Biblio

Nowadays, in this COVID era, work from home is quietly more preferred than work from the office. Due to this, the need for a firewall has been increased day by day. Every organization uses the firewall to secure their network and create VPN servers to allow their employees to work from home. Due to this, the security of the firewall plays a crucial role. In this paper, we have compared the two most popular open-source firewalls named pfSense and OPNSense. We have examined the security they provide by default without any other attachment. To do this, we performed four different attacks on the firewalls and compared the results. As a result, we have observed that both provide the same security still pfSense has a slight edge when an attacker tries to perform a Brute force attack over OPNSense.

The recent experience in the use of virtual reality (VR) technology has shown that users prefer Electromyography (EMG) sensor-based controllers over hand controllers. The results presented in this paper show the potential of EMG-based controllers, in particular the Myo armband, to identify a computer system user. In the first scenario, we train various classifiers with 25 keyboard typing movements for training and test with 75. The results with a 1-dimensional convolutional neural network indicate that we are able to identify the user with an accuracy of 93% by analyzing only the EMG data from the Myo armband. When we use 75 moves for training, accuracy increases to 96.45% after cross-validation.

Blockchain technology has made it possible to store and send digital currencies. Bitcoin wallets and marketplaces have made it easy for nontechnical users to use the protocol. Since its inception, the price of Bitcoin is going up and the number of nodes in the network has increased drastically. The increasing popularity of Bitcoin has made exchanges and individual nodes a target for an attack. Understanding the Bitcoin protocol better helps security engineers to harden the network and helps regular users secure their hot wallets. In this paper, Bitcoin protocol is presented with description of the mining process which secures transactions. In addition, the Bitcoin algorithms and their security are described with potential vulnerabilities in the protocol and potential exploits for attackers. Finally, we propose some security solutions to help mitigate attacks on Bitcoin exchanges and hot wallets.

Blind identification of channel codes is crucial in intelligent communication and non-cooperative signal processing, and it plays a significant role in wireless physical layer security, information interception, and information confrontation. Previous researches show a high computation complexity by manual feature extractions, in addition, problems of indisposed accuracy and poor robustness are to be resolved in a low signal-to-noise ratio (SNR). For solving these difficulties, based on deep residual shrinkage network (DRSN), this paper proposes a novel recognizer by deep learning technologies to blindly distinguish the type and the parameter of channel codes without any prior knowledge or channel state, furthermore, feature extractions by the neural network from codewords can avoid intricate calculations. We evaluated the performance of this recognizer in AWGN, single-path fading, and multi-path fading channels, the results of the experiments showed that the method we proposed worked well. It could achieve over 85 % of recognition accuracy for channel codes in AWGN channels when SNR is not lower than 4dB, and provide an improvement of more than 5% over the previous research in recognition accuracy, which proves the validation of the proposed method.

In the smart grid, the sharing of power data among various energy entities can make the data play a higher value. However, there may be unauthorized access while sharing data, which makes many entities unwilling to share their data to prevent data leakage. Based on blockchain and ABAC (Attribute-based Access Control) technology, this paper proposes an access control scheme, so that users can achieve fine-grained access control of their data when sharing them. The solution uses smart contract to achieve automated and reliable policy evaluation. IPFS (Interplanetary File System) is used for off-chain distributed storage to share the storage pressure of blockchain and guarantee the reliable storage of data. At the same time, all processes in the system are stored in the blockchain, ensuring the accountability of the system. Finally, the experiment proves the feasibility of the proposed scheme.

In this work, the use of an undercover conversational agent, acting as a participative student in a synchronous virtual reality distance learning scenario is proposed to stimulate social interaction between teacher and students. The outcome of an exploratory user study indicated that the undercover conversational agent is capable of fostering interaction, relieving social pressure, and overall leading to a more satisfactory and engaging learning experience without sacrificing learning performance.

