  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Prevention and Detection of Intrusions in Wireless Sensor Networks

Butun, Ismail 01 January 2013 (has links)
Wireless Sensor Networks (WSNs) continue to grow as one of the most exciting and challenging research areas of engineering. They are characterized by severely constrained computational and energy resources and also restricted by the ad-hoc network operational environment. They pose unique challenges, due to limited power supplies, low transmission bandwidth, small memory sizes and limited energy. Therefore, security techniques used in traditional networks cannot be directly adopted. So, new ideas and approaches are needed, in order to increase the overall security of the network. Security applications in such resource-constrained WSNs with minimum overhead provide significant challenges, and are the main focus of this dissertation. There is no "one size fits all" solution in defending WSNs against intrusions and attacks. Therefore, intrusions and attacks against WSNs should be carefully examined to reveal specific vulnerabilities associated with them, before beginning the design of any kind of intrusion prevention and detection systems. By following this rationale, the dissertation starts with providing information regarding the WSNs, types of attacks towards WSNs, and the methods on how to prevent and detect them. Then, in order to secure WSNs, a security provisioning plan is provided. In general, the following processes may be involved in securing WSNs: Intrusion Prevention, Intrusion Detection, and Intrusion Mitigation. This dissertation presents solutions (algorithms and schemes) to the first two lines of defenses of the security provisioning plan, namely, Intrusion Prevention and Intrusion Detection. As a first line of defense in securing WSNs, this dissertation presents our proposed algorithm ("Two-Level User Authentication" scheme) as an Intrusion Prevention System (IPS) for WSNs. The algorithm uses two-level authentication between a sensor node and a user. 
It is designed for heterogeneous WSNs, meaning that the network consists of two components: regular nodes and more powerful cluster heads. The proposed scheme is evaluated both analytically and also in a simulation environment, by comparing it to the current state-of-the-art schemes in the literature. A comprehensive and systematic survey of the state-of-the-art in Intrusion Detection Systems (IDSs) that are proposed for Mobile Ad-Hoc Networks (MANETs) and WSNs is presented. Firstly, detailed information about IDSs is provided. This is followed by the analysis and comparison of each scheme along with their advantages and disadvantages from the perspective of security. Finally, guidelines on IDSs that are potentially applicable to WSNs are provided. Overall, this work would be very helpful to the researchers in developing their own IDSs for their WSNs. Clustering (of the nodes) is very important for WSNs not only in data aggregation, but also in increasing the overall performance of the network, especially in terms of total life-time. Besides, with the help of clustering, complex intrusion prevention and detection algorithms can be implemented. Therefore, background on the clustering algorithms is provided and then a clustering algorithm for WSNs is proposed, that is both power and connectivity aware. The proposed algorithm provides higher energy efficiency and increases the life-time of the network. In evaluating the proposed clustering algorithm (in a simulation environment by comparing its performance to the previously proposed algorithm, namely Kachirski et al.'s algorithm), it is demonstrated that the proposed algorithm improves energy efficiency in WSNs. Finally, an IDS framework based on multi-level clustering for hierarchical WSNs is proposed. It is based upon (the nodes use our proposed clustering algorithm while forming their clusters) the clustering algorithm that is proposed in this dissertation. 
The framework provides two types of intrusion detection approaches, namely "Downwards-IDS (D-IDS)" to detect the abnormal behavior (intrusion) of the subordinate (member) nodes and "Upwards-IDS (U-IDS)" to detect the abnormal behavior of the cluster heads. By using analytical calculations, the optimum parameters for the D-IDS (number of maximum hops) and U-IDS (monitoring group size) of the framework are evaluated and presented. Overall, this dissertation research contributes to the first two lines of defenses towards the security of WSNs, namely, IPS and IDS. Furthermore, the final contribution of this dissertation is towards the topology formation of the WSNs (especially for the hierarchical WSNs), namely, clustering; which would be very useful in implementation of the IPS and IDS systems that are presented in this dissertation.
12

