SECURITY OF COMMUNICATION IN COMPUTER NETWORKS (KEY MANAGEMENT, VERIFICATION).

LU, WEN-PAI.

January 1986

This dissertation concerns investigations on two of the most important problems in establishing communication security in computer networks: (1) developing a model which precisely describes the mechanism that enforces the security policy and requirements for a secure network, and (2) designing a key management scheme for establishing a secure session for end-to-end encryption between a pair of communicants. The security mechanism attempts to ensure secure flow of information between entities assigned to different security classes in different computer systems attached to a computer communication network. The mechanism also controls the accesses to the network devices by the subjects (users and processes executed on behalf of the users). The communication security problem is formulated by using a mathematical model which precisely describes the security requirements for the network. The model integrates the notions of access control and information flow control to provide a Trusted Network Base (TNB) for the network. The demonstration of security of the network when the security mechanism is designed following the present model is given by using mathematical induction techniques. The problem of designing key management schemes for establishing end-to-end encrypted sessions between source-destination pairs when the source and the destination are on different networks interconnected via Gateways and intermediate networks is examined. In such an internet environment, the key management problem attains a high degree of complexity due to the differences in the key distribution mechanisms used in the constituent networks and the infeasibility of effecting extensive hardware and software changes to the existing networks. A hierarchical approach for key management is presented which utilizes the existing network specific protocols at the lower levels and protocols between Authentication Servers and/or Control Centers of different networks at the higher levels. Details of this approach are discussed for specific illustrative scenarios to demonstrate the implementational simplicity. A formal verification of the security of the resulting system is also conducted by an axiomatic procedure utilizing certain combinatory logic principles. This approach is general and can be used for verifying the security of any existing key management scheme.

Computer networks -- Security measures.

A holistic approach to network security in OGSA-based grid systems

Loutsios, Demetrios

January 2006

Grid computing technologies facilitate complex scientific collaborations between globally dispersed parties, which make use of heterogeneous technologies and computing systems. However, in recent years the commercial sector has developed a growing interest in Grid technologies. Prominent Grid researchers have predicted Grids will grow into the commercial mainstream, even though its origins were in scientific research. This is much the same way as the Internet started as a vehicle for research collaboration between universities and government institutions, and grew into a technology with large commercial applications. Grids facilitate complex trust relationships between globally dispersed business partners, research groups, and non-profit organizations. Almost any dispersed “virtual organization” willing to share computing resources can make use of Grid technologies. Grid computing facilitates the networking of shared services; the inter-connection of a potentially unlimited number of computing resources within a “Grid” is possible. Grid technologies leverage a range of open standards and technologies to provide interoperability between heterogeneous computing systems. Newer Grids build on key capabilities of Web-Service technologies to provide easy and dynamic publishing and discovery of Grid resources. Due to the inter-organisational nature of Grid systems, there is a need to provide adequate security to Grid users and to Grid resources. This research proposes a framework, using a specific brokered pattern, which addresses several common Grid security challenges, which include: Providing secure and consistent cross-site Authentication and Authorization; Single-sign on capabilities to Grid users; Abstract iii; Underlying platform and runtime security, and; Grid network communications and messaging security. These Grid security challenges can be viewed as comprising two (proposed) logical layers of a Grid. These layers are: a Common Grid Layer (higher level Grid interactions), and a Local Resource Layer (Lower level technology security concerns). This research is concerned with providing a generic and holistic security framework to secure both layers. This research makes extensive use of STRIDE - an acronym for Microsoft approach to addressing security threats - as part of a holistic Grid security framework. STRIDE and key Grid related standards, such as Open Grid Service Architecture (OGSA), Web-Service Resource Framework (WS-RF), and the Globus Toolkit are used to formulate the proposed framework.

