Amir R. Khakpour,Joshua W. Hulst,Zihui Ge,Alex X. Liu,Dan Pei,Jia Wang

DOI: https://doi.org/10.1109/INFCOM.2012.6195544

2012-01-01

Abstract:Firewalls are critical security devices handling all traffic in and out of a network. Firewalls, like other software and hardware network devices, have vulnerabilities, which can be exploited by motivated attackers. However, because firewalls are usually placed in the network such that they are transparent to the end users, it is very hard to identify them and use their corresponding vulnerabilities to attack them. In this paper, we study firewall fingerprinting, in which one can use firewall decisions on TCP packets with unusual flags and machine learning techniques for inferring firewall implementation.

Amir R. Khakpour,Joshua W. Hulst,Zhihui Ge,Alex X. Liu,Dan Pei,Jia Wang

2011-01-01

Abstract:Firewalls are critical security devices handling all traffic in and out of a network. When under heavy load of both malicious and legitimate traffic, firewalls may be overloaded and start discarding or permitting packets without checking firewall rules, which can cause huge revenue losses or security breaches. In this paper, we study Denial of Firewalling attacks, where attackers use well-crafted traffic to effectively overwhelm a firewall. We first investigate firewall implementation characteristics that can be exploited for such attacks while treating the firewall as a black box. We conducted our studies on a testbed with three popular firewall devices. Second, given a remote firewall, we propose methods for attackers to infer the implementation of the firewall. We develop firewall fingerprinting techniques based on firewall decisions on a sequence of TCP packets with unusual flags and machine learning techniques for inferring firewall implementation. Finally, we present methods that attackers can use to generate the traffic that can effectively overload an identified remote firewall. We show that some firewalls can be easily overloaded by a small volume of carefully crafted traffic.

L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Amit Klein

DOI: https://doi.org/10.48550/arXiv.2112.09604

2022-09-01

Abstract:We analyzed the generation of protocol header fields in the implementations of multiple TCP/IP network stacks and found new ways to leak information about global protocol states. We then demonstrated new covert channels by remotely observing and modifying the system's global state via these protocol fields. Unlike earlier works, our research focuses on hosts that reside in firewalled networks (including source address validation -- SAV), which is a very common scenario nowadays. Our attacks are designed to be non-disruptive -- in the exfiltration scenario, this makes the attacks stealthier and thus extends their longevity, and in case of host alias resolution and similar techniques -- this ensures the techniques are ethical. We focused on ICMP, which is commonly served by firewalls, and on UDP, which is forecasted to take a more prominent share of the Internet traffic with the advent of HTTP/3 and QUIC, though we report results for TCP as well. The information leakage scenarios we discovered enable the construction of practical covert channels which directly pierce firewalls, or indirectly establish communication via hosts in firewalled networks that also employ SAV. We describe and test three novel attacks in this context: exfiltration via the firewall itself, exfiltration via a DMZ host, and exfiltration via co-resident containers. These are three generic, new use cases for covert channels that work around firewalling and enable devices that are not allowed direct communication with the Internet, to still exfiltrate data out of the network. In other words, we exfiltrate data from isolated networks to the Internet. We also explain how to mount known attacks such as host alias resolution, de-NATting and container co-residence detection, using the new information leakage techniques.

Cryptography and Security

Wajid Rafique,Xin He,Zifan Liu,Yuhu Sun,Wanchun Dou

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00080

2019-01-01

Abstract:Managing the Internet of Things (IoT) infrastructure has become a critical challenge due to an enormous increase in the connected devices and the lack of available security solutions. Software-Defined Networking (SDN) has been extensively involved in network infrastructure management. Moreover, numerous recent studies demonstrate the use of SDN for managing IoT networks. In SDN, policy consistency and security of the data plane is maintained through Waypoint Enforcement (WPE) which ensures that the traffic traverses policy nodes/switches to implement high-level network requirements. Previous studies on SDN primarily secure SDN infrastructure against traditional Distributed Denial of Service (DDoS) attacks. However, we investigate Crossfire Attack (CFA), which is a novel DDoS attack capable of interrupting communication of data plane switches using low-rate legitimate traffic. CFA has the potential to isolate policy switch from the rest of the data plane devices which introduces many security anomalies and routing inconsistencies. We first demonstrate how CFA is lethal on policy switch attacks and then present the design and implementation of a novel CFA countermeasure called CFADefense, which employs link selection, attack detection, and malicious flows interception modules. CFADefense has been developed as an application at the application layer of the open-source Floodlight controller. Our evaluation demonstrates that CFADefense accurately detects and efficiently mitigates CFA and poses minimal overhead on the controller in dealing with this attack.

