Biblio

As the Internet of Things (IoT) continues to grow, there arises concerns and challenges with regard to the security and privacy of the IoT system. In this paper, we propose a FOg CompUting-based Security (FOCUS) system to address the security challenges in the IoT. The proposed FOCUS system leverages the virtual private network (VPN) to secure the access channel to the IoT devices. In addition, FOCUS adopts a challenge-response authentication to protect the VPN server against distributed denial of service (DDoS) attacks, which can further enhance the security of the IoT system. FOCUS is implemented in fog computing that is close to the end users, thus achieving a fast and efficient protection. We demonstrate FOCUS in a proof-of-concept prototype, and conduct experiments to evaluate its performance. The results show that FOCUS can effectively filter out malicious attacks with a very low response latency.

In the existing remote data integrity checking schemes, dynamic update operates on block level, which usually restricts the location of the data inserted in a file due to the fixed size of a data block. In this paper, we propose a remote data integrity checking scheme with fine-grained update for big data storage. The proposed scheme achieves basic operations of insertion, modification, deletion on line level at any location in a file by designing a mapping relationship between line level update and block level update. Scheme analysis shows that the proposed scheme supports public verification and privacy preservation. Meanwhile, it performs data integrity checking with low computation and communication cost.

Secure logging as an indispensable part of any secure system in practice is well-understood by both academia and industry. However, providing security for audit logs on an untrusted machine in a large distributed system is still a challenging task. The emergence and wide availability of log management tools prompted plenty of work in the security community that allows clients or auditors to verify integrity of the log data. Most recent solutions to this problem focus on the space-efficiency or public verifiability of forward security. Unfortunately, existing secure audit logging schemes have significant performance limitations that make them impractical for realtime large-scale distributed applications: Existing cryptographic hashing is computationally expensive for logging in task intensive or resource-constrained systems especially to prove individual log events, while Merkle-tree approach has fundamental limitations when face with highly concurrent, large-scale log streams due to its serially appending feature. The verification step of Merkle-tree based approach requiring a logarithmic number of hash computations is becoming a bottleneck to improve the overall performance. There is a huge gap between the flux of log streams collected and the computational efficiency of integrity verification in the large-scale distributed systems. In this work, we develop a novel scheme, performance of which favorably compares with the existing solutions. The performance guarantees that we achieve stem from a novel data structure called concurrent authenticated tree, which allows log events concurrently appending and removes the need to wait for append operations to complete sequentially. We implement a prototype using chameleon hashing based on discrete log and Merkle history tree. A comprehensive experimental evaluation of the proposed and existing approaches is used to validate the analytical models and verify our claims. The results demonstrate that our proposed scheme verifying in a concurrent way is significantly more efficient than the previous tree-based approach.

In the open network environment, the strange entities can establish the mutual trust through Automated Trust Negotiation (ATN) that is based on exchanging digital credentials. In traditional ATN, the attribute certificate required to either satisfied or not, and in the strategy, the importance of the certificate is same, it may cause some unnecessary negotiation failure. And in the actual situation, the properties is not just 0 or 1, it is likely to between 0 and 1, so the satisfaction degree is different, and the negotiation strategy need to be quantified. This paper analyzes the fuzzy negotiation process, in order to improve the trust establishment in high efficiency and accuracy further.

Along with the growing popularisation of Cloud Computing. Cloud storage technology has been paid more and more attention as an emerging network storage technology which is extended and developed by cloud computing concepts. Cloud computing environment depends on user services such as high-speed storage and retrieval provided by cloud computing system. Meanwhile, data security is an important problem to solve urgently for cloud storage technology. In recent years, There are more and more malicious attacks on cloud storage systems, and cloud storage system of data leaking also frequently occurred. Cloud storage security concerns the user's data security. The purpose of this paper is to achieve data security of cloud storage and to formulate corresponding cloud storage security policy. Those were combined with the results of existing academic research by analyzing the security risks of user data in cloud storage and approach a subject of the relevant security technology, which based on the structural characteristics of cloud storage system.

