Biblio

In this short position paper, we discuss several potential security concerns that can be found at the physical layer of 6th-generation (6G) cellular networks. Discussion on 6G cellular networks is still at its early stage and thus several candidate radio technologies have been proposed but no single technology has yet been finally selected for 6G systems. Among several radio technologies, we focus on three promising ones for 6G physical-layer technologies: reconfigurable intelligent surface (RIS), Open-RAN (O-RAN), and full-duplex radios. We hope this position paper will spark more active discussion on the security concerns in these new radio technologies.

For the huge charging demands of numerous electric vehicles (EVs), coordinated charging is increasing in power grid. However, since connected with public networks, the coordinated charging control system is in a low-level cyber security and greatly vulnerable to malicious attacks. This paper investigates the malicious mode attack (MMA), which is a new cyber-attack pattern that simultaneously attacks massive EV charging piles to generate continuous sinusoidal power disturbance with the same frequency as the poorly-damped wide-area electromechanical mode. Thereby, high amplitude forced oscillations are stimulated by MMA, which seriously threats the stability of power systems and the power supply of charging stations. The potential threat of MMA is clarified by investigating the vulnerability of the IoT-based coordinated charging load control system, and an MMA process like Mirai is pointed out as an example. An MMA model is established for impact analysis. A hardware test platform is built for the verification of the MMA model. Test result verified the existence of MMA and the accuracy of the MMA model.

Power system robustness against high-impact low probability events is becoming a major concern. To depict distinct phases of a system response during these disturbances, an irregular polygon model is derived from the conventional trapezoid model and the model is analytically investigated for transmission system performance, based on which resiliency metrics are developed for the same. Furthermore, the system resiliency to windstorms is evaluated on the IEEE reliability test system (RTS) by performing steady-state and dynamic security assessment incorporating protection modelling and corrective action schemes using the Power System Simulator for Engineering (PSS®E) software. Based on the results of steady-state and dynamic analysis, modified resiliency metrics are quantified. Finally, this paper quantifies the interdependency of operational and infrastructure resiliency as they cannot be considered discrete characteristics of the system.

It is well-known that the most existing machine learning (ML)-based safety-critical applications are vulnerable to carefully crafted input instances called adversarial examples (AXs). An adversary can conveniently attack these target systems from digital as well as physical worlds. This paper aims to the generation of robust physical AXs against face recognition systems. We present a novel smoothness loss function and a patch-noise combo attack for realizing powerful physical AXs. The smoothness loss interjects the concept of delayed constraints during the attack generation process, thereby causing better handling of optimization complexity and smoother AXs for the physical domain. The patch-noise combo attack combines patch noise and imperceptibly small noises from different distributions to generate powerful registration-based physical AXs. An extensive experimental analysis found that our smoothness loss results in robust and more transferable digital and physical AXs than the conventional techniques. Notably, our smoothness loss results in a 1.17 and 1.97 times better mean attack success rate (ASR) in physical white-box and black-box attacks, respectively. Our patch-noise combo attack furthers the performance gains and results in 2.39 and 4.74 times higher mean ASR than conventional technique in physical world white-box and black-box attacks, respectively.

The Software Defined Networking (SDN) is a solution for Data Center Networks (DCN). This solution offers a centralized control that helps to simplify the management and reduce the big data issues of storage management and data analysis. This paper investigates the performance of deploying an SDN controller in DCN. The paper considers the network topology with a different number of hosts using the Mininet emulator. The paper evaluates the performance of DCN based on Python SDN controllers with a different number of hosts. This evaluation compares POX and RYU controllers as DCN solutions using the throughput, delay, overhead, and convergence time. The results show that the POX outperforms the RYU controller and is the best choice for DCN.

SQL Injection has been around as a harmful and prolific threat on web applications for more than 20 years, yet it still poses a huge threat to the World Wide Web. Rapidly evolving web technology has not eradicated this threat; In 2017 51 % of web application attacks are SQL injection attacks. Most conventional practices to prevent SQL injection attacks revolves around secure web and database programming and administration techniques. Despite developer ignorance, a large number of online applications remain susceptible to SQL injection attacks. There is a need for a more effective method to detect and prevent SQL Injection attacks. In this research, we offer a unique machine learning-based strategy for identifying potential SQL injection attack (SQL injection attack) threats. Application of the proposed method in a Security Information and Event Management(SIEM) system will be discussed. SIEM can aggregate and normalize event information from multiple sources, and detect malicious events from analysis of these information. The result of this work shows that a machine learning based SQL injection attack detector which uses SIEM approach possess high accuracy in detecting malicious SQL queries.

