朱建新,杨小虎

DOI: https://doi.org/10.3969/j.issn.1001-3695.2001.12.004

2001-01-01

Abstract:Network security is an important research area in the application of information system now,How to implement effective access control based on user's identity is very important. This paper briefly introduces the concept and technology of authentication first,and analyze the technology of biometric identification,then points out that fingerprint-based biometric identification in networking environment combining data transfer encrypt is a reliable method for control user's access and protect information system,and describes the design and implementation of fingerprint-based authentication system in networking environment.

Yuanchao Shu,Yu Gu,Jiming Chen

DOI: https://doi.org/10.1109/MASS.2012.6502522

2012-01-01

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges can not be transferred among trusted users. In this work, we introduce a sensory-data-enhanced authentication for access control systems. By combining sensory-data obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss and stolen. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with simple sensor data and empirically demonstrate simple rotations can increase key space by more than 30, 000 times with an authentication accuracy of 95%. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Yuanchao Shu,Jiming Chen,Fachang Jiang,Yu Gu,Zhiyu Dai,Tian He

DOI: https://doi.org/10.1145/2070942.2071025

2011-01-01

Abstract:To bridge the gap between insufficiency of existing proximity authentication solutions and the increasing demand of high security guarantee for access control systems, we develope a WISP-based access control system combing electronic and mechanical authentication methods. In our authentication, encryption complexity is changeable and trusted users can share privileges with each other. During experiments, our system has achieved 95% authentication accuracy rate with up to 3 different users.

Namin Hou,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ICCCS61882.2024.10603286

2024-01-01

Abstract:The advancement of Fifth-Generation (5G) technology has greatly enriched individuals' access to a broad array of convenient services, offering significant benefits in mobile communications, autonomous driving, smart homes, and the Internet of Things. However, with the increase in the number of network access devices, large and frequent data interactions have brought potential security risks to wireless networks, which are related to user privacy security, traffic safety, and even social security. Malicious intrusions targeting wireless communications have resulted in significant disruptions and incurred substantial losses. Presently, user identities in wireless communications rely on software-based data identifiers, which can be forged easily. This paper proposes a hardware-level device authentication mechanism that uses the intrinsic hardware characteristics of the transmitter (shown as impairments in the radio signal of the transmission link) for identity authentication. The resulting fingerprint is naturally distinctive and highly resistant to counterfeiting attempts. We use 5 devices across different models and 10 devices of the same model for experimental evaluation. Then we apply machine learning algorithms to construct a fingerprint database and device authentication, achieving an average of 82.4% precision, 89.9% recall, and 85.9% F1-score, which can help to safeguard the security of 5G communication.

Jiaqi Liu,Aiqun Hu,Sheng Li

DOI: https://doi.org/10.1109/csp55486.2022.00027

2022-01-01

Abstract:In the local area network (LAN) system, most terminals are connected to edge switches through fast or gigabit Ethernet connections. The terminal access security problem has always been a key concern. This paper proposes a method of Ethernet card fingerprint extraction and identification based on spectrum characteristics, which solves the problem of illegal terminal access with counterfeit media access control (MAC) addresses. The extracted Ethernet card fingerprint is used as the identity of the terminal, which is unique and difficult to be counterfeited. The frequency-domain features of the signals can be extracted by analyzing the Ethernet card signals of wired terminals received by the switch. The dimension of these features is reduced to obtain their Ethernet card fingerprints, which can be effectively classified and identified. In the classification and recognition experiments on 7 Ethernet cards of 100M produced by the same manufacturer, 26 Ethernet cards by different manufacturers, and 65 Ethernet cards by mixed manufacturers, all Ethernet cards can achieve an accuracy of 100%. This method can be widely used for identity authentication during the access and connection of terminals and provides a secure access control scheme.

Caidan Zhao,Minmin Huang,Lianfen Huang,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1016/j.comnet.2017.05.028

IF: 5.493

2017-01-01

Computer Networks

Abstract:The increasing demand for different types of wireless communication services and the advanced wireless technology has led to the presence of emerging networks. However, wireless communication allows attackers to send useless information into the network through the process of multi-hop transmission, which results in the forwarding of many invalid data and the consumption of energy. To address this, the network needs effective identity authentication. In this paper, we propose a new robust authentication algorithm based on the phase noise fingerprint of the physical-layer (PHY). Furthermore, we propose a security authentication scheme of combined PHY fingerprints to ensure the survivability of the network in the presence of attacks or intrusions. The experimental results show that the identification rate of the simple multiple kernel learning (SimpleMKL) reaches 98.25%, and the scheme is robust against malicious nodes and efficient with low computation and storage.

