Browsing by study line "Datanätverk"

The continuously evolving cyber threat landscape has become a major concern because sophisticated attacks against systems connected to the Internet have become frequent. The concern is on particular threats that are known as Advanced Persistent Threats (APT). The thesis aims to introduce what APTs are and illustrate other topics under the scope, such as tools and methods attackers can use. Attack models will also be explained, providing example models proposed in the literature. The thesis also introduces which kind of operational objectives attacks can have, and for each objective, one example attack is given that characterizes the objective. In addition, the thesis also uncovers various countermeasures, including most essential security solutions, complemented with more advanced methods. The last countermeasure that the thesis introduces is attribution analysis.

Blockchain technologies and cryptocurrencies have gained massive popularity in the past few years. Smart contracts extend the utility of these distributed ledgers to distributed state machines, where anyone can store and run code and then mutually agree on the next state. This opens up a whole new world of possibilities, but also many new security challenges. In this thesis we give an up-to-date survey on smart contract security issues. First we give a brief introduction to blockchains and smart contracts and explain the most common attack types and some mitigations against them. Then we sum up and analyse our findings. We find out that many of the attacks could be avoided or at least severely mitigated if the coders followed good coding practices and used design patterns that are proven to be good. Another finding is that changing the underlying blockchain technology to counter the issues is usually not the best way, as it is hard and troublesome to do and might restrict the usability of contracts too much. Lastly, we find out that many new automated tools for security are being developed and used, which indicates movement towards more conventional coding where automated tools like scanners and analysers are being used to cover a large set of security issues.

Quantum networking is developing fast as an emerging research field. Distributing entangled qubits between any two locations in a quantum network is one of the goals of quantum networking, in which repeaters can be used to extend the length of entanglement. Although researchers focus extensively on problems inside one quantum network, further study on communication between quantum networks is necessary because the next possible evolution of quantum networking is the communication between two or more autonomous quantum networks. In this thesis, we adapted a time slotted model from the literature to study the inter quantum network routing problem. Quantum routing problem can be split into path selection and request scheduling. We focus on the latter considering the previous one received considerable interest in the literature. Five request scheduling policies are proposed to study the impact of preference for certain request types on entanglement generation rate. Experiments also demonstrate other factors should be considered in context of entanglement rate in communication between quantum networks, e.g., the number and distribution of requests and inter-network distance.

The cloud computing paradigm has risen, during the last 20 years, to the task of bringing powerful computational services to the masses. Centralizing the computer hardware to a few large data centers has brought large monetary savings, but at the cost of a greater geographical distance between the server and the client. As a new generation of thin clients have emerged, e.g. smartphones and IoT-devices, the larger latencies induced by these greater distances, can limit the applications that could benefit from using the vast resources available in cloud computing. Not long after the explosive growth of cloud computing, a new paradigm, edge computing has risen. Edge computing aims at bringing the resources generally found in cloud computing closer to the edge where many of the end-users, clients and data producers reside. In this thesis, I will present the edge computing concept as well as the technologies enabling it. Furthermore I will show a few edge computing concepts and architectures, including multi- access edge computing (MEC), Fog computing and intelligent containers (ICON). Finally, I will also present a new edge-orchestrator, the ICON Python Orchestrator (IPO), that enables intelligent containers to migrate closer to the users. The ICON Python orchestrator tests the feasibility of the ICON concept and provides per- formance measurements that can be compared to other contemporary edge computing im- plementations. In this thesis, I will present the IPO architecture design including challenges encountered during the implementation phase and solutions to specific problems. I will also show the testing and validation setup. By using the artificial testing and validation network, client migration speeds were measured using three different cases - redirection, cache hot ICON migration and cache cold ICON migration. While there is room for improvements, the migration speeds measured are on par with other edge computing implementations.

Nowadays a growing number of mobile devices are in use, and the internet connections with mobile devices are increasingly important for the everyday life of the global population. As a result, applications and use cases of different requirements including high throughput, reliability and continuous connection have emerged for mobile device connections. Multipath transport located on the transport layer of the TCP/IP model has been proposed as a solution for providing better throughput, reliability and smooth handovers for mobile devices. Multiple network interfaces are present in current mobile devices, and multipath protocols can utilize them to transfer data through multiple paths inside one connection. Multipath protocols of parallel functionality have been proposed over the years, and relevant protocol versions include multipath extensions for well-known transport layer protocols. The aim of the thesis is to provide an overview of three multipath protocols, MPTCP, CMT-SCTP and MPQUIC and the advantages and limitations they have when used for mobile connectivity through a literature review. First the challenges of multipath transport and requirements specific for mobile device usage are identified, and an overview of the protocols and their features are discussed. Then the protocols are compared in the context of the identified challenges and mobile device use. MPTCP is the only transport layer multipath protocol currently deployed and in use, while CMT-SCTP faces problems with deployability. MPQUIC shows promise for having initially comparable performance and deployability with MPTCP. Transport layer multipath protocols are currently not optimal for interactive applications and have suboptimal performance in heterogeneous network conditions. Conversely, they can provide a boost for throughput with data intensive applications and can be helpful for providing smoother handovers, but at the cost of higher energy consumption.

