IDS rule management made easy
Karlstad University, Faculty of Health, Science and Technology (from 2013), Department of Mathematics and Computer Science (from 2013). (PriSec) ORCID iD: 0000-0001-9886-6651
Karlstad University, Faculty of Health, Science and Technology (from 2013), Department of Mathematics and Computer Science (from 2013). (PriSec) ORCID iD: 0000-0003-0778-4736
2016 (English) In: Electronics, Computers and Artificial Intelligence (ECAI), 2016 8th International Conference on, IEEE, 2016. Conference paper, published paper (refereed)
Abstract [en]

Signature-based intrusion detection systems (IDSs) are commonly utilized in enterprise networks to detect and possibly block a wide variety of attacks. Their application in industrial control systems (ICSs) is also growing rapidly as modern ICSs increasingly use open standard protocols instead of proprietary ones. Due to an ever-changing threat landscape, the rulesets used by these IDSs have grown large and there is no way to verify their precision or accuracy. Such broad and non-optimized rulesets lead to false positives and an unnecessary burden on the IDS, resulting in possible degradation of the security. This work proposes a methodology consisting of a set of tools to help optimize the IDS rulesets and make rule management easier. The work also provides attack traffic data that is expected to benefit the task of IDS assessment.
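The abstract names the problem (large, unverified rulesets that fire redundantly) but, as an abstract, gives no detail of the tooling. The Python below is an added illustration written for this page, not the paper's tools: it parses a small constructed set of Snort-style rules, reports rules whose alert is always implied by a broader rule (a redundancy check that explains one source of duplicate alerts), and synthesizes a minimal payload from each rule's content options so that a rule can be re-tested after the ruleset is edited. The ruleset, sids, messages and port numbers are made up; only the `content`, `nocase`, `offset` and `depth` options are modelled, and header fields other than `any` are compared as opaque strings.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample ruleset (illustration only, not the paper's data). Rule 1000003
# repeats the single content match of 1000001 on a broader port, and 1000002 adds a
# second content to 1000001, so 1000001 and 1000002 can never fire without 1000003.
SAMPLE_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe dir listing"; content:"cmd.exe"; nocase; content:"/c+dir"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB cmd.exe any port"; content:"cmd.exe"; nocase; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"MODBUS write single coil"; content:"|00 00 00 06|"; offset:2; depth:4; content:"|05|"; sid:1000004; rev:1;)
'''

@dataclass(frozen=True)
class Content:
    value: bytes
    nocase: bool = False
    offset: Optional[int] = None
    depth: Optional[int] = None

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    sid: int
    msg: str
    contents: Tuple[Content, ...]

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# Split the option body on ';' only outside double quotes (escaped quotes are not handled).
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def decode_content(raw: str) -> bytes:
    """Decode a Snort content string: literal text with |hex bytes| sections."""
    out = bytearray()
    for i, part in enumerate(raw.strip().strip('"').split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)

def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f'not a rule: {line!r}')
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    sid, msg, contents, cur = 0, '', [], None
    for opt in OPT_SPLIT.split(body):
        key, _, val = (s.strip() for s in opt.strip().partition(':'))
        if key == 'content':
            if cur is not None:
                contents.append(cur)
            cur = Content(decode_content(val))
        elif key == 'nocase' and cur is not None:
            cur = replace(cur, nocase=True)          # modifier applies to the preceding content
        elif key in ('offset', 'depth') and cur is not None:
            cur = replace(cur, **{key: int(val)})
        elif key == 'sid':
            sid = int(val)
        elif key == 'msg':
            msg = val.strip('"')
    if cur is not None:
        contents.append(cur)
    return Rule(action, proto, src, sport, direction, dst, dport, sid, msg, tuple(contents))

def load_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]

def header_covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matching narrow's header also matches broad's header."""
    if (broad.proto, broad.direction) != (narrow.proto, narrow.direction):
        return False
    return all(getattr(broad, f) in ('any', getattr(narrow, f)) for f in ('src', 'sport', 'dst', 'dport'))

def find_subsumed(rules: List[Rule]) -> Dict[int, List[int]]:
    """sid -> sids of rules that fire whenever this rule fires (exact duplicates list each
    other). These are the candidates for merging, or for tightening the broader rule."""
    result: Dict[int, List[int]] = {}
    for a in rules:
        for b in rules:
            if a is not b and header_covers(b, a) and set(b.contents) <= set(a.contents):
                result.setdefault(a.sid, []).append(b.sid)
    return {sid: sorted(v) for sid, v in result.items()}

def synth_payload(rule: Rule) -> bytes:
    """Minimal payload satisfying each content option in order (honours offset only)."""
    buf = bytearray()
    for c in rule.contents:
        if c.offset is not None and len(buf) < c.offset:
            buf += b'\x00' * (c.offset - len(buf))
        buf += c.value
    return bytes(buf)

def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Evaluate the content/nocase/offset/depth options of a rule against a payload."""
    for c in rule.contents:
        start = c.offset or 0
        window = payload[start: None if c.depth is None else start + c.depth]
        needle = c.value
        if c.nocase:
            window, needle = window.lower(), needle.lower()
        if needle not in window:
            return False
    return True

if __name__ == '__main__':
    rules = load_rules(SAMPLE_RULES)
    for sid, by in find_subsumed(rules).items():
        print(f'sid {sid} is subsumed by {by}')
    for r in rules:
        p = synth_payload(r)
        print(f'sid {r.sid}: payload {p!r} matches={rule_matches(r, p)}')
```

The subsumption test is deliberately conservative: a content with `offset`/`depth` is a different atom from the same bytes without them, so the Modbus rule is never reported against the HTTP rules. Real Snort rules carry many more modifiers (`distance`, `within`, `pcre`, `flow`), each of which would need the same treatment before the check could be trusted on a production ruleset.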

Place, publisher, year, edition, pages
IEEE, 2016.
Series
International Conference on Electronics Computers and Artificial Intelligence, ISSN 2378-7147
National subject category
Computer Science
Identifiers
URN: urn:nbn:se:kau:diva-48016
DOI: 10.1109/ECAI.2016.7861119
ISI: 000402541200055
ISBN: 978-1-5090-2048-5 (print)
ISBN: 978-1-5090-2047-8 (digital)
OAI: oai:DiVA.org:kau-48016
DiVA id: diva2:1076856
Conference
8th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), 30 June-2 July 2016, Ploiesti, Romania
Project
HITS, 4707
Research funder
KK-stiftelsen (The Knowledge Foundation)
Available from: 2017-02-24 Created: 2017-02-24 Last updated: 2020-01-14 Bibliographically approved
Part of thesis
1. Towards Secure Multipath TCP Communication
2017 (English) Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

The evolution in networking coupled with an increasing demand to improve user experience has led to different proposals to extend the standard TCP. Multipath TCP (MPTCP) is one such extension that has the potential to overcome a few inherent limitations in the standard TCP. While MPTCP's design and deployment progresses, most of the focus has been on its compatibility. The security aspect is confined to making sure that the MPTCP protocol itself offers the same security level as the standard TCP.

The topic of this thesis is to investigate the unexpected security implications raised by using MPTCP in the traditional networking environment. The Internet of today has security middle-boxes that perform traffic analysis to detect intrusions and attacks. Such middle-boxes make use of different assumptions about the traffic, e.g., traffic from a single connection always arrives along the same path. This along with many other assumptions may not be true anymore with the advent of MPTCP as traffic can be fragmented and sent over multiple paths simultaneously.

We investigate how practical it is to evade a security middle-box by fragmenting and sending traffic across multiple paths using MPTCP. Realistic attack traffic is used to evaluate such attacks against Snort IDS to show that these attacks are feasible. We then go on to propose possible solutions to detect such attacks and implement them in an MPTCP proxy. The proxy aims to extend the MPTCP performance advantages to servers that only support standard TCP, while ensuring that intrusions can be detected as before. Finally, we investigate the potential MPTCP scenario where security middle-boxes only have access to some of the traffic. We propose and implement an algorithm to perform intrusion detection in such situations and achieve a nearly 90% detection accuracy. Another contribution of this work is a tool that converts IDS rules into equivalent attack traffic to automate the evaluation of a middle-box.

Abstract [en]

Multipath TCP (MPTCP) is an extension to standard TCP that is close to being standardized. The design of the protocol is progressing, but most of the focus has so far been on its compatibility. The security aspect is confined to making sure that the MPTCP protocol itself offers the same security level as standard TCP. The topic of this thesis is to investigate the unexpected security implications raised by using MPTCP in a traditional networking environment. Today, the security middleboxes make use of different assumptions that may not be true anymore with the advent of MPTCP. We investigate how practical it is to evade a security middlebox by fragmenting and sending traffic across multiple paths using MPTCP. Realistic attack traffic generated from a tool that is also presented in this thesis is used to show that these attacks are feasible. We then go on to propose possible solutions to detect such attacks and implement them in an MPTCP proxy. The proxy aims to extend secure MPTCP performance advantages. We also investigate the MPTCP scenario where security middleboxes can only observe some of the traffic. We propose and implement an algorithm to perform intrusion detection in such situations and achieve a high detection accuracy.
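The two abstracts above describe why a signature-based middlebox fails when an MPTCP connection is split across paths it does not all see, and list "edit-distance" among the keywords, but do not spell out the detection algorithm. The Python below is an added example written for this page, not the thesis's implementation or its proxy: it reconstructs what a middlebox on one subflow would see of a constructed attack request, shows that exact content matching then fails, and applies approximate substring matching (Sellers' algorithm, the edit distance between a pattern and the best-aligned substring of the observed stream) with a tolerance proportional to the pattern length. The request, the segment boundaries, the rule content and the 0.3 tolerance are all assumptions made for the illustration.

```python
from typing import List, Tuple

# Constructed sample (not data from the thesis): one attack request split into four
# segments carried alternately over MPTCP subflows A and B. The middlebox sees only A.
FULL = b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.0\r\n"
SEGMENTS: List[Tuple[int, int, str]] = [(0, 15, "A"), (15, 18, "B"), (18, 31, "A"), (31, len(FULL), "B")]
PATTERN = b"cmd.exe?/c+dir"              # content of a hypothetical signature rule
BENIGN = b"GET /index.html HTTP/1.0\r\n"  # constructed non-attack request

def observed_on(path: str) -> bytes:
    """Bytes a middlebox on `path` can reassemble; the other subflow's bytes are simply absent,
    so the stream it sees is the attack with holes, not a reordered copy of it."""
    return b"".join(FULL[s:e] for s, e, p in SEGMENTS if p == path)

def approx_substring_distance(pattern: bytes, text: bytes) -> int:
    """Smallest Levenshtein distance between `pattern` and any substring of `text`.
    Sellers' algorithm: row 0 is all zeros so an alignment may start at any text offset,
    and the answer is the minimum of the last row so it may end anywhere."""
    n = len(text)
    prev = [0] * (n + 1)
    for i, p in enumerate(pattern, start=1):
        cur = [i] + [0] * n                       # pattern prefix vs empty text: i deletions
        for j, t in enumerate(text, start=1):
            cur[j] = min(prev[j] + 1,             # pattern byte missing from the stream
                         cur[j - 1] + 1,          # extra byte in the stream
                         prev[j - 1] + (p != t))  # match (0) or substitution (1)
        prev = cur
    return min(prev)

def detect(pattern: bytes, observed: bytes, max_ratio: float = 0.3) -> Tuple[bool, int]:
    """Alert when the best alignment needs at most max_ratio * len(pattern) edits.
    Returns (alert, distance) so the caller can log the score behind the decision."""
    d = approx_substring_distance(pattern, observed)
    return d <= max_ratio * len(pattern), d

if __name__ == "__main__":
    seen = observed_on("A")
    print("seen on path A:", seen)
    print("exact match on partial stream:", PATTERN in seen)
    print("approximate match on partial stream:", detect(PATTERN, seen))
    print("approximate match on full stream:", detect(PATTERN, FULL))
    print("approximate match on benign request:", detect(PATTERN, BENIGN))
```

On the partial stream the exact check fails while the approximate one alerts at distance 3 of 14; the benign request stays well above the tolerance. The tolerance is the whole trade-off: raising it recovers more of the bytes lost to the unseen path but lets more unrelated traffic within reach of a short pattern, so it has to be tuned per pattern length against representative benign traffic, and the O(len(pattern) x len(stream)) dynamic program shown here would need a banded or bit-parallel variant before running at line rate.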

Place, publisher, year, edition, pages
Karlstad: Karlstad University, 2017. p. 91
Series
Karlstad University Studies, ISSN 1403-8099 ; 2017:12
Keywords
network security, MPTCP, TCP, IDS, snort, edit-distance
National subject category
Computer Science
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-48172 (URN)
978-91-7063-763-6 (ISBN)
978-91-7063-764-3 (ISBN)
Presentation
2017-04-28, 1B364, Karlstad, 13:00 (English)
Project
HITS
Available from: 2017-04-10 Created: 2017-03-17 Last updated: 2019-12-02 Bibliographically approved
2. Life of a Security Middlebox: Challenges with Emerging Protocols and Technologies
2020 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The Internet of today has intermediary devices known as middleboxes that perform more functions than the normal packet forwarding function of a router. Security middleboxes are a subset of these middleboxes and face an increasingly difficult task to perform their functions correctly. These middleboxes make many assumptions about the traffic that may not hold true any longer with the advent of new protocols such as MPTCP and technologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challenges they face. We develop methods and solutions to help these security middleboxes continue to function correctly. In particular, we investigate the case of using MPTCP over traditional security infrastructure as well as the case of end-to-end encryption. We study how practical it is to evade a security middlebox by fragmenting and sending traffic across multiple paths using MPTCP. We then go on to propose possible solutions to detect such attacks and implement them. The potential MPTCP scenario where security middleboxes only have access to part of the traffic is also investigated and addressed. Moreover, the thesis contributes a machine learning based approach to help security middleboxes detect malware in encrypted traffic without decryption.

Abstract [en]

The Internet of today has intermediary devices known as middleboxes that perform more functions than the normal packet forwarding function of a router. Security middleboxes are a subset of these middleboxes and face an increasingly difficult task to perform their functions correctly in the wake of emerging protocols and technologies on the Internet. Security middleboxes make many assumptions about the traffic, e.g., they assume that traffic from a single connection always arrives over the same path and they often expect to observe plaintext data. These along with many other assumptions may not hold true any longer with the advent of new protocols such as MPTCP and technologies like end-to-end encryption.

The work in this thesis focuses on security middleboxes and the challenges they face in performing their functions in an evolving Internet where new networking protocols and technologies are regularly introduced. We develop methods and solutions to help these security middleboxes continue to function correctly. In particular, we investigate the case of using MPTCP over traditional security infrastructure as well as the case of end-to-end encryption.

We study how practical it is to evade a security middlebox by fragmenting and sending traffic across multiple paths using MPTCP. Attack traffic that is generated from a self-developed tool is used to evaluate such attacks to show that these attacks are feasible. We then go on to propose possible solutions to detect such attacks and implement them. The potential MPTCP scenario where security middleboxes only have access to part of the traffic is also investigated. Furthermore, we propose and implement an algorithm to perform intrusion detection in such situations. Moreover, the thesis contributes a machine learning based approach to help security middleboxes detect malware in encrypted traffic without decryption.

Place, publisher, year, edition, pages
Karlstad: Karlstad University, 2020. p. 26
Series
Karlstad University Studies, ISSN 1403-8099 ; 2020:10
Keywords
network security, TCP, MPTCP, IDS, Snort, edit-distance, encryption
National subject category
Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-76291 (URN)
978-91-7867-093-2 (ISBN)
978-91-7867-103-8 (ISBN)
Public defence
2020-02-28, 21A342, Eva Erikssonsalen, Karlstad, 10:15 (English)
Available from: 2020-02-05 Created: 2020-01-14 Last updated: 2020-02-05 Bibliographically approved

Open Access in DiVA
No full text in DiVA

Person records
Afzal, Zeeshan; Lindskog, Stefan
