In this contemporary era internet of things are used in every realm of life. Recent software’s (e.g., vehicle networking, smart grid, and wearable) are established in result of its use: furthermore, as development, consolidation, and revolution of varied ancient areas (e.g., medical and automotive). The number of devices connected in conjunction with the ad-hoc nature of the system any exacerbates the case. Therefore, security and privacy has emerged as a big challenge for the IoT. This paper provides an outline of IoT security attacks on Three-Layer Architecture: Three-layer such as application layer, network layer, perception layer/physical layer and attacks that are associated with these layers will be discussed. Moreover, this paper will provide some possible solution mechanisms for such attacks. The aim is to produce a radical survey associated with the privacy and security challenges of the IoT. This paper addresses these challenges from the attitude of technologies and design used. The objective of this paper is to rendering possible solution for various attacks on different layers of IoT architecture. It also presents comparison based on reviewing multiple solutions and defines the best one solution for a specific attack on particular layer.
{"title":"A Systemic Security and Privacy Review: Attacks and Prevention Mechanisms over IOT Layers","authors":"M. Akhtar, Tao Feng","doi":"10.4108/eetss.v8i30.590","DOIUrl":"https://doi.org/10.4108/eetss.v8i30.590","url":null,"abstract":"In this contemporary era internet of things are used in every realm of life. Recent software’s (e.g., vehicle networking, smart grid, and wearable) are established in result of its use: furthermore, as development, consolidation, and revolution of varied ancient areas (e.g., medical and automotive). The number of devices connected in conjunction with the ad-hoc nature of the system any exacerbates the case. Therefore, security and privacy has emerged as a big challenge for the IoT. This paper provides an outline of IoT security attacks on Three-Layer Architecture: Three-layer such as application layer, network layer, perception layer/physical layer and attacks that are associated with these layers will be discussed. Moreover, this paper will provide some possible solution mechanisms for such attacks. The aim is to produce a radical survey associated with the privacy and security challenges of the IoT. This paper addresses these challenges from the attitude of technologies and design used. The objective of this paper is to rendering possible solution for various attacks on different layers of IoT architecture. It also presents comparison based on reviewing multiple solutions and defines the best one solution for a specific attack on particular layer.","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"37 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114982540","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Many techniques have been proposed to harden programs with protection mechanisms to defend against vulnerability exploits. Unfortunately the vast majority of them cannot be applied to closed source software because they require access to program source code. This paper presents our work on automatically hardening binary code with security workarounds, a protection mechanism that prevents vulnerabilities from being triggered by disabling vulnerable code. By working solely with binary code, our approach is applicable to closed source software. To automatically synthesize security workarounds, we develop binary program analysis techniques to identify existing error handling code in binary code, synthesize security workarounds in the form of binary code, and instrument security workarounds into binary programs. We designed and implemented a prototype or our approach for Windows and Linux binary programs. Our evaluation shows that our approach can apply security workarounds to an average of 69.3% of program code and the security workarounds successfully prevents exploits to trigger real-world vulnerabilities.
