 |
Router System Security 2014 |
Routers are among the most ubiquitous electronic devices in use. Basic security from protocols and encryption can be readily achieved, but routing has many leaks. The articles cited here look at route leaks, stack protection, and mobile platforms using Tor, iOS, and Android OS, among other topics. They were published in 2014.
Siddiqui, M.S.; Montero, D.; Yannuzzi, M.; Serral-Gracia, R.; Masip-Bruin, X., “Diagnosis of Route Leaks Among Autonomous Systems in the Internet,” Smart Communications in Network Technologies (SaCoNeT), 2014 International Conference on, vol., no., pp. 1, 6, 18-20 June 2014. doi:10.1109/SaCoNeT.2014.6867765
Abstract: Border Gateway Protocol (BGP) is the defacto inter-domain routing protocol in the Internet. It was designed without an inherent security mechanism and hence is prone to a number of vulnerabilities which can cause large scale disruption in the Internet. Route leak is one such inter-domain routing security problem which has the potential to cause wide-scale Internet service failure. Route leaks occur when Autonomous systems violate export policies while exporting routes. As BGP security has been an active research area for over a decade now, several security strategies were proposed, some of which either advocated complete replacement of the BGP or addition of new features in BGP, but they failed to achieve global acceptance. Even the most recent effort in this regard, lead by the Secure Inter-Domain Routing (SIDR) working group (WG) of IETF fails to counter all the BGP anomalies, especially route leaks. In this paper we look at the efforts in countering the policy related BGP problems and provide an analytical insights into why they are ineffective. We contend a new direction for future research in managing the broader security issues in the inter-domain routing. In that light, we propose a naive approach for countering the route leak problem by analyzing the information available at hand, such as the RIB of the router. The main purpose of this paper was to position and highlight the autonomous smart analytical approach for tackling policy related BGP security issues.
Keywords: Internet; computer network security; routing protocols; BGP security issue; IETF; Internet autonomous systems; Secure InterDomain Routing working group; border gateway protocol; interdomain routing protocol; interdomain routing security problem; route leak diagnosis; security issues; IP networks; Radiation detectors; Routing; Routing protocols; Security (ID#: 15-6675)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6867765&isnumber=6867755
Peng Wu; Wolf, T., “Stack Protection in Packet Processing Systems,” Computing, Networking and Communications (ICNC), 2014 International Conference on, vol., no., pp. 53, 57, 3-6 Feb. 2014. doi:10.1109/ICCNC.2014.6785304
Abstract: Network security is a critical aspect of Internet operations. Most network security research has focused on protecting end-systems from hacking and denial-of-service attacks. In our work, we address hacking attacks on the network infrastructure itself. In particular, we explore data plane stack smashing attacks that have demonstrated successfully on network processor systems. We explore their use in the context of software routers that are implemented on top of general-purpose processor and operating systems. We discuss how such attacks can be adapted to these router systems and how stack protection mechanisms can be used as defense. We show experimental results that demonstrate the effectiveness of these stack protection mechanisms.
Keywords: Internet; computer crime; computer network security; general purpose computers; operating systems (computers); packet switching; telecommunication network routing Internet; computer network security; denial of service attacks; end systems protection; general purpose processor; hacking attacks; network infrastructure; network processor systems; operating systems; packet processing system; router systems; smashing attacks; software routers; stack protection mechanism; Computer architecture; Information security; Linux; Operating systems; Protocols; attack; defense; network security; stack smashing (ID#: 15-6676)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6785304&isnumber=6785290
Frantti, T.; Röning, J., “A Risk-Driven Security Analysis for a Bluetooth Low Energy Based Microdata Ecosystem,” Ubiquitous and Future Networks (ICUFN), 2014 Sixth International Conf on, vol., no., pp. 69, 74, 8-11 July 2014. doi:10.1109/ICUFN.2014.6876753
Abstract: This paper presents security requirements, risk survey, security objectives, and security controls of the Bluetooth Low Energy (BLE) based Catcher devices and the related Microdata Ecosystem of Ceruus company for a secure, energy efficient and scalable wireless content distribution. The system architecture was composed of the Mobile Cellular Network (MCN) based gateway/edge router device, such as Smart Phone, Catchers, and web based application servers. It was assumed that MCN based gateways communicate with application servers and surrounding Catcher devices. The analysis of the scenarios developed highlighted common aspects and led to security requirements, objectives, and controls that were used to define and develop the Catcher and MCN based router devices and guide the system architecture design of the Microdata Ecosystem.
