Biblio

As the number of Internet users increases, their usage also diversifies, and it is important to prevent Identity on the Internet (Digital Identity) from being violated. Unauthorized authentication is one of the methods to infringe Digital Identity. Multi-factor authentication has been proposed as a method for preventing unauthorized authentication. However, the cryptographic authenticator required for multi-factor authentication is expensive both financially and UX-wise for the user. In this paper, we design, implement and evaluate multi-factor authentication using My Number Card provided by public personal identification service and WebUSB, which is being standardized.

SSL certificates are a core component of the public key infrastructure that underpins encrypted communication in the Internet. In this paper, we report the results of a longitudinal study of the characteristics of SSL certificate chains presented to clients during secure web (HTTPS) connection setup. Our data set consists of 23B SSL certificate chains collected from a global panel consisting of over 2M residential client machines over a period of 6 months. The data informing our analyses provide perspective on the entire chain of trust, including root certificates, across a wide distribution of client machines. We identify over 35M unique certificate chains with diverse relationships at all levels of the PKI hierarchy. We report on the characteristics of valid certificates, which make up 99.7% of the total corpus. We also examine invalid certificate chains, finding that 93% of them contain an untrusted root certificate and we find they have shorter average chain length than their valid counterparts. Finally, we examine two unintended but prevalent behaviors in our data: the deprecation of root certificates and secure traffic interception. Our results support aspects of prior, scan-based studies on certificate characteristics but contradict other findings, highlighting the importance of the residential client-side perspective.

In this paper, development of cyber communication package in the application of grid connected solar system has been presented. Here, implemented communication methodology supports communication process with reduced latency, high security arrangement with various degrees of freedom. Faithful transferring of various electrical data for the purpose of measurement, monitoring and controlling actions depend on the bidirectional communication strategy. Thus, real-time communication of data through cyber network has been emphasized in this paper. The C\# language based coding is done to develop the communication program. The notable features of proposed communication process are reduction of latency during data exchange by usage of advanced encryption standard (AES) algorithm, tightening of cyber security arrangement by implementing secured socket layer (SSL) and Rivest, Shamir and Adleman (RSA) algorithms. Various real-time experiments using internet connected computers have been done to verify the usability of the proposed communication concept along with its notable features in the application.

In this paper, we present a combinatorial testing methodology for testing web applications in regards to SQL injection vulnerabilities. We describe three attack grammars that were developed and used to generate concrete attack vectors. Furthermore, we present and evaluate two different oracles used to observe the application's behavior when subjected to such attack vectors. We also present a prototype tool called SQLInjector capable of automated SQL injection vulnerability testing for web applications. The developed methodology can be applied to any web application that uses server side scripting and HTML for handling user input and has a SQL database backend. Our approach relies on the use of a database proxy, making this a gray-box testing method. We establish the effectiveness of the proposed tool with the WAVSEP verification framework and conduct a case study on real-world web applications, where we are able to discover both known vulnerabilities and additional previously undiscovered flaws.

Stealing confidential information from a database has become a severe vulnerability issue for web applications. The attacks can be prevented by defining a whitelist of SQL queries issued by web applications and detecting queries not in list. For large-scale web applications, automated generation of the whitelist is conducted because manually defining numerous query patterns is impractical for developers. Conventional methods for automated generation are unable to detect attacks immediately because of the long time required for collecting legitimate queries. Moreover, they require application-specific implementations that reduce the versatility of the methods. As described herein, we propose a method to generate a whitelist automatically using queries issued during web application tests. Our proposed method uses the queries generated during application tests. It is independent of specific applications, which yields improved timeliness against attacks and versatility for multiple applications.

In the last few years, the usage and dependency on web applications and websites has significantly increased across a number of different areas such as online banking, shopping, financial transactions etc. amongst the several other areas. This has even directly multiplied the threat of SQL injection issue. A number of past studies have suggested that SQL injection should be handled as effectively as possible in order to avoid long term threats and dangers. This paper in specific attempts to discuss and evaluate some of the main SQL injection prevention methods.

