
SoS Newsletter - Advanced Book Block

Network Security Architecture

Network security is one of the main areas for cybersecurity research. The works cited here cover a range of transmission media, architectures, and data in transit. These works were presented or published in the first half of 2014.

  • Zaalouk, A.; Khondoker, R.; Marx, R.; Bayarou, K., "OrchSec: An Orchestrator-based Architecture For Enhancing Network-Security Using Network Monitoring And SDN Control Functions," Network Operations and Management Symposium (NOMS), 2014 IEEE, pp. 1-9, 5-9 May 2014. doi: 10.1109/NOMS.2014.6838409 The original design of the Internet did not take network security aspects into consideration; instead, it aimed to facilitate the process of information exchange between end-hosts. Consequently, many protocols that are part of the Internet infrastructure expose a set of vulnerabilities that can be exploited by attackers. To reduce these vulnerabilities, several security approaches were introduced as a form of add-ons to the existing Internet architecture. However, these approaches have their drawbacks (e.g., lack of centralized control and automation). In this paper, to address these drawbacks, the features provided by Software Defined Networking (SDN) such as network visibility, centralized management and control are considered for developing security applications. Although the SDN architecture provides features that can aid in the process of network security, it has some deficiencies when it comes to using SDN for security. To address these deficiencies, several architectural requirements are derived to adapt the SDN architecture for security use cases. For this purpose, OrchSec, an Orchestrator-based architecture that utilizes Network Monitoring and SDN Control functions to develop security applications, is proposed. The functionality of the proposed architecture is demonstrated, tested, and validated using a security application.
    Keywords: Internet; computer network security; Internet architecture; Internet infrastructure; OrchSec; SDN control functions; centralized control; network monitoring; network security aspects; network security enhancement; orchestrator based architecture; software defined networking; Monitoring; Prototypes; Switches (ID#:14-2991)
  • Rengaraju, P.; Chung-Horng Lung; Srinivasan, A., "QoS-Aware Distributed Security Architecture for 4G Multihop Wireless Networks," Vehicular Technology, IEEE Transactions on, vol.63, no.6, pp. 2886-2900, July 2014. doi: 10.1109/TVT.2013.2292882 Vehicular communications have received a great deal of attention in recent years due to the demand for multimedia applications during travel and for improvements in safety. Safety applications often require fast message exchanges but do not use much bandwidth. On the other hand, multimedia services require high bandwidth for vehicular users. Hence, to provide mobile broadband services at a vehicular speed of up to 350 km/h, Worldwide interoperable for Microwave Access (WiMAX) and Long-Term Evolution (LTE) are considered the best technologies for vehicular networks. WiMAX and LTE are Fourth-Generation (4G) wireless technologies that have well-defined quality of service (QoS) and security architectures. However, some security threats, such as denial of service (DoS), introduction of a rogue node, etc., still exist in WiMAX and LTE networks, particularly in multihop networks. Therefore, a strong security architecture and hasty authentication methods are needed to mitigate the existing security threats in 4G multihop wireless networks. Conversely, the network QoS should not be degraded while enhancing security. Thus, we propose a QoS-aware distributed security architecture using the elliptic curve Diffie-Hellman (ECDH) protocol, which has proven security strength and low overhead for 4G wireless networks. In this paper, we first describe the current security standards and security threats in WiMAX and LTE networks. Then, the proposed distributed security architecture for 4G multihop wireless networks is presented. Finally, we compare and analyze the proposed solution using testbed implementation and simulation approaches for WiMAX. From the simulation and testbed results for WiMAX networks, it is evident that the proposed scheme provides strong security and hasty authentication for handover users without affecting the QoS performance. For LTE networks, we present the theoretical analysis of the proposed scheme to show that similar performance can also be achieved.
