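% Bibliography database, laid out one entry per block and one field per line.
% Conventions: months use the standard three-letter macros (unquoted), page
% ranges use a double hyphen, ISSN/ISBN/DOI are stored bare, and acronyms and
% proper nouns in titles are brace-protected against style recasing.
% abstractNote is a non-standard field; standard styles ignore it.

@article{he_dai_ning_dutta_2017,
  author       = {He, Xiaofan and Dai, Huaiyu and Ning, Peng and Dutta, Rudra},
  title        = {A Leader-Follower Controlled {Markov} Stopping Game for Delay Tolerant and Opportunistic Resource Sharing Networks},
  journal      = {IEEE Journal on Selected Areas in Communications},
  volume       = {35},
  number       = {3},
  pages        = {615--627},
  year         = {2017},
  month        = mar,
  issn         = {1558-0008},
  doi          = {10.1109/jsac.2017.2659581},
  abstractNote = {In various resource sharing networks, opportunistic resources with dynamic quality are often present for the users to exploit. As many user tasks are delay-tolerant, this favorably allows the network users to wait for and access the opportunistic resource at the time of its best quality. For such delay-tolerant and opportunistic resource sharing networks, the resource accessing strategies developed in the literature suffer from three limitations. First, they mainly focused on single-user scenarios, whereas the competition from other users is ignored. Second, the influence from the resource seller who may take actions to manipulate the resource sharing procedure is not considered. Third, the impact of the actions from both the network users and the resource seller on the resource quality dynamics is not considered either. To overcome these limitations, a leader–follower controlled Markov stopping game (LF-C-MSG) is developed in this paper. The derived Stackelberg equilibrium strategy of the LF-C-MSG can be used to guide the behaviors of both the network users and the resource seller for better performance and resource utilization efficiency. Two exemplary applications of the proposed LF-C-MSG are presented, along with corresponding numerical results to verify the effectiveness of the proposed framework.},
}

% Title previously began with a doubled article ("A A"); reduced to one.
@inproceedings{he_dai_ning_dutta_2016,
  author       = {He, X. F. and Dai, Huaiyu and Ning, P. and Dutta, Rudra},
  title        = {A multi-player {Markov} stopping game for delay-tolerant and opportunistic resource sharing networks},
  booktitle    = {{IEEE} {INFOCOM} 2016 - The 35th Annual {IEEE} International Conference on Computer Communications},
  year         = {2016},
  doi          = {10.1109/infocom.2016.7524350},
  abstractNote = {Opportunistic resources are often present in various resource sharing networks for the users to exploit, but their qualities often change over time. Fortunately, many user tasks are delay-tolerant, which offers the network users a favorable degree of freedom in waiting for and accessing the opportunistic resource at the time of its best quality. For such delay-tolerant and opportunistic resource sharing networks (DT-ORS-Net), the corresponding optimal accessing strategies developed in existing literature mainly focus on the single-user scenarios, while the potential competition from other peer users in practical multi-user DT-ORS-Net is often ignored. Considering this, a multi-player Markov stopping game (M-MSG) is developed in this work, and the derived Nash equilibrium (NE) strategy of this M-MSG can guide network users to properly handle the potential competition from other peers and thus exploit the time diversity of the opportunistic resource more effectively, which in turn further improves the resource utilization efficiency. Applications in the cloud-computing and the mobile crowdsourcing networks are demonstrated to verify the effectiveness of the proposed method, and simulation results show that using the NE strategy of the proposed M-MSG can provide substantial performance gain as compared to using the conventional single-user optimal one.},
}

@article{he_dai_ning_2016,
  author       = {He, Xiaofan and Dai, Huaiyu and Ning, Peng},
  title        = {Faster Learning and Adaptation in Security Games by Exploiting Information Asymmetry},
  journal      = {IEEE Transactions on Signal Processing},
  volume       = {64},
  number       = {13},
  pages        = {3429--3443},
  year         = {2016},
  month        = jul,
  issn         = {1941-0476},
  doi          = {10.1109/tsp.2016.2548987},
  abstractNote = {With the advancement of modern technologies, the security battle between a legitimate system (LS) and an adversary is becoming increasingly sophisticated, involving complex interactions in unknown dynamic environments. Stochastic game (SG), together with multi-agent reinforcement learning (MARL), offers a systematic framework for the study of information warfare in current and emerging cyber-physical systems. In practical security games, each player usually has only incomplete information about the opponent, which induces information asymmetry. This paper exploits information asymmetry from a new angle, considering how to exploit information unknown to the opponent to the player's advantage. Two new MARL algorithms, termed minimax post-decision state (minimax-PDS) and Win-or-Learn Fast post-decision state (WoLF-PDS), are proposed, which enable the LS to learn and adapt faster in dynamic environments by exploiting its information advantage. The proposed algorithms are provably convergent and rational, respectively. Also, numerical results are presented to show their effectiveness through three important applications.},
}

@article{wang_ren_ning_hu_2016,
  author       = {Wang, Qian and Ren, Kui and Ning, Peng and Hu, Shengshan},
  title        = {Jamming-Resistant Multiradio Multichannel Opportunistic Spectrum Access in Cognitive Radio Networks},
  journal      = {IEEE Transactions on Vehicular Technology},
  volume       = {65},
  number       = {10},
  pages        = {8331--8344},
  year         = {2016},
  month        = oct,
  issn         = {1939-9359},
  doi          = {10.1109/tvt.2015.2511071},
  abstractNote = {For achieving optimized spectrum usage, most existing opportunistic spectrum sensing and access protocols model the spectrum sensing and access problem as a partially observed Markov decision process by assuming that the information states and/or the primary users' (PUs) traffic statistics are known a priori to the secondary users (SUs). While theoretically sound, the existing solutions may not be effective in practice due to two main concerns. First, the assumptions are not practical, as before the communication starts, PUs' traffic statistics may not be readily available to the SUs. Second and more serious, existing approaches are extremely vulnerable to malicious jamming attacks. By leveraging the same statistic information and stochastic dynamic decision-making process that the SUs would follow, a cognitive attacker with sensing capability can sense and jam the channels to be accessed by SUs, while not interfering PUs. To address these concerns, we formulate the antijamming, multichannel access problem as a nonstochastic multi-armed bandit problem. By leveraging probabilistically shared information between the sender and the receiver, our proposed protocol enables them to hop to the same set of channels with high probability while gaining resilience to jamming attacks without affecting PUs' activities. We analytically show the convergence of the learning algorithms and derive the performance bound based on regret. We further discuss the problem of tracking the best adaptive strategy and characterize the performance bound based on a new regret. Extensive simulation results show that the probabilistic spectrum sensing and access protocol can overcome the limitation of existing solutions and is highly resilient to various jamming attacks even with jammed acknowledgment (ACK) information.},
}

% Exported as an article; the venue is a symposium proceedings volume, so the
% venue now lives in booktitle under the inproceedings type.
@inproceedings{xiong_ning_2015,
  author       = {Xiong, Kaiqi and Ning, Peng},
  title        = {Cost-Efficient and Attack-Resilient Approaches for State Estimation in Power Grids},
  booktitle    = {30th Annual {ACM} Symposium on Applied Computing, Vols I and II},
  pages        = {2192--2197},
  year         = {2015},
  doi          = {10.1145/2695664.2695937},
  abstractNote = {State estimation is a fundamental question in a power grid and it is used to understand the state of power grids based on readings of sensors placed at important power grid components. Current state estimation approaches are highly vulnerable to malicious attacks; an attacker can compromise one or a few sensors to mislead state estimation and thus the power grid control algorithms, leading to catastrophic consequences (e.g., a large-scale blackout). This paper presents a series of attack-resilient state estimation algorithms for power grids. These algorithms use the intrinsic relationship among the state variables and the sensor measurements to effectively tolerate malicious sensor readings. This paper also investigates the properties of these algorithms through theoretical analysis and simulation, which both demonstrate the effectiveness of the proposed approaches.},
}

% Exported as an article; the venue is a conference, so it is typed as
% inproceedings with the venue in booktitle.
@inproceedings{he_dai_ning_dutta_2015,
  author       = {He, Xiaofan and Dai, Huaiyu and Ning, Peng and Dutta, Rudra},
  title        = {Dynamic {IDS} Configuration in the Presence of Intruder Type Uncertainty},
  booktitle    = {2015 {IEEE} Global Communications Conference ({GLOBECOM})},
  year         = {2015},
  issn         = {2334-0983},
  doi          = {10.1109/glocom.2015.7417158},
  abstractNote = {Intrusion detection systems (IDSs) assume increasingly importance in past decades as information systems become ubiquitous. Despite the abundance of intrusion detection algorithms developed so far, there is still no single detection algorithm or procedure that can catch all possible intrusions; also, simultaneously running all these algorithms may not be feasible for practical IDSs due to resource limitation. For these reasons, effective IDS configuration becomes crucial for real-time intrusion detection. However, the uncertainty in the intruder's type and the (often unknown) dynamics involved with the target system pose challenges to IDS configuration. Considering these challenges, the IDS configuration problem is formulated as an incomplete information stochastic game in this work, and a new algorithm, Bayesian Nash-Q learning, that combines conventional reinforcement learning with a Bayesian type identification procedure is proposed. Numerical results show that the proposed algorithm can identify the intruder's type with high fidelity and provide effective configuration.},
}

@inproceedings{yu_ning_vouk_2015,
  author       = {Yu, X. Q. and Ning, P. and Vouk, M. A.},
  title        = {Enhancing security of {Hadoop} in a public cloud},
  booktitle    = {2015 6th International Conference on Information and Communication Systems ({ICICS})},
  pages        = {38--43},
  year         = {2015},
  doi          = {10.1109/iacs.2015.7103198},
  abstractNote = {Hadoop has become increasingly popular as it rapidly processes data in parallel. Cloud computing gives reliability, flexibility, scalability, elasticity and cost saving to cloud users. Deploying Hadoop in cloud can benefit Hadoop users. Our evaluation exhibits that various internal cloud attacks can bypass current Hadoop security mechanisms, and compromised Hadoop components can be used to threaten overall Hadoop. It is urgent to improve compromise resilience, Hadoop can maintain a relative high security level when parts of Hadoop are compromised. Hadoop has two vulnerabilities that can dramatically impact its compromise resilience. The vulnerabilities are the overloaded authentication key, and the lack of fine-grained access control at the data access level. We developed a security enhancement for a public cloud-based Hadoop, named SEHadoop, to improve the compromise resilience through enhancing isolation among Hadoop components and enforcing least access privilege for Hadoop processes. We have implemented the SEHadoop model, and demonstrated that SEHadoop fixes the above vulnerabilities with minimal or no run-time overhead, and effectively resists related attacks.},
}

@inproceedings{he_dai_ning_2015,
  author       = {He, X. F. and Dai, H. Y. and Ning, P.},
  title        = {Improving learning and adaptation in security games by exploiting information asymmetry},
  booktitle    = {2015 {IEEE} Conference on Computer Communications ({INFOCOM})},
  year         = {2015},
  doi          = {10.1109/infocom.2015.7218560},
  abstractNote = {With the advancement of modern technologies, the security battle between a legitimate system (LS) and an adversary is becoming increasingly sophisticated, involving complex interactions in unknown dynamic environments. Stochastic game (SG), together with multi-agent reinforcement learning (MARL), offers a systematic framework for the study of information warfare in current and emerging cyber-physical systems. In practical security games, each player usually has only incomplete information about the opponent, which induces information asymmetry. This work exploits information asymmetry from a new angle, considering how to exploit local information unknown to the opponent to the player's advantage. Two new MARL algorithms, termed minimax-PDS and WoLF-PDS, are proposed, which enable the LS to learn and adapt faster in dynamic environments by exploiting its private local information. The proposed algorithms are provably convergent and rational, respectively. Also, numerical results are presented to show their effectiveness through two concrete anti-jamming examples.},
}

@inproceedings{shen_liu_he_dai_ning_2015,
  author       = {Shen, W. B. and Liu, Y. and He, X. F. and Dai, H. Y. and Ning, P.},
  title        = {No time to demodulate - fast physical layer verification of friendly jamming},
  booktitle    = {2015 {IEEE} Military Communications Conference ({MILCOM} 2015)},
  pages        = {653--658},
  year         = {2015},
  doi          = {10.1109/milcom.2015.7357518},
  abstractNote = {Jamming attacks are well-known threats to wireless communications, but on the other hand they provide insights for researchers to design novel approaches to protect wireless communications. In recent years, friendly jamming is used by a number of research works to achieve the wireless medium access control. However, in these works, the friendly jammer relies on bit-level information to distinguish the allies' wireless transmissions from the enemies', which requires the received signals to be processed through demodulation steps and thus introduces a non-trivial reaction time delay for the friendly jammer. This reaction delay is undesirable as the transmissions need to be jammed while they are still on the air. To address this problem, we propose fast friendly jamming, which eliminates the need for demodulation and enables the friendly jammer to verify the received signals directly on the physical layer. We have implemented a prototype of the proposed techniques based on GNURadio and USRP, and performed real-world experiments to validate the proposed techniques. The experiment results show that the proposed techniques reduce the normal reaction delay of the friendly jammer by 81.9%-85.7%, and achieve the accurate distinction between allies' and enemies' transmissions.},
}

@article{he_dai_shen_ning_dutta_2016,
  author       = {He, Xiaofan and Dai, Huaiyu and Shen, Wenbo and Ning, Peng and Dutta, Rudra},
  title        = {Toward Proper Guard Zones for Link Signature},
  journal      = {IEEE Transactions on Wireless Communications},
  volume       = {15},
  number       = {3},
  pages        = {2104--2117},
  year         = {2016},
  month        = mar,
  issn         = {1558-2248},
  doi          = {10.1109/twc.2015.2498621},
  abstractNote = {Motivated by information-theoretic security, link signature (LS)-based security mechanisms exploit the ample channel characteristics between wireless devices for security establishment. Nevertheless, LS is originated from wireless environments and hence may exhibit potential vulnerabilities that can be exploited by adversary in the vicinity. As to this, it is widely believed in existing literature on LS that, a half-wavelength guard zone is sufficient to decorrelate the adversary channel from the legitimate one and thereby secures the legitimate LS. However, such an assumption may not hold universally - in some environments, high channel correlations have been observed for much larger spatial separations. Considering this, a comprehensive understanding of channel correlation in different wireless environments is needed for more confident deployment of LS-based security mechanisms. To this end, various well-established channel correlation models are investigated in this work. A set of important physical factors that have significant influence on LS security are identified, and with the obtained insights, extensive simulations are conducted to explore suitable guard zone sizes for LS in several typical indoor and outdoor environments. Experimental results based on universal software radio peripheral (USRP) platforms and GNURadio are also presented to further support the analysis.},
}

@article{fang_liu_ning_2016,
  author       = {Fang, Song and Liu, Yao and Ning, Peng},
  title        = {Wireless Communications under Broadband Reactive Jamming Attacks},
  journal      = {IEEE Transactions on Dependable and Secure Computing},
  volume       = {13},
  number       = {3},
  pages        = {394--408},
  year         = {2016},
  issn         = {1941-0018},
  doi          = {10.1109/tdsc.2015.2399304},
  abstractNote = {A reactive jammer jams wireless channels only when target devices are transmitting; Compared to constant jamming, reactive jamming is harder to track and compensate against [2], [38]. Frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS) have been widely used as countermeasures against jamming attacks. However, both will fail if the jammer jams all frequency channels or has high transmit power. In this paper, we propose an anti-jamming communication system that allows communication in the presence of a broadband and high power reactive jammer. The proposed system transmits messages by harnessing the reaction time of a reactive jammer. It does not assume a reactive jammer with limited spectrum coverage and transmit power, and thus can be used in scenarios where traditional approaches fail. We develop a prototype of the proposed system using GNURadio. Our experimental evaluation shows that when a powerful reactive jammer is present, the prototype still keeps communication, whereas other schemes such as 802.11 DSSS fail completely.},
}

@article{he_dai_ning_2014,
  author       = {He, Xiaofan and Dai, Huaiyu and Ning, Peng},
  title        = {Dynamic Adaptive Anti-Jamming via Controlled Mobility},
  journal      = {IEEE Transactions on Wireless Communications},
  volume       = {13},
  number       = {8},
  pages        = {4374--4388},
  year         = {2014},
  month        = aug,
  issn         = {1558-2248},
  doi          = {10.1109/twc.2014.2320973},
  abstractNote = {In this paper, the mobility of network nodes is explored as a new promising approach for jamming defense. To fulfill it, properly designed node motion that can intelligently adapt to the jammer's action is crucial. In our study, anti-jamming mobility control is investigated in the context of the single and multiple commodity flow problems, in the presence of intelligent mobile jammers which can respond to the evasion of legitimate nodes as well. Based on spectral graph theory, two new spectral quantities, single- and multi-weighted Cheeger constants and corresponding eigenvalue variants, are constructed to direct motions of the defender and the attacker in this dynamic adaptive competition. Both analytical and simulation results are presented to justify the effectiveness of the proposed approach. Furthermore, the proposed scheme can also be applied in cognitive radio networks to reconfigure the secondary users in the presence of mobile primary users.},
}

@article{zhang_yang_yang_gu_ning_zang_2014,
  author       = {Zhang, Yuan and Yang, Min and Yang, Zhemin and Gu, Guofei and Ning, Peng and Zang, Binyu},
  title        = {Permission Use Analysis for Vetting Undesirable Behaviors in {Android} Apps},
  journal      = {IEEE Transactions on Information Forensics and Security},
  volume       = {9},
  number       = {11},
  pages        = {1828--1842},
  year         = {2014},
  month        = nov,
  issn         = {1556-6021},
  doi          = {10.1109/tifs.2014.2347206},
  abstractNote = {The android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for generally analyzing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid proposes a systematic permission use analysis technique to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help to identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.},
}

% Exported as an article; the venue is a symposium, so it is typed as
% inproceedings with the venue in booktitle.
@inproceedings{shen_ning_he_dai_2013,
  author       = {Shen, Wenbo and Ning, Peng and He, Xiaofan and Dai, Huaiyu},
  title        = {Ally Friendly Jamming: How to Jam Your Enemy and Maintain Your Own Wireless Connectivity at the Same Time},
  booktitle    = {2013 {IEEE} Symposium on Security and Privacy ({SP})},
  pages        = {174--188},
  year         = {2013},
  isbn         = {978-1-4673-6166-8},
  issn         = {1081-6011},
  doi          = {10.1109/sp.2013.22},
  abstractNote = {This paper presents a novel mechanism, called Ally Friendly Jamming, which aims at providing an intelligent jamming capability that can disable unauthorized (enemy) wireless communication but at the same time still allow authorized wireless devices to communicate, even if all these devices operate at the same frequency. The basic idea is to jam the wireless channel continuously but properly control the jamming signals with secret keys, so that the jamming signals are unpredictable interference to unauthorized devices, but are recoverable by authorized ones equipped with the secret keys. To achieve the ally friendly jamming capability, we develop new techniques to generate ally jamming signals, to identify and synchronize with multiple ally jammers. This paper also reports the analysis, implementation, and experimental evaluation of ally friendly jamming on a software defined radio platform. Both the analytical and experimental results indicate that the proposed techniques can effectively disable enemy wireless communication and at the same time maintain wireless communication between authorized devices.},
}

@inproceedings{he_dai_ning_2013,
  author       = {He, X. F. and Dai, H. Y. and Ning, P.},
  title        = {Dynamic adaptive anti-jamming via controlled mobility},
  booktitle    = {2013 {IEEE} Conference on Communications and Network Security ({CNS})},
  pages        = {1--9},
  year         = {2013},
  doi          = {10.1109/cns.2013.6682686},
  abstractNote = {In this paper, the mobility of network nodes is explored as a new promising approach for jamming defense. To fulfill it, properly designed node motion that can intelligently adapt to the jammer's action is crucial. In our study, anti-jamming mobility control is investigated in the context of the single and multiple commodity flow problems, in the presence of intelligent mobile jammers which can respond to the evasion of legitimate nodes as well. Based on spectral graph theory, two new spectral quantities, single- and multi-weighted Cheeger constants and corresponding eigenvalue variants, are constructed to direct motions of the defender and the attacker in this dynamic adaptive competition. Both analytical and simulation results are presented to justify the effectiveness of the proposed approach. Furthermore, the proposed scheme can also be applied in cognitive radio networks to reconfigure the secondary users in the presence of mobile primary users.},
}

% Key collision: this journal article was exported under the same key as the
% 2013 CNS paper above (he_dai_ning_2013), which makes BibTeX report a repeated
% entry. The earlier entry keeps the bare key; this one carries a "b" suffix.
@article{he_dai_ning_2013b,
  author       = {He, Xiaofan and Dai, Huaiyu and Ning, Peng},
  title        = {{HMM}-Based Malicious User Detection for Robust Collaborative Spectrum Sensing},
  journal      = {IEEE Journal on Selected Areas in Communications},
  volume       = {31},
  number       = {11},
  pages        = {2196--2208},
  year         = {2013},
  month        = nov,
  publisher    = {Institute of Electrical and Electronics Engineers (IEEE)},
  issn         = {0733-8716},
  doi          = {10.1109/jsac.2013.131119},
  url          = {http://dx.doi.org/10.1109/jsac.2013.131119},
  abstractNote = {Collaborative spectrum sensing improves the spectrum state estimation accuracy but is vulnerable to the potential attacks from malicious secondary cognitive radio (CR) users, and thus raises security concerns. One promising malicious user detection method is to identify their abnormal statistical spectrum sensing behaviors. From this angle, two hidden Markov models (HMMs) corresponding to honest and malicious users respectively are adopted in this paper to characterize their different sensing behaviors, and malicious user detection is achieved via detecting the difference in the corresponding HMM parameters. To obtain the HMM estimates, an effective inference algorithm that can simultaneously estimate two HMMs without requiring separated training sequences is also developed. By using these estimates, high malicious user detection accuracy can be achieved at the fusion center, leading to more robust and reliable collaborative spectrum sensing performance (substantially enlarged operational regions) in the presence of malicious users, as compared to the baseline approaches. Different fusion methods are also discussed and compared.},
}

@article{dong_liu_ning_2013,
  author       = {Dong, Q. and Liu, D. G. and Ning, P.},
  title        = {Providing {DoS} resistance for signature-based broadcast authentication in sensor networks},
  journal      = {ACM Transactions on Embedded Computing Systems},
  volume       = {12},
  number       = {3},
  year         = {2013},
  doi          = {10.1145/2442116.2442123},
  abstractNote = {Recent studies have demonstrated that it is feasible to perform public key cryptographic operations on resource-constrained sensor platforms. However, the significant energy consumption introduced by public key operations makes any public key-based protocol an easy target of Denial-of-Service (DoS) attacks. For example, if digital signature schemes such as ECDSA are used directly for broadcast authentication without further protection, an attacker can simply broadcast fake messages and force the receiving nodes to perform a huge number of unnecessary signature verifications, eventually exhausting their battery power. This paper shows how to mitigate such DoS attacks when digital signatures are used for broadcast authentication in sensor networks. Specifically, this paper first presents two filtering techniques, the group-based filter and the key chain-based filter , to handle the DoS attacks against signature verification. Both methods can significantly reduce the number of unnecessary signature verifications when a sensor node is under DoS attacks. This paper then combines these two filters and proposes a hybrid solution to further improve the performance.},
}

@inproceedings{he_dai_ning_2012,
  author       = {He, X. F. and Dai, H. Y. and Ning, P.},
  title        = {A {Byzantine} attack defender: The {Conditional Frequency Check}},
  booktitle    = {2012 {IEEE} International Symposium on Information Theory Proceedings ({ISIT})},
  year         = {2012},
  doi          = {10.1109/isit.2012.6284709},
  abstractNote = {Collaborative spectrum sensing is vulnerable to the Byzantine attack. Existing reputation based countermeasures will become incapable when malicious users dominate the network. Also, there is a scarcity of methods that fully explore the Markov property of the spectrum states to restrain sensors' statistical misbehaviors. In this paper, a new malicious user detection method based on two proposed Conditional Frequency Check (CFC) statistics is developed with a Markovian spectrum model. With the assistance of one trusted sensor, the proposed method can achieve high malicious user detection accuracy in the presence of arbitrary percentage of malicious users, and thus significantly improves collaborative spectrum sensing performance.},
}

@article{yavuz_ning_reiter_2012,
  author       = {Yavuz, Attila A. and Ning, Peng and Reiter, Michael K.},
  title        = {{BAF} and {FI-BAF}: Efficient and Publicly Verifiable Cryptographic Schemes for Secure Logging in Resource-Constrained Systems},
  journal      = {ACM Transactions on Information and System Security},
  volume       = {15},
  number       = {2},
  year         = {2012},
  month        = jul,
  issn         = {1557-7406},
  doi          = {10.1145/2240276.2240280},
  abstractNote = {Audit logs are an integral part of modern computer systems due to their forensic value. Protecting audit logs on a physically unprotected machine in hostile environments is a challenging task, especially in the presence of active adversaries. It is critical for such a system to have forward security and append-only properties such that when an adversary compromises a logging machine, she cannot forge or selectively delete the log entries accumulated before the compromise. Existing public-key-based secure logging schemes are computationally costly. Existing symmetric secure logging schemes are not publicly verifiable and open to certain attacks. In this article, we develop a new forward-secure and aggregate signature scheme called Blind-Aggregate-Forward (BAF) , which is suitable for secure logging in resource-constrained systems. BAF is the only cryptographic secure logging scheme that can produce publicly verifiable, forward-secure and aggregate signatures with low computation, key/signature storage, and signature communication overheads for the loggers, without requiring any online trusted third party support . A simple variant of BAF also allows a fine-grained verification of log entries without compromising the security or computational efficiency of BAF. We prove that our schemes are secure in Random Oracle Model (ROM). We also show that they are significantly more efficient than all the previous publicly verifiable cryptographic secure logging schemes.},
}

@inproceedings{liu_ning_2012,
  author       = {Liu, Y. and Ning, P.},
  title        = {{BitTrickle}: Defending against broadband and high-power reactive jamming attacks},
  booktitle    = {2012 Proceedings {IEEE} {INFOCOM}},
  pages        = {909--917},
  year         = {2012},
  doi          = {10.1109/infcom.2012.6195840},
  abstractNote = {Reactive jamming is not only cost effective, but also hard to track and remove due to its intermittent jamming behaviors. Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS) have been widely used to defend against jamming attacks. However, both will fail if the jammer jams all frequency channels or has high transmit power. In this paper, we propose BitTrickle, an anti-jamming wireless communication scheme that allows communication in the presence of a broadband and high power reactive jammer by exploiting the reaction time of the jammer. We develop a prototype of BitTrickle using the USRP platform running GNURadio. Our evaluation shows that when under powerful reactive jamming, BitTrickle still maintains communication, whereas other schemes such as 802.11 DSSS fail completely.},
}

@article{xiong_wang_du_ning_2012,
  author       = {Xiong, Kaiqi and Wang, Ronghua and Du, Wenliang and Ning, Peng},
  title        = {Containing Bogus Packet Insertion Attacks for Broadcast Authentication in Sensor Networks},
  journal      = {ACM Transactions on Sensor Networks},
  volume       = {8},
  number       = {3},
  year         = {2012},
  month        = jul,
  issn         = {1550-4867},
  doi          = {10.1145/2240092.2240094},
  abstractNote = {Broadcast is a critical communication primitive in wireless sensor networks. The multihop nature of sensor networks makes it necessary for sensor nodes to forward broadcast messages so that the messages can reach an entire network. Authentication of broadcast messages is an important but challenging problem in sensor networks. Public key cryptography (PKC) has been used recently to address this problem. However, PKC-based authentication techniques are susceptible to bogus packet insertion attacks in which attackers keep broadcasting bogus messages and force resource-constrained sensor nodes to forward such messages. Moreover, because it takes time to do signature verifications, it is impractical for each node to authenticate every received message before forwarding it. In this article, we propose a dynamic window scheme to thwart the aforementioned bogus packet insertion attacks which permits sensor nodes to efficiently broadcast messages. Within this scheme, a sensor node has the ability to determine whether or not to verify an incoming message before forwarding the message. We further study the property of this dynamic window scheme and investigate the best strategy for thwarting bogus packet insertion attacks. We propose three strategies for finding the optimal parameters by an improved additive increase multiplicative decrease (AIMD) window updating function so that the proposed dynamic window scheme can achieve the best overall performance with respect to the authentication and forwarding times of messages. Numerical validations show that our proposed scheme performs very well in terms of energy saving and broadcast delays based on three different metrics, including average authentication delays, the percentage of nodes receiving fake messages, and the percentage of nodes forwarding fake messages.},
}

% Key collision: exported under the same key as the BitTrickle paper above
% (liu_ning_2012). The earlier entry keeps the bare key; this one carries a
% "b" suffix so both can be cited.
@inproceedings{liu_ning_2012b,
  author       = {Liu, Y. and Ning, P.},
  title        = {Enhanced wireless channel authentication using time-synched link signature},
  booktitle    = {2012 Proceedings {IEEE} {INFOCOM}},
  pages        = {2636--2640},
  year         = {2012},
  doi          = {10.1109/infcom.2012.6195669},
  abstractNote = {Wireless link signature is a physical layer authentication mechanism, which uses the unique wireless channel characteristics between a transmitter and a receiver to provide authentication of wireless channels. A vulnerability of existing link signature schemes has been identified by introducing a new attack, called mimicry attack. To defend against the mimicry attack, we propose a novel construction for wireless link signature, called time-synched link signature, by integrating cryptographic protection and time factor into traditional wireless link signatures. We also evaluate the mimicry attacks and the time-synched link signature scheme on the USRP2 platform running GNURadio. The experimental results demonstrate the effectiveness of time-synched link signature.},
}

@article{pyun_park_reeves_wang_ning_2012, title={Interval-based flow watermarking for tracing interactive traffic}, volume={56}, ISSN={["1872-7069"]}, DOI={10.1016/j.comnet.2012.01.017}, abstractNote={Tracing interactive attack traffic that traverses stepping stones (i.e., intermediate hosts) is challenging, as the packet headers, lengths, and contents can all be changed by the stepping stones. The traffic timing (delays between packets) has therefore been studied as a means of tracing traffic. One such technique uses traffic timing as a side channel into which a watermark, or identifying tag, can be embedded to aid with tracing. The effectiveness of such techniques is greatly reduced when the packet count of the traffic is changed at the stepping stone. Such transformations may occur as a result of either active countermeasures (e.g. chaff packets, flow splitting) by an adversary attempting to defeat tracing, or by incidental repacketization of the traffic by network interfaces. This paper presents a new method of embedding a watermark in traffic timing, for purposes of tracing the traffic in the presence of flow splitting, chaff packets, timing perturbation, and repacketization. This method uses an invariant characteristic of two connection flows which are part of the same stepping stone chain, namely, the elapsed time of the flows. The duration of each flow is sliced into short fixed-length intervals. Packet timing is adjusted to manipulate the packet count in specific intervals (without adding or deleting any packets), for purposes of embedding the watermark. The method is self-synchronizing and does not require clock synchronization between the watermark encoder and decoder. 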
A statistical analysis of the method, with no assumptions or limitations concerning the distribution of packet times, proves the effectiveness of the method given a sufficient number of packets, despite natural and/or deliberate repacketization and countermeasures by an adversary. The method has been implemented and tested on a large number of SSH traffic flows. The results demonstrate that 100% detection rates and very low false positive rates are achieved under conditions of multiple countermeasures, and using only a few hundred packets.}, number={5}, journal={COMPUTER NETWORKS}, author={Pyun, Young June and Park, Younghee and Reeves, Douglas S. and Wang, Xinyuan and Ning, Peng}, year={2012}, month={Mar}, pages={1646–1665} } @inproceedings{natarajan_ning_liu_jajodia_hutchinson_2012, title={NSDMiner: Automated discovery of network service dependencies}, DOI={10.1109/infcom.2012.6195642}, abstractNote={Enterprise networks today host a wide variety of network services, which often depend on each other to provide and support network-based services and applications. Understanding such dependencies is essential for maintaining the well-being of an enterprise network and its applications, particularly in the presence of network attacks and failures. In a typical enterprise network, which is complex and dynamic in configuration, it is non-trivial to identify all these services and their dependencies. Several techniques have been developed to learn such dependencies automatically. However, they are either too complex to fine tune or cluttered with false positives and/or false negatives. In this paper, we propose a suite of novel techniques and develop a new tool named NSDMiner (which stands for Mining for Network Service Dependencies) to automatically discover the dependencies between network services from passively collected network traffic. NSDMiner is non-intrusive; it does not require any modification of existing software, or injection of network packets. 
More importantly, NSDMiner achieves higher accuracy than previous network-based approaches. Our experimental evaluation, which uses network traffic collected from our campus network, shows that NSDMiner outperforms the two best existing solutions significantly.}, booktitle={2012 Proceedings IEEE infocom}, author={Natarajan, A. and Ning, P. and Liu, Y. and Jajodia, S. and Hutchinson, S. E.}, year={2012}, pages={2507–2515} } @article{yavuz_ning_2012, title={Self-sustaining, efficient and forward-secure cryptographic constructions for Unattended Wireless Sensor Networks}, volume={10}, ISSN={["1570-8713"]}, DOI={10.1016/j.adhoc.2012.03.006}, abstractNote={Unattended Wireless Sensor Networks (UWSNs) operating in hostile environments face great security and performance challenges due to the lack of continuous real-time communication with the final data receivers (e.g., mobile data collectors). The lack of real-time communication forces sensors to accumulate sensed data possibly for long time periods, along with the corresponding authentication tags. It also makes UWSNs vulnerable to active adversaries, which can compromise sensors and manipulate the collected data. Hence, it is critical to have forward security property such that even if the adversary can compromise the current keying materials, she cannot forge authentication tags generated before the compromise. Forward secure and aggregate signature schemes are developed to address these issues. Unfortunately, existing schemes either impose substantial overhead, or do not allow public verifiability, thereby impractical for resource-constrained UWSNs. In this paper, we propose a new class of cryptographic schemes, referred to as Hash-Based Sequential Aggregate and Forward Secure Signature (HaSAFSS), which allows a signer to sequentially generate a compact, fixed-size, and publicly verifiable signature efficiently. 
We develop three HaSAFSS schemes, Symmetric HaSAFSS (Sym-HaSAFSS), Elliptic Curve Cryptography (ECC) based HaSAFSS (ECC-HaSAFSS) and self-SUstaining HaSAFSS (SU-HaSAFSS). These schemes integrate the efficiency of MAC-based aggregate signatures and the public verifiability of Public Key Cryptography (PKC)-based signatures by preserving forward security via Timed-Release Encryption (TRE). We demonstrate that our schemes are secure and also significantly more efficient than previous approaches.}, number={7}, journal={AD HOC NETWORKS}, author={Yavuz, Attila Altay and Ning, Peng}, year={2012}, month={Sep}, pages={1204–1220} } @article{liu_ning_reiter_2011, title={False Data Injection Attacks against State Estimation in Electric Power Grids}, volume={14}, ISSN={["1557-7406"]}, DOI={10.1145/1952982.1952995}, abstractNote={ A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and state estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models. Various techniques have been developed to detect and identify bad measurements, including interacting bad measurements introduced by arbitrary, nonrandom causes. At first glance, it seems that these techniques can also defeat malicious measurements injected by attackers. In this article, we expose an unknown vulnerability of existing bad measurement detection algorithms by presenting and analyzing a new class of attacks, called false data injection attacks, against state estimation in electric power grids. 
Under the assumption that the attacker can access the current power system configuration information and manipulate the measurements of meters at physically protected locations such as substations, such attacks can introduce arbitrary errors into certain state variables without being detected by existing algorithms. Moreover, we look at two scenarios, where the attacker is either constrained to specific meters or limited in the resources required to compromise meters. We show that the attacker can systematically and efficiently construct attack vectors in both scenarios to change the results of state estimation in arbitrary ways. We also extend these attacks to generalized false data injection attacks, which can further increase the impact by exploiting measurement errors typically tolerated in state estimation. We demonstrate the success of these attacks through simulation using IEEE test systems, and also discuss the practicality of these attacks and the real-world constraints that limit their effectiveness. }, number={1}, journal={ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY}, author={Liu, Yao and Ning, Peng and Reiter, Michael K.}, year={2011}, month={May} } @article{zhou_roy_ning_chakrabarty_2011, title={P(2)DAP - Sybil Attacks Detection in Vehicular Ad Hoc Networks}, volume={29}, ISSN={["0733-8716"]}, DOI={10.1109/jsac.2011.110308}, abstractNote={Vehicular ad hoc networks (VANETs) are being increasingly advocated for traffic control, accident avoidance, and management of parking lots and public areas. Security and privacy are two major concerns in VANETs. Unfortunately, in VANETs, most privacy-preserving schemes are vulnerable to Sybil attacks, whereby a malicious user can pretend to be multiple (other) vehicles. In this paper, we present a lightweight and scalable protocol to detect Sybil attacks. 
In this protocol, a malicious user pretending to be multiple (other) vehicles can be detected in a distributed manner through passive overhearing by a set of fixed nodes called road-side boxes (RSBs). The detection of Sybil attacks in this manner does not require any vehicle in the network to disclose its identity; hence privacy is preserved at all times. Simulation results are presented for a realistic test case to highlight the overhead for a centralized authority such as the DMV, the false alarm rate, and the detection latency. The results also quantify the inherent trade-off between security, i.e., the detection of Sybil attacks and detection latency, and the privacy provided to the vehicles in the network. From the results, we see our scheme being able to detect Sybil attacks at low overhead and delay, while preserving privacy of vehicles.}, number={3}, journal={IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS}, author={Zhou, Tong and Roy, Romit and Ning, Choudhury Peng and Chakrabarty, Krishnendu}, year={2011}, month={Mar}, pages={582–594} } @article{liu_ning_dai_2010, title={Authenticating Primary Users' Signals in Cognitive Radio Networks via Integrated Cryptographic and Wireless Link Signatures}, ISSN={["1081-6011"]}, DOI={10.1109/sp.2010.24}, abstractNote={To address the increasing demand for wireless bandwidth, cognitive radio networks (CRNs) have been proposed to increase the efficiency of channel utilization; they enable the sharing of channels among secondary (unlicensed) and primary (licensed) users on a non-interference basis. A secondary user in a CRN should constantly monitor for the presence of a primary user's signal to avoid interfering with the primary user. However, to gain unfair share of radio channels, an attacker (e.g., a selfish secondary user) may mimic a primary user's signal to evict other secondary users. 
Therefore, a secure primary user detection method that can distinguish a primary user's signal from an attacker's signal is needed. A unique challenge in addressing this problem is that Federal Communications Commission (FCC) prohibits any modification to primary users. Consequently, existing cryptographic techniques cannot be used directly. In this paper, we develop a novel approach for authenticating primary users' signals in CRNs, which conforms to FCC's requirement. Our approach integrates cryptographic signatures and wireless link signatures (derived from physical radio channel characteristics) to enable primary user detection in the presence of attackers. Essential to our approach is a {\em helper node} placed physically close to a primary user. The helper node serves as a "bridge" to enable a secondary user to verify cryptographic signatures carried by the helper node's signals and then obtain the helper node's authentic link signatures to verify the primary user's signals. A key contribution in our paper is a novel physical layer authentication technique that enables the helper node to authenticate signals from its associated primary user. Unlike previous techniques for link signatures, our approach explores the geographical proximity of the helper node to the primary user, and thus does not require any training process.}, journal={2010 IEEE SYMPOSIUM ON SECURITY AND PRIVACY}, author={Liu, Yao and Ning, Peng and Dai, Huaiyu}, year={2010}, pages={286–301} } @inproceedings{liu_ning_dai_liu_2010, title={Randomized differential DSSS: Jamming-resistant wireless broadcast communication}, DOI={10.1109/infcom.2010.5462156}, abstractNote={Jamming resistance is crucial for applications where reliable wireless communication is required. Spread spectrum techniques such as Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS) have been used as countermeasures against jamming attacks. 
Traditional anti-jamming techniques require that senders and receivers share a secret key in order to communicate with each other. However, such a requirement prevents these techniques from being effective for anti-jamming broadcast communication, where a jammer may learn the shared key from a compromised or malicious receiver and disrupt the reception at normal receivers. In this paper, we propose a Randomized Differential DSSS (RD-DSSS) scheme to achieve anti-jamming broadcast communication without shared keys. RD-DSSS encodes each bit of data using the correlation of unpredictable spreading codes. Specifically, bit ``0'' is encoded using two different spreading codes, which have low correlation with each other, while bit ``1'' is encoded using two identical spreading codes, which have high correlation. To defeat reactive jamming attacks, RD-DSSS uses multiple spreading code sequences to spread each message and rearranges the spread output before transmitting it. Our theoretical analysis and simulation results show that RD-DSSS can effectively defeat jamming attacks for anti-jamming broadcast communication without shared keys.}, booktitle={2010 proceedings ieee infocom}, author={Liu, Y. and Ning, P. and Dai, H. Y. and Liu, A.}, year={2010} } @article{kim_ning_2011, title={SeCA: A framework for Secure Channel Assignment in wireless mesh networks}, volume={34}, ISSN={["1873-703X"]}, DOI={10.1016/j.comcom.2010.05.008}, abstractNote={To maximize the available throughput in multi-channel multi-radio wireless mesh networks (WMNs), it is a critical issue to design a channel assignment scheme efficiently utilizing orthogonal channels. However, most channel assignment schemes are vulnerable to the misbehaviors of nodes participating in channel assignment, and existing secure channel assignment schemes do not address all of the vulnerabilities. 
In this paper, we address the threats to channel assignment in WMNs resulting from node misbehaviors and present a generic verification framework to detect such misbehaviors. We develop a concrete verification scheme based on this framework and an existing distributed channel assignment scheme. We validate our approach by implementing the verification scheme and evaluating it through simulation. The results show that our approach improves misbehavior detection with minimum performance overhead.}, number={4}, journal={COMPUTER COMMUNICATIONS}, author={Kim, Mihui and Ning, Peng}, year={2011}, month={Apr}, pages={567–576} } @article{yavuz_ning_2009, title={BAF: An Efficient Publicly Verifiable Secure Audit Logging Scheme for Distributed Systems}, ISBN={["978-0-7695-3919-5"]}, DOI={10.1109/acsac.2009.28}, abstractNote={Audit logs, providing information about the current and past states of systems, are one of the most important parts of modern computer systems. Providing security for audit logs on an untrusted machine in a large distributed system is a challenging task, especially in the presence of active adversaries. In such a system, it is critical to have forward security such that when an adversary compromises a machine, she cannot modify or forge the log entries accumulated before the compromise. Unfortunately, existing secure audit logging schemes have significant limitations that make them impractical for real-life applications: Existing Public Key Cryptography (PKC) based schemes are computationally expensive for logging in task intensive or resource-constrained systems, while existing symmetric schemes are not publicly verifiable and incur significant storage and communication overheads. In this paper, we propose a novel forward secure and aggregate logging scheme called Blind-Aggregate-Forward (BAF) logging scheme, which is suitable for large distributed systems. 
BAF can produce publicly verifiable forward secure and aggregate signatures with near-zero computational, storage, and communication costs for the loggers, without requiring any online Trusted Third Party (TTP) support. We prove that BAF is secure under appropriate computational assumptions, and demonstrate that BAF is significantly more efficient and scalable than the previous schemes. Therefore, BAF is an ideal solution for secure logging in both task intensive and resource-constrained systems.}, journal={25TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE}, author={Yavuz, Attila A. and Ning, Peng}, year={2009}, pages={219–228} } @inproceedings{liu_ning_reiter_2009, title={False data injection attacks against state estimation in electric power grids}, DOI={10.1145/1653662.1653666}, abstractNote={A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and state estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models. Various techniques have been developed to detect and identify bad measurements, including the interacting bad measurements introduced by arbitrary, non-random causes. At first glance, it seems that these techniques can also defeat malicious measurements injected by attackers. In this paper, we present a new class of attacks, called false data injection attacks, against state estimation in electric power grids. We show that an attacker can exploit the configuration of a power system to launch such attacks to successfully introduce arbitrary errors into certain state variables while bypassing existing techniques for bad measurement detection. 
Moreover, we look at two realistic attack scenarios, in which the attacker is either constrained to some specific meters (due to the physical protection of the meters), or limited in the resources required to compromise meters. We show that the attacker can systematically and efficiently construct attack vectors in both scenarios, which can not only change the results of state estimation, but also modify the results in arbitrary ways. We demonstrate the success of these attacks through simulation using IEEE test systems. Our results indicate that security protection of the electric power grid must be revisited when there are potentially malicious attacks.}, booktitle={CCS'09: Proceedings of the 16th ACM Conference on Computer and Communications Security}, author={Liu, Y. and Ning, P. and Reiter, M. K.}, year={2009}, pages={21–32} } @article{azab_ning_sezer_zhang_2009, title={HIMA: A Hypervisor-Based Integrity Measurement Agent}, ISBN={["978-0-7695-3919-5"]}, DOI={10.1109/acsac.2009.50}, abstractNote={Integrity measurement is a key issue in building trust in distributed systems. A good solution to integrity measurement has to provide both strong isolation between the measurement agent and the measurement target and Time of Check to Time of Use (TOCTTOU) consistency (i.e., the consistency between measured version and executed version throughout the lifetime of the target). Unfortunately, none of the previous approaches provide (or can be easily modified to provide) both capabilities. This paper presents HIMA, a hypervisor-based agent that measures the integrity of Virtual Machines (VMs) running on top of the hypervisor, which provides both capabilities identified above. HIMA performs two complementary tasks: (1) active monitoring of critical guest events and (2) guest memory protection. 
The former guarantees that the integrity measures are refreshed whenever the guest VM memory layout changes (e.g., upon creation of processes), while the latter ensures that integrity measurement of user programs cannot be bypassed without HIMA's knowledge. This paper also reports the experimental evaluation of a HIMA prototype using both micro-benchmark and application benchmark; the experimental results indicate that HIMA is a practical solution for real world applications.}, journal={25TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE}, author={Azab, Ahmed M. and Ning, Peng and Sezer, Emre C. and Zhang, Xiaolan}, year={2009}, pages={461-+} } @article{liu_ning_wang_2009, title={Lightweight Remote Image Management for Secure Code Dissemination in Wireless Sensor Networks}, ISBN={["978-1-4244-3512-8"]}, ISSN={["0743-166X"]}, DOI={10.1109/infcom.2009.5062038}, abstractNote={Wireless sensor networks are considered ideal candidates for a wide range of applications. It is desirable and sometimes necessary to reprogram sensor nodes through wireless links after they are deployed to remove bugs or add new functionalities. Several approaches (e.g., Seluge, Sluice) have been proposed recently for secure code dissemination in wireless sensor networks, all as security extensions to the state-of-the-art code dissemination system named Deluge. However, existing approaches all focused on securing the propagation of code images, but overlooked the security vulnerabilities in other image management aspects such as rebooting and erasing code images. In this paper, we identify the security vulnerabilities in epidemic image management in all existing solutions to secure code dissemination in wireless sensor networks. Such vulnerabilities allow an attacker to reboot a sensor network to undesirable images or erase critical images, exposing the network to security risks. We then develop a sequence of lightweight techniques to address these vulnerabilities. 
Our approach takes into consideration the limited resources on current sensor platforms, and removes the security vulnerabilities without introducing significant overhead. To evaluate the feasibility of our approach, we implement the proposed approach as a remote image management system named Seluge-ImageMan, which is intended to work with Seluge, a security extension to Deluge for injecting new code images. We perform a substantial set of experiments in the WiSeNeT sensor testbed, which consists of 72 MicaZ motes, to assess the performance overhead of Seluge-ImageMan. The experimental results indicate that our approach introduces very light overhead while completing the secure remote code image management solution for wireless sensor networks.}, journal={IEEE INFOCOM 2009 - IEEE CONFERENCE ON COMPUTER COMMUNICATIONS, VOLS 1-5}, author={Liu, An and Ning, Peng and Wang, Cliff}, year={2009}, pages={1242-+} } @article{kil_sezer_azab_ning_zhang_2009, title={Remote Attestation to Dynamic System Properties: Towards Providing Complete System Integrity Evidence}, ISBN={["978-1-4244-4422-9"]}, ISSN={["1530-0889"]}, DOI={10.1109/dsn.2009.5270348}, abstractNote={Remote attestation of system integrity is an essential part of trusted computing. However, current remote attestation techniques only provide integrity proofs of static properties of the system. To address this problem we present a novel remote dynamic attestation system named ReDAS (Remote Dynamic Attestation System) that provides integrity evidence for dynamic system properties. Such dynamic system properties represent the runtime behavior of the attested system, and enable an attester to prove its runtime integrity to a remote party. ReDAS currently provides two types of dynamic system properties for running applications: structural integrity and global data integrity. 
In this work, we present the challenges of remote dynamic attestation, provide an in-depth security analysis and introduce a first step towards providing a complete runtime dynamic attestation framework. Our prototype implementation and evaluation with real-world applications show that we can improve on current static attestation techniques with an average performance overhead of 8%.}, journal={2009 IEEE/IFIP INTERNATIONAL CONFERENCE ON DEPENDABLE SYSTEMS & NETWORKS (DSN 2009)}, author={Kil, Chongkyung and Sezer, Emre C. and Azab, Ahmed M. and Ning, Peng and Zhang, Xiaolan}, year={2009}, pages={115-+} } @article{wang_du_liu_ning_2009, title={ShortPK: A Short-Term Public Key Scheme for Broadcast Authentication in Sensor Networks}, volume={6}, ISSN={["1550-4867"]}, DOI={10.1145/1653760.1653769}, abstractNote={Broadcast authentication is an important functionality in sensor networks. Energy constraints on sensor nodes and the real-time nature of the broadcasts render many of the existing solutions impractical: previous works focusing primarily on symmetric key schemes have difficulties in achieving real-time authentication. Public Key Cryptography (PKC), however, can satisfy the real-time requirements, and recent trends indicate that public key is becoming feasible for sensor networks. However, PKC operations are still expensive computations. It is impractical to use PKC in the conventional ways for broadcast authentication in sensor networks. To reduce costs, we propose ShortPK, an efficient Short-term Public Key broadcast authentication scheme. The basic idea is to use short-length public/private keys, but limit their lifetime to only a short period of time. To cover a long period of time, we need to use many public/private key pairs; distributing these public keys to sensors is a challenging problem. We describe a progressive key distribution scheme that is secure, efficient, and packet-loss resilient. 
We compare our scheme with the traditional 160-bit ECC public key schemes, and show that our scheme can achieve a significant improvement on energy consumption. }, number={1}, journal={ACM TRANSACTIONS ON SENSOR NETWORKS}, author={Wang, Ronghua and Du, Wenliang and Liu, Xiaogang and Ning, Peng}, year={2009}, month={Dec} } @article{zhang_yu_ning_2008, title={A framework for identifying compromised nodes in wireless sensor networks}, volume={11}, ISSN={["1557-7406"]}, DOI={10.1145/1341731.1341733}, abstractNote={Sensor networks are often subject to physical attacks. Once a node's cryptographic key is compromised, an attacker may completely impersonate it and introduce arbitrary false information into the network. Basic cryptographic mechanisms are often not effective in this situation. Most techniques to address this problem focus on detecting and tolerating false information introduced by compromised nodes. They cannot pinpoint exactly where the false information is introduced and who is responsible for it. In this article, we propose an application-independent framework for accurately identifying compromised sensor nodes. The framework provides an appropriate abstraction of application-specific detection mechanisms and models the unique properties of sensor networks. Based on the framework, we develop alert reasoning algorithms to identify compromised nodes. The algorithm assumes that compromised nodes may collude at will. We show that our algorithm is optimal in the sense that it identifies the largest number of compromised nodes without introducing false positives. 
We evaluate the effectiveness of the designed algorithm through comprehensive experiments.}, number={3}, journal={ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY}, author={Zhang, Qing and Yu, Ting and Ning, Peng}, year={2008}, month={Mar} } @article{liu_ning_liu_wang_du_2008, title={Attack-resistant location estimation in wireless sensor networks}, volume={11}, ISSN={["1557-7406"]}, DOI={10.1145/1380564.1380570}, abstractNote={ Many sensor network applications require sensors' locations to function correctly. Despite the recent advances, location discovery for sensor networks in hostile environments has been mostly overlooked. Most of the existing localization protocols for sensor networks are vulnerable in hostile environments. The security of location discovery can certainly be enhanced by authentication. However, the possible node compromises and the fact that location determination uses certain physical features (e.g., received signal strength) of radio signals make authentication not as effective as in traditional security applications. This article presents two methods to tolerate malicious attacks against range-based location discovery in sensor networks. The first method filters out malicious beacon signals on the basis of the “consistency” among multiple beacon signals, while the second method tolerates malicious beacon signals by adopting an iteratively refined voting scheme. Both methods can survive malicious attacks even if the attacks bypass authentication, provided that the benign beacon signals constitute the majority of the beacon signals. This article also presents the implementation and experimental evaluation (through both field experiments and simulation) of all the secure and resilient location estimation schemes that can be used on the current generation of sensor platforms (e.g., MICA series of motes), including the techniques proposed in this article, in a network of MICAz motes. 
The experimental results demonstrate the effectiveness of the proposed methods, and also give the secure and resilient location estimation scheme most suitable for the current generation of sensor networks. }, number={4}, journal={ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY}, author={Liu, Donggang and Ning, Peng and Liu, An and Wang, Cliff and Du, Wenliang Kevin}, year={2008}, month={Jul} } @article{liu_ning_du_2008, title={Group-based key predistribution for wireless sensor networks}, volume={4}, ISSN={["1550-4867"]}, DOI={10.1145/1340771.1340777}, abstractNote={ Many key predistribution techniques have been developed recently to establish pairwise keys between sensor nodes in wireless sensor networks. To further improve these schemes, researchers have also proposed to take advantage of the sensors' expected locations and discovered locations to help the predistribution of the keying materials. However, in many cases, it is very difficult to deploy sensor nodes at their expected locations or guarantee the correct location discovery at sensor nodes in hostile environments. In this article, a group-based deployment model is developed to improve key predistribution. In this model, sensor nodes are only required to be deployed in groups. The critical observation in the article is that the sensor nodes in the same group are usually close to each other after deployment. This deployment model is practical; it greatly simplifies the deployment of sensor nodes, while still providing an opportunity to improve key predistribution. Specifically, the article presents a novel framework for improving key predistribution using the group-based deployment knowledge. This framework does not require the knowledge of the sensors' expected or discovered locations and is thus suitable for applications where it is difficult to deploy the sensor nodes at their expected locations or correctly estimate the sensors' locations after deployment. 
To seek practical key predistribution schemes, the article presents two efficient instantiations of this framework, a hash key-based scheme and a polynomial-based scheme . The evaluation shows that these two schemes are efficient and effective for pairwise key establishment in sensor networks; they can achieve much better performance than the previous key predistribution schemes when the sensor nodes are deployed in groups. }, number={2}, journal={ACM TRANSACTIONS ON SENSOR NETWORKS}, author={Liu, Donggang and Ning, Peng and Du, Wenliang}, year={2008}, month={Mar} } @article{ning_liu_du_2008, title={Mitigating DoS attacks against broadcast authentication in wireless sensor networks}, volume={4}, ISSN={["1550-4867"]}, DOI={10.1145/1325651.1325652}, abstractNote={ Broadcast authentication is a critical security service in wireless sensor networks. There are two general approaches for broadcast authentication in wireless sensor networks: digital signatures and μTESLA-based techniques. However, both signature-based and μTESLA-based broadcast authentication are vulnerable to Denial of Services (DoS) attacks: An attacker can inject bogus broadcast packets to force sensor nodes to perform expensive signature verifications (in case of signature-based broadcast authentication) or packet forwarding (in case of μTESLA-based broadcast authentication), thus exhausting their limited battery power. This paper presents an efficient mechanism called message-specific puzzle to mitigate such DoS attacks. In addition to signature-based or μTESLA-based broadcast authentication, this approach adds a weak authenticator in each broadcast packet, which can be efficiently verified by a regular sensor node, but takes a computationally powerful attacker a substantial amount of time to forge. 
Upon receiving a broadcast packet, each sensor node first verifies the weak authenticator, and performs the expensive signature verification (in signature-based broadcast authentication) or packet forwarding (in μTESLA-based broadcast authentication) only when the weak authenticator is valid. A weak authenticator cannot be precomputed without a non-reusable (or short-lived) key disclosed only in a valid packet. Even if an attacker has intensive computational resources to forge one or more weak authenticators, it is difficult to reuse these forged weak authenticators. Thus, this weak authentication mechanism substantially increases the difficulty of launching successful DoS attacks against signature-based or μTESLA-based broadcast authentication. A limitation of this approach is that it requires a powerful sender and introduces sender-side delay. This article also reports an implementation of the proposed techniques on TinyOS, as well as initial experimental evaluation in a network of MICAz motes. }, number={1}, journal={ACM TRANSACTIONS ON SENSOR NETWORKS}, author={Ning, Peng and Liu, An and Du, Wenliang}, year={2008}, month={Jan} } @article{zhu_setia_jajodia_ning_2007, title={Interleaved hop-by-hop authentication against false data injection attacks in sensor networks}, volume={3}, ISSN={["1550-4867"]}, DOI={10.1145/1267060.1267062}, abstractNote={ Sensor networks are often deployed in unattended environments, thus leaving these networks vulnerable to false data injection attacks in which an adversary injects false data into the network with the goal of deceiving the base station or depleting the resources of the relaying nodes. Standard authentication mechanisms cannot prevent this attack if the adversary has compromised one or a small number of sensor nodes. 
We present three interleaved hop-by-hop authentication schemes that guarantee that the base station can detect injected false data immediately when no more than t nodes are compromised, where t is a system design parameter. Moreover, these schemes enable an intermediate forwarding node to detect and discard false data packets as early as possible. Our performance analysis shows that our scheme is efficient with respect to the security it provides, and it also allows a tradeoff between security and performance. A prototype implementation of our scheme indicates that our scheme is practical and can be deployed on the current generation of sensor nodes. }, number={3}, journal={ACM TRANSACTIONS ON SENSOR NETWORKS}, author={Zhu, Sencun and Setia, Sanjeev and Jajodia, Sushil and Ning, Peng}, year={2007}, month={Aug} } @book{liu_ning_2007, title={Security for wireless sensor networks}, ISBN={9780387327235}, publisher={New York: Springer}, author={Liu, D.-G. and Ning, P.}, year={2007} } @book{information and communications security 8th international conference, icics 2006, raleigh, nc, usa, december 4-7, 2006 : proceedings_2006, publisher={Berlin ;|aNew York: Springer}, year={2006} } @inbook{zhai_ning_xu_2006, title={Integrating IDS alert correlation and OS-level dependency tracking}, volume={3975}, DOI={10.1007/11760146_24}, abstractNote={Intrusion alert correlation techniques correlate alerts into meaningful groups or attack scenarios for the ease to understand by human analysts. However, the performance of correlation is undermined by the imperfectness of intrusion detection techniques. Falsely correlated alerts can be misleading to analysis. This paper presents a practical technique to improve alert correlation by integrating alert correlation techniques with OS-level object dependency tracking. With the support of more detailed and precise information from OS-level event logs, higher accuracy in alert correlation can be achieved. 
The paper also discusses the application of such integration in improving the accuracy of hypotheses about possibly missed attacks while reducing the complexity of the hypothesizing process. A series of experiments are performed to evaluate the effectiveness of the methods, and the results demonstrate significant improvements on correlation results with the proposed techniques.}, booktitle={Intelligence and Security Informatics: IEEE International Conference on Intelligence and Security Informatics, ISI 2006, San Diego, CA, USA, May 23-24, 2006. Proceedings (Lecture notes in computer science; 3975)}, publisher={Berlin; New York: Springer}, author={Zhai, Y. and Ning, P. and Xu, J.}, year={2006}, pages={272–284} } @article{du_fang_peng_2006, title={LAD: Localization anomaly detection for wireless sensor networks}, volume={66}, ISSN={["1096-0848"]}, DOI={10.1016/j.jpdc.2005.12.011}, abstractNote={In wireless sensor networks (WSNs), sensors' locations play a critical role in many applications. Having a GPS receiver on every sensor node is costly. In the past, a number of location discovery (localization) schemes have been proposed. Most of these schemes share a common feature: they use some special nodes, called beacon nodes, which are assumed to know their own locations (e.g., through GPS receivers or manual configuration). Other sensors discover their locations based on the reference information provided by these beacon nodes. Most of the beacon-based localization schemes assume a benign environment, where all beacon nodes are supposed to provide correct reference information. However, when the sensor networks are deployed in a hostile environment, where beacon nodes can be compromised, such an assumption does not hold anymore. In this paper, we propose a general scheme to detect localization anomalies that are caused by adversaries. Our scheme is independent from the localization schemes. 
We formulate the problem as an anomaly intrusion detection problem, and we propose a number of ways to detect localization anomalies. We have conducted simulations to evaluate the performance of our scheme, including the false positive rates, the detection rates, and the resilience to node compromises.}, number={7}, journal={JOURNAL OF PARALLEL AND DISTRIBUTED COMPUTING}, author={Du, Wenliang and Fang, Lei and Peng, Ning}, year={2006}, month={Jul}, pages={874–886} } @article{sun_ning_wang_2006, title={Secure and resilient clock synchronization in wireless sensor networks}, volume={24}, ISSN={["1558-0008"]}, DOI={10.1109/JSAC.2005.861396}, abstractNote={Wireless sensor networks have received a lot of attention recently due to its wide applications. An accurate and synchronized clock time is crucial in many sensor network applications. Several clock synchronization schemes have been proposed for wireless sensor networks recently to address the resource constraints in such networks. However, most of these techniques assume benign environments, but cannot survive malicious attacks in hostile environments, especially when there are compromised nodes. As an exception, a recent work attempts to detect malicious attacks against clock synchronization, and aborts when an attack is detected. Though this approach can prevent incorrect clock synchronization due to attacks, it will lead to denial of clock synchronization in such situations. This paper adopts a model where all the sensor nodes synchronize their clocks to a common source, which is assumed to be well synchronized to the external clock. This paper seeks techniques to provide redundant ways for each node to synchronize its clock with the common source, so that it can tolerate partially missing or false synchronization information provided by compromised nodes. Two types of techniques are developed using this general method: level-based clock synchronization and diffusion-based clock synchronization. 
Targeted at static sensor networks, the level-based clock synchronization constructs a level hierarchy initially, and uses (or reuses) this level hierarchy for multiple rounds of clock synchronization. The diffusion-based clock synchronization attempts to synchronize all the clocks without relying on any structure assumptions and, thus, can be used for dynamic sensor networks. This paper further investigates how to use multiple clock sources for both approaches to increase the resilience against compromise of source nodes. The analysis in this paper indicates that both level-based and diffusion-based approaches can tolerate up to s colluding malicious source nodes and t colluding malicious nodes among the neighbors of each normal node, where s and t are two system parameters. This paper also presents the results of simulation studies performed to evaluate the proposed techniques. These results demonstrate that the level-based approach has less overhead and higher precision, but less coverage, than the diffusion-based approach.}, number={2}, journal={IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS}, author={Sun, K and Ning, P and Wang, C}, year={2006}, month={Feb}, pages={395–408} } @article{sun_ning_wang_2005, title={Fault-tolerant cluster-wise clock synchronization for wireless sensor networks}, volume={2}, ISSN={["1941-0018"]}, DOI={10.1109/TDSC.2005.36}, abstractNote={Wireless sensor networks have received a lot of attention recently due to their wide applications, such as target tracking, environment monitoring, and scientific exploration in dangerous environments. It is usually necessary to have a cluster of sensor nodes share a common view of a local clock time, so that all these nodes can coordinate in some important applications, such as time slotted MAC protocols, power-saving protocols with sleep/listen modes, etc. 
However, all the clock synchronization techniques proposed for sensor networks assume benign environments; they cannot survive malicious attacks in hostile environments. Fault-tolerant clock synchronization techniques are potential candidates to address this problem. However, existing approaches are all resource consuming and suffer from message collisions in most of cases. This paper presents a novel fault-tolerant clock synchronization scheme for clusters of nodes in sensor networks, where the nodes in each cluster can communicate through broadcast. The proposed scheme guarantees an upper bound of clock difference between any nonfaulty nodes in a cluster, provided that the malicious nodes are no more than one third of the cluster. Unlike the traditional fault-tolerant clock synchronization approaches, the proposed technique does not introduce collisions between synchronization messages, nor does it require costly digital signatures.}, number={3}, journal={IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING}, author={Sun, K and Ning, P and Wang, C}, year={2005}, pages={177–189} } @article{wang_ning_reeves_2005, title={Network access control for mobile ad-hoc networks}, volume={3783}, journal={Information and Communications Security}, author={Wang, P. and Ning, P. and Reeves, D. S.}, year={2005}, pages={350–362} } @inbook{jiang_reeves_ning_2004, title={Certificate recommendations to improve the robustness of web of trust}, volume={3225}, ISBN={3540232087}, DOI={10.1007/978-3-540-30144-8_25}, abstractNote={Users in a distributed system establish webs of trust by issuing and exchanging certificates amont themselves. This approach does not require a central, trusted keyserver. The distributed web of trust, however, is susceptible to attack by malicious users, who may issue false certificates. In this work, we propose a method for generating certificate recommendations. These recommendations guide the users in creating webs of trust that are highly robust to attacks. 
To accomplish this we propose a heuristic method of graph augmentation for the certificate graph, and show experimentally that it is close to optimal. We also investigate the impact of user preferences and non-compliance with these recommendations, and demonstrate that our method helps identify malicious users if there are any.}, booktitle={Information security: 7th international conference, ISC 2004, Palo Alto, CA, USA, September 27-29, 2004: Proceedings}, publisher={Berlin; New York: Springer}, author={Jiang, Q. L. and Reeves, D. S. and Ning, P.}, editor={K. Zhang and Zheng, Y.Editors}, year={2004}, pages={292–303} } @inbook{jiang_reeves_ning_2004, title={Improving robustness of PGP keyrings by conflict detection}, volume={2964}, ISBN={3540209964}, DOI={10.1007/978-3-540-24660-2_16}, abstractNote={Secure authentication frequently depends on the correct recognition of a user’s public key. When there is no certificate authority, this key is obtained from other users using a web of trust. If users can be malicious, trusting the key information they provide is risky. Previous work has suggested the use of redundancy to improve the trustworthiness of user-provided key information. In this paper, we address two issues not previously considered. First, we solve the problem of users who claim multiple, false identities, or who possess multiple keys. Secondly, we show that conflicting certificate information can be exploited to improve trustworthiness. Our methods are demonstrated on both real and synthetic PGP keyrings, and their performance is discussed.}, booktitle={Topics in cryptology, CT-RSA 2004}, publisher={Berlin; New York: Springer}, author={Jiang, Q. L. and Reeves, D. S. and Ning, P.}, year={2004}, pages={194–207} } @book{ning_jajodia_wang_2004, title={Intrusion detection in distributed systems: An abstraction-based approach}, ISBN={140207624X}, publisher={Boston: Kluwer Academic Publishers}, author={Ning, P. and Jajodia, S. 
and Wang, S.}, year={2004} } @inbook{wang_ning_reeves_2004, title={Storage-efficient stateless group key revocation}, volume={3225}, ISBN={3540232087}, DOI={10.1007/978-3-540-30144-8_3}, abstractNote={Secure group communication relies on secure and robust distribution of group keys. A stateless group key distribution scheme is an ideal candidate when the communication channel is unreliable. Several stateless group key distribution schemes have been proposed. However, these schemes require all users store a certain number of auxiliary keys. The number of such keys increases as the group size grows. As a result, it is quite challenging to use these schemes when the users in a relatively large group have memory constraints. Thus, it is desirable to develop new schemes that can reduce the memory requirement. This paper introduces two novel stateless group key revocation schemes named key-chain tree (KCT) and layered key-chain tree (LKCT), which combine one-way key chains with a logical key tree. These schemes reduce the user storage requirements by trading off it with communication and computation costs. Specifically, these schemes can revoke any R users from a user group of size N by sending a key update message with at most 4R keys, while only requiring each user to store 2log N keys.}, booktitle={Information security: 7th international conference, ISC 2004, Palo Alto, CA, USA, September 27-29, 2004: Proceedings}, publisher={Berlin; New York: Springer}, author={Wang, P. and Ning, P. and Reeves, D. S.}, editor={K. 
Zhang and Zheng, Y.Editors}, year={2004}, pages={25–38} } @article{ning_wang_jajodia_2002, title={An algebraic representation of calendars}, volume={36}, ISSN={["1573-7470"]}, DOI={10.1023/A:1015835418881}, number={1-2}, journal={ANNALS OF MATHEMATICS AND ARTIFICIAL INTELLIGENCE}, author={Ning, P and Wang, XYS and Jajodia, S}, year={2002}, month={Sep}, pages={5–38} } @inbook{ning_cui_reeves_2002, title={Analyzing intensive intrusion alerts via correlation}, volume={2516}, ISBN={3540000208}, DOI={10.1007/3-540-36084-0_5}, abstractNote={Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive intrusions, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. Several complementary alert correlation methods have been proposed to address this problem. As one of these methods, we have developed a framework to correlate intrusion alerts using prerequisites of intrusions. In this paper, we continue this work to study the feasibility of this method in analyzing real-world, intensive intrusions. In particular, we develop three utilities (called adjustable graph reduction, focused analysis, and graph decomposition) to facilitate the analysis of large sets of correlated alerts. We study the effectiveness of the alert correlation method and these utilities through a case study with the network traffic captured at the DEF CON 8 Capture the Flag (CTF) event. 
Our results show that these utilities can simplify the analysis of large amounts of alerts, and also reveals several attack strategies that were repeatedly used in the DEF CON 8 CTF event.}, booktitle={Recent advances in intrusion detection, 5th international symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002: Proceedings}, publisher={Berlin; New York: Springer}, author={Ning, P. and Cui, Y. and Reeves, D. S.}, editor={A. Wespi, G. Vigna and Deri, L.Editors}, year={2002}, pages={74–94} } @article{ning_jajodia_wang_2002, title={Design and implementation of a decentralized prototype system for detecting distributed attacks}, volume={25}, ISSN={["1873-703X"]}, DOI={10.1016/S0140-3664(02)00039-7}, abstractNote={This paper presents the design and implementation of a decentralized research prototype intrusion detection system (IDS) named coordinated attacks response and detection system (CARDS), which aims at detecting distributed attacks that cannot be detected using data collected at any single place. CARDS adopts a signature-based approach. It consists of three kinds of independent but cooperative components: signature manager, monitor, and directory service. Unlike traditional distributed IDSs, CARDS decomposes global representations of distributed attacks into smaller units (called detection tasks) that correspond to the distributed events indicating the attacks, and then executes and coordinates the detection tasks in the places where the corresponding events are observed.}, number={15}, journal={COMPUTER COMMUNICATIONS}, author={Ning, P and Jajodia, S and Wang, XYS}, year={2002}, month={Sep}, pages={1374–1391} } @article{li_ning_wang_jajodia_2003, title={Discovering calendar-based temporal association rules}, volume={44}, ISSN={["1872-6933"]}, DOI={10.1016/S0169-023X(02)00135-0}, abstractNote={We study the problem of mining association rules and related time intervals, where an association rule holds either in all or some of the intervals. 
To restrict to meaningful time intervals, we use calendar schemas and their calendar-based patterns. A calendar schema example is (year, month, day) and a calendar-based pattern within the schema is (∗,3,15), which represents the set of time intervals each corresponding to the 15th day of a March. Our focus is finding efficient algorithms for this mining problem by extending the well-known Apriori algorithm with effective pruning techniques. We evaluate our techniques via experiments.}, number={2}, journal={DATA & KNOWLEDGE ENGINEERING}, author={Li, YJ and Ning, P and Wang, XS and Jajodia, S}, year={2003}, month={Feb}, pages={193–218} }