Altair Santin | PUC Paraná

Papers by Altair Santin

Using Huffman Trees in Features Selection to Enhance Performance in Spam Detection

Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)

Spam detection is very costly when compared to the simple task of spreading spam. Most approaches aim to reach higher accuracy percentages, leaving classification performance in the background, which may cause many problems, such as bottlenecks in the e-mail system, huge infrastructure investments and waste of pooled resources. To avoid these problems, this paper proposes a hierarchical organization of spam features using Huffman Trees, where the most important features stay closer to the root. By reducing these trees (pruning leaves) the feature space is significantly reduced, speeding up the e-mail classification process. The experiments showed a performance 60 times faster when compared to SpamAssassin.

A Multi-View Intrusion Detection Model for Reliable and Autonomous Model Updates

ICC 2021 - IEEE International Conference on Communications

Changes in network traffic behavior over time are neglected by authors who apply machine learning techniques to intrusion detection. In general, it is assumed that periodic model updates are performed, regardless of the challenges related to such a task. This paper proposes a new multi-view intrusion detection model capable of reliably performing model updates without human assistance while also maintaining its accuracy over time. The proposal evaluates the classification's confidence values in a multi-view configuration to maintain its reliability over time, even without model updates. Besides, it is able to perform model updates autonomously, according to the result of the multi-view classification. Our experiments, performed with 7TB of real network traffic over a 2-year interval, show that our proposed scheme can maintain its accuracy over time without model updates, rejecting only 14.2% of its classifications. However, when autonomous model updates are performed, the rejection rate drops to just 8.8%, while also improving the model's accuracy by 4.3%.

A motion-based approach for real-time detection of pornographic content in videos

Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing

A Host-based Intrusion Detection Model Based on OS Diversity for SCADA

IECON 2020 The 46th Annual Conference of the IEEE Industrial Electronics Society, 2020

Improving Intrusion Detection Confidence Through a Moving Target Defense Strategy

2021 IEEE Global Communications Conference (GLOBECOM), 2021

Despite the promising results reported in the literature, intrusion detection schemes cannot deal with new network traffic behaviors, making such proposals unfeasible to deploy in production environments. This paper presents an intrusion detection model that relies on a moving target defense strategy to face new network traffic behavior in a two-stage process. First, the system selects the most suitable set of classifiers to assign a class (normal or attack) according to the current event behavior. Second, we evaluate whether the performed classification is reliable by validating its confidence values. The goal is to ensure that only the higher-confidence classifications from the most suitable classifiers are used to trigger intrusion detection alerts, keeping the system reliable over time. Experiments performed on a dataset that spans over 97GB of data with seven categories of network traffic show that current machine learning techniques cannot cope with novel traffic behavior, failing to detect up to four new traffic categories. In contrast, the proposed model can select the most confident classifiers, reducing the average false-negative rates by up to 39%, regardless of the current network traffic category.

Identity and Access Management for IoT in Smart Grid

Advanced Information Networking and Applications, 2020

A smart grid (SG) is a complex system that comprises distributed servers and Internet-of-Things (IoT) devices. IoT devices are resource-constrained and are unable to cope with traditional communication and security protocols. In light of this limitation, this work proposes a novel method for end-to-end secure communication between the elements in the SG. Our proposal enables an authenticated user to transport her Internet credentials to the IoT context. We provide high efficiency in the message exchanges by adopting multicast communication without compromising the SG security. However, even though this process provides secure communication, it cannot enforce fine-grained access control over protected resources. Therefore, we propose a new two-step lightweight access control mechanism that leverages the established configuration to provide role-based authorization in the IoT context. The prototype evaluation shows that our proposal is more flexible, demanding less manual configuration, while also requiring only 23% of the message exchanges compared to other approaches in the literature.

