Report available! Collaborative Honeynet Threat Sharing Platform

With the continuous rise of cyber security threats, monitoring security potential threats and attacks become essential to plan for cyber defense. Honeypot, a decoy system designed to lure attackers, has been used to track and learn attacker’s behavior. Collecting attacker’s interactions with honeypot at different locations inside different organization’s premises provide useful and more complete picture of the landscape of current cyber security threats. The log of the attacks to the honeypots become an essential cyber security threat information that could be shared to many of the security incident analysts at different organizations to provide relevant and contextual threat intelligence. The goal of this project is to develop and implement a collaborative honeynet threat sharing platform that could collect, store, add contextual information pertaining to the threat and share these threat information to the relevant organization. This project continues on the previous year project with additional type of honeypots are being added to the collection of honeypot sensors. In addition, new type of threat categories, threat purpose and threat phases are added to define more fine-grained secure shell (ssh) attacks seen in our honeypots. With the new public dashboard is now ready for public view, our hope is more organizations in Indonesia as well as organizations in ASEAN countries would be interested to participate in the project in a collaborative effort to share and exchange threat information, which potentially could be used as a cyber defense platform for each of the participating organizations.

The project achieved the following objectives:

  1. Develop a collaborative repository platform for storing honeynet-based threat information. The project allows anyone or organization to participate in a community-based threat information sharing based on the honeynet system.  There are 4 honeypots currently implemented, i.e., cowrie, Dionaea, Elastichoney, and conpot.
  2. Redesign and develop a more robust repository and visualization platform that allows security analysts to add and enrich existing security threat information with the results of the analysis of the security events or objects related to the events. The robust repository platform utilized the cluster database of MongoDB while the visualization platform also uses cluster setup to distribute search tasks over cluster servers, improving overall user experience of using the platform.
  3. An enhanced platform that allows organizations to share and exchange security threat information with other organizations. The platform enables the threat information to be exchanged with the cyber security community through TAXII services in a standardized format or through open-source threat intelligence Malware Information Sharing Platform (MISP).

The project was lead by the Charles Lim, from Swiss German University (SGU) and builds on years of collaboration to support the Honeynet project Indonesia Chapter (IHP), in partnership with the Ministry of Communication and Informatics (KOMINFO) and Badan Siber & Sandi Negara (BSSN). It is also an expansion of a previous ISIF Asia grant allocated in 2019.

The final report is available here.

Report available! Telemetering the telltale signs of power issues of wireless internet relays

The TellTale project was conceived with aim of addressing the problem of measurement and projection of the power uptime duration of wireless internet relays. In rural areas and in areas where such projections are not available, operators often fail to address downtimes in a timely manner, thereby increasing the number and duration of downtimes and/or fail to project the power needs of a relay properly. These issues have direct adverse economic consequences for both providers and users

In line with this, the project objectives were to:
1. Identify an affordable and replicable sensor+SBC + internet uplink power charge and discharge module
2. Create a cloud-based, machine-learning supported, data ingestion, storage, data prep, analysis and reporting system.
3. Develop an easy-to0use reporting and alert system with PC and mobile applications (Android)
4. Measure and report on the cost-saving and improved uptime impact of the project
5. Disseminate the project findings and share the systems design
6. Create a paid support system for interested parties.

The project has achieved most of its objectives. An AirJaldi “TellTale” system, capable of measuring battery voltage and generating indicators and alerts based on the its change over time, has been built, demonstrated and is ready for distribution and sharing. At a device cost of around US $20 (hardware components) the system is affordable, as are the software packages and cloud hosting services required.

AirJaldi will offer TellTale using a Freemium model. Interested users can either download the source codes and manuals at no cost from Github (accessed directly or via our website and those of other partners), or choose one of various models of paid support offered by AirJaldi.

TellTale’s User Interface (UI) was designed to be clear and easy to use and update and is available in both computer and mobile version. An Android APK, offering a stripped-down version of the web UI with a focus on alerts, was also created and made available for users.

We plan to continue working on improving and enriching TellTale in the coming months and will share information and resources.

The final report is available here.

Report Available! Experiment and improve reinforcement learning algorithms to enhance anomalous network behaviour detection

Cybersecurity is a significant research area because all of the operations based on government, military, commercial, financial and civilians gather, process, transfer and store tremendous volume of data on computers and others. Cyber-attacks have imposed increasing threats and damages on our modern society at all levels. Network Intrusion Detection System (NIDS) is one of the major techniques in preventing cyber-attacks occurred in network traffic. Over the past decade, a lot of research work has been conducted to explore the capabilities of artificial intelligence (AI) methods in developing NIDS solutions. The previous studies suggested that AI algorithms have promising potentials in developing effective solutions to detect the increasing attacks.

