Biblio

Blockchain is a powerful and distributed platform for transactions which require a unified, resilient, transparent and consensus-based record keeping system. It has been applied to scenarios like smart city, supply chain, medical data storing and sharing, and etc. Many works have been done on improving the performance and security of such systems. However, there is a lack of the mechanism of identity binding when a human being is involved in corresponding physical world, i.e., if one is involved in an activity, his/her identity in the real world should be correctly reflected in the blockchain system. To mitigate this gap, we propose BlockID, a novel framework for people identity management that leverages biometric authentication and trusted computing technology. We also develop a prototype to demonstrate its feasibility in practice.

Since radio frequency identification (RFID) technology has been used in various scenarios such as supply chain, access control system and credit card, tremendous efforts have been made to improve the authentication between tags and readers to prevent potential attacks. Though effective in certain circumstances, these existing methods usually require a server to maintain a database of identity related information for every tag, which makes the system vulnerable to the SQL injection attack and not suitable for distributed environment. To address these problems, we now propose a novel blockchain-based mutual authentication security protocol. In this new scheme, there is no need for the trusted third parties to provide security and privacy for the system. Authentication is executed as an unmodifiable transaction based on blockchain rather than database, which applies to distributed RFID systems with high security demand and relatively low real-time requirement. Analysis shows that our protocol is logically correct and can prevent multiple attacks.

One of the biggest challenges for the Internet of Things (IoT) is to bridge the currently fragmented trust domains. The traditional PKI model relies on a common root of trust and does not fit well with the heterogeneous IoT ecosystem where constrained devices belong to independent administrative domains. In this work we describe a distributed trust model for the IoT that leverages the existing trust domains and bridges them to create end-to-end trust between IoT devices without relying on any common root of trust. Furthermore we define a new cryptographic primitive, denoted as obligation chain designed as a credit-based Blockchain with a built-in reputation mechanism. Its innovative design enables a wide range of use cases and business models that are simply not possible with current Blockchain-based solutions while not experiencing traditional blockchain delays. We provide a security analysis for both the obligation chain and the overall architecture and provide experimental tests that show its viability and quality.

The growing number of devices we interact with require a convenient yet secure solution for user identification, authorization and authentication. Current approaches are cumbersome, susceptible to eavesdropping and relay attacks, or energy inefficient. In this paper, we propose a body-guided communication mechanism to secure every touch when users interact with a variety of devices and objects. The method is implemented in a hardware token worn on user's body, for example in the form of a wristband, which interacts with a receiver embedded inside the touched device through a body-guided channel established when the user touches the device. Experiments show low-power (uJ/bit) operation while achieving superior resilience to attacks, with the received signal at the intended receiver through the body channel being at least 20dB higher than that of an adversary in cm range.

A beneficial botnet, which tries to cope with technology of malicious botnets such as peer to peer (P2P) networking and Domain Generation Algorithm (DGA), is discussed. In order to cope with such botnets' technology, we are developing a beneficial botnet as an anti-bot measure, using our previous beneficial bot. The beneficial botnet is a group of beneficial bots. The peer to peer (P2P) communication of malicious botnet is hard to detect by a single Intrusion Detection System (IDS). Our beneficial botnet has the ability to detect P2P communication, using collaboration of our beneficial bots. The beneficial bot could detect communication of the pseudo botnet which mimics malicious botnet communication. Our beneficial botnet may also detect communication using DGA. Furthermore, our beneficial botnet has ability to cope with new technology of new botnets, because our beneficial botnet has the ability to evolve, as same as malicious botnets.

The paper presents a new technique for the botnets' detection in the corporate area networks. It is based on the usage of the algorithms of the artificial immune systems. Proposed approach is able to distinguish benign network traffic from malicious one using the clonal selection algorithm taking into account the features of the botnet's presence in the network. An approach present the main improvements of the BotGRABBER system. It is able to detect the IRC, HTTP, DNS and P2P botnets.

Botnets represent a widely deployed framework for remotely infecting and controlling hundreds of networked computing devices for malicious ends. Traditionally detection of Botnets from network data using machine learning approaches is framed as an offline, supervised learning activity. However, in practice both normal behaviours and Botnet behaviours represent non-stationary processes in which there are continuous developments to both as new services/applications and malicious behaviours appear. This work formulates the task of Botnet detection as a streaming data task in which finite label budgets, class imbalance and incremental/online learning predominate. We demonstrate that effective Botnet detection is possible for label budgets as low as 0.5% when an active learning approach is adopted for genetic programming (GP) streaming data analysis. The full article appears as S. Khanchi et al., (2018) "On Botnet Detection with Genetic Programming under Streaming Data, Label Budgets and Class Imbalance" in Swarm and Evolutionary Computation, 39:139--140. https://doi.org/10.1016/j.swevo.2017.09.008

