Browsing by Author "Marchany, Randolph C."
- Achieving Security and Privacy in the Internet Protocol Version 6 Through the Use of Dynamically Obscured Addresses
  Dunlop, Matthew William (Virginia Tech, 2012-03-15)
  Society's increased use of network applications, such as email, social networking, and web browsing, creates a massive amount of information floating around in cyber space. An attacker can collect this information to build a profile of where people go, what their interests are, and even what they are saying to each other. For certain government and corporate entities, the exposure of this information could risk national security or loss of capital. This work identifies vulnerabilities in the way the Internet Protocol version 6 (IPv6) forms addresses. These vulnerabilities provide attackers with the ability to track a node's physical location, correlate network traffic with specific users, and even launch attacks against users' systems. A Moving Target IPv6 Defense (MT6D) that rotates through dynamically obscured network addresses while maintaining existing connections was developed to prevent these addressing vulnerabilities. MT6D is resistant to the IPv6 addressing vulnerabilities since addresses are not tied to host identities and continuously change. MT6D leverages the immense address space of IPv6 to provide an environment that is infeasible to search efficiently. Address obscuration in MT6D occurs throughout ongoing sessions to provide continued anonymity, confidentiality, and security to communicating hosts. Rotating addresses mid-session prevents an attacker from determining that the same two hosts are communicating. The dynamic addresses also force an attacker to repeatedly reacquire the target node before he or she can launch a successful attack. A proof of concept was developed that demonstrates the feasibility of MT6D and its ability to seamlessly bind new IPv6 addresses.
  Also demonstrated is MT6D's ability to rotate addresses mid-session without dropping or renegotiating sessions. This work makes three contributions to the state-of-the-art IPv6 research. First, it fully explores the security vulnerabilities associated with IPv6 address formation and demonstrates them on a production IPv6 network. Second, it provides a method for dynamically rotating network addresses that defeats these vulnerabilities. Finally, a functioning prototype is presented that proves how network addresses can be dynamically rotated without losing established network connections. If IPv6 is to be globally deployed, it must not provide additional attack vectors that expose user information.
- Android Hypovisors: Securing Mobile Devices through High-Performance, Light-Weight, Subsystem Isolation with Integrity Checking and Auditing Capabilities
  Krishnan, Neelima (Virginia Tech, 2014-12-12)
  The cellphone turned 40 years old in 2013, and its evolution has been phenomenal in these 40 years. Its name has evolved from "cellphone" to "mobile phone" and "smartphone" to "mobile device." Its transformation has been multi-dimensional in size, functionality, application, and the like. This transformation has allowed the mobile device to be utilized for casual use, personal use, and enterprise use. Usage is further driven by the availability of an enormous number of useful applications for easy download from application (App) markets. Casual download of a seemingly useful application from an untrusted source can cause immense security risks to personal data and any official data resident in the mobile device. Intruding malicious code can also enter the enterprise networks and create serious security challenges. Thus, a mobile device architecture that supports secure multi-persona operation is strongly needed. The architecture should be able to prevent system intrusions and should be able to perform regular integrity checking and auditing. Since Android has the largest user base among mobile device operating systems (OS), the architecture presented here is implemented for Android. This thesis describes how an architecture named the "Android Hypovisor" has been developed and implemented successfully as part of this project work. The key contributions of the project work are:
  1. Enhancement of kernel security
  2. Incorporation of an embedded Linux distribution layer that supports Glibc/shared libraries so that open-source tools can be added easily
  3. Integration of integrity checking and auditing tools (Intrusion Detection and Prevention System; IDPS)
  4. Integration of container infrastructure to support multiple OS instances.
  5.
  Analysis shows that the hypovisor increases memory usage by 40-50 MB. As the proposed OS is stripped down to support the embedded hypovisor, power consumption is only minimally increased. This thesis describes how the implemented architecture secures mobile devices through high-performance, light-weight, subsystem isolation with integrity checking and auditing capabilities.
