Information and Communications Security

Lately, end-users and database administrators face continuously personal data exposures. Among different type of vulnerabilities an adversary might exploit, to gain access to this data, SQL injections are considered one of the most serious vulnerabilities, which remain at the top twenty most known vulnerabilities more than a decade. Though various defenses have been proposed against SQL injections for database protection, most of them require “modifications” on the underlying infrastructure, such as proxy interposition, middleware drivers, etc., while they cannot be employed transparently. In this paper, we propose a practical framework that enables the transparent enforcement of randomization to any given database for enhancing protection against SQL injection attacks, while being agnostic to the underlying database and completely transparent to end-user. We demonstrate a methodology for identifying automatically SQL statements on a given database application, and we introduce a runtime environment for enforcing the randomization and de-randomization mechanism in a completely transparent way, without requiring access to its source code. We evaluate in terms of overhead our approach using the well-known MySQL database under different configurations. Results indicate the employment feasibility of the proposed framework.

Kernel-level malwares are a serious threat to the integrity and security of the operating system. Current kernel integrity measurement methods have one-sidedness in selecting the measurement objects, and the characters of periodic measurement make TOC-TOU attacks unavoidable. The kernel integrity measurement methods based on hardware usually suffer high cost due to the additional hardware, while the kernel integrity measurement methods based on host are always likely to be passed. To address these problems, a kernel integrity protection approach based on memory forensics technique implemented in Hypervisor (KIPBMFH) is proposed in this paper. We first use memory forensics technology to extract the static and dynamic measurement objects, and then adopt time randomization algorithm to weaken TOC-TOU attacks. The experimental results show that KIPBMFH can measure the integrity of the operating system effectively, and has reasonable performance overhead.

Due to the demand for low-cost cryptosystems from industry, there spring up a lot of lightweight block ciphers which are excellent for some different implementation features. An innovative design is the block cipher PRINCE. To meet the requirement for low-latency and instantaneously encryption, NXP Semiconductors and its academic partners cooperate and design the low-latency block cipher PRINCE. Another good example is the block cipher LED which is very compact in hardware, and whose designers also aim to maintain a reasonable software performance. In this paper, we demonstrate how to achieve high software performance of these two ciphers on the AVR 8-bit microcontrollers using bitslice technique. Our bitsliced implementations speed up the execution of these two ciphers several times with less memory usage than previous work. In addition to these two nibble-oriented ciphers, we also evaluate the software performance of a newly proposed lightweight block cipher RECTANGLE, whose design takes bitslicing into consider. Our results show that RECTANGLE has very high ranks among the existing block ciphers on 8-bit microcontrollers in the real-world usage scenarios.

In 2009, Blömer and Naewe proposed the Generalized Shortest Vector Problem $$(\text {GSVP})$$(GSVP). We initiate the study of the promise problem ($$\text {GAPSAM}$$GAPSAM) for $$\text {GSVP}$$GSVP. It is a promise problem associated with estimating the subspace avoiding minimum. We show $$\text {GAPSAM}_{c\cdot n}$$GAPSAMc·n lies in coNP, where c is a constant. Furthermore, we study relationships between $$\text {GAPSAM}$$GAPSAM of a lattice and the nth successive minimum, the shortest basis, and the shortest vector in the dual of the saturated sublattice, and obtain new transference theorems for $$\text {GAPSAM}$$GAPSAM. Then, using the new transference theorems, we give various deterministic polynomial time reductions among the promise problems for some lattice problems. We also show $$\text {GAPSAM}_{\gamma }$$GAPSAMγ can be reduced to the promise problem associated to the Closest Vector Problem ($$\text {GAPCVP}_{\gamma }$$GAPCVPγ) under a deterministic polynomial time rank-preserving reduction.

The existing scheme of secret key extraction based on the channel properties can be implemented in the three steps: quantization, information reconciliation and privacy amplification. Despite the tremendous researches of quantization and information reconciliation techniques, there is little consideration about the risk of information reconstruction by the unauthorized node due to the high correlation of subsequent quantization bits, which is unavoidably leaked on the public channel between quantization and information reconciliation. In this paper, we propose an improved scheme of secret key extraction with quantization randomness using Hadamard matrix on QuaDRiGa channel. Simulation results show that with this kind of quantization randomness, the correlation between the subsequent quantization bits can be significantly decreased, which can reduce the possibility of information reconstruction by the unauthorized node, and the improved scheme can increase the randomness of the final secret key bits as compared with the existing ones.

