Biblio

The security control problem of cyber-physical system (CPS) under actuator attacks is studied in the paper. Considering the strict-feedback cyber-physical systems with external disturbance, a security control scheme is proposed by combining backstepping method and super-twisting sliding mode technology when the transmission control input signal of network layer is under false data injection(FDI) attack. Firstly, the unknown nonlinear function of the CPS is identified by Radial Basis Function Neural Network. Secondly, the backstepping method and super-twisting sliding mode algorithm are combined to eliminate the influence of actuator attack and ensure the robustness of the control system. Then, by Lyapunov stability theory, it is proved that the proposed control scheme can ensure that all signals in the closed-loop system are semi-global and ultimately uniformly bounded. Finally, the effectiveness of the proposed control scheme is verified by the inverted pendulum simulation.

In this paper, a data-driven security detection approach is proposed in a simple manner. The detector is designed to deal with false data injection attacks suffered by industrial cyber-physical systems with unknown model information. First, the attacks are modeled from the perspective of the generalized plant mismatch, rather than the operating data being tampered. Second, some subsystems are selected to reduce the design complexity of the detector, and based on them, an output estimator with iterative form is presented in a theoretical way. Then, a security detector is constructed based on the proposed estimator and its cost function. Finally, the effectiveness of the proposed approach is verified by simulations of a Western States Coordinated Council 9-bus power system.

Since the cyber and physical layers in the distribution system are deeply integrated, the traditional distribution system has gradually developed into the cyber-physical distribution system (CPDS), and the failures of the cyber layer will affect the reliable and safe operation of the whole distribution system. Therefore, this paper proposes an CPDS planning method considering the reliability of the cyber-physical system. First, the reliability evaluation model of CPDS is proposed. Specifically, the functional reliability model of the cyber layer is introduced, based on which the physical equipment reliability model is further investigated. Second, an optimal planning model of CPDS considering cyber-physical random failures is developed, which is solved using the Monte Carlo Simulation technique. The proposed model is tested on the modified IEEE 33-node distribution system, and the results demonstrate the effectiveness of the proposed method.

A methodology for studying the level of security for various types of CPS through the analysis of the consequences was developed during the research process. An analysis of the architecture of cyber-physical systems was carried out, vulnerabilities and threats of specific devices were identified, a list of possible information attacks and their consequences after the exploitation of vulnerabilities was identified. The object of research is models of cyber-physical systems, including IoT devices, microcomputers, various sensors that function through communication channels, organized by cyber-physical objects. The main subjects of this investigation are methods and means of security testing of cyber-physical systems (CPS). The main objective of this investigation is to update the problem of security in cyber-physical systems, to analyze the security of these systems. In practice, the testing methodology for the cyber-physical system “Smart Factory” was implemented, which simulates the operation of a real CPS, with different types of links and protocols used.

Due to the rapid development of cyber-physical systems, there are more and more security problems. The purpose of this work is to develop the concept of a knowledge base in the field of security of cyber-physical systems based on an ontological approach. To create the concept of a knowledge base, it was necessary to consider the system of a cyber-physical system and highlight its structural parts. As a result, the main concepts of the security of a cyber-physical system were identified and the concept of a knowledge base was drawn up, which in the future will help to analyze potential threats to cyber-physical systems.

As cyber-physical systems are becoming more wide spread, it is imperative to secure these systems. In the real world these systems produce large amounts of data. However, it is generally impractical to test security techniques on operational cyber-physical systems. Thus, there exists a need to have realistic systems and data for testing security of cyber-physical systems [1]. This is often done in testbeds and cyber ranges. Most cyber ranges and testbeds focus on traditional network systems and few incorporate cyber-physical components. When they do, the cyber-physical components are often simulated. In the systems that incorporate cyber-physical components, generally only the network data is analyzed for attack detection and diagnosis. While there is some study in using physical signals to detect and diagnosis attacks, this data is not incorporated into current testbeds and cyber ranges. This study surveys currents testbeds and cyber ranges and demonstrates a prototype testbed that includes cyber-physical components and sensor data in addition to traditional cyber data monitoring.

