Biblio
This paper describes biometric-based cryptographic techniques for providing confidential communications and strong, mutual and multifactor authentication on the Internet of Things. The described security techniques support the goals of universal access when users are allowed to select from multiple choice alternatives to authenticate their identities. By using a Biometric Authenticated Key Exchange (BAKE) protocol, user credentials are protected against phishing and Man-in-the-Middle attacks. Forward secrecy is achieved using a Diffie-Hellman key establishment scheme with fresh random values each time the BAKE protocol is operated. Confidentiality is achieved using lightweight cryptographic algorithms that are well suited for implementation in resource constrained environments, those limited by processing speed, limited memory and power availability. Lightweight cryptography can offer strong confidentiality solutions that are practical to implement in Internet of Things systems, where efficient execution, and small memory requirements and code size are required.
The rapid increase of connected devices and the major advances in information and communication technologies have led to great emergence in the Internet of Things (IoT). IoT devices require software adaptation as they are in continuous transition. Multi-agent based solutions offer adaptable composition for IoT systems. Mobile agents can also be used to enable interoperability and global intelligence with smart objects in the Internet of Things. The use of agents carrying personal data and the rapid increasing number of connected IoT devices require the use of security protocols to secure the user data. Elliptic Curve Cryptography (ECC) Algorithm has emerged as an attractive and efficient public-key cryptosystem. We recommend the use of ECC in the proposed Broadcast based Secure Mobile Agent Protocol (BROSMAP) which is one of the most secure protocols that provides confidentiality, authentication, authorization, accountability, integrity and non-repudiation. We provide a methodology to improve BROSMAP to fulfill the needs of Multi-agent based IoT Systems in general. The new BROSMAP performs better than its predecessor and provides the same security requirements. We have formally verified ECC-BROSMAP using Scyther and compared it with BROSMAP in terms of execution time and computational cost. The effect of varying the key size on BROSMAP is also presented. A new ECC-based BROSMAP takes half the time of Rivest-Shamir-Adleman (RSA) 2048 BROSMAP and 4 times better than its equivalent RSA 3072 version. The computational cost was found in favor of ECC-BROSMAP which is more efficient by a factor of 561 as compared to the RSA-BROSMAP.
As the Internet of Things (IoT) continues to grow, there arises concerns and challenges with regard to the security and privacy of the IoT system. In this paper, we propose a FOg CompUting-based Security (FOCUS) system to address the security challenges in the IoT. The proposed FOCUS system leverages the virtual private network (VPN) to secure the access channel to the IoT devices. In addition, FOCUS adopts a challenge-response authentication to protect the VPN server against distributed denial of service (DDoS) attacks, which can further enhance the security of the IoT system. FOCUS is implemented in fog computing that is close to the end users, thus achieving a fast and efficient protection. We demonstrate FOCUS in a proof-of-concept prototype, and conduct experiments to evaluate its performance. The results show that FOCUS can effectively filter out malicious attacks with a very low response latency.
Aerial photography is fast becoming essential in scientific research that requires multi-agent system in several perspective and we proposed a secured system using one of the well-known public key cryptosystem namely NTRU that is somewhat homomorphic in nature. Here we processed images of aerial photography that were captured by multi-agents. The agents encrypt the images and upload those in the cloud server that is untrusted. Cloud computing is a buzzword in modern era and public cloud is being used by people everywhere for its shared, on-demand nature. Cloud Environment faces a lot of security and privacy issues that needs to be solved. This paper focuses on how to use cloud so effectively that there remains no possibility of data or computation breaches from the cloud server itself as it is prone to the attack of treachery in different ways. The cloud server computes on the encrypted data without knowing the contents of the images. After concatenation, encrypted result is delivered to the concerned authority where it is decrypted retaining its originality. We set up our experiment in Amazon EC2 cloud server where several instances were the agents and an instance acted as the server. We varied several parameters so that we could minimize encryption time. After experimentation we produced our desired result within feasible time sustaining the image quality. This work ensures data security in public cloud that was our main concern.