Haijiang Xie,Jizhong Zhao

DOI: https://doi.org/10.1007/s12083-014-0287-x

IF: 3.488

2014-01-01

Peer-to-Peer Networking and Applications

Abstract:The state of art authentication schemes are tightly linked with encryption or crypto systems, which provides concrete foundations to move towards the concept of access control by confirming the user identity. However the openness of the computer network makes the identity credentials vulnerable even transmitted as cipher text especially in lots of peer-to-peer (P2P) networks. The malicious attackers can possibly steal and fake the user identity by eavesdropping, hijacking, cryptanalysis and forging. In this paper, a novel identity authentication mechanism is proposed based on the reverse usage of the Network Covert Channel (NCC) which is originally designed by attackers to create stealth communication. Different from NCC, where the packet intervals can be exploited as the data carrier to transmit the unauthorized information, we exploit such capability in Network-Covert-Channel-based Identity Authentication (NCCIA) to transmit the identity tag. By validating user identity in a covert manner, we provide a more secure authentication method compared with many existing approaches. A NCCIA demo system is designed on a FTP Platform to verify our method. The experiments demonstrate the NCCIA can prevent the attackers from eavesdropping while maintaining transmission efficiency.

Sheng Li,Aiqun Hu,Jiaqi Liu,Jiabao Yu

DOI: https://doi.org/10.1109/cecit53797.2021.00039

2021-01-01

Abstract:Access control is a common part of network security measure. However, the existing access control mechanism is mostly limited to distinguish users based on digital authentication methods such as MAC addresses, which are vulnerable to forgery and counterfeiting attacks. Using distinguishable physical-layer (PHY) based on fingerprints from devices and MAC-based ID verification is a popular method for enhancing network security. Extracting device finger-prints is the crucial step in this enhanced security method. In this paper, different from the existing fingerprint extraction method based on the preamble, we propose an adaptive filter-based method of fingerprint extraction. The method utilizes more signal regions to extract finer fingerprints, which is not limited to the preamble. Our results show that with a filter order of 65 and 20 times averaging, among 13 devices can be classified with 98% accuracy under the Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) classifier.

Tu Rui,Su Jinshu,Chen Feng

DOI: https://doi.org/10.1109/nas.2009.34

2009-01-01

International Journal of Communications Network and System Sciences

Abstract:Legacy IP address-based access control has met many challenges, because the network nodes cannot be identified accurately based on their variable IP addresses. “Locator/Identifier Split” has made it possible to build a network access control mechanism based on the permanent identifier. With the support of “Locator/Identifier Split” routing and addressing concept, the Identifier-based Access Control (IBAC) makes network access control more accurate and efficient, and fits for mobile nodes’ access control quite well. Moreover, Self-verifying Identifier makes it possible for the receiver to verify the packet sender’s identity without the third part authentication, which greatly reduces the probability of “Identifier Spoofing”.

Qiang Huang,Yubo Song,Junjie Yang,Ming Fan,Aiqun Hu

DOI: https://doi.org/10.1109/CIRSYSSIM.2019.8935595

2019-01-01

Abstract:The rapid growth of the Internet of Things (IoT) is enhancing customers' experience with an ever-increasing mass of intelligent devices. However, the security doesn't get enough attention compared with novel concepts and features by manufactures which even not provide service of updates and patches. These issues could have been mitigated by the mechanism of the network access control. But traditional authentication mechanisms based on computational complexity of cryptographic protocols cannot be implemented on IoT devices with limited physical and computational resources. Therefore, we turn our attention to the device fingerprint which is like a biometric fingerprint that be able to provide identity authentication. The fingerprint proposed in this paper generated by network traffic features divided into the packet-feature and the IAT-feature. These features are extracted from the traffic when the device is booted, because at this time the device's network behavior is stable compared to other times. Experiments illustrate that the average identification accuracy of our device fingerprint reaches 92.4%.

Ping Zhang,Yanan Pei

DOI: https://doi.org/10.1109/ICBECS.2010.5462322

2010-01-01

Abstract:In this paper, a method of identity authentication based on USB and User Access-Control Table (UAT) applied in local area network (LAN) is proposed. UAT is a kind of equipment access control technology. With the development of LAN, it realizes the privilege management at small cost. Authentication mechanism is illuminated when users accessing the network terminal by a USB key. The security of LAN is enhanced by using the method of identity authentication based on USB and UAT.

