Biblio

As a new paradigm for the monitoring and troubleshooting of backbone networks, the multilayer in-band network telemetry (ML-INT) with deep learning (DL) based data analytics (DA) has recently been proven to be effective on realtime visualization and fine-grained monitoring. However, the existing studies on ML-INT&DA systems have overlooked the privacy and security issues, i.e., a malicious party can apply tapping in the data reporting channels between the data and control planes to illegally obtain plaintext ML-INT data in them. In this paper, we discuss a privacy-preserving DL-based ML-INT&DA system for realizing AI-assisted network automation in backbone networks in the form of IP-over-Optical. We first show a lightweight encryption scheme based on integer vector homomorphic encryption (IVHE), which is used to encrypt plaintext ML-INT data. Then, we architect a DL model for anomaly detection, which can directly analyze the ciphertext ML-INT data. Finally, we present the implementation and experimental demonstrations of the proposed system. The privacy-preserving DL-based ML-INT&DA system is realized in a real IP over elastic optical network (IP-over-EON) testbed, and the experimental results verify the feasibility and effectiveness of our proposal.

Current Internet Protocol routing provides minimal privacy, which enables multiple exploits. The main issue is that the source and destination addresses of all packets appear in plain text. This enables numerous attacks, including surveillance, man-in-the-middle (MITM), and denial of service (DoS). The talk explains how these attacks work in the current network. Endpoints often believe that use of Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP) can minimize the loss of privacy.We will explain how the regularity of human behavior can be used to overcome these countermeasures. Once packets leave the local autonomous system (AS), they are routed through the network by the Border Gateway Protocol (BGP). The talk will discuss the unreliability of BGP and current attacks on the routing protocol. This will include an introduction to BGP injects and the PEERING testbed for BGP experimentation. One experiment we have performed uses statistical methods (CUSUM and F-test) to detect BGP injection events. We describe work we performed that applies BGP injects to Internet Protocol (IP) address randomization to replace fixed IP addresses in headers with randomized addresses. We explain the similarities and differences of this approach with virtual private networks (VPNs). Analysis of this work shows that BGP reliance on autonomous system (AS) numbers removes privacy from the concept, even though it would disable the current generation of MITM and DoS attacks. We end by presenting a compromise approach that creates software-defined data exchanges (SDX), which mix traffic randomization with VPN concepts. We contrast this approach with the Tor overlay network and provide some performance data.

With the emergence of smart automotive devices, the data communication between these devices gains increasing importance. SOME/IP is a light-weight protocol to facilitate inter- process/device communication, which supports both procedural calls and event notifications. Because of its simplicity and capability, SOME/IP is getting adopted by more and more automotive devices. Subsequently, the security of SOME/IP applications becomes crucial. However, previous security testing techniques cannot fit the scenario of vulnerability detection SOME/IP applications due to miscellaneous challenges such as the difficulty of server-side testing programs in parallel, etc. By addressing these challenges, we propose Ori - a greybox fuzzer for SOME/IP applications, which features two key innovations: the attach fuzzing mode and structural mutation. The attach fuzzing mode enables Ori to test server programs efficiently, and the structural mutation allows Ori to generate valid SOME/IP packets to reach deep paths of the target program effectively. Our evaluation shows that Ori can detect vulnerabilities in SOME/IP applications effectively and efficiently.

As the scale of integrated circuits continues to expand, electronic design automation (EDA) and intellectual property (IP) reuse play an increasingly important role in the integrated circuit design process. Although many Web-EDA platforms have begun to provide online EDA software to reduce the threshold for the use of EDA tools, IP protection on the Web- EDA platform is an issue. This article uses blockchain technology to design an IP trading system for the Web-EDA platform to achieve mutual trust and transactions between IP owners and users. The structure of the IP trading system is described in detail, and a blockchain wallet for the Web-EDA platform is developed.

