Your search keyword '"Gurtov, A."' showing total 35 results

1. Simulating ADS-B Attacks in Air Traffic Management

Author

Andrei Gurtov, Anton Blaberg, Gustav Lindahl, and Billy Josefsson

Subjects

021110 strategic, defence & security studies, Atmosphere (unit), business.industry, Aviation, Computer science, Real-time computing, Air traffic management, 0211 other engineering and technologies, ComputerApplications_COMPUTERSINOTHERSYSTEMS, 02 engineering and technology, Air traffic control, Data point, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Code (cryptography), 020201 artificial intelligence & image processing, The Internet, business

Abstract

In Air Traffic Management (ATM) training, simulations of real air traffic control (ATC) scenarios are a key part of practical teaching. On the internet one may find multiple different ATM simulators available to the public with open source code. Today most aircraft transmit data about position, altitude, and speed into the atmosphere that practically are unencrypted data points. This data is called automatic dependant surveillance broadcast (ADS-B) data. The lack of security means that potential attackers could project “fake” ADS-B data and spoof existing data to air traffic controllers (ATCO) if the right equipment is used. We see this as a security flaw and we want to prepare ATCO for cyberattacks by modifying an ATM simulator with cyberattacks. First, OpenScope was chosen as the ATM simulator to be modified. Subsequently, three types of attacks were chosen for the simulator to be equipped with, based on ADS-B weaknesses from existing literature: aircraft not responding to commands, aircraft with altering positional data, and aircraft with incorrect speed and altitude data. The recorded parameters were the written command lines and corresponding aircraft type it was applied to. Using this modified simulator, ATCO can now be evaluated against cyberattacks.

Published

2020

2. Secure and Resilient Communications in the Industrial Internet

Author

Mohammad Borhani, Andrei Gurtov, Anca Delia Jurcut, Madhusanka Liyanage, Pardeep Kumar, and Ali Hassan Sodhro

Subjects

Focus (computing), Network architecture, business.industry, Computer science, Big data, Industrial Internet, The Internet, Cloud computing, business, Resilience (network), Computer security, computer.software_genre, computer

Abstract

The Industrial Internet brings the promise of increased efficiency through on-demand manufacturing and maintenance, combining sensors data from engines and industrial devices with big data analysis in the cloud. In this chapter, we survey the main challenges that the Industrial Internet faces from a networking viewpoint. We especially focus on security, as critical industrial components could be exposed over the Internet, affecting resilience. We describe two approaches, Identity-Defined Networking and Software-Defined Virtual Private LAN Services as potential network architectures for the Industrial Internet.

Published

2020

3. Opportunities and Challenges of Software-Defined Mobile Networks in Network Security

Author

Mika Ylianttila, Madhusanka Liyanage, Ahmed Bux Abro, and Andrei Gurtov

Subjects

Mobile radio, OpenFlow, Computer Networks and Communications, Network security, Computer science, Vulnerability, Mobile computing, Telecommunications service, Cloud computing, 02 engineering and technology, Computer security, computer.software_genre, 0202 electrical engineering, electronic engineering, information engineering, Electrical and Electronic Engineering, Cloud computing security, business.industry, 020206 networking & telecommunications, Virtualization, Security service, Network Access Control, Scalability, Network security policy, 020201 artificial intelligence & image processing, The Internet, Mobile telephony, business, Software-defined networking, Law, computer, Computer network

Abstract

Software-defined mobile network (SDMN) architecture integrates software-defined networks, network functions virtualization, and cloud computing principles in mobile networking environments to transform rigid and disparate legacy mobile networks into scalable and dynamic ecosystems. However, because SDMN architecture separates the control and data planes, it will significantly change the way security is managed and applied for mobile networks. In this article, the authors discuss the security challenges, vulnerabilities, and opportunities that need to be investigated and addressed for future SDMNs. It also highlights how common security threats in IP networks such as the Internet are now applicable in new open and IP-based SDMNs.

Published

2016

4. Analyzing Internet-connected industrial equipment

Author

Adam Hansson, Mohammad Khodari, and Andrei Gurtov

Subjects

Industrial equipment, Authentication, Exploit, business.industry, Computer science, Industrial control system, Computer security, computer.software_genre, Server, The Internet, Internet of Things, business, computer, Vulnerability (computing)

Abstract

The search engine Shodan crawls the Internet to collect banners from Internet connected devices. When making this information publicly available, anyone can search and find these devices. Results from Shodan show that it is not only web or mail servers that are connected, but also industrial Control Systems (ICS) and Internet of Things (IoT) devices. Some of these devices use protocols that were invented more than 20 years ago. These protocols are not designed to be exposed on the Internet and since they lack security mechanisms, they are vulnerable to attacks. With help from Shodan we have searched for vulnerable devices using search queries corresponding to ICS and IoT protocols. To find the security flaws in protocols, we utilized the vulnerability and exploit database Rapid7. Our results indicate that there are several hundreds of online devices that are vulnerable in Sweden.

