34 research outputs found

    On Security Management: Improving Energy Efficiency, Decreasing Negative Environmental Impact, and Reducing Financial Costs for Data Centers

    Security management is one of the most significant issues in today's data centers. Selection of appropriate security mechanisms and effective energy consumption management, together with caring for the environment, requires a profound analysis of the considered system. In this paper, we propose a specialized decision support system with a multilevel, comprehensive analysis scheme. As a result of the extensive use of mathematical methods and statistics, guidelines and indicators returned by the proposed approach facilitate the decision-making process and conserve the decision-maker's time and attention. In the paper we utilized the proposed multilevel analysis scheme to manage security-based data flow in the example data center. Determining the most secure, energy-efficient, environmentally friendly security mechanisms, we implemented the role-based access control method in Quality of Protection Modeling Language (QoP-ML) and evaluated its performance in terms of the mentioned factors.

    Performance assessment of security mechanisms for cooperative mobile health applications

    Mobile health (m-Health) applications aim to deliver healthcare services through mobile applications regardless of time and place. An m-Health application makes use of wireless communications to sustain its health services and often provides a patient-doctor interaction. Therefore, m-Health applications present several challenging issues and constraints, such as mobile device battery and storage capacity, broadcast constraints, interferences, disconnections, noises, limited bandwidths, network delays, and, most importantly, privacy and security concerns. In a typical m-Health system, information transmitted through wireless channels may contain sensitive information such as a patient's clinical history or a patient's personal disease information (e.g. an infectious disease such as HIV - human immunodeficiency virus). Carrying such type of information presents many issues related to its privacy and protection. In this work, a cryptographic solution for m-Health applications under a cooperative environment is proposed in order to approach two common drawbacks in mobile health systems: the data privacy and protection. Two different approaches were proposed: i) DE4MHA, which aims to guarantee the best confidentiality, integrity, and authenticity of m-Health systems users' data, and ii) eC4MHA, which also focuses on assuring and guaranteeing the m-Health application data confidentiality, integrity, and authenticity, although with a different paradigm. While DE4MHA considers a peer-to-peer node message forward, with encryption/decryption tasks on each node, eC4MHA focuses on simply encrypting data at the requester node and decrypting it when it reaches the Web service. It relays information through cooperative mobile nodes, giving them only the strictly required information, in order to be able to forward a request, until it reaches the Web service responsible for managing the request, and possibly answering that same request.
In this sense, the referred solutions aim at any mobile health application with a cooperation mechanism embedded. For test purposes a specific mobile health application, namely SapoFit, was used. Cryptographic mechanisms were created and integrated in the SapoFit application with built-in cooperation mechanisms. A performance evaluation of both approaches in a real scenario with different mobile devices is performed and presented in this work. A comparison with the performance evaluations of both solutions is also presented. Fundação para a Ciência e a Tecnologia (FCT); European Community Fund FEDER through COMPETE – Programa Operacional Factores de Competitividad

    DATA SECURITY IN THE CLOUD: Study and Simulations

    Cloud technology is a nascent technology, thriving in information communication and data storage, and is still under development. Securing the communication links and data has been paramount to the development of this technology and system. Various techniques, methods and technologies have been implemented in order to secure this system. Security of the cloud has recently received much attention, as there has been ongoing research and study towards the development of more potent solutions. Cryptography is one of the feasible and in-demand solutions here, as it offers a set of security measures such as confidentiality, integrity and availability. This thesis work is aimed at understanding data security in cloud systems, and the various security threats associated with such technology. To better understand this, a thorough literature review is conducted on cloud technology, and some of the cloud attacks are simulated. The distributed denial of service is simulated using NS3 and EstiNet, ARP poisoning is simulated using Ettercap, and the SQL injection is simulated using Damn Vulnerable Web Application. At the end of the task, the simulation scenarios were analyzed for better understanding and the observations were concluded. It was found that these attacks are a threat to the communication channels, network bandwidth, and the information being transferred. It was also realized that these attacks could be managed effectively using appropriate cryptographic techniques or technologies to block any unauthorised access to the network.

