Abstract

One of the most important challenges for network administrators is the identification of applications behind the Internet traffic. This identification serves for many purposes as in network security, traffic engineering and monitoring. The classical methods based on standard port numbers or deep packet inspection are unfortunately becoming less and less efficient because of encryption and the utilization of non standard ports. In this paper we come up with an online iterative probabilistic method that identifies applications quickly and accurately by only using the size of packets. Our method associates a configurable confidence level to the port number carried in the transport header and is able to consider a variable number of packets at the beginning of a flow. By verification on real traces we observe that even in the case of no confidence in the port number, a very high accuracy can be obtained for well known applications after few packets were examined. Document type: Part of book or chapter of book

Abstract

SDN approaches to inter-domain routing promise better traffic engineering, enhanced security, and higher automation. Yet, naïve deployment of SDN on the Internet is dangerous as the control plane expressiveness of BGP is significantly more limited than the data plane expressiveness of SDN, which allows fine-grained rules to deflect traffic from BGP’s default routes. Most notably, this mismatch may lead to incorrect forwarding behaviors such as forwarding loops and blackholes, ultimately hindering SDN deployment at the inter-domain level. In this work, we make a first step towards verifying the correctness of inter-domain forwarding state with a focus on loop freedom while keeping private the SDN rules, as they comprise confidential routing information. To this end, we design a simple yet powerful primitive that allows two networks to verify whether their SDN rules overlap, i.e. the set of packets matched by these rules is non-empty, without leaking any information about the SDN rules. We propose an efficient implementation of this primitive by using recent advancements in Secure Multi-Party Computation and we then leverage it as the main building block for designing a system that detects Internet-wide forwarding loops among any set of SDN-enabled Internet eXchange Points. Master [120] : ingénieur civil en informatique, Université catholique de Louvain, 2017

Abstract

Part 2: Real World; International audience; In this paper, we present a practical approach to generate the constraint engine for an effective constraint-based intrusion detection system (IDS). The IDS framework was designed for safety-sensitive networks that involve limited-access closed networks such as the networks for command and control systems or Air Traffic Control (ATC) systems. The constraint engine generated by the framework supports real-time performance while ensuring the intended, normal behaviour of its target networks. We present the IDS framework in terms of its internal DSL representation as well as its transformation mechanisms to generate the constraint engine code. Comparing the autogenerated version against a manually implemented, optimized version of the constraint engine indicates no significant difference in terms of their performance. Document type: Conference object

Abstract

The paper considers the problem of constructing a full group of failure scenarios for physical infrastructures when subjected to cyber attacks (CAs). Physical infrastructures actually are systems of systems, or network of networks [1]. The main idea of the research rests on the assumption, that in order to damage any physical infrastructure by a cyber attack, it has to be able to produce a powerful enough physical impact on the most vulnerable part(s) of the infrastructure. Only civil engineering and industrial structures and installations connected to Internet and World Wide Web are considered. Hence, all infrastructures discussed below have to be elements of the Enterprise IoT or IoT, namely: electrical grids, oil, gas and product pipeline systems, water supply and disposal (waste) systems, rail networks, air traffic control and telecommunications (finance, commerce, business) networks, etc. The paper discusses how to construct a full group of scenarios of physical impacts on an infrastructure and how to calculate reliability, resilience and safety of infrastructures exposed to CAs. This paper should calm down the legitimate concerns of lay people about disclosing vulnerabilities of critical infrastructures, because it raises the awareness and offers infinitely much more to the armor/shield than to the canon/spear. © 2019 Published under licence by IOP Publishing Ltd.