Report available! Modelling and identifying IP address space fragmentation pressure points

Despite exhaustion of the IPv4 address space commencing in 2011, the Internet has largely not transitioned to IPv6, and in fact the rate of IPv6 diffusion has recently begun to slow down (Huston, 2018). The IPv6 transition is expected to take decades, and hence problems stemming from the lack of scalability of IPv4 will continue to affect the Internet for many years to come.

Indeed, the number of allocated IPv4 address blocks continues to grow; this is enabled by the subdivision of existing allocations into multiple blocks, and is argued to allow unused or under-utilised address space to be moved to other organisations with greater need. The amount of address space which could potentially be reallocated in this way is substantial: the volume of routed IPv4 address space is considerably less than the total allocated IPv4 address space (Richter et al., 2015), suggesting that there is a considerable amount of unused address space which could potentially be transferred to other network operators.

This typically involves partitioning existing IPv4 address blocks into smaller pieces and transferring some of those pieces to other operators.  In some cases operators re-number their networks to free up contiguous address space which is subsequently transferred; while this can result in more effective use of address space it also results in BGP routing table growth, one of the major scaling issues facing the Internet today (Gamba et al., 2017).  In other cases network operators could migrate whole networks from public to private address space and deploy NAT before transferring address space elsewhere.

Continuing the current practice of dividing address space into ever-smaller allocations while increasingly relying on NAT not only presents challenges for IPv6 diffusion efforts but will increasingly create ‘pressure points’ in economies or regions where allocations are smaller.  Further, it also increases the prevalence of layered NAT (sometimes dubbed ‘double NAT’), which can not only lead to a range of operational problems but which has security implications including the creation of attack points to be targeted by malicious parties and increasing the difficulty of identifying hosts involved in botnet activity (BITAG, 2012).  Nevertheless, there has been nothing to suggest that the practice will end in the foreseeable future.

There has been no modelling to identify economies or regions likely to be first affected by such pressure points, or for how long this practice can continue.  This project will develop a statistical model of the process, thus allowing countries at greatest risk to develop mitigation strategies, providing clarity to the Internet community, and providing stakeholders tasked with stimulating IPv6 diffusion with a better understanding of differences between different countries and economies.

The final report is available here.

Report available! Collaborative Honeynet Threat Sharing Platform

With the continuous rise of cyber security threats, monitoring potential security threats and attacks has become essential for planning cyber defense. A honeypot, a decoy system designed to lure attackers, has been used to track and learn attackers' behavior. Collecting attackers' interactions with honeypots at different locations inside different organizations' premises provides a more useful and complete picture of the current cyber security threat landscape. The logs of attacks on the honeypots become essential cyber security threat information that can be shared with security incident analysts at many different organizations to provide relevant and contextual threat intelligence. The goal of this project is to develop and implement a collaborative honeynet threat sharing platform that can collect, store, add contextual information pertaining to the threat, and share this threat information with the relevant organizations. This project continues the previous year's project, with additional types of honeypots being added to the collection of honeypot sensors. In addition, new threat categories, threat purposes and threat phases are added to define more fine-grained secure shell (SSH) attacks seen in our honeypots. With the new public dashboard now ready for public view, our hope is that more organizations in Indonesia, as well as organizations in ASEAN countries, will be interested in participating in the project in a collaborative effort to share and exchange threat information, which could potentially be used as a cyber defense platform for each of the participating organizations.

The project achieved the following objectives:

  1. Develop a collaborative repository platform for storing honeynet-based threat information. The project allows any individual or organization to participate in community-based threat information sharing based on the honeynet system. Four honeypots are currently implemented: cowrie, Dionaea, Elastichoney and conpot.
  2. Redesign and develop a more robust repository and visualization platform that allows security analysts to add to and enrich existing security threat information with the results of their analysis of the security events or of objects related to the events. The robust repository platform uses a MongoDB cluster database, while the visualization platform also uses a cluster setup to distribute search tasks across cluster servers, improving the overall user experience of the platform.
  3. An enhanced platform that allows organizations to share and exchange security threat information with other organizations. The platform enables the threat information to be exchanged with the cyber security community through TAXII services in a standardized format, or through the open-source Malware Information Sharing Platform (MISP).
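The pipeline the three objectives describe (collect honeypot events, enrich them with context, share them in a standardized format) can be illustrated end to end. The following is an added example and not code from the ISIF Asia page or from the IHP/SGU platform: it parses constructed Cowrie SSH honeypot events, aggregates them per source address, assigns a phase from a hypothetical taxonomy (the project's own categories, purposes and phases are not listed on the page), attaches a constructed sensor context, and emits a STIX 2.1 bundle, STIX being assumed here as the standardized format carried over TAXII. The Cowrie field names (`eventid`, `src_ip`, `session`, `timestamp`, `username`, `password`, `input`) follow Cowrie's JSON log format; everything else is an assumption of this example.

```python
"""Enrich Cowrie SSH honeypot events and emit them as a STIX 2.1 bundle.

Added example; not code from the ISIF Asia page or from the IHP/SGU platform.
Assumptions: the event fields used follow Cowrie's JSON log format; the phase
labels and the sensor context are a hypothetical taxonomy constructed here;
STIX 2.1 is assumed as the sharing format carried over TAXII.
"""
import json
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Cowrie events (newline-delimited JSON); not real traffic.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.5","session":"a1","timestamp":"2021-03-01T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"root","password":"123456","timestamp":"2021-03-01T10:00:01.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.5","session":"a1","username":"root","password":"admin","timestamp":"2021-03-01T10:00:02.000000Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.5","session":"a1","username":"root","password":"toor","timestamp":"2021-03-01T10:00:03.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"a1","input":"uname -a","timestamp":"2021-03-01T10:00:04.000000Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.5","session":"a1","input":"cat /proc/cpuinfo","timestamp":"2021-03-01T10:00:05.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"admin","password":"admin","timestamp":"2021-03-01T10:05:00.000000Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.9","session":"b2","username":"admin","password":"password","timestamp":"2021-03-01T10:05:01.000000Z"}
"""

# Hypothetical sensor context added at enrichment time (constructed values).
SENSOR_CONTEXT = {"sensor_id": "sensor-jakarta-01", "organization": "example-org", "honeypot": "cowrie"}


def parse_events(raw):
    """Parse newline-delimited JSON events; a malformed line must not abort the batch."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "src_ip" in ev and "timestamp" in ev:
            events.append(ev)
    return events


def _new_summary():
    return {"failed": 0, "success": 0, "commands": [], "first_seen": None, "last_seen": None}


def summarize_by_source(events):
    """Aggregate events per source IP: login outcomes, commands run, time span."""
    summary = defaultdict(_new_summary)
    for ev in events:
        s = summary[ev["src_ip"]]
        ts = ev["timestamp"]  # ISO 8601 with Z suffix, so string order is time order
        s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
        s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            s["failed"] += 1
        elif eid == "cowrie.login.success":
            s["success"] += 1
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return dict(summary)


def classify_phase(s):
    """Hypothetical phase taxonomy: how far the attacker got on the decoy."""
    if s["commands"]:
        return "post-login-activity"
    if s["success"]:
        return "credential-success"
    if s["failed"]:
        return "credential-brute-force"
    return "connection-only"


def to_stix_indicator(src_ip, s, context, now=None):
    """Build a STIX 2.1 indicator for one source IP with the enrichment in its description."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    phase = classify_phase(s)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": stamp,
        "modified": stamp,
        "name": f"SSH honeypot activity from {src_ip}",
        "description": (f"phase={phase}; failed_logins={s['failed']}; successful_logins={s['success']}; "
                        f"commands={len(s['commands'])}; sensor={context['sensor_id']}; "
                        f"org={context['organization']}; last_seen={s['last_seen']}"),
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{src_ip}']",
        "pattern_type": "stix",
        "valid_from": s["first_seen"],
        "labels": [phase, context["honeypot"]],
    }


def build_bundle(raw, context):
    """Parse, aggregate, enrich and wrap everything in one STIX bundle for sharing."""
    summary = summarize_by_source(parse_events(raw))
    objects = [to_stix_indicator(ip, s, context) for ip, s in sorted(summary.items())]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_LOG, SENSOR_CONTEXT), indent=2))
```

The per-source aggregation is what turns raw sensor noise into something an analyst at another organization can act on: one indicator per source with the phase reached, rather than one record per failed password. The bundle is plain JSON, so it can be handed to a TAXII server or imported into MISP without further conversion.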

The project was led by Charles Lim, from Swiss German University (SGU), and builds on years of collaboration to support the Honeynet project Indonesia Chapter (IHP), in partnership with the Ministry of Communication and Informatics (KOMINFO) and Badan Siber & Sandi Negara (BSSN). It is also an expansion of a previous ISIF Asia grant allocated in 2019.

The final report is available here.

Report Available! Experiment and improve reinforcement learning algorithms to enhance anomalous network behaviour detection

Cybersecurity is a significant research area because operations in government, the military, commerce, finance and civilian life all gather, process, transfer and store tremendous volumes of data on computers and other devices. Cyber-attacks have imposed increasing threats and damage on our modern society at all levels. A Network Intrusion Detection System (NIDS) is one of the major techniques for preventing cyber-attacks occurring in network traffic. Over the past decade, a lot of research work has been conducted to explore the capabilities of artificial intelligence (AI) methods in developing NIDS solutions. Previous studies suggest that AI algorithms have promising potential for developing effective solutions to detect the increasing attacks.

The TeleMARS R&D team is committed to advancing AI-based methods, exploring realistic approaches to deploying the research outcomes in real network environments, and supporting on-going research in the wider community to achieve long-term sustainable development. The key objectives of this project were to:

  • contribute to the development of NIDS;
  • contribute to research community in the subject of anomaly detection;
  • establish a practical collaboration framework to enable scientists and IT professionals from diverse background to work together to continuously contribute to NIDS research;
  • test and prove TeleMARS operation and technical frameworks, and the team capabilities; and
  • inspire and enable the participation of the broader research community in the cybersecurity domain, supporting gender equality and inclusion.

This project started in September 2020 and finalized in June 2021. The main activities included:

  • Literature review and project design.
  • Data analysis and preparation.
  • Anomaly detection model development using Machine Learning methods including Reinforcement Learning method.
  • Model experimentation.
  • Establishment of evaluation pipelines to simulate real application environments.
  • Model capability evaluation applying different datasets.
  • Implementation of a collaboration framework supporting the research activities conducted by researchers and professionals with various backgrounds.

The final technical report is available for review here.

2020 ISIF Asia Grant recipients announced

ISIF Asia has awarded USD 120,000 to four organizations to support network operations research and development for the benefit of the region.

2020 Internet Operations Research Grant Recipients

Four grants of USD 30,000 each were allocated to four research and development projects focused on the availability, reliability, and security of the Internet, with a particular focus on practical solutions around operational stability and security. The 2020 ISIF Asia Grant Recipients and the main focus of their projects are:

Open Lawful Intercept for Asia Pacific. University of Waikato. New Zealand. To support further development and expand adoption in the Asia Pacific of OpenLI, the only open source software capable of meeting the ETSI standards for lawful interception.

IPv6 Deployment at Enterprises. IIESoc. India. To work collaboratively with a nonprofit industry consortium in the United States, Industry Network Technology Council (INTC), to address the issue of IPv6 adoption at large brick-and-mortar enterprises in the APAC region.

Collaborative Honeynet Threat Sharing Platform. Swiss German University (SGU), Badan Siber & Sandi Negara (BSSN) and Indonesia Honeynet Project (IHP). Indonesia.
This project aims to extend the design of the existing Honeynet Threat Sharing Platform to provide a broader range of honeypot support, a more complete threat database and threat correlation to allow organizations to easily share information with each other in a consistent format in ASEAN economies.

Experiment and improve reinforcement learning algorithms to enhance anomalous network behaviour detection. TeleMARS Pty Ltd. Australia. To research various machine learning algorithms that may effectively monitor, analyze, and detect anomalous traffic at devices connections, and/or anomalous traffic at routers/links. This project will investigate how reinforcement learning algorithms such as GANs would perform against other machine learning algorithms such as classification, statistical and deep learning algorithms.

The APNIC Foundation and ISIF Asia thank all applicants for sharing their ideas, the Selection Committee members for their hard work, and APNIC for its generous funding contributions for 2020.

Report Available! Honeynet Threat Sharing Platform

This project was led by Charles Lim from the Swiss German University in Indonesia, in collaboration with the Indonesia Honeynet Project and Badan Siber dan Sandi Negara.

With the continuous rise of cyber security threats, monitoring potential security threats and attacks has become essential for planning cyber defense. A honeypot, a decoy system designed to lure attackers, has been used to track and learn attackers' behavior. Collecting attackers' interactions with honeypots at different locations inside different organizations' premises provides a more useful and complete picture of the current cyber security threat landscape. The logs of attacks on the honeypots become essential cyber security threat information that can be shared with security incident analysts at different organizations to provide relevant and contextual threat intelligence.

The objective of this research was to provide a sharing platform for any organization in Indonesia (later applicable to ASEAN and/or Asia Pacific countries) to share security threat information, collected using honeypots deployed in that organization, with other organizations in Asia Pacific. To start with, the research began by developing and sharing the security threat information collected from different provinces with all related organizations in Indonesia.

The project is open to any researchers (men or women) who are interested in helping to build a better security posture in their respective countries or in any Asia Pacific country. This is the first time we have combined research effort between government, education institutions and the cyber security community to build a security threat information platform. The completed project is expected to make significant contributions not only to participation in security threat information sharing but also to the overall security posture of the Internet in Asia Pacific.

The final technical report is available for review here.

Report available! Establishment of a Carrier Neutral Software-Defined IXP

The project led by Zartash Afzal Uzmi, from the SBA School of Science and Engineering at Lahore University of Management Sciences (LUMS) finalized their project and submitted their technical report.

Internet exchange points (IXP) are a critical piece of the Internet infrastructure that enable ISP networks to exchange traffic with each other. The Internet has more than 300 IXPs worldwide. IXPs offer a number of benefits including cost savings, better performance, and security. Traditional IXPs do not leverage the modern networking evolution offered by Software-Defined Networking (SDN).

This project aims to develop and deploy a Software-Defined IXP (SDX), using recent advances in SDN to allow operators to enable novel applications such as application-specific peering, traffic redirection through middleboxes, and inbound traffic engineering. We have already created a working prototype of SDX, comprising a route server (Quagga application), two ISPs (two PCs with Quagga BGP configurations), an Aruba OpenFlow switch and a Ryu controller. Two novel peering applications have also been implemented on this SDN-based IXP.

To support the management and configuration of novel peering applications, we have developed a new package to SDN-enable the “IXP Manager” which is a web-based peering portal used by 79 traditional, non-SDN based, IXPs worldwide. Our package integrates with an open-source version of a traditional IXP Manager and allows configuring SDN-based applications through the peering web portal. This retrofitted IXP Manager will not only be useful for upcoming SDN-based IXPs, particularly in developing countries, but will also be useful for the existing IXPs worldwide as they introduce SDN capabilities within their infrastructure.

While the development work of the project has been completed, we will continue exploring avenues for large-scale deployment. As a first step in this direction, this project centered on the Pakistan IXP; a future goal will be to use it as a testbed for full-scale deployment, testing, and evaluation. We will also continue to carry out training programs to prepare additional human resources for managing IXPs as well as for using SDN controllers. An additional future direction stemming from this project is to build a sustainable basis for discussion, collaboration, and training programs between least developed countries around SDN, IXPs, and other emerging technologies.

The establishment of an SDN-based IXP stands to bring down operating costs of IXPs via automatic configuration management and dynamic policy assignment. The SDN-based IXP platform developed in this project will also uncover the empirical data highlighting the benefits of IXP, particularly in the developing world, by measuring the inter-ISP traffic volumes. We further aim (as a future goal) to study the traffic types to estimate the growth in content hosted locally, or moved over from international to local hosting. Our project will eventually be useful for persuading popular large-volume publishers (Facebook, Netflix, YouTube, etc.) and content distribution networks (CDNs) to establish their local presence within the country and peer at the IXPs in Pakistan. This project will further allow the Pakistan IXP team to right size the future IXPs (in Karachi and Lahore) and scale the one in Islamabad. The knowledge of “where” the traffic is destined and downloaded from “outside the country” will motivate additional local and international cloud service providers to get interested in hosting their platforms within the region.

The report is publicly available.

Report available! A novel graph analytics theory model to mitigate IoT botnets attacks for big data

The project led by Raihana Syahirah Abdullah, from the Faculty of Information Technology and Communication at the Universiti Teknikal Malaysia Melaka (UTeM) finalized their project and submitted their technical report.

The research focused on extracting parameters from raw infection code using a reverse engineering approach, as well as characterising the behaviours of IoT botnets. The main objective of the research was to develop a new model for detecting IoT botnets using a graph analytics theory model, with analysis of the selection of the most influential features. The output of this research is a scheme that is able to remove and quarantine suspicious code, and to detect behaviour changes in IoT devices. The model can also be used as a security tool to discover the real behaviours of IoT botnets from the raw infection code that exists in particular IoT devices and machines.

The report is publicly available.

Report available! A peering strategy for the Pacific Islands

Many telecommunications networks in the Pacific interconnect not directly but via international carriers in the United States or Australia. This has a profound impact on both the cost and the performance of regional traffic. While web traffic is slowed, real-time collaborations are rendered unusable, creating barriers for inter-island collaboration.

Governments, competitive carriers, Internet societies, and activists argue that direct interconnection, or peering, is the answer to these performance problems. They believe that if competitive networks are allowed to exchange traffic free-of-charge with incumbent networks, the cost of Internet will go down, and performance will go up.

Incumbent networks throughout the Pacific steadfastly refuse to openly peer with other carriers, education networks, and government networks – and a change in this behaviour is not in sight. Not only do they refuse to peer, they sometimes charge their competitors more for direct access to their networks than competitors pay for global Internet connectivity. Competitors, activists, and even governments say this is a clear violation of network neutrality. This project investigating carrier interconnections in the Pacific has shown the situation to be far more nuanced.

This project’s objective was to share research collected during an earlier iteration of the project via the web in a dynamic way. This included information on physical and routed topologies, telecommunications market data, and information on the relationships Pacific Island nations have with the rest of the world.

In support of these objectives, the project has produced a website that reviews the telecommunications environment of the Pacific Islands. The site looks at each market’s connectivity to the world: telecommunications, sea freight, air routes, and trade. It provides real-time statistics on carrier market share. Finally, it considers the complexity of island telecommunications through a composite case study on peering.

The report is publicly available.

Report available! RPKI Monitor and Visualizer for Detecting and Alerting for RPKI Errors

Dr. Di Ma from the Internet DNS Beijing Engineering Research Center (ZDNS) has completed the report for one of the grants that was allocated in 2018 for implementation in 2019, titled “RPKI Monitor and Visualizer for Detecting and Alerting for RPKI Errors”.

This project implements an RPKI security mechanism that detects and counters adverse actions in the RPKI, which helps mitigate risks to the global routing system. The mechanism is implemented as two components: the monitor, which detects erroneous or malicious RPKI changes, and the visualizer, which graphically displays the validation process passed to it by the validator and the alert information issued by the monitor.

The project achieved the following objectives:

  • Develop an RPKI Monitor to detect RPKI problems due to mistakes by or attacks against CAs and repositories, and generate alerts to the affected parties to remedy the problems. It also provides suggestions to guide RPs in deciding whether to accept or defer accepting those changes.
  • Develop an RPKI Visualizer to display graphically the validation process and involved RPKI data passed to it by the validator and the alert information issued by the Monitor.
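The monitor objective above, detecting RPKI changes that affect routing and suggesting whether a relying party (RP) should accept or defer them, can be illustrated with the core checks such a monitor performs. The following is an added example and not code from the ZDNS project: it implements RFC 6811 route origin validation against a set of Validated ROA Payloads (VRPs), diffs two VRP snapshots (assumed to be exported by the RP's validator as `(prefix, max_length, origin_asn)` tuples), and raises an alert for every observed route whose validation state changed, with a severity and a suggestion for the RP. The snapshots and routes are constructed from documentation prefixes and private-use ASNs; the "after" snapshot models one ROA disappearing while a new, broader ROA authorises a different origin, which is exactly the kind of change the monitor should surface rather than silently apply.

```python
"""Route origin validation (ROV) and VRP snapshot diffing for an RPKI monitor.

Added example; not code from the ZDNS project on the page. It assumes the
relying-party validator exports Validated ROA Payloads (VRPs) as
(prefix, max_length, origin_asn) tuples and that a "before" and an "after"
snapshot are available; the snapshots and routes below are constructed
(documentation prefixes, private-use ASNs), not real RPKI data. Validation
states follow RFC 6811: valid, invalid, notfound.
"""
import ipaddress

VRPS_BEFORE = {
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("203.0.113.0/24", 24, 64502),
}
# After a repository change: the ROA for 203.0.113.0/24 is gone and a new ROA
# for the covering /22 with max length 24 authorises a different origin AS.
VRPS_AFTER = {
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
    ("203.0.112.0/22", 24, 64599),
}

# Constructed BGP routes seen by the operator: (prefix, origin ASN).
ROUTES = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.128/25", 64501),
    ("198.51.100.0/26", 64501),
    ("203.0.113.0/24", 64502),
    ("203.0.113.0/24", 64599),
    ("10.0.0.0/8", 64503),
]


def rov(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: valid / invalid / notfound for one route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vprefix, max_len, vasn in vrps:
        vnet = ipaddress.ip_network(vprefix)
        if vnet.version != route.version or not route.subnet_of(vnet):
            continue
        covered = True  # at least one VRP covers the route
        if vasn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def diff_vrps(before, after):
    """VRPs that appeared or disappeared between two validator runs."""
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def state_changes(routes, before, after):
    """Observed routes whose ROV state differs between the two snapshots."""
    changes = []
    for prefix, asn in routes:
        old, new = rov(prefix, asn, before), rov(prefix, asn, after)
        if old != new:
            changes.append({"prefix": prefix, "origin_asn": asn, "before": old, "after": new})
    return changes


def alerts(routes, before, after):
    """Monitor output: each state change with a severity and a suggestion for the RP."""
    out = []
    evidence = diff_vrps(before, after)
    for ch in state_changes(routes, before, after):
        if ch["after"] == "invalid":
            severity, advice = "high", "defer accepting the change; confirm with the prefix holder and CA"
        elif ch["before"] == "invalid" and ch["after"] == "valid":
            severity, advice = "medium", "a previously unauthorised origin is now authorised; verify the new ROA"
        else:
            severity, advice = "low", "review"
        out.append({**ch, "severity": severity, "suggested_action": advice, "evidence": evidence})
    return out


if __name__ == "__main__":
    for a in alerts(ROUTES, VRPS_BEFORE, VRPS_AFTER):
        print(a)
```

Two transitions matter most to an RP: a route that was valid becoming invalid (a legitimate prefix holder would be dropped by operators doing ROV, whether the cause is a CA mistake or an attack on the repository) and a route that was invalid becoming valid (an origin that was previously unauthorised is now accepted). Routes that stay invalid or notfound in both snapshots, such as the /26 that exceeds its ROA's maximum length, generate no alert because nothing changed.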

The report is publicly available.

Report available! Scalable Traffic Classification in Internet of Things (IoT) for Network Anomaly Detection

Prof. Winston Seah from the School of Engineering and Computer Science at the Victoria University of Wellington has completed the report for one of the grants that was allocated in 2017 for implementation in 2018, titled “Scalable Traffic Classification in Internet of Things (IoT) for Network Anomaly Detection”.

The project focused on accurate traffic classification in the Internet of Things (IoT). The IoT comprises large numbers of heterogeneous simple devices running single applications, often with little to no security features, making them easily compromised and used as tools in cyberattacks. As we become more connected and reliant on the Internet, any form of disruption in connectivity due to network anomalies can result in adverse consequences, ranging from loss of productivity and revenue to destruction of critical infrastructure and loss of life. In the last decade, cyberattacks have increased at an alarming rate, even just based on the reported incidents. We need to be able to classify new traffic types coming from IoT devices accurately and promptly, so that anomalous traffic can be identified and dealt with quickly.

Payload-based (PB) techniques, although they can reach high accuracy, suffer from several limitations. The limitations of PB classification are expected to be addressed by statistical-based (SB) techniques. SB approaches are based on flow features, and the traffic is classified using Machine Learning algorithms (MLAs). SB classification assumes that specific flow-level features such as flow duration, inter-arrival time, transmitted bytes, packet length and packet size can distinguish different types of traffic flows. We studied how unsupervised machine learning can be applied to network anomaly detection in the dynamic IoT environment, where previously unencountered traffic types and patterns are regularly emerging and need to be identified and classified. This project involved the study and selection of appropriate MLAs (to be implemented as a proof-of-concept prototype) and the identification of those flow features which have the highest impact on traffic classification accuracy. This project contributes to making safer the cyber-physical systems that are an integral component of the IoT.
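The SB approach described above rests on two steps: turning packets into per-flow statistical features, and letting an unsupervised algorithm separate the flows that look like nothing seen before. The following is an added example and not code from the VUW project: it computes the flow features the text names (flow duration, inter-arrival time, transmitted bytes, packet count and packet length) from constructed packet records, then scores each flow with a robust (median/MAD) z-score outlier detector. That detector is a simple unsupervised baseline chosen here for illustration; the page does not state which MLAs the project selected. All packet data is constructed: five IoT sensors publishing small periodic readings to a broker, plus one device pushing a rapid, large-packet burst to an external host.

```python
"""Flow-feature extraction and unsupervised anomaly scoring for IoT traffic.

Added example; not code from the VUW project on the page. It builds the
statistical flow features the text names from constructed packet records and
scores flows with a robust z-score outlier detector (median / MAD), a simple
unsupervised baseline used here only for illustration. All packet data is
constructed.
"""
from collections import defaultdict
from statistics import mean, median

FEATURES = ["duration", "mean_iat", "bytes", "packets", "mean_len"]


def constructed_packets():
    """Constructed packet records: (time_s, src, dst, sport, dport, proto, length_bytes)."""
    pkts = []
    # Five IoT sensors, each publishing 20..24 small readings every ~2 s to an MQTT broker.
    for i in range(5):
        src = f"10.0.0.{10 + i}"
        interval = 2.0 + 0.05 * i
        for k in range(20 + i):
            pkts.append((k * interval + i * 0.1, src, "10.0.0.1", 40000 + i, 1883, "tcp", 80 + (k % 3) * 4))
    # One device pushing a large, rapid burst to an external host (constructed anomaly).
    for k in range(150):
        pkts.append((5.0 + k * 0.01, "10.0.0.15", "203.0.113.7", 41000, 80, "tcp", 1400))
    return pkts


def extract_flows(packets):
    """Group packets by 5-tuple and compute the per-flow statistical features."""
    by_flow = defaultdict(list)
    for t, src, dst, sport, dport, proto, length in packets:
        by_flow[(src, dst, sport, dport, proto)].append((t, length))
    flows = {}
    for key, recs in by_flow.items():
        recs.sort()
        times = [t for t, _ in recs]
        lengths = [n for _, n in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]  # inter-arrival times
        flows[key] = {
            "duration": times[-1] - times[0],
            "mean_iat": mean(gaps) if gaps else 0.0,
            "bytes": sum(lengths),
            "packets": len(lengths),
            "mean_len": mean(lengths),
        }
    return flows


def robust_zscores(flows):
    """Per flow, the largest robust z-score over all features (median / MAD scaling)."""
    keys = list(flows)
    scores = {k: 0.0 for k in keys}
    for f in FEATURES:
        values = [flows[k][f] for k in keys]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # 1.4826 * MAD estimates the standard deviation for normal data; if the
        # majority of flows are identical (MAD == 0) fall back to relative deviation.
        scale = 1.4826 * mad if mad > 0 else (abs(med) or 1.0)
        for k, v in zip(keys, values):
            scores[k] = max(scores[k], abs(v - med) / scale)
    return scores


def flag_anomalies(flows, threshold=3.5):
    """Flows whose robust z-score exceeds the usual modified z-score cutoff of 3.5."""
    scores = robust_zscores(flows)
    return sorted(k for k, s in scores.items() if s > threshold)


if __name__ == "__main__":
    flows = extract_flows(constructed_packets())
    for key, feats in flows.items():
        print(key, feats)
    print("anomalous flows:", flag_anomalies(flows))
```

Because the detector compares each flow against the median behaviour of its peers rather than against labelled examples, a traffic type never seen before still stands out as long as it differs in at least one of the features; the trade-off, and the reason the project studied feature selection, is that features with little spread (here the mean packet length of the sensors) can turn small jitter into false alarms once the scale shrinks.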

The report is publicly available.