PoK

Author:Donggang Liu,Peng Ning,Sencun Zhu,Sushil Jajodia

Description:
Broadcast authentication is a critical security service in sensor networks; it allows a sender to broadcast messages to multiple nodes in an authenticated way. mTESLA and multi-level mTESLA have been proposed to provide such services for sensor networks. However, none of these techniques are scalable in terms of the number of senders.Though multi-level mTESLA schemes can scale up to large sensor networks (in terms of receivers), they either use substantial bandwidth and storage at sensor nodes,require significant resources at senders to deal with DOS attacks. This paper presents efficient techniques to support a potentially large number of broadcast senders using mTESLA instances as building blocks. The proposed techniques are immune to the DOS attacks. This paper also provides two approaches, a revocation tree based scheme and a proactive distribution based scheme, to revoke the broadcast authentication capability from compromised senders.The proposed techniques are implemented, and evaluated through simulation on TinyOS. The analysis and experiment show that these techniques are efficient and practical,and can achieve better performance than the previous approaches.

Author:Donggang Liu,Peng Ning,Wenliang Du

Description:
Sensors locations play a critical role in many sensor network applications. A number of techniques have been proposed recently to discover the locations of regular ensors based on a few special nodes called beacon nodes, which are assumed to know their locations (e.g., through GPS receivers or manual configuration). However, none of these techniques can work properly when there are malicious attacks, especially when some of the beacon nodes are compromised. This paper introduces a suite of techniques to detect and remove compromised beacon nodes that supply misleading location information to the regular sensors, aiming at providing secure location discovery services in wireless sensor networks. These techniques start with a simple but effective method to detect malicious beacon signals. To identify malicious beacon nodes and avoid false detection, this paper also presents several techniques to detect replayed beacon signals. This paper then roposes a method to reason about the suspiciousness of each beacon node at the base station based on the detection results collected from beacon nodes, and then revoke malicious beacon nodes accordingly. Finally, this paper provides detailed analysis and simulation to evaluate the proposed techniques. The results show that our techniques are practical and effective in detecting malicious beacon nodes.

Author:Ronghua Wang, Wenliang Du,Peng Ning

Description:
Broadcast authentication is an important application in sensor networks.Public Key Cryptography (PKC) is desirable for this application,but due to the resource constraints on sensor nodes, these operations are expensive, which means sensor networks using PKC are susceptible to Denial of Service (DoS) attacks: attackers keep broadcasting bogus messages, which will incur extra costs, thus exhaust the energy of the honest nodes. In addition, the long time to verify each message using PKC increases the response time of the nodes; it is impractical for the nodes to validate each incoming message before forwarding it.In this paper we discuss this type of DoS attacks, in which the goal of the adversary is to exhaust the energy of the sensor nodes and to increase their response time to broadcast messages. We then present a dynamic window scheme, where sensor nodes determine whether first to verify a message or first to forward the message by themselves. This is made possible with the information such as how far this node is away from the malicious attacker, and how many hops the incoming message has passed. We compare the performance of the proposed scheme with other schemes, and show that it can contain the damage of DoS attacks to only a small portion of the sensor nodes.

Author:Pan Wang,Peng Ning,Douglas S. Reeves

Description:
Anonymity is increasingly important for network applications concerning about censorship and privacy. The ex isting anonymous communication protocols generally system from mixnet and DC net. They either cannot provide provable anonymity or suer from transmission collision. In this paper, we introduce a novel approach which takes advantage of hierarchical ring structure and mix technique. This proposed protocol is collision free and provides provable k
anonymity for both the sender and the recipient, even if a polynomial time adversary can eavesdrop all network trafic and control a fraction of participants. Furthermore, it can hide the sender and the recipient from each other and thus can be used for anonymous ¯le sharing. The analysis shows the proposed protocol is secure against various at tacks. Measurements further demonstrate it is practical.

Author:Qinghua Zhang, Douglas S. Reeves, Peng Ning, S.Purushothaman Iyer

Description:
Remotely launched software exploits are a common way for attackers to intrude into vulnerable computer systems. As detection techniques improve, remote exploitation techniques are also evolving. Recent techniques for evasion f exploit detection include polymorphism (code encryption) and metamorphism (code obfuscation). This paper addresses the problem of detecting in network traffic polymorphic remote exploits that are encrypted, and that self decrypt before launching the intrusion. Such exploits pose a great challenge to existing malware detection techniques, partly due to the non obvious starting location of the exploit code in the network payload.We describe a new method for detecting self decrypting exploit codes. This method scans network traffic for the presence of a decryption routine, which is characteristic of such exploits. The proposed method uses static analysis and emulated instruction execution techniques. This improves the accuracy of determining the starting location and instructions of the decryption routine, even if self modifying code is used. The method outperforms approaches that have been previously proposed, both in terms of detection capabilities, and in detection accuracy. The proposed method has been implemented and tested on current polymorphic exploits, including ones generated by state of the art polymorphic engines. All exploits have been detected (i.e., a 100% detection rate), including those for which the decryption routine is dynamically coded, or self modifying. The false positive rate is close to 0%. Runningtime is approximately linear in the size of the network payload being analyzed.