Biblio

In this paper, we design a technique for mapping the source code into a vector space and we show its application in the recognition of security weaknesses. By applying ideas commonly used in Natural Language Processing, we train a model for producing an embedding of programs starting from their Abstract Syntax Trees. We then show how such embedding is able to infer clusters roughly separating different classes of software weaknesses. Even if the training of the embedding is unsupervised and made on a generic Java dataset, we show that the model can be used for supervised learning of specific classes of vulnerabilities, helping to capture some features distinguishing them in code. Finally, we discuss how our model performs over the different types of vulnerabilities categorized by the CWE initiative.

Large scale deployment of IoT devices has made Bluetooth Protocol (IEEE 802.15.1) the wireless protocol of choice for close-range communications. Devices such as keyboards, smartwatches, headphones, computer mouse, and various wearable connecting devices use Bluetooth network for communication. Moreover, Bluetooth networks are widely used in medical devices like heart monitors, blood glucose monitors, asthma inhalers, and pulse oximeters. Also, Bluetooth has replaced cables for wire-free equipment in a surgical environment. In hospitals, devices communicate with one another, sharing sensitive and critical information over Bluetooth scatter-networks. Thus, it is imperative to secure the Bluetooth networks against attacks like Man in the Middle attack (MITM), eavesdropping attacks, and Denial of Service (DoS) attacks. This paper presents a Multi-Level Bluetooth Intrusion Detection System (ML-BIDS) to detect malicious attacks against Bluetooth devices. In the ML-IDS framework, we perform continuous device identification and authorization in Bluetooth networks following the zero-trust principle [ref]. The ML-BIDS framework includes an anomaly-based intrusion detection system (ABIDS) to detect attacks on the Bluetooth protocol. The ABIDS tracks the normal behavior of the Bluetooth protocol by comparing it with the Bluetooth protocol state machine. Bluetooth frame flows consisting of Bluetooth frames received over 10 seconds are split into n-grams to track the current state of the protocol in the state machine. We evaluated the performance of several machine learning algorithms like C4.5, Adaboost, SVM, Naive Bayes, Jrip, and Bagging to classify normal Bluetooth protocol flows from abnormal Bluetooth protocol flows. The ABIDS detects attacks on Bluetooth protocols with a precision of up to 99.6% and recall up to 99.6%. The ML-BIDS framework also performs whitelisting of the devices on the Bluetooth network to prevent unauthorized devices from connecting to the network. ML-BIDS uses a combination of the Bluetooth Address, mac address, and IP address to uniquely identify a Bluetooth device connecting to the network, and hence ensuring only authorized devices can connect to the Bluetooth network.

As the increasing demands of social services, unmanned aerial vehicles (UAVs)-assisted networks promote the promising prospect for implementing high-rate information transmission and applications. The sensing data can be collected by UAVs, a large number of applications based on UAVs have been realized in the 5G networks. However, the malicious UAVs may provide false information and destroy the services. The 5G UAV communication systems face the security threats. Therefore, this paper develops a novel trust-based security scheme for 5G UAV communication systems. Firstly, the architecture of the 5G UAV communication system is presented to improve the communication performance. Secondly, the trust evaluation scheme for UAVs is developed to evaluate the reliability of UAVs. By introducing the trust threshold, the malicious UAVs will be filtered out from the systems to protect the security of systems. Finally, the simulation results have been demonstrated the effectiveness of the proposed scheme.

Browser extensions have by and large become a normal and accepted omnipresent feature within modern browsers. However, since their inception, browser extensions have remained under scrutiny for opening vulnerabilities for users. While a large amount of effort has been dedicated to patching such issues as they arise, including the implementation of extension sandboxes and explicit permissions, issues remain within the browser extension ecosystem through user-scripts. User-scripts, or micro-script extensions hosted by a top-level extension, are largely unregulated but inherit the permissions of the top-level application manager, which popularly includes extensions such as Greasemonkey, Tampermonkey, or xStyle. While most user-scripts are docile and serve a specific beneficial functionality, due to their inherently open nature and the unregulated ecosystem, they are easy for malicious parties to exploit. Common attacks through this method involve hijacking of DOM elements to execute malicious javascript and/or XSS attacks, although other more advanced attacks can be deployed as well. User-scripts have not received much attention, and this vulnerability has persisted despite attempts to make browser extensions more secure. This ongoing vulnerability remains an unknown threat to many users who employ user-scripts, and circumvents security mechanisms otherwise put in place by browsers. This paper discusses this extension derivative vulnerability as it pertains to current browser security paradigms.

