Biblio

Current programming models for developing Internet of Things (IoT) applications are logically centralized and ill-suited for most IoT applications. We contribute Protocols over Things, a decentralized programming model that represents an IoT application via a protocol between the parties involved and provides improved performance over network-level delivery guarantees.

Due to the rapid growth of using Internet of Things (IoT) devices in the daily life, the need to achieve an acceptable level of security and privacy according to the real security risks for these devices is rising. Security risks may include privacy threats like gaining sensitive information from a device, and authentication problems from counterfeit or cloned devices. It becomes more challenging to add strong security features to extremely constrained devices compared to battery operated devices that have more computational and storage capabilities. We propose a novel application specific instruction-set architecture that allows flexibility on many design levels and achieves the required security level for the Electronic Product Code (EPC) passive Radio Frequency Identification (RFID) tag device. Our solution moves a major design effort from hardware to software, which largely reduces the final unit cost. The proposed architecture can be implemented with 4,662 gate equivalent units (GEs) for 65 nm CMOS technology excluding the memory and the cryptographic units. The synthesis results fulfill the requirements of extremely constrained devices and allow the inclusion of cryptographic units into the datapath of the proposed application-specific instruction set processor (ASIP).

Radio frequency identification system (RFID) is a wireless technology based on radio waves. These radio waves transmit data from the tag to a reader, which then transmits the information to a server. RFID tags have several advantages, they can be used in merchandise, to track vehicles, and even patients. Connecting RFID tags to internet terminal or server it called Internet of Things (IoT). Many people have shown interest in connected objects or the Internet of Things (IoT). The IoT is composed of many complementary elements each having their own specificities. The RFID is often seen as a prerequisite for the IoT. The main challenge of RFID is the security issues. Connecting RFID with IoT poses security threats and challenges which are needed to be discussed properly before deployment. In this paper, we proposed a new distributed encryption algorithm to be used in the IoT structure in order to reduce the security risks that are confronted in RFID technology.

As the core of the third information revolution, the Internet of things plays an important role in the development of the times. According to the relevant investigation and research, we can find that the research on the Internet of things is still in the stage of LAN and private network, and its open advantages have not been fully utilized[1]. In this context, RFID technology as the core technology of the Internet of things, the security protocol plays an important role in the normal use of the technology. With the continuous development of Internet information technology, the disadvantages of security protocol become more and more obvious. These problems seriously affect the popularity of Internet of things technology. Therefore, in the future work, the relevant staff need to continue to strengthen research, according to the future development plan, effectively play the advantages of technology, and further promote its development.

We introduce a lightweight architecture of Intrusion Detection Systems (IDS) for ad-hoc IoT networks. Current state-of-the-art IDS have been designed based on assumptions holding from conventional computer networks, and therefore, do not properly address the nature of IoT networks. In this work, we first identify the correlation between the communication overheads and the placement of an IDS (as captured by proper placement of active IDS agents in the network). We model such networks as Random Geometric Graphs. We then introduce a novel IDS architectural approach by having only a minimum subset of the nodes acting as IDS agents. These nodes are able to monitor the network and detect attacks at the networking layer in a collaborative manner by monitoring 1-hop network information provided by routing protocols such as RPL. Conducted experiments show that our proposed IDS architecture is resilient and robust against frequent topology changes due to node failures. Our detailed experimental evaluation demonstrates significant performance gains in terms of communication overhead and energy dissipation while maintaining high detection rates.

This work adopts an online resiliency monitoring framework employing metric temporal logic (MTL) under cyber-physical anomalies, namely false-data injection attacks, denial-of-service attacks, and physical faults. Such anomalies adversely affect the frequency synchronization, load sharing, and voltage regulation in microgrids. MTL formalism is adopted to monitor the outputs of inverters/converters against operational bounds, detect and quantify cyber-physical anomalies, monitor the microgrid's resiliency during runtime, and compare mitigation strategies. Since the proposed framework does not require system knowledge, it can be deployed on a complex microgrid. This is verified using an IEEE 34-bus feeder system and a DC microgrid cluster in a controller/hardware-in-the-loop environment.

