Similar literature
 Found 19 similar articles; search took 187 ms
1.
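An advanced marking scheme for tracing onion packets and its implementation   Total citations: 12, self-citations: 0, citations by others: 12
吴振强  杨波 《通信学报》2002,23(5):96-102
Onion routing is a new anonymous connection technique proposed for information hiding; it prevents an attacker from either eavesdropping or performing traffic analysis. However, once an attacker uses this technique to launch a denial-of-service attack, the victim cannot trace the attacker. This paper therefore proposes an advanced marking scheme that can trace onion packets, so that onion routing keeps its original anonymity while the victim can still approximately trace the attacker. The scheme has very low network and router overhead and is easy to extend to IPv6 and future backbone networks.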

2.
王滨  郭云飞  兰巨龙  吴春明 《通信学报》2010,31(10):121-127
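This paper studies the impact of distance-vector routing protocols on network survivability and gives a definition of network survivability and a method for computing it. To effectively improve the network survivability of distance-vector routing protocols, it proposes a method for measuring the authenticity of messages. The analysis shows that the method can withstand false routing message attacks launched by attacking nodes in the network and can effectively improve the network survivability of distance-vector routing protocols.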

3.
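To address exploit-based attacks such as APTs, this paper proposes a method for detecting exploit attacks based on identifying anomalous control flow. Through static analysis and dynamic execution monitoring of the target program, the method builds a complete secure execution profile and restricts the legitimate targets of control-flow transfers. When control flow is transferred by a function call, a function return or a jump, it checks the legitimacy of the target address, classifies anomalous control-flow transfers as exploit attacks, and captures the complete attack steps. Experimental results show that the method detects exploit attacks accurately, has good runtime efficiency, and can serve as a real-time detection scheme for exploit attacks.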

4.
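The AODV routing protocol was designed without security considerations and has vulnerabilities that can be used for attacks. To remedy these security flaws, researchers have introduced measures such as security certificates, digital signatures and hash chains to strengthen routing protocol security; the ARAN and SAODV secure routing protocols are representative. A careful analysis of how these two protocols operate shows that they still have a serious vulnerability when facing the preemptive-replay attack: during route establishment, a preemptive-replay attack can skip legitimate nodes and form a false route that does not actually hold. The paper analyzes the attack process in detail and gives remedial measures.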

5.
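This paper analyzes the principles of DSR on-demand route discovery and of the black hole attack in ad hoc networks. To address the black hole attack faced by the DSR routing protocol, it proposes a route record authentication mechanism based on the JYH aggregate signature algorithm. The new scheme defines a path proof attribute in DSR route request and route reply messages and designs matching input signing and output verification algorithms. Finally, the security of the route record authentication mechanism is analyzed using the SVO formal logic method. The analysis shows that the proposed mechanism can effectively resist black hole attacks against the DSR routing protocol.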

6.
陈凯  许海铭  徐震  林东岱  刘勇 《电子学报》2016,44(8):1806-1813
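Bluetooth Low Energy (BLE) is designed for resource-constrained devices, but existing research has pointed out that its Secure Simple Pairing (SSP) scheme is vulnerable to man-in-the-middle (MITM) attacks. The paper identifies the root causes of the MITM vulnerability as tampering with pairing information and a flaw in the JW mode itself. It therefore proposes two improved SSP schemes for BLE devices in mobile cloud computing (MCC); the schemes are based on hash functions and use MCC technology to improve the security of SSP. Scheme 1 applies to BLE devices that support the PE or OOB mode and uses a hash function to ensure the authenticity and reliability of pairing information. Scheme 2 uses a hash sequence to address the MITM vulnerability of BLE devices that support only the JW mode. The paper analyzes the proposed schemes from both a security and a performance perspective to show that they provide protection against MITM attacks by adversaries of different levels.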

7.
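Because mobile ad hoc networks change dynamically and are self-organizing and multi-hop, they are more vulnerable to many kinds of malicious attacks, of which the wormhole attack is the most serious. This paper analyzes the wormhole problem in detail and, after summarizing existing solutions, proposes a concise solution. The scheme combines the MAC values computed by intermediate nodes during route discovery with the authentication information provided by the neighbor maintenance mechanism to resist wormhole attacks well, improving the security of the routing protocol.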

8.
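Security analysis of SIP-based IMS   Total citations: 1, self-citations: 1, citations by others: 0
The paper first analyzes five common vulnerabilities of the SIP protocol: registration hijacking, server impersonation, message tampering, session teardown and denial of service. It then analyzes access security, network domain security and the security association establishment procedure in the IMS security mechanism, and on that basis studies the feasibility of attacks that exploit SIP vulnerabilities in IMS. The analysis shows that the IMS security mechanism can reject all SIP-vulnerability-based attacks except DoS attacks. Finally, it gives the procedure for carrying out a DoS attack in IMS and verifies the DoS attack by simulation using an Open SERB server on a 100M local area network.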

9.
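A secure mobile agent routing protocol based on Merkle trees and its extension   Total citations: 2, self-citations: 0, citations by others: 2
柳毅  姜正涛  王育民 《电子学报》2005,33(7):1250-1253
This paper analyzes an efficient mobile agent routing protocol proposed by Domingo J. et al. and points out a serious security flaw: it cannot resist collusion attacks among routing hosts. On this basis, it uses a hash function to propose a secure mobile agent routing protocol based on a Merkle tree and analyzes its security, computational complexity and amount of transmitted information. The results show that the scheme not only remedies the flaw of the original protocol but also retains its efficiency. Finally, the scheme is extended to dynamic routing.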

10.
冯涛  梁一鑫 《通信学报》2012,33(Z1):58-69
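Using bilinear groups and building on proxy re-signature and blind signature mechanisms, this paper proposes an efficient certificateless blind proxy re-signature scheme. The scheme solves the key escrow problem and the extra overhead of certificate management, and also achieves the message privacy property for the proxy during signature conversion. Based on the hardness of the NGBDH problem and Many-NGBDH, the new scheme is proved to resist forgery attacks. The scheme satisfies correctness and message blindness.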

11.
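Onion routing is a P2P-based anonymous communication technique widely used on public networks. It prevents an attacker from either eavesdropping or performing traffic analysis, provides anonymity for the sender and receiver of information, and also protects the security of the content itself. Based on the basic model of current onion routing implementations, and combining group signatures with the concept of distribution, the paper proposes a distributed onion routing scheme based on group signatures and briefly analyzes its performance, showing that it indeed offers good improvements in path concealment, system security and other aspects.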

12.
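Design and implementation of covert routing using segment-verified signcryption   Total citations: 1, self-citations: 0, citations by others: 1
With covert-routing network connections in an open computer network, any user of the covert network can obtain only the addresses of the predecessor and successor nodes directly connected to it, so an attacker can neither eavesdrop on secrets nor perform traffic analysis. Existing covert routing schemes use either atomic signature and encryption, or nested encryption and signature, i.e. onion routing. This paper applies segment-verified signcryption to propose a new covert routing implementation. The scheme replaces the conventional two-step sign-then-encrypt approach of existing schemes with signcryption, which reduces the protocol's computation and communication, improves execution efficiency, and combines the advantages of both methods. Finally, the security of the scheme is analyzed.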

13.
Designing a safe and reliable way for communicating the messages among the devices and humans forming the Opportunistic Internet of Things network (OppIoT) has been a challenge since the broadcast mode of message sharing is used. To contribute toward addressing such challenge, this paper proposes a Random Forest Classifier (RFC)‐based safe and reliable routing protocol for OppIoT (called RFCSec) which ensures space efficiency, hash‐based message integrity, and high packet delivery, simultaneously protecting the network against safety threats viz. packet collusion, hypernova, supernova, and wormhole attacks. The proposed RFCSec scheme is composed of two phases. In the first one, the RFC is trained on real data trace, and based on the output of this training, the second phase consists in classifying the encountered nodes of a given node as belonging to one of the output classes of nodes based on their past behavior in the network. This helps in proactively isolating the malicious nodes from participating in the routing process and encourages the participation of the ones with good message forwarding behavior, low packet dropping rate, high buffer availability, and a higher probability of delivering the messages in the past. Simulation results using the ONE simulator show that the proposed RFCSec secure routing scheme is superior to the MLProph, RLProph, and CAML routing protocols, chosen as benchmarks, in terms of legitimate packet delivery, probability of message delivery, count of dropped messages, and latency in packet delivery. The out‐of‐bag error obtained is also minimal.

14.
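Three effective forgery attack algorithms are constructed against the identity-based signature schemes in the standard model that 李—姜 (2009) and 谷—贾—姜 (2011) each proposed on the basis of Paterson's scheme (2006): without obtaining the private key of any signing user, an attacker can, merely by choosing random parameters and performing polynomial-time computation, forge with significant probability a valid signature of any user on any message. These attack algorithms show that the identity-based signature schemes of 李—姜 and 谷—贾—姜 are both insecure. Finally, the reasons the schemes are vulnerable to attack are analyzed and two possible improvements are given.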

15.
Delay Tolerant Networks (DTNs) provide a communications infrastructure for environments lacking continuous connectivity. Such networks rely on the mobility of nodes and the resulting opportunistic connections to carry messages from source to destination. Unfortunately, exchanging packets with an arbitrary intermediary node makes privacy difficult to achieve in these systems as any adversary can easily act as an intermediary and determine the sender and receiver of a message. In this paper, we present ARDEN, an anonymous communication mechanism for DTNs based on a modified onion routing architecture. Instead of selecting specific nodes through which messages must pass as is traditionally done in onion routing, ARDEN uses Attribute-Based Encryption (ABE) to specify and manage groups that may decrypt and forward messages. Through simulation, we show that this approach not only increases throughput and reduces end-to-end latency over traditional onion routing techniques, but also adds minimal overhead when compared to DTN routing protocols that do not provide anonymity guarantees. Through this, we show that ARDEN is an effective solution for anonymous communication in intermittently connected networks such as DTNs.

16.
We propose and analyze a class of integrated social and quality of service (QoS) trust-based routing protocols in mobile ad-hoc delay tolerant networks. The underlying idea is to incorporate trust evaluation in the routing protocol, considering not only QoS trust properties but also social trust properties to evaluate other nodes encountered. We prove that our protocol is resilient against bad-mouthing, good-mouthing and whitewashing attacks performed by malicious nodes. By utilizing a stochastic Petri net model describing a delay tolerant network consisting of heterogeneous mobile nodes with vastly different social and networking behaviors, we analyze the performance characteristics of trust-based routing protocols in terms of message delivery ratio, message delay, and message overhead against connectivity-based, epidemic and PROPHET routing protocols. The results indicate that our trust-based routing protocols outperform PROPHET and can approach the ideal performance obtainable by epidemic routing in delivery ratio and message delay, without incurring high message overhead. Further, integrated social and QoS trust-based protocols can effectively trade off message delay for a significant gain in message delivery ratio and message overhead over traditional connectivity-based routing protocols.

17.
Sleep scheduling with expected common coverage in wireless sensor networks   Total citations: 1, self-citations: 0, citations by others: 1
Sleep scheduling, which is putting some sensor nodes into sleep mode without harming network functionality, is a common method to reduce energy consumption in dense wireless sensor networks. This paper proposes a distributed and energy efficient sleep scheduling and routing scheme that can be used to extend the lifetime of a sensor network while maintaining a user defined coverage and connectivity. The scheme can activate and deactivate the three basic units of a sensor node (sensing, processing, and communication units) independently. The paper also provides a probabilistic method to estimate how much the sensing area of a node is covered by other active nodes in its neighborhood. The method is utilized by the proposed scheduling and routing scheme to reduce the control message overhead while deciding the next modes (full-active, semi-active, inactive/sleeping) of sensor nodes. We evaluated our estimation method and scheduling scheme via simulation experiments and compared our scheme also with another scheme. The results validate our probabilistic method for coverage estimation and show that our sleep scheduling and routing scheme can significantly increase the network lifetime while keeping the message complexity low and preserving both connectivity and coverage.

18.
Peng  Kun 《Ad hoc Networks》2005,3(6):795-819
This paper presents a systematic analysis of insider attacks against mobile ad-hoc routing protocols, using the Ad-hoc On-Demand Distance Vector (AODV) protocol as an example. It identifies a number of attack goals, and then studies how to achieve these goals through misuses of the routing messages. To facilitate the analysis, it classifies insider attacks into two categories: atomic misuses and compound misuses. Atomic misuses are performed by manipulating a single routing message, which cannot be further divided; compound misuses are composed of combinations of atomic misuses and possibly normal uses of the routing protocol. The analysis results in this paper reveal several classes of insider attacks, including route disruption, route invasion, node isolation, and resource consumption. Finally, this paper presents simulation results that validate and demonstrate the impact of these attacks.

19.
The design of routing protocol with energy efficiency and security is a challenging task. To overcome this challenge, we propose energy-efficient secured routing protocol. The objective of our work is to provide a secured routing protocol, which is energy efficient. To provide security for both link and message without relying on the third party, we provide security to the protocol by choosing a secure link for routing using Secure Optimized Link State Routing Protocol. Each node chooses multipoint relay nodes amongst the set of one-hop neighbors, so as to reach all two-hop neighbors. The access control entity authorizes nodes announcing the node identification to the network. In addition, the access control entity signs a public key Ki, a private key ki, and the certificate Ci required by an authorized node to obtain the group key. Each node maintains a route table with power status as one of its entry. After selecting the link, on requirement of a new route, we check nodes’ power status in its routing table and then accordingly arise a route. Then, we perform group key distribution using the generated keys using a small number of messages which helps reducing energy consumption. The group key can be altered periodically to avoid nonauthorized nodes and to avoid the use of the same group key in more than some amount of data. Then, we provide communication privacy for both message sender and message recipient using Secure Source Anonymous Message Authentication Scheme. Thereby, the message sender or the sending node generates a source anonymous message authentication for message for releasing each message based on the MES scheme. Hence, our approach will provide message content authenticity without relying on any trusted third parties.
