  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
101

Improved performance high speed network intrusion detection systems (NIDS). A high speed NIDS architectures to address limitations of Packet Loss and Low Detection Rate by adoption of Dynamic Cluster Architecture and Traffic Anomaly Filtration (IADF).

Akhlaq, Monis January 2011
Intrusion Detection Systems (IDS) are considered a vital component in network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon a computer, network or telecommunication infrastructure. There is no second thought on the necessity of these systems; however, their performance remains a critical question. This research has focussed on designing a high performance Network Intrusion Detection Systems (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered as a de-facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of limited performance. Design and implementation of high performance techniques are considered as the final objective of this research. Snort has been evaluated on a highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test-methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fussing; traffic saturation; parallel dissimilar attacks; manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has led us to two high performance designs: first, distributed hardware architecture using cluster-based adoption, and second, cascaded phenomena of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two-tier mechanism where the front end of the cluster is the load-balancer, which distributes traffic on pre-defined policy routing ensuring maximum utilization of cluster resources. The traffic load sharing mechanism reduces the packet drop by exchanging state information between load-balancer and cluster nodes and implementing switchovers between nodes in case the traffic exceeds a pre-defined threshold limit. Finally, the recovery evaluation concept using Comparator Logic also enhances the overall efficiency by recovering lost data in switchovers; the retrieved data is then analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF) using cascaded architecture of anomaly-based filtration and signature-based detection process is the second high performance design. The IADF design is used to preserve resources of NIDS by eliminating a large portion of the traffic on well-defined logics. In addition, the filtration concept augments the detection process by eliminating the part of malicious traffic which otherwise can go undetected by most signature-based mechanisms. We have evaluated the mechanism to detect Denial of Service (DoS) and Probe attempts by analyzing its performance on the Defence Advanced Research Projects Agency (DARPA) dataset. The concept has also been supported by time-based normalized sampling mechanisms to incorporate normal traffic variations to reduce false alarms. Finally, we have observed that the IADF has augmented the overall detection process by reducing false alarms, increasing detection rate and incurring lesser data loss. / National University of Sciences & Technology (NUST), Pakistan
102

Detection of Denial of Service Attacks on the Open Radio Access Network Intelligent Controller through the E2 Interface

Radhakrishnan, Vikas Krishnan 03 July 2023
Open Radio Access Networks (Open RANs) enable flexible cellular network deployments by adopting open-source software and white-box hardware to build reference architectures customizable to innovative target use cases. The Open Radio Access Network (O-RAN) Alliance defines specifications introducing new Radio Access Network (RAN) Intelligent Controller (RIC) functions that leverage open interfaces between disaggregated RAN elements to provide precise RAN control and monitoring capabilities using applications called xApps and rApps. Multiple xApps targeting novel use cases have been developed by the O-RAN Software Community (OSC) and incubated on the Near-Real-Time RIC (Near-RT RIC) platform. However, the Near-RT RIC has, so far, been demonstrated to support only a single xApp capable of controlling the RAN elements. This work studies the scalability of the OSC Near-RT RIC to support simultaneous control signaling by multiple xApps targeting the RAN element. We particularly analyze its internal message routing mechanism and experimentally expose the design limitations of the OSC Near-RT RIC in supporting simultaneous xApp control. To this end, we extend an existing open-source RAN slicing xApp and prototype a slice-aware User Equipment (UE) admission control xApp implementing the RAN Control E2 Service Model (E2SM) to demonstrate a multi-xApp control signaling use case and assess the control routing capability of the Near-RT RIC through an end-to-end O-RAN experiment using the OSC Near-RT RIC platform and an open-source Software Defined Radio (SDR) stack. We also propose and implement a tag-based message routing strategy for disambiguating multiple xApps to enable simultaneous xApp control. Our experimental results prove that our routing strategy ensures 100% delivery of control messages between multiple xApps and E2 Nodes while guaranteeing control scalability and xApp non-repudiation. 
Using the improved Near-RT RIC platform, we assess the security posture and resiliency of the OSC Near-RT RIC in the event of volumetric application layer Denial of Service (DoS) attacks exploiting the E2 interface and the E2 Application Protocol (E2AP). We design a DoS attack agent capable of orchestrating a signaling storm attack and a high-intensity resource exhaustion DoS attack on the Near-RT RIC platform components. Additionally, we develop a latency monitoring xApp solution to detect application layer signaling storm attacks. The experimental results indicate that signaling storm attacks targeting the E2 Terminator on the Near-RT RIC cause control loop violations over the E2 interface affecting service delivery and optimization for benign E2 Nodes. We also observe that a high-intensity E2 Setup DoS attack results in unbridled memory resource consumption leading to service interruption and application crash. Our results also show that the E2 interface at the Near-RT RIC is vulnerable to volumetric application layer DoS attacks, and robust monitoring, load-balancing, and DoS mitigation strategies must be incorporated to guarantee resiliency and high reliability of the Near-RT RIC. / Master of Science / Telecommunication networks need sophisticated controllers to support novel use cases and applications. Cellular base stations can be managed and optimized for better user experience through an intelligent radio controller called the Near-Real-Time Radio Access Network (RAN) Intelligent Controller (RIC) (Near-RT RIC), defined by the Open Radio Access Network (O-RAN) Alliance. This controller supports simultaneous connections to multiple base stations through the E2 interface and allows simple radio applications called xApps to control the behavior of those base stations. 
In this research work, we study the performance and behavior of the Near-RT RIC when a malicious or compromised base station tries to overwhelm the controller through a Denial of Service (DoS) attack. We develop a solution to determine the application layer communication delay between the controller and the base station to detect potential attacks trying to compromise the functionality and availability of the controller. To implement this solution, we also upgrade the controller to support multiple radio applications to interact and control one or more base stations simultaneously. Through the developed solution, we prove that the O-RAN Software Community (OSC) Near-RT RIC is highly vulnerable to DoS attacks from malicious base stations targeting the controller over the E2 interface.
103