Keywords: Bluetooth; cellular radio; computer network security; network servers; telecommunication network routing; BLE based catcher devices; Bluetooth low energy based microdata ecosystem; Ceruus company; MCN based gateway-edge router device; application servers; energy efficient wireless content distribution; mobile cellular network; risk-driven security analysis; wireless content distribution scalability; wireless content distribution security; Authentication; Ecosystems; Encryption; Logic gates; Protocols; Servers; Internet of Things; authentication; authorization; confidentiality; integrity; security; timeliness (ID#: 15-6677)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6876753&isnumber=6876727
Wang Ming-Hao, “The Security Analysis and Attacks Detection of OSPF Routing Protocol,” Intelligent Computation Technology and Automation (ICICTA), 2014 7th International Conference on, vol., no., pp. 836, 839, 25-26 Oct. 2014. doi:10.1109/ICICTA.2014.200
Abstract: The widespread use of the Internet proposes great challenges for information security. Routing protocols are used to distribute network topology information among routers. Routers find the best route according to the topology information, and realize the network data forwarding. Without correct router information, the network packet transmission is inefficient or incorrect, which may even cause network paralyzed. Therefore, secure routing protocol is an import factor to ensure network security. This paper emphasizes the security of OSPF routing protocol. We firstly outline the background of OSPF technology, and present the OSPF security analysis, including authentication mechanism, reliable flooding mechanism and hierarchical routing mechanism. Then the vulnerabilities of OSPF and protecting methods are introduced. In addition, we propose the attacks detection system of OSPF routing protocol from the perspective of the OSPF security, in order to detect attacks without affecting the network operation. Lastly, future research on OSPF routing protocol are concluded.
Keywords: Internet; cryptographic protocols; routing protocols; telecommunication network topology; telecommunication security; Internet; OSPF routing protocol; OSPF technology; attacks detection system; authentication mechanism; flooding mechanism; hierarchical routing mechanism; information security; secure routing protocol; security analysis; topology information; Authentication; Cryptography; Floods; Routing; Routing protocols; Data Packet; Key; Link-state; OSPF; Routing Protocol (ID#: 15-6678)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7003663&isnumber=7003462
Ben Hadjy Youssef, N.; El Hadj Youssef, W.; Machhout, M.; Tourki, R.; Torki, K., “Instruction Set Extensions of AES Algorithms for 32-Bit Processors,” Security Technology (ICCST), 2014 International Carnahan Conference on, vol., no., pp. 1, 5, 13-16 Oct. 2014. doi:10.1109/CCST.2014.6986988
Abstract: Embedded processors are an integral part of many communications devices such as mobile phones, secure access to private networks, electronic commerce and smart cards. However, such devices often provide critical functions that could be sabotaged by malicious entities. The supply of security for data exchange on basis of embedded systems is a very important objection to accomplish. This paper focuses on instruction set extensions of symmetric key algorithm. The main contribution of this work is the extension of SPARC V8 LEON2 processor core with cryptographic Instruction Set Extensions. The proposed cryptographic algorithm is Advanced Encryption Standard (AES). Our customized instructions offer a cryptographic solution for embedded devices, in order to ensure communications security. Furthermore, as embedded systems are extremely resource constrained devices in terms of computing capabilities, power and memory area; these technological challenges are respected. Our extended LEON2 SPARC V8 core with cryptographic ISE is implemented using Xilinx XC5VFX70t FPGA device and an ASIC CMOS 40 nm technology. The total area of the resulting Chip is about 0.28 mm2 and can achieve an operating frequency of 3.33 GHz. The estimated power consumption of the chip was 13.3 mW at 10 MHz. Hardware cost and power consumption evaluation are provided for different clock frequencies, the achieved results show that our circuit is able to be arranged in many security domains such as embedded services routers, real-time multimedia applications and smartcard.
Keywords: CMOS logic circuits; application specific integrated circuits; cryptography; electronic data interchange; embedded systems; field programmable gate arrays; instruction sets; microprocessor chips; 32-bit processors; AES algorithms; ASIC CMOS technology; SPARC V8 LEON2 processor core; Xilinx XC5VFX70t FPGA device; communication devices; cryptographic ISE; cryptographic instruction set extension; data exchange security; embedded devices; embedded processors; embedded services routers; malicious entities; operating frequency; power consumption evaluation; real-time multimedia applications; resource constrained devices; size 40 nm; smartcard; symmetric key algorithm; word length 32 bit; Encryption; Field programmable gate arrays; Hardware; Program processors; Registers; Standards; AES; Embedded processor; FPGA and ASIC implementation; LEON2; decryption; encryption (ID#: 15-6679)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6986988&isnumber=6986962
Owezarski, P., “Unsupervised Classification and Characterization of Honeypot Attacks,” Network and Service Management (CNSM), 2014 10th International Conference on, vol., no., pp. 10, 18, 17-21 Nov. 2014. doi:10.1109/CNSM.2014.7014136
Abstract: Monitoring communication networks and their traffic is of essential importance for estimating the risk in the Internet, and therefore designing suited protection systems for computer networks. Network and traffic analysis can be done thanks to measurement devices or honeypots. However, analyzing the huge amount of gathered data, and characterizing the anomalies and attacks contained in these traces remain complex and time consuming tasks, done by network and security experts using poorly automatized tools, and are consequently slow and costly. In this paper, we present an unsupervised method for classification and characterization of security related anomalies and attacks occurring in honeypots. This as automatized as possible method does not need any attack signature database, learning phase, or labeled traffic. This corresponds to a major step towards autonomous security systems. This paper also shows how it is possible from anomalies characterization results to infer filtering rules that could serve for automatically configuring network routers, switches or firewalls.
