Biblio

IoT devices have evolved with the goal of becoming more connected. However, for security it is necessary to reduce the attack surface by allowing only necessary devices to be connected. In addition, as the number of IoT devices increases, DDoS attacks targeting IoT devices also increase. In this paper, we propose a method to apply the zero trust concept of SDP as a way to enhance security and prevent DDoS attacks in the IoT device network to which the OCF platform, one of the IoT standard platforms, is applied. The protocol proposed in this paper needs to perform additional functions in IoT devices, and the processing overhead due to the functions is 62.6ms on average. Therefore, by applying the method proposed in this paper, although there is a small amount of processing overhead, DDoS attacks targeting the IoT network can be defended and the security of the IoT network can be improved.

Mathematical model of web server protection is being proposed based on filtering HTTP (Hypertext Transfer Protocol) packets that do not match the semantic parameters of the request standards of this protocol. The model is defined as a graph, and the relationship between the parameters - the sets of vulnerabilities of the corporate network, the methods of attacks and their consequences-is described by the Cartesian product, which provides the correct interpretation of a corporate network cyber attack. To represent the individual stages of simulated attacks, it is possible to separate graph models in order to model more complex attacks based on the existing simplest ones. The unity of the model proposed representation of cyber attack in three variants is shown, namely: graphic, text and formula.

Recently, modern networks have been made up of connections of small devices that have less memory, small CPU capability, and limited resources. Such networks apparently known as Internet of Things networks. Devices in such network promising high standards of live for human, however, they increase the size of threats lead to bring more risks to network security. One of the most popular threats against such networks is known as Distributed Denial of Service (DDoS). Reports from security solution providers show that number of such attacks are in increase considerably. Therefore, more researches on detecting the DDoS attacks are necessary. Such works need monitoring network packets that move over Internet and networks and, through some intelligent techniques, monitored packets could be classified as benign or as DDoS attack. This work focuses on combining Neighborhood Component Analysis and Artificial Neural Network-Backpropagation to classify and identify packets as forward by attackers or as come from authorized and illegible users. This work utilized the activities of four type of the network protocols to distinguish five types of attacks from benign packets. The proposed model shows the ability of classifying packets to normal or to attack classes with an accuracy of 99.4%.

There will be a fatal risk when the submitted file is stolen or altered by someone else during the file submission process. To maintain the security of sending files from sender to recipient, it is necessary to secure files. The science of maintaining the security of messages is called cryptography. The authors were interested in examining the Three Pass Protocol scheme in this study because it eliminated the necessity for sender and receiver to exchange keys during the operation of the Hill Cipher 3x3 algorithm. The Hill Cipher algorithm was chosen because the key has an inverse and matrix-shaped value. Then the key used must be checked whether it has a GCD (Greatest Common Divisor) grade 1 or not and will be shaped like matrix. System implementation using the Java programming language using Android Studio software. System testing is done by encrypting and decrypting files. System testing results illustrate that the process encryption and decryption by the sender is faster than the recipient, so the encryption and decryption time needed directly proportional; the larger the pixel size of the image on the image file used, the longer it takes.

The Internet of Things (IoT) is a technology that allows connection between devices using the internet to collect and exchange data with each other. Privacy and security have become the most pressing issues in the IoT network, especially in the smart home. Nevertheless, there are still many smart home devices that have not implemented security and privacy policies. This study proposes a remote sensor control system built on ESP32 to implement a smart home through the Message Queuing Telemetry Transport(MQTT) protocol by applying the Advanced Encryption Standard (AES) algorithm with a 256-bit key. It addresses security issues in the smart home by encrypting messages sent from users to sensors. Besides ESP32, the system implementation also uses Raspberry Pi and smartphone with Android applications. The network was analyzed using Wireshark, and it showed that the message sent was encrypted. This implementation could prevent brute force attacks, with the result that it could guarantee the confidentiality of a message. Meanwhile, from several experiments conducted in this study, the difference in the average time of sending encrypted and unencrypted messages was not too significant, i.e., 20 ms.

