Christos Xenakis

A generic characterization of the overheads imposed by IPsec and associated cryptographic algorithms

This paper presents an assessment of the communication overheads of IPsec and evaluates the feasibility of deploying it on handheld devices for the UMTS architecture. A wide range of different cryptographic algorithms are used in conjunction with IPsec, such as Data Encryption Standard (DES), Advanced Encryption Standard (AES), Message Digest (MD5) and Secure Hash Algorithm 1 (SHA-1). We consider the processing and packetization overheads introduced by these algorithms and quantify their impact in terms of communication quality (added delay for the end-user) and resource consumption (additional bandwidth on the radio interface). We conduct a quantitive analysis based on a detailed simulation model of an IPsec enabled handheld device. We verify our simulation results by comparing against analytic results obtained from an approximate analytic model.

Security in third Generation Mobile Networks

In the last few years, we have witnessed an explosion in demand for security measures motivated by the proliferation of mobile/wireless networks, the fixed-mobile network convergence, and the emergence of new services, such as e-commerce. 3G-systems play a key role in this network evolution, and, thus, all stakeholders are interested in the security level supported in the new emerging mobile environment. This paper elaborates on the security framework in 3G mobile networks. The security requirements imposed by the different types of traffic, and by the different players involved (mobile users, serving network and service providers) are investigated. The security architecture, which comprises all the security mechanisms that are projected for the Universal Mobile Telecommunication System (UMTS) network, is analyzed. The employment of traditional security technologies, originally designed for fixed networking, such as firewalls, and static Virtual Private Network (VPN), in order to safeguard the UMTS core network from external attacks, as well as to protect user data when conveyed over the network are examined. Critical points in the 3G-security architecture that may cause network and service vulnerability are identified and discussed. Furthermore, proposals for the enhancement of the 3G-security architecture, and the provision of advanced security services to end-user data traffic within and outside the UMTS core network are discussed. The proposed enhancements can be easily integrated in the existing network infrastructure, and operate transparently to the UMTS network functionality.

A comparative evaluation of intrusion detection architectures for mobile ad hoc networks

Mobile Ad Hoc Networks (MANETs) are susceptible to a variety of attacks that threaten their operation and the provided services. Intrusion Detection Systems (IDSs) may act as defensive mechanisms, since they monitor network activities in order to detect malicious actions performed by intruders, and then initiate the appropriate countermeasures. IDS for MANETs have attracted much attention recently and thus, there are many publications that propose new IDS solutions or improvements to the existing. This paper evaluates and compares the most prominent IDS architectures for MANETs. IDS architectures are defined as the operational structures of IDSs. For each IDS, the architecture and the related functionality are briefly presented and analyzed focusing on both the operational strengths and weaknesses. Moreover, methods/techniques that have been proposed to improve the performance and the provided security services of those are evaluated and their shortcomings or weaknesses are presented. A comparison of the studied IDS architectures is carried out using a set of critical evaluation metrics, which derive from: (i) the deployment, architectural, and operational characteristics of MANETs; (ii) the special requirements of intrusion detection in MANETs; and (iii) the carried analysis that reveals the most important strengths and weaknesses of the existing IDS architectures. The evaluation metrics of IDSs are divided into two groups: the first one is related to performance and the second to security. Finally, based on the carried evaluation and comparison a set of design features and principles are presented, which have to be addressed and satisfied in future research of designing and implementing IDSs for MANETs.

One-Pass EAP-AKA Authentication in 3G-WLAN Integrated Networks

The incorporation of Wireless Local Area Networks (WLANs) within the third generation (3G) networks materializes the next generation of mobile/wireless systems, named 3G-WLANs integrated networks. This paper proposes an improved authentication procedure for the 3G-WLANs integrated networks that enables a WLAN user to get access to the 3G packet switched services or to the public Internet through the 3G public land mobile network. The proposed procedure reduces significantly the authentication overhead compared to the legacy one, without compromising the provided security services. A security analysis of the proposed authentication procedure is elaborated that ensures the correctness of the authentication procedure, the provision of advanced security services and the elimination of possible attacks that may threaten the proposed authentication procedure. In addition, an energy cost analysis is carried out that compares the energy consumption induced by the legacy and the proposed authentication procedures. Finally, a communication cost analysis is provided that estimates the cost improvement of the proposed over the legacy authentication procedure.

