Visible to the public APIs 2015 (Part 1)Conflict Detection Enabled

SoS Newsletter- Advanced Book Block


SoS Logo


2015 (Part 1)


Applications Programming Interfaces, APIs, are definitions of interfaces to systems or modules. As code is reused, more and more are modified from earlier code. For the Science of Security community, the problems of compositionality and resilience are direct. The research work cited here was presented in 2015.

A. Masood and J. Java, “Static Analysis for Web Service Security — Tools & Techniques for a Secure Development Life Cycle,” Technologies for Homeland Security (HST), 2015 IEEE International Symposium on, Waltham, MA, 2015, pp. 1-6. doi: 10.1109/THS.2015.7225337
Abstract: In this ubiquitous IoT (Internet of Things) era, web services have become a vital part of today's critical national and public sector infrastructure. With the industry wide adaptation of service-oriented architecture (SOA), web services have become an integral component of enterprise software eco-system, resulting in new security challenges. Web services are strategic components used by wide variety of organizations for information exchange on the internet scale. The public deployments of mission critical APIs opens up possibility of software bugs to be maliciously exploited. Therefore, vulnerability identification in web services through static as well as dynamic analysis is a thriving and interesting area of research in academia, national security and industry. Using OWASP (Open Web Application Security Project) web services guidelines, this paper discusses the challenges of existing standards, and reviews new techniques and tools to improve services security by detecting vulnerabilities. Recent vulnerabilities like Shellshock and Heartbleed has shifted the focus of risk assessment to the application layer, which for majority of organization means public facing web services and web/mobile applications. RESTFul services have now become the new service development paradigm normal; therefore SOAP centric standards such as XML Encryption, XML Signature, WS-Security, and WS-SecureConversation are nearly not as relevant. In this paper we provide an overview of the OWASP top 10 vulnerabilities for web services, and discuss the potential static code analysis techniques to discover these vulnerabilities. The paper reviews the security issues targeting web services, software/program verification and security development lifecycle.
Keywords: Web services; program diagnostics; program verification; security of data; Heartbleed; Internet of Things; Internet scale; OWASP; Open Web Application Security Project; RESTFul services; SOAP centric standards; Shellshock; WS-SecureConversation; WS-security; Web applications; Web service security; Web services guidelines; XML encryption; XML signature; critical national infrastructure; dynamic analysis; enterprise software ecosystem; information exchange; mission critical API; mobile applications; national security and industry; program verification; public deployments; public sector infrastructure; risk assessment; secure development life cycle; security challenges; service development paradigm; service-oriented architecture; services security; software bugs; software verification; static code analysis; strategic components; ubiquitous IoT; vulnerabilities detection; vulnerability identification; Computer crime; Cryptography; Simple object access protocol; Testing; XML; Cyber Security; Penetration Testing; RESTFul API; SOA; SOAP; Secure Design; Secure Software Development; Security Code Review; Service Oriented Architecture; Source Code Analysis; Static Analysis Tool; Static Code Analysis; Web Application security; Web Services; Web Services Security (ID#: 16-10020)


L. Tang, Liubo Ouyang and W. T. Tsai, “Multi-factor Web API Security for Securing Mobile Cloud,” Fuzzy Systems and Knowledge Discovery (FSKD), 2015 12th International Conference on, Zhangjiajie, 2015, pp. 2163-2168. doi: 10.1109/FSKD.2015.7382287
Abstract: Mobile Cloud Computing is gaining more popularity in both mobile users and enterprises. With mobile-first becoming enterprise IT strategy and more enterprises exposing their business services to mobile cloud through Web API, the security of mobile cloud computing becomes a main concern and key successful factor as well. This paper shows the security challenges of mobile cloud computing and defines an end-to-end secure mobile cloud computing reference architecture. Then it shows Web API security is a key to the end-to-end security stack and specifies traditional API security mechanism and two multi-factor Web API security strategy and mechanism. Finally, it compares the security features provided by ten API gateway providers.
Keywords: application program interfaces; cloud computing; mobile computing; security of data; API gateway providers; API security mechanism; business services; end-to-end secure mobile cloud computing; enterprise IT strategy; mobile cloud computing; mobile users; multifactor Web API security; securing mobile cloud; Authentication; Authorization; Business; Cloud computing; Mobile communication; end-to-end; mobile cloud; security mechanism; web API (ID#: 16-10021)


M. F. F. Khan and K. Sakamura, “Tamper-Resistant Security for Cyber-Physical Systems with eTRON Architecture,” 2015 IEEE International Conference on Data Science and Data Intensive Systems, Sydney, NSW, 2015, pp. 196-203. doi: 10.1109/DSDIS.2015.98
Abstract: This article posits tamper-resistance as a necessary security measure for cyber-physical systems (CPS). With omnipresent connectivity and pervasive use of mobile devices, software security alone is arguably not sufficient to safeguard sensitive digital information we use everyday. As a result, utilization of a variety of tamper-resistant devices - including smartcards, secure digital cards with integrated circuits, and mobile phones with subscriber identity module - has become standard industry practice. Recognizing the need for effective hardware security alongside software security, in this paper, we present the eTRON architecture - at the core of which lies the tamper-resistant eTRON chip, equipped with functions for mutual authentication, encrypted communication and access control. Besides the security features, the eTRON architecture also offers a wide range of functionalities through a coherent set of application programming interfaces (API) leveraging tamper-resistance. In this paper, we discuss various features of the eTRON architecture, and present two representative eTRON-based applications with a view to evaluating its effectiveness by comparing with other existing applications.
Keywords: authorisation; cyber-physical systems; electronic commerce; smart cards; ubiquitous computing; API; CPS; application programming interfaces; cyber-physical systems; eTRON architecture; hardware security; integrated circuits; mobile phones; secure digital cards; security features; smartcards; software security; subscriber identity module; tamper-resistant devices; tamper-resistant security; Access control; Authentication; Computer architecture; Cryptography; Hardware; Libraries; CPS; Tamper-resistance; access control; authentication; e-commerce; secure filesystem; smartcards (ID#: 16-10022)


Y. Sun, S. Nanda and T. Jaeger, “Security-as-a-Service for Microservices-Based Cloud Applications,” 2015 IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom), Vancouver, BC, 2015, pp. 50-57. doi: 10.1109/CloudCom.2015.93
Abstract: Microservice architecture allows different parts of an application to be developed, deployed and scaled independently, therefore becoming a trend for developing cloud applications. However, it comes with challenging security issues. First, the network complexity introduced by the large number of microservices greatly increases the difficulty in monitoring the security of the entire application. Second, microservices are often designed to completely trust each other therefore compromise of a single microservice may bring down the entire application. The problems are only exacerbated by the cloud, since applications no longer have complete control over their networks. In this paper, we propose a design for security-as-a-service for microservices-based cloud applications. By adding a new API primitive FlowTap for the network hypervisor, we build a flexible monitoring and policy enforcement infrastructure for network traffic to secure cloud applications. We demonstrate the effectiveness of our solution by deploying the Bro network monitor using FlowTap. Results show that our solution is flexible enough to support various kinds of monitoring scenarios and policies and it incurs minimal overhead (~6%) for real world usage. As a result, cloud applications can leverage our solution to deploy network security monitors to flexibly detect and block threats both external and internal to their network.
Keywords: application program interfaces; cloud computing; security of data; trusted computing; API primitive FlowTap; Bro network monitor; microservice-based cloud applications; network hypervisor; policy enforcement infrastructure; security-as-a-service; Cloud computing; Complexity theory; Computer architecture; DVD; Electronic mail; Monitoring; Security; microservices; network monitoring; security (ID#: 16-10023)


W. You et al., “Promoting Mobile Computing and Security Learning Using Mobile Devices,” Integrated STEM Education Conference (ISEC), 2015 IEEE, Princeton, NJ, 2015, pp. 205-209. doi: 10.1109/ISECon.2015.7119924
Abstract: It is of vital importance to provide mobile computing and security education to students in the computing fields. As the mobile applications become increasingly popular and inexpensive ways for people to communicate, share information and take advantage of convenient functionality in people's daily lives, they also regularly attract the interests of malicious attackers. Malware and spyware that may damage smart phones or steal sensitive information are also growing in every aspect of people's lives. Another concern lies in insecure mobile application development. This kind of programming makes mobile devices more vulnerable. For example, some insecure exposures of the APIs or the abuse of some components while developing apps will make the applications suffer from potential threats. Although many academic institutions have started to or planned to offer mobile computing courses, there is a shortage of hands-on lab modules and resources that can be integrated into multiple existing computing courses. In this paper, we present our development on mobile computing and security hands-on Labs and share our experiences in teaching courses on mobile computing and security with students' learning feedback using Android mobile devices.
Keywords: Android (operating system); computer science education; invasive software; mobile computing; smart phones; teaching; API; Android mobile devices; hands-on lab modules; malicious attackers; malware; mobile application development; mobile computing and security education; mobile computing courses; mobile computing hands-on labs; mobile security hands-on labs; sensitive information; spyware; student learning feedback; teaching; Mobile communication; Mobile computing; Programming; Security; Smart phones; Android development; Mobile security education; Secure programming (ID#: 16-10024)


