Biblio

Software Defined Network (SDN) is a revolutionary idea to realize software-driven network with the separation of control and data planes. In essence, SDN addresses the problems faced by the traditional network architecture; however, it may as well expose the network to new attacks. Among other attacks, distributed denial of service (DDoS) attacks are hard to contain in such software-based networks. Existing DDoS mitigation techniques either lack in performance or jeopardize the accuracy of the attack detection. To fill the voids, we propose in this paper a machine learning-based DDoS mitigation technique for SDN. First, we create a model for DDoS detection in SDN using NSL-KDD dataset and then after training the model on this dataset, we use real DDoS attacks to assess our proposed model. Obtained results show that the proposed technique equates favorably to the current techniques with increased performance and accuracy.

Distributed Denial of Service (DDoS) attacks are intense and are targeted to major infrastructure, governments and military organizations in each country. There are a lot of mitigations about DDoS, and the concept of Content Delivery Network (CDN) has been able to avoid attacks on websites. However, since the existing CDN system is fundamentally centralized, it may be difficult to prevent DDoS. This paper describes the distributed CDN Schema using Private Blockchain which solves the problem of participation of existing transparent and unreliable nodes. This will explain DDoS mitigation that can be used by military and government agencies.

The emergence of Software Defined Network (SDN) and its promises in networking technology has gotten every stakeholder excited. However, it is believed that every technological development comes with its own challenges of which the most prominent in this case is security. This paper presents a real time detection of the distributed denial of service (DDoS) attacks on the SDN and a control method based on the sFlow mitigation technology. sFlow analyses samples of packets collected from the network traffic and generates handling rules to be sent to the controller in case of an attack detection. The implementation was done by emulating the network in Mininet which runs on a Virtual Machine (VM) and it was shown that the proposed method effectively detects and mitigates DDoS attacks.

Recently Distributed Denial-of-Service (DDoS) are becoming more and more sophisticated, which makes the existing defence systems not capable of tolerating by themselves against wide-ranging attacks. Thus, collaborative protection mitigation has become a needed alternative to extend defence mechanisms. However, the existing coordinated DDoS mitigation approaches either they require a complex configuration or are highly-priced. Blockchain technology offers a solution that reduces the complexity of signalling DDoS system, as well as a platform where many autonomous systems (Ass) can share hardware resources and defence capabilities for an effective DDoS defence. In this work, we also used a Deep learning DDoS detection system; we identify individual DDoS attack class and also define whether the incoming traffic is legitimate or attack. By classifying the attack traffic flow separately, our proposed mitigation technique could deny only the specific traffic causing the attack, instead of blocking all the traffic coming towards the victim(s).

Cloud computing is an assured progression inside the future of facts generation. It's far a sub-domain of network security. These days, many huge or small organizations are switching to cloud which will shop and arrange their facts. As a result, protection of cloud networks is the want of the hour. DDoS is a killer software for cloud computing environments on net today. It is a distributed denial of carrier. we will beat the ddos attacks if we have the enough assets. ddos attacks can be countered by means of dynamic allocation of the assets. In this paper the attack is detected as early as possible and prevention methods is done and also mitigation method is also implemented thus attack can be avoided before it may occur.

Vehicular ad hoc networks (VANETs) are eminent type of Mobile ad hoc Networks. The network created in VANETs is quite prone to security problem. In this work, a new mechanism is proposed to study the security of VANETs against DDoS attack. The proposed mechanism focuses on distributed denial of service attacks. The main idea of the paper is to detect the DDoS attack and mitigate it. The work consists of two stages, initially attack topology and network congestion is created. The second stage is to detect and mitigate the DDoS attack. The existing method is compared with the proposed method for mitigating DDoS attacks in VANETs. The existing solutions presented by the various researchers are also compared and analyzed. The solution for such kind of problem is provided which is used to detect and mitigate DDoS attack by using greedy approach. The network environment is created using NS-2. The results of simulation represent that the proposed approach is better in the terms of network packet loss, routing overhead and network throughput.

A conversational agent to detect anomalous traffic in consumer IoT networks is presented. The agent accepts two inputs in the form of user speech received by Amazon Alexa enabled devices, and classified IDS logs stored in a DynamoDB Table. Aural analysis is used to query the database of network traffic, and respond accordingly. In doing so, this paper presents a solution to the problem of making consumers situationally aware when their IoT devices are infected, and anomalous traffic has been detected. The proposed conversational agent addresses the issue of how to present network information to non-technical users, for better comprehension, and improves awareness of threats derived from the mirai botnet malware.

