We consider network security exercises where students construct virtual networks with User-mode Linux (UML) virtual machines and then execute attack and defense activities on these networks. In an older version of the exercise system, the students accessed the desktop screens of the remote servers running UMLs with Windows applications and then built networks by executing UML commands. However, performing the exercises remotely (e.g., due to the COVID-19 pandemic) resulted in difficulties due to factors such as the dependency of the work environment on specific operating systems, narrow-band networks, as well as issues in providing support for configuring UMLs. In this paper, a novel web-based hands-on system with intuitive and seamless operability and lightweight responsiveness is proposed in order to allow performing the considered exercises while avoiding the mentioned shortcomings. The system provides web pages for editing device layouts and cable connections by mouse operations intuitively, web pages connecting to UML terminals, and web pages for operating X clients running on UMLs. We carried out experiments for evaluating the proposed system on the usability, system performance, and quality of experience. The subjects offered positive assessments on the operability and no negative assessments on the responsiveness. As for command inputs in terminals, the response time was shorter and the traffic was much smaller in comparison with the older system. Furthermore, the exercises using nano required at least 16 kbps bandwidth and ones using wireshark required at least 2048 kbps bandwidth.

HTTP Distributed Denial of Service (DDoS) flooding attack aims to deplete the connection resources of a targeted web server by transmitting a massive amount of HTTP request packets using botnets. This type of attack seriously deteriorates the service quality of the web server by tying up its connection resources and uselessly holds up lots of network resources like link capacity and switching capability. This paper proposes a defense method for mitigating HTTP DDoS flooding attack based on software-defined networking (SDN). It is demonstrated in this paper that the proposed method can effectively defend the web server and preserve network resources against HTTP DDoS flooding attacks.

Computer networks are facing serious threats from the emergence of sophisticated new DGA bots. These DGA bots have their own dictionary, from which they concatenate words to dynamically generate domain names that are difficult to distinguish from human-generated domain names. In this letter, we propose an approach for identifying the callback communications of DGA bots based on relations among the words that constitute the character string of each domain name. Our evaluation indicates high performance, with a recall of 0.9977 and a precision of 0.9869.

With the rapid evolution and increase of cyberthreats in recent years, it is necessary to detect and understand it promptly and precisely to reduce the impact of cyberthreats. A darknet, which is an unused IP address space, has a high signal-to-noise ratio, so it is easier to understand the global tendency of malicious traffic in cyberspace than other observation networks. In this paper, we aim to capture global cyberthreats in real time. Since multiple hosts infected with similar malware tend to perform similar behavior, we propose a system that estimates a degree of synchronizations from the patterns of packet transmission time among the source hosts observed in unit time of the darknet and detects anomalies in real time. In our evaluation, we perform our proof-of-concept implementation of the proposed engine to demonstrate its feasibility and effectiveness, and we detect cyberthreats with an accuracy of 97.14%. This work is the first practical trial that detects cyberthreats from in-the-wild darknet traffic regardless of new types and variants in real time, and it quantitatively evaluates the result.

Mobile wireless sensor networks (WSNs) are facing threats from malicious nodes that disturb packet transmissions, leading to poor mobile WSN performance. Existing studies have proposed a number of methods, such as decision tree-based classification methods and reputation based methods, to detect these malicious nodes. These methods assume that the malicious nodes follow only pre-defined attack models and have no learning ability. However, this underestimation of the capability of malicious node is inappropriate due to recent rapid progresses in machine learning technologies. In this study, we design reinforcement learning-based malicious nodes, and define a novel observation space and sparse reward function for the reinforcement learning. We also design an adaptive learning method to detect these smart malicious nodes. We construct a robust classifier, which is frequently updated, to detect these smart malicious nodes. Extensive experiments show that, in contrast to existing attack models, the developed malicious nodes can degrade network performance without being detected. We also investigate the performance of our detection method, and confirm that the method significantly outperforms the state-of-the-art methods in terms of detection accuracy and false detection rate.

More and more attacks are found due to the insecure channel between different network domains in legacy mobile network. In this letter, we discover an attack exploiting SUCI to track a subscriber in 5G network, which is directly caused by the insecure air channel. To cover this issue, a secure authentication scheme is proposed utilizing the existing PKI mechanism. Not only dose our protocol ensure the authentication signalling security in the channel between UE and SN, but also SN and HN. Further, formal methods are adopted to prove the security of the proposed protocol.

Due to the depletion of the public IPv4 address pool, the transition to IPv6 became inevitable. However, this ongoing transition is taking a long time, and the two incompatible versions of the Internet Protocol must coexist. Different IPv6 transition technologies were developed, which can be used to enable communication in various scenarios, but they also involve additional security issues. In this paper, first, we introduce our methodology for analyzing the security of IPv6 transition technologies in a nutshell. Then, we develop a priority classification method for the ranking of different IPv6 transition technologies and their most important implementations, so that the vulnerabilities of the most crucial ones may be examined first. Next, we conduct a comprehensive survey of the existing IPv6 transition technologies by describing their application scenarios and the basics of their operation and we also determine the priorities of their security analysis according to our ranking system. Finally, we show that those IPv6 transition technologies that we gave high priorities, cover the most relevant scenarios.

