Toward an energy efficient PKC-based key management system for wireless sensor networks
Volume 6, Issue 1, January 2014, Pages 53-66
https://doi.org/10.22042/isecure.2014.6.1.5
H. Ghasemzadeh, A. Payandeh, M. R. Aref
Abstract Due to wireless nature and hostile environment, providing of security is a critical and vital task in wireless sensor networks (WSNs). It is known that key management is an integral part of a secure network. Unfortunately, in most of the previous methods, security is compromised in favor of reducing energy consumption. Consequently, they lack perfect resilience and are not fit for applications with high security demands. In this paper, a novel method is proposed to improve the security of key management system based on broadcast messages from the base station. Another problem with WSNs is the cryptographic materials (such as private keys) stored in dead nodes. Adversaries may exploit these nodes to mount more effective attacks. Any secure key management system should also address this problem. It is argued that in the proposed method keying materials of dead nodes lose their validity, and therefore are of no use for an adversary. Finally, it is shown through simulation that the proposed method is almost three times more energy-efficient than conventional certificate-based key management systems.
Self authentication path insertion in FPGA-based design flow for tamper-resistant purpose
Volume 8, Issue 1, January 2016, Pages 53-60
https://doi.org/10.22042/isecure.2016.8.1.3
Sh. Zamanzadeh, A. Jahanian
Abstract FPGA platforms have been widely used in many modern digital applications due to their low prototyping cost, short time-to-market and flexibility. Field-programmability of FPGA bitstream has made it as a flexible and easy-to-use platform. However, access to bitstream degraded the security of FPGA IPs because there is no efficient method to authenticate the originality of bitstream by the FPGA programmer. The issue of secure transmission of configuration information to the FPGAs is of paramount importance to both users and IP providers. In this paper we presented a "Self Authentication" methodology in which the originality of sub-components in bitstream is authenticated in parallel with the intrinsic operation of the design. In the case of discovering violation, the normal data flow is obfuscated and the circuit would be locked. Experimental results show that this methodology considerably improves the IP security against malicious updates with reasonable overheads.
A Privacy Preserving Mutual Authentication Scheme Suitable for IoT-Based Medical Systems
Volume 14, Issue 1, January 2022, Pages 57-68
https://doi.org/10.22042/isecure.2021.183936.463
Mahdieh Ebrahimi, Majid Bayat, Behnam Zahednejad
Abstract The medical system remains among the fastest to adopt the Internet of Things. The reason for this trend is that integrating Internet of Things (IoT) features into medical devices greatly improves the quality and effectiveness of service. However, there are many unsolved security problems. Because medical information is critical and important, authentication between users and medical servers is an essential issue.
Recently, Park et al. proposed an authentication scheme using Shamir's threshold technique for IoT-based medical information system and claimed that their scheme satisfies all security requirements and is immune to various types of attacks. However, in this paper, we show that Park et al.'s scheme does not achieve user anonymity, forward security, and mutual authentication and it is not resistant to the DoS attacks and then we introduce an improved mutual authentication scheme based on Elliptic Curve Cryptography (ECC) and Shamir's secret sharing for IoT-based medical information system.
In this paper, we formally analyze the security properties of our scheme via the ProVerif. Moreover, we compare our proposed scheme with other related schemes in terms of security and performance.
An Efficient Pairing-Free Identity Based Proxy Blind Signature Scheme with Message Recovery
Volume 13, Issue 1, January 2021, Pages 59-72
https://doi.org/10.22042/isecure.2020.208473.495
Salome James, Gowri Thumbur, P. Vasudeva Reddy
Abstract In recent years, due to their potential applications, proxy blind signatures became an active research topic and are an extension of the basic proxy signature. A proxy blind signature scheme enables a proxy signer to produce a blind signature on behalf of an original signer. Such schemes are useful in many practical applications such as e-commerce, e-voting, e-tendering systems. Many proxy blind signature schemes have been proposed in the literature. In order to improve the efficiency and to adopt resource constrained devices, in this paper, we propose a pairing free ID-based proxy blind signature scheme with message recovery. The proposed scheme is proven secure against the random oracle model under the hardness assumption of the elliptic curve discrete logarithm problem. We compare our scheme with the other proxy blind signature schemes. The efficiency analysis shows that our scheme is more efficient in terms of computational and communicational point of view. Also due to the message recovery property, our scheme can be deployed easily in low band width devices.
