Biblio

Distributed Denial of Service (DDoS) attacks routinely disrupt access to critical services. Mitigation of these attacks often relies on planned over-provisioning or elastic provisioning of resources, and third-party monitoring, analysis, and scrubbing of network traffic. While volumetric attacks which saturate a victim's network are most common, non-volumetric, low and slow, DDoS attacks can achieve their goals without requiring high traffic volume by targeting vulnerable network protocols or protocol implementations. Non-volumetric attacks, unlike their noisy counterparts, require more sophisticated detection mechanisms, and typically have only post-facto and targeted protocol/application mitigations. In this paper, we introduce our work under the Adaptive Resource Management Enabling Deception (ARMED) effort, which is developing a network-level approach to automatically mitigate sophisticated DDoS attacks through deception-focused adaptive maneuvering. We describe the concept, implementation, and initial evaluation of the ARMED Network Actors (ANAs) that facilitate transparent interception, sensing, analysis, and mounting of adaptive responses that can disrupt the adversary's decision process.

The Internet is vulnerable to bandwidth distributed denial-of-service (BW-DDoS) attacks, wherein many hosts send a huge number of packets to cause congestion and disrupt legitimate traffic. So far, BW-DDoS attacks have employed relatively crude, inefficient, brute force mechanisms; future attacks might be significantly more effective and harmful. To meet the increasing threats, we must deploy more advanced defenses.

Servers in a network are typically assigned a static identity. Static assignment of identities is a cornerstone for adversaries in finding targets. Moving Target Defense (MTD) mutates the environment to increase unpredictability for an attacker. On another side, Software Defined Networks (SDN) facilitate a global view of a network through a central control point. The potential of SDN can not only make network management flexible and convenient, but it can also assist MTD to enhance attack surface obfuscation. In this paper, we propose an effective framework for the prevention, detection, and mitigation of flooding-based Denial of Service (DoS) attacks. Our framework includes a light-weight SDN assisted MTD strategy for network reconnaissance protection and an efficient approach for tackling DoS attacks using Software Defined-Internet Exchange Point (SD-IXP). To assess the effectiveness of the MTD strategy and DoS mitigation scheme, we set two different experiments. Our results confirm the effectiveness of our framework. With the MTD strategy in place, at maximum, barely 16% reconnaissance attempts were successful while the DoS attacks were accurately detected with false alarm rate as low as 7.1%.

Nowadays, most of the world's population has become much dependent on computers for banking, healthcare, shopping, and telecommunication. Security has now become a basic norm for computers and its resources since it has become inherently insecure. Security issues like Denial of Service attacks, TCP SYN Flooding attacks, Packet Dropping attacks and Distributed Denial of Service attacks are some of the methods by which unauthorized users make the resource unavailable to authorized users. There are several security mechanisms like Intrusion Detection System, Anomaly detection and Trust model by which we can be able to identify and counter the abuse of computer resources by unauthorized users. This paper presents a survey of several security mechanisms which have been implemented using Fuzzy logic. Fuzzy logic is one of the rapidly developing technologies, which is used in a sophisticated control system. Fuzzy logic deals with the degree of truth rather than the Boolean logic, which carries the values of either true or false. So instead of providing only two values, we will be able to define intermediate values.

Android is the most commonly used mobile device operation system. The core of Android, the System Server (SS), is a multi-threaded process that provides most of the system services. Based on a new understanding of the security risks introduced by the callback mechanism in system services, we have discovered a general type of design flaw. A vulnerability detection tool has been designed and implemented based on static taint analysis. We applied the tool on all the 80 system services in the SS of Android 5.1.0. With its help, we have discovered six previously unknown vulnerabilities, which are further confirmed on Android 2.3.7-6.0.1. According to our analysis, about 97.3% of the entire 1.4 billion real-world Android devices are vulnerable. Our proof-of-concept attack proves that the vulnerabilities can enable a malicious app to freeze critical system functionalities or soft-reboot the system immediately. It is a neat type of denial-of-service at-tack. We also proved that the attacks can be conducted at mission critical moments to achieve meaningful goals, such as anti anti-virus, anti process-killer, hindering app updates or system patching. After being informed, Google confirmed our findings promptly. Several suggestions on how to use callbacks safely are also proposed to Google.