Blockchain has been applied to study data privacy and network security recently. In this paper, we propose a punishment scheme based on the action record on the blockchain to suppress the attack motivation of the edge servers and the mobile devices in the edge network. The interactions between a mobile device and an edge server are formulated as a blockchain security game, in which the mobile device sends a request to the server to obtain real-time service or launches attacks against the server for illegal security gains, and the server chooses to perform the request from the device or attack it. The Nash equilibria (NEs) of the game are derived and the conditions that each NE exists are provided to disclose how the punishment scheme impacts the adversary behaviors of the mobile device and the edge server.

We present an approach to tracking the behaviour of an attacker on a decoy system, where the decoy communicates with the real system only through low energy bluetooth. The result is a low-cost solution that does not interrupt the live system, while limiting potential damage. The attacker has no way to detect that they are being monitored, while their actions are being logged for further investigation. The system has been physically implemented using Raspberry PI and Arduino boards to replicate practical performance.

Live migration is the process used in virtualization environment of datacenters in order to take the benefit of zero downtime during system maintenance. But during migrating live virtual machines along with system files and storage data, network traffic gets increases across network bandwidth and delays in migration time. There is need to reduce the migration time in order to maintain the system performance by analyzing and optimizing the storage overheads which mainly creates due to unnecessary duplicated data transferred during live migration. So there is need of such storage device which will keep the duplicated data residing in both the source as well as target physical host i.e. NAS. The proposed hash map based algorithm maps all I/O operations in order to track the duplicated data by assigning hash value to both NAS and RAM data. Only the unique data then will be sent data to the target host without affecting service level agreement (SLA), without affecting VM migration time, application downtime, SLA violations, VM pre-migration and downtime post migration overheads during pre and post migration of virtual machines.

Mobile cloud computing paradigm enables cloud servers to extend the limited hardware resources of mobile devices improving availability and reliability of the services provided. Consequently, private, financial, business and critical data pass through wireless access media exposed to malicious attacks. Mobile cloud infrastructure requires new security mechanisms, at the same time as offloading operations need to maintain the advantages of saving processing and energy of the device. Thus, this paper implements a middleware-based computational offloading with cryptographic algorithms and evaluates two mechanisms (symmetric and asymmetric), to provide the integrity and authenticity of data that a smartphone offloads to mobile cloud servers. Also, the paper discusses the factors that impact on power consumption and performance on smartphones that's run resource-intensive applications.

Recent increases in the field of infrastructure has led to the emerging of cloud computing a virtualized computing platform. This technology provides a lot of pros like rapid elasticity, ubiquitous network access and on-demand access etc. Compare to other technologies cloud computing provides many essential services. As the elasticity and scalability increases the chance for vulnerability of the system is also high. There are many known and unknown security risks and challenges present in this environment. In this research an environment is proposed which can handle security issues and deploys various security levels. The system handles the security of various infrastructure like VM and also handles the Dynamic infrastructure request control. One of the key feature of proposed approach is Dual authorization in which all account related data will be authorized by two privileged administrators of the cloud. The auto scalability feature of the cloud is be made secure for on-demand service request handling by providing an on-demand scheduler who will process the on-demand request and assign the required infrastructure. Combining these two approaches provides a secure environment for cloud users as well as handle On-demand Infrastructure request.

Existing data management and searching system for Internet of Things uses centralized database. For this reason, security vulnerabilities are found in this system which consists of server such as IP spoofing, single point of failure and Sybil attack. This paper proposes data management system is based on blockchain which ensures security by using ECDSA digital signature and SHA-256 hash function. Location that is indicated as IP address of data owner and data name are transcribed in block which is included in the blockchain. Furthermore, we devise data manegement and searching method through analyzing block hash value. By using security properties of blockchain such as authentication, non-repudiation and data integrity, this system has advantage of security comparing to previous data management and searching system using centralized database or P2P networks.

