
    Secure multicast in wireless networks

    Multicast services and wireless interconnection networks are among the emerging technologies of the last decade. A significant amount of research has been separately performed in the areas of secure multicast and wireless interconnection networks. In this paper we investigate the issues of designing secure multicast services in wireless mobile environments for dynamic groups and propose protocols for key management for a variety of scenarios. Our solution decouples mobility management from group dynamics management, by taking into account the level of trust in the support stations. In particular, we show that protocol efficiency on the mobile host side can be traded-off with the level of trust in the support stations

    Adding availability to log services of untrusted machines

    Uncorrupted log files are the critical system component for computer forensics in case of intrusion and for real time system monitoring and auditing. Protection from tampering with information can be achieved using cryptographic functions that provide authenticity, integrity, and confidentiality. However, they cannot provide the prerequisite for any further information processing, i.e., information availability. In this case, fault tolerant strategies can be of great help improving information availability in case of accidental or deliberate deletion. In this paper we propose a system that increases log files availability in case of software deletion by reliably and efficiently distributing the logs on multiple independent machines. The proposed scheme is more efficient than simple replication, both from the storage space and the network bandwidth points of view. The proposed system has been implemented and its impact on performance has been measured. Since it operates as a postprocessor after log generation, the proposed system can be easily integrated with logging systems that provide various cryptographic functions for forensic purposes

    A quantitative study of Public Key infrastructures

    Public Key Infrastructures have not reached the widespread diffusion expected of them, although they are well understood from a security point of view, because, like many say, the killer application has not been found yet. The lack of a clear understanding of the performance of these systems also contributes significantly to their limited diffusion. Studies have appeared of specific aspects of the operations of PKIs, but no complete studies of the overall system are known. In this paper we present an evaluation study of X.509-compliant Public Key Infrastructures using queuing network models. We focus our analysis on the performance of the subsystem in charge of generating and managing digital certificates, under a variety of load conditions, both in terms of the type of requests and their number. We also investigate the impact on the performance of the system of some implementation choices such as revocation mechanisms and auditing activities. The main result of our analysis is that the system we consider, given the current state of technology, can guarantee acceptable response time in steady state even in the presence of PKI with a consistent number of users. However, in order to guarantee such a performance level, throughput must not exceed 3.5 requests per second, where a request can be a certificate generation or revocation request. Such a limitation hinders the deployment of PKIs with large numbers of users, since recovering after a system compromise may require an unacceptable amount of time

    S-ARP : a secure address resolution protocol

    Tapping into the communication between two hosts on a LAN has become quite simple thanks to tools that can be downloaded from the Internet. Such tools use the address resolution protocol (ARP) poisoning technique, which relies on hosts caching reply messages even though the corresponding requests were never sent. Since no message authentication is provided, any host of the LAN can forge a message containing malicious information. We present a secure version of ARP that provides protection against ARP poisoning. Each host has a public/private key pair certified by a local trusted party on the LAN, which acts as a certification authority. Messages are digitally signed by the sender, thus preventing the injection of spurious and/or spoofed information. As a proof of concept, the proposed solution was implemented on a Linux box. Performance measurements show that PKI based strong authentication is feasible to secure even low level protocols, as long as the overhead for key validity verification is kept small

    Disarming offense to facilitate defense

    Computer security has traditionally focused on system defense, concentrating on protection and recovery of victim machines. Moving from the opposite perspective, we propose a complementary approach that focuses on limiting the attacking capabilities of the hosts. Software design and implementation weaknesses usually are at the basis of computer offensive capacities. Since software redesign or patching on an extensive basis is not possible, we propose the adoption of a filtering strategy to block abuse attempts at the originating machines. As an example, applications of such an approach are presented at host level, in order to prevent root compromise attacks, and at network level, in order to prevent DoS attacks, among others. The proposed solution is not a silver bullet and could be bypassed by sophisticated users. However, we believe it can effectively restrain the offensive capabilities of hosts that could be easily seized by crackers. We discuss the pros and cons of the proposed solution and present an application to host and network security

    Voice over IPsec : analysis and solutions

    In this paper we present the results of the experimental analysis of the transmission of voice over secure communication links implementing IPsec. Critical parameters characterizing the real-time transmission of voice over an IPsec-ured Internet connection, as well as techniques that could be adopted to overcome some of the limitations of VoIPsec (Voice over IPsec), are presented. Our results show that the effective bandwidth can be reduced up to 50% with respect to VoIP in case of VoIPsec. Furthermore, we show that the cryptographic engine may hurt the performance of voice traffic because of the impossibility to schedule the access to it in order to prioritize traffic. We present an efficient solution for packet header compression, which we call cIPsec, for VoIPsec traffic. Simulation results show that the proposed compression scheme significantly reduces the overhead of packet headers, thus increasing the effective bandwidth used by the transmission. In particular, when cIPsec is adopted, the average packet size is only 2% bigger than in the plain case (VoIP), which makes VoIPsec and VoIP equivalent from the bandwidth usage point of view

    AngeL : a tool to disarm computer systems

    In this paper we present a tool designed to intercept attacks at the host where they are launched so as to block them before they reach their targets. The tool works both for attacks targeted on the local host and on hosts connected to the network. In the current implementation it can detect and block more than 70 attacks as reported in the literature. The tool is based on the idea of improving the overall security of the Internet by connecting disarmed systems, i.e., hosts that cannot launch attacks against other hosts. Such a strategy was presented in [4]. Here we present an extended version of the tool that has been engineered to consider a wide variety of attacks and to run on various releases of the Linux kernel and the experience learned in building such a tool. A protection mechanism of the tool itself that prevents its removal is also implemented. Experimental results of the impact of the tool on system performance show that the overhead introduced by the tool is negligible from the user's perspective, thus it is not expected to be a hindrance to the successful deployment of the tool

    A tool for pro-active defense against the buffer overrun attack

    The problem of buffer overruns, i.e., writing past the end of an array, in C programs has been known since the early seventies as one of the possible consequences of the C language data integrity philosophy. Since the late eighties, when computer security incidents started affecting the Internet, it has been clear that buffer overruns are a powerful threat to system security as they allow ordinary users to gain superuser privileges on Unix systems. Nowadays, buffer overruns are one of the most popular exploits in the hacker scene. In this paper we present a tool for the automatic detection of buffer overrun vulnerabilities in object code. It can be applied to operating system components as well as ordinary programs. The tool is aimed at helping system administrators eliminate vulnerable programs before they are exploited. A fully working prototype for HP-UX and Linux systems is currently available. Extensions are planned for other Unix versions

    Going Beyond Counting First Authors in Author Co-citation Analysis

    The present study examines one of the fundamental aspects of author co-citation analysis (ACA) - the way co-citation counts are defined. Co-citation counting provides the data on which all subsequent statistical analyses and mappings are based, and we compare ACA results based on two different types of co-citation counting - the traditional type that only counts the first one among a cited work's authors on the one hand and a non-traditional type that takes into account the first 5 authors of a cited work on the other hand. Results indicate that the picture produced through this non-traditional author co-citation counting contains more coherent author groups and is therefore considerably clearer. However, this picture represents fewer specialties in the research field being studied than that produced through the traditional first-author co-citation counting when the same number of top-ranked authors is selected and analyzed. Reasons for these effects are discussed