Biblio

Authentication is a challenging and emerging issue for Fog-IoT security paradigms. The fog nodes toward large-scale end-users offer various interacted IoT services. The authentication process usually involves expressing users' personal information such as username, email, and password to the Authentication Server (AS). However, users are not intended to express their identities or information over the fog or cloud servers. Hence, we have proposed an Anonymous User Authentication Scheme for Fog-IoT (AUASF) to keep the anonymity existence of the IoT users and detect the intruders. To provide anonymity, the user can send encrypted credentials such as username, email, and mobile number through the Cloud Service Provider (CSP) for registration. IoT user receives the response with a default password and a secret Id from the CSP. After that, the IoT user submits the default password for first-time access to Fog Service Provider (FSP). The FSP assigns a One Time Password (OTP) to each user for further access. The developed scheme is equipped with hash functions, symmetric encryptions, and decryptions for security perceptions across fog that serves better than the existing anonymity schemes.

Exploring the intrinsic interconnections between the knowledge encoded in PRe-trained Deep Neural Networks (PR-DNNs) of heterogeneous tasks sheds light on their mutual transferability, and consequently enables knowledge transfer from one task to another so as to reduce the training effort of the latter. In this paper, we propose the DEeP Attribution gRAph (DEPARA) to investigate the transferability of knowledge learned from PR-DNNs. In DEPARA, nodes correspond to the inputs and are represented by their vectorized attribution maps with regards to the outputs of the PR-DNN. Edges denote the relatedness between inputs and are measured by the similarity of their features extracted from the PR-DNN. The knowledge transferability of two PR-DNNs is measured by the similarity of their corresponding DEPARAs. We apply DEPARA to two important yet under-studied problems in transfer learning: pre-trained model selection and layer selection. Extensive experiments are conducted to demonstrate the effectiveness and superiority of the proposed method in solving both these problems. Code, data and models reproducing the results in this paper are available at https://github.com/zju-vipa/DEPARA.

A approach to research on the attack mechanism designs through attack surface technology due to the complexity of the attack mechanism. The attack mechanism of a mimic architecture is analyzed in a relative way using attack surface metrics to indicate whether mimic architectures are safer than non-mimic architectures. The definition of the architectures attack surface in terms of the mimic brackets along three abstract dimensions referenced the system attack surface. The larger the attack surface, the more likely the architecture will be attacked.

The Open Data Cube (ODC) initiative, with support from the Committee on Earth Observation Satellites (CEOS) System Engineering Office (SEO) has developed a state-of-the-art suite of software tools and products to facilitate the analysis of Earth Observation data. This paper presents a short summary of our novel architecture approach in a project related to the Open Data Cube (ODC) community that provides users with their own ODC sandbox environment. Users can have a sandbox environment all to themselves for the purpose of running Jupyter notebooks that leverage the ODC. This novel architecture layout will remove the necessity of hosting multiple users on a single Jupyter notebook server and provides better management tooling for handling resource usage. In this new layout each user will have their own credentials which will give them access to a personal Jupyter notebook server with access to a fully deployed ODC environment enabling exploration of solutions to problems that can be supported by Earth observation data.

The Internet of Things (IoT) is rapidly evolving, while introducing several new challenges regarding security, resilience and operational assurance. In the face of an increasing attack landscape, it is necessary to cater for the provision of efficient mechanisms to collectively detect sophisticated malware resulting in undesirable (run-time) device and network modifications. This is not an easy task considering the dynamic and heterogeneous nature of IoT environments; i.e., different operating systems, varied connected networks and a wide gamut of underlying protocols and devices. Malicious IoT nodes or gateways can potentially lead to the compromise of the whole IoT network infrastructure. On the other hand, the SDN control plane has the capability to be orchestrated towards providing enhanced security services to all layers of the IoT networking stack. In this paper, we propose an SDN-enabled control plane based orchestration that leverages emerging Long Short-Term Memory (LSTM) classification models; a Deep Learning (DL) based architecture to combat malicious IoT nodes. It is a first step towards a new line of security mechanisms that enables the provision of scalable AI-based intrusion detection focusing on the operational assurance of only those specific, critical infrastructure components,thus, allowing for a much more efficient security solution. The proposed mechanism has been evaluated with current state of the art datasets (i.e., N\_BaIoT 2018) using standard performance evaluation metrics. Our preliminary results show an outstanding detection accuracy (i.e., 99.9%) which significantly outperforms state-of-the-art approaches. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them, so that security does not hinder the deployment of intelligent IoT-based computing systems.

This paper shows how the Xtensa architecture can be attacked with Return-Oriented-Programming (ROP). The presented techniques include possibilities for both supported Application Binary Interfaces (ABIs). Especially for the windowed ABI a powerful mechanism is presented that not only allows to jump to gadgets but also to manipulate registers without relying on specific gadgets. This paper purely focuses on how the properties of the architecture itself can be exploited to chain gadgets and not on specific attacks or a gadget catalog.

The rapid growth of power Internet of Things devices has led to traditional data security sharing mechanisms that are no longer suitable for attribute and permission management of massive devices. In response to this problem, this article proposes a blockchain-based data security sharing mechanism for the power Internet of Things, which reduces the risk of data leakage through decentralization in the architecture and promotes the integration of multiple information and methods.

Password-based authentication is the most common authentication method for either online or offline system. Password composition policies become too burdensome and put the user in a state of struggle to remember their password. Thus, most of the user save their password on the browser or even list it down in their personal gadgets. Therefore, a multi agent-based password management application have been developed to helps user in keeping their password safely. However, multi-agent system facing security issues such as man in the middle attack, data modification and eavesdropping. This paper proposed a security protocol for multi agent-based architecture in order to reduce potential threats. The security protocol focuess on the authentication of mobile agents, data transmission and the data local protection. The communication channels are secured using cryptography techniques.

Microservices architecture has become one of the most prominent software architectures in the software development processes due to its features such as scalability, maintainability, resilience, and composability. It allows developing business applications in a decentralized manner by dividing the important business logic into separate independent services. Digital certificates are used to verify the identity of microservices in most cases. However, the certificate authorities (CA) who issue the certificates to microservices cannot be trusted always since they can issue certificates without the consent of the relevant microservice. Nevertheless, existing implementations of certificate transparency are mostly centralized and has the vulnerability of the single point of failure. The distributed ledger technologies such as blockchain can be used to achieve decentralized nature in certificate transparency implementations. A blockchain-based decentralized certificate transparency system specified for microservices architecture is proposed in this paper to ensure secure communication among services. After the implementation and deployment in a cloud service, the system expressed average certificate querying time of 643 milliseconds along with the highly secured service provided.

Following the same trend of consumer electronics, safety-critical industries are starting to adopt Over-The-Air Software Updates (OTASU) on their embedded systems. The motivation behind this trend is twofold. On the one hand, OTASU offer several benefits to the product makers and users by improving or adding new functionality and services to the product without a complete redesign. On the other hand, the increasing connectivity trend makes OTASU a crucial cyber-security demand to download latest security patches. However, the application of OTASU in the safety-critical domain is not free of challenges, specially when considering the dramatic increase of software complexity and the resulting high computing performance demands. This is the mission of UP2DATE, a recently launched project funded within the European H2020 programme focused on new software update architectures for heterogeneous high-performance mixed-criticality systems. This paper gives an overview of UP2DATE and its foundations, which seeks to improve existing OTASU solutions by considering safety, security and availability from the ground up in an architecture that builds around composability and modularity.

Problems related to privacy and cyber-attacks have increased in recent years as a result of the rapid development of cloud computing. This work concerns secure cloud computing services on a blockchain platform, called cloud@blockchain, which benefit from the anonymity and immutability of blockchain. Two functions- anonymous file sharing and inspections to find illegally uploaded files- on cloud@blockchain are designed. On cloud@blockchain, cloud users can access data through smart contracts, and recognize all users within the application layer. The performance of three architectures- a pure blockchain, a hybrid blockchain with cache and a traditional database in accessing data is analyzed. The results reveal the superiority of the hybrid blockchain with the cache over the pure blockchain and the traditional database, which it outperforms by 500% and 53.19%, respectively.

