Publications catalogue - books



Cryptology and Network Security: 4th International Conference, CANS 2005, Xiamen, China, December 14-16, 2005, Proceedings

Yvo G. Desmedt ; Huaxiong Wang ; Yi Mu ; Yongqing Li (eds.)

In conference: 4th International Conference on Cryptology and Network Security (CANS). Xiamen, China. December 14, 2005 - December 16, 2005

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Computer Communication Networks; Data Encryption; Operating Systems; Management of Computing and Information Systems; Computers and Society; Algorithm Analysis and Problem Complexity

Availability
Detected institution Year of publication Browse Download Request
Not detected 2005 SpringerLink

Information

Resource type:

books

Print ISBN

978-3-540-30849-2

Electronic ISBN

978-3-540-32298-6

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer-Verlag Berlin Heidelberg 2005

Table of contents

A Novel Method to Maintain Privacy in Mobile Agent Applications

Kun Peng; Ed Dawson; Juanma Gonzalez Nieto; Eiji Okamoto; Javier López

Two methods to implement privacy in network communication, anonymity and DCSC (data confidentiality and secure computation) are analysed and compared in regard to privacy in mobile agent applications. It is illustrated that privacy through DCSC is more suitable in mobile agent applications. To support this conclusion, privacy is concretely implemented in a bidding mobile agent scheme in this paper. Success of this example demonstrates that privacy can be practically achieved in mobile agent applications through DCSC without compromising the advantage of mobile agent.

- Privacy and Tracing | Pp. 247-260

Non-expanding Transaction Specific Pseudonymization for IP Traffic Monitoring

Lasse Øverlier; Tønnes Brekne; André Årnes

This paper presents a scheme for transaction pseudonymization of IP address data in a distributed passive monitoring infrastructure. The approach provides high resistance against traffic analysis and injection attacks, and it provides a technique for gradual release of data through a key management scheme. The scheme is non-expanding, and it should be suitable for hardware implementations for high-bandwidth monitoring systems.

- Privacy and Tracing | Pp. 261-273

Revaluation of Error Correcting Coding in Watermarking Channel

Limin Gu; Yanmei Fang; Jiwu Huang

Robustness is one of the most important issues in digital watermarking. By modeling digital watermarking as digital communications, several researchers proposed using error correcting coding (ECC) to improve watermark robustness. However, the following important facts are neglected. i) The robust watermark channel suffers from a very high bit error ratio (BER), which may exceed the capability of ECC; ii) Due to the imperceptibility requirement, the redundancy introduced by ECC will lead to a decrease of the watermark magnitude. Could the usage of ECC effectively improve the robustness of watermark? This paper addresses this problem from the perspectives of both theoretical analysis and experiments. Our investigation shows that ECC cannot effectively improve the robustness of watermarking against a vast majority of various attacks except for cropping and jitter attacks. Hence, ECC should not be considered as a universal method applied to enhance the watermark robustness.

- Information Hiding | Pp. 274-287

On the Performance and Analysis of DNS Security Extensions

Reza Curtmola; Aniello Del Sorbo; Giuseppe Ateniese

The Domain Name System (DNS) is an essential component of the critical infrastructure of the Internet. The role of DNS is vital, as it is involved in virtually every Internet transaction. It is sometimes remarked that DNS works well as it is now and any changes to it may disrupt its functionality and add complexity. However, due to its importance, an insecure DNS is unacceptable for current and future networks. The astonishing simplicity of mounting an attack against the DNS and the damaging potential of such an attack should convince practitioners and system administrators to employ a secure version of DNS. However, security comes with a cost. In this paper, we examine the performance of two proposals for secure DNS and we discuss the advantages and disadvantages of both. In particular, we analyze the impact that security measures have on the performance of DNS. While it is clear that adding security will lower DNS performance, our results show that the impact of security can be mitigated by deploying different security extensions at different levels in the DNS tree.

We also describe the first implementation of the SK-DNSSEC [1] protocol. The code is freely downloadable and released under an open-source license.

- Firewalls, Denial of Service and DNS Security | Pp. 288-303

On Securing RTP-Based Streaming Content with Firewalls

Liang Lu; Rei Safavi-Naini; Jeffrey Horton; Willy Susilo

Delivery of real-time streaming content is an increasingly important Internet application. Applications involved in processing streaming content may have exploitable vulnerabilities, as many other applications have been discovered to have, and using a firewall to filter out malicious traffic may provide some benefit. However, as these applications largely rely on traffic carried by RTP/UDP, firewalls that are unaware of the behaviour of RTP data streams have difficulties in filtering out malicious traffic injected into a stream by an attacker. In this paper, we observe a vulnerability in the current RTP protocol which allows an attacker to inject malicious traffic into a data stream, and present a scheme that allows a stateful firewall that keeps state from RTP packets to detect such malicious traffic. Our technique uses non-static fields such as RTP sequence numbers to improve the inspection scheme by modelling streaming traffic and detecting malicious streams based on deviation for this model. We show effectiveness of our approach by giving the results of our experiments.

- Firewalls, Denial of Service and DNS Security | Pp. 304-319

Safeguard Information Infrastructure Against DDoS Attacks: Experiments and Modeling

Yang Xiang; Wanlei Zhou

Nowadays Distributed Denial of Service (DDoS) attacks have become one of the most serious threats to the information infrastructure. In this paper we firstly present a new filtering approach, Mark-Aided Distributed Filtering (MADF), which is to find the network anomalies by using a back-propagation neural network, deploy the defense system at distributed routers, identify and filter the attack packets before they can reach the victim; and secondly propose an analytical model for the interactions between DDoS attack party and defense party, which allows us to have a deep insight of the interactions between the attack and defense parties. According to the experimental results, we find that MADF can detect and filter DDoS attack packets with high sensitivity and accuracy, thus providing high legitimate traffic throughput and low attack traffic throughput. Through the comparison between experiments and numerical results, we also demonstrate the validity of the analytical model that can precisely estimate the effectiveness of a DDoS defense system before it encounters different attacks.

- Firewalls, Denial of Service and DNS Security | Pp. 320-333

Distributed Credential Chain Discovery in Trust-Management with Parameterized Roles

Xian Zhu; Shaobin Wang; Fan Hong; Junguo Liao

Trust-management subjects face the problem of discovering credential chains. In this paper, the distributed credential chain discovery algorithms in trust-management with parameterized roles are proposed. The algorithms extend the RT’s and are goal-oriented also. Based on the concept of parameterized roles in RT, they search the credential graph via the constant matching and variable solving mechanisms. The algorithms can perform chain discovery in most trust-management systems and can support the protection of access control policies during automated trust negotiation. Soundness and completeness of the algorithms are given.

- Trust Management | Pp. 334-348