Summary
Billions of Internet of Things (IoT) devices are expected to populate our environments and provide novel pervasive services by interconnecting the physical and digital world. However, the ...increased connectivity of everyday objects can open manifold security vectors for cybercriminals to perform malicious attacks. These threats are even augmented by the resource constraints and heterogeneity of low‐cost IoT devices, which make current host‐based and static perimeter‐oriented defense mechanisms unsuitable for dynamic IoT environments. Accounting for all these considerations, we reckon that the novel softwarization capabilities of Telco network can fully leverage its privileged position to provide the desired levels of security. To this aim, the emerging software‐defined networking (SDN) and network function virtualization (NFV) paradigms can introduce new security enablers able to increase the level of IoT systems protection. In this paper, we design a novel policy‐based framework aiming to exploit SDN/NFV‐based security features, by efficiently coupling with existing IoT security approaches. A proof of concept test bed has been developed to assess the feasibility of the proposed architecture. The presented performance evaluation illustrates the benefits of adopting SDN security mechanisms in integrated IoT environments and provides interesting insights in the policy enforcement process to drive future research.
The paper defines a novel policy‐based framework aiming to exploit SDN/NFV‐based security features, by efficiently coupling with existing IoT security approaches.
The security framework has been partially implemented and evaluated, validating the feasibility of the proposed policy translation and refinement processes, from high‐level security policies to low‐level configurations, deployed through Security Orchestrator in SDN/NFV enabled IoT networks.
The performance assessment and comparison using ONOS, ODL, and legacy solutions has highlighted the benefits of enforcing SDN‐based security countermeasures with respect to conventional approaches.
Computer security incident response teams typically rely on threat intelligence platforms for information about sightings of cyber threat events and indicators of compromise. Other security building ...blocks, such as Network Intrusion Detection Systems, can leverage the information to prevent malicious adversaries from spreading malware across critical infrastructures. The effectiveness of threat intelligence platforms heavily depends on the willingness to share among organizations and the responsible use of sensitive information that may potentially harm the reputation of the reporting organization. The challenge that we address is the lack of trust in the source providing the threat intelligence and the information itself. We enhance our security framework TATIS—offering fine-grained protection for threat intelligence platform APIs—with distributed ledger capabilities to enable reliable and trustworthy threat intelligence sharing with the ability to audit the provenance of threat intelligence. We have implemented and evaluated the feasibility of our distributed framework on top of the Malware Information Sharing Platform (MISP) solution, and we evaluate the performance impact using real-world open-source threat intelligence feeds.
The pervasive nature of the Internet of Things (IoT) entails additional threats that compromise the security and privacy of IoT devices and, eventually, the users. This issue is aggravated in ...constrained IoT devices equipped with minimal hardware resources. Current security and privacy implementations need to be redesigned and implemented maintaining its level of assurance, aiming for this family of devices. To cope with this issue, this paper proposes the first novel attempt to leverage anonymous credential systems (ACSs) to preserve the privacy of autonomous IoT constrained devices. Concretely, we have designed a solution to integrate IBM's identity mixer into constrained IoT ecosystems, endowing the IoT with ACSs' privacy-preserving capabilities. The solution has been designed, implemented, and evaluated, proving its feasibility.
As the Internet of Things evolves, citizens are starting to change the way they share information and communicate with their surrounding environment, enabling a constant, invisible and sometimes ...unintended information exchange. This trend raises new challenges regarding user’s privacy and personal consent about the disclosure of personal data that must be addressed by flexible and scalable mechanisms. Towards this end, this work introduces the concept of bubble, as a coalition or group of smart objects that can be created according to the relationship between their owners. The proposed approach is based on the use of attribute-based encryption to protect the associated data according to users’ preferences, and FI-WARE components for deployment purposes. As a scenario example, the solution is integrated with a radio localization system, in order to protect location data in the context of smart buildings. Finally, this work provides implementation details about the required components, as well as their evaluation on real smart environment scenarios.
The distribution of Internet of Things (IoT) devices in remote areas and the need for network resilience in such deployments is increasingly important in smart spaces covering scenarios, such as ...agriculture, forest, coast preservation, and connectivity survival against disasters. Although Low-Power Wide Area Network (LPWAN) technologies, like LoRa, support high connectivity ranges, communication paths can suffer from obstruction due to orography or buildings, and large areas are still difficult to cover with wired gateways, due to the lack of network or power infrastructure. The proposal presented herein proposes to mount LPWAN gateways in drones in order to generate airborne network segments providing enhanced connectivity to sensor nodes wherever needed. Our LoRa-drone gateways can be used either to collect data and then report them to the back-office directly, or store-carry-and-forward data until a proper communication link with the infrastructure network is available. The proposed architecture relies on Multi-Access Edge Computing (MEC) capabilities to host a virtualization platform on-board the drone, aiming at providing an intermediate processing layer that runs Virtualized Networking Functions (VNF). This way, both preprocessing or intelligent analytics can be locally performed, saving communications and memory resources. The contribution includes a system architecture that has been successfully validated through experimentation with a real test-bed and comprehensively evaluated through computer simulation. The results show significant communication improvements employing LoRa-drone gateways when compared to traditional fixed LoRa deployments in terms of link availability and covered areas, especially in vast monitored extensions, or at points with difficult access, such as rugged zones.
As Cloud Computing evolves, both customers and Cloud Service Providers are starting to require Intercloud scenarios where different clouds have to interact each other. Although there are some initial ...proposals to manage the Intercloud, there are still few approaches dealing with the associated new security and trust challenges in such a federated environment. To fill this gap, this paper presents SOFIC (Security Ontology For the InterCloud) aimed to formally describe the security aspects that are subject to be modeled in an Intercloud security assessment. SOFIC is based on standards and has been tailored extensible to cope with the security requirements of different Intercloud scenarios. The paper also shows in which way the ontology is used as input for a Trust and Security Decision Support System, in order to assist in the Intercloud security decision making process, quantifying security expectations and trustworthiness about Cloud Service Providers. The implementation, experiments and performance evaluation show the feasibility of the proposed ontology and system.
The increase in the interconnection of physical devices and the emergence of the 5 G paradigm foster the generation and distribution of massive amounts of data. The complexity associated with the ...management of these data requires a suitable access control approach that empowers citizens to control how their data are shared, so potential privacy issues can be mitigated. While well-known access control models are widely used in web and cloud scenarios, the IoT ecosystem needs to address the requirements of lightness, decentralization, and scalability to control the access to data generated by a huge number of heterogeneous devices. This work proposes CapBlock, a design that integrates a capability-based access control model and blockchain technology for a fully distributed evaluation of authorization policies and generation of access credentials using smart contracts. CapBlock is intended to manage the access to information in federated IoT environments where data need to be managed through access control policies defined by different data providers. The feasibility of CapBlock has been successfully evaluated in the scope of the EU research project IoTCrawler, which aims at building a secure search engine for IoT data in large-scale scenarios.
We review and analyze the major security features and concerns in deploying modern commodity operating systems such as Windows 7 and Linux 2.6.38 in a cloud computing environment. We identify the ...security weaknesses and open challenges of these two operating systems when deployed in the cloud environment. In particular, we examine and compare various operating system security features which are critical in providing a secure cloud. These security features include authentication, authorization and access control, physical memory protection, privacy and encryption of stored data, network access and firewalling capabilities, and virtual memory.
The increasing user awareness and regulatory framework (e.g., GDPR, eIDAS2) have contributed to considering data minimization and privacy-by-design as central guiding principles for new systems. ...Among others, this has led to a paradigm shift towards Self-Sovereign Identity solutions to put the user in full control over their data. Despite the promising landscape, privacy-preserving Attribute-Based Credentials (p-ABC) have not been widely adopted, mainly due to the lack of secure, flexible and efficient implementations that cover the basic and advanced needs in p-ABC systems. In this work, we tackle this gap by developing an improved zero-knowledge showing protocol of a distributed p-ABC scheme based on Pointcheval–Sanders Multi-Signatures to allow for modular extensions through commit-and-prove techniques. We use it to implement a flexible p-ABC system with decentralized issuance that, apart from the basic notions of p-ABCs, covers range proofs, pseudonyms, inspection and revocation. Lastly, we thoroughly evaluate the performance of the system under different testbed conditions, showing a significant efficiency improvement over previous implementations.