
2021 | Book

Selected Papers from the 12th International Networking Conference

INC 2020

Editors: Assoc. Prof. Bogdan Ghita, Assist. Prof. Stavros Shiaeles

Publisher: Springer International Publishing

Book Series: Lecture Notes in Networks and Systems

About this book

The proceedings include a selection of papers covering a range of subjects focusing on topical areas of computer networks and security with a specific emphasis on novel environments, ranging from 5G and virtualised infrastructures to Internet of things, smart environments and cyber security issues. Networking represents the underlying core of current IT systems, providing the necessary communication support for complex infrastructures. Recent years have witnessed a number of novel concepts moving from theory to large scale implementations, such as Software Defined Networking, Network Function Virtualisation, 5G, smart environments, and IoT. These concepts change fundamentally the paradigms used in traditional networking, with a number of areas such as network routing and system or business security having to adjust or redesign to accommodate them. While the benefits are clear, through the advent of new applications, use cases, improved user interaction and experience, they also introduce new challenges for generic network architectures, mobility, security, and traffic engineering.

Table of Contents

Frontmatter

Security

Frontmatter
Malware Behavior Through Network Trace Analysis
Abstract
Malware continues to be a major threat to information security. To avoid being detected and analyzed, modern malware is continuously improving its stealthiness. A high number of unique malware samples detected daily suggests a likely high degree of code reuse and obfuscation to avoid detection. Traditional malware detection techniques relying on binary code signatures are greatly hindered by encryption, packing, code polymorphism, and similar other obfuscation techniques. Although obfuscation greatly changes a malware’s binary, its functionalities remain intact.
We propose to study malware’s network behavior during its execution, to understand the malware’s functionality. While malware may transform its code to evade analysis, we contend that its key network behaviors must endure through the transformations to achieve the malware’s ultimate purpose, such as sending victim information, scanning for vulnerable hosts, etc. While live malware analysis is risky, we leverage the Fantasm platform on the DeterLab testbed to perform it safely and effectively. Based on observed network traffic we propose an encoding of malware samples. This encoding can help us classify malware flows and samples, identify code reuse and genealogy, and develop behavioral signatures for malware defense. We apply our approach to more than 8,000 diverse samples from the Georgia Tech Apiary project. We find that over 60% of malware is multi-purposed (e.g. downloading new payload and uploading user data). We also illustrate how our encoding and malware flow clustering can be used to identify behavioral signatures for malware defense.
Xiyue Deng, Jelena Mirkovic
RC4D: A New Development of RC4 Encryption Algorithm
Abstract
Cryptography is one of the essential methods for securing information. In cryptography, there are many encryption algorithms; some of them are strong whereas others are broken. The RC4 stream cipher is one of the most common algorithms; it is characterized by its speed in implementation, does not need large storage space and has less complexity, but there are weaknesses in its output. Numerous research works on the RC4 stream cipher aim to boost its security so that it is strong enough. However, the biases in the output are still present in most of the enhancements. The researchers claim that its swap function is responsible for those biases. They recommended ignoring some initial bytes from the key-stream output, to dispose of this before de facto encryption begins. This paper presents a new development of the RC4 algorithm (RC4D) via amendments in the first and second parts of the algorithm. In the first part, it increases the use of the key operations to obtain more considerable randomness, while adding one more random variable and using the XOR function in the second part. Thus, the experimental results of the NIST statistical tests and the distant-equalities statistical analysis show RC4D to be more robust than the original RC4.
Rawan Alsharida, Maytham Hammood, Mohamed A. Ahmed, Barzan Thamer, Mohanaad Shakir
A Novel Multimodal Biometric Authentication System Using Machine Learning and Blockchain
Abstract
Secure user authentication has become an important issue in modern society as in many consumer applications, especially financial transactions, it is extremely important to prove the identity of the user. In this context, biometric authentication methods that rely on physical and behavioural characteristics have been proposed as an alternative to conventional systems that rely on simple passwords, Personal Identification Numbers or tokens. However, in real-world applications, authentication systems that involve a single biometric faced many issues, especially lack of accuracy and noisy data, which pushed the research community to create multibiometric systems that involve a variety of biometrics. Those systems provide better performance and higher accuracy compared to other authentication methods. However, most of them are inconvenient and require complex interactions from the user. Thus, in this paper, we present a multimodal authentication system that relies on machine learning and blockchain, intending to provide a more reliable, transparent, and convenient authentication mechanism. The proposed system combines two important biometrics: fingerprint and face with age, and gender features. The supervised learning algorithm Decision Tree has been used to combine the results of the biometrics verification process and produce a confidence level related to the user. The initial experimental results show the efficiency and robustness of the proposed systems.
Richard Brown, Gueltoum Bendiab, Stavros Shiaeles, Bogdan Ghita
User Attribution Through Keystroke Dynamics-Based Author Age Estimation
Abstract
Keystroke dynamics analysis has often been used in user authentication. In this work, it is used to classify users according to their age. The authors have extended their previous research in which they managed to identify the age group that a user belongs to with an accuracy of 66.1%. The main changes made were the use of a larger dataset, which resulted from a new volunteer recording phase, the exploitation of more keystroke dynamics features, and the use of a procedure for selecting those features that can best distinguish users according to their age. Five machine learning models were used for the classification, and their performance in relation to the number of features involved was tested. As a result of these changes in the research method, an improvement in the performance of the proposed system has been achieved. The accuracy of the improved system is 89.7%.
Ioannis Tsimperidis, Shahin Rostami, Kevin Wilson, Vasilios Katos
802.11 Man-in-the-Middle Attack Using Channel Switch Announcement
Abstract
This paper presents a Wi-Fi Evil Twin, Man in the Middle attack (MiTM), which utilizes channel switch announcement (802.11h). The proposed technique examines and demonstrates through measurements the feasibility of performing a successful MiTM attack when the target receives a lower signal strength from the rogue access point (AP) than from the legitimate AP. The above signal strength condition can allow the execution of a successful MiTM attack from relatively longer distances, since the rogue AP does not have to compete, signal strength wise, with the legitimate AP. Initial results suggest that the attack can be successfully performed. Furthermore, the attack is specific to a target and does not disrupt the operation of other targets, making the attack stealthy.
Constantinos Louca, Adamantini Peratikou, Stavros Stavrou

