Biblio

Wireless Sensor networks can be composed of smart buildings, smart homes, smart grids, and smart mobility, and they can even interconnect all these fields into a large-scale smart city network. Software-Defined Networking is an ideal technology to realize Internet-of-Things (IoT) Network and WSN network requirements and to efficiently enhance the security of these networks. Software defines Networking (SDN) is used to support IoT and WSN related networking elements, additional security concerns rise, due to the elevated vulnerability of such deployments to specific types of attacks and the necessity of inter-cloud communication any IoT application would require. This work is a study of different security mechanisms available in SDN for IoT and WSN network secure communication. This work also formulates the problems when existing methods are implemented with different networks parameters.

Intelligent Systems for Personal Data Cyber Security is a critical component of the Personal Information Management of Medicaid Enterprises. Intelligent Systems for Personal Data Cyber Security combines components of Cyber Security Systems with Human-Computer Interaction. It also uses the technology and principles applied to the Internet of Things. The use of software-hardware concepts and solutions presented in this report is, in the authors’ opinion, some step in the working-out of the Intelligent Systems for Personal Data Cyber Security in Medicaid Enterprises. These concepts may also be useful for developers of these types of systems.

Evaluating the security gains brought by software diversity is one key issue of software diversity research, but the existing software diversity evaluation methods are generally based on conventional code features and are relatively single, which are difficult to accurately reflect the security gains brought by software diversity. To solve these problems, from the perspective of return-oriented programming (ROP) attack, we present a software diversity evaluation method which integrates metrics for the quality and distribution of gadgets. Based on the proposed evaluation method and SpiderMonkey JavaScript engine, we implement a software diversity evaluation system for compiled languages and script languages. Diversity techniques with different granularities are used to test. The evaluation results show that the proposed evaluation method can accurately and comprehensively reflect the security gains brought by software diversity.

Common Vulnerabilities and Exposures (CVE) databases contain information about vulnerabilities of software products and source code. If individual elements of CVE descriptions can be extracted and structured, then the data can be used to search and analyze CVE descriptions. Herein we propose a method to label each element in CVE descriptions by applying Named Entity Recognition (NER). For NER, we used BERT, a transformer-based natural language processing model. Using NER with machine learning can label information from CVE descriptions even if there are some distortions in the data. An experiment involving manually prepared label information for 1000 CVE descriptions shows that the labeling accuracy of the proposed method is about 0.81 for precision and about 0.89 for recall. In addition, we devise a way to train the data by dividing it into labels. Our proposed method can be used to label each element automatically from CVE descriptions.

The experimental results demonstrated that, With the development of cloud computing, more and more people use cloud computing to do all kinds of things. However, for cloud computing, the most important thing is to ensure the stability of user data and improve security at the same time. From an analysis of the experimental results, it can be found that Cloud computing makes extensive use of technical means such as computing virtualization, storage system virtualization and network system virtualization, abstracts the underlying physical facilities into external unified interfaces, maps several virtual networks with different topologies to the underlying infrastructure, and provides differentiated services for external users. By comparing and analyzing the experimental results, it is clear that virtualization technology will be the main way to solve cloud computing security. Virtualization technology introduces a virtual layer between software and hardware, provides an independent running environment for applications, shields the dynamics, distribution and differences of hardware platforms, supports the sharing and reuse of hardware resources, provides each user with an independent and isolated computer environment, and facilitates the efficient and dynamic management and maintenance of software and hardware resources of the whole system. Applying virtualization technology to cloud security reduces the hardware cost and management cost of "cloud security" enterprises to a certain extent, and improves the security of "cloud security" technology to a certain extent. This paper will outline the basic cloud computing security methods, and focus on the analysis of virtualization cloud security technology

Code-reuse attacks (including ROP/JOP) severely threaten computer security. Control-flow integrity (CFI), which can restrict control flow in legal scope, is recognised as an effective defence mechanism against code-reuse attacks. Hardware-based CFI uses Instruction Set Architecture (ISA) extensions with additional hardware modules to implement CFI and achieve better performance. However, hardware-based fine-grained CFI adds new instructions to the ISA, which can not be executed on old processors and breaks the compatibility of programs. Some coarse-grained CFI designs, such as Intel IBT, maintain the compatibility of programs but can not provide enough security guarantees.To balance the security and compatibility of hardware CFI, we propose Transparent Forward CFI (TFCFI). TFCFI implements hardware-based fine-grained CFI designs without changing the ISA. The software modification of TFCFI utilizes address information and hint instructions in RISC-V as transparent labels to mark the program. The hardware module of TFCFI monitors the control flow during execution. The program modified by TFCFI can be executed on old processors without TFCFI. Benefiting from transparent labels, TFCFI also solves the destination equivalence problem. The experiment on FPGA shows that TFCFI incurs negligible performance overhead (1.82% on average).