Existing logic-locking attacks are known to successfully decrypt functionally correct key of a locked combinational circuit. It is possible to extend these attacks to real-world Silicon-based Intellectual Properties (IPs, which are sequential circuits) through scan-chains by selectively initializing the combinational logic and analyzing the responses. In this paper, we propose SeqL, which achieves functional isolation and locks selective flip-flop functional-input/scan-output pairs, thus rendering the decrypted key functionally incorrect. We conduct a formal study of the scan-locking problem and demonstrate automating our proposed defense on any given IP. We show that SeqL hides functionally correct keys from the attacker, thereby increasing the likelihood of the decrypted key being functionally incorrect. When tested on pipelined combinational benchmarks (ISCAS, MCNC), sequential benchmarks (ITC) and a fully-fledged RISC-V CPU, SeqL gave 100% resilience to a broad range of state-of-the-art attacks including SAT [1], Double-DIP [2], HackTest [3], SMT [4], FALL [5], Shift-and-Leak [6] and Multi-cycle attacks [7].

Logic encryption is a popular Design-for-Security(DfS) solution that offers protection against the potential adversaries in the third-party fab labs and end-users. However, over the years, logic encryption has been a target of several attacks, especially Boolean satisfiability attacks. This paper exploits SAT attack's inability of deobfuscating sequential circuits as a defense against it. We propose several strategies capable of preventing the SAT attack by obfuscating the scan-based Design-for-Testability (DfT) infrastructure. Unlike the existing SAT-resilient schemes, the proposed techniques do not suffer from poor output corruption for wrong keys. This paper also offers various probable solutions for inserting the key-gates into the circuit that ensures protection against numerous other attacks, which exploit weak key-gate locations. Along with several gate-level obfuscation strategies, this paper also presents a Cellular Automata (CA) guided FSM obfuscation strategy to offer protection at a higher abstraction level, that is, RTL-level. For all the proposed schemes, rigorous security analysis against various attacks evaluates their strengths and limitations. Testability analysis also ensures that none of the proposed techniques hamper the basic testing properties of the ICs. We also present a CA-based FSM watermarking strategy that helps to detect potential theft of the designer's IP by any adversary.

Distributed denial of service (DDoS) attacks can bring tremendous damage to online services and ISPs. Existing adopted mitigation methods either require the victim to have a sufficient number of resources for traffic filtering or to pay a third party cloud service to filter the traffic. In our previous work we proposed CoFence, a collaborative network that allows member domains to help each other in terms of DDoS traffic handling. In that network, victim servers facing a DDoS attack can redirect excessive connection requests to other helping servers in different domains for filtering. Only filtered traffic will continue to interact with the victim server. However, sending traffic to third party servers brings up the issue of privacy: specifically leaked client source IP addresses. In this work we propose a privacy protection mechanism for defense so that the helping servers will not be able to see the IP address of the client traffic while it has minimum impact to the data filtering function. We implemented the design through a test bed to demonstrated the feasibility of the proposed design.

GDSII layouts of IP-confidential products are heavily controlled and access is only granted to certain privileged personnel. Failure analysts are generally excluded. Without guidance from GDSII, failure analysis, specifically physical inspection based on fault isolation findings cannot proceed. To overcome this challenge, we develop an automated approach that enables image snapshots relevant to failure analysts to be furnished without compromising the confidentiality of the GDSII content in this paper. Modules built are executed to trace the suspected nets and extract them into multiple images of different pre-defined frame specifications to facilitate failure analysis.

IP geolocation technology is widely adopted in network security, privacy protection, online advertising, etc. However, existing IP geolocation methods are vulnerable to delay inflation, which reduces their reliability and applicability, especially in weakly connected networks. To solve this problem, a ranking nodes based IP geolocation method (RNBG) is proposed. RNBG leverages the scale-free nature of complex networks to find a few important and stable nodes in networks. And then these nodes are used in the geolocation of IPs in different regions. Experimental results in China and the US show that RNBG can achieve high accuracy even in weakly connected network. Compared with typical methods, the geolocation accuracy is increased by 2.60%-14.27%, up to 97.55%.

