Showing papers presented at "Availability, Reliability and Security in 2017"
Proceedings Article•10.1145/3098954.3098958•
A Blockchain-based Approach for Data Accountability and Provenance Tracking

Ricardo Neisse, Gary Steri, Igor Nai-Fovino
29 Aug 2017
TL;DR: This paper proposes the use of a blockchain-based approach to support data accountability and provenance tracking using publicly auditable contracts deployed in a blockchain that increase the transparency with respect to the access and usage of data.
Abstract: The recent approval of the General Data Protection Regulation (GDPR) imposes new data protection requirements on data controllers and processors with respect to the processing of European Union (EU) residents' data. These requirements consist of a single set of rules that have binding legal status and should be enforced in all EU member states. In light of these requirements, we propose in this paper the use of a blockchain-based approach to support data accountability and provenance tracking. Our approach relies on the use of publicly auditable contracts deployed in a blockchain that increase the transparency with respect to the access and usage of data. We identify and discuss three models for our approach with different granularity and scalability requirements where contracts can be used to encode data usage policies and provenance tracking information in a privacy-friendly way. From these three models we designed, implemented, and evaluated a model where contracts are deployed by data subjects for each data controller, and a model where subjects join contracts deployed by data controllers in case they accept the data handling conditions. Our implementations show in practice the feasibility and limitations of contracts for the purposes identified in this paper.

225 citations

Proceedings Article•10.1145/3098954.3104053•
Forensic State Acquisition from Internet of Things (FSAIoT): A general framework and practical approach for IoT forensics through IoT device state acquisition

Christopher S. Meffert¹, Devon R. Clark¹, Ibrahim Baggili¹, Frank Breitinger¹
University of New Haven¹
29 Aug 2017
TL;DR: The findings show that it is possible to practically pull forensically relevant state data from IoT devices, demonstrated with a proof of concept implementation using openHAB -- a device agnostic open source IoT device controller -- and self-created scripts, to resemble a FSAC implementation.
Abstract: IoT device forensics is a difficult problem given that manufactured IoT devices are not standardized, many store little to no historical data, and are always connected; making them extremely volatile. The goal of this paper was to address these challenges by presenting a primary account for a general framework and practical approach we term Forensic State Acquisition from Internet of Things (FSAIoT). We argue that by leveraging the acquisition of the state of IoT devices (e.g. if an IoT lock is open or locked), it becomes possible to paint a clear picture of events that have occurred. To this end, FSAIoT consists of a centralized Forensic State Acquisition Controller (FSAC) employed in three state collection modes: controller to IoT device, controller to cloud, and controller to controller. We present a proof of concept implementation using openHAB -- a device agnostic open source IoT device controller -- and self-created scripts, to resemble a FSAC implementation. Our proof of concept employed an Insteon IP Camera as a controller to device test, an Insteon Hub as a controller to controller test, and a nest thermostat for a controller to cloud test. Our findings show that it is possible to practically pull forensically relevant state data from IoT devices. Future work and open research problems are shared.

98 citations

Proceedings Article•10.1145/3098954.3104052•
Application-Specific Digital Forensics Investigative Model in Internet of Things (IoT)

Tanveer A. Zia¹, Peng Liu², Weili Han³
Charles Sturt University¹, Penn State College of Information Sciences and Technology², Fudan University³
29 Aug 2017
TL;DR: This paper argues that besides traditional digital forensics practices it is important to have application-specific forensics in place to ensure collection of evidence in context of specific IoT applications and introduces a model which deals with not just traditional forensics but is applicable in digital as well as application-specific forensics process.
Abstract: Besides its enormous benefits to the industry and community the Internet of Things (IoT) has introduced unique security challenges to its enablers and adopters. As the trend in cybersecurity threats continue to grow, it is likely to influence IoT deployments. Therefore it is eminent that besides strengthening the security of IoT systems we develop effective digital forensics techniques that when breaches occur we can track the sources of attacks and bring perpetrators to the due process with reliable digital evidence. The biggest challenge in this regard is the heterogeneous nature of devices in IoT systems and lack of unified standards. In this paper we investigate digital forensics from IoT perspectives. We argue that besides traditional digital forensics practices it is important to have application-specific forensics in place to ensure collection of evidence in context of specific IoT applications. We consider top three IoT applications and introduce a model which deals with not just traditional forensics but is applicable in digital as well as application-specific forensics process. We believe that the proposed model will enable collection, examination, analysis and reporting of forensically sound evidence in an IoT application-specific digital forensics investigation.

85 citations

Proceedings Article•10.1145/3098954.3098963•
A Trust-based Resilient Routing Mechanism for the Internet of Things

Zeeshan Ali Khan¹, Johanna Ullrich, Artemios G. Voyiatzis, Peter Herrmann¹
Norwegian University of Science and Technology¹
29 Aug 2017
TL;DR: A trust-based approach for managing the reputation of every node of an IoT network is proposed, based on the emerging Routing Protocol for Low power and Lossy networks (RPL).
Abstract: Local-area networks comprising the Internet of Things (IoT) consist mainly of devices that have limited processing capabilities and face energy constraints. This has an implication on developing security mechanisms, as they require significant computing resources. In this paper, we design a trust-based routing solution with IoT devices in mind. Specifically, we propose a trust-based approach for managing the reputation of every node of an IoT network. The approach is based on the emerging Routing Protocol for Low power and Lossy networks (RPL). The proposed solution is simulated for its routing resilience and compared with two other variants of RPL.