    Keywords: Long Term Evolution; WiMax; broadband networks; cryptographic protocols; electronic messaging; message authentication; mobility management (mobile radio); multimedia communication; public key cryptography; quality of service; telecommunication security; vehicular ad hoc networks; 4G multihop wireless network; ECDH protocol; LTE networks; QoS; WiMax network; distributed security architecture; elliptic curve Diffie-Hellman protocol; handover user; hasty authentication; long term evolution; message exchange; mobile broadband services; multimedia application; multimedia service; quality of service; safety application; security standard; security threat mitigation; vehicular communication; vehicular network; vehicular user; worldwide interoperable for microwave access; Authentication; Long Term Evolution; Quality of service; Spread spectrum communication; WiMAX; Distributed security; ECDH; LTE; Long-Term Evolution (LTE); Multihop; WiMAX; Worldwide interoperable for Microwave Access (WiMAX); elliptic curve Diffie-Hellman (ECDH); multihop (ID#:14-2992)
  • Zhang, Lei; An, Chengjin; Spinsante, Susanna; Tang, Chaojing, "Adaptive Link Layer Security Architecture For Telecommand Communications In Space Networks," Systems Engineering and Electronics, Journal of, vol.25, no.3, pp. 357-372, June 2014. doi: 10.1109/JSEE.2014.00041 Impressive advances in space technology are enabling complex missions, with potentially significant and long term impacts on human life and activities. In the vision of future space exploration, communication links among planets, satellites, spacecraft and crewed vehicles will be designed according to a new paradigm, known as disruption tolerant networking. In this scenario, space channel peculiarities impose a massive reengineering of many of the protocols usually adopted in terrestrial networks; among them, security solutions are to be deeply reviewed and tailored to the specific space requirements. Security is to be provided not only to the payload data exchanged on the network, but also to the telecommands sent to a spacecraft, along possibly differentiated paths. Starting from the secure space telecommand design developed by the Consultative Committee for Space Data Systems as a response to agency-based requirements, an adaptive link layer security architecture is proposed to address some of the challenges for future space networks. Based on the analysis of the communication environment and the error diffusion properties of the authentication algorithms, a suitable mechanism is proposed to classify frame retransmission requests on the basis of the originating event (error or security attack) and reduce the impact of security operations. An adaptive algorithm to optimize the space control protocol, based on estimates of the time varying space channel, is also presented. The simulation results clearly demonstrate that the proposed architecture is feasible and efficient, especially when facing malicious attacks against frame transmission.
    Keywords: Aerospace electronics; Authentication; Encryption; Network security; Protocols; Space technology; Space vehicles; adaptive estimate; misbehavior detection; performance optimization; space network; telecommand security (ID#:14-2993)
  • Liu, Shuhao; Cai, Zhiping; Xu, Hong; Xu, Ming, "Security-aware Virtual Network Embedding," Communications (ICC), 2014 IEEE International Conference on, pp. 834-840, 10-14 June 2014. doi: 10.1109/ICC.2014.6883423 Network virtualization is a promising technology to enable multiple architectures to run on a single network. However, virtualization also introduces additional security vulnerabilities that may be exploited by attackers. It is necessary to ensure that the security requirements of virtual networks are met by the physical substrate, which however has not received much attention thus far. This paper represents an early attempt to consider the security issue in virtual network embedding, the process of mapping virtual networks onto physical nodes and links. We model the security demands of virtual networks by proposing a simple taxonomy of abstractions, which is enough to meet the variations of security requirements. Based on the abstraction, we formulate security-aware virtual network embedding as an optimization problem, proposing objective functions and mathematical constraints which involve both resource and security restrictions. Then a heuristic algorithm is developed to solve this problem. Our simulation results indicate its high efficiency and effectiveness.
    Keywords: Bandwidth; Heuristic algorithms; Mathematical model; Network topology; Security; Substrates; Virtualization (ID#:14-2994)
  • Al-Anzi, F.S.; Salman, A.A.; Jacob, N.K.; Soni, J., "Towards Robust, Scalable And Secure Network Storage in Cloud Computing," Digital Information and Communication Technology and its Applications (DICTAP), 2014 Fourth International Conference on, pp. 51-55, 6-8 May 2014. doi: 10.1109/DICTAP.2014.6821656 The term Cloud Computing is not something that appeared overnight; it may come from the time when computer systems remotely accessed applications and services. Cloud computing is a ubiquitous technology and is receiving huge attention in the scientific and industrial community. Cloud computing is a ubiquitous, next generation information technology architecture which offers on-demand access to the network. It is a dynamic, virtualized, scalable and pay-per-use model over the Internet. In a cloud computing environment, a cloud service provider offers a "house of resources" that includes applications, data, runtime, middleware, operating system, virtualization, servers, data storage and sharing, and networking, and tries to take up most of the overhead of the client. Cloud computing offers lots of benefits, but the journey of the cloud is not very easy. It has several pitfalls along the road because most of the services are outsourced to third parties, with an added level of risk. Cloud computing suffers from several issues, and among the most significant are security, privacy, service availability, confidentiality, integrity, authentication, and compliance. Security is a shared responsibility of both client and service provider, and we believe security must be information centric, adaptive, proactive and built in. Cloud computing and its security are an emerging study area nowadays. In this paper, we discuss data security in the cloud at the service provider end and propose a network storage architecture for data which ensures availability, reliability, scalability and security.
