2021 | Book

Security and Privacy in New Computing Environments

Third EAI International Conference, SPNCE 2020, Lyngby, Denmark, August 6-7, 2020, Proceedings

About this book

This book constitutes the refereed proceedings of the Third International Conference on Security and Privacy in New Computing Environments, SPNCE 2020, held in August 2020. Due to the COVID-19 pandemic, the conference was held virtually.

The 31 full papers were selected from 63 submissions and are grouped into topics on network security; system security; machine learning; authentication and access control; cloud security; cryptography; applied cryptography.

Table of Contents

Frontmatter

Network Security

Frontmatter
A Characterisation of Smart Grid DoS Attacks

Traditional power grids are evolving to keep pace with the demands of the modern age. Smart grids contain integrated IT systems for better management and efficiency, but in doing so, also inherit a plethora of cyber-security threats and vulnerabilities. Denial-of-Service (DoS) is one such threat. At the same time, the smart grid has particular characteristics (e.g. minimal delay tolerance), which can influence the nature of threats and so require special consideration. In this paper, we identify a set of possible smart grid-specific DoS scenarios based on current research, and analyse them in the context of the grid components they target. Based on this, we propose a novel target-based classification scheme and further characterise each scenario by qualitatively exploring it in the context of the underlying grid infrastructure. This culminates in a smart grid-centric analysis of the threat to reveal the nature of DoS in this environment.

Dilara Acarali, Muttukrishnan Rajarajan, Doron Chema, Mark Ginzburg
Security and Privacy in 5G Applications: Challenges and Solutions

5G is a new generation mobile network that enables innovation and supports progressive change across all vertical industries and across our society. 5G usage scenarios face new security risks due to the technology used and the characteristics of the specific application scenario. The security risks have become a key factor affecting the development of 5G convergence services. First we summarize the technical characteristics and typical usage scenarios of 5G. Then, we analyze the security and privacy risks faced by 5G applications, and give the system reference architecture and overall security and privacy solutions for 5G applications. Based on the three major applications scenarios of eMBB, uRLLC, and mMTC, we also provide specific suggestions for coping with security and privacy risks.

Qin Qiu, Sijia Xu, Shengquan Yu
Alarm Elements Based Adaptive Network Security Situation Prediction Model

To improve network security situation prediction accuracy, an adaptive network security situation prediction model based on alarm elements was proposed. Firstly, we used the entropy correlation method to generate the network security situation time series according to Alarm Frequency (AF), Alarm Criticality (AC) and Alarm Severity (AS). Then, the initial situation predicted value is calculated through sliding adaptive cubic exponential smoothing. Finally, based on the error state, we built the time-varying weighted Markov chain to predict the error value and modify the initial predicted value. The experimental results show that the network security situation prediction results of this model have a better fit with the real results than other models.

Hongyu Yang, Le Zhang, Xugao Zhang, Guangquan Xu, Jiyong Zhang
Watermark Based Tor Cross-Domain Tracking System for Tor Network Traceback

Anonymous network is widely used to access the Internet, causing varieties of cyber security incidents because of its anonymity, which increasingly affects the security of cyberspace. How to detect anonymous network flow to position the anonymous users is becoming a research hotspot. However, with rapid development of the encryption and network technology, it is a nontrivial task to detect and position the anonymous user in such a complex network environment. In this paper, we design a prototype system called Watermark based Tor Cross-domain Tracking System that effectively detects and determines the sender and the receiver on the real Tor network to testify its function. Moreover, instead of conventional passive network flow analysis, this paper learns from active network flow analysis to design three digital watermark models to implement the embedding, extracting and matching of watermark information, and meanwhile it will not affect the network flow’s content and transmission. Experimental results on the real data sets show that when embedding the three watermark models on the sender, watermark based Tor cross-domain tracking system indeed yields the positioning function.