Directional Overcurrent Relays (DOCRs) play an essential role in the power system protection to guarantee the reliability, speed of relay operation and avoiding mal-trip in the primary and backup relays when unintentional fault conditions occur in the system. Moreover, the dual setting protection scheme is more efficient protection schemes for offering fast response protection and providing flexibility in the coordination of relay. In this paper, the Adaptive Modified Firefly Algorithm (AMFA) is used to determine the optimal coordination of dual setting DOCRs in the ring distribution system. The AMFA is completed by choosing the minimum value of pickup current (\textbackslashtextbackslashpmbI\textbackslashtextbackslashpmbP) and time dial setting (TDS). On the other hand, dual setting DOCRs protection scheme also proposed for operating in both forward and reverse directions that consisted of individual time current characteristics (TCC) curve for each direction. The previous method is applied to the ring distribution system network of PT. Pupuk Sriwidjaja by considering the fault on each bus. The result illustration that the AMFA within dual setting protection scheme is significantly reaching the optimized coordination and the relay coordination is certain for all simulation scenarios with the minimum operation. The AMFA has been successfully implemented in MATLAB software programming.

In this paper Intelligent Electronic Devices (IED) that use ethernet for communicating with substation devices on the grid where modelled in OPNET. There is a need to test the communication protocol performance over the network. A model for the substation communication network was implemented in OPNET. This was done for ESKOM, which is the electrical power generation and distribution authority in South Africa. The substation communication model consists of 10 ethernet nodes which simulate protection Intelligent Electronic Devices (IEDs), 13 ethernet switches, a server which simulates the substation Remote Terminal Unit (RTU) and the DNP3 Protocol over TCP/IP simulated on the model. DNP3 is a protocol that can be used in a power utility computer network to provide communication service for the grid components. It was selected as the communication protocol because it is widely used in the energy sector in South Africa. The network load and packet delay parameters were sampled when 10%, 50%, 90% and 100% of devices are online. Analysis of the results showed that with an increase in number of nodes there was an increase in packet delay as well as the network load. The load on the network should be taken into consideration when designing a substation communication network that requires a quick response such as a smart gird.

The globalization of IC manufacturing has increased the likelihood for IP providers to suffer financial and reputational loss from IP piracy. Logic locking prevents IP piracy by corrupting the functionality of an IP unless a correct secret key is inserted. However, existing logic-locking techniques can impose significant area overhead and performance impact (delay and power) on designs. In this work, we propose BISTLock, a logic-locking technique that utilizes built-in self-test (BIST) to isolate functional inputs when the circuit is locked. We also propose a set of security metrics and use the proposed metrics to quantify BISTLock's security strength for an open-source AES core. Our experimental results demonstrate that BISTLock is easy to implement and introduces an average of 0.74% area and no power or delay overhead across the set of benchmarks used for evaluation.

Recent advances in resistive synaptic devices have enabled the emergence of brain-inspired smart chips. These chips can execute complex cognitive tasks in digital signal processing precisely and efficiently using an efficient neuromorphic system. The neuromorphic synapses used in such chips, however, are different from the traditional integrated circuit architectures, thereby weakening their resistance to malicious transformation and intellectual property (IP) counterfeiting. Accordingly, in this paper, we propose an effective hybrid encryption methodology for IP core protection in neuromorphic computing systems, in-corporating elliptic curve cryptography and SM4 simultaneously. Experimental results confirm that the proposed method can implement real-time encryption of any number of crossbar arrays in neuromorphic systems accurately, while reducing the time overhead by 14.40%-26.08%.

As massive research efforts are poured into server-side DNS security enhancement in online cloud service platforms, sophisticated APTs tend to develop client-side DNS attacks, where defenders only have limited resources and abilities. The collaborative DNS attack is a representative newest client-side paradigm to stealthily undermine user cache by falsifying DNS responses. Different from existing static methods, in this paper, we propose a moving target defense solution named multi-vNIC intelligent mutation to free defenders from arduous work and thwart elusive client-side DNS attack in the meantime. Multiple virtual network interface cards are created and switched in a mutating manner. Thus attackers have to blindly guess the actual NIC with a high risk of exposure. Firstly, we construct a dynamic game-theoretic model to capture the main characteristics of both attacker and defender. Secondly, a reinforcement learning mechanism is developed to generate adaptive optimal defense strategy. Experiment results also highlight the security performance of our defense method compared to several state-of-the-art technologies.

