Estudo e análise das redes centradas em conteúdos

A Internet, conforme a conhecemos, foi projetada com base na pilha de protocolos TCP/IP, que foi desenvolvida nos anos 60 e 70 utilizando um paradigma centrado nos endereços individuais de cada máquina (denominado host-centric). Este paradigma foi extremamente bem-sucedido em interligar máquinas através de encaminhamento baseado no endereço IP. Estudos recentes demonstram que, parte significativa do tráfego atual da Internet centra-se na transferência de conteúdos, em vez das tradicionais aplicações de rede, conforme foi originalmente concebido. Surgiram então novos modelos de comunicação, entre eles, protocolos de rede ponto-a-ponto, onde cada máquina da rede pode efetuar distribuição de conteúdo (denominadas de redes peer-to-peer), para melhorar a distribuição e a troca de conteúdos na Internet. Por conseguinte, nos últimos anos o paradigma host-centric começou a ser posto em causa e apareceu uma nova abordagem de Redes Centradas na Informação (ICN - information-centric networking). Tendo em conta que a Internet, hoje em dia, basicamente é uma rede de transferência de conteúdos e informações, porque não centrar a sua evolução neste sentido, ao invés de comunicações host-to-host? O paradigma de Rede Centrada no Conteúdo (CCN - Content Centric Networking) simplifica a solução de determinados problemas de segurança relacionados com a arquitetura TCP/IP e é uma das principais propostas da nova abordagem de Redes Centradas na Informação. Um dos principais problemas do modelo TCP/IP é a proteção do conteúdo. Atualmente, para garantirmos a autenticidade e a integridade dos dados partilhados na rede, é necessário garantir a segurança do repositório e do caminho que os dados devem percorrer até ao seu destino final. No entanto, a contínua ineficácia perante os ataques de negação de serviço praticados na Internet, sugere a necessidade de que seja a própria infraestrutura da rede a fornecer mecanismos para os mitigar. Um dos principais pilares do paradigma de comunicação da CCN é focalizar-se no próprio conteúdo e não na sua localização física. Desde o seu aparecimento em 2009 e como consequência da evolução e adaptação a sua designação mudou atualmente para Redes de Conteúdos com Nome (NNC – Named Network Content). Nesta dissertação, efetuaremos um estudo de uma visão geral da arquitetura CCN, apresentando as suas principais características, quais os componentes que a compõem e como os seus mecanismos mitigam os tradicionais problemas de comunicação e de segurança. Serão efetuadas experiências com o CCNx, que é um protótipo composto por um conjunto de funcionalidades e ferramentas, que possibilitam a implementação deste paradigma. O objetivo é analisar criticamente algumas das propostas existentes, determinar oportunidades, desafios e perspectivas para investigação futura.

