Matthew Dunlop
Virginia Tech
Publication
Featured research published by Matthew Dunlop.
military communications conference | 2011
Matthew Dunlop; Stephen Groat; William Urbanski; Randy C. Marchany; Joseph G. Tront
The Internet Protocol version 6 (IPv6) brings with it a seemingly endless supply of network addresses. It does not, however, solve many of the vulnerabilities that existed in Internet Protocol version 4 (IPv4). In fact, privacy-related crimes in IPv6 are made easier due to the way IPv6 addresses are formed. We developed a Moving Target IPv6 Defense (MT6D) that leverages the immense address space of IPv6. The two goals of MT6D are maintaining user privacy and protecting against targeted network attacks. These goals are achieved by repeatedly rotating the addresses of both the sender and receiver. Address rotation occurs, regardless of the state of ongoing sessions, to prevent an attacker from discovering the identities of the two communicating hosts. Rotating addresses mid-session prevents an attacker from even determining that the same two hosts are communicating. The continuously changing addresses also force an attacker to repeatedly reacquire the target node before he or she can launch a successful network attack. Our proof of concept demonstrates the feasibility of MT6D and its ability to seamlessly bind new IPv6 addresses. We also demonstrate MT6D's ability to rotate addresses mid-session without dropping or renegotiating sessions. Since MT6D operates at the network layer of the protocol stack, it provides a powerful moving target solution that is both platform and application independent.
international conference on internet monitoring and protection | 2010
Matthew Dunlop; Stephen Groat; David Shelly
Phishing attacks continue to plague users as attackers develop new ways to fool users into submitting personal information to fraudulent sites. Many schemes claim to protect against phishing sites. Unfortunately, most do not protect against zero-day phishing sites. Those schemes that do allege to provide zero-day protection often incorrectly label both phishing and legitimate sites. We propose a scheme that protects against zero-day phishing attacks with high accuracy. Our approach captures an image of a page, uses optical character recognition to convert the image to text, then leverages the Google PageRank algorithm to help render a decision on the validity of the site. After testing our tool on 100 legitimate sites and 100 phishing sites, we accurately reported 100% of legitimate sites and 98% of phishing sites.
ieee pes innovative smart grid technologies conference | 2012
Stephen Groat; Matthew Dunlop; William Urbanski; Randy C. Marchany; Joseph G. Tront
As advanced Internet Protocol (IP)-based communication systems are proposed for the Smart Grid, security solutions must be developed which address not only the security of the communications, but also the security of the communicating systems. To support the large number of hosts required for the Smart Grid on an IP network, the new Internet Protocol version 6 (IPv6) must be leveraged. Unfortunately, IPv6 inherits the majority of Internet Protocol version 4 (IPv4) vulnerabilities as well as adds new address-based exploits. The embedded systems necessary for Smart Grid deployments using IP communications will be especially vulnerable to attacks due to their limited system resources. A moving target defense not only secures the communications between peers, but also prevents the peers from being located for attack. Implementing security at the network layer mitigates most IP-specific exploits and allows for solutions to be integrated with minimal impact to existing Smart Grid systems, thus reducing costs and increasing reliability. By using a network layer moving target defense, hosts cannot be located for exploitation and secure connectivity is maintained with trusted peers. A robust Smart Grid network must be capable of proactive defense so that components are not consumed with defending incoming attacks. A solution which implements a proactive network layer defense called the Moving Target IPv6 Defense (MT6D) is offered as a potential solution for secure Smart Grid communications.
cyber security and information intelligence research workshop | 2010
Stephen Groat; Matthew Dunlop; Randy C. Marchany; Joseph G. Tront
Current implementations of the Internet Protocol version 6 (IPv6) use a static value determined from the Media Access Control (MAC) address as the host portion, or interface identifier (IID), of the IPv6 address. Some implementations create the IID using the MAC unobscured, while others compute a one-time hash value involving the MAC. As a result of this deterministic address assignment, the IID of the address is the same, regardless of the network the node accesses. This IID assignment provides interested parties (whether malicious or not) with the ability to easily track a node's physical location using simple tools such as ping and traceroute. Additionally, a static IID provides a means to correlate network traffic with a specific user. This is accomplished through a combination of filtering of the static IID and traffic analysis. The serious breaches in privacy caused by a static IID should be addressed before deployment of IPv6 becomes widespread.
