (Gbps) data throughput requires a suitable hardware acceleration of its key components. We present a platform capable of automated designing of hash functions suitable for network flow hashing. The platform employs a multi-objective linear genetic programming developed for the hash function design. We evolved high-quality hash functions and implemented them in a field programmable gate array (FPGA). Several evolved hash functions were combined together in order to form a new reconfigurable hash function. The proposed reconfigurable design significantly reduces the area on a chip while the maximum operation frequency remains very close to the fastest hash functions. Properties of evolved hash functions were compared with the state-of-the-art hash functions in terms of the quality of hashing, area and operation frequency in the FPGA.

With the rapid development of Internet of Things (IoT), distributed denial of service (DDoS) attacks become the important security threat of the IoT. Characteristics of IoT, such as large quantities and simple function, which have easily caused the IoT devices or servers to be attacked and be turned into botnets for launching DDoS attacks. In this paper, we use software-defined networking (SDN) to develop moving target defense (MTD) architecture that increases uncertainty because of ever changing attack surface. In addition, we deploy SDN-based honeypots to mimic IoT devices, luring attackers and malwares. Finally, experimental results show that combination of MTD and SDN-based honeypots can effectively hide network asset from scanner and defend against DDoS attacks in IoT.

Honeypots have become an important tool for capturing attacks. Hybrid honeypots, including the front end and the back end, are widely used in research because of the scalability of the front end and the high interactivity of the back end. However, traditional hybrid honeypots have some problems that the flow control is difficult and topology simulation is not realistic. This paper proposes a new architecture based on SDN applied to the hybrid honeypot system for network topology simulation and attack traffic migration. Our system uses the good expansibility and controllability of the SDN controller to simulate a large and realistic network to attract attackers and redirect high-level attacks to a high-interaction honeypot for attack capture and further analysis. It improves the deficiencies in the network spoofing technology and flow control technology in the traditional honeynet. Finally, we set up the experimental environment on the mininet and verified the mechanism. The test results show that the system is more intelligent and the traffic migration is more stealthy.

NDN has been widely regarded as a promising representation and implementation of information- centric networking (ICN) and serves as a potential candidate for the future Internet architecture. However, the security of NDN is threatened by a significant safety hazard known as an IFA, which is an evolution of DoS and distributed DoS attacks on IP-based networks. The IFA attackers can create numerous malicious interest packets into a named data network to quickly exhaust the bandwidth of communication channels and cache capacity of NDN routers, thereby seriously affecting the routers' ability to receive and forward packets for normal users. Accurate detection of the IFAs is the most critical issue in the design of a countermeasure. To the best of our knowledge, the existing IFA countermeasures still have limitations in terms of detection accuracy, especially for rapidly volatile attacks. This article proposes a TC to detect the distributions of normal and malicious interest packets in the NDN routers to further identify the IFA. The trace back method is used to prevent further attempts. The simulation results show the efficiency of the TC for mitigating the IFAs and its advantages over other typical IFA countermeasures.

Nowadays network applications have more focus on content distribution which is hard to tackle in IP based Internet. Information Centric Network (ICN) have the ability to overcome this problem for various scenarios, specifically for Vehicular Ad Hoc Networks (VANETs). Conventional IP based system have issues like mobility management hence ICN solve this issue because data fetching is not dependent on a particular node or physical location. Many initial investigations have performed on an instance of ICN commonly known as Named Data Networking (NDN). However, NDN exposes the new type of security susceptibilities, poisoning cache attack, flooding Interest attack, and violation of privacy because the content in the network is called by the name. This paper focused on mitigation of Interest flooding attack by proposing new scheme, named Interest Flooding Attack Mitigation Scheme (IFAMS) in Vehicular Named Data Network (VNDN). Simulation results depict that proposed IFAMS scheme mitigates the Interest flooding attack in the network.

Vehicular ad hoc network (VANET) has recently become one of the highly active research areas for wireless networking. Since VANET is a multi-hop wireless network with very high mobility and intermittent connection lifetime, it is important to effectively handle the data dissemination issue in this rapidly changing environment. However, the existing TCP/IP implementation may not fit into such a highly dynamic environment because the nodes in the network must often perform rerouting due to their inconsistency of connectivity. In addition, the drivers in the vehicles may want to acquire some data, but they do not know the address/location of such data storage. Hence, the named data networking (NDN) approach may be more desirable here. The NDN architecture is proposed for the future Internet, which focuses on the delivering mechanism based on the message contents instead of relying on the host addresses of the data. In this paper, a new protocol named roadside unit (RSU) assisted of named data network (RA-NDN) is presented. The RSU can operate as a standalone node [standalone RSU (SA-RSU)]. One benefit of deploying SA-RSUs is the improved network connectivity. This study uses the NS3 and SUMO software packages for the network simulator and traffic simulator software, respectively, to verify the performance of the RA-NDN protocol. To reduce the latency under various vehicular densities, vehicular transmission ranges, and number of requesters, the proposed approach is compared with vehicular NDN via a real-world data set in the urban area of Sathorn road in Bangkok, Thailand. The simulation results show that the RA-NDN protocol improves the performance of ad hoc communications with the increase in data received ratio and throughput and the decrease in total dissemination time and traffic load.

Now-a-days Internet has become mostly content centric. Named Data Network (NDN) has emerged as a promising candidate to cope with the use of today's Internet. Several NDN features such as in-network caching, easier data forwarding, etc. in the routing method bring potential advantages over conventional networks. Despite the advantages, there are many challenges in NDN which are yet to be addressed. In this paper, we address two of such challenges in NDN routing: (1) Huge storage overhead in NDN router (2) High communication over-heads in the network during propagation of routing information updates. We propose changes in existing NDN routing with the aim to provide a low-overhead solution to these problems. Here instead of storing the Link State Data Base (LSDB) in all the routers, it is kept in selected special nodes only. The use of special nodes lowers down the overall storage and update overheads. We also provide supporting algorithms for data forwarding and update for grid network. The performance of the proposed method is evaluated in terms of storage and communication overheads. The results show the overheads are reduced by almost one third as compared to the existing routing method in NDN.

Now-a-days vehicular information network technology is receiving a lot of attention due to its practical as well as safety related applications. By using this technology, participating vehicles can communicate among themselves on the road in order to obtain any interested data or emergency information. In Vehicular Ad-Hoc Network (VANET), due to the fast speed of the vehicles, the traditional host centric approach (i.e. TCP/IP) fails to provide efficient and robust communication between large number of vehicles. Therefore, Named Data Network (NDN) newly proposed Internet architecture is applied in VANET, named as VNDN. In which, the vehicles can communicate with the help of content name rather than vehicle address. In this paper, we explored the concepts and identify the main packet forwarding issues in VNDN. Furthermore, we proposed a protocol, named Control of Useless Interests Flooding (CUIF) in Vehicular Named Data Network. In which, it provides the best and efficient communication environment to users while driving on the highway. CUIF scheme reduces the Interest forwarding storm over the network and control the flooding of useless packets against the direction of a Producer vehicle. Our simulation results show that CUIF scheme decreases the number of outgoing Interest packets as well as data download time in the network.