|
|
|
 |
Search published articles |
 |
|
Showing 39 results for Security
Amirhossein Pourshams, Mohammad Reza Hasani Ahangar, Mahmoud Saleh Esfahani,
Volume 8, Issue 2 (2-2020)
Abstract
Increased broadband data rate for end users and the cost of resource provisioning to an agreed SLA in telecom service providers, are forcing operators in order to adhere to employment Virtual Network Functions (VNF) in an NFV solution. The newly 5G mobile telecom technology is also based on NFV and Software Define Network (SDN) which inherit opportunities and threats of such constructs. Thus a thorough understanding of security challenges and their solutions are required to reduce security concerns while developing new services. In this article, cloud computing, NFV and its VNFs from a security perspective is explained. Then, their security challenges with respect to cloud computing infrastructure and current solutions are discussed in a comparative scenario based way. Finally, proper security solutions for each scenario are proposed.
Mr Mohamad Jari, Miss Fariba Nazari,
Volume 8, Issue 2 (2-2020)
Abstract
The purpose of this study is to identify and prioritize the effective technical and technical stress factors of information security by IT experts identified in Aghajari oil and gas Exploitation Company. The statistical population of the study consisted of 100 ICT managers and experts in Aghajari Oil and Gas Co. which directly related to the security of information in the company, 80 of them were selected as samples. In this research, the first questionnaire was designed with the aim of identifying the factors and half-openness. The second questionnaire was designed with the aim of screening the identified factors as closed and based on Likert's five-choice spectrum. Finally, a third questionnaire was designed with the aim of determining the weights and rank of each one of the factors and in a pair comparison. The necessary analysis was carried out through the software SSS, Excel, ExpressChevis and MATLAB. The results of the research led to the identification of two main factors (occupational stressors and technical stressful factors influencing information security by IT experts in Aghajari oil and gas Exploitation Company) and 14 sub factors and then their rank were determined.
Masoud Mohammadalipour, Saeed Shokrollahi,
Volume 9, Issue 1 (8-2020)
Abstract
Most networks without fixed infrastructure are based on cloud computing face various challenges. In recent years, different methods have been used to distribute software defined network to address these challenges. This technology, while having many capabilities, faces some vulnerabilities in the face of some common threats and destructive factors such as distributed Denial of Service. A review of various studies shows that in order to eliminate vulnerabilities, we need to combine appropriate defense solutions with the distributed Software Defined Network structure. Therefore, in this study, a general classification of the types of defense solutions against the above attack is presented. Then, while classifying the intrusion detection solutions into two threshold and non-threshold categories, we examined some practical examples of the above solutions. We conclude that the threshold of intrusion detection method exacerbates the vulnerability, and we are required to use non-threshold defense solutions with flat distributed software defined network architecture.
Mohammad Pishdar, Younes Seifi, Mozafar Bag-Mohammadi,
Volume 9, Issue 1 (8-2020)
Abstract
RPL (Routing Protocol for Low Power and Lossy Networks) has been designed for low power networks with high packet loss. Generally, devices with low processing power and limited memory are used in this type of network. IoT (Internet of Things) is a typical example of low power lossy networks. In this technology, objects are interconnected through a network consisted of low-power circuits. Example IoT applications are smart energy grid, smart home, connected car, intelligent transport systems, and smart cities. IoT is different from many similar technologies due to the existence of low power electronic circuits and limited connectivity. Information security is one of the main IoT concerns. The emergence of new types of security vulnerabilities in IoT devices and the escalation of their damages through numerous IoT applications is considered a major deployment drawback for RPL. In this paper, major cyberattacks against RPL, as well as related security solutions are addressed. Then, these solutions are classified and their weaknesses and strengths are investigated. Finally, it discusses the state-of-the-art status of information security in RPL.