Collaboratively Detecting HTTP-based Distributed Denial of Service Attack using Software Defined Network

Ikusan, Ademola A. January 2017
No description available.
104

HASH STAMP MARKING SCHEME FOR PACKET TRACEBACK

NEIMAN, ADAM M. January 2005
No description available.
105

How Secure is Verisure’s Alarm System?

Hamid, Lars-Eric, Möller, Simon January 2020
Security is a very important part of today’s society. Verisure is the leader in home alarm systems with 30 years of experience. In this project, we aim to evaluate how secure their alarm system is from a software perspective. The system was bought in January 2020. After an initial threat modeling, followed by penetration testing, it turns out that the alarm system is not as secure as Verisure markets. We could find several security flaws in the system. Some of them let an attacker block the system, and others yield full control without the user’s knowledge. There are also a couple of vulnerabilities that could be exploited by people without any special knowledge regarding hacking or the system in general. / Security is a very important part of today's society. Verisure is a leader in home alarm systems with 30 years of experience. In this project, we evaluate how secure their alarm system is from a software perspective. The system was purchased in January 2020. After initial threat modeling and subsequent penetration tests, it turns out that the alarm system is not as secure as Verisure markets it to be. Over the course of the project, we were able to find several security flaws in the system. Some of these allow an attacker to block the system, and others give full control without the users' knowledge. There are also a couple of vulnerabilities that can be exploited by people without any special knowledge of hacking or of the system in general. / Bachelor's degree project in electrical engineering 2020, KTH, Stockholm
106

Intrusion Detection of Flooding DoS Attacks on Emulated Smart Meters

Akbar, Yousef M. A. H. 11 May 2020
The power grid has changed a great deal from what has been generally viewed as a traditional power grid. The modernization of the power grid has seen an increase in the integration and incorporation of computing and communication elements, creating an interdependence of both physical and cyber assets of the power grid. The fast-increasing connectivity has transformed the grid from what used to be primarily a physical system into a Cyber-Physical System (CPS). The physical elements within a power grid are well understood by power engineers; however, the newly deployed cyber aspects are new to most researchers and operators in this field. The new computing and communications structure brings new vulnerabilities along with all the benefits it provides. Cyber security of the power grid is critical due to the potential impact it can make on the community or society that relies on the critical infrastructure. These vulnerabilities have already been exploited in the attack on the Ukrainian power grid, a highly sophisticated, multi-layered attack which caused large power outages for numerous customers. There is an urgent need to understand the cyber aspects of the modernized power grid and take the necessary precautions such that the security of the CPS can be better achieved. The power grid is dependent on two main cyber infrastructures, i.e., Supervisory Control And Data Acquisition (SCADA) and Advanced Metering Infrastructure (AMI). This thesis investigates the AMI in power grids by developing a testbed environment that can be created and used to better understand and develop security strategies to remove the vulnerabilities that exist within it. The testbed is to be used to conduct and implement security strategies, i.e., an Intrusion Detection System (IDS), creating an emulated environment to best resemble the environment of the AMI system. 
A DoS flooding attack and an IDS are implemented on the emulated testbed to show the effectiveness and validate the performance of the emulated testbed. / M.S. / The power grid is becoming more digitized and is utilizing information and communication technologies more, hence the smart grid. New systems are developed and utilized in the modernized power grid that directly relies on new communication networks. The power grid is becoming more efficient and more effective due to these developments, however, there are some considerations to be made as for the security of the power grid. An important expectation of the power grid is the reliability of power delivery to its customers. New information and communication technology integration brings rise to new cyber vulnerabilities that can inhibit the functionality of the power grid. A coordinated cyber-attack was conducted against the Ukrainian power grid in 2015 that targeted the cyber vulnerabilities of the system. The attackers made sure that the grid operators were unable to observe their system being attacked via Denial of Service attacks. Smart meters are the digitized equivalent of a traditional energy meter, it wirelessly communicates with the grid operators. An increase in deployment of these smart meters makes it such that we are more dependent on them and hence creating a new vulnerability for an attack. The smart meter integration into the power grid needs to be studied and carefully considered for the prevention of attacks. A testbed is created using devices that emulate the smart meters and a network is established between the devices. The network was attacked with a Denial of Service attack to validate the testbed performance, and an Intrusion detection method was developed and applied onto the testbed to prove that the testbed created can be used to study and develop methods to cover the vulnerabilities present.
107

