Dissertations / Theses on the topic 'Attack Path'

Consult the top 16 dissertations / theses for your research on the topic 'Attack Path.'


1

Mirheidari, Seyed Ali. "Confused by Path: Analysis of Path Confusion Based Attacks." Doctoral thesis, Università degli studi di Trento, 2020. http://hdl.handle.net/11572/280512.

Abstract:
URL parser and normalization processes are common and important operations in different web frameworks and technologies. In recent years, security researchers have targeted these processes and discovered high impact vulnerabilities and exploitation techniques. In a different approach, we will focus on semantic disconnect among different framework-independent web technologies (e.g., browsers, proxies, cache servers, web servers) which results in different URL interpretations. We coined the term “Path Confusion” to represent this disagreement and this thesis will focus on analyzing enabling factors and security impact of this problem. In this thesis, we will show the impact and importance of path confusion in two attack classes including Style Injection by Relative Path Overwrite (RPO) and Web Cache Deception (WCD). We will focus on these attacks as case studies to demonstrate how utilizing path confusion techniques makes targeted sites exploitable. Moreover, we propose novel variations of each attack which would expand the number of vulnerable sites and introduce new attack scenarios. We will present instances which have been secured against these attacks, while being still exploitable with introduced Path Confusion techniques. To further elucidate the seriousness of path confusion, we will also present the large scale analysis results of RPO and WCD attacks on high profile sites. We present repeatable methodologies and automated path confusion crawlers which detect thousands of sites that are still vulnerable to RPO or WCD only with specific types of path confusion techniques. Our results attest the severity of path confusion based class of attacks and how extensively they could hit the clients or systems. We analyze some browser-based mitigation techniques for RPO and discuss that WCD cannot be dealt as a common vulnerability of each component; instead it arises when an ecosystem of individually impeccable components ends up in a faulty situation.
3

Vega-Nevarez, Juan. "Online Path Planning and Control Solution for a Coordinated Attack of Multiple Unmanned Aerial Vehicles in a Dynamic Environment." Master's thesis, University of Central Florida, 2012. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/5551.

Abstract:
The role of the unmanned aerial vehicle (UAV) has significantly expanded in the military sector during the last decades mainly due to their cost effectiveness and their ability to eliminate the human life risk. Current UAV technology supports a variety of missions and extensive research and development is being performed to further expand its capabilities. One particular field of interest is the area of the low cost expendable UAV since its small price tag makes it an attractive solution for target suppression. A swarm of these low cost UAVs can be utilized as guided munitions or kamikaze UAVs to attack multiple targets simultaneously. The focus of this thesis is the development of a cooperative online path planning algorithm that coordinates the trajectories of these UAVs to achieve a simultaneous arrival to their dynamic targets. A nonlinear autopilot design based on the dynamic inversion technique is also presented which stabilizes the dynamics of the UAV in its entire operating envelope. A nonlinear high fidelity six degrees of freedom model of a fixed wing aircraft was developed as well that acted as the main test platform to verify the performance of the presented algorithms
ID: 031001316; System requirements: World Wide Web browser and PDF reader.; Mode of access: World Wide Web.; Adviser: Houman A. Sadri.; Title from PDF title page (viewed March 26, 2013).; Thesis (M.A.)--University of Central Florida, 2012.; Includes bibliographical references (p. 89-99).
M.S.E.E.
Masters
Electrical Engineering and Computing
Engineering and Computer Science
Electrical Engineering; Controls and Robotics
4

Mao, Xinyue. "Visualization and Natural Language Representation of Simulated Cyber Attacks." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2018. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-246090.

Abstract:
The attack path is an effective tool for showing possible hacking routes taken by an attacker to target a specific computer network. It also informs administrators about potential weakness in a network helping them roll-out network configuration changes. Based on predefined computing methods, a large number of attack paths can be generated. However, attack paths show all possible routes for each calculation and represent them with terminologies specific to the cybersecurity field. A major portion of attack routes and representations are too complicated for normal users, making it difficult to identify the parts they should pay more attention to. In this thesis project, a framework for generating a concise and user-friendly attack path through grouping continuous attack steps is described. The framework is designed with 6 levels of hierarchical abstraction. Top 3 levels of these abstractions are classified based on the predefined structure of the software and named Structural Division. The other 3 lower levels are classified based on semantics involving a taxonomy for natural language representation called SCV (Security Community Vocabulary), named semantics division. This visualization method is released as part of securiCAD®, a cybersecurity product released by Foreseeti, which provides a concise and understandable interaction by aggregating original attack steps according to different requirements of customers.
The attack path is an effective tool for showing possible hacking routes that an attacker takes against a specific computer network. It also informs administrators about potential weakness in a network, which helps them roll out network configuration changes. Based on predefined computing methods, a large number of attack paths can be generated. Access paths, however, show all possible routes for each calculation and represent them with terminologies specific to the field of cybersecurity. A large share of attack paths and representations are too complicated for ordinary users, which makes it difficult to identify the parts they should pay more attention to. This thesis report describes a framework for generating a concise and user-friendly attack path by grouping continuous attack steps. The framework is designed with 6 levels of hierarchical abstraction. The top 3 levels of these abstractions are classified based on the predefined structure of the software and named structural division. The other 3 lower levels are classified based on semantics, with a taxonomy for natural language representation called SCV (Security Community Vocabulary), named semantics division. This visualization method is released as part of securiCAD®, a cybersecurity product released by Foreseeti, which provides a concise and understandable interaction by aggregating original attack steps according to the requirements of different customers.
5

Thames, John Lane. "Advancing cyber security with a semantic path merger packet classification algorithm." Diss., Georgia Institute of Technology, 2012. http://hdl.handle.net/1853/45872.

Abstract:
This dissertation investigates and introduces novel algorithms, theories, and supporting frameworks to significantly improve the growing problem of Internet security. A distributed firewall and active response architecture is introduced that enables any device within a cyber environment to participate in the active discovery and response of cyber attacks. A theory of semantic association systems is developed for the general problem of knowledge discovery in data. The theory of semantic association systems forms the basis of a novel semantic path merger packet classification algorithm. The theoretical aspects of the semantic path merger packet classification algorithm are investigated, and the algorithm's hardware-based implementation is evaluated along with comparative analysis versus content addressable memory. Experimental results show that the hardware implementation of the semantic path merger algorithm significantly outperforms content addressable memory in terms of energy consumption and operational timing.
6

Dube, Raghav. "Denial of Service attacks: path reconstruction for IP traceback using Adjusted Probabilistic Packet Marking." Texas A&M University, 2004. http://hdl.handle.net/1969.1/1476.

Abstract:
The use of Internet has revolutionized the way information is exchanged, changed business paradigms and put mission critical and sensitive systems online. Any disruption of this connectivity and the plethora of services provided results in significant damages to everyone involved. Denial of Service (DoS) attacks are becoming increasingly common and are the cause of lost time and revenue. Flooding type DoS attacks use spoofed IP addresses to disguise the attackers. This makes identification of the attackers extremely difficult. This work proposes a new scheme that allows the victim of a DoS attack to identify the correct origin of the malicious traffic. The suggested mechanism requires routers to mark packets using adjusted probabilistic marking. This results in a lower number of packet-markings required to identify the traffic source. Unlike many related works, we use the existing IPv4 header structure to incorporate these markings. We simulate and test our algorithms using real Internet trace data to show that our technique is fast, and works successfully for a large number of distributed attackers.
7

Exurville, Ingrid. "Détection non destructive de modification malveillante de circuits intégrés." Thesis, Saint-Etienne, EMSE, 2015. http://www.theses.fr/2015EMSE0800/document.

Abstract:
The outsourcing and pooling of integrated circuit manufacturing raise many questions about the integrity of the fabricated circuits. One is then faced with the problem of the insertion of a concealed functionality that can act covertly: this is called a Hardware Trojan (HT). Because of the complexity of an integrated circuit, spotting this kind of modification proves particularly difficult. The work proposed in this manuscript is directed toward a non-destructive HT detection technique. The approach consists of using the internal computation times of the system under study as a channel for detecting HTs. In this work, a model describing the computation times is defined. In particular, it takes into account two important parameters, namely the experimental conditions and the process variations. Fault attacks by clock glitches based on the violation of timing constraints make it possible to measure internal computation times. Reliable boards are used to serve as a reference. After validating the relevance of this channel for obtaining information on the internal behavior of the target circuit, experimental detections of HTs inserted at two levels of abstraction (RTL level and after the place-and-route step) are carried out. Processing that takes process variations into account makes it possible to identify whether the tested boards are infected by an HT.
The globalization of integrated circuits fabrication involves several questions about the integrity of the fabricated circuits. Malicious modifications called Hardware Trojans (HT) can be introduced during the circuit production process. Due to the complexity of an integrated circuit, it is really difficult to find this kind of alterations. This work focuses on a non-destructive method of HT detection. We use the paths delays of the studied design as a channel to detect HT. A model to describe paths delays is defined. It takes into account two important parameters which are the experimental conditions and the process variations. Faults attacks by clock glitches based on timing constraints violations have been performed to measure data paths delays. Reliable circuits are used for reference. After validating the relevance of this channel to get information on the internal behavior of the targeted design, experimental detections of HT inserted on two different abstraction levels (RTL and after place and route) were achieved. Process variations are taken into consideration in the studies to detect if the tested circuits are infected.
8

Kasse, Mamadou. "Système de Prévention contre les vulnérabilités et de Détection des Anomalies dans les Réseaux Informatiques." Electronic Thesis or Diss., Normandie, 2024. https://theses.hal.science/tel-04885354.

Abstract:
Vulnerability prevention and anomaly detection tools are essential to the security of computer networks. This thesis focuses on the use of MITRE ATT&CK data, CVSS scores and the ISO 27002:2022 standard to automate and consolidate vulnerability analysis and anomaly detection. The main objectives are: - Vulnerability diagnosis: identify the most vulnerable sub-networks by combining MITRE ATT&CK data, CVSS scores and the ISO 27002:2022 standard. For this purpose, a database called Data ISO-MA was created. An algorithm evaluates the vulnerability of the paths in the network, identifying those most at risk. - Anomaly detection: analyze traffic flows to detect unusual behaviors in the vulnerable paths. An approach inspired by the Path-scan model of Joshua Neil et al. (2013) was used. Each network connection is modeled with a 3-state Markov model and the generalized likelihood ratio test (GLRT) statistic, making it possible to capture and identify abnormal behaviors. These two tools aim to strengthen the security of computer networks by providing an integrated solution for vulnerability prevention and anomaly detection.
Tools for vulnerability prevention and anomaly detection are essential for the security of computer networks. This thesis focuses on using MITRE ATT&CK data, CVSS scores, and the ISO 27002:2022 standard to automate and consolidate vulnerability analysis and anomaly detection. The main objectives are: - Vulnerability Diagnosis: Identify the most vulnerable sub-networks by combining MITRE ATT&CK data, CVSS scores, and the ISO 27002:2022 standard. To achieve this, a database called Data ISO-MA was created. An algorithm evaluates the vulnerability of network paths, identifying those most at risk. - Anomaly Detection: Analyze traffic flows to detect unusual behaviors in vulnerable paths. An approach inspired by the Path-scan model introduced by Joshua Neil et al. (2013) was used. Each network connection is modeled with a 3-state Markov model and the Generalized Likelihood Ratio Test (GLRT), allowing for the capture and identification of abnormal behaviors. These two tools aim to enhance the security of computer networks by providing an integrated solution for vulnerability prevention and anomaly detection.
9

Evensjö, Lina. "Probability analysis and financial model development of MITRE ATT&CK Enterprise Matrix's attack steps and mitigations." Thesis, KTH, Hälsoinformatik och logistik, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-289636.

Abstract:
Cyberattacks are becoming a greater concern as our society is digitized to a greater extent, with the storage of sensitive information being a rule rather than an exception. This poses a need of a time- and cost efficient way to assess the cyber security of an enterprise. The threat modeling language enterpriseLang constitute just that, where a general enterprise system assumption allows for re-usage on several enterprise systems. The language is created with Meta Attack Language and is based on the knowledgeable attack- and mitigation steps of MITRE ATT&CK Enterprise Matrix. Since all possible attack paths are not equally likely, probability distributions need to be applied to the attack and mitigation steps. The work presented in this paper includes the provision of probability distributions to a handful of them, mainly connected to gaining initial access to a system with the help of user execution. Beyond this, the financial impact an attack can have and if mitigation measures are financially profitable are examined. To calculate this, a Return on Response Investment model is developed.
Cyberattacks are becoming a greater concern as our society is digitized to a greater extent, where the storage of sensitive information has become the rule rather than the exception. This creates a need for a time- and cost-efficient way to assess the cybersecurity of a company. The threat modeling language enterpriseLang is just that, where the assumption of a general enterprise system enables reuse on several different systems. The language is created with Meta Attack Language and is based on known attack and defense steps from the MITRE ATT&CK Enterprise Matrix. Since not all possible attack paths are exploited to the same extent, probability distributions need to be assigned to the attack and defense steps. The work presented in this report includes the assignment of probability distributions to a handful of them, in particular those connected to gaining initial access to a system by means of user execution. In addition, the financial impact an attack can have, and whether defensive measures are financially profitable, are also examined. A model for the return on such an investment is developed in order to calculate this.
10

Palla, Srikanth. "A Multi-Variate Analysis of SMTP Paths and Relays to Restrict Spam and Phishing Attacks in Emails." Thesis, University of North Texas, 2006. https://digital.library.unt.edu/ark:/67531/metadc5402/.

Abstract:
The classifier discussed in this thesis considers the path traversed by an email (instead of its content) and reputation of the relays, features inaccessible to spammers. Groups of spammers and individual behaviors of a spammer in a given domain were analyzed to yield association patterns, which were then used to identify similar spammers. Unsolicited and phishing emails were successfully isolated from legitimate emails, using analysis results. Spammers and phishers are also categorized into serial spammers/phishers, recent spammers/phishers, prospective spammers/phishers, and suspects. Legitimate emails and trusted domains are classified into socially close (family members, friends), socially distinct (strangers etc), and opt-outs (resolved false positives and false negatives). Overall this classifier resulted in far less false positives when compared to current filters like SpamAssassin, achieving a 98.65% precision, which is well comparable to the precisions achieved by SPF, DNSRBL blacklists.
11

Jirattigalachote, Amornrat. "Provisioning Strategies for Transparent Optical Networks Considering Transmission Quality, Security, and Energy Efficiency." Doctoral thesis, KTH, Optical Network Laboratory (ON Lab), 2012. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-94011.

Abstract:
The continuous growth of traffic demand driven by the brisk increase in number of Internet users and emerging online services creates new challenges for communication networks. The latest advances in Wavelength Division Multiplexing (WDM) technology make it possible to build Transparent Optical Networks (TONs) which are expected to be able to satisfy this rapidly growing capacity demand. Moreover, with the ability of TONs to transparently carry the optical signal from source to destination, electronic processing of the tremendous amount of data can be avoided and optical-to-electrical-to-optical (O/E/O) conversion at intermediate nodes can be eliminated. Consequently, transparent WDM networks consume relatively low power, compared to their electronic-based IP network counterpart. Furthermore, TONs bring also additional benefits in terms of bit rate, signal format, and protocol transparency. However, the absence of O/E/O processing at intermediate nodes in TONs has also some drawbacks. Without regeneration, the quality of the optical signal transmitted from a source to a destination might be degraded due to the effect of physical-layer impairments induced by the transmission through optical fibers and network components. For this reason, routing approaches specifically tailored to account for the effect of physical-layer impairments are needed to avoid setting up connections that don’t satisfy required signal quality at the receiver. Transparency also makes TONs highly vulnerable to deliberate physical-layer attacks. Malicious attacking signals can cause a severe impact on the traffic and for this reason proactive mechanisms, e.g., network design strategies, able to limit their effect are required. Finally, even though energy consumption of transparent WDM networks is lower than in the case of networks processing the traffic at the nodes in the electronic domain, they have the potential to consume even less power. 
This can be accomplished by targeting the inefficiencies of the current provisioning strategies applied in WDM networks. The work in this thesis addresses the three important aspects mentioned above. In particular, this thesis focuses on routing and wavelength assignment (RWA) strategies specifically devised to target: (i) the lightpath transmission quality, (ii) the network security (i.e., in terms of vulnerability to physical-layer attacks), and (iii) the reduction of the network energy consumption. Our contributions are summarized below. A number of Impairment Constraint Based Routing (ICBR) algorithms have been proposed in the literature to consider physical-layer impairments during the connection provisioning phase. Their objective is to prevent the selection of optical connections (referred to as lightpaths) with poor signal quality. These ICBR approaches always assign each connection request the least impaired lightpath and support only a single threshold of transmission quality, used for all connection requests. However, next generation networks are expected to support a variety of services with disparate requirements for transmission quality. To address this issue, in this thesis we propose an ICBR algorithm supporting differentiation of services at the Bit Error Rate (BER) level, referred to as ICBR-Diff. Our approach takes into account the effect of physical-layer impairments during the connection provisioning phase where various BER thresholds are considered for accepting/blocking connection requests, depending on the signal quality requirements of the connection requests. We tested the proposed ICBR-Diff approach in different network scenarios, including also a fiber heterogeneity. It is shown that it can achieve a significant improvement of network performance in terms of connection blocking, compared to previously published non-differentiated RWA and ICBR algorithms.  
Another important challenge to be considered in TONs is their vulnerability to physical-layer attacks. Deliberate attacking signals, e.g., high-power jamming, can cause severe service disruption or even service denial, due to their ability to propagate in the network. Detecting and locating the source of such attacks is difficult, since monitoring must be done in the optical domain, and it is also very expensive. Several attack-aware RWA algorithms have been proposed in the literature to proactively reduce the disruption caused by high-power jamming attacks. However, even with attack-aware network planning mechanisms, the uncontrollable propagation of the attack still remains an issue. To address this problem, we propose the use of power equalizers inside the network nodes in order to limit the propagation of high-power jamming attacks. Because of the high cost of such equipment, we develop a series of heuristics (incl. Greedy Randomized Adaptive Search Procedure (GRASP)) aiming at minimizing the number of power equalizers needed to reduce the network attack vulnerability to a desired level by optimizing the location of the equalizers. Our simulation results show that the equalizer placement obtained by the proposed GRASP approach allows for 50% reduction of the sites with the power equalizers while offering the same level of attack propagation limitation as it is possible to achieve with all nodes having this additional equipment installed. In turn, this potentially yields a significant cost saving.    Energy consumption in TONs has been the target of several studies focusing on the energy-aware and survivable network design problem for both dedicated and shared path protection. However, survivability and energy efficiency in a dynamic provisioning scenario has not been addressed. To fill this gap, in this thesis we focus on the power consumption of survivable WDM network with dynamically provisioned 1:1 dedicated path protected connections. 
We first investigate the potential energy savings that are achievable by setting all unused protection resources into a lower-power, stand-by state (or sleep mode) during normal network operations. It is shown that in this way the network power consumption can be significantly reduced. Thus, to optimize the energy savings, we propose and evaluate a series of energy-efficient strategies, specifically tailored around the sleep mode functionality. The performance evaluation results reveal the existence of a trade-off between energy saving and connection blocking. Nonetheless, they also show that with the right provisioning strategy it is possible to save a considerable amount of energy with a negligible impact on the connection blocking probability. In order to evaluate the performance of our proposed ICBR-Diff and energy-aware RWA algorithms, we develop two custom-made discrete-event simulators. In addition, the Matlab program of GRASP approach for power equalization placement problem is implemented.

12

Liou, Hong-Ming, and 劉泓銘. "Using Path-Encoding information against Distributed Denial of Service Attack." Thesis, 2004. http://ndltd.ncl.edu.tw/handle/83411881963334572063.

Abstract:
Master's
Tamkang University
Master's Program, Department of Information Management
94
In this paper, we present a solution for Distributed Denial of Service Attack. Owing to the insecurity design of IP Protocol, it could not identify source. And those online company might be threatened and lost a lot of money. Yaar presented PI scheme to use path-encoding information against the attack. It is good to proceed to encode internet framework with the complete binary tree. However, the CAIDA study show that only 27% interfaces is more than 2 interfaces. After that, Gao improved the problem of insufficient interfaces of PI scheme. But it is not enough for the scheme. By Bit-Encoding and PS-Number information, we strengthen the above-mentioned schemes. It could either improve the efficiency of Traceback and decrease the possible of attack paths.
13

林立洲. "A Path Authentication Scheme for Routing Disruption Attack Prevention in Ad Hoc Network." Thesis, 2004. http://ndltd.ncl.edu.tw/handle/98846724663106109523.

Abstract:
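Master's
National Chiao Tung University
Department and Graduate Institute of Computer Science and Information Engineering
92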
Ad hoc routing protocols are vulnerable due to the absence of security mechanism. Forged routing advertisement can disrupt the routing scheme. Research work has been proposed for securing the routing protocol in ad hoc networks. Some of them deployed the asymmetric cryptographic primitive, which are often infeasible in the mobile environment. In this paper, we discovered a strict, cooperative disruption attack behavior on the route path and identify the deficiency about present secure mechanisms for protecting the routing information. We proposed a path authentication scheme which relies on efficient symmetric cryptographic authentication approach. The Random Assignment Path Authentication (RAPA scheme) guarantees the integrity of a complete request route path in route discovery procedure and help the current on-demand routing protocol for resisting against the routing disruption attacks. Our scheme can be adjusted to meet different efficiency and security requirements for the various applications.
14

Kuo, Pu-Tsun, and 郭溥村. "The Analysis and Reconstruction of Attack Paths for Botnet." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/52029945034619760924.

Abstract:
Master's
Kun Shan University
Graduate Institute of Information Management
98
Available botnet detection schemes all supposed that ISPs would be cooperative to record or generate the necessary routing information for path reconstruction. In practice, ISP’s service constantly is a mutual benefit for intelligence exchange. Therefore the constraint, requiring cooperation between ISPs, ought to be relaxed. A new IP traceback scheme based on the ant colony optimization (ACO) algorithm is proposed for incomplete attack information formed by routing honeypots or routers’ logs. The aim of our work is to develop an analysis model for reconstruction of attack paths to trace back the botnet Command and Control (C&C) via ant-inspired collective intelligence to find possible routes with support and confidence degree. The validation of the model uses NS2 (Network Simulator, version 2) compiled by dark IP map, to simulate the scenario of spoofed IP attacks, to test the effectiveness of the model. Furthermore, sensitivity analysis is conducted to investigate significant parameters’ effect on the output of attack paths. Experimental results show that the proposed approach effectively suggests the best attack path and Command and Control of botnet in a dynamic network environment.
15

Yu, Sheng-Han, and 余昇瀚. "A Fast Attack Paths Reconstruction Method using SD-FEMM." Thesis, 2012. http://ndltd.ncl.edu.tw/handle/52601665835129245480.

Abstract:
Master's
Shu-Te University
Master's Program, Department of Computer Science and Information Engineering
100
With the development of computer technology, IT-related devices, such as desktop computers, laptops, and even smart mobile phones, are becoming more and more popular with people all over the world. However, for lack of basic computer security knowledge, most people easily get malware on their computers. Among some common Internet attacks, the Distributed Denial of Service (DDoS) attack is still hard to defend against. It purposely consumes a large portion of computing and network resources using weaknesses in network protocols or system exploits in order to prevent valid users from accessing them. Therefore, DDoS has become one of the most serious network security issues in recent years. An IP Traceback method, called Probabilistic Packet Marking (PPM), is proposed to overcome the DDoS problem. Victims can reconstruct attack paths by collecting and analyzing marked information embedded in packets. However, the original PPM uses only the number of hops to classify marked information and discovers links along attack paths by combining marked information by brute force. The number of hops here stands for the distance between some router and the victim. Therefore, if there are two or more routers with the same distance from the victim, marked information produced by these routers will be classified into the same state. The computing time of rebuilding attack paths will dramatically increase. To make matters worse, combining these different routers' marked data in the same state could reconstruct false positive paths. In this thesis, we modified the Space-Domain Fast Extensible Markov Model (SD-FEMM) to identify every piece of marked information and arrange each one into its own state. Therefore, we could just pick up one sample from each state for combination, and that reduces the cost of computing resources. Moreover, the proposed scheme also improves the time of attack path reconstruction.
16

Tsou, Jui-Hsueh, and 鄒瑞雪. "Study of patch antenna for Van Atta element." Thesis, 2010. http://ndltd.ncl.edu.tw/handle/88615578321257867142.

Abstract:
Master's
Yuan Ze University
Department of Communications Engineering
98
In this paper, I use a double-layer structure of Proximity Coupled Feed and Microstrip Antenna to build a Van Atta Array. With 2X1, 2X2, 4X1, and 4X4 array unit structure formats, I use Electromagnetic Field simulation analysis with CST simulation software. Under the linear polarization structure, the transmission line and radiation element of the antenna are in different planes. Through the back wave which coupled energy effects to pair antenna units, I will discuss array unit numbers, unit gap, array unit arrangement for each array and the relationship which is affected by the length of the transmission line. Finally I will verify those by measuring far field experiment.