Rong Fan,Lingdi Ping,JianQing Fu,Xuezeng Pan

DOI: https://doi.org/10.1109/PACCS.2010.5626600

2010-01-01

Abstract:As wireless sensor networks (WSNs) are susceptible to attacks and sensor nodes have limited resources, designing a secure and efficient user authentication protocol for WSNs is a difficult task. Considering that most future large-scale WSNs follow a two-tiered architecture, we propose an efficient and Denial-of-Service resistant user authentication scheme for two-tiered WSNs, which imposes very light computational load and requires simple operations such as one-way hash function and exclusive-OR operations. In addition, there is a growing requirement for preserving user anonymity recently. Thus we introduce pseudonym identity for each user which is concealed in login messages. And through clever design, our proposed scheme can prevent from smart card breach. Moreover, the security analysis on this scheme demonstrates that our proposed scheme enjoys security attributes such as preventing the various kinds of attacks and user anonymity. Finally, performance analysis shows that our proposed scheme is simple and efficient.

Rong Fan,Dao-jing He,Xue-zeng Pan,Ling-di Ping

DOI: https://doi.org/10.1631/jzus.c1000377

2011-01-01

Abstract:Wireless sensor networks (WSNs) are vulnerable to security attacks due to their deployment and resource constraints. Considering that most large-scale WSNs follow a two-tiered architecture, we propose an efficient and denial-of-service (DoS)-resistant user authentication scheme for two-tiered WSNs. The proposed approach reduces the computational load, since it performs only simple operations, such as exclusive-OR and a one-way hash function. This feature is more suitable for the resource-limited sensor nodes and mobile devices. And it is unnecessary for master nodes to forward login request messages to the base station, or maintain a long user list. In addition, pseudonym identity is introduced to preserve user anonymity. Through clever design, our proposed scheme can prevent smart card breaches. Finally, security and performance analysis demonstrates the effectiveness and robustness of the proposed scheme.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Qian Wang,Timothy Dunlap,Youngho Cho,Gang Qu

DOI: https://doi.org/10.1109/wocc.2017.7928974

2017-01-01

Abstract:Denial of service (DoS) attacks have been one of the major network security problems over the last decades. DoS attacks can usually be mounted on hardware devices such as routers and firewalls to send spoofing messages to the target network. Thus, methods for defeating such DoS attacks are highly related to the vulnerabilities in the hardware devices. In this paper, we investigate the potential attacks specific to the hardware infrastructure of the network and also categorize the countermeasures against DoS attacks that can be implemented on hardware devices. Moreover, we analyze the advantages of the emerging silicon physical unclonable functions and discuss the potential of integrating them into authentication methods in order to defend against DoS attacks.

Yin Qin,Xue Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.12.055

2006-01-01

Abstract:DDoS attacks in the Internet have produced new challenges to network and system security. Many mecha- nisms have been designed to address this problem in recent years. This paper surveys these techniques and analyses them.

Yubo Song,Chen Xi,Hu Aiqun

DOI: https://doi.org/10.1109/MINES.2009.209

2009-01-01

Abstract:The WAI (WLAN Authentication Infrastructure), which is composed of mutual certificate authentication and key agreement, is the authentication protocol in the Chinese Wireless LAN standard. In this paper, we analyze the WAI protocol using a finite-state verification tool Mur¿ and find that the authentication protocol can't resist the denial of service attack. Attackers can forge the messages to produce inconsistent keys in peers. Three Denial-of-Service attacks are discussed in this paper. Two of those attacks are occurred in the mutual certificate authentication phase and one is found in the key agreement phase. Furthermore, several amendments are discussed in this paper.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Yao Zhao,Sagar Vemuri,Jiazhen Chen,Yan Chen,Hai Zhou,Zhi Fu

DOI: https://doi.org/10.1109/DSN.2009.5270358

2009-01-01

Abstract:Security protocols are not as secure as we assumed. In this paper, we identified a practical way to launch DoS attacks on security protocols by triggering exceptions. Through experiments, we show that even the latest strongly authenticated protocols such as PEAP, EAP-TLS and EAP-TTLS are vulnerable to these attacks. Real attacks have been implemented and tested against TLS-based EAP protocols, the major family of security protocols for wireless LAN, as well as the return routability of mobile IPv6, an emerging lightweight security protocol in new IPv6 infrastructure. DoS attacks on PEAP, one popular TLS-based EAP protocol were performed and tested on a major university's wireless network, and the attacks were highly successful. We further tested the scalability of our attack through a series of ns-2 simulations. Countermeasures for detection of such attacks and improvements of the protocols to overcome these types of DoS attacks are also proposed and verified experimentally.

濮青

DOI: https://doi.org/10.3969/j.issn.1001-3695.2003.03.023

2003-01-01

Abstract:Denial of Sevice (DoS) attack on the Internet now has become a ordinary network attack method.DoS attack is a malicious action that exhausts victim hosts resources and prevents them from serving any other legal users by exploiting software bugs or system leaks.In this paper,we discuss the theory of DoS attack,analyze some potential leaks in TCP/IP protocol set,and introduce some new progress such as DDos .We also show how to make security plans to defense the DoS attacks by using Firewalls or IDS.

