Similar literature
Found 20 similar documents; search took 31 ms
1.
Packet filtering allows a network gateway to control the network traffic flows and protect the computer system. Most of the recent research works on the filtering systems mainly concern the performance, reliability and defence against common network attacks. However, since the gateway might be controlled by an untrusted attacker, who might try to infer the identity privacy of the sender host and mount IP tracking to its data packets. IP spoofing is another problem. To avoid data packets to be filtered in the packet filtering system, the malicious sender host might use a spoofed source IP address. Therefore, to preserve the source IP privacy and provide source IP authentication simultaneously in the filtering system is an interesting and challenging problem. To deal with the problem, we construct a data packet filtering scheme, which is formally proved to be semantic secure against the chosen IP attack and IP guessing attack. Based on this filtering scheme, we propose the first privacy-preserving packet filtering system, where the data packets whose source IP addresses are at risk are filtered, the privacy of the source IP is protected and its correctness can be verified by the recipient host. The analysis shows that our protocol can fulfil the objectives of a data packet filtering system. The performance evaluation demonstrates its applicability in the current network systems. We also presented a packet filtering scheme, where the data packets from one subnet can be filtered with only one filter policy.

2.
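Luo Xiaoqing, Li Shitang, Xu Li. Journal of Signal Processing (《信号处理》), 2014, 30(11): 1357-1362
This paper proposes a CRC-NC (Cyclic Redundancy Check-Network Coding) scheme. In wireless two-way communication networks, the scheme combines network coding with cyclic redundancy check codes to test the credibility of received messages, which effectively reduces the decoding bit error rate at the destination node and resists pollution attacks. In the scheme, nodes send messages to each other with the assistance of a relay node and decode using the messages sent by the peer node and the relay node. If S of the messages a node obtains directly from the peer node are correct, the node combines the messages sent by the peer node with those sent by the relay node, computes the Hamming weight of the combined messages, and selects for decoding the relay-sent messages that correspond to the K-S smallest Hamming weights. Simulation results show that, compared with the random-selection scheme and the encryption-based scheme, the proposed scheme effectively reduces the node decoding error probability.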

3.
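Yang Lijun, Ding Chao, Wu Meng. Journal of Electronics & Information Technology (《电子与信息学报》), 2015, 37(12): 2808-2814
This paper addresses the conflict between data aggregation and security goals in wireless sensor networks (WSNs) and, based on privacy homomorphism and aggregate message authentication codes, proposes a recoverable data aggregation scheme that guarantees both data privacy and integrity. The scheme supports recovering each sensed value from the aggregated result, so that on the one hand the integrity of both the sensed data and the aggregated data can be verified, and on the other hand any required processing can be applied to the original data without being restricted by the type of aggregation function. Security analysis shows that the scheme not only provides data privacy and integrity but also resists unauthorized aggregation attacks and aggregator node capture attacks, and can detect and locate malicious nodes within a certain range. Performance analysis shows that the scheme has significant advantages over other algorithms in communication and computation overhead. To evaluate the performance and feasibility of the scheme, a prototype implementation of the algorithm on TinyOS is given. Experimental results show that the scheme has low overhead and is efficient and feasible for resource-constrained WSNs.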

4.
A privacy-preserving secure communication in ad hoc (without infrastructure) mission critical wireless networking system suitable for unmanned aerial vehicle communication systems is introduced and analyzed. It is expected that in a critical condition, few ad hoc (without infrastructure) mission critical wireless networking systems will work together. To make the simple and low cost privacy-preserving secure communication among the same network, each transmitting mobile node generates packets in such a way that its wanted receiving mobile nodes can read the message packets easily. On the other hand, the unwanted receiving mobile nodes from other networks cannot read those message packets. In addition, the unwanted receiving mobile nodes receive ‘jamming packets’ if they try to read them. This mechanism prevents the malicious receivers (readers from other networks) from reading the packets and obtaining information from this network. Results show that the throughput is very high and does not detect any jamming packets, if the receiving nodes of a network try to read packets transmitted by the nodes from the same networks.

5.
As the spatial and temporal correlations of sensor readings are common in wireless sensor networks, motivated by these features and the drawbacks of network coding (NC), we introduce compressed sensing (CS) into NC scheme and construct a cooperating coding mechanism, which performs over different data fields with a compatible transformation measure for the combination of NC and CS. This cooperating coding scheme can reduce the amount of redundant information transmission significantly, because the temporal and spatial correlations are explored fully. Meanwhile, the erasures and errors are considered simultaneously in relay transmission process; a NC decoding for error control is proposed to correct the erasures and errors. Although the decoding error of NC is existent, this error can be further reduced by the reconstruction process of CS; as a result, the relative recovery error is small enough in the sink. Finally, the reliability and performance analyses confirm that the proposed cooperating coding scheme obtains considerable compression gain as compared with conventional coding scheme of NC and transmits information reliably with high recovery precision. Copyright © 2014 John Wiley & Sons, Ltd.

6.
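He Ming, Chen Lin, Wang Hong, Gong Zhenghu. Journal on Communications (《通信学报》), 2013, 34(11): 10-91
This paper studies pollution attacks in network coding and proposes ASNC (adaptive secure network coding), an adaptive network coding transmission mechanism that resists pollution attacks. During the transmission of coded data packets, the mechanism uses the temporal and spatial characteristics of network coding to effectively control the propagation of polluted packets. At the same time, the ASNC mechanism innovatively drives the network coding system to adjust its security policy dynamically, adapting to the current network security situation. In addition, for better practicality, the ASNC mechanism makes effective use of the coding-space characteristics of network coding and requires neither an extra secure data channel nor packet encryption operations. Security analysis and simulation results show that ASNC effectively resists pollution attacks and achieves better security efficiency than mechanisms without adaptive capability.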

7.
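Design of a secure privacy-preserving data aggregation scheme for WSNs   Total citations: 1, self-citations: 0, citations by others: 1
To address the protection of data privacy and integrity during data aggregation in wireless sensor networks, a secure privacy-preserving data aggregation scheme (SPPDA) is proposed. A node's private factor and its raw data are combined into a complex number, and the complex number is encrypted with homomorphic encryption so that data aggregation can be performed on ciphertexts without decryption; a complex-number-based integrity verification method is also used to ensure data reliability. Theoretical analysis and simulation results show that the SPPDA scheme has low computation cost and communication overhead and high aggregation accuracy.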

8.
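Wiretapping and pollution attacks are two important kinds of security attack. Studies show that the inherent data-mixing property of network coding can achieve a certain degree of secure transmission. To counter pollution attacks and wiretapping attacks, a secure network coding scheme that can defend against omnipotent eavesdropping and pollution attacks is proposed here. When the attacker has omnipotent eavesdropping capability and pollutes some of the links, the scheme hashes the transmitted information to protect against pollution attacks and encrypts the global encoding vector to protect against pollution attacks; the scheme is suitable for networks in which the attacker has strong eavesdropping capability and pollution attacks are a threat. Analysis shows that the scheme is effective.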

9.
Existing symmetric cryptography-based solutions against pollution attacks for network coding systems suffer various drawbacks, such as highly complicated key distribution and vulnerable security against collusion. This letter presents a novel homomorphic subspace message authentication code (MAC) scheme that can thwart pollution attacks in an efficient way. The basic idea is to exploit the combination of the symmetric cryptography and linear subspace properties of network coding. The proposed scheme can tolerate the compromise of up to r−1 intermediate nodes when r source keys are used. Compared to previous MAC solutions, less secret keys are needed for the source and only one secret key is distributed to each intermediate node.

10.
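Research on traceback methods for malicious nodes in wireless sensor networks   Total citations: 7, self-citations: 1, citations by others: 7
Sensor nodes may be captured by an attacker and used to send large amounts of false data, exhausting the resources of the whole network. This paper proposes a practical traceback solution: based on a probabilistic packet marking algorithm, each node marks the packets it forwards with a certain probability, with the marking information written into a fixed field of the packet header; by collecting enough packets, the sink node can reconstruct a path to the source node. The paper proves that the scheme can cope with all types of attack, and proposes two improved marking methods to address the shortcomings of the basic marking method. Experimental results show that the traceback solution is efficient and practical.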

11.
Mobile ad hoc network (MANET) is defined as the category of wireless network that is capable of operating without any fixed infrastructure. The main assumption considered in this network is that all nodes are trusted nodes but in real scenario, some nodes can be malicious node and therefore can perform selective dropping of data packets instead of forwarding the data packets to the destination node. These malicious nodes behave normally during route discovery phase and afterwards drop fractions of the data packets routed through them. Such type of attack is known as smart gray hole attack which is variation of sequence number based gray hole attack. In this paper, we have launched smart gray hole attack and proposed a new mechanism for mitigating the impact of smart gray hole attack. Mitigating Gray hole Attack Mechanism (MGAM) uses several special nodes called as G-IDS (gray hole-intrusion detection system) nodes which are deployed in MANETs for detecting and preventing smart gray hole attack. G-IDS nodes overhear the transmission of its neighbouring nodes and when it detects that the node is dropping the data packets which are greater than threshold value then it broadcast the ALERT message in the network notifying about the identity of malicious node. The identified malicious is then blocked from further its participation by dropping the request and reply packet. In order to validate the effectiveness of our proposed mechanism, NS-2.35 simulator is used. The simulation results show that the proposed mechanism performs slightly well as compared with the existing scheme under smart gray hole attack.

12.
The Internet of Things-based smart healthcare provides numerous facilities to patients and medical professionals. Medical professionals can monitor the patient's real-time medical data and diagnose diseases through the medical health history stored in the cloud database. Any kind of attack on the cloud database will result in misdiagnosis of the patients by medical professionals. Therefore, it becomes a primary concern to secure private data. On the other hand, the conventional data aggregation method for smart healthcare acquires immense communication and computational cost. Edge-enabled smart healthcare can overcome these limitations. The paper proposes an edge-enabled efficient privacy-preserving data aggregation (EEPPDA) scheme to secure health data. In the EEPPDA scheme, captured medical data have been encrypted by the Paillier homomorphic cryptosystem. Homomorphic encryption is engaged in the assurance of secure communication. For data transmission from patients to the cloud server (CS), data aggregation is performed on the edge server (ES). Then aggregated ciphertext data are transmitted to the CS. The CS validates the data integrity and analyzes and processes the authenticated aggregated data. The authorized medical professional executes the decryption, then the aggregated ciphertext data are decrypted in plaintext. EEPPDA utilizes the batch verification process to reduce communication costs. Our proposed scheme maintains the privacy of the patient's identity and medical data, resists any internal and external attacks, and verifies the health data integrity in the CS. The proposed scheme has significantly minimized computational complexity and communication overhead concerning the existing approach through extensive simulation.

13.
In the cloud environment for data storage, the use of secure network coding technology can be a good solution to the data privacy and reliability issues. However, each coding block usually has a high correlation after network coding, very few updates to the file need to be re-encoded which is extremely easy to cause information leakage and serious consumption of system resources. To solve this problem, a network coding cloud storage data updating algorithm was proposed. Just by sending files change difference matrix, the storage node could update parts of the coding block accordingly which could complete the entire update files. Experimental results show that compared with RS coding and Tornado coding, the algorithm can not only ensure data security, but also greatly improve the efficiency of data update and data reconstruction.

14.
In this paper, we propose an efficient privacy-preserving energy consumption scheme with updating certificates, called EPEC, for secure smart grid communications. Specifically, the proposed EPEC scheme consists of four phases: gateways initialization, party registration, privacy-preserving energy consumption, and updating certificates. Based on the bilinear pairing, the identity-based encryption, and the strategy of updating certificates, EPEC can achieve data privacy, gateway privacy, and is robust to data replay attack, availability attack, modification attack, man-in-the-middle attack, and Sybil attack. Through extensive performance evaluations, we demonstrate the effectiveness of EPEC in terms of transmission delay performance at the HAN gateway and average delivery ratio, by implementing three types of curves including, the Barreto–Naehrig curve with modulus 256 bits, the Kachisa–Schaefer–Scott curve with modulus 512 bits, and the Barreto–Lynn–Scott curve with modulus 640 bits.

15.
Motivated by chaos technology and compressed sensing, we propose a distributed secure data collection scheme via chaotic compressed sensing in wireless sensor networks. The chaotic compressed sensing is applied to the encrypted compression of sensory data for sensor node and the data acquisition for whole sensory in wireless sensor networks. The proposed scheme is suitable for long-term and large scale wireless sensor networks with energy efficiency, network lifetime and security. A sensing matrix generation algorithm and active node matrix algorithm based on chaos sequence are proposed to ensure the secure and efficient transmission of sensor packets. The secret key crack, forgery, hijack jamming and replay attacks on the proposed algorithm are evaluated to show the robustness of this scheme. Simulations and real data examples are also given to show that the proposed scheme can ensure the secure data acquisition in wireless sensor networks efficiently.

16.
As the massive sensor data generated by large-scale Wireless Sensor Networks (WSNs) recently become an indispensable part of ‘Big Data’, the collection, storage, transmission and analysis of the big sensor data attract considerable attention from researchers. Targeting the privacy requirements of large-scale WSNs and focusing on the energy-efficient collection of big sensor data, a Scalable Privacy-preserving Big Data Aggregation (Sca-PBDA) method is proposed in this paper. Firstly, according to the pre-established gradient topology structure, sensor nodes in the network are divided into clusters. Secondly, sensor data is modified by each node according to the privacy-preserving configuration message received from the sink. Subsequently, intra- and inter-cluster data aggregation is employed during the big sensor data reporting phase to reduce energy consumption. Lastly, aggregated results are recovered by the sink to complete the privacy-preserving big data aggregation. Simulation results validate the efficacy and scalability of Sca-PBDA and show that the big sensor data generated by large-scale WSNs is efficiently aggregated to reduce network resource consumption and the sensor data privacy is effectively protected to meet the ever-growing application requirements.

17.
In big data wireless sensor networks, the volume of data sharply increases at an unprecedented rate and the dense deployment of sensor nodes will lead to high spatial-temporal correlation and redundancy of sensors’ readings. Compressive data aggregation may be an indispensable way to eliminate the redundancy. However, the existing compressive data aggregation requires a large number of sensor nodes to take part in each measurement, which may cause heavy load in data transmission. To solve this problem, in this paper, we propose a new compressive data aggregation scheme based on compressive sensing. We apply the deterministic binary matrix based on low density parity check codes as measurement matrix. Each row of the measurement matrix represents a projection process. Owing to the sparsity characteristics of the matrix, only the nodes whose corresponding elements in the matrix are non-zero take part in each projection. Each projection can form an aggregation tree with minimum energy consumption. After all the measurements are collected, the sink node can recover original readings precisely. Simulation results show that our algorithm can efficiently reduce the number of the transmitted packets and the energy consumption of the whole network while reconstructing the original readings accurately.

18.
ZigBee is an industrial standard for wireless ad hoc networks based on IEEE 802.15.4. It has been developed for low cost, low data rate and low power consumption. ZigBee's network layer defines two routing protocols namely Ad Hoc On-demand Distance Vector and Tree Routing (TR). TR protocol follows the tree topology (parent-child) in forwarding the data packets from source nodes to the sink node. However, the source does not find rather nor the location of the sink is close to the source node or if it is not in the sub-tree. In this case it will follow the tree topology which will use a lot of hops to deliver data packets to the sink node. This paper presents an improvement of TR protocol for ZigBee network and is called Improved Tree Routing (ImpTR) protocol which is computationally simple in discovering the better path to transmit data packets to the sink node, and does not need any addition in hardware. ImpTR determines the better path to the sink node depending on the tables of the neighbouring nodes, which is part of the existing ZigBee network specification. Results show that the proposed algorithm provides shorter average end-to-end delay, increase throughput, decrease the average number of hops and decrease the energy consumption from the network when compared to the original TR routing protocol.

19.
Wormhole attack is a severe attack that can be easily mounted on a wide range of wireless networks without compromising any cryptographic entity or network node. In the wormhole attack, an attacker sniffs packets at one point in the network and tunnels them through the wormhole link to another point. Such kind of attack can deteriorate the localization procedure in wireless sensor networks. In this paper, we first analyze the impacts of the wormhole attack on the localization procedure. Then, we propose a secure localization scheme against the wormhole attacks called SLAW including three phases: wormhole attack detection, neighboring locators differentiation, and secure localization. The main idea of the SLAW is to build a so-called conflicting set for each locator based on the abnormalities during the message exchanges, which can be used to differentiate the dubious locators to achieve secure localization. We first consider the simplified system model in which there is no packet loss and all the nodes have the same transmission range. We further consider the general system model where the packet loss exists and different types of nodes have different transmission radii. We conduct the simulations to illustrate the effectiveness of the proposed secure localization scheme and compare it with the existing schemes under different network parameters. Copyright © 2014 John Wiley & Sons, Ltd.

20.
In this paper, we propose a distributed topology management algorithm, named T-Must, which orchestrates coalition formation game between camera and scalar sensor (SS) nodes, for use in wireless multimedia sensor networks. In the proposed solution, connectivity among the peer camera sensor (CS) nodes is maintained, and coverage is ensured between them. Only the scalar data are not sufficient to describe an event in a particular monitored area. In many cases, multimedia data (specifically, video data) are required to provide more precise information about the event. As the CS nodes, which sense and transmit multimedia data, are costlier than the SS nodes, the former are deployed in the monitored area in lesser numbers compared to the latter ones. In case of CS nodes, power consumption due to sensing is also significant, similar to power consumption for the transmission and reception of packets. Therefore, in this work, in order to increase the network lifetime, topology is controlled by forming coalition between the CS and SS nodes. Upon occurrence of an event, the SS nodes send scalar data to their associated CS nodes. If the scalar data received from SS nodes cross a preconfigured threshold, the associated CS node in the coalition starts sensing the event, captures the video data, and forwards the video data toward other coalitions or sink. Copyright © 2014 John Wiley & Sons, Ltd.