Computer networks -- Security measures

Near real-time threat assessment using intrusion detection system's data

Fragkos, Grigorios

January 2011

The concept of Intrusion Detection (ID) and the development of such systems have been a major concern for scientists since the late sixties. In recent computer networks, the use of different types of Intrusion Detection Systems (IDS) is considered essential and in most cases mandatory. Major improvements have been achieved over the years and a large number of different approaches have been developed and applied in the way these systems perform Intrusion Detection. The purpose of the research is to introduce a novel approach that will enable us to take advantage of the vast amounts of information generated by the large number of different IDSs, in order to identify suspicious traffic, malicious intentions and network attacks in an automated manner. In order to achieve this, the research focuses upon a system capable of identifying malicious activity in near real-time, that is capable of identifying attacks while they are progressing. The thesis addresses the near real-time threat assessment by researching into current state of the art solutions. Based on the literature review, current Intrusion Detection technologies lean towards event correlation systems using different types of detections techniques. Instead of using linear event signatures or rule sets, the thesis suggests a structured description of network attacks based on the abstracted form of the attacker’s activity. For that reason, the design focuses upon the description of network attacks using the development of footprints. Despite the level of knowledge, capabilities and resources of the attacker, the system compares occurring network events against predefined footprints in order to identify potential malicious activity. Furthermore, based on the implementation of the footprints, the research also focuses upon the design of the Threat Assessment Engine (TAE) which is capable of performing detection in near real-time by the use of the above described footprints. The outcome of the research proves that it is possible to have an automated process performing threat assessment despite the number of different ongoing attacks taking place simultaneously. The threat assessment process, taking into consideration the system’s architecture, is capable of acting as the human analyst would do when investigating such network activity. This automation speeds up the time-consuming process of manually analysing and comparing data logs deriving from heterogeneous sources, as it performs the task in near real-time. Effectively, by performing the this task in near real-time, the proposed system is capable of detecting complicated malicious activity which in other cases, as currently performed, it would be difficult, maybe impossible or results would be generated too late.

005.8

Computer networks Security measures

Design of Anonymity scheme for communication systems

Zhang, Cong, 張聰

January 2002

published_or_final_version / Computer Science and Information Systems / Master / Master of Philosophy

Data protection.

Cryptography.

Computer networks - Security measures.

A generalized trust model using network reliability

Mahoney, Glenn R.

10 April 2008

Economic and social activity is increasingly reflected in operations on digital objects and network-mediated interactions between digital entities. Trust is a prerequisite for many of these interactions, particularly if items of value are to be exchanged. The problem is that automated handling of trust-related concerns between distributed entities is a relatively new concept and many existing capabilities are limited or application-specific, particularly in the context of informal or ad-hoc relationships. This thesis contributes a new family of probabilistic trust metrics based on Network Reliability called the Generic Reliability Trust Model (GRTM). This approach to trust modelling is demonstrated with a new, flexible trust metric called Hop-count Limited Transitive Trust (HLTT), and is also applied to an implementation of the existing Maurer Confidence Valuation (MCV) trust metric. All metrics in the GRTM framework utilize a common probabilistic trust model which is the solution of a general reliability problem. Two generalized algorithms are presented for computing GRTM based on inclusion-exclusion and factoring. A conservative approximation heuristic is defined which leads to more practical algorithm performance. A JAVA-based implementation of these algorithms for HLTT and MCV trust metrics is used to demonstrate the impact of the approximation. An XML-based trust-graph representation and a random power-law trust graph generator is used to simulate large informal trust networks.

Computer networks -- Security measures

Internet -- Security measures

Distributed and collaborative key agreement protocols with authentication and implementation for dynamic peer groups.