Dual Connectivity is a key approach to achieving optimization of throughput and latency in heterogeneous networks. Originally a technique introduced by the 3rd Generation Partnership Project (3GPP) for terrestrial communications, it is not been widely explored in satellite systems. In this paper, Dual Connectivity is implemented in a multi-orbital satellite network, where a network model is developed by employing the diversity gains from Dual Connectivity and Carrier Aggregation for the enhancement of satellite uplink capacity. An introduction of software defined network controller is performed at the network layer coupled with a carefully designed hybrid resource allocation algorithm which is implemented strategically. The algorithm performs optimum dynamic flow control and traffic steering by considering the availability of resources and the channel propagation information of the orbital links to arrive at a resource allocation pattern suitable in enhancing uplink system performance. Simulation results are shown to evaluate the achievable gains in throughput and latency; in addition we provide useful insight in the design of multi-orbital satellite networks with implementable scheduler design.

Since its inception, the Internet has experienced tremendous speed and functionality improvements. Among these developments are innovative approaches such as the design and deployment of Internet Protocol version six (IPv6) and the continuous modification of TCP. New transport protocols like Stream Communication Transport Protocol (SCTP) and Multipath TCP (MPTCP), which can use multiple data paths, have been developed to overcome the IP-coupled challenge in TCP. However, given the difficulties of packet modifiers over the Internet that prevent the deployment of newly proposed protocols, e.g., SCTP, a UDP innovative approach with QUIC (Quick UDP Internet Connection) has been put forward as an alternative. QUIC reduces the connection establishment complexity in TCP and its variants, high security, stream multiplexing, and pluggable congestion control. Motivated by the gains and acceptability of MPTCP, Multipath QUIC has been developed to enable multipath transmission in QUIC. While several researchers have reviewed the progress of improvement and application of MPTCP, the review on MPQUIC improvement is limited. To breach the gap, this paper provides a brief survey on the practical application and progress of MPQUIC in data communication. We first review the fundamentals of multipath transport protocols. We then provide details on the design of QUIC and MPQUIC. Based on the articles reviewed, we looked at the various applications of MPQUIC, identifying the application domain, tools used, and evaluation parameters. Finally, we highlighted the open research issues and directions for further investigations.

The demand for increasing flexibility use in power systems is stressed by the changing grid utilization. Making use of largely untapped flexibility potential is possible through novel flexibility markets. Different approaches for these markets are being developed and vary considering their handling of transaction schemes and relation of participating entities. This paper delivers the conceptual development of a holistic system architecture for the realization of an interregional flexibility market, which targets a market based congestion management in the transmission and distribution system through trading between system operators and flexibility providers. The framework combines a market mechanism with the required supplements like appropriate control algorithms for emergency situations, cyber-physical system monitoring and cyber-security assessment. The resulting methods are being implemented and verified in a remote-power-hardware-in-the-loop setup coupling a real world low voltage grid with a geographically distant real time simulation using state of the art control system applications with an integration of the aforementioned architecture components.

The excess buffering of packets in network elements, also referred to as bufferbloat, results in high latency. Considering the requirements of traffic generated by video conferencing systems like Zoom, cloud rendered gaming platforms like Google Stadia, or even video streaming services such as Netflix, Amazon Prime and YouTube, timeliness of such traffic is important. Ensuring low latency to IP flows with a high throughput calls for the application of Active Queue Management (AQM) schemes. This introduces yet another problem as the co-existence of scalable and classic congestion controls leads to the starvation of classic TCP flows. Technologies such as Low Latency Low Loss Scalable Throughput (L4S) and the corresponding dual queue coupled AQM, DualPI2, provide a robust solution to these problems. However, their deployment on hardware targets such as programmable switches is quite challenging due to the complexity of algorithms and architectural constraints of switching ASICs. In this study, we provide proof of concept implementations of two AQMs that enable the co-existence of scalable and traditional TCP traffic, namely DualPI2 and the preceding single-queue PI2 AQM, on an Intel Tofino switching ASIC. Given the fixed operation of the switch’s traffic manager, we investigate to what extent it is possible to implement a fully RFC-compliant version of the two AQMs on the Tofino ASIC. The study shows that an appropriate split between control and data plane operations is required while we also exploit fixed functionality of the traffic manager to support such solutions.