    Keywords: cloud computing; data integrity; data privacy; security of data; storage management; ubiquitous computing; virtualisation; Internet; adaptive security; authentication; built in security; client overhead; cloud computing environment; cloud service provider; compliance; confidentiality; data security; data sharing; data storage; information centric security; integrity; middleware; network storage architecture; networking; on-demand access; operating system; pay per use model; privacy; proactive security; remote application access; remote service access; robust scalable secure network storage; server; service availability; service outsourcing; ubiquitous next generation information technology architecture; virtualization; Availability; Cloud computing; Computer architecture; Data security; Distributed databases; Servers; Cloud Computing; Data Storage; Data security; RAID (ID#:14-2995)
  • Aiash, M.; Mapp, G.; Lasebae, A.; Loo, J., "A Secure Framework for Communications in Heterogeneous Networks," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on, pp. 841-846, 13-16 May 2014. doi: 10.1109/WAINA.2014.132 Heterogeneous Networks represent an open architecture in which two different domains need to cooperate in order to provide ubiquitous connectivity. The first is the network operators' domain, where multiple network operators share the core network to provide network accessibility over a wide variety of wireless technologies such as WiFi and mobile network technologies. The other is the Application-Service Providers' domain, which launches various services ranging from normal video streaming to the most confidential E-Commerce services. This highlights the fact that any efficient security solution for heterogeneous networks has to consider the security in these different domains. Therefore, this paper introduces a security framework that comprises two Authentication and Key Agreement protocols to secure transactions at the network and service levels. The proposed protocols have been formally verified using a formal methods approach based on the Casper/FDR tool.
    Keywords: computer network security; cryptographic protocols; formal verification; wireless LAN; Casper/FDR tool; E-commerce services; WiFi network technologies; application-service providers domain; authentication and key agreement protocols; communication security framework; formal methods; heterogeneous networks; mobile network technologies; multiple network operators; network accessibility; network operators domain; normal video streaming; ubiquitous connectivity; wireless technologies; Authentication; Communication system security; Mobile communication; Protocols; Quality of service; Wireless communication (ID#:14-2996)
  • Bhar, C.; Das, G.; Dixit, A.; Lannoo, B.; Colle, D.; Pickavet, M.; Demeester, P., "A Novel Hybrid WDM/TDM PON Architecture Using Cascaded AWGs and Tunable Components," Lightwave Technology, Journal of, vol.32, no.9, pp. 1708-1716, May 1, 2014. doi: 10.1109/JLT.2014.2310653 The paper introduces a novel architecture for optical access networks that simultaneously provides complete flexibility and security. At the same time, the distribution architecture is completely passive. Unlike the other architectures in the literature, the proposed architecture does not possess a security-flexibility tradeoff. Complete flexibility allows switching OFF an appropriate number of active components at low network loads, making this design a green technology. The discussed architecture has a long reach, which is independent of the number of users in the network.
