Biblio

What you see is not definitely believable is not a rare case in the cyber security monitoring. However, due to various tricks of camouflages, such as packing or virutal private network (VPN), detecting "advanced persistent threat"(APT) by only signature based malware detection system becomes more and more intractable. On the other hand, by carefully modeling users' subsequent behaviors of daily routines, probability for one account to generate certain operations can be estimated and used in anomaly detection. To the best of our knowledge so far, a novel behavioral analytic framework, which is dedicated to analyze Active Directory domain service logs and to monitor potential inside threat, is now first proposed in this project. Experiments on real dataset not only show that the proposed idea indeed explores a new feasible direction for cyber security monitoring, but also gives a guideline on how to deploy this framework to various environments.

Quadrature compressive sampling (QuadCS) is a newly introduced sub-Nyquist sampling for acquiring inphase and quadrature components of radio-frequency signals. This paper develops a target detection scheme of pulsed-type radars in the presence of digital radio frequency memory (DRFM) repeat jammers with the radar echoes sampled by the QuadCS system. For diversifying pulses, the proposed scheme first separates the target echoes from the DRFM repeat jammers using CS recovery algorithms, and then removes the jammers to perform the target detection. Because of the separation processing, the jammer leakage through range sidelobe variation of the classical match-filter processing will not appear. Simulation results confirm our findings. The proposed scheme with the data at one eighth the Nyquist rate outperforms the classic processing with Nyquist samples in the presence of DRFM repeat jammers.

Side Channel Attacks (SCA) using power measurements are a known method of breaking cryptographic algorithms such as AES. Published research into attacks on AES frequently target only AES-128, and often target only the core Electronic Code-Book (ECB) algorithm, without discussing surrounding issues such as triggering, along with breaking the initialization vector. This paper demonstrates a complete attack on a secure bootloader, where the firmware files have been encrypted with AES-256-CBC. A classic Correlation Power Analysis (CPA) attack is performed on AES-256 to recover the complete 32-byte key, and a CPA attack is also used to attempt recovery of the initialization vector (IV).

Proactive security reviews and test efforts are a necessary component of the software development lifecycle. Resource limitations often preclude reviewing the entire code base. Making informed decisions on what code to review can improve a team's ability to find and remove vulnerabilities. Risk-based attack surface approximation (RASA) is a technique that uses crash dump stack traces to predict what code may contain exploitable vulnerabilities. The goal of this research is to help software development teams prioritize security efforts by the efficient development of a risk-based attack surface approximation. We explore the use of RASA using Mozilla Firefox and Microsoft Windows stack traces from crash dumps. We create RASA at the file level for Firefox, in which the 15.8% of the files that were part of the approximation contained 73.6% of the vulnerabilities seen for the product. We also explore the effect of random sampling of crashes on the approximation, as it may be impractical for organizations to store and process every crash received. We find that 10-fold random sampling of crashes at a rate of 10% resulted in 3% less vulnerabilities identified than using the entire set of stack traces for Mozilla Firefox. Sampling crashes in Windows 8.1 at a rate of 40% resulted in insignificant differences in vulnerability and file coverage as compared to a rate of 100%.

Massively Open Online Courses (MOOCs) provide a unique opportunity to reach out to students who would not normally be reached by alleviating the need to be physically present in the classroom. However, teaching software security coursework outside of a classroom setting can be challenging. What are the challenges when converting security material from an on-campus course to the MOOC format? The goal of this research is to assist educators in constructing software security coursework by providing a comparison of classroom courses and MOOCs. In this work, we compare demographic information, student motivations, and student results from an on-campus software security course and a MOOC version of the same course. We found that the two populations of students differed, with the MOOC reaching a more diverse set of students than the on-campus course. We found that students in the on-campus course had higher quiz scores, on average, than students in the MOOC. Finally, we document our experience running the courses and what we would do differently to assist future educators constructing similar MOOC's.

