International Journal of Security and Networks (15 papers in press)
A Cloud/Edge Computing Streaming System for Network Traffic Monitoring and Threat Detection
by Zhijiang Chen, Sixiao Wei, Wei Yu, James Nguyen, William Hatcher
Abstract: The unyielding trend of increasing cyber threats has made cyber security paramount in protecting personal and private intellectual property. In order to provide the most highly secured network environment, network traffic monitoring and threat detection systems must handle real-time big data from varied and branching places in enterprise networks. Although numerous investigations have yielded real-time threat detection systems, how to handle the large volumes of network traffic data (big network traffic data) in enterprise networks, while simultaneously providing real-time monitoring and detection, remains unsolved. In this paper, we introduce and evaluate a streaming-based threat detection system that can rapidly analyze highly intensive network traffic data in real time, utilizing streaming-based clustering algorithms to detect abnormal network activities. The developed system integrates the streaming and high-performance data analysis capabilities of Flume, Sharp, and Hadoop into a cloud-computing environment to provide network monitoring and intrusion detection. Our performance evaluation and experimental results demonstrate that the developed system can cope with a significant volume of streaming data with high detection accuracy and good system performance. We further extend our designed system for edge computing and discuss some key challenges, as well as some potential solutions, aiming to improve the scalability of our designed system. Finally, we discuss other issues related to extending our designed system.
Keywords: Streaming Analysis; Network Traffic Monitoring; Threat Detection; Big Network Data Analysis; Cloud Computing; Edge Computing.
Preserving Source and Destination Location Privacy with Controlled Routing Protocol
by Rajorshi Biswas, Jie Wu
Abstract: Efficiency in routing and security are two competing design issues in wireless sensor networks. The most efficient and least secure routing protocol is shortest path routing. On the other hand, the most secure and least efficient routing protocol is random routing. In this paper, we propose the controlled routing protocol, a mixture of these two routing protocols that maintains a good balance between security and efficiency. Our proposed protocol is based on two principles: if not all messages follow the same path, then backtracking to the source node is not possible; and when an adversary is very far away from the source and destination locations, efficiency is more important than security. Based on these principles, we propose the controlled routing protocol, in which the forwarding node forwards the message either to the node on the shortest path or to a random neighbor with a variable probability. The probability of taking the shortest path increases with distance from the source and the destination node. In this paper, we also present our simulation results compared to other routing protocols.
Keywords: Source Location Privacy; Security; Random Routing; Routing Protocol; Controlled Routing Protocol.
Enhanced Source Location Privacy Mechanism for WSNs
by Mourad Amad, Lachemi Khenous, Abdellah Boukerram
Abstract: Source location privacy in wireless sensor networks is an important security issue when a wireless sensor network is used in monitoring valuable assets or the source is a sensitive object. However, the open nature of a sensor network makes it relatively easy for an adversary to detect message flows and trace the message back hop-by-hop to its source by moving in the reverse direction of the flows. Many schemes have been proposed recently to provide source location privacy, but all perform poorly, because either with insu
Keywords: Source-Location Privacy; Context Privacy; Wireless Sensor Networks.
Information Centric Approach to Analyzing Security Threats and Node Behavior in Underwater Sensor Networks
by Robert Martin, Sanguthevar Rajasekaran
Abstract: Underwater Sensor Networks (UWSN) have a range of applications such as aquatic mammal tracking, exploration, and pollution monitoring. Such applications require accurate and efficient data management, especially in the UWSN's harsh environment. Additionally, due to the restricted energy of underwater modems, we must ensure transmissions are efficient. Due to the open nature of many UWSN applications, we must consider the possibility of mobile malicious nodes injecting false packets into our network. Information-centric architectures have proven to be a potential solution through the integration of security for better data protection. But, with the proper insight, a Denial of Service (DoS) attack can still drastically affect a UWSN using adapted information-centric techniques. In this work we first analyze different types of DoS attacks to which UWSNs may be vulnerable. Next, we propose an adapted algorithm to help detect and restrict potential malicious nodes. And finally, we analyze node behavior using three different machine learning techniques to find statistical, adaptive, and predictive approaches to DoS restriction. Simulation results of our proposed algorithm are depicted for single and multiple DoS attackers. Our findings show a strong correlation between DoS defensive methods and decreased network traffic in typical attack scenarios. Furthermore, we introduce more advanced attacker scenarios to test our machine learning techniques in various network topologies.
