REMOTE ATTESTATION IN NETWORK

Abstract

The present disclosure relates to a remote attestation in a network. Embodiments provide a method comprising: attesting a first node in a network, by a node adjacent to the first node in the network; and generating an attestation result of the first node. A plurality of attestation results of the first node generated by a plurality of nodes adjacent to the first node in the network are combined to determine a credibility of the first node. In such embodiments, a fixed verifier for other nodes is eliminated, and a risk of a collapse due to a failure of such fixed verifier may be avoided.

Claims

1-60. (canceled)

61. An apparatus, comprising: at least one processor; and at least one memory comprising computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following: attest a first node in a network, by a node adjacent to the first node in the network; and generate an attestation result of the first node; wherein a plurality of attestation results of the first node generated by a plurality of nodes adjacent to the first node in the network are combined to determine a credibility of the first node.

62. The apparatus according to claim 61, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to: obtain the credibility of the first node; and disconnect from the first node, in response to the credibility of the first node indicating the first node is untrustworthy.

63. The apparatus according to claim 61, wherein in attesting the first node, the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to: obtain a credit value of the first node; determine whether the credit value is less than a credit threshold; and attest the first node, in response to the credit value being less than the credit threshold.

64. The apparatus according to claim 61, wherein in attesting the first node, the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to attest the first node periodically.

65. The apparatus according to claim 61, wherein in attesting the first node, the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to: send an attestation request to the first node; and receive an attestation response from the first node; wherein the attestation result is generated based on the attestation response.

66. The apparatus according to claim 65, wherein in generating the attestation result based on the attestation response, the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to: determine a response time of the first node; generate the attestation result indicating the attestation fails, in response to the response time is longer than a response time threshold; verify the attestation response, in response to the response time being less than the response time threshold; generate the attestation result indicating the attestation fails, in response to the attestation response being unsuccessfully verified; and generate the attestation result indicating the attestation succeeds, in response to the attestation response being successfully verified.

67. The apparatus according to claim 61, wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the apparatus to: detect an abnormal behavior of the first node; and report the abnormal behavior of the first node.

68. An apparatus, comprising: at least one processor; and at least one memory comprising computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following: obtain a plurality of attestation results of a first node from a plurality of second nodes adjacent to the first node in a network; and determine a credibility of the first node based on the plurality of attestation results.

69. The apparatus according to claim 68, wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the apparatus to: send the credibility of the first node to the plurality of second nodes; and report the credibility of the first node through a tree structure in the network.

70. The apparatus according to claim 68, wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the apparatus to: set, in response to the credibility of the first node indicating the first node is trustworthy, a credit value of the first node to a predetermined value.

71. The apparatus according to claim 68, wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the apparatus to: compare the credibility of the first node and the plurality of attestation results; reduce, in response to one of the plurality of attestation results is contrary to the credibility of the first node, a credit value of the second node of the plurality of second nodes corresponding to the one attestation result; and increase, in response to one of the plurality of attestation results corresponds to the credibility of the first node, a credit value of the second node of the plurality of second nodes corresponding to the one attestation result.

72. The apparatus according to claim 68, wherein in determining the credibility of the first node based on the plurality of attestation results, the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to: compute a confidence level of the first node based on the plurality of attestation results and credit values of the plurality of second nodes; and determine the credibility of the first node based on the confidence level.

73. The apparatus according to claim 72, wherein in determining the credibility of the first node based on the confidence level, the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus to: compare the confidence level with an attestation threshold; determine the credibility of the first node to indicate the first node is untrustworthy, in response to the confidence level being less than the attestation threshold; and determine the credibility of the first node to indicate the first node is trustworthy, in response to the confidence level being equal to or greater than the attestation threshold.

74. The apparatus according to claim 68, wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the apparatus to: receive a report of an abnormal behavior of the first node from a second node; reduce a credit value of the first node; and reduce a credit value of the second node.

75. An apparatus, comprising: at least one processor; and at least one memory comprising computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following: set a credit value for a plurality of nodes in a network, respectively; assign the plurality of nodes into a plurality of clusters; and select a third node with the highest credit value in a cluster as a cluster head; wherein the third node is configured to: obtain a plurality of attestation results of a first node from a plurality of second nodes adjacent to the first node in the cluster; and determine a credibility of the first node based on the plurality of attestation results.

76. The apparatus according to claim 75, wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the apparatus to: receive a report of the credibility of the first node; and check the first node, in response to the credibility of the first node indicating the first node is untrustworthy.

