Biblio

Mobile Ad-hoc Networks (MANET) is an autonomous network consisting of movable devices that can form a network using wireless media. MANET routing protocols can be used for selecting an efficient and shortest path for data transmission between nodes in a smart environment formed by the Internet of Things (IoT). Networking in such MANET-enabled IoT system is based on the routing protocols of MANET, data sensing from things, and data handling and processing using IoT. This paper studies proactive approach-based secure routing protocols for MANET-enabled IoT and analyses these protocols to identify security issues in it. Since this fusion network is resource-constrained in nature, each of the studied protocol is evaluated to check if it is lightweight or not. Also, the solution to defend against active attacks in this network is discussed.

With the development in IC technology, testing the designs is becoming more and more complex. In the design, process testing consumes 60-80% of the time. The basic testing principle is providing the circuit under test (CUT) with input patterns, observing output responses, and comparing against the desired response called the golden response. As the density of the device are rising leads to difficulty in examining the sub-circuit of the chip. So, testing of design is becoming a time-consuming and costly process. Attaching additional logic to the circuit resolves the issue by testing itself. BIST is a relatively a design for testability technique to facilitate thorough testing of ICs and it comprises the test pattern generator, circuit under test, and output response analyzer. Quick diagnosis and very high fault coverage can be ensured by BIST. As complexity in the circuit is increasing, testing urges TPGs (Test Pattern Generators) to generate the test patterns for the CUT to sensitize the faults. TPGs are vulnerable to malicious activities such as scan-based side-channel attacks. Secret data saved on the chip can be extracted by an attacker by scanning out the test outcomes. These threats lead to the emergence of securing TPGs. This work demonstrates providing a secured test pattern generator for BIST circuits by locking the logic of TPG with a password or key generated by the key generation circuit. Only when the key is provided test patterns are generated. This provides versatile protection to TPG from malicious attacks such as scan-based side-channel attacks, Intellectual Property (IP) privacy, and IC overproduction.

The Internet of Things (IoT) is a technology that allows connection between devices using the internet to collect and exchange data with each other. Privacy and security have become the most pressing issues in the IoT network, especially in the smart home. Nevertheless, there are still many smart home devices that have not implemented security and privacy policies. This study proposes a remote sensor control system built on ESP32 to implement a smart home through the Message Queuing Telemetry Transport(MQTT) protocol by applying the Advanced Encryption Standard (AES) algorithm with a 256-bit key. It addresses security issues in the smart home by encrypting messages sent from users to sensors. Besides ESP32, the system implementation also uses Raspberry Pi and smartphone with Android applications. The network was analyzed using Wireshark, and it showed that the message sent was encrypted. This implementation could prevent brute force attacks, with the result that it could guarantee the confidentiality of a message. Meanwhile, from several experiments conducted in this study, the difference in the average time of sending encrypted and unencrypted messages was not too significant, i.e., 20 ms.

The concept of usage control goes beyond traditional access control by regulating not only the retrieval but also the processing of data. To be able to remotely enforce usage control policy the processing party requires a trusted execution environ-ment such as Intel SGX which creates so-called enclaves. In this paper we introduce Multi Enclave based Code from Template (MECT), an SGX-based architecture for trusted remote policy enforcement. MECT uses a multi-enclave approach in which an enclave generation service dynamically generates enclaves from pre-defined code and dynamic policy parameters. This approach leads to a small trusted computing base and highly simplified attestation while preserving functionality benefits. Our proof of concept implementation consumes customisable code from templates. We compare the implementation with other architectures regarding the trusted computing base, flexibility, performance, and modularity. This comparison highlights the security benefits for remote attestation of MECT.

Robotic systems are becoming an ever-increasing part of everyday life due to their capacity to carry out physical tasks on behalf of human beings. Found in nearly every facet of our lives, robotic systems are used domestically, in small and large-scale factories, for the production and processing of agriculture, for military operations, to name a few. The Robotic Operating System (ROS) is the standard operating system used today for the development of modular robotic systems. However, in its development, ROS has been notorious for the absence of security mechanisms, placing people in danger both physically and digitally. This dissertation summary presents the development of a suite of ROS tools, leading up to the development of a modular, secure framework for ROS. An integrated approach for the security of ROS-enabled robotic systems is described, to set a baseline for the continual development to increase ROS security. The work culminates in the ROS security tool ROS-Immunity, combining internal system defense, external system verification, and automated vulnerability detection in an integrated tool that, in conjunction with Secure-ROS, provides a suite of defenses for ROS systems against malicious attackers.

