Your search keyword '"C.2.0"' showing total 42 results

1. Penetrating Shields: A Systematic Analysis of Memory Corruption Mitigations in the Spectre Era

Author

Na, Weon Taek, Emer, Joel S., and Yan, Mengjia

Subjects

Computer Science - Cryptography and Security, Computer Science - Hardware Architecture, K.6.5, D.4.6, C.2.0

Abstract

This paper provides the first systematic analysis of a synergistic threat model encompassing memory corruption vulnerabilities and microarchitectural side-channel vulnerabilities. We study speculative shield bypass attacks that leverage speculative execution attacks to leak secrets that are critical to the security of memory corruption mitigations (i.e., the shields), and then use the leaked secrets to bypass the mitigation mechanisms and successfully conduct memory corruption exploits, such as control-flow hijacking. We start by systematizing a taxonomy of the state-of-the-art memory corruption mitigations focusing on hardware-software co-design solutions. The taxonomy helps us to identify 10 likely vulnerable defense schemes out of 20 schemes that we analyze. Next, we develop a graph-based model to analyze the 10 likely vulnerable defenses and reason about possible countermeasures. Finally, we present three proof-of-concept attacks targeting an already-deployed mitigation mechanism and two state-of-the-art academic proposals., Comment: 14 pages

Published

2023

2. Information Leakage from Optical Emanations

Author

Loughry, Joe and Umphress, David A.

Subjects

Computer Science - Cryptography and Security, Electrical Engineering and Systems Science - Signal Processing, C.2.0, D.4.6, E.3, K.6.5

Abstract

A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Physical access is not required; the attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable. A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of "Optical TEMPEST" attack., Comment: 26 pages, 11 figures

Published

2023

3. Crypto-ransomware detection using machine learning models in file-sharing network scenario with encrypted traffic

Author

Berrueta, Eduardo, Morato, Daniel, Magaña, Eduardo, and Izal, Mikel

Subjects

Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture, C.2.0, D.4.6

Abstract

Ransomware is considered as a significant threat for most enterprises since the past few years. In scenarios wherein users can access all files on a shared server, one infected host can lock the access to all shared files. We propose a tool to detect ransomware infection based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. The proposal is designed to work for clear text and for encrypted file-sharing protocols. We compare three machine learning models and choose the best for validation. We train and test the detection model using more than 70 ransomware binaries from 26 different strains and more than 2500 hours of not infected traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries, including those not used in training phase (unseen). This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected., Comment: 26 pages, 9 figures

Published

2022

4. On the Analysis of MUD-Files' Interactions, Conflicts, and Configuration Requirements Before Deployment

Author

Andalibi, Vafa, Lear, Eliot, Kim, DongInn, and Camp, L. Jean

Subjects

Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture, C.2.0, D.4.6

Abstract

Manufacturer Usage Description (MUD) is an Internet Engineering Task Force (IETF) standard designed to protect IoT devices and networks by creating an out-of-the-box access control list for an IoT device. %The protocol defines a conceptually straightforward method to implement an isolation-based defensive mechanism based on the rules that are introduced by the manufacturer of the device. However, in practice, the access control list of each device is defined in its MUD-File and may contain possibly hundreds of access control rules. As a result, reading and validating these files is a challenge; and determining how multiple IoT devices interact is difficult for the developer and infeasible for the consumer. To address this we introduce the MUD-Visualizer to provide a visualization of any number of MUD-Files. MUD-Visualizer is designed to enable developers to produce correct MUD-Files by providing format correction, integrating them with other MUD-Files, and identifying conflicts through visualization. MUD-Visualizer is scalable and its core task is to merge and illustrate ACEs for multiple devices; both within and beyond the local area network. MUD-Visualizer is made publicly available and can be found on GitHub., Comment: 22 pages, 6 figures, 3 algorithms, To be published in 5th EAI International Conference on Safety and Security in Internet of Things (SaSeIoT)

Published

2021

5. Secure Distribution of Protected Content in Information-Centric Networking

Author

Bilal, Muhammad and Pack, Sangheon

Subjects

Computer Science - Networking and Internet Architecture, Computer Science - Cryptography and Security, Computer Science - Distributed, Parallel, and Cluster Computing, C.2.0, C.2.2, C.2.4, K.6.5, K.6.m, D.4.6, K.4.2, C.2.0, C.2.2, C.2.4, K.6.5, K.6.m, D.4.6, K.4.2

Abstract

The benefits of the ubiquitous caching in ICN are profound, such features make ICN promising for content distribution, but it also introduces a challenge to content protection against the unauthorized access. The protection of a content against unauthorized access requires consumer authentication and involves the conventional end-to-end encryption. However, in information-centric networking (ICN), such end-to-end encryption makes the content caching ineffective since encrypted contents stored in a cache are useless for any consumers except those who know the encryption key. For effective caching of encrypted contents in ICN, we propose a secure distribution of protected content (SDPC) scheme, which ensures that only authenticated consumers can access the content. SDPC is lightweight and allows consumers to verify the originality of the published content by using a symmetric key encryption. Moreover, SDPC naming scheme provides protection against privacy leakage. The security of SDPC was proved with the BAN logic and Scyther tool verification, and simulation results show that SDPC can reduce the content download delay., Comment: 15 pages, 8 figures, This article is an enhancement version of journal article published in IEEE Systems Journal, DOI: 10.1109/JSYST.2019.2931813. arXiv admin note: text overlap with arXiv:1808.03289

Published

2019

6. Optical TEMPEST

Author

Loughry, Joe

Subjects

Computer Science - Cryptography and Security, C.2.0, D.4.6, E.3, K.6.5

Abstract

Research on optical TEMPEST has moved forward since 2002 when the first pair of papers on the subject emerged independently and from widely separated locations in the world within a week of each other. Since that time, vulnerabilities have evolved along with systems, and several new threat vectors have consequently appeared. Although the supply chain ecosystem of Ethernet has reduced the vulnerability of billions of devices through use of standardised PHY solutions, other recent trends including the Internet of Things (IoT) in both industrial settings and the general population, High Frequency Trading (HFT) in the financial sector, the European General Data Protection Regulation (GDPR), and inexpensive drones have made it relevant again for consideration in the design of new products for privacy. One of the general principles of security is that vulnerabilities, once fixed, sometimes do not stay that way., Comment: 6 pages, 2 figures; accepted to the International Symposium and Exhibition on Electromagnetic Compatibility (EMC Europe 2018), 27--30 August 2018, in Amsterdam, The Netherlands

Published

2018

7. Effective Caching for the Secure Content Distribution in Information-Centric Networking

Author

Bilal, Muhammad, Kang, Shin-Gak, and Pack, Sangheon

Subjects

Computer Science - Cryptography and Security, Computer Science - Distributed, Parallel, and Cluster Computing, Computer Science - Networking and Internet Architecture, 94A62, 94A60, 68P25, 68M12, 68M14, 68M10, 14G50, C.2.0, C.2.2, C.2.4, K.6.5, K.6.m, D.4.6, K.4.2

Abstract

The secure distribution of protected content requires consumer authentication and involves the conventional method of end-to-end encryption. However, in information-centric networking (ICN) the end-to-end encryption makes the content caching ineffective since encrypted content stored in a cache is useless for any consumer except those who know the encryption key. For effective caching of encrypted content in ICN, we propose a novel scheme, called the Secure Distribution of Protected Content (SDPC). SDPC ensures that only authenticated consumers can access the content. The SDPC is a lightweight authentication and key distribution protocol; it allows consumer nodes to verify the originality of the published article by using a symmetric key encryption. The security of the SDPC was proved with BAN logic and Scyther tool verification., Comment: 7 pages, 9 figures, 2018 IEEE 87th Vehicular Technology Conference (VTC Spring)

