Biblio

Emergence of Information and Communication Technology (ICT) has facilitated its users to access electronic services through open channel like Internet. This approach of digital communication has its specific security lapses, which should be addressed properly to ensure Privacy, Integrity, Non-repudiation and Authentication (PINA) of information. During message communication, intruders may mount infringement attempts to compromise the communication. The situation becomes critical, if an user is identified by multiple identification numbers, as in that case, intruder have a wide window open to use any of its identification number to fulfill its ill intentions. To resolve this issue, author have proposed a single window based cloud service delivery model, where a smart card serves as a single interface to access multifaceted electronic services like banking, healthcare, employment, etc. To detect and prevent unauthorized access, in this paper, authors have focused on the intrusion detection system of the cloud service model during cloud banking transaction.

Software-defined networking (SDN) allows the smart grid to be centrally controlled and managed by decoupling the control plane from the data plane, but it also expands attack surface for attackers. Existing studies about the security of SDN-enabled smart grid (SDSG) mainly focused on static methods such as access control and identity authentication, which is vulnerable to attackers that carefully probe the system. As the attacks become more variable and complex, there is an urgent need for dynamic defense methods. In this paper, we propose a security function virtualization (SFV) based moving target defense of SDSG which makes the attack surface constantly changing. First, we design a dynamic defense mechanism by migrating virtual security function (VSF) instances as the traffic state changes. The centralized SDN controller is re-designed for global status monitoring and migration management. Moreover, we formalize the VSF instances migration problem as an integer nonlinear programming problem with multiple constraints and design a pre-migration algorithm to prevent VSF instances' resources from being exhausted. Simulation results indicate the feasibility of the proposed scheme.

With the interconnection of services and customers, network attacks are capable of large amounts of damage. Flexible Random Virtual IP Multiplexing (FRVM) is a Moving Target Defence (MTD) technique that protects against reconnaissance and access with address mutation and multiplexing. Security techniques must be trusted, however, FRVM, along with past MTD techniques, have gaps in realistic evaluation and thorough analysis of security and performance. FRVM, and two comparison techniques, were deployed on a virtualised network to demonstrate FRVM's security and performance trade-offs. The key results include the security and performance trade-offs of address multiplexing and address mutation. The security benefit of IP address multiplexing is much greater than its performance overhead, deployed on top of address mutation. Frequent address mutation significantly increases an attackers' network scan durations as well as effectively obfuscating and hiding network configurations.

Nowadays, video streaming over HTTP is one of the most dominant Internet applications, using adaptive video techniques. Network assisted approaches have been proposed and are being standardized in order to provide high QoE for the end-users of such applications. SAND is a recent MPEG standard where DASH Aware Network Elements (DANEs) are introduced for this purpose. As web-caches are one of the main components of the SAND architecture, the location and the connectivity of these web-caches plays an important role in the user's QoE. The nature of SAND and DANE provides a good foundation for software controlled virtualized DASH environments, and in this paper, we propose a cache location algorithm and a cache migration algorithm for virtualized SAND deployments. The optimal locations for the virtualized DANEs is determined by an SDN controller and migrates it based on gathered statistics. The performance of the resulting system shows that, when SDN and NFV technologies are leveraged in such systems, software controlled virtualized approaches can provide an increase in QoE.

As Web traffics is increasing on the Internet, caching solutions for Web systems are becoming more important since they can greatly expand system scalability. An important part of a caching solution is cache replacement policy, which is responsible for selecting victim items that should be removed in order to make space for new objects. Typical replacement policies used in practice only take advantage of temporal reference locality by removing the least recently/frequently requested items from the cache. Although those policies work well in memory or filesystem cache, they are inefficient for Web systems since they do not exploit semantic relationship between Web items. This paper presents a semantic-aware caching policy that can be used in Web systems to enhance scalability. The proposed caching mechanism defines semantic distance from a web page to a set of pivot pages and use the semantic distances as a metric for choosing victims. Also, it use a function-based metric that combines access frequency and cache item size for tie-breaking. Our simulations show that out enhancements outperform traditional methods in terms of hit rate, which can be useful for websites with many small and similar-in-size web objects.

Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts. Such access to financial data and resources needs to meet particularly high security requirements to protect customers. One of the most promising standards in this segment is the OpenID Financial-grade API (FAPI), currently under development in an open process by the OpenID Foundation and backed by large industry partners. The FAPI is a profile of OAuth 2.0 designed for high-risk scenarios and aiming to be secure against very strong attackers. To achieve this level of security, the FAPI employs a range of mechanisms that have been developed to harden OAuth 2.0, such as Code and Token Binding (including mTLS and OAUTB), JWS Client Assertions, and Proof Key for Code Exchange. In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on an existing comprehensive model of the web infrastructure - the Web Infrastructure Model (WIM) proposed by Fett, Küsters, and Schmitz. To this end, we first develop a precise model of the FAPI in the WIM, including different profiles for read-only and read-write access, different flows, different types of clients, and different combinations of security features, capturing the complex interactions in a web-based environment. We then use our model of the FAPI to precisely define central security properties. In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties. We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI. Although financial applications are high-stakes environments, this work is the first to formally analyze and, importantly, verify an Open Banking security profile. By itself, this analysis is an important contribution to the development of the FAPI since it helps to define exact security properties and attacker models, and to avoid severe security risks before the first implementations of the standard go live. Of independent interest, we also uncover weaknesses in the aforementioned security mechanisms for hardening OAuth 2.0. We illustrate that these mechanisms do not necessarily achieve the security properties they have been designed for.

With the emergence of IoT, wearable devices are drawing attention and becoming part of our daily life. These wearable devices collect private information about their wearers. Mostly, a secure authentication process is used to verify a legitimate user that relies on the mobile terminal. Similarly, remote cloud services are used for verification and authentication of both wearable devices and wearers. Security is necessary to preserve the privacy of users. Some traditional authentication protocols are proposed which have vulnerabilities and are prone to different attacks like forgery, de-synchronization, and un-traceability issues. To address these vulnerabilities, recently, Wu et al. (2017) proposed a cloud-assisted authentication scheme which is costly in terms of computations required. Therefore this paper proposed an improved, lightweight and computationally efficient authentication scheme for wearable devices. The proposed scheme provides similar level of security as compared to Wu's (2017) scheme but requires 41.2% lesser computations.

Due to the rise of huge population in mankind and the large variety of upcoming utilization of power, the energy requirement has substantially increased. Smart Grid is a very important part of the Smart Cities initiative and is one of the crucial components in distribution and reconciliation of energy. Security of the smart grid infrastructure, which is an integral part of the smart grid framework, intended at transitioning the conventional power grid system into a robust, reliable, adaptable and intelligent energy utility, is an impending problem that needs to be arrested quickly. With the increasingly intensifying integration of smart devices in the smart grid infrastructure with other interconnected applications and the communication backbone is compelling both the energy users and the energy utilities to thoroughly look into the privacy and security issues of the smart grid. In this paper, we present challenges of the existing security mechanisms deployed in the smart grid framework and we tried to bring forward the unresolved problems that would highlight the security aspects of Smart Grid as a challenging area of research and development in the future.

Computer security has gained more and more attention in a public over the last years, since computer systems are suffering from significant and increasing security threats that cause security breaches by exploiting software vulnerabilities. The most efficient way to ensure the system security is to patch the vulnerable system before a malicious attack occurs. Besides the commonly-used push-type patch management, the pull-type patch management is also adopted. The main issues in the pull-type patch management are two-fold; when to check the vulnerability information and when to apply a patch? This paper considers the security patch management for a virtual machine (VM) based intrusion tolerant system (ITS), where the system undergoes the patch management with a periodic vulnerability checking strategy, and evaluates the system security from the availability aspect. A composite stochastic reward net (SRN) model is applied to capture the attack behavior of adversary and the defense behaviors of system. Two availability measures; interval availability and point-wise availability are formulated to quantify the system security via phase expansion. The proposed approach and metrics not only enable us to quantitatively assess the system security, but also provide insights on the patch management. In numerical experiments, we evaluate effects of the intrusion rate and the number of vulnerability checking on the system security.

In this paper, we propose an efficient and secure physically unclonable function based multi-factor authenticated key exchange (PUF-MAKE). In a PUF-MAKE setting, we suppose two participants; a user and a server. The user keeps multi-factor authenticators and securely holds a PUF-embedded device while the server maintains PUF outputs for authentication. We first study on how to efficiently construct a PUF-MAKE protocol. The main difficulty comes from that it should establish a common key from both multi-factor authenticators and a PUF-embedded device. Our construction is the first secure PUF-MAKE protocol that just needs three communication flows.

As the number of Internet users increases, their usage also diversifies, and it is important to prevent Identity on the Internet (Digital Identity) from being violated. Unauthorized authentication is one of the methods to infringe Digital Identity. Multi-factor authentication has been proposed as a method for preventing unauthorized authentication. However, the cryptographic authenticator required for multi-factor authentication is expensive both financially and UX-wise for the user. In this paper, we design, implement and evaluate multi-factor authentication using My Number Card provided by public personal identification service and WebUSB, which is being standardized.

Authentication is achieved by using different techniques, like using smart-card, identity password and biometric techniques. Some of the proposed schemes use a single factor for authentication while others combine multiple ways to provide multi-factor authentication for better security. lately, a new scheme for multi-factor authentication was presented by Cao and Ge and claimed that their scheme is highly secure and can withstand against all known attacks. In this paper, it is revealed that their scheme is still vulnerable and have some loopholes in term of reflection attack. Therefore, an improved scheme is proposed to overcome the security weaknesses of Cao and Ge's scheme. The proposed scheme resists security attacks and secure. Formal testing is carried out under a broadly-accepted simulated tool ProVerif which demonstrates that the proposed scheme is well secure.

Practitioners use infrastructure as code (IaC) scripts to provision servers and development environments. While developing IaC scripts, practitioners may inadvertently introduce security smells. Security smells are recurring coding patterns that are indicative of security weakness and can potentially lead to security breaches. The goal of this paper is to help practitioners avoid insecure coding practices while developing infrastructure as code (IaC) scripts through an empirical study of security smells in IaC scripts. We apply qualitative analysis on 1,726 IaC scripts to identify seven security smells. Next, we implement and validate a static analysis tool called Security Linter for Infrastructure as Code scripts (SLIC) to identify the occurrence of each smell in 15,232 IaC scripts collected from 293 open source repositories. We identify 21,201 occurrences of security smells that include 1,326 occurrences of hard-coded passwords. We submitted bug reports for 1,000 randomly-selected security smell occurrences. We obtain 212 responses to these bug reports, of which 148 occurrences were accepted by the development teams to be fixed. We observe security smells can have a long lifetime, e.g., a hard-coded secret can persist for as long as 98 months, with a median lifetime of 20 months.

We propose an efficient and secure two-server password-only remote user authentication protocol for consumer electronic devices, such as smartphones and laptops. Our protocol works on-top of any existing trust model, like Secure Sockets Layer protocol (SSL). The proposed protocol is secure against dictionary and impersonation attacks.

SSL certificates are a core component of the public key infrastructure that underpins encrypted communication in the Internet. In this paper, we report the results of a longitudinal study of the characteristics of SSL certificate chains presented to clients during secure web (HTTPS) connection setup. Our data set consists of 23B SSL certificate chains collected from a global panel consisting of over 2M residential client machines over a period of 6 months. The data informing our analyses provide perspective on the entire chain of trust, including root certificates, across a wide distribution of client machines. We identify over 35M unique certificate chains with diverse relationships at all levels of the PKI hierarchy. We report on the characteristics of valid certificates, which make up 99.7% of the total corpus. We also examine invalid certificate chains, finding that 93% of them contain an untrusted root certificate and we find they have shorter average chain length than their valid counterparts. Finally, we examine two unintended but prevalent behaviors in our data: the deprecation of root certificates and secure traffic interception. Our results support aspects of prior, scan-based studies on certificate characteristics but contradict other findings, highlighting the importance of the residential client-side perspective.

