Publications
272 results found
Turner HCM, Chizari H, Lupu E, 2018, Step intervals and arterial pressure in PVS schemes, Living in the Internet of Things: Cybersecurity of the IoT - 2018, Publisher: Institution of Engineering and Technology, Pages: 36-45
We build upon the idea of Physiological Value Based Security schemes as a means of securing body sensor networks (BSN). Such schemes provide a secure means for sensors in a BSN to communicate with one another, as long as they can measure the same underlying physiological signal. This avoids the use of pre-distributed keys and allows re-keying to be done easily. Such techniques require identifying signals and encoding methods that can be used in the scheme. Hence we first evaluate step interval as our physiological signal, using existing modular encoding method and our proposed learned partitioning function as the encoding methods. We show that both of these are usable with the scheme and identify a suitable parametrisation. We then go on to evaluate arterial blood pressure using our proposed learned mean FFT coefficients method. We demonstrate that with the correct parameters this could also be used in the scheme. This further improves the usability of PVS schemes, by identify two more signals that could be used, as well as two encoding methods that may also be useful for other signals.
Chizari H, Lupu E, Thomas P, 2018, Randomness of physiological signals in generation cryptographic key for secure communication between implantable medical devices inside the body and the outside world, Living in the Internet of Things: Cybersecurity of the IoT - 2018, Publisher: Institution of Engineering and Technology
A physiological signal must have a certain level of randomness inside it to be a good source of randomness for generating cryptographic key. Dependency to the history is one of the measures to examine the strength of a randomness source. In dependency to the history, the adversary has infinite access to the history of generated random bits from the source and wants to predict the next random number based on that. Although many physiological signals have been proposed in literature as good source of randomness, no dependency to history analysis has been carried out to examine this fact. In this paper, using a large dataset of physiological signals collected from PhysioNet, the dependency to history of Interpuls Interval (IPI), QRS Complex, and EEG signals (including Alpha, Beta, Delta, Gamma and Theta waves) were examined. The results showed that despite the general assumption that the physiological signals are random, all of them are weak sources of randomness with high dependency to their history. Among them, Alpha wave of EEG signal shows a much better randomness and is a good candidate for post-processing and randomness extraction algorithm.
Taylor P, Allpress S, Carr M, et al., 2018, Internet of Things: Realising the Potential of a Trusted Smart World, Internet of Things: Realising the Potential of a Trusted Smart World, London, Publisher: Royal Academy of Engineering: London
This report examines the policy challenges for the Internet of Things (IoT), and raises a broad range of issues that need to be considered if policy is to be effective and the potential economic value of IoT is harnessed. It builds on the Blackett review, The Internet of Things: making the most of the second digital revolution, adding detailed knowledge based on research from the PETRAS Cybersecurity of the Internet of Things Research Hub and input from Fellows of the Royal Academy of Engineering. The report targets government policymakers, regulators, standards bodies and national funding bodies, and will also be of interest to suppliers and adopters of IoT products and services.
Munoz Gonzalez L, Lupu E, 2018, The secret of machine learning, ITNOW, Vol: 60, Pages: 38-39, ISSN: 1746-5702
Luis Muñoz-González and Emil C. Lupu, from Imperial College London, explore the vulnerabilities of machine learning algorithms.
Paudice A, Muñoz-González L, Gyorgy A, et al., 2018, Detection of Adversarial Training Examples in Poisoning Attacks through Anomaly Detection
Machine learning has become an important component for many systems andapplications including computer vision, spam filtering, malware and networkintrusion detection, among others. Despite the capabilities of machine learningalgorithms to extract valuable information from data and produce accuratepredictions, it has been shown that these algorithms are vulnerable to attacks.Data poisoning is one of the most relevant security threats against machinelearning systems, where attackers can subvert the learning process by injectingmalicious samples in the training data. Recent work in adversarial machinelearning has shown that the so-called optimal attack strategies cansuccessfully poison linear classifiers, degrading the performance of the systemdramatically after compromising a small fraction of the training dataset. Inthis paper we propose a defence mechanism to mitigate the effect of theseoptimal poisoning attacks based on outlier detection. We show empirically thatthe adversarial examples generated by these attack strategies are quitedifferent from genuine points, as no detectability constrains are considered tocraft the attack. Hence, they can be detected with an appropriate pre-filteringof the training dataset.