TeleMARS R&D team commits to advance AI-based methods, explore realistic approaches of deploying the research outcomes in real network environment, and support on-going research in wider community to achieve long term sustainable development. The key objectives of this project were to:

  • contribute to the development of NIDS;
  • contribute to research community in the subject of anomaly detection;
  • establish a practical collaboration framework to enable scientists and IT professionals from diverse background to work together to continuously contribute to NIDS research;
  • test and prove TeleMARS operation and technical frameworks, and the team capabilities; and
  • inspire and enable the participation of broader research community in cybersecurity domain supporting gender equality and inclusion

This project started in September 2020 and finalized in June 2021. The main activities included:

  • Literature review and project design.
  • Data analysis and preparation.
  • Anomaly detection model development using Machine Learning methods including Reinforcement Learning method.
  • Model experimentation.
  • Established evaluation pipelines to simulate real application environment.
  • Model capability evaluation applying different datasets.
  • Implementation of a collaboration framework supporting the research activities conducted by researchers and professionals with various backgrounds.

The final technical report is available for review here.

Report Available! Implementation and Utilities of RDAP for Wider Usability among Internet Stakeholders

This project aimed to increase the adoption of the Registration Data Access Protocol (RDAP), which is the replacement/upgradation of WHOIS. It is used to retrieve registration data using Internet resources such as domain names, Internet Protocol (IP) addresses, and autonomous system numbers (ASN). RDAP solves several problems of WHOIS. It has many new features which include: standardized query/response formats, authoritative address of the Regional Internet Registries (RIR), authentication, and encryption. Internet operation researchers and users need to adopt RDAP as it will continue to play an increasingly important role in Internet resilience, safety, and investigations requiring the search and collection of registration data. This project contributed in increasing the utilization and adoption of the RDAP by implementing the RDAP client in Matlab (Data Simulation Tool), Browser extensions, and generic recommendations to establish RDAP clone in national Registries across Asia Pacific region.

Matlab is a powerful tool to simulate, design, and analyze real-world systems. At the time of the project was proposed , there was no direct/native support of RDAP protocol in Matlab. Implementing such a client or toolbox will enable easy retrieval of data from RDAP with minimal development efforts as well as native support for RDAP in Matlab. Eventually, it will facilitate doing Internet operation research, data visualization, digital forensic, and other studies involving internet resources such as domain name, etc. The Browsers extension would assist end users in getting lookup information of the domain they are about to visit, this way it will potentially help in mitigating the risk of online spam and scams with the benefit of improved transparency of legitimate Internet resources. Moreover, this project also explored potential implementation strategies to set up RDAP clone for national Registries. This replication can potentially improve the availability of RDAP in unforeseen circumstances and could help to implement robust strategies for improved quality of service. The recommendations and guidelines are useful for RDAP adoption acceleration, identifying the current state of RDAP, identifying future strategies to deploy country level RDAP, and challenges faced by country level Registries.

The final technical report is available for review here.

Report Available! Measuring and Detecting Network Interference in Southeast Asia

This network measurement research aims to show current and past Internet censorship and network interference in media, political criticism, religion, gender and social media networks in South East Asian economies using network monitoring nodes around the region. Additionally a pilot gender gap social audit will be conducted for a marginalized urban community in Malaysia to research and measure non-technical gaps in Internet access such as affordability, Internet literacy, knowledge or rights, and accessibility and availability of gender-related content.

The final technical report is available for review here.

Report Available! Network Coding over Satellite Links: Scheduling Redundancy for Better Goodput

Many Pacific islands still rely on satellite for Internet access, using narrowband links with capacities far below those of the networks at either end, carrying mostly TCP (Transmission Control Protocol) traffic. On these links, a large number of TCP senders simultaneously try to adjust their congestion windows to the perceived link capacity: Acknowledgment (ACK) packets prompt congestion window increases; overdue ACKs shrink window sizes exponentially.

The long link latency means that senders thus get an extremely outdated picture of the available capacity, often leading to excessive queue oscillation, where the link input buffer overflows and drains entirely within seconds. Complete drainage means idle link capacity, while overflows impede large TCP transfers.

Our experiments in the islands have shown that sending coded packets with redundancy for a small numbers of such transfers can increase goodput by concealing some overflow tail drops. Under our last two ISIF grants, we built a simulator to investigate coding of all flows for such island links.

This showed that coding is extremely time-sensitive: Coded packets must result in ACKs before TCP retransmits, but must also not hit the input buffer during overflows, a common occurrence in our first generation encoder.

