Biblio

Cloud computing is an assured progression inside the future of facts generation. It's far a sub-domain of network security. These days, many huge or small organizations are switching to cloud which will shop and arrange their facts. As a result, protection of cloud networks is the want of the hour. DDoS is a killer software for cloud computing environments on net today. It is a distributed denial of carrier. we will beat the ddos attacks if we have the enough assets. ddos attacks can be countered by means of dynamic allocation of the assets. In this paper the attack is detected as early as possible and prevention methods is done and also mitigation method is also implemented thus attack can be avoided before it may occur.

Dozens of signature and anomaly based solutions have been proposed to detect malicious activities in computer networks. However, the number of successful attacks are increasing every day. In this paper, we developed a novel entropy based technique, called Edmund, to detect and mitigate Network attacks. While analyzing full payload network traffic was not recommended due to users' privacy, Edmund used netflow data to detect abnormal behavior. The experimental results showed that Edmund was able to highly accurate detect (around 95%) different application, transport, and network layers attacks. It could identify more than 100K malicious flows raised by 1168 different attackers in our campus. Identifying the attackers, is a great feature, which enables the network administrators to mitigate DDoS effects during the attack time.

Millimeter Wave (mmWave) networks can deliver multi-Gbps wireless links that use extremely narrow directional beams. This provides us with a new way to exploit spatial reuse in order to scale network throughput. In this work, we present MilliNet, the first millimeter wave network that can exploit dense spatial reuse to allow many links to operate in parallel in a confined space and scale the wireless throughput with the number of clients. Results from a 60 GHz testbed show that MilliNet can deliver a total wireless network data rate of more than 38 Gbps for 10 clients which is 5.8× higher than current 802.11 mmWave standards.

Oblivious RAM is a cryptographic primitive that embodies one of the cornerstones of privacy-preserving technologies for database protection. While any Oblivious RAM (ORAM) construction offers access pattern hiding, there does not seem to be a construction that is safe against the potential leakage due to knowledge about the number of accesses performed by a client. Such leakage constitutes a privacy violation, as client data may be stored in a domain specific fashion. In this work, we examine this leakage by considering an adversary that can probe the server that stores an ORAM database, and who takes regular snapshots of it. We show that even against such a weak adversary, no major ORAM architecture is resilient, except for the trivial case, where the client scans the whole database in order to access a single element. In fact, we argue that constructing a non-trivial ORAM that is formally resilient seems impossible. Moreover, we quantify the leakage of different constructions to show which architecture offers the best privacy in practice.

In this paper, we present an embodied conversational agent (ECA) that includes a cognitive-affective architecture based on the Soar cognitive architecture, integrates an emotion model based on ALMA that uses a three-layered model of emotions, mood and personality, from the point of view of the user and the agent. These features allow to modify the behavior and personality of the agent to achieve a more realistic and believable interaction with the user. This ECA works as a virtual assistant to search information from Wikipedia and show personalized results to the user. It is only a prototipe, but can be used to show some of the possibilities of the system. A first evaluation was conducted to prove these possibilities, with satisfactory results that also give guidance for some future work that can be done with this ECA.

\textbackslashtextbackslashtextitBackground: JavaScript frameworks are widely used to create client-side and server-side parts of contemporary web applications. Vulnerabilities like cross-site scripting introduce significant risks in web applications.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitAim: The goal of our study is to understand how the security features of a framework impact the security of the applications written using that framework.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitMethod: In this paper, we present four locations in an application, relative to the framework being used, where a mitigation can be applied. We perform an empirical study of JavaScript applications that use the three most common template engines: Jade/Pug, EJS, and Angular. Using automated and manual analysis of each group of applications, we identify the number of projects vulnerable to cross-site scripting, and the number of vulnerabilities in each project, based on the framework used.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitResults: We analyze the results to compare the number of vulnerable projects to the mitigation locations used in each framework and perform statistical analysis of confounding variables.\textbackslashtextbackslash\textbackslashtextbackslash \textbackslashtextbackslashtextitConclusions: The location of the mitigation impacts the application's security posture, with mitigations placed within the framework resulting in more secure applications.

Low-level programming languages with weak/static type systems, such as C and C++, are vulnerable to errors relating to the misuse of memory at runtime, such as (sub-)object bounds overflows, (re)use-after-free, and type confusion. Such errors account for many security and other undefined behavior bugs for programs written in these languages. In this paper, we introduce the notion of dynamically typed C/C++, which aims to detect such errors by dynamically checking the "effective type" of each object before use at runtime. We also present an implementation of dynamically typed C/C++ in the form of the Effective Type Sanitizer (EffectiveSan). EffectiveSan enforces type and memory safety using a combination of low-fat pointers, type meta data and type/bounds check instrumentation. We evaluate EffectiveSan against the SPEC2006 benchmark suite and the Firefox web browser, and detect several new type and memory errors. We also show that EffectiveSan achieves high compatibility and reasonable overheads for the given error coverage. Finally, we highlight that EffectiveSan is one of only a few tools that can detect sub-object bounds errors, and uses a novel approach (dynamic type checking) to do so.

