International Journal of Security and Networks (18 papers in press)
XOR-based Unexpanded Meaningful Visual Secret Sharing Scheme
by Suresh Prasad Kannojia, Jasvant Kumar
Abstract: Visual cryptography is a technique to conceal the secret information into n shares, distributed to n participants. When any k ≤ n, 2 ≤ k ≤ n, shares are printed on transparencies and stacked together, information about secret image can be revealed
directly by the human visual system with poor visual quality. It is an issue for the
researchers, to improve the quality of shares and reconstructed image. This paper proposes n-out-of- n, n = 2
Keywords: Visually Pleasing shares;Meaningful Shares;Unexpanded Shares; XOR-operation; Secret Sharing; Visual Cryptography; Visual secret sharing Schemes; Pixel Expansion.
Group-IKEv2 for Multicast IPsec in the Internet of Things
by Kiki Rizki, Argyro Lamproudi, Marco Tiloca, Shahid Raza
Abstract: This paper presents Group-IKEv2, a group key management protocol supporting secure group communication based on multicast IPsec. Group-IKEv2 is an adaptation of the IKEv2 protocol for the IPsec suite, and is especially designed to address Internet of Things (IoT) scenarios composed of resource-constrained devices. Compared to static approaches, Group-IKEv2 enables dynamic and flexible establishment of IPsec Group Security Associations as well as group key material. Also, it enables the management and renewal of group key material on a periodical fashion and upon group membership changes. We have implemented Group-IKEv2 for the Contiki OS and tested it on the OpenMote resource-constrained platform. Our experimental performance evaluation confirms that Group-IKEv2 is affordable and deployable also on constrained IoT platforms.
Keywords: Security; Group IKEv2; Multicast IPsec; Group communication; Secure communication; Key management; Internet of Things.
A DV-Hop Positioning algorithm Based on the Glowworm Swarm Optimization of Mixed Chaotic Strategy
by Ling Song, Liqin Zhao, Jin Ye
Abstract: DV-Hop, as a typical location algorithm without ranging, is widely used in node localization of wireless sensor networks. However, in the third phase of DV-Hop, a least square method is used to solve the nonlinear equations. Using this method to locate the unknown nodes will produce large coordinates errors, poor stability of positioning accuracy, low location coverage and high energy consumption. An improved localization algorithm based on hybrid chaotic strategy (MGDV-Hop) is proposed in this paper. Firstly, a glowworm swarm optimization of hybrid chaotic strategy based on chaotic mutation and chaotic inertial weight updating (MC-GSO) is proposed. Then, MC-GSO is used to replace the least square method in estimating node coordinates. By establishing the error fitness function, the linear solution of coordinates is transformed into a two-dimensional combinatorial optimization problem. Simulation results show that the average location error is reduced, while the location coverage is increased and the energy consumption is decreased.
Keywords: node positioning; DV-Hop algorithm; glowworm swarm optimization algorithm.
A formation generation algorithm of multiple agents in naval battlefield environments
by Yani CUI, Jia REN, Delong FU, Chao DONG
Abstract: This study aims to present a model of the formation generation for multiple agents using a modified binary particle swarm optimization (MBPSO). The major objective of this study is to maximize the formation combat capability and reduce the formation generation cost. We treat the ratio of the aforementioned two values as a measure of formation combat effectiveness. Additionally, chaos theory is adopted in the initialization of MBPSO to acquire diversified particle population. Moreover, particle diversity is utilized to dynamically adjust the particle position updating process to guarantee the global convergence. A case study for multi-agent formation generation model in a naval battlefield is conducted. It is shown that the proposed algorithm can accomplish multi-agent formation generation under multiple constraints. Compared with the existing related algorithms, the proposed algorithm has improved search performance and better convergence characteristics.
Keywords: multiple agents; formation generation; particle swarm optimization; chaos theory; particle diversity.
