Publications catalogue - books
Managing Next Generation Networks and Services: 10th Asia-Pacific Network Operations and Management Symposium, APNOMS 2007, Sapporo, Japan, October 10-12, 2007. Proceedings
Shingo Ata ; Choong Seon Hong (eds.)
In conference: 10th Asia-Pacific Network Operations and Management Symposium (APNOMS). Sapporo, Japan. October 10, 2007 - October 12, 2007
Abstract/Description – provided by the publisher
Not available.
Keywords – provided by the publisher
Not available.
Availability
| Detected institution | Year of publication | Browse | Download | Request |
|---|---|---|---|---|
| Not detected | 2007 | SpringerLink | | |
Information
Resource type:
books
Print ISBN
978-3-540-75475-6
Electronic ISBN
978-3-540-75476-3
Publisher
Springer Nature
Country of publication
United Kingdom
Publication date
2007
Publication rights information
© Springer-Verlag Berlin Heidelberg 2007
Subject coverage
Table of contents
Design of Location Management for Heterogeneous Wireless Networks
Li-Der Chou; Chang-Che Lu; Chyn-Yen Lu
With the rapid development of mobile broadband access network technologies in recent years, 802.11 Wi-Fi, GPRS and 3G access networks have become widely used. Users are mobile in these wireless heterogeneous networks. As users roam, how to rapidly report their current location to the network management center, so that pagers are able to obtain the right user location for establishing communication, has become an important issue. We focus on the architecture and policies of location management for wireless heterogeneous networks. We propose the Geographical Location Registration (GLR) mechanism for location updating and paging, where the location information in wireless heterogeneous networks is maintained to rapidly page other users and to reduce the overall cost. Compared to traditional mechanisms, the proposed GLR mechanism is capable of improving the paging cost by 79%. Besides, as the moving speed of users increases, the paging cost will not increase substantially.
- Session 7: Management of Wireless Networks | Pp. 306-315
Network Architecture and Fast Handover Scheme Using Mobility Anchor for UMTS-WLAN Interworking
Incheol Kim; Sungkuen Lee; Taehyung Lim; Eallae Kim; Jinwoo Park
UMTS-WLAN interworking has attracted many research efforts because each of UMTS and WLAN can maximize its capability in service provisioning. Through UMTS-WLAN internetworking, users can be offered the most suitable services according to service area, and service providers can reduce network building and maintenance costs. In this paper, we propose a network architecture and fast handover scheme using a Mobility Anchor (MA) for UMTS-WLAN interworking. The MA is provided at the boundary between GGSN and PDG, under the 3GPP-proposed interworking reference model. Such an MA can enable authentication and session establishment before L2 handover of the mobile node, so that seamless and fast vertical handover becomes possible. Through computer simulation using OPNET for the performance measurement, the efficiency and validity of the proposed scheme have been examined.
- Session 7: Management of Wireless Networks | Pp. 316-325
Implementation of 802.21 for Seamless Handover Across Heterogeneous Networks
Wonseok Lee; Mun-Seok Kang; Mi-Sook Lim
MIH (Media Independent Handover) [1] is the standard technology of IEEE 802.21. It gives seamless handover to mobile terminals that have multiple wireless interfaces. Recently, many mobile terminals with multiple wireless interfaces have been emerging on the market. Thus, the handover technology, which makes it possible to hand over between heterogeneous networks, is attracting the attention of network operators. In this article, we explain the IEEE 802.21 framework and its laboratory implementation and compare IEEE 802.21-based handover with non-802.21-based handover. We performed laboratory experiments on handover between IEEE 802.11 (WiFi) access networks and IEEE 802.3 (Ethernet) using MIH Functions. We also analyzed and compared 802.21-assisted handover and non-802.21-assisted handover.
- Session 7: Management of Wireless Networks | Pp. 326-333
FPGA-Based Cuckoo Hashing for Pattern Matching in NIDS/NIPS
Thinh Ngoc Tran; Surin Kittitornkun
Pattern matching for network intrusion/prevention detection demands exceptionally high throughput with recent updates to support new attack patterns. This paper describes a novel FPGA-based pattern matching architecture using a recent hashing algorithm called Cuckoo Hashing. The proposed architecture features on-the-fly pattern updates without reconfiguration, more efficient hardware utilization, and higher throughput. Through various algorithmic changes of Cuckoo Hashing, we can implement parallel pattern matching on SRAM-based FPGA. Our system can accommodate the newest rule-set of Snort, an open source Network Intrusion Detection/Prevention System, and achieve the highest utilization in terms of SRAM per character and Logic Cells per character at 15.63 bits/character and 0.033 Logic Cells/character, respectively, on major Xilinx Virtex FPGA architectures. Compared to others, ours is more efficient than any other Xilinx FPGA architectures.
