Biblio

The concept of cyber-physical production systems is highly discussed amongst researchers and industry experts, however, the implementation options for these systems rely mainly on obsolete technologies. Despite the fact that the blockchain is most often associated with cryptocurrency, it is fundamentally wrong to deny the universality of this technology and the prospects for its application in other industries. For example, in the insurance sector or in a number of identity verification services. This article discusses the deployment of the CPPS backbone network based on the Ethereum private blockchain system. The structure of the network is described as well as its interaction with the help of smart contracts, based on the consumption of cryptocurrency for various operations.

Smart spammers and telemarketers circumvent the standalone spam detection systems by making low rate spam-ming activity to a large number of recipients distributed across many telecommunication operators. The collaboration among multiple telecommunication operators (OPs) will allow operators to get rid of unwanted callers at the early stage of their spamming activity. The challenge in the design of collaborative spam detection system is that OPs are not willing to share certain information about behaviour of their users/customers because of privacy concerns. Ideally, operators agree to share certain aggregated statistical information if collaboration process ensures complete privacy protection of users and their network data. To address this challenge and convince OPs for the collaboration, this paper proposes a decentralized reputation aggregation protocol that enables OPs to take part in a collaboration process without use of a trusted third party centralized system and without developing a predefined trust relationship with other OPs. To this extent, the collaboration among operators is achieved through the exchange of cryptographic reputation scores among OPs thus fully protects relationship network and reputation scores of users even in the presence of colluders. We evaluate the performance of proposed protocol over the simulated data consisting of five collaborators. Experimental results revealed that proposed approach outperforms standalone systems in terms of true positive rate and false positive rate.

Cloud is the requirement of today's competitive world that demand flexible, agile and adaptable technology to be at par with rapidly changing IT industry. Cloud offers scalable, on-demand, pay-as-you-go services to enterprise and has hence become a part of growing trend of organizations IT service model. With emerging trend of cloud the security concerns have further increased and one of the biggest concerns related to cloud is DDoS attack. DDoS attack tends to exhaust all the available resources and leads to unavailability of services in cloud to legitimate users. In this paper the concept of fog computing is used, it is nothing but an extension to cloud computing that performs analysis at the edge of the network, i.e. bring intelligence at the edge of the network for quick real time decision making and reducing the amount of data that is forwarded to cloud. We have proposed a framework in which DDoS attack traffic is generated using different tools which is made to pass through fog defender to cloud. Furthermore, rules are applied on fog defender to detect and filter DDoS attack traffic targeted to cloud.

With the scale of big data increasing in large-scale IoT application, fog computing is a recent computing paradigm that is extending cloud computing towards the edge of network in the field. There are a large number of storage resources placed on the edge of the network to form a geographical distributed storage system in fog computing system (FCS). It is used to store the big data collected by the fog computing nodes and to reduce the management costs for moving big data to the cloud. However, the storage of fog nodes at the edge of the network faces a direct attack of external threats. In order to improve the security of the storage of fog nodes in FCS, in this paper, we proposed a data security storage model for fog computing (FCDSSM) to realize the integration of storage and security management in large-scale IoT application. We designed a detail of the FCDSSM system architecture, gave a design of the multi-level trusted domain, cooperative working mechanism, data synchronization and key management strategy for the FCDSSM. Experimental results show that the loss of computing and communication performance caused by data security storage in the FCDSSM is within the acceptable range, and the FCDSSM has good scalability. It can be adapted to big data security storage in large-scale IoT application.

Cloud computing has established itself as an alternative IT infrastructure and service model. However, as with all logically centralized resource and service provisioning infrastructures, cloud does not handle well local issues involving a large number of networked elements (IoTs) and it is not responsive enough for many applications that require immediate attention of a local controller. Fog computing preserves many benefits of cloud computing and it is also in a good position to address these local and performance issues because its resources and specific services are virtualized and located at the edge of the customer premise. However, data security is a critical challenge in fog computing especially when fog nodes and their data move frequently in its environment. This paper addresses the data protection and the performance issues by 1) proposing a Region-Based Trust-Aware (RBTA) model for trust translation among fog nodes of regions, 2) introducing a Fog-based Privacy-aware Role Based Access Control (FPRBAC) for access control at fog nodes, and 3) developing a mobility management service to handle changes of users and fog devices' locations. The implementation results demonstrate the feasibility and the efficiency of our proposed framework.

