Future Internet Security School

Speakers

Prof. Alexander Afanasyev

Florida International University, USA

Prof. Alexander Afanasyev

Talk title: Data-Centric Security of Named Data Networking

Abstract: Today's Internet is built on top of the IP architecture, which provides point-to-point communications among all computing devices in the world. Many security solutions, developed later, follow the IP's model by securing the communication channel between two endpoints. However, ... the network usage today no longer fits the point-to-point conversation model with many more incompatible uses coming in the future. Examples include content distribution, infrastructure-less and delay-tolerant mobile communication, and massive IoT device networking. This mismatch between what IP's point-to-point delivery model provides and what applications need impacts both communication efficiency and efficacy of the security solutions. Named Data Networking (NDN) as a proposed data-centric communication architecture makes information the centerpiece for communication and security. NDN retrieves data chunks using application-defined names, and each chunk carries a crypto signature that binds the name to its content. Using a simplified version of Internet-of-Things application in a smart home as an example, I will discuss advantages and challenges of NDN. I will also introduce the concept of a "trust schema" that formalizes trust relationships as a set of rules between hierarchical names of data and keys, enabling automating most of the key management, data signing, and data authentication tasks.

Dr. Alberto Compagno

CISCO, France

Dr. Alberto Compagno

Talk title: Security and Privacy Analysis in Information-Centric Networking

Abstract: The Internet Protocol (IP) is the lifeblood of the modern Internet. Its simplicity and universality have fueled the unprecedented and lasting global success of the current Internet. Nonetheless, some limitations of IP ... have been emerging in recent years. Information-Centric Networking (ICN) is a recent networking paradigm being considered as a possible replacement for the current IP-based host-centric Internet infrastructure. Rather than establishing direct IP connections with a host serving content, ICN consumers directly request pieces of content by name; the network is in charge of finding the closest copy of the content, and of retrieving it as efficiently as possible. This decoupling of content and location allows ICN to efficiently implement many of the IP's drawbacks such as, multicast, content replication, fault tolerance, mobility and dynamic forwarding. As a prominent design requirement, ICN emphasized "security and privacy by design" in order to avoid the long and unhappy history of incremental patching and retrofitting that characterizes the current Internet architecture. In this talk, we focus on salient security and privacy features and issues of the Information-Centric Networking (ICN) paradigm, and how different ICN implementing projects such as, NDN, CICN and HICN, cover these aspects.

Prof. Mauro Conti

University of Padova, Italy

Prof. Mauro Conti
  • Welcome Message: Introducing the School and the SPRITZ Security and Privacy Research Group together with its activities in the area of privacy and security of the emerging Future Internet Architectures.

  • Final Remarks

Prof. Sajal K. Das

Missouri S&T, USA

Prof. Sajal Das

Talk title: Security and Trustworthiness in Sensor Networks, IoTs and Crowdsensing: A Data Driven Approach

Abstract: The advent of pervasive sensing, 5G wireless communications, cognitive networking, and ubiquitous computing has made our lives increasingly smarter relying on a variety of interdependent smart service systems and cyber-physical infrastructures (e.g., smart city, smart energy, transportation, healthcare, or agriculture) ...with a goal to improve quality of life and experience. Alongside, low-cost sensors, Internet of Things (IoTs) and rich mobile devices (e.g., smartphones) are empowering humans with fine-grained information/opinion collection through crowdsensing, leading to actionable inferences and decisions. However, sensors and IoTs are extremely vulnerable to attacks and security threats. This talk will highlight unique research challenges and opportunities in securing such systems, followed by the development of novel defense mechanisms. Specifically, we will propose data-driven frameworks and solutions for security forensics and lightweight statistical anomaly detection in sensor and IoT networks to defend against organized and persistent adversaries launching data falsification attacks. The novelty lies in a newly defined information-theoretic metric to quantify robustness and security, minimize attacker’s impact, and result in low false alarm rates. Our approach is based on a rich set of theoretical and practical design principles, such as secure data fusion, uncertainty reasoning, information theory, game theory, and belief or trust models. We will further propose secure and trustworthy decision making schemes in mobile crowdsensing to detect false (or spam) contributions due to selfish and malicious user behavior. Based on the cumulative prospect theory and reputation/trust scoring, our approach prevents revenue loss owing to undue incentives and improves the operational reliability and decision accuracy. Case studies and experimental results with real data sets will be presented to validate the proposed models. The talk will be concluded with directions for future research.