Jiahao Cao,Zijie Yang,Kun Sun,Qi Li,Mingwei Xu,Peiyi Han

2019-01-01

Abstract:By decoupling control and data planes, Software-Defined Networking (SDN) enriches network functionalities with deploying diversified applications in a logically centralized controller. As the applications reveal the presence or absence of internal network services and functionalities, they appear as black-boxes, which are invisible to network users. In this paper, we show an adversary can infer what applications run on SDN controllers by analyzing low-level and encrypted control traffic. Such information can help an adversary to identify valuable targets, know the possible presence of network defense, and thus schedule a battle plan for a later stage of an attack. We design deep learning based methods to accurately and efficiently fingerprint all SDN applications from mixed control traffic. To evaluate the feasibility of the attack, we collect massive traces of control traffic from a real SDN testbed running various applications. Extensive experiments demonstrate an adversary can accurately identify various SDN applications with a 95.4% accuracy on average.

Xiaoyu Ma,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom38437.2019.9013771

2019-01-01

Abstract:Security is critical to cloud services, this paper introduces a design of firewall, which based on IDS's feedback t change rules in order to detect attack flexible. It combines firewall and Intrusion Detection Systems(IDS) by using Intrusion Detection Systems, which detects ICMP, TCP, UDP attacks. Usually, a cloud service is a service built on a virtual machine. The virtual device is virtualized to achieve the purpose of multiplexing. Therefore, if you want to implement cloud security detection, you can listen to the physical device's network card. There are two types of Intrusion Detection System, one is host-based intrusion detection system(HIDS) and another is network intrusion detection system(NIDS). What's more, in order to highlight the importance of the firewall, the IDS monitoring data is analyzed and added to the firewall's defense strategy automatically. Finally, we measure the effectiveness of the system by False Negative(FN) and False Positive(FP), and verify that feedback plays a crucial role in improving the effectiveness of the system, improving the efficiency of the entire system filtering attacks.

Abdelhadi Azzouni,Othmen Braham,Nguyen Thi Mai Trang,Guy Pujolle,Raouf Boutaba

DOI: https://doi.org/10.48550/arXiv.1611.02370

2017-05-02

Abstract:Software-Defined Networking (SDN) controllers are considered as Network Operating Systems (NOSs) and often viewed as a single point of failure. Detecting which SDN controller is managing a target network is a big step for an attacker to launch specific/effective attacks against it. In this paper, we demonstrate the feasibility of fingerpirinting SDN controllers. We propose techniques allowing an attacker placed in the data plane, which is supposed to be physically separate from the control plane, to detect which controller is managing the network. To the best of our knowledge, this is the first work on fingerprinting SDN controllers, with as primary goal to emphasize the necessity to highly secure the controller. We focus on OpenFlow-based SDN networks since OpenFlow is currently the most deployed SDN technology by hardware and software vendors.

Networking and Internet Architecture

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Ding Pengfule,Tian Zhihong,Zhang Hongli,Wang Yong,Zhang Liang,Guo Sanchuan

DOI: https://doi.org/10.1109/dsc.2016.108

2016-01-01

Abstract:The extensive use of Internet technology has brought great convenience to modern society, however, more and more severe problems regarding to network security have also emerged at the same time. Especially the DDoS attacks, represented by SYN Flood, pose massive threats to the network security. This paper discusses an algorithm which could detect SYN Flood attack quickly under large scale network: the adaptive threshold algorithm. Then we propose "Slow detection, Fast recovery" mechanism on basis of adaptive threshold algorithm. Finally, we implement the attack detection and defense algorithms in dual-stack firewall, and test the validity and performance respectively. The results indicate that the methods of detecting and defending SYN Flood proposed by this paper can improve the system efficiency substantially when firewall is attacked, while consuming only a small amount of extra memory.

Qian Wang,Timothy Dunlap,Youngho Cho,Gang Qu

DOI: https://doi.org/10.1109/wocc.2017.7928974

2017-01-01

Abstract:Denial of service (DoS) attacks have been one of the major network security problems over the last decades. DoS attacks can usually be mounted on hardware devices such as routers and firewalls to send spoofing messages to the target network. Thus, methods for defeating such DoS attacks are highly related to the vulnerabilities in the hardware devices. In this paper, we investigate the potential attacks specific to the hardware infrastructure of the network and also categorize the countermeasures against DoS attacks that can be implemented on hardware devices. Moreover, we analyze the advantages of the emerging silicon physical unclonable functions and discuss the potential of integrating them into authentication methods in order to defend against DoS attacks.

Zhichun Li,Yan Gao,Yan Chen

DOI: https://doi.org/10.1016/j.comnet.2009.10.016

IF: 5.493

2009-01-01

Computer Networks

Abstract:Global-scale attacks like worms and botnets are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper, leveraging data streaming techniques such as the reversible sketch, we design HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND: (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst-case traffic of 40-byte-packet streams with each packet forming a flow.