This study offers an alternative to current implementations of key exchange by utilizing NFC technologies within android mobile devices. Supporting key exchange protocols along with cryptographic algorithms are offered, which meet current security standards whilst maintaining a short key length for optimal transfer between devices. Peer-to-peer and Host Card Emulation operational modes are observed to determine the best suited approach for key exchange. The proposed model offers end to end encryption between Client-Client as opposed to the usual Client-Server encryption offered by most Instant Messaging applications.

In order to guarantee the normal operation of the power Internet of things devices, the zero-trust idea was used for studying the security protection strategies of devices from four aspects: user authentication, equipment trust, application integrity and flow baselines. Firstly, device trust is constructed based on device portrait; then, verification of device application integrity based on MD5 message digest algorithm to achieve device application trustworthiness. Next, the terminal network traffic baselines are mined from OpenFlow, a southbound protocol in SDN. Finally, according to the dynamic user trust degree attribute access control model, the comprehensive user trust degree was obtained by weighting the direct trust degree. It obtained from user authentication and the trust degree of user access to terminal communication traffic. And according to the comprehensive trust degree, users are assigned the minimum authority to access the terminal to realize the security protection of the terminal. According to the comprehensive trust degree, the minimum permissions for users to access the terminal were assigned to achieve the security protection of the terminal. The research shows that the zero-trust mechanism is applied to the terminal security protection of power Internet of Things, which can improve the reliability of the safe operation of terminal equipment.

Perimeter models, which provide access control for protecting resources on networks, make authorization decisions using the source network of access requests as one of critical factors. However, such models are problematic because once a network is intruded, the attacker gains access to all of its resources. To overcome the above problem, a Zero Trust Network (ZTN) is proposed as a new security model in which access control is performed by authenticating users who request access and then authorizing such requests using various information about users and devices called contexts. To correctly make authorization decisions, this model must take a large amount of various contexts into account. However, in some cases, an access control mechanism cannot collect enough context to make decisions, e.g., when an organization that enforces access control joins the identity federation and uses systems operated by other organizations. This is because the contexts collected using the systems are stored in individual systems and no federation exists for sharing contexts. In this study, we propose the concept of a Zero Trust Federation (ZTF), which applies the concept of ZTN under the identity federation, and a method for sharing context among systems of organizations. Since context is sensitive to user privacy, we also propose a mechanism for sharing contexts under user control. We also verify context sharing by implementing a ZTF prototype.

This paper presents Zero-Day Attack Packet Highlighting System. Proposed system outputs zero-day attack packet information from flow extracted as result of regression inspection of packets stored in flow-based PCA. It also highlights raw data of the packet matched with rule. Also, we design communication protocols for sending and receiving data within proposed system. Purpose of the proposed system is to solve existing flow-based problems and provides users with raw data information of zero-day packets so that they can analyze raw data for the packets.

Generally, the defense measures taken against new cyber-attack methods are insufficient for cybersecurity risk management. Contrary to classical attack methods, the existence of undiscovered attack types called' zero-day attacks' can invalidate the actions taken. It is possible with honeypot systems to implement new security measures by recording the attacker's behavior. The purpose of the honeypot is to learn about the methods and tools used by the attacker or malicious activity. In particular, it allows us to discover zero-day attack types and develop new defense methods for them. Attackers have made protocols such as SSH (Secure Shell) and Telnet, which are widely used for remote access to devices, primary targets. In this study, SSHTelnet honeypot was established using Cowrie software. Attackers attempted to connect, and attackers record their activity after providing access. These collected attacker log records and files uploaded to the system are published on Github to other researchers1. We shared the observations and analysis results of attacks on SSH and Telnet protocols with honeypot.

