Visible to the public Biblio

Found 248 results

Filters: Keyword is IP networks  [Clear All Filters]
Dishington, Cole, Sharma, Dilli P., Kim, Dong Seong, Cho, Jin-Hee, Moore, Terrence J., Nelson, Frederica F..  2019.  Security and Performance Assessment of IP Multiplexing Moving Target Defence in Software Defined Networks. 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). :288–295.
With the interconnection of services and customers, network attacks are capable of large amounts of damage. Flexible Random Virtual IP Multiplexing (FRVM) is a Moving Target Defence (MTD) technique that protects against reconnaissance and access with address mutation and multiplexing. Security techniques must be trusted, however, FRVM, along with past MTD techniques, have gaps in realistic evaluation and thorough analysis of security and performance. FRVM, and two comparison techniques, were deployed on a virtualised network to demonstrate FRVM's security and performance trade-offs. The key results include the security and performance trade-offs of address multiplexing and address mutation. The security benefit of IP address multiplexing is much greater than its performance overhead, deployed on top of address mutation. Frequent address mutation significantly increases an attackers' network scan durations as well as effectively obfuscating and hiding network configurations.
Ezick, James, Henretty, Tom, Baskaran, Muthu, Lethin, Richard, Feo, John, Tuan, Tai-Ching, Coley, Christopher, Leonard, Leslie, Agrawal, Rajeev, Parsons, Ben et al..  2019.  Combining Tensor Decompositions and Graph Analytics to Provide Cyber Situational Awareness at HPC Scale. 2019 IEEE High Performance Extreme Computing Conference (HPEC). :1–7.
This paper describes MADHAT (Multidimensional Anomaly Detection fusing HPC, Analytics, and Tensors), an integrated workflow that demonstrates the applicability of HPC resources to the problem of maintaining cyber situational awareness. MADHAT combines two high-performance packages: ENSIGN for large-scale sparse tensor decompositions and HAGGLE for graph analytics. Tensor decompositions isolate coherent patterns of network behavior in ways that common clustering methods based on distance metrics cannot. Parallelized graph analysis then uses directed queries on a representation that combines the elements of identified patterns with other available information (such as additional log fields, domain knowledge, network topology, whitelists and blacklists, prior feedback, and published alerts) to confirm or reject a threat hypothesis, collect context, and raise alerts. MADHAT was developed using the collaborative HPC Architecture for Cyber Situational Awareness (HACSAW) research environment and evaluated on structured network sensor logs collected from Defense Research and Engineering Network (DREN) sites using HPC resources at the U.S. Army Engineer Research and Development Center DoD Supercomputing Resource Center (ERDC DSRC). To date, MADHAT has analyzed logs with over 650 million entries.
Guo, Qingrui, Xie, Peng, Li, Feng, Guo, Xuerang, Li, Yutao, Ma, Lin.  2019.  Research on Linkage Model of Network Resource Survey and Vulnerability Detection in Power Information System. 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). :1068–1071.
this paper first analyses the new challenges of power information network management, difficulties of the power information network resource survey and vulnerability detection are proposed. Then, a linkage model of network resource survey and vulnerability detection is designed, and the framework of three modules in the model is described, meanwhile the process of network resources survey and vulnerability detection linkage is proposed. Finally, the implementation technologies are given corresponding to the main functions of each module.
Byun, Minjae, Lee, Yongjun, Choi, Jin-Young.  2019.  Risk and avoidance strategy for blocking mechanism of SDN-based security service. 2019 21st International Conference on Advanced Communication Technology (ICACT). :187–190.
Software-Defined Network (SDN) is the dynamic network technology to address the issues of traditional networks. It provides centralized view of the whole network through decoupling the control planes and data planes of a network. Most SDN-based security services globally detect and block a malicious host based on IP address. However, the IP address is not verified during the forwarding process in most cases and SDN-based security service may block a normal host with forged IP address in the whole network, which means false-positive. In this paper, we introduce an attack scenario that uses forged packets to make the security service consider a victim host as an attacker so that block the victim. We also introduce cost-effective risk avoidance strategy.
Singh, Neeraj Kumar, Mahajan, Vasundhara.  2019.  Fuzzy Logic for Reducing Data Loss during Cyber Intrusion in Smart Grid Wireless Network. 2019 IEEE Student Conference on Research and Development (SCOReD). :192–197.
Smart grid consists of smart devices to control, record and analyze the grid power flow. All these devices belong to the latest technology, which is used to interact through the wireless network making the grid communication network vulnerable to cyber attack. This paper deals with a novel approach using altering the Internet Protocol (IP) address of the smart grid communication network using fuzzy logic according to the degree of node. Through graph theory approach Wireless Communication Network (WCN) is designed by considering each node of the system as a smart sensor. In this each node communicates with other nearby nodes for exchange of data. Whenever there is cyber intrusion the WCN change its IP using proposed fuzzy rules, where higher degree nodes are given the preference to change first with extreme IP available in the system. Using the proposed algorithm, different IEEE test systems are simulated and compared with existing Dynamic Host Configuration Protocol (DHCP). The fuzzy logic approach reduces the data loss and improves the system response time.
Zhang, Junjie, Sun, Tianfu.  2019.  Multi-core Heterogeneous Video Processing System Design. 2019 IEEE 13th International Conference on Anti-counterfeiting, Security, and Identification (ASID). :178–182.
In order to accelerate the image processing speed, in this paper, a multi-core heterogeneous computing technology based on the Xilinx Zynq platform is proposed. The proposed technique could accelerate the real-time video image processing system through hardware acceleration. In order to verify the proposed technique, an Otsu binarized hardware-accelerated IP is designed in FPGA and interacts with ARM through the AXI bus. Compared with the existing homogeneous architecture processor computing, the image processing speed of the proposed technique with multi-core heterogeneous acceleration processing is significantly accelerated.
Zhang, Jiemin, Mao, Jian, Liu, Jinming, Tang, Zhi, Gu, Zhiling, Liu, Yongmei.  2019.  Cloud-based Multi-core Architecture against DNS Attacks. 2019 14th International Conference on Computer Science Education (ICCSE). :391–393.
The domain name resolution system provides support service for website visits as the basic service of the Internet. With the increase of DNS attacks, it has brought copious challenges to network security. The paper studies on the key defense technologies against DNS attacks based on the DNS principle. The multi-core customized to the DNS is adopted to analyze hardware kernel, while AI algorithms being realized for malicious flow cleaning and intelligent routing running on the cloud system established specifically for DNS. The designed DNS intelligent cloud system can provide high-efficiency domain name resolution in practice, while ensuring the network security.
Dan, Kenya, Kitagawa, Naoya, Sakuraba, Shuji, Yamai, Nariyoshi.  2019.  Spam Domain Detection Method Using Active DNS Data and E-Mail Reception Log. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). 1:896–899.

E-mail is widespread and an essential communication technology in modern times. Since e-mail has problems with spam mails and spoofed e-mails, countermeasures are required. Although SPF, DKIM and DMARC have been proposed as sender domain authentication, these mechanisms cannot detect non-spoofing spam mails. To overcome this issue, this paper proposes a method to detect spam domains by supervised learning with features extracted from e-mail reception log and active DNS data, such as the result of Sender Authentication, the Sender IP address, the number of each DNS record, and so on. As a result of the experiment, our method can detect spam domains with 88.09% accuracy and 97.11% precision. We confirmed that our method can detect spam domains with detection accuracy 19.40% higher than the previous study by utilizing not only active DNS data but also e-mail reception log in combination.

Zhuang, Yuan, Pang, Qiaoyue, Wei, Min.  2019.  Secure and Fast Multiple Nodes Join Mechanism for IPv6-Based Industrial Wireless Network. 2019 International Conference on Information Networking (ICOIN). :1–6.
More and more industrial devices are expected to connect to the internet seamlessly. IPv6-based industrial wireless network can solve the address resources limitation problem. It is a challenge about how to ensure the wireless node join security after introducing the IPv6. In this paper, we propose a multiple nodes join mechanism, which includes a timeslot allocation method and secure join process for the IPv6 over IEEE 802.15.4e network. The timeslot allocation method is designed in order to configure communication resources in the join process for the new nodes. The test platform is implemented to verify the feasibility of the mechanism. The result shows that the proposed mechanism can reduce the communication cost for multiple nodes join process and improve the efficiency.
Taib, Abidah Mat, Othman, Nor Arzami, Hamid, Ros Syamsul, Halim, Iman Hazwam Abd.  2019.  A Learning Kit on IPv6 Deployment and Its Security Challenges for Neophytes. 2019 21st International Conference on Advanced Communication Technology (ICACT). :419–424.
Understanding the IP address depletion and the importance of handling security issues in IPv6 deployment can make IT personnel becomes more functional and helpful to the organization. It also applied to the management people who are responsible for approving the budget or organization policy related to network security. Unfortunately, new employees or fresh graduates may not really understand the challenge related to IPv6 deployment. In order to be equipped with appropriate knowledge and skills, these people may require a few weeks of attending workshops or training. Thus, of course involving some implementation cost as well as sacrificing allocated working hours. As an alternative to save cost and to help new IT personnel become quickly educated and familiar with IPv6 deployment issues, this paper presented a learning kit that has been designed to include self-learning features that can help neophytes to learn about IPv6 at their own pace. The kit contains some compact notes, brief security model and framework as well as a guided module with supporting quizzes to maintain a better understanding of the topics. Since IPv6 is still in the early phase of implementation in most of developing countries, this kit can be an additional assisting tool to accelerate the deployment of IPv6 environment in any organization. The kit also can be used by teachers and trainers as a supporting tool in the classroom. The pre-alpha testing has attracted some potential users and the findings proved their acceptance. The kit has prospective to be further enhanced and commercialized.
Liang, Xiao, Chen, Heyao.  2019.  A SDN-Based Hierarchical Authentication Mechanism for IPv6 Address. 2019 IEEE International Conference on Intelligence and Security Informatics (ISI). :225–225.
The emergence of IPv6 protocol extends the address pool, but it also exposes all the Internet-connected devices to danger. Currently, there are some traditional schemes on security management of network addresses, such as prevention, traceability and encryption authentication, but few studies work on IPv6 protocol. In this paper, we propose a hierarchical authentication mechanism for the IPv6 source address with the technology of software defined network (SDN). This mechanism combines the authentication of three parts, namely the access network, the intra-domain and the inter-domain. And it can provide a fine-grained security protection for the devices using IPv6 addresses.
Li, Chunlei, Wu, Qian, Li, Hewu, Zhou, Jiang.  2019.  SDN-Ti: A General Solution Based on SDN to Attacker Traceback and Identification in IPv6 Networks. ICC 2019 - 2019 IEEE International Conference on Communications (ICC). :1–7.
Network attacks have become a growing threat to the current Internet. For the enhancement of network security and accountability, it is urgent to find the origin and identity of the adversary who misbehaves in the network. Some studies focus on embedding users' identities into IPv6 addresses, but such design cannot support the Stateless Address Autoconfiguration (SLAAC) protocol which is widely deployed nowadays. In this paper, we propose SDN-Ti, a general solution to traceback and identification for attackers in IPv6 networks based on Software Defined Network (SDN). In our proposal, the SDN switch performs a translation between the source IPv6 address of the packet and its trusted ID-encoded address generated by the SDN controller. The network administrator can effectively identify the attacker by parsing the malicious packets when the attack incident happens. Our solution not only avoids the heavy storage overhead and time synchronism problems, but also supports multiple IPv6 address assignment scenarios. What's more, SDN-Ti does not require any modification on the end device, hence can be easily deployed. We implement SDN-Ti prototype and evaluate it in a real IPv6 testbed. Experiment results show that our solution only brings very little extra performance cost, and it shows considerable performance in terms of latency, CPU consumption and packet loss compared to the normal forwarding method. The results indicate that SDN-Ti is feasible to be deployed in practice with a large number of users.
Jain, Jay Kumar, Chauhan, Dipti.  2019.  Analytical Study on Mobile Ad Hoc Networks for IPV6. 2019 4th International Conference on Internet of Things: Smart Innovation and Usages (IoT-SIU). :1–6.
The ongoing progressions in wireless innovation have lead to the advancement of another remote framework called Mobile Ad hoc Networks. The Mobile Ad hoc Network is a self arranging system of wireless gadgets associated by wireless connections. The traditional protocol, for example, TCP/IP has restricted use in Mobile impromptu systems in light of the absence of portability and assets. This has lead to the improvement of many steering conventions, for example, proactive, receptive and half breed. One intriguing examination zone in MANET is steering. Steering in the MANETs is a testing assignment and has gotten a colossal measure of consideration from examines. An uncommon consideration is paid on to feature the combination of MANET with the critical highlights of IPv6, for example, coordinated security, start to finish correspondence. This has prompted advancement of various directing conventions for MANETs, and every creator of each developed convention contends that the technique proposed gives an improvement over various distinctive systems considered in the writing for a given system situation. In this way, it is very hard to figure out which conventions may perform best under various diverse system situations, for example, expanding hub thickness and traffic. In this paper, we give the ongoing expository investigation on MANETs for IPV6 systems.
He, Lin, Ren, Gang, Liu, Ying.  2019.  Bootstrapping Accountability and Privacy to IPv6 Internet without Starting from Scratch. IEEE INFOCOM 2019 - IEEE Conference on Computer Communications. :1486–1494.
Accountability and privacy are considered valuable but conflicting properties in the Internet, which at present does not provide native support for either. Past efforts to balance accountability and privacy in the Internet have unsatisfactory deployability due to the introduction of new communication identifiers, and because of large-scale modifications to fully deployed infrastructures and protocols. The IPv6 is being deployed around the world and this trend will accelerate. In this paper, we propose a private and accountable proposal based on IPv6 called PAVI that seeks to bootstrap accountability and privacy to the IPv6 Internet without introducing new communication identifiers and large-scale modifications to the deployed base. A dedicated quantitative analysis shows that the proposed PAVI achieves satisfactory levels of accountability and privacy. The results of evaluation of a PAVI prototype show that it incurs little performance overhead, and is widely deployable.
Gao, Jiaqiong, Wang, Tao.  2019.  Research on the IPv6 Technical Defects and Countermeasures. 2019 International Conference on Computer Network, Electronic and Automation (ICCNEA). :165–170.
The current global Internet USES the TCP/IP protocol cluster, the current version is IPv4. The IPv4 is with 32-bit addresses, the maximum number of computers connected to the Internet in the world is 232. With the development of Internet of things, big data and cloud storage and other technologies, the limited address space defined by IPv4 has been exhausted. To expand the address space, the IETF designed the next generation IPv6 to replace IPv4. IPv6 using a 128-bit address length that provides almost unlimited addresses. However, with the development and application of the Internet of things, big data and cloud storage, IPv6 has some shortcomings in its addressing structure design; security and network compatibility, These technologies are gradually applied in recent years, the continuous development of new technologies application show that the IPv6 address structure design ideas have some fatal defects. This paper proposed a route to upgrade the original IPv4 by studying on the structure of IPv6 "spliced address", and point out the defects in the design of IPv6 interface ID and the potential problems such as security holes.
Saadeh, Huda, Almobaideen, Wesam, Sabri, Khair Eddin, Saadeh, Maha.  2019.  Hybrid SDN-ICN Architecture Design for the Internet of Things. 2019 Sixth International Conference on Software Defined Systems (SDS). :96–101.
Internet of Things (IoT) impacts the current network with many challenges due to the variation, heterogeneity of its devices and running technologies. For those reasons, monitoring and controlling network efficiently can rise the performance of the network and adapts network techniques according to environment measurements. This paper proposes a new privacy aware-IoT architecture that combines the benefits of both Information Centric Network (ICN) and Software Defined Network (SDN) paradigms. In this architecture controlling functionalities are distributed over multiple planes: operational plane which is considered as smart ICN data plane with Controllers that control local clusters, tactical plane which is an Edge environment to take controlling decisions based on small number of clusters, and strategic plane which is a cloud controlling environment to make long-term decision that affects the whole network. Deployment options of this architecture is discussed and SDN enhancement due to in-network caching is evaluated.
Cui, Liqun, Dong, Mianxiong, Ota, Kaoru, Wu, Jun, Li, Jianhua, Wu, Yang.  2019.  NSTN: Name-Based Smart Tracking for Network Status in Information-Centric Internet of Things. ICC 2019 - 2019 IEEE International Conference on Communications (ICC). :1–6.
Internet of Things(IoT) is an important part of the new generation of information technology and an important stage of development in the era of informatization. As a next generation network, Information Centric Network (ICN) has been introduced into the IoT, leading to the content independence of IC-IoT. To manage the changing network conditions and diagnose the cause of anomalies within it, network operators must obtain and analyze network status information from monitoring tools. However, traditional network supervision method will not be applicable to IC-IoT centered on content rather than IP. Moreover, the surge in information volume will also bring about insufficient information distribution, and the data location in the traditional management information base is fixed and cannot be added or deleted. To overcome these problems, we propose a name-based smart tracking system to store network state information in the IC-IoT. Firstly, we design a new structure of management information base that records various network state information and changes its naming format. Secondly, we use a tracking method to obtain the required network status information. When the manager issues a status request, each data block has a defined data tracking table to record past requests, the location of the status data required can be located according to it. Thirdly, we put forward an adaptive network data location replacement strategy based on the importance of stored data blocks, so that the information with higher importance will be closer to the management center for more efficient acquisition. Simulation results indicate the feasibility of the proposed scheme.
Benmoussa, Ahmed, Tahari, Abdou el Karim, Lagaa, Nasreddine, Lakas, Abderrahmane, Ahmad, Farhan, Hussain, Rasheed, Kerrache, Chaker Abdelaziz, Kurugollu, Fatih.  2019.  A Novel Congestion-Aware Interest Flooding Attacks Detection Mechanism in Named Data Networking. 2019 28th International Conference on Computer Communication and Networks (ICCCN). :1–6.
Named Data Networking (NDN) is a promising candidate for future internet architecture. It is one of the implementations of the Information-Centric Networking (ICN) architectures where the focus is on the data rather than the owner of the data. While the data security is assured by definition, these networks are susceptible of various Denial of Service (DoS) attacks, mainly Interest Flooding Attacks (IFA). IFAs overwhelm an NDN router with a huge amount of interests (Data requests). Various solutions have been proposed in the literature to mitigate IFAs; however; these solutions do not make a difference between intentional and unintentional misbehavior due to the network congestion. In this paper, we propose a novel congestion-aware IFA detection and mitigation solution. We performed extensive simulations and the results clearly depict the efficiency of our proposal in detecting truly occurring IFA attacks.
Kolokotronis, Nicholas, Brotsis, Sotirios, Germanos, Georgios, Vassilakis, Costas, Shiaeles, Stavros.  2019.  On Blockchain Architectures for Trust-Based Collaborative Intrusion Detection. 2019 IEEE World Congress on Services (SERVICES). 2642-939X:21–28.
This paper considers the use of novel technologies for mitigating attacks that aim at compromising intrusion detection systems (IDSs). Solutions based on collaborative intrusion detection networks (CIDNs) could increase the resilience against such attacks as they allow IDS nodes to gain knowledge from each other by sharing information. However, despite the vast research in this area, trust management issues still pose significant challenges and recent works investigate whether these could be addressed by relying on blockchain and related distributed ledger technologies. Towards that direction, the paper proposes the use of a trust-based blockchain in CIDNs, referred to as trust-chain, to protect the integrity of the information shared among the CIDN peers, enhance their accountability, and secure their collaboration by thwarting insider attacks. A consensus protocol is proposed for CIDNs, which is a combination of a proof-of-stake and proof-of-work protocols, to enable collaborative IDS nodes to maintain a reliable and tampered-resistant trust-chain.
Musca, Constantin, Mirica, Emma, Deaconescu, Razvan.  2013.  Detecting and Analyzing Zero-Day Attacks Using Honeypots. 2013 19th International Conference on Control Systems and Computer Science. :543–548.
Computer networks are overwhelmed by self propagating malware (worms, viruses, trojans). Although the number of security vulnerabilities grows every day, not the same thing can be said about the number of defense methods. But the most delicate problem in the information security domain remains detecting unknown attacks known as zero-day attacks. This paper presents methods for isolating the malicious traffic by using a honeypot system and analyzing it in order to automatically generate attack signatures for the Snort intrusion detection/prevention system. The honeypot is deployed as a virtual machine and its job is to log as much information as it can about the attacks. Then, using a protected machine, the logs are collected remotely, through a safe connection, for analysis. The challenge is to mitigate the risk we are exposed to and at the same time search for unknown attacks.
Clark, Shane S., Paulos, Aaron, Benyo, Brett, Pal, Partha, Schantz, Richard.  2015.  Empirical Evaluation of the A3 Environment: Evaluating Defenses Against Zero-Day Attacks. 2015 10th International Conference on Availability, Reliability and Security. :80–89.
A3 is an execution management environment that aims to make network-facing applications and services resilient against zero-day attacks. A3 recently underwent two adversarial evaluations of its defensive capabilities. In one, A3 defended an App Store used in a Capture the Flag (CTF) tournament, and in the other, a tactically relevant network service in a red team exercise. This paper describes the A3 defensive technologies evaluated, the evaluation results, and the broader lessons learned about evaluations for technologies that seek to protect critical systems from zero-day attacks.
Djama, Adel, Djamaa, Badis, Senouci, Mustapha Reda.  2019.  TCP/IP and ICN Networking Technologies for the Internet of Things: A Comparative Study. 2019 International Conference on Networking and Advanced Systems (ICNAS). :1–6.
