Biblio

Expressing Keystroke Dynamics (KD) in form of sound opens new avenues to apply sound analysis techniques on KD. However this mapping is not straight-forward as varied feature space, differences in magnitudes of features and human interpretability of the music bring in complexities. We present a musical interface to KD by mapping keystroke features to music features. Music elements like melody, harmony, rhythm, pitch and tempo are varied with respect to the magnitude of their corresponding keystroke features. A pitch embedding technique makes the music discernible among users. Using the data from 30 users, who typed fixed strings multiple times on a desktop, shows that these auditory signals are distinguishable between users by both standard classifiers (SVM, Random Forests and Naive Bayes) and humans alike.

Wireless security is confronted with the complexity of the secret key distribution process, which is difficult to implement on an Ad Hoc network without a key management infrastructure. The symmetric key extraction mechanism from a response channel in a wireless environment is a very promising alternative solution with the simplicity of the key distribution process. Various mechanisms have been proposed for extracting the symmetric key, but many mechanisms produce low rates of the symmetric key due to the high bit differences that occur. This led to the fact that the reconciliation phase was unable to make corrections, as a result of which many key bits were lost, and the time required to obtain a symmetric key was increased. In this paper, we propose the use of an interval approach that divides the response channel into segments at specific intervals to reduce the key bit difference and increase the key rates. The results of tests conducted in the wireless environment show that the use of these mechanisms can increase the rate of the keys up to 35% compared to existing mechanisms.

Internet of Things (IoT) enable information transmission and sharing among massive IoT devices. However, the key establishment and management in IoT become more challenging due to the low latency requirements and resource constrained IoT devices. In this work, we propose a practical physical layer based secret key sharing scheme for MIMO (multiple-input-multiple-output) IoT devices to reduce the communication delay caused by key establishment of MIMO IoT devices. This is because the proposed scheme attachs secret key sharing with communication simultaneously. It is achieved by the proposed MIMO self-injection AN (SAN) tranmsission, which is designed to deliberately maximum the receive SNR (signal to noise ratio) at different antenna of the legitimate IoT device, based on the value of secret key sharing to him. The simulation results verified the validity and security of the proposed scheme.

The open and broadcast nature of wireless channels makes eavesdropping possible, leading to the inherent problem of information leakage. Inherent problems should be solved by endogenous security functions. Accordingly, wireless security problems should be resolved by channel-based endogenous security mechanisms. Firstly, this paper analyzes the endogenous security principle of the physical-layer-secret-key method. Afterward, we propose a novel conjecture that in a fast-fading environment, there must exist wireless systems where the endogenous secret key rate can match the user data rate. Moreover, the conjecture is well founded by the instantiation validation in a wireless system with BPSK inputs from the perspectives of both theoretical analysis and simulation experiments. These results indicate that it is possible to accomplish the one-time pad via endogenous secret keys in wireless communication.

Vehicular Social Networks (VSNs) are expected to become a reality soon, where commuters having common interests in the virtual community of vehicles, drivers, passengers can share information, both about road conditions and their surroundings. This will improve transportation efficiency and public safety. However, social networking exposes vehicles to different kinds of cyber-attacks. This concern can be addressed through an efficient and secure key management framework. This study presents a Secure and Transparent Public-key Management (ST-PKMS) based on blockchain and notary system, but it addresses security and privacy challenges specific to VSNs. ST-PKMS significantly enhances the efficiency and trustworthiness of mutual authentication. In ST-PKMS, each vehicle has multiple short-lived anonymous public-keys, which are recorded on the blockchain platform. However, public-keys get activated only when a notary system notarizes it, and clients accept only notarized public-keys during mutual authentication. Compromised vehicles can be effectively removed from the VSNs by blocking notarization of their public-keys; thus, the need to distribute Certificate Revocation List (CRL) is eliminated in the proposed scheme. ST-PKMS ensures transparency, security, privacy, and availability, even in the face of an active adversary. The simulation and evaluation results show that the ST-PKMS meets real-time performance requirements, and it is cost-effective in terms of scalability, delay, and communication overhead.