Signatures are used on documents as written proof that the document was verified by the person indicated. Signature also indicated that the document originated from the signer if the document is transferred to another party. A document maybe in physical print form but may also be a digital print. A digital print requires additional security since a digital document may easily be altered by anyone although the said document is signed using a photographed or scanned signature. One of the means of security is by using the RSA Digital Signature method which is a combination of the RSA algorithm with Digital Signature. RSA algorithm is one of the public key cryptography algorithms, while Digital Signature is a security scheme which may guarantee the authenticity, non-repudiation, and integrity of a file by means of a hash function. This research implemented a web-based combination of RSA Digital Signature with SHA-3 hash function to secure the integrity of PDF files using PHP programming language. The result is a web-based system which could guarantee the authenticity, non repudiation and integrity of PDF files. Testing were carried out on six different sizes of PDF files ranging from 6 KB, up to 23285 KB on three different web browsers: Google Chrome, Microsoft Edge, and Mozilla Firefox. Average processing times of signing and verifying on each browsers were 1.3309 seconds, 1.2565 seconds, and 1.2667 seconds.

The Internet of Things (IoT) paradigm, with its highly distributed and interconnected architecture, is gaining ground in Industry 4.0 and in critical infrastructures like the eHealth sector, the Smart Grid, Intelligent Power Plants and Smart Mobility. In these critical sectors, the preservation of metrological characteristics and their traceability is a strong legal requirement, just like cyber-security, since it offers the ground for liability. Any vulnerability in the system in which the metrological network is embedded can endanger human lives, the environment or entire economies. This paper presents a framework comprised of a methodology and some tools for the governance of the metrological chain. The proposed methodology combines the RAMI 4.0 model, which is a Reference Architecture used in the field of Industrial Internet of Things (IIoT), with the the Reference Model for Information Assurance & Security (RMIAS), a framework employed to guarantee information assurance and security, merging them with the well established paradigms to preserve calibration and referability of metrological instruments. Thus, metrological traceability and cyber-security are taken into account straight from design time, providing a conceptual space to achieve security by design and to support the maintenance of the metrological chain over the entire system lifecycle. The framework lends itself to be completely automatized with Model Checking to support automatic detection of non conformity and anomalies at run time.

Internet of Things (IoT), Cloud and Augmented Reality (AR) are the emerging and developing technologies and are at the horizon and hype of their life cycle. Lots of commercial applications based on IoT, cloud and AR provide unrestricted access to data. The real-time applications based on these technologies are at the cusp of their innovations. The most frequent security attacks for IoT, cloud and AR applications are DDoS attacks. In this paper a detailed account of various DDoS attacks that can be the hindrance of many important sensitive services and can degrade the overall performance of recent services which are purely based on network communications. The DDoS attacks should be dealt with carefully and a set of a new generations of algorithm need to be developed to mitigate the problems caused by non-repudiation kinds of attacks.

Cyber-physical systems are used in many areas of human life. But people do not pay enough attention to ensuring the security of these systems. As a result of the resulting security gaps, an attacker can launch an attack, not only shutting down the system, but also having some negative impact on the environment. The article examines denial of service attacks in ad-hoc networks, conducts experiments and considers the consequences of their successful execution. As a result of the research, it was determined that an attack can be detected by changes in transmitted traffic and processor load. The cyber-physical system operates on stable algorithms, and even if legal changes occur, they can be easily distinguished from those caused by the attack. The article shows that the use of statistical methods for analyzing traffic and other parameters can be justified for detecting an attack. This study shows that each attack affects traffic in its own way and creates unique patterns of behavior change. The experiments were carried out according to methodology with changings in the intensity of the attacks, with a change in normal behavior. The results of this study can further be used to implement a system for detecting attacks on cyber-physical systems. The collected datasets can be used to train the neural network.

