About

The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
161

Implementation of the S2RP protocol (Secure and Scalable Rekeying Protocol)

Τσιτσιπής, Δημήτρης 23 January 2012
Wireless Sensor Networks (WSNs) are a relatively new technology whose importance has been recognized by the scientific community, and which has prospects for application in many cases that require monitoring and control over large areas, such as monitoring the proper operation of buildings and structures, surveillance of military areas, monitoring and control of crops, or even monitoring the health of a patient. It is obvious that in many of these application scenarios the data acquired and exchanged within these networks are sensitive, and hiding them from third parties, as well as preventing third parties from injecting false data, is of the utmost importance. However, since these networks consist of nodes of low computational capability (both for economic reasons, so that, given the number of nodes required for such applications, the cost is kept at reasonable levels, and for reasons of energy consumption), security algorithms with small computational and communication requirements must be used. To achieve secure communication between the nodes with a small computational burden, symmetric cryptographic algorithms are implemented, and for the management of the cryptographic keys the S2RP key management protocol, which defines methods for the distribution as well as the revocation of symmetric keys. This protocol can maintain forward and backward security of the data (security of future transmissions, and security of data that has already been transmitted, respectively) in dynamically changing topologies (e.g. addition of a new node, or discovery of an exposed (compromised) node that must be removed from the topology). In the context of this thesis, the S2RP protocol was implemented, along with the cryptographic algorithms required for its application.
The implementation was initially done in a graphical simulation environment, created to test the protocol at the packet level, and the protocol was then ported to a network of TelosB wireless sensors. / Wireless Sensor Networks (WSNs) are a relatively new technology, the importance of which is widely recognized in academia. They have great potential for use in applications requiring monitoring and control over large areas, like integrity and operational monitoring of buildings and structures, military surveillance, crop monitoring or even health monitoring. It is obvious that the data transferred in most of these applications are of a sensitive nature, and preventing a third party from accessing that data, or injecting its own forged data into the network, is of utmost importance. However, because of the low computational power and network performance of these networks' nodes (which is due to economic reasons, so as to keep cost at reasonable levels in high node count networks, as well as for energy consumption reasons), the use of algorithms and protocols with low computational and communication requirements is mandatory. To achieve secure communication between the nodes of such a network, we implement symmetric key cryptographic algorithms, and the protocol S2RP (Secure and Scalable Rekeying Protocol) for key management. S2RP defines procedures for key distribution and revocation, with the use of which it can maintain forward and backward communication security (e.g. connection of a new node, or discovery of an exposed node, which must be removed) for dynamic network topologies. For the purpose of this thesis, we implemented the S2RP protocol, as well as the additional cryptographic primitives that are needed to achieve secure communication in a network. The implementation was initially made within a graphical simulator, which we implemented to test the protocol at the packet level. Finally, we ported the protocol to a network of TelosB motes.
162

Security in the implementation of an internet protocol for space communications

Σουφρίλας, Παναγιώτης 09 January 2012
This thesis presents a new network architecture called DTN, for networks that face difficulties in the communication and connectivity of their nodes. These networks face such difficulties because of the adverse environment in which they operate, such as, for example, a network in space. We therefore proceeded to design our own DTN network, called planet-ece, choosing the DTN2 implementation of the Bundle Protocol for our nodes, since it is the most suitable for anyone who wants to experiment. This network was developed in order to investigate issues such as the management of such a network (network management) and its security. Based on our now installed DTN network planet-ece, and after its correct operation had been verified, the next step was to implement a monitoring mechanism that would allow us to supervise the status of the network and of the exchanged traffic at the DTN level. We then proceeded to implement a smart-camera surveillance system over our DTN network planet-ece. In this implementation we evaluate the security and the behavior of the system, focusing on communication over the DTN network, in order to assess how such a network behaves in various possible situations, in terms of events and network availability, with or without security, and in comparison with existing communication methods. / This thesis presents a new network architecture called DTN, for networks with difficulties in communication and connectivity. These networks are facing such difficulties due to extreme environmental surroundings, such as a network in space. So we proceeded to design our own DTN network called planet-ece, selecting the DTN2 implementation of the Bundle Protocol for our nodes because it is ideal for anyone who wants to experiment.
The development of this network was designed to investigate issues such as management of such a network and security. Based now on our installed DTN network named planet-ece, and after having verified its correct function, the next step was to implement a monitoring mechanism, which allows us to monitor the network status and traffic at the DTN level. Then we proceeded to implement a secure DTN-based smart camera surveillance system through our DTN network planet-ece. In this implementation, therefore, we evaluate the security and behavior of the system, focusing on communication via the DTN network in order to appreciate how such a system behaves in different possible situations, events and network availability, with or without security and in comparison with existing methods of communication.
163

A quantitative security assessment of modern cyber attacks : a framework for quantifying enterprise security risk level through system's vulnerability analysis by detecting known and unknown threats

