Biblio

A Quick Response (QR) Code is a type of barcode that can be read by the digital devices and which stores the information in a square-shaped. The QR Code readers can extract data from the patterns which are presented in the QR Code matrix. A QR Code can be acting as an attack vector that can harm indirectly. In such case a QR Code can carry malicious or phishing URLs and redirect users to a site which is well conceived by the attacker and pretends to be an authorized one. Once the QR Code is decoded the commands are triggered and executed, causing damage to information, operating system and other possible sequence the attacker expects to gain. In this paper, a new model for QR Code authentication and phishing detection has been presented. The proposed model will be able to detect the phishing and malicious URLs in the process of the QR Code validation as well as to prevent the user from validating it. The development of this application will help to prevent users from being tricked by the harmful QR Codes.

In order to solve the problem of large data volume brought by the traditional Nyquist sampling theorem in radar signal detection, a compressive detection (CD) model based on compressed sensing (CS) theory is proposed by analyzing the sparsity of the radar target in the range domain. The lower sampling rate completes the compressive sampling of the radar signal on the range field. On this basis, the two-dimensional distribution of the Doppler unit is established by moving target detention moving target detention (MTD), and the detection of the target is achieved with the two-dimensional constant false alarm rate (2D-CFAR) detection algorithm. The simulation experiment results prove that the algorithm can effectively detect the target without the need for reconstruction signals, and has good detection performance.

The cryptology science has gradually gained importance with our digitalized lives. Ensuring the security of data transmitted, processed and stored across digital channels is a major challenge. One of the frequently used components in cryptographic algorithms to ensure security is substitution-box structures. Random selection-based substitution-box structures have become increasingly important lately, especially because of their advantages to prevent side channel attacks. However, the low nonlinearity value of these designs is a problem. In this study, a dataset consisting of twenty different substitution-box structures have been publicly presented to the researchers. The fact that the proposed dataset has high nonlinearity values will allow it to be used in many practical applications in the future studies. The proposed dataset provides a contribution to the literature as it can be used both as an input dataset for the new post-processing algorithm and as a countermeasure to prevent the success of side-channel analyzes.

The prevalence of Internet of Things (IoT) allows heterogeneous and lightweight smart devices to collaboratively provide services with or without human intervention. With an ever-increasing presence of IoT-based smart applications and their ubiquitous visibility from the Internet, user data generated by highly connected smart IoT devices also incur more concerns on security and privacy. While a lot of efforts are reported to develop lightweight information assurance approaches that are affordable to resource-constrained IoT devices, there is not sufficient attention paid from the aspect of security solutions against hardware-oriented attacks, i.e. side channel attacks. In this paper, a COTS (commercial off-the-shelf) based Randomized Switched-Mode Voltage Regulation System (RSMVRS) is proposed to prevent power analysis based side channel attacks (P-SCA) on bare metal IoT edge device. The RSMVRS is implemented to direct power to IoT edge devices. The power is supplied to the target device by randomly activating power stages with random time delays. Therefore, the cryptography algorithm executing on the IoT device will not correlate to a predictable power profile, if an adversary performs a SCA by measuring the power traces. The RSMVRS leverages COTS components and experimental study has verified the correctness and effectiveness of the proposed solution.

Maintaining critical data and process availability is an important challenge of Industry 4.0. Given the variety of smart nodes, data and the access latency that can be tolerated by consumers in modern IoT-based industry, we propose a method for analyzing the resiliency of an IoT network. Due to the complexity of modern system structures, different components in the system can affect the system’s resiliency. Therefore, a fundamental problem is to propose methods to quantify the value of resilience contribution of a node in each system effectively. This paper aims to identify the most critical vertices of the network with respect to the latency constraint resiliency metric. Using important centrality metrics, we identify critical nodes in industrial IoT networks to analyze the degree of resiliency in the IoT environments. The results show that when nodes with the highest value of Closeness Centrality (CC) were disrupted Resiliency of Latency (RL) would have the lowest value. In other words, the results indicate the nodes with the high values for CC are most critical in an IoT network.

The data-driven period produces more and more security-related challenges that even experts can hardly deal with. One of the most complex threats is ransomware, which is very taxing and devastating to detect and mainly prevent. Our research methods showed significant results in identifying ransomware processes using the honeypot concept augmented with symbolic linking to reduce damage made to the file system. The CIA (confidentiality, integrity, availability) metrics have been adhered to. We propose to optimize the malware process termination procedure and introduce an artificial intelligence-human collaboration to enhance ransomware classification and detection.