A Decentralized Task Validation Protocol for Blockchain-Based Crowdsourcing Using Smart Contracts
Volume 18, Issue 1, January 2026, Pages 61-90
https://doi.org/10.22042/isecure.2025.521116.1224
Mohammad Alipour Shahraki, Fakhroddin Noorbehbahani
Abstract Ensuring fair task validation and reward distribution remains a significant challenge in decentralized crowdsourcing systems. Existing platforms often suffer from malicious evaluations, unfair compensation, central points of failure, and limited transparency. In this work, we propose a fully decentralized crowdsourcing protocol built on blockchain technology and smart contracts to address these issues. Our system introduces a validator-based task evaluation process and ensures secure and private task handling through encryption and decentralized IPFS storage. Participants interact through smart contracts, which manage task assignment, output verification, and automated reward distribution. To promote fairness, we employ a reward allocation strategy based on the actual contribution of each participant. The proposed system addresses critical crowdsourcing challenges including malicious or biased evaluations, Sybil attacks, collusion, single points of failure, lack of revision mechanisms, and excessive transaction costs. Experimental results show that our smart contracts are executed with low cost (total deployment cost of 0.0511 ETH, with function calls as low as 47,878 gas units). The system sustains reliable operation and maintains integrity even when adversarial validators control up to 49% of the total reputation.
DyVSoR: dynamic malware detection based on extracting patterns from value sets of registers
Volume 5, Issue 1, January 2013, Pages 71-82
https://doi.org/10.22042/isecure.2013.5.1.5
M. Ghiasi, A. Sami, Z. Salehi
Abstract To control the exponential growth of malware files, security analysts pursue dynamic approaches that automatically identify and analyze malicious software samples. Obfuscation and polymorphism employed by malware make it difficult for signature-based systems to detect sophisticated malware files. The dynamic analysis or run-time behavior provides a better technique to identify the threat. In this paper, a dynamic approach is proposed in order to extract features from binaries. The run-time behavior of the binary files was found and recorded using a homemade tool that provides a controlled environment. The approach based on DyVSoR assumes that the run-time behavior of each binary can be represented by the values of registers. A method to compute the similarity between two binaries based on the value sets of the registers is presented. Hence, the values are traced before and after invoked API calls in each binary and mapped to some vectors. To detect an unknown file, it is enough to compare it with dataset binaries by computing the distance between registers, content of this file and all binaries. This method could detect malicious samples with 96.1% accuracy and 4% false positive rate. The list of execution traces and the dataset are reachable at: http://home.shirazu.ac.ir/~sami/malware
Highly Efficient and Revocable CP-ABE with Outsourcing Decryption for IoT
Volume 15, Issue 1, January 2023, Pages 97-110
https://doi.org/10.22042/isecure.2022.321360.738
Sina Abdollahi, Javad Mohajeri, Mahmoud Salmasizadeh
Abstract Ciphertext-policy attribute-based encryption (CP-ABE) is considered a promising solution for secure data sharing in the cloud environment. Although very well expressiveness in ABE constructions can be achieved using a linear secret sharing scheme (LSSS), there is a significant drawback in such constructions. In the LSSS-based ABE constructions, the number of heavy pairing operations increases with an increase in the number of required attributes in the decryption. In this paper, we propose an LSSS-based CP-ABE scheme with a fixed number of pairings (four pairings) during the decryption process. In our scheme increasing the number of required attributes in the decryption does not affect the number of pairings. The simulation shows that our scheme has significant advantages in the encryption and the decryption processes compared to previous schemes. In addition, we use the outsourcing method in the decryption to get better performance on the user side. The main burden of decryption computations is done by the cloud without revealing any information about the plaintext. Furthermore, in our revocation method, the users’ communication channels are not used during the revocation process. All of these features make our scheme suitable for applications such as IoT. The proposed scheme is selectively CPA-secure in the standard model.
