
Dependable and Secure Computing, IEEE Transactions on

Issue 3 • Date May-June 2011

  • [Front cover]

    Page(s): c1
  • [Inside front cover]

    Page(s): c2
  • A Policy Enforcing Mechanism for Trusted Ad Hoc Networks

    Page(s): 321 - 336

    To ensure fair and secure communication in Mobile Ad hoc Networks (MANETs), the applications running in these networks must be regulated by proper communication policies. However, enforcing policies in MANETs is challenging because they lack the infrastructure and trusted entities encountered in traditional distributed systems. This paper presents the design and implementation of a policy enforcing mechanism based on Satem, a kernel-level trusted execution monitor built on top of the Trusted Platform Module. Under this mechanism, each application or protocol has an associated policy. Two instances of an application running on different nodes may engage in communication only if these nodes enforce the same set of policies for both the application and the underlying protocols used by the application. In this way, nodes can form trusted application-centric networks. Before allowing a node to join such a network, Satem verifies its trustworthiness of enforcing the required set of policies. Furthermore, Satem protects the policies and the software enforcing these policies from being tampered with. If any of them is compromised, Satem disconnects the node from the network. We demonstrate the correctness of our solution through security analysis, and its low overhead through performance evaluation of two MANET applications.

  • CASTLE: Continuously Anonymizing Data Streams

    Page(s): 337 - 352

    Most of the existing privacy-preserving techniques, such as k-anonymity methods, are designed for static data sets. As such, they cannot be applied to streaming data which are continuous, transient, and usually unbounded. Moreover, in streaming applications, there is a need to offer strong guarantees on the maximum allowed delay between incoming data and the corresponding anonymized output. To cope with these requirements, in this paper, we present Continuously Anonymizing STreaming data via adaptive cLustEring (CASTLE), a cluster-based scheme that anonymizes data streams on-the-fly and, at the same time, ensures the freshness of the anonymized data by satisfying specified delay constraints. We further show how CASTLE can be easily extended to handle ℓ-diversity. Our extensive performance study shows that CASTLE is efficient and effective w.r.t. the quality of the output data.

  • Determining the Diagnosability of (1,2)-Matching Composition Networks and Its Applications

    Page(s): 353 - 362

    The classic problem of determining the diagnosability of a given network has been studied extensively. Under the PMC model, this paper addresses the problem of determining the diagnosability of a class of networks called (1,2)-Matching Composition Networks, each of which is constructed by connecting two graphs via one or two perfect matchings. By applying our results to multiprocessor systems, we can determine the diagnosability of hypercubes, twisted cubes, locally twisted cubes, generalized twisted cubes, recursive circulants G(2^{n},4) for odd n, folded hypercubes, augmented cubes, crossed cubes, Möbius cubes, and hyper-Petersen networks, all of which belong to the class of (1,2)-matching composition networks.

  • Low-Energy Symmetric Key Distribution in Wireless Sensor Networks

    Page(s): 363 - 376

    In this work, a scheme for key distribution and network access in a Wireless Sensor Network (WSN) that utilizes Identity-Based Cryptography (IBC) is presented. The scheme is analyzed on the ARM920T processor and measurements were taken for the runtime and energy of its components. It was found that the Tate pairing component of the scheme consumes significant amounts of energy, and so should be ported to hardware. An accelerator was implemented in 65 nm Complementary Metal Oxide Silicon (CMOS) technology and area, timing, and energy figures have been obtained for the design. Results indicate that a hardware implementation of IBC would meet the strict energy constraint required of a wireless sensor network node.

  • Modeling and Detection of Camouflaging Worm

    Page(s): 377 - 390

    Active worms pose major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation, and thus, pose great challenges to defend against them. In this paper, we investigate a new class of active worms, referred to as Camouflaging Worm (C-Worm in short). The C-Worm is different from traditional worms because of its ability to intelligently manipulate its scan traffic volume over time. Thereby, the C-Worm camouflages its propagation from existing worm detection systems based on analyzing the propagation traffic generated by worms. We analyze characteristics of the C-Worm and conduct a comprehensive comparison between its traffic and nonworm traffic (background traffic). We observe that these two types of traffic are barely distinguishable in the time domain. However, their distinction is clear in the frequency domain, due to the recurring manipulative nature of the C-Worm. Motivated by our observations, we design a novel spectrum-based scheme to detect the C-Worm. Our scheme uses the Power Spectral Density (PSD) distribution of the scan traffic volume and its corresponding Spectral Flatness Measure (SFM) to distinguish the C-Worm traffic from background traffic. Using a comprehensive set of detection metrics and real-world traces as background traffic, we conduct extensive performance evaluations on our proposed spectrum-based detection scheme. The performance data clearly demonstrates that our scheme can effectively detect the C-Worm propagation. Furthermore, we show the generality of our spectrum-based scheme in effectively detecting not only the C-Worm, but traditional worms as well.

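    The spectral test described in the abstract above, as an added worked example (not code from the paper): it estimates the Power Spectral Density of a scan-volume time series with a periodogram, computes the Spectral Flatness Measure as the ratio of the geometric to the arithmetic mean of the PSD, and flags traces whose SFM is low. The two traces, the Gaussian background model, the on/off scan modulation, the slot count and the 0.3 cut-off are all constructed for illustration; the paper's traffic model, threshold and real-world traces are not on this page, and real background traffic is far burstier than the white noise used here.

```python
import cmath
import math
import random
from typing import Dict, List, Sequence


def periodogram(x: Sequence[float]) -> List[float]:
    """Periodogram PSD estimate of a real series using a plain O(N^2) DFT.

    The series is mean-centred first and only bins 1..N/2 are returned: the DC
    bin holds the average traffic level, which says nothing about a recurring
    manipulation of the scan rate.
    """
    n = len(x)
    mean = sum(x) / n
    centred = [v - mean for v in x]
    psd = []
    for k in range(1, n // 2 + 1):
        coeff = sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        psd.append(abs(coeff) ** 2 / n)
    return psd


def spectral_flatness(psd: Sequence[float]) -> float:
    """Spectral Flatness Measure: geometric mean / arithmetic mean of the PSD.

    Close to 1 for a noise-like (flat) spectrum, close to 0 when the power is
    concentrated in a few bins, as it is for a periodically toggled scan rate.
    """
    eps = 1e-12  # keeps log() defined for exactly-zero bins
    gmean = math.exp(sum(math.log(p + eps) for p in psd) / len(psd))
    amean = sum(p + eps for p in psd) / len(psd)
    return gmean / amean


def background_trace(n: int, rng: random.Random) -> List[float]:
    """Constructed non-worm scan volume: about 100 scans per slot with Gaussian jitter."""
    return [max(0.0, rng.gauss(100.0, 10.0)) for _ in range(n)]


def cworm_trace(n: int, rng: random.Random, period: int = 16, burst: float = 60.0) -> List[float]:
    """Constructed C-Worm volume: background plus a scan rate switched on for half
    of every `period` slots and off for the other half (the recurring manipulation)."""
    background = background_trace(n, rng)
    return [v + (burst if (t % period) < period // 2 else 0.0) for t, v in enumerate(background)]


def is_cworm(trace: Sequence[float], threshold: float = 0.3) -> bool:
    """Flag a trace whose SFM falls below `threshold` (an assumed cut-off)."""
    return spectral_flatness(periodogram(trace)) < threshold


def run_demo(seed: int = 7, n: int = 256) -> Dict[str, float]:
    """Return the SFM of one constructed background trace and one constructed C-Worm trace."""
    rng = random.Random(seed)
    return {
        "background": spectral_flatness(periodogram(background_trace(n, rng))),
        "c-worm": spectral_flatness(periodogram(cworm_trace(n, rng))),
    }


if __name__ == "__main__":
    for name, sfm in run_demo().items():
        print(f"{name:10s} SFM={sfm:.3f} flagged={sfm < 0.3}")
```

    The periodogram of white noise is itself noisy, so the background SFM sits well below 1 (around 0.5 to 0.6 for these parameters) rather than at 1; the worm trace lands near 0.1 because almost all of its non-DC power falls into the fundamental and odd harmonics of the 16-slot toggle. A deployment would calibrate the threshold on its own background traces rather than reuse the 0.3 assumed here.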
  • Recovery Device for Real-Time Dual-Redundant Computer Systems

    Page(s): 391 - 403

    This paper proposes the design of specialized hardware, called Recovery Device, for a dual-redundant computer system that operates in real-time. Recovery Device executes all fault-tolerant services including fault detection, fault type determination, fault localization, recovery of system after temporary (transient) fault, and reconfiguration of system after permanent fault. The paper also proposes the algorithms for determination of fault type (whether the fault is temporary or permanent) and localization of faulty computer without using self-testing techniques and diagnosis routines. Determination of fault type allows us to eliminate only the computer with a permanent fault. In other words, the determination of fault type prevents the elimination of nonfaulty computer because of short temporary fault. On the other hand, localization of faulty computer without using self-testing techniques and diagnosis routines shortens the recovery point time period and reduces the probability that a fault will occur during the execution of fault-tolerant procedure. This is very important for real-time fault-tolerant systems. These contributions bring both an increase in system performance and an increase in the degree of system reliability.

  • Reliability for Networked Storage Nodes

    Page(s): 404 - 418

    High-end enterprise storage has traditionally consisted of monolithic systems with customized hardware, multiple redundant components and paths, and no single point of failure. Distributed storage systems realized through networked storage nodes offer several advantages over monolithic systems such as lower cost and increased scalability. In order to achieve reliability goals associated with enterprise-class storage systems, redundancy will have to be distributed across the collection of nodes to tolerate both node and drive failures. In this paper, we present alternatives for distributing this redundancy, and models to determine the reliability of such systems. We specify a reliability target and determine the configurations that meet this target. Further, we perform sensitivity analyses, where selected parameters are varied to observe their effect on reliability.

  • Replica Placement for Route Diversity in Tree-Based Routing Distributed Hash Tables

    Page(s): 419 - 433

    Distributed hash tables (DHTs) share storage and routing responsibility among all nodes in a peer-to-peer network. These networks have bounded path length unlike unstructured networks. Unfortunately, nodes can deny access to keys or misroute lookups. We address both of these problems through replica placement. We characterize tree-based routing DHTs and define MaxDisjoint, a replica placement that creates route diversity for these DHTs. We prove that this placement creates disjoint routes and find the replication degree necessary to produce a desired number of disjoint routes. Using simulations of Pastry (a tree-based routing DHT), we evaluate the impact of MaxDisjoint on routing robustness compared to other placements when nodes are compromised at random or in a contiguous run. Furthermore, we consider another route diversity mechanism that we call neighbor set routing and show that, when used with our replica placement, it can successfully route messages to a correct replica even with a quarter of the nodes in the system compromised at random. Finally, we demonstrate a family of replica query strategies that can trade off response time and system load. We present a hybrid query strategy that keeps response time low without producing too high a load.

  • Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking

    Page(s): 434 - 449

    Network-based intruders seldom attack their victims directly from their own computer. Often, they stage their attacks through intermediate “stepping stones” in order to conceal their identity and origin. To identify the source of the attack behind the stepping stone(s), it is necessary to correlate the incoming and outgoing flows or connections of a stepping stone. To resist attempts at correlation, the attacker may encrypt or otherwise manipulate the connection traffic. Timing-based correlation approaches have been shown to be quite effective in correlating encrypted connections. However, timing-based correlation approaches are subject to timing perturbations that may be deliberately introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based-correlation scheme that is designed specifically to be robust against timing perturbations. Unlike most previous timing-based correlation approaches, our watermark-based approach is “active” in that it embeds a unique watermark into the encrypted flows by slightly adjusting the timing of selected packets. The unique watermark that is embedded in the encrypted flow gives us a number of advantages over passive timing-based correlation in resisting timing perturbations by the attacker. In contrast to the existing passive correlation approaches, our active watermark-based correlation does not make any limiting assumptions about the distribution or random process of the original interpacket timing of the packet flow. In theory, our watermark-based correlation can achieve arbitrarily close to 100 percent correlation true positive rate (TPR), and arbitrarily close to 0 percent false positive rate (FPR) at the same time for sufficiently long flows, despite arbitrarily large (but bounded) timing perturbations of any distribution by the attacker. Our paper is the first that identifies 1) accurate quantitative tradeoffs between the achievable correlation effectiveness and the defining characteristics of the timing perturbation; and 2) a provable upper bound on the number of packets needed to achieve a desired correlation effectiveness, given the amount of timing perturbation. Experimental results show that our active watermark-based correlation performs better and requires fewer packets than existing, passive timing-based correlation methods in the presence of random timing perturbations.

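    A simplified active timing watermark illustrating the abstract above, added here as an example and not the authors' scheme: the embedding rule (quantise selected inter-packet delays to a multiple of a step so that the parity of the quantisation index carries one watermark bit, repeat each bit for redundancy, decode by majority vote), the step, redundancy, jitter bound, mismatch threshold and the constructed exponential session delays are all assumptions. The paper's actual embedding, its parameters and its packet-count bound are not on this page. A real embedder can only delay packets, never send them early; this example adjusts delays in both directions to keep the code short.

```python
import random
from typing import Dict, List, Sequence


def _nearest_with_parity(x: float, parity: int) -> int:
    """Nearest integer to x (x >= 0) whose parity equals `parity`, floored at
    1 (odd) or 2 (even) so the resulting delay stays strictly positive."""
    q = round(x)
    if q % 2 != parity:
        q = q + 1 if x >= q else q - 1  # both neighbours have the wanted parity
    return max(q, 2 - parity)


def embed_watermark(ipds: Sequence[float], bits: Sequence[int], step: float, redundancy: int) -> List[float]:
    """Copy `ipds`, quantising the first len(bits)*redundancy inter-packet delays
    to a multiple of `step` whose index parity equals the watermark bit. Each bit
    is carried by `redundancy` consecutive delays so a majority vote can absorb
    per-packet jitter. Delays beyond the watermark are left untouched."""
    if len(bits) * redundancy > len(ipds):
        raise ValueError("flow too short to carry this watermark")
    out = list(ipds)
    i = 0
    for bit in bits:
        for _ in range(redundancy):
            out[i] = _nearest_with_parity(out[i] / step, bit) * step
            i += 1
    return out


def decode_watermark(ipds: Sequence[float], nbits: int, step: float, redundancy: int) -> List[int]:
    """Recover nbits by majority vote over the parity of each delay's quantisation index."""
    bits = []
    for b in range(nbits):
        votes = sum(round(ipds[b * redundancy + j] / step) % 2 for j in range(redundancy))
        bits.append(1 if 2 * votes > redundancy else 0)
    return bits


def perturb(ipds: Sequence[float], max_jitter: float, rng: random.Random) -> List[float]:
    """Attacker at a stepping stone adds bounded random jitter to every delay."""
    return [max(0.0, d + rng.uniform(-max_jitter, max_jitter)) for d in ipds]


def hamming(a: Sequence[int], b: Sequence[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def is_correlated(ipds: Sequence[float], watermark: Sequence[int], step: float,
                  redundancy: int, max_mismatch: int) -> bool:
    """Declare the observed flow correlated if the decoded bits are within
    `max_mismatch` of the watermark that was embedded upstream."""
    decoded = decode_watermark(ipds, len(watermark), step, redundancy)
    return hamming(decoded, watermark) <= max_mismatch


def run_demo(seed: int = 1, nbits: int = 32, redundancy: int = 5,
             step: float = 0.005, jitter: float = 0.002) -> Dict[str, object]:
    """Embed into a constructed flow, perturb it below step/2, and compare the
    decode against a flow that never carried the watermark."""
    rng = random.Random(seed)
    watermark = [rng.randrange(2) for _ in range(nbits)]
    # constructed interactive-session delays: exponential with a 50 ms mean
    flow = [rng.expovariate(1 / 0.05) for _ in range(nbits * redundancy)]
    marked = embed_watermark(flow, watermark, step, redundancy)
    observed = perturb(marked, jitter, rng)
    unrelated = [rng.expovariate(1 / 0.05) for _ in range(nbits * redundancy)]
    heavy = perturb(marked, 0.8 * step, rng)  # jitter beyond step/2: some votes flip
    return {
        "marked": is_correlated(observed, watermark, step, redundancy, 4),
        "unrelated": is_correlated(unrelated, watermark, step, redundancy, 4),
        "unrelated_mismatches": hamming(decode_watermark(unrelated, nbits, step, redundancy), watermark),
        "heavy_jitter_mismatches": hamming(decode_watermark(heavy, nbits, step, redundancy), watermark),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

    With jitter bounded below half the quantisation step every delay still rounds to the index that was embedded, so the marked flow decodes exactly while an unrelated flow yields roughly half mismatches. The `heavy_jitter_mismatches` entry shows the tradeoff the abstract quantifies: once the perturbation exceeds step/2, individual votes flip and more packets per bit are needed to hold the same true-positive rate.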
  • Securing Topology Maintenance Protocols for Sensor Networks

    Page(s): 450 - 465

    We analyze the security vulnerabilities of PEAS, ASCENT, and CCP, three well-known topology maintenance protocols (TMPs) for sensor networks. These protocols aim to increase the lifetime of the sensor network by only maintaining a subset of nodes in an active or awake state. The design of these protocols assumes that the sensor nodes will be deployed in a trusted, nonadversarial environment, and does not take into account the impact of attacks launched by malicious insider or outsider nodes. We propose a metaprotocol (Meta-TMP) to represent the class of topology maintenance protocols. The Meta-TMP provides us with a better understanding of the characteristics and of how a specific TMP works, and it can be used to study the vulnerabilities of a specific TMP. We describe various types of malicious behavior and actions that can be carried out by an adversary to attack a wireless sensor network by exploiting the TMP being used in the network. We describe three attacks against these protocols that may be used to reduce the lifetime of the sensor network, or to degrade the functionality of the sensor application by reducing the network connectivity and the sensing coverage that can be achieved. Further, we describe countermeasures that can be taken to increase the robustness of the protocols and make them resilient to such attacks.

  • The F_f-Family of Protocols for RFID-Privacy and Authentication

    Page(s): 466 - 480

    In this paper, we present the design of the lightweight F_f family of privacy-preserving authentication protocols for RFID systems. F_f results from a systematic design based on a new algebraic framework focusing on the security and privacy of RFID authentication protocols. F_f offers user-adjustable, strong authentication, and privacy against known algebraic attacks and recently popular SAT-solving attacks. In contrast to related work, F_f achieves these security properties without requiring an expensive cryptographic hash function. F_f is designed for a challenge-response protocol, where the tag sends random nonces and the results of HMAC-like computations of one of the nonces together with its secret key back to the reader. In this paper, the authentication and privacy of F_f are evaluated using analytical and experimental methods.

  • TDSC Information for authors

    Page(s): c3
  • [Back cover]

    Page(s): c4

Aims & Scope

The purpose of TDSC is to publish papers in dependability and security, including the joint consideration of these issues and their interplay with system performance.


Meet Our Editors

Editor-in-Chief
Elisa Bertino
CS Department
Purdue University