Biblio

Attacks targeting several millions of non-internet based application users are on the rise. These applications such as SMS and USSD typically do not benefit from existing multi-factor authentication methods due to the nature of their interaction interfaces and mode of operations. To address this problem, we propose an approach that augments blockchain with multi-factor authentication based on evidence from blockchain transactions combined with risk analysis. A profile of how a user performs transactions is built overtime and is used to analyse the risk level of each new transaction. If a transaction is flagged as high risk, we generate n-factor layers of authentication using past endorsed blockchain transactions. A demonstration of how we used the proposed approach to authenticate critical financial transactions in a blockchain-based asset financing platform is also discussed.

To achieve a substantial reliability and safety level, it is imperative to provide electronic computing systems with appropriate mechanisms to tackle soft errors. This paper proposes a low-cost system-level soft error mitigation technique, which allocates the critical application function to a pool of specific general-purpose processor registers. Both the critical function and the register pool are automatically selected by a developed profiling tool. The proposed technique was validated through more than 320K fault injections considering a Linux kernel, different benchmarks and two multicore ARM processors. Results show that our technique significantly reduces the code size and performance overheads while providing reliability improvement, w.r.t. the Triple Modular Redundancy (TMR) technique.

The article discusses new models and methods for timely identification and blocking of malicious code of critically important information infrastructure based on static and dynamic analysis of executable program codes. A two-stage method for detecting malicious code in the executable program codes (the so-called "digital bombs") is described. The first step of the method is to build the initial program model in the form of a control graph, the construction is carried out at the stage of static analysis of the program. The article discusses the purpose, features and construction criteria of an ordered control graph. The second step of the method is to embed control points in the program's executable code for organizing control of the possible behavior of the program using a specially designed recognition automaton - an automaton of dynamic control. Structural criteria for the completeness of the functional control of the subprogram are given. The practical implementation of the proposed models and methods was completed and presented in a special instrumental complex IRIDA.

Vehicular ad hoc networks (VANETs) ensure improvement in road safety and traffic management by allowing the vehicles and infrastructure that are connected to them to exchange safety messages. Due to the open wireless communication channels, security and privacy issues are a major concern in VANETs. A typical attack consists of a malicious third party intercepting, modifying and retransmitting messages. Heterogeneous vehicular communication in VANETs occurs when vehicles (only) or vehicles and other infrastructure communicate using different cryptographic techniques. To address the security and privacy issues in heterogeneous vehicular communication, some heterogeneous signcryption schemes have been proposed. These schemes simultaneously satisfy the confidentiality, authentication, integrity and non-repudiation security requirements. They however fail to properly address the efficiency with respect to the computational cost involved in unsigncrypting ciphertexts, which is often affected by the speeds at which vehicles travel in VANETs. In this paper, we propose an efficient conditional privacy-preserving hybrid signcryption (CPP-HSC) scheme that uses bilinear pairing to satisfy the security requirements of heterogeneous vehicular communication in a single logical step. Our scheme ensures the transmission of a message from a vehicle with a background of an identity-based cryptosystem (IBC) to a receiver with a background of a public-key infrastructure (PKI). Furthermore, it supports a batch unsigncryption method, which allows the receiver to speed up the process by processing multiple messages simultaneously. The security of our CPP-HSC scheme ensures the indistinguishability against adaptive chosen ciphertext attack (IND-CCA2) under the intractability assumption of q-bilinear Diffie-Hellman inversion (q-BDHI) problem and the existential unforgeability against adaptive chosen message attack (EUF-CMA) under the intractability assumption of q-strong Diffie-Hellman (q-SDH) problem in the random oracle model (ROM). The performance analysis indicates that our scheme has an improvement over the existing related schemes with respect to the computational cost without an increase in the communication cost.

The controller is an indispensable entity in software-defined networking (SDN), as it maintains a global view of the underlying network. However, if the controller fails to respond to the network due to a distributed denial of service (DDoS) attacks. Then, the attacker takes charge of the whole network via launching a spoof controller and can also modify the flow tables. Hence, faster, and accurate detection of DDoS attacks against the controller will make the SDN reliable and secure. Moreover, the Internet traffic is drastically increasing due to unprecedented growth of connected devices. Consequently, the processing of large number of requests cause a performance bottleneck regarding SDN controller. In this paper, we propose a hierarchical control plane SDN architecture for multi-domain communication that uses a statistical method called principal component analysis (PCA) to reduce the dimensionality of the big data traffic and the support vector machine (SVM) classifier is employed to detect a DDoS attack. SVM has high accuracy and less false positive rate while the PCA filters attribute drastically. Consequently, the performance of classification and accuracy is improved while the false positive rate is reduced.