Jianwei Ding, Zhouguo Chen

System Security

Frontmatter
Research on IoT Security Technology and Standardization in the 5G Era

With the development of 5G technology, Internet of Things (IoT) is highly developing and deeply integrated with social life and industry productions, which brings about many security issues. In this paper, we first analyze the security risks for IoT in the 5G era, then summarize related security policies and standards. Furthermore, we propose security requirements and measures in aspects of sensor control equipment and IoT card, IoT network and transmission exchange, IoT business application and service, and IoT security management and operation. Finally, we put forward suggestions for promoting IoT security technology and the standardization work in the 5G era.

Qin Qiu, Xuetao Du, Shengquan Yu, Chenyu Wang, Shenglan Liu, Bei Zhao, Ling Chang
MIMEC Based Information System Security Situation Assessment Model

The accuracy of existing information system security situation assessment methods is affected by expert evaluation preferences. This paper proposes an Information System Security Situation Assessment Model (ISSSAM), which is based on the Modified Interval Matrix-Entropy Weight based Cloud (MIMEC). Based on the system security situation assessment index system, the interval number judgment matrix reflecting the relative importance of different indicators is modified to improve the objectivity of the indicator layer weight vector. Then, the entropy weight based cloud is used to quantify the criterion layer and the target layer security situation index, and the security level of the system is graded. The feasibility and effectiveness of this model are verified by the security situation assessment of the Departure Control System (DCS). Through the comparison and analysis of the evaluation results based on entropy weight coefficient method and traditional AHP method, it is shown that the model we proposed has good stability and reliability.

Lixia Xie, Liping Yan, Xugao Zhang, Hongyu Yang, Guangquan Xu, Jiyong Zhang
IoTFC: A Secure and Privacy Preserving Architecture for Smart Buildings

In the pursuit of cities to be more efficient and responsive, various kinds of Internet of Things (IoT) devices, such as actuators and sensors, are used. This paper focuses on one specific IoT application - the smart building, and investigates the security and privacy issues in an integrated IoT-fog-cloud (IoTFC) smart building architecture. We consider the surveillance, maintenance, environment, and concierge use cases for smart building, in terms of their characteristics, compatible communication technology, and security and privacy requirements. IoTFC provides a comprehensive solution to the security and privacy challenges of authentication, access control, anomaly detection, data privacy and location privacy. To the best of our knowledge, IoTFC is a novel architecture, as it combines a complete set of light-weight security and privacy solutions suitable for smart buildings.

Amna Qureshi, M. Shahwaiz Afaqui, Julián Salas
A Secure Experimentation Sandbox for the Design and Execution of Trusted and Secure Analytics in the Aviation Domain

The undergoing digital transformation of the aviation industry is driven by the rise of cyber-physical systems and sensors and their massive deployment in airplanes, the proliferation of autonomous drones and next-level interfaces in the airports, connected aircrafts-airports-aviation ecosystems and is acknowledged as one of the most significant step-function changes in the aviation history. The aviation industry as well as the industries that benefit and are highly dependent or linked to it (e.g. tourism, health, security, transport, public administration) are ripe for innovation in the form of Big Data analytics. Leveraging Big Data requires the effective and efficient analysis of huge amounts of unstructured data that are harnessed and processed towards revealing trends, unseen patterns, hidden correlations, and new information, and towards immediately extracting knowledgeable information that can enable prediction and decision making. Conceptually, the big data lifecycle can be divided into three main phases: i) the data acquisition, ii) the data storage and iii) the data analytics. For each phase, the number of available big data technologies and tools that exploit these technologies is constantly growing, while at the same time the existing tools are rapidly evolving and empowered with new features. However, the Big Data era comes with new challenges and one of the crucial challenges faced nowadays is how to effectively handle information security while managing massive and rapidly evolving data from heterogeneous data sources. While multiple technologies and techniques have emerged, there is a need to find a balance between multiple security requirements, privacy obligations, system performance and rapid dynamic analysis on diverse large data sets. The current paper aims to introduce the ICARUS Secure Experimentation Sandbox of the ICARUS platform. 
The ICARUS platform aims to provide a big data-enabled platform that aspires to become a “one-stop shop” for aviation data and intelligence marketplace that provides a trusted and secure “sandboxed” analytics workspace, allowing the exploration, curation, integration and deep analysis of original, synthesized and derivative data characterized by different velocity, variety and volume in a trusted and fair manner. Towards this end, a Secure Experimentation Sandbox has been designed and integrated in the holistic ICARUS platform offering, that enables the provisioning of a sophisticated environment that can completely guarantee the safety and confidentiality of data, allowing any interested party to utilize the platform to conduct analytical experiments in closed-lab conditions.

