- Network Security and Intrusion Detection
- Information and Cyber Security
- Network Packet Processing and Optimization
- Internet Traffic Analysis and Secure E-voting
- Advanced Malware Detection Techniques
- Software-Defined Networks and 5G
- Smart Grid Security and Resilience
- Software System Performance and Reliability
- Network Traffic and Congestion Control
- Security and Verification in Computing
- Spam and Phishing Detection
- Cloud Computing and Resource Management
- Software Engineering Research
- Peer-to-Peer Network Technologies
- Formal Methods in Verification
- Software Reliability and Analysis Research
- Mobile Agent-Based Network Management
- Access Control and Trust
- Distributed Systems and Fault Tolerance
- Multimedia Communication and Technology
- Software Testing and Debugging Techniques
- Service-Oriented Architecture and Web Services
- Topic Modeling
- Energy Efficient Wireless Sensor Networks
- Advanced Software Engineering Methodologies
Carnegie Mellon University
2020-2024
Qatar University
2024
University of North Carolina at Charlotte
2011-2020
Interface (United Kingdom)
2013
University of North Carolina at Chapel Hill
2011-2012
North Carolina State University
2011
Cyber University
2011
DePaul University
2000-2009
University of Waterloo
2007-2008
Marymount University
2008
Static configurations serve great advantage for adversaries in discovering network targets and launching attacks. Identifying active IP addresses a target domain is precursory step many Frequently changing hosts' novel proactive moving defense (MTD) that hides assets from external/internal scanners. In this paper, we use OpenFlow to develop MTD architecture transparently mutates host with high unpredictability rate, while maintaining configuration integrity minimizing operation overhead. The...
Firewalls are core elements in network security. However, managing firewall rules, particularly multi-firewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered distributed carefully order avoid policy anomalies that might cause vulnerability. Therefore, inserting or modifying any requires thorough intra- inter-firewall analysis determine the proper rule placement ordering firewalls. We identify all could exist single-...
Firewalls are core elements in network security. However, managing firewall rules, particularly, multifirewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered, distributed carefully order avoid policy anomalies that might cause vulnerability. Therefore, inserting or modifying any requires thorough intrafirewall interfirewall analysis determine the proper rule placement ordering firewalls. In this paper, we identify all...
It is difficult to build a real network test novel experiments. OpenFlow makes it easier for researchers run their own experiments by providing virtual slice and configuration on networks. Multiple users can share the same assigning different each one. Users are given responsibility maintain use writing rules in FlowTable. Misconfiguration problems arise when user writes conflicting single FlowTable or even within path of multiple switches that need FlowTables be maintained at time.
Firewalls are core elements in network security. However, managing firewall rules, especially for enterprise networks, has become complex and error-prone. Firewall filtering rules have to be carefully written organized order correctly implement the security policy. In addition, inserting or modifying a rule requires thorough analysis of relationship between this other determine proper commit updates. paper we present set techniques algorithms that provide automatic discovery policy anomalies...
Network security policies are essential elements in Internet devices that provide traffic filtering, integrity, confidentiality, and authentication. perimeter such as firewalls, IPSec, IDS/IPS operate based on locally configured policies. However, configuring network policies remains a complex error-prone task due to rule dependency semantics the interaction between network. This complexity is likely increase size increases. A successful deployment of system requires global analysis policy...
Recent studies show that configurations of network access control is one the most complex and error prone management tasks. For this reason, misconfiguration becomes main source for unreachability vulnerability problems. In paper, we present a novel approach models global end-to-end behavior entire including routers, IPSec, firewalls, NAT unicast multicast packets. Our model represents as state machine where packet header location determines state. The transitions in are determined by...
With the rapid growth of cyber attacks, sharing threat intelligence (CTI) becomes essential to identify and respond attack in timely cost-effective manner. However, with lack standard languages automated analytics information, analyzing complex unstructured text CTI reports is extremely time- labor-consuming. Without addressing this challenge, will be highly impractical, uncertainty time-to-defend continue increase.
