
Publication


Featured research published by Elias Bou-Harb.


IEEE Communications Magazine | 2013

Communication security for smart grid distribution networks

Elias Bou-Harb; Claude Fachkha; Makan Pourzandi; Mourad Debbabi; Chadi Assi

The operation and control of the next generation electrical grids will depend on a complex network of computers, software, and communication technologies. Being compromised by a malicious adversary would cause significant damage, including extended power outages and destruction of electrical equipment. Moreover, the implementation of the smart grid will include the deployment of many new enabling technologies such as advanced sensors and metering, and the integration of distributed generation resources. Such technologies and various others will require the addition and utilization of multiple communication mechanisms and infrastructures that may suffer from serious cyber vulnerabilities. These need to be addressed in order to increase security and thus the adoption and success of the smart grid. In this article, we focus on the communication security aspect of the distribution component of the smart grid. Consequently, we target the network security of the advanced metering infrastructure coupled with the data communication toward the transmission infrastructure. We discuss the security and feasibility aspects of possible communication mechanisms that could be adopted on that subpart of the grid. By accomplishing this, the correlated vulnerabilities in these systems could be remediated, and associated risks may be mitigated for the purpose of enhancing the cyber security of the future electric grid.


New Technologies, Mobility and Security | 2014

Fingerprinting Internet DNS Amplification DDoS Activities

Claude Fachkha; Elias Bou-Harb; Mourad Debbabi

This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) using darknet, this work shows that we can extract DDoS activities without relying on backscatter analysis. The aim of this work is to extract cyber security intelligence related to DNS amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo-location, in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three-month period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities, including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history led to a better understanding of the nature and scale of this threat and can generate inferences that could contribute to detecting, preventing, assessing, mitigating and even attributing DNS amplification DDoS activities.


Conference on Risks and Security of Internet and Systems | 2012

Investigating the dark cyberspace: Profiling, threat-based analysis and correlation

Claude Fachkha; Elias Bou-Harb; Amine Boukhtouta; Son Dinh; Farkhund Iqbal; Mourad Debbabi

An effective approach to gather cyber threat intelligence is to collect and analyze traffic destined to unused Internet addresses known as darknets. In this paper, we elaborate on such capability by profiling darknet data. Such information could generate indicators of cyber threat activity as well as provide an in-depth understanding of the nature of its traffic. In particular, we analyze the distribution of darknet packets, their transport-, network- and application-layer protocols, and pinpoint their resolved domain names. Furthermore, we identify their IP classes and destination ports as well as geo-locate their source countries. We further investigate darknet-triggered threats. The aim is to explore darknet-embedded threats and categorize their severities. Finally, we contribute by exploring the inter-correlation of such threats, by applying association rule mining techniques, to build threat association rules. Specifically, we generate clusters of threats that co-occur targeting a specific victim. Such work proves that specific darknet threats are correlated. Moreover, it provides insights about threat patterns and allows the interpretation of threat scenarios.


Computers & Security | 2014

On fingerprinting probing activities

Elias Bou-Harb; Mourad Debbabi; Chadi Assi

Motivated by recent cyber attacks that were facilitated through probing, limited cyber security intelligence and the lack of accuracy provided by scanning detection systems, this paper presents a new approach to fingerprint probing activity. It investigates whether the perceived traffic refers to probing activities and which exact scanning technique is being employed to perform the probing. Further, this work strives to examine probing traffic dimensions to infer the ‘machinery’ of the scan: whether the probing is random or follows a certain predefined pattern; which probing strategy is being employed; and whether the probing activity is generated from a software tool or from a worm/bot. The approach leverages a number of statistical techniques, probabilistic distribution methods and observations in an attempt to understand and analyze probing activities. To prevent evasion, the approach formulates this matter as a change point detection problem, which yielded motivating results. Evaluations performed using 55 GB of real darknet traffic show that the extracted inferences exhibit promising accuracy and can generate significant insights that could be used for mitigation purposes.