A specification-based intrusion detection engine for infrastructure-less networks

The proliferation of mobile computing devices has enabled the utilization of infrastructure-less networking as commercial solutions. However, the distributed and cooperative nature of routing in such networks makes them vulnerable to a variety of attacks. This paper proposes a host-based monitoring mechanism, called SIDE that safeguards the operation of the AODV routing protocol. SIDE encompasses two complementary functionalities: (i) a specification-based detection engine for the AODV routing protocol, and (ii) a remote attestation procedure that ensures the integrity of a running SIDE instance. The proposed mechanism operates on a trusted computing platform that provides hardware-based root of trust and cryptographic acceleration, used by the remote attestation procedure, as well as protection against runtime attacks. A key advantage of the proposed mechanism is its ability to effectively detect both known and unknown attacks, in real time. Performance analysis shows that attacks are resolved with high detection accuracy, even under conditions of high network volatility. Moreover, SIDE induces the least amount of control packet overhead in comparison with a number of other proposed IDS schemes.

Discovering Authentication Credentials in Volatile Memory of Android Mobile Devices

This paper investigates whether authentication credentials in the volatile memory of Android mobile devices can be discovered using freely available tools. The experiments that we carried out for each application included two different sets: In the first set, our goal was to check if we could recover our own submitted credentials from the memory dump of the mobile device. In the second set of experiments, the goal was to find patterns that can indicate where the credentials are located in a memory dump of an Android device. The results revealed that the majority of the Android applications are vulnerable to credentials discovery even in case of applications that their security is critical, such as web banking and password manager applications.

Security Measures and Weaknesses of the GPRS Security Architecture

This paper presents an evaluation of the security architecture employed in the General Packet Radio Services (GPRS). More specifically, the security measures applied to protect the mobile users, the radio access network, the fixed part of the network, and the related data of GPRS are presented and analyzed in details. This analysis reveals the security weaknesses of the applied measures that may lead to the realization of security attacks by adversaries. These attacks threaten network operations and data transfer through it compromising end-users and network security. To address some of the identified security weaknesses, a set of security enhancements that aims at improving the GPRS security architecture and providing advanced security services to user data traffic is proposed. The proposed enhancements can be easily integrated in the existing GPRS technology, minimizing the required changes.

Malicious actions against the GPRS technology

This paper presents the malicious actions (attacks), which threaten the general packet radio services (GPRS) network, the GPRS mobile users, and the data that either reside at the network or are transferred through it. These attacks may be performed by malicious third parties, mobile users, network operators or network operator personnel, which exploit the security weaknesses of the GPRS security architecture. Moreover, the attackers take advantage of the lack of adequate security measures that should protect certain parts of the GPRS architecture. The possible attacks against GPRS targets the equipment of mobile users, the radio access network, the GPRS backbone network, and the interfaces that connect the latter to other GPRS networks or the public Internet. The results of these attacks might be the compromise of end-users security, the users over billing, the disclosure or alteration of critical information, the services unavailability, the network breakdown, etc. The analyzed attacks and their consequences increase the risks associated with the usage of GPRS, and, thus, influence its deployment that realizes the concept mobile Internet. In order to defeat certain attacks and enhance the level of security provided by GPRS, specific security measures are proposed.

Gaithashing: A two-factor authentication scheme based on gait features

Abstract Recently, gait recognition has attracted much attention as a biometric feature for real-time person authentication. The main advantage of gait is that it can be observed at a distance in an unobtrusive manner. However, the security of an authentication system, based only on gait features, can be easily broken. A malicious actor can observe the gait of an unsuspicious person and extract the related biometric template in a trivial manner and without being noticed. Another major issue of gait as an identifier has to do with their high intra-variance, since human silhouettes can be significantly modified, when for example the user holds a bag or wears a coat. This paper proposes gaithashing, a two-factor authentication that interpolates between the security features of biohash and the recognition capabilities of gait features to provide a high accuracy and secure authentication system. A novel characteristic of gaithashing is that it enrolls three different human silhouettes types. During authentication, the new extracted gait features and the enrollment ones are fused using weighted sums. By selecting appropriate weight values, the proposed scheme eliminates the noise and distortions caused by different silhouette types and achieves to authenticate a user independently of his/her silhouette. Apart from high accuracy, the proposed scheme provides revocability in case of a biometric template compromise. The performance of the proposed scheme is evaluated by carrying out a comprehensive set of experiments. Numerical results show that gaithashing outperforms existing solutions in terms of authentication performance, while at the same time achieves to secure the gait features.

An evaluation of anomaly-based intrusion detection engines for mobile ad hoc networks

Mobile Ad Hoc Networks are susceptible to a variety of attacks that threaten their operation and the provided services. Intrusion Detection Systems may act as defensive mechanisms, since they monitor network activities in order to detect malicious actions performed by intruders. Anomaly-based detection engines are a topic of ongoing interest in the research community, due to their advantage in detecting unknown attacks. However, this advantage is offset by a number of limitations such as high rates of false alarms, imposition of processing overhead, lack of adaptability under dynamic network conditions etc. This paper presents a comprehensive evaluation and comparison of the most recent literature in the area of anomaly detection for MANETs. The provided weaknesses and limitations, which are thoroughly examined in this paper, constitute open issues in the area of MANET security and will drive future research steps.