S. Hosseinzadeh, S. Rauti, S. Hyrynsalmi and V. Leppanen, “Security in the Internet of Things Through Obfuscation and Diversification,” Computing, Communication and Security (ICCCS), 2015 International Conference on, Pamplemousses, 2015, pp. 1-5. doi: 10.1109/CCCS.2015.7374189
Abstract: Internet of Things (IoT) is composed of heterogeneous embedded and wearable sensors and devices that collect and share information over the Internet. This may contain private information of the users. Thus, securing the information and preserving the privacy of the users are of paramount importance. In this paper we look into the possibility of applying the two techniques, obfuscation and diversification, in IoT. Diversification and obfuscation techniques are two outstanding security techniques used for proactively protecting the software and code. We propose obfuscating and diversifying the operating systems and APIs on the IoT devices, and also some communication protocols enabling the external use of IoT devices. We believe that the proposed ideas mitigate the risk of unknown zero-day attacks, large-scale attacks, and also the targeted attacks.
Keywords: Internet of Things; application program interfaces; operating systems (computers); security of data; API; IoT; diversification techniques; obfuscation techniques; operating systems; security techniques; Apertures; Feeds; Impedance; Radar antennas; Substrates; Wireless LAN; diversification; obfuscation; privacy; security (ID#: 16-10025)


M. A. Saied, O. Benomar, H. Abdeen and H. Sahraoui, “Mining Multi-level API Usage Patterns,” 2015 IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering (SANER), Montreal, QC, 2015, pp. 23-32. doi: 10.1109/SANER.2015.7081812
Abstract: Software developers need to cope with complexity of Application Programming Interfaces (APIs) of external libraries or frameworks. However, typical APIs provide several thousands of methods to their client programs, and such large APIs are difficult to learn and use. An API method is generally used within client programs along with other methods of the API of interest. Despite this, co-usage relationships between API methods are often not documented. We propose a technique for mining Multi-Level API Usage Patterns (MLUP) to exhibit the co-usage relationships between methods of the API of interest across interfering usage scenarios. We detect multi-level usage patterns as distinct groups of API methods, where each group is uniformly used across variable client programs, independently of usage contexts. We evaluated our technique through the usage of four APIs having up to 22 client programs per API. For all the studied APIs, our technique was able to detect usage patterns that are, almost all, highly consistent and highly cohesive across a considerable variability of client programs.
Keywords: application program interfaces; data mining; software libraries; MLUP; application programming interface; multilevel API usage pattern mining; Clustering algorithms; Context; Documentation; Graphical user interfaces; Java; Layout; Security; API Documentation; API Usage; Software Clustering; Usage Pattern (ID#: 16-10026)


M. N. Aneci, L. Gheorghe, M. Carabas, S. Soriga and R. A. Somesan, “SDN-based Security Mechanism,” 2015 14th RoEduNet International Conference - Networking in Education and Research (RoEduNet NER), Craiova, 2015, pp. 12-17. doi: 10.1109/RoEduNet.2015.7311820
Abstract: Nowadays most hardware configurations are being replaced with software configurations in order to virtualize everything is possible. At this rate, in the networking research domain, the concept of Software Defined Network (SDN) is evolving. This paper proposes an SDN-based security mechanism that provides confidentiality and integrity by using custom cryptographic algorithms between two routers. The mechanism is able to secure for both TCP and UDP traffic. It provides the possibility to choose what information to secure: the Layer 4 header and Layer 7 payload, or just the Layer 7 payload. The implementation of the proposed security mechanism relies on the Cisco model for SDN and is using OnePK API.
Keywords: computer network security; cryptography; software defined networking; transport protocols; OnePK API; SDN-based security mechanism; TCP traffic; UDP traffic; application program interface; cryptographic algorithms; software configuration; software defined network; transport control protocol; user defined protocol; Decision support systems; Cisco; Software Defined Networking; confidentiality; custom encryption; integrity; onePK (ID#: 16-10027)


R. Beniwal, P. Zavarsky and D. Lindskog, “Study of Compliance of Apple's Location based APIs with Recommendations of the IETF Geopriv,” 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), London, 2015, pp. 214-219. doi: 10.1109/ICITST.2015.7412092
Abstract: Location Based Services (LBS) are services offered by smart phone applications which use device location data to offer the location-related services. Privacy of location information is a major concern in LBS applications. This paper compares the location APIs of iOS with the IETF Geopriv architecture to determine what mechanisms are in place to protect location privacy of an iOS user. The focus of the study is on the distribution phase of the Geopriv architecture and its applicability in enhancing location privacy on iOS mobile platforms. The presented review shows that two iOS APIs features known as Geocoder and turning off location services provide to some extent location privacy for iOS users. However, only a limited number of functionalities can be considered as compliant with Geopriv's recommendations. The paper also presents possible ways how to address limited location privacy offered by iOS mobile devices based on Geopriv recommendations.
Keywords: application program interfaces; data privacy; iOS (operating system); recommender systems; smart phones; Apple location based API; Geocoder; Geopriv recommendation; IETF Geopriv architecture; LBS; device location data; distribution phase; iOS mobile device; iOS mobile platform; iOS user; location based service; location information privacy; location privacy; location-related service; off location service; smart phone application; Global Positioning System; Internet; Mobile communication; Operating systems; Privacy; Servers; Smart phones; APIs; Geopriv; iOS; location information (ID#: 16-10028)


A. Alotaibi and A. Mahmmod, “Enhancing OAuth Services Security by an Authentication Service with Face Recognition,” Systems, Applications and Technology Conference (LISAT), 2015 IEEE Long Island, Farmingdale, NY, 2015, pp. 1-6. doi: 10.1109/LISAT.2015.7160208
Abstract: Controlling secure access to web Application Programming Interfaces (APIs) and web services has become more vital with advancement and use of the web technologies. The security of web services APIs is encountering critical issues in managing authenticated and authorized identities of users. Open Authorization (OAuth) is a secure protocol that allows the resource owner to grant permission to a third-party application in order to access the resource owner's protected resource on their behalf, without releasing their credentials. Most web APIs are still using the traditional authentication which is vulnerable to many attacks such as man-in-the middle attack. To reduce such vulnerability, we enhance the security of OAuth through the implementation of a biometric service. We introduce a face verification system based on Local Binary Patterns as an authentication service handled by the authorization server. The entire authentication process consists of three services: Image registration service, verification service, and access token service. The developed system is most useful in securing those services where a human identification is required.
Keywords: Web services; application program interfaces; authorisation; biometrics (access control); face recognition; image registration; OAuth service security; Web application programming interfaces; Web services API; Web technologies; access token service; authentication service; authorization server; biometric service; face verification system; human identification; image registration service; local binary patterns; open authorization; resource owner protected resource; third-party application; verification service; Authentication; Authorization; Databases; Protocols; Servers; Access Token; Face Recognition; OAuth; Open Authorization; Web API; Web Services (ID#: 16-10029)


G. Suddul, K. Nundran, J. L. K. Cheung and M. Richomme, “Rapid Prototyping with a Local Geolocation API,” Computing, Communication and Security (ICCCS), 2015 International Conference on, Pamplemousses, 2015, pp. 1-4. doi: 10.1109/CCCS.2015.7374192
Abstract: Geolocation technology provides the ability to target content and services to users visiting specific locations. There is an expanding growth of device features and Web Application Programming Interfaces (APIs) supporting the development of applications with geolocation services on mobile platforms. However, to be effective, these applications rely on the availability of broadband networks which are not readily available in various developing countries, especially Africa. We propose a geolocation API for the Orange Emerginov Platform which keeps geolocation data in an offline environment and periodically synchronises with its online database. The API also has a set of new features like categorisation and shortest path. It has been successfully implemented and tested with geolocation data of Mauritius, consumed by mobile applications. Our result demonstrates reduction of response time around 80% for some features, when compared with other online Web APIs.
Keywords: application program interfaces; mobile computing; software prototyping; Mauritius; Orange Emerginov Platform; application programming interfaces; local geolocation API; mobile applications; rapid prototyping; Artificial neural networks; Computational modeling; Industries; Liquids; Mathematical model; Process control; Training; OSM geolocation API; Web API; geolocation; micro-services (ID#: 16-10030)


