Vassilios Vassilakis | University of York
Papers by Vassilios Vassilakis
IEEE/IET CSNDSP, 2022
Although IoT security is a field studied extensively, recent attacks such as BotenaGo show that current security solutions cannot effectively stop the spread of IoT attacks. Machine Learning (ML) techniques are promising in improving protection against such attacks. In this work, three supervised ML algorithms are trained and evaluated for detecting rank and blackhole attacks in RPL-based IoT networks. Extensive simulations of the attacks are implemented to create a dataset and appropriate fields are identified for training the ML model. We use Google AutoML and Microsoft Azure ML platforms to train our model. Our evaluation results show that ML techniques can be effective in detecting rank and blackhole attacks, achieving a precision of 93.3%.
IEEE/IET CSNDSP, 2022
In recent years, the world has witnessed a significant increase in the number of IoT devices, with a global and continuous rise in the demand for their multipurpose applications. However, malicious use of IoT devices began to emerge among cybercriminals. IoT-enabled cyberattacks and botnets, such as the Mirai botnet and its variants and imitators, demonstrate that the industry needs to better secure IoT devices and networks; otherwise, there will be higher risks of exposing the Internet's infrastructure and services to increasingly disruptive DDoS attacks. This paper presents the results of a study of IoT botnets. We focus on their distinctive characteristics, exploits used, and cyberattack capabilities. In total, we have reviewed and compared 46 recent IoT botnets. We also present details of the main CPU architectures targeted by these IoT botnets. We illustrate that IoT botnets pose a significant threat to private individuals and enterprises by employing effective evasion mechanisms, encrypted communication, and targeting a wide range of systems and networks.
Journal of Cybersecurity and Privacy, 2022
Ad Hoc Networks, 2022
Unmanned aerial vehicles (UAVs) are a rapidly evolving technology, and being highly mobile, UAV systems are able to cooperate with each other to accomplish a wide range of different tasks. UAVs can be used in commercial applications, such as goods delivery, as well as in military surveillance. They can also operate in civil domains like search-and-rescue missions, that require multiple UAVs to collect location data as well as transmit video streams. However, the malicious use of UAVs began to emerge in recent years. The frequency of such attacks has been significantly increasing and their impact can have devastating effects. Hence, the relevant industries and standardisation bodies are exploring possibilities for securing UAV systems and networks. Our survey focuses on UAV security and privacy issues whilst establishing flying ad-hoc networks (FANETs) as well as on threats to the Internet of drones (IoD) infrastructure used to provide control and access over the Internet between UAVs and users. The goal of this survey is to categorise the versatile aspects of the UAV threat landscape and develop a classification approach based on different types of connections and nodes in FANETs and IoD. In particular, we categorise security and privacy threats on connections between UAVs, ground control stations, and personal pilot devices. All the most relevant threats and their corresponding defence mechanisms are classified using characteristics of the first four layers of the OSI model. We then analyse the conventional and novel UAV routing protocols, indicating their advantages and disadvantages from the cyber security perspective.
To provide a deeper insight, the reviewed defence mechanisms have undergone a thorough examination of their security requirements and objectives such as availability, authentication, authorisation, confidentiality, integrity, privacy, and non-repudiation. Finally, we discuss the open research challenges, the limitations of current UAV standards, and provide possible future directions for research.
2.2. UAV communication architectures categorisation
Communication is a critical issue when deploying fast moving multi-UAV systems. Depending on data flow, UAV communications architectures are either centralised or decentralised. This categorisation is shown in Fig. 2 and explained below.
2.2.1. Centralised architectures
UAVs communicate with a central controller, meaning there is a single point of failure. Fig. 3 presents three types of centralised communication architectures [9]. In UAV-GCS, to obtain data, every UAV must directly connect to the GCS. This type of link is not advisable in changeable environments, such as stormy weather conditions. In UAV-satellite, communication is done via a satellite, which is suitable for when the distance between GCS and UAV is big. In UAV-cellular, communication is performed via appropriate cellular technology; it uses base stations to implement routing technology that facilitates communication between nodes.
