Embedded systems are well known for their dependability, and that is one of the reasons that they... more Embedded systems are well known for their dependability, and that is one of the reasons that they are preferred over general purpose machines in various applications. Traditional embedded computing is changing nowadays mainly due to the increasing number of heterogeneous embedded devices that are, more often than not, interconnected. Security in the field of networked embedded systems is becoming particularly important, because: • Connected embedded devices can be attacked remotely. • They are resource constrained. This means, that due to their limited computational capabilities, a full-blown operating system that runs virus scanners and advanced intrusion detection techniques cannot be v supported. The two facts lead us to the conclusion that a new set of vulnerabilities emerges in the networked embedded system area, which cannot be tackled using traditional security solutions. This work is focused on embedded systems that are used in the network domain. A very exciting instance of an embedded system that requires high performance, has limited processing resources and communicates with other embedded devises is a network processor (NP). Powerful network processors are central components of modern routers, which help them achieve flexibility and perform tasks with advanced processing requirements. In my work, I identified a new class of vulnerabilities specific to routers. The same set of vulnerabilities can apply to any other type of networked embedded device that is not traditionally programmable, but is gradually shifting towards programmability. Security in the networking field is a crucial concern. Many attacks in existing networks are based on security vulnerabilities in end-systems or in the end-to-end protocols that they use. Inside the network, most practical attacks have focused on the control plane where routing information and other control data are exchanged. With the emergence of router systems that use programmable embedded processors, the data plane of the network also becomes a potential target for attacks. This trend towards attacks on the forwarding component in router systems is likely to speed up in next-generation networks, where virtualization requires even higher levels of programmability in the data path. This dissertation demonstrates a real attack scenario on a programmable router and discusses how similar attacks can be realized. Specifically, we present an attack example that can launch a devastating denial-of-service attack by sending just a single packet. We show that vulnerable packet processing code can be exploited on a Click modular router as well as on a custom packet processor on the NetFPGA platform. Several defenses to target this specific type of attacks are presented, which are broadly applicable to a large scale of embedded devices. Security vulnerabilities can be addressed efficiently using hardware based extensions. For example, defense techniques based on processor monitoring can help vi in detecting and avoiding such attacks. We believe that this work is an important step at providing comprehensive security solutions that can protect the data path of current and future networks. vii
Design of an adaptive security mechanism for modern routers
ABSTRACT Modern routers should be able to support many new functions to meet the needs of custome... more ABSTRACT Modern routers should be able to support many new functions to meet the needs of customers. To achieve such flexibility, programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. This programmability introduces new vulnerabilities in these systems that can lead to new types of network attacks. We propose a monitoring subsystem which functions in parallel with the processing core of the router and aids in the detection of such attacks. Upon detection, our system has the ability to restore the router's operation to a different, but functionally equivalent state.
Microgrids: Technical and security recommendations for future implementations
ABSTRACT Microgrids are modern, localized versions of the centralized utility grid. They have bee... more ABSTRACT Microgrids are modern, localized versions of the centralized utility grid. They have been gaining popularity due to the increased power demand and the development of various renewable resources. In this paper, we present technical and security recommendations for modern microgrid implementations to ensure interoperability, reliability, and security.
Design of an SDN Security Mechanism to Detect Malicious Activities
Software Defined Networks (SDN) is a modern networking paradigm that introduces lots of benefits ... more Software Defined Networks (SDN) is a modern networking paradigm that introduces lots of benefits to the next-generation networks. It offers the necessary programmability that allows the dynamic configuration of the networks and thus the deployment of new services on the fly to meet the different use cases. This programmability allows the development of a plethora of third-party applications that can be used by network administrators in order to implement different networking functionalities. However, this programmability also induces various threats regarding potential malicious activities against the SDN networks. In this paper, we propose the design and implementation of an SDN security mechanism that helps in the detection of malicious activities that might target the SDN network. The design we are proposing leverages the benefits of centralized control and programmability of SDN in order to periodically monitor the system calls utilization of the different SDN applications installed and statistically correlates such information to the baseline/benchmark information, thus detecting the existence of an unusual activity or a malicious application.