Published

2018

8. An Authentication Protocol for Future Sensor Networks

Author

Bilal, Muhammad and Kang, Shin-Gak

Subjects

Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture, 94A62, 94A60, 68P25, 68M12, 68M14, 68M10, 14G50, C.2.0, C.2.2, C.2.4, K.6.5, K.6.m, D.4.6, K.4.2

Abstract

Authentication is one of the essential security services in Wireless Sensor Networks (WSNs) for ensuring secure data sessions. Sensor node authentication ensures the confidentiality and validity of data collected by the sensor node, whereas user authentication guarantees that only legitimate users can access the sensor data. In a mobile WSN, sensor and user nodes move across the network and exchange data with multiple nodes, thus experiencing the authentication process multiple times. The integration of WSNs with Internet of Things (IoT) brings forth a new kind of WSN architecture along with stricter security requirements; for instance, a sensor node or a user node may need to establish multiple concurrent secure data sessions. With concurrent data sessions, the frequency of the re-authentication process increases in proportion to the number of concurrent connections, which makes the security issue even more challenging. The currently available authentication protocols were designed for the autonomous WSN and do not account for the above requirements. In this paper, we present a novel, lightweight and efficient key exchange and authentication protocol suite called the Secure Mobile Sensor Network (SMSN) Authentication Protocol. In the SMSN a mobile node goes through an initial authentication procedure and receives a re-authentication ticket from the base station. Later a mobile node can use this re-authentication ticket when establishing multiple data exchange sessions and/or when moving across the network. This scheme reduces the communication and computational complexity of the authentication process. We proved the strength of our protocol with rigorous security analysis and simulated the SMSN and previously proposed schemes in an automated protocol verifier tool. Finally, we compared the computational complexity and communication cost against well-known authentication protocols., Comment: This article is accepted for the publication in "Sensors" journal. 29 pages, 15 figures

Published

2017

9. Guardian of the HAN: Thwarting Mobile Attacks on Smart-Home Devices Using OS-level Situation Awareness

Author

Demetriou, Soteris, Zhang, Nan, Lee, Yeonjoon, Wang, Xiaofeng, Gunter, Carl, Zhou, Xiaoyong, and Grace, Michael

Subjects

Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture, C.2.0, D.4.6

Abstract

A new development of smart-home systems is to use mobile apps to control IoT devices across a Home Area Network (HAN). Those systems tend to rely on the Wi-Fi router to authenticate other devices; as verified in our study, IoT vendors tend to trust all devices connected to the HAN. This treatment exposes them to the attack from malicious apps, particularly those running on authorized phones, which the router does not have information to control, as confirmed in our measurement study. Mitigating this threat cannot solely rely on IoT manufacturers, which may need to change the hardware on the devices to support encryption, increasing the cost of the device, or software developers who we need to trust to implement security correctly. In this work, we present a new technique to control the communication between the IoT devices and their apps in a unified, backward-compatible way. Our approach, called Hanguard, does not require any changes to the IoT devices themselves, the IoT apps or the OS of the participating phones. Hanguard achieves a fine-grained, per-app protection through bridging the OS-level situation awareness and the router-level per-flow control: each phone runs a non-system userspace Monitor app to identify the party that attempts to access the protected IoT device and inform the router through a control plane of its access decision; the router enforces the decision on the data plane after verifying whether the phone should be allowed to talk to the device. Hanguard uses a role-based access control (RBAC) schema which leverages type enforcement (TE) and multi-category security (MCS) primitives to define highly flexible access control rules. We implemented our design over both Android and iOS (>95% of mobile OS market share) and a popular router. Our study shows that Hanguard is both efficient and effective in practice.

Published

2017

10. Security and Privacy of performing Data Analytics in the cloud - A three-way handshake of Technology, Policy, and Management

Author

Rastogi, Nidhi, Gloria, Marie Joan Kristine, and Hendler, James

Subjects

Computer Science - Distributed, Parallel, and Cluster Computing, Computer Science - Computers and Society, Computer Science - Networking and Internet Architecture, C.2.0, D.4.6, K.4.1, C.2.4

Abstract

Cloud platform came into existence primarily to accelerate IT delivery and to promote innovation. To this point, it has performed largely well to the expectations of technologists, businesses and customers. The service aspect of this technology has paved the road for a faster set up of infrastructure and related goals for both startups and established organizations. This has further led to quicker delivery of many user-friendly applications to the market while proving to be a commercially viable option to companies with limited resources. On the technology front, the creation and adoption of this ecosystem has allowed easy collection of massive data from various sources at one place, where the place is sometimes referred as just the cloud. Efficient data mining can be performed on raw data to extract potentially useful information, which was not possible at this scale before. Targeted advertising is a common example that can help businesses. Despite these promising offerings, concerns around security and privacy of user information suppressed wider acceptance and an all-encompassing deployment of the cloud platform. In this paper, we discuss security and privacy concerns that occur due to data exchanging hands between a cloud servicer provider (CSP) and the primary cloud user - the data collector, from the content generator. We offer solutions that encompass technology, policy and sound management of the cloud service asserting that this approach has the potential to provide a holistic solution., Comment: 28 pages, 3 figures, Journal of Information Privacy

Published

2017

11. Graph Analytics for anomaly detection in homogeneous wireless networks - A Simulation Approach

Author

Rastogi, Nidhi and Hendler, James

Subjects

Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture, C.2.0, D.4.6

Abstract

In the Internet of Things (IoT) devices are exposed to various kinds of attacks when connected to the Internet. An attack detection mechanism that understands the limitations of these severely resource-constrained devices is necessary. This is important since current approaches are either customized for wireless networks or for the conventional Internet with heavy data transmission. Also, the detection mechanism need not always be as sophisticated. Simply signaling that an attack is taking place may be enough in some situations, for example in NIDS using anomaly detection. In graph networks, central nodes are the nodes that bear the most influence in the network. The purpose of this research is to explore experimentally the relationship between the behavior of central nodes and anomaly detection when an attack spreads through a network. As a result, we propose a novel anomaly detection approach using this unique methodology which has been unexplored so far in communication networks. Also, in the experiment, we identify presence of an attack originating and propagating throughout a network of IoT using our methodology., Comment: 5 pages, 4 figures, ICCWS

Published

2017

12. WhatsApp security and role of metadata in preserving privacy

Author

Rastogi, Nidhi and Hendler, James

Subjects

Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture, Computer Science - Social and Information Networks, C.2.0, D.4.6

Abstract

WhatsApp messenger is arguably the most popular mobile app available on all smart-phones. Over one billion people worldwide for free messaging, calling, and media sharing use it. In April 2016, WhatsApp switched to a default end-to-end encrypted service. This means that all messages (SMS), phone calls, videos, audios, and any other form of information exchanged cannot be read by any unauthorized entity since WhatsApp. In this paper we analyze the WhatsApp messaging platform and critique its security architecture along with a focus on its privacy preservation mechanisms. We report that the Signal Protocol, which forms the basis of WhatsApp end-to-end encryption, does offer protection against forward secrecy, and MITM to a large extent. Finally, we argue that simply encrypting the end-to-end channel cannot preserve privacy. The metadata can reveal just enough information to show connections between people, their patterns, and personal information. This paper elaborates on the security architecture of WhatsApp and performs an analysis on the various protocols used. This enlightens us on the status quo of the app security and what further measures can be used to fill existing gaps without compromising the usability. We start by describing the following (i) important concepts that need to be understood to properly understand security, (ii) the security architecture, (iii) security evaluation, (iv) followed by a summary of our work. Some of the important concepts that we cover in this paper before evaluating the architecture are - end-to-end encryption (E2EE), signal protocol, and curve25519. The description of the security architecture covers key management, end-to-end encryption in WhatsApp, Authentication Mechanism, Message Exchange, and finally the security evaluation. We then cover importance of metadata and role it plays in conserving privacy with respect to whatsapp., Comment: 8 pages, 2 figures

