  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

SECURITY OF COMMUNICATION IN COMPUTER NETWORKS (KEY MANAGEMENT, VERIFICATION).

LU, WEN-PAI. January 1986
This dissertation concerns investigations on two of the most important problems in establishing communication security in computer networks: (1) developing a model which precisely describes the mechanism that enforces the security policy and requirements for a secure network, and (2) designing a key management scheme for establishing a secure session for end-to-end encryption between a pair of communicants. The security mechanism attempts to ensure secure flow of information between entities assigned to different security classes in different computer systems attached to a computer communication network. The mechanism also controls the accesses to the network devices by the subjects (users and processes executed on behalf of the users). The communication security problem is formulated by using a mathematical model which precisely describes the security requirements for the network. The model integrates the notions of access control and information flow control to provide a Trusted Network Base (TNB) for the network. The demonstration of security of the network when the security mechanism is designed following the present model is given by using mathematical induction techniques. The problem of designing key management schemes for establishing end-to-end encrypted sessions between source-destination pairs when the source and the destination are on different networks interconnected via Gateways and intermediate networks is examined. In such an internet environment, the key management problem attains a high degree of complexity due to the differences in the key distribution mechanisms used in the constituent networks and the infeasibility of effecting extensive hardware and software changes to the existing networks. A hierarchical approach for key management is presented which utilizes the existing network specific protocols at the lower levels and protocols between Authentication Servers and/or Control Centers of different networks at the higher levels. 
Details of this approach are discussed for specific illustrative scenarios to demonstrate the implementational simplicity. A formal verification of the security of the resulting system is also conducted by an axiomatic procedure utilizing certain combinatory logic principles. This approach is general and can be used for verifying the security of any existing key management scheme.
2

A holistic approach to network security in OGSA-based grid systems

Loutsios, Demetrios January 2006
Grid computing technologies facilitate complex scientific collaborations between globally dispersed parties, which make use of heterogeneous technologies and computing systems. However, in recent years the commercial sector has developed a growing interest in Grid technologies. Prominent Grid researchers have predicted Grids will grow into the commercial mainstream, even though its origins were in scientific research. This is much the same way as the Internet started as a vehicle for research collaboration between universities and government institutions, and grew into a technology with large commercial applications. Grids facilitate complex trust relationships between globally dispersed business partners, research groups, and non-profit organizations. Almost any dispersed “virtual organization” willing to share computing resources can make use of Grid technologies. Grid computing facilitates the networking of shared services; the inter-connection of a potentially unlimited number of computing resources within a “Grid” is possible. Grid technologies leverage a range of open standards and technologies to provide interoperability between heterogeneous computing systems. Newer Grids build on key capabilities of Web-Service technologies to provide easy and dynamic publishing and discovery of Grid resources. Due to the inter-organisational nature of Grid systems, there is a need to provide adequate security to Grid users and to Grid resources. This research proposes a framework, using a specific brokered pattern, which addresses several common Grid security challenges, which include: Providing secure and consistent cross-site Authentication and Authorization; Single-sign on capabilities to Grid users; Underlying platform and runtime security, and; Grid network communications and messaging security. These Grid security challenges can be viewed as comprising two (proposed) logical layers of a Grid.
These layers are: a Common Grid Layer (higher level Grid interactions), and a Local Resource Layer (Lower level technology security concerns). This research is concerned with providing a generic and holistic security framework to secure both layers. This research makes extensive use of STRIDE - an acronym for Microsoft's approach to addressing security threats - as part of a holistic Grid security framework. STRIDE and key Grid related standards, such as Open Grid Service Architecture (OGSA), Web-Service Resource Framework (WS-RF), and the Globus Toolkit are used to formulate the proposed framework.
3

