This paper presents a mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-att...This paper presents a mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-attacks. The SYN-flooding, as an instance of flooding-attack, is used to illustrate the anomaly detection mechanism. The mechanism applies an exponentially weighted moving average (EWMA) method to detect the abrupt net flow and applies a symmetry analysis method to detect the anomaly activity of the network flow. Experiment shows that the mechanism has high detection accuracy and low detection latency.展开更多
The paper puts forward a variance-time plots method based on slide-window mechanism tocalculate the Hurst parameter to detect Distribute Denial of Service(DDoS)attack in real time.Basedon fuzzy logic technology that c...The paper puts forward a variance-time plots method based on slide-window mechanism tocalculate the Hurst parameter to detect Distribute Denial of Service(DDoS)attack in real time.Basedon fuzzy logic technology that can adjust itself dynamically under the fuzzy rules,an intelligent DDoSjudgment mechanism is designed.This new method calculates the Hurst parameter quickly and detectsDDoS attack in real time.Through comparing the detecting technologies based on statistics andfeature-packet respectively under different experiments,it is found that the new method can identifythe change of the Hurst parameter resulting from DDoS attack traffic with different intensities,andintelligently judge DDoS attack self-adaptively in real time.展开更多
Privacy-preserving data publishing (PPDP) is one of the hot issues in the field of the network security. The existing PPDP technique cannot deal with generality attacks, which explicitly contain the sensitivity atta...Privacy-preserving data publishing (PPDP) is one of the hot issues in the field of the network security. The existing PPDP technique cannot deal with generality attacks, which explicitly contain the sensitivity attack and the similarity attack. This paper proposes a novel model, (w,γ, k)-anonymity, to avoid generality attacks on both cases of numeric and categorical attributes. We show that the optimal (w, γ, k)-anonymity problem is NP-hard and conduct the Top-down Local recoding (TDL) algorithm to implement the model. Our experiments validate the improvement of our model with real data.展开更多
By allowing routers to combine the received packets before forwarding them,network coding-based applications are susceptible to possible malicious pollution attacks.Existing solutions for counteracting this issue eith...By allowing routers to combine the received packets before forwarding them,network coding-based applications are susceptible to possible malicious pollution attacks.Existing solutions for counteracting this issue either incur inter-generation pollution attacks(among multiple generations)or suffer high computation/bandwidth overhead.Using a dynamic public key technique,we propose a novel homomorphic signature scheme for network coding for each generation authentication without updating the initial secret key used.As per this idea,the secret key is scrambled for each generation by using the generation identifier,and each packet can be fast signed using the scrambled secret key for the generation to which the packet belongs.The scheme not only can resist intra-generation pollution attacks effectively but also can efficiently prevent inter-generation pollution attacks.Further,the communication overhead of the scheme is small and independent of the size of the transmitting files.展开更多
According to the security shortages of two robust practical email protocols with perfect forward secrecy, attacks on the two protocols are analyzed and corresponding improvements on the two protocols are proposed. Fir...According to the security shortages of two robust practical email protocols with perfect forward secrecy, attacks on the two protocols are analyzed and corresponding improvements on the two protocols are proposed. First, by analyzing the two email protocols, the corresponding man-in-the-middle attacks are proposed, where the adversary forges the messages in the receiving phase to cheat the two communication participants and makes them share the wrong session keys with him. Consequently, the man-in-the-middle attacks can make the two protocols fail to provide perfect forward secrecy. Secondly, by adding corresponding signatures in the receiving phases of the two protocols, two corresponding improvements on the protocols are proposed to overcome the man-in-the-middle attacks on the two protocols and make them provide perfect forward secrecy. Moreover, the two improved protocols can retain all the merits of the former protocols.展开更多
Within an agent server, the model introduces a trusted third party entity called Secure Service Station(SSS). The SSS is a non\|hardware component and is intended to prevent most attacks performed by malicious hosts, ...Within an agent server, the model introduces a trusted third party entity called Secure Service Station(SSS). The SSS is a non\|hardware component and is intended to prevent most attacks performed by malicious hosts, by providing mechanisms that ensure attack detection and provide integrity to mobile agents. This noble technique involves encapsulating partial results obtained on each intermediate host and binding these results together using a hash function, thus forming a strong bonded chain that cannot be compromised. An analytical model to explore the system performance was also developed.展开更多