Many detection approaches have been proposed to address growing threat of Distributed Denial of Service (DDoS) attacks on the Internet. The attack detection is the initial step in most of the mitigation systems. This study examined the methods used to detect DDoS attacks with the focus on learning based approaches. These approaches were compared based on their efficiency, operating load and scalability. Finally, it is discussed in details.

The Controller Area Network (CAN) bus system works inside connected cars as a central system for communication between electronic control units (ECUs). Despite its central importance, the CAN does not support an authentication mechanism, i.e., CAN messages are broadcast without basic security features. As a result, it is easy for attackers to launch attacks at the CAN bus network system. Attackers can compromise the CAN bus system in several ways: denial of service, fuzzing, spoofing, etc. It is imperative to devise methodologies to protect modern cars against the aforementioned attacks. In this paper, we propose a Long Short-Term Memory (LSTM)-based Intrusion Detection System (IDS) to detect and mitigate the CAN bus network attacks. We first inject attacks at the CAN bus system in a car that we have at our disposal to generate the attack dataset, which we use to test and train our model. Our results demonstrate that our classifier is efficient in detecting the CAN attacks. We achieved a detection accuracy of 99.9949%.

Recently, phishing attacks have taking a new dimension with the addition of quick response code to phishing attacks vectors. Quick response code phishing attack is when an attacker lures its victims to voluntarily divulge personal information such as password, personal identification number, username and other information such as online banking details through the use of quick response code. This attack is on the rise as more and more people have adopted mobile phone usage not just for communication only but to perform transaction seamlessly. The ease of creation and use of quick response code has made it easily acceptable to both provider of goods and services and consumers. This attack is semantic as it exploits human vulnerabilities; as users can hardly know what is hidden in the quick response code before usage. This study reviewed various methodologies that earlier researcher have used to detect this semantic-based attack of phishing. The strength of each methodology, its weakness and general research gaps identified.

This paper presents a new incremental parallelizable message authentication code (MAC) scheme adaptable to lightweight block ciphers for memory integrity verification. The highlight of the proposed scheme is to achieve both incremental update capability and sufficient security bound with lightweight block ciphers, which is a novel feature. We extend the conventional parallelizable MAC to realize the incremental update capability while keeping the original security bound. We prove that a comparable security bound can be obtained even if this change is incorporated. We also present a hardware architecture for the proposed MAC scheme with lightweight block ciphers and demonstrate the effectiveness through FPGA implementation. The evaluation results indicate that the proposed MAC hardware achieves 3.4 times improvement in the latency-area product for the tag update compared with the conventional MAC.

Future wearable devices are expected to increasingly exchange their positioning information with various Location-Based Services (LBSs). Wearable applications can include activity-based health and fitness recommendations, location-based social networking, location-based gamification, among many others. With the growing opportunities for LBSs, it is expected that location privacy concerns will also increase significantly. Particularly, in opportunistic wireless networks based on device-to-device (D2D) connectivity, a user can request a higher level of control over own location privacy, which may result in more flexible permissions granted to wearable devices. This translates into the ability to perform location obfuscation to the desired degree when interacting with other wearables or service providers across the network. In this paper, we argue that specific errors in the disclosed location information feature two components: a measurement error inherent to the localization algorithm used by a wearable device and an intentional (or obfuscation) error that may be based on a trade-off between a particular LBS and a desired location privacy level. This work aims to study the trade-off between positioning accuracy and location information privacy in densely crowded scenarios by introducing two privacy-centric metrics.

Side-channel attacks occur on smartphone keystrokes, where the input can be intercepted by a tapping sound. Ilia et al. reported that keystrokes can be predicted with 61% accuracy from tapping sounds listened to by the built-in microphone of a legitimate user's device. Li et al. reported that by emitting sonar sounds from an attacker smartphone's built-in speaker and analyzing the reflected waves from a legitimate user's finger at the time of tap input, keystrokes can be estimated with 90% accuracy. However, the method proposed by Ilia et al. requires prior penetration of the target smartphone and the attack scenario lacks plausibility; if the attacker's smartphone can be penetrated, the keylogger can directly acquire the keystrokes of a legitimate user. In addition, the method proposed by Li et al. is a side-channel attack in which the attacker actively interferes with the terminals of legitimate users and can be described as an active attack scenario. Herein, we analyze the extent to which a user's keystrokes are leaked to the attacker in a passive attack scenario, where the attacker wiretaps the sounds of the legitimate user's keystrokes using an external microphone. First, we limited the keystrokes to the personal identification number input. Subsequently, mel-frequency cepstrum coefficients of tapping sound data were represented as image data. Consequently, we found that the input is discriminated with high accuracy using a convolutional neural network to estimate the key input.

The number of Mobile device users in the word has evolved rapidly. Many internet users currently want to connect the internet for all utilities automatically. One of the technologies in the IPv6 network, which supports data access from moving users, is IPv6 Mobile protocol. In its mobility, the users on a range of networks can move the range to another network. High demand for this technology will interest to a hacker or a cracker to carry out an attack. One of them is a DoS attack that compromises a target to denial its services. A firewall is usually used to protect networks from external attacks. However, since the firewall based on the attacker database, the unknown may not be detected. In order to address the obstacle, a detection tool could be used. In this research, IDS as an intrusion detection tool was integrated with a firewall to be implemented in IPv6 Mobile to stop the DoS attack. The results of some experiments showed that the integration system could block the attack at 0.9 s in Correspondent Node and 1.2 s in Home Agent. The blocked attack can decrease the network throughput up to 27.44% when a Mobile Node in Home Agent, 28,87% when the Mobile Node in a Foreign Network. The final result of the blocked attack is reducing the average CPU utilization up to 30.99%.

The Internet Protocol Version 6 (IPV6) proposed to replace IPV4 to solve scalability challenges and improve quality of service and security. Current implementation of IPv6 uses static value that is determined from the Media Access Control (MAC) address as the Interface Identifier (IID). This results in a deterministic IID for each user that is the same regardless of any network changes. This provides an eavesdropper with the ability to easily track the physical location of the communicating nodes using simple tools, such as ping and traceroute. Moreover, this address generation method provides a means to correlate network traffic with a specific user which can be achieved by filtering the IID and traffic analysis. These serious privacy breaches need to be addressed before widespread deployment of IPv6. In this paper we propose a privacy-enhanced method for generating IID which combines different network parameters. The proposed method generates non-deterministic IIDs that is resistance against correlation attack. We validate our approach using Wireshark, ping and traceroute tools and show that our proposed approach achieves better privacy compared to the existing IID generation methods.

Current Internet Protocol routing provides minimal privacy, which enables multiple exploits. The main issue is that the source and destination addresses of all packets appear in plain text. This enables numerous attacks, including surveillance, man-in-the-middle (MITM), and denial of service (DoS). The talk explains how these attacks work in the current network. Endpoints often believe that use of Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP) can minimize the loss of privacy.We will explain how the regularity of human behavior can be used to overcome these countermeasures. Once packets leave the local autonomous system (AS), they are routed through the network by the Border Gateway Protocol (BGP). The talk will discuss the unreliability of BGP and current attacks on the routing protocol. This will include an introduction to BGP injects and the PEERING testbed for BGP experimentation. One experiment we have performed uses statistical methods (CUSUM and F-test) to detect BGP injection events. We describe work we performed that applies BGP injects to Internet Protocol (IP) address randomization to replace fixed IP addresses in headers with randomized addresses. We explain the similarities and differences of this approach with virtual private networks (VPNs). Analysis of this work shows that BGP reliance on autonomous system (AS) numbers removes privacy from the concept, even though it would disable the current generation of MITM and DoS attacks. We end by presenting a compromise approach that creates software-defined data exchanges (SDX), which mix traffic randomization with VPN concepts. We contrast this approach with the Tor overlay network and provide some performance data.

In this paper Intelligent Electronic Devices (IED) that use ethernet for communicating with substation devices on the grid where modelled in OPNET. There is a need to test the communication protocol performance over the network. A model for the substation communication network was implemented in OPNET. This was done for ESKOM, which is the electrical power generation and distribution authority in South Africa. The substation communication model consists of 10 ethernet nodes which simulate protection Intelligent Electronic Devices (IEDs), 13 ethernet switches, a server which simulates the substation Remote Terminal Unit (RTU) and the DNP3 Protocol over TCP/IP simulated on the model. DNP3 is a protocol that can be used in a power utility computer network to provide communication service for the grid components. It was selected as the communication protocol because it is widely used in the energy sector in South Africa. The network load and packet delay parameters were sampled when 10%, 50%, 90% and 100% of devices are online. Analysis of the results showed that with an increase in number of nodes there was an increase in packet delay as well as the network load. The load on the network should be taken into consideration when designing a substation communication network that requires a quick response such as a smart gird.

Internet of Things (IoT) has been growing exponentially in the commercial market in recent years. It is also a fact that people hold one or more computing devices at home. Many of them have been developed to operate through internet connectivity with cloud computing technologies that result in the demand for fast, robust, and secure services. In most cases, the lack of these services makes difficult the transfer of data to fulfill the devices' purposes. Under these conditions, an intermediate layer or middleware is needed to process, filter, and send data through a more efficient alternative. This paper presents the adaptive solution of a middleware architecture as an intermediate layer between smart devices and cloud computing to enhance the management of the heterogeneity of data provining from IoT devices. The proposed middleware provides easy configuration, adaptability, and bearability for different environments. Finally, this solution has been implemented in the healthcare domain, in which IoT solutions are deployed into Ambient Assisted Living (AAL) environments.

The design of codes for communicating reliably over a statistically well defined channel is an important endeavor involving deep mathematical research and wide-ranging practical applications. In this work, we present the first family of codes obtained via deep learning, which significantly outperforms state-of-the-art codes designed over several decades of research. The communication channel under consideration is the Gaussian noise channel with feedback, whose study was initiated by Shannon; feedback is known theoretically to improve reliability of communication, but no practical codes that do so have ever been successfully constructed. We break this logjam by integrating information theoretic insights harmoniously with recurrent-neural-network based encoders and decoders to create novel codes that outperform known codes by 3 orders of magnitude in reliability and achieve a 3dB gain in terms of SNR. We also demonstrate several desirable properties of the codes: (a) generalization to larger block lengths, (b) composability with known codes, and (c) adaptation to practical constraints. This result also has broader ramifications for coding theory: even when the channel has a clear mathematical model, deep learning methodologies, when combined with channel-specific information-theoretic insights, can potentially beat state-of-the-art codes constructed over decades of mathematical research.

Current paradigms for client-server authentication often rely on username/password schemes. Studies show such schemes are increasingly vulnerable to heuristic and brute-force attacks. This is either due to poor practices by users such as insecure weak passwords, or insecure systems by server operators. A recurring problem in any system which retains information is insecure management policies for sensitive information, such as logins and passwords, by both hosts and users. Increased processing power on the horizon also threatens the security of many popular hashing algorithms. Furthermore, increasing reliance on applications that exchange sensitive information has resulted in increased urgency. This is demonstrated by a large number of mobile applications being deemed insecure by Open Web Application Security Project (OWASP) standards. This paper proposes a secure alternative technique of authentication that retains the current ecosystem, while minimizes attack vectors without inflating responsibilities on users or server operators. Our proposed authentication scheme uses layered encryption techniques alongside a two-part verification process. In addition, it provides dynamic protection for preventing against common cyber-attacks such as replay and man-in-the-middle attacks. Results show that our proposed authentication mechanism outperform other schemes in terms of deployability and resilience to cyber-attacks, without inflating transaction's speed.

User identity and personal information remain to be hot targets for attackers. From recent surveys, we can categorize that 65.5% of all cyberattacks in 2018 target user information. Sadly, most of the time, the system's security depends on how secure it is the implementation from the provider-side. One defense technique that the user can take part in is applying a two-factor authentication (2FA) system for their account. However, we observe that state-of-the-art 2FAs have several weaknesses and limitations. In this paper, we propose TwoChain, a blockchain-based 2FA system for web services to overcome those issues. Our implementation facilitates an alternative 2FA system that is more secure, disposable, and decentralized. Finally, we release TwoChain for public use.

Studies on two-factor authentication based on RFID and face recognition have been carried out on a large scale. However, these studies didn't discuss the way to overcome the weaknesses of face recognition authentication in the access control systems. In this study, two authentication factors, RFID and face recognition, were implemented using the LBP (Local Binary Pattern) algorithm to overcome weaknesses of face recognition authentication in the access control system. Based on the results of performance testing, the access control system has 100% RFID authentication and 80% face recognition authentication. The average time for the RFID authentication process is 0.03 seconds, the face recognition process is 6.3885 seconds and the verification of the face recognition is 0.1970 seconds. The access control system can still work properly after three days without being switched off. The results of security testing showed that the capabilities spoofing detection has 100% overcome the photo attack.