62 citations

Proceedings Article•10.1145/3098954.3098972•
Go with the -Bitcoin- Flow, with Visual Analytics

Stefano Bistarelli¹, Francesco Santini¹
University of Perugia¹
29 Aug 2017
TL;DR: This work employs techniques from Visual Analytics to filter out undesired information in order to obtain a tool to visually analyse the transactions of bitcoin and help its analysis.
Abstract: Bitcoin is a cryptocurrency and a peer-to-peer payment system, where transactions directly take place between pseudo-anonymous users, without any centralised authority. Since the block-chain (i.e., the public ledger where transactions are registered) is an example of Big Data, a straightforward visualisation is not very informative. For this reason, we employ techniques from Visual Analytics to filter out undesired information in order to obtain a tool to visually analyse the transactions and help its analysis. For instance, different views can highlight miners, or sources and leaves of bitcoin flows, together with the balance of each address and transaction. Moreover, the main view sees transactions as grouped into disconnected "islands", making it possible to focus on only one of them at once.

47 citations

Proceedings Article•10.1145/3098954.3098973•
Incremental Clustering for Semi-Supervised Anomaly Detection applied on Log Data

Markus Wurzenberger¹, Florian Skopik¹, Max Landauer¹, Philipp Greitbauer¹, Roman Fiedler¹, Wolfgang Kastner²
Austrian Institute of Technology¹, Vienna University of Technology²
29 Aug 2017
TL;DR: This work introduces a semi-supervised concept for incremental clustering of log data that builds the basis for a novel on-line anomaly detection solution based on log data streams that allows to achieve both a high recall and a high precision while maintaining linear complexity.
Abstract: Anomaly detection based on white-listing and self-learning has proven to be a promising approach to detect customized and advanced cyber attacks. Anomaly detection aims at detecting significant deviations from normal system and network behavior. A well-known method to classify anomalous and normal system behavior is clustering of log lines. However, this approach has been applied for forensic purposes only, where log data dumps are investigated retrospectively. In order to make this concept applicable for on-line anomaly detection, i.e., at the time the log lines are produced, some major extensions to existing approaches are required. Especially distance based clustering approaches usually fail building the required large distance matrices and rely on time-consuming recalculations of the cluster-map on every arriving log line. An incremental clustering approach seems suitable to solve these issues. Thus, we introduce a semi-supervised concept for incremental clustering of log data that builds the basis for a novel on-line anomaly detection solution based on log data streams. Its operation is independent from the syntax and semantics of the processed log lines, which makes it generally applicable. We demonstrate that the introduced anomaly detection approach allows to achieve both a high recall and a high precision while maintaining linear complexity.

46 citations

Proceedings Article•10.1145/3098954.3106068•
Machine Learning Approach for Detection of nonTor Traffic

Elike Hodo¹, Xavier Bellekens², Ephraim Iorkyase¹, Andrew Hamilton¹, Christos Tachtatzis¹, Robert Atkinson¹
University of Strathclyde¹, Abertay University²
29 Aug 2017
TL;DR: In this article, the authors compared the reliability and efficiency of Artificial Neural Network and Support Vector Machine (SVM) in detecting non-Tor traffic in UNB-CIC Tor Network Traffic dataset.
Abstract: Intrusion detection has attracted a considerable interest from researchers and industries. After many years of research the community still faces the problem of building reliable and efficient intrusion detection systems (IDS) capable of handling large quantities of data with changing patterns in real time situations. The Tor network is popular in providing privacy and security to end user by anonymising the identity of internet users connecting through a series of tunnels and nodes. This work focuses on the classification of Tor traffic and nonTor traffic to expose the activities within Tor traffic that minimizes the protection of users. A study to compare the reliability and efficiency of Artificial Neural Network and Support vector machine in detecting nonTor traffic in UNB-CIC Tor Network Traffic dataset is presented in this paper. The results are analysed based on the overall accuracy, detection rate and false positive rate of the two algorithms. Experimental results show that both algorithms could detect nonTor traffic in the dataset. A hybrid Artificial neural network proved a better classifier than SVM in detecting nonTor traffic in UNB-CIC Tor Network Traffic dataset.

