| 1. |
- Lundberg, Hampus, et al.
(författare)
-
Experimental Analysis of Trustworthy In-Vehicle Intrusion Detection System Using eXplainable Artificial Intelligence (XAI)
- 2022
-
Ingår i: IEEE Access. - : Institute of Electrical and Electronics Engineers Inc.. - 2169-3536. ; 10, s. 102831-102841
-
Tidskriftsartikel (refereegranskat)abstract
- Anomaly-based In-Vehicle Intrusion Detection System (IV-IDS) is one of the protection mechanisms to detect cyber attacks on automotive vehicles. Using artificial intelligence (AI) for anomaly detection to thwart cyber attacks is promising but suffers from generating false alarms and making decisions that are hard to interpret. Consequently, this issue leads to uncertainty and distrust towards such IDS design unless it can explain its behavior, e.g., by using eXplainable AI (XAI). In this paper, we consider the XAI-powered design of such an IV-IDS using CAN bus data from a public dataset, named 'Survival'. Novel features are engineered, and a Deep Neural Network (DNN) is trained over the dataset. A visualization-based explanation, 'VisExp', is created to explain the behavior of the AI-based IV-IDS, which is evaluated by experts in a survey, in relation to a rule-based explanation. Our results show that experts' trust in the AI-based IV-IDS is significantly increased when they are provided with VisExp (more so than the rule-based explanation). These findings confirm the effect, and by extension the need, of explainability in automated systems, and VisExp, being a source of increased explainability, shows promise in helping involved parties gain trust in such systems.
|
|
| 2. |
- Aslam, Mudassar, et al.
(författare)
-
FoNAC - An automated Fog Node Audit and Certification scheme
- 2020
-
Ingår i: Computers & security (Print). - : Elsevier Ltd. - 0167-4048 .- 1872-6208. ; 93
-
Tidskriftsartikel (refereegranskat)abstract
- Meeting the security and privacy needs for IoT data becomes equally important in the newly introduced intermediary Fog Computing layer, as it was in its former technological layer - Cloud; but the accomplishment of such security is critical and challenging. While security assurance of the fog layer devices is imperative due to their exposure to the public Internet, it becomes even more complex, than the cloud layer, as it involves a large number of heterogeneous devices deployed hierarchically. Manual audit and certification schemes are unsuitable for large number of fog nodes thereby inhibiting the involved stakeholders to use manual security assurance schemes altogether. However, scalable and feasible security assurance can be provided by introducing automated and continuous monitoring and auditing of fog nodes to ensure a trusted, updated and vulnerability free fog layer. This paper presents such an solution in the form of an automated Fog Node Audit and Certification scheme (FoNAC) which guarantees a secure fog layer through the proposed fog layer assurance mechanism. FoNAC leverages Trusted Platform Module (TPM 2.0) capabilities to evaluate/audit the platform integrity of the operating fog nodes and grants certificate to the individual node after a successful security audit. FoNAC security is also validated through its formal security analysis performed using AVISPA under Dolev-Yao intruder model. The security analysis of FoNAC shows its resistance against cyber-attacks like impersonation, replay attack, forgery, Denial of Service(DoS) and MITM attack.
|
|
| 3. |
- Aslam, Mudassar, et al.
(författare)
-
Security and trust preserving inter- and intra-cloud VM migrations
- 2020
-
Ingår i: International Journal of Network Management. - : John Wiley and Sons Ltd. - 1055-7148 .- 1099-1190.
