 |
Secure File Sharing 2015 |
Data leakage while file sharing continues to be a major problem for cybersecurity, especially with the advent of cloud storage. Secure file sharing is relevant to the Science of Security community hard topics of resilience, composability, metrics, and human behavior. The articles cited here were presented in 2015.
A. Afanasyev, Zhenkai Zhu, Yingdi Yu, Lijing Wang, and Lixia Zhang, “The Story of ChronoShare, or How NDN Brought Distributed Secure File Sharing Back,” Mobile Ad Hoc and Sensor Systems (MASS), 2015 IEEE 12th International Conference on, Dallas, TX, 2015, pp. 525-530. doi: 10.1109/MASS.2015.59
Abstract: Information sharing among a group of friends or colleagues in real life is usually a distributed process: we tell each other interesting or important news without any mandatory assistance or approval from a third party. Surprisingly, this is not what happens when sharing files among a group of friends over the Internet. While the goal of file sharing is to disseminate files among multiple parties, due to the constraints imposed by IP’s point-to-point communication model, most of today’s file sharing applications, such as Drop box, Google Drive, etc., resort to a centralized design paradigm: a user first uploads files to the server (cloud), and the server (cloud) re-distributes these files to other users, resulting in unnecessary tussles and inefficient data distribution paths. To bring the truly distributed file sharing back into the cyberspace, this paper presents Chrono Share, a distributed file sharing application built on top of the Named Data Networking (NDN) architecture. By walking through Chrono Share design details, we show how file sharing, as well as many other similar applications, can be effectively implemented over NDN in a truly distributed and secure manner.
Keywords: Internet; peer-to-peer computing; security of data; ChronoShare; NDN architecture; Named Data Networking architecture; distributed secure file sharing; Cryptography; Distributed databases; IP networks; Peer-to-peer computing; Servers; Synchronization; File Sharing; Named Data Networking (ID#: 16-10597)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7366987&isnumber=7366897
M. I. Yousuf and S. Kim, “Coping with Bad-Mouthing in Peer-to-Peer File Sharing Networks,” Peer-to-Peer Computing (P2P), 2015 IEEE International Conference on, Boston, MA, 2015, pp. 1-9. doi: 10.1109/P2P.2015.7328514
Abstract: In the recent years, the P2P file sharing systems have adopted rating systems in the hope to stop the propagation of bad files. In a rating system, users rate files after downloading and a file with positive feedback is considered a good file. However, a dishonest rater can undermine the rating system by giving positive rating to bad files and negative rating to good files. In this paper, we design two filters based on probabilistic models such that the good files with negative feedback are not completely kept out of the system. The first filter is based on the binomial distribution of the ratings of a file, and the second filter considers the confidence of the downloading peer and the difference of positive and negative ratings of a file to calculate the probability to take a risk to download the file or reject it. Our filters only need the ratings of a file and this makes them suitable for popular torrent sharing websites that rank the files using a binary rating system without any information about raters. In addition, we can implement them entirely on the client side without any modification to the content sharing sites.
Keywords: information filters; peer-to-peer computing; security of data; P2P file sharing systems; bad-mouthing; binary rating system; filters; peer-to-peer file sharing networks; torrent sharing Websites; Data models; Peer-to-peer computing; Predictive models; Probabilistic logic; Probability; Probability density function; Radiation detectors (ID#: 16-10598)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7328514&isnumber=7328510
A. Sarkar and N. Prakash, “File Sharing System Encapsulated with Customized Social Networking and Learning Management System,” Computing and Communication (IEMCON), 2015 International Conference and Workshop on, Vancouver, BC, 2015, pp. 1-7. doi: 10.1109/IEMCON.2015.7344450
Abstract: In the proposed system, we have developed an application which aids in file sharing coupled with security. The application is modeled in such a way that there exists a hierarchical classification of employees. A root is at the topmost position in the organization with levels below him. The application enables a user to create files and share them with other users depending upon his or her position in the hierarchy. This application encapsulates several security measures integrated with the flexibility of sharing files easily with a single or multiple users without the use of ‘email’. This application is simple, easy to use and secure. Security of files is implemented by the use of cryptography in various file modes. In this paper, we have created an application which aids in file sharing within an organization coupled with a security system.
Keywords: cryptography; electronic mail; learning management systems; peer-to-peer computing; personnel; social networking (online); cryptography; customized social networking; e-mail; file creation; file security; file sharing; file sharing system encapsulation; hierarchical employee classification; learning management system; security measure; Computer science; Computers; Cryptography; Electronic mail; Organizations; Peer-to-peer computing; File sharing; Hierarchical position; encryption; flexibility in sharing; replacement of email in organization; security of files by different modes (ID#: 16-10599)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7344450&isnumber=7344420
Atiq ur Rehman et al., “Web & Android Based File Sharing, Hardware Monitoring and Control,” Emerging Technologies (ICET), 2015 International Conference on, Peshawar, 2015, pp. 1-5. doi: 10.1109/ICET.2015.7389170
Abstract: Web based file sharing and storage has recently became a necessary part of everyday data on the Enterprise level is needed to be stored in such a way that it can be retrieved easily from anywhere. This is the main concept of cloud computing & storage. Cloud computing has revolutionized the software industry, as the storage capacity on the internet is virtually infinite and it is most suited for enterprises to store and backup their vast life for every individual. Not only on the individual level but also amounts of data. One of the special and amazing feature of cloud storage is data synchronization. This allows the data to be synchronized i.e. mirrored on different platforms automatically. Another important concept is of web based connectivity of objects embedded with Electronics, Software and Sensors known as Internet of Things (IoT). These two concepts are key in fourth generation industrial revolution (Industry 4.0). The main theme of this paper is to combine the cloud storage and IoT as single software for an Enterprise. We have targeted the three main needs of an enterprise i.e. Data management, Hardware monitoring & control and Security. Different modules are designed for this purpose. A website, a Desktop Application and an Android Application is designed for data synchronization. Hardware is also monitored and controlled through the website and Android Application. Live video streaming feature is also included in the Website for security and surveillance purposes.
Keywords: Android (operating system); DP industry; Internet of Things; Web sites; cloud computing; peer-to-peer computing; storage management; synchronisation; Android application; Android based file sharing; Industry 4.0; IoT; Web based connectivity; Web based file sharing; Web based file storage; Web site; World Wide Web; cloud computing; cloud storage; data management; data synchronization; desktop application; enterprise level; fourth generation industrial revolution; hardware control; hardware monitoring & control; live video streaming feature; software industry; storage capacity; surveillance purpose; Buildings; Cities and towns; Databases; Man machine systems; Monitoring; Servers (ID#: 16-10600)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7389170&isnumber=7389159
M. R. Heckman, R. R. Schell, and E. E. Reed, “A Multi-Level Secure File Sharing Server and Its Application to a Multi-Level Secure Coud,” Military Communications Conference, MILCOM 2015 - 2015 IEEE, Tampa, FL, 2015, pp. 1224-1229. doi: 10.1109/MILCOM.2015.7357613
Abstract: Contemporary cloud environments are built on low-assurance components, so they cannot provide a high level of assurance about the isolation and protection of information. A “multi-level” secure cloud environment thus typically consists of multiple, isolated clouds, each of which handles data of only one security level. Not only are such environments duplicative and costly, data “sharing” must be implemented by massive, wasteful copying of data from low-level domains to high-level domains. The requirements for certifiable, scalable, multi-level cloud security are threefold: (1) To have trusted, high-assurance components available for use in creating a multi-level secure cloud environment; (2) To design a cloud architecture that efficiently uses the high-assurance components in a scalable way, and (3) To compose the secure components within the scalable architecture while still verifiably maintaining the system security properties. This paper introduces a trusted, high-assurance file server and architecture that satisfies all three requirements. The file server is built on mature technology that was previously certified and deployed across domains from TS/SCI to Unclassified and that supports high-performance, low-to-high and high-to-low file sharing with verifiable security.
Keywords: cloud computing; file servers; peer-to-peer computing; security of data; data sharing; multilevel secure cloud; multilevel secure file sharing server; Cloud computing; Computer architecture; Computer security; File servers; Kernel; Servers; GEMSOS; Multi-level security; Network file service; Security kernel (ID#: 16-10601)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7357613&isnumber=7357245
P. Rad, M. Muppidi, A. S. Jaimes, S. S. Agaian, and M. Jamshidi, “Secure Proxy Service Using p-Fibonacci Transformation of Cosine Coefficients on Cloud File Sharing Environment,” High Performance Computing and Communications (HPCC), 2015 IEEE 7th International Symposium on Cyberspace Safety and Security (CSS), 2015 IEEE 12th International Conference on Embedded Software and Systems (ICESS), 2015 IEEE 17th International Conference on, New York, NY, 2015, pp. 1454-1459. doi:10.1109/HPCC-CSS-ICESS.2015.304
Abstract: In this paper, we sketch the idea of double image encryption service to provide the privacy and authentication on big-data image libraries on cloud computing environment. The encoding of the image is done using the P-Fibonacci transform of Discrete Cosine Coefficients “PFCC” algorithm. First, using Discrete Cosine Transfer (DCT), we transfer an image from the spatial domain to the frequency domain. Second, we utilize the Fibonacci P-code for image bit-plane decomposition and the 2D P-Fibonacci transform for image encryption. Furthermore detailed simulations have been carried out to test the encryption service on cloud file sharing environment such as OpenStack Object Storage and flicker.
Keywords: Big Data; cloud computing; cryptography; data privacy; discrete cosine transforms; image coding; libraries; peer-to-peer computing; 2D P-Fibonacci transform; Big-Data image libraries authentication; Big-Data image libraries privacy; DCT; Fibonacci P-code; cloud computing environment; cloud file sharing environment; discrete cosine coefficients PFCC algorithm; discrete cosine transfer; double image encryption service; frequency domain; image bit-plane decomposition; image encoding; p-Fibonacci transformation; secure proxy service; spatial domain; Discrete cosine transforms; Encryption; Image reconstruction; Cloud computing; Discrete Cosine Transform; Image encryption; OpenStack Object Storage; p-Fibonacci Transform (ID#: 16-10602)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7336373&isnumber=7336120
Yan Zhu, Feng Pu, Guohua Gan, Ruiqi Guo, and Shuqing Zhang, “Traitor Tracing and Revocation for Secure Decoders in File Syncing-and-Sharing Service,” Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual, Taichung, 2015, pp. 504-509. doi: 10.1109/COMPSAC.2015.62
Abstract: Today, many cloud storage services have been available to small-to-medium business and individuals by file syncing-and-sharing (FSS) service. To meet the security requirement of FSS, we present a new architecture based on secure Player/Reader box with RBAC-compatible cryptosystem, which supports to access the encrypted data in the cloud, as well as traitor tracing and revocation mechanisms for pirate box. We improve a cryptosystem, called Partially-ordered Hierarchical Encryption (PHE) to realize this architecture. In this system, two security mechanisms, traitor tracing and revocation, are provided to support efficient digital forensics. The result of performance evaluation shows that our scheme is more efficient than the existing schemes with traitor tracing and revocation.
Keywords: cloud computing; peer-to-peer computing; security of data; small-to-medium enterprises; RBAC-compatible cryptosystem; cloud storage services; digital forensics; file syncing-and-sharing service; partially-ordered hierarchical encryption; pirate box; revocation mechanisms; secure Player box; secure Reader box; secure decoders; security requirement; small-to-medium business; traitor revocation; traitor tracing; Access control; Computer architecture; Encryption; Frequency selective surfaces; Cloud Storage; Partial Order Key Hierarchy; Revocation; Security; Traitor Tracing (ID#: 16-10603)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7273659&isnumber=7273573
V. S. S. Nadendla, Y. S. Han, and P. K. Varshney, “Information-Dispersal Games for Security in Cognitive-Radio Networks,” Information Theory (ISIT), 2015 IEEE International Symposium on, Hong Kong, 2015, pp. 1600-1604. doi: 10.1109/ISIT.2015.7282726
Abstract: Rabin’s information dispersal algorithm (IDA) simultaneously addresses secrecy and fault-tolerance by encoding a data file and parsing it into unrecognizable data-packets before transmitting or storing them in a network. In this paper, we redesign Rabin’s IDA for cognitive-radio networks where the routing paths are available with uncertainty. In addition, we also assume the presence of an attacker in the network which attempts to simultaneously compromise the confidentiality and data-integrity of the source message. Due to the presence of two rational entities with conflicting motives, we model the problem as a zero-sum game between the source and the attacker and investigate the mixed-strategy Nash Equilibrium by decoupling the game into two linear programs which have a primal-dual relationship.
Keywords: cognitive radio; data integrity; fault tolerance; game theory; linear programming; message authentication; network coding; packet radio networks; source coding; telecommunication network reliability; telecommunication network routing; Rabin IDA; Rabin information dispersal algorithm; cognitive radio network security; data file encoding; data file parsing; data packet storage; data packet transmission; fault tolerance; information-dispersal game; linear program; mixed-strategy Nash equilibrium; primal-dual relationship; routing path; secrecy; source message confidentiality; source message data integrity; unrecognizable data packet; zero-sum game; Fault tolerance; Fault tolerant systems; Game theory; Games; Network topology; Random variables; Reed-Solomon codes; Byzantine Attacks; Cognitive-Radio Networks; File-Sharing Networks; Information Dispersal Games; Reed-Solomon Codes (ID#: 16-10604)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7282726&isnumber=7282397
S. J. Shivankar and M. P. Tembhurkar, “Comparative Analysis on Security Techniques in VoIP Environment,” Electronics and Communication Systems (ICECS), 2015 2nd International Conference on, Coimbatore, 2015, pp. 1176-1180. doi: 10.1109/ECS.2015.7124770
Abstract: VoIP is technology for transmitting voice and data over IP for communication. It has various benefits such as, voice messaging, calling, video messaging as well as video conferencing with file sharing. VoIP is better than Public Switched Telephone Network (PSTN) and cellular network. We can see all the services in VoIP based application such as Skype, Google talk. Due to the file sharing and information transformation in VoIP, there are more chances to loss valuable data information. For that the security provisions must be there. To prevent from such problem there are various techniques designed. In this research paper we study that various techniques proposed for security in VoIP environment.
Keywords: Internet telephony; computer network security; peer-to-peer computing; VoIP environment security technique; data over IP transmission; file sharing; information transformation; voice transmission; Computer crime; Computer science; IP networks; Internet telephony; Protocols; Servers; Denial of service attack; Voice over Internet Protocol (VoIP); detection and prevention techniques; security (ID#: 16-10605)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7124770&isnumber=7124722
Kyunghee Oh and Dooho Choi, “A Distributed File System over Unreliable Network Storages,” Information and Communication Technology Convergence (ICTC), 2015 International Conference on, Jeju, 2015, pp. 653-657. doi: 10.1109/ICTC.2015.7354631
Abstract: Nowadays, an individual uses multiple ICT devices such as PCs, laptops, smart phones and others. And the content files are not dedicated to a specific device, but shared by the devices. One of the sharing services is the personal cloud computing. Users can backup, synchronize, share and manage their files with it. But most cloud systems have their own dedicated interfaces and it is not easy to use files in various applications. We propose a distributed file system which works with the legacy internet protocols. Applications on devices can share files with the general file i/o interface, and our system enhanced reliability of file storages in both aspects of failures of servers and security risks.
Keywords: client-server systems; cloud computing; computer network security; distributed databases; transport protocols; ICT devices; cloud systems; content files; distributed file system; file backup; file management; file sharing; file storage reliability enhancement; file synchronization; file systems; general file I/O interface; legacy Internet protocols; personal cloud computing; security risk failures; server failures; sharing services; unreliable network storages; Cloud computing; File systems; Peer-to-peer computing; Protocols; Servers; Synchronization; clustered file system; erasure code; personal cloud storage (ID#: 16-10606)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7354631&isnumber=7354472
S. Huda, A. Sudarsono, and T. Harsono, “Secure Data Exchange Using Authenticated Ciphertext-Policy Attributed-Based Encryption,” Electronics Symposium (IES), 2015 International, Surabaya, 2015, pp. 134-139. doi: 10.1109/ELECSYM.2015.7380829
Abstract: Easy sharing files in public network that is intended only for certain people often resulting in the leaking of sharing folders or files and able to be read also by others who are not authorized. Secure data is one of the most challenging issues in data sharing systems. Here, Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a reliable asymmetric encryption mechanism which deals with secure data and used for data encryption. It is not necessary encrypted to one particular user, but recipient is only able to decrypt if and only if the attribute set of his private key match with the specified policy in the ciphertext. In this paper, we propose a secure data exchange using CP-ABE with authentication feature. The data is attribute-based encrypted to satisfy confidentiality feature and authenticated to satisfy data authentication simultaneously.
Keywords: electronic data interchange; private key cryptography; set theory; CP-ABE; asymmetric encryption mechanism; authentication feature; ciphertext-policy attribute-based encryption; confidentiality feature; data authentication; data encryption; data sharing systems; file sharing; private key attribute set; public network; secure data exchange; Access control; Ad hoc networks; Authentication; Encryption; Military aircraft; Authentication; CP-ABE; Data security; Data sharing (ID#: 16-10607)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7380829&isnumber=7380788
J. M. Reddy and C. Hota, “Heuristic-Based Real-Time P2P Traffic Identification,” Emerging Information Technology and Engineering Solutions (EITES), 2015 International Conference on, Pune, 2015, pp. 38-43. doi: 10.1109/EITES.2015.16
Abstract: Peer-to-Peer (P2P) networks have seen a rapid growth, spanning diverse applications like online anonymity (Tor), online payment (Bit coin), file sharing (Bit Torrent), etc. However, the success of these applications has raised concerns among ISPs and Network administrators. These types of traffic worsen the congestion of the network, and create security vulnerabilities. Hence, P2P traffic identification has been researched actively in recent times. Early P2P traffic identification approaches were based on port-based inspection. Presently, Deep Packet Inspection (DPI) is a prominent technique used to identify P2P traffic. But it relies on payload signatures which are not resilient against port masquerading, traffic encryption and NATing. In this paper, we propose a novel P2P traffic identification mechanism based on the host behaviour from the transport layer headers. A set of heuristics was identified by analysing the off-line datasets collected in our test bed. This approach is privacy preserving as it does not examine the payload content. The usefulness of these heuristics is shown on real-time traffic traces received from our campus backbone, where in the best case only 0.20% of flows were unknown.
Keywords: cryptography; data privacy; peer-to-peer computing; telecommunication security; telecommunication traffic; Bit coin; DPI; ISP; NATing; P2P network; P2P traffic identification mechanism; bit torrent; deep packet inspection; file sharing; heuristic-based real-time P2P traffic identification; network administrator; off-line dataset; online anonymity; online payment; payload signature; peer-to-peer network; port masquerading; port-based inspection; privacy preserving; real-time traffic; security vulnerability; traffic encryption; transport layer header; Accuracy; Internet; Payloads; Peer-to-peer computing; Ports (Computers); Protocols; Servers (ID#: 16-10608)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7083382&isnumber=7082065
A. Naghizadeh, S. Berenjian, B. Razeghi, S. Shahanggar, and N. R. Pour, “Preserving Receiver’s Anonymity for Circular Structured P2P Networks,” Consumer Communications and Networking Conference (CCNC), 2015 12th Annual IEEE, Las Vegas, NV, 2015, pp. 71-76. doi: 10.1109/CCNC.2015.7157949
Abstract: Some unique attributes of P2P networks such as cost efficiency and scalability, contributed for the widespread adaptation of these networks. Since P2P applications are mostly used in file-sharing, preserving anonymity of users has become a very important subject for researchers. As a result, a lot of methods are suggested for P2P networks to preserve anonymity of users. Most of these methods, by relying on established anonymous solutions on client/server applications, are presented for unstructured P2P networks. But structured overlays, by using Distributed Hash Tables (DHT) for their routing, do not resemble traditional paradigms. Therefore, current anonymous methods can not be implemented for them easily. In this paper, we introduce a novel methodology to provide receiver’s anonymity for circular P2P structures. With this method, we get help from inherited features of network infrastructure to establish a standard way for making tunnels. Our purpose is to introduce a flexible design which is able to manage different parts of the tunnels on current infrastructures. For this purpose, we implement our method on top of Chord to show how such design can be managed for real world applications. The results of applied method on a chord-like network shows that by managing critical features of our method, a trade-off can be made between stronger security and performance of the network.
Keywords: client-server systems; computer network security; peer-to-peer computing; telecommunication network routing; chord-like network; circular structured P2P networks; client-server applications; cost efficiency; file-sharing; receiver anonymity preservation; scalability; unstructured P2P networks; Conferences; Cryptography; Peer-to-peer computing; Receivers; Routing; Tunneling; Anonymity; Chord; P2P; Security (ID#: 16-10609)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7157949&isnumber=7157933
R. Mohan, V. Vaidehi, A. Krishna A, M. Mahalakshmi, and S. S. Chakkaravarthy, “Complex Event Processing Based Hybrid Intrusion Detection System,” Signal Processing, Communication and Networking (ICSCN), 2015 3rd International Conference on, Chennai, 2015, pp. 1-6. doi: 10.1109/ICSCN.2015.7219827
Abstract: Insider threats are evolving constantly and misuse the granted resource access for various malicious activities. These insider threats make use of internal network flaws as the loop holes and are the root cause for data exfiltration and infiltration (Data leakage). Organizations are devising and deploying new solutions for analyzing, monitoring and predicting these insider threats. However data leakage and network breach problems still exist and are increasing day by day. This is due to multiple root accounts, top priority privileges, shared root access, shared file system privileges etc. In this paper a new Hybrid Intrusion Detection System (IDS) is developed to overcome the above stated problem. The objective of this research is to develop a Complex Event Processing (CEP) based Hybrid IDS that integrates the output of the Host IDS and Network IDS into the CEP Module and produces a consolidated output with higher accuracy. The overall deployment protects the internal information system without any data leakage by Stateful Packet Inspection. Multivariate Correlation Analysis (MCA) is used to estimate and characterize the normal behavior of the network and send the values to the CEP Engine which alerts in case of any deviation from the normal pattern. The performance of the proposed Hybrid IDS is examined using test bed with normal and various attack scenarios.
Keywords: computer network security; peer-to-peer computing; CEP engine; CEP module; complex event processing; data exfiltration; data infiltration; data leakage problem; file system privilege sharing; file system sharing; host IDS; hybrid IDS; hybrid intrusion detection system; internal information system; internal network flaw; loop hole; multivariate correlation analysis; network IDS; network breach problem; root access sharing; stateful packet inspection; threat analysis; threat monitoring; threat prediction; Covariance matrices; Feature extraction; Linux; Random access memory; Servers; Standards; Testing; CEP; Hybrid IDS; IDS; Insider Threat; MCA; Multivariate Correlation Analysis (ID#: 16-10610)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7219827&isnumber=7219823
B. Tozer, T. Mazzuchi, and S. Sarkani, “Optimizing Attack Surface and Configuration Diversity Using Multi-Objective Reinforcement Learning,” 2015 IEEE 14th International Conference on Machine Learning and Applications (ICMLA), Miami, FL, USA, 2015, pp. 144-149. doi: 10.1109/ICMLA.2015.144
Abstract: Minimizing the attack surface of a system and introducing diversity into a system are two effective ways to improve system security. However, determining how to include diversity in a system without increasing the attack surface more than necessary is a difficult problem, requiring knowledge about the system characteristics, operating environment, and available permutations that is generally not available prior to system deployment. We propose viewing a system’s components, interfaces, and communication channels as a set of states and actions that can be analyzed using a sequential decision making process, and using a multi-objective reinforcement learning algorithm to learn a set of policies that minimize a system’s attack surface and execute those policies to obtain configuration diversity while a system is operating. We describe a methodology for designing a system such that its components and behaviors can be translated into a multi-objective Markov Decision Process, demonstrate the use of multi-objective reinforcement learning to learn a set of optimal policies using three different multi-objective reinforcement learning algorithms in the context of an online file sharing application, and show that our multi-objective temporal difference afterstate algorithm outperforms the alternatives for the example problem.
Keywords: Algorithm design and analysis; Communication channels; Computer architecture; Learning (artificial intelligence); Markov processes; Security; Surface treatment; cybersecurity; moving target defense; multi-objective reinforcement learning}, (ID#: 16-10611)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7424300&isnumber=7424247
H. Seuschek and S. Rass, “Side-Channel Leakage Models for RISC Instruction Set Architectures from Empirical Data,” Digital System Design (DSD), 2015 Euromicro Conference on, Funchal, 2015, pp. 423-430. doi: 10.1109/DSD.2015.117
Abstract: Side-channel attacks are currently among the most serious threats for embedded systems. Popular countermeasures to mitigate the impact of such attacks are masking schemes, where secret intermediate values are split in two or more values by virtue of secret sharing. Processing the secret happens on separate execution paths, which are executed on the same central processing unit (CPU). In case of unwanted correlations between different registers inside the CPU the shared secret may leak out through a side-channel. This problem is particularly evident on low cost embedded systems, such as nodes for the Internet of Things (IoT), where cryptographic algorithms are often implemented in pure software on a reduced instruction set computer (RISC). On such an architecture, all data manipulation operations are carried out on the contents of the CPU’s register file. This means that all intermediate values of the cryptographic algorithm at some stage pass through the register file. Towards avoiding unwanted correlations and leakages thereof, special care has to be taken in the mapping of the registers to intermediate values of the algorithm. In this work, we describe an empirical study that reveals effects of unintended unmasking of masked intermediate values and thus leaking secret values. The observed phenomena are related to the leakage of masked hardware implementations caused by glitches in the combinatorial path of the circuit but the effects are abstracted to the level of the instruction set architecture on a RISC CPU. Furthermore, we discuss countermeasures to have the compiler thwart such leakages.
Keywords: cryptography; embedded systems; program compilers; reduced instruction set computing; RISC CPU; RISC instruction set architectures; central processing unit; compiler; cryptographic algorithm; data manipulation operations; embedded systems; masked hardware implementations; masking schemes; secret sharing; side-channel attacks; side-channel leakage models; Central Processing Unit; Computer architecture; Correlation; Cryptography; Hamming distance; Reduced instruction set computing; Registers (ID#: 16-10612)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7302305&isnumber=7302233
Deepika K. S. and R. Balakrishnan, “Secure Multiowner Data Sharing in the Cloud,” Innovations in Information, Embedded and Communication Systems (ICIIECS), 2015 International Conference on, Coimbatore, 2015, pp. 1-6. doi: 10.1109/ICIIECS.2015.7192920
Abstract: Cloud computing provides a cheap and economical resolution for sharing cluster resource among cloud users sharing knowledge during a multi-owner manner whereas protective knowledge and identity privacy from an untrusted cloud continues to be a difficult issue, as a result of the frequent modification of the membership. This project proposes a secure knowledge sharing, for dynamic teams within the cloud. It implies that any user within the cluster will firmly share knowledge with others by the untrusted cloud. With efficiency, specifically, new granted users will directly decipher knowledge files uploaded before their participation while not contacting with knowledge house owners. User revocation will be simply achieved through a completely unique revocation list while not changing the keys of the remaining users. The scale and computation overhead of secret writing are constant and freelance with the quantity of revoked users. This projected theme satisfies the required security necessities and guarantees potency furthermore with real time implementation in Google app engine.
Keywords: cloud computing; data handling; Google app engine; cloud computing; data sharing; decipher; Companies; Engines; Gold; Indexes; Knowledge engineering; Cloud computing; Data sharing; Dynamic groups; Google App Engine; Security; Web Server (ID#: 16-10613)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7192920&isnumber=7192777
Yun Tian, Xiao Qin, and Yafei Jia, “Secure Replica Allocation in Cloud Storage Systems with Heterogeneous Vulnerabilities,” Networking, Architecture and Storage (NAS), 2015 IEEE International Conference on, Boston, MA, 2015, pp. 205-214. doi: 10.1109/NAS.2015.7255217
Abstract: Highly available cloud storage is often implemented with complex, multi-tiered distributed systems built on top of clusters of commodity servers and disk drives. Storage reliability, security and performance are among the top desired features when clients consider storing data on cloud storage. Although replication improves reliability and performance in cloud storage systems, data replication increases the risk of data storage in an insecure network environment. When a cloud storage scales up, storage nodes are very likely to become heterogeneous in nature. In this study, we propose a secure replica allocation scheme called SecRA to improve security, reliability, and performance of a cloud storage system where storage nodes have a wide variety of vulnerabilities. Our SecRA integrates the techniques of replication and fragmentation with secret sharing in a heterogeneous cloud system, where storage nodes are comprised of various server types in terms of vulnerability characteristics. SecRA allocates data replicas of fragments of a file to as many different types of nodes as possible. For the replicas of the same fragment, SecRA tries to allocate these replicas to the same type of nodes in the system. Data assurance is significantly improved, because the replicas of different fragments of a file are allocated to multiple types of storage nodes. To quantitatively evaluate the quality of security offered by SecRA, we develop a storage assurance model. Our analytically results show that replica allocations made by SecRA lead to enhanced security thanks to the consideration of heterogeneous vulnerabilities in cloud storage systems.
Keywords: cloud computing; disc drives; file servers; secure storage; security of data; storage management; SecRA; cloud storage systems; commodity server clusters; data assurance; data replication; data storage risk; disk drives; heterogeneous cloud system; heterogeneous vulnerabilities; multitiered distributed systems; network environment; secret sharing; secure replica allocation scheme; storage assurance model; storage nodes; storage performance; storage reliability; storage security; vulnerability characteristics; Cloud computing; Cryptography; Reliability; Resource management; Secure storage; Servers (ID#: 16-10614)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7255217&isnumber=7255186
K. Patel and L. Ragha, “Binary Image Steganography in Wavelet Domain,” Industrial Instrumentation and Control (ICIC), 2015 International Conference on, Pune, 2015, pp. 1635-1640. doi: 10.1109/IIC.2015.7151012
Abstract: In today’s era sharing of secret data over internet has increased widely. Along with increase in frequent information sharing on Internet threat of malicious access also pulls significant attraction. Cryptography and Steganography are solution to this problem. Steganography is a technique to make private or secret data invisible to the world in order to send it over the network securely. In this paper we proposed an algorithm which is in transform domain and simple in calculation. To increase the level of security we encrypt the data before embedding it into the carrier file. We perform discrete wavelet transform on cover image followed by fusion. At last we perform inverse wavelet transform to get stego image. We compare original cover image and stego image; the results we obtained are good as both the images are almost identical. This is proved by high PSNR (Peak Signal to Noise Ratio) values we have obtained.
Keywords: cryptography; discrete wavelet transforms; image coding; inverse transforms; steganography; binary image steganography; image fusion; inverse wavelet transform; peak signal to noise ratio values; stego image; wavelet transform domain; Arrays; Cryptography; Discrete wavelet transforms; PSNR; Wavelet domain; Discrete Wavelet Transform; Steganography; special domain; transform domain (ID#: 16-10615)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7151012&isnumber=7150576
A. Bergh, “Distributing the Disruption,” Military Communications and Information Systems (ICMCIS), 2015 International Conference on, Cracow, 2015, pp. 1-6. doi: 10.1109/ICMCIS.2015.7158688
Abstract: The rapid uptake of smart mobile devices such as smartphones and the use of apps has been the great communication disruptor in civilian life in since 2007. This change has enabled always on and easy to use access to vast amounts of data and information, ranging from mapping via social media through to constant news updates and streaming media. This disruption is also rapidly spreading from the civilian to the military sphere. However, military work in this field has often focused on hardware and networking issues. Little has been done in terms of providing tools for staff within the armed forces for sustainable collaboration through the sharing of information and knowledge in the app format. In other words, the communication disruption is disrupted through the lack of useable utilities by the rank and file. These are often the ones who are best positioned to know what type of information (and information sharing) can be useful in the field.
Keywords: media streaming; mobile computing; smart phones; app format; communication disruption; information sharing; knowledge sharing; smart mobile device; smartphone; social media; streaming media; sustainable collaboration; Collaboration; Information management; Media; Security; Servers; Smart phones; app; collaboration; disruption; mil-app market; mobile devices; network (ID#: 16-10616)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7158688&isnumber=7158667
A. Upadhyaya and M. Bansal, “Deployment of Secure Sharing: Authenticity and Authorization Using Cryptography in Cloud Environment,” Computer Engineering and Applications (ICACEA), 2015 International Conference on Advances in, Ghaziabad, 2015, pp. 852-855. doi: 10.1109/ICACEA.2015.7164823
Abstract: Cloud computing is a cost-effective, scalable and flexible model of providing network services to a range of users including individual and business over the Internet. It has brought the revolution in the era of traditional method of storing and sharing of resources. It provides a variety of benefits to its users such as effective and efficient use of dynamically allocated shared resources, economics of scale, availability of resources etc. On the other part, cloud computing presents level of security risks because essential services are often controlled and handled by third party which makes it difficult to maintain data security and privacy and support data and service availability. Since cloud is a collection of machines called servers and all users’ data stored on these machines, it emerges the security issues of confidentiality, integrity and availability. Authentication and authorization for data access on cloud is more than a necessity. Our work attempts to overcome these security challenges. The proposed methodology provides more control of owner on the data stored on cloud by restricting the access to specific user for specific file with limited privileges and for limited time period on the basis of secret key using symmetric as well as asymmetric mechanism. The integrity and confidentiality of data is ensured doubly by not only encrypting the secret key but also to the access permission and limited file information.
Keywords: authorisation; cloud computing; commerce; cryptography; economies of scale; information retrieval; Internet; authenticity; authorization; availability of resources; business; cloud computing; cloud environment; cryptography; data access; dynamically allocated shared resources; economics of scale; network services; secure sharing; Authorization; Cloud computing; Computational modeling; Computers; Cryptography; Servers; Asymmetric Cryptography; Cloud Computing; Economics of Scale; Scalability; Symmetric Cryptography (ID#: 16-10617)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7164823&isnumber=7164643
S. Patil, P. R. Deshmukh, T. Chavan, P. Sangwan, V. Shastri, and A. Sunthwal, “Reduced Share Size Audio Secret Sharing,” Pervasive Computing (ICPC), 2015 International Conference on, Pune, 2015, pp. 1-4. doi: 10.1109/PERVASIVE.2015.7087082
Abstract: Communication over the network generally consists of conveying the messages in the form of texts and images. In recent times communication through audio has been introduced and has changed the scenario of transmission and reception of messages, which makes it mandatory to provide proper security to the audio data. Audio Secret Sharing provides a means of transmitting the secret audio message over a network securely. This is done essentially by dividing the original secret message into a pre-defined number of shares. To formulate the original secret a specified number of shares have to be combined and anything less than the specification provided would render the message unattainable. This paper puts forth the Audio Secret Sharing scheme based on Matrix Projection. The proposed scheme lends security and reliability to the audio files and also the share size has been reduced to a great extent.
Keywords: audio systems; cryptography; audio data security; audio file reliability; matrix projection; reduced share size audio secret sharing scheme; Computers; Cryptography; Matrix converters; Polynomials; Reliability; Routing; Audio Secret Sharing; Information Security; Matrix Projection; Reliability; Secret Sharing (ID#: 16-10618)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7087082&isnumber=7086957
N. Nassar and L. C. Chen, “Seed-Based Authentication,” Collaboration Technologies and Systems (CTS), 2015 International Conference on, Atlanta, GA, 2015, pp. 345-350. doi: 10.1109/CTS.2015.7210447
Abstract: Although web user authentication via username/password is widely used, this approach has many drawbacks. For example, users have to memorize textual passwords and to change the passwords frequently. Most importantly many users save their passwords in plain text that can potentially be exploited later. In this paper we proposed a new method for web applications to enhance user authentication that is less dependent on end users’ memory. This new method incorporates Pseudo Random Numbers that are generated by a seed stemmed from a root file, such as an image file, managed by the user and shared with the authentication server. The Pseudo Random Numbers, generated upon user login, are then served as one-time passwords for server authentication. We described our design, implementation and experiments that tested the randomness of these one-time passwords in a real world scenario. We also discussed how the proposed scheme can withstand common attacks such as replay attacks, dictionary attacks, and the denial-of-service attacks.
Keywords: Internet; message authentication; Web user authentication; denial-of-service attacks; dictionary attacks; end user memory; image file; one-time passwords; pseudorandom numbers; replay attacks; root file; seed-based authentication; server authentication; textual passwords; user login; username; Authentication; Dictionaries; Force; Generators; Servers; Uniform resource locators; authentication; information security; one-time password; pseudo random numbers (ID#: 16-10619)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7210447&isnumber=7210375
K. Rohloff, “Privacy-Preserving Data Exfiltration Monitoring Using Homomorphic Encryption,” Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on, New York, NY, 2015, pp. 48-53. doi: 10.1109/CSCloud.2015.96
Abstract: Monitoring and encryption are essential to secure today’s computer networks. Monitoring network traffic data can be especially useful to protect against data exfiltration by detecting signatures in file metadata to identify especially sensitive files that should not be publicly released. Encryption restricts the visibility of signatures, but this may be needed because some signatures used to protect against data exfiltration may themselves be sensitive, as knowledge of signatures could help adversaries circumvent monitoring. We present results on a prototype exfiltration guard to securely and privately monitor flows of encrypted information for encrypted signatures without requiring the decryption of the data flows or the signatures or the sharing of decryption keys. Our approach is based on using homomorphic encryption to enables secure computing on encrypted data. We show experimental results with a prototype proof-of-concept encrypted data guard running on a commodity computing hardware. These designs point to possible future advances driven by ongoing homomorphic encryption improvements to compute on encrypted data for more advanced and secure filtering and exfiltration protection schemes.
Keywords: computer network security; cryptography; data privacy; computer networks; encrypted signatures; exfiltration protection schemes; homomorphic encryption; privacy-preserving data exfiltration monitoring; Computer architecture; Encryption; Monitoring; Prototypes; Public key; Data Guard; Homomorphic Encryption; Security (ID#: 16-10620)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7371458&isnumber=7371418
A. Praveena and C. Sasikala, “Multi Authority Attribute Based Encryption Against Data Integrity and Scalability Issues in Cloud Data Services,” Innovations in Information, Embedded and Communication Systems (ICIIECS), 2015 International Conference on, Coimbatore, 2015, pp. 1-5. doi: 10.1109/ICIIECS.2015.7192940
Abstract: Identity Privacy of the outsourced data as of public auditing is modelled as privacy concern in the cloud data service through the public auditing. With cloud data services, it is common place for data to be not only stored in the cloud, but also shared across frequent users. Regrettably, the integrity of cloud data is focus to cynicism due to the prolongation of hardware/software failures and human errors. We propose a novel privacy-preserving mechanism that supports public auditing on shared data stored in the cloud. Yet, issues such as risks of privacy exposure, scalability in key management, supple access and efficient user revocation, have remained the foremost challenges and achieving fine-grained, cryptographically enforced data access control. In particular, we exploit multi authority attribute based encryption to compute verification of the data stored in the cloud to audit the correctness of shared data. Through imposing the multi authority-ABE technique our mechanism, the identity of the attribute on each block in shared data is kept private from public verifiers so, that they can efficiently verify the data integrity without retrieving the entire file. It can also perform multiple auditing tasks simultaneously.
Keywords: auditing; authorisation; cloud computing; data integrity; data privacy; public key cryptography; cloud data integrity; cloud data service; cynicism; data verification; fine-grained-cryptographically enforced data access control; hardware failure prolongation; human errors; identity privacy; key management scalability risk; multiauthority attribute-based encryption; multiauthority-ABE technique; outsourced data; privacy exposure risk; privacy-preserving mechanism; public auditing; scalability issues; shared data storage; software failure prolongation; user revocation; Algorithm design and analysis; Cloud computing; Conferences; Data privacy; Encryption; Anonymization; Cloud Auditing; Cloud Security; MA-ABE; Privacy Preserving (ID#: 16-10621)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7192940&isnumber=7192777
A. Binbusayyis and Ning Zhang, “Decentralized Attribute-Based Encryption Scheme with Scalable Revocation for Sharing Data in Public Cloud Servers,” Cloud Technologies and Applications (CloudTech), 2015 International Conference on, Marrakech, 2015, pp. 1-8. doi: 10.1109/CloudTech.2015.7336985
Abstract: With the rapid development of cloud computing, it is attractive for enterprise companies to outsource their data files for sharing in cloud servers, as cloud computing can offer desirable characteristics, such as on-demand self-service, broad network access, and rapid elasticity. However, by uploading data files onto cloud servers, data owners (i.e. the companies) will lose control over their own data. This makes it essential to use Attribute-based encryption (ABE) because it can help to protect the data confidentiality by uploading data files in encrypted form. In addition, it can help to facilitate granting access to data by allowing only authorized users to decrypt the encrypted data files based on a set of attributes. However, this ABE approach includes three key issues. The first one is the complexity of user secret key management for large-scale cloud environments. The second is the complexity of revoking the users access rights. The third is the computational complexity involved in assigning user rights, encrypting and accessing data files. This paper addresses these three issues by proposing a decentralized ciphertext-policy ABE scheme (CP-DABE) for a large-scale cooperative cloud environment. The scheme reduces the complexity of user secret key management by providing a secure attribute delegation services between a master authority and a number of multiple attribute authorities. The scheme also reduces the complexity of revocation process by using Proxy Re-encryption technique to revoke any users access right. In addition, by comparing with most relative work, the scheme reduces the computational requirements for assigning user rights, encrypting and accessing data files. The scheme can support any LSSS access structure. In this paper, the cryptographic construction of the CP-DABE scheme is presented, and its efficiency is analyzed and compared with most relative work. The security of the CP-DABE scheme is discussed and selectively proved against chosen-p- aintext attacks under the decisional Bilinear Diffie-Hellman Exponent assumption. Finally, ideas to extend the CP-DABE scheme are discussed.
Keywords: cloud computing; computational complexity; cryptography; data protection; CP-DABE scheme; attribute-based encryption scheme; chosen-plaintext attacks; data confidentiality protection; data file access; data files encryption; data sharing; decentralized ciphertext-policy ABE scheme; decisional bilinear Diffie-Hellman exponent assumption; large-scale cooperative cloud environment; master authority; multiple attribute authorities; proxy reencryption technique; public cloud servers; secure attribute delegation services; user rights assignment; user secret key management; users access rights revocation; Cloud computing; Companies; Encryption; Permission; Servers; Access Control; Attribute Based Encryption; Cloud Computing; Public Key Cryptography (ID#: 16-10622)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7336985&isnumber=7336956
V. S. Sinha, D. Saha, P. Dhoolia, R. Padhye, and S. Mani, “Detecting and Mitigating Secret-Key Leaks in Source Code Repositories,” Mining Software Repositories (MSR), 2015 IEEE/ACM 12th Working Conference on, Florence, 2015, pp. 396-400. doi: 10.1109/MSR.2015.48
Abstract: Several news articles in the past year highlighted incidents in which malicious users stole API keys embedded in files hosted on public source code repositories such as GitHub and Bit Bucket in order to drive their own work-loads for free. While some service providers such as Amazon have started taking steps to actively discover such developer carelessness by scouting public repositories and suspending leaked API keys, there is little support for tackling the problem from the code sharing platforms themselves. In this paper, we discuss practical solutions to detecting, preventing and fixing API key leaks. We first outline a handful of methods for detecting API keys embedded within source code, and evaluate their effectiveness using a sample set of projects from GitHub. Second, we enumerate the mechanisms which could be used by developers to prevent or fix key leaks in code repositories manually. Finally, we outline a possible solution that combines these techniques to provide tool support for protecting against key leaks in version control systems.
Keywords: application program interfaces; public key cryptography; source code (software); code repositories; fix key leaks; key leaks protection; secret-key leaks detection; secret-key leaks mitigation; source code repositories; version control systems; Control systems; Facebook; History; Java; Leak detection; Pattern matching; Software; api keys; git; mining software repositories; security (ID#: 16-10623)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7180102&isnumber=7180053
Han Yiliang, Jiang Di, and Yang Xiaoyuan, “The Revocable Attribute Based Encryption Scheme for Social Networks,” Security and Privacy in Social Networks and Big Data (SocialSec), 2015 International Symposium on, Hangzhou, 2015, pp. 44-51. doi: 10.1109/SocialSec2015.18
Abstract: Attribute based encryption is one of the candidates to secure online social network. Providing an efficient revocation mechanism in attribute based encryption scheme is very important. To achieve the hierarchical access control and improve update efficiency, the revocable attribute based encryption scheme with hierarchical revocation based on multilinear maps is proposed. The shared file is divided into three portions. The user with the specific attributes will access the corresponding portion. The analysis shows that it has the constant key size and has the indistinguishability under chosen plaintext attacks.
Keywords: authorisation; cryptography; social networking (online); hierarchical access control; hierarchical revocation; multilinear maps; online social network; plaintext attacks; revocable attribute based encryption scheme; revocation mechanism; update efficiency; Access control; Electronic mail; Encryption; Generators; Social network services; attribute based encryption
(ID#: 16-10624)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7371899&isnumber=7371823
A. Kumara M. A. and C. D. Jaidhar, “Hypervisor and Virtual Machine Dependent Intrusion Detection and Prevention System for Virtualized Cloud Environment,” Telematics and Future Generation Networks (TAFGEN), 2015 1st International Conference on, Kuala Lumpur, 2015, pp. 28-33. doi: 10.1109/TAFGEN.2015.7289570
Abstract: Cloud Computing enabled by virtualization technology exhibits revolutionary change in IT Infrastructure. Hypervisor is a pillar of virtualization and it allows sharing of resources to virtual machines. Vulnerabilities present in virtual machine leveraged by an attacker to launch the advanced persistent attacks such as stealthy rootkit, Trojan, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack etc. Virtual Machines are prime target for malignant cloud user or an attacker to launch attacks as they are easily available for rent from Cloud Service Provider (CSP). Attacks on virtual machine can disrupt the normal operation of cloud infrastructure. In order to secure the virtual environment, defence mechanism is highly imperative at each virtual machine to identify the attacks occurring at virtual machine in timely manner. This work proposes In-and-Out-of-the-Box Virtual Machine and Hypervisor based Intrusion Detection and Prevention System for virtualized environment to ensure robust state of the virtual machine by detecting followed by eradicating rootkits as well as other attacks. We conducted experiments using popular open source Host based Intrusion Detection System (HIDS) called Open Source SECurity Event Correlator (OSSEC). Both Linux and windows based rootkits, DoS attack, Files integrity verification test are conducted and they are successfully detected by OSSEC.
Keywords: Linux; cloud computing; computer network security; formal verification; virtual machines; CSP; DDoS attack; HIDS; IT Infrastructure; OSSEC; Windows based rootkits; cloud computing; cloud infrastructure; cloud service provider; defence mechanism; distributed denial of service attack; files integrity verification test; hypervisor; intrusion prevention system; open source host based intrusion detection system; open source security event correlator; persistent attacks; resource sharing; stealthy rootkit; trojan; virtual machines; virtualization technology; virtualized cloud environment; Computer crime; Databases; Intrusion detection; Kernel; Virtual machine monitors; Virtual machining; Cloud Computing; DoS Attack; Hypervisor; Intrusion Detection and Prevention System; Rootkit; Virtual Machine; Virtualization (ID#: 16-10625)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7289570&isnumber=7289553
M. Mattetti, A. Shulman-Peleg, Y. Allouche, A. Corradi, S. Dolev, and L. Foschini, “Securing the Infrastructure and the Workloads of Linux Containers,” Communications and Network Security (CNS), 2015 IEEE Conference on, Florence, 2015,
pp. 559-567. doi: 10.1109/CNS.2015.7346869
Abstract: One of the central building blocks of cloud platforms are linux containers which simplify the deployment and management of applications for scalability. However, they introduce new risks by allowing attacks on shared resources such as the file system, network and kernel. Existing security hardening mechanisms protect specific applications and are not designed to protect entire environments as those inside the containers. To address these, we present a LiCShield framework for securing of linux containers and their workloads via automatic construction of rules describing the expected activities of containers spawned from a given image. Specifically, given an image of interest LiCShield traces its execution and generates profiles of kernel security modules restricting the containers’ capabilities. We distinguish between the operations on the linux host and the ones inside the container to provide the following protection mechanisms: (1) Increased host protection, by restricting the operations done by containers and container management daemon only to those observed in a testing environment; (2) Narrow container operations, by tightening the internal dynamic and noisy environments, without paying the high performance overhead of their on-line monitoring. Our experimental results show that this approach is efficient to prevent known attacks, while having almost no overhead on the production environment. We present our methodology and its technological insights and provide recommendations regarding its efficient deployment with intrusion detection tools to achieve both optimized performance and increased protection. The code of the LiCShield framework as well as the presented experimental results are freely available for use at https://github.com/LinuxContainerSecurity/LiCShield.git.
Keywords: Linux; cloud computing; resource allocation; security of data; LiCShield framework; Linux container workloads; automatic rule construction; cloud platforms; container capabilities; container management daemon; host protection; infrastructure security; intrusion detection tools; kernel security modules; narrow container operations; on-line monitoring; production environment; protection mechanisms; resource sharing; security hardening mechanism protection; Conferences; Containers; Intrusion detection; Kernel; Servers (ID#: 16-10626)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7346869&isnumber=7346791
T. Markina, M. Koveshnikov, and D. Bazylev, “Abstract Models for System Virtualization,” Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), 2015 7th International Congress on, Brno, 2015, pp. 210-215. doi: 10.1109/ICUMT.2015.7382429
Abstract: The paper is dedicated to issues of system objects securing (system files and user system or application configuration files) against unauthorized access including denial of service attacks. The method and developed abstract system virtualization models, which are used to research attack scenarios for different virtualization modes, are presented. Effectiveness for system tools virtualization technology is evaluated. Proposed technology is based on redirection of access requests to system objects shared among access subjects. Whole and partial system virtualization modes are modeled. The difference between them is the following: in the whole virtualization mode all copies of the access system objects are created whereon subjects’ requests are redirected including corresponding application objects; in the partial virtualization mode corresponding copies are created only for a part of the system, for example, only system objects for applications. Alternative solutions effectiveness is valued relating to different attack scenarios. Practical significance of the suggested security method is demonstrated.
Keywords: authorisation; computer network security; virtualisation; abstract model; access request redirection; denial of service attack; partial virtualization mode; system object security issue; system virtualization; unauthorized access; Access control; Computer crime; Information security; Operating systems; Virtual machining; Virtualization; abstract model; attack scenario; denial of service; informational security; security; system object; system tool virtualization (ID#: 16-10627)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7382429&isnumber=7382391
J. Yang, C. Fu, N. Shen, Z. Liu, C. Jia, and J. Li, “General Multi-Key Searchable Encryption,” Advanced Information Networking and Applications Workshops (WAINA), 2015 IEEE 29th International Conference on, Gwangiu, 2015, pp. 89-95. doi: 10.1109/WAINA.2015.18
Abstract: We analysis outsourced server with multi-users and classify the data sharing into two main types. We focus on the data sharing between users in Searchable Encryption and the corresponding security goal. Then we present a general scheme for Searchable Encryption in which the cipher text can be generated from parameter by authorized users. With the concept of homomorphism and one-way function, we construct a general model to illustrate and fulfill the goals involved. We also promote such a model to a general Multi-Key Searchable Encryption which enables only a single submission for the retrievals in the documents encrypted by different keys. We also give two concrete examples to illustrate the feasibility and security in such a general model.
Keywords: cryptography; file servers; information retrieval; outsourcing; security of data; authorized users; ciphertext; data sharing classification; document encryption; multikey searchable encryption; one-way function; outsourced server analysis; Access control; Concrete; Data models; Encryption; Servers; Homomorphism; Multi-key; Searchable Encryption (ID#: 16-10628)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7096153&isnumber=7096097
D. Tomović, I. Ognjanović and R. Šendelj, “Security Challenges of Integration of Hash Functions into Cloud Systems,” Embedded Computing (MECO), 2015 4th Mediterranean Conference on, Budva, 2015, pp. 110-114.
doi: 10.1109/MECO.2015.7181879
Abstract: Cloud Computing is a new paradigm for the IT industry. IT services such as infrastructures, platforms and applications are provided remotely, over the Internet, and all resources are virtualized. Challenges about confidentiality, integrity, authenticity, and non-repudiation are still opened representing the main concerns that reduces the growth of cloud computing. Hash based mechanisms are thus mainly used for message authentication and this paper analyses imposed security issues over clouds. To this end, recently developed semantically enhanced Cyber Security Model (CSM) is extended representing a promising solution capable to address all issues of heterogeneity, shared parties and different interests over clouds.
Keywords: cloud computing; file organisation; security of data; CSM; IT industry; IT services; Internet; cloud systems; hash based mechanisms; hash functions integration; security challenges; semantically enhanced cyber security model; shared parties; Cloud computing; Computational modeling; Computer security; Cryptography; Law; Resistance; hash functions; security (ID#: 16-10629)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7181879&isnumber=7181853
S. D. Taru and V. B. Maral, “Object Oriented Accountability Approach in Cloud for Data Sharing with Patchy Image Encryption,” Advances in Computing, Communications and Informatics (ICACCI), 2015 International Conference on, Kochi, 2015, pp. 1688-1693. doi: 10.1109/ICACCI.2015.7275856
Abstract: Cloud computing presents a new approach for delivery model and consumption of different IT services based on internet. Highly scalable and virtualized resources are provided as a service on demand basis. Cloud computing provides flexibility for deploying applications at lower cost while increasing business agility. The main feature of using cloud services is that user’s data are more often processed at remote machines which are unknown to user. As user do not own these remote machine used for speed up data processing or operate them in cloud, users can lose control of own confidential data. Despite of all of advantages of cloud this remains a challenge and acts as a barrier to the large scale adoption of cloud. To address above problem in this paper we present object oriented approach that performs automated logging mechanism to ensure any access to user’s data will trigger authentication with use of decentralized information accountability framework called as CIA (Cloud Information Accountability) [1]. We use the JAR (JAVA Archive File) programmable capabilities to create dynamic travelling object containing user’s data. To strengthen the distributed data security we use the chaos image encryption technique specific to image files. Chaos is patchy image encryption technique based on pixel shuffling. Randomness of the chaos is made utilized to scramble the position of the pixel of image.
Keywords: Java; chaos; cloud computing; cryptography; image coding; message authentication; object-oriented programming; CIA; JAR; JAVA archive file; automated logging mechanism; chaos image encryption technique; cloud information accountability; data sharing; distributed data security; object oriented accountability approach; pixel shuffling; user authentication; Authentication; Chaos; Ciphers; Cloud computing; Encryption; Accountability; Chaos encryption; Cloud computing; Data sharing; Logging mechanism (ID#: 16-10630)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7275856&isnumber=7275573
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.