Lawrence Tandoh,Li Fagen,Ali Ikram,Haruna Charles R.,Kpiebaareh Michael Y.,Christopher Tandoh

DOI: https://doi.org/10.1007/s11235-021-00842-6

2021-01-01

Telecommunication Systems

Abstract:One of the major security threats that plague network coding are pollution attacks. Therefore, the ability to authenticate the contents of received packets is a vital requirement of all network coding authentication schemes. One of the most famous cryptographic approaches used to mitigate data and tag pollution in network coding are homomorphic message authentication codes (HMACS). In this approach, authentication is achieved by appending one or more HMAC tag vectors and in some cases a homomorphic cryptographic signature to the packet payload. Two major concerns arise when designing authentication schemes for network coding. These are the costs associated with the communication and computational overheads. These two factors determine the efficiency and practicality of the scheme. Unfortunately, in most cases, lowering one of the costs results in an increase in the other. In this paper we propose an efficient data and tag pollution immune authentication scheme based on HMACs and a homomorphic cryptographic signature. In our evaluation of the performance of the proposed scheme we compared it with three other similar state of the art schemes. The result of our evaluation showed that the proposed scheme incurs a computational overhead that is up to 64–97% lower at the source and non-source nodes. The proposed scheme also fairs well with respect to communication overhead where it is only outperformed by one of the three schemes. This difference however is minute (one symbol) and is greatly outweighed by the proposed schemes lower computational overhead.

Tandoh Lawrence,Fagen Li,Ikram Ali,Michael Y. Kpiebaareh,Charles R. Haruna,Tandoh Christopher

DOI: https://doi.org/10.1016/j.sysarc.2021.102051

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:Authentication schemes based on homomorphic message authentication codes (HMACs) with or without a homomorphic cryptographic signature (HCS) have always played a vital role in network coding (NC). A newly developing trend with respect to research in this area takes authentication in NC-compatible networks beyond error detection. Current HMAC-based authentication schemes for networks that support NC not only detect and drop corrupted packets but also identify the rogue nodes that begun the attack. However, in order to completely optimize the performance of an NC-enabled network, nodes that identify corrupted packets should also be able to correct the errors. Doing this eliminates the communication cost associated with the need for re-transmission and improves throughput. In this paper we propose what to the best of our knowledge is the first of such HMAC-based authentication schemes. Like all current state of the art HMAC-based authentication schemes, the proposed scheme is able to identify pollution attacks and the nodes that launched them. Furthermore, the proposed scheme is also able to correct the corruption. This according to our evaluation improves the throughput of the network when compared to other similar state of the art schemes that do not possess this feature.

Tandoh Lawrence,Ikram Ali,Tandoh Christopher,Fagen Li

DOI: https://doi.org/10.1016/J.JISA.2020.102658

2020-01-01

Abstract:Abstract Pollution attacks in network coding result in the waste of bandwidth and computational resources. Several homomorphic message authentication code (HMAC) and signature-based schemes have been proposed to mitigate such attacks. In these schemes, authentication is achieved by appending several HMAC tags with or without a signature to the packet payload. This approach negatively affects the throughput as well as the communication overhead incurred by such schemes. A phenomenon determined by a property we dubbed as the admissible payload rate (APR). In this paper we propose an HMAC and signature-based authentication scheme that addresses the afore mentioned problems. It achieves this by reducing the number of symbols needed to represent a packet. We evaluated the performance of our scheme and compared our findings to the performance of similar, state of the art authentication schemes. Our comparisons revealed that the proposed scheme incurred a negligible percentage gain in computational complexity. However, with no extra key storage overhead, and without sacrificing security, our scheme achieved a significant percentage reduction in communication overhead. The above mentioned favorable characteristics make our scheme an ideal and practical authentication solution for networks where bandwidth is a constraint or an optimal throughput is a requirement.

Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Frederique Oggier,Hanane Fathi

DOI: https://doi.org/10.48550/arXiv.0909.3146

2009-09-17

Abstract:Systems exploiting network coding to increase their throughput suffer greatly from pollution attacks which consist of injecting malicious packets in the network. The pollution attacks are amplified by the network coding process, resulting in a greater damage than under traditional routing. In this paper, we address this issue by designing an unconditionally secure authentication code suitable for multicast network coding. The proposed scheme is robust against pollution attacks from outsiders, as well as coalitions of malicious insiders. Intermediate nodes can verify the integrity and origin of the packets received without having to decode, and thus detect and discard the malicious messages in-transit that fail the verification. This way, the pollution is canceled out before reaching the destinations. We analyze the performance of the scheme in terms of both multicast throughput and goodput, and show the goodput gains. We also discuss applications to file distribution.

Information Theory,Cryptography and Security

Man Liang,Haibin Kan

DOI: https://doi.org/10.1587/transfun.e96.a.1889

2013-01-01

Abstract:Wireless sensor network (WSN) using network coding is vulnerable to pollution attacks. Existing authentication schemes addressing this attack either burden the sensor node with a higher computation overhead, or fail to provide an efficient way to mitigate two recently reported attacks: tag pollution attacks and repetitive attacks, which makes them inapplicable to WSN. This paper proposes an efficient hybrid cryptographic scheme for WSN with securing network coding. Our scheme can resist not only normal pollution attacks, but the emerging tag pollution and repetitive attacks in an efficient way. In particular, our scheme is immediately suited for distributing multiple generations using a single public key. Experimental results show that our scheme can significantly improve the computation efficiency at a sensor node under the two above-mentioned attacks.

Peng Zhang,Yixin Jiang,Chuang Lin,Hongyi Yao,Albert Wasef,Xuemin Shen

DOI: https://doi.org/10.1109/INFCOM.2011.5934876

2011-01-01

Abstract:Network coding provides a promising alternative to traditional store-and-forward transmission paradigm. However, due to its information-mixing nature, network coding is notoriously susceptible to pollution attacks: a single polluted packet can end up corrupting bunches of good ones. Existing authentication mechanisms either incur high computation/bandwidth overheads, or cannot resist the tag pollution proposed recently. This paper presents a novel idea termed “padding for orthogonality” for network coding authentication. Inspired by it, we design a public-key based signature scheme and a symmetric-key based MAC scheme, which can both effectively contain pollution attacks at forwarders. In particular, we combine them to propose a unified scheme termed MacSig, the first hybrid-key cryptographic approach to network coding authentication. It can thwart both normal pollution and tag pollution attacks in an efficient way. Simulative results show that our MacSig scheme has a low bandwidth overhead, and a verification process 2-4 times faster than typical signature-based solutions in some circumstances.

Peng Zhang,Chuang Lin

DOI: https://doi.org/10.1007/978-3-319-31083-1_3

2016-01-01

Abstract:As is introduced in Chap. 2, network coding is notoriously susceptible to pollution attacks: a single polluted packet can end up corrupting bunches of good ones. The mechanisms that we introduced previously either incur high computation/bandwidth overheads or cannot resist the tag pollution proposed recently. This chapter will present a novel idea termed padding for orthogonality for network coding authentication. Inspired by it, we design a public key-based signature scheme and a symmetric key-based MAC scheme, which can both effectively contain pollution attacks at forwarders. In particular, we combine them to propose a unified scheme termed MacSig, the first hybrid key cryptographic approach to network coding authentication. It can thwart both normal pollution and tag pollution attacks in an efficient way. Simulative results show that our MacSig scheme has a low bandwidth overhead and a verification process 2-4 times faster than typical signature-based solutions in some circumstances.