The IRC botnet is the earliest and most significant botnet group that has a significant impact. Its characteristic is to control multiple zombies hosts through the IRC protocol and constructing command control channels. Relevant research analyzes the large amount of network traffic generated by command interaction between the botnet client and the C&C server. Packet capture traffic monitoring on the network is currently a more effective detection method, but this information does not reflect the essential characteristics of the IRC botnet. The increase in the amount of erroneous judgments has often occurred. To identify whether the botnet control server is a homogenous botnet, dynamic network communication characteristic curves are extracted. For unequal time series, dynamic time warping distance clustering is used to identify the homologous botnets by category, and in order to improve detection. Speed, experiments will use SAX to reduce the dimension of the extracted curve, reducing the time cost without reducing the accuracy.

This chapter explores the relationship between the concept of emergence, the goal of theoretical completeness, and the Principle of Sufficient Reason. Samuel Alexander and C. D. Broad argued for limits to the power of scientific explanation. Chemical explanation played a central role in their thinking. After Schrödinger’s work in the 1920s their examples seem to fall flat. However, there are more general lessons from the emergentists that need to be explored. There are cases where we know that explanation of some phenomenon is impossible. What are the implications of known limits to the explanatory power of science, and the apparent ineliminability of brute facts for emergence? One lesson drawn here is that we must embrace a methodological rather than a metaphysical conception of the Principle of Sufficient Reason.

Interactive environments are more and more entering our daily life. Our homes are becoming increasingly smart and so do our working environments. Aiming to provide assistance that is not only suitable to the current situation, but as well for the involved individuals usually comes along with an increased scale of personal data being collected/requested and processed. While this may not be exceptionally critical as long as data does not leave one's smart home, circumstances change dramatically once smart home data is processed by cloud services, and, all the more, as soon as an interactive assistance system is operated by our employer who may have interest in exploiting the data beyond its original purpose, e. g. for secretly evaluating the work performance of his personnel. In this paper we discuss how a federated identity management could be augmented with distributed usage control and trusted computing technology so as to reliably arrange and enforce privacy-related requirements in externally operated interactive environments.

Security practitioners use the attack surface of software systems to prioritize areas of systems to test and analyze. To date, approaches for predicting which code artifacts are vulnerable have utilized a binary classification of code as vulnerable or not vulnerable. To better understand the strengths and weaknesses of vulnerability prediction approaches, vulnerability datasets with classification and severity data are needed. The goal of this paper is to help researchers and practitioners make security effort prioritization decisions by evaluating which classifications and severities of vulnerabilities are on an attack surface approximated using crash dump stack traces. In this work, we use crash dump stack traces to approximate the attack surface of Mozilla Firefox. We then generate a dataset of 271 vulnerable files in Firefox, classified using the Common Weakness Enumeration (CWE) system. We use these files as an oracle for the evaluation of the attack surface generated using crash data. In the Firefox vulnerability dataset, 14 different classifications of vulnerabilities appeared at least once. In our study, 85.3%
of vulnerable files were on the attack surface generated using crash data. We found no difference between the severity of vulnerabilities found on the attack surface generated using crash data and vulnerabilities not occurring on the attack surface. Additionally, we discuss lessons learned during the development of this vulnerability dataset.

There are different traditional approaches to handling a large number of computers or workstations in a campus setting, ranging from imaging to virtualized environments. The common factor among the traditional approaches is to have a user workstation with a local hard drive (nonvolatile storage), scratchpad volatile memory, a CPU (Central Processing Unit) and connectivity to access resources on the network. This paper presents the use of block streaming, normally used for storage, to serve operating system and applications on-demand over the network to a workstation, also referred to as a client, a client computer, or a client workstation. In order to avoid per seat licensing, an Open Source solution is used, and in order to minimize the field maintenance and meet security privacy constraints, a workstation need not have a permanent storage such as a hard disk drive. A complete blue print, based on performance analyses, is provided to determine the type of network architecture, servers, workstations per server, and minimum workstation configuration, suitable for supporting such a solution. The results of implementing the proposed solution campus wide, supporting more than 450 workstations, are presented as well.

In this paper, security of networked control system (NCS) under denial of service (DoS) attack is considered. Different from the existing literatures from the perspective of control systems, this paper considers a novel method of dynamic allocation of network bandwidth for NCS under DoS attack. Firstly, time-constrained DoS attack and its impact on the communication channel of NCS are introduced. Secondly, details for the proposed dynamic bandwidth allocation structure are presented along with an implementation, which is a bandwidth allocation strategy based on error between current state and equilibrium state and available bandwidth. Finally, a numerical example is given to demonstrate the effectiveness of the proposed bandwidth allocation approach.

