Robin Doss

Distributed Computing and Networking

Wireless sensor networks (WSN) are attractive for information gathering in large-scale data rich environments. In order to fully exploit the data gathering and dissemination capabilities of these networks, energy-efficient and scalable solutions for data storage and information discovery are essential. In this paper, we formulate the information discovery problem as a load-balancing problem, with the combined aim being to maximize network lifetime and minimize query processing delay resulting in QoS improvements. We propose a novel information storage and distribution mechanism that takes into account the residual energy levels in individual sensors. Further, we propose a hybrid push-pull strategy that enables fast response to information discovery queries. Simulations results prove the proposed method(s) of information discovery offer significant QoS benefits for global as well as individual queries in comparison to previous approaches.Wireless sensor networks (WSN) are attractive for information gathering in large-scale data rich environments. In order to fully exploit the data gathering and dissemination capabilities of these networks, energy-efficient and scalable solutions for data storage and information discovery are essential. In this paper, we formulate the information discovery problem as a load-balancing problem, with the combined aim being to maximize network lifetime and minimize query processing delay resulting in QoS improvements. We propose a novel information storage and distribution mechanism that takes into account the residual energy levels in individual sensors. Further, we propose a hybrid push-pull strategy that enables fast response to information discovery queries. Simulations results prove the proposed method(s) of information discovery offer significant QoS benefits for global as well as individual queries in comparison to previous approaches.

Traceback of DDoS Attacks Using Entropy Variations

Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantages - it is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.

Information theory based detection against network behavior mimicking DDoS attacks

DDoS is a spy-on-spy game between attackers and detectors. Attackers are mimicking network traffic patterns to disable the detection algorithms which are based on these features. It is an open problem of discriminating the mimicking DDoS attacks from massive legitimate network accessing. We observed that the zombies use controlled function(s) to pump attack packages to the victim, therefore, the attack flows to the victim are always share some properties, e.g. packages distribution behaviors, which are not possessed by legitimate flows in a short time period. Based on this observation, once there appear suspicious flows to a server, we start to calculate the distance of the package distribution behavior among the suspicious flows. If the distance is less than a given threshold, then it is a DDoS attack, otherwise, it is a legitimate accessing. Our analysis and the preliminary experiments indicate that the proposed method- can discriminate mimicking flooding attacks from legitimate accessing efficiently and effectively.

A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems

In this paper we propose a novel approach to authentication and privacy in mobile RFID systems based on quadratic residues and in conformance to EPC Class-1 Gen-2 specifications. Recently, Chen et al. (2008) [10] and Yeh et al. (2011) [11] have both proposed authentication schemes for RFID systems based on quadratic residues. However, these schemes are not suitable for implementation on low-cost passive RFID tags as they require the implementation of hash functions on the tags. Consequently, both of these current methods do not conform to the EPC Class-1 Gen-2 standard for passive RFID tags which from a security perspective requires tags to only implement cyclic redundancy checks (CRC) and pseudo-random number generators (PRNG) leaving about 2.5k-5k gates available for any other security operations. Further, due to secure channel assumptions both schemes are not suited for mobile/wireless reader applications. We present the collaborative authentication scheme suitable for mobile/wireless reader RFID systems where the security of the server-reader channel cannot be guaranteed. Our schemes achieves authentication of the tag, reader and back-end server in the RFID system and protects the privacy of the communication without the need for tags to implement expensive hash functions. Our scheme is the first quadratic residues based scheme to achieve compliance to EPC Class-1 Gen-2 specifications. Through detailed security analysis we show that the collaborative authentication scheme achieves the required security properties of tag anonymity, reader anonymity, reader privacy, tag untraceability and forward secrecy. In addition, it is resistant to replay, impersonation and desynchronisation attacks. We also show through strand space analysis that the proposed approach achieves the required properties of agreement, originality and secrecy between the tag and the server.

Secure Tag Search in RFID Systems Using Mobile Readers

One of the important features of an RFID system is its ability to search for a particular tag among a group of tags. In order to ensure privacy and security of the tags, the search has to be conducted in a secure fashion. To our knowledge not much work has been done in this secure search area of RFID. The minimal work that has been done do not comply with the EPC C1G2 (Class-1 Gen-2) standard since most of them use expensive hash operations or sophisticated encryption schemes that cannot be implemented in the low-cost passive tags that are highly resource constrained. Our work aims to fill this gap by proposing a protocol that is based on simple XOR encryption and 128 bit pseudo random number generators (PRNG), operations that can be easily implemented on low-cost passive tags. Thus, our protocol enables large scale implementations and achieves EPC C1G2 compliance while meeting the security requirements. The protocol provides additional protection by hiding the pseudo-random number during all transmissions using a blind-factor.