    Keywords: arrayed waveguide gratings; optical tuning; passive optical networks; telecommunication security; time division multiplexing; wavelength division multiplexing; active components; arrayed waveguide gratings; cascaded AWG; distribution architecture; green technology; hybrid WDM-TDM PON architecture; network loads; optical access networks; passive optical networks; tunable components; Bandwidth; Laser applications; Laser tuning; Optical fiber networks; Ports (Computers); Security; Switches; Arrayed waveguide grating; bandwidth flexibility; network security; passive optical networks (ID#:14-2997)
  • Bakshi, K., "Secure Hybrid Cloud Computing: Approaches And Use Cases," Aerospace Conference, 2014 IEEE, pp. 1-8, 1-8 March 2014. doi: 10.1109/AERO.2014.6836198 Hybrid cloud is defined as a cloud infrastructure composed of two or more cloud infrastructures (private, public, and community clouds) that remain unique entities, but are bound together via technologies and approaches for the purposes of application and data portability. This paper will review a novel approach for implementing a secure hybrid cloud. Specifically, public and private cloud entities will be discussed for a hybrid cloud approach. The approach is based on extension of virtual Open Systems Interconnection (OSI) Layer 2 switching functions from a private cloud to public clouds, tunneled over an OSI Layer 3 connection. As a result of this hybrid cloud approach, virtual workloads can be migrated from the private cloud to the public cloud and continue to be part of the same Layer 2 domain as in the private cloud, thereby maintaining consistent operational paradigms in both the public and private cloud. This paper will introduce and discuss the virtual switching technologies which are fundamental underpinnings of the secure hybrid approach. This paper will not only discuss the virtual Layer 2 technical architecture of this approach, but also related security components. Specifically, data-in-motion security between the public and private clouds and inter-workload secure communication in the public cloud will be reviewed. As part of the hybrid cloud approach, security aspects like encrypted communication tunnels, key management, and security management will be discussed. Moreover, management consoles, control points, and integration with cloud orchestration systems will also be discussed. Additionally, hybrid cloud considerations for network services like network firewalls, server load balancers, application accelerators, and network routing functions will be examined. Finally, several practical use cases which can be applicable in the aerospace industry, like workload bursting, application development environments, and Disaster Recovery as a Service, will be explored.
    Keywords: cloud computing; open systems; security of data; OSI; aerospace industry; application accelerators; cloud infrastructure; cloud orchestration systems; community clouds; data portability; disaster recovery; encrypted communication tunnels; key management; motion security; network firewall; network routing functions; open systems interconnection; private clouds; public clouds; secure hybrid cloud computing; security aspects; security components; security management; server load balancers; switching functions; virtual switching technologies; Cloud computing; Computer architecture; Switches; Virtual machine monitors; Virtual machining (ID#:14-2998)
  • Manley, E.D., "Low Complexity All-Optical Network Coder Architecture," Computing, Networking and Communications (ICNC), 2014 International Conference on, pp. 1046-1050, 3-6 Feb. 2014. doi: 10.1109/ICCNC.2014.6785482 Network coding, a networking paradigm in which different pieces of data are coded together at various points along a transmission, has been proposed for providing a number of benefits to networks including increased throughput, robustness, and security. For optical networks, the potential for using network coding to provide survivability is especially noteworthy as it may be possible to allow for the ultra-fast recovery time of dedicated protection schemes with the bandwidth efficiency of shared protection schemes. However, the need to perform computations at intermediate nodes along the optical route leads to the undesirable necessity of either electronically buffering and processing the data at intermediate nodes or outfitting the network with complex photonic circuits capable of performing the computations entirely within the optical domain. In this paper, we take the latter approach but attempt to mitigate the impact of the device complexity by proposing a low-complexity, all-optical network coder architecture. Our design provides easily scalable, powerful digital network coding capabilities at the optical layer, and we show that existing network coding algorithms can be adjusted to accommodate it.
    Keywords: integrated optics; network coding; optical fibre networks; telecommunication network routing; telecommunication security; bandwidth efficiency; complex photonic circuits; digital network coding capabilities; electronic buffering; intermediate nodes; low complexity all-optical network coder architecture; optical layer; optical route; shared protection schemes; ultra-fast recovery time; Encoding; Logic gates; Network coding; Optical buffering; Optical fiber networks; Optical switches (ID#:14-2999)
  • Jaic, K.; Smith, M.C.; Sarma, N., "A Practical Network Intrusion Detection System For Inline FPGAs On 10GbE Network Adapters," Application-specific Systems, Architectures and Processors (ASAP), 2014 IEEE 25th International Conference on, pp. 180-181, 18-20 June 2014. doi: 10.1109/ASAP.2014.6868655 A network intrusion detection system (NIDS), such as SNORT, analyzes incoming packets to identify potential security threats. Pattern matching is arguably the most important and most computationally intensive component of a NIDS. Software-based NIDS implementations drop up to 90% of packets during increased network load, even at lower network bandwidth. We propose an alternative hybrid NIDS that couples an FPGA with a network adapter to provide hardware support for pattern matching and software support for post-processing. The proposed system, SFAOENIDS, offers an extensible open-source NIDS for Solarflare AOE devices. The pattern matching engine, the primary component of the hardware architecture, was designed based on the requirements of typical NIDS implementations. In testing on a real network environment, the SFAOENIDS hardware implementation, operating at 200 MHz, handles a 10 Gbps data rate without dropping packets while simultaneously minimizing the server CPU load.
