Publication


Featured research published by Yuan-Cheng Lai.


IEEE Computer | 2008

Using String Matching for Deep Packet Inspection

Po-Ching Lin; Ying-Dar Lin; Tsern-Huei Lee; Yuan-Cheng Lai

String matching has sparked renewed research interest due to its usefulness for deep packet inspection in applications such as intrusion detection, virus scanning, and Internet content filtering. Matching expressive pattern specifications with a scalable and efficient design, accelerating the entire packet flow, and string matching with high-level semantics are promising topics for further study.


Journal of Network and Computer Applications | 2009

Review: Application classification using packet size distribution and port association

Ying-Dar Lin; Chun-Nan Lu; Yuan-Cheng Lai; Wei-Hao Peng; Po-Ching Lin

Traffic classification is an essential part in common network management applications such as intrusion detection and network monitoring. Identifying traffic by looking at port numbers is only suitable to well-known applications, while signature-based classification is not applicable to encrypted messages. Our preliminary observation shows that each application has distinct packet size distribution (PSD) of the connections. Therefore, it is feasible to classify traffic by analyzing the variances of packet sizes of the connections without analyzing packet payload. In this work, each connection is first transformed into a point in a multi-dimensional space according to its PSD. Then it is compared with the representative points of pre-defined applications and recognized as the application having a minimum distance. Once a connection is identified as a specific application, port association is used to accelerate the classification by combining it with the other connections of the same session because applications usually use consecutive ports during a session. Using the proposed techniques, packet size distribution and port association, a high accuracy rate, 96% on average, and low false positive and false negative rates, 4-5%, are achieved. Our proposed method not only works well for encrypted traffic but also can be easily incorporated with a signature-based method to provide better accuracy.


IEEE/ACM Transactions on Networking | 2009

Two blocking algorithms on adaptive binary splitting: single and pair resolutions for RFID tag identification

Yuan-Cheng Lai; Chih-Chung Lin

In radio frequency identification (RFID) systems, the reader identifies tags through communication over a shared wireless channel. When multiple tags transmit their IDs simultaneously, their signals collide, increasing the identification delay. Therefore, many previous anti-collision algorithms, including an adaptive query splitting algorithm (AQS) and an adaptive binary splitting algorithm (ABS), focused on solving this problem. This paper proposes two blocking algorithms, a single resolution blocking ABS algorithm (SRB) and a pair resolution blocking ABS algorithm (PRB), based on ABS. SRB not only inherits the essence of ABS which uses the information of recognized tags obtained from the last process of tag identification, but also adopts a blocking technique which prevents recognized tags from being collided by unrecognized tags. PRB further adopts a pair resolution technique which couples recognized tags and thus only needs half time for next identifying these recognized tags. We formally analyze the performance of SRB and PRB. Finally, the analytic and simulation results show that SRB slightly outperforms ABS and PRB significantly surpasses ABS.


Asia-Pacific Web Conference | 2007

Coexistence Proof Using Chain of Timestamps for Multiple RFID Tags

Chih-Chung Lin; Yuan-Cheng Lai; J. D. Tygar; Chuan-Kai Yang; Chi-Lung Chiang

How can an RFID (Radio Frequency Identification Devices) system prove that two or more RFID tags are in the same location? Previous researchers have proposed yoking-proof and grouping-proof techniques to address this problem – and when these turned out to be vulnerable to replay attacks, a new existence-proof technique was proposed. We critique this class of existence-proofs and show it has three problems: (a) a race condition when multiple readers are present; (b) a race condition when multiple tags are present; and (c) a problem determining the number of tags. We present two new proof techniques, a secure timestamp proof (secTS-proof) and a timestamp-chaining proof (chaining-proof) that avoid replay attacks and solve problems in previously proposed techniques.


Computers & Security | 2013

Identifying android malicious repackaged applications by thread-grained system call sequences

Ying-Dar Lin; Yuan-Cheng Lai; Chien-Hung Chen; Hao-Chuan Tsai

Android security has become highly desirable since adversaries can easily repackage malicious codes into various benign applications and spread these malicious repackaged applications (MRAs). Most MRA detection mechanisms on Android focus on detecting a specific family of MRAs or requiring the original benign application to compare with the malicious ones. This work proposes a new mechanism, SCSdroid (System Call Sequence Droid), which adopts the thread-grained system call sequences activated by applications. The concept is that even if MRAs can be camouflaged as benign applications, their malicious behavior would still appear in the system call sequences. SCSdroid extracts the truly malicious common subsequences from the system call sequences of MRAs belonging to the same family. Therefore, these extracted common subsequences can be used to identify any evaluated application without requiring the original benign application. Experimental results show that SCSdroid falsely detected only two applications among 100 evaluated benign applications, and falsely detected only one application among 49 evaluated malicious applications. As a result, SCSdroid achieved up to 95.97% detection accuracy, i.e., 143 correct detections among 149 applications.


IEEE Communications Letters | 2008

A Pair-Resolution Blocking Algorithm on Adaptive Binary Splitting for RFID Tag Identification

Yuan-Cheng Lai; Chih-Chung Lin

For RFID tag identification, this research proposes a novel anti-collision method, the Pair-Resolution Blocking algorithm (PRB). It inherits the essence of a previous algorithm, the Adaptive Binary Splitting algorithm (ABS), and thus uses the information of recognized tags obtained from the last process of tag identification. Furthermore, PRB adopts a blocking technique which prevents recognized tags from being collided by unrecognized tags and utilizes a pair resolution technique which couples recognized tags to significantly reduce the identification delay. The analytical and simulation results show that PRB significantly outperforms ABS.


IEEE Network | 2007

Taxonomy and Evaluation of TCP-Friendly Congestion-Control Schemes on Fairness, Aggressiveness, and Responsiveness

Shih-Chiang Tsao; Yuan-Cheng Lai; Ying-Dar Lin

Many TCP-friendly congestion control schemes have been proposed to pursue the TCP-equivalence criterion, which states that a TCP-equivalent flow should have the same throughput with TCP if it experiences identical network conditions as TCP. Additionally, the throughput should converge as fast as TCP when the packet-loss conditions change. This study classifies eight typical TCP-friendly schemes according to their underlying policies on fairness, aggressiveness, and responsiveness. The schemes are evaluated to verify whether they meet TCP-equivalence and TCP-equal share. TCP-equal share is a more realistic but more challenging criterion than TCP-equivalence and states that a flow should have the same throughput with TCP if competing with TCP for the same bottleneck. Simulation results indicate that one of the selected schemes, TCP-friendly rate control (TFRC), meets both criteria under more testing scenarios than the others. Additionally, the results under non-periodic losses, low-multiplexing, two-state losses, and bursty losses reveal the causes that bring fault cases to the schemes. Finally, appropriate policies are recommended for an ideal scheme.


IEEE Communications Letters | 2010

General binary tree protocol for coping with the capture effect in RFID tag identification

Yuan-Cheng Lai; Ling-Yen Hsiao

Tag anti-collision is an important issue in RFID systems because the reader must recognize all tags efficiently. In RFID wireless communication systems, tag identification will encounter the capture effect, where a reader decodes a tag ID even when multiple tags simultaneously transmit their signals. This letter proposes a tag anti-collision algorithm - the generalized binary tree protocol (GBT). GBT separates the identification process into several binary tree (BT) cycles to solve the problem caused by the capture effect. Unrecognized tags, hidden by the capture effect in a BT cycle, will be identified in subsequent cycles. The formal analysis of identification delay for GBT is derived and simulation and analytical results show that GBT significantly outperforms other existing algorithms.


Wireless Communications and Networking Conference | 2008

A Latency and Modulation Aware Bandwidth Allocation Algorithm for WiMAX Base Stations

Yi-Neng Lin; Che-Wen Wu; Ying-Dar Lin; Yuan-Cheng Lai

The mobile WiMAX systems based on IEEE 802.16e-2005 provide high data rate for the mobile wireless network. However, the link quality is frequently unstable owing to the long-distance and air interference and therefore impacts real-time applications. Thus, a bandwidth allocation algorithm is required to be modulation-aware, while further satisfying the latency guarantee, service differentiation and fairness. This work proposes the Highest Urgency First (HUF) algorithm to conquer the above challenges by taking into consideration the adaptive modulation and coding scheme (MCS) and the urgency of requests. Downlink and uplink sub-frames are determined by reserving the bandwidth for the most urgent requests and proportionating the remaining bandwidth for others. Then, independently in the downlink and uplink, the HUF allocates bandwidth to every mobile station according to a pre-calculated U-factor which considers urgency, priority and fairness. Simulation results prove the HUF is modulation-aware and achieves the above three objectives, notably the zero violation rate within system capacity as well as the throughput paralleling to the best of the existing approaches.


IEEE Communications Magazine | 2012

Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems

Cheng-Yuan Ho; Yuan-Cheng Lai; I-Wei Chen; Fu-Yu Wang; Wei-Hsuan Tai

False positives and false negatives happen to every intrusion detection and intrusion prevention system. This work proposes a mechanism for false positive/negative assessment with multiple IDSs/IPSs to collect FP and FN cases from real-world traffic and statistically analyze these cases. Over a period of 16 months, more than 2000 FPs and FNs have been collected and analyzed. From the statistical analysis results, we obtain three interesting findings. First, more than 92.85 percent of false cases are FPs even if the numbers of attack types for FP and FN are similar. That is mainly because the behavior of applications or the format of the application content is self-defined; that is, there is not complete conformance to the specifications of RFCs. Accordingly, when this application meets an IDS/IPS with strict detection rules, its traffic will be regarded as malicious traffic, resulting in a lot of FPs. Second, about 91 percent of FP alerts, equal to about 85 percent of false cases, are not related to security issues, but to management policy. For example, some companies and campuses limit or forbid their employees and students from using peer-to-peer applications; therefore, in order to easily detect P2P traffic, an IDS/IPS is configured to be sensitive to it. Hence, this causes alerts to be triggered easily regardless of whether the P2P application has malicious traffic or not. The last finding shows that buffer overflow, SQL server attacks, and worm slammer attacks account for 93 percent of FNs, even though they are aged attacks. This indicates that these attacks always have new variations to evade IDS/IPS detection.

Collaboration

Top Co-Authors

Ying-Dar Lin (National Chiao Tung University)

Po-Ching Lin (National Chung Cheng University)

Jian-Wei Lin (National Taiwan University of Science and Technology)

Yen-Hung Chen (National Taiwan University of Science and Technology)

Arthur Chang (National Taiwan University of Science and Technology)

Yi-Neng Lin (National Chiao Tung University)

Chun-Nan Lu (National Chiao Tung University)

Edward T.-H. Chu (National Yunlin University of Science and Technology)

Yu-Chin Szu (National Taiwan University of Science and Technology)