Yulong Fu
Xidian University
Publication
Featured research published by Yulong Fu.
IEEE Systems Journal | 2014
Yulong Fu; Ousmane Koné
Network protocols are the basis of network communication, and security concerns about protocol aspects are always important and useful in network systems. For the past two decades, the methods of protocol testing have been used to verify the functional conformance between the network specifications and the implementations. In this paper, we extend protocol testing methods by considering the robustness of the network protocols. We suggest a method for modeling network systems with concurrent components and propose a robustness testing approach to evaluate the system security. A new definition of Glued IOLTS is used to define this kind of system, and an algorithm for robustness test case generation is given. A case study with the RADIUS protocol is presented.
DPM'11 Proceedings of the 6th international conference, and 4th international conference on Data Privacy Management and Autonomous Spontaneous Security | 2011
Yulong Fu; Ousmane Kone
Networked systems mainly consist of autonomous components conforming to the network protocols. Those concurrent and networked components are potentially to be attacked by malicious users. They have to implement some mechanisms to avoid the possible threatening requests aimed at disrupting or crashing the system, and then provoke some denial of service attack. In this paper, we address this problem. We suggest a method to model this kind of components and we propose a robustness testing approach to evaluate the system security. A new definition of Glued_IOLTS is used to define this kind of system and an algorithm for robustness testing cases generation is given. A case study with the RADIUS protocol is presented.
ICGS3/e-Democracy | 2011
Yulong Fu; Ousmane Kone
In this paper one type of the security problem of DoS (Denial of Service) is studied and transformed to check the robustness of a multiple components system. The network components like attackers, normal clients and the network devices are modeled as implementations of the testing system. And by evaluating the system’s robustness, the potential design defects can be detected. The methods on robustness testing of multiple components are studied, and a new model of Glued-IOLTS (Labelled Transition System) is given for defining this kind of multiple and networked system. Then a new approach and algorithm are given for generating the robustness test cases automatically.
Journal of Network and Computer Applications | 2018
Jin Cao; Maode Ma; Hui Li; Yulong Fu; Xuefeng Liu
Future fifth generation (5G) wireless network will be flexible, open, and highly heterogeneous with densified small cell deployment and overlay coverage. The design of the access authentication for massive machine type communication (mMTC) devices in 5G heterogeneous networks is the challenging issue to achieve 5G applications security due to stringent latency and concurrent access requirements for 5G multi-tier architecture. The current roaming authentication mechanisms between Long Term Evolution-Advanced (LTE-A) network and Wireless Local Area Network (WLAN) proposed by 3GPP incur several protocol attacks with unacceptable delay for real-time mMTC applications. In this paper, we propose secure and efficient group-based handover authentication and re-authentication protocols for mMTC in 5G wireless networks when mMTC devices simultaneously roam into the new networks. Our proposed protocols outperform the standard mechanisms and other related protocols in terms of authentication signaling overhead and bandwidth consumption with robust handover security requirements. The BAN logic and the formal verification tool by using the AVISPA and SPAN show that our proposed protocols are secure against various malicious attacks.
Computers & Security | 2013
Yulong Fu; Ousmane Koné
Protocol security testing can verify and find the potential defects of protocols and their implementations to avoid possible threatening request attacks. It requires concrete experiment against a real, physical implementation. But with the growing complexity of the protocol, added to the multiplicity of possible malicious inputs, the combination of scenarios to be computed will increase to an explosive speed and become the main problem. To address this, we use the concept of Security Objectives to Protocol Security Testing, to generate the test cases on-the-fly. We propose the model, the approach and the algorithm for this protocol verification method and we present a case study with an authentication service.
Security and Communication Networks | 2018
Guoquan Li; Zheng Yan; Yulong Fu; Hanlu Chen
Rapid progress of networking technologies leads to an exponential growth in the number of unauthorized or malicious network actions. As a component of defense-in-depth, Network Intrusion Detection System (NIDS) has been expected to detect malicious behaviors. Currently, NIDSs are implemented by various classification techniques, but these techniques are not advanced enough to accurately detect complex or synthetic attacks, especially in the situation of facing massive high-dimensional data. Besides, the inherent defects of NIDSs, namely, high false alarm rate and low detection rate, have not been effectively solved. In order to solve these problems, data fusion (DF) has been applied into network intrusion detection and has achieved good results. However, the literature still lacks thorough analysis and evaluation on data fusion techniques in the field of intrusion detection. Therefore, it is necessary to conduct a comprehensive review on them. In this article, we focus on DF techniques for network intrusion detection and propose a specific definition to describe it. We review the recent advances of DF techniques and propose a series of criteria to compare their performance. Finally, based on the results of the literature review, a number of open issues and future research directions are proposed at the end of this work.
