Mapping out the Key Security Components in Relational Databases (MK-SCoRe) : Enhancing the Security of Relational Database Technology / Kartläggning av Nyckelkomponenter för Säkerhet i Relationsdatabaser (MK-SCoRe) : Förbättring av Säkerheten i Relationsdatabasteknik

Alobaidi, Murtadha, Trabulsiah, Abdullah

January 2024

Relational database security has become an increasingly important issue for organizations worldwide in the current era of data-driven operations. The urgent need for an extensive knowledge of relational database security components in relational databases is addressed in this thesis. Database security is constantly improving, but there is still a lack of research that analyzes these important factors. Because of this gap, databases are not sufficiently secured from new cyber threats, which endangers its accessibility, confidentiality, and integrity. The problem that the thesis addresses is the lack of comprehensive research covering all key security components in relational databases which, presents a challenge for organizations seeking to comprehensively secure their database systems. The purpose of this thesis is to systematically map the key security components essential to relational databases. The goal is to assist organizations and Database professionals to secure their relational databases against diverse cyber threats. Using a qualitative and exploratory methodology, the research analyzes a wide range of literature on database security. The research offers a balanced and comprehensive perspective on the current security landscape in relational databases by integrating theoretical study with structured interviews. This method guarantees that all essential security components is fully investigated. The results of this thesis involve a detailed mapping of the key security components within relational databases, which are uniquely informed by a combination of academic research and empirical findings from structured interviews with Database security experts. This thesis analyzes these security components based on how well they address current security threats, how well they secure databases, and how well they can adapt to different organizational needs. / Säkerhet i relationsdatabaser har blivit en allt viktigare fråga för organisationer världen över i den nuvarande eran av datadriven verksamhet. I den här avhandlingen behandlas det akuta behovet av en omfattande kunskap om säkerhetskomponenter för relationsdatabaser i relationsdatabaser. Databassäkerheten förbättras ständigt, men det finns fortfarande en brist på forskning som analyserar dessa viktiga faktorer. På grund av denna brist är databaser inte tillräckligt skyddade mot nya cyberhot, vilket äventyrar deras tillgänglighet, konfidentialitet och integritet. Problemet som avhandlingen tar upp är bristen på omfattande forskning som täcker alla viktiga säkerhetskomponenter i relationsdatabaser, vilket utgör en utmaning för organisationer som vill säkra sina databassystem på ett heltäckande sätt. Syftet med denna avhandling är att systematiskt kartlägga de viktigaste säkerhetskomponenterna som är väsentliga för relationsdatabaser. Målet är att hjälpa organisationer och databasspecialister att säkra sina relationsdatabaser mot olika cyberhot. Med hjälp av en kvalitativ och explorativ metod analyseras ett brett spektrum av litteratur om databassäkerhet. Forskningen erbjuder ett balanserat och omfattande perspektiv på det nuvarande säkerhetslandskapet i relationsdatabaser genom att integrera teoretiska studier med strukturerade intervjuer. Denna metod garanterar att alla väsentliga säkerhetskomponenter undersöks fullständigt. Resultatet av denna avhandling innebär en detaljerad kartläggning av de viktigaste säkerhetskomponenterna inom relationsdatabaser, som är unikt informerade av en kombination av akademisk forskning och empiriska resultat från strukturerade intervjuer med databassäkerhetsexperter. Denna avhandling analyserar dessa säkerhetskomponenter utifrån hur väl de hanterar aktuella säkerhetshot, hur väl de säkrar databaser och hur väl de kan anpassas till olika organisatoriska behov.

Relational Database Security

Database Security

Cyber Threats

Data Protection

Access Control

Database Vulnerabilities

Encryption

Network Security.

Säkerhet i Relationsdatabaser

Databassäkerhet

Cyberhot

Datasäkerhet

Åtkomstkontroll

Sårbarheter i Databaser

Kryptering

Nätverkssäkerhet.

