Visible to the public Biblio

Filters: Keyword is Ecosystems  [Clear All Filters]
2023-09-08
Hamdaoui, Ikram, Fissaoui, Mohamed El, Makkaoui, Khalid El, Allali, Zakaria El.  2022.  An intelligent traffic monitoring approach based on Hadoop ecosystem. 2022 5th International Conference on Networking, Information Systems and Security: Envisage Intelligent Systems in 5g//6G-based Interconnected Digital Worlds (NISS). :1–6.
Nowadays, smart cities (SCs) use technologies and different types of data collected to improve the lifestyles of their citizens. Indeed, connected smart vehicles are technologies used for an SC’s intelligent traffic monitoring systems (ITMSs). However, most proposed monitoring approaches do not consider realtime monitoring. This paper presents real-time data processing for an intelligent traffic monitoring dashboard using the Hadoop ecosystem dashboard components. Many data are available due to our proposed monitoring approach, such as the total number of vehicles on different routes and data on trucks within a radius (10KM) of a specific point given. Based on our generated data, we can make real-time decisions to improve circulation and optimize traffic flow.
2023-07-28
Ksibi, Sondes, JAIDI, Faouzi, BOUHOULA, Adel.  2022.  A User-Centric Fuzzy AHP-based Method for Medical Devices Security Assessment. 2022 15th International Conference on Security of Information and Networks (SIN). :01—07.

One of the most challenging issues facing Internet of Medical Things (IoMT) cyber defense is the complexity of their ecosystem coupled with the development of cyber-attacks. Medical equipments lack built-in security and are increasingly becoming connected. Moving beyond traditional security solutions becomes a necessity to protect patients and organizations. In order to effectively deal with the security risks of networked medical devices in such a complex and heterogeneous system, we need to measure security risks and prioritize mitigation actions. In this context, we propose a Fuzzy AHP-based method to assess security attributes of connected medical devices and compare different device models against a selected profile with regards to the user requirements. The proposal aims to empower user security awareness to make well-educated decisions.

2023-07-13
Wu, Yuhao, Wang, Yujie, Zhai, Shixuan, Li, Zihan, Li, Ao, Wang, Jinwen, Zhang, Ning.  2022.  Work-in-Progress: Measuring Security Protection in Real-time Embedded Firmware. 2022 IEEE Real-Time Systems Symposium (RTSS). :495–498.
The proliferation of real-time cyber-physical systems (CPS) is making profound changes to our daily life. Many real-time CPSs are security and safety-critical because of their continuous interactions with the physical world. While the general perception is that the security protection mechanism deployment is often absent in real-time embedded systems, there is no existing empirical study that measures the adoption of these mechanisms in the ecosystem. To bridge this gap, we conduct a measurement study for real-time embedded firmware from both a security perspective and a real-time perspective. To begin with, we collected more than 16 terabytes of embedded firmware and sampled 1,000 of them for the study. Then, we analyzed the adoption of security protection mechanisms and their potential impacts on the timeliness of real-time embedded systems. Besides, we measured the scheduling algorithms supported by real-time embedded systems since they are also security-critical.
ISSN: 2576-3172
2023-06-09
Liu, Chengwei, Chen, Sen, Fan, Lingling, Chen, Bihuan, Liu, Yang, Peng, Xin.  2022.  Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). :672—684.
Third-party libraries with rich functionalities facilitate the fast development of JavaScript software, leading to the explosive growth of the NPM ecosystem. However, it also brings new security threats that vulnerabilities could be introduced through dependencies from third-party libraries. In particular, the threats could be excessively amplified by transitive dependencies. Existing research only considers direct dependencies or reasoning transitive dependencies based on reachability analysis, which neglects the NPM-specific dependency resolution rules as adapted during real installation, resulting in wrongly resolved dependencies. Consequently, further fine-grained analysis, such as precise vulnerability propagation and their evolution over time in dependencies, cannot be carried out precisely at a large scale, as well as deriving ecosystem-wide solutions for vulnerabilities in dependencies. To fill this gap, we propose a knowledge graph-based dependency resolution, which resolves the inner dependency relations of dependencies as trees (i.e., dependency trees), and investigates the security threats from vulnerabilities in dependency trees at a large scale. Specifically, we first construct a complete dependency-vulnerability knowledge graph (DVGraph) that captures the whole NPM ecosystem (over 10 million library versions and 60 million well-resolved dependency relations). Based on it, we propose a novel algorithm (DTResolver) to statically and precisely resolve dependency trees, as well as transitive vulnerability propagation paths, for each package by taking the official dependency resolution rules into account. Based on that, we carry out an ecosystem-wide empirical study on vulnerability propagation and its evolution in dependency trees. Our study unveils lots of useful findings, and we further discuss the lessons learned and solutions for different stakeholders to mitigate the vulnerability impact in NPM based on our findings. For example, we implement a dependency tree based vulnerability remediation method (DTReme) for NPM packages, and receive much better performance than the official tool (npm audit fix).
