Biblio

Found 4288 results

Filters: Keyword is security
2023-06-09
Liu, Chengwei, Chen, Sen, Fan, Lingling, Chen, Bihuan, Liu, Yang, Peng, Xin.  2022.  Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). :672–684.
Third-party libraries with rich functionalities facilitate the fast development of JavaScript software, leading to the explosive growth of the NPM ecosystem. However, it also brings new security threats that vulnerabilities could be introduced through dependencies from third-party libraries. In particular, the threats could be excessively amplified by transitive dependencies. Existing research only considers direct dependencies or reasoning transitive dependencies based on reachability analysis, which neglects the NPM-specific dependency resolution rules as adapted during real installation, resulting in wrongly resolved dependencies. Consequently, further fine-grained analysis, such as precise vulnerability propagation and their evolution over time in dependencies, cannot be carried out precisely at a large scale, as well as deriving ecosystem-wide solutions for vulnerabilities in dependencies. To fill this gap, we propose a knowledge graph-based dependency resolution, which resolves the inner dependency relations of dependencies as trees (i.e., dependency trees), and investigates the security threats from vulnerabilities in dependency trees at a large scale. Specifically, we first construct a complete dependency-vulnerability knowledge graph (DVGraph) that captures the whole NPM ecosystem (over 10 million library versions and 60 million well-resolved dependency relations). Based on it, we propose a novel algorithm (DTResolver) to statically and precisely resolve dependency trees, as well as transitive vulnerability propagation paths, for each package by taking the official dependency resolution rules into account. Based on that, we carry out an ecosystem-wide empirical study on vulnerability propagation and its evolution in dependency trees. Our study unveils lots of useful findings, and we further discuss the lessons learned and solutions for different stakeholders to mitigate the vulnerability impact in NPM based on our findings. 
For example, we implement a dependency tree based vulnerability remediation method (DTReme) for NPM packages, and receive much better performance than the official tool (npm audit fix).
2023-02-24
Zhang, Guangya, Xu, Xiang.  2022.  Design and Practice of Campus Network Based on IPv6 Convergence Access in Guangdong Ocean University. 2022 International Conference on Computation, Big-Data and Engineering (ICCBE). :1–4.
For the smart campus of Guangdong Ocean University, we analyze the current situation of the university's network construction, as well as the problems in infrastructure, equipment, operation management, and network security. We focus on the construction objectives and design scheme of the smart campus, including the design of network structure and basic network services. The following are considered in this study: optimization of network structure simplification, business integration, multi-operator access environment, operation and maintenance guarantee system, organic integration of production, and teaching and research after network leveling transformation.
2023-06-09
Al-Amin, Mostafa, Khatun, Mirza Akhi, Nasir Uddin, Mohammed.  2022.  Development of Cyber Attack Model for Private Network. 2022 Second International Conference on Interdisciplinary Cyber Physical Systems (ICPS). :216–221.
Cyber Attack is the most challenging issue all over the world. Nowadays, Cyber-attacks are increasing on digital systems and organizations. Innovation and utilization of new digital technology, infrastructure, connectivity, and dependency on digital strategies are transforming day by day. The cyber threat scope has extended significantly. Currently, attackers are becoming more sophisticated, well-organized, and professional in generating malware programs in Python, C Programming, C++ Programming, Java, SQL, PHP, JavaScript, Ruby etc. Accurate attack modeling techniques provide cyber-attack planning, which can be applied quickly during a different ongoing cyber-attack. This paper aims to create a new cyber-attack model that will extend the existing model, which provides a better understanding of the network’s vulnerabilities. Moreover, it helps protect the company or private network infrastructure from future cyber-attacks. The final goal is to handle cyber-attacks in an efficacious manner using attack modeling techniques. Nowadays, many organizations, companies, authorities, industries, and individuals have faced cybercrime. To execute attacks using our model where honeypot, the firewall, DMZ and any other security are available in any environment.
