Nastaran Shekofte; Siavash Bayat Sarmadi; hatameh Mosanaei Boorani
Abstract
Hardware Trojans have emerged as a major concern for integrated circuits in recent years. As a result, detecting Trojans has become an important issue in critical applications, such as finance and health. The Trojan detection methods are mainly categorized ...
Read More
Hardware Trojans have emerged as a major concern for integrated circuits in recent years. As a result, detecting Trojans has become an important issue in critical applications, such as finance and health. The Trojan detection methods are mainly categorized into functional and side channel based ones. To increase the capability of both mentioned detection methods, one can increase the transition activity of the circuit. This paper proposes a trusted platform for detecting Trojans in FPGA bitstreams. The proposed methodology takes advantage of increased Trojan activation, caused by transition aware partitioning of the circuit. Meanwhile, it benefits partial reconfiguration feature of FPGAs to reduce area overhead. Experimental studies on the mapped version of s38417 ISCAS89 benchmark show that for the transition probability thresholds of 10^{-4} and 2*10^{-5}, our method increases the ratio of the number of transitions (TCTCR) in the Trojan circuit by about 290.93% and 131.48%, respectively, compared to the unpartitioned circuit. Similar experiments on s15850 for the transition probability thresholds of 10^{-4} and 2*10^{-5} show an increase of 290.26% and 203.11% in TCTCR, respectively. Furthermore, this method improves the functional Trojan detection capability due to a significant increase in the ratio of observing wrong results in primary outputs.
M. Soodkhah Mohammadi; A. Ghaemi Bafghi
Abstract
In this paper, a new broadcast encryption scheme is presented based on threshold secret sharing and secure multiparty computation. This scheme is maintained to be dynamic in that a broadcaster can broadcast a message to any of the dynamic groups of users in the system and it is also fair in the sense ...
Read More
In this paper, a new broadcast encryption scheme is presented based on threshold secret sharing and secure multiparty computation. This scheme is maintained to be dynamic in that a broadcaster can broadcast a message to any of the dynamic groups of users in the system and it is also fair in the sense that no cheater is able to gain an unfair advantage over other users. Another important feature of our scheme is collusion resistance. Using secure multiparty computation, a traitor needs k cooperators in order to create a decryption machine. The broadcaster can choose the value of k as he decides to make a trade-off between communication complexity and collusion resistance. Comparison with other Broadcast Encryption schemes indicates enhanced performance and complexity on the part of the proposed scheme (in terms of message encryption and decryption, key storage requirements, and ciphertext size) relative to similar schemes. In addition, the scheme is modeled using applied pi calculus and its security is verified by means of an automated verification tool, i.e., ProVerif.
Omid Torki; Maede Ashouri-Talouki; Mojtaba Mahdavi
Abstract
Steganography is a solution for covert communication and blockchain is a p2p network for data transmission, so the benefits of blockchain can be used in steganography. In this paper, we discuss the advantages of blockchain in steganography, which include the ability to embed hidden data without manual ...
Read More
Steganography is a solution for covert communication and blockchain is a p2p network for data transmission, so the benefits of blockchain can be used in steganography. In this paper, we discuss the advantages of blockchain in steganography, which include the ability to embed hidden data without manual change in the original data, as well as the readiness of the blockchain platform for data transmission and storage. By reviewing the previous four steganography schemes in blockchain, we have examined their drawback and shown that most of them are non-practical schemes for steganography in blockchain. We have proposed two algorithms for steganography in blockchain, the first one is a high-capacity algorithm for the key and the steganography algorithm exchange and switching, and the second one is a medium-capacity algorithm for embedding hidden data. The proposed method is a general method for steganography in each blockchain, and we investigate how it can be implemented in two most popular blockchains, Bitcoin and Ethereum. Experimental result shows the efficiency and practicality of proposed method in terms of execution time, latency and steganography fee. Finally, we have explained the challenges of steganography in blockchain from the steganographers' and steganalyzers' point of view.
H. Farhadi; M. AmirHaeri; M. Khansari
Abstract
Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, ...
Read More
Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, there emerged a recent track of security research, focused on alert correlation, which extracts useful and high-level alerts, and helps to make timely decisions when a security breach occurs.
