Cloud computing technology has succeeded in attracting the interest of both academics and industries because of its ability to provide flexible, cost-effective, and adaptable services in IT solution deployment. The services offered to Cloud Service Subscriber (CSS) are based on the concept of on-demand self-service, scalability, and rapid elasticity, which allows fast deployment of IT solutions, whilst leads to possible misconfiguration, un-patched system, etc. which, allows security threats to compromise the cloud services operations. From the viewpoint of Cloud Service Provider (CSP), incidents such as data loss and information breach, will tarnish their reputations, whilst allow them to conserve the issues internally, in which there is no transparency between CSP and CSS. In the aspects of information security, CSP is encouraged to practice cybersecurity in their cloud services by adopting ISO/IEC27017:2015 inclusive of all additional security controls as mandatory requirements. This study was conducted to identify factors that are influencing the CSP readiness level in the cybersecurity implementation of their cloud services by leveraging the developed pre-assessment model to determine the level of cloud security readiness. Approached the study is based on the combination of qualitative and quantitative assessment method in validating the proposed model through interview and prototype testing. The findings of this study had shown that factors that influence the CSP level of cloud security readiness are based on these domains; technology, organisation, policy, stakeholders, culture, knowledge, and environment. The contribution of the study as a Pre-Assessment Model for CSP which is suitable to be used as a guideline to provide a safer cloud computing environment.
OpenFlow makes a network highly flexible and fast-evolving by separating control and data planes. The control plane thus becomes responsive to changes in topology and load balancing requirements. OpenFlow also offers a new approach to handle security threats accurately and responsively. Therefore, it is used as an innovative firewall that acts as a first-hop security to protect networks against malicious users. However, the firewall provided by OpenFlow suffers from Internet protocol version 6 (IPv6) fragmentation, which can be used to bypass the OpenFlow firewall. The OpenFlow firewall cannot identify the message payload unless the switch implements IPv6 fragment reassembly. This study tests the IPv6 fragmented packets that can evade the OpenFlow firewall, and proposes a new mechanism to guard against attacks carried out by malicious users to exploit IPv6 fragmentation loophole in OpenFlow networks. The proposed mechanism is evaluated in a simulated environment by using six scenarios, and results exhibit that the proposed mechanism effectively fixes the loophole and successfully prevents the abuse of IPv6 fragmentation in OpenFlow networks.
As a result of a shift in the world of technology, the combination of ubiquitous mobile networks and cloud computing produced the mobile cloud computing (MCC) domain. As a consequence of a major concern of cloud users, privacy and data protection are getting substantial attention in the field. Currently, a considerable number of papers have been published on MCC with a growing interest in privacy and data protection. Along with this advance in MCC, however, no specific investigation highlights the results of the existing studies in privacy and data protection. In addition, there are no particular exploration highlights trends and open issues in the domain. Accordingly, the objective of this paper is to highlight the results of existing primary studies published in privacy and data protection in MCC to identify current trends and open issues. In this investigation, a systematic mapping study was conducted with a set of six research questions. A total of 1711 studies published from 2009 to 2019 were obtained. Following a filtering process, a collection of 74 primary studies were selected. As a result, the present data privacy threats, attacks, and solutions were identified. Also, the ongoing trends of data privacy exercise were observed. Moreover, the most utilized measures, research type, and contribution type facets were emphasized. Additionally, the current open research issues in privacy and data protection in MCC were highlighted. Furthermore, the results demonstrate the current state-of-the-art of privacy and data protection in MCC, and the conclusion will help to identify research trends and open issues in MCC for researchers and offer useful information in MCC for practitioners.