2023-02-03
Sicari, Christian, Catalfamo, Alessio, Galletta, Antonino, Villari, Massimo.  2022.  A Distributed Peer to Peer Identity and Access Management for the Osmotic Computing. 2022 22nd IEEE International Symposium on Cluster, Cloud and Internet Computing (CCGrid). :775–781.
Nowadays Osmotic Computing is emerging as one of the paradigms used to guarantee the Cloud Continuum, and this popularity is strictly related to the capacity to embrace inside it some hot topics like containers, microservices, orchestration and Function as a Service (FaaS). The Osmotic principle is quite simple, it aims to create a federated heterogeneous infrastructure, where an application's components can smoothly move following a concentration rule. In this work, we aim to solve two big constraints of Osmotic Computing related to the incapacity to manage dynamic access rules for accessing the applications inside the Osmotic Infrastructure and the incapacity to keep alive and secure the access to these applications even in presence of network disconnections. For overcoming these limits we designed and implemented a new Osmotic component, that acts as an eventually consistent distributed peer to peer access management system. This new component is used to keep a local Identity and Access Manager (IAM) that permits at any time to access the resource available in an Osmotic node and to update the access rules that allow or deny access to hosted applications. This component has been already integrated inside a Kubernetes based Osmotic Infrastructure and we presented two typical use cases where it can be exploited.
2023-05-30
Shafique, Muhammad.  2022.  EDAML 2022 Invited Speaker 8: Machine Learning for Cross-Layer Reliability and Security. 2022 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW). :1189–1189.
In the deep nano-scale regime, reliability has emerged as one of the major design issues for high-density integrated systems. Among others, key reliability-related issues are soft errors, high temperature, and aging effects (e.g., NBTI-Negative Bias Temperature Instability), which jeopardize the correct applications' execution. Tremendous amount of research effort has been invested at individual system layers. Moreover, in the era of growing cyber-security threats, modern computing systems experience a wide range of security threats at different layers of the software and hardware stacks. However, considering the escalating reliability and security costs, designing a highly reliable and secure system would require engaging multiple system layers (i.e. both hardware and software) to achieve cost-effective robustness. This talk provides an overview of important reliability issues, prominent state-of-the-art techniques, and various hardware-software collaborative reliability modeling and optimization techniques developed at our lab, with a focus on the recent works on ML-based reliability techniques. Afterwards, this talk will also discuss how advanced ML techniques can be leveraged to devise new types of hardware security attacks, for instance on logic locked circuits. Towards the end of the talk, I will also give a quick pitch on the reliability and security challenges for the embedded machine learning (ML) on resource/energy-constrained devices subjected to unpredictable and harsh scenarios.
2023-01-05
Ma, Xiandong, Su, Zhou, Xu, Qichao, Ying, Bincheng.  2022.  Edge Computing and UAV Swarm Cooperative Task Offloading in Vehicular Networks. 2022 International Wireless Communications and Mobile Computing (IWCMC). :955–960.
Recently, unmanned aerial vehicle (UAV) swarm has been advocated to provide diverse data-centric services including data relay, content caching and computing task offloading in vehicular networks due to their flexibility and conveniences. Since only offloading computing tasks to edge computing devices (ECDs) can not meet the real-time demand of vehicles in peak traffic flow, this paper proposes to combine edge computing and UAV swarm for cooperative task offloading in vehicular networks. Specifically, we first design a cooperative task offloading framework that vehicles' computing tasks can be executed locally, offloaded to UAV swarm, or offloaded to ECDs. Then, the selection of offloading strategy is formulated as a mixed integer nonlinear programming problem, the object of which is to maximize the utility of the vehicle. To solve the problem, we further decompose the original problem into two subproblems: minimizing the completion time when offloading to UAV swarm and optimizing the computing resources when offloading to ECD. For offloading to UAV swarm, the computing task will be split into multiple subtasks that are offloaded to different UAVs simultaneously for parallel computing. A Q-learning based iterative algorithm is proposed to minimize the computing task's completion time by equalizing the completion time of its subtasks assigned to each UAV. For offloading to ECDs, a gradient descent algorithm is used to optimally allocate computing resources for offloaded tasks. Extensive simulations are lastly conducted to demonstrate that the proposed scheme can significantly improve the utility of vehicles compared with conventional schemes.