Cloud computing offers many advantages as flexibility or resource efficiency and can significantly reduce costs. However, when sensitive data is outsourced to a cloud provider, classified records can leak. To protect data owners and application providers from a privacy breach data must be encrypted before it is uploaded. In this work, we present a distributed key management scheme that handles user-specific keys in a single-tenant scenario. The underlying database is encrypted and the secret key is split into parts and only reconstructed temporarily in memory. Our scheme distributes shares of the key to the different entities. We address bootstrapping, key recovery, the adversary model and the resulting security guarantees.
Along with the growing popularisation of Cloud Computing. Cloud storage technology has been paid more and more attention as an emerging network storage technology which is extended and developed by cloud computing concepts. Cloud computing environment depends on user services such as high-speed storage and retrieval provided by cloud computing system. Meanwhile, data security is an important problem to solve urgently for cloud storage technology. In recent years, There are more and more malicious attacks on cloud storage systems, and cloud storage system of data leaking also frequently occurred. Cloud storage security concerns the user's data security. The purpose of this paper is to achieve data security of cloud storage and to formulate corresponding cloud storage security policy. Those were combined with the results of existing academic research by analyzing the security risks of user data in cloud storage and approach a subject of the relevant security technology, which based on the structural characteristics of cloud storage system.
This paper is based on the previous research that selects the proper surrogate nodes for fast recovery mechanism in industrial IoT (Internet of Things) Environment which uses a variety of sensors to collect the data and exchange the collected data in real-time for creating added value. We are going to suggest the way that how to decide the number of surrogate node automatically in different deployed industrial IoT Environment so that minimize the system recovery time when the central server likes IoT gateway is in failure. We are going to use the network simulator to measure the recovery time depending on the number of the selected surrogate nodes according to the sub-devices which are connected to the IoT gateway.
Many modern defenses rely on address space layout randomization (ASLR) to efficiently hide security-sensitive metadata in the address space. Absent implementation flaws, an attacker can only bypass such defenses by repeatedly probing the address space for mapped (security-sensitive) regions, incurring a noisy application crash on any wrong guess. Recent work shows that modern applications contain idioms that allow the construction of crash-resistant code primitives, allowing an attacker to efficiently probe the address space without causing any visible crash. In this paper, we classify different crash-resistant primitives and show that this problem is much more prominent than previously assumed. More specifically, we show that rather than relying on labor-intensive source code inspection to find a few "hidden" application-specific primitives, an attacker can find such primitives semi-automatically, on many classes of real-world programs, at the binary level. To support our claims, we develop methods to locate such primitives in real-world binaries. We successfully identified 29 new potential primitives and constructed proof-of-concept exploits for four of them.
Data assurance and resilience are crucial security issues in cloud-based IoT applications. With the widespread adoption of drones in IoT scenarios such as warfare, agriculture and delivery, effective solutions to protect data integrity and communications between drones and the control system have been in urgent demand to prevent potential vulnerabilities that may cause heavy losses. To secure drone communication during data collection and transmission, as well as preserve the integrity of collected data, we propose a distributed solution by utilizing blockchain technology along with the traditional cloud server. Instead of registering the drone itself to the blockchain, we anchor the hashed data records collected from drones to the blockchain network and generate a blockchain receipt for each data record stored in the cloud, reducing the burden of moving drones with the limit of battery and process capability while gaining enhanced security guarantee of the data. This paper presents the idea of securing drone data collection and communication in combination with a public blockchain for provisioning data integrity and cloud auditing. The evaluation shows that our system is a reliable and distributed system for drone data assurance and resilience with acceptable overhead and scalability for a large number of drones.
SDN networks rely mainly on a set of software defined modules, running on generic hardware platforms, and managed by a central SDN controller. The tight coupling and lack of isolation between the controller and the underlying host limit the controller resilience against host-based attacks and failures. That controller is a single point of failure and a target for attackers. ``Linux-containers'' is a successful thin virtualization technique that enables encapsulated, host-isolated execution-environments for running applications. In this paper we present PAFR, a controller sandboxing mechanism based on Linux-containers. PAFR enables controller/host isolation, plug-and-play operation, failure-and-attack-resilient execution, and fast recovery. PAFR employs and manages live remote checkpointing and migration between different hosts to evade failures and attacks. Experiments and simulations show that the frequent employment of PAFR's live-migration minimizes the chance of successful attack/failure with limited to no impact on network performance.