In the RFID technology, the privacy of low-cost tag is a hot issue in recent years. A new mutual authentication protocol is achieved with the time stamps, hash function and PRNG. This paper analyzes some common attack against RFID and the relevant solutions. We also make the security performance comparison with original security authentication protocol. This protocol can not only speed up the proof procedure but also save cost and it can prevent the RFID system from being attacked by replay, clone and DOS, etc..

Currently, different forms of ransomware are increasingly threatening Internet users. Modern ransomware encrypts important user data, and it is only possible to recover it once a ransom has been paid. In this article we show how software-defined networking can be utilized to improve ransomware mitigation. In more detail, we analyze the behavior of popular ransomware - CryptoWall - and, based on this knowledge, propose two real-time mitigation methods. Then we describe the design of an SDN-based system, implemented using OpenFlow, that facilitates a timely reaction to this threat, and is a crucial factor in the case of crypto ransomware. What is important is that such a design does not significantly affect overall network performance. Experimental results confirm that the proposed approach is feasible and efficient.

Currently 5G communication networks are gaining on importance among industry, academia, and governments worldwide as they are envisioned to offer wide range of high-quality services and unfaltering user experiences. However, certain security, privacy and trust challenges need to be addressed in order for the 5G networks to be widely welcomed and accepted. That is why in this paper, we take a step towards these requirements and we introduce a dedicated SDN-based integrated security framework for the Internet of Radio Light (IoRL) system that is following 5G architecture design. In particular, we present how TCP SYN-based scanning activities which typically comprise the first phase of the attack chain can be detected and mitigated using such an approach. Enclosed experimental results prove that the proposed security framework has potential to become an effective defensive solution.

Currently, due to improvements in defensive systems network covert channels are increasingly drawing attention of cybercriminals and malware developers as they can provide stealthiness of the malicious communication and thus to bypass existing security solutions. On the other hand, the utilized data hiding methods are getting increasingly sophisticated as the attackers, in order to stay under the radar, distribute the covert data among many connections, protocols, etc. That is why, the detection of such threats becomes a pressing issue. In this paper we make an initial step in this direction by presenting a data mining-based detection of such advanced threats which relies on pattern discovery technique. The obtained, initial experimental results indicate that such solution has potential and should be further investigated.

In the management of transport and logistics, which includes the delivery, movement and collection of goods through roads, ports and airports, participate, in general, many different actors. The most critical aspects of supply chain systems include time, space and interdependencies. Besides, there are several security challenges that can be caused both by unintentional and intentional errors. With all this in mind, this work proposes the combination of technologies such as RFID, GPS, WiFi Direct and LTE/3G to automate product authentication and merchandise tracking, reducing the negative effects caused either by mismanagement or attacks against the process of the supply chain. In this way, this work proposes a ubiquitous management scheme for the monitoring through the cloud of freight and logistics systems, including demand management, customization and automatic replenishment of out-of-stock goods. The proposal implies an improvement in the efficiency of the systems, which can be quantified in a reduction of time and cost in the inventory and distribution processes, and in a greater facility for the detection of counterfeit versions of branded articles. In addition, it can be used to create safer and more efficient schemes that help companies and organizations to improve the quality of the service and the traceability of the transported goods.

Vehicular Ad-Hoc Network (VANET) is a subcategory of Intelligent Transportation Systems (ITS) that allows vehicles to communicate with other vehicles and static roadside infrastructure. However, the integration of cyber and physical systems introduce many possible points of attack that make VANET vulnerable to cyber attacks. In this paper, we implemented a machine learning-based intrusion detection system that identifies False Data Injection (FDI) attacks on a vehicular network. A co-simulation framework between MATLAB and NS-3 is used to simulate the system. The intrusion detection system is installed in every vehicle and processes the information obtained from the packets sent by other vehicles. The packet is classified into either trusted or malicious using Support Vector Machines (SVM). The comparison of the performance of the system is evaluated in different scenarios using the following metrics: classification rate, attack detection rate, false positive rate, and detection speed. Simulation results show that the SVM-based IDS is able to provide high accuracy detection, low false positive rate, consequently improving the traffic congestion in the simulated highway.

