Secure Geolocation for Wireless Indoor Networks

Lim, Yu-Xi

12 April 2006

The objective of the research is to develop an accurate system for indoor location estimation using a secure architecture based on the IEEE 802.11 standard for infrastructure networks. Elements of this secure architecture include: server-oriented platform for greater trust and manageability; multiple wireless network parameters for improved accuracy; and Support Vector Regression (SVR) for accurate, high-resolution estimates. While these elements have been investigated individually in earlier research, none has combined them to a single security-oriented system. Thus this research investigates the feasibility of using these elements together.

Network security

Computer networks Security measures

Wireless LANs

Wireless communication systems

Layer 2 security inter-layering in networks

Altunbasak, Hayriye Celebi

20 November 2006

An architectural framework is proposed to secure the data link layer (Layer 2) in Internet protocol (IP) over Ethernet networks. In this architecture, a new security inter-layering concept, incorporating cryptographic Layer 2 identities, is introduced. Instead of traditional media access control (MAC) addresses, secure and flexible data link layer identifiers are utilized to securely bind Layer 2 and upper layers. In addition, to create security parameters and negotiate identifiers at the data link layer, a key establishment protocol is presented. Moreover, this architecture incorporates the IEEE 802.1AE standard (MACsec) and uses a key hierarchy similar to the IEEE 802.11i standard for future compatibility of wired and wireless networks. Finally, we provide a security analysis of the new data link layer security architecture.

Identities

Data link layer

Network security

Inter-layering

Computer network architectures

Intrusion Detection and Response Systems for Mobile Ad Hoc Networks

Huang, Yi-an

20 November 2006

A mobile ad hoc network (MANET) consists of a group of autonomous mobile nodes with no infrastructure support. In this research, we develop a distributed intrusion detection and response system for MANET, and we believe it presents a second line of defense that cannot be replaced by prevention schemes. We based our detection framework on the study of attack taxonomy. We then propose a set of detection methods suitable of detecting different attack categories. Our approaches are based on protocol specification analysis with categorical and statistical measures. Node-based approaches may be too restrictive in scenarios where attack patterns cannot be observed by any isolated node. Therefore, we have developed cooperative detection approaches for a more effective detection model. One approach is to form IDS clusters by grouping nearby nodes, and information can be exchanged within clusters. The cluster-based scheme is more efficient in terms of power consumption and resource utilization, it is also proved resilient against common security compromises without changing the decentralized assumption. We further address two response techniques, traceback and filtering. Existing traceback systems are not suitable for MANET because they rely on incompatible assumptions such as trustworthy routers and static route topology. Our solution, instead, adapts to dynamic topology with no infrastructure requirement. Our solution is also resilient in the face of arbitrary number of collaborative adversaries. We also develop smart filtering schemes to maximize the dropping rate of attack packets while minimizing the dropping rate of normal packets with real-time guarantee. To validate our research, we present case study using both ns-2 simulation and MobiEmu emulation platform with three ad hoc routing protocols: AODV, DSR and OLSR. We implemented various representative attacks based on the attack taxonomy. Our experiments show very promising results using node-based and cluster-based approaches.

Data mining

Intrusion detection

Routing security

Mobile ad hoc networks

Network security

Scalable and efficient distributed algorithms for defending against malicious Internet activity

Sung, Minho

31 July 2006

The threat of malicious Internet activities such as Distributed Denial of Service (DDoS) attacks, spam emails or Internet worms/viruses has been increasing in the last several years. The impact and frequency of these malicious activities are expected to grow unless they are properly addressed. In this thesis, we propose to design and evaluate a set of practical and effective protection measures against potential malicious activities in current and future networks. Our research objective is twofold. First, we design the methods to defend against DDoS attacks. Our research focuses on two important issues related to DDoS attack defense mechanisms. One issue is the method to trace the sources of attacking packets, which is known as IP traceback. We propose a novel packet logging based (i.e., hash-based) traceback scheme using only a one-bit marking field in IP header. It reduces processing and storage cost by an order of magnitude than the existing hash-based schemes, and is therefore scalable to much higher link speed (e.g., OC-768). Next, we propose an improved traceback scheme with lower storage overhead by using more marking space in IP header. Another issue in DDoS defense is to investigate protocol-independent techniques for improving the throughput of legitimate traffic during DDoS attacks. We propose a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. Second, we investigate the problem of distributed network monitoring. We propose a set of novel distributed data streaming algorithms that allow scalable and efficient monitoring of aggregated traffic. Our algorithms target the specific network monitoring problem of finding common content in traffic traversing several nodes/links across the Internet. These algorithms find applications in network-wide intrusion detection, early warning for fast propagating worms, and detection of hot objects and spam traffic.