Fast regular expression matching in hardware using NFA-BDD combination
ABSTRACT The development of Network Intrusion Detection Systems (NIDS) is nowadays a powerful sol... more ABSTRACT The development of Network Intrusion Detection Systems (NIDS) is nowadays a powerful solution to defend against various network security threats. There has been a lot of research effort devoted to hardware-based NIDS, because of (1) the massive amount of computation performed by regular expression matching algorithms and (2) the gigabit per second performance requirement of modern NIDS. Hardware-based NIDS take advantage of parallelization inherent in FPGAs, ASICs or network processors to support very high network speeds, while software approaches fail to do so.
Programmable packet processors have replaced traditional fixed-function custom logic in the data ... more Programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. Programmability of these systems allows the introduction of new packet processing functions, which is essential for today's Internet as well as for next-generation network architectures. Software development for many existing implementations of these network processors requires a deep understanding of the architecture and careful resource management by the software developer. Resource management that is tied to application development makes it difficult for packet processors to adapt to changes in the workload that are based on traffic conditions and the deployment of new functionality. Therefore, we present a network processor design that separates programming from resource management, which simplifies the software development process and improves the system's ability to adapt to network conditions. Based on our initial system design, we present a prototype implementation of a 4-core network processor using the NetFPGA platform. We demonstrate the operation of the system using header-processing and payload-processing applications. For packet forwarding, our simplified network processor can achieve a throughput of 2.79 Gigabits per second at a clock rate of only 62.5 MHz. Our results indicate the proposed design can scale to configurations with many more processors that operate at much higher clock rates and thus can achieve considerable higher throughput while using modest amounts of hardware resources.
Selective encryption of video transmissions over multi-hop wireless networks
ABSTRACT From a user perspective both security and power consumption during video transmissions a... more ABSTRACT From a user perspective both security and power consumption during video transmissions are critical. On the one hand, assuming an eavesdropper on the wireless link, the transmitted video should be encrypted so that the unauthorized user is not able to reconstruct it. On the other hand, depending on the strength and the type of cryptographic method used during information exchange, there is a corresponding power consumption overhead. Since encryption protocols are oblivious to the wireless channel conditions, all packets are encrypted regardless of the probability of them getting lost. However, if the application layer protocol received feedback from the link layer on the channel losses, the protocol could decide how much encryption effort is actually needed so that the eavesdropper cannot reconstruct the video clip successfully. To an eavesdropper packets lost due to interference or encrypted packets do not make any difference; both are invisible to the passive attacker. In this paper, we map the percentage of lost/encrypted packets to an objective video quality metric (PSNR). We also create a look-up table through experiments on real multi-hop video transmission traffic, which allows the application layer to adjust the amount of encryption performed.
Programmability in the data path of routers provides the basis for modern router implementations ... more Programmability in the data path of routers provides the basis for modern router implementations that can adapt to new functional requirements. This programmability is typically achieved through software-programmable packet processing systems. One key concern with the proliferation of these programmable devices throughout the Internet is the potential impact of software vulnerabilities that can be exploited remotely. We present a design and proof-of-concept implementation of a packet processing system that uses two security techniques to defend against potential attacks: a processing monitor is used to track operations on each processor core to detect attacks at the processing instruction level; an I/O monitor is used to track operations of the router to detect attacks at the protocol level. Our prototype implementation on the NetFPGA system shows that these monitors can be implemented to operate at high data rates and with little additional hardware resources.
We present the first practical example of an entirely new class of network attacks-attacks that t... more We present the first practical example of an entirely new class of network attacks-attacks that target the network infrastructure. Modern routers in computer networks use generalpurpose programmable packet processors. The software used for packet processing on these systems is potentially vulnerable to remote exploits. In this paper, we demonstrate a specific attack that can launch a devastating denial-of-service attack by sending just a single packet. We show that vulnerable packet processing code can be exploited on a Click modular router as well as on a custom packet processor on the NetFPGA platform. We also show that defense techniques based on processor monitoring that we have proposed in prior work can help in detecting and avoiding such attacks.
Ensemble Machine Learning for Intrusion Detection in Cyber-Physical Systems
In this work, we evaluate the benefits of applying ensemble machine learning techniques to CPS at... more In this work, we evaluate the benefits of applying ensemble machine learning techniques to CPS attack detection, together with the application of data imbalance techniques. We also compare the performance improvements obtained from bagging, boosting, and stacking ensemble techniques. The stacking models that build upon bagging and boosting provide the best detection performance. After scoring both superior detection performance and low computation cost, the "Stack-2" models provide the best detection efficacy and can easily be deployed to production environment and can be scaled for the protection of hundreds of thousands of network flows per second.
