Biblio

Found 1171 results

Filters: First Letter Of Title is P
2020-04-10
Srinu, Sesham, Reddy, M. Kranthi Kumar, Temaneh-Nyah, Clement.  2019.  Physical layer security against cooperative anomaly attack using bivariate data in distributed CRNs. 2019 11th International Conference on Communication Systems Networks (COMSNETS). :410–413.
Wireless communication network (WCN) performance primarily depends on physical layer security which is critical among all other layers of OSI network model. It is typically prone to anomaly/malicious user's attacks owing to openness of wireless channels. Cognitive radio networking (CRN) is a recently emerged wireless technology that is having numerous security challenges because of its unlicensed access of wireless channels. In CRNs, the security issues occur mainly during spectrum sensing and is more pronounced during distributed spectrum sensing. In recent past, various anomaly effects are modelled and developed detectors by applying advanced statistical techniques. Nevertheless, many of these detectors have been developed based on sensing data of one variable (energy measurement) and degrades their performance drastically when the data is contaminated with multiple anomaly nodes, that attack the network cooperatively. Hence, one has to develop an efficient multiple anomaly detection algorithm to eliminate all possible cooperative attacks. To achieve this, in this work, the impact of anomaly on detection probability is verified beforehand in developing an efficient algorithm using bivariate data to detect possible attacks with Mahalanobis distance measure. Result discloses that detection error of cooperative attacks by anomaly has significant impact on eigenvalue-based sensing.
2020-04-06
Fouchal, Hacène, Ninet, Alain.  2020.  Partial Signature for Cooperative Intelligent Transport Systems. 2020 International Conference on Computing, Networking and Communications (ICNC). :586–590.
On C-ITS (Cooperative Intelligent Transport Systems) vehicles send and receive sensitive messages informing about events on roads (accidents, traffic jams, etc.). The authentication of these messages is highly recommended in order to increase the users' confidence about this system. This authentication ensures that only messages coming from trusted vehicles are accepted by receivers. An adapted PKI (Public Key Infrastructure) for C-ITS provides certificates for each vehicle. The certificate will be used to sign messages. This principle is used within deployed C-ITS solutions over the world. This solution is easy to implement but has one major flaw: each message needs to be sent with its signature and its certificate. The size of the message to send becomes high. In the meantime, for many C-ITS use cases, each message is sent many times for robustness reasons. The communication channel could be overloaded. In this paper, we propose to split the signature into some equal parts. When a message has to be sent, it will be sent with one of these parts. A receiver will save the received message with its actual part. For each reception, it will collect the remaining signature parts until all the signature parts are received. Our solution is implemented in a C-ITS architecture working through Bluetooth protocol using the advertising model. The solution is applicable for vehicle speeds reaching 130 km/h. We have proved, through a set of real experimentations, that our solution is possible.
Patsonakis, Christos, Samari, Katerina, Kiayiasy, Aggelos, Roussopoulos, Mema.  2019.  On the Practicality of a Smart Contract PKI. 2019 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPCON). :109–118.
Public key infrastructures (PKIs) are one of the main building blocks for securing communications over the Internet. Currently, PKIs are under the control of centralized authorities, which is problematic as evidenced by numerous incidents where they have been compromised. The distributed, fault tolerant log of transactions provided by blockchains and more recently, smart contract platforms, constitutes a powerful tool for the decentralization of PKIs. To verify the validity of identity records, blockchain-based identity systems store on chain either all identity records, or, a small (or even constant) sized amount of data for verifying identity records stored off chain. However, as most of these systems have never been implemented, there is little information regarding the practical implications of each design's tradeoffs. In this work, we first implement and evaluate the only provably secure, smart contract based PKI of Patsonakis et al. on top of Ethereum. This construction incurs constant-sized storage at the expense of computational complexity. To explore this tradeoff, we propose and implement a second construction which, eliminates the need for trusted setup, preserves the security properties of Patsonakis et al. and, as illustrated through our evaluation, is the only version with constant-sized state that can be deployed on the live chain of Ethereum. Furthermore, we compare these two systems with the simple approach of most prior works, e.g., the Ethereum Name Service, where all identity records are stored on the smart contract's state, to illustrate several shortcomings of Ethereum and its cost model. We propose several modifications for fine tuning the model, which would be useful to be considered for any smart contract platform like Ethereum so that it reaches its full potential to support arbitrary distributed applications.