77. The apparatus according to claim 75, wherein a plurality of third nodes in the network are organized in a tree structure.

78. The apparatus according to claim 75, wherein the third node is reselected periodically.

79. The apparatus according to claim 75, wherein the third node is reselected, in response to a decrease of a credit value for the third node.

80. The apparatus according to claim 75, wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the apparatus to: fill a blank area in a memory with an incompressible noise, during an initialization for a node of the plurality of nodes.

Description

BRIEF DESCRIPTION OF DRAWINGS

[0031] Through the more detailed description of some embodiments of the present disclosure in the accompanying drawings, the above and other objects, features and advantages of the present disclosure will become more apparent, wherein the same reference generally refers to the same components in the embodiments of the present disclosure.

[0032] FIG. 1 is a schematic showing a network structure including a node to be attested in accordance with some embodiments.

[0033] FIG. 2 is a schematic showing a first exemplary method for attestation in the network in FIG. 1 in accordance with some embodiments;

[0034] FIG. 3 is a schematic showing an exemplary sub process of S201 and S202 in FIG. 2;

[0035] FIG. 4 is schematic showing other exemplary steps of method shown in FIG. 2 in accordance with some embodiments.

[0036] FIG. 5 is a schematic showing a second exemplary method for attestation in the network in FIG. 1 in accordance with some embodiments;

[0037] FIG. 6 is a schematic showing other exemplary steps of method shown in FIG. 5 in accordance with some embodiments;

[0038] FIG. 7 is a schematic showing a third exemplary method for attestation in the network in FIG. 1 in accordance with some embodiments;

[0039] FIG. 8 is a schematic showing a tree structure in the network;

[0040] FIG. 9 is a schematic showing other exemplary steps of method shown in FIG. 7 in accordance with some embodiments;

[0041] FIG. 10 is a schematic showing a memory layout of the first node during initialization; and

[0042] FIG. 11 is a simplified block diagram of various apparatuses which are suitable for use in practicing exemplary embodiments of the present disclosure.

DETAILED DESCRIPTION

[0043] Some of the embodiments contemplated herein will now be described more fully with reference to the accompanying drawings. Other embodiments, however, are contained within the scope of the subject matter disclosed herein, the disclosed subject matter should not be construed as limited to only the embodiments set forth herein; rather, these embodiments are provided by way of example to convey the scope of the subject matter to those skilled in the art.

[0044] Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and/or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein may be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments may apply to any other embodiments, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following description.

[0045] FIG. 1 is a schematic showing a network structure including a node to be attested in accordance with some embodiments.

[0046] In an exemplary network, a network owner 100 is responsible for the operation of the network. The network owner 100 manages nodes, for example including V.sub.10, V.sub.11, V.sub.12, V.sub.13, and V.sub.14. The network owner 100 may be any computing device capable of managing a network, such as a computer sever. The nodes in the network may be any electronic device capable of accessing network, such as a distributed industrial controller, a smart home device, or a wearable device. Communication link 104 between nodes V.sub.10, V.sub.11, V.sub.12, V.sub.13, and V14, or between a node and the network owner 100 may be established and maintained by the network owner 100. The communication link 104 may be based on either wired hardware connection or wireless hardware connection, and may use any kind of communication protocol. The communication link 104 show an exemplary logic link, which does not necessarily mean that the two nodes of the communication link 104 are limited to transfer signals with each other directly in physical. The communication link 104 may be established with one or more intermedia nodes, such as a signal transfer router.

[0047] For the security of the whole network, the nodes needs to be attested regularly. For example, the network owner 100 may periodically send a specified message to each node in the network, and determine an attestation result for each node based on a response for the specified message. Such attestation manner may also be called as a challengeresponse manner. This manner is easily to be implemented.

[0048] However, such manner may be inefficient in some case. In the network, the communication link between the node and the network owner 100 is usually indirect. The specified message has to pass through a plurality of intermediate nodes, thus the response time for the specified message would be unpredictable. The timing cost and the computing cost for the network owner 100 is increased. Further, without a predictable time limitation, an attacker may have enough time to forge or modify the response of a compromised node to pretend normal. Additionally, a periodical response for the specified message to the network owner 100 is also a burden for the node, since the node in the network, especially in IoT, is usually limited in energy capacity.

[0049] FIG. 2 is a schematic showing a first exemplary method for attestation in the network in FIG. 1 in accordance with some embodiments.