We present DeepPicar, a low-cost deep neural network based autonomous car platform. DeepPicar is a small scale replication of a real self-driving car called DAVE-2 by NVIDIA. DAVE-2 uses a deep convolutional neural network (CNN), which takes images from a front-facing camera as input and produces car steering angles as output. DeepPicar uses the same network architecture—9 layers, 27 million connections and 250K parameters—and can drive itself in real-time using a web camera and a Raspberry Pi 3 quad-core platform. Using DeepPicar, we analyze the Pi 3’s computing capabilities to support end-to-end deep learning based real-time control of autonomous vehicles. We also systematically compare other contemporary embedded computing platforms using the DeepPicar’s CNN-based real-time control workload. We find that all tested platforms, including the Pi 3, are capable of supporting the CNN-based real-time control, from 20 Hz up to 100 Hz, depending on hardware platform. However, we find that shared resource contention remains an important issue that must be considered in applying CNN models on shared memory based embedded computing platforms; we observe up to 11.6X execution time increase in the CNN based control loop due to shared resource contention. To protect the CNN workload, we also evaluate state-of-the-art cache partitioning and memory bandwidth throttling techniques on the Pi 3. We find that cache partitioning is ineffective, while memory bandwidth throttling is an effective solution.

Hadoop is developed as a distributed data processing platform for analyzing big data. Enterprises can analyze big data containing users' sensitive information by using Hadoop and utilize them for their marketing. Therefore, researches on data encryption have been widely done to protect the leakage of sensitive data stored in Hadoop. However, the existing researches support only the AES international standard data encryption algorithm. Meanwhile, the Korean government selected ARIA algorithm as a standard data encryption scheme for domestic usages. In this paper, we propose a HDFS data encryption scheme which supports both ARIA and AES algorithms on Hadoop. First, the proposed scheme provides a HDFS block-splitting component that performs ARIA/AES encryption and decryption under the Hadoop distributed computing environment. Second, the proposed scheme provides a variable-length data processing component that can perform encryption and decryption by adding dummy data, in case when the last data block does not contains 128-bit data. Finally, we show from performance analysis that our proposed scheme is efficient for various applications, such as word counting, sorting, k-Means, and hierarchical clustering.

Big data is a buzzword used to describe massive volumes of data that provides opportunities of exploring new insights through data analytics. However, big data is mostly structured but can be semi-structured or unstructured. It is normally so large that it is not only difficult but also slow to process using traditional computing systems. One of the solutions is to format the data as graph data structures and process them on shared memory architecture to use fast and novel policies such as transactional memory. In most graph applications in big data type problems such as bioinformatics, social networks, and cybersecurity, graphs are sparse in nature. Due to this sparsity, we have the opportunity to use Transactional Memory (TM) as the synchronization policy for critical sections to speedup applications. At low conflict probability TM performs better than most synchronization policies due to its inherent non-blocking characteristics. TM can be implemented in Software, Hardware or a combination of both. However, hardware TM implementations are fast but limited by scarce hardware resources while software implementations have high overheads which can degrade performance. In this paper, we develop a low overhead, yet simple, dynamically adaptive (i.e., at runtime) hybrid (i.e., combines hardware and software) TM (DyAd-HyTM) scheme that combines the best features of both Hardware TM (HTM) and Software TM (STM) while adapting to application's requirements. It performs better than coarse-grain lock by up to 8.12x, a low overhead STM by up to 2.68x, a couple of implementations of HTMs (by up to 2.59x), and other HyTMs (by up to 1.55x) for SSCA-2 graph benchmark running on a multicore machine with a large shared memory.

Recently, digital transactions in real estate, insurance, etc. have become popular, and researchers are actively studying digital signatures as a method for distinguishing individuals. However, existing digital signature systems have different methods for making signatures depending on the platform and device, and because they are used on platforms owned by corporations, they have the disadvantage of being highly platform-dependent and having low software extensibility. Therefore, in this paper we have analyzed existing digital signature systems and designed a heterogeneous integrated digital signature system which has per-user contract management features and can guarantee platform independence and increase the ease of software extension and maintenance by using a browser environment.