Keywords: computer network security; pattern classification; telecommunication network routing; telecommunication traffic; unsupervised learning; Internet; autonomous security systems; communication network monitoring; computer network protection systems; firewalls; honeypot attacks; network routers; switches; traffic analysis; unsupervised anomaly characterization; Algorithm design and analysis; Clustering algorithms; Correlation; IP networks; Internet; Partitioning algorithms; Security; Anomaly classification; Honeypot attack detection (ID#: 15-6680)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7014136&isnumber=7014126
Tsikoudis, N.; Papadogiannakis, A.; Markatos, E.P., “LEoNIDS: a Low-latency and Energy-efficient Network-level Intrusion Detection System,” Emerging Topics in Computing, IEEE Transactions on, vol., no. 99, pp.1,1, 05 December 2014. doi:10.1109/TETC.2014.2369958
Abstract: Over the past decade, design and implementation of low-power systems has received significant attention. Started with data centers and battery-operated mobile devices, it has recently branched to core network devices such as routers. However, this emerging need for low-power system design has not been studied for security systems, which are becoming increasingly important today. Towards this direction, we aim to reduce the power consumption of Network-level Intrusion Detection Systems (NIDS), which are used to improve the secure operation of modern computer networks. Unfortunately, traditional approaches to low-power system design, such as frequency scaling lead to a disproportionate increase in packet processing and queuing times. In this work, we show that this increase has a negative impact on the detection latency and impedes a timely reaction. To address this issue, we present LEoNIDS: an architecture that resolves the energy-latency tradeoff by providing both low power consumption and low detection latency at the same time. The key idea is to identify the packets that are more likely to carry an attack and give them higher priority so as to achieve low attack detection latency. Our results indicate that LEoNIDS consumes comparable power to a state-of-the-art low-power design, while, at the same time, achieving up to an order of magnitude faster attack detection.
Keywords: Computer architecture; Delays; Mobile handsets; Power demand; Program processors; Security; Time-frequency analysis; Energy-Efficient Systems; Intrusion Detection Systems; Low Latency; Low-Power design; Multi-Core Packet Processing; Network Security; Performance (ID#: 15-6681)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6977945&isnumber=6558478
Renukuntla, S.S.B.; Rawat, S., “Optimization of Excerpt Query Process for Packet Attribution System,” Information Assurance and Security (IAS), 2014 10th International Conference on, vol., no., pp. 41, 46, 28-30 Nov. 2014. doi:10.1109/ISIAS.2014.7064618
Abstract: Internet and its applications have increased to an enormous extent in the past decade. As the usage increased, it has also exposed its users to various security threats. Network forensic techniques can be used to traceback the source and the path of an attack that can be used as a legal evidence in a court of law. Packet attribution techniques like Source Path Isolation (SPIE), Block Bloom Filter (BBF), and Hierarchical Bloom Filter (HBF) are proposed to store the packet data into the bloom filters at each router present in the network. All the routers in the Autonomous System (AS) are queried for presence of excerpt in their bloom filters to traceback source and path of attack. Upon receiving the excerpt query, each router search their bloom filters for presence of excerpt and send the result to NMS. NMS receives the response from routers and determines the traceback path from victim to source of attack. In this process, all the routers are engaged in searching the bloom filters, causing possible delay in performing actual routing tasks. This degrades network performance and may adversely affect QoS of network. To address potential performance issues, in this paper, we propose query optimization techniques, reducing the number of routers to be searched to a great extent, without adversely affecting storage and processing requirements as compared to existing attribution methods.
