SACM - United States of America

Permanent URI for this collectionhttps://drepo.sdl.edu.sa/handle/20.500.14154/9668

Browse

Has files: YesSubject: search.filters.subject.Network Security

Search Results

Now showing 1 - 4 of 4
  • No Thumbnail Available
    ItemRestricted
    Large-scale Measurements to Assess the Impact of Middleboxes on the Internet’s Reliability
    (Saudi Digital Library, 2025-07-13) Alaraj, Abdulrahman Abdullah S; Eric, Wustrow
    The fundamental design principle that shaped the architecture of the early Internet, namely the end-to-end argument, has been undermined by the expansion and the resulting complexity of more developed stages of the Internet. The middle fabric of today’s Internet underwent numerous stages of development which offered tangible improvements to the Internet’s usability and reliability despite violating the cherished design principle. In tandem with this development, researchers have extensively studied middleboxes—a core element to the middle fabric. Nevertheless, with the continuous growth and complexity of this part of the Internet, under-explored research avenues emerge. In this dissertation, I present a series of large-scale Internet measurements that reveal how middleboxes, while integral to the successful expansion of the Internet, can compromise its reliability. First, I examine the role that nation-state censorship middleboxes can play in launching unprecedented TCP reflected amplification attacks that can produce virtually inexhaustible amplification rendering Denial of Service (DoS) attacks more powerful than ever presumed. Second, I investigate how network misconfigurations can cause persistent routing loops that can be abused to launch DoS attacks, and show that contrary to the common belief, middleboxes, not exclusively routers or managed switches, can cause this faulty behavior. Third, I study the censorship of circumvention proxies that affects millions of Internet users in Iran, and present evidence that challenges an established notion of censorship monolithism in Iran. Indeed, this diversity of censorship deployments complicates the circumvention landscape, requiring ISP-specific circumvention strategies to individually combat heterogeneous censorship middleboxes. Finally, I present measurements that demonstrates how the performance of on-path censorship middleboxes can be degraded without impacting the underlying network, thereby highlighting the significant risks from degraded Internet connectivity had these middleboxes been deployed in-path. Through these large-scale measurements, this dissertation argues that the evolving complexity of middleboxes introduces both new challenges and opportunities for improving the Internet’s reliability.
    13 0
  • No Thumbnail Available
    ItemRestricted
    Comprehensive Strategies for Time-Sensitive Networks: Path Selection, Scheduling, Security, and Virtual Reality Traffic Insights
    (Univeristy of Delaware, 2024-09) Alnajim, Abdullah Abdulkarim; Shen, Chien-Chung
    Distributed real-time applications (RTAs) demand that their communication networks be robust and deterministic. Two properties identify the network’s determinism, which are (1) the stability in terms of end-to-end latency and jitter and (2) the resilience to failures and security threats. To achieve determinism, the IEEE Time-Sensitive Networking (TSN) Task Group has amended the standards of IEEE 802.3 Ethernet to support the stringent timing requirements of RTAs. The primary purpose of this dissertation is to satisfy these two properties in the context of TSN and analyze the traffic characteristics of one popular RTA application, namely Virtual Reality (VR). To meet the stability property, we design an incremental performance-aware path selection and non-time-slotted scheduling framework that uses performance measurements to route TSN flows while load-balancing both TSN and best-effort traffic and diversifying the selected paths to avoid creating bottleneck links. Then, the framework uses non-time-slotted scheduling to find the appropriate transmission time to avoid queuing delays (or make them predictable) while enhancing bandwidth utilization compared to existing time-slotted scheduling solutions. The incremental nature of the framework, although increasing its flexibility by allowing RTAs to join the network while it is in operation, introduces security threats. We identify these threats, evaluate their impacts, and propose reactive defenses to detect and react to them upon their occurrences. To better understand future RTAs, we also analyzed the traffic characteristics of the ideal VR experience, where we used the information of the human vision capabilities to derive specific values for the required capacity, latency, and reliability for such an experience. To evaluate the accuracy of these estimated values, we derived corresponding values for Quest 2 using its provided specifications. Then, we conducted realistic VR experiences over an edge-enabled IEEE 802.11ax network to evaluate how far the calculated values were from the measured values. Results showed that the schedulability of better load-balanced TSN flows increases by up to 95.08%. Compared with time-slotted scheduling, non-time-slotted scheduling increases the schedulability of TSN flows by fivefold in some cases. Moreover, non-time-slotted scheduling reduces the number of guard bands, enhancing link utilization by more than 60%. Furthermore, the reactive defenses retained TSN’s determinism by dropping less than 1% of TSN flows in some scenarios. Finally, the measured traffic characteristics from the realistic VR experience over IEEE 802.11ax aligned with their corresponding calculated values.
    24 0
  • Thumbnail Image
    ItemRestricted
    A Distributed and Hybrid AI-Based Security Framework for 5G Real-time Applications
    (Washington University in St. Louis, 2024-08-15) Ghubaish, Ali Hussain A; Chamberlain, Roger; Dutta, Ashutosh; Jain, Raj; Ottley, Alvitta; Zhang, Ning
