Biblio

The rapid growth of the connected devices driven by Internet of Things (IoT) concept requires a complete rethinking of the conventional approaches for the network design. One of the key constraints of the IoT devices are their low capabilities in order to optimize energy consumption. On the other hand, many IoT applications require high level of data protection and privacy, which can be provided only by advanced cryptographic algorithms, which are not feasible for IoT devices. In this paper, we propose a scalable quadrature modulation aiming to solve the problem of secure communications at the physical layer. The key idea of the proposed approach is to transmit only part of information in way that allows target receiver to retrieve the complete information. Such approach allows to ensure the security of wireless channel, while reducing the overhead of advanced cryptographic algorithms.

Nowadays the role of Information systems in our life has greatly increased, which has become one of the biggest challenges for citizens, organizations and governments. Every single day we are becoming more and more dependent on information and communication technology (ICT). A major goal of information security is to find the best ways to mitigate the risks. The context-role and perimeter protection approaches can reduce and prevent an unauthorized penetration to protected zones and information systems inside the zones. The result of this work can be useful for the security system analysis and optimization of their organizations.

Regulatory efforts such as the General Data Protection Regulation (GDPR) embody a notion of privacy risk that is centered around the fundamental rights of data subjects. This is, however, a fundamentally different notion of privacy risk than the one commonly used in threat modeling which is largely agnostic of involved data subjects. This mismatch hampers the applicability of privacy threat modeling approaches such as LINDDUN in a Data Protection by Design (DPbD) context. In this paper, we present a data subject-aware privacy risk assessment model in specific support of privacy threat modeling activities. This model allows the threat modeler to draw upon a more holistic understanding of privacy risk while assessing the relevance of specific privacy threats to the system under design. Additionally, we propose a number of improvements to privacy threat modeling, such as enriching Data Flow Diagram (DFD) system models with appropriate risk inputs (e.g., information on data types and involved data subjects). Incorporation of these risk inputs in DFDs, in combination with a risk estimation approach using Monte Carlo simulations, leads to a more comprehensive assessment of privacy risk. The proposed risk model has been integrated in threat modeling tool prototype and validated in the context of a realistic eHealth application.

Runtime cloud security auditing plays a vital role in mitigating security concerns in a cloud. However, there currently does not exist a comprehensive solution that can protect a cloud tenant against the threats rendered from the multiple levels (e.g., user, virtual, and physical) of the cloud design. Furthermore, most of the existing solutions suffer from slow response time and require significant manual efforts. Therefore, a simple integration of the existing solutions for different levels is not a practical solution. In this paper, we propose a multilevel proactive security auditing system, which overcomes all the above-mentioned limitations. To this end, our main idea is to automatically build a predictive model based on the dependency relationships between cloud events, proactively verify the security policies related to different levels of a cloud by leveraging this model, and finally enforce those policies on the cloud based on the verification results. Our experiments using both synthetic and real data show the practicality and effectiveness of this solution (e.g., responding in a few milliseconds to verify each level of the cloud).

Data leakage and disclosure to attackers is a significant problem in embedded systems, considering the ability of attackers to get physical access to the systems. We present methods to protect memory data leakage in tamper-proof embedded systems. We present methods that exploit memory supply voltage manipulation to change the memory contents, leading to an operational and reusable memory or to destroy memory cell circuitry. For the case of memory data change, we present scenaria for data change to a known state and to a random state. The data change scenaria are effective against attackers who cannot detect the existence of the protection circuitry; furthermore, original data can be calculated in the case of data change to a known state, if the attacker identifies the protection circuitry and its operation. The methods that change memory contents to a random state or destroy memory cell circuitry lead to irreversible loss of the original data. However, since the known state can be used to calculate the original data.

