Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

Binanda Sengupta,Yingjiu Li,Kai Bu,Robert H. Deng

DOI: https://doi.org/10.1145/3372046

IF: 5.3

2020-01-01

ACM Transactions on Internet Technology

Abstract:The end-users communicating over a network path currently have no control over the path. For a better quality of service, the source node often opts for a superior (or premium) network path to send packets to the destination node. However, the current Internet architecture provides no assurance that the packets indeed follow the designated path. Network path validation schemes address this issue and enable each node present on a network path to validate whether each packet has followed the specific path so far. In this work, we introduce two notions of privacy-path privacy and Index privacy-in the context of network path validation. We show that, in case a network path validation scheme does not satisfy these two properties, the scheme is vulnerable to certain practical attacks (that affect the privacy, reliability, neutrality and quality of service offered by the underlying network). To the best of our knowledge, ours is the first work that addresses privacy issues related to network path validation. We design PrivNPV, a privacy-preserving network path validation protocol, that satisfies both path privacy and index privacy. We discuss several attacks related to network path validation and how PrivNPV defends against these attacks. Finally, we discuss the practicality of PrivNPV based on relevant parameters.

Ming Li,Matti Siekkinen,Sasu Tarkoma,Antti Yla-Jaaski,Yong Cui

DOI: https://doi.org/10.1109/ISCC.2010.5546541

2010-01-01

Abstract:This paper presents SLA (Segment Level Authentication), a transport segment level solution designed to prevent both of the intra-domain and inter-domain source spoofing. SLA is based on public key cryptography authentication. It enables intermediate network nodes the ability to validate the packet authenticity by verifying authentication information carried in packets. Although public key cryptography is computationally intensive and induces the traffic overhead, SLA leverages FPGA (Field Programmable Gate Array) based ECC (Elliptic Curve Cryptography) hardware cryptography accelerator to decrease the computation and traffic overhead. SLA provides incremental deployment and offers incentives for both of hosts and ASes. We find that the SLA is feasible for Gigabit links and can effectively mitigate source spoofing in both of intra-domain and inter-domain networks.

Henrik Forssell,Ragnar Thobaben,Hussein Al-Zubaidy,James Gross

DOI: https://doi.org/10.48550/arXiv.1806.10387

2018-06-27

Abstract:We study the detection and delay performance impacts of a feature-based physical layer authentication (PLA) protocol in mission-critical machine-type communication (MTC) networks. The PLA protocol uses generalized likelihood-ratio testing based on the line-of-sight (LOS), single-input multiple-output channel-state information in order to mitigate impersonation attempts from an adversary node. We study the detection performance, develop a queueing model that captures the delay impacts of erroneous decisions in the PLA (i.e., the false alarms and missed detections), and model three different adversary strategies: data injection, disassociation, and Sybil attacks. Our main contribution is the derivation of analytical delay performance bounds that allow us to quantify the delay introduced by PLA that potentially can degrade the performance in mission-critical MTC networks. For the delay analysis, we utilize tools from stochastic network calculus. Our results show that with a sufficient number of receive antennas (approx. 4-8) and sufficiently strong LOS components from legitimate devices, PLA is a viable option for securing mission-critical MTC systems, despite the low latency requirements associated to corresponding use cases. Furthermore, we find that PLA can be very effective in detecting the considered attacks, and in particular, it can significantly reduce the delay impacts of disassociation and Sybil attacks.

Cryptography and Security,Networking and Internet Architecture

Yuxin Chen,Jiayu Yang,Xuanbo Huang,Jiangping Han,Bobo Wang,Jian Li,Kaiping Xue

DOI: https://doi.org/10.1109/icccn58024.2023.10230118

2023-01-01

Abstract:With potential advantages over TCP/IP for content delivery, mobility, and security, Named Data Networking (NDN) has become a promising architecture for the next-generation network. However, its poor performance in reliable transmission is still an unsolved problem. Many existing schemes in NDN employ inaccurate retransmission timeouts calculated with RTTs from diverse content sources to detect packet loss, which is lagging and may deteriorate transmission performance. Besides, after identifying the loss, the consumer costly resends the request to recover it, further increasing recovery time. In this paper, we propose an in-network Proactive Loss Recovery (PLR) scheme, which provides an efficient in-network method for timely detection and proactive recovery of lost packets. Deployed on each router, PLR detects the loss by monitoring queue status and sends high-priority explicit feedback to notify consumers of loss events timely. Meanwhile, lost packets are stored in each router's cache and will be retransmitted at an adaptive rate based on the detected remaining bandwidth. The simulation shows that PLR can vastly reduce the number of retransmissions on consumers, and the content completion time can be decreased by up to 21.8% compared with the baseline.