Covert channels are data transmission methods that bypass the detection of security mechanisms and pose a serious threat to critical infrastructure. Meanwhile, it is also an effective way to ensure the secure transmission of private data. Therefore, research on covert channels helps us to quickly detect attacks and protect the security of data transmission. This paper proposes covert channels based on the timestamp of the Internet Control Message Protocol echo reply packet in the Linux system. By considering the concealment, we improve our proposed covert channels, ensuring that changing trends in the timestamp of modified consecutive packets are consistent with consecutive regular packets. Besides, we design an Iptables rule based on the current system time to analyze the performance of the proposed covert channels. Finally, it is shown through experiments that the channels complete the private data transmission in the industrial control network. Furthermore, the results demonstrate that the improved covert channels offer better performance in concealment, time cost, and the firewall test.

The modern networking world is being exposed to many risks more frequently every day. Most of systems strongly rely on remaining anonymous throughout the whole endpoint exploitation process. Covert channels represent risk since they ex-ploit legitimate communications and network protocols to evade typical filtering. This firewall avoidance sees covert channels frequently used for malicious communication of intruders with systems they compromised, and thus a real threat to network security. While there are commercial tools to safeguard computer networks, novel applications such as automotive connectivity and V2X present new challenges. This paper focuses on the analysis of the recent ways of using covert channels and detecting them, but also on the state-of-the-art possibilities of protection against them. We investigate observing the timing covert channels behavior simulated via injected ICMP traffic into standard network communications. Most importantly, we concentrate on enhancing firewall with detection and prevention of such attack built-in features. The main contribution of the paper is design for detection timing covert channel threats utilizing detection methods based on statistical analysis. These detection methods are combined and implemented in one program as a simple host-based intrusion detection system (HIDS). As a result, the proposed design can analyze and detect timing covert channels, with the addition of taking preventive measures to block any future attempts to breach the security of an end device.

Can quantum entanglement increase the capacity of (classical) covert channels? To one familiar with Holevo's Theorem it is tempting to think that the answer is obviously no. However, in this work we show: quantum entanglement can in fact increase the capacity of a classical covert channel, in the presence of an active adversary; on the other hand, a zero-capacity channel is not improved by entanglement, so entanglement cannot create ‘purely quantum’ covert channels; the problem of determining the capacity of a given channel in the presence of entanglement is undecidable; but there is an algorithm to bound the entangled capacity of a channel from above, adapted from the semi-definite hierarchy from the theory of non-local games, whose close connection to channel capacity is at the core of all of our results.

We introduce the notion of an application-based covert channel—or ABCC—which provides a formal syntax for describing covert channels that tunnel messages through existing protocols. Our syntax captures many recent systems, including DeltaShaper (PETS 2017) and Protozoa (CCS 2020). We also define what it means for an ABCC to be secure against a passive eavesdropper, and prove that suitable abstractions of existing censorship circumvention systems satisfy our security notion. In doing so, we define a number of important non-cryptographic security assumptions that are often made implicitly in prior work. We believe our formalisms may be useful to censorship circumvention developers for reasoning about the security of their systems and the associated security assumptions required.

In this work, we propose a novel framework to identify and mitigate a recently disclosed covert channel scheme exploiting unprotected broadcast messages in cellular MAC layer protocols. Examples of covert channel are used in data exfiltration, remote command-and-control (CnC) and espionage. Responsibly disclosed to GSMA (CVD-2021-0045), the SPAR-ROW covert channel scheme exploits the downlink power of LTE/5G base-stations that broadcast contention resolution identity (CRI) from any anonymous device according to the 3GPP standards. Thus, the SPARROW devices can covertly relay short messages across long-distance which can be potentially harmful to critical infrastructure. The SPARROW schemes can also complement the solutions for long-range M2M applications. This work investigates the security vs. performance trade-off in CRI-based contention resolution mechanisms. Then it offers a rig-orously designed method to randomly obfuscate CRI broadcast in future 5G/6G standards. Compared to CRI length reduction, the proposed method achieves considerable protection against SPARROW exploitation with less impact on the random-access performance as shown in the numerical results.

As IoT technologies mature, they are increasingly finding their way into more sensitive domains, such as Medical and Industrial IoT, in which safety and cyber-security are paramount. While the number of deployed IoT devices continues to increase annually, they still present severe cyber-security vulnerabilities, turning them into potential targets and entry points to support further attacks. Naturally, as these nodes are compromised, attackers aim at setting up stealthy communication behaviours, to exfiltrate data or to orchestrate nodes of a botnet in a cloaked fashion. Network covert channels are increasingly being used with such malicious intents. The IEEE 802.15.4 is one of the most pervasive protocols in IoT, and a fundamental part of many communication infrastructures. Despite this fact, the possibility of setting up such covert communication techniques on this medium has received very little attention. We aim at analysing the performance and feasibility of such covert-channel implementations upon the IEEE 802.15.4 protocol. This will enable a better understanding of the involved risk and help supporting the development of further cyber-security mechanisms to mitigate this threat.

