Biblio

Dealing with algorithms, which process large amount of similar data by using significant number of small and various sizes of memory allocation/de-allocation in a dynamic yet deterministic way, is an important issue for soft real-time systems designs. In order to improve the response time, efficiency and security of this kind of processing, we propose a software-based memory management method based on hierarchy of shared memory pools, which could be used to replace standard heap management mechanism of the operating system for some cases. Implementation of this memory management scheme can allocate memory through processing allocation/de-allocation requests of required space. Lockable implementation of this model can safely deal with the multi-threaded concurrent access. We also provide the results of experiments, according to which response time of test systems with soft time-bounded execution demand were considerably improved.

Cyber resilient organizations, their functions and computing infrastructures, should be tolerant towards rapid and unexpected changes in the environment. Information security is an organization-wide common mission; whose success strongly depends on efficient knowledge sharing. For this purpose, semantic wikis have proved their strength as a flexible collaboration and knowledge sharing platforms. However, there has not been notable academic research on how semantic wikis could be used as information security management platform in organizations for improved cyber resilience. In this paper, we propose to use semantic wiki as an agile information security management platform. More precisely, the wiki contents are based on the structured model of the NIST Special Publication 800-53 information security control catalogue that is extended in the research with the additional properties that support the information security management and especially the security control implementation. We present common uses cases to manage the information security in organizations and how the use cases can be implemented using the semantic wiki platform. As organizations seek cyber resilience, where focus is in the availability of cyber-related assets and services, we extend the control selection with option to focus on availability. The results of the study show that a semantic wiki based information security management and collaboration platform can provide a cost-efficient solution for improved cyber resilience, especially for small and medium sized organizations that struggle to develop information security with the limited resources.

Modbus TCP/IP protocol is a commonly used protocol in industrial automation control systems, systems responsible for sensitive operations such as gas turbine operation and refinery control. The protocol was designed decades ago with no security features in mind. Denial of service attack and malicious parameter command injection are examples of attacks that can exploit vulnerabilities in industrial control systems that use Modbus/TCP protocol. This paper discusses and explores the use of intrusion detection and prevention systems (IDPS) with deep packet inspection (DPI) capabilities and DPI industrial firewalls that have capability to detect and stop highly specialized attacks hidden deep in the communication flow. The paper has the following objectives: (i) to develop signatures for IDPS for common attacks on Modbus/TCP based network architectures; (ii) to evaluate performance of three IDPS - Snort, Suricata and Bro - in detecting and preventing common attacks on Modbus/TCP based control systems; and (iii) to illustrate and emphasize that the IDPS and industrial firewalls with DPI capabilities are not preventing but only mitigating likelihood of exploitation of Modbus/TCP vulnerabilities in the industrial and automation control systems. The results presented in the paper illustrate that it might be challenging task to achieve requirements on real-time communication in some industrial and automation control systems in case the DPI is implemented because of the latency and jitter introduced by these IDPS and DPI industrial firewall.

In recent years, software defined networking (SDN) has been proposed for enhancing the security of industrial control networks. However, its ability to guarantee the quality of service (QoS) requirements of such networks in the presence of adversarial flow still needs to be investigated. Queueing theory and particularly queueing network models have long been employed to study the performance and QoS characteristics of networks. The latter appears to be particularly suitable to capture the behaviour of SDN owing to the dependencies between layers, planes and components in an SDN architecture. Also, several authors have used queueing network models to study the behaviour of different application of SDN architectures, but none of the existing works have considered the strong periodic network traffic in software-defined industrial control networks. In this paper, we propose a queueing network model for softwaredefined industrial control networks, taking into account the strong periodic patterns of the network traffic in the data plane. We derive the performance measures for the analytical model and apply the queueing network model to study the effect of adversarial flow in software-defined industrial control networks.

Software-Defined Networks (SDN) are being adopted widely and are also likely to be deployed as the infrastructure of systems with critical real-time properties such as Industrial Control Systems (ICS). This raises the question of what security and performance guarantees can be given for the data plane of such critical systems and whether any control plane actions will adversely affect these guarantees, particularly for quality of service in real-time systems. In this paper we study the existing literature on the analysis of SDN using queueing networks and show ways in which models need to be extended to study attacks that are based on arrival rates and service time distributions of flows in SDN.

