Biblio

In this digital era, the usage of technology has increased rapidly and led to the deployment of more innovative technologies for storing and transferring the generated data. The most important aspect of the emerging communication technologies is to ensure the safety and security of the generated huge amount of data. Hence, cryptography is considered as a pathway that can securely transfer and save the data. Cryptography comprises of ciphers that act like an algorithm, where the data is encrypted at the source and decrypted at the destination. This paper comprises of two ciphers namely PRESENT and AES ciphers. In the real-time applications, AES is no more relevant especially for segmenting the organizations that leverage RFID, Sensors and IoT devices. In order to overcome the strategic issues faced by these organization, PRESENT ciphers work appropriately with its super lightweight block figure, which has the equivalent significance to both security and equipment arrangements. This paper compares the AES (Advance encryption standard) symmetric block cipher with PRESENT symmetric block cipher to leverage in the industries mentioned earlier, where the huge consumption of resources becomes a significant factor. For the comparison of different ciphers, the results of area, timing analysis and the waveforms are taken into consideration.

Alongside the rapid expansion of Internet of Things (IoT), and network evolution (5G, 6G technologies), comes the need for security of higher level and less hardware demanding modules. New cryptographic systems are developed, in order to satisfy the special needs of security, that have emerged in modern applications. In this paper, a novel lightweight data streaming system, is proposed, which operates in alternative modes. Each one of them, performs efficiently as one of three in total, stream ciphering modules. The operation of the proposed system, is based on reconfigurable logic. It aims at a lower hardware utilization and good performance, at the same time. In addition, in order to have a fair and detailed comparison, a second one design is also integrated and introduced. This one proposes a conventional architecture, consisting of the same three stream ciphering modes, implemented on the same device, as separate operation modules. The FPGA synthesis results prove that the proposed reconfigurable design achieves to minimize the area resources, from 18% to 30%, compared to the conventional one, while maintaining high performance values, for the supported modes.

Wireless Sensor Networks (WSNs) are attracted great attention in the past decade due to the unlimited number of applications they support. However, security has always been a serious concern for these networks due to the insecure communication links they exploit. In order to mitigate the possible security threats, sophisticated key management schemes must be employed to ensure the generating, distributing and revocation of the cryptographic keys that are needed to implement variety of security measures. In this paper, we propose a novel decentralized key management scheme for hierarchical grid organized WSNs. The main goal of our scheme is to reduce the total number of cryptographic keys stored in sensor nodes while maintaining the desired network connectivity. The performance analysis shows the efficiency of the proposed protocol in terms of communication overhead, storage cost and network connectivity.

Cloud computing has transformed the way of utilizing the computing, storage and network resources as per the user demand. Consequently, the field of robotics performs high complexity tasks that exploit the clouds with the capability to build low-cost light weight and intelligent robots. Recently various researchers have been emerged in the cloud robotics field which are related to offloading computations to the cloud infrastructure, storing and sharing knowledge, coordination and collective learning among robots. However, there are issues related to security and privacy that needs to be addressed while deploying the robotics application in the cloud. Significant research attention is required to build a secure cloud robotic infrastructure. The foremost factor of our research entails the development of standard web services that will allow heterogeneous robots to execute the computationally intense algorithms like map building as a service over the cloud. We have proposed the model that presents the mutual authentication and encryption mechanism for getting access to the hosted robotic services. For mutual authentication, we have used Kerberos module and ECIES (Elliptic Curve Integrated Encryption Scheme) for data encryption. Moreover, we have also performed the cryptanalysis of the proposed protocol by using a Proverif tool. After the cryptanalysis, it is found that our system can also withstand against various type of attacks.

Big data analytics, in essence, is becoming the revolution of business intelligence around the world. This momentum has given rise to the hype around analytic technologies, including Apache Hadoop. Hadoop was not originally developed with security in mind. Despite the evolving efforts to integrate security in Hadoop through developing new tools (e.g., Apache Sentry and Ranger) and employing traditional mechanisms (e.g., Kerberos and LDAP), they mainly focus on providing encryption and authentication features, albeit with limited authorization support. Existing solutions in the literature extended these evolving efforts. However, they suffer from limitations, hindering them from providing robust authorization that effectively meets the unique requirements of big data environments. Towards covering this gap, this paper proposes a hybrid authority (HBD-Authority) as a formal attribute-based access control model with context support. This model is established on a novel hybrid approach of authorization transparency that pertains to three fundamental properties of accuracy: correctness, security, and completeness. The model leverages streaming data analytics to foster distributed parallel processing capabilities that achieve multifold benefits: a) efficiently managing the security policies and promptly updating the privileges assigned to a high number of users interacting with the analytic services; b) swiftly deciding and enforcing authorization of requests over data characterized by the 5Vs; and c) providing dynamic protection for data which is frequently updated. The implementation details and experimental evaluation of the proposed model are presented, demonstrating its performance efficiency.