The development of IPv6-based wireless local area networks is becoming increasingly mature, and it has defined no less than different standards to meet the needs of different applications. Wireless home networks are widely used because they can be seamlessly connected to daily life, especially smart home devices linked to it. There are certain security issues with smart home devices deployed in wireless home networks, such as data tampering and leakage of sensitive information. This paper proposes a smart home management system based on IPv6 wireless home network, and develops a prototype system deployed on mobile portable devices. Through this system, different roles in the wireless home network can be dynamically authorized and smart home resources can be allocated to achieve the purpose of access control and management.

Fast IPv4 scanning has made sufficient progress in network measurement and security research. However, it is infeasible to perform brute-force scanning of the IPv6 address space. We can find active IPv6 addresses through scanning candidate addresses generated by the state-of-the-art algorithms, whose probing efficiency of active IPv6 addresses, however, is still very low. In this paper, we aim to improve the probing efficiency of IPv6 addresses in two ways. Firstly, we perform a longitudinal active measurement study over four months, building a high-quality dataset called hitlist with more than 1.3 billion IPv6 addresses distributed in 45.2k BGP prefixes. Different from previous work, we probe the announced BGP prefixes using a pattern-based algorithm, which makes our dataset overcome the problems of uneven address distribution and low active rate. Secondly, we propose an efficient address generation algorithm DET, which builds a density space tree to learn high-density address regions of the seed addresses in linear time and improves the probing efficiency of active addresses. On the public hitlist and our hitlist, we compare our algorithm DET against state-of-the-art algorithms and find that DET increases the de-aliased active address ratio by 10%, and active address (including aliased addresses) ratio by 14%, by scanning 50 million addresses.

The rapid growth of IPv6 traffic makes security issues become more important. This paper proposes an IPv6 network security system that integrates signature-based Intrusion Detection Systems (IDS) and machine learning classification technologies to improve the accuracy of IPv6 denial-of-service (DoS) attacks detection. In addition, this paper has also enhanced IPv6 network security defense capabilities through software-defined networking (SDN) and network function virtualization (NFV) technologies. The experimental results prove that the detection and defense mechanisms proposed in this paper can effectively strengthen IPv6 network security.

In recent years, IPv6 and its application are more and more widely deployed. Most network devices support and open IPv6 protocol stack. The security of IPv6 network is also concerned. In the IPv6 network security technology, address scanning is a key and difficult point. This paper presents a TGAs-based IPv6 address scanning method. It takes the known alive IPv6 addresses as input, and then utilizes the information entropy and clustering technology to mine the distribution law of seed addresses. Then, the final optimized target address set can be obtained by expanding from the seed address set according to the distribution law. Experimental results show that it can effectively improve the efficiency of IPv6 address scanning.

In the last couple of years ARM-based servers have been gradually adopted by cloud service providers and utilized in the data centers. Such tendency may provide great business opportunities for various companies in the industry. Hence, the ability to timely track the development trend of the ARM-based server ecosystem (ASE) from technical perspective is of great importance. In this paper the level of development of the ASE is quantitatively assessed based on open-source data analysis. In particular, statistical data is extracted from 42 Linux kernels to analyze the development process of the ASE. Furthermore, an estimate of the development trend of the ASE in the next 10 years is made based on the statistical data. The estimated results provide insight on when the ASE may become as mature as today's x86-based server ecosystem.

Deception technology is a useful approach to improve the security posture of IoT systems. The deployment of replication techniques as a deception tactic is presented with a summary of our research progress towards quantifying the defensive improvement as part of overall risk management considerations.

With the development of technology, application of the Internet in daily life is increasing, making our connection with the Internet closer. However, with the improvement of convenience, information security has become more and more important. How to ensure information security in a convenient living environment is a question worth discussing. For instance, the widespread deployment of IP-cameras has made great progress in terms of convenience. On the contrary, it increases the risk of privacy exposure. Poorly designed surveillance devices may be implanted with suspicious software, which might be a thorny issue to human life. To effectively identify vulnerable devices, we design an SDN-based identification system that uses machine learning technology to identify brands and probable model types by identifying packet features. The identifying results make it possible for further vulnerability analysis.