CredProxy: A Password Manager for Online Authentication Environments

Golrang, Mohammad Saleh 20 December 2012 (has links)
Internet users are increasingly required to sign up for online services and establish accounts before receiving service from websites. On the one hand, generation of strong usernames and passwords is a difficult task for the user. On the other hand, memorization of strong passwords is by far more problematic for the average user. Thus, the average user has a tendency to use weak passwords, and also reuse his passwords for more than one website, which makes several attacks feasible. Under the aforementioned circumstances, the use of password managers is beneficial, since they unburden the user from the task of memorizing user credentials. However, password managers have a number of weaknesses. This thesis is mainly aimed at alleviating some of the intrinsic weaknesses of password managers. We propose three cryptographic protocols which can improve the security of password managers while enhancing user convenience. We also present the design of a phishing and Man-in-the-Browser resistant password manager which best fits into our scheme. Furthermore, we present our novel virtual on-screen keyboard and keypad which are designed to provide strong protection mechanisms against threats such as keylogging and shoulder surfing.
13

Cued Click-Point Memorability

Svensson, Rickard January 2015 (has links)
The safety of passwords has been in question for over 40 years, long before the Internet. While improvements have been made to ensure security, nothing has changed with passwords since the emergence of the Internet. Passwords need to be long and complex to be secure and users should not reuse their passwords. In a world where there are thousands of services on the internet requiring authentication, to keep passwords safe users will have to remember a lot of passwords. Studies show however that users are prone both to create bad passwords and to reuse their passwords on different sites. A lot of different alternatives to passwords have been proposed but none has become dominant. Is there a good alternative to text-based passwords? Can a graphical password be that alternative? The purpose of this thesis is to create a prototype of a CCP-like system and to conduct a memorability and usability test with it. The test results suggest that CCP is easy to use for users new to the concept of graphical passwords. A CCP-password also seems memorable with most participants recalling their passwords after a week with ease. PCCP can be a good substitute for passwords since it is easy to use, easy to remember and potentially more secure than text-based passwords.
14

CredProxy: A Password Manager for Online Authentication Environments

Golrang, Mohammad Saleh January 2013 (has links)
Internet users are increasingly required to sign up for online services and establish accounts before receiving service from websites. On the one hand, generation of strong usernames and passwords is a difficult task for the user. On the other hand, memorization of strong passwords is by far more problematic for the average user. Thus, the average user has a tendency to use weak passwords, and also reuse his passwords for more than one website, which makes several attacks feasible. Under the aforementioned circumstances, the use of password managers is beneficial, since they unburden the user from the task of memorizing user credentials. However, password managers have a number of weaknesses. This thesis is mainly aimed at alleviating some of the intrinsic weaknesses of password managers. We propose three cryptographic protocols which can improve the security of password managers while enhancing user convenience. We also present the design of a phishing and Man-in-the-Browser resistant password manager which best fits into our scheme. Furthermore, we present our novel virtual on-screen keyboard and keypad which are designed to provide strong protection mechanisms against threats such as keylogging and shoulder surfing.
15

Towards a Continuous User Authentication Using Haptic Information

Alsulaiman, Fawaz Abdulaziz A. January 2013 (has links)
With the advancement in multimedia systems and the increased interest in haptics to be used in interpersonal communication systems, where users can see, show, hear, tell, touch and be touched, mouse and keyboard are no longer dominant input devices. Touch, speech and vision will soon be the main methods of human computer interaction. Moreover, as interpersonal communication usage increases, the need for securing user authentication grows. In this research, we examine a user's identification and verification based on haptic information. We divide our research into three main steps. The first step is to examine a pre-defined task, namely a handwritten signature with haptic information. The user target in this task is to mimic the legitimate signature in order to be verified. As a second step, we consider the user's identification and verification based on user drawings. The user target is predefined, however there are no restrictions imposed on the order or on the level of details required for the drawing. Lastly, we examine the feasibility and possibility of distinguishing users based on their haptic interaction through an interpersonal communication system. In this third step, there are no restrictions on user movements, however a free movement to touch the remote party is expected. In order to achieve our goal, many classification and feature reduction techniques have been discovered and some new ones were proposed. Moreover, in this work we utilize evolutionary computing in user verification and identification. Analysis of haptic features and their significance on distinguishing users is hence examined. The results show a utilization of visual features by Genetic Programming (GP) towards identity verification, with a probability equal to 50% while the remaining haptic features were utilized with a probability of approximately 50%. 
Moreover, with a handwritten signature application, a verification success rate of 97.93% with False Acceptance Rate (FAR) of 1.28% and 11.54% False Rejection Rate (FRR) is achieved with the utilization of genetic programming enhanced with the random over sampled data set. In addition, with a totally free user movement in a haptic-enabled interpersonal communication system, an identification success rate of 83.3% is achieved when random forest classifier is utilized.
16

