Biblio

Found 4288 results

Filters: Keyword is security
2023-01-05
Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, Laurie Williams.  2022.  What are Weak Links in the npm Supply Chain? ICSE-SEIP '22: Proceedings of the 44th International Conference on Software Engineering: Software Engineering in Practice.

Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists in measuring npm supply chain weak link signals to prevent future supply chain attacks by empirically studying npm package metadata.

In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. One of our case studies identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts. We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak links signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.

2023-04-14
Yadav, Abhay Kumar, Vishwakarma, Virendra Prasad.  2022.  Adoptation of Blockchain of Things(BCOT): Oppurtunities & Challenges. 2022 IEEE International Conference on Blockchain and Distributed Systems Security (ICBDS). :1–5.
IoT has been an efficient technology for interconnecting different physical objects with the internet. Several cyber-attacks have resulted in compromise in security. Blockchain distributed ledger provides immutability that can answer IoT security concerns. The paper aims at highlighting the challenges & problems currently associated with IoT implementation in the real world and how these problems can be minimized by implementing Blockchain based solutions and smart contracts. Blockchain helps in creation of new highly robust IoT known as Blockchain of Things (BCoT). We will also examine presently employed projects working with integrating Blockchain & IoT together for creating desired solutions. We will also try to understand challenges & roadblocks preventing the further implementation of both technologies' merger.
2023-03-03
Islam, Ashhadul, Belhaouari, Samir Brahim.  2022.  Analysing keystroke dynamics using wavelet transforms. 2022 IEEE International Carnahan Conference on Security Technology (ICCST). :1–5.
Many smartphones are lost every year, with a meager percentage recovered. In many cases, users with malicious intent access these phones and use them to acquire sensitive data. There is a need for continuous monitoring and surveillance in smartphones, and keystroke dynamics play an essential role in identifying whether a phone is being used by its owner or an impersonator. Also, there is a growing need to replace expensive 2-tier authentication methods like One-time passwords (OTP) with cheaper and more robust methods. The methods proposed in this paper are applied to existing data and are proven to train more robust classifiers. A novel feature extraction method by wavelet transformation is demonstrated to convert keystroke data into features. The comparative study of classifiers trained on the extracted features vs. features extracted by existing methods shows that the processes proposed perform better than the state-of-art feature extraction methods.
ISSN: 2153-0742
2023-09-08
Yu, Gang, Li, Zhenyu.  2022.  Analysis of Current situation and Countermeasures of Performance Evaluation of Volunteers in Large-scale Games Based on Mobile Internet. 2022 8th Annual International Conference on Network and Information Systems for Computers (ICNISC). :88–91.
Using the methods of literature and interview, this paper analyzes the current situation of performance evaluation of volunteers in large-scale games based on mobile Internet. By analyzing the popularity of mobile Internet, the convenience of performance evaluation, and the security and privacy of performance evaluation, this paper demonstrates the necessity of performance evaluation of volunteers in large-scale games based on mobile Internet. This paper puts forward countermeasures for performance evaluation of volunteers in large-scale games based on mobile Internet.
2023-03-17
Liu, Qingyan, Albina, Erlito M..  2022.  Application of Face Recognition Technology in Mobile Payment. 2022 IEEE 12th International Conference on RFID Technology and Applications (RFID-TA). :217–219.
The current face recognition technology has rapidly come into the public life, from unlocking cell phone face to mobile payment, which has brought a lot of convenience to life. However, it is undeniable that it also brings security challenges. Based on this paper, we will discuss the risks of face recognition in the mobile payment and put forward relevant suggestions.
2023-02-03
Cheng, Jiujun, Hou, Mengnan, Zhou, MengChu, Yuan, Guiyuan, Mao, Qichao.  2022.  An Autonomous Vehicle Group Formation Method based on Risk Assessment Scoring. 2022 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech). :1–6.
Forming a secure autonomous vehicle group is extremely challenging since we have to consider threats and vulnerability of autonomous vehicles. Existing studies focus on communications among risk-free autonomous vehicles, which lack metrics to measure passenger security and cargo values. This work proposes a novel autonomous vehicle group formation method. We introduce risk assessment scoring to assess passenger security and cargo values, and propose an autonomous vehicle group formation method based on it. Our vehicle group is composed of a master node, and a number of core and border ones. Finally, the extensive simulation results show that our method is better than a Connectivity Prediction-based Dynamic Clustering model and a Low-InDependently clustering architecture in terms of node survival time, average change count of master nodes, and average risk assessment scoring.
2023-05-12
Zhu, Lu, Wei, Yehua, Jiang, Haoran, Long, Jing.  2022.  CAN FD Message Authentication Enhances Parallel in-vehicle Applications Security. 2022 2nd International Conference on Intelligent Technology and Embedded Systems (ICITES). :155–160.
Controller Area Network with Flexible Data-rate (CAN FD) has the advantages of high bandwidth and data field length to meet the higher communication requirements of parallel in-vehicle applications. If CAN FD is used without an authentication security mechanism, it easily suffers from masquerade attacks. Therefore, a two-stage method based on message authentication is proposed to enhance its security. In the first stage, an anti-exhaustive message exchange and comparison algorithm is proposed. After exchanging the message comparison sequence, the lower bound of the vehicle application and redundant message space is obtained. In the second stage, an enhanced round accumulation algorithm is proposed to enhance security, which adds Message Authentication Codes (MACs) to the redundant message space in a way of fewer accumulation rounds. Experimental examples show that the proposed two-stage approach enables both small-scale and large-scale parallel in-vehicle applications security to be enhanced. Among them, in the Adaptive Cruise Control Application (ACCA), when the laxity interval is 1300 μs, the total increased MACs is as high as 388 bits, and the number of accumulation rounds is as low as 40.
2023-08-17
Misbahuddin, Mohammed, Harish, Rashmi, Ananya, K.  2022.  Identity of Things (IDoT): A Preliminary Report on Identity Management Solutions for IoT Devices. 2022 IEEE International Conference on Public Key Infrastructure and its Applications (PKIA). :1–9.
The Internet of Things poses some of the biggest security challenges in the present day. Companies, users and infrastructures are constantly under attack by malicious actors. Increasingly, attacks are being launched by hacking into one vulnerable device and hence disabling entire networks resulting in great loss. A strong identity management framework can help better protect these devices by issuing a unique identity and managing the same through its lifecycle. Identity of Things (IDoT) is a term that has been used to describe the importance of device identities in IoT networks. Since the traditional identity and access management (IAM) solutions are inadequate in managing identities for IoT, the Identity of Things (IDoT) is emerging as the solution for issuance of Identities to every type of device within the IoT IAM infrastructure. This paper presents the survey of recent research works proposed in the area of device identities and various commercial solutions offered by organizations specializing in IoT device security.
2023-05-12
Hariharan, Sheela, Papadopoulos, Alessandro V., Nolte, Thomas.  2022.  On In-Vehicle Network Security Testing Methodologies in Construction Machinery. 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA). :1–4.