2023-07-14
Genç, Yasin, Habek, Muhammed, Aytaş, Nilay, Akkoç, Ahmet, Afacan, Erkan, Yazgan, Erdem.  2022.  Elliptic Curve Cryptography for Security in Connected Vehicles. 2022 30th Signal Processing and Communications Applications Conference (SIU). :1–4.
The concept of a connected vehicle refers to the linking of vehicles to each other and to other things. Today, developments in the Internet of Things (IoT) and 5G have made a significant contribution to connected vehicle technology. In addition to many positive contributions, connected vehicle technology also brings with it many security-related problems. In this study, a digital signature algorithm based on elliptic curve cryptography is proposed to verify the message and identity sent to the vehicles. In the proposed model, with the anonymous identification given to the vehicle by the central unit, the vehicle is prevented from being detected by other vehicles and third parties. Thus, even if the personal data produced in the vehicles is shared, it cannot be found which vehicle it belongs to.
ISSN: 2165-0608
2022-12-20
Sweigert, Devin, Chowdhury, Md Minhaz, Rifat, Nafiz.  2022.  Exploit Security Vulnerabilities by Penetration Testing. 2022 IEEE International Conference on Electro Information Technology (eIT). :527–532.
When we set up a computer network, we need to know if an attacker can get into the system. We need to do a series of tests that shows the vulnerabilities of the network setup. These series of tests are commonly known as Penetration Test. The need for penetration testing was not well known before. This paper highlights how penetration started and how it became as popular as it has today. The internet played a big part into the push to getting the idea of penetration testing started. The styles of penetration testing can vary from physical to network or virtual based testing which either can be a benefit to how a company becomes more secure. This paper presents the steps of penetration testing that a company or organization needs to carry out, to find out their own security flaws.
2023-06-22
Barlas, Efe, Du, Xin, Davis, James C..  2022.  Exploiting Input Sanitization for Regex Denial of Service. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). :883–895.
Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings - and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS. In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Assumption: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server-side. We identify a service's regex-based input sanitization in its HTML forms or its API, find vulnerable regexes among these regexes, craft ReDoS probes, and pinpoint vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS through their APIs (6 domains; 15 subdomains). Both Microsoft and Amazon Web Services patched their web services as a result of our disclosure. Since these vulnerabilities were from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library, and our patch has been merged. To summarize: in client-visible sanitization logic, some web services advertise ReDoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions. “Make measurable what cannot be measured.” -Galileo Galilei
ISSN: 1558-1225
2023-03-03
Lin, Zhenpeng, Chen, Yueqi, Wu, Yuhang, Mu, Dongliang, Yu, Chensheng, Xing, Xinyu, Li, Kang.  2022.  GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs. 2022 IEEE Symposium on Security and Privacy (SP). :2078–2095.