The rapid development of low-power integrated circuits, wireless communication, intelligent sensors and microelectronics has allowed the realization of wireless body area networks (WBANs), which can monitor patients' vital body parameters remotely in real time to offer timely treatment. These vital body parameters are related to patients' life and health; and these highly private data are subject to many security threats. To guarantee privacy, many secure communication protocols have been proposed. However, most of these protocols have a one-to-one structure in extra-body communication and cannot support multidisciplinary team (MDT). Hence, we propose a lightweight and certificateless multi-receiver secure data transmission protocol for WBANs to support MDT treatment in this paper. In particular, a novel multi-receiver certificateless generalized signcryption (MR-CLGSC) scheme is proposed that can adaptively use only one algorithm to implement one of three cryptographic primitives: signature, encryption or signcryption. Then, a multi-receiver secure data transmission protocol based on the MR-CLGSC scheme with many security properties, such as data integrity and confidentiality, non-repudiation, anonymity, forward and backward secrecy, unlinkability and data freshness, is designed. Both security analysis and performance analysis show that the proposed protocol for WBANs is secure, efficient and highly practical.

Ensuring security to IoT devices is important in order to provide privacy and quality of services. Proposing a security solution is considered an important step towards achieving protection, however, proving the soundness of the solution is also crucial. In this paper, we propose a methodology for the performance evaluation of lightweight IoT-based authentication protocols based on execution time. Then, a formal verification test is conducted on a lightweight protocol proposed in the literature. The formal verification test conducted with Scyther tool proofs that the model provides mutual authentication, authorization, integrity, confidentiality, non-repudiation, and accountability. The protocol also was proven to provide protection from various attacks.

For optimal use of cloud resources and to reduce the latency of cloud users, the cloud computing model extends the services such as networking facilities, computational capabilities and storage facilities based on demand. Due to the dynamic behavior, distributed paradigm and heterogeneity present among the processing elements, devices and service oriented pay per use policies; the cloud computing environment is having its availability, security and privacy issues. Among these various issues one of the important issues in cloud computing paradigm is DDoS attack. This paper put in plain words the DDoS attack, its detection as well as prevention mechanisms in cloud computing environment. The inclusive study also explains about the effects of DDoS attack on cloud platform and the related defense mechanisms required to be considered.

DDoS attacks are pre-dominant in traditional networks, they are used to bring down the services of important servers in the network, thereby affecting its performance. One such kind of attack is HTTP GET Flood DDoS attack in which a lot of HTTP GET request messages are sent to the victim web server, overwhelming its resources and bringing down its services to the legitimate clients. The solution to such attacks in traditional networks is usually implemented at the servers, but this consumes its resources which could otherwise be used to process genuine client requests. Software Defined Network (SDN) is a new network architecture that helps to deal with these attacks in a different way. In SDN the mitigation can be done using the controller without burdening the server. In this paper, we first show how an HTTP GET Flood DDoS attack can be performed on the webserver in an SDN environment and then propose a solution to mitigate the same with the help of the SDN controller. At the server, the attack is detected by checking the number of requests arriving to the web server for a certain period of time, if the number of request is greater than a particular threshold then the hosts generating such attacks will be blocked for the attack duration.

Distributed Denial of Service (DDoS) attacks have been one of the persistent forms of attacks on information technology infrastructure connected to a public network due to the ease of access to DDoS attack tools. Researchers have been able to develop several techniques to curb volumetric DDoS attacks which overwhelms the target with large number of request packets. However, compared to volumetric DDoS, low amount of research has been executed on mitigating slow DDoS. Data mining approaches and various Artificial Intelligence techniques have been proved by researchers to be effective for reduce DDoS attacks. This paper provides the scholarly community with slow DDoS attack detection techniques using Genetic Algorithm and Support Vector Machine aimed at mitigating slow DDoS attack in a Software-Defined Networking (SDN) environment simulated in GNS3. Genetic algorithm was employed to select the features which indicates the presence of an attack and also determine the appropriate regularization parameter, C, and gamma parameter for the Support Vector Machine classifier. Results obtained shows that the classifier had detection accuracy, Area Under Receiver Operating Curve (AUC), true positive rate, false positive rate and false negative rate of 99.89%, 99.89%, 99.95%, 0.18%, and 0.05% respectively. Also, the algorithm for subsequent implementation of the selective adaptive bubble burst mitigation mechanism was presented.