A new method for the detection of ransomware in an infected host is described and evaluated. The method utilizes data streams from on-board sensors to fingerprint the initiation of a ransomware infection. These sensor streams, which are common in modern computing systems, are used as a side channel for understanding the state of the system. It is shown that ransomware detection can be achieved in a rapid manner and that the use of slight, yet distinguishable changes in the physical state of a system as derived from a machine learning predictive model is an effective technique. A feature vector, consisting of various sensor outputs, is coupled with a detection criteria to predict the binary state of ransomware present versus normal operation. An advantage of this approach is that previously unknown or zero-day version s of ransomware are vulnerable to this detection method since no apriori knowledge of the malware characteristics are required. Experiments are carried out with a variety of different system loads and with different encryption methods used during a ransomware attack. Two test systems were utilized with one having a relatively low amount of available sensor data and the other having a relatively high amount of available sensor data. The average time for attack detection in the "sensor-rich" system was 7.79 seconds with an average Matthews correlation coefficient of 0.8905 for binary system state predictions regardless of encryption method and system load. The model flagged all attacks tested.

Security of physical layer key generation is based on the randomness and reciprocity of wireless fading channel, which has attracted more and more attention in recent years. This paper proposes a rate adaptive key agreement scheme and utilizes the received signal strength (RSS) of the channel between two wireless devices to generate the key. In conventional information reconciliation process, the bit inconsistency rate is usually eliminated by using the filter method, which increases the possibility of exposing the generated key bit string. Building on the strengths of existing secret key extraction approaches, this paper develops a scheme that uses Reed-Solomon (RS) codes, one of forward error correction channel codes, for information reconciliation. Owing to strong error correction performance of RS codes, the proposed scheme can solve the problem of inconsistent key bit string in the process of channel sensing. At the same time, the composition of RS codes can help the scheme realize rate adaptation well due to the construction principle of error correction code, which can freely control the code rate and achieve the reconciliation method of different key bit string length. Through experiments, we find that when the number of inconsistent key bits is not greater than the maximum error correction number of RS codes, it can well meet the purpose of reconciliation.

Internet of Things (IoT) networks are often attacked to compromise the security and privacy of application data and disrupt the services offered by them. The attacks are being launched at different layers of IoT protocol stack by exploiting their inherent weaknesses. Forensic investigations need substantial artifacts and datasets to support the decisions taken during analysis and while attributing the attack to the adversary. Network provenance plays a crucial role in establishing the relationships between network entities. Hence IoT networks can be made forensic ready so that network provenance may be collected to help in constructing these artifacts. The paper proposes Ready-IoT, a novel forensic readiness model for IoT environment to collect provenance from the network which comprises of both network parameters and traffic. A link layer dataset, Link-IoT Dataset is also generated by querying provenance graphs. Finally, Link-IoT dataset is compared with other IoT datasets to draw a line of difference and applicability to IoT environments. We believe that the proposed features have the potential to detect the attacks performed on the IoT network.

In recent times, attackers are continuously developing advanced techniques for evading security, stealing personal financial data, Intellectual Property (IP) and sensitive information. These attacks often employ multiple attack vectors for gaining initial access to the systems. Analysts are often challenged to identify malware objective, initial attack vectors, attack propagation, evading techniques, protective mechanisms and unseen techniques. Most of these attacks are frequently referred to as Multi stage attacks and pose a grave threat to organizations, individuals and the government. Early multistage attack detection is a crucial measure to counter malware and deactivate it. Most traditional security solutions use signature-based detection, which frequently fails to thwart zero-day attacks. Manual analysis of these samples requires enormous effort for effectively counter exponential growth of malware samples. In this paper, we present a novel approach leveraging Machine Learning and MITRE Adversary Tactic Technique and Common knowledge (ATT&CK) framework for early multistage attack detection in real time. Firstly, we have developed a run-time engine that receives notification while malicious executable is downloaded via browser or a launch of a new process in the system. Upon notification, the engine extracts the features from static executable for learning if the executable is malicious. Secondly, we use the MITRE ATT&CK framework, evolved based on the real-world observations of the cyber attacks, that best describes the multistage attack with respect to the adversary Tactics, Techniques and Procedure (TTP) for detecting the malicious executable as well as predict the stages that the malware executes during the attack. Lastly, we propose a real-time system that combines both these techniques for early multistage attack detection. The proposed model has been tested on 6000 unpacked malware samples and it achieves 98 % accuracy. The other major contribution in this paper is identifying the Windows API calls for each of the adversary techniques based on the MITRE ATT&CK.