With the development of software defined network and network function virtualization, network operators can flexibly deploy service function chains (SFC) to provide network security services more than before according to the network security requirements of business systems. At present, most research on verifying the correctness of SFC is based on whether the logical sequence between service functions (SF) in SFC is correct before deployment, and there is less research on verifying the correctness after SFC deployment. Therefore, this paper proposes a method of using Colored Petri Net (CPN) to establish a verification model offline and verify whether each SF deployment in SFC is correct after online deployment. After the SFC deployment is completed, the information is obtained online and input into the established model for verification. The experimental results show that the SFC correctness verification method proposed in this paper can effectively verify whether each SF in the deployed SFC is deployed correctly. In this process, the correctness of SF model is verified by using SF model in the model library, and the model reuse technology is preliminarily discussed.

This work expands on our prior work on an architecture and supporting protocols to efficiently integrate constrained devices into an Information-Centric Network-based Internet of Things in a way that is both secure and scalable. In this work, we propose a scheme for addressing additional threats and integrating trust-based behavioral observations and attribute-based access control by leveraging the capabilities of less constrained coordinating nodes at the network edge close to IoT devices. These coordinating devices have better insight into the behavior of their constituent devices and access to a trusted overall security management cloud service. We leverage two modules, the security manager (SM) and trust manager (TM). The former provides data confidentiality, integrity, authentication, and authorization, while the latter analyzes the nodes' behavior using a trust model factoring in a set of service and network communication attributes. The trust model allows trust to be integrated into the SM's access control policies, allowing access to resources to be restricted to trusted nodes.

Named in-network computing is an emerging technology of Named Data Networking (NDN). Through deploying the named computing services/functions on NDN router, the router can utilize its free resources to provide nearby computation for users while relieving the pressure of cloud and network edge. Benefitted from the characteristic of named addressing, named computing services/functions can be easily discovered and migrated in the network. To implement named in-network computing, integrating the computing services as Virtual Machines (VMs) into the software router is a feasible way, but how to effectively deploy the service VMs to optimize the local processing capability is still a challenge. Focusing on this problem, we first give the design of NDN-enabled software router in this paper, then propose a service earning based named service deployment scheme (SE-NSD). For available service VMs, SE-NSD not only considers their popularities but further evaluates their service earnings (processed data amount per CPU cycle). Through modelling the deployment problem as the knapsack problem, SE-NSD determines the optimal service VMs deployment scheme. The simulation results show that, comparing with the popularity-based deployment scheme, SE-NSD can promote about 30% in-network computing capability while slightly reducing the service invoking RTT of user.

The advancement of modern multimedia and data-intensive classes of applications demands the development of hardware that delivers better performance. Due to the evolution of 5G, Edge-Computing, the Internet of Things, Software-Defined networks, etc., the data produced by the devices such as sensors are increasing. A software-Defined network is a powerful paradigm that is capable of automating networking and cloud computing. Software-Defined Network has controllers, devices, and applications which produce a huge amount of data. The processing of data inside the device as well as between the devices needs a better hardware architecture with more cores to ensure speedy performance. The System-on-Chip approach alone will not be capable to handle this dense core comprised of hardware. We have to blend Network-on-Chip along with System-on-Chip to increase the potential to include more cores capable to handle more threads. Artificial Intelligence, a key enabler in next-generation devices is capable of producing a better architecture design with optimized performance. In this paper, we are discussing and endeavouring how System-on-Chip, Network-on-Chip, Software-Defined Networks, and Artificial Intelligence can be physically, logically, and contextually incorporated to deliver improved computation and networking outcomes.

In recent years, the design of anomaly detectors has attracted a tremendous surge of interest due to security issues in industrial control systems (ICS). Restricted by hardware resources, most anomaly detectors can only be deployed at the remote monitoring ends, far away from the control sites, which brings potential threats to anomaly detection. In this paper, we propose an active real-time anomaly detection framework deployed in the controller of OpenPLC, which is a standardized open-source PLC and has high scalability. Specifically, we add adaptive active noises to control signals, and then identify a linear dynamic system model of the plant offline and implement it in the controller. Finally, we design two filters to process the estimated residuals based on the obtained model and use χ2 detector for anomaly detection. Extensive experiments are conducted on an industrial control virtual platform to show the effectiveness of the proposed detection framework.

One way to detect and assess software vulnerabilities is by extracting security-related information from commit messages. Automating the detection and assessment of vulnerabilities upon security commit messages is still challenging due to the lack of structured and clear messages. We created a convention, called SECOM, for security commit messages that structure and include bits of security-related information that are essential for detecting and assessing vulnerabilities for both humans and tools. The full convention and details are available here: https://tqrg.github.io/secom/.