Nowadays, dynamic testing tools have significantly expedited the discovery of bugs in the Linux kernel. When unveiling kernel bugs, they automatically generate reports, specifying the errors the Linux encounters. The error in the report implies the possible exploitability of the corresponding kernel bug. As a result, many security analysts use the manifested error to infer a bug’s exploitability and thus prioritize their exploit development effort. However, using the error in the report, security researchers might underestimate a bug’s exploitability. The error exhibited in the report may depend upon how the bug is triggered. Through different paths or under different contexts, a bug may manifest various error behaviors implying very different exploitation potentials. This work proposes a new kernel fuzzing technique to explore all the possible error behaviors that a kernel bug might bring about. Unlike conventional kernel fuzzing techniques concentrating on kernel code coverage, our fuzzing technique is more directed towards the buggy code fragment. It introduces an object-driven kernel fuzzing technique to explore various contexts and paths to trigger the reported bug, making the bug manifest various error behaviors. With the newly demonstrated errors, security researchers could better infer a bug’s possible exploitability. To evaluate our proposed technique’s effectiveness, efficiency, and impact, we implement our fuzzing technique as a tool GREBE and apply it to 60 real-world Linux kernel bugs. On average, GREBE could manifest 2+ additional error behaviors for each of the kernel bugs. For 26 kernel bugs, GREBE discovers higher exploitation potential. We report to kernel vendors some of the bugs – the exploitability of which was wrongly assessed and the corresponding patch has not yet been carefully applied – resulting in their rapid patch adoption.
ISSN: 2375-1207
2023-09-07
Sha, Weinan, Luo, Tianyu, Leng, Jiewu, Lin, Zisheng.  2022.  Heterogeneous Multi-Blockchain Model-based Intellectual Property Protection in Social Manufacturing Paradigm. 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD). :891–896.
[Purpose/meaning] In this paper, a unified scheme based on blockchain technology to realize the three modules of intellectual property confirmation, utilization, and protection of rights at the application layer is constructed, to solve the problem of unbalanced and inadequate resource distribution and development level in the field of industrial intellectual property. [Method/process] Based on the application of the core technology of blockchain in the field of intellectual property, this paper analyzes the pain points in the current field of intellectual property, and selects matching blockchain types according to the protection of intellectual property and the different decisions involved in the transaction process, to build a heterogeneous multi-chain model based on blockchain technology. [Conclusion] The heterogeneous multi-chain model based on Polkadot[1] network is proposed to realize the intellectual property protection scheme of a heterogeneous multi-chain model, to promote collaborative design and product development between regions, and to make up for the shortcomings of technical exchange, and weaken the phenomenon of "information island" to a certain extent. [Limitation/deficiency] The design of smart contracts in the field of intellectual property, the development of cross-chain protocols, and the formulation of national standards for blockchain technology still need to be developed and improved. At the same time, the intellectual property protection model designed in this paper needs to be verified in the application of practical cases.
2023-02-03
Alkawaz, Mohammed Hazim, Joanne Steven, Stephanie, Mohammad, Omar Farook, Gapar Md Johar, Md.  2022.  Identification and Analysis of Phishing Website based on Machine Learning Methods. 2022 IEEE 12th Symposium on Computer Applications & Industrial Electronics (ISCAIE). :246–251.
People are increasingly sharing their details online as internet usage grows. Therefore, fraudsters have access to a massive amount of information and financial activities. The attackers create web pages that seem like reputable sites and transmit the malevolent content to victims to get them to provide subtle information. Prevailing phishing security measures are inadequate for detecting new phishing assaults. To accomplish this aim, objective to meet for this research is to analyze and compare phishing website and legitimate by analyzing the data collected from open-source platforms through a survey. Another objective for this research is to propose a method to detect fake sites using Decision Tree and Random Forest approaches. Microsoft Form has been utilized to carry out the survey with 30 participants. Majority of the participants have poor awareness and phishing attack and does not observe the features of interface before accessing the search browser. With the data collection, this survey supports the purpose of identifying the best phishing website detection where Decision Tree and Random Forest were trained and tested. In achieving high number of feature importance detection and accuracy rate, the result demonstrates that Random Forest has the best performance in phishing website detection compared to Decision Tree.
2023-05-12
Liu, Aodi, Du, Xuehui, Wang, Na, Wang, Xiaochang, Wu, Xiangyu, Zhou, Jiashun.  2022.  Implement Security Analysis of Access Control Policy Based on Constraint by SMT. 2022 IEEE 5th International Conference on Electronics Technology (ICET). :1043–1049.
