
Page 1: [IEEE 2013 Eighth International Conference on Availability, Reliability and Security (ARES) - Regensburg, Germany (2013.09.2-2013.09.6)] 2013 International Conference on Availability,

Collaboratively Exchanging Warning Messages Between Peers While Under Attack

Mirko Haustein, Herbert Sighart

Cassidian / EADS Deutschland GmbH

Unterschleißheim

Email: [email protected]

Dennis Titze, Peter Schoo

Fraunhofer AISEC

Garching near Munich

Email: [email protected]

Abstract—Secure Multi-party Computation (MPC) allows a secure joint cooperation within a distributed group of peers. In this paper we investigate an extended Secure MPC solution that allows mutual information exchange and distribution of warnings among a group of participating peers within an information sharing network. The implementation of this MPC solution is deployed in a peer-to-peer network. This paper evaluates the performance of the implementation based on two scenarios that stress the network load and thus simulate the implementation under attack. Using a network simulation provides a connection between a simulated network model and real systems by use of System-in-the-loop (SITL) technology for the validation of the considered MPC implementation.

Keywords—Secure Multi-party Computation, Warning Exchange, Simulation

I. INTRODUCTION

As of today it is understood that correlating security incident related data from only one administrative domain often does not provide enough information to efficiently counter and mitigate broad scale or sophisticated attacks. This is specifically the case for attacks emerging from multiple sources or multi-step malware [1]. To overcome this problem, distributed, collaborative systems, such as Collaborative Intrusion Detection Systems (CIDSs) and Information Sharing Networks (ISNs), have been researched for several years [2]. These distributed systems provide a larger base of available information with regard to suspicious events within Information and Communication Technology (ICT) systems. Noteworthy coincidences and upcoming widespread threats can be detected earlier, e.g., to generate alerts. This can help ICT operators to react as early as possible to these detected or indicated incidents and to mitigate or even avert the impact of the observed phenomena.

An example application domain is the information exchange between network operators and Internet Service Providers (ISPs). While these operators may already exchange information about counter strategies or specific actions, we focus on the exchange of information where data is generated automatically, e.g., by forwarding from sensors. In this application domain there is a need for anonymous distribution of messages, e.g., containing information about recognized attacks, or the status of the network, to improve the security level of the operators’ communication networks [3]. There are more examples in the realm of critical infrastructure where even competing parties benefit from collaboration, and the absence of a centralized controlling entity.

Although collaboration is advantageous for such operators, it comes with some challenges to be solved. One of the most important issues is the disclosure of internal and therefore private information related to an incident. For a network operator’s infrastructure such a disclosure may lead to a loss of reputation if revealed to entities outside the operator’s own administrative domain, especially competitors. On the other hand, collaboration may benefit from each piece of information that can be provided, even if the input data is private. This leads to a difficult-to-estimate trade-off between information sharing for collaboration and considerations about loss of reputation, especially for organizations whose core business is not the handling of, or notification about, incidents.

Solutions for such problems have been actively investigated for several decades and led to the development of privacy-preserving techniques such as Secure MPC initially introduced by Yao’s Millionaires’ Problem [4]. Since then a considerable number of protocols have been developed taking into account various aspects, such as different MPC techniques and attacker models. However, most of these protocols are optimized for specific applications such as public auctions [5] and supply chain management [6]. They were seldom applied to the network security domain. In 2010, Burkhart et al. [7] presented the MPC library SEPIA (Security through Private Information Aggregation). This library allows aggregating private input data about computer networks of up to 140 nodes for near real-time collaborative computations.

In this paper we describe the behavior of an implemented MPC system called Collaborative Resilient Exchange of Warnings (CREW) while under attack. This implementation allows the usage of the built-in MPC protocols for anonymous distribution of arbitrary binary input data to participating peers. Since this collaborative procedure is meant to support the exchange of security related warnings in a network of peers, we are interested in how this network will behave if the network is under attack and communications are severely hindered.

The content of this paper is structured as follows: Section II describes related work regarding anonymous and privacy preserving information exchange in IT early warning systems. Section III introduces the relevant internals of the underlying CREW system, whereas Section IV depicts and motivates the scenarios we have used for the simulation. Section V presents the results of our simulations and discusses these in Section VI. Section VII concludes our work, before Section VIII discusses our next steps and future work.

2013 International Conference on Availability, Reliability and Security

978-0-7695-5008-4/13 $26.00 © 2013 IEEE

DOI 10.1109/ARES.2013.95


II. RELATED WORK

Anonymity and privacy play a vital role in collaborative information sharing and early warning systems [2]. In 2010 Brunner et al. [8] proposed a concept combining Traceable Anonymous Certificates and anonymous Peer-to-Peer Overlay Networks such as GNUnet to address anonymity and privacy issues for IT early warning systems. This paper leaves the selection and sanitization of the exchanged data to the originator of an early warning message and focuses on the aspects of originator anonymity. The application of MPC techniques for IT early warning use cases is mentioned in this paper but not discussed in more detail.

Burkhart et al. [7] discuss the usage of the SEPIA library to aggregate network data for IT early warning applications. However, they focus on the prediction of network anomalies indicating potential cyber attacks or misbehavior of systems.

While the SEPIA library is based on secret sharing, Lauter et al. [9] discuss and implement homomorphic encryption based MPC protocols. Although their results show that even unoptimized versions of their implementation are equal to optimized comparable frameworks regarding performance, the protocols presented in their paper mainly consider cloud service applications instead of the information sharing or early warning domain.

The collaborative warning exchange system investigated in this paper is an extension to the SEPIA library and is presented in [10]. It allows the anonymous and privacy-preserving distribution of arbitrary input data, e.g., sensor data, to entities participating in an Information Sharing Network. The extension uses the existing addition protocol of SEPIA to enable information sharing within a closed user group but without revealing a message’s originator. The authors further describe how CREW handles collisions which can occur when two or more peers are sending messages to the Information Sharing Network at the same time. They evaluate the performance of the proposed protocol during normal execution and without influence from outside the system.

Beyond related work concerning the CREW design and implementation, there is nothing known that can be considered related to the simulation results we present on CREW in the following. Each such simulation result would depend on the system to be simulated, in our case CREW under attack. However, to enable comparative discussion with other attack simulations, we point to a recent publication by Chapman et al., proposing a taxonomy of cyber attacks based on the level of access required by the attacker to launch the attack [11]. According to this taxonomy the attack we simulate assumes that the attacker has no access to the network that CREW is establishing. The attacker may not even have CREW in mind as a target of the attack.

III. COLLABORATIVE RESILIENT EXCHANGE OF WARNINGS

The CREW system is an extension to the SEPIA library developed by Burkhart et al. [7] and allows the participants of the ISN to share arbitrary messages whilst providing originator anonymity. Since the system builds on SEPIA, it also inherits its properties, e.g., resilience and fairness (cf. [7]). The ISN consists of at least three peers which are connected to each other (as seen in Figure 1), and which exchange messages via TCP over an SSL secured connection. Since CREW makes use of the MPC provided by SEPIA, it can, e.g., guarantee that no eavesdropper and not even the participating peers can deduce the origin of any message. This assumes that the message itself does not contain any information which can leak the origin of a message (e.g., a signature). Therefore the content of the message has to be sanitized (e.g., anonymized) by the sender of the message before distribution. The design further assumes that the participants of CREW stick to predefined rules, e.g., negotiated between all peers and enforced by contracts. This includes in particular that the peers of the system do not try to compromise the system. Since all participants want to benefit from such a system, it is reasonable that they abide by these predefined rules.

Fig. 1. CREW High-level Architecture

CREW utilizes the vector addition protocol of SEPIA, which takes a vector of a certain size from all participants, calculates the element-wise sum, and distributes the result to the participants. After the initial setup of the system where the peers connect to each other, the message exchange proceeds in the following separate rounds:

• Reservation of a channel: if a peer wants to send a message, it first has to send a reservation message. This guarantees that the actual distribution of the message does not result in a collision. Cf. [10] for more details on collision avoidance in CREW.

• Encoding of the message into a vector: the message is split into elements of a vector upon which the multiparty computation can be executed.

• Calculating the sum of all input vectors: using the vector addition protocol of SEPIA, the peers calculate the sum of all input vectors. Since only the peer which reserved the channel sends actual content, and all other peers only send an empty vector, this sum represents the actual message. Once the calculation of the vector sum is completed, the result is distributed to all participants of the ISN.

• Decoding of the result vector: the result vector can be decoded by every peer, and the message exchange is complete.

More details about the CREW system can be found in [10], and in the document ’Methods for Collaborative Detection and Analysis’ of the ASMONIA project [3].
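The four rounds listed above, as an added Python example that is not part of the paper or of the CREW/SEPIA code. It assumes additive secret sharing over a prime field in place of SEPIA's addition protocol and a channel that is already reserved; the function names, modulus, chunk size and sample warning are constructed for illustration.

```python
"""Toy CREW-style round: anonymous broadcast through secure vector addition.

Assumption: additive secret sharing over a prime field stands in for
SEPIA's addition protocol; names and sizes below are illustrative.
"""
import secrets

P = 2**61 - 1   # prime modulus for share arithmetic (assumed)
CHUNK = 4       # message bytes packed into one vector element (assumed)
MIN_PEERS = 3   # the ISN consists of at least three peers


def encode(message, length):
    """Encode a message as `length` field elements; element 0 is the byte count."""
    capacity = (length - 1) * CHUNK
    if len(message) > capacity:
        raise ValueError("message does not fit the agreed vector size")
    padded = message.ljust(capacity, b"\x00")
    body = [int.from_bytes(padded[i:i + CHUNK], "big")
            for i in range(0, capacity, CHUNK)]
    return [len(message)] + body


def decode(vector):
    """Inverse of encode(); every peer can run this on the public result."""
    raw = b"".join(v.to_bytes(CHUNK, "big") for v in vector[1:])
    return raw[:vector[0]]


def share(vector, n):
    """Split a vector into n share vectors that sum to it element-wise mod P."""
    rand = [[secrets.randbelow(P) for _ in vector] for _ in range(n - 1)]
    last = [(v - sum(col)) % P for v, col in zip(vector, zip(*rand))]
    return rand + [last]


def run_round(inputs):
    """One addition round: returns (public result vector, per-peer partial sums)."""
    peers = list(inputs)
    if len(peers) < MIN_PEERS:
        raise ValueError("at least three peers are required")
    held = {p: [] for p in peers}            # shares each peer receives
    for sender in peers:
        for holder, sh in zip(peers, share(inputs[sender], len(peers))):
            held[holder].append(sh)
    # Each peer adds the shares it holds and publishes only that partial sum,
    # so no single peer ever sees another peer's input vector in the clear.
    partial = {p: [sum(col) % P for col in zip(*held[p])] for p in peers}
    result = [sum(col) % P for col in zip(*partial.values())]
    return result, partial


def demo():
    """Peer C holds the reserved channel; A, B and D contribute empty vectors."""
    length = 16
    warning = b"constructed warning: port scan observed"   # sample data
    empty = [0] * length
    inputs = {"A": empty, "B": empty, "C": encode(warning, length), "D": empty}
    result, _ = run_round(inputs)
    return decode(result)            # identical for every peer


if __name__ == "__main__":
    print(demo())
```

Because every peer submits a vector of the same length in every round, the traffic pattern of the sender is the same as that of the peers contributing empty vectors.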


Fig. 2. Network Overview

IV. SIMULATION SCENARIOS

A. Simulation Based Validation

The ASMONIA study [3] relies partially on theoretical models and it is necessary to have a proof of concept validation of these models and the concepts they are based on. Since investigations in the cyber security domain should not be executed in real networks, simulation will be considered as a tool for the validation of such theoretical models and concepts and to generate reproducible and comparable results for analysis purposes.

B. Scenario Description

The goal of the simulation was a behavior analysis of the CREW implementation in a communication network which was the target of a cyber attack. To get a more realistic behavior for the considered CREW process, a real CREW environment was connected over a simulated communication network. The chosen simulation platform to carry out the experiment was OPNET Modeler [12]. In order to enable the CREW process and to get valid results from the simulation, a minimum of three peers had to be connected to the communication network and the network simulation had to run in real-time. The scenario implementation was a proof of concept running on a simplified network structure.

On the basis of Figure 2 the setup will be explained briefly. The CREW environment included four administrative Mobile Network Operator (MNO) domains. All necessary information exchange for the operation of the CREW process was carried out in a specific format. Data processing was performed by real peers, represented by the four elements ’CREW Peer A’ up to element ’CREW Peer D’. The routing of the information from peer to peer was the task of the network simulation represented by the central IP Cloud; all data transfer was led over this cloud, which was considered a non-disturbed area. To get the opportunity for a provider related simulation of irregular network behavior, four provider specific sub-networks were added to the simulation model (represented by the domains ’A’ to ’D’).

Exchanging data originating from outside the simulation was accomplished using SITL technology. That means the connection between each real CREW peer and the simulated network was realized by a number of LAN interfaces, each with its unique MAC and IP address, to ensure that all data exchanged between the connected CREW peers passed through the network simulation. A gateway model between each real CREW peer and the IP Cloud was implemented within the provider-specific domain for data collection purposes. Of interest are the constraints under which CREW can exchange all packets until a threshold is reached, and whether there are any other limitations.

C. Degraded Throughput during Cyber Attacks

In this study the intrinsic DDoS attack [13] was not modeled in detail; instead, the significant effect of this attack, represented by packet drops at the IP layer in the communication between the CREW participants, and its influence on the CREW process were analyzed. The relation between the intensity of an attack and the resulting packet drop rate or packet loss is not discussed in detail in this paper. In principle the drop rate depends on the performance of the used network device and because of this only an assumed drop rate was defined.

In this scenario it was assumed that one of the provider networks (Domain ’D’ in Figure 2) was the victim of a cyber attack which caused packet drops. The packet drop rate was selected as an influential parameter since it demonstrates the impact of an attack without the necessity of an exact specification for this attack. It corresponds to the intensity of the cyber attack. Interactive applications like video conferencing and voice over IP require a low packet drop rate [14].

In case of CREW, packets which are lost will be retransmitted but this retransmission consumes a certain time, based on the grade of network disruption. The percentage for statistical packet drops in selected network areas was defined in the present scenario for ’Gateway D’. The resulting performance degradation for this part of the communication network (caused by a retransmission of dropped packets) was visible as an increasing transmission delay. For the examination of the network behavior, drop rates from 0% to 25% in steps of 5% have been applied.

V. SIMULATION RESULTS

A. Impact of Packet Loss

Figure 3 shows the data transmission on a time scale to ensure a correct understanding of the discussed results. The data transfer between all connected peers starts after an initialization phase, for the simulation and for the CREW process, of approximately 180 seconds, and six transfer cycles were carried out. This phase was necessary for the initialization of the network simulation as well as for all the connected CREW peers in this proof of concept implementation. The effective test duration was 260 seconds. The diagrams in Figure 3 show a number of successive peaks. Each peak (representing the amount of transmitted data) symbolizes one successfully processed CREW cycle. A CREW cycle was successful when the information passed all peers as described in Section III. The start of the next transmission cycle was only possible after a successful execution of a previous transmission cycle. As expected all peaks showed the same behavior because CREW is a sequential peer-to-peer process.

The dependency between the CREW data transfer behavior and selected data drop rates is depicted in Figure 4 and shows the influence of the packet drop rate on the transferred data volume per time and the resulting data delay in a successful CREW transmission.

During our tests we investigated the transmission behavior for drop rates up to 25%, based on a warning message containing 5 kB of random data. The results showed a rapidly increasing time delay in the information exchange between the peers. CREW cycle times for drop rates above 25% were estimated by an exponential extrapolation of the measured results (see Figure 5).

The effect of a delayed data transfer is also recognizable on network sections that are not directly affected. As an example, the transmission behavior on ’Gateway A’ is considered and represented in Figure 6. This element was not part of the disturbed sub-network. Nevertheless the influence of the disturbances in the far network can also be recognized clearly.

Fig. 3. Transmitted Data for Each Peer on Non-disturbed Communication

Fig. 4. Measured Time for CREW Cycles on ’Gateway D’ Regarding Increased Packet Drop Probability

This is based on the fact that all peers had to wait for the information sent from other peers to get data for their own processing. That means, in case of a disturbed transmission, all other peers also had to wait to get their necessary data for further processing. During this time it is not possible to start a new information exchange. It is recognizable that with an increasing drop rate the delay for the necessary information exchange (the CREW process) will also increase rapidly. Due to this fact it was also of interest how CREW performs in case of a failed network element.

B. Network Element Failure

The simulation also supported the analysis of what happened if one peer lost its connection completely for a certain time while CREW was running. Simulated timeouts of 60 and 180 seconds for a failure on ’Gateway D’ caused no problems for the tested CREW implementation. In this case the peers waited during this defined timeout for the necessary information from the other peers and then resumed their processing. After this timeout CREW was able to exchange data continuously. The continuation of the data transfer is shown in Figure 7. The simulation of a malfunction for a defined time and the resulting disruption of the CREW process as well as the continuity of the process after link re-establishment demonstrated the robustness of the CREW implementation against short-timed network failures.

Fig. 5. Estimated Transmission Time Due to Increased Dropped Packets

Fig. 6. Influence of Increased Packet Drop Probability on ’Gateway A’

Fig. 7. Node Failure for 60 and 180 seconds at ’Gateway D’

VI. SUMMARY

The validation by means of simulation shows that network degradation will not disable the information exchange completely between the peers but will influence the transmission times. Furthermore the simulation shows that network degradation, caused by cyber attacks in a sub-part of the communication network, also has influence on the CREW communication between uninvolved parts of the network. This can result in an increasing delay in information exchange and finally disable an established early warning system. Special restrictions regarding the packet latency have to be considered in the CREW processing. Large latencies on a CREW node should be avoided, otherwise all other participants could not exchange warning messages within this cycle. The test results showed that the CREW process requires measures to diminish the impact of failure of one or more peers. This can be a defined timeout per CREW cycle, i.e., the CREW process will be reset after a defined time and started again without the blocked peers. Another possibility to prevent CREW blockades by overloaded network sections could be the provisioning of a separate communication channel exclusively for CREW communications.
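The per-cycle timeout proposed above, as an added Python model that is not part of the paper or of the CREW implementation. It compares a lock-step process that waits for an unreachable peer with one that resets the cycle and restarts without the blocked peer; the per-peer delivery time, timeout, horizon and re-admission rule are constructed assumptions, and only the three-peer minimum and the 60 and 180 second outage lengths come from the text.

```python
"""Lock-step cycle model: one unreachable peer versus a per-cycle timeout.

All timing values are constructed for illustration; only the minimum of
three peers and the outage lengths (60 s, 180 s) come from the text above.
"""
MIN_PEERS = 3
INF = float("inf")


def deliver_at(peer, t, base, outages):
    """Time at which `peer` has delivered its input for a cycle started at t."""
    start, end = outages.get(peer, (INF, INF))
    done = t + base[peer]
    if done <= start or t >= end:
        return done
    return end + base[peer]          # delivered once the link is back


def simulate(base, outages, horizon, timeout=None):
    """Return (completed cycles, cycles run without some peer) within horizon.

    base:    seconds each peer needs to deliver its input in one cycle
    outages: peer -> (start, end) of a complete connection loss
    timeout: None models waiting for every peer; otherwise the cycle is
             reset after `timeout` seconds and restarted without late peers
    """
    t, completed, reduced = 0, 0, 0
    excluded = set()
    while True:
        # Re-admit peers whose outage is over (assumed to be detectable).
        excluded = {p for p in excluded
                    if t < outages.get(p, (INF, INF))[1]}
        active = [p for p in base if p not in excluded]
        arrivals = {p: deliver_at(p, t, base, outages) for p in active}
        if timeout is not None:
            late = {p for p, a in arrivals.items() if a > t + timeout}
            # Never drop below three peers: wait for the late peers instead.
            if late and len(active) - len(late) >= MIN_PEERS:
                excluded |= late
                t += timeout         # time lost before the reset
                continue
        end = max(arrivals.values())  # lock-step: the slowest peer decides
        if end > horizon:
            return completed, reduced
        completed += 1
        reduced += bool(excluded)    # cycle ran with a smaller group
        t = end


if __name__ == "__main__":
    base = {"A": 10, "B": 10, "C": 10, "D": 10}      # constructed
    for length in (60, 180):
        outage = {"D": (25, 25 + length)}
        print(length, simulate(base, outage, 260),
              simulate(base, outage, 260, timeout=30))
```

In this model the timeout keeps warnings flowing during the outage, at the price of cycles in which the originator is hidden among fewer peers.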

VII. CONCLUSION

The accomplished investigation confirmed that this extended Secure Multiparty Computation solution for mutual information exchange and distribution of warnings among a group of participating peers within an information sharing network provides the necessary robustness to be suitable for the deployment in early warning systems against cyber attacks. CREW therefore optimizes the warning exchange provided by SEPIA and could be used, e.g., to distribute warning messages between Mobile Network Operators.


VIII. FUTURE WORK

Resulting from this study there are three interesting topics toward which future work can be directed. First, there is an option to further improve the way the CREW implementation copes with collisions, such that overall the number of individual messages that are fed into a CREW network can be increased. Second is the scaling of the number of participants in the network. The limitations we used to design our implementation, namely support for fewer than ten parties, relate only to mobile network operators in one national domain. However, there are also scenarios beyond the mobile network operators which require a higher number of participants exchanging messages. Last but not least, CREW requires measures to diminish the impact of failure of one or more peers, as seen in the previous sections.

ACKNOWLEDGMENT

This work has been partially funded in the Project ASMONIA by the German Federal Ministry of Education and Research under the references 01BY1010 - 01BY1015. The authors would like to thank all their colleagues in the project that participated in the work directly or indirectly for their collaboration and discussions.

REFERENCES

[1] P. Lincoln and P. Porras, “Privacy-preserving Sharing and Correlation of Security Alerts,” in USENIX Security Symposium, 2004, pp. 239–254.

[2] M. Locasto, J. Parekh, V. Misra, and S. Stolfo, “Collaborative Distributed Intrusion Detection,” Columbia University, Tech. Rep., 2004.

[3] ASMONIA consortium, “Attack analysis and Security concepts for MObile Network infrastructures, supported by collaborative Information exchAnge,” http://www.asmonia.de/, 2013.

[4] A. C. Yao, “Protocols for secure computations,” Foundations of Computer Science, Annual IEEE Symposium on, vol. 0, pp. 160–164, 1982.

[5] P. Bogetoft, D. L. Christensen, I. Damgard, M. Geisler, T. Jakobsen, M. Krøigaard, J. D. Nielsen, J. B. Nielsen, K. Nielsen, J. Pagter, M. Schwartzbach, and T. Toft, Secure Multiparty Computation Goes Live. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 325–343. [Online]. Available: http://dl.acm.org/citation.cfm?id=1601990.1602018

[6] F. Kerschbaum, A. Schroepfer, A. Zilli, R. Pibernik, O. Catrina, S. de Hoogh, B. Schoenmakers, S. Cimato, and E. Damiani, “Secure collaborative supply-chain management,” Computer, vol. 44, no. 9, pp. 38–43, Sept. 2011.

[7] M. Burkhart, M. Strasser, D. Many, and X. Dimitropoulos, “Sepia: Privacy-preserving aggregation of multi-domain network events and statistics,” in 19th USENIX Security Symposium, Washington, DC, USA, Aug. 2010.

[8] M. Brunner, H. Hofinger, C. Roblee, P. Schoo, and S. Todt, “Anonymity and privacy in distributed early warning systems,” in CRITIS 2010: Proceedings of the 5th International Conference on Critical Information Infrastructures Security. LNCS, 2010, pp. 82–93.

[9] K. Lauter, M. Naehrig, and V. Vaikuntanathan, “Can homomorphic encryption be practical?” Cryptology ePrint Archive, Report 2011/405, 2011. [Online]. Available: http://eprint.iacr.org/

[10] D. Titze, H. Hofinger, and P. Schoo, “Using Secure Multiparty Computation for Collaborative Information Exchange,” Submitted for publication, 2013.

[11] I. M. Chapman, S. P. Leblanc, and A. Partington, “Taxonomy of cyber attacks and simulation of their effects,” in Proceedings of the 2011 Military Modeling & Simulation Symposium, ser. MMS ’11. San Diego, CA, USA: Society for Computer Simulation International, 2011, pp. 73–80. [Online]. Available: http://dl.acm.org/citation.cfm?id=2048558.2048569

[12] OPNET Technologies, Inc, “OPNET Modeler,” http://www.opnet.com/solutions/network rd/modeler.html, 2013.

[13] P. C., M. M., and Z. O., “Distributed denial of service attacks,” The Internet Protocol Journal, vol. 7, 2004.

[14] S. D. Unit, “Ictp-sdu: about pinger,” http://sdu.ictp.it/pinger/pinger.html, 2005.