Data are generated and stored in databases at a very high speed and hence it need to be handled and analyzed properly. Nowadays industries are extensively using Hadoop and Spark to analyze the datasets. Both the frameworks are used for increasing processing speeds in computing huge complex datasets. Many researchers are comparing both of them. Now, the big questions arising are, Is Spark a substitute for Hadoop? Is hadoop going to be replaced by spark in mere future?. Spark is “built on top of” Hadoop and it extends the model to deploy more types of computations which incorporates Stream Processing and Interactive Queries. No doubt, Spark's execution speed is much faster than Hadoop, but talking in terms of fault tolerance, hadoop is slightly more fault tolerant than spark. In this article comparison of various bigdata analytics tools are done and Hadoop and Spark are discussed in detail. This article further gives an overview of bigdata, spark and hadoop issues. In this survey paper, the approaches to resolve the issues of spark and hadoop are discussed elaborately.

In the digital payment system, the transactions and their data about clients are very sensitive, so the security and privacy of personal information of the client is a big concern. The confirmation towards security necessities prevents the data from a stolen and unauthorized person over the digital transactions, So the stronger authentication methods required, which must be based on cryptography. Initially, in the payment ecosystem, they were using the Kerberos protocol, but now different approaches such as Challenge-Handshake Authentication Protocol (CHAP), Tokenization, Two-Factor Authentication(PIN, MPIN, OTP), etc. such protocols are being used in the payment system. This paper presents the use cases of different authentication protocols. Further, the use of these protocols in online payment systems to verify each individual are explained.

As the key platform to deal with big data, Hadoop cannot fully protect data security of users by relying on a single Kerberos authentication mechanism. In addition, the single Namenode has disadvantages such as single point failure, performance bottleneck and poor scalability. To solve these problems, a big data security protection scheme is proposed. In this scheme, blockchain technology is adopted to deploy distributed Namenode server cluster to take joint efforts to safeguard the metadata and to allocate access tasks of users. We also improved the heartbeat model to collect user behavior so as to make a faster response to Datanode failure. The smart contract conducts reasonable allocation of user role through the judgment of user tag and risk value. It also establishes a tracking chain of risk value to monitor user behavior in real time. Experiments show that this scheme can better protect data security in Hadoop. It has the advantage of metadata decentralization and the data is hard to be tampered.

Recent IoT services are being used in various fields such as smart homes, smart factories, smart cars and industrial systems. These various IoT services are implemented through hyper-connected IoT devices, and accordingly, security requirements of these devices are being highlighted. In order to satisfy the security requirements of IoT devices, various studies have been conducted such as HSM, Security SoC, and TrustZone. In particular, ARM proposed Platform Security Architecture (PSA), which is a security architecture that provide execution isolation to safely manage and protect the computing resources of low- end IoT devices. PSA can ensure confidentiality and integrity of IoT devices based on its structural features, but conversely, it has the problem of increasing development difficulty in using the security functions of PSA. To solve this problem, this paper analyzes the security requirements of an IoT platform and proposes secure platform based on PSA. To evaluate the proposed secure platform, a PoC implementation is provided based on hardware prototype consisting of FPGA. Our experiments with the PoC implementation verify that the proposed secure platform offers not only high security but also convenience of application development for IoT devices.

