SDN Enabled Secure IoT Architecture
- K. Karmakar, V. Varadharajan, S. Nepal, U. Tupakula, “SDN Enabled Secure IoT Architecture”, IFIP/IEEE International Symposium on Integrated Network Management Washington DC, April 2019
In this paper we present a security architecture for IoT networks that restricts network access to authenticated IoT devices and uses fine granular policies to secure flows in IoT network infrastructures. We discuss how such an approach can help to protect IoT networks from malicious IoT devices and attacks.
Control based Dynamic Path Establishment for Securing Flows from User Devices
- U. Tupakula, V. Varadharajan, K. Karmakar, “Access Control based Dynamic Path Establishment for Securing Flows from the User Devices with different Security Clearance”, 33rd International Conference on Advanced Information Networking and Applications (AINA), March 2019
In this work we propose Software Defined Networking (SDN) based access control techniques for preventing unauthorised access to secure networks. We develop an Access Control Application (ACA) for the SDN Controller to differentiate flow requests from devices of varying security levels and to configure routes with physical or virtual separation between flows. This separation of flows makes it difficult for malicious users with low security clearance to access flows that belong to users with higher security clearance. Hence, this work significantly minimises the attack surface in secure environments. We also discuss the prototype implementation of our model and performance characteristics.
Policy-based Security Management in Software-defined Networks
- K. Sood, K. Karmakar, V. Varadharajan, U. Tupakula, S. Yu, “Analysis of Policy-based Security Management System in Software-defined Networks”, IEEE Communications Letters PP(99):1-1, Feb 2019
This paper examines policy-based security management as a method of dynamically controlling a software defined network. We observe that the method enables fine grained control over end user behaviour. However, we also observe that the performance of the architecture can be seriously impacted by dynamic variations in the network, a rapid increase in security attacks, geographical distribution of nodes and complex heterogeneous networks.
Learning Latent Byte-level Feature Representation for Malware Detection
- Mahmood Yousefi-Azar, Len Hamey, Vijay Varadharajan and Shiping Chen, "Learning Latent Byte-level Feature Representation for Malware Detection", Proceedings of the 25th International Conference on Neural Information Processing (ICONIP 2018) Dec 13 - 16, 2018
This paper proposes two different byte level representations of binary files for malware detection. We compare their performance and show that the proposed techniques can successfully be used for analysing full malware apps and infected files.
QoS and Security in Software Driven Networks
- K. Sood, K. Karmakar, V. Varadharajan, U. Tupakula, S. Yu, "Towards QoS and Security in Software-driven Heterogeneous Autonomous Networks", 2018 IEEE Global Communications Conference, Abu Dhabi, Dec 2018
In this paper we cite significant reasons for researchers to study QoS and security hand-in-hand. We propose a theoretical framework to transform heterogeneous systems to homogeneous groups and demonstrate its performance. This early analysis will help researchers to address heterogeneity and security in more effective ways.
Malytics: A Malware Detection Scheme
- Yousefi-Azar, M., Hamey L., Varadharajan V., Chen S., "Malytics: A Malware Detection Scheme", IEEE Access Journal, December 2018
In this paper we propose ‘Malytics’, a novel scheme that distinguishes malware from benign software. Malytics consists of three stages: feature extraction, similarity measurement and classification. The three stages are implemented by a neural network. We demonstrate that Malytics outperforms a wide range of techniques on Windows and Android platforms.
Modeling Identity for the Internet of Things
- Pal, S., Hitchens, M., & Varadharajan, V., "Modeling Identity for the Internet of Things: Survey, Classification and Trends", 12th International Conference on Sensing Technology (ICST), Dec 2018
In this paper we survey IoT identity and outline the foundations for building a formal model of IoT identity based on attributes. We demonstrate the model's reliability using different use-case scenarios. Our study shows that it is feasible to use the model to achieve both fine-grained and flexible system design in large-scale IoT systems.
