Subjects -> LAW (Total: 1397 journals)
    - CIVIL LAW (30 journals)
    - CONSTITUTIONAL LAW (52 journals)
    - CORPORATE LAW (65 journals)
    - CRIMINAL LAW (28 journals)
    - CRIMINOLOGY AND LAW ENFORCEMENT (161 journals)
    - FAMILY AND MATRIMONIAL LAW (23 journals)
    - INTERNATIONAL LAW (161 journals)
    - JUDICIAL SYSTEMS (23 journals)
    - LAW (843 journals)
    - LAW: GENERAL (11 journals)

CRIMINOLOGY AND LAW ENFORCEMENT (161 journals)                     

Showing 1 - 160 of 160 Journals sorted alphabetically
Acta Criminologica : Southern African Journal of Criminology     Full-text available via subscription  
Advances in Cement Research     Hybrid Journal   (Followers: 7)
African Safety Promotion     Full-text available via subscription   (Followers: 4)
African Security Review     Partially Free   (Followers: 7)
Aggression and Violent Behavior     Hybrid Journal   (Followers: 362)
Aggressive Behavior     Hybrid Journal   (Followers: 16)
Annual Review of Criminology     Full-text available via subscription   (Followers: 9)
Asian Journal of Criminology     Hybrid Journal   (Followers: 9)
Australian and New Zealand Journal of Criminology     Hybrid Journal   (Followers: 406)
Australian Journal of Forensic Sciences     Hybrid Journal   (Followers: 351)
Biometric Technology Today     Full-text available via subscription   (Followers: 4)
Boletín Criminológico     Open Access  
Brill Research Perspectives in Transnational Crime     Full-text available via subscription   (Followers: 1)
British Journal of Criminology     Hybrid Journal   (Followers: 399)
Campbell Systematic Reviews     Open Access   (Followers: 5)
Canadian Graduate Journal of Sociology and Criminology     Open Access   (Followers: 6)
Canadian Journal of Criminology and Criminal Justice / La Revue canadienne de criminologie et de justice pénale     Full-text available via subscription   (Followers: 15)
Canadian Society of Forensic Science Journal     Hybrid Journal   (Followers: 258)
Champ pénal/Penal field     Open Access  
Computer Fraud & Security     Full-text available via subscription   (Followers: 286)
Computer Law & Security Review     Hybrid Journal   (Followers: 22)
Contemporary Challenges : The Global Crime, Justice and Security Journal     Open Access   (Followers: 3)
Contemporary Justice Review: Issues in Criminal, Social, and Restorative Justice     Hybrid Journal   (Followers: 39)
Corrections : Policy, Practice and Research     Hybrid Journal   (Followers: 1)
Crime & Delinquency     Hybrid Journal   (Followers: 83)
Crime and Justice     Full-text available via subscription   (Followers: 27)
Crime Prevention and Community Safety     Hybrid Journal   (Followers: 110)
Crime Psychology Review     Hybrid Journal   (Followers: 2)
Crime Science     Open Access   (Followers: 56)
Crime, Histoire & Sociétés     Open Access   (Followers: 10)
Crime, Security and Society     Open Access   (Followers: 2)
Criminal Justice and Behavior     Hybrid Journal   (Followers: 61)
Criminal Justice Ethics     Hybrid Journal   (Followers: 10)
Criminal Justice Matters     Hybrid Journal   (Followers: 9)
Criminal Justice Policy Review     Hybrid Journal   (Followers: 31)
Criminal Justice Review     Hybrid Journal   (Followers: 15)
Criminal Justice Studies: A Critical Journal of Crime, Law and Society     Hybrid Journal   (Followers: 24)
Criminal Law and Philosophy     Hybrid Journal   (Followers: 13)
Criminal Law Forum     Hybrid Journal   (Followers: 8)
Criminocorpus, revue hypermédia     Open Access  
Criminological Studies     Open Access  
Criminologie     Open Access   (Followers: 3)
Criminology and Criminal Justice     Hybrid Journal   (Followers: 51)
Crítica Penal y Poder     Open Access  
Critical Criminology     Hybrid Journal   (Followers: 24)
Critical Studies on Terrorism     Hybrid Journal   (Followers: 55)
Cryptologia     Hybrid Journal   (Followers: 3)
Current Issues in Criminal Justice     Hybrid Journal   (Followers: 13)
Datenschutz und Datensicherheit - DuD     Hybrid Journal  
Delito y Sociedad : Revista de Ciencias Sociales     Open Access  
Derecho Penal y Criminología     Open Access   (Followers: 2)
Detection     Open Access   (Followers: 3)
Dynamics of Asymmetric Conflict: Pathways toward terrorism and genocide     Hybrid Journal   (Followers: 11)
EDPACS: The EDP Audit, Control, and Security Newsletter     Hybrid Journal  
Estudios Penales y Criminológicos     Open Access  
EURASIP Journal on Information Security     Open Access   (Followers: 7)
European Journal of Crime, Criminal Law and Criminal Justice     Hybrid Journal   (Followers: 271)
European Journal of Criminology     Hybrid Journal   (Followers: 32)
European Journal of Probation     Hybrid Journal  
European Journal on Criminal Policy and Research     Hybrid Journal   (Followers: 9)
European Polygraph     Open Access  
European Review of Organised Crime     Open Access   (Followers: 46)
Feminist Criminology     Hybrid Journal   (Followers: 17)
Forensic Science International     Hybrid Journal   (Followers: 361)
Forensic Science International : Reports     Open Access   (Followers: 5)
Forensic Science International: Genetics     Hybrid Journal   (Followers: 15)
Forensic Science, Medicine, and Pathology     Hybrid Journal   (Followers: 27)
Forensic Toxicology     Hybrid Journal   (Followers: 18)
Global Crime     Hybrid Journal   (Followers: 283)
Health & Justice     Open Access   (Followers: 5)
Homicide Studies     Hybrid Journal   (Followers: 8)
IEEE Security & Privacy Magazine     Full-text available via subscription   (Followers: 30)
IEEE Transactions on Dependable and Secure Computing     Hybrid Journal   (Followers: 16)
IEEE Transactions on Information Forensics and Security     Hybrid Journal   (Followers: 25)
Incarceration     Full-text available via subscription  
Information Security Journal : A Global Perspective     Hybrid Journal   (Followers: 10)
International Annals of Criminology     Hybrid Journal  
International Criminal Justice Review     Hybrid Journal   (Followers: 14)
International Criminal Law Review     Hybrid Journal   (Followers: 18)
International Criminology     Hybrid Journal   (Followers: 4)
International Journal for Crime, Justice and Social Democracy     Open Access   (Followers: 7)
International Journal of Applied Cryptography     Hybrid Journal   (Followers: 9)
International Journal of Comparative and Applied Criminal Justice     Hybrid Journal   (Followers: 4)
International Journal of Conflict and Violence     Open Access   (Followers: 25)
International Journal of Criminology and Sociology     Open Access   (Followers: 1)
International Journal of Discrimination and the Law     Hybrid Journal   (Followers: 7)
International Journal of Electronic Security and Digital Forensics     Hybrid Journal   (Followers: 11)
International Journal of Information and Coding Theory     Hybrid Journal   (Followers: 7)
International Journal of Police Science and Management     Full-text available via subscription   (Followers: 313)
International Journal of Prisoner Health     Hybrid Journal   (Followers: 16)
International Journal of Punishment and Sentencing, The     Full-text available via subscription   (Followers: 8)
International Review of Victimology     Hybrid Journal   (Followers: 19)
Journal of Addictions & Offender Counseling     Partially Free   (Followers: 6)
Journal of Adult Protection, The     Hybrid Journal   (Followers: 16)
Journal of Aggression, Conflict and Peace Research     Hybrid Journal   (Followers: 43)
Journal of Computer Security     Hybrid Journal   (Followers: 12)
Journal of Computer Virology and Hacking Techniques     Hybrid Journal   (Followers: 6)
Journal of Contemporary Criminal Justice     Hybrid Journal   (Followers: 24)
Journal of Correctional Education     Full-text available via subscription   (Followers: 2)
Journal of Crime and Justice     Hybrid Journal   (Followers: 14)
Journal of Criminal Justice     Hybrid Journal   (Followers: 58)
Journal of Criminal Justice Education     Hybrid Journal   (Followers: 8)
Journal of Criminal Psychology     Hybrid Journal   (Followers: 126)
Journal of Criminological Research, Policy and Practice     Hybrid Journal   (Followers: 62)
Journal of Criminology     Open Access   (Followers: 12)
Journal of Criminology and Forensic Science     Open Access   (Followers: 7)
Journal of Developmental and Life-Course Criminology     Hybrid Journal  
Journal of Ethnicity in Criminal Justice     Hybrid Journal   (Followers: 3)
Journal of Forensic and Legal Medicine     Hybrid Journal   (Followers: 292)
Journal of Forensic Practice     Hybrid Journal   (Followers: 61)
Journal of Forensic Psychiatry & Psychology     Hybrid Journal   (Followers: 50)
Journal of Forensic Sciences     Hybrid Journal   (Followers: 369)
Journal of Gender-Based Violence     Hybrid Journal   (Followers: 13)
Journal of Genocide Research     Hybrid Journal   (Followers: 13)
Journal of Illicit Economies and Development     Open Access  
Journal of International Criminal Justice     Hybrid Journal   (Followers: 38)
Journal of Investigative Psychology and Offender Profiling     Hybrid Journal   (Followers: 11)
Journal of Learning Disabilities and Offending Behaviour     Hybrid Journal   (Followers: 30)
Journal of Penal Law & Criminology     Open Access   (Followers: 2)
Journal of Perpetrator Research     Open Access   (Followers: 1)
Journal of Policing, Intelligence and Counter Terrorism     Hybrid Journal   (Followers: 417)
Journal of Quantitative Criminology     Hybrid Journal   (Followers: 32)
Journal of Scandinavian Studies in Criminology and Crime Prevention     Hybrid Journal   (Followers: 10)
Journal of Strategic Security     Open Access   (Followers: 11)
Justice Evaluation Journal     Hybrid Journal   (Followers: 1)
Justice Research and Policy     Full-text available via subscription  
Juvenile and Family Court Journal     Hybrid Journal   (Followers: 34)
Kriminologia ikasten : Irakaskuntzarako aldizkaria     Open Access  
Kriminologisches Journal     Full-text available via subscription  
Law, Innovation and Technology     Hybrid Journal   (Followers: 15)
Nordic Journal of Criminology     Hybrid Journal   (Followers: 1)
Occasional Series in Criminal Justice and International Studies     Full-text available via subscription   (Followers: 3)
Police Journal : Theory, Practice and Principles     Hybrid Journal   (Followers: 320)
Police Quarterly     Hybrid Journal   (Followers: 298)
Policing: A Journal of Policy and Practice     Hybrid Journal   (Followers: 296)
Policing: An International Journal of Police Strategies & Management     Hybrid Journal   (Followers: 327)
Policy & Internet     Hybrid Journal   (Followers: 12)
Política Criminal     Open Access  
Psychology of Violence     Full-text available via subscription   (Followers: 15)
Psychology, Crime & Law     Hybrid Journal   (Followers: 27)
Punishment & Society     Hybrid Journal   (Followers: 37)
Research and Reports in Forensic Medical Science     Open Access   (Followers: 7)
Revista Arbitrada de Ciencias Jurídicas y Criminalísticas Iustitia Socialis     Open Access  
Revista Brasileira de Criminalística     Open Access  
Revista de Estudios Jurídicos y Criminológicos     Open Access  
Revista de Movimentos Sociais e Conflitos     Open Access  
Revista Digital de la Maestría en Ciencias Penales     Open Access  
Rivista di Studi e Ricerche sulla criminalità organizzata     Open Access  
Science & Global Security: The Technical Basis for Arms Control, Disarmament, and Nonproliferation Initiatives     Hybrid Journal   (Followers: 4)
Security and Defence Quarterly     Open Access   (Followers: 6)
Security Journal     Hybrid Journal   (Followers: 22)
Sexual Abuse in Australia and New Zealand     Full-text available via subscription   (Followers: 9)
South African Crime Quarterly     Open Access   (Followers: 4)
The Howard Journal of Criminal Justice     Hybrid Journal   (Followers: 9)
Theory and Practice of Forensic Science     Open Access   (Followers: 1)
Trauma, Violence, & Abuse     Hybrid Journal   (Followers: 58)
Trends in Organized Crime     Hybrid Journal   (Followers: 374)
URVIO - Revista Latinoamericana de Estudios de Seguridad     Open Access  
Women & Criminal Justice     Hybrid Journal   (Followers: 282)
Women Against Violence : An Australian Feminist Journal     Full-text available via subscription   (Followers: 15)

