Funding: supported by the National Key Research and Development Program of China (Nos. 2016YFB0800100, 2016YFB0800101); the National Natural Science Fund for Creative Research Groups Project (No. 61521003); the National Natural Science Fund for Youth Fund Project (No. 61602509).
Abstract: Software Defined Networking (SDN) is a revolutionary networking paradigm towards the future network, experiencing rapid development nowadays. However, its main characteristic, the separation of control plane and data plane, also brings about new security challenges, i.e., Denial-of-Service (DoS) attacks specific to OpenFlow SDN networks that exhaust the control plane bandwidth and overload the buffer memory of OpenFlow switches. To mitigate DoS attacks in OpenFlow networks, we design and implement SGuard, a security application on top of the NOX controller that mainly contains two modules: an Access Control module and a Classification module. We employ a novel six-tuple as the feature vector to classify traffic flows, meanwhile optimizing classification by feature ranking and selection algorithms. All the modules cooperate with each other to complete a series of tasks such as authorization, classification and so on. At the end of this paper, we experimentally use Mininet to evaluate SGuard in a software environment. The results show that SGuard works efficiently and accurately without adding more overhead to the SDN networks.
Funding: supported by the National Natural Science Foundation of China (Nos. 61833013, 62003162, 62233009); Natural Science Foundation of Jiangsu Province of China (Nos. BK20200416, BK20222012); China Postdoctoral Science Foundation (Nos. 2020TQ0151, 2020M681590); Fundamental Research Funds for the Central Universities (No. NS2021025); Industry-University Research Innovation Foundation for the Chinese Ministry of Education (No. 2021ZYA02005); Science and Technology on Space Intelligent Control Laboratory (No. HTKJ2022KL502015); Aeronautical Science Foundation of China (No. 20200007018001); Natural Sciences and Engineering Research Council of Canada.
Abstract: This paper develops an event-triggered resilient consensus control method for nonlinear multiple unmanned systems with a data-based autoregressive integrated moving average (ARIMA) agent state prediction mechanism against periodic denial-of-service (DoS) attacks. The state predictor is used to predict the state of neighbor agents during periodic DoS attacks and to maintain consistent control of multiple unmanned systems under DoS attacks. Considering the existing prediction error between the actual state and the predicted state, the estimated error is regarded as an uncertain system disturbance, which is dealt with by the designed disturbance observer. The estimated result is used in the design of the consensus controller to compensate for the system uncertainty error term. Furthermore, this paper investigates dynamic event-triggered consensus controllers to improve resilience and consensus under periodic DoS attacks and to reduce the frequency of actuator output changes. It is proved that Zeno behavior can be excluded. Finally, the resilience and consensus capability of the proposed controller and the superiority of introducing a state predictor are demonstrated through numerical simulations.
Funding: supported by the National Natural Science Foundation of China (No. 52375520); Hunan Provincial Natural Science Foundation Regional Joint Fund (2023JJ50037).
Abstract: This paper concentrates on the secure consensus problem of networked mechanical/Euler–Lagrange systems. First, a new periodic event-triggered (PET) secure distributed observer is proposed to estimate the leader information. The proposed distributed observer relies only on the PET data from its neighbors, which can significantly reduce the communication and computational burden. More importantly, it is secure in the sense that it can work normally regardless of Denial-of-Service (DoS) attacks. Second, based on the proposed distributed observer, an adaptive fuzzy control law is proposed for each Euler–Lagrange system. A PET mechanism is integrated into the controller, which can reduce the number of control updates. This is helpful for both energy saving and fault tolerance of actuators. Moreover, the PET mechanism naturally makes the controller easy to implement on digital platforms. The properties of fuzzy logic systems and the Gronwall inequality are skillfully utilized to show the stability of the closed-loop system. Finally, the proposed control scheme is verified on real Euler–Lagrange systems, which comprise a robot manipulator and several servo motors.
Funding: supported by the National Natural Science Foundation of China under Grant Nos. 62103005, 62173001, and 62273006; the Natural Science Foundation of Anhui Provincial Natural Science Foundation under Grant No. 2108085QF276; the Natural Science Foundation for Distinguished Young Scholars of Higher Education Institutions of Anhui Province under Grant No. 2022AH020034; the Natural Science Foundation for Excellent Young Scholars of Higher Education Institutions of Anhui Province under Grant Nos. 2022AH030049, 2023AH030030, 2022AH030049; the Major Technologies Research and Development Special Program of Anhui Province under Grant No. 202003a05020001; the Key Research and Development Projects of Anhui Province under Grant No. 202104a05020015.