In recent years, one of the important and interesting tasks has become the protection of civilian and military objects from unmanned aerial vehicles (UAVs) carrying a potential threat. To solve this problem, it is required to detect UAVs and activate protective systems. UAVs can be represented as aerodynamic objects of the monoplane or multicopter type with acoustic fingerprints. In this paper we consider algorithm for UAV acoustic detection and recognition system. Preliminary results of analysis of experimental data show effectiveness of proposed approach.

Modern power grids are dependent on communication systems for data collection, visualization, and control. Distributed Network Protocol 3 (DNP3) is commonly used in supervisory control and data acquisition (SCADA) systems in power systems to allow control system software and hardware to communicate. To study the dependencies between communication network security, power system data collection, and industrial hardware, it is important to enable communication capabilities with real-time power system simulation. In this paper, we present the integration of new functionality of a power systems dynamic simulation package into our cyber-physical power system testbed that supports real-time power system data transfer using DNP3, demonstrated with an industrial real-time automation controller (RTAC). The usage and configuration of DNP3 with real-world equipment in to achieve power system monitoring and control of a large-scale synthetic electric grid via this DNP3 communication is presented. Then, an exemplar of DNP3 data collection and control is achieved in software and hardware using the 2000-bus Texas synthetic grid.

Autonomous cyber-physical systems (CPS) are susceptible to non-invasive physical attacks such as sensor spoofing attacks that are beyond the classical cybersecurity domain. These attacks have motivated numerous research efforts on attack detection, but little attention on what to do after detecting an attack. The importance of attack recovery is emphasized by the need to mitigate the attack’s impact on a system and restore it to continue functioning. There are only a few works addressing attack recovery, but they all rely on prior knowledge of system dynamics. To overcome this limitation, we propose Recovery-by-Learning, a data-driven attack recovery framework that restores CPS from sensor attacks. The framework leverages natural redundancy among heterogeneous sensors and historical data for attack recovery. Specially, the framework consists of two major components: state predictor and data checkpointer. First, the predictor is triggered to estimate systems states after the detection of an attack. We propose a deep learning-based prediction model that exploits the temporal correlation among heterogeneous sensors. Second, the checkpointer executes when no attack is detected. We propose a double sliding window based checkpointing protocol to remove compromised data and keep trustful data as input to the state predictor. Third, we implement and evaluate the effectiveness of our framework using a realistic data set and a ground vehicle simulator. The results show that our method restores a system to continue functioning in presence of sensor attacks.

Containerization technology becomes one of alternatives in virtualization. Docker requires docker daemon to build, distribute and run the container and this makes the docker vulnerable to an attack surface called Docker daemon Attack Surface - an attack against docker daemon taking over the access (root). Using rootless mode is one way to prevent the attack. Therefore, this research demonstrates the attack prevention by making and running the docker container in the rootless mode. The success of the attack can be proven when the user is able to access the file /etc/shadow that is supposed to be only accessible for the rooted users. Findings of this research demonstrated that the file is inaccessible when the docker is run using the rootless mode. CPU usage is measured when the attack is being simulated using the docker run through root privileges and rootless mode, to identify whether the use of rootless mode in the docker adds the load of CPU usage and to what extent its increased. Results showed that the CPU use was 39% when using the docker with the rootless mode. Meanwhile, using the docker with the right of the root access was only 0%. The increase of 39% is commensurate with the benefit that can prevent the docker daemon attack surface.

