Destination IP Address Research Articles

Intrusion Detection in IOT

This study introduces a novel approach to enhance the efficiency and reliability of suspicious activity alert systems in network security. Our proposed solution utilizes an ensemble learning-based approach, which leverages multiple deep learning techniques. By combining the strengths of these models, we aim to enhance stratification correctness and minimize the fall-outs. Our system is specifically designed to identify suspicious activities by analyzing network traffic data, such as source IP address, destination IP address, port number, and protocol type. By detecting patterns that deviate from normal behavior, such as unusual connections or excessive data transfer, the system can trigger alerts that notify network administrators of potential security threats. The effectiveness of our proposed approach is demonstrated through rigorous experimental testing using real-world network traffic data. Additionally, our system can adapt and learn over time, making it more effective in detecting and preventing security breaches. In summary, our research contributes to the development of highly efficient and reliable suspicious activity alert systems in network security. Furthermore, our findings shed light on the potential benefits of ensemble learning techniques in this domain. Keywords—- Suspicious activity, Alert system, Network security, Deep learning, Intrusion detection

AI techniques applied to network intrusion detection system by using genetic approaches

The ability to identify and assess potential security risks to a communication network is a critical function of network intrusion detection systems. The data it provides regarding the frequency and type of assaults is a valuable addition to other network security measures, including firewalls. Typically, an NIDS will have a sensor that scans all incoming and outgoing packets on the monitored network, flags those that seem suspicious, and then sends the flagged packets and an alert message to a server system, which will then store them and analyse them in conjunction with other events. First, we standardised the protocol structure. Then, we used a genetic approach to generate mutation and cross-over values for device identification. Finally, we used a modified J48 decision tree algorithm to conduct our search. The developed algorithms/ones outperform the existing methods in terms of performance. As an initial step in detecting an intrusion, the 64-byte structured protocol standardisation technique is created. The wire shark tool is used to monitor the communication process network, taking into account all potential transactions. An array is created from the recorded packets. Included in the array are details about the frames, as well as the protocol type, hardware device type, source and destination IP addresses, MAC addresses, and data. This information is transformed by the 64-byte protocol structured standardisation. Because all of the necessary attributes are determined in the same place by this common protocol structure procedure, finding the MAC and IP addresses in packets should take as little time as possible. As a second step, the product and device details are supplied by the least and most important 16 bits of the MAC address. Using the cross-over and mutation functions, the genetic iv method compares the invader device to the Current Active Directory List (CADL).

Leveraging Advanced Machine Learning Algorithms for Enhanced Cyberattack Detection on U.S. Business Networks

Cyberattacks' rising volume and sophistication have made conventional security measures, such as firewalls, signature-based intrusion detection systems, and antivirus software, increasingly inadequate. The upsurge of cyber threats has been one of the most pressing predicaments for U.S. organizations in the digital age. With the increased dependence on internet-based forums, cloud computing, and interconnected networks, companies face an advancing number of extreme cyberattacks. The chief objective of this research project is to design and deploy proven machine learning methods to enhance the detection and combating of cyberattacks on U.S. organization networks. This research project retrieved a cyber-attack dataset from Kaggle.com, which had a collection of public datasets of cyber threats. This dataset was curated precisely, offering a realistic representation of cyber-attack scenarios, making it an ideal playground for various analytical tasks. The collection was classified as per the source of the relevant information, such as host-based datasets, network traffic datasets, malware or fraud reports, or a special section for datasets that can be classified according to a specific source. The dataset comprised numerous network traffic attributes such as source and destination IP addresses, ports, protocol, payload size, and attack labels. For this research project, three machine learning algorithms were used, namely: Logistic Regression, XG-Boost and Random Forest. This research project applied performance metrics such as accuracy, precision, recall, and F1 score for the performance of the classification models were considered. The result illustrated that the random forest model was far superior in accuracy compared to the logistic regression model; particularly, it had excellent accuracy. Through the use of advanced machine learning models, organizations will be in a position to devise more dynamic and intelligent security systems that evolve with the threat landscape. These intelligent systems monitor every kind of anomaly, malicious activity, and threat response with unparalleled effectiveness. The findings of this research project have significant implications for enhancing cybersecurity in U.S. organizational networks.