P. Sun, S. Chandrasekaran, S. Zhu and B. Chapman, “Deploying OpenMP Task Parallelism on Multicore Embedded Systems with MCA Task APIs,” High Performance Computing and Communications (HPCC), 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS), 2015 IEEE 17th International Conference on, New York, NY, 2015, pp. 843-847. doi: 10.1109/HPCC-CSS-ICESS.2015.88
Abstract: Heterogeneous multicore embedded systems are rapidly growing with cores of varying types and capacity. Programming these devices and exploiting the hardware has been a real challenge. The programming models and its execution are typically meant for general purpose computation, they are mostly too heavy to be adopted for the resource-constrained embedded systems. Embedded programmers are still expected to use low-level and proprietary APIs, making the software built less and less portable. These challenges motivated us to explore how OpenMP, a high-level directive-based model, could be used for embedded platforms. In this paper, we translate OpenMP to Multicore Association Task Management API (MTAPI), which is a standard API for leveraging task parallelism on embedded platforms. Our results demonstrate that the performance of our OpenMP runtime library is comparable to the state-of-the-art task parallel solutions. We believe this approach will provide a portable solution since it abstracts the low-level details of the hardware and no longer depends on vendor-specific API.
Keywords: application program interfaces; embedded systems; multiprocessing systems; parallel processing; MCA; MTAPI; OpenMP runtime library; OpenMP task parallelism; heterogeneous multicore embedded system; high-level directive-based model; multicore association task management API; multicore embedded system; resource-constrained embedded system; vendor-specific API; Computational modeling; Embedded systems; Hardware; Multicore processing; Parallel processing; Programming; Heterogeneous Multicore Embedded Systems; MTAPI; OpenMP; Parallel Computing (ID#: 16-10031)


N. Kawaguchi and K. Omote, “Malware Function Classification Using APIs in Initial Behavior,” Information Security (AsiaJCIS), 2015 10th Asia Joint Conference on, Kaohsiung, 2015, pp. 138-144. doi: 10.1109/AsiaJCIS.2015.15
Abstract: Malware proliferation has become a serious threat to the Internet in recent years. Most of the current malware are subspecies of existing malware that have been automatically generated by illegal tools. To conduct an efficient analysis of malware, estimating their functions in advance is effective when we give priority to analyze. However, estimating malware functions has been difficult due to the increasing sophistication of malware. Although various approaches for malware detection and classification have been considered, the classification accuracy is still low. In this paper, we propose a new classification method which estimates malware's functions from APIs observed by dynamic analysis on a host. We examining whether the proposed method can correctly classify unknown malware based on function by machine learning. The results show that our new method can classify each malware's function with an average accuracy of 83.4%.
Keywords: Internet; invasive software; learning (artificial intelligence); pattern classification; API; dynamic analysis; efficient malware analysis; illegal tools; initial behavior; machine learning; malware detection; malware function classification; malware proliferation; Accuracy; Data mining; Feature extraction; Machine learning algorithms; Malware; Software; Support vector machines; machine learning; malware classification (ID#: 16-10032)


M. A. Saied, H. Abdeen, O. Benomar and H. Sahraoui, “Could We Infer Unordered API Usage Patterns Only Using the Library Source Code?,” 2015 IEEE 23rd International Conference on Program Comprehension, Florence, 2015, pp. 71-81. doi: 10.1109/ICPC.2015.16
Abstract: Learning to use existing or new software libraries is a difficult task for software developers, which would impede their productivity. Much existing work has provided different techniques to mine API usage patterns from client programs in order to help developers on understanding and using existing libraries. However, considering only client programs to identify API usage patterns is a strong constraint as the client programs source code is not always available or the clients themselves do not exist yet for newly released APIs. In this paper, we propose a technique for mining Non Client-based Usage Patterns (NCBUP miner). We detect unordered API usage patterns as distinct groups of API methods that are structurally and semantically related and thus may contribute together to the implementation of a particular functionality for potential client programs. We evaluated our technique through four APIs. The obtained results are comparable to those of client-based approaches in terms of usage-patterns cohesion.
Keywords: application program interfaces; data mining; software libraries; source code (software); NCBUP miner; client programs; library source code; non client-based usage patterns; software libraries; unordered API usage patterns; Clustering algorithms; Context; Java; Matrix decomposition; Measurement; Security; Semantics; API Documentation; API Usage; Software Clustering; Usage Pattern (ID#: 16-10033)


Y. E. Oktian, SangGon Lee, HoonJae Lee and JunHuy Lam, “Secure Your Northbound SDN API,” 2015 Seventh International Conference on Ubiquitous and Future Networks, Sapporo, 2015, pp. 919-920. doi: 10.1109/ICUFN.2015.7182679
Abstract: A lot of new features and capabilities emerge in the network because of separation of data plane and control plane in Software Defined Network (SDN) terminology. One of them is the possibility to implement Northbound API to allow third-party application to access resources of the network. However, most of the current implementations of Northbound API do not consider the security aspect. Therefore, we design more secure scheme for it. The design consists of token authentication for application and user, who is responsible to control/use the application/network, using OAuth 2.0 protocol.
Keywords: application program interfaces; computer network security; cryptographic protocols; software defined networking; Northbound SDN API; OAuth 2.0 protocol; SDN terminology; authentication; software defined network terminology; Authentication; Authorization; Proposals; Protocols; Servers; Software defined networking; Northbound API; SDN; authentication; token
(ID#: 16-10034)


C. I. Fan, H. W. Hsiao, C. H. Chou and Y. F. Tseng, “Malware Detection Systems Based on API Log Data Mining,” Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual, Taichung, 2015, pp. 255-260. doi: 10.1109/COMPSAC.2015.241
Abstract: As information technology improves, the Internet is involved in every area in our daily life. When the mobile devices and cloud computing technology start to play important parts of our life, they have become more susceptible to attacks. In recent years, phishing and malicious websites have increasingly become serious problems in the field of network security. Attackers use many approaches to implant malware into target hosts in order to steal significant data and cause substantial damage. The growth of malware has been very rapid, and the purpose has changed from destruction to penetration. The signatures of malware have become more difficult to detect. In addition to static signatures, malware also tries to conceal dynamic signatures from anti-virus inspection. In this research, we use hooking techniques to trace the dynamic signatures that malware tries to hide. We then compare the behavioural differences between malware and benign programs by using data mining techniques in order to identify the malware. The experimental results show that our detection rate reaches 95% with only 80 attributes. This means that our method can achieve a high detection rate with low complexity.
Keywords: Web sites; application program interfaces; cloud computing; computer viruses; data mining; API log data mining; Internet; antivirus inspection; cloud computing technology; dynamic signature tracing; dynamic signatures; hooking techniques; information technology; malicious Web sites; malware detection systems; mobile devices; network security; phishing; static signatures; Accuracy; Bayes methods; Data mining; Feature extraction; Malware; Monitoring; Training; API; Classification; Data Mining; Malware; System Call (ID#: 16-10035)


G. G. Sundarkumar, V. Ravi, I. Nwogu and V. Govindaraju, “Malware Detection via API Calls, Topic Models and Machine Learning,” 2015 IEEE International Conference on Automation Science and Engineering (CASE), Gothenburg, 2015, pp. 1212-1217. doi: 10.1109/CoASE.2015.7294263
Abstract: Dissemination of malicious code, also known as malware, poses severe challenges to cyber security. Malware authors embed software in seemingly innocuous executables, unknown to a user. The malware subsequently interacts with security-critical OS resources on the host system or network, in order to destroy their information or to gather sensitive information such as passwords and credit card numbers. Malware authors typically use Application Programming Interface (API) calls to perpetrate these crimes. We present a model that uses text mining and topic modeling to detect malware, based on the types of API call sequences. We evaluated our technique on two publicly available datasets. We observed that Decision Tree and Support Vector Machine yielded significant results. We performed t-test with respect to sensitivity for the two models and found that statistically there is no significant difference between these models. We recommend Decision Tree as it yields 'if-then' rules, which could be used as an early warning expert system.
Keywords: application program interfaces; data mining; decision trees; expert systems; invasive software; learning (artificial intelligence); support vector machines; API calls; application programming interface calls; cyber security; decision tree; early warning expert system; if-then rules; machine learning; malicious code dissemination; malware detection; security-critical OS resources; support vector machine text mining; topic modeling; topic models; Feature extraction; Grippers; Sensitivity; Support vector machines; Text mining; Trojan horses (ID#: 16-10036)


M. Sneps-Sneppe and D. Namiot, “Metadata in SDN API for WSN,” 2015 7th International Conference on New Technologies, Mobility and Security (NTMS), Paris, 2015, pp. 1-5. doi: 10.1109/NTMS.2015.7266504
Abstract: This paper discusses the system aspects of the development of applied programming interfaces in Software-Defined Networking (SDN). SDN is a prospect software enablement for Wireless Sensor Networks (WSN). So, application layer SDN API will be the main application API for WSN. Almost all existing SDN interfaces use so-called Representational State Transfer (REST) services as a basic model. This model is simple and straightforward for developers, but often does not support the information (metadata) necessary for programming automation. In this article, we cover the issues of representation of metadata in the SDN API.
Keywords: meta data; software defined networking; wireless sensor networks; REST services; SDN interfaces; WSN; metadata; programming automation; programming interfaces; representational state transfer; software-defined networking; Computer architecture; Metadata; Programming; service-oriented architecture; Wireless sensor networks; Parlay; REST; SDN; WSDL; northbound API (ID#: 16-10037)