42 citations

Proceedings Article•10.1145/3098954.3104058•
Position Paper: The Past, Present, and Future of Sanitizable and Redactable Signatures

Arne Bilzhause¹, Henrich C. Pöhls¹, Kai Samelin²
University of Passau¹, IBM²
29 Aug 2017
TL;DR: The state-of-the-art SSS and redactable signature schemes are discussed, and potential future research opportunities are highlighted, to bring both primitives into practice.
Abstract: Sanitizable signature schemes (SSS), as well as redactable signature schemes (RSS), gained a lot of attention in the recent past. In a nutshell, both types of signature schemes allow to alter signed data in a controlled way by a, potentially semi-trusted, third party. The resulting signatures still verify. Thus, the authenticity of the subsequently modified content is preserved. In this position paper, we discuss the state-of-the-art, and highlight potential future research opportunities. We hope this work gives rise to additional ideas, real-life use-cases, and interesting upcoming research, helping to bring both primitives into practice. Hence, this paper is meant as a starting point for readers interested in these primitives, looking for new research and application opportunities. In other words, we think that both primitives deserve further attention.

41 citations

Proceedings Article•10.1145/3098954.3106070•
REMI: A Reliable and Secure Multicast Routing Protocol for IoT Networks

Mauro Conti¹, Pallavi Kaliyar¹, Chhagan Lal¹
University of Padua¹
29 Aug 2017
TL;DR: The results show the effectiveness of the REMI protocol over state-of-art protocols in terms of network throughput, propagation delay, and scalability at the cost of minimal overheads in terms of energy consumption and memory utilization.
Abstract: In this paper, we present REMI, a reliable and secure multicast routing protocol for IoT networks. The main aim of REMI is to enable efficient communication in low-power and lossy networks such as IoT, by ensuring that a message will be received by all its intended destinations, irrespective of the network size and the presence of misbehaving nodes. REMI uses a cluster-based routing approach that triggers a faster multicast dissemination of messages within the network. We implemented REMI with Contiki, a multitasking operating system which is widely adopted by industry for deploying energy-constrained and memory-efficient wireless networks. To assess the effectiveness and efficiency of REMI, we run a thorough set of simulations. Our results show the effectiveness of our protocol over state-of-art protocols in terms of network throughput, propagation delay, and scalability at the cost of minimal overheads in terms of energy consumption and memory utilization.

39 citations

Proceedings Article•10.1145/3098954.3105824•
On Using TLS to Secure In-Vehicle Networks

Daniel Zelle, Christoph Krauß, Hubert Strauß¹, Karsten Schmidt¹
Audi¹
29 Aug 2017
TL;DR: This paper investigates whether the Transport Layer Security Protocol (TLS) is applicable to secure in-vehicle networks and presents and discusses the prototypical TLS implementation on a typical automotive platform and shows that TLS is able to fulfill most performance requirements of the automotive industry.
Abstract: A trend in modern in-vehicle networks is the use of network technologies with higher bandwidth such as Automotive Ethernet. As a result, more sophisticated security technologies may be used to secure the communication. In this paper, we investigate whether the Transport Layer Security Protocol (TLS) is applicable to secure in-vehicle networks. First, we identify the security and performance requirements as well as the communication scenarios which must be supported by the TLS communication. Next, we discuss how these requirements can be realized with TLS. This also includes the discussion of the certificate management. Finally, we present and discuss our prototypical TLS implementation on a typical automotive platform and show that TLS is able to fulfill most performance requirements of the automotive industry.

38 citations

Proceedings Article•10.1145/3098954.3107011•
How to Ensure Bad Quality in Metal Additive Manufacturing: In-Situ Infrared Thermography from the Security Perspective

Andrew Slaughter¹, Mark Yampolskiy¹, Manyalibo J. Matthews², Wayne E. King², Gabe Guss², Yuval Elovici³
University of South Alabama¹, Lawrence Livermore National Laboratory², Singapore University of Technology and Design³
29 Aug 2017
TL;DR: This work identifies malicious manipulations that an adversary can perform in in-situ infrared imaging systems and discusses the consequences of the manipulations on the manufactured part's quality.
Abstract: Additive Manufacturing, a.k.a. 3D Printing, is increasingly used to manufacture functional parts, including components of safety critical systems. Therefore, assuring part quality has become of paramount importance. In-situ infrared (IR) imaging systems are a promising solution to increase final build quality and minimize time-consuming and costly post processing and characterization. However, it also raises novel security concerns. We argue that, if compromised, the same in-situ quality control can be abused to sabotage manufactured parts. As a basis for our discussion, we first detail how IR thermography is used in open-loop and, experimentally, in closed-loop quality control for powder bed fusion (PBF) systems. We then identify malicious manipulations that an adversary can perform. We discuss the consequences of the manipulations on the manufactured part's quality. For selected attacks, we also provide experimental proof of the identified manipulations and their consequences.
Proceedings Article•10.1145/3098954.3103171•
Towards a Secure SCRUM Process for Agile Web Application Development

