Biblio

The Internet of Things is progressively turning into a pervasive computing service, needing enormous volumes of data storage and processing. However, due to the distinctive properties of resource constraints, self-organization, and short-range communication in Internet of Things (IoT), it always adopts to cloud for outsourced storage and computation. This integration of IoT with cloud has a row of unfamiliar security challenges for the data at rest. Cloud computing delivers highly scalable and flexible computing and storage resources on pay-per-use policy. Cloud computing services for computation and storage are getting increasingly popular and many organizations are now moving their data from in-house data centers to the Cloud Storage Providers (CSPs). Time varying workload and data intensive IoT applications are vulnerable to encounter challenges while using cloud computing services. Additionally, the encryption techniques and third-party auditors to maintain data integrity are still in their developing stage and therefore the data at rest is still a concern for IoT applications. In this paper, we perform an analysis study to investigate the challenges and strategies adapted by Cloud Computing to facilitate a safe transition of IoT applications to the Cloud.

In this paper, we observed Continuous Attacks are one kind of common side channel attack scenarios, where an adversary frequently probes the same target cache lines in a short time. Continuous Attacks cause target cache lines to go through multiple load-evict processes, exhibiting Ping-Pong Patterns. Identifying and obscuring Ping-Pong Patterns effectively interferes with the attacker's probe and mitigates Continuous Attacks. Based on the observations, this paper proposes Ping-Pong Regulator to identify multiple Ping-Pong Patterns and block them with different strategies (Preload or Lock). The Preload proactively loads target lines into the cache, causing the attacker to mistakenly infer that the victim has accessed these lines; the Lock fixes the attacked lines' directory entries on the last level cache directory until they are evicted out of caches, making an attacker's observation of the locked lines is always the L2 cache miss. The experimental evaluation demonstrates that the Ping-Pong Regulator efficiently identifies and secures attacked lines, induces negligible performance impacts and storage overhead, and does not require any software support.

The popularity of cloud storage among data users is due to easy maintenance, and no initial infrastructure setup cost as compared to local storage. However, although the data users outsource their data to cloud storage (a third party) still, they concern about their physical data. To check whether the data stored in the cloud storage has been modified or not, public auditing of the data is required before its utilization. To audit over vast outsourced data, the availability of the auditor is an essential requirement as nowadays, data owners are using mobile devices. But unfortunately, a single auditor leads to a single point of failure and inefficient to preserve the security and correctness of outsourced data. So, we introduce a distributed public auditing scheme which is based on peer-to-peer (P2P) architecture. In this work, the auditors are organized using a distributed hash table (DHT) mechanism and audit the outsourced data with the help of a published hashed key of the data. The computation and communication overhead of our proposed scheme is compared with the existing schemes, and it found to be an effective solution for public auditing on outsourced data with no single point of failure.

This paper presents an initial architecture to manage End-to-End Network Slices which, once deployed, are associated with Security Service Level Agreement(s) to increase the security on the virtual deployed resources and create End-to-End Secure Network Slices. Moreover, the workflows regarding the Network Slicing provisioning and the whole SSLA Lifecycle management is detailed.

Software Defined Networking (SDN) is disruptive networking technology which adopts a centralised framework to facilitate fine-grained network management. However security in SDN is still in its infancy and there is need for significant work to deal with different attacks in SDN. In this paper we discuss some of the possible attacks on SDN switches and propose techniques for detecting the attacks on switches. We have developed a Switch Security Application (SSA)for SDN Controller which makes use of trusted computing technology and some additional components for detecting attacks on the switches. In particular TPM attestation is used to ensure that switches are in trusted state during boot time before configuring the flow rules on the switches. The additional components are used for storing and validating messages related to the flow rule configuration of the switches. The stored information is used for generating a trusted report on the expected flow rules in the switches and using this information for validating the flow rules that are actually enforced in the switches. If there is any variation to flow rules that are enforced in the switches compared to the expected flow rules by the SSA, then, the switch is considered to be under attack and an alert is raised to the SDN Administrator. The administrator can isolate the switch from network or make use of trusted report for restoring the flow rules in the switches. We will also present a prototype implementation of our technique.