As the IPv6 protocol has been rapidly developed and applied, the security of IPv6 networks has become the focus of academic and industrial attention. Despite the fact that the IPv6 protocol is designed with security in mind, due to insufficient defense measures of current firewalls and intrusion detection systems for IPv6 networks, the construction of covert channels using fields not defined or reserved in IPv6 protocols may compromise the information systems. By discussing the possibility of constructing storage covert channels within IPv6 protocol fields, 10 types of IPv6 covert channels are constructed with undefined and reserved fields, including the flow label field, the traffic class field of IPv6 header, the reserved fields of IPv6 extension headers and the code field of ICMPv6 header. An IPv6 covert channel detection method based on field matching (CC-Guard) is proposed, and a typical IPv6 network environment is built for testing. In comparison with existing detection tools, the experimental results show that the CC-Guard not only can detect more covert channels consisting of IPv6 extension headers and ICMPv6 headers, but also achieves real-time detection with a lower detection overhead.

In covert communication systems, covert messages can be transmitted without being noticed by the monitors or adversaries. Therefore, the covert communication technology has emerged as a novel method for network authentication, copyright protection, and the evidence of cybercrimes. However, how to design the covert communication in the physical layer of wireless networks and how to improve the channel capacity for the covert communication systems are very challenging. In this paper, we propose a wireless covert communication system, where data streams from the antennas of the transmitter are coded according to a code book to transmit covert and public messages. We adopt a modulation scheme, named covert quadrature amplitude modulation (QAM), to modulate the messages, where the constellation of covert information bits deviates from its normal coordinates. Moreover, the covert receiver can detect the covert information bits according to the constellation departure. Simulation results show that proposed covert communication system can significantly improve the covert data rate and reduce the covert bit error rate, in comparison with the traditional covert communication systems.

Information leaks are a top concern to industry and government leaders. The Internet of Things (IoT) is a rapidly growing technology capable of sensing real-world events. IoT devices lack a common security standard and typically use lightweight security solutions, exposing the sensitive real-world data they gather. Covert channels are a practical method of exfiltrating data from these devices.This research presents a novel IoT covert timing channel (CTC) that encodes data within preexisting network information, namely ports or addresses. This method eliminates the need for inter-packet delays (IPD) to encode data. Seven different encoding methods are implemented between two IoT protocols, TCP/IP and ZigBee. The TCP/IP covert channel is created by mimicking a Ring smart doorbell and implemented using Amazon Web Services (AWS) servers to generate traffic. The ZigBee channel is built by copying a Philips Hue lighting system and executed on an isolated local area network (LAN). Variants of the CTC focus either on Stealth or Bandwidth. Stealth methods mimic legitimate traffic captures to make them difficult to detect while the Bandwidth methods forgo this approach for maximum throughput. Detection results are presented using shape-based and regularity-based detection tests.The Stealth results have a throughput of 4.61 bits per second (bps) for TCP/IP and 3.90 bps for ZigBee. They also evade shape and regularity-based detection tests. The Bandwidth methods average 81.7 Kbps for TCP/IP and 9.76 bps for ZigBee but are evident in detection tests. The results show that CTC using address or port encoding can have superior throughput or detectability compared to IPD-based CTCs.

The traditional ciphertext-policy attribute-based encryption (CP-ABE) has the problems of poor security of key distribution by a single attribute authorization center and too much calculation on the client in the process of encryption and decryption. A CP-ABE scheme that can outsource encryption and decryption and support multi-authorization centers is introduced to solve the above two problems. In the key generation stage, the user's private key is generated by the attribute authorization center and the key generation center jointly executing the two-party secure computing protocol; In the encryption and decryption stage, the cloud encryption server and cloud storage server are used to handle most of the computing work. Security proof and performance analysis show that the scheme not only can effectively make up for the defect of all key leakage when the attribute authorization center is broken, but also can enhance the security of the system; Moreover, after using the cloud server to process data, users only need to perform a simple calculation on the client to complete encryption or decryption, thus reducing the user's computing workload.