In the last decade,cognitive radio(CR) has emerged as a major next generation wireless networking technology,which is the most promising candidate solution to solve the spectrum scarcity and improve the spectrum utili...In the last decade,cognitive radio(CR) has emerged as a major next generation wireless networking technology,which is the most promising candidate solution to solve the spectrum scarcity and improve the spectrum utilization.However,there exist enormous challenges for the open and random access environment of CRNs,where the unlicensed secondary users(SUs) can use the channels that are not currently used by the licensed primary users(PUs) via spectrum-sensing technology.Because of this access method,some malicious users may access the cognitive network arbitrarily and launch some special attacks,such as primary user emulation attack,falsifying data or denial of service attack,which will cause serious damage to the cognitive radio network.In addition to the specifi c security threats of cognitive network,CRNs also face up to the conventional security threats,such as eavesdropping,tampering,imitation,forgery,and noncooperation etc..Hence,Cognitive radio networks have much more risks than traditional wireless networks with its special network model.In this paper,we considered the security threats from passive and active attacks.Firstly,the PHY layer security is presented in the view of passive attacks,and it is a compelling idea of using the physical properties of the radio channel to help provide secure wireless communications.Moreover,malicious user detection is introduced in the view of active attacks by means of the signal detection techniques to decrease the interference and the probabilities of false alarm and missed detection.Finally,we discuss the general countermeasures of security threats in three phases.In particular,we discuss the far reaching effect of defensive strategy against attacks in CRNs.展开更多
Denial of Service Distributed Denial of Service (DOS) attack, especially (DDoS) attack, is one of the greatest threats to Internet. Much research has been done for it by now, however, it is always concentrated in ...Denial of Service Distributed Denial of Service (DOS) attack, especially (DDoS) attack, is one of the greatest threats to Internet. Much research has been done for it by now, however, it is always concentrated in the behaviors of the network and can not deal with the problem exactly. In this paper, we start from the security of the protocol, then we propose a novel theory for security protocol analysis of Denial of Service in order to deal with the DoS attack. We first introduce the conception of weighted graph to extend the strand space model, then we extend the penetrator model and define the goal of anti-DoS attack through the conception of the DoS-stop protocol, finally we propose two kinds of DoS test model and erect the novel formal theory for security protocol analysis of Denial of Service. Our new formal theory is applied in two example protocols. It is proved that the Internet key exchange (IKE) easily suffers from the DoS attacks, and the efficient DoS- resistant secure key exchange protocol (JFK) is resistant against DoS attack for the server, respectively.展开更多
基金TheNationalHighTechnologyResearchandDevelopmentProgramofChina(863Program) (No .2 0 0 2AA14 5 0 90 )
文摘This paper presents a mechanism for detecting flooding-attacks. The simplicity of the mechanism lies in its statelessness and low computation overhead, which makes the detection mechanism itself immune to flooding-attacks. The SYN-flooding, as an instance of flooding-attack, is used to illustrate the anomaly detection mechanism. The mechanism applies an exponentially weighted moving average (EWMA) method to detect the abrupt net flow and applies a symmetry analysis method to detect the anomaly activity of the network flow. Experiment shows that the mechanism has high detection accuracy and low detection latency.
基金the Six Heights of Talent in Jiangsu Prov-ince(No.06-E-044).
文摘The paper puts forward a variance-time plots method based on slide-window mechanism tocalculate the Hurst parameter to detect Distribute Denial of Service(DDoS)attack in real time.Basedon fuzzy logic technology that can adjust itself dynamically under the fuzzy rules,an intelligent DDoSjudgment mechanism is designed.This new method calculates the Hurst parameter quickly and detectsDDoS attack in real time.Through comparing the detecting technologies based on statistics andfeature-packet respectively under different experiments,it is found that the new method can identifythe change of the Hurst parameter resulting from DDoS attack traffic with different intensities,andintelligently judge DDoS attack self-adaptively in real time.
基金supported in part by Research Fund for the Doctoral Program of Higher Education of China(No.20120009110007)Program for Innovative Research Team in University of Ministry of Education of China (No.IRT201206)+3 种基金Program for New Century Excellent Talents in University(NCET-110565)the Fundamental Research Funds for the Central Universities(No.2012JBZ010)the Open Project Program of Beijing Key Laboratory of Trusted Computing at Beijing University of TechnologyBeijing Higher Education Young Elite Teacher Project(No. YETP0542)
文摘Privacy-preserving data publishing (PPDP) is one of the hot issues in the field of the network security. The existing PPDP technique cannot deal with generality attacks, which explicitly contain the sensitivity attack and the similarity attack. This paper proposes a novel model, (w,γ, k)-anonymity, to avoid generality attacks on both cases of numeric and categorical attributes. We show that the optimal (w, γ, k)-anonymity problem is NP-hard and conduct the Top-down Local recoding (TDL) algorithm to implement the model. Our experiments validate the improvement of our model with real data.
