Biblio

The router's buffer size imposes significant impli-cations on the performance of the network. Network operators nowadays configure the router's buffer size manually and stati-cally. They typically configure large buffers that fill up and never go empty, increasing the Round-trip Time (RTT) of packets significantly and decreasing the application performance. Few works in the literature dynamically adjust the buffer size, but are implemented only in simulators, and therefore cannot be tested and deployed in production networks with real traffic. Previous work suggested setting the buffer size to the Bandwidth-delay Product (BDP) divided by the square root of the number of long flows. Such formula is adequate when the RTT and the number of long flows are known in advance. This paper proposes a system that leverages programmable switches as passive instruments to measure the RTT and count the number of flows traversing a legacy router. Based on the measurements, the programmable switch dynamically adjusts the buffer size of the legacy router in order to mitigate the unnecessary large queuing delays. Results show that when the buffer is adjusted dynamically, the RTT, the loss rate, and the fairness among long flows are enhanced. Additionally, the Flow Completion Time (FCT) of short flows sharing the queue is greatly improved. The system can be adopted in campus, enterprise, and service provider networks, without the need to replace legacy routers.

The ecosystem of the Internet of Things (IoT) continues growing now and covers more and more fields. One of these areas is the Industrial Internet of Things (IIoT) which integrates sensors and actuators, business applications, open web applications, multimedia security systems, positioning, and tracking systems. Each of these components creates its own data stream and has its own parameters of the probability distribution when transmitting information packets. One such distribution, specific to the TrumpfTruPrint 1000 IIoT system, is the beta distribution. We described issues of the processing of such a data flow by an agent model of the \$5\textbackslashtextbackslashtimes5\$ NoC switch fabric. The concepts of modern telecommunication networks 5G/6G imply the processing of “small” data in the place of their origin, not excluding the centralized processing of big data. This process, which involves the transmission, distribution, and processing of data, involves a large number of devices: routers, multiprocessor systems, multi-core systems, etc. We assumed that the data stream is processed by a device with the network structure, such as NoC, and goes to its built-in router. We carried out a study how the average queues of the \$5\textbackslashtextbackslashtimes5\$ router change with changes in the parameters of a data stream that has a beta distribution.

The vast majority of nowadays remote code execution attacks target virtual function tables (vtables). Attackers hijack vtable pointers to change the control flow of a vulnerable program to their will, resulting in full control over the underlying system. In this paper, we present NoVT, a compiler-based defense against vtable hijacking. Instead of protecting vtables for virtual dispatch, our solution replaces them with switch-case constructs that are inherently control-flow safe, thus preserving control flow integrity of C++ virtual dispatch. NoVT extends Clang to perform a class hierarchy analysis on C++ source code. Instead of a vtable, each class gets unique identifier numbers which are used to dispatch the correct method implementation. Thereby, NoVT inherently protects all usages of a vtable, not just virtual dispatch. We evaluate NoVT on common benchmark applications and real-world programs including Chromium. Despite its strong security guarantees, NoVT improves runtime performance of most programs (mean overhead −0.5%, −3.7% min, 2% max). In addition, protected binaries are slightly smaller than unprotected ones. NoVT works on different CPU architectures and protects complex C++ programs against strong attacks like COOP and ShrinkWrap.

When a fault occurs in power grid, the analytic model for power grid fault diagnosis could generate multiple solutions under one or more protective relays (PRs) and/or circuit breakers (CBs) malfunctioning, and/or one or more their alarm information failing. Hence, this paper, calling the electrical quantities, presents an optimal solution discrimination method, which determines the optimal solution by constructing the electrical criteria of suspicious faulty components. Furthermore, combining the established electrical criteria with the existing analytic model, a hierarchical fault diagnosis mode is proposed. It uses the analytic model for the first level diagnosis based on the switching quantities. Thereafter, aiming at multiple solutions, it applies the electrical criteria for the second level diagnosis to determine the diagnostic result. Finally, the examples of fault diagnosis demonstrate the feasibility and effectiveness of the developed method.