[0050] See FIG. 2, embodiments of the present disclosure introduce a method to further improve the attestation for a first node in the network. The method includes: step S201, attesting a first node in a network, by a node adjacent to the first node in the network, and step S202, generating an attestation result of the first node. A plurality of attestation results of the first node generated by a plurality of nodes adjacent to the first node in the network are combined to determine a credibility of the first node.

[0051] For the first node in the network, there usually are a plurality of second nodes adjacent to the first node. As an example, node V.sub.11 in FIG. 1 is illustrated as the first node 101 to be attested, and nodes V.sub.12, V.sub.13, V.sub.14 are illustrated as the plurality of second nodes 102 to implement the method shown in FIG. 2. 11, 12, 13, 14 are used as ID numbers for the nodes. Attestation interactions 105 exist between the first node 101 and the second nodes 102.

[0052] As shown in FIG. 2, each of the second nodes V.sub.12, V.sub.13, V.sub.14 may attest the first node V.sub.11. In such manner, one prover (the first node 101) may be attested by many verifiers (the second nodes 102). Therefore, a fixed verifier for other nodes is eliminated, and a risk of a collapse due to a failure of such fixed verifier may be avoided. This many-to-one attestation scheme would improve the security performance for the network, particularly for a network including many distributed nodes, such as swarms of IoT.

[0053] The method further includes: step S203, obtaining the credibility of the first node; and step S204, disconnecting from the first node, in response to the credibility of the first node indicating the first node is untrustworthy.

[0054] Namely, once the nodes V.sub.12, V.sub.13, V.sub.14 find that the node V.sub.11 is untrustworthy, they all disconnect form the node V.sub.11 immediately. Therefore, the damage due to a compromised node V.sub.11 may be limited.

[0055] The specific attestation interactions 105 may utilize any attestation strategy. As an example, an improved challenge-response strategy will be illustrated bellow.

[0056] FIG. 3 is a schematic showing an exemplary sub process of S201 and S202 in FIG. 2.

[0057] See FIG. 3, an attestation for the first node by a second node of the at least one second node may include: step S301, sending an attestation request to the first node; and step S302, receiving an attestation response from the first node. Then the attestation result may be generated based on the attestation response as in the following steps: step S303, determining a response time of the first node; step S304, generating the attestation result indicating the attestation fails, in response to the response time is longer than a response time threshold; step S305, verifying the attestation response, in response to the response time being less than the response time threshold; step S306, generating the attestation result indicating the attestation fails, in response to the attestation response being unsuccessfully verified; and step S307, generating the attestation result indicating the attestation succeeds, in response to the attestation response being successfully verified.

[0058] Taking the attestation interaction 105 between the node V.sub.11 and the node V.sub.12 as an example, in step S301, the node V.sub.12 sends a first message ch, as attestation request (also named as a challenge) to the node V.sub.11. The first message ch may contain a specifical identifier, such a nonce a which may also prevent replay attacks. The first node V.sub.11 uses the nonce a to produce a response r, and then sends a second message including the response r to the node V.sub.12. The second message may be encrypted by the node V.sub.11 to prevent accessing not from the node V.sub.12.

[0059] In step S302, the node V.sub.12 receives the second message, and obtains the response r. An attestation result b will be generated, based on the second message including the response r.

[0060] In step S303, the node V.sub.12 determines a response time of the first node, the response time is a time period form sending the first message to receiving the second message.

[0061] In step S304, the response time is verified at first. If the response time is longer than a response time threshold, the attestation fails, since the node V.sub.11 may be compromised to make extra calculation or process which need extra time. The strict time control improves the security of the network.

[0062] The node V.sub.12 records the time of sending the first message ch, and the time of receiving the second message. The time period from sending to receiving is calculated, and is compared with the response time threshold Tt, which is pre-determined. If the time period is larger than the response time threshold Tt, the first attestation result b is set as a value indicating failed, such as 1. The response time threshold Tt may be determined according to the specific type of the first node. A plurality of attestation tests may be done in a normal situation for the specific type of the first node previously, so as to collect the normal response time for this type of the first node. Then, the normal response time itself, or a value which is a little bigger than the normal response time may be used for the response time threshold Tt.

[0063] In step S305, if the response time is less than a response time threshold, the response r will be further verified. The response r is compared with an expected response re stored in the second node. As a usual example, the expected response re is calculated by the node V.sub.12, based on the nonce a and previously stored information, such as a specified calculation function previously exchanged with the node V.sub.11. The response r should correspond to the expected response re. For example, there may be a fixed relationship between them, or they may be just exactly the same.