Dave, Madhavi.  2022.  Internet of Things Security and Forensics: Concern and Challenges for Inspecting Cyber Attacks. 2022 Second International Conference on Next Generation Intelligent Systems (ICNGIS). :1—6.
The Internet of Things is an emerging technology for recent marketplace. In IoT, the heterogeneous devices are connected through the medium of the Internet for seamless communication. The devices used in IoT are resource-constrained in terms of memory, power and processing. Due to that, IoT system is unable to implement hi-end security for malicious cyber-attacks. The recent era is all about connecting IoT devices in various domains like medical, agriculture, transport, power, manufacturing, supply chain, education, etc. and thus need to be prevented from attacks and analyzed after attacks for legal action. The legal analysis of IoT data, devices and communication is called IoT forensics which is highly indispensable for various types of attacks on IoT system. This paper will review types of IoT attacks and its preventive measures in cyber security. It will also help in ascertaining IoT forensics and its challenges in detail. This paper will conclude with the high requirement of cyber security in IoT domains with implementation of standard rules for IoT forensics.
2023-05-12
Ranieri, Angelo, Ruggiero, Andrea.  2022.  Complementary role of conversational agents in e-health services. 2022 IEEE International Conference on Metrology for Extended Reality, Artificial Intelligence and Neural Engineering (MetroXRAINE). :528–533.
In recent years, business environments are undergoing disruptive changes across sectors [1]. Globalization and technological advances, such as artificial intelligence and the internet of things, have completely redesigned business activities, bringing to light an ever-increasing interest and attention towards the customer [2], especially in healthcare sector. In this context, researchers is paying more and more attention to the introduction of new technologies capable of meeting the patients’ needs [3, 4] and the Covid-19 pandemic has contributed and still contributes to accelerate this phenomenon [5]. Therefore, emerging technologies (i.e., AI-enabled solutions, service robots, conversational agents) are proving to be effective partners in improving medical care and quality of life [6]. Conversational agents, often identified in other ways as “chatbots”, are AI-enabled service robots based on the use of text [7] and capable of interpreting natural language and ensuring automation of responses by emulating human behavior [8, 9, 10]. Their introduction is linked to help institutions and doctors in the management of their patients [11, 12], at the same time maintaining the negligible incremental costs thanks to their virtual aspect [13–14]. However, while the utilization of these tools has significantly increased during the pandemic [15, 16, 17], it is unclear what benefits they bring to service delivery. In order to identify their contributions, there is a need to find out which activities can be supported by conversational agents.This paper takes a grounded approach [18] to achieve contextual understanding design and to effectively interpret the context and meanings related to conversational agents in healthcare interactions. The study context concerns six chatbots adopted in the healthcare sector through semi-structured interviews conducted in the health ecosystem. Secondary data relating to these tools under consideration are also used to complete the picture on them. Observation, interviewing and archival documents [19] could be used in qualitative research to make comparisons and obtain enriched results due to the opportunity to bridge the weaknesses of one source by compensating it with the strengths of others. Conversational agents automate customer interactions with smart meaningful interactions powered by Artificial Intelligence, making support, information provision and contextual understanding scalable. They help doctors to conduct the conversations that matter with their patients. In this context, conversational agents play a critical role in making relevant healthcare information accessible to the right stakeholders at the right time, defining an ever-present accessible solution for patients’ needs. In summary, conversational agents cannot replace the role of doctors but help them to manage patients. By conveying constant presence and fast information, they help doctors to build close relationships and trust with patients.
2023-03-31
Saraswat, Deepti, Ladhiya, Karan, Bhattacharya, Pronaya, Zuhair, Mohd.  2022.  PHBio: A Pallier Homomorphic Biometric Encryption Scheme in Healthcare 4.0 Ecosystems. 2022 3rd International Conference on Intelligent Engineering and Management (ICIEM). :306–312.