As more and more technologies to store and analyze massive amount of data become available, it is extremely important to make privacy-sensitive data de-identified so that further analysis can be conducted by different parties. For example, data needs to go through data de-identification process before being transferred to institutes for further value added analysis. As such, privacy protection issues associated with the release of data and data mining have become a popular field of study in the domain of big data. As a strict and verifiable definition of privacy, differential privacy has attracted noteworthy attention and widespread research in recent years. Nevertheless, differential privacy is not practical for most applications due to its performance of synthetic dataset generation for data query. Moreover, the definition of data protection by randomized noise in native differential privacy is abstract to users. Therefore, we design a pragmatic DP-based data de-identification protection and risk of data disclosure estimation system, in which a DP-based noise addition mechanism is applied to generate synthetic datasets. Furthermore, the risk of data disclosure to these synthetic datasets can be evaluated before releasing to buyers/consumers.

To enhance privacy protection and improve data availability, a differential privacy data protection method ICMD-DP is proposed. Based on insensitive clustering algorithm, ICMD-DP performs differential privacy on the results of ICMD (insensitive clustering method for mixed data). The combination of clustering and differential privacy realizes the differentiation of query sensitivity from single record to group record. At the meanwhile, it reduces the risk of information loss and information disclosure. In addition, to satisfy the requirement of maintaining differential privacy for mixed data, ICMD-DP uses different methods to calculate the distance and centroid of categorical and numerical attributes. Finally, experiments are given to illustrate the availability of the method.

One of the biggest problems of today's internet technologies is cyber attacks. In this paper whether DDoS attacks will be determined by deep packet inspection. Initially packets are captured by listening of network traffic. Packet filtering was achieved at desired number and type. These packets are recorded to database to be analyzed, daily values and average values are compared by known attack patterns and will be determined whether a DDoS attack attempts in real time systems.

Nowadays, Internet Service Providers (ISPs) have been depending on Deep Packet Inspection (DPI) approaches, which are the most precise techniques for traffic identification and classification. However, constructing high performance DPI approaches imposes a vigilant and an in-depth computing system design because the demands for the memory and processing power. Membership query data structures, specifically Bloom filter (BF), have been employed as a matching check tool in DPI approaches. It has been utilized to store signatures fingerprint in order to examine the presence of these signatures in the incoming network flow. The main issue that arise when employing Bloom filter in DPI approaches is the need to use k hash functions which, in turn, imposes more calculations overhead that degrade the performance. Consequently, in this paper, a new design and implementation for a DPI approach have been proposed. This DPI utilizes a membership query data structure called Cuckoo filter (CF) as a matching check tool. CF has many advantages over BF like: less memory consumption, less false positive rate, higher insert performance, higher lookup throughput, support delete operation. The achieved experiments show that the proposed approach offers better performance results than others that utilize Bloom filter.

DPI Management application which resides on the north-bound of SDN architecture is to analyze the application signature data from the network. The data being read and analyzed are of format JSON for effective data representation and flows provisioned from North-bound application is also of JSON format. The data analytic engine analyzes the data stored in the non-relational data base and provides the information about real-time applications used by the network users. Allows the operator to provision flows dynamically with the data from the network to allow/block flows and also to boost the bandwidth. The DPI Management application allows decoupling of application with the controller; thus providing the facility to run it in any hyper-visor within network. Able to publish SNMP trap notifications to the network operators with application threshold and flow provisioning behavior. Data purging from non-relational database at frequent intervals to remove the obsolete analyzed data.

Searching and retrieving information from the Web is a primary activity needed to monitor the development and usage of Web resources. Possible benefits include improving user experience (e.g. by optimizing query results) and enforcing data/user security (e.g. by identifying harmful websites). Motivated by the lack of ready-to-use solutions, in this paper we present a flexible and accessible toolkit for structure and content mining, able to crawl, download, extract and index resources from the Web. While being easily configurable to work in the "surface" Web, our suite is specifically tailored to explore the Tor dark Web, i.e. the ensemble of Web servers composing the world's most famous darknet. Notably, the toolkit is not just a Web scraper, but it includes two mining modules, respectively able to prepare content to be fed to an (external) semantic engine, and to reconstruct the graph structure of the explored portion of the Web. Other than discussing in detail the design, features and performance of our toolkit, we report the findings of a preliminary run over Tor, that clarify the potential of our solution.