This paper develops an adaptive neural network (NN) asymptotic tracking control scheme for nonstrict-feedback switched nonlinear systems with unknown nonlinearities. The NNs are used to dispose the unknown nonlinearities. Different from the published results, the asymptotic convergence character is achieved based on the bound estimation method. By combining some smooth functions with the adaptive backstepping scheme, the asymptotic tracking control strategy is presented. It is proved that the fabricated scheme can guarantee that the system output can asymptotically follow the desired signal, and also that all signals of the entire system are bounded. The validity of the devised scheme is evaluated by a simulation example.

This paper presents an observer-based security control scheme for a Cyber-Physical System (CPS). In the considered system, the feedback channel of the CPS may suffer from Denial-of-Service (DoS). To begin with, a time-delayed switching CPS model is constructed according to two different attack situations. And then, based on the switching model, an observer-based controller is designed in the cyber-layer, Meanwhile, the stability of the closed-loop system is analyzed based on H$ınfty$ stability of switching systems in view of Average Dwell Time (ADT). At last, the performance of the proposed security control scheme is illustrated by an numerical example in Simulation.

With the advancement of VLSI technology, Tiled Chip Multicore Processors (TCMP) with packet switched Network-on-Chip (NoC) have been emerged as the backbone of the modern data intensive parallel systems. Due to tight time-to-market constraints, manufacturers are exploring the possibility of integrating several third-party Intellectual Property (IP) cores in their TCMP designs. Presence of malicious Hardware Trojan (HT) in the NoC routers can adversely affect communication between tiles leading to degradation of overall system performance. In this paper, we model an HT mounted on the input buffers of NoC routers that can alter the destination address field of selected NoC packets. We study the impact of such HTs and analyse its first and second order impacts at the core level, cache level, and NoC level both quantitatively and qualitatively. Our experimental study shows that the proposed HT can bring application to a complete halt by stalling instruction issue and can significantly impact the miss penalty of L1 caches. The impact of re-transmission techniques in the context of HT impacted packets getting discarded is also studied. We also expose the unrealistic assumptions and unacceptable latency overheads of existing mitigation techniques for packet header attacks and emphasise the need for alternative cost effective HT management techniques for the same.

The globalized supply chain in the semiconductor industry raises several security concerns such as IC overproduction, intellectual property piracy and design tampering. Logic locking has emerged as a Design-for-Trust countermeasure to address these issues. Original logic locking proposals provide a high degree of output corruption – i.e., errors on circuit outputs – unless it is unlocked with the correct key. This is a prerequisite for making a manufactured circuit unusable without the designer’s intervention. Since the introduction of SAT-based attacks – highly efficient attacks for retrieving the correct key from an oracle and the corresponding locked design – resulting design-based countermeasures have compromised output corruption for the benefit of better resilience against such attacks. Our proposed logic locking scheme, referred to as SKG-Lock, aims to thwart SAT-based attacks while maintaining significant output corruption. The proposed provable SAT-resilience scheme is based on the novel concept of decoy key-inputs. Compared with recent related works, SKG-Lock provides higher output corruption, while having high resistance to evaluated attacks.

In order to suppress the spread of zero-day virus in the network effectively, a zero-day virus suppression strategy was proposed. Based on the mechanism of zero-day virus transmission and the idea of platform dynamic defense, the corresponding methods of virus transmission suppression are put forward. By changing the platform switching frequency, the scale of zero-day virus transmission and its inhibition effect are simulated in a small-world network model. Theory and computer simulation results show that the idea of platform switching can effectively restrain the spread of virus.

With the proliferation of cloud services, cloud-based image retrieval services enable large-scale image outsourcing and ubiquitous image searching. While enjoying the benefits of the cloud-based image retrieval services, critical privacy concerns may arise in such services since they may contain sensitive personal information. In this paper, we propose an efficient and Privacy-Preserving Image Retrieval scheme with Key Switching Technique (PPIRS). PPIRS utilizes the inner product encryption for measuring Euclidean distances between image feature vectors and query vectors in a privacy-preserving manner. Due to the high dimension of the image feature vectors and the large scale of the image databases, traditional secure Euclidean distance comparison methods provide insufficient search efficiency. To prune the search space of image retrieval, PPIRS tailors key switching technique (KST) for reducing the dimension of the encrypted image feature vectors and further achieves low communication overhead. Meanwhile, by introducing locality sensitive hashing (LSH), PPIRS builds efficient searchable indexes for image retrieval by organizing similar images into a bucket. Security analysis shows that the privacy of both outsourced images and queries are guaranteed. Extensive experiments on a real-world dataset demonstrate that PPIRS achieves efficient image retrieval in terms of computational cost.

