Biblio

Process anomaly is used for detecting cyber-physical attacks on critical infrastructure such as plants for water treatment and electric power generation. Identification of process anomaly is possible using rules that govern the physical and chemical behavior of the process within a plant. These rules, often referred to as invariants, can be derived either directly from plant design or from the data generated in an operational. However, for operational legacy plants, one might consider a data-centric approach for the derivation of invariants. The study reported here is a comparison of design-centric and data-centric approaches to derive process invariants. The study was conducted using the design of, and the data generated from, an operational water treatment plant. The outcome of the study supports the conjecture that neither approach is adequate in itself, and hence, the two ought to be integrated.

Honeynet is deployed to trap attackers and learn their behavior patterns and motivations. Conventional honeynet is implemented by dedicated hardware and software. It suffers from inflexibility, high CAPEX and OPEX. There have been several virtualized honeynet architectures to solve those problems. But they lack a standard operating environment and common architecture for dynamic scheduling and adaptive resource allocation. Software Defined Security (SDS) framework has a centralized control mechanism and intelligent decision making ability for different security functions. In this paper, we present a new intelligent honeynet architecture based on SDS framework. It implements security functions over Network Function Virtualization Infrastructure (NFVI). Under uniform and intelligent control, security functional modules can be dynamically deployed and collaborated to complete different tasks. It migrates resources according to the workloads of each honeypot and power off unused modules. Simulation results show that intelligent honeynet has a better performance in conserving resources and reducing energy consumption. The new architecture can fit the needs of future honeynet development and deployment.

The performance evaluation of distribution network operators is essential for the electrical utilities to know how prepared the operators are to execute their operation standards and rules, searching for minimizing the time of power outage, after some contingency. The performance of operators can be evaluated by the impact of their actions on several technical and economic indicators of the distribution system. This issue is a complex problem, whose solution involves necessarily some expertise and a multi-criteria evaluation. This paper presents a Tutorial Expert System (TES) for performance evaluation of electrical distribution network operators after a given contingency in the electrical network. The proposed TES guides the evaluation process, taking into account technical, economic and personal criteria, aiding the quantification of these criteria. A case study based on real data demonstrates the applicability of the performance evaluation procedure of distribution network operators.

This electronic document is a “live” template and already defines the components of your paper [title, text, heads, etc.] in its style sheet. The paper considers the possibility and necessity of using in modern control and training systems with a natural language interface methods and mechanisms, characteristic for knowledge processing systems. This symbiosis assumes the introduction of specialized inference machines into the testing systems. For the effective operation of such an intelligent interpreter, it is necessary to “translate” the user's answers into one of the known forms of the knowledge representation, for example, into the expressions (rules) of the first-order predicate calculus. A lexical processor, performing morphological, syntactic and semantic analysis, solves this task. To simplify further work with the rules, the Skolem-transformation is used, which allows to get rid of quantifiers and to present semantic structures in the form of sequents (clauses, disjuncts). The basic principles of operation of the inference machine are described, which is the main component of the developed intellectual subsystem. To improve the performance of the machine, one of the fastest methods was chosen - a parallel method of deductive inference based on the division of clauses. The parallelism inherent in the method, and the use of the dataflow architecture, allow parallel computations in the output machine to be implemented without additional effort on the part of the programmer. All this makes it possible to reduce the time for comparing the sequences stored in the knowledge base by several times as compared to traditional inference mechanisms that implement various versions of the principle of resolutions. Formulas and features of the technique of numerical estimation of the user's answers are given. In general, the development of the human-computer dialogue capabilities in test systems- through the development of a specialized module for processing knowledge, will increase the intelligence of such systems and allow us to directly consider the semantics of sentences, more accurately determine the relevance of the user's response to standard knowledge and, ultimately, get rid of the skeptical attitude of many managers to machine testing systems.