Keywords: Underwater Sensor Networks; Security; Information-Centric; Denial of Service Attack; Routing; Interest Flooding.
A Smart Urban Flood Control and Warning System Based on Big Data
by Guanlin Chen, Zhikang Zhou, Rongxin Zheng, Tongjun Qi
Abstract: With the rapid development of the social economy in recent years, urban scale has expanded rapidly and the problem of urban flood control has become more prominent. The conventional flood control system has been unable to meet the requirements of rapid urban development. As urban drainage facilities improve and Internet of Things monitoring equipment increases, the big data era has come. Therefore, a smart urban flood control and warning system based on big data will be crucial. In this paper, a system named SUFCWS (Smart Urban Flood Control and Warning System) based on big data is proposed. The system is composed of user login, flood control basic data entry, water level and rainfall data search, real-time display, statistical analysis and flood warning, and integrates the J2EE platform, the SSH2 (Spring+Struts2+Hibernate) framework, the Bootstrap front-end development kit, the Highcharts graphics library and the Baidu Maps API. Using the GM(1,1) algorithm of the grey forecasting model and the back propagation neural network algorithm, SUFCWS can give useful early warning of potential urban floods.
VOUCH-AP: priVacy preserving Open-access 802.11 pUbliC Hotspot AP authentication mechanism with colocated evil-twins
by Avinash Srinivasan, Jie Wu
Abstract: Open-access 802.11 public Wi-Fi hotspots have become a basic necessity for hundreds of millions of mobile users' persistent on-the-go access to the Internet. 802.11 Wi-Fi networks are designed and deployed to support rudimentary low-level authentication at the link layer, enabling an AP to decide whether to allow a client to associate. Similar authentication mechanisms are not provisioned for the clients. Hence, there is a fundamental information asymmetry at play in an 802.11 public hotspot, which tilts the balance in favor of an adversary intending to launch AP-based evil-twin attacks. Furthermore, link-layer authentication has little security since the link itself is completely open to numerous attacks. In this paper, we address this information asymmetry problem and propose a simple yet powerful solution for identifying and eliminating malicious APs, thereby providing users safe and private 802.11 public hotspots. Our proposed AP authentication framework is called VOUCH-AP, a portable and platform-independent solution. VOUCH-AP is, to the best of our knowledge, the first work to consider digital certificate based AP authentication. VOUCH-AP makes use of a modified version of an X.509 digital certificate consisting of additional fields for provisioning robust security and privacy to counter evil-twin attacks. The proposed solution does not require any hardware upgrades or specialized hardware, unlike 802.11i (aka WPA2). Finally, through security analysis, we show the security robustness of the proposed VOUCH-AP framework to counter evil-twin attacks.
Keywords: Authentication; captive portal; evil-twin; identity theft; privacy; security; vulnerability.
A Novel Flood Defense Decision Support System for Smart Urban Management Based on Classification and Regression Tree
by Guanlin Chen
Abstract: With the development of Internet of Things technology and awareness technology, all kinds of big data in the city have started to emerge. Against the background of the Internet Plus era, using big data to effectively forecast urban flood disasters and to formulate flood control and disaster mitigation countermeasures in time is an important subject of urban flood control research. In this paper, a NFDDSS (Novel Flood Defense Decision Support System) is proposed. Using historical hydrology data from Hangzhou, this paper proposes a water level prediction model based on classification and regression tree that comprehensively considers time correlation and spatial correlation. This model can predict the water level 1 to 6 hours ahead effectively. With this system, supervisors can get timely and effective guidance on flood control and disaster mitigation when the flood season comes.
