• Title/Summary/Keyword: IP Security

Search Result 739, Processing Time 0.031 seconds

A Blockchain-enabled Multi-domain DDoS Collaborative Defense Mechanism

  • Huifen Feng;Ying Liu;Xincheng Yan;Na Zhou;Zhihong Jiang
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.17 no.3
    • /
    • pp.916-937
    • /
    • 2023
  • Most of the existing Distributed Denial-of-Service mitigation schemes in Software-Defined Networking are only implemented in the network domain managed by a single controller. In fact, the zombies for attackers to launch large-scale DDoS attacks are actually not in the same network domain. Therefore, abnormal traffic of DDoS attack will affect multiple paths and network domains. A single defense method is difficult to deal with large-scale DDoS attacks. The cooperative defense of multiple domains becomes an important means to effectively solve cross-domain DDoS attacks. We propose an efficient multi-domain DDoS cooperative defense mechanism by integrating blockchain and SDN architecture. It includes attack traceability, inter-domain information sharing and attack mitigation. In order to reduce the length of the marking path and shorten the traceability time, we propose an AS-level packet traceability method called ASPM. We propose an information sharing method across multiple domains based on blockchain and smart contract. It effectively solves the impact of DDoS illegal traffic on multiple domains. According to the traceability results, we designed a DDoS attack mitigation method by replacing the ACL list with the IP address black/gray list. The experimental results show that our ASPM traceability method requires less data packets, high traceability precision and low overhead. And blockchain-based inter-domain sharing scheme has low cost, high scalability and high security. Attack mitigation measures can prevent illegal data flow in a timely and efficient manner.

A Study on The Network Design of Smart Village to Provide Wired and Wireless Convergence Services on IoT (IoT기반의 유무선 융복합 서비스 제공을 위한 스마트빌리지의 네트워크 구성방안에 관한 연구)

  • Kim, Yun-ha;Jeong, Jae-woong;Kim, Young-sung;Choi, Hyun-ju
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • 2022.05a
    • /
    • pp.296-299
    • /
    • 2022
  • The rapid urban expansion and the increase in natural disasters due to the increase of population after industrialization and climate change are causing numerous urban management problems. The IP based hyper-connectivity caused by the initiation of the 4th industrial revolution enables a variety of technologies and services that produce vast amounts of data and solve urban management problems based on this. Especially, the quality of life is improved by providing the necessary information for life that are produced through a sensor network on wired and wireless communication. In this study, we intend to propose the method of optimal communcation network composition for innovative and futuristic city management technology through the case of K-water Smart Village Communication System

  • PDF

On-Demand Tunnel Creation Mechanism in Star VPN Topology (성형 VPN 구조에서의 주문형 터널 생성 메커니즘)

  • Byun, Hae-Sun;Lee, Mee-Jeong
    • Journal of KIISE:Information Networking
    • /
    • v.32 no.4
    • /
    • pp.452-461
    • /
    • 2005
  • In the star VPN (Virtual Private Network) topology, the traffic between the communicating two CPE(Customer Premise Equipment) VPN GW(Gateway)s nay be inefficiently transferred. Also, the Center VPN GW nav erperience the overload due to excessive packet processing overhead. As a solution to this problem, a direct tunnel can be established between the communicating two CPE VPN GWs using the IKE (Internet Key Exchange) mechanism of IPSec(IP Security). In this case, however, the tunnel establishment and management nay be complicated. In this paper, we propose a mechanism called' SVOT (Star VPN On-demand Tunnel)', which automatically establishes a direct tunnel between the communicating CPE VPN GWs based on demand. In the SVOT scheme, CPE VPN GWs determine whether it will establish a direct tunnel or not depending on the traffic information monitored. CPE VPN GW requests the information that is necessary to establishes a direct tunnel to the Center VPN GW Through a simulation, we investigate the performance of the scheme performs better than the SYST scheme with respect to scalability, traffic efficiency and overhead of Center VPN GW, while it shows similar performance to the FVST with respect to end-to-end delay and throughput.

An Efficient and Secure Handover Mechanism for MVPN Services (MVPN 서비스 제공을 위한 효율적이고 안전한 핸드오버 메커니즘)

  • Woo, Hyun-Je;Kim, Kyoung-Min;Lee, Mee-Jeong
    • Journal of KIISE:Information Networking
    • /
    • v.34 no.1
    • /
    • pp.62-72
    • /
    • 2007
  • Mobile Virtual Private Network (MVPN) provides VPN services without geographical restriction to mobile workers using mobile devices. Coexistence of Mobile IP (MIP) protocol for mobility and IPsec-based VPN technology are necessary in order to provide continuous VPN service to mobile users. However, Problems like registration failure or frequent IPsec tunnel re-negotiation occur when IPsec-based VPN Gateway (GW) and MIP are used together. In order to solve these problems, IETF proposes a mechanism which uses external home agent (x-HA) located external to the corporate VPN GW. In addition, based on the IETF proposal, a mechanism that assigns x-HA dynamically in the networks where MN is currently located was also proposed with the purpose to reduce handover latency as well as end-to-end delay. However, this mechanism has problems such as exposure of a session key for dynamic Mobility Security Association (MSA) or a long latency in case of the handover between different networks. In this paper, we propose a new MVPN protocol in order to minimize handover latency, enhance the security in key exchange, and to reduce data losses cause by handover. Through a course of simulation, the performance of proposed protocol is compared with the existing mechanism.

Convergence CCTV camera embedded with Deep Learning SW technology (딥러닝 SW 기술을 이용한 임베디드형 융합 CCTV 카메라)

  • Son, Kyong-Sik;Kim, Jong-Won;Lim, Jae-Hyun
    • Journal of the Korea Convergence Society
    • /
    • v.10 no.1
    • /
    • pp.103-113
    • /
    • 2019
  • License plate recognition camera is dedicated device designed for acquiring images of the target vehicle for recognizing letters and numbers in a license plate. Mostly, it is used as a part of the system combined with server and image analysis module rather than as a single use. However, building a system for vehicle license plate recognition is costly because it is required to construct a facility with a server providing the management and analysis of the captured images and an image analysis module providing the extraction of numbers and characters and recognition of the vehicle's plate. In this study, we would like to develop an embedded type convergent camera (Edge Base) which can expand the function of the camera to not only the license plate recognition but also the security CCTV function together and to perform two functions within the camera. This embedded type convergence camera equipped with a high resolution 4K IP camera for clear image acquisition and fast data transmission extracted license plate area by applying YOLO, a deep learning software for multi object recognition based on open source neural network algorithm and detected number and characters of the plate and verified the detection accuracy and recognition accuracy and confirmed that this camera can perform CCTV security function and vehicle number plate recognition function successfully.

Cortex M3 Based Lightweight Security Protocol for Authentication and Encrypt Communication between Smart Meters and Data Concentrate Unit (스마트미터와 데이터 집중 장치간 인증 및 암호화 통신을 위한 Cortex M3 기반 경량 보안 프로토콜)

  • Shin, Dong-Myung;Ko, Sang-Jun
    • Journal of Software Assessment and Valuation
    • /
    • v.15 no.2
    • /
    • pp.111-119
    • /
    • 2019
  • The existing smart grid device authentication system is concentrated on DCU, meter reading FEP and MDMS, and the authentication system for smart meters is not established. Although some cryptographic chips have been developed at present, it is difficult to complete the PKI authentication scheme because it is at the low level of simple encryption. Unlike existing power grids, smart grids are based on open two-way communication, increasing the risk of accidents as information security vulnerabilities increase. However, PKI is difficult to apply to smart meters, and there is a possibility of accidents such as system shutdown by sending manipulated packets and sending false information to the operating system. Issuing an existing PKI certificate to smart meters with high hardware constraints makes authentication and certificate renewal difficult, so an ultra-lightweight password authentication protocol that can operate even on the poor performance of smart meters (such as non-IP networks, processors, memory, and storage space) was designed and implemented. As a result of the experiment, lightweight cryptographic authentication protocol was able to be executed quickly in the Cortex-M3 environment, and it is expected that it will help to prepare a more secure authentication system in the smart grid industry.