This paper presents topological sorting methods to minimize the multiplicative depth of encrypted arithmetic expressions. The research aims to increase compatibility between nonlinear dynamic control schemes and homomorphic encryption methods, which are known to be limited by the quantity of multiplicative operations. The proposed method adapts rewrite rules originally developed for encrypted binary circuits to depth manipulation of arithmetic circuits. The paper further introduces methods to normalize circuit paths that have incompatible depth. Finally, the paper provides benchmarks demonstrating the improved depth in encrypted computed torque control of a dynamic manipulator and discusses how achieved improvements translate to increased cybersecurity.

In order to control users’ access to the information system, it is necessary to develop a security system that can work in real time and easily reconfigure. This problem can be solved using a fuzzy logic. In this paper the authors propose a fuzzy distribution system for access to the student assessment system, which takes into account the level of user access, identifier and the risk of attack during the request. This approach allows process fuzzy or incomplete information about the user and implement a sufficient level of confidential information protection.

Fog computing is defined as a decentralized infrastructure that locations storage and processing aspects at the side of the cloud, the place records sources such as software customers and sensors exist. The Fog Computing is the time period coined via Cisco that refers to extending cloud computing to an area of the enterprise’s network. Thus, it is additionally recognized as Edge Computing or Fogging. It allows the operation of computing, storage, and networking offerings between give up units and computing facts centers. Fog computing is defined as a decentralized infrastructure that locations storage and processing aspects at the side of the cloud, the place records sources such as software customers and sensors exist. The fog computing Intelligence as Artificial Intelligence (AI) is furnished by way of Fog Nodes in cooperation with Clouds. In Fog Nodes several sorts of AI studying can be realized - such as e.g., Machine Learning (ML), Deep Learning (DL). Thanks to the Genius of Fog Nodes, for example, we communicate of Intelligent IoT.

While the existence of many security elements in software can be measured (e.g., vulnerabilities, security controls, or privacy controls), it is challenging to measure their relative security impact. In the physical world we can often measure the impact of individual elements to a system. However, in cyber security we often lack ground truth (i.e., the ability to directly measure significance). In this work we propose to solve this by leveraging human expert opinion to provide ground truth. Experts are iteratively asked to compare pairs of security elements to determine their relative significance. On the back end our knowledge encoding tool performs a form of binary insertion sort on a set of security elements using each expert as an oracle for the element comparisons. The tool not only sorts the elements (note that equality may be permitted), but it also records the strength or degree of each relationship. The output is a directed acyclic ‘constraint’ graph that provides a total ordering among the sets of equivalent elements. Multiple constraint graphs are then unified together to form a single graph that is used to generate a scoring or prioritization system.For our empirical study, we apply this domain-agnostic measurement approach to generate scoring/prioritization systems in the areas of vulnerability scoring, privacy control prioritization, and cyber security control evaluation.

Software vulnerabilities are closely monitored by the security community to timely address the security and privacy issues in software systems. Before a vulnerability is published by vulnerability management systems, it needs to be characterized to highlight its unique attributes, including affected software products and versions, to help security professionals prioritize their patches. Associating product names and versions with disclosed vulnerabilities may require a labor-intensive process that may delay their publication and fix, and thereby give attackers more time to exploit them. This work proposes a machine learning method to extract software product names and versions from unstructured CVE descriptions automatically. It uses Word2Vec and Char2Vec models to create context-aware features from CVE descriptions and uses these features to train a Named Entity Recognition (NER) model using bidirectional Long short-term memory (LSTM) networks. Based on the attributes of the product names and versions in previously published CVE descriptions, we created a set of Expert System (ES) rules to refine the predictions of the NER model and improve the performance of the developed method. Experiment results on real-life CVE examples indicate that using the trained NER model and the set of ES rules, software names and versions in unstructured CVE descriptions could be identified with F-Measure values above 0.95.

The development of marine environment monitoring equipment has been improved by leaps and bounds in recent years. Numerous types of marine environment monitoring equipment have mushroomed with a wide range of high-performance capabilities. However, the existing data recording software cannot meet the demands of real-time and comprehensive data recording in view of the growing data types and the exponential data growth rate generated by various types of marine environment monitoring equipment. Based on the above-mentioned conundrum, this paper proposes a multi-source heterogeneous marine environmental data acquisition and storage method, which can record and replay multi-source heterogeneous data based upon the needs of real-time and accurate performance and also possess good compatibility and expandability.

In this paper, the reader’s attention is directed to the problem of inefficiency of the add-on information security tools, that are installed in operating systems, including virtualization systems. The paper shows the disadvantages, that significantly affect the maintenance of an adequate level of security in the operating system. The results allowing to control all areas hierarchical of protection of the specialized operating system are presented.

