Biblio

This paper proposes a simple topological characterization of a large class of fair adversarial models via affine tasks: sub-complexes of the second iteration of the standard chromatic subdivision. We show that the task computability of a model in the class is precisely captured by iterations of the corresponding affine task. Fair adversaries include, but are not restricted to, the models of wait-freedom, t-resilience, and k-concurrency. Our results generalize and improve all previously derived topological characterizations of the ability of a model to solve distributed tasks.

This article is devoted to new asynchronous methods for rendering text information in mobile applications for iOS operating system.

Despite the very high volatility of the cryptocurrency markets, the interest in the development and adaptation of existing cryptocurrencies such as Bitcoin as well as new distributed ledger technologies is increasing. Therefore, understanding the security and vulnerability issues of such blockchain systems plays a critical role. In this work, we propose a configurable distributed simulation framework for analyzing Bitcoin-like blockchain systems which are based on Proof-of-Work protocols. The simulator facilitates investigating security properties of blockchain systems by enabling users to configure several characteristics of the blockchain network and executing different attack scenarios, such as double-spending attacks and flood attacks and observing the effects of the attacks on the blockchain network.

In recent days, organizational networks are becoming target of sophisticated multi-hop attacks. Attack Graph has been proposed as a useful modeling tool for complex attack scenarios by combining multiple vulnerabilities in causal chains. Analysis of attack scenarios enables security administrators to calculate quantitative security measurements. These measurements justify security investments in the organization. Different security metrics based on attack graph have been introduced for evaluation of comparable security measurements. Studies show that difficulty of exploiting the same vulnerability changes with change of its position in the causal chains of attack graph. In this paper, a new security metric based on attack graph, namely Attack Difficulty has been proposed to include this position factor. The security metrics are classified in two major categories viz. counting metrics and difficulty-based metrics. The proposed Attack Difficulty Metric employs both categories of metrics as the basis for its measurement. Case studies have been presented for demonstrating applicability of the proposed metric. Comparison of this new metric with other attack graph based security metrics has also been included to validate its acceptance in real life situations.

Modern distributed systems are characterized by complex deployment designed to ensure high availability through replication and diversity, to tolerate the presence of failures and to limit the possibility of successful compromising. However, software is not free from bugs that generate vulnerabilities that could be exploited by an attacker through multiple steps. This paper presents an attack-graph based multi-step attack detector aiming at detecting a possible on-going attack early enough to take proper countermeasures through; a Visualization interfaced with the described attack detector presents the security operator with the relevant pieces of information, allowing a better comprehension of the network status and providing assistance in managing attack situations (i.e., reactive analysis mode). We first propose an architecture and then we present the implementation of each building block. Finally, we provide an evaluation of the proposed approach aimed at highlighting the existing trade-off between accuracy of the detection and detection time.

In this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal Email account, using a variety of tools such as: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man in the middle attack, and free software to perform a brute-force attack on the login of the email account. Our results expose some of the inherent vulnerabilities in using emails as password reset points. The findings are extremely relevant to the security of mobile devices since users' trend has leaned towards usage of mobile devices over desktops for Internet access.

In recent years, many users have uploaded data to the cloud for easy storage and sharing with other users. At the same time, security and privacy concerns for the data are growing. Attribute-based encryption (ABE) enables both data security and access control by defining users with attributes so that only those users who have matching attributes can decrypt them. For real-world applications of ABE, revocation of users or their attributes is necessary so that revoked users can no longer decrypt the data. In actual implementations, ABE is used in hybrid with a symmetric encryption scheme such as the advanced encryption standard (AES) where data is encrypted with AES and the AES key is encrypted with ABE. The hybrid encryption scheme requires re-encryption of the data upon revocation to ensure that the revoked users can no longer decrypt that data. To re-encrypt the data, the data owner (DO) must download the data from the cloud, then decrypt, encrypt, and upload the data back to the cloud, resulting in both huge communication costs and computational burden on the DO depending on the size of the data to be re-encrypted. In this paper, we propose an attribute-based proxy re-encryption method in which data can be re-encrypted in the cloud without downloading any data by adopting both ABE and Syalim's encryption scheme. Our proposed scheme reduces the communication cost between the DO and cloud storage. Experimental results show that the proposed method reduces the communication cost by as much as one quarter compared to that of the trivial solution.