Palvelunestohyökkäyksiltä suojautuminen ja niiden torjuminen

Kybersodankäynnin merkitys on kasvanut viime vuosina merkittävästi, ja yhtenä kyberso-dankäynnin välineenä voidaan käyttää palvelunestohyökkäyksiä. Tässä tutkimuksessa selvi-tän millä menetelmillä palvelunestohyökkäyksiltä voidaan suojautua ja miten niitä voidaan torjua. Tutkimuksen pääkysymyksenä on: Millä menetelmillä voidaan suojautua palvelunes-tohyökkäyksien vaikutukselta? ja alakysymyksiä ovat: Mikä on palvelunestohyökkäys ja mi-ten se toimii? Mitä erilaisia palvelunestohyökkäyksiä on olemassa? Miten eri palvelunesto-hyökkäykset vaikuttavat? Miten palvelunestohyökkäys havaitaan? Tutkielman lähteinä on käytetty pääasiassa aihealuetta käsitteleviä ja sitä sivuuttavia tutkimuksia. Palvelunestohyökkäyksellä (Denial of Service, DoS) tarkoitetaan Internet-palveluun tai muu-hun tietotekniseen palveluun oikeutettujen käyttäjien palvelun käyttämisen estämistä tai huomattavaa hidastamista kuormittamalla joko tietoliikennettä tai itse kohdejärjestelmää. Palvelunestohyökkäykset ovat keskeytyshyökkäyksiä, joilla toisin kuin muilla kyberhyökkä-yksillä ei yleensä pyritä varastamaan tietoa tai asentamaan haittaohjelmia, vaan pelkästään es-tämään palvelun tai järjestelmän käyttö siihen oikeutetuilta käyttäjiltä. Tutkielman tuloksista selviää, että palvelunestohyökkäyksiä vastaan taisteleminen voidaan jakaa kolmeen osaan: hyökkäysten estämiseen, niiden havaitsemiseen sekä hyökkäyksen tor-jumiseen. Tärkeintä palvelunestohyökkäysten välttämisessä on niiden ennaltaehkäisy. Hyväk-si havaittu yleinen tapa ennaltaehkäistä hyökkäyksiä ja parantaa tietoturvallisuutta on pitää tietoverkko yksinkertaisena, hyvin organisoituna ja hyvin ylläpidettynä sekä päivitettynä. Jo-kaiseen eri palvelunestohyökkäystyyppiin löytyy kyllä suojautumis- ja torjuntakeinot, mutta niiden tehokkuutta hyökkäyksen pysähtymiselle ei voida taata. Vaikeimpia palvelunesto-hyökkäyksiä suojautumisen ja torjumisen suhteen ovat hajautetut palvelunestohyökkäykset, koska niitä ei voida suodattaa IP-osoitteen perusteella.

Lutte aux botnets : les politiques de prévention s'avèrent-elles efficaces?

Les alertes que nos logiciels antivirus nous envoient ou encore les différents reportages diffusés dans les médias nous font prendre conscience de l'existence des menaces dans le cyberespace. Que ce soit les pourriels, les attaques par déni de service ou les virus, le cyberespace regorge de menaces qui persistent malgré les efforts qui sont déployés dans leur lutte. Est-ce que cela a à voir avec l'efficacité des politiques en place actuellement pour lutter contre ce phénomène? Pour y répondre, l'objectif général du présent mémoire est de vérifier quelles sont les politiques de prévention (lois anti-pourriel, partenariats publics-privés et démantèlements de botnets) qui influencent le plus fortement le taux de menaces informatiques détectées, tout en s'attardant également à l'effet de différents facteurs socio-économiques sur cette variable. Les données collectées par le logiciel antivirus de la compagnie ESET ont été utilisées. Les résultats suggèrent que les partenariats publics-privés offrant une assistance personnalisée aux internautes s'avèrent être la politique de prévention la plus efficace. Les démantèlements de botnets peuvent également s'avérer efficaces, mais seulement lorsque plusieurs acteurs/serveurs importants du réseau sont mis hors d'état de nuire. Le démantèlement du botnet Mariposa en est un bon exemple. Les résultats de ce mémoire suggèrent que la formule partenariats-démantèlements serait le choix le plus judicieux pour lutter contre les cybermenaces. Ces politiques de prévention possèdent toutes deux des méthodes efficaces pour lutter contre les menaces informatiques et c'est pourquoi elles devraient être mises en commun pour assurer une meilleure défense contre ce phénomène.

Group 21 Slartibartfast - Group Resource

Informative website about Anonymous/LulzSec and Denial of Service attacks

INFO6003: Network Security: DDoS

A run through various aspects of Distributed Denial of Service attacks

Enhanced three-factor security protocol for consumer USB mass storage devices

The Universal Serial Bus (USB) is an extremely popular interface standard for computer peripheral connections and is widely used in consumer Mass Storage Devices (MSDs). While current consumer USB MSDs provide relatively high transmission speed and are convenient to carry, the use of USB MSDs has been prohibited in many commercial and everyday environments primarily due to security concerns. Security protocols have been previously proposed and a recent approach for the USB MSDs is to utilize multi-factor authentication. This paper proposes significant enhancements to the three-factor control protocol that now makes it secure under many types of attacks including the password guessing attack, the denial-of-service attack, and the replay attack. The proposed solution is presented with a rigorous security analysis and practical computational cost analysis to demonstrate the usefulness of this new security protocol for consumer USB MSDs.