To improve production efficiency, more industrial control systems are connected to IT networks, and more IT technologies are applied to industrial control networks, network security has become an important problem. Industrial control network security analysis and decision-making is a effective method to solve the problem, which can predict risks and support to make decisions before the actual fault of the industrial control network system has not occurred. This paper proposes a security analysis and decision-making method with forward reasoning based on strong relevant logic for industrial control networks. The paper presents a case study in security analysis and decision-making for industrial control networks. The result of the case study shows that the proposed method is effective.

In this paper we propose a responsive autonomic and data-driven adaptive virtual networking framework (RAvN) that integrates the adaptive reconfigurable features of a popular SDN platform called open networking operating system (ONOS), the network performance statistics provided by traffic monitoring tools such as T-shark or sflow-RT and analytics and decision making skills provided from new and current machine learning techniques to detect and mitigate anomalous behavior. For this paper we focus on the development of novel detection schemes using a developed Centroid-based clustering technique and the Intragroup variance of data features within network traffic (C. Intra), with a multivariate gaussian distribution model fitted to the constant changes in the IP addresses of the network to accurately assist in the detection of low rate and high rate denial of service (DoS) attacks. We briefly discuss our ideas on the development of the decision-making and execution component using the concept of generating adaptive policy updates (i.e. anomalous mitigation solutions) on-the-fly to the ONOS SDN controller for updating network configurations and flows. In addition we provide the analysis on anomaly detection schemes used for detecting low rate and high rate DoS attacks versus a commonly used unsupervised machine learning technique Kmeans. The proposed schemes outperformed Kmeans significantly. The multivariate clustering method and the intragroup variance recorded 80.54% and 96.13% accuracy respectively while Kmeans recorded 72.38% accuracy.

Manufacturing enterprises are constantly exploring new ways to improve their own production processes to address the increasing demand of customized production. However, such enterprises show a low degree of flexibility, which mainly results from the need to configure new production equipment at design and run time. In this paper we propose self-adaptation as an approach to improve data transmission flexibility in Industry 4.0 environments. We implement an autonomic manager using a generic autonomic management framework, which applies the most appropriate data transmission configuration based on security and business process related requirements, such as performance. The experimental evaluation is carried out in a MQTT infrastructure and the results show that using self-adaptation can significantly improve the trade-off between security and performance. We then propose to integrate anomaly detection methods as a solution to support self-adaptation by monitoring and learning the normal behavior of an industrial system and show how this can be used by the generic autonomic management framework.

Autonomic resource management for distributed edge computing systems provides an effective means of enabling dynamic placement and adaptation in the face of network changes, load dynamics, and failures. However, adaptation in-and-of-itself offers a side channel by which malicious entities can extract valuable information. An attacker can take advantage of autonomic resource management techniques to fool a system into misallocating resources and crippling applications. Using a few scenarios, we outline how attacks can be launched using partial knowledge of the resource management substrate - with as little as a single compromised node. We argue that any system that provides adaptation must consider resource management as an attack surface. As such, we propose ADAPT2, a framework that incorporates concepts taken from Moving-Target Defense and state estimation techniques to ensure correctness and obfuscate resource management, thereby protecting valuable system and application information from leaking.

Point of Sale (POS) systems has become the technology of choice for most businesses and offering number of advantages over traditional cash registers. They manage staffs, customers, transaction, inventory, sale and labor reporting, price adjustment, as well as keeping track of cash flow, expense management, reducing human errors and more. Whether traditional on-premise POS, or Cloud-Bases POS, they help businesses to run more efficiently. However, despite all these advantages, POS systems are becoming targets of a number of cyber-attacks. Security of a POS system is a key requirement of the Payment Card Industry Data Security Standard (PCI DSS). This paper undertakes research into the PCI DSS and its accompanying standards, in an attempt to break or bypass security measures using varying degrees of vulnerability and penetration attacks in a methodological format. The resounding goal of this experimentation is to achieve a basis from which attacks can be made against a realistic networking environment from whence an intruder can bypass security measures thus exposing a vulnerability in the PCI DSS and potentially exposing confidential customer payment information.