Internet device graphs identify relationships between user-centric internet connected devices such as desktops, laptops, smartphones, tablets, gaming consoles, TV's, etc. The ability to create such graphs is compelling for online advertising, content customization, recommendation systems, security, and operations. We begin by describing an algorithm for generating a device graph based on IP-colocation, and then apply the algorithm to a corpus of over 2.5 trillion internet events collected over the period of six weeks in the United States. The resulting graph exhibits immense scale with greater than 7.3 billion edges (pair-wise relationships) between more than 1.2 billion nodes (devices), accounting for the vast majority of internet connected devices in the US. Next, we apply community detection algorithms to the graph resulting in a partitioning of internet devices into 100 million small communities representing physical households. We validate this partition with a unique ground truth dataset. We report on the characteristics of the graph and the communities. Lastly, we discuss the important issues of ethics and privacy that must be considered when creating and studying device graphs, and suggest further opportunities for device graph enrichment and application.

Bluetooth Low Energy device is increasing in popularity due to its lower energy consumption and reliable connectivity compared to the classic Bluetooth. Some of these BLE devices collects and transmits health care data like the heart rate as in a Fitbit smart band. This paper will demonstrate that Bluetooth Low Energy devices that relies on BLE security has weak communication security and how to solve that problem using a private-key encryption algorithm.

IoT systems continue to grow in scale and exhibit similarities to complex systems seen in nature and biology: Systems are composed of heterogeneous entities (mobile devices, servers, sensors, data items, databases, etc.) coordinated in a Cloud environment forming a digital eco-system. Properties of such systems include variety, emergent outcome, self-organisation, etc. The scale of IoT systems, and the disparity in the capabilities of the devices on the market, means there needs to be a unifying model to enable a secure and assured interaction among those `things'. The authors propose conceptual designs for an efficient architecture, run-time decision models using assured models for such an interaction in a digital eco-system. This is done using the situation calculus modelling to represent the fundamental requirements for adjustable decentralised feedback control mechanisms necessary for the IoT-ready software systems: It is shown that complex properties and emergent outcomes of the system can be deduced, emanating from the simple distributed interaction models. A case study from the rail industry is used to assess the design and possible implementation.

Thanks to the occurrence of the Internet of Things (IoT), the devices are able to collect and transmit data via the Internet and contributing to our big data world. It will permit devices to exchange monitoring data content in real time. Real-time communication (RTC) with these devices was analyzed in respect to the Network delay. Network coding (NC) combines data packets and the output packet which is a mixture of the input packets. This technique can provide many potential gains to the network, including reducing Round-Trip Time (RTT), decreasing latency and improving Network delay (ND). In the present paper, the authors improve network delay metrics in the context of the remote management of renewable energy using a random NC with an efficient strategy technique.

In contrast to other studies in IC supply chain security where foundries are classified as either untrusted or trusted, a more realistic threat model is that the foundries are legally and economically obliged to perform trustworthy service, and it is the individual employees that introduce security risks. We call the above as the trusted foundry and untrusted employee (TFUE) model. Based on this model, we investigate new opportunities of establishing trustworthy operations in foundries made possible by double patterning lithography (DPL). DPL is used to setup two independent mask development lines which do not need to share any information. Under this setup, we consider the attack model where the untrusted employee(s) may try to insert Trojans into the circuit. As a countermeasure, we customize DPL to decompose the layout into two sub-layouts in such a way that each sub-layout individually expose minimum information to the untrusted employee.