Proposta de uma ferramenta de visualização e realidade virtual para o monitoramento de tráfego de redes de computadores

Pós-graduação em Ciência da Computação - IBILCE

A Dataset for Evaluating Intrusion Detection Systems in IEEE 802.11 Wireless Networks

Internet access by wireless networks has grown considerably in recent years. However, these networks are vulnerable to security problems, especially those related to denial of service attacks. Intrusion Detection Systems(IDS)are widely used to improve network security, but comparison among the several existing approaches is not a trivial task. This paper proposes building a datasetfor evaluating IDS in wireless environments. The data were captured in a real, operating network. We conducted tests using traditional IDS and achieved great results, which showed the effectiveness of our proposed approach.

Segurança em redes sem fio: estudo sobre o desenvolvimento de conjuntos de dados para comparação de IDS

Pós-graduação em Engenharia Elétrica - FEIS

Distributed Hybrid Agent Based Intrusion Detection and Real Time Response System

Wireless LANs are growing rapidly and security has always been a concern. We have implemented a hybrid system, which will not only detect active attacks like identity theft causing denial of service attacks, but will also detect the usage of access point discovery tools. The system responds in real time by sending out an alert to the network administrator.

Sicurezza di rete, analisi del traffico e monitoraggio.

Il lavoro è stato suddiviso in tre macro-aree. Una prima riguardante un'analisi teorica di come funzionano le intrusioni, di quali software vengono utilizzati per compierle, e di come proteggersi (usando i dispositivi che in termine generico si possono riconoscere come i firewall). Una seconda macro-area che analizza un'intrusione avvenuta dall'esterno verso dei server sensibili di una rete LAN. Questa analisi viene condotta sui file catturati dalle due interfacce di rete configurate in modalità promiscua su una sonda presente nella LAN. Le interfacce sono due per potersi interfacciare a due segmenti di LAN aventi due maschere di sotto-rete differenti. L'attacco viene analizzato mediante vari software. Si può infatti definire una terza parte del lavoro, la parte dove vengono analizzati i file catturati dalle due interfacce con i software che prima si occupano di analizzare i dati di contenuto completo, come Wireshark, poi dei software che si occupano di analizzare i dati di sessione che sono stati trattati con Argus, e infine i dati di tipo statistico che sono stati trattati con Ntop. Il penultimo capitolo, quello prima delle conclusioni, invece tratta l'installazione di Nagios, e la sua configurazione per il monitoraggio attraverso plugin dello spazio di disco rimanente su una macchina agent remota, e sui servizi MySql e DNS. Ovviamente Nagios può essere configurato per monitorare ogni tipo di servizio offerto sulla rete.

Algoritmos de agrupación para flujos de datos en entornos centralizados y distribuidos

Los avances en el hardware permiten disponer de grandes volúmenes de datos, surgiendo aplicaciones que deben suministrar información en tiempo cuasi-real, la monitorización de pacientes, ej., el seguimiento sanitario de las conducciones de agua, etc. Las necesidades de estas aplicaciones hacen emerger el modelo de flujo de datos (data streaming) frente al modelo almacenar-para-despuésprocesar (store-then-process). Mientras que en el modelo store-then-process, los datos son almacenados para ser posteriormente consultados; en los sistemas de streaming, los datos son procesados a su llegada al sistema, produciendo respuestas continuas sin llegar a almacenarse. Esta nueva visión impone desafíos para el procesamiento de datos al vuelo: 1) las respuestas deben producirse de manera continua cada vez que nuevos datos llegan al sistema; 2) los datos son accedidos solo una vez y, generalmente, no son almacenados en su totalidad; y 3) el tiempo de procesamiento por dato para producir una respuesta debe ser bajo. Aunque existen dos modelos para el cómputo de respuestas continuas, el modelo evolutivo y el de ventana deslizante; éste segundo se ajusta mejor en ciertas aplicaciones al considerar únicamente los datos recibidos más recientemente, en lugar de todo el histórico de datos. En los últimos años, la minería de datos en streaming se ha centrado en el modelo evolutivo. Mientras que, en el modelo de ventana deslizante, el trabajo presentado es más reducido ya que estos algoritmos no sólo deben de ser incrementales si no que deben borrar la información que caduca por el deslizamiento de la ventana manteniendo los anteriores tres desafíos. Una de las tareas fundamentales en minería de datos es la búsqueda de agrupaciones donde, dado un conjunto de datos, el objetivo es encontrar grupos representativos, de manera que se tenga una descripción sintética del conjunto. Estas agrupaciones son fundamentales en aplicaciones como la detección de intrusos en la red o la segmentación de clientes en el marketing y la publicidad. Debido a las cantidades masivas de datos que deben procesarse en este tipo de aplicaciones (millones de eventos por segundo), las soluciones centralizadas puede ser incapaz de hacer frente a las restricciones de tiempo de procesamiento, por lo que deben recurrir a descartar datos durante los picos de carga. Para evitar esta perdida de datos, se impone el procesamiento distribuido de streams, en concreto, los algoritmos de agrupamiento deben ser adaptados para este tipo de entornos, en los que los datos están distribuidos. En streaming, la investigación no solo se centra en el diseño para tareas generales, como la agrupación, sino también en la búsqueda de nuevos enfoques que se adapten mejor a escenarios particulares. Como ejemplo, un mecanismo de agrupación ad-hoc resulta ser más adecuado para la defensa contra la denegación de servicio distribuida (Distributed Denial of Services, DDoS) que el problema tradicional de k-medias. En esta tesis se pretende contribuir en el problema agrupamiento en streaming tanto en entornos centralizados y distribuidos. Hemos diseñado un algoritmo centralizado de clustering mostrando las capacidades para descubrir agrupaciones de alta calidad en bajo tiempo frente a otras soluciones del estado del arte, en una amplia evaluación. Además, se ha trabajado sobre una estructura que reduce notablemente el espacio de memoria necesario, controlando, en todo momento, el error de los cómputos. Nuestro trabajo también proporciona dos protocolos de distribución del cómputo de agrupaciones. Se han analizado dos características fundamentales: el impacto sobre la calidad del clustering al realizar el cómputo distribuido y las condiciones necesarias para la reducción del tiempo de procesamiento frente a la solución centralizada. Finalmente, hemos desarrollado un entorno para la detección de ataques DDoS basado en agrupaciones. En este último caso, se ha caracterizado el tipo de ataques detectados y se ha desarrollado una evaluación sobre la eficiencia y eficacia de la mitigación del impacto del ataque. ABSTRACT Advances in hardware allow to collect huge volumes of data emerging applications that must provide information in near-real time, e.g., patient monitoring, health monitoring of water pipes, etc. The data streaming model emerges to comply with these applications overcoming the traditional store-then-process model. With the store-then-process model, data is stored before being consulted; while, in streaming, data are processed on the fly producing continuous responses. The challenges of streaming for processing data on the fly are the following: 1) responses must be produced continuously whenever new data arrives in the system; 2) data is accessed only once and is generally not maintained in its entirety, and 3) data processing time to produce a response should be low. Two models exist to compute continuous responses: the evolving model and the sliding window model; the latter fits best with applications must be computed over the most recently data rather than all the previous data. In recent years, research in the context of data stream mining has focused mainly on the evolving model. In the sliding window model, the work presented is smaller since these algorithms must be incremental and they must delete the information which expires when the window slides. Clustering is one of the fundamental techniques of data mining and is used to analyze data sets in order to find representative groups that provide a concise description of the data being processed. Clustering is critical in applications such as network intrusion detection or customer segmentation in marketing and advertising. Due to the huge amount of data that must be processed by such applications (up to millions of events per second), centralized solutions are usually unable to cope with timing restrictions and recur to shedding techniques where data is discarded during load peaks. To avoid discarding of data, processing of streams (such as clustering) must be distributed and adapted to environments where information is distributed. In streaming, research does not only focus on designing for general tasks, such as clustering, but also in finding new approaches that fit bests with particular scenarios. As an example, an ad-hoc grouping mechanism turns out to be more adequate than k-means for defense against Distributed Denial of Service (DDoS). This thesis contributes to the data stream mining clustering technique both for centralized and distributed environments. We present a centralized clustering algorithm showing capabilities to discover clusters of high quality in low time and we provide a comparison with existing state of the art solutions. We have worked on a data structure that significantly reduces memory requirements while controlling the error of the clusters statistics. We also provide two distributed clustering protocols. We focus on the analysis of two key features: the impact on the clustering quality when computation is distributed and the requirements for reducing the processing time compared to the centralized solution. Finally, with respect to ad-hoc grouping techniques, we have developed a DDoS detection framework based on clustering.We have characterized the attacks detected and we have evaluated the efficiency and effectiveness of mitigating the attack impact.

STONE: a stream-based DDoS defense framework

An effective Distributed Denial of Service (DDoS) defense mechanism must guarantee legitimate users access to an Internet service masking the effects of possible attacks. That is, it must be able to detect threats and discard malicious packets in a online fashion. Given that emerging data streaming technology can enable such mitigation in an effective manner, in this paper we present STONE, a stream-based DDoS defense framework, which integrates anomaly-based DDoS detection and mitigation with scalable data streaming technology. With STONE, the traffic of potential targets is analyzed via continuous data streaming queries maintaining information used for both attack detection and mitigation. STONE provides minimal degradation of legitimate users traffic during DDoS attacks and it also faces effectively flash crowds. Our preliminary evaluation based on an implemented prototype and conducted with real legitimate and malicious traffic traces shows that STONE is able to provide fast detection and precise mitigation of DDoS attacks leveraging scalable data streaming technology.

Priority realloc: um mecanismo para alocação de rotas e recursos em redes EON.

Backbone networks are responsible for long-haul data transport serving many clients with a large volume of data. Since long-haul data transport service must rely on a robust high capacity network the current technology broadly adopted by the industry is Wavelength Division Multiplexing (WDM). WDM networks enable one single ber to operate with multiple high capacity channels, drastically increasing the ber capacity. In WDM networks each channel is associated with an individual wavelength. Therefore a whole wavelength capacity is assigned to a connection, causing waste of bandwidth in case the connection bandwidth requirement is less than the channel total capacity. In the last half decade, Elastic Optical Networks (EON) have been proposed and developed based on the fexible use of the optical spectrum known as the exigrid. EONs are adaptable to clients requirements and may enhance optical networks performance. For these reasons, research community and data transport providers have been demonstrating increasingly high interest in EONs which are likely to replace WDM as the universally adopted technology in backbone networks in the near future. EONs have two characteristics that may limit its ecient resources use. The spectrum fragmentation, inherent to the dynamic EON operation, decrease the network capacity to assign resources to connection requests increasing network blocking probability. The spectrum fragmentation also intensifides the denial of service to higher rate request inducing service unfairness. Due to the fact EONs were just recently developed and proposed, the aforementioned issues were not yet extensively studied and solutions are still being proposed. Furthermore, EONs do not yet provide specific features as differentiated service mechanisms. Differentiated service strategies are important in backbone networks to guarantee client\'s diverse requirements in case of a network failure or the natural congestion and resources contention that may occur at some periods of time in a network. Impelled by the foregoing facts, this thesis objective is three-fold. By means of developing and proposing a mechanism for routing and resources assignment in EONs, we intend to provide differentiated service while decreasing fragmentation level and increasing service fairness. The mechanism proposed and explained in this thesis was tested in a EON simulation environment and performance results indicated that it promotes beneficial performance enhancements when compared to benchmark algorithms.

Cluster scheduling and load balancing via TCP options

This paper describes an experiment in designing, implementing and testing a Transport layer cluster scheduling and dispatching architecture. The motivation for the experiment was the hypothesis that a Transport layer clustering solution may offer advantantages over the existing industry-standard Network layer and Data Link Layer approaches. The critical success factors initially established to guide and evaluate the experiment were reduced dispatcher work load, reduced dispatcher internal state memory requirements, distributed denial of service resilience, and cluster software design simplicity. The functional design stage of the experiment produced a Transport layer strategy for scheduling and load balancing based on the specification of two new TCP options. Implementation required the introduction of the newly specified TCP options into the Linux (2.4) kernel. The implementation produced an extended Linux Socket API to facilitate user-process access to the additional TCP capability. The testing stage of the experiment confirmed the operational efficiency of the solution.