Near real-time threat assessment using intrusion detection system's data

Fragkos, Grigorios January 2011
The concept of Intrusion Detection (ID) and the development of such systems have been a major concern for scientists since the late sixties. In recent computer networks, the use of different types of Intrusion Detection Systems (IDS) is considered essential and in most cases mandatory. Major improvements have been achieved over the years and a large number of different approaches have been developed and applied in the way these systems perform Intrusion Detection. The purpose of the research is to introduce a novel approach that will enable us to take advantage of the vast amounts of information generated by the large number of different IDSs, in order to identify suspicious traffic, malicious intentions and network attacks in an automated manner. In order to achieve this, the research focuses upon a system capable of identifying malicious activity in near real-time, that is capable of identifying attacks while they are progressing. The thesis addresses the near real-time threat assessment by researching into current state of the art solutions. Based on the literature review, current Intrusion Detection technologies lean towards event correlation systems using different types of detection techniques. Instead of using linear event signatures or rule sets, the thesis suggests a structured description of network attacks based on the abstracted form of the attacker’s activity. For that reason, the design focuses upon the description of network attacks using the development of footprints. Despite the level of knowledge, capabilities and resources of the attacker, the system compares occurring network events against predefined footprints in order to identify potential malicious activity. Furthermore, based on the implementation of the footprints, the research also focuses upon the design of the Threat Assessment Engine (TAE) which is capable of performing detection in near real-time by the use of the above described footprints.
The outcome of the research proves that it is possible to have an automated process performing threat assessment despite the number of different ongoing attacks taking place simultaneously. The threat assessment process, taking into consideration the system’s architecture, is capable of acting as the human analyst would do when investigating such network activity. This automation speeds up the time-consuming process of manually analysing and comparing data logs deriving from heterogeneous sources, as it performs the task in near real-time. Effectively, by performing this task in near real-time, the proposed system is capable of detecting complicated malicious activity which in other cases, as currently performed, it would be difficult, maybe impossible or results would be generated too late.
4

Security management system for 4G heterogeneous networks

Alquhayz, Hani January 2015
There is constant demand for the development of mobile networks to meet the service requirements of users, and their development is a significant topic of research. The current fourth generation (4G) of mobile networks are expected to provide high speed connections anywhere at any time. Various existing 4G architectures such as LTE and WiMax support only wireless technologies, while an alternative architecture, Y-Comm, has been proposed to combine both existing wired and wireless networks. Y-Comm seeks to meet the main service requirements of 4G by converging the existing networks, so that the user can get better service anywhere and at any time. One of the major characteristics of Y-Comm is heterogeneity, which means that networks with different topologies work together to provide seamless communication to the end user. However, this heterogeneity leads to technical issues which may compromise quality of service, vertical handover and security. Due to the convergence characteristic of Y-Comm, security is considered more significant than in the existing LTE and WiMax networks. These security concerns have motivated this research study to propose a novel security management system. The research aims to meet the security requirements of 4G mobile networks, e.g. preventing end user devices from being used as attack tools. This requirement has not been met clearly in previous studies of Y-Comm, but this study proposes a security management system which does this. This research follows the ITU-T recommendation M.3400 dealing with security violations within Y-Comm networks. It proposes a policy-based security management system to deal with events that trigger actions in the system and uses Ponder2 to implement it. The proposed system, located in the top layer of the Y-Comm architecture, interacts with components of Y-Comm to enforce the appropriate policies. 
Its four main components are the Intelligent Agent, the Security Engine, the Security Policies Database and the Security Administrator. These are represented in this research as managed objects to meet design considerations such as extensibility and modifiability. This research demonstrates that the proposed system meets the security requirements of the Y-Comm environment. Its deployment is possible with managed objects built with Ponder2 for all of the components of Y-Comm, which means that the security management system is able to prevent end user devices from being used as attack tools. It can also achieve other security goals of Y-Comm networks.
5

Design of Anonymity scheme for communication systems

Zhang, Cong, 張聰 January 2002
published_or_final_version / Computer Science and Information Systems / Master / Master of Philosophy
6