We present a practical lattice-based fault attack against SM2 signature algorithm in a smart card. This seems to be the first combination of the lattice attack presented in SAC’2013 and fault attack against SM2 in practice. We successfully utilize the laser fault attack to skip the instructions of nonces being written into RAM, so that the nonces in signatures share partial same bits from each other. Next, we build the model of lattice attack and recover the private key. The experimental results show we only need 3 faulty signatures to mount lattice attack successfully in about 32 $$\upmu $$μs. Moreover, we propose a new countermeasure for SM2 signature algorithm to resist lattice-based fault attack by destroying the condition of lattice attack rather than thwarting fault attack. It is proved the countermeasure can guarantee the ability to resist lattice attack, even if some information of the nonces is leaked.

In this paper, we study the relations between the security of Diffie-Hellman (DH) key and the leakage of polynomial information of it again. Given a fixed sparse polynomial F(X) and an oracle, which returns value of polynomial of DH key i.e., $$F(g^{xy})$$F(gxy) when called by $$g^{x}$$gx and $$g^{y}$$gy, we obtain a probabilistic algorithm to recover the key. It is an extension of Shparlinski’s result in 2004. This shows that finding polynomial information of DH key is as difficult as the whole key again. Furthermore, we study a variant of DH problem given 2 and $$g^{y}$$gy to compute $$2^{y}$$2y and the n-DH problem with this method respectively, and obtain similar results.

Bitcoin is the first decentralized crypto-currency that is currently by far the most popular one in use. The bitcoin transaction syntax is expressive enough to setup digital contracts whose fund transfer can be enforced automatically.In this paper, we design protocols for the bitcoin voting problem, in which there are n voters, each of which wishes to fund exactly one of two candidates A and B. The winning candidate is determined by majority voting, while the privacy of individual vote is preserved. Moreover, the decision is irrevocable in the sense that once the outcome is revealed, the winning candidate is guaranteed to have the funding from all n voters. As in previous works, each voter is incentivized to follow the protocol by being required to put a deposit in the system, which will be used as compensation if he deviates from the protocol. Our solution is similar to previous protocols used for lottery, but needs an additional phase to distribute secret random numbers via zero-knowledge-proofs. Moreover, we have resolved a security issue in previous protocols that could prevent compensation from being paid.

LBlock-s is the kernel block cipher of the authentication encryption algorithm LAC submitted to CAESAR competition. The LBlock-s algorithm is almost the same as LBlock except that the former adopts an improved key schedule algorithm with better diffusion property. Using the shifting relation of certain subkeys derived by the new key schedule algorithm, we present a multidimensional zero-correlation linear cryptanalysis on 23-round LBlock-s. The time complexity of the attack is about $$2^{75.4}$$ 23-round encryptions, where $$2^{62.3}$$ known plaintexts are used and 60 subkey bits are guessed, which is three bits less than that of LBlock. Our research showed that the improved key schedule algorithm did not enhance their ability to protect against zero-correlation linear cryptanalysis, and it is better to use the irregular bit-shifting to disturb the shifting relation between subkeys.

In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), access policies associated with the ciphertexts are generally role-based and the attributes satisfying the policies are generally shared by multiple users. If a malicious user, with his attributes shared with multiple other users, created a decryption blackbox for sale, this malicious user could be difficult to identify from the blackbox. Hence in practice, a useful CP-ABE scheme should have some tracing mechanism to identify this ‘traitor’ from the blackbox. In this paper, we propose the first CP-ABE scheme which simultaneously achieves (1) fully collusion-resistant blackbox traceability in the standard model, (2) full security in the standard model, and (3) on prime order groups. When compared with the latest fully collusion-resistant blackbox traceable CP-ABE schemes, this new scheme achieves the same efficiency level, enjoying the sub-linear overhead of $$O(\sqrt{N})$$O(N), where N is the number of users in the system. This new scheme is highly expressive and can take any monotonic access structures as ciphertext policies.