Keywords: Internet; computer network security; data structures; digital forensics; optimisation; quality of service; query processing; telecommunication network routing; AS; Internet security; NMS; QoS; autonomous system; bloom filters; excerpt query process optimization; network forensic technique; packet attribution system; packet data store; routing task; source traceback; Hafnium; IP networks; Excerpt Query; Hash-based traceback; Packet Attribution System; Payload Attribution System (ID#: 15-6682)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7064618&isnumber=7064614
Tennekoon, R.; Wijekoon, J.; Harahap, E.; Nishi, H.; Saito, E.; Katsura, S., “Per Hop Data Encryption Protocol for Transmission of Motion Control Data over Public Networks,” Advanced Motion Control (AMC), 2014 IEEE 13th International Workshop on, vol., no., pp. 128, 133, 14-16 March 2014. doi:10.1109/AMC.2014.6823269
Abstract: Bilateral controllers are widely used vital technology to perform remote operations and telesurgeries. The nature of the bilateral controller enables control objects, which are geographically far from the operation location. Therefore, the control data has to travel through public networks. As a result, to maintain the effectiveness and the consistency of applications such as teleoperations and telesurgeries, faster data delivery and data integrity are essential. The Service-oriented Router (SoR) was introduced to maintain the rich information on the Internet and to achieve maximum benefit from networks. In particular, the security, privacy and integrity of bilateral communication are not discoursed in spite of its significance brought by its underlying skill information or personal vital information. An SoR can analyze all packet or network stream transactions on its interfaces and store them in high throughput databases. In this paper, we introduce a hop-by-hop routing protocol which provides hop-by-hop data encryption using functions of the SoR. This infrastructure can provide security, privacy and integrity by using these functions. Furthermore, we present the implementations of proposed system in the ns-3 simulator and the test result shows that in a given scenario, the protocol only takes a processing delay of 46.32 μs for the encryption and decryption processes per a packet.
Keywords: Internet; computer network security; control engineering computing; cryptographic protocols; data communication; data integrity; data privacy; force control; medical robotics; motion control; position control; routing protocols; surgery; telecontrol; telemedicine; telerobotics; SoR; bilateral communication; bilateral controller; control objects; data delivery; decryption process; hop-by-hop data encryption; hop-by-hop routing protocol; motion control data transmission; network stream transaction analysis; ns-3 simulator; operation location; packet analysis; per hop data encryption protocol; personal vital information; privacy; processing delay; public network; remote operation; security; service-oriented router; skill information; teleoperation; telesurgery; throughput database; Delays; Encryption; Haptic interfaces; Routing protocols; Surgery; Bilateral Controllers; Service-oriented Router; hop-by-hop routing; motion control over networks; ns-3 (ID#: 15-6683)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6823269&isnumber=6823244
Jin Hai; Wang Hai-Lan, “Research of the Router Scheme for Virtual Storage,” Intelligent Computation Technology and Automation (ICICTA), 2014 7th International Conference on, vol., no., pp. 484, 487, 25-26 Oct. 2014. doi:10.1109/ICICTA.2014.123
Abstract: With the development of storage technology, the increase of the storage quantity and diverse forms, virtual storage has become a most adaptable technology in the current environment. It helps users to provide interactive procedure in the heterogeneous environment, maintain the operating system continuity, simplify the storage management complexity and reduce the storage cost. Virtual storage is to centralized manage multiple storage devices and provide large capacity, high data transmission performance for users. It can be realized in three levels: virtual storage based on hosts, networks and storage devices. Virtual storage based on networks can be further divided into virtualization based on net devices, switches and routers. This paper focus on the router scheme in for virtual storage, which has higher performance and better security compared with other method. Virtualization based on routers is to integrate virtual modules into the routers, giving storage routers in the network have both exchange functions of the switches and protocol conversion functions of the routers. It makes full use of the current storage resources and protecting user investment, and also allows users in the Ethernet connect to the virtual storage pool, which can use different protocol channels at the same time. As the focus study at present, virtual storage can be used in several fields, such as data mirroring, data replication, tapes backup enhancement devices, real-time duplication, real-time data recovery and application integration.
Keywords: data communication; local area networks; protocols; virtual storage; virtualisation; Ethernet; multiple storage devices; protocol channels; protocol conversion functions; storage cost reduction; storage management complexity; storage resources; storage router scheme; switches conversion functions; virtual storage; virtualization; Operating systems; Routing protocols; Servers; Storage area networks; Storage management; Virtualization; Data Storage; Router Scheme; Storage Devices; Storage Management; Virtual Storage (ID#: 15-6684)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7003586&isnumber=7003462
Ahmed, A.S.; Hassan, R.; Othman, N.E., “Security Threats for IPv6 Transition Strategies: A Review,” Engineering Technology and Technopreneuship (ICE2T), 2014 4th International Conference on, vol., no., pp. 83, 88, 27-29 Aug. 2014. doi:10.1109/ICE2T.2014.7006224
Abstract: There is a growing perception among communications experts that IPv6 and its associated protocols is set to soon replace the current IP version. This is somewhat interesting given that general adoption of IPv6 has been slow. Perhaps this can be explained by the short-term fixes to IPv4 address including classless addressing and NAT. Because of these short-term solutions in addition that IPv4 is not capable to manage the growth of information systems, particularly the growth of internet technologies and services including cloud computing, mobile IP, IP telephony, and IP-capable mobile telephony, all of which necessitate the use of IPv6. There is however a realization that the transformation must be gradual and properly guided and managed. To this end, the Internet Engineering Task Force (IETF) was formed to assist in the transition from IPv4 to IPv6 Dual Stack, Header Translation and Tunneling. The mechanisms employed in this transition consist of changes to protocol mechanisms affecting hosts and routers, addressing and deployment, that are designed to avoid mishap and facilitate a smooth transition from IPv4 to IPv6. Given the inevitability of adopting IPv6, this paper focuses on a detailed examination of the transition techniques and its associated benefits and possible shortcomings. Furthermore, the security threats for each transition technique are overviewed.