2020-04-03
Hirose, Shoichi, Shikata, Junji.  2019.  Provable Security of the Ma-Tsudik Forward-Secure Sequential Aggregate MAC Scheme. 2019 Seventh International Symposium on Computing and Networking Workshops (CANDARW). :327–332.
Considering application to communication among wireless sensors, Ma and Tsudik introduced the notion of forward-secure sequential aggregate (FssAgg) authentication in 2007. They also proposed an FssAgg MAC scheme composed of a MAC function and cryptographic hash functions at the same time. The security of their proposed scheme has not been analyzed yet and remains open. It is shown in this paper that a slight variant of the Ma-Tsudik FssAgg MAC scheme is secure under reasonable and standard assumptions on security of the underlying primitives. An efficient instantiation of the underlying MAC function using a cryptographic hash function is also discussed.
Renjan, Arya, Narayanan, Sandeep Nair, Joshi, Karuna Pande.  2019.  A Policy Based Framework for Privacy-Respecting Deep Packet Inspection of High Velocity Network Traffic. 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). :47–52.

Deep Packet Inspection (DPI) is instrumental in investigating the presence of malicious activity in network traffic and most existing DPI tools work on unencrypted payloads. As the internet is moving towards fully encrypted data-transfer, there is a critical requirement for privacy-aware techniques to efficiently decrypt network payloads. Until recently, passive proxying using certain aspects of TLS 1.2 was used to perform decryption and further DPI analysis. With the introduction of TLS 1.3 standard that only supports protocols with Perfect Forward Secrecy (PFS), many such techniques will become ineffective. Several security solutions will be forced to adopt active proxying that will become a big-data problem considering the velocity and veracity of network traffic involved. We have developed an ABAC (Attribute Based Access Control) framework that efficiently supports existing DPI tools while respecting user's privacy requirements and organizational policies. It gives the user the ability to accept or decline access decision based on his privileges. Our solution evaluates various observed and derived attributes of network connections against user access privileges using policies described with semantic technologies. In this paper, we describe our framework and demonstrate the efficacy of our technique with the help of use-case scenarios to identify network connections that are candidates for Deep Packet Inspection. Since our technique makes selective identification of connections based on policies, both processing and memory load at the gateway will be reduced significantly.

Gerl, Armin, Becher, Stefan.  2019.  Policy-Based De-Identification Test Framework. 2019 IEEE World Congress on Services (SERVICES). 2642-939X:356–357.
Protecting privacy of individuals is a basic right, which has to be considered in our data-centered society in which new technologies emerge rapidly. To preserve the privacy of individuals de-identifying technologies have been developed including pseudonymization, personal privacy anonymization, and privacy models. Each having several variations with different properties and contexts which poses the challenge for the proper selection and application of de-identification methods. We tackle this challenge proposing a policy-based de-identification test framework for a systematic approach to experimenting and evaluation of various combinations of methods and their interplay. Evaluation of the experimental results regarding performance and utility is considered within the framework. We propose a domain-specific language, expressing the required complex configuration options, including data-set, policy generator, and various de-identification methods.
Werner, Jorge, Westphall, Carla Merkle, Vargas, André Azevedo, Westphall, Carlos Becker.  2019.  Privacy Policies Model in Access Control. 2019 IEEE International Systems Conference (SysCon). :1–8.
With the increasing advancement of services on the Internet, due to the strengthening of cloud computing, the exchange of data between providers and users is intense. Management of access control and applications need data to identify users and/or perform services in an automated and more practical way. Applications have to protect access to data collected. However, users often provide data in cloud environments and do not know what was collected, how or by whom data will be used. Privacy of personal data has been a challenge for information security. This paper presents the development and use of a privacy policy strategy, i.e., a privacy policy model and format was proposed to be integrated with the authorization task. An access control language and the preferences defined by the owner of information were used to implement the proposals. The results showed that the strategy is feasible, guaranteeing to the users the right over their data.
Bello-Ogunu, Emmanuel, Shehab, Mohamed, Miazi, Nazmus Sakib.  2019.  Privacy Is The Best Policy: A Framework for BLE Beacon Privacy Management. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). 1:823–832.