The training process of deep learning model is costly. As such, deep learning model can be treated as an intellectual property (IP) of the model creator. However, a pirate can illegally copy, redistribute or abuse the model without permission. In recent years, a few Deep Neural Networks (DNN) IP protection works have been proposed. However, most of existing works passively verify the copyright of the model after the piracy occurs, and lack of user identity management, thus cannot provide commercial copyright management functions. In this paper, a novel user fingerprint management and DNN authorization control technique based on backdoor is proposed to provide active DNN IP protection. The proposed method can not only verify the ownership of the model, but can also authenticate and manage the user's unique identity, so as to provide a commercially applicable DNN IP management mechanism. Experimental results on CIFAR-10, CIFAR-100 and Fashion-MNIST datasets show that the proposed method can achieve high detection rate for user authentication (up to 100% in the three datasets). Illegal users with forged fingerprints cannot pass authentication as the detection rates are all 0 % in the three datasets. Model owner can verify his ownership since he can trigger the backdoor with a high confidence. In addition, the accuracy drops are only 0.52%, 1.61 % and -0.65% on CIFAR-10, CIFAR-100 and Fashion-MNIST, respectively, which indicate that the proposed method will not affect the performance of the DNN models. The proposed method is also robust to model fine-tuning and pruning attacks. The detection rates for owner verification on CIFAR-10, CIFAR-100 and Fashion-MNIST are all 100% after model pruning attack, and are 90 %, 83 % and 93 % respectively after model fine-tuning attack, on the premise that the attacker wants to preserve the accuracy of the model.

Current Internet Protocol routing provides minimal privacy, which enables multiple exploits. The main issue is that the source and destination addresses of all packets appear in plain text. This enables numerous attacks, including surveillance, man-in-the-middle (MITM), and denial of service (DoS). The talk explains how these attacks work in the current network. Endpoints often believe that use of Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP) can minimize the loss of privacy.We will explain how the regularity of human behavior can be used to overcome these countermeasures. Once packets leave the local autonomous system (AS), they are routed through the network by the Border Gateway Protocol (BGP). The talk will discuss the unreliability of BGP and current attacks on the routing protocol. This will include an introduction to BGP injects and the PEERING testbed for BGP experimentation. One experiment we have performed uses statistical methods (CUSUM and F-test) to detect BGP injection events. We describe work we performed that applies BGP injects to Internet Protocol (IP) address randomization to replace fixed IP addresses in headers with randomized addresses. We explain the similarities and differences of this approach with virtual private networks (VPNs). Analysis of this work shows that BGP reliance on autonomous system (AS) numbers removes privacy from the concept, even though it would disable the current generation of MITM and DoS attacks. We end by presenting a compromise approach that creates software-defined data exchanges (SDX), which mix traffic randomization with VPN concepts. We contrast this approach with the Tor overlay network and provide some performance data.

With the emergence of smart automotive devices, the data communication between these devices gains increasing importance. SOME/IP is a light-weight protocol to facilitate inter- process/device communication, which supports both procedural calls and event notifications. Because of its simplicity and capability, SOME/IP is getting adopted by more and more automotive devices. Subsequently, the security of SOME/IP applications becomes crucial. However, previous security testing techniques cannot fit the scenario of vulnerability detection SOME/IP applications due to miscellaneous challenges such as the difficulty of server-side testing programs in parallel, etc. By addressing these challenges, we propose Ori - a greybox fuzzer for SOME/IP applications, which features two key innovations: the attach fuzzing mode and structural mutation. The attach fuzzing mode enables Ori to test server programs efficiently, and the structural mutation allows Ori to generate valid SOME/IP packets to reach deep paths of the target program effectively. Our evaluation shows that Ori can detect vulnerabilities in SOME/IP applications effectively and efficiently.

As a typical representative of a new generation military information technology, the value and significance of Internet of Battlefield Things (IoBT) has been widely recognized by the world's military forces. At the same time, Internet of Battlefield Things (IoBT) is facing serious scalability and security challenges. This paper presents the basic concept and six-domain model of IoBT, explains the integration security framework of IoBT and blockchain. Furthermore, we design and build a novel IoT framework called IoBTChain based on blockchain and smart contracts, which adopts a credit-based resource management system to control the amount of resources that an IoBT device can obtain from a cloud server based on pre-defined priority rules, application types, and behavior history. We illustrate the deployment procedure of blockchain and smart contracts, the device registration procedure on blockchain, the IoBT behavior regulation workflow and the pricing-based resource allocation algorithm.