This work investigates the impact of mechanical strain on wake-up behavior of planar HfO2 ferroelectric capacitor-based memory. External in-plane strain was applied using a four-point bending tool and strain impact on remanent polarization and coercive voltage of the ferroelectric was monitored. It was established that compressive strain is beneficial for 2Pr improvement, while tensile strain leads to its degradation, with a sensitivity of -8.4 ± 0.5 % per 0.1 % of strain. Strain-induced polarization rotation is considered to be the most likely mechanism affecting 2Pr At the same time, no strain impact on Vcwas observed in the investigated strain range. The results seen here can be utilized to undertake stress engineering of ferroelectric memory in order to improve its performance.

This work introduces a new microcomputing node with long-term resistant data security, based on asymmetric and symmetric encryption combined with the modern and established scripting language Python. The presented microcomputing node integrates a MicroPython runtime environment to address a wide audience of application engineers as user base instead of a selected group of embedded engineers, who have deep knowledge in programming IoT devices using C/C++. It combines its scripting capabilities with security features of modern smartcards and secure cellular networking based on 4G.

Attacks on mobile devices have gained a significant amount of attention lately. This is because more and more individuals are switching to smartphones from traditional non-smartphones. Therefore, attackers or cybercriminals are now getting on the bandwagon to have an opportunity at obtaining information stored on smartphones. In this paper, we present an Android mobile application that will aid to minimize data exfiltration from attacks, such as, Acoustic Side-Channel Attack, Clipboard Jacking, Permission Misuse and Malicious Apps. This paper will commence its inception with an introduction explaining the current issues in general and how attacks such as side-channel attacks and clipboard jacking paved the way for data exfiltration. We will also discuss a few already existing solutions that try to mitigate these problems. Moving on to the methodology we will emphasize how we came about the solution and what methods we followed to achieve the end goal of securing the smartphone. In the final section, we will discuss the outcomes of the project and conclude what needs to be done in the future to enhance this project so that this mobile application will continue to keep the user's data safe from the criminals' grasps.

Distributed denial of service attacks are still one of the greatest threats for computer systems and networks. We propose an intelligent moving target solution against DDOS flooding attacks. Our solution will use a fast-flux approach combined with moving target techniques to increase attack cost and complexity by bringing dynamics and randomization in network address space. It continually increases attack costs and makes it harder and almost infeasible for botnets to launch an attack. Along with performing selective proxy server replication and shuffling clients among this proxy, our solution can successfully separate and isolate attackers from benign clients and mitigate large-scale and complex flooding attacks. Our approach effectively stops both network and application-layer attacks at a minimum cost. However, while we try to make prevalent attack launches difficult and expensive for Bot Masters, this approach is good enough to combat zero-day attacks, too. Using DNS capabilities to change IP addresses frequently along with the proxy servers included in the proposed architecture, it is possible to hide the original server address from the attacker and invalidate the data attackers gathered during the reconnaissance phase of attack and make them repeat this step over and over. Our simulations demonstrate that we can mitigate large-scale attacks with minimum possible cost and overhead.

Software Defined Network (SDN) is a new paradigm in network architecture. The basic concept of SDN itself is to separate the control plane and forwarding plane explicitly. In the last few years, SDN technology has become one of the exciting topics for researchers, the development of SDN which was carried out, one of which was implementing the Internet of Things (IoT) devices in the SDN network architecture model. Mininet-IoT is developing the Mininet network emulator by adding virtualized IoT devices, 6LoWPAN based on wireless Linux standards, and 802.15.4 wireless simulation drivers. Mininet-IoT expands the Mininet code class by adding or modifying functions in it. This research will discuss the performance of the 6LoWPAN device on the internet of things (IoT) network by applying the SDN paradigm. We use the Mininet-IoT emulator and the Open Network Operating System (ONOS) controller using the internet of things (IoT) IPv6 forwarding. Performance testing by comparing some of the topologies of the addition of host, switch, and cluster. The test results of the two scenarios tested can be concluded; the throughput value obtained has decreased compared to the value of back-traffic traffic. While the packet loss value obtained is on average above 15%. Jitter value, delay, throughput, and packet loss are still in the category of enough, good, and very good based on TIPHON and ITU-T standards.

ARP-attack often occurs in LAN network [1], which directly affects the user's online experience. The common type of ARP-attack is MITM-Attack (Man-in-the-Middle Attack) with two-types, disguising a host or a gateway. Common means of ARP-attack prevention is by deploying network-security equipment or binding IP-MAC in LAN manually[10]. This paper studies an automatic ARP-attack prevention technology for multi-object, based on the domain-control technology and batch-processing technology. Compared with the common ARP-attack-prevention measure, this study has advantages of low-cost, wide-application, and maintenance-free. By experimentally researching, this paper demonstrates the research correctness and technical feasibility. This research result, multi-object-oriented automatic defense technology for ARP-attacking, can apply to enterprise network.

Software Defined Networking (SDN) is disruptive networking technology which adopts a centralised framework to facilitate fine-grained network management. However security in SDN is still in its infancy and there is need for significant work to deal with different attacks in SDN. In this paper we discuss some of the possible attacks on SDN switches and propose techniques for detecting the attacks on switches. We have developed a Switch Security Application (SSA)for SDN Controller which makes use of trusted computing technology and some additional components for detecting attacks on the switches. In particular TPM attestation is used to ensure that switches are in trusted state during boot time before configuring the flow rules on the switches. The additional components are used for storing and validating messages related to the flow rule configuration of the switches. The stored information is used for generating a trusted report on the expected flow rules in the switches and using this information for validating the flow rules that are actually enforced in the switches. If there is any variation to flow rules that are enforced in the switches compared to the expected flow rules by the SSA, then, the switch is considered to be under attack and an alert is raised to the SDN Administrator. The administrator can isolate the switch from network or make use of trusted report for restoring the flow rules in the switches. We will also present a prototype implementation of our technique.

The new network based on software-defined network SDN and network function virtualization NFV will replace the traditional network, so it is urgent to study the network security architecture based on the new network environment. This paper presents a software - defined security SDS architecture. It is open and universal. It provides an open interface for security services, security devices, and security management. It enables different network security vendors to deploy security products and security solutions. It can realize the deployment, arrangement and customization of virtual security function VSFs. It implements fine-grained data flow control and security policy management. The author analyzes the different types of attacks that different parts of the system are vulnerable to. The defender can disable the network attacks by changing the server-side security configuration scheme. The future research direction of network security is put forward.

In many-cores based on Network-on-Chip (NoC), several applications execute simultaneously, sharing computation, communication and memory resources. This resource sharing leads to security and trust problems. Hardware Trojans (HTs) may steal sensitive information, degrade system performance, and in extreme cases, induce physical damages. Methods available in the literature to prevent attacks include firewalls, denial-of-service detection, dedicated routing algorithms, cryptography, task migration, and secure zones. The goal of this paper is to add an HT in an NoC, able to execute three types of attacks: packet duplication, block applications, and misrouting. The paper qualitatively evaluates the attacks' effect against methods available in the literature, and its effects showed in an NoC-based many-core. The resulting system is an open-source NoC-based many-core for researchers to evaluate new methods against HT attacks.

Multicast on-chip communication is encountered in various cache-coherence protocols targeting multi-core processors, and its pervasiveness is increasing due to the proliferation of machine learning accelerators. In-network handling of multicast traffic imposes additional switching-level restrictions to guarantee deadlock freedom, while it stresses the allocation efficiency of Network-on-Chip (NoC) routers. In this work, we propose a novel NoC router microarchitecture, called SmartFork, which employs a versatile and cost-efficient multicast packet replication scheme that allows the design of high-throughput and low-cost NoCs. The design is adapted to the average branch splitting observed in real-world multicast routing algorithms. Compared to state-of-the-art NoC multicast approaches, SmartFork is demonstrated to yield higher performance in terms of latency and throughput, while still offering a cost-effective implementation.