-
Tidskriftsartikel (refereegranskat)abstract
- This paper focus on providing a secure and trustworthy solution for virtual machine (VM) migration within an existing cloud provider domain, and/or to the other federating cloud providers. The infrastructure-as-a-service (IaaS) cloud service model is mainly addressed to extend and complement the previous Trusted Computing techniques for secure VM launch and VM migration case. The VM migration solution proposed in this paper uses a Trust_Token based to guarantee that the user VMs can only be migrated and hosted on a trustworthy and/or compliant cloud platforms. The possibility to also check the compliance of the cloud platforms with the pre-defined baseline configurations makes our solution compatible with an existing widely accepted standards-based, security-focused cloud frameworks like FedRAMP. Our proposed solution can be used for both inter- and intra-cloud VM migrations. Different from previous schemes, our solution is not dependent on an active (on-line) trusted third party; that is, the trusted third party only performs the platform certification and is not involved in the actual VM migration process. We use the Tamarin solver to realize a formal security analysis of the proposed migration protocol and show that our protocol is safe under the Dolev-Yao intruder model. Finally, we show how our proposed mechanisms fulfill major security and trust requirements for secure VM migration in cloud environments.
|
|
| 4. |
- Figueiredo, S., et al.
(författare)
-
ARCADIAN-IoT - Enabling Autonomous Trust, Security and Privacy Management for IoT
- 2022
-
Ingår i: Lect. Notes Comput. Sci. 5th The Global IoT Summit, GIoTS 2022. Dublin 20 June 2022 through 23 June 2022. - Cham : Springer Science and Business Media Deutschland GmbH. - 9783031209352 ; , s. 348-359
-
Konferensbidrag (refereegranskat)abstract
- Cybersecurity incidents have been growing both in number and associated impact, as a result from society’s increased dependency in information and communication technologies - accelerated by the recent pandemic. In particular, IoT. technologies, which enable significant flexibility and cost-efficiency, but are also associated to more relaxed security mechanisms, have been quickly adopted across all sectors of the society, including critical infrastructures (e.g. smart grids) and services (e.g. eHealth). Gaps such as high dependence on 3rd party IT suppliers and device manufacturers increase the importance of trustworthy and secure solutions for future digital services. This paper presents ARCADIAN-IoT, a framework aimed at holistically enabling trust, security, privacy and recovery in IoT systems, and enabling a Chain of Trust between the different IoT entities (persons, objects and services). It builds on features such as federated AI for effective and privacy-preserving cybersecurity, distributed ledger technologies for decentralized management of trust, or transparent, user-controllable and decentralized privacy. © 2022, The Author(s)
|
|
| 5. |
- He, Zhitao
(författare)
-
Enabling Scalable Security in Internet of Things
- 2023
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- The popular notion of Internet of Things (IoT) implies two salient features: 1. a diversity of small things, i.e., constrained devices; 2. their seamless integration with the Internet. Pioneering work in Wireless Sensor Networks (WSNs) have laid a solid technological foundation for autonomous, low power wireless communication among battery-powered, microcontroller-based devices. On the other hand, as devices are being connected to the Internet in large numbers, industry experts and regulators have associated IoT with enormous security risk. Sensitive personal information, highly complex business workflows, and critical infrastructure for public safety are at stake. In this dissertation, we first explore the scalability of IoT. Approaching from the particular angle of radio interference, we study unstable and faulty network behavior when links between low power radios are disrupted. Our low cost and practical interference generation tools fill a gap between protocol design and test. We then underline the threat of novel attacks at the physical layer, which lead to denial of service and battery draining of low power radios. Launched from low cost hardware, the attacks we devise are power-efficient and hard to detect; and they reach longer ranges than jamming. Finally, we take a step closer to realization of secure and large-scale IoT deployment by enabling certificate enrollment, a key component in a public key infrastructure, for small devices. We show that automated enrollment of device certificates becomes feasible when a memory and power efficient IoT protocol stack is leveraged. Spanning between the physical layer and the application layer, our work has enriched the knowledge domain of IoT and advanced the technological frontier of scalable and secure IoT deployment.
