An estimate of a portion of network traffic that is nonconforming to a communication transmission control protocol is used to signal that a distributed denial of service attack may be occurring. Traffic flows are aggregated and packets are intentionally dropped from the flow aggregate in accordance with an assigned perturbation signature. The flow aggregates are observed to determine if the rate of arrival of packets that have a one-to-one transmission correspondence with the dropped packets are similarly responsive to the perturbation signature. By assigning orthogonal perturbation signatures to different routers, multiple routers may perform the test on the aggregate and the results of the test will be correctly ascertained at each router. Nonconforming aggregates may be redefined to finer granularity to determine the node on the network that is under attack, which may then take mitigating action.

Detection of nonconforming network traffic flow aggregates for mitigating distributed denial of service attacks

Systems and methods for domain classification using the network request behavior of clients are provided. The network requests of a plurality of clients are analyzed to determine a domain corresponding to each request. This information can be used to associate a set of domains with each individual client. Because of the reciprocal nature of a network request, the information is also used to associate a set of clients with each individual domain. Within the plurality of domains associated with the plurality of clients, there may exist known domains having a classification and unknown domains having no classification. Based on the correlation of clients and domains from their respective associations, the system generates domain classification information for at least one of the unknown domains.

Domain classification based on client request behavior

Embodiments include processes, systems, and devices for initiating proximity actions upon the activation of a proximity connection. A proximity service receives an indication from a proximity provider that a proximity connection is established, and then determines a joint proximity context of the proximity connection. The proximity service then initiates a proximity action to facilitate a proximity function indicated by the joint proximity context. Joint proximity contexts include indications that an application has queued content to be shared with a proximity device, that an application has registered to publish messages on a namespace, that an application has subscribed to messages on a namespace, that an application has registered to find a peer application on a proximity device to enable multi-user collaboration, and that a device seeks to pair with another device.

Platform-enabled proximity service

The number of internet users and devices that are in need for more IP addresses to be assigned to them is rapidly increasing. A new protocol named IPv6 was developed in 1998 to overcome the addressing issue and to improve network communications in general. IPv6 is an improved protocol compared to IPv4 in terms of security since it provides built-in security mechanisms, such as IPSec. In addition, it brought new functionalities, such as Neighbour Discovery Protocol (NDP) procedure, which depends on Internet Control Message Protocol version 6 (ICMPv6) protocol messages. However, IPv6 inherited a number of attacks from IPv4 in addition to new attacks it brought within its new features. One of the most common attacks is the Denial of Service (DoS) attack due to its ease of being launched in different ways. A more serious DoS attack can be launched from many hosts called Distributed Denial of Service (DDoS). DoS and DDoS attacks are thorny and a grave problem of today's internet, resulting in economic damages for organizations and individuals. Therefore, this paper is created to study the properties of DoS and DDoS attacks against IPv6 networks using ICMPv6 messages. Additionally, it analyzes the various existing detection and prevention approaches that are proposed to tackle ICMPv6-based DoS and DDoS attacks. Moreover, it explains the existing tools that might be used for performing these attacks.

ICMPv6-Based DoS and DDoS Attacks and Defense Mechanisms: Review

Neighbor discovery protocol (NDP) is the core protocol of Internet protocol version 6 (IPv6) suite. The motive behind NDP is to replace address resolution protocol (ARP), router discovery, and redirect functions in Internet protocol version 4. NDP is known as the stateless protocol as it is utilized by the IPv6 nodes to determine joined hosts as well as routers in an IPv6 network without the need of dynamic host configuration protocol server. NDP is susceptible to attacks due to the deficiency in its authentication process. Securing NDP is extremely crucial as the Internet is prevalent nowadays and it is widely used in communal areas, for instance, airports, where trust does not exist among the users. A malicious host is able to expose denial of service or man-in-the-middle attacks by injecting spoofed address in NDP messages. With the intention to protect the NDP many solutions were proposed by researchers. However, these solutions either introduced new protocols that need to be supported by all nodes or built mechanisms that require the cooperation of all nodes. Moreover, some solutions are deviating from the layering principals of open system interconnection model. Therefore, the necessity to study NDP in details to recognize and identify the points that could be a source of enhancement has become mandatory task. This article revolves around the survey of the vulnerabilities mitigations approaches of NDP, since the time of the protocol development up to the date of finalized this paper. We described the technical specifications of NDP showing its components, functions, and working procedures. In addition, each threat of NDP is classified and explained in details. Open challenges of NDP and recommended future directions for scientific research are presented at the end of this paper.