SQL injection attacks are a kind of the greatest security risks on Web applications. Much research has been done to detect SQL injection attacks by rule matching and syntax tree. However, due to the complexity and variety of SQL injection vulnerabilities, these approaches fail to detect unknown and variable SQL injection attacks. In this paper, we propose a model, ATTAR, to detect SQL injection attacks using grammar pattern recognition and access behavior mining. The most important idea of our model is to extract and analyze features of SQL injection attacks in Web access logs. To achieve this goal, we first extract and customize Web access log fields from Web applications. Then we design a grammar pattern recognizer and an access behavior miner to obtain the grammatical and behavioral features of SQL injection attacks, respectively. Finally, based on two feature sets, machine learning algorithms, e.g., Naive Bayesian, SVM, ID3, Random Forest, and K-means, are used to train and detect our model. We evaluated our model on these two feature sets, and the results show that the proposed model can effectively detect SQL injection attacks with lower false negative rate and false positive rate. In addition, comparing the accuracy of our model based on different algorithms, ID3 and Random Forest have a better ability to detect various kinds of SQL injection attacks.

In recent years, websites that incorporate user reviews, such as Amazon, IMDB and YELP, have become exceedingly popular. As an important factor affecting users purchasing behavior, review information has been becoming increasingly important, and accordingly, the reliability of review information becomes an important issue. This paper proposes a method to more accurately detect the appearance period of spam reviews and to identify the spam reviews by verifying the consistency of review information among multiple review sites. Evaluation experiments were conducted to show the accuracy of the detection results, and compared the newly proposed method with our previously proposed method.

Comment spam is one of the great challenges faced by forum administrators. Detecting and blocking comment spam can relieve the load on servers, improve user experience and purify the network conditions. This paper focuses on the detection of comment spam. The behaviors of spammer and the content of spam were analyzed. According to analysis results, two types of effective features are extracted which can make a better description of spammer characteristics. Additionally, a gradient boosting tree algorithm was used to construct the comment spam detector based on the extracted features. Our proposed method is examined on a blog spam dataset which was published by previous research, and the result illustrates that our method performs better than the previous method on detection accuracy. Moreover, the CPU time is recorded to demonstrate that the time spent on both training and testing maintains a small value.

Emails are the fundamental unit of web applications. There is an exponential growth in sending and receiving emails online. However, spam mail has turned into an intense issue in email correspondence condition. There are number of substance based channel systems accessible to be specific content based filter(CBF), picture based sifting and many other systems to channel spam messages. The existing technological solution consists of a combination of porter stemer algorithm(PSA) and k means clustering which is adaptive in nature. These procedures are more expensive in regard of the calculation and system assets as they required the examination of entire spam message and calculation of the entire substance of the server. These are the channels must additionally not powerful in nature life on the grounds that the idea of spam block mail and spamming changes much of the time. We propose a starting point based spam mail-sifting system benefit, which works considering top head notcher data of the mail message paying little respect to the body substance of the mail. It streamlines the system and server execution by increasing the precision, recall and accuracy than the existing methods. To design an effective and efficient of autonomous and efficient spam detection system to improve network performance from unknown privileged user attacks.

E-mail is widespread and an essential communication technology in modern times. Since e-mail has problems with spam mails and spoofed e-mails, countermeasures are required. Although SPF, DKIM and DMARC have been proposed as sender domain authentication, these mechanisms cannot detect non-spoofing spam mails. To overcome this issue, this paper proposes a method to detect spam domains by supervised learning with features extracted from e-mail reception log and active DNS data, such as the result of Sender Authentication, the Sender IP address, the number of each DNS record, and so on. As a result of the experiment, our method can detect spam domains with 88.09% accuracy and 97.11% precision. We confirmed that our method can detect spam domains with detection accuracy 19.40% higher than the previous study by utilizing not only active DNS data but also e-mail reception log in combination.