In the Internet of Vehicles (IoV) paradigm, a model owner is able to leverage on the enhanced capabilities of Intelligent Connected Vehicles (ICV) to develop promising Artificial Intelligence (AI) based applications, e.g., for traffic efficiency. However, in some cases, a model owner may have insufficient data samples to build an effective AI model. To this end, we propose a Federated Learning (FL) based privacy preserving approach to facilitate collaborative FL among multiple model owners in the IoV. Our system model enables collaborative model training without compromising data privacy given that only the model parameters instead of the raw data are exchanged within the federation. However, there are two main challenges of incentive mismatches between workers and model owners, as well as among model owners. For the former, we leverage on the self-revealing mechanism in contract theory under information asymmetry. For the latter, we use the coalitional game theory approach that rewards model owners based on their marginal contributions. The numerical results validate the performance efficiency of our proposed hierarchical incentive mechanism design.

The trust of a robot in its human partner is a significant issue in human-robot interaction, which is seldom explored in the field of robotics. This study addresses a critical issue of robots' trust in humans during the human-robot collaboration process based on the data of human motions, past interactions of the human-robot pair, and the human's current performance in the co-carry task. The trust level is evaluated dynamically throughout the collaborative task that allows the trust level to change if the human performs false positive actions, which can help the robot avoid making unpredictable movements and causing injury to the human. Experimental results showed that the robot effectively assisted the human in collaborative tasks through the proposed computational trust model.

Since the birth of the Internet, the quality of network service has been a widespread concerned problem. With the continuous development of communication and information technology, people gradually realized that the contradiction between the limited resources and the business requirements of network cannot be fundamentally solved. In this paper, we design and develop a distributed security quality of service testing framework called AweQoS(AwesomeQoS), to adapt to the current complex network environment. This paper puts forward the necessity that some security tests should be closely combined with quality of service testing, and further discusses the basic methods of distributed denial of service attack and defense. We introduce the design idea and working process of AweQoS in detail, and introduce a bandwidth test method based on user datagram protocol. Experimental results show that this new test method has better test performance and potential under the AweQoS framework.

The Internet of Things technology has been used in a wide range of fields, ranging from industrial applications to individual lives. As a result, a massive amount of sensitive data is generated and transmitted by IoT devices. Those data may be accessed by a large number of complex users. Therefore, it is necessary to adopt an encryption scheme with access control to achieve more flexible and secure access to sensitive data. The Ciphertext Policy Attribute-Based Encryption (CP-ABE) can achieve access control while encrypting data can match the requirements mentioned above. However, the long ciphertext and the slow decryption operation makes it difficult to be used in most IoT devices which have limited memory size and computing capability. This paper proposes a modified CP-ABE scheme, which can implement the full security (adaptive security) under the access structure of AND gate. Moreover, the decryption overhead and the length of ciphertext are constant. Finally, the analysis and experiments prove the feasibility of our scheme.

Since a lot of information is outsourcing into cloud servers, data confidentiality becomes a higher risk to service providers. To assure data security, Ciphertext Policy Attributes-Based Encryption (CP-ABE) is observed for the cloud environment. Because ciphertexts and secret keys are relying on attributes, the revocation issue becomes a challenge for CP-ABE. This paper proposes an encryption access control (EAC) scheme to fulfill policy revocation which covers both attribute and user revocation. When one of the attributes in an access policy is changed by the data owner, the authorized users should be updated immediately because the revoked users who have gained previous access policy can observe the ciphertext. Especially for data owners, four types of updating policy levels are predefined. By classifying those levels, each secret token key is distinctly generated for each level. Consequently, a new secret key is produced by hashing the secret token key. This paper analyzes the execution times of key generation, encryption, and decryption times between non-revocation and policy revocation cases. Performance analysis for policy revocation is also presented in this paper.

