Your search keyword '"Network traffic analysis"' showing total 128 results

1. NETWORK ATTACK RECOGNITION USING FUZZY LOGIC

Author

Borisova, Angela and Borisova, Angela

Abstract

The following research paper presents a fuzzy logic system model related to classifying network traffic as malicious or normal. The relevance of the problem stems from the increasingly widespread worldwide problem, namely cyber threats against various companies, organizations, individuals, etc. and at the same time the use of artificial intelligence systems as a means of detecting and preventing various types of cybercrime. To accomplish the task, several basic work methods are followed: first, the development goal is defined - building a fuzzy logic system that supports and automates decision-making about the type of network traffic (malicious or normal traffic), second, appropriate software is selected to perform the task, in this case MATLAB and specifically the Fuzzy Logic Designer toolbox, third, the actual system is built consisting of pre-obtained network traffic inputs that are taken from a pre-collected and compiled .pcap file (the data in it are captured and modified to contain only some network information fields from the set of packets necessary for the experiment to run successfully), the system itself consists of nine input linguistic variables, one output linguistic variable and a knowledge base (the core of the project, namely if-then rules). The studied system is compared with other similar fuzzy output systems of other researchers. Based on this, it is concluded that the approach proposed in the present work to categorize network traffic, based on pre-selected network information fields, in collaboration with other means of cyber protection gives very good results in the context of cyber security. The present project proposes a fuzzy inference system to classify network packet types and detect TCP-SYN attack. The fully built fuzzy source system provides a different perspective to solve the present problem by defining the abstract solution and facilitating the work of specialized personnel charged with such tasks by automating the process of providi

Published

2024

2. Enhancing Network Security through Investigative Traffic Analysis: A Case Study

Author

SUNNY, WINLIYA JEWEL, MOHAN, ANJANA, SUNNY, WINLIYA JEWEL, and MOHAN, ANJANA

Abstract

In this time of increasing cyber risks, robust intrusion detection systems (IDS) arefundamentally necessary for protecting network systems. This master thesis compares twoprimary network intrusion detection resources to clarify their effectiveness, advantages, andboundaries. The investigation follows a thorough approach, including reviewing existingliterature, practical experimentation, and assessing their performance. The primary goal revolves around a deeper comprehension of the operational procedures, threatdetection capacity, and scalability of the chosen IDS solutions. Through carefulexperimentation and scrutiny, this study investigates various elements such as detection accuracy, false favorable rates, the usage of resources, and resilience in varied networksituations. Real-life data sets and contrived attack situations are harnessed to measure the proficiency of these tools in identifying both identified and fresh intrusion efforts. Finally, our experimentation did not identify a single optimal tool due to certain imperfections in both evaluated tools. However, these findings were instrumental in concluding the properties that would constitute an ideal tool. In the end, this study propels the forward arena of networksecurity, offering a detailed insight into the capabilities and limitations of day-to-day intrusion detection tools. This study aims to strengthen cybersecurity defenses and nurture improved decision-making capabilities. These efforts mitigate the constantly changing threats caused byharmful entities in our digital world.

Published

2024

3. Strengthening Cyber Defense : A Comparative Study of Smart Home Infrastructure for Penetration Testing and National Cyber Ranges

Author

Shamaya, Nina, Tarcheh, Gergo, Shamaya, Nina, and Tarcheh, Gergo

Abstract

This thesis addresses the critical issue of security vulnerabilities within the Internet of Things (IoT) ecosystem, with a particular emphasis on everyday devices such as refrigerators, vacuum cleaners, and cameras. The widespread adoption of IoT devices across various sectors has raised significant concerns regarding their security, underscoring the need for more effective penetration testing methods to mitigate potential cyberattacks. In response to this need, the first part of this thesis presents an approach to creating a penetration testing environment specifically tailored for IoT devices. Unlike existing studies that primarily focus on isolated or specific device testing, this work integrates various common household IoT appliances into a single testbed, enabling the testing of a complex system. This setup not only reflects a more realistic usage scenario but also allows for a comprehensive analysis of network traffic and interactions between different devices, thereby potentially identifying new, complex security vulnerabilities. The second part of the thesis undertakes a comparative study of cyber range infrastructures and architectures, an area relatively unexplored in existing literature. This study aims to provide nuanced insights and practical recommendations for developing robust, scalable cyber range infrastructures at a national level. By examining different frameworks, this research contributes to the foundational knowledge necessary for advancing national cybersecurity defenses. Overall, the findings from this research aim to contribute to improving IoT security and guiding the development of robust national cyber range frameworks., Denna avhandling tar upp de säkerhetsbrister som finns inom det ekosystem som omfattar Internet of Things (IoT) enheter, med särskilt fokus på vardagliga apparater som kylskåp, dammsugare och kameror. Den stora spridningen av IoT-enheter inom olika sektorer har väckt många säkerhetsfrågor, vilka betonar behovet av effektivare metoder för penetrationstestning för att förhindra möjliga cyberattacker. För att möta detta behov presenterar den första delen av avhandlingen en metod för att skapa en penetrationstestningsmiljö särskilt anpassad för IoT-enheter. Till skillnad från tidigare studier, vilka främst fokuserar på enskilda eller specifika enhetstestningar, kombinerar detta arbete olika hushållsapparater i en enda testbädd, vilket möjliggör testningen av ett komplext system. Detta upplägg speglar inte bara en mer realistisk användningssituation, utan tillåter också en mer omfattande analys av nätverkstrafik och interaktioner mellan olika enheter, vilket potentiellt kan identifiera nya, komplexa säkerhetsbrister. Den andra delen av avhandlingen genomför en jämförande studie av cyberanläggningars infrastrukturer och arkitekturer, ett område som är relativt outforskat i befintlig litteratur. Denna studie syftar till att ge insikter och praktiska rekommendationer för att utveckla robusta, skalbara infrastrukturer för cyberanläggningar på nationell nivå. Genom att undersöka olika ramverk bidrar denna forskning till den grundläggande kunskap som behövs för att förbättra nationella cybersäkerhetsförsvar. Sammanfattningsvis syftar resultaten från denna forskning till att förbättra IoT-säkerheten och vägleda utvecklingen av robusta nationella ramverk för cyberanläggningar.

Published

2024

4. Strengthening Cyber Defense : A Comparative Study of Smart Home Infrastructure for Penetration Testing and National Cyber Ranges

Author

Shamaya, Nina, Tarcheh, Gergo, Shamaya, Nina, and Tarcheh, Gergo

Abstract

This thesis addresses the critical issue of security vulnerabilities within the Internet of Things (IoT) ecosystem, with a particular emphasis on everyday devices such as refrigerators, vacuum cleaners, and cameras. The widespread adoption of IoT devices across various sectors has raised significant concerns regarding their security, underscoring the need for more effective penetration testing methods to mitigate potential cyberattacks. In response to this need, the first part of this thesis presents an approach to creating a penetration testing environment specifically tailored for IoT devices. Unlike existing studies that primarily focus on isolated or specific device testing, this work integrates various common household IoT appliances into a single testbed, enabling the testing of a complex system. This setup not only reflects a more realistic usage scenario but also allows for a comprehensive analysis of network traffic and interactions between different devices, thereby potentially identifying new, complex security vulnerabilities. The second part of the thesis undertakes a comparative study of cyber range infrastructures and architectures, an area relatively unexplored in existing literature. This study aims to provide nuanced insights and practical recommendations for developing robust, scalable cyber range infrastructures at a national level. By examining different frameworks, this research contributes to the foundational knowledge necessary for advancing national cybersecurity defenses. Overall, the findings from this research aim to contribute to improving IoT security and guiding the development of robust national cyber range frameworks., Denna avhandling tar upp de säkerhetsbrister som finns inom det ekosystem som omfattar Internet of Things (IoT) enheter, med särskilt fokus på vardagliga apparater som kylskåp, dammsugare och kameror. Den stora spridningen av IoT-enheter inom olika sektorer har väckt många säkerhetsfrågor, vilka betonar behovet av effektivare metoder för penetrationstestning för att förhindra möjliga cyberattacker. För att möta detta behov presenterar den första delen av avhandlingen en metod för att skapa en penetrationstestningsmiljö särskilt anpassad för IoT-enheter. Till skillnad från tidigare studier, vilka främst fokuserar på enskilda eller specifika enhetstestningar, kombinerar detta arbete olika hushållsapparater i en enda testbädd, vilket möjliggör testningen av ett komplext system. Detta upplägg speglar inte bara en mer realistisk användningssituation, utan tillåter också en mer omfattande analys av nätverkstrafik och interaktioner mellan olika enheter, vilket potentiellt kan identifiera nya, komplexa säkerhetsbrister. Den andra delen av avhandlingen genomför en jämförande studie av cyberanläggningars infrastrukturer och arkitekturer, ett område som är relativt outforskat i befintlig litteratur. Denna studie syftar till att ge insikter och praktiska rekommendationer för att utveckla robusta, skalbara infrastrukturer för cyberanläggningar på nationell nivå. Genom att undersöka olika ramverk bidrar denna forskning till den grundläggande kunskap som behövs för att förbättra nationella cybersäkerhetsförsvar. Sammanfattningsvis syftar resultaten från denna forskning till att förbättra IoT-säkerheten och vägleda utvecklingen av robusta nationella ramverk för cyberanläggningar.