In this paper, we propose an alert correlation system consisting of two major components; first, we introduce an Attack Scenario Extraction Algorithm (ASEA), which mines the stream of alerts for attack scenarios. The ASEA has a relatively good performance, both in speed and memory consumption. Contrary to previous approaches, the ASEA combines both prior knowledge as well as statistical relationships. Second, we propose a Hidden Markov Model (HMM)-based correlation method of intrusion alerts, fired from different IDS sensors across an enterprise. We use HMM to predict the next attack class of the intruder, also known as plan recognition. This component has two advantages:
Firstly, it does not require any usage or modeling of network topology, system vulnerabilities, and system configurations; Secondly, as we perform high-level prediction, the model is more robust against over-fitting. In contrast, other published plan-recognition methods try to predict exactly the next attacker action. We applied our system to DARPA 2000 intrusion detection scenario dataset. The ASEA experiment shows that it can extract attack strategies efficiently. We evaluated our plan-recognition component both with supervised and unsupervised learning techniques using DARPA 2000 dataset. To the best of our knowledge, this is the first unsupervised method in attack plan recognition.
A. Fanian; M. Berenjkoub; H. Saidi; T. A. Gulliver
Abstract
An essential requirement for providing secure services in wireless sensor networks is the ability to establish pairwise keys among sensors. Due to resource constraints on the sensors, the key establishment scheme should not create significant overhead. To date, several key establishment schemes have ...
Read More
An essential requirement for providing secure services in wireless sensor networks is the ability to establish pairwise keys among sensors. Due to resource constraints on the sensors, the key establishment scheme should not create significant overhead. To date, several key establishment schemes have been proposed. Some of these have appropriate connectivity and resistance against key exposure, but the resources needed in the sensors are substantial. Others are appropriate from the resource consumption perspective, but have weak performance. This paper proposes a key establishment protocol based on symmetric polynomials. To improve performance, the protocol uses a new model to distribute polynomial shares to the sensors. A key feature of the proposed protocol is the trade-off between performance, security and resource consumption. Analysis shows that our solution has good performance compared to other approaches.
I. G. Harris; T. Alrahem; A. Chen; N. DiGiuseppe; J. Gee; Sh. P. Hsiao; S. Mattox; T. Park; S. Selvaraj; A. Tam; M. Carlsson
Abstract
The mechanisms which enable the vast majority of computer attacks are based on design and programming errors in networked applications. The growing use of voice over IP (VOIP) phone technology makes these phone applications potential targets. We present a tool to perform security testing of VOIP applications ...
Read More
The mechanisms which enable the vast majority of computer attacks are based on design and programming errors in networked applications. The growing use of voice over IP (VOIP) phone technology makes these phone applications potential targets. We present a tool to perform security testing of VOIP applications to identify security vulnerabilities which can be exploited by an attacker. Session Initiation Protocol (SIP) is the widespread standard for establishing and ending VOIP communication sessions. Our tool generates an input sequence for a SIP phone which is designed to reveal security vulnerabilities in the SIP phone application. The input sequence includes SIP messages and external graphical user interface (GUI) events which might contribute to triggering vulnerability. The input sequence is generated to perform a random walk through the state space of the protocol. The generation of external GUI events is critical to testing a stateful protocol such as SIP because GUI interaction is required to explore a significant portion of the state space. We have used our security testing tool to identify a previously unknown vulnerability in an existing open source SIP phone.
Ali Zaghian; Bagher Bagherpour
Abstract
A non-interactive (t,n)-publicly veriable secret sharing scheme (non-interactive (t,n)-PVSS scheme) is a (t,n)-secret sharing scheme in which anyone, not only the participants of the scheme, can verify the correctness of the produced shares without interacting with the dealer and participants. The (t,n)-PVSS ...
Read More
A non-interactive (t,n)-publicly veriable secret sharing scheme (non-interactive (t,n)-PVSS scheme) is a (t,n)-secret sharing scheme in which anyone, not only the participants of the scheme, can verify the correctness of the produced shares without interacting with the dealer and participants. The (t,n)-PVSS schemes have found a lot of applications in cryptography because they are suitable for real-life scenarios in which an external verifier is required to check the correctness of the produced shares without interacting with the dealer and participants. In this paper, we propose a non-interactive (t,n)-PVSS scheme using the non-homogeneous linear recursions (NHLRs), and prove its security with a formal method. We compare the computational complexity of our scheme with that of Schoenmakers's scheme and show that our non-interactive (t,n)-PVSS scheme runs faster than Schoenmakers's scheme when n > 5 and n> t >(2n+9)/n. The communicational complexity of our scheme is almost equal to that of Schoenmakers's scheme.
