Secure Geolocation for Wireless Indoor Networks. Lim, Yu-Xi, 12 April 2006
The objective of the research is to develop an accurate system for indoor location estimation using a secure architecture based on the IEEE 802.11 standard for infrastructure networks. Elements of this secure architecture include: a server-oriented platform for greater trust and manageability; multiple wireless network parameters for improved accuracy; and Support Vector Regression (SVR) for accurate, high-resolution estimates. While these elements have been investigated individually in earlier research, none has combined them into a single security-oriented system. Thus this research investigates the feasibility of using these elements together.

Layer 2 security inter-layering in networks. Altunbasak, Hayriye Celebi, 20 November 2006
An architectural framework is proposed to secure the data link layer (Layer 2) in Internet protocol (IP) over Ethernet networks. In this architecture, a new security inter-layering concept, incorporating cryptographic Layer 2 identities, is introduced. Instead of traditional media access control (MAC) addresses, secure and flexible data link layer identifiers are utilized to securely bind Layer 2 and upper layers. In addition, to create security parameters and negotiate identifiers at the data link layer, a key establishment protocol is presented. Moreover, this architecture incorporates the IEEE 802.1AE standard (MACsec) and uses a key hierarchy similar to the IEEE 802.11i standard for future compatibility of wired and wireless networks. Finally, we provide a security analysis of the new data link layer security architecture.

Intrusion Detection and Response Systems for Mobile Ad Hoc Networks. Huang, Yi-an, 20 November 2006
A mobile ad hoc network (MANET) consists of a group of autonomous mobile nodes with no infrastructure support. In this research, we develop a distributed intrusion detection and response system for MANET, and we believe it presents a second line of defense that cannot be replaced by prevention schemes.
We based our detection framework on the study of attack taxonomy. We then propose a set of detection methods suitable for detecting different attack categories. Our approaches are based on protocol specification analysis with categorical and statistical measures.
Node-based approaches may be too restrictive in scenarios where attack patterns cannot be observed by any isolated node. Therefore, we have developed cooperative detection approaches for a more effective detection model. One approach is to form IDS clusters by grouping nearby nodes, so that information can be exchanged within clusters. The cluster-based scheme is more efficient in terms of power consumption and resource utilization, and it is also shown to be resilient against common security compromises without changing the decentralized assumption.
We further address two response techniques, traceback and filtering. Existing traceback systems are not suitable for MANET because they rely on incompatible assumptions such as trustworthy routers and a static route topology. Our solution, instead, adapts to dynamic topology with no infrastructure requirement. Our solution is also resilient in the face of an arbitrary number of collaborating adversaries. We also develop smart filtering schemes to maximize the dropping rate of attack packets while minimizing the dropping rate of normal packets with a real-time guarantee.
To validate our research, we present a case study using both ns-2 simulation and the MobiEmu emulation platform with three ad hoc routing protocols: AODV, DSR and OLSR. We implemented various representative attacks based on the attack taxonomy. Our experiments show very promising results using node-based and cluster-based approaches.

Scalable and efficient distributed algorithms for defending against malicious Internet activity. Sung, Minho, 31 July 2006
The threat of malicious Internet activities such as Distributed Denial of Service (DDoS) attacks, spam emails or Internet worms/viruses has been increasing in the last several years. The impact and frequency of these malicious activities are expected to grow unless they are properly addressed. In this thesis, we propose to design and evaluate a set of practical and effective protection measures against potential malicious activities in current and future networks. Our research objective is twofold.
First, we design methods to defend against DDoS attacks. Our research focuses on two important issues related to DDoS attack defense mechanisms. One issue is the method to trace the sources of attacking packets, which is known as IP traceback. We propose a novel packet-logging-based (i.e., hash-based) traceback scheme using only a one-bit marking field in the IP header. It reduces processing and storage cost by an order of magnitude compared with the existing hash-based schemes, and is therefore scalable to much higher link speeds (e.g., OC-768). Next, we propose an improved traceback scheme with lower storage overhead by using more marking space in the IP header. Another issue in DDoS defense is to investigate protocol-independent techniques for improving the throughput of legitimate traffic during DDoS attacks. We propose a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic.
Second, we investigate the problem of distributed network monitoring. We propose a set of novel distributed data streaming algorithms that allow scalable and efficient monitoring of aggregated traffic. Our algorithms target the specific network monitoring problem of finding common content in traffic traversing several nodes/links across the Internet. These algorithms find applications in network-wide intrusion detection, early warning for fast-propagating worms, and detection of hot objects and spam traffic.