F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management
Volume 12, Issue 2, July 2020, Pages 113-128
https://doi.org/10.22042/isecure.2020.167450.453
Mahsa Nooribakhsh, Mahdi Mollamotalebi
Abstract Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories as Volumetric attacks, Protocol attacks and Application attacks. The volumetric attack, which the proposed method attempts to detect, is the most common type of DDoS attacks. The aim of this paper is to reduce the delay of real-time detection of DDoS attacks utilizing hybrid structures based on data stream algorithms. The proposed data structure (BHM) improves the data storing mechanism presented in STONE method and consequently reduces the detection time. STONE characterizes regular network traffic of a service by aggregating it into common prefixes of IP addresses, and detecting attacks when the aggregated traffic deviates from the regular one. In BHM, history refers to the output traffic information obtained from each monitoring period to form a reference profile. The reference profile is created by employing historical information and only includes normal traffic information. The delay of DDoS attack detection increases in STONE due to long-time intervals between each monitoring period. The proposed method (F-STONE) has been compared to STONE based on attack detection time, Expected Profile Update Time (EPUT), and rate of attack detection. The evaluation results indicated significant improvements in terms of the EPUT, acceleration of attack detection and reduction of false positive rate.
On the Security of O-PSI: A Delegated Private Set Intersection on Outsourced Datasets (Extended Version)
Volume 10, Issue 2, July 2018, Pages 117-127
https://doi.org/10.22042/isecure.2018.120860.410
M. Mahdavi Oliaee, M. Delavar, M.H. Ameri, J. Mohajeri, M.R. Aref
Abstract In recent years, determining the common information privately and efficiently between two mutually mistrusting parties has become an important issue in social networks. Many Private Set Intersection (PSI) protocols have been introduced to address this issue. By applying these protocols, two parties can compute the intersection between their sets without disclosing any information about components that are not in the intersection. Due to the broad range of computational resources that the cloud can provide for its users, determining the set intersection by cloud may decrease the computational cost of the users. The proposed protocols by Abadi et al. are two protocols in this context. In this paper, we show that their protocols are vulnerable to eavesdropping attack. Also, a solution is proposed to secure the protocol against mentioned attack. Moreover, we analyze the performance of both O-PSI and modified O-PSI protocols and show that our scheme is comparable with the O-PSI protocol. Actually, one trivial solution for the Abadi et al.’s proposed schemes is to use a secure channel like TLS. However, in the performance evaluation, we compare our applied modification with this trivial solution, and show that our proposed modification is more efficient as some extra encryptions imposed by TLS are no longer required.
Detection of perturbed quantization (PQ) steganography based on empirical matrix
Volume 2, Issue 2, July 2010, Pages 119-128
https://doi.org/10.22042/isecure.2015.2.2.5
M. Abolghasemi, H. Aghaeinia, K. Faez
Abstract Perturbed Quantization (PQ) steganography scheme is almost undetectable with the current steganalysis methods. We present a new steganalysis method for detection of this data hiding algorithm. We show that the PQ method distorts the dependencies of DCT coefficient values; especially changes much lower than significant bit planes. For steganalysis of PQ, we propose features extraction from the empirical matrix. The proposed features can be exploited within an empirical matrix of DCT coefficients which some most significant bit planes were deleted. We obtain four empirical matrices and fuse resulted features from these matrices which have been employed for steganalysis. This technique can detect PQ embedding on stego images with 77 percent detection accuracy on mixed embedding rates between 0.05-0.4 bits per non-zero DCT AC coefficients (BPNZC). Comparing the results, we also show that the detection rates are effectively comparable with respect to current steganalysis techniques for PQ steganography.
Separating indexes from data: a distributed scheme for secure database outsourcing
Volume 3, Issue 2, July 2011, Pages 121-133
https://doi.org/10.22042/isecure.2015.3.2.5
S. Soltani, M. A. Hadavi, R. Jalili
Abstract Database outsourcing is an idea to eliminate the burden of database management from organizations. Since data is a critical asset of organizations, preserving its privacy from outside adversary and untrusted server should be warranted. In this paper, we present a distributed scheme based on storing shares of data on different servers and separating indexes from data on a distinct server. Shamir's secret sharing scheme is used for distributing data to data share servers. A B+-tree index on the order preserved encrypted values for each searchable attribute is stored in the index server. To process a query, the client receives responses including record numbers from the index server and asks these records from data share servers. The final result is computed by the client using data shares. While the proposed approach is secure against different database attacks, it supports exact match, range, aggregation, and pattern matching queries efficiently. Simulation results show the prominence of our approach in comparison with the bucketing scheme as it imposes lower computation and communication costs on the client.