In this research work, we attempted to predict the creditworthiness of smartphone users in Indonesia during the COVID-19 pandemic using machine learning. Principal Component Analysis (PCA) and Kmeans algorithms are used for the prediction of creditworthiness with the used a dataset of 1050 respondents consisting of twelve questions to smartphone users in Indonesia during the COVID-19 pandemic. The four different classification algorithms (Logistic Regression, Support Vector Machine, Decision Tree, and Naive Bayes) were tested to classify the creditworthiness of smartphone users in Indonesia. The tests carried out included testing for accuracy, precision, recall, F1-score, and Area Under Curve Receiver Operating Characteristics (AUCROC) assesment. Logistic Regression algorithm shows the perfect performances whereas Naïve Bayes (NB) shows the least. The results of this research also provide new knowledge about the influential and non-influential variables based on the twelve questions conducted to the respondents of smartphone users in Indonesia during the COVID-19 pandemic.

A persistent and serious danger to the Internet is a denial of service attack on a large scale (DDoS) attack using machine learning. Because they originate at the low layers, new Infections that use genuine hypertext transfer protocol requests to overload target resources are more untraceable than application layer-based cyberattacks. Using network flow traces to construct an access matrix, this research presents a method for detecting distributed denial of service attack machine learning assaults. Independent component analysis decreases the number of attributes utilized in detection because it is multidimensional. Independent component analysis can be used to translate features into high dimensions and then locate feature subsets. Furthermore, during the training and testing phase of the updated source support vector machine for classification, their performance it is possible to keep track of the detection rate and false alarms. Modified source support vector machine is popular for pattern classification because it produces good results when compared to other approaches, and it outperforms other methods in testing even when given less information about the dataset. To increase classification rate, modified source support Vector machine is used, which is optimized using BAT and the modified Cuckoo Search method. When compared to standard classifiers, the acquired findings indicate better performance.

Real-time data transmissions from a vehicle enhance road safety and traffic efficiency by aggregating data in a central server for data analytics. When drivers share their instantaneous vehicular information for a service provider to perform a legitimate task, a curious service provider may also infer private information it has not been authorized for. In this paper, we propose a privacy preservation framework based on the Hilbert Schmidt Independence Criterion (HSIC) to sanitize driving data to protect the vehicle’s trajectory from adversarial inference while ensuring the data is still useful for driver behavior detection. We develop a deep learning model to learn the HSIC sanitizer and demonstrate through two datasets that our approach achieves better utility-privacy trade-offs when compared to three other benchmarks.

There is an increase in interest and necessity for an interoperable and efficient railway network across Europe, creating a key distribution problem between train and trackside entities’ key management centres (KMC). Train and trackside entities establish a secure session using symmetric keys (KMAC) loaded beforehand by their respective KMC using procedures that are not scalable and prone to operational mistakes. A single system would simplify the KMAC distribution between KMCs; nevertheless, it is difficult to place the responsibility for such a system for the whole European area within one central organization. A single system could also expose relationships between KMCs, revealing information, such as plans to use an alternative route or serve a new region, jeopardizing competitive advantage. This paper proposes a scalable and decentralised key management system that allows KMC to share cryptographic keys using transactions while keeping relationships anonymous. Using non-interactive proofs of knowledge and assigning each entity a private and public key, private key owners can issue valid transactions while all system actors can validate them. Our performance analysis shows that the proposed system is scalable when a proof of concept is implemented with settings close to the expected railway landscape in 2030.