Behavioural profiling in mobile networks

Zincir, Ibrahim January 2011
In the last 20 years mobile devices gained an important role in daily life and became must have items for everyone. As mobile devices give us the much needed flexibility and mobility, they also represent one major concern; security. As the information is transmitted from node to node via radio frequencies, an imposter can gain access into a mobile network without the need to gain physical access to firewalls and gateways. Also, as they are light and small, mobile devices are easily lost and often used without any PIN or password protection enabled. Hence, it is not difficult for someone even without any technical knowledge to gain access to such devices if they have been left behind or stolen. As traditional intrusion detection systems are not very effective against this kind of attack, there is a need of a different approach that can assist in the identification of a potential imposter. This thesis begins by assessing the security needs of the mobile devices, and establishes the perceived inadequacy of existing safeguards in this respect. Therefore this research considers using Behaviour-Based Mobile Intrusion Detection System (BeMIDS) that aims to assist the identification of anomalous user activity. This in return presents the two main characteristics needed to classify a legitimate user inside a mobile network: first with whom, when and what type of connection is established and then at where the mobile device is left open. After this the research proposes a novel approach that investigates the application of three machine learning algorithms to profile user behaviour in mobile networks. In BeMIDS, historical user profiles are created and then compared with the real-time ones in order to detect unusual activity in mobile networks. If a user’s behaviour changes, this results in alerting the system as an anomalous activity. 
Specific examples of behaviours that BeMIDS appears to be particularly sensitive to include duration (of calls and of connection with cell towers), time of day (calls are made and cell towers are connected), and frequency of caller usage. In order to classify a legitimate user over a mobile network the thesis then validates this approach by implementing C4.5, RIPPER and SOM algorithms over MIT’s Reality Mining Dataset. The results support the proposed architecture and present accuracy rate as high as 96% for call logs and 94% for tower logs under training conditions.
7

A generalized trust model using network reliability

Mahoney, Glenn R. 10 April 2008
Economic and social activity is increasingly reflected in operations on digital objects and network-mediated interactions between digital entities. Trust is a prerequisite for many of these interactions, particularly if items of value are to be exchanged. The problem is that automated handling of trust-related concerns between distributed entities is a relatively new concept and many existing capabilities are limited or application-specific, particularly in the context of informal or ad-hoc relationships. This thesis contributes a new family of probabilistic trust metrics based on Network Reliability called the Generic Reliability Trust Model (GRTM). This approach to trust modelling is demonstrated with a new, flexible trust metric called Hop-count Limited Transitive Trust (HLTT), and is also applied to an implementation of the existing Maurer Confidence Valuation (MCV) trust metric. All metrics in the GRTM framework utilize a common probabilistic trust model which is the solution of a general reliability problem. Two generalized algorithms are presented for computing GRTM based on inclusion-exclusion and factoring. A conservative approximation heuristic is defined which leads to more practical algorithm performance. A JAVA-based implementation of these algorithms for HLTT and MCV trust metrics is used to demonstrate the impact of the approximation. An XML-based trust-graph representation and a random power-law trust graph generator is used to simulate large informal trust networks.
8

Distributed and collaborative key agreement protocols with authentication and implementation for dynamic peer groups.

January 2003
Lee, Pak-Ching. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2003. / Includes bibliographical references (leaves 80-83). / Abstracts in English and Chinese. / Chapter 1 --- Introduction --- p.1 / Chapter 2 --- Related Work --- p.5 / Chapter 3 --- Tree-Based Group Diffie-Hellman --- p.9 / Chapter 4 --- Interval-Based Distributed Rekeying Algorithms --- p.14 / Chapter 4.1 --- Rebuild Algorithm --- p.15 / Chapter 4.2 --- Batch Algorithm --- p.16 / Chapter 4.3 --- Queue-batch Algorithm --- p.19 / Chapter 5 --- Performance Evaluation --- p.22 / Chapter 5.1 --- Mathematical Analysis --- p.22 / Chapter 5.1.1 --- Analysis of the Rebuild Algorithm --- p.24 / Chapter 5.1.2 --- Analysis of the Batch Algorithm --- p.25 / Chapter 5.1.3 --- Analysis of the Queue-batch Algorithm --- p.30 / Chapter 5.2 --- Experiments --- p.31 / Chapter 5.3 --- Discussion of the experimental results --- p.35 / Chapter 6 --- Authenticated Tree-Based Group Diffie-Hellman --- p.43 / Chapter 6.1 --- Description of A-TGDH --- p.44 / Chapter 6.2 --- Security Analysis --- p.47 / Chapter 7 --- Implementation and Applications --- p.50 / Chapter 7.1 --- Leader and Sponsors --- p.51 / Chapter 7.1.1 --- Leader --- p.51 / Chapter 7.1.2 --- Sponsors --- p.53 / Chapter 7.1.3 --- Rekeying Operation --- p.56 / Chapter 7.2 --- System Architecture --- p.57 / Chapter 7.2.1 --- System Preliminaries --- p.57 / Chapter 7.2.2 --- System Components --- p.58 / Chapter 7.2.3 --- Implementation Considerations --- p.64 / Chapter 7.3 --- SGCL API --- p.65 / Chapter 7.4 --- Experiments --- p.67 / Chapter 7.5 --- Applications --- p.72 / Chapter 7.6 --- Future Extensions --- p.75 / Chapter 8 --- Conclusions and Future Directions --- p.76 / Chapter 8.1 --- Conclusions --- p.76 / Chapter 8.2 --- Future Directions --- p.77 / Chapter 8.2.1 --- Construction of a Hybrid Key Tree with the Physical and Logical Properties --- p.77 / Chapter 8.2.2 --- Extended Implementation --- p.79 / Bibliography --- p.80
9

