Guangquan Xu

On the security and improvement of a two-factor user authentication scheme in wireless sensor networks

User authentication is a basic security requirement during the deployment of the wireless sensor network (WSN), because it may operate in a rather hostile environment, such as a military battlefield. In 2010, Khan and Alghathbar (KA) found out that Das’s two-factor user authentication scheme for WSNs is vulnerable to the gateway node (GW-node) bypassing attack and the privileged-insider attack. They further presented an improved scheme to overcome the security flaws of Das’s scheme. However, in this paper, we show that KA’s scheme still suffers from the GW-node impersonation attack, the GW-node bypassing attack, and the privileged-insider attack. Hence, to fix the security flaws in KA’s scheme, we propose a new user authentication scheme for WSNs. The security of the user authentication session in the proposed scheme is reduced by the model of Bellare and Rogaway. The security of partial compromise of secrets in the proposed scheme is reduced and analyzed by our adversarial model. Based on the performance evaluation, the overall cost of the proposed scheme is less than that of KA’s scheme. Hence, we believe that the proposed scheme is more suitable for real security applications than KA’s scheme.

Swift Trust in a Virtual Temporary System: A Model Based on the Dempster-Shafer Theory of Belief Functions

Trust- and reputation-based information security has been attracting global interest and attention in various disciplines. Despite the achievements of the past several decades, there is still a long way to go before the mechanism of trust and reputation is thoroughly mastered. Swift trust is playing an increasingly important role in virtual temporary systems but has not been analyzed in any depth, and the idea of applying swift trust to the study of temporary systems in virtual societies is still novel. Based on the Dempster-Shafer theory of belief functions, a swift trust model is proposed in which the mechanism of swift trust is realized by way of layered reasoning, which is superior to the typical trust reasoning. The model puts forward a trust-transfer mechanism and clustering mechanism to achieve a whole swift trust value. The reliability of swift trust in developing and maintaining temporary systems is discussed, together with the reliability of the swift trust values derived from the proposed approach. Experiments show good consistency with the results obtained by the model.

Attack Tree Based Android Malware Detection with Hybrid Analysis

This paper proposes an Android malware detection approach based on attack tree. Attack tree model is extended to provide a novel way to organize and exploit behavior rules. Connections between attack goals and application capability are represented by an attack tree structure and behavior rules are assigned to every attack path in the attack tree. In this way, fine-grained and comprehensive static capability estimation and dynamic behavior detection can be achieved. This approach employs a hybrid static-dynamic analysis method. Static analysis tags attack tree nodes based on application capability. It filters the obviously benign applications and highlights the potential attacks in suspicious ones. Dynamic analysis selects rules corresponding to the capability and conducts detection according to runtime behaviors. In dynamic analysis, events are simulated to trigger behaviors based on application components, and hence it achieves high code coverage. Finally, in this way, we implement an automatic malware detection prototype system called AM Detector. The experiment result shows that the true positive rate is 88.14% and the false positive rate is as low as 1.80%.

AMTS: Adaptive multi-objective task scheduling strategy in cloud computing

Task scheduling in cloud computing environments is a multi-objective optimization problem, which is NP hard. It is also a challenging problem to find an appropriate trade-off among resource utilization, energy consumption and Quality of Service (QoS) requirements under the changing environment and diverse tasks. Considering both processing time and transmission time, a PSO-based Adaptive Multi-objective Task Scheduling (AMTS) Strategy is proposed in this paper. First, the task scheduling problem is formulated. Then, a task scheduling policy is advanced to get the optimal resource utilization, task completion time, average cost and average energy consumption. In order to maintain the particle diversity, the adaptive acceleration coefficient is adopted. Experimental results show that the improved PSO algorithm can obtain quasi-optimal solutions for the cloud task scheduling problem.

Network Security Situation Awareness Based on Semantic Ontology and User-Defined Rules for Internet of Things

Internet of Things (IoT) brings the third development wave of the global information industry, which makes users, network, and perception devices cooperate more closely. However, if IoT has security problems, it may cause a variety of damage and even threaten human lives and properties. To improve the abilities of monitoring, providing emergency response, and predicting the development trend of IoT security, a new paradigm called network security situation awareness (NSSA) is proposed. However, it is limited by its ability to mine and evaluate security situation elements from multi-source heterogeneous network security information. To solve this problem, this paper proposes an IoT network security situation awareness model using a situation reasoning method based on semantic ontology and user-defined rules. Ontology technology can provide a unified and formalized description to solve the problem of semantic heterogeneity in the IoT security domain. In this paper, four key sub-domains are proposed to reflect an IoT security situation: context, attack, vulnerability, and network flow. Furthermore, user-defined rules can compensate for the limited description ability of ontology, and hence can enhance the reasoning ability of our proposed ontology model. The examples in real IoT scenarios show that the ability of the network security situation awareness that adopts our situation reasoning method is more comprehensive and more powerful reasoning abilities than the traditional NSSA methods.