The design of safety-critical embedded systems is a complex process that involves the reuse of proven solutions to fulfill a set of requirements. While safety is considered as the major requirement to be satisfied in safety-critical embedded systems, the security attacks can affect the security as well as the safety of these systems. Therefore, ensuring the security of the safety-critical embedded systems is as important as ensuring the safety requirements. The concept of design patterns, which provides common solutions to widely recurring design problems, have been extensively engaged in the design of the hardware and software in many fields, including embedded systems. However, there is an inadequacy of experience with security patterns in the field of safety-critical embedded systems. To address this problem, this paper proposes an approach to integrate security patterns with safety patterns in the design of safety-critical embedded systems. Moreover, it presents a customized representation for security patterns to be more relevant to the common safety patterns in the context of safety-critical embedded systems.

Cloud computing is a fast growing field that provides the user with resources like software, infrastructure and virtual hardware processing power. The steady rise of cloud computing in recent times allowed large companies and even individual users to move towards working with cloud storage systems. However, the risks of leakage of uploaded data in the cloud storage and the questions about the privacy of such systems are becoming a huge problem. Security incidents occur frequently everywhere around the world. Sometimes, data leak may occur at the server side by hackers for their own profit. Data being shared must be encrypted before outsourcing it to the cloud storage. Existing encryption/decryption systems utilize large computational power and have troubles managing the files. This paper introduces a file system that is a more efficient, virtual, with encryption/decryption scheme using parallel encryption. To make encryption and decryption of files easier, Parallel encryption is used in place of serial encryption which is integrated with Identity-Based Encryption in the file system. The proposed file system aims to secure files, reduce the chances of file stored in cloud storage getting leaked thus providing better security. The proposed file system, OutFS+, is more robust and secure than its predecessor, OutFS. Cloud outsourcing takes place faster and the files can be downloaded to the OutFS+ instance on the other side. Moreover, OutFS+ is secure since it is a virtual layer on the operating system and can be unmounted whenever the user wants to.

Currently in El Salvador, efforts are being made to implement the digital signature and as part of this technology, a Public Key Infrastructure (PKI) is required, which must validate Certificate Authorities (CA). For a CA, it is necessary to implement the software that allows it to manage digital certificates and perform security procedures for the execution of cryptographic operations, such as encryption, digital signatures, and non-repudiation of electronic transactions. The present work makes a proposal for a digital certificate management system according to the Digital Signature Law of El Salvador and secure cryptography standards. Additionally, a security discussion is accomplished.

Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings - and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS. In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Assumption: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server-side. We identify a service's regex-based input sanitization in its HTML forms or its API, find vulnerable regexes among these regexes, craft ReDoS probes, and pinpoint vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS through their APIs (6 domains; 15 subdomains). Both Microsoft and Amazon Web Services patched their web services as a result of our disclosure. Since these vulnerabilities were from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library, and our patch has been merged. To summarize: in client-visible sanitization logic, some web services advertise Re-DoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions. “Make measurable what cannot be measured.” -Galileo Galilei

Side Channel Attacks (SCAs), an attack that exploits the physical information generated when an encryption algorithm is executed on a device to recover the key, has become one of the key threats to the security of encrypted devices. Recently, with the development of deep learning, deep learning techniques have been applied to SCAs with good results on publicly available dataset experiences. In this paper, we propose a power traces decomposition method that divides the original power traces into two parts, where the data-influenced part is defined as data power traces (Tdata) and the other part is defined as device constant power traces, and use the Tdata for training the network model, which has more obvious advantages than using the original power traces for training the network model. To verify the effectiveness of the approach, we evaluated the ATXmega128D4 microcontroller by capturing the power traces generated when implementing AES-128. Experimental results show that network models trained using Tdata outperform network models trained using raw power traces (Traw ) in terms of classification accuracy, training time, cross-subkey recovery key, and cross-device recovery key.

Documents are a common method of storing infor-mation and one of the most conventional forms of expression of ideas. Cloud servers store a user's documents with thousands of other users in place of physical storage devices. Indexes corresponding to the documents are also stored at the cloud server to enable the users to retrieve documents of their interest. The index includes keywords, document identities in which the keywords appear, along with Term Frequency-Inverse Document Frequency (TF-IDF) values which reflect the keywords' relevance scores of the dataset. Currently, there are no efficient methods to delete keywords from millions of documents over cloud servers while avoiding any compromise to the user's privacy. Most of the existing approaches use algorithms that divide a bigger problem into sub-problems and then combine them like divide and conquer problems. These approaches don't focus entirely on fine-grained deletion. This work is focused on achieving fine-grained deletion of keywords by keeping the size of the TF-IDF matrix constant after processing the deletion query, which comprises of keywords to be deleted. The experimental results of the proposed approach confirm that the precision of ranked search still remains very high after deletion without recalculation of the TF-IDF matrix.