           

Similar Journals
Journal Cover
IEEE Transactions on Dependable and Secure Computing
Journal Prestige (SJR): 0.802
Citation Impact (citeScore): 4
Number of Followers: 16  
 
  Hybrid Journal Hybrid journal (It can contain Open Access articles)
ISSN (Print) 1545-5971
Published by IEEE Homepage  [228 journals]
  • Explainable Artificial Intelligence for Cyber Threat Intelligence
           (XAI-CTI)

    • Free pre-print version: Loading...

      Authors: Sagar Samtani;Hsinchun Chen;Murat Kantarcioglu;Bhavani Thuraisingham;
      Pages: 2149 - 2150
      Abstract: The papers in this special section focus on explainable artificial intelligence for cyber threat intelligence. Despite concerted efforts from industry, academia, and government on improving cybersecurity capabilities, cyber-threats such as ransomware, fake news, advanced malware, and others, continue to exact a substantial toll on modern infrastructure and day-to-day societal operations. To help combat the ever-growing quantity and severity of cyber-threats, many organizations are adopting Cyber Threat Intelligence (CTI). At its core, CTI is a data-driven process that aims to identify emerging threats and key threat actors to help enable effective cybersecurity decision-making.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • A Multi-Criteria Analysis of Benchmark Results With Expert Support for
           Security Tools

    • Free pre-print version: Loading...

      Authors: Miquel Martínez;Juan-Carlos Ruiz;Nuno Antunes;David de Andrés;Marco Vieira;
      Pages: 2151 - 2164
      Abstract: The benchmarking of security tools is endeavored to determine which tools are more suitable to detect system vulnerabilities or intrusions. The analysis process is usually oversimplified by employing just a single metric out of the large set of those available. Accordingly, the decision may be biased by not considering relevant information provided by neglected metrics. This article proposes a novel approach to take into account several metrics, different scenarios, and the advice of multiple experts. The proposal relies on experts quantifying the relative importance of each pair of metrics towards the requirements of a given scenario. Their judgments are aggregated using group decision making techniques, and pondered according to the familiarity of experts with the metrics and scenario, to compute a set of weights accounting for the relative importance of each metric. Then, weight-based multi-criteria-decision-making techniques can be used to rank the benchmarked tools. The usefulness of this approach is showed by analyzing two different sets of vulnerability and intrusion detection tools from the perspective of multiple/single metrics and different scenarios.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Orchestration or Automation: Authentication Flaw Detection in Android Apps

    • Free pre-print version: Loading...

      Authors: Siqi Ma;Juanru Li;Surya Nepal;Diethelm Ostry;David Lo;Sanjay Kumar Jha;Robert H. Deng;Elisa Bertino;
      Pages: 2165 - 2178
      Abstract: Passwords are pervasively used to authenticate users’ identities in mobile apps. To secure passwords against attacks, protection is applied to the password authentication protocol (PAP). The implementation of the protection scheme becomes an important factor in protecting PAP against attacks. We focus on two basic protection in Android, i.e., SSL/TLS-based PAP and timestamp-based PAP. Previously, we proposed an automated tool, GLACIATE, to detect authentication flaws. We were curious whether orchestration (i.e., involving manual-effort) works better than automation. To answer this question, we propose an orchestrated approach, AuthExploit and compare its effectiveness GLACIATE. We study requirements for correct implementation of PAP and then apply GLACIATE to identify protection enhancements automatically. Through dependency analysis, GLACIATE matches the implementations against the abstracted flaws to recognise defective apps. To evaluate AuthExploit, we collected 1,200 Android apps from Google Play. We compared AuthExploit with the automation tool, GLACIATE, and two other orchestration tools, ${sf MalloDroid}$MalloDroid and ${sf SMV-Hunter}$SMV-Hunter. The results demonstrated that orchestration tools detect flaws more precisely although the F1 score of GLACIATE is higher than AuthExploit. Further analysis of the results reveals that highly popular apps and --commerce apps are not more secure than other apps.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Efficient Cyber Attack Detection in Industrial Control Systems Using
           Lightweight Neural Networks and PCA

    • Free pre-print version: Loading...

      Authors: Moshe Kravchik;Asaf Shabtai;
      Pages: 2179 - 2197
      Abstract: Industrial control systems (ICSs) are widely used and vital to industry and society. Their failure can have severe impact on both the economy and human life. Hence, these systems have become an attractive target for physical and cyber attacks alike. In this article, we examine an attack detection method based on simple and lightweight neural networks, namely, 1D convolutional neural networks and autoencoders. We apply these networks to both the time and frequency domains of the data and discuss the pros and cons of each representation approach. The suggested method is evaluated on three popular public datasets, and detection rates matching or exceeding previously published detection results are achieved, while demonstrating a small footprint, short training and detection times, and generality. We also show the effectiveness of PCA, which, given proper data preprocessing and feature selection, can provide high attack detection rates in many settings. Finally, we study the proposed method’s robustness against adversarial attacks that exploit inherent blind spots of neural networks to evade detection while achieving their intended physical effect. Our results show that the proposed method is robust to such evasion attacks: in order to evade detection, the attacker is forced to sacrifice the desired physical impact on the system.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • A Privacy-Preserving and Untraceable Group Data Sharing Scheme in Cloud
           Computing

    • Free pre-print version: Loading...

      Authors: Jian Shen;Huijie Yang;Pandi Vijayakumar;Neeraj Kumar;
      Pages: 2198 - 2210
      Abstract: With the development of cloud computing, the great amount of storage data requires safe and efficient data sharing. In multiparty storage data sharing, first, the confidentiality of shared data is ensured to achieve data privacy preservation. Second, the security of stored data is ensured. That is, when stored shared data are subject to frequent access operations, the address sequence or access pattern of data is hidden. Therefore, determining how to ensure the untraceability of stored data or efficient hide the data access pattern in sharing stored data is a challenge. By employing the proxy re-encryption algorithm and oblivious random access memory (ORAM), a privacy-preserving and untraceable scheme is proposed to support multiple users in sharing data in cloud computing. On the one hand, group members and a proxy use the key exchange phase to obtain keys and resist multiparty collusion if necessary. The ciphertext obtained according to the proxy re-encryption phase enables group members to implement access control and store data, thereby completing secure data sharing. On the other hand, this article realizes data untraceability and a hidden data access pattern through a one-way circular linked table in a binary tree (OCLT) and obfuscation operation. Additionally, based on the designed structure and pointer tuple, malicious users are identified and data tampering is prevented. The security analysis shows that the protocol designed in this article can meet the security requirements of proxy re-encryption and ORAM. Both theoretical and experimental analyses demonstrate that the proposed scheme is secure and efficient for group data sharing in cloud computing.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • A New Robust Reference Image Hashing System

    • Free pre-print version: Loading...

      Authors: Satendra Pal Singh;Gaurav Bhatnagar;Amit Kumar Singh;
      Pages: 2211 - 2225
      Abstract: The authentication and content protection of multimedia data is a challenging task in the present scenario. One solution is to generate the perceptual hash which essentially authenticates the multimedia data and can also be dealt with image database search problems. In this article, a novel system for generating an image hash is presented. The proposed system utilizes the global and local features in the hash generation process. The local features are obtained from non-linear scale-space based KAZE features. These KAZE features have the ability to capture the most stable point under several content preserving distortions. In contrast, first the input image is converted to a normalized image, it is transformed to the log-polar coordinate system, and then a reference image using the local contrast in the wavelet domain is obtained to extrcat the global features. An intermediate hash sequence is achieved by extracting the significant information from the reference image using the singular value decomposition. The final hash sequence combines both the vectors followed by the randomization process. Extensive experiments are conducted to demonstrate the feasibility and the robustness of the proposed hashing system against a wide range of intentional/unintentional distortions. Further, the comparative analysis with some state-of-the-art techniques validates the better discrimination of the proposed work.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Privacy-Preserving and Collusion-Resistant Charging Coordination Schemes
           for Smart Grids

    • Free pre-print version: Loading...