Multiplexing high speed quantum key distribution with conventional data on a single optical fibre

Patel, Ketaki Animesh January 2015
No description available.
10

An innovative algebraic approach for IP traceback.

January 2004
Chen Zhaole. / Thesis submitted in: Aug 2003. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2004. / Includes bibliographical references (leaves 54-56). / Abstracts in English and Chinese. / Abstract / Acknowledgement / Chapter 1 --- Introduction --- p.1 / Chapter 1.1. --- Motivation --- p.2 / Chapter 1.2. --- The Problem --- p.2 / Chapter 1.3. --- Project Introduction --- p.3 / Chapter 1.4. --- Thesis Outline --- p.4 / Chapter 2 --- Denial-of-Service Attacks --- p.5 / Chapter 2.1 --- Introduction --- p.6 / Chapter 2.2 --- Denial-of-Service Attacks --- p.7 / Chapter 2.2.1 --- Direct DoS Attacks --- p.7 / Chapter 2.2.2 --- Reflector DoS Attacks --- p.11 / Chapter 3 --- Related Work --- p.14 / Chapter 3.1 --- Introduction --- p.15 / Chapter 3.2 --- Link Testing --- p.15 / Chapter 3.3 --- Probabilistic Marking Scheme --- p.16 / Chapter 3.4 --- ICMP Traceback --- p.17 / Chapter 3.5 --- Algebraic Marking Scheme --- p.18 / Chapter 3.6 --- Advanced and Authenticated Marking Scheme --- p.19 / Chapter 4 --- An Innovative Algebraic Approach for IP Traceback --- p.21 / Chapter 4.1 --- Introduction --- p.22 / Chapter 4.2 --- Background --- p.23 / Chapter 4.2.1 --- Definitions --- p.23 / Chapter 4.2.2 --- Assumptions --- p.24 / Chapter 4.2.3 --- Basic Principles --- p.25 / Chapter 4.3 --- Marking Schemes for Tracing DoS Attacks --- p.26 / Chapter 4.3.1 --- Simplified Algebraic Marking Scheme --- p.26 / Chapter 4.3.2 --- Reflective Algebraic Marking Scheme --- p.31 / Chapter 5 --- Feasibility and Performance Analysis --- p.35 / Chapter 5.1 --- Backward Compatibility --- p.36 / Chapter 5.2 --- Number of False Positives --- p.37 / Chapter 5.3 --- Minimum Number of Packets for Reconstruction --- p.38 / Chapter 5.4 --- Multiple Attacks --- p.38 / Chapter 5.5 --- Reconstruction Time --- p.39 / Chapter 5.6 --- Router Performance --- p.39 / Chapter 6 --- Experiment Results --- p.40 / Chapter 6.1 --- Experiments of Simplified Marking Scheme --- p.41 / Chapter 6.2 --- Experiments of Reflective Marking Scheme --- p.44 / Chapter 7 --- Conclusions and future work --- p.47 / Chapter 7.1 --- Conclusions --- p.47 / Chapter 7.2 --- Future Work --- p.48 / Bibliography --- p.50