[0064] In the step S306, if the response r does not correspond to the expected response re, the first attestation result b is set as a value indicating failed, such as 1. In the step S307, if the response time period is not larger than the response time threshold Tt, and the response r corresponds to expected response re, the first attestation result b is set as a value indicating passed, such as 1. It should be understood any other numeric may be adopted to indicate the result of failed or passed, such as 1 for passed, 0 for failed.

[0065] In embodiments of the present disclosure, adjacent nodes are utilized to attest a prover, which makes it much easier to estimate the time of attestation and improve the security performance of the network.

[0066] FIG. 4 is schematic showing other exemplary steps of method shown in FIG. 2 in accordance with some embodiments.

[0067] In embodiments of the present disclosure, attesting the first node includes: step S401, obtaining a credit value of the first node; step S402, determining whether the credit value is less than a credit threshold; and step S403, attesting the first node, in response to the credit value being less than the credit threshold.

[0068] The credit value of the first node is adjustable for indicating whether the first node needs attestation or not. As an example, for adjusting the credit value of the first node, the method further includes: step S404, detecting an abnormal behavior of the first node; and step S405, reporting the abnormal behavior of the first node. The report of the abnormal behavior will lead a decrease of the credit value of the first node.

[0069] The node V.sub.11 may have a credit value w.sub.11, initialized as 3. The credit value may be limited from 0 to 5. With an upper limitation, even the highest credit value is decreased quickly to trigger the attestation, in response to one or a few more abnormal behavior. A credit value threshold may be set to 1. In embodiments, the credit value threshold may be adjusted according to the actual situation.

[0070] Table 1 shows an exemplary abnormal behavior form, wherein the points for each abnormal behavior may be adjusted according to actual situation.

TABLE-US-00001 TABLE 1 Abnormal behavior form Abnormal behavior Points Abnormal request 1 Abnormal delay 1 Operation stopped 3 Unreasonable energy costs 2 Abnormal information transmission 1 Abnormal position movement 2

[0071] According to the table 1, when the node V.sub.12 detects an abnormal request form the node V.sub.11, the node V.sub.12 reports the detection of the abnormal request. The credit value w.sub.11 may be subtracted by, for example 1, to equal to 2. After several times, the credit value w.sub.11 may be subtracted to 0, which is less than 1. Accordingly, the attestation for the node V.sub.11 will be started due to this detection of its abnormal behavior.

[0072] Therefore, with the credit value and the detection of the abnormal behavior, the attestation for a node may be quickly implemented, as soon as the node behaves suspiciously.

[0073] As another example, the first node may be attested periodically. A valid time period of attestation may be used to trigger the attestation, additionally or alternatively with the credit value. If the first node joined the network for the first time, an attestation time certificate cert(t.sub.a, t.sub.e) will be issued to the first node. Wherein t.sub.a represents the time point of joining the network or the last attestation, and t.sub.e represents the valid time period of attestation. When another time point (t.sub.a+t.sub.e) is reached, the first node will be attested by its adjacent nodes. Namely, in every time period of t.sub.e, the first node will be attestated at least once. Thus, the situation that a node is never be attested may be avoided.

[0074] FIG. 5 is a schematic showing a second exemplary method for attestation in the network in FIG. 1 in accordance with some embodiments.

[0075] Embodiments of the present disclosure may provide a method, including: step S501, obtaining a plurality of attestation results of a first node from a plurality of second nodes adjacent to the first node in a network; and step S502, determining a credibility of the first node based on the plurality of attestation results.

[0076] The a plurality of second nodes V.sub.12, V.sub.13, V.sub.14 in FIG. 1 may produce a plurality of attestation results b.sub.12,11, b.sub.13,11, b.sub.14,11, wherein b.sub.12,11 means the attestation result to V.sub.11 made by V.sub.12, b.sub.13,11 means the attestation result to V.sub.11 made by V.sub.13, and b.sub.14,11 means the attestation result to V.sub.11 made by V.sub.14. These attestation results b.sub.12,11, b.sub.13,11, b.sub.14,11 may be further aggregated to generate a credibility.

[0077] As an example, in step S502, the attestation results may be directly summed up to obtain the credibility, since they are set as values as above described. The bigger the sum is, the more credible the first node is.