In today's smart healthcare system, medical records of patients are exposed to a large number of users for various purposes, from monitoring the patients' health to data analysis. Preserving the privacy of a patient has become an important and challenging issue. outsourced Ciphertext-Policy Attribute-Based Encryption (CP-ABE) provides a solution for the data sharing and privacy preservation problem in the healthcare system in fog environment. However, the high computational cost in case of frequent attribute updates renders it infeasible for providing access control in healthcare systems. In this paper, we propose an efficient method to overcome the frequent attribute update problem of outsourced CP-ABE. In our proposed approach, we generate two keys for each user (a static key and a dynamic key) based on the constant and changing attributes of the users. Therefore, in case of an attribute change for a user, only the dynamic key is updated. Also, the key update is done at the fog nodes without compromising the security of the system. Thus, both the communication and the computational overhead associated with the key update in the outsourced CP-ABE scheme are reduced, making it an ideal solution for data access control in healthcare systems. The efficacy of our proposed approach is shown through theoretical analysis and experimentation.

In order to improve the buffering performance of the data encrypted by CP-ABE (ciphertext policy attribute based encryption), this paper proposed a Markov prefetching model based on attribute classification. The prefetching model combines the access strategy of CP-ABE encrypted file, establishes the user relationship network according to the attribute value of the user, classifies the user by the modularity-based community partitioning algorithm, and establishes a Markov prefetching model based on attribute classification. In comparison with the traditional Markov prefetching model and the classification-based Markov prefetching model, the attribute-based Markov prefetching model is proposed in this paper has higher prefetch accuracy and coverage.

In this paper, we examine algebraic attacks on the O'zDSt 1105:2009. We begin with a brief review of the meaning of algebraic cryptanalysis, followed by an algebraic cryptanalysis of O'zDSt 1105:2009. Primarily O'zDSt 1105:2009 encryption algorithm is decomposed and each transformation in it is algebraic described separately. Then input and output of each transformation are expressed with other transformation, encryption key, plaintext and cipher text. Created equations, unknowns on it and degree of unknowns are analyzed, and then overall result is given. Based on experimental results, it is impossible to save all system of equations that describes all transformations in O'zDSt 1105:2009 standard. Because, this task requires 273 bytes for the second round. For this reason, it is advisable to evaluate the parameters of the system of algebraic equations, representing the O'zDSt 1105:2009 standard, theoretically.

This article describes the principles of construction, training and use of neural networks. The features of the neural network approach are indicated, as well as the range of tasks for which it is most preferable. Algorithms of functioning, software implementation and results of work of an artificial neural network are presented.

One of the main goals of studying pattern matching techniques is their significant role in real-world applications, such as the intrusion detection systems branch. The purpose of the network attack detection systems NIDS is to protect the infocommunication network from unauthorized access. This article provides an analysis of the exact match and fuzzy matching methods, and discusses a new implementation of the classic Aho-Korasik pattern matching algorithm at the hardware level. The proposed approach to the implementation of the Aho-Korasik algorithm can make it possible to ensure the efficient use of resources, such as memory and energy.

Nowadays, blockchain is very common and widely used in various fields. The properties of blockchain-based algorithms such as being decentralized and uncontrolled by institutions and governments, are the main reasons that has attracted many applications. The security and the scalability limitations are the main challenges for the development of these systems. Using second layer network is one of the various methods proposed to improve the scalability of these systems. This network can increase the total number of transactions per second by creating extra channels between the nodes that operate in a different layer not obligated to be on consensus ledger. In this paper, the optimal structure for the second layer network has been presented. In the proposed structure we try to distribute the parameters of the second layer network as symmetrically as possible. To prove the optimality of this structure we first introduce the maximum scalability bound, and then calculate it for the proposed structure. This paper will show how the second layer method can improve the scalability without any information about the rate of transactions between nodes.