Covert channels are data transmission methods that bypass the detection of security mechanisms and pose a serious threat to critical infrastructure. Meanwhile, it is also an effective way to ensure the secure transmission of private data. Therefore, research on covert channels helps us to quickly detect attacks and protect the security of data transmission. This paper proposes covert channels based on the timestamp of the Internet Control Message Protocol echo reply packet in the Linux system. By considering the concealment, we improve our proposed covert channels, ensuring that changing trends in the timestamp of modified consecutive packets are consistent with consecutive regular packets. Besides, we design an Iptables rule based on the current system time to analyze the performance of the proposed covert channels. Finally, it is shown through experiments that the channels complete the private data transmission in the industrial control network. Furthermore, the results demonstrate that the improved covert channels offer better performance in concealment, time cost, and the firewall test.
Authored by Jie Lu, Yong Ding, Zhenyu Li, Chunhui Wang
The excess buffering of packets in network elements, also referred to as bufferbloat, results in high latency. Considering the requirements of traffic generated by video conferencing systems like Zoom, cloud rendered gaming platforms like Google Stadia, or even video streaming services such as Netflix, Amazon Prime and YouTube, timeliness of such traffic is important. Ensuring low latency to IP flows with a high throughput calls for the application of Active Queue Management (AQM) schemes. This introduces yet another problem as the co-existence of scalable and classic congestion controls leads to the starvation of classic TCP flows. Technologies such as Low Latency Low Loss Scalable Throughput (L4S) and the corresponding dual queue coupled AQM, DualPI2, provide a robust solution to these problems. However, their deployment on hardware targets such as programmable switches is quite challenging due to the complexity of algorithms and architectural constraints of switching ASICs. In this study, we provide proof of concept implementations of two AQMs that enable the co-existence of scalable and traditional TCP traffic, namely DualPI2 and the preceding single-queue PI2 AQM, on an Intel Tofino switching ASIC. Given the fixed operation of the switch’s traffic manager, we investigate to what extent it is possible to implement a fully RFC-compliant version of the two AQMs on the Tofino ASIC. The study shows that an appropriate split between control and data plane operations is required while we also exploit fixed functionality of the traffic manager to support such solutions.
Authored by Gergő Gombos, Maurice Mouw, Sándor Laki, Chrysa Papagianni, Koen De Schepper
The demand for increasing flexibility use in power systems is stressed by the changing grid utilization. Making use of largely untapped flexibility potential is possible through novel flexibility markets. Different approaches for these markets are being developed and vary considering their handling of transaction schemes and relation of participating entities. This paper delivers the conceptual development of a holistic system architecture for the realization of an interregional flexibility market, which targets a market based congestion management in the transmission and distribution system through trading between system operators and flexibility providers. The framework combines a market mechanism with the required supplements like appropriate control algorithms for emergency situations, cyber-physical system monitoring and cyber-security assessment. The resulting methods are being implemented and verified in a remote-power-hardware-in-the-loop setup coupling a real world low voltage grid with a geographically distant real time simulation using state of the art control system applications with an integration of the aforementioned architecture components.
Authored by Oliver Kraft, Oliver Pohl, Ulf Häger, Kai Heussen, Nils Müller, Zeeshan Afzal, Mathias Ekstedt, Hossein Farahmand, Dmytro Ivanko, Ankit Singh, Sasiphong Leksawat, Andreas Kubis
Since its inception, the Internet has experienced tremendous speed and functionality improvements. Among these developments are innovative approaches such as the design and deployment of Internet Protocol version six (IPv6) and the continuous modification of TCP. New transport protocols like Stream Communication Transport Protocol (SCTP) and Multipath TCP (MPTCP), which can use multiple data paths, have been developed to overcome the IP-coupled challenge in TCP. However, given the difficulties of packet modifiers over the Internet that prevent the deployment of newly proposed protocols, e.g., SCTP, a UDP innovative approach with QUIC (Quick UDP Internet Connection) has been put forward as an alternative. QUIC reduces the connection establishment complexity in TCP and its variants, high security, stream multiplexing, and pluggable congestion control. Motivated by the gains and acceptability of MPTCP, Multipath QUIC has been developed to enable multipath transmission in QUIC. While several researchers have reviewed the progress of improvement and application of MPTCP, the review on MPQUIC improvement is limited. To breach the gap, this paper provides a brief survey on the practical application and progress of MPQUIC in data communication. We first review the fundamentals of multipath transport protocols. We then provide details on the design of QUIC and MPQUIC. Based on the articles reviewed, we looked at the various applications of MPQUIC, identifying the application domain, tools used, and evaluation parameters. Finally, we highlighted the open research issues and directions for further investigations.
Authored by John Wejin, Joke Badejo, Oluranti Jonathan, Folasade Dahunsi
Dual Connectivity is a key approach to achieving optimization of throughput and latency in heterogeneous networks. Originally a technique introduced by the 3rd Generation Partnership Project (3GPP) for terrestrial communications, it is not been widely explored in satellite systems. In this paper, Dual Connectivity is implemented in a multi-orbital satellite network, where a network model is developed by employing the diversity gains from Dual Connectivity and Carrier Aggregation for the enhancement of satellite uplink capacity. An introduction of software defined network controller is performed at the network layer coupled with a carefully designed hybrid resource allocation algorithm which is implemented strategically. The algorithm performs optimum dynamic flow control and traffic steering by considering the availability of resources and the channel propagation information of the orbital links to arrive at a resource allocation pattern suitable in enhancing uplink system performance. Simulation results are shown to evaluate the achievable gains in throughput and latency; in addition we provide useful insight in the design of multi-orbital satellite networks with implementable scheduler design.
Authored by Michael Dazhi, Hayder Al-Hraishawi, Mysore Shankar, Symeon Chatzinotas
As cyber-physical systems are becoming more wide spread, it is imperative to secure these systems. In the real world these systems produce large amounts of data. However, it is generally impractical to test security techniques on operational cyber-physical systems. Thus, there exists a need to have realistic systems and data for testing security of cyber-physical systems [1]. This is often done in testbeds and cyber ranges. Most cyber ranges and testbeds focus on traditional network systems and few incorporate cyber-physical components. When they do, the cyber-physical components are often simulated. In the systems that incorporate cyber-physical components, generally only the network data is analyzed for attack detection and diagnosis. While there is some study in using physical signals to detect and diagnosis attacks, this data is not incorporated into current testbeds and cyber ranges. This study surveys currents testbeds and cyber ranges and demonstrates a prototype testbed that includes cyber-physical components and sensor data in addition to traditional cyber data monitoring.
Authored by Stephen Coshatt, Qi Li, Bowen Yang, Shushan Wu, Darpan Shrivastava, Jin Ye, WenZhan Song, Feraidoon Zahiri
Due to the rapid development of cyber-physical systems, there are more and more security problems. The purpose of this work is to develop the concept of a knowledge base in the field of security of cyber-physical systems based on an ontological approach. To create the concept of a knowledge base, it was necessary to consider the system of a cyber-physical system and highlight its structural parts. As a result, the main concepts of the security of a cyber-physical system were identified and the concept of a knowledge base was drawn up, which in the future will help to analyze potential threats to cyber-physical systems.
Authored by Basan Sergeevich, Basan Sergeevna, Ivannikova Nikolaevna, Korchalovsky Vitalievich, Mikhailova Dmitrievna, Shulika Gennadievna
A methodology for studying the level of security for various types of CPS through the analysis of the consequences was developed during the research process. An analysis of the architecture of cyber-physical systems was carried out, vulnerabilities and threats of specific devices were identified, a list of possible information attacks and their consequences after the exploitation of vulnerabilities was identified. The object of research is models of cyber-physical systems, including IoT devices, microcomputers, various sensors that function through communication channels, organized by cyber-physical objects. The main subjects of this investigation are methods and means of security testing of cyber-physical systems (CPS). The main objective of this investigation is to update the problem of security in cyber-physical systems, to analyze the security of these systems. In practice, the testing methodology for the cyber-physical system “Smart Factory” was implemented, which simulates the operation of a real CPS, with different types of links and protocols used.
Authored by Elena Basan, Vasilisa Mikhailova, Maria Shulika
Since the cyber and physical layers in the distribution system are deeply integrated, the traditional distribution system has gradually developed into the cyber-physical distribution system (CPDS), and the failures of the cyber layer will affect the reliable and safe operation of the whole distribution system. Therefore, this paper proposes an CPDS planning method considering the reliability of the cyber-physical system. First, the reliability evaluation model of CPDS is proposed. Specifically, the functional reliability model of the cyber layer is introduced, based on which the physical equipment reliability model is further investigated. Second, an optimal planning model of CPDS considering cyber-physical random failures is developed, which is solved using the Monte Carlo Simulation technique. The proposed model is tested on the modified IEEE 33-node distribution system, and the results demonstrate the effectiveness of the proposed method.
Authored by Changjiang Wang, Chutian Yu, Xunhu Yin, Lijun Zhang, Xiang Yuan, Mingxia Fan
In this paper, a data-driven security detection approach is proposed in a simple manner. The detector is designed to deal with false data injection attacks suffered by industrial cyber-physical systems with unknown model information. First, the attacks are modeled from the perspective of the generalized plant mismatch, rather than the operating data being tampered. Second, some subsystems are selected to reduce the design complexity of the detector, and based on them, an output estimator with iterative form is presented in a theoretical way. Then, a security detector is constructed based on the proposed estimator and its cost function. Finally, the effectiveness of the proposed approach is verified by simulations of a Western States Coordinated Council 9-bus power system.
Authored by Bin Liu, Jingzhao Chen, Yong Hu
The security control problem of cyber-physical system (CPS) under actuator attacks is studied in the paper. Considering the strict-feedback cyber-physical systems with external disturbance, a security control scheme is proposed by combining backstepping method and super-twisting sliding mode technology when the transmission control input signal of network layer is under false data injection(FDI) attack. Firstly, the unknown nonlinear function of the CPS is identified by Radial Basis Function Neural Network. Secondly, the backstepping method and super-twisting sliding mode algorithm are combined to eliminate the influence of actuator attack and ensure the robustness of the control system. Then, by Lyapunov stability theory, it is proved that the proposed control scheme can ensure that all signals in the closed-loop system are semi-global and ultimately uniformly bounded. Finally, the effectiveness of the proposed control scheme is verified by the inverted pendulum simulation.
Authored by Dahua Li, Dapeng Li, Junjie Liu, Yu Song, Yuehui Ji
With the intelligent development of power system, due to the double-layer structure of smart grid and the characteristics of failure propagation across layers, the attack path also changes significantly: from single-layer to multi-layer and from static to dynamic. In response to the shortcomings of the single-layer attack path of traditional attack path identification methods, this paper proposes the idea of cross-layer attack, which integrates the threat propagation mechanism of the information layer and the failure propagation mechanism of the physical layer to establish a forward-backward bi-directional detection model. The model is mainly used to predict possible cross-layer attack paths and evaluate their path generation probabilities to provide theoretical guidance and technical support for defenders. The experimental results show that the method proposed in this paper can well identify the dynamic cross-layer attacks in the smart grid.
Authored by Binbin Wang, Yi Wu, Naiwang Guo, Lei Zhang, Chang Liu
Security of Internet of Things (IoT) is one of the most prevalent crucial challenges ever since. The diversified devices and their specification along with resource constrained protocols made it more complex to address over all security need of IoT. Denial of Service attacks, being the most powerful and frequent attacks on IoT have been considered so forth. However, the attack happens on multiple layers and thus a single detection technique for each layer is not sufficient and effective to combat these attacks. Current study focuses on cross layer intrusion detection system (IDS) for detection of multiple Denial of Service (DoS) attacks. Presently, two attacks at Transmission Control Protocol (TCP) and Routing Protocol are considered for Low power and Lossy Networks (RPL) and a neural network-based IDS approach has been proposed for the detection of such attacks. The attacks are simulated on NetSim and detection and the performance shows up to 80% detection probabilities.
Authored by Ayushi Kharkwal, Saumya Mishra, Aditi Paul
The Internet of Things is a developing technology that converts physical objects into virtual objects connected to the internet using wired and wireless network architecture. Use of cross-layer techniques in the internet of things is primarily driven by the high heterogeneity of hardware and software capabilities. Although traditional layered architecture has been effective for a while, cross-layer protocols have the potential to greatly improve a number of wireless network characteristics, including bandwidth and energy usage. Also, one of the main concerns with the internet of things is security, and machine learning (ML) techniques are thought to be the most cuttingedge and viable approach. This has led to a plethora of new research directions for tackling IoT's growing security issues. In the proposed study, a number of cross-layer approaches based on machine learning techniques that have been offered in the past to address issues and challenges brought on by the variety of IoT are in-depth examined. Additionally, the main issues are mentioned and analyzed, including those related to scalability, interoperability, security, privacy, mobility, and energy utilization.
Authored by K. Saranya, Dr. A. Valarmathi
As a mature and open mobile operating system, Android runs on many IoT devices, which has led to Android-based IoT devices have become a hotbed of malware. Existing static detection methods for malware using artificial intelligence algorithms focus only on the java code layer when extracting API features, however there is a lot of malicious behavior involving native layer code. Thus, to make up for the neglect of the native code layer, we propose a heterogeneous information network-based Android malware detection method with cross-layer features. We first translate the semantic information of apps and API calls into the form of meta-paths, and construct the adjacency of apps based on API calls, then combine information from different meta-paths using multi-core learning. We implemented our method on the dataset from VirusShare and AndroZoo, and the experimental results show that the accuracy of our method is 93.4%, which is at least 2% higher than other related methods using heterogeneous information networks for malware detection.
Authored by Ren Xixuan, Zhao Lirui, Wang Kai, Xue Zhixing, Hou Anran, Shao Qiao
Multi-label image classification task aims to predict multiple object labels in a given image and faces the challenge of variable-sized objects. Limited by the size of CNN convolution kernels, existing CNN-based methods have difficulty capturing global dependencies and effectively fusing multiple layers features, which is critical for this task. Recently, transformers have utilized multi-head attention to extract feature with long range dependencies. Inspired by this, this paper proposes a Cross-layer Aggregation with Transformers (CAT) framework, which leverages transformers to capture the long range dependencies of CNN-based features with Long Range Dependencies module and aggregate the features layer by layer with Cross-Layer Fusion module. To make the framework efficient, a multi-head pre-max attention is designed to reduce the computation cost when fusing the high-resolution features of lower-layers. On two widely-used benchmarks (i.e., VOC2007 and MS-COCO), CAT provides a stable improvement over the baseline and produces a competitive performance.
Authored by Weibo Zhang, Fuqing Zhu, Jizhong Han, Tao Guo, Songlin Hu
Physical-layer key (PLK) generation scheme is a new key generation scheme based on wireless channel reciprocity. However, the security of physical layer keys still lacks sufficient theoretical support in the presence of eavesdropping attacks until now, which affects the promotion in practical applications. By analyzing the propagation mode of multipath signals under non-line-of-sight (nLoS), an improved spatial cross-correlation model is constructed, where the spatial cross-correlation is between eavesdropping channel and legitimate channel. Results show that compared with the multipath and obstacle distribution of the channel, the azimuth and distance between the eavesdropper and the eavesdropped user have a greater impact on the cross-correlation.
Authored by Xuyang Wang, Aiqun Hu, Yongming Huang, Xiangning Fan
In the deep nano-scale regime, reliability has emerged as one of the major design issues for high-density integrated systems. Among others, key reliability-related issues are soft errors, high temperature, and aging effects (e.g., NBTI-Negative Bias Temperature Instability), which jeopardize the correct applications' execution. Tremendous amount of research effort has been invested at individual system layers. Moreover, in the era of growing cyber-security threats, modern computing systems experience a wide range of security threats at different layers of the software and hardware stacks. However, considering the escalating reliability and security costs, designing a highly reliable and secure system would require engaging multiple system layers (i.e. both hardware and software) to achieve cost-effective robustness. This talk provides an overview of important reliability issues, prominent state-of-the-art techniques, and various hardwaresoftware collaborative reliability modeling and optimization techniques developed at our lab, with a focus on the recent works on ML-based reliability techniques. Afterwards, this talk will also discuss how advanced ML techniques can be leveraged to devise new types of hardware security attacks, for instance on logic locked circuits. Towards the end of the talk, I will also give a quick pitch on the reliability and security challenges for the embedded machine learning (ML) on resource/energy-constrained devices subjected to unpredictable and harsh scenarios.
Authored by Muhammad Shafique
In the Smart Grid paradigm, this critical infrastructure operation is increasingly exposed to cyber-threats due to the increased dependency on communication networks. An adversary can launch an attack on a power grid operation through False Data Injection into system measurements and/or through attacks on the communication network, such as flooding the communication channels with unnecessary data or intercepting messages. A cross-layered strategy that combines power grid data, communication grid monitoring and Machine Learning-based processing is a promising solution for detecting cyber-threats. In this paper, an implementation of an integrated solution of a cross-layer framework is presented. The advantage of such a framework is the augmentation of valuable data that enhances the detection of anomalies in the operation of power grid. IEEE 118-bus system is built in Simulink to provide a power grid testing environment and communication network data is emulated using SimComponents. The performance of the framework is investigated under various FDI and communication attacks.
Authored by Nader Aljohani, Dennis Agnew, Keerthiraj Nagaraj, Sharon Boamah, Reynold Mathieu, Arturo Bretas, Janise McNair, Alina Zare
In recent years, research has focused on exploiting the inherent physical (PHY) characteristics of wireless channels to discriminate between different spatially separated network terminals, mitigating the significant costs of signature-based techniques. In this paper, the legitimacy of the corresponding terminal is firstly verified at the protocol stack’s upper layers, and then the re-authentication process is performed at the PHY-layer. In the latter, a unique PHY-layer signature is created for each transmission based on the spatially and temporally correlated channel attributes within the coherence time interval. As part of the verification process, the PHY-layer signature can be used as a message authentication code to prove the packet’s authenticity. Extensive simulation has shown the capability of the proposed scheme to support high detection probability at small signal-to-noise ratios. In addition, security evaluation is conducted against passive and active attacks. Computation and communication comparisons are performed to demonstrate that the proposed scheme provides superior performance compared to conventional cryptographic approaches.
Authored by Mahmoud Shawky, Qammer Abbasi, Muhammad Imran, Shuja Ansari, Ahmad Taha
Researchers have investigated the dark web for various purposes and with various approaches. Most of the dark web data investigation focused on analysing text collected from HTML pages of websites hosted on the dark web. In addition, researchers have documented work on dark web image data analysis for a specific domain, such as identifying and analyzing Child Sexual Abusive Material (CSAM) on the dark web. However, image data from dark web marketplace postings and forums could also be helpful in forensic analysis of the dark web investigation.The presented work attempts to conduct image classification on classes other than CSAM. Nevertheless, manually scanning thousands of websites from the dark web for visual evidence of criminal activity is time and resource intensive. Therefore, the proposed work presented the use of quantum computing to classify the images using a Quantum Convolutional Neural Network (QCNN). Authors classified dark web images into four categories alcohol, drugs, devices, and cards. The provided dataset used for work discussed in the paper consists of around 1242 images. The image dataset combines an open source dataset and data collected by authors. The paper discussed the implementation of QCNN and offered related performance measures.
Authored by Ashwini Dalvi, Soham Bhoir, Irfan Siddavatam, S Bhirud
Cyber threat intelligence (CTI) is vital for enabling effective cybersecurity decisions by providing timely, relevant, and actionable information about emerging threats. Monitoring the dark web to generate CTI is one of the upcoming trends in cybersecurity. As a result, developing CTI capabilities with the dark web investigation is a significant focus for cybersecurity companies like Deepwatch, DarkOwl, SixGill, ThreatConnect, CyLance, ZeroFox, and many others. In addition, the dark web marketplace (DWM) monitoring tools are of much interest to law enforcement agencies (LEAs). The fact that darknet market participants operate anonymously and online transactions are pseudo-anonymous makes it challenging to identify and investigate them. Therefore, keeping up with the DWMs poses significant challenges for LEAs today. Nevertheless, the offerings on the DWM give insights into the dark web economy to LEAs. The present work is one such attempt to describe and analyze dark web market data collected for CTI using a dark web crawler. After processing and labeling, authors have 53 DWMs with their product listings and pricing.
Authored by Ashwini Dalvi, Gunjan Patil, S Bhirud
The value and size of information exchanged through dark-web pages are remarkable. Recently Many researches showed values and interests in using machine-learning methods to extract security-related useful knowledge from those dark-web pages. In this scope, our goals in this research focus on evaluating best prediction models while analyzing traffic level data coming from the dark web. Results and analysis showed that feature selection played an important role when trying to identify the best models. Sometimes the right combination of features would increase the model’s accuracy. For some feature set and classifier combinations, the Src Port and Dst Port both proved to be important features. When available, they were always selected over most other features. When absent, it resulted in many other features being selected to compensate for the information they provided. The Protocol feature was never selected as a feature, regardless of whether Src Port and Dst Port were available.
Authored by Ahmad Al-Omari, Andrew Allhusen, Abdullah Wahbeh, Mohammad Al-Ramahi, Izzat Alsmadi
Web evolution and Web 2.0 social media tools facilitate communication and support the online economy. On the other hand, these tools are actively used by extremist, terrorist and criminal groups. These malicious groups use these new communication channels, such as forums, blogs and social networks, to spread their ideologies, recruit new members, market their malicious goods and raise their funds. They rely on anonymous communication methods that are provided by the new Web. This malicious part of the web is called the “dark web”. Dark web analysis became an active research area in the last few decades, and multiple research studies were conducted in order to understand our enemy and plan for counteract. We have conducted a systematic literature review to identify the state-of-art and open research areas in dark web analysis. We have filtered the available research papers in order to obtain the most relevant work. This filtration yielded 28 studies out of 370. Our systematic review is based on four main factors: the research trends used to analyze dark web, the employed analysis techniques, the analyzed artifacts, and the accuracy and confidence of the available work. Our review results have shown that most of the dark web research relies on content analysis. Also, the results have shown that forum threads are the most analyzed artifacts. Also, the most significant observation is the lack of applying any accuracy metrics or validation techniques by most of the relevant studies. As a result, researchers are advised to consider using acceptance metrics and validation techniques in their future work in order to guarantee the confidence of their study results. In addition, our review has identified some open research areas in dark web analysis which can be considered for future research work.
Authored by Tamer Abdellatif, Raed Said, Taher Ghazal
Currently, the Dark Web is one key platform for the online trading of illegal products and services. Analysing the .onion sites hosting marketplaces is of interest for law enforcement and security researchers. This paper presents a study on 123k listings obtained from 6 different Dark Web markets. While most of current works leverage existing datasets, these are outdated and might not contain new products, e.g., those related to the 2020 COVID pandemic. Thus, we build a custom focused crawler to collect the data. Being able to conduct analyses on current data is of considerable importance as these marketplaces continue to change and grow, both in terms of products offered and users. Also, there are several anti-crawling mechanisms being improved, making this task more difficult and, consequently, reducing the amount of data obtained in recent years on these marketplaces. We conduct a data analysis evaluating multiple characteristics regarding the products, sellers, and markets. These characteristics include, among others, the number of sales, existing categories in the markets, the origin of the products and the sellers. Our study sheds light on the products and services being offered in these markets nowadays. Moreover, we have conducted a case study on one particular productive and dynamic drug market, i.e., Cannazon. Our initial goal was to understand its evolution over time, analyzing the variation of products in stock and their price longitudinally. We realized, though, that during the period of study the market suffered a DDoS attack which damaged its reputation and affected users' trust on it, which was a potential reason which lead to the subsequent closure of the market by its operators. Consequently, our study provides insights regarding the last days of operation of such a productive market, and showcases the effectiveness of a potential intervention approach by means of disrupting the service and fostering mistrust.
Authored by Víctor Labrador, Sergio Pastrana