Patrik Maier¹, Zhendong Ma², Roderick Bloem¹
Graz University of Technology¹, Austrian Institute of Technology²
29 Aug 2017
TL;DR: This paper identifies gaps in existing approaches to secure agile development, analyzes established security engineering activities, and adapts and orchestrates these activities into the Scrum development process to achieve both security and agility.
Abstract: Agile development such as Scrum and Extreme Programming deliver software in short iterations for quick response to rapid business requirement and market changes. However, established secure software development methodologies are mostly based on linear models such as waterfall and V-model, making them unsuitable for direct application in an agile environment. This paper presents a proposal for integrating security activities into Scrum process for developing secure Web applications. We identify gaps in existing approaches to secure agile development and analyze established security engineering activities. We then adapt these activities and orchestrate them into Scrum development process to achieve both security and agility. Our proposal is evaluated by a Scrum team developing commercial JAVA EE applications in an opinion survey.
Proceedings Article•10.1145/3098954.3103170•
Busting a Myth: Review of Agile Security Engineering Methods

Kalle Rindell¹, Sami Hyrynsalmi², Ville Leppänen¹
University of Turku¹, Tampere University of Technology²
29 Aug 2017
TL;DR: A literature review of a selected set of agile secure software development methods shows a wide and well-documented adaptation of security activities in agile software development, with the observed activities covering the whole security development life cycle.
Abstract: Engineering methods are essential in software development, and form a crucial element in the design and implementation of software security. Security engineering processes and activities have a long and well-standardized history of integration with software development methods. The inception of iterative and incremental software development methods raised suspicions of an inherent incompatibility between the traditional non-agile security processes and the new agile methods. This suspicion still affects the attitude towards agile security. To examine and explore this myth, this study presents a literature review of a selected set of agile secure software development methods. A systematic literature method was used to find the definitive set of secure agile software development methods, of which a core set of 11 papers was selected for analysis, and the security activities documented in the methods were extracted. The results show a wide and well-documented adaptation of security activities in agile software development, with the observed activities covering the whole security development life cycle. Based on the analysis, the inherent insecurity of the agile software development methods can be declared to be a mere myth.
Proceedings Article•10.1145/3098954.3103161•
Security and Privacy Implications of NFC-enabled Contactless Payment Systems

Nicholas Akinyokun¹, Vanessa Teague¹
University of Melbourne¹
29 Aug 2017
TL;DR: This paper focuses on the underlying trust assumptions, security measures and technologies that form the basis on which contactless payment cards and NFC-enabled mobile wallets exchange sensitive transaction data with contactless POS terminals and sheds light on the discrepancies between the EMV and ISO standards.
Abstract: Nowadays, contactless payments are becoming increasingly common as new smartphones, tablets, point-of-sale (POS) terminals and payment cards (often termed "tap-and-pay" cards) are designed to support Near Field Communication (NFC) technology. However, as NFC technology becomes pervasive, there have been concerns about how well NFC-enabled contactless payment systems protect individuals and organizations from emerging security and privacy threats. In this paper, we examine the security of contactless payment systems by considering the privacy threats and the different adversarial attacks that these systems must defend against. We focus our analysis on the underlying trust assumptions, security measures and technologies that form the basis on which contactless payment cards and NFC-enabled mobile wallets exchange sensitive transaction data with contactless POS terminals. We also explore the EMV and ISO standards for contactless payments and disclose their shortcomings with regards to enforcing security and privacy in contactless payment transactions. Our findings shed light on the discrepancies between the EMV and ISO standards, as well as how card issuing banks and mobile wallet providers configure their contactless payment cards and NFC-enabled mobile wallets based on these standards, respectively. These inconsistencies are disconcerting as they can be exploited by an adversary to compromise the integrity of contactless payment transactions.
Proceedings Article•10.1145/3098954.3098981•
On the Sequential Pattern and Rule Mining in the Analysis of Cyber Security Alerts

Martin Husák¹, Jaroslav Kašpar¹, Elias Bou-Harb², Pavel Čeleda¹
Masaryk University¹, Florida Atlantic University²
29 Aug 2017
TL;DR: This paper assesses sequential pattern and rule mining methods to find the one that is both fast and provides valuable results while dealing with the peculiarities of security alerts, and presents lessons learned and a comparison of the selected methods.
Abstract: Data mining is well-known for its ability to extract concealed and indistinct patterns in the data, which is a common task in the field of cyber security. However, data mining is not always used to its full potential among cyber security community. In this paper, we discuss usability of sequential pattern and rule mining, a subset of data mining methods, in an analysis of cyber security alerts. First, we survey the use case of data mining, namely alert correlation and attack prediction. Subsequently, we evaluate sequential pattern and rule mining methods to find the one that is both fast and provides valuable results while dealing with the peculiarities of security alerts. An experiment was performed using the dataset of real alerts from an alert sharing platform. Finally, we present lessons learned from the experiment and a comparison of the selected methods based on their performance and soundness of the results.
Proceedings Article•10.1145/3098954.3103172•
DevOps for Better Software Security in the Cloud Invited Paper