M. Panda and A. Nag, “Plain Text Encryption Using AES, DES and SALSA20 by Java Based Bouncy Castle API on Windows and Linux,” Advances in Computing and Communication Engineering (ICACCE), 2015 Second International Conference on, Dehradun, 2015, pp. 541-548. doi: 10.1109/ICACCE.2015.130
Abstract: Information Security has become an important element of data communication. Various encryption algorithms have been proposed and implemented as a solution and play an important role in information security system. But on the other hand these algorithms consume a significant amount of computing resources such as CPU time, memory and battery power. However, for all practical applications, performance and the cost of implementation are also important concerns. Therefore it is essential to assess the performance of encryption algorithms. In this paper, the performance of three Symmetric Key based algorithms-AES, Blowfish and Salsa20 has been evaluated based on execution time, memory required for implementation and throughput across two different operating systems. Based on the simulation results, it can be concluded that AES and Salsa20 are preferred over Blowfish for plain text data encryption.
Keywords: Java; Linux; application program interfaces; cryptography; AES; Blowfish; Bouncy Castle API; DES; SALSA20; Salsa20; Windows; data communication; information security system; operating systems; performance assessment; plain text data encryption; plain text encryption; symmetric key based algorithms; Algorithm design and analysis; Ciphers; Classification algorithms; Encryption; Memory management; Performance Analysis (ID#: 16-10038)


V. Casola, A. D. Benedictis, M. Rak and U. Villano, “SLA-Based Secure Cloud Application Development: The SPECS Framework,” 2015 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), Timisoara, 2015, pp. 337-344. doi: 10.1109/SYNASC.2015.59
Abstract: The perception of lack of control over resources deployed in the cloud may represent one of the critical factors for an organization to decide to cloudify or not their own services. Furthermore, in spite of the idea of offering security-as-a-service, the development of secure cloud applications requires security skills that can slow down the adoption of the cloud for nonexpert users. In the recent years, the concept of Security Service Level Agreements (Security SLA) is assuming a key role in the provisioning of cloud resources. This paper presents the SPECS framework, which enables the development of secure cloud applications covered by a Security SLA. The SPECS framework offers APIs to manage the whole Security SLA life cycle and provides all the functionalities needed to automatize the enforcement of proper security mechanisms and to monitor user defined security features. The development process of SPECS applications offering security-enhanced services is illustrated, presenting as a real-world case study the provisioning of a secure web server.
Keywords: application program interfaces; cloud computing; contracts; security of data; API; SLA-based secure cloud application development; SPECS framework; secure Web server; security SLA; security service level agreement; security-as-a-service; security-enhanced service; user-defined security feature; Cloud computing; Context; Monitoring; Security; Supply chains; Unified modeling language; SPECS; Secure Cloud Application Development; Secure Web Server; Security Service Level Agreement (ID#: 16-10039)


N. Paladi and C. Gehrmann, “Towards Secure Multi-Tenant Virtualized Networks,” Trustcom/BigDataSE/ISPA, 2015 IEEE, Helsinki, 2015, pp. 1180-1185. doi: 10.1109/Trustcom.2015.502
Abstract: Network virtualization enables multi-tenancy over physical network infrastructure, with a side-effect of increased network complexity. Software-defined networking (SDN) is a novel network architectural model – one where the control plane is separated from the data plane by a standardized API – which aims to reduce the network management overhead. However, as the SDN model itself is evolving, its application to multi-tenant virtualized networks raises multiple security challenges. In this paper, we present a security analysis of SDN-based multi-tenant virtualized networks: we outline the security assumptions applicable to such networks, define the relevant adversarial model, identify the main attack vectors for such network infrastructure deployments and finally synthesize a set of high-level security requirements for SDN-based multi-tenant virtualized networks. This paper sets the foundation for future design of secure SDN-based multi-tenant virtualized networks.
Keywords: application program interfaces; computer network management; computer network security; software defined networking; virtualisation; SDN; main attack vectors; multitenant virtualized network security; multitenant virtualized networks; network architectural model; network complexity; network infrastructure deployments; network management overhead reduction; network virtualization; physical network infrastructure; software-defined networking; standardized API; Cloud computing; Computer architecture; Hardware; Network operating systems; Routing; Security; Virtualization; Multi-tenant Virtualized Networks; Network Virtualization; Security; Software Defined Networks (ID#: 16-10040)


A. Bianchi, J. Corbetta, L. Invernizzi, Y. Fratantonio, C. Kruegel and G. Vigna, “What the App is That? Deception and Countermeasures in the Android User Interface,” 2015 IEEE Symposium on Security and Privacy, San Jose, CA, 2015,
pp. 931-948. doi: 10.1109/SP.2015.62
Abstract: Mobile applications are part of the everyday lives of billions of people, who often trust them with sensitive information. These users identify the currently focused app solely by its visual appearance, since the GUIs of the most popular mobile OSes do not show any trusted indication of the app origin. In this paper, we analyze in detail the many ways in which Android users can be confused into misidentifying an app, thus, for instance, being deceived into giving sensitive information to a malicious app. Our analysis of the Android platform APIs, assisted by an automated state-exploration tool, led us to identify and categorize a variety of attack vectors (some previously known, others novel, such as a non-escapable full screen overlay) that allow a malicious app to surreptitiously replace or mimic the GUI of other apps and mount phishing and click-jacking attacks. Limitations in the system GUI make these attacks significantly harder to notice than on a desktop machine, leaving users completely defenseless against them. To mitigate GUI attacks, we have developed a two-layer defense. To detect malicious apps at the market level, we developed a tool that uses static analysis to identify code that could launch GUI confusion attacks. We show how this tool detects apps that might launch GUI attacks, such as ransom ware programs. Since these attacks are meant to confuse humans, we have also designed and implemented an on-device defense that addresses the underlying issue of the lack of a security indicator in the Android GUI. We add such an indicator to the system navigation bar, this indicator securely informs users about the origin of the app with which they are interacting (e.g., The Pay Pal app is backed by “Pay Pal, Inc.”). We demonstrate the effectiveness of our attacks and the proposed on-device defense with a user study involving 308 human subjects, whose ability to detect the attacks increased significantly when using a system equipped with our defense.
Keywords: Android (operating system); graphical user interfaces; invasive software; program diagnostics; smart phones; Android platform API; Android user interface; GUI confusion attacks; app origin; attack vectors; automated state-exploration tool; click-jacking attacks; desktop machine; malicious app; mobile OS; mobile applications; on-device defense; phishing attacks; ransomware programs; security indicator; sensitive information; static analysis; system navigation bar; trusted indication; two-layer defense; visual appearance; Androids; Graphical user interfaces; Humanoid robots; Navigation; Security; Smart phones; mobile-security; static-analysis; usable-security (ID#: 16-10041)


E. Markoska, N. Ackovska, S. Ristov, M. Gusev and M. Kostoska, “Software Design Patterns to Develop an Interoperable Cloud Environment,” Telecommunications Forum Telfor (TELFOR), 2015 23rd, Belgrade, 2015, pp. 986-989. doi: 10.1109/TELFOR.2015.7377630
Abstract: Software development has provided methods and tools to facilitate the development process, resulting in scalable, efficient, testable, readable and bug-free code. This endeavor has resulted in a multitude of products, many of them nowadays known as good practices, specialized environments, improved compilers, as well as software design patterns. Software design patterns are a tested methodology, and are most often language neutral. In this paper, we identify the problem of the heterogeneous cloud market, as well as the various APIs per a single cloud. By using a set of software design patterns, we developed a pilot software component that unifies the APIs of heterogeneous clouds. It offers an interface that would greatly simplify the development process of cloud based applications. The pilot adapter is developed for two open source clouds - Eucalyptus and OpenStack, but the usage of software design patterns allows an easy enhancement for all other clouds that have APIs for cloud management, either open source or commercial.
Keywords: application program interfaces; cloud computing; object-oriented methods; object-oriented programming; public domain software; software engineering; API; Eucalyptus; OpenStack; application program interface; cloud environment interoperability; open source cloud; software design pattern; software development; Cloud computing; Interoperability; Java; Production facilities; Security; Software design; cloud; design patterns; interoperability (ID#: 16-10042)


S. Betgé-Brezetz, G. B. Kamga and M. Tazi, “Trust Support for SDN Controllers and Virtualized Network Applications,” Network Softwarization (NetSoft), 2015 1st IEEE Conference on, London, 2015, pp. 1-5. doi: 10.1109/NETSOFT.2015.7116153
Abstract: The SDN paradigm allows networks to be dynamically reconfigurable by network applications. SDN is also of particular interest for NFV which deals with the virtualization of network functions. The network programmability offered by SDN presents then various advantages but it also induces various threats regarding potential attacks on the network. For instance, there is a critical risk that a hacker takes over the network control by exploiting this SDN network programmability (e.g., using the SDN API or tampering a network application running on the SDN controller). This paper proposes then an approach to deal with this possible lack of trust in the SDN controller or in their applications. This approach consists in not relying on a single controller but on several `redundant' controllers that may also run in different execution environments. The network configuration requests coming from these controllers are then compared and, if deemed sufficiently consistent and then trustable, they are actually sent to the network. This approach has been implemented in an intermediary layer (based on a network hypervisor) inserted between the network equipments and the controllers. Experimentations have been performed showing the feasibility of the approach and providing some first evaluations of its impact on the network and the services.
Keywords: application program interfaces; computer network security; software defined networking; trusted computing; virtualisation; NFV; SDN API; SDN controllers; SDN network programmability; SDN paradigm; network configuration requests; network control; network equipments; network function virtualization; network hypervisor; network programmability; redundant controllers; trust support; virtualized network applications; Computer architecture; Network topology; Prototypes; Routing; Security; Virtual machine monitors; Virtualization; SDN; network applications; network virtualization; security; trust (ID#: 16-10043)