Power-aware selective encryption of video transmissions in smart devices
ABSTRACT From a user perspective, both security and power consumption during video transmissions ... more ABSTRACT From a user perspective, both security and power consumption during video transmissions are critical. On the one hand, assuming an eavesdropper on the wireless link, the transmitted video should be encrypted so that an unauthorized user is not able to reconstruct it. On the other hand, depending on the strength and the type of cryptographic method used during information exchange, there is a corresponding power consumption overhead. Since encryption protocols are oblivious to the wireless channel conditions, all packets are encrypted regardless of the probability of them getting lost. However, if the application layer protocol received feedback from the link layer on the channel losses between the sender and the receiver, the protocol could decide how much encryption effort is actually needed so that the eavesdropper cannot reconstruct the video clip successfully. To an eavesdropper, packets lost due to interference or encrypted packets do not make any difference; both are invisible to the passive attacker. In this paper, we use a mathematical framework to quantify the effect of lost and encrypted packets on video quality (PSNR), and we design an algorithm that allows the application layer to adjust the amount of encryption performed depending on the channel's signal-to-interference-and-noise ratio (SINR).
Secure operation of mobile ad-hoc networks requires the ability to track the flow of traffic thro... more Secure operation of mobile ad-hoc networks requires the ability to track the flow of traffic through the network. Knowledge of the path of a packet allows inference of correct operation or potential attacks. In prior work, we have described a number of different techniques for recording such path information and ensuring its correctness through cryptographic techniques. In this paper, we evaluate these path recording techniques in a realistic military scenario. Using topology information and traffic traces from the Lakehurst scenario, we provide a quantitative evaluation of our techniques and determine the overhead for path recording in terms of data structure size and computational requirements.
The next wave of wireless technologies is proliferating in connecting things among themselves as ... more The next wave of wireless technologies is proliferating in connecting things among themselves as well as to humans. In the era of the Internet of things (IoT), billions of sensors, machines, vehicles, drones, and robots will be connected, making the world around us smarter. The IoT will encompass devices that must wirelessly communicate a diverse set of data gathered from the environment for myriad new applications. The ultimate goal is to extract insights from this data and develop solutions that improve quality of life and generate new revenue. Providing large-scale, long-lasting, reliable, and near real-time connectivity is the major challenge in enabling a smart connected world. This paper provides a comprehensive survey on existing and emerging communication solutions for serving IoT applications in the context of cellular, wide-area, as well as non-terrestrial networks. Specifically, wireless technology enhancements for providing IoT access in fifth-generation (5G) and beyond cellular networks, and communication networks over the unlicensed spectrum are presented. Aligned with the main key performance indicators of 5G and beyond 5G networks, we investigate solutions and standards that enable energy efficiency, reliability, low latency, and scalability (connection density) of current and future IoT networks. The solutions include grant-free access and channel coding for short-packet communications, nonorthogonal multiple access, and on-device intelligence. Further, a vision of new paradigm shifts in communication networks in the 2030s is provided, and the integration of the associated new technologies like artificial intelligence, non-terrestrial networks, and new spectra is elaborated. In particular, the potential of using emerging deep learning and federated learning techniques for enhancing the efficiency and security of IoT communication are discussed, and their promises and challenges are introduced. Finally, future research directions toward beyond 5G IoT networks are pointed out.
Intrinsic Security in MANET via Trusted Connectivity Information
International Journal of Research, Dec 31, 2015
Mobile Ad-hoc Networks are increasingly deployed in military networks as well as special kinds of... more Mobile Ad-hoc Networks are increasingly deployed in military networks as well as special kinds of civil law enforcement and emergency operation domains. Compared to wired and other types of wireless networks, MANETs are particularly vulnerable to a wide range of attacks and require high security and privacy guarantees due to their critical mission. Research efforts have focused on developing secure routing protocols for MANETs but very little attention has been given to the data plane and the information we can extract about the actual communication links. Wireless networks that require high levels of security may use data path information to validate routing information. In this paper, we develop a scheme that allows us to track and validate mobile node connectivity in order to identify potential malicious behavior. We propose a novel algorithm to accomplish connectivity tracking based on a space-efficient Bloom filter data structure and the use of aggregate signatures. We present simulation results on a real network trace that show the effectiveness of our design.
