Human-Computer Interaction Considerations When Developing Cyber Ranges
Authors: Lynsay A. Shepherd, Stefano De Paoli, Jim Conacher
Abstract: The number of cyber-attacks are continuing to rise globally. It is therefore vital for organisations to develop the necessary skills to secure their assets and to protect critical national infrastructure. In this short paper, we outline upon human-computer interaction elements which should be considered when developing a cybersecurity training platform, in an effort to maintain levels of user engagement. We provide an overview of existing training platforms before covering specialist cyber ranges. Aspects of human-computer interaction are noted with regards to their relevance in the context of cyber ranges. We conclude with design suggestions when developing a cyber range platform.Comment: 5 pages, short discussion paper
Date: 9 Jul 2020
PDF »Main page »
The Road Not Taken: Re-thinking the Feasibility of Voice Calling Over Tor
Authors: Piyush Kumar Sharma, Shashwat Chaudhary, Nikhil Hassija, Mukulika Maity, Sambuddho Chakravarty
Abstract: Anonymous VoIP calls over the Internet holds great significance for privacy-conscious users, whistle-blowers and political activists alike. Prior research deems popular anonymization systems like Tor unsuitable for providing requisite performance guarantees that real-time applications like VoIP need. Their claims are backed by studies that may no longer be valid due to constant advancements in Tor. Moreover, we believe that these studies lacked the requisite diversity and comprehensiveness. Thus, conclusions from these studies led them to propose novel and tailored solutions. However, no such system is available for immediate use. Additionally, operating such new systems would incur significant costs for recruiting users and volunteered relays, to provide the necessary anonymity guarantees. It thus becomes imperative that the exact performance of VoIP over Tor be quantified and analyzed so that the potential performance bottlenecks can be amended. We thus conducted an extensive empirical study across various in-lab and real-world scenarios to shed light on VoIP performance over Tor. In over 0.5 million measurements spanning 12 months, across seven countries and covering about 6650 Tor relays, we observed that Tor supports good voice quality (Perceptual Evaluation of Speech Quality (PESQ) >3 and oneway delay <400ms) in more than 85% of cases. Further analysis indicates that in general for most Tor relays, the contentions due to cross-traffic were low enough to support VoIP calls, that are anyways transmitted at low rates (<120 Kbps). Our findings are supported by concordant measurements using iperf that show more than the adequate available bandwidth for most cases. Data published by the Tor Metrics also corroborates the same. Hence, unlike prior efforts, our research reveals that Tor is suitable for supporting anonymous VoIP calls.Date: 9 Jul 2020
PDF »Main page »
Serverless Electronic Mail
Authors: Geoffrey Goodell
Abstract: We describe a simple approach to peer-to-peer electronic mail that would allow users of ordinary workstations and mobile devices to exchange messages without relying upon third-party mail server operators. Crucially, the system allows participants to establish and use multiple unlinked identities for communication with each other. The architecture leverages ordinary SMTP \cite{smtp} for message delivery and Tor \cite{tor} for peer-to-peer communication. The design offers a robust, unintrusive method to use self-certifying Tor onion service names to bootstrap a web of trust based on public keys for end-to-end authentication and encryption, which in turn can be used to facilitate message delivery when the sender and recipient are not online simultaneously. We show how the system can interoperate with existing email systems and paradigms, allowing users to hold messages that others can retrieve via IMAP \cite{imap} or to operate as a relay between system participants and external email users. Finally, we show how it is possible to use a broadcast protocol to implement mailing lists and how distributed ledger technology might be used to bootstrap consensus about shared knowledge among list members.Comment: 9 pages, 8 figures
Date: 9 Jul 2020
PDF »Main page »
A Secure Back-up and Restore for Resource-Constrained IoT based on Nanotechnology
Authors: Mesbah Uddin, Md. Badruddoja Majumder, Md. Sakib Hasan, Garrett S. Rose
Abstract: With the emergence of IoT (Internet of things), huge amounts of sensitive data are being processed and transmitted everyday in edge devices with little to no security. Due to their aggressive power management schemes, it is a common and necessary technique to make a back-up of their program states and other necessary data in a non-volatile memory (NVM) before going to sleep or low power mode. However, this memory is often left unprotected as adding robust security measures tends to be expensive for these resource constrained systems. In this paper, we propose a lightweight security system for NVM during low power mode. This security architecture uses the memristor, an emerging nanoscale device which is used to build hardware security primitives like PUF (physical unclonable function) based encryption-decryption, true random number generators (TRNG), and memory integrity checking. A reliability enhancement technique for this PUF is also proposed which shows how this system would work even with less-than-100\% reliable PUF responses. Together, with all these techniques, we have established a dual layer security protocol (data encryption+integrity check) which provides reasonable security to an embedded processor while being very lightweight in terms of area, power, and computation time. A complete system design is demonstrated with 65$n$m CMOS and emerging memristive technology. With this, we have provided a detailed and accurate estimation of resource overhead. Analysis of the security of the whole system is also provided.Comment: Content: 17 pages with 15 figures and 7 tables Submitted to IEEE IoT Journal