Keywords: Internet; information systems; security of data; transport protocols; IETF; IP-capable mobile telephony; IPv4; IPv6 transition strategy; Internet engineering task force; NAT; classless addressing; cloud computing; dual stack; header translation; information system; internet technology; mobile IP; protocol mechanism; security threat; tunneling; Encapsulation; Firewalls (computing); IP networks; Internet; Protocols; Dual Stack; IPv4; IPv6; Translation; Tunneling (ID#: 15-6685)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7006224&isnumber=7006204
Guneysu, T.; Regazzoni, F.; Sasdrich, P.; Wojcik, M., “THOR — The Hardware Onion Router,” Field Programmable Logic and Applications (FPL), 2014 24th International Conference on, vol., no., pp. 1, 4, 2-4 Sept. 2014. doi:10.1109/FPL.2014.6927408
Abstract: Security and privacy of data traversing internet have always been a major concern for all users. In this context, The Onion Routing (Tor) is the most successful protocol to anonymize global Internet traffic and is widely deployed as software on many personal computers or servers. In this paper, we explore the potential of modern reconfigurable devices to efficiently realize the Tor protocol on embedded devices. In particular, this targets the acceleration of the complex cryptographic operations involved in the handshake of routing nodes and the data stream encryption. Our hardware-based implementation on the Xilinx Zynq platform outperforms previous embedded solutions by more than a factor of 9 with respect to the cryptographic handshake — ultimately enabling quite inexpensive but highly efficient routers. Hence, we consider our work as a further milestone towards the development and the dissemination of low-cost and high performance onion relays that hopefully ultimately leads again to a more private Internet.
Keywords: Internet; computer network security; cryptographic protocols; data privacy; embedded systems; routing protocols; system-on-chip; telecommunication traffic; SoC; THOR; Tor protocol; Xilinx Zynq platform; complex cryptographic operations; cryptographic handshake; data stream encryption; embedded devices; global Internet traffic; hardware onion router; hardware-based implementation; modern reconfigurable devices; onion routing protocol; routing nodes handshake; security; Computer architecture; Encryption; Hardware; Protocols; Relays; Software (ID#: 15-6686)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6927408&isnumber=6927322
Sapio, A.; Baldi, M.; Liao, Y.; Ranjan, G.; Risso, F.; Tongaonkar, A.; Torres, R.; Nucci, A., “MAPPER: A Mobile Application Personal Policy Enforcement Router for Enterprise Networks,” Software Defined Networks (EWSDN), 2014 Third European Workshop on, vol., no., pp. 131, 132, 1-3 Sept. 2014. doi:10.1109/EWSDN.2014.9
Abstract: MAPPER is a system for enforcing user-specific policies based on the availability of access nodes that support the capability to dynamically load and execute processing modules on the data path. This work leverages a network access node that, after authenticating a connecting user, loads a set of lightweight virtual machines that process traffic terminated on the user device to implement articulated user-specific access policies. Specifically, we demonstrate how a man-in-the-middle-proxy module, dynamically and opportunistically combined with a module capable of mobile application identification, can implement complex access policies. The man-in-the-middle-proxy module enables MAPPER policies to be applied to both clear and HTTPS traffic, while an intelligent traffic classification system, provides support for policies based on over 250,000 mobile apps spanning both Android and iOS platforms.
