在P2P网络下Sybil攻击的研究与防范

P2P网络的自由开放特性使得节点可随意创建身份加入系统，但这也会引发Sybil攻击。文章设计了一种新节点身份的认证方案，提出新节点身份需暴力破解单向函数的计算难题才能加入网络。因此增加了用户创建新节点身份的代价，使得用户无法随意创建身份，从而达到了验证新节点身份的目的，避免系统受到攻击。     

基于信任权重防御Sybil攻击的模型

P2P分布式系统特别容易遭受Sybil攻击,即一个不良用户伪造多个不存在的虚假用户,与网络中普通用户进行交互,进而达到控制网络的目的。防御模型基于社会化网络的信任概念,在SybilGuard基础上提出了路由增加信任权重的方法,用以降低节点与虚假用户交易的概率,实验显示,诚实节点间的交易成功率及节点停留在安全区域内的概率得到提高,增强了系统健壮性。     

防御无线传感器网络Sybil攻击的新方法

在传感器网络中,Sybil 攻击是一类主要的攻击手段.通过随机秘密信息预分配,利用节点身份证人确认机制,提出了防御传感器网络Sybil 攻击的新方案并进行了综合性能分析.在新方案中,基于单向累加器建立了传感器网络节点秘密信息管理和分配方案,在共享密钥建立阶段,提出了传感器网络认证对称密钥建立协议,并在universally composable(UC)安全模型中对该协议进行了可证明安全分析,该协议可建立网络邻居节点之间惟一的对称密钥.     

ZigBee网络抵御Sybil攻击的自适应链路指纹认证方案

该文针对ZigBee网络中Sybil攻击破坏节点身份唯一性的问题,提出一种抵御Sybil攻击的自适应链路指纹认证方案。方案首先基于无线链路特征设计了链路指纹,在此基础上,提出了反映信道质量的相干时间估测算法和适应子节点数量变化的保护时隙(GTS)动态申请算法,并给出了Sybil攻击认证流程。安全性分析及实验结果表明,方案在通信环境的安全边界条件下节点认证成功率可达97%以上,且链路指纹无需存储,具有较低的资源需求。     

无线传感器网络中检测女巫攻击的节点定位方法

为了有效抵制女巫攻击,在攻击存在的情况下提高无线传感器网络节点的定位精度,分析、总结了女巫攻击所固有的薄弱环节,提出了基于接收功率验证的检测女巫攻击的节点安全定位方法。检测机制分为两步,首先检测节点通过比较接收功率,从所接收的全部信标节点中选择出距其距离相同的信标节点,列为可疑Sybil节点,然后通过邻居节点间的信息交互和距离验证,最终检测出攻击节点,利用去除了Sybil节点的信标节点集合实现定位。仿真实验显示,当存在攻击时,检测成功概率能达到95%以上,定位精度提高了9～11.64 m,表明该方法能有效检测女巫攻击,实现节点安全定位。     

一种新的基于信誉的P2P网络信任管理模型

文中提出了一种非中心的P2P网络信任管理模型NewTrust。在P2P网络中,需要根据一个节点在网络中的信誉来判断其是否可信,通过在信任向量中引入评价方差,有效抑制了不稳定节点和策略类恶意节点;通过区分陌生节点和不可信节点,解决了陌生节点的融入问题;通过对不同信誉的节点提供不同质量的服务,解决了节点激励问题;通过引入分布式哈希表(DHT)资源发现模式解决推荐信息的管理问题,降低了搜索与管理推荐信息的代价,并使系统具有良好的可扩展性。模型能够有效地抵御多种恶意攻击。     

一种分层的P2P网络模型

基于分布式哈希表(DHT)的结构化P2P网络是目前研究热点,但是DHT机制实现比较复杂,更重要的是节点频繁的加入或退出所造成的网络动荡会对系统的网络造成巨大的压力,网络系统的稳定性很差。文章提出了一种层次化的P2P网络模型,该网络模型分为两层,其中上层是结构化Chord网络,下层中心化网络,该网络结合了结构化和中心化P2P网络的优点,弱化或克服了两者的缺点,在稳定性、可扩展性和查询效率等方面的性能都有一定的提高。     

社交网络中的Sybil攻击检测方案研究

社交网络中的Sybil攻击行为已经变得越来越难以识别,因此如何有效的检测社交网络中的Sybil攻击行为,进而设计相应的防御方案来避免网络遭受攻击,已经成为当下网络安全领域研究的热点.相应的Sybil攻击检测技术也在不断的研究中得到发展和完善.文章对近年来Sybil攻击识别技术的研究动态和最新进展进行了综述,对其使用的检测方法和评价指标进行了分析比较,并对社交网络中的Sybil识别技术的发展趋势和应用前景进行了预测.     