Adversarial models are well-established for cryptographic protocols, but distributed real-time protocols have requirements that these abstractions are not intended to cover. The IEEE/IEC 61850 standard for communication networks and systems for power utility automation in particular not only requires distributed processing, but in case of the generic object oriented substation events and sampled value (GOOSE/SV) protocols also hard real-time characteristics. This motivates the desire to include both quality of service (QoS) and explicit network topology in an adversary model based on a π-calculus process algebraic formalism based on earlier work. This allows reasoning over process states, placement of adversarial entities and communication behaviour. We demonstrate the use of our model for the simple case of a replay attack against the publish/subscribe GOOSE/SV subprotocol, showing bounds for non-detectability of such an attack.

Given the centralized architecture of cloud computing, there is a genuine concern about its ability to adequately cope with the demands of connecting devices which are sharply increasing in number and capacity. This has led to the emergence of edge computing technologies, including but not limited to mobile edge-clouds. As a branch of Peer-to-Peer (P2P) networks, mobile edge-clouds inherits disturbing security concerns which have not been adequately addressed in previous methods. P2P security systems have featured many trust-based methods owing to their suitability and cost advantage, but these approaches still lack in a number of ways. They mostly focus on protecting client nodes from malicious service providers, but downplay the security of service provider nodes, thereby creating potential loopholes for bandwidth attack. Similarly, trust bootstrapping is often via default scores, or based on heuristics that does not reflect the identity of a newcomer. This work has patched these inherent loopholes and improved fairness among participating peers. The use cases of mobile edge-clouds have been particularly considered and a scalable reputation based security mechanism was derived to suit them. BitTorrent protocol was modified to form a suitable test bed, using Peersim simulator. The proposed method was compared to some related methods in the literature through detailed simulations. Results show that the new method can foster trust and significantly improve network security, in comparison to previous similar systems.

For the operation of electrical distribution system an increased shift towards smart grid operation can be observed. This shift provides operators with a high level of reliability and efficiency when dealing with highly dynamic distribution grids. Technically, this implies that the support for a bidirectional flow of data is critical to realizing smart grid operation, culminating in the demand for equipping grid entities (such as sensors) with communication and processing capabilities. Unfortunately, the retrofitting of brown-field electric substations in distribution grids with these capabilities is not straightforward - this scenario requires a solution that provides "industry-grade" Internet of Things capabilities at "consumer-grade" prices (e.g., off-the-shelf communication standards and hardware). In this paper, we discuss the particular challenge of precisely time-synchronized wireless data collection in secondary substations that at the same time supports on-site configuration by authorized maintenance personnel through a mobile application: to achieve this, we propose a combined implementation of IPv6 over Bluetooth Low Energy.

Cyberinfrastructure is increasingly becoming target of a wide spectrum of attacks from Denial of
Service to large-scale defacement of the digital presence of an organization. Intrusion Detection System
(IDSs) provide administrators a defensive edge over intruders lodging such malicious attacks. However,
with the sheer number of different IDSs available, one has to objectively assess the capabilities of different
IDSs to select an IDS that meets specific organizational requirements. A prerequisite to enable such
an objective assessment is the implicit comparability of IDS literature. In this study, we review IDS
literature to understand the implicit comparability of IDS literature from the perspective of metrics
used in the empirical evaluation of the IDS. We identified 22 metrics commonly used in the empirical
evaluation of IDS and constructed search terms to retrieve papers that mention the metric. We manually
reviewed a sample of 495 papers and found 159 of them to be relevant. We then estimated the number
of relevant papers in the entire set of papers retrieved from IEEE. We found that, in the evaluation
of IDSs, multiple different metrics are used and the trade-off between metrics is rarely considered. In
a retrospective analysis of the IDS literature, we found the the evaluation criteria has been improving
over time, albeit marginally. The inconsistencies in the use of evaluation metrics may not enable direct
comparison of one IDS to another.

Modern software development frequently uses third-party packages, raising the concern of supply chain security attacks. Many attackers target popular package managers, like npm, and their users with supply chain attacks. In 2021 there was a 650% year-on-year growth in security attacks by exploiting Open Source Software's supply chain. Proactive approaches are needed to predict package vulnerability to high-risk supply chain attacks. The goal of this work is to help software developers and security specialists in measuring npm supply chain weak link signals to prevent future supply chain attacks by empirically studying npm package metadata.

In this paper, we analyzed the metadata of 1.63 million JavaScript npm packages. We propose six signals of security weaknesses in a software supply chain, such as the presence of install scripts, maintainer accounts associated with an expired email domain, and inactive packages with inactive maintainers. One of our case studies identified 11 malicious packages from the install scripts signal. We also found 2,818 maintainer email addresses associated with expired domains, allowing an attacker to hijack 8,494 packages by taking over the npm accounts. We obtained feedback on our weak link signals through a survey responded to by 470 npm package developers. The majority of the developers supported three out of our six proposed weak link signals. The developers also indicated that they would want to be notified about weak links signals before using third-party packages. Additionally, we discussed eight new signals suggested by package developers.

Mobile Ad Hoc Network (MANET) is one of the types of Ad-hoc Network which is comprised of wireless in a network. The main problem in this research is the vulnerability of the protocol routing Dymo against jellyfish attack, so it needs detection from a jellyfish attack. This research implements the DELPHI method to detect jellyfish attacks on a DYMO protocol which has better performance because the Delay Per-Hop Indicator (DELPHI) gathers the amount of hop and information delay from the disjoint path and calculates the delays per-hop as an indicator of a jellyfish attack. The evaluation results indicate an increase in the end-to-end delay average, start from 112.59s in 10 nodes increased to 143.732s in 30 nodes but reduced to 84,2142s in 50 nodes. But when the DYMO routing did not experience any jellyfish attacks both the delivery ratio and throughput are decreased. The delivery ratio, where decreased from 10.09% to 8.19% in 10 nodes, decreased from 20.35% to 16.85%, and decreased from 93.5644% to 82.825% in 50 nodes. As for the throughput, for 10 nodes decreased from 76.7677kbps to 68.689kbps, for 30 nodes decreased from 100kbps to 83.5821kbps and for 50 nodes decreased from 18.94kbps to 15.94kbps.

Distributed Denial of Service (DDoS) attacks became a true threat to network infrastructure. DDoS attacks are capable of inflicting major disruption to the information communication technology infrastructure. DDoS attacks aim to paralyze networks by overloading servers, network links, and network devices with illegitimate traffic. Therefore, it is important to detect and mitigate DDoS attacks to reduce the impact of DDoS attacks. In traditional networks, the hardware and software to detect and mitigate DDoS attacks are expensive and difficult to deploy. Software-Defined Network (SDN) is a new paradigm in network architecture by separating the control plane and data plane, thereby increasing scalability, flexibility, control, and network management. Therefore, SDN can dynamically change DDoS traffic forwarding rules and improve network security. In this study, a DDoS attack detection and mitigation system was built on the SDN architecture using the random forest machine-learning algorithm. The random forest algorithm will classify normal and attack packets based on flow entries. If packets are classified as a DDoS attack, it will be mitigated by adding flow rules to the switch. Based on tests that have been done, the detection system can detect DDoS attacks with an average accuracy of 98.38% and an average detection time of 36 ms. Then the mitigation system can mitigate DDoS attacks with an average mitigation time of 1179 ms and can reduce the average number of attack packets that enter the victim host by 15672 packets and can reduce the average number of CPU usage on the controller by 44,9%.

The development of the internet and the web makes human activities more practical, comfortable, and inexpensive. So that the use of the internet and websites is increasing in various ways. Public networks make the security of websites vulnerable to attack. This research proposes a Honeypot for server security against attackers who want to steal data by carrying out a brute force attack. In this research, Honeypot is integrated on the server to protect the server by creating a shadow server. This server is responsible for tricking the attacker into not being able to enter the original server. Brute force attacks tested using Medusa tools. With the application of Honeypot on the server, it is proven that the server can be secured from the attacker. Even the log of activities carried out by the attacker in the shadow server is stored in the Kippo log activities.