Bluetooth Low Energy (BLE) beacons are an emerging type of technology in the Internet-of-Things (IoT) realm, which use BLE signals to broadcast a unique identifier that is detected by a compatible device to determine the location of nearby users. Beacons can be used to provide a tailored user experience with each encounter, yet can also constitute an invasion of privacy, due to their covertness and ability to track user behavior. Therefore, we hypothesize that user-driven privacy policy configuration is key to enabling effective and trustworthy privacy management during beacon encounters. We developed a framework for beacon privacy management that provides a policy configuration platform. Through an empirical analysis with 90 users, we evaluated this framework through a proof-of-concept app called Beacon Privacy Manager (BPM), which focused on the user experience of such a tool. Using BPM, we provided users with the ability to create privacy policies for beacons, testing different configuration schemes to refine the framework and then offer recommendations for future research.
Bhamidipati, Venkata Siva Vijayendra, Chan, Michael, Jain, Arpit, Murthy, Ashok Srinivasa, Chamorro, Derek, Muralidhar, Aniruddh Kamalapuram.  2019.  Predictive Proof of Metrics – a New Blockchain Consensus Protocol. 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS). :498–505.
We present a new consensus protocol for Blockchain ecosystems - PPoM - Predictive Proof of Metrics. First, we describe the motivation for PPoM - why we need it. Then, we outline its architecture, components, and operation. As part of this, we detail our reputation and reward based approach to bring about consensus in the Blockchain. We also address security and scalability for a PPoM based Blockchain, and discuss potential improvements for future work. Finally, we present measurements for our short term Provider Prediction engine.
2020-03-30
Dreher, Patrick, Ramasami, Madhuvanti.  2019.  Prototype Container-Based Platform for Extreme Quantum Computing Algorithm Development. 2019 IEEE High Performance Extreme Computing Conference (HPEC). :1–7.
Recent advances in the development of the first generation of quantum computing devices have provided researchers with computational platforms to explore new ideas and reformulate conventional computational codes suitable for a quantum computer. Developers can now implement these reformulations on both quantum simulators and hardware platforms through a cloud computing software environment. For example, the IBM Q Experience provides the direct access to their quantum simulators and quantum computing hardware platforms. However these current access options may not be an optimal environment for developers needing to download and modify the source codes and libraries. This paper focuses on the construction of a Docker container environment with Qiskit source codes and libraries running on a local cloud computing system that can directly access the IBM Q Experience. This prototype container based system allows single user and small project groups to do rapid prototype development, testing and implementation of extreme capability algorithms with more agility and flexibility than can be provided through the IBM Q Experience website. This prototype environment also provides an excellent teaching environment for labs and project assignments within graduate courses in cloud computing and quantum computing. The paper also discusses computer security challenges for expanding this prototype container system to larger groups of quantum computing researchers.
Thida, Aye, Shwe, Thanda.  2020.  Process Provenance-based Trust Management in Collaborative Fog Environment. 2020 IEEE Conference on Computer Applications(ICCA). :1–5.
With the increasing popularity and adoption of IoT technology, fog computing has been used as an advancement to cloud computing. Although trust management issues in cloud have been addressed, there are still very few studies in a fog area. Trust is needed for collaborating among fog nodes and trust can further improve the reliability by assisting in selecting the fog nodes to collaborate. To address this issue, we present a provenance based trust mechanism that traces the behavior of the process among fog nodes. Our approach adopts the completion rate and failure rate as the process provenance in trust scores of computing workload, especially obvious measures of trustworthiness. Simulation results demonstrate that the proposed system can effectively be used for collaboration in a fog environment.
Souza, Renan, Azevedo, Leonardo, Lourenço, Vítor, Soares, Elton, Thiago, Raphael, Brandão, Rafael, Civitarese, Daniel, Brazil, Emilio, Moreno, Marcio, Valduriez, Patrick et al..  2019.  Provenance Data in the Machine Learning Lifecycle in Computational Science and Engineering. 2019 IEEE/ACM Workflows in Support of Large-Scale Science (WORKS). :1–10.
Machine Learning (ML) has become essential in several industries. In Computational Science and Engineering (CSE), the complexity of the ML lifecycle comes from the large variety of data, scientists' expertise, tools, and workflows. If data are not tracked properly during the lifecycle, it becomes unfeasible to recreate a ML model from scratch or to explain to stakeholders how it was created. The main limitation of provenance tracking solutions is that they cannot cope with provenance capture and integration of domain and ML data processed in the multiple workflows in the lifecycle, while keeping the provenance capture overhead low. To handle this problem, in this paper we contribute with a detailed characterization of provenance data in the ML lifecycle in CSE; a new provenance data representation, called PROV-ML, built on top of W3C PROV and ML Schema; and extensions to a system that tracks provenance from multiple workflows to address the characteristics of ML and CSE, and to allow for provenance queries with a standard vocabulary. We show a practical use in a real case in the O&G industry, along with its evaluation using 239,616 CUDA cores in parallel.
