
Showing papers by "Mayank Dave published in 2021"


Journal Article
TL;DR: A detailed analysis of the effect of spoofed and non-spoofed TCP-SYN flooding attacks on controller resources in SDN is presented, and a machine learning based intrusion detection system is suggested.
Abstract: Software-defined networking (SDN) is an advanced networking technology that yields flexibility with cost-efficiency as per business requirements. SDN breaks the vertical integration of the control and data planes and promotes centralized network management. SDN allows data-intensive applications to work more efficiently by making the network dynamically configurable. With the growing development of SDN technology, the issue of security becomes critical because of its architectural characteristics. Currently, distributed denial of service (DDoS) is one of the most powerful attacks, causing services to be unavailable for normal users. DDoS seeks to consume the resources of the SDN controller with the intention of slowing down the working of the network. In this paper, a detailed analysis of the effect of spoofed and non-spoofed TCP-SYN flooding attacks on the controller resources in SDN is presented. We also suggest a machine learning based intrusion detection system. Five different classification models belonging to a variety of families are used to classify the traffic and are evaluated using different performance indicators. A cross-validation technique is used to validate the classification models. This work enables better features to be extracted and the traffic to be classified efficiently. The experimental results reveal significantly good performance with all the considered classification models.

18 citations


Journal Article
TL;DR: A secure hybrid key predistribution scheme (HKP-HD) for wireless sensor networks (WSN) that combines the robustness of the q-composite scheme with a threshold-resistant polynomial scheme to make the network more resistant against node capture attacks.

17 citations


Book Chapter
01 Jan 2021
TL;DR: Due to selfish or malicious reasons, an attacker might send false alerts and falsified beacon information, leading to changes in the driver's behavior and in the entire network; this could result in accidents or in long-distance travel for the driver.
Abstract: VANETs stands for vehicular ad hoc networks. In VANETs, alerts like post-crash notification (PCN), beacon messages, etc. (with sender id, position, speed and timestamp) are exchanged between vehicles in order to improve road safety, so that the driver is alerted in advance of a hazard or crash that she/he could face ahead. This technology has great potential to reduce the number of accidents that happen every year. If the driver is alerted a few seconds before the accident about the hazard, then the accident could be prevented. But in VANETs there is a possibility that, due to selfish or malicious reasons, some attacker might send false alerts and falsified information in beacons, leading to changes in the driver's behavior and in the entire network. This could result in accidents in the network or in long-distance travel for the driver. Hence, it is very much necessary to detect the false messages that are communicated in the vehicular network.

9 citations


Journal Article
TL;DR: An ensemble classifier-based deep learning model is proposed to investigate malicious packets, preserve evidence using the SHA-256 cryptosystem, learn from collected data, and keep the pieces of evidence alive when needed in the forensic investigation of a malware attack on the network.
Abstract: The exponential growth in technology observed over the past decade has introduced newer ways to exploit network and cyber-physical system-related vulnerabilities. Cybercriminals perform malware attacks by exploiting vulnerabilities to cause damage to a network or computer without the victim's knowledge. The attack sites from where the vulnerabilities are exploited provide concrete evidence that can be collected and used against the attackers (cybercriminals) under cyber law jurisdiction. The collected digital pieces of evidence can easily be damaged by various attack techniques. The investigation of the crime depends entirely on the raw evidence, which must be protected for a correct investigation. In this article, a crypto-evidence preservation and evidence collecting model is proposed. The model is used to detect malware attacks, preserve evidence, and categorize the network traffic data into suitable classes as either malicious or non-malicious. It successfully preserves collected digital pieces of evidence and keeps them in protected mode (tamper-safe). The meta-data for malware traffic is extracted using deep learning and machine learning classifiers. Various studies have shown that deep learning supports the efficient analysis of large data sets, whereas ensemble classifiers increase the probability of better prediction for malware and real-time data flowing through a network. This article proposes an ensemble classifier-based deep learning model to investigate malicious packets, preserve evidence using the SHA-256 cryptosystem, learn on collected data and keep the pieces of evidence alive (availability of data) when needed in the forensic investigation of a malware attack on the network. The proposed model outperforms various existing models with an average score of 97% (F1-score) for malware detection and evidence preservation. Further, the scope of the work that researchers can explore in their own studies is discussed.

4 citations


Journal Article
01 Sep 2021
TL;DR: Three attack-resistant path key establishment schemes are presented based on an attack matrix designed to calculate the attack coefficient of the sensor nodes at the time of their positioning in the sensor field; the proposed schemes show improved performance compared to existing path key establishment schemes.
Abstract: A large number of the path key establishment schemes assume the same probability of node capture attack for each node in the wireless sensor network. However, in certain critical applications this assumption may not hold, making such schemes less practical for many real-world applications like border surveillance and disaster management. In this paper, an attack matrix (AM) is designed to calculate the attack coefficient of the sensor nodes at the time of their positioning in the sensor field. The path key exposure problem is minimized by bypassing the nodes with the greatest value of attack coefficient. Three attack-resistant path key establishment schemes are presented based on the AM, namely attack-resistant proxy-based path key establishment, attack-resistant friend-based path key establishment and attack-resistant disjoint path key establishment. We find that the proposed schemes show improved performance compared to the existing path key establishment schemes. The resistance of the proposed schemes against node capture has been verified based on the probability of key recovery and the path compromise ratio. The results demonstrate their effectiveness in diminishing the impact of node capture.

2 citations


Book Chapter
01 Jan 2021
TL;DR: In this paper, a web server-based network system is set up using the Snort intrusion detection system (IDS) to detect the various possible methods of SQL injection attack; the method follows NIST standards, which are built on the major risk assessment phases.
Abstract: Structured query language (SQL) injection is an attack method that exploits the functional and storage vulnerabilities of web applications that store data in a database. The attacker is capable of affecting security by intentionally deciding the content that will be forwarded to the database for information retrieval. The attacker benefits by exploiting the syntax and storage vulnerabilities that are responsible for weak points in the DBMS security system. This study makes use of the Snort intrusion detection system log files, which contain information affiliated to attackers and can provide timed attack notifications via digital notification systems, like emails. In this research, a web server-based network system is set up using the Snort intrusion detection system (IDS) to detect the various possible methods of SQL injection attack. The method used is based on NIST standards, which are built on the major risk assessment phases. The research proceeds in five phases: testing the exploitable site, simulating attack circumstances, configuring the IDS, collecting data, and a final phase of performing analysis. This study contributes a web server-based Snort IDS system that is capable of detecting a significant number of SQL injection attacks and a real-time response notification system via digital notifications.

2 citations


Book Chapter
01 Jan 2021
TL;DR: This work discusses a literature study of some possible forensic techniques, and a framework is also presented for forensic investigation of an SDN environment in an attack scenario, which includes the collection of evidence and its preservation against any damage.
Abstract: Software-defined networking (SDN) is a promising networking technology that provides customers with a new way of network management. SDN provides more programmable and flexible network services. SDN breaks the vertical integration of the control and data planes and promotes centralized network management. This unique characteristic of SDN offers security features to deal with malicious activities. However, the architectural design of SDN makes it vulnerable to several attacks. Therefore, it is important to investigate the crime through various forensic techniques. This work discusses a literature study of some possible forensic techniques. A framework is also presented for forensic investigation of an SDN environment in an attack scenario. The proposed framework includes the collection of evidence and its preservation against any damage. During investigation, protection of evidence and the chain of custody are of utmost importance to avoid misleading the investigators. The safe storage strategy as well as maintenance of the custody link can be achieved through blockchain technology.