The Business Intelligence (BI) paradigm is challenged by emerging use cases such as news and social media analytics in which the source data are unstructured, the analysis metrics are unspecified, and the appropriate visual representations are unsupported by mainstream tools. This case study documents the work undertaken in Microsoft Research to enable these use cases in the Microsoft Power BI product. Our approach comprises: (a) back-end pipelines that use AI to infer navigable data structures from streams of unstructured text, media and metadata; and (b) front-end representations of these structures grounded in the Visual Analytics literature. Through our creation of multiple end-to-end data applications, we learned that representing the varying quality of inferred data structures was crucial for making the use and limitations of AI transparent to users. We conclude with reflections on BI in the age of AI, big data, and democratized access to data analytics.

This paper presents the development and configuration of a virtually air-gapped cloud environment in AWS, to secure the production software workloads and patient data (ePHI) and to achieve HIPAA compliance.

The public key infrastructure (PKI) based authentication protocol provides the basic security services for vehicular ad-hoc networks (VANETs). However, trust and privacy are still open issues due to the unique characteristics of vehicles. It is crucial for VANETs to prevent internal vehicles from broadcasting forged messages while simultaneously protecting the privacy of each vehicle against tracking attacks. In this paper, we propose a blockchain-based anonymous reputation system (BARS) to break the linkability between real identities and public keys to preserve privacy. The certificate and revocation transparency is implemented efficiently using two blockchains. We design a trust model to improve the trustworthiness of messages relying on the reputation of the sender based on both direct historical interactions and indirect opinions about the sender. Experiments are conducted to evaluate BARS in terms of security and performance and the results show that BARS is able to establish distributed trust management, while protecting the privacy of vehicles.

To ensure reliable and predictable service in the electrical grid it is important to gauge the level of trust present within critical components and substations. Although trust throughout a smart grid is temporal and dynamically varies according to measured states, it is possible to accurately formulate communications and service level strategies based on such trust measurements. Utilizing an effective set of machine learning and statistical methods, it is shown that establishment of trust levels between substations using behavioral pattern analysis is possible. It is also shown that the establishment of such trust can facilitate simple secure communications routing between substations.

The U.S. power grid is a complex system of systems that requires a trustworthy, reliable, and secure global supply chain. A formidable challenge considering the increasing number of networked industrial control systems (ICS) and energy delivery systems (EDS) and growing number of intermediary distributors, vendors and integrators involved. Grid modernization has increased the use of “smart” energy devices that automate, digitize, network, and bring together the cyber-physical energy supply chain. In the current Energy Internet of Things (EIoT) environment, the growth of data speed and size requirements as well as the number of critical cyber assets has generated new North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) compliance requirements and cyber supply chain security challenges for vendors, regulators, and utilities. The issuance of Order No. 829 by the Federal Energy Regulatory Commission (FERC) instructed the North American Electric Reliability Corporation (NERC) to confront cybersecurity supply chain risk management for ICS software and hardware, as well as the networking and computing services associated with Bulk Electric System (BES) operations. To meet these goals, current technology and processes must be improved to better identify, monitor, and audit vulnerable EIoT environments. This paper examines how blockchain technology can enable NERC CIP compliance as well as aid in the security of the BES supply chain through an immutable cryptographically signed distributed ledger that allows for improved data security, provenance and auditability.

As a result of the globalization of integrated circuits (ICs) design and fabrication process, ICs are becoming vulnerable to hardware Trojans. Most of the existing hardware Trojan detection works suppose that the testing stage is trustworthy. However, testing parties may conspire with malicious attackers to modify the results of hardware Trojan detection. In this paper, we propose a trusted and robust hardware Trojan detection framework against untrustworthy testing parties exploiting a novel clustering ensemble method. The proposed technique can expose the malicious modifications on Trojan detection results introduced by untrustworthy testing parties. Compared with the state-of-the-art detection methods, the proposed technique does not require fabricated golden chips or simulated golden models. The experiment results on ISCAS89 benchmark circuits show that the proposed technique can resist modifications robustly and detect hardware Trojans with decent accuracy (up to 91%).