Published

2017

13. Security-related Research in Ubiquitous Computing -- Results of a Systematic Literature Review

Author

Kušen, Ema and Strembeck, Mark

Subjects

Computer Science - Cryptography and Security, Computer Science - Distributed, Parallel, and Cluster Computing, C.2.0, D.4.6, K.4.1, K.4.2, K.6.5

Abstract

In an endeavor to reach the vision of ubiquitous computing where users are able to use pervasive services without spatial and temporal constraints, we are witnessing a fast growing number of mobile and sensor-enhanced devices becoming available. However, in order to take full advantage of the numerous benefits offered by novel mobile devices and services, we must address the related security issues. In this paper, we present results of a systematic literature review (SLR) on security-related topics in ubiquitous computing environments. In our study, we found 5165 scientific contributions published between 2003 and 2015. We applied a systematic procedure to identify the threats, vulnerabilities, attacks, as well as corresponding defense mechanisms that are discussed in those publications. While this paper mainly discusses the results of our study, the corresponding SLR protocol which provides all details of the SLR is also publicly available for download.

Published

2017

14. Two factor authentication using EEG augmented passwords

Author

Švogor, Ivan and Kišasondi, Tonimir

Subjects

Computer Science - Cryptography and Security, Computer Science - Human-Computer Interaction, C.2.0, D.4.6, H.5.2

Abstract

The current research with EEG devices in the user authentication context has some deficiencies that address expensive equipment, the requirement of laboratory conditions and applicability. In this paper we address this issue by using widely available and inexpensive EEG device to verify its capability for authentication. As a part of this research, we developed two phase authentication that enables users to enhance their password with the mental state by breaking the password into smaller, marry them with mental state, and generate one time pad for a secure session., Comment: Preliminary communication

Published

2016

15. A Survey on Honeypot Software and Data Analysis

Author

Nawrocki, Marcin, Wählisch, Matthias, Schmidt, Thomas C., Keil, Christian, and Schönfelder, Jochen

Subjects

Computer Science - Cryptography and Security, Computer Science - Networking and Internet Architecture, C.2.0, C.2.2, C.2.3, C.2.6, D.4.6, K.6.5

Abstract

In this survey, we give an extensive overview on honeypots. This includes not only honeypot software but also methodologies to analyse honeypot data.

Published

2016

16. Open Mobile API: Accessing the UICC on Android Devices

Author

Roland, Michael and Hölzl, Michael

Subjects

Computer Science - Cryptography and Security, Computer Science - Operating Systems, C.2.0, C.3, C.5.3, D.2.7, D.4.6

Abstract

This report gives an overview of secure element integration into Android devices. It focuses on the Open Mobile API as an open interface to access secure elements from Android applications. The overall architecture of the Open Mobile API is described and current Android devices are analyzed with regard to the availability of this API. Moreover, this report summarizes our efforts of reverse engineering the stock ROM of a Samsung Galaxy S3 in order to analyze the integration of the Open Mobile API and the interface that is used to perform APDU-based communication with the UICC (Universal Integrated Circuit Card). It further provides a detailed explanation on how to integrate this functionality into CyanogenMod (an after-market firmware for Android devices)., Comment: University of Applied Sciences Upper Austria, JR-Center u'smile, Technical report, 76 pages, 12 figures

Published

2016

17. Security Evaluation for Mail Distribution Systems

Author

Rizopoulos, Antonis S., Kallergis, Dimitrios N., and Prezerakos, George N.

Subjects

Computer Science - Cryptography and Security, Computer Science - Computers and Society, 68M12, C.2.0, C.2.2, D.4.6, H.3.4

Abstract

The security evaluation for Mail Distribution Systems focuses on certification and reliability of sensitive data between mail servers. The need to certify the information conveyed is a result of known weaknesses in the simple mail transfer protocol (SMTP). The most important consequence of these weaknesses is the possibility to mislead the recipient, which is achieved via spam (especially email spoofing). Email spoofing refers to alterations in the headers and/or the content of the message. Therefore, the authenticity of the message is compromised. Unfortunately, the broken link between certification and reliability of the information is unsolicited email (spam). Unlike the current practice of estimating the cost of spam, which prompts organizations to purchase and maintain appropriate anti-spam software, our approach offers an alternative perspective of the economic and moral consequences of unsolicited mail. The financial data provided in this paper show that spam is a major contributor to the financial and production cost of an organization, necessitating further attention. Additionally, this paper highlights the importance and severity of the weaknesses of the SMTP protocol, which can be exploited even with the use of simple applications incorporated within most commonly used Operating Systems (e.g. Telnet). As a consequence of these drawbacks Mail Distribution Systems need to be appropriate configured so as to provide the necessary security services to the users., Comment: 6 pages, eRA 5th International Scientific Conference, September 15-18 2010, Piraeus, Greece

Published

2014

18. Blind and robust images watermarking based on wavelet and edge insertion

Author

Razafindradina, Henri Bruno and Karim, Attoumani Mohamed

Subjects

Computer Science - Multimedia, Computer Science, K.6.5, C.2.0, D.4.6

Abstract

This paper gives a new scheme of watermarking technique related to insert the mark by adding edge in HH sub-band of the host image after wavelet decomposition. Contrary to most of the watermarking algorithms in wavelet domain, our method is blind and results show that it is robust against the JPEG and GIF compression, histogram and spectrum spreading, noise adding and small rotation. Its robustness against compression is better than others watermarking algorithms reported in the literature. The algorithm is flexible because its capacity or robustness can be improved by modifying some parameters., Comment: 8 pages

Published

2013

19. Network Access Control Technology - Proposition to contain new security challenges

Author

Lakbabi, Abdelmajid, Orhanou, Ghizlane, and Hajji, Said El

Subjects

Computer Science - Cryptography and Security, D.4.6, C.2.0

Abstract

Traditional products working independently are no longer sufficient, since threats are continually gaining in complexity, diversity and performance; In order to proactively block such threats we need more integrated information security solution. To achieve this objective, we will analyze a real-world security platform, and focus on some key components Like, NAC, Firewall, and IPS/IDS then study their interaction in the perspective to propose a new security posture that coordinate and share security information between different network security components, using a central policy server that will be the NAC server or the PDP (the Policy Decision Point), playing an orchestration role as a central point of control. Finally we will conclude with potential research paths that will impact NAC technology evolution., Comment: 7 pages, 7 figures

Published

2013

20. High-Speed Signature Matching in Network Interface Device using Bloom Filters

Author

P, Arun Kumar S

Subjects

Computer Science - Networking and Internet Architecture, C.2.0, C.2.5, D.4.6, K.4.4

Abstract

Network intrusion detection systems play a critical role in protecting the information infrastructure of an organization. Due to the sophistication and complexity of techniques used for the analysis they are commonly based on general-purpose workstations. Although cost-efficient, these general-purpose systems are found to be inadequate as they are unable to perform efficiently at high packet rates. The resulting packet loss degrades the system's overall effectiveness, as the analyzing capability of the system is reduced. It has been found that the performance of these sensors can be improved significantly by filtering out unwanted packets. This paper presents the design of a Programmable Ethernet Interface Card that is used to offload signature matching from software and thereby improve the detection ratio and performance of the system., Comment: Pre-print version. International Joint Journal Conference in Engineering, IJJCE 2009