[0078] As another example, in S502, determining the credibility of the first node based on the plurality of attestation results includes: computing a confidence level of the first node based on the plurality of attestation results and credit values of the plurality of second nodes; and determining the credibility of the first node based on the confidence level.

[0079] In embodiments of the present disclosure, determining the credibility of the first node based on the confidence level includes: comparing the confidence level with an attestation threshold; determining the credibility of the first node to indicate the first node is untrustworthy, in response to the confidence level being less than the attestation threshold; and determining the credibility of the first node to indicate the first node is trustworthy, in response to the confidence level being equal to or greater than the attestation threshold.

[0080] In such steps, firstly, a normalized sum s.sub.j may be calculated by the following formula, as the confidence level:

[00001] $s_{j} = \frac{(b_{i, j} w_{i})}{.Math. .Math. w_{i}},$

wherein j is the ID number of the first node, i is the ID number of the second node. Since b.sub.i,j equals to 1 or 1, s.sub.j is value in a range from 1 to 1. As to the FIG. 1, the normalized sum s.sub.j is calculated accordingly:

[00002] $s_{1 .Math. 1} = \frac{b_{1 .Math. 2, 1 .Math. 1} w_{1 .Math. 2} + b_{1 .Math. 3, 1 .Math. 1} w_{1 .Math. 3} + b_{1 .Math. 4, 1 .Math. 1} w_{1 .Math. 4}}{w_{1 .Math. 2} + w_{1 .Math. 3} + w_{1 .Math. 4}},$

wherein W.sub.13 is the credit value for the node V.sub.13, and w.sub.14 is the credit value for the node V.sub.14.

[0081] An attestation threshold g indicates the evaluation standard. The bigger the attestation threshold g is, the harder it is for the node V.sub.11 to pass the attestation. For example, if the attestation threshold g is 1, the node V.sub.11 will pass the attestation only when every b.sub.i,j equals to 1. The attestation threshold g may be set to 0.5 as an example, which is selected form a range from 0 to 1.

[0082] Other formulas are presented to implement the calculation:

[00003] $e = \frac{s_{j}}{g};$ $f = {\begin{matrix} \frac{e - 1}{.Math. e - 1 .Math.}, & e 1 \\ 1, & otherwise \end{matrix}$

wherein e indicates the rate about s.sub.j and g, f is the credibility. According to the formulas, if s.sub.j is bigger than g, then e is bigger than 1, and f=1. If s.sub.j is less than g, then e is less than 1, and f=1. When e=1 or g=0, these formula needs not to be calculated, and the first node 101 is determined as passed. According to such formulas, the value of the credibility f has the same meaning with the attestation result b.sub.i,j, 1 indicates passed, 1 indicates failed. When the node V.sub.11 passes the attestation, the network owner 100 or the node V.sub.10 will increase the credit value w.sub.11 to be bigger than the credit value threshold, so as to stop the attestation process. When the first node 101 fails the attestation, the network owner 100 will disconnect the node V.sub.11 from other nodes. Additionally, the network owner 100 may take further check or report to a user or engineer, so as to isolate protect or recover the node V.sub.11. When the node V.sub.11 is trustworthy, the confidence level may be further used to set the new credit value, to close the attestation process. For example, the confidence level may be multiplied with the upper limitation of the credit value.

[0083] This aggregation process may be implemented by any node, such as one of second nodes V.sub.12, V.sub.13, and V.sub.14 which is further authorized, or just by the network owner 100. In FIG. 1, as an example, a node V.sub.10 is selected by the network owner 100 as a third node 103, to implement the aggregation process. The third node 103 may be also a cluster head in the network. The arrangement of node V.sub.10 may increase the speed of attestation, and reduce the burden of the network owner and the network transmission.

[0084] The method implemented at the third node further include: step S503, sending the credibility of the first node to the plurality of second nodes; and step S504, reporting the credibility of the first node through a tree structure in the network.

[0085] After the node V.sub.10 finished the aggregation process, the credibility is sent from the node V.sub.10 to the nodes V.sub.12, V.sub.13, and V.sub.14, and the network owner 100. The nodes and the network owner 100 then operates according to the credibility. For example, if the credibility indicates the node V.sub.11 is untrustworthy, as described above, the node V.sub.12, V.sub.13, and V.sub.14 will disconnect from the node V.sub.11. If the credibility indicates the node V.sub.11 is trustworthy, the nodes and the network owner will operate with the node V.sub.11 as normal, and the node V.sub.10 will set the credit value of the first node to a predetermined value as in step S505. The predetermined value may be just bigger than the credit value threshold, so as to close the attestation process.

[0086] Further, the node V.sub.10 may send the credibility to the network owner 100 through a tree structure in the network, to improve the transmission efficiency.

[0087] The attestation result b.sub.i,j and the credibility f may be further used to adjust the credit values of the second nodes 102, namely, nodes V.sub.12, V.sub.13, V.sub.14.

[0088] FIG. 6 is a schematic showing other exemplary steps of method shown in FIG. 5 in accordance with some embodiments.

[0089] The method further includes: S601, comparing the credibility of the first node and the plurality of attestation results; S602, reducing, in response to one of the plurality of attestation results is contrary to the credibility of the first node, a credit value of the second node of the plurality of second nodes corresponding to the one attestation result; and S603, increasing, in response to one of the plurality of attestation results corresponds to the credibility of the first node, a credit value of the second node of the plurality of second nodes corresponding to the one attestation result.

[0090] As the example described above, the credibility of the first node and the attestation result are all represented as number 1, or 1. When they are the same, they correspond to each other, and when they are different, they are contrary with each other. For example, for the node V.sub.12, if the first attestation b.sub.12,11 (1) is different with the credibility f(1), the credit value w.sub.12 for the node V.sub.12 is reduced. Otherwise, if they are the same, the credit value w.sub.12 for the node V.sub.12 is increased. Therefore, the credit value, namely, the weight for attestation of the second nodes 102 can be adjusted dynamically after each attestation.

[0091] For adjustment for the credit value with abnormal behavior detection, the method further includes: receiving a report of an abnormal behavior of the first node from a second node; reducing a credit value of the first node; and reducing a credit value of the second node.

[0092] For example, when the node V.sub.12 reports the detection of the abnormal behavior of the node V.sub.11, a credit value w.sub.12 for the node V.sub.12 may also be reduced, so as to avoid malicious report. The reduction of the credit value for the second node may be proportional to the reduction of the credit value for the first node, so as to avoid a too strict rule for the reporter. The proportional rate may be 0.5, thus in this example, the credit value w.sub.12 for the node V.sub.12 may be subtracted by 0.5.

[0093] If the credit value w.sub.12 is also less than the credit value threshold, an attestation for the node V.sub.12 may also be implemented after the attestation for the node V.sub.11. Namely, a role of one node in the network is not limited. The node may be a prover (first node) when itself needs to be attested, and may be a verifier (second node) when an adjacent node needs to be attested.

[0094] FIG. 7 is a schematic showing a third exemplary method for attestation in the network in FIG. 1 in accordance with some embodiments.

[0095] The method includes: step S701, setting a credit value for a plurality of nodes in a network, respectively; step S702, assigning the plurality of nodes into a plurality of clusters; and step S703, selecting a third node with the highest credit value in a cluster as a cluster head. The third node is configured to: obtain a plurality of attestation results of a first node from a plurality of second nodes adjacent to the first node in the cluster; and determine a credibility of the first node based on the plurality of attestation results.

[0096] In step S701, the credit value for each node may be set by the network owner when the network is created and initialized. When a new node is insert to the network, a new credit value for the new node is created and broadcasted to relevant nodes, such as adjacent nodes. Each node may record a credit value table to store credit values for its relevant nodes. When a node received a new credit value broadcasting, if it relates to a relevant node, the new credit value will be added to or refreshed in the credit value table, otherwise the new credit value will be discarded.

[0097] In step S703, the third node 103, namely, a cluster head, is selected based on the credit value. For example, a third node with a highest credit value in a cluster in the network is selected, for obtaining the credibility based on the plurality of attestation result. Namely, in embodiments, the node V.sub.10 is selected, since its credit value w.sub.10 is higher than nodes V.sub.11, V.sub.12, V.sub.13, and V.sub.14.

[0098] With the credit value as a standard, the third node 103 may be periodically reselected. Further, if the credit value for the current third node 103 decreases, the network owner 100 may reselect a new third node 103 immediately. They security performance is further improved.

[0099] The number of cluster heads is determined by the size of the swarm. The selection of cluster heads should take into account the distance between each other so that the cluster heads could distribute as evenly as possible in the swarm. The remaining nodes connect to their nearest cluster head, to form clusters.

[0100] The method further includes: step S704, receiving a report of the credibility of the first node; and step S705, checking the first node, in response to the credibility of the first node indicating the first node is untrustworthy. After the node V.sub.10 report the credibility of the node V.sub.11 indicating the first node is untrustworthy to the network owner 100, the network owner 100 may remove or reconnect the node V.sub.11 according to the result of checking. Or, with a strict security strategy, the network owner 100 may directly remove the node V.sub.11 from the network without checking.

[0101] FIG. 8 is a schematic showing a tree structure in the network. Several cluster heads (the third nodes 103, namely, nodes V.sub.10, V.sub.20, V.sub.30, V.sub.40, V.sub.50, V.sub.60, V.sub.70, V.sub.80 . . . ) and network owner 100 may be organized in a tree structure according to the proximity principle as shown in FIG. 8. Other nodes (such as V.sub.11, V.sub.12, V.sub.13, and V.sub.14) will send their current credit values and the identifiers to the cluster heads (such as V.sub.10) when connecting. The network owner 100 holds the credit values of all nodes.

[0102] As shown in FIG. 8, the credibility is transmitted form the third nodes 103 to the network owner 100 through a tree-structure in the network. Tree structure in the network can support parallel computing much easier, so as to improving the efficiency of information transfer. Further, utilizing multi-hop message transmission through cluster heads and controlling single-hop transmission distance into a certain range can tremendously reduce the energy cost, since a long distance single hop transmission will be eliminated. Specifically, if all nodes are concentrated in a certain area, there may be only one cluster without the need of multi-hop data transmission.

[0103] FIG. 9 is a schematic showing other exemplary steps of method shown in FIG. 7 in accordance with some embodiments.

[0104] A proper preparation for attestation may be finished during initialization of a newly added node, so as to improve the efficiency. Still taking the node V.sub.11 as a newly added node for example, in step S901, the network owner 100 initializes the node V.sub.11, to generate the basic configuration of V.sub.11, including a secret key sk.sub.11, a public key pk.sub.11, an identity certificate cert(pk.sub.11), an code certificate cert(h.sub.11), an credit value w.sub.11 with an initial number, the maximum attestation time t.sub.11 and a unique device identifier d.sub.11. The maximum attestation time t.sub.11 may be used as the response time threshold Tt for node V.sub.11, when the node V.sub.11 is attested.

[0105] The initialization process may be illustrated as the following formula:

initial (V.sub.i: h.sub.i).fwdarw.(sk.sub.i, pk.sub.i, cert(pk.sub.i), cert(h.sub.i), w.sub.i, t.sub.i, d.sub.i),

wherein i means the ID number of the node, such as 11, h.sub.i means a hash code of V.sub.i.

[0106] In step S702, the node V.sub.11 is linked to other nodes, such as the node V.sub.12. They exchange their code certificates, identity certificates, device identifiers, maximum attestation time and the current credit values. Then they will generate a symmetric keys kg, based on their secret keys and code certificates. The initialization process may be illustrated as the following formula:

link [V.sub.i: sk.sub.i; V.sub.j: sk.sub.j;*: cert(pk.sub.i),cert(pk.sub.i),cert(h.sub.i),cert(h.sub.j), t.sub.i,t.sub.j,d.sub.i, d.sub.j, w.sub.i, w.sub.j].fwdarw.[V.sub.i: k.sub.i; V.sub.j:k.sub.i,j];

wherein i means one ID number of the node, such as 11, and j means another ID number of the node, such as 12. The node V.sub.11 will be able to send a message encrypted with the symmetric key k.sub.11,12 to the node V.sub.12and this encrypted message cannot be decrypted by nodes other than the node V.sub.12. The security performance for normal communication and attestation will be further improved. The utilization of the symmetric key will improve the efficiency.

[0107] During initialization for the node V.sub.11, other steps may also be used for improve the security. For example, a blank area in a memory of the first node may be filled with an incompressible noise, during an initialization for the first node.

[0108] FIG. 10 is a schematic showing a memory layout of the first node during initialization. See FIG. 10, in an original memory layout (a) including original code without the noise, attackers can easily use the blank area to store the original code and do not change the hash code of the whole program at the same time. The memory layout after attack (b) shows the malicious code, original code and blank area. However, if the blank area is filled with incompressible noise, as shown in the memory layout with noise (c), attackers can only delete part of the noise space to store the malicious code, as shown in the memory layout with noise after attack (d). In that case, they also change the hash code which could be detected by the attestation program.