Computers & Electrical Engineering, 2021
This work focuses on infiltration methods, such as Address Resolution Protocol (ARP) spoofing, where adversaries send fabricated ARP messages, linking their Media Access Control (MAC) address to a genuine device's Internet Protocol (IP) address. We developed a Software-Defined Networking (SDN)-based Intrusion Detection and Prevention System (IDPS), which defends against ARP spoofing and blacklisted MAC addresses. This is done by dynamically adjusting SDN's operating parameters to detect malicious network traffic. Bespoke software was written to conduct the attack tests and customise the IDPS; this was coupled to a specifically developed library to validate user input. Improvements were made to SDN in the areas of attack detection, firewall, intrusion prevention, packet dropping, and shorter timeouts. Our extensive experimental results show that the developed solution is effective and quickly responds to intrusion attempts. In the considered test scenarios, our measured detection and mitigation times are sufficiently low (in the order of a few seconds).
12th IEEE/IET CSNDSP, 2020
The IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) has been standardized to support IP over lossy networks. RPL (Routing Protocol for Low-Power and Lossy Networks) is the common routing protocol for 6LoWPAN. Among various attacks on RPL-based networks, the wormhole attack may cause severe network disruption and is one of the hardest to detect. We have designed and implemented in ContikiOS a wormhole detection technique for 6LoWPAN that uses round-trip times and hop counts. In addition, the performance of this technique has been evaluated in terms of power, CPU, memory, and communication overhead.
12th IEEE/IET CSNDSP, 2020
IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) has been designed to handle routing in IoT. We investigate the detection of blackhole and greyhole attacks in RPL networks. We evaluate the existing heartbeat-based detection method for blackhole attacks and propose its modification for greyhole attacks. Extensive experiments have been performed to verify the accuracy and effectiveness of the new method using Contiki-NG and the Cooja simulator. The obtained results show that the method is accurate in detecting the attacks. The overhead introduced by the modified heartbeat protocol in terms of CPU usage and battery consumption is found to be negligible.
IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT’20), 2020
This paper investigates the use of Software-Defined Networking (SDN) in the detection and mitigation of malware threat, focusing on the example of ExPetr ransomware. Extensive static and dynamic analysis of ExPetr is performed in a purpose-built SDN testbed. The results acquired from this analysis are then used to design and implement an SDN-based solution to detect the malware and prevent it from spreading to other machines inside a local network. Our solution consists of three security mechanisms that have been implemented as components/modules of the Python-based POX controller. These mechanisms include: port blocking, SMB payload inspection, and HTTP payload inspection. When malicious activity is detected, the controller communicates with the SDN switches via the OpenFlow protocol and installs appropriate entries in their flow tables. In particular, the controller blocks machines which are considered infected, by monitoring and reacting in real time to the network traffic they produce. Our experimental results demonstrate that the proposed designs are effective against self-propagating malware in local networks. The implemented system can respond to malicious activities quickly and in real time. Furthermore, by tuning certain thresholds of the detection mechanisms it is possible to trade off the detection time against the false positive rate.
Lecture Notes in Computer Science, vol 11980. Springer, Cham, 2020
Internet of Things (IoT) is already playing a significant role in our lives, as more and more industries are adopting IoT for improving existing systems and providing novel applications. However, recent attacks caused by the Mirai and Chalubo botnets show that IoT systems are vulnerable and new security mechanisms are required. In this work, we design and implement a prototype of an Intrusion Detection System (IDS) for protecting IoT networks and devices from Denial-of-Service (DoS) attacks. Our focus is on detecting attacks that exploit the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which is a widely used protocol for packet routing in low-power IoT networks. Our considered Operating System (OS) is the popular ContikiOS and we use the Cooja simulator to study DoS attacks and test the detection algorithms. In particular, we simulated scenarios that involve both benign and malicious/compromised IoT devices. A compromised device exploits RPL control messages to cause other devices to perform heavy computations and to disrupt the established network routes. The obtained simulation results help us understand the characteristics of an RPL-based IoT network under its normal operation and devise effective countermeasures against malicious activity. A new threshold-based IDS is proposed and a first prototype is implemented in ContikiOS. The IDS relies on tunable parameters and involves both centralised and distributed components in order to effectively detect malicious RPL messages. Experimental results show a high detection rate and low false positives in large networks.