Illiano V, Lupu E, Muñoz-González L, et al., 2018, Determining Resilience Gains from Anomaly Detection for Event Integrity in Wireless Sensor Networks, ACM Transactions on Sensor Networks, Vol: 14, ISSN: 1550-4859
Measurements collected in a wireless sensor network (WSN) can be maliciously compromised through several attacks, but anomaly detection algorithms may provide resilience by detecting inconsistencies in the data. Anomaly detection can identify severe threats to WSN applications, provided that there is a sufficient amount of genuine information. This article presents a novel method to calculate an assurance measure for the network by estimating the maximum number of malicious measurements that can be tolerated. In previous work, the resilience of anomaly detection to malicious measurements has been tested only against arbitrary attacks, which are not necessarily sophisticated. The novel method presented here is based on an optimization algorithm, which maximizes the attack’s chance of staying undetected while causing damage to the application, thus seeking the worst-case scenario for the anomaly detection algorithm. The algorithm is tested on a wildfire monitoring WSN to estimate the benefits of anomaly detection on the system’s resilience. The algorithm also returns the measurements that the attacker needs to synthesize, which are studied to highlight the weak spots of anomaly detection. Finally, this article presents a novel methodology that takes in input the degree of resilience required and automatically designs the deployment that satisfies such a requirement.
Barrere Cambrun M, Vieira Steiner R, Mohsen R, et al., 2018, Tracking the bad guys: an efficient forensic methodology to trace multi-step attacks using core attack graphs, 13th International Conference on Network and Service Management (CNSM'17), Publisher: IEEE, ISSN: 2165-963X
In this paper, we describe an efficient methodology to guide investigators during network forensic analysis. To this end, we introduce the concept of core attack graph, a compact representation of the main routes an attacker can take towards specific network targets. Such compactness allows forensic investigators to focus their efforts on critical nodes that are more likely to be part of attack paths, thus reducing the overall number of nodes (devices, network privileges) that need to be examined. Nevertheless, core graphs also allow investigators to hierarchically explore the graph in order to retrieve different levels of summarised information. We have evaluated our approach over different network topologies varying parameters such as network size, density, and forensic evaluation threshold. Our results demonstrate that we can achieve the same level of accuracy provided by standard logical attack graphs while significantly reducing the exploration rate of the network.
Karafili E, Lupu E, Cullen A, et al., 2018, Improving data sharing in data rich environments, 1st IEEE Big Data International Workshop on Policy-based Autonomic Data Governance, IEEE BigData, Publisher: IEEE
The increasing use of big data comes along with the problem of ensuring correct and secure data access. There is a need to maximise the data dissemination whilst controlling their access. Depending on the type of users different qualities and parts of data are shared. We introduce an alteration mechanism, more precisely a restriction one, based on a policy analysis language. The alteration reflects the level of trust and relations the users have, and are represented as policies inside the data sharing agreements. These agreements are attached to the data and are enforced every time the data are accessed, used or shared. We show the use of our alteration mechanism with a military use case, where different parties are involved during the missions, and they have different relations of trust and partnership.
Calo S, Lupu E, Bertino E, et al., 2018, Research Challenges in Dynamic Policy-Based Autonomous Security, IEEE International Conference on Big Data (IEEE Big Data), Publisher: IEEE, Pages: 2970-2973
Barrere M, Lupu EC, 2017, Naggen: a Network Attack Graph GENeration tool, 2017 IEEE Conference on Communications and Network Security, CNS 2017, Publisher: IEEE, Pages: 378-379
Attack graphs constitute a powerful security tool aimed at modelling the many ways in which an attacker may compromise different assets in a network. Despite their usefulness in several security-related activities (e.g. hardening, monitoring, forensics), the complexity of these graphs can massively grow as the network becomes denser and larger, thus defying their practical usability. In this presentation, we first describe some of the problems that currently challenge the practical use of attack graphs. We then explain our approach based on core attack graphs, a novel perspective to address attack graph complexity. Finally, we present Naggen, a tool for generating, visualising and exploring core attack graphs. We use Naggen to show the advantages of our approach on different security applications.
Karafili E, Spanaki K, Lupu E, 2017, An Argumentation Reasoning Approach for Data Processing, Computers in Industry, Vol: 94, Pages: 52-61, ISSN: 0166-3615
Data-intensive environments enable us to capture information and knowledge about the physical surroundings, to optimise our resources, enjoy personalised services and gain unprecedented insights into our lives. However, to obtain these endeavours extracted from the data, this data should be generated, collected and the insight should be exploited. Following an argumentation reasoning approach for data processing and building on the theoretical background of data management, we highlight the importance of data sharing agreements (DSAs) and quality attributes for the proposed data processing mechanism. The proposed approach is taking into account the DSAs and usage policies as well as the quality attributes of the data, which were previously neglected compared to existing methods in the data processing and management field. Previous research provided techniques towards this direction; however, a more intensive research approach for processing techniques should be introduced for the future to enhance the value creation from the data and new strategies should be formed around this data generated daily from various devices and sources.
Muñoz-González L, Biggio B, Demontis A, et al., 2017, Towards Poisoning of Deep Learning Algorithms with Back-gradient Optimization., CoRR, Vol: abs/1708.08689
Muñoz-González L, Biggio B, Demontis A, et al., 2017, Towards poisoning of deep learning algorithms with back-gradient optimization, Pages: 27-38
© 2017 Association for Computing Machinery. A number of online services nowadays rely upon machine learning to extract valuable information from data collected in the wild. This exposes learning algorithms to the threat of data poisoning, i.e., a coordinate attack in which a fraction of the training data is controlled by the attacker and manipulated to subvert the learning process. To date, these attacks have been devised only against a limited class of binary learning algorithms, due to the inherent complexity of the gradient-based procedure used to optimize the poisoning points (a.k.a. adversarial training examples). In this work, we first extend the definition of poisoning attacks to multiclass problems. We then propose a novel poisoning algorithm based on the idea of back-gradient optimization, i.e., to compute the gradient of interest through automatic differentiation, while also reversing the learning procedure to drastically reduce the attack complexity. Compared to current poisoning strategies, our approach is able to target a wider class of learning algorithms, trained with gradient-based procedures, including neural networks and deep learning architectures. We empirically evaluate its effectiveness on several application examples, including spam filtering, malware detection, and handwritten digit recognition. We finally show that, similarly to adversarial test examples, adversarial training examples can also be transferred across different learning algorithms.
Munoz Gonzalez L, Lupu E, 2017, Bayesian Attack Graphs for Security Risk Assessment, IST-153 NATO Workshop on Cyber Resilience
Muñoz-González L, Sgandurra D, Paudice A, et al., 2017, Efficient Attack Graph Analysis through Approximate Inference, ACM Transactions on Privacy and Security, Vol: 20, ISSN: 2471-2566
Attack graphs provide compact representations of the attack paths an attacker can follow to compromise network resources from the analysis of network vulnerabilities and topology. These representations are a powerful tool for security risk assessment. Bayesian inference on attack graphs enables the estimation of the risk of compromise to the system's components given their vulnerabilities and interconnections, and accounts for multi-step attacks spreading through the system. Whilst static analysis considers the risk posture at rest, dynamic analysis also accounts for evidence of compromise, e.g. from SIEM software or forensic investigation. However, in this context, exact Bayesian inference techniques do not scale well. In this paper we show how Loopy Belief Propagation - an approximate inference technique - can be applied to attack graphs, and that it scales linearly in the number of nodes for both static and dynamic analysis, making such analyses viable for larger networks. We experiment with different topologies and network clustering on synthetic Bayesian attack graphs with thousands of nodes to show that the algorithm's accuracy is acceptable and that it converges to a stable solution. We compare sequential and parallel versions of Loopy Belief Propagation with exact inference techniques for both static and dynamic analysis, showing the advantages and gains of approximate inference techniques when scaling to larger attack graphs.