Fei-yi XIE,Yu-shan LI,Song-lin CHEN,Hong WEN

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.01.022

2017-01-01

Abstract:Access security of wireless device is a great challenge to wireless communication networks, especially for RFID and some other devices with limited computing power, which are faced with effective high-strength security challenges, and as an important non-cryptographic authentication technology, radio frequency fingerprint recognition technology, for its full use of non-imitation radio frequency characteristics, attracts more and more attention. The generation mechanism of radio frequency fingerprint and the basic model of recognition system are described, and several new methods for radio frequency fingerprint recognition also analyzed. In addition, the existing problems of radio frequency fingerprint recognition technology and the research direction of further improvement are pointed out.

CAO Jin,CHEN Lilan,MA Ruhui,LI Hui,LI Fenghua

DOI: https://doi.org/10.11959/j.issn.2096-8930.2021026

2021-01-01

Abstract:With the maturity of the key technologies of the new spectrum of the network, the network can accommodate users of various frequency bands.In order to make eff ective use of resources, diff erentiated terminals need targeted and customized security protection mechanisms.In the unifi ed network architecture, three access authentication mechanisms were proposed for common terminals, high-speed terminals and Ka terminals.At the same time, in order to ensured that diff erent types of terminals could still obtain continuous network services after accessing the network, a switching authentication mechanism based on pre-switching was proposed to provided unifi ed security switching services for the three types of terminals.Formal verifi cation tool named Scyther and informal security analysis results showed that the proposed scheme meet a variety of security requirements of the proposed scenario.At the same time, compared with the same type schemes, the proposed scheme can achieve the eff ective balance between security and performance, which can meet multidimensional integration of heaven and earth network of the scene terminal access switch and certifi cation requirements.

Zhen Chen,Fa-Chao Deng,An-An Luo,Xin Jiang,Guo-Dong Li,Run-hua Zhang,Chuang Lin

DOI: https://doi.org/10.1109/wcins.2010.5541863

2010-01-01

Abstract:Traditional NAC system in enterprise network is in coarse granularity (e.g. IP or MAC address) and lack of flexibility. Recently the demand in tight control of the enterprise network to defense the misuse and security issues become more and more urgent. Based on the TCG TNC standard, an application level network access control mechanism is proposed and implemented. With TNC client/server model in hand, a client is designed to enhance TNC client with the function of host flow controller (HFC), and intercepts each application network access request(ANAR) and transfer it to PDP server to authorize the access request. When a sensor (i.e. intrusion detection system) detects any malicious traffic, host flow controller and network flow controller can identify the application that origins this traffic by querying Metadata Access Point (MAP) server and block this application's network access. A prototype system is implemented to demonstrate the design and can be used to defense the anomaly network behaviors. The prototype system demonstrates that the hosts, switches, firewalls and IDS can work together to detect, diagnose and protect enterprise network from the malicious applications attack initiated inside or outside of an enterprise network, quarantine unhealthy hosts and make the enterprise network more reliable and trustworthy.

Xiaozhong Hu,Aiqun Hu,Jiabao Yu,Yanjun Ding,Hongxing Hu,Peng Guo

DOI: https://doi.org/10.1109/ICCECE58074.2023.10135443

2023-01-01

Abstract:With the development of science and technology, the electronic control unit (ECU) equipment has gradually become complex, and the security of the controller area network (CAN) bus protocol as the standard protocol for ECU communication has also been higher. In recent years, researchers have conducted extensive research on the security of the CAN bus, such as the anti-counterfeiting attack mechanism based on intrusion detection technology and the authentication code technology, which has improved the security of the CAN bus. However, directly modifying the CAN protocol itself based on intrusion detection technology will cause insufficient backward compatibility and a large number of devices cannot be reused; The authentication code-based approach cannot trace the origin of counterfeit devices and forensic evidence of attack devices, so further improvements are needed. In view of the above two problems, this paper proposes a CAN terminal anti-counterfeiting attack method based on physical fingerprint, which calculates the autocorrelation difference between the collected original signal and the calculated reconstructed signal, and obtains the physical fingerprint of the device as the basis for CAN terminal identity authentication, thereby achieving anti-counterfeiting attack. In this paper, 30 CAN terminals are used to experimentally verify the method in this paper, collect and transmit random data and transfer fixed data CAN frames to form two sets of data sets, and train and test using linear discriminant models, and the final model can identify the device identity rate on the two data sets up to 99%.