The 2020 Corona pandemic has shown that on-line real-time multimedia communication is of vital importance when regular face-to-face meetings are not possible. One popular choice for conducting these meetings is the open standard WebRTC which is implemented in every major web browser. Even though this technology has found widespread use, there are still open issues with how different congestion control (CC) algorithms of Media- and DataChannels interact. In 2018 we have shown that the issue of self-inflicted queuing delay can be mitigated by introducing a CC coupling mechanism called FSE-NG. Originally, this solution was only capable of linking DataChannel flows controlled by TCP-style CCs and MediaChannels controlled by NADA CC. Standardization has progressed and along with NADA, IETF has also standardized the RTP CC SCReAM. This work extends the FSE-NG algorithm to also incorporate flows controlled by the latter algorithm. By means of simulation, we show that our approach is capable of drastically reducing end-to-end delays while also increasing RTP throughput and thus enabling WebRTC communication in scenarios where it has not been applicable before.

Smart grids have to protect meter measurements against false data injection attacks. By modifying the meter measurements, the attacker misleads the control decisions of the control center, which results in physical damages of power systems. In this paper, we propose a reinforcement learning based vulnerability analysis scheme for data injection attack without relying on the power system topology. This scheme enables the attacker to choose the data injection attack vector based on the meter measurements, the power system status, the previous injected errors and the number of meters to compromise. By combining deep reinforcement learning with prioritized experience replay, the proposed scheme more frequently replays the successful vulnerability detection experiences while bypassing the bad data detection, which is able to accelerate the learning speed. Simulation results based on the IEEE 14 bus system show that this scheme increases the probability of successful vulnerability detection and reduce the number of meters to compromise compared with the benchmark scheme.

Internet of Battlefield Things (IoBT) is the application of Internet of Things (IoT) to a battlefield environment. IoBT networks operate in difficult conditions due to high mobility and unpredictable nature of battle fields and securing them is a challenge. There is increasing interest to use deception techniques to enhance the security of IoBT networks. A honeypot is a system installed on a network as a trap to attract the attention of an attacker and it does not store any valuable data. In this work, we introduce IoBT dual sensor gateways. We propose a Reinforcement Learning (RL)-assisted scheme, in which the IoBT dual sensor gateways intelligently switch between honeypot and real function based on a threshold. The optimal threshold is determined using reinforcement learning approach that adapts to nodes reputation. To focus on the impact of the mobile and uncertain behavior of IoBT networks on the proposed scheme, we consider the nodes as moving vehicles. We statistically analyze the results of our RL-based scheme obtained using ns-3 network simulation, and optimize value of the threshold.

The cloud infrastructure is not new to the society from past one decade. But even in recent time, the companies started migrating from local services to cloud services for better connectivity and for other requirements, this is due to companies financial limitations on existing infrastructure, they are migrating to less cost and hire and fire support based cloud infrastructures. But the proposed cloud infrastructure require security on event logs accessed by different end users on the cloud environment. To adopt the security on local services to cloud service based infrastructure, it need better identify management between end users. Therefore this paper presents the related works of user identity as a service for each user involving in cloud service and the accessing permission and protection will be monitored and controlled by the cloud security infrastructures.

In this paper, we propose a relational anonymous P2P communication network evaluation model based on Markov chain (AEMC), and show how to extend our model to the anonymous evaluation of sender and receiver relationship anonymity when the attacker attacks the anonymous P2P communication network and obtains some information. Firstly, the constraints of the evaluation model (the attacker assumption for message tracing) are specified in detail; then the construction of AEMC anonymous evaluation model and the specific evaluation process are described; finally, the simulation experiment is carried out, and the evaluation model is applied to the probabilistic anonymous evaluation of the sender and receiver relationship of the attacker model, and the evaluation is carried out from the perspective of user (message).

The Internet of Things integrates multiple hardware appliances from large cloud data centres to constrained devices embedded within the physical reality, from multiple vendors and providers, under the same infrastructure. These appliances are subject to different restrictions, have different available resources and show different risk profiles and vulnerabilities. In these scenarios, remote attestation mechanisms are essential, enabling the verification of a distant appliance’s internal state before allowing it to access sensitive data or execute critical workloads. This work proposes a new attestation approach based on a Trusted Platform Module (TPM), devoted to performing Remote Attestation as a Service (RAaaS) while guaranteeing essential properties such as flexibility, generality, domain separation and authorized initiation. The proposed solution can prove both edge devices and IoT devices reliability to services running on cloud data centres. Furthermore, the first prototype of this service has been validated and evaluated via a real use case.