{"title":"Mitigating Vulnerabilities in Closed Source Software","authors":"Zhen Huang, Gang Tan, Xiaowei Yu","doi":"10.4108/eetss.v8i30.253","DOIUrl":"https://doi.org/10.4108/eetss.v8i30.253","url":null,"abstract":"Many techniques have been proposed to harden programs with protection mechanisms to defend against vulnerability exploits. Unfortunately the vast majority of them cannot be applied to closed source software because they require access to program source code. This paper presents our work on automatically hardening binary code with security workarounds, a protection mechanism that prevents vulnerabilities from being triggered by disabling vulnerable code. By working solely with binary code, our approach is applicable to closed source software. To automatically synthesize security workarounds, we develop binary program analysis techniques to identify existing error handling code in binary code, synthesize security workarounds in the form of binary code, and instrument security workarounds into binary programs. We designed and implemented a prototype or our approach for Windows and Linux binary programs. Our evaluation shows that our approach can apply security workarounds to an average of 69.3% of program code and the security workarounds successfully prevents exploits to trigger real-world vulnerabilities.","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"50 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114933505","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-02-08DOI: 10.4108/eai.8-2-2022.173334
Anne Wagner, Anna M Bakas, S. Kennison, Eric Chan-Tin
People have many accounts and usually need to create a password for each. They tend to create insecure passwords and re-use passwords, which can lead to compromised data. This research examines if there is a link between personality type and password security among a variety of participants in two groups of participants: SONA and MTurk. Each participant in both surveys answered questions based on password security and their personality type. Our results show that participants in the MTurk survey were more likely to choose a strong password and to exhibit better security behaviors and knowledge than participants in the SONA survey. This is mostly attributed to the age di ff erence. However, the distribution of the results was similar for both MTurk and SONA. In the second part of our study, we found that security behaviors actually went down – this could be due to the pandemic or indicative of a need for more regular messaging/training.
{"title":"Comparing Online Surveys for Cybersecurity: SONA and MTurk","authors":"Anne Wagner, Anna M Bakas, S. Kennison, Eric Chan-Tin","doi":"10.4108/eai.8-2-2022.173334","DOIUrl":"https://doi.org/10.4108/eai.8-2-2022.173334","url":null,"abstract":"People have many accounts and usually need to create a password for each. They tend to create insecure passwords and re-use passwords, which can lead to compromised data. This research examines if there is a link between personality type and password security among a variety of participants in two groups of participants: SONA and MTurk. Each participant in both surveys answered questions based on password security and their personality type. Our results show that participants in the MTurk survey were more likely to choose a strong password and to exhibit better security behaviors and knowledge than participants in the SONA survey. This is mostly attributed to the age di ff erence. However, the distribution of the results was similar for both MTurk and SONA. In the second part of our study, we found that security behaviors actually went down – this could be due to the pandemic or indicative of a need for more regular messaging/training.","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"22 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-02-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123860389","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-01-25DOI: 10.4108/eai.25-1-2022.172997
Adeel A. Malik, Deepak K. Tosh
Cyberspace is growing at full tilt creating an amalgamation of disparate systems. This heterogeneity leads to increased system complexity and security flaws. It is crucial to understand and identify these flaws to prevent catastrophic events. However, the current state-of-the-art solutions are threat-specific and focus on either risk, vulnerabilities, or adversary emulation. In this work, we present a scalable Cyber-threats and Vulnerability Information Analyzer (CyVIA) framework. CyVIA analyzes cyber risks and abnormalities in real-time using multi-formatted knowledge bases derived from open-source vulnerability databases. CyVIA achieves the following goals: 1) assess the target network for risk and vulnerabilities, 2) map services and policies to network nodes, 3) classify nodes based on severity, and 4) provide consequences, mitigation, and relationships for the found vulnerabilities. We use CyVIA and other tools to examine a simulated network for threats and compare the results.
