A Type of Network Attack in Which Traffic Is Captured and Sent Again by the Attacker to the System.
Passive Attack
Authentication Systems
Christophe Kiennert, ... Pascal Thoniel, in Digital Identity Management, 2015
3.1.3.2 Typology of network attacks
Attacks on networks may be classified and differentiated by type in order to obtain a more detailed judgment of the solidity of protocols and architectures, notably those used for authentication. These attacks may be grouped into two complementary categories: active attacks, which involve an injection of traffic by the attacker, and passive attacks, based on spying on communications.
Passive attacks are relatively scarce from a classification perspective, but can be carried out with relative ease, particularly if the traffic is not encrypted. There are two types of passive attacks:
- eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities. For the attack to be useful, the traffic must not be encrypted. Any unencrypted information, such as a password sent in response to an HTTP request, may be retrieved by the attacker.
- traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce information relating to the exchange and the participating entities, e.g. the form of the exchanged traffic (rate, duration, etc.). In the cases where encrypted data are used, traffic analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain data or succeed in decrypting the traffic.
Active attacks take a wider variety of forms, with an almost endless number of possibilities. In an active attack, the attacker is involved in a communication, either by sending or modifying messages. The main types of active attacks are as follows:
- replay: this attack consists of recording a series of messages exchanged by two entities, typically a client (the victim) and a server, in order to play them back as-is to the same server with the aim of obtaining access to protected resources, for example. This attack type works on encrypted conversations, unless additional countermeasures have been taken. These countermeasures generally have the form of random number exchanges or time stamping.
- denial-of-service: in this case, the attacker aims to exhaust the network or system resources of a machine. One well-known variant is the distributed denial of service (DDoS), where a large number of zombie (malware-compromised) machines are used to generate a very large amount of traffic for a given target.
- man in the middle (MITM): in this case, the attacker relays communications between victims, in each case pretending to be the other legitimate correspondent. The attacker therefore intercepts all messages and is able to alter them before transmission to the true recipient, as shown in Figure 3.1. MITM attacks are hard to prevent from a theoretical perspective. When designing a protocol including countermeasures, these measures lead the protocol to question the identity of the correspondent during the authentication process itself; this prevents production of a proof of identity. By definition, all password-based protocols, including OTPs, are therefore vulnerable to MITM attacks.
Figure 3.1. Man in the middle principle
Brute force attacks also fall into this category. In this case, the attacker aims to obtain a secret code by testing all possible combinations; this is only efficient in cases with a relatively limited number of possibilities. Dictionary attacks also fall into this category, targeting passwords by testing dictionary terms and close derivatives.
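The two replay countermeasures named in the list above, a random number and time stamping, can be combined as in the following added example (not code from the book excerpt): each message carries a timestamp and a nonce under an HMAC, and the server accepts an authentic message only once. The shared key, the 30-second window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

MAX_SKEW = 30   # seconds a message stays acceptable (assumed policy value)
TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def seal(key: bytes, payload: bytes, now: float,
         nonce: Optional[bytes] = None) -> bytes:
    """Client: timestamp || nonce || payload || HMAC-SHA256 over all three."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    header = struct.pack(">Q", int(now)) + nonce
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def mac_only_accept(key: bytes, message: bytes) -> bool:
    """Weak server: checks authenticity only, so a recorded message
    played back as-is is accepted again."""
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


class ReplayGuard:
    """Hardened server: message must be authentic, fresh, and not seen before."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[bytes, int] = {}   # nonce -> timestamp it arrived with

    def accept(self, message: bytes, now: float) -> Tuple[bool, str]:
        if len(message) < TS_LEN + NONCE_LEN + TAG_LEN:
            return False, "malformed"
        # Authenticate first: timestamp and nonce are trusted only once the MAC verifies
        if not mac_only_accept(self.key, message):
            return False, "bad-mac"
        (ts,) = struct.unpack(">Q", message[:TS_LEN])
        nonce = message[TS_LEN:TS_LEN + NONCE_LEN]
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        # Forget nonces whose timestamp would now be rejected as stale anyway,
        # which keeps the cache bounded by the traffic of one time window
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    key = b"\x01" * 32                      # constructed shared key
    captured = seal(key, b"GET /account", now=1000)
    guard = ReplayGuard(key)
    return [
        mac_only_accept(key, captured),     # first delivery
        mac_only_accept(key, captured),     # replay accepted by the weak server
        guard.accept(captured, now=1001),   # first delivery
        guard.accept(captured, now=1002),   # replay inside the window
        guard.accept(captured, now=1100),   # replay after the window
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The nonce cache only has to cover one time window because anything older is already refused by the timestamp check; the two countermeasures are complementary rather than redundant.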
URL: https://www.sciencedirect.com/science/article/pii/B9781785480041500031
Vulnerability Identification
Thomas Wilhelm , in Professional Penetration Testing, 2010
System Identification
Now that we know what ports are open on our target systems, we can try and identify the OS of our target. Most application exploits are written for a specific OS (even language pack in some cases), so finding out the OS is essential if we want to identify possible vulnerabilities on our target.
Active OS Fingerprinting
Nmap can scan a system and identify the OS based on various findings. In Figure 10.16, we see the result of an OS scan against the target 192.168.1.100. Nmap has identified the OS as Linux 2.6 and gives us a range of versions to work with.
FIGURE 10.16. Nmap OS Scan
Another tool we can use is xprobe2, which performs similar tasks as Nmap. In Figure 10.17, we can see a portion of the scan results using xprobe2 when given the command: xprobe2 -p tcp:80:open 192.168.1.100. The results are confirmed as before – it seems the target is using a version of Linux 2.6.
FIGURE 10.17. Results of xprobe2 Scan
An additional method of identifying a host OS is to look at the applications running on the host itself. We will see an example of an application providing OS information later in this chapter.
Passive OS Fingerprinting
Identifying a target system's OS passively requires a lot of patience. The objective behind passive OS fingerprinting is to capture TCP packets stealthily, which contain window size and Time to Live (TTL) data, and then analyze the packets to guess the OS manually. The problem is passive attacks on a network are sometimes difficult – unless the target system needs to communicate with the attack system directly (which pushes the attack out of the definition of "passive") or the attacking system is able to collect all packets traveling across the network, there is no easy way to obtain the data needed.
Are You Owned?
Passive Attacks
Passive attacks during a penetration testing project are a great way to stay undetected by network and system administrators. Unfortunately, they are also used extensively by malicious attackers. To defend against passive attacks, make sure that the network is a "switch" network, ensuring packets are properly directed to the correct system – not sent to all systems in the network.
If we are lucky enough to obtain access to TCP packets (by having access to a router or another system), we would see the results found in Figure 10.18 using the p0f application.
FIGURE 10.18. p0f Scan
Another technique we could use is Address Resolution Protocol (ARP) poisoning to force the target system to talk with us. Repeating the above scenario, we will use an additional tool – arpspoof. In Figure 10.19, we make arpspoof announce to our target (192.168.1.100) that our attack system is the network gateway (192.168.1.1). We would let arpspoof run until p0f confirmed the OS; in Figure 10.19, we see what happens when arpspoof is terminated – the ARP table of the target system is given the correct Media Access Control (MAC) address of the gateway (as seen in Figure 10.5), clearing the target's ARP cache.
FIGURE 10.19. ARP Poisoning Attack
To verify that the ARP poisoning really works, we can look at the target system's ARP cache, as seen in Figure 10.20. We see that our target system believes that the attack system and the gateway have the same MAC address. The result is that any time our target wants to send data through the default gateway, it will instead send data to our attack system and then the attack system will send it out to the correct gateway system, acting as a man-in-middle to avoid detection.
FIGURE 10.20. ARP Cache of Target System
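The symptom described above, two IP addresses in the target's ARP cache resolving to one MAC address, is also what a defender can check for. The following added example (not from the book) parses ARP cache output and reports it; the gateway address 192.168.1.1 comes from the text, while the MAC addresses, the second host 192.168.1.50 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5}\b")

# Constructed sample: Linux `arp -a` output from a poisoned host
POISONED_LINUX = """\
? (192.168.1.1) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.50) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.1.20) at 00:1b:21:0a:0b:0d [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""

# Constructed sample: Windows `arp -a` output from a healthy host
CLEAN_WINDOWS = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1b-21-0a-0b-0c     dynamic
  192.168.1.50          00-0c-29-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""


def normalise_mac(mac):
    """Lower-case, colon-separated, zero-padded (handles 0:c:29 and 00-0C-29)."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))


def is_unicast(mac):
    """Broadcast and multicast MACs legitimately map to many IPs; skip them."""
    return int(mac[:2], 16) & 1 == 0


def parse_arp_cache(text):
    """Return {ip: mac} from `arp -a`, `arp -n` or `ip neigh` style output."""
    entries = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not ip or not mac:          # headers, <incomplete> entries
            continue
        mac = normalise_mac(mac.group())
        if is_unicast(mac):
            entries[ip.group()] = mac
    return entries


def shared_macs(entries):
    """Return {mac: [ips]} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(text, gateway_ip, pinned_mac=None):
    """List findings about the gateway entry; an empty list means nothing suspicious."""
    entries = parse_arp_cache(text)
    gw_mac = entries.get(gateway_ip)
    if gw_mac is None:
        return ["gateway %s not in cache" % gateway_ip]
    findings = []
    others = [ip for ip in shared_macs(entries).get(gw_mac, []) if ip != gateway_ip]
    if others:
        findings.append("gateway MAC %s also claimed by %s" % (gw_mac, ", ".join(others)))
    # A known-good MAC recorded out of band catches poisoning even when the
    # impersonating host has no cache entry of its own
    if pinned_mac and normalise_mac(pinned_mac) != gw_mac:
        findings.append("gateway MAC %s differs from pinned %s"
                        % (gw_mac, normalise_mac(pinned_mac)))
    return findings


if __name__ == "__main__":
    for name, sample in (("poisoned", POISONED_LINUX), ("clean", CLEAN_WINDOWS)):
        print(name, check_gateway(sample, "192.168.1.1", "00:1b:21:0a:0b:0c"))
```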
Given enough time, we will gather enough packets that we will get similar results as those found in Figure 10.18. Until then, we are unfortunately creating a denial of service attack against the target system. Unless we establish a communication tunnel with the actual gateway, effectively creating a Man-in-the-Middle (MITM) attack, we increase our chances of discovery.
Warning
Depending on the criticality of the target system, ARP cache poisoning may be unacceptable. ARP poisoning is an aggressive method of intercepting data and can easily cause denial of services. If the objective is to simply identify the OS, ARP poisoning may be too aggressive unless you use it as a man-in-middle scenario.
URL: https://www.sciencedirect.com/science/article/pii/B9781597494250000154
Security for Mobile Ad Hoc Networks
Raja Datta , Ningrinla Marchang , in Handbook on Securing Cyber-Physical Critical Infrastructure, 2012
7.4.1 Passive Attacks
Some types of passive attacks are release of message content and traffic analysis. A malicious node in MANET executes a passive attack, without actively initiating malicious actions. In traffic analysis, the malicious node attempts to learn important information from the system by monitoring and listening on the communication between nodes within the MANET. For instance, if the malicious node observes that the connection to a certain node is requested more frequently than to other nodes, the passive attacker would be able to recognize that this node is crucial for special functions within the MANET, like for example routing. The attacker may then switch its function from passive to active, and attempt to launch an active attack so as to put the crucial node out of operation. It could do so, for example, by performing a DoS attack, to collapse parts of or even the complete MANET. On the other hand, it may pass on the data to an accomplice, which launches the attack.
At other times, a passive attacker might attempt to eavesdrop on traffic between nodes communicating in a MANET to extract data. For instance, the enemy could attempt to launch such an attack to spy on secret data flowing in a MANET deployed in a battlefield.
URL: https://www.sciencedirect.com/science/article/pii/B9780124158153000078
SIP Trunking and PSTN Interconnection
Dan York , in 7 Deadliest Unified Communications Attacks, 2010
Modification
Along with the more passive attack of eavesdropping, an attacker could of course try to get in a position to alter the contents of communication that are flowing across the SIP trunk. As you learned in Chapter 3, "Eavesdropping and Modification," an attacker needs to get directly in the middle of the communication path, but, once that is done, can make changes to whatever flows through the path. Consider, again, the idea of a company interacting with their customers who have called in from the PSTN. What if the attacker were to, for example, inject profanity or insults into the audio stream heard by the customers?
URL: https://www.sciencedirect.com/science/article/pii/B9781597495479000053
Session Hijacking
In Hack Proofing Your Network (Second Edition), 2002
Dsniff
Dsniff is a suite of tools that allow passive attacks and sniffing on TCP sessions. Certain functions, webmitm and sshmitm, also allow this program to do "double duty" for MITM attacks on both SSH1 and SSL connections. It does this by first implementing DNS spoofing (see the "UDP Hijacking" section earlier) with dnsspoof to fool the participating host into thinking that the Secure HTTP (HTTPS) or SSH connection is indeed the host to which they intended to connect.
For example, after an entry for the SSL domain the hacker wants to spoof is added to the dnsspoof hosts file, the webmitm component presents a self-signed certificate to the user with webmitm relaying the sniffed traffic to the real domain. The legitimate domain's reply is sent through the attacker back to the host that requested the session. All subsequent communication on this channel takes place through the attacker's system.
A typical dnsspoof host file contents look something like this:
URL: https://www.sciencedirect.com/science/article/pii/B9781928994701500148
De-Anonymization Techniques for Social Networks
B.K. Tripathy, in Social Network Analytics, 2019
3 De-Anonymization Attacks
There are three types of attacks possible on an anonymized social network such as the following:
- Privacy breach
- Passive attack
- Active attack
3.1 Privacy Breach
Privacy breach deals with identifying nodes and learns the edge relations among them. Passive attack is to observe the released anonymized social network without interfering and is undetectable. Active attack creates some new nodes (e.g., new email accounts) and (patterned) edges among new nodes and to victim nodes. It is hard to detect.
3.2 Passive Attack
A network is studied carefully for loose points or points which can be captured under control easily. The information is gathered about a target node such that except for collecting the information no changes are made in their value or structure. Similar nodes form a group H in a network and an intruder can involve itself as a member in the community which is small and can be identified easily. The intruder can come to a secret agreement with the other k − 1 nodes so that it becomes easier to know about other nodes which are in contact with the nodes in H. Of course, in order that such an attack can be fruitful, all the nodes in H should be aware of themselves and the connectivity inside H such that the members of H know the identity of the nodes outside their group.
3.3 Active Attack
In active attack, before releasing the anonymized network G of n − k nodes an attacker does the following:
- selects a set of b-targeted users
- creates a subgraph H containing k nodes
- attaches H to the targeted nodes
Creating such a subgraph H is called structural steganography.
After the anonymized network is released it performs:
- Find the subgraph H in the graph G
- Follow edges from H to locate b target nodes and their true location in G
Now, it is determined that all edges among these b nodes lead to the breach of privacy.
Finding a subgraph H should have the following characteristics:
- Subgraph H must be uniquely and efficiently identifiable regardless of G
- No other subgraph S ≠ H in G such that S and H are isomorphic
- Subgraph H has no automorphism
3.3.1 Broad Category of Active Attacks
There are two types of active attacks proposed in Ref. [3]. These attacks are concerned with anonymizing social networks using privacy of edges. These attacks are conceived on the notion that the structure and size of the social network can be changed by the adversaries before the network is published. The set of nodes for which the intruder wants to violate their privacy is identified and by creating a few fictitious accounts it connects to all of the target nodes in such a manner that after the publication of the anonymized version, this structure can be easily identified. The intruder creates Sybil nodes (that is, nodes which claim multiple identities in a social network), whose outgoing edges help reidentify nodes. The two categories of active attacks are as follows (Fig. 1):
- walk-based attack
- cut-based attack
Fig. 1. Scenario
In walk-based attack, the steps are:
- Generate subgraph $H = \{x_1, x_2, \ldots, x_k\}$ with $k = \theta(\log n)$
- Link each targeted node $w_i$ to a distinct subset of nodes in H
- Create each edge within H with a probability of 0.5
- Number of compromised nodes $b = \theta((\log n)^2)$
Construction of H can be carried out such that
- H = set of nodes X, size $k = (2 + \delta)\log n$ ($\delta > 0$)
- W = set of targeted users, size $b = O((\log n)^2)$
- External degree for node $x_i$ is $D_i$, where $D_i \in [d_0, d_1]$ such that $d_0 \le d_1 = O(\log n)$
- Each $w_i$ connects to a set of nodes $N_i \subseteq X$.
- Set $N_j$ must be of size at most c = 3 and are distinct across all nodes $w_j$.
Add arbitrary edges from H to G − H to make it $D_i$ for all $x_i$.
Add internal edges in H: edge $\{x_i, x_{i+1}\}$.
Add additional internal edges connecting $\{x_i, x_j\}$ with probability 0.5.
Therefore, each node $x_i$ has total degrees of $D_i' = D_i + \#(\text{internal edges})$.
In cut-based attack, the steps are:
- Theoretical asymptotic lower bound for #new nodes: .
- Randomly generate subgraph $H = \{x_1, x_2, \ldots, x_k\}$ with .
- Number of compromised nodes .
Construction of H can be carried out as follows:
- For $W = \{w_1, w_2, \ldots, w_b\}$, the set of targeted users,
- Create $X = \{x_1, x_2, \ldots, x_k\}$ where k = 3b + 3 nodes.
- Create links between each pair $\{x_i, x_j\}$ with probability = 0.5.
- Choose arbitrary b nodes $\{x_1, x_2, \ldots, x_b\}$.
- Connect $x_i$ to $w_i$.
A comparison between active and passive attack is shown in Table 1.
Table 1. Comparison Between Active and Passive Attack
Passive attack | Active attack |
---|---|
Attackers may not be able to identify themselves after seeing the released anonymized network | More effective. Work with high probability in any network |
The victims are only those linked to the attackers | Can choose the victims |
Harder to detect | Risk of being detected |
The applicability of active attack is limited to small-sized networks and cannot be applied to offline networks.
The intruder has control over the edges coming out of the nodes and has no control over other types of edges. In fact, the legal nodes are not likely to connect to these Sybil nodes. Then, it provides an indication to the network administrator about something fishy and hence he may anticipate a Sybil attack [3].
The next limitation in these attacks is related to the link structure. The social networks which are online work on the principle that the connections between nodes should be both ways so that the information can be available. But, the connections from the added nodes to the existing nodes do not show up in the published network. If the size of active attacks increases, the number of Sybil nodes also increases in a huge fashion, which makes the process infeasible practically.
Again, the passive attacks were also considered in Ref. [3] so that a small group of nodes form an alliance among themselves so that the nodes around them (in a small neighborhood) can be identified by using the existing knowledge and structure of the nodes in the anonymized network. Again, the size of the network to which such attacks can be applied should be very small.
The algorithm proposed in Ref. [3] can be applied to larger sized networks and does not have the assumptions made above and requires a few Sybil nodes to be added.
The privacy protection techniques proposed so far are not that efficient, as either they have some heavy assumptions like the intruders have restricted efficiency or the networks used for testing are small or synthetic ones which are different from the story when it comes to real social networks. One can take for instance the anonymization algorithm proposed in Ref. [4]. It does not take into consideration the background knowledge of the intruder. Nonetheless, somewhat better architectural approaches are used in Refs. [5, 6], an idea which depends on a more sound architecture based on the server-side Facebook application.
For privacy, perhaps the most popular technique used is anonymity. In Ref. [7], the users represented by tokens drawn randomly are taken into consideration instead of the users themselves. Similarly, in the approach in Ref. [2], unidentifiable graphs are generated from the information held by the respondents and used instead of them so that the information of the social network will not be disclosed during the analysis process.
An idea where a group of p nodes are treated to be equivalent through an automated process such that a heavy requirement like the graph generated maps the nodes into one another is used in Ref. [5]. This heavy requirement is used in the case of very strong invaders. The concept of edge addition is used in Ref. [8] so that groups of p 1-neighborhoods are made to be similar through isomorphism to p − 1 other 1-neighborhoods and are anonymized as a group. Here a liberal assumption is made that the attacker knows only the 1-neighborhood information of the nodes. The disadvantage in this case is that the process of addition of edges requires a high amount of nodes being used and it varies directly with the degrees of the nodes sharply.
Several conclusions are derived in Ref. [3]. We present them below.
It may be noted that even when the k-anonymity criterion is satisfied we cannot guarantee anonymity of the network, as it is a syntactic property.
Another problem with these algorithms is that a lot of restrictions are imposed on the properties of the social network and also the knowledge of the attackers is supposed to be limited to a certain extent. This is a heavy restriction and in reality cannot be satisfied.
Moreover, the restriction that the information available with the intruders is limited to only the 1-neighborhood is very strong, and in most real-life situations it is much wider than this assumption.
The above observations encouraged the authors in [1] to develop an algorithm, which uses the background knowledge of the intruders to de-anonymize or reidentify the nodes after the anonymization is done by using any algorithm to this extent. This is a cyclic process, as once some of the nodes are identified, more information gets available and this is added to the background knowledge of the adversaries to identify further nodes.
URL: https://www.sciencedirect.com/science/article/pii/B9780128154588000049
Cellular Network Security
Peng Liu, ... Kameswari Kotapati, in Network and System Security (Second Edition), 2014
Cross-Infrastructure Cyber Cascading Attacks
When cascading attacks cross into cellular networks from the Internet through cross-network services, they're called cross-infrastructure cyber cascading attacks. This attack is illustrated on the CFS in Figure 11.7.
Figure 11.7. Cross-infrastructure cyber cascading attacks on call-forward service.
As the CFS forwards calls based on the emails received, corruption is shown to propagate from the mail server to a call-forward (CF) server and finally to the MSC. In the attack, using any standard mail server vulnerabilities, the adversary may compromise the mail server and corrupt the email data source by deleting emails from people the victim is expecting to call. The CF server receives and caches wrong email from the mail server.
When calls arrive for the subscriber, the call-forwarding service is triggered, and the MSC queries the CF server on how to forward the call. The CF server checks its incorrect email cache, and because there are no emails from the caller, it responds to the MSC to forward the call to the victim's voicemail when in reality the call should have been forwarded to the cellular device. Thus the effect of the attack on the mail server propagates to the CF service nodes. This is a classic example of a cross-infrastructure cyber cascading attack, whereby the adversary gains access to the cross-network server, and attacks by modifying data in the data source of the cross-network server. Note that it has become highly simplified to launch such attacks due to easy accessibility to the Internet and subscriber preference for Internet-based cross-network services.
Isolating Vulnerabilities
From the abstract model, the major vulnerable-to-attacks network components are: (1) data sources; (2) agents (more generally called service logic); and (3) signaling messages. By exploiting each of these vulnerabilities, data items that are crucial to the correct working of a cellular network can be corrupted, leading to ultimate service disruption through cascading effects.
In addition, the effect of corrupt signaling messages is different from the effect of corrupt data sources. By corrupting data items in a data source of a service node, all the subscribers attached to this service node may be affected. However, by corrupting a signaling message, only the subscribers (such as the caller and called party in case of call delivery service) associated with the message are affected. Also, corrupting the agent in the service node can affect all subscribers using the agent in the service node. Hence, in the three-dimensional taxonomy, a vulnerability exploited is considered as an attack dimension, since the effect on each vulnerability is different.
Also, the adversary's physical access to a cellular network affects how the vulnerability is exploited and how the attack cascades. For example, consider the case when a subscriber has access to the air interface. The adversary can only affect messages on the air interface. Similarly, if the adversary has access to a service node, the data sources and service logic may be corrupted. Hence, in the three-dimensional taxonomy, the physical access is considered a category as it affects how the vulnerability is exploited and its ultimate effect on the subscriber.
Finally, the way the adversary chooses to launch an attack ultimately affects the service in a different way. Consider a passive attack such as interception. Here the service is not affected, but it can have a later effect on the subscriber, such as identity theft or loss of privacy. An active attack such as interruption can cause complete service disruption. Hence, in the three-dimensional taxonomy, the attack means are considered a category due to the ultimate effect on service. In the next part of the chapter, we detail the cellular network specific three-dimensional taxonomy and the way the previously mentioned dimensions are incorporated (see checklist: "An Agenda For Action When Incorporating The Cellular Network Specific Three-Dimensional Attack Taxonomy").
An Agenda for Action when Incorporating the Cellular Network Specific Three-Dimensional Attack Taxonomy
The three dimensions in the taxonomy include Dimension I: Physical Access to the Network, Dimension II: Attack Categories and Dimension III: Vulnerability Exploited. In the following, we outline each dimension (check all tasks completed):
- _____1. Dimension I–Physical Access to the Network: In this dimension, attacks are classified based on the adversary's level of physical access to a cellular network. Dimension I may be further classified into single infrastructure attacks (Level I–III) and cross-infrastructure cyber-attacks (Level IV–V):
  - _____a. Level I: Access to air interface with physical device. Here the adversary launches attacks via access to the radio access network using standard cheap "off-the-shelf" equipment [26]. Attacks include false base station attacks, eavesdropping, and man-in-the-middle attacks and correspond to attacks previously mentioned.
  - _____b. Level II: Access to links connecting core service nodes. Here the adversary has access to links connecting to core service nodes. Attacks include disrupting normal transmission of signaling messages and correspond to message corruption attacks previously mentioned.
  - _____c. Level III: Access core service nodes. In this case, the adversary could be an insider who managed to gain physical access to core service nodes. Attacks include editing the service logic or modifying data sources, such as subscriber data (profile, security and services) stored in the service node and corresponding to corrupt service logic, data source, and node impersonation attacks previously mentioned.
  - _____d. Level IV: Access to links connecting the Internet and the core network service nodes. This is a cross-infrastructure cyber-attack. Here the adversary has access to links connecting the core network and Internet service nodes. Attacks include editing and deleting signaling messages between the two networks. This level of attack is easier to attain than Level II.
  - _____e. Level V: Access to Internet servers or cross-network servers: This is a cross-infrastructure cyber-attack. Here the adversary can cause harm by editing the service logic or modifying subscriber data (profile, security and services) stored in the cross-network servers. Such an attack was outlined earlier in the chapter. This level of attack is easier to achieve than Level III.
- _____2. Dimension II–Attack Type: In this dimension, attacks are classified based on the type of attack. The attack categories are based on Stallings' [27] work in this area:
  - _____a. Interception. The adversary intercepts signaling messages on a cable (Level II access) but does not modify or delete them. This is a passive attack. This affects the privacy of the subscriber and the network operator. The adversary may use the information obtained from interception to analyze traffic and eliminate the competition provided by the network operator.
  - _____b. Fabrication or replay. In this case, the adversary inserts spurious messages, data, or service logic into the system, depending on the level of physical access. For instance, via a Level II access, the adversary inserts fake signaling messages; and via a Level III access, the adversary inserts fake service logic or fake subscriber data into this system.
  - _____c. Modification of resources. Here the adversary modifies data, messages, or service logic. For example, via a Level II access, the adversary modifies signaling messages on the link; and via a Level III access, the adversary modifies service logic or data.
  - _____d. Denial of service. In this case, the adversary takes actions to overload a network, resulting in legitimate subscribers not receiving service.
  - _____e. Interruption. Here the adversary causes an interruption by destroying data, messages, or service logic.
- _____3. Dimension III–Vulnerability Exploited: In this dimension, attacks are classified based on the vulnerability exploited to cause the attack. Vulnerabilities exploited are explained as follows:
  - _____a. Data. The adversary attacks the data stored in the system. Damage is inflicted by modifying, inserting, and deleting the data stored in the system.
  - _____b. Messages. The adversary adds, modifies, deletes, or replays signaling messages.
  - _____c. Service logic. Here the adversary inflicts damage by attacking the service logic running in the various cellular core network service nodes.
  - _____d. Attack classification. In classifying attacks, we can group them according to Case 1: Dimension I versus Dimension II, and Case 2: Dimension II versus Dimension III. Note that the Dimension I versus Dimension III case can be transitively inferred from Case 1 and Case 2.
Table 11.1 shows a sample tabulation of Level I attacks grouped in Case 1. For example, with Level I access an adversary causes interception attacks by observing traffic and eavesdropping. Likewise, fabrication attacks due to Level I access include sending spurious registration messages. Modification of resources due to Level I access includes modifying conversations in the radio access network. DoS due to Level I access occurs when a large number of fake registration messages are sent to keep the network busy so as to not provide service to legitimate subscribers. Finally, interruption attacks due to Level I access occur when adversaries jam the radio access channel so that legitimate subscribers cannot access the network. For further details on attack categories, refer to [22].
Table 11.1. Sample Case 1 Classification.
 | Interception | Fabrication/Insertion | Modification of Resource | Denial of Service | Interruption
---|---|---|---|---|---
Level I | | | | |
URL:
https://www.sciencedirect.com/science/article/pii/B9780124166899000113
Secure and Resilient Routing: Building Blocks for Resilient Network Architectures
Deep Medhi, Dijiang Huang, in Information Assurance, 2008
Outsider wiretapping attack (a).
PLC or ILC can be used to prevent outsiders from sniffing packets containing routing information. This is a straightforward method to prevent passive attacks. When PLC is provided for the entire IP payload, the outsider would not know general data, such as link-state type, advertising router, and sequence number, that is contained inside the routing packet header. This information can help an attacker to derive network topology and traffic patterns. ILC cannot prevent an attacker from knowing the information within the routing packet header, but it can prevent subverted routers from decrypting the routing information when they use different encryption/decryption keys. The combination of PLC and ILC provides strong security features to guard against ineligible entities.
URL:
https://www.sciencedirect.com/science/article/pii/B9780123735669500161
Distributed Information Resources
Randall J. Atkinson, J. Eric Klinker, in Advances in Computers, 1999
10.1 Threats and Issues
Unfortunately, neither rlogin, rsh, nor telnet provides confidentiality to data sent over the network or authentication of the session endpoints [17]. When passive attacks first became widespread, many users changed from using reusable disclosing passwords to using one-time passwords to reduce risk [42, 43]. Even before then, many users were concerned about rlogin and rsh because they use the concept of unauthenticated trusted hosts as part of their authorization and authentication scheme. In short, rsh and rlogin simply trusted that packets received with a source IP address that was in the list of trusted IP addresses were valid. No further checks were performed. Unfortunately, it is easy to forge an IP packet. In this era of cheap PCs, IP packet forgery is quite commonplace, making the concept of trusted hosts entirely unworkable. Other issues with the rlogin command have been discovered over the years [21].
Other users worked to enhance the existing remote terminal applications or worked to develop new applications to provide greater security through cryptographic techniques. Several efforts were undertaken to provide an encryption option to telnet. Unfortunately, telnet option negotiation itself was not protected by most of these projects, so the adversary could defeat the encryption by forging a telnet control packet disabling that option. Since most telnet client implementations do not permit users to see the option negotiation, users were not aware that their telnet encryption had been disabled. One such project had the misfortune of an implementation fault in key management that caused security to be compromised.
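The downgrade described above went unnoticed because clients hid option negotiation from the user. As an added example (not code from the chapter or from any of the projects it mentions), this Python sketch parses a captured Telnet byte stream and reports where the encryption option is switched off after having been negotiated. It assumes the option is ENCRYPT (code 38, RFC 2946), which the text does not name, and the sample capture is constructed.

```python
# Telnet command bytes (RFC 854); ENCRYPT option code 38 (RFC 2946) is an assumption.
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
ENCRYPT = 38
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

def negotiations(stream: bytes):
    """Yield (offset, verb, option) for each option negotiation in the stream."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1                      # ordinary data byte
        elif i + 1 >= n:
            break                       # truncated command at end of capture
        elif stream[i + 1] == IAC:
            i += 2                      # escaped 0xFF data byte, not a command
        elif stream[i + 1] == SB:
            i += 2                      # skip subnegotiation up to IAC SE
            while i + 1 < n and not (stream[i] == IAC and stream[i + 1] == SE):
                i += 2 if stream[i] == IAC else 1
            i += 2
        elif stream[i + 1] in VERBS:
            if i + 2 >= n:
                break                   # verb without its option byte
            yield i, VERBS[stream[i + 1]], stream[i + 2]
            i += 3
        else:
            i += 2                      # other two-byte command (NOP, GA, ...)

def encryption_downgrades(stream: bytes):
    """Offsets where ENCRYPT is turned off after it was offered or requested."""
    offered, alerts = False, []
    for off, verb, opt in negotiations(stream):
        if opt != ENCRYPT:
            continue
        if verb in ("WILL", "DO"):
            offered = True
        elif offered:                   # WONT/DONT following an earlier WILL/DO
            alerts.append(off)
    return alerts

# Constructed capture: encryption agreed, some data, then an unauthenticated DONT ENCRYPT.
SAMPLE = (bytes([IAC, DO, ENCRYPT, IAC, WILL, ENCRYPT]) + b"login: "
          + bytes([IAC, IAC, IAC, SB, ENCRYPT, 1, 2, IAC, SE])
          + bytes([IAC, DONT, ENCRYPT]))

if __name__ == "__main__":
    for off in encryption_downgrades(SAMPLE):
        print(f"ENCRYPT disabled at byte offset {off}: session is no longer encrypted")
```

Because the negotiation is not authenticated, the receiving endpoint cannot tell a peer's refusal from a forged one, so a client should surface every such event to the user rather than continue silently.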
URL:
https://www.sciencedirect.com/science/article/pii/S0065245808600212
Side-Channel Attacks
Swarup Bhunia, Mark Tehranipoor, in Hardware Security, 2019
8.2.1 Taxonomy of Side-Channel Attacks
Based on the level of control that an attacker may have on a device prior to performing SCAs, they can be classified into passive and active attacks. Passive attacks (such as power, timing, or EM SCAs) do not require an attacker to interfere with the functionality or the operation of the device under attack [10]. The attack is usually launched in a manner that allows the system to behave normally as if the attack is not in effect. On the other hand, active attacks aim to interfere with the operation of the device under attack, where an attacker tends to influence how the device behaves, and what operation it performs. By actively controlling the behavior of the device, an attacker gains the advantage of selectively extracting side-channel data that can help break a cryptographic module, or extract the secret key.
Each side-channel attack can be done in many ways. Typically, a simple nonexhaustive approach has been introduced first, and then a refined and more complex approach is developed to enhance the amount and quality of extracted side-channel information. In case of power analysis attacks, as mentioned before, an adversary can perform a simple analysis, where a power signal is simply visually inspected. In a more sophisticated version of the attack, namely, DPA, multiple power traces are statistically analyzed to derive more robust information about the secret key.
Figure 8.4 shows the taxonomy of SCAs. Depending on the general source of side-channel information, there are several forms of SCA. They are: power SCA, EM SCA, fault injection attack, and timing SCA. Each SCA can be classified according to specific attack method: applied analysis methods, such as simple observation and statistical methods; side-channel signal generation methods, such as voltages and clocks; or analysis granularity, such as microarchitecture and system level analysis [11].
Figure 8.4. Taxonomy of general side-channel attacks.
URL:
https://www.sciencedirect.com/science/article/pii/B9780128124772000137
Source: https://www.sciencedirect.com/topics/computer-science/passive-attack