Increasing penetration of distributed energy resources (DERs) in distribution networks expands the cyberattack surface. Moreover, the widely used standard protocols for communicating DER inverters such as Modbus is more vulnerable to data-integrity attacks and denial of service (DoS) attacks because of its native clear-text packet format. This paper proposes a distributed intrusion detection system (D-IDS) architecture and algorithms for detecting anomalies on the DER Modbus communication. We devised a model-based approach to define physics-based threshold bands for analog data points and transaction-based threshold bands for both the analog and discrete data points. The proposed IDS algorithm uses the model- based approach to develop Modbus-specific IDS rule sets, which can enhance the detection accuracy of the anomalies either by data-integrity attacks or maloperation on cyber-physical DER Modbus devices. Further, the IDS algorithm autogenerates the Modbus-specific IDS rulesets in compliance with various open- source IDS rule syntax formats, such as Snort and Suricata, for seamless integration and mitigation of semantic/syntax errors in the development and production environment. We considered the IEEE 13-bus distribution grid, including DERs, as a case study. We conducted various DoS type attacks and data-integrity attacks on the hardware-in-the-loop (HIL) CPS DER testbed at ISU to evaluate the proposed D-IDS. Consequently, we computed the performance metrics such as IDS detection accuracy, IDS detection rate, and end-to-end latency. The results demonstrated that 100% detection accuracy, 100% detection rate for 60k DoS packets, 99.96% detection rate for 80k DoS packets, and 0.25 ms end-to-end latency between DERs to Control Center.

Code randomization is considered as the basis of mitigation against code reuse attacks, fundamentally supporting some recent proposals such as execute-only memory (XOM) that aims at dynamic return-oriented programming (ROP) attacks. However, existing code randomization methods are hard to achieve a good balance between high-randomization entropy and semantic consistency. In particular, they always ignore code semantic consistency, incurring performance loss and incompatibility with current security schemes, e.g., control flow integrity (CFI). In this paper, we present an enhanced code randomization method termed as HCRESC, which can improve the randomization entropy significantly, meanwhile ensure the semantic consistency between variants and the original code. HCRESC reschedules instructions within the range of functions rather than basic blocks, thus producing more variants of the original code and preserving the code's semantic. We implement HCRESC on Linux platform of x86-64 architecture and demonstrate that HCRESC can increase the randomization entropy of x86-64 code over than 120% compared with existing methods while ensuring control flow and size of the code unaltered.

As the next-generation network architecture, Information-Centric Networking (ICN) has emerged as a novel paradigm to cope with the increasing demand for content delivery on the Internet. In contrast to the conventional host-centric architectures, ICN focuses on content retrieval based on their name rather than their storage location. However, ICN is vulnerable to various security and privacy attacks due to the inherent attributes of the ICN architectures. For example, a curious ICN node can monitor the network traffic to reveal the sensitive data issued by specific users. Hence, further research on privacy protection for ICN is needed. This paper presents a practical approach to effectively enhancing the security and privacy of ICN by utilizing Intel SGX, a commodity trusted execution environment. The main idea is to leverage secure enclaves residing on ICN nodes to do computations on sensitive data. Performance evaluations on the real-world datasets demonstrate the efficiency of the proposed scheme. Moreover, our scheme outperforms the cryptography based method.

Internet of Things (IoT) systems are becoming widely used, which makes them to be a high-value target for both hackers and crackers. From gaining access to sensitive information to using them as bots for complex attacks, the variety of advantages after exploiting different security vulnerabilities makes the security of IoT devices to be one of the most challenging desideratum for cyber security experts. In this paper, we will propose a new IoT system, designed to ensure five data principles: confidentiality, integrity, availability, authentication and authorization. The innovative aspects are both the usage of a web-based communication and a custom dynamic data request structure.

Emotions are a powerful tool in communication and one way that humans show their emotions is through their facial expressions. One of the challenging and powerful tasks in social communications is facial expression recognition, as in non-verbal communication, facial expressions are key. In the field of Artificial Intelligence, Facial Expression Recognition (FER) is an active research area, with several recent studies using Convolutional Neural Networks (CNNs). In this paper, we demonstrate the classification of FER based on static images, using CNNs, without requiring any pre-processing or feature extraction tasks. The paper also illustrates techniques to improve future accuracy in this area by using pre-processing, which includes face detection and illumination correction. Feature extraction is used to extract the most prominent parts of the face, including the jaw, mouth, eyes, nose, and eyebrows. Furthermore, we also discuss the literature review and present our CNN architecture, and the challenges of using max-pooling and dropout, which eventually aided in better performance. We obtained a test accuracy of 61.7% on FER2013 in a seven-classes classification task compared to 75.2% in state-of-the-art classification.