Policy Based Security Architecture for Software Defined Networks
- V. Varadharajan, K. Karmakar, U. Tupakula and M. Hitchens, “A Policy based Security Architecture for Software Defined Networks”, IEEE Transactions on Information Forensics and Security, August 2018
In this paper we propose a policy-driven security architecture for securing end-to-end services across multiple SDN domains. We demonstrate the specification of fine-grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information, and services accessed. An important feature of our architecture is its ability to specify path- and flow-based security policies. We demonstrate its use in scenarios involving both intra- and inter-domain communications and we analyse its performance characteristics.
Privacy-Preserving Biometric Based Remote User Authentication with Leakage Resilience
- Yangguang Tian, Yingjiu Li, Rongmao Chen, Nan Li, Ximeng Liu, Bing Chang, Xinjie Yu, "Privacy-Preserving Biometric-Based Remote User Authentication with Leakage Resilience", SecureComm August 2018
In this paper we propose a novel leakage-resilient and privacy-preserving biometric-based remote user authentication framework. Registered users can securely and privately authenticate to a server in the cloud using symmetric-key cryptography. We formalize several new security models for biometric-based remote user authentication, and demonstrate the security of the proposed framework under standard assumptions.
Secure Network-index Code Equivalence
- L. Ong, J. Kliewer, B. N. Vellambi, "Secure Network-index Code Equivalence: Extension to Non-zero Error and Leakage", Proceedings of the 2018 IEEE International Symposium on Information Theory (ISIT), USA, June 2018
In this paper we demonstrate that any index-coding instance can be mapped to a network-coding instance, and vice versa. We extend this equivalence to secure index coding and secure network coding, where eavesdroppers are present in the networks, and where any code needs to guarantee security constraints in addition to decoding-error performance.
Using Machine Learning Techniques for Intrusion Detection
- P Mishra, V Varadharajan, U Tupakula, ES Pilli, "A Detailed Investigation and Analysis of using Machine Learning Techniques for Intrusion Detection", IEEE Communications Surveys & Tutorials, June 2018
In this paper we carry out a detailed analysis of various machine learning techniques to investigate issues associated with their detection of intrusive activities. We discuss issues related to detecting low-frequency attacks using network attack datasets and we suggest viable methods for improvement. We discuss limitations associated with each category of attack and we suggest future directions for attack detection using machine learning techniques.
Policy Based Access Control for Constrained Healthcare Resources
- Shantanu Pal, Michael Hitchens, Vijay Varadharajan, "Policy-Based Access Control for Constrained Healthcare Resources", Proceedings of WoWMoM June 2018
In this paper we propose an access control architecture for constrained healthcare resources in the IoT. Our policy-based approach provides fine-grained access to services for authorised users while protecting resources from unauthorised access. The proposed scheme is XACML driven. Our approach requires very little additional overhead when compared against other schemes employing capabilities for access control in the IoT. We implement a proof of concept prototype and evaluate its performance.
VMGuard: a VMI-based Security Architecture for Intrusion Detection in the Cloud
- P Mishra, V Varadharajan, E Pilli, U Tupakula, "VMGuard: A VMI-based Security Architecture for Intrusion Detection in Cloud Environment", IEEE Transactions on Cloud Computing, April 2018
In this paper we propose a Virtual Machine introspection-based security architecture for fine granular monitoring of the Tenant Virtual Machines (TVMs) in the cloud. We monitor TVMs at both the process and system call levels to detect known and zero-day attacks. Our architecture, VMGuard, uses software breakpoint injection to trap the execution of programs running in a TVM. VMGuard extracts and selects features of normal and attack traces, and produces a generic behaviour for different categories of intrusions. We implement a prototype with promising results and we compare VMGuard with existing techniques.