Keywords: Flood Defense; Water Level Prediction; Classification and Regression Tree; Decision Support System; Big Data.
A security scheme of digital rights management based on agent encryption and key distribution in cloud computing
by Wengeng Ge
Abstract: Cloud computing is a convenient and flexible mode of data transmission and sharing. Data security is the biggest challenge today owing to the wide application of cloud computing in various fields. This study proposes a security scheme of digital rights management based on digital licenses and agent encryption in cloud computing. First, a secure and effective framework of digital rights management is presented, allowing the agent encryption provider (such as a centralized data server) to encrypt the data content and common users to use the data resource based on a digital license generated by a license server. The novel scheme accomplishes privacy protection by permitting anonymous users to request different services from the key server and service provider. The performance analysis shows that the proposed scheme can assure the security and efficiency of data resources, thereby establishing its significance and application value for promoting widespread application of cloud computing.
Keywords: digital rights management; cloud computing; digital license; agent encryption; key distribution.
Graphical Passwords for Older Computer Users
by Nancy Carter, Cheng Li, Qun Li, Jennifer Stevens, Ed Novak, Zhengrui Qin
Abstract: Traditional text password authentication is widely used to gain access to computing resources. Not all users possess the same cognitive and manual dexterity skills required to easily create, recall, and enter strong text passwords. We interviewed a group of older users, over the age of 60, and identified challenges with recall and typing of strong text passwords. We developed and evaluated our Graphical Password user password system based on familiar facial images embedded randomly among unfamiliar, yet similar, images. It assists older users through the use of culturally familiar and age-relevant images forming personalized password image sequences. Our usability study with nineteen older volunteers measured recall and timing with varying password image sequence lengths, increasing display complexity, and two input modalities, touchscreen and mouse. Our Graphical Password technique demonstrated a recall rate of 97%, password entropy superior to short PINs, and authentication time comparable to short text passwords.
Keywords: authentication; security; graphical passwords; human computer interaction; older users.
Security mechanism of dynamic and differentiated protection for telecommunications services based on cloud computing
by Huijuan Xu, Xin Zheng
Abstract: Security threats in the processes of data migration have increased more than ever before with the development of cloud computing. Traditional device-centric security systems are not efficient enough because a large number of data resources float in the cloud and are out of the owner's control. The security requirements of telecommunications services based on cloud computing comprise three aspects: data storage, data processing, and data transmission. Therefore, this study aimed to design a novel data-centric security protection system. A security model based on security domain division was proposed. That is to say, the security protection measures were carried out in three data domains: storage, processing, and transmission. The analyses indicated that the novel model could not only provide dynamic and differentiated protection but also be implemented at a lower cost for telecommunications services in cloud computing.
Keywords: telecommunications services; cloud computing; security mechanism; security domain division.
Toward signature extraction of Metasploit encoding algorithms using static analysis
by Mohammadreza Ramezani-Chemazi, Maede Ashouri-Talouki
Abstract: Shellcode is code injected by attackers into vulnerable software to gain access to the command prompt. The byte patterns of shellcodes help intrusion detection systems detect this type of shellcode. To avoid detection, encoding algorithms are used by the attacker to encode the byte patterns. The detection of these encoded shellcodes is a challenging problem. To detect these encoded shellcodes, we perform a static analysis of the encoding algorithms of the Metasploit engine to extract the byte patterns (signatures) of these algorithms. Then, we introduce a regular expression-based language called GtS to express these signatures. The experimental results show the effectiveness of our signatures in terms of accuracy and false positive rate.
Keywords: shellcode; Metasploit; encoding algorithms; static analysis; signatures.