Published

2024

5. Enhancing Network Security through Investigative Traffic Analysis: A Case Study

Author

SUNNY, WINLIYA JEWEL, MOHAN, ANJANA, SUNNY, WINLIYA JEWEL, and MOHAN, ANJANA

Abstract

In this time of increasing cyber risks, robust intrusion detection systems (IDS) arefundamentally necessary for protecting network systems. This master thesis compares twoprimary network intrusion detection resources to clarify their effectiveness, advantages, andboundaries. The investigation follows a thorough approach, including reviewing existingliterature, practical experimentation, and assessing their performance. The primary goal revolves around a deeper comprehension of the operational procedures, threatdetection capacity, and scalability of the chosen IDS solutions. Through carefulexperimentation and scrutiny, this study investigates various elements such as detection accuracy, false favorable rates, the usage of resources, and resilience in varied networksituations. Real-life data sets and contrived attack situations are harnessed to measure the proficiency of these tools in identifying both identified and fresh intrusion efforts. Finally, our experimentation did not identify a single optimal tool due to certain imperfections in both evaluated tools. However, these findings were instrumental in concluding the properties that would constitute an ideal tool. In the end, this study propels the forward arena of networksecurity, offering a detailed insight into the capabilities and limitations of day-to-day intrusion detection tools. This study aims to strengthen cybersecurity defenses and nurture improved decision-making capabilities. These efforts mitigate the constantly changing threats caused byharmful entities in our digital world.

Published

2024

6. ANOMALY DETECTION ON FLOWS AND INCOMING PACKETS WITH GAUSSIAN MIXTURES

Author

Barton, Armon C., Singh, Gurminder, Computer Science (CS), Menon, Tarun, Barton, Armon C., Singh, Gurminder, Computer Science (CS), and Menon, Tarun

Abstract

Firewalls are key for maintaining a secure network, but it cannot be assumed that network traffic that manages to get through one is completely safe. Anomaly detection refers to methods that can be used to discover unique or uncommon occurrences within a particular dataset. Unsupervised machine learning techniques involve machine learning with unlabeled data, and can be utilized in order to perform anomaly detection by ingesting a given set of data and finding instances that diverge from the rest in meaningful ways that may not be obvious to the human eye. In this study we aim to analyze anomalies that are detected in incoming packet and flow network traffic data that successfully passed through a firewall and determine what significance there may be within such anomalies. Considering the vast amount of malicious traffic that exists and gets generated regularly, this study shows that Gaussian Mixtures can be used for discovery of anomalies within network traffic that passed through a firewall to discover potential undesirable or malicious traffic., Civilian, Approved for public release. Distribution is unlimited.

Published

2023

7. MalBoT-DRL: Malware botnet detection using deep reinforcement learning in IoT networks

Author

Al-Fawa'Reh, Mohammad, Abu-Khalaf, Jumana, Szewczyk, Patryk, Kang, James J., Al-Fawa'Reh, Mohammad, Abu-Khalaf, Jumana, Szewczyk, Patryk, and Kang, James J.

Abstract

In the dynamic landscape of cyber threats, multi-stage malware botnets have surfaced as significant threats of concern. These sophisticated threats can exploit Internet of Things (IoT) devices to undertake an array of cyberattacks, ranging from basic infections to complex operations such as phishing, cryptojacking, and distributed denial of service (DDoS) attacks. Existing machine learning solutions are often constrained by their limited generalizability across various datasets and their inability to adapt to the mutable patterns of malware attacks in real world environments, a challenge known as model drift. This limitation highlights the pressing need for adaptive Intrusion Detection Systems (IDS), capable of adjusting to evolving threat patterns and new or unseen attacks. This paper introduces MalBoT-DRL, a robust malware botnet detector using deep reinforcement learning. Designed to detect botnets throughout their entire lifecycle, MalBoT-DRL has better generalizability and offers a resilient solution to model drift. This model integrates damped incremental statistics with an attention rewards mechanism, a combination that has not been extensively explored in literature. This integration enables MalBoT-DRL to dynamically adapt to the ever-changing malware patterns within IoT environments. The performance of MalBoT-DRL has been validated via trace-driven experiments using two representative datasets, MedBIoT and N-BaIoT, resulting in exceptional average detection rates of 99.80% and 99.40% in the early and late detection phases, respectively. To the best of our knowledge, this work introduces one of the first studies to investigate the efficacy of reinforcement learning in enhancing the generalizability of IDS.

Published

2023

8. Impact of replacing TCP by QUIC in Tor on website fingerprinting resistance

Author

Trap, Cyril (author) and Trap, Cyril (author)

Abstract

Privacy is a human right, yet, people’s behavior on the web is constantly tracked. Tor, an anonymity network, is an effective defence against tracking. However, Tor’s multiplexing of logically independent data streams into a single TCP connection causes issues. Tor with QUIC has been implemented as an alternative with better performance but it has not been studied whether and by how much QUIC increases the vulnerability to timing-based attacks. The most threatening attacks are website fingerprinting attacks, which can track a Tor user by only controlling the guard node, first of the relays that forward traffic in Tor. In this work, Tor with QUIC is evaluated against website fingerprinting attacks with various levels of defences active. Without defences, Tor is vulnerable to website fingerprinting for both TCP and QUIC but the attacks are more effective on QUIC. On the positive side, defences against website fingerprinting remain effective for QUIC in that they decrease the effectiveness of the attack by a similar fraction as for TCP., Computer Science | Cyber Security

Published

2023

9. Detection, Quantification, and Mitigation of Network Side Channels

Author

Kadron, Ismet Burak, Bultan, Tevfik1, Kadron, Ismet Burak, Kadron, Ismet Burak, Bultan, Tevfik1, and Kadron, Ismet Burak

Abstract

Modern software systems such as web clients and Internet of Things (IoT) devices regularly access and transmit private and sensitive data such as location information or user actions. Although these systems use secure and encrypted communications to transmit this information, the information can be recovered by observing the side effects of the communication such as packet sizes, timings and source and destination information which is public to any eavesdropper. These side effects can be obfuscated by delaying packet timings, padding packet contents or injecting dummy packets. These obfuscations also impact the quality of transmission, therefore a balance between user privacy and network overhead is needed.In this dissertation, we provide methods for (1) detecting and quantifying network side-channel information leakages, (2) input generation for automating analysis of network side-channels, (3) automating side-channel mitigation with user constraints. Firstly, we present how the network side-channels can be detected and quantified by identifying relevant features with trace analysis. Our approach quantifies the information leakage of each feature using Shannon entropy and probability estimation methods, and provides a ranking of features based on the amount of leakage. Secondly, we discuss how the detection and quantification can be improved by dynamically generating inputs based on user provided mutators and seed inputs. Our method determines which features are affecting the information leakage and picks the mutators that influence those features or the secret. Thirdly, we present approaches on measuring the amount of information leakage using upper and lower bounds on the estimates. We also present techniques that synthesize side-channel attacks using classifiers and provide upper bounds on classifier accuracy. Then, we present a search-based method to generate mitigation strategies to information leakages based on user constraints to balance network overhead and