{"title":"Dynamic Risk Assessment and Analysis Framework for Large-Scale Cyber-Physical Systems","authors":"Adeel A. Malik, Deepak K. Tosh","doi":"10.4108/eai.25-1-2022.172997","DOIUrl":"https://doi.org/10.4108/eai.25-1-2022.172997","url":null,"abstract":"Cyberspace is growing at full tilt creating an amalgamation of disparate systems. This heterogeneity leads to increased system complexity and security flaws. It is crucial to understand and identify these flaws to prevent catastrophic events. However, the current state-of-the-art solutions are threat-specific and focus on either risk, vulnerabilities, or adversary emulation. In this work, we present a scalable Cyber-threats and Vulnerability Information Analyzer (CyVIA) framework. CyVIA analyzes cyber risks and abnormalities in real-time using multi-formatted knowledge bases derived from open-source vulnerability databases. CyVIA achieves the following goals: 1) assess the target network for risk and vulnerabilities, 2) map services and policies to network nodes, 3) classify nodes based on severity, and 4) provide consequences, mitigation, and relationships for the found vulnerabilities. We use CyVIA and other tools to examine a simulated network for threats and compare the results.","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-01-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123590288","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-12-21DOI: 10.4108/eai.21-12-2021.172440
Yang Lu, Shujun Li, A. Freitas, A. Ioannou
INTRODUCTION: Many online services use data-sharing nudges to solicit personal data from their customers for personalized services. OBJECTIVES: This study aims to study people’s privacy preferences in sharing di ff erent types of personal data under di ff erent nudging conditions, how digital nudging can change their data sharing willingness, and if people’s data sharing preferences can be predicted using their responses to a questionnaire. METHODS: This paper reports a machine learning-based analysis on people’s privacy preference patterns under four di ff erent data-sharing nudging conditions (without nudging, monetary incentives, non-monetary incentives, and privacy assurance). The analysis is based on data collected from 685 UK residents who participated in a panel survey. Their self-reported willingness levels towards sharing 23 di ff erent types of personal data were analyzed by using both unsupervised (clustering) and supervised (classification) machine learning algorithms. RESULTS: The results led to a better understanding of people’s privacy preference patterns across di ff erent data-sharing nudging conditions, e.g., our participants’ preferences are distributed in a space of 48 possible profiles more sparsely than we expected, and the unexpected observation that all the three data-sharing nudging strategies led to an overall negative e ff ect: they led to a reduced level of self-reported willingness for more participants, comparing with the case of no nudging at all. Our experiments with supervised machine learning models also showed that people’s privacy (data-sharing) preference profiles can be automatically predicted with a good accuracy, even when a small questionnaire with just seven questions is used. CONCLUSION: Our work revealed a more complicated structure of people’s privacy preference profiles, which have some dependencies on the type of data nudging and the type of personal data shared. Such complicated privacy preference profiles can be e ff ectively analyzed using machine learning methods, including automatic prediction based on a small questionnaire. The negative results on the overall e ff ect of di ff erent data-sharing nudges imply that service providers should consider if and how to use such mechanisms to incentivise their consumers to share personal data. We believe that more consumer-centric and transparent methods and tools should be used to help improve trust between consumers and service providers.
{"title":"How data-sharing nudges influence people's privacy preferences: A machine learning-based analysis","authors":"Yang Lu, Shujun Li, A. Freitas, A. Ioannou","doi":"10.4108/eai.21-12-2021.172440","DOIUrl":"https://doi.org/10.4108/eai.21-12-2021.172440","url":null,"abstract":"INTRODUCTION: Many online services use data-sharing nudges to solicit personal data from their customers for personalized services. OBJECTIVES: This study aims to study people’s privacy preferences in sharing di ff erent types of personal data under di ff erent nudging conditions, how digital nudging can change their data sharing willingness, and if people’s data sharing preferences can be predicted using their responses to a questionnaire. METHODS: This paper reports a machine learning-based analysis on people’s privacy preference patterns under four di ff erent data-sharing nudging conditions (without nudging, monetary incentives, non-monetary incentives, and privacy assurance). The analysis is based on data collected from 685 UK residents who participated in a panel survey. Their self-reported willingness levels towards sharing 23 di ff erent types of