The Controller Area Network (CAN) bus system works inside connected cars as a central system for communication between electronic control units (ECUs). Despite its central importance, the CAN does not support an authentication mechanism, i.e., CAN messages are broadcast without basic security features. As a result, it is easy for attackers to launch attacks at the CAN bus network system. Attackers can compromise the CAN bus system in several ways: denial of service, fuzzing, spoofing, etc. It is imperative to devise methodologies to protect modern cars against the aforementioned attacks. In this paper, we propose a Long Short-Term Memory (LSTM)-based Intrusion Detection System (IDS) to detect and mitigate the CAN bus network attacks. We first inject attacks at the CAN bus system in a car that we have at our disposal to generate the attack dataset, which we use to test and train our model. Our results demonstrate that our classifier is efficient in detecting the CAN attacks. We achieved a detection accuracy of 99.9949%.

The recent advancement in the automotive sector has led to a technological explosion. As a result, the modern car provides a wide range of features supported by state of the art hardware and software. Unfortunately, while this is the case of most major components, in the same vehicle we find dozens of sensors and sub-systems built over legacy hardware and software with limited computational capabilities. This paper presents LOKI, a lightweight cryptographic key distribution scheme applicable in the case of the classical invehicle communication systems. The LOKI protocol stands out compared to already proposed protocols in the literature due to its ability to use only a single broadcast message to initiate the generation of a new cryptographic key across a group of nodes. It's lightweight key derivation algorithm takes advantage of a reverse hash chain traversal algorithm to generate fresh session keys. Experimental results consisting of a laboratory-scale system based on Vector Informatik's CANoe simulation environment demonstrate the effectiveness of the developed methodology and its seamless impact manifested on the network.

The massive proliferation of state of the art interfaces into the automotive sector has triggered a revolution in terms of the technological ecosystem that is found in today's modern car. Accordingly, on the one hand, we find dozens of Electronic Control Units (ECUs) running several hundred MB of code, and more and more sophisticated dashboards with integrated wireless communications. On the other hand, in the same vehicle we find the underlying communication infrastructure struggling to keep up with the pace of these radical changes. This paper presents MixCAN (MIXed data authentication for Control Area Networks), an approach for mixing different message signatures (i.e., authentication tags) in order to reduce the overhead of Controller Area Network (CAN) communications. MixCAN leverages the attributes of Bloom Filters in order to ensure that an ECU can sign messages with different CAN identifiers (i.e., mix different message signatures), and that other ECUs can verify the signature for a subset of monitored CAN identifiers. Extensive experimental results based on Vectors Informatik's CANoe/CANalyzer simulation environment and the data set provided by Hacking and Countermeasure Research Lab (HCRL) confirm the validity and applicability of the developed approach. Subsequent experiments including a test bed consisting of Raspberry Pi 3 Model B+ systems equipped with CAN communication modules demonstrate the practical integration of MixCAN in real automotive systems.

Nowadays, industrial control systems are increasingly subject to cyber-attacks. In this regard, the relevance of ICS modeling for security research and for teaching employees the basics of information security is increasing. Most of the existing testbeds for research on information security of industrial control systems are software and hardware solutions that contain elements of industrial equipment. However, when implementing distance-learning programs, it is not possible to fully use such testbeds. This paper describes the approach of complete virtualization of technological processes in ICS based on the open source programmable logic controller OpenPLC. This enables a complete information security training from any device with Internet access. A unique feature of this stand is also the support of several PLCs and a lower-level subsystem implemented by a distributed I/O system. The study describes the implementation scheme of the stand, and several case of reproduction of attacks. Scaling approaches for this solution are also considered.