- Assessing Security Vulnerabilities: An Application of Partial and End-Game Verification and Validation
  Frazier, Edward Snead (Virginia Tech, 2010-04-21)
  Modern software applications are becoming increasingly complex, prompting a need for expandable software security assessment tools. Violable constraints/assumptions presented by Bazaz [1] are expandable and can be modified to fit the changing landscape of software systems. Partial and End-Game Verification, Validation, and Testing (VV&T) strategies utilize the violable constraints/assumptions and are established by this research as viable software security assessment tools. The application of Partial VV&T to the Horticulture Club Sales Assistant is documented in this work. Development artifacts relevant to Partial VV&T review are identified. Each artifact is reviewed for the presence of constraints/assumptions by translating the constraints/assumptions to target the specific artifact and software system. A constraint/assumption review table and accompanying status nomenclature are presented that support the application of Partial VV&T. Both the constraint/assumption review table and status nomenclature are generic, allowing them to be used in applying Partial VV&T to any software system. Partial VV&T, using the constraint/assumption review table and associated status nomenclature, is able to effectively identify software vulnerabilities. End-Game VV&T is also applied to the Horticulture Club Sales Assistant. Base test strategies presented by Bazaz [1] are refined to target system specific resources such as user input, database interaction, and network connections. Refined test strategies are used to detect violations of the constraints/assumptions within the Horticulture Club Sales Assistant. End-Game VV&T is able to identify violation of constraints/assumptions, indicating vulnerabilities within the Horticulture Club Sales Assistant.
  Addressing vulnerabilities identified by Partial and End-Game VV&T will enhance the overall security of a software system.
- Battery-Based Intrusion Detection
  Jacoby, Grant Arthur (Virginia Tech, 2005-04-12)
  This dissertation proposes an efficacious early warning system: a mobile host-based form of intrusion detection that can alert security administrators to protect their corporate network(s). The novel technique operates through the implementation of smart battery-based intrusion detection (B-bid) on mobile devices, such as PDAs, HandPCs and smart-phones, by correlating attacks with their impact on device power consumption. A host intrusion detection engine (HIDE) monitors power behavior to detect potential intrusions by noting consumption irregularities and serves like a sensor to trigger other forms of protection. HIDE works in conjunction with a Scan Port Intrusion Engine (SPIE) that ascertains the IP and port source of the attack and with a host analysis signature trace engine (HASTE) that determines the energy signature of the attack and correlates it to a variety of the most common attacks to provide additional protection and alerts to both mobile hosts and their network.
- Battery-Sensing Intrusion Protection System (B-SIPS)
  Buennemeyer, Timothy Keith (Virginia Tech, 2008-12-05)
  This dissertation investigates using instantaneous battery current sensing techniques as a means of detecting IEEE 802.15.1 Bluetooth and 802.11b (Wi-Fi) attacks and anomalous activity on small mobile wireless devices. This research explores alternative intrusion detection methods in an effort to better understand computer networking threats. This research applies to Personal Digital Assistants (PDAs) and smart phones, operating with sensing software in wireless network environments to relay diagnostic battery readings and threshold breaches to indicate possible battery exhaustion attack, intrusion, virus, and worm activity detections. The system relies on host-based software to collect smart battery data to sense instantaneous current characteristics of anomalous network activity directed against small mobile devices. This effort sought to develop a methodology, design and build a net-centric system, and then further explore this non-traditional intrusion detection system (IDS) approach. This research implements the Battery-Sensing Intrusion Protection System (B-SIPS) client detection capabilities for small mobile devices, a server-based Correlation Intrusion Detection Engine (CIDE) for attack correlation with Snort's network-based IDS, device power profiling, graph views, security administrator alert notification, and a database for robust data storage. Additionally, the server-based CIDE provides the interface and filtering tools for a security administrator to further mine our database and conduct forensic analysis. A separate system was developed using a digital oscilloscope to observe Bluetooth, Wi-Fi, and blended attack traces and to create unique signatures. The research endeavor makes five significant contributions to the security field of intrusion detection.
  First, this B-SIPS work creates an effective intrusion detection approach that can operate on small, mobile host devices in networking environments to sense anomalous patterns in instantaneous battery current as an indicator of malicious activity using an innovative Dynamic Threshold Calculation (DTC) algorithm. Second, the Current Attack Signature Identification and Matching System (CASIMS) provides a means for high resolution current measurements and supporting analytical tools. This system investigates Bluetooth, Wi-Fi, and blended exploits using an oscilloscope to gather high fidelity data. Instantaneous current changes were examined on mobile devices during representative attacks to determine unique attack traces and recognizable signatures. Third, two B-SIPS supporting theoretical models are presented to investigate static and dynamic smart battery polling. These analytical models are employed to examine smart battery characteristics to support the theoretical intrusion detection limits and capabilities of B-SIPS. Fourth, a new genre of attack, known as a Battery Polling Cycle Timing Attack, is introduced. Today's smart battery technology polling rates are designed to support Advanced Power Management needs. Every PDA and smart phone has a polling rate that is determined by the device and smart battery original equipment manufacturers. If an attacker knows the precise timing of the polling rate of the battery's chipset, then the attacker could attempt to craft intrusion packets to arrive within those limited time windows and between the battery's polling intervals. Fifth, this research adds to the body of knowledge about non-traditional attack sensing and correlation by providing a component of an intrusion detection strategy.
  This work expands today's research knowledge towards a more robust multilayered network defense by creating a novel design and methodology for employing mobile computing devices as a first line of defense to improve overall network security, and potentially, through extension, to other communication mediums in need of defensive capabilities. Mobile computing and communications devices such as PDAs, smart phones, and ultra small general purpose computing devices are the typical targets for the results of this work. Additionally, field-deployed battery operated sensors and sensor networks will also benefit by incorporating the security mechanisms developed and described here.
- Bluetooth Threat Taxonomy
  Dunning, John Paul (Virginia Tech, 2010-10-08)
  Since its release in 1999, Bluetooth has become a commonly used technology available on billions of devices throughout the world. Bluetooth is a wireless technology used for information transfer by devices such as smartphones, headsets, keyboards/mice, laptops/desktops, video game systems, automobiles, printers, heart monitors, and surveillance cameras. Dozens of threats that target these Bluetooth enabled devices have been developed by researchers and hackers. The work in this thesis provides insight into past and current Bluetooth threats along with methods of threat mitigation. The main focus of this thesis is the Bluetooth Threat Taxonomy (BTT); it is designed for classifying threats against Bluetooth enabled technology. The BTT incorporates nine distinct classifications to categorize Bluetooth attack tools and methods and a discussion on 42 threats. In addition, several new threats developed by the author will be discussed. This research also provides means to secure Bluetooth enabled devices. The Bluetooth Attack Detection Engine (BLADE) is a host-based Intrusion Detection System (IDS) presented to detect threats targeted toward a host system. Finally, a threat mitigation schema is provided to act as a guideline for securing Bluetooth enabled devices.
- Cybersecurity for the Internet of Things: A Micro Moving Target IPv6 Defense
  Zeitz, Kimberly Ann (Virginia Tech, 2019-09-04)
  As the use of low-power and low-resource embedded devices continues to increase dramatically with the introduction of new Internet of Things (IoT) devices, security techniques are necessary which are compatible with these devices. This research advances the knowledge in the area of cybersecurity for the IoT through the exploration of a moving target defense applied to limit the time attackers may conduct reconnaissance on embedded systems, while considering the challenges presented by IoT devices such as resource and performance constraints. We introduce the design and optimizations for µMT6D, a Micro-Moving Target IPv6 Defense, including a description of the modes of operation and use of lightweight hash algorithms. Through simulations and experiments µMT6D is shown to be viable for use on low power and low resource embedded devices in terms of footprint, power consumption, and energy consumption increases in comparison to the given security benefits. Finally, this work provides information on other future considerations and possible avenues of further experimentation and research.
- Designing PhelkStat: Big Data Analytics for System Event Logs
  Salman, Mohammed; Welch, Brian; Raymond, David Richard; Marchany, Randolph C.; Tront, Joseph G. (HICSS Symposium on Cybersecurity Big Data Analytics, 2017-01-04)
  With wider adoption of micro-service based architectures in cloud and distributed systems, logging and monitoring costs have become increasingly relevant topics of research. There are a large number of log analysis tools such as the ELK (Elasticsearch, Logstash and Kibana) stack, Apache Spark, Sumo Logic, and Loggly, among many others. These tools have been deployed to perform anomaly detection, diagnose threats, optimize performance, and troubleshoot systems. Due to the real-time and distributed nature of logging, there will always be a need to optimize the performance of these tools; this performance can be quantified in terms of compute, storage, and network utilization. As part of the Information Technology Security Lab at Virginia Tech, we have the unique ability to leverage production data from the university network for research and testing. We analyzed the workload variations from two production systems at Virginia Tech, finding that the maximum workload is about four times the average workload. Therefore, a static configuration can lead to an inefficient use of resources. To address this, we propose PhelkStat: a tool to evaluate the temporal and spatial attributes of system workloads, using clustering algorithms to categorize the current workload. Using PhelkStat, system parameters can be automatically tweaked based on the workload. This paper reviews publicly available system event log datasets from supercomputing clusters and presents a statistical analysis of these datasets. We also show a correlation between these attributes and the runtime performance.
- Detecting software attacks by monitoring electric power consumption patterns
  (United States Patent and Trademark Office, 2011-01-25)
  Software attacks such as worms and viruses are detected in an electronic device by monitoring power consumption patterns. In a first embodiment, software attacks are detected by an increase in power consumption. The increased power consumption can be caused by increased network traffic, or by increased activity in the microprocessor. Monitoring power consumption is particularly effective for detecting DoS/flooding attacks when the electronic device is in an idle state. In a second embodiment, a power consumption signal is converted to the frequency domain (e.g., by fast Fourier transform). The highest amplitude frequencies are identified. Specific software attacks produce characteristic frequencies in the power consumption signal. Software attacks are therefore detected by matching the highest amplitude frequencies with frequencies associated with specific worms and viruses. Identification of a particular software attack typically requires matching of 3 or more of the highest amplitude frequencies, and, optionally, amplitude information.
- Embedding Network Information for Machine Learning-based Intrusion Detection
  DeFreeuw, Jonathan Daniel (Virginia Tech, 2019-01-18)
  As computer networks grow and demonstrate more complicated and intricate behaviors, traditional intrusion detection systems have fallen behind in their ability to protect network resources. Machine learning has stepped to the forefront of intrusion detection research due to its potential to predict future behaviors. However, training these systems requires network data such as NetFlow that contains information regarding relationships between hosts, but requires human understanding to extract. Additionally, standard methods of encoding this categorical data struggle to capture similarities between points. To counteract this, we evaluate a method of embedding IP addresses and transport-layer ports into a continuous space, called IP2Vec. We demonstrate this embedding on two separate datasets, CTU'13 and UGR'16, and combine the UGR'16 embedding with several machine learning methods. We compare the models with and without the embedding to evaluate the benefits of including network behavior in an intrusion detection system. We show that the addition of embeddings improves the F1-scores for all models in the multiclassification problem given in the UGR'16 data.
- Evaluating Standard and Custom Applications in IPv6 Within a Simulation Framework
  Clore, Brittany Michelle (Virginia Tech, 2012-07-30)
  Internet Protocol version 6 (IPv6) is being adopted in networks around the world as the Internet Protocol version 4 (IPv4) addressing space reaches its maximum capacity. Although there are IPv6 applications being developed, there are not many production IPv6 networks in place in which these applications can be deployed. Simulation presents a cost effective alternative to setting up a live test bed of devices to validate specific IPv6 environments before actual physical deployment. OPNET Modeler provides the capability to simulate the IPv6 protocol, and System-in-the-Loop, an add-on module, allows real communication traffic from physical devices to be converted and sent over the simulated network. This research has developed a campus framework, modeled after the Virginia Tech Blacksburg campus, to verify and validate standard and custom IPv6 applications. Specifically, the framework was used to test MT6D, a custom IPv6 security application developed in the Virginia Tech IT Security Lab (ITSL), as well as to test Voice over IP (VoIP) as a somewhat bandwidth-demanding benchmarking standard application. The work presented shows that simulation helped to identify potential issues within the applications and verified the results after fixes were applied. It also reveals challenges and shortcomings of OPNET Modeler's IPv6 implementation and presents potential solutions to these problems.
- Evaluation of Moving Target IPv6 Defense and Distributed Denial of Service Defenses
  DiMarco, Peter Lewis (Virginia Tech, 2013-12-13)
  A Denial-of-Service (DoS) attack is a network attack from a single machine that attempts to prevent the victim, the targeted machine, from communicating with other devices on the network or performing its normal tasks. The extension of these attacks to include many malicious machines became known as Distributed Denial-of-Service (DDoS) attacks. DDoS attacks cause an immense amount of strain on both the victim and the devices used to reach the victim. In reaction to these attacks, preexisting technologies were used as DDoS defenses to mitigate the effects. The two most notable defenses used are the firewall and Internet Protocol Security (IPsec). The technologies behind these defenses emerged over twenty years ago and since then have been updated to conform to the newest Internet protocols. While these changes have kept the technologies viable, these defenses have still fallen victim to successful attacks. Because of the number of Internet connected devices and the small address space in Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6) was developed to solve the address space problem. With IPv6, however, there are new problems to address; therefore, these aforementioned defenses have to be further modified to accommodate the new protocol. Moving Target IPv6 Defense (MT6D) has been developed to attempt to leverage the new standard against DDoS attacks in the IPv6 arena. This research evaluates the DDoS prevention capabilities of the aging defenses relative to the newly developed MT6D to determine which defense is best suited to defend against these attacks for a variety of scenarios. The threat environment in this study is limited to Synchronize (SYN) Flood, HTTP/GET Flood, Denial6, Dos-New-IP6, and Slowloris attacks. Attacks on the MT6D key distribution mechanism are not considered.
  Strengths and weaknesses of the aforementioned defenses are presented and analyzed. This project examines different metrics including the performance impact on the machines and the client throughput in an instrumented testbed. MT6D has high operating costs and low throughput compared to the other defenses. Under DDoS attacks, the firewall is unable to prevent attacks in IPv6 due to the inability to determine the same host from multiple Internet Protocol (IP) addresses. Overall, IPsec and MT6D effectively mitigate the DDoS attacks, although MT6D is susceptible to some attacks because it operates at the guest level. At this point in MT6D's development, the difference in performance could be considered a reasonable price to pay for the added benefits from MT6D.
- Frequent Inventory of Network Devices for Incident Response: A Data-driven Approach to Cybersecurity and Network Operations
  Kobezak, Philip D. (Virginia Tech, 2018-05-22)
  Challenges exist in higher education networks with host inventory and identification. Any student, staff, faculty, or dedicated IT administrator can be the primary responsible personnel for devices on the network. Confounding the problem is that there is also a large mix of personally-owned devices. These network environments are a hybrid of corporate enterprise, federated network, and Internet service provider. This management model has survived for decades based on the ability to identify responsible personnel when a host, system, or user account is suspected to have been compromised or is disrupting network availability for others. Mobile devices, roaming wireless access, and users accessing services from multiple devices have made the task of identification onerous. With increasing numbers of hosts on networks of higher education institutions, strategies such as dynamic addressing and address translation become necessary. The proliferation of the Internet of Things (IoT) makes this identification task even more difficult. Loss of intellectual property, extortion, theft, and reputational damage are all significant risks to research institution networks. Quickly responding to and remediating incidents reduces exposure and risk. This research evaluates what universities are doing for host inventory and creates a working prototype of a system for associating relevant log events to one or more responsible people. The prototype reduces the need for human-driven updates while enriching the dynamic host inventory with additional information. It also shows the value of associating application and service authentications to hosts. The prototype uses live network data which is de-identified to protect privacy.
- HE-MT6D: A Network Security Processor with Hardware Engine for Moving Target IPv6 Defense (MT6D) over 1 Gbps IEEE 802.3 Ethernet
  Sagisi, Joseph Lozano (Virginia Tech, 2017-07-28)
  Traditional static network addressing allows attackers the incredible advantage of taking time to plan and execute attacks against a network. To counter this, Moving Target IPv6 Defense (MT6D) provides a network host obfuscation technique that dynamically obscures network and transport layer addresses. Software driven implementations have posed many challenges, namely, constant code maintenance to remain compliant with all library and kernel dependencies, less than optimal throughput, and the requirement for dedicated general purpose hardware. The work of this thesis presents a Network Security Processor and Hardware Engine for MT6D (HE-MT6D) to overcome these challenges. HE-MT6D is a soft core Intellectual Property (IP) block developed in full Register Transfer Level (RTL) and is the first hardware-oriented design of MT6D. Major contributions of HE-MT6D include the complete separation of the data and control planes, development of a nonlinear Complex Instruction Set Computer (CISC) Network Security Processor for in-flight packet modification, a specialized Packet Assembly language, a configurable and parallelized memory search through a tag-based Hybrid Content Addressable Memory (HCAM) L1 write-through cache, a full RTL Network Time Protocol version 4 hardware module, and a modular crypto engine. HE-MT6D supports multiple nodes and provides a 1,025% throughput performance increase over earlier C-based MT6D at 863 Mbps with full encapsulation and decapsulation, and it matches bare wire throughput performance for all other traffic. The HE-MT6D IP block can be configured as an independent physical gateway device, built as an embedded Application Specific Integrated Circuit (ASIC), or serve as a System on Chip (SoC) integrated submodule.
- Implementing an IPv6 Moving Target Defense on a Live Network
  Dunlop, Matthew; Groat, Stephen; Marchany, Randolph C.; Tront, Joseph G. (Cyber-Physical Systems Virtual Organization, 2012)
  The goal of our research is to protect sensitive communications, which are commonly used by government agencies, from eavesdroppers or social engineers. In prior work, we investigated the privacy implications of stateless and stateful address autoconfiguration in the Internet Protocol version 6 (IPv6). Autoconfigured addresses, the default addressing system in IPv6, provide a third party a means to track and monitor targeted users globally using simple tools such as ping and traceroute. Dynamic Host Configuration Protocol for IPv6 (DHCPv6) addresses contain a static DHCP Unique Identifier (DUID) that can be used to track and tie a stateless address to a host identity. Our research focuses on preventing the issue of IPv6 address tracking as well as creating a "moving target defense." The Moving Target IPv6 Defense (MT6D) dynamically hides network and transport layer addresses of packets in IPv6 to achieve anonymity and protect against certain classes of network attacks. Packets are encrypted to prevent traffic correlation, which provides significantly improved anonymity. MT6D has numerous applications ranging from hosts desiring to keep their locations private to hosts conducting sensitive communications. This paper explores the results of implementing a proof of concept MT6D prototype on a live IPv6 network.
- Implementing Moving Target IPv6 Defense to Secure 6LoWPAN in the Internet of Things and Smart Grid
  Sherburne, Matthew; Marchany, Randolph C.; Tront, Joseph G. (ACM Press, 2014)
  The growing momentum of the Internet of Things (IoT) has shown an increase in attack vectors within the security research community. We propose adapting a recent new approach of frequently changing IPv6 address assignment to add an additional layer of security to the Internet of Things. We examine implementing Moving Target IPv6 Defense (MT6D) in IPv6 over Low-Powered Wireless Personal Area Networks (6LoWPAN), a protocol that is being used in wireless sensors found in home automation systems and smart meters. 6LoWPAN allows the Internet of Things to extend into the world of wireless sensor networks. We propose adapting Moving-Target IPv6 Defense for use with 6LoWPAN in order to defend against network-side attacks such as Denial-of-Service and Man-In-The-Middle while maintaining anonymity of client-server communications. This research aims to provide a moving-target defense for wireless sensor networks while maintaining power efficiency within the network.