Computer and Information Sciences

Data- och informationsvetenskap

Data-Driven Computing and Networking Solution for Securing Cyber-Physical Systems

Yifu Wu (18498519)

03 May 2024

<p dir="ltr">In recent years, a surge in data-driven computation has significantly impacted security analysis in cyber-physical systems (CPSs), especially in decentralized environments. This transformation can be attributed to the remarkable computational power offered by high-performance computers (HPCs), coupled with advancements in distributed computing techniques and sophisticated learning algorithms like deep learning and reinforcement learning. Within this context, wireless communication systems and decentralized computing systems emerge as highly suitable environments for leveraging data-driven computation in security analysis. Our research endeavors have focused on exploring the vast potential of various deep learning algorithms within the CPS domains. We have not only delved into the intricacies of existing algorithms but also designed novel approaches tailored to the specific requirements of CPSs. A pivotal aspect of our work was the development of a comprehensive decentralized computing platform prototype, which served as the foundation for simulating complex networking scenarios typical of CPS environments. Within this framework, we harnessed deep learning techniques such as restricted Boltzmann machine (RBM) and deep convolutional neural network (DCNN) to address critical security concerns such as the detection of Quality of Service (QoS) degradation and Denial of Service (DoS) attacks in smart grids. Our experimental results showcased the superior performance of deep learning-based approaches compared to traditional pattern-based methods. Additionally, we devised a decentralized computing system that encompassed a novel decentralized learning algorithm, blockchain-based learning automation, distributed storage for data and models, and cryptography mechanisms to bolster the security and privacy of both data and models. Notably, our prototype demonstrated excellent efficacy, achieving a fine balance between model inference performance and confidentiality. Furthermore, we delved into the integration of domain knowledge from CPSs into our deep learning models. This integration shed light on the vulnerability of these models to dedicated adversarial attacks. Through these multifaceted endeavors, we aim to fortify the security posture of CPSs while unlocking the full potential of data-driven computation in safeguarding critical infrastructures.</p>

System and network security

Networking and communications

Cyber-physical system security

Deep Learning

Network attack

False Data detection

Adversarial Attack

Power System

decentralized computation

Software Supply Chain Security: Attacks, Defenses, and the Adoption of Signatures

Taylor R Schorlemmer (14674685)

27 April 2024

<p dir="ltr">Modern software relies heavily on third-party dependencies (often distributed via public package registries), making software supply chain attacks a growing threat. Prior work investigated attacks and defenses, but only taxonomized attacks or proposed defensive techniques, did not consistently define software supply chain attacks, and did not provide properties to assess the security of software supply chains. We do not have a unified definition of software supply chain attacks nor a set of properties that a secure software supply chain should follow.</p><p dir="ltr">Guaranteeing authorship in a software supply chain is also a challenge. Package maintainers can guarantee package authorship through software signing. However, it is unclear how common this practice is or if existing signatures are created properly. Prior work provided raw data on registry signing practices, but only measured single platforms, did not consider quality, did not consider time, and did not assess factors that may influence signing. We do not have up-to-date measurements of signing practices nor do we know the quality of existing signatures. Furthermore, we lack a comprehensive understanding of factors that influence signing adoption.</p><p dir="ltr">This thesis addresses these gaps. First, we systematize existing knowledge into: (1) a four-stage supply chain attack pattern; and (2) a set of properties for secure supply chains (transparency, validity, and separation). Next, we measure current signing quantity and quality across three kinds of package registries: traditional software (Maven Central, PyPI), container images (Docker Hub), and machine learning models (Hugging Face). Then, we examine longitudinal trends in signing practices. Finally, we use a quasi-experiment to estimate the effect that various factors had on software signing practices.</p><p dir="ltr">To summarize the findings of our quasi-experiment: (1) mandating signature adoption improves the quantity of signatures; (2) providing dedicated tooling improves the quality of signing; (3) getting started is the hard part — once a maintainer begins to sign, they tend to continue doing so; and (4) although many supply chain attacks are mitigable via signing, signing adoption is primarily affected by registry policy rather than by public knowledge of attacks, new engineering standards, etc. These findings highlight the importance of software package registry managers and signing infrastructure.</p>

