Network Security Architecture and Resilience 2015
The requirement for resilience in network security architecture is part of the hard problem in the Science of Security. The work cited here on these interrelated subjects was presented in 2015.
Kishore, R.; Pappa, A.C.; Varshini S, I., "Light Weight Security Architecture for Cluster Based Wireless Sensor Networks," in Ubiquitous Wireless Broadband (ICUWB), 2015 IEEE International Conference on, pp. 1-5, 4-7 Oct. 2015. doi: 10.1109/ICUWB.2015.7324468
Abstract: Recent technological advancements and increasing potential applications have led to the use of Wireless Sensor Networks in various fields. Since the sensor nodes are usually deployed in places where there is no human surveillance, these networks are highly vulnerable to various security threats. The memory, power and processing constraints of the sensor nodes pose challenges to developing efficient security algorithms. Although many cryptographic techniques have been proposed to mitigate outside attacks, the securing of networks against inside attacks has not been addressed effectively. In this paper, a novel security system has been proposed to address the overall security requirement for Wireless Sensor Networks. Defense against outside attacks is provided using a cluster-based authentication and key management scheme using Elliptic Curve Cryptography, while inside attacks are taken care of by a Hybrid Intrusion Detection System using a Bayesian probabilistic model for decision making. The simulation results show the overall effectiveness of the proposed scheme, revealing better performance in terms of resilience to outside attacks, memory capacity, energy efficiency and false alarm rate.
Keywords: Bayes methods; energy conservation; pattern clustering; public key cryptography; telecommunication security; wireless sensor networks; Bayesian probabilistic model; cluster based wireless sensor network; cluster-based authentication scheme; cryptographic technique; decision making; elliptic curve cryptography; energy efficiency; false alarm rate; hybrid intrusion detection system; key management scheme; light weight security architecture; memory capacity; outside attack mitigation; sensor node pose processing constraint; Authentication; Bayes methods; Decision making; Elliptic curve cryptography; Intrusion detection; Wireless sensor networks (ID#: 16-9492)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7324468&isnumber=7324387
Penera, E.; Chasaki, D., "Packet Scheduling Attacks on Shipboard Networked Control Systems," in Resilience Week (RWS), 2015, pp. 1-6, 18-20 Aug. 2015. doi: 10.1109/RWEEK.2015.7287421
Abstract: Shipboard networked control systems are based on a distributed control system architecture that provides remote and local control monitoring. In order to allow the network to scale, a hierarchical communication network is composed of high-speed Ethernet based network switches. Ethernet is the prevalent medium to transfer control data, such as control signals, alarm signals, and sensor measurements on the network. However, communication capabilities bring new security vulnerabilities and make communication links a potential target for various kinds of cyber/physical attacks. The goal of this work is to implement and demonstrate a network layer attack against networked control systems, by tampering with temporal characteristics of the network, leading to time varying delays and packet scheduling abnormalities.
Keywords: computer network security; delay systems; local area networks; networked control systems; scheduling; ships; telecommunication control; time-varying systems; alarm signal; communication capability; communication link; control data; control signal; cyber attack; distributed control system architecture; hierarchical communication network; highspeed Ethernet based network switch; network layer attack; packet scheduling abnormality; packet scheduling attack; physical attack; remote and local control monitoring; security vulnerability; sensor measurement; shipboard networked control system; temporal characteristics; time varying delay; Delays; IP networks; Network topology; Networked control systems; Security; Topology (ID#: 16-9493)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7287421&isnumber=7287407
Harshe, O.A.; Teja Chiluvuri, N.; Patterson, C.D.; Baumann, W.T., "Design and Implementation of a Security Framework for Industrial Control Systems," in Industrial Instrumentation and Control (ICIC), 2015 International Conference on, pp. 127-132, 28-30 May 2015. doi: 10.1109/IIC.2015.7150724
Abstract: We address the problems of network and reconfiguration attacks on an industrial control system (ICS) by describing a trustworthy autonomic interface guardian architecture (TAIGA) that provides security against attacks originating from both supervisory and plant control nodes. In contrast to the existing security techniques which attempt to bolster perimeter security at supervisory levels, TAIGA physically isolates trusted defense mechanisms from untrusted components and monitors the physical process to detect an attack. Trusted components in TAIGA are implemented in programmable logic (PL). Our implementation of TAIGA integrates a trusted safety-preserving backup controller, and a mechanism for preemptive switching to a backup controller when an attack is detected. A hardware implementation of our approach on an inverted pendulum system illustrates how TAIGA improves resilience against software reconfiguration and network attacks.
Keywords: control engineering computing; industrial control; nonlinear systems; pendulums; production engineering computing; programmable controllers; software engineering; switching systems (control); trusted computing; ICS; TAIGA; industrial control system; inverted pendulum system; network attack; perimeter security; plant control node; preemptive switching; programmable logic; reconfiguration attack; security framework; security technique; software reconfiguration; supervisory control node; supervisory level; trusted defense mechanism; trusted safety-preserving backup controller; trustworthy autonomic interface guardian architecture; untrusted component; Production; Safety; Security; Sensors; Servomotors; Switches (ID#: 16-9494)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7150724&isnumber=7150576
Lyn, K.G.; Lerner, L.W.; McCarty, C.J.; Patterson, C.D., "The Trustworthy Autonomic Interface Guardian Architecture for Cyber-Physical Systems," in Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (CIT/IUCC/DASC/PICOM), 2015 IEEE International Conference on, pp. 1803-1810, 26-28 Oct. 2015. doi: 10.1109/CIT/IUCC/DASC/PICOM.2015.263
Abstract: The growing connectivity of cyber-physical systems (CPSes) has led to an increased concern over the ability of cyber-attacks to inflict physical damage. Current cyber-security measures focus on preventing attacks from penetrating control supervisory networks. These reactive techniques, however, are often plagued with vulnerabilities and zero-day exploits. Embedded processors in CPS field devices often possess little security of their own, and are easily exploited once the network is penetrated. We identify four possible outcomes of a cyber-attack on a CPS embedded processor. We then discuss five trust requirements that a device must satisfy to guarantee correct behavior through the device's lifecycle. Next, we examine the Trustworthy Autonomic Interface Guardian Architecture (TAIGA) which monitors communication between the embedded controller and physical process. This autonomic architecture provides the physical process with a last line of defense against cyber-attacks. TAIGA switches process control to a trusted backup controller if an attack causes a system specification violation. We conclude with experimental results of an implementation of TAIGA on a hazardous cargo-carrying robot.
Keywords: cyber-physical systems; trusted computing; CPS embedded processor; TAIGA; cyber-attacks; cyber-physical systems; cyber-security measures; embedded controller; physical process; reactive techniques; trusted backup controller; trustworthy autonomic interface guardian architecture; Control systems; Process control; Program processors; Sensors; Trojan horses; Cyber-physical systems; autonomic control; embedded device security; resilience; trust (ID#: 16-9495)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7363316&isnumber=7362962
Dayal, A.; Tbaileh, A.; Yi Deng; Shukla, S., "Distributed VSCADA: An Integrated Heterogeneous Framework for Power System Utility Security Modeling and Simulation," in Modeling and Simulation of Cyber-Physical Energy Systems (MSCPES), 2015 Workshop on, pp. 1-6, 13-13 April 2015. doi: 10.1109/MSCPES.2015.7115408
Abstract: The economic machinery of the United States is reliant on complex large-scale cyber-physical systems which include electric power grids, oil and gas systems, transportation systems, etc. Protection of these systems and their control from security threats and improvement of the robustness and resilience of these systems are important goals. Since all these systems have Supervisory Control and Data Acquisition (SCADA) in their control centers, a number of test beds have been developed at various laboratories. Usually on such test beds, people are trained to operate and protect these critical systems. In this paper, we describe a virtualized distributed test bed that we developed for modeling and simulating SCADA applications and to carry out related security research. The test bed is virtualized by integrating various heterogeneous simulation components. This test bed can be reconfigured to simulate the SCADA of a power system, or a transportation system or any other critical systems, provided a back-end domain specific simulator for such systems is attached to it. In this paper, we describe how we created a scalable architecture capable of simulating larger infrastructures and by integrating communication models to simulate different network protocols. We also developed a series of middleware packages that integrate various simulation platforms into our test bed using the Python scripting language. To validate the usability of the test bed, we briefly describe how a power system SCADA scenario can be modeled and simulated in our test bed.
Keywords: SCADA systems; authoring languages; control engineering computing; middleware; power system security; power system simulation; Python scripting language; back-end domain specific simulator; complex large-scale cyber-physical systems; distributed VSCADA; economic machinery; heterogeneous simulation components; integrated heterogeneous framework; middleware packages; network protocols; power system utility security modeling; power system utility security simulation platform; supervisory control and data acquisition; system protection; transportation system; virtualized distributed test bed; Databases; Load modeling; Power systems; Protocols; SCADA systems; Servers; Software; Cyber Physical Systems; Cyber-Security; Distributed Systems; NetworkSimulation; SCADA (ID#: 16-9496)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7115408&isnumber=7115373
Januario, F.; Santos, A.; Palma, L.; Cardoso, A.; Gil, P., "A Distributed Multi-Agent Approach for Resilient Supervision Over a IPv6 WSAN Infrastructure," in Industrial Technology (ICIT), 2015 IEEE International Conference on, pp. 1802-1807, 17-19 March 2015. doi: 10.1109/ICIT.2015.7125358
Abstract: Wireless Sensor and Actuator Networks have become an important area of research. They can provide flexibility, low operational and maintenance costs and they are inherently scalable. In the realm of Internet of Things the majority of devices are able to communicate with one another, and in some cases they can be deployed with an IP address. This feature is undoubtedly very beneficial in wireless sensor and actuator networks applications, such as monitoring and control systems. However, this kind of communication infrastructure is rather challenging as it can compromise the overall system performance due to several factors, namely outliers, intermittent communication breakdown or security issues. In order to improve the overall resilience of the system, this work proposes a distributed hierarchical multi-agent architecture implemented over an IPv6 communication infrastructure. The Contiki Operating System and RPL routing protocol were used together to provide an IPv6 based communication between nodes and an external network. Experimental results collected from a laboratory IPv6 based WSAN test-bed show the relevance and benefits of the proposed methodology to cope with communication loss between nodes and the server.
Keywords: Internet of Things; multi-agent systems; routing protocols; wireless sensor networks; Contiki operating system; IP address; IPv6 WSAN infrastructure; IPv6 communication infrastructure; Internet of Things; RPL routing protocol; distributed hierarchical multiagent architecture; distributed multiagent approach; external network; intermittent communication; resilient supervision; wireless sensor and actuator networks; Actuators; Electric breakdown; Monitoring; Peer-to-peer computing; Routing protocols; Security (ID#: 16-9497)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7125358&isnumber=7125066
Hoefling, M.; Heimgaertner, F.; Menth, M.; Katsaros, K.V.; Romano, P.; Zanni, L.; Kamel, G., "Enabling Resilient Smart Grid Communication over the Information-Centric C-DAX Middleware," in Networked Systems (NetSys), 2015 International Conference and Workshops on, pp. 1-8, 9-12 March 2015. doi: 10.1109/NetSys.2015.7089080
Abstract: Limited scalability, reliability, and security of today’s utility communication infrastructures are main obstacles to the deployment of smart grid applications. The C-DAX project aims at providing and investigating a communication middleware for smart grids to address these problems, applying the information-centric networking and publish/subscribe paradigm. We briefly describe the C-DAX architecture, and extend it with a flexible resilience concept, based on resilient data forwarding and data redundancy. Different levels of resilience support are defined, and their underlying mechanisms are described. Experiments show fast and reliable performance of the resilience mechanism.
Keywords: middleware; power engineering computing; smart power grids; communication middleware; data redundancy; flexible resilience concept; information-centric C-DAX middleware; information-centric networking; publish/subscribe paradigm; resilient data forwarding; resilient smart grid communication; smart grids; utility communication infrastructures; Delays; Monitoring; Reliability; Resilience; Security; Subscriptions; Synchronization (ID#: 16-9498)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7089080&isnumber=7089054
Marnerides, A.K.; Bhandari, A.; Murthy, H.; Mauthe, A.U., "A Multi-Level Resilience Framework for Unified Networked Environments," in Integrated Network Management (IM), 2015 IFIP/IEEE International Symposium on, pp. 1369-1372, 11-15 May 2015. doi: 10.1109/INM.2015.7140498
Abstract: Networked infrastructures underpin most social and economical interactions nowadays and have become an integral part of the critical infrastructure. Thus, it is crucial that heterogeneous networked environments provide adequate resilience in order to satisfy the quality requirements of the user. In order to achieve this, a coordinated approach to confront potential challenges is required. These challenges can manifest themselves under different circumstances in the various infrastructure components. The objective of this paper is to present a multi-level resilience approach that goes beyond the traditional monolithic resilience schemes that focus mainly on one infrastructure component. The proposed framework considers four main aspects, i.e. users, application, network and system. The latter three are part of the technical infrastructure while the former profiles the service user. Under two selected scenarios this paper illustrates how an integrated approach coordinating knowledge from the different infrastructure elements allows a more effective detection of challenges and facilitates the use of autonomic principles employed during the remediation against challenges.
Keywords: security of data; anomaly detection; autonomic principles; critical infrastructure; heterogeneous networked environments; monolithic resilience schemes; multilevel resilience framework; unified networked environments; Computer architecture; Conferences; Malware; Monitoring; Resilience; Systematics; Anomaly Detection; Autonomic Networks; Network Architectures; Resilience; Security (ID#: 16-9499)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7140498&isnumber=7140257
Bloom, G.; Narahari, B.; Simha, R.; Namazi, A.; Levy, R., "FPGA SoC architecture and runtime to prevent hardware Trojans from leaking secrets," in Hardware Oriented Security and Trust (HOST), 2015 IEEE International Symposium on, pp. 48-51, 5-7 May 2015. doi: 10.1109/HST.2015.7140235
Abstract: Hardware Trojans compromise security by invalidating the assumption that hardware provides a root-of-trust for secure systems. We propose a novel approach for an FPGA system-on-chip (SoC) to ensure confidentiality of trusted software despite hardware Trojan attacks. Our approach employs defensive techniques that feature morphing on-chip resources for moving target defense against fabrication-time Trojans, onion-encryption for confidentiality, and replication of functionally-equivalent variants of processing elements with arbitrated voting for resilience to design-time Trojans. These techniques are enabled by partial runtime reconfiguration (PRR) and are managed by a hardware abstraction layer (HAL) that reduces developer burden. We call our approach the Morph Onion-encryption Replication PRR HAL, or MORPH. MORPH aims to provide a stable interface for embedded systems developers to use in deploying applications that are resilient to hardware Trojans.
Keywords: cryptography; embedded systems; field programmable gate arrays; system-on-chip; trusted computing; FPGA SoC architecture; HAL; MORPH; PRR; arbitrated voting; design-time Trojans; embedded systems developers; fabrication-time trojans; hardware abstraction layer; hardware trojans; morph onion-encryption replication PRR HAL; on-chip resource morphing; partial runtime reconfiguration; root-of-trust; secret leaking; secure systems; system-on-chip; trusted software; Cryptography; Field programmable gate arrays; Hardware; IP networks; System-on-chip; Trojan horses (ID#: 16-9500)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7140235&isnumber=7140225
Chugh, J., "Resilience, survivability and availability in WDM optical mesh network," in Computing for Sustainable Global Development (INDIACom), 2015 2nd International Conference on, pp. 222-227, 11-13 March 2015. doi: (not provided)
Abstract: The network has become essential to all aspects of modern life and thus the consequences of network disruption have become increasingly severe. It is widely recognized that the network generally is not sufficiently resilient, survivable, highly available and dependable and that significant research, development and engineering are necessary to improve the situation. This paper describes the high level architecture of WDM optical mesh network for resilience, survivability and availability. This paper also describes protection and restoration schemes available for optical networks and further depicts how these protection and restoration schemes can be used to design a highly resilient, highly survivable and highly available network (99.99999).
Keywords: optical communication; telecommunication network reliability; telecommunication security; wavelength division multiplexing; wireless mesh networks; WDM optical mesh network; network disruption; protection schemes; restoration schemes; Availability; Optical fiber networks; Optical fibers; Resilience; Routing; Wavelength division multiplexing; Optical Network; Survivability; WDM (ID#: 16-9501)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7100249&isnumber=7100186
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.