Today's extensive use of Internet creates huge volumes of data by users in both client and server sides. Normally users don't want to store all the data in local as well as keep archive in the server. For some unwanted data, such as trash, cache and private data, needs to be deleted periodically. Explicit deletion could be applied to the local data, while it is a troublesome job. But there is no transparency to users on the personal data stored in the server. Since we have no knowledge of whether they're cached, copied and archived by the third parties, or sold by the service provider. Our research seeks to provide an automatic data sanitization system to make data could be self-destructing. Specifically, we give data a life cycle, which would be erased automatically when at the end of its life, and the destroyed data cannot be recovered by any effort. In this paper, we present FlashGhost, which is a system that meets this challenge through a novel integration of cryptography techniques with the frequent colliding hash table. In this system, data will be unreadable and rendered unrecoverable by overwriting multiple times after its validity period has expired. Besides, the system reliability is enhanced by threshold cryptography. We also present a mathematical model and verify it by a number of experiments, which demonstrate theoretically and experimentally our system is practical to use and meet the data auto-sanitization goal described above.

The present paper describes some of the results obtained in the Faculty of Computer Systems and Technology at Technical University of Sofia in the implementation of project related to the application of intelligent methods for increasing the security in computer networks. Also is made a survey about existing hybrid methods, which are using several artificial intelligent methods for cyber defense. The paper introduces a model for intrusion detection systems where multi agent systems are the bases and artificial intelligence are applicable by the means simple real-time models constructed in laboratory environment.

The concept of Virtualized Network Functions (VNFs) aims to move Network Functions (NFs) out of dedicated hardware devices into software that runs on commodity hardware. A single NF consists of multiple VNF instances, usually running on virtual machines in a cloud infrastructure. The elastic management of an NF refers to load management across the VNF instances and the autonomic scaling of the number of VNF instances as the load on the NF changes. In this paper, we present EL-SEC, an autonomic framework to elastically manage security NFs on a virtualized infrastructure. As a use case, we deploy the Snort Intrusion Detection System as the NF on the GENI testbed. Concepts from control theory are used to create an Elastic Manager, which implements various controllers - in this paper, Proportional Integral (PI) and Proportional Integral Derivative (PID) - to direct traffic across the VNF Snort instances by monitoring the current load. RINA (a clean-slate Recursive InterNetwork Architecture) is used to build a distributed application that monitors load and collects Snort alerts, which are processed by the Elastic Manager and an Attack Analyzer, respectively. Software Defined Networking (SDN) is used to steer traffic through the VNF instances, and to block attack traffic. Our results show that virtualized security NFs can be easily deployed using our EL-SEC framework. With the help of real-time graphs, we show that PI and PID controllers can be used to easily scale the system, which leads to quicker detection of attacks.

The Software Defined Networks (SDN) paradigm, often referred to as a radical new idea in networking, promises to dramatically simplify network management by enabling innovation through network programmability. However, notable security issues, such as app-to-control threats, remain a significant concern that impedes SDN from being widely adopted. To cope with those app-to-control threats, this paper proposes a solution to securely deploy valid network applications while protecting the SDN controller against the injection of the malicious application. This problem is mitigated by proposing a novel SDN architecture, dubbed SENAD, which splits the well-known SDN controller into: (1) a data plane controller (DPC), and (2) an application plane controller (APC), to secure this latter by design. The role of the DPC is dedicated for interpreting the network rules into OpenFlow entries and maintaining the communication with the data plane. The role of the APC, however, is to provide a secured runtime for deploying the network applications, including authentication, access control, resource isolation, control, and monitoring applications. We show that this approach can easily shield against any deny of service, caused for instance by the resource exhaustion attack or the malicious command injection, that is caused by the co-existence of a malicious application on the controller's runtime. The evaluation of our architecture shows that the packet\_in messages take less than 5 ms to be delivered from the data plane to the application plane on the long range.

Synchrophasor technology is used for real-time control and monitoring in smart grid. Previous works in literature identified critical vulnerabilities in IEEE C37.118.2 synchrophasor communication standard. To protect synchrophasor-based systems, stealthy cyber-attacks and effective defense mechanisms still need to be investigated.This paper investigates how an attacker can develop a custom tool to execute stealthy man-in-the-middle attacks against synchrophasor devices. In particular, four different types of attack capabilities have been demonstrated in a real synchrophasor-based synchronous islanding testbed in laboratory: (i) command injection attack, (ii) packet drop attack, (iii) replay attack and (iv) stealthy data manipulation attack. With deep technical understanding of the attack capabilities and potential physical impacts, this paper also develops and tests a distributed Intrusion Detection System (IDS) following NIST recommendations. The functionalities of the proposed IDS have been validated in the testbed for detecting aforementioned cyber-attacks. The paper identified that a distributed IDS with decentralized decision making capability and the ability to learn system behavior could effectively detect stealthy malicious activities and improve synchrophasor network security.

