Biblio

Networked embedded systems (which include IoT, CPS, etc.) are vulnerable. Even though we know how to secure these systems, their heterogeneity and the heterogeneity of security policies remains a major problem. Designers face ever more sophisticated attacks while they are not always security experts and have to get a trade-off on design criteria. We propose in this paper the CLASA architecture (Cross-Layer Agent Security Architecture), a generic, integrated, inter-operable, decentralized and modular architecture which relies on cross-layering.

This work establishes a game-theoretic framework to study cross-layer coordinated attacks on cyber-physical systems (CPSs). The attacker can interfere with the physical process and launch jamming attacks on the communication channels simultaneously. At the same time, the defender can dodge the jamming by dispensing with observations. The generic framework captures a wide variety of classic attack models on CPSs. Leveraging dynamic programming techniques, we fully characterize the Subgame Perfect Equilibrium (SPE) control strategies. We also derive the SPE observation and jamming strategies and provide efficient computational methods to compute them. The results demonstrate that the physical and cyber attacks are coordinated and depend on each other.On the one hand, the control strategies are linear in the state estimate, and the estimate error caused by jamming attacks will induce performance degradation. On the other hand, the interactions between the attacker and the defender in the physical layer significantly impact the observation and jamming strategies. Numerical examples illustrate the inter-actions between the defender and the attacker through their observation and jamming strategies.

We analyze the prandom pseudo random number generator (PRNG) in use in the Linux kernel (which is the kernel of the Linux operating system, as well as of Android) and demonstrate that this PRNG is weak. The prandom PRNG is in use by many "consumers" in the Linux kernel. We focused on three consumers at the network level – the UDP source port generation algorithm, the IPv6 flow label generation algorithm and the IPv4 ID generation algorithm. The flawed prandom PRNG is shared by all these consumers, which enables us to mount "cross layer attacks" against the Linux kernel. In these attacks, we infer the internal state of the prandom PRNG from one OSI layer, and use it to either predict the values of the PRNG employed by the other OSI layer, or to correlate it to an internal state of the PRNG inferred from the other protocol.Using this approach we can mount a very efficient DNS cache poisoning attack against Linux. We collect TCP/IPv6 flow label values, or UDP source ports, or TCP/IPv4 IP ID values, reconstruct the internal PRNG state, then predict an outbound DNS query UDP source port, which speeds up the attack by a factor of x3000 to x6000. This attack works remotely, but can also be mounted locally, across Linux users and across containers, and (depending on the stub resolver) can poison the cache with an arbitrary DNS record. Additionally, we can identify and track Linux and Android devices – we collect TCP/IPv6 flow label values and/or UDP source port values and/or TCP/IPv4 ID fields, reconstruct the PRNG internal state and correlate this new state to previously extracted PRNG states to identify the same device.

In order to identify potential weakness in communication and data in transit, a microgrid testbed is being developed at Boise State University. This testbed will be used to verify microgrid models and communication methods in an effort to increase the resiliency of these systems to cyber-attacks. If vulnerabilities are found in these communication methods, then risk mitigation techniques will be developed to address them.

Cyber-attacks toward cyber-physical systems are one of the main concerns of smart grid's operators. However, many of these cyber-attacks, are toward unmanned substations where the cyber-attackers needs to be close enough to substation to malfunction protection and control systems in substations, using Electromagnetic signals. Therefore, in this paper, a new threat detection algorithm is proposed to prevent possible cyber-attacks toward unmanned substations. Using surveillance camera's streams and based on You Only Look Once (YOLO) V3, suspicious objects in the image are detected. Then, using Intersection over Union (IOU) and Generalized Intersection Over Union (GIOU), threat distance is estimated. Finally, the estimated threats are categorized into three categories using color codes red, orange and green. The deep network used for detection consists of 106 convolutional layers and three output prediction with different resolutions for different distances. The pre-trained network is transferred from Darknet-53 weights trained on 80 classes.