Traffic Engineering and Manageability for Multicast Traffic in Hybrid SDN

  • Ren, Cheng;Wang, Sheng;Ren, Jing;Wang, Xiong
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.12 no.6
    • /
    • pp.2492-2512
    • /
    • 2018
  • Multicast communication can effectively reduce network resources consumption in contrast with unicast. With the advent of SDN, current researches on multicast traffic are mainly conducted in the SDN scenario, thus to mitigate the problems of IP multicast such as the unavoidable difficulty in traffic engineering and high security risk. However, migration to SDN cannot be achieved in one step, hybrid SDN emerges as a transitional networking form for ISP network. In hybrid SDN, for acquiring similar TE and security performance as in SDN multicast, we redirect every multicast traffic to an appropriate SDN node before reaching the destinations of the multicast group, thus to build up a core-based multicast tree substantially which is first introduced in CBT. Based on the core SDN node, it is possible to realize dynamic control over the routing paths to benefit traffic engineering (TE), while multicast traffic manageability can also be obtained, e.g., access control and middlebox-supported network services. On top of that, multiple core-based multicast trees are constructed for each multicast group by fully taking advantage of the routing flexibility of SDN nodes, in order to further enhance the TE performance. The multicast routing and splitting (MRS) algorithm is proposed whereby we jointly and efficiently determine an appropriate core SDN node for each group, as well as optimizing the traffic splitting fractions for the corresponding multiple core-based trees to minimize the maximum link utilization. We conduct simulations with different SDN deployment rate in real network topologies. The results indicate that, when 40% of the SDN switches are deployed in HSDN as well as calculating 2 trees for each group, HSDN multicast adopting MRS algorithm can obtain a comparable TE performance to SDN multicast.

A Method of Performance Improvement for AAA Authentication using Fast Handoff Scheme in Mobile IPv6 (Mobile IPv6에서 Fast Handoff기법을 이용한 AAA 인증 성능 향상 방안)

  • Kim Changnam;Mun Youngsong;Huh Eui-Nam
    • Journal of KIISE:Information Networking
    • /
    • v.31 no.6
    • /
    • pp.566-572
    • /
    • 2004
  • In this paper, we define the secure authentication model to provide a mobile node with global roaming service and integrate the Fast Handoff scheme with our approach to minimize the service latency. By starting the AAA(Authentication, Authorization and Account) procedure with Fast Handoff simultaneously when a roaming occurs, authentication latency is reduced significantly and provision of fast and seamless service is possible. The previous works such as IPsec(Internet Protocol Security), RR (Return Routability) and AAA define the procedures performed after the completion of Layer2 Handoff which leads us to study a way of providing the real time and QoS guaranteed service during this period. The proposed scheme is for this goal and when appling it to roaming environment it shows the cost reduction up to 55% and 17% for the case of the MN receiving the FBACK and not respectively before L2 Handoff occurs.

An Improvement of Mobile IPv6 Binding Update Protocol Using Address Based Keys (주소기반의 키를 사용하는 모바일 IPv6 바인딩 갱신 프로토콜 개선)

  • You, Il-Sun;Choi, Sung-Kyo
    • Journal of the Institute of Electronics Engineers of Korea CI
    • /
    • v.42 no.5
    • /
    • pp.21-30
    • /
    • 2005
  • Recently, a mobile IPv6 binding update protocol using Address Based Keys (BU-ABK) was proposed. This protocol applies Address Based Keys (ABK), generated through identity-based cryptosystem, to enable strong authentication and secure key exchange without any global security infrastructure. However, because it cannot detect that public cryptographic parameters for ABKs are altered or forged, it is vulnerable to man-in-the-middle attacks and denial of service attacks. Furthermore, it has heavy burden of managing the public cryptographic parameters. In this paper, we show the weaknesses of BU-ABK and then propose an enhanced BU-ABK (EBU-ABK). Furthermore, we provide an optimization for mobile devices with constraint computational power. The comparison of EBU-ABK with BU-ABK shows that the enhanced protocol achieves strong security while not resulting in heavy computation overhead on a mobile node.

Anomaly Detection Mechanism against DDoS on BcN (BcN 상에서의 DDoS에 대한 Anomaly Detection 연구)

  • Song, Byung-Hak;Lee, Seung-Yeon;Hong, Choong-Seon;Huh, Eui-Nam;Sohn, Seong-Won
    • Journal of Internet Computing and Services
    • /
    • v.8 no.2
    • /
    • pp.55-65
    • /
    • 2007
  • BcN is a high-quality broadband network for multimedia services integrating telecommunication, broadcasting, and Internet seamlessly at anywhere, anytime, and using any device. BcN is Particularly vulnerable to intrusion because it merges various traditional networks, wired, wireless and data networks. Because of this, one of the most important aspects in BcN is security in terms of reliability. So, in this paper, we suggest the sharing mechanism of security data among various service networks on the BcN. This distributed, hierarchical architecture enables BcN to be robust of attacks and failures, controls data traffic going in and out the backbone core through IP edge routers integrated with IDRS. Our proposed anomaly detection scheme on IDRS for BcN service also improves detection rate compared to the previous conventional approaches.

  • PDF