Chen He,Jiangtao Luo,Fei Zhang,Zuoqi Jiang,Mengnan Wang

DOI: https://doi.org/10.1109/hoticn.2018.8606005

2018-01-01

Abstract:Named Data Networking (NDN) is regarded as a promising architecture for the future Internet. Due to the characteristics of in-network caching and name-based routing in NDN, access control cannot be tied to a particular location, and traditional channel-based access control mechanisms are no longer viable, which brings a major challenge to the access control enforcement. To enhance content-based access control in NDN, this paper presents a per-packet protection (PPP) scheme based on a combination of public key encryption and symmetric-key cryptography, which adopts one-way hash functions to generate random cipher keys for different data packets. Furthermore, PPP using secret sharing method provides efficient and flexible access control, which supports scalability and collusion resistance. The experimental results prove that our solution introduces acceptable overheads and reduces the computation time at the users.

Jie Li,Huang Lu,Mohsen Guizani

DOI: https://doi.org/10.1109/tpds.2014.2308215

IF: 5.3

2015-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:In Vehicular Ad hoc NETworks (VANETs), authentication is a crucial security service for both inter-vehicle and vehicle-roadside communications. On the other hand, vehicles have to be protected from the misuse of their private data and the attacks on their privacy, as well as to be capable of being investigated for accidents or liabilities from non-repudiation. In this paper, we investigate the authentication issues with privacy preservation and non-repudiation in VANETs. We propose a novel framework with preservation and repudiation (ACPN) for VANETs. In ACPN, we introduce the public-key cryptography (PKC) to the pseudonym generation, which ensures legitimate third parties to achieve the non-repudiation of vehicles by obtaining vehicles' real IDs. The self-generated PKCbased pseudonyms are also used as identifiers instead of vehicle IDs for the privacy-preserving authentication, while the update of the pseudonyms depends on vehicular demands. The existing ID-based signature (IBS) scheme and the ID-based online/offline signature (IBOOS) scheme are used, for the authentication between the road side units (RSUs) and vehicles, and the authentication among vehicles, respectively. Authentication, privacy preservation, non-repudiation and other objectives of ACPN have been analyzed for VANETs. Typical performance evaluation has been conducted using efficient IBS and IBOOS schemes. We show that the proposed ACPN is feasible and adequate to be used efficiently in the VANET environment.

Jian Wang,Jie An,Mingshuai Chen,Naijun Zhan,Lulin Wang,Miaomiao Zhang,Ting Gan

DOI: https://doi.org/10.1007/s11432-019-2644-8

2020-01-01

Science China Information Sciences

Abstract:Software-defined networking(SDN) is a revolutionary technology that facilitates network management and enables programmatically efficient network configuration, thereby improving network performance and flexibility. However, as the application programming interfaces(APIs) of SDN are low-level or functionality-restricted, SDN programmers cannot easily keep pace with the ever-changing devices, topologies, and demands of SDN. By deriving motivation from industry practice, we define a novel network algorithm programming language(NAPL) that enhances the SDN framework with a rapid programming flow from topology-based network models to C++ implementations, thus bridging the gap between the limited capability of existing SDN APIs and the reality of practical network management. In contrast to several state-of-the-art languages, NAPL provides a range of critical high-level network programming features:(1) topology-based network modeling and visualization;(2) fast abstraction and expansion of network devices and constraints;(3) a declarative paradigm for the fast design of forwarding policies;(4) a built-in library for complex algorithm implementation;(5) full compatibility with C++ programming; and(6) userfriendly debugging support when compiling NAPL into highly readable C++ codes. The expressiveness and performance of NAPL are demonstrated in various industrial scenarios originating from practical network management.