Published

2018

5. Anonymous Secure Framework in Connected Smart Home Environments

Author

Phuong Hoai Ha, An Braeken, Jari Iinatti, Andrei Gurtov, Pardeep Kumar, Industrial Sciences and Technology, Digital Mathematics, and Engineering Technology

Subjects

Smart Home, Computer science, smart home, Computer Networks and Communications, Internet of Things, unlinkability, 02 engineering and technology, Computer security, computer.software_genre, Home automation, 0202 electrical engineering, electronic engineering, information engineering, Session key, Safety, Risk, Reliability and Quality, AKA, Authentication, anonymity, business.industry, key agreement, 020206 networking & telecommunications, Intervention (law), Identity (object-oriented programming), 020201 artificial intelligence & image processing, The Internet, business, computer, Anonymity

Abstract

The smart home is an environment, where heterogeneous electronic devices and appliances are networked together to provide smart services in a ubiquitous manner to the individuals. As the homes become smarter, more complex, and technology dependent, the need for an adequate security mechanism with minimum individual’s intervention is growing. The recent serious security attacks have shown how the Internet-enabled smart homes can be turned into very dangerous spots for various ill intentions, and thus lead the privacy concerns for the individuals. For instance, an eavesdropper is able to derive the identity of a particular device/appliance via public channels that can be used to infer in the life pattern of an individual within the home area network. This paper proposes an anonymous secure framework (ASF) in connected smart home environments, using solely lightweight operations. The proposed framework in this paper provides efficient authentication and key agreement, and enables devices (identity and data) anonymity and unlinkability. One-time session key progression regularly renews the session key for the smart devices and dilutes the risk of using a compromised session key in the ASF. It is demonstrated that computation complexity of the proposed framework is low as compared with the existing schemes, while security has been significantly improved.

Published

2017

6. Hierarchical architectures in structured peer-to-peer overlay networks

Author

Dmitry Korzun and Andrei Gurtov

Subjects

Hierarchy, Computer Networks and Communications, business.industry, Computer science, Distributed computing, Overlay network, Hash table, Shared resource, Scalability, Key (cryptography), The Internet, Hierarchical network model, business, Software, Computer network

Abstract

Distributed Hash Tables (DHT) are presently used in several large-scale systems in the Internet and envisaged as a key mechanism to provide identifier-locator separation for mobile hosts in Future Internet. Such P2P-based systems become increasingly complex serving popular social networking, resource sharing applications, and Internet-scale infrastructures. Hierarchy is a standard mechanism for coping with heterogeneity and scalability in distributed systems. To address the shortcomings of flat DHT designs, many hierarchical P2P designs have been proposed over recent years. The last generation is hierarchical DHTs (HDHTs) where nodes are organized onto layers and groups. This article discusses hierarchical architectures applied in structured P2P overlay networks, focusing on HDHT designs. We introduce a framework consisting of conceptual models of network hierarchy, multi-layer hierarchical DHT architectures, principles affecting the design choices, and cost models for system tradeoff analysis, performance evaluation, and scalability estimation. Based on the framework we provide a taxonomy and survey more than 20 hierarchical HDHT proposals.

Published

2013

7. CIDOR: Content distribution and retrieval in disaster networks for public protection

Author

Hasan M A Islam, Dmitrij Lagutin, Andrey Lukyanenko, Andrei Gurtov, Antti Ylä-Jääski, Professorship Ylä-Jääski A., Department of Computer Science, Linköping University, Aalto-yliopisto, and Aalto University

Subjects

Routing protocol, Delay-tolerant networking, Networking and Internet Architecture (cs.NI), FOS: Computer and information sciences, ta113, Exploit, Computer science, business.industry, 020206 networking & telecommunications, 02 engineering and technology, Communications system, Metadata, Computer Science - Networking and Internet Architecture, Models of communication, 0202 electrical engineering, electronic engineering, information engineering, The Internet, business, Host (network), Computer network

Abstract

Information-Centric Networking (ICN) introduces a paradigm shift from a host centric communication model for Future Internet architectures. It supports the retrieval of a particular content regardless of the physical location of the content. Emergency network in a disaster scenario or disruptive network presents a significant challenge to the ICN deployment. In this paper, we present a Content dIstribution and retrieval framework in disaster netwOrks for public pRotection (CIDOR) which exploits the design principle of the native CCN architecture in the native Delay Tolerant Networking (DTN) architecture. We prove the feasibility and investigate the performance of our proposed solution using extensive simulation with different classes of the DTN routing strategies in different mobility scenarios. The simulation result shows that CIDOR can reduce the content retrieval time up to 50% while the response ratio is close to 100%., International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob)

Published

2017

8. Analysis of deployment challenges of Host Identity Protocol

Author

Ijaz Ahmad, Andrei Gurtov, Mika Ylianttila, and Madhusanka Liyanage

Subjects

Mobility, Network security, business.industry, computer.internet_protocol, Computer science, Mobile computing, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, SDN, Software deployment, Mobile VPN, 0202 electrical engineering, electronic engineering, information engineering, Security, 020201 artificial intelligence & image processing, The Internet, Host Identity Protocol, business, Software-defined networking, Protocol (object-oriented programming), computer, Internetworking

Abstract

Host Identity Protocol (HIP), a novel internetworking technology proposes separation of the identity-location roles of the Internet Protocol (IP). HIP has been successful from the technological perspectives for network security and mobility, however, it has very limited deployment. In this paper we assess HIP to find the reasons behind its limited deployment and highlight the challenges faced by HIP for its commercial use. We propose technological development and outline deployment strategies for the wide use of HIP. Furthermore, this paper investigates the use of HIP in Software Defined Networks (SDN) to evaluate its performance in new disruptive networking technologies. In a nutshell, this paper presents revealing challenges for the deployment of innovative networking protocols and a way ahead for successful and large scale deployment.