    Fast Internet-Wide Scanning: A New Security Perspective

    Techniques like passive observation and random sampling let researchers understand many aspects of Internet day-to-day operation, yet these methodologies often focus on popular services or a small demographic of users, rather than providing a comprehensive view of the devices and services that constitute the Internet. As the diversity of devices and the role they play in critical infrastructure increases, so does understanding the dynamics of and securing these hosts. This dissertation shows how fast Internet-wide scanning provides a near-global perspective of edge hosts that enables researchers to uncover security weaknesses that only emerge at scale. First, I show that it is possible to efficiently scan the IPv4 address space. ZMap: a network scanner specifically architected for large-scale research studies can survey the entire IPv4 address space from a single machine in under an hour at 97% of the theoretical maximum speed of gigabit Ethernet with an estimated 98% coverage of publicly available hosts. Building on ZMap, I introduce Censys, a public service that maintains up-to-date and legacy snapshots of the hosts and services running across the public IPv4 address space. Censys enables researchers to efficiently ask a range of security questions. Next, I present four case studies that highlight how Internet-wide scanning can identify new classes of weaknesses that only emerge at scale, uncover unexpected attacks, shed light on previously opaque distributed systems on the Internet, and understand the impact of consequential vulnerabilities. Finally, I explore how increased contention over IPv4 addresses introduces new challenges for performing large-scale empirical studies. I conclude with suggested directions that the research community needs to consider to retain the degree of visibility that Internet-wide scanning currently provides.
    PHD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. https://deepblue.lib.umich.edu/bitstream/2027.42/138660/1/zakir_1.pd

    Privacy-preserving smart nudging system: resistant to traffic analysis and data breach

    A solution like Green Transportation Choices with IoT and Smart Nudging (SN) aims to resolve urban challenges (e.g., increased traffic, congestion, air pollution, and noise pollution) by influencing people towards environment-friendly decisions in their daily life. The essential aspect of this system is to construct personalized suggestions and positive reinforcement for people to achieve environmentally preferable outcomes. However, the process of tailoring a nudge for a specific person requires analysis of a significant amount of personal data (e.g., the user's location data, health data, activity and more). People are willingly giving up their private data for the greater good of society, making the SN system a target for adversaries seeking to get people's data and misuse them. Yet, preserving user privacy is subtly discussed and often overlooked in the SN system. Meanwhile, the European Union's General Data Protection Regulation (GDPR) tightens the European Union's (EU) already stricter privacy policy. Thus, preserving user privacy is inevitable for a system like SN. Privacy-preserving smart nudging (PPSN) is a new middleware that gives a privacy guarantee for both the users and the SN system and additionally offers GDPR compliance. In the PPSN system, users have full autonomy over their data, and users' data is well protected and inaccessible without the participation of the data owner. In addition to that, the PPSN system gives protection against adversaries that control all the servers but one, observe network traffic and control malicious users. The PPSN system's primary insight is to encrypt as many of the observable variables as possible, if not all, and hide the remainder by adding noise. A prototype implementation of the PPSN system achieves a throughput of 105 messages per second with 24 seconds end-to-end latency for 125k users on a quadcore machine and scales linearly with the number of users.

    Security of Ubiquitous Computing Systems

    The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

    Privacy by evidence: a software development methodology to provide privacy assurance.

    In an increasingly connected world, a diversity of software and sensors collect data from the environment and its inhabitants. Because of the richness of the information collected, privacy becomes an important requirement. Applications are being developed, and, although there are principles and rules regarding the privacy of individuals, there is still a lack of methodologies to guide the integration of privacy guidelines into the development process. Existing methodologies like the Privacy by Design (PbD) are still vague and leave many open questions on how to apply them in practice. In this work we propose the concept of Privacy by Evidence (PbE), a software development methodology to provide privacy assurance. Given the difficulty in providing total privacy in many applications, we propose to document the mitigations in form of evidences of privacy, aiming to increase the confidence of the project. To validate its effectiveness, PbE has been used during the development of four applications that serve as case studies. The first considered case study is a smart metering application; the second considers a people counting and monitoring application; the third considers an energy efficiency monitoring system; and the fourth considers a two factor authentication system. For these applications, the teams were able to provide seven, five, five, and four evidences of privacy, respectively, and we conclude that PbE can be effective in helping to understand and to address the privacy protection needs when developing software. Cape