System and network security

Empirical software engineering

software supply chain

signing

software signing

digital signature

cybersecurity

software supply chain attack

cryptography

quasi experiment

empirical software engineering

provenance

package registry

software reuse

Towards Representation Learning for Robust Network Intrusion Detection Systems

Ryan John Hosler (18369510)

03 June 2024

<p dir="ltr">This research involves numerous network intrusion techniques through novel applications of graph representation learning and image representation learning. The methods are tested on multiple publicly available network flow datasets.</p>

System and network security

Deep learning

Neural networks

Graph Representation Model

image embedding

Network intrusion detection framework

Android malware analysis and detection

autoencoder neural networks

Wasserstein Generative Adversarial ...

deep graph convolutional neural networks

network flow modelling

Anomaly Detection in Hard Real-Time Embedded Systems

Boakye Dankwa (19752255)

30 September 2024

<p dir="ltr">Lessons learned in protecting desktop computers, servers, and cloud systems from cyberattacks have not translated to embedded systems easily. Yet, embedded systems impact our lives in many ways and are subject to similar risks. In particular, real-time embedded systems are computer systems controlling critical physical processes in industrial controllers, avionics, engine control systems, etc. Attacks have been reported on real-time embedded systems, some with devastating outcomes on the physical processes. Detecting intrusions in real-time is a prerequisite to an effective response to ensure resilience to damaging attacks. In anomaly detection methods, researchers typically model expected program behavior and detect deviations. This approach has the advantage of detecting zero-day attacks compared to signature-based intrusion detection methods; however, existing anomaly detection approaches suffer high false-positive rates and incur significant performance overhead caused by code instrumentation, making them impractical for hard real-time embedded systems, which must meet strict temporal constraints.</p><p dir="ltr">This thesis presents a hardware-assisted anomaly detection approach that uses an automaton to model valid control-flow transfers in hard real-time systems without code instrumentation. The approach relies on existing hardware mechanisms to capture and export runtime control-flow data for runtime verification without the need for code instrumentation, thereby preserving the temporal properties of the target program. We implement a prototype of the mechanism on the Xilinx Zynq Ultrascale+ platform and empirically demonstrate precise detection of control-flow hijacking attacks with negligible (0.18%) performance overhead without false alarms using a real-time variant of the well-known RIPE benchmark we developed for this work. We further empirically demonstrate via schedulability analysis that protecting a real-time program with the proposed anomaly detection mechanism preserves the program’s temporal constraints.</p>

Software and application security

System and network security

Anomaly Detection

Intrusion Detection

Control-Flow Integrity

Embedded Systems

Hard Real-Time Systems

Hard Real-Time Schedulability

Security Evaluation Tool

Baremetal Embedded Systems

Hardware Assisted

ARM CoreSight

Consensus and analia: new challenges in detection and management of security vulnerabilities in data networks