Mobile user authentication system (MUAS) for e-commerce applications

Molla, Rania A. January 2017 (has links)
The rapid growth of e-commerce has many associated security concerns. Thus, several studies to develop secure online authentication systems have emerged. Most studies begin with the premise that the intermediate network is the primary point of compromise. In this thesis, we assume that the point of compromise lies within the end-host or browser; this security threat is called the man-in-the-browser (MITB) attack. MITB attacks can bypass security measures of public key infrastructures (PKI), as well as encryption mechanisms for secure socket layers and transport layer security (SSL/TLS) protocol. This thesis focuses on developing a system that can circumvent MITB attacks using a two-phase secure-user authentication system, with phases that include challenge and response generation. The proposed system represents the first step in conducting an online business transaction. The proposed authentication system design contributes to protect the confidentiality of the initiating client by requesting minimal and non-confidential information to bypass the MITB attack and transition the authentication mechanism from the infected browser to a mobile-based system via a challenge/response mechanism. The challenge and response generation process depends on validating the submitted information and ensuring the mobile phone legitimacy. Both phases within the MUAS context mitigate the denial-of-service (DOS) attack via registration information, which includes the client's mobile number and the International Mobile Equipment Identity (IMEI) of the client's mobile phone. This novel authentication scheme circumvents the MITB attack by utilising the legitimate client's personal mobile phone as a detached platform to generate the challenge response and conduct business transactions. 
Although the MITB attacker may have taken over the challenge generation phase by failing to satisfy the required security properties, the response generation phase generates a secure response from the registered legitimate mobile phone by employing security attributes from both phases. Thus, the detached challenge- and response generation phases are logically linked.
17

Security, Privacy, Identity And Patient Consent Management Across Healthcare Enterprises In Integrated Healthcare Enterprises (IHE) Cross Enterprise Document Sharing (XDS) Affinity Domain

Namli, Tuncay 01 June 2007 (has links) (PDF)
Integrated Healthcare Enterprise (IHE) is an initiative by industry and healthcare professionals to improve knowledge sharing and interoperability between healthcare related enterprises. IHE publishes Integration Profiles on several Healthcare Fields to define how systems can use existing standards and technologies to execute a specific use case in healthcare. Cross Enterprise Document Sharing (XDS) is such a profile which defines the way of sharing Electronic Health Records (EHR) between healthcare enterprises. In this thesis, IHE Cross Enterprise User Authentication, IHE Node Authentication and Audit Trail, IHE Basic Patient Privacy Consent profiles are implemented based on the IHE XDS implementation by National Institute of Standards, USA. Furthermore, some of the unspecified issues related with these profiles are clarified and new techniques are offered for their implementations. One of the contributions of the thesis is to use OASIS Extensible Access Control Markup Language (XACML) to define patient consent policies and manage access control. Other technologies and standards that are used in the implementation are as follows: OASIS Security Assertion Markup Language (SAML), XML Signature, Mutual Transport Layer Security (TLS), RFC 3195 Reliable Delivery for Syslog, RFC 3881 Security Audit and Access Accountability Message XML Data Definitions.
18

Uma Proposta de autenticação de usuários para ensino a distância / A solution for user authentication for distance learning

Fiorese, Mauricio January 2000 (has links)
This work investigates different strategies and techniques of user authentication in order to determine which ones may be integrated in a distance learning environment. Several authentication solutions available on the market are analyzed in order to find the most appropriate. 
The criteria used to determine the best solutions involve cost or amount of equipment involved, operational simplicity, and degree of confidence or results obtained. Based on this analysis, an authentication model that integrates several authentication techniques is delineated in order to obtain greater security than those used in most distance learning systems, based only on passwords. This system works like a proxy whose function is to control access to Web pages through the combination of passwords, random queries, biometric devices and random checks, at the same time that it generates logs of student's activity during a course. These logs contain information about day and hour of access, time spent on each page, IP address of the student's machine and so on. This information can be used both to evaluate the student and to generate his/her statistical profile. This profile is used to give an alarm when the data of the profile undergo changes above the established limits, during the student's activity. A prototype of the system has been implemented to validate the solution designed. The integration of the authentication methods, which identifies both the student and the machine where he/she is working, with the evaluation routines of the distance learning procedure, is one of the main reached results.