Open Access
ARTICLE
Certrust: An SDN-Based Framework for the Trust of Certificates against Crossfire Attacks in IoT Scenarios
1
School of Computer Science (National Pilot Software Engineering School), Beijing University of Posts and Telecommunications,
Beijing, China
2
College of Engineering, Qatar University, Doha, Qatar
* Corresponding Author: Xiaohong Huang. Email:
(This article belongs to the Special Issue: Models of Computation: Specification, Implementation and Challenges)
Computer Modeling in Engineering & Sciences 2023, 134(3), 2137-2162. https://doi.org/10.32604/cmes.2022.022462
Received 10 March 2022; Accepted 12 May 2022; Issue published 20 September 2022
Abstract
The low-intensity attack flows used by Crossfire attacks are hard to distinguish from legitimate flows. Traditional methods to identify the malicious flows in Crossfire attacks are rerouting, which is based on statistics. In these existing mechanisms, the identification of malicious flows depends on the IP address. However, the IP address is easy to be changed by attacks. Compared with the IP address, the certificate is more challenging to be tampered with or forged. Moreover, the traffic trend in the network is towards encryption. The certificates are popularly utilized by IoT devices for authentication in encryption protocols. DTLShps proposed a new way to verify certificates for resource-constrained IoT devices by using the SDN controller. Based on DTLShps, the SDN controller can collect statistics on certificates. In this paper, we propose Certrust, a framework based on the trust of certificates, to mitigate the Crossfire attack by using SDN for IoT. Our goal is threefold. First, the trust model is built based on the Bayesian trust system with the statistics on the participation of certificates in each Crossfire attack. Moreover, the forgetting curve is utilized instead of the traditional decay method in the Bayesian trust system for achieving a moderate decay rate. Second, for detecting the Crossfire attack accurately, a method based on graph connectivity is proposed. Third, several trust-based routing principles are proposed to mitigate the Crossfire attack. These principles can also encourage users to use certificates in communication. The performance evaluation shows that Certrust is more effective in mitigating the Crossfire attack than the traditional rerouting schemes. Moreover, our trust model has a more appropriate decay rate than the traditional methods.Graphic Abstract
Keywords
Cite This Article
This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.