    This dissertation develops a multifaceted security framework tailored for 5G-enabled real-time Internet of medical things (IoMT) systems to significantly enhance the security infrastructure within healthcare environments. The framework pivots around three core technological advancements: the development of the light feature engineering based on the mean decrease in accuracy (LEMDA), the construction of a 5G testbed that serves as a distributed intrusion detection system (IDS), and the implementation of a hybrid deep reinforcement learning (HDRL) method. LEMDA represents a breakthrough in data processing for IoMT systems. By intelligently reducing data complexity, LEMDA enhances the speed and accuracy of threat detection mechanisms, which is crucial for handling the immense volumes of data generated in healthcare settings. This method speeds up the detection process and ensures that essential data nuances are not lost, thereby maintaining high precision in threat identification. Establishing the 5G testbed introduces a novel approach to distributed IDS. This testbed leverages the latest in 5G and multi-access edge computing (MEC) technologies to distribute the processing load, thereby enhancing the overall resilience and efficiency of the network. This strategic distribution also helps overcome traditional challenges associated with centralized systems, such as scalability issues and vulnerability to single points of failure. Furthermore, this initiative has led to creating a new dataset specifically designed to support the development of IDS methodologies congruent with the architectures of 5G and MEC. This dataset is a valuable resource for researchers across both academic and industrial spheres, facilitating the advancement of tailored intrusion detection strategies. Lastly, the HDRL method integrates deep learning and reinforcement learning techniques tailored to harness network and host data for improved threat detection. This innovative approach dynamically adapts to evolving threat landscapes, reducing the need for constant human supervision and frequent retraining. The HDRL method showcases a significant enhancement in threat detection efficacy, setting new benchmarks in the field. In addition to these primary contributions, the dissertation delves into creating comprehensive datasets through the EHMS testbed and reviews current IoMT security measures and attack techniques. These endeavors provide a holistic view of the security landscape and inform the development of the proposed security framework.
    23 0
  • Thumbnail Image
    ItemRestricted
    Lightweight Cryptographic Mechanisms for Internet of Things and Embedded Systems
    (2023-03) Bin Rabiah, Abdulrahman; Abu-Ghazaleh, Nael; Richelson, Silas
    Today, IoT devices such as health monitors and surveillance cameras are widespread. As the industry matures, IoT systems are becoming pervasive. This revolution necessitates further research in network security, as IoT systems impose constraints on network design due to the use of lightweight, computationally weak devices with limited power and network connectivity being used for varying and unique applications. Thus, specialized secure protocols which can tolerate these constraints are needed. This dissertation examines three problems in the constrained IoT setting: 1) Key exchange, 2) Authentication and 3) Key management. First, IoT devices often gather critical information that needs to be communicated in a secure manner. Authentication and secure communication in an IoT environment can be difficult because of constraints, in computing power, memory, energy and network connectivity. For secure communication with the rest of the network, an IoT device needs to trust the gateway through which it communicates, often over a wireless link. An IoT device needs a way of authenticating the gateway and vice-versa, to set up that secure channel. We introduce a lightweight authentication and key exchange system for IoT environments that is tailored to handle the IoT-imposed constraints. In our system, the gateway and IoT device communicate over an encrypted channel that uses a shared symmetric session key which changes periodically (every session) in order to ensure perfect forward secrecy. We combine both symmetric-key and public-key cryptography based authentication and key exchange, thus reducing the overhead of manual configuration. We study our proposed system, called Haiku, where keys are never exchanged over the network. We show that Haiku is lightweight and provides authentication, key exchange, confidentiality, and message integrity. Haiku does not need to contact a Trusted Third Party (TTP), works in disconnected IoT environments, provides perfect forward secrecy, and is efficient in compute, memory and energy usage. Haiku achieves 5x faster key exchange and at least 10x energy consumption reductions. Second, signature-based authentication is a core cryptographic primitive essential for most secure networking protocols. We introduce a new signature scheme, MSS, that allows a client to efficiently authenticate herself to a server. We model our new scheme in an offline/online model where client online time is premium. The offline component derives basis signatures that are then composed based on the data being signed to provide signatures efficiently and securely during run-time. MSS requires the server to maintain state and is suitable for applications where a device has long-term associations with the server. MSS allows direct comparison to hash chain-based authentication schemes used in similar settings, and is relevant to resource-constrained devices e.g., IoT. We derive MSS instantiations for two cryptographic families, assuming the hardness of RSA and decisional Diffie-Hellman (DDH) respectively, demonstrating the generality of the idea. We then use our new scheme to design an efficient time-based one-time password (TOTP) system. Specifically, we implement two TOTP authentication systems from our RSA and DDH instantiations. We evaluate the TOTP implementations on Raspberry Pis which demonstrate appealing gains: MSS reduces authentication latency and energy consumption by a factor of ∼82 and 792, respectively, compared to a recent hash chain-based TOTP system. Finally, we examine an important sub-component of the massive IoT technology, namely connected vehicles (CV)/Internet of Vehicles (IoV). In the US alone, the US department of transportation approximates the number of vehicles to be around 350 million. Connected vehicles is an emerging technology, which has the potential to improve the safety and efficiency of the transportation system. To maintain the security and privacy of CVs, all vehicle-to-vehicle (V2V) communications are typically established on top of pseudonym certificates (PCs) which are maintained by a vehicular public key infrastructure (VPKI). However, the state-of-the-art VPKIs (including SCMS; the US VPKI standard for CV) often overlooked the reliability constraint of wireless networks (which eventually degrades the VPKI security) that exists in high-mobility environments such as CV networks. This constraint stems from the short coverage time between an on-board unit (OBU) inside a fast moving vehicle and a stationary road-side unit (RSU). In this work, we present TVSS, a novel VPKI design that pushes critical VPKI operations to the edge of the network; the RSU, while maintaining all security and privacy assumptions in the state-of-the-art VPKIs. Our real-life testbed shows a reduced PC generation latency by 28.5x compared to recent VPKIs. Furthermore, our novel local pseudonym certificate revocation lists (PCRLs) achieves 13x reduction in total communication overhead for downloading them compared to delta PCRLs.
    38 0

Copyright owned by the Saudi Digital Library (SDL) © 2025