IoT

Frontmatter
Machine Learning Based IoT Intrusion Detection System: An MQTT Case Study (MQTT-IoT-IDS2020 Dataset)
Abstract
The Internet of Things (IoT) is one of the main research fields in the Cybersecurity domain. This is due to (a) the increased dependency on automated devices, and (b) the inadequacy of general-purpose Intrusion Detection Systems (IDS) to be deployed for special purpose networks usage. Numerous lightweight protocols are being proposed for IoT devices communication usage. One of the distinguishable IoT machine-to-machine communication protocols is the Message Queuing Telemetry Transport (MQTT) protocol. However, as per the authors' best knowledge, there are no available IDS datasets that include MQTT benign or attack instances and thus, no IDS experimental results are available.
In this paper, the effectiveness of six Machine Learning (ML) techniques to detect MQTT-based attacks is evaluated. Three abstraction levels of features are assessed, namely, packet-based, unidirectional flow, and bidirectional flow features. An MQTT simulated dataset is generated and used for the training and evaluation processes. The dataset is released with an open access licence to help the research community further analyse the accompanied challenges. The experimental results demonstrated the adequacy of the proposed ML models to suit MQTT-based networks IDS requirements. Moreover, the results emphasise the importance of using flow-based features to discriminate MQTT-based attacks from benign traffic, while packet-based features are sufficient for traditional networking attacks.
Hanan Hindy, Ethan Bayne, Miroslav Bures, Robert Atkinson, Christos Tachtatzis, Xavier Bellekens
Smart Lamp or Security Camera? Automatic Identification of IoT Devices
Abstract
The tsunami of connectivity brought by the Internet of Things is rapidly revolutionising several sectors, ranging from industry and manufacturing, to home automation, healthcare and many more. When it comes to enforcing security within an IoT network such as a smart home, there is a need to automatically recognise the type of each joining device, in order to apply the right security policy. In this paper, we propose a method for identifying IoT devices’ types based on natural language processing (NLP), text classification, and web search engines. We implement a proof of concept and we test it against 33 different IoT devices. With a success rate of 88.9% for BACnet and 87.5% for MUD devices, our experiments show that we can efficiently and effectively identify different IoT devices.
Mathias Dahl Thomsen, Alberto Giaretta, Nicola Dragoni
Intelligent Self-reliant Cyber-Attacks Detection and Classification System for IoT Communication Using Deep Convolutional Neural Network
Abstract
Internet of Things (IoT) is a promising profound technology with tremendous expansion and effect. However, IoT infrastructures are vulnerable to cyber-attacks due to the constraints in computation, storage, and communication capacity for the endpoint devices such as thermostats, home appliances, etc. It was reported that 99% of the cyber-attacks are developed by slightly mutating previously known attacks to generate a new attack tending to be handled as benign traffic through the IoT network. In this research, we developed a new intelligent self-reliant system that can detect mutations of IoT cyber-attacks using deep convolutional neural network (CNN) leveraging the power of CUDA based Nvidia-Quad GPUs for parallel computation and processing. Specifically, the proposed system is composed of three subsystems: Feature Engineering subsystem, Feature Learning subsystem and Traffic classification subsystem. All subsystems are developed, verified, integrated, and validated in this research. To evaluate the developed system, we employed the NSL-KDD dataset which includes all the key attacks in the IoT computing. The simulation results showed a superior attacks’ classification accuracy over the state-of-the-art machine learning based intrusion detection systems employing similar dataset. The obtained results showed more than 99.3% and 98.2% of attacks’ classification accuracy for both binary-class classifier (normal vs anomaly) and multi-class classifier (five categories) respectively. All development steps and testing and verification results of the developed system are reported in the paper.
Qasem Abu Al-Haija, Charles D. McCurry, Saleh Zein-Sabatto
On Federated Cyber Range Network Interconnection
Abstract
Cyber Ranges exist to enable hands-on training within realistic ICT infrastructures in a sandboxed environment, to investigate attack and defense strategies and to assess the resilience of the infrastructures. To fully exploit their capabilities one has to have access to multi domain exercises, which may combine ICT, naval, electrical grid, telecom or other relevant infrastructures. It can become obvious that no single organization can easily own or sustain a multi domain cyber range and that there is a need to connect multi domain Cyber Ranges from different organizations together. This paper focuses on analyzing the current state of the art on the federation of Cyber Ranges, by focusing on the federated network interconnection. Various methods for interconnecting distributed Cyber Ranges into a single federated Cyber Range are being discussed and their network performance impact is evaluated. VPNs are widely used to interconnect networks together due to their relatively low cost and simplistic nature; however, performance of the network must be accounted for, alongside the flexibility the VPNs can provide to support multiple scenarios in a multi domain distributed federated Cyber Range. This work focuses on the performance comparison of IPsec and Virtual Tunnels.
Adamantini Peratikou, Constantinos Louca, Stavros Shiaeles, Stavros Stavrou