Providing security and privacy to the Internet of Things (IoT) networks while achieving it with minimum performance requirements is an open research challenge. Blockchain technology, as a distributed and decentralized ledger, is a potential solution to tackle the limitations of the current peer-to-peer IoT networks. This paper presents the development of an integrated IoT system implementing the permissioned blockchain Hyperledger Fabric (HLF) to secure the edge computing devices by employing a local authentication process. In addition, the proposed model provides traceability for the data generated by the IoT devices. The presented solution also addresses the IoT systems' scalability challenges, the processing power and storage issues of the IoT edge devices in the blockchain network. A set of built-in queries is leveraged by smart-contracts technology to define the rules and conditions. The paper validates the performance of the proposed model with practical implementation by measuring performance metrics such as transaction throughput and latency, resource consumption, and network use. The results show that the proposed platform with the HLF implementation is promising for the security of resource-constrained IoT devices and is scalable for deployment in various IoT scenarios.
The proliferation of smart devices in the Internet of Things (IoT) networks creates significant security challenges for the communications between such devices. Blockchain is a decentralized and distributed technology that can potentially tackle the security problems within the 5G-enabled IoT networks. This paper proposes a Multi layer Blockchain Security model to protect IoT networks while simplifying the implementation. The concept of clustering is utilized in order to facilitate the multi-layer architecture. The K-unknown clusters are defined within the IoT network by applying techniques that utillize a hybrid Evolutionary Computation Algorithm while using Simulated Annealing and Genetic Algorithms. The chosen cluster heads are responsible for local authentication and authorization. Local private blockchain implementation facilitates communications between the cluster heads and relevant base stations. Such a blockchain enhances credibility assurance and security while also providing a network authentication mechanism. The open-source Hyperledger Fabric Blockchain platform is deployed for the proposed model development. Base stations adopt a global blockchain approach to communicate with each other securely. The simulation results demonstrate that the proposed clustering algorithm performs well when compared to the earlier reported approaches. The proposed lightweight blockchain model is also shown to be better suited to balance network latency and throughput as compared to a traditional global blockchain.
The development of the industrial Internet of Things (IIoT) promotes the integration of the cross-platform systems in fog computing, which enable users to obtain access to multiple application located in different geographical locations. Fog users at the network's edge communicate with many fog servers in different fogs and newly joined servers that they had never contacted before. This communication complexity brings enormous security challenges and potential vulnerability to malicious threats. The attacker may replace the edge device with a fake one and authenticate it as a legitimate device. Therefore, to prevent unauthorized users from accessing fog servers, we propose a new secure and lightweight multi-factor authentication scheme for cross-platform IoT systems (SELAMAT). The proposed scheme extends the Kerberos workflow and utilizes the AES-ECC algorithm for efficient encryption keys management and secure communication between the edge nodes and fog node servers to establish secure mutual authentication. The scheme was tested for its security analysis using the formal security verification under the widely accepted AVISPA tool. We proved our scheme using Burrows Abdi Needham's logic (BAN logic) to prove secure mutual authentication. The results show that the SELAMAT scheme provides better security, functionality, communication, and computation cost than the existing schemes.
Postquantum cryptography for elevating security against attacks by quantum computers in the Internet of Everything (IoE) is still in its infancy. Most postquantum based cryptosystems have longer keys and signature sizes and require more computations that span several orders of magnitude in energy consumption and computation time, hence the sizes of the keys and signature are considered as another aspect of security by green design. To address these issues, the security solutions should migrate to the advanced and potent methods for protection against quantum attacks and offer energy efficient and faster cryptocomputations. In this context, a novel security framework Lightweight Postquantum ID-based Signature (LPQS) for secure communication in the IoE environment is presented. The proposed LPQS framework incorporates a supersingular isogeny curve to present a digital signature with small key sizes which is quantum-resistant. To reduce the size of the keys, compressed curves are used and the validation of the signature depends on the commutative property of the curves. The unforgeability of LPQS under an adaptively chosen message attack is proved. Security analysis and the experimental validation of LPQS are performed under a realistic software simulation environment to assess its lightweight performance considering embedded nodes. It is evident that the size of keys and the signature of LPQS is smaller than that of existing signature-based postquantum security techniques for IoE. It is robust in the postquantum environment and efficient in terms of energy and computations.