In healthcare 4.0 ecosystems, authentication of healthcare information allows health stakeholders to be assured that data is originated from correct source. Recently, biometric based authentication is a preferred choice, but as the templates are stored on central servers, there are high chances of copying and generating fake biometrics. An adversary can forge the biometric pattern, and gain access to critical health systems. Thus, to address the limitation, the paper proposes a scheme, PHBio, where an encryption-based biometric system is designed prior before storing the template to the server. Once a user provides his biometrics, the authentication process does not decrypt the data, rather uses a homomorphic-enabled Paillier cryptosystem. The scheme presents the encryption and the comparison part which is based on euclidean distance (EUD) strategy between the user input and the stored template on the server. We consider the minimum distance, and compare the same with a predefined threshold distance value to confirm a biometric match, and authenticate the user. The scheme is compared against parameters like accuracy, false rejection rates (FARs), and execution time. The proposed results indicate the validity of the scheme in real-time health setups.

Chapman, Jon, Venugopalan, Hari.  2022.  Open Source Software Computed Risk Framework. 2022 IEEE 17th International Conference on Computer Sciences and Information Technologies (CSIT). :172–175.
The increased dissemination of open source software to a broader audience has led to a proportional increase in the dissemination of vulnerabilities. These vulnerabilities are introduced by developers, some intentionally or negligently. In this paper, we work to quantity the relative risk that a given developer represents to a software project. We propose using empirical software engineering based analysis on the vast data made available by GitHub to create a Developer Risk Score (DRS) for prolific contributors on GitHub. The DRS can then be aggregated across a project as a derived vulnerability assessment, we call this the Computational Vulnerability Assessment Score (CVAS). The CVAS represents the correlation between the Developer Risk score across projects and vulnerabilities attributed to those projects. We believe this to be a contribution in trying to quantity risk introduced by specific developers across open source projects. Both of the risk scores, those for contributors and projects, are derived from an amalgamation of data, both from GitHub and outside GitHub. We seek to provide this risk metric as a force multiplier for the project maintainers that are responsible for reviewing code contributions. We hope this will lead to a reduction in the number of introduced vulnerabilities for projects in the Open Source ecosystem.
ISSN: 2766-3639
2023-03-17
Bátrla, Michael, Harašta, Jakub.  2022.  ‘Releasing the Hounds?’1 Disruption of the Ransomware Ecosystem Through Offensive Cyber Operations 2022 14th International Conference on Cyber Conflict: Keep Moving! (CyCon). 700:93–115.
Ransomware groups represent a significant cyber threat to Western states. Most high-end ransomware actors reside in territorial safe-haven jurisdictions and prove to be resistant to traditional law enforcement activities. This has prompted public sector and cybersecurity industry leaders to perceive ransomware as a national security threat requiring a whole-of-government approach, including cyber operations. In this paper, we investigate whether cyber operations or the threat of cyber operations influence the ransomware ecosystem. Subsequently, we assess the vectors of influence and characteristics of past operations that have disrupted the ecosystem. We describe the specifics of the ransomware-as-a-service system and provide three case studies (DarkSide/BlackMatter, REvil, Conti) highly representative of the current ecosystem and the effect cyber operations have on it. Additionally, we present initial observations about the influence of cyber operations on the system, including best practices from cyber operations against non-state groups. We conclude that even professional, highly skilled, and top-performing ransomware groups can be disrupted through cyber operations. In fact, cyber operations can even bypass some limits imposed on law enforcement operations. Even when ransomware groups rebrand or resurface after a hiatus, we suggest their infrastructure (both technical, human, and reputational) will still suffer mid-to long-term disruption. Although cyber operations are unlikely to be a silver bullet, they are an essential tool in the whole-of-government and multinational efforts and may even grow in importance in the next several years.1‘Releasing the hounds’ is a term for offensive cyber operations aimed at disrupting global ransomware gangs, especially those conducted by militaries or intelligence agencies. First use is found in Patrick Gray and Adam Boileau, ‘Feature Podcast: Releasing the Hounds with Bobby Chesney’, Risky Business, 28 May 2020, https://risky.biz/HF6/.
ISSN: 2325-5374
2023-03-03
Hong, Geng, Yang, Zhemin, Yang, Sen, Liaoy, Xiaojing, Du, Xiaolin, Yang, Min, Duan, Haixin.  2022.  Analyzing Ground-Truth Data of Mobile Gambling Scams. 2022 IEEE Symposium on Security and Privacy (SP). :2176–2193.
