Biblio

For the intra-pulse modulation classification of radar signal, traditional deep learning algorithms have poor recognition performance without numerous training samples. Meanwhile, the receiver may intercept few pulse radar signals in the real scenes of electronic reconnaissance. To solve this problem, a structure which is made up of signal pretreatment by Smooth Pseudo Wigner-Ville (SPWVD) analysis algorithm, convolution neural network (CNN) and relation network (RN) is proposed in this study. The experimental results show that its classification accuracy is 94.24% under 20 samples per class training and the signal-to-noise ratio (SNR) is -4dB. Moreover, it can classify the novel types without further updating the network.

Modulated signal identification plays a crucial role in both military reconnaissance and civilian signal regulation. Traditionally, modulated signal identification is based on high-order statistics, but this approach has many drawbacks. With the development of deep learning, its advantages are fully exploited by combining it with modulated signals to avoid the complex process of computing a priori knowledge while having good fault tolerance. In this paper, ten digital modulated signals are classified and recognized, and improvements are made on the basis of convolutional neural networks, using feature reuse to increase the depth of the convolutional layer and extract signal features with better results. After experimental analysis, the recognition accuracy increases with the rise of the signal-to-noise ratio, and can reach 90% and above when the signal-to-noise ratio is 30dB.

The exponential increase in the use of Internet of Things (IoT) devices has been accompanied by a spike in cyberattacks on IoT networks. In this research, we investigate the Bot-IoT dataset with a focus on classifying IoT reconnaissance attacks. Reconnaissance attacks are a foundational step in the cyberattack lifecycle. Our contribution is centered on the building of predictive models with the aid of Random Undersampling (RUS) and ensemble Feature Selection Techniques (FSTs). As far as we are aware, this type of experimentation has never been performed for the Reconnaissance attack category of Bot-IoT. Our work uses the Area Under the Receiver Operating Characteristic Curve (AUC) metric to quantify the performance of a diverse range of classifiers: Light GBM, CatBoost, XGBoost, Random Forest (RF), Logistic Regression (LR), Naive Bayes (NB), Decision Tree (DT), and a Multilayer Perceptron (MLP). For this study, we determined that the best learners are DT and DT-based ensemble classifiers, the best RUS ratio is 1:1 or 1:3, and the best ensemble FST is our ``6 Agree'' technique.

In electronic warfare, communication may not counter reconnaissance and jamming without the help of network-station selection of frequency hopping. The competition in the field of electromagnetic spectrum is becoming more and more fierce with the increasingly complex electromagnetic environment of modern battlefield. The research on detection, identification, parameter estimation and network station selection of frequency hopping communication network has aroused the interest of scholars both at home and abroad, which has been summarized in this paper. Firstly, the working mode and characteristics of two kinds of FH communication networking modes synchronous orthogonal network and asynchronous non orthogonal network are introduced. Then, through the analysis of FH signals time hopping, frequency hopping, bandwidth, frequency, direction of arrival, bad time-frequency analysis, clustering analysis and machine learning method, the feature-based method is adopted Parameter selection technology is used to sort FH network stations. Finally, the key and difficult points of current research on FH communication network separation technology and the research status of blind source separation technology are introduced in details in this paper.

With the rapid development of mobile communication technology, the reconnaissance on terminal capability and identity information is not only an important guarantee to maintain the normal order of mobile communication, but also an essential means to ensure the electromagnetic space security. According to the characteristics of 5G mobile communication terminal's transporting capability and identity information, the smart jamming is first used to make the target terminal away from the 5G network, and then the jamming is turned off at once. Next the terminal will return to the 5G network. Through the time-frequency matching detection method, interactive signals of random access process and network registration between the terminal and the base station are quickly captured in this process, and the scheduling information in Physical Downlink Control Channel (PDCCH) and the capability and identity information in Physical Uplink Shared Channel (PUSCH) are demodulated and decoded under non-cooperative conditions. Finally, the experiment is carried out on the actual 5G communication terminal of China Telecom. The capability and identity information of this terminal are extracted successfully in the Stand Alone (SA) mode, which verifies the effectiveness and correctness of the method. This is a significant technical foundation for the subsequent development on the 5G terminal control equipment.