Shibo Luo,Jun Wu,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/FCST.2015.11

2015-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a major threat to Internet based killer applications, such as independent news web sites, e-business and online games. Detecting and blocking such clever attacks has become difficult. Software-Defined Networks (SDN) has emerged as a future communication network architecture which decouples network control and forwarding. It has some particular features such as central control and programmability to combat against DDoS attack. In this paper, we survey DDoS attacks and existing defense mechanisms, and draw a conclusion of the needs of defense mechanism for successful combating against DDoS. Then, we analyze the particular features of SDN and conclude it is conducive to countermeasure DDoS attack. According the analysis, we construct a defense mechanism for DDoS in SDN. At last, we illustrate how this mechanism could combat against DDoS attacks through a working example.

Huang Tang,Xiangning Chen,Jichun Zhang

DOI: https://doi.org/10.1109/csss.2012.207

2012-01-01

Abstract:Denial of service (DoS) attacks remain a serious threat on the internet and again it is very difficult to devise a perfect DoS defense mechanism. In this paper, we investigate the main form of blocking attacks launched by a small amount of attacker firstly. And then cite some of the major methods that deal with denial of service attacks from the three aspects of prevention, detection and tracking. After that, a new type of authentication method applied to a shared media network or broadcast network, based on the calculation of the amount, established a connection between the client and the server-side is proposed. Lastly we present a detailed analysis the method that greatly enhances the security of the server.

Yixin Jiang,Minghui Shi,Xuemin (Sherman) Shen,Chuang Lin,Xiaowen Chu

DOI: https://doi.org/10.1201/9781420068405.ch21

2009-01-01

Abstract:In this chapter, a novel authentication protocol is proposed, which satisfies both security and reliability requirements for group communications in ad hoc networks. The security features include identity anonymity and intracability, one-way session key/identity refreshment, and data privacy. The reliability features include efficient denial-of-service (DoS) tolerance for forged refreshment messages and fault tolerance for lost messages recovery. The theoretical and the simulative results demonstrate that the proposed protocol is robust and efficient under severe DoS attack and poor wireless channel quality.

Zeng Xiao-hui,Peng Xuan-ge,Li Man-hua,Xu Hong-qi,Jin Shi-yao

DOI: https://doi.org/10.1109/icrccs.2009.15

2009-01-01

Abstract:Aiming at the shortage of existing DDoS attacks defense system, this paper puts forward an effective approach against DDoS attacks based on the three-way handshake process, and the key point lies in discarding the aggressive first handshake requests which consume a lot of system resources; thus it ensures that the new normal network request can be dealt with. An efficient defense system against DDoS attacks is designed, and the experiment results show our approach can improve the whole system’s protection capability against DDoS attacks; what’s more, the system can still keep receiving new network requests.

Yanan Sun,Xiaohong Guan,Ting Liu

DOI: https://doi.org/10.1007/978-3-642-24403-2_13

2011-01-01

Abstract:Authentication is of great importance in information security. Traditional method only focus on encryption of the content itself, which is the same with the later proposed methods named information hiding and digital watermark. Since data transmission is in the open network, it can easily be detected and intercepted by the malicious party. In this paper, we put forward a new method which utilize the communication channel, not the content, as the data carrier, and guarantee the validation of the user's identity during the common data transmission. Specifically, by manipulating the inter-packet delays, we implement a prototype system for authentication and embed the authentication tag within the packet intervals based on network covert channel. By conducting a series of experiments, we prove that our method performs well in LAN and Campus Network.

Yixin Jiang,Chuang Lin,Minghui Shi,Xuemin (Sherman) Shen,Xiaowen Chu

DOI: https://doi.org/10.1016/j.comcom.2007.04.012

IF: 5.047

2007-01-01

Computer Communications

Abstract:In this paper, a novel authentication protocol is proposed, which satisfies both security and reliability requirements for group communications in ad hoc networks. The security features include identity anonymity and location intracability, periodic one-way session key and pseudonym identity refreshment with implicit authentication, dynamic joining and leaving an in-progress communication session, and data encryption. The reliability features include efficient Denial of Service tolerance for broadcasting refreshment messages, fault-tolerance for recovering lost refreshment messages, robustness for resisting the clock skews among member nodes and seamless key switch without disrupting ongoing data transmissions. The performance and security analysis show that the communication and computation overhead of the proposed protocol is similar to the existing one, while the security can be enhanced significantly. The simulation results demonstrate the robustness of the proposed protocol under severe Denial of Service attack and poor wireless channel quality.

Linzhi Jiang,Chunxiang Xu,Xiaofang Wang,Yanghong Zhou

DOI: https://doi.org/10.1109/HPCC-CSS-ICESS.2015.148

2015-01-01

Abstract:Network security protocol design is important aspect of network security research. DoS/DDoS is very serious attack in wired and wireless network. DoS/DDoS attack depletes memory/cpu of service provider, so legitimate user can't gain normal service. According to anti-DoS attack strategy of network security protocols, we give and discuss three mechanisms (stateless connection, Fail-together and Subset Sum Client-Puzzle) on design of a key exchange protocol against denial of service attack for ISO/IEC1170-3 key exchange protocol. Subset Sum Client-Puzzle has simple structure, Non-Parallelizable speciality and fast verification. N Subset Sum Client-Puzzles' difficulties are sum of n Subset Sum Client-Puzzle's difficulty. Based on analysis of new key exchange protocol, we compare initiator and responder for computation resource, memory depletion and anti-DoS/DDoS. ISO/IEC1170-3 key exchange protocol on Subset Sum Client Puzzle, which is non-parallelizable, easy construction and verification, has the good property against DoS/DDoS attack. It provides a very good reference for network security protocol design with anti-DoS/DDoS attack.

Wenting Li,Bin Li,Yiming Zhao,Ping Wang,Fushan Wei

DOI: https://doi.org/10.1155/2018/8539674

2018-01-01

Abstract:Nowadays wireless sensor networks (WSNs) have drawn great attention from both industrial world and academic community. To facilitate real-time data access for external users from the sensor nodes directly, password-based authentication has become the prevalent authentication mechanism in the past decades. In this work, we investigate three foremost protocols in the area of password-based user authentication scheme for WSNs. Firstly, we analyze an efficient and anonymous protocol and demonstrate that though this protocol is equipped with a formal proof, it actually has several security loopholes been overlooked, such that it cannot resist against smart card loss attack and violate forward secrecy. Secondly, we scrutinize a lightweight protocol and point out that it cannot achieve the claimed security goal of forward secrecy, as well as suffering from user anonymity violation attack and offline password guessing attack. Thirdly, we find that an anonymous scheme fails to preserve two critical properties of forward secrecy and user friendliness. In addition, by adopting the "perfect forward secrecy (PFS)" principle, we provide several effective countermeasures to remedy the identified weaknesses. To test the necessity and effectiveness of our suggestions, we conduct a comparison of 10 representative schemes in terms of the underlying cryptographic primitives used for realizing forward secrecy.

Fan Wu,Lili Xu,Saru Kumari,Xiong Li

DOI: https://doi.org/10.1007/s12083-015-0404-5

IF: 3.488

2015-01-01

Peer-to-Peer Networking and Applications

Abstract:Wireless sensor network(WSN) contains many specially distributed sensors which collect information for people to analyze appointed objects in real-time. WSN is deployed widely in many fields, such as fire detection and remote health care monitoring. User authentication is an important part for the communication of WSN. In 2014, Jiang et al. and Choi et al. proposed their authentication schemes for WSN, respectively. However, we find some weaknesses in them. Jiang et al.'s scheme cannot resist the De-Synchronization attack, the off-line guessing attack and the user forgery attack. Besides, it does not keep the character of strong forward security. Choi et al.'s scheme is under the off-line password guessing attack and the user impersonation attack without user anonymity. We present an improved authentication scheme and prove it to be secure with the formal security model. Also, we analyze the concrete secure characters and the performance of our scheme. Through comparison with some recent schemes, our scheme is more practical and fit for applications.

Zhen Cao,Zhi Guan,Zhong Chen,Jian-Bin Hu,Li-Yong Tang

DOI: https://doi.org/10.1007/s11390-010-9330-4

2010-01-01

Abstract:Denial-of-Service (DoS) attacks are virulent to both computer and networked systems. Modeling and evaluating DoS attacks are very important issues to networked systems; they provide both mathematical foundations and theoretic guidelines to security system design. As defense against DoS has been built more and more into security protocols, this paper studies how to evaluate the risk of DoS in security protocols. First, we build a formal framework to model protocol operations and attacker capabilities. Then we propose an economic model for the risk evaluation. By characterizing the intruder capability with a probability model, our risk evaluation model specifies the “Value-at-Risk” (VaR) for the security protocols. The “Value-at-Risk” represents how much computing resources are expected to lose with a given level of confidence. The proposed model can help users to have a better understanding of the protocols they are using, and in the meantime help designers to examine their designs and get clues of improvement. Finally we apply the proposed model to analyze a key agreement protocol used in sensor networks and identify a DoS flaw there, and we also validate the applicability and effectiveness of our risk evaluation model by applying it to analyze and compare two public key authentication protocols.

Zhao Wang,Xuesong Zhang,Zhong Chen

DOI: https://doi.org/10.1109/iccis.2012.215

2012-01-01

Abstract:Radio frequency identification (RFID) technology is a non-contact automatic identification technology. The basic principle of RFID is coupled with radio frequency signal and the spatial transmission characteristics. From object recognition to achieve automatic recognition, RFID has the advantages of being effective, diversity, high capacity, low cost, anti-pollution, penetrating and so on. However, current RFID authentication protocols cannot defend against DoS attack. This paper proposes Rapdos, a novel mutual authentication protocol, which is based on the use of symmetric encryption and dynamic update key to prevent the DoS attack. The experiment has validated that Rapdos has provided good security for RFID system, and can defeat location privacy attack, relay attack, eavesdropping attack, denial-of-service attack, and solve problems of RFID security privacy.