Biblio

Modern computing networks that enable distributed computing are comprised of a wide range of heterogeneous devices with different levels of resources, which are interconnected by different networking technologies and communication protocols. This integration, together with the state of the art technologies, has brought into play new uncertainties, associated with physical world and the cyber space. In heterogeneous networked control systems environments, awareness and resilience are two important properties that these systems should bear and comply with. In this work the problem of resilience enhancement in heterogeneous networked control systems is addressed based on a distributed middleware, which is propped up on a hierarchical multi-agent framework, where each of the constituent agents is devoted to a specific task. The proposed architecture takes into account physical and cyber vulnerabilities and ensures state and context awareness, and a minimum level of acceptable operational performance, in response to physical and cyber disturbances. Experiments on a IPv6-based test-bed proved the relevance and benefits offered by the proposed architecture.

The advent of high performance fog and edge computing and high bandwidth connectivity has brought about changes to Internet-of-Things (IoT) service architectures, allowing for greater quantities of high quality information to be extracted from their environments to be processed. However, recently introduced international regulations, along with heightened awareness among consumers, have strengthened requirements to ensure data security, with significant financial and reputational penalties for organisations who fail to protect customers' data. This paper proposes the leveraging of fog and edge computing to facilitate processing of confidential user data, to reduce the quantity and availability of raw confidential data at various levels of the IoT architecture. This ultimately reduces attack surface area, however it also increases efficiency of the architecture by distributing processing amongst nodes and transmitting only processed data. However, such an approach is vulnerable to device level attacks. To approach this issue, a proposed System Security Manager is used to continuously monitor system resources and ensure confidential data is confined only to parts of the device that require it. In event of an attack, critical data can be isolated and the system informed, to prevent data confidentiality breach.

Attackers can leverage several techniques to compromise computer networks, ranging from sophisticated malware to DDoS (Distributed Denial of Service) attacks that target the application layer. Application layer DDoS attacks, such as Slow Read, are implemented with just enough traffic to tie up CPU or memory resources causing web and application servers to go offline. Such attacks can mimic legitimate network requests making them difficult to detect. They also utilize less volume than traditional DDoS attacks. These low volume attack methods can often go undetected by network security solutions until it is too late. In this paper, we explore the use of machine learners for detecting Slow Read DDoS attacks on web servers at the application layer. Our approach uses a generated dataset based upon Netflow data collected at the application layer on a live network environment. Our Netflow data uses the IP Flow Information Export (IPFIX) standard providing significant flexibility and features. These Netflow features can process and handle a growing amount of traffic and have worked well in our previous DDoS work detecting evasion techniques. Our generated dataset consists of real-world network data collected from a production network. We use eight different classifiers to build Slow Read attack detection models. Our wide selection of learners provides us with a more comprehensive analysis of Slow Read detection models. Experimental results show that the machine learners were quite successful in identifying the Slow Read attacks with a high detection and low false alarm rate. The experiment demonstrates that our chosen Netflow features are discriminative enough to detect such attacks accurately.

Real-Time Ethernet has become the major communication technology for modern automation and industrial control systems. On the one hand, this trend increases the need for an automation-friendly security solution, as such networks can no longer be considered sufficiently isolated. On the other hand, it shows that, despite diverging requirements, the domain of Operational Technology (OT) can derive advantage from high-volume technology of the Information Technology (IT) domain. Based on these two sides of the same coin, we study the challenges and prospects of approaches to communication security in real-time Ethernet automation systems. In order to capitalize the expertise aggregated in decades of research and development, we put a special focus on the reuse of well-established security technology from the IT domain. We argue that enhancing such technology to become automation-friendly is likely to result in more robust and secure designs than greenfield designs. Because of its widespread deployment and the (to this date) nonexistence of a consistent security architecture, we use PROFINET as a showcase of our considerations. Security requirements for this technology are defined and different well-known solutions are examined according their suitability for PROFINET. Based on these findings, we elaborate the necessary adaptions for the deployment on PROFINET.