Security analysts implement various security mechanisms to protect systems from attackers. Even though these mechanisms try to secure systems, a talented attacker may use these same techniques to launch a sophisticated attack. This paper discuss about such an attack called as user account Denial of Service (DoS) where an attacker uses user account lockout features of the application to lockout all user accounts causing an enterprise wide DoS. The attack has being simulated usingastealthy attack mechanism called as Advanced Persistent Threats (APT) using a XMPP based botnet. Through the simulation, researchers discuss about the patterns associated with the attack which can be used to detect the attack in real time and how the attack can be prevented from the perspective of developers, system engineers and security analysts.

Hardware Trojan Threats (HTTs) are stealthy components embedded inside integrated circuits (ICs) with an intention to attack and cripple the IC similar to viruses infecting the human body. Previous efforts have focused essentially on systems being compromised using HTTs and the effectiveness of physical parameters including power consumption, timing variation and utilization for detecting HTTs. We propose a novel metric for hardware Trojan detection coined as HTT detectability metric (HDM) that uses a weighted combination of normalized physical parameters. HTTs are identified by comparing the HDM with an optimal detection threshold; if the monitored HDM exceeds the estimated optimal detection threshold, the IC will be tagged as malicious. As opposed to existing efforts, this work investigates a system model from a designer perspective in increasing the security of the device and an adversary model from an attacker perspective exposing and exploiting the vulnerabilities in the device. Using existing Trojan implementations and Trojan taxonomy as a baseline, seven HTTs were designed and implemented on a FPGA testbed; these Trojans perform a variety of threats ranging from sensitive information leak, denial of service to beat the Root of Trust (RoT). Security analysis on the implemented Trojans showed that existing detection techniques based on physical characteristics such as power consumption, timing variation or utilization alone does not necessarily capture the existence of HTTs and only a maximum of 57% of designed HTTs were detected. On the other hand, 86% of the implemented Trojans were detected with HDM. We further carry out analytical studies to determine the optimal detection threshold that minimizes the summation of false alarm and missed detection probabilities.

With the transition from IPv4 IPv6 protocol to improve network communications, there are concerns about devices and applications' security that must be dealt at the beginning of implementation or during its lifecycle. Automate the vulnerability assessment process reduces management overhead, enabling better management of risks and control of the vulnerabilities. Consequently, it reduces the effort needed for each test and it allows the increase of the frequency of application, improving time management to perform all the other complicated tasks necessary to support a secure network. There are several researchers involved in tests of vulnerability in IPv6 networks, exploiting addressing mechanisms, extension headers, fragmentation, tunnelling or dual-stack networks (using both IPv4 and IPv6 at the same time). Most existing tools use the programming languages C, Java, and Python instead of a language designed specifically to create a suite of tests, which reduces maintainability and extensibility of the tests. This paper presents a solution for IPv6 vulnerabilities scan tests, based on attack simulations, combining passive analysis (observing the manifestation of behaviours of the system under test) and an active one (stimulating the system to become symptomatic). Also, it describes a prototype that simulates and detects denial-of-service attacks on the ICMPv6 Protocol from IPv6. Also, a detailed report is created with the identified vulnerability and the possible existing solutions to mitigate such a gap, thus assisting the process of vulnerability management.

Underpinning the operation of Bitcoin is a peer-to-peer (P2P) network [1] that facilitates the execution of transactions by end users, as well as the transaction confirmation process known as bitcoin mining. The security of this P2P network is vital for the currency to function and subversion of the underlying network can lead to attacks on bitcoin users including theft of bitcoins, manipulation of the mining process and denial of service (DoS). As part of this paper the network protocol and bitcoin core software are analysed, with three bitcoin message exchanges (the connection handshake, GETHEADERS/HEADERS and MEMPOOL/INV) found to be potentially vulnerable to spoofing and use in distributed denial of service (DDoS) attacks. Possible solutions to the identified weaknesses and vulnerabilities are evaluated, such as the introduction of random nonces into network messages exchanges.

Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings - and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS. In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Assumption: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server-side. We identify a service's regex-based input sanitization in its HTML forms or its API, find vulnerable regexes among these regexes, craft ReDoS probes, and pinpoint vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS through their APIs (6 domains; 15 subdomains). Both Microsoft and Amazon Web Services patched their web services as a result of our disclosure. Since these vulnerabilities were from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library, and our patch has been merged. To summarize: in client-visible sanitization logic, some web services advertise Re-DoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions. “Make measurable what cannot be measured.” -Galileo Galilei

Flooding attacks are well-known security threats that can lead to a denial of service (DoS) in computer networks. These attacks consist of an excessive traffic generation, by which an attacker aim to disrupt or interrupt some services in the network. The impact of flooding attacks is not just about some nodes, it can be also the whole network. Many routing protocols are vulnerable to these attacks, especially those using reactive mechanism of route discovery, like AODV. In this paper, we propose a statistical approach to defense against RREQ flooding attacks in MANETs. Our detection mechanism can be applied on AODV-based ad hoc networks. Simulation results prove that these attacks can be detected with a low rate of false alerts.

Always-On Denial of Service (DoS) Trojans with power drain payload can be disastrous in systems where on-chip power resources are limited. These Trojans are designed so that they have no impact on system behavior and hence, harder to detect. A formal verification method is presented to detect sequential always-on DoS Trojans in pipelined circuits and pipelined microprocessors. Since the method is proof-based, it provides a 100% accurate classification of sequential Trojan components. Another benefit of the approach is that it does not require a reference model, which is one of the requirements of many Trojan detection techniques (often a bottleneck to practical application). The efficiency and scalability of the proposed method have been evaluated on 36 benchmark circuits. The most complex of these benchmarks has as many as 135,898 gates. Detection times are very efficient with a 100% rate of detection, i.e., all Trojan sequential elements were detected and all non-trojan sequential elements were classified as such.

This paper provides hardware-independent authentication named as Intelligent Authentication Scheme, which rectifies the design weaknesses that may be exploited by various security attacks. The Intelligent Authentication Scheme protects against various types of security attacks such as password-guessing attack, replay attack, streaming bots attack (denial of service), keylogger, screenlogger and phishing attack. Besides reducing the overall cost, it also balances both security and usability. It is a unique authentication scheme.

Intrusion Detection System (IDS) is a system that could detect suspicious activity in a network. Two approaches are known for IDS, namely signature-based and anomaly-based. The anomaly-based detection method was chosen to detect suspicious and abnormal activity for the system that cannot be performed by the signature-based method. In this study, attack testing was carried out using three DoS tools, namely the LOIC, Torshammer, and Xerxes tools, with a test scenario using IDS and without IDS. From the test results that have been carried out, IDS has successfully detected the attacks that were sent, for the delivery of the most consecutive attack packages, namely Torshammer, Xerxes, and LOIC. In the detection of Torshammer attack tools on the target FTP Server, 9421 packages were obtained, for Xerxes tools as many as 10618 packages and LOIC tools as many as 6115 packages. Meanwhile, attacks on the target Web Server for Torshammer tools were 299 packages, for Xerxes tools as many as 530 packages, and for LOIC tools as many as 103 packages. The accuracy of the IDS performance results is 88.66%, the precision is 88.58% and the false positive rate is 63.17%.

Software Defined Network (SDN) architecture is a new and novel way of network management mechanism. In SDN, switches do not process the incoming packets like conventional network computing environment. They match for the incoming packets in the forwarding tables and if there is none it will be sent to the controller for processing which is the operating system of the SDN. A Distributed Denial of Service (DDoS) attack is a biggest threat to cyber security in SDN network. The attack will occur at the network layer or the application layer of the compromised systems that are connected to the network. In this paper a machine learning based intelligent method is proposed which can detect the incoming packets as infected or not. The different machine learning algorithms adopted for accomplishing the task are Naive Bayes, K-Nearest neighbor (KNN) and Support vector machine (SVM) to detect the anomalous behavior of the data traffic. These three algorithms are compared according to their performances and KNN is found to be the suitable one over other two. The performance measure is taken here is the detection rate of infected packets.

Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Mobile crowdsensing (MCS) is a distributed sensing paradigm that uses a variety of built-in sensors in smart mobile devices to enable ubiquitous acquisition of sensory data from surroundings. However, non-dedicated nature of MCS results in vulnerabilities in the presence of malicious participants to compromise the availability of the MCS components, particularly the servers and participants' devices. In this paper, we focus on Denial of Service attacks in MCS where malicious participants submit illegitimate task requests to the MCS platform to keep MCS servers busy while having sensing devices expend energy needlessly. After reviewing Artificial Intelligence-based security solutions for MCS systems, we focus on a typical location-based and energy-oriented DoS attack, and present a security solution that applies ensemble techniques in machine learning to identify illegitimate tasks and prevent personal devices from pointless energy consumption so as to improve the availability of the whole system. Through simulations, we show that ensemble techniques are capable of identifying illegitimate and legitimate tasks while gradient boosting appears to be a preferable solution with an AUC performance higher than 0.88 in the precision-recall curve. We also investigate the impact of environmental settings on the detection performance so as to provide a clearer understanding of the model. Our performance results show that MCS task legitimacy decisions with high F-scores are possible for both illegitimate and legitimate tasks.

The rapid deployment of IoT systems on the public Internet is not without concerns for the security and privacy of consumers. Security in IoT systems is often poorly engineered and engineering for privacy does notseemtobea concern for vendors at all. Thecombination of poor security hygiene and access to valuable knowledge renders IoT systems a much-sought target for attacks. IoT systems are not only Internet-accessible but also play the role of servers according to the established client-server communication model and are thus configured with static and/or easily predictable IPv6 addresses, rendering them an easy target for attacks. We present 6HOP, a novel addressing scheme for IoT devices. Our proposal is lightweight in operation, requires minimal administration overhead, and defends against reconnaissance attacks, address based correlation as well as denial-of-service attacks. 6HOP therefore exploits the ample address space available in IPv6 networks and provides effective protection this way.

Security is a key component of the network. Software Defined Networking (SDN) is a refined form of traditional network management system. It is a new encouraging approach to design-build and manage networks. SDN decouples control plane (software-based router) and data plane (software-based switch), hence it is programmable. Consequently, it facilitates implementation of security based applications for the prevention of DOS attacks. Various solutions have been proposed by researches for handling of DOS attacks in SDN. However, these solutions are very limited in scope, complex, time consuming and change resistant. In this article, we have proposed a novel model driven framework i.e. MDAP (Model Based DOS Attacks Prevention) Framework. Particularly, a meta model is proposed. As tool support, a tree editor and a Sirius based graphical modeling tool with drag drop palette have been developed in Oboe designer community edition. The tool support allows modeling and visualization of simple and complex network topology scenarios. A Model to Text transformation engine has also been made part of framework that generates java code for the Floodlight SDN controller from the modeled scenario. The validity of proposed framework has been demonstrated via case study. The results prove that the proposed framework can effectively handle DOS attacks in SDN with simplicity as per the true essence of MDSE and can be reliably used for the automation of security based applications in order to deny DOS attacks in SDN.

Microgrids' dependency on communication links exposes the control systems to cyber attack threats. In this work, instead of designing reactive defense approaches, a proacitve moving target defense mechanism is proposed for securing microgrid secondary frequency control from denial of service (DoS) attack. The sensor data is transmitted by following a Markov process, not in a deterministic way. This uncertainty will increase the difficulty for attacker's decision making and thus significantly reduce the attack space. As the system parameters are constantly changing, a gain scheduling based secondary frequency controller is designed to sustain the system performance. Case studies of a microgrid with four inverter-based DGs show the proposed moving target mechanism can enhance the resiliency of the microgrid control systems against DoS attacks.

Nowadays, the Network on Chip (NoC) is widely adopted by multi-core System on Chip (SoC) to meet its communication needs. With the gradual popularization of the Internet of Things (IoT), the application of NoC is increasing. Due to its distribution characteristics on the chip, NoC has gradually become the focus of potential security attacks. Denial of service (DoS) is a typical attack and it is caused by malicious intellectual property (IP) core with unnecessary data packets causing communication congestion and performance degradation. In this article, we propose a novel approach to detect DoS attacks on-line based on random forest algorithm, and detect the router where the attack enters the sensitive communication path. This method targets malicious third-party vendors to implant a DoS Hardware Trojan into the NoC. The data set is generated based on the behavior of multi-core routers triggered by normal and Hardware Trojans. The detection accuracy of the proposed scheme is in the range of 93% to 94%.