Martin Gilje Jaatun¹, Daniela S. Cruzes¹, Jesus Luna²
SINTEF¹, Technische Universität Darmstadt²
29 Aug 2017
TL;DR: This paper argues that DevOps can be employed for overall improved software security, particularly in cloud installations, where release cycles can be less than a day.
Abstract: The DevOps paradigm means that development and operations for an organisation blend together. For security, this implies that information on detected attacks can be fed back to the development, enabling faster eradication of vulnerabilities in software. This is particularly important in cloud installations, where release cycles can be less than a day. This paper argues that DevOps can be employed for overall improved software security.
Proceedings Article•10.1145/3098954.3103166•
Anomaly Detection for Simulated IEC-60870-5-104 Trafiic

Ersi Hodo¹, Stepan Grebeniuk¹, Henri Ruotsalainen¹, Paul Tavolato¹
St. Pölten University of Applied Sciences¹
29 Aug 2017
TL;DR: A novel machine learning based intrusion detection system targeted at automation networks of substations based on the IEC 60780-5-104 protocol, in which the monitoring of several features on multiple protocol layers enables the identification of multiple types of attacks.
Abstract: Substation security plays an important role in the delivery system of electrical energy. During the past years, there has been an increase in the number of attacks on automation systems. In spite of that, there has not been enough focus dedicated to the protection of such networks. In this paper, we introduce a novel machine learning based intrusion detection system targeted at automation networks of substations based on the IEC 60780-5-104 protocol. The novelty of our approach opposed to the state-of-the-art is the monitoring of several features on multiple protocol layers, which enables the identification of multiple types of attacks. Firstly, we simulate the communication between the substation slave and the server based on data gained from real substations and we simulate the system's behaviour under attack, too. Secondly, we observe the system's normal behavior and its behavior under the attack, in order to extract features needed for building an anomaly detection system. Lastly, based on these features we suggest an anomaly detection system for the asynchronous IEC 60870-5-104 protocol. We designed the anomaly detection model by using machine learning from the IEC 60870-5-104 protocol data acquired. The classifier with the highest performance was chosen by comparing 7 different classification algorithms: the Rule Learner classifier algorithm turned out to be the best.
Proceedings Article•10.1145/3098954.3103155•
Anomaly-Based Detection and Classification of Attacks in Cyber-Physical Systems

Philipp Kreimel, Oliver Eigner, Paul Tavolato
29 Aug 2017
TL;DR: An anomaly-based approach for detection and classification of attacks in cyber-physical systems is presented and it is shown that this approach was able to detect and classify such attacks with satisfactory accuracy.
Abstract: Cyber-physical systems are found in industrial and production systems, as well as critical infrastructures. Due to the increasing integration of IP-based technology and standard computing devices, the threat of cyber-attacks on cyber-physical systems has vastly increased. Furthermore, traditional intrusion defense strategies for IT systems are often not applicable in operational environments. In this paper we present an anomaly-based approach for detection and classification of attacks in cyber-physical systems. To test our approach, we set up a test environment with sensors, actuators and controllers widely used in industry, thus, providing system data as close as possible to reality. First, anomaly detection is used to define a model of normal system behavior by calculating outlier scores from normal system operations. This valid behavior model is then compared with new data in order to detect anomalies. Further, we trained an attack model, based on supervised attacks against the test setup, using the naive Bayes classifier. If an anomaly is detected, the classification process tries to classify the anomaly by applying the attack model and calculating prediction confidences for trained classes. To evaluate the statistical performance of our approach, we tested the model by applying an unlabeled dataset, which contains valid and anomalous data. The results show that this approach was able to detect and classify such attacks with satisfactory accuracy.
Proceedings Article•10.1145/3098954.3104056•
NEXTLEAP: Decentralizing Identity with Privacy for Secure Messaging

Harry Halpin¹
French Institute for Research in Computer Science and Automation¹
29 Aug 2017
TL;DR: The EC Project NEXTLEAP is focussed on fixing these two problems by decentralizing traditional identities onto a privacy-enhanced based blockchain that can then be used to build access control lists in a decentralized manner, similar to SDSI.
Abstract: Identity systems today link users to all of their actions and serve as centralized points of control and data collection. NEXTLEAP proposes an alternative decentralized and privacy-enhanced architecture. First, NEXTLEAP is building privacy-enhanced federated identity systems, using blind signatures based on Algebraic MACs to improve OpenID Connect. Second, secure messaging applications ranging from Signal to WhatsApp may deliver the content in an encrypted form, but they do not protect the metadata of the message and they rely on centralized servers. The EC Project NEXTLEAP is focussed on fixing these two problems by decentralizing traditional identities onto a privacy-enhanced based blockchain that can then be used to build access control lists in a decentralized manner, similar to SDSI. Furthermore, we improve on secure messaging by then using this notion of decentralized identity to build in group messaging, allowing messaging between different servers. NEXTLEAP is also working with the PANORAMIX EC project to use a generic mix networking infrastructure to hide the metadata of the messages themselves and plans to add privacy-enhanced data analytics that work in a decentralized manner.
Proceedings Article•10.1145/3098954.3103165•
Rolling DICE: Lightweight Remote Attestation for COTS IoT Hardware

Lukas Jäger¹, Richard Petri¹, Andreas Fuchs¹
Fraunhofer Society¹
29 Aug 2017
TL;DR: The goal is to show how DICE-based approaches can be mapped to existing hardware and how a more secure IoT environment can be established on already deployed devices without changes to the hardware.
Abstract: The specification Device Identity Composition Engine (DICE) provides a novel basis for remote attestations specifically suitable in the IoT context. Its purpose is to provide means for remote attestations to devices that are too size-, cost-, energy- or otherwise constrained to have Trusted Platform Module attached. This paper gives a short explanation of DICE and compares different approaches for building up a remote attestation protocol based on it, using symmetric and asymmetric cryptography. Based on this comparison a symmetric attestation protocol is proposed for most resource constrained devices and its implications for attestation servers are discussed. Furthermore a feasibility study is conducted mapping the DICE and the proposed DICE-based attestation approach to commercial off-the-shelf (COTS) hardware -- namely Arduino Uno in this case -- and measurement of the code size, binary size and added computational requirements is provided. The security of the mapping approach is evaluated and its advantages and pitfalls are demonstrated. The goal is to show how DICE-based approaches can be mapped to existing hardware and how a more secure IoT environment can be established on already deployed devices without changes to the hardware.
Proceedings Article•10.1145/3098954.3098976•
M2M-REP: Reputation of Machines in the Internet of Things

[...]

Muhammad Ajmal Azad1, Samiran Bag1, Feng Hao1•
Newcastle University1
29 Aug 2017
TL;DR: A novel M2M-REP (Machine to Machine Reputation) system that computes global reputation of the machine by aggregating the encrypted local feedback provided by machines in a fully decentralized and secure way is presented.
Abstract: The Internet of Things (IoT) is the integration of a large number of autonomous heterogeneous devices that report information from the physical environment to the monitoring system for analytics and meaningful decisions. The compromised machines in the IoT network may not only be used for spreading unwanted content such as spam, malware, viruses etc, but can also report incorrect information about the physical world that might have a disastrous consequence. The challenge is to design a collaborative reputation system that calculates trustworthiness of machines in the IoT-based machine-to-machine network without consuming high system resources and breaching the privacy of participants. To address the challenge of privacy preserving reputation system for the decentralized IoT environment, this paper presents a novel M2M-REP (Machine to Machine Reputation) system that computes global reputation of the machine by aggregating the encrypted local feedback provided by machines in a fully decentralized and secure way. The privacy of participating machines is well protected such that machines or analyst would not learn any information about the feedback score provided by the participating machines other than the final aggregated statistical score. We present a decentralized reputation aggregation system for two scenarios: a semi-honest (honest-but-curious) setup where machines are trustworthy in providing feedback but are curious to learn sensitive information about the collaborating machines, and the malicious model where machines not only try to learn the sensitive information of participants but also do not follow the protocol specification in providing feedback. We analyzed the security and privacy properties of the M2M-REP system for different adversarial models.
Proceedings Article•10.1145/3098954.3104054•
Towards a Model of User-centered Privacy Preservation

[...]

Paul Grace1, Mike Surridge1•
University of Southampton1
29 Aug 2017
TL;DR: A model of user-centered privacy that can be used to analyse a service's behaviour against user preferences, such that a user can be informed of the privacy implications of that service and what fine-grained actions they can take to maintain their privacy is presented.
Abstract: The growth in cloud-based services tailored for users means more and more personal data is being exploited, and with this comes the need to better handle user privacy. Software technologies concentrating on privacy preservation typically present a one-size fits all solution. However, users have different viewpoints of what privacy means to them and therefore, configurable and dynamic privacy preserving solutions have the potential to create useful and tailored services without breaching any user's privacy. In this paper, we present a model of user-centered privacy that can be used to analyse a service's behaviour against user preferences, such that a user can be informed of the privacy implications of that service and what fine-grained actions they can take to maintain their privacy. We show through study that the user-based privacy model can: i) provide customizable privacy aligned with user needs; and ii) identify potential privacy breaches.
Proceedings Article•10.1145/3098954.3098989•
Secure Matrix Multiplication with MapReduce

[...]

Xavier Bultel1, Radu Ciucanu1, Matthieu Giraud1, Pascal Lafourcade1•
University of Auvergne1
29 Aug 2017
TL;DR: This work focuses on the fundamental problem of matrix multiplication, and addresses the inherent security and privacy concerns that occur when outsourcing to a public cloud, and develops two different approaches called Secure-Private and Collision-Resistant-Secure-Private.
Abstract: The MapReduce programming paradigm allows to process big data sets in parallel on a large cluster of commodity machines. The MapReduce users often outsource their data and computations to a public cloud provider. We focus on the fundamental problem of matrix multiplication, and address the inherent security and privacy concerns that occur when outsourcing to a public cloud. Our goal is to enhance the two state-of-the-art algorithms for MapReduce matrix multiplication with privacy guarantees such as: none of the nodes storing an input matrix can learn the other input matrix or the output matrix, and moreover, none of the nodes computing an intermediate result can learn the input or the output matrices. To achieve our goal, we rely on the well-known Paillier's cryptosystem and we use its partially homomorphic property to develop efficient algorithms that satisfy our problem statement. We develop two different approaches called Secure-Private (SP) and Collision-Resistant-Secure-Private (CRSP), and compare their trade-offs with respect to three fundamental criteria: computation cost, communication cost, and privacy guarantees. Finally, we give security proofs of our protocols.
Proceedings Article•10.1145/3098954.3098975•
Lightweight Address Hopping for Defending the IPv6 IoT

[...]