Our previous ISIF-funded project added a delay to the coded packets, resulting in more arrivals and increased goodput when the delay happened to coincide with link capacity. This is a hit-and-miss game, however: coded packets may be sent too late and often still hit queue overflows.

Moreover, when surplus coded packets make it into the buffer, they add to the round-trip-time for all other TCP senders with subsequent packets in the queue. The current project leverages a new feature in our coding software, which lets us distinguish coded packets from “original” packets on the wire. We have implemented a queueing system that only feeds coded packets into the “original” buffer once this queue drains below a configured size, and can now also drop surplus coded packets.

Simulations to date show that this leads to a significant increase in goodput on large monopoly flows over the conventional coding, and we are currently investigating how the queueing system parameters must be best chosen to allow this gain to extend to cumulative goodput of a large mix of flows of different sizes, as encountered on such links.

The final technical report is available for review here.

2020 ISIF Asia Grant recipients announced

ISIF Asia has awarded USD 120,000 to four organizations to support network operations research and development for the benefit of the region.

2020 Internet Operations Research Grant Recipients

Four grants of USD 30,000 each were allocated to four research and development projects focused on the availability, reliability, and security of the Internet, with a particular focus on practical solutions around operational stability and security. The 2020 ISIF Asia Grant Recipients and the main focus of their projects are:

Open Lawful Intercept for Asia Pacific. University of Waikato. New Zealand. To support further development and expand adoption in the Asia Pacific of OpenLI, the only open source software capable of meeting the ETSI standards for lawful interception.

IPv6 Deployment at Enterprises. IIESoc. India. To work collaboratively with a nonprofit industry consortium in the United States, Industry Network Technology Council (INTC), to address the issue of IPv6 adoption at large brick-and-mortar enterprises in the APAC region.

Collaborative Honeynet Threat Sharing Platform. Swiss German University (SGU), Badan Siber & Sandi Negara (BSSN) and Indonesia Honeynet Project (IHP). Indonesia.
This project aims to extend the design of the existing Honeynet Threat Sharing Platform to provide a broader range of honeypot support, a more complete threat database and threat correlation to allow organizations to easily share information with each other in a consistent format in ASEAN economies.

Experiment and improve reinforcement learning algorithms to enhance anomalous network behaviour detection. TeleMARS Pty Ltd. Australia. To research various machine learning algorithms that may effectively monitor, analyze, and detect anomalous traffic at devices connections, and/or anomalous traffic at routers/links. This project will investigate how reinforcement learning algorithms such as GANs would perform against other machine learning algorithms such as classification, statistical and deep learning algorithms.

The APNIC Foundation and ISIF Asia thanks all applicants for sharing their ideas, the Selection Committee members for their hard work, and APNIC for their generous funding contributions for 2020.

Report Available! Honeynet Threat Sharing Platform

This project, led by Charles Lim from the Swiss German University in Indonesia, in collaboration with Indonesia Honeynet Project and Badan Siber dan Sandi Negara.

With the continuous rise of cyber security threats, monitoring security potential threats and attacks become essential to plan for cyber defense. Honeypot, a decoy system designed to lure attackers, has been used to track and learn attacker’s behavior. Collecting attacker’s interactions with honeypot at different location inside different organization’s premises provide useful and more complete picture of the landscape of current cyber security threats. The log of the attacks to the honeypots become an essential cyber security threat information that could be shared to many of the security incident analyst at different organization to provide a relevant and contextual threat intelligence.

The objective of this research was to provide a sharing platform for any organizations in Indonesia (later can be applied to ASEAN and/or Asia Pacific countries) to share security threats information collected using honeypots in the relevant organization in the related countries to other organizations in Asia Pacific. To start with, the research began to develop and share the security threat information collected from different provinces to all related organizations in Indonesia.

The project is open to any researchers (men or women) who is interested to help building better security posture in their respected countries or any Asia Pacific countries. This is the first time we combine research effort between government, education institution and cyber security community to build a security threat information platform. The completed project is expected to bring significant contributions to raise not only the participation of security threat information contribution but also the overall potential security posture of the Internet in Asia Pacific.

The final technical report is available for review here.

Report available! Connecting the Unserved – Bhutan’s First Trial with TV White Spaces

This project, led by Tshering Norbu from NANO, conducted Bhutan’s first trial with emerging TV White Space (TVWS) technology to deliver broadband Internet access to the unserved areas and determine its appropriateness or not in Bhutan where the terrains are mountainous, thickly forested and rugged, and where building wired network infrastructures is technically and commercially challenging.