A real or potential threat to various large and small security objects, which comes from both internal and external attackers, determines one or another activities to ensure internal and external security. These actions depend on the spheres of life of state and society, which are targeted by the security threats. These threats can be conveniently classified into political threats (or threats to the existing constitutional order), economic, military, informational, technogenic, environmental, corporate, and other threats. The article discusses a model of an information system, which main criterion is the system security based on the concept of risk. When considering the model, it was determined that it possess multi-criteria aspects. Therefore the establishing the quantitative and qualitative characteristics is a complex and dynamic task. The paper proposes to use the mathematical apparatus of the teletraffic theory in one of the elements of the protected system, namely, in the end-to-end security subsystem.

Network security policies provide high-level directives regarding acceptable and unacceptable use of the network. Organizations specify these high-level directives in policy documents written using human-readable natural language. The challenge is to convert these natural language policies to the network configurations/specifications needed to enforce the policy. Network administrators, who are responsible for enforcing the policies, typically translate the policies manually, which is a challenging and error-prone process. As a result, network operators (as well as the policy authors) often want to verify that network policies are being correctly enforced. In this paper, we propose Network Policy Conversation Engine (NPCE), a system designed to help network operators (or policy writers) interact with the network using natural language (similar to the language used in the network policy statements themselves) to understand whether policies are being correctly enforced. The system leverages emerging big data collection and analysis techniques to record flow and packet level activity throughout the network that can be used to answer users policy questions. The system also takes advantage of recent advances in Natural Language Processing (NLP) to translate natural language policy questions into the corresponding network queries. To evaluate our system, we demonstrate a wide range of policy questions – inspired by actual networks policies posted on university websites – that can be asked of the system to determine if a policy violation has occurred.

Firewall is the first defense line for network security. Packet filtering is a basic function in firewall, which filter network packets according to a series of rules called firewall policy. The design of firewall policy is invariably under the instruction of security policy, which is a generic guideline that lists the needs for network access permissions. The design of firewall policy should observe the regulations of security policy. However, even for IPv4 firewall policy, it is extremely difficult to keep the consistency between security policy and firewall policy. Some consistency decision methods of security policy and IPv4 firewall policy were proposed. However, the address space of IPv6 address is a very large, the existing consistency decision methods can not be directly used to deal with IPv6 firewall policy. To resolve the above problem, in this paper, we use a formal technique to decide the consistency between IPv6 firewall policy and security policy effectively and rapidly. We also developed a prototype model and evaluated the effectiveness of the proposed method.

With a broad spectrum of technologies for the protection of personal data, it is important to be able to reliably compare these technologies to choose the most suitable one for a given problem. Although technologies like Homomorphic Encryption have matured over decades, Confidential Computing is still in its infancy with not only informal but also incomplete and even conflicting definitions by the Confidential Computing Consortium (CCC). In this work, we present key issues in definitions and comparison among existing technologies by CCC. We also provide recommendations to achieve clarity and precision in the definitions as well as fair and scientific comparison among existing technologies. We emphasize on the need of formal definitions of the terms and pose it as an open challenge to the community.

Distributed Denial of service attack(DDoS)is a network security attack and now the attackers intruded into almost every technology such as cloud computing, IoT, and edge computing to make themselves stronger. As per the behaviour of DDoS, all the available resources like memory, cpu or may be the entire network are consumed by the attacker in order to shutdown the victim`s machine or server. Though, the plenty of defensive mechanism are proposed, but they are not efficient as the attackers get themselves trained by the newly available automated attacking tools. Therefore, we proposed a classification based machine learning approach for detection of DDoS attack in cloud computing. With the help of three classification machine learning algorithms K Nearest Neighbor, Random Forest and Naive Bayes, the mechanism can detect a DDoS attack with the accuracy of 99.76%.

Distributed denial of service (DDoS) attack is a common way of network attack. It has the characteristics of wide distribution, low cost and difficult defense. The traditional algorithms of machine learning (ML) have such shortcomings as excessive systemic overhead and low accuracy in detection of DDoS. In this paper, a CGAN (conditional generative adversarial networks, conditional GAN) -based method is proposed to detect the attack of DDoS. On off-line training, five features are extracted in order to adapt the input of neural network. On the online recognition, CGAN model is adopted to recognize the packets of DDoS attack. The experimental results demonstrate that our proposed method obtains the better performance than the random forest-based method.