personal data were analyzed by using both unsupervised (clustering) and supervised (classification) machine learning algorithms. RESULTS: The results led to a better understanding of people’s privacy preference patterns across di ff erent data-sharing nudging conditions, e.g., our participants’ preferences are distributed in a space of 48 possible profiles more sparsely than we expected, and the unexpected observation that all the three data-sharing nudging strategies led to an overall negative e ff ect: they led to a reduced level of self-reported willingness for more participants, comparing with the case of no nudging at all. Our experiments with supervised machine learning models also showed that people’s privacy (data-sharing) preference profiles can be automatically predicted with a good accuracy, even when a small questionnaire with just seven questions is used. CONCLUSION: Our work revealed a more complicated structure of people’s privacy preference profiles, which have some dependencies on the type of data nudging and the type of personal data shared. Such complicated privacy preference profiles can be e ff ectively analyzed using machine learning methods, including automatic prediction based on a small questionnaire. The negative results on the overall e ff ect of di ff erent data-sharing nudges imply that service providers should consider if and how to use such mechanisms to incentivise their consumers to share personal data. We believe that more consumer-centric and transparent methods and tools should be used to help improve trust between consumers and service providers.","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131810706","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-10-21DOI: 10.4108/eai.21-10-2021.171595
Zezhang Yang, Jian Li, Ping Yang
With the proliferation of mobile devices and smart cameras, detecting anomalies and predicting their mobility are critical for enhancing safety in ubiquitous computing systems. Due to data privacy regulations and limited communication bandwidth, it is infeasible to collect, transmit, and store all data from mobile devices at a central location. To overcome this challenge, we propose FedADMP, a federated learning based joint Anomaly Detection and Mobility Prediction framework. FedADMP adaptively splits the training process between the server and clients to reduce computation loads on clients. To protect the privacy of user data, clients in FedADMP upload only intermediate model parameters to the cloud server. We also develop a di ff erential privacy method to prevent the cloud server and external attackers from inferring private information during the model upload procedure. Extensive experiments using real-world datasets show that FedADMP consistently outperforms existing methods.
{"title":"FedADMP: A Joint Anomaly Detection and Mobility Prediction Framework via Federated Learning","authors":"Zezhang Yang, Jian Li, Ping Yang","doi":"10.4108/eai.21-10-2021.171595","DOIUrl":"https://doi.org/10.4108/eai.21-10-2021.171595","url":null,"abstract":"With the proliferation of mobile devices and smart cameras, detecting anomalies and predicting their mobility are critical for enhancing safety in ubiquitous computing systems. Due to data privacy regulations and limited communication bandwidth, it is infeasible to collect, transmit, and store all data from mobile devices at a central location. To overcome this challenge, we propose FedADMP, a federated learning based joint Anomaly Detection and Mobility Prediction framework. FedADMP adaptively splits the training process between the server and clients to reduce computation loads on clients. To protect the privacy of user data, clients in FedADMP upload only intermediate model parameters to the cloud server. We also develop a di ff erential privacy method to prevent the cloud server and external attackers from inferring private information during the model upload procedure. Extensive experiments using real-world datasets show that FedADMP consistently outperforms existing methods.","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"9 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-10-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116761013","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-09-10DOI: 10.4108/eai.10-9-2021.170949
Kamrul Hasan, S. Shetty, Sharif Ullah, Amin Hassanzadeh, T. Islam
A prioritized cyber defense remediation plan is critical for effective risk management in Energy Delivery System (EDS). Due to the complexity of EDS in terms of heterogeneous nature blending Information Technology (IT) and Operation Technology (OT) and Industrial Control System (ICS), scale and critical processes tasks, prioritized remediations should be applied gradually to protect critical assets. In this work, we propose a methodology for a prioritized cyber risk remediation plan by detecting and evaluating paths to critical nodes in EDS. We propose critical nodes characteristics evaluation based on nodes’ architectural positions, a measure of centrality based on nodes’ connectivity and frequency of network traffic, as well as the controlled amount of physical loads. The paper also examines the relationship between cost models of budget allocation for the removal of vulnerabilities on critical nodes and its impact on gradual readiness. Received on 15 June 2021; accepted on 01 September 2021; published on 10 September 2021