In construction machinery, connectivity delivers higher advantages in terms of higher productivity, lower costs, and most importantly safer work environment. As the machinery grows more dependent on internet-connected technologies, data security and product cybersecurity become more critical than ever. These machines have more cyber risks compared to other automotive segments since there are more complexities in software, larger after-market options, use more standardized SAE J1939 protocol, and connectivity through long-distance wireless communication channels (LTE interfaces for fleet management systems). Construction machinery also operates throughout the day, which means connected and monitored endlessly. Till today, construction machinery manufacturers are investigating the product cybersecurity challenges in threat monitoring, security testing, and establishing security governance and policies. There are limited security testing methodologies on SAE J1939 CAN protocols. There are several testing frameworks proposed for fuzz testing CAN networks according to [1]. This paper proposes security testing methods (Fuzzing, Pen testing) for in-vehicle communication protocols in construction machinery.

2023-01-05
Hammi, Badis, Idir, Mohamed Yacine, Khatoun, Rida.  2022.  A machine learning based approach for the detection of sybil attacks in C-ITS. 2022 23rd Asia-Pacific Network Operations and Management Symposium (APNOMS). :1–4.
Intrusion detection systems are vital for the sustainability of Cooperative Intelligent Transportation Systems (C-ITS), and the detection of sybil attacks is particularly challenging. In this work, we propose a novel approach for the detection of sybil attacks in C-ITS environments. We provide an evaluation of our approach using extensive simulations that rely on real traces, showing our detection approach's effectiveness.
2023-07-13
Zhang, Zhun, Hao, Qiang, Xu, Dongdong, Wang, Jiqing, Ma, Jinhui, Zhang, Jinlei, Liu, Jiakang, Wang, Xiang.  2022.  Real-Time Instruction Execution Monitoring with Hardware-Assisted Security Monitoring Unit in RISC-V Embedded Systems. 2022 8th Annual International Conference on Network and Information Systems for Computers (ICNISC). :192–196.