The interconnectivity of 6LoWPAN networks with the Internet raises serious security concerns, as constrained 6LoWPAN devices are accessible anywhere from the untrusted global Internet. Also, 6LoWPAN devices are mostly deployed in unattended environments, hence easy to capture and clone. Despite that state of the art crypto solutions provide information security, IPv6 enabled smart objects are vulnerable to attacks from outside and inside 6LoWPAN networks that are aimed to disrupt networks. This paper attempts to identify intrusions aimed to disrupt the Routing Protocol for Low-Power and Lossy Networks (RPL).In order to improve the security within 6LoWPAN networks, we extend SVELTE, an intrusion detection system for the Internet of Things, with an intrusion detection module that uses the ETX (Expected Transmissions) metric. In RPL, ETX is a link reliability metric and monitoring the ETX value can prevent an intruder from actively engaging 6LoWPAN nodes in malicious activities. We also propose geographic hints to identify malicious nodes that conduct attacks against ETX-based networks. We implement these extensions in the Contiki OS and evaluate them using the Cooja simulator.

Based on our previous work for a novel logging methodology, called flow-net, we propose an Intrusion Detection System (IDS) using Flow-Net Based Fingerprint (IDS-FF) in this paper. We apply the IDS-FF scheme in TCP/IP (Transmission Control Protocol/Internet Protocol) networks for intrusion detection. Experimental results show good performance of the proposed scheme.

The Controller Area Network (CAN) is a broadcast communications network invented by Robert Bosch GmbH in 1986. CAN is the standard communication network found in automobiles, industry equipment, and many space applications. To be used in these environments, CAN is designed for efficiency and reliability, rather than security. This research paper closely examines the security risks within the CAN protocol and proposes a feasible solution. In this research, we investigate the problems with implementing certain security features in the CAN protocol, such as message authentication and protections against replay and denial-of-service (DoS) attacks. We identify the restrictions of the CAN bus, and we demonstrate how our proposed implementation meets these restrictions. Many previously proposed solutions lack security, feasibility, and/or efficiency; however, a solution must not drastically hinder the real-time operation speed of the network. The solution proposed in this research is tested with a simulative CAN environment. This paper proposes an alteration to the standard CAN bus nodes and the CAN protocol to better protect automobiles and other CAN-related systems from attacks.

We introduce a new cybersecurity project named RIVALS. RIVALS will assist in developing network defense strategies through modeling adversarial network attack and defense dynamics. RIVALS will focus on peer-to-peer networks and use coevolutionary algorithms. In this contribution, we describe RIVALS' current suite of coevolutionary algorithms that use archiving to maintain progressive exploration and that support different solution concepts as fitness metrics. We compare and contrast their effectiveness by executing a standard coevolutionary benchmark (Compare-on-one) and RIVALS simulations on 3 different network topologies. Currently, we model denial of service (DOS) attack strategies by the attacker selecting one or more network servers to disable for some duration. Defenders can choose one of three different network routing protocols: shortest path, flooding and a peer-to-peer ring overlay to try to maintain their performance. Attack completion and resource cost minimization serve as attacker objectives. Mission completion and resource cost minimization are the reciprocal defender objectives. Our experiments show that existing algorithms either sacrifice execution speed or forgo the assurance of consistent results. rIPCA, our adaptation of a known coevolutionary algorithm named IPC A, is able to more consistently produce high quality results, albeit without IPCA's guarantees for results with monotonically increasing performance, without sacrificing speed.

This research introduces an electromagnetic (EM) noise generator known as the FRIES noise generator to mitigate and obfuscate Side Channel Analysis (SCA) attacks against a Raspberry Pi. The FRIES noise generator utilizes the implementation of the Secure Hash Algorithm (SHA) from OpenSSL to generate white noise within the EM spectrum. This research further contributes to the body of knowledge by demonstrating that the SHA implementation of libcrypto++ and OpenSSL had different EM signatures. It was further revealed that as a more secure implementation of the SHA was executed additional data lines were used, resulting in increased EM emissions. It was demonstrated that the OpenSSL implementations of the SHA was more optimized as opposed to the libcrypto++ implementation by utilizing less resources and not leaving the device in a bottleneck. The FRIES daemon added noise to the EM leakage which prevents the visual location of the AES-128 cryptographic implementation. Finally, the cross-correlation test demonstrated that the EM features of the AES-128 algorithm was not detected within the FRIES noise.