We present a methodology for using the EasyCrypt proof assistant (originally designed for mechanizing the generation of proofs of game-based security of cryptographic schemes and protocols) to mechanize proofs of security of cryptographic protocols within the universally composable (UC) security framework. This allows, for the first time, the mechanization and formal verification of the entire sequence of steps needed for proving simulation-based security in a modular way: Specifying a protocol and the desired ideal functionality; Constructing a simulator and demonstrating its validity, via reduction to hard computational problems; Invoking the universal composition operation and demonstrating that it indeed preserves security. We demonstrate our methodology on a simple example: stating and proving the security of secure message communication via a one-time pad, where the key comes from a Diffie-Hellman key-exchange, assuming ideally authenticated communication. We first put together EasyCrypt-verified proofs that: (a) the Diffie-Hellman protocol UC-realizes an ideal key-exchange functionality, assuming hardness of the Decisional Diffie-Hellman problem, and (b) one-time-pad encryption, with a key obtained using ideal key-exchange, UC-realizes an ideal secure-communication functionality. We then mechanically combine the two proofs into an EasyCrypt-verified proof that the composed protocol realizes the same ideal secure-communication functionality. Although formulating a methodology that is both sound and workable has proven to be a complex task, we are hopeful that it will prove to be the basis for mechanized UC security analyses for significantly more complex protocols and tasks.

Traditional image compressed sensing (CS) coding frameworks solve an inverse problem that is based on the measurement coding tools (prediction, quantization, entropy coding, etc.) and the optimization based image reconstruction method. These CS coding frameworks face the challenges of improving the coding efficiency at the encoder, while also suffering from high computational complexity at the decoder. In this paper, we move forward a step and propose a novel deep network based CS coding framework of natural images, which consists of three sub-networks: sampling sub-network, offset sub-network and reconstruction sub-network that responsible for sampling, quantization and reconstruction, respectively. By cooperatively utilizing these sub-networks, it can be trained in the form of an end-to-end metric with a proposed rate-distortion optimization loss function. The proposed framework not only improves the coding performance, but also reduces the computational cost of the image reconstruction dramatically. Experimental results on benchmark datasets demonstrate that the proposed method is capable of achieving superior rate-distortion performance against state-of-the-art methods.

Trust is an important topic in today's interconnected world. Breaches of trust in today's systems has had profound effects upon us all, and they are very difficult and costly to fix especially when caused by flaws in the system's architecture. Trust modeling can expose these types of issues, but modeling trust in complex multi-tiered system architectures can be very difficult. Often experts have differing views of trust and how it applies to systems within their domain. This work presents a graph-based modeling methodology that normalizes the application of trust across disparate system domains allowing the modeling of complex intersystem trust relationships. An algorithm is proposed that applies graph theory to model, validate and evaluate trust in system architectures. Also, it provides the means to apply metrics to compare and prioritize the effectiveness of trust management in system and component architectures. The results produced by the algorithm can be used in conjunction with systems engineering processes to ensure both trust and the efficient use of resources.

The concept of Virtualized Network Functions (VNFs) aims to move Network Functions (NFs) out of dedicated hardware devices into software that runs on commodity hardware. A single NF consists of multiple VNF instances, usually running on virtual machines in a cloud infrastructure. The elastic management of an NF refers to load management across the VNF instances and the autonomic scaling of the number of VNF instances as the load on the NF changes. In this paper, we present EL-SEC, an autonomic framework to elastically manage security NFs on a virtualized infrastructure. As a use case, we deploy the Snort Intrusion Detection System as the NF on the GENI testbed. Concepts from control theory are used to create an Elastic Manager, which implements various controllers - in this paper, Proportional Integral (PI) and Proportional Integral Derivative (PID) - to direct traffic across the VNF Snort instances by monitoring the current load. RINA (a clean-slate Recursive InterNetwork Architecture) is used to build a distributed application that monitors load and collects Snort alerts, which are processed by the Elastic Manager and an Attack Analyzer, respectively. Software Defined Networking (SDN) is used to steer traffic through the VNF instances, and to block attack traffic. Our results show that virtualized security NFs can be easily deployed using our EL-SEC framework. With the help of real-time graphs, we show that PI and PID controllers can be used to easily scale the system, which leads to quicker detection of attacks.