Access control is a widely used technology to protect information security. The implementation of access control depends on the response generated by access control policies to users’ access requests. Therefore, ensuring the correctness of access control policies is an important step to ensure the smooth implementation of access control mechanisms. To solve this problem, this paper proposes a constraint based access control policy security analysis framework (CACPSAF) to perform security analysis on access control policies. The framework transforms the problem of security analysis of access control policy into the satisfiability of security principle constraints. The analysis and calculation of access control policy can be divided into formal transformation of access control policy, SMT coding of policy model, generation of security principle constraints, policy detection and evaluation. The security analysis of policies is divided into mandatory security principle constraints, optional security principle constraints and user-defined security principle constraints. The multi-dimensional security analysis of access control policies is realized and the semantic expression of policy analysis is stronger. Finally, the effectiveness of this framework is analyzed by performance evaluation, which proves that this framework can provide strong support for fine-grained security analysis of policies, and help to correctly model and configure policies during policy modeling, implementation and verification.
ISSN: 2768-6515
2022-12-09
Hussain, Karrar, Vanathi, D., Jose, Bibin K, Kavitha, S, Rane, Bhuvaneshwari Yogesh, Kaur, Harpreet, Sandhya, C..  2022.  Internet of Things- Cloud Security Automation Technology Based on Artificial Intelligence. 2022 International Conference on Applied Artificial Intelligence and Computing (ICAAIC). :42–47.
The development of industrial robots, as a carrier of artificial intelligence, has played an important role in promoting the popularisation of artificial intelligence super automation technology. The paper introduces the system structure, hardware structure, and software system of the mobile robot climber based on computer big data technology, based on this research background. At the same time, the paper focuses on the climber robot's mechanism compound method and obstacle avoidance control algorithm. Smart home computing focuses on “home” and brings together related peripheral industries to promote smart home services such as smart appliances, home entertainment, home health care, and security monitoring in order to create a safe, secure, energy-efficient, sustainable, and comfortable residential living environment. It's been twenty years. There is still no clear definition of “intelligence at home,” according to Philips Inc., a leading consumer electronics manufacturer, which once stated that intelligence should comprise sensing, connectedness, learning, adaption, and ease of interaction. Smart applications and services are still in the early stages of development, and not all of them can yet exhibit these five intelligent traits.
2022-12-20
von Zezschwitz, Emanuel, Chen, Serena, Stark, Emily.  2022.  "It builds trust with the customers" - Exploring User Perceptions of the Padlock Icon in Browser UI. 2022 IEEE Security and Privacy Workshops (SPW). :44–50.
We performed a large-scale online survey (n=1,880) to study the padlock icon, an established security indicator in web browsers that denotes connection security through HTTPS. In this paper, we evaluate users’ understanding of the padlock icon, and how removing or replacing it might influence their expectations and decisions. We found that the majority of respondents (89%) had misconceptions about the padlock’s meaning. While only a minority (23%-44%) referred to the padlock icon at all when asked to evaluate trustworthiness, these padlock-aware users reported that they would be deterred from a hypothetical shopping transaction when the padlock icon was absent. These users were reassured after seeing secondary UI surfaces (i.e., Chrome Page Info) where more verbose information about connection security was present. We conclude that the padlock icon, displayed by browsers in the address bar, is still misunderstood by many users. The padlock icon guarantees connection security, but is often perceived to indicate the general privacy, security, and trustworthiness of a website. We argue that communicating connection security precisely and clearly is likely to be more effective through secondary UI, where there is more surface area for content. We hope that this paper boosts the discussion about the benefits and drawbacks of showing passive security indicators in the browser UI.
ISSN: 2770-8411
2023-02-02
Samhi, Jordan, Gao, Jun, Daoudi, Nadia, Graux, Pierre, Hoyez, Henri, Sun, Xiaoyu, Allix, Kevin, Bissyandè, Tegawende F., Klein, Jacques.  2022.  JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). :1232–1244.