Embedded systems involve an integration of a large number of intellectual property (IP) blocks to shorten chip's time to market, in which, many IPs are acquired from the untrusted third-party suppliers. However, existing IP trust verification techniques cannot provide an adequate security assurance that no hardware Trojan was implanted inside the untrusted IPs. Hardware Trojans in untrusted IPs may cause processor program execution failures by tampering instruction code and return address. Therefore, this paper presents a secure RISC-V embedded system by integrating a Security Monitoring Unit (SMU), in which, instruction integrity monitoring by the fine-grained program basic blocks and function return address monitoring by the shadow stack are implemented, respectively. The hardware-assisted SMU is tested and validated that while CPU executes a CoreMark program, the SMU does not incur significant performance overhead on providing instruction security monitoring. And the proposed RISC-V embedded system satisfies good balance between performance overhead and resource consumption.

2023-07-11
Zhong, Fuli.  2022.  Resilient Control for Time-Delay Systems in Cyber-Physical Environment Using State Estimation and Switching Moving Defense. 2022 2nd International Conference on Computer Science, Electronic Information Engineering and Intelligent Control Technology (CEI). :204–212.
Cybersecurity for complex systems operating in cyber-physical environment is becoming more and more critical because of the increasing cyber threats and systems' vulnerabilities. Security by design is quite an important method to ensure the systems' normal operations and services supply. For the aim of coping with cyber-attack affections properly, this paper studies the resilient security control issue for time-varying delay systems in cyber-physical environment with state estimation and moving defense approach. Time-varying delay factor induced by communication and network transmission, or data acquisition and processing, or certain cyber-attacks, is considered. To settle the cyber-attacks from the perspective of system control, a dynamic system model considering attacks is presented, and the corresponding switched control model with time-varying delay against attacks is formulated. Then the state estimator for system states is designed to overcome the problem that certain states cannot be measured directly. Estimated states serve as the input of the resilient security controller. Sufficient conditions of the stability of the observer and control system are derived out with the Lyapunov stability analysis method jointly. A moving defense strategy based on anomaly detection and random switching is presented, in which an optimization problem for calculating the proper switching probability of each candidate actuator-controller pair is given. Simulation experimental results are shown to illustrate the effectiveness of the presented scheme.
2023-05-12
Harisa, Ardiawan Bagus, Trinanda, Rahmat, Candra, Oki, Haryanto, Hanny, Gamayanto, Indra, Setiawan, Budi Agus.  2022.  Time-based Performance Improvement for Early Detection of Conflict Potentials at the Central Java Regional Police Department. 2022 International Seminar on Application for Technology of Information and Communication (iSemantic). :210–216.

Early detection of conflict potentials around the community is vital for the Central Java Regional Police Department, especially in the Analyst section of the Directorate of Security Intelligence. Performance in carrying out early detection will affect the peace and security of the community. The performance of potential conflict detection activities can be improved using an integrated early detection information system by shortening the time after observation, report preparation, information processing, and analysis. Developed using Unified Process as a software life cycle, the obtained result shows the time-based performance variables of the officers are significantly improved, including observation time, report production, data finding, and document formatting.

