Shiyong Zhang

Resisting flooding attacks in ad hoc networks

Mobile ad hoc networks will often be deployed in environments where the nodes of the networks are unattended and have little or no physical protection against tampering. The nodes of mobile ad hoc networks are thus susceptible to compromise. The networks are particularly vulnerable to denial of service (DOS) attacks launched through compromised nodes or intruders. In this paper, we present a new DOS attack and its defense in ad hoc networks. The new DOS attack, called ad hoc flooding attack, can result in denial of service when used against on-demand routing protocols for mobile ad hoc networks, such as AODV, DSR. The intruder broadcasts mass Route Request packets or sends a lot of attacking DATA packets to exhaust the communication bandwidth and node resource so that the valid communication can not be kept. After analyzed ad hoc flooding attack, we develop flooding attack prevention (FAP), a generic defense against the ad hoc flooding attack in mobile ad hoc networks. The FAP is composed of neighbor suppression and path cutoff. When the intruder broadcasts exceeding packets of route request, the immediate neighbors of the intruder observe a high rate of route request and then they lower the corresponding priority according to the rate of incoming queries. Moreover, not serviced low priority queries are eventually discarded. When the intruder sends many attacking DATA packets to the victim node, the node may cut off the path and does not set up a path with the intruder any more. Mobile ad hoc networks can prevent the ad hoc flooding attack by FAP with little overhead.

PeerCDN: A novel P2P network assisted streaming content delivery network scheme

Providing scalable streaming media service over the internet is a demanding task nowadays, CDN(Content Delivery Network) and P2P are the main approaches while both have pros and cons. We propose a novel hybrid architecture - PeerCDN to combine the two approaches seamlessly with their inherited excellent features. PeerCDN is a two-layer streaming architecture. Upper layer is a server layer which is composed of original CDN servers including origin servers and replica servers. Lower layer consists of groups of clients who request the streaming services, each client is considered as a client peer in the group. Each group of client peers is led by the nearby replica server. Client peers contribute their resource through the coordination of the leader peer. The scheme uses a revised Kademlia-like protocol for peer-to-peer topology management and DHT for data retrieval. It constructs a topology-aware overlay network and results reduced jitter. PeerCDN makes best use of original investment and infrastructure. The service capacity is larger than traditional CDN system with the participation of the client peers. Also, the topology-aware overlay network restricts the unnecessary backbone bandwidth consuming during client peer sharing. The experiment result shows that PeerCDN has better features than the CDN and pure p2p approaches.

An adaptive adjusting mechanism for agent distributed blackboard architecture

Abstract Distributed blackboard is one of the popular agent communication architectures. However, in current agent systems, the distributed blackboard architecture is kept fixed after its initial setting, which may influence the system performance when network topology or agent cooperation relations are changed during operation. To solve the problem, this paper presents a novel mechanism for adjusting agent communication architecture. Based on graph theory, this mechanism provides a way to adjust the distributed blackboard architecture. The adjustment made to the architecture kept its validity, and the adjusted architecture outperforms the initial one in new network topology or agents cooperation relations, which are proved by the Mobile Ambients Calculus analysis and the simulation experiments. Therefore, the adjusting mechanism presented here can achieve the adaptation of the agent communication architecture to the changes of the network topology and agent cooperation relations.

Autonomous trust construction in multi-agent systems: a graph theory methodology

Trust mechanism always has two popular architectures: centralized fashion and distributed fashion. However, those two architectures are not well suited for multi-agent system since they cannot achieve the trust management autonomy. To achieve the trust management autonomy, the paper presents an autonomous trust construction model based on graph theory methodology. The presented model adopts the graph to describe the trust information, and uses the graph combination and path searching to construct the trust relation. Every agent can implement trust management autonomously; agent system can construct the global trust concept by the combination of trust information among agents; an agent can achieve the trust relation with other agent by trust path searching or trust negotiation. The simulation experiment results prove that the autonomous trust construction based on graph theory methodology is effective.

Probabilistic Isolation of Malicious Vehicles in Pseudonym Changing VANETs

Privacy is one of the most important security requirements of VANETs. To avoid being tracked, the idea of pseudonym changes is introduced, which leads to a problem that a malicious vehicle can easily create a new identity without being punished. In this paper, we present a probabilistic method to isolate malicious vehicles with the existence of pseudonym in VANETs. The main idea is to use Bloom filters to record both dishonest and trusted nodes, periodically broadcast these feedbacks and thereby receivers can update their own credits. In our scheme, we assume each car has a tamper-proof device (TPD) carrying out secure operations, such as signing and credit updating. Honest majority is also assumed. A mathematical model is presented to securely evaluate the credit of a node itself with the help of TPD. The credit will then be attached to each important message as a proof of the reliability of the message. We also discuss the potential attacks.