IEICE Information and Communication Technology Forum (ICTF), 2018
Nowadays ransomware presents a huge and the fastest growing problem for all types of users, from small households to large corporations and government bodies. Modern day ransomware families implement sophisticated encryption and propagation schemes, thus limiting chances to recover the data almost to zero. In order to design and develop appropriate detection and mitigation mechanisms it is important to perform ransomware analysis and identify its features. In this work, we present our ransomware analysis results focusing on the infamous WannaCry ransomware. In particular, the presented research examines the WannaCry behaviour during its execution in a purpose-built virtual lab environment. We perform static and dynamic analysis using a wide range of malware analysis tools. The obtained results can be used for developing appropriate detection and mitigation mechanisms for WannaCry or other ransomware families that exhibit similar behaviour.
Journal of Network and Computer Applications, 2019
Over recent years, we have observed a significant increase in the number and the sophistication of cyber attacks targeting home users, businesses, government organizations and even critical infrastructure. In many cases, it is important to detect attacks at the very early stages, before significant damage can be caused to networks and protected systems, including accessing sensitive data. To this end, cybersecurity researchers and professionals are exploring the use of Software-Defined Networking (SDN) technology for efficient and real-time defense against cyberattacks. SDN enables network control to be logically centralised by decoupling the control plane from the data plane. This feature enables network programmability and has the potential to almost instantly block network traffic when some malicious activity is detected. In this work, we design and implement an Intrusion Detection and Prevention System (IDPS) using SDN. Our IDPS is a software application that monitors networks and systems for malicious activities or security policy violations and takes steps to mitigate such activity. We specifically focus on defending against port-scanning and Denial of Service (DoS) attacks. However, the proposed design and detection methodology has the potential to be expanded to a wide range of other malicious activities. We have implemented and tested two connection-based techniques as part of the IDPS, namely the Credit-Based Threshold Random Walk (CB-TRW) and Rate Limiting (RL). As a mechanism to defend against port-scanning, we outline and test our Port Bingo (PB) algorithm. Furthermore, we include QoS as a DoS attack mitigation, which relies on flow statistics from a network switch. We conducted extensive experiments in a purpose-built testbed environment.
The experimental results show that the launched port-scanning and DoS attacks can be detected and stopped in real time. Finally, the rate of false positives can be kept sufficiently low by tuning the threshold parameters of the detection algorithms.
Computers & Electrical Engineering, 2019
Modern day ransomware families implement sophisticated encryption and propagation schemes, thus limiting chances to recover the data almost to zero. We investigate the use of software-defined networking (SDN) to detect and mitigate advanced ransomware threat. We present our ransomware analysis results and our developed SDN-based security framework. For the proof of concept, the infamous WannaCry ransomware was used. Based on the obtained results, we design an SDN detection and mitigation framework and develop a solution based on OpenFlow. The developed solution detects suspicious activities through network traffic monitoring and blocks infected hosts by adding flow table entries into OpenFlow switches in a real-time manner. Finally, our experiments with multiple samples of WannaCry show that the developed mechanism in all cases is able to promptly detect the infected machines and prevent WannaCry from spreading.
2018 11th International Symposium on Communication Systems, Networks & Digital Signal Processing (CSNDSP), 2018
The emergence of the Internet of Things (IoT) is expected to significantly advance the technology development in many application domains such as agriculture, home automation, and healthcare. However, in the IoT era, this development faces serious research challenges in terms of handling large amounts of data, designing efficient system architectures, and implementing appropriate mechanisms for privacy and security assurance. Especially the network security aspect of the IoT is of major importance due to the huge amounts of data that the IoT is expected to generate and handle, and considering the limited resources of typical IoT devices. One of the serious security threats is the physical attack on IoT devices that operate in remote locations. These are known in the literature as node capture attacks. Motivated by the aforementioned issues, this paper first introduces the background of IoT security and discusses the related challenges. Next, a secure group communication scheme that enables IoT using a low energy wireless IP network is described. The proposed approach is based on Shamir's Secret Sharing scheme, which has been enhanced to enable secure group-to-group communication of resource-constrained IoT devices. In particular, we consider the low energy wireless IP networking technology as one of the IoT enablers and the problem of mitigating the negative effects of node capture attacks on IoT devices. Simulation results show significant improvements of the proposed scheme over the traditional public-key based approach.