Published

2009

21. Side-channel attack on labeling CAPTCHAs

Author

Hernandez-Castro, Carlos Javier, Ribagorda, Arturo, and Saez, Yago

Subjects

Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition, Computer Science - Computers and Society, Computer Science - Human-Computer Interaction, C.2.0, D.4.6, K.4.4, K.6.5, H.1.2

Abstract

We propose a new scheme of attack on the Microsoft's ASIRRA CAPTCHA which represents a significant shortcut to the intended attacking path, as it is not based in any advance in the state of the art on the field of image recognition. After studying the ASIRRA Public Corpus, we conclude that the security margin as stated by their authors seems to be quite optimistic. Then, we analyze which of the studied parameters for the image files seems to disclose the most valuable information for helping in correct classification, arriving at a surprising discovery. This represents a completely new approach to breaking CAPTCHAs that can be applied to many of the currently proposed image-labeling algorithms, and to prove this point we show how to use the very same approach against the HumanAuth CAPTCHA. Lastly, we investigate some measures that could be used to secure the ASIRRA and HumanAuth schemes, but conclude no easy solutions are at hand.

Published

2009

22. Service Cloaking and Authentication at Data Link Layer

Author

P, Arun Kumar S

Subjects

Computer Science - Networking and Internet Architecture, Computer Science - Cryptography and Security, C.2.0, C.2.5, D.4.6, K.4.4

Abstract

This paper discusses that there is significant benefit in providing stronger security at lower layers of the network stack for hosts connected to a network. It claims to reduce the attack vulnerability of a networked host by providing security mechanisms in a programmable Network Interface Card (NIC). Dynamic access control mechanisms are implemented in hardware to restrict access to the services provided, only to authenticated hosts. This reduces server vulnerability to various layer 2 attacks. Also the services will be immune to zero-day vulnerabilities due to the minimal code execution paths. To this end, it presents architecture and implementation details of a programmable network interface card equipped with these measures. It works alongside, and augments, existing security protocols making deployment practical.

Published

2008

23. Secure Fractal Image Coding

Author

Lian, Shiguo

Subjects

Computer Science - Multimedia, Computer Science - Cryptography and Security, C.2.0, D.2.11, D.4.6

Abstract

In recent work, various fractal image coding methods are reported, which adopt the self-similarity of images to compress the size of images. However, till now, no solutions for the security of fractal encoded images have been provided. In this paper, a secure fractal image coding scheme is proposed and evaluated, which encrypts some of the fractal parameters during fractal encoding, and thus, produces the encrypted and encoded image. The encrypted image can only be recovered by the correct key. To keep secure and efficient, only the suitable parameters are selected and encrypted through in-vestigating the properties of various fractal parameters, including parameter space, parameter distribu-tion and parameter sensitivity. The encryption process does not change the file format, keeps secure in perception, and costs little time or computational resources. These properties make it suitable for secure image encoding or transmission., Comment: 21 pages, 8 figures. To be submitted

Published

2007

24. CANE: The Content Addressed Network Environment

Author

Gardner-Stephen, Paul

Subjects

Computer Science - Networking and Internet Architecture, Computer Science - Cryptography and Security, Computer Science - Distributed, Parallel, and Cluster Computing, C.2.0, C.2.2, C.2.4, D.4.2, D.4.3, D.4.4, D.4.6, D.4.7, E.2, E.3, E.5, H.1.2, H.2.4, H.3.2, H.3.4, H.5.2, I.3.2, I.3.3, I.3.6

Abstract

The fragmented nature and asymmetry of local and remote file access and network access, combined with the current lack of robust authenticity and privacy, hamstrings the current internet. The collection of disjoint and often ad-hoc technologies currently in use are at least partially responsible for the magnitude and potency of the plagues besetting the information economy, of which spam and email borne virii are canonical examples. The proposed replacement for the internet, Internet Protocol Version 6 (IPv6), does little to tackle these underlying issues, instead concentrating on addressing the technical issues of a decade ago. This paper introduces CANE, a Content Addressed Network Environment, and compares it against current internet and related technologies. Specifically, CANE presents a simple computing environment in which location is abstracted away in favour of identity, and trust is explicitly defined. Identity is cryptographically verified and yet remains pervasively open in nature. It is argued that this approach is capable of being generalised such that file storage and network access can be unified and subsequently combined with human interfaces to result in a Unified Theory of Access, which addresses many of the significant problems besetting the internet community of the early 21st century., Comment: 18 pages, 1 figure

Published

2007

25. On the Performance of Joint Fingerprint Embedding and Decryption Scheme

Author

Lian, Shiguo, Liu, Zhongxuan, Ren, Zhen, and Wang, Haila

Subjects

Computer Science - Multimedia, Computer Science - Cryptography and Security, C.2.0, D.2.11, D.4.6

Abstract

Till now, few work has been done to analyze the performances of joint fingerprint embedding and decryption schemes. In this paper, the security of the joint fingerprint embedding and decryption scheme proposed by Kundur et al. is analyzed and improved. The analyses include the security against unauthorized customer, the security against authorized customer, the relationship between security and robustness, the relationship between secu-rity and imperceptibility and the perceptual security. Based these analyses, some means are proposed to strengthen the system, such as multi-key encryp-tion and DC coefficient encryption. The method can be used to analyze other JFD schemes. It is expected to provide valuable information to design JFD schemes., Comment: 10 pages,9 figures. To be submitted

Published

2007

26. A Comparison of Secret Sharing Schemes Based on Latin Squares and RSA

Author

Wagner, Liam

Subjects

Computer Science - Cryptography and Security, Computer Science - Discrete Mathematics, Mathematics - Combinatorics, C.2.0, D.4.6, H.2.0, H.2.7

Abstract

In recent years there has been a great deal of work done on secret sharing scehemes. Secret Sharing Schemes allow for the division of keys so that an authorised set of users may access information. In this paper we wish to present a critical comparison of two of these schemes based on Latin Squares, [Cooper et., al.] and RSA [Shoup]. These two protocols will be examined in terms of their positive and negative aspects of their secuirty.

Published

2003

27. ODP channel objects that provide services transparently for distributing processing systems

Author

Eaves, Walter

Subjects

Computer Science - Distributed, Parallel, and Cluster Computing, Computer Science - Operating Systems, C.2.0, C.2.4, D.4.7, H.5.1, K.6.4, D.4.6

Abstract

This paper describes an architecture for a distributing processing system that would allow remote procedure calls to invoke other services as messages are passed between clients and servers. It proposes that an additional class of data processing objects be located in the software communications channel. The objects in this channel would then be used to enforce protocols on client-server applications without any additional effort by the application programmers. For example, services such as key-management, time-stamping, sequencing and encryption can be implemented at different levels of the software communications stack to provide a complete authentication service. A distributing processing environment could be used to control broadband network data delivery. Architectures and invocation semantics are discussed, Example classes and interfaces for channel objects are given in the Java programming language., Comment: 35 pages, 10 figures

Published

1999

28. Security Policy Specification Using a Graphical Approach

Author

Hoagland, James A., Pandey, Raju, and Levitt, Karl N.