      Authors: Mohamed Baza;Marbin Pazos-Revilla;Ahmed Sherif;Mahmoud Nabil;Abdulah Jeza Aljohani;Mohamed Mahmoud;Waleed Alasmary;
      Pages: 2226 - 2243
      Abstract: Charging coordination is necessary for the successful integration of the Energy Storage Units (ESUs), including electric vehicles and home batteries, into the smart grid. To coordinate charging, the ESUs should send charging requests including time-to-complete-charging (TCC) and battery state-of-charge (SoC) to the charging controller (CC) for scheduling charging, but these data can reveal sensitive information on the ESUs’ owners such as their locations, when they return home and whether they are on travel. In this article, we propose centralized and decentralized privacy-preserving and collusion-resistant charging coordination schemes for ESUs. In the centralized scheme, ESUs authenticate their requests using anonymous tokens. To thwart linkability attacks where the CC uses TCC and SoC to link requests sent from the same ESU at consecutive time slots, an ESU needs to send multiple charging requests with different TCC and SoC values instead of only one request. In the decentralized scheme, charging is coordinated in a distributed way using a privacy-preserving data aggregation technique. The idea is that each ESU selects some ESUs to act as proxies, and shares a secret mask with each proxy. Then, each ESU adds a mask to its charging request and encrypts it so that by aggregating all requests, all masks are nullified and the total charging demand is known, and then it is used to compute the charging schedules. Due to using masking technique, the scheme is secure against collusion attacks. The results of extensive experiments and simulations confirm that our schemes are efficient and secure, and can preserve ESU owners’ privacy and thwart linkability attacks.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • SySeVR: A Framework for Using Deep Learning to Detect Software
           Vulnerabilities

    • Free pre-print version: Loading...

      Authors: Zhen Li;Deqing Zou;Shouhuai Xu;Hai Jin;Yawei Zhu;Zhaoxuan Chen;
      Pages: 2244 - 2258
      Abstract: The detection of software vulnerabilities (or vulnerabilities for short) is an important problem that has yet to be tackled, as manifested by the many vulnerabilities reported on a daily basis. This calls for machine learning methods for vulnerability detection. Deep learning is attractive for this purpose because it alleviates the requirement to manually define features. Despite the tremendous success of deep learning in other application domains, its applicability to vulnerability detection is not systematically understood. In order to fill this void, we propose the first systematic framework for using deep learning to detect vulnerabilities in C/C++ programs with source code. The framework, dubbed Syntax-based, Semantics-based, and Vector Representations (SySeVR), focuses on obtaining program representations that can accommodate syntax and semantic information pertinent to vulnerabilities. Our experiments with four software products demonstrate the usefulness of the framework: we detect 15 vulnerabilities that are not reported in the National Vulnerability Database. Among these 15 vulnerabilities, seven are unknown and have been reported to the vendors, and the other eight have been “silently” patched by the vendors when releasing newer versions of the pertinent software products.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Function Representations for Binary Similarity

    • Free pre-print version: Loading...

      Authors: Luca Massarelli;Giuseppe Antonio Di Luna;Fabio Petroni;Leonardo Querzoni;Roberto Baldoni;
      Pages: 2259 - 2273
      Abstract: The binary similarity problem consists in determining if two functions are similar considering only their compiled form. Advanced techniques for binary similarity recently gained momentum as they can be applied in several fields, such as copyright disputes, malware analysis, vulnerability detection, etc. In this article we describe SAFE, a novel architecture for function representation based on a self-attentive neural network. SAFE works directly on disassembled binary functions, does not require manual feature extraction, is computationally more efficient than existing solutions, and is more general as it works on stripped binaries and on multiple architectures. Results from our experimental evaluation show how SAFE provides a performance improvement with respect to previous solutions. Furthermore, we show how SAFE can be used in widely different use cases, thus providing a general solution for several application scenarios.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • A Matrix Factorization Model for Hellinger-Based Trust Management in
           Social Internet of Things

    • Free pre-print version: Loading...

      Authors: Soroush Aalibagi;Hamidreza Mahyar;Ali Movaghar;H. Eugene Stanley;
      Pages: 2274 - 2285
      Abstract: The Social Internet of Things (SIoT), integration of the Internet of Things, and Social Networks paradigms, has been introduced to build a network of smart nodes that are capable of establishing social links. In order to deal with misbehaving service provider nodes, service requestor nodes must evaluate their trustworthiness levels. In this article, we propose a novel trust management mechanism in the SIoT to predict the most reliable service providers for each service requestor, which leads to reduce the risk of being exposed to malicious nodes. We model the SIoT with a flexible bipartite graph (containing two sets of nodes: service providers and service requestors), then build a social network among the service requestor nodes, using the Hellinger distance. Afterward, we develop a social trust model using nodes’ centrality and similarity measures to extract trust behaviors among the social network nodes. Finally, a matrix factorization technique is designed to extract latent features of SIoT nodes, find trustworthy nodes, and mitigate the data sparsity and cold start problems. We analyze the effect of parameters in the proposed trust prediction mechanism on prediction accuracy. The results indicate that feedbacks from the neighboring nodes of a specific service requestor with high Hellinger similarity in our mechanism outperforms the best existing methods. We also show that utilizing the social trust model, which only considers a similarity measure, significantly improves the accuracy of the prediction mechanism. Furthermore, we evaluate the effectiveness of the proposed trust management system through a real-world SIoT use case. Our results demonstrate that the proposed mechanism is resilient to different types of network attacks, and it can accurately find the most proper and trustworthy service provider.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • DAENet: Making Strong Anonymity Scale in a Fully Decentralized Network

    • Free pre-print version: Loading...

      Authors: Tianxiang Shen;Jianyu Jiang;Yunpeng Jiang;Xusheng Chen;Ji Qi;Shixiong Zhao;Fengwei Zhang;Xiapu Luo;Heming Cui;
      Pages: 2286 - 2303
      Abstract: Traditional anonymous networks (e.g., Tor) are vulnerable to traffic analysis attacks that monitor the whole network traffic to determine which users are communicating. To preserve user anonymity against traffic analysis attacks, the emerging mix networks mess up the order of packets through a set of centralized and explicit shuffling nodes. However, this centralized design of mix networks is insecure against targeted DoS attacks that can completely block these shuffling nodes. In this article, we present DAENet, an efficient mix network that resists both targeted DoS attacks and traffic analysis attacks with a new abstraction called Stealthy Peer-to-Peer (P2P) Network. The stealthy P2P network effectively hides the shuffling nodes used in a routing path into the whole network, such that adversaries cannot distinguish specific shuffling nodes and conduct targeted DoS attacks to block these nodes. In addition, to handle traffic analysis attacks, we leverage the confidentiality and integrity protection of Intel SGX to ensure trustworthy packet shuffles at each distributed host and use multiple routing paths to prevent adversaries from tracking and revealing user identities. We show that our system is scalable with moderate latency (2.2s) when running in a cluster of 10,000 participants and is robust in the case of machine failures, making it an attractive new design for decentralized anonymous communication. DAENet ’s code is released on https://github.com/hku-systems/DAENet.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • An Automatic Attribute-Based Access Control Policy Extraction From Access
           Logs

    • Free pre-print version: Loading...

      Authors: Leila Karimi;Maryam Aldairi;James Joshi;Mai Abdelhakim;
      Pages: 2304 - 2317
      Abstract: With the rapid advances in computing and information technologies, traditional access control models have become inadequate in terms of capturing fine-grained, and expressive security requirements of newly emerging applications. An attribute-based access control (ABAC) model provides a more flexible approach to addressing the authorization needs of complex and dynamic systems. While organizations are interested in employing newer authorization models, migrating to such models pose as a significant challenge. Many large-scale businesses need to grant authorizations to their user populations that are potentially distributed across disparate and heterogeneous computing environments. Each of these computing environments may have its own access control model. The manual development of a single policy framework for an entire organization is tedious, costly, and error-prone. In this article, we present a methodology for automatically learning ABAC policy rules from access logs of a system to simplify the policy development process. The proposed approach employs an unsupervised learning-based algorithm for detecting patterns in access logs and extracting ABAC authorization rules from these patterns. In addition, we present two policy improvement algorithms, including rule pruning and policy refinement algorithms to generate a higher quality mined policy. Finally, we implement a prototype of the proposed approach to demonstrate its feasibility.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Enabling (End-to-End) Encrypted Cloud Emails With Practical Forward
           Secrecy

    • Free pre-print version: Loading...

      Authors: Jianghong Wei;Xiaofeng Chen;Jianfeng Wang;Xuexian Hu;Jianfeng Ma;
      Pages: 2318 - 2332
      Abstract: With the widespread use of cloud emails and frequent reports on large-scale email leakage events, a security property so-called forward secrecy becomes desirable and indispensable for both individuals and cloud email service providers to strengthen the security of cloud email systems. Specifically, forward secrecy can guarantee the confidentiality of those previously encrypted emails even if the user’s secret key gets exposed. However, due to the failure to meet the security and practicality requirements of email systems simultaneously, typical methods of achieving forward secrecy, such as Diffie-Hellman key exchange and forward-secure public-key encryption, have not been widely approved and adopted. In this article, to capture forward secrecy of encrypted cloud email systems without sacrificing the practicability, we introduce a new cryptographic primitive named forward-secure puncturable identity-based encryption (fs-PIBE), which enables an email user to perform fine-grained revocation of decryption capacity. In more detail, the user is allowed to preserve the decryption capacity of unreceived encrypted emails, while abolishing that of those received ones. Thus, it provides more practical forward secrecy than typical manners, in which the decryption capacity of received and unreceived encrypted emails is revoked simultaneously. Based on such a primitive, we build a framework of encrypted cloud email systems, and instantiate it with a concrete fs-PIBE construction that has constant size of ciphertext and provable security in the standard model. Furthermore, to improve the security and efficiency of the presented framework, we extend the proposed fs-PIBE scheme to support end-to-end encryption and outsourced decryption, respectively. In addition, as a proof-of-concept of the proposed fs-PIBE scheme, we implement it and produce various experiments to demonstrate its practicability and correctness.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • A Game-Theoretical Approach for Mitigating Edge DDoS Attack

    • Free pre-print version: Loading...