Yi Wang,Huichen Dai,Junchen Jiang,Keqiang He,Wei Meng,Bin Liu

DOI: https://doi.org/10.1109/glocom.2011.6134161

2011-01-01

Abstract:Name- based route lookup is a key function for Named Data Networking (NDN). The NDN names are hierarchical and have variable and unbounded lengths, which are much longer than IPv4/6 address, making fast name lookup a challenging issue. In this paper, we propose a parallel architecture for NDN name lookup called Parallel Name Lookup (PNL) which leverages hardware parallelism to achieve high lookup speedup while keeping a low and controllable memory redundancy. The core of PNL is an allocation algorithm that maps the logically tree- based structure to physically parallel modules, with low computational complexity. We evaluate the PNL's performance and show that PNL dramatically accelerates the name lookup process. Furthermore, with certain knowledge of prior probability, the speedup can be significantly improved.

Ludovic Barman,Italo Dacosta,Mahdi Zamani,Ennan Zhai,Apostolos Pyrgelis,Bryan Ford,Joan Feigenbaum,Jean-Pierre Hubaux

DOI: https://doi.org/10.2478/popets-2020-0061

2020-08-17

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Organizational networks are vulnerable to trafficanalysis attacks that enable adversaries to infer sensitive information fromnetwork traffic—even if encryption is used. Typical anonymous communication networks are tailored to the Internet and are poorly suited for organizational networks.We present PriFi, an anonymous communication protocol for LANs, which protects users against eavesdroppers and provides high-performance traffic-analysis resistance. PriFi builds onDining Cryptographers networks (DC-nets), but reduces the high communication latency of prior designs via a new client/relay/server architecture, in which a client’s packets remain on their usual network path without additional hops, and in which a set of remote servers assist the anonymization process without adding latency. PriFi also solves the challenge of equivocation attacks, which are not addressed by related work, by encrypting traffic based on communication history. Our evaluation shows that PriFi introduces modest latency overhead (≈ 100ms for 100 clients) and is compatible with delay-sensitive applications such as Voice-over-IP.

Mubarak Umar,Jiandong Wang,Feng Li,Shuguang Wang,Minggang Zheng,Zhiwei Zhang,Yulong Shen

DOI: https://doi.org/10.1016/j.adhoc.2023.103303

IF: 4.816

2023-09-24

Ad Hoc Networks

Abstract:The high security and low complexity of physical layer authentication (PLA) make it a promising complement for complex cryptographic authentication approaches, especially for Internet of Vehicles (IoV) systems constrained by limited computational capabilities and facing increasing security threats due to the broadcast nature of their communications. However, existing PLA schemes exploiting geographical location information to predict channel characteristics for authentication face the challenge of location falsifying/spoofing attacks. Moreover, they either require cryptographic-based initial authentication or cannot be applied to moving vehicle scenarios. To tackle these challenges, we propose a PLA scheme based on the Gaussian process (GP) regression that jointly considers the location and speed attributes of vehicles to enhance the reliability of authentication in the IoV network. Specifically, the historical channel state information attributes together with the location and speed information of transmitters are utilized to establish a mapping and train a GP model to predict the next legitimate location and speed of a transmitter for authentication. First, for vehicle-to-road side unit (RSU) authentication, the trained GP model is stored on RSU and used to authenticate vehicles entering its vicinity by cross-verifying their reported location and speed information with the ones predicted by the model. Next, for vehicle-to-vehicle authentication, we propose an RSU-assisted authentication, where the RSU in the location shared by two vehicles is used to assist in verifying the validity of their reported location and speed information. Finally, for RSU-to-vehicle authentication, we leverage the path loss and angle of arrival of a signal from RSU to estimate and cross-verify its location. We utilize QuaDRiGa, a quasideterministic radio channel generator to generate realistic channels for experimental validations. The results of simulation tests conducted demonstrated that our approach significantly improves authentication performance compared with the existing approaches.

