ISBN (print): 9783031562488; 9783031562495
IPv6 is a fundamentally different Internet Protocol than IPv4, and IPv6-only networks cannot, by default, communicate with the IPv4 internet. This lack of interoperability necessitates complex mechanisms for incremental deployment and for bridging networks so that non-dual-stack systems can interact with the whole internet. NAT64 is one such bridging mechanism, by which a network allows IPv6-only clients to connect to the entire internet, leveraging DNS to identify IPv4-only networks, inject IPv6 response addresses pointing to an internal gateway, and seamlessly translate connections. To date, our understanding of NAT64 deployments is limited; what little information exists is largely qualitative, taken from mailing lists and informal discussions. In this work, we present a first look at active measurement of NAT64 deployment on the internet, focused on deployment prevalence, configuration, and security. We measure NAT64 via two distinct large-scale measurements: 1) open resolvers on the internet, and 2) client measurements from RIPE Atlas. For both datasets, we broadly find that despite substantial anecdotal reports of NAT64 deployment, measurable deployments are exceedingly sparse. While our measurements do not preclude large-scale deployment of NAT64, they do point to substantial challenges in measuring deployments with our existing best-known methods. Finally, we also identify problems in NAT64 deployments, with gateways not following the RFC specification and also posing potential security risks.
ISBN (print): 9798350357899; 9798350357882
The military usage of Unmanned Aerial Vehicles (UAVs) has garnered attention, especially after their employment in the Ukrainian war. Beyond the most commented-on lethal usage, they have many other applications, of which surveillance for imagery acquisition is of primary importance. Using a stand-alone UAV for this purpose is well known, but to cope with the scale of battlefield operations, multi-UAV systems are an asset of great value. However, these systems rely on ad hoc networks that require solutions beyond conventional ones based on the Internet Protocol (IP). This paper addresses this concern by proposing a communication support mechanism for multi-UAV military surveillance systems based on the Information-Centric Networking (ICN) paradigm. The proposed approach consists of the dynamic deployment of an ICN network based on a microservices architecture, where the communication services of each UAV are deployed according to its resources. The solution is validated in a simulated battlefield scenario where a surveillance UAV provides data demanded by other nodes. The results demonstrate that the proposed solution minimizes data delivery delays by successfully deploying the customized set of microservices needed to support the transmission, even when a UAV with a low battery level is replaced at runtime.
Internet Protocol v6 (IPv6) for low-power wireless personal area networks has been developed to facilitate and support IP stack communication over IPv6 networks. In RFC 6550, the Internet Engineering Task Force specif...
ISBN (print): 9783031790065; 9783031790072
The rapid evolution of cyber threats has increased the need for robust methods to discover vulnerabilities in increasingly complex and diverse network protocols. This paper introduces Network Attack-centric Compositional Testing (NACT) [12], a novel methodology designed to discover new vulnerabilities in network protocols and create scenarios to reproduce these vulnerabilities through attacker models. NACT integrates composable attacker specifications, formal specification mutations, and randomized constraint-solving techniques to generate sophisticated attack scenarios and test cases. The methodology enables comprehensive testing of both single-protocol and multi-protocol interactions. Through case studies involving a custom minimalist protocol (MiniP) and five widely used QUIC implementations, NACT is shown to effectively identify, reproduce, and find new real-world vulnerabilities such as version negotiation abuse. Additionally, by comparing the current and older versions of these QUIC implementations, NACT demonstrates its ability to detect both persistent vulnerabilities and regressions. Finally, by supporting cross-protocol testing within a black-box testing framework, NACT provides a versatile approach to improve the security of network protocols.
ISBN (print): 9798350390605; 9783903176638
While applications evolve quickly, internet protocols do not follow the same pace. There are two root causes for this. First, extending a protocol with a cleartext control plane is usually hindered by various network devices such as middleboxes. Second, such extensions usually require support from all participating entities, but these often run different implementations, leading to a chicken-and-egg deployment issue. The recently standardized QUIC protocol paved the way for dealing with the first concern by embedding encryption by design. However, it attracted so much interest that there is now a large heterogeneity in QUIC implementations, amplifying the second problem. To get rid of these deployment issues and to enable interoperable, implementation-independent innovation at the transport layer, we propose a paradigm shift called Core QUIC. While Core QUIC remains compliant with the standardized QUIC protocol, it enforces an implementation architecture such that any Core QUIC-supporting participant can be extended with the same, generic bytecode. To achieve this, Core QUIC defines a standardized representation format of common QUIC structures on which plugins running in a controlled environment can operate to extend the underlying host implementation. We demonstrate the feasibility of our approach by making two implementations Core QUIC-compliant. Then, we show that we can extend both with the same plugin code over several use cases.