In the upcoming advent of 6G networks, underwater communications are expected to play a relevant role in the context of overlapping hybrid wireless networks, following a multilayer architecture i.e., aerial-ground-underwater. The concept of Internet of Underwater Things defines different communication and networking technologies, as well as positioning and tracking services, suitable for harsh underwater scenarios. In this paper, we present a footprinting localization algorithm based on optical wireless signals in the visible range. The proposed technique is based on a hybrid Radio Frequency (RF) and Visible Light Communication (VLC) network architecture, where a central RF sensor node holds an environment channel gain map i.e., database, that is exploited for localization estimation computation. A recursive localization algorithm allows to estimate user positions with centimeter-based accuracy, in case of different turbidity scenarios.

Most of existing signal modulation recognition methods attempt to establish a machine learning mechanism by training with a large number of annotated samples, which is hardly applied to the real-world electronic reconnaissance scenario where only a few samples can be intercepted in advance. Few-Shot Learning (FSL) aims to learn from training classes with a lot of samples and transform the knowledge to support classes with only a few samples, thus realizing model generalization. In this paper, a novel FSL framework called Attention Relation Network (ARN) is proposed, which introduces channel and spatial attention respectively to learn a more effective feature representation of support samples. The experimental results show that the proposed method can achieve excellent performance for fine-grained signal modulation recognition even with only one support sample and is robust to low signal-to-noise-ratio conditions.

Automatic modulation recognition (AMR) plays an important role in cognitive radio and electronic reconnaissance applications. In order to solve the problem that the lack of modulation signal data sets, the labeled data sets are generated by the software radio equipment NI-USRP 2920 and LabVIEW software development tool. In this paper, a combined network based on deep learning is proposed to identify ten types of digital modulation signals. Convolutional neural network (CNN) and Inception network are trained on different data sets, respectively. We combine CNN with Inception network to distinguish different modulation signals well. Experimental results show that our proposed method can recognize ten types of digital modulation signals with high identification accuracy, even in scenarios with a low signal-to-noise ratio (SNR).

Thanks to advances in network architecture with Software-Defined Networking (SDN) paradigm, there are various approaches for eliminating attack surface in the largescale networks relied on the essence of the SDN principle. They are ranging from intrusion detection to moving target defense, and cyber deception that leverages the network programmability. Therein, cyber deception is considered as a proactive defense strategy for the usual network operation since it makes attackers spend more time and effort to successfully compromise network systems. In this paper, we concentrate on reconnaissance attacks in SDN-enabled networks to collect the sensitive information for hackers to conduct further attacks. In more details, we introduce SDNRecon tool to perform reconnaissance attacks, which can be useful in evaluating cyber deception techniques deployed in SDN-aware networks.

Advanced persistent threat (APT) attackers usually conduct a large number of network reconnaissance before a formal attack to discover exploitable vulnerabilities in the target network and system. The static configuration in traditional network systems provides a great advantage for adversaries to find network targets and launch attacks. To reduce the effectiveness of adversaries' continuous reconnaissance attacks, this paper develops a moving target defense (MTD) enhanced cyber deception defense system based on software-defined networks (SDN). The system uses virtual network topology to confuse the target network and system information collected by adversaries. Also Besides, it uses IP address randomization to increase the dynamics of network deception to enhance its defense effectiveness. Finally, we implemented the system prototype and evaluated it. In a configuration where the virtual network topology scale is three network segments, and the address conversion cycle is 30 seconds, this system delayed the adversaries' discovery of vulnerable hosts by an average of seven times, reducing the probability of adversaries successfully attacking vulnerable hosts by 83%. At the same time, the increased system overhead is basically within 10%.

