Managing trust in a distributed Mobile Ad Hoc Network (MANET) is challenging when collaboration or cooperation is critical to achieving mission and system goals such as reliability, availability, scalability, and reconfigurability. In defining and managing trust in a military MANET, we must consider the interactions between the composite cognitive, social, information and communication networks, and take into account the severe resource constraints (e.g., computing power, energy, bandwidth, time), and dynamics (e.g., topology changes, node mobility, node failure, propagation channel conditions). We seek to combine the notions of "social trust" derived from social networks with "quality-of-service (QoS) trust" derived from information and communication networks to obtain a composite trust metric. We discuss the concepts and properties of trust and derive some unique characteristics of trust in MANETs, drawing upon social notions of trust. We provide a survey of trust management schemes developed for MANETs and discuss generally accepted classifications, potential attacks, performance metrics, and trust metrics in MANETs. Finally, we discuss future research areas on trust management in MANETs based on the concept of social and cognitive networks.

/pdf/a-survey-on-trust-management-for-mobile-ad-hoc-networks-2gs07mjtah.pdf

A Survey on Trust Management for Mobile Ad Hoc Networks

Pervasive healthcare systems, smart grids, and unmanned aircraft systems are examples of Cyber-Physical Systems (CPSs) that have become highly integrated in the modern world. As this integration deepens, the importance of securing these systems increases. In order to identify gaps and propose research directions in CPS intrusion detection research, we survey the literature of this area. Our approach is to classify modern CPS Intrusion Detection System (IDS) techniques based on two design dimensions: detection technique and audit material. We summarize advantages and drawbacks of each dimension’s options. We also summarize the most and least studied CPS IDS techniques in the literature and provide insight on the effectiveness of IDS techniques as they apply to CPSs. Finally, we identify gaps in CPS IDS research and suggest future research areas.

/pdf/a-survey-of-intrusion-detection-techniques-for-cyber-51fb5blgwd.pdf

A survey of intrusion detection techniques for cyber-physical systems

Data centers deploy a variety of middleboxes (e.g., firewalls, load balancers and SSL offloaders) to protect, manage and improve the performance of applications and services they run. Since existing networks provide limited support for middleboxes, administrators typically overload path selection mechanisms to coerce traffic through the desired sequences of middleboxes placed on the network path. These ad-hoc practices result in a data center network that is hard to configure and maintain, wastes middlebox resources, and cannot guarantee middlebox traversal under network churn.To address these issues, we propose the policy-aware switching layer or PLayer, a new layer-2 for data centers consisting of inter-connected policy-aware switches or pswitches. Unmodified middleboxes are placed off the network path by plugging them into pswitches. Based on policies specified by administrators, pswitches explicitly forward different types of traffic through different sequences of middleboxes. Experiments using our prototype software pswitches suggest that the PLayer is flexible, uses middleboxes efficiently, and guarantees correct middlebox traversal under churn.

/pdf/a-policy-aware-switching-layer-for-data-centers-376vwt6hkh.pdf

A policy-aware switching layer for data centers

Motivation: For the biologist, running bioinformatics analyses involves a time-consuming management of data and tools. Users need support to organize their work, retrieve parameters and reproduce their analyses. They also need to be able to combine their analytic tools using a safe data flow software mechanism. Finally, given that scientific tools can be difficult to install, it is particularly helpful for biologists to be able to use these tools through a web user interface. However, providing a web interface for a set of tools raises the problem that a single web portal cannot offer all the existing and possible services: it is the user, again, who has to cope with data copy among a number of different services. A framework enabling portal administrators to build a network of cooperating services would therefore clearly be beneficial.

Results: We have designed a system, Mobyle, to provide a flexible and usable Web environment for defining and running bioinformatics analyses. It embeds simple yet powerful data management features that allow the user to reproduce analyses and to combine tools using a hierarchical typing system. Mobyle offers invocation of services distributed over remote Mobyle servers, thus enabling a federated network of curated bioinformatics portals without the user having to learn complex concepts or to install sophisticated software. While being focused on the end user, the Mobyle system also addresses the need, for the bioinfomatician, to automate remote services execution: PlayMOBY is a companion tool that automates the publication of BioMOBY web services, using Mobyle program definitions.

