Biblio

Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network, and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat, we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address, and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.

In this article, the security problem in cyber-physical systems (CPSs) against denial-of-service (DoS) attacks is studied from the perspectives of the designs of communication topology and distributed controller. To resist the DoS attacks, a new construction algorithm of the k-connected communication topology is developed based on the proposed necessary and sufficient criteria of the k-connected graph. Furthermore, combined with the k-connected topology, a distributed event-triggered controller is designed to guarantee the consensus of CPSs under mode-switching DoS (MSDoS) attacks. Different from the existing distributed control schemes, a new technology, that is, the extended Laplacian matrix method, is combined to design the distributed controller independent on the knowledge and the dwell time of DoS attack modes. Finally, the simulation example illustrates the superiority and effectiveness of the proposed construction algorithm and a distributed control scheme.

Satellite networks play an important role in realizing the combination of the space networks and ground networks as well as the global coverage of the Internet. However, due to the limitation of bandwidth resource, compared with ground network, space backbone networks are more likely to become victims of DDoS attacks. Therefore, we hypothesize an attack scenario that DDoS attackers make reflection amplification attacks, colluding with terminal devices accessing space backbone network, and exhaust bandwidth resources, resulting in degradation of data transmission and service delivery. Finally, we propose some plain countermeasures to provide solutions for future researchers.

Communication is an essential part of everyday life, both as a social interaction and collaboration to achieve goals. Wireless technology has effectively release the users to roam more freely to achieving collaboration and communication. The principle attraction of mobile ad hoc networks (MANET) are their set-up less and decentralized action. However, mobile ad hoc networks are seen as relatively easy targets for attackers. Security in mobile ad hoc network is provided by encrypting the data when exchanging messages and key management. Cryptography is therefore vital to ensure privacy of message and robustness against disruption. The proposed scheme public string based threshold cryptography (PSTC) describes the new scheme based on threshold cryptography that provides reasonably secure and robust cryptography scheme for mobile ad hoc networks. The scheme is implemented and simulated in ns-2. The scheme is based on trust value and analyze against Denial of Service attack as node found the attacker, the node reject all packet from that attacker. In proposed scheme whole network is compromised only when all nodes of network is compromised because threshold nodes only sharing public string not the master private key. The scheme provides confidentiality and integrity. The default threshold value selected is 2 according to time and space analysis.

With rapid growth of network size and complexity, network defenders are facing more challenges in protecting networked computers and other devices from acute attacks. Traffic visualization is an essential element in an anomaly detection system for visual observations and detection of distributed DoS attacks. This paper presents an interactive visualization system called TVis, proposed to detect both low-rate and highrate DDoS attacks using Heron's triangle-area mapping. TVis allows network defenders to identify and investigate anomalies in internal and external network traffic at both online and offline modes. We model the network traffic as an undirected graph and compute triangle-area map based on incidences at each vertex for each 5 seconds time window. The system triggers an alarm iff the system finds an area of the mapped triangle beyond the dynamic threshold. TVis performs well for both low-rate and high-rate DDoS detection in comparison to its competitors.

The privacy of people on internet is getting reduced day by day. Data records of many prestigious organizations are getting corrupted due to computer malwares. Computer viruses are becoming more advanced. Hackers are able penetrate into a network and able to manipulate data. In this paper, describes the types of malwares like Trojans, boot sector virus, polymorphic virus, etc., and some of the hacking techniques which include DOS attack, DDoS attack, brute forcing, man in the middle attack, social engineering, information gathering tools, spoofing, sniffing. Counter measures for cyber attacks include VPN, proxy, tor (browser), firewall, antivirus etc., to understand the need of cyber security.

OpenFlow has been the main standard protocol of software defined networking (SDN) since the launch of this new networking paradigm. It is a programmable network protocol that controls traffic flows among switches and routers regardless of their platforms. Its security relies on the optional implementation of Transport Layer Security (TLS) which has been proven vulnerable. The aim of this research was to develop a secured OpenFlow, so-called Secured-OF. A stateful firewall was used to store state information for further analysis. Dynamic Bayesian Network (DBN) was used to learn denial-of-service attack and distributed denial-of-service attack. It analyzes packet states to determine the nature of an attack and adds that piece of information to the flow table entry. The proposed Secured-OF model in Ryu controller was evaluated with several performance metrics. The analytical evaluation of the proposed Secured-OF scheme was performed on an emulated network. The results showed that the proposed Secured-OF scheme offers a high attack detection accuracy at 99.5%. In conclusion, it was able to improve the security of the OpenFlow controller dramatically with trivial performance degradation compared to an SDN with no security implementation.