Dependence of the individuals on the Internet for performing the several actions require secure data communication. Thus, the reliable data communication improves the confidentiality. As, enhanced security leads to reliable and faster communication. To improve the reliability and confidentiality, there is dire need of fully secured authentication method. There are several methods of password protections were introduced to protect the confidentiality and reliability. Most of the existing methods are based on alphanumeric approaches, but few methods provide the dual authentication process. In this paper, we introduce improved graphical password authentication using Twofish Encryption and Visual Cryptography (TEVC) method. Our proposed TEVC is unpredictably organized as predicting the correct graphical password and arranging its particles in the proper order is harder as compared to traditional alphanumeric password system. TEVC is tested by using JAVA platform. Based on the testing results, we confirm that proposed TEVC provides secure authentication. TEVC encryption algorithm detected as more prudent and possessing lower time complexity as compared to other known existing algorithms message code confirmation and fingerprint scan with password.

We have analyzed the hardware full-disk encryption of several solid state drives (SSDs) by reverse engineering their firmware. These drives were produced by three manufacturers between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in a M.2 or 2.5" traditional form factor) and external models using the USB interface. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many models using hardware encryption have critical security weaknesses due to specification, design, and implementation issues. For many models, these security weaknesses allow for complete recovery of the data without knowledge of any secret (such as the password). BitLocker, the encryption software built into Microsoft Windows will rely exclusively on hardware full-disk encryption if the SSD advertises support for it. Thus, for these drives, data protected by BitLocker is also compromised. We conclude that, given the state of affairs affecting roughly 60% of the market, currently one should not rely solely on hardware encryption offered by SSDs and users should take additional measures to protect their data.

Recently, several health care wearable devices which can intervene in health and collect personal health data have emerged in the medical market. Although health care wearable devices promote the integration of multi-layer medical resources and bring new ways of health applications for users, it is inevitable that some problems will be brought. This is mainly manifested in the safety protection of medical and health data and the protection of user's privacy. From the users' point of view, the irrational use of medical and health data may bring psychological and physical negative effects to users. From the government's perspective, it may be sold by private businesses in the international arena and threaten national security. The most direct precaution against the problem is users' initiative. For better understanding, a research model is designed by the following five aspects: Security knowledge (SK), Security attitude (SAT), Security practice (SP), Security awareness (SAW) and Security conduct (SC). To verify the model, structural equation analysis which is an empirical approach was applied to examine the validity and all the results showed that SK, SAT, SP, SAW and SC are important factors affecting users' data security and privacy protection awareness.

Smart Grids require extensive communication to enable safe and stable energy supply in the age of decentralized and dynamic energy production and consumption. To protect the communication in this critical infrastructure, public authorities mandate smart meter gateways (SMGWs) to be in control of the communication security. To this end, the SMGW intercepts all inbound and outbound communication of its premise, e.g., a factory or smart home, and forwards it on secure channels that the SMGW established itself. However, using the SMGW as proxy, local devices can neither review the security of these remote connections established by the SMGW nor enforce higher security guarantees than established by the all in one configuration of the SMGW which does not allow for use case-specific security settings. We present mechanisms that enable local devices to regain this insight and control over the full connection, i.e., up to the final receiver, while retaining the SMGW's ability to ensure a suitable security level. Our evaluation shows modest computation and transmission overheads for this increased security in the critical smart grid infrastructure.

This SQL injection attack is one of the common means for hackers to attack database. With the development of B/S mode application development, more and more programmers use this mode to write applications. However, due to the uneven level and experience of programmers, a considerable number of programmers do not judge the legitimacy of user input data when writing code, which makes the application security risks. Users can submit a database query code and get some data they want to know according to the results of the program. SQL injection attack belongs to one of the means of database security attack. It can be effectively protected by database security protection technology. This paper introduces the principle of SQL injection, the main form of SQL injection attack, the types of injection attack, and how to prevent SQL injection. Discussed and illustrated with examples.