Subjects

Computer Science - Cryptography and Security, c.2.0, D.4.6

Abstract

A security policy states the acceptable actions of an information system, as the actions bear on security. There is a pressing need for organizations to declare their security policies, even informal statements would be better than the current practice. But, formal policy statements are preferable to support (1) reasoning about policies, e.g., for consistency and completeness, (2) automated enforcement of the policy, e.g., using wrappers around legacy systems or after the fact with an intrusion detection system, and (3) other formal manipulation of policies, e.g., the composition of policies. We present LaSCO, the Language for Security Constraints on Objects, in which a policy consists of two parts: the domain (assumptions about the system) and the requirement (what is allowed assuming the domain is satisfied). Thus policies defined in LaSCO have the appearance of conditional access control statements. LaSCO policies are specified as expressions in logic and as directed graphs, giving a visual view of policy. LaSCO has a simple semantics in first order logic (which we provide), thus permitting policies we write, even for complex policies, to be very perspicuous. LaSCO has syntax to express many of the situations we have found to be useful on policies or, more interesting, the composition of policies. LaSCO has an object-oriented structure, permitting it to be useful to describe policies on the objects and methods of an application written in an object-oriented language, in addition to the traditional policies on operating system objects. A LaSCO specification can be automatically translated into executable code that checks an invocation of a program with respect to a policy. The implementation of LaSCO is in Java, and generates wrappers to check Java programs with respect to a policy., Comment: 28 pages, 22 figures, in color (but color is not essential for viewing); UC Davis CS department technical report (July 22, 1998)

Published

1998

29. Information Leakage from Optical Emanations

Author

Joe Loughry and David Umphress

Subjects

Signal Processing (eess.SP), FOS: Computer and information sciences, Computer Science - Cryptography and Security, General Computer Science, Computer science, E.3, Covert channel, Computer security, computer.software_genre, Encryption, Communications security, law.invention, C.2.0, law, K.6.5, Internet Protocol, FOS: Electrical engineering, electronic engineering, information engineering, Electrical Engineering and Systems Science - Signal Processing, Safety, Risk, Reliability and Quality, Block (data storage), business.industry, Plaintext, D.4.6, Information leakage, Tempest, business, computer, Cryptography and Security (cs.CR), Computer network

Abstract

A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Physical access is not required; the attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable. A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of "Optical TEMPEST" attack., 26 pages, 11 figures

Published

2023

30. Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic

Author

Eduardo Magaña, Eduardo Berrueta, Daniel Morato, Mikel Izal, Universidad Pública de Navarra. Departamento de Ingeniería Eléctrica, Electrónica y de Comunicación, Nafarroako Unibertsitate Publikoa. Ingeniaritza Elektriko, Elektroniko eta Telekomunikazio Saila, and Universidad Pública de Navarra / Nafarroako Unibertsitate Publikoa

Subjects

Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, Computer Science - Cryptography and Security, General Engineering, C.2.0, D.4.6, Network security, Computer Science Applications, Computer Science - Networking and Internet Architecture, Crypto-ransomware, Artificial Intelligence, File-sharing traffic, Cryptography and Security (cs.CR)

Abstract

Ransomware is considered as a significant threat for most enterprises since the past few years. In scenarios wherein users can access all files on a shared server, one infected host can lock the access to all shared files. We propose a tool to detect ransomware infection based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. The proposal is designed to work for clear text and for encrypted file-sharing protocols. We compare three machine learning models and choose the best for validation. We train and test the detection model using more than 70 ransomware binaries from 26 different strains and more than 2500 hours of not infected traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries, including those not used in training phase (unseen). This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected., 26 pages, 9 figures

Published

2022

31. Levels of Anonymity

Author

Flinn, Bill, Maurer, Hermann, Maurer, Hermann, editor, Calude, Cristian, editor, and Salomaa, Arto, editor

Published

1996

32. Secure Distribution of Protected Content in Information-Centric Networking

Author

Sangheon Pack and Muhammad Bilal

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer Networks and Communications, Computer science, 0211 other engineering and technologies, K.4.2, Access control, 02 engineering and technology, Encryption, Computer security, computer.software_genre, K.6.m, Computer Science - Networking and Internet Architecture, C.2.2, Information-centric networking, C.2.0, K.6.5, C.2.4, Electrical and Electronic Engineering, C.2.0, C.2.2, C.2.4, K.6.5, K.6.m, D.4.6, K.4.2, Networking and Internet Architecture (cs.NI), Authentication, 021103 operations research, business.industry, D.4.6, Computer Science Applications, Symmetric-key algorithm, Computer Science - Distributed, Parallel, and Cluster Computing, Control and Systems Engineering, The Internet, Distributed, Parallel, and Cluster Computing (cs.DC), Cache, business, Cryptography and Security (cs.CR), computer, 5G, Information Systems

Abstract

The benefits of the ubiquitous caching in ICN are profound, such features make ICN promising for content distribution, but it also introduces a challenge to content protection against the unauthorized access. The protection of a content against unauthorized access requires consumer authentication and involves the conventional end-to-end encryption. However, in information-centric networking (ICN), such end-to-end encryption makes the content caching ineffective since encrypted contents stored in a cache are useless for any consumers except those who know the encryption key. For effective caching of encrypted contents in ICN, we propose a secure distribution of protected content (SDPC) scheme, which ensures that only authenticated consumers can access the content. SDPC is lightweight and allows consumers to verify the originality of the published content by using a symmetric key encryption. Moreover, SDPC naming scheme provides protection against privacy leakage. The security of SDPC was proved with the BAN logic and Scyther tool verification, and simulation results show that SDPC can reduce the content download delay., 15 pages, 8 figures, This article is an enhancement version of journal article published in IEEE Systems Journal, DOI: 10.1109/JSYST.2019.2931813. arXiv admin note: text overlap with arXiv:1808.03289

Published

2019

33. Effective Caching for the Secure Content Distribution in Information-Centric Networking

Author

Shin-Gak Kang, Sangheon Pack, and Muhammad Bilal

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer science, Key distribution, K.4.2, 02 engineering and technology, Encryption, K.6.m, 94A62, 94A60, 68P25, 68M12, 68M14, 68M10, 14G50, Computer Science - Networking and Internet Architecture, C.2.2, Information-centric networking, C.2.0, K.6.5, 0202 electrical engineering, electronic engineering, information engineering, C.2.4, Protocol (object-oriented programming), Networking and Internet Architecture (cs.NI), Authentication, business.industry, 020206 networking & telecommunications, D.4.6, Symmetric-key algorithm, Computer Science - Distributed, Parallel, and Cluster Computing, Key (cryptography), 020201 artificial intelligence & image processing, The Internet, Cache, Distributed, Parallel, and Cluster Computing (cs.DC), business, Cryptography and Security (cs.CR), Computer network

Abstract

The secure distribution of protected content requires consumer authentication and involves the conventional method of end-to-end encryption. However, in information-centric networking (ICN) the end-to-end encryption makes the content caching ineffective since encrypted content stored in a cache is useless for any consumer except those who know the encryption key. For effective caching of encrypted content in ICN, we propose a novel scheme, called the Secure Distribution of Protected Content (SDPC). SDPC ensures that only authenticated consumers can access the content. The SDPC is a lightweight authentication and key distribution protocol; it allows consumer nodes to verify the originality of the published article by using a symmetric key encryption. The security of the SDPC was proved with BAN logic and Scyther tool verification., Comment: 7 pages, 9 figures, 2018 IEEE 87th Vehicular Technology Conference (VTC Spring)

Published

2018

34. Security and Privacy of Performing Data Analytics in the Cloud: A Three-way Handshake of Technology, Policy, and Management

Author

Rastogi, Nidhi, Gloria, Marie Joan Kristine, and Hendler, James

Subjects

Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, Public Administration, Sociology and Political Science, Communication, D.4.6, K.4.1, Computer Science - Networking and Internet Architecture, Computer Science - Computers and Society, Computer Science - Distributed, Parallel, and Cluster Computing, C.2.0, C.2.4, Computers and Society (cs.CY), Distributed, Parallel, and Cluster Computing (cs.DC)