hawaii international conference on system sciences | 2011
Stephen Groat; Matthew Dunlop; Randy C. Marchany; Joseph G. Tront
Due to a large address space, Internet Protocol version 6 (IPv6) uses stateless address autoconfiguration to assign network addresses to hosts. This unmanaged technique creates a static value derived from the Media Access Control (MAC) address of a network interface as the host portion, or interface identifier (IID). Static IID assignment provides third parties (whether malicious or not) with the ability to track a node's physical location, correlate network traffic with a specific user, and collect details about a node's operating system. Using our live production IPv6 network, we demonstrate not only the feasibility of IID monitoring, but also the ease with which an attacker can accomplish it. We then highlight some possible nefarious applications where IPv6 address tracking and analysis could assist the cyber criminal. In order to prevent this privacy breach, we offer solutions that disassociate the IPv6 address from its user.
integrated network management | 2011
William Urbanski; Matthew Dunlop; Randy C. Marchany; Joseph G. Tront
The amount of data that floods today's networks is well beyond what security analysts can manage by textual means alone. In an effort to solve this problem, researchers have explored different methods of visualizing network security threats. There is little debate that humans can perceive more information visually than textually. The problem is that the majority of visualization tools in practice or proposed do not take efficient visualization techniques into consideration. As a result, it is difficult to get a high-level view of the network that facilitates rapid isolation of network attacks. We propose the Converged Security Visualization Tool (Cover-VT) to solve the efficient visualization problem. Cover-VT was designed to provide analysts with a high-level view of network threats using geographic information systems. The tool allows for rapid identification of threats by minimizing the cognitive obstacles to efficient threat location. Cover-VT includes the capability to drill-down on a node of interest for additional details and even filter out unwanted data. Cover-VT was designed with usability in mind, making it easy to comprehend while assisting the analyst in rapid threat identification. Many different security tools make up a security analyst's tool kit. Cover-VT was developed as an effective security visualization system that integrates existing security tools and network security systems.
military communications conference | 2012
Brittany Clore; Matthew Dunlop; Randy C. Marchany; Joseph G. Tront
The Internet Protocol version 6 (IPv6) is being adopted in networks around the world as the Internet Protocol version 4 (IPv4) address space is nearing maximum capacity. Security needs are changing because of various new aspects of IPv6, such as the way addresses are determined. There are security applications that are being developed to meet these needs; however, there are not many production IPv6 networks available for testing. Simulation solves this problem in a cost-effective manner. Specifically, OPNET Modeler provides the capability to simulate an IPv6 network. Additionally, OPNET's System-in-the-Loop, an add-on module, allows for real devices to be tested over the simulated network. This software allows for custom IPv6 security applications to be tested before moving to a live network. This paper evaluates a custom IPv6 security application by simulating it using OPNET Modeler and the System-in-the-Loop module. The results show that the simulation was effective in pinpointing some flaws in design but ultimately it proved that the application is valid.
international conference and exhibition on computing for geospatial research application | 2010
David Shelly; Matthew Dunlop; Randy C. Marchany; Peter Sforza
The sheer volume of information that floods a network makes it difficult for network analysts to identify and isolate network security threats. This difficulty is compounded by the fact that the tools available to accomplish this task lack usability and are primarily text-based. Our goal is to design a network security visualization tool that leverages geographic information system (GIS) technology. This tool will provide enhanced usability and meet the needs of the network security community. In this paper, we present the results of a survey designed to gather current security analysis methodologies, as well as determine the existing gaps. We design a GIS-based security visualization prototype from this input.
networked digital technologies | 2012
Matthew Dunlop; William Urbanski; Randy C. Marchany; Joseph G. Tront
Every day, networks are flooded with data that far exceeds what humans can feasibly comb through in a timely manner. Security analysts have turned to visualization techniques in an attempt to streamline the identification of network threats. The problem is that most security visualization techniques do not take into account the cognitive principles that enable human beings to rapidly process information visually. We propose a tool, called the Converged Security Visualization Tool (Cover-VT), designed on these cognitive principles. Our tool facilitates rapid identification of threats by minimizing the cognitive obstacles to efficient threat location. Cover-VT is scalable, meaning that analysts can identify threats from a global view or drill down to a pinpoint view to identify the source of an infection. Cover-VT was also designed with usability in mind, making it easy to comprehend regardless of the level of user experience.
ieee symposium on security and privacy | 2012
Matthew Dunlop; Stephen Groat; William Urbanski; Randy C. Marchany; Joseph G. Tront