Majority of the daily and business activities nowadays are integrated and interconnected to the world across national, geographic and boundaries. Securing the Internet of Things (IoT) system is a challenge as these low powered devices in IoT system are very vulnerable to cyber-attacks and this will reduce the reliability of the system. Software Defined Network (SDN) intends to greatly facilitate the policy enforcement and dynamic network reconfiguration. This paper presents several architectures in the integration of IoT via SDN to improve security in the network and system.

Hardware-assisted isolation technology provide a Trusted Execution Environment (TEE) for the Trusted Computing Base (TCB) of a system. Since there is no standardization for such systems, many technologies using different approaches have been implemented over time. Before selecting or implementing a TEE, it is essential to understand the security architecture, features and analyze the technologies with respect to the new security vulnerabilities (i.e. Micro-architectural class of vulnerabilities). These technologies can be divided into two main types: 1) Isolation by software virtualization and 2) Isolation by hardware. In this paper, we discuss technology implementation of each type i.e. Intel SGX and ARM TrustZone for type-1; Intel ME and AMD Secure Processor for type-2. We also cover the vulnerability analysis against each technology with respect to the latest discovered attacks. This would enable a user to precisely appreciate the security capabilities of each technology.

The characteristics of resource sharing and centralized deployment of network function virtualization (NFV) make the physical boundary under the traditional closed management mode disappear, bringing many new security threats to the network. To improve the security of the NFV network, this paper proposes a network function virtualization security architecture based on mimic defense. At the same time, to ensure the differences between heterogeneous entities, a genetic algorithm-based heterogeneous entities pool construction method is proposed. Simulation results show that this method can effectively guarantee the difference between heterogeneous entities and increase the difficulty of attackers.

With the improvement of people's living standards, more and more network users access the network, including a large number of infrastructure, these devices constitute the Internet of things(IoT). With the rapid expansion of devices in the IoT, the data transmission between the IoT has become more complex, and the security issues are facing greater challenges. SDN as a mature network architecture, its security has been affirmed by the industry, it separates the data layer from the control layer, thus greatly improving the security of the network. In this paper, we apply the SDN to the IoT, and propose a IoT network architecture based on SDN. In this architecture, we not only make use of the security features of SDN, but also deploy different security modules in each layer of SDN to integrate, analyze and plan various data through the IoT, which undoubtedly improves the security performance of the network. In the end, we give a comprehensive introduction to the system and verify its performance.

The new network based on software-defined network SDN and network function virtualization NFV will replace the traditional network, so it is urgent to study the network security architecture based on the new network environment. This paper presents a software - defined security SDS architecture. It is open and universal. It provides an open interface for security services, security devices, and security management. It enables different network security vendors to deploy security products and security solutions. It can realize the deployment, arrangement and customization of virtual security function VSFs. It implements fine-grained data flow control and security policy management. The author analyzes the different types of attacks that different parts of the system are vulnerable to. The defender can disable the network attacks by changing the server-side security configuration scheme. The future research direction of network security is put forward.

Internet of Things (IoT) development and the addition of billions of computationally limited devices prohibit the use of classical security measures such as Intrusion Detection Systems (IDS). In this paper, we study the influence of the implementation of different feed-forward type of Neural Networks (NNs) on the detection Rate of the Negative Selection Neural Network (NSNN) algorithm. Feed-forward and cascade forward NN structures with different number of neurons and different number of hidden layers are tested. For training and testing the NSNN algorithm the labeled KDD NSL dataset is applied. The detection rates provided by the algorithm with several NN structures to determine the optimal solution are calculated and compared. The results show how these different feed-forward based NN architectures impact the performance of the NSNN algorithm.