Abstract

Cloud platform came into existence primarily to accelerate IT delivery and to promote innovation. To this point, it has performed largely well to the expectations of technologists, businesses and customers. The service aspect of this technology has paved the road for a faster set up of infrastructure and related goals for both startups and established organizations. This has further led to quicker delivery of many user-friendly applications to the market while proving to be a commercially viable option to companies with limited resources. On the technology front, the creation and adoption of this ecosystem has allowed easy collection of massive data from various sources at one place, where the place is sometimes referred as just the cloud. Efficient data mining can be performed on raw data to extract potentially useful information, which was not possible at this scale before. Targeted advertising is a common example that can help businesses. Despite these promising offerings, concerns around security and privacy of user information suppressed wider acceptance and an all-encompassing deployment of the cloud platform. In this paper, we discuss security and privacy concerns that occur due to data exchanging hands between a cloud servicer provider (CSP) and the primary cloud user - the data collector, from the content generator. We offer solutions that encompass technology, policy and sound management of the cloud service asserting that this approach has the potential to provide a holistic solution., Comment: 28 pages, 3 figures, Journal of Information Privacy

Published

2015

35. An Authentication Protocol for Future Sensor Networks

Author

Shin-Gak Kang and Muhammad Bilal

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, Computer science, K.4.2, 02 engineering and technology, privacy, K.6.m, 01 natural sciences, Biochemistry, Article, 94A62, 94A60, 68P25, 68M12, 68M14, 68M10, 14G50, Analytical Chemistry, Computer Science - Networking and Internet Architecture, C.2.2, Base station, C.2.0, sensor networks, K.6.5, C.2.4, network security, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Instrumentation, Key exchange, Networking and Internet Architecture (cs.NI), Authentication, business.industry, Node (networking), 010401 analytical chemistry, D.4.6, 020206 networking & telecommunications, Atomic and Molecular Physics, and Optics, BAN logic, 0104 chemical sciences, authentication, key distribution, Authentication protocol, Sensor node, Ticket, business, Cryptography and Security (cs.CR), Wireless sensor network, Computer network

Abstract

Authentication is one of the essential security services in Wireless Sensor Networks (WSNs) for ensuring secure data sessions. Sensor node authentication ensures the confidentiality and validity of data collected by the sensor node, whereas user authentication guarantees that only legitimate users can access the sensor data. In a mobile WSN, sensor and user nodes move across the network and exchange data with multiple nodes, thus experiencing the authentication process multiple times. The integration of WSNs with Internet of Things (IoT) brings forth a new kind of WSN architecture along with stricter security requirements; for instance, a sensor node or a user node may need to establish multiple concurrent secure data sessions. With concurrent data sessions, the frequency of the re-authentication process increases in proportion to the number of concurrent connections, which makes the security issue even more challenging. The currently available authentication protocols were designed for the autonomous WSN and do not account for the above requirements. In this paper, we present a novel, lightweight and efficient key exchange and authentication protocol suite called the Secure Mobile Sensor Network (SMSN) Authentication Protocol. In the SMSN a mobile node goes through an initial authentication procedure and receives a re-authentication ticket from the base station. Later a mobile node can use this re-authentication ticket when establishing multiple data exchange sessions and/or when moving across the network. This scheme reduces the communication and computational complexity of the authentication process. We proved the strength of our protocol with rigorous security analysis and simulated the SMSN and previously proposed schemes in an automated protocol verifier tool. Finally, we compared the computational complexity and communication cost against well-known authentication protocols., Comment: This article is accepted for the publication in "Sensors" journal. 29 pages, 15 figures

Published

2017

36. WhatsApp security and role of metadata in preserving privacy

Author

Rastogi, N. and James Hendler

Subjects

Networking and Internet Architecture (cs.NI), Social and Information Networks (cs.SI), FOS: Computer and information sciences, Computer Science - Networking and Internet Architecture, Computer Science - Cryptography and Security, C.2.0, D.4.6, Computer Science - Social and Information Networks, Cryptography and Security (cs.CR)

Abstract

WhatsApp messenger is arguably the most popular mobile app available on all smart-phones. Over one billion people worldwide for free messaging, calling, and media sharing use it. In April 2016, WhatsApp switched to a default end-to-end encrypted service. This means that all messages (SMS), phone calls, videos, audios, and any other form of information exchanged cannot be read by any unauthorized entity since WhatsApp. In this paper we analyze the WhatsApp messaging platform and critique its security architecture along with a focus on its privacy preservation mechanisms. We report that the Signal Protocol, which forms the basis of WhatsApp end-to-end encryption, does offer protection against forward secrecy, and MITM to a large extent. Finally, we argue that simply encrypting the end-to-end channel cannot preserve privacy. The metadata can reveal just enough information to show connections between people, their patterns, and personal information. This paper elaborates on the security architecture of WhatsApp and performs an analysis on the various protocols used. This enlightens us on the status quo of the app security and what further measures can be used to fill existing gaps without compromising the usability. We start by describing the following (i) important concepts that need to be understood to properly understand security, (ii) the security architecture, (iii) security evaluation, (iv) followed by a summary of our work. Some of the important concepts that we cover in this paper before evaluating the architecture are - end-to-end encryption (E2EE), signal protocol, and curve25519. The description of the security architecture covers key management, end-to-end encryption in WhatsApp, Authentication Mechanism, Message Exchange, and finally the security evaluation. We then cover importance of metadata and role it plays in conserving privacy with respect to whatsapp., 8 pages, 2 figures

Published

2017

37. Security-related Research in Ubiquitous Computing -- Results of a Systematic Literature Review

Author

Ku��en, Ema and Strembeck, Mark

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, C.2.0, D.4.6, K.4.1, K.4.2, K.6.5, Computer Science - Distributed, Parallel, and Cluster Computing, Distributed, Parallel, and Cluster Computing (cs.DC), Cryptography and Security (cs.CR)

Abstract

In an endeavor to reach the vision of ubiquitous computing where users are able to use pervasive services without spatial and temporal constraints, we are witnessing a fast growing number of mobile and sensor-enhanced devices becoming available. However, in order to take full advantage of the numerous benefits offered by novel mobile devices and services, we must address the related security issues. In this paper, we present results of a systematic literature review (SLR) on security-related topics in ubiquitous computing environments. In our study, we found 5165 scientific contributions published between 2003 and 2015. We applied a systematic procedure to identify the threats, vulnerabilities, attacks, as well as corresponding defense mechanisms that are discussed in those publications. While this paper mainly discusses the results of our study, the corresponding SLR protocol which provides all details of the SLR is also publicly available for download.