Prof. Christian Doerr

TU Delft, the Netherlands

Prof. Christian Doerr

Talk title: Lessons from Today's Attacks to Tomorrow's Internet

Abstract: Designing a new technology brings the big opportunity to include lessons learned in the past into the design. Due to its historical origins, the level of security of the Internet is less than desired and needed by today's standards, a future Internet architecture may however rectify these. In this talk, I will based on the kill chain methodology show the progression of typical attacks on the Internet, we will dive into key weaknesses of current Internet, and discuss which of these can be remediated by future Internet technologies.

Prof. Guofei Gu

Texas A&M University, USA

Prof. Guofei Gu

Talk title: When SDN Meets Security: New Challenges and Opportunities

Abstract: Software Defined Networking (SDN) is a new networking paradigm that decouples the control logic from the closed and proprietary implementations of traditional network data plane infrastructure. SDN enables researchers to ... more easily design and distribute innovative flow handling and network control algorithms. We believe that SDN can, in time, prove to be one of the more impactful technologies to drive a variety of innovations in network security and security will be a new killer app for SDN. However, to date there remains a stark paucity of SDN security research and development. In this talk, I will discuss some new opportunities as well as challenges in this new direction, and demonstrate with our recent research results. I will discuss how SDN can enhance network security, e.g., by offering a dramatic simplification to the way we design and integrate complex network security applications/services into large. I will also discuss some unique new security problems inside SDN and then introduce some of our work to enhance the security of SDN.

Dr. Chhagan Lal

University of Padova, Italy

Dr. Chhagan Lal

Talk title: Robust and Efficient Dynamic Adaptive Streaming over ICN

Abstract: To sustain the adequate bandwidth demands over rapidly growing multimedia traffic and considering the effectiveness of Information-Centric Networking (ICN), recently, HTTP based Dynamic Adaptive Streaming (DASH) has been introduced over ICN, which significantly increases the network bandwidth ...utilisation. However, we identified that the inherent features of ICN also causes new vulnerabilities in the network. In this talk, we first discuss a novel attack called as Bitrate Oscillation Attack (BOA), which exploits fundamental ICN characteristics: in-network caching and interest aggregation, to disrupt DASH functionality. In particular, the proposed attack forces the bitrate and resolution of video received by the attacked client to oscillate with high frequency and high amplitude during the streaming process. To detect and mitigate BOA, we design and implement a reactive countermeasure called Fair-RTT-DAS. Our solution ensures efficient bandwidth utilisation and improves the user perceived Quality of Experience (QoE) in the presence of varying content source locations.

Dr. Markus Legner

ETH Zurich, Switzerland

Dr. Markus Legner

First talk title: A Next-generation Secure Internet for the 21st Century

Abstract:

The Internet has been successful beyond even the most optimistic expectations. It permeates and intertwines with almost all aspects of our society and economy. The success of the Internet has created a dependency on communication as many of the processes underpinning the foundations of mod...ern society would grind to a halt should communication become unavailable. However, much to our dismay, the current state of safety and availability of the Internet is far from commensurate given its importance. Although we cannot conclusively determine what the impact of a 1-day, or 1-week outage of Internet connectivity on our society would be, anecdotal evidence indicates that even short outages have a profound negative impact on society, businesses, and government. Unfortunately, the Internet has not been designed for high availability in the face of malicious actions by adversaries. Recent patches to improve Internet security and availability have been constrained by the current Internet architecture, business models, and legal aspects. Moreover, there are fundamental design decisions of the current Internet that inherently complicate secure operation. Given the diverse nature of constituents in today's Internet, another important challenge is how to scale authentication of entities (e.g., AS ownership for routing, name servers for DNS, or domains for TLS) to a global environment. Currently prevalent PKI models (monopoly and oligarchy) do not scale globally because mutually distrusting entities cannot agree on a single trust root, and because everyday users cannot evaluate the trustworthiness of each of the many root CAs in their browsers. To address these issues, we propose SCION, a next-generation Internet architecture that is secure, available, and offers privacy by design; that provides incentives for a transition to the new architecture; and that considers economic and policy issues at the design stage. We have implemented SCION and deployed it in the production networks of several ISPs.