In this paper, audit logging schemes with forward privacy and authenticity are formalized in the symmetric-key setting. Then, two generic audit logging schemes with forward privacy and authenticity are proposed. One consists of an authenticated encryption scheme with associated data. The other consists of a symmetric encryption scheme and a MAC function. Both of them also uses a forward-secure pseudorandom generator to achieve forward security. Finally, the forward privacy and authenticity of the schemes are confirmed in the manner of provable security. The security properties of the proposed schemes are reduced to the standard security properties of the underlying primitives.

The confidential information can be reconstructed by received weak electromagnetic signal from a radiation object, such as a computer display. Usually, the radiation signal is submerged in strong noise and faded in channel, so it is not an easy task to understand the information existed in the signal. In this paper, we propose a new post-processing system to improve the visual quality of reconstruction image in sparse domain. Different from filter and enhancement technologies in image filed, our system focuses on data shrink and repair using the methods in machine learning. It can not only remove the noise interference, but also complement the lost high-frequency and compensate the distortion. Experimental section displays complete procedures and better performance, and it also proves the effectiveness of the novel framework.

The security of sensitive data and the safety of control signal are two core issues in industrial control system (ICS). However, the prevalence of USB storage devices brings a great challenge on protecting ICS in those respects. Unfortunately, there is currently no solution specially for ICS to provide a complete defense against communication between untrusted USB storage devices and critical equipment without forbidding normal USB device function. This paper proposes a trust management scheme of USB storage devices for ICS (TMSUI). By fully considering application scenarios, TMSUI is designed based on security chip to flexibly achieve authorizing a certain USB storage device to only access some exact protected terminals in ICS for a particular period of time. The scheme enables administrators to revoke authorized devices. We analyze six security properties of TMSUI. The prototype system is finally implemented. The evaluation results indicate that our scheme meets the security goals with high compatibility and good efficiency.

In this paper, a structural approach for determining CELCS (critical error linear complexity spectrum) for the k-error linear complexity distribution of $$2^n$$2n-periodic binary sequences is developed via the sieve method and Games-Chan algorithm. Accordingly, the third descent point (critical point) distribution of the k-error linear complexity for $$2^n$$2n-periodic binary sequences is characterized. As a consequence, we derive the complete counting functions on the 5-error linear complexity of $$2^n$$2n-periodic binary sequences when it is the third descent point. With the structural approach proposed here, one can further characterize other third and fourth descent points of the k-error linear complexity for $$2^n$$2n-periodic binary sequences.

Dual-Rail Precharge Logic (DPL) has proven to be an effective countermeasure logic style against Differential Power Analysis (DPA). All previous DPL architectures employ the precharge mechanism to achieve DPA resistance. However, due to its additional precharge phase, an inherent drawback of these DPL architectures lies within its degraded performance (less than 1/2 times compared to the nominal data rate), and hence they are not suitable for applications where high performance is required. In this paper, we present Quadruple-Rail Logic (QRL), a new DPA-hardened approach for cryptographic implementations in FPGA. The main merit of this proposal is that the system throughput can be effectively maintained by removing the precharge phase. By introducing a synchronized and identical quadruple-rail network, strengthened DPA resistance can be achieved. In order to test the robustness of QRL against DPA, we launch DPA on a QRL-based standard AES processor on Xilinx Virtex-5 FPGA. The experimental results show that DPA on QRL AES is failed by analyzing 100,000 power consumption traces, which achieves the competitive DPA resistance level as typical DPL schemes, and gains at least 110 times stronger than the unprotected AES.

In this paper, we propose a new strategy of relations collection in factoring RSA modulus. The strategy has absolute advantage at computation efficiency with a highly parallel structure, and the reports have higher probability of being relations, since the strategy only considers small and medium primes in factor base without large primes. Besides, it is worth noting that the proposed algorithm used in strategy, only involves a multiplication, which can speed up relations collection step. Furthermore, we propose an architecture for multiplier that is based on our algorithm. Due to the inherent characters of the algorithm, our proposed architecture can perform with less registers, which makes for VLSI area optimization. Additionally, the comparison results with the published achievements show that our strategy could be a good choice for relations collection in factoring RSA modulus.