Published

2017

9. CR-Chord: Improving lookup availability in the presence of malicious DHT nodes

Author

Dmitry Korzun, Andrei Gurtov, and Boris Nechaev

Subjects

Pastry, InformationSystems_INFORMATIONINTERFACESANDPRESENTATION(e.g.,HCI), GeneralLiterature_INTRODUCTORYANDSURVEY, Computer Networks and Communications, business.industry, Computer science, Distributed computing, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Hash table, Key-based routing, Chord (music), The Internet, Chord (peer-to-peer), business, Computer network

Abstract

Distributed Hash Tables (DHTs) provide a useful key-to-value lookup service for many Internet applications. However, without additional mechanisms DHTs are vulnerable to attacks. In particular, previous research showed that Chord is not well resistant to malicious nodes that joined the DHT. We introduce the cyclic routing algorithm as an extension of Chord (CR-Chord). Using simulations we compare the lookup availability of Chord and CR-Chord. The results suggest that CR-Chord improves the lookup availability on the average by 1.4 times. When the number of malicious nodes is small, such as 5%, CR-Chord has almost twice lower lookup failure rate.

Published

2011

10. Secure and Efficient IPv4/IPv6 Handovers Using Host-Based Identifier-Locator Split

Author

Samu Varjonen, Miika Komu, and Andrei Gurtov

Subjects

lcsh:Computer software, business.industry, computer.internet_protocol, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Network layer, IPv4, IPv6, Identifier, lcsh:QA76.75-76.765, Multihoming, The Internet, Host Identity Protocol, Electrical and Electronic Engineering, business, computer, Host (network), Software, Computer network

Abstract

Internet architecture is facing at least three major challenges. First, it is running out of IPv4 addresses. IPv6 offers a long-term solution to the problem by offering a vast amount of addresses but is neither supported widely by networking software nor has been deployed widely in different networks. Second, end-to-end connectivity is broken by the introduction of NATs, originally invented to circumvent the IPv4 address depletion. Third, the Internet architecture lacks a mechanism that supports end-host mobility and multihoming in a coherent way between IPv4 and IPv6 networks. We argue that an identifier-locator split can solve these three problems based on our experimentation with the Host Identity Protocol. The split separates upper layer identifiers from lower network layer identifiers, thus enabling network-location and IPversionindependent applications. Our contribution consists of recommendations to the present HIP standards to utilize cross-family mobility more efficiently based on our implementation experiences. To the best of our knowledge we are also the first ones to show a performance evaluation of HIP-based cross-family handovers.

Published

2010

11. Poster abstract

Author

Juho Heikkilä, Joakim Koskela, and Andrei Gurtov

Subjects

business.industry, Computer science, Internet privacy, General Medicine, Communications system, Computer security, computer.software_genre, Phishing, Identity management, Electronic mail, Scale (social sciences), Identity theft, The Internet, Architecture, business, computer

Abstract

The Internet is plagued by an increasing number of nuisances ranging from simple inconveniences to threats, such as phishing and identity theft. The scale of these problems has grown to alarming proportions, as well seen in the amount of unsolicited electronic mail (SPAM) in the Internet today. In systems where the control lies in trusted centralized entities threats have been well recognized, and techniques developed to mitigate the effect. However, as mobile and ad-hoc networks are becoming commonplace, we see more systems designed using distributed and peer-to-peer architectures. A similar outbreak of security threats is feared in these domains, unless we integrate security in the design. The mechanisms developed for centralized systems might not be applicable, forcing us to explore new methods and models. Our work focuses on developing and experimenting with security mechanisms for distributed real-time communication systems. We concentrate on issues such as secure architecture, privacy and identity management, as well as prevention of unwanted calls.

Published

2010

12. Hi3: An efficient and secure networking architecture for mobile hosts

Author

Pekka Nikander, Andrey Lukyanenko, Dmitry Korzun, and Andrei Gurtov

Subjects

Computer Networks and Communications, Computer science, business.industry, computer.internet_protocol, Denial-of-service attack, Computer security, computer.software_genre, Multihoming, Mobile architecture, Scalability, The Internet, Host Identity Protocol, business, Resilience (network), Host (network), computer, Computer network

Abstract

The Host Identity Indirection Infrastructure (Hi3) is a networking architecture for mobile hosts, derived from the Internet Indirection Infrastructure (i3) and the Host Identity Protocol (HIP). Hi3 has efficient support for secure mobility and multihoming, which both are crucial for future Internet applications. In this paper, we describe and analyze Hi3 in detail. Compared to existing solutions, Hi3 achieves better resilience, scalability, and security. Both our analysis and early measurements support the notion that Hi3 preserves the best of both approaches while improving performance compared to i3 and enhancing flexibility and security compared to HIP.

Published

2008

13. Secure communication and data processing challenges in the industrial internet

Author

Andrei Gurtov, Madhusanka Liyanage, and Dmitry Korzun

Subjects

Data processing, IoT, General Computer Science, cybersecurity, business.industry, Computer science, Communication Systems, Communications system, Computer security, computer.software_genre, Internet Architecture Board, VPLS, Automation, Networking, 5G, smart spaces, Secure communication, Industrial Internet, The Internet, Industrial Revolution, business, computer, Kommunikationssystem

Abstract

The next industrial revolution is foreseen to happen with upcoming Industrial Internet that combines massive data collected by industrial sensors with data analysis for improving the efficiency of operations. Collecting, pre-processing, storing and analyzing such real-time data is a complex task with stringent demands on communication intelligence, QoS and security. In this paper we outline some challenges facing the Industrial Internet, namely integration with 5G wireless networks, Software Defined Machines, ownership and smart processing of digital sensor data. We propose a secure communication architecture for the Industrial Internet based on Smart Spaces and Virtual Private LAN Services. It is a position paper, describing state-of-the-art and a roadmap for future research on the Industrial Internet.