Aljosha Judmayer, Johanna Ullrich, Georg Merzdovnik, Artemios G. Voyiatzis, Edgar Weippl 
29 Aug 2017
TL;DR: 6HOP is lightweight in operation, requires minimal administration overhead, and defends against reconnaissance attacks, address based correlation as well as denial-of-service attacks, and exploits the ample address space available in IPv6 networks.
Abstract: The rapid deployment of IoT systems on the public Internet is not without concerns for the security and privacy of consumers. Security in IoT systems is often poorly engineered and engineering for privacy does not seem to be a concern for vendors at all. The combination of poor security hygiene and access to valuable knowledge renders IoT systems a much-sought target for attacks. IoT systems are not only Internet-accessible but also play the role of servers according to the established client-server communication model and are thus configured with static and/or easily predictable IPv6 addresses, rendering them an easy target for attacks. We present 6HOP, a novel addressing scheme for IoT devices. Our proposal is lightweight in operation, requires minimal administration overhead, and defends against reconnaissance attacks, address based correlation as well as denial-of-service attacks. 6HOP therefore exploits the ample address space available in IPv6 networks and provides effective protection this way.
Proceedings Article•10.1145/3098954.3104061•
Towards the Adoption of Secure Cloud Identity Services

[...]

Alexandros Kostopoulos, Evangelos Sfakianakis, Ioannis P. Chochliouros, John Sören Pettersson1, Stephan Krenn2, Welderufael B. Tesfay3, Andrea Migliavacca, Felix Hörandner4 •
Karlstad University1, Austrian Institute of Technology2, Goethe University Frankfurt3, Graz University of Technology4
29 Aug 2017
TL;DR: This paper elaborates on the functionality of CREDENTIAL, the services implementing these functions, and the physical architecture needed to deploy such services, and investigates factors from related research that could be used to facilitate CREDENTIAL's adoption.
Abstract: Enhancing trust among service providers and end-users with respect to data protection is an urgent matter in the growing information society. In response, CREDENTIAL proposes an innovative cloud-based service for storing, managing, and sharing of digital identity information and other highly critical personal data with a demonstrably higher level of security than other current solutions. CREDENTIAL enables end-to-end confidentiality and authenticity as well as improved privacy in cloud-based identity management and data sharing scenarios. In this paper, besides clarifying the vision and use cases, we focus on the adoption of CREDENTIAL. Firstly, for adoption by providers, we elaborate on the functionality of CREDENTIAL, the services implementing these functions, and the physical architecture needed to deploy such services. Secondly, we investigate factors from related research that could be used to facilitate CREDENTIAL's adoption and list key benefits as convincing arguments.
Proceedings Article•10.1145/3098954.3098960•
A Holistic Approach for Privacy Protection in E-Government

[...]

Konstantinos Angelopoulos1, Vasiliki Diamantopoulou1, Haralambos Mouratidis1, Michalis Pavlidis1, Mattia Salnitri2, Paolo Giorgini2, Jose Fran. Ruiz3 •
University of Brighton1, University of Trento2, Atos3
29 Aug 2017
TL;DR: The VisiOn (Visual Privacy Management in User Centric Open Requirements) platform is presented, an outcome of a H2020 European Project, to enable Public Administrations to analyse privacy and security from different perspectives, including requirements, threats, trust and law compliance.
Abstract: Improving e-government services by using data more effectively is a major focus globally. It requires Public Administrations to be transparent, accountable and provide trustworthy services that improve citizen confidence. However, despite all the technological advantages on developing such services and analysing security and privacy concerns, the literature does not provide evidence of frameworks and platforms that enable privacy analysis, from multiple perspectives, and take into account citizens' needs with regards to transparency and usage of citizens information. This paper presents the VisiOn (Visual Privacy Management in User Centric Open Requirements) platform, an outcome of a H2020 European Project. Our objective is to enable Public Administrations to analyse privacy and security from different perspectives, including requirements, threats, trust and law compliance. Finally, our platform-supported approach introduces the concept of Privacy Level Agreement (PLA) which allows Public Administrations to customise their privacy policies based on the privacy preferences of each citizen.
Proceedings Article•10.1145/3098954.3107009•
JSDES: An Automated De-Obfuscation System for Malicious JavaScript

[...]