Top-level domains play an important role in domain name system. Close attention should be paid to security of top level domains. In this paper, we found many configuration anomalies of top-level domains by analyzing their resource records. We got resource records of top-level domains from root name servers and authoritative servers of top-level domains. By comparing these resource records, we observed the anomalies in top-level domains. For example, there are 8 servers shared by more than one hundred top-level domains; Some TTL fields or SERIAL fields of resource records obtained on each NS servers of the same top-level domain were inconsistent; some authoritative servers of top-level domains were unreachable. Those anomalies may affect the availability of top-level domains. We hope that these anomalies can draw top-level domain administrators' attention to security of top-level domains.

Currently, no major browser fully checks for TLS/SSL certificate revocations. This is largely due to the fact that the deployed mechanisms for disseminating revocations (CRLs, OCSP, OCSP Stapling, CRLSet, and OneCRL) are each either incomplete, insecure, inefficient, slow to update, not private, or some combination thereof. In this paper, we present CRLite, an efficient and easily-deployable system for proactively pushing all TLS certificate revocations to browsers. CRLite servers aggregate revocation information for all known, valid TLS certificates on the web, and store them in a space-efficient filter cascade data structure. Browsers periodically download and use this data to check for revocations of observed certificates in real-time. CRLite does not require any additional trust beyond the existing PKI, and it allows clients to adopt a fail-closed security posture even in the face of network errors or attacks that make revocation information temporarily unavailable. We present a prototype of name that processes TLS certificates gathered by Rapid7, the University of Michigan, and Google's Certificate Transparency on the server-side, with a Firefox extension on the client-side. Comparing CRLite to an idealized browser that performs correct CRL/OCSP checking, we show that CRLite reduces latency and eliminates privacy concerns. Moreover, CRLite has low bandwidth costs: it can represent all certificates with an initial download of 10 MB (less than 1 byte per revocation) followed by daily updates of 580 KB on average. Taken together, our results demonstrate that complete TLS/SSL revocation checking is within reach for all clients.

SQL injection attack (SQLIA) pose a serious security threat to the database driven web applications. This kind of attack gives attackers easily access to the application's underlying database and to the potentially sensitive information these databases contain. A hacker through specifically designed input, can access content of the database that cannot otherwise be able to do so. This is usually done by altering SQL statements that are used within web applications. Due to importance of security of web applications, researchers have studied SQLIA detection and prevention extensively and have developed various methods. In this research, after reviewing the existing research in this field, we present a new hybrid method to reduce the vulnerability of the web applications. Our method is specifically designed to detect and prevent SQLIA. Our proposed method is consists of three phases namely, the database design, implementation, and at the common gateway interface (CGI). Details of our approach along with its pros and cons are discussed in detail.

Figuring innovations and development of web diminishes the exertion required for different procedures. Among them the most profited businesses are electronic frameworks, managing an account, showcasing, web based business and so on. This framework mostly includes the data trades ceaselessly starting with one host then onto the next. Amid this move there are such a variety of spots where the secrecy of the information and client gets loosed. Ordinarily the zone where there is greater likelihood of assault event is known as defenceless zones. Electronic framework association is one of such place where numerous clients performs there undertaking as indicated by the benefits allotted to them by the director. Here the aggressor makes the utilization of open ranges, for example, login or some different spots from where the noxious script is embedded into the framework. This scripts points towards trading off the security imperatives intended for the framework. Few of them identified with clients embedded scripts towards web communications are SQL infusion and cross webpage scripting (XSS). Such assaults must be distinguished and evacuated before they have an effect on the security and classification of the information. Amid the most recent couple of years different arrangements have been incorporated to the framework for making such security issues settled on time. Input approvals is one of the notable fields however experiences the issue of execution drops and constrained coordinating. Some other component, for example, disinfection and polluting will create high false report demonstrating the misclassified designs. At the center, both include string assessment and change investigation towards un-trusted hotspots for totally deciphering the effect and profundity of the assault. This work proposes an enhanced lead based assault discovery with specifically message fields for viably identifying the malevolent scripts. The work obstructs the ordinary access for malignant so- rce utilizing and hearty manage coordinating through unified vault which routinely gets refreshed. At the underlying level of assessment, the work appears to give a solid base to further research.

With the repaid growth of social tagging users, it becomes very important for social tagging systems how the required resources are recommended to users rapidly and accurately. Firstly, the architecture of an agent-based intelligent social tagging system is constructed using agent technology. Secondly, the design and implementation of user interest mining, personalized recommendation and common preference group recommendation are presented. Finally, a self-adaptive recommendation strategy for social tagging and its implementation are proposed based on the analysis to the shortcoming of the personalized recommendation strategy and the common preference group recommendation strategy. The self-adaptive recommendation strategy achieves equilibrium selection between efficiency and accuracy, so that it solves the contradiction between efficiency and accuracy in the personalized recommendation model and the common preference recommendation model.

Since the Information Networks are added to the current electricity networks, the security and privacy of individuals is challenged. This combination of technologies creates vulnerabilities in the context of smart grid power which disrupt the consumer energy supply. Methods based on encryption are against the countermeasures attacks that have targeted the integrity and confidentiality factors. Although the cryptography strategies are used in Smart Grid, key management which is different in size from tens to millions of keys (for meters), is considered as the critical processes. The Key mismanagement causes to reveal the secret keys for attacker, a symmetric key distribution method is recently suggested by [7] which is based on a symmetric key distribution, this strategy is very suitable for smart electric meters. The problem with this method is its vulnerability to impersonating respondents attack. The proposed approach to solve this problem is to send the both side identifiers in encrypted form based on hash functions and a random value, the proposed solution is appropriate for devices such as meters that have very little computing power.

Integration of information technologies with the current power infrastructure promises something further than a smart grid: implementation of smart cities. Power efficient cities will be a significant step toward greener cities and a cleaner environment. However, the extensive use of information technologies in smart cities comes at a cost of reduced privacy. In particular, consumers' power profiles will be accessible by third parties seeking information over consumers' personal habits. In this paper, a methodology for enhancing privacy of electricity consumption patterns is proposed and tested. The proposed method exploits digital connectivity and predictive tools offered via smart grids to morph consumption patterns by grouping consumers via an optimization scheme. To that end, load anticipation, correlation and Theil coefficients are utilized synergistically with genetic algorithms to find an optimal assembly of consumers whose aggregated pattern hides individual consumption features. Results highlight the efficiency of the proposed method in enhancing privacy in the environment of smart cities.

Attacks on web services are major concerns and can expose organizations valuable information resources. Despite there are increasing awareness in secure programming, we still find vulnerabilities in web services. To protect deployed web services, it is important to have defense techniques. Signaturebased Intrusion Detection Systems (IDS) have gained popularity to protect applications against attacks. However, signature IDSs have limited number of attack signatures. In this paper, we propose a Genetic Algorithm (GA)-based attack signature generation approach and show its application for web services. GA algorithm has the capability of generating new member from a set of initial population. We leverage this by generating new attack signatures at SOAP message level to overcome the challenge of limited number of attack signatures. The key contributions include defining chromosomes and fitness functions. The initial results show that the GA-based IDS can generate new signatures and complement the limitation of existing web security testing tools. The approach can generate new attack signatures for injection, privilege escalation, denial of service and information leakage.