Control Architecture for Securing IoT-Enabled Smart Healthcare Systems
- S. Pal, M. Hitchens, V. Varadharajan and T. Rabehaja, “On Design of A Fine-Grained Access Control Architecture for Securing IoT-Enabled Smart Healthcare Systems”, Proceedings of the International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services, Mobiquitous Nov 2017, Australia
In this work we propose a novel access control architecture which improves policy management by reducing the required number of authentication policies in a large-scale healthcare system. We provide a formal specification of the model and a description of its implementation. We apply the architecture to a range of scenarios and provide results demonstrating its sound performance.
Malware and Secure Systems Research
- M. Yousefi Azar, L. Hamey, V. Varadharajan and M.D. McDonnell, "Extremely Fast, Automatic and Scalable Learning to Detect Android Malware", Proceedings of the 24th International Conference on Neural Information Processing, ICONIP Nov 2017
This paper proposes a novel scheme for Android malware detection. The scheme has two phases – in the first we extract a fixed sized vector for each binary file and reshape it into an image representation. In the second phase a machine learning algorithm learns to distinguish between malicious and clean files. This scalable scheme is extremely fast, both in learning and prediction. We demonstrate that this scheme produces better performance than three non-parametric models and a state-of-the-art parametric model.
Secure Monitoring of Patients with Wandering Behaviour in Hospital Environments
- V. Varadharajan, U. Tupakula and K. Karmakar, "Secure Monitoring of Patients with Wandering Behaviour in Hospital Environments", IEEE Access, Nov 2017.
In this paper we discuss the requirements of healthcare applications and propose techniques for secure monitoring of patients with wandering behaviour in a hospital or elderly care environment. Our approach makes use of software defined networking (SDN), Wireless LAN (WLAN), and wearable devices for the patients. We discuss the security challenges involved in using WLAN for patient monitoring and we demonstrate how SDN can resolve some of these. We develop a security application for an SDN controller that can be used to provide real time location tracking of the patients, while dealing with attacks on hospital networks. Finally we present a prototype implementation of our model.
- S. Pal, M. Hitchens and V. Varadharajan, “Towards A Secure Access Control Architecture for the Internet of Things”, Proc of the IEEE 42nd Conference on Local Computer Networks (LCN), Oct 2017, Singapore
In this paper we propose an access control architecture for IoT systems in the form of a hybrid model with role-based access control. We apply attributes for role-membership assignment and capabilities are used to access specific services provided by things. We demonstrate that this approach improves policy management for IoT systems with a large number of things and users.
Cloud Services Security
- U. Tupakula, V. Varadharajan and K. Karmakar, "SDN-based Dynamic Policy Specification and Enforcement for Provisioning Security as a Service in Cloud", 18th International Conference on Web Information Systems Engineering (WISE 2017), Russia, Oct 2017
In this paper we make use of SDN for provisioning of Security as a Service (SECaaS) to the tenant, and simplify security management in cloud. We develop a Security Application (SA) for the SDN Controller which captures tenant security requirements and enforces related policies for securing their virtual machines (VMs). We develop a security policy specification language for enforcing TPM, Access Control and Intrusion Detection related policies. Finally we present a prototype implementation of our approach and performance results.
An Eclat Algorithm Based Energy Detection for Cognitive Radio Networks
- F. Jin, V. Varadharajan and U. Tupakula, "An Eclat Algorithm Based Energy Detection for Cognitive Radio Networks", IEEE International Symposium on Security, Privacy and Trust in Internet of Things, Sydney, August 2017
In this paper we explore the use of Cognitive Radio (CR) to improve the utilization of the spectrum. We investigate the pros and cons of using a collaborative sensing mechanism and evaluate security performance. We propose an Eclat algorithm based detection strategy to mitigate SSDF attacks. Simulation results show that the sensing performance of the scheme is better than the traditional majority based voting decision in the presence of SSDF attacks.
Integrated Security Architecture for the Cloud with Improved Resilience
- V Varadharajan, U Tupakula, "On the design and implementation of an integrated security architecture for cloud with improved resilience", IEEE Transactions on Cloud Computing 5 (3), 375-389, July 2017.
