Hyoung-Kee Choi

A behavioral model of Web traffic

The growing importance of Web traffic on the Internet makes it important that we have accurate traffic models in order to plan and provision. In this paper we present a Web traffic model designed to assist in the evaluation and engineering of shared communication networks. Because the model is behavioral we can extrapolate the model to assess the effect of changes in protocols, the network or user behavior. The increasing complexity of Web traffic has required that we base our model on the notion of a Web-request, rather a Web page. A Web-request results in the retrieval of information that might consist of one or more Web pages. The parameters of our model are derived from an extensive trace of Web traffic. Web-requests are identified by analyzing not just the TCP header in the trace but also the HTTP headers. The effect of Web caching is incorporated into the model. The model is evaluated by comparing independent statistics from the model and from the trace. The reasons for differences between the model and the traces are given.

Security Analysis of Handover Key Management in 4G LTE/SAE Networks

The goal of 3GPP Long Term Evolution/System Architecture Evolution (LTE/SAE) is to move mobile cellular wireless technology into its fourth generation. One of the unique challenges of fourth-generation technology is how to close a security gap through which a single compromised or malicious device can jeopardize an entire mobile network because of the open nature of these networks. To meet this challenge, handover key management in the 3GPP LTE/SAE has been designed to revoke any compromised key(s) and as a consequence isolate corrupted network devices. This paper, however, identifies and details the vulnerability of this handover key management to what are called desynchronization attacks; such attacks jeopardize secure communication between users and mobile networks. Although periodic updates of the root key are an integral part of handover key management, our work here emphasizes how essential these updates are to minimizing the effect of desynchronization attacks that, as of now, cannot be effectively prevented. Our main contribution, however, is to explore how network operators can determine for themselves an optimal interval for updates that minimizes the signaling load they impose while protecting the security of user traffic. Our analytical and simulation studies demonstrate the impact of the key update interval on such performance criteria as network topology and user mobility.

Building Femtocell More Secure with Improved Proxy Signature

Demand for the femtocell is largely credited to the surge in a more always best connected communication conscious public. 3GPP define new architecture and security requirement for Release 9 to deal with femtocell, Home eNode B referred as HeNB. In this paper, we analyze the HeNB security with respect to mutual authentication, access control, and secure key agreement. Our analysis pointed out that a number of security vulnerabilities have still not been addressed and solved by 3GPP technical specification. These include eavesdropping, man-in-the-middle attack, compromising subscriber access list, and masquerading as valid HeNB. To the best of our knowledge, any related research studying HeNB security was not published before. Towards this end, this paper proposes an improved authentication and key agreement mechanism for HeNB which adapts proxy-signature and proxy-signed proxy-signature. Through our elaborate analysis, we conclude that the proposed not only prevents the various security threats but also accomplishes minimum distance from user-tolerable authentication delay.

An efficient and versatile key management protocol for secure smart grid communications

Numerous entities in a smart grid network communicate with each other via unicast, multicast, and broadcast communications in order to enhance the efficiency, reliability, and intelligence of the power supply chain. This paper proposes an efficient and scalable key management protocol for secure unicast, multicast, and broadcast communications in a smart grid network. The proposed protocol is based on a binary tree approach, and supports all these three types of secure communications by using only one binary tree. The analysis and discussion show that the proposed protocol is versatile, and hence suitable for secure smart grid communications.

Improvements on Sun 's Conditional Access System in Pay-TV Broadcasting Systems

A conditional access system (CAS) proposed by Sun has a critical security weakness in its inability to preserve backward secrecy; a former subscriber can still access programs despite his or her change in status. This weakness in Sun s CAS originates because 1) no change is made to a group key after a new member arrives, and 2) updates of group keys are done in an insecure manner. We show how simple protocol changes can fix these weaknesses and thus render Sun s CAS capable of preserving backward secrecy.