Delegated authorization protocols have become wide-spread to implement Web applications and services, where some popular providers managing people identity information and personal data allow their users to delegate third party Web services to access their data. In this paper, we analyze the risks related to untrusted providers not behaving correctly, and we solve this problem by proposing the first verifiable delegated authorization protocol that allows third party services to verify the correctness of users data returned by the provider. The contribution of the paper is twofold: we show how delegated authorization can be cryptographically enforced through authenticated data structures protocols, we extend the standard OAuth2 protocol by supporting efficient and verifiable delegated authorization including database updates and privileges revocation.
NEtwork MObility (NEMO) has gained recently a lot of attention from a number of standardization and researches committees. Although NEMO-Basic Support Protocol (NEMO-BSP) seems to be suitable in the context of the Intelligent Transport Systems (ITS), it has several shortcomings, such as packets loss and lack of security, since it is a host-based mobility scheme. Therefore, in order to improve handoff performance and solve these limitations, schemes adapting Proxy MIPv6 for NEMO have been appeared. But the majorities did not deal with the case of the handover of the Visiting Mobile Nodes (VMN) located below the Mobile Router (MR). Thus, this paper proposes a Visiting Mobile Node Authentication Protocol for Proxy MIPv6-Based NEtwork MObility which ensures strong authentication between entities. To evaluate the security performance of our proposition, we have used the AVISPA/SPAN software which guarantees that our proposed protocol is a safe scheme.
Wikipedia is one of the most popular information platforms on the Internet. The user access pattern to Wikipedia pages depends on their relevance in the current worldwide social discourse. We use publically available statistics about the top-1000 most popular pages on each day to estimate the efficiency of caches for support of the platform. While the data volumes are moderate, the main goal of Wikipedia caches is to reduce access times for page views and edits. We study the impact of most popular pages on the achievable cache hit rate in comparison to Zipf request distributions and we include daily dynamics in popularity.
Authentication and encryption within an embedded system environment using cameras, sensors, thermostats, autonomous vehicles, medical implants, RFID, etc. is becoming increasing important with ubiquitious wireless connectivity. Hardware-based authentication and encryption offer several advantages in these types of resource-constrained applications, including smaller footprints and lower energy consumption. Bitstring and key generation implemented with Physical Unclonable Functions or PUFs can further reduce resource utilization for authentication and encryption operations and reduce overall system cost by eliminating on-chip non-volatile-memory (NVM). In this paper, we propose a dynamic partial reconfiguration (DPR) strategy for implementing both authentication and encryption using a PUF for bitstring and key generation on FPGAs as a means of optimizing the utilization of the limited area resources. We show that the time and energy penalties associated with DPR are small in modern SoC-based architectures, such as the Xilinx Zynq SoC, and therefore, the overall approach is very attractive for emerging resource-constrained IoT applications.
The Cloud Computing is a developing IT concept that faces some issues, which are slowing down its evolution and adoption by users across the world. The lack of security has been the main concern. Organizations and entities need to ensure, inter alia, the integrity and confidentiality of their outsourced sensible data within a cloud provider server. Solutions have been examined in order to strengthen security models (strong authentication, encryption and fragmentation before storing, access control policies...). More particularly, data remanence is undoubtedly a major threat. How could we be sure that data are, when is requested, truly and appropriately deleted from remote servers? In this paper, we aim to produce a survey about this interesting subject and to address the problem of residual data in a cloud-computing environment, which is characterized by the use of virtual machines instantiated in remote servers owned by a third party.
The Web today is a growing universe of pages and applications teeming with interactive content. The security of such applications is of the utmost importance, as exploits can have a devastating impact on personal and economic levels. The number one programming language in Web applications is PHP, powering more than 80% of the top ten million websites. Yet it was not designed with security in mind and, today, bears a patchwork of fixes and inconsistently designed functions with often unexpected and hardly predictable behavior that typically yield a large attack surface. Consequently, it is prone to different types of vulnerabilities, such as SQL Injection or Cross-Site Scripting. In this paper, we present an interprocedural analysis technique for PHP applications based on code property graphs that scales well to large amounts of code and is highly adaptable in its nature. We implement our prototype using the latest features of PHP 7, leverage an efficient graph database to store code property graphs for PHP, and subsequently identify different types of Web application vulnerabilities by means of programmable graph traversals. We show the efficacy and the scalability of our approach by reporting on an analysis of 1,854 popular open-source projects, comprising almost 80 million lines of code.
