The derivation of a conceptual model for IT security outsourcing

IT security outsourcing is the establishment of a contractual relationship between an organization with an outside vendor which assumes responsibility for the organisation’s security functions. Outsourcing in IS has had a variable history of success and the complexity of the decision making process leads to a substantial degree of uncertainty. This is especially so in the realm of IS security since the protection of both hardware and software systems is placed in the hands of an external provider. This paper is a fuller and more comprehensive paper of a previous paper outlining the effectiveness of the decision making process by means of a conceptual model using Soft System Methodology techniques that integratessecurity benefits, costs and their respective performance measures. In this paper the methodology used to develop the model is discussed in detail.

Flexible deterministic packet marking: an IP traceback system to find the real source of attacks

Internet Protocol (IP) traceback is the enabling technology to control Internet crime. In this paper, we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. The motivation of this traceback system is from DDoS defense. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic. It has a wide array of applications for other security systems.

Scalable RFID security framework and protocol supporting Internet of Things

Radio-frequency identification (RFID) is seen as one of the requirements for the implementation of the Internet-of-Things (IoT). However, an RFID system has to be equipped with a holistic security framework for a secure and scalable operation. Although much work has been done to provide privacy and anonymity, little focus has been given to performance, scalability and customizability issues to support robust implementation of IoT. Also, existing protocols suffer from a number of deficiencies such as insecure or inefficient identification techniques, throughput delay and inadaptability. In this paper, we propose a novel identification technique based on a hybrid approach (group-based approach and collaborative approach) and security check handoff (SCH) for RFID systems with mobility. The proposed protocol provides customizability and adaptability as well as ensuring the secure and scalable deployment of an RFID system to support a robust distributed structure such as the IoT. The protocol has an extra fold of protection against malware using an incorporated malware detection technique. We evaluated the protocol using a randomness battery test and the results show that the protocol offers better security, scalability and customizability than the existing protocols. © 2014 Elsevier B.V. All rights reserved.

Cost-effective authentic and anonymous data sharing with forward security

Data sharing has never been easier with the advances of cloud computing, and an accurate analysis on the shared data provides an array of benefits to both the society and individuals. Data sharing with a large number of participants must take into account several issues, including efficiency, data integrity and privacy of data owner. Ring signature is a promising candidate to construct an anonymous and authentic data sharing system. It allows a data owner to anonymously authenticate his data which can be put into the cloud for storage or analysis purpose. Yet the costly certificate verification in the traditional public key infrastructure (PKI) setting becomes a bottleneck for this solution to be scalable. Identity-based (ID-based) ring signature, which eliminates the process of certificate verification, can be used instead. In this paper, we further enhance the security of ID-based ring signature by providing forward security: If a secret key of any user has been compromised, all previous generated signatures that include this user still remain valid. This property is especially important to any large scale data sharing system, as it is impossible to ask all data owners to re-authenticate their data even if a secret key of one single user has been compromised. We provide a concrete and efficient instantiation of our scheme, prove its security and provide an implementation to show its practicality.