Network security

DDoS attack

Computer networks Security measures

Computer networks Monitoring

Snap: Robust Tool for Internet-wide Operating System Fingerprinting

Nandwani, Ankur Bharatbhushan

2010 December 1900

Different approaches have been developed for TCP/IP fingerprinting, but none of these approaches is suited for Internet-wide fingerprinting. In this work, we develop approaches that rigorously tackle the issue of noise and packet loss while carrying out Internet-wide fingerprinting. We then carry out an Internet-wide scan to determine the distribution of different operating systems on the Internet. The results of our scan indicate that there are approximately 8.9 million publicly accessible web-servers on the Internet running Linux, while there are nearly 9.6 million web-servers with different embedded operating systems.

Internet

Operating System

Fingerprinting

TCP/IP Stack

Security

Network Security

Scanning

Oblivious Handshakes and Sharing of Secrets of Privacy-Preserving Matching and Authentication Protocols

Duan, Pu

2011 May 1900

The objective of this research is focused on two of the most important privacy-preserving techniques: privacy-preserving element matching protocols and privacy-preserving credential authentication protocols, where an element represents the information generated by users themselves and a credential represents a group membership assigned from an independent central authority (CA). The former is also known as private set intersection (PSI) protocol and the latter is also known as secret handshake (SH) protocol. In this dissertation, I present a general framework for design of efficient and secure PSI and SH protocols based on similar message exchange and computing procedures to confirm “commonality” of their exchanged information, while protecting the information from each other when the commonalty test fails. I propose to use the homomorphic randomization function (HRF) to meet the privacy-preserving requirements, i.e., common element/credential can be computed efficiently based on homomorphism of the function and uncommon element/credential are difficult to derive because of the randomization of the same function. Based on the general framework two new PSI protocols with linear computing and communication cost are proposed. The first protocol uses full homomorphic randomization function as the cryptographic basis and the second one uses partial homomorphic randomization function. Both of them achieve element confidentiality and private set intersection. A new SH protocol is also designed based on the framework, which achieves unlinkability with a reusable pair of credential and pseudonym and least number of bilinear mapping operations. I also propose to interlock the proposed PSI protocols and SH protocol to design new protocols with new security properties. When a PSI protocol is executed first and the matched elements are associated with the credentials in a following SH protocol, authenticity is guaranteed on matched elements. When a SH protocol is executed first and the verified credentials is used in a following PSI protocol, detection resistance and impersonation attack resistance are guaranteed on matching elements. The proposed PSI and SH protocols are implemented to provide privacy-preserving inquiry matching service (PPIM) for social networking applications and privacy-preserving correlation service (PAC) of network security alerts. PPIM allows online social consumers to find partners with matched inquiries and verified group memberships without exposing any information to unmatched parties. PAC allows independent network alert sources to find the common alerts without unveiling their local network information to each other.

Elliptic Curve Cryptography

Network Security

The Research of Network Security in IP Traceback

Tseng, Yu-kuo

29 September 2004

With the dramatic expansion of computers and communication networks, computer crimes, such as threatening letters, fraud, and theft of intellectual property have been growing at a dreadful rate. The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social threats. The problems of protecting data and information on computers and communication networks has become even more critical and challenging, since the widespread adoption of the Internet and the Web. Consequently, it is very urgent to design an integrated network-security architecture so as to make information safer, proactively or reactively defeat any network attack, make attackers accountable, and help the law enforcement system to collect the forensic evidences. Among a variety of attacks on computer servers or communication networks, a prevalent, famous, and serious network-security subject is known as "Denial of Service" (DoS) or "Distributed Denial of Service" (DDoS) attacks. According to an investigation on computer crime conducted by CSI/FBI in 2003, Internet DoS/DDoS have increased in frequency, severity, and sophistication, and have caught international attentions to the vulnerability of the Internet. DoS/DDoS attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks are among the hardest security problems to address because they are simple to implement, difficult to prevent, and very difficult to trace. Therefore, this dissertation will firstly concentrate on how to resolve these troublesome DoS/DDoS problems. This is considered as the first step to overcome generic network security problems, and to achieve the final goal for accomplishing a total solution of network security. Instead of tolerating DoS/DDoS attacks by mitigating their effect, to trace back the attacking source for eliminating the attacker is an aggressive and better approach. However, it is difficult to find out the true attacking origin by utilizing the incorrect source IP address faked by the attacker. Accordingly, this dissertation will aim at conquering this representative network security problem, i.e. DoS/DDoS attacks, with IP traceback, and designing an optimal IP traceback. IP traceback ¡X the ability to trace IP packets to their origins¡Xis a significant step toward identifying, and thus stopping, attackers. A promising solution to the IP traceback is probabilistic packet marking (PPM). This traceback approach can be applied during or after an attack, and it does not require any additional network traffic, router storage, or packet size increase. Therefore, the IP traceback research on countering DoS/DDoS attacks will be based on PPM scheme. In this dissertation, three outstanding improvements among four PPM criteria¡Xthe convergency, the computational overhead, and the incomplete PPM deployment problem¡Xhas been achieved. PPM-NPC is proposed to improve the PPM convergency and computational overhead. With non-preemptively compensation, the probability of each marked packet arrived at the victim equals its original marking probability. Therefore, PPM-NPC will efficiently achieve the optimal convergent situation by simply utilizing a 2-byte integer counter. Another better scheme, CPPM, is also proposed, such that the marked packets can be fully compensated as well while they are remarked. With CPPM, the probability of each marked packet arrived at the victim will also equal its original marking probability. Consequently, CPPM will achieve the optimal convergent situation efficiently as well. Furthermore, RPPM-NPC is presented to advance the accuracy of a reconstructed path in an incomplete PPM deployment environment by correcting and recovering any discontinuous individual transparent router and any segment of consecutive double transparent routers. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. Except for these improved criteria, PPM robustness, some weak assumptions in PPM, and a few unsolved problems for PPM, e.g. reflective DDoS attacks, will also be improved in the future. It is also interesting in combining other network security researches, such as IDS, system access control mechanism, etc., for constructing a more complete network security architecture. Therefore, this research hereby is done in order to completely resolve the troublesome flood-style DoS/DDoS problems, and as the basis for accomplishing a total solution of network security.