In this paper we propose an integrated security architecture in an effort to secure distributed applications running on virtualised systems. The scheme combines policy based access control with intrusion detection techniques and trusted computing technologies. We demonstrate how it detects and counteracts dynamic attacks in an efficient manner and how it secures the life cycle of virtual machines. We show how the architecture can counteract attack scenarios involving malicious users and detect sophisticated, dynamically changing attacks, thereby increasing the resilience of the overall system.
Securing Communication in Autonomous System Domains with Software Defined Networks
- V. Varadharajan, K. Karmakar and U. Tupakula, "Securing Communication in Multiple Autonomous System Domains with Software Defined Networking", 2017 IFIP/IEEE Symposium on Integrated Network and Service Management Portugal, May 2017
This paper proposes a policy based security architecture for securing communication in multiple autonomous system (AS) domains with software defined networks (SDN). It presents a high-level overview of the architecture and a detailed discussion of the important components for securing communication in multiple AS domains. The paper includes example scenarios to demonstrate the operation of the security architecture to enable end-to-end secure communication within single and multiple AS domains.
Mitigating Attacks in Software Defined Networks
- K. Karmakar, V. Varadharajan and U. Tupakula, "Mitigating Attacks in Software Defined Networks", 2017 Fourth International Conference on Software Defined Systems, Spain, May 2017
In this paper we investigate some of the major vulnerabilities in software defined networking. We develop a policy based security application to mitigate attacks on the SDN domain. We apply real-time attack scenarios to test the efficacy of the application and we compare its performance against existing security approaches.
Learning and Algorithms in Cyber Security Applications
- M. Yousefi Azar, V. Varadharajan, L. Hamey and M.D. McDonnell, "Autoencoder-Based Feature Learning for Cyber Security Applications", Proceedings of the International Joint Conference on Neural Networks, IJCNN May 2017
This paper presents a novel feature learning model for cyber security tasks. We propose the use of auto-encoders (AEs) to learn latent representations of different feature sets. We show how well the AE learns a reasonable notion of semantic similarity among input features, and how it provides more discriminative features than other feature engineering approaches. We analyse the proposed scheme with various classifiers using publicly available datasets for network anomaly intrusion detection and malware classification. Several appropriate evaluation metrics show improvement compared to earlier results.
Program Semantic Aware Intrusion Detection at Network and Hypervisor Layer
- P. Mishra, E.S. Pilli, V. Varadharajan and U. Tupakula, "PSI-NetVisor: Program Semantic Aware Intrusion Detection at Network and Hypervisor Layer in Cloud", Journal of Intelligent & Fuzzy Systems 32 (4), 2909-2921, April 2017
This paper proposes an out-VM monitoring based approach labelled ‘Program Semantic Aware Intrusion Detection at Network and Hypervisor Layer’ (PSI-NetVisor) to detect attacks in both network and virtualisation layers in the cloud. It further applies depth first search (DFS) techniques to construct program semantics from the control flow graph of execution traces. The algorithm employs dynamic analysis and machine learning to learn the behaviour of anomalies, making it secure from obfuscation and encryption based attacks. PSI-NetVisor has been validated with the latest intrusion datasets collected from research centres (UNSW-NB & Evasive Malware) and the results are encouraging.
A New Approach: VMI-Assisted Evasion Detection (VAED) to Detect Malware Attacks
- P. Mishra, E.S. Pilli, V. Varadharajan and U. Tupakula, "VAED: VMI-Assisted Evasion Detection Approach for Infrastructure as a Service Cloud", Concurrency and Computation: Practice and Experience, accepted Feb 2017
This paper proposes an approach named VMI-assisted evasion detection (VAED), deployed at the virtual machine monitor, to detect evasion-based malware attacks. VAED is validated over evasive samples collected on request from the University of California and results are promising.