Published

2017

38. Blind and robust images watermarking based on wavelet and edge insertion

Author

Attoumani Mohamed Karim and Henri Bruno Razafindradina

Subjects

FOS: Computer and information sciences, business.industry, Computer science, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Pattern recognition, computer.file_format, D.4.6, JPEG, Multimedia (cs.MM), K.6.5, C.2.0, Wavelet, Robustness (computer science), Histogram, Computer Science::Multimedia, Computer Science, Artificial intelligence, Noise (video), Enhanced Data Rates for GSM Evolution, business, Digital watermarking, Rotation (mathematics), computer, Computer Science - Multimedia

Abstract

This paper gives a new scheme of watermarking technique related to insert the mark by adding edge in HH sub-band of the host image after wavelet decomposition. Contrary to most of the watermarking algorithms in wavelet domain, our method is blind and results show that it is robust against the JPEG and GIF compression, histogram and spectrum spreading, noise adding and small rotation. Its robustness against compression is better than others watermarking algorithms reported in the literature. The algorithm is flexible because its capacity or robustness can be improved by modifying some parameters., 8 pages

Published

2013

39. Two Factor Authentication using EEG Augmented Passwords

Author

��vogor, Ivan, Ki��asondi, Tonimir, Luzar-Stiffer, Vestna, Jarec, Iva, and Bekic, Zoran

Subjects

FOS: Computer and information sciences, H.5.2, Computer Science - Cryptography and Security, C.2.0, EEG, BCI, password augmentation, security, brain waves, one time pass, two phase, Computer Science - Human-Computer Interaction, D.4.6, Cryptography and Security (cs.CR), Human-Computer Interaction (cs.HC)

Abstract

The current research with EEG devices in the user authentication context has some deficiencies that address expensive equipment, the requirement of laboratory conditions and applicability. In this paper we address this issue by using widely available and inexpensive EEG device to verify its capability for authentication. As a part of this research, we developed two phase authentication that enables users to enhance their password with the mental state by breaking the password into smaller, marry them with mental state, and generate one time pad for a secure session., Preliminary communication

Published

2012

40. Index Structures for Data Warehouses

Author

Jürgens, Marcus

Subjects

C.2.0, K.6.5, data warehouse, 000 Informatik, Informationswissenschaft, allgemeine Werke::000 Informatik, Wissen, Systeme::004 Datenverarbeitung, Informatik, D.4.6, index structures, database

Abstract

0 Title and Table of Contents i 1\. Introduction 1 2\. State of the Art of Data Warehouse Research 5 3\. Data Storage and Index Structures 15 4\. Mixed Integer Problems for Finding Optimal Tree-based Index Structures 35 5\. Aggregated Data in Tree-Based Index Structures 43 6\. Performance Models for Tree-Based Index Structures 63 7\. Techniques for Comparing Index Structures 89 8\. Conclusion and Outlook 113 Bibliographie 116 Appendix 125, This thesis investigates which index structures support query processing in typical data warehouse environments most efficiently. Data warehouse applications differ significantly from traditional transaction-oriented operational applications. Therefore, the techniques applied in transaction- oriented systems cannot be used in the context of data warehouses and new techniques must be developed. The thesis shows that the time complexity for the computation of optimal tree-based index structures prohibits its use in real world applications. Therefore, we improve heuristic techniques (e. g., R*-tree) to process range queries on aggregated data more efficiently. Experiments show the benefits of this approach for different kinds of typical data warehouse queries. Performance models estimate the behavior of standard index structures and the behavior of the extended index structures. We introduce a new model that considers the distribution of data. We show experimentally that the new model is more precise than other models known from literature. Two techniques compare two tree-based index structures with two bitmap indexing techniques. The performance of these index structures depends on a set of different parameters. Our results show which index structure performs most efficiently depending on the parameters., In dieser Arbeit wird untersucht, welche Indexstrukturen Anfragen in typischen Data Warehouse Systemen effizient unterstützen. Indexstrukturen, seit mehr als zwanzig Jahren Forschungsgegenstand im Datenbankbereich, wurden in der Vergangenheit für transaktionsorientierte Systeme optimiert. Ein Kennzeichen dieser Systeme ist die effiziente Unterstützung von Einfüge-, Änderungs- und Löschoperationen auf einzelnen Datensätzen. Typische Operationen in Data Warehouse Systemen sind dagegen komplexe Anfragen auf großen relativ statischen Datenmengen. Aufgrund dieser veränderten Anforderungen müssen Datenbankmanagementsysteme, die für Data Warehouses eingesetzt werden, andere Techniken nutzen, um komplexe Anfragen effizient zu unterstützen. Zunächst wird ein Ansatz untersucht, der mit Hilfe eines gemischt ganzzahligen Optimierungsproblems eine optimale Indexstruktur berechnet. Da die Kosten für die Berechnung dieser optimalen Indexstruktur mit der Anzahl der zu indizierenden Datensätze exponentiell steigen, wird in anschließenden Teilen der Arbeit heuristischen Ansätzen nachgegangen, die mit der Größe der zu indizierenden Datensätze skalieren. Ein Ansatz erweitert auf Bäumen basierende Indexstrukturen um aggregierte Daten in den inneren Knoten. Experimentell wird gezeigt, daß mit Hilfe der materialisierten Zwischenergebnisse in den inneren Knoten Bereichsanfragen auf aggregierten Daten wesentlich schneller bearbeitet werden. Um das Leistungsverhalten von Indexstrukturen mit und ohne materialisierte Zwischenergebnisse zu untersuchen, wird das PISA Modell (Performance of Index Structures with and without Aggregated Data) entwickelt. In diesem Modell wird die Verteilung der Daten und die Verteilung der Anfragen berücksichtigt. Das PISA Modell wird an gleich-, schief- und normalverteilte Datensätze angepaßt. Experimentell wird gezeigt, daß das PISA Modell mit einer höheren Präzision als die bisher aus der Literatur bekannten Modelle arbeitet. Die Leistung von Indexstrukturen hängt von unterschiedlichen Parametern ab. In dieser Arbeit werden zwei Techniken vorgestellt, die abhängig von einer bestimmten Menge von Parametern Indexstrukturen vergleichen. Mit Hilfe von Klassifikationsbäumen wird z. B. gezeigt, daß die Blockgröße die relative Leistung weniger beeinflußt als andere Parameter. Ein weiteres Ergebnis ist, daß Bitmap-Indexstrukturen von den Verbesserungen neuerer Sekundärspeicher stärker profitieren als heute übliche auf Bäumen basierende Indexstrukturen. Bitmap-Indexierungstechniken bieten noch ein großes Potential für weitere Leistungssteigerungen im Datenbankbereich.

Published

2002

41. Access Control Management in Distributed Object Systems

Author

Brose, Gerald

Subjects

Policy, C.2.0, Distributed Systems, K.6.5, Access Control, Security, D.4.6, CORBA