2022-12-09
Alboqmi, Rami, Jahan, Sharmin, Gamble, Rose F..  2022.  Toward Enabling Self-Protection in the Service Mesh of the Microservice Architecture. 2022 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C). :133–138.
The service mesh is a dedicated infrastructure layer in a microservice architecture. It manages service-to-service communication within an application between decoupled or loosely coupled microservices (called services) without modifying their implementations. The service mesh includes APIs for security, traffic and policy management, and observability features. These features are enabled using a pre-defined configuration, which can be changed at runtime with human intervention. However, it has no autonomy to self-manage changes to the microservice application’s operational environment. A better configuration is one that can be customized according to environmental conditions during execution to protect the application from potential threats. This customization requires enabling self-protection mechanisms within the service mesh that evaluate the risk of environmental condition changes and enable appropriate configurations to defend the application from impending threats. In this paper, we design an assessment component into a service mesh that includes a security assurance case to define the threat model and dynamically assess the application given environment changes. We experiment with a demo application, Bookinfo, using an open-source service mesh platform, Istio, to enable self-protection. We consider certain parameters extracted from the service request as environmental conditions. We evaluate those parameters against the threat model and determine the risk of violating a security requirement for controlled and authorized information flow.
2022-04-18
Kholidy, Hisham A., Karam, Andrew, Sidoran, James L., Rahman, Mohammad A..  2021.  5G Core Security in Edge Networks: A Vulnerability Assessment Approach. 2021 IEEE Symposium on Computers and Communications (ISCC). :1–6.
The 5G technology will play a crucial role in global economic growth through numerous industrial developments. However, it is essential to ensure the security of these developed systems, while 5G brings unique security challenges. This paper contributes explicitly to the need for an effective Vulnerability Assessment Approach (VAA) to identify and assess the vulnerabilities in 5G networks in an accurate, scalable, and dynamic way. The proposed approach develops an optimized mechanism based on the Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS) to analyze the vulnerabilities in 5G Edge networks from the attacker perspective while considering the dynamic and scalable Edge properties. Furthermore, we introduce a cloud-based 5G Edge security testbed to test and evaluate the accuracy, scalability, and performance of the proposed VAA.
2022-09-30
Gatara, Maradona C., Mzyece, Mjumo.  2021.  5G Network and Haptic-Enabled Internet for Remote Unmanned Aerial Vehicle Applications: A Task-Technology Fit Perspective. 2021 IEEE AFRICON. :1–6.
Haptic communications and 5G networks in conjunction with AI and robotics will augment the human user experience by enabling real-time task performance via the control of objects remotely. This represents a paradigm shift from content delivery-based networks to task-oriented networks for remote skill set delivery. The transmission of user skill sets in remote task performance marks the advent of a haptic-enabled Internet of Skills (IoS), through which the transmission of touch and actuation sensations will be possible. In this proposed research, a conceptual Task-Technology Fit (TTF) model of a haptic-enabled IoS is developed to link human users and haptic-enabled technologies to technology use and task performance between master (control) and remote (controlled) domains to provide a Quality of Experience (QoE) and Quality of Task (QoT) oriented perspective of a Haptic Internet. Future 5G-enabled applications promise the high availability, security, fast reaction speeds, and reliability characteristics required for the transmission of human user skills over large geographical distances. The 5G network and haptic-enabled IoS considered in this research will support a number of critical applications. One such novel scenario in which a TTF of a Haptic Internet can be modelled is the use case of remote-controlled Unmanned Aerial Vehicles (UAVs). This paper is a contribution towards the realization of a 5G network and haptic-enabled QoE-QoT-centric IoS for augmented user task performance. Future empirical results of this research will be useful to understanding the role that varying degrees of a fit between context-specific task and technology characteristics play in influencing the impact of haptic-enabled technology use for real-time immersive remote UAV (drone) control task performance.
2022-03-01
Pollicino, Francesco, Ferretti, Luca, Stabili, Dario, Marchetti, Mirco.  2021.  Accountable and privacy-aware flexible car sharing and rental services. 2021 IEEE 20th International Symposium on Network Computing and Applications (NCA). :1–7.