Munir, Rashid January 2014
The Cisco 2014 Annual Security Report clearly outlines the evolution of the threat landscape and the increase in the number of attacks. The UK government in 2012 recognised the cyber threat as a Tier-1 threat, since about 50 government departments have been either subjected to an attack or a direct threat from an attack. Cyberspace has become the platform of choice for businesses, schools, universities, colleges, hospitals and other sectors for business activities. One of the major problems identified by the Department of Homeland Security is the lack of clear security metrics. The recent cyber security breach of the US retail giant TARGET is a typical example that demonstrates the weaknesses of qualitative security, also considered by some security experts as fuzzy security. High, medium or low as measures of security levels do not give a quantitative representation of the network security level of a company. In this thesis, a method is developed to quantify the security risk level of known and unknown attacks in an enterprise network in an effort to solve this problem. The identified vulnerabilities in a case study of a UK based company are classified according to their severity risk levels using the Common Vulnerability Scoring System (CVSS) and the Open Web Application Security Project (OWASP). Probability theory is applied against known attacks to create the security metrics, and a detection and prevention method is suggested for the company network against unknown attacks. Our security metrics are clear and repeatable, and can be verified scientifically.
164

vLab: A Cloud based Resource and Service Sharing Platform for Computer and Network Security Education

January 2010
abstract: Cloud computing systems fundamentally provide access to large pools of data and computational resources through a variety of interfaces similar in spirit to existing grid and HPC resource management and programming systems. These types of systems offer a new programming target for scalable application developers and have gained popularity over the past few years. However, most cloud computing systems in operation today are proprietary and rely upon infrastructure that is invisible to the research community, or are not explicitly designed to be instrumented and modified by systems researchers. In this research, the Xen Server Management API is employed to build a framework for cloud computing that implements what is commonly referred to as Infrastructure as a Service (IaaS): systems that give users the ability to run and control entire virtual machine instances deployed across a variety of physical resources. The goal of this research is to develop a cloud based resource and service sharing platform for computer network security education, a.k.a. Virtual Lab. / Dissertation/Thesis / M.S. Computer Science 2010
165

Estudo sobre a extração de políticas de firewall e uma proposta de metodologia / A Study about firewall policy extraction and a proposal for a methodology

Horowitz, Eduardo January 2007
With the increase of threats on the Internet, firewalls have become increasingly used defense mechanisms. However, their configuration is notoriously complex and can result in errors. Several studies have been carried out with the aim of solving such problems, but the great majority of them have concentrated on working directly at the configuration level, which has limitations. The present work investigates ways of extracting higher-level policies from low-level firewall rules, which is more intuitive. In order to extract the real policies from firewall rules, the decorrelation problem is studied, and previously proposed algorithms to solve it are presented and discussed. A type of graph for better visualization and analysis of the correlation between rules is also presented. Furthermore, the grouping of decorrelated rules, whose objective is to raise their level of abstraction, is investigated. Two algorithms for performing the grouping are presented, one of them new. Next, a new methodology for extracting firewall policies is proposed. Its first part consists of the use of a new type of decorrelation, hierarchical decorrelation. This is accompanied by a new way of grouping hierarchically decorrelated rules, hierarchical grouping. The second part is a new modeling of firewall rules that belong to a blacklist or whitelist, separating them from the other rules during policy extraction. Some ways of performing this separation are also discussed. Finally, the conclusions and possibilities for future work are reported. / As the number of threats in the Internet grows, firewalls have become a very important defense mechanism. However, configuring a firewall is not an easy task and is prone to errors. Several investigations have been made towards solving these issues.
However, most of them have focused on working directly at the configuration level and have a number of limitations. This work investigates methods to extract higher level policies from low level firewall rules. Aiming at extracting real policies from firewall rules, we analyse the firewall decorrelation problem and previously proposed algorithms to solve it. In addition, a new type of graph is presented aiming at better visualising and analysing rules' correlation. We also investigate the merging of decorrelated rules, with the goal of defining more abstract rules. Two algorithms are then presented and a new methodology for the extraction of firewall policies is proposed. This methodology is twofold. The first part consists of the use of a new type of decorrelation: the hierarchical decorrelation, which is introduced along with a new way of hierarchically merging decorrelated rules. The second part is a new model for blacklist or whitelist firewall rules, separating them from the other rules in the policy extraction. We also present alternatives for accomplishing this separation. Finally, we conclude and point out directions for future work.
167

