
Publication


Featured research published by Chengfang Fang.


scalable information systems | 2009

A Lightweight Mechanism to Mitigate Application Layer DDoS Attacks

Jie Yu; Chengfang Fang; Liming Lu; Zhoujun Li

Application layer DDoS attacks, to which network layer solutions are not applicable as attackers are indistinguishable based on packets or protocols, prevent legitimate users from accessing services. In this paper, we propose Trust Management Helmet (TMH) as a partial solution to this problem, which is a lightweight mitigation mechanism that uses trust to differentiate legitimate users and attackers. Its key insight is that a server should give priority to protecting the connectivity of good users during application layer DDoS attacks, instead of identifying all the attack requests. The trust to clients is evaluated based on their visiting history, and used to schedule the service to their requests. We introduce license, for user identification (even beyond NATs) and storing the trust information at clients. The license is cryptographically secured against forgery or replay attacks. We realize this mitigation mechanism and implement it as a Java package and use it for simulation. Through simulation, we show that TMH is effective in mitigating session flooding attack: even with 20 times number of attackers, more than 99% of the sessions from legitimate users are accepted with TMH; whereas less than 18% are accepted without it.


IET Communications | 2010

Mitigating application layer distributed denial of service attacks via effective trust management

Jie Yu; Chengfang Fang; Liming Lu; Zhoujun Li

Nowadays, web servers are suffering from application layer distributed denial of service (DDoS) attacks, to which network layer solutions are not applicable as attackers are indistinguishable based on packets or protocols. In this study, the authors propose trust management helmet (TMH) as a partial solution to this problem, which is a lightweight mitigation mechanism that uses trust to differentiate legitimate users from attackers. Its key insight is that a server should give priority to protecting the connectivity of good users during application layer DDoS attacks, instead of identifying all the attack requests. The trust to clients is evaluated based on their visiting history and used to schedule the service to their requests. The authors introduce license, for user identification (even beyond NATs) and storing the trust information at clients. The license is cryptographically secured against forgery or replay attacks. The authors realise this mitigation mechanism and implement it as a Java package and use it for evaluation. The simulation results show that TMH is effective in mitigating session flooding attack: even with 20 times number of attackers, more than 99% of the sessions from legitimate users are accepted with TMH; whereas less than 18% are accepted without it. Moreover, we found that the additional computation cost on the deployed server is negligible and the bandwidth overhead is acceptable.


international conference on peer-to-peer computing | 2009

ID repetition in Kad

Jie Yu; Chengfang Fang; Jia Xu; Ee-Chien Chang; Zhoujun Li

ID uniqueness is essential in DHT-based systems as peer lookup and resource searching rely on ID-matching. Many previous works and measurements on Kad do not take into account that IDs among peers may not be unique. We observe that a significant portion of peers, 19.5% of the peers in routing tables and 4.5% of the active peers (those who respond to Kad protocol), do not have unique IDs. These repetitions would mislead the measurements of Kad network. We further observe that there are a large number of peers that frequently change their UDP ports, and there are a few IDs that repeat for a large number of times and all peers with these IDs do not respond to Kad protocol. We analyze the effects of ID repetitions under simplified settings and find that ID repetition degrades Kad's performance on publishing and searching, but has insignificant effect on lookup process. These measurements and analyses are useful in determining the sources of repetitions and are also useful in finding suitable parameters for publishing and searching.


privacy enhancing technologies | 2012

Adaptive differentially private histogram of low-dimensional data

Chengfang Fang; Ee-Chien Chang

We want to publish low-dimensional points, for example 2D spatial points, in a differentially private manner. Most existing mechanisms publish noisy frequency counts of points in a fixed predefined partition. Arguably, histograms with adaptive partition, for example V-optimal and equi-depth histograms, which have smaller bin-widths in denser regions, would provide more statistical information. However, as the adaptive partitions leak significant information about the dataset, it is not clear how differentially private partitions can be published accurately. In this paper, we propose a simple method based on the observation that the sensitivity of publishing the sorted sequence of a dataset is independent of the size of the dataset. Together with isotonic regression, the dataset can be reconstructed with high accuracy. One advantage of the proposed method is its simplicity, in the sense that there are only a few parameters to be determined. Furthermore, the parameters can be estimated solely from the privacy requirement ε and the total number of points, and hence do not leak information about the data. Although the parameters are chosen to minimize the earth mover's distance between the published data and original data, empirical studies show that the proposed method also achieves high accuracy w.r.t. some other measurements, for example range query and order statistics.