Anonymous Zether, proposed by Bünz, Agrawal, Zamani, and Boneh (FC'20), is a private payment design whose wallets demand little bandwidth and need not remain online; this unique property makes it a compelling choice for resource-constrained devices. In this work, we describe an efficient construction of Anonymous Zether. Our protocol features proofs which grow only logarithmically in the size of the "anonymity sets" used, improving upon the linear growth attained by prior efforts. It also features competitive transaction sizes in practice (on the order of 3 kilobytes).Our central tool is a new family of extensions to Groth and Kohlweiss's one-out-of-many proofs (Eurocrypt 2015), which efficiently prove statements about many messages among a list of commitments. These extensions prove knowledge of a secret subset of a public list, and assert that the commitments in the subset satisfy certain properties (expressed as linear equations). Remarkably, our communication remains logarithmic; our computation increases only by a logarithmic multiplicative factor. This technique is likely to be of independent interest.We present an open-source, Ethereum-based implementation of our Anonymous Zether construction.

We study the problem of randomized Leader Election in synchronous distributed networks with indistinguishable nodes. We consider algorithms that work on networks of arbitrary topology in two settings, depending on whether the size of the network, i.e., the number of nodes \$n\$, is known or not. In the former setting, we present a new Leader Election protocol that improves over previous work by lowering message complexity and making it close to a lower bound by a factor in \$$\backslash$widetildeO($\backslash$sqrtt\_mix$\backslash$sqrt$\backslash$Phi)\$, where $\Phi$ is the conductance and \textsubscriptmix is the mixing time of the network graph. We then show that lacking the network size no Leader Election algorithm can guarantee that the election is final with constant probability, even with unbounded communication. Hence, we further classify the problem as Leader Election (the classic one, requiring knowledge of \$n\$ - as is our first protocol) or Revocable Leader Election, and present a new polynomial time and message complexity Revocable Leader Election algorithm in the setting without knowledge of network size. We analyze time and message complexity of our protocols in the CONGEST model of communication.

In proof-of-stake (PoS) blockchains, stakeholders that extend the chain are selected according to the amount of stake they own. In S&P 2019 the "Ouroboros Crypsinous" system of Kerber et al. (and concurrently Ganesh et al. in EUROCRYPT 2019) presented a mechanism that hides the identity of the stakeholder when adding blocks, hence preserving anonymity of stakeholders both during payment and mining in the Ouroboros blockchain. They focus on anonymizing the messages of the blockchain protocol, but suggest that potential identity leaks from the network-layer can be removed as well by employing anonymous broadcast channels.In this work we show that this intuition is flawed. Even ideal anonymous broadcast channels do not suffice to protect the identity of the stakeholder who proposes a block.We make the following contributions. First, we show a formal network-attack against Ouroboros Crypsinous, where the adversary can leverage network delays to distinguish who is the stakeholder that added a block on the blockchain. Second, we abstract the above attack and show that whenever the adversary has control over the network delay – within the synchrony bound – loss of anonymity is inherent for any protocol that provides liveness guarantees. We do so, by first proving that it is impossible to devise a (deterministic) state-machine replication protocol that achieves basic liveness guarantees and better than (1-2f) anonymity at the same time (where f is the fraction of corrupted parties). We then connect this result to the PoS setting by presenting the tagging and reverse tagging attack that allows an adversary, across several executions of the PoS protocol, to learn the stake of a target node, by simply delaying messages for the target. We demonstrate that our assumption on the delaying power of the adversary is realistic by describing how our attack could be mounted over the Zcash blockchain network (even when Tor is used). We conclude by suggesting approaches that can mitigate such attacks.