An efficient remote anonymous authentication scheme with user revocation
by Yun-Xia Deng, Run-Hua Shi
Abstract: Wireless body area network (WBAN for short) is a great technological advance for modern medical treatment. People at home can send their real-time body data (e.g., heart rate) to a remote monitoring station for further knowledge of their body. Due to the openness of the wireless channel and the sensitivity of human body data, it is very important for WBAN to build secure and efficient authentication schemes. Accordingly, several anonymous authentication schemes for WBAN have appeared. However, these existing schemes have some limitations, such as overhead costs and untraceability. In this paper, we first present a novel revocable certificateless public key encryption (RCL-PKE) scheme, which is IND-CCA secure under the random oracle model. Furthermore, based on the RCL-PKE scheme, we propose an efficient revocable remote anonymous authentication scheme for WBAN, which can provide traceability of the client identity when a medical dispute arises.
Keywords: revocable; certificateless; remote anonymous authentication; wireless body area network; WBAN.
A promising security protocol for protecting near field communication devices from networking attacks
by Abu Asaduzzaman, Shanta Mazumder, Sergio Salinas
Abstract: Near field communication (NFC) is vulnerable to numerous networking attacks such as tag manipulation. In this work, a security protocol for the NFC chip is introduced to protect NFC devices and associated data from several attacks. In addition, the NFC data exchange format (NDEF) message is modified with a certificate record, and the alert mechanism is improved to enhance security. The modified secure protocol in the NFC system checks the authenticity of the incoming NDEF message's sender (by checking the signature record) and the validity of the message/data (by checking the certificate), then, if appropriate, stores the incoming NDEF messages in the device's memory for further processing. Matrix laboratory (MATLAB) simulation results suggest that the proposed protocol offers better security by detecting certificate modification, message modification, etc. The proposed secure technique for NFC can be extended to enhance security in mobile IoT devices.
Keywords: security-aware architecture; NFC architecture; near field communication; systems security; secure protocol.
A novel approach for graph-based global outlier detection in social networks
by Nabila Zrira, Soufiana Mekouar, El Houssine Bouyakhf
Abstract: Graph representation has high expressive power to model and detect complicated structural patterns. One important area of data mining that uses such representation is anomaly detection, particularly in the social network graph, to ensure network privacy and uncover interesting behaviour. In this work, we suggest a new approach for global outlier detection in social networks based on graph pattern matching. A node signature extraction is combined with an optimal assignment method for matching the original graph data with the graph pattern data, in order to detect two formalised anomalies: anomalous nodes and anomalous edges. First, we introduce Euclidean and Gower formulas to compute the distance between graphs. Then, we conduct graph pattern matching in cubic time by defining a node-to-node cost in an assignment problem using the Hungarian method. Finally, the obtained experimental results demonstrate the performance of our approach on both synthetic and real social network datasets.
Keywords: global outlier detection; social network graph; graph matching; Euclidean and Gower formulas; Hungarian method.
A measurement study of the subresource integrity mechanism on real-world applications
by Ronak Shah, Kailas Patil
Abstract: Today, billions of websites are available to users in just a click to give them the required and appropriate service. Most of these websites provide rich functionality by relying on third-party-hosted resources. Subresource integrity (SRI) is a mechanism that provides ways to examine the integrity of third-party-hosted resources. This paper provides detailed statistics on websites that are using SRI. This research also addresses different aspects of SRI implementation, such as inconsistency in the adoption of SRI and failover management, and it also estimates the amount of effort required to adopt SRI. This research first identifies different issues of SRI implementation and then provides a way to mitigate these issues and make adoption of SRI easier and error-free. We implemented a tool called UserSRI as a browser extension. UserSRI uses dynamic analysis to infer the SRI mechanism, facilitates testing, and gives savvy users the authority to enforce client-side policies on websites.
Keywords: subresource integrity; content restriction; web security; content delivery networks; CDN; cryptographic hash.