Biblio

Despite decades of research on the Internet security, we constantly hear about mega data breaches and malware infections affecting hundreds of millions of hosts. The key reason is that the current threat model of the Internet relies on two assumptions that no longer hold true: (1) Web servers, hosting the content, are secure, (2) each Internet connection starts from the original content provider and terminates at the content consumer. Internet security is today merely patched on top of the TCP/IP protocol stack. In order to achieve comprehensive security for the Internet, we believe that a clean-slate approach must be adopted where a content based security model is employed. Named Data Networking (NDN) is a step in this direction which is envisioned to be the next generation Internet architecture based on a content centric communication model. NDN is currently being designed with security as a key requirement, and thus to support content integrity, authenticity, confidentiality and privacy. However, in order to meet such a requirement, one needs to overcome several challenges, especially in either large operational environments or resource constrained networks. In this paper, we explore the security challenges in achieving comprehensive content security in NDN and propose a research agenda to address some of the challenges.

Combining conventional power networks and information communication technologies forms smart grid concept. Researches on the evolution of conventional power grid system into smart grid continue thanks to the development of communication and information technologies hopefully. Testing of smart grid systems is usually performed in simulation environments. However, achieving more effective real-world implementations, a smart grid application needs a real-world test environment, called testbed. Smart grid, which is the combination of conventional electricity line with information communication technologies, is vulnerable to cyber-attacks and this is a key challenge improving the smart grid. The vulnerabilities to cyber-attacks in smart grid arise from information communication technologies' nature inherently. Testbeds, which cyber-security researches and studies can be performed, are needed to find effective solutions against cyber-attacks capabilities in smart grid practices. In this paper, an evaluation of existing smart grid testbeds with the capability of cyber security is presented. First, background, domains, research areas and security issues in smart grid are introduced briefly. Then smart grid testbeds and features are explained. Also, existing security-oriented testbeds and cyber-attack testing capabilities of testbeds are evaluated. Finally, we conclude the study and give some recommendations for security-oriented testbed implementations.

This work explores attack and attacker profiles using a VoIP-based Honeypot. We implemented a low interaction honeypot environment to identify the behaviors of the attackers and the services most frequently used. We watched honeypot for 180 days and collected 242.812 events related to FTP, SIP, MSSQL, MySQL, SSH, SMB protocols. The results provide an in-depth analysis about both attacks and attackers profile, their tactics and purposes. It also allows understanding user interaction with a vulnerable honeypot environment.

With the pervasiveness of the Internet of Things (IoT) and the rapid progress of wireless communications, Wireless Body Area Networks (WBANs) have attracted significant interest from the research community in recent years. As a promising networking paradigm, it is adopted to improve the healthcare services and create a highly reliable ubiquitous healthcare system. However, the flourish of WBANs still faces many challenges related to security and privacy preserving. In such pervasive environment where the context conditions dynamically and frequently change, context-aware solutions are needed to satisfy the users' changing needs. Therefore, it is essential to design an adaptive access control scheme that can simultaneously authorize and authenticate users while considering the dynamic context changes. In this paper, we propose a context-aware access control and anonymous authentication approach based on a secure and efficient Hybrid Certificateless Signcryption (H-CLSC) scheme. The proposed scheme combines the merits of Ciphertext-Policy Attribute-Based Signcryption (CP-ABSC) and Identity-Based Broadcast Signcryption (IBBSC) in order to satisfy the security requirements and provide an adaptive contextual privacy. From a security perspective, it achieves confidentiality, integrity, anonymity, context-aware privacy, public verifiability, and ciphertext authenticity. Moreover, the key escrow and public key certificate problems are solved through this mechanism. Performance analysis demonstrates the efficiency and the effectiveness of the proposed scheme compared to benchmark schemes in terms of functional security, storage, communication and computational cost.

The concept of cyber-physical production systems is highly discussed amongst researchers and industry experts, however, the implementation options for these systems rely mainly on obsolete technologies. Despite the fact that the blockchain is most often associated with cryptocurrency, it is fundamentally wrong to deny the universality of this technology and the prospects for its application in other industries. For example, in the insurance sector or in a number of identity verification services. This article discusses the deployment of the CPPS backbone network based on the Ethereum private blockchain system. The structure of the network is described as well as its interaction with the help of smart contracts, based on the consumption of cryptocurrency for various operations.