{"title":"Criticality based Optimal Cyber Defense Remediation in Energy Delivery Systems","authors":"Kamrul Hasan, S. Shetty, Sharif Ullah, Amin Hassanzadeh, T. Islam","doi":"10.4108/eai.10-9-2021.170949","DOIUrl":"https://doi.org/10.4108/eai.10-9-2021.170949","url":null,"abstract":"A prioritized cyber defense remediation plan is critical for effective risk management in Energy Delivery System (EDS). Due to the complexity of EDS in terms of heterogeneous nature blending Information Technology (IT) and Operation Technology (OT) and Industrial Control System (ICS), scale and critical processes tasks, prioritized remediations should be applied gradually to protect critical assets. In this work, we propose a methodology for a prioritized cyber risk remediation plan by detecting and evaluating paths to critical nodes in EDS. We propose critical nodes characteristics evaluation based on nodes’ architectural positions, a measure of centrality based on nodes’ connectivity and frequency of network traffic, as well as the controlled amount of physical loads. The paper also examines the relationship between cost models of budget allocation for the removal of vulnerabilities on critical nodes and its impact on gradual readiness. Received on 15 June 2021; accepted on 01 September 2021; published on 10 September 2021","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"173 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132172475","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-09-10DOI: 10.4108/eai.10-9-2021.170948
M. Rahman, Amarjit Datta, E. Al-Shaer
An Advanced Metering Infrastructure (AMI) comprises a large number of smart meters along with heterogeneous cyber-physical components that are interconnected through di ff erent communication media, protocols, and delivery modes for transmitting usage reports or control commands between meters and the utility. Due to misconfigurations or lack of security controls, there can be operational disruptions leading to economic damage in an AMI. Therefore, the resiliency of an AMI is crucial. In this paper, we present an automated configuration synthesis framework that mitigates potential threats by eliminating misconfigurations and keeps the damage limited under contingencies by introducing robustness. We formally model AMI configurations, including operational integrity and robustness properties considering the interdependencies among AMI devices’ configurations, attacks or failures, and resiliency guidelines. We implement the model using Satisfiability Modulo Theories (SMT) and demonstrate its execution on an example case study that illustrates the synthesis of AMI configurations satisfying resiliency requirements. We also evaluate the framework on synthetic AMI networks.
{"title":"Automated Configuration Synthesis for Resilient Smart Metering Infrastructure","authors":"M. Rahman, Amarjit Datta, E. Al-Shaer","doi":"10.4108/eai.10-9-2021.170948","DOIUrl":"https://doi.org/10.4108/eai.10-9-2021.170948","url":null,"abstract":"An Advanced Metering Infrastructure (AMI) comprises a large number of smart meters along with heterogeneous cyber-physical components that are interconnected through di ff erent communication media, protocols, and delivery modes for transmitting usage reports or control commands between meters and the utility. Due to misconfigurations or lack of security controls, there can be operational disruptions leading to economic damage in an AMI. Therefore, the resiliency of an AMI is crucial. In this paper, we present an automated configuration synthesis framework that mitigates potential threats by eliminating misconfigurations and keeps the damage limited under contingencies by introducing robustness. We formally model AMI configurations, including operational integrity and robustness properties considering the interdependencies among AMI devices’ configurations, attacks or failures, and resiliency guidelines. We implement the model using Satisfiability Modulo Theories (SMT) and demonstrate its execution on an example case study that illustrates the synthesis of AMI configurations satisfying resiliency requirements. We also evaluate the framework on synthetic AMI networks.","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131875861","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-07-14DOI: 10.4108/EAI.14-7-2021.170295
Zheyuan Liu, Rui Zhang