The Internet has gradually penetrated into the national economy, politics, culture, military, education and other fields. Due to its openness, interconnectivity and other characteristics, the Internet is vulnerable to all kinds of malicious attacks. The research uses a honeynet to collect attacker information, and proposes a network penetration recognition technology based on interactive behavior analysis. Using Sebek technology to capture the attacker's keystroke record, time series modeling of the keystroke sequences of the interaction behavior is proposed, using a Recurrent Neural Network. The attack recognition method is constructed by using Long Short-Term Memory that solves the problem of gradient disappearance, gradient explosion and long-term memory shortage in ordinary Recurrent Neural Network. Finally, the experiment verifies that the short-short time memory network has a high accuracy rate for the recognition of penetration attacks.

More and more industrial devices are expected to connect to the internet seamlessly. IPv6-based industrial wireless network can solve the address resources limitation problem. It is a challenge about how to ensure the wireless node join security after introducing the IPv6. In this paper, we propose a multiple nodes join mechanism, which includes a timeslot allocation method and secure join process for the IPv6 over IEEE 802.15.4e network. The timeslot allocation method is designed in order to configure communication resources in the join process for the new nodes. The test platform is implemented to verify the feasibility of the mechanism. The result shows that the proposed mechanism can reduce the communication cost for multiple nodes join process and improve the efficiency.

The emergence of IPv6 protocol extends the address pool, but it also exposes all the Internet-connected devices to danger. Currently, there are some traditional schemes on security management of network addresses, such as prevention, traceability and encryption authentication, but few studies work on IPv6 protocol. In this paper, we propose a hierarchical authentication mechanism for the IPv6 source address with the technology of software defined network (SDN). This mechanism combines the authentication of three parts, namely the access network, the intra-domain and the inter-domain. And it can provide a fine-grained security protection for the devices using IPv6 addresses.

Network attacks have become a growing threat to the current Internet. For the enhancement of network security and accountability, it is urgent to find the origin and identity of the adversary who misbehaves in the network. Some studies focus on embedding users' identities into IPv6 addresses, but such design cannot support the Stateless Address Autoconfiguration (SLAAC) protocol which is widely deployed nowadays. In this paper, we propose SDN-Ti, a general solution to traceback and identification for attackers in IPv6 networks based on Software Defined Network (SDN). In our proposal, the SDN switch performs a translation between the source IPv6 address of the packet and its trusted ID-encoded address generated by the SDN controller. The network administrator can effectively identify the attacker by parsing the malicious packets when the attack incident happens. Our solution not only avoids the heavy storage overhead and time synchronism problems, but also supports multiple IPv6 address assignment scenarios. What's more, SDN-Ti does not require any modification on the end device, hence can be easily deployed. We implement SDN-Ti prototype and evaluate it in a real IPv6 testbed. Experiment results show that our solution only brings very little extra performance cost, and it shows considerable performance in terms of latency, CPU consumption and packet loss compared to the normal forwarding method. The results indicate that SDN-Ti is feasible to be deployed in practice with a large number of users.

Accountability and privacy are considered valuable but conflicting properties in the Internet, which at present does not provide native support for either. Past efforts to balance accountability and privacy in the Internet have unsatisfactory deployability due to the introduction of new communication identifiers, and because of large-scale modifications to fully deployed infrastructures and protocols. The IPv6 is being deployed around the world and this trend will accelerate. In this paper, we propose a private and accountable proposal based on IPv6 called PAVI that seeks to bootstrap accountability and privacy to the IPv6 Internet without introducing new communication identifiers and large-scale modifications to the deployed base. A dedicated quantitative analysis shows that the proposed PAVI achieves satisfactory levels of accountability and privacy. The results of evaluation of a PAVI prototype show that it incurs little performance overhead, and is widely deployable.