- Session 8: Network Security Management II | Pp. 334-343
ATPS – Adaptive Threat Prevention System for High-Performance Intrusion Detection and Response
Byoungkoo Kim; Seungyong Yoon; Jintae Oh
The fast extension of inexpensive computer networks has increased the problem of unauthorized access and tampering with data. Many NIDSs have been developed to date to respond to these network attacks. As network technology presses forward, Gigabit Ethernet has become the actual standard for large network installations. Therefore, software solutions for developing high-speed NIDSs are increasingly impractical. It thus appears well motivated to investigate hardware-based solutions. Although several solutions have been proposed recently, finding an efficient solution is considered a difficult problem due to limitations in resources such as a small memory size, as well as the growing link speed. In this paper, we propose an FPGA-based intrusion detection technique to detect and respond to variant attacks on high-speed links. It is made possible through a novel pattern matching mechanism and a heuristic analysis mechanism that are processed on FPGA-based reconfigurable hardware. Most of all, it was designed to fully exploit hardware parallelism to achieve real-time packet inspection, and to require only a small memory for storing signatures. The technique is a part of our proposed system, called ATPS (Adaptive Threat Prevention System), recently developed. That is, the proposed system has a hardware architecture that is capable of providing a high-performance detection mechanism.
- Session 8: Network Security Management II | Pp. 344-353
A Practical Approach for Detecting Executable Codes in Network Traffic
Ikkyun Kim; Koohong Kang; YangSeo Choi; Daewon Kim; Jintae Oh; Kijun Han
Research on the detection of zero-day network attacks and on signature generation is highlighted as an issue, as new network attacks break out faster than they can be predicted. In this paper, we propose a very practical method that detects executable code within the network packet payload. It could be used as the key function of signature generation against zero-day attacks or of high-speed anomaly detection. The heuristic method proposed in this paper can be expressed in terms of visually classifying the characteristics of the instruction pattern of executable code. We then generalize this by applying the discrete parameter Markov chain. Our experimental study showed that the presented scheme could find all types of executable code in our experiments.
- Session 8: Network Security Management II | Pp. 354-363
A Visualized Internet Firewall Rule Validation System
Chi-Shih Chao
For security consistency, firewall rule editing, ordering, and distribution must be done very carefully on each of the cooperative firewalls, especially in a large-scale and multi-firewall-equipped network. Nevertheless, a network operator is prone to incorrectly configuring the firewalls because there are typically thousands or hundreds of filtering/admission rules (i.e., rules in the Access Control List file, or ACL for short) which should be set up in a firewall, not to mention that rules which mutually affect one another across firewalls can make the matter worse. For this reason, our work is to build a visualized validation system for checking the security consistency between the firewalls' rule configuration and the demands of network security policies. The system collects the filtering/admission rules (or ACL rules) from all of the firewalls (and routers if they are ACL-configured) in the managed network and then checks whether these rules meet the demands of the global network security policies. The checked/analyzed results are later visualized systematically by our system from different viewpoints for error debugging or anomaly removal. Currently, part of the firewall configuration of our campus network has been used to demonstrate our system's implementation.
- Session 8: Network Security Management II | Pp. 364-374
A Secure Web Services Providing Framework Based on Lock-Keeper
Feng Cheng; Michael Menzel; Christoph Meinel
A general model for securing widely deployed Web Services has been recommended in which the security of Web Services is divided into three layers: network security, host security and the security of the Web Service message, also called SOAP message security. According to the principles of this model, we propose a new secure Web Services Providing Framework based on the Lock-Keeper technology, which is a high-level security solution implementing the basic security concept of "Physical Separation". In the proposed framework, the internal Web Services provider and its network are well protected by being physically isolated from the external world. At the same time, trusted Web Service message based communications can be performed smoothly and securely under the guard of a "SOAP Verification Module", which is integrated in the Lock-Keeper system. The SOAP Verification Module realizes general functionalities of both "Trust Management" and "Threat Prevention" that have been specified by most common WS-Security standards. Experiments demonstrated in this paper show that our proposed framework, which can simultaneously guarantee all three layers of Web Services security, is feasible, applicable and secure.
- Session 8: Network Security Management II | Pp. 375-384
Measurement Analysis of IP-Based Process Control Networks
Young J. Won; Mi-Jung Choi; Myung-Sup Kim; Hong-Sun Noh; Jun Hyub Lee; Hwa Won Hwang; James Won-Ki Hong
This paper presents a measurement study of traffic traces from industrial process control IP networks. We present some interesting and unique traffic characteristics of the IP networks which support the control of manufacturing and precision-control machines. Understanding their traffic behaviors would help us to operate fault-tolerant control IP networks, where the cost of network malfunctioning is far more severe than in ordinary IP data networks. We observe rather steady and cyclic traffic patterns in the collected traces between the control IP network entities, mainly PLCs and process controllers.
- Session 9: Network Monitoring II | Pp. 385-394
On the Use of Anonymized Trace Data for Performance Evaluation in IP Routers
Yusuke Toji; Shingo Ata; Ikuo Oka
For IP routers, it is important for realistic performance evaluation of address lookup algorithms to consider both the routing table and trace data obtained from the target network. However, most of the available trace data are published after anonymizing personal information. Thus, the published trace data cannot be applied directly to estimate the performance of routers. In this paper, we propose a new method for predicting more realistic router performance by using anonymized trace data. As our motivation, we analyze correlations of address space usage between real trace data and the routing table. Based on the analytic results, we also propose a method which transforms IP addresses in trace data by using statistics of address space usage in the routing table. Through trace-driven simulation we show that our method can predict the routers' performance closer to the actual one.
- Session 9: Network Monitoring II | Pp. 395-404