The Android mobile platform supports billions of devices across more than 190 countries around the world. This popularity coupled with user data collection by Android apps has made privacy protection a well-known challenge in the Android ecosystem. In practice, app producers provide privacy policies disclosing what information is collected and processed by the app. However, it is difficult to trace such claims to the corresponding app code to verify whether the implementation is consistent with the policy. Existing approaches for privacy policy alignment focus on information directly accessed through the Android platform (e.g., location and device ID), but are unable to handle user input, a major source of private information. In this paper, we propose a novel approach that automatically detects privacy leaks of user-entered data for a given Android app and determines whether such leakage may violate the app's privacy policy claims. For evaluation, we applied our approach to 120 popular apps from three privacy-relevant app categories: finance, health, and dating. The results show that our approach was able to detect 21 strong violations and 18 weak violations from the studied apps.

Cyber-physical systems (CPS) consist of sensors, actuators, and controllers all communicating over a network; if any subset becomes compromised, an attacker could cause significant damage. With access to data logs and a model of the CPS, the physical effects of an attack could potentially be detected before any damage is done. Manually building a model that is accurate enough in practice, however, is extremely difficult. In this paper, we propose a novel approach for constructing models of CPS automatically, by applying supervised machine learning to data traces obtained after systematically seeding their software components with faults ("mutants"). We demonstrate the efficacy of this approach on the simulator of a real-world water purification plant, presenting a framework that automatically generates mutants, collects data traces, and learns an SVM-based model. Using cross-validation and statistical model checking, we show that the learnt model characterises an invariant physical property of the system. Furthermore, we demonstrate the usefulness of the invariant by subjecting the system to 55 network and code-modification attacks, and showing that it can detect 85% of them from the data logs generated at runtime.

In rural/remote areas, resource constrained smart micro-grid (RCSMG) architectures can offer a cost-effective power management and supply alternative to national power grid connections. RCSMG architectures handle communications over distributed lossy networks to minimize operation costs. However, the unreliable nature of lossy networks makes privacy an important consideration. Existing anonymisation works on data perturbation work mainly by distortion with additive noise. Apply these solutions to RCSMGs is problematic, because deliberate noise additions must be distinguishable both from system and adversarial generated noise. In this paper, we present a brief survey of privacy risks in RCSMGs centered on inference, and propose a method of mitigating these risks. The lesson here is that while RCSMGs give users more control over power management and distribution, good anonymisation is essential to protecting personal information on RCSMGs.

SQL injection is well known a method of executing SQL queries and retrieving sensitive information from a website connected database. This process poses a threat to those applications which are poorly coded in the today's world. SQL is considered as one of the top 10 vulnerabilities even in 2018. To keep a track of the vulnerabilities that each of the websites are facing, we employ a tool called Acunetix which allows us to find the vulnerabilities of a specific website. This tool also suggests measures on how to ensure preventive measures. Using this implementation, we discover vulnerabilities in an actual website. Such a real-world implementation would be useful for instructional use in a foundational cybersecurity course.

Self-assembled semiconductor quantum dots possess an intrinsic geometric symmetry due to the crystal periodic structure. In order to systematically analyze the symmetric properties of quantum dots' bound states resulting only from geometric confinement, we apply group representation theory. We label each bound state for two kinds of popular quantum dot shapes: pyramid and half ellipsoid with the irreducible representation of the corresponding symmetric groups, i.e., C4v and C2v, respectively. Our study completes all the possible irreducible representation cases of groups C4v and C2v. Using the character theory of point groups, we predict the selection rule for electric dipole induced transitions. We also investigate the impact of quantum dot aspect ratio on the symmetric properties of the state wavefunction. This research provides a solid foundation to continue exploring quantum dot symmetry reduction or broken phenomena because of strain, band-mixing and shape irregularity. The results will benefit the researchers who are interested in quantum dot symmetry related effects such as absorption or emission spectra, or those who are studying quantum dots using analytical or numerical simulation approaches.