Abstract: In this work, an H∞/passive-based secure synchronization control problem is investigated for continuous-time semi-Markov neural networks subject to hybrid attacks, in which the hybrid attacks are combinations of denial-of-service attacks and deception attacks, described by two groups of independent Bernoulli distributions. On this foundation, via Lyapunov stability theory and linear matrix inequality techniques, the H∞/passive-based performance criteria for semi-Markov jump neural networks are obtained. Additionally, an activation function division approach for neural networks is adopted to further reduce the conservatism of the criteria. Finally, a simulation example is provided to verify the validity and feasibility of the proposed method.
Funding: supported in part by the National Natural Science Foundation of China (62173068, 61803074, 61703245, 61973102, U2030205, 61903065, 61671109, U1830207, U1830133); the China Postdoctoral Science Foundation (2018M643441, 2017M623005); the Royal Society of UK; the Alexander von Humboldt Foundation of Germany.
Abstract: In this paper, a new filtering fusion problem is studied for nonlinear cyber-physical systems under error-variance constraints and denial-of-service attacks. To prevent data collision and reduce communication cost, the stochastic communication protocol is adopted in the sensor-to-filter channels to regulate the transmission order of sensors. Each sensor is allowed to enter the network according to the transmission priority decided by a set of independent and identically distributed random variables. From the defenders' view, the occurrence of the denial-of-service attack is governed by a random Bernoulli-distributed sequence. At the local filtering stage, a set of variance-constrained local filters is designed where the upper bounds (on the filtering error covariances) are first acquired and later minimized by appropriately designing the filter parameters. At the fusion stage, all local estimates and error covariances are combined to develop a variance-constrained fusion estimator under the federated fusion rule. Furthermore, the performance of the fusion estimator is examined by studying the boundedness of the fused error covariance. A simulation example is finally presented to demonstrate the effectiveness of the proposed fusion estimator.
Funding: received from the Deanship of Scientific Research (DSR) at Jouf University, Sakakah, Kingdom of Saudi Arabia under Grant No. DSR-2021-02-0103.
Abstract: The success of Internet of Things (IoT) deployment has given rise to important smart applications. These applications run independently on different platforms, almost everywhere in the world. The Internet of Medical Things (IoMT), also referred to as the healthcare Internet of Things, is the most widely deployed application against COVID-19 and offers extensive healthcare services that are connected to healthcare information technology systems. Indeed, with the impact of the COVID-19 pandemic, a large number of interconnected devices have been designed to create smart networks. These networks monitor patients from remote locations as well as track medication orders. However, IoT may be jeopardized by attacks such as TCP SYN flooding and sinkhole attacks. In this paper, we address the issue of detecting Denial of Service attacks performed by TCP SYN flooding attacker nodes. For this purpose, we develop a new algorithm for an Intrusion Detection System (IDS) to detect malicious activities in the Internet of Medical Things. The proposed scheme minimizes the number of attacks as far as possible to ensure data security and preserve the confidentiality of gathered data. In order to check the viability of our approach, we evaluate analytically and via simulations the performance of our proposed solution under different probabilities of attack.
Funding: supported by the Shandong Provincial Natural Science Foundation (No. ZR2020MF04); National Natural Science Foundation of China (No. 62072469); the Fundamental Research Funds for the Central Universities (19CX05027B, 19CX05003A-11); West Coast Artificial Intelligence Technology Innovation Center (2019-1-5, 2019-1-6); the Opening Project of Shanghai Trusted Industrial Control Platform (TICPSH202003015-ZC).
Abstract: The proliferation of the Internet of Things (IoT) rapidly increases the possibilities of Simple Service Discovery Protocol (SSDP) reflection attacks. Most DDoS attack defence strategies are deployed only on a certain type of device in the attack chain and need to detect attacks in advance, and the detection of DDoS attacks often uses heavy algorithms consuming lots of computing resources. This paper proposes a comprehensive DDoS attack defence approach which combines broad learning and a set of defence strategies against SSDP attacks, called Broad Learning based Comprehensive Defence (BLCD). The defence strategies work along the attack chain, starting from attack sources to victims. It defends against attacks without detecting attacks or identifying the roles of IoT devices in SSDP reflection attacks. BLCD also detects suspicious traffic at bots, service providers and victims by using broad learning, and the detection results are used as the basis for automatically deploying defence strategies which can significantly reduce DDoS packets. For evaluation, we thoroughly analyze attack traffic when deploying BLCD at different defence locations. Experiments show that BLCD can reduce the number of packets received at the victim to 39 without affecting the standard SSDP service, and detect malicious packets with an accuracy of 99.99%.
Funding: This work was funded by the Researchers Supporting Project No. (RSP-2021/102), King Saud University, Riyadh, Saudi Arabia. This work was supported by the Research Project on Teaching Reform of General Colleges and Universities in Hunan Province (Grant No. HNJG-2020-0261), China.
