Ana Lucila Sandoval Orozco

Routing Protocols in Wireless Sensor Networks

The applications of wireless sensor networks comprise a wide variety of scenarios. In most of them, the network is composed of a significant number of nodes deployed in an extensive area in which not all nodes are directly connected. Then, the data exchange is supported by multihop communications. Routing protocols are in charge of discovering and maintaining the routes in the network. However, the appropriateness of a particular routing protocol mainly depends on the capabilities of the nodes and on the application requirements. This paper presents a review of the main routing protocols proposed for wireless sensor networks. Additionally, the paper includes the efforts carried out by Spanish universities on developing optimization techniques in the area of routing protocols for wireless sensor networks.

Auto-Configuration Protocols in Mobile Ad Hoc Networks

The TCP/IP protocol allows the different nodes in a network to communicate by associating a different IP address to each node. In wired or wireless networks with infrastructure, we have a server or node acting as such which correctly assigns IP addresses, but in mobile ad hoc networks there is no such centralized entity capable of carrying out this function. Therefore, a protocol is needed to perform the network configuration automatically and in a dynamic way, which will use all nodes in the network (or part thereof) as if they were servers that manage IP addresses. This article reviews the major proposed auto-configuration protocols for mobile ad hoc networks, with particular emphasis on one of the most recent: D2HCP. This work also includes a comparison of auto-configuration protocols for mobile ad hoc networks by specifying the most relevant metrics, such as a guarantee of uniqueness, overhead, latency, dependency on the routing protocol and uniformity.

Distributed Dynamic Host Configuration Protocol (D2HCP)

Mobile Ad Hoc Networks (MANETs) are multihop wireless networks of mobile nodes without any fixed or preexisting infrastructure. The topology of these networks can change randomly due to the unpredictable mobility of nodes and their propagation characteristics. In most networks, including MANETs, each node needs a unique identifier to communicate. This work presents a distributed protocol for dynamic node IP address assignment in MANETs. Nodes of a MANET synchronize from time to time to maintain a record of IP address assignments in the entire network and detect any IP address leaks. The proposed stateful autoconfiguration scheme uses the OLSR proactive routing protocol for synchronization and guarantees unique IP addresses under a variety of network conditions, including message losses and network partitioning. Simulation results show that the protocol incurs low latency and communication overhead for IP address assignment.

Smartphone image clustering

Every day the use of images from mobile devices as evidence in legal proceedings is more usual and common.Image source acquisition identification is a branch of digital forensic analysis.We use a combination of hierarchical and flat clustering and the use of Sensor Pattern Noise for source identification.We make a series of experiments which emulate similar situations to those that may occur in reality. Every day the use of images from mobile devices as evidence in legal proceedings is more usual and common. Therefore, forensic analysis of mobile device images takes on special importance. This paper explores the branch of forensic analysis which is based on the identification of the source, specifically on the grouping or clustering of images according to their source acquisition. In contrast with other state of the art techniques for source identification, hierarchical clustering does not involve a priori knowledge of the number of images or devices to be identified or training data for a future classification stage. That is, a grouping by classes with all the input images is performed. The proposal is based on the combination of hierarchical and flat clustering and the use of Sensor Pattern Noise (SPN). There has been a series of experiments which emulate similar situations to those that may occur in reality to test the robustness and reliability of the results of the technique. The results are satisfactory in all the experiments, obtaining high rates of success.

Malware detection system by payload analysis of network traffic (poster abstract)

This paper presents a system for detecting intrusions when analyzing the network traffic payload looking for malware evidences. The system implements the detection algorithm as a Snort preprocessor component. Since they work together, a highly effective system against known attacks has been achieved (based on Snort rules) and a highly effective system against unknown threats (which was the main aim of the designed system). As the majority of such systems, the proposal consists of two phases: a training phase and a detection phase. During the training phase a statistical model of the legitimate network usage is created through Bloom Filters and N-grams techniques. Subsequently, the results obtained by analyzing a dataset of attacks are compared with such model. This will allow a set of rules to be developed which will be able to determine whether the packets payloads contain malware. In the detection phase, the traffic to analyze is compared with the model created in the training phase and the results obtained when applying rules. The performed experiments showed really satisfactory results, with 100% malware detection and just 0.15% false positives.

Adaptive artificial immune networks for mitigating DoS flooding attacks

Abstract Denial of service attacks pose a threat in constant growth. This is mainly due to their tendency to gain in sophistication, ease of implementation, obfuscation and the recent improvements in occultation of fingerprints. On the other hand, progress towards self-organizing networks, and the different techniques involved in their development, such as software-defined networking, network-function virtualization, artificial intelligence or cloud computing, facilitates the design of new defensive strategies, more complete, consistent and able to adapt the defensive deployment to the current status of the network. In order to contribute to their development, in this paper, the use of artificial immune systems to mitigate denial of service attacks is proposed. The approach is based on building networks of distributed sensors suited to the requirements of the monitored environment. These components are capable of identifying threats and reacting according to the behavior of the biological defense mechanisms in human beings. It is accomplished by emulating the different immune reactions, the establishment of quarantine areas and the construction of immune memory. For their assessment, experiments with public domain datasets (KDD’99, CAIDA’07 and CAIDA’08) and simulations on various network configurations based on traffic samples gathered by the University Complutense of Madrid and flooding attacks generated by the tool DDoSIM were performed.

Image source acquisition identification of mobile devices based on the use of features

Nowadays, forensic analysis of digital images is especially important, given the frequent use of digital cameras in mobile devices. The identification of the device type or the make and model of image source are two important branches of forensic analysis of digital images. In this paper we have addressed both of these, with an approach based on different types of image features and the classification using support vector machines. The study has mainly focused on images created with mobile devices and as a result, the techniques and features have been adapted or created for this purpose. There have been a total of 36 experiments classified into 5 sets, in order to test different configurations of the techniques. In the configuration of the experiments, the future use of the technique by the forensic analyst in real situations to create experiments with high technical requirements was taken into account, amongst other things.

Analysis of errors in exif metadata on mobile devices

Nowadays the number of cameras integrated in mobile phones is growing very fast, making it essential to design new specific forensic analysis techniques aimed towards the pictures created with these devices. Most of these phones automatically add relevant Exif metadata in the process of image acquisition. This metadata, even if it is vulnerable to tampering, can be very helpful for a variety of forensic analysis techniques. That is why the existence of efficient, robust and specialized tools is a necessity. These should allow metadata to be extracted in a consistent, fast and sound way. Besides, metadata extraction must never manipulate the image and it needs to take into account possible departures from the Exif specification, including the insertion of the metadata in the image acquisition process by the makers, as well as any modification, whether malicious or not. This paper will show the multiple anomalies in the Exif specification we have found during our study, which can produce serious problems in classical tools for the extraction of image metadata, including crashes and wrong results, and even interoperability problems among different devices. We will also show some anomalies found in the operation of different well-known forensic tools.Nowadays the number of cameras integrated in mobile phones is growing very fast, making it essential to design new specific forensic analysis techniques aimed towards the pictures created with these devices. Most of these phones automatically add relevant Exif metadata in the process of image acquisition. This metadata, even if it is vulnerable to tampering, can be very helpful for a variety of forensic analysis techniques. That is why the existence of efficient, robust and specialized tools is a necessity. These should allow metadata to be extracted in a consistent, fast and sound way. Besides, metadata extraction must never manipulate the image and it needs to take into account possible departures from the Exif specification, including the insertion of the metadata in the image acquisition process by the makers, as well as any modification, whether malicious or not. This paper will show the multiple anomalies in the Exif specification we have found during our study, which can produce serious problems in classical tools for the extraction of image metadata, including crashes and wrong results, and even interoperability problems among different devices. We will also show some anomalies found in the operation of different well-known forensic tools.

Adaptive routing protocol for mobile ad hoc networks

Artificial immune systems (AIS) are used for solving complex optimization problems and can be applied to the detection of misbehaviors, such as a fault tolerant. We present novel techniques for the routing optimization from the perspective of the artificial immunology theory. We discussed the bioinspired protocol AntOR and analyze its new enhancements. This ACO protocol based on swarm intelligence takes into account the behavior of the ants at the time of obtaining the food. In the simulation results we compare it with the reactive protocol AODV observing how our proposal improves it according to Jitter, the delivered data packet ratio, throughput and overhead in number of packets metrics.

Alert correlation framework for malware detection by anomaly-based packet payload analysis

Abstract Intrusion detection based on identifying anomalies typically emits a large amount of reports about the malicious activities monitored; hence information gathered is difficult to manage. In this paper, an alert correlation system capable of dealing with this problem is introduced. The work carried out has focused on the study of a particular family of sensors, namely those which analyze the payload of network traffic looking for malware. Unlike conventional approaches, the information provided by the network packet headers is not taken into account. Instead, the proposed strategy considers the payload of the monitored traffic and the characteristics of the models built during the training of such detectors, in this way supporting the general-purpose incident management tools. It aims to analyze, classify and prioritize alerts issued, based on two criteria: the risk of threats being genuine and their nature. Incidences are studied both in a one-to-one and in a group context. This implies the consideration of two different processing layers: The first one allows fast reactions and resilience against certain adversarial attacks, and on the other hand, the deeper layer facilitates the reconstruction of attack scenarios and provides an overview of potential threats. Experiments conducted by analyzing real traffic demonstrated the effectiveness of the proposal.