Ben-Or and Linial (1985) introduced the full information model for coin-tossing protocols involving \$n\$ processors with unbounded computational power using a common broadcast channel for all their communications. For most adversarial settings, the characterization of the exact or asymptotically optimal protocols remains open. Furthermore, even for the settings where near-optimal asymptotic constructions are known, the exact constants or poly-logarithmic multiplicative factors involved are not entirely well-understood. This work studies \$n\$-processor coin-tossing protocols where every processor broadcasts an arbitrary-length message once. An adaptive Byzantine adversary, based on the messages broadcast so far, can corrupt \$k=1\$ processor. A bias-\$X\$ coin-tossing protocol outputs 1 with probability \$X\$; otherwise, it outputs 0 with probability (\$1-X\$). A coin-tossing protocol's insecurity is the maximum change in the output distribution (in the statistical distance) that a Byzantine adversary can cause. Our objective is to identify bias-\$X\$ coin-tossing protocols achieving near-optimal minimum insecurity for every \$Xın[0,1]\$. Lichtenstein, Linial, and Saks (1989) studied bias-\$X\$ coin-tossing protocols in this adversarial model where each party broadcasts an independent and uniformly random bit. They proved that the elegant “threshold coin-tossing protocols” are optimal for all \$n\$ and \$k\$. Furthermore, Goldwasser, Kalai, and Park (2015), Kalai, Komargodski, and Raz (2018), and Haitner and Karidi-Heller (2020) prove that \$k=\textbackslashtextbackslashmathcalO(\textbackslashtextbackslashsqrtn \textbackslashtextbackslashcdot \textbackslashtextbackslashmathsfpolylog(n)\$) corruptions suffice to fix the output of any bias-\$X\$ coin-tossing protocol. These results encompass parties who send arbitrary-length messages, and each processor has multiple turns to reveal its entire message. We use an inductive approach to constructing coin-tossing protocols using a potential function as a proxy for measuring any bias-\$X\$ coin-tossing protocol's susceptibility to attacks in our adversarial model. Our technique is inherently constructive and yields protocols that minimize the potential function. It is incidentally the case that the threshold protocols minimize the potential function, even for arbitrary-length messages. We demonstrate that these coin-tossing protocols' insecurity is a 2-approximation of the optimal protocol in our adversarial model. For any other \$Xın[0,1]\$ that threshold protocols cannot realize, we prove that an appropriate (convex) combination of the threshold protocols is a 4-approximation of the optimal protocol. Finally, these results entail new (vertex) isoperimetric inequalities for density-\$X\$ subsets of product spaces of arbitrary-size alphabets.

A promising paradigm in protocol design is to hold parties accountable for misbehavior, instead of postulating that they are trustworthy. Recent approaches in defining this property, called accountability, characterized malicious behavior as a deviation from the protocol that causes a violation of the desired security property, but did so under the assumption that all deviating parties are controlled by a single, centralized adversary. In this work, we investigate the setting where multiple parties can deviate with or without coordination in a variant of the applied-π calculus.We first demonstrate that, under realistic assumptions, it is impossible to determine all misbehaving parties; however, we show that accountability can be relaxed to exclude causal dependencies that arise from the behavior of deviating parties, and not from the protocol as specified. We map out the design space for the relaxation, point out protocol classes separating these notions and define conditions under which we can guarantee fairness and completeness. Most importantly, we discover under which circumstances it is correct to consider accountability in the single-adversary setting, where this property can be verified with off-the-shelf protocol verification tools.

Critical infrastructures have to withstand advanced and persistent threats, which can be addressed using Byzantine fault tolerant state-machine replication (BFT-SMR). In practice, unattended cyberdefense systems rely on threat level detectors that synchronously inform them of changing threat levels. However, to have a BFT-SMR protocol operate unattended, the state-of-the-art is still to configure them to withstand the highest possible number of faulty replicas \$f\$ they might encounter, which limits their performance, or to make the strong assumption that a trusted external reconfiguration service is available, which introduces a single point of failure. In this work, we present ThreatAdaptive the first BFT-SMR protocol that is automatically strengthened or optimized by its replicas in reaction to threat level changes. We first determine under which conditions replicas can safely reconfigure a BFT-SMR system, i.e., adapt the number of replicas \$n\$ and the fault threshold \$f\$ so as to outpace an adversary. Since replicas typically communicate with each other using an asynchronous network they cannot rely on consensus to decide how the system should be reconfigured. ThreatAdaptive avoids this pitfall by proactively preparing the reconfiguration that may be triggered by an increasing threat when it optimizes its performance. Our evaluation shows that ThreatAdaptive can meet the latency and throughput of BFT baselines configured statically for a particular level of threat, and adapt 30% faster than previous methods, which make stronger assumptions to provide safety.

The maturity of intelligent transportation system, cloud computing and Internet of Things (IoT) technology has encouraged the rapid growth of vehicular ad-hoc networks (VANETs). Currently, vehicles are supposed to carry relatively more storage, on board computing facilities, increased sensing power and communication systems. In order to cope with real world demands such as low latency, low storage cost, mobility, etc., for the deployment of VANETs, numerous attempts have been taken to integrate fog-computing with VANETs. In the recent past, Ma et al. (IEEE Internet of Things, pp 2327-4662, 10. 1109/JIOT.2019.2902840) designed “An Efficient and Provably Secure Authenticated Key Agreement Protocol for Fog-Based Vehicular Ad-Hoc Networks”. Ma et al. claimed that their protocol offers secure communication in fog-based VANETs and is resilient against several security attacks. However, this comment demonstrates that their scheme is defenseless against vehicle-user impersonation attack and reveals secret keys of vehicle-user and fog-node. Moreover, it fails to offer vehicle-user anonymity and has inefficient login phase. This paper also gives some essential suggestions on strengthening resilience of the scheme, which are overlooked by Ma et al.

Fueled by the emergence of IoT-enabled medical sensors and big data analytics, nations all over the world are widely adopting digitalization of healthcare systems. This is certainly a positive trend for improving the entire spectrum of quality of care, but this convenience is also posing a huge challenge on the security of healthcare data. For ensuring privacy and protection of healthcare data, access control is regarded as one of the first-line-of-defense mechanisms. As none of the traditional enterprise access control models can completely cater to the need of the healthcare domain which includes a myriad of contexts, in this paper, we present a context-policy-based access control scheme. Our scheme relies on the eTRON cybersecurity architecture for tamper-resistance and cryptographic functions, and leverages a context-specific blend of classical discretionary and role-based access models for incorporation into legacy systems. Moreover, our scheme adheres to key recommendations of prominent statutory and technical guidelines including HIPAA and HL7. The protocols involved in the proposed access control system have been delineated, and a proof-of-concept implementation has been carried out - along with a comparison with other systems, which clearly suggests that our approach is more responsive to different contexts for protecting healthcare data.

We study the problem of generation of cycles, chains and graphs of pairing-friendly elliptic curves using in succinct non-interactive arguments for knowledge protocols in blockchain. The task to build a “stick” for existing MNT753 cycle is reduced to the factorization problem for big numbers. Together with graphs of pairing friendly elliptic curves we consider auxiliary graphs of their orders (primes or irreducible polynomials) associated to vertices and embedding degrees to edges. Numerical experiments allow us to conjecture that (except of MNT case): 1) for any fixed embedding degrees there exist only finite number of such cycles and, hence, there are no families of such cycles; 2) chains of prime order are very rare; we suppose that there are no polynomial families of such chains. It is hard to find a family of pairing friendly elliptic curves with the base field order q(x) such that ζk ∈ Q[x]/(q(x)) for k \textbackslashtextgreater 6. From other hand our examples show that we can apply Brezing-Weng construction with k=6 and D=3 iteratively to obtain chains of length 3-4. We build 1) a family of 1-chains with embedding degrees 8 and 7, where all orders are given by cyclotomic polynomials; 2) a combination of MNT cycle and near-MNT curve.