Underwater Acoustic Sensor Networks (UASNs) are often deployed in hostile environments, and they face many security threats. Moreover, due to the harsh characteristics of the underwater environment, UASNs are vulnerable to malicious attacks. One of the most dangerous security threats is the eavesdropping attack, where an adversary silently collects the information exchanged between the sensor nodes. Although careful assignment of transmission power levels and optimization of data flow paths help alleviate the extent of eavesdropping attacks, the network lifetime can be negatively affected since routing could be established using sub-optimal paths in terms of energy efficiency. In this work, two optimization models are proposed where the first model minimizes the potential eavesdropping risks in the network while the second model maximizes the network lifetime under a certain level of an eavesdropping risk. The results show that network lifetimes obtained when the eavesdropping risks are minimized significantly shorter than the network lifetimes obtained without considering any eavesdropping risks. Furthermore, as the countermeasures against the eavesdropping risks are relaxed, UASN lifetime is shown to be prolonged, significantly.

Battery energy storage systems are facing risks of unreliable battery sensor data which might be caused by sensor faults in an embedded battery management system, communication failures, and even cyber-attacks. It is crucial to evaluate the trustworthiness of battery sensor data since inaccurate sensor data could lead to not only serious damages to battery energy storage systems, but also threaten the overall reliability of their applications (e.g., electric vehicles or power grids). This paper introduces a battery sensor data trust framework enabling detecting unreliable data using a deep learning algorithm. The proposed sensor data trust mechanism could potentially improve safety and reliability of the battery energy storage systems. The proposed deep learning-based battery sensor fault detection algorithm is validated by simulation studies using a convolutional neural network.

The blockchain is a storage technology and transmission of information, transparent, secure, and operating without central control. In this paper, we propose a new decentralized trust management and cooperation model where data is shared via blockchain and we explore the revenue distribution under different consensus schemes. To reduce the power calculation with respect to the control mechanism, our proposal adopts the possibility of Proof on Trust (PoT) and Proof of proof-of-stake based trust to replace the proof of work (PoW) scheme, to carry out the mining and storage of new data blocks. To detect nodes with malicious behavior to provide false system information, the trust updating algorithm is proposed..

It has been recognized that artificial intelligence (AI) will play an important role in future societies. AI has already been incorporated in many industries to improve business processes and automation. Although the aviation industry has successfully implemented flight management systems or autopilot to automate flight operations, it is expected that full embracement of AI remains a challenge. Given the rigorous validation process and the requirements for the highest level of safety standards and risk management, AI needs to prove itself being safe to operate. This paper addresses the safety issues of AI deployment in an aviation network compatible with the Future Communication Infrastructure that utilizes heterogeneous wireless access technologies for communications between the aircraft and the ground networks. It further considers the exploitation of software defined networking (SDN) technologies in the ground network while the adoption of SDN in the airborne network can be optional. Due to the nature of centralized management in SDN-based network, the SDN controller can become a single point of failure or a target for cyber attacks. To countermeasure such attacks, an intrusion detection system utilises AI techniques, more specifically deep neural network (DNN), is considered. However, an adversary can target the AI-based intrusion detection system. This paper examines the impact of AI security attacks on the performance of the DNN algorithm. Poisoning attacks targeting the DSL-KDD datasets which were used to train the DNN algorithm were launched at the intrusion detection system. Results showed that the performance of the DNN algorithm has been significantly degraded in terms of the mean square error, accuracy rate, precision rate and the recall rate.

We study the optimal control problem of the maximum a posteriori (MAP) state sequence detection of an adversary using smart meter data. The privacy leakage is measured using the Bayesian risk and the privacy-enhancing control is achieved in real-time using an energy storage system. The control strategy is designed to minimize the expected performance of a non-causal adversary at each time instant. With a discrete-state Markov model, we study two detection problems: when the adversary is unaware or aware of the control. We show that the adversary in the former case can be controlled optimally. In the latter case, where the optimal control problem is shown to be non-convex, we propose an adaptive-grid approximation algorithm to obtain a sub-optimal strategy with reduced complexity. Although this work focuses on privacy in smart meters, it can be generalized to other sensor networks.