The main limitation of acoustic particle separation for microfluidic application is its low sorting efficiency. This is due to the weak coupling of surface acoustic waves (SAWs) into the microchannel. In this work, we demonstrate bulk acoustic wave (BAW) particle sorting using capacitive micromachined ultrasonic transducers (CMUTs) for the first time. A collapsed mode CMUT was driven in air to generate acoustic pressure within the silicon substrate in the in-plane direction of the silicon die. This acoustic pressure was coupled into a water droplet, positioned at the side of the CMUT die, and measured with an optical hydrophone. By using a beam steering approach, the ultrasound generated from 32 CMUT elements were added in-phase to generate a maximum peak-to-peak pressure of 0.9 MPa. Using this pressure, 10 µm latex beads were sorted almost instantaneously.

This paper presents CaptchaGG, a model for recognizing linear graphical CAPTCHAs. As in the previous society, CAPTCHA is becoming more and more complex, but in some scenarios, complex CAPTCHA is not needed, and usually, linear graphical CAPTCHA can meet the corresponding functional scenarios, such as message boards of websites and registration of accounts with low security. The scheme is based on convolutional neural networks for feature extraction of CAPTCHAs, recurrent neural forests A neural network that is too complex will lead to problems such as difficulty in training and gradient disappearance, and too simple will lead to underfitting of the model. For the single problem of linear graphical CAPTCHA recognition, the model which has a simple architecture, extracting features by convolutional neural network, sequence modeling by recurrent neural network, and finally classification and recognition, can achieve an accuracy of 96% or more recognition at a lower complexity.

FPGA bitstream protection schemes are often the first line of defense for secure hardware designs. In general, breaking the bitstream encryption would enable attackers to subvert the confidentiality and infringe on the IP. Or breaking the authenticity enables manipulating the design, e.g., inserting hardware Trojans. Since FPGAs see widespread use in our interconnected world, such attacks can lead to severe damages, including physical harm. Recently we [1] presented a surprising attack — Starbleed — on Xilinx 7-Series FPGAs, tricking an FPGA into acting as a decryption oracle. For their UltraScale(+) series, Xilinx independently upgraded the security features to AES-GCM, RSA signatures, and a periodic GHASH-based checksum to validate the bitstream during decryption. Hence, UltraScale(+) devices were considered not affected by Starbleed-like attacks [2], [1].We identified novel security weaknesses in Xilinx UltraScale(+) FPGAs if configured outside recommended settings. In particular, we present four attacks in this situation: two attacks on the AES encryption and novel GHASH-based checksum and two authentication downgrade attacks. As a major contribution, we show that the Starbleed attack is still possible within the UltraScale(+) series by developing an attack against the GHASH-based checksum. After describing and analyzing the attacks, we list the subtle configuration changes which can lead to security vulnerabilities and secure configurations not affected by our attacks. As Xilinx only recommends configurations not affected by our attacks, users should be largely secure. However, it is not unlikely that users employ settings outside the recommendations, given the rather large number of configuration options and the fact that Security Misconfiguration is among the leading top 10 OWASP security issues. We note that these security weaknesses shown in this paper had been unknown before.

As the IPv6 protocol has been rapidly developed and applied, the security of IPv6 networks has become the focus of academic and industrial attention. Despite the fact that the IPv6 protocol is designed with security in mind, due to insufficient defense measures of current firewalls and intrusion detection systems for IPv6 networks, the construction of covert channels using fields not defined or reserved in IPv6 protocols may compromise the information systems. By discussing the possibility of constructing storage covert channels within IPv6 protocol fields, 10 types of IPv6 covert channels are constructed with undefined and reserved fields, including the flow label field, the traffic class field of IPv6 header, the reserved fields of IPv6 extension headers and the code field of ICMPv6 header. An IPv6 covert channel detection method based on field matching (CC-Guard) is proposed, and a typical IPv6 network environment is built for testing. In comparison with existing detection tools, the experimental results show that the CC-Guard not only can detect more covert channels consisting of IPv6 extension headers and ICMPv6 headers, but also achieves real-time detection with a lower detection overhead.