The security and reliability of power grid dispatching system is the basis of the stable development of the whole social economy. With the development of information, computer science and technology, communication technology, and network technology, using more advanced intelligent technology to improve the performance of security and reliability of power grid dispatching system has important research value and practical significance. In order to provide valuable references for relevant researchers and for the construction of future power system related applications. This paper summarizes the latest technical status of attribute encryption and hierarchical identity encryption methods, and introduces the access control method based on attribute and hierarchical identity encryption, the construction method of attribute encryption scheme, revocable CP-ABE scheme and its application in power grid data security access control. Combined with multi authorization center encryption, third-party trusted entity and optimized encryption algorithm, the parallel access control algorithm of hierarchical identity and attribute encryption and its application in power grid data security access control are introduced.

With the rapid innovation of cloud computing technologies, which has enhanced the application of the Internet of Things (IoT), smart health (s-health) is expected to enhance the quality of the healthcare system. However, s-health records (SHRs) outsourcing, storage, and sharing via a cloud server must be protected and users attribute privacy issues from the public domain. Ciphertext policy attribute-based encryption (CP-ABE) is the cryptographic primitive which is promising to provide fine-grained access control in the cloud environment. However, the direct application of traditional CP-ABE has brought a lot of security issues like attributes' privacy violations and vulnerability in the future by potential powerful attackers like side-channel and cold-bot attacks. To solve these problems, a lot of CP-ABE schemes have been proposed but none of them concurrently support partially policy-hidden and leakage resilience. Hence, we propose a new Smart Health Records Sharing Scheme that will be based on Partially Policy-Hidden CP-ABE with Leakage Resilience which is resilient to bound leakage from each of many secret keys per user, as well as many master keys, and ensure attribute privacy. Our scheme hides attribute values of users in both secret key and ciphertext which contain sensitive information in the cloud environment and are fully secure in the standard model under the static assumptions.

The data sharing is a helpful and financial assistance provided by CC. Information substance security also rises out of it since the information is moved to some cloud workers. To ensure the sensitive and important data; different procedures are utilized to improve access manage on collective information. Here strategies, Cipher text-policyattribute based encryption (CP-ABE) might create it very helpful and safe. The conventionalCP-ABE concentrates on information privacy only; whereas client's personal security protection is a significant problem as of now. CP-ABE byhidden access (HA) strategy makes sure information privacy and ensures that client's protection isn't exposed also. Nevertheless, the vast majority of the current plans are ineffectivein correspondence overhead and calculation cost. In addition, the vast majority of thismechanism takes no thought regardingabilityauthenticationor issue of security spillescapein abilityverificationstage. To handle the issues referenced over, a security protectsCP-ABE methodby proficient influenceauthenticationis presented in this manuscript. Furthermore, its privacy keys accomplish consistent size. In the meantime, the suggestedplan accomplishes the specific safetyin decisional n-BDHE issue and decisional direct presumption. The computational outcomes affirm the benefits of introduced method.

Ensuring data rights, openness and transaction flow is important in today’s digital economy. Few scholars have studied in the area of data confirmation, it is only with the development of blockchain that it has started to be taken seriously. However, blockchain has open and transparent natures, so there exists a certain probability of exposing the privacy of data owners. Therefore, in this paper we propose a new measure of data confirmation based on Ciphertext-Policy Attribute-Base Encryption(CP-ABE). The information with unique identification of the data owner is embedded in the ciphertext of CP-ABE by paillier homomorphic encryption, and the data can have multiple sharers. No one has access to the plaintext during the whole confirmation process, which reduces the risk of source data leakage.

At present, the ciphertext-policy attribute based encryption (CP-ABE) has been widely used in different fields of data sharing such as cross-border paperless trade, digital government and etc. However, there still exist some challenges including single point of failure, key abuse and key unaccountable issues in CP-ABE. To address these problems. We propose an accountable CP-ABE mechanism based on block chain system. First, we establish two authorization agencies MskCA and AttrVN(Attribute verify Network),where the MskCA can realize master key escrow, and the AttrVN manages and validates users' attributes. In this way, our system can avoid the single point of failure and improve the privacy of user attributes and security of keys. Moreover, in order to realize auditability of CP-ABE key parameter transfer, we introduce the did and record parameter transfer process on the block chain. Finally, we theoretically prove the security of our CP-ABE. Through comprehensive comparison, the superiority of CP-ABE is verified. At the same time, our proposed schemes have some properties such as fast decryption and so on.