The advancement of technology in the creation of new tools to solve problems such as information storage generates proportionally developing methods that search for security flaws or breaches that compromise said information. The need to periodically generate security reports on database managers is given by the complexity and number of attacks that can be carried out today. This project seeks to carry out an evaluation of the security of NoSQL database managers. The work methodology is developed according to the order of the objectives, it begins by synthesizing the types of vulnerabilities, attacks and protection schemes limited to MongoDB, Redis and Apache Cassandra. Once established, a prototype of a web system that stores information with a non-relational database will be designed on which a series of attacks defined by a test plan will be applied seeking to add, consult, modify or eliminate information. Finally, a report will be presented that sets out the attacks carried out, the way in which they were applied, the results, possible countermeasures, security advantages and disadvantages for each manager and the conclusions obtained. Thus, it is possible to select which tool is more convenient to use for a person or organization in a particular case. The results showed that MongoDB is more vulnerable to NoSQL injection attacks, Redis is more vulnerable to attacks registered in the CVE and that Cassandra is more complex to use but is less vulnerable.

This paper represents the experimental implementation of an encryption-based visible light communication system for indoor communication over 14m, two single LED transmitters as the data source, and four receivers considered as data receivers for performance evaluation.

Subscription permanent identifier has been concealed in the 5G systems by using the asymmetric encryption scheme as specified in standard 3GPP TS 33.501 to protect the subscriber privacy. The standardized scheme is however subject to the SUPI guess attack as the public key of the home network is publicly available. Moreover, it lacks the inherent mechanism to prevent SUCI replay attacks. In this paper, we propose three methods to enhance the security of the 3GPP scheme to thwart the SUPI guess attack and replay attack. One of these methods is suggested to be used to strengthen the security of the current subscriber protection scheme.

This position paper presents and illustrates the concept of security requirements as code – a novel approach to security requirements specification. The aspiration to minimize code duplication and maximize its reuse has always been driving the evolution of software development approaches. Object-Oriented programming (OOP) takes these approaches to the state in which the resulting code conceptually maps to the problem that the code is supposed to solve. People nowadays start learning to program in the primary school. On the other hand, requirements engineers still heavily rely on natural language based techniques to specify requirements. The key idea of this paper is: artifacts produced by the requirements process should be treated as input to the regular object-oriented analysis. Therefore, the contribution of this paper is the presentation of the major concepts for the security requirements as the code method that is illustrated with a real industry example from the VeriDevOps project.

As permissioned blockchain becomes a common foundation of blockchain-based applications for current organizations, related stakeholders need a means to assess the security risks of the applications. Therefore, this study proposes a security risk management framework for permissioned blockchain applications. The framework divides itself into different implementation stacks and provides guidelines to control the security risks of permissioned blockchain applications. According to the best of our knowledge, this study is the first research that provides a means to evaluate the security risks of permissioned blockchain applications from a holistic point of view. If users can trust the applications that adopted this framework, this study can hopefully contribute to the adoption of permissioned blockchain technologies.

SELinux policies used in practice are generally large and complex. As a result, it is difficult for the policy writers to completely understand the policy and ensure that the policy meets the intended security goals. To remedy this, we have developed a tool called SEFlowViz that helps in visualizing the information flows of a policy and thereby helps in creating flow-secure policies. The tool uses the graph database Neo4j to visualize the policy. Along with visualization, the tool also supports extracting various information regarding the policy and its components through queries. Furthermore, the tool also supports the addition and deletion of rules which is useful in converting inconsistent policies into consistent policies.

This paper presents an IoT enabled real time occupancy semantic search system leveraging ETSI defined context information and interface meta model standard- ``Next Generation Service Interface for Linked Data'' (NGSI-LD). It facilitates interoperability, integration and federation of information exchange related to spatial infrastructure among geo-distributed deployed IoT entities, different stakeholders, and process domains. This system, in the presented use case, solves the problem of adhoc booking of meetings in real time through semantic discovery of spatial data and metadata related to room occupancy and thus enables optimum utilization of spatial infrastructure in university campuses. Therefore, the proposed system has the capability to save on effort, cost and productivity in institutional spatial management contexts in the longer run and as well provide a new enriched user experience in smart public buildings. Additionally, the system empowers different stakeholders to plan, forecast and fulfill their spatial infrastructure requirements through semantic data search analysis and real time data driven planning. The initial performance results of the system have shown quick response enabled semantic discovery of data and metadata (textless2 seconds mostly). The proposed system would be a steppingstone towards smart management of spatial infrastructure which offers scalability, federation, vendor agnostic ecosystem, seamless interoperability and integration and security by design. The proposed system provides the fundamental work for its extension and potential in relevant spatial domains of the future.