The access control mechanism of most consortium blockchain is implemented through traditional Certificate Authority scheme based on trust chain and centralized key management such as PKI/CA at present. However, the uneven power distribution of CA nodes may cause problems with leakage of certificate keys, illegal issuance of certificates, malicious rejection of certificates issuance, manipulation of issuance logs and metadata, it could compromise the security and dependability of consortium blockchain. Therefore, this paper design and implement a Certificate Authority scheme based on trust ring model that can not only enhance the reliability of consortium blockchain, but also ensure high performance. Combined public key, transformation matrix and elliptic curve cryptography are applied to the scheme to generate and store keys in a cluster of CA nodes dispersedly and securely for consortium nodes. It greatly reduced the possibility of malicious behavior and key leakage. To achieve the immutability of logs and metadata, the scheme also utilized public blockchain and smart contract technology to organize the whole procedure of certificate issuance, the issuance logs and metadata for certificate validation are stored in public blockchain. Experimental results showed that the scheme can surmount the disadvantages of the traditional scheme while maintaining sufficiently good performance, including issuance speed and storage efficiency of certificates.

Cloud computing is becoming a demanding technology due to its flexibility, sensibility and remote accessibility. Apart from these applications of cloud computing, privacy and security are two terms that pose a circumstantial discussion. Various authors have argued on this topic that cloud computing is more secure than other data sharing and storing methods. The conventional data storing system is a computer system or smartphone storage. The argument debate also states that cloud computing is vulnerable to enormous types of attacks which make it a more concerning technology. This current study has also tried to draw the circumstantial and controversial debate on the security and privacy system of cloud computing. Primary research has been conducted with 65 cloud computing experts to understand whether a cloud computing security technique is highly secure or not. An online survey has been conducted with them where they provided their opinions based on the security and privacy system of cloud computing. Findings showed that no particular technology is available which can provide maximum security. Although the respondents agreed that blockchain is a more secure cloud computing technology; however, the blockchain also has certain threats which need to be addressed. The study has found essential encryption systems that can be integrated to strengthen security; however, continuous improvement is required.

With the development of the digital development transformation of the power grid, the classification of power unstructured encrypted data is an important basis for data security protection. However, most studies focus on exact match classification or single-keyword fuzzy match classification. This paper proposes a fuzzy matching classification method for power unstructured encrypted data. The data owner generates an index vector based on the power unstructured file, and the data user generates a query vector by querying the file through the same process. The index and query vector are uploaded to the cloud server in encrypted form, and the cloud server calculates the relevance score and sorts it, and returns the classification result with the highest score to the user. This method realizes the multi-keyword fuzzy matching classification of unstructured encrypted data of electric power, and through the experimental simulation of a large number of data sets, the effect and feasibility of the method are proved.

With the popularization of cloud computing and the deepening of its application, more and more cloud block storage systems have been put into use. The performance optimization of cloud block storage systems has become an important challenge facing today, which is manifested in the reduction of system performance caused by the unbalanced resource load of cloud block storage systems. Accurately predicting the I/O load status of the cloud block storage system can effectively avoid the load imbalance problem. However, the cloud block storage system has the characteristics of frequent random reads and writes, and a large amount of I/O requests, which makes prediction difficult. Therefore, we propose a novel I/O load prediction method for XB-IOPS feature engineering. The feature engineering is designed according to the I/O request pattern, I/O size and I/O interference, and realizes the prediction of the actual load value at a certain moment in the future and the average load value in the continuous time interval in the future. Validated on a real dataset of Alibaba Cloud block storage system, the results show that the XB-IOPS feature engineering prediction model in this paper has better performance in Alibaba Cloud block storage devices where random I/O and small I/O dominate. The prediction performance is better, and the prediction time is shorter than other prediction models.

This paper presents a program-code mutation technique that is applied in-field to embedded systems in order to create diversity in a population of systems that are identical at the time of their deployment. With this diversity, it becomes more difficult for attackers to carry out the very popular Return-Oriented-Programming (ROP) attack in a large scale, since the gadgets in different systems are located at different program addresses after code permutation. In order to prevent the system from a system crash after a failed ROP attack, we further propose the combination of the code mutation with a return address checking. We will report the overhead in time and memory along with a security analysis.