We present a system architecture for autonomic operation, administration and maintenance of both the optical and digital layers within the integrated optical transport network infrastructure. This framework encompasses the end-to-end instrumentation: From equipment commissioning to automatic discovery and bring-up, to self-managed, self-(re)configuring optical transport layer. We leverage prevalent networking protocols to build an autonomic control plane for the optical network elements. Various aspects of security, a critical element for self-managed operations, are addressed. We conclude with a discussion on the interaction with SDN, and how autonomic functions can benefit from these capabilities, a brief survey of standardization activities and scope for future work.

As an inevitable trend of information development of hospitals, Internet hospitals provide a series of convenient online services for patients such as registration, consultation, queuing, payment and medicine pick-up. However, hospitals have to face huge challenges, and deploy an Internet medical care-oriented service security open platform to ensure the security of personal privacy data and avoid malicious attacks from the Internet, so as to prevent illegal stealing of medical data. The service security open platform provides visualized control for the unified and standardized connection process and data access process.

High performance computing is widely used for large-scale simulations, designs and analysis of critical problems especially through the use of cloud computing systems nowadays because cloud computing provides ubiquitous, on-demand computing capabilities with large variety of hardware configurations including GPUs and FPGAs that are highly used for high performance computing. However, it is well known that inefficient management of such systems results in excessive power consumption affecting the budget, cooling challenges, as well as reducing reliability due to the overheating and hotspots. Furthermore, considering the latest trends in the attack scenarios and crypto-currency based intrusions, security has become a major problem for high performance computing. Therefore, to address both challenges, in this paper we present an autonomic management methodology for both security and power/performance. Our proposed approach first builds knowledge of the environment in terms of power consumption and the security tools' deployment. Next, it provisions virtual resources so that the power consumption can be reduced while maintaining the required performance and deploy the security tools based on the system behavior. Using this approach, we can utilize a wide range of secure resources efficiently in HPC system, cloud computing systems, servers, embedded systems, etc.

Cybersecurity plays a critical role in protecting sensitive information and the structural integrity of networked systems. As networked systems continue to expand in numbers as well as in complexity, so does the threat of malicious activity and the necessity for advanced cybersecurity solutions. Furthermore, both the quantity and quality of available data on malicious content as well as the fact that malicious activity continuously evolves makes automated protection systems for this type of environment particularly challenging. Not only is the data quality a concern, but the volume of the data can be quite small for some of the classes. This creates a class imbalance in the data used to train a classifier; however, many classifiers are not well equipped to deal with class imbalance. One such example is detecting malicious HMTL files from static features. Unfortunately, collecting malicious HMTL files is extremely difficult and can be quite noisy from HTML files being mislabeled. This paper evaluates a specific application that is afflicted by these modern cybersecurity challenges: detection of malicious HTML files. Previous work presented a general framework for malicious HTML file classification that we modify in this work to use a $\chi$2 feature selection technique and synthetic minority oversampling technique (SMOTE). We experiment with different classifiers (i.e., AdaBoost, Gentle-Boost, RobustBoost, RusBoost, and Random Forest) and a pure detection model (i.e., Isolation Forest). We benchmark the different classifiers using SMOTE on a real dataset that contains a limited number of malicious files (40) with respect to the normal files (7,263). It was found that the modified framework performed better than the previous framework's results. However, additional evidence was found to imply that algorithms which train on both the normal and malicious samples are likely overtraining to the malicious distribution. We demonstrate the likely overtraining by determining that a subset of the malicious files, while suspicious, did not come from a malicious source.