IoT Network Monitor is an intuitive and user-friendly interface for consumers to visualize vulnerabilities of IoT devices in their home. Running on a Raspberry Pi configured as a router, the IoT Network Monitor analyzes the traffic of connected devices in three ways. First, it detects devices with default passwords exploited by previous attacks such as the Mirai Botnet, changes default device passwords to randomly generated 12 character strings, and reports the new passwords to the user. Second, it conducts deep packet analysis on the network data from each device and notifies the user of potentially sensitive personal information that is being transmitted in cleartext. Lastly, it detects botnet traffic originating from an IoT device connected to the network and instructs the user to disconnect the device if it has been hacked. The user-friendly IoT Network Monitor will enable homeowners to maintain the security of their home network and better understand what actions are appropriate when a certain security vulnerability is detected. Wide adoption of this tool will make consumer home IoT networks more secure.

The Internet of Things (IoT) is continuously growing and is now reaching into the industrial environment through new services such as remote maintenance for machine tools. Industrial applications of IoT require an increased awareness of security at all times. It is not only necessary that the data is exchanged securely; also the design of the hardware of the devices themselves needs to be considered. Security has to be designed right from the start into the IoT devices rather than added on later. This paper lays the foundation for the creation of a modular safe remote monitoring and maintenance system for machine tools through IoT devices at the hardware level. This article introduces a fully modular secure data acquisition system design approach with greater versatility, ready to be used in modern IoT manufacturing environments or for safe upgrading of existing legacy machinery.

Modern databases contain an enormous amount of information stored in a structured format. This information is processed to acquire knowledge. However, the process of information extraction from a Database System is cumbersome for non-expert users as it requires an extensive knowledge of DBMS languages. Therefore, an inevitable need arises to bridge the gap between user requirements and the provision of a simple information retrieval system whereby the role of a specialized Database Administrator is annulled. In this paper, we propose a methodology for building an Intelligent Querying System (IQS) by which a user can fire queries in his own (natural) language. The system first parses the input sentences and then generates SQL queries from the natural language expressions of the input. These queries are in turn mapped with the desired information to generate the required output. Hence, it makes the information retrieval process simple, effective and reliable.

The continued acceptance of enhanced security technologies in the private sector, such as two-factor authentication, has prompted significant changes of organizational security practices. While past work has focused on understanding how users in consumer settings react to enhanced security measures for banking, email, and more, little work has been done to explore how these technological transitions and applications occur within organizational settings. Moreover, while many corporations have invested significantly to secure their networks for the sake of protecting valuable intellectual property, academic institutions, which also create troves of intellectual property, have fallen behind in this endeavor. In this paper, we detail a transition from a token-based, two-factor authentication system within an academic institution to an entirely digital system utilizing employee-owned mobile devices. To accomplish this, we first conducted discussions with staff from the Information Security Office to understand the administrative perspective of the transition. Second, our key contribution is the analysis of an in-depth survey to explore the perceived benefits and usability of the novel technological requirements from the employee perspective. In particular, we investigate the implications of the new authentication system based on employee acceptance or opposition to the mandated technological transition, with a specific focus on the utilization of personal devices for workplace authentication.

Data storage in cloud should come along with high safety and confidentiality. It is accountability of cloud service provider to guarantee the availability and security of client data. There exist various alternatives for storage services but confidentiality and complexity solutions for database as a service are still not satisfactory. Proposed system gives alternative solution for database as a service that integrates benefits of different services along with advance encryption techniques. It yields possibility of applying concurrency on encrypted data. This alternative provides supporting facility to connect dispersed clients with elimination of intermediate proxy by which simplicity can acquired. Performance of proposed system evaluated on basis of theoretical analyses.