A separation and protection scheme for on-chip memory blocks in FPGAs
State-of-the-art FPGAs are quickly evolving into a complete system-on-chip (SoC) platform with ag... more State-of-the-art FPGAs are quickly evolving into a complete system-on-chip (SoC) platform with aggressive integration of high-performance hard processor cores, gigabytes of dedicated memory blocks, and many commonly used peripherals. As FPGAs increasingly find their way into many critical and sensitive applications, including speeding cryptographic algorithms, security concerns about themselves start mounting. Current countermeasures mostly target hardware trojans, cloning, side-channel attacks, and reverse engineering. Little attention has been devoted to securing dedicated on-chip memory blocks. Moreover, the dynamic reconfigurability nature of FPGAs makes static-only approaches less effective and less efficient. In this paper, we present the design and implementation of a runtime protection scheme for FPGA on-chip memory blocks. To secure on-chip memory inside FPGAs, careful design choices must be taken because of their very low latency and simple flat memory model. A series of rules, called security policies are made. These policies are enforced by a reference monitor who mediates the communications between the intellectual properties (IP) or modules that requires the memory, and the memory itself. The memory security scheme is an implementation of a security kernel, enforced by a series of security policies, with a specific policy algorithm which tells four security monitors to control the memory accesses between IPs and the on-chip memory inside the FPGA used. The results on a Xilinx Virtex-6 FPGA board show that the security monitors themselves are successful in preventing unauthorized accesses from IPs that are marked as “untrusted” while allowing full access from other IPs that are marked as “trusted”, without incurring on a serious area or latency penalty. Also, by preventing the access from “untrusted” IPs and marking connections as “not traversable”, the connections between the untrusted IPs and the memory that it has to share with “trusted” IPs are secured.
The exchange of topology information is a potential attack target in mobile ad-hoc networks. To p... more The exchange of topology information is a potential attack target in mobile ad-hoc networks. To provide an intrinsic security mechanism, it is possible to validate topology advertisements in the control plane against records of the path taken by transmission in the data plane. In this context, we provide a discussion of different path recording mechanisms. We evaluate their performance in terms of packet overhead and reconstruction complexity. • Topology information via control plane: Routing message
Embedded systems are well known for their dependability, and that is one of the reasons that they... more Embedded systems are well known for their dependability, and that is one of the reasons that they are preferred over general purpose machines in various applications. Traditional embedded computing is changing nowadays mainly due to the increasing number of heterogeneous embedded devices that are, more often than not, interconnected. Security in the field of networked embedded systems is becoming particularly important, because: • Connected embedded devices can be attacked remotely. • They are resource constrained. This means, that due to their limited computational capabilities, a full-blown operating system that runs virus scanners and advanced intrusion detection techniques cannot be v supported. The two facts lead us to the conclusion that a new set of vulnerabilities emerges in the networked embedded system area, which cannot be tackled using traditional security solutions. This work is focused on embedded systems that are used in the network domain. A very exciting instance of an embedded system that requires high performance, has limited processing resources and communicates with other embedded devises is a network processor (NP). Powerful network processors are central components of modern routers, which help them achieve flexibility and perform tasks with advanced processing requirements. In my work, I identified a new class of vulnerabilities specific to routers. The same set of vulnerabilities can apply to any other type of networked embedded device that is not traditionally programmable, but is gradually shifting towards programmability. Security in the networking field is a crucial concern. Many attacks in existing networks are based on security vulnerabilities in end-systems or in the end-to-end protocols that they use. Inside the network, most practical attacks have focused on the control plane where routing information and other control data are exchanged. With the emergence of router systems that use programmable embedded processors, the data plane of the network also becomes a potential target for attacks. This trend towards attacks on the forwarding component in router systems is likely to speed up in next-generation networks, where virtualization requires even higher levels of programmability in the data path. This dissertation demonstrates a real attack scenario on a programmable router and discusses how similar attacks can be realized. Specifically, we present an attack example that can launch a devastating denial-of-service attack by sending just a single packet. We show that vulnerable packet processing code can be exploited on a Click modular router as well as on a custom packet processor on the NetFPGA platform. Several defenses to target this specific type of attacks are presented, which are broadly applicable to a large scale of embedded devices. Security vulnerabilities can be addressed efficiently using hardware based extensions. For example, defense techniques based on processor monitoring can help vi in detecting and avoiding such attacks. We believe that this work is an important step at providing comprehensive security solutions that can protect the data path of current and future networks. vii
Design of an adaptive security mechanism for modern routers
ABSTRACT Modern routers should be able to support many new functions to meet the needs of custome... more ABSTRACT Modern routers should be able to support many new functions to meet the needs of customers. To achieve such flexibility, programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. This programmability introduces new vulnerabilities in these systems that can lead to new types of network attacks. We propose a monitoring subsystem which functions in parallel with the processing core of the router and aids in the detection of such attacks. Upon detection, our system has the ability to restore the router's operation to a different, but functionally equivalent state.