      Authors: Qiang He;Cheng Wang;Guangming Cui;Bo Li;Rui Zhou;Qingguo Zhou;Yang Xiang;Hai Jin;Yun Yang;
      Pages: 2333 - 2348
      Abstract: Edge computing (EC) is an emerging paradigm that extends cloud computing by pushing computing resources onto edge servers that are attached to base stations or access points at the edge of the cloud in close proximity with end-users. Due to edge servers’ geographic distribution, the EC paradigm is challenged by many new security threats, including the notorious distributed Denial-of-Service (DDoS) attack. In the EC environment, edge servers usually have constrained processing capacities due to their limited sizes. Thus, they are particularly vulnerable to DDoS attacks. DDoS attacks in the EC environment render existing DDoS mitigation approaches obsolete with its new characteristics. In this article, we make the first attempt to tackle the edge DDoS mitigation (EDM) problem. We model it as a constraint optimization problem and prove its $mathcal {NP}$NP-hardness. To solve this problem, we propose an optimal approach named EDMOpti and a novel game-theoretical approach named EDMGame for mitigating edge DDoS attacks. EDMGame formulates the EDM problem as a potential EDM Game that admits a Nash equilibrium and employs a decentralized algorithm to find the Nash equilibrium as the solution to the EDM problem. Through theoretical analysis and experimental evaluation, we demonstrate that our approaches can solve the EDM problem effectively and efficiently.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Design and Evaluation of a Multi-Domain Trojan Detection Method on Deep
           Neural Networks

    • Free pre-print version: Loading...

      Authors: Yansong Gao;Yeonjae Kim;Bao Gia Doan;Zhi Zhang;Gongxuan Zhang;Surya Nepal;Damith C. Ranasinghe;Hyoungshick Kim;
      Pages: 2349 - 2364
      Abstract: Trojan attacks on deep neural networks (DNNs) exploit a backdoor embedded in a DNN model that can hijack any input with an attacker’s chosen signature trigger. Emerging defence mechanisms are mainly designed and validated on vision domain tasks (e.g., image classification) on 2D Convolutional Neural Network (CNN) model architectures; a defence mechanism that is general across vision, text, and audio domain tasks is demanded. This work designs and evaluates a run-time Trojan detection method exploiting STRong Intentional Perturbation of inputs that is a multi-domain input-agnostic Trojan detection defence across Vision, Text and Audio domains—thus termed as STRIP-ViTA. Specifically, STRIP-ViTA is demonstratively independent of not only task domain but also model architectures. Most importantly, unlike other detection mechanisms, it requires neither machine learning expertise nor expensive computational resource, which are the reason behind DNN model outsourcing scenario—one main attack surface of Trojan attack. We have extensively evaluated the performance of STRIP-ViTA over: i) CIFAR10 and GTSRB datasets using 2D CNNs for vision tasks; ii) IMDB and consumer complaint datasets using both LSTM and 1D CNNs for text tasks; and iii) speech command dataset using both 1D CNNs and 2D CNNs for audio tasks. Experimental results based on more than 30 tested Trojaned models (including publicly Trojaned model) corroborate that STRIP-ViTA performs well across all nine architectures and five datasets. Overall, STRIP-ViTA can effectively detect trigger inputs with small false acceptance rate (FAR) with an acceptable preset false rejection rate (FRR). In particular, for vision tasks, we can always achieve a 0 percent FRR and FAR given str-ng attack success rate always preferred by the attacker. By setting FRR to be 3 percent, average FAR of 1.1 and 3.55 percent are achieved for text and audio tasks, respectively. Moreover, we have evaluated STRIP-ViTA against a number of advanced backdoor attacks and compare its effectiveness with other recent state-of-the-arts.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Optimization-Time Analysis for Cybersecurity

    • Free pre-print version: Loading...

      Authors: Yunxiao Zhang;Pasquale Malacaria;
      Pages: 2365 - 2383
      Abstract: A mathematical framework to reason about time resilience in cybersecurity is here introduced. We first consider an attacker who is able to mount several multi-stage attacks on the organization: the defender’s objective is to select an optimal portfolio of security controls, within a given budget, to withstand the highest number of attacks. The mathematical model is a Markov chain with an initial state called the safe state, intermediate states for all possible attacks (each attack state denoting a probabilistic attack graph), and a sink state denoting a successful attack. The overall defence problem is formulated as a bi-level multi-objective optimization, i.e., the defender selects an optimal portfolio of security controls to mitigate an optimal attacker. In order to determine the probability of success of an attack two cases will be considered: (a) the expected probability of success and (b) the highest probability of success. We refer to these two cases as expected-time analysis and worst-case time analysis, respectively. To solve precisely these bi-level optimizations strong duality and Mixed Integer Linear Programming are used. We then extend the framework to investigate resilience in terms of the total duration of the attacks; variations of the previous optimizations are presented to this purpose. Finally numerical evaluations are provided to compare the results obtained from the expected-time analysis and the worst-case time analysis.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Lessons to be Learned for a Good Design of Private RFID Schemes

    • Free pre-print version: Loading...

      Authors: Ferucio Laurenţiu Ţiplea;
      Pages: 2384 - 2395
      Abstract: RFID technology is increasingly used in various areas of society, where privacy plays a critical role. Due to this aspect, a sustained effort has been devoted in recent years to develop privacy models for RFID systems. Two widely accepted such models are Vaudenay’s model and the HPVP model. An incursion into the broad diversity of the RFID schemes developed so far shows that many of them do not assure privacy in any of the two models. That is either due to design errors or because their authors did not run any privacy analysis or have used weaker ad hoc privacy models. This article presents five design scenarios underlying constructions of RFID schemes that cannot provide certain levels of privacy in any of the two models. Each scenario is richly exemplified by RFID schemes proposed in the literature, and it is concluded by a lesson to guide us to a better design of such schemes.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Security and Effectiveness Analysis of the Gateway Integrity Checking
           Protocol

    • Free pre-print version: Loading...

      Authors: Mateus M. de Lucena;Antônio Augusto Fröhlich;
      Pages: 2396 - 2404
      Abstract: Industrial Internet of Things (IIoT) gateways connected to the Internet are often based on conventional operating systems such as Linux and on conventional communication protocols such as HTTPS and therefore are valuable targets for malicious attackers. When compromised, a malicious IIoT gateway can interfere with data exchanged between IIoT devices and systems running on servers or the Cloud. The Gateway Integrity Checking Protocol (GIP), proposed in previous work, defines a gossip mechanism to collect data from sets of IIoT devices to respond to security challenges issued by an External Security Agent (ESA) to assess a gateway's trustworthiness. GIP relies on a secure channel between IIoT devices and the ESA, which is achieved using a Public Key Infrastructure (PKI) for message authentication and encryption. In this article, we perform an analysis of the security measures employed by GIP, using formal descriptions to demonstrate that GIP is no less secure than the hash algorithm and the public key infrastructure used. Additionally, we simulate different configurations of GIP to measure detection rate and time to detect integrity faults.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • DDCA: A Distortion Drift-Based Cost Assignment Method for Adaptive Video
           Steganography in the Transform Domain

    • Free pre-print version: Loading...

      Authors: Yi Chen;Hongxia Wang;Kim-Kwang Raymond Choo;Peisong He;Zoran Salcic;Dali Kaafar;Xuyun Zhang;
      Pages: 2405 - 2420
      Abstract: Cost assignment plays a key role in coding performance and security of video steganography. Existing cost assignment methods (for adaptive video steganography) are designed for specific transform coefficients rather than all transform coefficients. In addition, existing video steganographic frameworks do not allow Syndrome-Trellis Codes (STCs) to modify all transform coefficients in both intra-coded and inter-coded frames at the same time. To address these limitations, in this article, we first propose a novel video steganographic framework. Then, we give a theoretical analysis of distortion drift in both intra- and inter-coding procedures. Based on the analysis, we design a Distortion Drift-Based Cost Assignment method, hereafter referred to as DDCA. DDCA considers the inner-block, inter-block and inter-frame distortion costs in order to improve the coding performance and the security of stego videos when the embedding payload is fixed. We conducted extensive experiments using two video datasets to evaluate the proposed video steganographic framework and DDCA, in terms of the coding performance and the security. Our experiments show that the proposed framework outperforms three recent state-of-the-art methods, for example the coding performance and the security of stego videos can benefit from DDCA by making full use of all nonzero transform coefficients.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Breaking Cuckoo Hash: Black Box Attacks

    • Free pre-print version: Loading...

      Authors: Pedro Reviriego;Daniel Ting;
      Pages: 2421 - 2427
      Abstract: Introduced less than twenty years ago, cuckoo hashing has a number of attractive features like a constant worst case number of memory accesses for queries and close to full memory utilization. Cuckoo hashing has been widely adopted to perform exact matching of an incoming key with a set of stored (key, value) pairs in both software and hardware implementations. This widespread adoption makes it important to consider the security of cuckoo hashing. Most hash based data structures can be attacked by generating collisions that reduce their performance. In fact, for cuckoo hashing collisions could lead to insertion failures which in some systems would lead to a system failure. For example, if cuckoo hashing is used to perform Ethernet lookup and a given MAC address cannot be added to the cuckoo hash, the switch would not be able to correctly forward frames to that address. Previous works have shown that this can be done when the attacker knows the hash functions used in the implementation. However, in many cases the attacker would not have that information and would only have access to the cuckoo hash operations to perform insertions, removals or queries. This article considers the security of a cuckoo hash to an attacker that has only a black box access to it. The analysis shows that by carefully performing user operations on the cuckoo hash, the attacker can force insertion failures with a small set of elements. The proposed attack has been implemented and tested for different configurations to demonstrate its feasibility. The fact that cuckoo hash can be broken with only access to its user functions should be taken into account when implementing it in critical systems. The article also discusses potential approaches to mitigate this vulnerability.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Generating Fake Documents Using Probabilistic Logic Graphs

    • Free pre-print version: Loading...