The necessity for peer-to-peer (p2p) communications is obvious; current centralized solutions are capturing and storing too much information from the individual people communicating with each other. Privacy concerns with a centralized solution in possession of all the users data are a difficult matter. HELIOS platform introduces a new social-media platform that is not in control of any central operator, but brings the power of possession of the data back to the users. It does not have centralized servers that store and handle receiving/sending of the messages. Instead, it relies on the current open-source solutions available in the p2p communities to propagate the messages to the wanted recipients of the data and/or messages. The p2p communications also introduce new problems in terms of privacy and tracking of the user, as the nodes part of a p2p network can see what data the other nodes provide and ask for. How the sharing of data in a p2p network can be achieved securely, taking into account the user's privacy is a question that has not been fully answered so far. We do not claim we answer this question fully in this paper either, but we propose a set of protocols to help answer one specific problem. Especially, this paper proposes how to privately share data (end-point address or other) of the user between other users, provided that they have previously connected with each other securely, either offline or online.

The Ad-hoc vehicle networks (VANETs) recently stressed communications and networking technologies. VANETs vary from MANETs in tasks, obstacles, system architecture and operation. Smart vehicles and RSUs communicate through unsafe wireless media. By nature, they are vulnerable to threats that can lead to life-threatening circumstances. Due to potentially bad impacts, security measures are needed to recognize these VANET assaults. In this review paper of VANET security, the new VANET approaches are summarized by addressing security complexities. Second, we're reviewing these possible threats and literature recognition mechanisms. Finally, the attacks and their effects are identified and clarified and the responses addressed together.

Future intelligent transportation systems necessitate a fine-grained and accurate estimation of vehicular traffic flows across critical paths of the underlying road network. This task is relatively trivial if we are able to collect detailed trajectories from every moving vehicle throughout the day. Nevertheless, this approach compromises the location privacy of the vehicles and may be used to build accurate profiles of the corresponding individuals. To this end, this work introduces a privacy-preserving protocol that leverages roadside units (RSUs) to communicate with the passing vehicles, in order to construct encrypted Bloom filters stemming from the vehicle IDs. The aggregate Bloom filters are encrypted with a threshold cryptosystem and can only be decrypted by the transportation authority in collaboration with multiple trusted entities. As a result, the individual communications between the vehicles and the RSUs remain secret. The decrypted Bloom filters reveal the aggregate traffic information at each RSU, but may also serve as a means to compute an approximation of the traffic flow between any pair of RSUs, by simply estimating the number of common vehicles in their respective Bloom filters. We performed extensive simulation experiments with various configuration parameters and demonstrate that our protocol reduces the estimation error considerably when compared to the current state-of-the-art approaches. Furthermore, our implementation of the underlying cryptographic primitives illustrates the feasibility, practicality, and scalability of the system.

Dynamic Random Access Memory (DRAM) is widely used for data storage and, when a computer system is in operation, the DRAM can contain sensitive information such as passwords and cryptographic keys. Therefore, the DRAM is a prime target for hardware-based cryptanalytic attacks. These attacks can be performed in the supply chain to capture default key mechanisms enabling a later cyber attack or predisposition the system to remote effects. Two prominent attack classes against memory are the Cold Boot attack which recovers the data from the DRAM even after a supposed power-down and Rowhammer attack which violates memory integrity by influencing the stored bits to flip. In this paper, we propose an on-chip technique that obfuscates the memory addresses and data and provides a fast detect-response to defend against these hardware-based security attacks on DRAM. We advance the prior hardware security research by making two contributions. First, the key material is detected and erased before the Cold Boot attacker can extract the memory data. Second, our solution is on-chip and does not require nor depend on additional hardware or software which are open to additional supply chain attack vectors. We analyze the efficacy of our scheme through circuit simulation and compare the results to the previous mitigation approaches based on DRAM write operations. Our simulation and analysis results show that purging key information used for address and data randomization can be achieved much faster and with lower power than with typical DRAM write techniques used for sanitizing memory content. We demonstrate through circuit simulation of the key register design a technique that clears key information within 2.4ns which is faster by more than two orders magnitude compared to typical DRAM write operations for 180nm technology, and with a power consumption of 0.15 picoWatts.

Cloud computing has made the life of individual users and work of business corporations so much easier by providing them data storage services at very low costs. Individual users can store and access their data through shared cloud storage service anywhere anytime. Similarly, business corporation consumers of cloud computing can store, manage, process and access their big data with quite an ease. However, the security and privacy of users' data remains vulnerable in cloud computing Availability, integrity and confidentiality are the three primary elements that users consider before signing up for cloud computing services. Many public and private cloud services have experienced security breaches and unauthorized access incidents. This paper suggests user end cryptography of data before uploading it to a cloud storage service platform like Google Drive, Microsoft, Amazon and CloudSim etc. The proposed cryptography algorithm is based on symmetric key cryptography model and has been implemented on Amazon S3 cloud space service.