Microgrids: Technical and security recommendations for future implementations
ABSTRACT Microgrids are modern, localized versions of the centralized utility grid. They have bee... more ABSTRACT Microgrids are modern, localized versions of the centralized utility grid. They have been gaining popularity due to the increased power demand and the development of various renewable resources. In this paper, we present technical and security recommendations for modern microgrid implementations to ensure interoperability, reliability, and security.
Design of an SDN Security Mechanism to Detect Malicious Activities
Software Defined Networks (SDN) is a modern networking paradigm that introduces lots of benefits ... more Software Defined Networks (SDN) is a modern networking paradigm that introduces lots of benefits to the next-generation networks. It offers the necessary programmability that allows the dynamic configuration of the networks and thus the deployment of new services on the fly to meet the different use cases. This programmability allows the development of a plethora of third-party applications that can be used by network administrators in order to implement different networking functionalities. However, this programmability also induces various threats regarding potential malicious activities against the SDN networks. In this paper, we propose the design and implementation of an SDN security mechanism that helps in the detection of malicious activities that might target the SDN network. The design we are proposing leverages the benefits of centralized control and programmability of SDN in order to periodically monitor the system calls utilization of the different SDN applications installed and statistically correlates such information to the baseline/benchmark information, thus detecting the existence of an unusual activity or a malicious application.
Fast regular expression matching in hardware using NFA-BDD combination
ABSTRACT The development of Network Intrusion Detection Systems (NIDS) is nowadays a powerful sol... more ABSTRACT The development of Network Intrusion Detection Systems (NIDS) is nowadays a powerful solution to defend against various network security threats. There has been a lot of research effort devoted to hardware-based NIDS, because of (1) the massive amount of computation performed by regular expression matching algorithms and (2) the gigabit per second performance requirement of modern NIDS. Hardware-based NIDS take advantage of parallelization inherent in FPGAs, ASICs or network processors to support very high network speeds, while software approaches fail to do so.
Programmable packet processors have replaced traditional fixed-function custom logic in the data ... more Programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. Programmability of these systems allows the introduction of new packet processing functions, which is essential for today's Internet as well as for next-generation network architectures. Software development for many existing implementations of these network processors requires a deep understanding of the architecture and careful resource management by the software developer. Resource management that is tied to application development makes it difficult for packet processors to adapt to changes in the workload that are based on traffic conditions and the deployment of new functionality. Therefore, we present a network processor design that separates programming from resource management, which simplifies the software development process and improves the system's ability to adapt to network conditions. Based on our initial system design, we present a prototype implementation of a 4-core network processor using the NetFPGA platform. We demonstrate the operation of the system using header-processing and payload-processing applications. For packet forwarding, our simplified network processor can achieve a throughput of 2.79 Gigabits per second at a clock rate of only 62.5 MHz. Our results indicate the proposed design can scale to configurations with many more processors that operate at much higher clock rates and thus can achieve considerable higher throughput while using modest amounts of hardware resources.
Selective encryption of video transmissions over multi-hop wireless networks
ABSTRACT From a user perspective both security and power consumption during video transmissions a... more ABSTRACT From a user perspective both security and power consumption during video transmissions are critical. On the one hand, assuming an eavesdropper on the wireless link, the transmitted video should be encrypted so that the unauthorized user is not able to reconstruct it. On the other hand, depending on the strength and the type of cryptographic method used during information exchange, there is a corresponding power consumption overhead. Since encryption protocols are oblivious to the wireless channel conditions, all packets are encrypted regardless of the probability of them getting lost. However, if the application layer protocol received feedback from the link layer on the channel losses, the protocol could decide how much encryption effort is actually needed so that the eavesdropper cannot reconstruct the video clip successfully. To an eavesdropper packets lost due to interference or encrypted packets do not make any difference; both are invisible to the passive attacker. In this paper, we map the percentage of lost/encrypted packets to an objective video quality metric (PSNR). We also create a look-up table through experiments on real multi-hop video transmission traffic, which allows the application layer to adjust the amount of encryption performed.