An efficient blind signature scheme based on the elliptic curve discrete logarithm problem
Volume 1, Issue 2, July 2009, Pages 125-131
https://doi.org/10.22042/isecure.2015.1.2.5
M. Nikooghadam, A. Zakerolhosseini
Abstract Elliptic Curve Cryptosystems (ECC) have recently received significant attention by researchers due to their high performance such as low computational cost and small key size. In this paper a novel untraceable blind signature scheme is presented. Since the security of proposed method is based on difficulty of solving discrete logarithm over an elliptic curve, performance of the proposed scheme is quite commendable in comparison with the previous work in terms of security and time complexity.
Real-Time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Volume 4, Issue 2, July 2012, Pages 125-136
https://doi.org/10.22042/isecure.2013.4.2.4
Z. Zali, M. R. Hashemi, H. Saidi
Abstract Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in practice. To provide a picture of the current intrusive activity on the network, we need a real-time alert correlation. Most causal methods can be deployed offline but not in real-time due to time and memory limitations. In the proposed method, the knowledge base of the attack patterns is represented in a graph model called the Causal Relations Graph. In the offline mode, we construct Queue trees related to alerts' probable correlations. In the real-time mode, for each received alert, we can find its correlations with previously received alerts by performing a search only in the corresponding tree. Therefore, the processing time of each alert decreases significantly. In addition, the proposed method is immune to deliberately slowed attacks. To verify the proposed method, it was implemented and tested using DARPA2000 dataset. Experimental results show the correctness of the proposed alert correlation and its efficiency with respect to the running time.
Cryptanalysis of some first round CAESAR candidates
Volume 7, Issue 2, July 2015, Pages 127-134
https://doi.org/10.22042/isecure.2016.7.2.5
J. Alizadeh, M. R. Aref, N. Bagheri, H. Sadeghi
Abstract AES-CMCCv₁, AVALANCHEv₁, CLOCv₁, and SILCv₁ are four candidates of the first round of CAESAR. CLOCv₁ is presented in FSE 2014 and SILCv₁ is designed upon it with the aim of optimizing the hardware implementation cost. In this paper, structural weaknesses of these candidates are studied. We present distinguishing attacks against AES-CMCCv₁ with the complexity of two queries and the success probability of almost 1, and distinguishing attacks on CLOCv₁ and SILCv₁ with the complexity of $O(2^{n/2})$ queries and the success probability of 0.63, in which n is bit length of message blocks. In addition, a forgery attack is presented against AVALANCHEv₁ which requires only one query and has the success probability of 1. The attacks reveal weaknesses in the structure of these first round candidates and inaccuracy of their security claims.
Optimum decoder for multiplicative spread spectrum image watermarking with Laplacian modeling
Volume 8, Issue 2, July 2016, Pages 131-139
https://doi.org/10.22042/isecure.2016.8.2.4
N. Zarmehi, M. R. Aref
Abstract This paper investigates the multiplicative spread spectrum watermarking method for the image. The information bit is spread into middle-frequency Discrete Cosine Transform (DCT) coefficients of each block of an image using a generated pseudo-random sequence. Unlike the conventional signal modeling, we suppose that both signal and noise are distributed with Laplacian distribution, because the sample loss of digital media can be better modeled with this distribution than the Gaussian one. We derive the optimum decoder for the proposed embedding method thanks to the maximum likelihood decoding scheme. We also analyze our watermarking system in the presence of noise and provide analytical evaluations and several simulations. The results show that it has the suitable performance and transparency required for watermarking applications.