H. L. Choo, S. Oh, J. Jung and H. Kim, “The Behavior-Based Analysis Techniques for HTML5 Malicious Features,” Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2015 9th International Conference on, Blumenau, 2015, pp. 436-440. doi: 10.1109/IMIS.2015.67
Abstract: HTML5 announced in October 2014 contains many more functions than previous HTML versions. It includes the media controls of audio, video, canvas, etc., and it is designed to access the browser file system through the Java Script API such as the web storage and file reader API. In addition, it provides the powerful functions to replace existing active X. As the HTML5 standard is adopted, the conversion of web services to HTML5 is being carried out all over the world. The browser developers particularly have high expectation for HTML5 as it provides many mobile functions. However, as there is much expectation of HTML5, the damage of malicious attacks using HTML5 is also expected to be large. The script, which is the key to HTML5 functions, is a different type from existing malware attacks as a malicious attack can be generated merely by only a user accessing a browser. The existing known attacks can also be reused by bypassing the detection systems through the new HTML5 elements. This paper intends to define the unique HTML5 behavior data through the browser execution data and to propose the detection of malware by categorizing the malicious HTML5 features.
Keywords: Internet; Java; hypermedia markup languages; invasive software; mobile computing; multimedia computing; online front-ends; telecommunication control; HTML versions; HTML5 behavior data; HTML5 elements; HTML5 functions; HTML5 malicious features; HTML5 standard; Java Script API; Web services; Web storage; behavior-based analysis techniques; browser developers; browser execution data; browser file system; detection systems; file reader API; malicious attacks; malware attacks; media controls; mobile functions; Browsers; Engines; Feature extraction; HTML; Malware; Standards; Behavior-Based Analysis; HTML5 Malicious Features; Script-based CyberAttack; Web Contents Security (ID#: 16-10044)


H. Graupner, K. Torkura, P. Berger, C. Meinel and M. Schnjakin, “Secure Access Control for Multi-Cloud Resources,” Local Computer Networks Conference Workshops (LCN Workshops), 2015 IEEE 40th, Clearwater Beach, FL, 2015, pp. 722-729. doi: 10.1109/LCNW.2015.7365920
Abstract: Privacy, security, and trust concerns are continuously hindering the growth of cloud computing despite its attractive features. To mitigate these concerns, an emerging approach targets the use of multi-cloud architectures to achieve portability and reduce cost. Multi-cloud architectures however suffer several challenges including inadequate cross-provider APIs, insufficient support from cloud service providers, and especially non-unified access control mechanisms. Consequently, the available multi-cloud proposals are unhandy or insecure. This paper proposes two contributions. At first, we survey existing cloud storage provider interfaces. Following, we propose a novel technique that deals with the challenges of connecting modern authentication standards and multiple cloud authorization methods.
Keywords: authorisation; cloud computing; data privacy; storage management; trusted computing; cloud storage provider interfaces inadequate cross-provider APIs; modern authentication standards; multicloud resources; multiple cloud authorization methods; nonunified access control mechanisms; privacy; secure access control; security; trust concerns; Access control; Authentication; Cloud computing; Containers; Google; Standards; Cloud storage; access control management; data security; multi-cloud systems
(ID#: 16-10045)


J. Xu and X. Yuan, “Developing a Course Module for Teaching Cryptography Programming on Android,” Frontiers in Education Conference (FIE), 2015. 32614 2015. IEEE, El Paso, TX, 2015, pp. 1-4. doi: 10.1109/FIE.2015.7344086
Abstract: Mobile platforms have become extremely popular among users and hence become an important platform for developers. Mobile devices often store tremendous amount of personal, financial and commercial data. Several studies have shown that large number of the mobile applications that use cryptography APIs have made mistakes. This could potentially attract both targeted and mass-scale attacks, which will cause great loss to the mobile users. Therefore, it is vitally important to provide education in secure mobile programming to students in computer science and other related disciplines. It is very hard to find pedagogical resources on this topic that many educators urgently need. This paper introduces a course module that teaches students how to develop secure Android applications by correctly using Android's cryptography APIs. This course module is targeted to two areas where programmers commonly make many mistakes: password based encryption and SSL certificate validation. The core of the module includes a real world sample Android program for students to secure by implementing cryptographic components correctly. The course module will use open-ended problem solving to let students freely explore the multiple options in securing the application. The course module includes a lecture slide on Android's Crypto library, its common misuses, and suggested good practices. Assessment materials will also be included in the course module. This course module could be used in mobile programming class or network security class. It could also be taught as a module in advanced programming class or used as a self-teaching tool for general public.
Keywords: application program interfaces; computer aided instruction; computer science education; cryptography; educational courses; mobile computing; smart phones; teaching; Android crypto library; Android program; SSL certificate validation; assessment materials; computer science; course module development; cryptographic components; cryptography API; cryptography programming; education; lecture slide; mass-scale attacks; mobile applications; mobile devices; mobile platforms; network security class; open-ended problem solving; password based encryption; pedagogical resources; secure Android applications; secure mobile programming class; targeted attacks; teaching; Androids; Encryption; Humanoid robots; Mobile communication; Programming; Android programming; SSL; course module; cryptography; programming; security (ID#: 16-10046)


J. Li, D. Tian and C. Hu, “Dynamic Tracking Reinforcement Based on Simplified Control Flow,” 2015 11th International Conference on Computational Intelligence and Security (CIS), Shenzhen, 2015, pp. 358-362. doi: 10.1109/CIS.2015.93
Abstract: With the rapid development of computer science and Internet technology, software security issues have become one of the main threats to information system. The technique of execution path tracking based on control flow integrity is an effective method to improve software security. However, the dynamic tracking method may incur considerable performance overhead. To address this problem, this paper proposes a method of dynamic control flow enforcement based on API invocations. Our method is based on a key observation: most control flow attackers will invoke the sensitive APIs to achieve their malicious purpose. To defeat these attacks, we first extract the normal execution path of API calls by offline analysis. Then, we utilize the offline information for run-time enforcement. The results of the experiment showed that our method is able to detect and prevent the control flow attacks with malicious API invocations. Compared with existing methods, the system performance is improved.
Keywords: Internet; application program interfaces; information systems; security of data; API calls; API invocations; Internet technology; computer science; control flow attacks; control flow integrity; dynamic control flow enforcement; dynamic tracking reinforcement; information system; offline analysis; offline information; run-time enforcement; simplified control flow; software security; software security issues; Algorithm design and analysis; Heuristic algorithms; Instruments; Registers; Security; Software; Yttrium; API calls; inserted reinforcement; path tracking; simplified control flow (ID#: 16-10047)


V. S. Sinha, D. Saha, P. Dhoolia, R. Padhye and S. Mani, “Detecting and Mitigating Secret-Key Leaks in Source Code Repositories,” 2015 IEEE/ACM 12th Working Conference on Mining Software Repositories, Florence, 2015, pp. 396-400. doi: 10.1109/MSR.2015.48
Abstract: Several news articles in the past year highlighted incidents in which malicious users stole API keys embedded in files hosted on public source code repositories such as GitHub and Bit Bucket in order to drive their own work-loads for free. While some service providers such as Amazon have started taking steps to actively discover such developer carelessness by scouting public repositories and suspending leaked API keys, there is little support for tackling the problem from the code sharing platforms themselves. In this paper, we discuss practical solutions to detecting, preventing and fixing API key leaks. We first outline a handful of methods for detecting API keys embedded within source code, and evaluate their effectiveness using a sample set of projects from GitHub. Second, we enumerate the mechanisms which could be used by developers to prevent or fix key leaks in code repositories manually. Finally, we outline a possible solution that combines these techniques to provide tool support for protecting against key leaks in version control systems.
Keywords: application program interfaces; public key cryptography; source code (software); code repositories; fix key leaks; key leaks protection; secret-key leaks detection; secret-key leaks mitigation; source code repositories; version control systems; Control systems; Facebook; History; Java; Leak detection; Pattern matching; Software; api keys; git; mining software repositories; security
(ID#: 16-10048)


J. Spring, S. Kern and A. Summers, “Global Adversarial Capability Modeling,” 2015 APWG Symposium on Electronic Crime Research (eCrime), Barcelona, 2015, pp. 1-21. doi: 10.1109/ECRIME.2015.7120797
Abstract: Intro: Computer network defense has models for attacks and incidents comprised of multiple attacks after the fact. However, we lack an evidence-based model the likelihood and intensity of attacks and incidents. Purpose: We propose a model of global capability advancement, the adversarial capability chain (ACC), to fit this need. The model enables cyber risk analysis to better understand the costs for an adversary to attack a system, which directly influences the cost to defend it. Method: The model is based on four historical studies of adversarial capabilities: capability to exploit Windows XP, to exploit the Android API, to exploit Apache, and to administer compromised industrial control systems. Result: We propose the ACC with five phases: Discovery, Validation, Escalation, Democratization, and Ubiquity. We use the four case studies as examples as to how the ACC can be applied and used to predict attack likelihood and intensity.
Keywords: Analytical models; Androids; Biological system modeling; Computational modeling; Humanoid robots; Integrated circuit modeling; Software systems; CND; computer network defense; cybersecurity; Incident response; intelligence; intrusion detection; modeling; security (ID#: 16-10049)


K. Shah and D. K. Singh, “A Survey on Data Mining Approaches for Dynamic Analysis of Malwares,” Green Computing and Internet of Things (ICGCIoT), 2015 International Conference on, Noida, 2015, pp. 495-499. doi: 10.1109/ICGCIoT.2015.7380515
Abstract: The number of samples being analyzed by the security vendors is continuously increasing on daily basis. Therefore generic automated malware detection tools are needed, to detect zero day threats. Using machine learning techniques, the exploitation of behavioral patterns obtained, can be done for classifying malwares (unknown samples) to their families. Variable length instructions of Intel x86 placed at any arbitrary addresses makes it affected by obfuscation techniques. Padding bytes insertion at locations that are unreachable during runtime tends static analyzers being contused to misinterpret binaries of program. Often the code that is actually running may not necessarily be the code which static analyzer analyzed. Such programs use polymorphism, metamorphism techniques and are self modifying. In this paper, using dynamic analysis of executable and based on mining techniques. Application Programming Interface (API) calls invoked by samples during execution are used as parameter of experimentation.
Keywords: application program interfaces; data mining; invasive software; learning (artificial intelligence); pattern classification; system monitoring; application programming interface; behavioral pattern exploitation; data mining approach; dynamic malware analysis; generic automated malware detection tools; machine learning techniques; malware classification; metamorphism techniques; obfuscation techniques; padding byte insertion; polymorphism; security vendors; variable length instructions; Classification algorithms; API Calls; AdaBoost; Classifiers; Dynamic Analysis (ID#: 16-10050)


N. S. Gawale and N. N. Patil, “Implementation of a System to Detect Malicious URLs  for Twitter Users,” Pervasive Computing (ICPC), 2015 International Conference on, Pune, 2015, pp. 1-5. doi: 10.1109/PERVASIVE.2015.7087078
Abstract: Over the last few years, there is tremendous use of online social networking sites. It's also providing opportunities for hackers to enter easily in network and do their unauthorized activities. There are many notable social networking websites like Twitter, Facebook and Google+ etc. These are popularly practiced by numerous people to become linked up with each other and partake their daily happenings through it. Here we focus on twitter for an experiment which is more popular for micro-blogging and its community interact through publishing text-based posts of 140 characters known as tweets. By considering this popularity of tweeter hacker's use of short Uniform Resource Locator (URL), as a result it disseminates viruses on user accounts. Our study is based on examining the malicious content or their short URLs and protect the user from unauthorized activities. We introduce such a system which provides the security to multiple users of twitter. Besides, they get some alert mails. Our goal is to download URLs in real time from multiple accounts. Then we get entry points of correlated URLs. Crawler browser marks the suspicious URL. This system finds such malicious URLs by using five features like initial URL, similar text, friend follower ratio and relative URLs. Then alert mail is sent to users, which is added to the host.
Keywords: authorisation; computer crime; computer viruses; social networking (online); Facebook; Google+; Twitter; Uniform Resource Locator; alert mail; crawler browser; friend follower ratio; hackers; malicious URL detection; malicious content; microblogging; online social networking Web sites; suspicious URL; text-based post publishing; unauthorized activities; user accounts; virus dissemination; Crawlers; Databases; Real-time systems; Servers; Uniform resource locators; API keys; Conditional redirect; Suspicious URL;  classifier; crawler (ID#: 16-10051)


Y. Li, J. Fang, C. Liu, M. Liu and S. Wu, “Study on the Application of Dalvik Injection Technique for the Detection of Malicious Programs in Android,” Electronics Information and Emergency Communication (ICEIEC), 2015 5th International Conference on, Beijing, 2015, pp. 309-312. doi: 10.1109/ICEIEC.2015.7284546
Abstract: With the increasing popularization of smart phones in life, malicious software targeting smart phones is emerging in an endless stream. As the phone system possessing the highest current market share, Android is facing a full-scale security challenge. This article focuses on analyzing the application of Dalvik injection technique in the detection of Android malware. Modify the system API (Application Program Interface) through Dalvik injection technique can detect the programs on an Android phone directly. Through the list of sensitive API called by malicious programs, eventually judge the target program as malicious or not.
Keywords: Android (operating system); application program interfaces; invasive software; API; Android malware; Dalvik injection technique; application program interface; malicious program detection; Google; Java; Libraries; Security; Smart phones; Software; Dalvik injection; detection of malicious programs; sensitive API (ID#: 16-10052)


A. d. Benedictis, M. Rak, M. Turtur and U. Villano, “REST-Based SLA Management for Cloud Applications,” 2015 IEEE 24th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises, Larnaca, 2015, pp. 93-98. doi: 10.1109/WETICE.2015.36
Abstract: In cloud computing, possible risks linked to availability, performance and security can be mitigated by the adoption of Service Level Agreements (SLAs) formally agreed upon by cloud service providers and their users. This paper presents the design of services for the management of cloud-oriented SLAs that hinge on the use of a REST-based API. Such services can be easily integrated into existing cloud applications, platforms and infrastructures, in order to support SLA-based cloud services delivery. After a discussion on the SLA life-cycle, an agreement protocol state diagram is introduced. It takes explicitly into account negotiation, remediation and renegotiation issues, is compliant with all the active standards, and is compatible with the WS-Agreement standard. The requirement analysis and the design of a solution able to support the proposed SLA protocol is presented, introducing the REST API used. This API aims at being the basis for a framework to build SLA-based applications.
Keywords: application program interfaces; cloud computing; contracts; diagrams; formal specification; formal verification; protocols; systems analysis; CSP; REST-based API; REST-based SLA management; SLA-based cloud services delivery; agreement protocol state diagram;  cloud service provider; requirement analysis; service level agreement; Cloud computing; Monitoring; Protocols; Security; Standards; Uniform resource locators; XML; API; Cloud; REST; SLA; WS-Agreement (ID#: 16-10053)


K. Shekanayaki, A. Chakure and A. Jain, “A Survey of Journey of Cloud and Its Future,” Computing Communication Control and Automation (ICCUBEA), 2015 International Conference on, Pune, 2015, pp. 60-64. doi: 10.1109/ICCUBEA.2015.20
Abstract: Cloud computing in the past few years has grown from a promising business idea to one of the fastest growing field of the IT industry. Still the IT organization is concern about critical issues (like security, data loss) existing with the implementation of cloud computing, related to security in particular. Consequently issues arise due to client switching to cloud computing. This paper briefs about the role of cloud in IT business enterprise, its woes and its projected solutions. It proposes the use of “Honey-Comb Infrastructure” for flexible, secure and reliable storage supported by parallel computing.
Keywords: cloud computing; electronic commerce; parallel processing; security of data; IT business enterprise; IT industry; IT organization; honey-comb infrastructure; information technology; parallel computing; security issue; Business; Cloud computing; Computational modeling; Computer architecture; Security; Servers; Software as a service; API (Application Programming Interface); CSP (Cloud Service Provider); Cloud Computing; DC (Data-centers); PAAS (Platform as a Service); SAAS (Software as a Service); SOA (Service-Oriented Architecture); TC (Telecommunications Closet); Virtualization (ID#: 16-10054)


M. Coblenz, R. Seacord, B. Myers, J. Sunshine and J. Aldrich, “A Course-Based Usability Analysis of Cilk Plus and OpenMP,” Visual Languages and Human-Centric Computing (VL/HCC), 2015 IEEE Symposium on, Atlanta, GA, 2015, pp. 245-249. doi: 10.1109/VLHCC.2015.7357223
Abstract: Cilk Plus and OpenMP are parallel language extensions for the C and C++ programming languages. The CPLEX Study Group of the ISO/IEC C Standards Committee is developing a proposal for a parallel programming extension to C that combines ideas from Cilk Plus and OpenMP. We conducted a preliminary comparison of Cilk Plus and OpenMP in a master's level course on security to evaluate the design tradeoffs in the usability and security of these two approaches. The eventual goal is to inform decision-making within the committee. We found several usability problems worthy of further investigation based on student performance, including declaring and using reductions, multi-line compiler directives, and the understandability of task assignment to threads.
Keywords: C++ language; application program interfaces; computer aided instruction; computer science education; human factors; multi-threading; program compilers; C programming language; C++ programming language; CPLEX Study Group; Cilk Plus; ISO/IEC C Standards Committee; OpenMP; course-based usability analysis; decision-making; master level course; multiline compiler directives; parallel language extensions; student performance analysis; task assignment understandability; Programming; API usability; Cilk Plus; OpenMP; empirical studies of programmers; parallel programming (ID#: 16-10055)