Corral Torruella, Guiomar

10 September 2009

A mesura que les xarxes passen a ser un element integral de les corporacions, les tecnologies de seguretat de xarxa es desenvolupen per protegir dades i preservar la privacitat. El test de seguretat en una xarxa permet identificar vulnerabilitats i assegurar els requisits de seguretat de qualsevol empresa. L'anàlisi de la seguretat permet reconèixer informació maliciosa, tràfic no autoritzat, vulnerabilitats de dispositius o de la xarxa, patrons d'intrusió, i extreure conclusions de la informació recopilada en el test. Llavors, on està el problema? No existeix un estàndard de codi obert ni un marc integral que segueixi una metodologia de codi obert per a tests de seguretat, la informació recopilada després d'un test inclou moltes dades, no existeix un patró exacte i objectiu sobre el comportament dels dispositius de xarxa ni sobre les xarxes i, finalment, el nombre de vulnerabilitats potencials és molt extens. El desafiament d'aquest domini resideix a tenir un gran volum de dades complexes, on poden aparèixer diagnòstics inconsistents. A més, és un domini no supervisat on no s'han aplicat tècniques d'aprenentatge automàtic anteriorment. Per això cal una completa caracterització del domini. Consensus és l'aportació principal d'aquesta tesi: un marc integrat que inclou un sistema automatitzat per millorar la realització de tests en una xarxa i l'anàlisi de la informació recollida. El sistema automatitza els mecanismes associats a un test de seguretat i minimitza la durada de l'esmentat test, seguint la metodologia OSSTMM. Pot ser usat en xarxes cablejades i sense fils. La seguretat es pot avaluar des d'una perspectiva interna, o bé externa a la pròpia xarxa. Es recopilen dades d'ordinadors, routers, firewalls i detectors d'intrusions. Consensus gestionarà les dades a processar per analistes de seguretat. Informació general i específica sobre els seus serveis, sistema operatiu, la detecció de vulnerabilitats, regles d'encaminament i de filtrat, la resposta dels detectors d'intrusions, la debilitat de les contrasenyes, i la resposta a codi maliciós o a atacs de denegació de servei són un exemple de les dades a emmagatzemar per cada dispositiu. Aquestes dades són recopilades per les eines de test incloses a Consensus.La gran quantitat de dades per cada dispositiu i el diferent número i tipus d'atributs que els caracteritzen, compliquen l'extracció manual d'un patró de comportament. Les eines de test automatitzades poden obtenir diferents resultats sobre el mateix dispositiu i la informació recopilada pot arribar a ser incompleta o inconsistent. En aquest entorn sorgeix la segona principal aportació d'aquesta tesi: Analia, el mòdul d'anàlisi de Consensus. Mentre que Consensus s'encarrega de recopilar dades sobre la seguretat dels dispositius, Analia inclou tècniques d'Intel·ligència Artificial per ajudar als analistes després d'un test de seguretat. Diferents mètodes d 'aprenentatge no supervisat s'han analitzat per ser adaptats a aquest domini. Analia troba semblances dins dels dispositius analitzats i l'agrupació dels esmentats dispositius ajuda als analistes en l'extracció de conclusions. Les millors agrupacions són seleccionades mitjançant l'aplicació d'índexs de validació. A continuació, el sistema genera explicacions sobre cada agrupació per donar una resposta més detallada als analistes de seguretat.La combinació de tècniques d'aprenentatge automàtic en el domini de la seguretat de xarxes proporciona beneficis i millores en la realització de tests de seguretat mitjançant la utilització del marc integrat Consensus i el seu sistema d'anàlisi de resultats Analia. / A medida que las redes pasan a ser un elemento integral de las corporaciones, las tecnologías de seguridad de red se desarrollan para proteger datos y preservar la privacidad. El test de seguridad en una red permite identificar vulnerabilidades y asegurar los requisitos de seguridad de cualquier empresa. El análisis de la seguridad permite reconocer información maliciosa, tráfico no autorizado, vulnerabilidades de dispositivos o de la red, patrones de intrusión, y extraer conclusiones de la información recopilada en el test. Entonces, ¿dónde está el problema? No existe un estándar de código abierto ni un marco integral que siga una metodología de código abierto para tests de seguridad, la información recopilada después de un test incluye muchos datos, no existe un patrón exacto y objetivo sobre el comportamiento de los dispositivos de red ni sobre las redes y, finalmente, el número de vulnerabilidades potenciales es muy extenso. El desafío de este dominio reside en tener un gran volumen de datos complejos, donde pueden aparecer diagnósticos inconsistentes. Además, es un dominio no supervisado donde no se han aplicado técnicas de aprendizaje automático anteriormente. Por ello es necesaria una completa caracterización del dominio.Consensus es la aportación principal de esta tesis: un marco integrado que incluye un sistema automatizado para mejorar la realización de tests en una red y el análisis de la información recogida. El sistema automatiza los mecanismos asociados a un test de seguridad y minimiza la duración de dicho test, siguiendo la metodología OSSTMM. Puede ser usado en redes cableadas e inalámbricas. La seguridad se puede evaluar desde una perspectiva interna, o bien externa a la propia red. Se recopilan datos de ordenadores, routers, firewalls