Abstract: Software-Defined Networking (SDN) decouples the control plane of network devices from the data plane. While alleviating the problems present in traditional network architectures, it also brings potential security risks, particularly network Denial-of-Service (DoS) attacks. While many research efforts have been devoted to identifying new features for DoS attack detection, detection methods are less accurate in detecting DoS attacks against client hosts due to the high stealth of such attacks. To solve this problem, a new method of DoS attack detection based on the Deep Factorization Machine (DeepFM) is proposed in SDN. Firstly, we select the Growth Rate of Max Matched Packets (GRMMP) in SDN as the detection feature. Then, the DeepFM algorithm is used to extract features from flow rules and classify them into dense and discrete features to detect DoS attacks. After training, the model can be used to infer whether the SDN is under DoS attack, and a DeepFM-based detection method for DoS attacks against client hosts is implemented. Simulation results show that our method can effectively detect DoS attacks in SDN. Compared with the K-Nearest Neighbor (K-NN), Artificial Neural Network (ANN), Support Vector Machine (SVM) and Random Forest models, our proposed method outperforms them in accuracy, precision and F1 values.
Abstract: Lightweight Directory Access Protocol (LDAP) servers are widely used to authenticate users in enterprise-level networks. Organizations such as universities and small to medium-sized businesses use LDAP for a variety of applications including e-mail clients, SSH, and workstation authentication. Since many organizations build dependencies on the LDAP service, a Denial-of-Service (DoS) attack on the service can cause a greater number of services to be disrupted. This paper examines the danger in the use of LDAP for user authentication by executing a DoS attack exploiting the TCP three-way handshake required when initializing a connection to an LDAP server.
Abstract: With the development of wireless communication technology, cyber-physical systems are applied in various fields such as industrial production and infrastructure, where the large volume of information exchange brings cyber security threats to the systems. From the perspective of system identification with binary-valued observations, we study the optimal attack problem when the system is subject to both denial of service attacks and data tampering attacks. The packet loss rate and the data tampering rate caused by the attack are given, and the estimation error is derived. Then the optimal attack strategy to maximize the identification error with the least energy is described as a min–max optimization problem with constraints. The explicit expression of the optimal attack strategy is obtained. Simulation examples are presented to verify the effectiveness of the main conclusions.
Abstract: Mobile Ad hoc NETworks (MANETs), characterized by the free movement of mobile nodes, are more vulnerable to trivial Denial-of-Service (DoS) attacks such as replay attacks. A replay attacker performs this attack at any time and anywhere in the network by interception and retransmission of valid signed messages. Consequently, MANET performance is severely degraded by the overhead produced by the redundant valid messages. In this paper, we propose an enhancement of the timestamp discrepancy used to validate a signed message, consequently limiting the impact of a replay attack. Our proposed timestamp concept approximately estimates the time at which the message is received and validated by the receiving node. This estimation is based on the existing parameters defined at the 802.11 MAC layer.
Funding: supported by the National Natural Science Foundation of China under Grant No. 60873239.
Abstract: Denial-of-Service (DoS) attacks are virulent to both computer and networked systems. Modeling and evaluating DoS attacks are very important issues for networked systems; they provide both mathematical foundations and theoretical guidelines for security system design. As defense against DoS has been built more and more into security protocols, this paper studies how to evaluate the risk of DoS in security protocols. First, we build a formal framework to model protocol operations and attacker capabilities. Then we propose an economic model for the risk evaluation. By characterizing the intruder capability with a probability model, our risk evaluation model specifies the "Value-at-Risk" (VaR) for the security protocols. The "Value-at-Risk" represents how much computing resource is expected to be lost with a given level of confidence. The proposed model can help users to have a better understanding of the protocols they are using, and in the meantime help designers to examine their designs and get clues for improvement. Finally, we apply the proposed model to analyze a key agreement protocol used in sensor networks and identify a DoS flaw there, and we also validate the applicability and effectiveness of our risk evaluation model by applying it to analyze and compare two public key authentication protocols.
Funding: supported by the National Natural Science Foundation of China (Grant No. 61272501); Beijing Natural Science Foundation (Grant No. 4132056); the National Key Basic Research Program of China (973 Program) (Grant No. 2012CB315905).
Abstract: We investigate the existing arbitrated quantum signature schemes as well as their cryptanalysis, including the intercept-resend attack and the denial-of-service attack. By exploring the loopholes of these schemes, a malicious signatory may successfully disavow signed messages, or the receiver may actively negate the signature from the signatory without being detected. By modifying the existing schemes, we develop countermeasures to these attacks using Bell states. The newly proposed scheme puts forward the security of arbitrated quantum signature. Furthermore, several valuable topics are also presented for further research on the quantum signature scheme.