Information Centric Networking (ICN) changed the communication model from host-based to content-based to cope with the high volume of traffic due to the rapidly increasing number of users, data objects, devices, and applications. ICN communication model requires new security solutions that will be integrated with ICN architectures. In this paper, we present a security framework to manage ICN traffic by detecting, preventing, and responding to ICN attacks. The framework consists of three components: availability, access control, and privacy. The availability component ensures that contents are available for legitimate users. The access control component allows only legitimate users to get restrictedaccess contents. The privacy component prevents attackers from knowing content popularities or user requests. We also show our specific solutions as examples of the framework components.

The fifth generation of cellular networks (5G) will enable different use cases where security will be more critical than ever before (e.g. autonomous vehicles and critical IoT devices). Unfortunately, the new networks are being built on the certainty that security problems cannot be solved in the short term. Far from reinventing the wheel, one of our goals is to allow security software developers to implement and test their reactive solutions for the capillary network of 5G devices. Therefore, in this paper a solution for analysing proximity-based attacks in 5G environments is modelled and tested using OMNET++. The solution, named CRAT, is able to decouple the security analysis from the hardware of the device with the aim to extend the analysis of proximity-based attacks to different use-cases in 5G. We follow a high-level approach, in which the devices can take the role of victim, offender and guardian following the principles of the routine activity theory.

In recent years, there has been progress in applying information technology to industrial control systems (ICS), which is expected to make the development cost of control devices and systems lower. On the other hand, the security threats are becoming important problems. In 2017, a command injection issue on a data logger was reported. In this paper, we focus on the risk assessment in security design for data loggers used in industrial control systems. Our aim is to provide a risk assessment method optimized for control devices and systems in such a way that one can prioritize threats more preciously, that would lead work resource (time and budget) can be assigned for more important threats than others. We discuss problems with application of the automotive-security guideline of JASO TP15002 to ICS risk assessment. Consequently, we propose a three-phase risk assessment method with a novel Risk Scoring Systems (RSS) for quantitative risk assessment, RSS-CWSS. The idea behind this method is to apply CWSS scoring systems to RSS by fixing values for some of CWSS metrics, considering what the designers can evaluate during the concept phase. Our case study with ICS employing a data logger clarifies that RSS-CWSS can offer an interesting property that it has better risk-score dispersion than the TP15002-specified RSS.

The analysis of security-related event logs is an important step for the investigation of cyber-attacks. It allows tracing malicious activities and lets a security operator find out what has happened. However, since IT landscapes are growing in size and diversity, the amount of events and their highly different representations are becoming a Big Data challenge. Unfortunately, current solutions for the analysis of security-related events, so called Security Information and Event Management (SIEM) systems, are not able to keep up with the load. In this work, we propose a distributed SIEM platform that makes use of highly efficient distributed normalization and persists event data into an in-memory database. We implement the normalization on common distribution frameworks, i.e. Spark, Storm, Trident and Heron, and compare their performance with our custom-built distribution solution. Additionally, different tuning options are introduced and their speed advantage is presented. In the end, we show how the writing into an in-memory database can be tuned to achieve optimal persistence speed. Using the proposed approach, we are able to not only fully normalize, but also persist more than 20 billion events per day with relatively small client hardware. Therefore, we are confident that our approach can handle the load of events in even very large IT landscapes.

Cloud computing is the major paradigm in today's IT world with the capabilities of security management, high performance, flexibility, scalability. Customers valuing these features can better benefit if they use a cloud environment built using HPC fabric architecture. However, security is still a major concern, not only on the software side but also on the hardware side. There are multiple studies showing that the malicious users can affect the regular customers through the hardware if they are co-located on the same physical system. Therefore, solving possible security concerns on the HPC fabric architecture will clearly make the fabric industries leader in this area. In this paper, we propose an autonomic HPC fabric architecture that leverages both resilient computing capabilities and adaptive anomaly analysis for further security.