Security Analysis of OPC UA in Automation Systems for IIoT / Säkerhetsanalys av OPC UA inom automationssystem för IIoT.

Varadarajan, Vaishnavi January 2022
Establishing secured communication among the different entities in an industrial environment is a major concern. Especially with the introduction of the Industrial Internet of Things (IIoT), industries have been susceptible to cyber threats, which makes security a critical requirement for the industries. Prevailing industrial communication standards were proven to meet the security needs to some extent, but the major issue which was yet to be addressed was interoperability. To achieve interoperability, Open Platform Communication Unified Architecture (OPC UA) was introduced as a communication protocol. OPC UA helped bridge the gap between Information Technology (IT) and Operational Technology (OT) security needs, but this also gives rise to new attack opportunities for the intruder. In this thesis, we have analysed the security challenges in OPC UA and the impact of two different cyberattacks on the OPC UA. First, we have implemented an OPC UA Network with the help of Raspberry Pis and open62541, an open-source implementation of the OPC UA client and server. Following this, to evaluate the performance of the network, we performed three cybersecurity attacks, Packet Sniffing, Man in the Middle Attack (MITM) and Denial of Service attack. We assessed the impact these attacks have on the OPC UA network. We have also discussed the detection mechanism for the same attacks. This analysis has helped us recognize the threats faced by OPC UA in an IIoT environment with respect to message flooding, packet sniffing and man in the middle attack and the countermeasures to this attack have been discussed. / Establishing secure communication between the different devices in an industrial environment is a major challenge. Especially since the introduction of the Industrial Internet of Things (IIoT), industries have been susceptible to cyber threats, which makes cybersecurity a priority. Prevailing industrial communication standards have been shown to meet the security needs to some extent, but one of the biggest problems was the lack of interoperability. To achieve interoperability, Open Platform Communication Unified Architecture (OPC UA) was created as a communication protocol. OPC UA helps bridge the gap between the security needs of information technology (IT) and Operational Technology (OT), but this also gives rise to new attack opportunities for intruders. In this thesis, we have analysed the security challenges in OPC UA and the effect of two different cyberattacks on OPC UA. First, we implemented an OPC UA network using Raspberry Pis and open62541, which is an open-source implementation of the OPC UA client and server. After this, we carried out three cybersecurity attacks to evaluate the network's performance: packet sniffing, Man in the Middle Attack (MITM) and Denial of Service attack. We assessed the effect these attacks have on the OPC UA network. We have also discussed the detection mechanism for the same attacks. This analysis has helped us recognize the threats that OPC UA faces in an IIoT environment with respect to data flow, packet sniffing and Man in the Middle attack, and defenses against these attacks have also been discussed.
108

Security Analysis of OPC UA in Automation Systems for IIoT / Säkerhetsanalys av OPC UA inom automationssystem för IIoT.

