Memory-based dynamic event-triggered control for networked interval type-2 fuzzy systems subject to DoS attacks

In this article, the memory-based dynamic event-triggered controller design issue is investigated for networked interval type-2 (IT2) fuzzy systems under non-periodic denial-of-service (DoS) attacks. For saving limited network bandwidth, a novel memory-based dynamic event-triggered mechanism (DETM) is proposed to schedule data communication. Unlike existing event-triggered generators, the developed memory-based DETM can utilize a series of newly released signals and further save network resources by introducing interval dynamic variables. Moreover, to improve design flexibility, an IT2 fuzzy controller with freely selectable fuzzy rule number and premise membership functions (MFs) is synthesized. Then, a new switched time-delay system with imperfectly matched MFs is established under the consideration of memory-based DETM and DoS attacks simultaneously. Besides, based on the property of MFs, the boundary information of membership grades and slack matrices are introduced in the stability analysis. Furthermore, by using a piecewise Lyapunov–Krasovskii method, membership-functions-dependent criteria are deduced to ensure the asymptotic stability of built fuzzy switched systems. Finally, the effectiveness of proposed control strategies is demonstrated by simulation examples.     

内容中心网络的DoS攻击研究

“内容中心网络”(Content Centric Networking,CCN)是未来互联网架构体系群中极具前景的架构之一。CCN的核心思想在于内容命名,即用户不需要根据数据的地址而仅根据数据的名字来获取目标内容。在设计上,CCN是一种基于拉(pull-based)的网络,即用户为了获取相应的内容,必须向网络发送一个兴趣包(Interest)以便获取同名数据包(Data),也就是说CCN是一个用户驱动的网络。安全对任何一种网络架构来说,都是不容忽视的一个问题,其中,拒绝服务攻击(DoS)是TCP/IP网络中最为常见的攻击手法之一,这里研究了CCN中常见的DoS攻击,并提出了具有针对性的解决方案。     

A non‐repudiable negotiation protocol for security service level agreements

Security service level agreements (SSLAs) provide a systematic way for end users at home or in the office to guarantee sufficient security level when doing business or exchanging sensitive personal or organizational data with an online service. In this paper, we propose an SSLA negotiation protocol that implements non‐repudiation with cryptographic identities and digital signatures and includes features that make it resistant to denial of service attacks. The basic version of the protocol does not rely on the use of a trusted third party, and it can be used for all kinds of simple negotiations. For the negotiation about SSLAs, the protocol provides an option to use an external knowledge base that may help the user in the selection of suitable security measures. We have implemented a prototype of the system, which uses JSON Web Signature for the message exchange and made some performance tests with it. The results show that the computational effort required by the cryptographic operations of the negotiation protocol remains at a reasonable level. Copyright © 2014 John Wiley & Sons, Ltd.     

一体化标识网络映射缓存DoS攻击防范方法研究

为了抵御一体化标识网络中接入路由器可能遭受的映射缓存DoS攻击,本文提出了一种基于双门限机制的映射缓存DoS攻击防范方法.该方法设计了一种基于迭代思想的谜题机制降低映射缓存中映射信息条目的增加速率,并采用了映射信息可信度算法识别和过滤映射缓存中恶意的映射信息条目.仿真实验与性能分析表明,该方法能够有效地抵御映射缓存DoS攻击,防止映射缓存溢出.     

抗DoS攻击的多用户传感器网络广播认证方案

在vBNN-IBS签名基础上提出了一种抗DoS攻击的多用户传感器网络广播认证方案DDA-MBAS,利用散列运算及用户信息进行虚假数据过滤。与现有的多用户传感器网络广播认证方案相比,DDA-MBAS在抵抗节点妥协攻击、主动攻击的基础上,以较低的能耗过滤虚假消息并有效地限制了妥协用户发起的DoS攻击及共谋攻击的安全威胁。     

Modeling denial‐of‐service against pending interest table in named data networking

