
    A Parallel Architecture for Stateful Intrusion Detection in High Traffic Networks

    In a scenario where network bandwidth and traffic are continuously growing, network appliances that have to monitor and analyze all flowing packets are reaching their limits. These issues are critical especially for Network Intrusion Detection Systems (NIDS) that need to trace and reassemble every connection, and to examine every packet flowing on the monitored link(s), to guarantee high security levels. Any NIDS based on a single component cannot scale over certain thresholds, even if it has some parts built in hardware. Hence, parallel architectures appear as the most valuable alternative for the future. In this paper, we propose a parallel NIDS architecture that is able to provide us with fully reliable analysis, high performance and scalability. These properties come together with the low costs and high flexibility that are guaranteed by a total software implementation. The load balancing mechanism of the proposed NIDS distributes the traffic among a configurable number of parallel sensors, so that each of them is reached by a manageable amount of traffic. The parallelism and traffic distribution do not alter the results of the traffic analysis, which remains reliable and stateful.

    A collaborative framework for intrusion detection in mobile networks

    Mobile devices are becoming the most popular way of connection, but protocols supporting mobility represent a serious source of concerns because their initial design did not enforce strong security. This paper introduces a novel class of stealth network attacks, called mobility-based evasion, where an attacker splits a malicious payload in such a way that no part can be recognized by existing defensive mechanisms, including the most modern network intrusion detection systems operating in stateful mode. We propose an original cooperative framework for intrusion detection that can prevent mobility-based evasion. The viability and performance of the proposed solution are shown through a prototype applied to Mobile IPv4, Mobile IPv6 and WiFi protocols.

    Cybersecurity Domains: A design pattern for creating Zero Trust Architectures through microsegmentation

    Perimeter defense strategies are inadequate to ensure cybersecurity of infrastructures consisting of heterogeneous and dynamic resources. The Zero Trust security model emerges as the most promising solution to mitigate risks and protect assets, but significant organizational and implementation challenges hinder its adoption. Microsegmentation of networked systems composed of dynamic IT components and mobile devices causes several technological and management concerns. We present a comprehensive analysis of microsegmentation with the goal of identifying the key aspects that distinguish it from traditional perimeter defenses. We then propose a modular architectural design pattern that ensures adherence to the Zero Trust principles and satisfies its security constraints. This design is based on the concept of Security Domain, which represents the fundamental unit of network segmentation. By combining multiple Security Domains and following precise rules that provably preserve network security, it becomes possible to create complex infrastructures from elementary building blocks. We also provide a formal specification of the proposed design by means of the TLA+ modeling language. We leverage this model to verify its correctness and security properties even in the presence of insider threats.

    Framework and Models for Multistep Attack Detection

    Cyber attacks are becoming increasingly complex, especially when the target is a modern IT infrastructure, characterized by a layered architecture that integrates several security technologies such as firewalls and intrusion detection systems. These contexts can be violated by a multistep attack, that is, a complex attack strategy that comprises multiple correlated intrusion activities. While a modern Intrusion Detection System detects single intrusions, it is unable to link them together and to highlight the strategy that underlies a multistep attack. Hence, a single multistep attack may generate a high number of uncorrelated intrusion alerts. The critical task of analyzing and correlating all these alerts is then performed manually by security experts. This process is time consuming and prone to human errors. This paper proposes a novel framework for the analysis and correlation of security alerts generated by state-of-the-art Intrusion Detection Systems. Our goal is to help security analysts in recognizing and correlating intrusion activities that are part of the same multistep attack scenario. The proposed framework produces correlation graphs, in which all the intrusion alerts that are part of the same multistep attack are linked together. By looking at these correlation graphs, a security analyst can quickly identify the relationships that link together seemingly uncorrelated intrusion alerts, and can easily recognize complex attack strategies and identify their final targets. Moreover, the proposed framework is able to leverage multiple algorithms for alert correlation.

    Collaborative architecture for malware detection and analysis

    The constant increase of malware threats clearly shows that the present countermeasures are not sufficient, especially because most actions are put in place only when infections have already spread. In this paper, we present an innovative collaborative architecture for malware analysis that aims at early detection and timely deployment of countermeasures. The proposed system is a multi-tier architecture where the sensor nodes are geographically distributed over multiple organizations. These nodes send alerts to intermediate managers that, in their turn, communicate with one logical collector and analyzer. Relevant information, which is determined by the automatic analysis of the malware behavior in a sandbox, and countermeasures are sent to all the cooperating networks. There are many other novel features in the proposal. The architecture is extremely scalable and flexible because multiple levels of intermediate managers can be utilized depending on the complexity of the network of the participating organization. Ciphered communications among components help prevent the leakage of sensitive information and allow the pairwise authentication of the nodes involved in the information sharing. The feasibility of the proposed architecture is demonstrated through an operative prototype realized using open source software.

    Adaptive traffic filtering for efficient and secure IP mobility

    The Mobile IP (MIP) protocol that supports node mobility in IP networks may be implemented through two routing schemes: triangular routing and reverse tunneling. While triangular routing guarantees better performance because of shorter routing paths, it is not compatible with egress filtering policies enforced by many firewalls. As a result, it is necessary to resort to the slower reverse tunneling routing scheme, which causes lower mobile connection throughput and higher round trip times. In this paper, we propose an innovative adaptive traffic filtering technique in which egress filtering rules are dynamically and automatically modified to reflect the presence of mobile nodes inside the protected network. The proposed scheme, called secure triangular routing, guarantees the best trade-off between performance and security because it enables triangular routing without violating network security policies. Viability and performance improvements of the proposed solution have been demonstrated by experiments carried out through a prototype. The proposed solution does not require any modification in correspondent nodes or in their networks, and it fully complies with the MIP protocol specifications.

    Anomaly detection of CAN bus messages through analysis of ID sequences

    This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers in the CAN bus of modern vehicles. The proposed algorithm identifies anomalies in the sequence of messages that flow in the CAN bus and is characterized by small memory and computational footprints, which make it applicable to current ECUs. Its detection performance is demonstrated through experiments carried out on real CAN traffic gathered from an unmodified licensed vehicle.

    Cooperative approaches to SIEM and Intrusion Detection

    The original approach to intrusion detection was based on the deployment of a centralized component that gathers and analyzes events at system or network level. In this chapter we present architectures that leverage multiple components and cooperation techniques for the analysis and management of large numbers of security events generated by complex information systems. Their goal is to enhance the system capability and/or to improve the analysis efficacy by merging and correlating security alerts coming from different sources.

    HackCar: a test platform for attacks and defenses on a cost-contained automotive architecture

    In this paper, we introduce the design of HackCar, a testing platform for replicating attacks and defenses on a generic automotive system without requiring access to a complete vehicle. This platform empowers security researchers to illustrate the consequences of attacks targeting an automotive system on a realistic platform, facilitating the development and testing of security countermeasures against both existing and novel attacks. The HackCar platform is built upon an F1-10th model, to which various automotive-grade microcontrollers are connected through automotive communication protocols. This solution is crafted to be entirely modular, allowing for the creation of diverse test scenarios. Researchers and practitioners can thus develop innovative security solutions while adhering to the constraints of automotive-grade microcontrollers. We showcase our design by comparing it with a real, licensed, and unmodified vehicle. Additionally, we analyze the behavior of the HackCar in both an attack-free scenario and a scenario where an attack on in-vehicle communication is deployed.