Blockchain technology provides a tremendous opportunity to transform current personal health record (PHR) systems into a decentralised network infrastructure. However, such technology possesses some drawbacks, such as issues in privacy and storage capacity. Given its transparency and decentralised features, medical data are visible to everyone on the network and are inappropriate for certain medical applications. By contrast, storing vast medical data, such as patient medical history, laboratory tests, X-rays, and MRIs, significantly affect the repository storage of blockchain. This study bridges the gap between PHRs and blockchain technology by offloading the vast medical data into the InterPlanetary File System (IPFS) storage and establishing an enforced cryptographic authorisation and access control scheme for outsourced encrypted medical data. The access control scheme is constructed on the basis of the new lightweight cryptographic concept named smart contract-based attribute-based searchable encryption (SC-ABSE). This newly cryptographic primitive is developed by extending ciphertext-policy attribute-based encryption (CP-ABE) and searchable symmetric encryption (SSE) and by leveraging the technology of smart contracts to achieve the following: (1) efficient and secure fine-grained access control of outsourced encrypted data, (2) confidentiality of data by eliminating trusted private key generators, and (3) multikeyword searchable mechanism. Based on decisional bilinear Diffie-Hellman hardness assumptions (DBDH) and discrete logarithm (DL) problems, the rigorous security indistinguishability analysis indicates that SC-ABSE is secure against the chosen-keyword attack (CKA) and keyword secrecy (KS) in the standard model. In addition, user collusion attacks are prevented, and the tamper-proof resistance of data is ensured. Furthermore, security validation is verified by simulating a formal verification scenario using Automated Validation of Internet Security Protocols and Applications (AVISPA), thereby unveiling that SC-ABSE is resistant to man-in-the-middle (MIM) and replay attacks. The experimental analysis utilised real-world datasets to demonstrate the efficiency and utility of SC-ABSE in terms of computation overhead, storage cost and communication overhead. The proposed scheme is also designed and developed to evaluate throughput and latency transactions using a standard benchmark tool known as Caliper. Lastly, simulation results show that SC-ABSE has high throughput and low latency, with an ultimate increase in network life compared with traditional healthcare systems.
Successful cyber-attacks are caused by the exploitation of some vulnerabilities in the software and/or hardware that exist in systems deployed in premises or the cloud. Although hundreds of vulnerabilities are discovered every year, only a small fraction of them actually become exploited, thereby there exists a severe class imbalance between the number of exploited and non-exploited vulnerabilities. The open source national vulnerability database, the largest repository to index and maintain all known vulnerabilities, assigns a unique identifier to each vulnerability. Each registered vulnerability also gets a severity score based on the impact it might inflict upon if compromised. Recent research works showed that the cvss score is not the only factor to select a vulnerability for exploitation, and other attributes in the national vulnerability database can be effectively utilized as predictive feature to predict the most exploitable vulnerabilities. Since cybersecurity management is highly resource savvy, organizations such as cloud systems will benefit when the most likely exploitable vulnerabilities that exist in their system software or hardware can be predicted with as much accuracy and reliability as possible, to best utilize the available resources to fix those first. Various existing research works have developed vulnerability exploitation prediction models by addressing the existing class imbalance based on algorithmic and artificial data resampling techniques but still suffer greatly from the overfitting problem to the major class rendering them practically unreliable. In this research, we have designed a novel cost function feature to address the existing class imbalance. We also have utilized the available large text corpus in the extracted dataset to develop a custom-trained word vector that can better capture the context of the local text data for utilization as an embedded layer in neural networks. Our developed vulnerability exploitation prediction models powered by a novel cost function and custom-trained word vector have achieved very high overall performance metrics for accuracy, precision, recall, F1-Score and AUC score with values of 0.92, 0.89, 0.98, 0.94 and 0.97, respectively, thereby outperforming any existing models while successfully overcoming the existing overfitting problem for class imbalance.
One of the most dangerous kinds of attacks affecting computers is a distributed denial of services (DDoS) attack. The main goal of this attack is to bring the targeted machine down and make their services unavailable to legal users. This can be accomplished mainly by directing many machines to send a very large number of packets toward the specified machine to consume its resources and stop it from working. We implemented a method using Java based on entropy and sequential probabilities ratio test (ESPRT) methods to identify malicious flows and their switch interfaces that aid them in passing through. Entropy (E) is the first technique, and the sequential probabilities ratio test (SPRT) is the second technique. The entropy method alone compares its results with a certain threshold in order to make a decision. The accuracy and F-scores for entropy results thus changed when the threshold values changed. Using both entropy and SPRT removed the uncertainty associated with the entropy threshold. The false positive rate was also reduced when combining both techniques. Entropy-based detection methods divide incoming traffic into groups of traffic that have the same size. The size of these groups is determined by a parameter called window size. The Defense Advanced Research Projects Agency (DARPA) 1998, DARPA2000, and Canadian Institute for Cybersecurity (CIC-DDoS2019) databases were used to evaluate the implementation of this method. The metric of a confusion matrix was used to compare the ESPRT results with the results of other methods. The accuracy and f-scores for the DARPA 1998 dataset were 0.995 and 0.997, respectively, for the ESPRT method when the window size was set at 50 and 75 packets. The detection rate of ESPRT for the same dataset was 0.995 when the window size was set to 10 packets. The average accuracy for the DARPA 2000 dataset for ESPRT was 0.905, and the detection rate was 0.929. Finally, ESPRT was scalable to a multiple domain topology application.
The inherent complexities of Industrial Internet of Things (IIoT) architecture make its security and privacy issues becoming critically challenging. Numerous surveys have been published to review IoT security issues and challenges. The studies gave a general overview of IIoT security threats or a detailed analysis that explicitly focuses on specific technologies. However, recent studies fail to analyze the gap between security requirements of these technologies and their deployed countermeasure in the industry recently. Whether recent industry countermeasure is still adequate to address the security challenges of IIoT environment are questionable. This article presents a comprehensive survey of IIoT security and provides insight into today's industry countermeasure, current research proposals and ongoing challenges. We classify IIoT technologies into the four-layer security architecture, examine the deployed countermeasure based on CIA+ security requirements, report the deficiencies of today's countermeasure, and highlight the remaining open issues and challenges. As no single solution can fix the entire IIoT ecosystem, IIoT security architecture with a higher abstraction level using the bottom-up approach is needed. Moving towards a data-centric approach that assures data protection whenever and wherever it goes could potentially solve the challenges of industry deployment.
Cyberattacks have changed dramatically and have become highly advanced. This latest phenomenon has a massive negative impact on organizations, such as financial losses and shutting-down of operations. Therefore, developing and implementing the Cyber Security Operations Centre (SOC) is imperative and timely. Based on previous research, there are no international guidelines and standards used by organizations that can contribute to the successful implementation and development of SOC. In this regard, this study focuses on highlighting the significant factors that will impact and contribute to the success of SOC. Simultaneously, it will further design a model for the successful development and implementation of SOC for the organization. The study was conducted quantitatively and involved 63 respondents from 25 ministries and agencies in Malaysia. The results of this study will enable the retrieval of ten success factors for SOC, and it specifically focuses on humans, processes, and technology. The descriptive analysis shows that the top management support factor is the most influential factor in the success of the development and implementation of SOC. The study also contributes to the empirical finding that technology and process factors are more significant in the success of SOCs. Based on the regression test, the technology factor has major impact on determining the success of SOC, followed by the process and human factors. Relevant organizations or agencies can use the proposed model to develop and implement SOCs, formulate policies and guidelines, strengthen human models, and enhance cyber security.
The evolution of malware is causing mobile devices to crash with increasing frequency. Therefore, adequate security evaluations that detect Android malware are crucial. Two techniques can be used in this regard: Static analysis, which meticulously examines the full codes of applications, and dynamic analysis, which monitors malware behaviour. While both perform security evaluations successfully, there is still room for improvement. The goal of this research is to examine the effectiveness of static analysis to detect Android malware by using permission-based features. This study proposes machine learning with different sets of classifiers was used to evaluate Android malware detection. The feature selection method in this study was applied to determine which features were most capable of distinguishing malware. A total of 5,000 Drebin malware samples and 5,000 Androzoo benign samples were utilised. The performances of the different sets of classifiers were then compared. The results indicated that with a TPR value of 91.6%, the Random Forest algorithm achieved the highest level of accuracy in malware detection.
Digital signature schemes (DSS) are ubiquitously used for public authentication in the infrastructure of the internet, in addition to their use as a cryptographic tool to construct even more sophisticated schemes such as those that are identity-based. The security of DSS is analyzed through the existential unforgeability under chosen message attack (EUF-CMA) experiment which promises unforgeability of signatures on new messages even when the attacker has access to an arbitrary set of messages and their corresponding signatures. However, the EUF-CMA model does not account for attacks such as an attacker forging a different signature on an existing message, even though the attack could be devastating in the real world and constitutes a severe breach of the security system. Nonetheless, most of the DSS are not analyzed in this security model, which possibly makes them vulnerable to such an attack. In contrast, a better security notion known as strong EUF-CMA (sEUF-CMA) is designed to be resistant to such attacks. This review aims to identify DSS in the literature that are secure in the sEUF-CMA model. In addition, the article discusses the challenges and future directions of DSS. In our review, we consider the security of existing DSS that fit our criterion in the sEUF-CMA model; our criterion is simple as we only require the DSS to be at least secure against the minimum of existential forgery. Our findings are categorized into two classes: the direct and indirect classes of sEUF-CMA. The former is inherently sEUF-CMA without any modification while the latter requires some transformation. Our comprehensive review contributes to the security and cryptographic research community by discussing the efficiency and security of DSS that are sEUF-CMA, which aids in selecting robust DSS in future design considerations.
Smart home technologies have attracted more users in recent years due to significant advancements in their underlying enabler components, such as sensors, actuators, and processors, which are spreading in various domains and have become more affordable. However, these IoT-based solutions are prone to data leakage; this privacy issue has motivated researchers to seek a secure solution to overcome this challenge. In this regard, wireless signal eavesdropping is one of the most severe threats that enables attackers to obtain residents' sensitive information. Even if the system encrypts all communications, some cyber attacks can still steal information by interpreting the contextual data related to the transmitted signals. For example, a "fingerprint and timing-based snooping (FATS)" attack is a side-channel attack (SCA) developed to infer in-home activities passively from a remote location near the targeted house. An SCA is a sort of cyber attack that extracts valuable information from smart systems without accessing the content of data packets. This paper reviews the SCAs associated with cyber-physical systems, focusing on the proposed solutions to protect the privacy of smart homes against FATS attacks in detail. Moreover, this work clarifies shortcomings and future opportunities by analyzing the existing gaps in the reviewed methods.
The COVID-19 pandemic is currently having disastrous effects on every part of human life everywhere in the world. There have been terrible losses for the entire human race in all nations and areas. It is crucial to take good precautions and prevent COVID-19 because of its high infectiousness and fatality rate. One of the key spreading routes has been identified to be transportation systems. Therefore, improving infection tracking and healthcare monitoring for high-mobility transportation systems is impractical for pandemic control. In order to enhance driving enjoyment and road safety, 5G-enabled vehicular fog computing may gather and interpret pertinent vehicle data, which open the door to non-contact autonomous healthcare monitoring. Due to the urgent need to contain the automotive pandemic, this paper proposes a COVID-19 vehicle based on an efficient mutual authentication scheme for 5G-enabled vehicular fog computing. The proposed scheme consists of two different aspects of the special flag, SF = 0 and SF = 1, denoting normal and COVID-19 vehicles, respectively. The proposed scheme satisfies privacy and security requirements as well as achieves COVID-19 and healthcare solutions. Finally, the performance evaluation section shows that the proposed scheme is more efficient in terms of communication and computation costs as compared to most recent related works.
With continuous advancements in Internet technology and the increased use of cryptographic techniques, the cloud has become the obvious choice for data sharing. Generally, the data are outsourced to cloud storage servers in encrypted form. Access control methods can be used on encrypted outsourced data to facilitate and regulate access. Multi-authority attribute-based encryption is a propitious technique to control who can access encrypted data in inter-domain applications such as sharing data between organizations, sharing data in healthcare, etc. The data owner may require the flexibility to share the data with known and unknown users. The known or closed-domain users may be internal employees of the organization, and unknown or open-domain users may be outside agencies, third-party users, etc. In the case of closed-domain users, the data owner becomes the key issuing authority, and in the case of open-domain users, various established attribute authorities perform the task of key issuance. Privacy preservation is also a crucial requirement in cloud-based data-sharing systems. This work proposes the SP-MAACS scheme, a secure and privacy-preserving multi-authority access control system for cloud-based healthcare data sharing. Both open and closed domain users are considered, and policy privacy is ensured by only disclosing the names of policy attributes. The values of the attributes are kept hidden. Characteristic comparison with similar existing schemes shows that our scheme simultaneously provides features such as multi-authority setting, expressive and flexible access policy structure, privacy preservation, and scalability. The performance analysis carried out by us shows that the decryption cost is reasonable enough. Furthermore, the scheme is demonstrated to be adaptively secure under the standard model.
The Internet of Things (IoT) uses wireless networks without infrastructure to install a huge number of wireless sensors that track system, physical, and environmental factors. There are a variety of WSN uses, and some well-known application factors include energy consumption and lifespan duration for routing purposes. The sensors have detecting, processing, and communication capabilities. In this paper, an intelligent healthcare system is proposed which consists of nano sensors that collect real-time health status and transfer it to the doctor's server. Time consumption and various attacks are major concerns, and some existing techniques contain stumbling blocks. Therefore, in this research, a genetic-based encryption method is advocated to protect data transmitted over a wireless channel using sensors to avoid an uncomfortable data transmission environment. An authentication procedure is also proposed for legitimate users to access the data channel. Results show that the proposed algorithm is lightweight and energy efficient, and time consumption is 90% lower with a higher security ratio.
The Internet of vehicles (IoVs) is an innovative paradigm which ensures a safe journey by communicating with other vehicles. It involves a basic safety message (BSM) that contains sensitive information in a plain text that can be subverted by an adversary. To reduce such attacks, a pool of pseudonyms is allotted which are changed regularly in different zones or contexts. In base schemes, the BSM is sent to neighbors just by considering their speed. However, this parameter is not enough because network topology is very dynamic and vehicles can change their route at any time. This problem increases pseudonym consumption which ultimately increases communication overhead, increases traceability and has high BSM loss. This paper presents an efficient pseudonym consumption protocol (EPCP) which considers the vehicles in the same direction, and similar estimated location. The BSM is shared only to these relevant vehicles. The performance of the purposed scheme in contrast to base schemes is validated via extensive simulations. The results prove that the proposed EPCP technique outperformed compared to its counterparts in terms of pseudonym consumption, BSM loss rate and achieved traceability.
Programmable Object Interfaces are increasingly intriguing researchers because of their broader applications, especially in the medical field. In a Wireless Body Area Network (WBAN), for example, patients' health can be monitored using clinical nano sensors. Exchanging such sensitive data requires a high level of security and protection against attacks. To that end, the literature is rich with security schemes that include the advanced encryption standard, secure hashing algorithm, and digital signatures that aim to secure the data exchange. However, such schemes elevate the time complexity, rendering the data transmission slower. Cognitive radio technology with a medical body area network system involves communication links between WBAN gateways, server and nano sensors, which renders the entire system vulnerable to security attacks. In this paper, a novel DNA-based encryption technique is proposed to secure medical data sharing between sensing devices and central repositories. It has less computational time throughout authentication, encryption, and decryption. Our analysis of experimental attack scenarios shows that our technique is better than its counterparts.