Implementação do protocolo TCP/IP para sistemas de intrumentação

Baseado na tecnologia de interligação de redes, este trabalho apresenta uma proposta de conexão de dois sistemas com processamento próprio com o intuito de troca de informações, utilizando a pilha de protocolos TCP/IP. Este sistema será empregado em ambientes de controle industrial, permitindo o envio de informações do servidor de dados para o cliente. Os dados são constituídos de leituras feitas em equipamentos de campo, apresentando ao cliente remoto, medições dos mais diversos tipos. Por outro lado, o cliente poderá enviar comandos aos equipamentos de campo visando o telecontrole. Como ponto de partida para a elaboração do trabalho prático, foi utilizado o ambiente de controle do sistema de potência da companhia energética do estado do Rio Grande do Sul (CEEE). Um microcomputador com um browser acessa, através de uma rede local, os equipamentos controlados, que poderão ser qualquer tipo de equipamento de campo empregado em subestações de energia elétrica, como disjuntores, transformadores ou chaves. Para permitir o acesso remoto de tais equipamentos, foi elaborado um servidor de dados constituído de um controlador de rede do tipo Ethernet e um microcontrolador de aplicação específica que se encarrega do processamento da pilha de protocolos. O controlador Ethernet utilizado é um circuito integrado dedicado comercial, que executa o tratamento dos sinais de nível físico e de enlace de dados conforme o padrão IEEE 802.2. O processador TCP/IP, enfoque principal deste trabalho, foi elaborado através da linguagem de programação C, e a seguir traduzido para o Java, que é o ponto de partida para a ferramenta SASHIMI, de geração da descrição em VHDL do microcontrolador de aplicação específica utilizado. O processador TCP/IP encarrega-se da aquisição de dados do equipamento de campo, do processamento da pilha de protocolos TCP/IP, e do gerenciamento do controlador Ethernet. A partir desta descrição VHDL, foi sintetizado o hardware do microcontrolador em um FPGA, que juntamente com o software aplicativo, também fornecido pela ferramenta utilizada, desempenha o papel de processador TCP/IP para o sistema proposto. Neste ambiente, então, o cliente localizado no centro de operação, acessa através de um browser o equipamento de campo, visando obter suas medições, bem como enviar comandos, destacando o aspecto bidirecional para a troca de dados e a facilidade de conexão de dois sistemas heterogêneos. Este sistema pretende apresentar baixo custo de aquisição e de instalação, facilidade de interconexão local ou remota e transparência ao usuário final.

Soft IP para criptografia usando o algoritmo Rijndael e implementação em lógica programável

A criptografia assumiu papel de destaque no cotidiano das pessoas, em virtude da necessidade de segurança em inúmeras transações eletrônicas. Em determinadas áreas, a utilização de hardware dedicado à tarefa de criptografia apresenta vantagens em relação à implementação em software, devido principalmente ao ganho de desempenho. Recentemente, o National Institute of Standards and Technology (NIST) publicou o novo padrão norte-americano de criptografia simétrica, chamado de Advanced Encryption Standard (AES). Após um período de aproximadamente 3 anos, no qual várias alternativas foram analisadas, adotou-se o algoritmo Rijndael. Assim, este trabalho apresenta um Soft IP do padrão AES, codificado em VHDL, visando a implementação em FPGA Altera. Todo o projeto foi construído com funções e bibliotecas genéricas, a fim de permitir a posterior implementação sobre outras tecnologias. Foram geradas duas versões: uma priorizando desempenho e outra priorizando a área ocupada nos componentes. Para cada uma das versões, produziu-se um circuito para encriptar e outro para decriptar. O desempenho alcançado em termos de velocidade de processamento superou todos os outros trabalhos publicados na área, sobre a mesma tecnologia. São apresentados os detalhes de implementação, arquiteturas envolvidas e decisões de projeto, bem como todos os resultados. A dissertação contém ainda conceitos básicos de criptografia e uma descrição do algoritmo Rijndael.

Uma ferramenta de manipulação de pacotes para análise de protocolos de redes industriais baseados em TCP/IP

This work presents a packet manipulation tool developed to realize tests in industrial devices that implements TCP/IP-based communication protocols. The tool was developed in Python programming language, as a Scapy extension. This tool, named IndPM- Industrial Packet Manipulator, can realize vulnerability tests in devices of industrial networks, industrial protocol compliance tests, receive server replies and utilize the Python interpreter to build tests. The Modbus/TCP protocol was implemented as proof-of-concept. The DNP3 over TCP protocol was also implemented but tests could not be realized because of the lack of resources. The IndPM results with Modbus/TCP protocol show some implementation faults in a Programmable Logic Controller communication module frequently utilized in automation companies

Transmission network expansion planning with security constraints

A mathematical model and a methodology to solve the transmission network expansion planning problem with security constraints are presented. The methodology allows one to find an optimal and reliable transmission network expansion plan using a DC model to represent the electrical network. The security (n-1) criterion is used. The model presented is solved using a genetic algorithm designed to solve the reliable expansion planning in an efficient way. The results obtained for several known systems from literature show the excellent performance of the proposed methodology. A comparative analysis of the results obtained with the proposed methodology is also presented.