Deep neural networks are widely used in many walks of life. Techniques such as transfer learning enable neural networks pre-trained on certain tasks to be retrained for a new duty, often with much less data. Users have access to both pre-trained model parameters and model definitions along with testing data but have either limited access to training data or just a subset of it. This is risky for system-critical applications, where adversarial information can be maliciously included during the training phase to attack the system. Determining the existence and level of attack in a model is challenging. In this paper, we present evidence on how adversarially attacking training data increases the boundary of model parameters using as an example of a CNN model and the MNIST data set as a test. This expansion is due to new characteristics of the poisonous data that are added to the training data. Approaching the problem from the feature space learned by the network provides a relation between them and the possible parameters taken by the model on the training phase. An algorithm is proposed to determine if a given network was attacked in the training by comparing the boundaries of parameters distribution on intermediate layers of the model estimated by using the Maximum Entropy Principle and the Variational inference approach.

Recently, the novel networking technology Software-Defined Networking(SDN) and Service Function Chaining(SFC) are rapidly growing, and security issues are also emerging for SDN and SFC. However, the research about security and safety on a novel networking environment is still unsatisfactory, and the vulnerabilities have been revealed continuously. Among these security issues, this paper addresses the ARP Poisoning attack to exploit SFC vulnerability, and proposes a method to defend the attack. The proposed method recognizes the repetitive ARP reply which is a feature of ARP Poisoning attack, and detects ARP Poisoning attack. The proposed method overcomes the limitations of the existing detection methods. The proposed method also detects the presence of an attack more accurately.

DNS based domain name resolution has been known as one of the most fundamental Internet services. In the meanwhile, DNS cache poisoning attacks also have become a critical threat in the cyber world. In addition to Kaminsky attacks, the falsified data from the compromised authoritative DNS servers also have become the threats nowadays. Several solutions have been proposed in order to prevent DNS cache poisoning attacks in the literature for the former case such as DNSSEC (DNS Security Extensions), however no effective solutions have been proposed for the later case. Moreover, due to the performance issue and significant workload increase on DNS cache servers, DNSSEC has not been deployed widely yet. In this work, we propose an advanced detection method against DNS cache poisoning attacks using machine learning techniques. In the proposed method, in addition to the basic 5-tuple information of a DNS packet, we intend to add a lot of special features extracted based on the standard DNS protocols as well as the heuristic aspects such as “time related features”, “GeoIP related features” and “trigger of cached DNS data”, etc., in order to identify the DNS response packets used for cache poisoning attacks especially those from compromised authoritative DNS servers. In this paper, as a work in progress, we describe the basic idea and concept of our proposed method as well as the intended network topology of the experimental environment while the prototype implementation, training data preparation and model creation as well as the evaluations will belong to the future work.

Researchers develop bioassays following rigorous experimentation in the lab that involves considerable fiscal and highly-skilled-person-hour investment. Previous work shows that a bioassay implementation can be reverse engineered by using images or video and control signals of the biochip. Hence, techniques must be devised to protect the intellectual property (IP) rights of the bioassay developer. This study is the first step in this direction and it makes the following contributions: (1) it introduces use of a sieve-valve as a security primitive to obfuscate bioassay implementations; (2) it shows how sieve-valves can be used to obscure biochip building blocks such as multiplexers and mixers; (3) it presents design rules and security metrics to design and measure obfuscated biochips. We assess the cost-security trade-offs associated with this solution and demonstrate practical sieve-valve based obfuscation on real-life biochips.

Internet of Vehicle (IoV) is an essential part of the Intelligent Transportation system (ITS) which is growing exponentially in the automotive industry domain. The term IoV is used in this paper for Internet of Vehicles. IoV is conceptualized for sharing traffic, safety and several other vehicle-related information between vehicles and end user. In recent years, the number of connected vehicles has increased allover the world. Having information sharing and connectivity as its advantage, IoV also faces the challenging task in the cybersecurity-related matters. The future consists of crowded places in an interconnected world through wearable's, sensors, smart phones etc. We are converging towards IoV technology and interactions with crowded space of connected peoples. However, this convergence demands high-security mechanism from the connected crowd as-well-as other connected vehicles to safeguard of proposed IoV system. In this paper, we coin the term of smart people crowd (SPC) and the smart vehicular crowd (SVC) for the Internet of Vehicles (IoV). These specific crowds of SPC and SVC are the potential cyber attackers of the smart IoV. People connected to the internet in the crowded place are known as a smart crowd. They have interfacing devices with sensors and the environment. A smart crowd would also consist of the random number of smart vehicles. With the future converging in to the smart connected framework for crowds, vehicles and connected vehicles, we present a novel cyber-physical surveillance system (CPSS) framework to tackle the security threats in the crowded environment for the smart automotive industry and provide the cyber security mechanism in the crowded places. We also describe an overview of use cases and their security challenges on the Internet of Vehicles.

