19 results for Radar defense networks

in Deakin Research Online - Australia


Relevance:

40.00%

Publisher:

Abstract:

Worms are widely believed to be one of the most serious challenges in network security research. In order to prevent worms from propagating, we present a microcosmic model, which can benefit the security industry by allowing them to save significant money in the deployment of their security patching schemes.

Relevance:

40.00%

Publisher:

Abstract:

Opportunistic networks (OppNets) are an interesting topic that is seen to have a promising future. Many protocols have been developed to accommodate the features of OppNets such as frequent partitions, long delays, and no end-to-end path between the source and destination nodes. Embedding security into these protocols is challenging and has taken a lot of attention in research. One of the attacks that OppNets are exposed to is the packet dropping attack, where the malicious node attempts to drop some packets and forwards an incomplete number of packets, which results in the distortion of the message. To increase the security levels in OppNets, this paper presents an algorithm developed to detect packet dropping attacks, and finds the malicious node that attempted the attack. The algorithm detects the attack by using an indicative field in the header section of each packet; the indicative field has 3 sub fields - the identification field, the flag field, and the offset field. These 3 fields are used to find if a node receives the complete original number of packets from the previous node. The algorithm will have the advantage of detecting packets dropped by each intermediate node; this helps solve the difficulties of finding malicious nodes by the destination node only.

Relevance:

40.00%

Publisher:

Abstract:

Security is a major challenge in Opportunistic Networks (OppNets) because of its characteristics, such as open medium, dynamic topology, no centralized management and absent clear lines of defense. A packet dropping attack is one of the major security threats in OppNets since neither source nodes nor destination nodes have the knowledge of where or when the packet will be dropped. In this paper, we present a novel attack and traceback mechanism against a special type of packet dropping where the malicious node drops one or more packets and then injects new fake packets instead. We call this novel attack a Catabolism Attack and we call our novel traceback mechanism against this attack Anabolism Defense. Our novel detection and traceback mechanism is very powerful and has very high accuracy. Each node can detect and then traceback the malicious nodes based on a solid and powerful idea, that is, hash chain techniques. In our defense techniques we have two stages. The first stage is to detect the attack, and the second stage is to find the malicious nodes. Simulation results show this robust mechanism achieves a very high accuracy and detection rate.

Relevance:

40.00%

Publisher:

Abstract:

 In this thesis, we have identified a novel attack in OppNets, a special type of packet dropping attack where the malicious node(s) drops one or more packets (not all the packets) and then injects new fake packets instead. We name this novel attack as the Catabolism attack and propose a novel attack detection and traceback approach against this attack referred to as the Anabolism defence. As part of the Anabolism defence approach we have proposed three techniques: time-based, Merkle tree based and Hash chain based techniques for attack detection and malicious node(s) traceback. We provide mathematical models that show our novel detection and traceback mechanisms to be very effective and detailed simulation results show our defence mechanisms to achieve a very high accuracy and detection rate.

Relevance:

30.00%

Publisher:

Abstract:

Currently high-speed networks have been attacked by successive waves of Distributed Denial of Service (DDoS) attacks. There are two major challenges on DDoS defense in the high-speed networks. One is to sensitively and accurately detect attack traffic, and the other is to filter out the attack traffic quickly, which mainly depends on high-speed packet classification. Unfortunately most current defense approaches cannot efficiently detect and quickly filter out attack traffic. Our approach is to find the network anomalies by using a neural network, deploy the system at distributed routers, identify the attack packets, and then filter them quickly by a Bloom filter-based classifier. The evaluation results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can catch DDoS attacks’ characteristic of starting from multiple sources to a single victim. The simple complexity, high classification speed and low storage requirements make it especially suitable for DDoS defense in high-speed networks.

Relevance:

30.00%

Publisher:

Abstract:

Recently high-speed networks have been utilized by attackers as Distributed Denial of Service (DDoS) attack infrastructure. Services on high-speed networks also have been attacked by successive waves of the DDoS attacks. How to sensitively and accurately detect the attack traffic, and quickly filter out the attack packets are still the major challenges in DDoS defense. Unfortunately most current defense approaches cannot efficiently fulfill these tasks. Our approach is to find the network anomalies by using a neural network and classify DDoS packets by a Bloom filter-based classifier (BFC). BFC is a set of space-efficient data structures and algorithms for packet classification. The evaluation results show that the simple complexity, high classification speed and accuracy and low storage requirements of this classifier make it not only suitable for DDoS filtering in high-speed networks, but also suitable for other applications such as string matching for intrusion detection systems and IP lookup for programmable routers.

Relevance:

30.00%

Publisher:

Abstract:

In this paper, we present a new approach, called Flexible Deterministic Packet Marking (FDPM), to perform a large-scale IP traceback to defend against Distributed Denial of Service (DDoS) attacks. In a DDoS attack the victim host or network is usually attacked by a large number of spoofed IP packets coming from multiple sources. IP traceback is the ability to trace the IP packets to their sources without relying on the source address field of the IP header. FDPM provides many flexible features to trace the IP packets and can obtain better tracing capability than current IP traceback mechanisms, such as Probabilistic Packet Marking (PPM), and Deterministic Packet Marking (DPM). The flexibilities of FDPM are in two ways: one is that it can adjust the length of the marking field according to the network protocols deployed; the other is that it can adjust the marking rate according to the load of participating routers. The implementation and evaluation demonstrate that the FDPM needs moderately only a small number of packets to complete the traceback process; and can successfully perform a large-scale IP traceback, for example, trace up to 110,000 sources in a single incident response. It has a built-in overload prevention mechanism, therefore this scheme can perform a good traceback process even when it is heavily loaded.