To secure a guest operating system running on a virtual machine (VM), a monitoring method using hardware breakpoints by a virtual machine monitor is required. However, debug registers are visible to guest operating systems; thus, malicious programs on a guest operating system can detect or disable the monitoring method. This paper presents a method to hide access to debug registers from programs running on a VM. Our proposed method detects programs' access to debug registers and disguises the access as having succeeded. The register's actual value is not visible or modifiable to programs, so the monitoring method is hidden. This paper presents the basic design and evaluation results of our method.

Designing an authentication method is a crucial component to secure privacy in information systems. Virtual Reality (VR) is a new interaction platform, in which the users can interact with natural behaviours (e.g. hand, gaze, head, etc.). In this work, we propose a novel authentication method in which user can perform hand motion in an eyes-free manner. We evaluate the usability and security between eyes-engage and eyes-free input with a pilot study. The initial result revealed our purposed method can achieve a trade-off between usability and security, showing a new way to behaviour-based authentication in VR.

This paper presents SWAT - System-Wide Analysis Toolkit. It is based on open source emulation and debugging projects and implements the approaches for non-intrusive system-wide analysis and debugging: lightweight OS-agnostic virtual machine introspection, full system execution replay, non-intrusive debugging with WinDbg, and full system reverse debugging. These features are based on novel non-intrusive introspection and reverse debugging methods. They are useful for stealth debugging and analysis of the platforms with custom kernels. SWAT includes multi-platform emulator QEMU with additional instrumentation and debugging features, GUI for convenient QEMU setup and execution, QEMU plugin for non-intrusive introspection, and modified version of GDB. Our toolkit may be useful for the developers of the virtual platforms, emulators, and firmwares/drivers/operating systems. Virtual machine intospection approach does not require loading any guest agents and source code of the OS. Therefore it may be applied to ROM-based guest systems and enables using of record/replay of the system execution. This paper includes the description of SWAT components, analysis methods, and some SWAT use cases.

Cloud-based infrastructures have grown in popularity over the last decade leveraging virtualisation, server, storage, compute power and network components to develop flexible applications. The requirements for instantaneous deployment and reduced costs have led the shift from virtual machine deployment to containerisation, increasing the overall flexibility of applications and increasing performances. However, containers require a fully fleshed operating system to execute, increasing the attack surface of an application. Unikernels, on the other hand, provide a lightweight memory footprint, ease of application packaging and reduced start-up times. Moreover, Unikernels reduce the attack surface due to the self-contained environment only enabling low-level features. In this work, we provide an exhaustive description of the unikernel ecosystem; we demonstrate unikernel vulnerabilities and further discuss the security implications of Unikernel-enabled environments through different use-cases.

We focus on policy-aware data centers (PADCs), wherein virtual machine (VM) traffic traverses a sequence of middleboxes (MBs) for security and performance purposes, and propose two new VM placement and migration problems. We first study PAL: policy-aware virtual machine placement. Given a PADC with a data center policy that communicating VM pairs must satisfy, the goal of PAL is to place the VMs into the PADC to minimize their total communication cost. Due to dynamic traffic loads in PADCs, however, above VM placement may no longer be optimal after some time. We thus study PAM: policy-aware virtual machine migration. Given an existing VM placement in the PADC and dynamic traffic rates among communicating VMs, PAM migrates VMs in order to minimize the total cost of migration and communication of the VM pairs. We design optimal, approximation, and heuristic policyaware VM placement and migration algorithms. Our experiments show that i) VM migration is an effective technique, reducing total communication cost of VM pairs by 25%, ii) our PAL algorithms outperform state-of-the-art VM placement algorithm that is oblivious to data center policies by 40-50%, and iii) our PAM algorithms outperform the only existing policy-aware VM migration scheme by 30%.