Defend mobile agent against malicious hosts in migration itineraries

Agent integrity verification and fault-tolerance are the two prevalent methods among the solutions to the Problem of Malicious Hosts in Mobile agent system. Agent integrity verification enables the owner of the agent to detect upon its return whether a visited host has maliciously altered the state of the agent based on agent integrity verification [6]. A known drawback of such method is that it cannot detect the tampering of agent immediately, and the tampering can be detected only when the agent returned. Agent fault-tolerance is one method that achieves agent fault-tolerance in migration itineraries by agent replication and majority voting [11]. The drawback of such method is that the agent replication and majority voting can produce many agent replicas in every agent migration step, which may cost significant resource and time. Aiming at those drawbacks, the paper incorporates the two methods, and presents a novel agent migration fault-tolerance model based on integrity verification, which can defend mobile agent against malicious hosts in migration itineraries effectively. The novel agent fault-tolerance model cannot only realize the fault-tolerant execution, but also reduce the complexity and resource cost of agent migration communication.

SAID: a self-adaptive intrusion detection system in wireless sensor networks

Intrusion Detection System (IDS) is usually regarded as the second secure defense of network. However, traditional IDS cannot be suitable to deploy in Wireless Sensor Networks (WSN) because of the nature of WSN (e.g. self-origination, resource-constraint, etc). In this paper, we propose a kind of three-logic-layer architecture of Intrusion Detection System (IDS)-SAID by employing the agent technology and thought of immune mechanism. It has two work modes: 1) active work mode to improve the effectiveness and intelligence for unknown attacks; 2) passive work mode to detect and defend known attacks. The basic functions of these three layers, intrusion response, evolution approach of agent and knowledge base are also presented in this paper. Furthermore, we take advantages of local intrusion detection system and distributive & cooperative intrusion detection system to have a tradeoff among the security of WSN and communication overhead. We also design three kinds of light-weight agents: monitor agents, decision agents and defense agents in order to reduce communication overhead, computation complexity and memory cost. The analysis and experiment result illustrate that SAID has nice properties to defend attacks, and suitable to deploy in WSN.

Self-Healing Key Distribution with Revocation and Collusion Resistance for Wireless Sensor Networks

Self-healing key distribution enables users in a large and dynamic group to establish session keys for secure group communication over an unreliable network (e.g., wireless sensor networks). The main property of self-healing key distribution is that the users are capable of recovering lost session keys on their own, without requesting additional transmissions from the group manager. In this paper, we propose a self-healing key distribution scheme with t-revocation and 2t-collusion resistance capabilities for wireless sensor networks. Built on an appropriate security model, our scheme reduces both storage and communication overhead and eliminates the limitations of m sessions when compared with some previous work under the same security model. In addition, we propose a scheme which enables key recovery from a single broadcast message.

MultiPeerCast: A Tree-Mesh-Hybrid P2P Live Streaming Scheme Design and Implementation Based on PeerCast

In this paper, we firstly analyze the mechanism of PeerCast as a P2P live streaming solution. An then, based on the shortcoming analysis of tree-based PeerCast, we propose a improved tree-mesh-hybrid scheme-MultiPeerCast, including Multi-thread media transmission, multiple-to-one overlay network reconstruct, optimized buffer design, media retrieving style changing from push mode to pull mode. As part of experiment work, we discuss an improved P2P live streaming prototype system implementation based on MultiPeerCast. The experiment results verify MultiPeerCast scheme is more stable and efficient than PeerCast. At last, from our research experiences and related survey, we analyze the prospective research direction and challenges in this field.

Implementing a novel load-aware auto scale scheme for private cloud resource management platform

Resources dynamical allocation and management is always an important feature in cloud computing. Auto Scale allows users to scale their cloud resources capacity according to elastic loads timely, which has been widely used in mature public cloud. For private cloud, there are some different features from public cloud. It is more flexible to use Auto Scale technique to provide QoS guarantees and ensure system health. In this paper, we design a novel Auto Load-aware Scale scheme for private cloud environment. We describe scale in and scale out strategy based on prediction algorithm. We implement our scheme on OpenStack platform. Both simulation and experiments are carried out to evaluate our work. The experiments show that our scheme has better performance in resource utilization while providing high SLA levels.