Dimitrios Miltiadou, Stamatis Pitsios, Dimitrios Spyropoulos, Dimitrios Alexandrou, Fenareti Lampathaki, Domenico Messina, Konstantinos Perakis

Machine Learning

Frontmatter
Research on a Hybrid EMD-SVR Model for Time Series Prediction

Time series prediction methods were widely used in various fields. The prediction method for non-stationary and nonlinear time series was studied in this paper. This method decomposed non-stationary time series into stationary sub-sequences using the Empirical Mode Decomposition method. And then an appropriate time-step was chosen and the Support Vector Regression algorithm was applied to predict each stationary sub-sequence. The sum of predicted values was the forecasting results of the original sequence. The method was applied to building energy consumption datasets, which were collected in some buildings. The experimental results showed that the hybrid algorithm of Support Vector Regression and Empirical Mode Decomposition had higher accuracy and was suitable for predicting non-linear and non-stationary time series. Moreover, this hybrid algorithm was used to predict the time series with outliers and to test its noise-resistant performance. The forecasting results also illustrated EMD-SVR algorithm was more robust than SVR algorithm.

Qiangqiang Yang, Dandan Liu, Yong Fang, Dandan Yang, Yi Zhou, Ziheng Sheng
Distant Supervision for Relations Extraction via Deep Residual Learning and Multi-instance Attention in Cybersecurity

A large number of open source threat intelligence resources provide regularly updated threat sources that can be applied to a variety of security analysis solutions. Fragmented security news, security forums, and vulnerability information are important sources of cyber threat intelligence, but it is difficult to correlate these multiple-source data. Cybersecurity knowledge graph is a powerful tool for data-driven threat intelligence computing. Relation extraction is a very important task in construction of cybersecurity knowledge graph from unstructured data. In order to reduce the influence of noisy data in deep learning model, we propose a distant supervised relation extraction model ResPCNN-ATT based on deep residual convolutional neural network and attention mechanism. This method takes word vector and position vector of the word as input of the model, extracts semantic features of texts through the piecewise convolutional neural network model PCNN, achieves the learning effect of less noisy data and better extracts deep semantic features in sentences by using deep residuals. Compared with other models, the model proposed in this paper achieves higher accuracy.

Guowei Shen, Ya Qin, Wanling Wang, Miao Yu, Chun Guo
User Identity Linkage Across Social Networks Based on Neural Tensor Network

User Identity Linkage (UIL) across social networks refers to the recognition of the accounts belonging to the same individual among multiple social network platforms. The most existing methods usually apply network embedding to map the network structure space to the low-dimensional vector space and then use linear models or standard neural network layers to measure the correlations between users across social networks. However, they can hardly model the complicated interactions between users. In this paper, we propose a novel Neural Tensor Network-based model for UIL, called NUIL. Firstly, we use the Random Walks and Skip-gram model to learn the vector representations of users. Then, we apply the Neural Tensor Network, which has a stronger ability to express the interactions between entities, to mine relationships between users from a higher dimension. A series of experiments conducted on a real-world dataset show that NUIL outperforms the state-of-the-art network structure-based methods in terms of precision, recall, and F1-measure, specifically the F1-measure exceeds 0.66, with an increase of more than 20%.