基金supported by the National Natural Science Foundation of China under Grant No. 61271174
文摘By allowing routers to combine the received packets before forwarding them,network coding-based applications are susceptible to possible malicious pollution attacks.Existing solutions for counteracting this issue either incur inter-generation pollution attacks(among multiple generations)or suffer high computation/bandwidth overhead.Using a dynamic public key technique,we propose a novel homomorphic signature scheme for network coding for each generation authentication without updating the initial secret key used.As per this idea,the secret key is scrambled for each generation by using the generation identifier,and each packet can be fast signed using the scrambled secret key for the generation to which the packet belongs.The scheme not only can resist intra-generation pollution attacks effectively but also can efficiently prevent inter-generation pollution attacks.Further,the communication overhead of the scheme is small and independent of the size of the transmitting files.
基金The Natural Science Foundation of Jiangsu Province(No.BK2006108)
文摘According to the security shortages of two robust practical email protocols with perfect forward secrecy, attacks on the two protocols are analyzed and corresponding improvements on the two protocols are proposed. First, by analyzing the two email protocols, the corresponding man-in-the-middle attacks are proposed, where the adversary forges the messages in the receiving phase to cheat the two communication participants and makes them share the wrong session keys with him. Consequently, the man-in-the-middle attacks can make the two protocols fail to provide perfect forward secrecy. Secondly, by adding corresponding signatures in the receiving phases of the two protocols, two corresponding improvements on the protocols are proposed to overcome the man-in-the-middle attacks on the two protocols and make them provide perfect forward secrecy. Moreover, the two improved protocols can retain all the merits of the former protocols.
文摘Within an agent server, the model introduces a trusted third party entity called Secure Service Station(SSS). The SSS is a non\|hardware component and is intended to prevent most attacks performed by malicious hosts, by providing mechanisms that ensure attack detection and provide integrity to mobile agents. This noble technique involves encapsulating partial results obtained on each intermediate host and binding these results together using a hash function, thus forming a strong bonded chain that cannot be compromised. An analytical model to explore the system performance was also developed.
基金supported in part by the National Natural Science Foundation of China(61227801,61121001,61201152,and 61421061)the Program for New Century Excellent Talents in University(NCET-01-0259)the Fundamental Research Funds for the Central Universities(2013RC0106)
文摘In the last decade,cognitive radio(CR) has emerged as a major next generation wireless networking technology,which is the most promising candidate solution to solve the spectrum scarcity and improve the spectrum utilization.However,there exist enormous challenges for the open and random access environment of CRNs,where the unlicensed secondary users(SUs) can use the channels that are not currently used by the licensed primary users(PUs) via spectrum-sensing technology.Because of this access method,some malicious users may access the cognitive network arbitrarily and launch some special attacks,such as primary user emulation attack,falsifying data or denial of service attack,which will cause serious damage to the cognitive radio network.In addition to the specifi c security threats of cognitive network,CRNs also face up to the conventional security threats,such as eavesdropping,tampering,imitation,forgery,and noncooperation etc..Hence,Cognitive radio networks have much more risks than traditional wireless networks with its special network model.In this paper,we considered the security threats from passive and active attacks.Firstly,the PHY layer security is presented in the view of passive attacks,and it is a compelling idea of using the physical properties of the radio channel to help provide secure wireless communications.Moreover,malicious user detection is introduced in the view of active attacks by means of the signal detection techniques to decrease the interference and the probabilities of false alarm and missed detection.Finally,we discuss the general countermeasures of security threats in three phases.In particular,we discuss the far reaching effect of defensive strategy against attacks in CRNs.
基金This work is supported by National Natural Science Foundation of China under contract 60902008.
文摘Denial of Service Distributed Denial of Service (DOS) attack, especially (DDoS) attack, is one of the greatest threats to Internet. Much research has been done for it by now, however, it is always concentrated in the behaviors of the network and can not deal with the problem exactly. In this paper, we start from the security of the protocol, then we propose a novel theory for security protocol analysis of Denial of Service in order to deal with the DoS attack. We first introduce the conception of weighted graph to extend the strand space model, then we extend the penetrator model and define the goal of anti-DoS attack through the conception of the DoS-stop protocol, finally we propose two kinds of DoS test model and erect the novel formal theory for security protocol analysis of Denial of Service. Our new formal theory is applied in two example protocols. It is proved that the Internet key exchange (IKE) easily suffers from the DoS attacks, and the efficient DoS- resistant secure key exchange protocol (JFK) is resistant against DoS attack for the server, respectively.
