Biblio

Found 913 results

Filters: Keyword is computer network security
2020-06-29
Liang, Xiaoyu, Znati, Taieb.  2019.  An empirical study of intelligent approaches to DDoS detection in large scale networks. 2019 International Conference on Computing, Networking and Communications (ICNC). :821–827.
Distributed Denial of Services (DDoS) attacks continue to be one of the most challenging threats to the Internet. The intensity and frequency of these attacks are increasing at an alarming rate. Numerous schemes have been proposed to mitigate the impact of DDoS attacks. This paper presents a comprehensive empirical evaluation of Machine Learning (ML)-based DDoS detection techniques, to gain better understanding of their performance in different types of environments. To this end, a framework is developed, focusing on different attack scenarios, to investigate the performance of a class of ML-based techniques. The evaluation uses different performance metrics, including the impact of the “Class Imbalance Problem” on ML-based DDoS detection. The results of the comparative analysis show that no one technique outperforms all others in all test cases. Furthermore, the results underscore the need for a method oriented feature selection model to enhance the capabilities of ML-based detection techniques. Finally, the results show that the class imbalance problem significantly impacts performance, underscoring the need to address this problem in order to enhance ML-based DDoS detection capabilities.
Sun, Wenwen, Li, Yi, Guan, Shaopeng.  2019.  An Improved Method of DDoS Attack Detection for Controller of SDN. 2019 IEEE 2nd International Conference on Computer and Communication Engineering Technology (CCET). :249–253.
For controllers of Software Defined Network (SDN), Distributed Denial of Service (DDoS) attacks are still the simplest and most effective way to attack. Aiming at this problem, a real-time DDoS detection attack method for SDN controller is proposed. The method first uses the entropy to detect whether the flow is abnormal. After the abnormal warning is issued, the flow entry of the OpenFlow switch is obtained, and the DDoS attack feature in the SDN environment is analyzed to extract important features related to the attack. The BiLSTM-RNN neural network algorithm is used to train the data set, and the BiLSTM model is generated to classify the real-time traffic to realize the DDoS attack detection. Experiments show that, compared with other methods, this method can efficiently implement DDoS attack traffic detection and reduce controller overhead in SDN environment.
2020-06-26
Yan, Liang.  2019.  Dynamic Mulitiple Agent Based IoT Security Management System. 2019 IEEE 2nd International Conference on Information Communication and Signal Processing (ICICSP). :48–51.

It is important to provide strong security for IoT devices with limited security related resources. We introduce a new dynamic security agent management framework, which dynamically chooses the best security agent to support security functions depending on the applications' security requirements of IoT devices in the system. This framework is designed to overcome the challenges including high computation costs, multiple security protocol compatibility, and efficient energy management in IoT system.

Maria Verzegnassi, Enrico Giulio, Tountas, Konstantinos, Pados, Dimitris A., Cuomo, Francesca.  2019.  Data Conformity Evaluation: A Novel Approach for IoT Security. 2019 IEEE 5th World Forum on Internet of Things (WF-IoT). :842–846.

We consider the problem of attack detection for IoT networks based only on passively collected network parameters. For the first time in the literature, we develop a blind attack detection method based on data conformity evaluation. Network parameters collected passively, are converted to their conformity values through iterative projections on refined L1-norm tensor subspaces. We demonstrate our algorithmic development in a case study for a simulated star topology network. Type of attack, affected devices, as well as, attack time frame can be easily identified.

Niedermaier, Matthias, Fischer, Florian, Merli, Dominik, Sigl, Georg.  2019.  Network Scanning and Mapping for IIoT Edge Node Device Security. 2019 International Conference on Applied Electronics (AE). :1–6.

The amount of connected devices in the industrial environment is growing continuously, due to the ongoing demands of new features like predictive maintenance. New business models require more data, collected by IIoT edge node sensors based on inexpensive and low performance Microcontroller Units (MCUs). A negative side effect of this rise of interconnections is the increased attack surface, enabled by a larger network with more network services. Attaching badly documented and cheap devices to industrial networks often without permission of the administrator even further increases the security risk. A decent method to monitor the network and detect “unwanted” devices is network scanning. Typically, this scanning procedure is executed by a computer or server in each sub-network. In this paper, we introduce network scanning and mapping as a building block to scan directly from the Industrial Internet of Things (IIoT) edge node devices. This module scans the network in a pseudo-random periodic manner to discover devices and detect changes in the network structure. Furthermore, we validate our approach in an industrial testbed to show the feasibility of this approach.