2020-03-23
Karlsson, Linus, Paladi, Nicolae.  2019.  Privacy-Enabled Recommendations for Software Vulnerabilities. 2019 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech). :564–571.
New software vulnerabilities are published daily. Prioritizing vulnerabilities according to their relevance to the collection of software an organization uses is a costly and slow process. While recommender systems were earlier proposed to address this issue, they ignore the security of the vulnerability prioritization data. As a result, a malicious operator or a third party adversary can collect vulnerability prioritization data to identify the security assets in the enterprise deployments of client organizations. To address this, we propose a solution that leverages isolated execution to protect the privacy of vulnerability profiles without compromising data integrity. To validate an implementation of the proposed solution we integrated it with an existing recommender system for software vulnerabilities. The evaluation of our implementation shows that the proposed solution can effectively complement existing recommender systems for software vulnerabilities.
Arul, Tolga, Anagnostopoulos, Nikolaos Athanasios, Katzenbeisser, Stefan.  2019.  Privacy Usability of IPTV Recommender Systems. 2019 IEEE International Conference on Consumer Electronics (ICCE). :1–2.
IPTV is capable of providing recommendations for upcoming TV programs based on consumer feedback. With the increasing popularity and performance of recommender systems, risks of user privacy breach emerge. Although several works about privacy-preserving designs of recommender systems exist in the literature, a detailed analysis of the current state-of-the-art regarding privacy as well as an investigation of the usability aspects of such systems, so far, have not received consideration. In this paper, we survey current approaches for recommender systems by studying their privacy and usability properties in the context of IPTV.
Korenda, Ashwija Reddy, Afghah, Fatemeh, Cambou, Bertrand, Philabaum, Christopher.  2019.  A Proof of Concept SRAM-based Physically Unclonable Function (PUF) Key Generation Mechanism for IoT Devices. 2019 16th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON). :1–8.
This paper provides a proof of concept for using SRAM based Physically Unclonable Functions (PUFs) to generate private keys for IoT devices. PUFs are utilized, as there is inadequate protection for secret keys stored in the memory of the IoT devices. We utilize a custom-made Arduino mega shield to extract the fingerprint from SRAM chip on demand. We utilize the concepts of ternary states to exclude the cells which are easily prone to flip, allowing us to extract stable bits from the fingerprint of the SRAM. Using the custom-made software for our SRAM device, we can control the error rate of the PUF to achieve an adjustable memory-based PUF for key generation. We utilize several fuzzy extractor techniques based on using different error correction coding methods to generate secret keys from the SRAM PUF, and study the trade-off between the false authentication rate and false rejection rate of the PUF.
Zhuang, Ziyi, Jiang, Shengming, Xu, Yanli, Luo, Xiang, Cheng, Xin.  2019.  A Physical Layer Key Generation Scheme Based on Full-duplex Mode in Wireless Networks without Fixed Infrastructure. 2019 International Conference on Computer, Information and Telecommunication Systems (CITS). :1–5.
Encryption schemes for network security usually require a key distribution center to share or distribute the secret keys, which is difficult to deploy in wireless networks without fixed infrastructure. A novel key generation scheme based on the physical layer can generate a shared key between a pair of correlated parties by sharing random sources. The existing physical layer key generation scheme is based on the half-duplex mode with time division duplex (TDD) mode, which makes it impossible for the correlated communication parties to detect the channel simultaneously in order to improve the channel coherence. In this paper, we propose a full-duplex physical layer key generation scheme, which allows each legal communication node to transmit and receive signals at the same time, in order to reduce channel probing time and increase channel coherence performance. The simulation experiments show that the proposed scheme can much outperform some typical existing schemes in terms of the key performance evaluation indicators, key disagreement rate, key generation rate, entropy of the scheme improved, and the randomness of generated keys passed the National Institute of Standards and Technology (NIST) test.
2020-03-18
Camera, Giancarlo, Baglietto, Pierpaolo, Maresca, Massimo.  2019.  A Platform for Private and Controlled Spreadsheet Objects Sharing. 2019 IEEE 23rd International Enterprise Distributed Object Computing Conference (EDOC). :67–76.