In this paper we show a simple heuristic for constructing smaller automata for a set of regular expressions, based on suffix sorting: finding common prefixes and suffixes in regular expressions and merging them. It is an important problem in network security. We applied our approach to random and real-world regular expressions. Experimental results showed that our approach yields up to 12 times enhancement in throughput.

Wireless Sensor Networks (WSNs) are randomly deployed in a hostile environment and left unattended. These networks are composed of small auto mouse sensor devices which can monitor target information and send it to the Base Station (BS) for action. The sensor nodes can easily be compromised by an adversary and the compromised nodes can be used to inject false vote or false report attacks. To counter these two kinds of attacks, the Probabilistic Voting-based Filtering Scheme (PVFS) was proposed by Li and Wu, which consists of three phases; 1) Key Initialization and assignment, 2) Report generation, and 3) En-route filtering. This scheme can be a successful countermeasure against these attacks, however, when one or more nodes are compromised, the re-distribution of keys is not handled. Therefore, after a sensor node or Cluster Head (CH) is compromised, the detection power and effectiveness of PVFS is reduced. This also results in adverse effects on the sensor network's lifetime. In this paper, we propose a Fuzzy Rule-based Key Redistribution Method (FRKM) to address the limitations of the PVFS. The experimental results confirm the effectiveness of the proposed method by improving the detection power by up to 13.75% when the key-redistribution period is not fixed. Moreover, the proposed method achieves an energy improvement of up to 9.2% over PVFS.

Distributed Denial of Service (DDoS) attacks based on HTTP and HTTPS (i.e., HTTP(S)-DDoS) are increasingly popular among attackers. Overlay-based mitigation solutions attract small and medium-sized enterprises mainly for their low cost and high scalability. However, conventional overlay-based solutions assume content inspection to remotely mitigate HTTP(S)-DDoS attacks, prompting trust concerns. This paper reports on a new overlay-based method which practically adds a third level of client identification (to conventional per-IP and per-connection). This enhanced identification enables remote mitigation of more complex HTTP(S)-DDoS categories without content inspection. A novel behavior-based reputation and penalty system is designed, then a simplified proof of concept prototype is implemented and deployed on DeterLab. Among several conducted experiments, two are presented in this paper representing a single-vector and a multi-vector complex HTTP(S)-DDoS attack scenarios (utilizing LOIC, Slowloris, and a custom-built attack tool for HTTPS-DDoS). Results show nearly 99.2% reduction in attack traffic and 100% chance of legitimate service. Yet, attack reduction decreases, and cost in service time (of a specified file) rises, temporarily during an approximately 2 minutes mitigation time. Collateral damage to non-attacking clients sharing an attack IP is measured in terms of a temporary extra service time. Only the added identification level was utilized for mitigation, while future work includes incorporating all three levels to mitigate switching and multi-request per connection attack categories.

Network servers and applications commonly use static IP addresses and communication ports, making themselves easy targets for network reconnaissances and attacks. Moving target defense (MTD) is an innovatory and promising proactive defense technique. In this paper, we develop a novel MTD mechanism, called Random Port and Address Hopping (RPAH). The goal of RPAH is to hide network servers and applications and resist network reconnaissances and attacks by constantly changing their IP addresses and ports. In order to enhance the unpredictability, RPAH integrates source identity, service identity and temporal parameter in the hopping to provide three hopping frequencies, i.e., source hopping, service hopping and temporal hopping. RPAH provides high unpredictability and the maximum hopping diversities by introducing port and address demultiplexing mechanism, and provides a convenient attack detection mechanism with which the messages from attackers using invalid or inactive addresses/ports will be conveniently detected and denied. Our experiments and evaluation on campus network and PlanetLab show that RPAH is effective in resisting various network reconnaissance and attack models such as network scanning and worm propagation, while introducing an acceptable operation overhead.

The availability is an important issue of software-defined networking (SDN). In this paper, the experiments based on a SDN testbed showed that the resource utilization of the data plane and control plane changed drastically when DDoS attacks happened. This is mainly because the DDoS attacks send a large number of fake flows to network in a short time. Based on the observation and analysis, a DDoS defense mechanism based on legitimate source and destination IP address database is proposed in this paper. Firstly, each flow is abstracted as a source-destination IP address pair and a legitimate source-destination IP address pair database (LSDIAD) is established by historical normal traffic trace. Then the proportion of new source-destination IP address pair in the traffic per unit time is cumulated by non-parametric cumulative sum (CUSUM) algorithm to detect the DDoS attacks quickly and accurately. Based on the alarm from the non-parametric CUSUM, the attack flows will be filtered and redirected to a middle box network for deep analysis via south-bound API of SDN. An on-line updating policy is adopted to keep the LSDIAD timely and accurate. This mechanism is mainly implemented in the controller and the simulation results show that this mechanism can achieve a good performance in protecting SDN from DDoS attacks.

