Abstract: This paper evaluates the performance of an Internet Protocol Security (IPSec) based Multiprotocol Label Switching (MPLS) virtual private network (VPN) in a small to medium sized organization. The demand for security in data networks has been increasing owing to the high rate of cyber attacks and the risks associated with networks spread over distant geographical locations. MPLS networks ride on a public network backbone that is porous and highly susceptible to attacks, so reliable security mechanisms need to be part of the deployment plan. The evaluation criteria concentrated on Voice over Internet Protocol (VoIP) and video conferencing, with keen interest in jitter, end-to-end delivery and general data flow. This study used both structured questionnaire and observation methods. The structured questionnaire was administered to a group of 70 VPN users in a company, which provided the study with precise responses. The observation method was used in data simulations with OPNET Version 14.5 simulation software. The results show that the IPSec features increase the size of data packets by approximately 9.98%, translating into approximately 90.02% effectiveness. The tests showed that the performance metrics are all well within the recommended standards. The IPSec-based MPLS VPN is more stable and secure than one without IPSec.
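The "packet size increase" this abstract reports is the per-packet overhead IPSec adds, and it depends on the mode, the cipher and the payload size rather than being a single number. The calculator below is an added example, not the paper's OPNET model or code; it assumes IPv4, ESP with AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV), AH with HMAC-SHA1-96, and G.711 RTP with 20 ms packetization (160 codec bytes per packet). All function names are ours.

```python
# Added worked example; not part of the paper or its OPNET model. Computes the
# per-packet byte overhead IPSec adds to a VoIP packet so that a reported
# "packet size increase" can be reasoned about for a given traffic mix.
# Assumptions (ours, not the paper's): IPv4; ESP with AES-CBC (16-byte block,
# 16-byte IV) and HMAC-SHA1-96 (12-byte ICV); AH with HMAC-SHA1-96.

IPV4_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12
ESP_HEADER = 8       # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2      # pad length (1) + next header (1)
AH_FIXED = 12        # next header, payload len, reserved, SPI, sequence (RFC 4302)


def esp_padding(plaintext_len: int, block_size: int) -> int:
    """Padding so that plaintext + padding + the 2-byte trailer is a whole
    number of cipher blocks (RFC 4303 section 2.4)."""
    return (-(plaintext_len + ESP_TRAILER)) % block_size


def esp_protected_size(cleartext_packet: int, mode: str, block_size: int = 16,
                       iv_len: int = 16, icv_len: int = 12) -> int:
    """Wire size of an IPv4 packet of `cleartext_packet` bytes after ESP.

    transport: the original IP header stays in the clear; only the transport
               header and payload are encrypted.
    tunnel:    the whole original packet is encrypted and a new outer IPv4
               header is prepended.
    """
    if mode == "transport":
        plaintext = cleartext_packet - IPV4_HEADER
    elif mode == "tunnel":
        plaintext = cleartext_packet
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad = esp_padding(plaintext, block_size)
    return (IPV4_HEADER + ESP_HEADER + iv_len + plaintext + pad
            + ESP_TRAILER + icv_len)


def ah_protected_size(cleartext_packet: int, mode: str, icv_len: int = 12) -> int:
    """Wire size after AH: no encryption, no padding, ICV 32-bit aligned."""
    icv = (icv_len + 3) // 4 * 4
    extra_outer_header = IPV4_HEADER if mode == "tunnel" else 0
    return cleartext_packet + AH_FIXED + icv + extra_outer_header


def overhead_percent(cleartext_packet: int, protected: int) -> float:
    """Percentage growth of the packet, the quantity the abstract reports."""
    return round((protected - cleartext_packet) / cleartext_packet * 100, 2)


def voip_packet(payload: int) -> int:
    """Cleartext IPv4 size of an RTP packet carrying `payload` codec bytes."""
    return IPV4_HEADER + UDP_HEADER + RTP_HEADER + payload


if __name__ == "__main__":
    # G.711 with 20 ms packetization carries 160 codec bytes per packet.
    clear = voip_packet(160)
    for label, size in [
        ("ESP transport", esp_protected_size(clear, "transport")),
        ("ESP tunnel", esp_protected_size(clear, "tunnel")),
        ("AH transport", ah_protected_size(clear, "transport")),
    ]:
        print(f"{label:14s} {clear} -> {size} bytes "
              f"(+{overhead_percent(clear, size)}%)")
```

Small VoIP packets pay the largest proportional cost: a 200-byte G.711 packet grows by 24% in ESP transport mode and 32% in tunnel mode, while a 1200-byte packet in tunnel mode grows by only 6%. An aggregate figure such as the roughly 10% above is therefore only meaningful together with the traffic mix and cipher suite it was measured on.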
Funding: Supported by the National Natural Science Foundation of China (90104005, 66973034)
Abstract: Based on an analysis of the working mechanism of covert channels in the Internet Control Message Protocol (ICMP) under Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), ICMP covert channel algorithms for IPv4 and IPv6 are presented, which enable automatic channeling between IPv4/v6 nodes with non-IPv4-compatible addresses, and key transmission is achieved over this channel in an embedded Internet terminal. The result shows that, with the covert channel algorithm we implemented set up correctly, the messages of this covert channel may pass through the gateway and enter the local area network.
Funding: Supported by the National Natural Science Foundation of China (60373087, 60473023)
Abstract: Internet voting protocols are the basis of Internet voting systems. In this paper a new practical Internet voting protocol is introduced. The proposed protocol does not rely on strong physical assumptions and has the properties of privacy, completeness, soundness, fairness, invariableness, universal verifiability, receipt-freeness and coercion-resistance. At the same time it solves some problems found in other Internet voting protocols, and its verification process for universal verifiability is simple and efficient.
Funding: Supported by the National Natural Science Foundation of China (Grant No. 61571303, No. 61571004), the Shanghai Natural Science Foundation (Grant No. 21ZR1461700), the Shanghai Sailing Program (Grant No. 19YF1455800), the National Science and Technology Major Project of China (No. 2018ZX03001031), the Fundamental Research Funds for State Key Laboratory of Synthetical Automation for Process Industries (Grant No. PAL-N201703) and the National Key Research and Development Program of China-Internet of Things and Smart City Key Program (No. 2019YFB2101600, No. 2019YFB2101602, No. 2019YFB2101602-03).
Abstract: A single planar routing protocol has a slow convergence rate in a large-scale Wireless Sensor Network (WSN). Although a hierarchical routing protocol can effectively cope with large-scale application scenarios, how to elect a secure cluster head and balance the network load becomes an enormous challenge. In this paper, a Trust Management-based Low Energy Adaptive Clustering Hierarchy protocol (LEACH-TM) is proposed. In LEACH-TM, by using the number of dynamic decision cluster head nodes, residual energy and the density of neighbor nodes, the size of the cluster can be better constrained to improve energy efficiency and avoid excessive energy consumption at any one node. Simultaneously, a trust management scheme is introduced into LEACH-TM to defend against internal attacks. The simulation results show that, compared with the LEACH-SWDN and LEACH protocols, LEACH-TM performs better in prolonging the network lifetime and balancing energy consumption, and can effectively mitigate the influence of malicious nodes on cluster head selection, which greatly helps to guarantee the security of the overall network.
Funding: Supported by the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2020-2018-0-01426) supervised by IITP (Institute for Information and Communication Technology Planning & Evaluation), and in part by the National Research Foundation (NRF) funded by the Korea government (MSIT) (No. 2019R1F1A1059125).
Abstract: Internet of Things (IoT) networks used for industrial management are vulnerable to different security threats due to their unstructured deployment and dynamic communication behavior. In the literature, various mechanisms address the security of Industrial IoT networks, but maintaining performance reliability at the same time is a common challenge. In this paper, we propose an intelligent mutual authentication scheme leveraging an authentication aware node (AAN) and a base station (BS) to identify routing attacks in Industrial IoT networks. The AAN and BS use communication parameters such as route request (RREQ), node ID, received signal strength (RSS) and round-trip time (RTT) information to identify malicious devices and routes in the deployed network. The feasibility of the proposed model is validated in a simulation environment, with OMNeT++ as the simulation tool. We compare the results of the proposed model with existing field-proven schemes in terms of routing attack detection, communication cost, latency, computational cost and throughput. The results show that our proposed scheme surpasses the previous schemes on these performance parameters, with an attack detection rate of 97.7%.
Funding: This work is supported by the National Natural Science Foundation of China under contract 60902008.
Abstract: Denial of Service (DoS) attacks, and especially Distributed Denial of Service (DDoS) attacks, are one of the greatest threats to the Internet. Much research has been done on them by now; however, it has always concentrated on the behavior of the network and cannot deal with the problem exactly. In this paper, we start from the security of the protocol and propose a novel theory for security protocol analysis of Denial of Service in order to deal with DoS attacks. We first introduce the concept of a weighted graph to extend the strand space model, then we extend the penetrator model and define the goal of anti-DoS attack through the concept of the DoS-stop protocol, and finally we propose two kinds of DoS test model and establish the novel formal theory for security protocol analysis of Denial of Service. Our new formal theory is applied to two example protocols. It is proved that the Internet Key Exchange (IKE) easily suffers from DoS attacks, while the efficient DoS-resistant secure key exchange protocol (JFK) protects the server against DoS attacks.
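The contrast the abstract draws between IKE and JFK rests on one concrete mechanism: JFK's responder stores nothing and does no exponentiation until the initiator echoes back a token (an HMAC, under a responder-held secret, over the nonces, the responder's exponential and the initiator's address), so a flood from spoofed sources never gets past the first message. IKEv2 later adopted the same idea as its COOKIE notification. The following is an added model of that exchange, written by us; it is not the paper's strand-space theory nor any IKE or JFK implementation. The Diffie-Hellman group is a toy chosen for speed, and the message formats, addresses and class names are assumptions.

```python
# Added model, not the paper's strand-space formalism: why a key exchange that
# stays stateless until the initiator proves reachability (JFK's token, the
# IKEv2 COOKIE) survives a spoofed-source flood that exhausts a responder
# which commits state and an exponentiation on the first message. The DH
# group is a toy (assumption), as are message formats, addresses and names.
import hashlib
import hmac
import os
import secrets

P = 2**127 - 1      # toy Mersenne-prime group; NOT a real DH group
G = 3


def dh_public(x: int) -> int:
    return pow(G, x, P)


def dh_shared(peer_public: int, x: int) -> int:
    return pow(peer_public, x, P)


def fresh_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


class StatefulResponder:
    """Allocates a session and computes g^r as soon as message 1 arrives."""

    def __init__(self):
        self.sessions = {}
        self.exponentiations = 0

    def msg1(self, src_ip: str, ni: bytes) -> dict:
        r = fresh_exponent()
        self.exponentiations += 1
        self.sessions[(src_ip, ni)] = r
        return {"nr": os.urandom(16), "gr": dh_public(r), "token": b""}

    def msg3(self, src_ip: str, ni: bytes, nr: bytes, gi: int, token: bytes):
        r = self.sessions.get((src_ip, ni))
        if r is None:
            return None
        self.exponentiations += 1
        return dh_shared(gi, r)


class CookieResponder:
    """JFK-style: message 2 is derived from a per-period secret and stored
    nowhere; state and the DH computation happen only after message 3 carries
    a token that only the real owner of src_ip could have received."""

    def __init__(self):
        self.sessions = {}
        self.r = fresh_exponent()
        self.gr = dh_public(self.r)         # reused for the whole period
        self.exponentiations = 1
        self.secret = os.urandom(32)
        self.previous_secret = None         # tokens issued just before a rotation stay valid

    def _token(self, key: bytes, ni: bytes, nr: bytes, src_ip: str) -> bytes:
        msg = ni + nr + self.gr.to_bytes(16, "big") + src_ip.encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def msg1(self, src_ip: str, ni: bytes) -> dict:
        nr = os.urandom(16)
        return {"nr": nr, "gr": self.gr, "token": self._token(self.secret, ni, nr, src_ip)}

    def msg3(self, src_ip: str, ni: bytes, nr: bytes, gi: int, token: bytes):
        valid = any(key is not None
                    and hmac.compare_digest(self._token(key, ni, nr, src_ip), token)
                    for key in (self.secret, self.previous_secret))
        if not valid:
            return None                     # dropped: no state, no exponentiation
        self.exponentiations += 1
        shared = dh_shared(gi, self.r)
        self.sessions[(src_ip, ni)] = shared
        return shared

    def rotate_secret(self) -> None:
        self.previous_secret, self.secret = self.secret, os.urandom(32)


def spoofed_flood(responder, count: int) -> tuple:
    """`count` initiations from forged sources. Replies go to the forged
    addresses, so no message 3 ever follows. Returns (sessions, exponentiations)."""
    for k in range(count):
        responder.msg1(f"198.51.100.{k % 256}", os.urandom(16))
    return len(responder.sessions), responder.exponentiations


def legitimate_exchange(responder, ip: str = "10.0.0.5") -> bool:
    """A real initiator completes all three messages; both sides derive one key."""
    ni, i = os.urandom(16), fresh_exponent()
    m2 = responder.msg1(ip, ni)
    k_resp = responder.msg3(ip, ni, m2["nr"], dh_public(i), m2["token"])
    return k_resp is not None and k_resp == dh_shared(m2["gr"], i)


if __name__ == "__main__":
    for cls in (StatefulResponder, CookieResponder):
        responder = cls()
        sessions, exps = spoofed_flood(responder, 1000)
        print(f"{cls.__name__}: after 1000 spoofed initiations sessions={sessions} "
              f"exponentiations={exps}, legitimate exchange ok={legitimate_exchange(responder)}")
```

Under a spoofed-source flood the stateful responder accumulates one session and one exponentiation per forged initiation, while the cookie responder accumulates none, yet a real initiator still completes the exchange against both. Binding the initiator's address into the token is what stops a token obtained at one address from being replayed from another, and keeping the previous secret valid after a rotation lets honest initiators caught mid-handshake finish: a token issued just before a rotation is still accepted, but not after a second one.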
Abstract: Two significant issues in Internet-based networked control systems (INCSs), the transport performance of different protocols and security breaches from the Internet side, are investigated. First, to improve the performance of data transmission, the user datagram protocol (UDP) is adopted as the main transport for controllers and plants using INCSs. Second, a dual-channel secure transmission scheme (DCSTS) based on the data transmission characteristics of INCSs is proposed, in which a raw UDP channel and a secure TCP (transmission control protocol) connection using SSL/TLS (secure sockets layer/transport layer security) are included. Further, a networked control protocol (NCP) at the application layer for supporting DCSTS between the controllers and plants in INCSs is designed; it also aims at providing a universal communication mechanism for interoperability of devices among the networked control laboratories at Beijing Institute of Technology of China, Central South University of China and Tokyo University of Technology of Japan. By means of a networked single-degree-of-freedom robot arm, an INCS under the new protocol and security environment is created. Compared with systems such as IPSec or SSL/TLS, which may reduce network throughput by more than 91%, the new DCSTS protocol yields results ten times better, with a reduction of just 5.67%.
Funding: Project (No. 2011ZX01034-002-002-003) supported by the National Science and Technology Major Projects of the Ministry of Industry and Information Technology, China
Abstract: This paper deals with an in-line network security processor (NSP) design that implements Internet Protocol Security (IPSec) protocol processing for 10 Gbps Ethernet. The 10 Gbps high speed data transfer and the IPSec processing, including the crypto-operations, the database query and IPSec header processing, are integrated in the design. The in-line NSP is implemented in 65 nm CMOS technology; the layout area is 2.5 mm × 3 mm with 360 million gates. A configurable crossbar data transfer skeleton implementing the iSLIP scheduling algorithm is proposed, which enables simultaneous data transfer between the heterogeneous multiple cores. In addition, a high speed input/output data buffering mechanism and high performance hardware structures for the modules are designed, so that transfer efficiency and resource utilization are maximized and IPSec protocol processing achieves 10 Gbps line speed. A high speed and low power hardware look-up method is proposed, which effectively reduces area and power dissipation. Post-simulation results demonstrate that the design gives a peak throughput of 10.06 Gbps for Authentication Header (AH) transport mode with an average test packet length of 512 bytes at a clock rate of 250 MHz, with a power dissipation of less than 1 W. An FPGA prototype has been constructed to verify the function of the design, and a test bench is being set up for performance and function verification.