基于超级节点的P2P信任模型的研究

提出基于超级节点的P2P网络信任模型—Super Trust。在Super Trust模型中,对节点的信任值采用了组内直接信任,组内间接信任和组间信任相结合的方式,从而提高了信任值计算的精确性;此外,通过引入超级节点机制,提高了系统交互的成功率。实验结果表明,与基于推荐信任传统模型和RBTrust模型相比,Super Trust具有较高的交易成功率,并且在不同的恶意节点攻击模式下具有较高的成功交易率。     

一种基于文件共享的P2P节点认证方案

身份认证是P2P（peertopeer）网络安全的重要组成部分,但传统的PKI（金钥基础设施）认证方式因为具有静态的集中化控制和固定的证书内容等特点,不能很好地满足P2P网络安全认证的需要,且在公钥的分发过程中容易遭受中间人攻击。为此,提出了一种新型的公钥管理架构和身份认证方案,每个节点可以自己产生并分发公私钥,认证服务器仅在节点加入网络时参与完成公钥的分发。超级节点负责管理本组内全部节点的公钥,节点在相互认证时无需认证服务器的参与,仅通过超级节点来完成。分析结果表明,这种认证方案可以有效地抵抗中间人攻击,在保持高效率的基础上又保证了认证的安全性。     

无线传感器网络节点复制攻击和女巫攻击防御机制研究

在无线传感器网络(WSNs)中,节点复制攻击和女巫攻击可扰乱数据融合和阈值选举等网络操作.发起这两种攻击需先通过邻居发现认证过程.考虑到在WSNs中发起邻居认证是不频繁的,提出了一种基于单向密钥链的ID认证防御机制(OKCIDA),降低攻击者在任何时间段发起这两种攻击的可能性.然后基于椭圆曲线离散对数问题,构造对称参数,并组合OKCIDA和利用节点邻居关系,提出了一种无需位置的邻居认证协议(LFNA),以阻止复制节点和女巫节点成功加入网络.最后给出了安全性证明和分析,并在安全和开销方面将LFNA与已有典型防御方案进行了比较,结果表明该方案具有一定的优势.     

Node ID based detection of Sybil attack in mobile wireless sensor network

Security is the major issue in wireless sensor networks and many defence mechanisms have been developed to secure the network from these alarming attacks by detecting the malicious nodes which hinder the performance of the network. Sybil attack can make the network vulnerable. Sybil attack means a node which illegitimately claims multiple identities. This attack threatens wireless sensor network in routing, voting system, fair resource allocation, data aggregation and misbehaviour detection. Hence, the research is carried out to prevent the Sybil attack and improve the network performance. The node ID-based scheme is proposed, where the detection is based on node registration, consisting of two phases and the assignment of ID to the node is done dynamically. The ID's corresponding to the nodes registered is at the base station and the node active time is monitored, any abnormalities in the above phases confirm the presence of Sybil nodes in the network. The scheme is simulated using NS2. The energy consumed for this algorithm is 2.3?J. The proposed detection scheme is analysed based on the network's PDR and found that the throughput has improved, which prove that this scheme may be used in the environment where security is needed.     

Novel Trusted Hierarchy Construction for RFID Sensor–Based MANETs Using ECCs

In resource‐constrained, low‐cost, radio‐frequency identification (RFID) sensor–based mobile ad hoc networks (MANETs), ensuring security without performance degradation is a major challenge. This paper introduces a novel combination of steps in lightweight protocol integration to provide a secure network for RFID sensor–based MANETs using error‐correcting codes (ECCs). The proposed scheme chooses a quasi‐cyclic ECC. Key pairs are generated using the ECC for establishing a secure message communication. Probability analysis shows that code‐based identification; key generation; and authentication and trust management schemes protect the network from Sybil, eclipse, and de‐synchronization attacks. A lightweight model for the proposed sequence of steps is designed and analyzed using an Alloy analyzer. Results show that selection processes with ten nodes and five subgroup controllers identify attacks in only a few milliseconds. Margrave policy analysis shows that there is no conflict among the roles of network members.     