The transportation sector is undergoing rapid changes to reduce pollution and increase life quality in urban areas. One of the most effective approaches is flexible car rental and sharing to reduce traffic congestion and parking space issues. In this paper, we envision a flexible car sharing framework where vehicle owners want to make their vehicles available for flexible rental to other users. The owners delegate the management of their vehicles to intermediate services under certain policies, such as municipalities or authorized services, which manage the due infrastructure and services that can be accessed by users. We investigate the design of an accountable solution that allows vehicle owners, who want to share their vehicles securely under certain usage policies, to control that delegated services and users comply with the policies. While monitoring users' behavior, our approach also takes care of users' privacy, preventing tracking or profiling procedures by other parties. Existing approaches put high trust assumptions on users and third parties, do not consider users' privacy requirements, or have limitations in terms of flexibility or applicability. We propose an accountable protocol that extends standard delegated authorizations and integrates it with Security Credential Management Systems (SCMS), while considering the requirements and constraints of vehicular networks. We show that the proposed approach represents a practical approach to guarantee accountability in realistic scenarios with acceptable overhead.
2022-07-14
Mittal, Sonam, Kaur, Prabhjot, Ramkumar, K.R..  2021.  Achieving Privacy and Security Using QR-Code through Homomorphic Encryption and Steganography. 2021 9th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO). :1–6.
Security is a most concerning matter for clients' data in today's emerging technological world in every field, like banking, management, retail, shopping, communication, education, etc. With the rise in cyber-crime due to the black hat community, there is always a need for a better way to secure the client's sensitive information. Security is the key point in online banking, as the threat of unapproved online access to a client's data is very significant and ultimately endangers the bank's reputation. More secure and powerful methods can allow a client to work with untrusted parties. The paper focuses on how a secure banking transaction system can work by using homomorphic encryption and steganography techniques. For data encryption, NTRU homomorphic encryption can be used, and to hide details through the QR code, a cover image can be embedded using steganography techniques.
2022-03-23
Khlobystova, Anastasiia O., Abramov, Maxim V..  2021.  Adaptation of the Multi-pass social Engineering Attack Model Taking into Account Informational Influence. 2021 XXIV International Conference on Soft Computing and Measurements (SCM). :49–51.
One of the measures to prevent multi-pass social engineering attacks is to identify the chains of users that are most susceptible to such attacks. The aim of the study is to combine a mathematical model for estimating the probability of success of the propagation of a multi-pass social engineering attack between users with a model for calculating information influence. Namely, it is proposed to include, in estimating the intensity of interactions between users (which is used in the model of the propagation of a multi-pass social engineering attack), an estimate of the power of influence actions of agents. The scientific significance of the work consists in the development of a mathematical structure for modeling the actions of an attacker-social engineer and creating a foundation for the subsequent analysis of the social graph of the organization's employees. The practical significance lies in the formation of opportunities for decision-makers. Therefore, they will be able to take more precise measures to increase the level of security of individual employees as well as of the organization generally.
2022-02-25
Cavalcanti, David, Carvalho, Ranieri, Rosa, Nelson.  2021.  Adaptive Middleware of Things. 2021 IEEE Symposium on Computers and Communications (ISCC). :1–6.
Middleware for IoT (Internet of Things) helps application developers face challenges, such as device heterogeneity, service interoperability, security and scalability. While extensively adopted nowadays, IoT middleware systems are static because, after deployment, updates are only possible by stopping the thing. Therefore, adaptive capabilities can improve existing solutions by allowing their dynamic adaptation to changes in the environmental conditions, evolve provided functionalities, or fix bugs. This paper presents AMoT, an adaptive publish/subscribe middleware for IoT whose design and implementation adopt software architecture principles and evolutive adaptation mechanisms. The experimental evaluation of AMoT helps to measure the impact of the proposed adaptation mechanisms while also comparing the performance of AMoT with a widely adopted MQTT (Message Queuing Telemetry Transport) based middleware. In the end, adaptation has an acceptable performance cost and the advantage of tuning the middleware functionality at runtime.
2022-03-02
Liu, Yongchao, Zhu, Qidan.  2021.  Adaptive Neural Network Asymptotic Tracking for Nonstrict-Feedback Switched Nonlinear Systems. 2021 International Conference on Security, Pattern Analysis, and Cybernetics(SPAC). :25–30.
This paper develops an adaptive neural network (NN) asymptotic tracking control scheme for nonstrict-feedback switched nonlinear systems with unknown nonlinearities. The NNs are used to dispose the unknown nonlinearities. Different from the published results, the asymptotic convergence character is achieved based on the bound estimation method. By combining some smooth functions with the adaptive backstepping scheme, the asymptotic tracking control strategy is presented. It is proved that the fabricated scheme can guarantee that the system output can asymptotically follow the desired signal, and also that all signals of the entire system are bounded. The validity of the devised scheme is evaluated by a simulation example.
2022-09-16