F. Moazami; A.R. Mehrdad; H. Soleimany
Abstract
Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher Deoxys-BC, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 ...
Read More
Deoxys is a final-round candidate of the CAESAR competition. Deoxys is built upon an internal tweakable block cipher Deoxys-BC, where in addition to the plaintext and key, it takes an extra non-secret input called a tweak. This paper presents the first impossible differential cryptanalysis of Deoxys-BC-256 which is used in Deoxys as an internal tweakable block cipher. First, we find a 4.5-round ID characteristic by utilizing a miss-in-the-middle-approach. We then present several cryptanalysis based upon the 4.5 rounds distinguisher against round-reduced Deoxys-BC-256 in both single-key and related-key settings. Our contributions include impossible differential attacks on up to 8-round Deoxys-BC-256 in the single-key model. Our attack reaches 9 rounds in the related-key related-tweak model which has a slightly higher data complexity than the best previous results obtained by a related-key related-tweak rectangle attack presented at FSE 2018, but requires a lower memory complexity with an equal time complexity.
B. Rashidi; R. Rezaeian Farashahi; S. M. Sayedi
Abstract
This paper presents two efficient implementations of fast and pipelined bit-parallel polynomial basis multipliers over GF (2m) by irreducible pentanomials and trinomials. The architecture of the first multiplier is based on a parallel and independent computation of powers of the polynomial variable. ...
Read More
This paper presents two efficient implementations of fast and pipelined bit-parallel polynomial basis multipliers over GF (2m) by irreducible pentanomials and trinomials. The architecture of the first multiplier is based on a parallel and independent computation of powers of the polynomial variable. In the second structure only even powers of the polynomial variable are used. The parallel computation provides regular and low-cost structure with low critical path delay. In addition, the pipelining technique is applied to the proposed structures to shorten the critical path and to perform the computation in two clock cycles. The implementations of the proposed methods over the binary extension fields GF (2163) and GF (2233) have been successfully verified and synthesized using Xilinx ISE 11 by Virtex-4, XC4VLX200 FPGA.
S. Sajjadi Ghaemmaghami; A. Haghbin; M. Mirmohseni
Abstract
Radio Frequency Identification (RFID) applications have spread all over the world. In order to provide their security and privacy, researchers proposed different kinds of protocols. In this paper, we analyze the privacy of a new protocol, proposed by Yu-Jehn in 2015 which is based on Electronic Product ...
Read More
Radio Frequency Identification (RFID) applications have spread all over the world. In order to provide their security and privacy, researchers proposed different kinds of protocols. In this paper, we analyze the privacy of a new protocol, proposed by Yu-Jehn in 2015 which is based on Electronic Product Code Class1 Generation 2 (EPC C1 G2) standard. By applying the Ouafi_Phan privacy model, we show that the Yu-Jehn protocol is vulnerable to secret parameter reveal attack, traceability attacks, forward traceability attack and it also does not provide the privacy of RFID users. To enhance the privacy of the analyzed protocol, an improved version of the protocol is proposed which eliminates the existing weaknesses of Yu-Jehn protocol.
V. Amin Ghafari; A. Vardasbi; J. Mohajeri
Abstract
The A5/1 algorithm is one of the most famous stream cipher algorithms used for over-the-air communication privacy in GSM. The purpose of this paper is to analyze several weaknesses of A5/1, including an improvement to an attack and investigation of the A5/1 state transition. Biham and Dunkelman proposed ...
Read More
The A5/1 algorithm is one of the most famous stream cipher algorithms used for over-the-air communication privacy in GSM. The purpose of this paper is to analyze several weaknesses of A5/1, including an improvement to an attack and investigation of the A5/1 state transition. Biham and Dunkelman proposed an attack on A5/1 with a time and data complexity of 239.91and 221.1, respectively. In this paper, we propose a method for identification and elimination of useless states from the pre-computed tables and a new approach to access the table in the online phase of the attack which reduces the time complexity to 237.89 and the required memory in half. Furthermore, we discuss another weakness of A5/1 by investigating its internal state transition and its key stream sequence period. Consequently, the internal states are divided into two classes, initially periodic and ultimately periodic. The presented model is verified using a variety of simulations which are consistent with the theoretical results.
B. Mafakheri; T. Eghlidos; H. Pilaram
Abstract
In this paper, we propose a new framework for joint encryption encoding scheme based on polar codes, namely efficient and secure joint secret key encryption channel coding scheme. The issue of using new coding structure, i.e. polar codes in Rao-Nam (RN) like schemes is addressed. Cryptanalysis methods ...
Read More
In this paper, we propose a new framework for joint encryption encoding scheme based on polar codes, namely efficient and secure joint secret key encryption channel coding scheme. The issue of using new coding structure, i.e. polar codes in Rao-Nam (RN) like schemes is addressed. Cryptanalysis methods show that the proposed scheme has an acceptable level of security with a relatively smaller key size in comparison with the previous works. The results indicate that the scheme provides an efficient error performance and benefits from a higher code rate which can approach the channel capacity for large enough polar codes. The most important property of the proposed scheme is that if we increase the block length of the code, we can have a higher code rate and higher level of security without significant changes in the key size of the scheme. The resulting characteristics of the proposed scheme make it suitable for high-speed communications, such as deep space communication systems.
Majid Bayat; Zahra Zare Jousheghani; Ashok Kumar Das; Pitam Singh; Saru Kumari; Mohammad Reza Aref
Abstract
Smart grid concept is introduced to modify the power grid by utilizing new information and communication technology. Smart grid needs live power consumption monitoring to provide required services and for this issue, bi-directional communication is essential. Security and privacy are the most important ...
Read More
Smart grid concept is introduced to modify the power grid by utilizing new information and communication technology. Smart grid needs live power consumption monitoring to provide required services and for this issue, bi-directional communication is essential. Security and privacy are the most important requirements that should be provided in the communication. Because of the complex design of smart grid systems, and utilizing different new technologies, there are many opportunities for adversaries to attack the smart grid system that can result fatal problems for the customers. A privacy preserving authentication scheme is a critical element for secure development of smart grid. Recently, Mahmood et al. [1] proposed a lightweight message authentication scheme for smart grid communications and claimed that it satisfies the security requirements. Unfortunately, we found that Mahmood et al.'s scheme has some security vulnerabilities and it has not adequate security features to be utilized in smart grid. To address these drawbacks, we propose an efficient and secure lightweight privacy-preserving authentication scheme for a smart grid. Security of our scheme are evaluated, and the formal security analysis and verification are introduced via the broadly-accepted Burrows-Abadi-Needham (BAN) logic and Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Finally, the security and efficiency comparisons are provided, which indicate the security and efficiency of the proposed scheme as compared to other existing related schemes.
Mohammad Ali Hadavi; Arash Bagherdaei; Simin Ghasemi
Volume 13, Issue 2 , July 2021, , Pages 117-129
Abstract
< p>Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among top-ranked vulnerabilities, which violates access control policies and cannot be yet detected by automated vulnerability scanners. While such ...
Read More
< p>Automatic detection of access control violations in software applications is a challenging problem. Insecure Direct Object Reference (IDOR) is among top-ranked vulnerabilities, which violates access control policies and cannot be yet detected by automated vulnerability scanners. While such tools may detect the absence of access control by static or dynamic testing, they cannot verify if it is properly functioning when it is present. When a tool detects requesting access to an object, it is not aware of access control policies to infer whether the request is permitted. This completely depends on the access control logic and there is no automatic way to fully and precisely capture it from software behavior. Taking this challenge into consideration, this article proposes a black-box method to detect IDOR vulnerabilities in web applications without knowing access control logic. To this purpose, we first, gather information from the web application by a semi-automatic crawling process. Then, we tricksily manipulate legal requests to create effective attacks on the web application. Finally, we analyze received responses to check whether the requests are vulnerable to IDOR. The detection process in the analysis phase is supported by our set theory based formal modeling of such vulnerabilities. The proposed method has been implemented as an IDOR detection tool (IDOT) and evaluated on a couple of vulnerable web applications. Evaluation results show that the method can effectively detect IDOR vulnerabilities provided that enough information is gathered in the crawling phase.
J. Alizadeh; M. R. Aref; N. Bagheri
Abstract
Authenticated encryption schemes establish both privacy and authenticity. This paper specifies a family of the dedicated authenticated encryption schemes, Artemia. It is an online nonce-based authenticated encryption scheme which supports the associated data. Artemia uses the permutation based mode, ...
Read More
Authenticated encryption schemes establish both privacy and authenticity. This paper specifies a family of the dedicated authenticated encryption schemes, Artemia. It is an online nonce-based authenticated encryption scheme which supports the associated data. Artemia uses the permutation based mode, JHAE, that is provably secure in the ideal permutation model. The scheme does not require the inverse of the permutation in the decryption function, which causes the resource efficiency. Artemia permutations have an efficient and a simple structure and are provably secure against the differential and linear cryptanalysis. In the permutations, MDS recursive layers are used that can be easily implemented in both software and hardware.
M. Amoozgar; R. Ramezanian
Abstract
The spread of rumors, which are known as unverified statements of uncertain origin, may threaten the society and it's controlling, is important for national security councils of countries. If it would be possible to identify factors affecting spreading a rumor (such as agents’ desires, trust network, ...
Read More
The spread of rumors, which are known as unverified statements of uncertain origin, may threaten the society and it's controlling, is important for national security councils of countries. If it would be possible to identify factors affecting spreading a rumor (such as agents’ desires, trust network, etc.) then, this could be used to slow down or stop its spreading. Therefore, a computational model that includes rumor features, and the way rumor is spread among society’s members, based on their desires, is needed. Our research is focused on the relation between the homogeneity of the society and rumor convergence in it. Our result shows that the homogeneity of the society is a necessary condition for convergence of the spread rumor.
Faeze Rasouli; Mohammad Taheri
Abstract
Fragile watermarking is a technique of authenticating the originality of the media (e.g., image). Although the watermark is destroyed with any small modification (tamper), it may be used to recover the original image. There is no method yet, based on our knowledge, to guarantee the perfect recovery of ...
Read More
Fragile watermarking is a technique of authenticating the originality of the media (e.g., image). Although the watermark is destroyed with any small modification (tamper), it may be used to recover the original image. There is no method yet, based on our knowledge, to guarantee the perfect recovery of small tampers. Although data-bits are embedded in Least Significant Bits of some other pixel(s), a tamper may destroy both data and authentication sets which makes recovery impossible. In this paper, a novel fragile watermarking scheme is proposed for both tamper detection and tampered image recovery. Here, all bits are reorganized in virtual pixels distributed in the image called as Distributed Pixels (DP). Distance of each pair of bits in a DP is sufficiently large. This is why; tampers smaller than a threshold, cannot destroy more than one bit of a DP. Hamming code guarantees that changing at most one bit can be perfectly detected and recovered. Then, Hamming (7,4) is extended to (8,5) to support embedding in eight-bits pixels. According to the experimental results, the proposed method could perfectly detect and recover the tampered parts not greater than a quarter of image in diameter. It also achieved acceptable performance in other conditions, compared to state-of-the-art methods.
Ali Ahmadian Ramaki; Abbas Ghaemi-Bafghi; Abbas Rasoolzadegan
Abstract
Nowadays, targeted attacks like Advanced Persistent Threats (APTs) has become one of the major concern of many enterprise networks. As a common approach to counter these attacks, security staff deploy a variety of heterogeneous security and non-security sensors at different lines of defense (Network, ...
Read More
Nowadays, targeted attacks like Advanced Persistent Threats (APTs) has become one of the major concern of many enterprise networks. As a common approach to counter these attacks, security staff deploy a variety of heterogeneous security and non-security sensors at different lines of defense (Network, Host, and Application) to track the attacker's behaviors during their kill chain. However, one of the drawbacks of this approach is the huge amount of events raised by heterogeneous sensors which makes it difficult to analyze logged events for later processing i.e. event correlation for timely detection of APT attacks. The main focus of the existing works is only on the degree to which the event volume is reduced, while the amount of security information lost during the event aggregation process is also very important. In this paper, we propose a three-phase event aggregation method to reduce the volume of heterogeneous events during APT attacks considering the lowest rate of loss of security information. To this aim, at first, low-level events of the sensors are clustered into some similar event groups and then, after filtering noisy event clusters, the remained clusters are summarized based on an Attribute-Oriented Induction (AOI) method in a controllable manner to reduce the unimportant or duplicated events. The method has been evaluated on the three publicly available datasets: SotM34, Bryant, and LANL. The experimental results show that the method is efficient enough in event aggregation and can reduce events volume up to 99.7 with an acceptable level of information loss ratio (ILR).
Soran Ibrahim; Qing Tan
Abstract
In the recent years, social networks (SN) are now employed for communication and networking, socializing, marketing, as well as one’s daily life. Billions of people in the world are connected though various SN platforms and applications, which results in generating massive amount ...
Read More
In the recent years, social networks (SN) are now employed for communication and networking, socializing, marketing, as well as one’s daily life. Billions of people in the world are connected though various SN platforms and applications, which results in generating massive amount of data online. This includes personal data or Personally Identifiable Information (PII). While more and more data are collected about users by different organizations and companies, privacy concerns on the SNs have become more and more prominent. In this paper, we present a study on information privacy in SNs through exploring the general laws and regulations on collecting, using and disclosure of information from Canadian perspectives based on the Personal Information Protection and Electronic Document Act (PIPEDA). The main focus of this paper is to present results from a survey and the findings of the survey.
F. Barani; M. Abadi
Abstract
Mobile ad hoc networks (MANETs) are multi-hop wireless networks of mobile nodes constructed dynamically without the use of any fixed network infrastructure. Due to inherent characteristics of these networks, malicious nodes can easily disrupt the routing process. A traditional approach to detect such ...
Read More
Mobile ad hoc networks (MANETs) are multi-hop wireless networks of mobile nodes constructed dynamically without the use of any fixed network infrastructure. Due to inherent characteristics of these networks, malicious nodes can easily disrupt the routing process. A traditional approach to detect such malicious network activities is to build a profile of the normal network traffic, and then identify an activity as suspicious if it deviates from this profile. As the topology of a MANET constantly changes over time, the simple use of a static profile is not efficient. In this paper, we present a dynamic hybrid approach based on the artificial bee colony (ABC) and negative selection (NS) algorithms, called BeeID, for intrusion detection in AODV-based MANETs. The approach consists of three phases: training, detection, and updating. In the training phase, a niching artificial bee colony algorithm, called NicheNABC, runs a negative selection algorithm multiple times to generate a set of mature negative detectors to cover the nonself space. In the detection phase, mature negative detectors are used to discriminate between normal and malicious network activities. In the updating phase, the set of mature negative detectors is updated by one of two methods of partial updating or total updating. We use the Monte Carlo integration to estimate the amount of the nonself space covered by negative detectors and to determine when the total updating should be done. We demonstrate the effectiveness of BeeID for detecting several types of routing attacks on AODV-based MANETs simulated using the NS2 simulator. The experimental results show that BeeID can achieve a better tradeoff between detection rate and false-alarm rate as compared to other dynamic approaches previously reported in the literature.
H. T. Poon; A. Miri
Abstract
The Fuzzy Vault scheme is an encryption scheme, which can tolerate errors in the keys. This leads to the possibility of enhancing the security in environments where these errors can be common, such as biometrics storage systems. Although several researchers have provided implementations, we find that ...
Read More
The Fuzzy Vault scheme is an encryption scheme, which can tolerate errors in the keys. This leads to the possibility of enhancing the security in environments where these errors can be common, such as biometrics storage systems. Although several researchers have provided implementations, we find that the scheme is vulnerable to attacks when not properly used. This paper describes an attack on the Fuzzy Vault scheme where the attacker is assumed to have access to multiple vaults locked by the same key and where a non-maximal vault size is used. The attack effectively reduces the vault size by identifying and removing cha_ points. As the vault size decreases, the rate at which cha_ points are identified increases exponentially. Several possible defenses against the attack are also discussed.
M. Amini; M. Arasteh
Abstract
A Virtual Organization (VO) consists of some real organizations with common interests, which aims to provide inter organizational associations to reach some common goals by sharing their resources with each other. Providing security mechanisms, and especially a suitable access control mechanism, which ...
Read More
A Virtual Organization (VO) consists of some real organizations with common interests, which aims to provide inter organizational associations to reach some common goals by sharing their resources with each other. Providing security mechanisms, and especially a suitable access control mechanism, which enforces the defined security policy is a necessary requirement in VOs. Since VO is a complex environment with the huge number of users and resources, traditional access control models cannot satisfy VOs security requirements. Most of the current proposals are basically based on the attributes of users and resources. In this paper, we suggest using a combination of the semantic based access control (SBAC) model, and the attribute based access control (ABAC) model with the shared ontology of subjects' attributes in VOs. In this model, each participating organization makes its access control decisions according to an enhanced model of the ABAC model. However, access decision in the VO is made in more abstract level through an enhanced model of the SBAC model. Using the ontology of users and resources in this model facilitates access control in large scale VOs with numerous organizations. By the combination of SBAC and ABAC, we attain their benefits and eliminate their shortcomings. In order to show the applicability of the proposed model, an access control system, based on the proposed model, has been implemented in Java using available APIs, including Sun's XACML API, Jena, Pellet, and Protégé.
A. R. Ahadipour; A. R. Keshavarz-Haddad
Abstract
Communication security of wireless sensor networks is achieved using cryptographic keys assigned to the nodes. Due to resource constraints in such networks, random key pre-distribution schemes are of high interest. Although in most of these schemes no location information is considered, there are scenarios ...
Read More
Communication security of wireless sensor networks is achieved using cryptographic keys assigned to the nodes. Due to resource constraints in such networks, random key pre-distribution schemes are of high interest. Although in most of these schemes no location information is considered, there are scenarios that location information can be obtained by nodes after their deployment. In this paper, we propose a novel probabilistic key pre-distribution scheme, for large-scale wireless sensor networks which utilizes location information in order to improve the performance of random key pre-distribution substantially. In order to apply the location information of the nodes in key distribution process, we partition the network into some regions and use graph coloring techniques to efficiently assign the random keys. The proposed scheme has a superior scalability by supporting larger number of nodes and also increasing the probability of existence of a shared exclusive key among the nearby nodes, i.e., the probability of having an isolated node is significantly reduced in comparison with the existing random key pre-distribution schemes. Our simulation results verify these terms.
A. fanian; E. Mahdavi; H. Hassannejad
Abstract
Traffic classification plays an important role in many aspects of network management such as identifying type of the transferred data, detection of malware applications, applying policies to restrict network accesses and so on. Basic methods in this field were using some obvious traffic features like ...
Read More
Traffic classification plays an important role in many aspects of network management such as identifying type of the transferred data, detection of malware applications, applying policies to restrict network accesses and so on. Basic methods in this field were using some obvious traffic features like port number and protocol type to classify the traffic type. However, recent changes in applications make these features imperfect for such tasks. As a remedy, network traffic classification using machine learning techniques is now evolving. In this article, a new semi-supervised learning is proposed which utilizes clustering algorithms and label propagation techniques. The clustering part is based on graph theory and minimum spanning tree (MST) algorithm. In the next level, some pivot data instances are selected for the expert to vote for their classes, and the identified class labels will be used for similar data instances with no labels. In the last part, the decision tree algorithm is used to construct the classification model. The results show that the proposed method has a precise and accurate performance in classification of encrypted traffic for the network applications. It also provides desirable results for plain un-encrypted traffic classification, especially for unbalanced streams of data.
M. Saniee Abadeh; J. Habibi
Abstract
A hybrid approach for intrusion detection in computer networks is presented in this paper. The proposed approach combines an evolutionary-based fuzzy system with an Ant Colony Optimization procedure to generate high-quality fuzzy-classification rules. We applied our hybrid learning approach to network ...
Read More
A hybrid approach for intrusion detection in computer networks is presented in this paper. The proposed approach combines an evolutionary-based fuzzy system with an Ant Colony Optimization procedure to generate high-quality fuzzy-classification rules. We applied our hybrid learning approach to network security and validated it using the DARPA KDD-Cup99 benchmark data set. The results indicate that in comparison to several traditional and new techniques, the proposed hybrid approach achieves better classification accuracies. The compared classification approaches are C4.5, Naïve Bayes, k-NN, SVM, Ripper, PNrule and MOGF-IDS. Moreover the improvement on classification accuracy has been obtained for most of the classes of the intrusion detection classification problem. In addition, the results indicate that the proposed hybrid system's total classification accuracy is 94.33% and its classification cost is 0.1675. Therefore, the resultant fuzzy classification rules can be used to produce a reliable intrusion detection system.