Published

2022

10. Multiple Strategies Differential Privacy on Sparse Tensor Factorization for Network Traffic Analysis in 5G

Author

Wang, Jin (author), Han, Hui (author), Li, H. (author), He, Shiming (author), Sharma, Pradip Kumar (author), Chen, Lydia Y. (author), Wang, Jin (author), Han, Hui (author), Li, H. (author), He, Shiming (author), Sharma, Pradip Kumar (author), and Chen, Lydia Y. (author)

Abstract

Due to high capacity and fast transmission speed, 5G plays a key role in modern electronic infrastructure. Meanwhile, sparse tensor factorization (STF) is a useful tool for dimension reduction to analyze high-order, high-dimension, and sparse tensor (HOHDST) data, which is transmitted on 5G Internet-of-things (IoT). Hence, HOHDST data relies on STF to obtain complete data and discover rules for real time and accurate analysis. From another view of computation and data security, the current STF solution seeks to improve the computational efficiency but neglects privacy security of the IoT data, e.g., data analysis for network traffic monitor system. To overcome these problems, this article proposes a multiple-strategies differential privacy framework on STF (MDPSTF) for HOHDST network traffic data analysis. MDPSTF comprises three differential privacy (DP) mechanisms, i.e., varepsilon - DP, concentrated DP, and local DP. Furthermore, the theoretical proof of privacy bound is presented. Hence, MDPSTF can provide general data protection for HOHDST network traffic data with high-security promise. We conduct experiments on two real network traffic datasets (Abilene and Ggrave{E}ANT). The experimental results show that MDPSTF has high universality on the various degrees of privacy protection demands and high recovery accuracy for the HOHDST network traffic data., Distributed Systems

Published

2021

11. USER IDENTIFICATION IN DYNAMIC WEB TRAFFIC VIA DEEP TEMPORAL FEATURES

Author

Monaco, John, Fulp, John D., Computer Science (CS), Kim, Jihye, Monaco, John, Fulp, John D., Computer Science (CS), and Kim, Jihye

Abstract

Web applications that process sensitive information have become prevalent. Modern web applications rely heavily on dynamic content (i.e., page updates made by the browser using an XMLHttpRequest, and more recently the JavaScript Fetch API). Ajax technology provides fast client-server communication, which generates web traffic that updates the document object model (DOM) object in the browser interface often induced by user input. Therefore, the user’s actions are strongly correlated with timing and size of packets that carry Ajax requests. This research aims to characterize the relationship between keystroke dynamics and Ajax packets in dynamic web traffic. We investigate several dynamic web applications and the ability to measure human behavior in encrypted network traffic. Two approaches to Ajax packet detection are proposed and evaluated: longest increasing subsequence (LIS), which uses packet sizes, and dynamic time warping (DTW), which uses keystroke and packet timings. From the detected packets of recognized patterns, we examine the extent to which remote user identification in dynamic web traffic can be performed. We use a recurrent neural network (RNN) trained with triplet loss to extract deep temporal features from the detected packet timings. Leveraging recent work in keystroke dynamics, we show that user identification can be performed with modest accuracy utilizing the packet timings invoked by a user typing in a web search engine., Outstanding Thesis, Captain, Republic of Korea Army, Approved for public release. distribution is unlimited

Published

2021

12. Multiple Strategies Differential Privacy on Sparse Tensor Factorization for Network Traffic Analysis in 5G

Author

Wang, Jin (author), Han, Hui (author), Li, H. (author), He, Shiming (author), Sharma, Pradip Kumar (author), Chen, Lydia Y. (author), Wang, Jin (author), Han, Hui (author), Li, H. (author), He, Shiming (author), Sharma, Pradip Kumar (author), and Chen, Lydia Y. (author)

Abstract

Due to high capacity and fast transmission speed, 5G plays a key role in modern electronic infrastructure. Meanwhile, sparse tensor factorization (STF) is a useful tool for dimension reduction to analyze high-order, high-dimension, and sparse tensor (HOHDST) data, which is transmitted on 5G Internet-of-things (IoT). Hence, HOHDST data relies on STF to obtain complete data and discover rules for real time and accurate analysis. From another view of computation and data security, the current STF solution seeks to improve the computational efficiency but neglects privacy security of the IoT data, e.g., data analysis for network traffic monitor system. To overcome these problems, this article proposes a multiple-strategies differential privacy framework on STF (MDPSTF) for HOHDST network traffic data analysis. MDPSTF comprises three differential privacy (DP) mechanisms, i.e., varepsilon - DP, concentrated DP, and local DP. Furthermore, the theoretical proof of privacy bound is presented. Hence, MDPSTF can provide general data protection for HOHDST network traffic data with high-security promise. We conduct experiments on two real network traffic datasets (Abilene and Ggrave{E}ANT). The experimental results show that MDPSTF has high universality on the various degrees of privacy protection demands and high recovery accuracy for the HOHDST network traffic data., Dataintensive Systems

Published

2021

13. VPN Fingerprinting: Network protocol detection inside virtual private network tunnels

Author

Graafmans, Roy (author) and Graafmans, Roy (author)

Abstract

Virtual private networks are often used to secure communication between two hosts and preserve privacy by tunneling all traffic over a single encrypted channel. Previous work has already shown that metadata of different secured channels can be used to fingerprint various kinds of information. In this work, we will dive into the encrypted tunnels as used by VPNs. We have collected automatically generated data of 9 network protocols sent over 8 different VPN solutions with 3 different rates for mixed traffic each. Due to the single combined traffic channel of the VPN, this work had to focus on packet-wise features instead of stream-wise ones, requiring the development of new features compared to related work. Both Random Forest and Markov Chains are trained to distinguish the network protocols by finding the patterns of the protocols in the developed features. We show that it is possible to fingerprint network protocols in all different scenarios based on the metadata available. Moreover, it was found that size features are more important than timing-related ones, especially when padding comes into place. Lastly, we show that obfuscations methods focussing on distorting size or timing patterns solely are not effective enough and future obfuscation methods should incorporate both features.

Published

2021

14. Statistical-entropy method of searching for fields in traffic of unknown protocols

Author

Sinadskiy, A. N., Domukhovsky, N. A., Синадский, А. Н., Домуховский, Н. А., Sinadskiy, A. N., Domukhovsky, N. A., Синадский, А. Н., and Домуховский, Н. А.

Abstract

The article considers traffic analysis with an unknown structure. A developed method of statistical entropy is proposed, based on existing entropy and statistical algorithms, and allowing you to select fields without knowing the protocol specification. The determination of the boundaries of significant fields is based on the entropy and mutual information of byte sets, as well as the use of estimates of the number of times a network packet appears in the traffic. The software implementation of the described method implements the separation of network traffic packets with zero knowledge of the protocols used in it into semantic fields., В статье рассматривается анализ трафика с неизвестной структурой. Предлагается разработанный метод статистической энтропии, основанный на существующих энтропийных и статистических алгоритмах, и позволяющий выделять поля без знания спецификации протокола. Определение границ значимых полей основывается на энтропии и взаимной информации наборов байтов, а также использовании оценок количества появлений частей сетевого пакета в трафике. Программная реализация описанного метода реализует разделение пакетов сетевого трафика с нулевым знанием используемых в нем протоколов на семантические поля.