Anh Le,Athina Markopoulou

DOI: https://doi.org/10.48550/arXiv.1102.3504

2011-09-16

Abstract:Intra-session network coding is known to be vulnerable to pollution attacks. In this work, first, we introduce a novel homomorphic MAC scheme called SpaceMac, which allows an intermediate node to verify if its received packets belong to a specific subspace, even if the subspace is expanding over time. Then, we use SpaceMac as a building block to design a cooperative scheme that provides complete defense against pollution attacks: (i) it can detect polluted packets early at intermediate nodes and (ii) it can identify the exact location of all, even colluding, attackers, thus making it possible to eliminate them. Our scheme is cooperative: parents and children of any node cooperate to detect any corrupted packets sent by the node, and nodes in the network cooperate with a central controller to identify the exact location of all attackers. We implement SpaceMac in both C/C++ and Java as a library, and we make the library available online. Our evaluation on both a PC and an Android device shows that (i) SpaceMac's algorithms can be computed quickly and efficiently, and (ii) our cooperative defense scheme has low computation and significantly lower communication overhead than other comparable state-of-the-art schemes.

Cryptography and Security,Networking and Internet Architecture

Xiaohu Wu,Yinlong Xu,Liping Xiang,Wei Xu

DOI: https://doi.org/10.1109/ISNETCOD.2011.5979070

2011-01-01

Abstract:Network coding allows intermediate nodes to encode data packets, which increases network throughput and enhances robustness. However, once a node injects corrupted data blocks into a network, the polluted data blocks will propagate quickly with network coding. Based on linear subspace and key pre-distribution, this paper proposes a HYBRID scheme against pollution attacks to network coding. Some typical properties of HYBRID are: (1) all nodes are able to detect polluted data blocks; (2) it prevents tag pollution attacks; (3) It does not need a very large field to implement and is computationally efficient; (4) It does not need a time synchronization of all nodes in a network and the correctness of each data packet can be verified immediately when it arrives at a node.

Wu Chi,Huang Cheng,Huang Xiaotao

DOI: https://doi.org/10.1109/ICIS.2012.5

2012-01-01

Computer and Information Science

Abstract:The network coding usually suffers from pollution attacks. Two schemes against pollution attacks are discussed in this paper, based on linear space signature and information theory, respectively. Pollution attacks detection algorithm of information theory based scheme is improved. The time consumptions of two schemes under different conditions of file size and data segmentation size are compared, and then a new scheme combining linear space signature and with information theory is provide to fight pollution attacks.

Xiaohu Wu,Yinlong Xu,Chau Yuen,Liping Xiang

DOI: https://doi.org/10.1109/tpds.2013.24

IF: 5.3

2013-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Network coding allows intermediate nodes to encode data packets to improve network throughput and robustness. However, it increases the propagation speed of polluted data packets if a malicious node injects fake data packets into the network, which degrades the bandwidth efficiency greatly and leads to incorrect decoding at sinks. In this paper, insights on new mathematical relations in linear network coding are presented and a key predistribution-based tag encoding scheme KEPTE is proposed, which enables all intermediate nodes and sinks to detect the correctness of the received data packets. Furthermore, the security of KEPTE with regard to pollution attack and tag pollution attack is quantitatively analyzed. The performance of KEPTE is competitive in terms of: 1) low computational complexity; 2) the ability that all intermediate nodes and sinks detect pollution attack; 3) the ability that all intermediate nodes and sinks detect tag pollution attack; and 4) high fault-tolerance ability. To the best of our knowledge, the existing key predistribution-based schemes aiming at pollution detection can only achieve at most three points as described above. Finally, discussions on the application of KEPTE to practical network coding are also presented.

