[Analysis of the Dark Web Environment]
The goal of this project is to analyze the Dark Web environment and understand how this opaque ecosystem works. In recent years the Dark Web has drawn attention not only from the security community but from the general public as well. As society has come to depend heavily on the Internet, cyber threats have become a public issue, and the Dark Web has surfaced along with them. Because the Dark Web is an environment built on guaranteed anonymity, it is a major source of malicious content. By understanding the content, structure and mechanisms of the Dark Web, we can prepare for and mitigate the dangers and threats it poses.
Investigation of Cryptocurrency Abuses in the Dark Web
– Project Leader : Seunghyeon Lee
The purpose of this research is to collect large-scale Dark Web data, extract cryptocurrency information from it, and analyze the usage patterns of cryptocurrencies on the Dark Web. The Dark Web is known to be a major source of malicious content such as drugs, malware and scam campaigns. Because of its inherent anonymity, cryptocurrencies are the common means of payment for such trades. Researchers have noticed this and investigated how cryptocurrencies are used on the Dark Web, but only on small or out-of-date datasets. This work introduces MFScope, a framework that analyzes the aspects above on the most up-to-date Dark Web data.
Introduction
In-depth analysis of cryptocurrency usage on the Dark Web presents three main challenges. First, collecting large-scale cryptocurrency data from the Dark Web is difficult because of the nature of the Dark Web itself. Second, because cryptocurrencies are designed for users seeking pseudonymity (i.e., hiding who is sending and receiving the money), it is not easy to identify the user or owner of a cryptocurrency address. Third, even after collecting cryptocurrency-related data from the Dark Web, we still need additional information that can be used to reveal the owner's identity for further analysis. To address these challenges, we design a Dark Web data collection and analysis platform, MFScope. Our platform first extracts seed dark website addresses by leveraging Dark Web indexing services and crawls those sites. It also extracts links to other dark websites from the crawled pages to enlarge the data corpus. With this platform, we collected a large number of dark web pages (around 27 million) and cryptocurrency addresses (around 10 million unique addresses). We argue that analyzing this volume of data provides a better understanding of the Dark Web and its use of cryptocurrency than prior work relying on small datasets.
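The extraction step described above (pull .onion links out of a crawled page to grow the frontier, and pull cryptocurrency addresses out of the page text) is shown below as an added example; it is not MFScope's code. The sample page is constructed for the example, and only Bitcoin addresses are handled. The point a practitioner should take from it is the checksum validation: a regex alone over millions of pages will match random Base58-looking strings, so each candidate is decoded and its Base58Check or bech32 checksum verified before it is counted as an address.

```python
# Added example (not MFScope's code): extract .onion links and Bitcoin addresses
# from a crawled page, validating address checksums to reject false positives.
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")      # P2PKH / P2SH
BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59}\b")  # lowercase only
ONION_RE = re.compile(r"\b[a-z2-7]{16}\.onion\b|\b[a-z2-7]{56}\.onion\b")   # v2 / v3


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(s) - len(s.lstrip("1"))      # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading + body


def valid_legacy(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):   # mainnet P2PKH / P2SH versions
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]


def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def valid_bech32(addr):
    """BIP173 bech32 checksum for mainnet (hrp 'bc'); constant 1 means bech32, not bech32m."""
    hrp, _, data = addr.rpartition("1")
    if hrp != "bc" or len(data) < 6:
        return False
    vals = [BECH32_CHARSET.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _polymod(expanded + vals) == 1


def extract(page):
    """Return validated Bitcoin addresses and .onion hostnames found in one page."""
    btc = {a for a in LEGACY_RE.findall(page) if valid_legacy(a)}
    btc |= {a for a in BECH32_RE.findall(page) if valid_bech32(a)}
    return {"btc": sorted(btc), "onion": sorted(set(ONION_RE.findall(page)))}


# Constructed sample page: one valid legacy address (the well-known genesis-block
# address), one valid BIP173 test-vector address, a hypothetical .onion link, and
# a mistyped copy of the legacy address whose checksum no longer matches.
SAMPLE_PAGE = """<html><body>
<h1>Constructed sample listing</h1>
<p>Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4.</p>
<p>Mirror: http://abcdefghijklmnop.onion/market (old address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)</p>
</body></html>"""

if __name__ == "__main__":
    print(extract(SAMPLE_PAGE))
```

Addresses that pass the checksum can then be fed to the second and third steps the text describes, i.e. resolving them against the public ledger and any identity clues found alongside them on the same page.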
[SDN Security Vulnerability Genome Project]
The goal of this project is to establish and maintain a centralized database of the security vulnerabilities that exist in various SDN components, including SDN controllers, switches and protocols. Our research group not only collects known vulnerabilities from various sources but also runs DELTA (introduced below) to discover and disclose new ones.
SDN Security Evaluation
– Project Leader : Seungsoo Lee
In short, this research is motivated by the security penetration testing (pen-testing) tools of the traditional network security domain; DELTA is the first pen-testing tool for SDN environments. We envisage that this tool will be used for security conformance benchmarking of SDN devices.
Introduction
Developing a systematic understanding of the attack surface of emerging networks such as software-defined networks (SDNs) is necessary, and arguably the starting point, for making them more secure. Prior work has largely relied on ad hoc empirical methods to evaluate the security of various SDN elements from different perspectives, but has stopped short of converging on a systematic methodology or developing automated systems that rigorously test SDNs for security flaws. As a result, the security assessment of new SDN software remains a non-replicable and unregimented process. This work makes the case for automating and standardizing the vulnerability identification process in SDNs. As a first step, we develop a penetration testing tool, DELTA, that re-instantiates published SDN attacks in diverse test environments. We further extend the tool with a fuzzing module that can potentially uncover unknown vulnerabilities.
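To make the fuzzing idea concrete, the following added example (not DELTA's code) mutates OpenFlow 1.0 control-channel message headers the way a control-channel fuzzer would, and pairs each mutation with the receive-side checks a controller or switch should perform before dispatching a message. The header layout and the type codes for HELLO and PACKET_IN follow the OpenFlow 1.0 specification; the mutator set, the verdict names and the seed message are this example's own choices. The campaign runs offline against the local validator rather than a real controller.

```python
# Added example (not DELTA's code): seeded mutation fuzzer for OpenFlow 1.0
# headers plus the header checks a robust OpenFlow receive path should enforce.
import random
import struct

OFP_HEADER = struct.Struct("!BBHI")     # version, type, length, xid (8 bytes)
OFP10_VERSION = 0x01
OFPT_HELLO, OFPT_PACKET_IN = 0, 10     # two of the 22 OF1.0 message types
KNOWN_TYPES = range(0, 22)


def ofp_message(msg_type, payload=b"", xid=1, version=OFP10_VERSION):
    """Build a well-formed OF1.0 message: header length covers header + payload."""
    return OFP_HEADER.pack(version, msg_type, OFP_HEADER.size + len(payload), xid) + payload


def _set_field(msg, offset, fmt, value):
    return msg[:offset] + struct.pack(fmt, value) + msg[offset + struct.calcsize(fmt):]


# Each mutator targets one field or invariant of the header.
def mut_bad_version(msg, rng):
    return _set_field(msg, 0, "!B", rng.choice([0x00, 0x02, 0x7F, 0xFF]))

def mut_unknown_type(msg, rng):
    return _set_field(msg, 1, "!B", rng.randint(22, 255))

def mut_length_too_big(msg, rng):
    return _set_field(msg, 2, "!H", rng.randint(len(msg) + 1, 0xFFFF))

def mut_length_too_small(msg, rng):
    return _set_field(msg, 2, "!H", rng.randint(0, OFP_HEADER.size - 1))

def mut_truncate(msg, rng):
    return msg[: rng.randint(0, len(msg) - 1)]   # declared length exceeds bytes on the wire

def mut_bitflip_payload(msg, rng):
    i = rng.randrange(OFP_HEADER.size, len(msg))
    return msg[:i] + bytes([msg[i] ^ (1 << rng.randrange(8))]) + msg[i + 1:]

MUTATORS = {f.__name__: f for f in (mut_bad_version, mut_unknown_type, mut_length_too_big,
                                    mut_length_too_small, mut_truncate, mut_bitflip_payload)}


def mutate(msg, name, seed=0):
    """Apply one named mutator with a deterministic RNG."""
    return MUTATORS[name](msg, random.Random(seed))


def validate_header(msg):
    """Checks to run before trusting the header's length field to slice the message."""
    if len(msg) < OFP_HEADER.size:
        return "short"
    version, mtype, length, _xid = OFP_HEADER.unpack_from(msg)
    if version != OFP10_VERSION:
        return "bad_version"
    if mtype not in KNOWN_TYPES:
        return "unknown_type"
    if length < OFP_HEADER.size:
        return "bad_length"
    if length != len(msg):
        return "length_mismatch"
    return "ok"


def fuzz_campaign(seed=1, rounds=200):
    """Run every mutator against a seed PACKET_IN and collect the verdicts each produced."""
    rng = random.Random(seed)
    base = ofp_message(OFPT_PACKET_IN, payload=b"\x00" * 20)   # 28-byte seed message
    verdicts = {}
    for _ in range(rounds):
        name = rng.choice(sorted(MUTATORS))
        verdicts.setdefault(name, set()).add(validate_header(MUTATORS[name](base, rng)))
    return verdicts


if __name__ == "__main__":
    for name, seen in sorted(fuzz_campaign().items()):
        print(f"{name:24s} -> {sorted(seen)}")
```

Note what the campaign shows: header mutations are all caught by the cheap checks, while payload bit-flips pass them with verdict "ok". That is exactly the class of input a fuzzer must push past the header checks into the per-type parser, which is where the unknown bugs the text refers to would live.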
[Design and Implementation of Innovative Security Services with SDN]
Our research group has already designed and implemented existing security services, such as firewalls, IDS, IPS and network anomaly detectors, as SDN applications, and verified the feasibility, effectiveness and capability of each. Beyond these existing services, SDN makes it possible to provide new and innovative security services that were difficult to realize in traditional networks. We have been designing and implementing different types of security services as SDN applications for different SDN controller platforms. The figure below illustrates the design of an SDN-based NIPS application for the Floodlight controller.
Effective and Usable Application Permission System for SDN
– Project Leader : Heedo Kang
In short, this research introduces Astraea, a novel and usable security mechanism that helps SDN operators avoid potentially dangerous SDN applications.
Introduction
In SDN, one of the critical security issues is that an SDN application can access SDN resources without restriction, manipulate the operations of the SDN controller, and ultimately bring down the network. To address this, permission-based access control systems have been added to well-known SDN controllers. However, permission-based access control is undermined when an application is granted more, or fewer, permissions than it actually uses (the permission gap), and SDN controllers employing such mechanisms are no exception. In addition, the permissions an application requires may not be clearly presented to the administrator (the semantic gap). Since an SDN controller directly manages the network, the damage caused by these problems can be far more serious than in other permission systems. To address this, in this project we propose Astraea, an automatic tool for analyzing the fidelity of an SDN application's description and declared permissions. Astraea automatically detects the permission gap and the semantic gap of a given SDN application by leveraging static analysis and natural language processing (NLP) techniques, respectively, and for each permission in a gap it reports the asset and the property of the information security triad (confidentiality, integrity, availability) that could be violated, so that the potential risk of each gap can be understood quickly. A prototype of Astraea has been developed for the ONOS controller.
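The two gaps and the risk mapping are illustrated by the following added example, which is not Astraea's code. It assumes that a static analyser has already produced the list of controller API methods an application calls; the API-to-permission table, the permission names (modelled loosely on ONOS's style but not its real table), the asset/triad mapping, the keyword lists and the sample application are all hypothetical. The keyword matcher is a crude stand-in for the NLP step the text describes.

```python
# Added example (not Astraea's code): permission-gap and semantic-gap checks for
# an SDN application, with each gap permission mapped to the asset and CIA property
# it puts at risk. All tables below are illustrative assumptions.
import re

# Assumed: controller API method -> permission it requires (what static analysis
# would consult after recovering the app's call sites).
API_PERMISSIONS = {
    "FlowRuleService.applyFlowRules": "FLOWRULE_WRITE",
    "FlowRuleService.getFlowEntries": "FLOWRULE_READ",
    "PacketService.emit": "PACKET_WRITE",
    "PacketService.addProcessor": "PACKET_READ",
    "TopologyService.currentTopology": "TOPOLOGY_READ",
    "DeviceAdminService.removeDevice": "DEVICE_WRITE",
}

# Assumed: permission -> (asset, information-security-triad property) at risk if misused.
PERMISSION_RISK = {
    "FLOWRULE_WRITE": ("flow tables", "integrity"),
    "FLOWRULE_READ": ("flow tables", "confidentiality"),
    "PACKET_WRITE": ("data-plane traffic", "integrity"),
    "PACKET_READ": ("data-plane traffic", "confidentiality"),
    "TOPOLOGY_READ": ("network topology", "confidentiality"),
    "DEVICE_WRITE": ("switch inventory", "availability"),
}

# Assumed: word stems a description should contain if it honestly explains the permission.
PERMISSION_KEYWORDS = {
    "FLOWRULE_WRITE": {"flow", "rule", "install", "forward"},
    "FLOWRULE_READ": {"flow", "statistic", "monitor"},
    "PACKET_WRITE": {"packet", "send", "inject", "forward"},
    "PACKET_READ": {"packet", "inspect", "listen"},
    "TOPOLOGY_READ": {"topology", "link", "path"},
    "DEVICE_WRITE": {"device", "remove", "disconnect", "inventory"},
}


def permissions_used(api_calls):
    """Permissions implied by the API calls found in the application's code."""
    return {API_PERMISSIONS[c] for c in api_calls if c in API_PERMISSIONS}


def permission_gap(declared, api_calls):
    """Over-privilege: declared but never needed. Under-privilege: needed but not declared."""
    used, declared = permissions_used(api_calls), set(declared)
    return {"over_privileged": sorted(declared - used),
            "under_privileged": sorted(used - declared)}


def semantic_gap(description, declared):
    """Declared permissions the description never alludes to (keyword stand-in for NLP)."""
    words = set(re.findall(r"[a-z]+", description.lower()))
    def mentioned(perm):
        return any(w.startswith(k) for k in PERMISSION_KEYWORDS.get(perm, ()) for w in words)
    return sorted(p for p in declared if not mentioned(p))


def risk_report(gap):
    """Attach asset and triad property to every permission in each gap."""
    return {kind: [(p,) + PERMISSION_RISK.get(p, ("unknown", "unknown")) for p in perms]
            for kind, perms in gap.items()}


# Constructed sample app: a learning switch whose manifest over-declares DEVICE_WRITE
# and forgets FLOWRULE_WRITE even though the code installs flow rules.
SAMPLE_DESCRIPTION = "A learning switch that inspects incoming packets and forwards them to the learned port."
SAMPLE_DECLARED = ["PACKET_READ", "PACKET_WRITE", "DEVICE_WRITE"]
SAMPLE_CALLS = ["PacketService.addProcessor", "PacketService.emit", "FlowRuleService.applyFlowRules"]

if __name__ == "__main__":
    gap = permission_gap(SAMPLE_DECLARED, SAMPLE_CALLS)
    print(risk_report(gap))
    print("semantic gap:", semantic_gap(SAMPLE_DESCRIPTION, SAMPLE_DECLARED))
```

In this sample the over-declared DEVICE_WRITE is flagged twice: once as a permission gap (never used) and once as a semantic gap (nothing in the description justifies it), and the report tells the operator it is the switch inventory's availability that the extra permission exposes.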
Data-Plane Extensions for SDN Security Service Instantiation
– Project Leader : Taejune Park
In legacy SDN/NFV-based security, performance is relatively low because network packets must "detour" through each virtualized security service, which consumes bandwidth and adds delay. To alleviate this, this work introduces DPX, an extension of an SDN/OpenFlow switch that natively supports security features as a set of abstract OpenFlow actions.
Introduction
In this research, to eliminate the detouring problem and accelerate virtualized security services, we extend an SDN/OpenFlow switch with DPX (Data-Plane eXtensions), which natively supports security features as a set of abstract OpenFlow actions. The DPX action model applies network security services to traversing packets and improves performance by removing the redundant processing caused by detouring; it also represents those services as simplified flow rules, so administrators can configure network security services with lightweight flow tables. To express the security policies of different flows as a single integrated one, DPX introduces a technique called "action clustering", which makes enforcing complex security policies more efficient by aggregating the DPX actions of multiple flows into a small number of synthetic rules. DPX is carefully engineered to mitigate the overheads associated with detouring, so that it delivers security services at close to maximal performance: a throughput profile comparable to simple forwarding and a latency profile two to three times faster than traditional NFV, with lower management cost. As networks grow more complex, we expect the DPX approach to have high potential not only for efficient academic security projects but also for industrial operations.
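The following added example is a simplified model of action clustering, written for this page and not taken from DPX. It assumes that a flow rule is a match plus an ordered chain of security actions, that flows with identical chains can share one synthetic cluster entry while their own entries carry only a cluster id, and that a chain in a different order is a different policy and therefore a different cluster. The DPX action names, the match fields and the sample rules are invented; the table-miss policy (drop) is likewise an assumption.

```python
# Added example (not DPX's code): a simplified model of action clustering.
# Flows sharing the same ordered action chain point at one cluster entry, so the
# switch stores each chain once instead of once per flow.
import ipaddress


def cluster_actions(flow_rules):
    """Return (flow_table, cluster_table): per-flow (match, cluster id) and the chains."""
    clusters = {}       # action chain -> cluster id, assigned in first-seen order
    flow_table = []
    for match, actions in flow_rules:
        cid = clusters.setdefault(tuple(actions), len(clusters))
        flow_table.append((match, cid))
    cluster_table = [list(chain) for chain in clusters]   # list index == cluster id
    return flow_table, cluster_table


def action_entries(flow_rules, cluster_table):
    """Stored action entries before clustering (per flow) and after (per cluster)."""
    return sum(len(a) for _, a in flow_rules), sum(len(c) for c in cluster_table)


def matches(match, pkt):
    """Exact match on every field; nw_src/nw_dst are CIDR prefixes."""
    for field, want in match.items():
        have = pkt.get(field)
        if field in ("nw_src", "nw_dst"):
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True


def lookup(pkt, flow_table, cluster_table):
    """First-match dispatch: flow entry -> cluster id -> action chain to execute."""
    for match, cid in flow_table:
        if matches(match, pkt):
            return cluster_table[cid]
    return ["drop"]     # assumed table-miss policy for this example


# Constructed sample: three web subnets share one DPI + session-monitoring chain,
# two SSH subnets share a rate-limit chain, and one subnet reorders the web chain.
SAMPLE_RULES = [
    ({"nw_dst": "10.0.0.0/24", "tp_dst": 80},  ["dpx_dpi:http", "dpx_session_mon", "output:2"]),
    ({"nw_dst": "10.0.1.0/24", "tp_dst": 80},  ["dpx_dpi:http", "dpx_session_mon", "output:2"]),
    ({"nw_dst": "10.0.2.0/24", "tp_dst": 443}, ["dpx_dpi:http", "dpx_session_mon", "output:2"]),
    ({"nw_dst": "10.0.3.0/24", "tp_dst": 22},  ["dpx_rate_limit:1M", "output:3"]),
    ({"nw_dst": "10.0.4.0/24", "tp_dst": 22},  ["dpx_rate_limit:1M", "output:3"]),
    ({"nw_dst": "10.0.5.0/24", "tp_dst": 80},  ["dpx_session_mon", "dpx_dpi:http", "output:2"]),
]

if __name__ == "__main__":
    ft, ct = cluster_actions(SAMPLE_RULES)
    print("clusters:", ct)
    print("action entries before/after:", action_entries(SAMPLE_RULES, ct))
    print(lookup({"nw_dst": "10.0.1.7", "tp_dst": 80}, ft, ct))
```

Six flows collapse to three synthetic chains here; the reordered sixth rule is kept separate because the order in which security actions run is part of the policy. The saving grows with the number of flows that share a policy, which is the situation the text describes for complex security policies across many flows.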