This paper proposes and analyzes a new virtual machine (VM) placement technique called Group Instance to deal with co-location attacks in public Infrastructure-as-a-Service (IaaS) clouds. Specifically, Group Instance organizes cloud users into groups with pre-determined sizes set by the cloud provider. Our empirical results obtained via experiments with real-world data sets containing million of VM requests have demonstrated the effectiveness of the new technique. In particular, the advantages of Group Instance are three-fold: 1) it is simple and highly configurable to suit the financial and security needs of cloud providers, 2) it produces better or at least similar performance compared to more complicated, state-of-the-art algorithms in terms of resource utilization and co-location security, and 3) it does not require any modifications to the underlying infrastructures of existing public cloud services.

{With the widespread use of cloud computing, energy consumption of cloud data centers is increasing which mainly comes from IT equipment and cooling equipment. This paper argues that once the number of virtual machines on the physical machines reaches a certain level, resource competition occurs, resulting in a performance loss of the virtual machines. Unlike most papers, we do not impose placement constraints on virtual machines by giving a CPU cap to achieve the purpose of energy savings in cloud data centers. Instead, we use the measure of performance loss to weigh. We propose a reinforcement learning-based virtual machine placement strategy(RLVMP) for energy savings in cloud data centers. The strategy considers the weight of virtual machine performance loss and energy consumption, which is finally solved with the greedy strategy. Simulation experiments show that our strategy has a certain improvement in energy savings compared with the other algorithms.

There is very significant role of Virtualization in cloud computing. The physical hardware in the cloud computing reside with the host machine and the virtualization software runs on it. The virtualization allows virtual machines to exist. The host machine shares its physical components such as memory, storage, and processor ultimately to handle the needs of the virtual machines. If an attacker effectively compromises one VM, it could outbreak others on the same host on the network over long periods of time. This is an gradually more popular method for cross-virtual-machine attacks, since traffic between VMs cannot be examined by standard IDS/IPS software programs. As we know that the cloud environment is distributed in nature and hence more susceptible to various types of intrusion attacks which include installing malicious software and generating backdoors. In a cloud environment, where organizations have hosted important and critical data, the security of underlying technologies becomes critical. To alleviate the hazard to cloud environments, Intrusion Detection Systems (IDS) are a cover of defense. In this paper, we are proposing an innovative model for Intrusion Detection System for securing Host machines in cloud infrastructure. This proposed IDS has two important features: (1) signature based and (2) prompt alert system.

Cloud computing dominates the information communication and technology landscape despite the presence of lingering security issues such as the interdependency problem. The latter is a co-residence conundrum where the attacker successfully compromises his target virtual machine by first exploiting the weakest (in terms of security) virtual machine that is hosted in the same server. To tackle this issue, we propose a novel virtual machine allocation policy that is based on the attacker's efficiency and coverage. By default, our allocation policy considers all legitimate users as attackers and then proceeds to host the users' virtual machines to the server where their efficiency and/or coverage are the smallest. Our simulation results show that our proposal performs better than the existing allocation policies that were proposed to tackle the same issue, by reducing the attacker's possibilities to zero and by using between 30 - 48% less hosts.

The Representational State Transfer (REST) is a distributed application architecture style which adopted on providing various network services. The identity authentication protocol Kerberos has been used to guarantee the security identity authentication of many service platforms. However, the deployment of Kerberos protocol is limited by the defects such as password guessing attacks, data tampering, and replay attacks. In this paper, an optimized Kerberos protocol is proposed and applied in a REST-style Cloud Storage Architecture. Firstly, we propose a Lately Used Newly (LUN) key replacement method to resist the password guessing attacks in Kerberos protocol. Secondly, we propose a formatted signature algorithm and a combination of signature string and time stamp method to cope with the problems of tampering and replay attacks which in deploying Kerberos. Finally, we build a security protection module using the optimized Kerberos protocol to guarantee a secure identity authentication and the reliable data communication between the client and the server. Analyses show that the module significantly improves the security of Kerberos protocol in REST-style cloud storage services.

In this paper, an attempt has been made to describe Kerberos authentication with multi factor authentication in context aware systems. Multi factor authentication will make the framework increasingly secure and dependable. The Kerberos convention is one of the most generally utilized security conventions on the planet. The security conventions of Kerberos have been around for a considerable length of time for programmers and other malware to Figure out how to sidestep it. This has required a quick support of the Kerberos convention to make it progressively dependable and productive. Right now, endeavor to help explain this by strengthening Kerberos with the assistance of multifaceted verification.