Yuanyuan Zhang,Marine Minier

DOI: https://doi.org/10.1155/2012/184783

2012-01-01

Journal of Computer Networks and Communications

Abstract:Network coding has attracted the attention of many researchers in security and cryptography. In this paper, a well-known attack selective forwarding attack will be studied in network coding systems. While most of the works have been dedicated to the countermeasures against pollution attacks where an attacker modifies intermediate packets, only few works concern selective forwarding attacks on data or acknowledgment (ACK) packets; those last ones are required in network coding. However, selective forwarding attacks stay a real threat in resource constraint networks such as wireless sensor networks, especially when selective forwarding attacks target the acknowledgment (ACK) messages, referred to as flooding attack . In the latter model, an adversary can easily create congestion in the network and exhaust all the resources available. The degradation of the QoS (delay, energy) goes beyond the capabilities of cryptographic solutions. In this paper, we first simulate and analyze the effects of selective forwarding attacks on both data flows and ACK flows. We then investigate the security capabilities of multipath acknowledgment in more details than in our original proposal (Zhang et al., 2011).

Bin Wu,Caifen Wang,Hailong Yao

DOI: https://doi.org/10.1007/s12083-020-01028-8

2021-01-07

Abstract:Network coding is an effective method to optimize network throughput and improve routing reliability, and has been widely used in a decentralized Internet of Things system. However, the packet-mixing property of network coding renders transmission susceptible to pollution attacks, which may prevent the reconstruction of the original file. A homomorphic signature scheme is a powerful tool that enables network coding to combat pollution attacks. Although a series of homomorphic signature schemes already exists, no construction has been proposed to support both homomorphic network coding signatures and the certificateless characteristic. In this paper, we construct a certificateless linearly homomorphic signature scheme for network coding, thus avoiding the disadvantages of certificate management and key escrow problems. We then prove the security of the scheme in a random oracle model against an adaptively chosen dataset attack under two types of adversaries. Moreover, performance analysis results show that our scheme has a lower communication overhead and enjoys a comparable computation cost with related schemes.

computer science, information systems,telecommunications

Majid Adeli,Huaping Liu

2013-01-01

Abstract:A new scheme providing security against passive attackers in linear network coding is proposed. Throughput efficiency, low algorithm complexity, and high adaptability/applicability are the major design factors that are considered in this security protocol. A bijective permutation map defined over the code field is utilized to generate the randomness that is required for masking the plain information symbols. The input arguments of the permutation map are some of the plain data symbols and one random symbol that is chosen by the source node. It is shown that as long as the attacker does not have access to all the independent channels, he can not obtain any linear combination of the plain information symbols. Reducing data throughput by only one unit compared to the non-secure network code, and avoiding the use of complex transformations such as cryptographic algorithms or hash functions are the main advantages of the proposed security protocol.

Joshua Joy,Yu-Ting Yu,Victor Perez,Dennis Lu,Mario Gerla

DOI: https://doi.org/10.48550/arXiv.1506.01946

2015-06-05

Networking and Internet Architecture

Abstract:In content-based mobile ad hoc networks (CB-MANETs), random linear network coding (NC) can be used to reliably disseminate large files under intermittent connectivity. Conventional NC involves random unrestricted coding at intermediate nodes. This however is vulnerable to pollution attacks. To avoid attacks, a brute force approach is to restrict the mixing at the source. However, source restricted NC generally reduces the robustness of the code in the face of errors, losses and mobility induced intermittence. CB-MANETs introduce a new option. Caching is common in CB MANETs and a fully reassembled cached file can be viewed as a new source. Thus, NC packets can be mixed at all sources (including the originator and the intermediate caches) yet still providing protection from pollution. The hypothesis we wish to test in this paper is whether in CB-MANETs with sufficient caches of a file, the performance (in terms of robustness) of the restricted coding equals that of unrestricted coding. In this paper, we examine and compare unrestricted coding to full cache coding, source only coding, and no coding. As expected, we find that full cache coding remains competitive with unrestricted coding while maintaining full protection against pollution attacks.