Internet of Things (IoT) is envisioned as a transformative approach with a wide range of applications in various sectors such as home automation, industrial control, and agriculture. It promises innovative business models and improved user experience. However, as evidenced by recent attacks such as the Mirai botnet, IoT networks and systems remain very vulnerable and require stronger protection mechanisms. Furthermore, due to processing, memory, and power constraints of typical IoT devices, traditional Internet security mechanisms are not always feasible or appropriate. In this work, we are concerned with designing an Intrusion Detection System (IDS) for protecting IoT networks from external threats as well as internal compromised devices. Our proposed design adopts a signature-based intrusion detection approach and involves both centralised and distributed IDS modules. Using the Cooja simulator, we have implemented a Denial of Service (DoS) attack scenario on IoT devices. This scenario exploits the RPL protocol, which is widely used for routing in low-power networks, including IoT networks. In particular, we have implemented two variants of DoS attacks, namely "Hello" flooding and version number modification. As shown by simulation results, these attacks may impact the reachability of certain IoT devices and their power consumption.
IET Networks
Novel networking paradigms, such as software-defined networking (SDN) and network function virtualization (NFV), introduce new opportunities in the design of next-generation mobile networks. Our present work investigates the benefits of the emerging SDN and NFV technologies on the radio resource management (RRM) in mobile cellular networks. In particular, the aim of our RRM scheme is to enable an efficient and flexible radio resource allocation in order to assure quality-of-experience (QoE) of mobile users. We consider the OFDMA multiple-access scheme and the complete radio resource sharing policy. To enable time- and space-efficient resource allocation, we investigate the applicability of the well-known Kaufman-Roberts recursion in the context of new architectural and functional changes of SDN/NFV based mobile environments. Finally, we discuss the applicability of the proposed approach for more complicated resource sharing policies.
Dual connectivity (DC) has been included in the Release 12 of the long-term evolution (LTE) standard. In this paper, we perform a formal security verification of the key establishment protocol for DC in small cell LTE networks. In particular, the security verification is performed using a popular tool called Scyther. The considered security properties include secrecy and reachability. We also simulate a key leakage and show that some security claims in this case can be falsified.
The smart grid (SG), generally referred to as the next-generation power system, is considered as a revolutionary and evolutionary regime of existing power grids. Among the emerging SG applications, the advanced metering infrastructure (AMI) enables automated, two-way communication between a smart meter (SM) and a public utility company. To authenticate a message, the sender (e.g., a SM) signs the message with its private key using a pre-defined digital signature algorithm. To verify the message, the recipient verifies the sender's certificate and then the sender's signature using the sender's public key. In some cases, however, a previously issued certificate for a network node needs to be revoked. In this paper we investigate two possible approaches for the certificate management of SMs in AMI networks. These are based on the traditional certificate revocation lists (CRLs) and on Bloom filters. We compare the two approaches in terms of the required packet size for the distribution of the revoked certificate serial numbers. We also discuss the advantages and limitations of each approach.
Diffie-Hellman (DH) key exchange is a well known method for secure exchange of cryptographic keys and has been widely used in popular Internet protocols, such as IPsec, TLS, and SSH. To enable authenticated key establishment, the DH protocol has been integrated with the digital signature algorithm (DSA). In this paper, we analyze three variants of the integrated DH-DSA protocol. We study the protocol variants with respect to known types of attacks and security features. In particular, the focus is on the properties of forward secrecy, known-key security, and replay attack resilience.
The concept of software-defined networking (SDN) is able to offer important advantages over the traditional communication paradigms. This is achieved by decoupling the decision-making process from the underlying network infrastructure that forwards the traffic. Recently, there have been efforts in applying the SDN approach to wireless and cellular networks. In fact, SDN is considered as one of the key enablers for future 5G communication networks. Information-centric networking (ICN) is another emerging communication paradigm that has been proposed to improve the content delivery efficiency compared to the traditional host-centric communication protocols. ICN decouples the data from their location, application, and means of transportation. This feature makes ICN particularly suitable for efficient dissemination of large volumes of data, especially in highly dynamic and heterogeneous mobile environments. In this work, we consider an SDN-enabled cellular network and propose an ICN protocol to ensure fast and efficient content dissemination to mobile users. The proposed protocol has been evaluated by means of computer simulations for the use case of a live video streaming service. Our experimental results show significant improvements in terms of response times over the current long-term evolution (LTE) networks.