Desenvolvimento de hardware e software para tratamento e visualização de dados de descargas atmosféricas aplicados à segurança da navegação hidroviária

Pós-graduação em Engenharia Elétrica - FEIS

Real-Time Localization Using Software Defined Radio

Service providers make use of cost-effective wireless solutions to identify, localize, and possibly track users using their carried MDs to support added services, such as geo-advertisement, security, and management. Indoor and outdoor hotspot areas play a significant role for such services. However, GPS does not work in many of these areas. To solve this problem, service providers leverage available indoor radio technologies, such as WiFi, GSM, and LTE, to identify and localize users. We focus our research on passive services provided by third parties, which are responsible for (i) data acquisition and (ii) processing, and network-based services, where (i) and (ii) are done inside the serving network. For better understanding of parameters that affect indoor localization, we investigate several factors that affect indoor signal propagation for both Bluetooth and WiFi technologies. For GSM-based passive services, we developed first a data acquisition module: a GSM receiver that can overhear GSM uplink messages transmitted by MDs while being invisible. A set of optimizations were made for the receiver components to support wideband capturing of the GSM spectrum while operating in real-time. Processing the wide-spectrum of the GSM is possible using a proposed distributed processing approach over an IP network. Then, to overcome the lack of information about tracked devices’ radio settings, we developed two novel localization algorithms that rely on proximity-based solutions to estimate in real environments devices’ locations. Given the challenging indoor environment on radio signals, such as NLOS reception and multipath propagation, we developed an original algorithm to detect and remove contaminated radio signals before being fed to the localization algorithm. To improve the localization algorithm, we extended our work with a hybrid based approach that uses both WiFi and GSM interfaces to localize users. For network-based services, we used a software implementation of a LTE base station to develop our algorithms, which characterize the indoor environment before applying the localization algorithm. Experiments were conducted without any special hardware, any prior knowledge of the indoor layout or any offline calibration of the system.

Real-time localization using software defined radio

Service providers make use of cost-effective wireless solutions to identify, localize, and possibly track users using their carried MDs to support added services, such as geo-advertisement, security, and management. Indoor and outdoor hotspot areas play a significant role for such services. However, GPS does not work in many of these areas. To solve this problem, service providers leverage available indoor radio technologies, such as WiFi, GSM, and LTE, to identify and localize users. We focus our research on passive services provided by third parties, which are responsible for (i) data acquisition and (ii) processing, and network-based services, where (i) and (ii) are done inside the serving network. For better understanding of parameters that affect indoor localization, we investigate several factors that affect indoor signal propagation for both Bluetooth and WiFi technologies. For GSM-based passive services, we developed first a data acquisition module: a GSM receiver that can overhear GSM uplink messages transmitted by MDs while being invisible. A set of optimizations were made for the receiver components to support wideband capturing of the GSM spectrum while operating in real-time. Processing the wide-spectrum of the GSM is possible using a proposed distributed processing approach over an IP network. Then, to overcome the lack of information about tracked devices’ radio settings, we developed two novel localization algorithms that rely on proximity-based solutions to estimate in real environments devices’ locations. Given the challenging indoor environment on radio signals, such as NLOS reception and multipath propagation, we developed an original algorithm to detect and remove contaminated radio signals before being fed to the localization algorithm. To improve the localization algorithm, we extended our work with a hybrid based approach that uses both WiFi and GSM interfaces to localize users. For network-based services, we used a software implementation of a LTE base station to develop our algorithms, which characterize the indoor environment before applying the localization algorithm. Experiments were conducted without any special hardware, any prior knowledge of the indoor layout or any offline calibration of the system.

