Jinshu Su

Delay-Bounded Range Queries in DHT-based Peer-to-Peer Systems

Many general range query schemes for DHT-based peer-to-peer (P2P) systems have been proposed, which do not need to modify the underlying DHTs. However, most existing works have the query delay depending on both the scale of the system and the size of the query space or the specific query, and thus cannot guarantee to return the query results in a bounded delay. In this paper, we propose Armada, an efficient general range query scheme to support single-attribute and multipleattribute range queries. Armada is the first delaybounded range query scheme over constant-degree DHTs, and can return the results for any range query within 2logN hops in a P2P system with N peers. Results of analysis and simulations show that the average delay of Armada is less than logN, and the average message cost of single-attribute range queries is about logN+2n..2 (n is the number of peers that intersect with the query). These results are very close to the lower bounds on delay and message cost of range queries over constant-degree DHTs.

ePASS: An expressive attribute-based signature scheme with privacy and an unforgeability guarantee for the Internet of Things

The Internet of Things (IoT) provides anywhere, anything, anytime connections, for which user privacy is vulnerable and authentication methods that favor policy over attributes are essential. Thus, a signature scheme that considers user privacy and implements an attributes policy is required. Emerging attribute-based signature (ABS) schemes allow a requester of a resource to generate a signature with attributes satisfying the policy without leaking more information. However, few existing approaches simultaneously achieve an expressive policy and security under the standard Diffie-Hellman assumption. Here we describe ePASS, a novel ABS scheme that uses an attribute tree and expresses any policy consisting of AND, OR threshold gates under the computational Diffie-Hellman problem. Users cannot forge signatures with attributes they do not possess, and the signature provides assurance that only a user with appropriate attributes satisfying the policy can endorse the message, resulting in unforgeability. However, legitimate signers remain anonymous and are indistinguishable among all users whose attributes satisfy the policy, which provides attribute privacy for the signer. Compared to existing schemes, our approach delivers enhanced performance by reducing the computational cost and signature size.

Gregex: GPU Based High Speed Regular Expression Matching Engine

Regular expression matching engine is a crucial infrastructure which is widely used in network security systems, like IDS. We propose Gregex, a Graphics Processing Unit (GPU) based regular expression matching engine for deep packet inspection (DPI). Gregex leverages the computational power and high memory bandwidth of GPUs by storing data in proper GPU memory space and executing massive GPU thread concurrently to process lots of packets in parallel. Three optimization techniques, ATP, CAB, and CAT are proposed to significantly improve the performance of Gregex. On a GTX260 GPU, Gregex achieves a regular matching throughput of 126.8 Gbps, which is a speedup of 210% over traditional CPU-based implementation and a speedup of 7.9% over the state-of-the-art GPU based regular expression engine.

A novel steganography approach for voice over IP

In homeland defense and security, secure data transfer is still critical challenging due to the open nature of Internet. One of the solutions which came to the rescue is the VoIP (Voice over IP) steganography. VoIP is unquestionably the most popular real-time service in IP networks today. To date, existing VoIP steganography research commonly focus on information hiding in the LSB bits of network audio streams. However, this approach may raise serious security threat, where the hidden information may be easily removed, detected and attacked. Towards this issue, we propose AVIS, a novel Adaptive VoIP steganography approach to hide information within network audio streams. AVIS consists of three parts, named VAMI, VADDI and VODO. VAMI works by dynamically selecting multiple bits based on the VoIP vector value, VADDI dynamically changes embedding intervals to avoid detection and attacking, and VODO try to change the neighbor bits to offset the sound distortion. Also, we evaluate the effectiveness of this approach with G.711 as the codec of the cover speech in Linphone, a famous open-source VoIP software. The experimental results demonstrate that our approach provides better performance than the traditional one.

Route recovery in vertex-disjoint multipath routing for many-to-one sensor networks

Multipath routing is attractive for load-balancing, fault-tolerance, and security enhancement. However, constructing and maintaining a set of node-disjoint paths between the data source and sink is non-trivial in a dynamic environment. In this paper, we study the problem of route recovery in vertex-disjoint multipath routing for sensor networks with many-to-one traffic patterns. We identify the sufficient conditions for multipaths to be recovered when the existing node-disjoint paths are broken, and provide a simple framework for multipath maintenance. This framework is very efficient in time when multipath source routing is employed. Our findings can help to conserve network resource by not launching any route discovery when the data source realizes that a new route may not exist, to guide mobile data sources to relocate themselves in order to reconstruct the new multipaths, and to help newly-deployed data sources quickly determine whether the required number of multipaths exist for sure or not and then compute them. The technique proposed in this paper is a good complement to the classic max-flow algorithm when node-disjoint multipaths are needed.