      Authors: Qian Han;Cristian Molinaro;Antonio Picariello;Giancarlo Sperlì;V. S. Subrahmanian;Yanhai Xiong;
      Pages: 2428 - 2441
      Abstract: Past research has shown that over 8 months may elapse between the time when a network is compromised and the time the attack is discovered. During this long gap, attackers can steal valuable intellectual property from the victim. The recent FORGE system [8] has suggested that automatically generating fake—but believable—versions of documents can delay the attacker, cost him money, and increase his uncertainty. However, in order to generate fakes, FORGE only modifies the textual component of the document in question. But in the real world, documents consist of many non-textual components such as charts, equations, formulas, diagrams, and tables. We propose the concept of a Probabilistic Logic Graph (PLG) and show that PLGs provide a single, unified framework within which the different parts of a document can be expressed. We then define the problem of generating, for a given PLG representation of a document, a set of fake yet highly believable PLGs (i.e., documents), so that an attacker looking at them (both the original and the fake ones) cannot easily identify the original document. We show that the problem of generating fake PLGs is intractable—but we propose an approximation algorithm that solves it efficiently. We evaluate the use of PLGs over a corpus of patents and show that our fakes can effectively deceive an adversary.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Decentralized Privacy-Preserving Fair Exchange Scheme for V2G Based on
           Blockchain

    • Free pre-print version: Loading...

      Authors: Zhiguo Wan;Tong Zhang;Weizhuang Liu;Mingqiang Wang;Liehuang Zhu;
      Pages: 2442 - 2456
      Abstract: With the fast development of the electric vehicle (EV) technology, EVs are expected to be the mainstream in future. The large number of EVs facilitate development of the emerging vehicle-to-grid (V2G) technology, which realizes two-way electricity flows between EVs and the power grid. How to achieve fairness and privacy for EVs during electricity/service exchanges remains a challenging problem for V2G. In this article, we propose a privacy-preserving fair exchange scheme V2GEx for V2G based on the blockchain. V2GEx is composed of an extended blockchain that supports zero-knowledge funds, a fair exchange smart contract based on the hashchain micropayment mechanism, and a privacy-preserving protocol for V2G. We further propose a simpler and more efficient scheme called Uni-V2GEx, which preserves privacy for only one party. We also provide a rigorous security proof under the universal composability (UC) model to prove V2GEx's security. To evaluate its efficiency, we implement V2GEx and conduct comprehensive experiments to test its performance in terms of computation cost and processing delay. The experiment results show that V2GEx is highly efficient in that verification of V2GEx transactions costs only 20 ms and the average transaction processing latency is around 6 seconds in a 200-node blockchain network.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • PUF-RAKE: A PUF-Based Robust and Lightweight Authentication and Key
           Establishment Protocol

    • Free pre-print version: Loading...

      Authors: Mahmood Azhar Qureshi;Arslan Munir;
      Pages: 2457 - 2475
      Abstract: Physically unclonable functions (PUFs) bind a device's identity to its physical hardware and thus, can be employed for device identification, authentication and cryptographic key generation. However, PUFs are susceptible to modeling attacks if a number of PUFs’ challenge-response pairs (CRPs) are exposed to the adversary. Furthermore, many of the embedded devices requiring authentication and inter-device communication in a real-time environment/system have stringent resource and low latency requirements, and thus require a lightweight authentication and key establishment mechanism to quickly realize an authenticated and secure connection. We propose PUF-RAKE, a PUF-based lightweight, highly reliable authentication and key establishment scheme. The proposed scheme enhances the reliability of PUF as well as alleviates the resource constraints by employing error correction in the server instead of the device as well as removing cryptographic hashing required by earlier PUF-based protocols. The proposed PUF-RAKE is robust against masquerade, brute force, replay, and modeling attacks. In PUF-RAKE, we introduce an inexpensive yet secure stream authentication scheme inside the device which authenticates the server before the underlying PUF can be invoked. This prevents an adversary from brute forcing the device's PUF to acquire CRPs essentially locking out the device from unauthorized model generation. Additionally, we also introduce a lightweight CRP obfuscation mechanism involving XOR and shuffle operations. The security of PUF-RAKE has been formally verified. A prototype of the protocol has been implemented on two Xilinx Zynq 7000 system-on-chips with one present on Xilinx zc706 evaluation board and the other present on the Avnet Zedboard. Observations, security analysis and results verify that the PUF-RAKE is secure against a probabilistic polynomial time adversary under both the unauthenticated link and authent-cated link adversarial models while providing ∼99% reliable authentication. In addition, PUF-RAKE provides a reduction of 60 and 72 percent for look-up tables (LUTs) and register count, respectively, in the programmable logic (PL) part of the Zynq 7000 as compared to a recently proposed approach while providing additional advantages.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Privacy-Preserving Distributed Data Access Control for CloudIoT

    • Free pre-print version: Loading...

      Authors: Hassan Nasiraee;Maede Ashouri-Talouki;
      Pages: 2476 - 2487
      Abstract: The Edge-Fog-Cloud interplay in the Internet-of-Things (IoT) leads to many exciting data-sharing applications that use access control systems as primary requirements. To ensure a fine-grained data access control for such data-sharings on untrusted storage (e.g., Cloud), Attribute-Based Encryption (ABE) is a promising tool. To address privacy concerns in such ABE-based access control systems, we propose a new Privacy-preserving Distributed data Access control (PDAC) in CloudIoT. Our PDAC improves the previous privacy-preserving distributed ABE systems in three aspects. The first introduces a new user's anonymity approach against the colluding untrusted (honest-but-curious) authorities. The second presents a novel policy-hiding mechanism that efficiently preserves the privacy of policy-forming attributes (metadata) against colluding parties. The third introduces an independent-authorities system for our privacy-preserving improvements, where an authority can join and leave the system without reinitializing other authorities. Moreover, our PDAC offloads the user's computations over the Cloud servers for efficiency enhancement. We prove the security of our PDAC through formal analysis. Then, we present empirical results on different classes of mobile devices, including a laptop and a smartphone.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Session Invariant EEG Signatures using Elicitation Protocol Fusion and
           Convolutional Neural Network

    • Free pre-print version: Loading...

      Authors: Essam Debie;Nour Moustafa;Athanasios Vasilakos;
      Pages: 2488 - 2500
      Abstract: Brain signals are potential biometric markers in user authentication, complementing existing biometric authentication techniques (such as those based on fingerprint, iris and facial recognition). This article proposes a novel EEG fusion method to examine the reliability and durability of EEG biometric markers across recording sessions. Our hypothesis is that models trained using EEG signals collected during various elicitation protocols can capture generalised brain patterns that pertain personalised information which can improve the durability of biometric systems. Different protocols are likely to produce different responses across brain regions, which can result in more identifiable responses from EEG. In our approach, an end-to-end convolutional neural network (CNN) model is adopted for feature extraction and classification of raw EEG data. The proposed method is evaluated on two EEG datasets which were collected over two separate sessions on different days using multiple different EEG elicitation protocols. Within-session and across-session experiments were conducted. Results for within session experiments showed that CNN models with protocol fusion can achieve similar if not better results than models trained with single protocol. In across-session scenarios, models trained with the proposed protocol fusion approach significantly outperformed single protocol based models. The obtained results illustrate the durability and reliability capabilities of the proposed fusion approach.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Efficient and Privacy-Preserving Similarity Range Query Over Encrypted
           Time Series Data

    • Free pre-print version: Loading...

      Authors: Yandong Zheng;Rongxing Lu;Yunguo Guan;Jun Shao;Hui Zhu;
      Pages: 2501 - 2516
      Abstract: Similarity query over time series data plays a significant role in various applications, such as signal processing, speech recognition, and disease diagnosis. Meanwhile, driven by the reliable and flexible cloud services, encrypted time series data are often outsourced to the cloud, and as a result, the similarity query over encrypted time series data has recently attracted considerable attention. Nevertheless, existing solutions still have issues in supporting similarity queries over time series data with different lengths, query accuracy and query efficiency. To address these issues, in this article, we propose a new efficient and privacy-preserving similarity range query scheme, where the time warp edit distance (TWED) is used as the similarity metric. Specifically, we first organize time series data into a $k$kd-tree by leveraging TWED’s triangle inequality, and design an efficient similarity range query algorithm for the $k$kd-tree. Second, based on a symmetric homomorphic encryption technique, we carefully devise a suite of privacy-preserving protocols to provide a security guarantee for $k$kd-tree based similarity range queries. After that, by using the similarity range query algorithm and these protocols, we propose our privacy-preserving similarity range query scheme, in which we elaborate on two strategies to make our scheme resist against the cloud inference attack. Finally, we anal-ze the security of our scheme and conduct extensive experiments to evaluate its performance, and the results indicate that our proposed scheme is indeed privacy-preserving and efficient.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • ProSAS: Proactive Security Auditing System for Clouds

    • Free pre-print version: Loading...

      Authors: Suryadipta Majumdar;Gagandeep Singh Chawla;Amir Alimohammadifar;Taous Madi;Yosr Jarraya;Makan Pourzandi;Lingyu Wang;Mourad Debbabi;
      Pages: 2517 - 2534
      Abstract: The multi-tenancy in a cloud along with its dynamic and self-service nature could cause severe security concerns, such as isolation breaches among cloud tenants. To mitigate such concerns and ensure the accountability and transparency of the cloud providers towards their tenants, verifying cloud states against a list of security policies, a.k.a. security auditing, is a promising solution. However, the existing security auditing solutions for clouds suffer from several limitations. First, the traditional auditing approach, which is retroactive in nature, can only detect violations after the fact and hence, often becomes ineffective while dealing with the dynamic nature of a cloud. Second, the existing runtime approaches can cause significant delay in the response time while dealing with the sheer size of a cloud. Finally, the current proactive approaches typically rely on prior knowledge about future changes in a cloud and also require significant manual efforts, and thus become less practical for a dynamic environment like cloud. To address those limitations, we present a novel proactive security auditing system, namely, ProSAS, which can prevent violations to security policies at runtime with a practical response time, and yet does not require prior knowledge about future changes. More specifically, ProSAS first establishes its models (e.g., dependency relationships between cloud events, and critical events) through learning from historical data (e.g., logs); it then predicts future critical events which would likely follow a received event by leveraging the dependency relationships; afterwards, it proactively verifies the impacts of those future events, and prevents those events which can cause violations of security policies. ProSAS is integrated into OpenStack, a popular cloud management platform, and we provide a concrete guideline to port ProSAS to other popular cloud platforms, such a- Google Cloud Platform, and Amazon EC2. Our experiment results using both real and synthetic data demonstrate the improvement of efficiency (i.e., reducing response time to 1,450 nanoseconds at best and 8.5 milliseconds on average for a large-scale cloud with 10,000 tenants) and level of automation (i.e., learning more than 20 new critical events spanning 100 days) in proactive security auditing by ProSAS.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Security of Multi-Adjustable Join Schemes: Separations and Implications

    • Free pre-print version: Loading...