Implementation of Snort as a Wireless Network Security Detection Tool Using Linux Ubuntu

Implementation of snort as a wireless network security detection tool using linux ubuntu by adding a server that is used to observe activities on a wireless network, if there is an activity that is considered dangerous by the client, the information will be stored in the snort log and database. The web-based front-end uses BASE (Basic Analysis and Security Engine) which can be accessed through a browser with the url : IPaddressServer/base/. The information provided is related to attacks detected by snort that have been stored in the database. The information is in the form of source and destination IP addresses, the type of attack that occurred. Based on the tests carried out, it was found that the implementation of snort as a wireless network security detection tool using linux ubuntu can help detect attacks that occur on the network and provide information related to these attacks.

The evolution of Mirai botnet scans over a six-year period

The evolution of Mirai botnet scans over a six-year period

Towards Persistent Detection of DDoS Attacks in NDN: A Sketch-Based Approach

As a promising architectural design for future Internet, Named Data Networking (NDN) relies on data names, instead of destination IP addresses, to deliver data. NDN supports data authenticity and integrity by making public key signatures mandatory on data content and data names. This handles the primary security concern in NDN, but is still vulnerable to new DDoS attacks, including Cache Pollution attacks and Interest Flooding attacks, which degrade NDN transmission significantly, by violating the crucial components of NDN routers. To defend against DDoS attacks in NDN, the most effective way is to persistently detect the malicious traffic and then throttle them. Except for the usual concern of the accuracy and efficiency in attack detection, since these attacks themselves have already imposed a huge burden on victims, to avoid exhausting the remaining resources on the victims for detection purpose, a lightweight detection solution is highly desired. We study DDoS attacks and propose a persistent detection solution based on an observed malicious traffic pattern, which leverages a novel sketch to monitor the malicious traffic in a timely and lightweight way. Additionally, our analysis and experiments demonstrate that, with fixed low resource consumption, the proposed solution can persistently detect DDoS attacks in NDN.

Packet Inspection to Identify Network Layer Attacks Using Machine Learning

Abstract: With the advent of technology, computer networks have become an integral part of our lives. However, with the increase in the use of computer networks, network attacks have also increased. Network attacks can cause serious harm to network infrastructure, resulting in loss of data, financial loss, and reputation damage. In this paper, we propose a machine learning algorithm to analyze network packets to detect malicious activities that are aimed at disrupting the normal functioning of a network. Network layer attacks typically target the underlying infrastructure of a network, which includes the IP layer, transport layer, and network access layer. These attacks can cause various problems such as denial of service, data theft, and network downtime. To detect network layer attacks, the proposed approach involves extracting features from network packets. Features refer to the attributes or characteristics of a packet, such as the source and destination IP addresses, protocol type, payload size, etc. These features are then used to train a machine learning model to identify various network layer attacks such as DDoS, ARP spoofing, and ICMP attacks. The machine learning model uses these features to learn the patterns and behaviours of these attacks and uses this knowledge to detect them in real-time. The proposed approach is evaluated using various metrics such as accuracy, precision, recall, and F1-score. The evaluation results demonstrate that the proposed approach is effective in detecting network layer attacks and outperforms existing approaches. The proposed approach can be used to enhance network security and prevent network attacks.

FORENSIC NETWORK ANALYSIS AND IMPLEMENTATION OF SECURITY ATTACKS ON VIRTUAL PRIVATE SERVERS

ABSTRACT-PT Kodinglab Integrasi Indonesia's Virtual Private Server (VPS) product requires good quality standards, including security. The challenge that arises is still frequent disruptions to the protection of PT Kodinglab's VPS customers, where it is difficult to identify the source of the attack. Network forensics in the form of dead forensics and live forensics using the NIST method with the stages of collection, examination, Analysis, and reporting are used to find the source of the attack. Data for dead forensics comes from snort tools, and data for live forensics comes from capture Wireshark. The collection stage involves collecting attack data from snort logs and wireshark for life forensics. While the examination dataset stages are further analyzed and mapped. Advanced check on the server via syslog snort. From the attack testing carried out to obtain information in the form of the attacker's IP address, destination IP address, date of the attack, server time, and type of attack from testing the TCP Flooding and UDP Flooding attacks, all attacks on the customer's VPS can be identified. The information obtained regarding the attacker is in the form of the date and time the attack occurred, the attacker's IP address and the victim's IP address, and the protocol used. Kata kunci : Network Forensic, Dead Forensic, Live Forensic, Virtual Private Server, DDos, TCP Flooding, UDP Flooding.