P. Gohar and L. Purohit, “Discovery and Prioritization of Web Services Based on Fuzzy User Preferences for QoS,” Computer, Communication and Control (IC4), 2015 International Conference on, Indore, 2015, pp. 1-6. doi: 10.1109/IC4.2015.7375702 
Abstract: Web services are the key technologies for the web applications developed using Service Oriented Architecture (SOA). There are many challenges involved in implementing web services. Some of them are web service selection and discovery which involves matchmaking and finding the most suitable web service from a large collection of functionally-equivalent web services. In this paper a fuzzy-based approach for web service discovery is developed that model the ranking of QoS-aware web services as a fuzzy multi-criteria decision-making problem. To describe the web services available in the registry, ontology is created for each web service; and to represent the functional and imprecise Quality of Service (QoS) preferences of both the web service consumer and provider in linguistics term, fuzzy rule base is created with the help of Java Expert System Shell (JESS) API. To make decisions on multiple and conflicting QoS requirements, enhanced Preference Ranking Organization METHod for Enrichment Evaluation (PROMETHEE) model is adopted for QoS-based web service ranking. To demonstrate the abilities of the proposed framework, a web based system “E-Recruitment System“ is implemented. 
Keywords: Java; Web services; decision making; fuzzy set theory; ontologies (artificial intelligence);operations research; quality of service; service-oriented architecture; E-Recruitment System; JESS API; Java Expert System Shell API;PROMETHEE model; Preference Ranking Organization METHod for Enrichment Evaluation; QoS requirements; QoS-aware Web service ranking; SOA; Web applications; Web based system; Web service consumer; Web service discovery; Web service prioritization; Web service selection; fuzzy multicriteria decision-making problem; fuzzy rule base; fuzzy user preference; fuzzy-based approach; linguistics term; ontology; quality of service preference; service oriented architecture; Computer architecture; Computers; Conferences; Quality of service; Security; Service-oriented architecture; Fuzzy Discovery; JESS API; PROMETHEE; QoS Parameters; Web Service (ID#: 16-10056)


F. Yamaguchi, A. Maier, H. Gascon and K. Rieck, “Automatic Inference of Search Patterns for Taint-Style Vulnerabilities,” 2015 IEEE Symposium on Security and Privacy, San Jose, CA, 2015, pp. 797-812. doi: 10.1109/SP.2015.54
Abstract: Taint-style vulnerabilities are a persistent problem in software development, as the recently discovered “Heart bleed” vulnerability strikingly illustrates. In this class of vulnerabilities, attacker-controlled data is passed unsanitized from an input source to a sensitive sink. While simple instances of this vulnerability class can be detected automatically, more subtle defects involving data flow across several functions or project-specific APIs are mainly discovered by manual auditing. Different techniques have been proposed to accelerate this process by searching for typical patterns of vulnerable code. However, all of these approaches require a security expert to manually model and specify appropriate patterns in practice. In this paper, we propose a method for automatically inferring search patterns for taint-style vulnerabilities in C code. Given a security-sensitive sink, such as a memory function, our method automatically identifies corresponding source-sink systems and constructs patterns that model the data flow and sanitization in these systems. The inferred patterns are expressed as traversals in a code property graph and enable efficiently searching for unsanitized data flows — across several functions as well as with project-specific APIs. We demonstrate the efficacy of this approach in different experiments with 5 open-source projects. The inferred search patterns reduce the amount of code to inspect for finding known vulnerabilities by 94.9% and also enable us to uncover 8 previously unknown vulnerabilities.
Keywords: application program interfaces; data flow analysis; public domain software; security of data; software engineering; C code; attacker-controlled data; automatic inference; code property graph; data flow; data security; inferred search pattern; memory function; open-source project; project- specific API; search pattern; security-sensitive sink; sensitive sink; software development; source-sink system; taint-style vulnerability; Databases; Libraries; Payloads; Programming; Security; Software; Syntactics; Clustering; Graph Databases; Vulnerabilities (ID#: 16-10057) 


P. Jia, X. He, L. Liu, B. Gu and Y. Fang, “A Framework for Privacy Information Protection on Android,” Computing, Networking and Communications (ICNC), 2015 International Conference on, Garden Grove, CA, 2015, pp. 1127-1131. doi: 10.1109/ICCNC.2015.7069508
Abstract: Permissions-based security model of Android increasingly shows its vulnerability in protecting users' privacy information. According to the permissions-based security model, an application should have the appropriate permissions before gaining various resources (including data and hardware) in the phone. This model can only restrict an application to access system resources without appropriate permissions, but can not prevent malicious accesses to privacy data after the application having obtained permissions. During the installation of an application, the system will prompt what permissions the application is requesting. Users have no choice but to allow all the requested permissions if they want to use the application. Once an application is successfully installed, the system is unable to control its behavior dynamically, and at this time the application can obtain privacy information and send them out without the acknowledgements of users. Therefore, there is a great security risk of the permissions-based security model. This paper researches on different ways to access users' privacy information and proposes a framework named PriGuard for dynamically protecting users' privacy information based on Binder communication interception technology and feature selection algorithm. Applications customarily call system services remotely by using the Binder mechanism, then access the equipment and obtain information through system services. By redirecting the Binder interface function of Native layer, PriGuard intercepts Binder messages, as a result, intercepting the application's Remote Procedure Call (RPC) for system services, then it can dynamically monitor the application's behaviors that access privacy information. In this paper, we collect many different types of benign Application Package File (APK) samples, and get the Application Programming Interface (API) calls of each sample when it is running. Afterwards we transform these API calls of each sample into f- ature vectors. Feature selection algorithm is used to generate the optimal feature subset. PriGuard automatically completes the privacy policy configuration on the newly installed software according to the optimal feature subset, and then control the calls on system service of the software using Binder message interception technology, which achieves the purpose of protecting users' privacy information.
Keywords: Android (operating system); application program interfaces; authorisation; data protection; remote procedure calls; API; APK; Android; Binder communication interception technology; Binder interface function; Binder message interception technology; PriGuard framework; RPC; application installation; application package file; application programming interface; application remote procedure call; dynamic application behavior monitoring; dynamic user privacy information protection; feature selection algorithm; native layer; optimal feature subset generation; permission-based security model; privacy policy configuration; security risk; system resource access; system services; user privacy information access; user privacy information protection; Conferences; Monitoring; Privacy; Security; Smart phones; Software; Vectors; RPC intercept; android; binder; feature selection algorithm; privacy protection (ID#: 16-10058)


B. He et al., “Vetting SSL Usage in Applications with SSLINT,” 2015 IEEE Symposium on Security and Privacy, San Jose, CA, 2015, pp. 519-534. doi: 10.1109/SP.2015.38
Abstract: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have become the security backbone of the Web and Internet today. Many systems including mobile and desktop applications are protected by SSL/TLS protocols against network attacks. However, many vulnerabilities caused by incorrect use of SSL/TLS APIs have been uncovered in recent years. Such vulnerabilities, many of which are caused due to poor API design and inexperience of application developers, often lead to confidential data leakage or man-in-the-middle attacks. In this paper, to guarantee code quality and logic correctness of SSL/TLS applications, we design and implement SSLINT, a scalable, automated, static analysis system for detecting incorrect use of SSL/TLS APIs. SSLINT is capable of performing automatic logic verification with high efficiency and good accuracy. To demonstrate it, we apply SSLINT to one of the most popular Linux distributions -- Ubuntu. We find 27 previously unknown SSL/TLS vulnerabilities in Ubuntu applications, most of which are also distributed with other Linux distributions.
Keywords: Linux; application program interfaces; formal verification; program diagnostics; protocols; security of data; API design; Linux distributions; SSL usage vetting; SSL-TLS protocols; SSLINT; Ubuntu; automatic logic verification; code quality; logic correctness; network attacks; secure sockets layer; static analysis system; transport layer security; Accuracy; Libraries; Protocols; Security; Servers; Software; Testing (ID#: 16-10059)


N. Pazos, M. Müller, M. Aeberli and N. Ouerhani, “ConnectOpen – Automatic Integration of IoT Devices,” Internet of Things (WF-IoT), 2015 IEEE 2nd World Forum on, Milan, 2015, pp. 640-644. doi: 10.1109/WF-IoT.2015.7389129
Abstract: There exists, today, a wide consensus that Internet of Things (IoT) is creating a wide range of business opportunities for various industries and sectors like Manufacturing, Healthcare, Public infrastructure management, Telecommunications and many others. On the other hand, the technological evolution of IoT facing serious challenges. The fragmentation in terms of communication protocols and data formats at device level is one of these challenges. Vendor specific application architectures, proprietary communication protocols and lack of IoT standards are some reasons behind the IoT fragmentation. In this paper we propose a software enabled framework to address the fragmentation challenge. The framework is based on flexible communication agents that are deployed on a gateway and can be adapted to various devices communicating different data formats using different communication protocol. The communication agent is automatically generated based on specifications and automatically deployed on the Gateway in order to connect the devices to a central platform where data are consolidated and exposed via REST APIs to third party services. Security and scalability aspects are also addressed in this work.
Keywords: Internet of Things; application program interfaces; cloud computing; computer network security; internetworking; transport protocols; ConnectOpen;  IoT fragmentation; REST API; automatic IoT device integration; central platform; communication agents; communication protocol; communication protocols; data formats; device level; scalability aspect; security aspect; software enabled framework; third party services; Business; Embedded systems; Logic gates; Protocols; Scalability; Security; Sensors; Communication Agent; End Device; Gateway; IoT; Kura; MQTT; OSGi (ID#: 16-10060)