y detectores de intrusiones. Consensus gestionará los datos a procesar por analistas de seguridad. Información general y específica sobre sus servicios, sistema operativo, la detección de vulnerabilidades, reglas de encaminamiento y de filtrado, la respuesta de los detectores de intrusiones, la debilidad de las contraseñas, y la respuesta a código malicioso o a ataques de denegación de servicio son un ejemplo de los datos a almacenar por cada dispositivo. Estos datos son recopilados por las herramientas de test incluidas en Consensus. La gran cantidad de datos por cada dispositivo y el diferente número y tipo de atributos que les caracterizan, complican la extracción manual de un patrón de comportamiento. Las herramientas de test automatizadas pueden obtener diferentes resultados sobre el mismo dispositivo y la información recopilada puede llegar a ser incompleta o inconsistente. En este entorno surge la segunda principal aportación de esta tesis: Analia, el módulo de análisis de Consensus. Mientras que Consensus se encarga de recopilar datos sobre la seguridad de los dispositivos, Analia incluye técnicas de Inteligencia Artificial para ayudar a los analistas después de un test de seguridad. Distintos métodos de aprendizaje no supervisado se han analizado para ser adaptados a este dominio. Analia encuentra semejanzas dentro de los dispositivos analizados y la agrupación de dichos dispositivos ayuda a los analistas en la extracción de conclusiones. Las mejores agrupaciones son seleccionadas mediante la aplicación de índices de validación. A continuación, el sistema genera explicaciones sobre cada agrupación para dar una respuesta más detallada a los analistas de seguridad.La combinación de técnicas de aprendizaje automático en el dominio de la seguridad de redes proporciona beneficios y mejoras en la realización de tests de seguridad mediante la utilización del marco integrado Consensus y su sistema de análisis de resultados Analia. / As networks become an integral part of corporations and everyone's lives, advanced network security technologies are being developed to protect data and preserve privacy. Network security testing is necessary to identify and report vulnerabilities, and also to assure enterprise security requirements. Security analysis is necessary to recognize malicious data, unauthorized traffic, detected vulnerabilities, intrusion data patterns, and also to extract conclusions from the information gathered in the security test. Then, where is the problem? There is no open-source standard for security testing, there is no integral framework that follows an open-source methodology for security testing, information gathered after a security test includes large data sets, there is not an exact and objective pattern of behavior among network devices or, furthermore, among data networks and, finally, there are too many potentially vulnerabilities. The challenge of this domain resides in having a great volume of data; data are complex and can appear inconsistent diagnostics. It is also an unsupervised domain where no machine learning techniques have been applied before. Thus a complete characterization of the domain is needed.Consensus is the main contribution of this thesis. Consensus is an integrated framework that includes a computer-aided system developed to help security experts during network testing and analysis. The system automates mechanisms related to a security assessment in order to minimize the time needed to perform an OSSTMM security test. This framework can be used in wired and wireless networks. Network security can be evaluated from inside or from outside the system. It gathers data of different network devices, not only computers but also routers, firewalls and Intrusion Detection Systems (IDS). Consensus manages many data to be processed by security analysts after an exhaustive test. General information, port scanning data, operating system fingerprinting, vulnerability scanning data, routing and filtering rules, IDS response, answer to malicious code, weak passwords reporting, and response to denial of service attacks can be stored for each tested device. This data is gathered by the automated testing tools that have been included in Consensus.The great amount of data for every device and the different number and type of attributes complicates a manually traffic pattern finding. The automated testing tools can obtain different results, incomplete or inconsistent information. Then data obtained from a security test can be uncertain, approximate, complex and partial true. In this environment arises the second main contribution of this thesis: Analia, the data analysis module of Consensus. Whereas Consensus gathers security data, Analia includes Artificial Intelligence to help analysts after a vulnerability assessment. Unsupervised learning has been analyzed to be adapted to this domain. Analia finds resemblances within tested devices and clustering aids analysts in the extraction of conclusions. Afterwards, the best results are selected by applying cluster validity indices. Then explanations of clustering results are included to give a more comprehensive response to security analysts.The combination of machine learning techniques in the network security domain provides benefits and improvements when performing security assessments with the Consensus framework and processing its results with Analia.