Availability: The Mobyle system is distributed under the terms of the GNU GPLv2 on the project web site (http://bioweb2.pasteur.fr/projects/mobyle/). It is already deployed on three servers: http://mobyle.pasteur.fr, http://mobyle.rpbs.univ-paris-diderot.fr and http://lipm-bioinfo.toulouse.inra.fr/Mobyle. The PlayMOBY companion is distributed under the terms of the CeCILL license, and is available at http://lipm-bioinfo.toulouse.inra.fr/biomoby/PlayMOBY/.

Contact: rf.ruetsap@troppus-elybom; rf.toredid-sirap-vinu.sbpr@troppus-elybom; rf.ruetsap@ladnotel

Supplementary information:Supplementary data are available at Bioinformatics online.

Mobyle: a new full web bioinformatics framework

Automatic protocol reverse-engineering is important for many security applications, including the analysis and defense against botnets. Understanding the command-and-control (C&C) protocol used by a botnet is crucial for anticipating its repertoire of nefarious activity and to enable active botnet infiltration. Frequently, security analysts need to rewrite messages sent and received by a bot in order to contain malicious activity and to provide the botmaster with an illusion of successful and unhampered operation. To enable such rewriting, we need detailed information about the intent and structure of the messages in both directions of the communication despite the fact that we generally only have access to the implementation of one endpoint, namely the bot binary. Current techniques cannot enable such rewriting. In this paper, we propose techniques to extract the format of protocol messages sent by an application that implements a protocol specification, and to infer the field semantics for messages both sent and received by the application. Our techniques enable applications such as rewriting the C&C messages for active botnet infiltration. We implement our techniques into Dispatcher, a tool to extract the message format and field semantics of both received and sent messages. We use Dispatcher to analyze MegaD, a prevalent spam botnet employing a hitherto undocumented C&C protocol, and show that the protocol information extracted by Dispatcher can be used to rewrite the C&C messages.

/pdf/dispatcher-enabling-active-botnet-infiltration-using-4rpyf10cw2.pdf

Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering

Creating an experimental infrastructure for developing next-generation information security technologies.

Cyber defense technology networking and evaluation

In this paper we extend the work presented in [1], [2] by quantifying the effects of in-band wormhole attacks on Intrusion Detection Systems. More specifically, we propose a mathematical framework for obtaining performance bounds of Byzantine attackers and the Intrusion Detection System (IDS) in terms of detection delay. We formulate the problem of distributed collaborative defense against coordinated attacks in MANET as a dynamic game problem. In our formulation we have on the one hand a group of attackers that observe what is going on in the network and coordinate their attack in an adaptive manner. On the other side, we have a group of defending nodes (the IDS nodes) that collaboratively observe the network and coordinate their actions against the attackers. Using extensions of the game theoretic framework of [3] we provide a mathematical framework for efficient identification of the worst attacks and damages that the attackers can achieve, as well as the best response of the defenders. This approach leads to quantifying resiliency of the routing-attack IDS with respect to Byzantine attacks.

/pdf/intrusion-detection-system-resiliency-to-byzantine-attacks-3gf9bua20n.pdf

Intrusion Detection System Resiliency to Byzantine Attacks: The Case Study of Wormholes in OLSR

In a wormhole attack, colluding nodes create the illusion that two remote regions of a MANET are directly connected through nodes that appear to be neighbors, but are actually distant from each other. This undermines shortest-path routing calculations, allowing the attacking nodes to attract traffic, which can then be manipulated. Prior research has concentrated on out-of-band wormholes, which covertly connect the purported neighbors via a separate wireline network or RF channel. We present a detailed description of in-band wormholes in OLSR networks. These connect the purported neighbors via covert, multi-hop tunnels. In-band wormholes are an important threat because they do not require specialized hardware and can be launched by any node in the MANET. Moreover, unlike out-of-band wormholes, in-band wormholes consume network capacity, inherently degrading service. We explain the conditions under which an in-band wormhole will collapse and how it can be made collapse resilient. We identify the self-contained and extended forms of in-band wormholes and present wormhole gravitational analysis, a technique for comparing the effect of wormholes on the network. Finally, we identify potential countermeasures for preventing and detecting in-band wormholes based on packet loss rates, packet delays, and topological characteristics, and we describe the results of initial laboratory experiments to assess their effectiveness.