IPv6 Neighbor Discovery Protocol Specifications, Threats and Countermeasures: A Survey

Provided is an apparatus and a method for security managing of an information terminal. The provided classifies a plurality of information providing means into a plurality of domains including at least one information providing means and when a user process accesses any one domain and then attempts to access another domain, controls the access to said another domain by verifying whether or not the access of the user process to said another domain is allowed. According to the provided, security threats are monitored for each domain which an execution process accesses by simply constructing domain classification information of an entire system without specifically establishing a security policy of an information providing device, such that it is possible to protect a terminal from a multi-domain access process having high security risk. Accordingly, it is advantageous to increase security for the terminal from various security threats.

Apparatus and method for security managing of information terminal

Neighbor Discovery (ND) protocol has been proposed to discover neighboring hosts and routers in IPv6 wired or wireless local networks. Even though ND protocol is very useful, it has a weakness to security because it allows a malicious user to impersonate a legitimate host or a router by forging ND protocol messages. To address the security problem, IETF (Internet Engineering Task Force) has proposed SEcure Neighbor Discovery (SEND) protocol. The key functions of SEND protocol include address ownership proof mechanism, ND protocol message protection mechanism, reply attack prevention mechanism, and router authentication mechanism. In this paper, we analyze SEND protocol in the view point of security through several experiments. For this, we implement SEND protocol in IPv6 real system and develop a simulation environment. Based on the experimental results, we also propose a monitoring-based ND message differentiation scheme which is able to make up for security vulnerability of SEND protocol effectively.

Analysis of SEND Protocol through Implementation and Simulation

Provided are an apparatus and method for limiting bandwidths of burst aggregate flows according to the present invention. The apparatus comprises: a bandwidth measuring unit measuring a bandwidth of at least one input aggregate flow; a grade determining unit determining abnormal grades according to abnormal levels of the input aggregate flows; a bandwidth limit determining unit determining a bandwidth volume and aggregate flow to be limited; a bandwidth limiting unit inputting a result determined by the bandwidth limit determining unit, limiting or releasing a bandwidth of a aggregate flow selected among the input aggregate flows and outputting the selected aggregate flow; and a status information storage unit storing status information including a usage bandwidth, an abnormal grade, and a limited bandwidth volume of the input aggregate flow. Accordingly, the apparatus and method provide an effect of dropping attack aggregate flows corresponding to excessive traffic while not influencing normal aggregate flows.

Apparatus and method for limiting bandwidths of burst aggregate flows

Strong access control mechanisms become most critical when we need security services in large-scale computing environments of sensitive organizations. Furthermore, if users join or leave such computing environment frequently, requiring different access control decisions based on their current job responsibilities and contexts, the need for advanced access control is pressing. Although the currently available access control approaches have a great potential for providing reliable service, there are still critical obstacles to be solved, especially in large-scale, dynamic computing environments. In this paper we introduce an advanced access control mechanism, Active Access Control (AAC), which accounts for the ability to make dynamic access control decisions based not only on pre-defined privileges, but also on the current situation of the user. The framework of the proposed AAC approach provides fine-grained access control, by considering a variety of attributes about the user and the current computing environment, especially, when the users contexts are frequently changed. Although the outputs of the AAC approach can be integrated with any other existing access control mechanisms and improve the overall fine-granularity, as a full demonstration of our approach for fine-granularity as well as scalability, in this particular paper we focus on large-scale computing environments and integrate the AAC results with the role-based approach. Finally, in order to prove the feasibility of our proposed idea we implement the AAC approach with roles and discuss the evaluation results with existing approaches. Copyright © 2010 John Wiley & Sons, Ltd.

Active access control (AAC) with fine‐granularity and scalability

A mobile communication device is a small size of portable computer which provides communication service. One of the biggest barriers in developing the mobile communication device is security. To protect itself against security threats, the mobile communication device need to be loaded with various kinds of security functions such as firewall, access control, and so on. However because the mobile communication device has relatively poor computing power and inconvenient user interface, it may experience performance deterioration and user inconveniency in case that it employs all the security functions. This paper proposes a context-aware dynamic security configuration scheme for effective security management of the mobile communication device. Our scheme can maximize the performance of the mobile communication device in terms of computing resource efficiency and user convenience without degrading security level by automatically optimizing its security configuration based on its security context. The performance of our scheme is measured and evaluated through experiments.

Gaeil An

Papers

Apparatus and method for security managing of information terminal

Analysis of SEND Protocol through Implementation and Simulation

Apparatus and method for limiting bandwidths of burst aggregate flows

Active access control (AAC) with fine‐granularity and scalability

Context-Aware Dynamic Security Configuration for Mobile Communication Device