To ensure secure information exchange, demand for hardware implementation of elliptic curve cryptography (ECC) is increasing rapidly in recent years. In this paper, we propose an ASIC design for ECC over SCA-256 prime field, delivering both high performance and great SPA resistance. For algorithm selection, we integrate calculation simplification into the classic algorithm, Montgomery Powering Ladder (MPL). Based on the deduction of Fast NIST Reduction, we innovatively achieve the configurable modular multiplication module and then the isochronous point addition and double units. Pipeline architecture, execution order optimization and modular design are all applied to improved performance. Evaluated by CMOS standard cell library of 0.13 $$\upmu $$μm, this ECC processor costs only 208 $$\upmu $$μs and 6.8 $$\upmu $$μJ for one scalar multiplication and runs at high frequency of 228 MHz with area of 156 k gates. Compared to related works, it is much more advantageous in not only area-time product but also SPA resistant protection.

We study functional encryption and its application in outsourcing computation. Functional encryption is a new primitive first defined by Boneh, Sahai and Waters: given an encryption of a message x and a decryption key $$sk_f$$skf for a function f, anyone can obtain f(x) but cannot learn anything else about x. In multi-input functional encryption, the secret key $$sk_f$$skf corresponds to an n-ary function f and takes multiple ciphertexts as its input. Prior works on multi-input functional encryption are based on indistinguishability obfuscation which is either rely on a polynomial set of assumptions or an exponential number of assumptions. In this paper, we construct a multi-input functional encryption scheme without obfuscation. And we show its application in outsourcing computation and construct a multi-client outsourcing computation scheme that is publicly verifiable.

Multivariate Public Key Cryptosystems (MPKC) are a candidate of post-quantum cryptography. The MPKC signature scheme Rainbow is endowed of efficient signature generation and verification, while no major attack has been reported so far. In this paper, we propose a MPKC encryption scheme based on Rainbow. The public key of Rainbow is a surjective polynomial map, whereas the encryption scheme requires an injective polynomial map. We explain how to change the public key of Rainbow to an injective map.

We propose an IBPMS scheme from pairings, which is more efficient in the sense of computation and operation time than the existing schemes. We also prove on random oracle that the propose d scheme is secure against existential forgery on adaptive chosen-message and adaptive-chosen ID attack under the k-CAA assumption. Additionally, our scheme fulfills all the security requirements of a proxy signature scheme. Moreover we do an efficiency analysis and show that our scheme is significantly more efficient than the existing IBPMS schemes in the sense of computation and operation time.

This paper present an identity-based encryption (IBE) scheme with full security in prime order bilinear groups by using dual pairing vector space. The security of our scheme is based upon decisional linear and three party Diffie-Hellman assumption by adapting the dual system encryption. We obtain a tighter security reduction compared to previous works based on dual system encryption. The loss for security reduction of our scheme is $${\mathcal {O}}(q_{1})$$O(q1), where $$q_{1}$$q1 is the number of key queries in Phase 1.

Motivated by the natural features of ID/location decoupling and self-certifying in Expressive Internet Architecture (XIA), we designs a secure mechanism to protect the binding update message for route optimization in XIA mobility. The proposed mechanism protects the vulnerabilities by combining identity authentication and reachability verification. Meanwhile, in order to reduce the signaling overhead in the following movement of the mobile node, we divide the routing optimization procedure into two phases and replace the public-key cryptography with hashing operation to authenticate the subsequent binding update messages. The analysis shows that our protocol is efficient, especially for nodes that move frequently and the movement can be predicted.

This paper proposes an approach of encrypted network traffic classification based on entropy calculation and machine learning technique. Apart from using ordinary Shannon’s entropy, we examine entropy after encoding and a weighted average of Shannon binary entropy called BiEntropy. The objective of this paper is to identify any application flows as part of encrypted traffic. To achieve this we (i) calculate entropy-based features from the packet payload: encoded payload or binary payload, n-length word of the payload, (ii) employ a Genetic-search feature selection algorithm on the extracted features where fitness function is calculated from True Positive Rate, False Positive Rate and number of selected features, and (iii) propose a data driven supervised machine learning model from Support Vector Machine (SVM) for automatic identification of encrypted traffic. To the best of our knowledge, this is the first attempt to tackle the problem of classifying encrypted traffic using extensive entropy-based features and machine learning techniques.

In this work, we propose a probabilistic value-passing CCS (Calculus of Communicating System) approach to model and analyze a typical network security scenario with one attacker and one defender. By minimizing this model with respect to probabilistic bisimulation and abstracting it through graph-theoretic methods, two algorithms based on backward induction are designed to compute Nash Equilibrium strategy and Social Optimal strategy respectively. For each algorithm, the correctness is proved and an implementation is realized. Finally, this approach is illustrated by a detailed case study.