To enhance the programmability and flexibility of network and service management, the Software-Defined Networking (SDN) paradigm is gaining growing attention by academia and industry. Motivated by its success in wired networks, researchers have recently started to embrace SDN towards developing next generation wireless networks such as Software-Defined Internet of Vehicles (SD-IoV). As the SD-IoV evolves, new security threats would emerge and demand attention. And since the core of the SD-IoV would be the control plane, it is highly vulnerable to Distributed Denial of Service (DDoS) Attacks. In this work, we investigate the impact of DDoS attacks on the controllers in a SD-IoV environment. Through experimental evaluations, we highlight the drastic effects DDoS attacks could have on a SD-IoV in terms of throughput and controller load. Our results could be a starting point to motivate further research in the area of SD-IoV security and would give deeper insights into the problems of DDoS attacks on SD-IoV.

In many industry Internet of Things applications, resources like CPU, memory, and battery power are limited and cannot afford the classic cryptographic security solutions. Silicon physical unclonable function (PUF) is a lightweight security primitive that exploits manufacturing variations during the chip fabrication process for key generation and/or device authentication. However, traditional weak PUFs such as ring oscillator (RO) PUF generate chip-unique key for each device, which restricts their application in security protocols where the same key is required to be shared in resource-constrained devices. In this article, in order to address this issue, we propose a PUF-based key sharing method for the first time. The basic idea is to implement one-to-one input-output mapping with lookup table (LUT)-based interstage crossing structures in each level of inverters of RO PUF. Individual customization on configuration bits of interstage crossing structure and different RO selections with challenges bring high flexibility. Therefore, with the flexible configuration of interstage crossing structures and challenges, crossover RO PUF can generate the same shared key for resource-constrained devices, which enables a new application for lightweight key sharing protocols.

The extensive increase in the number of IoT devices and the massive data generated and sent to the cloud hinder the cloud abilities to handle it. Further, some IoT devices are latency-sensitive. Such sensitivity makes it harder for far clouds to handle the IoT needs in a timely manner. A new technology named "Fog computing" has emerged as a solution to such problems. Fog computing relies on close by computational devices to handle the conventional cloud load. However, Fog computing introduced additional problems related to the trustworthiness and safety of such devices. Unfortunately, the suggested architectures did not consider such problem. In this paper we present a novel self-configuring fog architecture to support IoT networks with security and trust in mind. We realize the concept of Moving-target defense by mobilizing the applications inside the fog using live migrations. Performance evaluations using a benchmark for mobilized applications showed that the added overhead of live migrations is very small making it deployable in real scenarios. Finally, we presented a mathematical model to estimate the survival probabilities of both static and mobile applications within the fog. Moreover, this work can be extended to other systems such as mobile ad-hoc networks (MANETS) or in vehicular cloud computing (VCC).

Vehicular Adhoc Network (VANET), a specialized form of MANET in which safety is the major concern as critical information related to driver's safety and assistance need to be disseminated between the vehicle nodes. The security of the nodes can be increased, if the network availability is increased. The availability of the network is decreased, if there is Denial of Service Attacks (DoS) in the network. In this paper, a packet detection algorithm for the prevention of DoS attacks is proposed. This algorithm will be able to detect the multiple malicious nodes in the network which are sending irrelevant packets to jam the network and that will eventually stop the network to send the safety messages. The proposed algorithm was simulated in NS-2 and the quantitative values of packet delivery ratio, packet loss ratio, network throughput proves that the proposed algorithm enhance the security of the network by detecting the DoS attack well in time.

Location privacy is one of most frequently discussed terms in the mobile devices security breaches and data leaks. With the expected growth of the number of IoT devices, which is 20 billions by 2020., location privacy issues will be further brought to focus. In this paper we give an overview of location privacy implications in wireless networks, mainly focusing on user's Preferred Network List (list of previously used WiFi Access Points) contained within WiFi Probe Request packets. We will showcase the existing work and suggest interesting topics for future work. A chronological overview of sensitive location data we collected on a musical festival in years 2014, 2015, 2017 and 2018 is provided. We conclude that using passive WiFi monitoring scans produces different results through years, with a significant increase in the usage of a more secure Broadcast Probe Request packets and MAC address randomizations by the smartphone operating systems.