With the increasing application of Information and Communication Technologies (ICTs), cyberattacks have become more prevalent against Cyber-Physical Systems (CPSs) such as the modern power grids. Various methods have been proposed to model the cybersecurity threats, but so far limited studies have been focused on the defensive strategies subject to the limited security budget. In this paper, the power supply reliability is evaluated considering the strategic allocation of defense resources. Specifically, the optimal mixed strategies are formulated by the Stackelberg Security Game (SSG) to allocate the defense resources on multiple targets subject to cyberattacks. The cyberattacks against the intrusion-tolerant Supervisory Control and Data Acquisition (SCADA) system are mathematically modeled by Semi-Markov Process (SMP) kernel. The intrusion tolerance capability of the SCADA system provides buffered residence time before the substation failure to enhance the network robustness against cyberattacks. Case studies of the cyberattack scenarios are carried out to demonstrate the intrusion tolerance capability. Depending on the defense resource allocation scheme, the intrusion-tolerant SCADA system possesses varying degrees of self-healing capability to restore to the good state and prevent the substations from failure. If more defense resources are invested on the substations, the intrusion tolerant capability can be further enhanced for protecting the substations. Finally, the actuarial insurance principle is designed to estimate transmission companies' individual premiums considering correlated cybersecurity risks. The proposed insurance premium principle is designed to provide incentive for investments on enhancing the intrusion tolerance capability, which is verified by the results of case studies.

Semantic metadata is an important means to promote the integration of information and services and improve the level of search and discovery automation. Aiming at the problems that machine is difficult to handle service metadata description and lack of information metadata description in current SWIM information services, this paper analyzes the methods of metadata sematic empowerment and mainstream semantic metadata standards related to air traffic control system, constructs the SWIM information, and service sematic metadata model based on semantic expansion. The method of semantic metadata model mapping is given from two aspects of service and data, which can be used to improve the level of information sharing and intelligent processing.

Achieving efficient and secure accesses to real-time information from the designated IoT node is the fundamental key requirement for the applications of the Internet of Things. However, IoT nodes are prone to physical attacks, public channels reveal the sensitive information, and gateways that manage the IoT nodes suffer from the single-point failure, thereby causing the security and privacy problems. In this paper, a blockchain-based user remote authentication scheme using physical unclonable functions (PUFs) is proposed to overcome these problems. The PUFs provide physically secure identities for the IoT nodes and the blockchain acts as a distributed database to manage the key materials reliably for gateways. The security analysis is conducted and shows that our scheme realizes reliable security features and resists various attacks. Furthermore, a prototype was implemented to prove our scheme is efficient, scalable, and suitable for IoT scenarios.

Facial biometrics have the advantages of high reliability, strong distinguishability and easily acquired for authentication. Therefore, it is becoming wildly used in identity authentication filed. However, there are stability, security and privacy issues in generating face key, which brings great challenges to face biometric authentication. In this paper, we propose a biometric key generation scheme based on face image. On the one hand, a deep neural network model for feature extraction is used to improve the stability of identity authentication. On the other hand, a key generation mechanism is designed to generate random biometric key while hiding original facial biometrics to enhance security and privacy of user authentication. The results show the FAR reach to 0.53% and the FRR reach to 0.57% in LFW face database, which achieves the better performance of biometric identification, and the proposed method is able to realize randomness of the generated biometric keys by NIST statistical test suite.

This paper presents a multi-channel, 12 bit, ADC IP core with programmable gain amplifier which is implemented as part of novel Security SoC. The measurement results show that effective number of bits (ENOB) of the ADC IP core reaches 8 bits, SNDR of 47.14dB and SFDR of 56.55dB at 100Ksps sampling rate. The input voltage range is 0V to 3.3V, active die area of 700um*620um in 0.35um CMOS process, and the ADC consumes 22mW in all channel auto-scan mode at 3.3V power supply.