A quantum high secure direct communication with authentication protocol is proposed by using single photons. The high security of the protocol is achieved on levels. The first level involves the verification of the quantum channel security by using fake photons. The authentication process is also ensured by the fake photons. The second level of security is given by the use of multiple polarization bases. The secret message is encoded in groups of photons; each single character of the message is associated with m (m≥7) photons. Thus, at least 27 (128) characters will be encoded. In order to defeat the quantum teleportation attack, the string of bits associated to the secret message is encrypted with a secret string of bits by using XOR operator. Encryption of the sender's identity string and the receiver's identity string by the XOR operator with a random string of fake photons defends quantum man-in-the-middle attack efficiently. Quantum memory is required to implement our protocol. Storage of quantum information is a key element in quantum information processing and provides a more flexible, effective and efficient communication. Our protocol is feasible with current technologies.

Development in the area of quantum technologies led to the appearance of first quantum computers. The threat of using a quantum computer for cryptanalysis requires wide implementing post-quantum security in computing algorithms and communication protocols. We evaluate the computational power of some existing quantum computers to illustrate the relevance of research in post-quantum security. One of the best ways to test post-quantum protocols is to embed them into some non-critical but widely-used sphere. Secure messaging is an excellent example of such an application. In the paper, we analyze the post-quantum security of well-known messaging specification Signal, which is considered to have high-security properties. The core of Signal specification is the Double Ratchet protocol. We notice and explain why it is not a post-quantum secure scheme. After that, we suggest some possible ways to improve the security features of Signal specification.

VSS (Verifiable Secret Sharing) protocols are used in a number of block-chain systems, such as Dfinity and Ouroboros to generate unpredicted random number flow, they can be used to determine the proposer list and the voting powers of the voters at each height. To prevent random numbers from being predicted and attackers from corrupting a sufficient number of participants to violate the underlying trust assumptions, updatable VSS protocol in distributed protocols is important. The updatable VSS universal setup is also a hot topic in zkSNARKS protocols such as Sonic [19]. The way that we make it updatable is to execute the share exchange process repeatedly on chain, this process is challenging to be implemented in asynchronous network model, because it involves the wrong shares and the complaints, it requires the participant has the same view towards the qualified key generators, we take this process on chain and rely on BFT consensus mechanism to solve this. The group secret is thus updatable on chain. This is an enhancement to Dfinity. Therefore, even if all the coefficients of the random polynomials of epoch n are leaked, the attacker can use them only in epoch n+2. And the threshold group members of the DKG protocol can be updated along with the updates of the staked accounts and nodes.

This paper investigates the use of Software-Defined Networking (SDN) in the detection and mitigation of malware threat, focusing on the example of ExPetr ransomware. Extensive static and dynamic analysis of ExPetr is performed in a purpose-built SDN testbed. The results acquired from this analysis are then used to design and implement an SDN-based solution to detect the malware and prevent it from spreading to other machines inside a local network. Our solution consists of three security mechanisms that have been implemented as components/modules of the Python-based POX controller. These mechanisms include: port blocking, SMB payload inspection, and HTTP payload inspection. When malicious activity is detected, the controller communicates with the SDN switches via the OpenFlow protocol and installs appropriate entries in their flow tables. In particular, the controller blocks machines which are considered infected, by monitoring and reacting in real time to the network traffic they produce. Our experimental results demonstrate that the proposed designs are effective against self-propagating malware in local networks. The implemented system can respond to malicious activities quickly and in real time. Furthermore, by tuning certain thresholds of the detection mechanisms it is possible to trade-off the detection time with the false positive rate.