    Analysis of Malware and Domain Name System Traffic

    Malicious domains host Command and Control servers that are used to instruct infected machines to perpetuate malicious activities such as sending spam, stealing credentials, and launching denial of service attacks. Both static and dynamic analysis of malware as well as monitoring Domain Name System (DNS) traffic provide valuable insight into such malicious activities and help security experts detect and protect against many cyber attacks. Advanced crimeware toolkits were responsible for many recent cyber attacks. In order to understand the inner workings of such toolkits, we present a detailed reverse engineering analysis of the Zeus crimeware toolkit to unveil its underlying architecture and enable its mitigation. Our analysis allows us to provide a breakdown for the structure of the Zeus botnet network messages. In the second part of this work, we develop a framework for analyzing dynamic analysis reports of malware samples. This framework can be used to extract valuable cyber intelligence from the analyzed malware. The obtained intelligence helps reveal more insight into different cyber attacks and uncovers abused domains as well as malicious infrastructure networks. Based on this framework, we develop a severity ranking system for domain names. The system leverages the interaction between domain names and malware samples to extract indicators for malicious behaviors or abuse actions. The system utilizes these behavioral features on a daily basis to produce severity or abuse scores for domain names. Since our system assigns maliciousness scores that describe the level of abuse for each analyzed domain name, it can be considered as a complementary component to existing (binary) reputation systems, which produce long lists with no priorities. We also developed a severity system for name servers based on passive DNS traffic. 
The system leverages the domain names that reside under the authority of name servers to extract indicators for malicious behaviors or abuse actions. It also utilizes these behavioral features on a daily basis to dynamically produce severity or abuse scores for name servers. Finally, we present a system to characterize and detect the payload distribution channels within passive DNS traffic. Our system observes the DNS zone activities of access counts of each resource record type and determines payload distribution channels. Our experiments on near real-time passive DNS traffic demonstrate that our system can detect several resilient malicious payload distribution channels

    Securing the in-vehicle network

    Recent research into automotive security has shown that once a single electronic vehicle component is compromised, it is possible to take control of the vehicle. These components, called Electronic Control Units, are embedded systems which manage a significant part of the functionality of a modern car. They communicate with each other via the in-vehicle network, known as the Controller Area Network, which is the most widely used automotive bus. In this thesis, we introduce a series of novel proposals to improve the security of both the Controller Area Network bus and the Electronic Control Units. The Controller Area Network suffers from a number of shortfalls, one of which is the lack of source authentication. We propose a protocol that mitigates this fundamental shortcoming in the Controller Area Network bus design, and protects against a number of high profile media attacks that have been published. We derive a set of desirable security and compatibility properties which an authentication protocol for the Controller Area Network bus should possess. We evaluate our protocol, along with other proposed protocols in the literature, with respect to the defined properties. Our systematic analysis of the protocols allows the automotive industry to make an informed choice regarding the adoption suitability of these solutions. However, it is not only the communication of Electronic Control Units that needs to be secure, but the firmware running on them as well. The growing number of Electronic Control Units in a vehicle, together with their increasing complexity, prompts the need for automated tools to test their security. Part of the challenge in designing such a tool is the diversity of Electronic Control Unit architectures. To this end, this thesis presents a methodology for extracting the Control Flow Graph from the Electronic Control Unit firmware. 
The Control Flow Graph is a platform independent representation of the firmware control flow, allowing us to abstract from the underlying architecture. We present a fuzzer for Electronic Control Unit firmware fuzz-testing via Controller Area Network. The extracted Control Flow Graph is tagged with static data used in instructions which influence the control flow of the firmware. It is then used to create a set of input seeds for the fuzzer, and in altering the inputs during the fuzzing process. This approach represents a step towards an efficient fuzzing methodology for Electronic Control Units. To our knowledge, this is the first proposal that uses static analysis to guide the fuzzing of Electronic Control Units

    Lightweight wireless network authentication scheme for constrained oracle sensors

    x, 212 leaves : ill. (some col.) ; 29 cm. Includes abstract and appendices. Includes bibliographical references (leaves 136-147).
    With the significant increase in the dependence of contextual data from constrained IoT, the blockchain has been proposed as a possible solution to address growing concerns from organizations. To address this, the Lightweight Blockchain Authentication for Constrained Sensors (LBACS) scheme was proposed and evaluated using quantitative and qualitative methods. LBACS was designed with constrained Wireless Sensor Networks (WSN) in mind and independent of a blockchain implementation. It asserts the authentication and provenance of constrained IoT on the blockchain utilizing a multi-signature approach facilitated by symmetric and asymmetric methods and sufficient considerations for key and certificate registry management. The metrics, threat assessment and comparison to existing WSN authentication schemes conducted asserted the pragmatic use of LBACS to provide authentication, blockchain provenance, integrity, auditable, revocation, weak backward and forward secrecy and universal forgeability. The research has several implications for the ubiquitous use of IoT and growing interest in the blockchain