    Keywords: field programmable gate arrays; security of data; SFAOENIDS; SNORT; Solarflare AOE devices; inline FPGA; lower network bandwidth; network adapters; network load; open-source NIDS; pattern matching; pattern matching engine; practical network intrusion detection system; real network environment; security threats; software based NIDS implementations; Engines; Field programmable gate arrays; Hardware; Intrusion detection; Memory management; Pattern matching; Software (ID#:14-3000)
  • Silva Delgado, J.S.; Mendez Penuela, D.J.; Morales Medina, L.V.; Rueda Rodriguez, S.J., "Automatic Network Reconfiguration Because Of Security Events," Communications and Computing (COLCOM), 2014 IEEE Colombian Conference on, pp. 1-6, 4-6 June 2014. doi: 10.1109/ColComCon.2014.6860412 Over the last years, networks have changed in size, traffic, and requirements. There are more nodes, the traffic has increased, and there are frequent requests that imply modifications to the underlying infrastructure. Some examples of these requirements are cloud computing, virtualized environments, and data centers. SDN has been developed to address some of these issues. By separating control and data planes, SDN enables the programming of the control plane and the dynamic reconfiguration of the data plane, thus making it possible to automate some tasks. SDN makes it possible to dynamically reconfigure a network as a response to a security event. This work studies the advantages and disadvantages of the platform for programming a network to react to security events. The number of security events that may happen in a network is considerable; therefore, we defined an architecture that may be used in different cases and implemented it to evaluate the behavior for two types of events: DoS attacks and intrusions. The platform offers several tools for programming and testing, but they are still in development. In fact, we found a problem with one tool and some inconveniences with others, which we reported to the development team. The participation of the community in debugging and finding ways to improve the platform is key to SDN's development.
    Keywords: computer debugging; computer network security; DoS attacks; SDN development; automatic network reconfiguration; debugging; intrusion detection; security events; software defined networks; Control systems; Hardware; IP networks; Monitoring; Programming; Security; Software (ID#:14-3001)
  • Premnath, A.P.; Ju-Yeon Jo; Yoohwan Kim, "Application of NTRU Cryptographic Algorithm for SCADA Security," Information Technology: New Generations (ITNG), 2014 11th International Conference on, pp. 341-346, 7-9 April 2014. doi: 10.1109/ITNG.2014.38 Critical Infrastructure represents the basic facilities, services and installations necessary for the functioning of a community, such as water, power lines, transportation, or communication systems. Any act or practice that causes a real-time Critical Infrastructure System to impair its normal function and performance will have a debilitating impact on security and the economy, with direct implications for society. A SCADA (Supervisory Control and Data Acquisition) system is a control system which is widely used in Critical Infrastructure Systems to monitor and control industrial processes autonomously. As SCADA architecture relies on computers, networks, applications and programmable controllers, it is more vulnerable to security threats/attacks. Traditional SCADA communication protocols such as IEC 60870, DNP3, IEC 61850, or Modbus did not provide any security services. Newer standards such as IEC 62351 and AGA-12 offer security features to handle the attacks on SCADA systems. However, there are performance issues with the cryptographic solutions of these specifications when applied to SCADA systems. This research is aimed at improving the performance of SCADA security standards by employing NTRU, a faster and light-weight public key algorithm, for providing end-to-end security.