An algorithm on fairness verification of mobile sink routing in wireless sensor network

Congestion and starvation will occur among some nodes due to the emerging serious unfairness, which is derived from the limited communication capabilities of all nodes and sink or in the case of a mobile sink moving to a new place. The problem to be solved is to balance the network and keep the fairness for all nodes. For this purpose, this paper focuses on verifying the fairness of mobile sink routing based on both state and action, which is realized mainly by composing Labeled Kripke Transition Systems (LKTS). First, an approach is presented by LKTS to model node behaviors. Second, a notion of Fair Computational Tree Logic (CTL) is introduced to describe the fairness formulae in branching time transitions, and four kinds of fairness assumptions are defined for fairness verification. Moreover, in order to avoid the problem of state-space explosion, Bounded model Checking to explore states and transitions on-the-fly until a witness is found, while Strong Connected Components algorithm is used to pick up fair paths under fairness constraints of Fair CTL. The experimental results show the superiority of our method by the savings in memory and time consumptions during the mobile sink routing process.

A novel optimized vertical handover framework for seamless networking integration in cyber-enabled systems

Abstract Seamless integration of wireless networks for secure mobile applications has increased interest in the research area of mobile cyber-enabled systems. Multi-objective handover needs to compensate the different quality of services provided by the wireless technologies. Notably, the recent works select only the performance perspective on the network to suffice user requirements. In mobile cyber-enabled systems, the security policies are essential while providing the ubiquitous connectivity. In this paper, a novel Optimized Vertical Handover (OVH) framework is proposed to optimize and secure the handover process and reduce the handover execution time significantly. This framework integrates IEEE 802.21 Media Independent Handover (MIH) and Software-Defined Networking (SDN) for seamless link establishment and agile network path reconfiguration. In the handover process, the network selection process is divided into two stages, such as pre-filtering and handover network selection. The pre-filtering eliminates the candidates with incompatible security capabilities using coarse and fine-grained methods. The network selection process utilizes the advantages of Manhattan and Chebyshev distance functions to feature the static and dynamic attributes during the handover. Among multiple factors, the OVH applies for compensation according to the network and mobile node states and improves the efficiency of the handover decision. Compared with the original VIKOR, the proposed OVH algorithm reduces the time complexity significantly through the periodic evaluation of dynamic attributes. Finally, the simulation results highlight that the OVH framework significantly reduces the handover delay and execution time.

A multi-attribute rating based trust model: improving the personalized trust modeling framework

Recently, trust models have contributed much to the success of online multimedia recommendation service. However, most of them only consider the case of binary ratings and ignore the attributes of ratings, which will limit their universal applicability. To address this problem, we propose a multi-attribute rating based trust model to improve the Zhang’s Personalized trust modeling framework, an existing framework for trust modeling by using binary ratings in multi-agent electronic marketplaces. In our approach, it does not restrict users to using a single attribute rating; it allows a rating to be a certain value between 0 and 1 rather than only 0 or 1; it can improve assessment accuracy by calculating the similarity of common ratings between recommenders and users; and it considers the certainty of ratings to deal with the sudden change of partner’s behaviours. Finally, experimental results show that, our approach can effectively model the trustworthiness of recommenders and providers, and it can also resist several malicious attacks.

MP-MID

It is very difficult to detect intrusions in wireless sensor networks (WSN), because of its dynamic network topology and diverse routing protocols. Traditional Intrusion Detection Systems (IDS) for WSN only focus attention on some one routing protocol, which lacks universality and flexibility. To solve the problem of multi-protocol intrusion detection, this paper proposes a universal method: MP-MID (Multi-Protocol Oriented Middleware-level Intrusion Detection). Our work can generate all known attack types for any routing protocol of WSN, and furthermore, all of them can be detected with the automatically generated rules. In this work, we formalize the routing protocol with the Process Algebra for Wireless Mesh Networks (AWN) language, and propose the conception of attack points to find out all attack types. Combining attack points with formalized protocol in AWN, we get co-sentences which represent the attack features in the protocol. With program slicing technology, all known attack types can be found out based on co-sentences. According to the characteristic of the key variables of the attack types, MP-MID can generate misused based detection or anomaly based detection. Our case study of ADOV (Ad hoc On-demand Distance Vector) protocol shows that our method generated all types of attacks, which outperforms other work. Experimental results show that our generated detection methods have a relatively high detection accuracy rate as we claimed. Our MP-MID method could be used as a flexible and universal tool to analyze and detect attack types for multi-protocol in WSN effectively.

HyCPK: Securing Identity Authentication in Ubiquitous Computing

Identity authentication (IA) is vital in ubiquitous computing systems, one of which is web service system, however most current IA schemes and technologies are facing various kinds of attacks and large-scale certification problem. To address this problem, this paper proposes the HyCPK, an improved CPK algorithm based on a single-double hybrid matrix. In this algorithm, the key management center produces a basic key matrix and an assistant key matrix simultaneously, and the former is used to calculate the keys of web services, while both are used to calculate the keys of users. Moreover, CPK identity is redefined to be composed of user identity and the corresponding validity date, which enables the validation processes to be tackled in a more convenient way. Contrasting with the existing CPK schema, the proposed algorithm can solve the problem of large-scale certification and resist three main collusion attacks, and hence the security performance is improved.