January 2003

Lee, Pak-Ching. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2003. / Includes bibliographical references (leaves 80-83). / Abstracts in English and Chinese. / Chapter 1 --- Introduction --- p.1 / Chapter 2 --- Related Work --- p.5 / Chapter 3 --- Tree-Based Group Diffie-Hellman --- p.9 / Chapter 4 --- Interval-Based Distributed Rekeying Algorithms --- p.14 / Chapter 4.1 --- Rebuild Algorithm --- p.15 / Chapter 4.2 --- Batch Algorithm --- p.16 / Chapter 4.3 --- Queue-batch Algorithm --- p.19 / Chapter 5 --- Performance Evaluation --- p.22 / Chapter 5.1 --- Mathematical Analysis --- p.22 / Chapter 5.1.1 --- Analysis of the Rebuild Algorithm --- p.24 / Chapter 5.1.2 --- Analysis of the Batch Algorithm --- p.25 / Chapter 5.1.3 --- Analysis of the Queue-batch Algorithm --- p.30 / Chapter 5.2 --- Experiments --- p.31 / Chapter 5.3 --- Discussion of the experimental results --- p.35 / Chapter 6 --- Authenticated Tree-Based Group Diffie-Hellman --- p.43 / Chapter 6.1 --- Description of A-TGDH --- p.44 / Chapter 6.2 --- Security Analysis --- p.47 / Chapter 7 --- Implementation and Applications --- p.50 / Chapter 7.1 --- Leader and Sponsors --- p.51 / Chapter 7.1.1 --- Leader --- p.51 / Chapter 7.1.2 --- Sponsors --- p.53 / Chapter 7.1.3 --- Rekeying Operation --- p.56 / Chapter 7.2 --- System Architecture --- p.57 / Chapter 7.2.1 --- System Preliminaries --- p.57 / Chapter 7.2.2 --- System Components --- p.58 / Chapter 7.2.3 --- Implementation Considerations --- p.64 / Chapter 7.3 --- SGCL API --- p.65 / Chapter 7.4 --- Experiments --- p.67 / Chapter 7.5 --- Applications --- p.72 / Chapter 7.6 --- Future Extensions --- p.75 / Chapter 8 --- Conclusions and Future Directions --- p.76 / Chapter 8.1 --- Conclusions --- p.76 / Chapter 8.2 --- Future Directions --- p.77 / Chapter 8.2.1 --- Construction of a Hybrid Key Tree with the Physical and Logical Properties --- p.77 / Chapter 8.2.2 --- Extended Implementation --- p.79 / Bibliography --- p.80

Computer networks--Security measures

Authentication

Computer algorithms

Multiplexing high speed quantum key distribution with conventional data on a single optical fibre

Patel, Ketaki Animesh

January 2015

No description available.

620

An innovative algebraic approach for IP traceback.

January 2004

Chen Zhaole. / Thesis submitted in: Aug 2003. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2004. / Includes bibliographical references (leaves 54-56). / Abstracts in English and Chinese. / Abstract / Acknowledgement / Chapter 1 --- Introduction --- p.1 / Chapter 1.1. --- Motivation --- p.2 / Chapter 1.2. --- The Problem --- p.2 / Chapter 1.3. --- Project Introduction --- p.3 / Chapter 1.4. --- Thesis Outline --- p.4 / Chapter 2 --- Denial-of-Service Attacks --- p.5 / Chapter 2.1 --- Introduction --- p.6 / Chapter 2.2 --- Denial-of-Service Attacks --- p.7 / Chapter 2.2.1 --- Direct DoS Attacks --- p.7 / Chapter 2.2.2 --- Reflector DoS Attacks --- p.11 / Chapter 3 --- Related Work --- p.14 / Chapter 3.1 --- Introduction --- p.15 / Chapter 3.2 --- Link Testing --- p.15 / Chapter 3.3 --- Probabilistic Marking Scheme --- p.16 / Chapter 3.4 --- ICMP Traceback --- p.17 / Chapter 3.5 --- Algebraic Marking Scheme --- p.18 / Chapter 3.6 --- Advanced and Authenticated Marking Scheme --- p.19 / Chapter 4 --- An Innovative Algebraic Approach for IP Traceback --- p.21 / Chapter 4.1 --- Introduction --- p.22 / Chapter 4.2 --- Background --- p.23 / Chapter 4.2.1 --- Definitions --- p.23 / Chapter 4.2.2 --- Assumptions --- p.24 / Chapter 4.2.3 --- Basic Principles --- p.25 / Chapter 4.3 --- Marking Schemes for Tracing DoS Attacks --- p.26 / Chapter 4.3.1 --- Simplified Algebraic Marking Scheme --- p.26 / Chapter 4.3.2 --- Reflective Algebraic Marking Scheme --- p.31 / Chapter 5 --- Feasibility and Performance Analysis --- p.35 / Chapter 5.1 --- Backward Compatibility --- p.36 / Chapter 5.2 --- Number of False Positives --- p.37 / Chapter 5.3 --- Minimum Number of Packets for Reconstruction --- p.38 / Chapter 5.4 --- Multiple Attacks --- p.38 / Chapter 5.5 --- Reconstruction Time --- p.39 / Chapter 5.6 --- Router Performance --- p.39 / Chapter 6 --- Experiment Results --- p.40 / Chapter 6.1 --- Experiments of Simplified Marking Scheme --- p.41 / Chapter 6.2 --- Experiments of Reflective Marking Scheme --- p.44 / Chapter 7 --- Conclusions and future work --- p.47 / Chapter 7.1 --- Conclusions --- p.47 / Chapter 7.2 --- Future Work --- p.48 / Bibliography --- p.50

Computer networks--Security measures

Computer security

Towards IP traceback based defense against DDoS attacks.