Software Defined Network (SDN) is a revolutionary networking paradigm which provides the flexibility of programming the network interface as per the need and demand of the user. Software Defined Network (SDN) is independent of vendor specific hardware or protocols and offers the easy extensions in the networking. A customized network as per on user demand facilitates communication control via a single entity i.e. SDN controller. Due to this SDN Controller has become more vulnerable to SDN security attacks and more specifically a single point of failure. It is worth noticing that vulnerabilities were identified because of customized applications which are semi-independent of underlying network infrastructure. No doubt, SDN has provided numerous benefits like breaking vendor lock-ins, reducing overhead cost, easy innovations, increasing programmability among devices, introducing new features and so on. But security of SDN cannot be neglected and it has become a major topic of debate. The communication channel used in SDN is OpenFlow which has made TLS implementation an optional approach in SDN. TLS adoption is important and still vulnerable. This paper focuses on making SDN OpenFlow communication more secure by following extended TLS support and defensive algorithm.

In this paper, development of cyber communication package in the application of grid connected solar system has been presented. Here, implemented communication methodology supports communication process with reduced latency, high security arrangement with various degrees of freedom. Faithful transferring of various electrical data for the purpose of measurement, monitoring and controlling actions depend on the bidirectional communication strategy. Thus, real-time communication of data through cyber network has been emphasized in this paper. The C\# language based coding is done to develop the communication program. The notable features of proposed communication process are reduction of latency during data exchange by usage of advanced encryption standard (AES) algorithm, tightening of cyber security arrangement by implementing secured socket layer (SSL) and Rivest, Shamir and Adleman (RSA) algorithms. Various real-time experiments using internet connected computers have been done to verify the usability of the proposed communication concept along with its notable features in the application.

With the unprecedented prevalence of mobile network applications, cryptographic protocols, such as the Secure Socket Layer/Transport Layer Security (SSL/TLS), are widely used in mobile network applications for communication security. The proven methods for encrypted video stream classification or encrypted protocol detection are unsuitable for the SSL/TLS traffic. Consequently, application-level traffic classification based networking and security services are facing severe challenges in effectiveness. Existing encrypted traffic classification methods exhibit unsatisfying accuracy for applications with similar state characteristics. In this paper, we propose a multiple-attribute-based encrypted traffic classification system named Multi-Attribute Associated Fingerprints (MAAF). We develop MAAF based on the two key insights that the DNS traces generated during the application runtime contain classification guidance information and that the handshake certificates in the encrypted flows can provide classification clues. Apart from the exploitation of key insights, MAAF employs the context of the encrypted traffic to overcome the attribute-lacking problem during the classification. Our experimental results demonstrate that MAAF achieves 98.69% accuracy on the real-world traceset that consists of 16 applications, supports the early prediction, and is robust to the scale of the training traceset. Besides, MAAF is superior to the state-of-the-art methods in terms of both accuracy and robustness.

This SQL injection attack is one of the common means for hackers to attack database. With the development of B/S mode application development, more and more programmers use this mode to write applications. However, due to the uneven level and experience of programmers, a considerable number of programmers do not judge the legitimacy of user input data when writing code, which makes the application security risks. Users can submit a database query code and get some data they want to know according to the results of the program. SQL injection attack belongs to one of the means of database security attack. It can be effectively protected by database security protection technology. This paper introduces the principle of SQL injection, the main form of SQL injection attack, the types of injection attack, and how to prevent SQL injection. Discussed and illustrated with examples.

Emails are the fundamental unit of web applications. There is an exponential growth in sending and receiving emails online. However, spam mail has turned into an intense issue in email correspondence condition. There are number of substance based channel systems accessible to be specific content based filter(CBF), picture based sifting and many other systems to channel spam messages. The existing technological solution consists of a combination of porter stemer algorithm(PSA) and k means clustering which is adaptive in nature. These procedures are more expensive in regard of the calculation and system assets as they required the examination of entire spam message and calculation of the entire substance of the server. These are the channels must additionally not powerful in nature life on the grounds that the idea of spam block mail and spamming changes much of the time. We propose a starting point based spam mail-sifting system benefit, which works considering top head notcher data of the mail message paying little respect to the body substance of the mail. It streamlines the system and server execution by increasing the precision, recall and accuracy than the existing methods. To design an effective and efficient of autonomous and efficient spam detection system to improve network performance from unknown privileged user attacks.

This paper presents the details of the roving proxy framework for SMS spam and SMS phishing (SMishing) detection. The framework aims to protect organizations and enterprises from the danger of SMishing attacks. Feasibility and functionality studies of the framework are presented along with an update process study to define the minimum requirements for the system to adapt with the latest spam and SMishing trends.

Machine learning has been adopted widely to perform prediction and classification. Implementing machine learning increases security risks when computation process involves sensitive data on training and testing computations. We present a proposed system to protect machine learning engines in IoT environment without modifying internal machine learning architecture. Our proposed system is designed for passwordless and eliminated the third-party in executing machine learning transactions. To evaluate our a proposed system, we conduct experimental with machine learning transactions on IoT board and measure computation time each transaction. The experimental results show that our proposed system can address security issues on machine learning computation with low time consumption.

Many websites induce the browser to send network traffic in response to user input events. This includes websites with autocomplete, a popular feature on search engines that anticipates the user's query while they are typing. Websites with this functionality require HTTP requests to be made as the query input field changes, such as when the user presses a key. The browser responds to input events by generating network traffic to retrieve the search predictions. The traffic emitted by the client can expose the timings of keyboard input events which may lead to a keylogging side channel attack whereby the query is revealed through packet inter-arrival times. We investigate the feasibility of such an attack on several popular search engines by characterizing the behavior of each website and measuring information leakage at the network level. Three out of the five search engines we measure preserve the mutual information between keystrokes and timings to within 1% of what it is on the host. We describe the ways in which two search engines mitigate this vulnerability with minimal effects on usability.

Dynamic Taint Analysis (DTA) technique has been developed for analysis and understanding behavior of Android applications and privacy policy enforcement. Meanwhile, implicit information flows (IIFs) are major concern of security researchers because IIFs can evade DTA technique easily and give attackers an advantage over the researchers. Some researchers suggested approaches to the issue and developed analysis systems supporting privacy policy enforcement against IIF-accompanied attacks; however, there is still no effective technique of comprehensive analysis and privacy policy enforcement against IIF-accompanied attacks. In this paper, we propose an IIF detection technique to enforce privacy policy against IIF-accompanied attacks in Android applications. We developed a new analysis tool, called Smalien, that can discover data leakage caused by IIF-contained information flows as well as explicit information flows. We demonstrated practicability of Smalien by applying it to 16 IIF tricks from ScrubDroid and two IIF tricks from DroidBench. Smalien enforced privacy policy successfully against all the tricks except one trick because the trick loads code dynamically from a remote server at runtime, and Smalien cannot analyze any code outside of a target application. The results show that our approach can be a solution to the current attacker-superior situation.

Nowadays, the industrial control systems (ICS) face many challenges, where security is becoming one of the most crucial. This fact is caused by new connected environment, which brings among new possibilities also new vulnerabilities, threats, or possible attacks. The criminal acts in the ICS area increased over the past years exponentially, which caused the loss of billions of dollars. This also caused classical Intrusion Detection Systems and Intrusion Prevention Systems to evolve in order to protect among IT also ICS networks. However, these systems need sufficient data such as traffic logs, protocol information, attack patterns, anomaly behavior marks and many others. To provide such data, the requirements for the test environment are summarized in this paper. Moreover, we also introduce more than twenty common vulnerabilities across the ICS together with information about possible risk, attack vector (point), possible detection methods and communication layer occurrence. Therefore, the paper might be used as a base-ground for building sufficient data generator for machine learning and artificial intelligence algorithms often used in ICS/IDS systems.