Over the last decade, a technology called Internet of Things (IoT) has been evolving at a rapid pace. It enables the development of endless applications in view of availability of affordable components which provide smart ecosystems. The IoT devices are constrained devices which are connected to the internet and perform sensing tasks. Each device is identified by their unique address and also makes use of the Constrained Application Protocol (CoAP) as one of the main web transfer protocols. It is an application layer protocol which does not maintain secure channels to transfer information. For authentication and end-to-end security, Datagram Transport Layer Security (DTLS) is one of the possible approaches to boost the security aspect of CoAP, in addition to which there are many suggested ways to protect the transmission of sensitive information. CoAP uses DTLS as a secure protocol and UDP as a transfer protocol. Therefore, the attacks on UDP or DTLS could be assigned as a CoAP attack. An attack on DTLS could possibly be launched in a single session and a strong authentication mechanism is needed. Man-In-The-Middle attack is one the peak security issues in CoAP as cited by Request For Comments(RFC) 7252, which encompasses attacks like Sniffing, Spoofing, Denial of Service (DoS), Hijacking, Cross-Protocol attacks and other attacks including Replay attacks and Relay attacks. In this work, a client-server architecture is setup, whose end devices communicate using CoAP. Also, a proxy system was installed across the client side to launch an active interception between the client and the server. The work will further be enhanced to provide solutions to mitigate these attacks.

This research was an experimental analysis of the Intrusion Detection Systems(IDS) with Honey Pot conducting through a study of using Honey Pot in tricking, delaying or deviating the intruder to attack new media broadcasting server for IPTV system. Denial of Service(DoS) over wire network and wireless network consisted of three types of attacks: TCP Flood, UDP Flood and ICMP Flood by Honey Pot, where the Honeyd would be used. In this simulation, a computer or a server in the network map needed to be secured by the inactivity firewalls or other security tools for the intrusion of the detection systems and Honey Pot. The network intrusion detection system used in this experiment was SNORT (www.snort.org) developed in the form of the Open Source operating system-Linux. The results showed that, from every experiment, the internal attacks had shown more threat than the external attacks. In addition, attacks occurred through LAN network posted 50% more disturb than attacks occurred on WIFI. Also, the external attacks through LAN posted 95% more attacks than through WIFI. However, the number of attacks presented by TCP, UDP and ICMP were insignificant. This result has supported the assumption that Honey Pot was able to help detecting the intrusion. In average, 16% of the attacks was detected by Honey Pot in every experiment.

Bluetooth technologies have widespread applications in personal area networks, device-to-device communications and forming ad hoc networks. Studying Bluetooth devices security is a challenging task as they lack support for monitor mode available with other wireless networks (e.g. 802.11 WiFi). In addition, the frequency-hoping spread spectrum technique used in its operation necessitates special hardware and software to study its operation. This investigation examines methods for analyzing Bluetooth devices' security and presents a proof-of-concept DoS attack on the Link Manager Protocol (LMP) layer using the InternalBlue framework. Through this study, we demonstrate a method to study Bluetooth device security using existing tools without requiring specialized hardware. Consequently, the methods proposed in the paper can be used to study Bluetooth security in many applications.

Software Defined Networking (SDN) is a paradigm shift that changes the working principles of IP networks by separating the control logic from routers and switches, and logically centralizing it within a controller. In this architecture the control plane (controller) communicates with the data plane (switches) through a control channel using a standards-compliant protocol, that is, OpenFlow. While having a centralized controller creates an opportunity to monitor and program the entire network, as a side effect, it causes the control plane to become a single point of failure. Denial of service (DoS) attacks or even heavy control traffic conditions can easily become real threats to the proper functioning of the controller, which indirectly detriments the entire network. In this paper, we propose a solution to reduce the control traffic generated primarily during table-miss events. We utilize the buffer\_id feature of the OpenFlow protocol, which has been designed to identify individually buffered packets within a switch, reusing it to identify flows buffered as a series of packets during table-miss, which happens when there is no related rule in the switch flow tables that matches the received packet. Thus, we allow the OpenFlow switch to send only the first packet of a flow to the controller for a table-miss while buffering the rest of the packets in the switch memory until the controller responds or time out occurs. The test results show that OpenFlow traffic is significantly reduced when the proposed method is used.