Nowadays, exploits often rely on a code-reuse approach. Short pieces of code called gadgets are chained together to execute some payload. Code-reuse attacks can exploit vul-nerabilities in the presence of operating system protection that prohibits data memory execution. The ROP chain construction task is the code generation for the virtual machine defined by an exploited executable. It is crucial to understand how powerful ROP attacks can be. Such knowledge can be used to improve software security. We implement MAJORCA that generates ROP and JOP payloads in an architecture agnostic manner and thoroughly consider restricted symbols such as null bytes that terminate data copying via strcpy. The paper covers the whole code-reuse payloads construction pipeline: cataloging gadgets, chaining them in DAG, scheduling, linearizing to the ready-to-run payload. MAJORCA automatically generates both ROP and JOP payloads for x86 and MIPS. MAJORCA constructs payloads respecting restricted symbols both in gadget addresses and data. We evaluate MAJORCA performance and accuracy with rop-benchmark and compare it with open-source compilers. We show that MAJORCA outperforms open-source tools. We propose a ROP chaining metric and use it to estimate the probabilities of successful ROP chaining for different operating systems with MAJORCA as well as other ROP compilers to show that ROP chaining is still feasible. This metric can estimate the efficiency of OS defences.

Distributed Denial of Service (DDoS) attacks are among the most harmful cyberattack types in the Internet. The main goal of a DDoS defense mechanism is to reduce the attack's effect as close as possible to their sources to prevent malicious traffic in the Internet. In this work, we examine the DDoS attacks as a rate management and congestion control problem and propose a collaborative fair rate throttling mechanism to combat DDoS attacks. Additionally, we propose anomaly detection mechanisms to detect attacks at the victim site, early attack detection mechanisms by intermediate Autonomous Systems (ASes), and feedback mechanisms between ASes to achieve distributed defense against DDoS attacks. To reduce additional vulnerabilities for the feedback mechanism, we use a secure, private, and authenticated communication channel between AS monitors to control the process. Our mathematical model presents proactive resource management, where the victim site sends rate adjustment requests to upstream routers. We conducted several experiments using a real-world dataset to demonstrate the efficiency of our approach under DDoS attacks. Our results show that the proposed method can significantly reduce the impact of DDoS attacks with minimal overhead to routers. Moreover, the proposed anomaly detection techniques can help ASes to detect possible attacks and early attack detection by intermediate ASes.

Modern power systems today are protected and controlled increasingly by embedded systems of computing technologies with a great degree of collaboration enabled by communication. Energy cyber-physical systems such as power systems infrastructures are increasingly vulnerable to cyber-attacks on the protection and control layer. We present a method of securing protective relays from malicious change in protective relay settings via collaboration of devices. Each device checks the proposed setting changes of its neighboring devices for consistency and coordination with its own settings using setting rules based on relay coordination principles. The method is enabled via peer-to-peer communication between IEDs. It is validated in a cyber-physical test bed containing a real time digital simulator and actual relays that communicate via IEC 61850 GOOSE messages. Test results showed improvement in cyber physical security by using domain based rules to block malicious changes in protection settings caused by simulated cyber-attacks. The method promotes the use of defense systems that are aware of the physical systems which they are designed to secure.

This article describes an analysis of the key technologies currently applied to improve the quality, efficiency, safety and sustainability of Smart Grid systems and identifies the tools to optimize them and possible gaps in this area, considering the different energy sources, distributed generation, microgrids and energy consumption and production capacity. The research was conducted with a qualitative methodological approach, where the literature review was carried out with studies published from 2019 to 2022, in five (5) databases following the selection of studies recommended by the PRISMA guide. Of the five hundred and four (504) publications identified, ten (10) studies provided insight into the technological trends that are impacting this scenario, namely: Internet of Things, Big Data, Edge Computing, Artificial Intelligence and Blockchain. It is concluded that to obtain the best performance within Smart Grids, it is necessary to have the maximum synergy between these technologies, since this union will enable the application of advanced smart digital technology solutions to energy generation and distribution operations, thus allowing to conquer a new level of optimization.

A major challenge in cyber-threat analysis is combining information from different sources to find the person or the group responsible for the cyber-attack. It is one of the most important technical and policy challenges in cybersecurity. The lack of ground truth for an individual responsible for an attack has limited previous studies. In this paper, we take a first step towards overcoming this limitation by building a dataset from the capture-the-flag event held at DEFCON, and propose an argumentation model based on a formal reasoning framework called DeLP (Defeasible Logic Programming) designed to aid an analyst in attributing a cyber-attack. We build models from latent variables to reduce the search space of culprits (attackers), and show that this reduction significantly improves the performance of classification-based approaches from 37% to 62% in identifying the attacker.