IEEE/IET CSNDSP, 2022
Although IoT security is a field studied extensively, recent attacks such as BotenaGo show that c... more Although IoT security is a field studied extensively, recent attacks such as BotenaGo show that current security solutions cannot effectively stop the spread of IoT attacks. Machine Learning (ML) techniques are promising in improving protection against such attacks. In this work, three supervised ML algorithms are trained and evaluated for detecting rank and blackhole attacks in RPL-based IoT networks. Extensive simulations of the attacks are implemented to create a dataset and appropriate fields are identified for training the ML model. We use Google AutoML and Microsoft Azure ML platforms to train our model. Our evaluation results show that ML techniques can be effective in detecting rank and blackhole attacks, achieving a precision of 93.3%.
IEEE/IET CSNDSP, 2022
In recent years, the world has witnessed a significant increase in the number of IoT devices, wit... more In recent years, the world has witnessed a significant increase in the number of IoT devices, with a global and continuous rise in the demand for their multipurpose applications. However, malicious use of IoT devices began to emerge among cybercriminals. IoT-enabled cyberattacks and botnets, such as the Mirai botnet and its variants and imitators, demonstrate that the industry needs to better secure IoT devices and networks; otherwise, there will be higher risks of exposing the Internet's infrastructure and services to increasingly disruptive DDoS attacks. This paper presents the results of a study of IoT botnets. We focus on their distinctive characteristics, exploits used, and cyberattack capabilities. In total, we have reviewed and compared 46 recent IoT botnets. We also present details of the main CPU architectures targeted by these IoT botnets. We illustrate that IoT botnets pose a significant threat to private individuals and enterprises by employing effective evasion mechanisms, encrypted communication, and targeting a wide range of systems and networks.
Journal of Cybersecurity and Privacy, 2022
This article is an open access article distributed under the terms and conditions of the Creative... more This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY
Ad Hoc Networks, 2022
Unmanned aerial vehicles (UAVs) are a rapidly evolving technology, and being highly mobile, UAV s... more Unmanned aerial vehicles (UAVs) are a rapidly evolving technology, and being highly mobile, UAV systems are able to cooperate with each other to accomplish a wide range of different tasks. UAVs can be used in commercial applications, such as goods delivery, as well as in military surveillance. They can also operate in civil domains like search-and-rescue missions, that require multiple UAVs to collect location data as well as transmit video streams. However, the malicious use of UAVs began to emerge in recent years. The frequency of such attacks has been significantly increasing and their impact can have devastating effects. Hence, the relevant industries and standardisation bodies are exploring possibilities for securing UAV systems and networks. Our survey focuses on UAV security and privacy issues whilst establishing flying ad-hoc networks (FANETs) as well as on threats to the Internet of drones (IoD) infrastructure used to provide control and access over the Internet between UAVs and users. The goal of this survey is to categorise the versatile aspects of the UAV threat landscape and develop a classification approach based on different types of connections and nodes in FANETs and IoD. In particular, we categorise security and privacy threats on connections between UAVs, ground control stations, and personal pilot devices. All the most relevant threats and their corresponding defence mechanisms are classified using characteristics of the first four layers of the OSI model. We then analyse the conventional and novel UAV routing protocols, indicating their advantages and disadvantages from the cyber security perspective. 
To provide a deeper insight, the reviewed defence mechanisms have undergone a thorough examination of their security requirements and objectives such as availability, authentication, authorisation, confidentiality, integrity, privacy, and non-repudiation. Finally, we discuss the open research challenges, the limitations of current UAV standards, and provide possible future directions for research. 2.2. UAV communication architectures categorisation Communication is a critical issue when deploying fast moving multi-UAV systems. Depending on data flow, UAV communications architectures are either centralised or decentralised. This categorisation is shown in Fig. 2 and explained below. 2.2.1. Centralised architectures UAVs communicate with a central controller, meaning there is a single point of failure. Fig. 3 presents three types of centralised communication architectures [9]. In UAV-GCS, to obtain data, every UAV must directly connect to the GCS. This type of link is not advisable in changeable environments, such as stormy weather conditions. In UAV-satellite, communication is done via a satellite, which is suitable for when the distance between GCS and UAV is big. In UAV-cellular, communication is performed via appropriate cellular technology; it uses base stations to implement routing technology that facilitates communication between nodes.
