Do you want to publish a course? Click here

SMap: Internet-wide Scanning for Ingress Filtering

63   0   0.0 ( 0 )
 Added by Tianxiang Dai
 Publication date 2020
and research's language is English




Ask ChatGPT about the research

To protect from attacks, networks need to enforce ingress filtering. Despite the importance, the existing studies do not allow to infer the extent of ingress filtering at Internet-scale, providing results with only a limited coverage: they can either measure networks that operate servers with faulty network-stack implementations, or require installation of the measurement software by volunteers, or assume specific properties, like traceroute loops, which are challenging to reproduce in practice. Improving coverage of the spoofing measurements is critical. In this work we present the Spoofing Mapper (SMap): the first scanner for performing Internet-wide studies of enforcement of ingress filtering. The SMap measurement methodology utilises standard protocols behaviour that are present in almost any network. SMap not only provides better coverage of ingress-filtering measurements, but it is also more effective than the previous approaches. We applied SMap for Internet-wide measurements: we found that 21% of all the Autonomous Systems (ASes) in the Internet do not filter spoofed packets, in contrast to 2.5% ASes identified by the most recent study with volunteers (of the Spoofer Project), as well as 13173 new spoofable ASes, which were not detected by the other tools. Our study with SMap provides the most comprehensive view of ingress filtering deployment in the Internet and remediation in filtering spoofed packets over a period of six months until February 2020. SMap is simple to use and does not require installation on the tested network nor coordination with the tested networks. We set up a web service at http://to_be_revealed/ which reports statistics from SMap evaluations and enables continual Internet-wide data collection and analysis. We also make our datasets as well as the SMap tool publicly available to enable researchers to reproduce and validate the results.



rate research

Read More

Due to increasing digitalization, formerly isolated industrial networks, e.g., for factory and process automation, move closer and closer to the Internet, mandating secure communication. However, securely setting up OPC UA, the prime candidate for secure industrial communication, is challenging due to a large variety of insecure options. To study whether Internet-facing OPC UA appliances are configured securely, we actively scan the IPv4 address space for publicly reachable OPC UA systems and assess the security of their configurations. We observe problematic security configurations such as missing access control (on 24% of hosts), disabled security functionality (24%), or use of deprecated cryptographic primitives (25%) on in total 92% of the reachable deployments. Furthermore, we discover several hundred devices in multiple autonomous systems sharing the same security certificate, opening the door for impersonation attacks. Overall, in this paper, we highlight commonly found security misconfigurations and underline the importance of appropriate configuration for security-featuring protocols.
Internet of Things (IoT) based applications face an increasing number of potential security risks, which need to be systematically assessed and addressed. Expert-based manual assessment of IoT security is a predominant approach, which is usually inefficient. To address this problem, we propose an automated security assessment framework for IoT networks. Our framework first leverages machine learning and natural language processing to analyze vulnerability descriptions for predicting vulnerability metrics. The predicted metrics are then input into a two-layered graphical security model, which consists of an attack graph at the upper layer to present the network connectivity and an attack tree for each node in the network at the bottom layer to depict the vulnerability information. This security model automatically assesses the security of the IoT network by capturing potential attack paths. We evaluate the viability of our approach using a proof-of-concept smart building system model which contains a variety of real-world IoT devices and potential vulnerabilities. Our evaluation of the proposed framework demonstrates its effectiveness in terms of automatically predicting the vulnerability metrics of new vulnerabilities with more than 90% accuracy, on average, and identifying the most vulnerable attack paths within an IoT network. The produced assessment results can serve as a guideline for cybersecurity professionals to take further actions and mitigate risks in a timely manner.
Quantum computing represents an emerging threat to the public key infrastructure underlying transport layer security (TLS) widely used in the Internet. This paper describes how QKD symmetric keys can be used with TLS to provide quantum computing resistant security for existing Internet applications. We also implement and test a general hybrid key delivery architecture with QKD over long distance fibers between secure sites, and wireless key distribution over short distance within each site Finally we show how this same capability can be extended to a TLS cipher scheme with perfect security.
Key generation is a promising technique to bootstrap secure communications for the Internet of Things (IoT) devices that have no prior knowledge between each other. In the past few years, a variety of key generation protocols and systems have been proposed. In this survey, we review and categorise recent key generation systems based on a novel taxonomy. Then, we provide both quantitative and qualitative comparisons of existing approaches. We also discuss the security vulnerabilities of key generation schemes and possible countermeasures. Finally, we discuss the current challenges and point out several potential research directions.
Obtaining and maintaining anonymity on the Internet is challenging. The state of the art in deployed tools, such as Tor, uses onion routing (OR) to relay encrypted connections on a detour passing through randomly chosen relays scattered around the Internet. Unfortunately, OR is known to be vulnerable at least in principle to several classes of attacks for which no solution is known or believed to be forthcoming soon. Current approaches to anonymity also appear unable to offer accurate, principled measurement of the level or quality of anonymity a user might obtain. Toward this end, we offer a high-level view of the Dissent project, the first systematic effort to build a practical anonymity system based purely on foundations that offer measurable and formally provable anonymity properties. Dissent builds on two key pre-existing primitives - verifiable shuffles and dining cryptographers - but for the first time shows how to scale such techniques to offer measurable anonymity guarantees to thousands of participants. Further, Dissent represents the first anonymity system designed from the ground up to incorporate some systematic countermeasure for each of the major classes of known vulnerabilities in existing approaches, including global traffic analysis, active attacks, and intersection attacks. Finally, because no anonymity protocol alone can address risks such as software exploits or accidental self-identification, we introduce WiNon, an experimental operating system architecture to harden the uses of anonymity tools such as Tor and Dissent against such attacks.
comments
Fetching comments Fetching comments
Sign in to be able to follow your search criteria
mircosoft-partner

هل ترغب بارسال اشعارات عن اخر التحديثات في شمرا-اكاديميا