Snap: Robust Tool for Internet-wide Operating System Fingerprinting. Nandwani, Ankur Bharatbhushan, 2010 December 1900
Different approaches have been developed for TCP/IP fingerprinting, but none of these approaches is suited for Internet-wide fingerprinting. In this work, we develop approaches that rigorously tackle the issue of noise and packet loss while carrying out Internet-wide fingerprinting. We then carry out an Internet-wide scan to determine the distribution of different operating systems on the Internet. The results of our scan indicate that there are approximately 8.9 million publicly accessible web servers on the Internet running Linux, while there are nearly 9.6 million web servers with different embedded operating systems.

Oblivious Handshakes and Sharing of Secrets of Privacy-Preserving Matching and Authentication Protocols. Duan, Pu, 2011 May 1900
The objective of this research is focused on two of the most important privacy-preserving techniques: privacy-preserving element matching protocols and privacy-preserving credential authentication protocols, where an element represents information generated by users themselves and a credential represents a group membership assigned by an independent central authority (CA). The former is also known as a private set intersection (PSI) protocol and the latter is also known as a secret handshake (SH) protocol. In this dissertation, I present a general framework for the design of efficient and secure PSI and SH protocols based on similar message exchange and computing procedures to confirm "commonality" of their exchanged information, while protecting the information from each other when the commonality test fails. I propose to use the homomorphic randomization function (HRF) to meet the privacy-preserving requirements, i.e., a common element/credential can be computed efficiently based on the homomorphism of the function, and an uncommon element/credential is difficult to derive because of the randomization of the same function.
Based on the general framework, two new PSI protocols with linear computing and communication cost are proposed. The first protocol uses a full homomorphic randomization function as the cryptographic basis and the second one uses a partial homomorphic randomization function. Both of them achieve element confidentiality and private set intersection. A new SH protocol is also designed based on the framework, which achieves unlinkability with a reusable pair of credential and pseudonym and the least number of bilinear mapping operations. I also propose to interlock the proposed PSI protocols and SH protocol to design new protocols with new security properties. When a PSI protocol is executed first and the matched elements are associated with the credentials in a following SH protocol, authenticity is guaranteed on matched elements. When an SH protocol is executed first and the verified credentials are used in a following PSI protocol, detection resistance and impersonation attack resistance are guaranteed on matching elements.
The proposed PSI and SH protocols are implemented to provide a privacy-preserving inquiry matching service (PPIM) for social networking applications and a privacy-preserving correlation service (PAC) for network security alerts. PPIM allows online social consumers to find partners with matched inquiries and verified group memberships without exposing any information to unmatched parties. PAC allows independent network alert sources to find common alerts without unveiling their local network information to each other.

The Research of Network Security in IP Traceback. Tseng, Yu-kuo, 29 September 2004
With the dramatic expansion of computers and communication networks, computer crimes, such as threatening letters, fraud, and theft of intellectual property, have been growing at a dreadful rate. The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social threats. The problems of protecting data and information on computers and communication networks have become even more critical and challenging since the widespread adoption of the Internet and the Web. Consequently, it is very urgent to design an integrated network-security architecture so as to make information safer, proactively or reactively defeat any network attack, make attackers accountable, and help the law enforcement system to collect forensic evidence.
Among a variety of attacks on computer servers or communication networks, a prevalent, famous, and serious network-security subject is known as "Denial of Service" (DoS) or "Distributed Denial of Service" (DDoS) attacks. According to an investigation on computer crime conducted by CSI/FBI in 2003, Internet DoS/DDoS attacks have increased in frequency, severity, and sophistication, and have drawn international attention to the vulnerability of the Internet.
DoS/DDoS attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks are among the hardest security problems to address because they are simple to implement, difficult to prevent, and very difficult to trace. Therefore, this dissertation will first concentrate on how to resolve these troublesome DoS/DDoS problems. This is considered the first step toward overcoming generic network security problems, and toward the final goal of accomplishing a total solution for network security.
Instead of tolerating DoS/DDoS attacks by mitigating their effect, tracing back to the attacking source in order to eliminate the attacker is a more aggressive and better approach. However, it is difficult to find the true attacking origin by relying on the incorrect source IP address faked by the attacker.
Accordingly, this dissertation will aim at conquering this representative network security problem, i.e. DoS/DDoS attacks, with IP traceback, and at designing an optimal IP traceback. IP traceback, the ability to trace IP packets to their origins, is a significant step toward identifying, and thus stopping, attackers. A promising solution to IP traceback is probabilistic packet marking (PPM). This traceback approach can be applied during or after an attack, and it does not require any additional network traffic, router storage, or packet size increase. Therefore, the IP traceback research on countering DoS/DDoS attacks will be based on the PPM scheme. In this dissertation, three outstanding improvements among four PPM criteria (convergency, computational overhead, and the incomplete PPM deployment problem) have been achieved.
PPM-NPC is proposed to improve PPM convergency and computational overhead. With non-preemptive compensation, the probability of each marked packet arriving at the victim equals its original marking probability. Therefore, PPM-NPC will efficiently achieve the optimal convergent situation by simply utilizing a 2-byte integer counter. Another better scheme, CPPM, is also proposed, such that the marked packets can be fully compensated as well when they are remarked. With CPPM, the probability of each marked packet arriving at the victim will also equal its original marking probability. Consequently, CPPM will achieve the optimal convergent situation efficiently as well.
Furthermore, RPPM-NPC is presented to advance the accuracy of a reconstructed path in an incomplete PPM deployment environment by correcting and recovering any discontinuous individual transparent router and any segment of consecutive double transparent routers. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path.
Beyond these improved criteria, PPM robustness, some weak assumptions in PPM, and a few unsolved problems for PPM, e.g. reflective DDoS attacks, will also be addressed in the future. It would also be interesting to combine other network security research, such as IDS, system access control mechanisms, etc., to construct a more complete network security architecture.
Therefore, this research is done in order to completely resolve the troublesome flood-style DoS/DDoS problems, and as the basis for accomplishing a total solution for network security.