Protecting control planes in networking hardware from high rate packets is a critical issue for networks under operation. One common approach for conventional networking hardware is to offload expensive functions onto hard-wired offload engines as ASICs. This approach is inadequate for OpenFlow networks because it restricts a certain amount of flexibility for network control that OpenFlow tries to provide. Therefore, we need a control plane protection mechanism in OpenFlow switches as a last resort, while preserving flexibility for network control. In this paper, we propose a mechanism to filter out Packet-In messages, which include packets handled by the control plane in OpenFlow networks, without dropping important ones for network control. Switches record values of packet header fields before sending Packet-In messages, and filter out packets that have the same values as the recorded ones. The controllers set the header fields in advance whose values must be recorded, and the header fields are selected based on controller design. We have implemented and evaluated the proposed mechanism on a prototype software switch, concluding that it dramatically reduces CPU loads on switches while passes important Packet-In messages for network control.

This letter presents a method to adaptively counter false data injection attacks (FDIAs) in wireless sensor networks, in which a fuzzy rule-based system detects FDIAs and chooses the most appropriate countermeasures. The method does not require en-route verification processes and manual parameter settings. The effectiveness of the method is shown with simulation results.

When attackers compromise a client system, they can steal user input. We propose a distributed one-time keyboard system to prevent information leakage via keyboard typing. We define the problem of secure keyboard arrangement over distributed multi-devices and channels. An analytical model is proposed for the optimal keyboard layout.

Single-packet attack can be tracked with logging-based IP traceback approaches, whereas DDoS attack can be tracked with marking-based approaches. However, both approaches have their limits. Logging-based approaches incur heavy overhead for packet-digest storage as well as time overhead for both path recording and recovery. Marking-based approaches incur little traceback overhead but are unable to track single packets. Simply deploying both approaches in the same network to deal with single-packet and DDoS attacks is not an efficient solution due to the heavy traceback overhead. Recent studies suggest that hybrid approaches are more efficient as they consume less router memory to store packet digests and require fewer attack packets to recover attack paths. Thus, the hybrid single packet traceback approach is more promising in efficiently tracking both single-packet and DDoS attacks. The major challenge lies in reducing storage and time overhead while maintaining single-packet traceback capability. We present in this paper a new hybrid approach to efficiently track single-packet attacks by designing a novel path fragment encoding scheme using the orthogonality of Walsh matrix and the degree distribution characteristic of router-level topologies. Compared to HIT (Hybrid IP Traceback), which, to the best of our knowledge, is the most efficient hybrid approach for single-packet traceback, our approach has three advantages. First, it reduces the overhead by 2/3 in both storage and time for recording packet paths. Second, the time overhead for recovering packet paths is also reduced by a calculatable amount. Finally, our approach generates no more than 2/3 of the false-positive paths generated by HIT.

Fast string matching is essential for deep packet inspection (DPI). Traditional string matchers cannot keep up with the continuous increases in data rates due to their natural speed limits. We add a multi-byte processing prefilter to the traditional string matcher to detect target patterns on a multiple character basis. The proposed winnowing prefilter significantly reduces the number of identity blocks, thereby reducing the memory requirements.

This paper proposes a bit-split string matcher architecture for a memory-efficient hardware-based parallel pattern matching engine. In the proposed bit-split string matcher, multiple finite-state machine (FSM) tiles share match vectors to reduce the required number of stored match vectors. By decreasing the memory size for storing match vectors, the total memory requirement can be minimized.

Detecting spreaders, or scan sources, helps intrusion detection systems (IDS) identify potential attackers. The existing work can only detect aggressive spreaders that scan a large number of distinct destinations in a short period of time. However, stealthy spreaders may perform scanning deliberately at a low rate. We observe that these spreaders can easily evade the detection because current IDS's have serious limitations. Being lightweight, the proposed scheme can detect scan sources in high speed networking while residing in SRAM. By theoretical analysis and experiments on real Internet traffic traces, we demonstrate that the proposed scheme detects stealthy spreaders successfully.

In ubiquitous sensor networks, extra energy savings can be achieved by selecting the filtering solution to counter the attack. This adaptive selection process employs a fuzzy rule-based system for selecting the best solution, as there is uncertainty in the reasoning processes as well as imprecision in the data. In order to maximize the performance of the fuzzy system the membership functions should be optimized. However, the efforts required to perform this optimization manually can be impractical for commonly used applications. This paper presents a GA-based membership function optimizer for fuzzy adaptive filtering (GAOFF) in ubiquitous sensor networks, in which the efficiency of the membership functions is measured based on simulation results and optimized by GA. The proposed optimization consists of three units; the first performs a simulation using a set of membership functions, the second evaluates the performance of the membership functions based on the simulation results, and the third constructs a population representing the membership functions by GA. The proposed method can optimize the membership functions automatically while utilizing minimal human expertise.