Over the last few years, the deployment of Internet of Things (IoT) is attaining much more concern on smart computing devices. With the exponential growth of small devices and at the same time cheap prices of these sensing devices, there raises an important question for the security of the stored information as these devices generate a large amount of private data for observing and controlling purposes. Distributed Denial of Service (DDoS) attacks are current examples of major security threats to IoT devices. As yet, no standard protocol can fully ensure the security of IoT devices. But adaptive decision making along with elasticity and incessant monitoring is required. These difficulties can be resolved with the assistance of Software Defined Networking (SDN) which can viably deal with the security dangers to the IoT devices in a powerful and versatile way without hampering the lightweightness of the IoT devices. Although SDN performs quite well for managing and controlling IoT devices, security is still an open concern. Nonetheless, there are a few challenges relating to the mitigation of DDoS attacks in IoT systems implemented with SDN architecture. In this paper, a brief overview of some of the popular DDoS attack mitigation techniques and their limitations are described. Also, the challenges of implementing these techniques in SDN-based architecture to IoT devices have been presented.

The Industrial Internet of Things (IIoT) also referred as Cyber Physical Systems (CPS) as critical elements, expected to play a key role in Industry 4.0 and always been vulnerable to cyber-attacks and vulnerabilities. Terrorists use cyber vulnerability as weapons for mass destruction. The dark web's strong transparency and hard-to-track systems offer a safe haven for criminal activity. On the dark web (DW), there is a wide variety of illicit material that is posted regularly. For supervised training, large-scale web pages are used in traditional DW categorization. However, new study is being hampered by the impossibility of gathering sufficiently illicit DW material and the time spent manually tagging web pages. We suggest a system for accurately classifying criminal activity on the DW in this article. Rather than depending on the vast DW training package, we used authorized regulatory to various types of illicit activity for training Machine Learning (ML) classifiers and get appreciable categorization results. Espionage, Sabotage, Electrical power grid, Propaganda and Economic disruption are the cyber warfare motivations and We choose appropriate data from the open source links for supervised Learning and run a categorization experiment on the illicit material obtained from the actual DW. The results shows that in the experimental setting, using TF-IDF function extraction and a AdaBoost classifier, we were able to achieve an accuracy of 0.942. Our method enables the researchers and System authoritarian agency to verify if their DW corpus includes such illicit activity depending on the applicable rules of the illicit categories they are interested in, allowing them to identify and track possible illicit websites in real time. Because broad training set and expert-supplied seed keywords are not required, this categorization approach offers another option for defining illicit activities on the DW.

IoT systems commonly rely on cloud services. However, utilizing cloud providers can be problematic in terms of data security. Data stored in the cloud need to be secured from unauthorized malicious nodes and from the cloud providers themselves. Using a simple symmetric cipher can encrypt the data before uploading and decrypt it while retrieving. However, such a solution can be only applied between two parties with no support for multiple nodes. Whereas in IoT scenarios, many smart devices communicate and share data with each other. This paper proposes a solution that tackles the issue of sharing data securely between IoT devices by implementing a system that allows secure sharing of encrypted data in untrusted clouds. The implementation of the system performs the computation on connectionless clients with no involvement of the cloud server nor any third party. The cloud server is only used as a passive storage server. Analysis of the implemented prototype demonstrates that the system can be used in real-life applications with relatively small overhead. Based on the used hardware, key generation takes about 60 nanoseconds and the storage overhead is only a few kilobytes for large number of files and/or users.

Security, efficiency and availability are three key factors that affect the application of searchable encryption schemes in mobile cloud computing environments. In order to meet the above characteristics, this paper proposes a certificateless public key encryption with a keyword search (CLPEKS) scheme. In this scheme, a CLPEKS generation method and a Trapdoor generation method are designed to support multiple receivers to query. Based on the elliptic curve scalar multiplication, the efficiencies of encrypting keywords, generating Trapdoors, and testing are improved. By adding a random number factor to the Trapdoor generation, the scheme can resist the internal keyword guessing attacks. Under the random oracle model, it is proved that the scheme can resist keyword guessing attacks. Theoretical analyses and implementation show that the proposed scheme is more efficient than the existing schemes.