Service workers boost the user experience of modern web applications by taking advantage of the Cache API to improve responsiveness and support offline usage. In this paper, we present the first security analysis of the threats posed by this programming practice, identifying an attack with major security implications. In particular, we show how a traditional XSS attack can abuse the Cache API to escalate into a personin-the-middle attack against cached content, thus compromising its confidentiality and integrity. Remarkably, this attack enables new threats which are beyond the scope of traditional XSS. After defining the attack, we study its prevalence in the wild, finding that the large majority of the sites which register service workers using the Cache API are vulnerable as long as a single webpage in the same origin of the service worker is affected by an XSS. Finally, we propose a browser-side countermeasure against this attack, and we analyze its effectiveness and practicality in terms of security benefits and backward compatibility with existing web applications.

Service workers boost the user experience of modern web applications by taking advantage of the Cache API to improve responsiveness and support offline usage. In this paper, we present the first security analysis of the threats posed by this programming practice, identifying an attack with major security implications. In particular, we show how a traditional XSS attack can abuse the Cache API to escalate into a personin-the-middle attack against cached content, thus compromising its confidentiality and integrity. Remarkably, this attack enables new threats which are beyond the scope of traditional XSS. After defining the attack, we study its prevalence in the wild, finding that the large majority of the sites which register service workers using the Cache API are vulnerable as long as a single webpage in the same origin of the service worker is affected by an XSS. Finally, we propose a browser-side countermeasure against this attack, and we analyze its effectiveness and practicality in terms of security benefits and backward compatibility with existing web applications.

The popularity of P2P (Peer-To-Peer) systems is increased tremendously due to massive increase in the Internet based applications. Initially, P2P systems were mainly designed for wired networks but today people are using more wireless networks and therefore these systems are gaining popularity. There are many wireless networks available today and WMNs (Wireless Mess Networks) are gaining popularity due to hybrid structure. People are using structured P2P systems-based applications within perimeter of a WMN. Structured P2P WMNs will assist the community to fetch the relevant information to accomplish their activities. There are inherent challenges in the structured P2P network and increased in wireless environment like WMNs. Structured P2P systems suffer from many challenges like lack of content availability, malicious content distribution, poor search scalability, free riding behaviour, white washing, lack of a robust trust model etc. Whereas, WMNs have limitations like mobility management, bandwidth constraint, limited battery power of user's devices, security, maintenance etc. in remote/ forward areas. We exploit the better possibility of content availability and search scalability in this paper. We propose replication schemes based on the popularity of content for structured P2P system applications in community based WMNs. The analysis of the performance shows that proposed scheme performs better than the existing replication scheme in different conditions.

Vulnerabilities in the source code of software are critical issues in the realm of software engineering. Coping with vulnerabilities in software source code is becoming more challenging due to several aspects of complexity and volume. Deep learning has gained popularity throughout the years as a means of addressing such issues. In this paper, we propose an evaluation of vulnerability detection performance on source code representations and evaluate how Machine Learning (ML) strategies can improve them. The structure of our experiment consists of 3 Deep Neural Networks (DNNs) in conjunction with five different source code representations; Abstract Syntax Trees (ASTs), Code Gadgets (CGs), Semantics-based Vulnerability Candidates (SeVCs), Lexed Code Representations (LCRs), and Composite Code Representations (CCRs). Experimental results show that employing different ML strategies in conjunction with the base model structure influences the performance results to a varying degree. However, ML-based techniques suffer from poor performance on class imbalance handling when used in conjunction with source code representations for software vulnerability detection.

With the rapid development of the Internet, network traffic is becoming more complex and diverse. At the same time, malicious traffic is growing. This seriously threatens the security of networks and information. However, the current DPI (Deep Packet Inspect) engine based on x86 architecture is slow in monitoring speed, which cannot meet the needs. Generally, two factors affect the detection rate: CPU and memory; The efficiency of data packet acquisition, and multi regular expression matching. Under these circumstances, this paper presents an efficient implementation of the DPI engine based on a generic x86 platform. DPDK is used as the platform of network data packets acquisition and processing. Using the multi-queue of the NIC (network interface controller) and the customized symmetric RSS key, the network traffic is divided and reorganized in the form of conversation. The core of traffic identification is hyperscan, which uses a flow pattern to match the packets load of a single conversation efficiently. It greatly reduces memory requirements. The method makes full use of the system resources and takes into account the advantages of high efficiency of hardware implementation. And it has a remarkable improvement in the efficiency of recognition.