Operating system (OS) classification is of growing importance to network administrators and cybersecurity analysts alike. The composition of OSs on a network allows for a better quality of device management to be achieved. Additionally, it can be used to identify devices that pose a security risk to the network. However, the sheer number and diversity of OSs that comprise modern networks have vastly increased this management complexity. We leverage insights from social networking theory to provide an encryption-invariant OS classification technique that is quick to train and widely deployable on various network configurations. In particular, we show how an affiliation graph can be used as an input to a machine learning classifier to predict the OS of a device using only the IP addresses for which the device communicates with.We examine the effectiveness of our approach through an empirical analysis of 498 devices on a university campus’ wireless network. In particular, we show our methodology can classify different OS families (i.e., Apple, Windows, and Android OSs) with an accuracy of 99.3%. Furthermore, we extend this study by: 1) examining distinct OSs (e.g., iOS, OS X, and Windows 10); 2) investigating the interval of time required to make an accurate prediction; and, 3) determining the effectiveness of our approach after six months.

Software Defined Vehicular Networking (SDVN) could be the future of the vehicular networks, enabling interoperability between heterogeneous networks and mobility management. Thus, the deployment of large SDVN is considered. However, SDVN is facing major security issues, in particular, authentication and access control issues. Indeed, an unauthorized SDN controller could modify the behavior of switches (packet redirection, packet drops) and an unauthorized switch could disrupt the operation of the network (reconnaissance attack, malicious feedback). Due to the SDVN features (decentralization, mobility) and the SDVN requirements (flexibility, scalability), the Blockchain technology appears to be an efficient way to solve these authentication and access control issues. Therefore, many Blockchain-based approaches have already been proposed. However, two key challenges have not been addressed: authentication and access control for SDN controllers and high scalability for the underlying Blockchain network. That is why in this paper we propose an innovative and scalable architecture, based on a set of interconnected Blockchain sub-networks. Moreover, an efficient access control mechanism and a cross-sub-networks authentication/revocation mechanism are proposed for all SDVN devices (vehicles, roadside equipment, SDN controllers). To demonstrate the benefits of our approach, its performances are compared with existing solutions in terms of throughput, latency, CPU usage and read/write access to the Blockchain ledger. In addition, we determine an optimal number of Blockchain sub-networks according to different parameters such as the number of certificates to store and the number of requests to process.

A rapid rise in cyber-attacks on Cyber Physical Systems (CPS) has been observed in the last decade. It becomes even more concerning that several of these attacks were on critical infrastructures that indeed succeeded and resulted into significant physical and financial damages. Experimental testbeds capable of providing flexible, scalable and interoperable platform for executing various cybersecurity experiments is highly in need by all stakeholders. A container-based SCADA testbed is presented in this work as a potential platform for executing cybersecurity experiments. Through this testbed, a network traffic containing ARP spoofing is generated that represents a Man in the middle (MITM) attack. While doing so, scanning of different systems within the network is performed which represents a reconnaissance attack. The network traffic generated by both ARP spoofing and network scanning are captured and further used for preparing a dataset. The dataset is utilized for training a network classification model through a machine learning algorithm. Performance of the trained model is evaluated through a series of tests where promising results are obtained.

With the advent of networking technologies and increasing network attacks, Intrusion Detection systems are apparently needed to stop attacks and malicious activities. Various frameworks and techniques have been developed to solve the problem of intrusion detection, still there is need for new frameworks as per the challenging scenario of enormous scale in data size and nature of attacks. Current IDS systems pose challenges on the throughput to work with high speed networks. In this paper we address the issue of high computational overhead of anomaly based IDS and propose the solution using discretization as a data preprocessing step which can drastically reduce the computation overhead. We propose method to provide near real time detection of attacks using only basic flow level features that can easily be extracted from network packets.

Port scans are a persistent problem on contemporary communication networks. Typically used as an attack reconnaissance tool, they can also create problems with application performance and throughput. This paper describes an architecture that deploys sequential neural networks (NNs) to classify packets, separate TCP datagrams, determine the type of TCP packet and detect port scans. Sequential networks allow this lengthy task to learn from the current environment and to be broken up into component parts. Following classification, analysis is performed in order to discover scan attempts. We show that neural networks can be used to successfully classify general packetized traffic at recognition rates above 99% and more complex TCP classes at rates that are also above 99%. We demonstrate that this specific communications task can successfully be broken up into smaller work loads. When tested against actual NMAP scan pcap files, this model successfully discovers open ports and the scan attempts with the same high percentage and low false positives.