The emerging vehicular edge computing (VEC) technology has the potential to bring revolutionary development to vehicular ad hoc network (VANET). However, the edge computing servers (ECSs) are subjected to a variety of security threats. One of the most dangerous types of security attacks is the Sybil attack, which can create fabricated virtual vehicles (called Sybil vehicles) to significantly overload ECSs' limited computation resources and thus disrupt legitimate vehicles' edge computing applications. In this paper, we present a novel Sybil attack detection system on ECSs that is based on the design of a credibility enhanced temporal graph convolutional network. Our approach can identify the malicious vehicles in a dynamic traffic environment while preserving the legitimate vehicles' privacy, particularly their local position information. We evaluate our proposed approach in the SUMO simulator. The results demonstrate that our proposed detection system can accurately identify most Sybil vehicles while maintaining a low error rate.

Modern embedded IoT devices are an attractive target for cyber attacks. For example, they can be used to disable entire factories and ask for ransom. Recovery of compromised devices is not an easy task, because malware can subvert the original software and make itself persistent. In addition, many embedded devices do not implement remote recovery procedures and, therefore, require manual intervention.Recent proposals from NIST and TCG define concepts and building blocks for cyber resilience: protection, detection and recovery. In this paper, we describe a system which allows implementing cyber resilient IoT devices that can be recovered remotely and timely. The proposed architecture consists of trusted data monitoring, local and remote attack detection, and enforced connections to remote services as building blocks for attack detection and recovery. Further, hardware- and software-based implementations of such a system are presented.

Distributed Denial of Service (DDoS) attacks are among the most harmful cyberattack types in the Internet. The main goal of a DDoS defense mechanism is to reduce the attack's effect as close as possible to their sources to prevent malicious traffic in the Internet. In this work, we examine the DDoS attacks as a rate management and congestion control problem and propose a collaborative fair rate throttling mechanism to combat DDoS attacks. Additionally, we propose anomaly detection mechanisms to detect attacks at the victim site, early attack detection mechanisms by intermediate Autonomous Systems (ASes), and feedback mechanisms between ASes to achieve distributed defense against DDoS attacks. To reduce additional vulnerabilities for the feedback mechanism, we use a secure, private, and authenticated communication channel between AS monitors to control the process. Our mathematical model presents proactive resource management, where the victim site sends rate adjustment requests to upstream routers. We conducted several experiments using a real-world dataset to demonstrate the efficiency of our approach under DDoS attacks. Our results show that the proposed method can significantly reduce the impact of DDoS attacks with minimal overhead to routers. Moreover, the proposed anomaly detection techniques can help ASes to detect possible attacks and early attack detection by intermediate ASes.

Cyber attacks are increasing at a rapid pace targeting financial institutions and the corporate sector, especially during pandemics such as COVID-19. Honeypots are implemented in data centers and servers, to capture these types of attacks and malicious activities. In this work, an experimental prototype is created simulating the attacker and victim environments and the results are consolidated. Attacker information is extracted using the Meterpreter framework and uses reverse TCP for capturing the data. Normal honeypots does not capture an attacker and his identity. Information such as user ID, Internet Protocol(IP) address, proxy servers, incoming and outgoing traffic, webcam snapshot, Media Access Control(MAC) address, operating system architecture, and router information of the attacker such as ARP cache can be extracted by this honeypot with "biteback" feature.

The pervasive presence of smart objects in almost every corner of our everyday life urges the security of such embedded systems to be the point of attention. Memory vulnerabilities in the embedded program code, such as buffer overflow, are the entry point for powerful attack paradigms such as Code-Reuse Attacks (CRAs), in which attackers corrupt systems’ execution flow and maliciously alter their behavior. Control-Flow Integrity (CFI) has been proven to be the most promising approach against such kinds of attacks, and in the literature, a wide range of flow monitors are proposed, both hardware-based and software-based. While the formers are hardly applicable as they impose design alteration of underlying hardware modules, on the contrary, software solutions are more flexible and also portable to the existing devices. Real-Time Operating Systems (RTOS) and their key role in application development for embedded systems is the main concern regarding the application of the CFI solutions.This paper discusses the still open challenges and issues regarding the implementation of control-flow integrity policies on operating systems for embedded systems, analyzing the solutions proposed so far in the literature, highlighting possible limits in terms of performance, applicability, and protection coverage, and proposing possible improvement directions.