With the continuous development of edge computing, the application scope of mobile crowdsourcing (MCS) is constantly increasing. The distributed nature of edge computing can transmit data at the edge of processing to meet the needs of low latency. The trustworthiness of the third-party platform will affect the level of privacy protection, because managers of the platform may disclose the information of workers. Anonymous servers also belong to third-party platforms. For unreal third-party platforms, this paper recommends that workers first use the localized differential privacy mechanism to interfere with the real location information, and then upload it to an anonymous server to request services, called the localized differential anonymous privacy protection mechanism (LDNP). The two privacy protection mechanisms further enhance privacy protection, but exacerbate the loss of service quality. Therefore, this paper proposes to give corresponding compensation based on the authenticity of the location information uploaded by workers, so as to encourage more workers to upload real location information. Through comparative experiments on real data, the LDNP algorithm not only protects the location privacy of workers, but also maintains the availability of data. The simulation experiment verifies the effectiveness of the incentive mechanism.

The course of operating system's labs usually fall behind the state of art technology. In this paper, we propose a Software Diversity-Assisted Defense (SDAD) lab based on software diversity, mainly targeting for students majoring in cyber security and computer science. This lab is consisted of multiple modules and covers most of the important concepts and principles in operating systems. Thus, the knowledge learned from the theoretical course will be deepened with the lab. For students majoring in cyber security, they can learn this new software diversity-based defense technology and understand how an exploit works from the attacker's side. The experiment is also quite stretchable, which can fit all level students.

This paper is a systemization of knowledge of autonomic cybersecurity. Disruptive technologies, such as IoT, AI and autonomous systems, are becoming more prevalent and often have little or no cybersecurity protections. This lack of security is contributing to the expanding cybersecurity attack surface. The autonomic computing initiative was started to address the complexity of administering complex computing systems by making them self-managing. Autonomic systems contain attributes to address cyberattacks, such as self-protecting and self-healing that can secure new technologies. There has been a number of research projects on autonomic cybersecurity, with different approaches and target technologies, many of them disruptive. This paper reviews autonomic computing, analyzes research on autonomic cybersecurity, and provides a systemization of knowledge of the research. The paper concludes with identification of gaps in autonomic cybersecurity for future research.

Emerging blockchain and cryptocurrency-based technologies are redefining the way we conduct business in cyberspace. Today, a myriad of blockchain and cryp-tocurrency systems, applications, and technologies are widely available to companies, end-users, and even malicious actors who want to exploit the computational resources of regular users through cryptojacking malware. Especially with ready-to-use mining scripts easily provided by service providers (e.g., Coinhive) and untraceable cryptocurrencies (e.g., Monero), cryptojacking malware has become an indispensable tool for attackers. Indeed, the banking industry, major commercial websites, government and military servers (e.g., US Dept. of Defense), online video sharing platforms (e.g., Youtube), gaming platforms (e.g., Nintendo), critical infrastructure resources (e.g., routers), and even recently widely popular remote video conferencing/meeting programs (e.g., Zoom during the Covid-19 pandemic) have all been the victims of powerful cryptojacking malware campaigns. Nonetheless, existing detection methods such as browser extensions that protect users with blacklist methods or antivirus programs with different analysis methods can only provide a partial panacea to this emerging crypto-jacking issue as the attackers can easily bypass them by using obfuscation techniques or changing their domains or scripts frequently. Therefore, many studies in the literature proposed cryptojacking malware detection methods using various dynamic/behavioral features. However, the literature lacks a systemic study with a deep understanding of the emerging cryptojacking malware and a comprehensive review of studies in the literature. To fill this gap in the literature, in this SoK paper, we present a systematic overview of cryptojacking malware based on the information obtained from the combination of academic research papers, two large cryptojacking datasets of samples, and 45 major attack instances. Finally, we also present lessons learned and new research directions to help the research community in this emerging area.