      Authors: Mojtaba Rafiee;Shahram Khazaei;
      Pages: 2535 - 2545
      Abstract: Database management systems (DBMS) are one of cloud services with major applications in industry and business. In the use of such services, since the cloud service provider cannot be entrusted with the plain data, the databases are typically encrypted prior to outsourcing. One of the most challenging issues in designing these services is supporting SQL join queries on the encrypted database. The multi-adjustable join scheme (M-Adjoin) [Khazaei-Rafiee 2020], an extension of Adjoin [Popa-Zeldovich 2012 and Mironov-Segev-Shahaf 2017], is a symmetric-key primitive that supports the join queries for a list of column labels on an encrypted database. In previous works, the following security notions were introduced for $text{Adjoin}$Adjoin and $text{M-Adjoin}$M-Adjoin schemes: $mathtt {3Partition}$3Partition, $mathtt {M3Partition}$M3Partition and $mathtt {M3P}_{k}$M3Pk, for every integer $k$k. In this article, we first extend the simulation-based and indistinguishability-based security notions for $text{Adjoin}$Adjoin, defined by Mironov et al., to $text{M-Adjoin}$M-Adjoin. Then, we study the relations between all these security notions for $text{M-Adjoin}$M-Adjoin. In particular, some non-trivial relations are proved which resolve some open problems raised by Mironov et al.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Making Convolutions Resilient Via Algorithm-Based Error Detection
           Techniques

    • Free pre-print version: Loading...

      Authors: Siva Kumar Sastry Hari;Michael B. Sullivan;Timothy Tsai;Stephen W. Keckler;
      Pages: 2546 - 2558
      Abstract: Convolutional Neural Networks (CNNs) are being increasingly used in safety-critical and high-performance computing systems. As such systems require high levels of resilience to errors, CNNs must execute correctly in the presence of hardware faults. Full duplication provides the needed assurance but incurs a prohibitive 100 percent overhead. In this article, we focus on algorithmically verifying convolutions, the most resource-demanding operations in CNNs. We use checksums to verify convolutions. We identify the feasibility and performance related challenges that arise in algorithmically detecting errors in convolutions in optimized CNN inference deployment platforms (e.g., TensorFlow or TensorRT on GPUs) that fuse multiple network layers and use reduced-precision operations, and demonstrate how to overcome them. We propose and evaluate variations of the algorithm-based error detection (ABED) techniques that offer implementation complexity, runtime overhead, and coverage trade-offs. Results show that ABED can detect all transient hardware errors that might otherwise corrupt output with low runtime overheads (6-23 percent). Only about 1.4 percent of the total computations in a CNN are not protected by ABED, which can be duplicated for full CNN protection. ABED for the compute-intensive convolutions and duplicating the rest can offer at least 1.6× throughput compared to full duplication.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • SaVioR: Thwarting Stack-Based Memory Safety Violations by Randomizing
           Stack Layout

    • Free pre-print version: Loading...

      Authors: Seongman Lee;Hyeonwoo Kang;Jinsoo Jang;Brent Byunghoon Kang;
      Pages: 2559 - 2575
      Abstract: Stack-based memory corruption vulnerabilities have been exploited, allowing attackers to execute arbitrary code and read/write arbitrary memory. Although several solutions have been proposed to prevent memory errors on the stack, they are either limited to a specific type of attack (either spatial or temporal attacks) or cause significant performance degradation. In this article, we introduce SaVioR, an efficient and comprehensive stack protection mechanism. The key technique involves randomization of the stack layout to reduce its predictability and exploitability. SaVioR isolates an individual object from spatially and temporally adjacent vulnerable objects and randomizes each object's location, which prevents attackers from predicting the stack layout and thus reduces the likelihood of memory errors being exploited. We implemented SaVioR based on the LLVM compiler framework and applied it to the SPEC CPU2006 benchmarks and real-world applications. Our security evaluation showed that SaVioR provides a high degree of randomness in the stack layout and thus reduces the likelihood of successful exploitation of spatial and temporal memory errors on the stack. Our performance evaluation also demonstrated that it incurs a modest performance overhead (14 percent) with the SPEC CPU2006 benchmark suite, which improves performance compared to the state-of-the-art stack protection while achieving a comparable security level.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Making Information Hiding Effective Again

    • Free pre-print version: Loading...

      Authors: Zhe Wang;Chenggang Wu;Yinqian Zhang;Bowen Tang;Pen-Chung Yew;Mengyao Xie;Yuanming Lai;Yan Kang;Yueqiang Cheng;Zhiping Shi;
      Pages: 2576 - 2594
      Abstract: Information hiding (IH) is an important building block for many defenses against code reuse attacks, such as code-pointer integrity (CPI), control-flow integrity (CFI) and fine-grained code (re-)randomization, because of its effectiveness and performance. It employs randomization to probabilistically “hide” sensitive memory areas, called safe areas, from attackers and ensures their addresses are not leaked by any pointers directly. These defenses used safe areas to protect their critical data, such as jump targets and randomization secrets. However, recent works have shown that IH is vulnerable to various attacks. In this article, we propose a new IH technique called SafeHidden. It continuously re-randomizes the locations of safe areas and thus prevents the attackers from probing and inferring the memory layout to find its location. A new thread-private memory mechanism is proposed to isolate the thread-local safe areas and prevent adversaries from reducing the randomization entropy. It also randomizes the safe areas after the TLB misses to prevent attackers from inferring the address of safe areas using cache side-channels. Existing IH-based defenses can utilize SafeHidden directly without any change. Our experiments show that SafeHidden not only prevents existing attacks effectively but also incurs low performance overhead.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • SGXTuner: Performance Enhancement of Intel SGX Applications Via Stochastic
           Optimization

    • Free pre-print version: Loading...

      Authors: Giovanni Mazzeo;Sergei Arnautov;Christof Fetzer;Luigi Romano;
      Pages: 2595 - 2608
      Abstract: Intel SGX has started to be widely adopted. Cloud providers (Microsoft Azure, IBM Cloud, Alibaba Cloud) are offering new solutions, implementing data-in-use protection via SGX. A major challenge faced by both academia and industry is providing transparent SGX support to legacy applications. The approach with the highest consensus is linking the target software with SGX-extended libc libraries. Unfortunately, the increased security entails a dramatic performance penalty, which is mainly due to the intrinsic overhead of context switches, and the limited size of protected memory. Performance optimization is non-trivial since it depends on key parameters whose manual tuning is a very long process. We present the architecture of an automated tool, called SGXTuner, which is able to find the best setting of SGX-extended libc library parameters, by iteratively adjusting such parameters based on continuous monitoring of performance data. The tool is — to a large extent — algorithm agnostic. We decided to base the current implementation on a particular type of stochastic optimization algorithm, specifically Simulated Annealing. A massive experimental campaign was conducted on a relevant case study. Three client-server applications — Memcached, Redis, and Apache — were compiled with SCONE's sgx-musl and tuned for best performance. Results demonstrate the effectiveness of SGXTuner.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Practical Encrypted Network Traffic Pattern Matching for Secure
           Middleboxes

    • Free pre-print version: Loading...

      Authors: Shangqi Lai;Xingliang Yuan;Shi-Feng Sun;Joseph K. Liu;Ron Steinfeld;Amin Sakzad;Dongxi Liu;
      Pages: 2609 - 2621
      Abstract: Network Function Virtualisation (NFV) advances the adoption of composable software middleboxes. Accordingly, cloud data centres become major NFV vendors for enterprise traffic processing. Due to the privacy concern of traffic redirection to the cloud, secure middlebox systems (e.g., BlindBox) draw much attention; they can process encrypted packets against encrypted rules directly. However, most of the existing systems supporting pattern matching based network functions require the enterprise gateway to tokenise packet payloads via sliding windows. Such tokenisation induces a considerable communication overhead, which can be over 100× to the packet size. To overcome this bottleneck, in this article, we propose the first bandwidth-efficient encrypted pattern matching protocol for secure middleboxes. We resort to a primitive called symmetric hidden vector encryption (SHVE), and propose a variant of it, aka SHVE+, to achieve constant and moderate communication cost. To speed up, we devise encrypted filters to reduce the number of accesses to SHVE+ during matching highly. We formalise the security of our proposed protocol and conduct comprehensive evaluations over real-world rulesets and traffic dumps. The results show that our design can inspect a packet over 20 k rules within 100 $mu$μs. Compared to prior work, it brings a saving of 94 percent in bandwidth consumption.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • CryptoRec: Novel Collaborative Filtering Recommender Made
           Privacy-Preserving Easy

    • Free pre-print version: Loading...

      Authors: Jun Wang;Chao Jin;Qiang Tang;Zhe Liu;Khin Mi Mi Aung;
      Pages: 2622 - 2634
      Abstract: With the explosive growth of user data, recommenders have become increasingly complicated. State-of-the-art algorithms often have high computational complexity and heavily use non-linear transformations. This fact makes the privacy-preserving problem more challenging, despite the significant advances in cryptography. To alleviate this problem, we propose a privacy-friendly recommender, CryptoRec. It only relies on additions and multiplications, which are efficiently supported by most cryptographic primitives. Different from others, in CryptoRec, the parameter space only contains item features (user features can be directly computed from the item features). This property allows CryptoRec to, (1) naturally achieve transferability if two datasets share the same item entries, which can benefit differential privacy protection; (2) directly estimate the preference of new users whose data is not included in the training set, drastically improving recommendation efficiency. We first evaluate CryptoRec on three real-world datasets. The evaluation results show that the accuracy is competitive with state-of-the-art. Then, we build differential privacy into CryptoRec and leverage its transferability property to reduce the overall privacy loss. Lastly, we demonstrate the simplicity and efficiency of using CryptoRec to construct secure recommendation protocols based on homomorphic encryption schemes. Our results show that CryptoRec outperforms existing solutions in terms of both accuracy and efficiency.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • A New Facial Authentication Pitfall and Remedy in Web Services

    • Free pre-print version: Loading...

