Communications in Computer and Information Science 58
Dominik Ślęzak, Tai-hoon Kim, Wai-Chi Fang, Kirk P. Arnett (Eds.)
Security Technology
International Conference, SecTech 2009, Held as Part of the Future Generation Information Technology Conference, FGIT 2009, Jeju Island, Korea, December 10-12, 2009, Proceedings
Volume Editors
Dominik Ślęzak, University of Warsaw & Infobright Inc., Poland, E-mail: [email protected]
Tai-hoon Kim, Hannam University, Daejeon, South Korea, E-mail: [email protected]
Wai-Chi Fang, National Chiao Tung University, Hsinchu, Taiwan, E-mail: [email protected]
Kirk P. Arnett, Mississippi State University, Mississippi State, MS, USA, E-mail: [email protected]
Library of Congress Control Number: 2009940048
CR Subject Classification (1998): E.3, C.2, D.2, D.4.6, K.6.5, C.2.3
ISSN 1865-0929
ISBN-10 3-642-10846-6 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-10846-4 Springer Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12805136 06/3180 543210
Foreword
As future generation information technology (FGIT) becomes specialized and fragmented, it is easy to lose sight of the fact that many topics in FGIT have common threads and, because of this, advances in one discipline may be transmitted to others. Presentation of recent results obtained in different disciplines encourages this interchange for the advancement of FGIT as a whole. Of particular interest are hybrid solutions that combine ideas taken from multiple disciplines in order to achieve something more significant than the sum of the individual parts. Through such a hybrid philosophy, a new principle can be discovered which has the propensity to propagate throughout multifaceted disciplines. FGIT 2009 was the first mega-conference that attempted to follow the above idea of hybridization in FGIT in the form of multiple events related to particular disciplines of IT, conducted by separate scientific committees but coordinated in order to expose the most important contributions. It included the following international conferences: Advanced Software Engineering and Its Applications (ASEA), Bio-Science and Bio-Technology (BSBT), Control and Automation (CA), Database Theory and Application (DTA), Disaster Recovery and Business Continuity (DRBC; published independently), Future Generation Communication and Networking (FGCN) that was combined with Advanced Communication and Networking (ACN), Grid and Distributed Computing (GDC), Multimedia, Computer Graphics and Broadcasting (MulGraB), Security Technology (SecTech), Signal Processing, Image Processing and Pattern Recognition (SIP), and u- and e-Service, Science and Technology (UNESST). We acknowledge the great effort of all the Chairs and the members of advisory boards and Program Committees of the above-listed events, who selected 28% of over 1,050 submissions, following a rigorous peer-review process.
Special thanks go to the following organizations supporting FGIT 2009: ECSIS, Korean Institute of Information Technology, Australian Computer Society, SERSC, Springer LNCS/CCIS, COEIA, ICC Jeju, ISEP/IPP, GECAD, PoDIT, Business Community Partnership, Brno University of Technology, KISA, K-NBTC and National Taipei University of Education. We are very grateful to the following speakers who accepted our invitation and helped to meet the objectives of FGIT 2009: Ruay-Shiung Chang (National Dong Hwa University, Taiwan), Jack Dongarra (University of Tennessee, USA), Xiaohua (Tony) Hu (Drexel University, USA), Irwin King (Chinese University of Hong Kong, Hong Kong), Carlos Ramos (Polytechnic of Porto, Portugal), Timothy K. Shih (Asia University, Taiwan), Peter M.A. Sloot (University of Amsterdam, The Netherlands), Kyu-Young Whang (KAIST, South Korea), and Stephen S. Yau (Arizona State University, USA).
We would also like to thank Rosslin John Robles, Maricel O. Balitanas, Farkhod Alisherov Alisherovish, and Feruza Sattarova Yusfovna – graduate students of Hannam University who helped in editing the FGIT 2009 material with great passion.
October 2009
Young-hoon Lee Tai-hoon Kim Wai-chi Fang Dominik Ślęzak
Preface
We would like to welcome you to the proceedings of the 2009 International Conference on Security Technology (SecTech 2009), which was organized as part of the 2009 International Mega-Conference on Future Generation Information Technology (FGIT 2009), held during December 10–12, 2009, at the International Convention Center Jeju, Jeju Island, South Korea. SecTech 2009 focused on the various aspects of advances in security technology with computational sciences, mathematics and information technology. It provided a chance for academic and industry professionals to discuss recent progress in the related areas. We expect that the conference and its publications will be a trigger for further related research and technology improvements in this important subject. We would like to acknowledge the great effort of all the Chairs and members of the Program Committee. Out of 140 submissions to SecTech 2009, we accepted 41 papers to be included in the proceedings and presented during the conference. This gives a roughly 30% acceptance ratio. Four of the papers accepted for SecTech 2009 were published in the special FGIT 2009 volume, LNCS 5899, by Springer. The remaining 37 accepted papers can be found in this CCIS volume. We would like to express our gratitude to all of the authors of submitted papers and to all of the attendees, for their contributions and participation. We believe in the need for continuing this undertaking in the future. Once more, we would like to thank all the organizations and individuals who supported FGIT 2009 as a whole and, in particular, helped in the success of SecTech 2009.
October 2009
Dominik Ślęzak Tai-hoon Kim Wai-chi Fang Kirk P. Arnett
Organization
Organizing Committee
General Chair
Wai-chi Fang (National Chiao Tung University, Taiwan)
Program Chairs
Tai-hoon Kim (Hannam University, Korea)
Kirk P. Arnett (Mississippi State University, USA)
Advisory Board
Dominik Ślęzak (University of Warsaw and Infobright, Poland)
Edwin H-M. Sha (University of Texas at Dallas, USA)
Justin Zhan (CMU, USA)
Kouichi Sakurai (Kyushu University, Japan)
Laurence T. Yang (St. Francis Xavier University, Canada)
Byeong-Ho Kang (University of Tasmania, Australia)
Publicity Chairs
Antonio Coronato (ICAR-CNR, Italy)
Damien Sauveron (Université de Limoges / CNRS, France)
Hua Liu (Xerox Corporation, USA)
Kevin R.B. Butler (Pennsylvania State University, USA)
Guojun Wang (Central South University, China)
Tao Jiang (Huazhong University of Science and Technology, China)
Gang Wu (UESTC, China)
Yoshiaki Hori (Kyushu University, Japan)
Muhammad Khurram Khan (King Saud University, Saudi Arabia)
Publication Chair
Yong-ik Yoon (Sookmyung Women's University, Korea)
Program Committee
A. Hamou-Lhadj, ByungRae Cha, Costas Lambrinoudakis, Dieter Gollmann, E. Konstantinou, Eduardo B. Fernandez, Fangguo Zhang, Filip Orsag, Gerald Schaefer, Hiroaki Kikuchi,
Hironori Washizaki, Hsiang-Cheh Huang, Hyun-Sung Kim, J.H. Abbawajy, Javier Garcia Villalba, Jongmoon Baik, Jordi Forne, Kouichi Sakurai, Larbi Esmahi, Jungsook Kim,
Justin Zhan, Lejla Batina, Luigi Buglione, MalRey Lee, Mario Marques Freire, Martin Drahansky, Masahiro Mambo, N. Jaisankar, Nobukazu Yoshioka, Paolo D'Arco,
Petr Hanacek, Qi Shi, Raphael C.-W. Phan, Rhee Kyung-Hyune, Robert Seacord, Rolf Oppliger, Rui Zhang, Serge Chaumette,
Sheng-Wei Chen, Silvia Abrahao, Stan Kurkovsky, Stefan Katzenbeisser, Stefanos Gritzalis, Swee-Huay Heng, Tony Shan, Wen-Shenq Juang,
Willy Susilo, Yannis Stamatiou, Yi Mu, Yijun Yu, Yingjiu Li, Yong Man Ro, Young Ik Eom
Table of Contents
Applications of Reversible Data Hiding Techniques with the Quick Response Codes ..... 1
  Hsiang-Cheh Huang, Feng-Cheng Chang, and Wai-Chi Fang
A New Approach in T-FA Authentication with OTP Using Mobile Phone ..... 9
  Abdulaziz S. Almazyad and Yasir Ahmad
Correlating Alerts into Compressed Graphs Using an Attribute-Based Method and Time Windows ..... 18
  Seyed Hossein Ahmadinejad and Saeed Jalili
A Study on Secure Contents Using in Urban Computing ..... 26
  Hoon Ko, Jongmyung Choi, and Carlos Ramos
Shadow Generation Protocol in Linguistic Threshold Schemes ..... 35
  Marek R. Ogiela and Urszula Ogiela
Analysis of Handwritten Signature Image ..... 43
  Debnath Bhattacharyya, Poulami Das, Samir Kumar Bandyopadhyay, and Tai-hoon Kim
The Design of Signature Selection for Protecting Illegal Outflow of Sensitive Information in Mobile Device ..... 51
  Bo-heung Chung, Min-ho Han, and Ki-young Kim
Hardware Based Data Inspection for USB Data Leakage Prevention ..... 57
  DongHo Kang, BoHeung Jung, and KiYoung Kim
Grayscale Image Classification Using Supervised Chromosome Clustering ..... 64
  Debnath Bhattacharyya, Poulami Das, Samir Kumar Bandyopadhyay, and Tai-hoon Kim
Towards the Integration of Security Aspects into System Development Using Collaboration-Oriented Models ..... 72
  Linda Ariani Gunawan, Peter Herrmann, and Frank Alexander Kraemer
Impact of Malicious Node on Broadcast Schemes ..... 86
  Aneel Rahim and Fahad bin Muyaha
Hierarchical Identity-Based Identification Schemes ..... 93
  Ji-Jian Chin, Swee-Huay Heng, and Bok-Min Goi
The Trend of the Security Research for the Insider Cyber Threat ..... 100
  Jaeseung Hong, Jongwung Kim, and Jeonghun Cho
MIMO Wiretap Channel: A Scalar Approach ..... 108
  Mohammad Rakibul Islam and Jinsang Kim
Security Testing for Operating System and Its System Calls ..... 116
  Gaoshou Zhai, Hanhui Niu, Na Yang, Minli Tian, Chengyu Liu, and Hengsheng Yang
Efficient Group Signature with Forward Secure Revocation ..... 124
  Haimin Jin, Duncan S. Wong, and Yinlong Xu
Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion ..... 132
  Jieren Cheng, Jianping Yin, Yun Liu, Zhiping Cai, and Chengkun Wu
Researching on Cryptographic Algorithm Recognition Based on Static Characteristic-Code ..... 140
  Tie-Ming Liu, Lie-hui Jiang, Hong-qi He, Ji-zhong Li, and Xian Yu
Verification of Security-Relevant Behavior Model and Security Policy for Model-Carrying Code ..... 148
  Yonglong Wei, Xiaojuan Zheng, Jinglei Ren, Xudong Zheng, Chen Sun, and Zhenhao Li
Feature Level Fusion of Biometrics Cues: Human Identification with Doddington's Caricature ..... 157
  Dakshina Ranjan Kisku, Phalguni Gupta, and Jamuna Kanta Sing
A Study on the Interworking for SIP-Based Secure VoIP Communication with Security Protocols in the Heterogeneous Network ..... 165
  Seokung Yoon, Hyuncheol Jung, and Kyung-Seok Lee
DDoS Attack Detection Using Three-State Partition Based on Flow Interaction ..... 176
  Jieren Cheng, Boyun Zhang, Jianping Yin, Yun Liu, and Zhiping Cai
A Development of Finite State Machine Create Tool for Cryptography Module Validation ..... 185
  Jae-goo Jeong, Seung-yong Hur, and Gang-Soo Lee
A Privacy-Aware System Using Threat-Based Evaluation and Feedback Method in Untrusted Ubiquitous Environments ..... 193
  Yuan Tian, Biao Song, and Eui-Nam Huh
Fusion of Multiple Matchers Using SVM for Offline Signature Identification ..... 201
  Dakshina Ranjan Kisku, Phalguni Gupta, and Jamuna Kanta Sing
A Two-Factor Mutual Authentication Scheme Using Biometrics and Smart Card ..... 209
  Sheikh Ziauddin
Secure Collection Tree Protocol for Tamper-Resistant Wireless Sensors ..... 217
  Peter Pecho, Jan Nagy, Petr Hanáček, and Martin Drahanský
Accelerometer Based Digital Video Stabilization for Security Surveillance Systems ..... 225
  Martin Drahanský, Filip Orság, and Petr Hanáček
Escrowed Deniable Identification Schemes ..... 234
  Pairat Thorncharoensri, Qiong Huang, Willy Susilo, Man Ho Au, Yi Mu, and Duncan Wong
Insights into Malware Detection and Prevention on Mobile Phones ..... 242
  Qiang Yan, Yingjiu Li, Tieyan Li, and Robert Deng
Automation of Post-exploitation: Focused on MS-Windows Targets ..... 250
  Mohammad Tabatabai Irani and Edgar R. Weippl
Speaker Dependent Frequency Cepstrum Coefficients ..... 258
  Filip Orság
Towards the Detection of Encrypted BitTorrent Traffic through Deep Packet Inspection ..... 265
  David A. Carvalho, Manuela Pereira, and Mário M. Freire
A Simple Encryption Scheme for Binary Elliptic Curves ..... 273
  Brian King
Analysis of Text Complexity in a Crypto System – A Case Study on Telugu ..... 281
  M.S.V.S. Bhadri Raju, B. Vishnu Vardhan, G.A. Naidu, L. Pratap Reddy, and A. Vinaya Babu
Symmetric-Key Encryption for Wireless Internet SCADA ..... 289
  Rosslin John Robles and Min-Kyu Choi
An Efficient Pre-filtering Mechanism for Parallel Intrusion Detection Based on Many-Core GPU ..... 298
  Chengkun Wu, Jianping Yin, Zhiping Cai, En Zhu, and Jieren Cheng
Author Index ..... 307
Applications of Reversible Data Hiding Techniques with the Quick Response Codes
Hsiang-Cheh Huang¹, Feng-Cheng Chang², and Wai-Chi Fang³
¹ National University of Kaohsiung, Kaohsiung 811, Taiwan, [email protected]
² Tamkang University, I-Lan 262, Taiwan, [email protected]
³ National Chiao-Tung University, Hsinchu 300, Taiwan, [email protected]
Abstract. Quick response (QR) codes are aimed at convenience-oriented applications for mobile phone users. People can use the mobile phone camera to capture the code, a seemingly random pattern usually displayed at the corner of a web page, and the hyperlink corresponding to the QR code is then accessed. Since the QR code looks like random noise, its presence can greatly reduce the value of the original image. With the aid of reversible data hiding techniques, we propose a scheme such that when the image containing the QR code is browsed, the hyperlink corresponding to the QR code is accessed first. Then the QR code vanishes and the original image is recovered, retaining the information conveyed therein. Simulation results demonstrate the applicability of the proposed algorithm.
Keywords: Quick response (QR) code, reversible data hiding, histogram, difference expansion.
1 Introduction
The proliferation of Internet usage has made it easy for people to link to web pages using a PC, PDA, or mobile phone over wired or wireless networks. In particular, for users who browse web pages with mobile phones, this has brought much convenience to their daily lives [1]. As is well known, when comparing the time needed to input a URL (Uniform Resource Locator) on a computer keyboard with that on a mobile phone keypad, the keypad brings much more inconvenience and difficulty in linking to web pages. To solve this problem, the quick response (QR) code has emerged. QR codes can easily be seen on web pages or posters nowadays. It is a two-dimensional code of square shape, mostly represented in binary form (black and white pixels), attached somewhere in the web page or poster. Colorized QR codes also exist. Originally, the purpose of the QR code was to provide a quick connection to a specific web page, with the URL information converted into the QR code pattern. From the viewpoint of watermarking research [1], the QR code can be regarded as a visible watermark. Since a visible watermark causes degradation of image quality both objectively and subjectively, how to effectively remove the watermark while retaining the information conveyed in the original image is an interesting topic for applications. Here we propose an algorithm and the associated integration that utilizes the capability of the QR code and can effectively recover the original image after removal of the QR code. Once the image containing the QR code is browsed, the designated web page is accessed, and the original image is recovered by use of the reversible data hiding techniques described shortly.
This paper is organized as follows. In Sec. 2, we present some fundamental descriptions of QR codes. Then, in Sec. 3, we review two different kinds of reversible data hiding techniques and their integration with QR codes. Simulation results are demonstrated in Sec. 4, which suggest the applicability of the proposed algorithm and integration. Finally, we conclude this paper in Sec. 5.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 1–8, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Background Descriptions of QR Codes
The QR (quick response) code is a two-dimensional bar code created by the Japanese corporation Denso-Wave in 1994. It is also standardized by the Japanese Industrial Standards (JIS) under the name JIS-X-0510:1999 QR Code [2]. QR codes can easily be seen on web pages, or in advertisements in posters or newspapers. One example is depicted in Figure 1(a). This QR code contains the URL of the website of the original image in Figure 1(b), http://www.lenna.org/. After encoding, a square binary image of size 135 × 135 is produced. Figure 1(b) shows the practical scenario for the use of the QR code: it is inserted into the corner of the original image. We take the commonly used test image Lena, with image size 1024 × 1024, as an example.
The major purpose of QR codes is to let mobile phone users link quickly to the web page corresponding to the code. Most mobile phones can read the code with the phone camera; the hyperlink information contained in the QR code is then deciphered, and the web page can be displayed on the phone screen. Compared with conventional schemes for accessing home pages with mobile phones, users need not type the alphanumeric characters of the URL; by shooting the QR code with the phone camera, the web page is shown instantly, and much of the time for inputting the characters is saved. However, the QR code remains in the original image, and hence degraded image quality is to be expected.
Unlike conventional bar codes, QR codes offer much larger capacities for holding information, which can be classified as follows:
- Numeric only: at most 7089 characters;
- Alphanumeric: at most 4296 characters;
- Byte format: at most 2953 bytes;
- Japanese character: at most 1817 characters.
Since the QR code is captured by mobile phone cameras, some errors might be induced, and hence the captured QR code needs to have some error-correcting capability. The QR code can correct 7% to 30% of the codewords, depending on the error correction level, by using Reed-Solomon codes [2].
[Figure 1: panels (a) and (b); caption follows]
Fig. 1. Test materials in this paper. (a) The QR code with size 135 × 135, containing the hyperlink of http://www.lenna.org/. (b) The grey level image "lena" with size 1024 × 1024, containing the QR code at the lower-right corner.
From the watermarking perspective, the QR code can be regarded as a visible watermark. For instance, at the lower-right portion of Figure 1(b), the pixels of the original image in this region are directly replaced by the QR code. After capturing the QR code, further procedures, such as shopping online or obtaining more information about the image itself, can be performed with the browser. Even though this brings convenience to the access of web pages, quality degradation of the original image is to be expected even though only (135 × 135) / (1024 × 1024) × 100% = 1.74% of the total image area is occupied: the peak signal-to-noise ratio (PSNR) is only 22.81 dB in Figure 1(b). In addition, it is sometimes inevitable that important information of the original image resides in the corner portions, and replacing the corner of the original image with the QR code might remove the information conveyed there. Thus, we propose an algorithm that uses reversible data hiding to hide the corner portion of the original image into the rest of the image in advance, and then replaces that portion with the QR code. After browsing the image containing the QR code, the QR code is removed first, and the original data can be recovered with reversible data hiding from the rest of the image.
3 Algorithms of Reversible Data Hiding and Integration with QR Codes
Reversible data hiding is a new branch of data hiding research. At the encoder, the data are hidden in the original image, and the output looks nearly identical to the original image. At the decoder, unlike conventional watermarking where only the watermark needs to be extracted, reversible data hiding requires that both the hidden data and the original image be perfectly recovered.
3.1 Histogram-Modification for Reversible Data Hiding
The histogram-modification scheme for data embedding is adopted from [3] and can be described as follows.
Step 1. Generate the histogram of the original image. The luminance value with the maximal number of occurrences in the histogram is labeled the "max point," while a value with no occurrence is labeled the "zero point." The luminance values of the max and zero points, each represented by 8 bits, are treated as side information; hence a total of 16 bits must be transmitted to the receiver for data extraction.
Step 2. Select the range between the max and zero points. The range of luminance values between the max and zero points is recorded in the histogram.
Step 3. Modify the luminance values in the selected range. In the region between the max and zero points recorded in Step 2, the luminance values are altered in advance: all luminance values in the selected range are increased by 1.
Step 4. Embed the data. For embedding a binary watermark, if the watermark bit is '1,' the luminance value is increased by 1; if the watermark bit is '0,' it is decreased by 1.
To extract both the hidden data and the original image, the following steps apply.
Step 1. Locate the selected range with the side information. Luminance values between the max and zero points are compared.
Step 2. Extract the hidden data relative to the original. Every pixel of the output image is scanned and examined sequentially to extract the data bits, following Step 3 of the embedding procedure.
Step 3. Obtain the original image. By moving the histogram back into its original form, the original content is recovered.
Histogram-based reversible data hiding has the advantages of ease of implementation and little side information. On the other hand, the number of bits available for embedding, or the capacity, might not be enough for the hidden data. Hence, the difference expansion (DE) scheme described in Sec. 3.2, based on the concept of the wavelet transform, was proposed.
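The embedding and extraction steps above, worked through in Python as an added example (this is not the paper's code, nor code from [3]). It follows the histogram-shifting scheme of Ni et al. [3] with the usual convention that a '1' bit moves a max-point pixel one step toward the zero point and a '0' bit leaves it at the max point, which is what lets the decoder separate carrier pixels from shifted ones; it also handles a zero point that lies below the max point by shifting downward. The payload length is appended to the 16-bit side information (an addition, so that padding can be trimmed), and the 4 × 4 image and payload are constructed. The capacity check, the number of occurrences of the max point, is the limitation the paragraph names.

```python
"""Histogram-shifting reversible data hiding after Ni et al. [3], as summarized
in Sec. 3.1.  Added example, not the paper's code.  An image is a list of rows
of 8-bit luminance values."""
import math
from collections import Counter

# Constructed 4x4 test image: value 100 occurs 8 times (max point), 98 never
# occurs (nearest zero point), and 99 lies between them and will be shifted.
SAMPLE_IMAGE = [
    [100, 100, 101, 102],
    [100, 103, 100, 101],
    [ 99, 100, 102, 100],
    [100, 101,  97, 100],
]

def histogram(img):
    return Counter(p for row in img for p in row)

def find_max_zero(img):
    """Step 1: the most frequent value (max point) and the empty bin nearest to
    it (zero point).  A full histogram has no zero point and cannot be used."""
    h = histogram(img)
    max_point = max(range(256), key=lambda v: h[v])
    zeros = [v for v in range(256) if h[v] == 0]
    if not zeros:
        raise ValueError("no zero point: histogram has no empty bin")
    return max_point, min(zeros, key=lambda v: abs(v - max_point))

def capacity(img):
    """Number of embeddable bits = occurrences of the max point."""
    max_point, _ = find_max_zero(img)
    return histogram(img)[max_point]

def embed(img, bits):
    """Steps 2-4: shift the bins strictly between max and zero points by one
    toward the zero point, then let each max-point pixel carry one bit
    (1 -> moved one step toward the zero point, 0 -> left at the max point).
    Side information is (max, zero, number of bits); the length is an
    addition over the paper's 16 bits so extraction can trim padding."""
    max_point, zero_point = find_max_zero(img)
    if len(bits) > histogram(img)[max_point]:
        raise ValueError(f"payload of {len(bits)} bits exceeds capacity")
    step = 1 if zero_point > max_point else -1
    lo, hi = sorted((max_point, zero_point))
    it = iter(bits)
    stego = []
    for row in img:
        out = []
        for p in row:
            if lo < p < hi:
                p += step                   # make room next to the max point
            elif p == max_point:
                p += step * next(it, 0)     # carrier pixel; 0 once bits run out
            out.append(p)
        stego.append(out)
    return stego, (max_point, zero_point, len(bits))

def extract(stego, side):
    """Decoder Steps 1-3: read the carriers, then undo the shift.
    Returns (recovered image, bits)."""
    max_point, zero_point, n_bits = side
    step = 1 if zero_point > max_point else -1
    carrier_one = max_point + step
    bits, img = [], []
    for row in stego:
        out = []
        for p in row:
            if p == carrier_one:
                bits.append(1)
                p = max_point
            elif p == max_point:
                bits.append(0)
            elif (step == 1 and carrier_one < p <= zero_point) or \
                 (step == -1 and zero_point <= p < carrier_one):
                p -= step                   # shifted original pixel
            out.append(p)
        img.append(out)
    return img, bits[:n_bits]

def psnr(a, b):
    """PSNR in dB between two equally sized images; inf when identical."""
    n = sum(len(r) for r in a)
    mse = sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)) / n
    return math.inf if mse == 0 else 10 * math.log10(255 ** 2 / mse)

if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 1]
    stego, side = embed(SAMPLE_IMAGE, payload)
    recovered, bits = extract(stego, side)
    print("side info:", side, "PSNR: %.2f dB" % psnr(stego, SAMPLE_IMAGE))
    print("lossless:", recovered == SAMPLE_IMAGE, "bits ok:", bits == payload)
```

On the constructed image the capacity is 8 bits, every modified pixel changes by exactly 1, and the decoder returns the original image bit for bit; a payload longer than the max-point count is rejected up front rather than silently truncated.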
3.2 Difference-Expansion for Reversible Data Hiding
If we group every 1 × 4 block into a unit, called the quad, reversible data hiding can be performed by using the relationships among the four pixels. The scheme, called difference expansion of quads (DEQ), is proposed in [4]. A quad is a 1 × 4 vector $(u_0, u_1, u_2, u_3)$ formed from the four pixel values of a 2 × 2 block. Following DE, we then calculate the following values:
$$v_0 = \left\lfloor \frac{u_0 + u_1 + u_2 + u_3}{4} \right\rfloor, \qquad (1)$$
$$v_1 = u_1 - u_0, \qquad (2)$$
$$v_2 = u_2 - u_0, \qquad (3)$$
$$v_3 = u_3 - u_0, \qquad (4)$$
where $\lfloor \cdot \rfloor$ denotes the floor function. For embedding three bits $b_1, b_2, b_3$ into one quad,
$$\tilde{v}_1 = 2 \cdot \left\lfloor \frac{v_1}{2} \right\rfloor + b_1, \qquad (5)$$
$$\tilde{v}_2 = 2 \cdot \left\lfloor \frac{v_2}{2} \right\rfloor + b_2, \qquad (6)$$
$$\tilde{v}_3 = 2 \cdot \left\lfloor \frac{v_3}{2} \right\rfloor + b_3. \qquad (7)$$
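The quad transform and its use for embedding, as an added Python example (not the paper's code and not taken from [4]). It implements Eqs. (1)-(4) and their exact inverse, $u_0 = v_0 - \lfloor (v_1 + v_2 + v_3)/4 \rfloor$, which follows from Eq. (1) because $u_0 + u_1 + u_2 + u_3 = 4u_0 + v_1 + v_2 + v_3$. One caveat: Eqs. (5)-(7) as printed replace the least significant bit of each difference, which a decoder cannot undo without the replaced bits; this example therefore uses the expanding form $\tilde{v}_i = 2 v_i + b_i$ from [4], so that $v_i = \lfloor \tilde{v}_i / 2 \rfloor$ and $b_i$ are both recoverable from the stego quad alone. The overflow check that decides whether a quad may carry three bits, and the non-location map of skipped quads as side information, are included; the quads and payload bits are constructed, two of the quads deliberately sitting at the 0 and 255 boundaries.

```python
"""Difference expansion of quads (DEQ) after Alattar [4].  Added example, not
the paper's code.  A quad is a tuple of four 8-bit pixel values
(u0, u1, u2, u3) taken from one 2x2 block."""
from itertools import product

# Constructed quads: index 1 would underflow and index 3 would overflow when
# expanded, so they belong in the non-location map; the others are expandable.
SAMPLE_QUADS = [
    (100, 102, 101, 99),
    (0, 0, 0, 1),
    (200, 210, 190, 205),
    (255, 255, 254, 255),
    (50, 52, 48, 51),
]
SAMPLE_BITS = [1, 0, 1, 0, 1, 1, 1, 1, 0]   # three bits per expandable quad

def forward(quad):
    """Eqs. (1)-(4): integer average v0 and three differences to u0."""
    u0, u1, u2, u3 = quad
    return (u0 + u1 + u2 + u3) // 4, u1 - u0, u2 - u0, u3 - u0

def inverse(v):
    """Exact inverse of forward(): v0 = u0 + floor((v1+v2+v3)/4), hence
    u0 = v0 - floor((v1+v2+v3)/4); the other pixels follow from the differences."""
    v0, v1, v2, v3 = v
    u0 = v0 - (v1 + v2 + v3) // 4
    return (u0, u0 + v1, u0 + v2, u0 + v3)

def expandable(quad):
    """Overflow check: the quad may carry three bits only if every choice of
    (b1, b2, b3) keeps all four reconstructed pixels inside 0..255."""
    v0, v1, v2, v3 = forward(quad)
    for b1, b2, b3 in product((0, 1), repeat=3):
        u = inverse((v0, 2 * v1 + b1, 2 * v2 + b2, 2 * v3 + b3))
        if any(not 0 <= p <= 255 for p in u):
            return False
    return True

def embed_quad(quad, bits):
    """Hide three bits in one expandable quad with v_i -> 2*v_i + b_i."""
    if not expandable(quad):
        raise ValueError("quad would overflow; it must be skipped")
    b1, b2, b3 = bits
    v0, v1, v2, v3 = forward(quad)
    return inverse((v0, 2 * v1 + b1, 2 * v2 + b2, 2 * v3 + b3))

def extract_quad(stego_quad):
    """Recover (original quad, bits): b_i is the LSB of the expanded
    difference and v_i = floor(v~_i / 2); the average v0 is untouched."""
    v0, w1, w2, w3 = forward(stego_quad)
    bits = (w1 & 1, w2 & 1, w3 & 1)
    return inverse((v0, w1 >> 1, w2 >> 1, w3 >> 1)), bits

def embed_quads(quads, bits):
    """Embed a payload (length a multiple of 3) across a list of quads.  Quads
    that fail the overflow check are left untouched and their indices recorded
    as the non-location map; side information is (non-location map, length)."""
    if len(bits) % 3:
        raise ValueError("payload length must be a multiple of 3")
    out, non_loc, pos = [], [], 0
    for i, q in enumerate(quads):
        if pos >= len(bits):
            out.append(q)                   # payload done: leave the rest alone
        elif expandable(q):
            out.append(embed_quad(q, tuple(bits[pos:pos + 3])))
            pos += 3
        else:
            non_loc.append(i)
            out.append(q)
    if pos < len(bits):
        raise ValueError("not enough expandable quads for the payload")
    return out, (non_loc, len(bits))

def extract_quads(stego, side):
    """Walk the quads in the same order, skipping the non-location map, until
    the recorded number of bits has been read.  Returns (original quads, bits)."""
    non_loc, n_bits = side
    out, bits = [], []
    for i, q in enumerate(stego):
        if len(bits) < n_bits and i not in non_loc:
            orig, b = extract_quad(q)
            out.append(orig)
            bits.extend(b)
        else:
            out.append(q)
    return out, bits

if __name__ == "__main__":
    stego, side = embed_quads(SAMPLE_QUADS, SAMPLE_BITS)
    recovered, bits = extract_quads(stego, side)
    print("non-location map:", side[0])
    print("lossless:", recovered == SAMPLE_QUADS, "bits ok:", bits == SAMPLE_BITS)
```

Recording only the non-expandable quads is the "non-location map" idea from the paragraph that follows Eq. (7): on natural images the list is short, while the decoder still needs it, plus the payload length, to know which quads to un-expand.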
By doing so, the capacity of DEQ is 0.75 bit/pixel, meaning that at most three quarters of the image size, counted in bits, can be hidden. However, due to the overflow problems in Eqs. (2) to (4), some quad positions might not be suitable for embedding the three bits assigned to that quad. The suitable positions for embedding, called the location map, are the side information generated. Since in natural images most quads are suitable for embedding three bits each, the positions that are not suitable, called the non-location map, are recorded instead, which reduces the size of the side information. From the derivations above, compared with Sec. 3.1, the DEQ scheme has the advantage of embedding a large amount of data, while the location map needs to be available at the decoder for extracting both the original image and the hidden data [5].
3.3 Proposed Scheme for Integration
Both the algorithms in Sec. 3.1 and Sec. 3.2 have their own drawbacks. Hence, we combine both algorithms by considering their advantages, and integrate them with the QR code.
Step 1. Generate the QR code with the information relating to the original image, and obtain the size of the QR code image.
Step 2. Produce the non-location map for data embedding in DEQ.
Step 3. Choose a threshold for embedding the beginning of the non-location map with the histogram-based scheme.
Step 4. If the sum of peak occurrences is larger than the threshold, hide the beginning of the non-location map into the histogram. If not, lower the threshold value in Step 2.
Step 5. Embed the remaining non-location map information with the DEQ method.
Step 6. Replace the lower-right corner by the QR code generated in Step 1.
Step 7. Output both the image with the QR code and the side information.
On the other hand, extraction of the data and the original is simple, and can be performed as follows.
Step 1. Locate the QR code area in the image and decipher the information contained in the QR code.
Step 2. Generate the histogram of the image, except for the QR code portion.
Step 3. Reveal the selected range with the side information.
Step 4. Produce the beginning of the non-location map from the histogram.
Step 5. Extract the portion previously occupied by the QR code, and recover the original with the DEQ scheme.
By following the descriptions above, we can effectively hide the QR code area of the original image into the rest of the image with high capacity and low overhead. After removal of the QR code image, the original information contained in that area can be gathered back, and the original image can be obtained.
4 Simulation Results
We perform the following steps to assess the applicability of our algorithm.
At the encoder:
- generate the QR code;
- embed the QR code with the proposed algorithm;
- post the image containing the QR code on some web page.
At the decoder:
- access the image containing the QR code with the browser;
- decode the QR code information and remove the QR code;
- recover the original image.
Table 1 shows the experiments with four different test images and the corresponding URL information for generating the QR code. All the QR codes have size 135 × 135. The results for the third column, the baboon picture, are demonstrated in Figure 1. For all the pictures, 135 × 135 × 8 = 145800 bits at the lower-right portion of the original image must be hidden, and our algorithm is capable of hiding this amount of data. After inserting the QR code, the image qualities degrade to 21.59 to 22.81 dB. At the decoder, after decoding the QR code, a new page pops up showing the URL in the QR code; information relating to the original image can then be provided, or online shopping can proceed, as shown in Figure 2. Next, after removing the QR code, the original is recovered, and all the mean square errors (MSEs) in the final row of Table 1 are 0.00, meaning that the recovered images are identical to their original counterparts.
Table 1. Comparisons of image qualities
Test image                                 | Lena                  | baboon                 | airplane                  | pepper
Image size                                 | 1024 × 1024           | 1024 × 1024            | 1024 × 1024               | 1024 × 1024
Image quality with QR                      | 22.81 dB              | 21.71 dB               | 22.08 dB                  | 21.59 dB
QR information                             | http://www.lenna.org  | http://www.nuk.edu.tw  | http://www.yahoo.com.tw   | http://www.google.com
MSE between original and recovered images  | 0.00                  | 0.00                   | 0.00                      | 0.00
Fig. 2. After decoding, both the web page corresponding to QR code and the original can be obtained
5 Conclusions In this paper, we described the popularity of the use of QR codes. QR codes can facilitate the access of web pages with mobile phones by capturing the specific corner in the image. As we can see from practical scenarios, the existence of such a code degrades the quality of the original image or even conceals some information contained in the original image inherently. Considering the facilities offered by the QR codes, users can access the webpage with the QR code first, and then it can be removed from the corner of the image, and the original image can be recovered back. The QR code information can be deciphered to some URL relating to the original image, and more information corresponding to the original image can be discovered by the users, such as online shopping. More applications can also be explored in the future.
Acknowledgments. The authors would like to thank National Science Council (Taiwan, R.O.C) for supporting this paper under Grant No. NSC97-2221-E-390-011 and NSC98-2221-E-390-017.
References
1. Pan, J.S., Huang, H.-C., Jain, L.C., Fang, W.C. (eds.): Intelligent Multimedia Data Hiding. Springer, Heidelberg (2007)
2. Denso Wave Incorporated: QR Code standardization (2003), http://www.denso-wave.com/qrcode/qrstandard-e.html
3. Ni, Z., Shi, Y.-Q., Ansari, N., Su, W.: Reversible Data Hiding. IEEE Trans. Circuits Syst. Video Technol. 16, 354–362 (2006)
4. Alattar, A.M.: Reversible Watermark Using the Difference Expansion of a Generalized Integer Transform. IEEE Trans. Image Process. 13, 1147–1156 (2004)
5. Hu, Y., Lee, H.K., Li, J.: DE-Based Reversible Data Hiding with Improved Overflow Location Map. IEEE Trans. Circuits Syst. Video Technol. 19, 250–260 (2009)
A New Approach in T-FA Authentication with OTP Using Mobile Phone
Abdulaziz S. Almazyad and Yasir Ahmad
Center of Excellence in Information Assurance, College of Computer Engineering and Sciences, King Saud University, KSA
Abstract. Security will never go out of style. Most existing network applications authenticate users with a username/password system. Such systems, which use reusable passwords, are susceptible to attacks based on theft of the password. To overcome this susceptibility in existing applications, there exists an authentication mechanism known as Two-Factor Authentication (T-FA). Two-factor authentication is a process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. It is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Using a one-time password (OTP) as one of the factors makes it more difficult to gain unauthorized access to restricted resources, such as a computer account or a bank account. In this paper, we propose a new approach to implementing two-factor authentication, with one of the factors being one-time password generation using mobile phones.
1 Introduction
Authentication is the process of identifying a user to a system in order to access it. Access to a system normally depends upon the identity of the user who requests access to a particular resource. Authentication is a major concern when building a secure system. The most commonly used solution for authentication today is the username and password. The more services there are, the more username and password pairs the user needs to remember. It is well known that many people find it impossible to remember all their username and password combinations. Therefore they use the same combinations for all their services and select passwords that are easily remembered. Intruders take advantage of this and act as a legitimate user [5][6]. These reused combinations strongly reduce the security of an authentication mechanism. A more secure way of authentication may be implemented with smart cards, an authentication server or even a PKI [11]. Authentication of a person in a system can be achieved by one of the following factors or by their combination:
1. Something you know (e.g., code numbers)
2. Something you are (e.g., biometrics)
3. Something you have (e.g., pass, ID card or token)
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 9–17, 2009. © Springer-Verlag Berlin Heidelberg 2009
Section 2 explains the method of two-factor authentication with various authentication types, and section 3 overviews the one-time password generation methodology; using these two technologies we provide a solution to implement a secure system. Section 4 describes the related technology and its benefits. Section 5 describes related work and its disadvantages. Section 6 presents our work and its advantages over the work discussed in section 5. Finally, sections 7 and 8 present the conclusion and future work, and the references, respectively.
2 T-FA (Two-Factor Authentication)
Two-factor authentication (T-FA) is a system where two different factors are used to authenticate a user. It adds more security to the system because the user has to provide two factors of authentication, e.g., a password and a passcode. Two-factor authentication combines ‘something that you know’ (password, PIN) with ‘something that you have’ (hardware token, mobile phone) or ‘something that you are’ (biometric) to verify that the person is actually who he claims to be. Two-factor authentication means leveraging at least two of the authentication methods mentioned above. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. In order to gain access to specific resources, an unauthorized user or intruder needs to have access to ‘two factors’: the secret code (password, PIN) and the authentication device. T-FA could tremendously reduce the possibility of online identity theft [8], because the victim's secret password would no longer be sufficient for an intruder to access their information. However, T-FA is still vulnerable to trojan and man-in-the-middle attacks [1].
2.1 T-FA Implementations
There are a number of methods available to practically implement T-FA. A combination of different implementations is used, e.g., an ATM card and a PIN; in this case the term two-factor authentication is used.
2.2 Authentication Types
Tokens. A security token (or hardware token) is a small device that the user carries to authorize access to a network resource.
Magnetic Cards. Magnetic cards, e.g., credit cards, debit cards, ATM cards, etc., provide a possible two-factor authentication.
Mobile Phones. A mobile phone could be used as a token device using SMS messaging or an interactive telephone call.
Biometrics. Biometrics such as face recognition, voice authentication and fingerprinting. There are more authentication types which cannot be discussed here and are beyond the scope of this paper.
3 OTP (One Time Password)
Traditional static passwords can easily be obtained by an unauthorized intruder after some attempts. An authentication method that overcomes this issue and improves the security of the system is generating a one-time password each time [2][3][4]. One-time passwords provide a secure and easy-to-use authentication solution. There are many implementations of OTP in existence today [7][8][9][10][11]:
1. A mathematical algorithm is used to generate a new password based on the previous one.
2. A time-synchronization based method between the authentication server and the client providing the password.
3. A mathematical algorithm is used, but the new password is based on a challenge (e.g., a random number chosen by the authentication server) and a counter instead of being based on the previous password.
4. A list of passwords printed on paper.
5. Portable electronic devices (e.g., mobile phones).
One-time passwords solve many of the issues with static passwords. They are generated by a hardware token, a computer, a mobile phone or any other device using challenge-response and many other methods, and therefore appear totally random. In addition, as the name suggests, they are used only once. This property makes them invulnerable to replay attacks and sniffing: a password captured on the wire has already been consumed. By changing the password every time, OTP solutions introduce aliveness, which is an important concept for detecting whether an unauthorized intruder is trying to use old information.
4 Related Technology
Single Sign On (SSO) is the ability for a user to log in once and get access to multiple software systems that are related to each other but independent, using just one user ID and password.
4.1 Benefits
1. Reducing password fatigue from different user name and password combinations [12].
2. Reducing time spent re-entering passwords for the same identity [13].
3. Support for authentication such as Windows credentials (i.e., username/password).
4. It provides security on all levels to access the systems without re-entering the user credentials.
Since static passwords are the least secure mechanism for authentication, single sign on has now become known as reduced sign on (RSO), since more than one type of authentication mechanism is used in enterprises. For example, in an enterprise using SSO software, the user logs into the system with their ID and password. This gives single sign on authentication to access low-risk information and multiple applications such as the information portal. However, when the user tries to access higher-risk applications and information, like a payroll system, the single sign on software requires them to use a stronger form of authentication. This may include digital certificates, security tokens, smart cards, biometrics or combinations of them.
5 Related Work
There has been much research on one-time password mechanisms, and there are also many mechanisms in practice that are in use as commercial products. Such one-time password mechanisms, which generate the password, can be classified into time-based and MIDlet-based authentication.
5.1 Time Factor Based
The Free Auth Project has developed a MIDlet of their OTP solution [14]. Their OTP generation depends upon a time factor and requires synchronization of both client and server. Time factor synchronization is not always possible and hence not an easy task, and the solution is vulnerable if the synchronization fails.
5.2 Java MIDlet
There is one more solution where a user should have access to a computer connected to the Internet and must possess a mobile phone with a SIM card. A Java MIDlet is installed on the Java-enabled mobile phone, which transforms the phone into a secure OTP token that can be used to log in to any service on the Internet. If the computer and mobile phone are equipped with Bluetooth, higher usability can be obtained. Through the browser application on the computer, the user can access web services provided by service providers. The service provider (SP) is connected to an Authentication Server (AS), which in turn handles the authentication on behalf of the SP. The AS is connected to the GSM network, which enables it to communicate with the user’s mobile phone. The authenticator on the AS server communicates with the client and relays messages to the AAA server, which handles the authentication [15]. There are many limitations in the practical implementation of this solution.
Firstly, the MIDlet should already be installed on the phone by the service provider. Secondly, the current diverse range of user interfaces on different mobile phone types leads to a significant challenge for support staff. They need to be fully trained in all supported phone types to guide end users in how to use and navigate the Java MIDlet application installed on the phone.
6 The Proposed System
Traditional solutions require a user to carry a dedicated hardware token for each application. Mobile phones eliminate the need for an individual user or enterprise users to carry additional hardware tokens. In addition to two-factor authentication, the mobile phone also delivers two-way authentication. In the traditional OTP authentication mechanism [7] there is only one way: the user authenticates their identity to the application provider. One-way authentication cannot prevent phishing or spoofing attacks, where a fake website attempts to steal users’ identities by presenting itself as a legitimate commercial website. Recent studies on authentication have shown that the isolated usage of one of these solutions does not guarantee a high security level. However, it has been shown that a combination of these techniques guarantees stronger authentication, since it involves the usage of two separate authentication mechanisms.
6.1 Solution Overview
In our work we consider the disadvantages of the solutions described in section 5 and hence designed a well-structured system with two-tier security authentication. Our solution is simply to include OTP as one of the two factors in T-FA, with some modifications on the application side to achieve the desired degree of authentication for accessing a secure system. In our proposed solution, the pre-requisites are as follows:
1. A computer with internet access.
2. A mobile phone with a working SIM card.
3. An application with two consecutive intermediate screens of authentication.
We also assume that a user is already registered with an application provider and has been provided with a static userID and password to access the initial page of the application, i.e., the traditional login screen where username and password have to be entered. To get actual access to the application, the user needs one more authentication on the second intermediate screen. That is where OTP plays its role in the T-FA authentication mechanism proposed by us.
6.2 One Time Password Generation
We are using a new system of OTP generation, as shown in Fig. 1. We describe our new OTP system in the following steps:
1. A user logs in to the system with the issued username and password.
2. The application sends a notification to the host server to generate a random number (OTP), which may be composed of 6 - 8 digits.
3. The application sends this generated random number as an SMS text message to the user’s mobile phone through the internet (mobile service provider).
4. This OTP is valid per user session, i.e., until the web browser is closed or the session expires. Whenever a user logs out from the application, the given OTP is still valid as long as the particular browser window is open. The session expires only after closing the browser window or after a specified period of time.
5. Every time a user opens a new browser window and logs in to the system, a new request is made and a new OTP is generated.
6.3 Working of the System
Firstly, a user logs in to the initial screen of the application with the static userID and password allotted by the application provider at the time of registration. After successfully logging into this screen, the user is presented with one more screen having one more password option. Simultaneously, the underlying application sends a request to the host server and an OTP is generated as described in section 6.2. The user must enter this number in the intermediate screen’s password option to get actual access to the application. If the sending application does not get the response of the user entering the OTP passcode within a specified period of time, it assumes some failure in sending the passcode. So it generates a new passcode and sends it again to the user’s mobile, as depicted in flow diagram 1.
[Fig. 1. One Time Password Generation. Components shown: User, Computer (Web Browser, Network Interface), Internet, Service Provider, Web Server, Mobile, First Screen, Intermediate Screen, App. data, OTP]
[Flow diagram 1: after login the OTP is sent to the mobile; if no passcode is entered in time ("No"), a new passcode is generated and resent; on "Yes" the user proceeds to the application]
6.4 Comparison and Advantages
In our solution it is evident that we overcome all the disadvantages of the previous solutions, as follows:
1. There is no need for time factor synchronization in our system. Hence our solution does not fail.
2. In our solution we do not need any special MIDlet installed on the device by the service provider.
3. There is also no need for fully trained support staff to guide end users in how to use and navigate a Java MIDlet application installed on the phone.
4. We just use existing SMS text messages without the need to add or support additional software on the phone.
5. A user does not need to do anything at all. It is the application provider who has to modify the application so as to implement the proposed authentication system.
[Fig. 2. Our System Architecture: Login Screen, Intermediate Screen, Application Data, Application Server]
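The two-screen login of sections 6.2 and 6.3, as an added example that is not the authors' code: a static-credential first screen, a random 6-8 digit OTP sent by SMS and bound to the browser session, and re-issue of a fresh OTP when no passcode arrives within the specified period. The user table, the SMS gateway stub, the phone number and the 120 s timeout are constructed placeholders.

```python
"""Session-bound SMS OTP as the second factor (sections 6.2 and 6.3).

Added example, not the paper's code. Assumptions: a constructed user table
with salted password hashes, an SMS gateway stub that records messages
instead of sending them, a timeout of 120 s as the paper's "specified
period", and a clock value passed in by the caller so that timeouts are
deterministic in tests.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

OTP_TIMEOUT = 120  # seconds without a passcode before a new OTP is sent


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class SmsGateway:
    """Stub standing in for the mobile service provider."""
    sent: list = field(default_factory=list)   # (phone, text) pairs

    def send(self, phone, text):
        self.sent.append((phone, text))


@dataclass
class Session:
    user: str
    otp_hash: bytes = b""       # SHA-256 of the OTP; the digits live only in the SMS
    issued_at: float = 0.0
    second_factor_ok: bool = False


class TfaApplication:
    def __init__(self, sms, users):
        self.sms = sms
        self.users = users        # username -> (salt, password_hash, phone)
        self.sessions = {}        # session id -> Session

    def _issue_otp(self, session, now):
        """Steps 2 and 3: the host server generates a random 6-8 digit OTP
        and it is delivered to the user's phone as an SMS text message."""
        length = secrets.choice([6, 7, 8])
        otp = "".join(secrets.choice("0123456789") for _ in range(length))
        session.otp_hash = hashlib.sha256(otp.encode()).digest()
        session.issued_at = now
        session.second_factor_ok = False
        self.sms.send(self.users[session.user][2], f"Your one-time code is {otp}")

    def login(self, username, password, now):
        """First screen (step 1): static username/password. Returns a new
        session id and triggers the OTP for the intermediate screen."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, pwd_hash, _ = record
        if not hmac.compare_digest(hash_password(password, salt), pwd_hash):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=username)
        self._issue_otp(self.sessions[sid], now)
        return sid

    def verify_otp(self, sid, otp, now):
        """Intermediate screen. If the passcode arrives after the timeout,
        the application assumes delivery failed, sends a fresh OTP and
        rejects the old one (flow diagram 1)."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        if now - session.issued_at > OTP_TIMEOUT:
            self._issue_otp(session, now)
            return False
        given = hashlib.sha256(otp.encode()).digest()
        session.second_factor_ok = hmac.compare_digest(given, session.otp_hash)
        return session.second_factor_ok

    def logout(self, sid):
        """Step 4 as the paper states it: logging out keeps the OTP valid
        while the browser session lives; only the access flag is cleared."""
        session = self.sessions.get(sid)
        if session is not None:
            session.second_factor_ok = False

    def close_browser(self, sid):
        """Steps 4 and 5: closing the window ends the session and its OTP;
        the next login gets a new session and a new OTP."""
        self.sessions.pop(sid, None)

    def has_access(self, sid):
        session = self.sessions.get(sid)
        return session is not None and session.second_factor_ok


def make_users():
    """Constructed user table; salt, password and phone are placeholders."""
    salt = b"constructed-salt"
    return {"alice": (salt, hash_password("correct horse", salt), "+000000000000")}
```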
7 Conclusion
This paper studies two-factor authentication in detail and makes improvements accordingly. It also presents an OTP authentication system using mobile phones. TFA/OTP is a combined authentication system which aims to improve the security of web applications while maintaining security and usability through the use of a simple mobile phone. We also presented a new concept in web application design with the integration of one more intermediate screen. The proposed solution is easy to integrate into new or existing web applications. However, since it authenticates the user and executes password authentication one more time, it has the shortcoming that authentication takes more time. Therefore the proposed system is considered suitable in fields where security is emphasized over time characteristics, such as internet banking, electronic payment, medical systems and eCommerce. Currently we also have the issue of delayed SMS messages (OTP) in our system during peak hours. In our future work we are going to conduct continuous research on methods of reducing the authentication time and the SMS delay.
References
1. Schneier, B.: The Failure of Two-Factor Authentication (March 2005), http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
2. Haller, N.: The S/KEY One-Time Password System. In: Proceedings of the Symposium on Network and Distributed System Security (1994)
3. Rubin, A.D.: Independent One-Time Passwords. In: Proc. 5th UNIX Security Symposium. USENIX Association (June 1995)
4. Haller, N., Metz, C., Nesser, P., Straw, M.: A One-Time Password System. RFC 2289, IETF (1998)
5. Tittel, E., Chapple, M., Stewart, J.M. (eds.): CISSP: Certified Information Systems Security Professional. Sybex (2003)
6. Oppliger, R.: Security Technologies for the World Wide Web. Artech House (2000)
7. Lamport, L.: Password Authentication with Insecure Communication. Communications of the ACM 24(11), 770–772 (1981)
8. Cheswick, W.R., Bellovin, S.M., Rubin, A.D.: Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading (2003)
9. http://www.cryptocard.com/
10. http://www.securid.com
11. Kim, H.-C., Lee, H.-W., Lee, K.-S., Jun, M.-S.: Networked Computing and Advanced Information Management. In: Fourth International Conference on NCM 2008, September 2-4, vol. 1, pp. 18–24 (2008)
12. White Papers on Simple and Secure Enterprise Single Sign-On, http://secude.com/htm/806/en/White_Paper_Section%3A_Single_Sign-On.htm
13. How to Improve Business Results by Reducing IT Help Desk Costs through Secure Single Sign-On, http://secude.com/htm/811/en/White_Paper%3A_Enterprise_SSO.htm
14. FreeAuthProject: The FreeAuth Project, http://www.freeauth.org/site (cited March 2007)
15. Hallsteinsen, S.: Using the mobile phone as a security token for unified authentication. Department of Telematics, Norwegian University of Science and.., http://ieeexplore.ieee.org/
16. Whitman, M.E.: In defense of the realm: understanding the threats to information security. International Journal of Information Management 24(1), 43–57 (2004)
17. Lee, N.-Y., Chen, J.-C.: Improvement of One-Time Password Authentication Scheme Using Smart Cards. Oxford Journals E88-B(9), 3765–3767
18. Archer Harris, J.: OPA: A One-Time Password System. In: International Conference on Parallel Processing Workshops (ICPPW 2002), p. 25 (2002)
19. Zhu, D.: Security control in inter-bank fund transfer. Journal of Electronic Commerce Research 3(1) (2002)
Correlating Alerts into Compressed Graphs Using an Attribute-Based Method and Time Windows
Seyed Hossein Ahmadinejad and Saeed Jalili
Faculty of Electrical and Computer Engineering, Tarbiat Modares University
{ahmadinejad,sjalili}@modares.ac.ir
Abstract. Intrusion Detection Systems usually report a huge number of alerts every day. Since the abstraction level of these alerts is very low, analyzing and discovering the attack strategies behind the alerts is not easy or even possible. Alert correlation methods have been developed to decrease the number of alerts and provide a high-level abstraction of them. In this paper, we propose a method to estimate correlation probabilities between alerts. The concept of time windows is applied in a special way to decrease the complexity and increase the accuracy as well. Besides, we suggest a compression method to further reduce the number of comparisons needed for correlating alerts and to make the output of the method more intelligible. Our experiments reveal that, while the proposed correlation method performs accurately, its complexity drops noticeably compared to previous methods.
1 Introduction
Security has always been one of the great concerns about networks. An intrusion detection system (IDS) is one of the techniques developed to establish security in networks. However, alerts raised by IDSs are not so meaningful that the administrator could analyze them directly. Furthermore, IDSs generate too many alerts. Clearly, finding the strategy of an attack from primitive alerts is impossible for a human. Therefore, higher-level management is required to reduce the number of alerts and provide a brief and high-level view of the security state of the protected network. Alert correlation methods have been proposed to address this challenge. Quite a number of techniques from various approaches have been suggested. In this paper, our method is based on the fact that there are some similarities between the attributes of correlated alerts. We organize correlated alerts in different groups. When a new alert arrives, first we should find to which group it belongs and then with which alerts in that group it is correlated. Each group is divided into time windows. To find the host group of the new alert, we select some alerts from each group and compare them with the new alert. By using time windows, we avoid selecting all previous alerts for comparison, because that is not practical in the real world. To compare two alerts, a similarity vector is extracted from their attributes, such as IP, port, etc., and a correlation knowledge base. A classifier estimates their correlation probability using their similarity vector. After finding the host group, those alerts whose correlation probability with the new alert is more than a predefined threshold are correlated with the new alert. Our main contribution in this paper is a method to compress groups of correlated alerts by merging similar alerts. The remainder of this paper is organized as follows: the next section presents the main principles and steps of the proposed method. Section 3 illustrates the experiments we have done to show the abilities of our method. Section 4 discusses related works and the advantages of our method over them. The last section concludes this paper and points out some future research directions.
This project has been supported in part by the Iran Telecommunication Research Center (ITRC) under grant no. T/500/20120.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 18–25, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Alert Correlation Method
2.1 Correlation Knowledge Base
Alerts raised by an IDS have a type attribute. We use a matrix structure exactly the same as the one we defined in our previous work [1] to store the correlation strength between any two types of alerts. This matrix is incrementally updated during the alert correlation process. Actually, this matrix encodes knowledge about correlation information between all pairs of alert types. The most important information in the knowledge base is the correlation strength between alert types, which is written $CS(a_i, a_j)$ and computed as follows:
$$CS(a_i, a_j) = \sum_{k=1}^{n} p_{i,j}(k) \qquad (1)$$
where $p_{i,j}(k)$ is the probability of the $k$-th correlation between $a_i$ and $a_j$ (the types of the $i$-th and $j$-th alerts). Moreover, $n$ is the number of times these two types of alerts have been correlated.
2.2 Similarity Vectors
In order to estimate the correlation probability between two alerts, a similarity vector is created according to their attributes.
Feature 1: Source IPs Similarity. Similarity between two IPs is computed by counting the number of high-order bits in the first IP which are the same as in the other IP. The value of this feature is between 0 and 1.
Feature 2: Destination IPs Similarity. It is computed like Feature 1.
Feature 3: Destination Ports Similarity. If the destination port numbers of the two alerts are the same, this feature will be 1, otherwise it will be 0.
Feature 4: Alerts IP Chain. The value of this feature will be 1 if the source IP address of the new alert matches the destination IP address of the previous alert.
Feature 5: Alerts Type Chain. The likelihood that an alert type would be followed by another alert type. This feature is computed according to the following equation:
$$ATC(a_i, a_j) = CS(a_i, a_j) \Big/ \sum_{k=1}^{n} CS(a_k, a_j) \qquad (2)$$
Feature 6: Correlation Frequency. The number of times two alert types were correlated divided by the number of times these two types were compared.
2.3 Correlation Probability Estimation
In order to estimate the correlation probability between two alerts based on their constructed similarity vector, we use a classification method. To select the proper classifier, many classification methods were tested in terms of their accuracy. LogitBoost [2], a boosting method, with DecisionStump [2] as its base learner led to the best result. Due to space limitations, it is not possible to show the evaluation results in this paper.
2.4 Correlating Alerts
First we define a few terms which will be used in this paper:
– Alert: a primitive message raised by an IDS.
– Alert Set: a set of several alerts with the same alert type and located in the same time window (we use alert sets instead of alerts because we need a structure that can contain more than one alert).
– Front alert: the last alert inserted in an alert set.
– Hyper Alert Graph (Hyper Alert): a graph of correlated alerts whose nodes are alert sets and whose edges depict correlation between nodes.
In the first step, the classifier should be trained. We created a small training set based on the principles of correlation between alert attributes. We put alerts into alert sets to support compression, because some alerts might be merged in the compression step. Hyper alerts contain alert sets and each alert set contains one or more alerts. Each group of correlated alerts is placed in a different hyper alert. When a new alert arrives, a new alert set containing the new alert is created. The hyper alert whose alerts have the highest average correlation with the new alert should be selected as the host hyper alert. To find the host hyper alert, the new alert is compared with previous alerts spread over the hyper alerts. Since comparing the new alert with all previous alerts in all hyper alerts is time consuming, and might even be impossible due to the large number of alerts, a part of the alerts in each hyper alert is selected for comparison. For the purpose of selecting some delegate alerts from hyper alerts, we consider time windows over them. However, unlike those methods which use time windows to avoid investigating the correlation of old alerts with the new one, we just want to focus more on newer alerts, not to omit old alerts. This greater attention to recent alerts decreases the probability of being affected by too-old alerts. To do so, a few alerts, not all of them, are selected from each time window using a new technique. If there are $n$ time windows in total in a hyper alert, we select $\lambda$ alerts from time window $w_i$ (the $i$-th time window in the hyper alert) according to the following equations:
$$\beta = i \times \text{number of alerts in } w_i \,/\, n \qquad (3)$$
$$\lambda = \alpha \ast \beta \qquad (4)$$
where $\beta$ is a number less than the number of alerts in $w_i$ and $\alpha$ is a constant value (set by an expert) between 0 and 1 that helps us select even fewer alerts. We aim to pick more alerts from those time windows that are closer to the current time or contain a considerable number of alerts. As stated above, the nodes of hyper alerts are alert sets, not alerts. So, sample alert sets are picked using (4) for all time windows of a hyper alert. The new alert is compared with the front alert of each selected alert set, because there might be more than one alert in the selected alert set. To compare them with the new alert, similarity vectors are constructed and fed into the classifier. The output of the classifier for a similarity vector (the correlation probability) is multiplied by the number of alerts merged in the alert set. All correlation probabilities are added together and divided by the number of comparisons. The result, called CorrelationFactor, shows the average correlation probability between the new alert and a hyper alert. CorrelationFactor is computed for all hyper alerts. During this process, the maximum of the estimated correlation probabilities is stored for every hyper alert. Before describing the rest of the method, it is necessary to introduce two thresholds:
– Correlation Threshold: a threshold to find the host hyper alert for the new alert.
– Correlation Sensitivity: a threshold to find those alerts that are correlated with the new alert in the host hyper alert.
Once CorrelationFactor is computed for all hyper alerts, the hyper alert with the maximum value of CorrelationFactor is selected. If the maximum correlation probability in the selected hyper alert is more than the Correlation Threshold, the selected hyper alert will be the host of the new alert set. Otherwise, a new hyper alert is created and the new alert set is placed there.
In the former case, the new alert set is compared with all of the alert sets in the host hyper alert to specify which of them are correlated with it. This comparison step is done exactly like the previous step. If $p_i$ is the correlation probability between the new alert $al_{new}$ and an alert set $as_i$ in the host hyper alert and $p_{max}$ is the maximum correlation probability, $al_{new}$ is correlated with $as_i$ if the following condition evaluates to true:
$$p_{max} - p_i < \text{Correlation Sensitivity} \qquad (5)$$
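The knowledge base of section 2.1, the six features of section 2.2 and the selection rules of section 2.4 (equations (1) to (5)), as an added example; this is not the authors' implementation. Assumptions: IPv4 addresses with the common-prefix count scaled by 32, the LogitBoost classifier left out (probabilities are passed in by the caller), and λ rounded down to an integer but at least 1 for a non-empty window.

```python
"""Similarity vectors, correlation knowledge base and time-window sampling
(sections 2.1, 2.2 and 2.4).

Added example, not the paper's code. Assumptions: IPv4 addresses, with
Features 1 and 2 normalised by dividing the common prefix length by 32; the
paper's LogitBoost classifier is left out, so correlation probabilities are
supplied by the caller; lambda from eq. (4) is rounded down but is at least
1 for a non-empty window.
"""
import ipaddress
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    atype: str
    src_ip: str
    dst_ip: str
    dst_port: int


class KnowledgeBase:
    """Correlation strength matrix CS(a_i, a_j) of eq. (1) plus the
    comparison/correlation counters needed for Feature 6."""

    def __init__(self):
        self.cs = defaultdict(float)        # (t_i, t_j) -> sum_k p_ij(k)
        self.correlated = defaultdict(int)  # (t_i, t_j) -> times correlated
        self.compared = defaultdict(int)    # (t_i, t_j) -> times compared

    def record_comparison(self, t_i, t_j):
        self.compared[(t_i, t_j)] += 1

    def record_correlation(self, t_i, t_j, prob):
        # eq. (1): CS is the running sum of the k-th correlation probabilities
        self.cs[(t_i, t_j)] += prob
        self.correlated[(t_i, t_j)] += 1

    def type_chain(self, t_i, t_j):
        # eq. (2): ATC(a_i, a_j) = CS(a_i, a_j) / sum_k CS(a_k, a_j)
        total = sum(v for (_, j), v in self.cs.items() if j == t_j)
        return self.cs[(t_i, t_j)] / total if total else 0.0

    def frequency(self, t_i, t_j):
        # Feature 6: times correlated / times compared
        n = self.compared[(t_i, t_j)]
        return self.correlated[(t_i, t_j)] / n if n else 0.0


def ip_similarity(a, b):
    """Features 1/2: number of equal high-order bits, scaled to [0, 1]."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return (32 - diff.bit_length()) / 32


def similarity_vector(prev, new, kb):
    """The six features for the pair (previous alert, new alert)."""
    return [
        ip_similarity(prev.src_ip, new.src_ip),         # Feature 1
        ip_similarity(prev.dst_ip, new.dst_ip),         # Feature 2
        1.0 if prev.dst_port == new.dst_port else 0.0,  # Feature 3
        1.0 if prev.dst_ip == new.src_ip else 0.0,      # Feature 4: IP chain
        kb.type_chain(prev.atype, new.atype),           # Feature 5: type chain
        kb.frequency(prev.atype, new.atype),            # Feature 6
    ]


def sample_count(i, n, alerts_in_window, alpha):
    """Eqs. (3) and (4): how many alert sets to sample from window w_i."""
    if alerts_in_window == 0:
        return 0
    beta = i * alerts_in_window / n          # eq. (3)
    return max(1, math.floor(alpha * beta))  # eq. (4), floored (assumption)


def correlation_factor(samples):
    """CorrelationFactor: each sampled alert set contributes its classifier
    probability times the number of alerts merged into it; the sum is
    divided by the number of comparisons. `samples` is a list of
    (probability, merged_alert_count) pairs."""
    if not samples:
        return 0.0
    return sum(p * size for p, size in samples) / len(samples)


def choose_host(hyper_alerts, threshold):
    """Pick the hyper alert with the highest CorrelationFactor; it hosts the
    new alert only if its maximum probability exceeds Correlation Threshold.
    `hyper_alerts` maps id -> non-empty list of (probability, merged_count)."""
    if not hyper_alerts:
        return None
    best = max(hyper_alerts, key=lambda h: correlation_factor(hyper_alerts[h]))
    p_max = max(p for p, _ in hyper_alerts[best])
    return best if p_max > threshold else None


def correlated_sets(probs, sensitivity):
    """Eq. (5): alert sets whose probability lies within Correlation
    Sensitivity of the maximum are correlated with the new alert."""
    if not probs:
        return []
    p_max = max(probs.values())
    return sorted(k for k, p in probs.items() if p_max - p < sensitivity)
```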
After correlating two alert sets, their corresponding cell in the correlation knowledge base is updated. Eventually, each group of correlated alerts gathers in a different hyper alert. Furthermore, there is a hyper alert compression method which is used during the correlation process, not only to further reduce the number of comparisons but also to suppress abundant details. Although it might have a small effect on the accuracy of the system, this degradation can be controlled by means of a threshold, which will be explained in the next section. The frequency of the compression process is specified by a security expert.
3 Compression Method
As new alerts arrive, the size of the hyper alerts grows, and so does the number of comparisons. On the other hand, there are some nodes (alert sets) that are very similar in their relations with other nodes, and we can merge some of them to boost performance, even though with a negligible decrease in accuracy. First, we define some variables and functions for a node $as_i$ (alert set) in a hyper alert:
– $as_i.parent$: the set of nodes (alert sets) connected to $as_i$.
– $as_i.children$: the set of nodes (alert sets) to which $as_i$ is connected.
– $subtract(set_1, set_2)$: $set_1$ with those nodes that exist in $set_2$ removed.
– $size(set_1)$: the number of elements (alert sets) in $set_1$.
Two alert sets $as_i$ and $as_j$ merge together in the compression phase if all of the following statements evaluate to true:
– $as_i$ and $as_j$ are in the same time window.
– $as_i$ and $as_j$ have the same alert type.
– $1 - \dfrac{size(subtract(as_i.children, as_j.children))}{size(as_i.children)} > Strictness$
– $1 - \dfrac{size(subtract(as_j.children, as_i.children))}{size(as_j.children)} > Strictness$
– $1 - \dfrac{size(subtract(as_i.parent, as_j.parent))}{size(as_i.parent)} > Strictness$
– $1 - \dfrac{size(subtract(as_j.parent, as_i.parent))}{size(as_j.parent)} > Strictness$
To merge two alert sets, a new alert set is created with the union of the alerts contained in the two alert sets and the union of their relations with other alert sets. For repeated edges, only one of them is stored, but the number of repetitions is also kept to show its strength. Strictness is a threshold between 0 and 1 defined by the administrator to control the trade-off between accuracy and performance. The higher the Strictness, the less the hyper alert is compressed. The merging process continues as long as there is a pair of alert sets which can merge according to the above conditions.
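The merge conditions and the merge step of this section run over a small constructed hyper alert, as an added example that is not the authors' code. Assumptions: a hyper alert is a dict of alert sets keyed by id, an empty neighbour set counts as fully overlapping (to avoid division by zero), and an edge between the two sets being merged is dropped rather than kept as a self-loop.

```python
"""Hyper alert compression by merging similar alert sets (section 3).

Added example, not the paper's code. The hyper alert is a directed graph:
node.children holds the ids this node points to, node.parent the ids that
point to it, each with the number of repeated edges (edge strength).
Assumptions: an empty neighbour set is treated as fully overlapping, and an
edge between the two merged sets (which would become a self-loop) is dropped.
"""
from dataclasses import dataclass, field


@dataclass
class AlertSet:
    sid: int
    atype: str
    window: int
    alerts: list = field(default_factory=list)
    children: dict = field(default_factory=dict)  # neighbour id -> edge count
    parent: dict = field(default_factory=dict)    # neighbour id -> edge count


def add_edge(graph, src, dst):
    """Store a repeated edge once and count its repetitions."""
    graph[src].children[dst] = graph[src].children.get(dst, 0) + 1
    graph[dst].parent[src] = graph[dst].parent.get(src, 0) + 1


def overlap(a, b):
    """1 - size(subtract(a, b)) / size(a) over the neighbour id sets."""
    if not a:
        return 1.0  # assumption: nothing to subtract from, full overlap
    return 1.0 - len(set(a) - set(b)) / len(a)


def can_merge(x, y, strictness):
    """All six merge conditions of section 3."""
    return (
        x.window == y.window
        and x.atype == y.atype
        and overlap(x.children, y.children) > strictness
        and overlap(y.children, x.children) > strictness
        and overlap(x.parent, y.parent) > strictness
        and overlap(y.parent, x.parent) > strictness
    )


def merge(graph, x, y):
    """Replace x and y by a new alert set holding the union of their alerts
    and of their relations; edge counts to a shared neighbour are summed."""
    new_id = max(graph) + 1
    new = AlertSet(new_id, x.atype, x.window, x.alerts + y.alerts)
    for old in (x, y):
        for nid, cnt in old.children.items():
            if nid in (x.sid, y.sid):
                continue  # edge between the merged pair: dropped (assumption)
            new.children[nid] = new.children.get(nid, 0) + cnt
            node = graph[nid]
            node.parent[new_id] = node.parent.get(new_id, 0) + node.parent.pop(old.sid, 0)
        for nid, cnt in old.parent.items():
            if nid in (x.sid, y.sid):
                continue
            new.parent[nid] = new.parent.get(nid, 0) + cnt
            node = graph[nid]
            node.children[new_id] = node.children.get(new_id, 0) + node.children.pop(old.sid, 0)
    del graph[x.sid]
    del graph[y.sid]
    graph[new_id] = new
    return new


def compress(graph, strictness):
    """Keep merging while some pair satisfies the conditions."""
    merged = True
    while merged:
        merged = False
        ids = sorted(graph)
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                if can_merge(graph[a], graph[b], strictness):
                    merge(graph, graph[a], graph[b])
                    merged = True
                    break
            if merged:
                break
    return graph


def build_sample():
    """Constructed hyper alert: one Sadmind_Ping set pointing to two Admind
    sets in the same window, which both point to one overflow set."""
    g = {
        0: AlertSet(0, "Sadmind_Ping", 0, ["a0"]),
        1: AlertSet(1, "Admind", 1, ["a1"]),
        2: AlertSet(2, "Admind", 1, ["a2"]),
        3: AlertSet(3, "Sadmind_Amslverify_Overflow", 2, ["a3"]),
    }
    for src, dst in [(0, 1), (0, 2), (1, 3), (2, 3), (1, 3)]:
        add_edge(g, src, dst)
    return g
```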
4 Experimental Results
4.1 Method Validation
To evaluate our method, we used DARPA2000 dataset [3]. There are 2 attack scenarios: LLDOS1.0 and LLDOS2.0.2. In the both scenarios a novice attacker tries to install components necessary to run a Distributed Denial of Service, and then launch a DDOS at a US government site. We tested our method on both
Correlating Alerts into Compressed Graphs
[Figure 1 (graph not reproduced): hyper alert graph for LLDOS1.0. Nodes: 0:Admind, 1:Sadmind_Ping, 3:Admind, 6:Admind, 7:Sadmind_Amslverify_Overflow, 34:Rsh, 41:Mstream_Zombie, 49:Mstream_Zombie, 52:Rsh, 53:Mstream_Zombie, 54:TelnetTerminaltype, 55:TelnetXdisplay, 56:TelnetEnvAll, 57:Mstream_Zombie; edge labels give the number of repetitions of each edge.]
Fig. 1. Hyper alert graph created for LLDOS1.0
datasets, but due to space limitations we can illustrate the result of our experiments only on the first dataset. We used RealSecure to generate alerts for the datasets. Figure 1 displays the hyper alert built for LLDOS1.0. RealSecure does not raise any alert for the first step of the attack, but a few 'Sadmind_Ping' alerts are generated when the attacker tries to find out which hosts are running the 'sadmind' remote administration tool. Then the attacker tries to penetrate the hosts recognized as vulnerable in the previous step, so the IDS raises several 'Admind' and 'Sadmind_Amslverify_Overflow' alerts. For the fourth step, logging into the victims and installing the 'mstream' software causes five types of alerts: 'Rsh', 'TelnetXdisplay', 'TelnetEnvAll', 'TelnetTerminaltype' and 'Mstream_Zombie'. The last stage of the attack, which leads to a few 'stream-DOS' alerts, could be included in the hyper alerts by initializing the corresponding cells of the knowledge base with proper values. As can be seen in Fig. 1, all alerts were accurately correlated.

4.2 Method Evaluation
In this section, we compare three configurations of our implementation to show the effectiveness of the method. In the first configuration we used neither time windows nor the compression method: a new alert is compared with all received alerts. In the second configuration we added time windows, and the third configuration is our complete correlation method. Figure 2 shows the differences between these configurations in terms of the number of comparisons. Evidently, the number of comparisons in the first configuration is almost four times that of the third configuration, because the compression method merges similar nodes and reduces the number of candidate alerts for comparison. However, according to Fig. 3, the second configuration performed better than the others in
S.H. Ahmadinejad and S. Jalili
[Figure 2 (chart not reproduced): number of comparisons (thousands, 0 to 450) per dataset (LLDOS1.0, LLDOS2.0.2) for configurations C1, C2 and C3.]
Fig. 2. No. of comparisons in the three configurations

[Figure 3 (chart not reproduced): error (0 to 10) per dataset (LLDOS1.0, LLDOS2.0.2) for configurations C1, C2 and C3.]
Fig. 3. Errors in the three configurations
regard to accuracy, because it avoids comparing the new alert with very old alerts, which can deflect our method from working correctly. Since the compression procedure merges some nodes, it naturally loses some details; this has a small impact on the error rate of the correlation system, which is still much better than in the first configuration.
5 Related Works

A class of alert correlation methods aims to find causal relationships among alerts through their pre- and post-conditions [4,5,6]. If the post-conditions of an alert satisfy the pre-conditions of another alert, they are correlated. Specifying pre- and post-conditions is time-consuming and error-prone. Additionally, if there is no causal relationship between two alerts, they will not be correlated. The second group of alert correlation techniques consists of methods based on pre-defined attack scenarios [7,8]. If alerts contribute to the construction of a predefined attack scenario, they are correlated. Unfortunately, it is not reasonable to assume that the defender can reliably know all vulnerabilities on the network in order to create a complete attack graph. Moreover, if the attacker launches an unknown attack, these methods cannot work properly. Some methods utilize machine learning techniques for alert correlation [9,10,11]. Our work in this paper is somewhat similar to [11]. However, the method proposed in [11] seems costly and impractical: comparing the new alert with all received alerts, as done in [11], is not practical. Finally, temporal methods [12,13] correlate alerts according to their temporal relationships. This class of methods is capable of correlating alerts that may contribute to unknown attacks, but if the attacker inserts delays into his attack strategy, he can evade the security system. The way we apply time windows resolves this problem to a great extent.
6 Conclusion and Future Works

In this paper, we proposed a method that employs a classifier to estimate the correlation probability between alerts based on their attributes. Correlated alerts are
organized in several hyper alerts. Since recent alerts are more important in correlation, we consider time windows over hyper alerts. Hyper alerts are compressed at a predefined frequency by merging those alert sets that are very similar and were raised in the same time window. According to the experiments, compression greatly reduces the number of comparisons. Our method can discover unknown attacks because it does not depend on domain knowledge about known attacks. In our future research, we will develop a technique to find the values of the thresholds and variables automatically during the correlation process.
References

1. Ahmadinejad, S.H., Jalili, S.: Alert correlation using correlation probability estimation and time windows. In: International Conference on Information Theory and Engineering, Kota Kinabalu, Malaysia. IEEE Computer Society CPS, Los Alamitos (2009)
2. Friedman, J., Hastie, T., Tibshirani, R.: Additive logistic regression: A statistical view of boosting. Annals of Statistics, 337–374 (2000)
3. DARPA 2000 intrusion detection evaluation datasets (2000), http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html
4. Ning, P., Cui, Y.: An intrusion alert correlator based on prerequisites of intrusions. Technical Report TR2002-01, Department of Computer Science, North Carolina State University (2002)
5. Ning, P., Xu, D.: Learning attack strategies from intrusion alerts. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 200–209. ACM, New York (2003)
6. Templeton, S., Levitt, K.: A requires/provides model for computer attacks. In: Proceedings of the 2000 Workshop on New Security Paradigms, pp. 31–38. ACM, New York (2001)
7. Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Computer Communications 29(15), 2917–2933 (2006)
8. Siraj, A., Vaughn, R.: A cognitive model for alert correlation in a distributed environment. In: Kantor, P., Muresan, G., Roberts, F., Zeng, D.D., Wang, F.-Y., Chen, H., Merkle, R.C. (eds.) ISI 2005. LNCS, vol. 3495, pp. 218–230. Springer, Heidelberg (2005)
9. Li, Z., Zhang, A., Lei, J., Wang, L.: Real-Time Correlation of Network Security Alerts. In: Proceedings of the IEEE International Conference on e-Business Engineering, pp. 73–80. IEEE Computer Society, Washington (2007)
10. Dain, O., Cunningham, R.: Fusing a heterogeneous alert stream into scenarios. Applications of Data Mining and Computer Security (2002)
11. Zhu, B., Ghorbani, A.: Alert correlation for extracting attack strategies. International Journal of Network Security 3(3), 244–258 (2006)
12. Qin, X., Lee, W.: Statistical causality analysis of infosec alert data. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 73–93. Springer, Heidelberg (2003)
13. Benjamin, M., Herve, D.: Correlation of Intrusion Symptoms: An Application of Chronicles. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 94–112. Springer, Heidelberg (2003)
A Study on Secure Contents Using in Urban Computing

Hoon Ko¹, Jongmyung Choi², and Carlos Ramos¹

¹ GECAD, Institute of Engineering Polytechnic of Porto, Rua Dr. Antonio Bernardino de Almeida, 431, 4200-072 Porto, Portugal
[email protected], [email protected]
² Department of Computer Engineering, Mokpo National University, 61, Dorim-Li, Chyounggye-Myeun, Muan-Gun, Jeon-nam, S. Korea
[email protected]

Abstract. Urban computing provides services by taking into account the user's devices and the environment near the user's location. The user's movement can be detected by sensors through the contexts generated while the user moves, and the user's next move can be predicted from these detected contexts. As the user moves, the number of contexts grows, and the more users there are, the more contexts the sensors detect. Consequently, many users and devices are exposed to attack, yet existing urban computing systems do not sufficiently address a security module. We studied how urban computing can be used safely, and in this paper we suggest a way to secure the contents used in urban computing.

Keywords: Urban Computing, Context-Aware, Contents, Spam-mail, Authentication / Authorization.
1 Introduction

The aim of urban computing is to continually provide services between users and the space / environment information near moving users [3]. That is, users can receive all services while moving, over their devices, through organic processing between the user's environment and the space environment. The relations among users, and between users and urban constituents, are very important in urban space, because users usually ask for useful services while moving and would like to receive the services they want from shops without stopping. Users may want such information periodically, or during their shopping. These days, sending information to users is usually done by SMS or letter. Although some companies do respond to user requests, there are still problems such as missing product details and sending information to users who do not want it, which may be considered SPAM mail in the future. In any case, to receive the information they want, users first have to register their requests with the shops (each shop has a server called the contents provider, CP). The CP must keep this information up to date, and a certificate server (CS) and a secure server (SS) should control the security service between contents servers and users. CS and SS also have to watch for attacks by attackers. If attackers

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 26–34, 2009. © Springer-Verlag Berlin Heidelberg 2009
illegally put their information into a CP, the users in its database may receive unwanted information. To prevent these problems, the CS has to perform an authentication that confirms the integrity of each request. This article is composed of four sections. Section 1 is the introduction; we explain our proposed secure context operation in Section 2; Section 3 contains some discussion; and we conclude in Section 4.
2 Secure Context Operating

2.1 Security Functions

We explain the mission of each of the four components for secure processing in urban computing, namely the context detector, context collector, context analyzer and context allocator [Fig. 1] [4].

Context Detector (CD): the CD detects all context changes.
Context Collector (CC): the CC gathers all contexts from the CD. The first stage of security processing (authentication / authorization) is this component's job. All contexts detected by the sensors are transferred to the security framework [4][9], where they undergo security processing; based on this process, the framework decides whether or not to set a security level.
Context Analyzer (CA): the CA defines the security policy for the contexts received from the CC.
Context Allocator (CoA): the CoA arranges the contexts appropriately for each module.
Fig. 1. Security Functions
2.2 Urban Life

User A and user B have to register their requests for the product information they want before they start moving. Also, each shop has to keep its product information up to date in the CP [Fig. 2].
H. Ko, J. Choi, and C. Ramos

Table 1. Definition
Symbol | Name
C      | Contents
CS     | Certificate Server
CP     | Contents Provider
SS     | Secure Server
[Figure 2 (diagram not reproduced): secure servers SS.1 to SS.3 and contents providers CP.1 to CP.6 serving shops A.Shop, B.Shop and C.Shop. Each CP keeps a 'Safe CP / Users' table mapping contents providers to registered users (e.g. A.CP = User[A, E, ..., G, H], B.CP = User[A, B, D, ..., G, I], D.CP = User[E, ..., G], G.CP = User[B, D, ..., I]) and a per-user 'Asked List'. The shops put their product information into their CPs for each user; users (A.User, B.User, H.User, ...) ask for contents (A.C, B.C, H.C). The CPs forbid putting unauthorized / unauthenticated shop information; the secure servers control all SS / users and the CPs, and support the detailed contents information of all products. Legend: C: Contents, CP: Contents Provider, SS: Secure Server, CS: Certificate Server.]
Fig. 2. Urban Life. User A / user B have to register the information they request before they start moving.
Therefore, the CP keeps the users' requested items and the product contents registered by the shops, and then sends information to the user's device according to the relations between the tables in its databases. The symbols used are defined in Table 1.

2.3 Each Step

Each user puts his request into the shop's computer as shown below. (The shops register their information in the CP associated with them: CP.1 controls A.Shop and CP.2 manages B.Shop.)

// A.Shop.CP.1 / B.Shop.CP.2
A.User's Asking::[/P.1.Cont.2/P.2.Cont.1/]->CP.1
A.User's Asking::[/P.3.Cont.1/]->CP.2
B.User's Asking::[/P.2.Cont.1/P.2.Cont.1/]->CP.2
Fig. 3. Steps
Fig. 4. CP, contents and user certificates. CS keeps the security information of SS, and SS controls the CPs and users.

Each CP detects a user's movement when the user is in its area. As soon as the CP becomes aware of user A, it transfers the requested contents to user A.
Fig. 5. New user
2.4 Security Processing

If the CS receives a request from a CP to confirm an SS, the CS processes it. Basically, the CS follows the structures and policies of PKI. The SS is responsible for the authentication of CPs and users; it therefore manages the security information of users and CPs and can send the security results to either side if they want them. Generally, the SS also processes user confirmation through the CS. Consider user D, who did not register his information in CP.1 and SS.1, so CP.1 and SS.1 have no information about user D. Consequently, CP.1 and SS.1 will reject user D without hesitation as soon as user D makes a request [Fig. 4, red line]. If user D wants to receive product information from them in the near future, he first has to put his request to the shop (1). CP.1 transfers the user's request information to SS.1, and SS.1 confirms CP.1 / user D (2). Of course, SS.1 first identifies the CP.1 request through user D (3)(4). Once SS.1 replies with the result to CP.1, all processing for user D is finished (5)(6) [Fig. 5].
3 Discussion

3.1 Algorithm

Table 2 lists the notation used in the analysis in this article. In this research, we suppose that there are N users, randomly distributed over the network channels (shops). Each user moves in his own way. The simulation model is:

    Model Initial {
        n = N, Ti = user avg. inactivation time       / arrival schedule of first asking
        Contents asking / processing                  / processing and contents beginning schedule for arrival
        n = n - 1                                     / schedule
        (time() + expntl(Ti / n)) * f(xn * wn)        / next arrival asking
    }
Table 2. Notation
Symbol  | Contents
xn      | The number of users (1, 2, ..., n)
yn      | Output values of each user
wi      | Weight (e.g. security rate, power, etc.)
f1      | Activation function for users * weight
f2      | Activation function for transferring time * contents size
sn      | Contents size of user n
tn      | Transferring time
T       | Critical values
b       | Bias point
Cost(C) | Total cost
Fig. 6. Cost model
Fig. 6 shows the cost estimation that arises when contents are transferred through the proposed model. We feed the user's information into the proposed algorithm as the activation inputs of the user, that is, users, weight, message size and transferring time. Formula 1 is the cost generation algorithm for user i.

$y_i = f_1(x_i \times w_i) + f_2(s_i \times t_i)$   (Formula 1)

The total cost is defined as in Formula 2.

$\mathrm{Cost}(C_n) = f_1(x_n \times w_n) + f_2(s_n \times t_n)$   (Formula 2)

The cost for users is computed as the sum of (the number of users * weight, Formula 3) and (transferring time * contents size, Formula 4):

$f_1(x_n \times w_n) = x \cdot w^T = [x_1, x_2, \ldots, x_n] \begin{bmatrix} w_1 \\ w_2 \\ \vdots \\ w_n \end{bmatrix} = x_1 w_1 + x_2 w_2 + \ldots + x_n w_n$   (Formula 3)

$f_2(s_n \times t_n) = s \cdot t = [s_1, s_2, \ldots, s_n] \begin{bmatrix} t_1 \\ t_2 \\ \vdots \\ t_n \end{bmatrix} = s_1 t_1 + s_2 t_2 + \ldots + s_n t_n$   (Formula 4)
Table 3. Experiment
Items                       | Contents
The number of CS            | 1
The number of SS            | 2
The number of CP            | 3
The number of CP per user   | 1.4
The number of users         | 100
Content length (size)       | Random (100)
Key length for security     | 512 bits
Link delay                  | 10 ms
Stay time per user (sec)    | Random (100)
Empty CRL size (structure)  | 55 kb
Simple certificate size     | 1 kb
Experiment time             | 1000 sec
The experimental environment is given in Table 3. CROSSCERT, a security company (VeriSign) in Korea, usually assigns one CRL file per 1000 certificates; an empty CRL is 55 kb in size, and each certificate is assigned 3 kb. However, according to our analysis of our own certificate, the size of a certificate is normally around 1 kb (if we use the extension area of the certificate, the size will be larger than 1 kb in the future). So we define the average certificate size as 1 kb in this article.

3.2 Result of Experiments

In the experiment, the number of CPs is used as x_n. In the future, the user variables will be defined from the users' requests.

CASE 1: User A wants to receive information from 2 CPs; the weight of CP.1 is 0.5 and that of CP.2 is 0.3. The content size in CP.1 is 4 and in CP.2 is 2, and the transferring times are 0.3 and 0.4 respectively.

ANSWER 1: $f_1(x_n \times w_n) + f_2(s_n \times t_n) = \{(2 \times 0.5) + (2 \times 0.3)\} + \{(4 \times 0.3) + (2 \times 0.4)\} = 1.6 + 2.0 = 3.6$
So the total cost for user A is 3.6. We applied this algorithm in the same way to 100 users, letting them sequentially enter the experiment area (service area) during the experiment time. Table 4 gives the average interarrival time, the average waiting time in the queue and the average cost.

Table 4. Results
Item         | Interarrival Time | Waiting Time in Queue | Total Cost
Average Time | 4.47              | 3.47                  | 0.57
Fig. 7. The result of experiment
The average time to enter the service area is 4.47 sec. The service time from the CP after entering that area is 3.47 sec; we call this the waiting time in queue. This waiting time is used in the notation (Table 2) as a kind of weight, so if the waiting time gets longer, the total cost increases. Finally, the average total cost over the 100 users is 0.57. Fig. 7 shows the result of the experiment: 33 users have a total cost between 0 and 2, which is the minimum cost, and the maximum cost, 16, is reached by 2 users.

4 Conclusion

We studied how users can safely receive the information they request, while moving, from the CPs near them. We partially put in place an algorithm for security between users and CPs, such as authentication. However, some points, such as the user variables and the user and CP weights, are still not researched in sufficient detail. Therefore, we need to study these issues in more detail in the future, and further study how to respond to security changes of users and CPs.

Acknowledgments. This work is partially supported by the Portuguese Foundation for Science and Technology (FCT) under the Ciência 2007 program for the hiring of Post-PhD researchers.
References

1. IST Advisory Group: Scenarios for Ambient Intelligence in 2010. European Commission (2001)
2. Ramos, C., Augusto, J.C., Shapiro, D.: Ambient intelligence: the next step for artificial intelligence. IEEE Intelligent Systems 23(2), 15–18 (2008)
3. Franinovic, K., Visell, Y.: Modulating Urban Atmospheres: Opportunity, Flow, and Adaptation. In: Urban Computing Conference 2005, Metapolis and Urban Life Workshop Proceedings, pp. 82–87 (2005)
4. Ko, H., Ramos, C.: A Study on Security Framework for Ambient Intelligent Environment (ISyRAmI SF: ISyRAmI Security Framework). In: ICWMC 2009, pp. 93–98 (2009)
5. Ma, M.: Authorization delegation for u-City in subscription-based. Computers & Security, 371–378 (2006)
6. Yang, S.J.H.: Context-Aware Ubiquitous Learning Environments for Peer-to-Peer Collaborative Learning. Educational Technology & Society, 188–201 (2006)
7. Chen, G., Kotz, D.: A Survey of Context-Aware Mobile Computing Research. Technical Report TR2000-381, Dartmouth College, Hanover, NH, USA
8. Ward, A., Jones, A., Hopper, A.: A new location technique for the active office. IEEE Personal Communications 4(5), 42–47 (1997)
9. Ma, M.: Authorization delegation for u-City in subscription-based. Computers & Security, 371–378 (2006)
10. Meiier, R., Cahill, V.: Location-Aware Event-Based Middleware: A Paradigm for Collaborative Mobile Applications. Computers & Security, 371–378 (2006)
11. Yang, S.J.H.: Context-Aware Ubiquitous Learning Environments for Peer-to-Peer Collaborative Learning. Educational Technology & Society, 188–201 (2006)
12. Vieira, M.S., Rosa, N.S.: A Reconfigurable Group Management Middleware Service for Wireless Sensor Networks. In: MPAC 2005, November 2005, pp. 1–8 (2005)
13. Sivaharan, T., Blair, G., Coulson, G.: GREEN: A Configurable and Re-configurable Publish-Subscribe Middleware for Pervasive Computing. In: Meersman, R., Tari, Z. (eds.) OTM 2005. LNCS, vol. 3760, pp. 732–749. Springer, Heidelberg (2005)
Shadow Generation Protocol in Linguistic Threshold Schemes

Marek R. Ogiela and Urszula Ogiela
AGH University of Science and Technology, Al. Mickiewicza 30, PL-30-059 Krakow, Poland
{mogiela, ogiela}@agh.edu.pl

Abstract. The field of secret splitting algorithms has recently seen solutions based on using syntactic methods to create further information used as an additional component of the split secret. One such solution comprises linguistic threshold schemes, which use context-free grammars to code the input string representing the shared secret. This study describes a general protocol for creating secret components using this approach. This solution allows the known, traditional secret sharing algorithms to be extended into algorithms executed in a hierarchical way. Such methods can then be used to split and manage information in various information structures that have linear characteristics or divisional dependencies.

Keywords: Secret sharing, threshold schemes, information management.

1 Introduction

One important problem related to using information splitting or sharing algorithms is the ability to use them for the intelligent management and distribution of important data. Such operations are carried out in modern enterprises, corporations and state institutions. In this case, information management is particularly important with regard to data that is strategic for the given organisation. It requires the use of intelligent solutions that allow data to be allocated according to certain rights. This has led to the need to develop new, advanced algorithmic solutions that facilitate such an intelligent allocation of important data, and then allocate the appropriate parts to the decision-making groups at various management levels, or to those having the appropriate access rights to the shared data of a strategic nature. Obviously, two types of structural information split can be distinguished: the split can, for example, be hierarchical or by layers. The principal difference between these types of splits concerns the method of introducing the split itself. When a split is made within homogeneous, uniform groups of layers, it is a layer split, whereas if the split is made regardless of the homogeneity of the group or layer but by reference to several groups ordered hierarchically, it is a hierarchical split. Information can be divided both within the entire structure in which some hierarchical dependency is identified, or within a given group as well as within any

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 35–42, 2009. © Springer-Verlag Berlin Heidelberg 2009
M.R. Ogiela and U. Ogiela
homogeneous layer. This is why, depending on the type of information split, it makes sense to identify correctly selected information splitting algorithms. Algorithms for the multi-level splitting of confidential or secret information are designed using structural analysis and the linguistic recording of data. The structural analysis used for this kind of task is based on the analysis of the structure of the business organisation and can be designed for a specific organisation, or splitting and sharing algorithms can be designed for a broader group of organisations, which shows that the method is universal. However, one must be aware that the group should be homogeneous in terms of the structure of the organisations forming part of it. Another important component of information splitting algorithms is the use of linguistic data recording methods [13]. This type of information recording and presentation refers to syntactic data analysis. The key in this approach is that it uses mathematical formalisms and linguistic methods which allow an additional stage to be introduced that enhances the functionality of classical threshold schemes of information sharing [3, 4, 10, 12, 16]. Such enhanced linguistic schemes and information splitting protocols will be presented in this paper.
2 Shadow Generation Protocol in Linguistic Schemes

First, a generalised algorithm will be described that allows coding to be carried out using the approach of mathematical linguistics. Context-free grammars will be used here to introduce an additional stage of coding the input representation of the shared data, or of the secret allocated in a hierarchical way. In practice, the use of such a grammar allows us to strengthen the secret splitting algorithm used and to obtain a certain additional secret (a part of the split information) in the form of the rules of the formal grammar used. The general methodology of using formal languages to enhance a traditional threshold scheme is as follows:

1. one of the classical secret sharing schemes (e.g. Shamir's, Blakley's or Tang's algorithm [6, 14, 16]) is used to encode the input secret;
2. the split data is transformed into a bit sequence;
3. a new formal grammar is defined which generates the bit or bit-block positions for the shared data;
4. the bit (or bit-block) sequence is parsed with an analyser defined for the introduced grammar;
5. the parsing generates a sequence of grammar rules which allow the bit representation of the shared secret to be generated;
6. the secret represented by a sequence of production numbers is split using the threshold scheme selected (in step 1);
7. shadows are distributed to the particular participants of the protocol.

These stages determine the basic actions necessary to generate the components of the shared information which can be communicated to the participants of the entire procedure of allocating the split data. A proposal for splitting information using context-free grammars is presented in Fig. 1.
Shadow Generation Protocol in Linguistic Threshold Schemes
37
Fig. 1. A linguistic threshold scheme. The enhancement consists in using a grammar at the stage of changing the bit representation into sequences of numbers of grammar rules.
The solution presented in Fig. 1 shows how the selected information is converted into its bit or bit-block representation, which is coded using the proposed grammar. The coded form of the information can then be split in the way presented in Figure 1. This is an (m, n)-threshold split, in which any m of the n generated components are necessary and sufficient to reconstruct the split secret; every such set of m components allows the secret to be successfully reconstructed. However, combining these components yields only the coded contents of the secret, and decoding the input information from it requires the grammatical reasoning methods (i.e. the meaning analysis methods) of the grammar. The proposed modification of a threshold algorithm for information splitting and sharing consists in using a grammar at the stage of converting the bit representation into sequences of numbers of linguistic rules of the grammar. After this transformation is completed, any secret splitting scheme can be used, and the components can be distributed among any number n of protocol participants. If the allocation of grammatical rules remains a secret, then this is an arbitration protocol in which the reconstruction of the secret by the authorised group of shadow owners requires the involvement of a trusted arbitrator who has the information on the grammar rules. If the grammar is disclosed, the secret can be reconstructed without the involvement of a trusted person, just on the basis of the secret components possessed by the authorised group of participants of the information splitting algorithm.
The proposed information sharing algorithm may apply to the execution of any classical (m, n)-threshold secret sharing algorithm. In the case of data splitting and sharing algorithms, the split secret is not the bit sequence itself but the sequence composed of the numbers of the syntactic rules of the grammar introduced for the splitting. Depending on its structure and type, it can contain values of two or more bits. This is why the stage of converting the bit representation of the shared secret can also be generalised from the version coding single bits to the coding of bit blocks of various lengths. However, to avoid too many generation rules in the defined grammar, it is worth imposing a restriction on the length of the coded bit blocks in the proposed scheme. It seems easy and natural to consider bit blocks no longer than 4-5 bits. To illustrate the idea of enhanced linguistic coding, a generalised version of a linguistic information splitting algorithm will be presented for a grammar that converts blocks of several bits.

G = (VN, VT, SP, STS), where:
VN = {SECRET, BIT_BLOCK, 1B, 2B, 3B, 4B, 5B} – a set of non-terminal symbols
VT = {ONE BIT, TWO BITS, THREE BITS, FOUR BITS, FIVE BITS, λ} – a set of terminal symbols which define each bit block value; λ denotes the empty symbol
STS = SECRET – the grammar start symbol
The production set SP is defined as follows:
1. SECRET → BIT_BLOCK
2. BIT_BLOCK → BIT_BLOCK BIT_BLOCK
3. BIT_BLOCK → 1B | 2B | 3B | 4B | 5B
4. BIT_BLOCK → λ
5. 1B → ONE BIT
6. 2B → TWO BITS
7. 3B → THREE BITS
8. 4B → FOUR BITS
9. 5B → FIVE BITS

This type of grammar allows more complex information coding tasks to be executed: the information is converted into its bit representation and in the next step into a record of 2, 3, 4 or 5-bit clusters, which become the basis for coding the original information. With regard to the linguistic enhancement of threshold schemes presented here, it is notable that the level of security achieved is independent of the length of the blocks subjected to conversion with the rules of the introduced grammar. The methods of multi-level information splitting or sharing presented in this chapter, which use bit blocks of various lengths, show how information splitting algorithms can be significantly enhanced by adding elements of linguistic and grammatical data analysis. This is a novel solution. The length of the bit blocks has a major impact on the speed and length of the stage of coding the input information representation, which is the stage that prepares the information to be coded as a secret.
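The seven-step protocol of Section 2 carried through with the grammar G above, as an added worked example (it is not the authors' code). The secret is turned into a bit string, parsed into blocks of up to five bits so that the derivation is recorded as the sequence of production numbers 1 to 9, and that sequence, rather than the raw bits, is what the (m, n)-threshold scheme splits. Three things the paper leaves open are assumptions made here: the threshold scheme is Shamir's over GF(p) with p = 2^521 - 1; each terminal bit-block value is inlined after the rule number that produced it, since the rule numbers alone do not carry the bits; and rule numbers and block values are packed into one field element as 6-bit symbols. The sample secret is constructed.

```python
"""Linguistic (m, n)-threshold scheme: bits -> grammar rule numbers -> Shamir shadows."""
import secrets

# Production numbers of the grammar G (rules 1..9 of SP)
RULE_SECRET = 1                                 # SECRET -> BIT_BLOCK
RULE_CONCAT = 2                                 # BIT_BLOCK -> BIT_BLOCK BIT_BLOCK
RULE_CHOOSE = 3                                 # BIT_BLOCK -> 1B | 2B | 3B | 4B | 5B
RULE_EMPTY = 4                                  # BIT_BLOCK -> lambda
RULE_FOR_LEN = {1: 5, 2: 6, 3: 7, 4: 8, 5: 9}   # kB -> "k BITS" is rule 4 + k
LEN_FOR_RULE = {r: k for k, r in RULE_FOR_LEN.items()}

# Assumptions (not fixed by the paper): Shamir's scheme over GF(2^521-1),
# and 6-bit symbols (rule numbers <= 9, block values <= 31 both fit).
PRIME = 2**521 - 1
SYMBOL_BITS = 6


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def parse_bits(bits: str, block_len: int) -> list[int]:
    """Parse the bit string with G, emitting the production numbers used.

    Each block is derived by rule 2 (split off a BIT_BLOCK), rule 3 (choose kB),
    rule 4+k (kB -> k BITS), followed by the block's value (the terminal).
    Assumption: terminal values are inlined after their rule number.
    """
    if not 1 <= block_len <= 5:
        raise ValueError("grammar only covers blocks of 1..5 bits")
    seq = [RULE_SECRET]
    for i in range(0, len(bits), block_len):
        chunk = bits[i:i + block_len]            # the last chunk may be shorter
        seq += [RULE_CONCAT, RULE_CHOOSE, RULE_FOR_LEN[len(chunk)], int(chunk, 2)]
    seq.append(RULE_EMPTY)                       # closing BIT_BLOCK -> lambda
    return seq


def unparse(seq: list[int]) -> bytes:
    """Inverse of parse_bits: replay the rules to regenerate the bit string.
    Needs the rule table (the grammar); without it the sequence is opaque."""
    if seq[0] != RULE_SECRET:
        raise ValueError("sequence does not start from the start symbol")
    bits, i = [], 1
    while seq[i] != RULE_EMPTY:
        if seq[i] != RULE_CONCAT or seq[i + 1] != RULE_CHOOSE:
            raise ValueError("invalid derivation")
        k = LEN_FOR_RULE[seq[i + 2]]
        if seq[i + 3] >= 1 << k:
            raise ValueError("terminal value does not fit its block")
        bits.append(format(seq[i + 3], f"0{k}b"))
        i += 4
    s = "".join(bits)
    return int(s, 2).to_bytes(len(s) // 8, "big") if s else b""


def pack(seq: list[int]) -> int:
    """Pack the symbols into one integer; the leading rule 1 (value 1) makes
    the symbol count recoverable from the integer's bit length."""
    n = 0
    for sym in seq:
        n = (n << SYMBOL_BITS) | sym
    return n


def unpack(n: int) -> list[int]:
    count = (n.bit_length() + SYMBOL_BITS - 1) // SYMBOL_BITS
    mask = (1 << SYMBOL_BITS) - 1
    return [(n >> (SYMBOL_BITS * (count - 1 - i))) & mask for i in range(count)]


def shamir_split(secret: int, m: int, n: int) -> list[tuple[int, int]]:
    """Shadows (x, f(x)) of a random degree-(m-1) polynomial with f(0) = secret."""
    if not 0 <= secret < PRIME or not 1 <= m <= n:
        raise ValueError("secret too long for the field or bad (m, n)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, sum(c * pow(x, j, PRIME) for j, c in enumerate(coeffs)) % PRIME)
            for x in range(1, n + 1)]


def shamir_reconstruct(shadows: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for j, (xj, yj) in enumerate(shadows):
        num = den = 1
        for k, (xk, _) in enumerate(shadows):
            if k != j:
                num = num * (-xk) % PRIME
                den = den * (xj - xk) % PRIME
        total = (total + yj * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def linguistic_split(data: bytes, block_len: int, m: int, n: int):
    """Steps 2-7 of the protocol: bits, grammar parse, rule sequence, (m, n) split."""
    return shamir_split(pack(parse_bits(to_bits(data), block_len)), m, n)


def linguistic_reconstruct(shadows) -> bytes:
    return unparse(unpack(shamir_reconstruct(shadows)))


if __name__ == "__main__":
    shadows = linguistic_split(b"secret", 5, 3, 5)   # (3, 5)-threshold, 5-bit blocks
    print(linguistic_reconstruct(shadows[1:4]))      # any 3 of the 5 shadows suffice
```

Any m shadows yield the rule sequence, but turning it back into bits requires LEN_FOR_RULE, i.e. the grammar: keeping that table with a trusted arbitrator gives the arbitration variant described above, while publishing it lets the authorised group reconstruct on its own.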
Shadow Generation Protocol in Linguistic Threshold Schemes
39
3 Application of Linguistic Threshold Schemes in Layered and Hierarchical Structures

The essence of the presented approach is that within a given layer it is possible to divide secret information in such a way that every person involved in the process of encrypting the information becomes the owner of a certain part of the secret. Even though such persons are equal owners of parts of the secret from the perspective of the information splitting process, the secret can be recreated omitting some of them. If the secret is split between the members of a given group in equal parts, this means that every member will receive the same amount of the secret, and then all of them have to reveal their parts to recreate the original message. There is obviously no absolute requirement for all owners of parts of the secret to reveal their parts, because, for example, threshold schemes for information splitting (like Tang's algorithm [16]) guarantee that secret information can be recreated with the involvement of a smaller number of participants than the number between which the shares were distributed. Since every participant of the information splitting and also of the information reconstruction process is treated as an equal process participant, there is no person in the group who could reconstruct the information without involving others. Such a split of information between the members of a given group in which everyone has the same privileges is a layer split. It is worth noting that the layer split may refer to the following types of splits:

• Of various secrets split in various layers in the same (similar) way - this situation means that the secret is split in the same way (in the sense of the method), regardless of the layer dealing with this secret. Obviously, the number of participants of the secret split in various layers is determined by the instance supervising the split (the decision-maker), and in addition it is unchanged in the remaining layers. What does change is the information constituting the secret being split in the specific layer.
• Of the same secret split in different ways depending on the layer - if we take information A, which can be a secret for several layers within which it is split, then, for instance, this secret can be split among n participants in the first layer, the same secret can be split in the superior (second) layer between n-k participants, which is a number smaller than in the subordinate layer, and in the third layer the same secret can be split among n-k-p participants. The values n, k, p can be defined freely depending on the size of the group from which the selected persons - secret trustees - are chosen.
• Various secrets in different layers - this type of split concerns a situation in which different pieces of information can be split between different groups of persons. So for a business organisation this situation may mean that at the decision-making level the secret split comprises specific strategic information of the organisation, but at the executive stage marketing and promotion information of the organisation may be split.

The mentioned layer splits of secrets can apply to splitting information at various levels - the operational, tactical and strategic levels of a given organisation. Of course,
40
M.R. Ogiela and U. Ogiela
the selection of the appropriate splitting method depends on the type of the organisational structure and the importance of the shared information. Another type of business structure is a hierarchical structure. The essence of the hierarchical approach lies in considering the hierarchy operating within the business organisation. It is the hierarchical nature of business organisations that allows hierarchical secret splits to be introduced. Such a split may have the form of a split of varied information (secret) within a given hierarchy, taking into consideration that higher up in the hierarchy this secret can be reconstructed by other trustees (or a single other trustee) of parts of the secret. This situation is illustrated in Fig. 2. Hierarchical information splits are much more frequent than layered splits, as the hierarchical nature of the structure is much more commonplace in various types of organisations. This is why a hierarchical information split can be used both in lean and flat structures, taking into account the superiority of persons managing the organisation and the subordination of particular departments and their managers. In the case of a hierarchical information split, it is noticeable that secret splits are very varied and the ways of splitting and sharing information are very numerous and depend on the individual situation of the organisation and the materiality of shared information. This is why the methods of secret splitting presented in this publication, concerning both the hierarchical and the layered split, can be used in various types of organisational structures.
Fig. 2. Hierarchical secret split
4 Conclusion

This publication proposes a new protocol for executing linguistic threshold schemes which use context-free sequential grammars. This protocol allows known threshold schemes to be extended to include an additional stage of coding the shared secret using an appropriately defined grammar. The coding can be applied to single bits of the input representation of the split secret or to blocks consisting of 2, 3 or more bits. For the general scheme of this information split, the authors have also presented its possible applications for the intelligent management and distribution of data in organisational structures of a linear and hierarchic type. Important strategic data can be distributed in institutions of such structure due to the protocol described here, whereby data is split and a part of it allocated to persons at the appropriate levels. The proposed method, in addition to its high utility, also introduces certain improvements to previously known techniques of information splitting. Such techniques, even though they are completely secure, require the participation of a trusted instance or an arbiter for the correct division or recreation of the information. The presented protocol is a universal solution suitable for use both as an arbitration protocol and as a protocol requiring no trusted party to participate. In the second case, executing it introduces an additional information component allocated to one of the parties participating in the information splitting procedure.

Acknowledgements. This work has been supported by the AGH University of Science and Technology under Grant No. 10.10.120.783.
References
1. Asmuth, C.A., Bloom, J.: A modular approach to key safeguarding. IEEE Transactions on Information Theory 29, 208–210 (1983)
2. Ateniese, G., Blundo, C., De Santis, A., Stinson, D.R.: Constructions and bounds for visual cryptography. In: Meyer auf der Heide, F., Monien, B. (eds.) ICALP 1996. LNCS, vol. 1099, pp. 416–428. Springer, Heidelberg (1996)
3. Beguin, P., Cresti, A.: General short computational secret sharing schemes. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 194–208. Springer, Heidelberg (1995)
4. Beimel, A., Chor, B.: Universally ideal secret sharing schemes. IEEE Transactions on Information Theory 40, 786–794 (1994)
5. Blakley, G.R.: Safeguarding Cryptographic Keys. In: Proceedings of the National Computer Conference, pp. 313–317 (1979)
6. Blakley, B., Blakley, G.R., Chan, A.H., Massey, J.: Threshold schemes with disenrollment. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 540–548. Springer, Heidelberg (1993)
7. Blundo, C., De Santis, A.: Lower bounds for robust secret sharing schemes. Inform. Process. Lett. 63, 317–321 (1997)
8. Charnes, C., Pieprzyk, J.: Generalised cumulative arrays and their application to secret sharing schemes. Australian Computer Science Communications 17, 61–65 (1995)
9. Desmedt, Y., Frankel, Y.: Threshold Cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, Heidelberg (1990)
10. van Dijk, M.: On the information rate of perfect secret sharing schemes. Designs, Codes and Cryptography 6, 143–169 (1995)
11. Hang, N., Zhao, W.: Privacy-preserving data mining systems. Computer 40(4), 52–58 (2007)
12. Jackson, W.-A., Martin, K.M., O'Keefe, C.M.: Ideal secret sharing schemes with multiple secrets. Journal of Cryptology 9, 233–250 (1996)
13. Ogiela, M.R., Ogiela, U.: Linguistic Extension for Secret Sharing (m, n)-threshold Schemes. In: SecTech 2008 - 2008 International Conference on Security Technology, Hainan Island, Sanya, China, December 13-15, pp. 125–128 (2008), ISBN: 978-0-76953486-2, doi:10.1109/SecTech.2008.15
14. Shamir, A.: How to Share a Secret. Communications of the ACM, 612–613 (1979)
15. Simmons, G.J.: An Introduction to Shared Secret and/or Shared Control Schemes and Their Application in Contemporary Cryptology. In: The Science of Information Integrity, pp. 441–497. IEEE Press, Los Alamitos (1992)
16. Tang, S.: Simple Secret Sharing and Threshold RSA Signature Schemes. Journal of Information and Computational Science 1, 259–262 (2004)
Analysis of Handwritten Signature Image
Debnath Bhattacharyya1, Poulami Das1, Samir Kumar Bandyopadhyay2, and Tai-hoon Kim3
1 Computer Science and Engineering Department, Heritage Institute of Technology, Kolkata-700107, India
{debnathb,dasp88}@gmail.com
2 Department of Computer Science and Engineering, University of Calcutta, Kolkata-700009, India
[email protected]
3 Hannam University, Daejeon-306791, Korea
[email protected]

Abstract. Handwritten Signature Identification has been a classical area of work in Computer Science and Technology for the last few years, and various new techniques of Image Analysis are also attracting Computer Scientists. Firstly, pixel clustering is used to transform the signature image into a bi-color image. Secondly, instead of considering the whole image, only the signature area is extracted. Thirdly, an image scaling technique resizes the signature image along the coordinate directions; the different techniques used to subsample the transformed image are discussed in turn. Fourthly, a thinning technique is used to reduce the thresholded output of an edge detector to lines of single-pixel thickness. In this paper we propose the above mentioned series of techniques as the preprocessing analysis part of Handwritten Signature Recognition.

Keywords: Skeletonization, Scaling, ITA (Image Thinning Algorithm), ROI (Region of Interest).
1 Introduction
Handwritten Signature Recognition is a generalized way of establishing authenticity. Although a signature is easy to copy and the signature of one person may vary at different times, it is still a common and widely recognized technique for authentication. There are 2 (Two) approaches available for Handwritten Signature Recognition: a) On-Line and b) Off-Line. This research focuses on the static features of a Handwritten Signature, which can be considered as the Off-Line Approach [7]. Images of the Handwritten Signature are taken repeatedly, considering that the "Signature of a person may vary widely from time to time"; these images are a special type of object. From these sample Signatures an average will be taken and stored for authentication in future. At this point the aim is to reduce the chance of rejection of genuine Signatures and to improve forgery resistance. Incorporating those two aspects, acceptance of the variance and the requirement for exactness of certain features, in one system is a very difficult task and still there is no perfect solution. The technique developed so far is to extract Morphological Features from the Handwritten Signature Image, and by analyzing that Image decisions can be taken [6].

D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 43–50, 2009. © Springer-Verlag Berlin Heidelberg 2009
44
D. Bhattacharyya et al.
2 Previous Works
An image can be represented morphologically using image dilation and erosion. The fundamental operations associated with an object are the standard set operations union, intersection and complement, plus translation and Boolean convolution [1]. Binary image morphology is considered on the basis of the behavior of binary images: erosion and dilation, consideration of the foreground and background of images, blur, the effect of added noise, and translationally invariant methods for pattern matching [2]. Morphological filtering of images is a theory introduced in 1988 in the context of mathematical morphology, with research on the lattice framework; the emphasis is put on the lattices of numerical functions in digital and continuous spaces and on morphological filters [3]. The usefulness of the hit-miss transform (HMT) and related transforms for pattern matching in document image applications has been examined. HMT is sensitive to the types of noise found in scanned images, including both boundary and random noise, whereas a simple extension, the Blur HMT, is relatively robust. The noise immunity of the Blur HMT derives from its ability to treat both types of noise together and to remove them by appropriate dilations [4]. The adaptation is achieved using a tradeoff parameter in the form of a nonlinear function of the local saturation. To evaluate the performance of the proposed algorithm, a designed psychophysical experiment is used to derive a metric denoted as the average value for the psychophysical evaluation in percent (APE%). Results of implementing the proposed APE show that an APE = 73 to 96% can be achieved for the basic morphological operators, i.e., dilation, erosion, opening and closing. The APE value depends on the size and shape of the structuring element as well as on the image details. The proposed algorithm has also been extended to other morphological operators, such as image smoothing (noise suppression), top-hat, gradient and Laplacian operators. In the case of a smoothing operation, an average peak signal-to-noise ratio (PSNR) = 31 to 37 dB is achieved for various structuring elements and applied noise variances, while good results are achieved with the proposed top-hat operators [5]. Whenever an image is digitized, i.e., converted from one form to another, some form of degradation occurs at the output [6]. There is no image processing system which can produce an ideal image. Image enhancement is the improvement of the appearance of the image; enhancement can be done via contrast intensification, smoothing and edge sharpening. Algorithms for spatial domain and frequency domain techniques are widely used: the spatial domain deals with the neighborhood of a single pixel and the frequency domain deals with global filters (masks) [6]. Alessandro Zimmer and Lee Luan Ling, 2003, proposed a new hybrid handwritten signature verification system, where the on-line reference data acquired through a
digitizing tablet serves as the basis for the segmentation process of the corresponding scanned off-line data. Local foci of attention over the image were determined through a self-adjustable learning process in order to pinpoint the feature extraction process. Both local and global primitives were processed and the decision about the authenticity of the specimen was defined through similarity measurements. The global performance of the system was measured using two different classifiers [7]. A method for the automatic verification of handwritten signatures was described by Ramanujan S. Kashi, William Turin and Winston L. Nelson in 1996. The method is based on global and local features that summarize aspects of signature shape and the dynamics of signature production. They compared it with their previously proposed method and showed the improvement of the current version [8].
3 Our Work
We propose the following four algorithms to achieve our goal. Those algorithms are:

3.1 Transform Gray Signature Image to Bi-Color Signature Image
Input: Gray scale Signature Image.
Output: Bi-Color Signature Image.
a. Open Gray scale Signature Image in Read Mode.
b. Read the Pixel.
c. Check the Pixel intensity value: if the value is less than 255 (gray value for white color) Then convert it to 0 Else no modification in the Pixel value.
d. Rewrite the Pixel with the changed intensity value.
e. If not 'end of file' Then go to Step-b.
f. Close image file.

3.2 Extracting Region of Interest (ROI)
Input: Bi-Color Signature Image (Output of 3.1 Algorithm).
Output: Image only with Signature Region.
a. Open Image1 (Bi-Color Signature Image) File in Input Mode.
b. Open Image2 File in Output Mode.
c. Declare an Integer 2D Matrix of [n x m], where n and m are the width and height of Image1.
d. Get RGB Value[i, j] of Image1 and store it at Matrix[i, j] position.
e. Go to Step-d until the end of Image1 File; Matrix[n, m] is then generated with the RGB Weight of Image1.
f. Identify the First row where the First Black RGB Color occurs in Matrix[n, m], i.e., p.
g. Identify the First column where the First Black RGB Color occurs in Matrix[n, m], i.e., q.
h. Here, Matrix[p, q] is the starting position of the Signature Region of Image1.
i. Identify the Last row where the Last Black RGB Color occurs in Matrix[n, m], i.e., x.
j. Identify the Last column where the Last Black RGB Color occurs in Matrix[n, m], i.e., y.
k. Here, Matrix[x, y] is the end position of the Signature Region of Image1.
l. Get the RGB Values of the Matrix from [p, q] to [x, y] Position and Write them into Image2 File.
3.3 Scaling
Consider the resultant bi-color signature image from the algorithm mentioned in 3.2. The mathematics behind the scaling we used and tested is given below.
a. The input image is loaded via Toolkit and MediaTracker.
b. Four (4) arguments contain the maximum size of the Image to be created. The actual size of the Image will be computed from that maximum size and the actual size of the image (all sizes are given as pixels). The code will scale the Input Image correctly. If the two arguments for the maximum Image size are both 100 and the image that was loaded is 400 times 200 pixels large, we want the image to be 100 times 50 pixels large, not 100 times 100, because the original image is twice as wide as it is high. A 100 times 100 pixel image would contain a very skewed version of the original image.
c. Now that we have determined the size of the image, we create a BufferedImage of that size, named iImage. We take another object for that new image and call its drawImage method to draw the original image on that new image. The call to drawImage does the actual scaling.
d. Rendering hints and bilinear interpolation can be used (performance will slow down) where speed is more important. For nicer results (at least in some cases) we have used INTERPOLATION BICUBIC instead of INTERPOLATION BILINEAR.
e. In order to save the scaled-down image to a file, we have created a buffered FileOutputStream with the second argument as name and initialized the necessary objects.
f. The quality argument from the command line is converted from the interval 0 to 100 to the interval 0.0f to 1.0f, because that's what the codec expects (I mostly used 0.75f). The higher that quality number is, the better the resulting image quality, but also the larger the resulting file.
3.4 Image Thinning Algorithm (ITA)
Input: Resultant Signature Image from 3.3 Algorithm
Output: Thinned Signature Image
a. Take the surrounding pixels of the foreground.
b. Foreground points must have at least a single background neighbor.
c. Reject points with more than one foreground neighbor.
d. Continue Steps [b to d] until the region is locally disconnected (divided into 2 parts) by the pixel; iterate until convergence.
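The following is an added example (not the authors' Java implementation) that carries algorithms 3.1 to 3.3 through on a small constructed gray-scale image held as a list of rows: the bi-color threshold, the ROI bounding box from the first and last black row and column, and the aspect-preserving size computation of 3.3. Nearest-neighbor resampling stands in for drawImage, and the image layout and sample values are assumptions of the example.

```python
"""Added example (not the authors' code): algorithms 3.1 (bi-color), 3.2 (ROI)
and 3.3 (aspect-preserving scaling) on a gray image stored as a list of rows,
0 = black and 255 = white. Nearest-neighbor resampling is an assumed stand-in
for the Java drawImage call used in the paper."""
from typing import List, Tuple

WHITE, BLACK = 255, 0
Image = List[List[int]]


def to_bicolor(img: Image) -> Image:
    """3.1 step c: every pixel below 255 (the gray value of white) becomes 0."""
    return [[BLACK if px < WHITE else WHITE for px in row] for row in img]


def signature_bounds(img: Image) -> Tuple[int, int, int, int]:
    """3.2 steps f-k: first/last row (p, x) and first/last column (q, y) that
    contain a black pixel. Returns (p, q, x, y); raises if nothing is black."""
    rows = [r for r, row in enumerate(img) if BLACK in row]
    cols = [c for c in range(len(img[0])) if any(row[c] == BLACK for row in img)]
    if not rows:
        raise ValueError("no signature pixels in image")
    return rows[0], cols[0], rows[-1], cols[-1]


def extract_roi(img: Image) -> Image:
    """3.2 step l: copy Matrix[p, q] .. Matrix[x, y] into the output image."""
    p, q, x, y = signature_bounds(img)
    return [row[q:y + 1] for row in img[p:x + 1]]


def scaled_size(width: int, height: int, max_w: int, max_h: int) -> Tuple[int, int]:
    """3.3 step b: fit into max_w x max_h keeping the aspect ratio, so a
    400 x 200 image under a 100 x 100 limit becomes 100 x 50, not 100 x 100."""
    scale = min(max_w / width, max_h / height)
    return max(1, round(width * scale)), max(1, round(height * scale))


def scale_image(img: Image, max_w: int, max_h: int) -> Image:
    """Resample to scaled_size by nearest neighbor (assumed stand-in for drawImage)."""
    h, w = len(img), len(img[0])
    new_w, new_h = scaled_size(w, h, max_w, max_h)
    return [[img[r * h // new_h][c * w // new_w] for c in range(new_w)]
            for r in range(new_h)]


def preprocess(img: Image, max_w: int, max_h: int) -> Image:
    """3.1 -> 3.2 -> 3.3 in the order the paper applies them."""
    return scale_image(extract_roi(to_bicolor(img)), max_w, max_h)


# Constructed 6 x 8 gray image: a faint (200) and a dark (30) stroke inside a
# white margin; both shades must end up black after 3.1.
SAMPLE: Image = [
    [255] * 8,
    [255, 255, 200, 200, 200, 255, 255, 255],
    [255, 255, 30, 255, 255, 30, 255, 255],
    [255, 255, 200, 255, 255, 30, 255, 255],
    [255, 255, 255, 255, 255, 255, 255, 255],
    [255] * 8,
]
```

Note that the 3.1 rule turns every non-white gray level, however faint, into signature pixels, so scanner noise in the margin would widen the ROI.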
Implemented pseudocode:
    BufferedImage bi = ImageIO.read(new File("Signature_Image"));
    int[][] matrix = new int[bi.getWidth()][bi.getHeight()];
    for (int i = 0; i
> 0
(10)
and the probability of outage as

$$P_{out} = \Pr\{C_S < R\} \qquad (11)$$

Proposition 2: The probability of outage can be written as

$$P_{out} = \Pr\{C_S < R\} = \Pr\left\{ \log \frac{1 + \dfrac{h^2\,\mathrm{SNR}}{\sigma_1^2}}{1 + \dfrac{h^2\,\mathrm{SNR}}{\sigma_1^2 + \sigma_2^2}} < R \right\} \qquad (12)$$
Remark 3: If the main channel is extremely noisy, we can take σ1² >> σ2² and then C_S → 0. In this case, the system is in outage with probability 1. On the other hand, if the eavesdropper channel is extremely noisy, then we can take σ2² >> σ1²

1, k, lp ∈ N which are the security parameters, the group manager chooses the following parameters: λ1, λ2, γ1 and γ2 such that λ1 > (λ2 + k) + 2, λ2 > 4lp, γ1 > (γ2 + k) + 2, and γ2 > λ1 + 2. Define
Efficient Group Signature with Forward Secure Revocation
127
the integral ranges Λ = [2^{λ1} − 2^{λ2}, 2^{λ1} + 2^{λ2}] and Γ = [2^{γ1} − 2^{γ2}, 2^{γ1} + 2^{γ2}]. Note that H : {0, 1}* → {0, 1}^k is a collision-resistant hash function. The parameter controls the tightness of the statistical zero-knowledgeness and the parameter lp sets the size of the modulus to use. All these parameters are public. The group manager computes the group public key mpk = (n, a, a0, y, g, h, g1, g2) and the secret key msk = (p', q', x) as follows:
(a) Select random lp-bit primes p', q' such that p = 2p' + 1 and q = 2q' + 1 are prime. Set the modulus n = pq. Note that all the arithmetic operations in the following sections are modulo n unless specified otherwise.
(b) Choose random elements a, a0, g, h, g1, g2 ∈R QR(n) (of order p'q'), where QR(n) denotes the set of quadratic residues of the group Z*_n.
(c) Choose a random secret x ∈R Z*_{p'q'}, and set y = g^x.
The membership information is Ω = (c, u), where c is initialized to g1 and u is initialized to 1.

2. G.Enroll
The usk_i, rvk_i, upk_i of the new member i are generated as follows:
(a) The member i generates a secret exponent x̃_i ∈R [0, 2^{λ2}] and a random integer r̃_i ∈R [0, n], sends C1 = g^{x̃_i} h^{r̃_i} to the group manager and proves his knowledge of the representation of C1, i.e., sends the signature of knowledge W = SPK[x̃_i, r̃_i : C1 = g^{x̃_i} h^{r̃_i}](0) (see the construction in [12]).
(b) The group manager checks that C1 ∈ QR(n). If this is the case, the group manager selects α_i, β_i ∈R [0, 2^{λ2}] at random and sends (α_i, β_i) to member i.
(c) Member i computes x_i = 2^{λ1} + (α_i x̃_i + β_i mod 2^{λ2}) in Z and sends the group manager the value C2 = a^{x_i}. Member i also proves to the group manager that:
i. the discrete log of C2 with respect to base a lies in Λ, i.e., SPK[x_i : C2 = a^{x_i} ∧ x_i ∈ Λ](0) (see the construction in [12]).
ii. the user's membership secret x_i = log_a C2 is correctly computed from C1, α_i and β_i, as follows:
A. computes u = α_i x̃_i + β_i mod 2^{λ2}, v = (α_i x̃_i + β_i) / 2^{λ2} in Z and w = α_i r̃_i in Z, and proves that
B. u lies in [−2^{λ2}, 2^{λ2}] and equals the discrete log of C2 / a^{2^{λ1}} with respect to base a, i.e., computes SPK[u : a^u = C2 / a^{2^{λ1}} ∧ u ∈ [−2^{λ2}, 2^{λ2}]](0) (see the construction in [9]).
C. C1^{α_i} g^{β_i} equals g^u (g^{2^{λ2}})^v h^w, i.e., computes SPK[α_i, β_i, u, v, w : C1^{α_i} g^{β_i} = g^u (g^{2^{λ2}})^v h^w](0) (it is easy to get the construction from [12]).
128
H. Jin, D.S. Wong, and Y. Xu
(d) The group manager checks that C2 ∈ QR(n). If this is the case and all the above proofs were correct, the group manager selects a random prime e_i ∈R Γ and computes A_i = (C2 a0)^{1/e_i} = (a^{x_i} a0)^{1/e_i}. Then the group manager sets upk_i = A_i, rvk_i = e_i. Finally, the group manager sends [A_i, e_i] to Member i.
(e) Member i verifies that a^{x_i} a0 = A_i^{e_i}. If this is the case, Member i sets upk_i = A_i, rvk_i = e_i and usk_i = x_i.
The algorithms Join, Iss are implied by the G.Enroll protocol.

3. G.Revoke
On input of rvk_k of member k who is to be deleted this time and the current Ω = (c, μ), the group manager updates c as c = c^{rvk_k} and updates μ as μ = μ · rvk_k. Suppose there are revoked members j, ..., k till now; the latest c = g1^{∏_{i=j}^{k} rvk_i} and μ = ∏_{i=j}^{k} rvk_i.

4. G.Sign
A group signature σ on message m consists of a tuple (Ṽ1, Ṽ2) which is generated as follows:
(a) Member i computes a signature of knowledge Ṽ1 = SPK[(r, x_i, rvk_i, A_i) : T1 = y^r A_i ∧ T2 = g^r ∧ T3 = h^r g^{rvk_i} ∧ a^{x_i} a0 = A_i^{rvk_i} ∧ x_i ∈ Λ ∧ rvk_i ∈ Γ](m) as shown in Table 1:

Table 1. The Constructions of Signature of Knowledge Ṽ1
1. randomly choose r ∈R {0, 1}^{2lp} and compute T1 = y^r A_i, T2 = g^r, T3 = g^{rvk_i} h^r
2. randomly choose r1 ∈R ±{0, 1}^{(γ2+k)}, r2 ∈R ±{0, 1}^{(λ2+k)}, r3 ∈R ±{0, 1}^{(γ1+2lp+k+1)}, r4 ∈R ±{0, 1}^{(2lp+k)} and compute:
(a) d1 = T1^{r1} / (a^{r2} y^{r3}), d2 = T2^{r1} / g^{r3}, d3 = g^{r4}, d4 = g^{r1} h^{r4}
(b) v = H(g||h||y||a0||a||T1||T2||T3||d1||d2||d3||d4||m)
(c) s1 = r1 − v(rvk_i − 2^{γ1}), s2 = r2 − v(x_i − 2^{λ1}), s3 = r3 − v · rvk_i · r, and s4 = r4 − v · r (all in Z)
(d) Output (v, s1, s2, s3, s4, T1, T2, T3)
(b) Member i computes a signature of knowledge Ṽ2 to prove that his rvk_i, which is committed in T3, is not condensed in c (i.e., has not been revoked by the group manager), as follows:
i. Note that c = g1^μ, where μ = ∏_{i=j}^{k} rvk_i. Since gcd(rvk_i, μ) = 1, he can find f, b ∈ Z such that f · μ + b · rvk_i = 1. Let d = g1^{−b}.
ii. With c, f, d, rvk_i, r, he computes Ṽ2 = SPK[(rvk_i, r, f, d) : T3 = h^r g^{rvk_i} ∧ c^f = d^{rvk_i} g1 ∧ rvk_i ∈ Γ](m) as shown in Table 2.
Table 2. The Constructions of Signature of Knowledge Ṽ2
1. compute T4 = d g2^r
2. randomly choose r1 ∈R ±{0, 1}^{(γ2+k)}, r2 ∈R ±{0, 1}^{(λ2+k)}, r3 ∈R ±{0, 1}^{(γ1+2lp+k+1)}, r4 ∈R ±{0, 1}^{(2lp+k)} and compute:
(a) d1 = T4^{r1} / (c^{r2} g2^{r3}), d2 = g^{r1} h^{r4}
(b) v = H(g||h||g1||g2||c||T4||T3||d1||d2||m)
(c) s1 = r1 − v(rvk_i − 2^{γ1}), s2 = r2 − v(x_i − 2^{λ1}), s3 = r3 − v · rvk_i · r, and s4 = r4 − v · r (all in Z)
(d) Output (v, s1, s2, s3, s4, T4, T3) as Ṽ2
5. G.Ver
To verify a group signature σ = (Ṽ1, Ṽ2) on message m and the revocation membership information Ω (actually only c is required), the verifier checks the validity and correctness of Ṽ1, Ṽ2 with respect to mpk and Ω as follows.
– Verify Ṽ1: compute
v' = H(g||h||y||a0||a||T1||T2||T3|| a0^v T1^{s1 − v2^{γ1}} / (a^{s2 − v2^{λ1}} y^{s3}) || T2^{s1 − v2^{γ1}} / g^{s3} || T2^v g^{s4} || T3^v g^{s1 − v2^{γ1}} h^{s4} || m).
Return 1 for accept if and only if v = v', and s1 ∈ ±{0, 1}^{(γ2+k)+1}, s2 ∈ ±{0, 1}^{(λ2+k)+1}, s3 ∈ ±{0, 1}^{(λ1+2lp+k+1)+1}, and s4 ∈ ±{0, 1}^{(2lp+k)+1}. Otherwise, return 0 for reject.
– Verify Ṽ2: compute
v' = H(g||h||g1||g2||c||T4||T3|| (g1^{−1})^v T4^{s1 − v2^{γ1}} / (c^{s2 − v2^{λ1}} g2^{s3}) || T3^v g^{s1 − v2^{γ1}} h^{s4} || m).
Return 1 for accept if and only if v = v', and s1 ∈ ±{0, 1}^{(γ2+k)+1}, s2 ∈ ±{0, 1}^{(λ2+k)+1}, s3 ∈ ±{0, 1}^{(λ1+2lp+k+1)+1}, and s4 ∈ ±{0, 1}^{(2lp+k)+1}. Otherwise, return 0 for reject.

6. G.Open
Given a message-signature pair (m, σ = (Ṽ1, Ṽ2)) and the trace key tk = x, if G.Ver(mpk, tk, Ω, m, σ) = 1 then output the upk_i which is computed as upk_i = T1 / T2^x (i.e., do the decryption of (T2, T1), which is an ElGamal ciphertext).

4.1 Security Analysis
Correctness and Traceability: If all the algorithms and the protocol described above are carried out accordingly, we have a signature σ on message m generated as σ ← G.Sign(mpk, upk_i, usk_i, rvk_i, Ω, m) such that G.Ver(mpk, Ω, m, σ) = 1 for all m ∈ {0, 1}*, and ũpk ← G.Open(mpk, tk, Ω, m, σ) such that ũpk = upk_i.
1. The correctness: Since according to the protocol, whenever σ ← G.Sign(mpk, upk, usk, rvk, Ω, m), there always holds G.Ver(mpk, Ω, m, σ) = 1 for all m ∈ {0, 1}*.
2. The traceability: Suppose there is a message and signature pair (m, σ) such that G.Ver(mpk, Ω, m, σ) = 1, where i ← G.Open(mpk, tk, Ω, m, σ). Suppose σ = (Ṽ1, Ṽ2), where Ṽ1 = {T1, T2, T3, ...}. If σ is valid, the validation of Ṽ1 makes sure that there is a tuple (x_i, A_i, e_i, r) such that T1 = A_i y^r, T2 = g^r, T3 = g^{e_i} h^r, A_i = (a^{x_i} a0)^{1/e_i}, x_i ∈ Λ and e_i ∈ Γ. According to [1, Theorem 1], such a tuple can only be obtained via G.Enroll. And according to G.Open, we compute upk_i = T1 / T2^x = A_i. Hence, A_i can be uniquely linked to an instance of the G.Enroll protocol and thus the user i who originated the signature can be identified.
To give a formal security analysis, we also propose a set of security models for group signature with forward secure revocation. The models are based on those proposed by Nakanishi et al. [15]. In the models, we define the notions of unforgeability, anonymity, forward secure revocation and non-frameability. We will provide the security models and proofs in the full version of this paper.
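As an added example, not the paper's code, the accumulator side of the scheme is exercised in Python with constructed toy parameters: G.Revoke's update of (c, μ), the extended-Euclid witness (f, d) of G.Sign step (b) together with the relation c^f = d^{rvk_i} g1 that Ṽ2 proves, and G.Open's ElGamal decryption upk_i = T1 / T2^x. The modulus n = 23·47, the generators, the trace key and the revocation keys are assumed toy values, far below the lp-bit sizes the scheme requires.

```python
"""Added example (not the paper's code): G.Revoke, the non-revocation witness
of G.Sign step (b) and G.Open, on constructed toy parameters. The real scheme
uses lp-bit safe primes and rvk_i drawn from Gamma; these sizes are far too
small for any real use and only make the relations visible."""
import secrets

# Constructed toy group: p = 2p'+1 = 23 (p' = 11), q = 2q'+1 = 47 (q' = 23).
N = 23 * 47
G1 = pow(2, 2, N)            # quadratic residue playing g1 (accumulator base)
G = pow(3, 2, N)             # quadratic residue playing g
TRACE_KEY_X = 7              # assumed trace key x = tk
Y = pow(G, TRACE_KEY_X, N)   # y = g^x, part of mpk


def egcd(a: int, b: int):
    """Extended Euclid: returns (gcd, s, t) with s*a + t*b = gcd."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def revoke(c: int, mu: int, rvk_k: int):
    """G.Revoke: c <- c^rvk_k and mu <- mu * rvk_k, so c = g1^mu throughout."""
    return pow(c, rvk_k, N), mu * rvk_k


def nonrevocation_witness(mu: int, rvk_i: int):
    """G.Sign (b)i: when gcd(rvk_i, mu) = 1 find f, b with f*mu + b*rvk_i = 1
    and set d = g1^(-b). Returns None once rvk_i has been folded into mu."""
    g, f, b = egcd(mu, rvk_i)
    if g != 1:
        return None
    return f, pow(G1, -b, N)     # negative exponent: modular inverse of g1^b


def witness_holds(c: int, f: int, d: int, rvk_i: int) -> bool:
    """The relation proven inside V~2: c^f = d^rvk_i * g1 (mod n)."""
    return pow(c, f, N) == pow(d, rvk_i, N) * G1 % N


def encrypt_upk(A_i: int):
    """Table 1, step 1, as far as T1 = y^r A_i and T2 = g^r (ElGamal of A_i)."""
    r = secrets.randbelow(N - 2) + 1
    return pow(Y, r, N) * A_i % N, pow(G, r, N)


def open_signature(T1: int, T2: int, x: int) -> int:
    """G.Open: upk_i = T1 / T2^x recovers A_i from the ciphertext (T2, T1)."""
    return T1 * pow(T2, -x, N) % N


def demo():
    """Revoke Bob and Carol; Alice can still build a witness, they cannot."""
    rvk_alice, rvk_bob, rvk_carol = 101, 103, 107   # constructed stand-ins for Gamma
    c, mu = G1, 1                                    # initial Omega = (g1, 1)
    c, mu = revoke(c, mu, rvk_bob)
    c, mu = revoke(c, mu, rvk_carol)
    return (nonrevocation_witness(mu, rvk_alice),
            nonrevocation_witness(mu, rvk_bob),
            nonrevocation_witness(mu, rvk_carol), c)
```

A verifier only needs the current c: once a member's rvk divides μ, no Bezout pair with gcd 1 exists, so the Ṽ2 relation cannot be satisfied for that key.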
References
1. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000)
2. Ateniese, G., Song, D., Tsudik, G.: Quasi-efficient revocation of group signatures. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 183–197. Springer, Heidelberg (2003)
3. Ateniese, G., Tsudik, G.: Some open issues and new directions in group signatures. In: Franklin, M.K. (ed.) FC 1999. LNCS, vol. 1648, pp. 196–211. Springer, Heidelberg (1999)
4. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
5. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Proc. CCS 2004, pp. 168–177. ACM, New York (2004)
6. Bresson, E., Stern, J.: Efficient revocation in group signatures. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 190–206. Springer, Heidelberg (2001)
7. Camenisch, J., Groth, J.: Group signatures: Better efficiency and new theoretical aspects. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 120–133. Springer, Heidelberg (2005)
8. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 101–120. Springer, Heidelberg (2002)
9. Camenisch, J., Michels, M.: Separability and efficiency for generic group signature schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 413–430. Springer, Heidelberg (1999)
10. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)
11. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)
12. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002)
13. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
14. Kim, S.J., Park, S.J., Won, D.H.: Convertible group signatures. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 311–321. Springer, Heidelberg (1996)
15. Nakanishi, T., Fujii, H., Hira, Y., Funabiki, N.: Revocable group signature schemes with constant costs for signing and verifying. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 463–480. Springer, Heidelberg (2009)
16. Nakanishi, T., Funabiki, N.: Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 533–548. Springer, Heidelberg (2005)
17. Nakanishi, T., Sugiyama, Y.: A group signature scheme with efficient membership revocation for reasonable groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 336–347. Springer, Heidelberg (2004)
Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion
Jieren Cheng1,2, Jianping Yin1, Yun Liu1, Zhiping Cai1, and Chengkun Wu1
1 School of Computer, National University of Defense Technology, 410073 Changsha, China
2 Department of Mathematics, Xiangnan University, 423000 Chenzhou, China
[email protected]
Abstract. Detection of Distributed Denial of Service (DDoS) attacks is currently a hot topic in both industry and academia. We present an IP Flow Interaction algorithm (IFI) that merges multiple features of normal flows and DDoS attack flows. Using IFI time series to describe the state of network flows, we propose an efficient DDoS attack detection method based on IFI time series (DADF). DADF employs an adaptive parameter estimation algorithm and detects DDoS attacks by correlating the states of the IFI time series, together with an alert evaluation mechanism. Experimental results demonstrate that IFI fuses the multiple features of normal flows and DDoS attack flows well and is efficient at distinguishing normal flows from DDoS attack flows, and that DADF detects DDoS attacks quickly with a higher detection rate and lower false alarm rate under relatively large normal background flows.
Keywords: Network Security, Distributed Denial of Service, Normal Profile, Multi-feature Fusion.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 132–139, 2009. © Springer-Verlag Berlin Heidelberg 2009
1 Introduction
Distributed Denial of Service (DDoS) attacks are one of the main threats the Internet faces. DDoS attacks currently tend to use actual source IP addresses [1] and to simulate normal flows while attacking, causing serious damage to the victims by flooding traffic or by using periodic low-rate attack flows [2]. Furthermore, at an early stage of a DDoS attack the traffic changes are difficult to detect because small traffic fluctuations are not obvious. Many approaches [3,4,5] based on flow dissymmetry can detect dissymmetric attack flows, but the incoming and outgoing traffic of normal flows is sometimes also highly disproportional, and such methods are more expensive and difficult to deploy cooperatively at the edge networks. Moreover, an attacker may use randomly spoofed source IP addresses or simulate normal flows when sending attack packets, so that the attack traffic from each source network stays within the normal range and goes unnoticed among legitimate traffic flows. Thus, accurately detecting attack traffic at the source network can be difficult or impossible. [6] detected DDoS attacks using the distribution of IP addresses; [7,8] detected attacks based on abrupt traffic changes; to avoid the shortcomings of methods based on a single attack characteristic,
[9,10,11] integrated multiple characteristics to detect DDoS attacks. However, these methods are disturbed by relatively large volumes of normal background flows. The distributed collaborative methods [12,13] employ distributed sensors to detect attacks collaboratively, but such systems are difficult to deploy and their detection quality relies on the detection capability of each sensor. Based on normal flow features, [14] established detection models that could detect different kinds of attacks. However, it is very difficult to build a stable model for all kinds of normal flows, and attackers may launch an attack by simulating normal flows. Hence, detection of DDoS attacks is a challenging task requiring novel approaches. This paper presents an IP Flow Interaction algorithm based on multiple features of normal flows and DDoS attacks (IFI) and proposes a DDoS attack detection method based on IFI time series (DADF). Theoretical analysis and experimental results demonstrate that the IFI algorithm makes effective use of multiple features and reflects the distinguishing features of normal flows and DDoS flows, and that DADF uses the IFI feature time series of network flows to detect DDoS attacks with a higher detection rate and lower false alarm rate.
2 IFI Algorithm
The common characteristic of normal flows and attack flows is interaction. However, because their purposes for interacting differ, their statistical features on IP addresses and ports are essentially different. Assume a network flow F in a certain time period T is described as <ti, si, spi, di, dpi>, where i = 1, 2, …, n, ti is the timestamp of the i-th packet, and si, spi, di, dpi are the source IP address, source port, destination IP address and destination port of the i-th packet.
Definition 1. Classify the n packets so that packets with the same source IP address form one class and packets with the same destination IP address form one class. Denote the class with source IP address Ai as IPS(Ai), and the class with destination IP address Aj as IPD(Aj). If a source IP address Ai of class IPS(Ai) makes class IPD(Ai) non-empty, then IPS(Ai) is called an Interaction Flow (IF) and denoted IF(Ai). If a source IP address Ai of class IPS(Ai) makes class IPD(Ai) empty, then IPS(Ai) is called a Source Half Interaction Flow (SH) and denoted SH(Ai). If a destination IP address Ai of class IPD(Ai) makes class IPS(Ai) empty, then IPD(Ai) is called a Destination Half Interaction Flow (DH) and denoted DH(Ai). SH flows and DH flows are together called Half Interaction Flows (HF).
Normal flows are mostly IFs, interacting per unit time, and obey the TCP congestion control protocol to avoid congestion, even when a web server sustains a flash crowd. Hence, in a time period T the number M of all IFs is large, while the number S of all SHs and the number D of all DHs are relatively small, so |S−D|/M → 0. However, successful DDoS attack flows are mostly HFs per unit time, because a DDoS attack denies network service by continually sending out a great
number of attack packets and does not obey the TCP congestion control protocol, especially when the attacker performs a DDoS attack with spoofed source IP addresses. Among the HFs, when the source-to-destination address mapping is many-to-one dissymmetric, the number S of all SHs and the number D of all DHs satisfy S > D. Furthermore, in a time period T, S is large because of the distribution of attack source addresses and the abrupt traffic change, while D is relatively small because of the concentrated target and the number M of all IFs is small, so |S−D|/M → ∞. Additionally, when the source-to-destination mapping is one-to-many dissymmetric, as at the early stage of an indirect DDoS attack [11], S is small in T because of the concentrated target and D is large because of the distribution of attack source addresses and the abrupt traffic change; if M is small, again |S−D|/M → ∞. Furthermore, the number of distinct ports satisfies Port(SH(Aj)) > θ/ms or Port(DH(Ai)) > θ/ms, where θ is the threshold. When the attack flow is small but the normal background flows are relatively large, the detection quality is affected. In order to reduce the interference of IFs and improve the detection sensitivity for attack flows, we define the Source Address Entropy (SAE), which reflects the distribution of source addresses of IFs [6].
Definition 2. Classify the n packets and obtain all the interaction flows of F as IF1, IF2, …, IFm. The number of packets with source IP address Ai in IFi is denoted sipi, where i = 1, 2, …, m. The number of packets of all the IFs is denoted ASIP. All the source half interaction flows of F are denoted SH1, SH2, …, SHS, and the number of distinct source ports of class SHi is denoted Port(SHi), i = 1, 2, …, S. All the destination half interaction flows are denoted DH1, DH2, …, DHD, and the number of distinct destination ports of class DHi is denoted Port(DHi), i = 1, 2, …, D. The SAE is defined as:

$$SAE = -\sum_{i=1}^{m} \frac{sip_i}{ASIP} \log_2\left(\frac{sip_i}{ASIP}\right) \qquad (1)$$
We give the IP Flow Interaction Feature (IFI) algorithm merging multiple features, namely flow interaction, source-to-destination address dissymmetry, distribution of attack source addresses, concentrated target and abrupt traffic change, as follows:
Definition 3. The IFI is defined as:

$$IFI_F = \frac{f(SAE)\left(|S-D| + \sum_{i=1}^{S} weight(Port(SH_i)) + \sum_{j=1}^{D} weight(Port(DH_j))\right)}{m+1} \qquad (2)$$

where

$$f(x) = \begin{cases} x & x > 1 \\ 1 & x \le 1 \end{cases}, \qquad weight(x) = \begin{cases} x & x/\Delta t > \theta \\ 0 & x/\Delta t \le \theta \end{cases}$$

Δt is the sampling time period, and θ is the threshold obtained from normal flows by statistical methods, which can be the maximum number of ports of an HF flow in Δt. It is very difficult or impossible to turn a large number of half-interaction attack flows into IF flows per unit time outside the source network. Consequently, IFI is efficient for distinguishing normal flows from DDoS attack flows.
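As an added worked example (not the authors' code), the following Python computes Definitions 1 to 3 over one sampling window: it classifies packets into IF, SH and DH, computes SAE by Eq. (1) and IFI by Eq. (2). The packet records, Δt = 0.1 s and θ = 10 are constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import log2


@dataclass(frozen=True)
class Packet:
    """One sampled packet <t_i, s_i, sp_i, d_i, dp_i> of the flow F."""
    t: float
    src: str
    sport: int
    dst: str
    dport: int


def classify_flows(packets):
    """Definition 1. Group packets by source and by destination address.
    IF(A): packets sent by A, where A also appears as a destination.
    SH(A): packets sent by A, where A never appears as a destination.
    DH(A): packets addressed to A, where A never appears as a source."""
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
        by_dst[p.dst].append(p)
    ifs = {a: pk for a, pk in by_src.items() if a in by_dst}
    shs = {a: pk for a, pk in by_src.items() if a not in by_dst}
    dhs = {a: pk for a, pk in by_dst.items() if a not in by_src}
    return ifs, shs, dhs


def source_address_entropy(ifs):
    """Definition 2, Eq. (1): entropy of the packet-count distribution
    sip_i/ASIP over the IFs. Defined as zero when there are no IFs."""
    sizes = [len(pk) for pk in ifs.values()]
    asip = sum(sizes)
    if asip == 0:
        return 0.0
    return -sum((s / asip) * log2(s / asip) for s in sizes)


def ifi(packets, dt, theta):
    """Definition 3, Eq. (2), for one sampling window of length dt.
    theta is the per-unit-time port threshold derived from normal traffic."""
    ifs, shs, dhs = classify_flows(packets)
    sae = source_address_entropy(ifs)
    f_sae = sae if sae > 1 else 1.0            # f(x)

    def weight(x):                             # weight(x)
        return x if x / dt > theta else 0

    # Port(SH_i): distinct source ports; Port(DH_j): distinct destination ports
    port_sh = sum(weight(len({p.sport for p in pk})) for pk in shs.values())
    port_dh = sum(weight(len({p.dport for p in pk})) for pk in dhs.values())
    s, d, m = len(shs), len(dhs), len(ifs)
    return f_sae * (abs(s - d) + port_sh + port_dh) / (m + 1)


# Constructed sample windows (not from the paper's data set).
def normal_window():
    """Two clients exchange request/response pairs with a server: all IFs."""
    return [
        Packet(0.00, "10.0.0.11", 40001, "10.0.0.1", 80),
        Packet(0.01, "10.0.0.1", 80, "10.0.0.11", 40001),
        Packet(0.02, "10.0.0.12", 40002, "10.0.0.1", 80),
        Packet(0.03, "10.0.0.1", 80, "10.0.0.12", 40002),
    ]


def attack_window():
    """Same background traffic plus five unanswered sources, each sending
    four packets with distinct source ports to a single victim address."""
    pkts = normal_window()
    for z in range(5):
        for k in range(4):
            pkts.append(Packet(0.04 + 0.001 * (4 * z + k),
                               f"198.51.100.{z + 1}", 50000 + 4 * z + k,
                               "10.0.0.9", 80))
    return pkts


if __name__ == "__main__":
    for name, win in (("normal", normal_window()), ("attack", attack_window())):
        print(f"{name:7s} IFI = {ifi(win, dt=0.1, theta=10):.3f}")
```

For the constructed windows the normal window gives IFI = 0 (no HFs at all), while the attack window gives S = 5, D = 1, M = 3 and a much larger IFI, which is the separation the text argues for.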
3 DDoS Attack Detection Method
When the attack flows are relatively small against massive normal background flows, IFI will be small. Conversely, because network noise or other non-attack uncertainty may cause packet loss, delay or jitter, the IFI of normal flows will show abnormal changes at some times. Hence, we propose an efficient detection method based on IFI time series (DADF).
3.1 DDoS Attack Detection Model
Assume that the sliding detection window size is W, the sampling time period is Δt, the sampled IFI time series of network flow F is a1, a2, …, aW, and the attack threshold is H. G(x, y) denotes x > y, F(x) denotes that x is an abnormal value, and the FDD (IFI-based DDoS Attack Detection Model) is defined as:

$$\forall i,\ i \ge W,\ G(a_{i-W+1}, H) \wedge G(a_{i-W+2}, H) \wedge \cdots \wedge G(a_i, H) \rightarrow F(a_i) \qquad (3)$$

$$\forall i,\ i > 1,\ F(a_{i-1}) \wedge G(a_i, H) \rightarrow F(a_i) \qquad (4)$$

Rule (3) states that ai is an abnormal value if each of the W values ai−W+1, …, ai exceeds H. Rule (4) states that ai is an abnormal value if ai−1 is abnormal and ai exceeds H. Rule (3) is the premise of rule (4), and rule (4) helps to decrease the number of judgments the detection system makes. In real-time applications, the sliding detection window moves forward one step each time the detection for the current IFI is completed.
3.2 Adaptive Parameter Estimation Algorithm
In real applications, it is hard to specify the proper FDD parameters manually because of differences in sampling time interval, kinds of normal traffic, network environments and application requirements. We present an adaptive parameter estimation algorithm.
Algorithm 1. The adaptive parameter estimation algorithm
Input: an initial sample A, the smoothed series R of A, the average value RMean of R, the maximum value RMax of R, a stopping criterion C, an ideal false alarm rate IFA.
Output: sliding detection window size W, attack threshold H, real false alarm rate RFA, and the graph of the change of RFA as H increases.
Processing procedure:
1. Initialize the related variables;
2. While (criterion C is not satisfied) {
3.   Initialize the related variables;
4.   H = RMean;
5.   While (RFA < IFA and H ≤ RMax) {
6.     Detect sample A using the FDD model;
7.     Calculate the real false alarm rate RFA;
8.     H = H + RMean;
9.     return H, RFA; }
10.  W = W + 1;
11.  return W; }
Sample the normal network flow F with a time interval Δt and calculate the IFI of each sample; after N samples, an IFI time series sample A(N, Δt) = {IFIi, i = 1, 2, …, N} is obtained, where N is the length of the series. Let IFIi = ai, i = 1, 2, …, N, then use the locally weighted linear regression smoothing method (Loess) [15] to smooth the sample and eliminate the random noise of sample A. Loess is a locally weighted scatter plot smoother using linear least squares fitting and a second-degree polynomial. We specify the span of Loess as 2W+1 (W is the size of the sliding detection window). Assume a1, a2, …, an are transformed into r1, r2, …, rm by the Loess smoothing method; calculate the average value of r1, …, rm, denoted RMean, and their maximum value, denoted RMax. A network flow state is defined as the normal state when IFI ≤ RMean, the quasi-abnormal state when RMean < IFI ≤ RMax, and the abnormal state when IFI > RMax. If the attack threshold can be set between RMean and RMax, namely detecting attacks in the quasi-abnormal state, the detection rate will increase drastically. However, the premise is that the false alarm rate must stay within a viable span. The process of the adaptive parameter estimation algorithm is given in Algorithm 1.
3.3 Alert Evaluation Mechanism
The causes of abnormal changes in the IFI states of network flows include DDoS attacks as well as congestion and other reasons. Hence, our detection system employs an alert evaluation mechanism based on alert frequency and time interval: when U (U ≥ 1) anomalous values are detected within a specified time interval ΔT (ΔT ≥ 0), the system generates an alarm. The values of ΔT and U may be set dynamically according to the network security situation, because larger ΔT and U decrease the risk of false alarms, but the time efficiency decreases too.
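An added Python example (not the authors' code) of Sect. 3 end to end: the FDD rules (3) and (4) over an IFI series, the alert evaluation of Sect. 3.3 with U and ΔT, and the threshold sweep of steps 4 to 8 of Algorithm 1 for a fixed W. The IFI series, W = 3, H = 1.0 and Δt = 0.1 s are constructed, and Loess smoothing is omitted (RMean and RMax are taken from the raw sample).

```python
from statistics import mean


def fdd_flags(series, W, H):
    """FDD model: return F(a_i) for every sample a_i of the IFI series.
    Rule (3): a_i is abnormal when the W values a_{i-W+1}, ..., a_i all exceed H.
    Rule (4): a_i is abnormal when a_{i-1} was abnormal and a_i exceeds H.
    Rule (4) is tried first because it needs a single comparison."""
    flags = []
    for i, a in enumerate(series):
        exceeds = a > H
        rule4 = exceeds and i > 0 and flags[i - 1]
        rule3 = (not rule4 and exceeds and i >= W - 1
                 and all(x > H for x in series[i - W + 1:i + 1]))
        flags.append(bool(rule4 or rule3))
    return flags


def alarms(flags, dt, U=1, delta_T=0.0):
    """Alert evaluation (Sect. 3.3): raise an alarm at sample i when at least U
    anomalies fall inside the interval delta_T ending at i. The interval is
    measured in samples (round(delta_T / dt)) to avoid floating-point drift
    in timestamps. Assumption made here: the anomaly list is cleared after an
    alarm, so one burst of anomalies produces one alarm."""
    span = int(round(delta_T / dt))
    recent, out = [], []
    for i, abnormal in enumerate(flags):
        if not abnormal:
            continue
        recent = [j for j in recent if i - j <= span]
        recent.append(i)
        if len(recent) >= U:
            out.append(i)
            recent = []
    return out


def false_alarm_curve(normal_series, W):
    """Steps 4-8 of Algorithm 1 for a fixed W: start at H = RMean and step by
    RMean while H <= RMax, recording the real false alarm rate RFA of the FDD
    model on the normal sample at each H. The stopping criterion C and the
    search over W are left to the caller."""
    r_mean, r_max = mean(normal_series), max(normal_series)
    curve, H = [], r_mean
    while H <= r_max:
        rfa = sum(fdd_flags(normal_series, W, H)) / len(normal_series)
        curve.append((H, rfa))
        H += r_mean
    return curve


# Constructed IFI time series (not from the paper's data set), dt = 0.1 s.
NORMAL_IFI = [2, 3, 1, 4, 4, 5, 2, 1, 3, 9]                       # one lone noise spike
MIXED_IFI = [0.1, 0.2, 0.1, 5.0, 7.0, 9.0, 8.0, 0.2, 0.1, 6.0]    # burst at samples 3..6

if __name__ == "__main__":
    print("RFA versus H on the normal sample:", false_alarm_curve(NORMAL_IFI, W=3))
    flags = fdd_flags(MIXED_IFI, W=3, H=1.0)
    print("F(a_i):", flags)
    print("alarms (U=1, dT=0):", alarms(flags, dt=0.1))
    print("alarms (U=2, dT=0.1):", alarms(flags, dt=0.1, U=2, delta_T=0.1))
```

Note that the lone spike at the end of NORMAL_IFI is never flagged with W = 3, while the isolated sample 6.0 at the end of MIXED_IFI is also suppressed: rule (3) needs W consecutive exceedances and rule (4) needs an already abnormal predecessor.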
4 Experiments and Results
The experiments used the normal flow data of 1999 and the DDoS flow data LLDoS2.0.2 of 2000 from the MIT Lincoln Lab [16].
4.1 Feature
The IFI time series and the number of packets (traffic size) of the corresponding traffic of the normal flows, obtained by repeated sampling and calculation, are depicted in Figure 1. Similarly, the results for the abnormal flows are depicted in Figure 2. From Figures 1 and 2 we can see that IFI time series are sensitive to attack flows, and are magnified for attack flows using randomized destination ports, while they are steady and small for normal flows. As depicted in Figure 2, there are a few IFIs whose size is smaller than the size of the attack traffic; the main reason is that the few normal flows that were answered become IFs within a certain Δt. So the sampling period can influence the IFI state of abnormal flows containing DDoS attack flows, and it can be given a proper size according to the quality of network service.
[Figure 1 (four panels): IFI of Normal Flow and Size of Normal Traffic versus Time Sample Point, at sampling periods 1/0.01 s and 1/0.1 s]
Fig. 1. IFI time series and traffic of 1999 normal flow
[Figure 2 (four panels): IFI of Normal Flow / IFI of Attack Flow and Size of Normal Traffic / Size of Attack Traffic versus Time Sample Point, at sampling periods 1/0.01 s and 1/0.1 s]
Fig. 2. IFI time series of LLDoS2.0.2-Inside network flow
[Figure 3 (four panels): IFI of Normal Flow / IFI of Attack Flow and Size of Normal Traffic / Size of Attack Traffic versus Time Sample Point, at sampling periods 1/0.01 s and 1/0.1 s]
Fig. 3. IFI time series of LLDoS2.0.2-Outside network flow
We obtained attack flows from the attack flow data LLSDDOS2.0.2-Outside.dump, and simulated the attack flows sent by "zombies" in an indirect DDoS attack. Figure 3 shows that, for an indirect DDoS attack, IFI is sensitive to the attack flows and is magnified because of the randomized source ports used.
4.2 Performance Comparison
We compared the IFI algorithm with previous similar work, one of which is the Entropy of Feature Distributions (EFD) method [6]. Setting the sampling period Δt to 0.1 s, we obtained the IFI and EFD time series of normal flows; then, mixing the normal flows with attack flows, we obtained the IFI and EFD time series of abnormal flows. In Figure 4, the vertical axis represents the detection rate and the false positive rate, and the horizontal axis represents the number of normal packets divided by the number of attack packets. The detection results of IFI with an SVM classifier and of EFD with an SVM classifier are shown in Figure 4. As the background network flows increase, the detection rate of the IFI method drops from 100% to 99.8%, with an average detection rate of 99.9%. The results demonstrate that the IFI method can effectively identify abnormal flows and is insensitive to large normal background flows, so it can be deployed at attack sources, intermediate nodes and terminal equipment to detect attacks. The main reason for false negatives is the network state shift caused by random network noise. The false alarm rate of the IFI method increases from 0.0% to 2.5%, with an average false alarm rate of 2.1%. The results show that the IFI method can accurately identify normal flows and does not lead to a high false positive rate under large normal flows. The main reasons for false positives are two: (1) random network noise; (2) network delay and packet loss. EFD is designed to extract the distributed IP address features of DDoS attacks using a four-dimensional characteristic vector, and it calculates the feature values without distinguishing normal flows from attack flows. IFI, by contrast, is designed to extract the multiple features of normal flows and DDoS attack flows using a one-dimensional characteristic vector; it helps to separate attack flows from normal flows effectively and calculates their characteristic values separately, so as to reduce the interference of normal flows. By comparison, the IFI method has fewer false negatives and false positives, and the IFI algorithm is efficient for DDoS attack detection.
[Figure 4: False Alarm Rate and Detection Rate (%) of IFI and of EFD versus Increase Multiple of Network Flow (1 to 10)]
Fig. 4. Comparison of different algorithms
[Figure 5: False Alarm Rate and Detection Rate (%) of IFI based on SVM and of IFI based on FDD versus Increase Multiple of Network Flow (1 to 10)]
Fig. 5. Comparison of different detection methods
We compared the DADF method with the IFI-based SVM method under the same conditions as above. Furthermore, for fairness to both methods, the abnormal alert time interval ΔT was set to zero and the number of anomalies U was set to one. The results are shown in Figure 5. For the DADF method, the detection rate is 100% for each test; as the background network flows increase, the false alarm rate of the DADF method increases from 0.0% to 0.1%, with an average false alarm rate of 0.1%. The results show that the DADF method has a higher detection rate and lower false alarm rate compared with the IFI-based SVM method.
The IFI-based SVM method judges the IFI of the current network flow in isolation, whereas the DADF method judges the IFI of the current network flow by associating it with the states of the IFI time series; the sliding detection window size W was three in this experiment. In summary, IFI can be used to distinguish normal flows from DDoS attack flows, and DADF can effectively detect DDoS attacks under large normal background flows.
5 Conclusions
DDoS attacks can cause severe disruption to the stability of the Internet. In this paper, we propose an IFI algorithm based on multi-feature fusion. Using IFI time series to describe the state of network flows, we propose an efficient DDoS attack detection method based on IFI time series (DADF). DADF obtains its model parameters from training samples of normal flows by an adaptive parameter estimation algorithm and detects DDoS attacks by correlating the states of the IFI time series, together with an alert evaluation mechanism. Analyses and experimental results show that IFI can be used to identify DDoS attack flows, and that DADF can quickly detect DDoS attacks with a higher detection rate and lower false alarm rate under relatively large normal background flows. In future work, we will explore how to use our method to defend against DDoS attacks.
Acknowledgments. This work is supported by National Science Foundation of China (60970034, 60603062, 60603015), Scientific Research Fund of Hunan Provincial Education Department (07C718), the Foundation for the Author of National Excellent Doctoral Dissertation (2007B4), Science Foundation of Hunan Provincial (06JJ3035), Application of Innovation Plan Fund of the Ministry of Public Security (2007YYCXHNST072).
References
1. Handley, M.: DoS-resistant Internet subgroup report. Internet Architecture WG (2005)
2. Macia, G., Diaz, J.E., Garcia, P.: Evaluation of a low-rate DoS attack against application servers. Computers & Security 27(7-8), 335–354 (2008)
3. Abdelsayed, S., Glimsholt, D., Leckie, C., et al.: An efficient filter for denial-of-service bandwidth attacks. In: Proceedings of the 46th IEEE GLOBECOM, pp. 1353–1357 (2003)
4. Wang, H., Zhang, D., Shin, K.G.: Detecting SYN flooding attacks. In: Proceedings of IEEE INFOCOM 2002, pp. 1530–1539 (2002)
5. Mirkovic, J., Wang, M., Reither, P., et al.: SAVE: Source address validity enforcement protocol. In: Proceedings of IEEE INFOCOM 2002, pp. 1557–1566 (2002)
6. Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies Using Traffic Feature Distributions. In: Proceedings of ACM SIGCOMM, Philadelphia, Pennsylvania, USA (2005)
7. Cheng, C.M., Kung, H.T., Tan, K.S.: Use of spectral analysis in defense against DoS attacks. In: Proceedings of IEEE GLOBECOM 2002, pp. 2143–2148 (2002)
8. Lakhina, A., Crovella, M., Diot, C.: Diagnosing Network-Wide Traffic Anomalies. In: Proceedings of ACM SIGCOMM, Portland, Oregon, USA (August 2004)
9. Cheng, J., Yin, J., Liu, Y., et al.: Detecting Distributed Denial of Service Attack Based on Address Correlation Value. Journal of Computer Research and Development (2009)
10. Cheng, J., Yin, J., Liu, Y., et al.: DDoS attack detection Algorithm using IP Address Features. In: Deng, X., Hopcroft, J.E., Xue, J. (eds.) FAW 2009. LNCS, vol. 5598. Springer, Heidelberg (2009)
11. Cheng, J., Yin, J., Wu, C., et al.: DDoS Attack Detection Method Based on Linear Prediction Model. In: Huang, D.-S., et al. (eds.) ICIC 2009. LNCS, vol. 5754, pp. 1004–1013. Springer, Heidelberg (2009)
12. Chen, Y., Hwang, K., Ku, W.-S.: Collaborative Detection of DDoS Attacks over Multiple Network Domains. IEEE Trans. on Parallel and Distributed Systems (2007)
13. Chen, F., Zhou, V., Leckie, C., et al.: Decentralized multi-dimensional alert correlation for collaborative intrusion detection. Journal of Network and Computer Applications (2009)
14. Manikopoulos, C., Papavassiliou, S.: Network intrusion and fault detection: A statistical anomaly approach. IEEE Commun. Mag. 40(10), 76–82 (2002)
15. Cleveland, W.S., Devlin, S.J.: Locally Weighted Regression: An Approach to Regression Analysis by Local Fitting. Journal of the American Statistical Association (1988)
16. http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html
Researching on Cryptographic Algorithm Recognition Based on Static Characteristic-Code
Tie-Ming Liu, Lie-hui Jiang, Hong-qi He, Ji-zhong Li, and Xian Yu
National Digital Switching System Engineering & Technology Research Center, Zhengzhou, Henan Province 450002, China
[email protected]
Abstract. Recognizing cryptographic algorithms in binary code plays an important role in checking malicious code and protecting the security of computer systems. This paper first introduces the current state of algorithm recognition and characteristic-code checking, uses software reverse-engineering technology to extract the characteristic-codes of various cryptographic algorithms, and builds a static characteristic database of cryptographic algorithms. The paper then applies the Boyer-Moore matching algorithm to design a scanning tool for cryptographic algorithms, tests its efficiency and discusses its reliability; finally, the paper points out the direction of development for algorithm recognition and the technologies that will be adopted in the field of software reverse engineering.
Keywords: Algorithm Recognition, Cryptographic Algorithm, Characteristic-code, Disassemble, Decompile.
1 Introduction
In the field of communication and computer security, the security of data transmission and software systems often depends on cryptographic algorithms, and at the same time viruses and Trojans also use the protection mechanism of cryptographic algorithms to hide their static characteristics. Recognizing the cryptographic algorithm in binary code can play an active role in checking malicious code and protecting computer security. Research on algorithm recognition, which belongs to the category of program understanding [1], mainly concerns optimizing code and analyzing programs based on source code. Prof. Robert Metzger at MIT has already adopted an automated recognizing and replacing system based on AST (Abstract Syntax Tree) technology [2], with good results. Domestic researchers used a Bayes decision model [3] to recognize whether a cryptographic algorithm is contained in a target file. This method needs a large number of executable code samples, takes subroutines as the basic unit of recognition, and cannot locate the specific cryptographic algorithm. The cryptographic algorithm recognition technology based on characteristic-code checking proposed in this paper can effectively search for cryptographic algorithms in target binary files and mark their names.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 140–147, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Associated Research
2.1 The Characteristic-Code Checking Technology
Static characteristic-code checking is typically applied in virus detection and recognition. In this method, the known characteristic-codes of specific viruses are collected in a database, and the virus checking engine analyzes the target file to check whether a virus is in the file, according to the characteristic-codes stored in the database. The reliability of static characteristic-code checking depends on the static characteristic-code database, so anti-virus software must update its virus database regularly to catch new viruses and their variants. There are many strategies for locating the characteristic-code of a new virus, and different anti-virus vendors use different strategies. The crucial module in the anti-virus engine is the characteristic-code database, because the accuracy and timeliness of characteristic-code extraction greatly affect anti-virus efficiency. Document [4] gives three methods for extracting the characteristic-code: the MD5 format, the string format and the two-segment checksum format.
2.2 The Algorithm Recognition Technology
In the field of reverse engineering, algorithm recognition is studied at the binary level, the assembly level and the high-level-language level. The levels of algorithm recognition in reverse engineering and the overall framework are shown in Figure 1. Algorithm recognition at the binary level uses a static characteristic-code to mark an algorithm. This technology is used for checking viruses and is seldom seen in algorithm recognition. This paper applies static characteristic-codes to algorithm recognition after studying the mechanisms of cryptographic algorithms.
Algorithm recognition at the assembly level needs to disassemble the binary file [5], using mutual disassembly and heuristic algorithms to increase precision. Usually, this level of algorithm recognition is achieved statistically, so large numbers of samples are required; semantic analysis can effectively mark the dynamic execution process, and this technology can increase the precision and reliability of recognition. But there is no corresponding achievement at home or abroad yet. Algorithm recognition at the high-level-language level needs to decompile the target files, based on disassembly, to improve program readability [6]. So far, Hex-Rays, developed by Hex-Rays SA, is one of the mature decompilers. This software can decompile partly and completely under the x86 instruction set, so algorithm recognition on source code in program understanding can serve as a reference. The target of recognition is the high-level language produced by the decompilation result. This research is seldom seen at home or abroad.
[Figure 1: a flow from the binary code segment through the disassembler (disassembly result) to the decompiler (decompiler result), with algorithm recognition at each level: recognition based on characteristic-code and data mining at the binary level, recognition based on semantics and statistics at the assembly level, and recognition based on AST and characteristic expression at the high-level-language level]
Fig. 1. The algorithm recognition in reverse engineering and its key technologies
3 Extracting the Characteristic-Code from Cryptographic Algorithms
Extracting the characteristic-code from cryptographic algorithms is important because the precision of recognition depends on its reliability. Cryptographic algorithms [7] use static characteristic-codes such as initialization link values, addition constants, S boxes, interchange boxes and large prime numbers, and when the standard cryptographic libraries are analyzed with reverse-analysis tools, these characteristic-codes are found in the code section or data section of the disassembly result. Therefore, the common cryptographic algorithms can be marked by these static characteristic-codes. The flow for constructing the static characteristic-code database is shown in Figure 2.
[Figure 2: research on the mechanism of common cryptographic algorithms; extract the characteristic-code (initialized link value, addition constants, S box, interchange box, …) from the cryptographic algorithms; build the database of cryptographic algorithm static characteristic-codes]
Fig. 2. Framework for extracting the characteristic-code from cryptographic algorithms
Cryptographic algorithms, according to differences in cryptographic mechanism, are divided into hash algorithms, grouping (block) cipher algorithms and public key algorithms. The process of extracting characteristic-codes for the three kinds of algorithm is discussed next, with examples given to explain it in detail.
3.1 The Characteristic-Code of Hash Functions
A hash function maps an input of finite length into a fixed-length output, and its efficiency is high. The structure of a hash function is typically block iterative: the finite-length input is divided into blocks xi of r bits each, and this division needs extra padding bits to make sure that the total length is a multiple of r. Each block xi is an input of the compression function f, which takes the n-bit intermediate result and the next input block xi as parameters and computes a new n-bit intermediate result. The hash function uses an initialization value to start processing the data. Next, the static characteristic-code of SHA256 is introduced as an example. The SHA256 algorithm creates hash values of 256 bits. During the initial period, 8 initialized 32-bit numbers are used: 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19. SHA256 implementations may finish the above initialization in different ways. However, the 8 constants are unchangeable, so the 8 initialized 32-bit link values are chosen as the static characteristic-codes. After extracting the characteristic-code, the target file is scanned. If all of the 8 initialized 32-bit link values defined by the SHA256 algorithm match values in the target code, the SHA256 algorithm is contained in the target file. For example, the code segment shown in Figure 3 contains all 8 constants. Because of the appearance of the above characteristic-code, it is conjectured that this file contains the SHA256 algorithm. By disassembling and analyzing this file, it can be confirmed that the function of this code is the initialization of the SHA256 algorithm.

00401225 8B442404        mov  eax,[esp+ARG_0]
00401229 83602000        and  dword ptr [eax+20H],0
0040122D 83602400        and  dword ptr [eax+24H],0
00401231 C70067E6096A    mov  dword ptr [eax],6A09E667H
00401237 C7400485AE67BB  mov  dword ptr [eax+4],0BB67AE85H
0040123E C7400872F36E3C  mov  dword ptr [eax+8],3C6EF372H
00401245 C7400C3AF54FA5  mov  dword ptr [eax+0CH],0A54FF53AH
0040124C C740107F520E51  mov  dword ptr [eax+10H],510E527FH
00401253 C740148C68059B  mov  dword ptr [eax+14H],9B05688CH
0040125A C74018ABD9831F  mov  dword ptr [eax+18H],1F83D9ABH
00401261 C7401C19CDE05B  mov  dword ptr [eax+1CH],5BE0CD19H

Fig. 3. The target code segment including the static characteristic-code of the SHA256 algorithm
Because the Intel architecture is little-endian, the constants appear in the target code as the byte sequences 67E6096A, 85AE67BB, 72F36E3C, 3AF54FA5, 7F520E51, 8C68059B, ABD9831F, 19CDE05B. The static characteristic-code database of hash algorithms, which contains the codes of MD4, MD5 and SHA256, can be constructed by statistical analysis of a large number of samples.
T.-M. Liu et al.
3.2 The Characteristic-Code of Grouping Cryptographic Algorithm

The mathematical model of a grouping (block) cryptographic algorithm can be abstracted into several components: plaintext, key, encryption, ciphertext and decryption. Encryption with a grouping cipher proceeds as follows: the encoded plaintext sequence is divided into groups of equal length, and the plaintext and key sequences are input. Under the control of the key, the cryptographic algorithm outputs ciphertext groups of equal length. The ciphertext is stored and transmitted, the decryption key sequence is input, and finally the decryption algorithm outputs plaintext of equal length under the control of the key.

An implementation of a grouping cipher uses S boxes and permutation boxes as constants. Next, the AES grouping algorithm is taken as an example to show how an S box appears in a target file. The S box, which is used for table lookup when encrypting a group, is defined as a static array. For example, the S box in an AES implementation is typically defined as:

    static const u32 Sbox0[256] = {
        0xC66363A5, 0xF87C7C84, 0xEE777799, 0xF67B7B8D, 0xFFF2F20D,
        0xD66B6BBD, 0xDE6F6FB1, 0x91C5C554, 0x60303050, 0x02010103,
        0xCE6767A9, 0x562B2B7D, 0xE7FEFE19, 0xB5D7D762, 0x4DABABE6,
        ……
    };  // S box of AES

The S box is used as a characteristic word for scanning and checking a target file. If the S box defined by the AES grouping cryptographic algorithm matches some data in the file, the target file probably contains the AES algorithm. For instance, the S box appears in the data section shown in Figure 4, so the conjecture is reasonable.

    10004170 DATA 00 00 00 00 00 00 00 00 A5 63 63 C6 84 7C 7C F8
    10004180 DATA 99 77 77 EE 8D 7B 7B F6 0D F2 F2 FF BD 6B 6B D6
    10004190 DATA B1 6F 6F DE 54 C5 C5 91 50 30 30 60 03 01 01 02
    100041A0 DATA A9 67 67 CE 7D 2B 2B 56 19 FE FE E7 62 D7 D7 B5
    100041B0 DATA E6 AB AB 4D 9A 76 76 EC 45 CA CA 8F 9D 82 82 1F

Fig. 4. The target data section including the S box of the AES algorithm
After disassembling the target code and analyzing the result, the AES grouping cryptographic algorithm is confirmed to be present. To improve matching efficiency, it is not necessary to use the whole S box as the characteristic-code when constructing the static characteristic-code database; as long as accuracy is not affected, a part of the S box is sufficient. The static characteristic-code database of grouping cryptographic algorithms, which contains the codes of DES, AES, RC5 and RC6, can be constructed by statistical analysis of a large number of samples.
Researching on Cryptographic Algorithm Recognition
3.3 The Characteristic-Code of Public Key Cryptographic Algorithm

A public key cipher is characterized by a trapdoor one-way function. A function f is one-way if, for any x in the domain of f, f(x) is easy to compute, while for any y in the range of f, f^{-1}(y) cannot be obtained even when f is known. If, however, f^{-1}(y) can be computed once some auxiliary information (the trapdoor information) is given, then f is a trapdoor one-way function. The public key mechanism is designed on this principle, and the auxiliary (trapdoor) information is the key. The security of this kind of cipher relies on computational complexity under realistic conditions. Currently there are two categories of popular public key mechanisms: one is based on factoring large integers, of which RSA is the typical example; the other is based on the discrete logarithm, for example the ElGamal public key system and the elliptic curve public key mechanism.

Public key mechanisms have many static characteristics [8]. RSA relies on large integer factoring, so many large prime numbers appear in an implementation. The characteristic of large prime numbers in target code is introduced with RSA as the example. The code that generates large primes usually contains a small prime number table, so the small primes appear in the data section as magic numbers, as shown in Figure 5.

    17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00
    29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00
    3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00
    49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00
    61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00

Fig. 5. Example of small prime numbers appearing in the data section
Generally, the bit size of a multiprecision integer must be found as quickly as possible, so a lookup table of 256 bytes is used to avoid checking each bit of a byte individually. This lookup table and the small prime number code segment can therefore be regarded as static characteristic-codes marking a public key cryptographic algorithm. By statistical analysis of many samples, the static characteristic-code database of public key cryptographic algorithms, containing RSA, DSA, ElGamal, etc., is constructed.
4 The Matching Algorithm of Cryptographic Algorithm Recognition

The quality of the matching algorithm directly affects recognition efficiency. In the common matching algorithm, the shift after a mismatch does not take full advantage of the information gained from the comparison. Suppose the length of the target string is n and the length of the pattern string is m; the time complexity is then O(nm+1). The Boyer-Moore algorithm [9] introduces two functions, F(x) and G(x), in order to make full use of the information available when shifting. F(x) is the table giving the position at which every
letter of the alphabet is last met when counting from the right end of the pattern string x. G(x) is also a table, giving for each possible suffix of x the position where it occurs a second time, counting from the right. The implementation of the Boyer-Moore algorithm is shown in Figure 6.

    Begin
        initialize A, x, text, n ← Length[text], m ← Length[x]
        F(x) ← Last-Occurrence Function
        G(x) ← Good-Suffix Function
        s ← 0;
        while s ≤ n−m do
            j ← m;
            while j > 0 and x[j] = text[s+j] do
                j ← j−1;
            if j = 0 then
                Output the Location;
                s ← s + G(0);
            else
                s ← s + max[G(j), j − F(text[s+j])];
        return
    end

Fig. 6. Boyer-Moore algorithm
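The scanning step of Sections 3.1 to 3.3 and the matcher of Figure 6, as an added example (not code from the paper): the unchangeable constants are stored as the little-endian byte images an x86 build emits and located with a Boyer-Moore byte matcher. The target buffer is constructed from the byte columns of Figures 3, 4 and 5; the signature set and the name "RSA/bignum" are assumptions for illustration.

```python
"""Static characteristic-code scanning with a Boyer-Moore byte matcher.

Added example, not the paper's code.  The constants an implementation cannot
change (SHA-256 initial values, the first words of the AES Sbox0 table, a
small-prime table of big-number code) are searched for in a constructed
buffer assembled from the bytes shown in Figs. 3, 4 and 5.
"""
import struct


def last_occurrence(pattern: bytes) -> dict:
    """F(x) of Section 4: rightmost index of each byte value in the pattern."""
    return {b: i for i, b in enumerate(pattern)}


def good_suffix(pattern: bytes) -> list:
    """G(x) of Section 4: strong good-suffix shift table, indices 0..m."""
    m = len(pattern)
    shift = [0] * (m + 1)
    border = [0] * (m + 1)
    i, j = m, m + 1
    border[i] = j
    while i > 0:
        while j <= m and pattern[i - 1] != pattern[j - 1]:
            if shift[j] == 0:
                shift[j] = j - i
            j = border[j]
        i -= 1
        j -= 1
        border[i] = j
    j = border[0]
    for i in range(m + 1):
        if shift[i] == 0:
            shift[i] = j
        if i == j:
            j = border[j]
    return shift


def boyer_moore(text: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in text (Fig. 6, all matches)."""
    n, m = len(text), len(pattern)
    if m == 0 or m > n:
        return []
    last, gs = last_occurrence(pattern), good_suffix(pattern)
    hits, s = [], 0
    while s <= n - m:
        j = m - 1
        while j >= 0 and pattern[j] == text[s + j]:
            j -= 1
        if j < 0:
            hits.append(s)
            s += gs[0]
        else:
            # shift by the larger of the good-suffix and bad-character rules
            s += max(gs[j + 1], j - last.get(text[s + j], -1))
    return hits


def le_words(words) -> bytes:
    """Little-endian byte image of a list of 32-bit words (Section 3.1)."""
    return b"".join(struct.pack("<I", w) for w in words)


SHA256_IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
             0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
AES_SBOX0_PREFIX = [0xC66363A5, 0xF87C7C84, 0xEE777799, 0xF67B7B8D]
SMALL_PRIMES = [23, 29, 31, 37, 41, 43, 47, 53]   # the dwords of Fig. 5

# name -> list of byte patterns; an algorithm is reported only when every
# pattern occurs.  The SHA-256 words are separate patterns because Fig. 3
# shows them as immediates of separate mov instructions, not a contiguous
# table; a prefix of the AES table is enough, as Section 3.2 suggests.
SIGNATURES = {
    "SHA256": [struct.pack("<I", w) for w in SHA256_IV],
    "AES": [le_words(AES_SBOX0_PREFIX)],
    "RSA/bignum": [le_words(SMALL_PRIMES)],
}


def scan(target: bytes) -> dict:
    """Map algorithm name -> first offset of each of its patterns."""
    found = {}
    for name, patterns in SIGNATURES.items():
        offsets = [boyer_moore(target, p) for p in patterns]
        if all(offsets):
            found[name] = [o[0] for o in offsets]
    return found


# Constructed target: the code bytes of Fig. 3, then the first two data rows
# of Fig. 4, then the first two rows of Fig. 5 (not a real binary).
FIG3_CODE = bytes.fromhex(
    "8B442404" "83602000" "83602400" "C70067E6096A" "C7400485AE67BB"
    "C7400872F36E3C" "C7400C3AF54FA5" "C740107F520E51" "C740148C68059B"
    "C74018ABD9831F" "C7401C19CDE05B")
FIG4_DATA = bytes.fromhex("0000000000000000A56363C6847C7CF8"
                          "997777EE8D7B7BF60DF2F2FFBD6B6BD6")
FIG5_DATA = bytes.fromhex("170000001D0000001F00000025000000"
                          "290000002B0000002F00000035000000")
TARGET = FIG3_CODE + FIG4_DATA + FIG5_DATA
```

`scan(TARGET)` reports the SHA256 constants at the offsets of the mov immediates in Figure 3, the AES table at the start of its data rows, and the prime table after them.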
5 Test and Conclusion

In order to verify the speed and reliability of characteristic-code recognition on common applications, the test platform was Windows XP on a Pentium 4 at 2.8 GHz with 512 MB of memory. The results are shown in Table 1.

Table 1. The scanning result of cryptographic algorithm characteristic-codes

No. | Scanned file               | File size (B) | Scanning time (s) | Offsets of characteristic words in the file
1   | Adobe Acrobat Acrobat.dll  | 11,866,112    | 4.719             | MD5:0060AA4D, SHA1:001A754F, SHA512:005EF891, SHA384:005EF733, AES:0087B900, RC2:0087B9A0, BASE64:007534F8, MD2:0087A1E0
2   | MS Office Exchcsp.dll      | 247,296       | 0.125             | MD5:000304F6, SHA1:00005394, DES:00009550, RC2:00009410, BASE64:000019B8, MD2:00038F50
3   | MS Office Word.exe         | 12,037,688    | 4.797             | MD5_UNICODE:00104726, SHA1_UNICODE:00104726, TEA:002C3841
4   | WinRAR 3.02 Unacev2.dll    | 75,264        | 0.047             | SHA1:0000A60A, Blowfish:000099F2
5   | UltraEdit-32 SftpDLL.dll   | 565,248       | 0.281             | Blowfish:00060FE8, CAST:00065C0C, DES:000647C8, SHA1:00020128, MD2:0007390C, MD5:00020194, RC2:00073D1C, AES:0005C320, RIPEMD:00027B79
6   | Winzip Pro WZEAY32.dll     | 856,064       | 0.328             | SHA1:00003C28, CAST:0008C6F0, DES:0008A9D0, MD5:00003C8A, RC2:000B9360, AES:0008CB19
Suppose the size of file i is g_i and its scanning time is t_i; the average speed is then η = Σg_i / Σt_i = 2.49 MB/s. The largest file in the test data is 12.037 M bytes and took 4.797 s.
The results show that this scanning tool finds the common cryptographic algorithms in target code quickly. The speed decreases as the characteristic-code database grows, but the scanning time increases only linearly, which does not affect its practicality. The probability of a collision between characteristic words is very small, so the results are highly reliable.
6 Future Works

The reliability of the method proposed in this paper, cryptographic algorithm recognition based on characteristic-code checking, depends mainly on the database of static characteristics of cryptographic algorithms, so it has definite limitations. However, in communication and in software encryption and decryption, security relies on the cryptographic algorithm itself, so users adopt standard cryptographic libraries, and because modifications to the algorithm itself are limited, the method has considerable reliability. Essentially, algorithm recognition must determine the semantics of a section of code, and deciding whether two programs are semantically equivalent has been proved NP-complete. In theory, algorithm recognition should continue to study functional descriptions of algorithm semantics and the target information extracted by reverse analysis. Techniques such as abstract algorithm description, dataflow analysis and expression restoration can be applied in this field.
References

1. Alias, C.: Program Optimization by Template Recognition and Replacement. University of Versailles Saint-Quentin (2005)
2. Metzger, R.: Automatic Algorithm Recognition and Replacement. MIT, Cambridge (2003)
3. Li, J.-z., Jiang, L.-h., Yin, Q.: Cryptogram Algorithm Recognition Technology Based on Bayes Decision-making. Computer Engineering 34(20), 159–163 (2008)
4. Jin, Q., Wu, G.-x., Li, D.: Research of anti-virus engine and automatic extraction of computer virus signatures. Computer Engineering and Design 28(24) (2007)
5. Chen, H.-w., Liu, C.-l.: Principle of Compiling. National Defense Industry Press, Beijing (2000)
6. Cifuentes, C.: Reverse Compilation Techniques. Queensland University (1994)
7. Wu, S.-z., Zhu, S.-x.: Applied Cryptography. China Machine Press, Beijing (2000)
8. Harvey, I.: Cipher Hunting: How To Find Cryptographic Algorithms In Large Binaries. nCipher Corporation Ltd. (2001)
9. Li, H.-d., Yao, T.-x.: Pattern Classification. China Machine Press, Beijing (2003)
Verification of Security-Relevant Behavior Model and Security Policy for Model-Carrying Code

Yonglong Wei, Xiaojuan Zheng, Jinglei Ren, Xudong Zheng, Chen Sun, and Zhenhao Li
School of Software, Northeast Normal University, Changchun, China
[email protected], [email protected], {jinglei.ren, dong128, bbsunchen, zhenhaolee}@gmail.com

Abstract. This article presents a method of verifying the safety of untrusted mobile code using a model of the code's security-relevant behaviors. The method verifies whether models violate users' security policies, helping users decide which programs to run and which not, and hence ensures the security of users' systems and devices. Based on the framework of model-carrying code, we make several improvements: using the extended pushdown automaton (EPDA) as the program behavior model, reducing ambiguity in regular expressions over events (REE), and proposing a new verification algorithm built on these improvements.

Keywords: mobile code security, verification, behavior model, security policy, model-carrying code.
1 Introduction
With the rapid growth in the use of the Internet and wireless networks, malware such as viruses, Trojan horses, worms and spyware spreads widely hidden in mobile code and has become a dire threat to users' information security. To meet the challenge of mobile code security, R. Sekar et al. proposed the security framework of model-carrying code (MCC) [1]. Despite the many advantages of the MCC method over traditional ones, problems remain, among which the most significant are the limited precision of the program behavior model and the ambiguity in expressing security policies. To overcome these problems and make the MCC method more practical, we make the following improvements: (1) We use the extended pushdown automaton (EPDA) to model security-relevant program behaviors. This new model features extended attributes, including a call stack and state variables, which make the PDA more precise, so that one kind of impossible path is eliminated
This work was supported by the key project of Science and Technology Planning of Jilin, P.R.China (20080323) and National Collegiate Innovative Experiment Program.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 148–156, 2009. © Springer-Verlag Berlin Heidelberg 2009
and many mimicry attacks [7] can be detected. (2) We define an extended finite state automaton (EFSA) to model the security policy and use standard greedy quantifiers for regular expressions over events (REE) [4], which eliminates much of the ambiguity in policy expression. (3) We provide a new algorithm for verifying the EPDA-based program behavior model against the EFSA-based security policy. To make the MCC framework more applicable to wireless networks and mobile code, we have also implemented a prototype system on Java Platform Micro Edition (Java ME). The paper is organized as follows: related work is introduced in Section 2; formal definitions of the program behavior model and the security policy are given in Sections 3 and 4 respectively; Section 5 gives the procedures of the verification algorithm, including an analysis of its complexity and a proof of equivalence between the defined automata; and Section 6 concludes.
2 Related Work
Researchers have proposed many approaches to securing the execution of untrusted code, mostly based on static analysis or runtime monitoring. Prevalent methods include sandboxing [5], code signatures [5,6], proof-carrying code [3], and the Java security model [9]. An important common problem with these methods is that they fail to consider the gap between code producers and consumers. Code producers are unable to foresee the safety requirements of code consumers; conversely, code consumers cannot determine in advance the proper limits on a program's access to local resources, since the security policy depends largely on the program's function. R. Sekar et al. proposed the model-carrying code method [1], providing an ideal safety framework for mobile code execution; the method originates in the domain of intrusion detection. Nevertheless, R. Sekar's MCC still has defects in several respects: (1) it uses an EFSA as the program behavior model, which cannot capture a program's function call and return behavior and therefore allows impossible paths and the possibility of mimicry and evasion attacks [7]; (2) the expression of security policies using REE is ambiguous and imprecise, which may lead to extra false matches when compared against operation sequences and degrade the performance of verification.
3 Security-Relevant Behavior Model: EPDA
We employ a new way to identify the relation between calls to the same function that are triggered at different points of the program. The automaton pushes a specific symbol onto the call stack when the function is called at some point and pops the symbol when the function returns, so as to determine the next state the program reaches after the call. Specifically, we use the EPDA as the model of the security-relevant behaviors of code, which is formally defined as follows:
Definition 3.1. An EPDA is a tuple M = (Q, Σ, Γ, δ, q0, z, F, n, m, S, A, β0, con, ass), where Q is a finite set of internal states, Σ is the finite set of function names of system calls, Γ is a finite set of symbols called the stack alphabet, δ: Q × (Σ ∪ λ) × Γ → finite subsets of Q × Γ* is the transition function, q0 ∈ Q is the initial state, z ∈ Γ is the stack start symbol, F ⊆ Q is the set of final states, n is the maximal number of arguments of system calls, m is the number of state variables, S is the alphabet of a first-order language without universal and existential quantifiers whose variable symbols are v1, v2, ..., vm, p1, p2, ..., pn, A is an S-structure, β0 is the initial assignment in A, a map {v1, v2, ..., vm} → |A|, con: Q × (Σ ∪ λ) × Γ × Q × Γ* → the set of S-formulas is a function that maps each state transition to a condition, and ass: (the set of functions {v1, v2, ..., vm} → |A|) × Q × (Σ ∪ λ) × Γ × Q × Γ* × |A|^n → (the set of functions {v1, v2, ..., vm} → |A|) is the assignment function.

Let I = (Σ ∪ {λ}) × |A|^n be the input alphabet. The tuple (q, w, u, β), where q is the current state, w is the unread part of the input string, u is the stack contents and β is a map {v1, v2, ..., vm} → |A|, is called an instantaneous description of an EPDA. A move from one instantaneous description to another is denoted by the symbol ⊢. The move (q1, aw, bx, β1) ⊢ (q2, w, yx, β2) is possible if and only if
1. (q2, y) ∈ δ(q1, a(1), b), and
2. A ⊨ con(q1, a(1), b, q2, y)[β1 ∪ θ], where θ is the function {p1, p2, ..., pn} → |A|^n such that θ(pi) = a(i + 1), and
3. β2 = ass(β1, q1, a(1), b, q2, y, a(2), a(3), ..., a(n + 1)).
Since EPDA-based behavior models carry additional information about function calls and returns, they are more precise than EFSA-based ones and admit fewer impossible paths, at the price of higher complexity.
4 Security Policy: EFSA
Much as in traditional MCC, the security policy is expressed by an EFSA, but we redefine the EFSA as the following tuple so that it can be used in the formal proof and the algorithm description of Section 5.

Definition 4.1. An EFSA is defined by the tuple M = (Q, Σ, δ, q0, F, n, m, S, A, β0, con, ass),
where Q is a finite set of internal states, Σ is the finite set of function names of system calls, δ: Q × (Σ ∪ λ) → finite subsets of Q is the transition function, q0 ∈ Q is the initial state, F ⊆ Q is the set of final states, n is the maximal number of arguments of system calls, m is the number of state variables, S is the alphabet of a first-order language without universal and existential quantifiers whose variable symbols are v1, v2, ..., vm, p1, p2, ..., pn, A is an S-structure, β0 is the initial assignment in A, a map {v1, v2, ..., vm} → |A|, con is a computable function Q × (Σ ∪ λ) × Q → the set of S-formulas that maps each state transition to a condition, and ass is a computable function (the set of functions {v1, v2, ..., vm} → |A|) × Q × (Σ ∪ λ) × Q × |A|^n → (the set of functions {v1, v2, ..., vm} → |A|). If ass(β, q1, a, q2, π1, ..., πn) = β, then ass is called the trivial assignment.

Let I = (Σ ∪ {λ}) × |A|^n be the input alphabet. The tuple (q, w, β), where q is the current state, w is the unread part of the input sequence, and β is a map {v1, v2, ..., vm} → |A|, is called an instantaneous description of an EFSA. A move from one instantaneous description to another is denoted by the symbol ⊢. The move (q1, aw, β1) ⊢ (q2, w, β2) is possible if and only if
1. q2 ∈ δ(q1, a(1)), and
2. A ⊨ con(q1, a(1), q2)[β1 ∪ θ], where θ is the function {p1, p2, ..., pn} → |A|^n such that θ(pi) = a(i + 1), and
3. β2 = ass(β1, q1, a(1), q2, a(2), a(3), ..., a(n + 1)).

Moves involving an arbitrary number of steps are denoted by ⊢*. Where several automata are under consideration we write ⊢_M to emphasize that the move is made by the particular automaton M.
5 Formal Verification of EPDA and EFSA

5.1 Finding an Equivalent EFSA for an EPDA
Behavior models of code are based on the EPDA while security policies are based on the EFSA. To verify whether models satisfy policies, we need to build a product automaton of the EPDA and the EFSA, which requires finding an equivalent EFSA for the EPDA. The proof of their equivalence is given below.

Definition 5.1. The language accepted by an EPDA M is the set L(M) = {w ∈ I* : (q0, w, z, β0) ⊢*_M (p, λ, u, β), p ∈ F, β a map {v1, v2, ..., vm} → |A|}.
Definition 5.2. The language accepted by an EFSA M is the set L(M) = {w ∈ I* : (q0, w, β0) ⊢*_M (p, λ, β), p ∈ F, β a map {v1, v2, ..., vm} → |A|}.

Theorem 5.1. For any EPDA M, there is an EFSA M′ such that L(M) = L(M′).

Proof. Suppose M = (Q, Σ, Γ, δ, q0, z, F, n, m, S, A, β0, con, ass). Construct M′ = (Q′, Σ′, δ′, q0′, F′, n′, m′, S′, A′, β0′, con′, ass′) as follows:
- Q′ = Q × Γ × (range(δ) ∪ {z});
- Σ′ = Σ;
- δ′: Q′ × (Σ ∪ λ) → finite subsets of Q′, with q2 ∈ δ′(q1, a) if and only if (q2(1), q2(3)) ∈ δ(q1(1), a, q1(2));
- q0′ = (q0, z, z);
- F′ = {q ∈ Q′ : q(1) ∈ F};
- n′ = n, m′ = m;
- S′ = S ∪ {St, link, top}, where St is a variable symbol, link a binary function symbol and top a unary function symbol;
- A′ is an extension of A such that |A′| = |A| ∪ Γ*, and for aw, v ∈ Γ*, top^{A′}(aw) = a and link^{A′}(aw, v) = vw;
- β0′ = β0 ∪ {(St, z)};
- con′(q1, a, q2) = con(q1(1), a, q1(2), q2(1), q2(3)) ∧ top(St) = q1(2) ∧ top(link(St, q2(3))) = q2(2);
- ass′: (the set of functions of the form ({v1, v2, ..., vm} → |A|) ∪ {(St, w ∈ Γ*)}) × Q′ × (Σ ∪ λ) × Q′ × |A|^n → (the set of functions of the same form), such that ass′(β ∪ {(St, w)}, q1, a, q2, t ∈ |A|^n) = ass(β, q1(1), a, q2(1), t) ∪ {(St, link(w, q2(3)))}.

We now only need to prove that for any w ∈ I*, (q0, w, z, β0) ⊢^k_M (p, λ, u, β) for some p ∈ F if and only if (q0′, w, β0′) ⊢^k_{M′} (p′, λ, β′) for some p′ ∈ F′. The proof is by induction:
1. Base case: for the initial instantaneous description (q0, w, z, β0) of M, M′ has an initial instantaneous description of the form ((q0, z, t), w, β0 ∪ {(St, z)}) for some t ∈ Γ*.
2. Induction step: (q1, ax, by, β1) ⊢_M (q2, x, vy, β2) if and only if (q2, v) ∈ δ(q1, a(1), b), A ⊨ con(q1, a(1), b, q2, v)[β1 ∪ θ] where θ is the function {p1, ..., pn} → |A|^n such that θ(pi) = a(i + 1), and β2 = ass(β1, q1, a(1), b, q2, v, a(2), a(3), ..., a(n + 1)); if and only if (q2, v) ∈ δ(q1, a(1), b), A′ ⊨ con(q1, a(1), b, q2, v) ∧ top(St) = b ∧ top(link(St, v)) = top(vy) [β1 ∪ θ ∪ {(St, by)}] with the same θ, and β2 ∪ {(St, vy)} = ass(β1, q1, a(1), b, q2, v, a(2), a(3), ..., a(n + 1)) ∪ {(St, link(by, v))} = ass(β1, q1, a(1), b, q2, v, a(2), a(3), ..., a(n + 1)) ∪ {(St, link(β(St), v))} where β = β1 ∪ {(St, by)}; and, by the construction of M′, if and only if ((q1, b, t), ax, β1 ∪ {(St, by)}) ⊢_{M′} ((q2, top(vy), v), x, β2 ∪ {(St, vy)}) for some t ∈ Γ*.

We have thus proved that (q0, w, z, β0) ⊢^k_M (p, x, u, β) if and only if (q0′, w, β0′) ⊢^k_{M′} ((p, top(u), t), x, β ∪ {(St, u)}) for some t ∈ Γ*, for all k ∈ N.
Further, (q0, w, z, β0) ⊢^k_M (p, λ, u, β) for some p ∈ F and u ∈ Γ* if and only if (q0′, w, β0′) ⊢^k_{M′} ((p, top(u), t), λ, β ∪ {(St, u)}) for some p ∈ F, some t ∈ Γ* and u ∈ Γ*, if and only if (q0′, w, β0′) ⊢^k_{M′} (p′, λ, β′) for some p′ ∈ F′. End of Proof.

The proof of Theorem 5.1 demonstrates that the EPDA has no more descriptive power than the EFSA and also shows how to construct the equivalent EFSA for an EPDA.

5.2 Improvements to REE
It is inconvenient and inefficient for users to define policies directly as EFSA, for lack of an easy and interactive notation. MCC therefore introduces regular expressions over events (REE) [4] to express and define security policies; an REE can be efficiently transformed into an equivalent EFSA. However, there may be more than one way for a sequence of function calls to be matched by a pattern. We reduce the ambiguity in policy expression by using the standard quantifiers in REE: the default matching mode is greedy, and the control symbol ? selects a non-greedy mode. For example, the policy pattern P3 = a*?(a(x)|x = 3, n := x)a* indicates n = 3. There are several algorithms to transform an REE into an EFSA; a straightforward one transforms the REE into an NFA first and then the NFA into a DFA. For an REE of length m, this algorithm takes O(2^m) time [8].

5.3 Algorithms for Verification
Suppose EPDA m is the security-relevant behavior model of the code, EFSA p is a policy and EFSA v is the matching result of m and p:

m = (Qm, Σm, Γm, δm, qm0, zm, Fm, nm, mm, Sm, Am, βm, conm, assm)
p = (Qp, Σp, Γp, δp, qp0, Fp, np, mp, Sp, Ap, βp, conp, assp)
v = (Qv, Σv, Γv, δv, qv0, Fv, nv, mv, Sv, Av, βv, conv, assv)

where (1) qv0 is the initial state of v, qv0 = join(qm0, qp0), and c = join(a, b) is a function that builds the product automaton v = m × p, c inheriting all properties of a and b; (2) Fv is the set of final states of v, Fv = Fp × Qm, Qv ∈ (Qp × Qm); (3) δv is the transition function of v, a subset of Qv × (Σv ∪ λv) × Γv → Qv × Γv*, created by the algorithm Merge Transitions. If there are feasible paths in the product v that lead to final states, then the policy is violated and v points out all such violations; otherwise the model m is considered safe. The verification phase thus has two steps: building the product of the two automata, and exploring the feasible paths to the final states.
Product of EFSA and EPDA

Algorithm: Merge Transitions
1. for each tm ∈ δm, tp ∈ δp
2. as described in Definition 3.1 and Definition 4.1: if ∃tm such that (qm1, am wm, t, βm1) ⊢ (qm2, wm, t, βm2) and tp such that (qp1, ap wp, βp1) ⊢ (qp2, wp, βp2), then transitions tp and tm can be merged in the following steps, according to the result of the boolean operation on conm and conp, giving the result tv ∈ δv. Let conv = conm ∩ conp:
   (a) if conv ⊆ conm ∩ conp, create tv for v according to tp such that ((qm1, qp1), av wv, βv1) ⊢ ((qm2, qp2), wv, βv2); let assv = assm ∪ assp
   (b) if conv ⊆ conm and conv ⊄ conp, create tv for v according to tm such that ((qm1, qp1), av wv, βv1) ⊢ ((qm2, qp1), wv, βv2); let assv = assm
   (c) if conv ⊆ conp and conv ⊄ conm, create no transition for v
3. repeat steps 1) to 2) until δm or δp is empty

For an EPDA m with M states and an EFSA p with N states, this algorithm takes O((M × N)^2) time.

Algorithm: Merge States
1. for each qp ∈ Qp, qm ∈ Qm
2. create a state qv for Qv, where qv is merged from qp and qm
3. if qp == qp0 and qm == qm0 then let qv = qv0, the initial state of v;
4. if qp ∈ Fp then push qv into Fv
5. repeat steps 1) to 4) until Qp and Qm are empty
Path Exploration. In order to find a path from the start state to the final states of the resulting EFSA faster, we provide a search strategy that takes the identity of state variables into account. Suppose a and b both reach an identical state and currently hold the same variables; then a and b are equivalent for further exploration. At this point a and b can be merged, which obviously reduces the complexity of the verification algorithm.

Algorithm: Check Path
1. Initialize all symbols. Create 3 queues stateQ, varQ, stackQ to store the states of the automaton, the state of the variables and the state of the stack. Create a table VisitedSet to mark the visited paths.
2. push all qv0 into stateQ
3. pop qv ∈ Qv, varv, zv ∈ Γ from stateQ, varQ, stackQ, where varv is the current state of the variables.
4. if qv ∈ VisitedSet then goto 3) else mark qv as visited in VisitedSet.
5. if qv ∈ Fv then return the path.
6. for each transition δv which starts with qv:
7. for each condition condv in δv:
8. if condv holds in the current state of the automaton then perform the actions actv in δv else goto 3)
9. if actv acts on the stack then perform a push or pop operation according to the value of zv,
10. if actv acts on variables then perform the assignment operation according to the value of varv
11. invoke δ(), push qv = δ(qv) into stateQ
12. let zv = current state of the stack, let varv = current state of the variables, push them into stackQ and varQ.
13. if stateQ is empty then return an empty path, else goto 3)
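The Merge Transitions case rule and the Check Path search of Section 5.3, as an added example (not the paper's own code): the product automaton is built lazily while a breadth-first search runs over joint states with a visited set, so explorations that reach the same joint state are merged. The EPDA model (a function call that opens and reads a file, then returns before a network send) and the EFSA policy are constructed toy examples; the event names, paths and address are assumptions.

```python
"""Verification of an EPDA behaviour model against an EFSA policy.

Added example for Section 5.3, not code from the paper.  The product of the
model and the policy is built on the fly during Check Path: a breadth-first
search over joint states (model state, policy state, stack, variables) with
a visited set.  Both automata below are constructed toy examples.
"""
from collections import deque

# EPDA model: (state, stack top) -> [(event, args, next state, push)].
# 'push' replaces the stack top ("" pops); a call pushes the return marker R.
MODEL_TRANS = {
    ("s0", "z"): [("call", (), "f0", "Rz")],
    ("f0", "R"): [("open", ("/etc/passwd",), "f1", "R"),
                  ("open", ("/tmp/log",), "f1", "R")],
    ("f1", "R"): [("read", (), "f2", "R")],
    ("f2", "R"): [("ret", (), "s1", "")],
    ("s1", "z"): [("send", ("10.0.0.5",), "s2", "z"),
                  ("exit", (), "s3", "z")],
}
MODEL_START = "s0"

# EFSA policy: "data read from /etc/passwd must not be sent over the network".
# (state, event, con(args, vars), ass(args, vars) -> vars, next state)
POLICY_TRANS = [
    ("p0", "open", lambda a, v: a[0] == "/etc/passwd",
     lambda a, v: {**v, "secret": True}, "p1"),
    ("p1", "send", lambda a, v: v.get("secret", False),
     lambda a, v: v, "viol"),
]
POLICY_START, POLICY_FINAL = "p0", {"viol"}


def step_policy(qp, event, args, vars_):
    """Merge Transitions: a policy transition whose condition holds moves the
    policy too (case a); otherwise only the model moves (case b)."""
    for src, ev, con, ass, dst in POLICY_TRANS:
        if src == qp and ev == event and con(args, vars_):
            return dst, ass(args, vars_)
    return qp, vars_


def check_path(model=MODEL_TRANS, max_stack=8):
    """Check Path: return the event sequence of the first path that reaches a
    policy final state (a violation), or None if the model is safe."""
    start = (MODEL_START, POLICY_START, "z", frozenset())
    queue, visited = deque([(start, [])]), set()
    while queue:
        joint, path = queue.popleft()
        if joint in visited:                       # step 4: merge equivalents
            continue
        visited.add(joint)
        qm, qp, stack, fvars = joint
        if qp in POLICY_FINAL:                     # step 5
            return path
        if not stack or len(stack) > max_stack:    # bound the stack depth
            continue
        top, rest = stack[0], stack[1:]
        for event, args, qm2, push in model.get((qm, top), []):
            qp2, vars2 = step_policy(qp, event, args, dict(fvars))
            nxt = (qm2, qp2, push + rest, frozenset(vars2.items()))
            queue.append((nxt, path + [(event,) + args]))
    return None
```

`check_path()` returns the violating sequence call, open("/etc/passwd"), read, ret, send; with the send transition removed from the model it returns None.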
6 Future Work
There is still much room for further research. For the interactive part that presents the result of verification, it is desirable to offer users a comprehensible description of the conflicts when a model violates some policy; such detailed verification information may help users refine or choose security policies. The refinement may take two approaches: (1) horizontal classification of policies, that is, choosing a proper set of policies according to the function or other properties of the program; (2) vertical classification of policies, that is, finding a function that maps conflicts to different alarm levels and choosing different sets of policies accordingly. Besides, the content and organization of the rule base of security policies still need much study, as they largely determine the quality of protection that can be provided and the efficiency of verification.
References

1. Sekar, R., Venkatakrishnan, V.N., Basu, S., Bhatkar, S., DuVarney, D.C.: Model-Carrying Code: A Practical Approach for Safe Execution of Untrusted Applications. In: Proceedings of the nineteenth ACM symposium on Operating systems principles, pp. 15–28. ACM, New York (2003)
2. Giffin, J.T.: Model-based Intrusion Detection System Design And Evaluation. PhD thesis, University of Wisconsin-Madison (2006)
3. Necula, G.: Proof-Carrying Code. In: ACM Symposium on Principles of Programming Languages, POPL (1997)
4. Uppuluri, P.: Intrusion Detection/Prevention Using Behavior Specifications. PhD thesis, Stony Brook University (2003)
5. Hallaraker, O., Vigna, G.: Detecting Malicious JavaScript Code in Mozilla. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2005, pp. 85–94 (2005)
6. Cohen, S., Franco, R.: ActiveX Security: Improvements and Best Practices. MSDN (2006)
7. Wagner, D., Soto, P.: Mimicry Attacks on Host-based Intrusion Detection Systems. In: 9th ACM Conference on Computer and Communications Security (CCS), Washington, DC (2002)
8. Laurikari, V.: NFAs with Tagged Transitions, their Conversion to Deterministic Automata and Application to Regular Expressions. In: Proc. of the Seventh Intl. Symp. on String Processing and Information Retrieval (SPIRE 2000), pp. 181–187. IEEE, Los Alamitos (2000)
9. Kotz, D., Gray, R.S.: Mobile Agents and the Future of the Internet. Operating Systems Review 33, 7–13 (1999)
Feature Level Fusion of Biometrics Cues: Human Identification with Doddington's Caricature

Dakshina Ranjan Kisku¹, Phalguni Gupta², and Jamuna Kanta Sing³
¹ Department of Computer Science and Engineering, Dr. B.C. Roy Engineering College, Durgapur – 713206, India
² Department of Computer Science and Engineering, Indian Institute of Technology Kanpur, Kanpur – 208016, India
³ Department of Computer Science and Engineering, Jadavpur University, Kolkata – 700032, India
{drkisku, jksing}@ieee.org, [email protected]

Abstract. This paper presents a multimodal biometric system of fingerprint and ear biometrics. Feature sets based on the Scale Invariant Feature Transform (SIFT) descriptor are extracted from the fingerprint and the ear and fused. The fused set is encoded by a K-medoids partitioning approach, which leaves fewer feature points in the set: K-medoids partitions the whole dataset into clusters so as to minimize the error between the data points in each cluster and its center. The reduced feature set is used for matching between two biometric sets. Matching scores are generated using the wolf-lamb user-dependent feature weighting scheme introduced by Doddington. The technique is tested and shown to perform robustly.

Keywords: Multimodal Biometrics, Fingerprint, Ear, SIFT Features, K-Medoids, Doddington's Concept.
1 Introduction
Multimodal biometric systems [1] are found to be extremely useful and exhibit more robust performance than unimodal biometric systems under several constraints. The aim of any multimodal system [1] is to acquire multiple sources of information from different modalities and to minimize the error-prone effect of monomodal systems. The focus of multimodal systems is the fusion of data from various biometric modalities at the different information fusion levels [2]: sensor, feature extraction, matching score, rank or decision level. In [1], [9] there exist multimodal biometric systems based on face and fingerprint, face and voice, signature and voice, and face and ear. However, the existence of any system fusing fingerprint [4] and ear [3] biometrics at the feature extraction level is not known to the authors. Fingerprint biometrics is widely used and the accuracy of fingerprint systems is high compared to other biometric traits. Ear biometrics is also robust and effective for biometric applications. Further, ears [3] have several advantages over facial features, such as uniform distribution of intensity and spatial resolution, and less variability with expression and orientation of the face [5]. Unlike face recognition [5] with changing lighting and different poses of the head, ear shape does not change over time and with ageing. Further, the low effect of lighting conditions and the spatial distribution of pixels have made ear biometrics an emerging authentication modality. Fingerprints have established themselves as a widely used and efficient biometric trait for verifying individuals. Design of a reliable fingerprint verification system depends on underlying constraints such as the representation of fingerprint patterns, the sensing of fingerprints and the matching algorithms.
This paper presents a robust feature level fusion technique for fingerprint [4] and ear [3] biometrics. It uses the Scale Invariant Feature Transform (SIFT) descriptor [6] to obtain features from the normalized fingerprint and ear images. These features are fused into one feature vector. To obtain a more discriminative reduced feature vector, the K-medoids clustering approach [7] as realized by PAM (Partitioning Around Medoids) is applied to the concatenated feature set. Matching scores between the features of the database set and those of the query set are obtained by the K-nearest neighbor approach [6] with the Euclidean distance metric [2]. The relevance of the individual matchers to more efficient and robust performance is determined by the wolf and lamb factors discussed in [8]. Both of these factors can decrease the performance of any biometric system by accepting more and more impostors as false accepts. This paper extends the notions of Doddington's weighting scheme [8] to the proposed feature level fusion by an adaptive user weighting process. The performance of feature level fusion has been evaluated on a multimodal database containing fingerprint and ear images. The results show significant improvements over the individual matching performance of fingerprint and ear biometrics as well as over an existing feature level fusion scheme [2] which used SIFT as the feature descriptor. The next section introduces the SIFT descriptor for feature extraction.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 157–164, 2009. © Springer-Verlag Berlin Heidelberg 2009
Extraction of SIFT features from fingerprint and ear images, and their fusion by concatenation, is presented in Section 3. In Section 4, the PAM realization of the K-medoids clustering approach is applied to the concatenated feature set to handle the curse of dimensionality; a matching score generation technique using the reduced feature sets obtained from gallery and probe samples is also described in that section. The user-dependent matcher weighting scheme based on Doddington's method with an adaptive approach is applied to the proposed feature level fusion in Section 5. Results are analyzed in Section 6 and, finally, concluding remarks are made in the last section.
2 Description of SIFT Features
The SIFT descriptor [2], [6] has been successfully used for general object detection and matching. The SIFT operator detects stable and invariant feature points in images. It is invariant to image rotation and scaling, partly invariant to illumination changes, and robust to 3D projective transforms. The SIFT descriptor detects feature points efficiently through a staged filtering approach that identifies stable points in the Gaussian scale-space. This is achieved in four steps: (i) selection of candidate feature points by searching for peaks in the scale-space of a difference of Gaussian (DoG) function, (ii) localization of these points using a measure of their stability, (iii) assignment of orientations based on local image properties, and finally (iv) calculation of the feature descriptors, which represent local shape distortions and illumination changes. These steps determine candidate locations, and a detailed fitting is performed to the nearby data for the candidate location, edge response and peak magnitude. To achieve invariance to image rotation, a consistent orientation is assigned to each feature point based on local image properties. A histogram of orientations is formed from the gradient orientations at all sample points within a circular window around a feature point. Peaks in this histogram correspond to the dominant directions of the feature point. For illumination invariance, 8 orientation planes are defined. Finally, the gradient magnitude and orientation are smoothed by applying a Gaussian filter and then sampled over a 4×4 grid with 8 orientation planes. Each feature point [6] carries four types of information: spatial location (x, y), scale (s), orientation (θ) and keypoint descriptor (k). All of this feature information is used. More formally, local image gradients are measured at the selected scale in the region around each keypoint. The measured gradient information is then transformed into a vector representation containing 128 elements for each extracted keypoint. These keypoint descriptor vectors represent local shape distortions and illumination changes.
3 Feature Extraction and Feature Level Fusion
3.1 Preprocessing and SIFT Feature Extraction
For fingerprint verification [4], three types of features are used: (i) the global ridge and furrow structure forming a special pattern in the central region of the fingerprint, (ii) minutiae details associated with the local ridge and furrow structure and (iii) correlation. Minutiae based fingerprint systems [4] show higher accuracy than the other two types. Local texture around minutiae points is more desirable and useful for good accuracy than the whole fingerprint image, since global texture is sensitive to non-linear and non-repeatable deformation of such images. In the proposed method, however, SIFT features are extracted from the whole fingerprint image. On the other hand, ear biometrics [3] has been introduced recently for identity verification and is considered one of the most reliable and invariant biometric characteristics. The SIFT descriptor is used to detect stable invariant points for general object recognition and generally does not require the image to be preprocessed. However, in the proposed work, a few preprocessing operations are performed on the ear image to obtain better accuracy. In the first step, the ear image is localized by manually detecting two points on it, viz. the Triangular Fossa and the Antitragus [9]; the localization technique proposed in [9] is used in this paper. In the next step the fingerprint and ear images are normalized to an adjustable gray level distribution. To make the distribution of gray levels uniform, image intensity is measured in the central area and the distribution is adjusted accordingly. This is performed using the adaptive histogram equalization technique. The proposed work uses the whole ear image for SIFT feature extraction, treating it in the same way as the fingerprint texture.
The use of the SIFT descriptor not only increases the number of invariant SIFT points obtained during feature extraction, but also increases the reliability of the system by accumulating a large number of points. The extraction of SIFT feature points is controlled by the local minima and maxima in the Gaussian scale space. The number of features can also be controlled by a set of parameters such as the number of octaves and scales.
Fig. 1. Minutiae and SIFT Feature Points of a Fingerprint: (a) Minutiae Points, (b) SIFT Feature Points
Fig. 2. SIFT Feature Points of an Ear Image: (a) Ear image, (b) Detection of SIFT points, (c) SIFT points extraction
A fingerprint may contain thousands of SIFT features. Figure 1 shows a typical fingerprint image from which 30 minutiae points and 2449 SIFT feature points have been detected. The number of SIFT feature points obtained from an ear may vary from hundreds to a few thousand. An ear image is shown in Figure 2 from which 1154 SIFT feature points are extracted.
3.2 Feature Level Fusion of SIFT Keypoints
The concatenation technique [2] is used to fuse the SIFT features extracted from fingerprint and ear at the feature extraction level. Feature level fusion is difficult to achieve in practice because multiple modalities may have incompatible feature sets [1], [2] and the correspondence among different feature spaces may be unknown. The concatenated feature set exhibits better discrimination capability than the individual feature vectors obtained from fingerprint and ear biometrics separately.
4 Feature Reduction and Matching
4.1 Feature Reduction
The K-medoids partitioning algorithm [7], as realized by PAM (Partitioning Around Medoids), is applied to the concatenated feature set to obtain a reduced set of features that is more discriminative and meaningful. This clustering algorithm is an adaptive version of the K-means approach. It partitions the dataset into groups and minimizes the total error between the points that belong to a cluster and the point designated as the center of the cluster. K-medoids chooses actual data points as cluster centers (called 'medoids'). It clusters the dataset of n objects into k clusters and is more robust to noise and outliers than the K-means algorithm [7]. In the proposed method, the K-medoids algorithm is applied to the SIFT point set formed by concatenating the SIFT features extracted from the fingerprint and ear images. Redundant features are removed by choosing the most proximate feature as the representative of each set of similar features. A medoid is the object of a cluster whose average dissimilarity to all the other objects in the cluster is minimal. The most common realization of the K-medoids algorithm is the Partitioning Around Medoids (PAM) algorithm, given below.
Step 1: Randomly select k points from the concatenated SIFT point set as the initial medoids.
Step 2: Assign each SIFT feature point to the closest medoid, closeness being defined by a distance metric (here the Euclidean distance).
Step 3: For each medoid i, i = 1, 2, ..., k, and for each non-medoid SIFT point j, swap i and j and compute the total cost of the resulting configuration.
Step 4: Select the configuration with the lowest cost.
Step 5: Repeat Steps 2 to 4 until there is no change in the medoids.
4.2 Matching
The reduced features are matched using the K-nearest neighbor approach [6]: distances are computed from each reduced feature vector of the probe sample to all stored reduced features of the gallery sample, and the k closest are selected. In the proposed experiment, K-NN thus selects a set of best matched features. This computation uses the spatial location (x, y), scale (s), orientation (θ) and keypoint descriptor (k) information of the SIFT descriptor, with the Euclidean distance for the distance computation. The number of best matched features is the matching score for a particular fingerprint-ear pair. The matching scores are normalized to the range [0, 1] [1], [8].
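As an added example (not the paper's code), the following Python models Section 4 end to end: PAM K-medoids reduction of a concatenated keypoint set (Steps 1 to 5 above), followed by the K-NN match-count score normalized to [0, 1]. The keypoints are constructed 6-dimensional tuples standing in for the (x, y, s, θ) values plus the 128-element descriptor of a real SIFT point; the acceptance threshold on the nearest-neighbour distance is an assumption, since the paper fixes only K-NN with the Euclidean distance.

```python
# Added example: PAM K-medoids reduction of a fused keypoint set and a
# nearest-neighbour match-count score. Data are constructed, not real SIFT output.
import math
import random


def euclid(a, b):
    """Euclidean distance between two feature vectors (the paper's metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pam_cost(points, medoids):
    """Total distance of every point to its closest medoid (Step 2 + cost)."""
    return sum(min(euclid(p, points[m]) for m in medoids) for p in points)


def pam(points, k, seed=0):
    """Partitioning Around Medoids: random k medoids (Step 1), then greedy
    medoid/non-medoid swaps (Steps 3-4) until no swap lowers the cost (Step 5)."""
    rng = random.Random(seed)
    medoids = rng.sample(range(len(points)), k)
    best = pam_cost(points, medoids)
    improved = True
    while improved:
        improved = False
        for i in range(k):
            for j in range(len(points)):
                if j in medoids:
                    continue
                trial = list(medoids)
                trial[i] = j
                cost = pam_cost(points, trial)
                if cost < best - 1e-12:
                    medoids, best, improved = trial, cost, True
    return sorted(medoids), best


def reduce_features(fused, k, seed=0):
    """Keep only the k medoids as the reduced, representative feature set."""
    idx, _ = pam(fused, k, seed)
    return [fused[i] for i in idx]


def knn_match_score(probe, gallery, threshold):
    """Nearest-neighbour matching (k = 1): a probe feature counts as matched when
    its closest gallery feature lies within `threshold` (assumed acceptance rule).
    The matched count is normalised by the probe size, giving a score in [0, 1]."""
    if not probe:
        return 0.0
    matched = sum(1 for p in probe if min(euclid(p, g) for g in gallery) <= threshold)
    return matched / len(probe)


def make_keypoints(centers, per_center, spread, seed):
    """Constructed sample data: noisy copies around each centre, mimicking the
    many near-duplicate SIFT points that PAM is meant to collapse."""
    rng = random.Random(seed)
    return [tuple(v + rng.uniform(-spread, spread) for v in c)
            for c in centers for _ in range(per_center)]


# Constructed "fingerprint" and "ear" keypoint clusters: (x, y, scale, theta, d1, d2)
FP_CENTERS = [(10, 10, 1.0, 0.5, 0.2, 0.8), (50, 60, 2.0, 1.2, 0.9, 0.1),
              (90, 20, 1.5, 2.8, 0.4, 0.4)]
EAR_CENTERS = [(30, 80, 1.2, 0.3, 0.7, 0.7), (70, 40, 2.5, 2.0, 0.1, 0.9)]
ALL_CENTERS = FP_CENTERS + EAR_CENTERS

# Gallery: concatenate fingerprint and ear keypoints, then reduce with PAM.
GALLERY_FUSED = (make_keypoints(FP_CENTERS, 8, 0.5, seed=1)
                 + make_keypoints(EAR_CENTERS, 8, 0.5, seed=2))
GALLERY_REDUCED = reduce_features(GALLERY_FUSED, k=len(ALL_CENTERS))

# Probes: the same person (same centres, fresh noise) and an impostor (other centres).
PROBE_GENUINE = reduce_features(
    make_keypoints(FP_CENTERS, 8, 0.5, seed=3) + make_keypoints(EAR_CENTERS, 8, 0.5, seed=4),
    k=len(ALL_CENTERS))
PROBE_IMPOSTOR = reduce_features(
    make_keypoints([(200, 150, 3.0, 0.9, 0.5, 0.5), (140, 190, 1.1, 2.2, 0.3, 0.6)],
                   8, 0.5, seed=5), k=2)


def genuine_score():
    return knn_match_score(PROBE_GENUINE, GALLERY_REDUCED, threshold=3.0)


def impostor_score():
    return knn_match_score(PROBE_IMPOSTOR, GALLERY_REDUCED, threshold=3.0)


if __name__ == "__main__":
    print(len(GALLERY_FUSED), "fused points reduced to", len(GALLERY_REDUCED), "medoids")
    print("genuine score:", genuine_score(), " impostor score:", impostor_score())
```

The swap loop is the quadratic PAM of Kaufman and Rousseeuw, which is fine for the few thousand points per image the paper reports; on larger sets one would sample (CLARA) rather than swap exhaustively.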
5 Adaptive Weighting Using Doddington's Approach
The reliability of each fused matching score can be increased by applying the proposed adaptive version of Doddington's user-dependent weighting scheme [8]. In order to decrease the number of false accepts in the proposed system, we extend the notion of weighting the matchers by the wolf-lamb concept introduced by Doddington. The authors in [8] have also used Doddington's concept for user weighting, by weighting the matchers of the fused biometric system. In the proposed system, we compute the adaptive weights by taking the hyperbolic tangent of the weight assigned to each matcher's matching scores. The proposed adaptive weighting scheme decreases the effect of impostor users more rapidly than the method discussed in [8]. The modified Doddington's scheme is described as follows. Let the user-dependent fused match score for user p be calculated as

$$fs_p = \sum_{ms=1}^{MS} w_p^{ms}\, n_p^{ms}, \quad \forall p \qquad (1)$$

where MS denotes the total number of matching scores obtained from matching the probe and gallery samples, and $w_p^{ms}$ represents the weight assigned to the matching score $n_p^{ms}$ for user p. It is assumed that the fused scores carry the wolf and lamb properties together, which are not easy to determine separately. Doddington [8] assumes that users labeled as lambs can be imitated easily and that wolves can imitate other users. Lambs and wolves can both lead to false accepts and thereby degrade the performance of biometric systems. After computing the weight $w_p^{ms}$ for each matcher, we extend each weight to make it adaptive. The adaptive weight is obtained by taking the hyperbolic tangent of the computed weight. The range of the weight $w_p^{ms}$ must be [0, 1] and the sum of all weights should be 1. The objective of this adaptive weighting scheme is to reduce the lambness of the matchers when feature level fusion of two or more biometric traits is formulated. The adaptive weights are defined by extending the usual notions used in [8] and adopting the robust statistics method of [8] as follows:

$$W(w'^{1}_p, w'^{2}_p, \ldots, w'^{ms}_p, \ldots, w'^{MS}_p), \quad w'^{ms}_p = \tanh(w_p^{ms}) \qquad (2)$$

Now Equation (1) can be rewritten using Equation (2) as

$$fs_p = \sum_{ms=1}^{MS} w'^{ms}_p\, n_p^{ms}, \quad \forall p \qquad (3)$$
6 Experimental Results
The proposed technique is tested on the IIT Kanpur multimodal database consisting of fingerprint and ear images acquired from 1550 subjects; each subject has provided 2 fingerprints and 2 ear images. Fingerprint images are acquired using an optical sensor at 500 dpi and the ear images are obtained using a high resolution digital camera. After normalization of the fingerprint and ear images, the fingerprint images are downscaled to 200×200 pixels. This high resolution of the fingerprint image may increase the number of SIFT features. On the other hand, the ear images are taken under a controlled environment in different sessions. The ear viewpoints are consistently kept neutral and the ear images are downscaled to 200×140 pixels. The following protocol has been established for multimodal evaluation and testing.
Training: One image per person from each modality, i.e., fingerprint and ear, is used for enrollment in the gallery database; these images are used for feature extraction and feature level fusion. The fused feature vector is then encoded and saved as the gallery vector, which is used for identification and verification.
Testing: A pair of fingerprint and ear images is used for testing. Impostor matching scores are generated by validating and testing the first client against itself and also against the remaining subjects. A fused feature vector is generated from a pair of fingerprint and ear images and is compared with the gallery feature vectors. A rank based method is adopted to exhibit the overall performance of the proposed feature level fusion. Matching is performed between a probe fused vector and its own encoding in the database and also with the rest of the encoded fused vectors in the database. The proposed multimodal system is able to identify the specific person from the entire database, and ranks are obtained in terms of the matching probability. The subjects are retrieved from the database according to their matching scores. The identification rate for the proposed system is 98.71%, while those for fingerprint and ear biometrics are found to be 95.02% and 93.63% respectively, as shown in Figure 3.
Fig. 3. Cumulative Match Characteristics Curves (identification probability, 0.92 to 1.00, against rank 5 to 50, for Ear Identification, Feature Level Multimodal Identification and Fingerprint Identification)
7 Conclusion
This paper has presented a feature level fusion technique for fingerprint and ear biometrics for human identification. The technique uses the SIFT descriptor for invariant feature extraction from the fingerprint and ear modalities and the PAM realization of the K-medoids algorithm for feature reduction. The reduced feature set retains the relevant information with higher matching proximity. Doddington's user-dependent weighting scheme has been adopted, extending the existing notions with adaptive weighting applied to the matching scores. The performance of the technique has been evaluated on a multimodal database containing fingerprint and ear images. The results show significant improvements in identification performance over the fingerprint and ear biometrics individually as well as over the existing feature level fusion scheme [2] which used SIFT as the feature descriptor. The technique not only attains higher accuracy but also shows robustness in the identification of individuals.
References
1. Ross, A., Nandakumar, K., Jain, A.K.: Handbook of Multibiometrics. Springer, Heidelberg (2006)
2. Rattani, A., Kisku, D.R., Bicego, M., Tistarelli, M.: Robust Feature-Level Multibiometrics Classification. In: IEEE Biometric Consortium Conference, Biometrics Symposium, pp. 1–6 (2006)
3. Bustard, J.D., Nixon, M.S.: Robust 2D Ear Registration and Recognition based on SIFT Point Matching. In: International Conference on Biometrics: Theory, Applications, and Systems (2008)
4. Maltoni, D., Maio, D., Jain, A.K., Prabhakar, S.: Handbook of Fingerprint Recognition, 2nd edn. Springer, Heidelberg (2009)
5. Li, S.Z., Jain, A.K. (eds.): Handbook of Face Recognition. Springer, Heidelberg (2005)
6. Lowe, D.G.: Object recognition from local scale-invariant features. In: International Conference on Computer Vision, pp. 1150–1157 (1999)
7. Kaufman, L., Rousseeuw, P.J.: Finding Groups in Data: An Introduction to Cluster Analysis. Wiley, New York (1990)
8. Snelick, R., Uludag, U., Mink, A., Indovina, M., Jain, A.: Large Scale Evaluation of Multimodal Biometric Authentication Using State-of-the-Art Systems. IEEE Transactions on Pattern Analysis and Machine Intelligence 27(3), 450–455 (2005)
9. Chang, K., Bowyer, K.W., Sarkar, S.: Comparison and Combination of Ear and Face Images in Appearance-based Biometrics. IEEE Transactions on Pattern Analysis and Machine Intelligence 25(9) (2003)
A Study on the Interworking for SIP-Based Secure VoIP Communication with Security Protocols in the Heterogeneous Network
Seokung Yoon1, Hyuncheol Jung1, and Kyung-Seok Lee2
1 Korea Internet & Security Agency, IT Venture Tower, Jungdaero 135, Songpa-gu, Seoul, Korea 138-950, {seokung, hcjung}@kisa.or.kr
2 Dept of Computer Science, Graduate School of Soongsil Univ., 511 Sangdo-dong, Dongjak-gu, Seoul, Korea 156-743, [email protected]
Abstract. VoIP will become more and more popular around the world, but security vulnerabilities such as eavesdropping and the disclosure of private information could stand in the way of its adoption. It is necessary to protect signaling and media information along the whole path. In the real world it is not easy to provide end-to-end secure VoIP communication because of the heterogeneous network. In this situation we have to consider network interworking between SIP-based VoIP and the PSTN or mobile networks. This paper analyzes interworking scenarios for secure communication and proposes a method to provide secure communication with security protocols such as TLS, SRTP and MIKEY in the heterogeneous network.
Keywords: VoIP, OPTIONS Method, MIKEY, Heterogeneous Network.
1 Introduction
VoIP (Voice over Internet Protocol) is poised to take over from the century-old public switched telephone network (PSTN). Numerous protocols have been authored that carry various forms of real-time multimedia session data such as voice, video, or text messages. SIP (Session Initiation Protocol) [1] is an IETF standard protocol that works in concert with these protocols. VoIP, as is known, has security vulnerabilities such as eavesdropping, Denial of Service (DoS), service abuse, session hijacking and VoIP spam. Eavesdropping in particular is a major issue that must be solved urgently. SIP-based VoIP specifies security mechanisms to protect user privacy from eavesdropping. HTTP digest [2] provides user-to-user and user-to-proxy authentication. TLS [3] provides integrity and confidentiality of SIP signaling messages. SRTP (Secure Real-time Transport Protocol) [4] provides a framework for encryption and message authentication of RTP streams. MIKEY [5] has been proposed in the IETF as a key management protocol for multimedia data encryption and is considered the key management protocol for SRTP. MIKEY protects the master key with a pre-shared key or with the responder's public key. To use MIKEY for exchanging a master key, it is important for the initiator to know to whom it is speaking. The initiator also has to know whether the responder supports the security protocols or not. In a heterogeneous network, however, it is not easy to know the responder's capability, because there are legacy devices and devices that adopt different security protocols. In this situation the initiator cannot carry out secure communication because it does not know the responder's capability. This situation can lead to security vulnerabilities and should therefore be addressed. This paper analyzes the security mechanism for negotiating SIP signaling security and MIKEY as the key management protocol for multimedia data encryption. It also analyzes interworking scenarios for secure communication and proposes a method to provide secure communication with security protocols such as TLS, SRTP and MIKEY in the heterogeneous network. With this study, we aim to protect SIP-based VoIP with MIKEY in the heterogeneous network.
D. Ślęzak et al. (Eds.): SecTech 2009, CCIS 58, pp. 165–175, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 SIP-Based Secure VoIP Communication
Fig. 1 shows the SIP-based secure VoIP communication flow. The procedures are as follows. Firstly, the security mechanism negotiation to protect the SIP signaling messages is executed sequentially, using the OPTIONS method, between IP phone and SIP proxy, between the SIP proxies, and between SIP proxy and IP phone. After the security mechanism negotiation, each pair of entities sets up a TLS session. Secondly, the sender starts call setup with an INVITE message carrying the MIKEY message from which the master key used to encrypt and authenticate the media traffic is derived. Finally, a secure media channel (SRTP) is created.
Fig. 1. SIP-based VoIP secure communication flow
3 OPTIONS Method (RFC 3329)
3.1 Overview of Operation
To carry out a secure communication, it is necessary to negotiate the security protocols. The IETF recommends the OPTIONS [6] method to support this. Fig. 2 illustrates how the mechanism works.
Fig. 2. Security agreement message flow
Step 1: Clients wishing to use this specification send a list of their supported security mechanisms along with the first request to the server.
Step 2: Servers wishing to use this specification challenge the client to perform the security agreement procedure. The security mechanisms and parameters supported by the server are sent along in this challenge.
Step 3: The client then selects the highest-preference security mechanism they have in common and turns on the selected security.
Step 4: The client contacts the server again, now using the selected security mechanism. The server's list of supported security mechanisms is returned as a response to the challenge.
Step 5: The server verifies its own list of security mechanisms in order to ensure that the original list had not been modified.
3.2 Client Initiated
Fig. 3 illustrates how a UA negotiates the security mechanism to be used with its server without knowing beforehand which mechanisms the proxy supports. The OPTIONS method can be used here to request the security capabilities of the server. In this way, security can be initiated even before the first INVITE is sent via the server. Fig. 4 shows an example of the OPTIONS message exchange.
Fig. 3. Negotiation Initiated by the Client
(1) OPTIONS sip:proxy.example.com SIP/2.0
    Security-Client: tls
    Security-Client: digest
    Require: sec-agree
    Proxy-Require: sec-agree

(2) 494 Security Agreement Required
    Security-Server: ipsec-ike;q=0.1
    Security-Server: tls;q=0.2

(3) INVITE sip:proxy.example.com SIP/2.0
    Security-Verify: ipsec-ike;q=0.1
    Security-Verify: tls;q=0.2
    Route: sip:[email protected]
    Require: sec-agree
    Proxy-Require: sec-agree

Fig. 4. OPTIONS message example

The UAC sends an OPTIONS request to its server, indicating at the same time that it is able to negotiate security mechanisms and that it supports TLS and HTTP Digest. The server responds to the UAC with its own list of security mechanisms, IPsec and TLS. The only common security mechanism is TLS, so they establish a TLS connection between them. When the connection is successfully established, the UAC sends an INVITE request over the TLS connection just established. This INVITE carries the server's security list in its Security-Verify headers. The server verifies it against its static list; since it matches, it processes the INVITE and forwards it to the next hop. Had an attacker removed or reordered mechanisms in the 494 response on the way to the client, the echoed list would not match and the server would reject the request.
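The five-step exchange of Fig. 3 and Fig. 4, modelled in Python as an added example (not code from the paper or from RFC 3329). Both sides' messages are constructed inline; the server's static list is the one from Fig. 4, q-values are read as the server's preference (higher wins, absent taken as 0.0, an assumption), and a constructed man-in-the-middle that strips the TLS offer from the 494 shows what Step 5 protects against.

```python
# Added example: RFC 3329 style security agreement with a downgrade attempt.
import re

# Server's static list, exactly as in Fig. 4 (q = preference, higher wins)
SERVER_STATIC_LIST = ["Security-Server: ipsec-ike;q=0.1", "Security-Server: tls;q=0.2"]
TARGET = "sip:proxy.example.com"


def parse_sec_header(message, name):
    """Return [(mechanism, q, raw_value)] for every `name` header in `message`.
    Several mechanisms may share one header line, separated by commas."""
    entries = []
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s*:\s*(.+?)\s*$", re.I)
    for line in message.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        for value in m.group(1).split(","):
            value = value.strip()
            parts = [p.strip() for p in value.split(";")]
            q = 0.0  # assumed default when no q-value is present
            for p in parts[1:]:
                if p.lower().startswith("q="):
                    q = float(p[2:])
            entries.append((parts[0].lower(), q, value))
    return entries


def client_options(supported):
    """Step 1: the UAC announces what it supports and requires sec-agree."""
    lines = ["OPTIONS %s SIP/2.0" % TARGET]
    lines += ["Security-Client: %s" % mech for mech in supported]
    lines += ["Require: sec-agree", "Proxy-Require: sec-agree"]
    return "\r\n".join(lines) + "\r\n"


def server_challenge(static_list=SERVER_STATIC_LIST):
    """Step 2: 494 carrying the server's own (static) list."""
    return "SIP/2.0 494 Security Agreement Required\r\n" + "\r\n".join(static_list) + "\r\n"


def select_mechanism(supported, challenge):
    """Step 3: highest server preference among the mechanisms both sides support."""
    offered = parse_sec_header(challenge, "Security-Server")
    wanted = {s.lower() for s in supported}
    common = [(q, mech) for mech, q, _ in offered if mech in wanted]
    return max(common)[1] if common else None


def client_invite(challenge):
    """Step 4: resend over the chosen mechanism, echoing the server's list verbatim."""
    lines = ["INVITE %s SIP/2.0" % TARGET]
    lines += ["Security-Verify: " + raw
              for _, _, raw in parse_sec_header(challenge, "Security-Server")]
    lines += ["Require: sec-agree", "Proxy-Require: sec-agree"]
    return "\r\n".join(lines) + "\r\n"


def server_verify(invite, static_list=SERVER_STATIC_LIST):
    """Step 5: the echoed list must equal the static list, else the 494 was
    modified in transit (a downgrade attempt) and the request is rejected."""
    echoed = {(m, q) for m, q, _ in parse_sec_header(invite, "Security-Verify")}
    static = {(m, q) for m, q, _ in
              parse_sec_header("\r\n".join(static_list), "Security-Server")}
    return bool(echoed) and echoed == static


def run_agreement(supported, tamper=None):
    """Drive the five steps; `tamper` optionally rewrites the 494 in transit (a MITM)."""
    options = client_options(supported)
    challenge = server_challenge() if "sec-agree" in options else ""
    if tamper:
        challenge = tamper(challenge)
    mech = select_mechanism(supported, challenge)
    if mech is None:  # nothing in common: abort rather than continue in the clear
        return {"mechanism": None, "verified": False}
    return {"mechanism": mech, "verified": server_verify(client_invite(challenge))}


def strip_tls(challenge):
    """Constructed attacker: delete the TLS offer so the client settles for less."""
    return "\r\n".join(line for line in challenge.split("\r\n") if "tls" not in line)


if __name__ == "__main__":
    print("honest                      :", run_agreement(["tls", "digest"]))
    print("downgrade, tls-only client  :", run_agreement(["tls", "digest"], strip_tls))
    print("downgrade, tls+ipsec client :", run_agreement(["tls", "ipsec-ike"], strip_tls))
```

The important behaviour is in the two tampered runs: a client that only speaks TLS finds nothing in common and must abort instead of sending the INVITE unprotected, and a client that also speaks IPsec picks the weaker mechanism but the server detects the altered list at Step 5 because the echoed Security-Verify set no longer equals its static list.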
4 MIKEY (RFC 3830)
4.1 System Overview
One objective of MIKEY is to produce a Data Security Association (Data SA) for the security protocol, including a Traffic-Encrypting Key (TEK), which is derived from a TEK Generation Key (TGK) and used as input to the security protocol. MIKEY supports establishing keys and parameters for more than one security protocol (or for several instances of the same security protocol) at the same time. The concept of a Crypto Session Bundle (CSB) denotes a collection of one or more Crypto Sessions that can have a common TGK and security parameters but obtain distinct TEKs from MIKEY.
4.2 Basic Key Transport and Exchange Methods
MIKEY defines three different methods of transporting/establishing a TGK: with a pre-shared key, with public-key encryption, and with a Diffie-Hellman (DH) key exchange. The pre-shared key method and the public-key method are both key transport mechanisms, where the actual TGK is pushed (securely) to the recipient(s). In the Diffie-Hellman method, the TGK is instead derived from the Diffie-Hellman values exchanged between the peers. The following general notation is used:
- HDR: The general MIKEY header, which includes MIKEY CSB related data and information mapping to the specific security protocol used.
- T: The timestamp, used mainly to prevent replay attacks.
- IDx: The identity of entity x (IDi = Initiator, IDr = Responder).
- RAND: Random/pseudo-random byte string, always included in the first message from the Initiator.
- SP: The security policies for the data security protocol.
4.2.1 Pre-Shared Key (PSK)
In this method, the pre-shared secret key, s, is used to derive key material for both the encryption (encr_key) and the integrity protection (auth_key) of the MIKEY messages. As shown in Fig. 5(a), the main objective of the Initiator's message (I_MESSAGE) is to transport one or more TGKs (carried in KEMAC) and a set of security parameters (SPs) to the Responder in a secure manner. As the verification message from the Responder is optional, the Initiator indicates in the HDR whether it requires a verification message from the Responder.

KEMAC = E(encr_key, {TGK}) || MAC   (1)

The KEMAC payload contains a set of encrypted sub-payloads and a MAC. Each sub-payload includes a TGK randomly and independently chosen by the Initiator. The MAC is a Message Authentication Code covering the entire MIKEY message using
the authentication key, auth_key. The main objective of the verification message from the Responder is to obtain mutual authentication. The verification message, V, is a MAC computed over the Responder's entire message, the timestamp and the two party identities, using the authentication key.
4.2.2 Public-Key Encryption (PKE)
As in the previous case, the main objective of the Initiator's message is to transport one or more TGKs and a set of security parameters to the Responder in a secure manner, as shown in Fig. 5(b). This is done using an envelope approach where the TGKs are encrypted with keys derived from a randomly/pseudo-randomly chosen "envelope key". The envelope key is sent to the Responder encrypted with the public key of the Responder. The PKE payload contains the encrypted envelope key: PKE = E(PKr, env_key). It is encrypted using the Responder's public key (PKr). If the Responder possesses several public keys, the Initiator can indicate the key used in the CHASH payload. The KEMAC contains a set of encrypted sub-payloads and a MAC:

KEMAC = E(encr_key, IDi || {TGK}) || MAC   (2)

The first payload (IDi) in KEMAC is the identity of the Initiator. Each of the following payloads (TGK) includes a TGK randomly and independently chosen by the Initiator. The encrypted part is then followed by a MAC, which is calculated over the KEMAC payload. The encr_key and the auth_key are derived from the envelope key. SIGNi is a signature covering the entire MIKEY message, using the Initiator's signature key. The main objective of the verification message from the Responder is to obtain mutual authentication. As the verification message V from the Responder is optional, the Initiator indicates in the HDR whether it requires a verification message from the Responder. V is calculated in the same way as in the pre-shared key mode.
4.2.3 Diffie-Hellman (D-H) Key Exchange
This method creates a DH key, which is used as the TGK. It cannot be used to create group keys; it can only create single peer-to-peer keys. The main objective of the Initiator's message is to provide the Responder, in a secure way, with its DH value (DHi) g^(xi), where xi MUST be randomly/pseudo-randomly and secretly chosen, and with a set of security protocol parameters, as shown in Fig. 5(c). SIGNi is a signature covering the Initiator's MIKEY message, I_MESSAGE, using the Initiator's signature key. The main objective of the Responder's message is to provide the Initiator, in a secure way, with the Responder's value (DHr) g^(xr), where xr MUST be randomly/pseudo-randomly and secretly chosen. The timestamp included in the answer is the same as the one included in the Initiator's message. SIGNr is a signature covering the Responder's MIKEY message, R_MESSAGE, using the Responder's signature key. The DH group parameters are chosen by the Initiator and signaled to the Responder. Both parties calculate the TGK, g^(xi*xr), from the exchanged DH values.
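The pre-shared key exchange of Section 4.2.1 (I_MESSAGE with KEMAC as in Equation (1), the Responder's checks, and the optional verification message V), written out as an added example that is not the paper's or RFC 3830's code. To stay within the Python standard library, MIKEY's PRF and its AES counter-mode encryption are replaced by an HMAC-SHA256 keystream, and the payload framing is a simple length-prefix scheme; both are assumptions of this example, as are the identities, keys, timestamp, RAND and the 60-second replay window. The TEK-per-crypto-session derivation at the end illustrates the CSB/TEK relation of Section 4.1.

```python
# Added example: MIKEY pre-shared-key mode, modelled with HMAC-SHA256 only.
import hashlib
import hmac
import struct

MAC_LEN = 32
REPLAY_WINDOW = 60  # seconds the timestamp T may deviate before rejection (assumed policy)


def prf(key, label, length=32):
    """Toy PRF standing in for MIKEY's: HMAC-SHA256(key, label || counter) blocks."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + struct.pack(">I", i), hashlib.sha256).digest()
        i += 1
    return out[:length]


def derive_keys(psk, rand):
    """encr_key and auth_key derived from the pre-shared secret s and RAND."""
    return prf(psk, b"encr" + rand), prf(psk, b"auth" + rand)


def pack(*fields):
    """Length-prefixed framing (our own, not MIKEY's payload format)."""
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def unpack(data):
    fields, pos = [], 0
    while pos < len(data):
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        fields.append(data[pos + 2:pos + 2 + n])
        pos += 2 + n
    return fields


def xor_stream(key, nonce, data):
    """E(key, data) as XOR with prf output (stands in for AES-CM)."""
    return bytes(a ^ b for a, b in zip(data, prf(key, nonce, len(data))))


def initiator_message(psk, id_i, id_r, tgks, sp, t, rand, want_v=True):
    """I_MESSAGE = HDR, T, RAND, IDi, IDr, SP, KEMAC where
    KEMAC = E(encr_key, {TGK}) || MAC and the MAC covers the entire message."""
    encr_key, auth_key = derive_keys(psk, rand)
    hdr = b"PSK;V=1" if want_v else b"PSK;V=0"  # V flag: verification wanted?
    enc_tgks = xor_stream(encr_key, b"kemac" + rand, pack(*tgks))
    body = pack(hdr, struct.pack(">Q", t), rand, id_i, id_r, sp, enc_tgks)
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()


def responder_process(psk, i_message, now):
    """Check MAC and timestamp, recover the TGKs and SP, build the optional V."""
    body, mac = i_message[:-MAC_LEN], i_message[-MAC_LEN:]
    hdr, t_bytes, rand, id_i, id_r, sp, enc_tgks = unpack(body)
    encr_key, auth_key = derive_keys(psk, rand)
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # verify before decrypting anything
        raise ValueError("KEMAC MAC check failed: altered message or wrong pre-shared key")
    t = struct.unpack(">Q", t_bytes)[0]
    if abs(now - t) > REPLAY_WINDOW:
        raise ValueError("timestamp outside replay window")
    tgks = unpack(xor_stream(encr_key, b"kemac" + rand, enc_tgks))
    v_message = None
    if hdr.endswith(b"V=1"):
        r_message = pack(b"PSK;R", t_bytes, id_r)  # Responder's HDR, T, IDr
        v = hmac.new(auth_key, r_message + t_bytes + id_i + id_r, hashlib.sha256).digest()
        v_message = r_message + v
    return tgks, sp, v_message


def initiator_verify(psk, rand, id_i, id_r, t, v_message):
    """V = MAC(auth_key, R_MESSAGE || T || IDi || IDr) gives mutual authentication."""
    _, auth_key = derive_keys(psk, rand)
    r_message, v = v_message[:-MAC_LEN], v_message[-MAC_LEN:]
    t_bytes = struct.pack(">Q", t)
    expected = hmac.new(auth_key, r_message + t_bytes + id_i + id_r, hashlib.sha256).digest()
    return hmac.compare_digest(v, expected)


def derive_tek(tgk, rand, cs_id, length=16):
    """Distinct TEK per crypto session (cs_id) from the CSB's common TGK."""
    return prf(tgk, b"tek" + rand + struct.pack(">B", cs_id), length)


# Constructed demo values (not real credentials)
PSK = b"pre-shared secret known to both phones"
ID_I, ID_R = b"alice@example.org", b"bob@example.org"
TGKS = [bytes(range(16)), bytes(range(16, 32))]
SP = b"SRTP;AES-CM-128;HMAC-SHA1-80"
T = 1260000000
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")


def run_exchange(responder_psk=PSK, flip_byte=None, now=T):
    """Full PSK exchange; optionally corrupt one byte in transit or shift the clock."""
    i_msg = initiator_message(PSK, ID_I, ID_R, TGKS, SP, T, RAND)
    if flip_byte is not None:
        i_msg = i_msg[:flip_byte] + bytes([i_msg[flip_byte] ^ 0x01]) + i_msg[flip_byte + 1:]
    tgks, sp, v_msg = responder_process(responder_psk, i_msg, now)
    return tgks, sp, initiator_verify(PSK, RAND, ID_I, ID_R, T, v_msg)


if __name__ == "__main__":
    tgks, sp, mutual = run_exchange()
    print("TGKs:", [k.hex() for k in tgks], "SP:", sp, "V ok:", mutual)
    print("TEK for CS 1:", derive_tek(tgks[0], RAND, 1).hex())
```

Two details carry over directly to a real implementation: the MAC is checked before any decryption or timestamp handling so that a forged I_MESSAGE cannot influence key material, and the replay window bounds T on the Responder, which is the only defence the PSK mode has against a replayed I_MESSAGE.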
[Fig. 5 residue, decoded labels: Responder, R_MESSAGE =]