Aggregate Computing is a promising paradigm for coordinating large numbers of possibly situated devices, typical of scenarios related to the Internet of Things, smart cities, drone coordination, and mass urban events. Currently, little work has been devoted to study and improve security in aggregate programs, and existing works focus solely on application-level countermeasures. Those security systems work under the assumption that the underlying computational model is respected; however, so-called Byzantine behaviour violates such assumption. In this paper, we discuss how Byzantine behaviours can hinder an aggregate program, and exploit application-level protection for creating bigger disruption. We discuss how the blockchain technology can mitigate these attacks by enforcing behaviours consistent with the expected operational semantics, with no impact on the application logic.

Autonomous systems are gaining momentum in various application domains, such as autonomous vehicles, autonomous transport robotics and self-adaptation in smart homes. Product liability regulations impose high standards on manufacturers of such systems with respect to dependability (safety, security and privacy). Today's conventional engineering methods are not adequate for providing guarantees with respect to dependability requirements in a cost-efficient manner, e.g. road tests in the automotive industry sum up millions of miles before a system can be considered sufficiently safe. System engineers will no longer be able to test and respectively formally verify autonomous systems during development time in order to guarantee the dependability requirements in advance. In this vision paper, we introduce a new holistic software systems engineering approach for autonomous systems, which integrates development time methods as well as operation time techniques. With this approach, we aim to give the users a transparent view of the confidence level of the autonomous system under use with respect to the dependability requirements. We present already obtained results and point out research goals to be addressed in the future.

Access control for information has primarily focused on access statically granted to subjects by administrators usually in the context of a specific system. Even if mechanisms are available for access revocation, revocations must still be executed manually by an administrator. However, as physical devices become increasingly embedded and interconnected, access control needs to become an integral part of the resource being protected and be generated dynamically by resources depending on the context in which the resource is being used. In this paper, we discuss a set of scenarios for access control needed in current and future systems and use that to argue that an approach for resources to generate and manage their access control policies dynamically on their own is needed. We discuss some approaches for generating such access control policies that may address the requirements of the scenarios.

Self-Adaptive Systems (SAS) are revolutionizing many aspects of our society. From server clusters to autonomous vehicles, SAS are becoming more ubiquitous and essential to our world. Security is frequently a priority for these systems as many SAS conduct mission-critical operations, or work with sensitive information. Fortunately, security is being more recognized as an indispensable aspect of virtually all aspects of computing systems, in all phases of software development. Despite the growing prominence in security, from computing education to vulnerability detection systems, it is just another concern of creating good software. Despite how critical security is, it is a quality attribute like other aspects such as reliability, stability, or adaptability in a SAS.

The complexity, multiplicity, and impact of cyber-attacks have been increasing at an alarming rate despite the significant research and development investment in cyber security products and tools. The current techniques to detect and protect cyber infrastructures from these smart and sophisticated attacks are mainly characterized as being ad hoc, manual intensive, and too slow. We present in this paper AIM-PSC that is developed jointly by researchers at AVIRTEK and The University of Arizona Center for Cloud and Autonomic Computing that is inspired by biological systems, which can efficiently handle complexity, dynamism and uncertainty. In AIM-PSC system, an online monitoring and multi-level analysis are used to analyze the anomalous behaviors of networks, software systems and applications. By combining the results of different types of analysis using a statistical decision fusion approach we can accurately detect any types of cyber-attacks with high detection and low false alarm rates and proactively respond with corrective actions to mitigate their impacts and stop their propagation.

Due to the trend of under-ocean exploration, realtime monitoring or long-term surveillance of the under-ocean environment, e.g., real-time monitoring for under-ocean oil drilling, is imperative. Underwater wireless sensor networks could provide an optimal option, and have recently attracted intensive attention from researchers. Nevertheless, terrestrial wireless sensor networks (WSNs) have been well investigated and solved by many approaches that rely on the electromagnetic/optical transmission techniques. Deploying an applicable underwater wireless sensor network is still a big challenge. Due to critical conditions of the underwater environment (e.g., high pressure, high salinity, limited energy etc), the cost of the underwater sensor is significant. The dense sensor deployment is not applicable in the underwater condition. Therefore, Autonomous Underwater Vehicle (AUV) becomes an alternative option for implementing underwater surveillance and target detection. In this article, we present a framework to theoretically analyze the target detection probability in the underwater environment by using AUVs. The experimental results further verify our theoretical results.