Pengfei Liu,Yang Liu,Xiangming Wang,Yuanyi Bao,Dong Yang,Wenqing Wang,Tong Wu,Zhuo Lv,Ting Liu

DOI: https://doi.org/10.1109/tii.2022.3198676

IF: 12.3

2023-03-29

IEEE Transactions on Industrial Informatics

Abstract:It is hard to conduct cyberattacks in industrial control systems (ICSs) because most underlying networks of ICS like the field bus network are isolated from the internet. However, attackers can physically connect the intrusive device into the target network to launch various attacks, which bypasses the security protection mechanisms between the ICS and the internet. Currently, no effective measures could defend against such unauthorized physical access attacks. In this article, a reflection-based channel fingerprint is proposed to detect and locate these physically intrusive devices in the field bus network. We theoretically analyze the signal reflection characteristics and utilize inevitable changes in the channel fingerprint to detect the intrusive device. Besides, the detected anomaly features could be used to accurately estimate the intrusive device's location. In the end, the proposed method's effectiveness is validated through extensive simulation experiments.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Ken Goss,Wei Jiang

DOI: https://doi.org/10.48550/arXiv.1810.01571

2018-10-03

Abstract:Firewalls have long been in use to protect local networks from threats of the larger Internet. Although firewalls are effective in preventing attacks initiated from outside, they are vulnerable to insider threats, e.g., malicious insiders may access and alter firewall configurations, and disable firewall services. In this paper, we develop an innovative distributed architecture to obliviously manage and evaluate firewalls to prevent both insider and external attacks oriented to the firewalls. Our proposed structure alleviates these issues by obfuscating the firewall rules or policies themselves, then distributing the function of evaluating these rules across multiple servers. Thus, both accessing and altering the rules are considerably more difficult thereby providing better protection to the local network as well as greater security for the firewall itself. We achieve this by integrating multiple areas of research such as secret sharing schemes and multi-party computation, as well as Bloom filters and Byzantine agreement protocols. Our resulting solution is an efficient and secure means by which a firewall may be distributed, and obfuscated while maintaining the ability for multiple servers to obliviously evaluate its functionality.

Cryptography and Security

Guodong Huang,Chuan Ma,Ming Ding,Yuwen Qian,Chunpeng Ge,Liming Fang,Zhe Liu

DOI: https://doi.org/10.48550/arXiv.2302.13763

2023-02-27

Abstract:Website fingerprinting attack is an extensively studied technique used in a web browser to analyze traffic patterns and thus infer confidential information about users. Several website fingerprinting attacks based on machine learning and deep learning tend to use the most typical features to achieve a satisfactory performance of attacking rate. However, these attacks suffer from several practical implementation factors, such as a skillfully pre-processing step or a clean dataset. To defend against such attacks, random packet defense (RPD) with a high cost of excessive network overhead is usually applied. In this work, we first propose a practical filter-assisted attack against RPD, which can filter out the injected noises using the statistical characteristics of TCP/IP traffic. Then, we propose a list-assisted defensive mechanism to defend the proposed attack method. To achieve a configurable trade-off between the defense and the network overhead, we further improve the list-based defense by a traffic splitting mechanism, which can combat the mentioned attacks as well as save a considerable amount of network overhead. In the experiments, we collect real-life traffic patterns using three mainstream browsers, i.e., Microsoft Edge, Google Chrome, and Mozilla Firefox, and extensive results conducted on the closed and open-world datasets show the effectiveness of the proposed algorithms in terms of defense accuracy and network efficiency.

Cryptography and Security,Machine Learning

Daniele Bringhenti,Francesco Pizzato,Riccardo Sisto,Fulvio Valenza

DOI: https://doi.org/10.1002/nem.2307

2024-10-22

International Journal of Network Management

Abstract:This graphical abstract shows the workflow of the proposed approach for autonomous attack mitigation through firewall reconfiguration. Packet filtering firewalls represent a main defense line against cyber attacks that target computer networks daily. However, the traditional manual approaches for their configuration are no longer applicable to next‐generation networks, which have become much more complex after the introduction of virtualization paradigms. Some automatic strategies have been investigated in the literature to change that old‐fashioned configuration approach, but they are not fully autonomous and still require several human interventions. In order to overcome these limitations, this paper proposes an autonomous approach for firewall reconfiguration where all steps are automated, from the derivation of the security requirements coming from the logs of IDSs to the deployment of the automatically computed configurations. A core component of this process is React‐VEREFOO, which models the firewall reconfiguration problem as a Maximum Satisfiability Modulo Theories problem, allowing the combination of full automation, formal verification, and optimization in a single technique. An implementation of this proposal has undergone experimental validation to show its effectiveness and performance.

computer science, information systems,telecommunications

Hui Yuan,Lei Zheng,Shuang Qiu,Xiangli Peng,Yuan Liang,Yaodong Hu,Guoru Deng

DOI: https://doi.org/10.1007/978-3-030-15235-2_142

2019-04-25

Abstract:With the rapid development of the network, in recent years, the Internet has greatly improved people’s lives, and the real-time, sharing and distance-removing characteristics of network information transmission have made the operation and management of enterprises more efficient and coordinated. The basis of refinement. At the same time, various network security incidents have followed, such as hacker attacks on computer network systems, and various types of viruses, Trojans and other active attacks emerge one after another. In this regard, this paper analyzes the enterprise network security system of firewall from the perspective of enterprise network security, briefly summarizes the background, advantages and disadvantages of firewall technology, and designs and implements a client software according to the actual needs of users. The network performs real-time intelligent security monitoring. After the system design is completed, the security is tested by building a simulation platform, including qualitative testing and quantitative testing, which are divided into security and performance to verify whether the system can achieve and guarantee performance.