Cipher text only attack on speech time scrambling systems using correction of audio spectrogram
Volume 9, Issue 2, July 2017, Pages 131-145
H. Ghasemzadeh, M. Tajik Khasss, H. Mehrara
Abstract Recently permutation multimedia ciphers were broken in a chosen-plaintext scenario. That attack models a very resourceful adversary which may not always be the case. To show insecurity of these ciphers, we present a cipher-text only attack on speech permutation ciphers. We show inherent redundancies of speech can pave the path for a successful cipher-text only attack. To that end, regularities of speech are extracted in time and frequency using short time Fourier transform. We show that spectrograms of cipher-texts are in fact scrambled puzzles. Then, different techniques including estimation, image processing, and graph theory are fused together in order to create and solve these puzzles. Conducted tests show that the proposed method achieves accuracy of 87.8% and intelligibility of 92.9%. These scores are 50.9% and 34.6%, respectively, higher than scores of previous method. Finally a novel method, based on moving spectrogram distance, is proposed that can give accurate estimation of segment length of the scrambler system.
Divergent Twins Fencing: Protecting Deep Neural Networks Against Query-based Black-box Adversarial Attacks
Volume 17, Issue 2, July 2025, Pages 137-150
https://doi.org/10.22042/isecure.2025.216615
Elahe Farshadfar, Amir Mahdi Sadeghzadeh Mesgar, Rasool Jalili
Abstract Recent advances in Machine Learning and Deep Learning have significantly expanded their applications in various domains. The resource-intensive process of training deep neural networks, in terms of substantial labeled data acquisition and computational power, makes these models valuable intellectual property for organizations, hence raising an increasingly crucial need for securing them. A major security threat to deep neural networks is the adversarial examples problem, specifically the black-box type. In these attacks, adversaries generate inputs with often imperceptible crafted perturbations to deceive the model into incorrect classifications, all with no access to the model internals and solely by interacting with it via queries and responses. Among the two primary methods for creating black-box adversarial examples i.e. model extraction-based and query-based approaches, this research focuses on the query-based type, and it explores a novel defense mechanism to mitigate their success. Our proposed method called Divergent Twins Fencing (DTF), employs two subtly different models trained with two different loss functions to incline the execution burden of these attacks. The evaluation criteria for this defense method include measuring the success rate and the average number of queries required to generate adversarial examples using two of the most potent attack methods from recent studies and comparing its defense performance against a leading defense strategy in the literature, i.e., Random Noise Defense (RND) Method, demonstrating our method’s efficacy in enhancing model security against black-box adversarial attacks.
New Fixed Point Attacks on GOST2 Block Cipher
Volume 11, Issue 2, July 2019, Pages 145-158
https://doi.org/10.22042/isecure.2019.140663.424
Siavash Ahmadi, Mohammad Reza Aref
Abstract GOST block cipher was designed in the 1970s and published in 1989 as the Soviet and Russian standard GOST 28147-89. In order to enhance the security of GOST block cipher after proposing various attacks on it, designers published a modified version of GOST, namely GOST2, in 2015 which has a new key schedule and explicit choice for S-boxes. In this paper, by using three exactly identical portions of GOST2 and fixed point idea, more enhanced fixed point attacks for filtration of wrong keys are presented. More precisely, the focus of the new attacks is on reducing memory complexity while keeping other complexities unchanged as well. The results show a significant reduction in the memory complexity of the attacks, while the time complexity slightly increased in comparison to the previous fixed point attacks. To the best of our knowledge, the lowest memory complexity for an attack on full-round GOST2 block cipher is provided here.
Blind Multipurpose Image Watermarking with Perfect Security
Volume 13, Issue 2, July 2021, Pages 145-156
https://doi.org/10.22042/isecure.2021.223025.527
Sorour Sheidani, Ziba Eslami
Abstract Nowadays, from one hand multimedia authentication techniques are widely used to achieve trustworthiness, on the other hand, due to the rapid growth of image processing software technologies, having a secure method to protect the copyright of these data seems fairly essential. Multipurpose watermarking emerged in order to simultaneously accomplish multimedia authentication and copyright protection. In this paper, we propose a multipurpose watermarking method which achieves perfect security, the ability to detect tampered areas of the watermarked image as well as a lower BER rate, at the cost of reducing capacity by half. This watermarking scheme is blind in the sense that on the receiver side, neither the original host image nor the embedded watermark is needed for ownership watermark extraction or tamper detection. Experimental results show that our method is able to reconstruct extracted tampered watermarks even after various attacks such as JPEG compression, average filtering, gamma correction, median filtering, speckle noise, JPEG compression, sharpening, Wiener filter, and median filtering. Comparisons are provided with other multipurpose watermarking methods which primarily aim at simultaneous goals of copyright protection and authentication. We also show the superiority of our proposed method to three watermarking methods attaining these objectives on a one-goal-at-a-time basis.