With the growth of mobile computing techniques, mobile gambling scams have seen a rampant increase in the recent past. In mobile gambling scams, miscreants deliver scamming messages via mobile instant messaging, host scam gambling platforms on mobile apps, and adopt mobile payment channels. To date, there is little quantitative knowledge about how this trending cybercrime operates, despite causing daily fraud losses estimated at more than \$\$\$522,262 USD. This paper presents the first empirical study based on ground-truth data of mobile gambling scams, associated with 1,461 scam incident reports and 1,487 gambling scam apps, spanning from January 1, 2020 to December 31, 2020. The qualitative and quantitative analysis of this ground-truth data allows us to characterize the operational pipeline and full fraud kill chain of mobile gambling scams. In particular, we study the social engineering tricks used by scammers and reveal their effectiveness. Our work provides a systematic analysis of 1,068 confirmed Android and 419 iOS scam apps, including their development frameworks, declared permissions, compatibility, and backend network infrastructure. Perhaps surprisingly, our study unveils that public online app generators have been abused to develop gambling scam apps. Our analysis reveals several payment channels (ab)used by gambling scam app and uncovers a new type of money mule-based payment channel with the average daily gambling deposit of \$\$\$400,000 USD. Our findings enable a better understanding of the mobile gambling scam ecosystem, and suggest potential avenues to disrupt these scam activities.
ISSN: 2375-1207
Rahkema, Kristiina, Pfahl, Dietmar.  2022.  Quality Analysis of iOS Applications with Focus on Maintainability and Security. 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME). :602–606.
We use mobile apps on a daily basis and there is an app for everything. We trust these applications with our most personal data. It is therefore important that these apps are as secure and well usable as possible. So far most studies on the maintenance and security of mobile applications have been done on Android applications. We do, however, not know how well these results translate to iOS.This research project aims to close this gap by analysing iOS applications with regards to maintainability and security. Regarding maintainability, we analyse code smells in iOS applications, the evolution of code smells in iOS applications and compare code smell distributions in iOS and Android applications. Regarding security, we analyse the evolution of the third-party library dependency network for the iOS ecosystem. Additionally, we analyse how publicly reported vulnerabilities spread in the library dependency network.Regarding maintainability, we found that the distributions of code smells in iOS and Android applications differ. Code smells in iOS applications tend to correspond to smaller classes, such as Lazy Class. Regarding security, we found that the library dependency network of the iOS ecosystem is not growing as fast as in some other ecosystems. There are less dependencies on average than for example in the npm ecosystem and, therefore, vulnerabilities do not spread as far.
ISSN: 2576-3148
2023-02-17
Anderegg, Alfred H. Andy, Ferrell, Uma D..  2022.  Assurance Case Along a Safety Continuum. 2022 IEEE/AIAA 41st Digital Avionics Systems Conference (DASC). :1–10.
The FAA proposes Safety Continuum that recognizes the public expectation for safety outcomes vary with aviation sectors that have different missions, aircraft, and environments. The purpose is to align the rigor of oversight to the public expectations. An aircraft, its variants or derivatives may be used in operations with different expectations. The differences in mission might bring immutable risks for some applications that reuse or revise the original aircraft type design. The continuum enables a more agile design approval process for innovations in the context of a dynamic ecosystems, addressing the creation of variants for different sectors and needs. Since an aircraft type design can be reused in various operations under part 91 or 135 with different mission risks the assurance case will have many branches reflecting the variants and derivatives.This paper proposes a model for the holistic, performance-based, through-life safety assurance case that focuses applicant and oversight alike on achieving the safety outcomes. This paper describes the application of goal-based, technology-neutral features of performance-based assurance cases extending the philosophy of UL 4600, to the Safety Continuum. This paper specifically addresses component reuse including third-party vehicle modifications and changes to operational concept or eco-system. The performance-based assurance argument offers a way to combine the design approval more seamlessly with the oversight functions by focusing all aspects of the argument and practice together to manage the safety outcomes. The model provides the context to assure mitigated risk are consistent with an operation’s place on the safety continuum, while allowing the applicant to reuse parts of the assurance argument to innovate variants or derivatives. The focus on monitoring performance to constantly verify the safety argument complements compliance checking as a way to assure products are "fit-for-use". The paper explains how continued operational safety becomes a natural part of monitoring the assurance case for growing variety in a product line by accounting for the ecosystem changes. Such a model could be used with the Safety Continuum to promote applicant and operator accountability delivering the expected safety outcomes.
ISSN: 2155-7209
Ferrell, Uma D., Anderegg, Alfred H. Andy.  2022.  Holistic Assurance Case for System-of-Systems. 2022 IEEE/AIAA 41st Digital Avionics Systems Conference (DASC). :1–9.