Industrial Internet of Things (IIoT) is a trend of the smart industry. By collecting field data from sensors, the industry can make decisions dynamically in time for better performance. In most cases, IIoT is built on private networks and cannot be reached from the Internet. Currently, data transmission in most of IIoT network protocols is in plaintext without encryption protection. Once an attacker breaks into the field, the attacker can intercept data and injects malicious commands to field agents. In this paper, we propose a compound approach for defending command injection attacks in IIOT. First, we leverage the power of Software Defined Networking (SDN) to detect the injection attack. When the injection attack event is detected, the system owner is alarmed that someone tries to pretend a controller or a field agent to deceive the other entity. Second, we develop a lightweight authentication scheme to ensure the identity of the command sender. Command receiver can verify commands first before processing commands.

We are exploring new ways to analyze phishing attacks. To do this, we investigate the change in the dynamics of the power of phishing attacks. We also analyze the effectiveness of detection of phishing attacks. We are considering the possibility of using new tools for analyzing phishing attacks. As such tools, the methods of chaos theory and the ideology of wavelet coherence are used. The use of such analysis tools makes it possible to investigate the peculiarities of the phishing attacks occurrence, as well as methods for their identification effectiveness. This allows you to expand the scope of the analysis of phishing attacks. For analysis, we use real data about phishing attacks.

Nowadays, the proliferation of smart, communication-enable devices is opening up many new opportunities of pervasive applications. A major requirement of pervasive applications is to be secured. The complexity to secure pervasive systems is to address a end-to-end security level: from the device to the services according to the entire life cycle of devices, applications and platform. In this article, we propose a solution combining both hardware and software elements to secure communications between devices and pervasive platform based on certificates issued from a Public Key Infrastructure. Our solution is implemented and validated with a real device extended by a secure element and our own Public Key Infrastructure.

Peer to Peer (P2P) is a dynamic and self-organized technology, popularly used in File sharing applications to achieve better performance and avoids single point of failure. The popularity of this network has attracted many attackers framing different attacks including Sybil attack, Routing Table Insertion attack (RTI) and Free Riding. Many mitigation methods are also proposed to defend or reduce the impact of such attacks. However, most of those approaches are protocol specific. In this work, we propose a Blockchain based security framework for P2P network to address such security issues. which can be tailored to any P2P file-sharing system.

Underpinning the operation of Bitcoin is a peer-to-peer (P2P) network [1] that facilitates the execution of transactions by end users, as well as the transaction confirmation process known as bitcoin mining. The security of this P2P network is vital for the currency to function and subversion of the underlying network can lead to attacks on bitcoin users including theft of bitcoins, manipulation of the mining process and denial of service (DoS). As part of this paper the network protocol and bitcoin core software are analysed, with three bitcoin message exchanges (the connection handshake, GETHEADERS/HEADERS and MEMPOOL/INV) found to be potentially vulnerable to spoofing and use in distributed denial of service (DDoS) attacks. Possible solutions to the identified weaknesses and vulnerabilities are evaluated, such as the introduction of random nonces into network messages exchanges.

Peer-to-Peer botnets have become one of the significant threat against network security due to their distributed properties. The decentralized nature makes their detection challenging. It is important to take measures to detect bots as soon as possible to minimize their harm. In this paper, we propose PeerGrep, a novel system capable of identifying P2P bots. PeerGrep starts from identifying hosts that are likely engaged in P2P communications, and then distinguishes P2P bots from P2P hosts by analyzing their active ratio, packet size and the periodicity of connection to destination IP addresses. The evaluation shows that PeerGrep can identify all P2P bots with quite low FPR even if the malicious P2P application and benign P2P application coexist within the same host or there is only one bot in the monitored network.

Software Defined Networking (SDN) has emerged as a revolutionary paradigm to manage cloud infrastructure. SDN lacks scalable trust setup and verification mechanism between Data Plane-Control Plane elements, Control Plane elements, and Control Plane-Application Plane. Trust management schemes like Public Key Infrastructure (PKI) used currently in SDN are slow for trust establishment in a larger cloud environment. We propose a distributed trust mechanism - TRUFL to establish and verify trust in SDN. The distributed framework utilizes parallelism in trust management, in effect faster transfer rates and reduced latency compared to centralized trust management. The TRUFL framework scales well with the number of OpenFlow rules when compared to existing research works.