The following is a research conducted on the Dark Web to study and identify the ins and outs of the dark web, what the dark web is all about, the various methods available to access the dark web and many others. The researchers have also included the steps and precautions taken before the dark web was opened. Apart from that, the findings and the website links / URL are also included along with a description of the sites. The primary usage of the dark web and some of the researcher's experience has been further documented in this research paper.

In this paper, we analyze the security of cyber-physical systems using the ADversary VIew Security Evaluation (ADVISE) meta modeling approach, taking into consideration the effects of physical attacks. To build our model of the system, we construct an ontology that describes the system components and the relationships among them. The ontology also defines attack steps that represent cyber and physical actions that affect the system entities. We apply the ADVISE meta modeling approach, which admits as input our defined ontology, to a railway system use case to obtain insights regarding the system's security. The ADVISE Meta tool takes in a system model of a railway station and generates an attack execution graph that shows the actions that adversaries may take to reach their goal. We consider several adversary profiles, ranging from outsiders to insider staff members, and compare their attack paths in terms of targeted assets, time to achieve the goal, and probability of detection. The generated results show that even adversaries with access to noncritical assets can affect system service by intelligently crafting their attacks to trigger a physical sequence of effects. We also identify the physical devices and user actions that require more in-depth monitoring to reinforce the system's security.

The Controller Area Network (CAN) is still the most widely employed bus in the automotive sector. Its lack of security mechanisms led to a high number of attacks and consequently several security countermeasures were proposed, i.e., authentication protocols or intrusion detection mechanisms. We discuss vulnerabilities of the CAN data link layer that can be triggered from the application level with the use of an off the shelf CAN transceiver. Namely, due to the wired-AND design of the CAN bus, dominant bits will always overwrite recessive ones, a functionality normally used to assure priority for frames with low value identifiers. We exploit this characteristic and show Denial of Service attacks both on senders and receivers based on bit injections by using bit banging to maliciously control the CAN transceiver. We demonstrate the effects and limitations of such attacks through experimental analysis and discuss possible countermeasures. In particular, these attacks may have high impact on centralized authentication mechanisms that were frequently proposed in the literature since these attacks can place monitoring nodes in a bus-off state for certain periods of time.

Personal health records (PHR) are an emerging health information exchange model, which facilitates PHR owners to efficiently manage their health data. Typically, PHRs are outsourced and stored in third-party cloud platforms. Although, outsourcing private health data to third-party platforms is an appealing solution for PHR owners, it may lead to significant privacy concerns, because there is a higher risk of leaking private data to unauthorized parties. As a way of ensuring PHR owners' control of their outsourced PHR data, attribute based encryption (ABE) mechanisms have been considered due to the fact that such schemes facilitate a mechanism of sharing encrypted data among a set of intended recipients. However, such existing PHR solutions suffer from inflexibility and scalability issues due to the limitations associated with the adopted ABE mechanisms. To address these issues, we propose a distributed multi-authority ABE scheme and thereby we show how a patient-centric, attribute based PHR sharing scheme which can provide flexible access for both professional users such as doctors as well as personal users such as family and friends is realized. We have shown that the proposed scheme supports on-demand user revocation as well as secure under standard security assumptions. In addition, the simulation results provide evidence for the fact that our scheme can function efficiently in practice. Furthermore, we have shown that the proposed scheme can cater the access requirements associated with distributed multiuser PHR sharing environments as well as more realistic and scalable compared with similar existing PHR sharing schemes.

SDN provides a way to manage complex networks by introducing programmability and abstraction of the control plane. All networks suffer from attacks to critical infrastructure and services such as DDoS attacks. We make use of the programmability provided by the SDN environment to provide a game theoretic attack analysis and countermeasure selection model in this research work. The model is based on reward and punishment in a dynamic game with multiple players. The network bandwidth of attackers is downgraded for a certain period of time, and restored to normal when the player resumes cooperation. The presented solution is based on Nash Folk Theorem, which is used to implement a punishment mechanism for attackers who are part of DDoS traffic, and reward for players who cooperate, in effect enforcing desired outcome for the network administrator.