Native code is now commonplace within Android app packages where it co-exists and interacts with Dex bytecode through the Java Native Interface to deliver rich app functionalities. Yet, state-of-the-art static analysis approaches have mostly overlooked the presence of such native code, which, however, may implement some key sensitive, or even malicious, parts of the app behavior. This limitation of the state of the art is a severe threat to validity in a large range of static analyses that do not have a complete view of the executable code in apps. To address this issue, we propose a new advance in the ambitious research direction of building a unified model of all code in Android apps. The JUCIFY approach presented in this paper is a significant step towards such a model, where we extract and merge call graphs of native code and bytecode to make the final model readily-usable by a common Android analysis framework: in our implementation, JUCIFY builds on the Soot internal intermediate representation. We performed empirical investigations to highlight how, without the unified model, a significant amount of Java methods called from the native code are “unreachable” in apps' callgraphs, both in goodware and malware. Using JUCIFY, we were able to enable static analyzers to reveal cases where malware relied on native code to hide invocation of payment library code or of other sensitive code in the Android framework. Additionally, JUCIFY'S model enables state-of-the-art tools to achieve better precision and recall in detecting data leaks through native code. Finally, we show that by using JUCIFY we can find sensitive data leaks that pass through native code.
2023-01-05
Wei, Lianghao, Cai, Zhaonian, Zhou, Kun.  2022.  Multi-objective Gray Wolf Optimization Algorithm for Multi-agent Pathfinding Problem. 2022 IEEE 5th International Conference on Electronics Technology (ICET). :1241–1249.
As a core problem of multi-agent systems, multiagent pathfinding has an important impact on the efficiency of multi-agent systems. Because of this, many novel multi-agent pathfinding methods have been proposed over the years. However, these methods have focused on different agents with different goals for research, and less research has been done on scenarios where different agents have the same goal. We propose a multiagent pathfinding method incorporating a multi-objective gray wolf optimization algorithm to solve the multi-agent pathfinding problem with the same objective. First, constrained optimization modeling is performed to obtain objective functions about agent wholeness and security. Then, the multi-objective gray wolf optimization algorithm is improved for solving the constrained optimization problem and further optimized for scenarios with insufficient computational resources. To verify the effectiveness of the multi-objective gray wolf optimization algorithm, we conduct experiments in a series of simulation environments and compare the improved multi-objective grey wolf optimization algorithm with some classical swarm intelligence optimization algorithms. The results show that the multi-agent pathfinding method incorporating the multi-objective gray wolf optimization algorithm is more efficient in handling multi-agent pathfinding problems with the same objective.
2022-12-01
Fujita, Koji, Shibahara, Toshiki, Chiba, Daiki, Akiyama, Mitsuaki, Uchida, Masato.  2022.  Objection!: Identifying Misclassified Malicious Activities with XAI. ICC 2022 - IEEE International Conference on Communications. :2065–2070.
Many studies have been conducted to detect various malicious activities in cyberspace using classifiers built by machine learning. However, it is natural for any classifier to make mistakes, and hence, human verification is necessary. One method to address this issue is eXplainable AI (XAI), which provides a reason for the classification result. However, when the number of classification results to be verified is large, it is not realistic to check the output of the XAI for all cases. In addition, it is sometimes difficult to interpret the output of XAI. In this study, we propose a machine learning model called classification verifier that verifies the classification results by using the output of XAI as a feature and raises objections when there is doubt about the reliability of the classification results. The results of experiments on malicious website detection and malware detection show that the proposed classification verifier can efficiently identify misclassified malicious activities.
2023-05-12
Pupezescu, Valentin, Pupezescu, Marilena-Cătălina, Perișoară, Lucian-Andrei.  2022.  Optimizations of Database Management Systems for Real Time IoT Edge Applications. 2022 23rd International Carpathian Control Conference (ICCC). :171–176.