Published

2020

15. CHARACTERIZING BGP COMMUNITY IRREGULARITIES TOWARD AN ANOMALY DETECTION ENGINE

Author

Beverly, Robert, Smaragdakis, Georgios, Technical University (TU) Berlin, Computer Science (CS), Hardt, Alexander, Beverly, Robert, Smaragdakis, Georgios, Technical University (TU) Berlin, Computer Science (CS), and Hardt, Alexander

Abstract

Prior work has demonstrated ways in which to attack the Border Gateway Protocol (BGP) system as well as vulnerabilities of the BGP and its configuration. Furthermore, BGP attacks, such as hijacking, are common in the wild, whether due to accidental misconfiguration or malintent. Recent work demonstrates the feasibility and potential for new BGP attacks based on the BGP community attribute (rerouting and blackholing). Very recently, there have been BGP attacks using BGP communities in the wild. The major issues with BGP communities (among others) are that there is no cryptographic protection, attribution is very difficult, and they are used both for signaling and triggering actions. These issues present opportunities for misconfiguration and, more concerningly, abuse. Not only have BGP communities been shown to potentially allow a third party to trigger remote blackholing, false BGP community announcements can be used to re-route traffic to include a hop controlled by an attacker. This re-routing allows an attacker to potentially examine traffic on its way to its intended destination. Despite this rich body of prior work, no one has analyzed the use and misuse of BGP communities over time. In this thesis, we characterize BGP community use and behavior over the course of a year to investigate the possibility of building a BGP community anomaly detector., http://archive.org/details/characterizingbg1094564179, Civilian, Approved for public release; distribution is unlimited.

Published

2020

16. Toward a sustainable cybersecurity ecosystem

Author

Sadik, Shahrin, Ahmed, Mohiuddin, Sikos, Leslie F., Islam, A.K.M. Najmul, Sadik, Shahrin, Ahmed, Mohiuddin, Sikos, Leslie F., and Islam, A.K.M. Najmul

Abstract

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. Cybersecurity issues constitute a key concern of today’s technology-based economies. Cybersecurity has become a core need for providing a sustainable and safe society to online users in cyberspace. Considering the rapid increase of technological implementations, it has turned into a global necessity in the attempt to adapt security countermeasures, whether direct or indirect, and prevent systems from cyberthreats. Identifying, characterizing, and classifying such threats and their sources is required for a sustainable cyber-ecosystem. This paper focuses on the cybersecurity of smart grids and the emerging trends such as using blockchain in the Internet of Things (IoT). The cybersecurity of emerging technologies such as smart cities is also discussed. In addition, associated solutions based on artificial intelligence and machine learning frameworks to prevent cyber-risks are also discussed. Our review will serve as a reference for policy-makers from the industry, government, and the cybersecurity research community.

Published

2020

17. Anomaly Detection in Network Traffic using Multivariate State Machines

Author

Serentellos, V. (author) and Serentellos, V. (author)

Abstract

Computer networks have nowadays assumed an increasingly important role in the expression of modern human activity through the ongoing rapid development in the field of Information and Communication Technologies (ICT). More and more individual users and businesses around the world are gaining access to networks online, while the range of services offered by these networks span multiple domains of human life, leading them to grow in terms of both size and complexity, and in parallel handle a constantly growing volume of user-generated data. As with every important aspect of human life, computer networks need to be protected from malicious adversaries aiming to degrade the quality of the offered services and acquire unauthorised access to them, so as for their intended functionality to be uneventfully maintained. The broad success of Machine Learning (ML) based techniques in applications originated from a wide range of fields has led to the wide adoption of such techniques in the premises of automated network traffic analysis systems aiming to detect malicious activity within computer networks, with a notable portion of these systems employing solutions inspired from the field of anomaly detection. Such an automated system for anomaly detection in network traffic, attempting to address as many of the major shortcomings of earlier relevant works as possible, constitutes the content of this thesis. In particular, the proposed system is designed to offer fine-grained analysis of the recorded traffic, by leveraging powerful sequential learning models, like multivariate state machines, equipped with well known anomaly detection algorithms in their structure, towards the extraction of benign behavioral profiles from NetFlow traces of aggregated network entities, like hosts or connections, so as to use these profiles towards the identification of any behavior not conforming to them as anomalous. Three publicly available Netflow-based datasets, incorporating a diverse set of c

Published

2020

18. INSTANT MESSAGE TRAFFIC META-DATA AND ITS SUSCEPTIBILITY TO TRAFFIC ANALYSIS

Author

Monaco, John, Beverly, Robert, Information Sciences (IS), Verkempinck, Jeana M., Arnell, Alexander, Bullock, Cassondra C., Monaco, John, Beverly, Robert, Information Sciences (IS), Verkempinck, Jeana M., Arnell, Alexander, and Bullock, Cassondra C.

Abstract

Instant Message (IM) applications are commonly used by both civilian and DoD personnel for both communication and collaboration. The web-based variants of these applications generally ride encrypted channels for message security. However, these channels may be vulnerable to keystroke timing attacks whereby textual content is determined by the timing of network traffic induced by keyboard events. An example of this induced traffic is the activity notifications common to many of these platforms, indicating when a conversant begins typing. Our aim is to determine whether the network traffic that carries this metadata enables recovering portions of the message or leaks information about the sender's identity. Using a combination of network packet capture analysis and local keystroke logging, we characterize traffic patterns of three widely used web-based IM platforms: Facebook Messaging, Google Hangouts, and Internet Relay Chat (IRC) through the Kiwi IRC web client., Petty Officer First Class, United States Navy, Petty Officer First Class, United States Navy, Chief Petty Officer, United States Navy, Approved for public release. distribution is unlimited

Published

2020

19. Detecting Hidden Wireless Cameras through Network Traffic Analysis

Author

Cowan, KC Kaye and Cowan, KC Kaye

Abstract

Wireless cameras dominate the home surveillance market, providing an additional layer of security for homeowners. Cameras are not limited to private residences; retail stores, public bathrooms, and public beaches represent only some of the possible locations where wireless cameras may be monitoring people's movements. When cameras are deployed into an environment, one would typically expect the user to disclose the presence of the camera as well as its location, which should be outside of a private area. However, adversarial camera users may withhold information and prevent others from discovering the camera, forcing others to determine if they are being recorded on their own. To uncover hidden cameras, a wireless camera detection system must be developed that will recognize the camera's network traffic characteristics. We monitor the network traffic within the immediate area using a separately developed packet sniffer, a program that observes and collects information about network packets. We analyze and classify these packets based on how well their patterns and features match those expected of a wireless camera. We used a Support Vector Machine classifier and a secondary-level of classification to reduce false positives to design and implement a system that uncovers the presence of hidden wireless cameras within an area.

Published

2020

20. Toward a sustainable cybersecurity ecosystem

Author

Sadik, Shahrin, Ahmed, Mohiuddin, Sikos, Leslie F., Islam, A.K.M. Najmul, Sadik, Shahrin, Ahmed, Mohiuddin, Sikos, Leslie F., and Islam, A.K.M. Najmul

Abstract

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. Cybersecurity issues constitute a key concern of today’s technology-based economies. Cybersecurity has become a core need for providing a sustainable and safe society to online users in cyberspace. Considering the rapid increase of technological implementations, it has turned into a global necessity in the attempt to adapt security countermeasures, whether direct or indirect, and prevent systems from cyberthreats. Identifying, characterizing, and classifying such threats and their sources is required for a sustainable cyber-ecosystem. This paper focuses on the cybersecurity of smart grids and the emerging trends such as using blockchain in the Internet of Things (IoT). The cybersecurity of emerging technologies such as smart cities is also discussed. In addition, associated solutions based on artificial intelligence and machine learning frameworks to prevent cyber-risks are also discussed. Our review will serve as a reference for policy-makers from the industry, government, and the cybersecurity research community.

Published

2020

21. Anomaly Detection in Network Traffic using Multivariate State Machines

Author

Serentellos, V. (author) and Serentellos, V. (author)

Abstract

Computer networks have nowadays assumed an increasingly important role in the expression of modern human activity through the ongoing rapid development in the field of Information and Communication Technologies (ICT). More and more individual users and businesses around the world are gaining access to networks online, while the range of services offered by these networks span multiple domains of human life, leading them to grow in terms of both size and complexity, and in parallel handle a constantly growing volume of user-generated data. As with every important aspect of human life, computer networks need to be protected from malicious adversaries aiming to degrade the quality of the offered services and acquire unauthorised access to them, so as for their intended functionality to be uneventfully maintained. The broad success of Machine Learning (ML) based techniques in applications originated from a wide range of fields has led to the wide adoption of such techniques in the premises of automated network traffic analysis systems aiming to detect malicious activity within computer networks, with a notable portion of these systems employing solutions inspired from the field of anomaly detection. Such an automated system for anomaly detection in network traffic, attempting to address as many of the major shortcomings of earlier relevant works as possible, constitutes the content of this thesis. In particular, the proposed system is designed to offer fine-grained analysis of the recorded traffic, by leveraging powerful sequential learning models, like multivariate state machines, equipped with well known anomaly detection algorithms in their structure, towards the extraction of benign behavioral profiles from NetFlow traces of aggregated network entities, like hosts or connections, so as to use these profiles towards the identification of any behavior not conforming to them as anomalous. Three publicly available Netflow-based datasets, incorporating a diverse set of c

Published

2020

22. Slow Dos Attacks Detection And Mitigation

Author

Sikora, Marek and Sikora, Marek

Abstract

This article investigates the detection and mitigation methods against Slow DoS (Demand of Service) attacks. This research is focused on Slowloris, Slow POST, Slow Read, and Apache Range Header attacks. Detection methods are based on network traffic analysis and anomalous traffic monitoring. When the attack is detected, the attacker is blocked and web server resources are released. Methods are implemented as an intrusion prevention system software.

Published

2019

23. Privacy and security in internet-connected cameras

Author

Valente, J, Valente, J, Koneru, K, Cardenas, A, Valente, J, Valente, J, Koneru, K, and Cardenas, A

Abstract

The Internet of Things (IoT) enables us to sense and share information of real-world events, including potentially privacy-sensitive information about the users' choices and behaviors. In this paper we focus on the security and privacy problems of Internet-connected cameras. We study two cameras: a consumer camera marketed as a baby monitor, and a surveillance camera marketed for enterprise (physical) security. We show how a generic algorithm can be used to infer actions recorded by the camera, even if the traffic is encrypted, and we also show how both cameras have security vulnerabilities that allow a remote attacker to gain access to the video frames captured by the camera. We also discuss new findings such as the fact that one camera has multiple vendors and domains that connect to a single cloud system supported by a single company, which is a trend we have previously seen in other IoT devices with one company designing the core-functionality of the device and then multiple vendors selling the device under their own brand name and developing different mobile applications for them.

Published

2019

24. Multivariate network traffic analysis using clustered patterns

Author

Kim, J, Kim, J, Sim, A, Tierney, B, Suh, S, Kim, I, Kim, J, Kim, J, Sim, A, Tierney, B, Suh, S, and Kim, I

Abstract

Traffic analysis is a core element in network operations and management for various purposes including change detection, traffic prediction, and anomaly detection. In this paper, we introduce a new approach to online traffic analysis based on a pattern-based representation for high-level summarization of the traffic measurement data. Unlike the past online analysis techniques limited to a single variable to summarize (e.g., sketch), the focus of this study is on capturing the network state from the multivariate attributes under consideration. To this end, we employ clustering with its benefit of the aggregation of multidimensional variables. The clustered result represents the state of the network with regard to the monitored variables, which can also be compared with the observed patterns from previous time windows enabling intuitive analysis. We demonstrate the proposed method with two popular use cases, one for estimating state changes and the other for identifying anomalous states, to confirm its feasibility. Our extensive experimental results with public traces and collected monitoring measurements from ESnet traffic traces show that our pattern-based approach is effective for multivariate analysis of online network traffic with visual and quantitative tools.

Published

2019

25. A New Approach to Multivariate Network Traffic Analysis

Author

Kim, J, Kim, J, Sim, A, Kim, J, Kim, J, and Sim, A

Abstract

Network traffic analysis is one of the core functions in network monitoring for effective network operations and management. While online traffic analysis has been widely studied, it is still intensively challenging due to several reasons. One of the primary challenges is the heavy volume of traffic to analyze within a finite amount of time due to the increasing network bandwidth. Another important challenge for effective traffic analysis is to support multivariate functions of traffic variables to help administrators identify unexpected network events intuitively. To this end, we propose a new approach with the multivariate analysis that offers a high-level summary of the online network traffic. With this approach, the current state of the network will display patterns compiled from a set of traffic variables, and the detection problems in network monitoring (e.g., change detection and anomaly detection) can be reduced to a pattern identification and classification problem. In this paper, we introduce our preliminary work with clustered patterns for online, multivariate network traffic analysis with the challenges and limitations we observed. We then present a grid-based model that is designed to overcome the limitations of the clustered pattern-based technique. We will discuss the potential of the new model with respect to the technical challenges including streaming-based computation and robustness to outliers.

Published

2019

26. Android App Tracking: Investigating the feasibility of tracking user behavior on mobile phones by analyzing encrypted network traffic

Author

Meijer, Wilko (author) and Meijer, Wilko (author)

Abstract

The mobile phone has become an important part of people's lives and which apps are used says a lot about a person. Even though data is encrypted, meta-data of network traffic leaks private information about which apps are being used on mobile devices.Apps can be detected in network traffic using the network fingerprint of an app, which shows what a typical connection of the app resembles. In this work, we investigate whether fingerprinting apps is feasible in the real world. We collected automatically generated data from various versions of around 500 apps and real-world data from over 65 unique users. We learn the fingerprints of the apps by training a Random Forest on the collected data. This Random Forest is used to detect app fingerprints in network traffic. We show that it is possible to build a model that can classify a specific subset of apps in network traffic. We also show that it is very hard to build a complete model that can classify all possible apps traffic due to overlapping fingerprints. Updates to apps have a significant effect on the network fingerprint, such that models should be updated every one or two months. We show that by only selecting a subset of apps it is possible to successfully classify network traffic. Various countermeasures against network traffic analysis are investigated. We show that using a VPN is not an effective countermeasure because an effective classifier can be trained on VPN data. We conclude that fingerprinting in the real world is feasible, but only on specific sets of apps.

Published

2019

27. Automated data exfiltration detection using netflow metadata

Author

Etta Tabe, Takang Kajikaw (author) and Etta Tabe, Takang Kajikaw (author)

Abstract

The volume and sophistication of data exfiltration attacks over networks have significantly increased in the last decade. This has resulted in the need for defense mechanisms, to effectively detect both known and unknown data exfiltration scenarios over the network. While methods such as DPI (Deep Packet Inspection) are commonly used to detect data exfiltrations, this mechanism requires a thorough inspection of every payload or packet going out of the network, making it unsuitable for use in some environments, as it is quite resource intensive and can lead to severe data privacy implications. In our work, we use lightweight netflows which are non-privacy invasive to detect data exfiltrations at connection-level granularity. The key intuition behind our proposed solution is that connections involved in data exfiltration tend to differentiate themselves from normal network connections based on certain feature values. The result of this research shows that features extracted from netflows such as the duration of a netflow, the source bytes, the source bytes sent per second, the source bytes sent per packet and the producer-consumer ratio can be used to effectively detect data exfiltration. Subsequently, connections are grouped using k-means, and the robust Z-score of their distances from their respective cluster centroid is used as a statistical and distance-based technique to detect connections involved in a data exfiltration. While this method detects some data exfiltration scenarios, it results in a significant number of false positives. Combining this with the results from the LOF (local outlier factor) and the LoOP (local outlier probability), which are density-based techniques, leads to a more robust model, as it significantly reduces the number of false positives and false negatives. Also, we show that using the smallest clusters formed from k-means for analysis leads to similar detection results as the entire datasets, with a significant reduction in computatio, Computer Science | Cyber Security, Computer Science | Distributed Systems

Published

2019

28. MultiProxy: a collaborative approach to censorship circumvention

Author

Shi, Gaomei (author) and Shi, Gaomei (author)

Abstract

In recent years, many countries and administrative domains exploit control over their communication infrastructures to censor online materials. The concrete reasons behind the Internet censorship remain poorly understood due to the opaque nature of the systems. Generally, Internet censorship is to disrupt the free flow of information. It involves a series of steps to stop the dissemination of information, or prevent the access to information, for example, disrupt the link between the users and providers. These technologies bring significant inconvenience for legitimate users. The goal of the thesis is to undertake a recent study to measure the behaviour of the Great Firewall of China (GFW). Based on that, this work designs a Peer-to-Peer (P2P) circumvention system called MultiProxy which exploits the blockchain-based economical model in order to create a balanced environment for resources providing and consuming. The system also uses multi-hop messaging to protect the privacy of the request initiators. The evaluation results show that MultiProxy can evade censorship while protecting users privacy., Computer Science

Published

2019

29. A New Approach to Multivariate Network Traffic Analysis

Author

Kim, J, Kim, J, Sim, A, Kim, J, Kim, J, and Sim, A

Abstract

Network traffic analysis is one of the core functions in network monitoring for effective network operations and management. While online traffic analysis has been widely studied, it is still intensively challenging due to several reasons. One of the primary challenges is the heavy volume of traffic to analyze within a finite amount of time due to the increasing network bandwidth. Another important challenge for effective traffic analysis is to support multivariate functions of traffic variables to help administrators identify unexpected network events intuitively. To this end, we propose a new approach with the multivariate analysis that offers a high-level summary of the online network traffic. With this approach, the current state of the network will display patterns compiled from a set of traffic variables, and the detection problems in network monitoring (e.g., change detection and anomaly detection) can be reduced to a pattern identification and classification problem. In this paper, we introduce our preliminary work with clustered patterns for online, multivariate network traffic analysis with the challenges and limitations we observed. We then present a grid-based model that is designed to overcome the limitations of the clustered pattern-based technique. We will discuss the potential of the new model with respect to the technical challenges including streaming-based computation and robustness to outliers.

Published

2019

30. Multivariate network traffic analysis using clustered patterns

Author

Kim, J, Kim, J, Sim, A, Tierney, B, Suh, S, Kim, I, Kim, J, Kim, J, Sim, A, Tierney, B, Suh, S, and Kim, I

Abstract

Traffic analysis is a core element in network operations and management for various purposes including change detection, traffic prediction, and anomaly detection. In this paper, we introduce a new approach to online traffic analysis based on a pattern-based representation for high-level summarization of the traffic measurement data. Unlike the past online analysis techniques limited to a single variable to summarize (e.g., sketch), the focus of this study is on capturing the network state from the multivariate attributes under consideration. To this end, we employ clustering with its benefit of the aggregation of multidimensional variables. The clustered result represents the state of the network with regard to the monitored variables, which can also be compared with the observed patterns from previous time windows enabling intuitive analysis. We demonstrate the proposed method with two popular use cases, one for estimating state changes and the other for identifying anomalous states, to confirm its feasibility. Our extensive experimental results with public traces and collected monitoring measurements from ESnet traffic traces show that our pattern-based approach is effective for multivariate analysis of online network traffic with visual and quantitative tools.

Published

2019

31. Privacy and security in internet-connected cameras

Author

Valente, J, Valente, J, Koneru, K, Cardenas, A, Valente, J, Valente, J, Koneru, K, and Cardenas, A

Abstract

The Internet of Things (IoT) enables us to sense and share information of real-world events, including potentially privacy-sensitive information about the users' choices and behaviors. In this paper we focus on the security and privacy problems of Internet-connected cameras. We study two cameras: a consumer camera marketed as a baby monitor, and a surveillance camera marketed for enterprise (physical) security. We show how a generic algorithm can be used to infer actions recorded by the camera, even if the traffic is encrypted, and we also show how both cameras have security vulnerabilities that allow a remote attacker to gain access to the video frames captured by the camera. We also discuss new findings such as the fact that one camera has multiple vendors and domains that connect to a single cloud system supported by a single company, which is a trend we have previously seen in other IoT devices with one company designing the core-functionality of the device and then multiple vendors selling the device under their own brand name and developing different mobile applications for them.

Published

2019

32. Slow Dos Attacks Detection And Mitigation

Abstract

This article investigates the detection and mitigation methods against Slow DoS (Demand of Service) attacks. This research is focused on Slowloris, Slow POST, Slow Read, and Apache Range Header attacks. Detection methods are based on network traffic analysis and anomalous traffic monitoring. When the attack is detected, the attacker is blocked and web server resources are released. Methods are implemented as an intrusion prevention system software.

Published

2019

33. Slow Dos Attacks Detection And Mitigation

Abstract

This article investigates the detection and mitigation methods against Slow DoS (Demand of Service) attacks. This research is focused on Slowloris, Slow POST, Slow Read, and Apache Range Header attacks. Detection methods are based on network traffic analysis and anomalous traffic monitoring. When the attack is detected, the attacker is blocked and web server resources are released. Methods are implemented as an intrusion prevention system software.

Published

2019

34. Slow Dos Attacks Detection And Mitigation

Abstract

This article investigates the detection and mitigation methods against Slow DoS (Demand of Service) attacks. This research is focused on Slowloris, Slow POST, Slow Read, and Apache Range Header attacks. Detection methods are based on network traffic analysis and anomalous traffic monitoring. When the attack is detected, the attacker is blocked and web server resources are released. Methods are implemented as an intrusion prevention system software.

Published

2019

35. Slow Dos Attacks Detection And Mitigation

Author

Sikora, Marek and Sikora, Marek

Abstract

This article investigates the detection and mitigation methods against Slow DoS (Demand of Service) attacks. This research is focused on Slowloris, Slow POST, Slow Read, and Apache Range Header attacks. Detection methods are based on network traffic analysis and anomalous traffic monitoring. When the attack is detected, the attacker is blocked and web server resources are released. Methods are implemented as an intrusion prevention system software.

Published

2019

36. Slow Dos Attacks Detection And Mitigation

Author

Sikora, Marek and Sikora, Marek

Abstract

This article investigates the detection and mitigation methods against Slow DoS (Demand of Service) attacks. This research is focused on Slowloris, Slow POST, Slow Read, and Apache Range Header attacks. Detection methods are based on network traffic analysis and anomalous traffic monitoring. When the attack is detected, the attacker is blocked and web server resources are released. Methods are implemented as an intrusion prevention system software.

Published

2019

37. Android App Tracking: Investigating the feasibility of tracking user behavior on mobile phones by analyzing encrypted network traffic

Author

Meijer, Wilko (author) and Meijer, Wilko (author)

Abstract

The mobile phone has become an important part of people's lives and which apps are used says a lot about a person. Even though data is encrypted, meta-data of network traffic leaks private information about which apps are being used on mobile devices.Apps can be detected in network traffic using the network fingerprint of an app, which shows what a typical connection of the app resembles. In this work, we investigate whether fingerprinting apps is feasible in the real world. We collected automatically generated data from various versions of around 500 apps and real-world data from over 65 unique users. We learn the fingerprints of the apps by training a Random Forest on the collected data. This Random Forest is used to detect app fingerprints in network traffic. We show that it is possible to build a model that can classify a specific subset of apps in network traffic. We also show that it is very hard to build a complete model that can classify all possible apps traffic due to overlapping fingerprints. Updates to apps have a significant effect on the network fingerprint, such that models should be updated every one or two months. We show that by only selecting a subset of apps it is possible to successfully classify network traffic. Various countermeasures against network traffic analysis are investigated. We show that using a VPN is not an effective countermeasure because an effective classifier can be trained on VPN data. We conclude that fingerprinting in the real world is feasible, but only on specific sets of apps.

Published

2019

38. Automated data exfiltration detection using netflow metadata

Author

Etta Tabe, Takang Kajikaw (author) and Etta Tabe, Takang Kajikaw (author)

Abstract

The volume and sophistication of data exfiltration attacks over networks have significantly increased in the last decade. This has resulted in the need for defense mechanisms, to effectively detect both known and unknown data exfiltration scenarios over the network. While methods such as DPI (Deep Packet Inspection) are commonly used to detect data exfiltrations, this mechanism requires a thorough inspection of every payload or packet going out of the network, making it unsuitable for use in some environments, as it is quite resource intensive and can lead to severe data privacy implications. In our work, we use lightweight netflows which are non-privacy invasive to detect data exfiltrations at connection-level granularity. The key intuition behind our proposed solution is that connections involved in data exfiltration tend to differentiate themselves from normal network connections based on certain feature values. The result of this research shows that features extracted from netflows such as the duration of a netflow, the source bytes, the source bytes sent per second, the source bytes sent per packet and the producer-consumer ratio can be used to effectively detect data exfiltration. Subsequently, connections are grouped using k-means, and the robust Z-score of their distances from their respective cluster centroid is used as a statistical and distance-based technique to detect connections involved in a data exfiltration. While this method detects some data exfiltration scenarios, it results in a significant number of false positives. Combining this with the results from the LOF (local outlier factor) and the LoOP (local outlier probability), which are density-based techniques, leads to a more robust model, as it significantly reduces the number of false positives and false negatives. Also, we show that using the smallest clusters formed from k-means for analysis leads to similar detection results as the entire datasets, with a significant reduction in computatio, Computer Science | Cyber Security, Computer Science | Distributed Systems

Published

2019

39. MultiProxy: a collaborative approach to censorship circumvention

Author

Shi, Gaomei (author) and Shi, Gaomei (author)

Abstract

In recent years, many countries and administrative domains exploit control over their communication infrastructures to censor online materials. The concrete reasons behind the Internet censorship remain poorly understood due to the opaque nature of the systems. Generally, Internet censorship is to disrupt the free flow of information. It involves a series of steps to stop the dissemination of information, or prevent the access to information, for example, disrupt the link between the users and providers. These technologies bring significant inconvenience for legitimate users. The goal of the thesis is to undertake a recent study to measure the behaviour of the Great Firewall of China (GFW). Based on that, this work designs a Peer-to-Peer (P2P) circumvention system called MultiProxy which exploits the blockchain-based economical model in order to create a balanced environment for resources providing and consuming. The system also uses multi-hop messaging to protect the privacy of the request initiators. The evaluation results show that MultiProxy can evade censorship while protecting users privacy., Computer Science

Published

2019

40. Development of a method for the experimental estimation of multimedia data flow rate in a computer network

Author

Sumtsov, Dmytro; Kharkiv National University of Radio Electronics Nauky ave., 14, Kharkіv, Ukraine, 61166, Osiievskyi, Serhii; Ivan Kozhedub Kharkiv University of Air Force Sumska str, 77/79, Kharkiv, Ukraine, 61023, Lebediev, Valentyn; Kharkiv National University of Radio Electronics Nauky ave., 14, Kharkіv, Ukraine, 61166, Sumtsov, Dmytro; Kharkiv National University of Radio Electronics Nauky ave., 14, Kharkіv, Ukraine, 61166, Osiievskyi, Serhii; Ivan Kozhedub Kharkiv University of Air Force Sumska str, 77/79, Kharkiv, Ukraine, 61023, and Lebediev, Valentyn; Kharkiv National University of Radio Electronics Nauky ave., 14, Kharkіv, Ukraine, 61166

Abstract

We have developed a method for the experimental estimation of rate of multimedia data stream in a computer network based on the methods of mathematical statistics. The method, in contrast to the existing ones, is based on considering the rate of multimedia data stream as a random variable that obeys the normal distribution law.When designing computer networks, in order to estimate the required throughput, mathematical streaming traffic models are applied. Such an approach is justified when the constraints of mathematical models are met, such as stationarity, ordinarity, and the absence of aftereffect for the Poisson stream of packets.Under actual conditions, estimates for characteristics of data flow, derived using existing models, may prove to be too conservative as a result of failure to comply with conditions of stationarity of the packet stream.An alternative way for solving a given task is the development of a statistical experimental method for estimating the rate of multimedia data stream in a computer network. The proposed method makes it possible to derive the values of mathematical expectation and a standard deviation in data transmission rate, as well as to estimate consistency of the hypothesis about a normal character of the distribution law of multimedia data flow rate.The experimental estimates are given for the multimedia data stream rate in a computer network at different values of resolution and frame rate of the video. These results showed that the experimental estimates exceed analytical data by 3...20 %.The values of multimedia data flow rate estimates, acquired using the proposed method, could be used to estimate the load of segments in the designed computer network, as well as to explore the throughput of segments in the existing computer network., Запропоновано метод експериментального оцінювання швидкості мультимедійного потоку даних на основі методів математичної статистики. Метод дозволяє отримати значення математичного очікування та середньоквадратичного відхилення швидкості потоку даних. Метод також дозволяє оцінити узгодженість гіпотези про нормальний характер закону розподілу швидкості мультимедійного потоку даних. Наведені експериментальні оцінки величини швидкості мультимедійного потоку даних при різних параметрах відео, Предложен метод экспериментального оценивания скорости мультимедийного потока данных на основе методов математической статистики. С помощью метода могут быть получены значения математического ожидания и среднеквадратичного отклонения скорости потока данных. Метод позволяет оценить согласованность гипотезы о нормальном характере закона распределения скорости мультимедийного потока данных. Приведены экспериментальные оценки величины скорости мультимедийного потока данных при различных параметрах видео

Published

2018

41. Limitations of passively mapping logical network topologies

Author

Akande, Ayodeji James, Fidge, Colin, Foo, Ernest, Akande, Ayodeji James, Fidge, Colin, and Foo, Ernest

Abstract

Understanding logical network connectivity is essential in network topology mapping especially in a fast growing network where knowing what is happening on the network is critical for security purposes and where knowing how network resources are being used is highly important. Mapping logical communication topology is important for network auditing, network maintenance and governance, network optimization, and network security. However, the process of capturing network traffic to generate the logical network topology may have a great influence on the operation of the network. In hierarchically structured networks such as control systems, typical active network mapping techniques are not employable as they can affect time-sensitive cyber- physical processes, hence, passive network mapping is required. Though passive network mapping does not modify or disrupt existing traffic, current passive mapping techniques ignore many practical issues when used to generate logical communication topologies. In this paper, we present a methodology which compares topologies from an idealized mapping process with what is actually achievable using passive network mapping and identify some of the factors that can cause inaccuracies in logical maps derived from passively monitored network traffic. We illustrate these factors using a case study involving a hierarchical control network.

Published

2017

42. Detecting Rare and Collective Anomalies in Network Traffic Data using Summarization

Author

Mahmood , Abdun, Engineering & Information Technology, UNSW Canberra, UNSW, Maher , Michael , Engineering & Information Technology, UNSW Canberra, UNSW, Ahmed, Mohiuddin, Engineering & Information Technology, UNSW Canberra, UNSW, Mahmood , Abdun, Engineering & Information Technology, UNSW Canberra, UNSW, Maher , Michael , Engineering & Information Technology, UNSW Canberra, UNSW, and Ahmed, Mohiuddin, Engineering & Information Technology, UNSW Canberra, UNSW

Abstract

Network anomaly detection is becoming increasingly challenging due to the amountof global Internet traffic being produced at an unprecedented rate. This thesis identifiessummarization as a key component for improving the scalability and accuracyof anomaly detection techniques. Instead of analysing a large amount of data to findanomalies, a summary of the data can be used for detection of anomalies. The goalof this thesis is to investigate three key research issues related to summarization based anomaly detection.The first research problem is identifying anomalies from large amount of data.When data size increases, the anomaly detection techniques perform poorly, due toincreasing false alarms and computational cost. Detecting anomalies from a summarycould address these issues, but existing summarization techniques cannot accuratelyrepresent the rare anomalies present in the dataset. This thesis proposes several summarization techniques based on sampling and partitional clustering that achieve significant improvement in anomaly detection accuracy and execution time over a wide range of benchmark datasets.In certain cyber-attack scenarios, such as flooding Denial of Service attacks, thedata distribution changes significantly. This forms a collective anomaly, where somesimilar kinds of normal data instances appear in abnormally large numbers. Sincethey are not rare anomalies, existing anomaly detection techniques cannot properlyidentify them. The second research problem of the thesis investigates detecting this behaviour using a number of clustering and co-clustering based techniques. Experimental evaluation demonstrates that a Hurst parameter-based technique outperforms existing collective and rare anomaly detection techniques in terms of detection accuracy and false positive rate. Solutions of the two research problems are integrated into a general summarization based anomaly detection framework.Many online applications need to process and analyse continuously arrivin

Published

2016

43. Component modeling for SCADA network mapping

Author

Parry, D, Akande, Ayodeji James, Fidge, Colin, Foo, Ernest, Parry, D, Akande, Ayodeji James, Fidge, Colin, and Foo, Ernest

Abstract

Supervisory Control and Data Acquisition systems (SCADA) are widely used to control critical infrastructure automatically. Capturing and analyzing packet-level traffic flowing through such a network is an essential requirement for problems such as legacy network mapping and fault detection. Within the framework of captured network traffic, we present a simple modeling technique, which supports the mapping of the SCADA network topology via traffic monitoring. By characterizing atomic network components in terms of their input-output topology and the relationship between their data traffic logs, we show that these modeling primitives have good compositional behaviour, which allows complex networks to be modeled. Finally, the predictions generated by our model are found to be in good agreement with experimentally obtained traffic.

Published

2015

44. The zombies strike back: Towards client-side beef detection

Author

Chernyshev, Maxim, Hannay, Peter, Chernyshev, Maxim, and Hannay, Peter

Abstract

A web browser is an application that comes bundled with every consumer operating system, including both desktop and mobile platforms. A modern web browser is complex software that has access to system-level features, includes various plugins and requires the availability of an Internet connection. Like any multifaceted software products, web browsers are prone to numerous vulnerabilities. Exploitation of these vulnerabilities can result in destructive consequences ranging from identity theft to network infrastructure damage. BeEF, the Browser Exploitation Framework, allows taking advantage of these vulnerabilities to launch a diverse range of readily available attacks from within the browser context. Existing defensive approaches aimed at hardening network perimeters and detecting common threats based on traffic analysis have not been found successful in the context of BeEF detection. This paper presents a proof-of-concept approach to BeEF detection in its own operating environment – the web browser – based on global context monitoring, abstract syntax tree fingerprinting and real-time network traffic analysis.

Published

2014

45. Association hierarchy mining and its application for network traffic characterisation

Author

Liu, Bin and Liu, Bin

Abstract

This thesis presents an association rule mining approach, association hierarchy mining (AHM). Different to the traditional two-step bottom-up rule mining, AHM adopts one-step top-down rule mining strategy to improve the efficiency and effectiveness of mining association rules from datasets. The thesis also presents a novel approach to evaluate the quality of knowledge discovered by AHM, which focuses on evaluating information difference between the discovered knowledge and the original datasets. Experiments performed on the real application, characterizing network traffic behaviour, have shown that AHM achieves encouraging performance.

Published

2014

46. The zombies strike back: Towards client-side BeEFdetection

Author

Chernyshev, Maxim, Hannay, Peter, Chernyshev, Maxim, and Hannay, Peter

Abstract

A web browser is an application that comes bundled with every consumer operating system, including both desktop and mobile platforms. A modern web browser is complex software that has access to system-level features, includes various plugins and requires the availability of an Internet connection. Like any multifaceted software products, web browsers are prone to numerous vulnerabilities. Exploitation of these vulnerabilities can result in destructive consequences ranging from identity theft to network infrastructure damage. BeEF, the Browser Exploitation Framework, allows taking advantage of these vulnerabilities to launch a diverse range of readily available attacks from within the browser context. Existing defensive approaches aimed at hardening network perimeters and detecting common threats based on traffic analysis have not been found successful in the context of BeEF detection. This paper presents a proof-of-concept approach to BeEF detection in its own operating environment – the web browser – based on global context monitoring, abstract syntax tree fingerprinting and real-time network traffic analysis.

Published

2014

47. The zombies strike back: Towards client-side BeEF detection

Author

Chernyshev, Maxim, Hannay, Peter, Chernyshev, Maxim, and Hannay, Peter

Abstract

A web browser is an application that comes bundled with every consumer operating system, including both desktop and mobile platforms. A modern web browser is complex software that has access to system-level features, includes various plugins and requires the availability of an Internet connection. Like any multifaceted software products, web browsers are prone to numerous vulnerabilities. Exploitation of these vulnerabilities can result in destructive consequences ranging from identity theft to network infrastructure damage. BeEF, the Browser Exploitation Framework, allows taking advantage of these vulnerabilities to launch a diverse range of readily available attacks from within the browser context. Existing defensive approaches aimed at hardening network perimeters and detecting common threats based on traffic analysis have not been found successful in the context of BeEF detection. This paper presents a proof-of-concept approach to BeEF detection in its own operating environment – the web browser – based on global context monitoring, abstract syntax tree fingerprinting and real-time network traffic analysis.

Published

2014

48. The zombies strike back: Towards client-side BeEF detection

Author

Chernyshev, Maxim, Hannay, Peter, Chernyshev, Maxim, and Hannay, Peter

Abstract

A web browser is an application that comes bundled with every consumer operating system, including both desktop and mobile platforms. A modern web browser is complex software that has access to system-level features, includes various plugins and requires the availability of an Internet connection. Like any multifaceted software products, web browsers are prone to numerous vulnerabilities. Exploitation of these vulnerabilities can result in destructive consequences ranging from identity theft to network infrastructure damage. BeEF, the Browser Exploitation Framework, allows taking advantage of these vulnerabilities to launch a diverse range of readily available attacks from within the browser context. Existing defensive approaches aimed at hardening network perimeters and detecting common threats based on traffic analysis have not been found successful in the context of BeEF detection. This paper presents a proof-of-concept approach to BeEF detection in its own operating environment – the web browser – based on global context monitoring, abstract syntax tree fingerprinting and real-time network traffic analysis.

Published

2014

49. File Detection on Network Traffic Using Approximate Matching

Author

Breitinger, Frank, Baggili, Ibrahim, Breitinger, Frank, and Baggili, Ibrahim

Abstract

In recent years, Internet technologies changed enormously and allow faster Internet connections, higher data rates and mobile usage. Hence, it is possible to send huge amounts of data / files easily which is often used by insiders or attackers to steal intellectual property. As a consequence, data leakage prevention systems (DLPS) have been developed which analyze network traffic and alert in case of a data leak. Although the overall concepts of the detection techniques are known, the systems are mostly closed and commercial. Within this paper we present a new technique for network traffic analysis based on approximate matching (a.k.a fuzzy hashing) which is very common in digital forensics to correlate similar files. This paper demonstrates how to optimize and apply them on single network packets. Our contribution is a straightforward concept which does not need a comprehensive configuration: hash the file and store the digest in the database. Within our experiments we obtained false positive rates between 10−4 and 10−5 and an algorithm throughput of over 650 Mbit/s.

Published

2014

50. A hybrid association rule mining approach for characterizing network traffic behaviour

Author

Liu, Bin, Li, Yuefeng, Liu, Bin, and Li, Yuefeng

Abstract

Understanding network traffic behaviour is crucial for managing and securing computer networks. One important technique is to mine frequent patterns or association rules from analysed traffic data. On the one hand, association rule mining usually generates a huge number of patterns and rules, many of them meaningless or user-unwanted; on the other hand, association rule mining can miss some necessary knowledge if it does not consider the hierarchy relationships in the network traffic data. Aiming to address such issues, this paper proposes a hybrid association rule mining method for characterizing network traffic behaviour. Rather than frequent patterns, the proposed method generates non-similar closed frequent patterns from network traffic data, which can significantly reduce the number of patterns. This method also proposes to derive new attributes from the original data to discover novel knowledge according to hierarchy relationships in network traffic data and user interests. Experiments performed on real network traffic data show that the proposed method is promising and can be used in real applications. Copyright2013 John Wiley & Sons, Ltd.

Published

2013