A hybrid approach for database intrusion detection at transaction and inter-transaction levels
Volume 6, Issue 2, July 2014, Pages 155-167
https://doi.org/10.22042/isecure.2015.6.2.5
M. Doroudian, H. R. Shahriari
Abstract Nowadays, information plays an important role in organizations. Sensitive information is often stored in databases. Traditional mechanisms such as encryption, access control, and authentication cannot provide a high level of confidence. Therefore, the existence of Intrusion Detection Systems in databases is necessary. In this paper, we propose an intrusion detection system for detecting attacks in both database transaction level and inter-transaction level (user task level). For this purpose, we propose a detection method at transaction level, which is based on describing the expected transactions within the database applications. Then at inter-transaction level, we propose a detection method that is based on anomaly detection and uses data mining to find dependency and sequence rules. The main advantage of this system, in comparison with the previous database intrusion detection systems, is that it can detect malicious behaviors in both transaction and inter-transaction levels. Also, it gains advantages of a hybrid method, including specification-based detection and anomaly detection, to minimize both false positive and false negative alarms. In order to evaluate the accuracy of the proposed system, some experiments have been done. The experiment results demonstrate that the true positive rate (recall metric) is higher than 80%, and the false positive rate is lower than 10% per different data sets and choosing appropriate ranges for support and confidence thresholds. The experimental evaluation results show high accuracy and effectiveness of the proposed system.
Secure and Imperceptible Image Steganography in Discrete Wavelet Transform Using the XOR Logical Function and Genetic Algorithm
Volume 14, Issue 2, July 2022, Pages 167-179
https://doi.org/10.22042/isecure.2022.274305.641
Vajiheh Sabeti, Mahsa Amerehei
Abstract A steganography system must embed the message in an unseen and unrecognizable manner in the cover signal. Embedding information in transform coefficients, especially Discrete Wavelet Transform (DWT), is one of the most successful approaches in this field. The proposed method in this paper has two main steps. In the first step, the XOR logical function was used to embed two bits of data in the adjacent DWT coefficient pair. No change in the coefficients will occur if the XOR result of the two bits of low-value data of the two adjacent coefficients is identical to the two bits of secret data. Otherwise, one or both of the coefficient(s) will need a one-unit increase or decrease. In the second step, the genetic algorithm was used to select, between the two possible solutions, a new value for the adjacent coefficient pair that needs to be changed. Using the genetic algorithm, the selections were made such that the generated stego image experienced the least change relative to the cover image. The results of comparing this method with the existing methods in low- and high-level embedding showed that the proposed method was successful in producing stego images with high-quality criteria. In addition, the SPAM steganalysis method did not show high accuracy in its detection. One of the benefits of the proposed method is the need for a short key to embed and extract the secret message. This issue increases the security and feasibility of the proposed method.
Prediction of user's trustworthiness in web-based social networks via text mining
Volume 5, Issue 2, July 2013, Pages 171-187
https://doi.org/10.22042/isecure.2014.5.2.5
H. Mohammadhassanzadeh, H. R. Shahriari
Abstract In Social networks, users need a proper estimation of trust in others to be able to initialize reliable relationships. Some trust evaluation mechanisms have been offered, which use direct ratings to calculate or propagate trust values. However, in some web-based social networks where users only have binary relationships, there is no direct rating available. Therefore, a new method is required to infer trust values in these networks. To bridge this gap, this paper aims to propose a new method which takes advantage of user similarity to predict trust values without any need for direct ratings. In this approach, which is based on socio-psychological studies, user similarity is calculated from the profile information and the texts shared by the users via text-mining techniques. Applying Ziegler ratios to our approach revealed that users are more than 50% more similar to their trusted agents than to arbitrary peers, which proves the validity of the original idea of the study about inferring trust from language similarity. In addition, comparing the real assigned ratings, gathered directly from users, with the experimental results indicated that the predicted trust values are sufficiently acceptable (with a precision of 61%). We have also studied the benefits of using context in inferring trust. In this regard, the analysis revealed that the precision of the predictions can be improved up to 72%. Besides the application of this approach in web-based social networks, the proposed technique can also be of much help in any direct rating mechanism to evaluate the correctness of trust values assigned by users, and increase the robustness of trust and reputation mechanisms against possible security threats.