Mr Mohammad Hossein Noorallahzadeh, Mr Ahmad Gholami, Mr Reza Alimoradi,
Volume 9, Issue 2 (2-2021)
Abstract
With the advent of cloud computing, data owners tend to submit their data to cloud servers and allow users to access data when needed. However, outsourcing sensitive data will lead to privacy issues. Encrypting data before outsourcing solves privacy issues, but in this case, we will lose the ability to search the data. Searchable encryption (SE) schemes have been proposed to achieve this feature of searching encrypted data without compromising privacy. This method will protect both the user's sensitive information and the ability to search for encrypted data. In this article, we review the various SE designs. In this review, we present the classification of SE designs: symmetric searchable encryption, public key searchable encryption, and search attribute-based encryption schemes, and then a detailed discussion of SE designs in terms of index structure. And provide search functionality. There is also a comparison of SE design analysis in terms of security, performance and security. In addition, we talked about the challenges, leading directions and applications of SE schemes.
Elnaz Katanchi, Babak Porghahramani,
Volume 9, Issue 2 (2-2021)
Abstract
The COVID-19 pandemic was a remarkable and unprecedented event that changed the lives of billions of citizens around the world and resulted in what is known as a new term in terms of social norms and lifestyles. In addition to the tremendous impact on society and business in general, the epidemic created a unique set of cybercrime circumstances that also affected society and business. Increased anxiety due to this epidemic increases the probability of success of cyber attacks by increasing the number and scope of cyber attacks. This article analyzes the COVID-19 epidemic from the perspective of cybercrime and highlights the wide range of cyberattacks experienced worldwide during the epidemic. Cyberattacks are analyzed in the context of major global events to reveal how cyberattacks work. This analysis shows how, following what appears to be a large gap between the outbreak in China and the first COVID-19-related cyberattack, attacks are steadily becoming more prevalent than in some on days, 3 or 4 unique cyber attacks were reported. This analysis uses surveys in the UK as a case study to show how cybercriminals use key events and government announcements to build and design cybercrime campaigns.
, ,
Volume 10, Issue 2 (3-2022)
Abstract
Wireless sensor networks have many applications in the real world and have been developed in various environments. But the limitations of these networks, including the limitations on the energy and processing power of the sensors, have posed many challenges to researchers. One of the major challenges is the security of these networks, and in particular the issue of authentication in the wireless sensor network. An authentication scheme in a wireless sensor network must have the following security features: anonymity, Unlink sessions, session key agreement, session key security, and perfect forward secrecy and prevent attacker’s attacks. An important feature of the authentication scheme is that by capturing the sensor, the attacker will not be able to obtain the private values of the protocol parties. Chen et al propose an authentication scheme with key agreement using wireless sensor network for an agricultural monitoring system, which claims to have security features. This articcle proves that Chen et al’s scheme is vulnerable to sensor capture attacks that Obtain session key, sensor impersonation, User anonymity violation, forward and backward secrecy violation, and sessions link. In the rest of the article, the proposed solution to improve the design of Chen et al. will be presented and the improved design will be evaluated.
Azam Mozafari , Leila Zafari, Negin Hamian,
Volume 11, Issue 1 (9-2022)
Abstract
As an economic and technical point of view, operation of without operator or unmanned substations is of interest to power industry managers, so it is an opportunity to investigate cyber security carefully at this time. In this article, while studying the importance of SCADA (Supervisory Control and Data Acquisition) centers cyber security, the cyber security requirements of two types of DCS (Distribution Control System) and traditional substations and the communication of these types of substations and the corresponding SCADA center were examined. In this article, based on the documents and standards of industrial cyber security and power industry, the security requirements of substations and their communications with the relevant centers were extracted, and these requirements were prioritized based on knowledge of the industry and the importance of existing departments and processes. In addition, due to the non-implementation of security requirements in high power substations, it was emphasized to pay attention to the cyber security considerations of this area, such as preparing security risk management documents, paying attention to personnel training and receiving security approvals.
Ali Khazaei, Hossein Homaei , Monireh Houshmand ,
Volume 11, Issue 2 (3-2023)
Abstract
Quantum dialogue is a type of quantum communication in which users can simultaneously send messages to each other. The earliest instances of quantum dialogue protocols faced security problems such as information leakage and were vulnerable to intercept and resend attacks. Therefore, several protocols have been presented that try to solve these defects. Despite these improvements, the quantum dialogue still faces some challenges. Currently, the limited number of participants and the impossibility of expanding users during the conversation are among the most important challenges of this kind of protocol. In this research, we have designed a multi-user quantum dialogue protocol that solves the mentioned challenges. The proposed protocol is a generalized type of quantum dialogue in which users can communicate simultaneously. The number of participating users is not limited and can be changed dynamically (i.e. without the need to restart the protocol). It means that, during the execution of the protocol, a user can leave the conversation, or a new user can join it. Communication between users is established through a central semi-trusted server. The investigations show that the proposed protocol does not have information leakage. In other words, no unauthorized entity (not even the intermediate server) can access the raw data exchanged between users.
Sara Moqimi , Mohammad Ali Hadavi,
Volume 11, Issue 2 (3-2023)
Abstract
How to exploit vulnerabilities and their damage potentials are mainly affected by the capability of attackers. The more powerful the attacker, the greater risk of threats and vulnerabilities. Therefore, the security analysis of a web application and choosing risk mitigation countermeasures depend on the ability of the attackers threaten the application. Focusing on SQL injection attacks, this paper is aimed at modeling the attacker’s capability to be further used for appropriate security evaluation and choosing cost-effective security controls. We model the attacker’s capability with the triple ⟨Type, Technique, Entry_Point⟩. The value in each component of the triple is obtained from the payloads through which the attacker tries to exploit the injection vulnerabilities. The Type represents the injection type, including a known set of injection attack types namely, Error_based, Union_based, Boolean_based_Blind and etc. The Technique represents the techniques, which are used by the attacker during the attack, e.g. using Special Character, using UNION, using Complex Query, using Encoding and etc. Finally, the Entry_Point represents the set of known injection entry points including GET/POST method, Http_Variables, Frequenc_based_Primary_Application and etc. This model is used for leveling and comparing the attacker’s capabilities as well as for leveling the security of a web application with respect to the level of the attacker who is able to compromise the web application. The results of the experimental evaluation show that the proposed model can be used to determine the attacker’s capability level. The model can be simply extended to adopt other security vulnerabilities attacks.
Dr Somayeh Dolatnezhad Samarin, Dr Morteza Amini,
Volume 12, Issue 1 (9-2023)
Abstract
In recent years, one of the main topics of interest in the security of outsource computations is checking the integrity of the results received from the outsourced computations. Outsourced computations can be run on data received from single or multiple data sources. There are a few methods proposed for system models with distributed data sources. The main solutions provided in this area to verify the correctness of the execution of any or some special functions such as linear, polynomial or aggregate functions are categorised to: (1) verifiable computations, (2) homomorphic authenticators, and (3) methods proposed for specific applications such as outsourced databases, wireless sensor networks and data stream management systems. In this paper, these methods, especially the methods proposed for outsourced computations in data stream management systems, have been reviewed and compared.
Amin Hosseingholizadeh, Farhad Rahmati, Mohammad Ali,
Volume 12, Issue 1 (9-2023)
Abstract
With the emergence of new phenomena in the telecommunications and information technology fields, such as cloud computing and smart networks, we are witnessing new challenges in these areas. One of the most significant challenges is the privacy of outsourced data. Due to the limited processing power of new intelligent devices such as tablets and mobile phones, outsourcing computations to these platforms has gained more attention from users. In addition to data privacy, the security of algorithms used in online software is also of great importance. Therefore, software providers may be concerned about the disclosure of their algorithms after outsourcing them to cloud environments. Existing homomorphic encryption systems can provide privacy for data that needs to be processed online. However, the concurrent privacy of algorithms in these systems has not been addressed. To address this, we introduce a simultaneous homomorphic encryption of data and function called SHDF. This system can homomorphically encrypt all algorithms used in the software and the data to be processed on them, enabling necessary computations to be performed on an insecure server. Furthermore, we show that the proposed system is provably secure. Our implementation results indicate that it is usable in cloud environments with the desired efficiency.
Mr. Nasser Zarbi, Dr Ali Zaeembashi, Dr Nasour Bagheri,
Volume 12, Issue 1 (9-2023)
Abstract
Leakage-resilient cryptography aims to design key exchange protocols to withstand leakage attacks. These protocols are examined using a leakage-resilient security model to determine whether they possess the claimed security properties. The security analysis focuses on how the leakage-resilient security model has evolved to meet increasing security requirements and cover a broader range of attacks. By studying and analyzing the presented security properties of these models, potential vulnerabilities in protocol design can be effectively addressed. This article delves into various leakage-resilient security models based on two models, CK and eCK, and provides examples of secure key exchange protocols defined within these models. Additionally, it explores the relationship between adversaries' capabilities in these models and different attack schemes in the real world. By offering insights into various leakage-resilient security models, leakage attacks, and the development of secure protocols, it contributes to advancing knowledge in this field.
Mohammad Dakhilalian, Masomeh Safkhani, Fatemeh Pirmoradian,
Volume 12, Issue 1 (9-2023)
Abstract
Providing all remote services requires mutual authentication of participating parties. The framework by which this authentication is done is called authentication protocols. In other words, cryptographic or cryptographic protocol is a distributed cryptographic algorithm that establishes interactions between at least two or more hosts with a specific purpose. In fact, these protocols have provided secure and insecure channels for communication between the parties participating in the protocol. Usually, secure channels are used for registration and insecure channels for mutual authentication. After registering on the server and verifying its identity by the server, the user can benefit from the services provided by the server. Many authentication protocols have been proposed in fields such as e-medical care, Internet of Things, cloud computing, etc. The privacy and anonymity of users in these plans is the biggest challenge in implementing a platform to benefit from remote services. Due to the fact that authentication of users takes place on the insecure platform of the Internet, it can be vulnerable to all existing Internet attacks. In general, there are two methods to analyze and prove the security of authentication protocols. Formal method and In-formal method. The In-formal method, which is based on intuitive arguments, analyst's creativity and mathematical concepts, tries to find errors and prove security. While the formal method, which is done both manually and automatically, has used a variety of mathematical logics and automatic security analysis tools. Manual method using mathematical models such as Real Or Random and mathematical logics such as BAN logic, GNY logic, etc., and automatic method using AVISPA, Scyther, ProVerif, TAMARIN, etc. tools. In fact, the methods of proving and analyzing the security of security protocols are divided into two general categories based on proof of theorem and model verification, and in this article, the details of each of these methods of proving security are explained. It should be noted that most of the security protocol verification tools are based on model verification. The methods based on model checking and then the methods based on proving the theorem are described.
Ahmad Rahdari, Mohammad Hesam Tadayon,
Volume 12, Issue 2 (2-2024)
Abstract
Cyber security education in Iran is not aligned with global standards and approaches, and three factors, the educational sector, training applicants and stakeholders, and companies do not have proper knowledge of the required specializations and work roles. Different specializations in cyber security work fields in Iran do not match the international standard puzzles and this has created security holes in the country's cyber ecosystem. People working in cyberspace need a combination of domain-specific knowledge, skills, abilities, and other expertise to be as reliable and resilient as the technologies they work with.
At the international level, several frameworks have been designed and implemented for the training and employment of cybersecurity professionals. The most important of which are the US National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, the European Cybersecurity Skills Framework (ECSF), and the Australian Signals Directorate (ASD) Cyber Skills Framework. In this paper, each of these frameworks is briefly introduced and their key features, including purpose, structure, and components, are reviewed and analyzed. In addition, their effectiveness in handling global organizations' challenges in creating and developing cybersecurity expert human resources is evaluated and analyzed critically. This review highlights the strengths and weaknesses of each framework, shows the propinquity of one of the frameworks to Iran's educational and labor markets, and provides recommendations for designing a national framework for training and employing cybersecurity professionals, which can be a great lesson for the country to ensure that the necessary measures are taken as soon as possible by those in charge.
Zahra Jafari, Sahar Palimi, Mohamadamin Sabaei, Rahman Hajian, Hossein Erfani,
Volume 12, Issue 2 (2-2024)
Abstract
In the Internet of Things (IoT) environment, security and privacy are paramount concerns for critical applications. The LoRa protocol efficiently enables long-range communication for resource-constrained end devices in LoRaWAN networks. To foster technology adoption and user trust, safeguarding the data collected by end devices is essential. Authentication and key agreement protocols play a pivotal role in achieving this goal. Here, we introduce a novel scheme for authentication and key exchange in LoRaWAN, enabling mutual authentication among participants. This scheme empowers users/end devices and network servers to establish secure end-to-end session keys without unconditional trust. We assess the scheme's security informally and provide formal verification using AVISPA tools and the BAN logic. Furthermore, we compare it to existing authentication schemes, demonstrating its efficiency in terms of computational and communication overhead.
Dr Saeed Banaeian Far, Dr Maryam Rajabzadeh Asaar,
Volume 13, Issue 1 (8-2024)
Abstract
Data outsourcing to reliable centers for data maintenance, protection and accessibility is simple and low-cost and does not require physical infrastructure, hardware, software and human resources. However, real-world events and recent researches have shown that even reliable centers can abuse users' trust. For example, 1) make changes in the data they have, 2) delete them, or 3) make them temporarily/permanently unavailable. Data audit methods assure the data owners that the data recorded in the database is the same as the data sent by the user and reveals the changes made in it. But they only solve the first problem. In 2008, the introduction of a technology called blockchain, which had several attractive features such as transparency, immutability, and autonomy, caused the problems of many systems that needed the mentioned features to be solved. In this article, after reviewing and addressing several blockchain-based data auditing architectures and protocols, we review and analyze their general framework. Finally, we compare the reviewed works and specify some future horizons of this field.
Nasrin Taaj, Amir Mansour Yadegari, Abouzar Arabsorkhi, Reza Kalantari,
Volume 13, Issue 1 (8-2024)
Abstract
The development of the country's infrastructure as an independent, safe and stable infrastructure is one of the strategic priorities of the country, the realization of which, in addition to the technological requirements in the field of information and communication technology, laying the foundation for the establishment, development and supply of various services and content of the country's cyber space, requires the provision of secure communications. And the vital infrastructure of the country is also stable.
Based on the conceptual model contained in the resolution of the 66th meeting of the Supreme Council of Cyberspace, the communication and information infrastructure of the country consists of a series of main modules, whose risk analysis is in line with the reversibility in accidents, protection against threats, monitoring and intelligent response from the basic needs of communication access. It is safe and secure. Due to the space limitations of this article, the author intends to explain how to achieve multi-sample risk analysis from these basic modules and then based on the results, how to exploit the emerging knowledge in the form of a diagram to identify the type of threat and its source and extract Explain the mentioned preventive requirements.
Ghodsieh Karimi , Morteza Adeli, Mohammad Ali Hadavi,
Volume 13, Issue 2 (12-2024)
Abstract
With the increasing use of RFID tags, there is a need for specific protocols to communicate with these tags. Among these protocols, the ownership transfer stands out as it ensures the security and privacy of objects for the new owner after a change of ownership. Recently, a lightweight object ownership transfer protocol has been proposed for RFID networks. This protocol utilizes a lightweight linear function for security. The designers of the protocol claim that it is secure against known attacks while also being lightweight. In this paper, we identify vulnerabilities in the function used in this protocol and demonstrate that it is susceptible to the secret disclosure attack. We show that with at most 4 × L executions of the protocol (where L is the key length), one can obtain the necessary information from intercepted data to execute the attack and subsequently recover the shared keys used in the protocol.
Farnoosh Karimi, Behrouz Tork Ladani, Behrouz Shahgholi Ghahfarokhi,
Volume 13, Issue 2 (12-2024)
Abstract
As the intensity of global cybersecurity threats continues to rise, the need for training security professionals has gained greater significance. Educational programs, complemented by laboratories and the execution of cybersecurity exercises, play a fundamental role in enhancing both offensive and defensive capabilities. The execution of such exercises is particularly crucial in operational networks, where testing cyberattacks may not be feasible. Cyber ranges offer an appropriate platform for conducting these exercises. A primary challenge in cybersecurity education is aligning training programs with the diverse skill levels of learners. Adaptive learning, powered by artificial intelligence and recommendation systems, can provide an effective solution for delivering personalized instruction. This study focuses on the KYPO Cyber Range to examine the potential of substituting or augmenting the role of the instructor with an AI-based recommendation agent. The objective of this research is to minimize human intervention and improve the efficiency of the training process. To this end, data collected from the KYPO Cyber Range, developed by Masaryk University, has been utilized, and various machine learning models have been applied to automate and optimize the training process. The results of this research indicate that the integration of artificial intelligence can enhance the performance of educational systems and reduce evaluation time.
|
|