Abstract

The main question addressed in this work is how the specification, deployment and management of application-oriented access control policies in distributed object systems can be supported in a way that increases the overall security. The first chapters of this thesis examine the problems that need to be addressed and identify a number of requirements for manageable access control. The overall management task is analyzed and structured into subtasks that are performed by potentially separate managers: principals or credentials management, object and domain management, and policy management. Also, the tasks of policy deployment and development are examined. As a result, we identify the requirements for documentation, support for communication between the involved parties, and for suitable management abstractions. It is concluded that an integrated approach to secure software development and management is required and that it can best be supported by the definition of a declarative policy language. Looking at the current technology for CORBA security reveals conceptual scalability problems and lack of structured support for policy design. Therefore, this thesis proposes a new view-based access model and a declarative specification language called view policy language (VPL). The abstractions of this language are designed to support deployment and development as well as management of application policies. The central concepts of VPL are views as a first-class concept for the type-safe aggregation of access rights, roles as a task-oriented abstraction of callers, and schemas as a means of specifying triggered dynamic changes in the protection state. To prove the practical relevance of these concepts, a comprehensive case study is analyzed and implemented. The technical feasibility of view-based access control is shown through an implementation of the required security infrastructure, which includes an interceptor-based access control mechanism, a language compiler, view and role repositories, and graphical management tools., Das zentrale Thema dieser Arbeit ist eine geeignete Unterstützung für die Spezifikation, die Installation und das Management von Zugriffsschutzpolitiken. Eine solche Unterstützung erhöht die Gesamtsicherheit eines verteilten Objektsystems, indem zum einen der flexible Ausdruck von Sicherheitsanforderungen erleichtert und zum anderen gleichzeitig eine grosse Zahl möglicher Fehlerquellen ausgeschlossen wird. Die Arbeit untersucht zunächst Anforderungen an handhabbaren Zugriffsschutz. Die Aufgabe des Zugriffsschutzmanagements wird analysiert und in Unteraufgaben gegliedert, die von verschiedenen, möglicherweise getrennten Managern wahrgenommen werden, nämlich die Verwaltung von Principals und Zertifikaten, von Objekten und Domänen, sowie die Politikverwaltung selbst. Darüberhinaus wurden auch die Aufgaben der Politikinstallation und -entwicklung betrachtet. Aus der Analyse der Anforderungen an die Dokumentation, die Unterstützung der Kommunikation zwischen den Beteiligten und die benötigten Sprachkonzepte ergibt sich, dass ein integrierter Ansatz für die Entwicklung und das Management von Zugriffsschutzpolitiken am besten durch die Definition einer deklarativen Politiksprache unterstützt werden kann. Der Beitrag dieser Arbeit besteht in einem neuen, sichtenbasierten Zugriffsschutzmodell und einer deklarative Politiksprache namens View Policy Language (VPL), das den genannten Anforderungen genügt. Die Abstraktionen dieser Sprache wurden speziell für die Unterstützung sowohl des Entwurfs wie der Installation und des Managements von Politiken entworfen. Die zentralen Sprachkonzepte von VPL sind Sichten als ein first-class Konzept für die typsichere Aggregation von Zugriffsrechten, Rollen als aufgabenorientierte Abstraktion von Aufrufern, sowie Schemata als Mittel zur Spezifikation automatisch ausgelöster, dynamischer Änderungen des Schutzzustandes. Die praktische Relevanz dieser Konzepte wurde durch die Implementierung einer realistischen Fallstudie gezeigt. Das Beispiel zeigt die Verwendung von Rollen, Sichten, Schemata, negativen Rechten und bedingten Sichten im Kontext eines Systems zur Begutachtung eingereichter Konferenzbeiträge. Die technische Machbarkeit sichtenbasierten Zugriffsschutzes wurde durch die Implementierung der erforderlichen Sicherheitsinfrastruktur nachgewiesen, die einen Interceptor-basierten Zugriffsschutzmechanismus, einen VPL-Übersetzer, Sichten- und Rollenrepositories sowie graphische Managementwerkzeuge umfasst.

Published

2001

42. On sigma-Filtered Boolean Algebras

Author

Geschke, Stefan

Subjects

C.2.0, K.6.5, 500 Naturwissenschaften und Mathematik::510 Mathematik::510 Mathematik, D.4.6, projective Boolean algebra Cohen model WFN

Abstract

0 Title 1 0 Contents 3 0 Introduction 5 0.1 Overview 8 0.2 Sources 9 0.3 Acknowledgements 10 1 Preparation 11 1.1 kappa-embeddings 11 1.2 kappa-filtrations 13 1.3 Universal properties 15 1.4 The kappa-Freese-Nation property 18 2 On Tightly kappa-Filtered Boolean Algebras 25 2.1 The number of tightly sigma-filtered Boolean algebras 25 2.2 Characterizations of tight kappa-filteredness 30 2.3 Stone spaces of tightly kappa-filtered Boolean algebras 35 2.4 rc-filtered, but not tightly kappa-filtered 37 2.5 Complete Boolean algebras and tight sigma-filtrations 42 3 The Weak Freese-Nation Property 53 3.1 WFN(P(omega)) in forcing extensions 53 3.2 WFN(P(omega)) and cardinal invariants 80 3.3 More complete Boolean algebras with the WFN 86 Bibliography 92, Abstract We study kappa-filtered and tightly kappa-filtered Boolean algebras for infinite regular cardinals kappa. Tight kappa-filteredness is a generalization of projectivity. kappa-filteredness is equivalent to the socalled kappa- Freese-Nation property (kappa-FN). In the case kappa=aleph_1 these properties are called sigma-filteredness, respectively tight sigma-filteredness. The aleph_1-FN is also called weak Freese-Nation property (WFN). In chapter 1 the basic notions are introduced. Chapter 2 is devoted to tightly kappa-filtered Boolean algebras. We show that there are 2^lambda isomorphism types of tightly sigma-filtered Boolean algebras of size lambda for every infinite cardinal lambda. We give charcterizations of tightly kappa-filtered Boolean algebras. Some results on Stone spaces of projective Boolean algebras are generalized. For every infinite regular cardinal kappa we construct an aleph_0-filtered Boolean algebra, which is not tightly kappa-filtered. We show that P(omega) is not tightly sigma-filtered in the Cohen model for 2^aleph_0=aleph_3. Note that P(omega) is sigma-filtered in that model. We show that no complete Boolean algebra with more than (2^aleph_0)^+ elements is tightly sigma-filtered. In chapter 3 we discuss the WFN. We show that P(omega) fails to have the WFN in many models of set theory obtained by iterated forcing. We then study the cardinal invariants of the continuum under the assumption that P(omega) has the WFN. It turns out that the invariants under consideration have the same values as in a Cohen model with the same size of the continuum. Finally we show that the WFN of P(omega) implies the WFN of many more complete c.c.c. Boolean algebras., Die Arbeit befasst sich mit kappa-filtrierten sowie mit eng kappa-filtrierten Booleschen Algebren, wobei kappa eine unendliche reguläre Kardinalzahl ist. Enge kappa-Filtriertheit verallgemeinert Projektivität. kappa-Filtriertheit ist äquivalent zur sogenannten kappa-Freese-Nation-Eigenschaft (kappa-FN). Im Fall kappa=aleph_1 spricht man von sigma-Filtriertheit bzw. enger sigma- Filtriertheit. Die aleph_1-FN wird auch als schwache Freese-Nation-Eigenschaft (WFN) bezeichnet. Nach Einführung der grundlegenden Begriffe im ersten Kapitel, werden im zweiten Kapitel eng kappa-filtrierte Boolesche Algebren untersucht. Zunächst wird gezeigt, dass es für jede unendliche Kardinalzahl lambda 2^lambda Isomorphietypen eng sigma-filtrierter Boolescher Algebren der Mächtigkeit lambda gibt. Anschließend werden verschiedene Charakterisierungen eng kappa- filtrierter Boolescher Algebren gegeben und gewisse Resultate über Stone-Räume projektiver Algebren verallgemeinert. F&uumlr; jedes unendliche reguläre kappa wird eine aleph_0-filtrierte Boolesche Algebra konstruiert, die nicht eng kappa-filtriert ist. Es wird gezeigt, dass P(omega) im Cohen-Modell für 2^aleph_0=aleph_3 zwar sigma-filtriert, aber nicht eng sigma-filtriert ist und dass keine vollständige Boolesche Algebra mit mehr als (2^aleph_0)^+ Elementen eng sigma-filtriert ist. Im dritten Kapitel wird die WFN diskutiert. Es wird gezeigt, dass P(omega) in sehr vielen Modellen, die durch iteriertes Forcing gewonnen wurden, nicht die WFN hat. Anschließend werden Kardinalzahlinvarianten des Kontinuums unter der Annahme, dass P(omega) die WFN hat, studiert. Es stellt sich heraus, dass alle untersuchten Invarianten die gleichen Werte haben, wie in einem Cohen-Modell mit derselben Größe des Kontinuums. Schließlich wird gezeigt, dass die WFN von P(omega) die WFN vieler weiterer vollständiger c.c.c. Boolescher Algebren impliziert.

Published

2000