Moataz AbdelKhalek1, Ahmed F. Shosha1•
Nile University1
29 Aug 2017
TL;DR: An enhanced system is proposed to automate the process of de-obfuscating malicious JavaScript code and a set of improvements to the currently used malware detection techniques is proposed.
Abstract: Malicious scripts used in web-based attacks have recently been reported as one of the top internet security threats. However, anti-malware solutions develop and integrate various techniques to defend against malicious scripts, attackers have been increasingly applying different counter techniques to hide their malicious intents and evade detection. One of the most popular techniques used is code obfuscation. In this research, an enhanced system is proposed to automate the process of de-obfuscating malicious JavaScript code. The proposed system was tested on real-world malicious JavaScript samples. Based on the analysis results, the cause of popularity of certain obfuscation techniques is identified. In addition, a set of improvements to the currently used malware detection techniques is proposed.
Proceedings Article•10.1145/3098954.3107008•
Popularity-based Detection of Domain Generation Algorithms

[...]

Jasper Abbink1, Christian Doerr1•
Delft University of Technology1
29 Aug 2017
TL;DR: It is found that the performance of state-of-the-art solutions that rely on linguistic feature detection would significantly decline after this transition, and an alternative novel approach to detect DGAs is discussed without making any assumptions on the internal structure and generating patterns of these algorithms.
Abstract: In order to stay undetected and keep their operations alive, cyber criminals are continuously evolving their methods to stay ahead of current best defense practices. Over the past decade, botnets have developed from using statically hardcoded IP addresses and domain names to randomly-generated ones, so-called domain generation algorithms (DGA). Malicious software coordinated via DGAs leaves however a distinctive signature in network traces of high entropy domain names, and a variety of algorithms have been introduced to detect certain aspects about currently used DGAs. In this paper, we look ahead and evaluate the utility of today's detection mechanisms if botnets make the next obvious evolutionary step, and replace domain names generated from random letters with randomly selected, but actual dictionary words. We find that the performance of state-of-the-art solutions that rely on linguistic feature detection would significantly decline after this transition, and discuss an alternative novel approach to detect DGAs without making any assumptions on the internal structure and generating patterns of these algorithms.
Proceedings Article•10.1145/3098954.3105820•
Integrating Reactive Cloud Applications in SERECA

[...]

Christof Fetzer1, Giovanni Mazzeo2, John Oliver, Luigi Romano2, Martijn Verburg •
Dresden University of Technology1, University of Naples Federico II2
29 Aug 2017
TL;DR: This paper leveraged the new extension of Intel's CPU, namely Software Guard eXtension (SGX), to enhance the security of applications using Eclipse Vert.x, the tool-kit for building reactive cloud applications.
Abstract: A consolidated trend in designing cloud-based applications is to make use of a reactive microservice architecture, which allows to divide an application in several well-partitioned software units with specific responsibilities. Such an architecture perfectly fits in cloud environments, ensuring a number of advantages (i.e., high availability and scalability, ease of deployment and development). However, the new way of designing cloud applications introduces challenging security threats. Besides the difficulty in monitoring security of the overall distributed application, an important aspect of concern relates to the risk of breaking the chain of trust established among the different microservices belonging to the application. That is, a compromised single microservice may bring down the other related ones. In this paper, we present the approach pursued in the context of SERECA project to secure microservice based applications. We leveraged the new extension of Intel's CPU, namely Software Guard eXtension (SGX), to enhance the security of applications using Eclipse Vert.x, the tool-kit for building reactive cloud applications. We developed an infrastructure composed by several SGX-enabled facilities (e.g. Database, Containers, Coordination Services) to support the process of integration between Intel SGX and micro-service applications. Our platform has been, then, validated through two use cases that made use of the developed secure facilities, i.e., a Critical Infrastructure (CI) monitoring application - having strong requirements in terms of data integrity - and an application for performance analysis of cloud-based services where the confidentiality of data is of main interest.
Proceedings Article•10.1145/3098954.3106067•
Are Network Covert Timing Channels Statistical Anomalies

[...]

Félix Iglesias1, Tanja Zseby1•
Vienna University of Technology1
29 Aug 2017
TL;DR: Findings reveal that facing the detection of novel (and classic) covert timing channels from an anomaly-detection perspective will probably fail or not suffice; instead, they must be identified based on the similarity to known schemes, using supervised and semi-supervised approaches.
Abstract: Covert channels exploit communication protocols to clandestinely transfer information. They enable criminals to hide malicious activities and can be used for secret data exfiltration, malware spreading or for the stealthy establishment of command and control structures. In this paper we study covert timing channels from a statistical perspective and investigate whether they can be identified as anomalies with unsupervised learning methods. We use a testbed to generate covert timing channels based on seven popular techniques and inject them in real captured traffic. Final datasets are analyzed with diverse outlier detection and classification algorithms. Our results show that, based on their statistical properties, covert channels do not occupy low density regions or take extreme values in the problem space, and therefore are not detectable as strong anomalies. However, they present traceable profiles that can be abstracted by supervised learning models. Such findings reveal that facing the detection of novel (and classic) covert timing channels from an anomaly-detection perspective will probably fail or not suffice; instead, they must be identified based on the similarity to known schemes, using supervised and semi-supervised approaches.
...
