OSI SECURITY ARCHITECTURE

• The OSI (Open Systems Interconnection) Security Architecture defines a systematic

approach to providing security at each layer. It defines security services and security
mechanisms that can be used at each of the seven layers of the OSI model to provide
security for data transmitted over a network.
• These security services and mechanisms help to ensure the confidentiality, integrity, and
availability of the data.
OSI SECURITY ARCHITECTURE FOCUSES ON
THESE CONCEPTS:
• Security Attack:
• Security mechanism: A security mechanism is a means of protecting a system, network,
or device against unauthorized access, tampering, or other security threats.
• Security Service:
CLASSIFICATION OF OSI SECURITY ARCHITECTURE

classification of OSI Security Architecture

OSI Security Architecture is categorized into three broad
categories namely Security Attacks, Security
mechanisms, and Security Services.
1. SECURITY ATTACKS:

• A security attack is an attempt by a person or entity to gain unauthorized access to disrupt

or compromise the security of a system, network, or device. These are defined as the
actions that put at risk an organization’s safety. They are further classified into 2 sub-
categories:
A. PASSIVE ATTACK:

• Attacks in which a third-party intruder tries to access the message/ content/ data being
shared by the sender and receiver by keeping a close watch on the transmission or eave-
dropping the transmission is called Passive Attacks. These types of attacks involve the
attacker observing or monitoring system, network, or device activity without actively
disrupting or altering it. Passive attacks are typically focused on gathering information or
intelligence, rather than causing damage or disruption.
B. ACTIVE ATTACKS:

• Active attacks refer to types of attacks that involve the attacker actively disrupting or
altering system, network, or device activity. Active attacks are typically focused on
causing damage or disruption, rather than gathering information or intelligence. Here,
both the sender and receiver have no clue that their message/ data is modified by some
third-party intruder. The message/ data transmitted doesn’t remain in its usual form and
shows deviation from its usual behavior. This makes active attacks dangerous as there is
no information provided of the attack happening in the communication process and the
receiver is not aware that the data/ message received is not from the sender.
2. SECURITY MECHANISM

• The mechanism that is built to identify any breach of security or attack on the
organization, is called a security mechanism. Security Mechanisms are also responsible
for protecting a system, network, or device against unauthorized access, tampering, or
other security threats. Security mechanisms can be implemented at various levels within a
system or network and can be used to provide different types of security, such as
confidentiality, integrity, or availability.
3. SECURITY SERVICES:

• Security services refer to the different services available for maintaining the security and
safety of an organization. They help in preventing any potential risks to security. Security
services are divided into 5 types:
• Authentication is the process of verifying the identity of a user or device in order to grant or
deny access to a system or device.
• Access control involves the use of policies and procedures to determine who is allowed to
access specific resources within a system.
• Data Confidentiality is responsible for the protection of information from being accessed or
disclosed to unauthorized parties.
• Data integrity is a security mechanism that involves the use of techniques to ensure that data
has not been tampered with or altered in any way during transmission or storage.
• Non- repudiation involves the use of techniques to create a verifiable record of the origin and
transmission of a message, which can be used to prevent the sender from denying that they sent
the message.
 BENEFITS OF OSI ARCHITECTURE:
• 1 Providing Security:
• OSI Architecture in an organization provides the needed security and safety, preventing potential threats and
risks.
• Managers can easily take care of the security and there is hassle-free security maintenance done through OSI
Architecture.
• 2. Organising Task:
• The OSI architecture makes it easy for managers to build a security model for the organization based on strong
security principles.
• Managers get the opportunity to organize tasks in an organization effectively.
• 3. Meets International Standards:
• Security services are defined and recognized internationally meeting international standards.
• The standard definition of requirements defined using OSI Architecture is globally accepted.
SECURITY ATTACKS,
MECHANISMS, AND SERVICES
ATTACKS, SERVICES AND MECHANISMS

• Security Attack: Any action that compromises the security of information.