Boomerang Attacks on Reduced-Round Midori64
Volume 16, Issue 2, July 2024, Pages 191-203
https://doi.org/10.22042/isecure.2024.421023.1033
Mehmet Emin Gönen, Muhammed Said Gündoğan, Kamil Otal
Abstract Midori64 is a lightweight SPN block cipher introduced by Banik et al. at ASIACRYPT 2015 which operates on 64-bit states through 16 rounds using a 128-bit key. In the last decade, Midori64 has been exposed to several attacks intensely. In this paper, we provide the first boomerang attack on Midori64 in the literature, to the best of our knowledge. For this purpose, firstly we present a practical single key 7-round boomerang attack on Midori64 improving the mixture idea of Biryukov by a new technique which we call "mixture pool", and then extend our attack up to 9 rounds with time complexity $2^{122.3}$, and memory and data complexity $2^{36}$. (The authors of Midori stated that they expect much smaller rounds than 8 rounds of Midori64 are secure against boomerang-type attacks.) We also emphasize that the mixture pool idea provides a kind of data-memory tradeoff and hence presents more usefulness for boomerang-type attacks.
A Fragile Watermarking by Hamming Code on Distributed Pixels with Perfect Recovery for Small Tampers
Volume 15, Issue 2, July 2023, Pages 230-239
https://doi.org/10.22042/isecure.2023.321411.740
Faeze Rasouli, Mohammad Taheri, Reza Rohani Sarvestani
Abstract Fragile watermarking is the task of embedding a watermark in a media (an image in this paper) such that even small changes, called tamper, can be detected or even recovered to prevent unauthorized alteration. A well-known category of spatial fragile watermarking methods is based on embedding the watermark in the least significant bits of the image to preserve the quality. In addition, Hamming code is a coding algorithm in communication that transmits the data-bits by augmenting some check-bits in order to exactly detect and recover single-bit modifications. This property is previously used to detect and perfectly recover the images modified by small tampers less than a quarter of the image in diameter. To achieve this goal, the Hamming code is applied on a distributed pixel, bits of which are gathered from sufficient far pixels in the image. It guarantees that such tampers can toggle at most one bit of each distributed Hamming code that is recoverable. It was the only guaranteed perfect reconstruction method of small tampers, based on our knowledge. In this paper, the method has been extended to support distortion in two bits of a Hamming code by use of common structures of distributed codes. It leads to guarantee recovery of tampers less than half of the image in width and height. According to the experimental results, the proposed method achieved better performance, in terms of recovering the tampered areas, in comparison to state-of-the-art.
Securing Deep Learning Hardware: A Survey of Side-Channel Vulnerabilities and Countermeasures
Articles in Press, Accepted Manuscript, Available Online from 12 February 2026
https://doi.org/10.22042/isecure.2026.240526
Zahra Mohammadi, Mona Hashemi, Siamak Mohammadi
Abstract As deep learning models are increasingly deployed in critical sectors such as healthcare, finance, and security, ensuring their protection against emerging threats has become crucial. Among these threats, side-channel attacks (SCAs) represent a particular challenge since they can extract sensitive information such as model architectures, parameters, and even user inputs without requiring direct access to the model. By leveraging the physical and micro-architectural properties of the hardware, attackers can compromise systems. This survey begins by classifying leakage sources and attacker objectives, then analyzes representative studies that demonstrate practical side-channel exploits against deep-learning hardware. It also reviews existing defenses aimed at mitigating these vulnerabilities and concludes by outlining key open research challenges and potential future directions.