Illiano V, Steiner RV, Lupu EC, 2017, Unity is strength! Combining attestation and measurements inspection to handle malicious data injections in WSNs, Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) 2017, Publisher: ACM, Pages: 134-144
Aestation and measurements inspection are dierent but com-plementary approaches towards the same goal: ascertaining theintegrity of sensor nodes in wireless sensor networks. In this paperwe compare the benets and drawbacks of both techniques and seekto determine how to best combine them. However, our study showsthat no single solution exists, as each choice introduces changesin the measurements collection process, aects the aestation pro-tocol, and gives a dierent balance between the high detectionrate of aestation and the low power overhead of measurementsinspection. erefore, we propose three strategies that combinemeasurements inspection and aestation in dierent ways, and away to choose between them based on the requirements of dierentapplications. We analyse their performance both analytically andin a simulator. e results show that the combined strategies canachieve a detection rate close to aestation, in the range 96-99%,whilst keeping a power overhead close to measurements inspection,in the range 1-10%.
Cullen A, Williams B, Bertino E, et al., 2017, Mission support for drones: a policy based approach, International Workshop on Micro Aerial Vehicle Networks, Systems, and Applications (DRONET 17), Publisher: ACM, Pages: 7-12
We examine the impact of increasing autonomy on the use of airborne drones in joint operations by collaborative parties. As the degree of automation employed increases towards the level implied by the term ‘autonomous’, it becomes apparent that existing control mechanisms are insufficiently flexible. Using an architecture introduced by Bertino et al. in [1] and Verma et al. in [2], we consider the use of dynamic policy modification as a means to adjust to rapidly evolving scenarios. We show mechanisms which allow this approach to improve the effectiveness of operations without compromise to security or safety.
Karafili E, Lupu E, 2017, Enabling Data Sharing in Contextual Environments: Policy Representation and Analysis, ACM Symposium on Access Control Models and Technologies (SACMAT), Publisher: ACM, Pages: 231-238
Internet of Things environments enable us to capture more and more data about the physical environment we live in and about ourselves. The data enable us to optimise resources, personalise services and offer unprecedented insights into our lives. However, to achieve these insights data need to be shared (and sometimes sold) between organisations imposing rights and obligations upon the sharing parties and in accordance with multiple layers of sometimes conflicting legislation at international, national and organisational levels. In this work, we show how such rules can be captured in a formal representation called ``Data Sharing Agreements''. We introduce the use of abductive reasoning and argumentation based techniques to work with context dependent rules, detect inconsistencies between them, and resolve the inconsistencies by assigning priorities to the rules. We show how through the use of argumentation based techniques use-cases taken from real life application are handled flexibly addressing trade-offs between confidentiality, privacy, availability and safety.
Karafili E, Lupu E, Arunkumar S, et al., 2017, Argumentation-based policy analysis for drone systems, Dais Workshop, 2017 IEEE SmartWorld Congress, Publisher: IEEE
The use of drone systems is increasing especially in dangerous environments where manned operations are too risky. Different entities are involved in drone systems’ missions and they come along with their vast varieties of specifications. The behaviour of the system is described by its set of policies that should satisfy the requirements and specifications of the different entities and the system itself. Deciding the policies that describe the actions to be taken is not trivial, as the different requirements and specifications can lead to conflicting actions. We introduce an argumentation-based policy analysis that captures conflicts for which properties have been specified. Our solution allows different rules to take priority in different contexts. We propose a decision making process that solves the detected conflicts by using a dynamic conflict resolution based on the priorities between rules. We apply our solution to two case studies where drone systems are used for military and disaster rescue operations.
Karafili E, Kakas A, Spanoudakis N, et al., 2017, Argumentation-based security for social good, AAAI Spring Symposium 2017, AI for the Social Good, Publisher: AAAI
The increase of connectivity and the impact it has in every day life is raising new and existing security problems that are becoming important for social good. We introduce two particular problems: cyber attack attribution and regulatory data sharing. For both problems, decisions about which rules to apply, should be taken under incomplete and context dependent information. The solution we propose is based on argumentation reasoning, that isa well suited technique for implementing decision making mechanisms under conflicting and incomplete information. Our proposal permits us to identify the attacker of a cyber attack and decide the regulation rule that should be used while using and sharing data. We illustrate our solution through concrete examples.