The position information leakage of under-water sensor networks has been widely concerned. However, the underwater environment has unique characteristics compared with the terrestrial environment, for example, the asynchronous clock, stratification compensation. Therefore, the privacy preserving localization algorithm for terrestrial is not suitable. At present, the proposed privacy preserving localization algorithm is at the cost of reducing the localization accuracy and increasing the complexity of the algorithm. In this paper, a privacy preserving localization algorithm for underwater sensor networks with ray compensation is proposed. Besides, the localization algorithm we designed hides the position information of anchor nodes, and eliminates the influence of asynchronous clock. More importantly, the positioning accuracy is improved. Finally, the simulation results show that the location algorithm with privacy preserving and without privacy preserving have the same location accuracy. In addition, the algorithm proposed in this paper greatly improves the positioning accuracy compared with the existing work.

Source location privacy (SLP) protection ensures security of assets in monitoring wireless sensor networks (WSNs). Also, low end-to-end delay (EED) and high packet delivery ratio (PDR) guarantee high packet delivery reliability. Therefore, it is important to ensure high levels of SLP protection, low EED, and high PDR in mission-critical monitoring applications. Thus, this study proposes a new angle-based agent node routing protocol (APr) which is capable of achieving high levels of SLP protection, low EED, and high PDR. The proposed APr protocol employs multiple routing strategies to enable a dynamic agent node selection process and creation of obfuscating routing paths. Analysis results reveal that the APr protocol achieves high packet delivery reliability to outperform existing intermediate node-based protocols such as the AdrR and tree-based protocols such as the TbR. Furthermore, the APr protocol achieves significantly high levels of SLP protection to outperform the AdrR protocol.

The usage of K-anonymity to preserve location privacy for wireless sensor network (WSN) monitoring systems, where sensor nodes operate together to notify a server with anonymous shared positions. That k-anonymous position is a coated region with at least k people. However, we identify an attack model to show that overlapping aggregate locations remain privacy-risk because the enemy can infer certain overlapping areas with persons under k who violate the privacy requirement for anonymity. Within this paper we suggest a mutual WSN privacy protocol (REAL). Actual needs sensor nodes to arrange their sensing areas separately into a variety of non-overlapping, extremely precise anonymous aggregate positions. We also developed a state transfer framework, a locking mechanism and a time delay mechanism to address the three main REAL challenges, namely self-organisation, shared assets and high precision. We equate REAL's output with current protocols through virtual experiments. The findings demonstrate that REAL preserves the privacy of sites, offers more precise question answers and decreases connectivity and device expense.

Wireless Sensor Networks (WSNs) are attracted great attention in the past decade due to the unlimited number of applications they support. However, security has always been a serious concern for these networks due to the insecure communication links they exploit. In order to mitigate the possible security threats, sophisticated key management schemes must be employed to ensure the generating, distributing and revocation of the cryptographic keys that are needed to implement variety of security measures. In this paper, we propose a novel decentralized key management scheme for hierarchical grid organized WSNs. The main goal of our scheme is to reduce the total number of cryptographic keys stored in sensor nodes while maintaining the desired network connectivity. The performance analysis shows the efficiency of the proposed protocol in terms of communication overhead, storage cost and network connectivity.

The PTPv2.1 standard provides new protection mechanisms to ensure the authenticity and integrity of PTP messages. However, the distribution of the necessary security parameters is not part of the specification. This paper proposes a simple and practical approach for the automated distribution of these parameters by using a key management system that enables the Immediate Security Processing in PTP. It is based on the Network Time Security protocol and offers functions for group management, parameter updating and monitoring mechanisms. A Proof-of-Concept implementation provides initial results of the resources required for the key management system and its use.

Key Management in Delay Tolerant Networks (DTN) still remains an unsolved complex problem. Due to peculiar characteristics of DTN, important challenges that make it difficult to design key management architecture are: 1) no systematic requirement analysis is undertaken to define its components, their composition and prescribed functions; and 2) no framework is available for its seamless integration with Bundle Security Protocol (BSP). This paper proposes a Key Management Architecture for DTN (KMAD) to address challenges in DTN key management. The proposed architecture not only provides guidelines for key management in DTN but also caters for seamless integration with BSP. The framework utilizes public key cryptography to provide required security services to enable exchange of keying material, and information about security policy and cipher suites. The framework also supports secure exchange of control and data information in DTNs.