|
|
| 6. |
- Hewage, Kasun
(författare)
-
Towards Secure Synchronous Communication Architectures for Wireless Networks
- 2023
-
Doktorsavhandling (övrigt vetenskapligt/konstnärligt)abstract
- The vision behind the Internet of Things (IoT) revolves around creating a connected ecosystem where devices, people, and systems collaborate seamlessly, unlocking new possibilities, improving efficiency, and enhancing our daily lives. IoT encloses many device classes, including low-power wireless devices that rely on batteries or energy harvesting. Due to the low-power nature and the instability of the wireless links, networks comprising these IoT devices are commonly known as Low-power and Lossy Networks (LLNs).Several network-wide flooding-based communication primitives that employ synchronous transmissions have emerged as an alternative to traditional multi-hop routing, thereby creating a new dimension of LLN research. While these primitives have demonstrated superior performance in terms of latency and reliability, they have received little attention regarding network security. In this dissertation, we study the effectiveness of several attacks that strive to disrupt synchronous transmission-based protocols. Based on the findings from this work, we examine the security requirements and propose encryption and lightweight flood verification methods to protect synchronous transmission-based flooding protocols from these attacks.Realising the IoT's vision demands employing well-established communication technologies like the Internet Protocol (IP) suite protocols to ensure interoperability. However, the IP suite protocols are not explicitly designed for low-power networks; hence using them in LLNs encounters numerous challenges. Some of my work included in this dissertation focuses on the performance issues of two widely used IP suite protocols: Transmission Control Protocol (TCP) and Datagram Transport Layer Security (DTLS). We propose to replace the conventional link layer protocols of the LLN stacks with a synchronous transmission-based protocol to enhance the reliability that TCP expects in lower layers, thereby improving the TCP performance. We introduce novel header compression mechanisms to reduce the size of DTLS messages without violating end-to-end security. Reducing the size of DTLS messages lowers the transmission overhead, improving its performance in LLNs.Optical Wireless Communication (OWC) is a complementary technology to radio frequency communication. Specifically, visible light communication (VLC) has proven its capability to offer higher data transfer rates, enabling faster and more efficient communication. The last work of this dissertation draws inspiration from synchronous transmissions in LLNs and presents an OWC-based time synchronisation system for high-speed VLC access points to synchronise their transmissions. This time synchronisation system has a considerably lower synchronisation jitter than the widely-used Precision Time Protocol (PTP).
|
|
| 7. |
- Hummen, Rene, et al.
(författare)
-
Towards viable certificate-based authentication for the Internet of Things
- 2013
-
Ingår i: HotWiSec 2013 - Proceedings of the 2013 ACM Workshop on Hot Topics on Wireless Network Security and Privacy. - New York, NY, USA : ACM. - 9781450320030 ; , s. 37-41
-
Konferensbidrag (refereegranskat)abstract
- The vision of the Internet of Things considers smart objects in the physical world as first-class citizens of the digital world. Especially IP technology and RESTful web services on smart objects promise simple interactions with Internet services in the Web of Things, e.g., for building automation or in e-health scenarios. Peer authentication and secure data transmission are vital aspects in many of these scenarios to prevent leakage of personal information and harmful actuating tasks. While standard security solutions exist for traditional IP networks, the constraints of smart objects demand for more lightweight security mechanisms. Thus, the use of certificates for peer authentication is predominantly considered impracticable. In this paper, we investigate if this assumption is valid. To this end, we present preliminary overhead estimates for the certificate-based DTLS handshake and argue that certificates - with improvements to the handshake - are a viable method of authentication in many network scenarios. We propose three design ideas to reduce the overheads of the DTLS handshake. These ideas are based on (i) pre-validation, (ii) session resumption, and (iii) handshake delegation. We qualitatively analyze the expected overhead reductions and discuss their applicability.
|
|
| 8. |
- Höglund, Joel, 1979-, et al.
(författare)
-
AutoPKI : public key infrastructure for IoT with automated trust transfer
- 2024
-
Ingår i: International Journal of Information Security. - : Springer Science and Business Media Deutschland GmbH. - 1615-5262 .- 1615-5270.
-
Tidskriftsartikel (refereegranskat)abstract
- IoT deployments grow in numbers and size, which makes questions of long-term support and maintainability increasingly important. Without scalable and standard-compliant capabilities to transfer the control of IoT devices between service providers, IoT system owners cannot ensure long-term maintainability, and risk vendor lock-in. The manual overhead must be kept low for large-scale IoT installations to be economically feasible. We propose AutoPKI, a lightweight protocol to update the IoT PKI credentials and shift the trusted domains, enabling the transfer of control between IoT service providers, building upon the latest IoT standards for secure communication and efficient encodings. We show that the overhead for the involved IoT devices is small and that the overall required manual overhead can be minimized. We analyse the fulfilment of the security requirements, and for a subset of them, we demonstrate that the desired security properties hold through formal verification using the Tamarin prover.
|
|
| 9. |
- Höglund, Joel, et al.
(författare)
-
BLEND : Efficient and blended IoT data storage and communication with application layer security
- 2022
-
Ingår i: Proceedings of the 2022 IEEE International Conference on Cyber Security and Resilience, CSR 2022. - : Institute of Electrical and Electronics Engineers Inc.. - 9781665499521 ; , s. 253-260
-
Konferensbidrag (refereegranskat)abstract
- Many IoT use cases demand both secure storage and secure communication. Resource-constrained devices cannot afford having one set of crypto protocols for storage and another for communication. Lightweight application layer security standards are being developed for IoT communication. Extending these protocols for secure storage can significantly reduce communication latency and local processing.We present BLEND, combining secure storage and communication by storing IoT data as pre-computed encrypted network packets. Unlike local methods, BLEND not only eliminates separate crypto for secure storage needs, but also eliminates a need for real-time crypto operations, reducing the communication latency significantly. Our evaluation shows that compared with a local solution, BLEND reduces send latency from 630 μs to 110 μs per packet. BLEND enables PKI based key management while being sufficiently lightweight for IoT. BLEND doesn't need modifications to communication standards used when extended for secure storage, and can therefore preserve underlying protocols' security guarantees.
|
|
| 10. |
- Höglund, Joel, 1979-, et al.
(författare)
-
Lightweight certificate revocation for low-power IoT with end-to-end security
- 2023
-
Ingår i: Journal of Information Security and Applications. - Amsterdam : Elsevier Ltd. - 2214-2134 .- 2214-2126. ; 73
-
Tidskriftsartikel (refereegranskat)abstract
- Public key infrastructure (PKI) provides the basis of authentication and access control in most networked systems. In the Internet of Things (IoT), however, security has predominantly been based on pre-shared keys (PSK), which cannot be revoked and do not provide strong authentication. The prevalence of PSK in the IoT is due primarily to a lack of lightweight protocols for accessing PKI services. Principal among these services are digital certificate enrollment and revocation, the former of which is addressed in recent research and is being pushed for standardization in IETF. However, no protocol yet exists for retrieving certificate status information on constrained devices, and revocation is not possible unless such a service is available. In this work, we start with implementing the Online Certificate Status Protocol (OCSP), the de facto standard for certificate validation on the Web, on state-of-the-art constrained hardware. In doing so, we demonstrate that the resource overhead of this protocol is unacceptable for highly constrained environments. We design, implement and evaluate a lightweight alternative to OCSP, TinyOCSP, which leverages recently standardized IoT protocols, such as CoAP and CBOR. In our experiments, validating eight certificates with TinyOCSP required 41% less energy than validating just one with OCSP on an ARM Cortex-M3 SoC. Moreover, validation transactions encoded with TinyOCSP are at least 73% smaller than the OCSP equivalent. We design a protocol for compressed certificate revocation lists (CCRL) using Bloom filters which together with TinyOCSP can further reduce validation overhead. We derive a set of equations for computing the optimal filter parameters, and confirm these results through empirical evaluation. © 2023 The Authors
|
|