Second talk title: Next-Generation Public-Key Infrastructures

Abstract:

Public-key infrastructures form the core of authentication systems that are in use in today's Internet. Unfortunately, the inadequacies of the design of currently used PKIs are emerging with the constant evolution of the Internet and its uses. In this talk, we will discuss the differ...ent types of PKIs that are needed to secure Internet communication, and show how we can design next-generation PKIs to achieve better scalability, security, trust agility, and usability. In particular, we will address the following challenges. How can we design a highly available PKI system to support a routing infrastructure? Can we design a PKI that allows to control/limit the power of authorities (e.g., no kill switch possibilities)? How can we securely, scalably, and efficiently update compromised root keys? What considerations do we have for the design a DNS PKI? Should we base the TLS PKI on the DNS PKI as proposed in DANE? Or should we design a TLS PKI that is independent of a secure DNS system?

Third talk title: DDoS -- RIP

Abstract:

DDoS attacks have been plaguing the Internet for over 20 years. For every defense mechanism invented, attackers find a new way to circumvent it. Is it possible to fundamentally prevent DDoS attacks? Since the Internet is a public resource, what does it even mean to prev...ent DDoS -- since the adversary can also claim to be communicating "legitimately". In this talk we will unravel the different forms of DDoS attacks by first discussing how to construct meaningful definitions, and second showing how to counter the different attacks.

Dr. Eleonora Losiouk

University of Padova, Italy

Dr. Eleonora Losiouk

Talk title: ChoKIFA: A New Detection and Mitigation Approach against Interest Flooding Attacks in NDN

Abstract: Named-Data Networking (NDN) is a potential Future Internet Architectures which introduces a shift from the existing host-centric IP-based Internet infrastructure towards a content-oriented one. Its design, however, can be misused to introduce a new type of DoS attack, better known as Interest Flooding Attack (IFA). In IFA, ...an adversary issues non-satisfiable requests in the network to saturate the Pending Interest Table(s) (PIT) of NDN routers and prevent them from properly handling the legitimate traffic. Prior solutions to mitigate this problem are not highly effective, damages the legitimate traffic, and incurs high communication overhead. In this paper, we propose a novel mechanism for IFA detection and mitigation, aimed at reducing the memory consumption of the PIT by effectively reducing the malicious traffic that passes through each NDN router. In particular, our protocol exploits an effective management strategy on the PIT which differentially penalizes the malicious traffic by dropping both the inbound and already stored malicious traffic from the PIT. We implemented our proposed protocol on the open-source ndnSIM simulator and compared its effectiveness with the one achieved by the existing state-of-the-art. The results show that our proposed protocol effectively reduces the IFA damages, especially on the legitimate traffic, with improvements that go from 5% till 40% with respect to the existing state-of-the-art.

Dr. Eduard Marin

University of Birmingham, UK

Dr. Eduard Marin

Talk title: An In-depth Look Into the Topology Discovery Mechanisms in Software Defined Networks

Abstract:

Software-Defined Networking (SDN) is a novel network architecture that has revolutionized the existing network architectures by decoupling the control plane from the data plane. Recently, researchers have demons...trated that SDN networks are highly vulnerable to attacks. For instance, attackers can tamper with the controller's network topology view to hijack the hosts' location or create fake inter-switch links. These attacks can be launched for various purposes, ranging from impersonating hosts to intercepting network traffic. Several defenses have been proposed against these topology attacks, but their effectiveness is questionable in the presence of novel attacker models. In this talk, I will give an overview of the existing topology attacks and the state-of-the-art defenses. The focus of this talk will be on analysing the actual security of the proposed defenses. Subsequently, I will introduce two novel topology attacks that exploit implementation weaknesses in one of the major SDN controllers. These attacks show that the process of securing the network topology discovery implies not only to design secure defenses but also to implement the topology services at the controller correctly. Finally, I will discuss possible research directions for further improving the security of the SDN topology discovery mechanisms.