Existing methods for home security monitoring depend on expensive custom battery-powered solutions. In this article, we present a battery-free solution that leverages any off-the-shelf passive radio frequency identification (RFID) tag for real-time entry detection. Sensor consists of a printed RFID antenna on paper, coupled to a magnetic reed switch and is affixed on the door. Opening of the door triggers the reed switch causing RFID signal transmission detected by any off-the-shelf passive RFID reader. This paper shows simulation and experimental results for such magnetically-actuated RFID (or magRFID) opening sensor.

DDoS attacks are pre-dominant in traditional networks, they are used to bring down the services of important servers in the network, thereby affecting its performance. One such kind of attack is HTTP GET Flood DDoS attack in which a lot of HTTP GET request messages are sent to the victim web server, overwhelming its resources and bringing down its services to the legitimate clients. The solution to such attacks in traditional networks is usually implemented at the servers, but this consumes its resources which could otherwise be used to process genuine client requests. Software Defined Network (SDN) is a new network architecture that helps to deal with these attacks in a different way. In SDN the mitigation can be done using the controller without burdening the server. In this paper, we first show how an HTTP GET Flood DDoS attack can be performed on the webserver in an SDN environment and then propose a solution to mitigate the same with the help of the SDN controller. At the server, the attack is detected by checking the number of requests arriving to the web server for a certain period of time, if the number of request is greater than a particular threshold then the hosts generating such attacks will be blocked for the attack duration.

Using erasure codes increases consumption of network traffic and disk I/O tremendously when systems recover data, resulting in high latency of degraded reads. In order to mitigate this problem, we present an adaptive storage scheme based on data access skew, a fact that most data accesses are applied in a small fraction of data. In this scheme, we use both Local Reconstruction Code (LRC), whose recovery cost is low, to store frequently accessed data, and Hitchhiker (HH) code, which guarantees minimum storage cost, to store infrequently accessed data. Besides, an efficient switching algorithm between LRC and HH code with low network and computation costs is provided. The whole system will benefit from low degraded read latency while keeping a low storage overhead, and code-switching will not become a bottleneck.

In order to improve the reliability of power supply in adjacent hydropower stations, the auxiliary power systems of the two stations are connected through a contact transformer. The magnetizing inrush current generated by the connecting transformer of a hydropower station has the characteristics of high frequency, strong energy, and multi-coupling. The harm caused by the connecting transformer is huge. In order to prevent misoperation during the closing process of the connecting transformer, this article aims at the problem of setting the switching current of the connecting transformer of the two hydropower stations, and establishes the analysis model of the excitation inrush current with SimPowerSystem software, and carries out the quantitative simulation calculation of the excitation inrush current of the connecting transformer. A setting strategy for overcurrent protection of tie transformers to suppress the excitation inrush current is proposed. Under the conditions of changing switch closing time, generator load, auxiliary transformer load, tie transformer core remanence, the maximum amplitude of the excitation inrush current is comprehensively judged Value, and then achieve the suppression of the excitation inrush current, and accurately determine the protection setting of the switch.

Path-tracking is essential to provide complete information regarding network breach incidents. It records the direction of the attack and its source of origin thus giving the network manager proper information for the next responses. Nevertheless, the existing path-tracking implementations expose the network topology and routing configurations. In this paper, we propose a privacy-aware path-tracking which mystifies network configurations using in-packet bloom filter. We apply our method by using P4 switch to supports a fine-grain (per-packet) path-tracking with dynamic adaptability via in-switch bloom filter computation. We use a hybrid scheme which consists of a destination-based logging and a path finger print-based marking to minimize the redundant path inferring caused by the bloom filter's false positive. For evaluation, we emulate the network using Mininet and BMv2 software switch. We deploy a source routing mechanism to run the evaluations using a limited testbed machine implementing Rocketfuel topology. By using the hybrid marking and logging technique, we can reduce the redundant path to zero percent, ensuring no-collision in the path-inferring. Based on the experiments, it has a lower space efficiency (56 bit) compared with the bloom filter-only solution (128 bit). Our proposed method guarantees that the recorded path remains secret unless the secret keys of every switch are known.