This paper presents the Helix SandBox, an open platform for quick prototyping of smart environment applications. Its architecture was designed to be a lightweight solution that aimed to simplify the instance integration and setup of the main Generic Enablers provided in the FIWARE architecture. As a Powered by FIWARE platform, the SandBox operates with the NGSI standard for interoperability between systems. The platform offers a container-based multicloud architecture capable of running in public, private and bare metal clouds or even in the leading hypervisors available. This paper also proposes a multi-layered architecture capable of integrates the cloud, fog, edge and IoT layers through the federation concept. Lastly, we present two Smart Cities applications conducted in the form of Proof of Concept (PoC) that use the Helix SandBox platform as back-end.

Distributed storage platforms draw much attention due to their high reliability and scalability for handling a massive amount of data. To protect user and data privacy, encryption is considered as a necessary feature for production systems like Storj. But it prohibits the nodes from performing content search. To preserve the functionality, we observe that a protocol of integration with searchable encryption and keyword search via distributed hash table allows the nodes in a network to search over encrypted and distributed data. However, this protocol does not address a practical threat in a fully distributed scenario. Malicious nodes would sabotage search results, and easily infiltrate the system as the network grows. Using primitives such as MAC and verifiable data structure may empower the users to verify the search result, but the robustness of the overall system can hardly be ensured. In this paper, we address this issue by proposing a protocol that is seamlessly incorporated to encrypted search in distributed network to attest and monitor nodes. From the moment a node joins the system, it will be attested and continuously monitored through verifiable search queries. The result of each attestation is determined via a standard quorum-based voting protocol, and then recorded on the blockchain as a consensus view of trusted nodes. Based on the proposed protocols, malicious nodes can be detected and removed by a majority of nodes in a self-determining manner. To demonstrate the security and efficiency, we conduct robustness analysis against several potential attacks, and perform performance and overhead evaluation on the proposed protocol.

Learning-enabled components (LECs) are widely used in cyber-physical systems (CPS) since they can handle the uncertainty and variability of the environment and increase the level of autonomy. However, it has been shown that LECs such as deep neural networks (DNN) are not robust and adversarial examples can cause the model to make a false prediction. The paper considers the problem of efficiently detecting adversarial examples in LECs used for regression in CPS. The proposed approach is based on inductive conformal prediction and uses a regression model based on variational autoencoder. The architecture allows to take into consideration both the input and the neural network prediction for detecting adversarial, and more generally, out-of-distribution examples. We demonstrate the method using an advanced emergency braking system implemented in an open source simulator for self-driving cars where a DNN is used to estimate the distance to an obstacle. The simulation results show that the method can effectively detect adversarial examples with a short detection delay.

In order to solve the problem that there is no effective means to find the optimal number of hidden nodes of single-hidden-layer feedforward neural network, in this paper, a method will be introduced to solve it effectively by using singular value decomposition. First, the training data need to be normalized strictly by attribute-based data normalization and sample-based data normalization. Then, the normalized data is decomposed based on the singular value decomposition, and the number of hidden nodes is determined according to main eigenvalues. The experimental results of MNIST data set and APS data set show that the feedforward neural network can attain satisfactory performance in the classification task.

Wearable Internet-of-Things (WIoT) environments have demonstrated great potential in a broad range of applications in healthcare and well-being. Security is essential for WIoT environments. Lack of security in WIoTs not only harms user privacy, but may also harm the user's safety. Though devices in the WIoT can be attacked in many ways, in this paper we focus on adversaries who mount what we call sensor-hijacking attacks, which prevent the constituent medical devices from accurately collecting and reporting the user's health state (e.g., reporting old or wrong physiological measurements). In this paper we outline some of our experiences in implementing a data-driven security solution for detecting sensor-hijacking attack on a secure wearable internet-of-things (WIoT) base station called the Amulet. Given the limited capabilities (computation, memory, battery power) of the Amulet platform, implementing such a security solution is quite challenging and presents several trade-offs with respect to detection accuracy and resources requirements. We conclude the paper with a list of insights into what capabilities constrained WIoT platforms should provide developers so as to make the inclusion of data-driven security primitives in such systems.