Aviation is a highly sophisticated and complex System-of-Systems (SoSs) with equally complex safety oversight. As novel products with autonomous functions and interactions between component systems are adopted, the number of interdependencies within and among the SoS grows. These interactions may not always be obvious. Understanding how proposed products (component systems) fit into the context of a larger SoS is essential to promote the safe use of new as well as conventional technology.UL 4600, is a Standard for Safety for the Evaluation of Autonomous Products specifically written for completely autonomous Load vehicles. The goal-based, technology-neutral features of this standard make it adaptable to other industries and applications.This paper, using the philosophy of UL 4600, gives guidance for creating an assurance case for products in an SoS context. An assurance argument is a cogent structured argument concluding that an autonomous aircraft system possesses all applicable through-life performance and safety properties. The assurance case process can be repeated at each level in the SoS: aircraft, aircraft system, unmodified components, and modified components. The original Equipment Manufacturer (OEM) develops the assurance case for the whole aircraft envisioned in the type certification process. Assurance cases are continuously validated by collecting and analyzing Safety Performance Indicators (SPIs). SPIs provide predictive safety information, thus offering an opportunity to improve safety by preventing incidents and accidents. Continuous validation is essential for risk-based approval of autonomously evolving (dynamic) systems, learning systems, and new technology. System variants, derivatives, and components are captured in a subordinate assurance case by their developer. These variants of the assurance case inherently reflect the evolution of the vehicle-level derivatives and options in the context of their specific target ecosystem. These subordinate assurance cases are nested under the argument put forward by the OEM of components and aircraft, for certification credit.It has become a common practice in aviation to address design hazards through operational mitigations. It is also common for hazards noted in an aircraft component system to be mitigated within another component system. Where a component system depends on risk mitigation in another component of the SoS, organizational responsibilities must be stated explicitly in the assurance case. However, current practices do not formalize accounting for these dependencies by the parties responsible for design; consequently, subsequent modifications are made without the benefit of critical safety-related information from the OEMs. The resulting assurance cases, including 3rd party vehicle modifications, must be scrutinized as part of the holistic validation process.When changes are made to a product represented within the assurance case, their impact must be analyzed and reflected in an updated assurance case. An OEM can facilitate this by integrating affected assurance cases across their customer’s supply chains to ensure their validity. The OEM is expected to exercise the sphere-of-control over their product even if it includes outsourced components. Any organization that modifies a product (with or without assurance argumentation information from other suppliers) is accountable for validating the conditions for any dependent mitigations. For example, the OEM may manage the assurance argumentation by identifying requirements and supporting SPI that must be applied in all component assurance cases. For their part, component assurance cases must accommodate all spheres-of-control that mitigate the risks they present in their respective contexts. The assurance case must express how interdependent mitigations will collectively assure the outcome. These considerations are much more than interface requirements and include explicit hazard mitigation dependencies between SoS components. A properly integrated SoS assurance case reflects a set of interdependent systems that could be independently developed..Even in this extremely interconnected environment, stakeholders must make accommodations for the independent evolution of products in a manner that protects proprietary information, domain knowledge, and safety data. The collective safety outcome for the SoS is based on the interdependence of mitigations by each constituent component and could not be accomplished by any single component. This dependency must be explicit in the assurance case and should include operational mitigations predicated on people and processes.Assurance cases could be used to gain regulatory approval of conventional and new technology. They can also serve to demonstrate consistency with a desired level of safety, especially in SoSs whose existing standards may not be adequate. This paper also provides guidelines for preserving alignment between component assurance cases along a product supply chain, and the respective SoSs that they support. It shows how assurance is a continuous process that spans product evolution through the monitoring of interdependent requirements and SPI. The interdependency necessary for a successful assurance case encourages stakeholders to identify and formally accept critical interconnections between related organizations. The resulting coordination promotes accountability for safety through increased awareness and the cultivation of a positive safety culture.
ISSN: 2155-7209
Caramancion, Kevin Matthe.  2022.  An Exploration of Mis/Disinformation in Audio Format Disseminated in Podcasts: Case Study of Spotify. 2022 IEEE International IOT, Electronics and Mechatronics Conference (IEMTRONICS). :1–6.
This paper examines audio-based social networking platforms and how their environments can affect the persistence of fake news and mis/disinformation in the whole information ecosystem. This is performed through an exploration of their features and how they compare to that of general-purpose multimodal platforms. A case study on Spotify and its recent issue on free speech and misinformation is the application area of this paper. As a supplementary, a demographic analysis of the current statistics of podcast streamers is outlined to give an overview of the target audience of possible deception attacks in the future. As for the conclusion, this paper confers a recommendation to policymakers and experts in preparing for future mis-affordance of the features in social environments that may unintentionally give the agents of mis/disinformation prowess to create and sow discord and deception.