[0109] FIG. 11 is a simplified block diagram of various apparatuses which are suitable for use in practicing exemplary embodiments of the present disclosure. In FIG. 11, the network owner 100 may include a data processor (DP) 100A, a memory (MEM) 100B that stores a program (PROG) 100C, and a suitable transceiver 100D for communicating with nodes in the network. The first node 101 may include a data processor (DP) 101A, a memory (MEM) 101B that stores a program (PROG) 101C, and a suitable transceiver 101D for communicating with an apparatus such as the second node 102. Similarly, the second node 102 may include a data processor (DP) 102A, a memory (MEM) 102B that stores a program (PROG) 102C, and a suitable transceiver 102D for communicating with an apparatus such as the first node 101. Similarly, the third node 103 may include a data processor (DP) 103A, a memory (MEM) 103B that stores a program (PROG) 103C, and a suitable transceiver 103D for communicating with an apparatus such as the second node 102, or the network owner 100.

[0110] For example, at least one of the transceivers 101D, 102D, 103D, 100D may be an integrated component for transmitting and/or receiving signals and messages. Alternatively, at least one of the transceivers 101D, 102D, 103D, 100D may include separate components to support transmitting and receiving signals/messages, respectively. The respective DPs 101A, 102A, 103A and 100A may be used for processing these signals and messages.

[0111] Alternatively or additionally, the first node 101, the second node 102, the third node 103 and the network owner 100 may include various means and/or components for implementing functions of the foregoing steps and methods described above. For example, the second node 102 may include: attesting means for attesting a first node 101 in a network, and generating means for generating an attestation result of the first node. The third node 103 may include: obtaining means for a plurality of attestation results of a first node from a plurality of second nodes 102 adjacent to the first node 101 in a network, and determining means for determining a credibility of the first node based on the plurality of attestation results. The network owner 100 may include: setting means for setting a credit value for a plurality of nodes in a network (such as the first node 101, the second node 102, and the third node 103), respectively; and assigning means for assigning the plurality of nodes (such as the first node 101, the second node 102, and the third node 103) into a plurality of clusters; and selecting means for selecting a third node 103 with the highest credit value in a cluster as a cluster head.

[0112] At least one of the PROGs 101C, 102C, 103C, 100C is assumed to include program instructions that, when executed by the associated DP, enable an apparatus to operate in accordance with the exemplary embodiments, as discussed above. That is, the exemplary embodiments of the present disclosure may be implemented at least in part by computer software executable by the DP 101A of the first node 101, by the DP 102A of the second node 102, by the DP 103A of the third node 103, and by the DP 100A of the network owner 100, or by hardware, or by a combination of software and hardware.

[0113] The MEMs 101B, 102B, 103B and 100B may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor based memory devices, flash memory, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory. The DPs 101A, 102A, 103A and 100A may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multi-core processor architectures, as non-limiting examples.

[0114] In general, the various exemplary embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. For example, some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the disclosure is not limited thereto. While various aspects of the exemplary embodiments of this disclosure may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.

[0115] It will be appreciated that at least some aspects of the exemplary embodiments of the disclosures may be embodied in computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The computer executable instructions may be stored on a computer readable medium such as a hard disk, optical disk, removable storage media, solid state memory, random access memory (RAM), etc. As will be realized by one of skills in the art, the functionality of the program modules may be combined or distributed as desired in various embodiments. In addition, the functionality may be embodied in whole or in part in firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like.

[0116] Although specific embodiments of the disclosure have been disclosed, those having ordinary skills in the art will understand that changes can be made to the specific embodiments without departing from the spirit and scope of the disclosure. The scope of the disclosure is not to be restricted therefore to the specific embodiments, and it is intended that the appended claims cover any and all such applications, modifications, and embodiments within the scope of the present disclosure.

[0117] This listing of claims will replace all prior versions, and listings, of claims in the application:

REMOTE ATTESTATION IN NETWORK

Inventors

Cpc classification

Classification Explorer

H04W84/18

ELECTRICITY

Classification Explorer

H04L2463/121

ELECTRICITY

Classification Explorer

G06F21/305

PHYSICS

Classification Explorer

H04L63/1433

ELECTRICITY

Classification Explorer

G06F21/44

PHYSICS

Classification Explorer

H04W12/66

ELECTRICITY

Classification Explorer

H04L63/1483

ELECTRICITY

Classification Explorer

H04L63/1425

ELECTRICITY

Classification Explorer

G06F21/577

PHYSICS

International classification

Classification Explorer

H04L29/06

ELECTRICITY

Abstract

Claims

Description