computer science, information systems,telecommunications

Ruibin Wang,Yihao Ang,Yongpeng Wu,Wenjun Zhang

DOI: https://doi.org/10.1109/iccc62479.2024.10681736

2024-01-01

Abstract:In this paper, we introduce ND-PMAC, a novel medium access control mechanism that merges preamble-based access with the Neighbor Discovery Protocol to foster efficient network management in Power Line Communication (PLC) systems. ND-PMAC enhances network topology by facilitating synchronized route discovery among same-layer nodes, thereby forming a cohesive overlapped clustering architecture. This mechanism significantly contributes to the robustness and scalability of IP-based PLC networks. We elucidate the ND-PMAC networking procedure, specify MAC frame architecture, and unveil the Zero-bit Stuffing Time Slot Scheduling Algorithm, designed to mitigate data frame collisions. Through comparative simulations, ND-PMAC demonstrates a considerable reduction in networking delay and networking control overhead against traditional protocols such as CSMA, P-MAC, and E-PMAC, across varied network configurations.

Sachin Kumar Verma,Abhishek Verma,Avinash Chandra Pandey

DOI: https://doi.org/10.1109/TENSYMP54529.2022.9864545

2023-03-01

Abstract:Low-Power and Lossy Networks (LLNs) run on resource-constrained devices and play a key role in many Industrial Internet of Things and Cyber-Physical Systems based applications. But, achieving an energy-efficient routing in LLNs is a major challenge nowadays. This challenge is addressed by Routing Protocol for Low-power Lossy Networks (RPL), which is specified in RFC 6550 as a "Proposed Standard" at present. In RPL, a client node uses Destination Advertisement Object (DAO) control messages to pass on the destination information towards the root node. An attacker may exploit the DAO sending mechanism of RPL to perform a DAO Insider attack in LLNs. In this paper, it is shown that an aggressive attacker can drastically degrade the network performance. To address DAO Insider attack, a lightweight defense solution is proposed. The proposed solution uses an early blacklisting strategy to significantly mitigate the attack and restore RPL performance. The proposed solution is implemented and tested on Cooja Simulator.

Cryptography and Security,Networking and Internet Architecture

Guoqiang Zhang,Mingwei Xu,Jiang Li

DOI: https://doi.org/10.1109/IPCCC50635.2020.9391537

2020-01-01

Abstract:The Border Gateway Protocol (BGP) is the de facto standard interdomain routing protocol. A major problem affecting the operation of BGP is its failure to provide security guarantees. Despite some high-profile security extensions proposed, none of them has been largely deployed by Autonomous Systems (AS) in the global Internet. Previous studies show that three main factors hinder the adoption of BGP security solutions: limited benefits in partial deployment, computational overheads, and the trouble of coordinating among tens of thousands of independent ASes. In this paper, we present Neighbor Routes Validator (NRV), a lightweight prototype system of BGP security enhancement. Instead of depending on a single centralized authority, NRV focuses on neighboring ASes' self-driven collaborations that significantly reduce the scale of coordination. It aims to address real-world security issues of BGP and uses the privacy-preserving capability of Secure Multi-Party Computation (SMPC) to dispel ASes' privacy concerns. Security analyses and simulations demonstrate the feasibility of NRV, and we also argue that network operators have incentives to deploy it after weighing the pros and cons.

