Assignment 4
IQRA ZAFAR (FA20-MSCS-010)
RESEARCH METHODOLOGY:
ASSIGNMENT 4
Abstract:
The encryption of network traffic complicates legitimate network monitoring, traffic analysis, and network forensics. In this paper, we
present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our analysis shows that it is
possible to estimate the User-Agent of a client in HTTPS communication through the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS
handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from an HTTP
header. We built a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed
SSL/TLS connections to identify communicating clients. The dictionary was used to classify live HTTPS network traffic. We were
able to retrieve client types from 95.4 % of HTTPS network traffic. Further, we discussed host-based and network-based methods of
dictionary retrieval and assessed the quality of the data.
Web-based enterprise applications, for example e-commerce, online banking, online auctions, social networks, and
forums, have become increasingly popular in our society. These applications become the target of security attacks. Hence,
securing websites and their connections with users is important. If we own or manage a website, we are certainly concerned about how
secure it is. To evaluate the security level of a website, we typically take some action, including testing the site with security scanning tools.
Most scanning tools have limitations and need to be updated frequently. Using just one scanning tool is sometimes
not sufficient to determine the security level of a website. This paper proposes a framework supporting website security assessment. The idea of this framework is to
integrate different scanning tools into the framework. We then write a program to implement this framework with a real website. We
guide users on how to add a new scanning tool to the framework, manage it, and produce a final report. In addition, we discuss the
client-side security issue called the clickjacking attack, which many clients may suffer when accessing malicious websites, and we propose
a method to protect them from this attack.
Security threats and financial losses caused by network attacks, intrusions and security breaches have led to in-depth research on
network security. Usually, the data collected on the network system can be used to detect security threats. By analyzing security-related data,
network attacks and intrusions can be detected, and the security level of the entire network system can be further measured. Obviously, the first
step in detecting network attacks and intrusions is to collect security-related data. In the era of big data and 5G, there are some challenges in collecting
security-related data. This document first briefly introduces the security-related data of the network, including its definition and characteristics,
and the applications that collect network security data. It then proposes requirements and goals for collecting security-related data and a classification of
data collection technologies. In addition, we review existing collection nodes, collection tools, and collection mechanisms for network data collection and analyze them
according to the proposed requirements and goals for collecting high-quality security data.
Phishing is an online scam that aims to obtain user credentials through fraudulent websites. This document uses a new method based on
a multilayer perceptron neural network to detect fraudulent URLs. The detection system has a high accuracy rate of 98.5%.
Wireless local area networks (WLANs) with gateways to Internet services are becoming more and more popular because they are fast,
cost effective, flexible, and easy to use. However, there are some security issues. For IT administrators, choosing a security protocol is a key issue. The
main purpose is to understand wireless network security threats and the shortcomings of wireless security protocols. We also compared WEP, WPA
and WPA2, and checked the authentication of the three protocols using the legendary attack vector scripts, i.e. the Aircrack set of tools. The test was
conducted in the BackTrack operating system, which is a dedicated operating system for penetration testing. As a result, it was found that WEP
was the weakest, and WPA was a temporary solution. WPA2 is a very reliable and long-term solution.
Introduction:
The increasing popularity of encrypted network traffic is a double-edged sword. On the one hand, it provides secure data transmission,
prevents eavesdropping and improves the reliability of communication between hosts. On the other hand, it makes it difficult to monitor
legitimate network traffic, including traffic classification and host identification. Today, we can monitor, identify and classify plain-text network traffic
(such as HTTP). However, it is difficult to analyze encrypted communications. From the perspective of a communication partner, the more
secure the connection, the harder it is to understand network traffic and identify abnormal and malicious activity. In addition, malicious network
behavior can be hidden in encrypted connections, where it is invisible. This article introduces HTTPS (HTTP over SSL/TLS), which is the most commonly
used protocol for encrypted network traffic. By creating a dictionary of SSL/TLS handshake fingerprints and related User-Agents, we solved the
problem of SSL/TLS client identification and HTTPS traffic classification.
With the advancement of web technology, the number of security attacks on websites and web applications has increased dramatically in
the past decade. OWASP is a non-profit organization dedicated to improving software security; it provides testing guidance for finding software
vulnerabilities. According to its definition, the security defect we are referring to is a flaw or error in the design, implementation, operation or
management of the website that can be used to undermine the security goals of the website. There are different types of testing. Black box
testing is also called behavioral testing; here the internal structure of the website is not known to the tester. The simplest way to identify a web
server is to look at the Server field in the HTTP response header. White box testing, which is called an out-of-the-box test, refers to testing a website with
extensive knowledge of it and access to all the source code and architecture documentation. The ideal form of penetration testing is black
box, because most attackers know nothing about the internal attributes before the attack begins. This document focuses on creating a new
framework so that users can use more scanning tools at once. We propose the new framework mentioned above, discuss the issue of
clickjacking attacks, and close the document.
With the rapid development of network and communication technology, more and more attention is paid to the security of network
systems. Network security is usually reflected in the relevant data generated, initiated or retrieved by the network system. By examining data
related to network security incidents, the security of the network system can be quantified and measured. We refer to data that indicate
security threats and anomalies related to security, protection, confidentiality, and trust as network security data, or simply security
data. Obviously, the first step in detecting network attacks and intrusions is to collect this security data. However, in the era of big data and
next-generation network systems (5G for short), data collection related to security faces many challenges. In the case of big data, the amount of data
shared, created and generated on the network is very large. Security-related data has the 5V attributes (volume, variety, value, velocity and veracity),
which makes it extremely difficult to collect these data. In addition, 5G is usually heterogeneous and supports device-to-device, vehicle-to-vehicle,
and other communication technologies. In other words, 5G covers different types of networks, such as the Internet, mobile ad hoc
networks (MANET), cellular networks, and wireless sensor networks (WSN). In order to be able to evaluate the security of 5G
networks, the current methods used to collect security-related data in a single network must be redesigned for large heterogeneous networks.
People know very little about the Internet, so collecting security-related data is a hot and difficult topic. Data can be recorded at both system
entrance and system exit, and it plays an important role in IT, because it is essential for troubleshooting and managing network systems, detecting
network intrusions, and calculating network traffic. Since network attacks and intrusions often occur in the network, we mainly check data packets
and data flows. Other types of data (such as memory and CPU usage) can also be used to detect cyber attacks. However, previous research has
shown that they are not as effective as analyzing network packets and data flows to detect network intrusions and attacks.
In recent years, cyber attacks have become more and more common. Attackers use computers as tools or targets, and sometimes even
as both. A network attack is an intrusion by a hacker who uses one or more computers to attack one or more computers or infrastructure. Cyber
attacks deliberately damage computers, steal information, or use infected computers as a starting point for other threats. Cyber attacks are
generally divided into two categories. The first category is syntactic attacks, which are collectively referred to as malware. Such attacks
include viruses, Trojan horses and worms. The second category is semantic attacks, in which the attacker collects information about the victim
through links to certain websites or seemingly trusted websites, or obtains their username, password, and credit card information.
Studying the performance of WLAN security protocols is one of the current trends in network security research. Due to the
complexity and inefficiency of creating security logs, there is usually no method or technology that can be used to model and evaluate security
logs. The protocol required to protect the wireless network can be realized by using network simulator software to create a wireless scheme.
The study shows a scheme for reviewing security logs. Since NS2 mainly implements routing protocols, new protocols must be developed
specifically for security purposes. The next security function is the encryption/decryption of transmitted data. The protocol will then be an ideal
implementation.
Research questions:
I. Which SSL/TLS handshake parameters can be used to identify the client?
II. Can we match the selected SSL/TLS handshake parameters with HTTP header fields?
III. How much information, namely the number of known SSL/TLS parameters and their pairings with HTTP headers, do we need in order to
analyze a considerable part of network traffic?
IV. Can we use SSL/TLS fingerprinting to monitor network security and detect intruders?
I. How can security scanning tools be used to protect websites and user connections and to rate them?
II. How many scanning tools are needed to determine the security level of a website, and what are their limitations?
III. Do I need to update the scanning tool frequently to identify new vulnerabilities?
IV. How can various scanning tools be integrated into a framework with a real website to create a final report?
V. How do you protect clients from the client-side security issue called the clickjacking attack, which many clients suffer from when they visit malicious websites?
I. How can security-related data be collected to detect network attacks and intrusions in the context of big data and 5G?
II. What is the taxonomy of data collection techniques?
III. Why check the existing collection nodes, collection tools and collection mechanisms to collect network data?
IV. How can investigation and analysis of security-related data help identify attacks and intrusions in the network to measure the security
level of the entire network system?
I. How does phishing obtain user credentials from fraudulent websites?
II. How to use new methods to detect fraudulent URLs?
I. Why should you be aware of the security threats to wireless networks and understand the shortcomings of wireless security protocols?
II. Why do we need to compare and analyze WEP, WPA and WPA2, and what solutions are there?
Research objectives:
I. Analyze encrypted network traffic in general, including identifying and characterizing encrypted network traffic and classifying the communicating
clients.
II. Client identification, whose purpose is to obtain information about a single client. This mainly applies to obtaining fingerprints from a
web browser.
III. Detect the activity of a particular network host, detect malicious clients, and measure the activity of
unknown or abnormal clients.
I. Use security scanning tools to protect the security of the website and of user connections.
II. Determine the number of scanning tools required to determine the security level of the website.
III. List the limitations of scanning tools, which should be updated frequently to identify new vulnerabilities.
IV. Integrate multiple scanning tools into a framework with a real website and generate a final report.
V. Address the client-side security issue called the clickjacking attack, which may harm many clients visiting malicious websites.
I. Collect security-related data to detect network attacks and intrusions in the context of big data and 5G.
II. Classification of data collection techniques.
III. Check the existing collection nodes, collection tools and collection mechanisms for network data collection.
IV. Inspection and analysis of security-related data can help identify network intrusions and attacks, thereby measuring the security level of
the entire network system.
I. Understand how phishing obtains user credentials through fraudulent websites.
II. Use a new method to detect fraudulent URLs.
I. Understand the security threats to wireless networks and the shortcomings of wireless security protocols.
II. Compare and analyze WEP, WPA and WPA2, and identify the solutions to these problems.
Literature Review:
We designed a three-step experiment to answer our research questions and test the idea of HTTPS client identification using SSL/TLS
fingerprinting. In the first step, we set up real-time measurement of SSL/TLS connections in network traffic. In the second step, we created
a dictionary of SSL/TLS fingerprints and HTTP User-Agents based on the analysis of the captured network traffic. In the third step, we used this
dictionary to assign User-Agents to the measured traffic and tested the capability to identify HTTPS clients.
The common properties of the packets in a flow are called the flow key. The standard flow key consists of the following L3/L4 parameters:
protocol, IP addresses and port numbers. Each flow is represented by a flow entry
f = (proto, srcIP, dstIP, srcPort, dstPort, tSt)
where proto, srcIP, dstIP, srcPort and dstPort are the common flow key values, and tSt is the expiration timestamp. Since the standard flow
does not contain detailed information about HTTP and HTTPS traffic, we use two extensions of the flow measurement that add new elements to
the flow record. The first extension adds the User-Agent element (and others) from HTTP. Only HTTP flows whose destination port is 80 are
counted. The set of HTTP flows with an assigned User-Agent is called F_HTTP:
F_HTTP = {(f, ua) | f.dstPort = 80 ∧ ua ≠ null}
The second extension adds elements of the ClientHello message, which is exchanged during the initial SSL/TLS handshake of the HTTPS
connection. It measures only the elements that are constant for any connection of a client, i.e., the SSL/TLS protocol version (vr), cipher
suite list (cs), compression (cm) and TLS extensions (ex). The set of all extended HTTPS flows is called F_HTTPS:
hello = (vr, cs, cm, ex)
F_HTTPS = {(f, hello) | f.dstPort = 443 ∧ hello ≠ null}
The purpose of the measurement is to obtain basic data. In the next step, we create a dictionary that can be used to translate SSL/TLS
fingerprint elements to HTTP User-Agents. The dictionary was applied to all measured data to test its usability and to obtain more
information about HTTPS clients. The second goal of the measurement is to study SSL/TLS connection establishment in detail and to get basic
network traffic statistics, with the focus on SSL/TLS traffic.
Cipher suite list and User-Agent matching. To identify HTTPS clients, we need to build a dictionary containing pairs of cipher suite lists
from the SSL/TLS handshake and User-Agents. This is the second phase of our experiment. We decided to use only the list of cipher suites in
the ClientHello message to build the dictionary. The list of cipher suites contains a large number of elements of the SSL/TLS handshake, and we
assume that it is sufficient to identify the client. The other elements of the handshake take only several different values, so we are not going
to add them to the dictionary. To clarify ambiguous results, we use two methods, host-based and flow-based, to associate the list of
cipher suites with the User-Agent. The host-based approach uses information from a single HTTPS connection on the server side, where
unencrypted data is available, including HTTP headers. This method is very accurate, but requires the client to access the monitored server. We
set up an HTTPS server running the Apache web server and the sslhaf plug-in. Using sslhaf, we were able to log the SSL/TLS
parameters of HTTPS connections. We record the SSL/TLS connection parameters from the ClientHello message, including the cipher suite list. The
similarity of the grouped User-Agents can at least indicate whether the client is a web browser, its operating system or its mobile device.
Otherwise, it points to an error in the pairing method. The cipher suite lists differ between client applications and their versions, which
makes them suitable for additional identification. During the measurement:
I. Unique cipher suite lists
II. Relationship between cipher suites and HTTP User-Agents.
The user agent is the universal client ID in HTTP. However, in HTTPS, if the transmitted data is not decrypted, it cannot be accessed directly.
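The measurement and dictionary steps described above can be sketched as follows. This is an added example, not code from the reviewed paper or from this assignment: it parses a ClientHello into hello = (vr, cs, cm, ex), builds a cipher suite list to User-Agent dictionary, and labels the flows in F_HTTPS. All function names, cipher suite lists, User-Agent strings and addresses are constructed, and dropping GREASE values (RFC 8701) is an added normalisation that the page does not mention.

```python
import struct
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "proto srcIP dstIP srcPort dstPort tSt")  # page notation f
Hello = namedtuple("Hello", "vr cs cm ex")                           # page notation hello

class _Reader:
    """Bounds-checked cursor over bytes; raises ValueError on truncation."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        start, self.pos = self.pos, self.pos + n
        return self.data[start:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vector(self, len_bytes):
        return self.take(self.uint(len_bytes))   # length-prefixed TLS vector
    def remaining(self):
        return len(self.data) - self.pos

def is_grease(value):
    """RFC 8701 GREASE values (0x0A0A, 0x1A1A, ...) vary per connection."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def parse_client_hello(record):
    """Extract hello = (vr, cs, cm, ex) from one TLS record holding a ClientHello."""
    rec = _Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                  # record-layer version
    hs = _Reader(rec.vector(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    ch = _Reader(hs.vector(3))
    vr = ch.uint(2)                              # client_version
    ch.take(32)                                  # random
    ch.vector(1)                                 # session_id
    suites = ch.vector(2)
    if len(suites) % 2:
        raise ValueError("odd cipher suite vector length")
    cs = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, len(suites), 2)]
    cm = tuple(ch.vector(1))                     # compression methods
    ex = []
    if ch.remaining():                           # extensions are optional
        exts = _Reader(ch.vector(2))
        while exts.remaining():
            ex.append(exts.uint(2))              # extension type
            exts.vector(2)                       # skip extension body
    keep = lambda values: tuple(v for v in values if not is_grease(v))
    return Hello(vr, keep(cs), cm, keep(ex))

def build_client_hello(cs, vr=0x0303, ex=(0x0017, 0x0023)):
    """Constructed sample input: minimal ClientHello record, empty extension bodies."""
    suites = b"".join(struct.pack("!H", c) for c in cs)
    exts = b"".join(struct.pack("!HH", e, 0) for e in ex)
    ch = (struct.pack("!H", vr) + bytes(32) + b"\x00"
          + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_dictionary(pairs):
    """Host-based step: (cs, User-Agent) pairs seen where HTTP headers are readable."""
    dictionary = {}
    for cs, ua in pairs:
        dictionary.setdefault(tuple(cs), Counter())[ua] += 1
    return dictionary

def classify(f_https, dictionary):
    """Assign candidate User-Agents (most frequent first) to each flow in F_HTTPS."""
    labels = {}
    for f, hello in f_https:
        if f.dstPort != 443 or hello is None:    # membership test for F_HTTPS
            continue
        seen = dictionary.get(hello.cs, {})
        labels[f] = sorted(seen, key=lambda ua: (-seen[ua], ua))
    return labels

def demo():
    """Constructed data: cipher suite lists and User-Agent strings are made up."""
    browser, tool = (0xC02B, 0xC02F, 0x009E, 0x002F), (0xC02F, 0x0035, 0x000A)
    dst = "198.51.100.5"
    dictionary = build_dictionary([
        (browser, "ExampleBrowser/1.0"), (browser, "ExampleBrowser/1.0"),
        (browser, "ExampleBrowser/1.1"), (tool, "ExampleTool/2.0")])
    captured = [
        (Flow(6, "192.0.2.10", dst, 50000, 443, 1), build_client_hello((0x2A2A,) + browser)),
        (Flow(6, "192.0.2.11", dst, 50001, 443, 2), build_client_hello(tool)),
        (Flow(6, "192.0.2.12", dst, 50002, 443, 3), build_client_hello((0x1301, 0x1302))),
        (Flow(6, "192.0.2.13", dst, 50003, 80, 4), None),
    ]
    f_https = [(f, parse_client_hello(r) if r else None) for f, r in captured]
    labels = classify(f_https, dictionary)
    return labels, sum(1 for uas in labels.values() if uas) / len(labels)

if __name__ == "__main__":
    print(demo())
```

An exact-match lookup returns several candidate User-Agents when clients share a cipher suite list, which is the ambiguity the host-based and flow-based pairing methods are meant to resolve.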
The NS2 network simulator can be used to simulate attacks on a WSN. NS2 can replicate the network in real time. It is a time-based event
simulator in which specific events can happen: nodes can be created, data can be transferred between nodes, and attacks can be displayed. It
has become one of the most widely used open source simulators. It is a free modeling tool that can be obtained online. The simulator consists
of many applications, protocols (such as TCP and UDP) and many network parameters. It can run on various platforms, such as UNIX, Mac and
Windows. You can use NS2 to design a model of a wireless sensor network connecting network nodes. Network security can
be tested against network attacks (such as denial of service, flood attack, funnel attack, Sybil attack). These attacks can be created on the
network, and the security level of the wireless sensor network can be tested to ensure the secure transmission of data between nodes under the
security protocols WEP, WPA, and WPA2, which are the focus and an important part of the project. The security of the system depends
on the encryption method used by the protocol. NS2 is a network modeling tool that can be used to analyze and design network configurations.
The proposed system model includes a complete description of the simulation and the software required to implement the network. NS-2 is a widely used network
modeling tool. A network simulator is software that predicts network performance when there is no actual network. NS2 is very useful
because it is very expensive to test the feasibility of new algorithms, architectures, topologies, data
transmission, etc. on a real network. It also explains the basics of network security and the realization of the encryption and decryption
concepts of unconventional ciphers (block ciphers and stream ciphers). The reason for having two programming languages is to have a
user-friendly but fast and powerful simulator. C++ forms the efficient core of the ns-2 class hierarchy, which handles data packets, headers and
algorithms. Object Tcl (OTcl) is also an object-oriented programming language; it is used for network scripts in ns-2 and supports fast
changes to the scripts. OTcl and C++ interact with each other through the Tcl/C++ interface called TclCL. A SOHO network is used to
virtually create a network of nodes, aimed at three areas and different node sizes. First, WEP performance is compared and measured with
Xgraph. In the second phase of the study, WPA-2 is tested while keeping the entire environment identical. Histograms are used to evaluate
the results obtained.
I. Ratio to WPA-2 and specific and lighter ratio. Know exactly the parameters of its limitation. However, it is also important not to influence this
change within the expected scope of work.
II. Follow the above process to discover new results and their impact on the transmission and security of data items.
III. The ongoing process is standardized, and new changes made by a single organization can be evaluated to verify the performance of its
network. By creating such a flowchart, an independent organization can conduct research and report the results, thereby giving everyone
the power of the EPA.
Theoretical framework:
Network monitoring: Network monitoring is a subset of network management. It is a systematic attempt by a computer network to identify slow
or faulty components before they cause problems. When a problem occurs and causes a failure, the task of the network monitoring system is to
notify the network administrator in time.
HTTPS: stands for Hypertext Transfer Protocol Secure. It is a protocol in which HTTP data is transmitted encrypted over a secure connection.
HTTPS encrypts the data between the client and the server to prevent interception, information tampering and data manipulation.
User-Agent: is a kind of software that retrieves web content and presents it to end users, or software implemented using web technology. User
agents include web browsers, media players, and plug-ins for retrieving, displaying, and interacting with web content.
SSL: Secure Socket Layer (SSL). A protocol used for web browsers and servers to authenticate, encrypt and decrypt data sent over the Internet.
TLS: Transport Layer Security (TLS) is an encryption protocol used to protect the security of communications on computer networks and computer
applications.
Fingerprinting: is a process in which a data element of any size (such as a computer file) is mapped to a much shorter bit sequence (i.e., its fingerprint) that
uniquely identifies the original data for all practical purposes, just as human fingerprints uniquely identify a person.
Security assessment: can identify, evaluate and implement critical security controls in the application, and ensure that the application is not
vulnerable to attacks.
OWASP standards: The Open Web Application Security Project (OWASP) is an online community that publishes publicly available articles,
methods, documents, tools, and techniques related to web application security.
Network security: it is a series of rules and settings for using hardware and software technologies to protect the integrity, confidentiality and
availability of computer networks and data.
Data collection technologies: is defined as the process of collecting, measuring, and analyzing accurate knowledge for research using
standard best practices. The method of data collection differs depending on the information required in different research fields.
Heterogeneous networks: In computer networks, heterogeneous networks are networks that connect computers and other devices whose
operating systems and protocols are very different.
Multilayer Perceptron (MLP): Multilayer Perceptron (MLP) is a feedforward artificial neural network (ANN). An MLP consists of at least three layers
of nodes: input layer, hidden layer and output layer. Except for the input nodes, each node is a neuron that uses a non-linear activation function.
Activation function: is a function used in an artificial neural network. It produces a smaller value for a smaller input, and a larger value when its
input exceeds the threshold. In computer science, it is inspired by the action potential in neuroscience.
Semantic attack: (also known as social engineering) manipulate users' perception and interpretation of computer data in order to fraudulently
obtain valuable information (such as passwords, financial data, and government ratings) from users.
Phishing: is a social engineering attack widely used to steal user information, including credentials and credit card numbers. This happens when
an attacker masquerading as a trusted entity tricks the victim into opening an email, instant message or text message.
Security protocols: a security protocol is a network protocol that can ensure the security and integrity of data transmitted through a network connection. The
network security protocol defines the procedures and methods used to protect network data from illegal attempts to view or access data content.
WEP: stands for Wired Equivalent Privacy. It is a security algorithm used in wireless IEEE 802.11 networks to ensure data confidentiality
comparable to traditional wired networks.
WPA: stands for Wi-Fi Protected Access. WPA is a security protocol used to create a secure wireless network (Wi-Fi). It is similar to WEP, but
with improvements in the way security keys are handled and users are authorized.
WPA2: is the abbreviation of Wi-Fi Protected Access 2, a security method added to WPA for wireless networks that provides
better data protection and control of network access. It provides a high level of security for corporate and consumer Wi-Fi users so that only
authorized users can access their wireless networks.
WiFi Security: mainly protects your wireless network from malicious and unauthorized access attempts. Generally, wireless networks are
protected by wireless devices (usually wireless routers/switches), and by default, these devices encrypt and protect all wireless connections.
No Objectives of the Methodology Analysis Techniques Result Comments / Gaps
1 Study and the
Related Variables
Husák et al. EURASIP Journal on The encryption of Experiment design We designed a three- Experimental technique Data was collected
Information Security (2016) 2016:6 DOI network traffic phase experiment to answer our research In this paper, we from random
10.1186/s13635-016-0030-7 complicates legitimate questions and verify the idea of using have shown that it is sources.
network monitoring, HTTPS client identification with SSL/TLS possible to estimate
HTTPS traffic analysis and traffic analysis, and fingerprinting. the User-Agent of a
network forensics. In client in HTTPS
client identification using this paper, we present communication. This
passive SSL/TLS real-time lightweight was done for further
identification of HTTPS identifying the client
fingerprinting using network
clients based on
network monitoring monitoring and
EURASIP JOURNAL ON
INFORMATION SECURITY and SSL/TLS fingerprinting the
fingerprinting. Our SSL/TLS handshake,
experiment shows which is the main
that it is possible to contribution of this
estimate the User- paper.
Agent of a client in
HTTPS communication
via the analysis of the
SSL/TLS handshake.
The fingerprints of
SSL/TLS handshakes,
including a list of
supported cipher
suites, differ among
clients and correlate
to User-Agent values
from a HTTP header.
(i) HTTPS: the method Quantitative Used dummy website to analyse the Sniffing tool A Website Identification comprehensively This research was
Hindawi Security and Communication is able to operate with method, traffic was used to Technique for Zero-Rating examined existing not complete yet.
Networks Volume 2020, Article ID HTTP over TLS traffic. sniff data zero-rating
7285786, 14 pages (ii) Support: the packets. approaches for ISPs
https://doi.org/10.1155/2020/7285786 method requires and DPI vendors and
support from the showed that the
Knocking on IPs: Identifying destination web
server or client (e.g.,
HTTPS Websites for Zero- installing certain
Rated Traffic software on the
client). (iii) In-Band:
the method does not
require active out-of-
band
communication to
operate correctly. For
example, a passive
MitM can be used,
which only reads [Figure 3:
network traffic but Cumulative results of
does not modify, our Open-Knock
drop, or append method applied on
additional traffic. (iv) the Tranco top 6000
ESNI and DoH: the list.]
method works on
network traffic with majority
the ESNI and DoH of the approaches
protocol present. (v) are unsustainable
Free-Riding I: the due to freeriding
method is robust attacks and
against freeriding encrypted protocols
attacks where an such as ESNI (ECHO)
additional MitM is and DoH. Based on
deployed (e.g., a web industrial patents
proxy). (vi) Free-Riding and academic
II: the method is studies.
robust against
freeriding attacks
without the need of
additional MitM
network nodes. (vii)
Open Set: the method
requires no
preliminary
knowledge about the
possible websites that
can be identified.
This paper concerns No particular sample Fingerprint biometric Quantitative technique we first present the nill
mobile encrypted Random was used devices basics of the SSL/TLS
traffic classification, fingerprint protocol. Then, we
Rethinking Encrypted Traffic which is to classify biometric introduce the most
mobile encrypted data relevant and recent
Classification: A Multi-Attribute flows into specific encrypted traffic
Associated Fingerprint applications. With the classification
ApproachUndermining and Co- rapid development of methods [12]–[16]
mobile applications and discuss their
Creation among University and mobile network in limitations. Finally,
Faculty Members recent years, the we analyze the
number of limitations of the
applications and traceset
application downloads collection in these
in application markets relevant papers.
grows continuously
[1].
TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior
Blake Anderson, Cisco, blake.anderson@cisco.com
The Transport Layer Security (TLS) protocol has evolved in response to different attacks and is increasingly relied on to secure Internet communications.
Same as above
Blake Anderson and David McGrew. 2019. TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior. In IMC ’19: ACM Internet Measurement Conference, October 21–23, 2019, Amsterdam, Netherlands. ACM, New York, NY, USA, 14 pages. https://doi.org/10.1145/3355369.3355601
Simple browser and network diagnostic technique
Data sets
By studying TLS use across all application categories, we identified some important trends, including a temporary decrease in the fraction of TLS sessions using 1.3 caused by the adoption of (earlier versions of) TLS by non-browser application categories. This is partly good news in that earlier versions of TLS are still far more secure than the absence of that protocol, but there is a clear need for applications in these categories to modernize their use of TLS.
The fingerprint definition in our knowledge base could be improved by including both inner and outer TLS versions, compression methods, and a value that indicates if the client_random includes a timestamp. These omissions were due to deficiencies in the data collection tools. We are able to easily extend the fingerprint definition to accommodate additional extension data fields as they are introduced into the ecosystem
Zlatina Gancheva, Patrick Sattler∗, Lars Wüstrich∗
TLS Fingerprinting Techniques
Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich, Germany. Email: ga94vad@tum.de, sattler@net.in.tum.de, wuestrich@net.in.tum.d
This paper is divided into 5 Sections. The second Section aims to explain TLS fingerprinting by making a detailed observation of the organization of the encryption it is based on. It provides a brief overview of TLS’s history, current TLS versions in use and explains in detail important steps such as the TLS client-server Handshake. A detailed overview of different fingerprinting techniques is done in the third Section. The applicability of the results is discussed in Section four. Lastly, Section five concludes the paper.
Quantitative.
nil
As mentioned above
Encryption of data is crucial when aiming to protect the privacy of users. In modern networks, the TLS protocol is the current encryption standard for data transferred over the Internet. Although it is used to mask the plain text information from the application layer, TLS also provides a set of unique observable parameters that allow many conclusions to be made about both the client and the server
Impact of negative behavior on job satisfaction, and Motivation.
Saurabh Malgaonkar, Computer Engineering Department, Thadomal Shahani Engineering College, Mumbai University, Mumbai, India. Rohan Patil, Associate Software Engineer, Indus Valley Partners, Mumbai, India. Aishwarya Rai, Test Engineer, AMDOCS, Pune, India
Research on Wi-Fi Security Protocols
International Journal of Computer Applications (0975 – 8887) Volume 164 – No 3, April 2017
WEP protocol [5] is the basic part of IEEE 802.11 (IEEE – Institute of Electrical and Electronics Engineers) standard for the protection of WLAN networks. The basic function of WEP protocol is to provide data security in wireless networks in the same way as it is in the wired networks. Lack of physical connection among users and wireless networks enables all users within the network range to receive data if they have appropriate receivers
Network simulator
Using the network simulator NS2 [9], the attacks in the WSN can be simulated. NS2 creates a replica of a real time network. It is a time based event driven simulator. The code can be written in such a way that at what time, what particular event can happen. The nodes can be created, the data transfer between the nodes and the attacks can be shown. It has become one of the most widely used open source simulators. It is a free simulation tool that can be available online. The simulator consists of a wide variety of applications, protocols like TCP, UDP and many network parameters. It runs on various platforms like UNIX, Mac and windows platforms. This NS2 tool allows to develop a model design for wireless sensor network connection between nodes in the network. Based on the network attacks like denial of service, flood attack, sinkhole attacks, Sybil attack the network security can be tested.
Qualitative and quantitative research
For the implementation of WEP and WPA2 we have to discuss and understand 2 algorithms which form the core in operations of respective protocols. It is important to understand these two methods before we go further and implement them on NS2
To practically understand how WEP and WPA perform in real world situations following operations have been carried out with 20, 30, 50 nodes (computers in operation). All the factors remain same both the protocols are implemented and evaluated. X-graph of NS2 is utilized for evaluating the throughput for the WEP protocol hence implemented. This section deals with results obtained when the security algorithm is WEP employing different number of nodes
No | Authors, Title, Publication | Objectives of the Study | Methodology and the Related Variables | Result | Analysis Techniques | Comments / Gaps
7
Nguyen Duc Thai, Nguyen Huu Hieu
An Improving Way for Website Security Assessment
REV Journal on Electronics and Communications, Vol. 10, No. 1–2, January–June, 2020
the model presents scanning tools, shown as plugins, integrated into the proposed framework. These tools could be called to run anytime, return report to the framework. Because the tools are different, the output formats could be different. We need to change all the output results to the desired formats before generating the final report. Part (2) shows Lexer/Parser for syntax analysis used for whitebox scanning
Quantitative and qualitative
In general, securing the websites is not enough. The websites’ users can still become the victims of a kind of security attacks, called Clickjacking. To protect the users from this attack, we developed a script running on client-side system, automatically detects clickjacking and lets the users continuing their surfing securely
Live clickjacking
We create a program called VulScanner to implement the proposed framework, written in C#. The interface of VulScanner shown in Figure 8, where the users can select plugin(s) and specify the target website to perform testing. As mentioned above, whitebox testing can be used only if the website source code is available.
Experimental technique
The contribution of our paper is not in creation of a new scanning tool, but we suggest the way to integrate different plugins to get better results. We showed that it is very easy to add a new plugin to the framework, easy to configure the framework to work with the new plugin.
Huaqing Lin1, Zheng Yan1, 2, Senior Member, IEEE, Yu Chen3, and Lifang Zhang2
A Survey on Network Security-Related Data Collection Technologies
Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000. Digital Object Identifier 10.1109/ACCESS.2017.Doi Numbe
functional requirements and security requirements, we propose several objectives need to be achieved in the process of security-related data collection. The relationship between the objectives and the requirements is shown in Table I. It must be noted that objectives of network security-related data collection are different from the objectives of general network data collection. In Section IV, we use the proposed objectives of network security-related data to evaluate the existing work about network data collection
Quantitative and qualitative
nil
NETWORK DATA COLLECTION TECHNOLOGIES
n, we present the requirements and objectives in terms of network security-related data collection. Based on the current literature and research, the requirements mainly include functional requirements and security requirements and the objectives consist of functional objectives and security objectives. According to the requirements and objectives, existing works on network security-related data collection can be evaluated with respect to function and security.
Studying network security-related data collection is essential for the detection of network attacks and intrusions, thus contributing to ensure the security of a whole system. In this paper, we introduced the concept of security-related data collection, specified its requirements and defined its objectives regarding both functionalities and security. Furthermore, we presented a taxonomy and classification of data collection technologies.
Research should be continue for more vulnerability of system
No | Authors, Title, Publication | Objectives of the Study | Methodology and the Related Variables | Results | Analysis Techniques | Comments / Gaps
9
The Secure Sockets Layer (SSL) Protocol Version 3.0
A. Freier, P. Karlton (Netscape Communications), P. Kocher (Independent Consultant). Request for Comments: 6101. Category: Historic. ISSN: 2070-1721. August 2011
This document is published as a historical record of the SSL 3.0 protocol. The original Abstract follows. This document specifies version 3.0 of the Secure Sockets Layer (SSL 3.0) protocol, a security protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Qualitative by approaching SSL technique
SSL used for sampling
Network simulator and SSL certificate
Experimental technique
Due to SSL many attacks can be prevented and blocked by firmware. SSL is a reliable way to secure websites