2020-06-22
Arji, Dian Abadi, Rukmana, Fandhy Bayu, Sari, Riri Fitri.  2019.  A Design of Digital Signature Mechanism in NDN-IP Gateway. 2019 International Conference on Information and Communications Technology (ICOIACT). :255–260.
Named Data Networking (NDN) is a new network architecture that has been projected as the future of internet architecture. Unlike the traditional internet approach which currently relies on client-server communication models to communicate each other, NDN relies on data as an entity. Hence the users only need the content and applications based on data naming, as there is no IP addresses needed. NDN is different than TCP/IP technology as NDN signs the data with Digital Signature to secure each data authenticity. Regarding huge number of uses on IP-based network, and the minimum number of NDN-based network implementation, the NDN-IP gateways are needed to map and forward the data from IP-based network to NDN-based network, and vice versa. These gateways are called Custom-Router Gateway in this study. The Custom-Router Gateway requires a new mechanism in conducting Digital Signature so that authenticity of the data can be verified when it passes through the NDN-IP Custom-Router Gateway. This study proposes a method to process the Digital Signature for the packet flows from IP-based network through NDN-based network. Future studies are needed to determine the impact of Digital Signature processing on the performance in forwarding the data from IP-based to NDN-based network and vice versa.
2020-06-19
Haefner, Kyle, Ray, Indrakshi.  2019.  ComplexIoT: Behavior-Based Trust For IoT Networks. 2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA). :56–65.

This work takes a novel approach to classifying the behavior of devices by exploiting the single-purpose nature of IoT devices and analyzing the complexity and variance of their network traffic. We develop a formalized measurement of complexity for IoT devices, and use this measurement to precisely tune an anomaly detection algorithm for each device. We postulate that IoT devices with low complexity lead to a high confidence in their behavioral model and have a correspondingly more precise decision boundary on their predicted behavior. Conversely, complex general purpose devices have lower confidence and a more generalized decision boundary. We show that there is a positive correlation to our complexity measure and the number of outliers found by an anomaly detection algorithm. By tuning this decision boundary based on device complexity we are able to build a behavioral framework for each device that reduces false positive outliers. Finally, we propose an architecture that can use this tuned behavioral model to rank each flow on the network and calculate a trust score ranking of all traffic to and from a device which allows the network to autonomously make access control decisions on a per-flow basis.

Novak, Marek, Skryja, Petr.  2019.  Efficient Partial Firmware Update for IoT Devices with Lua Scripting Interface. 2019 29th International Conference Radioelektronika (RADIOELEKTRONIKA). :1–4.

The paper introduces a method of efficient partial firmware update with several advantages compared to common methods. The amount of data to transfer for an update is reduced, the energetic efficiency is increased and as the method is designed for over the air update, the radio spectrum occupancy is decreased. Herein described approach uses Lua scripting interface to introduce updatable fragments of invokable native code. This requires a dedicated memory layout, which is herein introduced. This method allows not only to distribute patches for deployed systems, but also on demand add-ons. At the end, the security aspects of proposed firmware update system is discussed and its limitations are presented.

Garrido, Pablo, Sanchez, Isabel, Ferlin, Simone, Aguero, Ramon, Alay, Ozgu.  2019.  Poster: rQUIC - integrating FEC with QUIC for robust wireless communications. 2019 IFIP Networking Conference (IFIP Networking). :1–2.

Quick UDP Internet Connections (QUIC) is an experimental transport protocol designed to primarily reduce connection establishment and transport latency, as well as to improve security standards with default end-to-end encryption in HTTP-based applications. QUIC is a multiplexed and secure transport protocol fostered by Google and its design emerged from the urgent need of innovation in the transport layer, mainly due to difficulties extending TCP and deploying new protocols. While still under standardisation, a non-negligible fraction of the Internet's traffic, more than 7% of a European Tier1-ISP, is already running over QUIC and it constitutes more than 30% of Google's egress traffic [1].

Michel, François, De Coninck, Quentin, Bonaventure, Olivier.  2019.  QUIC-FEC: Bringing the benefits of Forward Erasure Correction to QUIC. 2019 IFIP Networking Conference (IFIP Networking). :1–9.

Originally implemented by Google, QUIC gathers a growing interest by providing, on top of UDP, the same service as the classical TCP/TLS/HTTP/2 stack. The IETF will finalise the QUIC specification in 2019. A key feature of QUIC is that almost all its packets, including most of its headers, are fully encrypted. This prevents eavesdropping and interferences caused by middleboxes. Thanks to this feature and its clean design, QUIC is easier to extend than TCP. In this paper, we revisit the reliable transmission mechanisms that are included in QUIC. More specifically, we design, implement and evaluate Forward Erasure Correction (FEC) extensions to QUIC. These extensions are mainly intended for high-delays and lossy communications such as In-Flight Communications. Our design includes a generic FEC frame and our implementation supports the XOR, Reed-Solomon and Convolutional RLC error-correcting codes. We also conservatively avoid hindering the loss-based congestion signal by distinguishing the packets that have been received from the packets that have been recovered by the FEC. We evaluate its performance by applying an experimental design covering a wide range of delay and packet loss conditions with reproducible experiments. These confirm that our modular design allows the protocol to adapt to the network conditions. For long data transfers or when the loss rate and delay are small, the FEC overhead negatively impacts the download completion time. However, with high packet loss rates and long delays or smaller files, FEC allows drastically reducing the download completion time by avoiding costly retransmission timeouts. These results show that there is a need to use FEC adaptively to the network conditions.

2020-06-15
Khadr, Monette H., Elgala, Hany, Ayyash, Moussa, Little, Thomas, Khreishah, Abdallah, Rahaim, Michael.  2018.  Security Aware Spatial Modulation (SA-SM). 2018 IEEE 39th Sarnoff Symposium. :1–6.
Multiple-input multiple-output (MIMO) techniques are currently the de facto approach for increasing the capacity and reliability of communication systems. Spatial modulation (SM) is presently one of the most eminent MIMO techniques. As, it combines the advantages of having higher spectral efficiency than repetition coding (RC) while overcoming the inter-channel interference (ICI) faced by spatial multiplexing (SMP). Moreover, SM reduces system complexity. In this paper, for the first time in literature, the use of MIMO techniques is explored in Internet-of-Things (IoT) deployments by introducing a novel technique called security aware spatial modulation (SA-SM). SA-SM provides a low complexity, secure and spectrally efficient technique that harvests the advantages of SM, while facing the arising security concerns of IoT systems. Using an undemanding modification at the receiver, SA-SM gives an extra degree of technology independent physical layer security. Our results show that SA-SM forces the bit-error-rate (BER) of an eavesdropper to not exceed the range of 10⁻², which is below the forward-error-correction (FEC) threshold. Hence, it eradicates the ability of an eavesdropper to properly decode the transmitted signal. Additionally, the efficiency of SA-SM is verified in both the radio and visible light ranges. Furthermore, SA-SM is capable of reducing the peak-to-average-power-ratio (PAPR) by 26.2%.
Chen, JiaYou, Guo, Hong, Hu, Wei.  2019.  Research on Improving Network Security of Embedded System. 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). :136–138.
With the continuous development of information technology, our country has achieved great progress and development in Electronic Science and technology. Nowadays mobile embedded systems are gradually coming into people's vision. Mobile embedded system is a brand-new computer technology in the current computer technology. Now it has been widely used in enterprises. Mobile embedded system extends its functions mainly by combining the access capability of the Internet. Nowadays, embedded system network is widely welcomed by people. But for the embedded system network, there are also a variety of network attacks. Therefore, in the research process of this paper, we mainly start with the way of embedded network security and network attack, and then carry out the countermeasures to improve the network security of embedded system, which is to provide a good reference for improving the security and stability of embedded system.
2020-06-12
Chiba, Zouhair, Abghour, Noreddine, Moussaid, Khalid, Omri, Amina El, Rida, Mohamed.  2018.  A Hybrid Optimization Framework Based on Genetic Algorithm and Simulated Annealing Algorithm to Enhance Performance of Anomaly Network Intrusion Detection System Based on BP Neural Network. 2018 International Symposium on Advanced Electrical and Communication Technologies (ISAECT). :1–6.