Applied Soft Computing

Journal homepage: www.elsevier.com/locate/asoc

Facing the Unknown: A Stream Learning Intrusion Detection System for Reliable Model Updates

Advanced Information Networking and Applications, 2020

Current machine learning approaches for network-based intrusion detection do not cope with new network traffic behavior, which requires periodic, computationally expensive and time-consuming model updates. This paper proposes a novel stream learning intrusion detection model that maintains system accuracy, even in the presence of unknown traffic behavior. It also facilitates the process of updating the model, gradually incorporating new knowledge into the machine learning model. Our experiments were performed using a recent realistic dataset of network behaviors, and they have shown that the proposed technique detects potentially unreliable classifications. Moreover, the proposed model can incorporate new network traffic behavior from model updates to improve the system accuracy while maintaining its reliability.

A multi-domain role activation model

2017 IEEE International Conference on Communications (ICC), 2017

Organizations establish partnerships in order to achieve a strategic goal. In many cases, resources in a given organization are accessed from external domains, characterizing multi-domain operations. This paper presents an approach to perform role activation in multi-domain environments. The active roles are imported into other domains from a user's home domain. Thus, a Single Role Activation (SRA) is performed, similarly to Single Sign-On (SSO) authentication. The administrative autonomy to define each role's permissions is kept within each local domain. We evaluated the proposal by implementing a prototype to provide support for SRA, based on RESTful web services and standardized specifications such as XACML and OpenID Connect. The prototype evaluation measured response time for simultaneous access requests, with SRA showing better results when compared to traditional role activation. Furthermore, from a security perspective, the proposal is about 15 times faster than traditional approaches.

Identity and Access Management for IoT Devices in the Smart Grid (Gestão de Identidade e Acesso para dispositivos IoT na Smart Grid)

Anais do XXI Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2021), 2021

Smart grids (SG) are composed of Internet of Things (IoT) devices whose computational constraints prevent the adoption of traditional communication and security protocols. This work therefore proposes an end-to-end security approach for the communication between SG elements, allowing an authenticated user to transport credentials obtained on the Internet into the IoT context. The main advantage of this approach is the use of the multicast protocol for communication, without compromising security. Although this proposal provides secure communication, it is not able to provide fine-grained access control over protected IoT resources. Thus, we propose a lightweight two-step access control to provide role-based authorization in the IoT context. The prototype evaluation showed it to be more efficient and flexible than the works found in the literature.

Enhancing service maintainability by monitoring and auditing SLA in cloud computing

Cluster Computing, 2020

Enforcing Service Level Agreements (SLA) on service provisioning is a challenge in cloud computing environments. This paper proposes an architecture for multiparty (provider and client) auditing in cloud computing to identify SLA deviations. The architecture uses inspectors (software agents) and an independent auditor (third party) to collect SLA metrics from these parties. Privacy is preserved by applying separation of duties to all associated entities (inspectors and auditors). Additionally, service computing surges are automatically detected and handled using machine learning, avoiding performance bottlenecks and misinterpretation of measured SLA items. Thus, this paper improves service maintainability by avoiding service design changes when the service faces performance issues.

BigFlow: Real-time and reliable anomaly-based intrusion detection for high-speed networks

Future Generation Computer Systems, 2018

Existing machine learning solutions for network-based intrusion detection cannot maintain their reliability over time when facing high-speed networks and evolving attacks. In this paper, we propose BigFlow, an approach capable of processing evolving network traffic while being scalable to large packet rates. BigFlow employs a verification method that checks whether the classifier outcome is valid in order to provide reliability. If a suspicious packet is found, an expert may help BigFlow to incrementally change the classification model. Experiments with BigFlow, over a network traffic dataset spanning a full year, demonstrate that it can maintain high accuracy over time. It requires as little as 4% of the storage and between 0.05% and 4% of the training time, compared with other approaches. BigFlow is scalable, coping with a 10-Gbps network bandwidth on a 40-core commodity-hardware cluster.

