C. F. Chong

IDR: an intrusion detection router for defending against distributed denial-of-service (DDoS) attacks

Distributed denial-of-service (DDoS) attack has turned into one of the major security threats in recent years. Usually the only solution is to stop the services or shut down the victim and then discard the attack traffic only after the DDoS attack characteristics (such as the destination ports of the attack packets) are known. In this paper, we introduce a generic DDoS attack detection mechanism as well as the design and setup of a testbed for performing experiments and analysis. Our results showed that the mechanism can detect DDoS attack. This enables us to proceed to the next steps of packet classification and traffic control.

An improved authenticated key agreement protocol with perfect forward secrecy for wireless mobile communication

To provide secure communication for mobile devices, an authenticated key agreement protocol is an important primitive for establishing session keys. However, most existing authenticated key agreement protocols are not designed for wireless mobile communication for which bandwidth and device storage capacity are limited. Also, as mobile devices are more vulnerable to attack, providing forward secrecy becomes an essential element in the protocol. Based on Seo and Sweeneys simple authenticated key agreement algorithm (SAKA), we develop an improved authenticated key agreement protocol that eliminates the disadvantages of SAKA and provides identity authentication, key validation, and perfect forward secrecy. Also, our protocol can foil man-in-the-middle attacks. We also show how our proposed protocol can be included in the current 3GPP2 specifications for OTASP to improve A-key (authentication key) distribution, which is the master key in IS-95 and cdma2000 mobile networks. The proposed protocol requires significantly less bandwidth, and less computational and storage overhead, while having higher security compared to 3GPP2 specifications. The proposed protocol can also be applied to other wireless communication scenarios.

Separable and Anonymous Identity-Based Key Issuing

In identity-based (ID-based) cryptosystems, a local registration authority (LRA) is responsible for authentication of users while the key generation center (KGC) is responsible for computing and sending the private keys to users and therefore, a secure channel is required. For privacy-oriented applications, it is important to keep in secret whether the private key corresponding to a certain identity has been requested. All of the existing ID-based key issuing schemes have not addressed this anonymity issue. Besides, the separation of duties of LRA and KGC has not been discussed as well. We propose a novel separable and anonymous ID-based key issuing scheme without secure channel. Our protocol supports the separation of duties between LRA and KGC. The private key computed by the KGC can be sent to the user in an encrypted form such that only the legitimate key requester authenticated by LRA can decrypt it. and any eavesdropper cannot know the identity corresponding to the secret key

BTM - An Automated Rule-based BT Monitoring System for Piracy Detection

With the advent of peer-to-peer communication technologies, individuals can easily connect to one another over Internet for file sharing and online chatting. Although these technologies provide wonderful platforms for users to share their digital materials, its illegitimate use on unauthorized sharing of copyrighted files is increasingly rampant. With the BitTorrent (BT) technology, the tracking down of these illegal activities is even more difficult as the downloaders can also act as the distributors and cooperate to provide different parts of the same file for sharing. It is close to impossible for law enforcement agencies to trace these distributed and short-duration Internet piracy activities with limited resources. In this paper, we present the first automated rule-based software system, the BitTorrent monitoring (BTM) system, for monitoring, recording, and analyzing suspicious BT traffic on the Internet. From a preliminary experiment on a real case, the system successfully located 126 distributors (a.k.a. seeders) for some Cantonese pop songs within 90 minutes.

Intrusion Detection Routers: Design, Implementation and Evaluation Using an Experimental Testbed

In this paper, we present the design, the implementation details, and the evaluation results of an intrusion detection and defense system for distributed denial-of-service (DDoS) attack. The evaluation is conducted using an experimental testbed. The system, known as intrusion detection router (IDR), is deployed on network routers to perform online detection on any DDoS attack event, and then react with defense mechanisms to mitigate the attack. The testbed is built up by a cluster of sufficient number of Linux machines to mimic a portion of the Internet. Using the testbed, we conduct real experiments to evaluate the IDR system and demonstrate that IDR is effective in protecting the network from various DDoS attacks

Digital evidence search kit

With the rapid development of electronic commerce and Internet technology, cyber crimes have become more and more common. There is a great need for automated software systems that can assist law enforcement agencies in cyber crime evidence collection. This paper describes a cyber crime evidence collection tool called DESK (digital evidence search kit), which is the product of several years of cumulative efforts of our center together with the Hong Kong Police Force and several other law enforcement agencies of the Hong Kong Special Administrative Region. We use DESK to illustrate some of the desirable features of an effective cyber crime evidence collection tool.

Security of Wang et al.'s group-oriented (t, n) threshold signature schemes with traceable signers

Abstract This paper describes a new forgery attack on the group-oriented (t,n) threshold signature schemes proposed by Wang et al. Our attack is more fundamental than Tseng–Jans attack in the sense that it cannot be recognized or blocked at the designated clerk level of the signature schemes.

A hybrid approach for authenticating MPEG-2 streaming data

There are two main approaches for authenticating digital streams, namely the tree chaining [1] and the hash chaining [2,3]. Both approaches have their disadvantages. Hash chaining is superior for low communication overhead, however, it is not resilient to packet loss and it has a longer verification delay. On the other hand, tree chaining is more robust even if packet loss occurs and with shorter verification delay, but the communication overhead is too high to be tolerable, especially in online applications. In this paper, we try to combine the two techniques and propose a hybrid scheme for authenticating MPEG-2 streaming data, which are still used by real application systems, by taking advantage of the characteristics of MPEG frames. The hybrid approach is shown to be more effective as compared to the other two approaches.

Security of Tseng-Jan's group signature schemes

Two forgery attacks are given to show that the group signature schemes proposed by Tseng and Jan, based on the discrete logarithm, are insecure.

Risk management of corporate confidential information in digital form

As electronic commerce becomes increasingly popular, more business data are being stored in digital form and processed by software systems, rather than being stored in paper form and handled by human beings. Consequently, loss of company secrets via the electronic media is becoming a greater threat to organizations. This paper gives a brief analysis of the risk associated with losing corporate confidential information in electronic form