Published

2016

14. On scalability properties of the Hi3 control plane

Author

Andrei Gurtov and Dmitry Korzun

Subjects

Network architecture, Indirection, Computer Networks and Communications, business.industry, computer.internet_protocol, Computer science, Mobile computing, Denial-of-service attack, PlanetLab, Scalability, Forwarding plane, The Internet, Host Identity Protocol, business, computer, Computer network

Abstract

The Host Identity Indirection Infrastructure (Hi3) is a general-purpose networking architecture, derived from the Internet Indirection Infrastructure (i3) and the Host Identity Protocol (HIP). Hi3 combines efficient and secure end-to-end data plane transmission of HIP with robustness and resilience of i3. The architecture is well-suited for mobile hosts given the support for simultaneous host mobility, rendezvous and multi-homing. Although an Hi3 prototype is implemented and tested on PlanetLab, scalability properties of Hi3 for a large number of hosts are unknown. In this paper, we propose a simple model for bounds of size and latency of the Hi3 control plane for a large number of clients and in the presence of DoS attacks. The model can be used for a first approximation study of a large-scale Internet control plane before its deployment. We apply the model to quantify the performance of the Hi3 control plane. Our results show that the Hi3 control plane can support a large number of mobile hosts with acceptable latency.

Published

2006

15. Case Studies in Secure Computing

Author

Biju Issac, Madhusanka Liyanage, Dr Anitha Rajagopal Usha, Lam-for KWOK, Tushar Kanti Saha, M. B. Ghaznavi-Ghoushchi, Hossain Shahriar, Kashif Munir, Wenjuan Li, Andrei Gurtov, and Kian Meng Yap

Subjects

Computer science, business.industry, Cloud computing, Information security, Web application security, Computer security, computer.software_genre, Security association, Application security, The Internet, Smart card, business, computer, Signcryption

Abstract

Survey of Secure Computing Kuruvilla Mathew and Biju Issac Feature Selection and Decision Tree: A Combinational Approach for Intrusion Detection Hari Om and Alok Kumar Gupta Fuzzy Logic-Based Application Security Risk Assessment Hossain Shahriar, Hisham M. Haddad, and Ishan Vaidya Authenticated Multiple-Key Establishment Protocol for Wireless Sensor Networks Jayaprakash Kar Tees Confidentiality Model (TCM2): Supporting Dynamic Authorization and Overrides in Attribute Based Access Control Jim Longstaff and Tony Howitt Design and Analysis of Independent, Open-Access Wi-Fi Monitoring Infrastructures in Live Environments Jonny Milliken, Kian Meng Yap, and Alan Marshall Security Attacks and Countermeasures in Cloud Computing Kashif Munir, Lawan Ahmad Mohammad, and Sellapan Palaniappan Optimizing Ant-Based Internet Protocol Traceback Mohammad Hamedi-Hamzehkolaie, Mohammad Javad Shamani, and M. B. Ghaznavi-Ghoushchi A Case Study on Security Issues in LT E Backhaul and Core Networks Madhusanka Liyanage, Mika Ylianttila, and Andrei Gurtov A Case Study of Intelligent ID S False Alarm Reduction in Cloud Environments: Challenges and Trends Yuxin Meng, We njuan Li, and Lam-For Kwok Attacks in Wireless Sensor Networks and Their Countermeasures Mukesh Kumar and Kamlesh Dutta Privacy-Preserving Identity-Based Broadcast Encryption and Its Applications Muthulakshmi Angamuthu, Anitha Ramalingam, and Thanalakshmi Perumal The Impact of Application-Layer Denial-of-Service Attacks Hugo Gonzalez, Marc Antoine Gosselin-Lavigne, Natalia Stakhanova, and Ali A. Ghorbani Classification of Radical Messages on Twitter Using Security Associations Pooja Wadhwa and M. P. S. Bhatia Toward Effective Malware Clustering: Reducing False Negatives through Feature Weighting and the Lp Metric Renato Cordeirode Amorim and Peter Komisarczuk Reversible Watermarking: Theory and Practice Ruchira Naskar and Rajat Subhra Chakraborty Web Application Security Attacks and Countermeasures Tushar Kanti Saha and A. B. M. Shawkat Ali Security in Mobile Networks: A Novel Challenge and Solution Tran Quang Thanh, Yacine Rebahi, and Thomas Magedanz Web Session Security: Attack and Defense Techniques Zachary Evans and Hossain Shahriar Internet Botnets: A Survey of Detection Techniques Boris Nechaev and Andrei Gurtov Creating a Solid Information Security Infrastructure through the Use of the Intelligence Cycle: A Case Study Carlos F. Lerma Resendez A Novel Construction of Certificateless Signcryption Scheme for Smart Card Jayaprakash Kar

Published

2014

16. PAuthKey: A Pervasive Authentication Protocol and Key Establishment Scheme for Wireless Sensor Networks in Distributed IoT Applications