Managing distributed UCONabc policies with authorization assertions and policy templates

2015 IEEE Symposium on Computers and Communication (ISCC), 2015

Managing UCONABC policies in modern distributed computing systems is a challenge for traditional approaches. The provisioning model has trouble keeping track of and synchronizing large numbers of distributed policies, while the outsourcing model may suffer from network overhead and a single point of failure. This paper describes an approach to manage distributed UCONABC policies, derived from the combination of authorization assertions and policy templates. It combines the benefits of provisioning and outsourcing, eliminating their respective drawbacks. Prototyping details and a performance evaluation are shown: messages are 42.7% smaller than with provisioning, and response times are faster than with outsourcing.

A Usage Control Platform Based on Rule Templates and Authorization Credentials

2015 XXXIII Brazilian Symposium on Computer Networks and Distributed Systems, 2015

The popularization of PaaS environments presents challenges to traditional authorization models for controlling resource usage. This article describes a hybrid authorization model suitable for PaaS environments, using rule templates, authorization credentials and local derivation of individual policies. In addition, we present the usage control mechanisms that eliminate the main disadvantages of policy models based on provisioning and outsourcing. The work also shows the technical details of the implementation of a prototype along with its performance evaluation results.

A UCONabc Resilient Authorization Evaluation for Cloud Computing

Journal of Parallel and Distributed Computing

The business-driven access control used in cloud computing is not well suited for tracking fine-grained user service consumption. UCONABC applies continuous authorization reevaluation, which requires usage accounting that enables fine-grained access control for cloud computing. However, it was not designed to work in distributed and dynamic authorization environments like those present in cloud computing. During a continuous (periodic) reevaluation, an authorization exception condition, namely a disparity between usage accounting and authorization attributes, may occur. This proposal aims to provide resilience to the UCONABC continuous authorization reevaluation by dealing with individual exception conditions while maintaining suitable access control in the cloud environment. The experiments made with a proof-of-concept prototype show a set of measurements for an application scenario (e-commerce) and allow for the identification of exception conditions in the authorization reevaluation.

A management service for P2P content over MANets

A mobile ad hoc network (MANet) is a flexible way to interconnect mobile devices. Peer-to-peer (P2P) networks are serverless self-organized infrastructures that enable end-to-end communications. The P2P churn and the instability of MANET interconnections bring important challenges to P2P over MANETs (PoM). A consumer peer in PoM wastes several of its scarce resources managing the communication with the peer that provides content. Our proposal aims at reducing the consumer peer's control over the communication so as to avoid unnecessary consumption of its resources. A virtual content provider is used for this purpose, and a prototype was implemented in order to show the feasibility of the proposal.

A Public Keys Based Architecture for P2P Identification, Content Authenticity and Reputation

2009 International Conference on Advanced Information Networking and Applications Workshops, 2009

In the classic use of P2P, e.g. file sharing, there is no concern about persistent peer identification, peer and content reputation, or content authenticity. Security proposals currently found in the technical literature try to adapt techniques from the client-server architecture to P2P environments, which is not the most appropriate approach. This work proposes applying public keys to identify peers. It allows creating a persistent identification scheme, without losing anonymity, even in a self-managed environment such as P2P. It also applies digital signatures to provide authenticity to the P2P content and to guarantee non-repudiation in the content transfer. In order to provide credibility to non-certified content and public keys, a reputation mechanism is applied. We have developed a prototype to show the benefits of this approach.

SP2MS: A MANet-Based P2P Service

2010 IEEE 24th International Conference on Advanced Information Networking and Applications Workshops, 2010

Applications using P2P as an overlay network in a MANet (P2M) are very unstable in terms of MANet interconnections and P2P churn. MANet-based P2P applications usually create a considerable overhead on the P2P consumer due to the control of the end-to-end communication with the peer that provides the shared content. Moreover, traditional P2P networks offer polluted content, wasting the device's scarce resources. This paper proposes a service that minimizes the P2M environment instabilities for mobile devices and reduces the probability of downloading corrupt content. A prototype was developed to show that SP2MS can be easily integrated into the traditional P2P infrastructure.