IP traceback

probabilitic packet marking

denial of service attack

computer network security

Mining Network Traffic Data for Supporting Denial of Service Attack Detection

Ma, Shu-Chen

17 August 2005

Denial of Service (DoS) attacks aim at rendering a computer or network incapable of providing normal services by exploiting bugs or holes of system programs or network communication protocols. Existing DoS attack defense mechanisms (e.g., firewalls, intrusion detection systems, intrusion prevention systems) typically rely on data gathered from gateways of network systems. Because these data are IP-layer or above packet information, existing defense mechanisms are incapable of detecting internal attacks or attackers who disguise themselves by spoofing the source IP addresses of their packets. To address the aforementioned limitations of existing DoS attack defense mechanisms, we propose a classification-based DoS attack detection technique on the basis of the SNMP MIB II data from the network interface to induce a DoS detection model from a set of training examples that consist of both normal and attack traffic data). The constructed DoS detection model is then used for predicting whether a network traffic from the network interface is a DoS attack. To empirically evaluate our proposed classification-based DoS attack detection technique, we collect, with various traffic aggregation intervals (including 1, 3, and 5 minutes), normal network traffic data from two different environments (including an enterprise network, and a university campus network) and attack network traffics (including TCP SYN Flood, Land, Fake Ping, and Angry Ping) from an independent experimental network. Our empirical evaluation results show that the detection accuracy of the proposed technique reaches 98.59% or above in the two network environments. The evaluation results also suggest that the proposed technique is insensitive to the traffic aggregation intervals examined and has a high distinguishing power for the four types of DoS attacks under investigation.

Denial of Service

Analysis of SNMP Traffic Data

Data Mining

Classification Analysis

Attack Detection

Network Security

Energy-Aware Key Management in Wireless Ad-Hoc Networks

Chang, Chia-Wen

26 July 2006

In this thesis, we consider how to reduce the communication cost of the key exchange procedures as many as possible, while the secure group communication can still be achieved. Due to the energy consumption is usually proportional to the distance, we use the shortest paths algorithm to find the shortest communication paths between any pair of the secure group members. We first propose a straightforward heuristic named Minimum-Energy First-Selected ( MEFS ). MEFS tries to select the pair of group members which has less communication cost than all other pairs have at every time. Though MEFS performs better than random selecting, it still has some weakness in solving the energy-aware key management problem. So we use the concept of the minimum cost flow problem, and by appropriate transformation, then we get the optimal solution of the energy-aware key management problem under some constraints. At last, the simulation results proves that the minimum cost flow approach actually works better than MEFS does.

Diffie-Hellman protocol

wireless ad-hoc networks

network security

the minimum cost flow problem

A Security Management System Design

Onder, Hulusi

01 July 2007

This thesis analyzes the difficulties of managing the security of an enterprise network. The problem that this thesis study deals with is the central management of a large number and variety of services that provide organization-wide network and information security. This study addresses two problem areas: how to better manage the security of a network, and how to explain the security issues to upper management better. The study proposes a Security Management System (SMS) to be used for network security management, monitoring and reporting purposes. The system is a custom made, central management solution, which combines the critical performance indicators of the security devices and presents the results via web pages.

H General Social Sciences 1-99