In recent years, users may store their Personal Identifiable Information (PII) in the Cloud environment so that Cloud services may access and use it on demand. When users do not store personal data in their local machines, but in the Cloud, they may be interested in questions such as where their data are, who access it except themselves. Even if Cloud services specify privacy policies, we cannot guarantee that they will follow their policies and will not transfer user data to another party. In the past 10 years, many efforts have been taken in protecting PII. They target certain issues but still have limitations. For instance, users require interacting with the services over the frontend, they do not protect identity propagation between intermediaries and against an untrusted host, or they require Cloud services to accept a new protocol. In this paper, we propose a broader approach that covers all the above issues. We prove that our solution is efficient: the implementation can be easily adapted to existing Identity Management systems and the performance is fast. Most importantly, our approach is compliant with the General Data Protection Regulation from the European Union.

The paper presents a conceptual framework for security embedded task offloading requirements for IoT-Fog based future communication networks. The focus of the paper is to enumerate the need of embedded security requirements in this IoT-Fog paradigm including the middleware technologies in the overall architecture. Task offloading plays a significant role in the load balancing, energy and data management, security, reducing information processing and propagation latencies. The motivation behind introducing the embedded security is to meet the challenges of future smart networks including two main reasons namely; to improve the data protection and to minimize the internet disturbance and intrusiveness. We further discuss the middleware technologies such as cloudlets, mobile edge computing, micro datacenters, self-healing infrastructures and delay tolerant networks for security provision, optimized energy consumption and to reduce the latency. The paper introduces concepts of system virtualization and parallelism in IoT-Fog based systems and highlight the security features of the system. Some research opportunities and challenges are discussed to improve secure offloading from IoT into fog.

How to protect users' private data during network data mining has become a hot issue in the fields of big data and network information security. Most current researches on differential privacy k-means clustering algorithms focus on optimizing the selection of initial centroids. However, the traditional privacy budget allocation has the problem that the random noise becomes too large as the number of iterations increases, which will reduce the performance of data clustering. To solve the problem, we improved the way of privacy budget allocation in differentially private clustering algorithm DPk-means, and proposed APDPk-means, a new differential privacy clustering algorithm based on arithmetic progression privacy budget allocation. APDPk-means decomposes the total privacy budget into a decreasing arithmetic progression, allocating the privacy budgets from large to small in the iterative process, so as to ensure the rapid convergence in early iteration. The experiment results show that compared with the other differentially private k-means algorithms, APDPk-means has better performance in availability and quality of the clustering result under the same level of privacy protection.

We investigate how to protect features corresponding to personal information using homomorphic encryption when matching people in several camera views. Homomorphic encryption can compute a distance between features without decryption. Thus, our method is able to use a computing server on a public network while protecting personal information. To apply homomorphic encryption, our method uses linear quantization to represent each element of the feature as integers. Experimental results show that there is no significant difference in the accuracy of person re-identification with or without homomorphic encryption and linear quantization.

In recent decades, data protection (PPDM), which not only hides information, but also provides information that is useful to make decisions, has become a critical concern. We present a sanitization algorithm with the consideration of four side effects based on multi-objective PSO and hierarchical clustering methods to find optimized solutions for PPDM. Experiments showed that compared to existing approaches, the designed sanitization algorithm based on the hierarchical clustering method achieves satisfactory performance in terms of hiding failure, missing cost, and artificial cost.

Cryptography is widely adopted in computer systems to protect the confidentiality of sensitive information. The security relies on the assumption that cryptography keys are never leaked, which may be broken by the memory disclosure attacks, e.g., the Heartbleed and coldboot attacks. Various schemes are proposed to defend against memory disclosure attacks, e.g., performing the cryptographic computations in registers, or adopting the hardware features (e.g., Intel TSX and Intel SGX) to ensure that the plaintext of the cryptography key never appears in memory. However, these schemes are still not widely deployed due to the following limitations: (a) Most of the schemes are deployed in the OS kernel and require the root (or administrator) privileges of the host; and (b) They require the programmers to integrate these protection schemes in the implementation of different cryptography algorithms on different platforms. In this paper, we propose a tool implemented in Clang/LLVM, named Peapods, which provides the user-mode protection for cryptographic keys in software engines. It introduces one qualifier and three intrinsics for the programmers to specify the sensitive variables and code fragments to be protected, making it easier to be deployed. Peapods adopts transactional memory to protect cryptographic keys, while it is OS-independent and does not require the cryptographic computation performed in the OS kernel. Peapods supports the automatic protection between transactions for better performance. We have implemented the prototype of Peapods. Evaluation results demonstrate that Peapods achieves the design goals with a modest overhead (less than 10%).