Date: 9 Jul 2020
PDF »Main page »
Artificial Intelligence and Machine Learning in 5G Network Security: Opportunities, advantages, and future research trends
Authors: Noman Haider, Muhammad Zeeshan Baig, Muhammad Imran
Abstract: Recent technological and architectural advancements in 5G networks have proven their worth as the deployment has started over the world. Key performance elevating factor from access to core network are softwareization, cloudification and virtualization of key enabling network functions. Along with the rapid evolution comes the risks, threats and vulnerabilities in the system for those who plan to exploit it. Therefore, ensuring fool proof end-to-end (E2E) security becomes a vital concern. Artificial intelligence (AI) and machine learning (ML) can play vital role in design, modelling and automation of efficient security protocols against diverse and wide range of threats. AI and ML has already proven their effectiveness in different fields for classification, identification and automation with higher accuracy. As 5G networks' primary selling point has been higher data rates and speed, it will be difficult to tackle wide range of threats from different points using typical/traditional protective measures. Therefore, AI and ML can play central role in protecting highly data-driven softwareized and virtualized network components. This article presents AI and ML driven applications for 5G network security, their implications and possible research directions. Also, an overview of key data collection points in 5G architecture for threat classification and anomaly detection are discussed.Comment: 7 Pages, 3 figures, 1 table, (Magazine type article)
Date: 9 Jul 2020
PDF »Main page »
Epidemic Exposure Notification with Smartwatch: A Proximity-Based Privacy-Preserving Approach
Authors: Pai Chet Ng, Petros Spachos, Stefano Gregori, Konstantinos Plataniotis
Abstract: Businesses planning for the post-pandemic world are looking for innovative ways to protect the health and welfare of their employees and customers. Wireless technologies can play a key role in assisting contact tracing to quickly halt a local infection outbreak and prevent further spread. In this work, we present a wearable proximity and exposure notification solution based on a smartwatch that also promotes safe physical distancing in business, hospitality, or recreational facilities. Our proximity-based privacy-preserving contact tracing (P$^3$CT) leverages the Bluetooth Low Energy (BLE) technology for reliable proximity sensing, and an ambient signature protocol for preserving identity. Proximity sensing exploits the received signal strength (RSS) to detect the user's interaction and thus classifying them into low- or high-risk with respect to a patient diagnosed with an infectious disease. More precisely, a user is notified of their exposure based on their interactions, in terms of distance and time, with a patient. Our privacy-preserving protocol uses the ambient signatures to ensure that users' identities be anonymized. We demonstrate the feasibility of our proposed solution through extensive experimentation.Date: 8 Jul 2020
PDF »Main page »
A Critical Evaluation of Open-World Machine Learning
Authors: Liwei Song, Vikash Sehwag, Arjun Nitin Bhagoji, Prateek Mittal
Abstract: Open-world machine learning (ML) combines closed-world models trained on in-distribution data with out-of-distribution (OOD) detectors, which aim to detect and reject OOD inputs. Previous works on open-world ML systems usually fail to test their reliability under diverse, and possibly adversarial conditions. Therefore, in this paper, we seek to understand how resilient are state-of-the-art open-world ML systems to changes in system components? With our evaluation across 6 OOD detectors, we find that the choice of in-distribution data, model architecture and OOD data have a strong impact on OOD detection performance, inducing false positive rates in excess of $70\%$. We further show that OOD inputs with 22 unintentional corruptions or adversarial perturbations render open-world ML systems unusable with false positive rates of up to $100\%$. To increase the resilience of open-world ML, we combine robust classifiers with OOD detection techniques and uncover a new trade-off between OOD detection and robustness.Comment: Presented at the ICML 2020 Workshop on Uncertainty and Robustness in Deep Learning
Date: 8 Jul 2020
PDF »Main page »
SmartBugs: A Framework to Analyze Solidity Smart Contracts
Authors: João F. Ferreira, Pedro Cruz, Thomas Durieux, Rui Abreu
Abstract: Over the last few years, there has been substantial research on automated analysis, testing, and debugging of Ethereum smart contracts. However, it is not trivial to compare and reproduce that research. To address this, we present SmartBugs, an extensible and easy-to-use execution framework that simplifies the execution of analysis tools on smart contracts written in Solidity, the primary language used in Ethereum. SmartBugs is currently distributed with support for 10 tools and two datasets of Solidity contracts. The first dataset can be used to evaluate the precision of analysis tools, as it contains 143 annotated vulnerable contracts with 208 tagged vulnerabilities. The second dataset contains 47,518 unique contracts collected through Etherscan. We discuss how SmartBugs supported the largest experimental setup to date both in the number of tools and in execution time. Moreover, we show how it enables easy integration and comparison of analysis tools by presenting a new extension to the tool SmartCheck that improves substantially the detection of vulnerabilities related to the DASP10 categories Bad Randomness, Time Manipulation, and Access Control (identified vulnerabilities increased from 11% to 24%).Comment: arXiv admin note: text overlap with arXiv:1910.10601
Date: 8 Jul 2020
PDF »Main page »