This paper presents a self-securing decentralized on-chip network interface (NI) architecture to Multicore System-on-Chip (McSoC) platforms. To protect intra-chip communication within McSoC, security framework proposal resides in initiator and target NIs. A comparison between block cipher and lightweight cryptographic algorithms is then given, so we can figure out the most suitable cipher for network-on-chip (NoC) architectures. AES and LED security algorithms was a subject of this comparison. The designs are developed in Xilinx ISE 14.7 tool using VHDL language.

Network-on-chip (NoC) has become the standard communication fabric for on-chip components in modern System-on-chip (SoC) designs. Since NoC has visibility to all communications in the SoC, it has been one of the primary targets for security attacks. While packet encryption can provide secure communication, it can introduce unacceptable energy and performance overhead due to the resource-constrained nature of SoC designs. In this paper, we propose a lightweight encryption scheme that is implemented on the network interface. Our approach improves the performance of encryption without compromising security using incremental cryptography, which exploits the unique NoC traffic characteristics. Experimental results demonstrate that our proposed approach significantly (up to 57%, 30% on average) reduces the encryption time compared to traditional approaches with negligible (less than 2%) impact on area overhead.

Since the number of processors and cores on a single chip is increasing, the interconnection among them becomes significant. Network-on-Chip (NoC) has direct access to all resources and information within a System-on-Chip (SoC), rendering it appealing to attackers. Malicious attacks targeting NoC are a major cause of performance depletion and they can cause arbitrary behavior of links or routers, that is, Byzantine faults. Byzantine faults have been thoroughly investigated in the context of Distributed systems however not in Very Large Scale Integration (VLSI) systems. Hence, in this paper we propose a novel fault model followed by the design and implementation of lightweight algorithms, based on Software Defined Network-on-Chip (SDNoC) architecture. The proposed algorithms can be used to build highly available NoCs and can tolerate Byzantine faults. Additionally, a set of different scenarios has been simulated and the results demonstrate that by using the proposed algorithms the packet loss decreases between 65% and 76% under Transpose traffic, 67% and 77% under BitReverse and 55% and 66% under Uniform traffic.

Adapting parallel scheduling function in the design of multi-scheduling algorithm results significant impact in the operation of high performance parallel systems. The various methods of parallelizing scheduling functions are widely applied in traditional multiprocessor systems. In this paper a novel algorithm is introduced which works not only for parallel execution of jobs but also focuses the parallelization of scheduling function. It gives attention on reducing the execution time, minimizing the load balance performance by selecting the volume of tasks for migration in terms of packets. Jobs are grouped into packets consisting of 2n jobs which are scheduled in parallel. Thus, an enhancement in the scheduling mechanism by packet formation is made to carry out high utilization of underlying architecture with increased throughput. The proposed method is assessed on a desktop computer equipped with multi-core processors in cube based multiprocessor systems. The algorithm is implemented with different configuration of multi-core systems. The simulation results indicate that the proposed technique reduces the overall makespan of execution with an improved performance of the system.

With the application of virtualization and multi-core processor in embedded system, the computing capacity of embedded system has been improved comprehensively, but it is also faced with malicious attacks against virtualization technology. First, it was analyzed the security requirements of each layer of embedded virtualization computing platform. Aiming at the security requirements, it was proposed the security architecture of embedded virtualization computing platform based on trusted computing module. It was designed the hardware trusted root on the hardware layer, the virtualization trusted root on the virtual machine manager layer, trusted computing component and security function component on guest operation system layer. Based on the trusted roots, it was built the static extension of the trusted chain on the platform. This security architecture can improve the active security protection capability of embedded virtualization computing platform.

Malware classification remains at the forefront of ongoing research as the prevalence of metamorphic malware introduces new challenges to anti-virus vendors and firms alike. One approach to malware classification is Static Analysis - a form of analysis which does not require malware to be executed before classification can be performed. For this reason, a lightweight classifier based on the features of a malware binary is preferred, with relatively low computational overhead. In this work a modified convolutional neural network (CNN) architecture was deployed which integrated a complexity-based evaluation based on box-counting. This was implemented by setting up max-pooling layers in parallel, and then extracting the fractal dimension using a polyscalar relationship based on the resolution of the measurement scale and the number of elements of a malware image covered in the measurement under consideration. To test the robustness and efficacy of our approach we trained and tested on over 9300 malware binaries from 25 unique malware families. This work was compared to other award-winning image recognition models, and results showed categorical accuracy in excess of 96.54%.