With the construction of State Grid informatization, professional data such as operation inspection, marketing, and regulation have gradually shifted from offline to online. In recent years, cyberspace security incidents have occurred frequently, and national and group cybersecurity threats have emerged. As the next-generation communication system, quantum security has to satisfy the security requirements. Also, it is especially important to build the fusion application of energy network quantum private communication technology and conventional network, and to form a safe and reliable quantum-level communication technology solution suitable for the power grid. In this paper, from the perspective of the multi-terminal quantum key application, combined with a mature electricity consumption information collection system, a handheld meter reading solution based on quantum private communication technology is proposed to effectively integrate the two and achieve technological upgrading. First, from the technical theory and application fields, the current situation of quantum private communication technology and its feasibility of combining with classical facilities are introduced and analyzed. Then, the hardware security module and handheld meter reading terminal equipment are taken as typical examples to design and realize quantum key shared storage, business security process application model; finally, based on the overall environment of quantum key distribution, the architecture design of multi-terminal quantum key application verification is implemented to verify the quantum key business application process.

This work examines metrics that can be used to measure the ability of agile software development methods to meet security and privacy requirements of communications applications. Many implementations of communication protocols, including those in vehicular networks, occur within regulated environments where agile development methods are traditionally discouraged. We propose a framework and metrics to measure adherence to security, quality and software effectiveness regulations if developers desire the cost and schedule benefits of agile methods. After providing an overview of specific challenges that a regulated environment imposes on communications software development, we proceed to examine the 12 agile principles and how they relate to a regulatory environment. From this review we identify two metrics to measure performance of three key regulatory attributes of software for communications applications, and then recommend an approach of either tools, agile methods or DevOps that is best positioned to satisfy its regulated environment attributes. By considering the recommendations in this paper, managers of software-dominant communications programs in a regulated environment can gain insight into leveraging the benefits of agile methods.

The rapid developments of mobile communication and wearable devices greatly improve our daily life, while the massive entities and emerging services also make Cyber-Physical System (CPS) much more complicated. The maintenance of CPS security tends to be more and more difficult. As a ”gamechanging” new active defense concept, Moving Target Defense (MTD) handle this tricky problem by periodically upsetting and recombining connections between users and servers in the protected system, which is so-called ”shuffle”. By this means, adversaries can hardly obtain enough time to compromise the potential victims, which is the indispensable condition to collect necessary information or conduct further malicious attacks. But every coin has two sides, MTD also introduce unbearable high energy consumption and resource occupation in the meantime, which hinders the large-scale application of MTD for quite a long time. In this paper, we propose a novel deep reinforcement learning-based MOTAG system called DQ-MOTAG. To our knowledge, this is the first work to provide self-adaptive shuffle period adjustment ability for MTD with reinforcement learning-based intelligent control mechanism. We also design an algorithm to generate optimal duration of next period to guide subsequent shuffle. Finally, we conduct a series of experiments to prove the availability and performance of DQ-MOTAG compared to exist methods. The result highlights our solution in terms of defense performance, error block rate and network source consumption.

Lightweight virtualization represented by container technology provides a virtual environment for cloud services with more flexibility and efficiency due to the kernel-sharing property. However, the shared kernel also means that the system isolation mechanisms are incomplete. Attackers can scan the shared system configuration files to explore vulnerabilities for launching attacks. Previous works mainly eliminate the problem by fixing operating systems or using access control policies, but these methods require significant modifications and cannot meet the security needs of individual containers accurately. In this paper, we present ConfigRand, a moving target defense framework to prevent the information leakages due to the shared kernel in the container-based cloud. The ConfigRand deploys deceptive system configurations for each container, bounding the scan of attackers aimed at the shared kernel. In design of ConfigRand, we (1) propose a framework applying the moving target defense philosophy to periodically generate, distribute, and deploy the deceptive system configurations in the container-based cloud; (2) establish a model to formalize these configurations and quantify their heterogeneity; (3) present a configuration movement strategy to evaluate and optimize the variation of configurations. The results show that ConfigRand can effectively prevent the information leakages due to the shared kernel and apply to typical container applications with minimal system modification and performance degradation.