L. Qiu, Z. Zhang, Z. Shen and G. Sun, “AppTrace: Dynamic Trace on Android Devices,” 2015 IEEE International Conference on Communications (ICC), London, 2015, pp. 7145-7150. doi: 10.1109/ICC.2015.7249466
Abstract: Mass vulnerabilities involved in the Android alternative applications could threaten the security of the launched device or users data. To analyze the alternative applications, generally, researchers would like to observe applications' runtime features first. Then they need to decompile the target application and read the complicated code to figure out what the application really does. Traditional dynamic analysis methodology, for instance, the TaintDroid, uses dynamic taint tracking technique to mark information at source APIs. However, TaintDroid is limited to constraint on requiring target application to run in custom sandbox that might be not compatible with all the Android versions. For solving this problem and helping analysts to have insight into the runtime behavior, this paper presents AppTrace, a novel dynamic analysis system that uses dynamic instrumentation technique to trace member methods of target application that could be deployed in any version above Android 4.0. The paper presents an evaluation of AppTrace with 8 apps from Google Play as well as 50 open source apps from F-Droid. The results show that AppTrace could trace methods of target applications successfully and notify users effectively when some sensitive APIs are invoked.
Keywords: application program interfaces; smart phones; system monitoring; API; Android devices; AppTrace; Google Play; TaintDroid; dynamic instrumentation technique; dynamic taint tracking technique; dynamic trace; novel dynamic analysis system; open source apps; Androids; Humanoid robots; Instruments; Java; Runtime; Security; Smart phones (ID#: 16-10061)


S. S. Shinde and S. S. Sambare, “Enhancement on Privacy Permission Management for Android Apps,” Communication Technologies (GCCT), 2015 Global Conference on, Thuckalay, 2015, pp. 838-842. doi: 10.1109/GCCT.2015.7342779
Abstract: Nowadays everyone is using smartphone devices for personal and official data storage. Smartphone apps are usually not secure and need user permission to access protected system resources. Specifically, the existing Android permission system will check whether the calling app has the right permission to invoke sensitive system APIs. Android OS allows third-party applications. Whenever a user installs any third party application user is having, only limited options at the time of installation. Either user can agree to all terms and conditions and install that application or reject from the installation of applications. Existing approaches failed to provide security to user's sensitive data from being violated. To protect user's privacy, there is a need for secure permission management for Android applications. In this paper, to fine-grained the permission management, we have proposed a system which provides a facility to smartphone user's grant or revoke access to user's private sensitive data as per user's choice. Overall Performance of proposed system improves the limitations of existing android permission system shown in detail in terms of results and features in the paper.
Keywords: Android (operating system); authorisation; data privacy; smart phones; APIs; Android OS; Android apps; Android permission system; official data storage; personal data storage; privacy permission management; smartphone apps; smartphone devices; third-party applications; Androids; Databases; Humanoid robots; Internet; Privacy; Security; Smart phones; Android OS; Fine-grained; Permission system; Smartphone user; privacy (ID#: 16-10062)


A. Slominski, V. Muthusamy and R. Khalaf, “Building a Multi-Tenant Cloud Service from Legacy Code with Docker Containers,” Cloud Engineering (IC2E), 2015 IEEE International Conference on, Tempe, AZ, 2015, pp. 394-396. doi: 10.1109/IC2E.2015.66
Abstract: In this paper we address the problem of migrating a legacy Web application to a cloud service. We develop a reusable architectural pattern to do so and validate it with a case study of the Beta release of the IBM Bluemix Workflow Service [1] (herein referred to as the Beta Workflow service). It uses Docker [2] containers and a Cloudant [3] persistence layer to deliver a multi-tenant cloud service by re-using a legacy codebase. We are not aware of any literature that addresses this problem by using containers.The Beta Workflow service provides a scalable, stateful, highly available engine to compose services with REST APIs. The composition is modeled as a graph but authored in a Javascript-based domain specific language that specifies a set of activities and control flow links among these activities. The primitive activities in the language can be used to respond to HTTP REST requests, invoke services with REST APIs, and execute Javascript code to, among other uses, extract and construct the data inputs and outputs to external services, and make calls to these services. Examples of workflows that have been built using the service include distributing surveys and coupons to customers of a retail store [1], the management of sales requests between a salesperson and their regional managers, managing the staged deployment of different versions of an application, and the coordinated transfer of jobs among case workers.
Keywords: Java; application program interfaces; cloud computing; specification languages; Beta Workflow service; Cloudant persistence layer; HTTP REST requests; IBM Bluemix Workflow Service; Javascript code; Javascript-based domain specific language; REST API; docker containers; legacy Web application; legacy codebase; multitenant cloud service; reusable architectural pattern; Browsers; Cloud computing; Containers; Engines; Memory management; Organizations; Security (ID#: 16-10063)


H. Hamadeh, S. Chaudhuri and A. Tyagi, “Area, Energy, and Time Assessment for a Distributed TPM for Distributed Trust in IoT Clusters,” 2015 IEEE International Symposium on Nanoelectronic and Information Systems, Indore, 2015, pp. 225-230. doi: 10.1109/iNIS.2015.17
Abstract: IoT clusters arise from natural human societal clusters such as a house, an airport, and a highway. IoT clusters are heterogeneous with a need for device to device as well as device to user trust. The IoT devices are likely to be thin computing clients. Due to low cost, an individual IoT device is not built to be fault tolerant through redundancy. Hence the trust protocols cannot take the liveness of a device for granted. In fact, the differentiation between a failing device and a malicious device is difficult from the trust protocol perspective. We present a minimal distributed trust layer based on distributed consensus like operations. These distributed primitives are cast in the context of the APIs supported by a trusted platform module (TPM). TPM with its 1024 bit RSA is a significant burden on a thin IoT design. We use RNS based slicing of a TPM where in each slice resides within a single IoT device. The overall TPM functionality is distributed among several IoT devices within a cluster. The VLSI area, energy, and time savings of such a distributed TMP implementation is assessed. A sliced/distributed TPM is better suited for an IoT environment based on its resource needs. We demonstrate over 90% time reduction, over 3% area reduction, and over 90% energy reduction per IoT node in order to support TPM protocols.
Keywords: Internet of Things; VLSI; application program interfaces; cryptographic protocols; residue number systems; trusted computing;1024 bit RSA; APIs; IoT clusters; RNS based slicing; TPM protocols; VLSI area savings; VLSI energy savings; VLSI time savings; distributed TPM; distributed consensus like operations; minimal distributed trust layer; sliced TPM; trust protocol; trusted platform module; Airports; Approximation algorithms; Computers; Delays; Electronic mail; Protocols; Security; Area; IoT; Residue Number System; Time and Energy; Trusted Platform Module (ID#: 16-10064)


A. Aflatoonian, A. Bouabdallah, K. Guillouard, V. Catros and J. M. Bonnin, “BYOC: Bring Your Own Control—A New Concept to Monetize SDN’s Openness,” Network Softwarization (NetSoft), 2015 1st IEEE Conference on, London, 2015, pp. 1-5. doi: 10.1109/NETSOFT.2015.7116147
Abstract: Software Defined Networking (SDN) is supposed to bring flexibility, dynamicity and automation to today's network through a logically centralized network controller. We argue that reaching SDN's full capacities requires however the development of standardized programming capabilities on its top. In this paper we introduce “Bring Your Own Control” (BYOC) as a new concept providing a convenient framework structuring the openness of the SDN on its northbound side. We derive from the lifecycle characterizing the services deployed in an SDN, the parts of services the control of which may be delegated by the operator to external customers through dedicated application programming interfaces (API) located in the northbound interface (NBI). We argue that the exploitation of such services may noticeably be refined by the operator through various business models monetizing the openness of the SDN following the new paradigm of “Earn as Your Bring” (EaYB). We propose an analysis of BYOC and we illustrate our approach with several use cases.
Keywords: application program interfaces; open systems; software defined networking; API; BYOC; EaYB; NBI; SDN openness; bring your own control; dedicated application programming interfaces; earn as your bring; framework structuring; logically centralized network controller; northbound interface; software defined networking; standardized programming capabilities; Business; Computer architecture; Monitoring; Multiprotocol label switching; Real-time systems; Security; Virtual private networks; Bring Your Own Control (BYOC); Business model; Earn as You Bring (EaYB); Northbound Interface (NBI); Software Defined Networking (SDN) (ID#: 16-10065)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.