Papers by NIKHIL TRIPATHI
ACM Computing Surveys
Application layer Denial-of-Service (DoS) attacks are generated by exploiting vulnerabilities in the protocol implementation or its design. Unlike volumetric DoS attacks, they are stealthy in nature and target a specific application running on the victim. Several such attacks against popular application layer protocols have been discovered in recent years. In this article, we provide a structured and comprehensive survey of the existing application layer DoS attacks and defense mechanisms. We classify existing attacks and defense mechanisms into different categories, describe their working, and compare them based on relevant parameters. We conclude the article with directions for future research.
Traffic classification finds its application in the implementation of various services like Quality of Service (QoS) and security monitoring. In today's networks, a significant portion of traffic is generated from mobile applications. Thus, a robust and accurate mobile application traffic classification technique is needed. In this paper, we propose AppHunter, a mobile application classification technique to classify Android applications using Deep Packet Inspection (DPI). Unlike previously known mobile application classification techniques, AppHunter is an unsupervised approach and does not require training with flows explicitly collected for each application. AppHunter extracts the required fields from the HTTP/HTTPS header of a flow and compares them with application details extracted from Google Playstore. We test the classification performance of AppHunter with two publicly available datasets and one dataset generated by simulating more than a thousand applications in our testbed setup a...
Network flow analysis has applications in security monitoring. Flow analysis techniques like periodicity and self-similarity detection are often used to model and understand application traffic behavior. In this paper, we propose a method to identify recurring and similar network flows which can be used in security monitoring. To identify recurring network flows, we generate a communication graph of a host with its peers every ΔT time interval and find the intersection of these graphs successively. The edges which remain after the intersection are used as candidates for similarity detection. We estimate the similarity between successive flows between a pair of hosts by measuring the Manhattan distance between the features of the flows. A recurring flow which shows a small distance between successive flows is identified as similar. Subsequently, we adapt this technique to botnet detection as a case study. We experiment with a recently released public botnet dataset and show that ou...
IEEE INFOCOM 2019 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)
Service Level Agreements (SLAs) are commonly used to negotiate the computation and performance requirements between a service provider and a user. In commercial cloud computing environments, SLAs are commonly used to negotiate performance guarantees. However, there are no standardized mechanisms for defining and enforcing security SLAs in cloud computing. In this paper, we consider the problem of defining security SLAs in a cloud computing environment. We divide these SLAs into three categories: availability, security and integrity related SLAs. We provide a mechanism to formally describe SLAs and a method for run-time evaluation of these SLAs through a trusted Third Party Auditor (TPA). The TPA collects the necessary evidence in the form of logs from the cloud on a cloud user's behalf and evaluates SLA compliance against the collected evidence. We implement a few sample SLAs of each category in a cloud testbed and show that the TPA can evaluate and enforce the security requirements.
Revolutionary Applications of Blockchain-Enabled Privacy and Access Control
Distributed denial of service (DDoS) attacks have been a matter of serious concern for network administrators in the last two decades. These attacks target resources such as memory, CPU cycles, and network bandwidth in order to make them unavailable to benign users, thereby violating availability, one of the components of cyber security. With the existence of DDoS-as-a-service on the internet, DDoS attacks have now become more lucrative for adversaries targeting a potential victim. In this work, the authors focus on countering DDoS attacks using one of the latest technologies, blockchain. In its inception phase, utilizing blockchain for countering DDoS attacks has proved to be quite promising. The authors also compare existing blockchain-based defense mechanisms to counter DDoS attacks and analyze them. Towards the end of the work, they also discuss possible future research directions in this domain.
Journal of Information Security and Applications
Distributed Denial of Service (DDoS) attacks are one of the prominent network security attacks. In a DDoS attack, several machines send a large amount of network traffic to the victim using spoofed IP addresses. Unfortunately, there is no reliable technique to detect spoofed IP packets. In this paper, we argue that proactive detection of spoofed IP packets will help in predicting DDoS attacks. We describe an event based detection method to identify spoofed IP packets. Our method works by proactively probing received packets for genuineness. The active probing technique uses inconsistencies in the TTL values of received packets to decide whether the first packet was spoofed or genuine. We enumerate several possible spoofing scenarios with our detection method in place and identify the type of each based on the response to probing. Further, we study the limitations of the event based method and discuss ways to overcome them. We design and experiment with all spoofing scenarios in a real network setup and report the results. With a few optimizations to the probing strategy, the overhead incurred can be reduced considerably, which makes the proposed technique useful for detecting DDoS attacks.