A high-performance energy efficient packet classification design on FPGA

One of the most crucial thing to safeguard the network against malicious activities is security and the network devices must be able to classify packets. The firewall applications benefit greatly from the architecture of the packet classification engine that is given in this research work. A tree-based approach is used to systematically analyze each field in a packet header, leading to a more secure system. The Packet Classification Engine (PCE) is configured to evaluate Ethernet packets based on the source IP address, destination IP address, source port, destination port, and protocol aspects in the packet header. The PCE shows that the typical clock frequency from input to output is 13 clocks per second. The architecture is extremely rapid, reliable, and adaptable and can make good use of the tree based algorithm's advantages. The proposed architecture has achieved high throughput of 538 MPPS with less energy of 10.6 nJ at low latency of 62 ns. The PCE must have a rapid and reliable FIFO buffer to work effectively. A FPGA (Field Programmable Gate Array) device is being utilized to filter Ethernet packets using the proposed PCE.

Detecting Coordinated Internet-Wide Scanning by TCP/IP Header Fingerprint

Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

Flow-Based IDS Features Enrichment for ICMPv6-DDoS Attacks Detection

Internet Protocol version 6 (IPv6) and its core protocol, Internet Control Message Protocol version 6 (ICMPv6), need to be secured from attacks, such as Denial of Service (DoS) and Distributed DoS (DDoS), in order to be reliable for deployment. Several Intrusion Detection Systems (IDSs) have been built and proposed to detect ICMPv6-based DoS and DDoS attacks. However, these IDSs suffer from several drawbacks, such as the inability to detect novel attacks and a low detection accuracy due to their reliance on packet-based traffic representation. Furthermore, the existing IDSs that rely on flow-based traffic representation use simple heuristics features that do not contribute to detecting ICMPv6-based DoS and DDoS attacks. This paper proposes a flow-based IDS by enriching the existing features with a set of new features to improve the detection accuracy. The flow consists of packets with similar attributes (i.e., packets with the same source and destination IP address) and features that can differentiate between normal and malicious traffic behavior, such as the source IP address’s symmetry and the whole flow’s symmetry. The experimental results reveal that the enriched features significantly improved the IDS’s detection accuracy by 16.02% and that the false positive rate decreased by 19.17% compared with state-of-the-art IDSs.

Entropy-based distributed denial of service attack detection in software-defined networking

Software defined networking (SDN) is a new network architecture that allows for centralized network control. The separation of the data plane from the control plane, which establishes a programmable network environment, is the key breakthrough underpinning SDN. The controller facilitates the deployment of services that specify control policies and delivers these rules to the data plane using a common protocol such as OpenFlow at the control plane. Despite the many advantages of this design, SDN security remains a worry because the aforementioned chapter expands the network's attack surface. In fact, denial of service (DoS) assaults pose a significant threat to SDN settings in a variety of ways, owing to flaws in the data and control layers. This work shows how distributed denial of service (DDoS) attack detection is based on the entropy variation of the destination IP address. The study takes advantage of the OpenFlow protocol's (OFP) flexibility and an OpenFlow controller (POX) to apply the proposed method. An entropy computation to determine the distributed features of DDoS traffic is developed and it is capable of detecting a user datagram protocol (UDP) flood attack after 0.445 seconds this type of attack occurred.

METHODOLOGY FOR THE FORMATION OF INFORMATION SYSTEMS FALSE NETWORK TRAFFIC FOR PROTECTION AGAINST NETWORK RECONNAISSANCE

Simulation of false network traffic in order to protect the structural and functional characteristics of information systems is a difficult task in view of the self-similarity of its statistical properties in IP networks, not only in the current moment, but also retrospectively. A Hurst index based algorithm for assessing the degree of self-similarity of network traffic of information systems has been proposed. The connection between the fractal dimension of the attractor of the model of information system functioning and the Hurst index is shown. A technique has been developed to substantiate the characteristics of false network traffic to simulate the functioning of information systems in the process of reconfiguration of their structural and functional characteristics caused by an intruder conducting network reconnaissance. The methodology allows to solve the problem of improving the protection of information systems from network reconnaissance by providing the maximum likelihood of false network traffic by pseudophase reconstruction of the dynamic system attractor, approximating the time series of information traffic of the protected object. The approaches to the description of the network traffic of the information system are considered, the parameters determining the network interaction between the two nodes of the data transmission network are selected as follows: source IP-address, source port, destination IP-address, destination port, protocol, packet size, duration of connection. The process of functioning of information system in different situations is formalized and the dependences allowing to synthesize parameters of false network traffic, statistically similar to the reference ones are received.