SCA security verification on wireless sensor network node

Side Channel Attack (SCA) differs from traditional mathematic attacks. It gets around of the exhaustive mathematic calculation and precisely pin to certain points in the cryptographic algorithm to reveal confidential information from the running crypto-devices. Since the introduction of SCA by Paul Kocher et al [1], it has been considered to be one of the most critical threats to the resource restricted but security demanding applications, such as wireless sensor networks. In this paper, we focus our work on the SCA-concerned security verification on WSN (wireless sensor network). A detailed setup of the platform and an analysis of the results of DPA (power attack) and EMA (electromagnetic attack) is presented. The setup follows the way of low-cost setup to make effective SCAs. Meanwhile, surveying the weaknesses of WSNs in resisting SCA attacks, especially for the EM attack. Finally, SCA-Prevention suggestions based on Differential Security Strategy for the FPGA hardware implementation in WSN will be given, helping to get an improved compromise between security and cost.

Distribution of microservices for hardware interoperability in the Smart Grid

Due to the significant increase of population and their natural desire of improving their standard of living, usage of energy extracted from world commodities, especially shaped as electricity, has increased in an intense manner during the last decades. This fact brings up a challenge with a complicated solution, which is how to guarantee that there will be enough energy so as to satisfy the energy demand of the world population. Among all the possible solutions that can be adopted to mitigate this problem one of them is almost of mandatory adoption, which consists of rationalizing energy utilization, in a way that its wasteful usage is minimized and it can be leveraged during a longer period of time. One of the ways to achieve it is by means of the improvement of the power distribution grid, so that it will be able to react in a more efficient manner against common issues, such as energy demand peaks or inaccurate electricity consumption forecasts. However, in order to be able to implement this improvement it is necessary to use technologies from the ICT (Information and Communication Technologies) sphere that often present challenges in some key areas: advanced metering infrastructure integration, interoperability and interconnectivity of the devices, interfaces to offer the applications, security measures design, etc. All these challenges may imply slowing down the adoption of the smart grid as a system to prolong the lifespan and utilization of the available energy. A proposal for an intermediation architecture that will make possible solving these challenges is put forward in this Master Thesis. Besides, one implementation and the tests that have been carried out to know the performance of the presented concepts have been included as well, in a way that it can be proved that the challenges set out by the smart grid can be resolved. RESUMEN. Debido al incremento significativo de la población y su deseo natural de mejorar su nivel de vida, la utilización de la energía extraída de las materias primas mundiales, especialmente en forma de electricidad, ha aumentado de manera intensa durante las últimas décadas. Este hecho plantea un reto de solución complicada, el cual es cómo garantizar que se dispondrá de la energía suficiente como para satisfacer la demanda energética de la población mundial. De entre todas las soluciones posibles que se pueden adoptar para mitigar este problema una de ellas es de casi obligatoria adopción, la cual consiste en racionalizar la utilización de la energía, de tal forma que se minimice su malgasto y pueda aprovecharse durante más tiempo. Una de las maneras de conseguirlo es mediante la mejora de la red de distribución de electricidad para que ésta pueda reaccionar de manera más eficaz contra problemas comunes, tales como los picos de demanda de energía o previsiones imprecisas acerca del consumo de electricidad. Sin embargo, para poder implementar esta mejora es necesario utilizar tecnologías del ámbito de las TIC (Tecnologías de la Información y la Comunicación) que a menudo presentan problemas en algunas áreas clave: integración de infraestructura de medición avanzada, interoperabilidad e interconectividad de los dispositivos, interfaces que ofrecer a las aplicaciones, diseño de medidas de seguridad, etc. Todos estos retos pueden implicar una ralentización en la adopción de la red eléctrica inteligente como un sistema para alargar la vida y la utilización de la energía disponible. En este Trabajo Fin de Máster se sugiere una propuesta para una arquitectura de intermediación que posibilite la resolución de estos retos. Además, una implementación y las pruebas que se han llevado a cabo para conocer el rendimiento de los conceptos presentados también han sido incluidas, de tal forma que se demuestre que los retos que plantea la red eléctrica inteligente pueden ser solventados.