S. Remya,Manu J. Pillai,C. Arjun,Somula Ramasubbareddy,Yongyun Cho

DOI: https://doi.org/10.1109/access.2024.3391918

IF: 3.9

2024-05-03

IEEE Access

Abstract:An extensive worldwide network known as the Internet of Things (IoT) links different electronic devices and facilitates easy communication and group work. This interdependency is especially apparent in Low Power and Lossy Networks (LLNs), where resource-constrained devices adhere to specified protocols for effective communication. Such systems frequently use Routing Protocol for LLNs (RPL). Nevertheless, due to its basic simplicity, there are numerous ways to exploit it, thereby compromising network security. It is also difficult to carry out complex computational operations on LLNs due to their resource constraints. A highly developed system called the Trust-Based Intrusion Detection System for RPL (TIDSRPL) is presented in this research study. Complex trust computations are offloaded to the root node by TIDSRPL, which assesses node trust based on network behavior. Reduce the possibility of resource depletion with this strategic transfer that preserves energy, storage, and computational resources at the node level. Comparative analysis with the default RPL Objective Function (OF), MRHOF-RPL, demonstrates TIDSRPL's superior efficacy in detecting and isolating malicious nodes engaged in Sinkhole, Selective forwarding, and Sybil attacks. Notably, TIDSRPL exhibits a 20-35% reduction in average packet loss ratio and attains 33-45% greater energy efficiency compared to MRHOF-RPL, reinforcing its robustness in securing LLN operations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Songtao Fu,Qi Li,Min Zhu,Xiaoliang Wang,Su Yao,Yangfei Guo,Xinle Du,Ke Xu

DOI: https://doi.org/10.1109/iwqos52092.2021.9521345

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The source and path verification in Path-Aware Networking considers the two critical issues: (1) end hosts could verify that the network follows their forwarding decisions, and (2) both on-path routers and destination host could authenticate the source of packets and filter the malicious traffic. Unfortunately, the state-of-the-art mechanisms require heavy communication overhead in the network and computation overhead in the router; moreover, it is difficult to meet the dynamic requirements of the end host. We propose a user-driven mechanism, source and path verification based on Multi-AS-Key (MASK). MASK decreases the communication overhead by a short additional packet header and reduces the computation overhead by separating the control and data plane in terms of the cryptographic operation. Furthermore, it utilizes the stateful user to instruct the stateless routers to process the packet with a user-driven policy, thus satisfying the user’s requirements such as detecting the packet drop and replay attack. With the plausible design, the communication overhead for realistic path lengths is 1/2 to 1/10 compared with the state-of-the-art mechanisms. We implement MASK in the BMv2 environment and commodity Barefoot Tofino programmable switch, testify that MASK introduces significantly less overhead than the state-of-the-art mechanisms, and demonstrate that MASK could achieve the verification in the programmable switch at line rate.

Mubarak Umar,Jiandong Wang,Hafsa Kabir Ahmad,Shuangrui Zhao,Feng Li,Shuguang Wang,Minggang Zheng,Yulong Shen,Zhiwei Zhang,Xin Guo

DOI: https://doi.org/10.1016/j.vehcom.2023.100708

IF: 6.7

2023-12-06

Vehicular Communications

Abstract:The Internet of Vehicles (IoV) systems improve road safety through coordination among vehicles, but they are vulnerable to impersonation attack due to their broadcast communication nature. Existing cryptographic authentication approaches are complex for resource-limited IoV devices, which motivated the development of less complex Physical Layer Authentication (PLA) approaches. However, the existing PLA approaches use all channel attributes for all communication scenarios and do not update reference attributes used to authenticate newly observed attributes during authentication, which leads to poor performance when the attributes become insensitive to communication scenarios. To address these limitations, we propose a multiple attributes-based PLA scheme that flexibly selects effective attributes according to current communication scenarios for improved authentication. First, the historical channel attributes including the ricean K-Factor (KF), the Delay Spread (DS), and the Azimuth Spread of Arrival (ASA) together with the communication scenarios (i.e., Line-of-Sight (LoS) and Non-Line-of-Sight (NLoS)) information of transmitters are used to establish a relationship and train a Long Short-Term Memory (LSTM) neural network to identify current communication scenarios. The softmax function is then used to evaluate the scenario identification performance of each attribute and the attributes with maximum softmax values are dynamically selected for authentication. Second, to track and update the reference attributes, we use the historical attributes together with the past location and communication scenarios information of transmitters and train our model to predict future attributes for authentication. Finally, we use the Euclidean distance to measure the similarity between the selected and the predicted attributes to authenticate the transmitters. We validate the effectiveness of our approach and compare its performance with the existing methods through extensive simulations using realistic radio channel characteristics generated from the Quasi Deterministic Radio channel Generator (QuaDRiGa) platform. The results of the evaluation show that our system improves authentication performance and its false alarm and miss detection are respectively 19.19% and 52% lower than the existing approaches.