Author

Pawani Porambage, Pardeep Kumar, Mika Ylianttila, Corinna Schmitt, Andrei Gurtov, University of Zurich, and Porambage, Pawani

Subjects

Key establishment, Article Subject, 10009 Department of Informatics, Computer Networks and Communications, Computer science, 000 Computer science, knowledge & systems, lcsh:QA75.5-76.95, 1705 Computer Networks and Communications, ta518, Key management, ta515, ta113, Authentication, ta112, ta213, business.industry, General Engineering, Key distribution in wireless sensor networks, Authentication protocol, ta5141, 2200 General Engineering, The Internet, lcsh:Electronic computers. Computer science, business, Implicit certificate, Wireless sensor network, Computer network

Abstract

Wireless sensor Networks (WSNs) deployed in distributed Internet of Things (IoT) applications should be integrated into the Internet. According to the distributed architecture, sensor nodes measure data, process, exchange information, and perform collaboratively with other sensor nodes and end-users, which can be internal or external to the network. In order to maintain the trustworthy connectivity and the accessibility of distributed IoT, it is important to establish secure links for end-to-end communication with a strong pervasive authentication mechanism. However, due to the resource constraints and heterogeneous characteristics of the devices, traditional authentication and key management schemes are not effective for such applications. This paper proposes a pervasive lightweight authentication and keying mechanism for WSNs in distributed IoT applications, in which the sensor nodes can establish secured links with peer sensor nodes and end-users. The established authentication scheme PAuthKey is based on implicit certificates and it provides application level end-to-end security. A comprehensive description for the scenario based behavior of the protocol is presented. With the performance evaluation and the security analysis, it is justified that the proposed scheme is viable to deploy in the resource constrained WSNs.

Published

2014

17. A scalable and secure VPLS architecture for provider provisioned networks

Author

Andrei Gurtov and Madhusanka Liyanage

Subjects

Network security, business.industry, computer.internet_protocol, Computer science, Virtual Private LAN Service, Node (networking), Distributed computing, Local area network, Telecommunications service, Provisioning, Cryptographic protocol, Encryption, Broadcast communication network, Enterprise private network, Session key, The Internet, Host Identity Protocol, business, computer, Private network, Computer network

Abstract

Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (VPN) service. Internet Engineering Task Force (IETF) defined the essential system requirements of a VPLS network. Among them, Security is a key requirement as a VPLS delivers the customer data frames via untrusted public networks. However, the existing secure VPLS architectures are suffering from scalability issues and they are infeasible to implement in large scale networks. In this paper, we propose a novel VPLS architecture based on Host Identity Protocol (HIP). It includes a new session key based security mechanism which provides the scalability both in forwarding and security planes. Initial simulations verify that the proposed architecture reduces the key storage in a VPLS node, the total key storage in the network and the number of encryption per broadcast frame than other secure VPLS architectures. Additionally, our proposal provides an efficient broadcast mechanism and comparably higher degree of security features than other existing VPLS proposals.

Published

2013

18. Mediating Multimedia Traffic with Strict Delivery Constraints

Author

Tatiana Polishchuk, Michael Karl, Thorsten Herfet, and Andrei Gurtov

Subjects

Multicast, Multimedia, business.industry, Computer science, Broadband networks, Internet traffic, Multimedia Broadcast Multicast Service, computer.software_genre, Broadcasting (networking), Scalability, The Internet, business, computer, Dissemination, Computer network

Abstract

Internet multimedia traffic currently occupies more than half of the total Internet traffic and it continues to expand tremendously. Targeting to meet strict constraints imposed by the requirements of real-time multimedia applications appropriate error-correction techniques should be implemented within the data dissemination network. We propose to introduce multipurpose relay nodes called Mediators into several positions within the tree networks typical for multicasting and broadcasting scenarios. By utilizing the error-correction domain separation paradigm in combination with selective insertion of the supplementary data from parallel networks, when the corresponding content is available, the proposed mechanism reduces the total network load and improves scalability of multicast/broadcast transmission. We share our view on how the existing application frameworks could benefit from the incremental deployment of the proposed mechanism. Experimental results confirm suitability and applicability of our assumptions.

Published

2012

19. Hierarchical DHT Architectures

Author

Andrei Gurtov and Dmitry Korzun

Subjects

Hierarchy, Computer science, business.industry, Distributed computing, Taxonomy (general), ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Scalability, Key (cryptography), Overlay network, The Internet, Hierarchical network model, business, Hash table

Abstract

Distributed Hash Tables (DHT) are presently used in several large-scale distributed systems in the Internet and envisaged as a key mechanism to provide identifier-locator separation for mobile hosts in Future Internet. Such decentralized structured data storage systems become increasingly complex serving popular social networking, P2P applications, and Internet-scale infrastructures. Hierarchy is a standard mechanism for coping with complexity, scalability, and heterogeneity in distributed systems. To address the shortcomings of flat DHT designs, many hierarchical P2P designs have been proposed over recent years. The last generation is hierarchical DHTs (HDHTs) where nodes are organized onto layers and groups. This chapter discusses concepts of hierarchical architectures in structured P2P overlay networks, focusing on HDHT designs. We introduce a framework consisting of conceptual models of network hierarchy, multi-layer hierarchical P2P architectures, and principles affecting the design choices. Based on the framework we provide taxonomy of existing P2P systems and thoroughly go over proposed hierarchical P2P alternatives.