Routing and Transport

Frontmatter
Multi-level Hierarchical Controller Placement in Software Defined Networking
Abstract
Software Defined Networking (SDN) is a widely used network architecture. It separates the controller logic (or control plane) from forwarding plane (or data plane) to manage the whole network and it enables the network scalability and programmability. One of the most significant challenges in Software Defined Networking (SDN) is the Controller Placement Problem (CPP), which tries to specify the minimum number of controllers and their optimal location.
In our study, we extend the methodology based on K-means and K-center algorithms to solve the Controller Placement problem (CPP) into a Multi-level Hierarchical Controller Placement Problem (HCPP), where the Super Controller (SC) is in the top-level, some Master Controllers (MCs) are in the intermediate level and the Domain Controllers (DCs) are at the bottom level. The optimization metric is the latency between controller and switches assigned to it and the latency for controller to controller communication.
The proposed architecture and methodology is applied on Western European NRENs topology taken from Internet Topology Zoo. The entire network topology is divided into small scale networks (Clusters) and for each cluster, the optimal number of controllers (Domain Controllers) and their placement is found. A second optimization identifies the optimal number of Master Controllers and their optimal placement.
The results validate the methodology and show its feasibility on large networks and different domains. A useful use case may be the deployment of hierarchical levels of controllers for the enforcement of very precise routing policies through different domains.
Kurdman Abdulrahman Rasol, Jordi Domingo-Pascual
A Novel Congestion Avoidance Algorithm Using Two Routing Algorithms and Fast-Failover Group Table in SDN Networks
Abstract
Today, the amount of data in the network is increasing quickly. As it does so, congestion in the network becomes more probable. Therefore, suitable policies must be used to control the congestion and guarantee quality of services. In this paper, we proposed an SDN based congestion avoidance algorithm. In our suggested method, we use an SDN controller to calculate link usage percent for all links in the network and predict congestion in every link. Additionally, we employ two types of Dijkstra algorithm to calculate both the shortest path and the most secluded path (the path with the lowest usage percentage) between every node pairing in the network. Then, we store these two independent paths as two buckets of Fast-Failover group table in OF switches (these paths are recalculated and updated periodically based on updated traffic statistics of the network). After congestion recognition in an output link of a switch, we disable one of the input links of that switch. Consequently, the first bucket of that FF-group table entry will be ignored and the second bucket will be employed to pass the traffic. Traffic will then be sent to its destination using the most secluded path instead of the shortest path until the usage percentage of the congested link reduces to 50%. Finally, we developed our proposed algorithm in Python and used Mininet to emulate our network. We compare the algorithm’s performance to one of the existing algorithms [1] of this type. Testing benchmarks showed 28% improvement in the average data transfer rate and 30% improvement in number of retransmitted packets in TCP mode. In UDP mode, we saw a 30% improvement in packet loss rate and a 24% improvement in average jitter during data transfer.
Seyed Hossein Mousavi Nejad, Mohammad Reza Majma
Impact of TCP Congestion Control Algorithms on HTTP/x Performance
Abstract
Improving web performance is a significant concern for network engineers. Protocols at application and transport layers impose functional limitations, so different versions of them have been developed and deployed. HTTP/1.1 has been actively studied and revised to improve overall download speed, resulting in HTTP/2. This new version claims to make web downloads faster and more efficient. Complementarily, TCP’s congestion control mechanism also imposes limits in data flows to prevent network congestion. However, the interaction between the two layers and their impact on the performance is not clear. In this work, we explore the performance differences in downloading a full web page using the two currently-used HTTP versions, according to the different congestion control algorithms implemented by TCP, controlling some critical network parameters. We show that there is not a unique combination that outperforms the remaining for all data flows, the different setups and networking scenarios.
Nicolás Illia, Gabriel Tolosa

