ДЕЦЕНТРАЛІЗОВАНА СИСТЕМА ІДЕНТИФІКАЦІЇ ТА СЕРТИФІКАЦІЇ

This article describes an approach to identification and certification in a decentralized environment. The protocol defines the way to integrate blockchain technology and web-of-trust concepts to create a decentralized public key infrastructure with easy user ID management. The essence of the scheme is to differentiate the entire infrastructure into 2 levels: the level of certification authorities (service providers) that jointly keep track of events related to user certificates; and the level of end users, systems and applications. During creating, updating, and revoking certificates, higher-level members reach a consensus on the confirmation of transactions associated with them, which ensures a higher level of validity of the certificates and synchronization of their status between certification centers. In turn, lower-level members do not need to perform complex verification procedures for a corresponding certificate: unlike the classic X.509 architecture and web-of-trust approach, the maximum number of checks in a chain can be two. An important feature of such a system is its ability to refuse certification centers: in the case of failure and / or compromise of the keys of one certification center, other network members continue to work seamlessly with others, and blockchain technology may make it impossible to add a certificate to a center whose keys have been compromised, because all the events in the system are connected by cryptographic methods. In particular, such a system can be used on the Internet of Things. Each individual sensor must communicate properly with other components of the system as a whole. In order to enable the secure interaction of these components, they must exchange encrypted messages to verify their integrity and authenticity, the provisioning scheme of which is in the described scheme.Ця стаття описує підхід до ідентифікації та сертифікації у децентралізованому середовищі. Протокол визначає шлях інтеграції блокчейн-технології та концепції web-of-trust для створення децентралізованої інфраструктури відкритих ключів зі зручним керуванням ідентифікаторами користувачів. Сутність схеми полягає у розмежуванні усієї інфраструктури на 2 рівня: рівень центрів сертифікації (постачальників послуг), які сумісно ведуть історію подій, що пов’язані з сертифікатами користувачів; та рівень кінцевих користувачів, систем та додатків. При створенні, оновленні та відкликанні сертифікатів, учасники вищого рівня досягають консенсусу відносно підтвердження пов’язаних з цим транзакцій, що забезпечує більш високий рівень валідності сертифікатів та синхронізацію їх стану між центрами сертифікації. У свою чергу учасникам нижчого рівня не потрібно виконувати складні процедури верифікації окремого сертифікату: на відміну від класичної Х.509 архітектури та web-of-trust підходу, максимальна кількість перевірок у ланцюжці може дорівнювати - двом. Важливою особливістю в такій системі є її здатність до відмови центрів сертифікації: у випадку відмови та/чи компрометації ключів одного центру сертифікації, інші учасники мережі продовжують безперебійно працювати з іншими, а технологія блокчейн може забезпечити неможливість додавання сертифікату центром, ключі якого були скомпрометовані, так як всі події в системі зв'язані за допомогою криптографічних методів. Зокрема, така система може використовуватися у Інтерні Речей (Internet of Things). Кожен індивідуальний сенсор повинен правильно комунікувати з іншими компонентами системи в цілому. Для надання безпечної взаємодії цих компонентів, вони повинні обмінюватися зашифрованими повідомленнями з можливістю перевірки їх цілісності та автентичності, схема надання котрих знаходиться в описаній схемі

Security Improvements for the Automatic Identification System

The Automatic Identification System (AIS) is used aboard the vast majority of sea-going vessels in the world as a collision avoidance tool. Currently, the AIS operates without any security features, which make it vulnerable to exploits such as spoofing, hijacking, and replay attacks by malicious parties. This paper examines the work that has been done so far to improve AIS security, as well as the approaches taken on similar problems in the aircraft and vehicular mobile ad-hoc network (MANET) industries. The first major contribution of this paper is the implementation of a Software Defined Radio (SDR) AIS transmitter and receiver which can be used to conduct vulnerability analysis and test the implementation of new security features. The second contribution is the design of a novel authentication protocol which overcomes the existing vulnerabilities in the AIS system. The proposed protocol uses time-delayed hash-chain key disclosures as part of a message authentication code (MAC) appended to automatic position reports to verify the authenticity of a user. This method requires only one additional time slot for broadcast authentication compared to the existing standard and is a significant reduction in message overhead requirements compared to alternative approaches that solely rely on public key infrastructure (PKI). Additionally, there is an embedded time stamp, a feature lacking in the existing system, which makes this protocol resistant to replay attacks. A test implementation of the proposed protocol indicates that it can be deployed as a link layer software update to existing AIS transceivers and can be deployed within the current AIS technical standards as an expanded message set