Location-Based Service (LBS) becomes increasingly important for our daily life. However, the localization information in the air is vulnerable to various attacks, which result in serious privacy concerns. To overcome this problem, we formulate a multi-objective optimization problem with considering both the query probability and the practical dummy location region. A low complexity dummy location selection scheme is proposed. We first find several candidate dummy locations with similar query probabilities. Among these selected candidates, a cloaking area based algorithm is then offered to find K - 1 dummy locations to achieve K-anonymity. The intersected area between two dummy locations is also derived to assist to determine the total cloaking area. Security analysis verifies the effectiveness of our scheme against the passive and active adversaries. Compared with other methods, simulation results show that the proposed dummy location scheme can improve the privacy level and enlarge the cloaking area simultaneously.
Cloud computing enables the outsourcing of big data analytics, where a third-party server is responsible for data management and processing. In this paper, we consider the outsourcing model in which a third-party server provides record matching as a service. In particular, given a target record, the service provider returns all records from the outsourced dataset that match the target according to specific distance metrics. Identifying matching records in databases plays an important role in information integration and entity resolution. A major security concern of this outsourcing paradigm is whether the service provider returns the correct record matching results. To solve the problem, we design EARRING, an Efficient Authentication of outsouRced Record matchING framework. EARRING requires the service provider to construct the verification object (VO) of the record matching results. From the VO, the client is able to catch any incorrect result with cheap computational cost. Experiment results on real-world datasets demonstrate the efficiency of EARRING.
Currently, when companies conduct risk analysis of own networks and systems, it is common to outsource risk analysis to third-party experts. At that time, the company passes the information used for risk analysis including confidential information such as network configuration to third-party expert. It raises the risk of leakage and abuse of confidential information. Therefore, a method of risk analysis by using secure computation without passing confidential information of company has been proposed. Although Liu's method have firstly achieved secure risk analysis method using multiparty computation and attack tree analysis, it has several problems to be practical. In this paper, improvement of secure risk analysis method is proposed. It can dynamically reduce compilation time, enhance scale of target network and system without increasing execution time. Experimental work is carried out by prototype implementation. As a result, we achieved improved performance in compile time and enhance scale of target with equivalent performance on execution time.
The ubiquity of the Internet and email, have provided a mostly insecure communication medium for the consumer. During the last few decades, we have seen the development of several ways to secure email messages. However, these solutions are inflexible and difficult to use for encrypting email messages to protect security and privacy while communicating or collaborating via email. Under the current paradigm, the arduous process of setting up email encryption is non-intuitive for the average user. The complexity of the current practices has also yielded to incorrect developers' interpretation of architecture which has resulted in interoperability issues. As a result, the lack of simple and easy-to-use infrastructure in current practices means that the consumers still use plain text emails over insecure networks. In this paper, we introduce and describe a novel, holistic model with new techniques for protecting email messages. The architecture of our innovative model is simpler and easier to use than those currently employed. We use the simplified trust model, which can relieve users from having to perform many complex steps to achieve email security. Utilizing the new techniques presented in this paper can safeguard users' email from unauthorized access and protect their privacy. In addition, a simplified infrastructure enables developers to understand the architecture more readily eliminating interoperability.
With the development of cloud computing and its economic benefit, more and more companies and individuals outsource their data and computation to clouds. Meanwhile, the business way of resource outsourcing makes the data out of control from its owner and results in many security issues. The existing secure keyword search methods assume that cloud servers are curious-but-honest or partial honest, which makes them powerless to deal with the deliberately falsified or fabricated results of insider attacks. In this paper, we propose a verifiable single keyword top-k search scheme against insider attacks which can verify the integrity of search results. Data owners generate verification codes (VCs) for the corresponding files, which embed the ordered sequence information of the relevance scores between files and keywords. Then files and corresponding VCs are outsourced to cloud servers. When a data user performs a keyword search in cloud servers, the qualified result files are determined according to the relevance scores between the files and the interested keyword and then returned to the data user together with a VC. The integrity of the result files is verified by data users through reconstructing a new VC on the received files and comparing it with the received one. Performance evaluation have been conducted to demonstrate the efficiency and result redundancy of the proposed scheme.