Vulnerability assessment

Clustering

Unsupervised Learning

Machine Learning

Network security

Clustering

Detección de vulnerabilidades

Aprendizaje no supervisado

Aprendizaje automático

Seguridad en redes de datos

Aprenentatge no supervisat

Clustering

Detecció de vulnerabilitats

Aprenentatge Artificial

Seguretat de xarxes de dades

Les TIC i la seva Gestió

004

62

621.3

Memory Efficient Regular Expression Pattern Matching Architecture For Network Intrusion Detection Systems

Kumar, Pawan

08 1900

The rampant growth of the Internet has been coupled with an equivalent growth in cyber crime over the Internet. With our increased reliance on the Internet for commerce, social networking, information acquisition, and information exchange, intruders have found financial, political, and military motives for their actions. Network Intrusion Detection Systems (NIDSs) intercept the traffic at an organization’s periphery and try to detect intrusion attempts. Signature-based NIDSs compare the packet to a signature database consisting of known attacks and malicious packet fingerprints. The signatures use regular expressions to model these intrusion activities. This thesis presents a memory efficient pattern matching system for the class of regular expressions appearing frequently in the NIDS signatures. Proposed Cascaded Automata Architecture is based on two stage automata. The first stage recognizes the sub-strings and character classes present in the regular expression. The second stage consumes symbol generated by the first stage upon receiving input traffic symbols. The basic idea is to utilize the research done on string matching problem for regular expression pattern matching. We formally model the class of regular expressions mostly found in NIDS signatures. The challenges involved in using string matching algorithms for regular expression matching has been presented. We introduce length-bound transitions, counter-based states, and associated counter arrays in the second stage automata to address these challenges. The system uses length information along with counter arrays to keep track of overlapped sub-strings and character class based transition. We present efficient implementation techniques for counter arrays. The evaluation of the architecture on practical expressions from Snort rule set showed compression in number of states between 50% to 85%. Because of its smaller memory footprint, our solution is suitable for both software based implementations on network chips as well as FPGA based designs.

Access Control (Computer Networks)

Cryptography

Network Intrusion Detection System

Computer Security

Cyber-attack

Cascaded Automata Architecture

Deterministic Finite Automata

Modified Word-based NFA (M-WNFA)

Network Security

Pattern Matching

Computer Science

Efficient Key Management, and Intrusion Detection Protocols for Enhancing Security in Mobile Ad Hoc Networks