Network reconnaissance of addresses and ports is prerequisite to a vast majority cyber attacks. Meanwhile, the static address configuration networks hosts simplifies adversarial for target discovery. Although randomization host has been suggested as proactive disruption mechanism against such reconnaissance, proposed approaches do not exploit full potentials in provision unpredictability attack adaptability. Moreover, these provide thorough analysis on effectiveness limitations relevant...
In the current network protocol infrastructure, forwarding routes are mostly static except in case of failures or performance issues. However, route selection offers a significant advantage for adversaries to eavesdrop, launch DoS attacks on certain flows. Previous works multipath routing wireless networks propose using random avoid jamming and blackhole [18]. this work is far from being practical wired because many topological QoS constraints. Moreover, potential finding number disjoint...
The new attack surface being crafted by the huge influx of IoT devices is both formidable and unpredictable, as it introduces a rich set unexplored techniques unknown vulnerabilities. These are hard to perceive through traditional means, owing concealed cascaded inter-device, inter-system device-environment dependencies. In this paper, we present IoTSAT, formal framework for security analysis IoT. IoTSAT formally models generic behavior system systems, based on device configurations, network...
IPSec has become the de facto standard protocol for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although supports a rich set of protection modes operations, its policy configuration remains complex error-prone task. The semantics IPSec policies that allow triggering multiple rule actions with different security modes/operations coordinated between gateways in network increases significantly potential misconfiguration thereby insecure...
State estimation plays a critically important role in ensuring the secure and reliable operation of electric grid. Recent works have shown that state process is vulnerable to stealthy attacks where an adversary can alter certain measurements corrupt solution process, but evade existing bad data detection algorithms remain invisible system operator. Since result used compute optimal power flow perform contingency analysis, incorrect undermine economic operation. However, needs sufficient...
The static one-to-one binding of hosts to IP addresses allows adversaries conduct thorough reconnaissance in order discover and enumerate network assets. Specifically, this fixed address mapping distributed scanners aggregate information gathered at multiple locations over different times construct an accurate persistent view the network. unvarying nature enables collaboratively share reuse their collected various stages attack planning execution. This paper presents a novel moving target...
Packet filtering plays a critical role in many of the current high speed network technologies such as firewalls and IPSec devices. The optimization firewall policies is critically important to provide performance packet particularly for security. Current techniques exploit characteristics policies, but they do not consider traffic behavior optimizing their search data structures. This results impractically space complexity, which undermines gain offered by these techniques. Also, offer upper...
Firewalls are core elements in network security. However, managing firewall rules, especially for enterprise networks, has become complex and error-prone. Firewall filtering rules have to be carefully written organized order correctly implement the security policy. In addition, inserting or modifying a rule requires thorough analysis of relationship between this other determine proper commit updates. paper, we present set techniques algorithms that provide (1) automatic discovery policy...
Firewall is the de facto core technology of today's network security and defense. However, management firewall rules has been proven to be complex, error-prone, costly inefficient for many large-networked organizations. These are mostly custom-designed hand-written thus in constant need tuning validation, due dynamic nature traffic characteristics, ever-changing environment its market demands. One main problems that we address this paper how much useful, up-to-date, well-organized or...
Evaluation of network security is an essential step in securing any network. This evaluation can help professionals making optimal decisions about how to design countermeasures, choose between alternative architectures, and systematically modify configurations order improve security. However, the a depends on number dynamically changing factors such as emergence new vulnerabilities threats, policy structure traffic. Identifying, quantifying validating these using metrics major challenge this...
Network reconnaissance of IP addresses and ports is prerequisite to many host network attacks. Meanwhile, static configurations networks hosts simplify this adversarial reconnaissance. In paper, we present a novel proactive-adaptive defense technique that turns end-hosts into untraceable moving targets, establishes dynamics systems by monitoring the behavior reconfiguring adaptively. This adaptability achieved discovering hazardous ranges evacuating from them quickly. Our approach maximizes...
DDoS attacks have been a persistent threat to network availability for many years. Most of the existing mitigation techniques attempt protect against by filtering out attack traffic. However, as critical resources are usually static, adversaries able bypass sending stealthy low traffic from large number bots that mimic benign behavior. Sophisticated on links can cause devastating effect such partitioning domains and networks. In this paper, we propose defend proactively changing footprint in...