79 results for malicious gossip



Abstract:

Opportunistic networks or OppNets refer to a number of wireless nodes opportunistically communicating with each other in a form of “Store–Carry–Forward”. This occurs when they come into contact with each other without proper network infrastructure. OppNets use wireless technologies, such as IEEE 802.11, WiMAX, Bluetooth, and other short-range radio communication. In OppNets, there is no end-to-end connection between the source and the destination nodes, and the nodes usually have high mobility, low density, limited power, short radio range, and are often subject to different kinds of attacks by malicious nodes. Due to these characteristics and features, OppNets are subject to serious security challenges. OppNets strongly depend on human interaction; therefore, the success of securing such networks is based on trust between people. This survey includes the security approaches in OppNets and techniques used to increase their security levels.


Abstract:

Security is a major challenge in Opportunistic Networks (OppNets) because of their characteristics, such as open medium, dynamic topology, no centralized management and the absence of clear lines of defense. A packet dropping attack is one of the major security threats in OppNets since neither source nodes nor destination nodes have the knowledge of where or when the packet will be dropped. In our previous novel attack (Packet Faking Attack [1]) we presented a special type of packet dropping where the malicious node drops one or more packets and then injects new fake packets instead. In this paper, we present an efficient detection mechanism against this type of attack where each node can detect the attack instead of the destination node. Our detection mechanism is very powerful and has very high accuracy. It relies on a very simple yet powerful idea, that is, the packet creation time of each packet. Simulation results show this robust mechanism achieves a very high accuracy, detection rate and good network traffic reduction.


Abstract:

Security is a major challenge in Opportunistic Networks (OppNets) because of their characteristics, such as open medium, dynamic topology, no centralized management and the absence of clear lines of defense. A packet dropping attack is one of the major security threats in OppNets since neither source nodes nor destination nodes have the knowledge of where or when the packet will be dropped. In this paper, we present a novel attack and traceback mechanism against a special type of packet dropping where the malicious node drops one or more packets and then injects new fake packets instead. We call this novel attack a Catabolism Attack and we call our novel traceback mechanism against this attack Anabolism Defense. Our novel detection and traceback mechanism is very powerful and has very high accuracy. Each node can detect and then trace back the malicious nodes based on a solid and powerful idea, that is, hash chain techniques. In our defense techniques we have two stages. The first stage is to detect the attack, and the second stage is to find the malicious nodes. Simulation results show this robust mechanism achieves a very high accuracy and detection rate.


Abstract:

Botnets have become major engines for malicious activities in cyberspace nowadays. To sustain their botnets and disguise their malicious actions, botnet owners are mimicking legitimate cyber behavior to fly under the radar. This poses a critical challenge in anomaly detection. In this paper, we use web browsing on popular web sites as an example to tackle this problem. First of all, we establish a semi-Markov model for browsing behavior. Based on this model, we find that it is impossible to detect mimicking attacks based on statistics if the number of active bots of the attacking botnet is sufficiently large (no less than the number of active legitimate users). However, we also find it is hard for botnet owners to satisfy the condition to carry out a mimicking attack most of the time. With this new finding, we conclude that mimicking attacks can be discriminated from genuine flash crowds using second order statistical metrics. We define a new fine correntropy metric and show its effectiveness compared to others. Our real world data set experiments and simulations confirm our theoretical claims. Furthermore, the findings can be widely applied to similar situations in other research fields.


Abstract:

Locating the real source of Internet attacks has long been an important but difficult problem to be addressed. In the real world, attackers can easily hide their identities and evade punishment by relaying their attacks through a series of compromised systems or devices called stepping stones. Currently, researchers mainly use similar features from the network traffic, such as packet timestamps and frequencies, to detect stepping stones. However, these features can be easily destroyed by attackers using evasive techniques. In addition, it is also difficult to implement an appropriate threshold of similarity that can help justify the stepping stones. In order to counter these problems, in this paper, we introduce the consistent causality probability to detect the stepping stones. We formulate the ranges of abnormal causality probabilities according to the different network conditions, and on the basis of it, we further implement two self-adaptive methods to capture stepping stones. To evaluate our proposed detection methods, we adopt theoretic analysis and empirical studies, which demonstrate accuracy of the abnormal causality probability. Moreover, we compare our proposed methods with previous works. The result shows that our methods in this paper significantly outperform previous works in the accuracy of detecting malicious stepping stones, even when evasive techniques are adopted by attackers.


Abstract:

The popularity of smartphones has led to an increasing demand for health apps. As a result, the healthcare industry is embracing mobile technology and the security of mHealth is essential in protecting patient’s user data and WBAN in a clinical setting. Breaches of security can potentially be life-threatening as someone with malicious intentions could misuse mHealth devices and user information. In this article, threats to security for mHealth networks are discussed in a layered approach addressing gaps in this emerging field of research. Suite B and Suite E, which are utilized in many security systems, including in mHealth applications, are also discussed. In this paper, the support for mHealth security will follow two approaches: protecting patient-centric systems and associated link technologies. Therefore, this article is focused on the security provisioning of the communication path between the patient terminal (PT; e.g., sensors) and the monitoring devices (e.g., smartphone, data-collector).


Abstract:

Twitter has changed the way of communication and getting news for people's daily life in recent years. Meanwhile, due to the popularity of Twitter, it has also become a main target for spamming activities. In order to stop spammers, Twitter is using Google SafeBrowsing to detect and block spam links. Although blacklists can block malicious URLs embedded in tweets, their lagging time hinders the ability to protect users in real-time. Thus, researchers have begun to apply different machine learning algorithms to detect Twitter spam. However, there is no comprehensive evaluation of each algorithm's performance for real-time Twitter spam detection due to the lack of large ground truth. To carry out a thorough evaluation, we collected a large dataset of over 600 million public tweets. We further labelled around 6.5 million spam tweets and extracted 12 light-weight features, which can be used for online detection. In addition, we have conducted a number of experiments on six machine learning algorithms under various conditions to better understand their effectiveness and weakness for timely Twitter spam detection. We will make our labelled dataset available for researchers who are interested in validating or extending our work.


Abstract:

Code injection attacks are considered serious threats to Internet users. In this type of attack the attacker injects malicious code in the user programs to change or divert the execution flows. In this paper we explore the contemporary defence strategies against code injection attacks (CIAs) and underline their limitations. To overcome these limitations, we suggest a number of countermeasure mechanisms for protecting from CIAs. Our key idea relies on the multiplexing technique to preserve the exact return code to ensure the integrity of program execution trace of shell code. This technique also maintains a FIFO (first in first out) queue to defeat the conflict state when multiple caller methods make a call simultaneously. Finally, our technique can provide better performance, in terms of protection and speed, in some point compared to the CFI (control flow integrity) as well as CPM (code pointer masking) techniques.


Abstract:

Spam has become a critical problem on Twitter. In order to stop spammers, security companies apply blacklisting services to filter spam links. However, over 90% of victims will visit a new malicious link before it is blocked by blacklists. To eliminate the limitation of blacklists, researchers have proposed a number of statistical-feature-based mechanisms, and applied machine learning techniques to detect Twitter spam. In our labelled large dataset, we observe that the statistical properties of spam tweets vary over time, and thus the performance of existing ML-based classifiers is poor. This phenomenon is referred to as 'Twitter Spam Drift'. In order to tackle this problem, we carry out deep analysis of 1 million spam tweets and 1 million non-spam tweets, and propose an asymmetric self-learning (ASL) approach. The proposed ASL can discover new information of changed Twitter spam and incorporate it into the classifier training process. A number of experiments are performed to evaluate the ASL approach. The results show that the ASL approach can be used to significantly improve the spam detection accuracy of using traditional ML algorithms.


Abstract:

Opportunistic Networks (OppNets) are exposed to a variety of attacks, among them packet dropping attacks. The security challenge in OppNets is to effectively and securely forward data and guarantee their delivery without any loss. Security and trust in OppNets have gained popularity in research because of their inherent features, including frequent partitions, long delays and intermittent connectivity. This paper presents an efficient malicious path and malicious node detection technique against selective packet dropping attacks. In our algorithm we have developed a solid detection mechanism using the Merkle tree hashing technique. The result of malicious path detection is used to build trust by destination nodes for each path; the built trust value of nodes is then used to detect malicious nodes. Simulation results show that the technique accurately detects malicious paths. The results also show that with the increase of simulation time, node detection accuracy also increases as intermediate nodes have more time to establish trust with destination nodes.


Abstract:

The specific goals in this thesis are to investigate weaknesses in smartphone devices that leave them vulnerable to attacks by malicious applications, and to develop proficient detection mechanisms and methods for detecting and preventing smartphone malware, specifically on Android devices, and, in addition, to investigate weaknesses of existing countermeasures.


Abstract:

Cloud computing is proposed as an open and promising computing paradigm where customers can deploy and utilize IT services in a pay-as-you-go fashion while saving huge capital investment in their own IT infrastructure. Due to the openness and virtualization, various malicious service providers may exist in these cloud environments, and some of them may record service data from a customer and then collectively deduce the customer's private information without permission. Therefore, from the perspective of cloud customers, it is essential to take certain technical actions to protect their privacy at the client side. Noise obfuscation is an effective approach in this regard by utilizing noise data. For instance, noise service requests can be generated and injected into real customer service requests so that malicious service providers would not be able to distinguish which requests are real ones if these requests' occurrence probabilities are about the same, and consequently related customer privacy can be protected. Currently, existing representative noise generation strategies have not considered possible fluctuations of occurrence probabilities. In this case, the probability fluctuation could not be concealed by existing noise generation strategies, and it is a serious risk for the customer's privacy. To address this probability fluctuation privacy risk, we systematically develop a novel time-series pattern based noise generation strategy for privacy protection on cloud. First, we analyze this privacy risk and present a novel cluster based algorithm to generate time intervals dynamically. Then, based on these time intervals, we investigate corresponding probability fluctuations and propose a novel time-series pattern based forecasting algorithm. Lastly, based on the forecasting algorithm, our novel noise generation strategy can be presented to withstand the probability fluctuation privacy risk. The simulation evaluation demonstrates that our strategy can significantly improve the effectiveness of such cloud privacy protection to withstand the probability fluctuation privacy risk.


Abstract:

Witnessing the wide spread of malicious information in large networks, we develop an efficient method to detect anomalous diffusion sources and thus protect networks from security and privacy attacks. To date, most existing work on diffusion source detection is based on the assumption that network snapshots that reflect information diffusion can be obtained continuously. However, obtaining snapshots of an entire network requires deploying detectors on all network nodes and thus is very expensive. Alternatively, in this article, we study the diffusion source locating problem by learning from information diffusion data collected from only a small subset of network nodes. Specifically, we present a new regression learning model that can detect anomalous diffusion sources by jointly solving five challenges, that is, unknown number of source nodes, few activated detectors, unknown initial propagation time, uncertain propagation path and uncertain propagation time delay. We theoretically analyze the strength of the model and derive performance bounds. We empirically test and compare the model using both synthetic and real-world networks to demonstrate its performance.


Abstract:

Google Android has been popular for mobile devices in recent years. The openness and popularity of Android make it a primary target for malware. Even though Android's security mechanisms could defend against most malware, its permission model is vulnerable to the transitive permission attack, a type of privilege escalation attack. Many approaches have been proposed to detect this attack by modifying the Android OS. However, Android's fragmentation problem and the need to root the Android device hinder large-scale adoption of those approaches. In this paper, we present an instrumentation framework, called SEAPP, for Android applications (or “apps”) to detect the transitive permission attack on unmodified Android. SEAPP automatically rewrites an app without requiring its source code and produces a security-hardened app. At runtime, call-chains are built among these apps and the detection process is executed before a privileged API is invoked. Our experimental results show that SEAPP could work on a large number of benign apps from the official Android market and malicious apps, with a repackaged success rate of over 99.8%. We also show that our framework effectively tracks call-chains among apps and detects known transitive permission attacks with low overhead. Copyright © 2016 John Wiley & Sons, Ltd.


Abstract:

In this thesis, we have identified a novel attack in OppNets, a special type of packet dropping attack where the malicious node(s) drops one or more packets (not all the packets) and then injects new fake packets instead. We name this novel attack the Catabolism attack and propose a novel attack detection and traceback approach against this attack, referred to as the Anabolism defence. As part of the Anabolism defence approach we have proposed three techniques: time-based, Merkle tree based and hash chain based techniques for attack detection and malicious node(s) traceback. We provide mathematical models that show our novel detection and traceback mechanisms to be very effective, and detailed simulation results show our defence mechanisms to achieve a very high accuracy and detection rate.