Proposed Security Solution Research Articles

A Network Defense System for Detecting and Preventing Hacking

Many computing systems have recently suffered significantly from hacking and preventing hacking is important in protecting business, sensitive information and every day network communications. Many efforts have been made to provide security assurance by proposing security solutions. However, the gap between hacking incidents and current security solutions is significant. Fortunately, hacking attempts can be addressed if the pre-hacking step, called scanning, is properly investigated and good counter measures are in place. The importance of scanning appears is in providing sophisticated hackers with the necessary information about nominated victims systems which eventually forms their hacking strategies. Therefore, this article proposes a security solution that aims to make scanning difficult by addressing its properties, which makes developing hacking strategies against protected computer networks unpractical. The proposed security solution protects computer networks by dynamically generating a unique protocol to replace the expected standard protocols and changing network paths periodically in order to confuse scanning attempts, as well as to prevent unauthorized scanning and hacking traffic. Key Words: hacking,sensitive information, unauthorized scanning, hacking traffic, network communications

Security architecture for authorized anonymous communication in 5G MEC

The use of services provided in modern mobile networks using edge servers (5G MEC) requires extended security solutions. One of them is an access control system adapted to the different needs and requirements of end users and service providers. Another, equally important, is the protection against the takeover of the service during its lifetime, which leads to the inevitable leakage of information and economic losses. In this paper, we present a new access control architecture for the 5G MEC network, which meets both security requirements in a flexible and lightweight way. First, we specify the architecture scheme and its central element, MEC Enabler, which manages access control security policies and generates access credentials (tokens). Next, we describe the method of securing data packets in the communication process related to the service provided by the MEC server, preventing the session from being intercepted by an unauthorized user. The countermeasure is designed to protect data identifying packets (node addresses, port numbers) and prevent identification of packets’ connection with the protected service. Experiments on the operation of the service with the implemented protection mechanism made in a testbed show that the proposed security solution has a negligible effect on the MEC-hosted application delays.

Securing Network-on-chips Against Fault-injection and Crypto-analysis Attacks via Stochastic Anonymous Routing

Network-on-chip (NoC) is widely used as an efficient communication architecture in multi-core and many-core System-on-chips (SoCs). However, the shared communication resources in an NoC platform, e.g., channels, buffers, and routers, might be used to conduct attacks compromising the security of NoC-based SoCs. Most of the proposed encryption-based protection methods in the literature require leaving some parts of the packet unencrypted to allow the routers to process/forward packets accordingly. This reveals the source/destination information of the packet to malicious routers, which can be exploited in various attacks. For the first time, we propose the idea of secure, anonymous routing with minimal hardware overhead to encrypt the entire packet while exchanging secure information over the network. We have designed and implemented a new NoC architecture that works with encrypted addresses. The proposed method can manage malicious and benign failures at NoC channels and buffers by bypassing failed components with a situation-driven stochastic path diversification approach. Hardware evaluations show that the proposed security solution combats the security threats at the affordable cost of 1.5% area and 20% power overheads chip-wide.

Cyber Attack Detection for Self-Driving Vehicle Networks Using Deep Autoencoder Algorithms.

Connected and autonomous vehicles (CAVs) present exciting opportunities for the improvement of both the mobility of people and the efficiency of transportation systems. The small computers in autonomous vehicles (CAVs) are referred to as electronic control units (ECUs) and are often perceived as being a component of a broader cyber-physical system. Subsystems of ECUs are often networked together via a variety of in-vehicle networks (IVNs) so that data may be exchanged, and the vehicle can operate more efficiently. The purpose of this work is to explore the use of machine learning and deep learning methods in defence against cyber threats to autonomous cars. Our primary emphasis is on identifying erroneous information implanted in the data buses of various automobiles. In order to categorise this type of erroneous data, the gradient boosting method is used, providing a productive illustration of machine learning. To examine the performance of the proposed model, two real datasets, namely the Car-Hacking and UNSE-NB15 datasets, were used. Real automated vehicle network datasets were used in the verification process of the proposed security solution. These datasets included spoofing, flooding and replay attacks, as well as benign packets. The categorical data were transformed into numerical form via pre-processing. Machine learning and deep learning algorithms, namely k-nearest neighbour (KNN) and decision trees, long short-term memory (LSTM), and deep autoencoders, were employed to detect CAN attacks. According to the findings of the experiments, using the decision tree and KNN algorithms as machine learning approaches resulted in accuracy levels of 98.80% and 99%, respectively. On the other hand, the use of LSTM and deep autoencoder algorithms as deep learning approaches resulted in accuracy levels of 96% and 99.98%, respectively. The maximum accuracy was achieved when using the decision tree and deep autoencoder algorithms. Statistical analysis methods were used to analyse the results of the classification algorithms, and the determination coefficient measurement for the deep autoencoder was found to reach a value of R2 = 95%. The performance of all of the models that were built in this way surpassed that of those already in use, with almost perfect levels of accuracy being achieved. The system developed is able to overcome security issues in IVNs.