January 2004

Lau Nga Sin. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2004. / Includes bibliographical references (leaves 101-110). / Abstracts in English and Chinese. / Abstract --- p.i / Acknowledgement --- p.iv / Chapter 1 --- Introduction --- p.1 / Chapter 1.1 --- Research Motivation --- p.2 / Chapter 1.2 --- Problem Statement --- p.3 / Chapter 1.3 --- Research Objectives --- p.4 / Chapter 1.4 --- Structure of the Thesis --- p.6 / Chapter 2 --- Background Study on DDoS Attacks --- p.8 / Chapter 2.1 --- Distributed Denial of Service Attacks --- p.8 / Chapter 2.1.1 --- DDoS Attack Architecture --- p.9 / Chapter 2.1.2 --- DDoS Attack Taxonomy --- p.11 / Chapter 2.1.3 --- DDoS Tools --- p.19 / Chapter 2.1.4 --- DDoS Detection --- p.21 / Chapter 2.2 --- DDoS Countermeasure: Attack Source Traceback --- p.23 / Chapter 2.2.1 --- Link Testing --- p.23 / Chapter 2.2.2 --- Logging --- p.24 / Chapter 2.2.3 --- ICMP-based traceback --- p.26 / Chapter 2.2.4 --- Packet marking --- p.28 / Chapter 2.2.5 --- Comparison of various IP Traceback Schemes --- p.31 / Chapter 2.3 --- DDoS Countermeasure: Packet Filtering --- p.33 / Chapter 2.3.1 --- Ingress Filtering --- p.33 / Chapter 2.3.2 --- Egress Filtering --- p.34 / Chapter 2.3.3 --- Route-based Packet Filtering --- p.35 / Chapter 2.3.4 --- IP Traceback-based Packet Filtering --- p.36 / Chapter 2.3.5 --- Router-based Pushback --- p.37 / Chapter 3 --- Domain-based IP Traceback Scheme --- p.40 / Chapter 3.1 --- Overview of our IP Traceback Scheme --- p.41 / Chapter 3.2 --- Assumptions --- p.44 / Chapter 3.3 --- Proposed Packet Marking Scheme --- p.45 / Chapter 3.3.1 --- IP Markings with Edge Sampling --- p.46 / Chapter 3.3.2 --- Domain-based Design Motivation --- p.48 / Chapter 3.3.3 --- Mathematical Principle --- p.49 / Chapter 3.3.4 --- Marking Mechanism --- p.51 / Chapter 3.3.5 --- Storage Space of the Marking Fields --- p.56 / Chapter 3.3.6 --- Packet Marking Integrity --- p.57 / Chapter 3.3.7 --- Path Reconstruction --- p.58 / Chapter 4 --- Route-based Packet Filtering Scheme --- p.62 / Chapter 4.1 --- Placement of Filters --- p.63 / Chapter 4.1.1 --- At Sources' Networks --- p.64 / Chapter 4.1.2 --- At Victim's Network --- p.64 / Chapter 4.2 --- Proposed Packet Filtering Scheme --- p.65 / Chapter 4.2.1 --- Classification of Packets --- p.66 / Chapter 4.2.2 --- Filtering Mechanism --- p.67 / Chapter 5 --- Performance Evaluation --- p.70 / Chapter 5.1 --- Simulation Setup --- p.70 / Chapter 5.2 --- Experiments on IP Traceback Scheme --- p.72 / Chapter 5.2.1 --- Performance Metrics --- p.72 / Chapter 5.2.2 --- Choice of Marking Probabilities --- p.73 / Chapter 5.2.3 --- Experimental Results --- p.75 / Chapter 5.3 --- Experiments on Packet Filtering Scheme --- p.82 / Chapter 5.3.1 --- Performance Metrics --- p.82 / Chapter 5.3.2 --- Choices of Filtering Probabilities --- p.84 / Chapter 5.3.3 --- Experimental Results --- p.85 / Chapter 5.4 --- Deployment Issues --- p.91 / Chapter 5.4.1 --- Backward Compatibility --- p.91 / Chapter 5.4.2 --- Processing Overheads to the Routers and Network --- p.93 / Chapter 5.5 --- Evaluations --- p.95 / Chapter 6 --- Conclusion --- p.96 / Chapter 6.1 --- Contributions --- p.96 / Chapter 6.2 --- Discussions and future work --- p.99 / Bibliography --- p.110

Computer networks--Security measures

Computer security

An effective methodology to traceback DDoS attackers.