The current global Internet USES the TCP/IP protocol cluster, the current version is IPv4. The IPv4 is with 32-bit addresses, the maximum number of computers connected to the Internet in the world is 232. With the development of Internet of things, big data and cloud storage and other technologies, the limited address space defined by IPv4 has been exhausted. To expand the address space, the IETF designed the next generation IPv6 to replace IPv4. IPv6 using a 128-bit address length that provides almost unlimited addresses. However, with the development and application of the Internet of things, big data and cloud storage, IPv6 has some shortcomings in its addressing structure design; security and network compatibility, These technologies are gradually applied in recent years, the continuous development of new technologies application show that the IPv6 address structure design ideas have some fatal defects. This paper proposed a route to upgrade the original IPv4 by studying on the structure of IPv6 "spliced address", and point out the defects in the design of IPv6 interface ID and the potential problems such as security holes.

With the rapid development of Internet of Things applications, the power Internet of Things technologies and applications covering the various production links of the power grid "transmission, transmission, transformation, distribution and use" are becoming more and more popular, and the terminal, network and application security risks brought by them are receiving more and more attention. Combined with the architecture and risk of power Internet of Things, this paper first proposes the overall security protection technology system and strategy for power Internet of Things; then analyzes terminal identity authentication and authority control, edge area autonomy and data transmission protection, and application layer cloud fog security management. And the whole process real-time security monitoring; Finally, through the analysis of security risks and protection, the technical difficulties and directions for the security protection of the Internet of Things are proposed.

The growth in Internet usage has increased the use of electronic services requiring users to register their identity on each service they subscribe to. This has resulted in the prevalence of redundant users data on different services. To protect and regulate access by users to these services identity management systems (IdMs)are put in place. IdMs uses frameworks and standards e.g SAML, OAuth and Shibboleth to manage digital identities of users for identification and authentication process for a service provider. However, current IdMs have not been able to address privacy issues (unauthorised and fine-grained access)that relate to protecting users identity and private data on web services. Many implementations of these frameworks are only concerned with the identification and authentication process of users but not authorisation. They mostly give full control of users digital identities and data to identity and service providers with less or no users participation. This results in a less privacy enhanced solutions that manage users available data in the electronic space. This article proposes a user-centred mandate representation system that empowers resource owners to take full of their digital data; determine and delegate access rights using their mobile phone. Thereby giving users autonomous powers on their resources to grant access to authenticated entities at their will. Our solution is based on the OpenID Connect framework for authorisation service. To evaluate the proposal, we've compared it with some related works and the privacy requirements yardstick outlined in GDPR regulation [1] and [2]. Compared to other systems that use OAuth 2.0 or SAML our solution uses an additional layer of security, where data owner assumes full control over the disclosure of their identity data through an assertion issued from their mobile phones to authorisation server (AS), which in turn issues an access token. This would enable data owners to assert the authenticity of a request, while service providers and requestors also benefit from the correctness and freshness of identity data disclosed to them.

The emergence of Blockchain technology as the biggest innovations of the 21stcentury, has given rise to new concepts of Identity Management to deal with the privacy and security challenges on the one hand, and to enhance the decentralization and user control in transactions on Blockchain infrastructures on the other hand. This paper investigates and gives analysis of the most popular Identity Management Systems using Blockchain: uPort, Sovrin, and ShoCard. It then evaluates them under a set of features of digital identity that characterizes the successful of an Identity Management solution. The result of the comparative analysis is presented in a concise way to allow readers to find out easily which systems satisfy what requirements in order to select the appropriate one to fit into a specific scenario.