Published

2012

20. Host identity protocol (HIP): an overview

Author

Thomas R. Henderson, Andrei Gurtov, and Pekka Nikander

Subjects

Engineering, computer.internet_protocol, business.industry, Computer security, computer.software_genre, NAT traversal, Multihoming, Accountability, The Internet, Host Identity Protocol, Architecture, business, computer, Computer network

Published

2012

21. DISPUTE: Distributed puzzle tussle

Author

Andrei Gurtov, Andrey Lukyanenko, and Antti Ylä-Jääski

Subjects

Variable (computer science), Computer science, business.industry, Server, Denial-of-service attack, The Internet, business, Computer security, computer.software_genre, computer, Server-side, Computer network

Abstract

Distributed Denial of Service (DDoS) attack continues to be one of the main vulnerabilities of today's Internet. Client's puzzle mechanism is a well-known solution against such threat, however with badly tuned puzzle sizes it may harm the clients in the peaceful time, as well as produce additional difficulties during an attack. Here, we introduce a novel algorithm — DISPUTE — auto-tunable distributed puzzle mechanism with variable puzzle sizes. Main feature of it is that the server does not need to adjust any puzzle sizes, instead the clients during the “fight for” server resources find some form of equilibrium situation on the server side. We describe the algorithm and show the DISPUTE's performance using a simulation tool. The results suggest that regular (laptop) users, as well as light (sensor) users can successfully access a server even during a heavy DDoS attack.

Published

2011

22. Improving TCP-Friendliness for mHIP

Author

Andrei Gurtov and Tatiana Polishchuk

Subjects

Computer science, business.industry, Multihoming, Goodput, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Multipath routing, Throughput, The Internet, business, Multipath propagation, Data transmission, Computer network, Connection (mathematics)

Abstract

Multihomed environments are getting increasingly common, especially for mobile users. mHIP was designed to provide secure multipath data transmission for the multihomed hosts and boost throughput of a single TCP connection by effectively distributing data over multiple available paths.

Published

2011

23. Playing Defense by Offense: Equilibrium in the DoS-attack problem

Author

Vladimir V. Mazalov, I. Falko, Andrei Gurtov, and Andrey Lukyanenko

Subjects

Constant (computer programming), Computer science, business.industry, Identity (object-oriented programming), Denial-of-service attack, The Internet, Computer security, computer.software_genre, business, Game theory, computer, Computer network

Abstract

We develop defenses from resource-exhausting Denial-of-Service attacks initiated by an attacker to a server. The attacker does not have a permanent identity but spoofs the IP addresses for other users. Generalizing the Defense-by-Offense approach we enable benign users to obtain low service time by re-submitting requests according to a game-theoretic strategy. The attacker that tries to overwhelm the server by a constant stream of requests cannot succeed as its requests are dropped by the server. We derive optimal strategies for the server, as well as the attacker. We show that in the equilibrium state, the server can successfully repel the attackers with selective processing of requests. Simulations using OMNeT++ support analytical results.

Published

2010

24. A secure peer-to-peer web framework

Author

Andrei Gurtov and Joakim Koskela

Subjects

Computer science, business.industry, Network security, Service provider, Peer-to-peer, computer.software_genre, Firewall (construction), Server, Scalability, Web application, The Internet, business, computer, Computer network

Abstract

We present the design and evaluation of a secure peer-to-peer HTTP middleware framework that enables a multitude of web applications without relying on service providers. The framework is designed to be deployed in existing network environments, allowing ordinary users to create private services without investing in network infrastructure. Compared to previous work, scalability, NAT/firewall traversal and peer mobility is achieved without the need for maintaining dedicated servers by utilizing new network protocols and re-using existing network resources.

Published

2010

25. Elliptic Curve Cryptography (ECC) for Host Identity Protocol (HIP)

Author

Oleg Ponomarev, Andrei Gurtov, and Andrey Khurri

Subjects

business.industry, Computer science, computer.internet_protocol, Cryptographic protocol, Encryption, Public-key cryptography, Server, Session key, The Internet, Host Identity Protocol, Hardware_ARITHMETICANDLOGICSTRUCTURES, Elliptic curve cryptography, business, computer, Computer network

Abstract

We compare computational resources required for handling control plane of the Host Identity Protocol (HIP) using Rivest-Shamir-Adleman (RSA) versus Elliptic Curve Cryptography (ECC) encryption algorithms with keys of equivalent strength. We show that servers would establish almost three times more HIP connections per second when ECC is used for generating the session key. For devices with low computational power such as Nokia N810 Internet Tablet, the use of ECC would notably reduce the delay to establish a HIP association. Unless compatibility with legacy RSA/DSA-only systems is needed, the Host Identity may be an ECC key as well, but such a modification would bring only 50 percent additional performance with the current default keys. However the situation becomes different under higher security requirements when employing ECC for the host identification boosts the performance more than four times, and we consider ECC Host Identities desirable in that case.

Published

2010

26. Distributed user authentication in wireless LANs

Author

Andrey Khurri, Andrei Gurtov, and Dmitriy Kuptsov

Subjects

Password, Authentication, Access network, computer.internet_protocol, business.industry, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Computer security, computer.software_genre, IPsec, The Internet, Host Identity Protocol, Mobile telephony, business, computer, Mobile device, Computer network

Abstract

An increasing number of mobile devices, including smartphones, use WLAN for accessing the Internet. Existing WLAN authentication mechanisms are either disruptive, such as presenting a captive web page prompting for password, or unreliable, enabling a malicious user to attack a part of operator's infrastructure. In this paper, we present a distributed authentication architecture for WLAN users providing instant network access without manual interactions. It supports terminal mobility across WLAN access points with the Host Identity Protocol (HIP), at the same time protecting the operator's infrastructure from external attacks. User data sent over a wireless link is protected by the IPsec ESP protocol. We present our architecture design and implementation experience on two OpenWrt WLAN access points, followed by measurement results of the working prototype. The system is being deployed into pilot use in the city-wide panOULU WLAN.