Developers of mobile applications rely on the trust of their customers. On the one hand the requirement exists to create feature-rich and secure apps, which adhere to privacy standards to not deliberately disclose user information. On the other hand the development process must be streamlined to reduce costs. Here third-party libraries come into play. Inclusion of many, possibly nested libraries pose security risks, app-creators are often not aware of. This paper presents a way to combine free open-source tools to support developers in checking their application that it does not induce security issues by using third-party libraries. The tools FlowDroid, Frida, and mitm-proxy are used in combination in a simple and viable way to perform checks to identify privacy leaks of third-party apps. Our proposed setup and configuration empowers average app developers to preserve user privacy without being dedicated security experts and without expensive external advice.

New advancements in cloud computing technology enable the usage of cloud platforms for business purposes rapidly increasing every day. Data accumulation related to business transactions, Communications, business model architecture and much other information are stored in the cloud platform and access Dubai the business Associates commonly. Considering the security point of view data stored in the cloud need to be highly secured and accessed through authentication. The proposed system is focused on evaluating a cloud integrity auditing model in which the security and privacy preserving system is being audited, privacy is decided using a machine learning algorithm. The proposed model is developed using a hybrid CatBoost algorithm (HCBA) in which the input data is stored into the cloud platform using Bring your own encryption Key (BYOEK). The security of BYOEK model is evaluated and validated with respect to the given test model in terms of Execution time comparison Vs. Data transactions.

Cloud computing solutions enable Cyber-Physical Systems (CPSs) to utilize significant computational resources and implement sophisticated control algorithms even if limited computation capabilities are locally available for these systems. However, such a control architecture suffers from an important concern related to the privacy of sensor measurements and the computed control inputs within the cloud. This paper proposes a solution that allows implementing a set-theoretic model predictive controller on the cloud while preserving this privacy. This is achieved by exploiting the offline computations of the robust one-step controllable sets used by the controller and two affine transformations of the sensor measurements and control optimization problem. It is shown that the transformed and original control problems are equivalent (i.e., the optimal control input can be recovered from the transformed one) and that privacy is preserved if the control algorithm is executed on the cloud. Moreover, we show how the actuator can take advantage of the set-theoretic nature of the controller to verify, through simple set-membership tests, if the control input received from the cloud is admissible. The correctness of the proposed solution is verified by means of a simulation experiment involving a dual-tank water system.

Large capacity, fast-paced, diversified and high-value data are becoming a hotbed of data processing and research. Privacy security protection based on data life cycle is a method to protect privacy. It is used to protect the confidentiality, integrity and availability of personal data and prevent unauthorized access or use. The main advantage of using this method is that it can fully control all aspects related to the information system and its users. With the opening of the cloud, attackers use the cloud to recalculate and analyze big data that may infringe on others' privacy. Privacy protection based on data life cycle is a means of privacy protection based on the whole process of data production, collection, storage and use. This approach involves all stages from the creation of personal information by individuals (e.g. by filling out forms online or at work) to destruction after use for the intended purpose (e.g. deleting records). Privacy security based on the data life cycle ensures that any personal information collected is used only for the purpose of initial collection and destroyed as soon as possible.

With the variety of cloud services, the cloud service provider delivers the machine learning service, which is used in many applications, including risk assessment, product recommen-dation, and image recognition. The cloud service provider initiates a protocol for the classification service to enable the data owners to request an evaluation of their data. The owners may not entirely rely on the cloud environment as the third parties manage it. However, protecting data privacy while sharing it is a significant challenge. A novel privacy-preserving model is proposed, which is based on differential privacy and machine learning approaches. The proposed model allows the various data owners for storage, sharing, and utilization in the cloud environment. The experiments are conducted on Blood transfusion service center, Phoneme, and Wilt datasets to lay down the proposed model's efficiency in accuracy, precision, recall, and Fl-score terms. The results exhibit that the proposed model specifies high accuracy, precision, recall, and Fl-score up to 97.72%, 98.04%, 97.72%, and 98.80%, respectively.