      Authors: Dalton Cole;Sara Newman;Dan Lin;
      Pages: 2635 - 2647
      Abstract: Facial authentication has become more and more popular on personal devices. Due to the ease of use, it has great potential to be widely deployed for web-service authentication in the near future whereby people can easily log on to online accounts from different devices without memorizing lengthy passwords. However, the growing number of attacks on machine learning especially the Deep Neural Networks (DNN) which is commonly used for facial recognition, imposes big challenges on the successful roll-out of such web-service face authentication. Although there have been studies on defending some machine learning attacks, we are not aware of any specific effort devoted to the web-service facial authentication setting. In this article, we first demonstrate a new data poisoning attack that does not require to have any knowledge of the server-side and just needs a handful of malicious photo injections to enable an attacker to easily impersonate the victim in the existing facial authentication systems. We then propose a novel defensive approach called DEFEAT that leverages deep learning techniques to automatically detect such attacks. We have conducted extensive experiments on real datasets and our experimental results show that our defensive approach achieves more than 90 percent detection accuracy.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Who Moves My App Promotion Investment' A Systematic Study About App
           Distribution Fraud

    • Free pre-print version: Loading...

      Authors: Shaoyong Du;Minrui Zhao;Jingyu Hua;Hang Zhang;Xiaoyu Chen;Zhiyun Qian;Sheng Zhong;
      Pages: 2648 - 2664
      Abstract: As the mobile era matures, it is increasingly competitive to market mobile apps, forcing companies to invest heavily on mobile user acquisition campaigns. This has unfortunately given birth to a new form of Internet fraud, which we refer to as “app distribution fraud”. This new fraud involves collusion between ISPs and fraudulent app distributors where app download is hijacked/redirected. In this article, we have the unique opportunity to cooperate with a major e-commerce company (with about 0.2 billion active users per month) to take a first peek at this problem. Through the nationwide measurement results, we find that app distribution fraud is ubiquitous yet stealthy — about 1.55 percent app downloads are hijacked/redirected, affecting more than 75 percent of the cities we tested and causing an estimated 7.46 billion U.S. dollars financial loss per year. We follow up with additional measurements on the technical mechanism of the fraud and the scope of the fraud (i.e., what other apps are also affected). Surprisingly, we find that sometimes the original app a user intends to download can be replaced with a completely different app, rendering the user's device at risks.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Covert Channel-Based Transmitter Authentication in Controller Area
           Networks

    • Free pre-print version: Loading...

      Authors: Xuhang Ying;Giuseppe Bernieri;Mauro Conti;Linda Bushnell;Radha Poovendran;
      Pages: 2665 - 2679
      Abstract: In recent years, the security of automotive Cyber-Physical Systems (CPSs) is facing urgent threats due to the widespread use of legacy in-vehicle communication systems. As a representative legacy bus system, the Controller Area Network (CAN) hosts Electronic Control Units (ECUs) that are crucial for the vehicles functioning. In this scenario, malicious actors can exploit the CAN vulnerabilities, such as the lack of built-in authentication and encryption schemes, to launch CAN bus attacks (e.g., suspension, injection, and masquerade attacks) with life-threatening consequences (e.g., disabling brakes). In this article, we present TACAN (Transmitter Authentication in CAN), which provides secure authentication of ECUs on the legacy CAN bus by exploiting the covert channels, without introducing CAN protocol modifications or traffic overheads (no extra bits or CAN messages are used). TACAN turns upside-down the originally malicious concept of covert channels and exploits it to build an effective defensive technique that facilitates transmitter authentication via a centralized, trusted Monitor Node. TACAN consists of three different covert channels for ECU authentication: 1) the Inter-Arrival Time (IAT)-based, leveraging the IATs of CAN messages; 2) the Least Significant Bit (LSB)-based, concealing authentication messages into the LSBs of normal CAN data; and 3) a hybrid covert channel, exploiting the combination of the first two. In order to validate TACAN, we implement the covert channels on the University of Washington (UW) EcoCAR (Chevrolet Camaro 2016) testbed. We further evaluate the bit error, throughput, and detection performance of TACAN through extensive experiments using the EcoCAR testbed and a publicly available dataset collected from Toyota Camry 2010. We demonstrate the feasibility of TACAN and the effectiveness of detecting CAN bus attacks, highlighting no traffic overheads and attesting the regular functionality of-ECUs.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Monitoring-Based Differential Privacy Mechanism Against Query
           Flooding-Based Model Extraction Attack

    • Free pre-print version: Loading...

      Authors: Haonan Yan;Xiaoguang Li;Hui Li;Jiamin Li;Wenhai Sun;Fenghua Li;
      Pages: 2680 - 2694
      Abstract: Public intelligent services enabled by machine learning algorithms are vulnerable to model extraction attacks that can steal confidential information of the learning models through public queries. Though there are some protection options such as differential privacy (DP) and monitoring, which are considered promising techniques to mitigate this attack, we still find that the vulnerability persists. In this article, we propose an adaptive query-flooding parameter duplication (QPD) attack. The adversary can infer the model information with black-box access and no prior knowledge of any model parameters or training data via QPD. We also develop a defense strategy using DP called monitoring-based DP (MDP) against this new attack. In MDP, we first propose a novel real-time model extraction status assessment scheme called Monitor to evaluate the situation of the model. Then, we design a method to guide the differential privacy budget allocation called APBA adaptively. Finally, all DP-based defenses with MDP could dynamically adjust the amount of noise added in the model response according to the result from Monitor and effectively defends the QPD attack. Furthermore, we thoroughly evaluate and compare the QPD attack and MDP defense performance on real-world models with DP and monitoring protection.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Maximizing Error Injection Realism for Chaos Engineering With System Calls

    • Free pre-print version: Loading...

      Authors: Long Zhang;Brice Morin;Benoit Baudry;Martin Monperrus;
      Pages: 2695 - 2708
      Abstract: In this article, we present a novel fault injection framework for system call invocation errors, called Phoebe. Phoebe is unique as follows; First, Phoebe enables developers to have full observability of system call invocations. Second, Phoebe generates error models that are realistic in the sense that they mimic errors that naturally happen in production. Third, Phoebe is able to automatically conduct experiments to systematically assess the reliability of applications with respect to system call invocation errors in production. We evaluate the effectiveness and runtime overhead of Phoebe on two real-world applications in a production environment for a single software stack: Java. The results show that Phoebe successfully generates realistic error models and is able to detect important reliability weaknesses with respect to system call invocation errors. To our knowledge, this novel concept of “realistic error injection”, which consists of grounding fault injection on production errors, has never been studied before.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Auth-AIS: Secure, Flexible, and Backward-Compatible Authentication of
           Vessels AIS Broadcasts

    • Free pre-print version: Loading...

      Authors: Savio Sciancalepore;Pietro Tedeschi;Ahmed Aziz;Roberto Di Pietro;
      Pages: 2709 - 2726
      Abstract: Automatic Identification System (AIS) is the de-facto communication standard used by vessels to broadcast identification and position information. However, being AIS communications neither encrypted nor authenticated, they can be eavesdropped and spoofed by adversaries, leading to potentially threatening scenarios. Existing solutions, including the ones conceived in the avionics domain, do not consider integration with the AIS standard, and they do not provide protection against rogue messages flooding. In this article, we propose Auth-AIS, a secure, flexible, standard-compliant, and backward-compatible authentication framework to secure AIS broadcast messages. Auth-AIS leverages existing sound cryptographic tools, including TESLA and Bloom Filters, inheriting their security properties while contextualizing them in the AIS technology. Auth-AIS is a software-only solution, that can be seamlessly integrated into existing AIS deployments, without requiring any hardware replacement. Its innovative design also provides backward-compatibility—i.e., Auth-AIS messages can be received also by AIS users not adopting Auth-AIS, while renouncing at its security guarantees. Auth-AIS can work in either two configuration modes: Deterministic Security Configuration, able to achieve low-delay authentication with a message overhead of 75 percent, or Probabilistic Security Configuration, reducing the message overhead down to 35.71 percent, while experiencing a marginal increase in the authentication delay. All these security configurations guarantee an 80 bits equivalent security level and false-positive rate less than 2--40. Note that these latter security parameters can easily be tuned to fit different security requirements. Finally, the source code of Auth-AIS in the GNURadio ecosystem has been released as open-source, to foster research activities from both Industry and Academia on secure AIS communications.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • FVC-Dedup: A Secure Report Deduplication Scheme in a Fog-Assisted
           Vehicular Crowdsensing System

    • Free pre-print version: Loading...

      Authors: Shunrong Jiang;Jianqing Liu;Yong Zhou;Yuguang Fang;
      Pages: 2727 - 2740
      Abstract: It is observed that modern vehicles are becoming more and more powerful in computing, communications, and storage capacity. By interacting with other vehicles or with local infrastructures (i.e., fog) such as road-side units, vehicles and fog devices can collaboratively provide services like crowdsensing in an efficient and secure way. Unfortunately, it is hard to develop a secure and privacy-preserving crowdsensing report deduplication mechanism in such a system. In this article, we propose a scheme FVC-Dedup to address this challenge. Specifically, we develop cryptographic primitives to realize secure task allocation and guarantee the confidentiality of crowdsensing reports. During the report submission, we improve the message-lock encryption (MLE) scheme to realize privacy-preserving report deduplication and resist the fake duplicate attacks. Besides, we construct a novel signature scheme to achieve efficient signature aggregation and record the contributions of each participant fairly without knowing the crowdsensing data. The security analysis and performance evaluation demonstrate that FVC-Dedup can achieve secure and privacy-preserving report deduplication with moderate computing and communication overhead.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • SuperSketch: A Multi-Dimensional Reversible Data Structure for Super Host
           Identification

    • Free pre-print version: Loading...

      Authors: Xuyang Jing;Hui Han;Zheng Yan;Witold Pedrycz;
      Pages: 2741 - 2754
      Abstract: Facing big network traffic data, effective data compression becomes crucially important and urgently needed for estimating host cardinalities and identifying super hosts. However, the current literature confronts several challenges: incapability of simultaneously measuring various types of host cardinalities and inability to efficiently reconstruct super host addresses. To address these challenges, in this article, we propose a novel sketch data structure, named SuperSketch, to simultaneously measure multiple types of host cardinalities with the purpose of efficiently identifying super hosts. SuperSketch has two significant characteristics: multi-dimensionality and reversibility. The multi-dimensionality makes SuperSketch capable of simultaneously measuring Source Cardinality, Destination Cardinality, and Destination Port Cardinality. The reversibility allows SuperSketch to accurately and quickly reconstruct the original addresses of super hosts once they are identified. We conduct both theoretical analysis and performance evaluation based on real-world network traffic. Experimental results show that SuperSketch achieves outstanding performance for multi-cardinality measurement, super host identification, and host address reconstruction.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • On Capturing DDoS Traffic Footprints on the Internet

    • Free pre-print version: Loading...