Today, network security is a world hot topic in computer security and defense. Intrusions and attacks in network infrastructures lead mostly to huge financial losses, massive sensitive data leaks, thus decreasing efficiency, competitiveness and the quality of productivity of an organization. Network Intrusion Detection System (NIDS) is a valuable tool for the defense-in-depth of computer networks. It is widely deployed in network architectures in order to monitor, to detect and eventually respond to any anomalous behavior and misuse which can threaten confidentiality, integrity and availability of network resources and services. Thus, the presence of NIDS in an organization plays a vital part in attack mitigation, and it has become an integral part of a secure organization. In this paper, we propose to optimize a very popular soft computing tool widely used for intrusion detection namely Back Propagation Neural Network (BPNN) using a novel hybrid Framework (GASAA) based on improved Genetic Algorithm (GA) and Simulated Annealing Algorithm (SAA). GA is improved through an optimization strategy, namely Fitness Value Hashing (FVH), which reduces execution time, convergence time and saves processing power. Experimental results on KDD CUP' 99 dataset show that our optimized ANIDS (Anomaly NIDS) based BPNN, called “ANIDS BPNN-GASAA” outperforms several state-of-art approaches in terms of detection rate and false positive rate. In addition, improvement of GA through FVH has saved processing power and execution time. Thereby, our proposed IDS is very much suitable for network anomaly detection.

2020-06-08
Huang, Jiamin, Lu, Yueming, Guo, Kun.  2019.  A Hybrid Packet Classification Algorithm Based on Hash Table and Geometric Space Partition. 2019 IEEE Fourth International Conference on Data Science in Cyberspace (DSC). :587–592.
The emergence of integrated space-ground network (ISGN), with more complex network conditions compared with tradition network, requires packet classification to achieve high performance. Packet classification plays an important role in the field of network security. Although several existing classification schemes have been proposed recently to improve classification performance, the performance of these schemes is unable to meet the high-speed packet classification requirement in ISGN. To tackle this problem, a hybrid packet classification algorithm based on hash table and geometric space partition (HGSP) is proposed in this paper. HGSP falls into two sections: geometric space partition and hash matching. To improve the classification speed under the same accuracy, a parallel structure of hash table is designed to match the huge packets for classifying. The experimental results demonstrate that the matching time of HGSP algorithm is reduced by 40%-70% compared with traditional Hicuts algorithm. Particularly, with the growth of ruleset, the advantage of HGSP algorithm will become more obvious.
van den Berg, Eric, Robertson, Seth.  2019.  Game-Theoretic Planning to Counter DDoS in NEMESIS. MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). :1–6.
NEMESIS provides powerful and cost-effective defenses against extreme Distributed Denial of Service (DDoS) attacks through a number of network maneuvers. However, selection of which maneuvers to deploy when and with what parameters requires great care to achieve optimal outcomes in the face of overwhelming attack. Analytical wargaming allows game theoretic optimal Courses of Action (COA) to be created real-time during live operations, orders of magnitude faster than packet-level simulation and with equivalent outcomes to even expert human hand-crafted COAs.
2020-06-03
Duy, Phan The, Do Hoang, Hien, Thu Hien, Do Thi, Ba Khanh, Nguyen, Pham, Van-Hau.  2019.  SDNLog-Foren: Ensuring the Integrity and Tamper Resistance of Log Files for SDN Forensics using Blockchain. 2019 6th NAFOSTED Conference on Information and Computer Science (NICS). :416–421.

Despite bringing many benefits of global network configuration and control, Software Defined Networking (SDN) also presents potential challenges for both digital forensics and cybersecurity. In fact, there are various attacks targeting a range of vulnerabilities on vital elements of this paradigm such as controller, Northbound and Southbound interfaces. In addition to solutions of security enhancement, it is important to build mechanisms for digital forensics in SDN which provide the ability to investigate and evaluate the security of the whole network system. It should provide features of identifying, collecting and analyzing log files and detailed information about network devices and their traffic. However, upon penetrating a machine or device, hackers can edit, even delete log files to remove the evidences about their presence and actions in the system. In this case, securing log files with fine-grained access control in proper storage without any modification plays a crucial role in digital forensics and cybersecurity. This work proposes a blockchain-based approach to improve the security of log management in SDN for network forensics, called SDNLog-Foren. This model is also evaluated with different experiments to prove that it can help organizations keep sensitive log data of their network system in a secure way regardless of being compromised at some different components of SDN.

2020-06-01
Nandhini, P.S., Mehtre, B.M..  2019.  Intrusion Detection System Based RPL Attack Detection Techniques and Countermeasures in IoT: A Comparison. 2019 International Conference on Communication and Electronics Systems (ICCES). :666–672.