Traditionally, a Certification Authority (CA) is required to sign, manage, verify and revoke public key certificates. Multiple CAs together form the CA-based Public Key Infrastructure (PKI). The use of a PKI forces one to place trust in the CAs, which have proven to be a single point-of-failure on multiple occasions. Blockchain has emerged as a transformational technology that replaces centralized trusted third parties with a decentralized, publicly verifiable, peer-to-peer data store which maintains data integrity among nodes through various consensus protocols. In this paper, we deploy three blockchain-based alternatives to the CA-based PKI for supporting IoT devices, based on Emercoin Name Value Service (NVS), smart contracts by Ethereum blockchain, and Ethereum Light Sync client. We compare these approaches with CA-based PKI and show that they are much more efficient in terms of computational and storage requirements in addition to providing a more robust and scalable PKI.

Cyber defense can no longer be limited to intrusion detection methods. These systems require malicious activity to enter an internal network before an attack can be detected. Having advanced, predictive knowledge of future attacks allow a potential victim to heighten security and possibly prevent any malicious traffic from breaching the network. This paper investigates the use of Auto-Regressive Integrated Moving Average (ARIMA) models and Bayesian Networks (BN) to predict future cyber attack occurrences and intensities against two target entities. In addition to incident count forecasting, categorical and binary occurrence metrics are proposed to better represent volume forecasts to a victim. Different measurement periods are used in time series construction to better model the temporal patterns unique to each attack type and target configuration, seeing over 86% improvement over baseline forecasts. Using ground truth aggregated over different measurement periods as signals, a BN is trained and tested for each attack type and the obtained results provided further evidence to support the findings from ARIMA. This work highlights the complexity of cyber attack occurrences; each subset has unique characteristics and is influenced by a number of potential external factors.

Routers are important devices in the networks that carry the burden of transmitting information among the communication devices on the Internet. If a malicious adversary wants to intercept the information or paralyze the network, it can directly attack the routers and then achieve the suspicious goals. Thus, preventing router security is of great importance. However, router systems are notoriously difficult to understand or diagnose for their inaccessibility and heterogeneity. The common way of gaining access to the router system and detecting the anomaly behaviors is to inspect the router syslogs or monitor the packets of information flowing to the routers. These approaches just diagnose the routers from one aspect but do not consider them from multiple views. In this paper, we propose an approach to detect the anomalies and faults of the routers with multiple information learning. We try to use the routers' information not from the developer's view but from the user' s view, which does not need any expert knowledge. First, we do the offline learning to transform the benign or corrupted user actions into the syslogs. Then, we try to decide whether the input routers' conditions are poor or not with clustering. During the detection phase, we use the distance between the event and the cluster to decide if it is the anomaly event and we can provide the corresponding solutions. We have applied our approach in a university network which contains Cisco, Huawei and Dlink routers for three months. We aligned our experiment with former work as a baseline for comparison. Our approach can gain 89.6% accuracy in detecting the attacks which is 5.1% higher than the former work. The results show that our approach performs in limited time as well as memory usages and has high detection and low false positives.

Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2ˆ96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts, and (iii) that unintended IPv6 connectivity is a major security issue for unaware system administrators.

As the technology reliance increases, computer networks are getting bigger and larger and so are threats and attacks. Therefore Network security becomes a major concern during this last decade. Network Security requires a combination of hardware devices and software applications. Namely, Firewalls and IPsec gateways are two technologies that provide network security protection and repose on security policies which are maintained to ensure traffic control and network safety. Nevertheless, security policy misconfigurations and inconsistency between the policy's rules produce errors and conflicts, which are often very hard to detect and consequently cause security holes and compromise the entire system functionality. In This paper, we review the related approaches which have been proposed for security policy management along with surveying the literature for conflicts detection and resolution techniques. This work highlights the advantages and limitations of the proposed solutions for security policy verification in IPsec and Firewalls and gives an overall comparison and classification of the existing approaches.

The complete digitization of telecommunications allows new attack scenarios, which have not been possible with legacy phone technologies before. The reason is that physical access to legacy phone technologies was necessary. Regarding internet-based communication like voice over the internet protocol (VoIP), which can be established between random nodes, eavesdropping can happen everywhere and much easier. Additionally, injection of undesirable communication like SPAM or SPIT in digital networks is simpler, too. Encryption is not sufficient because it is also necessary to know which participants are talking to each other. For that reason, the research project INTEGER has been started with the main goals of providing secure authentication and integrity of a VoIP communication by using a digital signature. The basis of this approach is the Trusted Platform Module (TPM) of the Trusted Computing Group (TCG) which works as a hardware-based trusted anchor. The TPM will be used inside of wireless IP devices with VoIP softphones. The question is if it is possible to fulfill the main goals of the project in wireless scenarios with Wi-Fi technologies. That is what this contribution aims to clarify.