Spreadsheets are widely used in industries for tabular data analysis, visualization and storage. Users often exchange spreadsheets' semi-structured data to collaboratively analyze them. Recently, office suites integrated a software module that enables collaborative authoring of office files, including spreadsheets, to facilitate the sharing process. Typically spreadsheets collaborative authoring applications, like Google Sheets or Excel online, need to delocalize the entire file in public cloud storage servers. This choice is not secure for enterprise use because it exposes shared content to the risk of third party access. Moreover, available platforms usually provide coarse grained spreadsheet file sharing, where collaborators have access to all data stored inside a workbook and to all the spreadsheets' formulas used to manipulate those data. This approach limits users' possibilities to disclose only a small portion of tabular data and integrate data coming from different sources (spreadsheets or software platforms). For these reasons enterprise users prefer to control fine grained confidential data exchange and their updates manually through copy, paste, attach-to-email, extract-from-email operations. However unsupervised data sharing and circulation often leads to errors or, at the very least, to inconsistencies, data losses, and proliferation of multiple copies. We propose a model that gives business users a different level of spreadsheet data sharing control, privacy and management. Our approach enables collaborative analytics of tabular data focusing on fine grained spreadsheet data sharing instead of coarse grained file sharing. This solution works with a platform that implements an end to end encrypted protocol for sensitive data sharing that prevents third party access to confidential content. Data are never shared into public clouds but they are transferred encrypted among the administrative domains of collaborators.
In this paper we describe the model and the implemented system that enable our solution. We focus on two enterprise use cases we implemented describing how we deployed our platform to speed up and optimize industry processes that involve spreadsheet usage.
Mei, Lei, Tong, Haojie, Liu, Tong, Tian, Ye.  2019.  PSA: An Architecture for Proactively Securing Protocol-Oblivious SDN Networks. 2019 IEEE 9th International Conference on Electronics Information and Emergency Communication (ICEIEC). :1–6.

Up to now, Software-defined network (SDN) has been developing for many years and various controller implementations have appeared. Most of these controllers contain the normal business logic as well as security defense function. This makes the business logic on the controller tightly coupled with the security function, which increases the burden of the controller and is not conducive to the evolution of the controller. To address this problem, we propose a proactive security framework PSA, which decouples the business logic and security function of the controller, and deploys the security function in the proactive security layer which lies between the data plane and the control plane, so as to provide a unified security defense framework for different controller implementations. Based on PSA, we design a security defense application for the data-to-control plane saturation attack, which overloads the infrastructure of SDN networks. We evaluate the prototype implementation of PSA in the software environments. The results show that PSA is effective with adding only minor overhead into the entire SDN infrastructure.

Zhang, Ruipeng, Xu, Chen, Xie, Mengjun.  2019.  Powering Hands-on Cybersecurity Practices with Cloud Computing. 2019 IEEE 27th International Conference on Network Protocols (ICNP). :1–2.
Cybersecurity education and training have gained increasing attention in all sectors due to the prevalence and quick evolution of cyberattacks. A variety of platforms and systems have been proposed and developed to accommodate the growing needs of hands-on cybersecurity practice. However, those systems are either lacking sufficient flexibility (e.g., tied to a specific virtual computing service provider, little customization support) or difficult to scale. In this work, we present a cloud-based platform named EZSetup for hands-on cybersecurity practice at scale and our experience of using it in class. EZSetup is customizable and cloud-agnostic. Users can create labs through an intuitive Web interface and deploy them onto one or multiple clouds. We have used NSF funded Chameleon cloud and our private OpenStack cloud to develop, test and deploy EZSetup. We have developed 14 network and security labs using the tool and included six labs in an undergraduate network security course in spring 2019. Our survey results show that students have very positive feedback on using EZSetup and computing clouds for hands-on cybersecurity practice.
Promyslov, Vitaly, Jharko, Elena, Semenkov, Kirill.  2019.  Principles of Physical and Information Model Integration for Cybersecurity Provision to a Nuclear Power Plant. 2019 Twelfth International Conference "Management of large-scale system development" (MLSD). :1–3.
For complex technical objects the research of cybersecurity problems should take into account both physical and information properties of the object. The paper considers a hybrid model that unifies information and physical models and may be used as a tool for countering cyber threats and for cybersecurity risk assessment at the design and operational stage of an object's lifecycle.