In the cloud computing environment, a growing number of users share their own data files through cloud storage. However, there will be some security and privacy problems due to the reason that the cloud is not completely trusted, so it needs to be resolved by access control. Attribute-based encryption (ABE) and searchable encryption (SE) can solve fine-grained access control. At present, researchers combine the two to propose an attribute-based searchable encryption scheme and achieved remarkable results. Nevertheless, most of existing attribute-based searchable encryption schemes cannot resist online/offline keyword guessing attack. To solve the problem, we present an attribute-based (CP-ABE) searchable encryption scheme that supports trapdoor updating (CSES-TU). In this scheme, the data owner can formulate an access strategy for the encrypted data. Only the attributes of the data user are matched with the strategy can the effective trapdoor be generated and the ciphertext be searched, and that this scheme will update trapdoors at the same time. Even if the keywords are the same, new trapdoors will be generated every time when the keyword is searched, thus minimizing the damage caused by online/offline keyword guessing attack. Finally, the performance of the scheme is analyzed, and the proof of correctness and security are given at the same time.

Named Data Networking (or NDN) represents a potential new approach to the current host based Internet architecture which prioritize content over the communication between end nodes. NDN relies on caching functionalities and local data storage, such as a content request could be satisfied by any node holding a copy of the content in its storage. Due to the fact that users in the same network domain can share their cached content with each other and in order to reduce the transmission cost for obtaining the desired content, a cooperative network coding mechanism is proposed in this paper. We first formulate our optimal coding and homomorphic signature scheme as a MIP problem and we show how to leverage Software Defined Networking to provide seamless implementation of the proposed solution. Evaluation results demonstrate the efficiency of the proposed coding scheme which achieves better performance than conventional NDN with random coding especially in terms of transmission cost and security.

The data transmitted from the wearable device commonly includes sensitive data. So, application service using the data collected from the unauthorized wearable devices can cause serious problems. Also, it is important to authenticate any wearable device and then, protect the transmitted data between the wearable devices and the application server. In this paper, we propose an authentication protocol, which is designed by using the Transport Layer Security (TLS) handshake protocol combined with a mobile authentication proxy. By using the proposed authentication protocol, we can authenticate the wearable device. And we can secure data transmission since session key is shared between the wearable device and the application server. In addition, the proposed authentication protocol is secure even when the mobile authentication proxy is unreliable.

While the standard language XACML is very expressive for specifying fine-grained access control policies, defects can get into XACML policies for various reasons, such as misunderstanding of access control requirements, omissions, and coding errors. These defects may result in unauthorized accesses, escalation of privileges, and denial of service. Therefore, quality assurance of XACML policies for real-world information systems has become an important issue. To address this issue, this paper presents a family of coverage criteria for XACML policies, such as rule coverage, rule pair coverage, decision coverage, and Modified Condition/Decision Coverage (MC/DC). To demonstrate the assurance levels of these coverage criteria, we have developed methods for automatically generating tests, i.e., access requests, to satisfy the coverage criteria using a constraint solver. We have evaluated these methods through mutation analysis of various policies with different levels of complexity. The experiment results have shown that the rule coverage is far from adequate for revealing the majority of defects in XACML policies, and that both MC/DC and decision coverage tests have outperformed the existing methods for testing XACML policies. In particular, MC/DC tests achieve a very high level of quality assurance of XACML policies.

The security content automation includes configurations of large number of systems, installation of patches securely, verification of security-related configuration settings, compliance with security policies and regulatory requirements, and ability to respond quickly when new threats are discovered [1]. Although humans are important in information security management, humans sometimes introduce errors and inconsistencies in an organization due to manual nature of their tasks [2]. Security Content Automation Protocol was developed by the U.S. NIST to automate information security management tasks such as vulnerability and patch management, and to achieve continuous monitoring of security configurations in an organization. In this paper, SCAP is employed to develop an automated security configuration checklist for use in verifying Apple iOS device configuration against the defined security baseline to enforce policy compliance in an enterprise.

