Similar literature
1.
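To detect and block malicious nodes that attack mobile ad hoc networks by masquerading as new trusted nodes, this paper proposes a hierarchical security protocol for message authentication and encryption (HiMAC). The protocol uses hierarchical message authentication codes to protect data propagation in mobile ad hoc networks. Trusted routes are computed dynamically as intermediate nodes forward packets between source and destination, and every intermediate node signs and encrypts the packet, which prevents attackers from tampering with packets or modifying their hop counts and achieves trusted data transmission. HiMAC was tested in the NS2 simulator using the RSA algorithm from the Crypto++ library. The results show that HiMAC can detect and block attacks on MANET nodes and packets; compared with the original A-SAODV security mechanism, HiMAC reduces the average hop count by 47.1% and the average queue length by 35.5%, and lowers the number of packets per node by a factor of 2.5, clearly outperforming A-SAODV. Although HiMAC's cryptographic operations add overhead to the routing protocol, HiMAC establishes secure routes dynamically on the basis of a trust mechanism, so nodes can dynamically choose the next node on the path without having to maintain a secure route at all times, and the added and reduced overheads in HiMAC offset each other and reach a balance.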

2.
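A mobile ad hoc network, also called a mobile self-organizing network or multi-hop network, is a special kind of network that temporarily interconnects multiple mobile terminals within a limited range without relying on central management. Because of the particular nature of ad hoc networks, the design of their routing protocols differs greatly from that of traditional fixed networks, and the protocols are numerous; DSR is one of them. DSR, also known as the Dynamic Source Routing protocol, is one of the routing protocols for ad hoc networks. Its main feature is that every packet sent carries complete, ordered routing information, and packet delivery relies on that routing information. This article introduces how the DSR protocol works in ad hoc networks, proposes a new attack model against its security, the packet attack, and, through simulation experiments, gives detection methods and defense strategies for the packet attack that can successfully discover and effectively hinder it.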

3.
ABSTRACT

Security is an essential service for mobile network communications. Routing plays an important role in the security of mobile ad hoc networks (MANETs). A wide variety of attacks target the weaknesses of MANETs. By attacking the routing protocols, attackers can absorb network traffic, injecting themselves into the path between the source and destination. The black hole attack is one of the routing attacks, in which a malicious node advertises itself as having the shortest path to all nodes in the network by sending a fake route reply. In this paper, a defense scheme for detecting black hole nodes is proposed. The detection is based on the timing information and destination sequence numbers maintained in the Neighborhood Route Monitoring Table. The table maintains a record of the time of reply. A black hole node will send a route reply message without checking the routing table as a legitimate node normally does. This reduced reply time is used to detect the black hole node. To improve the security further, the destination sequence number is checked against a threshold value, which is dynamically updated. The simulation results demonstrate that the protocol not only detects the black hole attack but also improves the overall performance.

4.
Recent research efforts have shown that wireless networks can benefit from network coding (NC) technology in terms of bandwidth, robustness to packet losses, delay and energy consumption. However, NC-enabled wireless networks are susceptible to a severe security threat, known as the data pollution attack, where a malicious node injects into the network polluted packets that prevent the destination nodes from decoding correctly. Because of the recoding that occurs at the intermediate nodes, according to the core principle of NC, the polluted packets propagate quickly into other packets and corrupt bunches of legitimate packets, leading to wasted network resources. Hence, a lot of research effort has been devoted to schemes against data pollution attacks. Homomorphic MAC-based schemes are a promising solution against data pollution attacks. However, most of them are susceptible to a new type of pollution attack, called the tag pollution attack, where an adversary node randomly modifies tags appended to the end of the transmitted packets. Therefore, in this paper, we propose an efficient homomorphic message authentication code-based scheme, called HMAC, providing resistance against data pollution attacks and tag pollution attacks in NC-enabled wireless networks. Our proposed scheme makes use of three types of homomorphic tags (i.e., MACs, D-MACs and one signature) which are appended to the end of the coded packet. Our results show that the proposed HMAC scheme is more efficient than other competitive tag pollution immune schemes in terms of complexity, communication overhead and key storage overhead.

5.
A mobile ad hoc network (MANET) is a continuously self-configuring, infrastructure-less network of wireless mobile devices, in which multicast is one of the efficient ways of communication. Currently, several studies have been conducted to design multicast routing protocols for wireless mobile ad hoc networks (MANETs). Multicasting is a technique that allows the same message to be sent to a group of destinations simultaneously. However, its implementation in ad hoc networks faces several challenges due to their dynamic nature, lack of bandwidth, and the short battery lifetime of the mobile devices. The multicast routing protocol MAODV has several constraints, as mentioned above. Hence, to address these constraints, a reliable neighbour node selection scheme has been integrated over MAODV. This paper attempts a Quality of Service (QoS) based multicast routing protocol using a reliable neighbour node selection scheme (QMRPRNS) for the same. A simulation has been conducted to compare the performance of the proposed scheme against some existing multicast routing protocols, and it shows significant improvement over EMAODV and MAODV.

6.
马江涛  王艳军 《计算机工程》2011,37(12):107-109
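To address the vulnerability of mobile ad hoc networks to wormhole attacks, this paper proposes MSRP, a secure routing protocol based on the Optimized Link State Routing protocol, which includes neighbor detection, identity authentication, and communication key negotiation, and explores how to solve the security problems in the OLSR protocol while balancing security and performance. Using an MCPK-based secure routing protocol, it prevents wormhole attacks by introducing a security verification mechanism in the OLSR neighbor detection phase. Experimental results show that as the length of the encrypted tunnel increases, the wormhole attack detection rate rises markedly, and the protocol can prevent and detect wormhole attacks well.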

7.
Mobile ad hoc networks (MANETs) are mobile networks that are automatically spread out over a geographically limited region, without requiring any preexisting infrastructure. Mostly, nodes are both self-governed and self-organized without requiring central monitoring. Because of their distributed characteristic, MANETs are vulnerable to a particular routing misbehavior, called the wormhole attack. In a wormhole attack, one attacker node tunnels packets from its position to the other attacker nodes. Such a wormhole attack results in a fake route with a lower hop count. If the source node selects this fictitious route, attacker nodes have the option of delivering the packets or dropping them. For this reason, this paper proposes an improvement over the AODV routing protocol to design a wormhole-immune routing protocol. The proposed protocol, called defending against wormhole attack (DAWA), employs a fuzzy logic system and an artificial immune system to defend against wormhole attacks. DAWA is evaluated through extensive simulations in the NS-2 environment. The results show that DAWA outperforms other existing solutions in terms of false negative ratio, false positive ratio, detection ratio, packet delivery ratio, packet loss ratio and packet drop ratio.

8.
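DoS Attacks and Their Defense Mechanisms in Mobile Ad Hoc Networks   Cited by: 8 (self-citations: 0, citations by others: 8)
Because of their dynamic topology, wireless channels, and limited resources of all kinds, mobile ad hoc networks are especially vulnerable to denial-of-service (DoS) attacks. This paper presents a new DoS attack model in mobile ad hoc networks, the ad hoc flooding attack, and defense strategies against it. The attack mainly targets on-demand routing protocols in mobile ad hoc networks, such as AODV and DSR. An ad hoc flooding attack floods the network with an excessive number of route request packets and data packets, consuming large amounts of network communication and node resources until the nodes' normal communication is blocked. After the ad hoc flooding attack is analyzed, two defense strategies are proposed. The first is neighbor suppression: when an intruder sends a large number of route request packets, neighboring nodes lower the processing priority of its packets until they no longer accept them. The second is path cutoff: the destination node deletes the path over which the intruder sends attack packets, preventing it from continuing to send them. Simulation experiments confirm that combining the two methods can effectively stop ad hoc flooding attacks in the network.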

9.
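Handover authentication protocols are key to ensuring that mobile nodes can hand over quickly and securely between multiple access points in a wireless network. When a handover authentication protocol is designed, the low computing and storage capability and small battery capacity of mobile nodes must be fully considered. To address the high resource consumption of the bilinear pairing operations in HashHand, a handover authentication protocol for wireless LANs, a new fast handover authentication protocol is proposed. The protocol uses no pairing operations and replaces them with only point multiplication in an additive group, which improves its efficiency. It also provides user anonymity and untraceability, and conditional privacy preservation. The user and the authentication server achieve mutual authentication and can securely negotiate a session key and update it periodically. The protocol effectively resists replay attacks and denial-of-service attacks.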

10.
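In wireless mobile ad hoc networks, data transmission relies on cooperative forwarding by intermediate nodes. However, packet dropping occurs when internal selfish nodes try to save bandwidth and power or when the network is attacked by malicious nodes, and network performance is severely degraded. Based on AODV, a routing protocol commonly used in wireless ad hoc networks, a new detection model for internal packet-dropping attacks is proposed. The model introduces the concept of a side channel: side-channel nodes and watchdogs jointly monitor and record the packet-forwarding behavior of nodes, and a neighbor information table stores the detection results. When the recorded value for a node reaches a certain lower limit, the node is isolated from the network. Because the side channel can send alarm packets, the model can detect internal packet-dropping attacks caused by either selfish nodes or colluding attacker nodes.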

11.
彭志娟  王汝传 《计算机应用》2010,30(5):1149-1152
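LEACH is an important wireless sensor network routing protocol based on a clustered structure and hierarchical techniques; its cluster setup process is vulnerable to identity forgery, laptop-class attacks, and the like. A low-energy secure routing protocol is designed based on SPINS: it authenticates broadcast packets using the μTESLA approach and uses the SNEP protocol to distribute authentication keys to cluster heads and their cluster member nodes, and a node may join a cluster only after verifying the cluster head's identity and the reachability of the link. The protocol achieves security goals for communication between different types of nodes, including confidentiality, integrity, freshness, and authentication of identity and of link bidirectionality. NS2-based simulation results show that, because the base station and cluster head nodes take on most of the security-related tasks, the energy consumption of ordinary nodes does not increase noticeably.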

12.
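A Secure Routing Strategy for Mobile Ad Hoc Networks   Cited by: 7 (self-citations: 0, citations by others: 7)
The mobile ad hoc network is an emerging wireless mobile self-organizing network whose routing security mechanisms differ greatly from those of traditional networks. Based on an analysis of the characteristics and limitations of ad hoc networks, and starting from the view that network nodes are vulnerable to attack and capture and cannot trust one another, a trust-distribution strategy with a trusted third party is introduced and a new secure routing strategy for mobile ad hoc networks is proposed. It solves distributed identity authentication between nodes and provides a highly secure routing strategy for communication between nodes.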

13.
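Design and Analysis of a Secure Routing Protocol for Wireless Sensor Networks   Cited by: 3 (self-citations: 1, citations by others: 2)
Routing security is a key factor in wireless sensor network security, yet existing wireless sensor network routing protocols were all designed without fully considering security. Taking full account of the attack methods used against network routing protocols and the characteristics of wireless sensor networks, and combining ID-based authenticated key agreement with secret sharing, a security strategy for wireless sensor network routing and its design rationale are proposed. In addition, security mechanisms are added to the route establishment phase, and an improved secure routing protocol is proposed. Security analysis shows that the routing protocol can defend against common attacks such as bogus routing information, Sybil, and acknowledgment spoofing.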

14.
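It has long been considered difficult to use IPSec to secure communication between mobile ad hoc networks and wireless nodes. This article describes an IPSec-based architecture and applies it to ad hoc networks, seamlessly handling node mobility and IP address changes. The approach can secure communication for applications, mobility management, and authentication protocols. It is an authentication-based method that works by adding dynamic key generation and the allocation of security associations between nodes.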

15.
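Design and Implementation of a Sensor Network Based on Distributed Group Identity Authentication   Cited by: 14 (self-citations: 0, citations by others: 14)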
黄力 《计算机工程》2007,33(10):161-163
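Based on an analysis of the security risks facing wireless sensor networks and taking the practical characteristics of sensor networks into account, a distributed group identity authentication defense mechanism is proposed. The mechanism divides the network into clusters and introduces group identity authentication into the normal sensor network routing protocol, so that when the routing protocol selects the next hop for data transmission, the authenticity of the candidate node's cluster membership must first be verified through the cluster head node. Authentication traffic between cluster head nodes uses a public-key-based, distributed, self-organizing authentication mechanism to further ensure the authenticity and reliability of this group identity authentication. Using the common Sybil attack as an example, the design process of the security mechanism is described, and the overall security performance of the mechanism is evaluated.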

16.
This paper proposes an efficient anonymous routing protocol for mobile ad hoc networks (MANETs). This protocol considers symmetric and asymmetric links during the wireless communication of MANETs. A MANET is one type of self-organized wireless network that can be formed by several wireless devices such as laptops, tablet PCs, and smartphones. Different wireless transmission ranges of different mobile devices lead to a special communication condition called an asymmetric link. Most research on this topic focuses on providing security and anonymity for the symmetric link without considering the asymmetric link. This paper proposes a novel distributed routing protocol beyond the symmetric and asymmetric links. This protocol guarantees the security, anonymity, and high reliability of an established route by avoiding unreliable intermediate nodes. The routes generated by the proposed protocol are shorter than those in previous research. The proposed protocol enhances MANET performance in assuring security and anonymity.

17.
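The self-organization, dynamic topology, and wireless access of ad hoc networks make routing security an increasingly prominent problem. A secure DSR routing protocol is proposed that allows intermediate nodes to return route reply packets while still guaranteeing security. The protocol improves on the original trust mechanism. Simulation results show that it can effectively prevent route information spoofing, tampering, route replay, and black hole attacks, and can alleviate the route rediscovery problem caused by malicious and selfish nodes denying network service or by changes in the network environment.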

18.
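Because of the dynamic network topology and multi-hop wireless links, traditional routing protocols cannot guarantee routing security in ad hoc networks. This article proposes MASRP (mutual authenticated secure Ad hoc routing protocol), a mutually authenticated secure routing protocol for ad hoc networks. It performs identity authentication of the end-to-end nodes and the exchange of a one-time session key during on-demand route discovery, which ensures the correctness of path discovery and the reliability of end-to-end data transmission and improves the security of the routing protocol. The security of the protocol is proven under BAN logic analysis.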

19.
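The security threats that replay, DoS, and other attacks pose to the Mobile IPv4 protocol are analyzed in detail, and a PKI-based secure authentication protocol is proposed. The protocol uses a technique that combines a security key with a minimal public key and a session key to ensure identity authentication and message integrity and confidentiality during registration. Finally, the security of the protocol is analyzed in detail.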

20.
As an extension of wireless ad hoc and sensor networks, wireless mesh networks (WMNs) are employed as an emerging key solution for wireless broadband connectivity improvement. Due to the lack of physical security guarantees, WMNs are susceptible to various kinds of attack. In this paper, we focus on the node social selfish attack, which decreases network performance significantly. Since this type of attack is not easy to detect, we propose a security routing scheme based on social network and reputation evaluation to solve this attack issue. First, we present a dynamic reputation model to evaluate a node’s routing behavior, from which we can identify selfish attacks and selfish nodes. Furthermore, a social characteristic evaluation model is studied to evaluate the social relationship among nodes. Groups are built based on the similarity of node social status, and we can get a secure routing based on these social groups of nodes. In addition, in our scheme, nodes are encouraged to enter into multiple groups and friend nodes are recommended to join groups to reduce the possibility of isolated nodes. Simulation results demonstrate that our scheme is able to reflect node security status, and routings are chosen and adjusted according to security status in a timely and accurate manner so that the safety and reliability of routing are improved.