In-Band Wormholes and Countermeasures in OLSR Networks

The explosive growth of the Internet and its increasingly critical role in supporting electronic commerce, transportation, and communications, have brought an equally explosive growth in attacks on Internet infrastructure and services. Some of the most difficult attacks to defend against are the Distributed Denial of Service (DDoS) attacks, in which an overwhelming flood of network packets is generated from many different sources, with the intent of preventing legitimate use of services. Typically, DDoS attacks are directed at one or more targets, such as end-users, web servers, entire networks or parts of networks, or networking infrastructure components. DDoS attacks pose a severe threat to the nation's ability to conduct business, defend itself, and provide vital government services to its citizens. Medium-scale DDoS attacks have been observed frequently during the past 2-3 years, and larger scale attacks are increasingly likely. For example, an amateur attacker disabled some of the world's largest web services (e.g., Yahoo!, CNN, Amazon, and Buy.com) for hours in February 2000. More recently, attacks against the CERT® Coordination Center [14] and edNET [15], a Scottish ISP, caused major disruptions in service. A determined enemy could perpetrate focused attacks that disable vital services at critical times, disrupt commerce, create uncertainty and panic among the public, and effectively prevent much of the electronic communication the U.S. Government relies on today. This serious national vulnerability can only be addressed through substantial and coordinated efforts by government and industry. Although DDoS has recently drawn significant attention from the network security research community, no general approach to a solution has yet been identified. The nature and goals of effective DDoS solutions are not yet clear, and no broadly applicable, practical DDoS defense implementations have been produced. Even simple DDoS attacks cause significant disruptions today; more sophisticated attack techniques, undoubtedly being developed, will be difficult or impossible to counter with current defense technology. Research experts believe the DDoS problem to be fundamentally difficult for several reasons. The network traffic transmitted in a DDoS attack can be virtually indistinguishable from traffic for legitimate use of a service. DDoS attacks make use of forged source addresses, indirection, reflection, and other techniques to conceal the locations of the computers that are the real sources of the attacks. Finally, the attack sources themselves, typically commandeered from unwitting legitimate users, are widely distributed among different independent networks, so stopping an attack at its source presents technological and administrative challenges. Developing …

Justification and Requirements for a National DDoS Defense Technology Evaluation Facility

A variety of attacks on MANET routing, forwarding, and infrastructure protocols can only be detected using distributed cooperative algorithms. One promising strategy is to organize cooperative intrusion detection activities as a multiple-level intrusion detection (ID) hierarchy in which each node reports intrusion detection observations to its parent. This enables detection decisions to be based on aggregated data that has been gathered and consolidated from neighborhoods and larger network regions efficiently. A key challenge is the selection and maintenance of a scalable and robust hierarchy that optimizes detection performance (e.g., low latency, continuous coverage) while incurring minimal cost (e.g., bandwidth consumption). Existing approaches to constructing hierarchies in MANETs based on simple heuristics lack flexibility and cannot simultaneously address diverse performance and cost requirements. Moreover, mobility can produce constant large scale changes in the hierarchy that can degrade performance and increase cost. The main contributions of this paper are to: (a) identify ID structure design requirements and formulate them as objective functions and constraints, (b) adapt a multi-objective optimization framework to the formation of ID structures and, (c) provide indicative results concerning the quality of these structures with respect to the ID design requirements.

D. Sterne

Papers

Cyber defense technology networking and evaluation

Intrusion Detection System Resiliency to Byzantine Attacks: The Case Study of Wormholes in OLSR

In-Band Wormholes and Countermeasures in OLSR Networks

Justification and Requirements for a National DDoS Defense Technology Evaluation Facility

A stochastic approximation approach for improving intrusion detection data fusion structures