The increasing amount of malware variants seen in the wild is causing problems for Antivirus Software vendors, unable to keep up by creating signatures for each. The methods used to develop a signature, static and dynamic analysis, have various limitations. Machine learning has been used by Antivirus vendors to detect malware based on the information gathered from the analysis process. However, adversarial examples can cause machine learning algorithms to miss-classify new data. In this paper we describe a method for malware analysis by converting malware binaries to images and then preparing those images for training within a Generative Adversarial Network. These unsupervised deep neural networks are not susceptible to adversarial examples. The conversion to images from malware binaries should be faster than using dynamic analysis and it would still be possible to link malware families together. Using the Generative Adversarial Network, malware detection could be much more effective and reliable.

Large enterprises and organizations from both private and public sectors typically outsource a platform solution, as part of the Managed Security Services (MSSs), from 3rd party providers (MSSPs) to monitor and analyze their data containing cyber security information. Sharing such data among these large entities is believed to improve their effectiveness and efficiency at tackling cybercrimes, via improved analytics and insights. However, MSS platform customers currently are not able or not willing to share data among themselves because of multiple reasons, including privacy and confidentiality concerns, even when they are using the same MSS platform. Therefore any proposed mechanism or technique to address such a challenge need to ensure that sharing is achieved in a secure and controlled way. In this paper, we propose a new architecture and use case driven designs to enable confidential, flexible and collaborative data sharing among such organizations using the same MSS platform. MSS platform is a complex environment where different stakeholders, including authorized MSSP personnel and customers' own users, have access to the same platform but with different types of rights and tasks. Hence we make every effort to improve the usability of the platform supporting sharing while keeping the existing rights and tasks intact. As an innovative and pioneering attempt to address the challenge of data sharing in the MSS platform, we hope to encourage further work to follow so that confidential and collaborative sharing eventually happens among MSS platform customers.

Lately, we are facing the Malware crisis due to various types of malware or malicious programs or scripts available in the huge virtual world - the Internet. But, what is malware? Malware can be a malicious software or a program or a script which can be harmful to the user's computer. These malicious programs can perform a variety of functions, including stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions and monitoring users' computer activity without their permission. There are various entry points for these programs and scripts in the user environment, but only one way to remove them is to find them and kick them out of the system which isn't an easy job as these small piece of script or code can be anywhere in the user system. This paper involves the understanding of different types of malware and how we will use Machine Learning to detect these malwares.

Autonomous systems are gaining momentum in various application domains, such as autonomous vehicles, autonomous transport robotics and self-adaptation in smart homes. Product liability regulations impose high standards on manufacturers of such systems with respect to dependability (safety, security and privacy). Today's conventional engineering methods are not adequate for providing guarantees with respect to dependability requirements in a cost-efficient manner, e.g. road tests in the automotive industry sum up millions of miles before a system can be considered sufficiently safe. System engineers will no longer be able to test and respectively formally verify autonomous systems during development time in order to guarantee the dependability requirements in advance. In this vision paper, we introduce a new holistic software systems engineering approach for autonomous systems, which integrates development time methods as well as operation time techniques. With this approach, we aim to give the users a transparent view of the confidence level of the autonomous system under use with respect to the dependability requirements. We present already obtained results and point out research goals to be addressed in the future.

Privacy preservation on social networks is nowadays a societal issue. In this paper, our contributions are to establish such a model for privacy preservation. We use differential privacy for personal privacy analysis and measurement. Our conclusion is that privacy could be measured and preserved if the corresponding approaches could be taken.

Privacy preservation on social networks is nowadays a societal issue. In this paper, our contributions are to establish such a model for privacy preservation. We use differential privacy for personal privacy analysis and measurement. Our conclusion is that privacy could be measured and preserved if the corresponding approaches could be taken.

In this paper, a multi-objective particle swarm optimization (MOPSO)-based framework is presented to find the multiple solutions rather than a single one. The presented grid-based algorithm is used to assign the probability of the non-dominated solution for next iteration. Based on the designed algorithm, it is unnecessary to pre-define the weights of the side effects for evaluation but the non-dominated solutions can be discovered as an alternative way for data sanitization. Extensive experiments are carried on two datasets to show that the designed grid-based algorithm achieves good performance than the traditional single-objective evolution algorithms.