The goal of this work was to identify and try to solve some of the vulnerabilities present in the AR Drone 2.0 by Parrot. The approach was to identify how the system worked, find and analyze vulnerabilities and flaws in the system as a whole and in the software, and find solutions to those problems. Analyzing the results of some tests showed that the system has an open WiFi network and the communication between the controller and the drone are unencrypted. Analyzing the Linux operating system that the drone uses, we see that "Pairing Mode" is the only way the system protects itself from unauthorized control. This is a feature that can be easily bypassed. Port scans reveal that the system has all the ports for its services open and exposed. This makes it susceptible to attacks like DoS and takeover. This research also focuses on some of the software vulnerabilities, such as Busybox that the drone runs. Lastly, this paper discuses some of the possible methods that can be used to secure the drone. These methods include securing the messages via SSH Tunnel, closing unused ports, and re-implementing the software used by the drone and the controller.

With the continuous development of the Internet of Vehicles, vehicles are no longer isolated nodes, but become a node in the car network. The open Internet will introduce traditional security issues into the Internet of Things. In order to ensure the safety of the networked cars, we hope to set up an intrusion detection system (IDS) on the vehicle terminal to detect and intercept network attacks. In our work, we designed an intrusion detection system for the Internet of Vehicles based on a convolutional neural network, which can run in a low-powered embedded vehicle terminal to monitor the data in the car network in real time. Moreover, for the case of packet encryption in some car networks, we have also designed a separate version for intrusion detection by analyzing the packet header. Experiments have shown that our system can guarantee high accuracy detection at low latency for attack traffic.

Vehicular ad hoc network is one of most recent research areas to deploy intelligent Transport System. Due to their highly dynamic topology, energy constrained and no central point coordination, routing with minimal delay, minimal energy and maximize throughput is a big challenge. Software Defined Networking (SDN) is new paradigm to improve overall network lifetime. It incorporates dynamic changes with minimal end-end delay, and enhances network intelligence. Along with this, intelligence secure routing is also a major constraint. This paper proposes a novel approach to Energy efficient secured routing protocol for Software Defined Internet of vehicles using Restricted Boltzmann Algorithm. This algorithm is to detect hostile routes with minimum delay, minimum energy and maximum throughput compared with traditional routing protocols.

The evolution of the Internet of Vehicles (IoV) paradigm has recently attracted a lot of researchers and industries. Vehicular Ad Hoc Networks (VANET) is the networking model that lies at the heart of this technology. It enables the vehicles to exchange relevant information concerning road conditions and safety. However, ensuring communication security has been and still is one of the main challenges to vehicles' interconnection. To secure the interconnected vehicular system, many cryptography techniques, communication protocols, and certification and reputation-based security approaches were proposed. Nonetheless, some limitations are still present, preventing the practical implementation of such approaches. In this paper, we first define a set of locally-perceived behavioral reputation parameters that enable a distributed evaluation of vehicles' reputation. Then, we integrate these parameters into the design of a reputation management system to exclude malicious or faulty vehicles from the IoV network. Our system can help in the prevention of several attacks on the VANET environment such as Sybil and Denial of Service attacks, and can be implemented in a fully decentralized fashion.

With the proposal of the national industrial 4.0 strategy, the integration of industrial control network and Internet technology is getting higher and higher. At the same time, the closeness of industrial control networks has been broken to a certain extent, making the problem of industrial control network security increasingly serious. S7 protocol is a private protocol of Siemens Company in Germany, which is widely used in the communication process of industrial control network. In this paper, an industrial control intrusion detection model based on S7 protocol is proposed. Traditional protocol parsing technology cannot resolve private industrial control protocols, so, this model uses deep analysis algorithm to realize the analysis of S7 data packets. At the same time, in order to overcome the complexity and portability of static white list configuration, this model dynamically builds a white list through white list self-learning algorithm. Finally, a composite intrusion detection method combining white list detection and abnormal behavior detection is used to detect anomalies. The experiment proves that the method can effectively detect the abnormal S7 protocol packet in the industrial control network.