SECURING CENTRALIZED SDN CONTROL WITH DISTRIBUTED BLOCKCHAIN TECHNOLOGY

Software Defined Networks (SDN) advocates segregation of network control logic, forwarding functions and management applications into different planes to achieve network programmability, automated and dynamic flow control in next generation networks. It promotes deployment of novel and augmented network management functions to have flexible, robust, scalable and cost-effective network deployments. All these features introduce new research challenges and require secure communication protocols among the segregated network planes. This manuscript focuses on the security issue of southbound interface which operates between the SDN control and data plane. We have highlighted the security threats associated with an unprotected southbound interface and the issues related with the existing TLS based security solution. A lightweight blockchain based decentralized security solution is proposed for southbound interface to secure the resources of logically centralized SDN controllers and distributed forwarding devices from opponents. The proposed mechanism can operate in multi-domain SDN deployment and can be used with wide range of network controllers and data plane devices. In addition to it, the proposed security solution is analyzed in terms of security features, communication and reauthentication overhead.

A Multi-Stage Security Solution for Medical Color Images in Healthcare Applications

This paper presents a robust multi-stage security solution based on fusion, encryption, and watermarking processes to transmit color healthcare images, efficiently. The presented solution depends on the features of discrete cosine transform (DCT), lifting wavelet transform (LWT), and singular value decomposition (SVD). The primary objective of this proposed solution is to ensure robustness for the color medical watermarked images against transmission attacks. During watermark embedding, the host color medical image is transformed into four sub-bands by employing three stages of LWT. The resulting low-frequency sub-band is then transformed by employing three stages of DCT followed by SVD operation. Furthermore, a fusion process is used for combining different watermarks into a single watermark image. This single fused image is then ciphered using Deoxyribose Nucleic Acid (DNA) encryption to strengthen the security. Then, the DNA-ciphered fused watermark is embedded in the host medical image by applying the suggested watermarking technique to obtain the watermarked image. The main contribution of this work is embedding multiple watermarks to prevent identity theft. In the presence of different multimedia attacks, several simulation tests on different color medical images have been performed. The results prove that the proposed security solution achieves a decent imperceptibility quality with high Peak Signal-to-Noise Ratio (PSNR) values and high correlation between the extracted and original watermark images. Moreover, the watermark image extraction process succeeds in achieving high efficiency in the presence of attacks compared with related works.

Smart contract-based security architecture for collaborative services in municipal smart cities

The Internet of Things (IoT) can provide intelligent and effective solutions to various applications with higher accuracy that requires less or no human intervention. Smart Cities are one of the significant applications of the IoT comprising a collection of various services such as intelligent transportation, waste management, smart homes, etc. These heterogeneous services offer a wide range of collaborative applications in smart cities. A smart municipality in a smart city is a concept in which a digital municipal corporation is developed to provide comprehensive local government collaboration services based on digitization and automation aiming towards raising the living standards of citizens. Interoperability between heterogeneous services for collaborative tasks creates challenges for data security and privacy. Ensuring integrity and confidentiality of information is critical, and reliable data is essential to both the government and its citizens. In this paper, we proposed a service security architecture based on authentication and authorization for constrained environments during collaborative tasks for Software Defined Networking (SDN) and smart contract-enabled municipal smart cities. The proposed collaborative service security framework is being tested on the Multichain Blockchain networks. We present a novel method for using smart contracts in multichain blockchains for data security during collaborative tasks in smart city municipal architecture. The proposed security solution is based on the dynamism of smart contracts to govern and control all interactions and transactions securely between different heterogeneous IoT networks. We implemented a supportive use case for collaborative services in an SDN-enabled IoT architecture to evaluate the feasibility of the proposed service security architecture.