January 2003

Lam, Kwok Tai. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2003. / Includes bibliographical references (leaves 64-66). / Abstracts in English and Chinese. / Chapter 1 --- Introduction to Network Security via Efficient IP Traceback --- p.10 / Chapter 1.1 --- Motivation --- p.10 / Chapter 1.2 --- DDoS Attacker Traceback Problem --- p.11 / Chapter 1.3 --- Document Roadmap --- p.13 / Chapter 2 --- Background --- p.14 / Chapter 2.1 --- Probabilistic Edge Marking Algorithm --- p.14 / Chapter 2.1.1 --- Probabilistic Edge Marking Procedure --- p.15 / Chapter 2.1.2 --- Attack Graph Construction Procedure --- p.17 / Chapter 2.1.3 --- Advantages and Disadvantages of Algorithm --- p.19 / Chapter 3 --- Attacker Traceback: Linear Topology --- p.22 / Chapter 3.1 --- Determination of Local Traffic Rates --- p.23 / Chapter 3.2 --- Determination of Minimum Stable Time tmin --- p.25 / Chapter 3.3 --- Elimination of Attackers --- p.26 / Chapter 4 --- Attacker Traceback: General Topology --- p.30 / Chapter 4.1 --- Determination of Local Traffic Rates --- p.30 / Chapter 4.2 --- Determination of Minimum Stable Time tmin --- p.33 / Chapter 5 --- Simulations --- p.36 / Chapter 5.1 --- Simulation 1 - Correctness and robustness of estimating the min- imum stable time tmin --- p.37 / Chapter 5.1.1 --- Simulation l.A - Influence on tmin by different packet arrival processes --- p.37 / Chapter 5.1.2 --- Simulation l.B - Influence on tmin by different packet arrival processes under MMPP --- p.38 / Chapter 5.1.3 --- Simulation l.C - Influence on tmin and variance of traffic rate estimation by different pthreshold --- p.39 / Chapter 5.2 --- Simulation 2 - Factors which influence the minimum stable time tmin --- p.40 / Chapter 5.2.1 --- Simulation 2.A - Influence on tmin by different length of the attack path --- p.41 / Chapter 5.2.2 --- Simulation 2.B - Influence on tmin by the relative posi- tions of the attackers --- p.42 / Chapter 5.2.3 --- Simulation 2.C - Influence on tmin by different ATR and different length of the attack path --- p.43 / Chapter 5.3 --- Simulation 3 - Extension to General Network Topology --- p.45 / Chapter 5.3.1 --- Simulation 3.A - Influence on tmin by different ATR and different diameter of the network topology --- p.45 / Chapter 5.3.2 --- Simulation 3.B - Influence on tmin by different number of attackers --- p.46 / Chapter 5.4 --- Simulation 4 - Extension to Internet Topology --- p.47 / Chapter 5.4.1 --- Simulation 4.A - Influence on tminby different diameter of the network topology --- p.49 / Chapter 5.4.2 --- Simulation 4.B - Influence on tmin by different number of attackers --- p.50 / Chapter 6 --- Experiments --- p.51 / Chapter 6.1 --- Experiment 1: Simple DoS Attack --- p.53 / Chapter 6.1.1 --- Experiment l.A - Influence on tmin by different types of DDoS attack --- p.54 / Chapter 6.1.2 --- Experiment l.B - Influence on tmin by different length of the attack path --- p.55 / Chapter 6.2 --- Experiment 2: Coordinated DoS Attack --- p.55 / Chapter 6.2.1 --- Experiment 2.A - Influence on tmin by the relative posi- tions of the attackers --- p.56 / Chapter 6.2.2 --- Experiment 2.B - Influence on tmin by different number of attackers --- p.58 / Chapter 7 --- Related Work --- p.59 / Chapter 8 --- Conclusion --- p.62 / Bibliography --- p.64

Computer networks--Security measures

Computer security

Hackers