Securing SDN Controller and Switches from Attacks
- U. Tupakula, V. Varadharajan and P. Mishra, "Securing SDN Controller and Switches from Attacks", International Journal of High Performance Computing and Networking, accepted Jan 2017
In this paper we propose techniques for securing the SDN controller and switches from malicious end-host attacks. We develop a security application for the SDN controller to validate the state of switches in the data plane, and enforce security policies to monitor virtual machines. The attack detection component uses introspection at the hypervisor layer to collect the system call traces of programs running in a monitored VM. We develop a feature extraction method labelled ‘vector of n-grams’ which drops flows from malicious hosts before they are processed by switches or forwarded to the SDN controller. In this way we demonstrate that our model protects switches and the SDN controller from attacks.
Software Component Level Integrity and Cross Verification
- B. Min and V. Varadharajan, “Rethinking Software Component Security: Software Component Level Integrity and Cross Verification”, Accepted for Publication in The Computer Journal, May 2016.
In this paper we propose a new security mechanism for software systems that extends the Windows integrity mechanism and code signing technique. Our security mechanism gives rise to three major benefits. First, it prevents a wide range of attacks such as DLL hijacking and DLL injection, and mitigates the impact of shellcode that is executed by successful software vulnerability exploitation. It also prevents the use of untrusted plugins such as web browser add-ons. Second, it achieves developer-enforced security at the software component level so that components cannot be abused by malware. Third, it ensures a flexible environment where untrusted applications and software components are allowed to be loaded/executed at a low integrity level with restricted access permissions to system resources. We implement a prototype and carry out a thorough evaluation of the technique’s ability to mitigate real world malware attacks and prevent unauthorised software use.
Secure Cloud Storage System for Encrypted Patient Centric Health Records
- L. Zhou, V. Varadharajan and K. Gopinath, “A Secure Role-based Cloud Storage System for Encrypted Patient Centric Health Records”, Accepted for Publication in The Computer Journal, Mar 2016.
With the rapid developments occurring in cloud services, there has been a growing trend to use cloud for large-scale data storage. Due to the increasing popularity of cloud storage, many healthcare organizations have started moving electronic health records (EHRs) to cloud-based storage systems. However, this has raised the important security issue of how to protect and prevent unauthorized access to EHR data stored in a public cloud. Several cryptographic access control schemes have been proposed to protect the security of data stored in the cloud by integrating cryptographic techniques with access control models. In this paper, we consider a novel role-based encryption technique to build a secure and flexible large-scale EHR system where role-based access control policies are enforced in a cloud environment. Then we discuss a practical EHR system called the personally controlled electronic health record (PCEHR) system recently developed by the Australian Government, and show how the security weaknesses in the PCEHR system can be addressed by our proposed scheme. The proposed system has the potential to be useful in commercial healthcare systems as it captures practical access policies based on roles in a flexible manner and provides secure data storage in the cloud enforcing these access policies.
A Novel Malware for Subversion of Self Protection in Anti Virus
- B. Min and V. Varadharajan, "A Novel Malware for Subversion of Self Protection in Anti Virus", Accepted for Publication in Software: Practice and Experience March 2016.
In this paper we investigate 12 anti-virus products from four vendors and demonstrate that they have certain security weaknesses that can be exploited by malware. We design a novel malware which embeds itself to become a part of the vulnerable anti-virus solution. We then propose an effective defence against such malware. We also implement a defensive measure and evaluate its effectiveness. Finally, we show how the proposed defence can be applied to current versions of vulnerable anti-virus solutions without requiring significant modifications.
Securing Services in Networked Cloud Infrastructures
- V. Varadharajan and U. Tupakula, "Securing Services in Networked Cloud Infrastructures", Accepted for Publication in the IEEE Transactions in Cloud Computing, May 2016.
In this paper we propose techniques and architecture for securing services hosted in a multi-tenant networked cloud infrastructure. We describe techniques for detecting a range of attacks and we address security policies for trusted virtual domain management. We make a forensic analysis of attacks and fine granular detection of malicious entities, and we discuss mechanisms for restoration of services. Finally, we implement our security architecture using Xen and illustrate how our architecture is able to secure services in networked cloud infrastructures.