Computers & Security
Network Time Protocol (NTP) is used by millions of hosts in the Internet today to synchronize their clocks. Clock synchronization is necessary for many network applications to function correctly. An unsynchronized clock may lead to failure of various core Internet services, including DNS and RPKI based interdomain routing, and opens the path for more sophisticated attacks. In this paper, we describe a new attack which can prevent a client configured in NTP's broadcast mode from synchronizing its clock with the server. We test the attack in real networks and show that it is effective in both authenticated and unauthenticated broadcast/multicast modes of NTP. We also perform experiments to measure the overall attack surface by scanning the entire IPv4 address space and show that NTP broadcast mode is being used in the wild by several low stratum (highly accurate) hosts. We also suggest a few countermeasures to mitigate the proposed attack.
Confidentiality, Integrity and Availability are the three major components of cyber security. Denial of Service (DoS) and its variant, Distributed Denial of Service (DDoS), are threats which exhaust resources to make them unavailable for legitimate users, thereby violating one of the security components: Availability. DoS attacks on networks are numerous and potentially devastating. So far, many types of DoS attacks have been identified, and most of them are quite effective at stopping communication in networks. IPv4 as well as IPv6 are quite vulnerable to these attacks. A number of countermeasures have been developed to mitigate these attacks. This paper presents a classification of DoS/DDoS attacks under IPv4 and IPv6. The impact of these attacks, their analysis and their countermeasures are also discussed in this paper. The analysis of these attacks is performed using different utilities and a traffic analyzer.
Domain Name System (DNS) is a central protocol of the internet and provides a way to resolve domain names to their corresponding IP addresses. Due to its role, it is one of the most critical protocols in use on the internet. However, DNS is known to be vulnerable to a popular attack called DNS poisoning. Fortunately, DNS poisoning has become difficult to launch due to the introduction of techniques like source port and query identification value randomization. In this paper, we propose a targeted DNS spoofing attack that exploits a vulnerability present in the DHCP server-side IP address conflict detection technique. We show that the proposed attack is easier to launch and requires minimal bandwidth as compared to previously known attacks. We also discuss how the proposed attack can target even a single victim client without affecting other clients. We test the effectiveness of the proposed attack in a real network setup and report the results. Further, we discuss how known detection and mitigation techniques are unable to detect the attack.
Dynamic Host Configuration Protocol (DHCP) is used to automatically configure clients with an IP address and other network configuration parameters. Due to the absence of any built-in authentication, the protocol is vulnerable to a class of Denial-of-Service (DoS) attacks, popularly known as DHCP starvation attacks. However, known DHCP starvation attacks are either ineffective in wireless networks or not stealthy in some network topologies. In this paper, we first propose a stealth DHCP starvation attack which is effective in both wired and wireless networks and cannot be detected by known detection mechanisms. We test the effectiveness of the proposed attack in both IPv4 and IPv6 networks and show that it can successfully prevent other clients from obtaining an IP address, thereby causing a DoS scenario. In order to detect the proposed attack, we also propose a Machine Learning (ML) based anomaly detection framework. In particular, we use some popular one-class classifiers for detection. We capture IPv4 and IPv6 traffic from a real network with thousands of devices and evaluate the detection capability of different machine learning algorithms. Our experiments show that the machine learning algorithms can detect the attack with high accuracy in both IPv4 and IPv6 networks.
HTTP/2 is a newly standardized protocol designed to efficiently utilize TCP's transmission rate and has other advantages compared to HTTP/1.1. However, its threat vectors are not completely understood yet. Our contribution in this paper is threefold. First, we describe a few new threat vectors of HTTP/2 which are Slow Rate DoS attacks and can be launched by injecting specially crafted HTTP requests. We perform an empirical evaluation of these attacks against popular web servers and report that the majority of web servers are vulnerable to them. We also test the effectiveness of the proposed attacks using both clear text and encrypted HTTP/2 requests and find that the attack is effective independent of the request type. Second, we compare structurally similar attacks with HTTP/1.1 and report that HTTP/2 has more threat vectors compared to its predecessor. Third, we propose an anomaly detection scheme which uses a chi-square (χ²) test between traffic profiles generated in normal and attack scenarios to detect these attacks.
Dynamic Host Configuration Protocol (DHCP) is used by clients in a network to configure their interface with an IP address and other network configuration parameters such as the Default Gateway and DNS server IP addresses. This protocol is vulnerable to a Denial of Service (DoS) attack popularly known as the classic DHCP starvation attack. In this paper, we make a threefold contribution. First, we highlight the practical difficulty in generating the classic DHCP starvation attack in wireless networks. Second, we propose a stealth starvation attack which is effective in wireless networks, easier to launch, requires fewer messages to be transmitted and is difficult to detect by known detection methods. We also show a structurally similar attack in IPv6 networks which can affect address configuration protocols such as DHCPv6 and StateLess Address Autoconfiguration (SLAAC). Subsequently, we also describe an anomaly detection method to detect the proposed attack. We design and generate the attacks in a real network setup and report the results. The proposed detection method uses the Hellinger distance between two probability distributions generated from training and testing data to detect starvation.