Domain name encryption is not enough: privacy leakage via IP-based website fingerprinting

AbstractAlthough the security benefits of domain name encryption technologies such as DNS over TLS (DoT), DNS over HTTPS (DoH), and Encrypted Client Hello (ECH) are clear, their positive impact on user privacy is weakened by—the still exposed—IP address information. However, content delivery networks, DNS-based load balancing, co-hosting of different websites on the same server, and IP address churn, all contribute towards making domain–IP mappings unstable, and prevent straightforward IP-based browsing tracking.In this paper, we show that this instability is not a roadblock (assuming a universal DoT/DoH and ECH deployment), by introducing an IP-based website finger-printing technique that allows a network-level observer to identifyat scalethe website a user visits. Our technique exploits the complex structure of most websites, which load resources from several domains besides their primary one. Using the generated fingerprints of more than 200K websites studied, we could successfully identify 84% of them when observing solely destination IP addresses. The accuracy rate increases to 92% for popular websites, and 95% for popularandsensitive web-sites. We also evaluated the robustness of the generated fingerprints over time, and demonstrate that they are still effective at successfully identifying about 70% of the tested websites after two months. We conclude by discussing strategies for website owners and hosting providers towards hindering IP-based website fingerprinting and maximizing the privacy benefits offered by DoT/DoH and ECH.

Discriminating flash crowds from DDoS attacks using efficient thresholding algorithm

Distributed Denial-of-Service attacks have been a challenge to cyberspace, as the attackers send a large number of attack packets similar to the normal traffic, to throttle legitimate flows. These attacks intentionally disrupt the services offered by the systems resulting in heavy cost. A flash crowd or flash event is an unexpected surge in the number of visitors to a particular website resulting in a sudden increase in server load. Flash crowds, which are legitimate flows, are difficult to be discriminated from Distributed Denial-of-Service attacks that are illicit flows. Effective and accurate detection of Distributed Denial of Service attacks still remains a challenge due to the difficulty in its detection and the false alerts generated in the case of flash crowds. There is a trade off between detection rate and false positive rate. This work deals with an efficient and early detection of distributed denial of service attacks and discriminates flash crowd by considering two network traffic parameters such as packet size and destination IP address. Using these traffic features two attributes are computed and its generalized entropies are calculated. The threshold is computed using the mean value of network attributes to detect the attacks. Threshold updater can automatically adjust the threshold values according to the changes in the channel conditions. The data sets used to evaluate the performance of the proposed approach are the MIT Lincoln Laboratory DARPA data set and a data set generated in a University network. Experimental results show this research approach achieves higher detection rate and lower false positives in a much reduced processing time as compared to the existing methods.

Network intrusion detection with a novel hierarchy of distances between embeddings of hash IP addresses

Including high-dimensional categorical predictors in a machine learning model is a major challenge. This is particularly appropriate for the IP and Port addresses of network connections when they are considered as predictors (features) in machine learning models. These features are particularly important for network intrusion detection, as many attacks exploit information about IP/Port addresses. The sparsity and high dimensionality of these features make it difficult their inclusion into the models, being discarded as useful information in many cases. This work proposes to replace the original network addresses by new features based on a set of distances defined between different components of the source and destination IP and Port addresses. These distances incorporate information on the probability of co-occurrence of source and destination addresses. The distances are calculated using a dense, low-dimensional vector representation (embedding) of the different network address components. The embeddings are obtained with a neural network, which requires few computational resources, plus an additional hash function that collapses the extremely large range of IP and Port values, making the model implementation feasible. A self-supervised learning framework under a hierarchical model is used to train the encoding network. The novel features can be used to predict future co-occurrence of source and destination network addresses, and, when applied as features in a supervised model, they significantly increase the prediction performance of most classifiers for the detection of network intrusions. We demonstrate this prediction improvement over two modern network intrusion datasets: CICIDS2017 and CICDDoS2019. • Network addresses (IP and Port) are high cardinality categorical variables. • Novel method to encode a network address into low-dimensional embeddings. • Estimation of the probability that two network addresses share a network flow. • Hash and embedding transforms applied to a hierarchy of address components. • Neural network trained under self-supervised framework.