Prof. Sateesh Kumar Peddoju

Indian Institute of Technology Roorkee, India

Prof. Sateesh Kumar Peddoju

Talk title: Virtual Infrastructures and Deployment of Security Mechanisms

Abstract: Virtual Infrastructures (VI) enable us to share different computing resources present in multiple physical machines across a datacenter to your entire users' spectrum. Cloud computing allows us to provision these virtual resources ...to these users over the Internet in a fast, efficient, and convenient manner. Securing the Virtual Infrastructures are the backbone for effective delegation of Cloud computing services. However, on the other hand, the capabilities of malicious users to compromise the Cloud security from inside and outside has increased many folds. To detect various attack patterns, there are different deployment scenarios and detection methods a cloud administrator can adopt. This talk introduces various deployment mechanism of security solutions such as virtual firewalls, IDS/IPS, and Honeypots to protect the VI in a Cloud like environment. In the process, the talk introduces typical vulnerability sources in VI, threats in VI, and attacks on VI. The talk also presents a few experimental aspects such as the flow of traffic in the provider network architecture of OpenStack Cloud environment, and use of a port mirroring to detect intrusion. The results of the evaluation of such experiments over the CPU and memory performance due to IDS will also be presented briefly. Further, if time permits, I will quickly discuss our recent introspection approach for detection of malware on KVM-based Cloud environment by validating the processes inside the VI.

Prof. Thorsten Strufe

TU Dresden, Germany

Prof. Thorsten Strufe

Talk title: Security and Privacy in the Tactile Internet

Abstract: Recent technological advances in developing intelligent telecommunication networks, electronics, and secure computing infrastructures along with progress made in psychology and neuroscience ...have paved the way for a new networking paradigm: The Tactile Internet with Human-in-the-Loop (TaHiL). This emerging field aims to promote the next generation of digital human-machine interactions in perceived real time. To support even haptic feedback in various environments, completely softwarised networking solutions are required for telecommunication and computation infrastructures that do not only provide transmission of data, but also computation in close proximity, to guarantee low latency, resilience, and security. This environment of ultra-low delay requirements and virtualized functionality comes with a broad set of challenges for confidentiality and privacy, integrity, as well as the availability of the infrastructure itself. This talk will introduce the scenario with a set of real use cases, and delve into new approaches to lightweight integrity, reactive security, but also the limits of privacy when processing behavioral data.

Prof. Sasu Tarkoma

University of Helsinki, Finland

Prof. Sasu Tarkoma

Talk title: Towards AI supported security, networks and sensing

Abstract: In this talk, I will give an overview of selected AI and network related activities in Finland, namely the 5G-FORCE research program, the Finnish Center for AI (FCAI), and the MegaSense research program. I will present key highlights pertaining to AI assisted network optimization and security in mobile networks. Then as a unified example, I will present our data science flagship project called MegaSense aiming for scalable environmental sensing with 5G supported by AI technologies.

Prof. Andrea Zanella

University of Padova, Italy

Prof. Andrea Zanella

Talk title: A high level perspective on 5G technologies and applications

Abstract:

While the design of 3G and 4G systems was mainly addressed to provide higher bitrates to mobile users, with 5G the perspective has been enlarged to a variety of application scenarios, including massive Internet of Things, Industry 4.0, Smart Cities, and so on. In this talk, we will make a journey in the 5G landscape, starting from the requirements of the new application domains, and then moving towards the technical solutions that have been proposed to satisfy such requirements. During this journey, we will touch upon concept like massive access, network densification, new radio, network virtualization and edge computing, each of which has basically open a new research trail. The roadblocks that still hinder the way to the full realization of the 5G vision will finally mark the end of our trip.

With the support of:

UniPD logo

Mathematical department logo

SPRITZ group logo

CINI Cybersecurity National Lab

Human inspired technology logo

CETI logo

ETH logo

FIU logo

Helsinki logo

Roorkee logo

TUDelft logo