It is important to assess the cost benefits of IT security investments. Typically, this is done by manual risk assessment process. In this paper, we propose an approach to automate this using graphical security models (GSMs). GSMs have been used to assess the security of networked systems using various security metrics. Most of the existing GSMs assumed that networks are static, however, modern networks (e.g., Cloud and Software Defined Networking) are dynamic with changes. Thus, it is important to develop an approach that takes into account the dynamic aspects of networks. To this end, we automate security investments analysis of dynamic networks using a GSM named Temporal-Hierarchical Attack Representation Model (T-HARM) in order to automatically evaluate the security investments and their effectiveness for a given period of time. We demonstrate our approach via simulations.

Recent studies have revealed that cyber criminals tend to exchange knowledge about cyber attacks in online social networks (OSNs). Cyber security experts are another set of information providers on OSNs who frequently share information about cyber security incidents and their personal opinions and analyses. Therefore, in order to improve our knowledge about evolving cyber attacks and the underlying human behavior for different purposes (e.g., crime investigation, understanding career development of cyber criminals and cyber security professionals, detection of impeding cyber attacks), it will be very useful to detect cyber security related accounts on OSNs automatically, and monitor their activities. This paper reports our preliminarywork on automatic detection of cyber security related accounts on OSNs using Twitter as an example. Three machine learning based classification algorithms were applied and compared: decision trees, random forests, and SVM (support vector machines). Experimental results showed that both decision trees and random forests had performed well with an overall accuracy over 95%, and when random forests were used with behavioral features the accuracy had reached as high as 97.877%.

Producing an editable model texture could be a challenging problem if the model is scanned from real world or generated by multi-view reconstruction algorithm. To solve this problem, we present a novel re-topology and UV remapping method based on neural network, which transforms arbitrary models with textured coordinates to a semi-regular meshes, and keeps models texture and removes the influence of lighting information. The main innovation of this paper is to use a neural network to find the appropriate location of the starting and ending points for models in the UV maps. Then each fragmented mesh is projected to the 2D planar domain. After calculating and optimizing the orientation field, a semi-regular mesh for each patch is then generated. Those patches can be projected back to three-dimension space and be spliced to a complete mesh. Experiments show that our method can achieve satisfactory performance.

This paper presents work towards realizing architectural support for Bluetooth Trusted I/O on SGX-enabled platforms, with the goal of providing I/O data protection that does not rely on system software security. Indeed, we are primarily concerned with protecting I/O from all software adversaries, including privileged software. In this paper we describe the challenges in designing and implementing Trusted I/O at the architectural level for Bluetooth. We propose solutions to these challenges. In addition, we describe our proof-of-concept work that extends existing over-the-air Bluetooth security all the way to an SGX enclave by securing user data between the Bluetooth Controller and an SGX enclave.

Insider threat detection represents a challenging problem to companies and organizations where malicious actions are performed by authorized users. This is a highly skewed data problem, where the huge class imbalance makes the adaptation of learning algorithms to the real world context very difficult. In this work, applications of genetic programming (GP) and stream active learning are evaluated for insider threat detection. Linear GP with lexicase/multi-objective selection is employed to address the problem under a stationary data assumption. Moreover, streaming GP is employed to address the problem under a non-stationary data assumption. Experiments conducted on a publicly available corporate data set show the capability of the approaches in dealing with extreme class imbalance, stream learning and adaptation to the real world context.

One of the most important strength features of crypto-system's is the key space. As a result, whenever the system has more key space, it will be more resistant to attack. The weakest type of attack on the key space is Brute Force attack, which tests all the keys on the ciphertext in order to get the plaintext. But there are several strategies that can be considered by the attacker and cryptographer related to the selection of the right key with the lowest cost (time). Game theory is a mathematical theory that draws the best strategies for most problems. This research propose a new evaluation method which is employing game theory to draw best strategies for both players (cryptographer & attacker).

Internet of Things (IoT) Devices are monitoring and controlling systems that interact with the physical world by collecting, processing and transmitting data using the internet. IoT devices include home automation systems, smart grid, transportation systems, medical devices, building controls, manufacturing and industrial control systems. With the increase in deployment of IoT devices, there will be a corresponding increase in the amount of data generated by these devices, therefore, resulting in the need of large scale data processing systems to process and extract information for efficient and impactful decision making that will improve quality of living.