Distributed Usage Control Architecture for Business Coalitions

2009 IEEE International Conference on Communications, 2009

The dynamic environment of a Business Coalition (BC) requires a flexible access control approach to deal with user management and policy writing. However, the traditional approach applied to BC places a burden on access control, mainly on the service provider, thus requiring ad hoc schemes to mitigate the lack of controls developed for BC needs. We present a brokered access control architecture, based on UCONABC, to obtain integrated usage control management for BC. The broker intermediates contract establishment between service provider and consumer, and derives from it the policies to regulate usage at the service level. The consumer defines user-level policies to control the usage of the contracted services. We developed a web services based prototype to evaluate the feasibility of our proposal. The proposed architecture enables distribution of duties and integration of usage control management in a loosely coupled fashion, providing the flexibility desired in BC environments.

Research paper thumbnail of Using Huffman Trees in Features Selection to Enhance Performance in Spam Detection

Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)

Spam detection is very costly when compared to the simple task of spreading spam. Most approaches... more Spam detection is very costly when compared to the simple task of spreading spam. Most approaches aim to reach higher accuracy percentages, leaving the classification performance in background, what may cause many problems, such as bottlenecks in the e-mail system, huge infrastructure investments and waste of resources pooling. To avoid these problems, this paper proposes a hierarchical spam features organization using Huffman Trees, where the most important features stay closer to the root. With the reduction of these trees (leaves pruning) the feature space is significantly reduced, speeding up the e-mail classification process. The experiments showed a performance 60 times faster when compared to Spam Assassin.

Research paper thumbnail of A Multi-View Intrusion Detection Model for Reliable and Autonomous Model Updates

ICC 2021 - IEEE International Conference on Communications

Changes in network traffic behavior over time are neglected by authors who use machine learning t... more Changes in network traffic behavior over time are neglected by authors who use machine learning techniques applied to intrusion detection. In general, it is assumed that periodic model updates are performed, regardless of the challenges related to such a task. This paper proposes a new multi-view intrusion detection model capable of reliably performing model updates without human assistance while also maintaining its accuracy over time. The proposal evaluates the classification's confidence values in a multi-view configuration to maintain its reliability over time, even without model updates. Besides, it is able to perform model updates autonomously, according to the result of the multi-view classification. Our experiments, performed with 7TB of real network traffic over a 2-year interval, show that our proposed scheme can maintain its accuracy over time without model updates, rejecting only 14.2% of its classification. However, when autonomous model updates are performed, the rejection rate drops to just 8.8%, while also improving the model's accuracy by 4.3%.

Research paper thumbnail of A motion-based approach for real-time detection of pornographic content in videos

Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing

Research paper thumbnail of A Host-based Intrusion Detection Model Based on OS Diversity for SCADA

IECON 2020 The 46th Annual Conference of the IEEE Industrial Electronics Society, 2020

Research paper thumbnail of Improving Intrusion Detection Confidence Through a Moving Target Defense Strategy

2021 IEEE Global Communications Conference (GLOBECOM), 2021

Despite the promising results reported in the literature, the intrusion detection schemes cannot ... more Despite the promising results reported in the literature, the intrusion detection schemes cannot deal with new network traffic behaviors making such proposals unfeasible to be deployed in production environments. This paper presents an intrusion detection model that relies on a moving target defense strategy to face new network traffic behavior in a two stage process. First, the system select the most suitable classifiers set to assign a class (normal or attack) according to the current event behavior. Second, we evaluate if the performed classification is reliable by validating its confidence values. The goal is to ensure that only the higher confident classifications from the most suitable classifiers are used to trigger intrusion detection alerts, keeping the system reliable over time. Experiments performed on a dataset that spans over 97GB of data with seven categories of network traffic shows that current machine learning techniques cannot cope with novel traffic behavior, failing to detect up to four new traffic categories. In contrast, the proposed model can select the most confident classifiers, reducing the average false-negative rates by up to 39%, regardless of the current network traffic category.