DDoS attacks are very difficult to detect, researches have been in the pursuit of highly efficient and flexible DDoS attacks detection methods. For this purpose, we put forward an improved Non-parametric CUSUM method (NPCUSUM), which combined with adaptive sliding windows (ASW), to detect DDoS attacks. In order to evaluate our method, we do experiments on 2000 DARPA Intrusion Detection Scenario Specific Data Set (DARPA 2000 Dataset). The results show that the proposed method improves the detection efficiency and has good flexibility.

Honeypots are a type of security tools aimed to capture malicious activity. Related to their data capture function, two main factors are important: scalability and fidelity. A hybrid honeypot is a special honeypot system consisting of frontends and backends that can achieve a good balance between scalability and fidelity, as the frontends can monitor large-scale IP address spaces and the backends can provide fully functional systems to guarantee fidelity. The traffic redirection function is used to bridge the frontends and the backends, allowing to redirect the interesting traffic from the frontends to the backends. In this paper, a dynamic hybrid honeypot system based transparent traffic redirection mechanism is proposed in order to address the identical-fingerprint problem. The experimental results show that this mechanism can keep the traffic redirection stealthy and effective.

In this preliminary study, we introduce a framework to predict anomaly behavior from Virtual Machines (VMs) deployed in public IaaS cloud model. Within this framework we propose to use a static probe instrumentation technique inside hypervisor in order to collect monitoring data and a black-box signature based feature selection method using Linear Discriminant Analysis. As a proof of concept, we run several evaluation tests to measure the output quality and computation overhead of our Anomaly Detection System (ADS) using feature selection. The results show that our feature selection technique does not significantly reduce the anomaly prediction quality when compared with full featured ADS and gives a better accuracy when compared to ADS with system-call data. Furthermore, ADS with feature selection method creates lower computing overhead compared to the other two ADS.

Outsourcing data to are remote cloud service provider allows organizations or individual users to store more data on the cloud storage than on private computer systems. However, a specific problem encountered in cloud storage is how to ensure user’s confidence of the integrity of their outsourced data on cloud. One important approach is Proof of Retrievability (POR) which allows a verifier to check and repair the data stored in the cloud server. However, most of existing PORs can only deal with static data and provide one single recovery method which may lead to inefficiency and inflexibility. To address these cloud storage issues, we propose a map-based dynamic data integrity verification and recovery scheme in cloud storages. We first present two recovery methods with different granularity and introduce a new data structure. Relying on algebraic signature with homomorphism property, our integrity verification is highly efficient. Furthermore, our solution can prevent multiple cloud servers from colluding to fabricate consistent signatures.

Near field communication (NFC) is applied in payment services, setup of high-bandwidth connection and information sharing. Therefore, NFC devices represent an increasing valuable target for adversaries. One of the major threats is relay attack, in which an adversary directly relays messages between a pair of communication peers referred to as initiator and target device. A successful relay attack allows an adversary to temporarily posses a ‘virtual’ initiator/target and thereby to gain associated benefits. In this paper, we propose a lightweight and automated method featuring role transitions and thus called Chameleon to thwart relay attacks. The principle of the method is: Chameleon exchanges the roles of the two devices after every NFC session in a random manner. The information of exchanged role is included in the messages of every session and encrypted by pre-shared key of the two legitimate devices. In this condition, the adversary cannot decrypt the message and configure themselves to appropriate role during the connection. Consequently, the relayed communication will be interrupted and a transaction is aborted due to uncompleted data packet. This method is implemented in real communication scenario and works well on thwarting relay attack. Our experiments indicate that it is an easy-to-implement and effective defense against relay attacks.

With the popularity of Android operating system, the Android platform has become one of the major targets of attackers. One of the main threats is code-tampering and repackaging attack against Android APPs. By tampering Android APPs, an attacker is able to complete copyright theft, malicious code injection and other actions. Confronted with this situation, numerous researchers have proposed many protection and detection strategies. But all of these strategies are a kind of passive defenses. A trust mechanism in Android is in demand to defense code-tampering in active. In this paper, we propose a new strategy to actively defense code-tampering and repackaging attacks. We make a thorough analysis of the signature verification mechanism via Android source code, and add certificate authentication mechanism in Android, which improves the security of Android system greatly. With this mechanism, Android can easily recognize repackaged APPs before installing, users can also quickly find the developers who take responsibility for the APPs, as a result, the attackers will be less motivated to tamper APP and upload it to the marketplace.