Keywords: Android (operating system); business communication; iOS (operating system); mobile computing; security of data; telecommunication network routing; virtual machines; Android platform; MAPPER; articulated user specific access policies; complex access policies; enterprise networks; iOS platform; intelligent traffic classification system; lightweight virtual machines; mobile application personal policy enforcement router; network access node; user authentication; userspecific policies; Conferences; Europe; Mobile communication; Mobile computing; Monitoring; Smart phones; Virtual machining; apps; network; policy; virtualization (ID#: 15-6687)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6984070&isnumber=6984033
Ganegedara, T.; Weirong Jiang; Prasanna, V.K., “A Scalable and Modular Architecture for High-Performance Packet Classification,” Parallel and Distributed Systems, IEEE Transactions on, vol. 25, no.5, pp. 1135, 1144, May 2014. doi:10.1109/TPDS.2013.261
Abstract: Packet classification is widely used as a core function for various applications in network infrastructure. With increasing demands in throughput, performing wire-speed packet classification has become challenging. Also the performance of today's packet classification solutions depends on the characteristics of rulesets. In this work, we propose a novel modular Bit-Vector (BV) based architecture to perform high-speed packet classification on Field Programmable Gate Array (FPGA). We introduce an algorithm named StrideBV and modularize the BV architecture to achieve better scalability than traditional BV methods. Further, we incorporate range search in our architecture to eliminate ruleset expansion caused by range-to-prefix conversion. The post place-and-route results of our implementation on a state-of-the-art FPGA show that the proposed architecture is able to operate at 100+ Gbps for minimum size packets while supporting large rulesets up to 28 K rules using only the on-chip memory resources. Our solution is ruleset-feature independent, i.e. the above performance can be guaranteed for any ruleset regardless the composition of the ruleset.
Keywords: field programmable gate arrays; packet switching; FPGA; core function; field programmable gate array; high performance packet classification solutions; high speed packet classification; modular architecture; modular bit vector; network infrastructure; on-chip memory resources; range-to-prefix conversion; ruleset expansion; ruleset-feature independent; scalable architecture; wire speed packet classification; Arrays; Field programmable gate arrays; Hardware; Memory management; Pipelines; Throughput; Vectors; ASIC; FPGA; Packet classification; firewall; hardware architectures; network security; networking; router (ID#: 15-6688)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6627892&isnumber=6786006
Fadlallah, A., “Adaptive Probabilistic Packet Marking Scheme for IP Traceback,” Computer Applications and Information Systems (WCCAIS), 2014 World Congress on, vol., no., pp. 1, 5, 17-19 Jan. 2014. doi:10.1109/WCCAIS.2014.6916548
Abstract: IP Traceback is a fundamental mechanism in defending against cyber-attacks in particular the denial of service (DoS) attacks. Many schemes have been proposed in the literature; in particular, Probabilistic Packet Marking (PPM) schemes were in the center of the researchers’ attention given their scalability and thus their ability to trace distributed attacks such as distributed denial of service attacks (DDoS). A major issue in PPM-based schemes is the fixed marking probability, which reduces the probability of getting marked packets from routers far away from the victim given that their marked packets have a higher probability to be re-marked by routers near the victim. This increases the number of packets required to reconstruct the attack path. In this paper, we propose a simple, yet efficient solution for this issue by letting the routers adapt their marking probability based on the number of packets they have previously re-marked. We compare our scheme to the original PPM through extensive simulations. The results clearly show the improvement brought by our proposed marking scheme.
Keywords: IP networks; computer network security; probability; DDoS attacks; IP traceback; PPM schemes; PPM-based schemes; adaptive probabilistic packet marking scheme; cyber-attacks; distributed denial of service attacks; marking probability; Computers; Filtering theory; Internet; Probabilistic logic; Radiation detectors; Simulation; Denial of Service attacks; IP traceback; Probabilistic Packet Marking (ID#: 15-6689)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6916548&isnumber=6916540
Liang Chen, “Secure Network Coding for Wireless Routing,” Communications (ICC), 2014 IEEE International Conference on, vol., no., pp. 1941, 1946, 10-14 June 2014. doi:10.1109/ICC.2014.6883607
Abstract: Nowadays networking is secure because we encrypt the confidential messages with the underlying assumption that adversaries in the network are computationally bounded. For traditional routing or network coding, routers know the contents of the packets they receive. Networking is not secure any more if there are eavesdroppers with infinite computational power at routers. Our concern is whether we can achieve stronger security at routers. This paper proposes secure network coding for wireless routing. Combining channel coding and network coding, this scheme can not only provide physical layer security at wireless routers but also forward data error-free at a high rate. In the paper we prove this scheme can be applied to general networks for secure wireless routing.