In the business and research landscape of today, data analysis consumes public and proprietary data from numerous sources, and utilizes any one or more of popular data-parallel frameworks such as Hadoop, Spark and Flink. In the Data Lake setting these frameworks co-exist. Our earlier work has shown that data provenance in Data Lakes can aid with both traceability and management. The sheer volume of fine-grained provenance generated in a multi-framework application motivates the need for on-the-fly provenance processing. We introduce a new parallel stream processing algorithm that reduces fine-grained provenance while preserving backward and forward provenance. The algorithm is resilient to provenance events arriving out-of-order. It is evaluated using several strategies for partitioning a provenance stream. The evaluation shows that the parallel algorithm performs well in processing out-of-order provenance streams, with good scalability and accuracy.

Microsoft BitLocker full-disk encryption has been widely implemented at Lehigh University since 2014 on both laptop and desktop computers. This retrospective review will summarize BitLocker's selection factors, initial testing, mass deployment, and important lessons learned. Additionally, this review will also discuss the university's transition to Windows 10 and how it positively impacted the use of BitLocker.

We introduce BitML, a domain-specific language for specifying contracts that regulate transfers of bitcoins among participants, without relying on trusted intermediaries. We define a symbolic and a computational model for reasoning about BitML security. In the symbolic model, participants act according to the semantics of BitML, while in the computational model they exchange bitstrings, and read/append transactions on the Bitcoin blockchain. A compiler is provided to translate contracts into standard Bitcoin transactions. Participants can execute a contract by appending these transactions on the Bitcoin blockchain, according to their strategies. We prove the correctness of our compiler, showing that computational attacks on compiled contracts are also observable in the symbolic model.

Network measurements are essential for troubleshooting and active management of networks. Protocol analysis of captured network packet traffic is an important passive network measurement technique used by researchers and network operations engineers. In this work, we present a measurement workbench tool named BITS Darshini (Darshini in short) to enable scientific network measurements. We have created Darshini as a modular, concurrent web application that stores experimental meta-data and allows users to specify protocol parse graphs. Darshini performs protocol analysis on a concurrent pipeline architecture, persists the analysis to a database and provides the analysis results via a REST API service. We formulate the problem of mapping protocol parse graph to a concurrent pipeline as a graph embedding problem. Our tool, Darshini, performs protocol analysis up to transport layer and is suitable for the study of small and medium-sized networks. Darshini enables secure collaboration and consultations with experts.

Most modern computing devices make available fine-grained control of operating frequency and voltage for power management. These interfaces, as demonstrated by recent attacks, open up a new class of software fault injection attacks that compromise security on commodity devices. CLKSCREW, a recently-published attack that stretches the frequency of devices beyond their operational limits to induce faults, is one such attack. Statically and permanently limiting frequency and voltage modulation space, i.e., guard-banding, could mitigate such attacks but it incurs large performance degradation and long testing time. Instead, in this paper, we propose a run-time technique which dynamically blacklists unsafe operating performance points using a neural-net model. The model is first trained offline in the design time and then subsequently adjusted at run-time by inspecting a selected set of features such as power management control registers, timing-error signals, and core temperature. We designed the algorithm and hardware, titled a BlackList (BL) core, which is capable of detecting and mitigating such power management-based security attack at high accuracy. The BL core incurs a reasonably small amount of overhead in power, delay, and area.

A digital watermarking technique is an alternative method to protect the intellectual property of digital images. This paper presents a hybrid blind watermarking technique formulated by combining RDWT with SVD considering a trade-off between imperceptibility and robustness. Watermark embedding locations are determined using a modified entropy of the host image. Watermark embedding is employed by examining the orthogonal matrix U obtained from the hybrid scheme RDWT-SVD. In the proposed scheme, the watermark image in binary format is scrambled by Arnold chaotic map to provide extra security. Our scheme is tested under different types of signal processing and geometrical attacks. The test results demonstrate that the proposed scheme provides higher robustness and less distortion than other existing schemes in withstanding JPEG2000 compression, cropping, scaling and other noises.