Computers & Electrical Engineering, 2021
This work focuses on infiltration methods, such as Address Resolution Protocol (ARP) spoofing, wh... more This work focuses on infiltration methods, such as Address Resolution Protocol (ARP) spoofing, where adversaries sends fabricated ARP messages, linking their Media Access Control (MAC) address to a genuine device's Internet Protocol (IP) address. We developed a Software-Defined Networking (SDN)-based Intrusion Detection and Prevention System (IDPS), which defends against ARP spoofing and Blacklisted MAC Addresses. This is done by dynamically adjusting SDN's operating parameters to detect malicious network traffic. Bespoke software was written to conduct the attack tests and customise the IDPS; this was coupled to a specifically developed library to validate user input. Improvements were made to SDN in the areas of attack detection, firewall, intrusion prevention, packet dropping, and shorter timeouts. Our extensive experimental results show that the developed solution is effective and quickly responds to intrusion attempts. In the considered test scenarios, our measured detection and mitigation times are sufficiently low (in the order of a few seconds).
12th IEEE/IET CSNDSP, 2020
The IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) has been standardized to support... more The IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) has been standardized to support IP over lossy networks. RPL (Routing Protocol for Low-Power and Lossy Networks) is the common routing protocol for 6LoWPAN. Among various attacks on RPL-based networks, the wormhole attack may cause severe network disruption and is one of the hardest to detect. We have designed and implemented in ContikiOS a wormhole detection technique for 6LoWPAN, that uses round-trip times and hop counts. In addition, the performance of this technique has been evaluated in terms of power, CPU, memory, and communication overhead.
12th IEEE/IET CSNDSP, 2020
IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) has been designed to handle routing ... more IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) has been designed to handle routing in IoT. We investigate the detection of blackhole and greyhole attacks in RPL networks. We evaluate the existing heartbeat-based detection method for blackhole attacks and propose its modification for greyhole attacks. Extensive experiments have been performed to verify the accuracy and effectiveness of the new method using Contiki-NG and Cooja simulator. The obtained results show that the method is accurate in detecting the attacks. The overhead introduced by the modified heartbeat protocol in terms of CPU usage and battery consumption is found to be negligible.
IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT’20), 2020
This paper investigates the use of Software-Defined Networking (SDN) in the detection and mitigation of malware threats, focusing on the example of ExPetr ransomware. Extensive static and dynamic analysis of ExPetr is performed in a purpose-built SDN testbed. The results acquired from this analysis are then used to design and implement an SDN-based solution to detect the malware and prevent it from spreading to other machines inside a local network. Our solution consists of three security mechanisms that have been implemented as components/modules of the Python-based POX controller. These mechanisms include: port blocking, SMB payload inspection, and HTTP payload inspection. When malicious activity is detected, the controller communicates with the SDN switches via the OpenFlow protocol and installs appropriate entries in their flow tables. In particular, the controller blocks machines which are considered infected, by monitoring and reacting in real time to the network traffic they produce. Our experimental results demonstrate that the proposed designs are effective against self-propagating malware in local networks. The implemented system can respond to malicious activities quickly and in real time. Furthermore, by tuning certain thresholds of the detection mechanisms it is possible to trade off the detection time against the false positive rate.
Lecture Notes in Computer Science, vol 11980. Springer, Cham, 2020
Internet of Things (IoT) is already playing a significant role in our lives, as more and more industries are adopting IoT for improving existing systems and providing novel applications. However, recent attacks caused by the Mirai and Chalubo botnets show that IoT systems are vulnerable and new security mechanisms are required. In this work, we design and implement a prototype of an Intrusion Detection System (IDS) for protecting IoT networks and devices from Denial-of-Service (DoS) attacks. Our focus is on detecting attacks that exploit the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which is a widely used protocol for packet routing in low-power IoT networks. Our considered Operating System (OS) is the popular ContikiOS and we use the Cooja simulator to study DoS attacks and test the detection algorithms. In particular, we simulated scenarios that involve both benign and malicious/compromised IoT devices. A compromised device exploits RPL control messages to cause other devices to perform heavy computations and to disrupt the established network routes. The obtained simulation results help us understand the characteristics of an RPL-based IoT network under its normal operation and devise effective countermeasures against malicious activity. A new threshold-based IDS is proposed and a first prototype is implemented in ContikiOS. The IDS relies on tunable parameters and involves both centralised and distributed components in order to effectively detect malicious RPL messages. Experimental results show a high detection rate and low false positives in large networks.