A major challenge in cyber-threat analysis is combining information from different sources to find the person or the group responsible for the cyber-attack. It is one of the most important technical and policy challenges in cybersecurity. The lack of ground truth for an individual responsible for an attack has limited previous studies. In this paper, we take a first step towards overcoming this limitation by building a dataset from the capture-the-flag event held at DEFCON, and propose an argumentation model based on a formal reasoning framework called DeLP (Defeasible Logic Programming) designed to aid an analyst in attributing a cyber-attack. We build models from latent variables to reduce the search space of culprits (attackers), and show that this reduction significantly improves the performance of classification-based approaches from 37% to 62% in identifying the attacker.
 

Attributing the culprit of a cyber-attack is widely considered one of the major technical and policy challenges of cyber-security. The lack of ground truth for an individual responsible for a given attack has limited previous studies. Here, we overcome this limitation by leveraging DEFCON capture-the-flag (CTF) exercise data where the actual ground-truth is known. In this work, we use various classification techniques to identify the culprit in a cyberattack and find that deceptive activities account for the majority of misclassified samples. We also explore several heuristics to alleviate some of the misclassification caused by deception.

This paper presents an entirely new RFID tag antenna design that incorporates the QR (Quick Response) code for security purposes. The tag antenna is designed to work at 2.45 GHz frequency. The RFID integrated QR code tag antenna is printed with an additive material deposition system that enables to produce a low cost tag antenna with extended security.

When discussing data center networks (DCN), topology has a significant influence on the availability of data to the host. The performance of DCN is relative to the scale of the network. On a particular network scale, it can even cause a connection to the host to be disconnected due to the overhead of routing information. It takes a long time to get connected again so that the data packet that has been sent is lost. The length of time for updating routing information to all parts of the topology so that it can be reconnected or referred to as the time of convergence is the cause. Scalability of a network is proportional to the time of convergence. This article discusses Aspen Tree and Fat Tree, which is about the modification of multi-root trees that have been modified. In Fat Tree, a final set of hosts from a network can be disconnected from a network topology until there is an update of routing information that is disseminated to each switch on the network, due to a link failure. Aspen Tree is a reference topology because it is considered to reduce convergence time and control the overhead of network failure recovery. The DCN topology performance models are implemented using the open source NS-3 platform to support validation of performance evaluations.

In recent years, Deep Learning (DL) has been utilized for cyber-attack detection mechanisms as it offers highly accurate detection and is able to overcome the limitations of standard machine learning techniques. When applied in a Software-Defined Network (SDN) environment, a DL-based detection mechanism shows satisfying detection performance. However, in the case of adversarial attacks, the detection performance deteriorates. Therefore, in this paper, first, we outline a highly accurate flooding DDoS attack detection framework based on DL for SDN environments. Second, we investigate the performance degradation of our detection framework when being tested with two adversary traffic datasets. Finally, we evaluate three adversarial training procedures for improving the detection performance of our framework concerning adversarial attacks. It is shown that the application of one of the adversarial training procedures can avoid detection performance degradation and thus might be used in a real-time detection system based on continual learning.

Botnets are one of the major threats on the Internet. They are used for malicious activities to compromise the basic network security goals, namely Confidentiality, Integrity, and Availability. For reliable botnet detection and defense, deep learning-based approaches were recently proposed. In this paper, four different deep learning models, namely Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), hybrid CNN-LSTM, and Multi-layer Perception (MLP) are applied for botnet detection and simulation studies are carried out using the CTU-13 botnet traffic dataset. We use several performance metrics such as accuracy, sensitivity, specificity, precision, and F1 score to evaluate the performance of each model on classifying both known and unknown (zero-day) botnet traffic patterns. The results show that our deep learning models can accurately and reliably detect both known and unknown botnet traffic, and show better performance than other deep learning models.

In this paper, the literature survey of different algorithms for generating encryption keys using fingerprints is presented. The focus is on fingerprint features called minutiae points where fingerprint ridges end or bifurcate. Minutiae points require less memory and are processed faster than other fingerprint features. In addition, presented is the proposed efficient method for cryptographic key generation using finger-codes. The results show that the length of the key, computing time and the memory it requires is efficient for use as a biometric key or even as a password during verification and authentication.