A theory for understanding and quantifying moving target defense

Zhuang, Rui January 1900
Doctor of Philosophy / Computing and Information Sciences / Scott A. DeLoach / The static nature of cyber systems gives attackers a valuable and asymmetric advantage: time. To eliminate this asymmetric advantage, a new approach, called Moving Target Defense (MTD), has emerged as a potential solution. An MTD system seeks to proactively change system configurations to invalidate the knowledge learned by the attacker and force them to spend more effort locating and re-locating vulnerabilities. While it sounds promising, the approach is so new that there is no standard definition of what an MTD is, what is meant by diversification and randomization, or what metrics define the effectiveness of such systems. Moreover, the changing nature of MTD violates two basic assumptions of the conventional attack surface notion. One is that the attack surface remains unchanged during an attack, and the second is that it is always reachable. Therefore, a new attack surface definition is needed. To address these issues, I propose that a theoretical framework for MTD be defined. The framework should clarify the most basic questions, such as what an MTD system is and its properties such as adaptation, diversification and randomization. The framework should reveal what is meant by gaining and losing knowledge, and what the different attack types are. To reason over the interactions between attacker and MTD system, the framework should define key concepts such as attack surface, adaptation surface and engagement surface. Based on that, this framework should allow MTD system designers to decide how to use existing configuration choices and functionality diversification to increase security. It should allow them to analyze the effectiveness of adapting various combinations of different configuration aspects to thwart different types of attacks.
To support analysis, the framework should include an analytical model that can be used by designers to determine how different parameter settings will impact system security.
168

SDN-based Proactive Defense Mechanism in a Cloud System

January 2015
abstract: Cloud computing is known as a new and powerful computing paradigm. This new generation of network computing model delivers both software and hardware as on-demand resources and various services over the Internet. However, security concerns prevent users from adopting cloud-based solutions to fulfill the IT requirements of much business-critical computing. Due to the resource-sharing and multi-tenant nature of cloud-based solutions, cloud security is of particular concern in Infrastructure as a Service (IaaS). It has been attracting a lot of research and development effort in the past few years. Virtualization is the main technology of cloud computing to enable multi-tenancy. Computing power, storage, and network are all virtualizable to be shared in an IaaS system. This important technology makes abstract infrastructure and resources available to users as isolated virtual machines (VMs) and virtual networks (VNs). However, it also increases vulnerabilities and possible attack surfaces in the system, since all users in a cloud share these resources with others or even with attackers. A promising protection mechanism is required to ensure strong isolation, mediated sharing, and secure communications between VMs. Technologies for detecting anomalous traffic and protecting normal traffic in VNs are also needed. Therefore, how to secure and protect the private traffic in VNs and how to prevent malicious traffic from shared resources are major security research challenges in a cloud system. This dissertation proposes four novel frameworks to address the challenges mentioned above. The first work is a new multi-phase distributed vulnerability measurement and countermeasure selection mechanism based on the attack graph analytical model. The second work is a hybrid intrusion detection and prevention system to protect VNs and VMs using virtual machine introspection (VMI) and software defined networking (SDN) technologies.
The third work further improves the previous works by introducing a VM profiler and VM Security Index (VSI) to keep track of the security status of each VM and suggest the optimal countermeasure to mitigate potential threats. The final work is an SDN-based proactive defense mechanism for a cloud system using a reconfiguration model and moving target defense approaches to actively and dynamically change the virtual network configuration of a cloud system. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2015
169

Policy Conflict Management in Distributed SDN Environments

January 2017
abstract: The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for the implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues, with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this dissertation, a formalism for flow rule conflicts in SDN environments is introduced. This formalism is realized in Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller. Brew has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer, thereby assuring consistent conflict-free security policy implementation and preventing information leakage. Techniques for global prioritization of flow rules in a decentralized environment are presented, using which all SDN flow rule conflicts are recognized and classified. Strategies for unassisted resolution of these conflicts are also detailed. Alternatively, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help administrators view the conflicts in an aesthetic manner. The correctness, feasibility and scalability of the Brew proof-of-concept prototype are demonstrated. Flow rule conflict avoidance using a buddy address space management technique is studied as an alternative to conflict detection and resolution in highly dynamic cloud systems attempting to implement SDN-based Moving Target Defense (MTD) countermeasures. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2017
170

Time Division Multiplexing of Network Access by Security Groups in High Performance Computing Environments

January 2013
abstract: It is commonly known that High Performance Computing (HPC) systems are most frequently used by multiple users for batch-job, parallel computations. Less well known, however, are the numerous HPC systems servicing data so sensitive that administrators enforce either a) sequential job processing, only one job at a time on the entire system, or b) physical separation, devoting an entire HPC system to a single project until recommissioned. The driving forces behind this type of security are numerous but share the common origin of data so sensitive that measures above and beyond the industry standard are used to ensure information security. This paper presents a network security solution that provides information security above and beyond the industry standard, while still enabling multi-user computations on the system. This paper's main contribution is a mechanism designed to enforce high level time division multiplexing of network access (Time Division Multiple Access, or TDMA) according to security groups. By dividing network access into time windows, interactions between applications over the network can be prevented in an easily verifiable way. / Dissertation/Thesis / M.S. Computer Science 2013
