Accountability using flow-net: design, implementation, and performance evaluation



SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2012; 5:29–49

Published online 16 June 2011 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.348

SPECIAL ISSUE PAPER

Accountability using flow‐net: design, implementation, and performance evaluation

Yang Xiao*, Ke Meng and Daisuke Takahashi

Department of Computer Science, The University of Alabama, Tuscaloosa, AL 35487–0290, U.S.A.

ABSTRACT

Accountability is a very important topic for computer and networking systems. It helps to answer questions such as, “What happened?” and, “Who did it?” These two questions are also related to forensics; however, forensics normally tries to answer these questions by adding some human factors (such as a guess or an instinct due to missing evidence, as well as human involvements) under the available system. Accountability, on the other hand, can only be achieved by significantly improving the current system with the result that forensics becomes trivial in an accountable system. Furthermore, each entity in the system must be held responsible for its activities. In order to provide accountability, a better logging system is necessary so that not only their activities but also their relationships may be captured. To this end, our previous work proposed a novel logging mechanism, flow‐net methodology, for accountability. In this paper, we extend the flow‐net methodology and present its design and implementation in wireless networks. We also evaluate the performance of flow‐net and compare it with that of audit log files. Copyright © 2011 John Wiley & Sons, Ltd.

KEYWORDS

accountability; logging; trace; media access control (MAC); routing; wireless networks

*Correspondence

Yang Xiao, Department of Computer Science, The University of Alabama, 101 Houser Hall, PO Box 870290, Tuscaloosa, AL 35487–0290, U.S.A.
E‐mail: [email protected]

1. INTRODUCTION

Accountability implies that an entity should be held responsible for its specific actions or behaviors so that the entity is part of a larger chain of accountability [1]. One of the goals of accountability is that, once an event has transpired, the events that took place may be traceable and thus the event’s causes may be determined afterward [1]. The poor accountability provided by today’s computers and networks wastes a great deal of money and effort (e.g., determining whether a system is under reconnaissance or attack, or difficulties of distinguishing legitimate e‐mails from phishing attacks). This is due to the simple fact that today’s computing and network infrastructure has not been built with accountability in mind [1].

Typically, there are two complementary classes of approaches for network security: prevention‐based approaches and detection‐based approaches [2]. Prevention‐based techniques, such as authentication and encryption, can effectively reduce attacks by ensuring that users conform to predefined security policies. Prevention‐based techniques can keep most illegitimate users from entering the system. However, security research indicates that there are always some weak points that are hard to predict in the system [2]. To solve these problems, detection‐based approaches, such as virus detection and intrusion detection systems (which serve as the second wall of protection), could effectively help identify malicious activities. However, neither prevention‐based approaches nor detection‐based approaches can track what happens afterward (i.e., traceability).

Accountability plays a crucial role in information assurance systems. To achieve accountability, many fields (such as hardware, operating systems, programming language, software, networking, applications, and security) are involved. Most of the existing research has focused on E‐commerce accountability [3,4], web access accountability [5,6], programming accountability [7,8], digital rights management [9,10], audit trail [11,12], and so forth. For web accountability, it is possible to associate individuals with actions on web‐based objects and services. For programming accountability, specific flows caused by particular program invocations can be known and limited to a particular flow policy. For digital rights management, data is packaged for access controls in remote platforms. To provide accountability in information assurance, it may be necessary to track who has read or written a particular file or a piece of the file, the sources of the file or a piece of the file, and compromised material in the file if there is a malicious insider. Sources of information, such as messages, reports, images, videos, articles, and so forth, are particularly useful when identifying all the contributors in accountable systems. An audit trail may be needed to record all of these sources. However, current techniques [3–12] still cannot provide true accountability, as evidenced by the fact that current computer systems and networks have not provided much assistance in tracking actual information flows or enforcing information flow policies. Furthermore, most research efforts in wired/wireless networks have focused on prevention‐based and detection‐based security, whereas less effort has been made regarding accountability.

In our previous paper [1], we proposed a novel accountable logging mechanism, called flow‐net methodology. However, neither implementation nor comprehensive evaluation was provided in http://en.wikipedia.org/wiki/Promiscuous_mode. In this paper, we extend the flow‐net methodology and present its design and implementation in wireless networks. We also evaluate the performance of flow‐net and compare it with that of audit log files. Note that a short version of this paper was presented at a conference [14]. Our other related work includes temporal accountability [15], accountability for wireless networks [16], logging [17], accountability in smart grids [18], and quantitative study of accountability [19–21]. There is also much related work in network security [22–154].

The new contributions from this paper include the following: we propose that accountability should be implemented in all layers of the networking stack; we elaborate upon several aspects of the flow‐net methodology, including compression techniques and multi‐level resolution of flow‐net; we implement a prototype of flow‐net in wireless local area networks (WLAN), and we describe our implementation; and we provide a comprehensive evaluation and comparison of flow‐net and logging files.

The rest of the paper is organized as follows: in Section 2, we propose that accountability should be implemented in all layers of the networking stack; in Section 3, we elaborate upon several aspects of the flow‐net methodology, including compression and multi‐level resolution; in Section 4, we describe our prototype, a simplified implementation of flow‐net; in Section 5, we present performance evaluation; finally, we conclude our paper in Section 6.

2. ACCOUNTABILITY IN ALL LAYERS

A network consists of many computers/devices as well as other transmission media; therefore, both computers/devices and transmission media should be accountable in order to achieve true accountability. We refer to the above as device accountability and media accountability, as shown in Figure 1, respectively. In this project, we focus on the device’s network accountability and media accountability.

A network adopts a layered approach. Most networks adopt five layers, whereas some adopt fewer layers. We believe that accountability should be implemented in every layer of a device’s protocol stack and, in each transmission media/channel, both hop‐to‐hop and end‐to‐end. The rationale behind this is similar to that of network security, in which security should be placed in every layer of the protocol stack, both hop‐to‐hop and end‐to‐end. Therefore, we should have physical layer accountability, media access control (MAC) layer accountability (part of the data link layer accountability), IP layer accountability, transmission control protocol/user datagram protocol (TCP/UDP) layer accountability, application layer accountability, hop‐to‐hop accountability, end‐to‐end accountability, and transmission media accountability. It is not possible to achieve total accountability until accountability at all layers is achieved. Meanwhile, network accountability must cooperate with computer accountability (including operating system accountability, etc.) to achieve true overall accountability, as shown in Figure 1.

3. FLOW‐NET METHODOLOGY

3.1. Introduction of flow‐net methodology

In [1], we proposed a flow‐net methodology for efficient tracing as follows: (i) is convenient to use; (ii) is complete in terms of information; (iii) maintains full relationships among different layers; and (iv) is consistent over different systems. A flow for a particular entity is the entity’s event list with timestamps, and each entity in a system has a flow. An interconnection of two flows at a given time means that something occurs at that time and that it involves both entities. These flows (event lists) interconnect with each other via timestamps. These interconnected flows form a net over time because they interconnect; therefore, we call it a flow‐net.

Let us use the example of IEEE 802.11 MAC as follows. Figure 2(a) shows a flow‐net for fragmentation transmissions between stations A and B, and Figure 2(b) shows a flow‐net for the point coordination function (PCF) period between the access point (AP) and station A. To conveniently represent the events of starting and ending transmitting/receiving a frame/packet, we use duration to show two events as one event. For example, in Figure 2(a), an event of station A transmitting a fragment during [T1, T3] is a simplified version of two events of station A: starting to transmit the fragment at time T1 and ending the transmission at time T3. This simplifies flow‐net when applied to networking. Figure 2(a) has a total of six entities: station A, station B, fragment 0, fragment 1, and two ACK frames. Event lists of entities are called flows. Their corresponding flows are flow A, flow B, flow F0, flow F1, and two ACK flows.

Figure 1. A network device’s accountability.

Figure 2. (a) A flow‐net for fragmentation transmissions between stations A and B (F0, fragment 0; F1, fragment 1); (b) a flow‐net for the point coordination function period among access points (AP) and station A (broadcasting frames such as beacon and Contention‐Free End (CF‐End) are drawn differently). ACK, acknowledgement.

3.2. Multi‐resolution and multi‐level

Although this paper focuses primarily on medium access accountability (MAA), our goal is to apply these ideas into more general wired/wireless networking scenarios, including multiple layers of application, TCP/UDP, IP, MAC, and PHY. Our long‐term goal is to achieve truly accountable computer and network systems. To the best of our knowledge, our proposed research is the first work to study accountability at the MAC layer [1]. However, our work is not limited to MAA, and our proposed work may have significant impacts on other networks/systems.

Figure 3 shows a multi‐level and multi‐resolution approach. In Figure 3, an upper‐layer (or the lower‐level) event is related to multiple lower‐layer (or the higher‐level) events. For example, the application layer event “sending a message” will involve multiple events at the TCP layer (e.g., “set up a TCP socket,” “divide the message into multiple segments,” “transmit each segment,” “TCP acknowledgement,” etc.). On the other hand, an event in the TCP layer involves multiple events in IP layer. Within each level, events form a flow‐net. From Figure 3, we see that the sub‐layer events related to an event in the top layer form a tree structure; such a tree structure can be saved as a record in the top layer by using indexing and compression techniques. Similar to the multi‐resolution video, we can see an upper event, and, if we are particularly interested in an event, we can examine the details of this event by looking at its related sub‐layer events (i.e., the sub‐tree of the event). In other words, a higher layer sub‐tree is stored into a tree‐structure in a lower layer node. Such a data structure is a real‐time 3D multi‐level flow‐net, which we introduced previously.

3.3. Compression of flow‐net

Figure 3. Multi‐level and multi‐resolution (layers). IP, Internet protocol; MAC, media access control; PHY, physical; TCP, transmission control protocol.

We propose compression of flow‐nets in which some repetitive patterns exist to reduce overhead. A common example is beacon compression, as shown in Figures 4(a)–(c), which normally happens when there is no activity in the WLAN for a long period. Another example, DATA compression, is shown in Figures 4(d–f). Both Figure 4(c) and Figure 4(f) compress more than Figure 4(b) and Figure 4(e), respectively. Other examples include request‐to‐send/clear‐to‐send DATA compression, PCF‐polling compression, and so forth. Of course, the complexity of the language used for representing repetitive patterns may increase as the trade‐off. Furthermore, compression may cause the handling of multi‐level flow‐nets (3D) to become more complex.
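The beacon and DATA compression records described above, as an added example that is not code from the paper or its prototype: runs of a repeated pattern are folded into `(code, count, timestamps…)` records and unfolded again without losing any timestamp. The codes C1 and C4 come from the Figure 4 caption; the event representation and the timestamp layout (one time per beacon, start and end times for each DATA and ACK frame) are assumptions made for this example.

```python
# Added example: lossless folding of repetitive flow events into
# (code, count, timestamps...) records. Layout below is an assumption.
# Pattern table: code -> (event kinds in one repetition,
#                         number of timestamps recorded per event).
PATTERNS = {
    "C1": (("BEACON",), 1),        # beacon compression: one time per beacon
    "C4": (("DATA", "ACK"), 2),    # DATA compression: [start, end] per frame
}


def _count_repeats(flow, start, kinds, width):
    """Count back-to-back repetitions of `kinds` beginning at flow[start]."""
    n, i = 0, start
    while i + len(kinds) <= len(flow):
        unit = flow[i:i + len(kinds)]
        if any(kind != want or len(times) != width
               for (kind, times), want in zip(unit, kinds)):
            break
        n += 1
        i += len(kinds)
    return n


def compress(flow, min_repeats=2):
    """flow: time-ordered list of (kind, times) events.
    Returns raw events mixed with (code, n, *timestamps) records."""
    out, i = [], 0
    while i < len(flow):
        for code, (kinds, width) in PATTERNS.items():
            n = _count_repeats(flow, i, kinds, width)
            if n >= min_repeats:
                span = flow[i:i + n * len(kinds)]
                out.append((code, n, *[t for _, times in span for t in times]))
                i += len(span)
                break
        else:
            out.append(flow[i])    # not part of a run: keep the raw event
            i += 1
    return out


def decompress(records):
    """Inverse of compress(); rejects records whose timestamp count is wrong,
    since a silently truncated record would destroy evidence."""
    flow = []
    for rec in records:
        if rec[0] not in PATTERNS:
            flow.append(rec)
            continue
        code, n, *times = rec
        kinds, width = PATTERNS[code]
        if len(times) != n * len(kinds) * width:
            raise ValueError(f"{code}: expected {n * len(kinds) * width} "
                             f"timestamps, got {len(times)}")
        it = iter(times)
        for _ in range(n):
            for kind in kinds:
                flow.append((kind, tuple(next(it) for _ in range(width))))
    return flow


# Constructed sample (times in microseconds): an idle WLAN, a short exchange,
# one more beacon, and a DATA frame whose ACK was never seen.
SAMPLE_FLOW = (
    [("BEACON", (t,)) for t in (0, 102400, 204800, 307200, 409600)]
    + [("DATA", (450000, 450300)), ("ACK", (450310, 450350)),
       ("DATA", (451000, 451300)), ("ACK", (451310, 451350)),
       ("BEACON", (512000,)),
       ("DATA", (520000, 520300))]
)

if __name__ == "__main__":
    for record in compress(SAMPLE_FLOW):
        print(record)
```

The unacknowledged DATA frame and the single beacon stay as raw events, so an anomaly is never hidden inside a compressed run.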

4. SIMPLIFIED IMPLEMENTATION—A PROTOTYPE

We have implemented the flow‐net method for WLAN and a small ad hoc network based on WLAN. During the implementation, some aspects of the flow‐net method were simplified and re‐designed. For example, the flow‐net method should be built into each protocol layer, but, in order to simplify the implementation and for demonstration purposes, we implemented it via captured frames. We have called this approach a prototype because a realistic implementation should not be done this way.

4.1. 802.11 MAC layer flow‐net design

Authentication, association, transmitting data, de‐authentication, and disassociation are both the most common actions for the 802.11 wireless devices as well as the necessary components of the WLAN communication. When a station connects to an AP, the first step is an authentication request and an authentication response, followed by an association request and an association response if the authentication succeeds. Data transmissions occur after the authentication and association processes. De‐authentication or disassociation is sent to notify the other wireless devices when the station or the AP wants to terminate the connection. This section will design the flow‐net approach for connection and data transmission at the 802.11 MAC Layer.

4.1.1. Basic flow‐net MAC layer unit

Figure 5 shows the sequence of one integrated process of WLAN connections and data communications. This figure consists of the element frames for a successful communication between the station and the AP. The whole process in the communication period includes the following: establishing a connection, transmitting frames, and disconnecting. However, in complicated wireless networks, the figure only shows the communications during one period between two nodes, and this is called flow‐net MAC layer unit (FMLU).

4.1.2. MAC layer flow‐net

The entire flow‐net comprises numerous FMLUs, and it extends in Figure 5 in both horizontal and vertical directions. The MAC layer flow‐net, which is an upper layer of the FMLU, is composed of the basic FMLUs. As in Figure 6, the MAC layer flow‐net contains more flows that intersect each other by frame transmissions in the FMLUs.

Figure 6 only shows frame transmissions between the flows of two nearby wireless devices. However, in a real flow‐net, the relations among different flows would be more complicated than those shown in Figure 6. Each flow may have several FMLUs (each unit includes the whole association, communication, and disassociation processes) at different times, even in the same period (the AP may communicate with more than one station at a time).

Furthermore, the wireless stations may forward the frames to other stations, requiring more than two hops for the frames in each FMLU to deliver the frames to a destination. For example, in the 802.11 mesh networks [155], the frames sent by one device may be forwarded hop‐by‐hop by mesh points until they reach their destination wireless devices in the network or the mesh portal point for the subsequent delivery through Ethernet. In this way, the FMLUs may extend their span to take up more than two flows, including not only the continuous flows but also the separate ones.

Figure 4. (a–c) Beacon compression, where (C1, 5, T1, T2, T3, T4, T5) stands for five repetitions at times T1, T2, T3, T4, and T5, where C1 represents beacon compression; (d–f) DATA compression, where (C4, 2, T9, …, T16) stands for two repetitions with corresponding T9, …, T16, where C4 stands for DATA compression. AP, access points; ACK, acknowledgement.

Figure 5. Basic flow‐net media access control layer unit.

Figure 6. Media access control (MAC) layer flow‐net.

4.2. Simplified implementation of MAC layer flow‐net

The design of 802.11 MAC layer flow‐net is complicated, on account of the fact that it refers to the hardware, the MAC layer, and even the application layer of the wireless devices. In the ideal MAC layer flow‐net, each device needs to collect the frames’ information, whether it successfully receives or transmits, in order to provide evidence for the wireless accountability. The devices may still need to send the message to a processing server for handling the frames’ information, managing the database, and updating the flow‐net.

4.2.1. Choosing implementation condition

Part of the flow‐net functions is implemented into the real 802.11 WLAN environments. Firstly, in order to reduce the difficulty of modifying the wireless hardware, the MAC layer, and the application layer, we use the frame information provided by the additional wireless network adapters; these may capture all the wireless frames in the current channel instead of the information from wireless frame transmitting devices. Therefore, the frame information is enough to construct the flow‐net.

The sending step classifies and organizes the captured frames. The frames are sent by different wireless devices, including APs and stations, and they cannot be used until they are pre‐processed. After being handled, the frames are classified according to their sources (senders) and are then sent timestamps to form several link lists. Each frame is one node in the link lists, and each link list is composed of the frames sent by the same source MAC address. The nodes in each link list are ordered by their sending time; the frame link lists are not the flow‐net.

Next, the flow‐net is created from the frame link lists. The frame link lists are organized by the frames lists, whereas the flow‐net is formed by the flows (wireless devices). Each frame has the source MAC address and the destination MAC address. The information needed by the flow‐net may be derived from the analysis of the frame link lists.

The last step is to show the topology of the flow‐net. We use CClientDC class in Microsoft Foundation Classes to show the flow‐net.

4.2.2. Capturing the 802.11 wireless frames

The first step of the flow‐net methodology is to capture the frames from the wireless networks. These wireless adapters, which support promiscuous mode [13], may be used as the sniffers to capture wireless frames from an 802.11 network. We selected the AirPcap USB adapter [156,157], developed by CACE Technologies, as our sniffer adapter. The AirPcap provides the developer’s package, which is needed by the program in order to operate the adapter by calling its application programming interface; this makes it easier to save and handle the captured frames. Another reason for choosing the AirPcap is the wide use of the USB interface. Although the interfaces of most wireless adapters are Cardbus, miniPCI, or PCI, which cannot be used on most computers and especially on desktops, the USB interfaces are supported by most computers, whether desktops or laptops; furthermore, we do not need to select special computers to perform the simplified implementation.

The data fields of the captured frames include the radio header and the WLAN data body. The radio header contains channel frequency, signal strength, noise level, TX power, antenna, and so on. The WLAN data body includes the frame information from the MAC layer to the application layer. The implementation of flow‐net will focus on the analysis of the 802.11 MAC layer. In the next step, we will analyze the frames from the wireless network and classify them in order to form the frame link lists.

4.2.3. Analyzing and classifying the frames

The frames should be analyzed and reclassified after being acquired from the wireless sniffers. The analysis of the frames follows the 802.11 WLAN protocol. The frame type, source MAC address, destination MAC address, transmitting time, and other information may be obtained from the analysis. We skip the detailed process for analyzing the frames and go directly to the topology of the link list structure, which is used to save the information obtained from the frames. The organization of the link list is shown in Figure 7.

4.2.4. Constructing the flow‐net

In order to construct the flow‐net, the frame link lists need to be reanalyzed and rearranged. As mentioned in the previous sections, each frame link list is composed of those frames, which have the same source MAC address. Each node in the frame link list is one frame, of which the source MAC address is from this link list, and the destination MAC address points to another link list. The structure of the node in the frame link lists is the frame structure. The horizontal link list in the flow‐net represents the flow of a wireless device, and each node in the link list is the action of the device. The action is sending frames, including the management frames, control frames, and data frames. As a result, the format of the frame link list needs to be transformed to the format of the flow‐net.

The creation of the flow‐net node is easier. As we know, the MAC layer of the frames includes the source MAC address, the destination MAC address, transmitting time, and so on. The node structure can be formed by extracting the information from the frames. We schedule the nodes in the order of transmitting time in order to construct the horizontal list in flow‐net. The vertical link in flow‐net is more complicated; for each node, the destination MAC address is extracted and then compared with the MAC address in other link lists. If these are equivalent, an arrow will be drawn from the node to the link list.

Figure 7. Organization of the link list.

The real flow‐net is so complex that it includes many kinds of frames, including control frames, management frames, and data frames. In this implementation, the flow‐net is simplified so that only the association request, association response, and data frames are considered. In actuality, the three types of frames may constitute the whole process for the wireless devices. In order to further simplify the implementation, we only showed two communicating devices and the relation frames between the devices each time. This does not mean that our flow‐net implementation only has two devices. The flow‐net in the simplified implementation is composed of a complicated lattice‐like structure. It is difficult to show the flow‐net topology in a two‐dimensional paper. The method that we used shows the device about which we are concerned and the related device that engages in the communication.
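The construction in Sections 4.2.1 to 4.2.4, as an added example that is not the authors' MFC/AirPcap program: captured frames are grouped into per‐source link lists ordered by time, vertical links are drawn to the flow of each destination MAC address, and a two‐device view is derived from the result. The `Frame` fields, the subtype labels, the MAC addresses and the per‐connection summary in `pair_view` are assumptions made for this example.

```python
# Added example: frame link lists -> simplified MAC layer flow-net.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds (assumed unit)
    subtype: str   # assumed labels: "assoc-req", "assoc-resp", "data", ...
    src: str       # source MAC address
    dst: str       # destination MAC address


# The simplification of Section 4.2.4: only these frame types are kept.
KEPT_SUBTYPES = {"assoc-req", "assoc-resp", "data"}


def build_frame_link_lists(frames):
    """One list per source MAC address, ordered by sending time."""
    link_lists = defaultdict(list)
    for frame in frames:
        if frame.subtype in KEPT_SUBTYPES:
            link_lists[frame.src].append(frame)
    for chain in link_lists.values():
        chain.sort(key=lambda f: f.ts)
    return dict(link_lists)


def build_flow_net(link_lists):
    """Horizontal lists are the flows; a vertical arrow (src, node index, dst)
    exists only when the destination MAC has a flow of its own."""
    flows = {mac: list(chain) for mac, chain in link_lists.items()}
    arrows, unlinked = [], []
    for mac, chain in flows.items():
        for idx, frame in enumerate(chain):
            if frame.dst in flows and frame.dst != mac:
                arrows.append((mac, idx, frame.dst))
            else:
                unlinked.append(frame)  # e.g. broadcast or a silent receiver
    return flows, arrows, unlinked


def pair_view(flows, a, b):
    """Frames exchanged between devices a and b, grouped per connection
    period with the data frames of each period collapsed into a count."""
    exchanged = sorted(
        (f for mac in (a, b) for f in flows.get(mac, [])
         if {f.src, f.dst} == {a, b}),
        key=lambda f: f.ts)
    periods = []
    for f in exchanged:
        if f.subtype == "assoc-req":
            periods.append({"start": f.ts, "associated": False, "data_frames": 0})
            continue
        if not periods:  # capture began mid-connection: keep the evidence
            periods.append({"start": None, "associated": False, "data_frames": 0})
        if f.subtype == "assoc-resp":
            periods[-1]["associated"] = True
        else:
            periods[-1]["data_frames"] += 1
    return periods


# Constructed capture, deliberately out of time order, with locally
# administered MAC addresses chosen for illustration.
STA, AP, BCAST = "02:00:00:00:00:0a", "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = [
    Frame(100.0, "assoc-req", STA, AP), Frame(100.1, "assoc-resp", AP, STA),
    Frame(101.0, "data", STA, AP), Frame(100.5, "data", AP, STA),
    Frame(101.5, "data", STA, BCAST), Frame(99.0, "beacon", AP, BCAST),
    Frame(280.0, "assoc-req", STA, AP), Frame(280.1, "assoc-resp", AP, STA),
    Frame(281.0, "data", STA, AP),
]

if __name__ == "__main__":
    flows, arrows, unlinked = build_flow_net(build_frame_link_lists(SAMPLE_FRAMES))
    print(pair_view(flows, STA, AP))
    print(len(arrows), "arrows;", len(unlinked), "frame(s) without a destination flow")
```

Because flows exist only for addresses that were seen transmitting, frames to a broadcast address or to a device that never sends get no arrow; the example returns them separately so they remain part of the record.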

4.2.5. Program interface implementation result

The program is completed by Microsoft Foundation Classes. The frames’ capturing and analyzing tools call for AirPcap application programming interfaces in order to capture the frames in the selected channel; then, the flow‐net topology is constructed according to the aforementioned sections. We skip the detailed program implementation and look at the program interface and simplified implementation results directly.

4.2.5.1. Program interface. Figure 8 shows the main interface for the program.

During the startup process, the program initializes the network card and shows the devices on the interface that are available for the user to select. As we know, the wireless adapters can only work on one channel at one time. When the adapters are scanning the APs, they continually switch channels during the scanning process in order to acquire all the APs at each channel. However, the switching method cannot be used in a frame‐capturing program because the switching process drops most of the frames. As a result, we are only concerned with the frames in one channel; we let the interface provide the option to select the channel number for the frames capturing. In order to capture the frames of all the channels in the future, we will use enough sniffer cards to collect the frames and will then send this binary data to a central server. The central server will be used to process the analysis and construct the flow‐net. In this way, the wireless frames capturing may be distributed to every channel and may be extended over more area. The program also allows the user to select the refresh time, which is used to update the node lists.

Pressing the scan button will start the frame‐capturing process in the selected channel. The message box on the top right will show an error message if the configuration is wrong. Users will still have the choice to save all the captured frames; the format of saved frames is “cap,” which is compatible with “wireshark” (http://www.wireshark.org/) and allows us to conduct analysis with these kinds of tools.

Figure 8. The main interface for the program.

After capturing each wireless frame, the function of frameAnalysis(·) is to parse the MAC layer content quickly. The detailed information for frame type, subtype, destination, and source MAC addresses, BSSID, and receiving time is acquired from the analysis of the captured frames. After the analysis, the search process proceeds in order to insert the frame at the proper position in the frame link lists. The searching of the frame starts from the link list head pointer; it compares the source MAC address and then the destination MAC address. The frames with the same source MAC address form one link list, and each frame is one node in the link list.

During the capturing process, the nodes, including APs and stations, are shown in the table. In order to simplify the link lists, the information of one link list is shown in one row of the table. The content of each row includes the frame type (either an AP or a station), the MAC address, and the length of the link (the number of frames the device sent). Each node contains a vertical link list, which shows the destination of the frames.

4.2.5.2. Showing the flow‐net. The aforementioned section shows the construction of the frame link list. We then select any link list in the table and click the “Show FlowNet” button; the flow‐net that is related to the selected device will then be displayed in a new window, as shown in Figure 9.

Figure 9 shows the composed flow‐net, in which the data frames during each connection period are only shown once. The first row in the figure shows the frames sent from the selected node as Flow1; these are accompanied by the MAC address and the sending time. The second row shows the related node (Flow2) that has communicated with the selected node. The arrows imply the data flow between the selected node and the related node. The data flows with different destination nodes are drawn with different colors. Because of the limitations of the computer screen, we only show the communicated frames during the times of the two connections.

Figure 9. Composed flow‐net.

As shown in Figure 9, the two devices have sent association request and association response at 15:27 in order to establish an association, and they then began to send data (26 frames). At 15:30, the two devices established another connection and transferred 22 frames.
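The frame parsing, link‐list construction and per‐connection summary described in this section can be illustrated with the following added example, which is not the authors' program. It assumes a constructed capture of raw 802.11 MAC headers, that a sender whose MAC address equals the BSSID is an AP, and that each association request opens a new connection period; all function names are hypothetical.

```python
from collections import OrderedDict

MGMT, CTRL, DATA = 0, 1, 2          # 802.11 frame types
ASSOC_REQ, ASSOC_RESP = 0, 1        # management subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def frame_analysis(raw, rx_time):
    """Parse the 24-byte 802.11 MAC header; return None for frames that are filtered out."""
    if len(raw) < 24:
        return None                 # truncated capture or short control frame (ACK, CTS)
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    to_ds, from_ds = raw[1] & 0x1, (raw[1] >> 1) & 0x1
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    if ftype not in (MGMT, DATA):
        return None                 # control and reserved types are not tracked here
    if ftype == MGMT or (not to_ds and not from_ds):
        dst, src, bssid = a1, a2, a3
    elif to_ds and not from_ds:     # station -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:     # AP -> station
        dst, bssid, src = a1, a2, a3
    else:
        return None                 # 4-address frames: multi-hop is out of scope
    return {"time": rx_time, "type": ftype, "subtype": subtype,
            "src": mac(src), "dst": mac(dst), "bssid": mac(bssid)}

def insert_frame(link_lists, frame):
    """File the frame under its source MAC, then under its destination MAC."""
    node = link_lists.setdefault(
        frame["src"], {"role": "station", "frames": [], "by_dst": OrderedDict()})
    if frame["src"] == frame["bssid"]:
        node["role"] = "AP"         # assumption: a sender whose MAC is the BSSID is an AP
    node["frames"].append(frame)
    node["by_dst"].setdefault(frame["dst"], []).append(frame)

def build_link_lists(capture):
    link_lists = OrderedDict()
    for rx_time, raw in capture:
        frame = frame_analysis(raw, rx_time)
        if frame is not None:
            insert_frame(link_lists, frame)
    return link_lists

def node_table(link_lists):
    """One row per link list: (node type, MAC address, number of frames sent)."""
    return [(n["role"], src, len(n["frames"])) for src, n in link_lists.items()]

def compose_flow(link_lists, selected, peer):
    """Merge both directions by time and count data frames once per connection period."""
    empty = {"by_dst": {}}
    sent = link_lists.get(selected, empty)["by_dst"].get(peer, [])
    received = link_lists.get(peer, empty)["by_dst"].get(selected, [])
    periods = []
    for f in sorted(sent + received, key=lambda f: f["time"]):
        if f["type"] == MGMT and f["subtype"] == ASSOC_REQ:
            periods.append({"start": f["time"], "data_frames": 0})
        elif f["type"] == DATA and periods:
            periods[-1]["data_frames"] += 1
    return periods

# --- constructed capture (not real traffic): one station, one AP, two connections ---
STA, AP = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")

def build(ftype, subtype, to_ds, from_ds, a1, a2, a3):
    frame_control = bytes([(subtype << 4) | (ftype << 2), (from_ds << 1) | to_ds])
    return frame_control + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

def sample_capture():
    capture = []
    # receive times are seconds since midnight: 55620 = 15:27:00, 55800 = 15:30:00
    for start, uplink, downlink in ((55620, 3, 2), (55800, 2, 0)):
        capture.append((start, build(MGMT, ASSOC_REQ, 0, 0, AP, STA, AP)))
        capture.append((start + 1, build(MGMT, ASSOC_RESP, 0, 0, STA, AP, AP)))
        t = start + 2
        for _ in range(uplink):
            capture.append((t, build(DATA, 0, 1, 0, AP, STA, AP)))
            t += 1
        for _ in range(downlink):
            capture.append((t, build(DATA, 0, 0, 1, STA, AP, AP)))
            t += 1
    capture.append((55900, b"\xd4\x00\x00\x00" + STA))   # 10-byte ACK: filtered out
    return capture

if __name__ == "__main__":
    lists = build_link_lists(sample_capture())
    print(node_table(lists))
    print(compose_flow(lists, mac(STA), mac(AP)))
```

The dictionary lookups stand in for the linear walk from the link list head pointer that the text describes; the resulting grouping is the same.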

4.2.6. Future improvement

This simplified implementation of flow‐net is based on a simple network, and it filters out many kinds of frames; it cannot capture multiple channels simultaneously, and it is not suited for multi‐hop 802.11 networks. Most importantly, the program only shows the communication of the concerned wireless device, and the program cannot see the whole flow‐net topology. However, the simplified implementation partly constructs a simple flow‐net and proves the idea of this paper.

5. PERFORMANCE EVALUATION

Experiments are conducted for the purpose of studying the performance of flow‐net and comparing it with the log file, where we use Flow‐Net and Log‐File to represent the flow‐net and log file approaches, respectively. We implement the truth finding methodology introduced in [1]. The truth‐finding algorithm [1] is introduced as follows.

Flow‐net truth‐tracking methodology is a way to track the truth: once an event has transpired (such as the leaking of secure information or an outside attack), the events that took place are traceable so that the causes may be determined afterwards [1]. For example, in a computer or network system, if at some point it is already known that the content of a secret file is leaking, we can search partial or entire log files to figure out the reasons of the leaking and to find direct or indirect accesses to the file; because a user who previously accessed the secret may send messages containing the secret to other users (the secret is being leaked because of indirect accesses) via packets in a computer network or via pipe First‐In‐First‐Out (FIFO) message queue in a computer system, it is no trivial task to find the reasons for the leaking. Using audit log files, the relationship among different layers may be lost so that tracing is not possible and so that it is difficult to search audit log files. In the proposed flow‐net truth finding methodology, tracing with truth becomes much easier. For example, as shown in Figure 10, assume that we want to find the truth of whether the information in File B was leaked to Account D between 1:00 AM, 1 July 2007, and 1:00 AM, 2 July 2007 (recorded system time, not searching time). Figure 10 shows that the proposed methods start from the flow of File B and go through the flow‐net along the time in order to search whether it may find an event related to Account D within a 24‐h time period (note that an event has time as a field). The algorithm starts at File B’s flow, and it searches the flow‐net along the increasing time. The searching process is a tree‐searching algorithm, which can be depth‐first or breadth‐first. The worst, best, and average searching time can be easily obtained.

The results of the truth searching in Figure 10 may be as follows: (i) there are two possible paths to have such a leak; or (ii) the best case needs three steps to find a possible path. For example, in one path, Account A accesses File B, and it may be possible to leak the information of File B to Account D. On the other hand, a simple example of the truth finding in Figure 10 is quite difficult to achieve in regular sequential log files.

Our programs actually create a Flow‐Net and a Log‐File, and they run searching algorithms. At this point, a Log‐File is simply a linked list of logged events in chronological order. Two types of searches are conducted: depth‐first based and breadth‐first based. In both cases, searches start at an event where a message/file that contained leaking information (secret) was first listened to/accessed by some station/user, and the searches finish after arriving at an event where information leakage was revealed. Algorithms count the numbers of steps that were taken. In other words, experiments count how many linked events are visited as well as the cost of retrieving a current event from time ordered logged events. Execution of searching (counting) was conducted 1000 times, and the average was calculated from the sum of the 1000 results.

Figure 10. Flow‐net truth finding. [Diagram: flows of File/packet B (source), Entity A, Entity B, Entity C, Entity D (target), and Entity E drawn along time axes and linked by events with two entities. Goal: to find whether or how the information in File/packet B was leaking to entity D. Results: (i) There are two possible paths to have such a leaking. (ii) The best case needs three steps to find a possible path. Legends: Searching Flow; Found and Stop; Start Point.]

Moreover, for both the depth‐first based and breadth‐first based algorithms (readers please refer to [157] for these two algorithms), two types of experiments are conducted. The first experiment compares searching times based on the number of events between the depth‐first‐based and breadth‐first‐based algorithms. In this case, a maximum of 10 distinct subjects and objects show up in the events, where subject and object stand for station/user/account and frame/file, respectively. On the other hand, in the second type of the experiment, the number of events is fixed at 1000, whereas the numbers of subjects and objects are gradually increased.
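The depth‐first truth‐finding search and its step counting can be illustrated with the following added example, which is not the authors' experimental code. It assumes that any later event on the flow of an entity that has touched the secret may carry it onward, and it counts every record examined as one step; the event records and all names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    time: int
    subject: str                      # station / user / account
    obj: str                          # frame / packet / file
    log_index: int = -1               # position in the chronological Log-File
    pos: dict = field(default_factory=dict)   # entity -> index of this event in its flow

    def other(self, entity):
        return self.obj if entity == self.subject else self.subject

def build_log_file(records):
    """Log-File: a single list of events in chronological order."""
    log = [Event(t, s, o) for t, s, o in sorted(records)]
    for i, ev in enumerate(log):
        ev.log_index = i
    return log

def build_flow_net(log):
    """Flow-Net: one time-ordered flow per entity; every event is linked into two flows."""
    flows = {}
    for ev in log:
        for entity in (ev.subject, ev.obj):
            flow = flows.setdefault(entity, [])
            ev.pos[entity] = len(flow)
            flow.append(ev)
    return flows

def truth_find(seq_of, pos_in, source, target, t0, t1):
    """Depth-first search along increasing time; returns (path or None, records examined)."""
    steps = 0
    explored_from = {}                # entity -> lowest position already walked

    def dfs(entity, start, path):
        nonlocal steps
        seq = seq_of(entity)
        stop = explored_from.get(entity, len(seq))
        if start >= stop:
            return None               # this stretch was already walked (also stops cycles)
        explored_from[entity] = start
        for ev in seq[start:stop]:
            if ev.time > t1:
                break                 # past the end of the time window
            steps += 1                # every record examined costs one step
            if ev.time < t0 or entity not in (ev.subject, ev.obj):
                continue              # too early, or (Log-File only) an unrelated record
            nxt = ev.other(entity)
            if nxt == target:
                return path + [ev]
            found = dfs(nxt, pos_in(ev, nxt) + 1, path + [ev])
            if found:
                return found
        return None

    return dfs(source, 0, []), steps

def search_flow_net(flows, source, target, t0, t1):
    # Follow the cross-links: continue on the other entity's flow right after the event.
    return truth_find(lambda e: flows.get(e, []), lambda ev, e: ev.pos[e],
                      source, target, t0, t1)

def search_log_file(log, source, target, t0, t1):
    # No links: the next related event is found by scanning the log forward.
    return truth_find(lambda e: log, lambda ev, e: ev.log_index,
                      source, target, t0, t1)

def as_tuples(path):
    return [(ev.time, ev.subject, ev.obj) for ev in path]

# Constructed records (time, subject, object); not data from the paper.
RECORDS = [
    (1, "Acct E", "File X"), (2, "Acct A", "File B"), (3, "Acct E", "File Y"),
    (4, "Acct C", "File B"), (5, "Acct A", "Pkt 1"), (6, "Acct E", "File X"),
    (7, "Acct C", "Pkt 2"), (8, "Acct E", "File Y"), (9, "Acct D", "Pkt 1"),
    (10, "Acct D", "Pkt 2"),
]

if __name__ == "__main__":
    log = build_log_file(RECORDS)
    flows = build_flow_net(log)
    for name, (path, steps) in (
            ("Flow-Net", search_flow_net(flows, "File B", "Acct D", 1, 10)),
            ("Log-File", search_log_file(log, "File B", "Acct D", 1, 10))):
        print(name, steps, as_tuples(path))
```

On this constructed log both searches return the same three‐event route from File B to Account D, with 3 records examined in the Flow‐Net and 9 in the Log‐File.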

5.1. Finding a possible route for information leakage

We first measure the searching times for finding a possible route for the information leakage shown in Figure 10; the depth‐first‐based searching algorithm and the breadth‐first based searching algorithm are used.

Figure 11 shows a result from the first experiment. Both Flow‐Net and Log‐File show linear transitions, but the depth‐first‐based searching algorithm for the Log‐File grows faster than that for Flow‐Net; Log‐File actually requires nearly 10 times more searching complexity than Flow‐Net (e.g., 1144 to 111 at 1000 events and 2212 to 211 for 2000 events).

On the other hand, in the second type of experiment shown in Figure 12, initially (e.g., 5 × 5 through 9 × 9), both approaches show a minor decline in the searching complexity. However, after the 9 × 9 size of the subject and object sets, the complexity continues to decline in Flow‐Net, whereas it begins to grow in Log‐File. Eventually, the searching complexity of the Log‐File becomes about 20 times as high as that for Flow‐Net at 20 × 20 subject and object sets. This is because, in the case of Flow‐Net, increasing the sizes of the subject and object sets is equivalent to reducing the average number of elements that each subject or object list has. This average number of elements is very similar to the load factor of the hash list.

Figure 11. Complexity comparison for finding one possible route of information leakage with the depth‐first‐based searching algorithm for Log‐File and Flow‐Net (versus no. of events). [Plot: No. of Steps versus No. of Events; series: Log‐File, Flow‐Net.]

Figure 12. Complexity comparison for finding one possible route of information leakage with the depth‐first‐based searching algorithm for Log‐File and Flow‐Net (versus no. of subjects × no. of objects). [Plot: No. of Steps versus No. of Subjects × No. of Objects; series: Log‐File, Flow‐Net.]

Figure 13 shows the complexity comparison between Log‐File and Flow‐Net using the breadth‐first‐based searching algorithm in order to find out one possible route to an event where information leaked. In both cases, because the secret leakage occurred at an event that is at the end of the time sequence, this event must be placed on a leaf node of a constructed binary tree. More precisely, in the use of Flow‐Net, this event is the last event in one of the linked lists in Flow‐Net. Therefore, this situation is quite disadvantageous to the breadth‐first‐based searching algorithm because the breadth‐first search traverses nodes level‐by‐level; thus, the search happens at an event where a secret leaked at the end of the searching phase. This inevitably reveals many redundant steps, and the results in Figure 13 show this redundancy very well. When compared with the case of the depth‐first‐based search, both Log‐File and Flow‐Net experience around 10 times poorer efficiency for connecting a secret to an event where its leakage happened. Moreover, at 2000 events between these events, both cases become almost 20 times less efficient than the depth‐first‐based search.

On the other hand, in Figure 14, when the variation of events is allowed to be more diverse (i.e., the number of both the subjects and objects grows large), the complexity of the search in Flow‐Net gradually decreases, whereas that for Log‐File linearly increases. This situation is similar to the case of the depth‐first‐based searching algorithm; thus, at the level of 10 × 10 events, the difference of the complexity between Flow‐Net and Log‐File becomes nearly 40 000.

Figure 13. Complexity comparison for finding one possible route of information leakage with the breadth‐first‐based searching algorithm between Log‐File and Flow‐Net (versus no. of events). [Plot: No. of Steps versus No. of Events; series: Log‐File, Flow‐Net.]

Figure 14. Complexity comparison for finding one possible route of information leakage with the breadth‐first‐based searching algorithm between Log‐File and Flow‐Net (versus no. of subjects × no. of objects). [Plot: No. of Steps versus No. of Subjects × No. of Objects; series: Log‐File, Flow‐Net.]

5.2. Finding all possible suspects concerning an information leakage

At this time, an auxiliary stack is used to store every suspect concerning an information leakage. The searches essentially traverse the entire binary tree until they finally arrive at the rightmost leaf of the binary tree (note: this is not always the last event in the time sequence). Unlike finding a possible route connecting information leakage, because the searching algorithms inevitably traverse the entire binary tree, their complexity is poorer than those of the previous cases. Therefore, even in the use of Flow‐Net, as shown in Figure 15, it requires more than 4000 steps at the base value of 2000, whereas it requires 200 to find a possible route; yet, compared with Log‐File, the rate of the complexity rising in Flow‐Net is very efficient because it avoids auxiliary searches for events from the original time sequential record. This avoidance is derived from the fact that there are links to associate related events for a binary tree.

Furthermore, as shown in Figure 16, when increasing the diversity of the event set, the complexity transition of Log‐File reveals a square curve growth. Although the complexity shows a linear rise in the case of Flow‐Net, it only moderately increases.

Figure 15. Complexity comparison for finding all possible suspects concerning an information leakage with the depth‐first‐based searching algorithm between Log‐File and Flow‐Net (versus no. of events). [Plot: No. of Steps versus No. of Events; series: Log‐File, Flow‐Net.]

Figure 16. Complexity comparison for finding all possible suspects concerning an information leakage with the depth‐first‐based searching algorithm between Log‐File and Flow‐Net. [Plot: No. of Steps versus No. of Subjects × No. of Objects; series: Log‐File, Flow‐Net.]

Intersection operation: An experiment comparing the complexity of the intersection operation of Log‐File and Flow‐Net is made. Figure 17 shows the linear climb for both, but Log‐File obviously ascends faster than Flow‐Net. In Figure 18, in both Log‐File and Flow‐Net, the complexities of executing the intersection operations decrease because of lower load factors (i.e., the average number of events that are related to a particular object (or subject)). This reduces the overhead for the sort–merge in the algorithms.

Construction time: Experiments for measuring the construction time of both Flow‐Net and Log‐File are conducted using the system time in a millisecond scale. At this point, we mention that constructing Log‐File means constructing linked lists of sequential event logs in order of the time sequence. In other words, when constructing Log‐File, the algorithm simply adds a new event to the tail of the linked lists.

On the other hand, while constructing a Flow‐Net, the algorithm is required to first search for a linked list that contains the subjects’ events as an event to be added to a Flow‐Net because, due to the nature of Flow‐Net, events that have the same subject must be put in the same linked list. Object linked lists are constructed in the same way; therefore, the construction of a Flow‐Net has two searching phases (for subjects and objects), after which it puts events at the tail of appropriate linked lists.
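The construction procedure just described, together with the intersection operation discussed earlier in this section, can be illustrated with the following added example, which is not the authors' code. It assumes linear searches over the list heads, counts visited events as the cost of the intersection, and uses constructed records and hypothetical function names.

```python
def find_list(heads, key, counter):
    """Walk the list heads until the one for `key` is found; create it if absent."""
    for name, events in heads:
        counter["comparisons"] += 1
        if name == key:
            return events
    heads.append((key, []))
    return heads[-1][1]

def construct_log_file(records):
    """Log-File construction: append each event to the tail, with no searching."""
    log = []
    for rec in records:
        log.append(rec)
    return log

def construct_flow_net(records):
    """Flow-Net construction: two searching phases per event, then two tail appends."""
    subjects, objects, counter = [], [], {"comparisons": 0}
    for rec in records:
        _, subject, obj = rec
        find_list(subjects, subject, counter).append(rec)   # phase 1: subject list
        find_list(objects, obj, counter).append(rec)        # phase 2: object list
    return subjects, objects, counter["comparisons"]

def sort_merge(a, b):
    """Intersect two collections of subject names by sorting and merging."""
    a, b = sorted(set(a)), sorted(set(b))
    i = j = 0
    common = []
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            common.append(a[i])
            i += 1
            j += 1
        elif a[i] < b[j]:
            i += 1
        else:
            j += 1
    return common

def suspects_flow_net(objects, file_x, file_y):
    """Visit only the two object lists; returns (common subjects, events visited)."""
    lists = dict(objects)
    ev_x, ev_y = lists.get(file_x, []), lists.get(file_y, [])
    common = sort_merge([s for _, s, _ in ev_x], [s for _, s, _ in ev_y])
    return common, len(ev_x) + len(ev_y)

def suspects_log_file(log, file_x, file_y):
    """Scan the whole chronological log; returns (common subjects, events visited)."""
    subj_x, subj_y, visited = [], [], 0
    for _, subject, obj in log:
        visited += 1
        if obj == file_x:
            subj_x.append(subject)
        elif obj == file_y:
            subj_y.append(subject)
    return sort_merge(subj_x, subj_y), visited

# Constructed records (time, subject, object); not data from the paper.
RECORDS = [
    (1, "Acct A", "File X"), (2, "Acct B", "File Y"), (3, "Acct C", "File X"),
    (4, "Acct A", "File Z"), (5, "Acct B", "File X"), (6, "Acct C", "File Y"),
    (7, "Acct D", "File Z"), (8, "Acct D", "File Y"),
]

if __name__ == "__main__":
    log = construct_log_file(RECORDS)
    subjects, objects, comparisons = construct_flow_net(RECORDS)
    print("Flow-Net construction comparisons:", comparisons)
    print("Flow-Net:", suspects_flow_net(objects, "File X", "File Y"))
    print("Log-File:", suspects_log_file(log, "File X", "File Y"))
```

On these records the Flow‐Net costs 28 list‐head comparisons to construct and the Log‐File none, while the intersection visits 6 events in the Flow‐Net instead of 8 in the Log‐File.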

Figure 17. Complexity transitions of executing the intersection operation (i.e., finding out all suspects concerning two different files) (versus no. of events). [Plot: No. of Steps versus No. of Events; series: Log‐File, Flow‐Net.]

Figure 18. Complexity transitions of executing the intersection operation (i.e., finding out all suspects concerning two different files) (versus no. of subjects × no. of objects). [Plot: No. of Steps versus No. of Subjects × No. of Objects; series: Log‐File, Flow‐Net.]

The first experiment, shown in Figure 19, demonstrates the time transition of both approaches’ construction phases in terms of the number of events. In other words, we measure the growth of the construction time as the number of events grows larger. In the experiment, we increase the size of the event set from 1000 to 20 000 by factors of 1000. Figure 19 shows that the difference of time spent between two constructions becomes larger as the size of an event pool becomes larger. At 20 000 events, the difference becomes nearly 0.1 s; however, relatively speaking, the difference is not large.

When incrementing the size of the subject and object sets, as shown in Figure 20, both Log‐File and Flow‐Net construction times nearly transit the same level. In other words, the difference of the two construction times is as low as 0.02 s when the set size is increased from 5 × 5 to 20 × 20.

Figure 19. Comparison of time spent to construct Flow‐Net and Log‐File in terms of the size of events. [Plot: Time (s) versus No. of Events; series: Log‐File, Flow‐Net.]

Figure 20. Comparison of time spent to construct Flow‐Net and Log‐File in terms of the diversity of events. [Plot: Time (s) versus No. of Subjects × No. of Objects; series: Log‐File, Flow‐Net.]

6. CONCLUSIONS

This paper addressed the very important issue of accountability. A flow‐net methodology was proposed for accountability and applied to MAC and routing layers in wireless networks. Implementation of the flow‐net in real systems as a prototype was described. Measurements of the performances of flow‐net and audit log file were compared. Results show the advantages of the proposed flow‐net methodology with the trade‐off of a slightly higher construction time.

ACKNOWLEDGEMENT

This work is supported in part by the US National Science Foundation (NSF) under the grant numbers CNS‐0737325, CNS‐0716211, CCF‐0829827, and CNS‐1059265.

REFERENCES

1. Xiao Y. Flow‐net methodology for accountability in wireless networks. IEEE Network 2009; 23(5): 30–37.

2. Sun B, Yu F, Wu K, Xiao Y, Leung VCM. Enhancing security using mobility‐based anomaly detection in cellular mobile networks. IEEE Transactions on Vehicular Technology 2006; 55(4): 1385–1396.

3. Kailar R. Accountability in electronic commerce protocols. IEEE Transactions on Software Engineering 1996; 22(5): 313–328.

4. Kungpisdan S, Permpoontanalarp Y. Practical reasoning about accountability in electronic commerce protocols. In Proc. of the 4th International Conference Seoul on Information Security and Cryptology, 06–07 December 2001, Vol. 2288, Springer‐Verlag: London, 2001; 268–284.

5. Rosenberg AL. Accountable web‐computing. IEEE Transactions on Parallel and Distributed Systems 2003; 14(2): 97–106.

6. Butt AR, Adabala S, Kapadia NH, Figueiredo R, Fortes JAB. Fine‐grain access control for securing shared resources in computational grids. In Proc. of IPDPS, 2002.

7. Smith G, Volpano D. Secure information flow in a multithreaded imperative language. In Proc. ACM Symp. on Principles of Programming Languages, Jan. 1998; 355–364.

8. Wallach DS, Appel AW, Felten EW. The security architecture formerly known as stack inspection: a security mechanism for language‐based systems. ACM Transactions on Software Engineering and Methodology Oct. 2000; 9(4): 341–378.

9. Mulligan DK, Burstein A. Implementing copyright limitations in rights expression languages. In 2002 ACM Workshop on Digital Rights Management, Washington DC, 18 November 2002.

10. Samuelson P. Digital rights management {and, or, vs.} the law. Communications of the ACM 2003; 46(4): 41–45.

11. Helman P, Liepins G. Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Transactions on Software Engineering 1993; 19(9): 886–901.

12. Morse JM, Barrett M, Mayan M, Olson K, Spiers J. Verification strategies for establishing reliability and validity in qualitative research. International Journal of Qualitative Methods 2002; 1(2): 1–19.

13. http://en.wikipedia.org/wiki/Promiscuous_mode

14. Xiao Y, Meng K, Takahashi D. Implementation and evaluation of accountability using flow‐net in wireless networks. Proceedings of the IEEE Military Communications Conference 2010 (IEEE MILCOM 2010), 31 Oct.–3 Nov. 2010.

15. Liu J, Xiao Y. Temporal accountability and anonymity in medical sensor networks. ACM/Springer Mobile Networks and Applications (MONET), Special issue on Ubiquitous Body Sensor Networks, accepted.

16. Xiao Y. Accountability for wireless LANs, ad hoc networks, and wireless mesh networks. IEEE Communication Magazine, special issue on Security in Mobile Ad Hoc and Sensor Networks 2008; 46(4): 116–126. Doi: 10.1109/MCOM.2008.4481350

17. Takahashi D, Xiao Y. Retrieving knowledge from auditing log files for computer and network forensics and accountability. Security and Communication Networks 2008; 1(2): 147–160.

18. Liu J, Xiao Y, Gao J. Accountability in Smart Grids. Proceedings of IEEE Consumer Communications and Networking Conference 2011 (IEEE CCNC 2011), Smart Grids Special Session, accepted.

19. Xiao Z, Xiao Y, Wu J. A Quantitative Study of Accountability in Wireless Multi‐hop Networks. Proceedings of 2010 39th International Conference on Parallel Processing (ICPP 2010), 13–16 Sept. 2010.

20. Xiao Z, Xiao Y. PeerReview analysis and re‐evaluation for accountability in distributed systems or networks. In Proceedings of the 4th International Conference on Information Security and Assurance (ISA2010), CCIS 76, 2010; 149–162.

21. Xiao Z, Xiao Y. P‐accountable networked systems. Proceeding of INFOCOM 2010, Work in Progress (WIP) Track.

22. Ramsey BW, Mullins BE, Thomas RW, Andel TR. Subjective audio quality over a secure IEEE 802.11n network. International Journal of Security and Networks 2011; 6(1): 53–63.

23. Xiao Y. Editorial. International Journal of Security and Networks 2011; 6(1): 1–1.

24. Kundur D, Feng X, Mashayekh S, Liu S, Zourntos T, Butler‐Purry KL. Towards modelling the impact of cyber attacks on a smart grid. International Journal of Security and Networks 2011; 6(1): 2–13.

25. Kalogridis G, Denic SZ, Lewis T, Cepeda R. Privacy protection system and metrics for hiding electrical events. International Journal of Security and Networks 2011; 6(1): 14–27.

26. Li F, Luo B, Liu P. Secure and privacy‐preserving information aggregation for smart grids. International Journal of Security and Networks 2011; 6(1): 28–39.

27. Zhang J, Gunter CA. Application‐aware secure multicast for power grid communications. International Journal of Security and Networks 2011; 6(1): 40–52.

28. Zhuang Z, Li Y, Chen Z. Enhancing intrusion detection system with proximity information. International Journal of Security and Networks 2010; 5(4): 207–219.

29. Abbes T, Bouhoula A, Rusinowitch M. Efficient decision tree for protocol analysis in intrusion detection. International Journal of Security and Networks 2010; 5(4): 220–235.

30. Schrader KR, Mullins BE, Peterson GL, Mills RF. An FPGA‐based system for tracking digital information transmitted via peer‐to‐peer protocols. International Journal of Security and Networks 2010; 5(4): 236–247.

31. Chen Z, Chen C, Wang Q. On the scalability of delay‐tolerant botnets. International Journal of Security and Networks 2010; 5(4): 248–258.

32. Guo Y, Perreau S. Detect DDoS flooding attacks in mobile ad hoc networks. International Journal of Security and Networks 2010; 5(4): 259–269.

33. Guo H, Mu Y, Zhang XY, Li ZJ. Enhanced McCullagh–Barreto identity‐based key exchange protocols with master key forward security. International Journal of Security and Networks 2010; 5(2/3): 173–187.

34. Richard AO, Ahmad A, Kiseon K. Security assessments of IEEE 802.15.4 standard based on X.805 framework. International Journal of Security and Networks 2010; 5(2/3): 188–197.

35. Dong Y, Hsu S, Rajput S, Wu B. Experimental analysis of application‐level intrusion detection algorithms. International Journal of Security and Networks 2010; 5(2/3): 198–205.

36. Wang H, Jia X. Editorial. International Journal of Security and Networks 2010; 5(2/3): 77–78.

37. Leng X, Lien Y, Mayes K, Markantonakis K. An RFID grouping proof protocol exploiting anti‐collision algorithm for subgroup dividing. International Journal of Security and Networks 2010; 5(2/3): 79–86.

38. Dalton GC, II, Edge KS, Mills RF, Raines RA. Analysing security risks in computer and radio frequency identification (RFID) networks using attack and protection trees. International Journal of Security and Networks 2010; 5(2/3): 87–95.

39. Mahinderjit‐Singh M, Li X. Trust in RFID‐enabled supply‐chain management. International Journal of Security and Networks 2010; 5(2/3): 96–105.

40. Hutter M, Plos T, Feldhofer M. On the security of RFID devices against implementation attacks. International Journal of Security and Networks 2010; 5(2/3): 106–118.

41. Imasaki Y, Zhang Y, Ji Y. Secure and efficient data transmission in RFID sensor networks. International Journal of Security and Networks 2010; 5(2/3): 119–127.

42. Sun L. Security and privacy on low‐cost radio frequency identification systems. International Journal of Security and Networks 2010; 5(2/3): 128–134.

43. Zhang X, Gao Q, Saad MK. Looking at a class of RFID APs through GNY logic. International Journal of Security and Networks 2010; 5(2/3): 135–146.

44. Azevedo SG, Ferreira JJ. Radio frequency identification: a case study of healthcare organisations. International Journal of Security and Networks 2010; 5(2/3): 147–155.

45. Raad M. A ubiquitous mobile telemedicine system for the elderly using RFID. International Journal of Security and Networks 2010; 5(2/3): 156–164.

46. Rodrigues MJ, James K. Perceived barriers to the widespread commercial use of radio frequency identification technology. International Journal of Security and Networks 2010; 5(2/3): 165–172.

47. Yang M, Liu JCL, Tseng Y. Editorial. International Journal of Security and Networks 2010; 5(1): 1–3.

48. Malliga S, Tamilarasi A. A backpressure technique for filtering spoofed traffic at upstream routers. International Journal of Security and Networks 2010; 5(1): 3–14.

49. Huang S, Shieh S. Authentication and secret search mechanisms for RFID‐aware wireless sensor networks. International Journal of Security and Networks 2010; 5(1): 15–25.

50. Hsiao Y, Hwang R. An efficient secure data dissemination scheme for grid structure wireless sensor networks. International Journal of Security and Networks 2010; 5(1): 26–34.

51. Xu L, Chen S, Huang X, Mu Y. Bloom filter based secure and anonymous DSR protocol in wireless ad hoc networks. International Journal of Security and Networks 2010; 5(1): 35–44.

52. Tsai K, Hsu C, Wu T. Mutual anonymity protocol with integrity protection for mobile peer‐to‐peer networks. International Journal of Security and Networks 2010; 5(1): 45–52.

53. Yang M. Lightweight authentication protocol for mobile RFID networks. International Journal of Security and Networks 2010; 5(1): 53–62.

54. Wang J, Smith GL. A cross‐layer authentication design for secure video transportation in wireless sensor network. International Journal of Security and Networks 2010; 5(1): 63–76.

55. Bai L, Zou X. A proactive secret sharing scheme in matrix projection method. International Journal of Security and Networks 2009; 4(4): 201–209.

56. Bettahar H, Alkubeily M, Bouabdallah A. TKS: a transition key management scheme for secure application level multicast. International Journal of Security and Networks 2009; 4(4): 210–222.

57. Huang H, Kirchner H, Liu S, Wu W. Handling inheritance violation for secure interoperation of heterogeneous systems. International Journal of Security and Networks 2009; 4(4): 223–233.

58. Rekhis S, Boudriga NA. Visibility: a novel concept for characterising provable network digital evidences. International Journal of Security and Networks 2009; 4(4): 234–245.

59. Djenouri D, Bouamama M, Mahmoudi O. Black‐hole‐resistant ENADAIR‐based routing protocol for mobile ad hoc networks. International Journal of Security and Networks 2009; 4(4): 246–262.

60. Hu F, Dong D, Xiao Y. Attacks and countermeasures in multi‐hop cognitive radio networks. International Journal of Security and Networks 2009; 4(4): 263–271.

61. Chen Z, Chen C, Li Y. Deriving a closed‐form expression for worm‐scanning strategies. International Journal of Security and Networks 2009; 4(3): 135–144.

62. Lee S, Sivalingam KM. An efficient one‐time password authentication scheme using a smart card. International Journal of Security and Networks 2009; 4(3): 145–152.

63. Watkins L, Beyah R, Corbett C. Using link RTT to passively detect unapproved wireless nodes. International Journal of Security and Networks 2009; 4(3): 153–163.

64. Drakakis KE, Panagopoulos AD, Cottis PG. Overview of satellite communication networks security: introduction of EAP. International Journal of Security and Networks 2009; 4(3): 164–170.

65. Chakrabarti S, Chandrasekhar S, Singhal M. An escrow‐less identity‐based group‐key agreement protocol for dynamic peer groups. International Journal of Security and Networks 2009; 4(3): 171–188.

66. Ehlert S, Rebahi Y, Magedanz T. Intrusion detection system for denial‐of‐service flooding attacks in SIP communication networks. International Journal of Security and Networks 2009; 4(3): 189–200.

67. Berthier R, Cukier M. An evaluation of connection characteristics for separating network attacks. International Journal of Security and Networks 2009; 4(1/2): 110–124.

68. Wu B, Wu J, Dong Y. An efficient group key management scheme for mobile ad hoc networks. International Journal of Security and Networks 2009; 4(1/2): 125–134.

69. Mayrhofer R, Nyberg K, Kindberg T. Foreword. International Journal of Security and Networks 2009; 4(1/2): 1–3.

70. Scannell A, Varshavsky A, LaMarca A, De Lara E. Proximity‐based authentication of mobile devices. International Journal of Security and Networks 2009; 4(1/2): 4–16.

71. Soriente C, Tsudik G, Uzun E. Secure pairing of interface constrained devices. International Journal of Security and Networks 2009; 4(1/2): 17–26.

72. Buhan I, Boom B, Doumen J, Hartel PH, Veldhuis RNJ. Secure pairing with biometrics. International Journal of Security and Networks 2009; 4(1/2): 27–42.

73. McCune JM, Perrig A, Reiter MK. Seeing‐is‐believing: using camera phones for human‐verifiable

46 Se

authentication. International Journal of Security andNetworks 2009; 4(1/2): 43–56.

74. Goodrich MT, Sirivianos M, Solis J, Soriente C,Tsudik G, Uzun E. Using audio in secure devicepairing. International Journal of Security andNetworks2009; 4(1/2): 57–68.

75. Laur S, Pasini S. User‐aided data authentication.International Journal of Security and Networks2009; 4(1/2): 69–86.

76. Suomalainen J, Valkonen J, Asokan N. Standards forsecurity associations in personal networks: a com-parative analysis. International Journal of Securityand Networks 2009; 4(1/2): 87–100.

77. Kuo C, Perrig A, Walker J. Designing user studiesfor security applications: a case study with wirelessnetwork configuration. International Journal ofSecurity and Networks 2009; 409(1/2): 101–109.

78. Ma L, Teymorian AY, Xing K, Du D. An one‐way function based framework for pairwise keyestablishment in sensor networks. InternationalJournal of Security and Networks 2008; 3(4):217–225.

79. Srinivasan A, Li F, Wu J, Li M. Clique‐based groupkey assignment in Wireless Sensor Networks.International Journal of Security and Networks2008; 3(4): 226–239.

80. Hsieh C, Chen J, Lin Y‐B, Chen K, Liao H, Liang C.NTP‐DownloadT: a conformance test tool forsecured mobile download services. InternationalJournal of Security and Networks 2008; 3(4):240–249.

81. Sadowitz M, Latifi S, Walker D. An iris and retinamultimodal biometric system. International Journalof Security and Networks 2008; 3(4): 250–257.

82. Kandikattu R, Jacob L. Secure hybrid routing withmicro/macro‐mobility handoff mechanisms for urbanwireless mesh networks. International Journal ofSecurity and Networks 2008; 3(4): 258–274.

83. Xu H, Ayachit M, Reddyreddy A. Formal modellingand analysis of XML firewall for service‐orientedsystems. International Journal of Security andNetworks 2008; 3(3): 147–160.

84. Bouhoula A, Trabelsi Z, Barka E, Benelbahri M.Firewall filtering rules analysis for anomalies detec-tion. International Journal of Security and Networks2008; 3(3): 161–172.

85. Li F, Srinivasan A, Wu J. PVFS: a probabilisticvotingbbased filtering scheme in wireless sensornetworks. International Journal of Security andNetworks 2008; 3(3): 173–182.

86. Ma X, Cheng X. Verifying security protocols byknowledge analysis. International Journal of Secu-rity and Networks 2008; 3(3): 183–192.

curity Comm. Networks 2012; 5:29–49 © 2011 John Wiley & Sons, Ltd.DOI: 10.1002/sec

Page 19: Accountability using flow-net: design, implementation, and performance evaluation

Accountability using flow‐netY. Xiao, K. Meng and D. Takahashi

87. Uphoff B, Wong JS. An agent‐based framework forintrusion detection alert verification and eventcorrelation. International Journal of Security andNetworks 2008; 3(3): 193–200.

88. Tripathy S, Nandi S. Secure user‐identification andkey distribution scheme preserving anonymity.International Journal of Security and Networks2008; 3(3): 201–205.

89. Li F, Xin X, Hu Y. ID‐based threshold proxysigncryption scheme from bilinear pairings. Interna-tional Journal of Security and Networks 2008; 3(3):206–215.

90. Lin X, Ling X, Zhu H, Ho P, Shen X. A novellocalised authentication scheme in IEEE 802.11based wireless mesh networks. International Journalof Security and Networks 2008; 3(2): 122–132.

91. Challal Y, Gharout S, Bouabdallah A, Bettahar H.Adaptive clustering for scalable key management indynamic group communications. International Jour-nal of Security and Networks 2008; 3(2): 133–146.

92. Memon N, Goel R. Editorial. International Journalof Security and Networks 2008; 3(2): 79.

93. Ray I, Poolsappasit N. Using mobile ad hoc networksto acquire digital evidence from remote autonomousagents. International Journal of Security and Net-works 2008; 3(2): 80–94.

94. Kilpatrick T, Gonzalez J, Chandia R, Papa M,Shenoi S. Forensic analysis of SCADA systemsand networks. International Journal of Security andNetworks 2008; 3(2): 95–102.

95. Cronin E, Sherr M, Blaze M. On the (un)reliability ofeavesdropping. International Journal of Security andNetworks 2008; 3(2): 103–113.

96. Okolica JS, Peterson GL, Mills RF. Using PLSI‐U todetect insider threats by datamining e‐mail. Interna-tional Journal of Security and Networks 2008; 3(2):114–121.

97. Kotzanikolaou P, Vergados DD, Stergiou G,Magkos E. Multilayer key establishment for large‐scale sensor networks. International Journal ofSecurity and Networks 2008; 3(1): 1–9.

98. Wang W, Kong J, Bhargava B, Gerla M. Visualisa-tion of wormholes in underwater sensor networks: adistributed approach. International Journal of Secu-rity and Networks 2008; 3(1): 10–23.

99. Scheirer W, Chuah M. Syntax vs. semantics:competing approaches to dynamic network intrusiondetection. International Journal of Security andNetworks 2008; 3(1): 24–35.

100. Burt AL, Darschewski M, Ray I, Thurimella R,WuH.Origins: an approach to trace fast spreading worms totheir roots. International Journal of Security andNetworks 2008; 3(1): 36–46.

Security Comm. Networks 2012; 5:29–49 © 2011 John Wiley & Sons, Ltd.DOI: 10.1002/sec

101. Zou X, Karandikar Y. A novel conference keymanagement solution for secure dynamic conferenc-ing. International Journal of Security and Networks2008; 3(1): 47–53.

102. Asadpour M, Sattarzadeh B, Movaghar A. Anony-mous authentication protocol for GSM networks.International Journal of Security and Networks2008; 3(1): 54–62.

103. Hu F, Rughoonundon A, Celentano L. Towards arealistic testbed for wireless network reliability andsecurity performance studies. International Journalof Security and Networks 2008; 3(1): 63–77.

104. Mu Y, Chen L, Chen X, Gong G, Lee P, Miyaji A,et al. Editorial. International Journal of Security andNetworks 2007; 2(3/4): 171–174.

105. Tartary C, Wang H. Efficient multicast streamauthentication for the fully adversarial networkmodel. International Journal of Security and Net-works 2007; 2(3/4): 175–191.

106. Bhaskar R, Herranz J, Laguillaumie F. Aggregatedesignated verifier signatures and application tosecure routing. International Journal of Securityand Networks 2007; 2(3/4): 192–201.

107. Hsu H, Zhu S, Hurson AR. LIP: a lightweightinterlayer protocol for preventing packet injectionattacks in mobile ad hoc network. InternationalJournal of Security and Networks 2007; 2(3/4):202–215.

108. Oliveira LB, Wong H, Loureiro AAF, Dahab R. Onthe design of secure protocols for hierarchical sensornetworks. International Journal of Security andNetworks 2007; 2(3/4): 216–227.

109. Michail HE, Panagiotakopoulos GA, ThanasoulisVN, Kakarountas AP, Goutis CE. Server sidehashing core exceeding 3 Gbps of throughput.International Journal of Security and Networks2007; 2(3/4): 228–238.

110. Hoeper K, Gong G. Preventing or utilising keyescrow in identity‐based schemes employed inmobile ad hoc networks. International Journal ofSecurity and Networks 2007; 2(3/4): 239–250.

111. Cheng Z, Chen L. On security proof of McCullagh–Barreto’s key agreement protocol and its variants.International Journal of Security and Networks2007; 2(3/4): 251–259.

112. Finnigin KM, Mullins BE, Raines RA, Potoczny HB.Cryptanalysis of an elliptic curve cryptosystem forwireless sensor networks. International Journal ofSecurity and Networks 2007; 2(3/4): 260–271.

113. Huang D. Pseudonym‐based cryptography for anon-ymous communications in mobile ad hoc networks.International Journal of Security and Networks2007; 2(3/4): 272–283.

47

Page 20: Accountability using flow-net: design, implementation, and performance evaluation

Accountability using flow‐net Y. Xiao, K. Meng and D. Takahashi

114. Abdalla M, Bresson E, Chevassut O, Moller B,Pointcheval D. Strong password‐based authenticationin TLS using the three‐party group Diffie–Hellmanprotocol. International Journal of Security andNetworks 2007; 2(3/4): 284–296.

115. Chen H, Guizani M. Editorial. International Journalof Security and Networks 2007; 2(1/2): 1–2.

116. Li R, Li J, Chen H. DKMS: distributed hierarchicalaccess control for multimedia networks. InternationalJournal of Security and Networks 2007; 2(1/2): 3–10.

117. Sakarindr P, Ansari N. Adaptive trust‐based anony-mous network. International Journal of Security andNetworks 2007; 2(1/2): 11–26.

118. Malaney RA. Securing Wi‐Fi networks with positionverification: extended version. International Journalof Security and Networks 2007; 2(1/2): 27–36.

119. Sun F, Shayman MA. On pairwise connectivity ofwireless multihop networks. International Journal ofSecurity and Networks 2007; 2(1/2): 37–49.

120. Erdogan Oz, Cao P. Hash‐AV: fast virus signaturescanning by cache‐resident filters. International Journalof Security and Networks 2007; 2(1/2): 50–59.

121. Rabinovich P, Simon R. Secure message delivery inpublish/subscribe networks using overlay multicast.International Journal of Security and Networks2007; 2(1/2): 60–70.

122. Chen Z, Ji C. Optimal worm‐scanning method usingvulnerable‐host distributions. International Journalof Security and Networks 2007; 2(1/2): 71–80.

123. Pan J, Cai L, Shen X. Vulnerabilities in distance‐indexed IP traceback schemes. International Journalof Security and Networks 2007; 2(1/2): 81–94.

124. Korkmaz T, Gong C, Sarac K, Dykes SG. 8 Singlepacket IP traceback in AS‐level partial deploymentscenario. International Journal of Security andNetworks 2007; 2(1/2): 95–10.

125. Ling H, Znati T. End‐to‐end pairwise key establish-ment using node disjoint secure paths in wirelesssensor networks. International Journal of Securityand Networks 2007; 2(1/2): 109–121.

126. Artan NS, Chao HJ. Design and analysis of a multi-packet signature detection system. International Journalof Security and Networks 2007; 2(1/2): 122–136.

127. Zhu Y, Fu X, Bettati R, Zhao W. Analysis of flow‐correlation attacks in anonymity network. Interna-tional Journal of Security and Networks 2007; 2(1/2):137–153.

128. Gu Q, Liu P, Chu C, Zhu S. Defence against packetinjection in ad hoc networks. International Journalof Security and Networks 2007; 2(1/2): 154–169.

129. Hwu J, Hsu S, Lin Y‐B, Chen R. End‐to‐end securitymechanisms for SMS. International Journal ofSecurity and Networks 2006; 1(3/4): 177–183.

48 Se

130. Wang X. The loop fallacy and deterministic serial-isation in tracing intrusion connections throughstepping stones. International Journal of Securityand Networks 2006; 1(3/4): 184–197.

131. Jiang Y, Lin C, Shi M, Shen X. A self‐encryptionauthentication protocol for teleconference services.International Journal of Security and Networks2006; 1(3/4): 198–205.

132. Owens SF, Levary RR. An adaptive expert systemapproach for intrusion detection. International Jour-nal of Security and Networks 2006; 1(3/4): 206–217.

133. Chen Y, Susilo W, Mu Y. Convertible identity‐basedanonymous designated ring signatures. InternationalJournal of Security and Networks 2006; 1(3/4):218–225.

134. Teo J, Tan C, Ng J. Low‐power authenticated groupkey agreement for heterogeneous wireless networks.International Journal of Security and Networks2006; 1(3/4): 226–236.

135. Tan C. A new signature scheme without randomoracles. International Journal of Security and Net-works 2006; 1(3/4): 237–242.

136. Liu Y, Comaniciu C, Man H. Modelling misbeha-viour in ad hoc networks: a game theoretic approachfor intrusion detection. International Journal ofSecurity and Networks 2006; 1(3/4): 243–254.

137. Karyotis V, Papavassiliou S, Grammatikou M,Maglaris V. A novel framework for mobile attackstrategy modelling and vulnerability analysis inwireless ad hoc networks. International Journal ofSecurity and Networks 2006; 1(3/4): 255–265.

138. Xiao Y, Jia X, Sun B, Du X. Editorial: security issueson sensor networks. International Journal of Securityand Networks 2006; 1(3/4): 125–126.

139. Wang H, Sheng B, Li Q. Elliptic curve cryptography‐based access control. International Journal ofSecurity and Networks 2006; 1(3/4): 127–137.

140. Zheng J, Li J, Lee MJ, Anshel M. A lightweightencryption and authentication scheme for wirelesssensor networks. International Journal of Securityand Networks 2006; 1(3/4): 138–146.

141. Al‐Karaki JN. Analysis of routing security‐energytrade‐offs in wireless sensor networks. Internation-al Journal of Security and Networks 2006; 1(3/4):147–157.

142. Araz O, Qi H. Load‐balanced key establishmentmethodologies in wireless sensor networks. Interna-tional Journal of Security and Networks 2006; 1(3/4):158–166.

143. Deng J, Han R, Mishra S. Limiting DoS attacksduring multihop data delivery in wireless sensornetworks. International Journal of Security andNetworks 2006; 1(3/4): 167–178.

curity Comm. Networks 2012; 5:29–49 © 2011 John Wiley & Sons, Ltd.DOI: 10.1002/sec

Page 21: Accountability using flow-net: design, implementation, and performance evaluation

Accountability using flow‐netY. Xiao, K. Meng and D. Takahashi

144. Xiao Y. Editorial. International Journal of Securityand Networks 2006; 1(1/2): 1–1.

145. Shehab M, Bertino E, Ghafoor A. Workflow authorisa-tion in mediator‐free environments. InternationalJournal of Security and Networks 2006; 1(1/2): 2–12.

146. Jung E, Gouda MG. Vulnerability analysis ofcertificate graphs. International Journal of Securityand Networks 2006; 1(1/2): 13–23.

147. Kiayias A, Yung M. Secure scalable group signaturewith dynamic joins and separable authorities. Interna-tional Journal of Security and Networks 2006; 1(1/2):24–45.

148. Franklin M. A survey of key evolving cryptosystems.International Journal of Security and Networks2006; 1(1/2): 46–53.

149. Hamadeh I, Kesidis G. A taxonomy of internettraceback. International Journal of Security andNetworks 2006; 1(1/2): 54–61.

150. Jhumka A, Freiling F, Fetzer C, Suri N. An approachto synthesise safe systems. International Journal ofSecurity and Networks 2006; 1(1/2): 62–74.

151. Evans JB, Wang W, Ewy BJ. Wireless network-ing security: open issues in trust, management,

Security Comm. Networks 2012; 5:29–49 © 2011 John Wiley & Sons, Ltd.DOI: 10.1002/sec

interoperation and measurement. InternationalJournal of Security and Networks 2006; 1(1/2):84–94.

152. Englund H, Johansson T. Three ways to mountdistinguishing attacks on irregularly clocked streamciphers. International Journal of Security and Net-works 2006; 1(1/2): 95–102.

153. Zhu B, Jajodia S, Kankanhalli MS. Building trustin peer‐to‐peer systems: a review. InternationalJournal of Security and Networks 2006; 1(1/2):103–112.

154. Ramkumar M, Memon N. Secure collaborations overmessage boards. International Journal of Securityand Networks 2006; 1(1/2): 113–124.

155. Joint SEE‐Mesh/Wi‐Mesh Proposal to 802.11 TGs,IEEE published documents, doc.: IEEE 802.11‐06/0328r0

156. AirPcap interface documentation. Available from:http://wireshark.sourcearchive.com/documentation/1.2.2/main.html

157. Meng K, Xiao Y, Vrbsky SV. Building a wirelesscapturing tool for WiFi. Security and CommunicationNetworks 2009; 2(6): 654–668.

49