Routing Protocol for Low power and Lossy Network (RPL) is a light weight routing protocol designed for LLN (Low Power Lossy Networks). It is a source routing protocol. Due to constrained nature of resources in LLN, RPL is exposed to various attacks such as blackhole attack, wormhole attack, rank attack, version attack, etc. IDS (Intrusion Detection System) is one of the countermeasures for detection and prevention of attacks for RPL based IoT. Traditional IDS techniques are not suitable for LLN due to certain characteristics like different protocol stack, standards and constrained resources. In this paper, we have presented various IDS research contribution for RPL based routing attacks. We have also classified the proposed IDS in the literature, according to the detection techniques. Therefore, this comparison will be an eye-opening stuff for future research in mitigating routing attacks for RPL based IoT.

Patel, Himanshu B., Jinwala, Devesh C..  2019.  Blackhole Detection in 6LoWPAN Based Internet of Things: An Anomaly Based Approach. TENCON 2019 - 2019 IEEE Region 10 Conference (TENCON). :947–954.

The Internet of things networks is vulnerable to many DOS attacks. Among them, Blackhole attack is one of the severe attacks as it hampers communication among network devices. In general, the solutions presented in the literature for Blackhole detection are not efficient. In addition, the existing approaches do not factor-in, the consumption in resources viz. energy, bandwidth and network lifetime. Further, these approaches are also insensitive to the mechanism used for selecting a parent in on Blackhole formation. Needless to say, a blackhole node if selected as parent would lead to orchestration of this attack trivially and hence it is an important factor in selection of a parent. In this paper, we propose SIEWE (Strainer based Intrusion Detection of Blackhole in 6LoWPAN for the Internet of Things) - an Intrusion detection mechanism to identify Blackhole attack on Routing protocol RPL in IoT. In contrast to the Watchdog based approaches where every node in network runs in promiscuous mode, SIEWE filters out suspicious nodes first and then verifies the behavior of those nodes only. The results that we obtain, show that SIEWE improves the Packet Delivery Ratio (PDR) of the system by blacklisting malicious Blackhole nodes.

Zhang, Tianchen, Zhang, Taimin, Ji, Xiaoyu, Xu, Wenyuan.  2019.  Cuckoo-RPL: Cuckoo Filter based RPL for Defending AMI Network from Blackhole Attacks. 2019 Chinese Control Conference (CCC). :8920–8925.

Advanced metering infrastructure (AMI) is a key component in the smart grid. Transmitting data robustly and reliably between the tremendous smart meters in the AMI is one of the most crucial tasks for providing various services in smart grid. Among the many efforts for designing practical routing protocols for the AMI, the Routing Protocol for Low-Power and Lossy Networks (RPL) proposed by the IETF ROLL working group is considered the most consolidated candidate. Recent research has shown cyber attacks such as blackhole attack and version number attack can seriously damage the performance of the network implementing RPL. The main reason that RPL is vulnerable to these kinds of attacks is the lack of an authentication mechanism. In this paper, we study the impact of blackhole attacks on the performance of the AMI network and proposed a new blackhole attack that can bypass the existing defense mechanism. Then, we propose a cuckoo filter based RPL to defend the AMI network from blackhole attacks. We also give the security analysis of the proposed method.

Alizai, Zahoor Ahmed, Tareen, Noquia Fatima, Jadoon, Iqra.  2018.  Improved IoT Device Authentication Scheme Using Device Capability and Digital Signatures. 2018 International Conference on Applied and Engineering Mathematics (ICAEM). :1–5.
Internet of Things (IoT) device authentication is weighed as a very important step from security perspective. Privacy and security of the IoT devices and applications is the major issue. From security perspective, important issue that needs to be addressed is the authentication mechanism, it has to be secure from different types of attacks and is easy to implement. The paper gives general idea about how different authentication mechanisms work, and then secure and efficient multi-factor device authentication scheme idea is proposed. The proposed scheme idea uses digital signatures and device capability to authenticate a device. In the proposed scheme device will only be allowed into the network if it is successfully authenticated through multi-factor authentication otherwise the authentication process fails and whole authentication process will restart. By analyzing the proposed scheme idea, it can be seen that the scheme is efficient and has less over head. The scheme not only authenticates the device very efficiently through multi-factor authentication but also authenticates the authentication server with the help of digital signatures. The proposed scheme also mitigates the common attacks like replay and man in the middle because of nonce and timestamp.
Luo, Xupeng, Yan, Qiao, Wang, Mingde, Huang, Wenyao.  2019.  Using MTD and SDN-based Honeypots to Defend DDoS Attacks in IoT. 2019 Computing, Communications and IoT Applications (ComComAp). :392–395.
With the rapid development of Internet of Things (IoT), distributed denial of service (DDoS) attacks become the important security threat of the IoT. Characteristics of IoT, such as large quantities and simple function, which have easily caused the IoT devices or servers to be attacked and be turned into botnets for launching DDoS attacks. In this paper, we use software-defined networking (SDN) to develop moving target defense (MTD) architecture that increases uncertainty because of ever changing attack surface. In addition, we deploy SDN-based honeypots to mimic IoT devices, luring attackers and malwares. Finally, experimental results show that combination of MTD and SDN-based honeypots can effectively hide network asset from scanner and defend against DDoS attacks in IoT.
Surnin, Oleg, Hussain, Fatima, Hussain, Rasheed, Ostrovskaya, Svetlana, Polovinkin, Andrey, Lee, JooYoung, Fernando, Xavier.  2019.  Probabilistic Estimation of Honeypot Detection in Internet of Things Environment. 2019 International Conference on Computing, Networking and Communications (ICNC). :191–196.
With the emergence of the Internet of Things (IoT) and the increasing number of resource-constrained interconnected smart devices, there is a noticeable increase in the number of cyber security crimes. In the face of the possible attacks on IoT networks such as network intrusion, denial of service, spoofing and so on, there is a need to develop efficient methods to locate vulnerabilities and mitigate attacks in IoT networks. Without loss of generality, we consider only intrusion-related threats to IoT. A honeypot is a system used to understand the potential dynamic threats and act as a proactive measure to detect any intrusion into the network. It is used as a trap for intruders to control unauthorized access to the network by analyzing malicious traffic. However, a sophisticated attacker can detect the presence of a honeypot and abort the intrusion mission. Therefore it is essential for honeypots to be undetectable. In this paper, we study and analyze possible techniques for SSH and telnet honeypot detection. Moreover, we propose a new methodology for probabilistic estimation of honeypot detection and an automated software implemented this methodology.
Vishwakarma, Ruchi, Jain, Ankit Kumar.  2019.  A Honeypot with Machine Learning based Detection Framework for defending IoT based Botnet DDoS Attacks. 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI). :1019–1024.

With the tremendous growth of IoT botnet DDoS attacks in recent years, IoT security has now become one of the most concerned topics in the field of network security. A lot of security approaches have been proposed in the area, but they still lack in terms of dealing with newer emerging variants of IoT malware, known as Zero-Day Attacks. In this paper, we present a honeypot-based approach which uses machine learning techniques for malware detection. The IoT honeypot generated data is used as a dataset for the effective and dynamic training of a machine learning model. The approach can be taken as a productive outset towards combatting Zero-Day DDoS Attacks which now has emerged as an open challenge in defending IoT against DDoS Attacks.

Park, Byungju, Dang, Sa Pham, Noh, Sichul, Yi, Junmin, Park, Minho.  2019.  Dynamic Virtual Network Honeypot. 2019 International Conference on Information and Communication Technology Convergence (ICTC). :375–377.
A honeypot system is used to trap hackers, track and analyze new hacking methods. However, it does not only take time for construction and deployment but also costs for maintenance because these systems are always online even when there is no attack. Since the main purpose of honeypot systems is to collect more and more attack traffic if possible, the limitation of system capacity is also a major problem. In this paper, we propose Dynamic Virtual Network Honeypot (DVNH) which leverages emerging technologies, Network Function Virtualization and Software-Defined Networking. DVNH redirects the attack to the honeypot system thereby protects the targeted system. Our experiments show that DVNH enables efficient resource usage and dynamic provision of the Honeypot system.
Wang, He, Wu, Bin.  2019.  SDN-based hybrid honeypot for attack capture. 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). :1602–1606.
Honeypots have become an important tool for capturing attacks. Hybrid honeypots, including the front end and the back end, are widely used in research because of the scalability of the front end and the high interactivity of the back end. However, traditional hybrid honeypots have some problems that the flow control is difficult and topology simulation is not realistic. This paper proposes a new architecture based on SDN applied to the hybrid honeypot system for network topology simulation and attack traffic migration. Our system uses the good expansibility and controllability of the SDN controller to simulate a large and realistic network to attract attackers and redirect high-level attacks to a high-interaction honeypot for attack capture and further analysis. It improves the deficiencies in the network spoofing technology and flow control technology in the traditional honeynet. Finally, we set up the experimental environment on the mininet and verified the mechanism. The test results show that the system is more intelligent and the traffic migration is more stealthy.