A minimum disclosure approach to authentication and privacy in RFID systems

In this paper we present a novel approach to authentication and privacy in RFID systems based on the minimum disclosure property and in conformance to EPC Class-1 Gen-2 specifications. We present two security schemes that are suitable for both fixed reader and mobile/wireless reader environments, the mutual authentication and the collaborative authentication schemes respectively. Both schemes are suited to the computational constraints of EPC Class-1 Gen-2 passive RFID tags as only the cyclic redundancy check (CRC) and pseudo random number generator (PRNG) functions that passive RFID tags are capable of are used. Detailed security analysis of both our schemes show that they offer robust security properties in terms of tag anonymity, tag untraceability and reader privacy while at the same time being robust to replay, tag impersonation and desynchronisation attacks. Simulations results are also presented to study the scalability of the schemes and its impact on authentication delay. In addition, Yeh et al. (2010) 20] proposed a security scheme for EPC Class-1 Gen-2 based mobile/wireless RFID systems. We show that this scheme has a security vulnerability and is not suitable for mobile/wireless RFID systems.

Secure RFID Tag Ownership Transfer Based on Quadratic Residues

In this paper, we propose a novel approach to secure ownership transfer in RFID systems based on the quadratic residue property. We present two secure ownership transfer schemes-the closed loop and open loop schemes. An important property of our schemes is that ownership transfer is guaranteed to be atomic. Further, both our schemes are suited to the computational constraints of EPC Class-1 Gen-2 passive RFID tags as they only use operations that such passive RFID tags are capable of. We provide a detailed security analysis to show that our schemes achieve strong privacy and satisfy the required security properties of tag anonymity, tag location privacy, forward secrecy, and forward untraceability. We also show that the schemes are resistant to replay (both passive and algebraic), desynchronization, and server impersonation attacks. Performance comparisons demonstrate that our schemes are practical and can be implemented on low-cost passive RFID tags.

Geographic Routing with Cooperative Relaying and Leapfrogging in Wireless Sensor Networks

A novel geographic routing protocol for multi-hop wireless sensor networks is presented. It exploits the broadcast nature of the wireless channel to enable on-demand cooperative relaying and leapfrogging for circumventing weak radio links. In order to achieve energy efficiency, a metric is introduced for next-hop selection that takes into account information on the residual battery energy, the geographical position of the sensor nodes, and the channel quality of the involved radio links when available. Performance results show that the completely decentralized protocol offers significant benefits by reducing the number of (re)transmissions required to reach the destination. This translates into network-wide energy savings that extend the network lifetime.

A Robust Grouping Proof Protocol for RFID EPC C1G2 Tags

Several grouping proof protocols for RFID systems have been proposed over the years but they are either found to be vulnerable to certain attacks or do not comply with the EPC class-1 gen-2 (C1G2) standard because they use hash functions or other complex encryption schemes. Among other requirements, synchronization of keys, simultaneity, dependence, detecting illegitimate tags, eliminating unwanted tag processing, and denial-of-proof attacks have not been fully addressed by many. Our protocol addresses these important gaps by taking a holistic approach to grouping proofs and provides forward security, which is an open research issue. The protocol is based on simple (XOR) encryption and 128-bit pseudorandom number generators, operations that can be easily implemented on low-cost passive tags. Thus, our protocol enables large-scale implementations and achieves EPC C1G2 compliance while meeting the security requirements.

A general cloud firewall framework with dynamic resource allocation

Cloud is becoming a dominant computing platform. However, we see few work on how to protect cloud data centers. As a cloud usually hosts many different type of applications, the traditional packet level firewall mechanism is not suitable for cloud platforms in case of complex attacks. It is necessary to perform anomaly detection at the event level. Moreover, protecting objects are more diverse than the traditional firewall. Motivated by this, we propose a general framework of cloud firewall, which features event level detection chain with dynamic resource allocation. We establish a mathematical model for the proposed framework. Moreover, a linear resource investment function is proposed for economical dynamical resource allocation for cloud firewalls. A few conclusions have been extracted for the reference of cloud service providers and designers.