High-Density 3-D Stackable Crossbar 2D2R nvTCAM With Low-Power Intelligent Search for Fast Packet Forwarding in 5G Applications

By virtue of hardware parallelism, ternary content addressable memory (TCAM) is attractive for low-latency search for packet forwarding in routers for network communications in the upcoming fifth-generation (5G) era. However, the demand for high-density TCAM encounters remarkable costs in silicon area and power consumption. In this work, a 16-kb nonvolatile ternary content addressable memory (nvTCAM) test chip based on resistive memory (ReRAM) is demonstrated in 28-nm process with two techniques to deal with the aforementioned issues. First, the crossbar array with 2-diode-2-ReRAM (2D2R) nvTCAM cell is proposed to realize >3× improvement in storage density. The back-end-of-line integration of both diode and ReRAM resistor also allows for further 3-D stacking to realize larger storage density. Second, the machine learning concept is exploited to realize intelligent search operation. K -means clustering is employed to allocate the entry storage and then the search of destination IP address can be targeted to a specific bank for low power. The evaluation shows >70% reduction in search energy with 2% overhead in silicon area for bank count of four. The test chip also achieves a match delay of 2 ns under nominal operating conditions.

ADAPTIVE ENTROPY-BASED DETECTION AND MITIGATION OF DDOS ATTACKS IN SOFTWARE DEFINED NETWORKS

Software Defined Networking (SDN) has emerged as a new networking paradigm that is based on the decoupling between data plane and control plane providing several benefits that include flexible, manageable, and centrally controlled networks. From a security point of view, SDNs suffer from several vulnerabilities that are associated with the nature of communication between control plane and data plane. In this context, software defined networks are vulnerable to distributed denial of service attacks. In particular, the centralization of the SDN controller makes it an attractive target for these attacks because overloading the controller with huge packet volume would result in bringing the whole network down or degrade its performance. Moreover, DDoS attacks may have the objective of flooding a network segment with huge traffic volume targeting single or multiple end systems. In this paper, we propose an entropy-based mechanism for Distributed Denial of Service (DDoS) attack detection and mitigation in SDN networks. The proposed mechanism is based on the entropy values of source and destination IP addresses of flows observed by the SDN controller which are compared to a preset entropy threshold values that change in adaptive manner based on network dynamics. The proposed mechanism has been evaluated through extensive simulation experiments.

Scalable Name Lookup for NDN Using Hierarchical Hashing and Patricia Trie

Named data networking (NDN) is a content-centric network for the future of the internet. An NDN a packet is delivered based on a content name instead of a destination IP address. The name lookup for packet forwarding is challenging because the content name is variable, and its space is unbounded. This paper proposes a novel name lookup scheme that employs a hashing technique combined with Patricia tries. In this scheme, hash tables are dynamically maintained according to the hierarchical structure of the name, so the name can effectively accommodate variable and unbounded content names. Unlike chaining, a Patricia trie compares a key string only once at a leaf node, so it provides a fast name lookup. The proposed lookup scheme is implemented and evaluated by using an Intel Core i7-2600 CPU and 4GB of memory. Experimental results show that our scheme gives good scalability and a high throughput of name lookup with a controlled memory consumption.

Fast Longest Prefix Matching by Exploiting SIMD Instructions

Longest prefix matching (LPM) is a fundamental process in IP routing used not only in traditional hardware routers but also in software middleboxes. However, the performance of LPM in software is still insufficient for processing packets at over 100 Gbps, although previous studies have tackled this issue by exploiting the CPU cache or accelerators such as GPUs. To improve the performance of software LPM further, we propose a novel LPM method called Spider, which exploits a single-instruction multiple-data (SIMD) mechanism in the CPU. Spider achieves performing LPM for up to 16 destination IP address in parallel by a routing table structure carefully designed for processing by the SIMD instructions. We evaluated Spider from the following three perspectives: the improvement of LPM performance derived from the parallelism provided by the SIMD mechanism, performance comparison with other methods, and performance scalability. The evaluation shows that Spider dramatically improves the LPM performance, which reaches 1.8-3.2 times compared with the state-of-the-art methods. Moreover, Spider achieves 5,074 million lookups per second with 16 CPU cores, which is equivalent to the processing capacity of 3.4 Tbps in short packets; the performance opens up the possibility of packet processing at the terabit-class rate by software.