Wireless Networking

Frontmatter
Design and Preliminary Functionality Test of Road Network Traffic Monitoring System Based on Indoor SDWMN In-band Architecture
Abstract
Software-defined wireless mesh network (SDWMN) combines the functionalities of wireless mesh network (WMN) and software defined networking (SDN) to achieve the goal of making WMN effectively manageable. In this paper, the indoor SDWMN in-band testbed is proposed and implemented. The design and implementation of the indoor SDWMN in-band testbed proposed in this paper is the preliminary testbed for the future real outdoor SDWMN in-band testbed for a road traffic monitoring system. The testing results of the indoor SDWMN in-band testbed discussed in this paper show that the system can function properly and is ready for future testing in the real outdoor environment.
Phoo Phoo Thet Lyar Tun, Chaodit Aswakul
Power Optimized Source-Based-Jamming for Secure Transmission through Untrusted AF Relays
Abstract
In this paper, a power optimized source-based-jamming scheme is proposed to improve the secrecy of cooperative networks comprising multiple untrusted amplify-and-forward relays in the presence of an external eavesdropper. The Nelder-Mead gradient-free optimization algorithm is used for power allocation. The secrecy performance of the untrusted relaying scheme is compared with the worst case scenario, where the relays and external eavesdropper are assumed to be cooperating with each other. For performance comparison, optimization algorithms such as two-dimensional exhaustive search and gradient-based methods for symmetric and asymmetric relay positions have been derived. The complexity analysis of the proposed algorithm and its performance comparison with equal power allocation (EPA) strategy are also studied. Numerical results reveal that the proposed scheme outperforms other optimization methods, EPA and worst case jamming strategies.
P. M. Shemi, M. G. Jibukumar, M. A. Ali
Cyber Security Attacks on Identity and Location of Vehicle Ad-Hoc Networks
Abstract
Vehicle ad hoc network (VANET) technology arose from the mobile ad-hoc network (MANET) and the first mention of the term was in 2003. VANET allows vehicles to communicate with other vehicles and other intelligent transport systems (ITS) facilities in their location range. This paper presents a literature review and identifies the security requirements needed to achieve a secure VANET environment. It also identifies a VANET cybersecurity attack, with a focus on attacks that target the location and identity of other vehicles as well as the ability to detect previous attacks. Moreover, this research started by introducing VANET architecture, communication and applications, then defining the important security requirements based on the three-information security triangle with an emphasis on the VANET environment. For this paper, we have developed an application of misbehaving attacks on the positioning and identity of VANET vehicles and then used the outputs of the application to analyze the misbehavior attacks, which is important for road safety and the protection of human life.
Haitham Alfehaid, Salim El Khrdiri
Challenges in Developing a Wireless Sensor Network for an Agricultural Monitoring and Decision System
Abstract
Demand for food, efficient use of resources and the need for climate change adaptation are conflicting objectives of today’s agriculture. Wireless Sensor Networks (WSNs) could help to balance these contradicting requirements. A decisive advantage of a WSN is that data can be obtained from the sensors at any time without the physical presence of farmers. But in addition to a large number of technical challenges, a major challenge is to monitor necessary parameters with a sufficiently high temporal and spatial resolution. The present work discusses those challenges as a case study. Furthermore, an approach to designing a WSN for sensor-assisted landscape monitoring is proposed, that aims to support small-scale real time acquisition of site-specific requirements. Continuous monitoring is intended to lay the foundation for agricultural management strategies to be adapted at any time using real-time information.
Max Frohberg, Stefan Weidling, Peter Langendoerfer
Backmatter
Metadata
Title
Selected Papers from the 12th International Networking Conference
Editors
Assoc. Prof. Bogdan Ghita
Assist. Prof. Stavros Shiaeles
Copyright Year
2021
Electronic ISBN
978-3-030-64758-2
Print ISBN
978-3-030-64757-5
DOI
https://doi.org/10.1007/978-3-030-64758-2