Relevance:

30.00%

Publisher:

Abstract:

In this letter, we provide a robust version of a linear Kalman filter for target tracking based on a measurement conversion technique on the nonlinear radar measurements. We prove that the state estimation error is bounded in a probabilistic sense. We compare our approach with the current state of the art in converted radar measurement-based linear filtering.

Relevance:

30.00%

Publisher:

Abstract:

In the 2,500,000 km² Lake Chad Basin in central Africa, the 2000 Shuttle Radar Topographic Mission (SRTM) data have been used to supplement the existing topographic data. SRTM data produce much sharper images of the region's topography and provide new insights into debates about the nature and extent of late Quaternary Lake Chad. This paper shows that the accuracy of SRTM30, the recently released 30 arc seconds topographic data from SRTM, largely surpasses that of previous global Digital Elevation Models (DEMs) available in the region. Using a GIS we identified from SRTM30 elevation data key features in the landscape topography providing further evidence for the existence of a Megalake Chad. The SRTM30 data corroborate the presence of two ancient shorelines associated with stillstands of the paleolake at the elevation of the Mayo Kebbi and Bahr el Ghazal spillovers. We found a general flattening of the topography in the region covered by Megalake Chad which is most likely the result of wave-cut action. The SRTM30 data show that the remains of the highest paleoshoreline have a constant elevation of 325 ± 5 m amsl. At its maximum extent, Megalake Chad had an area of about 340 000 km² (only 8% less than the present-day world's largest lake, the Caspian Sea). The SRTM30 data also revealed ancient drainage networks in the Sahara that lead to Megalake Chad. We compiled available ¹⁴C dates to constrain Holocene Megalake Chad events. The results presented in this paper have significant consequences for improving our knowledge of regional paleohydrology and continental climate change. This study is also the first step for a GIS-based reconstruction of late Quaternary paleohydrology in tropical Africa.

Relevance:

30.00%

Publisher:

Abstract:

In this paper we address the problem of decentralized and robust linear filtering for target tracking using networks of (radar) sensors taking nonlinear range and bearing measurements. The algorithm introduced in this paper permits efficient data fusion from multiple sensors through a summation style fusion architecture. Moreover, we prove that the state estimation error for the linear filtering algorithm is bounded.

Relevance:

30.00%

Publisher:

Abstract:

This thesis proposes a novel architecture of Distributed Active Defense System (DADS) against Distributed Denial of Service (DDoS) attacks. Three sub-systems of DADS were built. For each sub-system corresponding algorithms were developed, prototypes implemented, criteria for evaluation were set up and experiments in both simulation and real network laboratory environments were carried out.

Relevance:

30.00%

Publisher:

Abstract:

Security and privacy have been the major concern when people build parallel and distributed networks and systems. While the attack systems have become more easy-to-use, sophisticated, and powerful, interest has greatly increased in the field of building more effective, intelligent, adaptive, active and high performance defense systems which are distributed and networked. This special issue focuses on the issues of building secure parallel and distributed networks and systems.

Relevance:

30.00%

Publisher:

Abstract:

A botnet is a group of compromised computers, which are remotely controlled by hackers to launch various network attacks, such as DDoS attacks and information phishing. Botnets have become a popular and productive tool behind many cyber attacks. Recently, the owners of some botnets, such as Storm worm, Torpig and Conficker, are employing fluxing techniques to evade detection. Therefore, the understanding of their fluxing tricks is critical to the success of defending from botnet attacks. Motivated by this, we survey the latest botnet attacks and defenses in this paper. We begin with introducing the principles of fast fluxing (FF) and domain fluxing (DF), and explain how these techniques were employed by botnet owners to fly under the radar. Furthermore, we investigate the state-of-the-art research on fluxing detection. We also compare and evaluate those fluxing detection methods by multiple criteria. Finally, we discuss future directions on fighting against botnet based attacks.

Relevance:

30.00%

Publisher:

Abstract:

DDoS attacks are one of the major threats to Internet services. Sophisticated hackers are mimicking the features of legitimate network events, such as flash crowds, to fly under the radar. This poses great challenges to detect DDoS attacks. In this paper, we propose an attack feature independent DDoS flooding attack detection method at local area networks. We employ flow entropy on local area network routers to supervise the network traffic and raise potential DDoS flooding attack alarms when the flow entropy drops significantly in a short period of time. Furthermore, information distance is employed to differentiate DDoS attacks from flash crowds. In general, the attack traffic of one DDoS flooding attack session is generated by many bots from one botnet, and all of these bots are executing the same attack program. As a result, the similarity among attack traffic should be higher than that among flash crowds, which are generated by many random users. Mathematical models have been established for the proposed detection strategies. Analysis based on the models indicates that the proposed methods can raise the alarm for potential DDoS flooding attacks and can differentiate DDoS flooding attacks from flash crowds with conditions. The extensive experiments and simulations confirmed the effectiveness of our proposed detection strategies.

Relevance:

30.00%

Publisher:

Abstract:

 Dr. Wen's research includes modelling the propagation dynamics of malicious information, exposing the most influential people and source identification of epidemics in social networks. His research is beneficial to both academia and industry in the field of Internet social networks.