Bitcoin is a decentralized digital currency, widely used for its perceived anonymity property, and has surged in popularity in recent years. Bitcoin publishes the complete transaction history in a public ledger, under pseudonyms of users. This is an alternative way to prevent double-spending attack instead of central authority. Therefore, if pseudonyms of users are attached to their identities in real world, the anonymity of Bitcoin will be a serious vulnerability. It is necessary to enhance anonymity of Bitcoin by a coin mixing service or other modifications in Bitcoin protocol. But in a coin mixing service, the relationship among input and output addresses is not hidden from the mixing service provider. So the mixing server still has the ability to track the transaction records of Bitcoin users. To solve this problem, We present a new coin mixing scheme to ensure that the relationship between input and output addresses of any users is invisible for the mixing server. We make use of a ring signature algorithm to ensure that the mixing server can't distinguish specific transaction from all these addresses. The ring signature ensures that a signature is signed by one of its users in the ring and doesn't leak any information about who signed it. Furthermore, the scheme is fully compatible with existing Bitcoin protocol and easily to scale for large amount of users.

The ubiquity of the Internet and email, have provided a mostly insecure communication medium for the consumer. During the last few decades, we have seen the development of several ways to secure email messages. However, these solutions are inflexible and difficult to use for encrypting email messages to protect security and privacy while communicating or collaborating via email. Under the current paradigm, the arduous process of setting up email encryption is non-intuitive for the average user. The complexity of the current practices has also yielded to incorrect developers' interpretation of architecture which has resulted in interoperability issues. As a result, the lack of simple and easy-to-use infrastructure in current practices means that the consumers still use plain text emails over insecure networks. In this paper, we introduce and describe a novel, holistic model with new techniques for protecting email messages. The architecture of our innovative model is simpler and easier to use than those currently employed. We use the simplified trust model, which can relieve users from having to perform many complex steps to achieve email security. Utilizing the new techniques presented in this paper can safeguard users' email from unauthorized access and protect their privacy. In addition, a simplified infrastructure enables developers to understand the architecture more readily eliminating interoperability.

Code signing which at present is the only methodology of trusting a code that is distributed to others. It heavily relies on the security of the software providers private key. Attackers employ targeted attacks on the code signing infrastructure for stealing the signing keys which are used later for distributing malware in disguise of genuine software. Differentiating a malware from a benign software becomes extremely difficult once it gets signed by a trusted software providers private key as the operating systems implicitly trusts this signed code. In this paper, we analyze the growing menace of signed malware by examining several real world incidents and present a threat model for the current code signing infrastructure. We also propose a novel solution that prevents this issue of malicious code signing by requiring additional verification of the executable. We also present the serious threat it poses and it consequences. To our knowledge this is the first time this specific issue of Malicious code signing has been thoroughly studied and an implementable solution is proposed.

Recently perceived vulnerabilities in public key infrastructures (PKI) demand that a semantic or cognitive definition of trust is essential for augmenting the security through trust formulations. In this paper, we examine the meaning of trust in PKIs. Properly categorized trust can help in developing intelligent algorithms that can adapt to the security and privacy requirements of the clients. We delineate the different types of trust in a generic PKI model.

The IoT node works mostly in a specific scenario, and executes the fixed program. In order to make it suitable for more scenarios, this paper introduces a kind of the IoT node, which can change program at any time. And this node has intelligent and dynamic reconfigurable features. Then, a transport protocol is proposed. It enables this node to work in different scenarios and perform corresponding program. Finally, we use Verilog to design and FPGA to verify. The result shows that this protocol is feasible. It also offers a novel way of the IoT.

Internet of Things (IoT) will be emerged over many of devices that are dynamically networked. Because of distributed and dynamic nature of IoT, designing a recommender system for them is a challenging problem. Recently, cognitive systems are used to design modern frameworks in different types of computer applications such as cognitive radio networks and cognitive peer-to-peer networks. A cognitive system can learn to improve its performance while operating under its unknown environment. In this paper, we propose a framework for cognitive recommender systems in IoT. To the best of our knowledge, there is no recommender system based on cognitive systems in the IoT. The proposed algorithm is compared with the existing recommender systems.