Proxy re-encryption scheme allows a semi-trusted proxy to re-encrypt ciphertexts of a client into ciphertexts of a receiver. However, the proxy might not as honest or reliable as supposed in practice.Ohata et al. [16] recently introduced a new functionality for proxy re-encryption with verifiability of the re-encryption soundness. However, careful inspection reveals that the construction in their work can not resist against normal collusion attack. Specifically, if the proxy and the receiver collude, the master key of the client will be leaked. We consider this as a serious weakness. Moreover, the storage of keys for a receiver in that work will increase linearly with the number of clients.In this paper, we present a novel generic scheme for verifiable proxy re-encryption from indistinguishability obfuscation. It can ensure the security of master secret key even when the proxy and the receiver collude. In addition, our scheme possesses the advantage that any receiver’s key storage will remain constant, no matter how many clients he deals with. Furthermore, the re-encryption mechanism in our construction is very succinct in that the size of re-encrypted ciphertext relies only on the size of the encrypted message and the security parameter, compared to that in [16], which relies on the size of the original ciphertext and the receiver’s public key as well.

is a highly optimized lightweight block cipher designed by the U.S. National Security Agency (NSA) and it is considered a promising candidate for resource-constrained embedded applications. Previous analysis results show that its unprotected implementations are vulnerable to side-channel attack (SCA). Thus, for its implementations on embedded platforms, protection against side-channel attacks must be taken into account. Up to now, several masking schemes were presented for . However, those schemes just provide resistance against the first-order SCA and can be broken in practice by second-order or higher-order SCA. In order to deal with those attacks, higher-order masking is needed. The existing higher-order masking schemes were mainly designed for block ciphers based on s-box, invalid for . Therefore it is necessary to design higher-order masking schemes for . In this paper, we present two higher-order boolean masking schemes for the software implementations of . The first is based on the famous ISW scheme proposed at Crypto 2003, and the second is based on the design principle similar to the masking scheme proposed by Coron et al. at FSE 2013. The two proposals are proven to achieve $$d^{th}$$dth-order SCA security in the probing model and they are shown to have a reasonable implementation cost on 8-bit AVR platforms by the evaluation of implementation efficiency.

We construct a statistically secure ORAM with computational overhead of $$O(\log ^2N\log \log N)$$O(log2NloglogN). Moreover, when accessing continuous blocks, our scheme can achieve an amortized complexity $$O(\log N\log \log N)$$O(logNloglogN), which almost matches the theoretical lower bound of the ORAM problem. Our construction is based on a tree-based construction [16]. The technical novelty comes from the idea of combining $$O(\log N)$$O(logN) blocks into a big block together with a more aggressive and efficient “flush” operation, which is the bottleneck of existing ORAM schemes. All in all, we can achieve better amortized overhead in our new scheme.

The deduplication technology can significantly reduce the amount of storage in data centers, thus to save network bandwidth and decrease the cost of construction and maintenance. Having inspired by the sliding block method of the Sliding Block (SB) algorithm and independent block-dividing thought of the Content Defined Chunking (CDC) algorithm, a Self-Matching Sliding Block (SMSB) algorithm for deduplication is proposed. Via communication with metadata node, the storage system client builds a matching table in local memory that contains fingerprint and checksum, based on the matching table to realize sliding block self-matching so as to detect the duplicate blocks. The experimental results show that the deduplication rate and the disk space utilization rate of SMSB algorithm is respectively 2.03 times and 1.28 times of the CDC algorithm and that the data processing speed is 0.83 times of the CDC algorithm. The SMSB algorithm is suitable for distributed storage system.

In this paper, 3 classic suffix type algorithms: QS, Tuned BM and BMHq were improved by reducing the average cost of basic operations. Firstly, the multi-windows method was used to let the calculations of the jump distance run in parallel and pipelining. Secondly, the comparison unit was increased to integer to reduce the total number and the average cost of comparisons. Especially for BMHq, the jump distance was increased by good prefix rule and the operations to get the jump distance were simplified by unaligned integer read. Thus, 3 algorithms named QSMI, TBMMI and BMHqMI were presented. These algorithms are faster than other known algorithms in many cases.