Quantum communication network is a new type of secure communication technique and has drawn a lot of attentions in recent years, it has absolute safety in theory. However, quantum communication networks can still be attacked in different ways, among which the intermediate basis attack based on intercept-resend is a typical eavesdropping strategy. With this method, The probability of the eavesdropper correctly guessing the sender's code value can reach up to 0.854, resulting in the quantum bit error rate (QBER) of 0.25. To improve the security performance of quantum communication networks, we propose a strategy based on attack basis detection for beating the intermediate basis attack named “WN19”. In WN19, we can reduce QBER and the probability of the eavesdropper obtaining information correctly by adjusting the initial state of the quantum state of the sender according to the result of attack basis detection. The simulation results show that if the polarization angle \$þeta\$ of the attack basis is \$\textbackslashtextbackslashpi/8\$, the QBER reduces from 0.25 to 0.1367 and the probability of eavesdropper correctly obtaining information decreases from 0.854 to 0.5811. It effectively improves the security of quantum cryptography under intermediate basis attack and provides a theoretical basis for the healthy development of quantum communication system.

The standard routing technique that was developed for satisfying low power IoT application needs is RPL which is a protocol in compliance with 6LoWPAN specification. RPL was created for addressing the issues and challenges of constrained and lossy network routing. However, RPL does not accomplish efficiency with respect to power and reliability altogether which are definitely needed in IoT applications. RPL runs on routing metrics and objective function which determines the optimal path in routing. This paper focuses on contributing a comprehensive survey on the improved objective functions proposed by several researchers for RPL. In addition, the paper concentrates on highlighting the strengths and shortcomings of the different approaches in designing the objective function. The approaches built on Fuzzy logic are found to be more efficient and the relevant works related to these are compared. Furthermore, we present the insights drawn from the survey and summarize the challenges which can be effectively utilized for future works.

One of the attacks in the RPL protocol is the Clone ID attack, that the attacker clones the node's ID in the network. In this research, a Clone ID detection system is designed for the Internet of Things (IoT), implemented in Contiki operating system, and evaluated using the Cooja emulator. Our evaluation shows that the proposed method has desirable performance in terms of energy consumption overhead, true positive rate, and detection speed. The overhead cost of the proposed method is low enough that it can be deployed in limited-resource nodes. The proposed method in each node has two phases, which are the steps of gathering information and attack detection. In the proposed scheme, each node detects this type of attack using control packets received from its neighbors and their information such as IP, rank, Path ETX, and RSSI, as well as the use of a routing table. The design of this system will contribute to the security of the IoT network.

Low power and lossy networks (LLNs) devices resource-constrained nature make it difficult to implement security mechanisms to defend against RPL routing attacks. RPLs inbuilt security functions are not efficient in preventing a wide majority of routing attacks. RPLs optional security schemes can defend against external attacks, but cannot mitigate internal attacks. Moreover, RPL does not have any mechanism to verify the integrity of control messages used to keep topology updated and route the traffic. All these factors play a major role in increasing the RPLs threat level against routing attacks. In this paper, a comparative literature review of various researchers suggesting security mechanisms to mitigate security attacks aimed at RPL has been performed and methods have been contrasted.

A distributed denial of service attack is a major security challenge in modern communications networks. In this article, we propose models that capture all the key performance indicators of synchronized denial of service protection mechanisms. As a result of the conducted researches, it is found out that thanks to the method of delay detection it is possible to recognize semi-open connections that are caused by synchronous flood and other attacks at an early stage. The study provides a mechanism for assessing the feasibility of introducing and changing the security system of a wireless sensor network. The proposed methodology will allow you to compare the mechanisms of combating denial of service for synchronized failures and choose the optimal protection settings in real-time.

Nowadays, Security is the biggest challenge in communication networks. Well defined security protocols not only solve the privacy and security issues but also help to reduce the implementation cost and simplify network's operation. Network society demands more reliable and secure network services as well as infrastructure. In communication networks, data theft, hacking, fraud, cyber warfare are serious security threats. Security as defined by experts is confirming protected communication amongst communication/computing systems and consumer applications in private and public networks, it is important for promising privacy, confidentiality, and protection of information. This paper highlights the security related issues and challenges in communication networks. We also present the holistic view for the underlaying physical layer including physical infrastructure attacks, jamming, interception, and eavesdropping. This research focused on improving the security measures and protocols in different communication networks.