The Information-Centric Network possessing the content-centric features, is the innovative architecture of the next generation of network. Collaborating with fog computing characterized by its strong edge power, ICN will become the development trend of the future network. The emergence of Information-Centric Multimedia Network (ICMN) can meet the increasing demand for transmission of multimedia streams in the current Internet environment. The data transmission has become more delay-constrained and convenient because of the distributed storage, the separation between the location of information and terminals, and the strong cacheability of each node in ICN. However, at the same time, the security of the multimedia streams in the delivery process still requires further protection against wiretapping, interception or attacking. In this paper, we propose the delay-constrained green security communications for ICMN based on chaotic encryption and fog computing so as to transmit multimedia streams in a more secure and time-saving way. We adapt a chaotic cryptographic method to ICMN, implementing the encryption and decryption of multimedia streams. Meanwhile, the network edge capability to process the encryption and decryption is enhanced. Thanks to the fog computing, the strengthened transmission speed of the multimedia streams can fulfill the need for short latency. The work in the paper is of great significance to improve the green security communications of multimedia streams in ICMN.

Being the revolutionary future networking architecture, information-centric networking (ICN) conducts network distribution based on content, which is ideally suitable for Internet of things (IoT). With the rapid growth of network traffic, compared to the conventional IoT, information-centric Internet of things (IC-IoT) is expected to provide users with the better satisfaction of the network quality of service (QoS). However, due to IC-IoT requirements of low latency, large data volume, marginalization, and intelligent processing, it urgently needs an efficient content distribution system. In this paper, we propose an edge learning based green content distribution scheme for IC-IoT. We implement intelligent path selection based on decision tree and edge calculation. Moreover, we apply distributed coding based content transmission to enhance the speed and recovery capability of content. Meanwhile, we have verified the effectiveness and performance of this scheme based on a large number of simulation experiments. The work of this paper is of great significance to improve the efficiency and flexibility of content distribution in IC-IoT.

Network Function Virtualization (NFV) is a novel paradigm which enables the deployment of network functions on commodity hardware. As such, it also stands for a deployment en-abler for any novel networking function or networking paradigm such as Named Data Networking (NDN), the most promising solution relying on the Information-Centric Networking (ICN) paradigm. However, dedicated solutions for the security and performance orchestration of such an emerging paradigm are still lacking thus preventing its adoption by network operators. In this paper, we propose a first step toward a content-oriented orchestration whose purpose is to deploy, manage and secure an NDN virtual network. We present the way we leverage the TOSCA standard, using a crafted NDN oriented extension to enable the specification of both deployment and operational behavior requirements of NDN services. We also highlight NDN-related security and performance policies to produce counter-measures against anomalies that can either come from attacks or performance incidents.

Information-centric networking (ICN) is a novel networking architecture with subscription-based naming mechanism and efficient caching, which has abundant semantic features. However, existing defense studies in ICN fails to isolate or block efficiently novel content threats including malicious penetration and semantic obfuscation for the lack of researches considering ICN semantic features. More importantly, to detect potential threats, existing security works in ICN fail to use semantic reasoning to construct security knowledge-based defense mechanism. Thus ICN needs a smart and content-based defense mechanism. Current works are not able to block content threats implicated in semantics. Additionally, based on traditional computing resources, they are incompatible with ICN protocols. In this paper, we propose smart reasoning based content threat defense for semantics knowledge enhanced ICN. A fog computing based defense mechanism with content semantic awareness is designed to build ICN edge defense system. In addition, smart reasoning algorithms is proposed to detect implicit knowledge and semantic relations in packet names and contents with context communication content and knowledge graph. On top of inference knowledge, the mechanism can perceive threats from ICN interests. Simulations demonstrate the validity and efficiency of the proposed mechanism.

Named Data Networking (NDN) is a promising candidate for future internet architecture. It is one of the implementations of the Information-Centric Networking (ICN) architectures where the focus is on the data rather than the owner of the data. While the data security is assured by definition, these networks are susceptible of various Denial of Service (DoS) attacks, mainly Interest Flooding Attacks (IFA). IFAs overwhelm an NDN router with a huge amount of interests (Data requests). Various solutions have been proposed in the literature to mitigate IFAs; however; these solutions do not make a difference between intentional and unintentional misbehavior due to the network congestion. In this paper, we propose a novel congestion-aware IFA detection and mitigation solution. We performed extensive simulations and the results clearly depict the efficiency of our proposal in detecting truly occurring IFA attacks.