Considering the security of message exchange between service robot and cloud, we propose to authenticate the message integrity based on RSA algorithm and digital signature. In the process of message transmission, RSA algorithm is used to encrypt message for service robot and decrypt message for cloud. The digital signature algorithm is used to authenticate the source of the message. The results of experiment have proved that the proposed scheme can guarantee the security of message transmission.

In order to improve production and management efficiency, traditional industrial control systems are gradually connected to the Internet, and more likely to use advanced modern information technologies, such as cloud computing, big data technology, and artificial intelligence. Industrial control system is widely used in national key infrastructure. Meanwhile, a variety of attack threats and risks follow, and once the industrial control network suffers maliciously attack, the loss caused is immeasurable. In order to improve the security and stability of the industrial Internet, this paper studies the industrial control network traffic threat identification technology based on machine learning methods, including GK-SVDD, RNN and KPCA reconstruction error algorithm, and proposes a heuristic method for selecting Gaussian kernel width parameter in GK-SVDD to accelerate real-time threat detection in industrial control environments. Experiments were conducted on two public industrial control network traffic datasets. Compared with the existing methods, these methods can obtain faster detection efficiency and better threat identification performance.

Particle swarm optimization (PSO), as a kind of swarm intelligence algorithm, has the advantages of simple algorithm principle, less programmable parameters and easy programming. Many scholars have applied particle swarm optimization (PSO) to various fields through learning it, and successfully solved linear problems, nonlinear problems, multiobjective optimization and other problems. However, the algorithm also has obvious problems in solving problems, such as slow convergence speed, too early maturity, falling into local optimization in advance, etc., which makes the convergence speed slow, search the optimal value accuracy is not high, and the optimization effect is not ideal. Therefore, many scholars have improved the particle swarm optimization algorithm. Taking into account the improvement ideas proposed by scholars in the early stage and the shortcomings still existing in the improvement, this paper puts forward the idea of improving particle swarm optimization algorithm in the future.

Lots of traditional embedded systems can be called closed systems in that they do not connect and communicate with systems or devices outside of the entities they are embedded, and some part of these systems are designed based on proprietary protocols or standards. Open embedded systems connect and communicate with other systems or devices through the Internet or other networks, and are designed based on open protocols and standards. This paper discusses two types of security challenges facing open embedded systems: the security of the devices themselves that host embedded systems, and the security of information collected, processed, communicated, and consumed by embedded systems. We also discuss solution techniques to address these challenges.

Recently, mobile ad-hoc networks (MANET) have been widely used in several scenarios. Due to its generally high demands on clock synchronization accuracy, the conventional synchronization algorithms cannot be applied in many high-speed MANET applications. Hence, in this paper, a clock synchronization algorithm based on motion information such as the speed of nodes is proposed to eliminate the error of round-trip-time correction. Meanwhile, a simplified version of our algorithm is put forward to cope with some resource-constrained scenes. Our algorithm can perform well in most situations and effectively improve the clock synchronization accuracy with reasonable communication overhead, especially in high-speed scenes. Simulation results confirm the superior accuracy performance achieved by our algorithm.

Accurate short-term traffic flow forecasting is of great significance for real-time traffic control, guidance and management. The k-nearest neighbor (k-NN) model is a classic data-driven method which is relatively effective yet simple to implement for short-term traffic flow forecasting. For conventional prediction mechanism of k-NN model, the k nearest neighbors' outputs weighted by similarities between the current traffic flow vector and historical traffic flow vectors is directly used to generate prediction values, so that the prediction results are always not ideal. It is observed that there are always some outliers in k nearest neighbors' outputs, which may have a bad influences on the prediction value, and the local similarities between current traffic flow and historical traffic flows at the current sampling period should have a greater relevant to the prediction value. In this paper, we focus on improving the prediction mechanism of k-NN model and proposed a k-nearest neighbor locally search regression algorithm (k-LSR). The k-LSR algorithm can use locally search strategy to search for optimal nearest neighbors' outputs and use optimal nearest neighbors' outputs weighted by local similarities to forecast short-term traffic flow so as to improve the prediction mechanism of k-NN model. The proposed algorithm is tested on the actual data and compared with other algorithms in performance. We use the root mean squared error (RMSE) as the evaluation indicator. The comparison results show that the k-LSR algorithm is more successful than the k-NN and k-nearest neighbor locally weighted regression algorithm (k-LWR) in forecasting short-term traffic flow, and which prove the superiority and good practicability of the proposed algorithm.

Many blockchain applications use decentralized oracles to trustlessly retrieve external information as those platforms are agnostic to real-world information. Some existing decentralized oracle protocols make use of majority-voting schemes to determine the outcomes and/or rewards to participants. In these cases, the awards (or penalties) grow linearly to the participant stakes, therefore voters are indifferent between voting through a single or multiple identities. Furthermore, the voters receive a reward only when they agree with the majority outcome, a tactic that may lead to herd behavior. This paper proposes an oracle protocol based on peer prediction mechanisms with non-linear staking rules. In the proposed approach, instead of being rewarded when agreeing with a majority outcome, a voter receives awards when their report achieves a relatively high score based on a peer prediction scoring scheme. The scoring scheme is designed to be incentive compatible so that the maximized expected score is achieved only with honest reporting. A non-linear stake scaling rule is proposed to discourage Sybil attacks. This paper also provides a theoretical analysis and guidelines for implementation as reference.

TEE(Trusted Execution Environment) has became one of the most popular security features for mobile platforms. Current TEE solutions usually implement secure functions in Trusted applications (TA) running over a trusted OS in the secure world. Host App may access these secure functions through the TEE driver. Unfortunately, such architecture is not very secure. A trusted OS has to be loaded in secure world to support TA running. Thus, the code size in secure world became large. As more and more TA is installed, the secure code size will be further larger and larger. Lots of real attack case have been reported [1]. In this paper, we present a novel TEE constructing method named ALTEE. Different from existing TEE solutions, ALTEE includes secure code in host app, and constructs a trustworthy execution environment for it dynamically whenever the code needs to be run.

This paper studies the deletion propagation problem in terms of minimizing view side-effect. It is a problem funda-mental to data lineage and quality management which could be a key step in analyzing view propagation and repairing data. The investigated problem is a variant of the standard deletion propagation problem, where given a source database D, a set of key preserving conjunctive queries Q, and the set of views V obtained by the queries in Q, we try to identify a set T of tuples from D whose elimination prevents all the tuples in a given set of deletions on views △V while preserving any other results. The complexity of this problem has been well studied for the case with only a single query. Dichotomies, even trichotomies, for different settings are developed. However, no results on multiple queries are given which is a more realistic case. We study the complexity and approximations of optimizing the side-effect on the views, i.e., find T to minimize the additional damage on V after removing all the tuples of △V. We focus on the class of key-preserving conjunctive queries which is a dichotomy for the single query case. It is surprising to find that except the single query case, this problem is NP-hard to approximate within any constant even for a non-trivial set of multiple project-free conjunctive queries in terms of view side-effect. The proposed algorithm shows that it can be approximated within a bound depending on the number of tuples of both V and △V. We identify a class of polynomial tractable inputs, and provide a dynamic programming algorithm to solve the problem. Besides data lineage, study on this problem could also provide important foundations for the computational issues in data repairing. Furthermore, we introduce some related applications of this problem, especially for query feedback based data cleaning.