Ruaro, Nicola, Pagani, Fabio, Ortolani, Stefano, Kruegel, Christopher, Vigna, Giovanni.  2022.  SYMBEXCEL: Automated Analysis and Understanding of Malicious Excel 4.0 Macros. 2022 IEEE Symposium on Security and Privacy (SP). :1066–1081.
Malicious software (malware) poses a significant threat to the security of our networks and users. In the ever-evolving malware landscape, Excel 4.0 Office macros (XL4) have recently become an important attack vector. These macros are often hidden within apparently legitimate documents and under several layers of obfuscation. As such, they are difficult to analyze using static analysis techniques. Moreover, the analysis in a dynamic analysis environment (a sandbox) is challenging because the macros execute correctly only under specific environmental conditions that are not always easy to create. This paper presents SYMBEXCEL, a novel solution that leverages symbolic execution to deobfuscate and analyze Excel 4.0 macros automatically. Our approach proceeds in three stages: (1) The malicious document is parsed and loaded in memory; (2) Our symbolic execution engine executes the XL4 formulas; and (3) Our Engine concretizes any symbolic values encountered during the symbolic exploration, therefore evaluating the execution of each macro under a broad range of (meaningful) environment configurations. SYMBEXCEL significantly outperforms existing deobfuscation tools, allowing us to reliably extract Indicators of Compromise (IoCs) and other critical forensics information. Our experiments demonstrate the effectiveness of our approach, especially in deobfuscating novel malicious documents that make heavy use of environment variables and are often not identified by commercial anti-virus software.
ISSN: 2375-1207
2023-02-13
Yu, Beiyuan, Li, Pan, Liu, Jianwei, Zhou, Ziyu, Han, Yiran, Li, Zongxiao.  2022.  Advanced Analysis of Email Sender Spoofing Attack and Related Security Problems. 2022 IEEE 9th International Conference on Cyber Security and Cloud Computing (CSCloud)/2022 IEEE 8th International Conference on Edge Computing and Scalable Cloud (EdgeCom). :80—85.

A mail spoofing attack is a harmful activity that modifies the source of the mail and trick users into believing that the message originated from a trusted sender whereas the actual sender is the attacker. Based on the previous work, this paper analyzes the transmission process of an email. Our work identifies new attacks suitable for bypassing SPF, DMARC, and Mail User Agent’s protection mechanisms. We can forge much more realistic emails to penetrate the famous mail service provider like Tencent by conducting the attack. By completing a large-scale experiment on these well-known mail service providers, we find some of them are affected by the related vulnerabilities. Some of the bypass methods are different from previous work. Our work found that this potential security problem can only be effectively protected when all email service providers have a standard view of security and can configure appropriate security policies for each email delivery node. In addition, we also propose a mitigate method to defend against these attacks. We hope our work can draw the attention of email service providers and users and effectively reduce the potential risk of phishing email attacks on them.

2023-02-03
Palani, Lavanya, Pandey, Anoop Kumar, Rajendran, Balaji, Bindhumadhava, B S, Sudarsan, S D.  2022.  A Study of PKI Ecosystem in South Asian and Oceania Countries. 2022 IEEE International Conference on Public Key Infrastructure and its Applications (PKIA). :1–5.
Public Key Infrastructure (PKI) as a techno-policy ecosystem for establishing electronic trust has survived for several decades and evolved as the de-facto model for centralized trust in electronic transactions. In this paper, we study the PKI ecosystem that are prevailing in the South Asian and Oceanic countries and brief them. We also look at how PKI has coped up with the rapid technological changes and how policies have been realigned or formulated to strengthen the PKI ecosystem in these countries.
Patil, Vishwas T., Shyamasundar, R.K..  2022.  Evolving Role of PKI in Facilitating Trust. 2022 IEEE International Conference on Public Key Infrastructure and its Applications (PKIA). :1–7.