WSNs中基于秘密共享的身份认证协议

身份认证是无线传感器网络安全的第一道屏障。针对现有无线传感器网络中的身份认证协议的效率和安全问题,基于Shamir门限秘密共享方案提出一种低功耗的身份认证协议。在不降低网络安全性的前提下,通过多个已认证节点对新节点进行身份认证,能够有效的降低认证过程中的计算量。认证过程中使用单向散列函数对通信数据进行加密并且运用时间戳机制抵御重放攻击。分析结果表明协议具有低功耗的特点,并且能够抵御窃听攻击、重放攻击以及少数节点被俘虏的攻击。     

LPPA: Lightweight privacy‐preservation access authentication scheme for massive devices in fifth Generation (5G) cellular networks

Because of the requirements of stringent latency, high‐connection density, and massive devices concurrent connection, the design of the security and efficient access authentication for massive devices is the key point to guarantee the application security under the future fifth Generation (5G) systems. The current access authentication mechanism proposed by 3rd Generation Partnership Project (3GPP) requires each device to execute the full access authentication process, which can not only incur a lot of protocol attacks but also result in signaling congestion on key nodes in 5G core networks when sea of devices concurrently request to access into the networks. In this paper, we design an efficient and secure privacy‐preservation access authentication scheme for massive devices in 5G wireless networks based on aggregation message authentication code (AMAC) technique. Our proposed scheme can accomplish the access authentication between massive devices and the network at the same time negotiate a distinct secret key between each device and the network. In addition, our proposed scheme can withstand a lot of protocol attacks including interior forgery attacks and DoS attacks and achieve identity privacy protection and group member update without sacrificing the efficiency. The Burrows Abadi Needham (BAN) logic and the formal verification tool: Automated Validation of Internet Security Protocols and Applications (AVISPA) and Security Protocol ANimator for AVISPA (SPAN) are employed to demonstrate the security of our proposed scheme.     

Defense against Sybil attacks and authentication for anonymous location-based routing in MANET

In MANET, providing authentication and security to location-based routing is a big task. To overcome this problem, in this paper, we proposed a defense against Sybil attacks and authentication for anonymous location-based routing in MANET. Each random forwarder has a table of RSS values estimated from the previous message exchanges across a zone to detect the Sybil attack. The difference in RSS values of two neighboring nodes is estimated based on which the node’s arrival angle into the zone is detected. Depending on the arrival angle, the nodes can be categorized as safety zone and caution zone. The messages exchanged between the RFs and senders can be protected by means of group signature. Finally, misrouting packet drop attack is detected and eliminated by using ant colony optimization technique. By simulation results, we show the proposed technique reduces the packet drop due to attacks, thereby increasing the delivery ratio.     

抗污染攻击的自适应网络编码传输机制

研究了网络编码中的污染攻击问题,提出了一种抗污染攻击的自适应网络编码传输机制ASNC (adaptive secure network coding)。在编码数据分组的传输过程中,该机制利用网络编码的时间和空间特性有效控制污染数据分组的传播。同时,ASNC机制创新性地促使网络编码系统动态调整安全策略,自适应于当前网络安全态势。此外,为了达到更好的实用性,ASNC机制有效利用网络编码的编码空间特性,不需要额外的安全数据通道和数据分组加密操作。ASNC机制的安全分析和仿真结果表明,其能够有效抵抗污染攻击,与不具有自适应能力的机制相比具有更好的安全效率。     

A lightweight anonymous authentication scheme for consumer roaming in ubiquitous networks with provable security

Ubiquitous networks provide roaming service for mobile nodes enabling them to use the services extended by their home networks in a foreign network. A mutual authentication scheme between the roamed mobile node and the foreign network is needed to be performed through the home network. Various authentication schemes have been developed for such networks, but most of them failed to achieve security in parallel to computational efficiency. Recently, Shin et al. and Wen et al. separately proposed two efficient authentication schemes for roaming service in ubiquitous networks. Both argued their schemes to satisfy all the security requirements for such systems. However, in this paper, we show that Shin et al. 's scheme is susceptible to: (i) user traceability; (ii) user impersonation; (iii) service provider impersonation attacks; and (iv) session key disclosure. Furthermore, we show that Wen et al. 's scheme is also insecure against: (i) session key disclosure; and (ii) known session key attacks. To conquer the security problems, we propose an improved authentication scheme with anonymity for consumer roaming in ubiquitous networks. The proposed scheme not only improved the security but also retained a lower computational cost as compared with existing schemes. We prove the security of proposed scheme in random oracle model. Copyright © 2015 John Wiley & Sons, Ltd.