- Improving the Security, Privacy, and Anonymity of a Client-Server Network through the Application of a Moving Target Defense
  Morrell, Christopher Frank (Virginia Tech, 2016-05-03)
  The amount of data that is shared on the Internet is growing at an alarming rate. Current estimates state that approximately 2.5 exabytes of data were generated every day in 2012. This rate is only growing as people continue to increase their online presence. As the amount of data grows, so too does the number of people who are attempting to gain access to the data. Attackers try many methods to gain access to information, including a number of attacks that occur at the network layer. A network-based moving target defense is a technique that obfuscates the location of a machine on the Internet by arbitrarily changing its IP address periodically. MT6D is one of these techniques that leverages the size of the IPv6 address space to make it statistically impossible for an attacker to find a specific target machine. MT6D was designed with a number of limitations that include manually generated static configurations and support for only peer to peer networks. This work presents extensions to MT6D that provide dynamically generated configurations, a secure and dynamic means of exchanging configurations, and, with these new features, an ability to function as a server supporting a large number of clients. This work makes three primary contributions to the field of network-based moving target defense systems. First, it provides a means to exchange arbitrary information in a way that provides network anonymity, authentication, and security. Second, it demonstrates a technique that gives MT6D the capability to exchange configuration information by only sharing public keys. Finally, it introduces a session establishment protocol that clients can use to establish concurrent connections with an MT6D server.
- LIDS: An Extended LSTM Based Web Intrusion Detection System With Active and Distributed Learning. Sagayam, Arul Thileeban (Virginia Tech, 2021-05-24). Intrusion detection systems are an integral part of web application security. As Internet use continues to increase, the demand for fast, accurate intrusion detection systems has grown. Various IDSs like Snort, Zeek, Solarwinds SEM, and Sleuth9 detect malicious intent based on existing patterns of attack. While these systems are widely deployed, there are limitations with their approach, and anomaly-based IDSs that classify baseline behavior and trigger on deviations were developed to address their shortcomings. Existing anomaly-based IDSs have limitations that are typical of any machine learning system, including high false-positive rates, a lack of clear infrastructure for deployment, the requirement for data to be centralized, and an inability to add modules tailored to specific organizational threats. To address these shortcomings, our work proposes a system that is distributed in nature, can actively learn, and uses experts to improve accuracy. Our results indicate that the integrated system can operate independently as a holistic system while maintaining an accuracy of 99.03%, a false positive rate of 0.5%, and a processing speed of 160,000 packets per second for an average system.
- MARCS: Mobile Augmented Reality for Cybersecurity. Mattina, Brendan Casey (Virginia Tech, 2017-06-19). Network analysts have long used two-dimensional security visualizations to make sense of network data. As networks grow larger and more complex, two-dimensional visualizations become more convoluted, potentially compromising user situational awareness of cyber threats. To combat this problem, augmented reality (AR) can be employed to visualize data within a cyber-physical context to restore user perception and improve comprehension, thereby enhancing cyber situational awareness. Multiple generations of prototypes, known collectively as Mobile Augmented Reality for Cyber Security, or MARCS, were developed to study the impact of AR on cyber situational awareness. First generation prototypes were subjected to a formative pilot study of 44 participants to generate user-centric performance data and feedback, which motivated the design and development of second generation prototypes and provided initial insight into the potentially beneficial impact of AR on cyber situational awareness. Second generation prototypes were subjected to a summative secondary study by 50 participants to compare the impact of AR and non-AR visualizations on cyber situational awareness. Results of the secondary study suggest that employing AR to visualize cyber threats in a cyber-physical context collectively improves user threat perception and comprehension, indicating that, in some cases, AR security visualizations improve user cyber situational awareness over non-AR security visualizations.
- Method and system for dynamically obscuring addresses in IPv6 (United States Patent and Trademark Office, 2016-10-04). The invention dynamically obscures network and transport layer addresses of packets to achieve anonymity, including authentication privacy, as well as protection against tracking and traffic correlation and certain classes of network attacks, by combining intrusion protection with anonymity and avoiding the use of a separate management unit outside the host for distribution of obscured addresses. The invention enables a host to automatically configure obscured addresses and determine the obscured address of the intended recipient without outside involvement, computing addresses based on a set of parameters, and to operate without re-authentication whenever an address changes. The invention enables encryption of the packet payload to prevent traffic correlation. The technology of the invention can be implemented embedded on a host device or as a connected gateway device, requires negligible configuration, and is therefore transparent to hosts.