In a software system it is possible to quantify the amount of information that is leaked or corrupted by analysing the flows of information present in the source code. In a cyber-physical system, information flows are not only present at the digital level but also at a physical level, and they are also present to and fro the two levels. In this work, we provide a methodology to formally analyse a composite, cyber-physical system model (combining physics and control) using an information flow-theoretic approach. We use this approach to quantify the level of vulnerability of a system with respect to attackers with different capabilities. We illustrate our approach by means of a water distribution case study.

Ubiquitous deployment of low-cost mobile positioning devices and the widespread use of high-speed wireless networks enable massive collection of large-scale trajectory data of individuals moving on road networks. Trajectory data mining finds numerous applications including understanding users' historical travel preferences and recommending places of interest to new visitors. Privacy-preserving trajectory mining is an important and challenging problem as exposure of sensitive location information in the trajectories can directly invade the location privacy of the users associated with the trajectories. In this paper, we propose a differentially private trajectory analysis algorithm for points-of-interest recommendation to users that aims at maximizing the accuracy of the recommendation results while protecting the privacy of the exposed trajectories with differential privacy guarantees. Our algorithm first transforms the raw trajectory dataset into a bipartite graph with nodes representing the users and the points-of-interest and the edges representing the visits made by the users to the locations, and then extracts the association matrix representing the bipartite graph to inject carefully calibrated noise to meet έ-differential privacy guarantees. A post-processing of the perturbed association matrix is performed to suppress noise prior to performing a Hyperlink-Induced Topic Search (HITS) on the transformed data that generates an ordered list of recommended points-of-interest. Extensive experiments on a real trajectory dataset show that our algorithm is efficient, scalable and demonstrates high recommendation accuracy while meeting the required differential privacy guarantees.

There are many object oriented design patterns and frameworks; to make the Information System robust, scalable and extensible. The objected oriented patterns are classified in the category of creational, structural, behavioral, security, concurrency, and user interface, relational, social and distributed. All the above classified design pattern doesn't work to provide a pathway and standards to make the Information system, to fulfill the requirement of confidentiality, Integrity and availability. This research work will explore the gap and suggest possible object oriented design pattern focusing the information security perspectives of the information system. At application level; this object oriented design pattern/framework shall try to ensure the Confidentiality, Integrity and Availability of the information systems intuitively. The main objective of this research work is to create a theoretical background of object oriented framework and design pattern which ensure confidentiality, integrity and availability of the system developed through the object oriented paradigm.

Middleboxes are crucial for improving network security and performance, but only if the right traffic goes through the right middleboxes at the right time. Existing traffic-steering techniques rely on a central controller to install fine-grained forwarding rules in network elements—at the expense of a large number of rules, a central point of failure, challenges in ensuring all packets of a session traverse the same middleboxes, and difficulties with middleboxes that modify the "five tuple." We argue that a session-level protocol is a fundamentally better approach to traffic steering, while naturally supporting host mobility and multihoming in an integrated fashion. In addition, a session-level protocol can enable new capabilities like dynamic service chaining, where the sequence of middleboxes can change during the life of a session, e.g., to remove a load-balancer that is no longer needed, replace a middlebox undergoing maintenance, or add a packet scrubber when traffic looks suspicious. Our Dysco protocol steers the packets of a TCP session through a service chain, and can dynamically reconfigure the chain for an ongoing session. Dysco requires no changes to end-host and middlebox applications, host TCP stacks, or IP routing. Dysco's distributed reconfiguration protocol handles the removal of proxies that terminate TCP connections, middleboxes that change the size of a byte stream, and concurrent requests to reconfigure different parts of a chain. Through formal verification using Spin and experiments with our Linux-based prototype, we show that Dysco is provably correct, highly scalable, and able to reconfigure service chains across a range of middleboxes.

Current software platforms for service composition are based on orchestration, choreography or hierarchical orchestration. However, such approaches for service composition only support partial compositionality; thereby, increasing the complexity of SOA development. In this paper, we propose DX-MAN, a platform that supports total compositionality. We describe the main concepts of DX-MAN with the help of a case study based on the popular MusicCorp.