    Keywords: SCADA systems; critical infrastructures; cryptographic protocols; process control; process monitoring; production engineering computing; programmable controllers; public key cryptography; transport protocols; AGA-12; DNP3; IEC 60870; IEC 61850; IEC 62351; Modbus; NTRU cryptographic algorithm; NTRU public key algorithm; SCADA architecture; SCADA communication protocols; SCADA security standards; TCP/IP; communication systems; end-to-end security; industrial process control; industrial process monitoring; power lines; programmable controllers; real-time critical infrastructure system; security threats-attacks; supervisory control and data acquisition system; transportation; water; Authentication; Digital signatures; Encryption; IEC standards; SCADA systems; AGA-12; Critical Infrastructure System; IEC 62351; NTRU cryptographic algorithm; SCADA communication protocols over TCP/IP (ID#:14-3002)
  • Santamaria, Amilcare Francesco; Sottile, Cesare; Lupia, Andrea; Raimondo, Pierfrancesco, "An Efficient Traffic Management Protocol Based On IEEE802.11p Standard," Performance Evaluation of Computer and Telecommunication Systems (SPECTS 2014), International Symposium on, pp. 634-641, 6-10 July 2014. doi: 10.1109/SPECTS.2014.6880004 Nowadays one of the hot themes in wireless environment research is the application of the newest technologies to road security problems. The interest of companies and researchers, with the cooperation of car manufacturers, brought to life and promoted the Vehicular Ad-Hoc Network (VANET) technology. In this work an innovative security system based on VANET architecture is proposed. The system is capable of increasing road safety through the inter-communication among vehicles and road infrastructures, also known as Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I), matching market and manufacturers' requests in a convenient and useful way. We design a network protocol called Geocasting Wave (GeoWave) that takes advantage of the IEEE802.11p standard and tries to enhance it by adding useful messages in order to improve active and passive safety systems. In the proposed protocol, vehicles share information with neighbors and Road Side Units (RSUs). In this work, we propose a network infrastructure able to continuously gather information from the environment, road conditions and traffic flows. Once one of these occurrences is detected, all gathered information is spread in the network. This knowledge makes it possible to take precautionary actions in time, such as decreasing traveling speed or switching to a safer road path when a dangerous situation approaches. In addition, smart traffic management is performed by the Control and Management Center (CMC) exploiting the gathered information, in order to avoid traffic blocks while trying to maintain a constant average speed inside city blocks. This can help to reduce vehicles' Carbon Dioxide (CO2) emissions in the city, increasing air quality.
    Keywords: Accidents; Cities and towns; Protocols; Roads; Safety; Sensors; Vehicles; Data Dissemination; Geocasting; IEEE 802.11p WAVE protocol; Road Safety; VANET (ID#:14-3003)
  • Jin Cao; Maode Ma; Hui Li; Yueyu Zhang; Zhenxing Luo, "A Survey on Security Aspects for LTE and LTE-A Networks," Communications Surveys & Tutorials, IEEE, vol.16, no.1, pp. 283-302, First Quarter 2014. doi: 10.1109/SURV.2013.041513.00174 High demands for broadband mobile wireless communications and the emergence of new wireless multimedia applications constitute the motivation for the development of broadband wireless access technologies in recent years. The Long Term Evolution/System Architecture Evolution (LTE/SAE) system has been specified by the Third Generation Partnership Project (3GPP) on the way towards fourth-generation (4G) mobile to ensure that 3GPP keeps the dominance of cellular communication technologies. Through the design and optimization of new radio access techniques and a further evolution of the LTE systems, the 3GPP is developing the future LTE-Advanced (LTE-A) wireless networks as the 4G standard of the 3GPP. Since the 3GPP LTE and LTE-A architectures are designed to support flat Internet Protocol (IP) connectivity and full interworking with heterogeneous wireless access networks, the new unique features bring some new challenges in the design of the security mechanisms. This paper makes a number of contributions to the security aspects of the LTE and LTE-A networks. First, we present an overview of the security functionality of the LTE and LTE-A networks. Second, the security vulnerabilities existing in the architecture and the design of the LTE and LTE-A networks are explored. Third, the existing solutions to these problems are classically reviewed. Finally, we show the potential research issues for future research works.
    Keywords: 4G mobile communication; IP networks; Long Term Evolution; broadband networks; cellular radio; multimedia communication; radio access networks; telecommunication security; 3GPP; 4G mobile; LTE-A networks; LTE-Advanced; LTE/SAE; Long Term Evolution-system architecture evolution; broadband mobile wireless communications; broadband wireless access technology; cellular communication; flat Internet Protocol connectivity; security vulnerabilities; telecommunication security aspects; wireless multimedia applications; Authentication; Handover; Long Term Evolution; Mobile communication; Servers; HeNB security; IMS security; LTE; LTE security; LTE-A; MTC security (ID#:14-3004)
  • Chan-Kyu Han; Hyoung-Kee Choi, "Security Analysis of Handover Key Management in 4G LTE/SAE Networks," Mobile Computing, IEEE Transactions on, vol.13, no.2, pp. 457-468, Feb. 2014. doi: 10.1109/TMC.2012.242 The goal of 3GPP Long Term Evolution/System Architecture Evolution (LTE/SAE) is to move mobile cellular wireless technology into its fourth generation. One of the unique challenges of fourth-generation technology is how to close a security gap through which a single compromised or malicious device can jeopardize an entire mobile network because of the open nature of these networks. To meet this challenge, handover key management in the 3GPP LTE/SAE has been designed to revoke any compromised key(s) and as a consequence isolate corrupted network devices. This paper, however, identifies and details the vulnerability of this handover key management to what are called desynchronization attacks; such attacks jeopardize secure communication between users and mobile networks. Although periodic updates of the root key are an integral part of handover key management, our work here emphasizes how essential these updates are to minimizing the effect of desynchronization attacks that, as of now, cannot be effectively prevented. Our main contribution, however, is to explore how network operators can determine for themselves an optimal interval for updates that minimizes the signaling load they impose while protecting the security of user traffic. Our analytical and simulation studies demonstrate the impact of the key update interval on such performance criteria as network topology and user mobility.
    Keywords: 3G mobile communication; 4G mobile communication; Long Term Evolution; cellular radio; mobility management (mobile radio); telecommunication network topology; telecommunication security; 3GPP Long Term Evolution-system architecture evolution; 4G LTE-SAE networks; communication security; compromised key; corrupted network devices; desynchronization attacks; fourth-generation technology; handover key management; key update interval; malicious device; mobile cellular wireless technology; mobile network; network operators; network topology; periodic updates; security analysis; security gap; signaling load; user mobility; user network; user traffic security protection; Base stations; Computer architecture; Mobile communication; Mobile computing; Security; Authentication and key agreement; evolved packet system; handover key management; long-term evolution security; mobile networks; system architecture evolution (ID#:14-3005)
  • Suto, K.; Nishiyama, H.; Kato, N.; Nakachi, T.; Fujii, T.; Takahara, A, "An Overlay Network Construction Technique For Minimizing The Impact Of Physical Network Disruption In Cloud Storage Systems," Computing, Networking and Communications (ICNC), 2014 International Conference on, pp.68,72, 3-6 Feb. 2014. doi: 10.1109/ICCNC.2014.6785307 Cloud storage exploiting overlay networks is considered to be a scalable and autonomous architecture. While this technology can ensure the security of the storage service, it requires addressing the "server breakdown" problem, which may arise due to malicious attacks on servers and mechanical troubles of servers. In the existing literature, an overlay network based on bimodal degree distribution was proposed to achieve high connectivity to combat these two types of server breakdown. However, it cannot ensure high connectivity against physical network disruption that removes numerous nodes from the overlay network. To deal with this issue, in this paper, we propose a physical network aware overlay network, in which the neighboring nodes are connected with one another in the overlay. Moreover, the numerical analysis indicates that the proposed system considerably outperforms the conventional system in terms of service availability.
    Keywords: cloud computing; computer network security; network servers; overlay networks; bimodal degree distribution; cloud storage systems; numerical analysis; overlay network construction technique; physical network disruption impact minimization; server breakdown; storage service security; Cloud computing; Computer crime; Electric breakdown; Overlay networks; Peer-to-peer computing; Servers; Tin (ID#:14-3006)
  • Zahid, A; Masood, R.; Shibli, M.A, "Security Of Sharded Nosql Databases: A Comparative Analysis," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.1,8, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861323 NoSQL databases are easy to scale out because of their flexible schema and support for BASE (Basically Available, Soft State and Eventually Consistent) properties. The process of scaling out in most of these databases is supported by sharding, which is considered the key feature in providing faster reads and writes to the database. However, securing the data sharded over various servers is a challenging problem because the data is processed in a distributed manner and transmitted over an unsecured network. Though extensive research has been performed on NoSQL sharding mechanisms, no specific criterion has been defined to analyze the security of a sharded architecture. This paper proposes an assessment criterion comprising various security features for the analysis of sharded NoSQL databases. It presents a detailed view of the security features offered by NoSQL databases and analyzes them with respect to the proposed assessment criteria. The presented analysis helps various organizations in the selection of an appropriate and reliable database in accordance with their preferences and security requirements.
    Keywords: SQL; security of data; BASE; NoSQL sharding mechanisms assessment criterion; security features; sharded NoSQL databases; Access control; Authentication; Distributed databases; Encryption; Servers; Comparative Analysis; Data and Applications Security; Database Security; NoSQL; Sharding (ID#:14-3007)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.