2014 Conference on Information Assurance and Cyber Security (CIACS) was held 12-13 June 2014 at Rawalpindi, Pakistan. Sponsored by the Department of Information Security (IS Department) at Military College of Signals, NUST, Pakistan, CIACS is a forum of academic and professional research, the conference includes 5 regular papers and 5 short papers that have been selected through double blind review process from a total of 65 high quality technical paper submissions, thereby having an acceptance rate of about 7.69% for regular papers and 15.38% for short papers. The papers collected in these proceedings cover topics like Authentication and Access Control, Botnets, Cryptography and Cryptanalysis, Data Security and Privacy, Digital Signatures, Information Hiding, Key Management, Secure Programming, Cloud Security, Computer Security, Database Security, Distributed Systems Security, Internet Security, Operating Systems Security, Physical Security, Social Networks Security, Web Services Security, Wireless Networks Security, Cyber Crime and Social Implications, Cyber Laws, Information Security Auditing and Management, Information Security Strategy, Security Standards and Best Practices, Cloud Forensics, Computer Emergency Response Team (CERT), Digital Forensics, Ethical Hacking, Future of Information Security, Incident Response, Malware Detection and Analysis, Penetration Testing and Vulnerability Assessment.
Zahid, A.; Masood, R.; Shibli, M.A., "Security of Sharded Nosql Databases: A Comparative Analysis," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.1, 8, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861323 NoSQL databases are easy to scale-out because of their flexible schema and support for BASE (Basically Available, Soft State and Eventually Consistent) properties. The process of scaling-out in most of these databases is supported by sharding which is considered as the key feature in providing faster reads and writes to the database. However, securing the data sharded over various servers is a challenging problem because of the data being distributedly processed and transmitted over the unsecured network. Though, extensive research has been performed on NoSQL sharding mechanisms but no specific criterion has been defined to analyze the security of sharded architecture. This paper proposes an assessment criterion comprising various security features for the analysis of sharded NoSQL databases. It presents a detailed view of the security features offered by NoSQL databases and analyzes them with respect to proposed assessment criteria. The presented analysis helps various organizations in the selection of appropriate and reliable database in accordance with their preferences and security requirements.
Keywords: SQL; security of data; BASE; NoSQL sharding mechanisms; assessment criterion ;security features; sharded NoSQL databases; Access control; Authentication; Distributed databases; Encryption; Servers; Comparative Analysis; Data and Applications Security; Database Security; NoSQL; Sharding (ID#: 14-3382)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861323&isnumber=6861314
Sajjad, S.M.; Yousaf, M., "Security Analysis of IEEE 802.15.4 MAC in the Context of Internet of Things (IoT)," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.9,14, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861324 A paradigm in which household substances around us with embedded computational competences and capable of producing and distributing information is referred to as Internet of Things (IoT). IEEE 802.15.4 presents power efficient MAC layer for Internet of Things (IoT). For the preservation of privacy and security, Internet of Things (IoT) needs stern security mechanism so as to stop mischievous communication inside the IoT structure. For this purpose security weaknesses of the MAC protocol of IEEE 802.15.4 and their most important attacks have to be examined. Also security charter of IEEE 802.15.4 is to be analyzed in order to ascertain their limitations with regard to Internet of Things (IoT). Various ranges of attacks taking place in the Contention Free Period (CFP) in addition to Contention Access Period (CAP) of the super-frame structure needs to be explored and discussed. In view of the shortlisted weaknesses we would be arriving at the conclusion that the IEEE 802.15.4 security charter may be harmonized in accordance with the requirements of the Internet of Things. The missing functionalities may be incorporated in the upper layers of Internet of Things (IoT) Architecture.
Keywords: {Internet of Things; Zigbee; access protocols; computer network security; CAP; CFP; IEEE 802.15.4 MAC protocol; IEEE 802.15.4 security charter; Internet of Things; IoT; contention access period; contention free period; security mechanism; IEEE 802.15 Standards; Internet of Things; Payloads; Protocols; Radiation detectors; Security; Synchronization; IEEE 802.15.4;Internet of Things; IoT IETF Standardization; IoT Protocol Stack; Security (ID#: 14-3383)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861324&isnumber=6861314
Mahmood, A.; Akbar, A.H., "Threats in End To End Commercial Deployments Of Wireless Sensor Networks And Their Cross Layer Solution," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.15,22, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861325 Commercial Wireless Sensor Networks (WSNs) can be accessed through sensor web portals. However, associated security implications and threats to the 1) users/subscribers 2) investors and 3) third party operators regarding sensor web portals are not seen in completeness, rather the contemporary work handles them in parts. In this paper, we discuss different kind of security attacks and vulnerabilities at different layers to the users, investors including Wireless Sensor Network Service Providers (WSNSPs) and WSN itself in relation with the two well-known documents i.e., “Department of Homeland Security” (DHS) and “Department of Defense (DOD)”, as these are standard security documents till date. Further we propose a comprehensive cross layer security solution in the light of guidelines given in the aforementioned documents that is minimalist in implementation and achieves the purported security goals.
Keywords: {telecommunication security; wireless sensor networks; Department of Defense; Department of Homeland Security; WSNSP; cross layer security solution; cross layer solution; end to end commercial deployments; security attacks; security goals; sensor web portals; standard security documents; wireless sensor network service providers; Availability; Mobile communication; Portals; Security; Web servers; Wireless sensor networks; Wireless sensor network; attacks; commercial; security; sensor portal; threats; web services (ID#: 14-3384)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861325&isnumber=6861314
Waqas, A.; Yusof, Z.M.; Shah, A.; Khan, M.A., "ReSA: Architecture for Resources Sharing Between Clouds," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.23, 28, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861326 Cloud computing has emerged as paradigm for hosting and delivering services over the Internet. It is evolved as a key computing platform for delivering on-demand resources that include infrastructures, software, applications, and business processes. Mostly, clouds are deployed in a way that they are often isolated from each other. These implementations cause lacking of resources collaboration between different clouds. For example, cloud consumer requests some resource and that is not available at that point in time. Client satisfaction is important for business as denying the client may be expensive in many ways. To fulfill the client request, the cloud may ask the requested resource from some other cloud. In this research paper we aim to propose a trust worthy architecture named ReSA (Resource Sharing Architecture) for sharing on-demand resources between different clouds that may be managed under same or different rules, policies and management.
Keywords: cloud computing; resource allocation; security of data; software architecture; Internet; ReSA; Resource Sharing Architecture; client request; client satisfaction; cloud computing; resources collaboration; service delivery; service hosting; trust worthy architecture; Cloud computing; Computational modeling; Computer architecture; Resource management; Software as a service; Standards organizations; cloud architecture; cloud computing; federated clouds; resource collaboration; resource management (ID#: 14-3385)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861326&isnumber=6861314
Arshad, A.; Kundi, D.-e.-S.; Aziz, A., "Compact Implementation of SHA3-512 on FPGA," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp. 29, 33, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861327 In this work we present a compact design of newly selected Secure Hash Algorithm (SHA-3) on Xilinx Field Programable Gate Array (FPGA) device Virtex-5. The design is logically optimized for area efficiency by merging Rho, Pi and Chi steps of algorithm into single step. By logically merging these three steps we save 16 % logical resources for overall implementation. It in turn reduced latency and enhanced maximum operating frequency of design. It utilizes only 240 Slices and has frequency of 301.02 MHz. Comparing the results of our design with the previously reported FPGA implementations of SHA3-512, our design shows the best throughput per slice (TPS) ratio of 30.1.
Keywords: cryptography; field programmable gate arrays; logic design; Chi step; FPGA; Pi step; Rho step;SHA3-512;TPS;Virtex-5;Xilinx field programable gate array device; area efficiency; compact implementation; cryptographic hash function; latency reduction; maximum operating frequency enhancement; secure hash algorithm; throughput-per-slice ratio; Algorithm design and analysis; Arrays; Clocks; Field programmable gate arrays; Hardware; Signal processing algorithms;Throughput;Cryptography;FPGA;SHA3;Security; Xilinx (ID#: 14-3386)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861327&isnumber=6861314
Chattha, N.A., "NFC — Vulnerabilities and Defense," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.35,38, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861328 Near Field Communication (NFC) has been in use for quite some time by many users in mobile devices. Its use is increasing by the rapid increase in the availability of the NFC enabled devices in the market. It enables data transfer by bringing the two devices in close proximity, about 3-5 inches. It is designed for integration with mobile phones, which can communicate with other phones (peer-to-peer) or read information on tags and cards (reader). An NFC device can also be put in card emulation mode, to offer compatibility with other contactless smart card standards. This enables NFC enabled smart-phones to replace traditional contactless plastic cards used in public transport ticketing, access control, ATMs and other similar applications. NFC is a new and innovative technology with futuristic uses, but technology comes at a price both in terms of financial effects as well as the maintenance costs. The most pertinent concern would be that how much vulnerable the new technology is. There had already been instances where the security of NFC has been put to questions. It is vulnerable to numerous kinds of attacks. This research paper will list down the basic working principles of NFC, the protocols involved, vulnerabilities reported so far and possible countermeasures against the weaknesses.
Keywords: near-field communication; protocols; radiofrequency identification; smart cards; smart phones; telecommunication security; NFC enabled devices; NFC enabled smart-phones; NFC security; card emulation mode; contactless smart card standards; data transfer; mobile devices; mobile phones; near field communication; protocols; radio frequency identification; Emulation; Mobile handsets; Peer-to-peer computing; Protocols; Radio frequency; Radiofrequency identification; Security; NFC; NFC security; Near Field Communication; RFID; Radio Frequency Identification (ID#: 14-3387)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861328&isnumber=6861314
Javid, T.; Riaz, T.; Rasheed, A., "A Layer2 Firewall For Software Defined Network," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.39,42, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861329 The software defined networking is an emerging three layer architecture which defines data, control, and application planes. Data and control planes implement forwarding and routing functions, respectively. Application plane contains communicating processes. This paper presents a layer2 fire-wall implementation using an example tree topology with one controller, three switches, and four hosts. Our implementation uses POX controller at control plane of the architecture. The modified code successfully controlled flow of packets between hosts according to firewall rules.
Keywords: firewalls; POX controller; example tree topology; forwarding function; layer2 firewall implementation; routing function; software defined networking; three layer architecture; Computer architecture; Control systems ;Firewalls (computing); Flowcharts; Network topology; Ports (Computers);Topology; Firewall; Mininet; OpenFlow; POX; SDN (ID#: 14-3388)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861329&isnumber=6861314
Durrani, A., "Analysis and Prevention Of Vulnerabilities In Cloud Applications," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.43, 46, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861330 Cloud computing has emerged as the single most talked about technology of recent times. Its aim, to provide agile information technology solutions and infrastructure is the primary reason for its popularity. It enables the organizations to ensure that their resources are utilized efficiently, development process is enhanced and investments or costs incurred to buy technological resources are reduced. At the same time Cloud computing is being scrutinized in the security world due to the various vulnerabilities and threats that it poses to the user data or resources. This paper highlights the vulnerabilities that exist in applications available on the cloud and aims to make an analysis of different types of security holes found in these applications by using open source vulnerability assessment tools. It identifies the security requirements pertinent to these applications and makes an assessment whether these requirements were met by them by testing two of these applications using the vulnerability tools. It also provides remedial measures for the security holes found in these applications and enables the user to select a secure provider for themselves while at the same time enabling the cloud provider to improve their services and find a competitive edge in the market.
Keywords: cloud computing; security of data; agile information technology solutions; cloud applications; cloud computing; development process enhancement; open source vulnerability assessment tools; resource utilization; security holes; security requirements; vulnerability analysis; vulnerability prevention; Cloud computing; Electronic mail; Encryption; Linux; Organizations; Servers; Kali Linux; Vega; Vmware; cloud computing; degaussing; deployment models; multi client environment (ID#: 14-3389)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861330&isnumber=6861314
Butt, M.I.A., "BIOS Integrity and Advanced Persistent Threat," Information Assurance and Cyber Security (CIACS), 2014 Conference on, pp.47,50, 12-13 June 2014. doi: 10.1109/CIACS.2014.6861331 Basic Input Output System (BIOS) is the most important component of a computer system by virtue of its role i.e., it holds the code which is executed at the time of startup. It is considered as the trusted computing base, and its integrity is extremely important for smooth functioning of the system. On the contrary, BIOS of new computer systems (servers, laptops, desktops, network devices, and other embedded systems) can be easily upgraded using a flash or capsule mechanism which can add new vulnerabilities either through malicious code, or by accidental incidents, and deliberate attack. The recent attack on Iranian Nuclear Power Plant (Stuxnet) [1:2] is an example of advanced persistent attack. This attack vector adds a new dimension into the information security (IS) spectrum, which needs to be guarded by implementing a holistic approach employed at enterprise level. Malicious BIOS upgrades can also cause denial of service, stealing of information or addition of new backdoors which can be exploited by attackers for causing business loss, passive eaves dropping or total destruction of system without knowledge of user. To address this challenge a capability for verification of BIOS integrity needs to be developed and due diligence must be observed for proactive resolution of the issue. This paper explains the BIOS Integrity threats and presents a prevention strategy for effective and proactive resolution.
Keywords: {computer network security; data integrity; firmware; trusted computing; BIOS integrity; Iranian Nuclear Power Plant; Stuxnet; advanced persistent threat; basic input output system; information security spectrum; roots of trust; Biological system modeling; Hardware; Organizations; Security; Servers; Vectors; Advanced Persistent Threat (APT); BIOS Integrity Measurement; Original Equipment Manufacturer (OEM);Roots of Trust (RoTs);Trusted Computing (ID#: 14-3390)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861331&isnumber=6861314
Ullah, R.; Nizamuddin; Umar, A.I.; ul Amin, N., "Blind signcryption scheme based on elliptic curves," Information Assurance and Cyber Security (CIACS), 2014 Conference on , vol., no., pp.51,54, 12-13 June 2014
doi: 10.1109/CIACS.2014.6861332
Abstract: In this paper blind signcryption using elliptic curves cryptosystem is presented. It satisfies the functionalities of Confidentiality, Message Integrity, Unforgeability, Signer Non-repudiation, Message Unlink-ability, Sender anonymity and Forward Secrecy. The proposed scheme has low computation and communication overhead as compared to existing blind Signcryption schemes and best suited for mobile phone voting and m-commerce.
keywords: {public key cryptography; blind signcryption scheme; communication overhead; confidentiality; elliptic curves cryptosystem; forward secrecy; m-commerce; message integrity; message unlink-ability; mobile phone voting; sender anonymity; signer nonrepudiation; unforgeability; Digital signatures; Elliptic curve cryptography; Elliptic curves; Equations; Mobile handsets; Anonymity; Blind Signature; Blind Signcryption; Elliptic curves; Signcryption}, (ID#: 14-3391)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861332&isnumber=6861314
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.