Computer Communications | 2015

Inferring distributed reflection denial of service attacks from darknet

Claude Fachkha; Elias Bou-Harb; Mourad Debbabi

This work proposes a novel approach to infer and characterize Internet-scale DNS Distributed Reflection Denial of Service (DRDoS) attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) activities using darknet, this work shows that we can extract DDoS activities without relying on backscatter analysis. The aim of this work is to extract cyber security intelligence related to DRDoS activities such as intensity, rate and geo-location, in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks, and the expectation maximization and k-means clustering techniques in an attempt to identify campaigns of DRDoS attacks. We empirically evaluate the proposed approach using 1.44 TB of real darknet data collected from a /13 address space during a recent several-month period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DRDoS activities, including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The insights extracted from various validated DNS DRDoS case studies led to a better understanding of the nature and scale of this threat and can generate inferences that could contribute to detecting, preventing, assessing, mitigating and even attributing DRDoS activities.


International Conference on Computer Communications | 2014

Behavioral analytics for inferring large-scale orchestrated probing events

Elias Bou-Harb; Mourad Debbabi; Chadi Assi

The significant dependence on cyberspace has indeed brought new risks that often compromise, exploit and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, inferring probing events, which are commonly the first stage of any cyber attack, renders a promising tactic to achieve that task. We have been receiving for the past three years 12 GB of daily malicious real darknet data (i.e., Internet traffic destined to half a million routable yet unallocated IP addresses) from more than 12 countries. This paper exploits such data to propose a novel approach that aims at capturing the behavior of the probing sources in an attempt to infer their orchestration (i.e., coordination) pattern. The latter defines a recently discovered characteristic of a new phenomenon of probing events that could be ominously leveraged to cause drastic Internet-wide and enterprise impacts as precursors of various cyber attacks. To accomplish its goals, the proposed approach leverages various signal and statistical techniques, information theoretical metrics, fuzzy approaches with real malware traffic and data mining methods. The approach is validated through one use case that arguably proves that a previously analyzed orchestrated probing event from last year is indeed still active, yet operating in a stealthy, very low-rate mode. We envision that the proposed approach, which is tailored towards darknet data that is frequently, abundantly and effectively used to generate cyber threat intelligence, could be used by network security analysts, emergency response teams and/or observers of cyber events to infer large-scale orchestrated probing events for early cyber attack warning and notification.


IEEE Network | 2017

Big Data Behavioral Analytics Meet Graph Theory: On Effective Botnet Takedowns

Elias Bou-Harb; Mourad Debbabi; Chadi Assi

Cyberspace continues to host highly sophisticated malicious entities that have demonstrated their ability to launch debilitating, intimidating, and disrupting cyber attacks. Recently, such entities have been adopting orchestrated, often botmaster-coordinated, stealthy attack strategies aimed at maximizing their targets’ coverage while minimizing redundancy and overlap. The latter entities, which are typically dubbed bots within botnets, are ominously being leveraged to cause drastic Internet-wide and enterprise impacts by means of severe misdemeanors. While a plethora of literature approaches have devised operational cyber security techniques for the detection of such botnets, very few have tackled the problem of how to promptly and effectively take down such botnets. In the past three years, we have received 12 GB of daily malicious real darknet data (i.e., Internet traffic destined to half a million routable but unallocated IP addresses or sensors) from more than 12 countries. This article exploits such data to propose a novel Internet-scale cyber security capability that fuses big data behavioral analytics with formal graph theoretical concepts to infer and attribute Internet-scale infected bots in a prompt manner and identify the niche of the botnet for effective takedowns. We validate the accuracy of the proposed approach by employing 100 GB of the Carna botnet, which is a very recent real malicious Internet-scale botnet. Since performance is also an imperative metric when dealing with big data for network security, this article further provides a comparison between two trending big data processing architectures, the almost standard Apache Hadoop system and a more traditional and simplistic multi-threaded programming approach, by employing 1 TB of real darknet data. Several recommendations and possible future research directions derived from the previous experiments conclude this article.