Karafili E, Kakas AC, Spanoudakis NI, et al., 2017, Argumentation-Based Security for Social Good., Publisher: AAAI Press, Pages: 164-170
Illiano V, Muñoz-Gonzàlez L, Lupu E, 2016, Don't fool me!: Detection, Characterisation and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks, IEEE Transactions on Dependable and Secure Computing, Vol: 14, Pages: 279-293, ISSN: 1545-5971
Wireless Sensor Networks carry a high risk of being compromised, as their deployments are often unattended, physicallyaccessible and the wireless medium is difficult to secure. Malicious data injections take place when the sensed measurements aremaliciously altered to trigger wrong and potentially dangerous responses. When many sensors are compromised, they can collude witheach other to alter the measurements making such changes difficult to detect. Distinguishing between genuine and maliciousmeasurements is even more difficult when significant variations may be introduced because of events, especially if more events occursimultaneously. We propose a novel methodology based on wavelet transform to detect malicious data injections, to characterise theresponsible sensors, and to distinguish malicious interference from faulty behaviours. The results, both with simulated and realmeasurements, show that our approach is able to counteract sophisticated attacks, achieving a significant improvement overstate-of-the-art approaches.
Vieira Steiner R, Lupu EC, 2016, Attestation in Wireless Sensor Networks: a Survey, ACM Computing Surveys, Vol: 49, ISSN: 1557-7341
Attestation is a mechanism used by a trusted entity to validate the software integrity of an untrusted platform. Over the past few years, several attestation techniques have been proposed. While they all use variants of a challenge-response protocol, they make different assumptions about what an attacker can and cannot do. Thus, they propose intrinsically divergent validation approaches. We survey in this article the different approaches to attestation, focusing in particular on those aimed at Wireless Sensor Networks. We discuss the motivations, challenges, assumptions, and attacks of each approach. We then organise them into a taxonomy and discuss the state of the art, carefully analysing the advantages and disadvantages of each proposal. We also point towards the open research problems and give directions on how to address them.
Spanaki K, Adams R, Mulligan C, et al., 2016, A Research Agenda on Data Supply Chains (DSC), British Academy of Management (BAM) Conference
Competition among organizations supports initiatives and collaborative use of data whilecreating value based on the strategy and best performance of each data supply chain.Supporting this direction, and building on the theoretical background of the supply chain, wepropose the Data Supply Chain (DSC) as a novel concept to aid investigations for data-drivencollaboration impacting organizational performance. In this study we initially propose adefinition for the DSC paying particular attention to the need for collaboration for the supplychains of data. Furthermore, we develop a conceptual model of DSC collaboration couplingtheoretical background of strategy and operations literature including, the resource-basedview (RBV), supply chain management (SCM) and collaboration (SCC). Finally, we setpropositions and a future research agenda including testing and validating the model fit.
Sgandurra D, Karafili E, Lupu EC, 2016, Formalizing Threat Models for Virtualized Systems, Data and Applications Security and Privacy (DBSec 2016), Publisher: Springer International Publishing, Pages: 251-267, ISSN: 0302-9743
We propose a framework, called FATHoM (FormAlizing THreat Models), to define threat models for virtualized systems. For each component of a virtualized system, we specify a set of security properties that defines its control responsibility, its vulnerability and protection states. Relations are used to represent how assumptions made about a component’s security state restrict the assumptions that can be made on the other components. FATHoM includes a set of rules to compute the derived security states from the assumptions and the components’ relations. A further set of relations and rules is used to define how to protect the derived vulnerable components. The resulting system is then analysed, among others, for consistency of the threat model. We have developed a tool that implements FATHoM, and have validated it with use-cases adapted from the literature.
Spanaki K, Adams R, Mulligan C, et al., 2016, Data Supply Chain (DSC): development and validation of a measurement instrument, 23rd EurOMA Conference
The volume and availability of data produced and affordably stored has become animportant new resource for building organizational competitive advantage. Reflectingthis, and expanding the concept of the supply chain, we propose the Data Supply Chain(DSC) as a novel concept to aid investigations into how the interconnected datacharacteristics relate to and impact organizational performance. Initially, we define theconcept and develop a research agenda on DSC coupling theoretical background ofstrategy and operations literature. Along with the conceptualization, we develop a set ofpropositions and make suggestions for future research including testing and validatingthe model fit.