Research paper thumbnail of Identity and Access Management for IoT in Smart Grid

Advanced Information Networking and Applications, 2020

A smart grid (SG) is a complex system that comprises distributed servers and Internet-of-Things (... more A smart grid (SG) is a complex system that comprises distributed servers and Internet-of-Things (IoT) devices. IoT devices are resource-constrained and are unable to cope with traditional communication and security protocols. In light of this limitation, this work proposes a novel method for end-to-end secure communication between the elements in the SG. Our proposal enables an authenticated user to transport her Internet credentials to the IoT context. We provide high efficiency in the message exchanges by adopting multicast communication without compromising the SG security. However, even though this process provides secure communication, it cannot enforce fine-grained access control over protected resources. Therefore, we propose a new two-step lightweight access control mechanism that leverages the established configuration to provide role-based authorization in the IoT context. The prototype evaluation shows that our proposal is more flexible, demanding less manual configuration, while also requires only 23% of message exchanges compared to other approaches in the literature.

Research paper thumbnail of Applied Soft Computing

j ourna l ho mepage: www.elsevier.com/locate/asoc

Research paper thumbnail of Facing the Unknown: A Stream Learning Intrusion Detection System for Reliable Model Updates

Advanced Information Networking and Applications, 2020

Current machine learning approaches for network-based intrusion detection do not cope with new ne... more Current machine learning approaches for network-based intrusion detection do not cope with new network traffic behavior, which requires periodic computationally and time-consuming model updates. This paper proposes a novel stream learning intrusion detection model that maintains system accuracy, even in the presence of unknown traffic behavior. It also facilitates the process of updating the model, gradually incorporating new knowledge into the machine learning model. Our experiments were performed using a recent realistic dataset of network behaviors and they have shown that the proposed technique detects potentially unreliable classifications. Moreover, the proposed model can incorporate the new network traffic behavior from model updates to improve the system accuracy while maintaining its reliability.

Research paper thumbnail of A multi-domain role activation model

2017 IEEE International Conference on Communications (ICC), 2017

Organizations establish partnerships in order to achieve a strategic goal. In many cases, resourc... more Organizations establish partnerships in order to achieve a strategic goal. In many cases, resources in a given organization are accessed from external domains, characterizing multi-domain operations. This paper presents an approach to perform role activation in multi-domain environments. The active roles are imported in other domains from a user's home domain. Thus, a Single Role Activation (SRA) is performed, similarly to Single Sign-On (SSO) authentication. The administrative autonomy to define each role permission is kept within each local domain. We evaluated the proposal by implementing a prototype to provide support for SRA, based on RESTful web services and standardized specifications such as XACML and OpenID Connect. The prototype evaluation measured response time for simultaneous access requests, with SRA showing better results when compared to traditional role activation. Furthermore, from a security perspective, the proposal is about 15 times faster than traditional approaches.

Research paper thumbnail of Abstract — Applications using P2P as an Overlay network in MANet (P2M) are very unstable in terms of MANet

Applications using P2P as an Overlay network in MANet (P2M) are very unstable in terms of MANet i... more Applications using P2P as an Overlay network in MANet (P2M) are very unstable in terms of MANet interconnections and P2P churn. MANet-based P2P applications usually create a considerable overhead on the P2P consumer due to the control of the end-to-end communication with the peer that provides the shared content. Moreover, traditional P2P networks offer polluted contents wasting the device ́s scarce resources. This paper proposes a service that minimizes the P2M environment instabilities for mobile devices and reduces the probability of downloading corrupt contents. A prototype was developed to show that SP2MS can be easily integrated into the traditional P2P infrastructure. Index Terms — Mobile Ad Hoc Network; Peer-to-Peer; P2P Content