Named data networking (NDN) has attracted much attention on the design for next generation Internet architecture. Although it embeds some security primitives in its original architecture, it may suffer from denial‐of‐service (DoS) attacks. In this paper, we model one representative type of NDN‐specific DoS attacks named DoS against pending interest table (PIT), or DoS‐PIT, which floods malicious Interests that request nonexistent content to bypass cached content at routers and to exhaust the memory resource for PIT, bringing in severe service degradation. In our proposed analytical model, the closed‐form expressions for the DoS probability for users suffering DoS‐PIT are derived, while considering several important factors of NDN networks such as PIT size, time‐to‐live of each PIT entry, popularity of content, and cache size. Moreover, extensive simulation experiments demonstrate the accuracy of the proposed model on evaluating the damage effect of DoS‐PIT. In addition, the proposed model can be chosen to guide designing effective countermeasures for DoS‐PIT (or attacks with similar way to harm NDN) by properly setting the values of some parameters (e.g., cache size) of each NDN router. Copyright © 2013 John Wiley & Sons, Ltd.     

Dynamic and adaptive detection method for flooding in wireless sensor networks

In recent years, wireless sensor networks (WSNs) have attracted an increasing attention in several fields. However, WSNs must be treated with significant challenges in their design due to their special characteristics such as limited energy, processing power, and data storage that make the energy consumption saving a real challenge. Also, regarding their distributed deployment in open radio frequency and lack of physical security, these networks are vulnerable and exposed to several attacks: passive eavesdropping, active attacks, and identity theft. In this paper, we propose a new method called accordion method to detect and apprehend denial of service attacks in WSNs. This approach is a dynamic and an adaptive method based on using clustering method which allows electing control nodes that analyze the traffic inside a cluster and send warnings to the cluster head whenever an abnormal behavior is suspected or detected. The proposed method relies on the analysis of the evolution of the threshold messages (alerts) sent in the cluster. The proposed method has been evaluated, and the obtained numerical results show its benefit compared with other detection methods.     

低速率拒绝服务攻击研究与进展综述

低速率拒绝服务攻击是新型的拒绝服务攻击,对Internet的安全造成严重的潜在威胁,引起众多研究者的兴趣和重视,成为网络安全领域的重要研究课题之一.自2003年以来,研究者先后刻画了Shrew攻击、降质攻击、脉冲拒绝服务攻击和分布式拒绝服务攻击等多种低速率拒绝服务攻击方式,并提出了相应的检测防范方法.从不同角度对这种新型攻击的基本机理和攻击方法进行了深入的研究;对TCP拥塞控制机制进行了安全性分析,探讨了引起安全问题的原因;对现有的各种各样的LDoS攻击防范和检测方案,从多个方面进行了分类总结和分析评价;最后总结了当前研究中出现的问题,并展望了未来研究发展的趋势,希望能为该领域的研究者提供一些有益的启示.     

一种改进的超轻量级RFID所有权转移协议

针对RFID所有权转移协议中存在的拒绝服务攻击漏洞,提出了一种改进的超轻量级RFID所有权转移协议,并给出了基于GNY逻辑的协议安全性证明。通过改进协议的交互方式,实现了阅读器和标签的双向认证功能,解决了攻击者重放消息造成的拒绝服务攻击漏洞等问题,提高了阅读器和标签在开放环境中通信的保密性。对协议的安全性分析和性能比较分析表明,该协议不仅满足所有权转移的安全要求,而且具有超轻量的特点,适合于移动身份认证环境中的实际应用。     

IPv6与隧道多地址性的DoS攻击放大问题研究

DoS攻击是威胁IPv4网络安全的重要问题之一.随着IPv6的发展,相关安全问题也逐步体现并影响IPv6网络的正常运行.该文指出利用IPv6和隧道主机的多地址性,攻击者可获得大量合法IPv6地址,通过伪装成多个虚拟主机实施对目标设备的DoS攻击.这种攻击具有大量的可用地址范围,且受控于同一真实主机,通过不断使用新地址和多地址间配合,可避开以IP为单位的传统检测与防御策略,并可有效放大攻击节点数目或减少实际攻击节点数量.为此提出了基于地址特征分类的防御框架(defense framework based on addresses classification,DFAC).通过分类不同地址特征,构造特征子集,在特征子集基础上实施对虚拟主机攻击的检测和防御,解决虚拟主机引发的放大问题.原型系统实验结果表明,DFAC有效地降低了上述DoS攻击对系统负载的影响.