Mining Network Traffic Data for Supporting Denial of Service Attack Detection. Ma, Shu-Chen, 17 August 2005
Denial of Service (DoS) attacks aim at rendering a computer or network incapable of providing normal services by exploiting bugs or holes in system programs or network communication protocols. Existing DoS attack defense mechanisms (e.g., firewalls, intrusion detection systems, intrusion prevention systems) typically rely on data gathered from gateways of network systems. Because these data are IP-layer or above packet information, existing defense mechanisms are incapable of detecting internal attacks or attackers who disguise themselves by spoofing the source IP addresses of their packets. To address the aforementioned limitations of existing DoS attack defense mechanisms, we propose a classification-based DoS attack detection technique on the basis of the SNMP MIB II data from the network interface, inducing a DoS detection model from a set of training examples that consist of both normal and attack traffic data. The constructed DoS detection model is then used for predicting whether network traffic from the network interface is a DoS attack.
To empirically evaluate our proposed classification-based DoS attack detection technique, we collect, with various traffic aggregation intervals (including 1, 3, and 5 minutes), normal network traffic data from two different environments (including an enterprise network and a university campus network) and attack network traffic (including TCP SYN Flood, Land, Fake Ping, and Angry Ping) from an independent experimental network. Our empirical evaluation results show that the detection accuracy of the proposed technique reaches 98.59% or above in the two network environments. The evaluation results also suggest that the proposed technique is insensitive to the traffic aggregation intervals examined and has a high distinguishing power for the four types of DoS attacks under investigation.

Energy-Aware Key Management in Wireless Ad-Hoc Networks. Chang, Chia-Wen, 26 July 2006
In this thesis, we consider how to reduce the communication cost of the key exchange procedures as much as possible, while secure group communication can still be achieved. Because energy consumption is usually proportional to distance, we use a shortest paths algorithm to find the shortest communication paths between any pair of secure group members. We first propose a straightforward heuristic named Minimum-Energy First-Selected (MEFS). At each step, MEFS selects the pair of group members with the lowest communication cost among all remaining pairs. Though MEFS performs better than random selection, it still has some weaknesses in solving the energy-aware key management problem. So we use the concept of the minimum cost flow problem and, by an appropriate transformation, obtain the optimal solution of the energy-aware key management problem under some constraints. Finally, the simulation results show that the minimum cost flow approach actually works better than MEFS does.

A Security Management System Design. Onder, Hulusi, 01 July 2007
This thesis analyzes the difficulties of managing the security of an enterprise network. The problem that this thesis study deals with is the central management of a large number and variety of services that provide organization-wide network and information security. This study addresses two problem areas: how to better manage the security of a network, and how to explain the security issues to upper management better.
The study proposes a Security Management System (SMS) to be used for network security management, monitoring and reporting purposes. The system is a custom-made, central management solution, which combines the critical performance indicators of the security devices and presents the results via web pages.