Research paper thumbnail of Gestão de Identidade e Acesso para dispositivos IoT na Smart Grid

Anais do XXI Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2021), 2021

Redes elétricas inteligentes (SG, Smart Grid) são compostas por dispositivos da internet das cois... more Redes elétricas inteligentes (SG, Smart Grid) são compostas por dispositivos da internet das coisas (IoT, Internet of Things) que possuem restrições computacionais que impedem a adoção de protocolos tradicionais de comunicação e segurança. Assim, esse trabalho propõem uma abordagem de segurança fim-a-fim na comunicação entre os elementos da SG, permitindo que um usuário autenticado transporte suas credenciais obtidas na Internet para o contexto de IoT. Essa abordagem tem como principal vantagem a utilização do protocolo multicast na comunicação, sem comprometer a segurança. Apesar dessa proposta prover segurança na comunicação, não é capaz de prover controle fino no acesso aos recursos protegidos da IoT. Dessa maneira, propomos um controle de acesso leve baseado em duas etapas baseado para prover autorizações baseadas em papéis no contexto da IoT. A avaliação do protótipo mostrou-se mais eficiente e flexível do que os trabalhos encontrados na literatura.

Research paper thumbnail of Enhancing service maintainability by monitoring and auditing SLA in cloud computing

Cluster Computing, 2020

Enforcing Service Level Agreements (SLA) on service provisioning is a challenge in cloud computin... more Enforcing Service Level Agreements (SLA) on service provisioning is a challenge in cloud computing environments. This paper proposes an architecture for multiparty (provider and client) auditing in cloud computing to identify SLA deviations. The architecture uses inspectors (software agents) and an independent auditor (third party) to collect SLA metrics from these parties. Privacy is preserved by using the separation of duties for all associated entities (inspectors and auditors). Additionally, service computing surges are automatically detected and handled using machine learning, avoiding performance bottlenecks and misinterpretation of measured SLA items. Thus, this paper improves service maintainability by avoiding service design changes when the service faces performance issues.

Research paper thumbnail of BigFlow: Real-time and reliable anomaly-based intrusion detection for high-speed networks

Future Generation Computer Systems, 2018

Existing machine learning solutions for networkbased intrusion detection cannot maintain their re... more Existing machine learning solutions for networkbased intrusion detection cannot maintain their reliability over time when facing high-speed networks and evolving attacks. In this paper, we propose BigFlow, an approach capable of processing evolving network traffic while being scalable to large packet rates. BigFlow employs a verification method that checks if the classifier outcome is valid in order to provide reliability. If a suspicious packet is found, an expert may help BigFlow to incrementally change the classification model. Experiments with BigFlow, over a network traffic dataset spanning a full year, demonstrate that it can maintain high accuracy over time. It requires as little as 4% of storage and between 0.05% and 4% of training time, compared with other approaches. BigFlow is scalable, coping with a 10-Gbps network bandwidth in a 40-core cluster commodity hardware.

Managing distributed UCONabc policies with authorization assertions and policy templates

2015 IEEE Symposium on Computers and Communication (ISCC), 2015

Managing UCONABC policies in modern distributed computing systems is a challenge for traditional approaches. The provisioning model has trouble keeping track of and synchronizing large numbers of distributed policies, while the outsourcing model may suffer from network overhead and a single point of failure. This paper describes an approach to manage distributed UCONABC policies, derived from the combination of authorization assertions and policy templates. It combines the benefits of provisioning and outsourcing, eliminating their respective drawbacks. Prototyping details and performance evaluation are shown: messages are 42.7% smaller than with provisioning, and response times are faster than with outsourcing.

A Usage Control Platform Based on Rule Templates and Authorization Credentials

2015 XXXIII Brazilian Symposium on Computer Networks and Distributed Systems, 2015

The popularization of PaaS environments presents challenges to traditional authorization models for controlling resource usage. This article describes a hybrid authorization model suitable for PaaS environments, using rule templates, authorization credentials and local derivation of individual policies. In addition, we present the usage control mechanisms that eliminate the main disadvantages of policy models based on provisioning and outsourcing. The work also shows the technical details of the implementation of a prototype with its performance evaluation results.