Common vulnerability scoring system (CVSS) is an industry standard that can assess the vulnerability of nodes in traditional computer systems. The metrics computed by CVSS would determine critical nodes and attack paths. However, traditional IT security models would not fit IoT embedded networks due to distinct nature and unique characteristics of IoT systems. This paper analyses the application of CVSS for IoT embedded systems and proposes an improved vulnerability scoring system based on CVSS v3 framework. The proposed framework, named CVSSIoT, is applied to a realistic IT supply chain system and the results are compared with the actual vulnerabilities from the national vulnerability database. The comparison result validates the proposed model. CVSSIoT is not only effective, simple and capable of vulnerability evaluation for traditional IT system, but also exploits unique characteristics of IoT devices.

In this paper, we propose a new method for optimizing the deployment of security solutions within an IoT network. Our approach uses dominating sets and centrality metrics to propose an IoT security framework where security functions are optimally deployed among devices. An example of such a solution is presented based on EndToEnd like encryption. The results reveal overall increased security within the network with minimal impact on the traffic.

With rapid growth of network size and complexity, network defenders are facing more challenges in protecting networked computers and other devices from acute attacks. Traffic visualization is an essential element in an anomaly detection system for visual observations and detection of distributed DoS attacks. This paper presents an interactive visualization system called TVis, proposed to detect both low-rate and highrate DDoS attacks using Heron's triangle-area mapping. TVis allows network defenders to identify and investigate anomalies in internal and external network traffic at both online and offline modes. We model the network traffic as an undirected graph and compute triangle-area map based on incidences at each vertex for each 5 seconds time window. The system triggers an alarm iff the system finds an area of the mapped triangle beyond the dynamic threshold. TVis performs well for both low-rate and high-rate DDoS detection in comparison to its competitors.

We address the problem of distributed state estimation of a linear dynamical process in an attack-prone environment. A network of sensors, some of which can be compromised by adversaries, aim to estimate the state of the process. In this context, we investigate the impact of making a small subset of the nodes immune to attacks, or “trusted”. Given a set of trusted nodes, we identify separate necessary and sufficient conditions for resilient distributed state estimation. We use such conditions to illustrate how even a small trusted set can achieve a desired degree of robustness (where the robustness metric is specific to the problem under consideration) that could otherwise only be achieved via additional measurement and communication-link augmentation. We then establish that, unfortunately, the problem of selecting trusted nodes is NP-hard. Finally, we develop an attack-resilient, provably-correct distributed state estimation algorithm that appropriately leverages the presence of the trusted nodes.

Cloud systems are becoming more complex and vulnerable to attacks. Cyber attacks are also becoming more sophisticated and harder to detect. Therefore, it is increasingly difficult for a single cloud-based intrusion detection system (IDS) to detect all attacks, because of limited and incomplete knowledge about attacks. The recent researches in cyber-security have shown that a co-operation among IDSs can bring higher detection accuracy in such complex computer systems. Through collaboration, a cloud-based IDS can consult other IDSs about suspicious intrusions and increase the decision accuracy. The problem of existing cooperative IDS approaches is that they overlook having untrusted (malicious or not) IDSs that may negatively effect the decision about suspicious intrusions in the cloud. Moreover, they rely on a centralized architecture in which a central agent regulates the cooperation, which contradicts the distributed nature of the cloud. In this paper, we propose a framework that enables IDSs to distributively form trustworthy IDSs communities. We devise a novel decentralized algorithm, based on coalitional game theory, that allows a set of cloud-based IDSs to cooperatively set up their coalition in such a way to make their individual detection accuracy increase, even in the presence of untrusted IDSs.

Multi-tenant cloud networks have various security and monitoring service functions (SFs) that constitute a service function chain (SFC) between two endpoints. SF rule ordering overlaps and policy conflicts can cause increased latency, service disruption and security breaches in cloud networks. Software Defined Network (SDN) based Network Function Virtualization (NFV) has emerged as a solution that allows dynamic SFC composition and traffic steering in a cloud network. We propose an SDN enabled Universal Policy Checking (SUPC) framework, to provide 1) Flow Composition and Ordering by translating various SF rules into the OpenFlow format. This ensures elimination of redundant rules and policy compliance in SFC. 2) Flow conflict analysis to identify conflicts in header space and actions between various SF rules. Our results show a significant reduction in SF rules on composition. Additionally, our conflict checking mechanism was able to identify several rule conflicts that pose security, efficiency, and service availability issues in the cloud network.