Recently we have seen increasing adoption of wireless ad hoc and sensor networks (WAHAS) for security-critical applications in military and civilian domains, such as battlefield surveillance and emergency rescue and relief. However, they are often exposed to a wide range of control and data traffic attacks. Control attacks target the control traffic in the network, such as routing and localization; examples are wormhole, Sybil, and rushing attacks. Control attacks are often easy to launch, even without any cryptographic key, and can subvert the functionality of the network by disrupting data flow. Data traffic attacks include selective forwarding and misrouting. We have pursued two lines of defense to secure WAHAS networks. The first is attack prevention using low-cost key management for encryption and authentication: our protocol SECOS guarantees that communication between any two nodes remains secure despite the compromise of any number of other nodes. The second is the detection, diagnosis, and isolation of control and data traffic attacks through local monitoring and response: each node oversees the traffic in its one-hop neighborhood and maintains state about the behavior of each neighbor. We develop a suite of three protocols, for static networks, for mobile networks, and for energy-efficient local monitoring that is aware of sleep-awake schedules. To evaluate the protocols, we perform analysis and simulations in ns-2. The evaluation metrics are the fraction of data received at the destination, the coverage and delay of isolation, the likelihood of false positives, and the overhead in terms of resource consumption.
This research investigates the denial of service problem, in the context of services provided over a network, and contributes to improved techniques for modelling, detecting, and preventing denial of service attacks against these services.
While the majority of currently employed denial of service attacks aim to pre-emptively consume the network bandwidth of victims, a significant amount of research effort is already being directed at that problem. This research is instead concerned with the inevitable migration of denial of service attacks up the protocol stack to the application layer. Of particular interest is the denial of service resistance of key establishment protocols (security protocols that enable an initiator and a responder to mutually authenticate and establish cryptographic keys for a secure communications channel), which, owing to the computationally intensive operations they perform, are particularly vulnerable to such attacks.
Access hierarchies are useful in many applications and are modeled as a set of access classes organized by a partial order. A user who obtains access to a class in such a hierarchy is entitled to access objects stored at that class, as well as objects stored at its descendant classes. Efficient schemes for this framework assign only one key to each class and use key derivation to permit access to descendant classes. Ideally, the key derivation uses simple primitives such as cryptographic hash computations. With straightforward key derivation, the derivation time is then linear in the length of the path between the user's class and the class of the object that the user wants to access.
Recently, work presented in [Atallah et al. 2005] has given a solution that significantly lowers this key derivation time for deep hierarchies, by adding a modest number of extra edges to the hierarchy. While such techniques were given for trees, this work presents efficient key derivation techniques for hierarchies that are not trees using a different mechanism. The construction we give in the present paper is recursive and makes a novel use of the notion of the dimension d of an access graph. We provide a solution through which no key derivation requires more than O(d) hash function computations, even for “unbalanced” hierarchies whose depth is linear in their number of access classes n.
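The two abstracts above describe key derivation along hierarchy edges with one hash per edge, and shortcut edges that cut the path length. The following is an added example, not code from the cited papers: each class gets one secret key, each edge publishes a token y = k_dst XOR H(k_src, dst), and anyone holding an ancestor key walks the shortest public path to recover a descendant key. HMAC-SHA256 as the hash, 32-byte keys, and the chain-plus-shortcuts layout in `demo` are assumptions for illustration, not the construction of [Atallah et al. 2005] or of the dimension-based scheme.

```python
import hashlib
import hmac
import os
from collections import deque


def kdf(parent_key: bytes, child_label: str) -> bytes:
    """One hash computation in the abstract's sense. HMAC-SHA256 is an assumed
    instantiation of the 'simple cryptographic hash' primitive."""
    return hmac.new(parent_key, child_label.encode(), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AccessHierarchy:
    """Access classes in a partial order. Each class holds one secret key;
    each edge carries one public token, so a holder of an ancestor's key can
    derive every descendant key without contacting the administrator."""

    def __init__(self) -> None:
        self._keys = {}    # secret: class -> key (administrator only)
        self.tokens = {}   # public: (src, dst) -> y = k_dst XOR H(k_src, dst)
        self.succ = {}     # public: class -> direct successors (edges)

    def add_class(self, name: str) -> None:
        self._keys[name] = os.urandom(32)
        self.succ.setdefault(name, [])

    def add_edge(self, src: str, dst: str) -> None:
        """Add an edge src -> dst (a hierarchy edge or an extra shortcut edge).
        The token reveals nothing about k_dst to anyone who lacks k_src."""
        self.tokens[(src, dst)] = xor(self._keys[dst], kdf(self._keys[src], dst))
        self.succ[src].append(dst)

    def key_of(self, name: str) -> bytes:
        """The single key the administrator hands to a user of class `name`."""
        return self._keys[name]

    def shortest_path(self, src: str, dst: str):
        """BFS over public edges: fewest hops means fewest hash computations."""
        prev = {src: None}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            if u == dst:
                break
            for v in self.succ[u]:
                if v not in prev:
                    prev[v] = u
                    queue.append(v)
        if dst not in prev:
            return None
        path = []
        while dst is not None:
            path.append(dst)
            dst = prev[dst]
        return path[::-1]

    def derive(self, src: str, src_key: bytes, dst: str):
        """Derive k_dst from k_src using only public tokens.
        Returns (key, number_of_hash_computations)."""
        path = self.shortest_path(src, dst)
        if path is None:
            raise PermissionError(f"{src} is not an ancestor of {dst}")
        key, hashes = src_key, 0
        for u, v in zip(path, path[1:]):
            key = xor(self.tokens[(u, v)], kdf(key, v))
            hashes += 1
        return key, hashes


def build_chain(depth: int):
    """A maximally unbalanced hierarchy: a chain C0 -> C1 -> ... -> C(depth-1)."""
    h = AccessHierarchy()
    names = [f"C{i}" for i in range(depth)]
    for n in names:
        h.add_class(n)
    for a, b in zip(names, names[1:]):
        h.add_edge(a, b)
    return h, names


def demo(depth: int = 8, stride: int = 4):
    """Derive the bottom key from the top key before and after adding shortcut
    edges every `stride` levels. Returns (ok_before, hops_before, ok_after, hops_after)."""
    h, names = build_chain(depth)
    top, bottom = names[0], names[-1]
    k_top = h.key_of(top)
    k1, hops1 = h.derive(top, k_top, bottom)
    for i in range(0, depth - stride, stride):
        h.add_edge(names[i], names[i + stride])
    k2, hops2 = h.derive(top, k_top, bottom)
    return k1 == h.key_of(bottom), hops1, k2 == h.key_of(bottom), hops2
```

On a chain of 16 classes, `demo(16, 4)` derives the bottom key in 15 hashes before the shortcuts and 6 after them; a user holding a lower class's key cannot walk upward, because no token exists for that direction, and a wrong starting key yields a wrong (but well-formed) result rather than an error, so the derived key must always be validated by the access check that consumes it.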
Online privacy is an increasingly important problem, as many services are now offered in a digital form. Privacy (or the lack thereof) is of a special concern in subscriptions to large data repositories with heterogeneous information, where the service provider can easily profile its users and sell that information to third parties. In this work we present the design and implementation of a system that closely resembles the current practice of subscriptions to many services such as newspapers, digital libraries, music collections, etc., but at the same time offers anonymous access to the service. As with current practice, in our solution a user subscribes to the service obtaining access to it for a certain period of time, at the end of which the subscription expires.
In our system user access is always anonymous and no two transactions by the same user can be linked together. Moreover, the system assures a high level of protection to the service provider, as a user cannot share her subscription credentials with others without denying herself access to the service. We present experimental results showing that the design of our system results in only small computation overheads, in addition to having very low communication requirements. The main objective of this work is thus to illustrate the practicality of integrating anonymity into today's subscription-based services.
We propose the role-and-relation-based access control (R2BAC) model for workflow systems. In R2BAC, in addition to a user
Today, most public service delivery mechanisms, such as hospitals, police and fire departments, rely exclusively on digital generation, storage and analysis of vital information. To protect critical digital resources, access control mechanisms are employed. The aim is to define rules under which authorized users can access the resources required to perform organizational tasks. These rules or policies define constraints of time and space on digital resources. Natural or man-made disasters pose a unique challenge, whereby previously defined constraints may debilitate the ability of the organization to act to its fullest capability. In this paper we propose to employ contextual parameters, specifically activity context in the form of emergency warnings, to adapt access control policies according to an a priori configuration that allows maximum access to critical resources. We also propose an architecture for the detection of crises in the form of activity context and incorporate it in the policy adaptation framework.
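The abstract above describes rules with time and space constraints, an a priori emergency configuration, and a detector that turns emergency warnings into activity context. The following is an added example, not the paper's architecture: a small policy engine whose normal rules carry a time window and a set of permitted zones, an emergency policy keyed by crisis type that widens access to critical resources only, and a detector that declares a crisis once a quorum of distinct warning sources agree. The roles, resources, zones, the two-source quorum, and the constructed warnings and timestamps are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    action: str
    when: datetime
    location: str


@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    actions: FrozenSet[str]
    window: Tuple[time, time]        # permitted local time window, end exclusive
    locations: FrozenSet[str]        # zones from which access is permitted

    def permits(self, req: Request) -> bool:
        return (req.role == self.role and req.resource == self.resource
                and req.action in self.actions
                and self.window[0] <= req.when.time() < self.window[1]
                and req.location in self.locations)


ALL_DAY = (time.min, time.max)

# Normal operation: constraints of time and space (assumed example rules).
NORMAL_POLICY: List[Rule] = [
    Rule("nurse", "patient_records", frozenset({"read"}), (time(7), time(19)), frozenset({"ward"})),
    Rule("dispatcher", "unit_locations", frozenset({"read"}), ALL_DAY, frozenset({"ops_center"})),
    Rule("clerk", "billing", frozenset({"read", "write"}), (time(9), time(17)), frozenset({"office"})),
]

# A priori emergency configuration keyed by crisis type. It widens access to
# critical resources only; 'billing' is not critical and keeps its normal rule.
EMERGENCY_POLICY: Dict[str, List[Rule]] = {
    "flood": [
        Rule("nurse", "patient_records", frozenset({"read", "write"}), ALL_DAY,
             frozenset({"ward", "triage_tent"})),
        Rule("dispatcher", "unit_locations", frozenset({"read", "write"}), ALL_DAY,
             frozenset({"ops_center", "mobile"})),
    ],
}


@dataclass(frozen=True)
class Warning:
    source: str
    crisis: str
    issued: datetime
    valid_for: timedelta


class CrisisDetector:
    """Derives activity context from emergency warnings: a crisis is active at
    `now` when at least `quorum` distinct sources have unexpired warnings for it.
    The quorum is an assumed guard against one spoofed or mistaken warning
    flipping the whole organisation into crisis mode."""

    def __init__(self, quorum: int = 2) -> None:
        self.quorum = quorum
        self.warnings: List[Warning] = []

    def ingest(self, w: Warning) -> None:
        self.warnings.append(w)

    def active(self, now: datetime) -> Optional[str]:
        live = [w for w in self.warnings if w.issued <= now < w.issued + w.valid_for]
        for crisis in sorted({w.crisis for w in live}):
            if len({w.source for w in live if w.crisis == crisis}) >= self.quorum:
                return crisis
        return None


class PolicyEngine:
    def __init__(self, normal: List[Rule], emergency: Dict[str, List[Rule]],
                 detector: CrisisDetector) -> None:
        self.normal = normal
        self.emergency = emergency
        self.detector = detector

    def decide(self, req: Request) -> Tuple[bool, str]:
        """Returns (allowed, policy in force). Emergency rules are added to,
        not substituted for, the normal rules, so access only ever widens."""
        crisis = self.detector.active(req.when)
        rules = list(self.normal)
        if crisis in self.emergency:
            rules = self.emergency[crisis] + rules
        return any(r.permits(req) for r in rules), crisis or "normal"


def demo():
    det = CrisisDetector(quorum=2)
    engine = PolicyEngine(NORMAL_POLICY, EMERGENCY_POLICY, det)
    t0 = datetime(2024, 5, 1, 22, 0)          # constructed: 22:00 local time
    nurse = Request("nurse", "patient_records", "read", t0, "triage_tent")
    clerk = Request("clerk", "billing", "read", t0, "office")
    before = engine.decide(nurse)             # off-hours, outside the ward
    det.ingest(Warning("river_gauge", "flood", t0 - timedelta(minutes=10), timedelta(hours=6)))
    one_source = engine.decide(nurse)         # a single warning is not enough
    det.ingest(Warning("county_alert", "flood", t0 - timedelta(minutes=5), timedelta(hours=6)))
    during = engine.decide(nurse)             # flood policy in force
    clerk_during = engine.decide(clerk)       # non-critical resource unchanged
    after = engine.decide(Request("nurse", "patient_records", "read",
                                  t0 + timedelta(hours=7), "triage_tent"))  # warnings expired
    return before, one_source, during, clerk_during, after
```

Two points a practitioner would check here: the crisis context expires with the warnings, so the widened access is not left in place after the event, and the emergency configuration is reviewed in advance (it is a priori, not edited during the crisis), which is what makes the temporary widening auditable.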
The notion of spatio-temporal multi-granularity is fundamental when modeling objects in GIS applications, in that it supports the representation of the temporal evolution of these objects. Concepts and issues in multi-granular spatio-temporal representations have been widely investigated by the research community. However, despite the large number of theoretical investigations, no comprehensive approach has been proposed for representing multi-granular spatio-temporal objects in commercially available DBMSs. The goal of the work reported in this paper is to address this gap. To achieve it, the paper first introduces an object-relational model based on the OpenGis specifications described in SQL3. Several extensions are then developed to improve the semantics and behavior of the spatio-temporal data types, introducing an approach to represent the temporal dimension in this model and the multi-representation of spatio-temporal granularities.
Sleep-wake protocols are critical in sensor networks to ensure long-lived operation. However, an open problem is how to develop efficient mechanisms that can be incorporated with sleep-wake protocols to ensure both long-lived operation and a high degree of security. Our contribution in this paper is to address this problem using local monitoring, a powerful technique for detecting and mitigating control and data attacks in sensor networks. In local monitoring, each node oversees part of the traffic going in and out of its neighbors to determine whether the behavior is suspicious, such as an unusually long delay in forwarding a packet. Here, we present a protocol called SLAM that makes local monitoring parsimonious in its energy consumption and integrates it with any extant sleep-wake protocol in the network. The challenge is to enable sleep-wake in a secure manner even in the face of nodes that may be adversarial and may not wake up the nodes responsible for monitoring their traffic. We prove analytically that the security coverage is not weakened by the protocol. We perform simulations in ns-2 to demonstrate that the performance of local monitoring is practically unchanged while listening energy savings of 30 to 129 times are achieved, depending on the network load.
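The first abstract on this page and the SLAM abstract above both describe local monitoring: a guard overhears the traffic handed to a neighbor and flags the neighbor when it fails to forward in time. The following is an added example, not code from either paper: a guard tracks, per watched neighbor and packet, a forwarding deadline; a missed deadline is a strike, and enough strikes isolate the neighbor locally. The `awake` flag shows the failure mode SLAM is built to close: a guard that is asleep while the packets are dropped never sees the misbehavior. The event format, the 0.5 s timeout, the three-strike threshold, and the trace are constructed assumptions, not the protocols' parameters.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Overheard:
    """One transmission a guard overhears in its one-hop neighbourhood
    (constructed event format; not the protocols' message layout)."""
    t: float          # time the transmission was overheard, in seconds
    sender: str
    next_hop: str
    pkt_id: int


class LocalMonitor:
    """A guard that watches its neighbours' forwarding behaviour. A packet handed
    to a watched neighbour creates an obligation to forward it within
    `forward_timeout`; each missed obligation is a strike, and a neighbour with
    `strike_threshold` strikes is locally isolated. Both values are assumed."""

    def __init__(self, watched, forward_timeout: float = 0.5, strike_threshold: int = 3):
        self.watched: Set[str] = set(watched)
        self.timeout = forward_timeout
        self.threshold = strike_threshold
        self.pending: Dict[Tuple[str, int], float] = {}   # (node, pkt) -> deadline
        self.strikes: Dict[str, int] = {n: 0 for n in self.watched}
        self.isolated: Set[str] = set()
        self.awake = True   # a sleeping guard overhears nothing

    def _expire(self, now: float) -> None:
        for key, deadline in list(self.pending.items()):
            if now > deadline:
                node, _ = key
                del self.pending[key]
                self.strikes[node] += 1
                if self.strikes[node] >= self.threshold:
                    self.isolated.add(node)

    def observe(self, ev: Overheard) -> None:
        if not self.awake:
            return
        self._expire(ev.t)
        # A watched neighbour transmitting the packet clears its obligation.
        if ev.sender in self.watched:
            self.pending.pop((ev.sender, ev.pkt_id), None)
        # A packet handed to a watched neighbour creates a new obligation,
        # unless that neighbour is already isolated (its traffic is ignored).
        if ev.next_hop in self.watched and ev.next_hop not in self.isolated:
            self.pending[(ev.next_hop, ev.pkt_id)] = ev.t + self.timeout

    def tick(self, now: float) -> None:
        """Advance the clock without a new observation (a periodic timer)."""
        if self.awake:
            self._expire(now)


# Constructed trace: A hands five packets to B; B forwards only the first one.
TRACE = [
    Overheard(0.0, "A", "B", 1),
    Overheard(0.2, "B", "C", 1),   # forwarded in time
    Overheard(1.0, "A", "B", 2),   # never forwarded
    Overheard(2.0, "A", "B", 3),   # never forwarded
    Overheard(3.0, "A", "B", 4),   # never forwarded
    Overheard(4.0, "A", "B", 5),
]


def run_trace(events, sleep_window: Optional[Tuple[float, float]] = None):
    """Replay a trace through a guard watching B. If `sleep_window` is given,
    the guard sleeps (and overhears nothing) for t in [start, end).
    Returns (strikes against B, whether B was isolated)."""
    guard = LocalMonitor(watched={"B"})
    for ev in events:
        guard.awake = not (sleep_window and sleep_window[0] <= ev.t < sleep_window[1])
        guard.observe(ev)
    guard.awake = True
    guard.tick(events[-1].t + guard.timeout + 1.0)
    return guard.strikes["B"], "B" in guard.isolated
```

With the guard awake throughout, B collects three strikes and is isolated; with the guard asleep from 0.5 s to 3.5 s, the three dropped packets go unobserved and B keeps forwarding privileges. That gap is exactly why a sleep-wake schedule must guarantee that a node's guards are awake while its traffic flows, and why a node cannot be trusted to wake its own guards.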
In multihop wireless systems, the need for cooperation among nodes to relay each other's packets exposes them to a wide range of security attacks. A particularly devastating attack is the wormhole attack, where a malicious node records control traffic at one location and tunnels it to a colluding node, possibly far away, which replays it locally. This can have an adverse effect on route establishment by preventing nodes from discovering legitimate routes that are more than two hops away. Previous works on tolerating wormhole attacks have focused only on detection and used specialized hardware, such as directional antennas or extremely accurate clocks. More recent work has addressed the problem of locally isolating the malicious nodes. However, all of this work has been done in the context of static networks due to the difficulty of secure neighbor discovery with mobile nodes. The existing work on secure neighbor discovery has limitations in accuracy, resource requirements, and applicability to ad hoc and sensor networks. In this paper, we present a countermeasure for the wormhole attack, called MOBIWORP, which alleviates these drawbacks and efficiently mitigates the wormhole attack in mobile networks. MOBIWORP uses a secure central authority (CA) for global tracking of node positions. Local monitoring is used to detect and isolate malicious nodes locally. Additionally, when sufficient suspicion builds up at the CA, it enforces a global isolation of the malicious node from the whole network. The effect of MOBIWORP on the data traffic and the fidelity of detection is brought out through extensive simulation using ns-2. The results show that as time progresses, the data packet drop ratio goes to zero with MOBIWORP, due to its capability to detect, diagnose and isolate malicious nodes. With an appropriate choice of design parameters, MOBIWORP is shown to completely eliminate the framing of a legitimate node by malicious nodes, at the cost of a slight increase in the drop ratio. The results also show that increasing mobility of the nodes degrades the performance of MOBIWORP.
Wireless sensor networks are increasingly being used in applications where the communication between nodes needs to be protected from eavesdropping and tampering. Such protection is typically provided using techniques from symmetric key cryptography. The protocols in this domain suffer from one or more of the following problems: weak security guarantees if some nodes are compromised, lack of scalability, high energy overhead for key management, and increased end-to-end data latency. In this paper, we propose a protocol called SECOS that mitigates these problems in static sensor networks. SECOS divides the sensor field into control groups, each with a control node (the control head). Data exchange between nodes within a control group happens through the mediation of the control head, which provides the common key. The keys are refreshed periodically and the control heads are changed periodically to enhance security. SECOS enhances the survivability of the network by handling the compromise and failure of control heads. It guarantees that the communication between any two sensor nodes remains secure despite the compromise of any number of other nodes in the network. Experiments based on a simulation model show a sevenfold reduction in energy overhead and a 50% reduction in latency compared to SPINS, one of the state-of-the-art protocols for key management in sensor networks.