      Authors: Lumin Shi;Jun Li;Mingwei Zhang;Peter Reiher;
      Pages: 2755 - 2770
      Abstract: While distributed denial-of-service (DDoS) attacks are easy to launch and are becoming more damaging, the defense against DDoS attacks often suffers from the lack of relevant knowledge of the DDoS traffic, including the paths the DDoS traffic has used, the source addresses (spoofed or not) that appear along each path, and the amount of traffic per path or per source. Though IP traceback and path inference approaches could be considered, they are either expensive and hard to deploy or inaccurate. We propose PathFinder, a service that a DDoS defense system can use to obtain the footprints of the DDoS traffic to the victim. PathFinder employs an architecture that is easy to implement and deploy on today's Internet, a PFTrie data structure that introduces multiple design features to log traffic at line rate, and streaming and zooming mechanisms that facilitates the storage and transmission of DDoS footprints more efficiently. Our evaluation shows that PathFinder can significantly improve the efficacy of a DDoS defense system, its PFTrie data structure is fast and has a manageable overhead, and its streaming and zooming mechanisms significantly reduce the delay and overhead in transmitting DDoS footprints.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Privacy-Preserving Search for a Similar Genomic Makeup in the Cloud

    • Free pre-print version: Loading...

      Authors: Xiaojie Zhu;Erman Ayday;Roman Vitenberg;Narasimha Raghavan Veeraragavan;
      Pages: 2771 - 2788
      Abstract: Increasing affordability of genome sequencing and, as a consequence, widespread availability of genomic data opens up new opportunities for the field of medicine, as also evident from the emergence of popular cloud-based offerings in this area, such as Google Genomics [1]. To utilize this data more efficiently, it is crucial that different entities share their data with each other. However, such data sharing is risky mainly due to privacy concerns. In this article, we attempt to provide a privacy-preserving and efficient solution for the “similar patient search” problem among several parties (e.g., hospitals) by addressing the shortcomings of previous attempts. We consider a scenario in which each hospital has its own genomic dataset and the goal of a physician (or researcher) is to search for a patient similar to a given one (based on a genomic makeup) among all the hospitals in the system. To enable this search, we propose a hierarchical index structure to index each hospital’s dataset with low memory requirement. Furthermore, we develop a novel privacy-preserving index merging mechanism that generates a common search index from individual indices of each hospital to significantly improve the search efficiency. We also consider the storage of medical information associated with genomic data of a patient (e.g., diagnosis and treatment). We allow access to this information via a fine-grained access control policy that we develop through the combination of standard symmetric encryption and ciphertext policy attribute-based encryption. Using this mechanism, a physician can search for similar patients and obtain medical information about the matching records if the access policy holds. We conduct experiments on large-scale genomic data and show the high efficiency of the proposed scheme.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Secure Password-Protected Encryption Key for Deduplicated Cloud Storage
           Systems

    • Free pre-print version: Loading...

      Authors: Yuan Zhang;Chunxiang Xu;Nan Cheng;Xuemin Shen;
      Pages: 2789 - 2806
      Abstract: In this article, we propose SPADE, an encrypted data deduplication scheme that resists compromised key servers and frees users from the key management problem. Specifically, we propose a proactivization mechanism for the servers-aided message-locked encryption (MLE) to periodically substitute key servers with newly employed ones, which renews the security protection and retains encrypted data deduplication. We present a servers-aided password-hardening protocol to resist dictionary guessing attacks. Based on the protocol, we further propose a password-based layered encryption mechanism and a password-based authentication mechanism and integrate them into SPADE to enable users to access their data only using their passwords. Provable security and high efficiency of SPADE are demonstrated by comprehensive analyses and experimental evaluations.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • NN-EMD: Efficiently Training Neural Networks Using Encrypted Multi-Sourced
           Datasets

    • Free pre-print version: Loading...

      Authors: Runhua Xu;James Joshi;Chao Li;
      Pages: 2807 - 2820
      Abstract: Training complex neural network models using third-party cloud-based infrastructure among multiple data sources is a promising approach among existing machine learning solutions. However, privacy concerns of large-scale data collections and recent regulations have restricted the availability and use of privacy sensitive data in the third-party infrastructure. To address such privacy issues, a promising emerging approach is to train a neural network model over an encrypted dataset. Specifically, the model training process can be outsourced to a third party such as a cloud service that is backed by significant computing power, while the encrypted training data keeps the data confidential from the third party. Compared to training a traditional machine learning model over encrypted data, however, it is extremely challenging to train a deep neural network (DNN) model over encrypted data for two reasons: first, it requires large-scale computation over huge datasets; second, the existing solutions for computation over encrypted data, such as using homomorphic encryption, is inefficient. Further, for enhanced performance of a DNN model, we also need to use huge training datasets composed of data from multiple data sources that may not have pre-established trust relationships among each other. We propose a novel framework, NN-EMD, to train DNN over encrypted multiple datasets collected from multiple sources. Toward this, we propose a set of secure computation protocols using hybrid functional encryption schemes. We evaluate our framework for performance with regards to the training time and model accuracy on the MNIST datasets. We show that compared to other existing frameworks, our proposed NN-EMD framework can significantly reduce the training time, while providing comparable model accuracy and privacy guarantees as well as supporting multiple data sources. Furthermore, the depth and complexity of neural netw-rks do not affect the training time despite introducing a privacy-preserving NN-EMD setting.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • VulDeeLocator: A Deep Learning-Based Fine-Grained Vulnerability Detector

    • Free pre-print version: Loading...

      Authors: Zhen Li;Deqing Zou;Shouhuai Xu;Zhaoxuan Chen;Yawei Zhu;Hai Jin;
      Pages: 2821 - 2837
      Abstract: Automatically detecting software vulnerabilities is an important problem that has attracted much attention from the academic research community. However, existing vulnerability detectors still cannot achieve the vulnerability detection capability and the locating precision that would warrant their adoption for real-world use. In this article, we present a vulnerability detector that can simultaneously achieve a high detection capability and a high locating precision, dubbed Vulnerability Deep learning-based Locator (VulDeeLocator). In the course of designing VulDeeLocator, we encounter difficulties including how to accommodate semantic relations between the definitions of types as well as macros and their uses across files, how to accommodate accurate control flows and variable define-use relations, and how to achieve high locating precision. We solve these difficulties by using two innovative ideas: (i) leveraging intermediate code to accommodate extra semantic information, and (ii) using the notion of granularity refinement to pin down locations of vulnerabilities. When applied to 200 files randomly selected from three real-world software products, VulDeeLocator detects 18 confirmed vulnerabilities (i.e., true-positives). Among them, 16 vulnerabilities correspond to known vulnerabilities; the other two are not reported in the National Vulnerability Database (NVD) but have been “silently” patched by the vendor of Libav when releasing newer versions.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • Decentralized Self-Auditing Scheme With Errors Localization for
           Multi-Cloud Storage

    • Free pre-print version: Loading...

      Authors: Yuan Su;Yanping Li;Bo Yang;Yong Ding;
      Pages: 2838 - 2850
      Abstract: With the popularity of cloud storage, increasing users begin to outsource data to the cloud. In order to resist possible data analysis for centralized outsourced data and improve the fault tolerance, users prefer to distribute data to cloud servers of different cloud service providers. However, once the data have been outsourced, it will be out of user’s control and many security issues may occur, such as outsourced data being illegally tamper with, or rarely accessed data being secretly deleted. In this article, we propose a decentralized self-auditing scheme for multi-cloud storage, called DSAS. First, based on the symmetric balanced incomplete block design, DSAS achieves integrity verification for outsourced data via the interactions of cloud servers and the auditing costs are shared by the participating CSs. Second, DSAS can locate misbehavior cloud server with low computation costs, and resist denial of service attack initiated by malicious cloud servers which attempts to destroy the audit. Third, DSAS can recover the corrupted data without fetching data, and support the revocation of cloud servers and batch auditing. Finally, security proof and function evaluation show that DSAS has comprehensive security and functionality, and performance simulations and experiment results show that DSAS is efficient.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
  • DNS Poisoning of Operating System Caches: Attacks and Mitigations

    • Free pre-print version: Loading...

      Authors: Fatemah Alharbi;Yuchen Zhou;Feng Qian;Zhiyun Qian;Nael Abu-Ghazaleh;
      Pages: 2851 - 2863
      Abstract: The Domain Name System (DNS) is a protocol supporting name resolution from Fully Qualified Domain Names (FQDNs) to the IP address of the machines corresponding to them. This resolution process is critical to the operation of the Internet, but is susceptible to a range of attacks. One of the most dangerous attack vectors is DNS poisoning where an attacker injects malicious entries into the DNS resolution forcing clients to be redirected from legitimate to malicious servers. Typically, poisoning attacks target a DNS resolver allowing attackers to poison a DNS entry for all machines that use the compromised resolver. However, recent defenses protect resolvers substantially limiting these attacks. In this paper, we present a new class of DNS poisoning attacks targeting the client-side DNS cache, which is used in mainstream operating systems, circumventing defenses protecting resolvers. We implemented the attack on Windows, Mac OS, and Ubuntu Linux machines. We also generalize the attack to work even when the client is behind a Network Address Translation (NAT) router. Our results show that we can reliably inject malicious DNS mappings, with on average, an order of tens of seconds. We also propose client-side mitigations and demonstrate that they can effectively mitigate the vulnerability.
      PubDate: July-Aug. 1 2022
      Issue No: Vol. 19, No. 4 (2022)
       
 
JournalTOCs
School of Mathematical and Computer Sciences
Heriot-Watt University
Edinburgh, EH14 4AS, UK
Email: journaltocs@hw.ac.uk
Tel: +00 44 (0)131 4513762
 


Your IP address: 3.235.140.84
 
Home (Search)
API
About JournalTOCs
News (blog, publications)
JournalTOCs on Twitter   JournalTOCs on Facebook

JournalTOCs © 2009-