


Search for: All records

Creators/Authors contains: "Katsis, Charalampos"


  1. Intrusion detection systems (IDSes) are critical building blocks for securing Internet-of-Things (IoT) devices and networks. Advances in AI techniques are contributing to enhancing the efficiency of IDSes, but their performance typically depends on high-quality training datasets. The scarcity of such datasets is a major concern for the effective use of machine learning for IDSes in IoT networks. To address such a need, we present IoTDSCreator - a tool for the automatic generation of labeled datasets able to support various devices, connectivity technologies, and attacks. IoTDSCreator provides a user with DC-API, an API by which the user can describe a target network and an attack scenario against it. Based on the description, the framework configures the network, leveraging virtualization techniques on user-provided physical machines, performs single or multi-step attacks, and finally returns labeled datasets. Thereby, IoTDSCreator dramatically reduces the manual effort for generating labeled and diverse datasets. We release the source code of IoTDSCreator and 16 generated datasets with 193 features based on 26 types of IoT devices, 2 types of communication links, and 15 types of IoT applications. 
  2. Zero Trust (ZT) is a security paradigm aiming to curtail an attacker’s lateral movements within a network by implementing least-privilege and per-request access control policies. However, its widespread adoption is hindered by the difficulty of generating proper rules owing to the lack of detailed knowledge of communication requirements and the characteristic behaviors of communicating entities under benign conditions. Consequently, manual rule generation becomes cumbersome and error prone. To address these problems, we propose ZT-SDN, an automated framework for learning and enforcing network access control in Software-Defined Networks (SDNs). ZT-SDN collects data from the underlying network and models the network “transactions” performed by communicating entities as graphs. The nodes represent entities, whereas the directed edges represent transactions identified by different protocol stacks observed. It uses novel unsupervised learning approaches to extract transaction patterns directly from the network data, such as the allowed protocol stacks and port numbers and data transmission behavior. Finally, ZT-SDN uses an innovative approach to generate correct access control rules and infer strong associations between them, allowing proactive rule deployment in forwarding devices. We show the framework’s efficacy in detecting abnormal network accesses and abuses of permitted flows in changing network conditions with real network datasets. Additionally, we showcase ZT-SDN’s scalability and the network’s performance when applied in an SDN environment. 
  3. The rampant occurrence of cybersecurity breaches imposes substantial limitations on the progress of network infrastructures, leading to compromised data, financial losses, potential harm to individuals, and disruptions in essential services. The current security landscape demands the urgent development of a holistic security assessment solution that encompasses vulnerability analysis and investigates the potential exploitation of these vulnerabilities as attack paths. In this paper, we propose GRAPHENE, an advanced system designed to provide a detailed analysis of the security posture of computing infrastructures. Using user-provided information, such as device details and software versions, GRAPHENE performs a comprehensive security assessment. This assessment includes identifying associated vulnerabilities and constructing potential attack graphs that adversaries can exploit. Furthermore, it evaluates the exploitability of these attack paths and quantifies the overall security posture through a scoring mechanism. The system takes a holistic approach by analyzing security layers encompassing hardware, system, network, and cryptography. Furthermore, GRAPHENE delves into the interconnections between these layers, exploring how vulnerabilities in one layer can be leveraged to exploit vulnerabilities in others. In this paper, we present the end-to-end pipeline implemented in GRAPHENE, showcasing the systematic approach adopted for conducting this thorough security analysis. 
  4. Digital signatures are a fundamental building block for ensuring integrity and authenticity of contents delivered by the Named Data Networking (NDN) systems. However, current digital signature schemes adopted by NDN open source libraries have a high computational and communication overhead, making them unsuitable for high throughput applications like video streaming and virtual reality gaming. In this poster, we propose a real-time digital signature mechanism for NDN based on the offline-online signature framework known as Structure-free and Compact Real-time Authentication scheme (SCRA). Our signature mechanism significantly reduces the signing and verification costs and provides different variants to optimize for the specific requirements of applications (i.e., signing overhead, verification overhead or communication cost). Our experimental results show that SCRA is a suitable framework for latency-sensitive NDN applications. 