ISBN (print): 9798350375367
The Domain Name Service (DNS) is fundamental to the successful operation of the internet, providing behind-the-scenes translation between the Uniform Resource Locators (URLs) used by humans and machines and the Internet Protocol (IP) addresses required for data transmission between hosts and servers. DNS is ubiquitous across networks and for decades has been used for malicious purposes by threat actors. There has been significant research in detecting DNS protocol abuse leveraging statistical analysis, natural language processing and machine learning. The volume of DNS traffic in enterprise networks is significant, and applying detection techniques to large datasets is costly in terms of time, processing and memory resources. There is a need to reduce the size of DNS logs to enable more efficient use of detection techniques and to reduce the amount of data to be reviewed by analysts. The aim of this research was to develop and evaluate a log filtering technique to reduce DNS log size while retaining sufficient malicious traffic samples to enable efficient analysis and DNS abuse detection. This technique leverages a single time-delta feature and density-based clustering to reduce DNS log size. The results showed up to a 76% decrease in log size by row count and up to a 99% reduction in user IP and DNS query pairs while retaining up to 83% of malicious traffic. Operationally, this provides analysts with a much-reduced dataset that requires less time and fewer computational resources to process.
ISBN (print): 9798350378887; 9783903176645
Internal domain names are domain names that are resolved locally and not by the global DNS. Name collisions occur if an internal name is resolved in the global DNS, e.g. if queries are accidentally sent to a public resolver. This can lead to security issues. While previous studies of name collisions used passive measurement data, we use active measurements on RIPE Atlas to survey the use of internal names in home networks. We discover 3092 names, used by 4305 probes, of which 34.51% are at risk of collision if their top-level domain is delegated.
Computer network monitoring systems are crucial for gathering evidence in cases of computer fraud. This research introduces a tool called Sniffing Attack Prevention (SNAP), utilizing Sockets to connect a Client Node a...
ISBN (print): 9783031626449; 9783031626456
This article introduces a novel methodology, Network Simulator-centric Compositional Testing (NSCT), to enhance the verification of network protocols with a particular focus on time-varying network properties. NSCT follows a Model-Based Testing (MBT) approach. Such approaches usually struggle to test and represent time-varying network properties. NSCT also aims to achieve more accurate and reproducible protocol testing. It is implemented using the Ivy tool and the Shadow network simulator, which enables online debugging of real protocol implementations. A case study on an implementation of QUIC (picoquic) is presented, revealing an error in its compliance with a time-varying specification. This error has subsequently been rectified, highlighting NSCT's effectiveness in uncovering and addressing real-world protocol implementation issues. The article underscores NSCT's potential in advancing protocol testing methodologies, offering a notable contribution to the field of network protocol verification.
ISBN (print): 9798350350128
Optimizing network protocols is crucial for improving application performance. Recent research works use multi-armed bandit (MAB) online learning methods to address network optimization problems, aiming to improve cumulative payoffs such as network throughput. However, existing MAB frameworks are ineffective because they either inherently assume the network environment is static or have high complexity in detecting environmental changes. In this work, we advocate using lightweight "network-assist" techniques together with online learning to optimize network protocols, and show that this can effectively detect environmental changes and maximize network performance. Furthermore, optimizing network protocols often faces two types of decision (or arm) spaces, discrete and continuous choices, while most prior MAB models only handle discrete settings. This paper proposes a framework capable of managing both spaces. To the best of our knowledge, we are the first to develop an MAB framework that incorporates network-assist signals in handling dynamic environments while considering the distinct characteristics of discrete and continuous arm spaces. Our framework achieves optimality, as shown by its sub-linear regret bound, which matches state-of-the-art results in several degenerate cases. We also illustrate how to apply our framework to two network applications: (1) wireless network channel selection, and (2) rate-based TCP congestion control. We demonstrate the merits of our algorithms via both numerical simulations and packet-level experiments.