The Computer Journal | 2011

ID Repetition in Structured P2P Networks

Jie Yu; Zhoujun Li; Peng Xiao; Chengfang Fang; Jia Xu; Ee-Chien Chang

Identity (ID) uniqueness is essential in distributed hash table (DHT)-based systems, as peer lookup and resource searching rely on ID matching. However, many DHT implementations in the wild, such as Kad and Mainline, do not enforce such uniqueness. Most previous works and measurements on DHTs do not take into account that IDs among peers may not be unique. Unfortunately, we observe that a significant portion of peers, i.e. 19.5% of the peers in Kad and 4.0% of the peers in Mainline, do not have unique IDs. These repetitions would mislead the measurements and modeling on those networks. We further focus on investigating the repetition in Kad considering its wider usage and more serious situation of repetition. We observe that there are a large number of peers that frequently change their UDP ports, and there are a few IDs that repeat for a large number of times and all peers with these IDs do not respond to Kad protocol. We also analyze the effects of ID repetitions under simplified settings and find that the current repetition degrades Kad's performance on publishing and searching, but has insignificant effect on lookup process. These measurements and analyses are useful to further determine the sources of repetitions and are also useful for finding suitable parameters in publishing and searching processes in DHT networks without compulsive ID uniqueness.


International Journal of Central Banking | 2011

Identity leakage mitigation on asymmetric secure sketch

Chengfang Fang; Qiming Li; Ee-Chien Chang

We consider secure sketch construction in an asymmetric setting, that is, multiple samples are acquired during enrollment, but only a single sample is obtained during verification. Known protection methods apply secure sketch constructions on the average of the samples, while publishing the auxiliary information extracted from the set of samples, such as variances or weights of the features, in clear. Since the auxiliary information is revealed, an adversary can potentially use it to determine the relationship among multiple sketches, and gather information on the identity of the sketches. In this paper, we give a formal formulation of secure sketch under the asymmetric setting, and propose two schemes that mix the identity-dependent auxiliary information within the sketch. Our analysis shows that while our schemes maintain similar bounds of information loss compared to schemes that reveal the auxiliary information, they offer better privacy protection by limiting the linkages among sketches.


digital rights management | 2010

A chameleon encryption scheme resistant to known-plaintext attack

Ee-Chien Chang; Chengfang Fang; Jia Xu

From a ciphertext and a secret key assigned to a user, the decryption of a Chameleon encryption scheme produces a message which is the plaintext embedded with a watermark associated to the user. Most existing constructions of Chameleon encryption scheme are LUT (lookup table)-based, where a secret LUT plays the role of the master key and each user has a noisy version of the secret LUT. LUT-based methods have the limitation that the secrecy of the master key, under known-plaintext attack (KPA), relies on the difficulty in solving a large linear system. In other words, with some knowledge of the plaintext, a dishonest user is able to derive the LUT, or an approximation of the LUT by solving a linear system. Resistance to such attack is crucial in the context of multimedia encryption since multimedia objects inherently contain high redundancies. Furthermore, for efficiency in decryption, the underlying linear system is likely to be sparse or not overly large, and hence can be solved using reasonable computing resource. In our experiment, a desktop PC is able to find a LUT (with 2^16 entries) within 2 hours. We propose a scheme that is resistant to KPA. The core of the scheme is a MUTABLE-PRNG (Pseudo Random Number Generator) whereby different but similar sequences are generated from related seeds. We generate such sequence from multiple pseudo random sequences based on majority-vote, and enhance its performance using error-correcting code. The proposed scheme is very simple and it is easy to show that it is resistant to KPA under reasonable cryptographic assumptions. However, it is not clear how much information on the original plaintext is leaked from the watermarked copies. We analyze the scheme and quantify the information loss using average conditional entropy.


conference on multimedia modeling | 2014

An Optimization Model for Aesthetic Two-Dimensional Barcodes

Chengfang Fang; Chunwang Zhang; Ee-Chien Chang


annual computer security applications conference | 2010

Securing interactive sessions using mobile device through visual channel and visual inspection

Chengfang Fang; Ee-Chien Chang


information hiding | 2008

Information Leakage in Optimal Anonymized and Diversified Data

Chengfang Fang; Ee-Chien Chang

Collaboration

Top Co-Authors

Ee-Chien Chang (National University of Singapore)

Jie Yu (National University of Defense Technology)

Jia Xu (National University of Singapore)

Liming Lu (National University of Singapore)

Qiming Li (National University of Singapore)

Chunwang Zhang (National University of Singapore)