Mark Looi

Towards context-aware security: an authorization architecture for intranet environments

We introduce a context-aware authorization architecture that is designed to augment existing network security protocols in an intranet environment. It describes the architecture components, the proposed extensions to RBAC that facilitate context-aware access control policy, details of the prototyped implementation, and a number of performance results.

A Multicast Routing Scheme for Efficient Safety Message Dissemination in VANET

Vehicular ad hoc network (VANET) is a wireless ad hoc network that operates in a vehicular environment to provide communication between vehicles. VANET can be used by a diverse range of applications to improve road safety. Cooperative collision warning system (CCWS) is one of the safety applications that can provide situational awareness and warning to drivers by exchanging safety messages between cooperative vehicles. Currently, the routing strategies for safety message dissemination in CCWS are scoped broadcast. However, the broadcast schemes are not efficient as a warning message is sent to a large number of vehicles in the area, rather than only the endangered vehicles. They also cannot prioritize the receivers based on their critical time to avoid collision. This paper presents a more efficient multicast routing scheme that can reduce unnecessary transmissions and also use adaptive transmission range. The multicast scheme involves methods to identify an abnormal vehicle, the vehicles that may be endangered by the abnormal vehicle, and the latest time for each endangered vehicle to receive the warning message in order to avoid the danger. We transform this multicast routing problem into a delay-constrained minimum Steiner tree problem. Therefore, we can use existing algorithms to solve the problem. The advantages of our multicast routing scheme are mainly its potential to support various road traffic scenarios, to optimize the wireless channel utilization, and to prioritize the receivers.

Multi-vehicles interaction graph model for cooperative collision warning system

Cooperative collision warning system for road vehicles, enabled by recent advances in positioning systems and wireless communication technologies, can potentially reduce traffic accident significantly. To improve the system, we propose a graph model to represent interactions between multiple road vehicles in a specific region and at a specific time. Given a list of vehicles in vicinity, we can generate the interaction graph using several rules that consider vehicles properties such as position, speed, heading, etc. Safety applications can use the model to improve emergency warning accuracy and optimize wireless channel usage. The model allows us to develop some congestion control strategies for an efficient multi-hop broadcast protocol.

Cross-domain one-shot authorization using smart cards

As the use of information technology is increasing rapidly in organizations around the world, an important task is to design global networks with high security, eÆciency and functionality. While centralized systems have the advantages of simpli ed management, they face the problems of bottleneck and single point of failure. In this paper, we propose a new authorization scheme that operates over existing centralized authentication mechanisms. The goal is to enhance the performance and scalability in a centrally administered security architecture. A new technique of using one-shot authorization tokens is introduced. It facilitates a mechanism for updating or revocation of the access rights of users in online or o -line authorization models. A smart card is used as an authorization device in addition to its traditional function of user authentication. This scheme provides the mobility for users and the exibility in coping with di erent access control policies in a cross domain multi-application environment.

Experimenting with an Intrusion Detection System for Encrypted Networks

Network-based Intrusion Detection Systems (NIDSs) analyse network traffic to detect instances of malicious activity. Typically, this is only possible when the network traffic is accessible for analysis. With the growing use of Virtual Private Networks (VPNs) that encrypt network traffic, the NIDS can no longer access this crucial audit data. In this paper, we present an implementation and evaluation of our approach proposed in Goh et al. (2009). It is based on Shamirs secret-sharing scheme and allows a NIDS to function normally in a VPN without any modifications and without compromising the confidentiality afforded by the VPN.

Enhancing the security of Internet applications using location: a new model for tamper-resistant GSM location

This paper introduces location-based security services and discusses a new model for tamper-resistant location determination. These location-based security services are demonstrated in terms of a framework for both WAP and web-based Internet applications, which facilities the acquisition of location using the proposed model for tamper-resistant location determination. The framework is realized in two example applications that utilize location-based security services to enhance access control and audit facilities.

Context-Aware Multicast Protocol for Emergency Message Dissemination in Vehicular Networks

Road traffic accidents can be reduced by providing early warning to drivers through wireless ad hoc networks. When a vehicle detects an event that may lead to an imminent accident, the vehicle disseminates emergency messages to alert other vehicles that may be endangered by the accident. In many existing broadcast-based dissemination schemes, emergency messages may be sent to a large number of vehicles in the area and can be propagated to only one direction. This paper presents a more efficient context aware multicast protocol that disseminates messages only to endangered vehicles that may be affected by the emergency event. The endangered vehicles can be identified by calculating the interaction among vehicles based on their motion properties. To ensure fast delivery, the dissemination follows a routing path obtained by computing a minimum delay tree. The multicast protocol uses a generalized approach that can support any arbitrary road topology. The performance of the multicast protocol is compared with existing broadcast protocols by simulating chain collision accidents on a typical highway. Simulation results show that the multicast protocol outperforms the other protocols in terms of reliability, efficiency, and latency.

Integrating Smart Cards Into Authentication Systems

This paper presents alternative schemes for the integration of smart card technology into the Kerberos authentication system. A limitation of the initial interaction phase is identified and three implementation options are proposed to overcome this weakness. A further three implementation options are described that enhance the security of Kerberos authentication, however these do not cryptgraphically overcome the identified limitation.

Towards Intrusion Detection for Encrypted Networks

Traditionally, network-based Intrusion Detection Systems (NIDS) monitor network traffic for signs of malicious activities. However, with the growing use of Virtual Private Networks (VPNs) that encrypt network traffic, the NIDS can no longer analyse the encrypted data. This essentially negates any protection offered by the NIDS. Although the encrypted traffic can be decrypted at a network gateway for analysis, this compromises on data confidentiality. In this paper, we propose a detection framework which allows a traditional NIDS to continue functioning, without compromising the confidentiality afforded by the VPN. Our approach uses Shamirs secret-sharing scheme and randomised network proxies to enable detection of malicious activities in encrypted channels. Additionally, this approach is able to detect any malicious attempts to forge network traffic with the intention of evading detection. Our experiments show that the probability of a successful evasion is low, at about 0.98% in the worst case. We implement our approach in a prototype and present some preliminary results. Overall, the proposed approach is able to consistently detect intrusions and does not introduce any additional false positives.

Secure Authorisation Agent for Cross-Domain Access Control in a Mobile Computing Environment

New portable computers and wireless communication technologies have significantly enhanced mobile computing. The emergence of network technology that supports user mobility and universal network access has prompted new requirements and concerns, especially in the aspects of access control and security. In this paper, we propose a new approach using authorisation agents for cross-domain access control in a mobile computing environment. Our framework consists of three main components, namely centralised authorisation servers, authorisation tokens and authorisation agents. An infrastructure of centralised authorisation servers and application servers from different domains is proposed for supporting trust propagation to mobile hosts instantaneously. While the authorisation token is a form of static capability, the authorisation agent on the client side can be regarded as a dynamic capability to provide the functionality in client-server interactions. It works collaboratively with remote servers to provide authorisation service with finer access granularity and higher flexibility.