With the tighter integration of power system and Information and Communication Technology (ICT), power grid is becoming a typical cyber physical system (CPS). It is important to analyze the impact of the cyber event on power system, so that it is necessary to build a co-simulation system for studying the interaction between power system and ICT. In this paper, a cyber physical power system (CPPS) co-simulation platform is proposed, which includes the hardware-in-the-loop (HIL) simulation function. By using flexible interface, various simulation software for power system and ICT can be interconnected into the platform to build co-simulation tools for various simulation purposes. To demonstrate it as a proof, one simulation framework for real life cyber-attack on power system control is introduced. In this case, the real life denial-of-service attack on a router in automatic voltage control (AVC) is simulated to demonstrate impact of cyber-attack on power system.

With the advent of the network economy and the network society, the network will enter a ubiquitous and omnipresent situation. Economic, cultural, military and social life will strongly depend on the network, while network security issues have become a common concern of all countries in the world. DDOS attack is undoubtedly one of the greatest threats to network security and the defense against DDOS attack is very important. In this paper, the principle of DDOS attack is summarized from the defensive purpose. Then the attack prevention in software definition network is analyzed, and the source, intermediate network, victim and distributed defense strategies are elaborated.

The application of the concept of software-defined networks (SDN) has, on the one hand, led to the simplification and reduction of switches price, and on the other hand, has created a significant number of problems related to the security of the SDN network. In several studies was noted that these problems are related to the lack of flexibility and programmability of the data plane, which is likely first to suffer potential denial-of-service (DoS) attacks. One possible way to overcome this problem is to increase the flexibility of the data plane by increasing the depth of programmability of the packet-switching nodes below the level of flow table management. Therefore, this paper investigates the opportunity of using the architecture of deeply programmable packet-switching nodes (DPPSN) in the implementation of a firewall. Then, an architectural model of the firewall based on a hybrid FPGA/CPU data plane architecture has been proposed and implemented. Realized firewall supports three models of DoS attacks mitigation: DoS traffic filtering on the output interface, DoS traffic filtering on the input interface, and DoS attack redirection to the honeypot. Experimental evaluation of the implemented firewall has shown that DoS traffic filtering at the input interface is the best strategy for DoS attack mitigation, which justified the application of the concept of deep network programmability.

Content Delivery Networks(CDN) is a standout amongst the most encouraging innovations that upgrade performance for its clients' websites by diverting web demands from browsers to topographically dispersed CDN surrogate nodes. However, due to the variable nature of CDN, it suffers from various security and resource allocation issues. The most common attack which is used to bring down a whole network as well as CDN without even finding a loophole in the security is DDoS. In this proposal, we proposed a distributed virtual honeypot model for diminishing DDoS attacks and prevent intrusion in securing CDN. Honeypots are specially utilized to imitate the primary server with the goal that the attack is alleviated to the fake rather than the main server. Our proposed layer based model utilizes honeypot to be more effective reducing the cost of the system as well as maintaining the smooth delivery in geographically dispersed servers without performance degradation.

Distributed Denial of Service(DDoS) attacks have become most important network security threat as the number of devices are connected to internet increases exponentially and reaching an attack volume approximately very high compared to other attacks. To make the network safe and flexible a new networking infrastructure such as Software Defined Networking (SDN) has come into effect, which relies on centralized controller and decoupling of control and data plane. However due to it's centralized controller it is prone to DDoS attacks, as it makes the decision of forwarding of packets based on rules installed in switch by OpenFlow protocol. Out of all different DDoS attacks, UDP (User Datagram Protocol) flooding constitute the most in recent years. In this paper, we have proposed an entropy based DDoS detection and rate limiting based mitigation for efficient service delivery. We have evaluated using Mininet as emulator and Ryu as controller by taking switch as OpenVswitch and obtained better result in terms of bandwidth utilization and hit ratio which consume network resources to make denial of service.

SDN is new networking concept which has revolutionized the network architecture in recent years. It decouples control plane from data plane. Architectural change provides re-programmability and centralized control management of the network. At the same time it also increases the complexity of underlying physical infrastructure of the network. Unfortunately, the centralized control of the network introduces new vulnerabilities and attacks. Attackers can exploit the limitation of centralized control by DDoS attack on control plane. The entire network can be compromised by DDoS attack. Based on packet entropy, a solution for mitigation of DDoS attack provided in the proposed scheme.