Underpinning the operation of Bitcoin is a peer-to-peer (P2P) network [1] that facilitates the execution of transactions by end users, as well as the transaction confirmation process known as bitcoin mining. The security of this P2P network is vital for the currency to function and subversion of the underlying network can lead to attacks on bitcoin users including theft of bitcoins, manipulation of the mining process and denial of service (DoS). As part of this paper the network protocol and bitcoin core software are analysed, with three bitcoin message exchanges (the connection handshake, GETHEADERS/HEADERS and MEMPOOL/INV) found to be potentially vulnerable to spoofing and use in distributed denial of service (DDoS) attacks. Possible solutions to the identified weaknesses and vulnerabilities are evaluated, such as the introduction of random nonces into network messages exchanges.

Smartphone has become the tool which is used daily in modern human life. Some activities in human life, according to the usage of the smartphone can be related to the information which has a high privilege and needs a privacy. It causes the owners of the smartphone needs a system which can protect their privacy. Unfortunately, the secure the system, the unease of the usage. Hence, the system which has an invulnerable environment but also gives the ease of use is very needful. The aspect which is related to the ease of use is an authentication mechanism. Sometimes, this aspect correspondence to the effectiveness and the efficiency. This study is going to analyze the application related to this aspect which is a lock screen application. This lock screen application uses the context data based on the environment condition around the user. The context data used are GPS location and Mac Address of Wi-Fi. The system is going to detect the context and is going to determine if the smartphone needs to run the authentication mechanism or to bypass it based on the analysis of the context data. Hopefully, the smartphone application which is developed still can provide mobility and usability features, and also can protect the user privacy even though it is located in the environment which its context data is unknown.

In this paper, a new image encryption algorithm is presented with one chaotic map and one group of secret keys. Double permutations for pixel positions are designed followed by a function of diffusion to alter gray distribution in the plain-image. In the proposed algorithm, the keystream is produced and dependent on the plain-image. As a result, the method can frustrate the known plaintext attack and chosen plaintext attack. Moreover, diffusion encryption by row-only is applied to the permuted image to save time consumption. Then, the experimental results show that our method can perform high security and is suitable for both gray and color images.

It is well known that superposition coding, namely separately encoding the independent sources, is optimal for symmetric multilevel diversity coding (SMDC) (Yeung-Zhang 1999). However, the characterization of the coding rate region therein involves uncountably many linear inequalities and the constant term (i.e., the lower bound) in each inequality is given in terms of the solution of a linear optimization problem. Thus this implicit characterization of the coding rate region does not enable the determination of the achievability of a given rate tuple. In this paper, we first obtain closed-form expressions of these uncountably many inequalities. Then we identify a finite subset of inequalities that is sufficient for characterizing the coding rate region. This gives an explicit characterization of the coding rate region. We further show by the symmetry of the problem that only a much smaller subset of this finite set of inequalities needs to be verified in determining the achievability of a given rate tuple. Yet, the cardinality of this smaller set grows at least exponentially fast with L.

Deep packet inspection (DPI) is a critical component to prevent intrusion detection. This requires a detailed analysis of each network packet header and body. Although this is often done on dedicated high-power servers in most networked systems, mobile systems could potentially be vulnerable to attack if utilized on an unprotected network. In this case, having DPI hardware on the mobile system would be highly beneficial. Unfortunately, DPI hardware is generally area and power consuming, making its implementation difficult in mobile systems. We developed a memristor crossbar-based approach, inspired by memristor crossbar neuromorphic circuits, for a low-power, low-area, and high-throughput DPI system that examines both the header and body of a packet. Two key types of circuits are presented: static pattern matching and regular expression circuits. This system is able to reduce execution time and power consumption due to its high-density grid and massive parallelism. Independent searches are performed using low-power memristor crossbar arrays giving rise to a throughput of 160Gbps with no loss in the classification accuracy.

Electromagnetic (EM) analysis is to reveal the secret information by analyzing the EM emission from a cryptographic device. EM analysis (EMA) attack is emerging as a serious threat to hardware security. It has been noted that the on-chip power grid (PG) has a security implication on EMA attack by affecting the fluctuations of supply current. However, there is little study on exploiting this intrinsic property as an active countermeasure against EMA. In this paper, we investigate the effect of PG on EM emission and propose an active countermeasure against EMA, i.e. EM Equalizer (EME). By adjusting the PG impedance, the current waveform can be flattened, equalizing the EM profile. Therefore, the correlation between secret data and EM emission is significantly reduced. As a first attempt to the co-optimization for power and EM security, we extend the EME method by fixing the vulnerability of power analysis. To verify the EME method, several cryptographic designs are implemented. The measurement to disclose (MTD) is improved by 1138x with area and power overheads of 0.62% and 1.36%, respectively.

This paper describes how a privacy policy framework can be extended with timing information to not only decide if requests for data are allowed at a given point in time, but also to decide for how long such permission is granted. Augmenting policy decisions with expiration information eliminates the need to reason about access permissions prior to every individual data access operation. This facilitates the application of privacy policy frameworks to protect multimedia streaming data where repeated re-computations of policy decisions are not a viable option. We show how timing information can be integrated into an existing declarative privacy policy framework. In particular, we discuss how to obtain valid expiration information in the presence of complex sets of policies with potentially interacting policies and varying timing information.

In the past few years, Internet of Things (IoT) devices have emerged and spread everywhere. Many researchers have been motivated to study the security issues of IoT devices due to the sensitive information they carry about their owners. Privacy is not simply about encryption and access authorization, but also about what kind of information is transmitted, how it used and to whom it will be shared with. Thus, IoT manufacturers should be compelled to issue Privacy Policy Agreements for their respective devices as well as ensure that the actual behavior of the IoT device complies with the issued privacy policy. In this paper, we implement a test bed for ensuring compliance of Internet of Things data disclosure to the corresponding privacy policy. The fundamental approach used in the test bed is to capture the data traffic between the IoT device and the cloud, between the IoT device and its application on the smart-phone, and between the IoT application and the cloud and analyze those packets for various features. We test 11 IoT manufacturers and the results reveal that half of those IoT manufacturers do not have an adequate privacy policy specifically for their IoT devices. In addition, we prove that the action of two IoT devices does not comply with what they stated in their privacy policy agreement.

Control flow integrity (CFI) has received significant attention in the community to combat control hijacking attacks in the presence of memory corruption vulnerabilities. The challenges in creating a practical CFI has resulted in the development of a new type of CFI based on runtime type checking (RTC). RTC-based CFI has been implemented in a number of recent practical efforts such as GRSecurity Reuse Attack Protector (RAP) and LLVM-CFI. While there has been a number of previous efforts that studied the strengths and limitations of other types of CFI techniques, little has been done to evaluate the RTC-based CFI. In this work, we study the effectiveness of RTC from the security and practicality aspects. From the security perspective, we observe that type collisions are abundant in sufficiently large code bases but exploiting them to build a functional attack is not straightforward. Then we show how an attacker can successfully bypass RTC techniques using a variant of ROP attacks that respect type checking (called TROP) and also built two proof-of-concept exploits, one against Nginx web server and the other against Exim mail server. We also discuss practical challenges of implementing RTC. Our findings suggest that while RTC is more practical for applying CFI to large code bases, its policy is not strong enough when facing a motivated attacker.

Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2ˆ96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts, and (iii) that unintended IPv6 connectivity is a major security issue for unaware system administrators.

This paper describes the achievements of project EUBra-BIGSEA, which has delivered programming models and data analytics tools for the development of distributed Big Data applications. As framework components, multiple data models are supported (e.g. data streams, multidimensional data, etc.) and efficient mechanisms to ensure privacy and security, on top of a QoS-aware layer for the smart and rapid provisioning of resources in a cloud-based environment.

The adoption of the HTTPS - i.e. HTTP over TLS - protocol by the Hellenic websites is studied in this work. Since this protocol constitutes a de-facto standard for secure communications in the web, our aim is to identify whether the underlying TLS protocol in popular websites in Greece is properly configured, so as to avoid known vulnerabilities. To this end, a systematic approach utilizing two well-known TLS scanner tools is adopted to evaluate 241 sites of high popularity. The results illustrate that only about half of the sites seem to be at a satisfactory level and, thus, there is still much room for improvement, mainly due to the fact that obsolete ciphers and/or protocol versions are still supported; there is also a small portion - i.e. about 3% of the sites - that do not implement the HTTPS at all, thus posing very high security risks for their users who provide their credentials via a totally insecure channel. We also examined, using an appropriate online questionnaire, whether the users are actually aware of what the HTTPS means and how they check the security of the websites. The outcome of this research shows that much work needs to be done to increase the knowledge and the security awareness of an average Internet user.

Live VM migration is the most vulnerable process in cloud federations for DDOS attacks, loss of data integrity, confidentiality, unauthorized access and injection of malicious viruses on VM disk images. We have scrutinized following set of crucial security features which are; authorization, confidentiality, replay protection (accountability), integrity, mutual authentication and source non-repudiation (availability) to cater different threats and vulnerabilities during live VM migration. The investigated threats and vulnerabilities are catered and implemented in a proposed solution, presented in this paper. Six security features-authorization, confidentiality, replay protection, integrity, mutual authentication and source non-repudiation are focused and modular implementation has been done. Solution is validated in AVISPA tool in modules for threats for all the notorious security requirements and no outbreak were seen.

This article implements a method for expert recommendation based on collaborative filtering. The recommendation model extracts potential evaluation experts from historical data, figures out the relevance between past subjects and current subjects, obtains the evaluation experience index and personal ability index of experts, calculates the relevance of research direction between experts and subjects and finally recommends the most proper experts.