Secure and efficient protocol for vehicular ad hoc network with privacy preservation

Security is a fundamental issue for promising applications in a VANET. Designing a secure protocol for a VANET that accommodates efficiency, privacy, and traceability is difficult because of the contradictions between these qualities. In this paper, we present a secure yet efficient protocol for a VANET that satisfies these security requirements. Although much research has attempted to address similar issues, we contend that our proposed protocol outperforms other proposals that have been advanced. This claim is based on observations that show that the proposed protocol has such strengths as light computational load, efficient storage management, and dependability.

A group-based security protocol for machine-type communications in LTE-advanced

Abstract Machine-type communication (MTC) takes advantage of millions of devices being connected to each other in sensing our environment. A third-generation partnership project has been actively considering MTC as an enabler for ubiquitous computing and context-aware services. Until recently, we have not yet known how to productively manage the signaling traffic from these MTC devices because authentication requirements may impose such large signaling loads that they overwhelm the radio access of 4G cellular networks. This paper proposes the design of an efficient security protocol for MTC. This protocol is designed to be compatible with the incumbent system by being composed of only symmetric cryptography. Efficiency is attained by aggregating many authentication requests into a single one. The security and performance of the new design are evaluated via formal verification and theoretical analysis. Implementation of the proposed protocol in a real LTE-A network is provided through a feasibility analysis undertaken to prove the practicability of the protocol. Based on these evaluations, we contend that the proposed protocol is practical in terms of security and performance for MTC in LTE-Advanced.

A practical security framework for a VANET-based entertainment service

In this paper, we propose a secure multimedia resource trading system in a vehicular ad hoc network, leveraging a short-time self-certificate signature scheme. The short-time self-certificate signature does not need certificate verification overhead. Thus, it can significantly reduce computation and communication delay in the mobile environment. In addition, we present a promising and practical framework for the VANET-based entertainment service by deploying our secure trading system. The main advantage the framework is that it offers fair resource trading and complete transaction between vehicles without the mediation of a dedicated on-line trusted third party. Furthermore, the proposed scheme can prevent selfish vehicles and detect malicious vehicles trying to disguise themselves as resource sellers or repudiating receipt of multimedia resources. Our simulation results and analysis demonstrate validity and practicality of our framework.

A secure and lightweight approach for routing optimization in mobile IPv6

Mobility support is an essential part of IPv6 because we have recently seen sharp increases in the number of mobile users. A security weakness in mobility support has a direct consequence on the security of users because it obscures the distinction between devices and users. Unfortunately, a malicious and unauthenticated message in mobility support may open a security hole for intruders by supplying an easy mean to launch an attack that hijacks an ongoing session to a location chosen by the intruder. In this paper, we show how to thwart such a session hijacking attack by authenticating a suspicious message. Although much research has been directed toward addressing similar problems, we contend that our proposed protocol would outperform other proposals that have been advanced. This claim is based on observations that the proposed protocol has strengths such as light computational load, backward compatibility, and dependable operation. The results of in-depth performance evaluation show that our protocol achieves strong security and at the same time requires minimal computational overhead.

Effective discovery of attacks using entropy of packet dynamics

Network-based attacks are so devastating that they have become major threats to network security. Early yet accurate warning of these attacks is critical for both operators and end users. However, neither speed nor accuracy is easy to achieve because both require effective extraction and interpretation of anomalous patterns from overwhelmingly massive, noisy network traffic. The intrusion detection system presented here is designed to assist in diagnosing and identifying network attacks. This IDS is based on the notion of packet dynamics, rather than packet content, as a way to cope with the increasing complexity of attacks. We employ a concept of entropy to measure time-variant packet dynamics and, further, to extrapolate this entropy to detect network attacks. The entropy of network traffic should vary abruptly once the distinct patterns of packet dynamics embedded in attacks appear. The proposed classifier is evaluated by comparing independent statistics derived from five well-known attacks. Our classifier detects those five attacks with high accuracy and does so in a timely manner.