61 research outputs found
Security and Privacy Issues in Wireless Mesh Networks: A Survey
This book chapter identifies various security threats in wireless mesh
network (WMN). Keeping in mind the critical requirement of security and user
privacy in WMNs, this chapter provides a comprehensive overview of various
possible attacks on different layers of the communication protocol stack for
WMNs and their corresponding defense mechanisms. First, it identifies the
security vulnerabilities in the physical, link, network, transport, application
layers. Furthermore, various possible attacks on the key management protocols,
user authentication and access control protocols, and user privacy preservation
protocols are presented. After enumerating various possible attacks, the
chapter provides a detailed discussion on various existing security mechanisms
and protocols to defend against and wherever possible prevent the possible
attacks. Comparative analyses are also presented on the security schemes with
regards to the cryptographic schemes used, key management strategies deployed,
use of any trusted third party, computation and communication overhead involved
etc. The chapter then presents a brief discussion on various trust management
approaches for WMNs since trust and reputation-based schemes are increasingly
becoming popular for enforcing security in wireless networks. A number of open
problems in security and privacy issues for WMNs are subsequently discussed
before the chapter is finally concluded.
Comment: 62 pages, 12 figures, 6 tables. This chapter is an extension of the
author's previous submission in arXiv submission: arXiv:1102.1226. There are
some text overlaps with the previous submissio
iPDA: An Integrity-Protecting Private Data Aggregation Scheme for Wireless Sensor Networks
Data aggregation is an efficient mechanism widely used in wireless sensor networks (WSN) to collect statistics about data of interest. However, the shared-medium nature of communication makes WSNs vulnerable to eavesdropping and packet tampering/injection by adversaries. Hence, how to protect data privacy and data integrity are two major challenges for data aggregation in wireless sensor networks. In this paper, we present iPDA, an integrity-protecting private data aggregation scheme. In iPDA, data privacy is achieved through data slicing and assembling technique; and data integrity is achieved through redundancy by constructing disjoint aggregation paths/trees to collect data of interest. In iPDA, the data integrity-protection and data privacy-preservation mechanisms work synergistically. We evaluate the iPDA scheme in terms of the efficacy of privacy preservation, communication overhead, and data aggregation accuracy, comparing with a typical data aggregation scheme, TAG, where no integrity protection and privacy preservation is provided. Both theoretical analysis and simulation results show that iPDA achieves the design goals while still maintaining the efficiency of data aggregation
Hop-by-hop Channel - Alert Routing to Congestion Control in Wireless Sensor Networks
One of the major challenges in wireless sensor networks (WSNs) research is to prevent traffic congestion without compromising the energy of the sensor nodes. Network congestion leads to packet loss, throughput impairment, and energy waste. To address this issue in this paper, a distributed traffic-aware routing scheme with a capacity of adjusting the data transmission rate of nodes is proposed for multi-sink wireless sensor networks that effectively distribute traffic from the source to sink nodes. Our algorithm is designed through constructing a hybrid virtual gradient field using depth and normalized traffic loading to routing and providing a balance between optimal paths and possible congestion on routes toward those sinks. The simulation results indicate that the proposed solution can improve the utilization of network resources, reduce unnecessary packet retransmission, and significantly improve the performance of WSNs. Keywords: Wireless sensor networks; Traffic-aware; Routing; Data transmission rate; Congestion; Gradien
Network Simulation Cradle
This thesis proposes the use of real world network stacks instead of protocol
abstractions in a network simulator, bringing the actual code used in
computer systems inside the simulator and allowing for greater simulation
accuracy. Specifically, a framework called the Network Simulation
Cradle is created that supports the kernel source code from FreeBSD, OpenBSD
and Linux to make the network stacks from these systems available to the
popular network simulator ns-2.
Simulating with these real world network stacks reveals situations where the
result differs significantly from ns-2's TCP models. The simulated
network stacks are able to be directly compared to the same operating system
running on an actual machine, making validation simple. When measuring the
packet traces produced on a test network and in simulation the results are
nearly identical, a level of accuracy previously unavailable using traditional
TCP simulation models. The results of simulations run comparing ns-2 TCP
models and our framework are presented in this dissertation along with
validation studies of our framework showing how closely simulation resembles
real world computers.
Using real world stacks to simulate TCP is a complementary approach to using
the existing TCP models and provides an extra level of validation. This way of
simulating TCP and other protocols provides the network researcher or engineer
new possibilities. One example is using the framework as a protocol
development environment, which allows user-level development of protocols with
a standard set of reproducible tests, the ability to test scenarios which are
costly or impossible to build physically, and being able to trace and debug
the protocol code without affecting results
Advance of the Access Methods
The goal of this paper is to outline the advance of the access methods in the last ten years as well as
to review all methods available in the accessible bibliography
Private and censorship-resistant communication over public networks
Society's increasing reliance on digital communication networks is creating unprecedented opportunities for wholesale
surveillance and censorship. This thesis investigates the use of public networks such as the Internet to build
robust, private communication systems that can resist monitoring and attacks by powerful adversaries such as national
governments.
We sketch the design of a censorship-resistant communication system based on peer-to-peer Internet overlays in which
the participants only communicate directly with people they know and trust. This "friend-to-friend" approach protects
the participants' privacy, but it also presents two significant challenges. The first is that, as with any peer-to-peer
overlay, the users of the system must collectively provide the resources necessary for its operation; some users might
prefer to use the system without contributing resources equal to those they consume, and if many users do so, the
system may not be able to survive.
To address this challenge we present a new game theoretic model of the problem of encouraging cooperation between
selfish actors under conditions of scarcity, and develop a strategy for the game that provides rational incentives for
cooperation under a wide range of conditions.
The second challenge is that the structure of a friend-to-friend overlay may reveal the users' social relationships to
an adversary monitoring the underlying network. To conceal their sensitive relationships from the adversary, the
users must be able to communicate indirectly across the overlay in a way that resists monitoring and attacks by other
participants.
We address this second challenge by developing two new routing protocols that robustly deliver messages across
networks with unknown topologies, without revealing the identities of the communication endpoints to intermediate
nodes or vice versa. The protocols make use of a novel unforgeable acknowledgement mechanism that proves that a
message has been delivered without identifying the source or destination of the message or the path by which it was
delivered. One of the routing protocols is shown to be robust to attacks by malicious participants, while the other
provides rational incentives for selfish participants to cooperate in forwarding messages
Revealing Encryption for Partial Ordering
We generalize the cryptographic notion of Order Revealing Encryption (ORE) to arbitrary functions and we present a construction that allows determining the (partial) ordering of two vectors, i.e., given E(x) and E(y) it is possible to learn whether x is less than or equal to y, y is less than or equal to x or whether x and y are incomparable. This is the first non-trivial example of a Revealing Encryption (RE) scheme with output larger than one bit, and which does not rely on cryptographic obfuscation or multilinear maps
A scheme for efficient peer-to-peer live video streaming over wireless mesh networks
Peers in a Peer-to-Peer (P2P) live video streaming system over hybrid wireless mesh networks (WMNs) enjoy high video quality when both random network coding (RNC) and an efficient hybrid routing protocol are employed. Although RNC is the most recently used method of efficient video streaming, it imposes high transmission overhead and decoding computational complexity on the network which reduces the perceived video quality. Besides that, RNC cannot guarantee the non-existence of linear dependency in the generated coefficients matrix. In WMNs, node mobility has not been efficiently addressed by current hybrid routing protocols that increase video distortion which would lead to low video quality. In addition, these protocols cannot efficiently support nodes which operate in infrastructure mode. Therefore, the purpose of this research is to propose a P2P live video streaming scheme which consists of two phases followed by the integration of these two phases known as the third phase to provide high video quality in hybrid WMNs. In the first phase, a novel coefficients matrix generation and inversion method has been proposed to address the mentioned limitations of RNC. In the second phase, the proposed enhanced hybrid routing protocol was used to efficiently route video streams among nodes using the most stable path with low routing overhead. Moreover, this protocol effectively supports mobility and nodes which operate in infrastructure mode by exploiting the advantages of the designed locator service. Results of simulations from the first phase showed that video distortion as the most important performance metric in live video streaming, had improved by 36 percent in comparison with current RNC method which employs the Gauss-Jordan Elimination (RNC-GJE) method in decoding. Other metrics including frame dependency distortion, initial start-up delay and end-to-end delay have also improved using the proposed method.
Based on previous studies, although Reactive (DYMO) routing protocol provides better performance than other existing routing protocols in a hybrid WMN, the proposed protocol in the second phase had average improvements in video distortion of l86% for hybrid wireless mesh protocol (HWMP), 49% for Reactive (Dynamic MANET On-Demand-DYMO), 75% for Proactive (Optimized Link State Routing-OLSR), and 60% for Ad-hoc on-demand Distance Vector Spanning-Tree (AODV-ST). Other metrics including end-to-end delay, packet delay variation, routing overhead and number of delivered video frames have also improved using the proposed protocol. Finally, the third phase, an integration of the first two phases has proven to be an efficient scheme for high quality P2P live video streaming over hybrid WMNs. This video streaming scheme had averagely improved video distortion by 41%, frame dependency distortion by 50%, initial start-up delay by 15% and end-to-end delay by 33% in comparison with the average introduced values by three other considered integration cases which are Reactive and RNC-GJE, Reactive and the first phase, the second phase and RNC-GJE
Using honeypots to trace back amplification DDoS attacks
In today's interconnected world, Denial-of-Service attacks can cause great harm by simply rendering a target system or service inaccessible. Amongst the most powerful and widespread DoS attacks are amplification attacks, in which thousands of vulnerable servers are tricked into reflecting and amplifying attack traffic. However, as these attacks inherently rely on IP spoofing, the true attack source is hidden. Consequently, going after the offenders behind these attacks has so far been deemed impractical. This thesis presents a line of work that enables practical attack traceback supported by honeypot reflectors. To this end, we investigate the tradeoffs between applicability, required a priori knowledge, and traceback granularity in three settings. First, we show how spoofed attack packets and non-spoofed scan packets can be linked using honeypot-induced fingerprints, which allows attributing attacks launched from the same infrastructures as scans. Second, we present a classifier-based approach to trace back attacks launched from booter services after collecting ground-truth data through self-attacks. Third, we propose to use BGP poisoning to locate the attacking network without prior knowledge and even when attack and scan infrastructures are disjoint. Finally, as all of our approaches rely on honeypot reflectors, we introduce an automated end-to-end pipeline to systematically find amplification vulnerabilities and synthesize corresponding honeypots.
In today's interconnected world, denial-of-service attacks can cause great damage simply by making their target system unreachable. Among the strongest and most widespread DoS attacks are amplification attacks, in which thousands of vulnerable servers are abused to reflect and amplify attack traffic. However, since such attacks necessarily use spoofed IP source addresses, the true attack source is concealed. Tracking down the perpetrators has therefore so far been considered impractical.
This dissertation presents a series of works that enable practical attack traceback through the use of honeypots. To this end, we examine the tension between applicability, required prior knowledge, and traceback granularity in three scenarios. First, we show how spoofed attack packets and non-spoofed scan packets can be linked to one another. This enables us to trace back attacks that were also carried out from scan infrastructures. Second, we present a classifier-based approach to trace back attacks by booter services using data collected beforehand through self-attacks. Third, we show how BGP poisoning can be used to determine the attacking network without further prior knowledge. Finally, we present an automated process to systematically find vulnerabilities and synthesize corresponding honeypots
CONSTRUCTION OF EFFICIENT AUTHENTICATION SCHEMES USING TRAPDOOR HASH FUNCTIONS
In large-scale distributed systems, where adversarial attacks can have widespread impact, authentication provides protection from threats involving impersonation of entities and tampering of data. Practical solutions to authentication problems in distributed systems must meet specific constraints of the target system, and provide a reasonable balance between security and cost. The goal of this dissertation is to address the problem of building practical and efficient authentication mechanisms to secure distributed applications. This dissertation presents techniques to construct efficient digital signature schemes using trapdoor hash functions for various distributed applications. Trapdoor hash functions are collision-resistant hash functions associated with a secret trapdoor key that allows the key-holder to find collisions between hashes of different messages. The main contributions of this dissertation are as follows:
1. A common problem with conventional trapdoor hash functions is that revealing a collision producing message pair allows an entity to compute additional collisions without knowledge of the trapdoor key. To overcome this problem, we design an efficient trapdoor hash function that prevents all entities except the trapdoor key-holder from computing collisions regardless of whether collision producing message pairs are revealed by the key-holder.
2. We design a technique to construct efficient proxy signatures using trapdoor hash functions to authenticate and authorize agents acting on behalf of users in agent-based computing systems. Our technique provides agent authentication, assurance of agreement between delegator and agent, security without relying on secure communication channels and control over an agent's capabilities.
3. We develop a trapdoor hash-based signature amortization technique for authenticating real-time, delay-sensitive streams. Our technique provides independent verifiability of blocks comprising a stream, minimizes sender-side and receiver-side delays, minimizes communication overhead, and avoids transmission of redundant information.
4. We demonstrate the practical efficacy of our trapdoor hash-based techniques for signature amortization and proxy signature construction by presenting discrete log-based instantiations of the generic techniques that are efficient to compute, and produce short signatures.
Our detailed performance analyses demonstrate that the proposed schemes outperform existing schemes in computation cost and signature size. We also present proofs for security of the proposed discrete-log based instantiations against forgery attacks under the discrete-log assumption