Keywords: channel coding; telecommunication network routing; channel coding; forward data error-free; physical layer security; secure network coding; secure wireless routing; Communication system security; Network coding; Protocols; Relays; Routing; Security; Throughput; information-theoretic secrecy; network coding; network information theory; wireless routing (ID#: 15-6690)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6883607&isnumber=6883277
Krishnan, R.; Krishnaswamy, D.; Mcdysan, D., “Behavioral Security Threat Detection Strategies for Data Center Switches and Routers,” Distributed Computing Systems Workshops (ICDCSW), 2014 IEEE 34th International Conference on, vol., no., pp. 82, 87, June 30 2014–July 3 2014. doi:10.1109/ICDCSW.2014.19
Abstract: Behavioral security threats such as Distributed Denial of Service (DDoS) attacks are an ongoing problem in large scale Data Centers (DC) and pose huge performance challenges to DC operators. Typically, a dedicated Firewall/DDoS appliance is needed for Layer 2-7 behavioral security threat detection and mitigation. This solution is cost prohibitive for large scale multi-tenant DCs with high throughput performance needs. This paper examines various Layer 2-4 behavioral security threat detection methods and assists which are implement able in the switches and routers at low cost. For DCs, this complements the overall behavioral security threat detection strategy and enables operators to offer tiered services. Extensions to emerging NFV and SDN scenarios are also discussed.
Keywords: computer centres; computer network security; DC; DDoS attack; behavioral security threat detection strategy; data center routers; data center switches; distributed denial-of-service attack; firewall; high throughput performance needs; software defined networking; Bandwidth; Computer crime; Home appliances; IP networks; Image edge detection; Servers; Data Center; Distributed Denial of Service; NFV; SDN; Security; Threat Detection (ID#: 15-6691)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6888844&isnumber=6888817
Abirami, R.; Premalatha, G., “Depletion of Vampire Attacks in Medium Access Control Level Using Interior Gateway Routing Protocol,” Information Communication and Embedded Systems (ICICES), 2014 International Conference on, vol., no., pp. 1,5, 27-28 Feb. 2014. doi:10.1109/ICICES.2014.7033801
Abstract: A wireless sensor network is a group of network nodes which collaborate with each other in a sophisticated fashion. It is built of nodes from a few to several hundreds or even thousands, where each node is connected to one (or sometimes several) sensors. In WSN, Second layer of the OSI reference layer is a data link layer which has a sub layer of Medium Access Control. The choice of Medium Access Control (MAC) protocol has a direct bearing on the reliability and efficiency of network transmissions due to errors and interferences in wireless communications and to other challenges. They are primarily responsible for regulating access to the shared medium. There are a lot of protocols developed to protect from DOS attack, but it is not completely possible. One such DOS attack is vampire attacks which cause damage in network. Secure level is low; productivity reduces which leads to environmental disasters and cause loss in the information. Routing protocols play an important role in modern wireless communication networks. Hence propose Interior Gateway Routing Protocol (IGRP) where router used it to exchange routing data within an independent system. In WSN routing protocols find the route between nodes and ensure the consistent communication between the nodes in the network.
Keywords: access protocols; computer network security; routing protocols; wireless sensor networks; DOS attack; IGRP; MAC protocol; OSI reference layer; WSN routing protocols; data link layer; interior gateway routing protocol; medium access control level; medium access control protocol; network transmissions; routing data exchange; vampire attack depletion; wireless communication networks; wireless sensor network; Computer crime; Logic gates; Routing; Routing protocols; Sensors; Wireless sensor networks; DOS attack; IGRP; MAC; WSN (ID#: 15-6692)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7033801&isnumber=7033740
Fengjiao Li; Luyong Zhang; Dianjun Chen, “Vulnerability Mining of Cisco Router Based on Fuzzing,” Systems and Informatics (ICSAI), 2014 2nd International Conference on, vol., no., pp. 649, 653, 15-17 Nov. 2014. doi:10.1109/ICSAI.2014.7009366
Abstract: Router security analysis plays a vital role in maintaining network security. However, IOS, which runs in Cisco routers, has been proved carrying serious security risks. And in order to improve security, we need to conduct vulnerability mining on IOS. Currently, Fuzzing, as a simple and effective automated test technology, is widely used in vulnerability discovery. In this paper, we introduce a novel testing framework for Cisco routers. Based on this framework, we first generate test cases with Semi-valid Fuzzing Test Cases Generator (SFTCG), which considerably improves the test effectiveness and code coverage. After that, we develop a new Fuzzer based on SFTCG and then emulate Cisco router in Dynamips, which makes it easy to interact with GDB or IDA Pro for debugging. In order to supervise the Target, we employ a Monitor Module to check the status of the router regularly. Finally, through the experiment on ICMP protocol in IOS, we find the released vulnerabilities of Ping of Death and Denial of Service, which demonstrates the effectiveness of our proposed Fuzzer.
