43,627 research outputs found

    Towards a Secure Zero-rating Framework with Three Parties

    Zero-rating services allow mobile users to access content from contracted CPs free of data charge. In this thesis, we introduce attacks against the zero-rating service that allow extra non-contracted traffic to be transported free of charge. We call this type of attack the 'free-riding' attack. Specifically, we create two types of free-riding attacks: 1) masquerade zero-rating CP attack; 2) response packets modification attack. We conducted multiple experiments on several major commercial cellular and WiFi ISPs in the United States and China. The experimental results show that all these ISPs are vulnerable to free-riding attacks. In this thesis, we also propose a secure and backward compatible zero-rating framework, called ZFree. ZFree authorizes network traffic from valid CPs to be zero-rated. Next, we perform a formal security verification using ProVerif on ZFree. The formal verification results show that ZFree is secure in preserving packet integrity and CP server authenticity. Our evaluation shows that ZFree is lightweight, scalable and secure.

    TRIDEnT: Building Decentralized Incentives for Collaborative Security

    Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (alerts) from multiple sources (collaborative intrusion detection), defenders can detect attacks and take the appropriate defensive measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable and incentivize parties to exchange network alert data, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship to selectively advertise, sell and acquire security alerts in the form of (near) real-time peer-to-peer streams. To validate the basic principles behind TRIDEnT, we present an intuitive game-theoretic model of alert sharing, that is of independent interest, and show that collaboration is bound to take place infinitely often. Furthermore, to demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype. Comment: 28 pages

    Municipal Bonds : Is India ready for more?

    In India, municipal development projects benefiting the public often get impeded by the political and institutional framework of the Central Government. In many cases in India, a major constraint is financing these projects. According to the 12th Finance Commission report most of the infrastructure initiatives have been stalled due to financial constraints. For instance, the shortfall in financing to achieve the water and sanitation sector goals in India’s Tenth Plan is estimated at INR 179 billion. Without the discretion to issue municipal bonds, municipalities are often dependent on transfers from the Government of India (GOI) since direct investment for these projects is difficult to secure. While municipal governments are responsible for public service provision, their ability to do so is often constrained by inadequate GOI appropriations and/or missing municipal bond markets. On the other hand, private investors often lack the incentives to invest in public service projects due to high risks and insufficient returns. As a result, the provision of public goods such as infrastructure projects can be delayed or cancelled. Tax-free municipal bonds provide a potential mechanism to bridge the financing gap. We have described the actual process of municipal bond process using the example of Corporation of Chennai and the desalination water project they propose to build. We present how tax incentives, transfers and private savings tie into the municipal bond framework. We believe that only a well performing municipality can be allowed to be fiscally independent and thus chose the Corporation of Chennai for analysis and go on to show what checks and balances are needed in the Indian scenario to support such a move towards sustainable financial decentralization. This policy paper analyzes four key dimensions of the expansion of the municipal bond market. Firstly, we analyze the driving forces for the evolution of a municipal bond market. 
Secondly, we develop an economic framework to value a municipal debt instrument and to estimate the optimal debt for the municipality to issue. In this section we also discuss the dynamics of the model and impacts of shocks and economic transfers on the municipal debt. Thirdly, we map the stakeholders and analyze the threats and benefits of a municipal bond issuance for these stakeholders. Finally, we recommend a framework for expansion of the municipal bond market while minimizing the potential for fiscal irresponsibility and uncontrolled growth of sub-national debt. We propose the creation of Special Municipal Zones based on strong credit rating, accrual based accounting systems, optimal debt to revenue collection ratios and a strong financial need of the municipalities. To support such Special Municipal Zones, we recommend several key changes in the institutional framework including creation of the Municipal Securities Board of India. Abbreviations: COC Corporation of Chennai, CRISIL Credit Rating Agency in India, FED Federal Reserve Bank, GOI Government of India, HUDCO Housing and Urban Development Corporation, INR Currency code for Indian Currency Rupee, MSBI Municipal Securities Board of India, MSRB Municipal Securities Regulation Board, MWSSB Metropolitan Water Supply and Sewerage Board, RBI Reserve Bank of India, SEBI Securities and Exchange Board of India, SMZ Special Municipal Zone, TNULB Tamil Nadu Urban Local Body, ULB Urban Local Bodies (Municipality)

    Attack-Surface Metrics, OSSTMM and Common Criteria Based Approach to “Composable Security” in Complex Systems

    In recent studies on Complex Systems and Systems-of-Systems theory, a huge effort has been put to cope with behavioral problems, i.e. the possibility of controlling a desired overall or end-to-end behavior by acting on the individual elements that constitute the system itself. This problem is particularly important in the “SMART” environments, where the huge number of devices, their significant computational capabilities as well as their tight interconnection produce a complex architecture for which it is difficult to predict (and control) a desired behavior; furthermore, if the scenario is allowed to dynamically evolve through the modification of both topology and subsystems composition, then the control problem becomes a real challenge. In this perspective, the purpose of this paper is to cope with a specific class of control problems in complex systems, the “composability of security functionalities”, recently introduced by the European Funded research through the pSHIELD and nSHIELD projects (ARTEMIS-JU programme). In a nutshell, the objective of this research is to define a control framework that, given a target security level for a specific application scenario, is able to i) discover the system elements, ii) quantify the security level of each element as well as its contribution to the security of the overall system, and iii) compute the control action to be applied on such elements to reach the security target. The main innovations proposed by the authors are: i) the definition of a comprehensive methodology to quantify the security of a generic system independently from the technology and the environment and ii) the integration of the derived metrics into a closed-loop scheme that allows real-time control of the system. 
The solution described in this work moves from the proof-of-concepts performed in the early phase of the pSHIELD research and enriches it through an innovative metric with a sound foundation, able to potentially cope with any kind of application scenarios (railways, automotive, manufacturing, ...).

    Prochlo: Strong Privacy for Analytics in the Crowd

    The large-scale monitoring of computer users' software activities has become commonplace, e.g., for application telemetry, error reporting, or demographic profiling. This paper describes a principled systems architecture---Encode, Shuffle, Analyze (ESA)---for performing such monitoring with high utility while also protecting user privacy. The ESA design, and its Prochlo implementation, are informed by our practical experiences with an existing, large deployment of privacy-preserving software monitoring. (cont.; see the paper)

    “Financial alchemy” or a zero sum game? Real estate finance, securitisation and the UK property market

    Following the US model, the UK has seen considerable innovation in the funding, finance and procurement of real estate in the last decade. In the growing CMBS market asset backed securitisations have included $2.25 billion secured on the Broadgate office development and issues secured on Canary Wharf and the Trafford Centre regional mall. Major occupiers (retailer Sainsbury’s, retail bank Abbey National) have engaged in innovative sale & leaseback and outsourcing schemes. Strong claims are made concerning the benefits of such schemes – e.g. British Land were reported to have reduced their weighted cost of debt by 150bp as a result of the Broadgate issue. The paper reports preliminary findings from a project funded by the Corporation of London and the RICS Research Foundation examining a number of innovative schemes to identify, within a formal finance framework, sources of added value and hidden costs. The analysis indicates that many of the gains claimed conceal costs – in terms of market value of debt or flexibility of management – while others result from unusual firm or market conditions (for example utilising the UK long lease and the unusual shape of the yield curve). Nonetheless, there are real gains resulting from the innovations, reflecting arbitrage and institutional constraints in the direct (private) real estate market.