Publication


Featured research published by Randolph Marchany.


IEEE Transactions on Parallel and Distributed Systems | 2007

A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks

Ruiliang Chen; Jung-Min Park; Randolph Marchany

Attack mitigation schemes actively throttle attack traffic generated in distributed denial-of-service (DDoS) attacks. This paper presents attack diagnosis (AD), a novel attack mitigation scheme that adopts a divide-and-conquer strategy. AD combines the concepts of pushback and packet marking, and its architecture is in line with the ideal DDoS attack countermeasure paradigm: attack detection is performed near the victim host and packet filtering is executed close to the attack sources. AD is a reactive defense mechanism that is activated by a victim host after an attack is detected. By instructing its upstream routers to mark packets deterministically, the victim can trace back one attack source and command an AD-enabled router close to the source to filter the attack packets. This process isolates one attacker and throttles it, which is repeated until the attack is mitigated. We also propose an extension to AD called parallel attack diagnosis (PAD) that is capable of throttling traffic coming from a large number of attackers simultaneously. AD and PAD are analyzed and evaluated using the Skitter Internet map, Lumeta's Internet map, and the 6-degree complete tree topology model. Both schemes are shown to be robust against IP spoofing and to incur low false positive ratios.


Hawaii International Conference on System Sciences | 2010

Effects of Wi-Fi and Bluetooth Battery Exhaustion Attacks on Mobile Devices

Benjamin R. Moyers; John Paul Dunning; Randolph Marchany; Joseph G. Tront

This paper provides insight into the ramifications of battery exhaustion Denial of Service (DoS) attacks on battery-powered mobile devices. Several IEEE 802.11 Wi-Fi, IEEE 802.15.1 Bluetooth, and blended attacks are studied to understand their effects on device battery lifetimes. In the worst case, DoS attacks against mobile devices were found to accelerate battery depletion by as much as 18.5%. Also presented in this work is a hybrid Intrusion Detection System (IDS) designed to thwart this form of malicious activity: the Multi-Vector Portable Intrusion Detection System (MVP-IDS). MVP-IDS combines host-based device instantaneous current (IC) monitoring with attack traffic signaturing modules.


Hawaii International Conference on System Sciences | 2004

Reflections on operating in hostile environments

Anil Bazaz; James D. Arthur; Randolph Marchany

We introduce a generally applicable framework to assess and substantiate the security of a software component of a computer system. The framework constitutes a metamodel. Security models can be derived from it for components of a computer system. The concept of trust is interwoven into the metamodel and is an integral part of derived security models.


Global Communications Conference | 2006

NISp1-05: RIM: Router Interface Marking for IP Traceback

Ruiliang Chen; Jung-Min Park; Randolph Marchany

Distributed Denial-of-Service (DDoS) attacks have become a major threat to the Internet. As a countermeasure against DDoS attacks, IP traceback schemes identify the network paths the attack traffic traverses. This paper presents a novel IP traceback scheme called Router Interface Marking (RIM). In RIM, a router probabilistically marks packets with a router interface's identifier. After collecting the packets marked by each router in an attack path, a victim machine can use the information in the marked packets to trace back to the attack source. Different from most existing IP traceback schemes, RIM marks packets with the information of router interfaces rather than that of router IP addresses. This difference endows RIM with several advantageous features, including fast traceback speed, last-hop traceback capability, small computation overhead, low occurrence of false positives, and enhanced security.


IEEE International Conference on Wireless Information Technology and Systems | 2010

The Multi-Vector Portable Intrusion Detection System (MVP-IDS): A hybrid approach to intrusion detection for portable information devices

Benjamin R. Moyers; John Paul Dunning; Randolph Marchany; Joseph G. Tront

The Battery-Sensing Intrusion Protection System (B-SIPS) [1] initially took a non-conventional approach to intrusion detection by recognizing attacks based on anomalous Instantaneous Current (IC) drain. An extension of B-SIPS, the Multi-Vector Portable Intrusion Detection System (MVP-IDS) validates the idea of recognizing attacks based on anomalous IC drain by correlating the detected anomalies with wireless attack traffic from both the Wi-Fi and Bluetooth mediums. To effectively monitor the Wi-Fi and Bluetooth mediums for malicious packet streams, the Snort-Based Wi-Fi and Bluetooth Attack Detection and Signature System (BADSS) modules were introduced. This paper illustrates how a blended strategy of using a low overhead tripwire can be combined with more sophisticated detection mechanisms to provide an effective protection system for limited resource wireless information technology devices.


Military Communications Conference | 2016

Malware propagation in fully connected networks: A netflow-based analysis

Kayla M. Straub; Avik Sengupta; Joseph M. Ernst; Robert W. McGwier; Merrick Watchorn; Richard Tilley; Randolph Marchany

Malware attacks have become ubiquitous in modern large data-centric networks. Therefore advanced malware threat detection and related countermeasures are an important paradigm in cybersecurity research. This work studies malware propagation in fully connected networks, where network topology plays a minimal role in lateral spread within the network. The live netflow and perimeter alert data used in this study contrasts with other previous works due to the unavailability of ground truth for any attack type. Important features calculated from the netflow data as well as a novel ring-based flow model are described. These are helpful in tracking possible malware flow within the network. The results show that relevant features can be used to draw inferences about the propagation of certain classes of malware attacks.


Vehicular Technology Conference | 2009

Battery-Sensing Intrusion Protection System Validation Using Enhanced Wi-Fi and Bluetooth Attack Correlation

Benjamin R. Moyers; John Paul Dunning; Timothy K. Buennemeyer; Randolph Marchany; Joseph G. Tront

This paper discusses mobile device security and extends the original Battery-Sensing Intrusion Protection System (B-SIPS) (1) design by introducing the Multi-Vector Portable Intrusion Detection System (MVP-IDS). MVP-IDS validates reported anomalous battery depletion from B-SIPS clients with real-time Wi-Fi and Bluetooth traffic using attack signature detection modules. To correlate instantaneous current (IC) anomalies with Wi-Fi and Bluetooth attack traffic, MVP-IDS integrates B-SIPS anomaly detection with the signature-based matching systems of Snort (2) and a newly developed research system, Bluetooth Attack Detection and Signature System (BADSS).


Archive | 2005

Detecting Software Attacks By Monitoring Electric Power Consumption Patterns

Grant A. Jacoby; Nathaniel J. Davis; Randolph Marchany


Archive | 2004

pTCP: A Client Puzzle Protocol For Defending Against Resource Exhaustion Denial of Service Attacks

Timothy J. McNevin; Jung-Min Park; Randolph Marchany


2006 IEEE Information Assurance Workshop | 2006

Battery-Sensing Intrusion Protection System

Timothy K. Buennemeyer; Grant A. Jacoby; Wayne G. Chiang; Randolph Marchany; Joseph G. Tront

Collaboration


Dive into Randolph Marchany's collaboration.

Top Co-Authors

Grant A. Jacoby

United States Military Academy