Keywords: computer network security; routing protocols; transport protocols; Cisco router mining; Denial of Service; GDB; ICMP protocol; IDA; IOS; SFTCG; dynamip; internet control message protocol; monitor module; network security; router security risk analysis; semivalid fuzzing test case generator; target supervision; Communication networks; Debugging; Monitoring; Routing protocols; Security; Testing; Cisco IOS; Fuzzing; SFTCG; Vulnerability (ID#: 15-6693)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7009366&isnumber=7009247
Kekai Hu; Wolf, T.; Teixeira, T.; Tessier, R., “System-Level Security for Network Processors with Hardware Monitors,” Design Automation Conference (DAC), 2014 51st ACM/EDAC/IEEE, vol., no., pp. 1, 6, 1-5 June 2014. doi: (not provided)
Abstract: New attacks are emerging that target the Internet infrastructure. Modern routers use programmable network processors that may be exploited by merely sending suitably crafted data packets into a network. Hardware monitors that are co-located with processor cores can detect attacks that change processor behavior with high probability. In this paper, we present a solution to the problem of secure, dynamic installation of hardware monitoring graphs on these devices. We also address the problem of how to overcome the homogeneity of a network with many identical devices, where a successful attack, albeit possible only with small probability, may have devastating effects.
Keywords: computer network management; computer network security; cryptography; multiprocessing systems; Internet infrastructure; data packets; dynamic installation; hardware monitoring graphs; hardware monitors; modern routers; processor behavior; processor cores; programmable network processors; Hardware; Monitoring; Program processors; Prototypes; Public key (ID#: 15-6694)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6881538&isnumber=6881325
Biswas, J.; Gupta, A.; Singh, D., “WADP: A Wormhole Attack Detection and Prevention Technique in MANET Using Modified AODV Routing Protocol,” Industrial and Information Systems (ICIIS), 2014 9th International Conference on, vol., no., pp. 1, 6,
15-17 Dec. 2014. doi:10.1109/ICIINFS.2014.7036535
Abstract: Mobile Ad hoc Networks (MANETs) are prone to a variety of attacks due to their unique characteristics like dynamic topology, open wireless medium, absence of infrastructure, multi hop nature and resource constraints. A node in MANET acts not only as an end terminal but both as router and client. In this way, multi-hop communication occurs in MANETs and thus it becomes much more difficult task to establish a secure path between the source and destination. The objective of this work is to overcome a special kind of attack called wormhole attack launched by at least two colluding nodes within a network. In this research paper work, some modifications has been done in AODV routing protocol to detect and remove wormhole attack in real-world MANET. Wormhole attack detection and prevention algorithm, WADP, has been implemented in modified AODV. Also node authentication has been used to detect malicious nodes and remove false positive problem that may arise in WADP algorithm. Node authentication not only removes false positive but also helps in mapping exact location of wormhole and is a kind of double verification for wormhole attack detection. Simulation results prove the theory.
Keywords: invasive software; mobile ad hoc networks; routing protocols; telecommunication network topology; telecommunication security; AODV routing protocol; MANET; WADP algorithm; dynamic topology; multihop communication; node authentication; open wireless medium; wormhole attack detection and prevention technique; Authentication; Delays; IP networks; Mobile ad hoc networks; Monitoring; Routing protocols; Synchronization; attack modes; modified AODV; wireless ad hoc network; wormhole nodes (ID#: 15-6695)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7036535&isnumber=7036459
Shankar, S.S.; Lin PinXing; Herkersdorf, A., “Deep Packet Inspection in Residential Gateways and Routers: Issues and Challenges,” Integrated Circuits (ISIC), 2014 14th International Symposium on, vol., no., pp. 560, 563, 10-12 Dec. 2014. doi:10.1109/ISICIR.2014.7029481
Abstract: Several industry trends and new applications have brought the residential gateway router (RGR) to the center of digital home with direct connectivity to the service provider’s network. Increasing risks of network attacks have necessitated the need for deep packet inspection in network processor (NP) used by RGR to match traffic at multiple gigabit throughput. Traditional deep packet inspection (DPI) implementations primarily focus on end hosts like servers, personal / handheld computers. Existing DPI signature matching techniques cannot be directly implemented in RGR due to various issues and challenges pertaining to processing capacity of the NP and associated memory constraints. So 4 key factors, regular expression support, gigabit throughput, scalability and ease of signature updates has been proposed through which best signature matching system could be designed for efficient DPI implementation in RGR.
Keywords: computer network security; digital signatures; internetworking; telecommunication network routing; telecommunication traffic; DPI implementation; DPI signature matching techniques; NP processing capacity; RGR; deep-packet inspection; digital home; ease-of-signature update factor; gigabit throughput factor; memory constraints; network attack risks; network processor; network traffic; regular expression support factor; residential gateway router; scalability factor; service provider network; Algorithm design and analysis; Automata; Inspection; Memory management; Pattern matching; Software; Throughput; Deep Packet Inspection; Network Security; Regular Expressions; Residential Gateway and Router (ID#: 15-6696)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7029481&isnumber=7029433
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.