Security and Communication Networks | 2013

A secure, efficient, and cost-effective distributed architecture for spam mitigation on LTE 4G mobile networks

Elias Bou-Harb; Makan Pourzandi; Mourad Debbabi; Chadi Assi

The 4G of mobile networks will be a technology-opportunistic and user-centric system, combining the economical and technological advantages of various transmission technologies. As a part of its new architecture, LTE networks will implement an evolved packet core. Although this will provide various critical advantages, it will, on the other hand, expose telecom networks to serious IP-based attacks. One often adopted solution to mitigate such attacks is based on a centralized security architecture. However, this approach requires large processing and memory resources to handle huge amounts of traffic, which, in turn, causes a significant over-dimensioning problem in the centralized nodes. Hence, it may cause this approach to fail to achieve its security task. In this paper, we focus on a SPAM flooding attack, namely SMTP SPAM, and demonstrate, through simulations and discussion, its DoS impact on the Long Term Evolution (LTE) network and subsequent effects on the mobile network operator. Our main contribution involves proposing a distributed architecture on the LTE network that is secure and that mitigates attacks efficiently by solving the over-dimensioning problem. It is also cost-effective by utilizing ‘off-the-shelf’ low-cost hardware in the distributed nodes. Through additional simulation and analysis, we demonstrate the feasibility and effectiveness of our approach.


Computer Networks | 2013

A systematic approach for detecting and clustering distributed cyber scanning

Elias Bou-Harb; Mourad Debbabi; Chadi Assi

We present in this paper an approach that is composed of two techniques that respectively tackle the issues of detecting corporate cyber scanning and clustering distributed reconnaissance activity. The first employed technique is based on a non-attribution anomaly detection approach that focuses on what is being scanned rather than who is performing the scanning. The second technique adopts a statistical time series approach that is rendered by observing the correlation status of a traffic signal to perform the identification and clustering. To empirically validate both techniques, we utilize and examine two real network traffic datasets and implement two experimental environments. The first dataset comprises unsolicited one-way telescope/darknet traffic, while the second dataset has been captured in our lab through a customized setup. The results show, on one hand, that for a class C network with 250 active hosts and 5 monitored servers, the training period of the proposed detection technique required a stabilization time of less than 1 s and a state memory of 80 bytes. Moreover, in comparison with Snort's sfPortscan technique, it was able to detect 4215 unique scans and yielded zero false negatives. On the other hand, the proposed clustering technique is able to correctly identify and cluster the scanning machines with high accuracy even in the presence of legitimate traffic. We further validate this clustering technique by formulating the presented scenario as a machine learning problem. Specifically, we compare our proposed technique with an unsupervised data clustering technique that adopts the k-means and the expectation maximization approach. The results authenticate our clustering technique, rendering it feasible for adoption.


New Technologies, Mobility and Security | 2016

A Brief Survey of Security Approaches for Cyber-Physical Systems

Elias Bou-Harb

The security of Cyber-Physical Systems (CPS) has recently been receiving significant attention from the research community. To this end, this paper sheds light on a number of security approaches for CPS from two perspectives, namely, control-theoretic and cyber security. Further, threat detectors in various CPS environments are highlighted and discussed. The aim is to demonstrate the lack of coherent approaches that systematically tackle both security aspects of such systems, in addition to pinpointing several insightful research gaps that endeavor to shape future CPS security solutions.

Collaboration


Dive into Elias Bou-Harb's collaborations.

Top Co-Authors

Nasir Ghani (University of South Florida)

Jorge Crichigno (Northern New Mexico College)

Farooq Shaikh (University of South Florida)

Nataliia Neshenko (Florida Atlantic University)

Georges Kaddoum (École de technologie supérieure)