With 3.78 billion social media users worldwide in 2021 (48% of the human population), almost 3 billion images are shared daily. At the same time, a consistent evolution of smartphone cameras has led to a photography explosion with 85% of all new pictures being captured using smartphones. However, lately, there has been an increased discussion of privacy concerns when a person being photographed is unaware of the picture being taken or has reservations about the same being shared. These privacy violations are amplified for people with disabilities, who may find it challenging to raise dissent even if they are aware. Such unauthorized image captures may also be misused to gain sympathy by third-party organizations, leading to a privacy breach. Privacy for people with disabilities has so far received comparatively less attention from the AI community. This motivates us to work towards a solution to generate privacy-conscious cues for raising awareness in smartphone users of any sensitivity in their viewfinder content. To this end, we introduce PrivPAS (A real time Privacy-Preserving AI System) a novel framework to identify sensitive content. Additionally, we curate and annotate a dataset to identify and localize accessibility markers and classify whether an image is sensitive to a featured subject with a disability. We demonstrate that the proposed lightweight architecture, with a memory footprint of a mere 8.49MB, achieves a high mAP of 89.52% on resource-constrained devices. Furthermore, our pipeline, trained on face anonymized data. achieves an F1-score of 73.1%.

The NIST standardization process for post-quantum cryptography has been drawing the attention of researchers to the submitted candidates. One direction of research consists in implementing those candidates on embedded systems and that exposes them to physical attacks in return. The Classic McEliece cryptosystem, which is among the four finalists of round 3 in the Key Encapsulation Mechanism category, builds its security on the hardness of the syndrome decoding problem, which is a classic hard problem in code-based cryptography. This cryptosystem was recently targeted by a laser fault injection attack leading to message recovery. Regrettably, the attack setting is very restrictive and it does not tolerate any error in the faulty syndrome. Moreover, it depends on the very strong attacker model of laser fault injection, and does not apply to optimised implementations of the algorithm that make optimal usage of the machine words capacity. In this article, we propose a to change the angle and perform a message-recovery attack that relies on side-channel information only. We improve on the previously published work in several key aspects. First, we show that side-channel information, obtained with power consumption analysis, is sufficient to obtain an integer syndrome, as required by the attack framework. This is done by leveraging classic machine learning techniques that recover the Hamming weight information very accurately. Second, we put forward a computationally-efficient method, based on a simple dot product and information-set decoding algorithms, to recover the message from the, possibly inaccurate, recovered integer syndrome. Finally, we present a masking countermeasure against the proposed attack.

With the advent of information and communication technology, the digital space is becoming a playing ground for criminal activities. Criminals typically prefer darkness or a hidden place to perform their illegal activities in a real-world while sometimes covering their face to avoid being exposed and getting caught. The same applies in a digital world where criminals prefer features which provide anonymity or hidden features to perform illegal activities. It is from this spirit the Darkweb is attracting all kinds of criminal activities conducted over the Internet such as selling drugs, illegal weapons, child pornography, assassination for hire, hackers for hire, and selling of malicious exploits, to mention a few. Although the anonymity offered by Darkweb can be exploited as a tool to arrest criminals involved in cybercrime, an in-depth research is needed to advance criminal investigation on Darkweb. Analysis of illegal activities conducted in Darkweb is in its infancy and faces several challenges like lack of standard operating procedures. This study proposes progressive standard operating procedures (SOPs) for Darkweb forensics investigation. We provide the four stages of SOP for Darkweb investigation. The proposed SOP consists of the following stages; identification and profiling, discovery, acquisition and preservation, and the last stage is analysis and reporting. In each stage, we consider the objectives, tools and expected results of that particular stage. Careful consideration of this SOP revealed promising results in the Darkweb investigation.

With the ever-increasing use of large-scale IoT networks in different sectors of the industry, it has become critical to realise seamless and secure communication between devices in the network. Realising secure group communication in the IoT requires solving the problem of group-key establishment. In this work, we solve the problem by designing a new lattice-based Key Encapsulation Mechanism (KEM) for resource-constrained devices that enable the distribution of a symmetric key or any other data between all the devices in a given network. This is achieved by coupling multiple private keys to a unique public key. Moreover, we present a proof-of-concept implementation based on the GGH algorithm. The results show it is feasible to use lattice-based cryptography to allow for seamless and secure group communications within a decentralised IoT network. It has been bench-marked against other common post-quantum constructs and proven to be more practical with respect to memory consumption and security, although considerably slower due to lack of optimisation in the implementation.

Managing and storing big data is non-trivial for traditional relational databases (RDBMS). Therefore, the NoSQL (Not Only SQL) database management system emerged. It is ca-pable of handling the vast amount and the heterogeneity of data. In this research, we are interested in one of its trending types, the graph database, namely, the Directed Property Graph (DPG). This type of database is powerful in dealing with complex relationships (\$\textbackslashmathrme.\textbackslashmathrmg\$., social networks). However, its sen-sitive and private data must be protected against unauthorized access. This research proposes a security model that aims at exploiting and combining the benefits of Access Control, View-Based, and Query-Rewriting approaches. This is a novel combination for securing DPG.

Kerberos protocol is a derivative type of server used for the authentication purpose. Kerberos is a network-based authentication protocol which communicates the tickets from one network to another in a secured manner. Kerberos protocol encrypts the messages and provides mutual authentication. Kerberos uses the symmetric cryptography which uses the public key to strengthen the data confidentiality. The KDS Key Distribution System gives the center of securing the messages. Kerberos has certain disadvantages as it provides public key at both ends. In this proposed approach, the Kerberos are secured by using the HMAC Hash-based Message Authentication Code which is used for the authentication of message for integrity and authentication purpose. It verifies the data by authentication, verifies the e-mail address and message integrity. The computer network and security are authenticated by verifying the user or client. These messages which are transmitted and delivered have to be integrated by authenticating it. Kerberos authentication is used for the verification of a host or user. Authentication is based on the tickets on credentials in a secured way. Kerberos gives faster authentication and uses the unique ticketing system. It supports the authentication delegation with faster efficiency. These encrypt the standard by encrypting the tickets to pass the information.

Sometimes we have the need to inject new services in an operational satellite, but as the injection of new codes in equipment that has communication link is a critical process due to the possibility of injection of broke or malicious codes, this document proposes a protocol for the safe injection of code in satellite microcontrollers of the CubeSat’ type. This protocol is based on the use of HMAC with SHA-3 to guarantee integrity and authenticity and is enhanced by the same security measures to mitigate communication link problems and satellite attacks, such as the guarantee of delivery and displacement between communication windows and periods of high processing.

Systems based on WB protection have a limited lifetime, measured in months and sometimes days. Unfortunately, to understand for how long the application will be uncompromised, if possible, only empirically. However, it is possible to make a preliminary assessment of the security of a particular implementation, depending on the methods and their number used in the implementation, it will allow reallocating resources to more effective means of protection.

The use of image data in multimedia communication based applications like military applications and medical images security applications are increasing every day and the secrecy of the image data is extremely important for such applications. A number of methods and techniques for securely transmitting images are proposed in the literature based on image encryption and steganography approaches. A novel mechanism for transmitting color images securely is proposed in this paper mainly based on public key cryptography mechanism also by combining the advantage of simplicity of symmetric schemes. The technique combines the strengths of Elliptic Curve Cryptography and the classical symmetric cryptographic mechanism called Hill Cipher encryption method. The technique also includes the concept of Magic Square for jumbling the pixels yielding maximum diffusion in the image pixels. In the performance evaluation, the proposed method proved that the new system works pretty well. The method is proved to be effective in maintaining the confidentiality of the image in transit and also for resisting security attacks.

We use mobile apps on a daily basis and there is an app for everything. We trust these applications with our most personal data. It is therefore important that these apps are as secure and well usable as possible. So far most studies on the maintenance and security of mobile applications have been done on Android applications. We do, however, not know how well these results translate to iOS.This research project aims to close this gap by analysing iOS applications with regards to maintainability and security. Regarding maintainability, we analyse code smells in iOS applications, the evolution of code smells in iOS applications and compare code smell distributions in iOS and Android applications. Regarding security, we analyse the evolution of the third-party library dependency network for the iOS ecosystem. Additionally, we analyse how publicly reported vulnerabilities spread in the library dependency network.Regarding maintainability, we found that the distributions of code smells in iOS and Android applications differ. Code smells in iOS applications tend to correspond to smaller classes, such as Lazy Class. Regarding security, we found that the library dependency network of the iOS ecosystem is not growing as fast as in some other ecosystems. There are less dependencies on average than for example in the npm ecosystem and, therefore, vulnerabilities do not spread as far.