A digital certificate is by far the most widely used artifact to establish secure electronic communication over the Internet. It certifies to its user that the public key encapsulated in it is associated with the subject of the certificate. A Public Key Infrastructure (PKI) is responsible to create, store, distribute, and revoke digital certificates. To establish a secure communication channel two unfamiliar entities rely on a common certificate issuer (a part of PKI) that vouches for both entities' certificates - thus authenticating each other via public keys listed in each other's certificates. Therefore, PKIs act as a trusted third party for two previously unfamiliar entities. Certificates are static data structures, their revocation status must be checked before usage; this step inadvertently involves a PKI for every secure channel establishment - leading to privacy violations of relying parties. As PKIs act as trust anchors for their subjects, any inadvertent event or malfeasance in PKI setup breaches the trust relationship leading to identity theft. Alternative PKI trust models, like PGP and SPKI, have been proposed but with limited deployment. With several retrofitting amendments to the prevalent X.509 standard, the standard has been serving its core objective of entity authentication but with modern requirements of contextual authentication, it is falling short to accommodate the evolving requirements. With the advent of blockchain as a trust management protocol, the time has come to rethink flexible alternatives to PKI core functionality; keeping in mind the modern-day requirements of contextual authentication-cum-authorization, weighted trust anchors, privacy-preservation, usability, and cost-efficient key management. In this paper, we assess this technology's complementary role in modern-day evolving security requirements. We discuss the feasibility of re-engineering PKIs with the help of blockchains, and identity networks.
2023-01-13
Wermke, Dominik, Wöhler, Noah, Klemmer, Jan H., Fourné, Marcel, Acar, Yasemin, Fahl, Sascha.  2022.  Committed to Trust: A Qualitative Study on Security & Trust in Open Source Software Projects. 2022 IEEE Symposium on Security and Privacy (SP). :1880–1896.
Open Source Software plays an important role in many software ecosystems. Whether in operating systems, network stacks, or as low-level system drivers, software we encounter daily is permeated with code contributions from open source projects. Decentralized development and open collaboration in open source projects introduce unique challenges: code submissions from unknown entities, limited personpower for commit or dependency reviews, and bringing new contributors up-to-date in projects’ best practices & processes.In 27 in-depth, semi-structured interviews with owners, maintainers, and contributors from a diverse set of open source projects, we investigate their security and trust practices. For this, we explore projects’ behind-the-scene processes, provided guidance & policies, as well as incident handling & encountered challenges. We find that our participants’ projects are highly diverse both in deployed security measures and trust processes, as well as their underlying motivations. Based on our findings, we discuss implications for the open source software ecosystem and how the research community can better support open source projects in trust and security considerations. Overall, we argue for supporting open source projects in ways that consider their individual strengths and limitations, especially in the case of smaller projects with low contributor numbers and limited access to resources.
2023-01-05
Tzoneva, Albena, Momcheva, Galina, Stoyanov, Borislav.  2022.  Vendor Cybersecurity Risk Assessment in an Autonomous Mobility Ecosystem. 2022 10th International Scientific Conference on Computer Science (COMSCI). :1—7.
Vendor cybersecurity risk assessment is of critical importance to smart city infrastructure and sustainability of the autonomous mobility ecosystem. Lack of engagement in cybersecurity policies and process implementation by the tier companies providing hardware or services to OEMs within this ecosystem poses a significant risk to not only the individual companies but to the ecosystem overall. The proposed quantitative method of estimating cybersecurity risk allows vendors to have visibility to the financial risk associated with potential threats and to consequently allocate adequate resources to cybersecurity. It facilitates faster implementation of defense measures and provides a useful tool in the vendor selection process. The paper focuses on cybersecurity risk assessment as a critical part of the overall company mission to create a sustainable structure for maintaining cybersecurity health. Compound cybersecurity risk and impact on company operations as outputs of this quantitative analysis present a unique opportunity to strategically plan and make informed decisions towards acquiring a reputable position in a sustainable ecosystem. This method provides attack trees and assigns a risk factor to each vendor thus offering a competitive advantage and an insight into the supply chain risk map. This is an innovative way to look at vendor cybersecurity posture. Through a selection of unique industry specific parameters and a modular approach, this risk assessment model can be employed as a tool to navigate the supply base and prevent significant financial cost. It generates synergies within the connected vehicle ecosystem leading to a safe and sustainable economy.
2022-12-06
Tamburello, Marialaura, Caruso, Giuseppe, Giordano, Stefano, Adami, Davide, Ojo, Mike.  2022.  Edge-AI Platform for Realtime Wildlife Repelling. 2022 IEEE 21st Mediterranean Electrotechnical Conference (MELECON). :80-84.