With the development of software defined network and network function virtualization, network operators can flexibly deploy service function chains (SFC) to provide network security services more than before according to the network security requirements of business systems. At present, most research on verifying the correctness of SFC is based on whether the logical sequence between service functions (SF) in SFC is correct before deployment, and there is less research on verifying the correctness after SFC deployment. Therefore, this paper proposes a method of using Colored Petri Net (CPN) to establish a verification model offline and verify whether each SF deployment in SFC is correct after online deployment. After the SFC deployment is completed, the information is obtained online and input into the established model for verification. The experimental results show that the SFC correctness verification method proposed in this paper can effectively verify whether each SF in the deployed SFC is deployed correctly. In this process, the correctness of SF model is verified by using SF model in the model library, and the model reuse technology is preliminarily discussed.

Control flow integrity (CFI) checks are used in desktop systems, in order to protect them from various forms of attacks, but they are rarely investigated for embedded systems, due to their introduced overhead. The contribution of this paper is an efficient software implementation of a CFI-check for ARM-and Xtensa processors. Moreover, we propose the combination of this CFI-check with another defense mechanism against return-oriented-programming (ROP). We show that by this combination the security is significantly improved. Moreover, it will also in-crease the safety of the system, since the combination can detect a failed ROP-attack and bring the system in a safe state, which is not possible when using each technique separately. We will also report on the introduced overhead in code size and run time.

Frame detection is an important part of the reconnaissance satellite receiver to identify the terrestrial application specific messages (ASM) / VHF data exchange (VDE) signal, and has been challenged by Doppler shift and message collision. A constant false alarm rate (CFAR) frame detection strategy insensitive to Doppler shift has been proposed in this paper. Based on the double Barker sequence, a periodical sequence has been constructed, and differential operations have been adopted to eliminate the Doppler shift. Moreover, amplitude normalization is helpful for suppressing the interference introduced by message collision. Simulations prove that the proposed CFAR frame detection strategy is very attractive for the reconnaissance satellite to identify the terrestrial ASM/VDE signal.

This paper proposes a control flow integrity checking method based on the LBR register: through an analysis of the static target program loaded binary modules, gain function attributes such as borders and build the initial transfer of legal control flow boundary, real-time maintenance when combined with the dynamic execution of the program flow of control transfer record, build a complete profile control flow transfer security; Get the call location of /bin/sh or system() in the program to build an internal monitor for control-flow integrity checks. In the process of program execution, on the one hand, the control flow transfer outside the outline is judged as the abnormal control flow transfer with attack threat; On the other hand, abnormal transitions across the contour are picked up by an internal detector. In this method, by identifying abnormal control flow transitions, attacks are initially detected before the attack code is executed, while some attacks that bypass the coarse-grained verification of security profile are captured by the refined internal detector of control flow integrity. This method reduces the cost of control flow integrity check by using the safety profile analysis of coarse-grained check. In addition, a fine-grained shell internal detector is inserted into the contour to improve the safety performance of the system and achieve a good balance between performance and efficiency.

In Production System Engineering (PSE), domain experts from different disciplines reuse assets such as products, production processes, and resources. Therefore, PSE organizations aim at establishing reuse across engineering disciplines. However, the coordination of multi-disciplinary reuse tasks, e.g., the re-validation of related assets after changes, is hampered by the coarse-grained representation of tasks and by scattered, heterogeneous domain knowledge. This paper introduces the Multi-disciplinary Reuse Coordination (MRC) artifact to improve task management for multi-disciplinary reuse. For assets and their properties, the MRC artifact describes sub-tasks with progress and result states to provide references for detailed reuse task management across engineering disciplines. In a feasibility study on a typical robot cell in automotive manufacturing, we investigate the effectiveness of task management with the MRC artifact compared to traditional approaches. Results indicate that the MRC artifact is feasible and provides effective capabilities for coordinating multi-disciplinary re-validation after changes.