Modern industrial control systems (ICS) act as victims of cyber attacks more often in last years. These cyber attacks often can not be detected by classical information security methods. Moreover, the consequences of cyber attack's impact can be catastrophic. Since cyber attacks leads to appearance of anomalies in the ICS and technological equipment controlled by it, the task of intrusion detection for ICS can be reformulated as the task of industrial process anomaly detection. This paper considers the applicability of generative adversarial networks (GANs) in the field of industrial processes anomaly detection. Existing approaches for GANs usage in the field of information security (such as anomaly detection in network traffic) were described. It is proposed to use the BiGAN architecture in order to detect anomalies in the industrial processes. The proposed approach has been tested on Secure Water Treatment Dataset (SWaT). The obtained results indicate the prospects of using the examined method in practice.

Software Defined Networking (SDN) focus on the isolation of control plane and data plane, greatly enhancing the network's support for heterogeneity and flexibility. However, although the programmable network greatly improves the performance of all aspects of the network, flexible load balancing across controllers still challenges the current SDN architecture. Complex application scenarios lead to flexible and changeable communication requirements, making it difficult to guarantee the Quality of Service (QoS) for SDN users. To address this issue, this paper proposes a paradigm that uses blockchain to incentive safe load balancing for multiple controllers. We proposed a controller consortium blockchain for secure and efficient load balancing of multi-controllers, which includes a new cryptographic currency balance coin and a novel consensus mechanism Proof-of-Balance (PoB). In addition, we have designed a novel game theory-based incentive mechanism to incentive controllers with tight communication resources to offload tasks to idle controllers. The security analysis and performance simulation results indicate the superiority and effectiveness of the proposed scheme.

This paper proposes a hardware Self-Organizing Map (SOM) for high dimensional vectors. The proposed SOM is based on nested architecture with pipeline processing. Due to homogeneous modular structure, the nested architecture provides high expandability. The original nested SOM was designed to handle low-dimensional vectors with fully parallel computation, and it yielded very high performance. In this paper, the architecture is extended to handle much higher dimensional vectors by using sequential computation, which requires multiple clocks to process a single vector. To increase the performance, the proposed architecture employs pipeline computation, in which search of winner neuron and weight vector update are carried out simultaneously. Operable clock frequency for the system was 60 MHz, and its throughput reached 15012 million connection updates per second (MCUPS).

Multiple techniques for modeling cybersecurity attacks and defense have been developed. The use of tree- structures as well as techniques proposed by several firms (such as Lockheed Martin's Cyber Kill Chain, Microsoft's STRIDE and the MITRE ATT&CK frameworks) have all been demonstrated. These approaches model actions that can be taken to attack or stopped to secure infrastructure and other resources, at different levels of detail.This paper builds on prior work on using the Blackboard Architecture for cyberwarfare and proposes a generalized solution for modeling framework/paradigm-based attacks that go beyond the deployment of a single exploit against a single identified target. The Blackboard Architecture Cyber Command Entity attack Route (BACCER) identification system combines rules and facts that implement attack type determination and attack decision making logic with actions that implement reconnaissance techniques and attack and defense actions. BACCER's efficacy to model examples of tree-structures and other models is demonstrated herein.

This paper describes a novel distributed mobility management (DMM) scheme for the "named-object" information centric network (ICN) architecture in which the routers forward data based on unique identifiers which are dynamically mapped to the current network addresses of a device. The work proposes and evaluates two specific handover schemes namely, hard handoff with rebinding and soft handoff with multihoming intended to provide seamless data transfer with improved throughput during handovers. The evaluation of the proposed handover schemes using system simulation along with proof-of-concept implementation in ORBIT testbed is described. The proposed handoff and scheduling throughput gains are 12.5% and 44% respectively over multiple interfaces when compared to traditional IP network with equal share split scheme. The handover performance with respect to RTT and throughput demonstrate the benefits of clean slate network architecture for beyond 5G networks.