We address the problem of recovering signals from compressed measurements based on generative priors. Recently, generative-model based compressive sensing (GMCS) methods have shown superior performance over traditional compressive sensing (CS) techniques in recovering signals from fewer measurements. However, it is possible to further improve the performance of GMCS by introducing controlled sparsity in the latent-space. We propose a proximal meta-learning (PML) algorithm to enforce sparsity in the latent-space while training the generator. Enforcing sparsity naturally leads to a union-of-submanifolds model in the solution space. The overall framework is named as sparsity driven latent space sampling (SDLSS). In addition, we derive the sample complexity bounds for the proposed model. Furthermore, we demonstrate the efficacy of the proposed framework over the state-of-the-art techniques with application to CS on standard datasets such as MNIST and CIFAR-10. In particular, we evaluate the performance of the proposed method as a function of the number of measurements and sparsity factor in the latent space using standard objective measures. Our findings show that the sparsity driven latent space sampling approach improves the accuracy and aids in faster recovery of the signal in GMCS.

An efficient quantum circuit (program) compiler aims to minimize the gate-count - through efficient instruction translation, routing, gate, and cancellation - to improve run-time and noise. Therefore, a high-efficiency compiler is paramount to enable the game-changing promises of quantum computers. To date, the quantum computing hardware providers are offering a software stack supporting their hardware. However, several third-party software toolchains, including compilers, are emerging. They support hardware from different vendors and potentially offer better efficiency. As the quantum computing ecosystem becomes more popular and practical, it is only prudent to assume that more companies will start offering software-as-a-service for quantum computers, including high-performance compilers. With the emergence of third-party compilers, the security and privacy issues of quantum intellectual properties (IPs) will follow. A quantum circuit can include sensitive information such as critical financial analysis and proprietary algorithms. Therefore, submitting quantum circuits to untrusted compilers creates opportunities for adversaries to steal IPs. In this paper, we present a split compilation methodology to secure IPs from untrusted compilers while taking advantage of their optimizations. In this methodology, a quantum circuit is split into multiple parts that are sent to a single compiler at different times or to multiple compilers. In this way, the adversary has access to partial information. With analysis of over 152 circuits on three IBM hardware architectures, we demonstrate the split compilation methodology can completely secure IPs (when multiple compilers are used) or can introduce factorial time reconstruction complexity while incurring a modest overhead ( 3% to 6% on average).

Attestation of audio signals for recognition of forgery in voice is challenging task. In this research work, a deep convolutional neural network (CNN) is utilized to detect audio operations i.e. pitch shifted and amplitude varied signals. Short-time Fourier transform (STFT) and Modified Discrete Cosine Transform (MDCT) features are chosen for audio processing and their plotted patterns are fed to CNN. Experimental results show that our model can successfully distinguish tampered signals to facilitate the audio authentication on TIMIT dataset. Proposed CNN architecture can distinguish spoofed voices of shifting pitch with accuracy of 97.55% and of varying amplitude with accuracy of 98.85%.

With the world moving towards digitalization, more applications and servers are online hosted on the internet, more number of vulnerabilities came out which directly affects an individual and an organization financially and in terms of reputation too. Out of those many vulnerabilities such as Injection, Deserialization, Cross site scripting and more. Injection stand top as the most critical vulnerability found in the web application. Injection itself is a broad vulnerability as it further consists of SQL Injection, Command injection, LDAP Injection, No-SQL Injection etc. In this paper we have reviewed SQL Injection, different types of SQL injection attacks, their causes and remediation to comprehend this attack.

Semantic data has semantic information about the relationship between information and resources of data collected in a smart city so that all different domains and data can be organically connected. Various services using semantic data such as public data integration of smart cities, semantic search, and linked open data are emerging, and services that open and freely use semantic data are also increasing. By using semantic data, it is possible to create a variety of services regardless of platform and resource characteristics. However, despite the many advantages of semantic data, it is not easy to use because it requires a high understanding of semantics such as SPARQL. Therefore, in this paper, we propose a semantic framework for users of semantic data so that new services can be created without a high understanding of semantics. The semantics framework includes a template-based annotator that supports automatically generating semantic data based on user input and a semantic REST API that allows you to utilize semantic data without understanding SPAROL.