Published

2009

27. Performance of Host Identity Protocol on Symbian OS

Author

Andrey Khurri, Andrei Gurtov, and Dmitriy Kuptsov

Subjects

Authentication, business.industry, computer.internet_protocol, Computer science, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, computer.software_genre, Porting, Public-key cryptography, Multihoming, Mobile phone, IPsec, Server, Operating system, The Internet, Host Identity Protocol, business, Host (network), computer, Computer network

Abstract

The Host Identity Protocol (HIP) has been specified by the IETF as a new solution for secure host mobility and multihoming in the Internet. HIP uses self-certifying public-private key pairs in combination with IPsec to authenticate hosts and protect user data. While there are three open-source HIP implementations, little experience is available with running HIP on lightweight hardware such as a mobile phone. Limited computational power and battery lifetime of lightweight devices raise concerns if HIP can be used there at all. This paper describes the porting process of HIP on Linux (HIPL) and OpenHIP implementations to Symbian OS, as well as performance measurements of HIP over WLAN using Nokia E51 and N80 smartphones. We found that with 1024-bit keys, the HIP base exchange with a server varies from 1.68 to 3.31 seconds depending on whether the mobile phone is in standby or active state respectively. After analyzing HIP performance in different scenarios we make conclusions and recommendations on using IP security on lightweight hardware clients.

Published

2009

28. Usable security management with host identity protocol

Author

Andrei Gurtov, Kristiina Karvonen, and Miika Komu

Subjects

Computer science, computer.internet_protocol, business.industry, Usability, Cryptographic protocol, Computer security, computer.software_genre, Identity management, World Wide Web, IPsec, Security management, The Internet, Host Identity Protocol, business, computer, Host (network)

Abstract

Host Identity Protocol (HIP) proposes a change to the Internet architecture by introducing cryptographically-secured names, called Host Identities (HIs), for hosts. Applications use HIs instead of IP addresses in transport layer connections, which allows applications to tolerate host-based mobility better. HIP provides IPsec-based, lower-layer security, but the problem is that this type of security is invisible for most applications and users. Our main contribution is the implementation and user evaluation of several security indicators which inform the user when HIP and IPsec are securing the connections of the user. We experimented with application and system level security indicators at the client-side, as well as with server-side indicators. In this paper, we present implementation experience on integrating the identity management Graphical User Interface (GUI) to HIP and results of usability tests with actual users.

Published

2009

29. Collaborative Reputation-based Voice Spam Filtering

Author

Ruishan Zhang and Andrei Gurtov

Subjects

Voice over IP, Point (typography), business.industry, Computer science, InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS, media_common.quotation_subject, Filter (signal processing), Computer security, computer.software_genre, World Wide Web, ComputingMethodologies_PATTERNRECOGNITION, Server, Leverage (statistics), The Internet, business, computer, Reputation, media_common

Abstract

We propose a collaborative reputation-based voice spam filtering framework. Our approach uses the cumulative online duration of a VoIP user to derive his reputation value. And we leverage user feedback to mark unsolicited calls. For each unwanted call, our voice spam filter charges the caller a reputation point, and transfers this reputation point to the callee. To avoid VoIP users to manually label nuisance calls, our voice spam filter automatically marks all VoIP calls with short call durations as unsolicited. The preliminary simulation results show that our approach is effective to counter voice spam.

Published

2009

30. Secure Multipath Transport For Legacy Internet Applications

Author

Andrei Gurtov and Tatiana Polishchuk

Subjects

business.product_category, business.industry, computer.internet_protocol, Network packet, Computer science, Distributed computing, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Multihoming, Multipath routing, Internet access, The Internet, Stream Control Transmission Protocol, Host Identity Protocol, business, computer, Multipath propagation, Computer network

Abstract

Multi-interface mobile devices and multihomed residential Internet connections are becoming commonplace. However, standard transport protocols TCP and SCTP are unable to take advantage of several available paths so that the application using a single transport connection would receive the aggregate bandwidth of all paths. Multihoming and advanced security features make the Host Identity Protocol a good candidate to provide multipath data delivery. In this paper, we design and implement a multipath scheduler that distributes the incoming traffic among multiple available paths. Using Fastest Path First scheduling, packets from a single TCP connection could be spread to multiple paths with no reordering. Our simulations confirm effectiveness and TCP-friendliness of multipath transfer for a range of path bandwidths and in the presence of cross-traffic.1

Published

2009

31. SAVAH: Source Address Validation with Host Identity Protocol

Author

Andrei Gurtov and Dmitriy Kuptsov

Subjects

Router, Authentication, business.industry, Network packet, Computer science, computer.internet_protocol, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Computer security, computer.software_genre, IPv4, IPv6, Overhead (computing), The Internet, Host Identity Protocol, business, computer, Computer network

Abstract

Explosive growth of the Internet and lack of mechanisms that validate the authenticity of a packet source produced serious security and accounting issues. In this paper, we propose validating source addresses in LAN using Host Identity Protocol (HIP) deployed in a first-hop router. Compared to alternative solutions such as CGA, our approach is suitable both for IPv4 and IPv6. We have implemented SAVAH in Wi-Fi access points and evaluated its overhead for clients and the first-hop router.