Network traffic identification has been a hot topic in network security area. The identification of abnormal traffic can detect attack traffic and helps network manager enforce corresponding security policies to prevent attacks. Support Vector Machines (SVMs) are one of the most promising supervised machine learning (ML) algorithms that can be applied to the identification of traffic in IP networks as well as detection of abnormal traffic. SVM shows better performance because it can avoid local optimization problems existed in many supervised learning algorithms. However, as a binary classification approach, SVM needs more research in multiclass classification. In this paper, we proposed an abnormal traffic identification system(ATIS) that can classify and identify multiple attack traffic applications. Each component of ATIS is introduced in detail and experiments are carried out based on ATIS. Through the test of KDD CUP dataset, SVM shows good performance. Furthermore, the comparison of experiments reveals that scaling and parameters has a vital impact on SVM training results.

This paper presents our results from identifying anddocumenting false positives generated by static code analysistools. By false positives, we mean a static code analysis toolgenerates a warning message, but the warning message isnot really an error. The goal of our study is to understandthe different kinds of false positives generated so we can (1)automatically determine if an error message is truly indeed a truepositive, and (2) reduce the number of false positives developersand testers must triage. We have used two open-source tools andone commercial tool in our study. The results of our study haveled to 14 core false positive patterns, some of which we haveconfirmed with static code analysis tool developers.

Malicious emails pose substantial threats to businesses. Whether it is a malware attachment or a URL leading to malware, exploitation or phishing, attackers have been employing emails as an effective way to gain a foothold inside organizations of all kinds. To combat email threats, especially targeted attacks, traditional signature- and rule-based email filtering as well as advanced sandboxing technology both have their own weaknesses. In this paper, we propose a predictive analysis approach that learns the differences between legit and malicious emails through static analysis, creates a machine learning model and makes detection and prediction on unseen emails effectively and efficiently. By comparing three different machine learning algorithms, our preliminary evaluation reveals that a Random Forests model performs the best.

The high mobility of Army tactical networks, combined with their close proximity to hostile actors, elevates the risks associated with short-range network attacks. The connectivity model for such short range connections under active operations is extremely fluid, and highly dependent upon the physical space within which the element is operating, as well as the patterns of movement within that space. To handle these dependencies, we introduce the notion of "key cyber-physical terrain": locations within an area of operations that allow for effective control over the spread of proximity-dependent malware in a mobile tactical network, even as the elements of that network are in constant motion with an unpredictable pattern of node-to-node connectivity. We provide an analysis of movement models and approximation strategies for finding such critical nodes, and demonstrate via simulation that we can identify such key cyber-physical terrain quickly and effectively.

With millions of apps available to users, the mobile app market is rapidly becoming very crowded. Given the intense competition, the time to market is a critical factor for the success and profitability of an app. In order to shorten the development cycle, developers often focus their efforts on the unique features and workflows of their apps and rely on third-party Open Source Software (OSS) for the common features. Unfortunately, despite their benefits, careless use of OSS can introduce significant legal and security risks, which if ignored can not only jeopardize security and privacy of end users, but can also cause app developers high financial loss. However, tracking OSS components, their versions, and interdependencies can be very tedious and error-prone, particularly if an OSS is imported with little to no knowledge of its provenance. We therefore propose OSSPolice, a scalable and fully-automated tool for mobile app developers to quickly analyze their apps and identify free software license violations as well as usage of known vulnerable versions of OSS. OSSPolice introduces a novel hierarchical indexing scheme to achieve both high scalability and accuracy, and is capable of efficiently comparing similarities of app binaries against a database of hundreds of thousands of OSS sources (billions of lines of code). We populated OSSPolice with 60K C/C++ and 77K Java OSS sources and analyzed 1.6M free Google Play Store apps. Our results show that 1) over 40K apps potentially violate GPL/AGPL licensing terms, and 2) over 100K of apps use known vulnerable versions of OSS. Further analysis shows that developers violate GPL/AGPL licensing terms due to lack of alternatives, and use vulnerable versions of OSS despite efforts from companies like Google to improve app security. OSSPolice is available on GitHub.