We introduce a lightweight architecture of Intrusion Detection Systems (IDS) for ad-hoc IoT networks. Current state-of-the-art IDS have been designed based on assumptions holding from conventional computer networks, and therefore, do not properly address the nature of IoT networks. In this work, we first identify the correlation between the communication overheads and the placement of an IDS (as captured by proper placement of active IDS agents in the network). We model such networks as Random Geometric Graphs. We then introduce a novel IDS architectural approach by having only a minimum subset of the nodes acting as IDS agents. These nodes are able to monitor the network and detect attacks at the networking layer in a collaborative manner by monitoring 1-hop network information provided by routing protocols such as RPL. Conducted experiments show that our proposed IDS architecture is resilient and robust against frequent topology changes due to node failures. Our detailed experimental evaluation demonstrates significant performance gains in terms of communication overhead and energy dissipation while maintaining high detection rates.

In the era of edge computing and Artificial Intelligence (AI), securing billions of edge devices within a network against intelligent attacks is crucial. We propose PUFGAN, an innovative machine learning attack-proof security architecture, by embedding a self-adversarial agent within a device fingerprint- based security primitive, public PUF (PPUF) known for its strong fingerprint-driven cryptography. The self-adversarial agent is implemented using Generative Adversarial Networks (GANs). The agent attempts to self-attack the system based on two GAN variants, vanilla GAN and conditional GAN. By turning the attacking quality through generating realistic secret keys used in the PPUF primitive into system vulnerability, the security architecture is able to monitor its internal vulnerability. If the vulnerability level reaches at a specific value, PUFGAN allows the system to restructure its underlying security primitive via feedback to the PPUF hardware, maintaining security entropy at as high a level as possible. We evaluated PUFGAN on three different machine environments: Google Colab, a desktop PC, and a Raspberry Pi 2, using a real-world PPUF dataset. Extensive experiments demonstrated that even a strong device fingerprint security primitive can become vulnerable, necessitating active restructuring of the current primitive, making the system resilient against extreme attacking environments.

Recent advances in adversarial attacks uncover the intrinsic vulnerability of modern deep neural networks. Since then, extensive efforts have been devoted to enhancing the robustness of deep networks via specialized learning algorithms and loss functions. In this work, we take an architectural perspective and investigate the patterns of network architectures that are resilient to adversarial attacks. To obtain the large number of networks needed for this study, we adopt one-shot neural architecture search, training a large network for once and then finetuning the sub-networks sampled therefrom. The sampled architectures together with the accuracies they achieve provide a rich basis for our study. Our ''robust architecture Odyssey'' reveals several valuable observations: 1) densely connected patterns result in improved robustness; 2) under computational budget, adding convolution operations to direct connection edge is effective; 3) flow of solution procedure (FSP) matrix is a good indicator of network robustness. Based on these observations, we discover a family of robust architectures (RobNets). On various datasets, including CIFAR, SVHN, Tiny-ImageNet, and ImageNet, RobNets exhibit superior robustness performance to other widely used architectures. Notably, RobNets substantially improve the robust accuracy ( 5% absolute gains) under both white-box and black-box attacks, even with fewer parameter numbers. Code is available at https://github.com/gmh14/RobNets.

Over time, the use of wireless technologies has significantly increased due to bandwidth improvements, cost-effectiveness, and ease of deployment. Owing to the ease of access to the communication medium, wireless communications and technologies are inherently vulnerable to attacks. These attacks include brute force attacks such as jamming attacks and those that target the communication protocol (Wi-Fi and Bluetooth protocols). Thus, there is a need to make wireless communication resilient and secure against attacks. Existing wireless protocols and applications have attempted to address the need to improve systems security as well as privacy. They have been highly effective in addressing privacy issues, but ineffective in addressing security threats like jamming and session hijacking attacks and other types of Denial of Service Attacks. In this article, we present an ``architecture for resilient wireless communications'' based on the concept of Moving Target Defense. To increase the difficulty of launching successful attacks and achieve resilient operation, we changed the runtime characteristics of wireless links, such as the modulation type, network address, packet size, and channel operating frequency. The architecture reduces the overhead resulting from changing channel configurations using two communication channels, in which one is used for communication, while the other acts as a standby channel. A prototype was built using Software Defined Radio to test the performance of the architecture. Experimental evaluations showed that the approach was resilient against jamming attacks. We also present a mathematical analysis to demonstrate the difficulty of performing a successful attack against our proposed architecture.

The increasing complexity of modern computing devices has rendered security architectures vulnerable to recent side-channel and transient-execution attacks. We discuss the most relevant defenses as well as their drawbacks and how to overcome them for next-generation secure processor design.

Modern System-on-Chip (SoC) designs integrate a number of third party IPs (3PIPs) that coordinate and communicate through a Network-on-Chip (NoC) fabric to realize system functionality. An important class of SoC security attack involves a rogue IP tampering with the inter-IP communication. These attacks include message snoop, message mutation, message misdirection, IP masquerade, and message flooding. Static IP-level trust verification cannot protect against these SoC-level attacks. In this paper, we analyze the vulnerabilities of system level communication among IPs and develop a novel SoC security architecture that provides system resilience against exploitation by untrusted 3PIPs integrated over an NoC fabric. We show how to address the problem through a collection of fine-grained SoC security policies that enable on-the-fly monitoring and control of appropriate security-relevant events. Our approach, for the first time to our knowledge, provides an architecture-level solution for trusted SoC communication through run-time resilience in the presence of untrusted IPs. We demonstrate viability of our approach on a realistic SoC design through a series of attack models and show that our architecture incurs minimal to modest overhead in area, power, and system latency.

In recent years, software defined networking (SDN) has been proposed for enhancing the security of industrial control networks. However, its ability to guarantee the quality of service (QoS) requirements of such networks in the presence of adversarial flow still needs to be investigated. Queueing theory and particularly queueing network models have long been employed to study the performance and QoS characteristics of networks. The latter appears to be particularly suitable to capture the behaviour of SDN owing to the dependencies between layers, planes and components in an SDN architecture. Also, several authors have used queueing network models to study the behaviour of different application of SDN architectures, but none of the existing works have considered the strong periodic network traffic in software-defined industrial control networks. In this paper, we propose a queueing network model for softwaredefined industrial control networks, taking into account the strong periodic patterns of the network traffic in the data plane. We derive the performance measures for the analytical model and apply the queueing network model to study the effect of adversarial flow in software-defined industrial control networks.

The ever-increasing growth of urban populations coupled with recent mobile data usage trends has led to an unprecedented increase in wireless devices, services and applications, with varying quality of service needs in terms of latency, data rate, and connectivity. To cope with these rising demands and challenges, next-generation wireless networks have resorted to cloud radio access network (Cloud-RAN) technology as a way of reducing latency and network traffic. A concrete example of this is New York City's LinkNYC network infrastructure, which replaces the city's payphones with kiosk-like structures, called Links, to provide fast and free public Wi-Fi access to city users. When enabled with data storage capability, these Links can, for example, play the role of edge cloud devices to allow in-network content caching so that access latency and network traffic are reduced. In this paper, we propose HybridCache, a hybrid proactive and reactive in-network caching scheme that reduces content access latency and network traffic congestion substantially. It does so by first grouping edge cloud devices in clusters to minimize intra-cluster content access latency and then enabling cooperative-proactively and reactively-caching using LSTM-based prediction to minimize in-network content redundancy. Using the LinkNYC network as the backbone infrastructure for evaluation, we show that HybridCache reduces the number of hops that content needs to traverse and increases cache hit rates, thereby reducing both network traffic and content access latency.