Published

2009

32. Host Identity Protocol (HIP)

Author

Andrei Gurtov

Subjects

Engineering, computer.internet_protocol, business.industry, Domain Name System, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Interoperability, Computer security, computer.software_genre, IPv4, IPv6, Multihoming, IPsec, The Internet, Host Identity Protocol, business, computer

Abstract

Within the set of many identifier-locator separation designs for the Internet, HIP has progressed further than anything else we have so far. It is time to see what HIP can do in larger scale in the real world. In order to make that happen, the world needs a HIP book, and now we have it. - Jari Arkko, Internet Area Director, IETF One of the challenges facing the current Internet architecture is the incorporation of mobile and multi-homed terminals (hosts), and an overall lack of protection against Denial-of-Service attacks and identity spoofing. The Host Identity Protocol (HIP) is being developed by the Internet Engineering Task Force (IETF) as an integrated solution to these problems. The book presents a well-structured, readable and compact overview of the core protocol with relevant extensions to the Internet architecture and infrastructure. The covered topics include the Bound End-to-End Tunnel Mode for IPsec, Overlay Routable Cryptographic Hash Identifiers, extensions to the Domain Name System, IPv4 and IPv6 interoperability, integration with SIP, and support for legacy applications. Unique features of the book: All-in-one source for HIP specifications Complete coverage of HIP architecture and protocols Base exchange, mobility and multihoming extensions Practical snapshots of protocol operation IP security on lightweight devices Traversal of middleboxes, such as NATs and firewalls Name resolution infrastructure Micromobility, multicast, privacy extensions Chapter on applications, including HIP pilot deployment in a Boeing factory HOWTO for HIP on Linux (HIPL) implementation An important compliment to the official IETF specifications, this book will be a valuable reference for practicing engineers in equipment manufacturing companies and telecom operators, as well as network managers, network engineers, network operators and telecom engineers. Advanced students and academics, IT managers, professionals and operating system specialists will also find this book of interest.

Published

2008

33. Performance of host identity protocol on lightweight hardware

Author

Andrey Khurri, Andrei Gurtov, and Ekaterina Vorobyeva

Subjects

business.industry, computer.internet_protocol, Computer science, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Encryption, Mobile phone, Multihoming, IPsec, Key (cryptography), The Internet, Host Identity Protocol, business, Host (network), computer, Computer hardware, Computer network

Abstract

The Host Identity Protocol (HIP) is being standardized by the IETF as a new solution for host mobility and multihoming in the Internet. HIP uses self-certifying public-private key pairs in combination with IPsec to authenticate hosts and protect user data. While there are three open-source HIP implementations, no experience is available with running HIP on lightweight hardware such as a PDA or a mobile phone. Limited computational power and battery lifetime of lightweight devices raises concerns if HIP can be used there at all. This paper presents performance measurements of HIP over WLAN on Nokia 770 Internet Tablet. It also provides comprehensive analysis of the results and makes suggestions on HIP suitability for lightweight clients.

Published

2007

34. Traversing Middleboxes with the Host Identity Protocol

Author

Andrei Gurtov, Hannes Tschofenig, Aarthi Nagarajan, Murugaraj Shanmugam, and Jukka Ylitalo

Subjects

Authentication, computer.internet_protocol, business.industry, Computer science, Internet layer, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Middlebox, Network layer, Computer security, computer.software_genre, law.invention, Signaling protocol, Firewall (construction), Internet protocol suite, Security association, Multihoming, law, IPsec, Internet Protocol, The Internet, Host Identity Protocol, business, computer, Computer network

Abstract

The limited flexibility of the Internet to support mobility has motivated many researchers to look for alternative architectures. One such effort that combines security and multihoming together is the Host Identity Protocol (HIP). HIP is a signaling protocol that adds a new protocol layer to the Internet stack between the transport and the network layer. HIP establishes IPsec associations to protect subsequent data traffic. Though the security associations are established solely between the communicating end hosts, HIP also aims to interwork with middleboxes such as NATs and firewalls. This paper investigates this interworking aspect and proposes a solution for secure middlebox traversal.

Published

2005

35. Analysis of the HIP base exchange protocol

Author

Andrei Gurtov, Aarthi Nagarajan, and Tuomas Aura

Subjects

Authentication, computer.internet_protocol, business.industry, Computer science, Internet layer, ComputingMethodologies_IMAGEPROCESSINGANDCOMPUTERVISION, Internet security, law.invention, Identifier, IP tunnel, Internet protocol suite, law, Internet Protocol, The Internet, Host Identity Protocol, business, Host (network), computer, Key exchange, Computer network

Abstract

The Host Identity Protocol (HIP) is an Internet security and multi-addressing mechanism specified by the IETF. HIP introduces a new layer between the transport and network layers of the TCP/IP stack that maps host identifiers to network locations, thus separating the two conflicting roles that IP addresses have in the current Internet. This paper analyzes the security and functionality of the HIP base exchange, which is a classic key exchange protocol with some novel features for authentication and DoS protection. The base exchange is the most stable part of the HIP specification with multiple existing implementations. We point out several security issues in the current protocol and propose changes that are compatible with the goals of HIP.