A UCONabc Resilient Authorization Evaluation for Cloud Computing

Journal of Parallel and Distributed Computing

The business-driven access control used in cloud computing is not well suited for tracking fine-grained user service consumption. UCONABC applies continuous authorization reevaluation, which requires usage accounting that enables fine-grained access control for cloud computing. However, it was not designed to work in distributed and dynamic authorization environments like those present in cloud computing. During a continuous (periodical) reevaluation, an authorization exception condition, i.e. a disparity between usage accounting and authorization attributes, may occur. This proposal aims to provide resilience to the UCONABC continuous authorization reevaluation by dealing with individual exception conditions while maintaining suitable access control in the cloud environment. The experiments made with a proof-of-concept prototype show a set of measurements for an application scenario (e-commerce) and allow for the identification of exception conditions in the authorization reevaluation.

A management service for P2P content over MANets

A mobile ad hoc network (MANet) is a flexible way to interconnect mobile devices. Peer-to-peer (P2P) networks are serverless self-organized infrastructures that enable end-to-end communications. The P2P churn and the instabilities of MANet interconnections bring important challenges to P2P over MANets (PoM). A consumer peer in PoM wastes several of its scarce resources managing the communication with the peer that provides content. Our proposal aims at reducing the consumer peer's control over the communication so as to avoid unnecessary consumption of its resources. A virtual content provider is used for this purpose, and a prototype was implemented to show the feasibility of the proposal.

A Public Keys Based Architecture for P2P Identification, Content Authenticity and Reputation

2009 International Conference on Advanced Information Networking and Applications Workshops, 2009

In the classic use of P2P, e.g. file sharing, there is no concern about persistent peer identification, peer and content reputation, or content authenticity. Security proposals currently found in the technical literature try to adapt techniques from client-server architectures to P2P environments, which is not the most appropriate approach. This work proposes applying public keys to identify peers. It allows creating a persistent identification scheme without losing anonymity, even in a self-managed environment such as P2P. It also applies digital signatures to provide authenticity to the P2P content and to guarantee non-repudiation in the content transfer. In order to provide credibility to non-certified content and public keys, a reputation mechanism is applied. We have developed a prototype to show the benefits of this approach.

SP2MS: A MANet-Based P2P Service

2010 IEEE 24th International Conference on Advanced Information Networking and Applications Workshops, 2010

Applications using P2P as an overlay network in MANet (P2M) are very unstable in terms of MANet interconnections and P2P churn. MANet-based P2P applications usually create a considerable overhead on the P2P consumer due to the control of the end-to-end communication with the peer that provides the shared content. Moreover, traditional P2P networks offer polluted content, wasting the device's scarce resources. This paper proposes a service that minimizes the P2M environment instabilities for mobile devices and reduces the probability of downloading corrupt content. A prototype was developed to show that SP2MS can be easily integrated into the traditional P2P infrastructure.

Distributed Usage Control Architecture for Business Coalitions

2009 IEEE International Conference on Communications, 2009

The dynamic environment of Business Coalition (BC) requires a flexible access control approach to deal with user management and policy writing. However, the traditional approach applied to BC turns access control into a burden, mainly for the service provider, thus requiring ad hoc schemes to mitigate the lack of controls developed for BC needs. We present a brokered access control architecture, based on UCONABC, to obtain an integrated usage control management for BC. The broker intermediates contract establishment between service provider and consumer, and derives from it the policies to regulate the usage at service level. The consumer defines user-level policies to control the usage of the contracted services. We developed a web-services-based prototype to evaluate the feasibility of our proposal. The proposed architecture enables distribution of duties and integration of usage control management in a loosely coupled fashion, providing the flexibility desired in BC environments.