2 citations


Book Chapter
01 Jan 2021
TL;DR: In this article, a malware detection model using machine learning techniques is proposed; the model is trained and tested on a synthetically generated dataset and then used to detect malware.
Abstract: Malware refers to the malicious programs that are used to exploit the target system's vulnerabilities, such as a bug or legitimate software. Malware infiltration can have disastrous consequences for any corporation, including stealing confidential data, damaging network devices, and crippling network systems. So, there is a need to filter the malware out of the network, and this is achieved with the help of intrusion detection systems; the malware detection model sits at the core of those systems. This paper aims to design a malware detection model using machine learning techniques and training the model on synthetically generated data. In this paper, we first harness or generate a synthetic dataset using a tool named CICFlowMeter. CICFlowMeter is a network traffic flow generator tool that captures the network traffic to produce a featured dataset of the network. We first capture the data using the tool, and then this data is used to produce a synthetic dataset of the network. After that, we use various machine learning techniques to build our malware detection model, which is trained and tested using the synthetically produced dataset.

1 citation


Proceedings Article
02 Apr 2021
TL;DR: In this article, the authors propose an attack defense mechanism against spoofed flooding DDoS attacks in SDN, which reduces the CPU usage on the victim host after attack detection, mitigates the impacts of the attacks, and avoids any additional communication between switches and controller.
Abstract: Software-defined networking (SDN) has become a popular networking paradigm that separates the control plane from the data plane devices. This separation offers various facilities such as flexibility, programmability, and a centralized global view of the complete network. However, SDN introduces various cyber-attacks due to its architectural design. In the present scenario, distributed denial-of-service (DDoS) is one of the most severe attacks that makes resources unavailable for normal users. Attackers use spoofed IPs in the DDoS attack and hide their original identity, which makes it difficult to mitigate the impacts of such DDoS attacks. A spoofed DDoS attack in SDN can affect all three important entities: switch, controller, and switch-controller channel. Therefore, in this work, we propose a statistical, z-score based mechanism for detecting spoofed flooding DDoS attacks (TCP-SYN). The proposed mechanism also mitigates the impacts of the attacks and avoids any additional communication between switches and controller. The performance results show that the proposed attack defense mechanism mitigates the spoofed TCP-SYN flooding attack efficiently and reduces the CPU usage on the victim host after attack detection.

Book Chapter
01 Jan 2021
TL;DR: The authors compare and analyze existing blockchain-based defense mechanisms to counter DDoS attacks, and discuss possible future research directions in this domain.
Abstract: Distributed denial of service (DDoS) attacks have been a matter of serious concern for network administrators in the last two decades. These attacks target resources such as memory, CPU cycles, and network bandwidth in order to make them unavailable to benign users, thereby violating availability, one of the components of cyber security. With the existence of DDoS-as-a-service on the internet, DDoS attacks have now become more lucrative for adversaries targeting a potential victim. In this work, the authors focus on countering DDoS attacks using one of the latest technologies, blockchain. In its inception phase, utilizing blockchain for countering DDoS attacks has proved to be quite promising. The authors also compare and analyze existing blockchain-based defense mechanisms to counter DDoS attacks. Towards the end of the work, they also discuss possible future research directions in this domain.

Book Chapter
01 Jan 2021
TL;DR: In this article, a lightweight Android malware detection system based on machine learning techniques is presented that uses fewer static features to distinguish between malicious and benign applications; it utilizes a multilevel feature reduction and elimination process to make the detection model lightweight.
Abstract: With its increased popularity and wide adoption in the embedded system domain, Android has become the main target for malware writers. Due to rapid growth in the number, variants and diversity of malware, fast detection of malware on the Android platform has become a challenging task. Existing malware detection systems built around machine learning algorithms with static, dynamic, or both analysis techniques use a high-dimensional feature set. Machine learning algorithms are often challenged by such a large number of features and consume a lot of power and time for both training and detection. A model built using such a large number of features may include irrelevant or negative features that reduce the overall efficiency of the detection system. In this paper, we present a lightweight Android malware detection system based on machine learning techniques that uses fewer static features to distinguish between malicious and benign applications. To reduce the feature dimensions, we have used a feature engineering approach, which utilizes a multilevel feature reduction and elimination process to make the detection model lightweight. Finally, we have built a machine learning-based detection system on the reduced feature set that performs better in comparison to the model built using the original feature set. The proposed detection system achieves accuracy and precision above 98% and drastically reduces the feature set size from 3,73,458 to 105 features.