• Security Mechanism: A mechanism that is designed to detect, prevent, or
recover from a security attack.
• Security Service: A service that enhances the security of data processing
systems and information transfers. A security service makes use of one or
more security mechanisms.
ACTIVE ATTACKS:

• Active attacks are a type of cybersecurity attack in which an attacker attempts to alter,
destroy, or disrupt the normal operation of a system or network. Active attacks
involve the attacker taking direct action against the target system or network, and can be
more dangerous than passive attacks, which involve simply monitoring or
eavesdropping on a system or network.
TYPES OF ACTIVE ATTACKS ARE AS FOLLOWS

• Masquerade
• Modification of messages
• Repudiation
• Replay
• Denial of Service
MASQUERADE

• Masquerade is a type of cybersecurity attack in which an attacker pretends to be someone

else in order to gain access to systems or data. This can involve impersonating a
legitimate user or system to trick other users or systems into providing sensitive
information or granting access to restricted areas.
THERE ARE SEVERAL TYPES OF MASQUERADE
ATTACKS, INCLUDING:
• Username and password masquerade: In a username and password masquerade attack, an attacker uses
stolen or forged credentials to log into a system or application as a legitimate user.
• IP address masquerade: In an IP address masquerade attack, an attacker spoofs or forges their IP
address to make it appear as though they are accessing a system or application from a trusted source.
• Website masquerade: In a website masquerade attack, an attacker creates a fake website that appears to
be legitimate in order to trick users into providing sensitive information or downloading malware.
• Email masquerade: In an email masquerade attack, an attacker sends an email that appears to be from a
trusted source, such as a bank or government agency, in order to trick the recipient into providing
sensitive information or downloading malware.
MODIFICATION OF MESSAGES –

• It means that some portion of a message is altered or that message is delayed or reordered
to produce an unauthorized effect. Modification is an attack on the integrity of the
original data. It basically means that unauthorized parties not only gain access to data but
also spoof the data by triggering denial-of-service attacks, such as altering transmitted
data packets or flooding the network with fake data. Manufacturing is an attack on
authentication. For example, a message meaning “Allow JOHN to read confidential file
X” is modified as “Allow Smith to read confidential file X”.
REPUDIATION –

• Repudiation attacks are a type of cybersecurity attack in which an attacker attempts to

deny or repudiate actions that they have taken, such as making a transaction or sending a
message. These attacks can be a serious problem because they can make it difficult to
track down the source of the attack or determine who is responsible for a particular
action.
THERE ARE SEVERAL TYPES OF REPUDIATION
ATTACKS, INCLUDING:
• Message repudiation attacks: In a message repudiation attack, an attacker sends a message and
then later denies having sent it. This can be done by using spoofed or falsified headers or by
exploiting vulnerabilities in the messaging system.
• Transaction repudiation attacks: In a transaction repudiation attack, an attacker makes a
transaction, such as a financial transaction, and then later denies having made it. This can be done
by exploiting vulnerabilities in the transaction processing system or by using stolen or falsified
credentials.
• Data repudiation attacks: In a data repudiation attack, an attacker modifies or deletes data and
then later denies having done so. This can be done by exploiting vulnerabilities in the data storage
system or by using stolen or falsified credentials.
REPLAY –

• It involves the passive capture of a message and its subsequent transmission to produce
an authorized effect. In this attack, the basic aim of the attacker is to save a copy of the
data originally present on that particular network and later on use this data for personal
uses. Once the data is corrupted or leaked it is insecure and unsafe for the users.
DENIAL OF SERVICE –

• Denial of Service (DoS) is a type of cybersecurity attack that is designed to make a

system or network unavailable to its intended users by overwhelming it with traffic or
requests. In a DoS attack, an attacker floods a target system or network with traffic or
requests in order to consume its resources, such as bandwidth, CPU cycles, or memory,
and prevent legitimate users from accessing it.
THERE ARE SEVERAL TYPES OF DOS ATTACKS,
INCLUDING:
• Flood attacks: In a flood attack, an attacker sends a large number of packets or requests to a target system or
network in order to overwhelm its resources.
• Amplification attacks: In an amplification attack, an attacker uses a third-party system or network to amplify
their attack traffic and direct it towards the target system or network, making the attack more effective.
• To prevent DoS attacks, organizations can implement several measures, such as:
• 1.Using firewalls and intrusion detection systems to monitor network traffic and block suspicious activity.
• 2.Limiting the number of requests or connections that can be made to a system or network.
• 3.Using load balancers and distributed systems to distribute traffic across multiple servers or networks.
• 4.Implementing network segmentation and access controls to limit the impact of a DoS attack.
PASSIVE ATTACKS:

• A Passive attack attempts to learn or make use of information from the system but does
not affect system resources. Passive Attacks are in the nature of eavesdropping on or
monitoring transmission. The goal of the opponent is to obtain information that is being
transmitted. Passive attacks involve an attacker passively monitoring or collecting data
without altering or destroying it. Examples of passive attacks include eavesdropping,
where an attacker listens in on network traffic to collect sensitive information, and
sniffing, where an attacker captures and analyzes data packets to steal sensitive
information.
TYPES OF PASSIVE ATTACKS ARE AS FOLLOWS:

• The release of message content

• Traffic analysis
THE RELEASE OF MESSAGE CONTENT –

• Telephonic conversation, an electronic mail message, or a transferred file may contain

sensitive or confidential information. We would like to prevent an opponent from learning
the contents of these transmissions.
TRAFFIC ANALYSIS –

• Suppose that we had a way of masking (encryption) information, so that the attacker even
if captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host and could
observe the frequency and length of messages being exchanged. This information might
be useful in guessing the nature of the communication that was taking place.
The most useful protection against traffic analysis is encryption of SIP traffic. To do this,
an attacker would have to access the SIP proxy (or its call log) to determine who made
the call.
CONVENTIONAL ENCRYPTION PRINCIPLES

• An encryption scheme has five ingredients:

• Plaintext Encryption algorithm
• Secret Key
• Ciphertext
• Decryption algorithm
• Security depends on the secrecy of the key, not the secrecy of the algorithm
TYPES OF SECURITY MECHANISM

• Network Security is field in computer technology that deals with ensuring security of
computer network infrastructure. As the network is very necessary for sharing of
information whether it is at hardware level such as printer, scanner, or at software level.
Therefore security mechanism can also be termed as is set of processes that deal with
recovery from security attack. Various mechanisms are designed to recover from these
specific attacks at various protocol layers.
TYPES OF SECURITY MECHANISM ARE

• Encipherment :
This security mechanism deals with hiding and covering of data which helps data to
become confidential. It is achieved by applying mathematical calculations or algorithms
which reconstruct information into not readable form. It is achieved by two famous
techniques named Cryptography and Encipherment. Level of data encryption is
dependent on the algorithm used for encipherment.
• Access Control :
This mechanism is used to stop unattended access to data which you are sending. It can
be achieved by various techniques such as applying passwords, using firewall, or just by
adding PIN to data.
• Notarization :
This security mechanism involves use of trusted third party in communication. It acts as
mediator between sender and receiver so that if any chance of conflict is reduced. This
mediator keeps record of requests made by sender to receiver for later denied.
• Data Integrity :
This security mechanism is used by appending value to data to which is created by data itself.
It is similar to sending packet of information known to both sending and receiving parties and
checked before and after data is received. When this packet or data which is appended is
checked and is the same while sending and receiving data integrity is maintained.
• Authentication exchange :
This security mechanism deals with identity to be known in communication. This is achieved
at the TCP/IP layer where two-way handshaking mechanism is used to ensure data is sent or
not
• Bit stuffing :
This security mechanism is used to add some extra bits into data which is being
transmitted. It helps data to be checked at the receiving end and is achieved by Even
parity or Odd Parity.
• Digital Signature :
This security mechanism is achieved by adding digital data that is not visible to eyes. It is
form of electronic signature which is added by sender which is checked by receiver
electronically. This mechanism is used to preserve data which is not more confidential but
sender’s identity is to be notified.