A Novel Architecture for An Integrated Enterprise Network Security System
by Thanudas Bhoothanathapillai, Sreelal Sreedharan Pillai, Cyril Raj Vellankanni, Anugolu Purnesh Sairam, Vinay Gajmoti, Palash Joshi
Abstract: Securing an enterprise network has become a challenging task as the cyber malware attacks are improving in sophistication. Traditional centralized gateway solutions such as firewall and intrusion detection systems fail to detect highly sophisticated cyber malwares and are no longer helpful for complete protection of large sized enterprise networks. In this paper, we propose a novel architecture, integrated enterprise network security system~(IENSS), that consists of distributed security agents and a central controller. Each network segment is covered by one or more agents which operate based on instructions from the controller. The agents gather network traffic as well as other information and process the inputs before sending them to the controller. The controller receives the information collected by agents and processes the data in order to detect various malwares, attacks, or back doors to the enterprise network. Controller utilizes machine learning, data mining, and traffic analysis to accomplish various detection approaches. We have presented the IENSS architecture and five detection techniques those are implemented over it. New solutions can be incorporated in our architecture.
Keywords: IENSS; distributed architecture; agent design; controller design; botnet detection techniques.
A dynamic evolution model of balanced energy consumption scale-free fault-tolerant topology based on fitness function for wireless sensor networks
by Chao Wang
Abstract: The network life can be prolonged to some extent by the scale-free topology which has strong fault-tolerance for the random failure of nodes. However, the unevenness of the scale-free topological structure can result in the imbalance of consumption of network. In order to resolve the problem, a dynamic evolution model of consumption of balanced energy with scale-free fault-tolerant topology based on fitness function for wireless sensor networks is proposed. First, the effect of nodal energy and the distance between the nodes on the network life is analyzed as per the energy consumption model. Thereafter, the ratio between the residual energy of the node and the distance between nodes is used as the fitness function along with the dynamic behavior of link and variations in network topology Thus, a fault-tolerant topology model with scale-free properties is obtained. The simulation results indicate that the proposed model can not only balance the energy consumption of the nodes and the network by prolonging the life of network, but can enhance the fault tolerance and the invasion ability of the network by comparing with Barab
Keywords: wireless sensor networks; balanced energy consumption; scale-free topology; fault-tolerance; fitness function; dynamic evolution.
An improved multi-objective genetic algorithm and data fusion in structural damage identification
by Along Yu, Jiajia Ji, Shiyu Sun
Abstract: With the aging of civil engineering structures, it is urgent to detect the damage status of structures for timely maintenance. Genetic algorithm has been gradually applied to structural damage identification owing to its powerful global search capability and better adaptability. In this paper, we present a novel multi-objective genetic algorithm based on fuzzy optimization theory to identify damage for large-scale structures. Furthermore, fuzzy logic data fusion is implemented to process a large amount of data collected by displacement sensors, acceleration sensors and stress sensors in order to improve the accuracy of identification results. The experimental results show that the improved multi-objective genetic algorithm has faster convergence speed and higher computational efficiency than traditional genetic algorithm. Besides, the data fusion method can process the displacement parameter and the frequency mode parameter synchronously, which shows more reliable recognition results than single-class parameter identification.
Keywords: large-scale structures; genetic algorithm; damage identification; fuzzy optimization; data fusion.
A secure communication model using lightweight Diffie-Hellman method in vehicular ad hoc networks
by Tayeb Diab, Marc Gilg, Pascal LORENZ
Abstract: Nowadays, vehicular ad hoc networks (VANETs) have become more interesting research area. High number of safety, traffic management and even comfort applications have been developed to secure driving and make travellers satisfied. This evolution opens up a vast area of research in several fields. Specifically in the security domain, huge researches are proposed to give new approaches and mechanisms of security. VANETs as wireless and mobile networks require the implementation of secure and lightweight algorithms dealing with its critical characteristics to face different attacks. In this paper, we propose a novel approach of security to face some known attacks. We design a model of communication that combines digital signature, message authentication mechanisms, to securely generate the secret key, and thereby, achieve integrity, confidentiality, session key security and non-repudiation. In the end, we prove the security of our model by analysing different cases of attacks.
Keywords: VANETs; security; communication model; authenticity; Diffie-Hellman; session key; signature; encryption; network databases.
Dynamic Key Password Authentication
by Mikhail Styugin
Abstract: Passwords still remain the most popular method of user authentication. Passwords appear to be the easiest way of registration and logging into remote services such as web sites. However, passwords also appear to be the most insecure authentication method. One of the most popular attack techniques aimed at compromising passwords is to leak their hashes directly from their storage location to be cracked off-line. rnThe paper presents an authentication method with passwords, which complicates carrying out the attacks that succeed in extracting information sufficient for password cracking. The authentication method is called Dynamic Key Password Authentication (DKAuth).The method is based on a password ''blurring'' using a number of network hosts. The ''blurring'' is performed by encryption of password hash with a key that is not stored anywhere. The key is divided into parts and distributed among a number of different hosts. The key is modified for every password and changes due to change of the number of hosts in the system. Storage and authentication of a dynamic key is arranged so that it can never be recovered completely, that is even assuming cracking or rearrangement of each and every host where DKAuth key data is stored, an adversary will not be able to recover hashes and will have to crack them by brute-force attack. Practical implementation of DKAuth as an authentication service for external web sites demonstrated low time and computational requirements for user registration and authentication.
Keywords: Authentication; Hash Functions; Passwords; Password Storage; Secret Sharing.
Efficient Revocable CP-ABE for Big Data Access Control in Cloud Computing
by Praveen Kumar Premkamal, Syam Kumar Pasupuleti, P.J.A. Alphonse
Abstract: Due to huge volume of big data, cloud is a better choice to store big data. Since the cloud is not trustworthy, privacy and access control is a big concern. Ciphertext Policy Attribute Based Encryption (CP-ABE) is a promising technique to enable both privacy and access control in the cloud. However, directly applying CP-ABE scheme for big data in the cloud is a challenging task because of revocation. Existing CP-ABE with revocation schemes are lacking in efficiency. In this paper, we propose an efficient revocable CP-ABE (R-CP-ABE) scheme for big data access control in cloud using proxy based updates in which the proxy server performs the ciphertext and secret key updates instead of data owner and data user respectively during revocation. This outsourced updates during revocation reduces the communication and computation overhead of data owner and data users. In security analysis, we prove that our R-CP-ABE scheme is secure against chosen plain-text and user collusion attacks. In addition, we also show that our scheme achieves forward and backward secrecy. The performance analysis demonstrates that our method is efficient when comparing with existing schemes.
Keywords: Cloud computing; Privacy; Access control; CP-ABE; Big data; User revocation; Attribute revocation.
Mobile Botnets Detection based on Machine Learning over System Calls
by Victor G. Turrisi Costa, Sylvio Barbon, Rodrigo Miani, Joel J. P. C. Rodrigues, Bruno B. Zarpelão
Abstract: Mobile botnets are a growing threat to the Internet security field. These botnets target less secure devices with lower computational power, while sometimes taking advantage of features specific to them, e.g., SMS messages. We propose a host-based approach using machine learning techniques to detect mobile botnets with features derived from system calls. Patterns created tend to be shared among applications with similar actions. Therefore, different botnets are likely to share similar system call patterns. To measure the effectiveness of our approach, a dataset containing multiple botnets and legitimate applications was created.
We performed three experiments, namely detecting the best time-window, performing feature selection and hyperparameter tuning. A high performance (over 84%) was achieved in multiple metrics across multiple machine learning algorithms. An in-depth analysis of the features is also presented to help future work with a solid discussion about system call-based features.
Keywords: Machine Learning; Mobile Botnet Detection; Feature Selection; Host-based Approach; Android Devices.
Efficient and Secure Data Sharing with Outsourced Decryption and Efficient Revocation for Cloud Storage Systems
by Imad El Ghoubach, Rachid Ben Abbou, Fatiha Mrabti
Abstract: Data access control is one of the major issues in cloud storage systems, especially when having multiple co-existing authorities requiring a multi-authority access control scheme. Existing multi-authority systems were able to achieve the required level of security and fine-grained access control, but since the cloud services can be accessed using devices with various computation capabilities, it is highly required to have a scheme with efficient encryption and decryption operations. In this paper, we propose a scheme able to achieve the desired level of security and fine-grained access control while having an efficient revocation operation. Moreover, we were able to increase the efficiency of the decryption operation by outsourcing most of the computation to a proxy-server without compromising the confidentiality of the data. In addition, we propose the usage of parallel processing in order to increase the efficiency of the various operations to efficiently use the computational power in low-end devices and the proxy-server. The analysis and simulation results show that ESS-ODER is efficient and provably secure.
Keywords: Access Control ; Encryption; CP-ABE ; Decryption Outsourcing ; Fine-grained Access Control; Attribute Revocation ; Multi-authority Cloud ; Forward Security; Backward Security;Parallel Computing;.
Techniques to Detect Data Leakage in Mobile Applications
by Thiago Rocha, Eduardo Souto, Khalil El-Khatib
Abstract: The popularity of mobile devices has skyrocketed over the past few years and has consequently given rise to various attacks in mobile platforms. The most serious among these threats is data leakage as most devices store sensitive information about their users, including location, bank information, to list a few. There has been a large number of data leakage detection proposals for mobile platforms, and a number of researches have looked at specific aspects of the mobile environment and used several techniques to provide protection. This survey provides an analysis of the data leakage problem, explains what it is, what kind of data it can expose, and the main techniques that have been used to circumvent this problem. It also looks at these various individual efforts and group them into categories. We also discuss the strengths and shortcomings of these efforts. Finally, some future works and opportunities of research are presented.
Keywords: Data Leakage; Mobile Applications; Security; Mobile Devices; Android; Taint Tracking; Machine Learning.
Why What & How to Measure and Improve the Security of Networks
(A snapshot of the current situation of security metrics and the way forward)
by Naveen Bindra, Manu Sood
Abstract: Networks are vulnerable to many threats. Every now and then incidents happen in the networks causing damage to the businesses. Terrorists and cyber-criminals exploit the existing vulnerabilities of the networks to their advantage. In traditional networks, i.e. the networks before the advent of Software Defined Networks (SDNs), implementation of security policies was very cumbersome. One augments/overhauls the security of the network if he has assessed the present situation. The answers to queries like how susceptible the networks are, what security solutions are required and the degree of a security deterrent for the network may lie embedded in security metrics. Nevertheless, the security of current systems needs to be revisited for taking timely actions according to the demand of the situation. SDNs architecture with centralized control and availability of Active Programming Interfaces (APIs) help to devise novel security metrics. The factors like challenges of finding sources, defining parameters and focal areas to develop novel metrics have motivated the authors to analyze the existing work and suggest a new framework to design simple, quantifiable, practical and customized security metrics for Networks of organizations. Our work is unique and different from other studies in the sense that not only it critically analyzed the existing work but also suggest the much-needed approaches to build security metrics. This study presented here deals with all existing uncertainties in the development of metrics and put forth the review of the need and utility of security metrics for improving the situation of networks.
Keywords: Security metrics; vulnerabilities; network threats; DDoS detection; DDoS mitigation; SDN security.
Optimizing the DTLS handshake design for Trusted Execution Environment enabled sensor nodes
by Anil Yadav, Nitin Rakesh, Sujata Pandey, Rajat Kumar Singh
Abstract: Time consumed in the handshake process between dtls client and server is optimized by introducing the pre-shared key based handshake process between the remotely located entities. It reduces the number of message exchange between client and resource server without compromising the communication security. However, the pre-shared key based approach is still vulnerable to software attacks. This paper focuses on highlighting the vulnerabilities of dtls handshake process and then optimizing the handshake process of the dtls protocol to prevent the software based attacks in the smart sensor client and sensors (resource servers). We discussed the scenarios where the handshake process is prone to software attacks and proposed the trusted execution environment based design of the dtls handshake to enhance the communication security by eliminating the risk of intermediate keying materials being exposed to a non-secure environment. Our design also considers the resource constrained nature of the sensor nodes and thus split the handshake process such that the memory footprint of the implementation does not overload the TEE. We implemented a dtls client and a dtls server on a TEE enabled hardware and compared the performance thereof. Our preliminary experimental results show significant gain for memory footprint, but with a minor penalty in handshake time consumption.
Keywords: Handshake; pre-shared key; Trust zone; TEE; REE; DTLS; smart sensors.
Hidden Markov models for advanced persistent threats
by Guillaume Brogi, Elena Di Bernardino
Abstract: Advanced Persistent Threats (APT) are a serious security risk and tools suited to their detection are needed. These attack campaigns do leave traces in the system, and it is possible to reconstruct part of the attack campaign from these traces. In this article, we describe a hidden Markov model for the evolution of an APT. The aim of this model is to validate whether the evolution of the partially reconstructed attack campaigns are indeed consistent with the evolution of an APT. Since APTs are hard to detect, we also introduce a score to take into account potentially undetected attacks. In addition, the score also allows comparing the fit of APTs of different lengths. We validate and illustrate both the model and the score using data obtained from experts.
Keywords: intrusion detection; advanced persistent threats; attack campaign; machine learning; hidden Markov models; score; missing observations; undetected attacks; expert knowledge.
Non-malleable encryption with proofs of plaintext knowledge and applications to voting
by Ben Smyth, Yoshikazu Hanatani
Abstract: Non-malleable asymmetric encryption schemes which prove plaintext knowledge are sufficient for secrecy in some domains. For example, ballot secrecy in voting. In these domains, some applications derive encryption schemes by coupling malleable ciphertexts with proofs of plaintext knowledge, without evidence that the sufficient condition (for secrecy) is satisfied nor an independent security proof (of secrecy). Consequently, it is unknown whether these applications satisfy desirable secrecy properties. In this article, we propose a generic construction for such a coupling and show that our construction produces non-malleable encryption schemes which prove plaintext knowledge. Furthermore, we show how our results can be used to prove ballot secrecy of voting systems. Accordingly, we facilitate the development of applications satisfying their security objectives.
Keywords: Asymmetric encryption; ballot secrecy; homomorphic encryption; indistinguishability; non-malleability; privacy; secrecy; voting.
OAP-WMN: Optimized and Secure Authentication Protocol for Wireless Mesh Networks
by Nicopolitidis Petros
Abstract: WMN (Wireless Mesh Networks) proposes many attractive features to mobile networking area such: self-reconfiguration and self-organization which make it more flexibile, easy deployed and not expensive. But, these features make it constantly overwhelmed with different types of security threats. In this article, we propose an optimized and secure authentication and re-authentication schemes based on the EAP (Extensible Authentication Protocol) mechanism. The proposed solution ensures security of WMN handoff and with a better QoS. It achieves this by reducing the number of exchanging messages and computations in the proposed authentication and re-authentication processes. Besides, we choose to secure the link layer that makes the authentication process more efficient and optimized. For performance evaluation, we use the OPENSSL tool to compare our work with some related work and the result is good. Moreover, the security of our authentication scheme has been affirmed with the AVISPA tool.
Keywords: Wireless Mesh Network; IEEE 802.11s; EAP; authentication; handoff; QoS; AVISPA.