Xiaoyu Guo, Yan Liu, Xianmin Meng, Lian Liu
An Efficient and Privacy-Preserving Physiological Case Classification Scheme for E-healthcare System

In this work, an efficient and privacy-preserving physiological case classification scheme for e-healthcare system (EPPC) is proposed. Specifically, a homomorphic cryptosystem combined with a support vector machine (SVM) algorithm is applied to efficiently classify the physiological cases without compromising patients’ privacy. In terms of the EPPC, it has the capability of diagnosing the patient’s symptom in a timely manner. In addition, a signature authentication technology applied in EPPC can efficiently prevent data from being forged or modified. Security analysis result shows that the proposed EPPC scheme has the following advantages: protect the privacy of patients; ensure that the classification parameters of SVM are secured. Compared with the existing works, the proposed EPPC scheme shows significant advantages in terms of computational costs and communication overheads.

Gang Shen, Yumin Gui, Mingwu Zhang, Yu Chen, Hanjun Gao, Yixin Su
A Multi-class Detection System for Android Malicious Apps Based on Color Image Features

The visual recognition of Android malicious applications (Apps) is mainly focused on the binary classification using gray-scale images, while the multi-classification of malicious App families is rarely studied. If we can visualize the Android malicious Apps as color images, we will get more features than using gray-scale images. In this paper, a method of color visualization for Android Apps is proposed and implemented. Based on this, combined with deep learning models, a multi-classifier for the Android malicious App families is implemented, which can classify 131 common malicious App families. Compared with the App classifier based on the gray-scale visualization method, it is verified that the classifier using the color visualization method can achieve better classification results. This paper uses three classes of Android App APK features: classes.dex file, class name collection and API call sequence as input for App visualization, and analyzes the classifier detection accuracy and detection time under each input characteristics. According to the experimental results, we found that using the API call sequence as the color visualization input feature can achieve the highest detection accuracy rate, which is 96.01% in the ten malicious family classification and 100% in the binary classification.

Hua Zhang, Jiawei Qin, Boan Zhang, Hanbing Yan, Jing Guo, Fei Gao

Authentication and Access Control

Frontmatter
PUF-Based Two-Factor Group Authentication in Smart Home

Various IoT-based applications such as smart home, intelligent medical and VANETs, have been put into practical utilization. Smart home is one of the most concerned environments, which allows users to remotely access and control smart devices via a public network. With development of the mobile network and smart devices, more services can be provided to users by smart devices. To securely access devices and obtain collected data over the public network, multi-factor authentication schemes for smart home have obtained wide attention. However, most of these schemes cannot withstand impersonation attack, physical device lost attack, privileged-insider attack, smart card lost attack and so on. Besides, high communication and computational costs weaken the system performance, so most authentication schemes are not suitable for resource-constrained smart devices. To mitigate the aforementioned drawbacks, we proposed a two-factor anonymous group authentication scheme to implement secure access to multiple devices simultaneously using Chinese remainder theorem and secret sharing technology. Our scheme also utilizes fuzzy extractor to extract personal biometric information, which helps uniquely validate authorized users in smart home. Our scheme can support various security features and withstand the most well-known attacks in smart home. Performance analysis indicates that the proposed scheme can efficiently reduce communication/computational costs when the user accesses multiple devices simultaneously.

Sai Ji, Rongxin Qi, Jian Shen
An Authentication Framework in ICN-Enabled Industrial Cyber-Physical Systems

Industrial Cyber-Physical Systems (ICPS), as a new industrial revolution, are to provide advanced intellectual foundation for next generation industrial systems. However, such systems present substantial security challenges for the host-centric communication with the growing trend of sensor data streams. Information Centric Networking (ICN) architecture suggests features exploitable in ICPS applications, reducing delivery latency and promoting quality of services that applies broadly across Industrial Internet. Solutions for secure communication are emerging; however, few of them have thoroughly addressed concerns related to securing access due to the dependence on an online provider server. In this work, we propose a concrete authentication framework for ICN ICPS based on proxy signature, which guarantees authentic sensor data access only to legitimate users and does not require interaction between users. This framework would help lower the level of the complexity of the entire system and reduce the cost of authentication by leveraging edge cache. We prove the security of the proposed authentication scheme and present performance analysis to show its efficiency.

Yanrong Lu, Mengshi Zhang, Xi Zheng
Access Control for Wireless Body Area Networks

Wireless body area network (WBAN) is a network providing healthcare, which is becoming more and more popular. However, the crucial issues of security and privacy in WBAN should still be considered. In this paper, we propose a secure access control scheme for WBAN, which is based on ciphertext policy attribute-based encryption (CP-ABE). Specifically, if the physician has attributes that satisfy the access structure set by the patient, he/she can decrypt the patient’s physiological data. A secure two-party protocol is adopted to protect data from internal attacks. In addition, our scheme can implement the strategy that physicians at different levels can only access the corresponding information of patient, which is conducive to improving the efficiency of access. Security analysis indicates that proposed scheme can resist various security threats and achieve privacy preservation of patients’ sensitive information. Compared with related schemes, our scheme is more secure and efficient.

Gang Shen, Wenxiang Song, Yumin Gui, Hanjun Gao
FIDO – That Dog Won’t Hunt

FIDO is an authentication technology based on the mathematics of public key cryptography that emerged in the 1970s and the 1980s. It is promoted by a large industry backed consortium as the two-factor successor to the username/password mechanism, which is well understood as being no longer fit for purpose. But intrinsic to FIDO is the requirement for both client-side secure hardware and a vulnerable server-side credentials database. Here we propose a better solution which would ditch both of these requirements by separating the registration and authentication processes, and which provides true multi-factor authentication using more modern ideas that have emerged from cryptographic research.

Michael Scott
Blockchain-Enabled User Authentication in Zero Trust Internet of Things

The Internet of Things (IoT) connects an increasing number of smart devices, which makes the central authorities or third parties (e.g., cloud, fog, firewall, etc.) based authentication scheme very challenging. Recently, blockchain has shown great promise in IoT to provide secure and flexible authentication schemes. In this work, a blockchain enabled authentication scheme is proposed for IoT devices, which ensures a more secure and easily interoperable alternative to IoT systems. It makes it possible to switch smart devices from an untrust to a trusted data using blockchain.

Shanshan Zhao, Shancang Li, Fuzhong Li, Wuping Zhang, Muddesar Iqbal

Cloud Security

Frontmatter
Security Analysis and Improvement of a Dynamic-Hash-Table Based Auditing Scheme for Cloud Storage

Cloud storage has emerged as a promising solution to the scalability problem of massive data management for both individuals and organizations, but it still faces some serious limitations in reliability and security. Recently, Tian et al. proposed a novel public auditing scheme for cloud storage (DHT-PA) based on dynamic hash table (DHT), with which their scheme achieves higher efficiency in dynamic auditing than the state-of-the-art schemes. They claimed that their scheme is provably secure against forging data signatures under the CDH assumption. Unfortunately, by presenting a concrete attack, we demonstrate that their scheme is vulnerable to the signature forgery attack, i.e., the cloud service provider (CSP) can forge a valid signature of an arbitrary data block. Thus, a malicious cloud service provider can pass the audit without correct data storage. The cryptanalysis shows that DHT-PA is not secure for public data verification. The purpose of our work is to help cryptographers and engineers design/implement more secure and efficient identity-based public auditing schemes for cloud storage by avoiding such attacks.

Qiang Ma, Ti Guan, Yujie Geng, Jing Wang, Min Luo
A Public Auditing Framework Against Malicious Auditors for Cloud Storage Based on Blockchain

In the cloud storage applications, the cloud service provider (CSP) may delete or damage the user’s data. In order to avoid the responsibility, CSP will not actively inform the users after the data damage, which brings the loss to the user. Therefore, increasing research focuses on the public auditing technology recently. However, most of the current auditing schemes rely on the trusted third public auditor (TPA). Although the TPA brings the advantages of fairness and efficiency, it cannot get rid of the possibility of malicious auditors, because there is no fully trusted third party in the real world. As an emerging technology, blockchain technology can effectively solve the trust problem among multiple individuals, which is suitable to solve the security bottleneck in the TPA based public auditing scheme. This paper proposed a public auditing scheme with the blockchain technology to resist the malicious auditors. In addition, through the experimental analysis, we demonstrate that our scheme is feasible and efficient.

Song Li, Jian Liu, Guannan Yang
A Secure and Verifiable Outsourcing Scheme for Machine Learning Data

In smart applications, such as smart medical devices, in order to prevent privacy leaks, more data needs to be processed and trained locally or near the local end. However, the storage and computing capabilities of smart devices are limited, so some computing tasks need to be outsourced; concurrently, the prevention of malicious nodes from accessing user data during outsourcing computing is required. Therefore, this paper proposes EVPP (efficient, verifiable, and privacy-preserving), a machine learning method based on a collaboration of edge computing devices. In this solution, the computationally intensive part of the model training process is outsourced. Meanwhile, a random encryption perturbation is performed on the outsourced training matrix, and verification factors are introduced to ensure the verifiability of the results. In addition, when a malicious service node is found, verifiable evidence can be generated to build a trust mechanism. Through the analysis of theoretical and experimental data, it can be shown that the scheme proposed in this paper can effectively use the computing power of the equipment.

Cheng Li, Li Yang, Jianfeng Ma
Support Vector Machine Intrusion Detection Scheme Based on Cloud-Fog Collaboration

Fog computing is a new computing paradigm in the era of the Internet of Things. Aiming at the problem that fog nodes are closer to user equipment, with heterogeneous nodes, limited storage capacity resources, and greater vulnerability to intrusion, a lightweight support vector machine intrusion detection model based on Cloud-Fog Collaboration (CFC-SVM) is proposed. Due to the high dimensionality of network data, first, Principal Component Analysis (PCA) is used to reduce the dimensionality of the data, eliminate the correlation between attributes and reduce the training time. Then, in the cloud server, a support vector machine (SVM) optimized by the particle swarm algorithm is used to complete the training of the dataset, obtain the optimal SVM intrusion-detection classifier, send it to the fog node, and carry out attack detection at the fog node. Experiments with the classic KDD CUP 99 dataset show that the model in this paper is better than other similar algorithms in regard to detection time, detection rate and accuracy, which can effectively solve the problem of intrusion detection in the fog environment.

Ruizhong Du, Yun Li, Xiaoyan Liang, Junfeng Tian
An Multi-feature Fusion Object Detection System for Mobile IoT Devices and Edge Computing

With the increase of data scale and computing power, deep learning algorithm has made a prominent breakthrough in computer vision and other complex problems. However, its high complexity and large memory requirements make it very difficult to run in real time on the Internet of things terminal mobile devices. There is still delay when employing cloud services, which cannot meet the real-time requirement. With the popularity of mobile terminal devices and the development of Internet of things, it is of great significance to design a real-time deep learning algorithm on IoT edge mobile devices with limited computing and memory resources. This paper proposes a new object detection method based on the current state-of-the-art object detection deep network model RetinaNet and traditional feature extraction method SIFT. RetinaNet is a one-stage detector with excellent detection speed and accuracy. We use RetinaNet as the object location method, then extract the CNN features and SIFT features of the fixed position image and combine them to train a new classifier. The object classification result will be based on the final classifier.

Xingyu Feng, Han Cao, Qindong Sun

Cryptography

Frontmatter
Generative Image Steganography Based on Digital Cardan Grille

In this paper, a generative image steganography algorithm based on digital Cardan Grille is proposed. Combining the ideas of traditional Cardan Grille and the semantic image inpainting technique, the stego image is driven by secret messages directly. The algorithm first embeds the information based on digital Cardan Grille, and then uses generative adversarial networks (GANs) to complete the damaged image. The adversarial game not only reconstructs the corrupted image, but also generates a stego image which contains the logic rationality of image content. The experimental results verify the feasibility of the proposed method.

Yaojie Wang, Xiaoyuan Yang, Wenchao Liu
Pixel Grouping Based Image Hashing for DIBR 3D Image

Most of the traditional 2D image hashing schemes do not take into account the change of viewpoint to construct the hash vector, so the classification accuracy rate is unsatisfactory when applied in identification for Depth-image-based rendering (DIBR) 3D image. In this work, pixel grouping according to histogram shape and Nonnegative matrix factorization (NMF) is applied to design DIBR 3D image hashing with better robustness against geometric distortions and higher classification accuracy rate for virtual images identification. Experiments show that the proposed hashing is robust to common signal and geometric distortion attacks, such as additive noise, blurring, JPEG compression, scaling and rotation. When compared with the state-of-art schemes for traditional 2D image hashing, the proposed hashing provides better performances under above distortion attacks when considering the virtual images identification.

Chen Cui, Xujun Wu, Jun Yang, Juyan Li
Improved Conditional Differential Analysis on NLFSR Based Block Cipher KATAN32 with MILP

This paper describes constructing a Mixed Integer Linear Programming (MILP) model for conditional differential cryptanalysis on nonlinear feedback shift register (NLFSR)-based block ciphers, and proposes an approach for detecting the bit with a strongly-biased difference. The model is successfully applied to the block cipher KATAN32 in the single-key scenario, resulting in practical key-recovery attacks covering more rounds than the previous. In particular, we present two distinguishers for 79 and 81 out of 254 rounds of KATAN32. Based on the 81-round distinguisher we recover 11 equivalent key bits of 98-round KATAN32 with the time complexity being less than $2^{31}$ encryptions of 98-round KATAN32 and recover 13 equivalent key bits of 99-round KATAN32 with the time complexity being less than $2^{33}$ encryptions of 99-round KATAN32. Thus far, our results are the best known practical key-recovery attacks for the round-reduced variants of KATAN32 as far as the number of rounds and the time complexity. All the results are verified experimentally.

Zhaohui Xing, Wenying Zhang, Guoyong Han

Applied Cryptography

Frontmatter
A Verifiable Combinatorial Auction with Bidder’s Privacy Protection

Combinatorial auctions are employed in many fields such as spectrum auction and energy auction. However, data concerning bidders’ bids and bundles might reveal sensitive information, such as personal preference and competitive relation. In order to solve this problem, this paper proposes a privacy-preserving and verifiable combinatorial auction scheme to protect bidders’ privacy and ensure the correctness of the result. In our scheme, we employ a one-way and monotonically increasing function to protect each bidder’s bid, so that the auctioneer is able to pick out the largest bid without disclosing any information about bids. Moreover, we convert the question of judging whether a bidder is a winner to the question of judging whether the vector product is 0. In our scheme, a crypto service provider (CSP) is responsible for key distribution and blind signature to verify the authenticity and correctness of the result. Besides, we put forward a privacy-preserving and verifiable payment determination model to compute the payment the winner should pay.

Mingwu Zhang, Bingruolan Zhou
A Multi-user Shared Searchable Encryption Scheme Supporting SQL Query

Due to the tremendous benefits of cloud computing, organizations are highly motivated to store electronic records on clouds. However, outsourcing data to cloud servers separates it from physical control, resulting in data privacy disclosure. Although encryption enhances data confidentiality, it also complicates the execution of encrypted database operations. In this paper, we propose a multi-user shared searchable encryption scheme that supports multi-user selective authorization and secure access to encrypted databases. First, we apply the Diffie-Hellman protocol to a trapdoor generation algorithm to facilitate fine-grained search control without incremental conversions. Second, we utilize a private key to generate an encrypted index by bilinear mapping, which makes it impossible for an adversary to obtain trapdoor keywords by traversing the keyword space and to carry out keyword guessing attacks. Third, we use double-layered encryption to encrypt a symmetric decryption key. Only the proxies whose attributes match the access control list can obtain the key of decrypted data. Through theoretical security analysis and experimental verifications, we show that our scheme can provide secure and efficacious ciphertext retrieval without the support of a secure channel.

Mingyue Li, Ruizhong Du, Chunfu Jia
Forward Secure Searchable Encryption with Conjunctive-Keyword Supporting Multi-user

Searchable symmetric encryption (SSE) enables users to efficiently search ciphertext in the cloud and ensures the security of encrypted data. Recent works show that forward security is an important property in dynamic SSE. Many forward secure searchable symmetric encryption (FSSE) schemes supporting single-keyword search have been proposed. Only a few SSE schemes can satisfy forward security and support conjunctive keyword search at the same time, and these are realized by adopting inefficient or complicated cryptographic tools. Very recently, Hu proposed a novel construction to achieve conjunctive-keyword search, that is, using inner-product encryption (IPE) to design a conjunctive-keyword FSSE scheme. However, the IPE scheme is conceptually complex and inefficient. In this paper, we use a more efficient cryptographic tool, asymmetric scalar-product-preserving encryption (ASPE), to design an efficient and secure conjunctive-keyword FSSE scheme. To improve practicality, we design our scheme to support the multi-user setting. Our scheme achieves sub-linear efficiency, and can easily be used in any single-keyword FSSE scheme to obtain a conjunctive-keyword FSSE scheme supporting multi-user. Compared with the current conjunctive-keyword FSSE scheme, our scheme has better update and search efficiency.

Zhongyi Liu, Chungen Xu, Zhigang Yao
A3BAC: Attribute-Based Access Control Model with Anonymous Access

Researchers believe that anonymous access can protect private information even if it is not stored in the authorization organization. The current solution supports anonymous access by using a certificate instead of a subject identity or Attribute-Based Encryption. In a solution using a certificate, access may be linked to the certificate, which poses a risk of re-identification. The encryption of objects based on attributes limits the types of objects. The ABAC with anonymous access proposed in this paper, called A3BAC, inherits the features of the ABAC model, such as fine-grained authorization, policy flexibility, and unlimited object types. By combining HABS, it strengthens the identity-less nature of ABAC, so that the access does not involve a unique identification, reducing the risk of subject identity re-identification. It is a secure anonymous access framework.

Runnan Zhang, Gang Liu, Shancang Li, Yongheng Wei, Quan Wang
Blockchain-Based Decentralized Privacy-Preserving Data Aggregation (BDPDA) Scheme for SmartGrid

Smart grid is the next-generation grid that combines advanced power technology and modern communication technology. Smart meters face serious security challenges such as the leakage of user privacy and the absence of trusted third parties. Blockchain provides a viable solution that can use its key technologies to solve these problems. In blockchain technology, there is no need for a third party in the energy supply sector. We introduce decentralization into the smart grid, and a blockchain-based data aggregation scheme is designed. Due to the transparency of data in blockchain, the privacy of users may be disclosed. Therefore, our scheme adopts the Paillier cryptosystem to encrypt the user’s electricity consumption data, realizing the confidentiality of electricity consumption data, which is convenient for billing and power regulation. Performance analysis shows that the scheme has better security and better functions.

Hongbin Fan, Yining Liu, Zhixin Zeng
Backmatter
Metadata
Title
Security and Privacy in New Computing Environments
Editors
Ding Wang
Dr. Weizhi Meng
Jinguang Han
Copyright Year
2021
Electronic ISBN
978-3-030-66922-5
Print ISBN
978-3-030-66921-8
DOI
https://doi.org/10.1007/978-3-030-66922-5