An efficient distributed key management scheme for group‐signature based anonymous authentication in VANET

Group signature is one of the well-known cryptographic primitives for anonymous authentication which is the fundamental requirement for securing vehicular ad hoc networks (VANETs), but it is prone to cause huge revocation overhead in VANETs with millions of nodes and serious security risk. To solve this problem, we develop an efficient distributed key management scheme (DKM) where the whole domain of VANET is divided into several sub-regions, and any vehicle has to update its group secret key periodically from the regional group manager who manages the region where the vehicle stays. Unlike the previously reported works, DKM prevents vehicles from leaking the value of the updated group secret key to the regional group manager during the group key updating process. Subsequently, it is capable of identifying either the compromised regional authorities or the malicious vehicles. Moreover, performance analysis demonstrates that DKM can reduce the revocation cost significantly while the communication cost for key updating is small. Copyright

Graph-theoretic analysis of Kautz topology and DHT schemes

Many proposed distributed hash table (DHT) schemes for peer-to-peer network are based on some traditional parallel interconnection topologies. In this paper, we show that the Kautz graph is a very good static topology to construct DHT schemes. We demonstrate the optimal diameter and optimal fault tolerance properties of the Kautz graph and prove that the Kautz graph is (1+o(1))-congestion-free when using the long path routing algorithm. Then we propose FissionE, a novel DHT scheme based on Kautz graph. FissionE is a constant degree, O(log N) diameter and (1+o(1))-congestion-free. FissionE shows that the DHT scheme with constant degree and constant congestion can achieve O(log N) diameter, which is better than the lower bound Ω(N 1/d) conjectured before.

Mix-zones optimal deployment for protecting location privacy in VANET

A promising approach to protect driver’s location privacy in vehicular ad hoc network (VANET) suggests vehicle changing pseudonyms in regions called mix-zones, where the adversary cannot eavesdrop the vehicular communication. How to deploy mix-zones in a large city is a challenge problem and has not been well addressed in previously reported works. In this paper, we propose a statistics-based metric for evaluating the effectiveness of a mix-zone and selecting mix-zone candidates in term of privacy requirement. Furthermore, a cost-efficient mix-zones deployment scheme is presented to guarantee that vehicles at any place could pass through an effective mix-zone in certain driving time, and the extra overhead time of adjusting routes to across the mix-zone is small. Extensive simulations demonstrate that the proposed evaluation metric is viable under various traffic scenarios while the deployment plans generated by our scheme in a real-world map make drivers have more chances to pass through mix-zones on road.

Characterizing Inter-Domain Rerouting by Betweenness Centrality after Disruptive Events

Rerouting is not uncommon in nowadays Internet because it can be triggered by many root causes, such as network faults, routing attacks, etc. However, few methods effectively characterize rerouting in the whole Internet. In this paper, inspired by a well known network science metric - betweenness centrality, we propose a new approach to characterize inter-domain reroutings. By defining and analysing the variation of AS betweenness centrality for neighbouring-destination routes and global routes separately, our method empowers users to identify the temporal, topological, and relational characteristics of route changes. We apply our method to investigate the Internets reactions to four different disruptive events, including Japan earthquake in March 2011, SEA-ME-WE 4 cable fault in April 2010, routing attack on YouTube in February 2008, and AS4761 hijacking event in January 2011. This examination reveals many new insights. For example, the route flapping and the congestion caused by the side-effect of rerouting after cable faults significantly degraded path quality. Moreover, direct providers of attackers and victims are the most critical positions for amplifying impact of prefix hijacking attacks. Such results shed light on how to implement effective reactions to network faults and how to deploy efficient defense mechanisms against routing attacks.

Optimal relay node placement for multi-pair cooperative communication in wireless networks

Relaying and cooperation have emerged as important research topics in wireless communication over the past half-decade. During cooperative communication, spatial diversity can be achieved by exploiting the relaying capabilities of the involved relay nodes, which may vastly enhance the achieved system capacity. The potential gains largely depend on the location of relay nodes. In this paper, we study the relay node placement problem for multi-pair cooperative communication in wireless networks, where a finite number of candidate relay nodes can be placed to help the transmission of multiple source-destination pairs. Our objective is to maximize the system capacity. After formulating the relay node placement problem, we comprehensively study the effect of relay location on cooperative link capacity and show several attractive properties of the considered problem. As the main contribution, we develop a geographic aware relay node placement algorithm which optimally solves the relay node placement problem in polynomial time. The basic idea is to place a set of relay nodes to the optimum locations so as to maximize the system capacity. The efficiency of our proposed algorithm is evaluated by the results of series experimental studies.