Reprogramming is an important function required by wireless sensor networks (WSNs). Due to the openness of WSNs, more and more researchers pay attention to the security aspect of reprogramming, but confidentiality is often ignored in this process. However, in some special applications such as battlefield, sending messages demand high levels of confidentiality. Several protocols address this issue, but they use relatively complex cryptography methods, which consume more computational resources and energy. Moreover, those approaches require packets arrive at the receiver in order. However, out-of-order tolerance is often a required feature in some harsh environment. In this paper, we propose an efficient scheme to ensure confidentiality of reprogramming and out-of-order packet delivery can be tolerated. To enhance the confidentiality of code image, we design an encode-then-encrypt scheme. To mitigate the DoS attacks against digital signature packets, we provide an energy-efficient mechanism.

Wireless Sensor Networks (WSN) are often deployed in hostile or difficult scenarios, such as military battlefields and disaster recovery, where it is crucial for the network to be highly fault tolerant, scalable and decentralized. For this reason, peer-to-peer primitives such as Distributed Hash Table (DHT), which can greatly enhance the scalability and resilience of a network, are increasingly being introduced in the design of WSN’s. Securing the communication within the WSN is also imperative in hostile settings. In particular, context information, such as the network topology and the location and identity of base stations (which collect data gathered by the sensors and are a central point of failure) can be protected using traffic encryption and anonymous routing. In this paper, we propose a protocol achieving a modified version of onion routing over wireless sensor networks based on the DHT paradigm. The protocol prevents adversaries from learning the network topology using traffic analysis, and therefore p reserves the context privacy of the network. Furthermore, the proposed scheme is designed to minimize the computational burden and power usage of the nodes, through a novel partitioning scheme and route selection algorithm.

We introduce a novel “prior classification” approach which can be employed in order to enhance the accuracy of stego detectors as well as to estimate it more subtly. The prior classification is intended for selection a subset of a testing set with such a property that a detection error, calculated over this subset, may be substantially lower than that calculated over the whole set. Our experiments demonstrated that it is possible to select about 30 % of the BOSSbase images for which HUGO 0.4 bpp is detected with the error less than 0.003, while the error over the whole set is 0.141. We also demonstrated that it is possible to find about 5 % of the BOSSbase images which provide the detection error for HUGO 0.1 bpp less than 0.05, while the error, calculated over the whole set, is about 0.37 which is not quite a reliable accuracy.

Hadoop has become increasingly popular as it rapidly processes big data in parallel, while security mechanisms have been introduced or studied for Hadoop. In addition, other security issues that should not be neglected still exist. Data leakage is one of the major security challenges. This paper studies the vulnerability of authorization mechanism of services in Hadoop and the threat of information leakage. Some authorization mechanism allow all users to access services by default, an adversary can utilize these services to collect information of other users. We design and implement Eavesdropper, a framework which utilizes k-means clustering to address the nodes that store the processed results. We conduct a comprehensive of experiments, which clearly demonstrate that our detection framework is capable of detecting the nodes that store the results.

With the increasing popularity of online social networks (OSNs) and the ability to access and exchange sensitive user information, user privacy concerns become an important issue which have attracted the attention of researchers and policymakers. For example, deleted pictures or pictures in deleted posts may not be deleted from the OSN server immediately, and hence accessible to another unauthorized user. In this paper, we highlight the deletion delay issue in seven popular OSNs, namely: Facebook, Instagram, MySpace, Tumblr, Flickr, Google+ and Weibo, which can be exploited by another unauthorized user to gain access to these pictures. To ensure OSN users are able to achieve a higher level of privacy, we propose a conceptual privacy-preserving tool for photo sharing, without compromising on transparency and real-time sharing features. We demonstrate the utility of the tool by prototyping a browser extension, which does not require modification of existing OSN systems.

With the wide use of smart phones, a large amount of GPS data are collected, while risks of privacy disclosure are also increasing. The de-anonymization attack is a typical attack which can infer the owner of an anonymous set of mobility traces. However, most existing works only consider spatial influences without considering temporal influences sufficiently. In this paper, we define a User Hidden Markov Model (UHMM) considering spatio-temporal influences, and exploit this model to launch the de-anonymization attack. Moreover, we conduct a set of experiments on a real-world dataset. The results show our approach is more accurate than other methods.