In this work, we propose a novel approach for decentralized identifier distribution and synchronization in networks. The protocol generates network entity identifiers composed of timestamps and cryptographically secure random values with a significant reduction of collision probability. The distribution is inspired by Unique Universal Identifiers and Timestamp-based Concurrency Control algorithms originating from database applications. We defined fundamental requirements for the distribution, including: uniqueness, accuracy of distribution, optimal timing behavior, scalability, small impact on network load for different operation modes and overall compliance to common network security objectives. An implementation of the proposed approach is evaluated and the results are presented. Originally designed for a domain of proactive defense strategies known as Moving Target Defense, the general architecture of the protocol enables arbitrary applications where identifier distributions in networks have to be decentralized, rapid and secure.

Device management in large networks is of growing importance to network administrators and security analysts alike. The composition of devices on a network can help forecast future traffic demand as well as identify devices that may pose a security risk. However, the sheer number and diversity of devices that comprise most modern networks have vastly increased the management complexity. Motivated by a need for an encryption-invariant device management strategy, we use affiliation graphs to develop a methodology that reveals key insights into the devices acting on a network using only the source and destination IP addresses. Through an empirical analysis of the devices on a university campus network, we provide an example methodology to infer a device's characteristics (e.g., operating system) through the services it communicates with via the Internet.

An attacker's success crucially depends on the reconnaissance phase of Distributed Denial of Service (DDoS) attacks, which is the first step to gather intelligence. Although several solutions have been proposed against network reconnaissance attacks, they fail to address the needs of legitimate users' requests. Thus, we propose a cloud-based deception framework which aims to confuse the attacker with reconnaissance replies while allowing legitimate uses. The deception is based on for-warding the reconnaissance packets to a cloud infrastructure through tunneling and SDN so that the returned IP addresses to the attacker will not be genuine. For handling legitimate requests, we create a reflected virtual topology in the cloud to match any changes in the original physical network to the cloud topology using SDN. Through experimentations on GENI platform, we show that our framework can provide reconnaissance responses with negligible delays to the network clients while also reducing the management costs significantly.

The performance-driven design of SDN architectures leaves many security vulnerabilities, a notable one being the communication bottleneck between the controller and the switches. Functioning as a cache between the controller and the switches, the flow table mitigates this bottleneck by caching flow rules received from the controller at each switch, but is very limited in size due to the high cost and power consumption of the underlying storage medium. It thus presents an easy target for attacks. Observing that many existing defenses are based on simplistic attack models, we develop a model of intelligent attacks that exploit specific cache-like behaviors of the flow table to infer its internal configuration and state, and then design attack parameters accordingly. Our evaluations show that such attacks can accurately expose the internal parameters of the target flow table and cause measurable damage with the minimum effort.

Software Defined Networking (SDN) is a promising network architecture that aims at providing high flexibility through the separation between network logic (control plane) and forwarding functions (data plane). This separation provides logical centralization of controllers, global network overview, ease of programmability, and a range of new SDN-compliant services. In recent years, the adoption of SDN in enterprise networks has been constantly increasing. In the meantime, new challenges arise in different levels such as scalability, management, and security. In this paper, we elaborate on complex security issues in the current SDN architecture. Especially, reconnaissance attack where attackers generate traffic for the goal of exploring existing services, assets, and overall network topology. To eliminate reconnaissance attack in SDN environment, we propose SDN-based solution by utilizing distributed firewall application, security policy, and OpenFlow counters. Distributed firewall application is capable of tracking the flow based on pre-defined states that would monitor the connection to sensitive nodes toward malicious activity. We utilize Mininet to simulate the testing environment. We are able to detect and mitigate this type of attack at early stage and in average around 7 second.