Yuanyuan Zhang,Marine Minier

DOI: https://doi.org/10.1504/ijguc.2013.056256

2013-01-01

International Journal of Grid and Utility Computing

Abstract:Packet pollution attack is considered as the most threatening attack model against network coding-based sensor networks. A widely held belief says that, in a single source multi-destination dissemination scenario, the total number of polluted packets in the network will grow with the length of the transmission path and the decoding failure DF rate at the further destination nodes are relatively lower. In this work, we first obtain an opposite result by analysing the pollution attack in multicast scenarios, and find out a convergence trend of pollution attack by network coding system, and quantify the network resiliency against the pollution attacks which happen at any place along the source-destination paths. Then, the analysis result is proved by our simulations on two most widely deployed buffer strategies, Random-In Random-Out RIRO and First-in First-Out FIFO. Finally, it is proved that RIRO has a much advanced security feature than FIFO in constraining the pollution attack gradually, and almost vanished in the end.

Sang-Yoon Chang,Yih-Chun Hu,Zhuotao Liu

DOI: https://doi.org/10.1109/tmc.2017.2693990

IF: 6.075

2017-01-01

IEEE Transactions on Mobile Computing

Abstract:Wireless network dynamically allocates channel resources to improve spectral efficiency and, to avoid collisions, has its users cooperate with each other using a medium access control (MAC) protocol. However, MAC assumes user compliance and can be detrimental when a user misbehaves. An attacker who compromised the network can launch more devastating denial-of-service (DoS) attacks than a network outsider by sending excessive reservation requests to waste bandwidth, by listening to the control messages and conducting power-efficient jamming, by falsifying information to manipulate the network control, and so on. We build SecureMAC to defend against such insider threats while retaining the benefits of coordination between the cooperative users. SecureMAC is comprised of four components: channelization to prevent excessive reservations, randomization to thwart reactive targeted jamming, coordination to counter control-message aware jamming and resolve over-reserved and under-reserved spectrum, and power attribution to determine each node's contribution to the received power. Our theoretical analyses and implementation evaluations demonstrate superior performance over previous approaches, which either ignore security issues or give up the benefit of cooperation when under attack by disabling user coordination (such as the Nash equilibrium of continuous wideband transmission). In realistic scenarios, our SecureMAC implementation outperforms such schemes by 76-159 percent.

Peng Zhang,Chuang Lin

DOI: https://doi.org/10.1007/978-3-319-31083-1_2

2016-01-01

Abstract:While network coding can help improve network performance, it also introduces new security and privacy issues. For example, network coding can make data transmission more vulnerable to "pollution attacks": A single illegal packet can end up polluting a bunch of good ones through the process of intermediate coding, causing receivers unable to decode properly. Besides data integrity, data confidentiality and user privacy also become quite different in the new environment of network coding. This makes existing schemes like digital signatures, encryption algorithms, and anonymity schemes either infeasible or inefficient. This chapter will introduce several attacks on network coding and the corresponding countermeasures.

Donghai Zhu,Xinyu Yang,Wei Yu

DOI: https://doi.org/10.1109/CCNC.2014.6866593

2014-01-01

Abstract:Pollution attacks refer to ones where attackers modify and inject corrupted data packets into the wireless network with network coding to disrupt the decoding process. In the context of network coding, the epidemic effect of pollution attacks can degrade network throughput significantly because of the mixing nature of network coding. To address this issue, a number of malicious nodes identification schemes have been developed in the past. However, these schemes have their limitations and cannot effectively deal with pollution attacks. In this paper, we propose a novel light-weight Self-checking Pollution Attackers Identification Scheme (SPAIS), which can identify the pollution attackers effectively and efficiently. Through making full use of the broadcast nature of wireless media and insight that a well-behaved node can monitor its downstream neighboring nodes locally by cooperating with other nodes, SPAIS hierarchically organizes the network as levels such that the nodes in the same level can monitor their downstream level nodes cooperatively. Through the combination of theoretical analysis and extensive simulations, our experimental data demonstrates that SPAIS can more effectively identify pollution attackers with a lower cost in comparison with the existing representative schemes. For example, even if the quality of the network connection is not in good condition and the malicious nodes send only one corrupted packet, the pollution attackers can be identified with a high probability.