Figuring innovations and development of web diminishes the exertion required for different procedures. Among them the most profited businesses are electronic frameworks, managing an account, showcasing, web based business and so on. This framework mostly includes the data trades ceaselessly starting with one host then onto the next. Amid this move there are such a variety of spots where the secrecy of the information and client gets loosed. Ordinarily the zone where there is greater likelihood of assault event is known as defenceless zones. Electronic framework association is one of such place where numerous clients performs there undertaking as indicated by the benefits allotted to them by the director. Here the aggressor makes the utilization of open ranges, for example, login or some different spots from where the noxious script is embedded into the framework. This scripts points towards trading off the security imperatives intended for the framework. Few of them identified with clients embedded scripts towards web communications are SQL infusion and cross webpage scripting (XSS). Such assaults must be distinguished and evacuated before they have an effect on the security and classification of the information. Amid the most recent couple of years different arrangements have been incorporated to the framework for making such security issues settled on time. Input approvals is one of the notable fields however experiences the issue of execution drops and constrained coordinating. Some other component, for example, disinfection and polluting will create high false report demonstrating the misclassified designs. At the center, both include string assessment and change investigation towards un-trusted hotspots for totally deciphering the effect and profundity of the assault. This work proposes an enhanced lead based assault discovery with specifically message fields for viably identifying the malevolent scripts. The work obstructs the ordinary access for malignant so- rce utilizing and hearty manage coordinating through unified vault which routinely gets refreshed. At the underlying level of assessment, the work appears to give a solid base to further research.
Security at virtualization level has always been a major issue in cloud computing environment. A large number of virtual machines that are hosted on a single server by various customers/client may face serious security threats due to internal/external network attacks. In this work, we have examined and evaluated these threats and their impact on OpenStack private cloud. We have also discussed the most popular DOS (Denial-of-Service) attack on DHCP server on this private cloud platform and evaluated the vulnerabilities in an OpenStack networking component, Neutron, due to which this attack can be performed through rogue DHCP server. Finally, a solution, a game-theory based cloud architecture, that helps to detect and prevent DOS attacks in OpenStack has been proposed.
Internet of Things (IoT) devices are resource constrained devices in terms of power, memory, bandwidth, and processing. On the other hand, multicast communication is considered more efficient in group oriented applications compared to unicast communication as transmission takes place using fewer resources. That is why many of IoT applications rely on multicast in their transmission. This multicast traffic need to be secured specially for critical applications involving actuators control. Securing multicast traffic by itself is cumbersome as it requires an efficient and scalable Group Key Management (GKM) protocol. In case of IoT, the situation is more difficult because of the dynamic nature of IoT scenarios. This paper introduces a solution based on using context aware security server accompanied with a group of key servers to efficiently distribute group encryption keys to IoT devices in order to secure the multicast sessions. The proposed solution is evaluated relative to the Logical Key Hierarchy (LKH) protocol. The comparison shows that the proposed scheme efficiently reduces the load on the key servers. Moreover, the key storage cost on both members and key servers is reduced.
Graph analysis can capture relationships between network entities and can be used to identify and rank anomalous hosts, users, or applications from various types of cyber logs. It is often the case that the data in the logs can be represented as a bipartite graph (e.g. internal IP-external IP, user-application, or client-server). State-of-the-art graph based anomaly detection often generalizes across all types of graphs — namely bipartite and non-bipartite. This confounds the interpretation and use of specific graph features such as degree, page rank, and eigencentrality that can provide a security analyst with situational awareness and even insights to potential attacks on enterprise scale networks. Furthermore, graph algorithms applied to data collected from large, distributed enterprise scale networks require accompanying methods that allow them to scale to the data collected. In this paper, we provide a novel, scalable, directional graph projection framework that operates on cyber logs that can be represented as bipartite graphs. We also present methodologies to further narrow returned results to anomalous/outlier cases that may be indicative of a cyber security event. This framework computes directional graph projections and identifies a set of interpretable graph features that describe anomalies within each partite.