Distributed Denial of Services (DDoS) attacks continue to be one of the most challenging threats to the Internet. The intensity and frequency of these attacks are increasing at an alarming rate. Numerous schemes have been proposed to mitigate the impact of DDoS attacks. This paper presents a comprehensive empirical evaluation of Machine Learning (ML)based DDoS detection techniques, to gain better understanding of their performance in different types of environments. To this end, a framework is developed, focusing on different attack scenarios, to investigate the performance of a class of ML-based techniques. The evaluation uses different performance metrics, including the impact of the “Class Imbalance Problem” on ML-based DDoS detection. The results of the comparative analysis show that no one technique outperforms all others in all test cases. Furthermore, the results underscore the need for a method oriented feature selection model to enhance the capabilities of ML-based detection techniques. Finally, the results show that the class imbalance problem significantly impacts performance, underscoring the need to address this problem in order to enhance ML-based DDoS detection capabilities.

Wireless Networks-on-Chips (NoCs) have emerged as a panacea to the non-scalable multi-hop data transmission paths in traditional wired NoC architectures. Using low-power transceivers in NoC switches, novel Wireless NoC (WiNoC) architectures have been shown to achieve higher energy efficiency with improved peak bandwidth and reduced on-chip data transfer latency. However, using wireless interconnects for data transfer within a chip makes the on-chip communications vulnerable to various security threats from either external attackers or internal hardware Trojans (HTs). In this work, we propose a mechanism to make the wireless communication in a WiNoC secure against persistent jamming based Denial-of-Service attacks from both external and internal attackers. Persistent jamming attacks on the on-chip wireless medium will cause interference in data transfer over the duration of the attack resulting in errors in contiguous bits, known as burst errors. Therefore, we use a burst error correction code to monitor the rate of burst errors received over the wireless medium and deploy a Machine Learning (ML) classifier to detect the persistent jamming attack and distinguish it from random burst errors. In the event of jamming attack, alternate routing strategies are proposed to avoid the DoS attack over the wireless medium, so that a secure data transfer can be sustained even in the presence of jamming. We evaluate the proposed technique on a secure WiNoC in the presence of DoS attacks. It has been observed that with the proposed defense mechanisms, WiNoC can outperform a wired NoC even in presence of attacks in terms of performance and security. On an average, 99.87% attack detection was achieved with the chosen ML Classifiers. A bandwidth degradation of \textbackslashtextless;3% is experienced in the event of internal attack, while the wireless interconnects are disabled in the presence of an external attacker.

In this paper, security of networked control system (NCS) under denial of service (DoS) attack is considered. Different from the existing literatures from the perspective of control systems, this paper considers a novel method of dynamic allocation of network bandwidth for NCS under DoS attack. Firstly, time-constrained DoS attack and its impact on the communication channel of NCS are introduced. Secondly, details for the proposed dynamic bandwidth allocation structure are presented along with an implementation, which is a bandwidth allocation strategy based on error between current state and equilibrium state and available bandwidth. Finally, a numerical example is given to demonstrate the effectiveness of the proposed bandwidth allocation approach.

This paper proposes a compensation control scheme against DoS attack for nonlinear cyber-physical systems (CPSs). The dynamical process of the nonlinear CPSs are described by T-S fuzzy model that regulated by the corresponding fuzzy rules. The communication link between the controller and the actuator under consideration may be unreliable, where Denialof-Service (DoS) attack is supposed to invade the communication link randomly. To compensate the negative effect caused by DoS attack, a compensation control scheme is designed to maintain the stability of the closed-loop system. With the aid of the Lyapunov function theory, a sufficient condition is established to ensure the stochastic stability and strict dissipativity of the closed-loop system. Finally, an iterative linearization algorithm is designed to determine the controller gain and the effectiveness of the proposed approach is evaluated through simulations.

Widespread use of Wireless Sensor Networks (WSNs) introduced many security threats due to the nature of such networks, particularly limited hardware resources and infrastructure less nature. Denial of Service attack is one of the most common types of attacks that face such type of networks. Building an Intrusion Detection and Prevention System to mitigate the effect of Denial of Service attack is not an easy task. This paper proposes the use of two machine learning techniques, namely decision trees and Support Vector Machines, to detect attack signature on a specialized dataset. The used dataset contains regular profiles and several Denial of Service attack scenarios in WSNs. The experimental results show that decision trees technique achieved better (higher) true positive rate and better (lower) false positive rate than Support Vector Machines, 99.86% vs 99.62%, and 0.05% vs. 0.09%, respectively.

Nowadays, most of the world's population has become much dependent on computers for banking, healthcare, shopping, and telecommunication. Security has now become a basic norm for computers and its resources since it has become inherently insecure. Security issues like Denial of Service attacks, TCP SYN Flooding attacks, Packet Dropping attacks and Distributed Denial of Service attacks are some of the methods by which unauthorized users make the resource unavailable to authorized users. There are several security mechanisms like Intrusion Detection System, Anomaly detection and Trust model by which we can be able to identify and counter the abuse of computer resources by unauthorized users. This paper presents a survey of several security mechanisms which have been implemented using Fuzzy logic. Fuzzy logic is one of the rapidly developing technologies, which is used in a sophisticated control system. Fuzzy logic deals with the degree of truth rather than the Boolean logic, which carries the values of either true or false. So instead of providing only two values, we will be able to define intermediate values.

Contemporary vehicles are getting equipped with an increasing number of Electronic Control Units (ECUs) and wireless connectivities. Although these have enhanced vehicle safety and efficiency, they are accompanied with new vulnerabilities. In this paper, we unveil a new important vulnerability applicable to several in-vehicle networks including Control Area Network (CAN), the de facto standard in-vehicle network protocol. Specifically, we propose a new type of Denial-of-Service (DoS), called the bus-off attack, which exploits the error-handling scheme of in-vehicle networks to disconnect or shut down good/uncompromised ECUs. This is an important attack that must be thwarted, since the attack, once an ECU is compromised, is easy to be mounted on safety-critical ECUs while its prevention is very difficult. In addition to the discovery of this new vulnerability, we analyze its feasibility using actual in-vehicle network traffic, and demonstrate the attack on a CAN bus prototype as well as on two real vehicles. Based on our analysis and experimental results, we also propose and evaluate a mechanism to detect and prevent the bus-off attack.

Remote user authentication using smart cards is a method of verifying the legitimacy of remote users accessing the server through insecure channel, by using smart cards to increase the efficiency of the system. During last couple of years many protocols to authenticate remote users using smart cards have been proposed. But unfortunately, most of them are proved to be unsecure against various attacks. Recently this year, Yung-Cheng Lee improved Shin et al.'s protocol and claimed that their protocol is more secure. In this article, we have shown that Yung-Cheng-Lee's protocol too has defects. It does not provide user anonymity; it is vulnerable to Denial-of-Service attack, Session key reveal, user impersonation attack, Server impersonation attack and insider attacks. Further it is not efficient in password change phase since it requires communication with server and uses verification table.
 

By exploiting the communication infrastructure among the sensors, actuators, and control systems, attackers may compromise the security of smart-grid systems, with techniques such as denial-of-service (DoS) attack, random attack, and data-injection attack. In this paper, we present a mathematical model of the system to study these pitfalls and propose a robust security framework for the smart grid. Our framework adopts the Kalman filter to estimate the variables of a wide range of state processes in the model. The estimates from the Kalman filter and the system readings are then fed into the χ2-detector or the proposed Euclidean detector. The χ2-detector is a proven effective exploratory method used with the Kalman filter for the measurement of the relationship between dependent variables and a series of predictor variables. The χ2-detector can detect system faults/attacks, such as DoS attack, short-term, and long-term random attacks. However, the studies show that the χ2-detector is unable to detect the statistically derived false data-injection attack. To overcome this limitation, we prove that the Euclidean detector can effectively detect such a sophisticated injection attack.

Security issues in computer networks have focused on attacks on end systems and the control plane. An entirely new class of emerging network attacks aims at the data plane of the network. Data plane forwarding in network routers has traditionally been implemented with custom-logic hardware, but recent router designs increasingly use software-programmable network processors for packet forwarding. These general-purpose processing devices exhibit software vulnerabilities and are susceptible to attacks. We demonstrate-to our knowledge the first-practical attack that exploits a vulnerability in packet processing software to launch a devastating denial-of-service attack from within the network infrastructure. This attack uses only a single attack packet to consume the full link bandwidth of the router's outgoing link. We also present a hardware-based defense mechanism that can detect situations where malicious packets try to change the operation of the network processor. Using a hardware monitor, our NetFPGA-based prototype system checks every instruction executed by the network processor and can detect deviations from correct processing within four clock cycles. A recovery system can restore the network processor to a safe state within six cycles. This high-speed detection and recovery system can ensure that network processors can be protected effectively and efficiently from this new class of attacks.