Self-Sovereign Identity is a new concept of managaging digital identities in the digital services. The purpose of the Self-Sovereign Identity is to place the user in the center and move towards decentralized model of identity management. Verifiable Credentials, Verifiable Presentations, Identity Wallets and Decentralized Identifiers are part of the Self-Sovereign Identity model. They have also been recently included in the OpenID Connect specifications to be used with the widely used authentication layer built on OAuth 2.0. The OpenID Connect authentication can now be leveraged with the Decetralized Identifiers (DIDs) and the public keys contained in DID Documents. This work assessed the feasibility of integrating the Verifiable Credentials, Verifiable Presentations and Decentralized Identifiers with OpenID Connect in the context of two use cases. The first use case is to integrate the Verifiable Credentials and Presentations into an OpenID Connect server and utilise Single Sign-On in federated environment. The second use case is to ignore the OpenID Provider and enable the Relying Party to authenticate directly with the Identity Wallet. Custom software components, the Relying Party, the Identity Wallet and the Verifiable Credential Issuer were built to support the assessments. Two new authorization flows were designed for the two use cases. The Federated Verifiable Presentation Flow describes the protocol of Relying Party authenticating with OpenID Provider which receives the user information from the Wallet. The flow does not require any changes for any Relying Party using the same OpenID Provider to authenticate and utilise Single Sign-On. The Verifiable Presentation Flow enables the Relying Party to authenticate directly with the Wallet. However, this flow requires multiple changes to Relying Party and benefits of federated environment are not available, e.g., the Single Sign-On. Both of the flows are useful for their own specific use cases. The new flows are utilising the new segments of the Self-Sovereign Identity and are promising steps towards self-sovereignty.

Data centers provide a demanding and complex environment for networking as there is a need to provide fairness, throughput, and responsiveness while balancing great volumes of data and different types of flows. Programmable scheduling aims to make networking more flexible by providing capabilities for testing, modifying, and running a greater number of scheduling algorithms on switches than currently is possible. This is done by having a hardware design on top of which scheduling algorithms can be run as software. Over the years, multiple different abstractions for the switch scheduler have been suggested, with the aim of being capable of running at line rate. This thesis is a literature review of different programmable scheduler designs, focusing on Push-In First-Out, Push-In Extract-Out, Strict Priority Push-In First-Out, and Admission-In First-Out designs. This work provides an overview of the designs and their hardware implementations, observing their strengths and weaknesses regarding the data center environment. These designs are compared to one another with a focus on trade-offs between metrics like speed, expressiveness, and scalability, with a discussion on how these trade-offs ensure that there is currently no design that is above the others in all aspects.

Zero Trust -turvallisuusmalli uudistaa tietoverkkojen tietoturva-ajattelua lähtemällä oletukses- ta, ettei mikään tietoverkon vyöhyke ole itsessään turvallinen. Tällöin myös luotettujen verk- kojen sisäisiä tietoliikenneyhteyksiä on tarkasteltava kriittisesti, ja ne on sisällytettävä harkin- nanvaraisen ja minimioikeuksiin perustuvan pääsynhallinnan piiriin. Käsite mikrosegmentointi on ymmärrettävä suhteessa verkon segmentointiin eli sen jakamiseen vyöhykkeisiin. Mikrosegmentti on niin mikroskooppinen vyöhyke, että se on enää yhden isän- täkoneen kokoinen. Mikrosegmentoinnissa jokainen tietoliikenneyhteys, myös kahden saman lähiverkon isäntäkoneen välinen, ylittää vyöhykerajan ja on pääsynvalvonnan alainen. Tässä työssä tutkitaan, että jos virtuaalisesta tietokoneluokasta Zero Trust -mallin mukaisesti sallitaan vain tunnetut yhteydet käyttämällä tähän mikrosegmentoivaa palomuuria, niin kuinka paljon tämä vähentää lähiverkon liikennettä ja estetäänkö samalla jotain olennaista? Teoriaosuudessa esitellään tietoliikenteen perusteet, Defense in Depth ja Zero Trust -käsitteet, palomuurien toimintaperiaatteet, tietokoneiden virtualisointi sekä datakeskusverkkojen toteu- tustapoja. Empiirisessä osuudessa analysoidaan lähiverkon sisäistä liikennettä Helsingin yliopiston etä- työpöytäympäristöstä, jota voi ajatella virtuaalisena etäkäytettävänä tietokoneluokkana. Etä- työpöytäympäristöstä syntyviä lateraalisia yhteyksiä analysoidaan kvantitatiivisesti vertaillen liikennemääriä täsmä-, ryhmä- ja yleislähetysluokissa sekä kvalitatiivisesti tarkastelemalla oh- jelmistoja näiden yhteyksien taustalla. Samalla etsitään vastausta kysymyksiin: mikä tarkoitus näillä yhteyksillä on ja ovatko ne tarpeellisia virtuaalisessa tietokoneluokassa. Tarpeettomien yhteyksien suodattamista pohditaan myös energiansäästön näkökulmasta.