Security Requirements and Challenges of 6G Technologies and Applications.

After implementing 5G technology, academia and industry started researching 6th generation wireless network technology (6G). 6G is expected to be implemented around the year 2030. It will offer a significant experience for everyone by enabling hyper-connectivity between people and everything. In addition, it is expected to extend mobile communication possibilities where earlier generations could not have developed. Several potential technologies are predicted to serve as the foundation of 6G networks. These include upcoming and current technologies such as post-quantum cryptography, artificial intelligence (AI), machine learning (ML), enhanced edge computing, molecular communication, THz, visible light communication (VLC), and distributed ledger (DL) technologies such as blockchain. From a security and privacy perspective, these developments need a reconsideration of prior security traditional methods. New novel authentication, encryption, access control, communication, and malicious activity detection must satisfy the higher significant requirements of future networks. In addition, new security approaches are necessary to ensure trustworthiness and privacy. This paper provides insights into the critical problems and difficulties related to the security, privacy, and trust issues of 6G networks. Moreover, the standard technologies and security challenges per each technology are clarified. This paper introduces the 6G security architecture and improvements over the 5G architecture. We also introduce the security issues and challenges of the 6G physical layer. In addition, the AI/ML layers and the proposed security solution in each layer are studied. The paper summarizes the security evolution in legacy mobile networks and concludes with their security problems and the most essential 6G application services and their security requirements. Finally, this paper provides a complete discussion of 6G networks’ trustworthiness and solutions.

АНАЛИЗ БЕЗОПАСНОСТИ ПОДСИСТЕМ ЛОКАЛЬНОЙ АУТЕНТИФИКАЦИИ ОС СЕМЕЙСТВ WINDOWS И LINUX

The paper is devoted to the security analysis of authority subsystem services for Windows and Linux operating systems. The paper provides security analysis for both local and network-based authentication in Windows. The Mimikatz (France) will be presented to demonstrate attacks on the authentication subsystem. Mimikatz is a software tool that can extract users’ credentials and password information from the memory of the LSASS process. To prevent such attacks on process memory Windows OS includes several security mechanisms: Security Reference Monitor, Protected Process Light, and Virtualization-Based Security. However, attackers can bypass these mechanisms to get illegal access to the process memory and steal users’ credentials. A similar analysis of the local authority subsystem for Linux OSes shows that gnome-keyring-daemon stores the users’ passwords in plain text. As a result, attackers can easily extract this sensitive information using memory forensics techniques via user-mode applications. Several modern Linux Distributions based on Red Hat Enterprise Linux (RHEL) still have this security issue: CentOS, Ubuntu, GNU/ Linux Rolling. Experts have developed software tools to locate and remove passwords from the memory to tackle this security challenge: MimiPenguin (USA) and Mimipy (USA). Comparison analysis of these tools reveals their drawbacks: these security tools cannot locate passwords with Unicode characters, and these tools have low speed. The proposed security solution called MimiDove is designed to solve both these issues. MimiDove expands features of MimiPenguin and Mimipy by locating and deleting passwords with ASCII and Unicode characters. MimiDove is faster than MimiPenguin and Mimipy.

Survey on Smart Security Surveillance System

Abstract: As an integral part of the safety and security many organizations, video rental has established its value and benefits many times by providing immediate management of property, people, the environment and property. This project operates in the form of the Embedded Real-Time Surveillance System Based Raspberry Pi SBC for internal detection that enhances monitoring technology to provide critical safety in our lives as well as consistent performance and alert operation. The proposed security solution depends on our integration of cameras and motion detectors into a web application. Raspberry Pi operates and controls motion detectors and video cameras for remote hearing and monitoring, streams streaming video and recording for future playback. This research focuses on the development of a detection system that detects strangers and responds quickly by taking and transferring images to wireless modules based on owners. This Raspberry Pi program based on Smart Surveillance System provides a remote location monitoring concept. The proposed solution provides a fully functional, efficient and easy-to-use global solution. This project will also introduce the concept of motion detection and tracking using image processing. This type of technology is very important when it comes to surveillance and security. The live video stream will be used to show how things can be found and tracked. The detection and tracking process will be based on the pixel threshold. Keyword: Internet Of Things (IOT), Raspberry pi, Picamera, PIR Sensor, Dropbox.

Interoperable Blockchains for Highly-Integrated Supply Chains in Collaborative Manufacturing

Blockchain technology plays a pivotal role in the undergoing fourth industrial revolution or Industry 4.0. It is considered a tremendous boost to company digitalization; thus, considerable investments in blockchain are being made. However, there is no single blockchain technology, but various solutions exist, and they cannot interoperate with one each other. The ecosystem envisioned by the Industry 4.0 does not have centralized management or leading organization, so a single blockchain solution cannot be imposed. The various organizations hold their own blockchains, which must interoperate seamlessly. Despite some solutions for blockchain interoperability being proposed, the problem is still open. This paper aims to devise a secure solution for blockchain interoperability. The proposed approach consists of a relay scheme based on Trusted Execution Environment to provide higher security guarantees than the current literature. In particular, the proposed solution adopts an off-chain secure computation element invoked by a smart contract on a blockchain to securely communicate with its peered counterpart. A prototype has been implemented and used for the performance assessment, e.g., to measure the latency increase due to cross-blockchain interactions. The achieved and reported experimental results show that the proposed security solution introduces an additional latency that is entirely tolerable for transactions. At the same time, the usage of the Trusted Execution Environment imposes a negligible overhead.

A Lightweight Architecture for Hardware-Based Security in the Emerging Era of Systems of Systems

In recent years, a new generation of the Internet of Things (IoT 2.0) is emerging, based on artificial intelligence, the blockchain technology, machine learning, and the constant consolidation of pre-existing systems and subsystems into larger systems. In this work, we construct and examine a proof-of-concept prototype of such a system of systems, which consists of heterogeneous commercial off-the-shelf components, and utilises diverse communication protocols. We recognise the inherent need for lightweight security in this context, and address it by employing a low-cost state-of-the-art security solution. Our solution is based on a novel hardware and software co-engineering paradigm, utilising well-known software-based cryptographic algorithms, in order to maximise the security potential of the hardware security primitive (a Physical Unclonable Function) that is used as a security anchor. The performance of the proposed security solution is evaluated, proving its suitability even for real-time applications. Additionally, the Dolev-Yao attacker model is considered in order to assess the resilience of our solution towards attacks against the confidentiality, integrity, and availability of the examined system of systems. In this way, it is confirmed that the proposed solution is able to address the emerging security challenges of the oncoming era of systems of systems.

Anonymization Framework for IoT Resource Discovery based on Edge Centric Privacy Model

As the efficacy of Internet of Things is expeditiously growing, maintaining privacy with respect users and applications has become a significant aspect. Since the data is getting generated at tremendous rate that includes Sensitive data (any data considered as private by the Data-owner) which has to be hidden, especially the data collected from the Crowd-Source. Due to resource-constrained sensing devices, IoT infrastructures use Edge devices for real-time data processing. Protecting sensitive data from malicious activity becomes a key factor, as all the communication flows through insecure channels. To develop security infrastructures for IoT and distributed Edge networks, this article proposes a user-centric security solution. The proposed security solution shifts from a network-centric approach to a user-centric security approach by authenticating users and devices before communication is established. The method presented herein is applied to an amusement park scenario, which is modeled as a typical smart IoT network. Here, data from sensors and social networks can boost smart lighting to provide citizens with an elegant and safe environment. However, it is challenging and infeasible to transfer and process zillions bytes of data using the current cloud-device architecture due to bandwidth constraints of networks, potentially uncontrollable latency of cloud services, and privacy concerns while collecting data from IoT devices. Firstly, a standalone IoT-edge system is developed, and later, an integrated IoT-based edge-cloud system is designed to compare the systems’ effectiveness. The implementation results show a close correlation between the standalone edge and dual mode edge system. However, the edge-cloud system provides more flexibility and capability to counter the sensitive data streaming and analytics services within the constrained IoT framework. In this paper we have developed a system that uses fog computing approach to perform various tasks and filters the sensitive data, thus helps in preserving privacy.

A User-centric Security Solution for Internet of Things and Edge Convergence

The Internet of Things (IoT) is becoming a backbone of sensing infrastructure to several mission-critical applications such as smart health, disaster management, and smart cities. Due to resource-constrained sensing devices, IoT infrastructures use Edge datacenters (EDCs) for real-time data processing. EDCs can be either static or mobile in nature, and this article considers both of these scenarios. Generally, EDCs communicate with IoT devices in emergency scenarios to evaluate data in real-time. Protecting data communications from malicious activity becomes a key factor, as all the communication flows through insecure channels. In such infrastructures, it is a challenging task for EDCs to ensure the trustworthiness of the data for emergency evaluations. The current communication security pattern of “communication before authentication” leaves a “black hole” for intruders to become part of communication processes without authentication. To overcome this issue and to develop security infrastructures for IoT and distributed Edge datacenters, this article proposes a user-centric security solution. The proposed security solution shifts from a network-centric approach to a user-centric security approach by authenticating users and devices before communication is established. A trusted controller is initialized to authenticate and establishes the secure channel between the devices before they start communication between themselves. The centralized controller draws a perimeter for secure communications within the boundary. Theoretical analysis and experimental evaluation of the proposed security model show that it not only secures the communication infrastructure but also improves the overall network performance.

Counteracting Attacks From Malicious End Hosts in Software Defined Networks

This paper proposes security techniques for counteracting attacks from malicious end hosts in a software defined networking (SDN) environment. This paper describes the design of a security architecture, which comprises a security management application running in the SDN controller for specifying and evaluating security policies, and security components in the switches for enforcing these security policies on network flows. Our proposed security solution helps to detect the attacking end hosts even before the flow requests from the malicious end hosts are forwarded to the SDN controller. Furthermore, if the end hosts become malicious after the interactions with the SDN controller and generate attacks in the data plane, then our architecture has mechanisms to address these attacks that occur after the establishment of routes by the SDN controller. The domain wide network visibility of the SDN controller enables our security architecture to achieve dynamic management of the security policies. The enforcement of security policies in the data plane is tailored to the functionality available in the network switches, making the proposed security solution practical. We describe the implementation of the proposed security architecture and analyze its security and performance characteristics. We also discuss the advantages of the proposed security architecture over existing solutions.

Blockchain and Random Subspace Learning-Based IDS for SDN-Enabled Industrial IoT Security.

The industrial control systems are facing an increasing number of sophisticated cyber attacks that can have very dangerous consequences on humans and their environments. In order to deal with these issues, novel technologies and approaches should be adopted. In this paper, we focus on the security of commands in industrial IoT against forged commands and misrouting of commands. To this end, we propose a security architecture that integrates the Blockchain and the Software-defined network (SDN) technologies. The proposed security architecture is composed of: (a) an intrusion detection system, namely RSL-KNN, which combines the Random Subspace Learning (RSL) and K-Nearest Neighbor (KNN) to defend against the forged commands, which target the industrial control process, and (b) a Blockchain-based Integrity Checking System (BICS), which can prevent the misrouting attack, which tampers with the OpenFlow rules of the SDN-enabled industrial IoT systems. We test the proposed security solution on an Industrial Control System Cyber attack Dataset and on an experimental platform combining software-defined networking and blockchain technologies. The evaluation results demonstrate the effectiveness and efficiency of the proposed security solution.

A Lightweight and Secure Data Collection Serverless Protocol Demonstrated in an Active RFIDs Scenario

In the growing Internet of Things context, thousands of computing devices with various functionalities are producing data (from environmental sensors or other sources). However, they are also collecting, storing, processing and transmitting data to eventually communicate them securely to third parties (e.g., owners of devices or cloud data storage). The deployed devices are often battery-powered mobile or static nodes equipped with sensors and/or actuators, and they communicate using wireless technologies. Examples include unmanned aerial vehicles, wireless sensor nodes, smart beacons, and wearable health objects. Such resource-constrained devices include Active Radio Frequency IDentification (RFID) nodes, and these are used to illustrate our proposal. In most scenarios, these nodes are unattended in an adverse environment, so data confidentiality must be ensured from the sensing phase through to delivery to authorized entities: in other words, data must be securely stored and transmitted to prevent attack by active adversaries even if the nodes are captured. However, due to the scarce resources available to nodes in terms of energy, storage, and/or computation, the proposed security solution has to be lightweight. In this article, we propose a serverless protocol to enable Mobile Data Collectors (MDCs), such as drones, to securely collect data from mobile and static Active RFID nodes and then deliver them later to an authorized third party. The whole solution ensures data confidentiality at each step (from the sensing phase, before data collection by the MDC, once data have been collected by MDC, and during final delivery), while fulfilling the lightweight requirements for the resource-limited entities involved. To assess the suitability of the protocol against the performance requirements, it was implemented on the most resource-constrained devices to get the worst possible results. In addition, to prove the protocol fulfills the security requirements, it was analyzed using security games and also formally verified using the AVISPA and ProVerif tools.

CAN ID Shuffling Technique (CIST): Moving Target Defense Strategy for Protecting In-Vehicle CAN

New vehicles have become increasingly targeted for cyber-attacks as their rate of digitalization is accelerated. Research on vehicle hacking has highlighted the security vulnerabilities of in-vehicle controller area networks (CANs) as the biggest problem. In particular, a CAN does not offer access control, authentication, or confidentiality, so it fails to prevent reconnaissance operations conducted by an adversary. Because its static configuration (CAN ID, data frame transmission cycle, and data field format) is used in an in-vehicle network environment, the adversary can conduct reconnaissance and easily acquire information to be used for an attack. One of the moving target defense strategies, network address shuffling (NAS), is an extremely practical security solution that can prevent in-vehicle CAN reconnaissance acts. In this paper, we propose a CAN ID shuffling technique using NAS. Our proposed security solution aims to increase the cost burden for the adversary to analyze CAN data frames. To evaluate the performance of the proposed security solution, we conducted an evaluation based on a labcar. Our proposed security solution may be implemented without altering the unique characteristics of the CAN standard. Hence, it can be used as a practical countermeasure to solve the problems affecting in-vehicle CANs.

Armor PLC: A Platform for Cyber Security Threats Assessments for PLCs

Programmable Logic Controllers (PLCs) are essential parts in industrial manufacturing plants. With the emerging Industry 4.0 environment, legacy PLCs are now connected to the Internet to be better automated. However, these PLCs are especially vulnerable when connected to a network, since there is limited inherent security mechanisms built in. In this paper, we discuss various vulnerabilities in these PLCs. We describe threat models, detection and protection techniques. We consider vulnerabilities as compromised PLC logic, which is introduced by over-the-network malicious data injection. We leverage Host-Based Intrusion Detection System (HIDS) techniques, such as output value comparison using majority voting, timing comparison and using known I/O values for detecting such attacks for our Network-Based Intrusion Detection System for PLCs. We mimic functionalities of PLCs, through virtualization of PLCs’ ladder logic on OpenPLC [7]. We use a record & replay technique for attack mitigation and system restoration. The record & replay system captures pin values of a Pulse Width Modulated (PWM) signal with sensitivity of 50 microseconds. We implement the attacks and our proposed security solution on the control flow logic of a sample industrial gas pipeline PLC network. We achieve a false positive rate of 1% along with a latency of 25 milliseconds in our abnormal detection with setting of 4 virtual PLCs (using OpenPLC [7]), and generated receiver operating characteristic results on different attack rates and ST file logic settings.

Fault Tolerant Key Generation and Secure Spread Spectrum Communication

A fundamental characteristic of wireless communications is in its broadcast nature, which allows accessibility of information without placing restrictions on a user’s location. However, accessibility also makes wireless communications vulnerable to eavesdropping. In this context, this paper presents a two-part secure information transmission system. The first part makes use of reciprocity in wireless channels to allow for two asynchronous transceivers to obtain a pair of similar keys. Moreover, a unique augmentation, called strongest path cancellation (SPC), is applied to the keys. In the second part, the concept of artificial noise is introduced to the spread spectrum systems. Keys generated in the first part are used in the spread spectrum system and artificial noise is added to enhance the security of the communications. Two attacks on the proposed security solution are evaluated. First, an adversary following the same steps as the legitimate users is considered. Here, simulation and experimentation results show that SPC provides a boost to security against this type of adversary. The second attack studies an adversary with significant blind detection capabilities. Our observations on this attack indicate that when an ample amount of artificial noise can be used, two legitimate parties can communicate multiple information symbols per key.