Open Access


Certrust: An SDN-Based Framework for the Trust of Certificates against Crossfire Attacks in IoT Scenarios

Lei Yan1, Maode Ma2, Dandan Li1, Xiaohong Huang1,*, Yan Ma1, Kun Xie1
1 School of Computer Science (National Pilot Software Engineering School), Beijing University of Posts and Telecommunications, Beijing, China
2 College of Engineering, Qatar University, Doha, Qatar
* Corresponding Author: Xiaohong Huang. Email:
(This article belongs to this Special Issue: Models of Computation: Specification, Implementation and Challenges)

Computer Modeling in Engineering & Sciences 2023, 134(3), 2137-2162.

Received 10 March 2022; Accepted 12 May 2022; Issue published 20 September 2022


The low-intensity attack flows used by Crossfire attacks are hard to distinguish from legitimate flows. Traditional methods to identify the malicious flows in Crossfire attacks are rerouting, which is based on statistics. In these existing mechanisms, the identification of malicious flows depends on the IP address. However, the IP address is easy to be changed by attacks. Compared with the IP address, the certificate is more challenging to be tampered with or forged. Moreover, the traffic trend in the network is towards encryption. The certificates are popularly utilized by IoT devices for authentication in encryption protocols. DTLShps proposed a new way to verify certificates for resource-constrained IoT devices by using the SDN controller. Based on DTLShps, the SDN controller can collect statistics on certificates. In this paper, we propose Certrust, a framework based on the trust of certificates, to mitigate the Crossfire attack by using SDN for IoT. Our goal is threefold. First, the trust model is built based on the Bayesian trust system with the statistics on the participation of certificates in each Crossfire attack. Moreover, the forgetting curve is utilized instead of the traditional decay method in the Bayesian trust system for achieving a moderate decay rate. Second, for detecting the Crossfire attack accurately, a method based on graph connectivity is proposed. Third, several trust-based routing principles are proposed to mitigate the Crossfire attack. These principles can also encourage users to use certificates in communication. The performance evaluation shows that Certrust is more effective in mitigating the Crossfire attack than the traditional rerouting schemes. Moreover, our trust model has a more appropriate decay rate than the traditional methods.

Graphical Abstract

Certrust: An SDN-Based Framework for the Trust of Certificates against Crossfire Attacks in IoT Scenarios


Trust model; certificate; SDN; Crossfire attack; bayesian trust system; forgetting curve; IoT

Cite This Article

Yan, L., Ma, M., Li, D., Huang, X., Ma, Y. et al. (2023). Certrust: An SDN-Based Framework for the Trust of Certificates against Crossfire Attacks in IoT Scenarios. CMES-Computer Modeling in Engineering & Sciences, 134(3), 2137–2162.

This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
  • 486


  • 252


  • 0


Share Link

WeChat scan