Varadarajan, Vaishnavi January 2022
Establishing secured communication among the different entities in an industrial environment is a major concern. Especially with the introduction of the Industrial Internet of Things (IIoT), industries have been susceptible to cyber threats, which makes security a critical requirement for the industries. Prevailing industrial communication standards were proven to meet the security needs to some extent, but the major issue which was yet to be addressed was interoperability. To achieve interoperability, Open Platform Communication Unified Architecture (OPC UA) was introduced as a communication protocol. OPC UA helped bridge the gap between Information Technology (IT) and Operational Technology (OT) security needs, but this also gives rise to new attack opportunities for the intruder. In this thesis, we have analysed the security challenges in OPC UA and the impact of two different cyberattacks on the OPC UA. First, we have implemented an OPC UA Network with the help of Raspberry Pis and open62541, an open-source implementation of the OPC UA client and server. Following this, to evaluate the performance of the network, we performed three cybersecurity attacks, Packet Sniffing, Man in the Middle Attack (MITM) and Denial of Service attack. We assessed the impact these attacks have on the OPC UA network. We have also discussed the detection mechanism for the same attacks. This analysis has helped us recognize the threats faced by OPC UA in an IIoT environment with respect to message flooding, packet sniffing and man in the middle attack and the countermeasures to this attack have been discussed. / Establishing secure communication between the different devices in an industrial environment is a major challenge. Especially since the introduction of the Industrial Internet of Things (IIoT), industries have been susceptible to cyber threats, which makes cybersecurity a priority. Prevailing industrial communication standards have been shown to meet the security needs to some extent, but one of the biggest problems was the lack of interoperability. To achieve interoperability, Open Platform Communication Unified Architecture (OPC UA) was created as a communication protocol. OPC UA helps bridge the gap between the security needs of information technology (IT) and Operational Technology (OT), but this also gives rise to new attack opportunities for intruders. In this thesis, we have analysed the security challenges in OPC UA and the effect of two different cyberattacks on OPC UA. First, we implemented an OPC UA network using Raspberry Pis and open62541, which is an open-source implementation of the OPC UA client and server. After this, we carried out three cybersecurity attacks to evaluate the network's performance: packet sniffing, Man in the Middle Attack (MITM) and Denial of Service attack. We assessed the effect these attacks have on the OPC UA network. We have also discussed the detection mechanism for the same attacks. This analysis has helped us recognize the threats that OPC UA faces in an IIoT environment with respect to data flow, packet sniffing and Man in the Middle attack, and defenses against these attacks have also been discussed.
109

Improved performance high speed network intrusion detection systems (NIDS) : a high speed NIDS architectures to address limitations of packet loss and low detection rate by adoption of dynamic cluster architecture and traffic anomaly filtration (IADF)

Akhlaq, Monis January 2011
Intrusion Detection Systems (IDS) are considered a vital component in network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon a computer, network or telecommunication infrastructure. There is no second thought on the necessity of these systems; however, their performance remains a critical question. This research has focussed on designing a high performance Network Intrusion Detection Systems (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered as a de-facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of limited performance. Design and implementation of high performance techniques are considered as the final objective of this research. Snort has been evaluated on a highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test-methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fussing; traffic saturation; parallel dissimilar attacks; manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has led us to two high performance designs: first, distributed hardware architecture using cluster-based adoption, and second, cascaded phenomena of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two-tier mechanism where the front end of the cluster is the load-balancer, which distributes traffic on pre-defined policy routing ensuring maximum utilization of cluster resources. The traffic load sharing mechanism reduces the packet drop by exchanging state information between load-balancer and cluster nodes and implementing switchovers between nodes in case the traffic exceeds a pre-defined threshold limit. Finally, the recovery evaluation concept using Comparator Logic also enhances the overall efficiency by recovering lost data in switchovers; the retrieved data is then analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF) using cascaded architecture of anomaly-based filtration and signature-based detection process is the second high performance design. The IADF design is used to preserve resources of NIDS by eliminating a large portion of the traffic on well-defined logics. In addition, the filtration concept augments the detection process by eliminating the part of malicious traffic which otherwise can go undetected by most signature-based mechanisms. We have evaluated the mechanism to detect Denial of Service (DoS) and Probe attempts by analyzing its performance on the Defence Advanced Research Projects Agency (DARPA) dataset. The concept has also been supported by time-based normalized sampling mechanisms to incorporate normal traffic variations to reduce false alarms. Finally, we have observed that the IADF has augmented the overall detection process by reducing false alarms, increasing detection rate and incurring lesser data loss.
110

PACKET FILTER APPROACH TO DETECT DENIAL OF SERVICE ATTACKS

Muharish, Essa Yahya M 01 June 2016
Denial of service attacks (DoS) are a common threat to many online services. These attacks aim to overcome the availability of an online service with massive traffic from multiple sources. By spoofing legitimate users, an attacker floods a target system with a high quantity of packets or connections to crash its network resources, bandwidth, equipment, or servers. Packet filtering methods are the best-known way to prevent these attacks via identifying and blocking the spoofed attack from reaching its target. In this project, the extent of the DoS attacks problem and attempts to prevent it are explored. The attack categories and existing countermeasures based on preventing, detecting, and responding are reviewed. Henceforward, neural network learning algorithms and statistical analysis are utilized in the design of our proposed packet filtering system.
