Literature Review Assessment- Network Security

November 17, 2017
Author : Alex

Question: Literature Review Assessment


Case Scenario/ Task

The research question follows the PICO paradigm described in the Kitchenham (2007) guideline for systematic literature reviews.

We will take the context topic (systematic review of web application security development model) as an example of applying the PICO paradigm.

Population (P): The population is the application area. In this context, it is the web application layer.

Intervention (I): The intervention is the software methodology or procedure, for example, the technologies used to perform specific tasks. In this context, the security model or development process that addresses the given issues is considered the intervention.

Comparison (C): The comparison is the procedure or methodology against which the intervention is compared. In this context, the comparison is between insecure or vulnerable models and secure models.

Outcome (O): The outcome in this context is the meaningful confidence or most appropriate model that best suits the types of vulnerabilities identified.


Solution:

Literature Review

Recent advances in technology have led to the introduction of smart devices such as tablets and smartphones, resulting in an increase in cyber crime in which hackers target mobile users to attack a particular business model. With the advent of 3G networks, security concerns have increased, especially in core networks. Most security developments are focused on the RAN, so the core network may become a potential target for hackers in the near future. This literature review analyses four different methods/approaches adopted to enhance mobile core network security, along with their respective pros and cons.

The NEMESYS Approach

Figure 1 shows the detailed Architecture of NEMESYS. [1]

Figure – 1: Architecture of NEMESYS Approach

Virtualized Mobile Client Honeypot: Honeypots are elements of network systems that exist to be attacked and compromised, so that the approaches hackers actually use to target a network can be understood. Traditional honeypots and client honeypots are entirely different: the former wait passively to be attacked, whereas the latter actively search for hacked or compromised websites, malware and other kinds of cyber attack. The NEMESYS approach involves developing a highly advanced virtualized client honeypot for Android devices to attract and gather all traces of mobile attacks. The virtualization technology used in this method logically divides the device into two VMs: an infrastructure VM and a honeypot VM. The honeypot VM hosts the Android OS and therefore has no direct access to the device hardware. The infrastructure VM mediates all access to the communication hardware and uses sensors to detect attacks. Important system attributes will be identified and prioritized to improve the efficiency of malware detection. Traces gathered from malware and other kinds of mobile attack are passed on to the next component, the Data Collection Infrastructure. [1]

Infrastructure for Data Collection: This component collects and stores all traces of mobile attacks from the honeyclient and the virtualized mobile client honeypot. These traces are then combined with external sources and mobile core network data to support visualization, enrichment and correlation analysis. Efficient database design is very important for storing and managing huge data sets. Once the data coming from the different sources has been consolidated, the next step is to enrich it by carrying out data analysis or by accessing external sources. The honeyclient developed for this purpose is very similar to the first component and uses an Android emulator driven by user-generated inputs to interact with applications, websites and application markets in order to gather traces of mobile attacks. [1]

Anomaly Detection utilizing Billing Data and Control Plane: The third component operates on the mobile network operator's side, and its purpose is to identify and precisely predict abnormal behavior occurring in the mobile network and in mobile devices. Mobile networks are prone to two kinds of attack: user-oriented attacks and signalling attacks. Signalling attacks are more severe because they tend to overload the mobile network's control plane using low-volume, low-rate attack traffic that depends on the features and structure of mobile networks. To detect DoS attacks occurring in mobile networks, signalling data from control plane protocols and CDRs from users are used. Normal user behavior statistics as well as synthetic user playbacks are used to develop traces of billing data and signalling events. Bayesian techniques such as maximum likelihood detection, learning-based neuronal methods, and combinations of the two are employed to develop precise and robust change detection methods for detecting the presence of an attack, along with classification algorithms to analyze the type of attack. [1]
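The following added example (not code from the review or from the NEMESYS project) shows why a likelihood-based change detector suits the low-rate signalling attacks described above: a CUSUM statistic over a Poisson log-likelihood ratio flags a sustained doubling of a device's signalling rate that a fixed per-minute threshold never sees. The rates, thresholds and counts are constructed assumptions, and CUSUM is used here as one standard change detection method, not as the project's algorithm.

```python
import math

def poisson_llr(k, normal_rate, attack_rate):
    """Log-likelihood ratio of seeing k events under the attack rate vs. the normal rate."""
    return k * math.log(attack_rate / normal_rate) - (attack_rate - normal_rate)

def cusum_detect(counts, normal_rate, attack_rate, threshold):
    """Index of the first interval where the CUSUM statistic reaches threshold, else None."""
    score = 0.0
    for i, k in enumerate(counts):
        # Accumulate evidence for a change; clamp at 0 so quiet periods do not bank credit.
        score = max(0.0, score + poisson_llr(k, normal_rate, attack_rate))
        if score >= threshold:
            return i
    return None

def static_detect(counts, limit):
    """Baseline: index of the first interval whose count alone exceeds limit, else None."""
    for i, k in enumerate(counts):
        if k > limit:
            return i
    return None

# Constructed data: signalling events per minute for one device.
NORMAL = [4, 3, 5, 4, 2, 5, 4, 3]   # around the assumed normal rate of 4/min
ATTACK = [8, 7, 9, 8, 9, 7]         # low-rate attack: only about 2x normal
SERIES = NORMAL + ATTACK

if __name__ == "__main__":
    print("static threshold (>12/min):", static_detect(SERIES, 12))
    print("CUSUM (4 -> 8/min, h=5):  ", cusum_detect(SERIES, 4, 8, 5.0))
```

The detection index is counted from the start of the series, so the alarm is raised in the fourth minute of the constructed attack.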

Root Cause Analysis, Virtualization and Correlation: The main function of this component is to process the data gathered from the anomaly detection module and the data collection infrastructure in order to identify and analyze correlations among various network events. It thereby provides a visual analytics system for carrying out formulation and testing. The input data to this component is heterogeneous and therefore needs to be formatted and presented to the network operator to avoid hassles. The analysis and visualization section aims to provide visual analytics tools to the user/operator. Real-time monitoring involves analyzing the security status of a huge number of mobile users and of the mobile network, which needs to be shared with the operator. [1]

Integration and Validation: In order to evaluate and validate the technologies being developed and to demonstrate their impact to interested parties, NEMESYS will build a virtual testing environment, based on guidelines provided by industrial partners, that is as close to a real mobile network as possible within feasibility constraints. The modules developed by the different partners will be integrated in the virtual testing environment, and validation tests will be conducted based on realistic use cases. [1]

Pros of NEMESYS Approach: Effective; attacks are analyzed in depth both during and after the attack; other devices present in the network are not affected; premium services that are running are not compromised.

Cons of NEMESYS Approach: Implementation is complex, maintenance is difficult.

Intrusion Protection System (IPS) for GPRS Tunnel Protocol (GTP)

A GTP IPS is proposed to protect the GTP protocol against attacks while also meeting the real-time requirement. The system is based on an event-based description language and an event analysis engine. Figure 2 shows the GTP IPS architecture. In this system, the researchers have combined hardware-based data stream capture techniques, which capture network packets in real time, with event analysis and filtering for the upper-layer protocol, and also precisely control the response speed as well as its reliability.

Figure -2: Architecture of GTP IPS

System Architecture

The architecture presented in Figure 2 consists of four main components: one module for system initialization and three modules for runtime analysis. [2]

The Language Interpreter handles the configuration and initialization phases of the system. During system initialization, the Language Interpreter translates the GTP-based protocol scripts and attack-specific scripts into event-engine-based GTP-X Analyzers and GTP Attack Detectors. These analyzers and detectors are then used to analyze the GTP protocols and attacks at runtime. The filtering scheme and runtime GTP analysis are implemented by three modules:

The GTP Stream Filtering Engine is implemented using a group of parallel processing hardware and analyzes and filters a huge number of network packets at the same time. Analysis and filtering in parallel ensure that packets pass safely through the system without adversely affecting overall system performance. [2]

The next module, the GTP Event Analysis Engine, is made up of three parts: the GTP Packet Parser, the GTP Attack Detector and the GTP Protocol Analyzers. The GTP Packet Parser parses input GTP packets at the lexical level based on the protocol specification provided. It then filters out the important protocol elements, encapsulates them into “Atom Events” and passes them on to the relevant protocol analyzers. The GTP Protocol Analyzer maps the atom events to pre-defined rules. Finally, the GTP Attack Detector analyzes the factors of the “Abstract Events” formed by the GTP Protocol Analyzer and confirms the presence of attack signatures.

When an attack is detected, the Responder module handles the reactions, for instance alerting, logging, packet dropping, etc. If packets are dropped, the GTP Stream Filtering Engine enforces the relevant action and also maintains and updates the protocol state of the corresponding GTP tunnel. [2]
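The runtime path described above (packet parser, atom events, protocol analyzer, abstract events, attack detector, responder) can be sketched in a few functions. This is an added example, not the GTP IPS implementation from [2]: the header layout and message type numbers are those of GTPv1, while the signature names, thresholds, peer addresses and packets are hypothetical, constructed values.

```python
import struct
from collections import Counter, namedtuple

AtomEvent = namedtuple("AtomEvent", "src msg_type teid")
CREATE_PDP_REQ, DELETE_PDP_REQ = 16, 20   # GTPv1-C message types (3GPP TS 29.060)
# Hypothetical signatures: abstract event -> (max occurrences per window, response)
SIGNATURES = {"PDP_SETUP_BURST": (3, "drop"), "MALFORMED_GTP": (1, "alert")}

def parse_gtp(src, data):
    """Packet parser: decode the mandatory 8-byte GTPv1 header, None if malformed."""
    if len(data) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1 or not flags & 0x10:    # version 1, protocol type GTP
        return None
    if length != len(data) - 8:                # declared length must match bytes seen
        return None
    if flags & 0x07 and length < 4:            # E/S/PN set: 4 optional bytes follow
        return None
    return AtomEvent(src, msg_type, teid)

def analyze(window):
    """Protocol analyzer: fold one time window of packets into abstract event counts."""
    events = Counter()
    for src, data in window:
        atom = parse_gtp(src, data)
        if atom is None:
            events[(src, "MALFORMED_GTP")] += 1
        elif atom.msg_type == CREATE_PDP_REQ:
            events[(src, "PDP_SETUP_BURST")] += 1
    return events

def detect(events):
    """Attack detector and responder: pick a response per source that hits a signature."""
    actions = {}
    for (src, name), count in events.items():
        limit, response = SIGNATURES[name]
        if count > limit:
            actions[src] = response
    return actions

def gtp(msg_type, teid=0, seq=1):
    """Build a constructed GTPv1-C packet: flags 0x32 (v1, PT=1, S=1), length 4."""
    return struct.pack("!BBHIHBB", 0x32, msg_type, 4, teid, seq, 0, 0)

# Constructed window: a bursty peer, a normal peer, and a peer sending truncated packets.
WINDOW = ([("10.0.0.5", gtp(CREATE_PDP_REQ, seq=n)) for n in range(5)]
          + [("10.0.0.9", gtp(CREATE_PDP_REQ)), ("10.0.0.9", gtp(DELETE_PDP_REQ, teid=7))]
          + [("10.0.0.7", b"\x32\x10\x00")] * 2)

if __name__ == "__main__":
    print(detect(analyze(WINDOW)))
```

Packets that fail parsing are counted as events rather than silently discarded, so a peer sending malformed GTP becomes visible to the detector.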

Pros of GTP IPS: highly effective in protecting the GTP protocol; the architecture and functionality of the GTP IPS are simpler than those of other approaches.

Cons of GTP IPS: the range of protection is not high; it does not cater for protection of a large number of real-time instances. [2]

SDN (Software Defined Networking) Approach

Software Defined Networking is a disruptive and innovative force in the networking industry that affects almost every player, including network operators, hardware vendors, Internet service providers and cloud service providers. With SDN, low-level device configuration and management can be handled by a centralized software controller, which facilitates functionality upgrades as well as debugging. [3]

Since SDN allows granular control of the network and services through its abstraction of the underlying hardware, it meets the urgent need of mobile networks, which are undergoing a rapid transition to operate simultaneously over multiple wireless technologies in order to accommodate the dramatic growth of data traffic. Figure 3 shows an envisioned SDN-enabled wireless mobile network; the current trend of convergence in such networks can benefit from SDN to improve resource utilization, network management and security in a multi-service environment. [3]

Figure – 3: Wireless Mobile Network that is SDN enabled

Increased Security using SDN in Wireless Mobile Networks

Network convergence is the trend for wireless mobile networks, where operators will integrate different wireless technologies (such as 4G and WiFi) into the network infrastructure. This creates an interoperability challenge: how to manage multi-vendor physical devices that use different configurations under different arrangements and security requirements in a multi-operator environment. As end users frequently move across networks managed by different operators, such mobility adds complexity to network management in terms of translating inter-domain policy to guarantee consistent security in an efficient and dynamic way. [3]

SDN provides a virtualized abstraction that offers a convenient way to hide the complexity of the various wireless protocols and topologies. The programmability and flow model of SDN also facilitate granular policy control and flexible traffic aggregation and partitioning. These functional features and its flexibility make SDN well suited to the future wireless mobile environment. [3]

Pros of Software Defined Networking Approach: SDN provides good security for all security-based elements; it is flexible and easily adaptable to any environment; efficient performance.

Cons of Software Defined Networking Approach: issues related to mobility and roaming; deployment issues; privacy concerns; the presence of various operators and technologies leads to a complex negotiation process. [3]

Radio Technology Approaches (WiFi and LTE)

Architecture of 3G Security

Security protection in 3G networks requires consideration of several aspects and issues, such as wireless network access, end-user mobility, the particular security threats, the type of information to be protected, and the complexity of the network architecture. Radio transmission is by nature more susceptible to eavesdropping than wired transmission. User mobility and universal network access certainly imply security threats. The different types of data, such as user data, billing data, customer information data, and network management data, which are conveyed by or reside in mobile networks, require different types and levels of security. Furthermore, the network topologies and the heterogeneity of the technologies involved increase the reliability challenge. Figure 4 presents an overview of the complete 3G security design. [4]

Figure – 4: The complete 3G security design

The architecture consists of five different features:

  • Network access security
  • Network domain security
  • User domain security
  • Application domain security
  • Configurability and visibility of security [4]

Architecture of LTE Security

The LTE/SAE network consists of only two nodes: (1) the MME/S-GW, a multi-standard access system that acts as the anchor point for mobility between different access systems, and (2) the eNB, which gathers all the purely radio-oriented functionalities. Most of the security requirements for 3G networks also hold for LTE, so that at least the same level of security (as in 3G) is guaranteed (Figure 5). [4]

Figure – 5: LTE Security Architecture

The main changes adopted to achieve the required level of LTE security are as follows:

  • A new hierarchical key system has been introduced in which keys can be changed for different purposes.
  • The LTE security functions for the Access Stratum (AS) and the Non-Access Stratum (NAS) have been separated. The NAS functions are responsible for communications between the core network and the mobile terminal, while the AS functions cover communications between the network edge, i.e. the eNB, and the terminal.
  • The concept of forward security has been introduced for LTE.
  • LTE security functions have been introduced between the existing 3G network and LTE. Moreover, since in LTE the mandated encryption from the mobile phone terminates at the eNB, MNOs should secure the IP-based control/user plane transport to the core network using IPsec, even though this is not mandatory according to the standards. [4]

Pros: Easy implementation and design, maintenance is easy

Cons: Security level is low in comparison with other methods, the chance of data loss is high