Programmability in the data path of routers provides the basis for modern router implementations ... more Programmability in the data path of routers provides the basis for modern router implementations that can adapt to new functional requirements. This programmability is typically achieved through software-programmable packet processing systems. One key concern with the proliferation of these programmable devices throughout the Internet is the potential impact of software vulnerabilities that can be exploited remotely. We present a design and proof-of-concept implementation of a packet processing system that uses two security techniques to defend against potential attacks: a processing monitor is used to track operations on each processor core to detect attacks at the processing instruction level; an I/O monitor is used to track operations of the router to detect attacks at the protocol level. Our prototype implementation on the NetFPGA system shows that these monitors can be implemented to operate at high data rates and with little additional hardware resources.
We present the first practical example of an entirely new class of network attacks-attacks that t... more We present the first practical example of an entirely new class of network attacks-attacks that target the network infrastructure. Modern routers in computer networks use generalpurpose programmable packet processors. The software used for packet processing on these systems is potentially vulnerable to remote exploits. In this paper, we demonstrate a specific attack that can launch a devastating denial-of-service attack by sending just a single packet. We show that vulnerable packet processing code can be exploited on a Click modular router as well as on a custom packet processor on the NetFPGA platform. We also show that defense techniques based on processor monitoring that we have proposed in prior work can help in detecting and avoiding such attacks.
Ensemble Machine Learning for Intrusion Detection in Cyber-Physical Systems
In this work, we evaluate the benefits of applying ensemble machine learning techniques to CPS at... more In this work, we evaluate the benefits of applying ensemble machine learning techniques to CPS attack detection, together with the application of data imbalance techniques. We also compare the performance improvements obtained from bagging, boosting, and stacking ensemble techniques. The stacking models that build upon bagging and boosting provide the best detection performance. After scoring both superior detection performance and low computation cost, the "Stack-2" models provide the best detection efficacy and can easily be deployed to production environment and can be scaled for the protection of hundreds of thousands of network flows per second.
Power-aware selective encryption of video transmissions in smart devices
ABSTRACT From a user perspective, both security and power consumption during video transmissions ... more ABSTRACT From a user perspective, both security and power consumption during video transmissions are critical. On the one hand, assuming an eavesdropper on the wireless link, the transmitted video should be encrypted so that an unauthorized user is not able to reconstruct it. On the other hand, depending on the strength and the type of cryptographic method used during information exchange, there is a corresponding power consumption overhead. Since encryption protocols are oblivious to the wireless channel conditions, all packets are encrypted regardless of the probability of them getting lost. However, if the application layer protocol received feedback from the link layer on the channel losses between the sender and the receiver, the protocol could decide how much encryption effort is actually needed so that the eavesdropper cannot reconstruct the video clip successfully. To an eavesdropper, packets lost due to interference or encrypted packets do not make any difference; both are invisible to the passive attacker. In this paper, we use a mathematical framework to quantify the effect of lost and encrypted packets on video quality (PSNR), and we design an algorithm that allows the application layer to adjust the amount of encryption performed depending on the channel's signal-to-interference-and-noise ratio (SINR).
Secure operation of mobile ad-hoc networks requires the ability to track the flow of traffic thro... more Secure operation of mobile ad-hoc networks requires the ability to track the flow of traffic through the network. Knowledge of the path of a packet allows inference of correct operation or potential attacks. In prior work, we have described a number of different techniques for recording such path information and ensuring its correctness through cryptographic techniques. In this paper, we evaluate these path recording techniques in a realistic military scenario. Using topology information and traffic traces from the Lakehurst scenario, we provide a quantitative evaluation of our techniques and determine the overhead for path recording in terms of data structure size and computational requirements.
The next wave of wireless technologies is proliferating in connecting things among themselves as ... more The next wave of wireless technologies is proliferating in connecting things among themselves as well as to humans. In the era of the Internet of things (IoT), billions of sensors, machines, vehicles, drones, and robots will be connected, making the world around us smarter. The IoT will encompass devices that must wirelessly communicate a diverse set of data gathered from the environment for myriad new applications. The ultimate goal is to extract insights from this data and develop solutions that improve quality of life and generate new revenue. Providing large-scale, long-lasting, reliable, and near real-time connectivity is the major challenge in enabling a smart connected world. This paper provides a comprehensive survey on existing and emerging communication solutions for serving IoT applications in the context of cellular, wide-area, as well as non-terrestrial networks. Specifically, wireless technology enhancements for providing IoT access in fifth-generation (5G) and beyond cellular networks, and communication networks over the unlicensed spectrum are presented. Aligned with the main key performance indicators of 5G and beyond 5G networks, we investigate solutions and standards that enable energy efficiency, reliability, low latency, and scalability (connection density) of current and future IoT networks. The solutions include grant-free access and channel coding for short-packet communications, nonorthogonal multiple access, and on-device intelligence. Further, a vision of new paradigm shifts in communication networks in the 2030s is provided, and the integration of the associated new technologies like artificial intelligence, non-terrestrial networks, and new spectra is elaborated. In particular, the potential of using emerging deep learning and federated learning techniques for enhancing the efficiency and security of IoT communication are discussed, and their promises and challenges are introduced. Finally, future research directions toward beyond 5G IoT networks are pointed out.
Intrinsic Security in MANET via Trusted Connectivity Information
International Journal of Research, Dec 31, 2015
Mobile Ad-hoc Networks are increasingly deployed in military networks as well as special kinds of... more Mobile Ad-hoc Networks are increasingly deployed in military networks as well as special kinds of civil law enforcement and emergency operation domains. Compared to wired and other types of wireless networks, MANETs are particularly vulnerable to a wide range of attacks and require high security and privacy guarantees due to their critical mission. Research efforts have focused on developing secure routing protocols for MANETs but very little attention has been given to the data plane and the information we can extract about the actual communication links. Wireless networks that require high levels of security may use data path information to validate routing information. In this paper, we develop a scheme that allows us to track and validate mobile node connectivity in order to identify potential malicious behavior. We propose a novel algorithm to accomplish connectivity tracking based on a space-efficient Bloom filter data structure and the use of aggregate signatures. We present simulation results on a real network trace that show the effectiveness of our design.
A separation and protection scheme for on-chip memory blocks in FPGAs
State-of-the-art FPGAs are quickly evolving into a complete system-on-chip (SoC) platform with ag... more State-of-the-art FPGAs are quickly evolving into a complete system-on-chip (SoC) platform with aggressive integration of high-performance hard processor cores, gigabytes of dedicated memory blocks, and many commonly used peripherals. As FPGAs increasingly find their way into many critical and sensitive applications, including speeding cryptographic algorithms, security concerns about themselves start mounting. Current countermeasures mostly target hardware trojans, cloning, side-channel attacks, and reverse engineering. Little attention has been devoted to securing dedicated on-chip memory blocks. Moreover, the dynamic reconfigurability nature of FPGAs makes static-only approaches less effective and less efficient. In this paper, we present the design and implementation of a runtime protection scheme for FPGA on-chip memory blocks. To secure on-chip memory inside FPGAs, careful design choices must be taken because of their very low latency and simple flat memory model. A series of rules, called security policies are made. These policies are enforced by a reference monitor who mediates the communications between the intellectual properties (IP) or modules that requires the memory, and the memory itself. The memory security scheme is an implementation of a security kernel, enforced by a series of security policies, with a specific policy algorithm which tells four security monitors to control the memory accesses between IPs and the on-chip memory inside the FPGA used. The results on a Xilinx Virtex-6 FPGA board show that the security monitors themselves are successful in preventing unauthorized accesses from IPs that are marked as “untrusted” while allowing full access from other IPs that are marked as “trusted”, without incurring on a serious area or latency penalty. Also, by preventing the access from “untrusted” IPs and marking connections as “not traversable”, the connections between the untrusted IPs and the memory that it has to share with “trusted” IPs are secured.
The exchange of topology information is a potential attack target in mobile ad-hoc networks. To p... more The exchange of topology information is a potential attack target in mobile ad-hoc networks. To provide an intrinsic security mechanism, it is possible to validate topology advertisements in the control plane against records of the path taken by transmission in the data plane. In this context, we provide a discussion of different path recording mechanisms. We evaluate their performance in terms of packet overhead and reconstruction complexity. • Topology information via control plane: Routing message
Uploads
Papers by Danai Chasaki