Network and System Security | 2017
Hanlu Chen; Yulong Fu; Zheng Yan
With the development of network technologies such as IoTs, D2D and SDN/NFV, etc., convenient network connections with various networks have stepped into our social life, and make the Cyber Space become a fundamental infrastructure of the modern society. The crucial importance of network security has raised the requirement of security measurement on a heterogeneous networking system. However, the research on this topic is still in its infancy. According to the existing security evaluation schemes of intrusion and malware detection, we believe the network data related to security should be the key for effective network security measurement. A study of the algorithms in terms of data analysis for Data Dimension Reduction, Data Classification and Data Composition becomes essential and urgent for achieving the goal of network security measurement. In this paper, we focus on the problem of big data analysis methods for security measurement, and mainly investigate the existing algorithms in different processes of big data analysis. We also evaluate the existing methods in terms of accuracy, validity and their support on security related data analysis. Through survey, we indicate open issues and propose future research trends in the field of network security measurement.
Mobile Information Systems | 2017
Yulong Fu; Zheng Yan; Jin Cao; Ousmane Koné; Xuefei Cao
Internet of Things (IoT) transforms network communication to Machine-to-Machine (M2M) basis and provides open access and new services to citizens and companies. It extends the border of Internet and will be developed as one part of the future 5G networks. However, as the resources of IoT’s front devices are constrained, many security mechanisms are hard to be implemented to protect the IoT networks. Intrusion detection system (IDS) is an efficient technique that can be used to detect the attackers when cryptography is broken, and it can be used to enforce the security of IoT networks. In this article, we analyzed the intrusion detection requirements of IoT networks and then proposed a uniform intrusion detection method for the vast heterogeneous IoT networks based on an automata model. The proposed method can detect and report the possible IoT attacks with three types: jam-attack, false-attack, and reply-attack automatically. We also design an experiment to verify the proposed IDS method and examine the attack of RADIUS application.
Computers & Security | 2017
Yulong Fu; Zheng Yan; Hui Li; Xiao Long Xin; Jin Cao
5G refers to the next generation of telecommunication techniques facing the year of 2020. It aims to offer 100 times faster data transmission rate than current Long Term Evolution (LTE) networks. To achieve this goal, recent research proposed to apply the interoperability among heterogeneous wireless networks to improve the data rate. However, such an approach to detecting free bandwidths and efficiently managing forwarding packets is still in its infancy. In this article, we propose a Multiple Radio Access Networks (Multi-RANs) parallel accessing architecture (named SDN-5G) by importing Software Defined Networking (SDN). It can optimally utilize the multiple RAN capabilities of mobile devices to improve the data transmission rate. Moreover, we analyze the security of the proposed architecture, list possible security threats, and design a number of security schemes to protect the proposed SDN-5G networks. We also give the security proofs of each scheme with Burrows-Abadi-Needham (BAN) logic, and verify the security of the mutual authentication and key distributions of the proposed SDN-5G architecture.
Workshop on Information Security Applications | 2015
Yulong Fu; Ousmane Koné
Finite transition models such as Automata, Labeled Transition System, have been widely used to model and analyze the complex system and protocol implementations. Those methods model the systems with states and transitions, and present them with a reachable graph. Properties of the systems such as conformance, robustness, and interoperability, can be verified through the test cases, which are generated from those reachable graphs. But these methods are still hard to adopt the requirements of security protocols, because first of all, in the classic definition of transition model, the non-negligible security properties (such as nonce, encryption etc.) cannot be described and analyzed. In addition, security protocols usually need to concern the malicious actions from the probable intruders, which is also an obstacle to classical transition based modeling. In this article, we firstly extend the standard Input Output Labeled Transition System (IOLTS) model to a secure and glued IOLTS (SG IOLTS) model, which can include security properties and their associated security functions. Then we propose a general finite intruder model, which makes the final reachable graph of the whole system contains the malicious actions from intruders. A corresponding algorithm for automatic test generation is also given and an example of verifying Needham-Schroeder-Lowe (NSL) protocol is proposed in the end.