In recent years, persistent cyber adversaries have developed increasingly sophisticated techniques to evade detection. Once adversaries have established a foothold within the target network, using seemingly-limited passive reconnaissance techniques, they can develop significant network reconnaissance capabilities. Cyber deception has been recognized as a critical capability to defend against such adversaries, but, without an accurate model of the adversary's reconnaissance behavior, current approaches are ineffective against advanced adversaries. To address this gap, we propose a novel model to capture how advanced, stealthy adversaries acquire knowledge about the target network and establish and expand their foothold within the system. This model quantifies the cost and reward, from the adversary's perspective, of compromising and maintaining control over target nodes. We evaluate our model through simulations in the CyberVAN testbed, and indicate how it can guide the development and deployment of future defensive capabilities, including high-interaction honeypots, so as to influence the behavior of adversaries and steer them away from critical resources.

Through time inference attacks, adversaries fingerprint SDN controllers, estimate switches flow-table size, and perform flow state reconnaissance. In fact, timing a SDN and analyzing its results can expose information which later empowers SDN resource-consumption or saturation attacks. In the real world, however, launching such attacks is not easy. This is due to some challenges attackers may encounter while attacking an actual SDN deployment. These challenges, which are not addressed adequately in the related literature, are investigated in this paper. Accordingly, practical solutions to mitigate such attacks are also proposed. Discussed challenges are clarified by means of conducting extensive experiments on an actual cloud data center testbed. Moreover, mitigation schemes have been implemented and examined in details. Experimental results show that proposed countermeasures effectively block time inference attacks.

In this paper we investigate deceptive defense strategies for web servers. Web servers are widely exploited resources in the modern cyber threat landscape. Often these servers are exposed in the Internet and accessible for a broad range of valid as well as malicious users. Common security strategies like firewalls are not sufficient to protect web servers. Deception based Information Security enables a large set of counter measures to decrease the efficiency of intrusions. In this work we depict several techniques out of the reconnaissance process of an attacker. We match these with deceptive counter measures. All proposed measures are implemented in an experimental web server with deceptive counter measure abilities. We also conducted an experiment with honeytokens and evaluated delay strategies against automated scanner tools.

Military reconnaissance in 1999 has paved the way to establish its own, self-reliant and indigenous navigation system. The strategic necessity has been accomplished in 2013 by launching seven satellites in Geo-orbit and underlying Network control center in Bangalore and a new NavIC control center at Lucknow, later in 2016. ISTRAC is one of the premier and amenable center to track the Indian as well as external network satellite launch vehicle and provide house-keeping and inertial navigation (INC) data to launch control center in real time and to project team in off-line. Over the ISTRAC Launch network, Simple Network Management Protocol (SNMP) was disabled due to security and bandwidth reasons. The cons of SNMP comprise security risks that are normal trait whenever applied as an open standard. There is "security through obscurity" linked with any slight-used communications standard in SNMP. Detailed messages are being sent between devices, not just miniature pre-set codes. These cons in the SNMP are found in majority applications and more bandwidth seizure is another contention. Due to the above pros and cones in SNMP in form of open source, available network monitoring system (NMS) could not be employed for link monitoring and immediate decision making in ISTRAC network. The situation has made requisitions to evolve an in-house network monitoring system (NMS). It was evolved for real-time network monitoring as well as communication link performance explication. The evolved system has the feature of Internet control message protocol (ICMP) based link monitoring, 24/7 monitoring of all the nodes, GUI based real-time link status, Summary and individual link statistics on the GUI. It also identifies total downtime and generates summary reports. It does identification for out of order or looped packets, Email and SMS alert to Prime and Redundant system which one is down and repeat alert if the link is failed for more than 30 minutes. It has easy file based configuration and no application restart required. Generation of daily and monthly link status, offline link analysis plot of any day, less consumption of system resources are add-on features. It is fully secured in-house development, calculates total data flow over a network and co-relate data vs link percentage.

We consider a cloud based multiserver system consisting of a set of replica application servers behind a set of proxy (indirection) servers which interact directly with clients over the Internet. We study a proactive moving-target defense to thwart a DDoS attacker's reconnaissance phase and consequently reduce the attack's impact. The defense is effectively a moving-target (motag) technique in which the proxies dynamically change. The system is evaluated using an AWS prototype of HTTP redirection and by numerical evaluations of an “adversarial” coupon-collector mathematical model, the latter allowing larger-scale extrapolations.