The numerical analysis of transient quantum effects in heterostructure devices with conventional numerical methods tends to pose problems. To overcome these limitations, a novel numerical scheme for the transient non-equilibrium solution of the quantum Liouville equation utilizing a finite volume discretization technique is proposed. Additionally, the solution with regard to the stationary regime, which can serve as a reference solution, is inherently included within the discretization scheme for the transient regime. Resulting in a highly oscillating interference pattern of the statistical density matrix as well in the stationary as in the transient regime, the reflecting nature of the conventional boundary conditions can be an additional source of error. Avoiding these non-physical reflections, the concept of a complex absorbing potential used for the Schrödinger equation is utilized to redefine the drift operator in order to render open boundary conditions for quantum transport equations. Furthermore, the method allows the application of the commonly used concept of inflow boundary conditions.

Many governments organizations in Libya have started transferring traditional government services to e-government. These e-services will benefit a wide range of public. However, deployment of e-government bring many new security issues. Attackers would take advantages of vulnerabilities in these e-services and would conduct cyber attacks that would result in data loss, services interruptions, privacy loss, financial loss, and other significant loss. The number of vulnerabilities in e-services have increase due to the complexity of the e-services system, a lack of secure programming practices, miss-configuration of systems and web applications vulnerabilities, or not staying up-to-date with security patches. Unfortunately, there is a lack of study being done to assess the current security level of Libyan government websites. Therefore, this study aims to assess the current security of 16 Libyan government websites using penetration testing framework. In this assessment, no exploits were committed or tried on the websites. In penetration testing framework (pen test), there are four main phases: Reconnaissance, Scanning, Enumeration, Vulnerability Assessment and, SSL encryption evaluation. The aim of a security assessment is to discover vulnerabilities that could be exploited by attackers. We also conducted a Content Analysis phase for all websites. In this phase, we searched for security and privacy policies implementation information on the government websites. The aim is to determine whether the websites are aware of current accepted standard for security and privacy. From our security assessment results of 16 Libyan government websites, we compared the websites based on the number of vulnerabilities found and the level of security policies. We only found 9 websites with high and medium vulnerabilities. Many of these vulnerabilities are due to outdated software and systems, miss-configuration of systems and not applying the latest security patches. These vulnerabilities could be used by cyber hackers to attack the systems and caused damages to the systems. Also, we found 5 websites didn't implement any SSL encryption for data transactions. Lastly, only 2 websites have published security and privacy policies on their websites. This seems to indicate that these websites were not concerned with current standard in security and privacy. Finally, we classify the 16 websites into 4 safety categories: highly unsafe, unsafe, somewhat unsafe and safe. We found only 1 website with a highly unsafe ranking. Based on our finding, we concluded that the security level of the Libyan government websites are adequate, but can be further improved. However, immediate actions need to be taken to mitigate possible cyber attacks by fixing the vulnerabilities and implementing SSL encryption. Also, the websites need to publish their security and privacy policy so the users could trust their websites.

In this paper, We propose DNA sticker model based algorithm, a computability model, which is a simulation of the parallel computations using the Molecular computing as in Adelman's DNA computing experiment, it demonstrates how to use a sticker-based model to design a simple DNA-based algorithm for attacking a linear and a non-linear feedback shift register (FSR) based stream cipher. The algorithm first construct the TEST TUBE contains all overall solution space of memory complexes for the cipher and initials of registers via the sticker-based model. Then, with biological operations, separate and combine, we remove those which encode illegal plain and key stream from the TEST TUBE of memory complexes, the decision based on verifying a key stream bit this bit represented by output of LFSRs equation. The model anticipates two basic groups of single stranded DNA molecules in its representation one of a genetic bases and second of a bit string, It invests parallel search into the space of solutions through the possibilities of DNA computing and makes use of the method of cryptanalysis of algebraic code as a decision technique to accept the solution or not, and their operations are repeated until one solution or limited group of solutions is reached. The main advantages of the suggested algorithm are limited number of cipher characters, and finding one exact solution The present work concentrates on showing the applicability of DNA computing concepts as a powerful tool in breaking cryptographic systems.