Dynamic Host Configuration Protocol (DHCP) is used by clients in a network to configure their interface with an IP address. DHCP is vulnerable to a popularly known Denial of Service (DoS) attack called the DHCP starvation attack. In this paper, we highlight the practical difficulties of creating the conventional starvation attack in wireless networks (802.11) and also describe two new variations of the attack which can be easily launched in wireless networks. Subsequently, we also propose an anomaly detection system which can detect all variations of starvation attacks. This anomaly detection system generates a probability distribution of the various DHCP messages collected from a particular network as a normal profile and subsequently compares the current activity to this profile to detect starvation attacks. We experiment with different types of starvation attacks in a real network setup and report the detection performance of our proposed method.
Slow HTTP Denial of Service (DoS) is an application layer DoS attack in which a large number of incomplete HTTP requests are sent. If the number of such open connections on the server exceeds a preset threshold, the server does not accept any new connections, thus creating DoS. In this paper, we make twofold contributions. We do an empirical study on different HTTP servers for their vulnerability to slow HTTP DoS attacks. Subsequently, we propose a method to detect the Slow HTTP DoS attack. The proposed detection system is an anomaly detection system which measures the Hellinger distance between two probability distributions generated in the training and testing phases. In the training phase, it creates a normal profile as a probability distribution comprising complete and incomplete HTTP requests. In the case of a Slow HTTP attack, the proportion of incomplete messages in the overall traffic increases, and the detection system leverages this by generating another probability distribution and finding the difference between the two distributions. We experiment by collecting data from a real web server and report the detection performance of the proposed detection system.
Dynamic Host Configuration Protocol (DHCP) starvation is an insider attack which prevents legitimate DHCP clients from acquiring network configuration parameters from a DHCP server. The classical methods of creating a starvation attack have a practical difficulty in wireless networks, where an Access Point (AP) mandates that a client associate with a unique MAC address before it can transmit such requests. This limits the effectiveness of starvation in wireless networks. In this paper, we describe a new method of creating starvation which is effective in both wired and wireless networks. This new method exploits a precautionary probing done by a DHCP server as described in RFC 2131. This probing verifies that the IP address about to be offered is not accidentally in use by other clients in the network. We show that a malicious insider can just send spoofed replies to these probes to create the effect of starvation in both wired and wireless networks.
International Conference on Control, Instrumentation, Communication & Computational Technologies, 2014
Address Resolution Protocol (ARP) is a fundamental and one of the most frequently used protocols involved in computer communications. Within a LAN, ARP messages are used to resolve IP addresses into corresponding MAC addresses. Nevertheless, some of the limitations within this protocol make it rather vulnerable. The two most prominent limitations are the unauthenticated and stateless nature of ARP. Attackers can easily exploit these loopholes for their personal gain. ARP poisoning is considered one of the basic attacks which is utilized to launch higher level attacks. Several solutions have been proposed in the literature to detect and prevent these attacks. However, all of the proposed solutions are limited to a certain extent. Some solutions are effective in a particular set of scenarios while others are better suited to a different set of scenarios. As new techniques of ARP poisoning have evolved with time, researchers have been motivated to propose new solutions.
In this paper, we present a comparative analysis of different proposed solutions which are popular in the literature. We compare different mitigation techniques based on some of the important factors that are considered limitations of the proposed solutions. These factors are derived from the scenarios which are possible within a LAN when an ARP poisoning attack is launched. A brief tabular format is also introduced in this paper which offers a quick overview of the comparison between different proposed schemes. This comparative study can further be used to propose and build a more efficient and effective scheme which, on one hand, enjoys the combined advantages of different mitigation techniques and, on the other hand, does not carry the old limitations.
International Conference on Computational Intelligence and Computing Research
Address Resolution Protocol (ARP) poisoning is one of the most basic techniques employed in computer hacking. In ARP poisoning, a host poisons the ARP cache of another host in order to redirect packets to a destination other than the intended one. This paper presents a feasible technique to detect and prevent ARP poisoning by removing multiple entries for the same MAC address or IP address from the ARP table using a secondary cache. This secondary cache contains entries according to Internet Control Message Protocol (ICMP) responses. Since this technique prevents multiple entries for the same IP address or MAC address, it also mitigates the IP exhaustion problem. The secondary cache is maintained at every host, which makes this technique distributed in nature and thereby avoids a single point of failure. Experimental results are also provided to support the proposal.