The exponential growth of IoT-type systems has led to a reconsideration of the field of database management systems in terms of storing and handling high-volume data. Recently, many real-time Database Management Systems(DBMS) have been developed to address issues such as security, managing concurrent access to stored data, and optimizing data query performance. This paper studies methods that allow to reduce the temporal validity range for common DBMS. The primary purpose of IoT edge devices is to generate data and make it available for machine learning or statistical algorithms. This is achieved inside the Knowledge Discovery in Databases process. In order to visualize and obtain critical Data Mining results, all the device-generated data must be made available as fast as possible for selection, preprocessing and data transformation. In this research we investigate if IoT edge devices can be used with common DBMS proper configured in order to access data fast instead of working with Real Time DBMS. We will study what kind of transactions are needed in large IoT ecosystems and we will analyze the techniques of controlling concurrent access to common resources (stored data). For this purpose, we built a series of applications that are able to simulate concurrent writing operations to a common DBMS in order to investigate the performance of concurrent access to database resources. Another important procedure that will be tested with the developed applications will be to increase the availability of data for users and data mining applications. This will be achieved by using field indexing.

2023-01-13
Pali, Isha, Amin, Ruhul.  2022.  PortSec: Securing Port Knocking System using Sequence Mechanism in SDN Environment. 2022 International Wireless Communications and Mobile Computing (IWCMC). :1009–1014.
Port knocking provides an added layer of security on top of the existing security systems of a network. A predefined port knocking sequence is used to open the ports, which are closed by the firewall by default. The server determines the valid request if the knocking sequence is correct and opens the desired port. However, this sequence poses a security threat due to its static nature. This paper presents the port knock sequence-based communication protocol in the Software Defined network (SDN). It provides better management by separating the control plane and data plane. At the same time, it causes a communication overhead between the switches and the controller. To avoid this overhead, we are using the port knocking concept in the data plane without any involvement of the SDN controller. This study proposes three port knock sequence-based protocols (static, partial dynamic, and dynamic) in the data plane. To test the protocol in SDN environment, the P4 implementation of the underlying model is done in the BMV2 (behavioral model version 2) virtual switch. To check the security of the protocols, an informal security analysis is performed, which shows that the proposed protocols are secured to be implemented in the SDN data plane.
2023-01-20
Reijsbergen, Daniël, Maw, Aung, Venugopalan, Sarad, Yang, Dianshi, Tuan Anh Dinh, Tien, Zhou, Jianying.  2022.  Protecting the Integrity of IoT Sensor Data and Firmware With A Feather-Light Blockchain Infrastructure. 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC). :1–9.
Smart cities deploy large numbers of sensors and collect a tremendous amount of data from them. For example, Advanced Metering Infrastructures (AMIs), which consist of physical meters that collect usage data about public utilities such as power and water, are an important building block in a smart city. In a typical sensor network, the measurement devices are connected through a computer network, which exposes them to cyber attacks. Furthermore, the data is centrally managed at the operator’s servers, making it vulnerable to insider threats. Our goal is to protect the integrity of data collected by large-scale sensor networks and the firmware in measurement devices from cyber attacks and insider threats. To this end, we first develop a comprehensive threat model for attacks against data and firmware integrity, which can target any of the stakeholders in the operation of the sensor network. Next, we use our threat model to analyze existing defense mechanisms, including signature checks, remote firmware attestation, anomaly detection, and blockchain-based secure logs. However, the large size of the Trusted Computing Base and a lack of scalability limit the applicability of these existing mechanisms. We propose the Feather-Light Blockchain Infrastructure (FLBI) framework to address these limitations. Our framework leverages a two-layer architecture and cryptographic threshold signature chains to support large networks of low-capacity devices such as meters and data aggregators. We have fully implemented the FLBI’s end-to-end functionality on the Hyperledger Fabric and private Ethereum blockchain platforms. Our experiments show that the FLBI is able to support millions of end devices.