Collaborative machine learning is a promising paradigm that allows multiple participants to jointly train a machine learning model without exposing their private datasets to other parties. Although collaborative machine learning is more privacy-friendly compared with conventional machine learning methods, the intermediate model parameters exchanged among different participants in the training process may still reveal sensitive information about participants’ local datasets. In this paper, we introduce a novel privacypreserving collaborative machine learning mechanism by utilizing two non-colluding servers to perform secure aggregation of the intermediate parameters from participants. Compared with other existing solutions, our solution can achieve the same level of accuracy while incurring significantly lower computational cost. Received on 23 February 2021; accepted on 15 June 2021; published on 14 July 2021
{"title":"Privacy Preserving Collaborative Machine Learning","authors":"Zheyuan Liu, Rui Zhang","doi":"10.4108/EAI.14-7-2021.170295","DOIUrl":"https://doi.org/10.4108/EAI.14-7-2021.170295","url":null,"abstract":"Collaborative machine learning is a promising paradigm that allows multiple participants to jointly train a machine learning model without exposing their private datasets to other parties. Although collaborative machine learning is more privacy-friendly compared with conventional machine learning methods, the intermediate model parameters exchanged among different participants in the training process may still reveal sensitive information about participants’ local datasets. In this paper, we introduce a novel privacypreserving collaborative machine learning mechanism by utilizing two non-colluding servers to perform secure aggregation of the intermediate parameters from participants. Compared with other existing solutions, our solution can achieve the same level of accuracy while incurring significantly lower computational cost. Received on 23 February 2021; accepted on 15 June 2021; published on 14 July 2021","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-07-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114425097","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-06-02DOI: 10.4108/EAI.2-6-2021.170013
Hong Liu, Eugene Y. Vasserman
Verifying software integrity for embedded systems, especially legacy and deployed systems, is very challenging. Ordinary integrity protection and verification methods rely on sophisticated processors or security hardware, and cannot be applied to many embedded systems due to cost, energy consumption, and inability of update. Furthermore, embedded systems are often small computers on a single chip, making it more difficult to verify integrity without invasive access to the hardware. In this work, we propose “side-channel programming”, a novel method to assist with non-intrusive software integrity checking by transforming code in a functionality-preserving manner while making it possible to verify the internal state of a running device via side-channels. To do so, we first need to accurately profile the side-channel emanations of an embedded device. Using new black-box side-channel profiling techniques, we show that it is possible to build accurate side-channel models of a PIC microcontroller with no prior knowledge of the detailed microcontroller architecture. It even allows us to uncover undocumented behavior of the microcontroller. Then we show how to “side-channel program” the target device in a way that we can verify its internal state from simply measuring the passive side-channel emanations. Received on 23 March 2021; accepted on 27 May 2021; published on 02 June 2021
{"title":"Side-channel Programming for Software Integrity Checking","authors":"Hong Liu, Eugene Y. Vasserman","doi":"10.4108/EAI.2-6-2021.170013","DOIUrl":"https://doi.org/10.4108/EAI.2-6-2021.170013","url":null,"abstract":"Verifying software integrity for embedded systems, especially legacy and deployed systems, is very challenging. Ordinary integrity protection and verification methods rely on sophisticated processors or security hardware, and cannot be applied to many embedded systems due to cost, energy consumption, and inability of update. Furthermore, embedded systems are often small computers on a single chip, making it more difficult to verify integrity without invasive access to the hardware. In this work, we propose “side-channel programming”, a novel method to assist with non-intrusive software integrity checking by transforming code in a functionality-preserving manner while making it possible to verify the internal state of a running device via side-channels. To do so, we first need to accurately profile the side-channel emanations of an embedded device. Using new black-box side-channel profiling techniques, we show that it is possible to build accurate side-channel models of a PIC microcontroller with no prior knowledge of the detailed microcontroller architecture. It even allows us to uncover undocumented behavior of the microcontroller. Then we show how to “side-channel program” the target device in a way that we can verify its internal state from simply measuring the passive side-channel emanations. Received on 23 March 2021; accepted on 27 May 2021; published on 02 June 2021","PeriodicalId":335727,"journal":{"name":"EAI Endorsed Trans. Security Safety","volume":"3 8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2021-06-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127265236","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: