907 results for virtual private network
Abstract:
Network-based Intrusion Detection Systems (NIDSs) analyse network traffic to detect instances of malicious activity. Typically, this is only possible when the network traffic is accessible for analysis. With the growing use of Virtual Private Networks (VPNs) that encrypt network traffic, the NIDS can no longer access this crucial audit data. In this paper, we present an implementation and evaluation of our approach proposed in Goh et al. (2009). It is based on Shamir's secret-sharing scheme and allows a NIDS to function normally in a VPN without any modifications and without compromising the confidentiality afforded by the VPN.
Abstract:
We consider a new form of authenticated key exchange which we call multi-factor password-authenticated key exchange, where session establishment depends on successful authentication of multiple short secrets that are complementary in nature, such as a long-term password and a one-time response, allowing the client and server to be mutually assured of each other's identity without directly disclosing private information to the other party. Multi-factor authentication can provide an enhanced level of assurance in higher-security scenarios such as online banking, virtual private network access, and physical access because a multi-factor protocol is designed to remain secure even if all but one of the factors have been compromised. We introduce a security model for multi-factor password-authenticated key exchange protocols, propose an efficient and secure protocol called MFPAK, and provide a security argument to show that our protocol is secure in this model. Our security model is an extension of the Bellare-Pointcheval-Rogaway security model for password-authenticated key exchange and accommodates an arbitrary number of symmetric and asymmetric authentication factors.
Abstract:
The research reported in this paper documents the use of Web2.0 applications with six Western Australian schools that are considered to be regional and/or remote. With a population of two million people within an area of 2,525,500 square kilometres, Western Australia has a number of towns that are classified as regional and remote. Each of the three education systems has set up telecommunications networks to improve learning opportunities for students and administrative services for staff through a virtual private network (VPN) with access from anywhere, anytime, and ultimately to reduce the feeling of professional and social dislocation experienced by many teachers and students in the isolated communities. By using Web2.0 applications including video conferencing there are enormous opportunities to close the digital divide within the broad directives of the Networking the Nation plan. The Networking the Nation plan aims to connect all Australians regardless of where they are, hence closing the digital divide between city and regional living. Email and Internet facilities have greatly improved in rural, regional and remote areas, supporting everyday school use of the Internet. This study highlights the possibilities and issues for advanced telecommunications usage of Web2.0 applications, discussing the research undertaken with these schools. (Contains 1 figure and 3 tables.)
Abstract:
Most network operators have considered reducing Label Switched Router (LSR) label spaces (i.e. the number of labels that can be used) as a means of simplifying management of underlying Virtual Private Networks (VPNs) and, hence, reducing operational expenditure (OPEX). This letter discusses the problem of reducing the label spaces in Multiprotocol Label Switched (MPLS) networks using label merging - better known as MultiPoint-to-Point (MP2P) connections. Because of their origins in IP, MP2P connections have been considered to have tree-shapes with Label Switched Paths (LSP) as branches. Due to this fact, previous works by many authors affirm that the problem of minimizing the label space using MP2P in MPLS - the Merging Problem - cannot be solved optimally with a polynomial algorithm (NP-complete), since it involves a hard-decision problem. However, in this letter, the Merging Problem is analyzed from the perspective of MPLS, and it is deduced that tree-shapes in MP2P connections are irrelevant. By overriding this tree-shape consideration, it is possible to perform label merging in polynomial time. Based on how MPLS signaling works, this letter proposes an algorithm to compute the minimum number of labels using label merging: the Full Label Merging algorithm. In conclusion, we reclassify the Merging Problem as Polynomial-solvable, instead of NP-complete. In addition, simulation experiments confirm that without the tree-branch selection problem, more labels can be reduced.
Abstract:
Most network operators have considered reducing LSR label spaces (number of labels used) as a way of simplifying management of underlying virtual private networks (VPNs) and therefore reducing operational expenditure (OPEX). The IETF outlined the label merging feature in MPLS, allowing the configuration of multipoint-to-point connections (MP2P), as a means of reducing label space in LSRs. We found two main drawbacks in this label space reduction: a) it should be separately applied to a set of LSPs with the same egress LSR, which decreases the options for better reductions, and b) LSRs close to the edge of the network experience a greater label space reduction than those close to the core. The latter implies that MP2P connections reduce the number of labels asymmetrically.
Abstract:
The document reports, with experimental tests, a comparison of the performance that different VPN technologies achieve in wired and wireless scenarios. The tunneling protocol used to create the VPNs has a particular impact on network performance. The objective is precisely to evaluate which protocol provides the best quality in terms of performance, all through a targeted set of tests.
Abstract:
By combining virtualization technologies, virtual private network techniques and parameterization of network scenarios it is possible to enhance a networking laboratory, typically carried out in university laboratory premises using equipment located there, by interconnecting it to virtual networks running on the students' own personal computers. This paper describes some experiences applying this model to create hands-on assignments for a large group of students in computer networking education.
Abstract:
The cybernetics revolution of recent years has greatly improved our lives, giving us immediate access to services and a huge amount of information over the Internet. Nowadays users are increasingly asked to enter their sensitive information on the Internet, leaving traces everywhere. But there are some categories of people who cannot risk revealing their identities on the Internet. Although it was born to protect U.S. intelligence communications online, Tor is nowadays the most famous low-latency network that guarantees both the anonymity and privacy of its users. The aim of this thesis project is to understand well how the Tor protocol works, not only by studying its theory but also by implementing those concepts in practice, paying particular attention to security topics. In order to run a private Tor network that emulates the real one, a virtual testing environment has been configured. This setup allows experiments to be conducted without putting the anonymity and privacy of real users at risk. We used a Tor patch that stores TLS and circuit keys, which are given as inputs to a Tor dissector for Wireshark in order to obtain decrypted and decoded traffic. Observing clear traffic allowed us to check the protocol outline and to confirm the format of each cell. In addition, these tools made it possible to identify a traffic pattern, used to conduct a traffic correlation attack to passively deanonymize hidden service clients. The attacker, controlling two nodes of the Tor network, is able to link a request for a given hidden server to the client who made it, deanonymizing that client. The robustness of the traffic pattern and the statistics of the attack, such as the true positive rate and the false positive rate, are the subject of potential future work.
Abstract:
Until a few years ago, most network communications were based on wire as the physical medium, but due to the advances and the maturity of wireless communications, this is changing. Nowadays wireless communications offer fast, secure, efficient and reliable connections. Mobile communications are expanding, clearly driven by the use of smart phones and other mobile devices, the use of laptops, etc… Besides that, the investment in the installation and maintenance of the physical medium is much lower than in wired communications, not only because the air has no cost, but because the installation and maintenance of wire carry a high economic cost. Besides the economic cost, we find that wire is a more vulnerable medium to external threats such as noise, sabotage, etc… There are two different types of wireless networks: those in which the structure is part of the network itself, and those which lack any structure or centralization, so that the devices that form part of the network can connect to one another in a dynamic and random way, also handling the routing of all control and information messages; this kind of network is known as Ad-hoc. In the present work we will study one of the multiple wireless protocols that allow mobile communications, Optimized Link State Routing, from now on OLSR, a standard pro-active routing mechanism that works in a distributed way in order to establish the connections among the different nodes that belong to a wireless network. Thanks to this protocol it is possible to keep the routing tables in all the devices correctly updated at every moment through the periodic transmission of control messages, and in this way allow complete connectivity among the devices that are part of the network and also allow access to other external networks such as virtual private networks or the Internet.
This protocol could perfectly well be used in environments such as airports, malls, etc… The update of the routing tables in all the devices is achieved through the periodic transmission of control messages, and finally it will offer connectivity among all the devices and the corresponding external networks. For the study of the OLSR protocol we will have the help of the network simulator “Network Simulator 2”, a freeware network simulator programmed in C++ and based on discrete events. This simulator is used mainly in educational and research environments and supports a very extensive range of protocols, both wired network protocols and wireless network protocols, which is going to be really useful for simulating different configurations of networks and protocols. In the present work we will also study different simulations with Network Simulator 2, in different scenarios with different configurations, wired networks and Ad-hoc networks, where we will study the OLSR protocol. SUMMARY. Until a few years ago, most network communications were based on cable as the physical medium, but owing to the progress and maturity achieved in the field of wireless communications this is changing. Today wireless communications offer us fast, secure, efficient and reliable connections. Mobile communications are at their moment of maximum expansion, clearly driven by the use of phones and other mobile devices, the use of laptops, etc… In addition, the investment required for the installation and maintenance of the physical medium in mobile communications is far lower than in wired communications, not only because the air has no cost at all, but because the installation and maintenance of cable normally entail a high economic cost.
Besides the economic cost, we find that it is a medium more vulnerable to external threats such as noise, unauthorized eavesdropping, sabotage, etc… There are two types of wireless networks: those made up of an infrastructure that is more or less part of the network itself, and those that lack any structure or centralization, so that the devices that form part of them can connect to one another dynamically and arbitrarily, also taking charge of routing all control and information messages; networks of this type are known as Ad-hoc networks. This Final Degree Project will study one of the many wireless protocols that enable mobile communications, namely the Optimized Link State Routing wireless protocol, hereafter OLSR, a standard pro-active routing mechanism that works in a distributed manner to establish the connections between the nodes that form part of wireless Ad-hoc networks, which lack a central node and a pre-existing infrastructure. Thanks to this protocol it is possible for all the devices to keep their routing tables correctly updated at all times through the periodic transmission of control messages, and thus to allow complete connectivity among all the devices that form part of the network and, in turn, also allow access to other external networks such as virtual private networks or the Internet. This protocol would be used in environments such as airports. The update of the routing tables of all the devices will be achieved through the periodic transmission of control messages, and thus connectivity can finally be provided among all the devices and with the corresponding external networks. For the study of the OLSR protocol we will use the network simulator Network Simulator 2, a freeware network simulator programmed in C++ and based on discrete events.
This simulator is used mainly in educational and research environments and allows the simulation of both unicast and multicast protocols. The field in which it is most used is precisely research on mobile Ad-hoc networks. Network Simulator 2 not only implements the OLSR protocol but also implements a wide range of protocols, for both wired and wireless networks, which will be very useful to us for simulating different configurations of networks and protocols. This Final Degree Project will also study various simulations with the NS2 simulator in different scenarios with various configurations: wired networks and wireless Ad-hoc networks, where the aforementioned protocol, OLSR, will be studied. This Final Degree Project consists of four distinct parts. First, a complete study of the OLSR protocol will be carried out, looking at the benefits and drawbacks this wireless protocol offers. The different types of messages that exist in this protocol will also be covered, along with some short examples of how the OLSR protocol operates. Next, there will be a short introduction to the network simulator Network Simulator 2; we will look at the history of this simulator, and reference will also be made to the additional tool NAM, which will let us visualize, in an intuitive and friendly way, the exchange of packets that takes place between the different devices in our simulations. Mention will be made of the MASIMUM platform, which is responsible for providing software and documentation to its students in an academic setting in order to make research on and simulation of Ad-hoc networks and sensors easier for them. Finally, two examples will be presented: one in which a simulation is carried out between two PCs in an Ethernet environment, and another in which a wireless simulation is carried out between five mobile devices using the protocol under study, OLSR.
Abstract:
Secret-sharing schemes describe methods to securely share a secret among a group of participants. A properly constructed secret-sharing scheme guarantees that the share belonging to one participant does not reveal anything about the shares of others or even the secret itself. Besides the obvious feature which is to distribute a secret, secret-sharing schemes have also been used in secure multi-party computations and redundant residue number systems for error correction codes. In this paper, we propose that the secret-sharing scheme be used as a primitive in a Network-based Intrusion Detection System (NIDS) to detect attacks in encrypted networks. Encrypted networks such as Virtual Private Networks (VPNs) fully encrypt network traffic which can include both malicious and non-malicious traffic. Traditional NIDS cannot monitor encrypted traffic. Our work uses a combination of Shamir's secret-sharing scheme and randomised network proxies to enable a traditional NIDS to function normally in a VPN environment. In this paper, we introduce a novel protocol that utilises a secret-sharing scheme to detect attacks in encrypted networks.
Abstract:
Secret-sharing schemes describe methods to securely share a secret among a group of participants. A properly constructed secret-sharing scheme guarantees that the share belonging to one participant does not reveal anything about the shares of others or even the secret itself. Besides being used to distribute a secret, secret-sharing schemes have also been used in secure multi-party computations and redundant residue number systems for error correction codes. In this paper, we propose that the secret-sharing scheme be used as a primitive in a Network-based Intrusion Detection System (NIDS) to detect attacks in encrypted networks. Encrypted networks such as Virtual Private Networks (VPNs) fully encrypt network traffic which can include both malicious and non-malicious traffic. Traditional NIDS cannot monitor such encrypted traffic. We therefore describe how our work uses a combination of Shamir's secret-sharing scheme and randomised network proxies to enable a traditional NIDS to function normally in a VPN environment.
Abstract:
Network-based Intrusion Detection Systems (NIDSs) monitor network traffic for signs of malicious activities that have the potential to disrupt entire network infrastructures and services. NIDS can only operate when the network traffic is available and can be extracted for analysis. However, with the growing use of encrypted networks such as Virtual Private Networks (VPNs) that encrypt and conceal network traffic, a traditional NIDS can no longer access network traffic for analysis. The goal of this research is to address this problem by proposing a detection framework that allows a commercial off-the-shelf NIDS to function normally in a VPN without any modification. One of the features of the proposed framework is that it does not compromise on the confidentiality afforded by the VPN. Our work uses a combination of Shamir’s secret-sharing scheme and randomised network proxies to securely route network traffic to the NIDS for analysis. The detection framework is effective against two general classes of attacks – attacks targeted at the network hosts or attacks targeted at the framework itself. We implement the detection framework as a prototype program and evaluate it. Our evaluation shows that the framework does indeed detect these classes of attacks and does not introduce any additional false positives. Despite the increase in network overhead in doing so, the proposed detection framework is able to consistently detect intrusions through encrypted networks.