Computer Security

Cyber-physical systems (CPS) integrate computation and networking resources to control a physical process. The adoption of new communication capabilities comes at the cost of introducing new security threats that need to be handled properly. Threats must be addressed at cyber and physical domains at the same time in order to detect and automatically mitigate the threats. In this paper, we elaborate an approach to attenuate cyber-physical attacks driven by reflective programmable networking actions, in order to take control of adversarial actions against cyber-physical systems. The approach builds upon the concept of programmable reflection and programmable networking. We validate the approach using experimental work.

The Internet of Things (IoT) is playing a key role in consumer and business environments. Due to the sensitivity of the information IoT devices collect and share, and the potential impact a data breach can have in people’s lives, securing communication and access to data in IoT has become a critical feature. Multiple application layer protocols are used nowadays in IoT, with the Constrained Application Protocol (CoAP) and the Message Queue Telemetry Transport (MQTT) being two of the most widely popular. In this paper, we propose a solution to increase the security of both CoAP and MQTT based on the distributed Usage Control (UCON) framework. The inclusion of UCON provides dynamic access control to the data shared using these protocols. This occurs by monitoring mutable attributes related to the local protocol nodes and also by sharing data values between remote nodes via the distributed instances of UCON. We present the architecture and the workflow of our approach together with a real implementation for performance evaluation purposes.

The maritime ecosystem has undergone through changes due to the increasing use of information systems and smart devices. The newly introduced technologies give rise to new attack surface in maritime infrastructures. In this position paper, we propose the MAritime Threat INtelligence FRAMEwork (MAINFRAME), which is tailored towards collection and analysis of threat intelligence in maritime environments. MAINFRAME combines: (i) data collection from ship sensors; (ii) collection of publicly available data from social media; (iii) variety of honeypots emulating different hardware and software component; (iv) event detection assisted by deep learning; (v) blockchain implementation that maintains audit trail for activities and transactions, and electronic IDs; and (vi) visual threat analytics. To highlight the interdependencies between cyber and cyber-physical threats in autonomous ships, MAINFRAME’s operation is evaluated through the liquefied natural gas (LNG) Carrier case study.

Recent innovations in the smart city domain include new autonomous transportation solutions such as buses and cars, while Autonomous Passenger Ships (APS) are being considered for carrying passengers across urban waterways. APS integrate several interconnected systems and services that are required to communicate in a reliable manner to provide safe and secure real-time operations. In this paper, we discuss the APS context, stakeholders, regulations, standards and functions in order to identify communication and cybersecurity requirements towards designing a secure communication architecture suitable for APS.

The goal of this paper is to simulate the effects of different Distributed Denial of Service (DDoS) attack scenarios which might be launched against smart grid Supervisory Control and Data Acquisition systems, i.e. SCADAs. We will analyze attacks which are launched from compromised Remote Terminal Units (RTUs) located in the process environment. We created an ICS testbed and industrial DDoS simulator environment consisting of a single C&C server and a configurable number of bots. We simulated scenarios with different numbers of hacked RTUs trying to overwhelm the SCADA with unwanted messages. We analyzed the effects of DDoS-type attacks against SCADAs with different internal queue architectures used to manage the incoming messages, i.e. no queues, single queue and separate queue for each connected RTU.

Security, safety and human factors engineering techniques are largely disconnected although the concepts are interlinked. We present a tool-supported approach based on the Integrating Requirements and Information Security (IRIS) framework using Computer Aided Integration of Requirements and Information Security (CAIRIS) platform to identify the safety and human factors issues in rail. We illustrate this approach with a case study, which provides a vehicle for increasing the existing collaboration between engineers in security, safety and human factors.

The assessment of the potential impact for an organization from a privacy violation incident is important for three main reasons: the organization will have a justified estimate of the cost (financial, reputation or other) that may be raised, will facilitate the selection of the appropriate technical, procedural and organizational protection mechanisms and also will be compliant with the new General Data Protection Regulation that will be in effect from May 2018. Today, there are several methods to do a Privacy Impact Assessment but none of these quantifies the results according to specific metrics and thus can be significantly affected by various subjective parameters. Furthermore, the specific organizational characteristics (size, activities, number of clients, type of offered services etc.) are very rarely accounted, a fact that also affects the accuracy of the results. In this paper, a privacy impact assessment method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, is presented.

Security constraints that enforce security requirements characterize healthcare systems. These constraints have a substantial impact on the resiliency of the final system. Security requirements modelling approaches allow the prevention of cyber incidents; however, the focus to date has been on prevention rather than resiliency. Resiliency extends into the detection, mitigation and recovery after security violations. In this paper, we propose an enhanced at a conceptual level that attempts to align cybersecurity with resiliency. It does so by extending the Secure Tropos cybersecurity modelling language to include resiliency. The proposed conceptual model examines resiliency from three viewpoints, namely the security requirements, the healthcare context and its implementational capability. We present an overview of our conceptual model of a cyber resiliency language and discuss a case study to attest the healthcare context in our approach.

Individuals today shape a digital identity through which they “introduce” themselves to others in Social Network Sites (SNS). SNS embody features that enable users to customize their digital identity at will and to disclose desirable elements of their personality. The processes by which users shape their digital identity through information disclosure are largely unknown, including the role of privacy concerns. In this paper we identify the data elements that users consider important for shaping their digital identity in SNS and how privacy concerns shape this process.

In order to explore the above, we conducted an online survey research with 759 participants. Our findings reveal the elements that users consider as important for shaping their digital identity. They also demonstrate that users’ privacy concerns do not seem to affect the amount of information users choose to publish when shaping their digital identity. Finally, we show that particular characteristics of social networking platforms affect the way that users shape their digital identity and privacy behavior.

The process of GDPR compliance for cloud computing environments may turn out to be a demanding process in terms of the technical, organizational and procedural measures that should be adopted. This paper identifies the requirements and the appropriate countermeasures for GDPR compliance in cloud environments. Furthermore, it describes the necessary GDPR related roles and separates the requirements and measures in accordance to the cloud architecture (IAAS, PAAS, SAAS).

Elicitative threat modeling approaches such as Microsoft STRIDE and LINDDUN for respectively security and privacy use Data Flow Diagrams (DFDs) to model the system under analysis. Distinguishing between external entities, processes, data stores and data flows, these system models are particularly suited for modeling centralized, traditional multi-tiered system architectures.

This raises the question whether these approaches are also suited for inherently decentralized architectures such as distributed ledgers or blockchains, in which the processing, storage, and control flow is shared among many equal participants.

To answer this question, we perform an in-depth analysis of the compatibility between blockchain security and privacy threat types documented in literature and these threat modeling approaches. Our findings identify areas for future improvement of elicitative threat modeling approaches.

GDPR entered into force in May 2018 for enhancing user data protection. Even though GDPR leads towards a radical change with many advantages for the data subjects it turned out to be a significant challenge. Organizations need to make long and complex changes for the personal data processing activities to become GDPR compliant. Citizens as data subjects are empowered with new rights, which however they need to become aware of and understand. Finally, the role of data protection authorities changes as well as their expectations from organizations. GDPR compliance being a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of the Data govErnance For supportiNg gDpr (DEFeND) EU Project is to deliver such a platform. To succeed, the platform needs to satisfy legal and privacy requirements, be effective in supporting organizations in GDPR compliance, and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, we describe the process, within the DEFeND EU Project, for eliciting and analyzing requirements for such a complex platform, by involving stakeholders from the banking, energy, health and public administration sectors, and using advanced frameworks for privacy requirements and acceptance requirements. The paper also contributes by providing elicited privacy and acceptance requirements concerning a holistic platform for supporting GDPR compliance.

Handling the process of authentication for the hundred million of computer embedded devices in Internet of Things (IoT) is not achievable without considering inherent IoT characteristics like scalability, heterogeneity, dependency and dynamism. In one hand, traditional and emerging access control models cannot handle indeterminate data access scenarios in IoT by applying deterministic access policies. On the other hand, moving towards resilient access control paradigms needs new attitudes and current manual risk analysis methods that rely on vulnerability calculations do not fit in IoT. This holds true as considering vulnerability as the key player in risk assessment is no longer efficient way to tackle with indeterminate access scenarios due to complicated dependency and scalability of IoT environment. Moreover, most of the IoT devices are not patchable so by discovering new vulnerabilities the vulnerable devices need to be replaced. Therefore, IoT needs agile, resilient and automatic authentication process. This work suggests a novel authentication method based on our previous work in which uncertainty was introduced as one of the neglected challenges in IoT. Uncertainty in authentication derived from incomplete information about incident happening upon authenticating an entity. Part of IoT characteristics makes such an uncertainty worse. Therefore, we have proposed an uncertainty-aware authentication model based on Attribute-Based Access Control (ABAC). Our prediction model is able to consider the uncertainty factor of mobile entities as well as fixed ones in authentication. In doing so, we have built our prediction model using boosting classifiers (AdaBoost and Gradient Boosting algorithms) besides voting classifier. We have compared the results with our previous work. Our designated model (AdaBoost) can achieve authentication performance with 86.54% accuracy.

With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.

While the widespread use of mobile services offers a variety of benefits to mobile users, it also raises serious privacy concerns. We report the results of a user study that investigated the factors that influence the decision-making process pertaining to the trade-off between privacy and utility in mobile services. Through two focus groups, 16 individual interviews and a questionnaire survey involving 60 participants, the study identified awareness and knowledge of privacy risks, trust in service providers, desire for mobile services, and belief of cyber privacy as four factors that contribute to the perceived trade-off. The results also suggest that, with appropriate adoption, privacy-preserving tools can positively influence the privacy trade-off. In addition, our findings explore the cultural differences regarding privacy between participants from western countries (with the UK as the main representative) and China. In particular, the results suggest that participants from China are more likely to be comfortable with a government department protecting their individual privacy, while participants from western countries are more likely to wish to see such responsibility reside with some combination of individuals and non-governmental organisations.

With the recent introduction of the EU’s General Data Protection Regulation (GDPR), privacy impact assessments (PIA) have become mandatory in many cases. To support organisations in correctly implementing those, researchers and practitioners have provided reference processes and tooling. Integrating automation features into PIA tools can streamline the implementation of compliant privacy impact assessments in organizations. Based on a general reference architecture and reference process based on guidance by authorities, this contribution offers a systematic analysis of which process steps show the most promise with regard to this, and discusses impediments to this approach and directions for future research.

In the last ten years cloud computing has developed from a buzz word to the new computing paradigm on a global scale. Computing power or storage capacity can be bought and consumed flexibly and on-demand, which opens up new opportunities for cost-saving and data processing. However, it also goes with security concerns as it represents a form of IT outsourcing. We investigate how these concerns manifest as a decisive factor in cloud provider selection by interviews with eight practitioners from German companies. As only a moderate interest is discovered, it is further examined why this is the case. Additionally, we compared the results from a systematic literature survey on cloud security assurance to cloud customers’ verification of their providers’ security measures. This paper provides a qualitative in-depth examination of companies’ attitudes towards security in the cloud. The results of the analysed sample show that security is not necessarily decisive in cloud provider selection. Nevertheless, providers are required to guarantee security and comply. Traditional forms of assurance techniques play a role in assessing cloud providers and verifying their security measures. Moreover, compliance is identified as a strong driver to pursue security and assurance.

Justice facilities such as jails are complex adaptive systems. They are people-driven, whether by the organizational culture of those that operate them, or by inmate culture. The development of organizational culture is organic and based on buy-in at all levels, or the lack thereof. Organizational culture evolves, including in response to attempted interventions from within or without. Physical and electronic security’s relationship to detention operations and detainee supervision involves similar dynamics.

In this paper, we explore jail operations. We model human use of a housing unit and associated support spaces via discrete-event simulation. We simulate this system to understand the capacity and limits on human use of building spaces. We explore how this sociotechnical system responds when stressed. We thereby validate the design within limits that correspond to planned operational capacity. The goal of the research is to design spaces and environments that support improved outcomes via improvements in organizational culture.

We introduce the specifics of jail operations via this model while exploring the full range of applications for this type of simulation in the built environment.

Key management is a basic requirement for any security solution. Lightweight key predistribution schemes (KPS) that establish symmetric secrets are best suited for resource constraint devices of low cost Internet of Things (IoT), sensors of Wireless Sensor Networks (WSN). Although there exist numerous elegant KPS, an appropriate hierarchical proposal is absent. To design such a scheme, we propose a combinatorial tool hierarchical set system/design. As an application of such a tool, we propose a deterministic lightweight hierarchical KPS (HKPS) that achieves the desirable design criteria:

To enhance the resilience of the HKPS, we exploited the hash chain idea. Further, we instantiate the HKPS with a very efficient KPS Sensornet. The studies presented here are theoretical and does not contain any experimental and comparative results.

Recently, due to the increase of outsourcing in integrated circuit (IC) design and manufacturing, the threat of injecting a malicious circuit, called a hardware Trojan, by third party has been increasing. Machine learning has been known to produce a powerful model to detect hardware Trojans. But it is recently reported that such a machine learning based detection is weak against adversarial examples (AEs), which cause misclassification by adding perturbation in input data. Referring to the existing studies on adversarial examples, most of which are discussed in the field of image processing, this paper first proposes a framework generating adversarial examples for hardware-Trojan detection for gate-level netlists utilizing neural networks. The proposed framework replaces hardware Trojan circuits with logically equivalent circuits, and makes it difficult to detect them. Second, we define Trojan-net concealment degree (TCD) as a possibility of misclassification, and modification evaluating value (MEV) as a measure of the amount of modifications. Third, judging from MEV, we pick up adversarial modification patterns to apply to the circuits against hardware-Trojan detection. The experimental results using benchmarks demonstrate that the proposed framework successfully decreases true positive rate (TPR) by at most 30.15 points.

Efforts have been made to improve the security of the Internet of Things (IoT) devices, but there remain some vulnerabilities and misimplementations. This paper describes a new threat to home security devices in which an attacker can disable all functionality of a device, but to the device’s owner, everything still appears to be operational. We targeted home security devices because their security is critical as people may rely on them to protect their homes. In particular, we exploited a feature called “heartbeat”, which is exchanged between the devices and the cloud in order to check that the devices are still connected. Even though network traffic was encrypted, we successfully identified the heartbeats due to their fixed size and periodic nature. Thereafter, we established a man-in-the-middle attack between the device and the cloud and selectively forwarded heartbeats while filtering out other traffic. As a result, the device appears to be still connected (because the heartbeat traffic is being allowed through), while in reality the device’s functionality is disabled (because non-heartbeat traffic is being filtered out). We applied this exploit on a set of six devices, and five were found to be vulnerable. Consequently, an intruder can use this exploit to disable a home security device and break into a house without the awareness of the owner. We carried out a responsible disclosure exercise with the manufacturers of the affected devices, but the response has been limited. This shows that IoT security is still not taken completely seriously and many threats are still undiscovered. Finally, we provide some recommendations on how to detect and prevent the threats posed by insecure IoT devices, which ironically include IoT home security kits.

Internet of Things (IoT) is already playing a significant role in our lives, as more and more industries are adopting IoT for improving existing systems and providing novel applications. However, recent attacks caused by Mirai and Chalubo botnets show that IoT systems are vulnerable and new security mechanisms are required. In this work, we design and implement a prototype of Intrusion Detection System (IDS) for protecting IoT networks and devices from Denial-of-Service (DoS) attacks. Our focus is on detecting attacks that exploit the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which is a widely used protocol for packet routing in low-power IoT networks. Our considered Operating System (OS) is the popular ContikiOS and we use the Cooja simulator to study DoS attacks and test the detection algorithms. In particular, we simulated scenarios that involve both benign and malicious/compromised IoT devices. A compromised device exploits RPL control messages to cause other devices perform heavy computations and disrupt the established network routes. The obtained simulation results help us understand the characteristics of an RPL-based IoT network under its normal operation and devise effective countermeasures against malicious activity. A new threshold-based IDS is proposed and a first prototype is implemented in ContikiOS. The IDS relies on tunable parameters and involves both centralised and distributed components in order to effectively detect malicious RPL messages. Experimental results show high detection rate and low false positives in large networks.

As part of this paper, we conducted a study analyzing five devices, four smart home devices and one router as a smart-home gateway connected with the IoT products. Three out of four of the smart home devices are vulnerable, and the router is partially vulnerable because queries reach localhost despite activated DNS rebinding protection; thus, services on localhost are vulnerable. This indicates that the manufacturers of smart home devices rely on the countermeasures of the routers in the first place, but it might even improve the security of the devices if they already implement their own additional countermeasures.

The appearance of the smart houses, buildings, and cities has defined new attack scenarios targeting industrial information systems. The paper suggests a visualization-driven approach to the analysis of the data from heating, ventilating and conditioning system (HVAC). The key element of the approach is the RadViz visualization that is used to form daily operation patterns and can detect suspicious deviations that could be the signs of fraudulent activity in the system. It is supplemented by a matrix-based representation of the HVAC parameters that is constructed in the way that allows highlighting changes in values of parameters being analyzed. The distinctive feature of the proposed visualization models is the ability to display data from different data sources. To demonstrate and evaluate the efficiency of the proposed approach we used the VAST MiniChallenge-2 2016 data set that contains logs from the HVAC system and the access control system.