telecommunications,transportation science & technology

Xiaodong Wang,Ye Tian,Min Zhao,Mingzheng Li,Lei Mei,Xinming Zhang

DOI: https://doi.org/10.1016/j.comnet.2018.09.018

IF: 5.493

2018-01-01

Computer Networks

Abstract:Protocol-Oblivious Forwarding (POF) is a groundbreaking technology that enables a protocol-independent data plane for the future Software-Defined Networking (SDN). Compared to OpenFlow and P4, POF provides more generality and flexibility in the data plane, but at a cost of additional complexity in the control plane. To overcome such complexity, in this paper we present PNPL, the first control plane programming framework over the POF SDN data plane. PNPL provides an easy-to-use programming paradigm that includes a header specification language and a set of protocol-agnostic programming APIs. With PNPL, a programmer can arbitrarily define network protocols, and compose network policies over the self-defined protocols with high-level abstractions. PNPL’s runtime system takes the user program as input, automatically produces and maintains forwarding pipelines in POF switches. The pipeline efficiently parses the self-defined protocol headers and enforces the programmer’s network policy. We have implemented a PNPL prototype, and experiment with existing and novel protocols and a number of network applications. We show that PNPL can effectively facilitate network innovations by simplifying programming over novel protocols, producing and maintaining forwarding pipelines of high quality; compared to P4, PNPL does not require a device configuration phase, and improves network performance by significantly reducing the packet parsing overhead.

Long Li,Chingfang Hsu,Man Ho Au,Jianqun Cui,Lein Harn,Zhuo Zhao

DOI: https://doi.org/10.1109/tifs.2024.3477305

IF: 7.231

2024-10-22

IEEE Transactions on Information Forensics and Security

Abstract:The vehicular ad hoc network (VANET) is a basic component of intelligent transportation systems. Due to the growing security and privacy-preserving requirements of the VANET, a lot of conditional privacy-preserving authentication (CPPA) protocols have been proposed in recent years. Unfortunately, the traditional CPPA protocols, which are based on a trusted authority (TA) and rely solely on classical mathematical problems, cannot resist quantum attacks. Moreover, these protocols do not take into account the increasingly complex traffic flow in the VANET and cannot utilize fog nodes (FNs) to assist in the TA's authentication work. In this paper, we design a lattice-based and fog-assisted conditional privacy-preserving authentication (LFCPPA) protocol to solve the above challenges. Compared to existing solutions, we have made the following improvements. First, our protocol is resistant to quantum attacks. Second, the solution supports batch processing of signature verification and mutual authentication of identity between the TA / FNs and vehicles. Third, in our design, FNs reduce the computing pressure of the TA to improve the efficiency of the system. In addition, we demonstrate the security of the protocol under the random oracle model with provable security. Finally, the efficiency and security of this scheme are better than similar solutions. Specifically, compared with the latest scheme, in terms of computational cost, our scheme is reduced by 74.47%, 85.58%, 19.69%, and 85.90% in the four stages of the protocol. Meanwhile, in terms of communication cost, our protocol reduces it by 89.98%.

computer science, theory & methods,engineering, electrical & electronic

YN Kou,ZZ Li,ZG Liao

DOI: https://doi.org/10.1109/icapp.2002.1173598

2002-01-01

Abstract:As a new programmable network architecture, the active network supports the development, verification and deployment of new network protocols and services. It is not used widely as we expected. The main reason is that its security has not been resolved. We introduce an active network security prototype designed by a pluggable module. It implements three aspects of security, including cryptography and digital signatures; authentication and authorization; revocation; etc. Especially, cryptography solves the integrity and confidentiality of active codes, and the decode mode implements cryptography's replacement and extensibility. Our system is dual nonrepudiation on both. Nonrepudiation on both is that the sender cannot deny that he sends the message; dual nonrepudiation means that nonrepudiation has been done in digital signature authentication and authorization authentication. The section of revocation designed according to the active network guarantees the validity of active code's execution. We measured latency and throughput of the experimental active network on two services: a prototype for active networks, a prototype of security for active networks. In fact, the security techniques applied in our system have little influence on the latency and throughput of active networks.