Maity, Soumyadev

January 2014

Security of communications is a major requirement for Mobile Adhoc NETworks(MANETs) since they use wireless channel for communications which can be easily tapped, and physical capture of MANET nodes is also quite easy. From the point of view of providing security in MANETs, there are basically two types of MANETs, viz., authoritarian MANETs, in which there exist one or more authorities who decide the members of the network, and self-organized MANETs, in which there is no such authority. Ensuring security of communications in the MANETs is a challenging task due to the resource constraints and infrastructure-less nature of these networks, and the limited physical security of MANET nodes. Attacks on security in a MANET can be launched by either the external attackers which are not legitimate members of the MANET or the internal attackers which are compromised members of the MANET and which can hold some valid security credentials or both. Key management and authentication protocols(KM-APs)play an important role in preventing the external attackers in a MANET. However, in order to prevent the internal attackers, an intrusion detection system(IDS) is essential. The routing protocols running in the network layer of a MANET are most vulnerable to the internal attackers, especially to the attackers which launch packet dropping attack during data packet forwarding in the MANET. For an authoritarian MANET, an arbitrated KM-AP protocol is perfectly suitable, where trusts among network members are coordinated by a trusted authority. Moreover, due to the resource constraints of a MANET, symmetric key management protocols are more efficient than the public key management protocols in authoritarian MANETs. The existing arbitrated symmetric key management protocols in MANETs, that do not use any authentication server inside the network are susceptible to identity impersonation attack during shared key establishments. On the other hand, the existing server coordinated arbitrated symmetric key management protocols in MANETs do not differentiate the role of a membership granting server(MGS) from the role of an authentication server, and so both are kept inside the network. However, keeping the MGS outside the network is more secure than keeping it inside the network for a MANET. Also, the use of a single authentication server inside the network cannot ensure robustness against authentication server compromise. In self-organized MANETs, public key management is more preferable over symmetric key management, since the distribution of public keys does not require a pre-established secure channel. The main problem for the existing self-organized public key management protocols in MANETs is associated with the use of large size certificate chains. Besides, the proactive certificate chaining based approaches require each member of a MANET to maintain an updated view of the trust graph of the entire network, which is highly resource consuming. Maintaining a hierarchy of trust relationships among members of a MANET is also problematic for the same reason. Evaluating the strength of different alternative trust chains and restricting the length of a trust chain used for public key verification is also important for enhancing the security of self-organized public key management protocols. The existing network layer IDS protocols in MANETs that try to defend against packet dropping attack use either a reputation based or an incentive based approach. The reputation based approaches are more effective against malicious principals than the incentive based approaches. The major problem associated with the existing reputation based IDS protocols is that they do not consider the protocol soundness issue in their design objectives. Besides, most of the existing protocols incorporate no mechanism to fight against colluding principals. Also, an IDS protocol in MANETs should incorporate some secure and efficient mechanism to authenticate the control packets used by it. In order to mitigate the above mentioned problems in MANETs, we have proposed new models and designed novel security protocols in this thesis that can enhance the security of communications in MANETs at lesser or comparable cost. First, in order to perform security analysis of KM-AP protocols, we have extended the well known strand space verification model to overcome some of its limitations. Second, we have proposed a model for the study of membership of principals in MANETs with a view to utilize the concept for analyzing the applicability and the performance of KM-AP protocols in different types of MANETs. Third and fourth, we have proposed two novel KM-AP protocols, SEAP and CLPKM, applicable in two different types of MANET scenarios. The SEAP protocol is an arbitrated symmetric key management protocol designed to work in an authoritarian MANET, whereas the CLPKM protocol is a self-organized public key management protocol designed for self-organized MANETs. Fifth, we have designed a novel reputation based network layer IDS protocol, named EVAACK protocol, for the detection of packet dropping misbehavior in MANETs. All of the three proposed protocols try to overcome the limitations of the existing approaches in their respective categories. We have provided rigorous mathematical proofs for the security properties of the proposed protocols. Performance of the proposed protocols have been compared with those of the other existing similar approaches using simulations in the QualNet simulator. In addition, we have also implemented the proposed SEAP and CLPKM protocols on a real MANET test bed to test their performances in real environments. The analytical, simulation and experimentation results confirm the effectiveness of the proposed schemes.

Mobile Ad Hoc Networks (MANET)

Mobile Ad Hoc Network Security

Intrusion Detection Systems (IDSs)

Extended Strand Space Model

Intrusion Detection Protocols

MANETs

Strand Space Model

Intrusion Detection Systems (IDSs)

Communication Engineering

Detekce síťových útoků pomocí nástroje Tshark / Detection of Network Attacks Using Tshark

Dudek, Jindřich

January 2018

This diploma thesis deals with the design and implementation of a tool for network attack detection from a captured network communication. It utilises the tshark packet analyser, the meaning of which is to convert the input file with the captured communications to the PDML format. The objective of this conversion being, increasing the flexibility of input data processing. When designing the tool, emphasis has been placed on the ability to expand it to detect new network attacks and on integrating these additions with ease. For this reason, the thesis also includes the design of a complex declarative descriptions for network attacks in the YAML serialization format. This allows us to specify the key properties of the network attacks and the conditions for their detection. The resulting tool acts as an interpreter of proposed declarative descriptions allowing it to be expanded with new types of attacks.

Modul pro sledování politiky sítě v datech o tocích / Module for Network Policy Monitoring in Flow Data

Piecek, Adam

January 2019

The aim of this master's thesis is to design a language through which it would be possible to monitor a stream of network flows in order to detect network policy violations in the local network. An analysis of the languages used in the data stream management systems and an analysis of tasks submitted by the potential administrator were both carried out. The analysis specified resulted in the language design which represents pipelining consisting of filtering and aggregation. These operations can be clearly defined and managed within security rules. The result of this thesis also results in the Policer modul being integrated in the NEMEA system, which is able to apply the main commands of the proposed language. Finally, the module meets the requirements of the specified tasks and may be used for further development in the area of monitoring network policies.