The Data Encryption Standard (DES) of the multimedia cryptography possesses the weak point of key conducting that is why it reaches to the triple form of DES. However, the triple DES obtains the better characteristic to secure the protection of data to against the attacks, it still contains an extremely inappropriate performance (speed) and efficiency in doing so. This paper provides the effective performance and the results of a single and triple chaotic cryptography using chaos in digital filter, compare to DES and triple DES. This comparison has been made pair-to-pair of single structure respectively to the triple form. Finally the implementation aspects of a single chaotic cryptography using chaos in digital filter can stand efficiently as better performance speed with the small complexity algorithm, points out the resemblances to DES and triple DES with the similar security confirmation results without reaching to the triple form of the structure. Simulation has been conducted using Matlab simulation with the input of grayscale image.

The confidentiality of data stored in embedded and handheld devices has become an urgent necessity more than ever before. Encryption of sensitive data is a well-known technique to preserve their confidentiality, however it comes with certain costs that can heavily impact the device processing resources. Utilizing multicore processors, which are equipped with current embedded devices, has brought a new era to enhance data confidentiality while maintaining suitable device performance. Encrypting the complete storage area, also known as Full Disk Encryption (FDE) can still be challenging, especially with newly emerging massive storage systems. Alternatively, since the most user sensitive data are residing inside persisting databases, it will be more efficient to focus on securing SQLite databases, through encryption, where SQLite is the most common RDBMS in handheld and embedded systems. This paper addresses the problem of ensuring data protection in embedded and mobile devices while maintaining suitable device performance by mitigating the impact of encryption. We presented here a proposed design for a parallel database encryption system, called SQLite-XTS. The proposed system encrypts data stored in databases transparently on-the-fly without the need for any user intervention. To maintain a proper device performance, the system takes advantage of the commodity multicore processors available with most embedded and mobile devices.

The General Data Protection Regulation mandates data protection in the European Union. This includes data protection by design and having privacy-preserving defaults. This legislation has been in force since May 2018, promising severe consequences for violation. Fulfilling its mandate for data protection is not trivial, though. One approach for realizing this is the use of privacy design patterns. We have recently started consolidating such patterns into useful collections. In this paper we improve a subset of these, constructing a pattern system. This helps to identify contextually appropriate patterns. It better illustrates their application and relation to each other. The pattern system guides software developers, so that they can help users understand how their information system uses personal data. To achieve this, we rewrite our patterns to meet specific requirements. In particular, we add implementability and interconnection, while improving consistency and organization. This results in a system of patterns for informing users.

Power communication network is an important infrastructure of power system. For a large number of widely distributed business terminals and communication terminals. The data protection is related to the safe and stable operation of the whole power grid. How to solve the problem that lots of nodes need a large number of keys and avoid the situation that these nodes cannot exchange information safely because of the lack of keys. In order to solve the problem, this paper proposed a segmentation and combination technology based on quantum key to extend the limited key. The basic idea was to obtain a division scheme according to different conditions, and divide a key into several different sub-keys, and then combine these key segments to generate new keys and distribute them to different terminals in the system. Sufficient keys were beneficial to key updating, and could effectively enhance the ability of communication system to resist damage and intrusion. Through the analysis and calculation, the validity of this method in the use of limited quantum keys to achieve the business data secure transmission of a large number of terminal was further verified.

Software-defined networking (SDN) is a recently developed approach to computer networking that brings a centralized orientation to network control, thereby improving network architecture and management. However, as with any communication environment that involves message transmission among users, SDN is confronted by the ongoing challenge of protecting user privacy. In this “Work in Progress (WIP)” research, we propose an SDN security model that applies the moving target defense (MTD) technique to protect communication links from sensitive data leakages. MTD is a security solution aimed at increasing complexity and uncertainty for attackers by concealing sensitive information that may serve as a gateway from which to launch different types of attacks. The proposed MTD-based security model is intended to protect user identities contained in transmitted messages in a way that prevents network intruders from identifying the real identities of senders and receivers. According to the results from preliminary experiments, the proposed MTD model has potential to protect the identities contained in transmitted messages within communication links. This work will be extended to protect sensitive data if an attacker gets access to the network device.

Covert or low probability of detection communication is crucial to protect user privacy and provide a strong security. We analyze the joint impact of imperfect knowledge of the channel gain (channel uncertainty) and noise power (noise uncertainty) on the average probability of detection error at the eavesdropper and the covert throughput in Rayleigh fading channel. We characterize the covert throughput gain provided by the channel uncertainty as well as the covert throughput loss caused by the channel fading as a function of the noise uncertainty. Our result shows that the channel fading is essential to hiding the signal transmission, particularly when the noise uncertainty is below a threshold and/or the receive SNR is above a threshold. The impact of the channel uncertainty on the average probability of detection error and covert throughput is more significant when the noise uncertainty is larger.

There are over 1 billion websites today, and most of them are designed using content management systems. Cybersecurity is one of the most discussed topics when it comes to a web application and protecting the confidentiality, integrity of data has become paramount. SQLi is one of the most commonly used techniques that hackers use to exploit a security vulnerability in a web application. In this paper, we compared SQLi vulnerabilities found on the three most commonly used content management systems using a vulnerability scanner called Nikto, then SQLMAP for penetration testing. This was carried on default WordPress, Drupal and Joomla website pages installed on a LAMP server (Iocalhost). Results showed that each of the content management systems was not susceptible to SQLi attacks but gave warnings about other vulnerabilities that could be exploited. Also, we suggested practices that could be implemented to prevent SQL injections.

To prevent users' privacy from leakage, more and more mobile devices employ biometric-based authentication approaches, such as fingerprint, face recognition, voiceprint authentications, etc., to enhance the privacy protection. However, these approaches are vulnerable to replay attacks. Although state-of-art solutions utilize liveness verification to combat the attacks, existing approaches are sensitive to ambient environments, such as ambient lights and surrounding audible noises. Towards this end, we explore liveness verification of user authentication leveraging users' lip movements, which are robust to noisy environments. In this paper, we propose a lip reading-based user authentication system, LipPass, which extracts unique behavioral characteristics of users' speaking lips leveraging build-in audio devices on smartphones for user authentication. We first investigate Doppler profiles of acoustic signals caused by users' speaking lips, and find that there are unique lip movement patterns for different individuals. To characterize the lip movements, we propose a deep learning-based method to extract efficient features from Doppler profiles, and employ Support Vector Machine and Support Vector Domain Description to construct binary classifiers and spoofer detectors for user identification and spoofer detection, respectively. Afterwards, we develop a binary tree-based authentication approach to accurately identify each individual leveraging these binary classifiers and spoofer detectors with respect to registered users. Through extensive experiments involving 48 volunteers in four real environments, LipPass can achieve 90.21% accuracy in user identification and 93.1% accuracy in spoofer detection.

The recently applied General Data Protection Regulation (GDPR) aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. Consequently, this deeply affects the factory domain and its human-centric automation paradigm. Especially collaboration of human and machines as well as individual support are enabled and enhanced by processing audio and video data, e.g. by using algorithms which re-identify humans or analyse human behaviour. We introduce most significant impacts of the recent legal regulation change towards the automations domain at a glance. Furthermore, we introduce a representative scenario from production, deduce its legal affections from GDPR resulting in a privacy-aware software architecture. This architecture covers modern virtualization techniques along with authorization and end-to-end encryption to ensure a secure communication between distributes services and databases for distinct purposes.