Mukeshimana, C., Kupriyanov, M. S..  2021.  Adaptive Neuro-fuzzy System (ANFIS) of Information Interaction in Industrial Internet of Things Networks Taking into Account Load Balancing. 2021 II International Conference on Neural Networks and Neurotechnologies (NeuroNT). :43–46.
The main aim of the Internet of things is to improve the safety of the device through inter-Device communication (IDC). Various applications are emerging in Internet of things. Various aspects of Internet of things differ from Internet of things, especially the nodes have more velocity which causes the topology to change rapidly. The requirement of researches in the concept of Internet of things increases rapidly because Internet of things face many challenges on the security, protocols and technology. Despite the fact that the problem of organizing the interaction of IIoT devices has already attracted a lot of attention from many researchers, current research on routing in IIoT cannot effectively solve the problem of data exchange in a self-adaptive and self-organized way, because the number of connected devices is quite large. In this article, an adaptive neuro-fuzzy clustering algorithm is presented for the uniform distribution of load between interacting nodes. We synthesized fuzzy logic and neural network to balance the choice of the optimal number of cluster heads and uniform load distribution between sensors. Comparison is made with other load balancing methods in such wireless sensor networks.
2022-05-05
Mohammmed, Ahmed A, Elbasi, Ersin, Alsaydia, Omar Mowaffak.  2021.  An Adaptive Robust Semi-blind Watermarking in Transform Domain Using Canny Edge Detection Technique. 2021 44th International Conference on Telecommunications and Signal Processing (TSP). :10–14.
Digital watermarking is the multimedia leading security protection as it permanently escorts the digital content. Image copyright protection is becoming more anxious as the new 5G technology emerged. Protecting images with a robust scheme without distorting them is the main trade-off in digital watermarking. In this paper, a watermarking scheme based on discrete cosine transform (DCT) and singular value decomposition (SVD) using canny edge detector technique is proposed. A binary encrypted watermark is reshaped into a vector and inserted into the edge detected vector from the diagonal matrix of the SVD of DCT DC and low-frequency coefficients. Watermark insertion is performed by using an edge-tracing mechanism. The scheme is evaluated using the Peak Signal to Noise Ratio (PSNR) and Normalized Correlation (NC). Attained results are competitive when compared to present works in the field. Results show that the PSNR values vary from 51 dB to 55 dB.
2022-06-06
Lin, Kunli, Xia, Haojun, Zhang, Kun, Tu, Bibo.  2021.  AddrArmor: An Address-based Runtime Code-reuse Attack Mitigation for Shared Objects at the Binary-level. 2021 IEEE Intl Conf on Parallel Distributed Processing with Applications, Big Data Cloud Computing, Sustainable Computing Communications, Social Computing Networking (ISPA/BDCloud/SocialCom/SustainCom). :117–124.
The widespread adoption of DEP has made most modern attacks follow the same general steps: Attackers try to construct code-reuse attacks by using vulnerable indirect branch instructions in shared objects after successful exploits on memory vulnerabilities. In response to code-reuse attacks, researchers have proposed a large number of defenses. However, most of them require access to source code and/or specific hardware features. These limitations hinder the deployment of these defenses much. In this paper, we propose an address-based code-reuse attack mitigation for shared objects at the binary-level. We emphasize that the execution of indirect branch instruction must follow several principles we propose. More specifically, we first reconstruct function boundaries at the program’s dynamic-linking stage by combining shared object’s dynamic symbols with binary-level instruction analysis. We then leverage static instrumentation to hook vulnerable indirect branch instructions to a novel target address computation and validation routine. At runtime, AddrArmor will protect against code-reuse attacks based on the computed target address. Our experimental results show that AddrArmor provides a strong line of defense against code reuse attacks, and has an acceptable performance overhead of about 6.74% on average using SPEC CPU 2006.
2022-02-08
Rodríguez-Baeza, Juan-Antonio, Magán-Carrión, Roberto, Ruiz-Villalobos, Patricia.  2021.  Advances on Security in Ad Hoc Networks: A preliminary analysis. 2021 16th Iberian Conference on Information Systems and Technologies (CISTI). :1–5.
Today we live in a hyper-connected world, where a large amount of applications and services are supported by ad hoc networks. They have a decentralized management, are flexible and versatile but their characteristics are in turn their main weaknesses. This work introduces a preliminary analysis of the evolution, trends and the state of the art in the context of the security in ad hoc networks. To this end, two different methodologies are applied: a bibliometric analysis and a Systematic Literature Review. Results show that security in MANETs and VANETs are still an appealing research field. In addition, we realized that there is no clear separation of solutions by line of defense. This is because they are sometimes misclassified by the authors or simply there is no line of defense that totally fit well with the proposed solution. Because of that, new taxonomies including novel definitions of lines of defense are needed. In this work, we propose the use of tolerant or survivable solutions which are the ones that preserve critical system or network services in presence of fault, malfunctions or attacks.