IEICE Information and Communication Technology Forum (ICTF), 2018
Nowadays ransomware presents a huge and the fastest growing problem for all types of users, from small households to large corporations and government bodies. Modern day ransomware families implement sophisticated encryption and propagation schemes, thus limiting chances to recover the data almost to zero. In order to design and develop appropriate detection and mitigation mechanisms it is important to perform ransomware analysis and identify its features. In this work, we present our ransomware analysis results focusing on the infamous WannaCry ransomware. In particular, the presented research examines the WannaCry behaviour during its execution in a purpose-built virtual lab environment. We perform static and dynamic analysis using a wide range of malware analysis tools. The obtained results can be used for developing appropriate detection and mitigation mechanisms for WannaCry or other ransomware families that exhibit similar behaviour.
Journal of Network and Computer Applications, 2019
Over recent years, we have observed a significant increase in the number and the sophistication of cyber attacks targeting home users, businesses, government organizations and even critical infrastructure. In many cases, it is important to detect attacks at the very early stages, before significant damage can be caused to networks and protected systems, including accessing sensitive data. To this end, cybersecurity researchers and professionals are exploring the use of Software-Defined Networking (SDN) technology for efficient and real-time defense against cyberattacks. SDN enables network control to be logically centralised by decoupling the control plane from the data plane. This feature enables network programmability and has the potential to almost instantly block network traffic when some malicious activity is detected. In this work, we design and implement an Intrusion Detection and Prevention System (IDPS) using SDN. Our IDPS is a software application that monitors networks and systems for malicious activities or security policy violations and takes steps to mitigate such activity. We specifically focus on defending against port-scanning and Denial of Service (DoS) attacks. However, the proposed design and detection methodology have the potential to be expanded to a wide range of other malicious activities. We have implemented and tested two connection-based techniques as part of the IDPS, namely the Credit-Based Threshold Random Walk (CB-TRW) and Rate Limiting (RL). As a mechanism to defend against port-scanning, we outline and test our Port Bingo (PB) algorithm. Furthermore, we include QoS as a DoS attack mitigation, which relies on flow statistics from a network switch. We conducted extensive experiments in a purpose-built testbed environment. The experimental results show that the launched port-scanning and DoS attacks can be detected and stopped in real time. Finally, the rate of false positives can be kept sufficiently low by tuning the threshold parameters of the detection algorithms.
Computers & Electrical Engineering, 2019
Modern day ransomware families implement sophisticated encryption and propagation schemes, thus limiting chances to recover the data almost to zero. We investigate the use of software-defined networking (SDN) to detect and mitigate advanced ransomware threats. We present our ransomware analysis results and our developed SDN-based security framework. For the proof of concept, the infamous WannaCry ransomware was used. Based on the obtained results, we design an SDN detection and mitigation framework and develop a solution based on OpenFlow. The developed solution detects suspicious activities through network traffic monitoring and blocks infected hosts by adding flow table entries into OpenFlow switches in a real-time manner. Finally, our experiments with multiple samples of WannaCry show that the developed mechanism in all cases is able to promptly detect the infected machines and prevent WannaCry from spreading.
2018 11th International Symposium on Communication Systems, Networks & Digital Signal Processing (CSNDSP), 2018
The emergence of the Internet of Things (IoT) is expected to significantly advance technology development in many application domains such as agriculture, home automation, and healthcare. However, in the IoT era, this development faces serious research challenges in terms of handling large amounts of data, designing efficient system architectures, and implementing appropriate mechanisms for privacy and security assurance. The network security aspect of the IoT is of especially major importance due to the huge amounts of data that the IoT is expected to generate and handle, and considering the limited resources of typical IoT devices. Among the serious security threats are physical attacks on IoT devices that operate in remote locations. These are known in the literature as node capture attacks. Motivated by the aforementioned issues, this paper first introduces the background of IoT security and discusses the related challenges. Next, a secure group communication scheme that enables IoT using a low energy wireless IP network is described. The proposed approach is based on Shamir's Secret Sharing scheme, which has been enhanced to enable secure group-to-group communication of resource-constrained IoT devices. In particular, we consider the low energy wireless IP networking technology as one of the IoT enablers and the problem of mitigating the negative effects of node capture attacks on IoT devices. Simulation results show significant improvements of the proposed scheme over the traditional public-key based approach.
Internet of Things (IoT) is envisioned as a transformative approach with a wide range of applications in various sectors such as home automation, industrial control, and agriculture. It promises innovative business models and improved user experience. However, as evidenced by recent attacks such as the Mirai botnet, IoT networks and systems remain very vulnerable and require stronger protection mechanisms. Furthermore, due to the processing, memory, and power constraints of typical IoT devices, traditional Internet security mechanisms are not always feasible or appropriate. In this work, we are concerned with designing an Intrusion Detection System (IDS) for protecting IoT networks from external threats as well as internal compromised devices. Our proposed design adopts a signature-based intrusion detection approach and involves both centralised and distributed IDS modules. Using the Cooja simulator, we have implemented a Denial of Service (DoS) attack scenario on IoT devices. This scenario exploits the RPL protocol, which is widely used for routing in low-power networks, including IoT networks. In particular, we have implemented two variants of DoS attacks, namely "Hello" flooding and version number modification. As shown by simulation results, these attacks may impact the reachability of certain IoT devices and their power consumption.
IET Networks
Novel networking paradigms, such as software-defined networking (SDN) and network function virtualization (NFV), introduce new opportunities in the design of next-generation mobile networks. Our present work investigates the benefits of the emerging SDN and NFV technologies on the radio resource management (RRM) in mobile cellular networks. In particular, the aim of our RRM scheme is to enable an efficient and flexible radio resource allocation in order to assure the quality of experience (QoE) of mobile users. We consider the OFDMA multiple-access scheme and the complete radio resource sharing policy. To enable time- and space-efficient resource allocation, we investigate the applicability of the well-known Kaufman-Roberts recursion in the context of the new architectural and functional changes of SDN/NFV based mobile environments. Finally, we discuss the applicability of the proposed approach for more complicated resource sharing policies.
Dual connectivity (DC) has been included in Release 12 of the long-term evolution (LTE) standard. In this paper, we perform a formal security verification of the key establishment protocol for DC in small cell LTE networks. In particular, the security verification is performed using a popular tool called Scyther. The considered security properties include secrecy and reachability. We also simulate a key leakage and show that some security claims in this case can be falsified.
The smart grid (SG), generally referred to as the next-generation power system, is considered as a revolutionary and evolutionary regime of existing power grids. Among the emerging SG applications, the advanced metering infrastructure (AMI) enables automated, two-way communication between a smart meter (SM) and a public utility company. To authenticate a message, the sender (e.g., an SM) signs the message with its private key using a pre-defined digital signature algorithm. To verify the message, the recipient verifies the sender's certificate and then the sender's signature using the sender's public key. In some cases, however, a previously issued certificate for a network node needs to be revoked. In this paper we investigate two possible approaches for the certificate management of SMs in AMI networks. These are based on the traditional certificate revocation lists (CRLs) and on Bloom filters. We compare the two approaches in terms of the required packet size for the distribution of the revoked certificate serial numbers. We also discuss the advantages and limitations of each approach.
Diffie-Hellman (DH) key exchange is a well-known method for secure exchange of cryptographic keys and has been widely used in popular Internet protocols, such as IPsec, TLS, and SSH. To enable authenticated key establishment, the DH protocol has been integrated with the digital signature algorithm (DSA). In this paper, we analyze three variants of the integrated DH-DSA protocol. We study the protocol variants with respect to known types of attacks and security features. In particular, the focus is on the properties of forward secrecy, known-key security, and replay attack resilience.
The concept of software-defined networking (SDN) is able to offer important advantages over the traditional communication paradigms. This is achieved by decoupling the decision-making process from the underlying network infrastructure that forwards the traffic. Recently, there have been efforts in applying the SDN approach to wireless and cellular networks. In fact, SDN is considered as one of the key enablers for future 5G communication networks. Information-centric networking (ICN) is another emerging communication paradigm that has been proposed to improve the content delivery efficiency compared to the traditional host-centric communication protocols. ICN decouples the data from their location, application, and means of transportation. This feature makes ICN particularly suitable for efficient dissemination of large volumes of data, especially in highly dynamic and heterogeneous mobile environments. In this work, we consider an SDN-enabled cellular network and propose an ICN protocol to ensure fast and efficient content dissemination to mobile users. The proposed protocol has been evaluated by means of computer simulations for the use case of a live video streaming service. Our experimental results show significant improvements in terms of response times over the current long-term evolution (LTE) networks.