Interconnecting resource-constrained devices in the Internet of Things (IoT) is generally achieved via IP-based technologies such as 6LoWPAN, which rely on the adaptation of the TCP/IP stack to fit IoT requirements. Very recent researches suggest that the Information-Centric Networking (ICN) paradigm, which switches the way to do networking, by fetching data by names regardless of their location, would provide native support for the functionalities required by IoT applications. Indeed, ICN intrinsic features, such as caching, naming, packet level security and stateful forwarding, favor it as a promising approach in the IoT. This paper gives a qualitative comparative study between the two communication paradigms (TCP/IP and ICN), and discusses their support for IoT environments, with a focus on the required key features such as mobility, scalability, and security.
van Kerkhoven, Jason, Charlebois, Nathaniel, Robertson, Alex, Gibson, Brydon, Ahmed, Arslan, Bouida, Zied, Ibnkahla, Mohamed.  2019.  IPv6-Based Smart Grid Communication over 6LoWPAN. 2019 IEEE Wireless Communications and Networking Conference (WCNC). :1–6.
Smart Grid is a major element of the Smart City concept that enables two-way communication of energy data between electric utilities and their consumers. These communication technologies are going through sharp modernization to meet future demand growth and to achieve reliability, security, and efficiency of the electric grid. In this paper, we implement an IPv6 based two-way communication system between the transformer agent (TA), installed at local electric transformer and various customer agents (CAs), connected to customer's smart meter. Various homes share their energy usage with the TA which in turn sends the utility's recommendations to the CAs. Raspberry Pi is used as hardware for all the CAs and the TA. We implement a self-healing mesh network between all nodes using OpenLab IEEE 802.15.4 chips and Routing Protocol for Low-Power and Lossy Networks (RPL), and the data is secured by RSA/AES keys. Several tests have been conducted in real environments, inside and outside of Carleton University, to test the performance of this communication network in various obstacle settings. In this paper, we highlight the details behind the implementation of this IPv6-based smart grid communication system, the related challenges, and the proposed solutions.
Guanyu, Chen, Yunjie, Han, Chang, Li, Changrui, Lin, Degui, Fang, Xiaohui, Rong.  2019.  Data Acquisition Network and Application System Based on 6LoWPAN and IPv6 Transition Technology. 2019 IEEE 2nd International Conference on Electronics Technology (ICET). :78–83.
In recent years, IPv6 will gradually replace IPv4 with IPv4 address exhaustion and the rapid development of the Low-Power Wide-Area network (LPWAN) wireless communication technology. This paper proposes a data acquisition and application system based on 6LoWPAN and IPv6 transition technology. The system uses 6LoWPAN and 6to4 tunnel to realize integration of the internal sensor network and Internet to improve the adaptability of the gateway and reduce the average forwarding delay and packet loss rate of small data packet. Moreover, we design and implement the functions of device access management, multiservice data storage and affair data service by combining the C/S architecture with the actual uploaded river quality data. The system has the advantages of flexible networking, low power consumption, rich IPv6 address, high communication security, and strong reusability.
Hagan, Matthew, Kang, BooJoong, McLaughlin, Kieran, Sezer, Sakir.  2018.  Peer Based Tracking Using Multi-Tuple Indexing for Network Traffic Analysis and Malware Detection. 2018 16th Annual Conference on Privacy, Security and Trust (PST). :1–5.

Traditional firewalls, Intrusion Detection Systems(IDS) and network analytics tools extensively use the `flow' connection concept, consisting of five `tuples' of source and destination IP, ports and protocol type, for classification and management of network activities. By analysing flows, information can be obtained from TCP/IP fields and packet content to give an understanding of what is being transferred within a single connection. As networks have evolved to incorporate more connections and greater bandwidth, particularly from ``always on'' IoT devices and video and data streaming, so too have malicious network threats, whose communication methods have increased in sophistication. As a result, the concept of the 5 tuple flow in isolation is unable to detect such threats and malicious behaviours. This is due to factors such as the length of time and data required to understand the network traffic behaviour, which cannot be accomplished by observing a single connection. To alleviate this issue, this paper proposes the use of additional, two tuple and single tuple flow types to associate multiple 5 tuple communications, with generated metadata used to profile individual connnection behaviour. This proposed approach enables advanced linking of different connections and behaviours, developing a clearer picture as to what network activities have been taking place over a prolonged period of time. To demonstrate the capability of this approach, an expert system rule set has been developed to detect the presence of a multi-peered ZeuS botnet, which communicates by making multiple connections with multiple hosts, thus undetectable to standard IDS systems observing 5 tuple flow types in isolation. Finally, as the solution is rule based, this implementation operates in realtime and does not require post-processing and analytics of other research solutions. This paper aims to demonstrate possible applications for next generation firewalls and methods to acquire additional information from network traffic.