Sgandurra D, Lupu E, 2016, Evolution of attacks, threat models, and solutions for virtualized systems, ACM Computing Surveys, Vol: 48, ISSN: 1557-7341
Virtualization technology enables Cloud providers to efficiently use their computing services and resources. Even if the benefits in terms of performance, maintenance, and cost are evident, however, virtualization has also been exploited by attackers to devise new ways to compromise a system. To address these problems, research security solutions have evolved considerably over the years to cope with new attacks and threat models. In this work, we review the protection strategies proposed in the literature and show how some of the solutions have been invalidated by new attacks, or threat models, that were previously not considered. The goal is to show the evolution of the threats, and of the related security and trust assumptions, in virtualized systems that have given rise to complex threat models and the corresponding sophistication of protection strategies to deal with such attacks. We also categorize threat models, security and trust assumptions, and attacks against a virtualized system at the different layers—in particular, hardware, virtualization, OS, and application.
Illiano VP, Lupu EC, 2015, Detecting Malicious Data Injections in Wireless Sensor Networks: aSurvey, ACM Computing Surveys, Vol: 48, ISSN: 1557-7341
Wireless Sensor Networks are widely advocated to monitor environmental parameters, structural integrity of the built environment and use of urban spaces, services and utilities. However, embedded sensors are vulnerable to compromise by external actors through malware but also through their wireless and physical interfaces. Compromised sensors can be made to report false measurements with the aim to produce inappropriate and potentially dangerous responses. Such malicious data injections can be particularly difficult to detect if multiple sensors have been compromised as they could emulate plausible sensor behaviour such as failures or detection of events where none occur. This survey reviews the related work on malicious data injection in wireless sensor networks, derives general principles and a classification of approaches within this domain, compares related studies and identifies areas that require further investigation.
Illiano V, Lupu E, 2015, Detecting Malicious Data Injections in Event Detection Wireless Sensor Networks, IEEE Transactions on Network and Service Management, Vol: 12, Pages: 496-510, ISSN: 1932-4537
Wireless sensor networks (WSNs) are vulnerable and can be maliciously compromised, either physically or remotely, with potentially devastating effects. When sensor networks are used to detect the occurrence of events such as fires, intruders, or heart attacks, malicious data can be injected to create fake events, and thus trigger an undesired response, or to mask the occurrence of actual events. We propose a novel algorithm to identify malicious data injections and build measurement estimates that are resistant to several compromised sensors even when they collude in the attack. We also propose a methodology to apply this algorithm in different application contexts and evaluate its results on three different datasets drawn from distinct WSN deployments. This leads us to identify different tradeoffs in the design of such algorithms and how they are influenced by the application context.
Schaeffer-Filho A, Lupu EC, Sloman MS, 2015, Federating Policy-Driven Autonomous Systems: Interaction Specification and Management Patterns, Journal of Network and Systems Management, Vol: 23, Pages: 753-793
Ubiquitous systems and applications involve interactions between multiple autonomous entities—for example, robots in a mobile ad-hoc network collaborating to achieve a goal, communications between teams of emergency workers involved in disaster relief operations or interactions between patients’ and healthcare workers’ mobile devices. We have previously proposed the Self-Managed Cell (SMC) as an architectural pattern for managing autonomous ubiquitous systems that comprise both hardware and software components and that implement policy-based adaptation strategies. We have also shown how basic management interactions between autonomous SMCs can be realised through exchanges of notifications and policies, to effectively program management and context-aware adaptations. We present here how autonomous SMCs can be composed and federated into complex structures through the systematic composition of interaction patterns. By composing simpler abstractions as building blocks of more complex interactions it is possible to leverage commonalities across the structural, control and communication views to manage a broad variety of composite autonomous systems including peer-to-peer collaborations, federations and aggregations with varying degrees of devolution of control. Although the approach is more broadly applicable, we focus on systems where declarative policies are used to specify adaptation and on context-aware ubiquitous systems that present some degree of autonomy in the physical world, such as body sensor networks and autonomous vehicles. Finally, we present a formalisation of our model that allows a rigorous verification of the properties satisfied by the SMC interactions before policies are deployed in physical devices.
This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.