Networks have evolved very rapidly, which allow secret data transformation speedily through the Internet. However, the security of secret data has posed a serious threat due to openness of these networks. Thus, researchers draw their attention on cryptography field for this reason. Due to the traditional cryptographic techniques which are vulnerable to intruders nowadays. Deoxyribonucleic Acid (DNA) considered as a promising technology for cryptography field due to extraordinary data density and vast parallelism. With the help of the various DNA arithmetic and biological operations are also Blum Blum Shub (BBS) generator, a multi-level of DNA encryption algorithm is proposed here. The algorithm first uses the dynamic key generation to encrypt sensitive information as a first level; second, it uses BBS generator to generate a random DNA sequence; third, the BBS-DNA sequence spliced with a DNA Gen Bank reference to produce a new DNA reference. Then, substitution, permutation, and dynamic key are used to scramble the new DNA reference nucleotides locations. Finally, for further enhanced security, an injective mapping is established to combine encrypted information with encrypted DNA reference using Knight tour movement in Hadamard matrix. The National Institute of Standard and Technology (NIST) tests have been used to test the proposed algorithm. The results of the tests demonstrate that they effectively passed all the randomness tests of NIST which means they can effectively resist attack operations.

An advanced metering infrastructure (AMI) allows real-time fine-grained monitoring of the energy consumption data of individual consumers. Collected metering data can be used for a multitude of applications. For example, energy demand forecasting, based on the reported fine-grained consumption, can help manage the near future energy production. However, fine- grained metering data reporting can lead to privacy concerns. It is, therefore, imperative that the utility company receives the fine-grained data needed to perform the intended demand response service, without learning any sensitive information about individual consumers. In this paper, we propose an anonymous privacy preserving fine-grained data aggregation scheme for AMI networks. In this scheme, the utility company receives only the distribution of the energy consumption by the consumers at different time slots. We leverage a network tree topology structure in which each smart meter randomly reports its energy consumption data to its parent smart meter (according to the tree). The parent node updates the consumption distribution and forwards the data to the utility company. Our analysis results show that the proposed scheme can preserve the privacy and security of individual consumers while guaranteeing the demand response service.

Wearable smart sensing devices presently become more and more popular in people's daily life, which also brings serious problems related to personal data privacy. In order to provide users better experiences, wearable smart sensing devices are collecting users' personal data all the time and uploading the data to service provider to get computing services, which objectively let service provider master each user's condition and cause a lot of problems such as spam, harassing call, etc. This paper designs a blockchain based scheme to solve such problems by cutting off the association between user identifier and its sensing data from perspective of shielding service providers and adversaries. Firstly, privacy requirements and situations in smart sensing area are reviewed. Then, three key technologies are introduced in the scheme including its theories, purposes and usage. Next, the designed protocol is shown and analyzed in detail. Finally, security analysis and engineering feasibility of the scheme are given. This scheme will give user better experience from privacy protection perspective in smart sensing area.

An exciting network called smart IoT has great potential to improve the level of our daily activities and the communication. Source location privacy is one of the critical problems in the wireless sensor network (WSN). Privacy protections, especially source location protection, prevent sensor nodes from revealing valuable information about targets. In this paper, we first discuss about the current security architecture and attack modes. Then we propose a scheme based on cloud for protecting source location, which is named CPSLP. This proposed CPSLP scheme transforms the location of the hotspot to cause an obvious traffic inconsistency. We adopt multiple sinks to change the destination of packet randomly in each transmission. The intermediate node makes routing path more varied. The simulation results demonstrate that our scheme can confuse the detection of adversary and reduce the capture probability.

Wireless Sensor Networks (WSNs) are used in sensitive applications such as in asset monitoring applications. Due to the sensitivity of information in these applications, it is important to ensure that flow of data between sensor nodes is secure and does not expose any information about the source node or the monitored assets. This paper proposes a scheme to preserve the source location privacy based on random routing techniques. To achieve high privacy, the proposed scheme randomly sends packet to sink node through tactically positioned agent nodes. The position of agent nodes is designed to guarantee that successive packets are routed through highly random and perplexing routing paths as compared to other routing schemes. Simulation results demonstrate that proposed scheme provides longer safety period and higher privacy against both, patient and cautious adversaries.