With the increasing diversity of application needs (datacenters, IoT, content retrieval, industrial automation, etc.), new network architectures are continually being proposed to address specific and particular requirements. From a network management perspective, it is both important and challenging to enable evolution towards such new architectures. Given the ubiquity of the Internet, a clean-slate change of the entire infrastructure to a new architecture is impractical. It is believed that we will see new network architectures coming into existence with support for interoperability between separate architectural islands. We may have servers, and more importantly, content, residing in domains having different architectures. This paper presents COIN, a content-oriented interoperability framework for current and future Internet architectures. We seek to provide seamless connectivity and content accessibility across multiple of these network architectures, including the current Internet. COIN preserves each domain's key architectural features and mechanisms, while allowing flexibility for evolvability and extensibility. We focus on Information-Centric Networks (ICN), the prominent class of Future Internet architectures. COIN avoids expanding domain-specific protocols or namespaces. Instead, it uses an application-layer Object Resolution Service to deliver the right "foreign" names to consumers. COIN uses translation gateways that retain essential interoperability state, leverages encryption for confidentiality, and relies on domain-specific signatures to guarantee provenance and data integrity. Using NDN and MobilityFirst as important candidate solutions of ICN, and IP, we evaluate COIN. Measurements from an implementation of the gateways show that the overhead is manageable and scales well.

Recent studies on attacks exploiting processor hardware vulnerabilities have raised significant concern for information security. Particularly, transient execution attacks such as Spectre augment microarchitectural side channels with speculative executions that lead to exfiltration of secretive data not intended to be accessed. Many prior works have demonstrated the manipulation of branch predictors for triggering speculative executions, and thereafter leaking sensitive information through processor microarchitectural components. In this paper, we present a new class of microarchitectural attack, called BranchSpec, that performs information leakage by exploiting state changes of branch predictors in speculative path. Our key observation is that, branch instruction executions in speculative path alter the states of branch pattern history, which are not restored even after the speculatively executed branches are eventually squashed. Unfortunately, this enables adversaries to harness branch predictors as the transmitting medium in transient execution attacks. More importantly, as compared to existing speculative attacks (e.g., Spectre), BranchSpec can take advantage of much simpler code patterns in victim's code base, making the impact of such exploitation potentially even more severe. To demonstrate this security vulnerability, we have implemented two variants of BranchSpec attacks: a side channel where a malicious spy process infers cross-boundary secrets via victim's speculatively executed nested branches, and a covert channel that communicates secrets through intentionally perturbing the branch pattern history structure via speculative branch executions. Our evaluation on Intel Skylake- and Coffee Lake-based processors reveals that these information leakage attacks are highly accurate and successful. To the best of our knowledge, this is the first work to reveal the information leakage threat due to speculative state update in branch predictor. Our studies further broaden the attack surface of processor microarchitecture, and highlight the needs for branch prediction mechanisms that are secure in transient executions.

Malware threats often go undetected immediately, because attackers can camouflage well within the system. The users realize this after the devices stop working and cause harm for them. One way to deceive malicious content detection, malware authors use packers. Malware analysis is an activity to gain knowledge about malware. Reverse engineering is a technique used to identify and deal with new viruses or to understand malware behavior. Therefore, this technique can be the right choice for conducting malware analysis, especially for malware with packers. The results of the analysis are used as a source for making creating indicator of compromise in the YARA rule format. YARA rule is used as a component for detecting malware using the indicators obtained in the analysis process.

The 5G network solutions currently standardised and deployed do not yet enable the full potential of pervasive networking and computing envisioned in 5G initial visions: network services and slices with different QoS profiles do not span multiple operators; security, trust and automation is limited. The evolution of 5G towards a truly production-level stage needs to heavily rely on automated end-to-end network operations, use of distributed Artificial Intelligence (AI) for cognitive network orchestration and management and minimal manual interventions (zero-touch automation). All these elements are key to implement highly pervasive network infrastructures. Moreover, Distributed Ledger Technologies (DLT) can be adopted to implement distributed security and trust through Smart Contracts among multiple non-trusted parties. In this paper, we propose an initial concept of a zero-touch security and trust architecture for ubiquitous computing and connectivity in 5G networks. Our architecture aims at cross-domain security & trust orchestration mechanisms by coupling DLTs with AI-driven operations and service lifecycle automation in multi-tenant and multi-stakeholder environments. Three representative use cases are identified through which we will validate the work which will be validated in the test facilities at 5GBarcelona and 5TONIC/Madrid.