2023-05-12
Wang, Weiqiang.  2022.  Research on China's National Cultural Security Data Collection and Intelligent Analysis Framework in the New Era under the Networked Big Data. 2022 6th International Conference on Intelligent Computing and Control Systems (ICICCS). :786–789.
National cultural security has existed since ancient times, but it has become a focal proposition in the context of the times and real needs. From the perspective of national security, national cultural security is an important part of national security, and it has become a strategic task that cannot be ignored in defending national security. Cultural diversity and imbalance are the fundamental prerequisites for the existence of national cultural security. Finally, the artificial intelligence algorithm is used as the theoretical basis for this article, the connotation and characteristics of China's national cultural security theory; Xi Jinping's "network view"; network ideological security view. The fourth part is the analysis of the current cultural security problems, hazards and their root causes in our country.
ISSN: 2768-5330
2023-04-14
Sun, Yanling, Chen, Ning, Jiang, Tianjiao.  2022.  Research on Image Encryption based on Generalized M-J Set. 2022 IEEE 2nd International Conference on Electronic Technology, Communication and Information (ICETCI). :1165–1168.
With the rapid development of information technology, hacker invasion, Internet fraud and privacy disclosure and other events frequently occur, therefore information security issues become the focus of attention. Protecting the secure transmission of information has become a hot topic in today's research. As the carrier of information, image has the characteristics of vivid image and large amount of information. It has become an indispensable part of people's communication. In this paper, we proposed the key simulation analysis research based on M-J set. The research uses a complex iterative mapping to construct M set. On the basis of the constructed M set, the constructed Julia set is used to form the encryption key. The experimental results show that the generalized M-set has the characteristics of chaotic characteristic and initial value sensitivity, and the complex mapping greatly exaggerates the key space. The research on the key space based on the generalized M-J set is helpful to improve the effect of image encryption.
2023-02-03
Li, Zhiqiang, Han, Shuai.  2022.  Research on Physical Layer Security of MIMO Two-way Relay System. ICC 2022 - IEEE International Conference on Communications. :3311–3316.
MIMO system makes full use of the space dimension, in the era of increasingly tense spectrum resources, which greatly improves the spectrum efficiency and is one of the future communication support technologies. At the same time, considering the high cost of direct communication between the two parties in a long distance, the relay communication mode has been paid more and more attention. In relay communication network, each node connected by relay has different security levels. In order to forward the information of all nodes, the relay node has the lowest security permission level. Therefore, it is meaningful to study the physical layer security problem in MIMO two-way relay system with relay as the eavesdropper. In view of the above situation, this paper proposes the physical layer security model of MIMO two-way relay cooperative communication network, designs a communication matching grouping algorithm with low complexity and a two-step carrier allocation optimization algorithm, which improves the total security capacity of the system. At the same time, theoretical analysis and simulation verify the effectiveness of the proposed algorithm.
ISSN: 1938-1883
2023-01-13
Lobanok, Oleg, Promyslov, Vitaly, Semenkov, Kirill.  2022.  Safety-Driven Approach for Security Audit of I&C Systems of Nuclear Power Plants. 2022 International Conference on Industrial Engineering, Applications and Manufacturing (ICIEAM). :545–550.
In this paper, we tried to summarize the practical experience of information security audits of nuclear power plants' automated process control system (I&C). The article presents a methodology for auditing the information security of instrumentation and control systems for nuclear power plants. The methodology was developed taking into account international and national Russian norms and rules and standards. The audit taxonomy, classification lifecycle are described. The taxonomy of information security audits shows that form, objectives of the I&C information security audit, and procedures can vary widely. A conceptual program is considered and discussed in detail. The distinctive feature of the methodology is the mandatory consideration of the impact of information security on nuclear safety.