There are a large number of illegal websites on the Internet, such as pornographic websites, gambling websites, online fraud websites, online pyramid selling websites, etc. This paper studies the use of crawler technology for digital forensics on illegal websites. First, a crawler based illegal website forensics program is designed and developed, which can detect the peripheral information of illegal websites, such as domain name, IP address, network topology, and crawl key information such as website text, pictures, and scripts. Then, through comprehensive analysis such as word cloud analysis, word frequency analysis and statistics on the obtained data, it can help judge whether a website is illegal.

In this paper, we proposed a data security model of a big data analytical environment in the financial sector. Big Data can be seen as a trend in the advancement of technology that has opened the door to a new approach to understanding and decision making that is used to describe the vast amount of data (structured, unstructured and semi-structured) that is too time consuming and costly to load a relational database for analysis. The increase in cybercriminal attacks on an organization’s assets results in organizations beginning to invest in and care more about their cybersecurity points and controls. The management of business-critical data is an important point for which robust cybersecurity controls should be considered. The proposed model is applied in a datalake and allows the identification of security gaps on an analytical repository, a cybersecurity risk analysis, design of security components and an assessment of inherent risks on high criticality data in a repository of a regulated financial institution. The proposal was validated in financial entities in Lima, Peru. Proofs of concept of the model were carried out to measure the level of maturity focused on: leadership and commitment, risk management, protection control, event detection and risk management. Preliminary results allowed placing the entities in level 3 of the model, knowing their greatest weaknesses, strengths and how these can affect the fulfillment of business objectives.

Cloud computing is a unified management and scheduling model of computing resources. To satisfy multiple resource requirements for various application, edge computing has been proposed. One challenge of edge computing is cross-domain data security sharing problem. Ciphertext policy attribute-based encryption (CP-ABE) is an effective way to ensure data security sharing. However, many existing schemes focus on could computing, and do not consider the features of edge computing. In order to address this issue, we propose a cross-domain data security sharing approach for edge computing based on CP-ABE. Besides data user attributes, we also consider access control from edge nodes to user data. Our scheme first calculates public-secret key peer of each edge node based on its attributes, and then uses it to encrypt secret key of data ciphertext to ensure data security. In addition, our scheme can add non-user access control attributes such as time, location, frequency according to the different demands. In this paper we take time as example. Finally, the simulation experiments and analysis exhibit the feasibility and effectiveness of our approach.

With the intelligent development of power system, due to the double-layer structure of smart grid and the characteristics of failure propagation across layers, the attack path also changes significantly: from single-layer to multi-layer and from static to dynamic. In response to the shortcomings of the single-layer attack path of traditional attack path identification methods, this paper proposes the idea of cross-layer attack, which integrates the threat propagation mechanism of the information layer and the failure propagation mechanism of the physical layer to establish a forward-backward bi-directional detection model. The model is mainly used to predict possible cross-layer attack paths and evaluate their path generation probabilities to provide theoretical guidance and technical support for defenders. The experimental results show that the method proposed in this paper can well identify the dynamic cross-layer attacks in the smart grid.

Unmanned Aerial Vehicle (UAV)-based streaming media transmission may become unstable when the bit rate generated by the source load exceeds the channel capacity owing to the UAV location and speed change. The change of the location can affect the network connection, leading to reduced transmission rate; the change of the flying speed can increase the video payload due to more I-frames. To improve the transmission reliability, in this paper we design a Client-Server-Ground&User (C-S-G&U) framework, and propose an algorithm of splitting-merging stream (SMS) for multi-link concurrent transmission. We also establish multiple transport links and configure the routing rules for the cross-layer design. The multi-link transmission can achieve higher throughput and significantly smaller end-to-end delay than a single-link especially in a heavy load situation. The audio and video data are packaged into the payload by the Real-time Transport Protocol (RTP) before being transmitted over the User Datagram Protocol (UDP). The forward error correction (FEC) algorithm is implemented to promote the reliability of the UDP transmission, and an encryption algorithm to enhance security. In addition, we propose a Quality of Service (QoS) strategy so that the server and the user can control the UAV to adapt its transmission mode dynamically, according to the load, delay, and packet loss. Our design has been implemented on an engineering platform, whose efficacy has been verified through comprehensive experiments.