Biblio

Aiming at the operation characteristics of power industry control system, this paper deeply analyses the attack mechanism and characteristics of power industry control system intrusion. On the basis of classifying and sorting out the attack characteristics of power industrial control system, this paper also attaches importance to break the basic theory and consequential technologies of industrial control network space security, and constructs the network intrusion as well as attack model of power industrial control system to realize the precise characterization of attackers' attack behavior, which provides a theoretical model for the analysis and early warning of attack behavior analysis of power industrial control systems.

Flow-based network attack detection technology is able to identify many threats in network traffic. Existing techniques have several drawbacks: i) rule-based approaches are vulnerable because it needs all the signatures defined for the possible attacks, ii) anomaly-based approaches are not efficient because it is easy to find ways to launch attacks that bypass detection, and iii) both rule-based and anomaly-based approaches heavily rely on domain knowledge of networked system and cyber security. The major challenge to existing methods is to understand novel attack scenarios and design a model to detect novel and more serious attacks. In this paper, we investigate network attacks and unveil the key activities and the relationships between these activities. For that reason, we propose methods to understand the network security practices using theoretic concepts such as graph kernels. In addition, we integrate graph kernels over deep learning architecture to exploit the relationship expressiveness among network flows and combine ability of deep neural networks (DNNs) with deep architectures to learn hidden representations, based on the communication representation graph of each network flow in a specific time interval, then the flow-based network attack detection can be done effectively by measuring the similarity between the graphs to two flows. The proposed study provides the effectiveness to obtain insights about network attacks and detect network attacks. Using two real-world datasets which contain several new types of network attacks, we achieve significant improvements in accuracies over existing network attack detection tasks.

The Internet of Things (IoT) is increasingly being used in applications ranging from precision agriculture to critical national infrastructure by deploying a large number of resource-constrained devices in hostile environments. These devices are being exploited to launch attacks in cyber systems. As a result, security has become a significant concern in the design of IoT based applications. In this paper, we present a security architecture for IoT networks by leveraging the underlying features supported by Software Defined Networks (SDN). Our security architecture restricts network access to authenticated IoT devices. We use fine granular policies to secure the flows in the IoT network infrastructure and provide a lightweight protocol to authenticate IoT devices. Such an integrated security approach involving authentication of IoT devices and enabling authorized flows can help to protect IoT networks from malicious IoT devices and attacks.

The H2020 European research project GHOST - Safe-Guarding Home IoT Environments with Personalised Real-time Risk Control - aims to deploy a highly effective security framework for IoT smart home residents through a novel reference architecture for user-centric cyber security in smart homes providing an unobtrusive and user-comprehensible solution. The aforementioned security framework leads to a transparent cyber security environment by increasing the effectiveness of the existing cyber security services and enhancing system's self-defence through disruptive software-enabled network security solutions. In this paper, GHOST security framework for IoT-based smart homes is presented. It is aiming to address the security challenges posed by several types of attacks, such as network, device and software. The effective design of the overall multi-layered architecture is analysed, with particular emphasis given to the integration aspects through dynamic and re-configurable solutions and the features provided by each one of the architectural layers. Additionally, real-life trials and the associated use cases are described showcasing the competences and potential of the proposed framework.

Digital ant technology is a new distributed and self-organization cyberspace defense paradigm. This paper describes digital ants system's developing process, characteristics, system architecture and mechanisms to illustrate its superiority, searches the possible applications of digital ants system. The summary of the paper and the trends of digital ants system are pointed out.

Industrial Internet of Things (IIoT) is a fusion of industrial automation systems and IoT systems. It features comprehensive sensing, interconnected transmission, intelligent processing, self-organization and self-maintenance. Its applications span intelligent transportation, smart factories, and intelligence. Many areas such as power grid and intelligent environment detection. With the widespread application of IIoT technology, the cyber security threats to industrial IoT systems are increasing day by day, and information security issues have become a major challenge in the development process. In order to protect the industrial IoT system from network attacks, this paper aims to study the industrial IoT information security protection technology, and the typical architecture of industrial Internet of things system, and analyzes the network security threats faced by industrial Internet of things system according to the different levels of the architecture, and designs the security protection strategies applied to different levels of structures based on the specific means of network attack.

The operation and management of network is facing increasing complexities brought by the evolution of network protocols and the demands of rapid service delivery. In this paper, we propose a programmable network management architecture, which manages network based on NETCONF protocol and provides REST APIs to upper layer so that further programming can be done based on the APIs to implement flexible management. Functions of devices can be modeled based on YANG language, and the models can be translated into REST APIs. We apply it to the management of ADN (Address Driven Network), an innovative network architecture proposed by Tsinghua University to inhibit IP spoofing, improve network security and provide high service quality. We model the functions of ADN based on YANG language, and implement the network management functions based on the REST APIs. We deploy and evaluate it in a laboratory environment. Test result shows that the programmable network management architecture is flexible to implement management for new network services.

Network architecture design and verification has become increasingly complicated as a greater number of security considerations, implementations, and factors are included in the design process. In the design process, one must account for various costs of interwoven layers of security. Generally these costs are simplified for evaluation of risk to the network. The obvious implications of adding security are the need to account for the impacts of loss (risk) and accounting for the ensuing increased design costs. The considerations that are not traditionally examined are those of the adversary and the defender of a given system. Without accounting for the view point of the individuals interacting with a network architecture, one can not verify and select the most advantageous security implementation. This work presents a method for obtaining a security metric that takes into account not only the risk of the defender, but also the probability of an attack originating from the motivation of the adversary. We then move to a more meaningful metric based on a monetary unit that architects can use in choosing a best fit solution for a given network critical path design problem.

Today's virtual switches not only support legacy network protocols and standard network management interfaces, but also become adapted to OpenFlow as a prevailing communication protocol. This makes them a core networking component of today's virtualized infrastructures which are able to handle sophisticated networking scenarios in a flexible and software-defined manner. At the same time, these virtual SDN data planes become high-value targets because a compromised switch is hard to detect while it affects all components of a virtualized/SDN-based environment.Most of the well known programmable virtual switches in the market are open source which makes them cost-effective and yet highly configurable options in any network infrastructure deployment. However, this comes at a cost which needs to be addressed. Accordingly, this paper raises an alarm on how attackers may leverage white box analysis of software switch functionalities to lunch effective low profile attacks against it. In particular, we practically present how attackers can systematically take advantage of static and dynamic code analysis techniques to lunch a low rate saturation attack on virtual SDN data plane in a cloud data center.

Industrial control systems (ICS) are becoming more integral to modern life as they are being integrated into critical infrastructure. These systems typically lack application layer encryption and the placement of common network intrusion services have large blind spots. We propose the novel architecture, Cloud Based Intrusion Detection and Prevention System (CB-IDPS), to detect and prevent threats in ICS networks by using software defined networking (SDN) to route traffic to the cloud for inspection using network function virtualization (NFV) and service function chaining. CB-IDPS uses Amazon Web Services to create a virtual private cloud for packet inspection. The CB-IDPS framework is designed with considerations to the ICS delay constraints, dynamic traffic routing, scalability, resilience, and visibility. CB-IDPS is presented in the context of a micro grid energy management system as the test case to prove that the latency of CB-IDPS is within acceptable delay thresholds. The implementation of CB-IDPS uses the OpenDaylight software for the SDN controller and commonly used network security tools such as Zeek and Snort. To our knowledge, this is the first attempt at using NFV in an ICS context for network security.

The widespread adoption of social networking and cloud computing has transformed today's Internet to a trove of personal information. As a consequence, data breaches are expected to increase in gravity and occurrence. To counteract unintended data disclosure, a great deal of effort has been dedicated in devising methods for uncovering privacy leaks. Existing solutions, however, have not addressed the time- and data-intensive nature of leak detection. The shift from hardware-specific implementation to software-based solutions is the core idea behind the concept of Network Function Virtualization (NFV). On the other hand, the Software Defined Networking (SDN) paradigm is characterized by the decoupling of the forwarding and control planes. In this paper, an SDN/NFV-enabled architecture is proposed for improving the efficiency of leak detection systems. Employing a previously developed identification strategy, Personally Identifiable Information detector (PIID) and load balancer VNFs are packaged and deployed in OpenStack through an NFV MANO. Meanwhile, SDN controllers permit the load balancer to dynamically redistribute traffic among the PIID instances. In a physical testbed, tests are conducted to evaluate the proposed architecture. Experimental results indicate that the proportions of forwarding and parsing on total overhead is influenced by the traffic intensity. Furthermore, an NFV-enabled system with scalability features was found to outperform a non-virtualized implementation in terms of latency (85.1%), packet loss (98.3%) and throughput (8.41%).

In this paper we propose ROS-Defender, a holistic approach to secure robotics systems, which integrates a Security Event Management System (SIEM), an intrusion prevention system (IPS) and a firewall for a robotic system. ROS-Defender combines anomaly detection systems at application (ROS) level and network level, with dynamic policy enforcement points using software defined networking (SDN) to provide protection against a large class of attacks. Although SIEMs, IPS, and firewall have been previously used to secure computer networks, ROSDefender is applying them for the specific use case of robotic systems, where security is in many cases an afterthought.

Policy based Security Management in an accepted practice in the industry, and required to simplify the administrative overhead associated with security management in complex systems. However, the growing dynamicity, complexity and scale of modern systems makes it difficult to write the security policies manually. Using AI, we can generate policies automatically. Security policies generated automatically can reduce the manual burden introduced in defining policies, but their impact on the overall security of a system is unclear. In this paper, we discuss the security metrics that can be associated with a system using generative policies, and provide a simple model to determine the conditions under which generating security policies will be beneficial to improve the security of the system. We also show that for some types of security metrics, a system using generative policies can be considered as equivalent to a system using manually defined policies, and the security metrics of the generative policy based system can be mapped to the security metrics of the manual system and vice-versa.

Software-Defined Networking (SDN) introduces a centralized network control and management by separating the data plane from the control plane which facilitates traffic flow monitoring, security analysis and policy formulation. However, it is challenging to choose a proper degree of traffic flow handling granularity while proactively protecting forwarding devices from getting overloaded. In this paper, we propose a novel traffic flow matching control framework called Q-DATA that applies reinforcement learning in order to enhance the traffic flow monitoring performance in SDN based networks and prevent traffic forwarding performance degradation. We first describe and analyse an SDN-based traffic flow matching control system that applies a reinforcement learning approach based on Q-learning algorithm in order to maximize the traffic flow granularity. It also considers the forwarding performance status of the SDN switches derived from a Support Vector Machine based algorithm. Next, we outline the Q-DATA framework that incorporates the optimal traffic flow matching policy derived from the traffic flow matching control system to efficiently provide the most detailed traffic flow information that other mechanisms require. Our novel approach is realized as a REST SDN application and evaluated in an SDN environment. Through comprehensive experiments, the results show that-compared to the default behavior of common SDN controllers and to our previous DATA mechanism-the new Q-DATA framework yields a remarkable improvement in terms of traffic forwarding performance degradation protection of SDN switches while still providing the most detailed traffic flow information on demand.

The Industrial Internet of Things (IIoT) is a term applied to the industrial application of M2M devices. The security of IIoT devices is a difficult problem and where the automation of critical infrastructure is intended, risks may be unacceptable. Remote attacks are a significant threat and solutions are sought which are secure by default. The problem space may be analyzed using threat modelling methods. Software Defined Networks (SDN) provide mitigation for remote attacks which exploit local area networks. Similar concepts applied to the WAN may improve availability and performance and provide granular data on link characteristics. Schemes such as the Software Defined Perimeter allow IIoT devices to communicate on the Internet, mitigating avenues of remote attack. Finally, separation of duties at the IIoT device may prevent attacks on the integrity of the device or the confidentiality and integrity of its communications. Work remains to be done on the mitigation of DDoS.

As the dynamics of cyber warfare continue to change, it is very important to be aware of the issues currently confronting cyberspace. One threat which continues to grow in the danger it poses to cyber security are botnets. Botnets can launch massive Distributed Denial of Service (DDoS) attacks against internet connected hosts anonymously, undertake intricate spam campaigns, launch mass financial fraud campaigns, and even manipulate public opinion via social media bots. The network topology and technology undergirding each botnet varies greatly, as do the motivations commonly behind such networks. Furthermore, as botnets have continued to evolve, many newer ones demonstrate increased levels of anonymity and sophistication, making it more difficult to effectively counter them. Increases in the production of vulnerable Internet of Things (IoT) devices has made it easier for malicious actors to quickly assemble sizable botnets. Because of this, the steps necessary to stop botnets also vary, and in some cases, it may be extremely difficult to effectively defeat a fully functional and sophisticated botnet. While in some cases, the infrastructure supporting the botnet can be targeted and remotely disabled, other cases require the physical assistance of law enforcement to shut down the botnet. In the latter case, it is often a significant challenge to cheaply end a botnet. On the other hand, there are many steps and mitigations that can be taken by end-users to prevent their own devices from becoming part of a botnet. Many of these solutions involve implementing basic cybersecurity practices like installing firewalls and changing default passwords. More sophisticated botnets may require similarly sophisticated intrusion detection systems, to detect and remove malicious infections. Much research has gone into such systems and in recent years many researchers have begun to implement machine learning techniques to defeat botnets. This paper is intended present a review on botnet evolution, trends and mitigations, and offer related examples and research to provide the reader with quick access to a broad understanding of the issues at hand.

Open-source honeypots are a vital component in the protection of networks and the observation of trends in the threat landscape. Their open nature also enables adversaries to identify the characteristics of these honeypots in order to detect and avoid them. In this study, we investigate the prevalence of 14 open- source honeypots running more or less default configurations, making them easily detectable by attackers. We deploy 20 simple signatures and test them for false positives against servers for domains in the Alexa top 10,000, official FTP mirrors, mail servers in real operation, and real IoT devices running telnet. We find no matches, suggesting good accuracy. We then measure the Internet-wide prevalence of default open-source honeypots by matching the signatures with Censys scan data and our own scans. We discovered 19,208 honeypots across 637 Autonomous Systems that are trivially easy to identify. Concentrations are found in research networks, but also in enterprise, cloud and hosting networks. While some of these honeypots probably have no operational relevance, e.g., they are student projects, this explanation does not fit the wider population. One cluster of honeypots was confirmed to belong to a well-known security center and was in use for ongoing attack monitoring. Concentrations in an another cluster appear to be the result of government incentives. We contacted 11 honeypot operators and received response from 4 operators, suggesting the problem of lack of network hygiene. Finally, we find that some honeypots are actively abused by attackers for hosting malicious binaries. We notified the owners of the detected honeypots via their network operators and provided recommendations for customization to avoid simple signature-based detection. We also shared our results with the honeypot developers.

The integration of Internet-of-Things and pervasive computing in medical devices have made the modern healthcare system “smart.” Today, the function of the healthcare system is not limited to treat the patients only. With the help of implantable medical devices and wearables, Smart Healthcare System (SHS) can continuously monitor different vital signs of a patient and automatically detect and prevent critical medical conditions. However, these increasing functionalities of SHS raise several security concerns and attackers can exploit the SHS in numerous ways: they can impede normal function of the SHS, inject false data to change vital signs, and tamper a medical device to change the outcome of a medical emergency. In this paper, we propose HealthGuard, a novel machine learning-based security framework to detect malicious activities in a SHS. HealthGuard observes the vital signs of different connected devices of a SHS and correlates the vitals to understand the changes in body functions of the patient to distinguish benign and malicious activities. HealthGuard utilizes four different machine learning-based detection techniques (Artificial Neural Network, Decision Tree, Random Forest, k-Nearest Neighbor) to detect malicious activities in a SHS. We trained HealthGuard with data collected for eight different smart medical devices for twelve benign events including seven normal user activities and five disease-affected events. Furthermore, we evaluated the performance of HealthGuard against three different malicious threats. Our extensive evaluation shows that HealthGuard is an effective security framework for SHS with an accuracy of 91 % and an F1 score of 90 %.

Edge computing requires a flexible choice of data-processing and rapidly computation performed at the edge of networks. We proposed an edge computing platform with container-based virtualization technology. In the platform, data-processing instances are modularized and deployed to edge nodes suitable for user requirements with keeping the data-processing flows within wide area network. This paper reports the platform controller and the process modules implemented to realize the secure and flexible edge computing platform.

In Cooperative Networks based on simultaneous wireless information and power transfer (SWIPT), relay nodes collect the energy of radio signals received from source node and transmit the information of source nodes to destination nodes, which not only prolongs the service life of energy-constrained nodes, but also improves the ability of long-distance transmission of information. Due to the openness of energy harvesting, there may be eavesdropping users with malicious decoding. In order to study the security performance of the Cooperative Networks based on SWIPT, this paper mainly studies the physical layer security performance of this network, derives and simulates the expression of system security outage probability and throughput. The simulation results show that the system security performance is mainly influenced by time allocation parameter of SWIPT and decreases with the increase of target rate.

In this work we present a novel technique for physical layer security in the Internet-of-Things (IoT) networks. In the proposed architecture, each IoT node generates a phase-modulated random key/data and transmits it to a master node in the presence of an eavesdropper, referred to as Eve. The master node, simultaneously, broadcasts a high power signal using an omni-directional antenna, which is received as interference by Eve. This interference masks the generated key by the IoT node and will result in a higher bit-error rate in the data received by Eve. The two legitimate intended nodes communicate in a full-duplex manner and, consequently, subtract their transmitted signals, as a known reference, from the received signal (self-interference cancellation). We compare our proposed method with a conventional approach to physical layer security based on directional antennas. In particular, we show, using theoretical and measurement results, that our proposed approach provides significantly better security measures, in terms bit error rate (BER) at Eve's location. Also, it is proven that in our novel system, the possible eavesdropping region, defined by the region with BER \textbackslashtextless; 10-1, is always smaller than the reliable communication region with BER \textbackslashtextless; 10-3.

Failure to detect malware at its very inception leaves room for it to post significant threat and cost to cyber security for not only individuals, organizations but also the society and nation. However, the rapid growth in volume and diversity of malware renders conventional detection techniques that utilize feature extraction and comparison insufficient, making it very difficult for well-trained network administrators to identify malware, not to mention regular users of internet. Challenges in malware detection is exacerbated since complexity in the type and structure also increase dramatically in these years to include source code, binary file, shell script, Perl script, instructions, settings and others. Such increased complexity offers a premium on misjudgment. In order to increase malware detection efficiency and accuracy under large volume and multiple types of malware, this research adopts Convolutional Neural Networks (CNN), one of the most successful deep learning techniques. The experiment shows an accuracy rate of over 90% in identifying malicious and benign codes. The experiment also presents that CNN is effective with detecting source code and binary code, it can further identify malware that is embedded into benign code, leaving malware no place to hide. This research proposes a feasible solution for network administrators to efficiently identify malware at the very inception in the severe network environment nowadays, so that information technology personnel can take protective actions in a timely manner and make preparations for potential follow-up cyber-attacks.

Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Named Data Networking (NDN) intrinsically supports in-network caching and multipath forwarding. The two salient features offer the potential to simultaneously transmit content segments that comprise the requested content from original content publishers and in-network caches. However, due to the complexity of maintaining the reachability information of off-path cached content at the fine-grained packet level of granularity, the multipath forwarding and off-path cached copies are significantly underutilized in NDN so far. Network coding enabled NDN, referred to as NC-NDN, was proposed to effectively utilize multiple on-path routes to transmit content, but off-path cached copies are still unexploited. This work enhances NC-NDN with an On-demand Off-path Cache Exploration based Multipath Forwarding strategy, dubbed as O2CEMF, to take full advantage of the multipath forwarding to efficiently utilize off-path cached content. In O2CEMF, each network node reactively explores the reachability information of nearby off-path cached content when consumers begin to request a generation of content, and maintains the reachability at the coarse-grained generation level of granularity instead. Then the consumers simultaneously retrieve content from the original content publisher(s) and the explored capable off-path caches. Our experimental studies validate that this strategy improves the content delivery performance efficiently as compared to that in the present NC-NDN.

Due to the diversity and mobility of blockchain network nodes and the decentralized nature of blockchain networks, traditional trust value evaluation indicators cannot be directly used. In order to obtain trusted nodes, a trustworthiness calculation method based on trust blockchain nodes is proposed. Different from the traditional P2P network trust value calculation, the trust blockchain not only acquires the working state of the node, but also collects the special behavior information of the node, and calculates the joining time by synthesizing the trust value generated by the node transaction and the trust value generated by the node behavior. After the attenuation factor is comprehensively evaluated, the trusted nodes are selected to effectively ensure the security of the blockchain network environment, while reducing the average transaction delay and increasing the block rate.