Similar literature
 Found 20 similar documents; search took 343 ms
1.
An authentication scheme is one of the most basic and important security mechanisms for satellite communication systems because it prevents illegal access by an adversary. Lee et al. recently proposed an efficient authentication scheme for mobile satellite communication systems. However, we observed that this authentication scheme is vulnerable to a denial of service (DoS) attack and does not offer perfect forward secrecy. Therefore, we propose a novel secure authentication scheme without verification table for mobile satellite communication systems. The proposed scheme can simultaneously withstand DoS attacks and support user anonymity and user unlinkability. In addition, the proposed scheme is based on the elliptic curve cryptosystem, has low client‐side and server‐side computation costs, and achieves perfect forward secrecy. Copyright © 2013 John Wiley & Sons, Ltd.

2.
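A design method for authentication protocols to defend against denial-of-service attacks   Total citations: 7, self-citations: 0, citations by others: 7
A denial-of-service (DoS) attack is an active attack that prevents authorized users from obtaining service normally, and many authentication protocols and key-establishment protocols carry DoS risks to varying degrees. This paper proposes a new approach for defending authentication protocols and key-establishment protocols that have no trusted third party against DoS attacks. The method can dynamically adjust the strength of the DoS defence and can reduce parallel-session attacks, strengthening the security of the protocol.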

3.
Satellite networks play an important role in today’s information age because they can provide global coverage services. Information security is an important concern in satellite multicast communications, where eavesdropping can be performed much more easily than in fixed terrestrial networks. In this work, a novel multicast key management scheme based on key hypergraph for satellite networks on a predefined communication scenario is proposed. We use logical key hierarchy and distributed-logical key hierarchy as reference models for performance comparisons. It is shown that the proposed multicast key management scheme is scalable to large dynamic groups and minimizes satellite bandwidth usage.

4.
Malicious code in the form of computer viruses, worms, trojans and spam bots represents a most dangerous and costly threat to fully interconnected networked information systems. Infected Web pages can seriously compromise client machines and networks. Infected electronic messages, commonly sent in the form of e-mail viruses, may not only damage individual machines but may also cause serious denial of service damage by flooding networks. Socially engineered messages in the form of phishing attacks can cause a general lack of confidence in electronic commerce. Conventional approaches to these problems focus on identifying legitimate messages, which is not always an easy or obvious task. Validating the identity of an electronic communication is a fundamental problem in the modern wired world. The aim of this paper is to highlight the problem of authenticating the identity of electronic communications and to demonstrate an extra layer of protection with respect to e-mail systems, whereby attacks based upon the falsification of identity can be detected and eliminated with minimum impact on the system.

5.
Heterogeneous networks, which can be either integrated wired and wireless networks or fully wireless networks, are convenient as they allow user nodes to be connected whenever and wherever they desire. Group key agreement (GKA) protocols are used to allow nodes in these networks to communicate securely with each other. Dynamic GKA protocols such as Join and Leave Protocol are also important since users can join and leave the network at any time and the group key has to be changed to provide backward and forward secrecy. Denial-of-Service (DoS) attacks on GKA protocols can disrupt GKA services for secure group communications but most GKA protocols in current literature do not consider protection against DoS attacks. Furthermore, most current GKA protocols only consider outsider attacks and do not consider insider attacks. In this paper, we present three authenticated, energy-efficient and scalable GKA protocols, namely Initial GKA, Join and Leave Protocol, that provide protection against insider and DoS attacks and key confirmation properties. We also present a detection protocol to detect malicious group insiders and continue establishing a group key after blocking these malicious insiders. Unlike current communication energy analysis that uses a single energy per bit value, our communication energy analysis separates point-to-point (P2P) and broadcast communications to provide more detailed study on communications in GKA. Both the complexity and energy analysis show that the three proposed protocols are efficient, scalable and suitable for heterogeneous networks.

6.
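A detection algorithm for denial-of-service (DoS) attacks against network information audit systems is proposed. The algorithm analyzes the frequency and dispersion of system alerts to extract a two-dimensional feature vector that indicates changes in system state, and then uses a K-nearest-neighbor classifier trained on samples to detect DoS attacks. Experimental results show that the algorithm can detect and defend against DoS attacks in a timely manner and effectively prevents DoS attacks from damaging the network information audit system.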

7.
Meng YUE  Kun LI  Zhi-jun WU 《通信学报》2017,38(4):129-139
Denial of service (DoS) attack was one of the major threats to cloud computing. Security access path algorithm (SAPA) used node route table (NRT) to compose security access path. It simplified role nodes of traditional secure overlay services (SOS), and periodically updated role nodes, and cached security access paths. Therefore, SAPA was more appropriate for cloud computing to defend DoS attacks. Based on the turn routing architecture of cloud computing, the mathematical model of SAPA was built and its performance was analyzed in theory. The performance of SAPA was tested in OMNeT++ experimental platform. Also, the Test-bed experiments were performed to evaluate the effectiveness of SAPA for defending DoS attack. Experimental results show that comparing with SOS, SAPA can degrade the impact of communication success rate caused by DoS attack effectively, and guarantees the access delay small enough.

8.
9.
The recent wave of creating an interconnected world through satellites has renewed interest in satellite communications. Private and government-funded space agencies are making advancements in the creation of satellite constellations, and the introduction of 5G has brought a new focus to a fully connected world. Satellites are the proposed solutions for establishing high throughput and low latency links to remote, hard-to-reach areas. This has caused the injection of many satellites in Earth's orbit, which has caused many discrepancies. There is a need to establish highly adaptive and flexible satellite systems to overcome this. Machine Learning (ML) and Deep Learning (DL) have gained much popularity when it comes to communication systems. This review extensively provides insight into ML and DL's utilization in satellite communications. This review covers how satellite communication subsystems and other satellite system applications can be implemented through Artificial Intelligence (AI) and the ongoing open challenges and future directions.

10.
Security issues in hybrid networks with a satellite component   Total citations: 3, self-citations: 0, citations by others: 3
Satellites are expected to play an increasingly important role in providing broadband Internet services over long distances in an efficient manner. Most future networks will be hybrid in nature - having terrestrial nodes interconnected by satellite links. Security is an important concern in such networks, since the satellite segment is susceptible to a host of attacks, including eavesdropping, session hijacking and data corruption. In this article we address the issue of securing communication in satellite networks. We discuss various security attacks that are possible in hybrid satellite networks, and survey the different solutions proposed to secure data communications in these networks. We look at the performance problems arising in hybrid networks due to security additions like Internet security protocol (IPSec) or secure socket layer (SSL), and suggest solutions to performance-related problems. We also point out important drawbacks in the proposed solutions, and suggest a hierarchical key-management approach for adding data security to group communication in hybrid networks.

11.
12.
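Denial-of-service (DoS) attacks have gradually become one of the most serious threats to networks worldwide. They work mainly by continuously sending large numbers of packets, exhausting network resources and blocking connections. This paper analyzes DoS attacks using digital signal processing methods and, exploiting the fact that such attacks carry high energy because of the large volume of data sent, designs a parametric FIR filter to remove the frequency components of the spectrum that contain attack traffic. This raises the LAR (Legitimate traffic to Attacked traffic Ratio) so that more network resources are available to provide normal service to users.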

13.
Rapid development of wireless networks brings about many security problems in portable communication systems (PCSs), which can provide mobile users with an opportunity to enjoy global roaming services. In this regard, designing a secure user authentication scheme, especially for recognizing legal roaming users, is indeed a challenging task. It is noticed that there is no delegation-based protocol for PCSs, which can guarantee anonymity, untraceability, perfect forward secrecy, and resistance of denial-of-service (DoS) attack. Therefore, in this article, we put forward a novel delegation-based anonymous and untraceable authentication protocol, which can guarantee to resolve all the abovementioned security issues and hence offer a solution for secure communications for PCSs.

14.
Internal users are the main causes of anomalous and suspicious behaviors in a communication network. Even when traditional security middleboxes are present, internal attacks may lead the network to outages or to leakage of sensitive information. In this article, we propose BroFlow, an Intrusion Detection and Prevention System based on Bro traffic analyzer and on the global network view of the software-defined networks (SDN) which is provided by the OpenFlow. BroFlow's main contributions are (i) dynamic and elastic resource provision of traffic-analyzing machines under demand; (ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; (iii) immediate reaction to DoS attacks, dropping malicious flows close to their sources, and (iv) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, which is shared by multi-tenants, with a minimum number of sensors. We developed a prototype of the proposed system, and we evaluated it in a virtual environment of the Future Internet Testbed with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, reducing up to 90 % of the maximal network delay caused by the attack. BroFlow reaches 50 % of bandwidth gain when compared with conventional firewall approaches, even when the attackers are legitimate tenants acting in collusion. In addition, the system reduces the number of sensors, while keeping full coverage of network flows.

15.
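To address the limited communication network bandwidth and the vulnerability to malicious network attacks in load frequency control of interconnected power systems, this paper studies the joint design of a resilient event-triggered mechanism and a load frequency controller under denial-of-service attacks. With the parameters of the denial-of-service attack known, a resilient event-triggered mechanism is proposed that both relieves the pressure on communication bandwidth and eliminates the effect of denial-of-service attacks. The paper constructs a time-delay switched system model for load frequency control based on the resilient event-triggered mechanism and denial-of-service attacks. The stability of the switched system is analyzed using piecewise Lyapunov functions, and the triggering parameters and the controller are jointly designed. Finally, a simulation of a two-area interconnected power system verifies the effectiveness of the proposed method.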

16.
Cloud computing is one of the most tempting technologies in today's computing scenario as it provides cost‐efficient solutions by reducing the large upfront cost for buying hardware infrastructures and computing power. Fog computing is an added support to the cloud environment, leveraging edge devices to perform some of the less compute-intensive tasks, which reduces the response time for end user computing. But the vulnerabilities of these systems are still a big concern. Among several security needs, availability is one that makes the demanded services available to the targeted customers all the time. Availability is often challenged by external attacks like denial of service (DoS) and distributed denial of service (DDoS). This paper demonstrates a novel source‐based DDoS mitigating scheme that could be employed in both fog and cloud computing scenarios to eliminate these attacks. It deploys the DDoS defender module, which works on a machine learning–based light detection method, present at the SDN controller. This scheme uses the network traffic data to analyze, predict, and filter incoming data, so that it can send the filtered legitimate packets to the server and block the rest.

17.
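Existing physical-layer authentication mechanisms rely on the privacy of the legitimate channel state information (CSI); once an attacker can manipulate or steal the legitimate channel, the physical-layer authentication mechanism faces the threat of being broken. To address this weakness, this paper proposes a man-in-the-middle (MITM) pilot attack method that attacks physical-layer authentication mechanisms by controlling the channel measurement process of the two legitimate parties. First, the MITM pilot attack system is modeled and a gradual, imperceptible access strategy for the MITM pilot attack is given, which allows the attacker to insert itself smoothly between the two legitimate communicating parties. Once the attacker has gained access, it can attack two basic physical-layer authentication mechanisms: against the CSI-based comparison authentication mechanism, it can carry out denial-of-service attacks and impersonation access attacks; against the CSI-based encryption authentication mechanism, it can steal the channel information and thereby go on to crack the authentication vector. The attack method applies to general wireless communication systems with public pilots and requires the attacker to be able to synchronize with the pilot transmission process of the two legitimate parties. Simulation analysis verifies the effectiveness of the several attacks: the gradual imperceptible access strategy, the denial-of-service attack, the impersonation access attack, and stealing channel information and cracking the authentication vector.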

18.
The broadcast nature of communications in wireless communication networks makes them vulnerable to some attacks, particularly eavesdropping attacks. Hence, information security can have a key role to protect privacy and avoid identity theft in these networks, especially in distributed networks. In wireless systems, the signal propagation is affected by path loss, slow fading (shadowing), and fast fading (multi‐path fading). As we know, there is a correlation between communication channels in real radio environments. This correlation is defined by the correlation between their shadowing and/or multipath fading factors. So when there are several channels in the wireless systems, there is certainly a correlation between the channels. In this paper, we assume that the transmitter knows the full channel state information (CSI), meaning the transmitter knows the channel gains of both the illegitimate (i.e., eavesdropper) and the legitimate receivers, and study the performance of secure communications of single‐input single‐output (SISO) systems consisting of single antenna devices, in the presence of a single antenna passive eavesdropper over correlated slow fading channels, where the main (transmitter to legitimate receiver) and eavesdropper (transmitter to illegitimate receiver) channels are correlated. Finally, we present numerical results and verify the accuracy of our analysis by Monte‐Carlo simulations.

19.

Vehicular Adhoc Network (VANET) is based on the principles of Mobile Adhoc NETwork (MANET) where vehicles are considered as nodes and secure communication is established to provide a safe driving experience. Due to its unique characteristics, it has various issues and challenges. These issues can be resolved by ensuring security requirements like authentication, privacy preservation, message integrity, non-repudiation, linkability, availability etc. Authentication plays a vital role since it is the first step to establish secure communication in the vehicular network. It also distinguishes malicious vehicles from legitimate vehicles. Different authentication schemes have been proposed to establish secure vehicular communications. A survey of the existing authentication schemes is given in this paper. At first, the existing authentication schemes are broadly classified based on message signing and verification methods. Then, each category is clearly explained with its sub-categories. At last, the existing schemes in each category are compared based on security requirements, security attacks and performance parameters.

20.
程珂珂  徐子平 《通信技术》2015,48(5):589-593
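The coverage of existing trunked communication is limited. To achieve all-round trunked communication, combining satellite communication with trunked communication is proposed. Taking TETRA as an example, the paper analyzes how trunking services are implemented in existing trunked communication systems in China and abroad. With respect to circuit-domain trunking, it proposes implementing packet-domain multimedia trunking. To ease engineering implementation, it proposes a protocol flow for a satellite trunking IP multicast group-call service based on MBMS technology, and analyzes the key problems to be solved in implementation and their solutions. The scheme offers a new direction for the development of trunking services in satellite mobile communications.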