Key management for beyond 5G mobile small cells: a survey

The highly anticipated 5G network is projected to be introduced in 2020. 5G stakeholders are unanimous that densification of mobile networks is the way forward. The densification will be realized by means of small cell technology, and it is capable of providing coverage with a high data capacity. The EU-funded H2020-MSCA project “SECRET” introduced covering the urban landscape with mobile small cells, since these take advantages of the dynamic network topology and optimizes network services in a cost-effective fashion. By taking advantage of the device-to-device communications technology, large amounts of data can be transmitted over multiple hops and, therefore, offload the general network. However, this introduction of mobile small cells presents various security and privacy challenges. Cryptographic security solutions are capable of solving these as long as they are supported by a key management scheme. It is assumed that the network infrastructure and mobile devices from network users are unable to act as a centralized trust anchor since these are vulnerable targets to malicious attacks. Security must, therefore, be guaranteed by means of a key management scheme that decentralizes trust. Therefore, this paper surveys the state-of-the-art key management schemes proposed for similar network architectures (e.g., mobile ad hoc networks and ad hoc device-to-device networks) that decentralize trust. Furthermore, these key management schemes are evaluated for adaptability in a network of mobile small cells

Mustererkennungsbasierte Verteidgung gegen gezielte Angriffe

The speed at which everything and everyone is being connected considerably outstrips the rate at which effective security mechanisms are introduced to protect them. This has created an opportunity for resourceful threat actors which have specialized in conducting low-volume persistent attacks through sophisticated techniques that are tailored to specific valuable targets. Consequently, traditional approaches are rendered ineffective against targeted attacks, creating an acute need for innovative defense mechanisms. This thesis aims at supporting the security practitioner in bridging this gap by introducing a holistic strategy against targeted attacks that addresses key challenges encountered during the phases of detection, analysis and response. The structure of this thesis is therefore aligned to these three phases, with each one of its central chapters taking on a particular problem and proposing a solution built on a strong foundation on pattern recognition and machine learning. In particular, we propose a detection approach that, in the absence of additional authentication mechanisms, allows to identify spear-phishing emails without relying on their content. Next, we introduce an analysis approach for malware triage based on the structural characterization of malicious code. Finally, we introduce MANTIS, an open-source platform for authoring, sharing and collecting threat intelligence, whose data model is based on an innovative unified representation for threat intelligence standards based on attributed graphs. As a whole, these ideas open new avenues for research on defense mechanisms and represent an attempt to counteract the imbalance between resourceful actors and society at large.In unserer heutigen Welt sind alle und alles miteinander vernetzt. Dies bietet mächtigen Angreifern die Möglichkeit, komplexe Verfahren zu entwickeln, die auf spezifische Ziele angepasst sind. Traditionelle Ansätze zur Bekämpfung solcher Angriffe werden damit ineffektiv, was die Entwicklung innovativer Methoden unabdingbar macht. Die vorliegende Dissertation verfolgt das Ziel, den Sicherheitsanalysten durch eine umfassende Strategie gegen gezielte Angriffe zu unterstützen. Diese Strategie beschäftigt sich mit den hauptsächlichen Herausforderungen in den drei Phasen der Erkennung und Analyse von sowie der Reaktion auf gezielte Angriffe. Der Aufbau dieser Arbeit orientiert sich daher an den genannten drei Phasen. In jedem Kapitel wird ein Problem aufgegriffen und eine entsprechende Lösung vorgeschlagen, die stark auf maschinellem Lernen und Mustererkennung basiert. Insbesondere schlagen wir einen Ansatz vor, der eine Identifizierung von Spear-Phishing-Emails ermöglicht, ohne ihren Inhalt zu betrachten. Anschliessend stellen wir einen Analyseansatz für Malware Triage vor, der auf der strukturierten Darstellung von Code basiert. Zum Schluss stellen wir MANTIS vor, eine Open-Source-Plattform für Authoring, Verteilung und Sammlung von Threat Intelligence, deren Datenmodell auf einer innovativen konsolidierten Graphen-Darstellung für Threat Intelligence Stardards basiert. Wir evaluieren unsere Ansätze in verschiedenen Experimenten, die ihren potentiellen Nutzen in echten Szenarien beweisen. Insgesamt bereiten diese Ideen neue Wege für die Forschung zu Abwehrmechanismen und erstreben, das Ungleichgewicht zwischen mächtigen Angreifern und der Gesellschaft zu minimieren

An Integrated Architecture for Ad Hoc Grids

Extensive research has been conducted by the grid community to enable large-scale collaborations in pre-configured environments. grid collaborations can vary in scale and motivation resulting in a coarse classification of grids: national grid, project grid, enterprise grid, and volunteer grid. Despite the differences in scope and scale, all the traditional grids in practice share some common assumptions. They support mutually collaborative communities, adopt a centralized control for membership, and assume a well-defined non-changing collaboration. To support grid applications that do not confirm to these assumptions, we propose the concept of ad hoc grids. In the context of this research, we propose a novel architecture for ad hoc grids that integrates a suite of component frameworks. Specifically, our architecture combines the community management framework, security framework, abstraction framework, quality of service framework, and reputation framework. The overarching objective of our integrated architecture is to support a variety of grid applications in a self-controlled fashion with the help of a self-organizing ad hoc community. We introduce mechanisms in our architecture that successfully isolates malicious elements from the community, inherently improving the quality of grid services and extracting deterministic quality assurances from the underlying infrastructure. We also emphasize on the technology-independence of our architecture, thereby offering the requisite platform for technology interoperability. The feasibility of the proposed architecture is verified with a high-quality ad hoc grid implementation. Additionally, we have analyzed the performance and behavior of ad hoc grids with respect to several control parameters

Graph-based Analysis of Dynamic Systems

The analysis of dynamic systems provides insights into their time-dependent characteristics. This enables us to monitor, evaluate, and improve systems from various areas. They are often represented as graphs that model the system's components and their relations. The analysis of the resulting dynamic graphs yields great insights into the system's underlying structure, its characteristics, as well as properties of single components. The interpretation of these results can help us understand how a system works and how parameters influence its performance. This knowledge supports the design of new systems and the improvement of existing ones. The main issue in this scenario is the performance of analyzing the dynamic graph to obtain relevant properties. While various approaches have been developed to analyze dynamic graphs, it is not always clear which one performs best for the analysis of a specific graph. The runtime also depends on many other factors, including the size and topology of the graph, the frequency of changes, and the data structures used to represent the graph in memory. While the benefits and drawbacks of many data structures are well-known, their runtime is hard to predict when used for the representation of dynamic graphs. Hence, tools are required to benchmark and compare different algorithms for the computation of graph properties and data structures for the representation of dynamic graphs in memory. Based on deeper insights into their performance, new algorithms can be developed and efficient data structures can be selected. In this thesis, we present four contributions to tackle these problems: A benchmarking framework for dynamic graph analysis, novel algorithms for the efficient analysis of dynamic graphs, an approach for the parallelization of dynamic graph analysis, and a novel paradigm to select and adapt graph data structures. In addition, we present three use cases from the areas of social, computer, and biological networks to illustrate the great insights provided by their graph-based analysis. We present a new benchmarking framework for the analysis of dynamic graphs, the Dynamic Network Analyzer (DNA). It provides tools to benchmark and compare different algorithms for the analysis of dynamic graphs as well as the data structures used to represent them in memory. DNA supports the development of new algorithms and the automatic verification of their results. Its visualization component provides different ways to represent dynamic graphs and the results of their analysis. We introduce three new stream-based algorithms for the analysis of dynamic graphs. We evaluate their performance on synthetic as well as real-world dynamic graphs and compare their runtimes to snapshot-based algorithms. Our results show great performance gains for all three algorithms. The new stream-based algorithm StreaM_k, which counts the frequencies of k-vertex motifs, achieves speedups up to 19,043 x for synthetic and 2882 x for real-world datasets. We present a novel approach for the distributed processing of dynamic graphs, called parallel Dynamic Graph Analysis (pDNA). To analyze a dynamic graph, the work is distributed by a partitioner that creates subgraphs and assigns them to workers. They compute the properties of their respective subgraph using standard algorithms. Their results are used by the collator component to merge them to the properties of the original graph. We evaluate the performance of pDNA for the computation of five graph properties on two real-world dynamic graphs with up to 32 workers. Our approach achieves great speedups, especially for the analysis of complex graph measures. We introduce two novel approaches for the selection of efficient graph data structures. The compile-time approach estimates the workload of an analysis after an initial profiling phase and recommends efficient data structures based on benchmarking results. It achieves speedups of up to 5.4 x over baseline data structure configurations for the analysis of real-word dynamic graphs. The run-time approach monitors the workload during analysis and exchanges the graph representation if it finds a configuration that promises to be more efficient for the current workload. Compared to baseline configurations, it achieves speedups up to 7.3 x for the analysis of a synthetic workload. Our contributions provide novel approaches for the efficient analysis of dynamic graphs and tools to further investigate the trade-offs between different factors that influence the performance.:1 Introduction 2 Notation and Terminology 3 Related Work 4 DNA - Dynamic Network Analyzer 5 Algorithms 6 Parallel Dynamic Network Analysis 7 Selection of Efficient Graph Data Structures 8 Use Cases 9 Conclusion A DNA - Dynamic Network Analyzer B Algorithms C Selection of Efficient Graph Data Structures D Parallel Dynamic Network Analysis E Graph-based Intrusion Detection System F Molecular Dynamic

Journal of Telecommunications and Information Technology, 2014, nr 4

kwartalni

Online social networks: Measurement, analysis, and applications to distributed information systems

Recently, online social networking sites have exploded in popularity. Numerous sites are dedicated to finding and maintaining contacts and to locating and sharing different types of content. Online social networks represent a new kind of information network that differs significantly from existing networks like the Web. For example, in the Web, hyperlinks between content form a graph that is used to organize, navigate, and rank information. The properties of the Web graph have been studied extensively, and have lead to useful algorithms such as PageRank. In contrast, few links exist between content in online social networks and instead, the links exist between content and users, and between users themselves. However, little is known in the research community about the properties of online social network graphs at scale, the factors that shape their structure, or the ways they can be leveraged in information systems. In this thesis, we use novel measurement techniques to study online social networks at scale, and use the resulting insights to design innovative new information systems. First, we examine the structure and growth patterns of online social networks, focusing on how users are connecting to one another. We conduct the first large-scale measurement study of multiple online social networks at scale, capturing information about over 50 million users and 400 million links. Our analysis identifies a common structure across multiple networks, characterizes the underlying processes that are shaping the network structure, and exposes the rich community structure. Second, we leverage our understanding of the properties of online social networks to design new information systems. Specifically, we build two distinct applications that leverage different properties of online social networks. We present and evaluate Ostra, a novel system for preventing unwanted communication that leverages the difficulty in establishing and maintaining relationships in social networks. We also present, deploy, and evaluate PeerSpective, a system for enhancing Web search using the natural community, structure in social networks. Each of these systems has been evaluated on data from real online social networks or in a deployment with real users

Washington University Magazine, Spring 2006

https://digitalcommons.wustl.edu/ad_wumag/1175/thumbnail.jp