2020-03-16
Iuhasz, Gabriel, Petcu, Dana.  2019.  Perspectives on Anomaly and Event Detection in Exascale Systems. 2019 IEEE 5th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). :225–229.
The design and implementation of an exascale system is nowadays an important challenge. Such a system is expected to combine HPC with Big Data methods and technologies to allow the execution of scientific workloads which are not tractable at this present time. In this paper we focus on an event and anomaly detection framework which is crucial in giving a global overview of an exascale system (which in turn is necessary for the successful implementation and exploitation of the system). We propose an architecture for such a framework and show how it can be used to handle failures during job execution.
Udod, Kyryll, Kushnarenko, Volodymyr, Wesner, Stefan, Svjatnyj, Volodymyr.  2019.  Preservation System for Scientific Experiments in High Performance Computing: Challenges and Proposed Concept. 2019 10th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). 2:809–813.
Continuously growing amount of research experiments using High Performance Computing (HPC) leads to the questions of research data management and in particular how to preserve a scientific experiment including all related data for long term for its future reproduction. This paper covers some challenges and possible solutions related to the preservation of scientific experiments on HPC systems and represents a concept of the preservation system for HPC computations. Storage of the experiment itself with some related data is not only enough for its future reproduction, especially in the long term. For that case preservation of the whole experiment's environment (operating system, used libraries, environment variables, input data, etc.) via containerization technology (e.g. using Docker, Singularity) is proposed. This approach allows to preserve the entire environment, but is not always possible on every HPC system because of security issues. And it also leaves a question, how to deal with commercial software that was used within the experiment. As a possible solution we propose to run a preservation process outside of the computing system on the web-server and to replace all commercial software inside the created experiment's image with open source analogues that should allow future reproduction of the experiment without any legal issues. The prototype of such a system was developed, the paper provides the scheme of the system, its main features and describes the first experimental results and further research steps.
Chondamrongkul, Nacha, Sun, Jing, Wei, Bingyang, Warren, Ian.  2019.  Parallel Verification of Software Architecture Design. 2019 IEEE 19th International Symposium on High Assurance Systems Engineering (HASE). :50–57.
In the component-based software system, certain behaviours of components and their composition may affect system reliability at runtime. This problem can be early detected through the automated verification of software architecture design, by which model checking is one of the techniques to achieve this. However, its practicality and performance issue remain challenges. This paper presents a scalable approach for the software architecture verification. The modelling is proposed to manifest the behaviours in the software component, in order to detect problematic behaviours, such as circular dependency and performance bottleneck. The outcome of the verification identifies the problem and the scenarios that cause it. In order to mitigate the verification performance issue, the parallelism is applied to the verification process so that multiple decomposed models can be simultaneously verified on a multi-threaded environment. As some software systems are designed as the monolithic architecture, we present a method that helps to automatically decompose a large monolithic model into a set of smaller sub-models. Our approach was evaluated and proved to enhance the performance of the verification process for the large-scale complex software systems.
2020-03-09
Spring, Jonathan M., Moore, Tyler, Pym, David.  2017.  Practicing a Science of Security: A Philosophy of Science Perspective. Proceedings of the 2017 New Security Paradigms Workshop. :1–18.

Our goal is to refocus the question about cybersecurity research from 'is this process scientific' to 'why is this scientific process producing unsatisfactory results'. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as Logical Empiricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathematical modeling methods, provides constructive resources to mitigate all purported challenges to a science of security. Therefore, we argue the community currently practices a science of cybersecurity. A philosophy of science perspective suggests the following form of practice: structured observation to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within their own expertise, inter-translating where necessary. A natural question to pursue in future work is how collecting, evaluating, and analyzing evidence for such explanations is different in security than other sciences.

Richardson, Christopher, Race, Nicholas, Smith, Paul.  2016.  A Privacy Preserving Approach to Energy Theft Detection in Smart Grids. 2016 IEEE International Smart Cities Conference (ISC2). :1–4.

A major challenge for utilities is energy theft, wherein malicious actors steal energy for financial gain. One such form of theft in the smart grid is the fraudulent amplification of energy generation measurements from DERs, such as photo-voltaics. It is important to detect this form of malicious activity, but in a way that ensures the privacy of customers. Not considering privacy aspects could result in a backlash from customers and a heavily curtailed deployment of services, for example. In this short paper, we present a novel privacy-preserving approach to the detection of manipulated DER generation measurements.