A mobile ad hoc network (MANET) is a collection of mobile nodes that do not need to rely on a pre-existing network infrastructure or centralized administration. Securing MANETs is a serious concern as current research on MANETs continues to progress. Each node in a MANET acts as a router, forwarding data packets for other nodes and exchanging routing information between nodes. It is this intrinsic nature that introduces the serious security issues to routing protocols. A black hole attack is one of the well-known security threats for MANETs. A black hole is a security attack in which a malicious node absorbs all data packets by sending fake routing information and drops them without forwarding them. In order to defend against a black hole attack, in this paper we propose a new threshold-based black hole attack prevention method using multiple RREPs. To investigate the performance of the proposed method, we compared it with existing methods. Our simulation results show that the proposed method outperforms existing methods from the standpoints of packet delivery rate, throughput, and routing overhead.

Mobile Adhoc networks are wireless adhoc networks that have property of self organizing, less infrastructure, multi hoping, which are designed to work under low power vulnerable environment. Due to its very unique characteristics, there is much chances of threat of malicious nodes within the network. Blackhole attack is a menace in MANETs which redirects all traffic to itself and drops it. This paper’s objective is to analyze the effects of blackhole attack under reactive routing protocol such as Adhoc on Demand Distance Vector routing (AODV). The performance of this protocol is assessed to find the vulnerability of attack and also compared the impact of attack on both AODV, AODV with blackhole and proposed AODV protocols. The analysis is done by simulated using NS- 2.35 and QoS parameters such as Throughput, PDR, and Average Energy Consumed are measured further.

Blockchain technology has brought a huge paradigm shift in multiple industries, by integrating distributed ledger, smart contracts and consensus protocol under the same roof. Notable applications of blockchain include cryptocurrencies and large-scale multi-party transaction management systems. The latter fits very well into the domain of manufacturing and supply chain management for Integrated Circuits (IC), which, despite several advanced technologies, is vulnerable to malicious practices, such as overproduction, IP piracy and deleterious design modification to gain unfair advantages. To combat these threats, researchers have proposed several ideas like hardware metering, design obfuscation, split manufacturing and watermarking. In this paper, we show, how these issues can be complementarily dealt with using blockchain technology coupled with identity-based encryption and physical unclonable functions, for improved resilience against certain adversarial motives. As part of our proposed blockchain protocol, titled `BLIC', we propose an authentication mechanism to secure both active and passive IC transactions, and a composite consensus protocol designed for IC supply chains. We also present studies on the security, scalability, privacy and anonymity of the BLIC protocol.

The Blockchain is an emerging paradigm that could solve security and trust issues for Internet of Things (IoT) platforms. We recently introduced in an IETF draft (“Blockchain Transaction Protocol for Constraint Nodes”) the BIoT paradigm, whose main idea is to insert sensor data in blockchain transactions. Because objects are not logically connected to blockchain platforms, controller entities forward all information needed for transaction forgery. Never less in order to generate cryptographic signatures, object needs some trusted computing resources. In previous papers we proposed the Four-Quater Architecture integrating general purpose unit (GPU), radio SoC, sensors/actuators and secure elements including TLS/DTLS stacks. These secure microcontrollers also manage crypto libraries required for blockchain operation. The BIoT concept has four main benefits: publication/duplication of sensors data in public and distributed ledgers, time stamping by the blockchain infrastructure, data authentication, and non repudiation.

The growing demand for safety in urban environments is supported by monitoring using video surveillance. The need to analyze multiple video-flows from different cameras deployed around the city by heterogeneous owners introduces vulnerabilities and privacy issues. Video frames, timestamps, and camera settings can be digitally manipulated by malicious users; the positions of cameras, their orientation and their mechanical settings can be physically manipulated. Digital and physical manipulations may have several effects, including the change of the observed scene and the potential violation of neighbors' privacy. To face these risks, we introduce BlockSee, a blockchain-based video surveillance system that jointly provides validation and immutability to camera settings and surveillance videos, making them readily available to authorized users in case of events. The encouraging results obtained with BlockSee pave the way to new distributed city-wide monitoring systems.

Approximate computing is an emerging paradigm where design accuracy can be traded off for benefits in design metrics such as design area, power consumption or circuit complexity. In this work, we present a novel paradigm to synthesize approximate circuits using Boolean matrix factorization (BMF). In our methodology the truth table of a sub-circuit of the design is approximated using BMF to a controllable approximation degree, and the results of the factorization are used to synthesize a less complex subcircuit. To scale our technique to large circuits, we devise a circuit decomposition method and a subcircuit design-space exploration technique to identify the best order for subcircuit approximations. Our method leads to a smooth trade-off between accuracy and full circuit complexity as measured by design area and power consumption. Using an industrial strength design flow, we extensively evaluate our methodology on a number of testcases, where we demonstrate that the proposed methodology can achieve up to 63% in power savings, while introducing an average relative error of 5%. We also compare our work to previous works in Boolean circuit synthesis and demonstrate significant improvements in design metrics for same accuracy targets.