Industry 4.0 or also known as the fourth industrial revolution poses a great cybersecurity risk for Supervisory control and data acquisition (SCADA) systems. Nowadays, lots of enterprises have turned into renewable energy and are changing the energy dependency to be on wind power. The SCADA systems are often vulnerable against different kinds of cyberattacks and thus allowing intruders to successfully and intrude exfiltrate different wind farm SCADA systems. During our research a future concept testbed of a wind farm SCADA system is going to be introduced. The already existing real-world vulnerabilities that are identified are later on going to be demonstrated against the test SCADA wind farm system.

In a cloud data center, the client requests are catered by placing the services in its servers. Such services are deployed through a sandboxing platform to ensure proper isolation among services from different users. Due to the lightweight nature, containers have become increasingly popular to support such sandboxing. However, for supporting effective and efficient data center resource usage with minimum resource footprints, improving the containers' consolidation ratio is significant for the cloud service providers. Towards this end, in this paper, we propose an exciting direction to significantly boost up the consolidation ratio of a data-center environment by effectively managing the containers' states. We observe that many cloud-based application services are event-triggered, so they remain inactive unless some external service request comes. We exploit the fact that the containers remain in an idle state when the underlying service is not active, and thus such idle containers can be checkpointed unless an external service request comes. However, the challenge here is to design an efficient mechanism such that an idle container can be resumed quickly to prevent the loss of the application's quality of service (QoS). We have implemented the system, and the evaluation is performed in Amazon Elastic Compute Cloud. The experimental results have shown that the proposed algorithm can manage the containers' states, ensuring the increase of consolidation ratio.

Natural language processing (NLP) is a division of artificial intelligence. The constructed model's quality is entirely reliant on the training dataset's quality. A data streaming pipeline is an adhesive application, completing a managed connection from data sources to machine learning methods. The recommended NLP pipeline composition has well-defined procedures. The implemented message broker design is a usual apparatus for delivering events. It makes it achievable to construct a robust training dataset for machine learning use-case and serve the model's input. The reconstructed dataset is a valid input for the machine learning processes. Based on the data pipeline's product, the model recreation and redeployment can be scheduled automatically.

CyberIR@MIT is a dynamic, interactive ontology-based knowledge system focused on the evolving, diverse & complex interconnections of cyberspace & international relations.

This paper presents a brief introduction to Cyber-IR@MIT—a dynamic, interactive knowledge and networking system focused on the evolving, diverse, and complex interconnections of cyberspace and international relations. The goal is to highlight key theoretical, substantive, empirical and networking issues. Cyber-IR@MIT is anchored in a multidimensional ontology. It was initially framed as an experiment during the MIT-Harvard collaboration on Explorations in Cyber International Relations (MIT, 2009-2014) to serve as a forum for quality-controlled content and materials generated throughout the research project. The vision for Cyber-IR@MIT is shaped by the research for Cyberpolitics in International Relations, a book written by Nazli Choucri and published by MIT Press in 2012. The operational approach to the knowledge system is influenced by the Global System for Sustainable Development (GSSD), developed earlier and focused on challenges of system sustainability. Cyber-IR@MIT gradually evolved into a knowledge-based system of human interactions in cyberspace and international relations, all embedded in the overarching natural system. The method consists of differentiating among the various facets of human activity in (i) cyberspace, (ii) international relations, and (iii) the intersection of the cyber and “real.” It includes problems created by humans and solution strategies, as well as enabling functions and capabilities, on the one hand, and impediments to behavior and associated barriers, on the other. See https://cyberir.mit.edu for functions. The value of this initiative lies in its conceptual foundations and method of knowledge representation – embedded in an interactive system for knowledge submission, with f search and retrieval functions.