Bingcheng Jiang,Qian He,Mingliu He,Zhongyi Zhai,Baokang Zhao

DOI: https://doi.org/10.1155/2023/6013270

IF: 1.968

2023-01-01

Security and Communication Networks

Abstract:Physical terminals provide network services to upper-layer applications, but their limited memory and processing power make it challenging to perform security updates and patches, leaving them vulnerable to known security threats. Attackers can exploit these weaknesses to control the terminals and attack the network. To restrict unauthorized access to the network and its resources, appropriate access control mechanisms are necessary. In this paper, we propose a fine-grained access control method based on smart contracts (FACSC) for terminals in software-defined networking (SDN). FACSC utilizes the attribute-based access control (ABAC) model to achieve fine-grained control over terminal access networks. To ensure the security and reliability of access control policies and terminal-related attribute information, we utilize smart contract technology to implement the ABAC model. Furthermore, we leverage the programming protocol-independent packet processor (P4) to filter and forward packets in the data plane based on the packet option field, enabling rapid terminal access. Experimental results show that our proposed method achieves fine-grained secure authentication of terminals in SDN networks with a low authentication processing overhead.

Ruiqi Kong,He Chen

2023-08-01

Abstract:This paper presents a new radiometric fingerprint that is revealed by micro-signals in the channel state information (CSI) curves extracted from commodity Wi-Fi devices. We refer to this new fingerprint as "micro-CSI". Our experiments show that micro-CSI is likely to be caused by imperfections in the radio-frequency circuitry and is present in Wi-Fi 4/5/6 network interface cards (NICs). We conducted further experiments to determine the most effective CSI collection configuration to stabilize micro-CSI. To extract micro-CSI from varying CSI curves, we developed a signal space-based extraction algorithm that effectively separates distortions caused by wireless channels and hardware imperfections under line-of-sight (LoS) scenarios. Finally, we implemented a micro-CSI-based device authentication algorithm that uses the k-Nearest Neighbors (KNN) method to identify 11 COTS Wi-Fi NICs from the same manufacturer in typical indoor environments. Our experimental results demonstrate that the micro-CSI-based authentication algorithm can achieve an average attack detection rate of over 99% with a false alarm rate of 0%.

Signal Processing,Cryptography and Security

Chengchen Zhu,Kunling Li,Jianan Hong,Cunqing Hua,Futai Zou

DOI: https://doi.org/10.1109/icc51166.2024.10622361

2024-01-01

Abstract:The technology development of wireless communication has brought about the rapid growth of various wireless devices, but also brings in many security threats. This paper focuses on the security and privacy problems in wireless authentication and proposes a novel authentication scheme based on the design of reusable fuzzy extractor (RFE) for device's radio frequency (RF) fingerprinting. Firstly, unlike the traditional authentication protocol, our scheme can accomplish the mutual authentication without the storage of long-term secret key, thus tackles with the key-compromise threats. Furthermore, although the scheme authenticates devices based on their RF fingerprint, it does not store RF fingerprinting information explicitly to safeguard it from eavesdroppers who may use it to impersonate the identity of valid users. Finally, our designed protocol relies on the correspondent peer to measure the fingerprint, rather than the device itself, thus is more secure against various adversaries. The security analysis shows the resiliency against theft of secret keys, wireless channel attacks and privacy disclosure. And the performance evaluation demonstrates that the design of RFE for device's RF fingernrinting is efficient in terms of recognition accuracy.

Kaiping Xue,Xiang Zhang,Qiudong Xia,David S. L. Wei,Hao Yue,Feng Wu

DOI: https://doi.org/10.1109/tnet.2019.2914189

2018-01-01

Abstract:Information centric networking (ICN) has been regarded as an ideal architecture for the next-generation network to handle users' increasing demand for content delivery with in-network cache. While making better use of network resources and providing better service delivery, an effective access control mechanism is needed due to the widely disseminated contents. However, in the existing solutions, making cache-enabled routers or content providers authenticate users' requests causes high computation overhead and unnecessary delay. Also, the straight-forward utilization of advanced encryption algorithms makes the system vulnerable to DoS attacks. Besides, privacy protection and service accountability are rarely taken into account in this scenario. In this paper, we propose SEAF, a secure, efficient, and accountable edge-based access control framework for ICN, in which authentication is performed at the network edge to block unauthorized requests at the very beginning. We adopt group signature to achieve anonymous authentication and use hash chain technique to reduce greatly the overhead when users make continuous requests for the same file. At the same time, we provide an efficient revocation method to make our framework more robust. Furthermore, the content providers can affirm the service amount received from the network and extract feedback information from the signatures and hash chains. By formal security analysis and the comparison with related works, we show that SEAF achieves the expected security goals and possesses more useful features. The experimental results also demonstrate that our design is efficient for routers and content providers and bring in only slight delay for users' content retrieval.