NANO is one of the only three fully-fledged (Tier-1 category by Bhutan’s standard) ISPs in Bhutan licensed to establish international connectivity and cover nationwide. They own an independent international gateway, international connectivity and domestic networks built on the backbone of latest DWDM and fiber technologies including access networks which are completely on fiber. A young entrepreneurial startup founded by the top-notch management and technical team that brought Internet and telecommunications (specifically FTTx services) development in Bhutan. As of today, they operate only in three major cities in Bhutan with a focus on providing services to the selected segment of the corporate and enterprise customers.

The project implementation timeline was initially scheduled for 8 months – set to start from around 3rd week of October 2018 and complete by June 2019. TVWS was completely new to us being in its early stage of an emerging technology. We researched and studied including case studies of its deployments, and identified potential Original Equipment Manufacturers (OEMs) who were also limited in number. We shortlisted and evaluated three TVWS manufacturers: Carlson Wireless Technologies (US), Runcom Communications (Israel) and Saankhya labs (India). We chose Carlson Wireless. When we were finalizing Bill of Materials after a long design discussion and negotiation with them, we learnt they had long lead time, delay and some cases of even failing to manufacture/supply. That put huge dent to our implementation time. We did not risk and had to switched to another OEM, Redline Communications (Canada) – who carried good recommendation on their company’s credibility and technology performance. Then playing order to Redline who manufactured and supplied/delivered based only on the order consumed several months. We could complete installation of the final site of the total five deployments in March 2020. The entirely in all activities extended our project implementation timeline to 16 months.

Major activities included: field survey of two base stations and selecting only one, seven client sites survey and selecting only five; study, evaluation and selection of TVWS OEM; ordering and supply/delivery of equipment; making sites readiness; actual installation, implementation and commissioning of networks – for provisioning Internet; providing support assistance and monitoring of network performances for evaluation.

The final report is available to review here.

Report available! Establishment of a Carrier Neutral Software-Defined IXP

The project led by Zartash Afzal Uzmi, from the SBA School of Science and Engineering at Lahore University of Management Sciences (LUMS) finalized their project and submitted their technical report.

Internet exchange points (IXP) are a critical piece of the Internet infrastructure that enable ISP networks to exchange traffic with each other. The Internet has more than 300 IXPs worldwide. IXPs offer a number of benefits including cost savings, better performance, and security. Traditional IXPs do not leverage the modern networking evolution offered by Software-Defined Networking (SDN).

This project aims to develop and deploy a Software-Defined IXP (SDX), using recent advances in SDN to allow operators to enable novel applications such as application-specific peering, traffic redirection through middleboxes, and inbound traffic engineering. We have already created a working prototype of SDX, comprising a route server (Quagga Application), Two (2) ISPs (2 PCs with Quagga BGP configurations), Aruba Openflow switch and Ryu Controller. Two novel peering applications have also been implemented on this SDN-based IXP.

To support the management and configuration of novel peering applications, we have developed a new package to SDN-enable the “IXP Manager” which is a web-based peering portal used by 79 traditional, non-SDN based, IXPs worldwide. Our package integrates with an open-source version of a traditional IXP Manager and allows configuring SDN-based applications through the peering web portal. This retrofitted IXP Manager will not only be useful for upcoming SDN-based IXPs, particularly in developing countries, but will also be useful for the existing IXPs worldwide as they introduce SDN capabilities within their infrastructure.

While the development work of the project has been completed, we will continue exploring avenues for large-scale deployment. As a first step in this direction, this project centered on Pakistan IXP; a future goal will be to use it as a testbed for full-scale deployment, testing, and evaluation. We will also continue to carry out training programs to prepare additional human resource in managing IXPs as well as in using SDN controllers. An additional future direction stemming from this project is to build a sustainable basis of discussion, collaboration, and training programs between least developed countries around SDN, IXPs, and other emerging technologies.

The establishment of an SDN-based IXP stands to bring down operating costs of IXPs via automatic configuration management and dynamic policy assignment. The SDN-based IXP platform developed in this project will also uncover the empirical data highlighting the benefits of IXP, particularly in the developing world, by measuring the inter-ISP traffic volumes. We further aim (as a future goal) to study the traffic types to estimate the growth in content hosted locally, or moved over from international to local hosting. Our project will eventually be useful for persuading popular large-volume publishers (Facebook, Netflix, YouTube, etc.) and content distribution networks (CDNs) to establish their local presence within the country and peer at the IXPs in Pakistan. This project will further allow the Pakistan IXP team to right size the future IXPs (in Karachi and Lahore) and scale the one in Islamabad. The knowledge of “where” the traffic is destined and downloaded from “outside the country” will motivate additional local and international cloud service providers to get interested in hosting their platforms within the region.

The report is publicly available.