In this paper, we present the architecture of a Smart Industry inspired platform designed for Agriculture 4.0 applications and, specifically, to optimize an ecosystem of SW and HW components for animal repelling. The platform implementation aims to obtain reliability and energy efficiency in a system aimed to detect, recognize, identify, and repel wildlife by generating specific ultrasound signals. The wireless sensor network is composed of OpenMote hardware devices coordinated on a mesh network based on the 6LoWPAN protocol, and connected to an FPGA-based board. The system, activated when an animal is detected, elaborates the data received from a video camera connected to FPGA-based hardware devices and then activates different ultrasonic jammers belonging to the OpenMotes network devices. This way, in real-time wildlife will be progressively moved away from the field to be preserved by the activation of specific ultrasonic generators. To monitor the daily behavior of the wildlife, the ecosystem is expanded using a time series database running on a Cloud platform.

2022-09-09
Kieras, Timothy, Farooq, Muhammad Junaid, Zhu, Quanyan.  2020.  RIoTS: Risk Analysis of IoT Supply Chain Threats. 2020 IEEE 6th World Forum on Internet of Things (WF-IoT). :1—6.
Securing the supply chain of information and communications technology (ICT) has recently emerged as a critical concern for national security and integrity. With the proliferation of Internet of Things (IoT) devices and their increasing role in controlling real world infrastructure, there is a need to analyze risks in networked systems beyond established security analyses. Existing methods in literature typically leverage attack and fault trees to analyze malicious activity and its impact. In this paper, we develop RIoTS, a security risk assessment framework borrowing from system reliability theory to incorporate the supply chain. We also analyze the impact of grouping within suppliers that may pose hidden risks to the systems from malicious supply chain actors. The results show that the proposed analysis is able to reveal hidden threats posed to the IoT ecosystem from potential supplier collusion.
Maiti, Ankita, Shilpa, R.G.  2020.  Developing a Framework to Digitize Supply Chain Between Supplier and Manufacturer. 2020 5th International Conference on Computing, Communication and Security (ICCCS). :1—6.
Supply chain plays a significant job in an organization making systems between an organization and its supplier to deliver and disperse items and administrations to the last purchasers. Digitization alludes to the way toward moving physical reports into physical documents. Digitization will make incredible open doors for associations and supply chain rehearses. Numerous associations need to turn out to be progressively “advanced” since they have watched the criticality and value of computerized advances for their development and their own organizations. This research study topic presents a review of the supply chain management digitization practices and dreams with a merged image of digitization and stream of data between the Supplier and Manufacturer chain. Value management, in value analysis, assumes a huge job in a viable Digital Supply Chain Management, it is progressively centered around mechanization, digitizing the procedure, and the coordination and reconciliation of the considerable number of components associated with the supply chain. In view of how value-chain management has developed, it assumes an urgent job in managing the ever-expanding unpredictability in supply chains all inclusive. This study presents an overview of the supply chain management digitization practices and visions with a consolidated picture of digitization and flow of information between the Supplier and Manufacturer chain. This study can be further improved by integrating the latest technology and tools AI and IoT-as a future study.
2022-08-03
Palma, Noelia Pérez, Matheu-García, Sara Nieves, Zarca, Alejandro Molina, Ortiz, Jordi, Skarmeta, Antonio.  2021.  Enhancing trust and liability assisted mechanisms for ZSM 5G architectures. 2021 IEEE 4th 5G World Forum (5GWF). :362—367.
5G improves previous generations not only in terms of radio access but the whole infrastructure and services paradigm. Automation, dynamism and orchestration are now key features that allow modifying network behaviour, such as Virtual Network Functions (VNFs), and resource allocation reactively and on demand. However, such dynamic ecosystem must pay special attention to security while ensuring that the system actions are trustworthy and reliable. To this aim, this paper introduces the integration of the Manufacturer Usage Description (MUD) standard alongside a Trust and Reputation Manager (TRM) into the INSPIRE-5GPlus framework, enforcing security properties defined by MUD files while the whole infrastructure, virtual and physical, as well as security metrics are continuously audited to compute trust and reputation values. These values are later fed to enhance trustworthiness on the zero-touch decision making such as the ones orchestrating end-to-end security in a closed-loop.
2022-07-28
Ruohonen, Jukka, Hjerppe, Kalle, Rindell, Kalle.  2021.  A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI. 2021 18th International Conference on Privacy, Security and Trust (PST). :1—10.
Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package Index (PyPI). In total, over 197 thousand packages and over 749 thousand security issues are covered. Even under the constraints imposed by static analysis, (a) the results indicate prevalence of security issues; at least one issue is present for about 46% of the Python packages. In terms of the issue types, (b) exception handling and different code injections have been the most common issues. The subprocess module stands out in this regard. Reflecting the generally small size of the packages, (c) software size metrics do not predict well the amount of issues revealed through static analysis. With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems.