Arun Mishra

Quantitative analysis of information leakage in service-oriented architecture-based Web services

Purpose Any computing architecture cannot be designed with complete confidentiality. As a result, at any point, it may leak the information. So, it is important to decide leakage threshold in any computing architecture. To prevent leakage more than the predefined threshold, quantitative analysis is helpful. This paper aims to provide a method to quantify information leakage in service-oriented architecture (SOA)-based Web services. Design/methodology/approach To visualize the dynamic binding of SOA components, first, the orchestration of components is modeled. The modeling helps to information-theoretically quantify information leakage in SOA-based Web services. Then, the paper considers the non-interference policy in a global way to quantify information leakage. It considers not only variables which interfere with security sensitive content but also other architectural parameters to quantify leakage in Web services. To illustrate the attacker’s ability, a strong threat model has been proposed in the paper. Findings The paper finds that information leakage can be quantified in SOA-based Web services by considering parameters that interfere with security sensitive content and information theory. A hypothetical case study scenario of flight ticket booking Web services has been considered in the present paper in which leakage of 18.89 per cent information is calculated. Originality/value The paper shows that it is practically possible to quantify information leakage in SOA-based Web services. While modeling the SOA-based Web services, it will be of help to architects to identify parameters which may cause the leakage of secret contents.

Relation between cybernetics and information security: from Norbert Wiener’s perspectives

Purpose Nowadays, to design the information security mechanism for computing and communication systems, there are various approaches available like cryptographic approach, game-theoretic approach, quantitative–qualitative analysis-based approach, cognitive-behavioral approach, digital forensic-based approach and swarm computing-based approach. The contemporary research in these various fields is independent in nature. The purpose of this paper is to investigate the relationship between these various approaches to information security and cybernetics. Design/methodology/approach To investigate the relationship between information security mechanisms and cybernetics, Norbert Wiener’s concepts and philosophy of the cybernetics have been used in the present work. For a detailed study, concepts, techniques and philosophy of the cybernetics have been extracted from the books of Norbert Wiener titled “The human use of human beings” and “Cybernetics or control and communication in the animal and the machine”. Findings By revisiting the concepts of the cybernetics from the information security perspectives, it has been found that the aspects of information security and the aspects of cybernetics have great bonding. Originality/value The present paper demonstrates how bonding between cybernetics and information security can be used to solve some of the complex research challenges in information security area.

Monitoring Information Leakage in a Web Browser

This paper outlines the potential problem of information leakage between programs running inside a web browser. A program to which user’s information is voluntarily provided can leak it to other malicious programs; likewise, a program may steal information from another program. A number of ways through which such leakage may take place using the operating system’s inter process communication mechanism is listed. The proposed solution includes a ’controller’ that monitors all processes running in a browser for their access to the kernel’s services through system calls, intercepts and thwarts an attempt at communication with another process.

Relating Wiener’s cybernetics aspects and a situation awareness model implementation for information security risk management

Purpose Situation awareness theory is a primary mean to take decisions and actions in a dynamically changing environment. Nowadays, to implement situation awareness, theories and models in organizational scenarios have become an important research challenge. The purpose of this paper is to investigate the relationship between the situation awareness theory and cybernetics. Further, the aim is to use this relationship to check the feasibility of situation awareness-based information security risk management (ISRM) implementation in the organizational scenario. Design/methodology/approach To investigate the relationship between situation awareness theory and cybernetics, Endsley’s situation awareness theory and Norbert Wiener’s cybernetics concepts and philosophy have been used in the present work. For a detailed study, concepts, techniques and philosophy of the cybernetics have been extracted from the thesis of Norbert Wiener titled “The human use of human beings” and “Cybernetics or control and communication in the animal and the machine”. Findings The present paper demonstrates that relationship can be successfully established between cybernetics and situation awareness theory. Further, this relationship can be used to solve organizational implementation issues related to situation awareness based systems. To demonstrate relationship and solutions of implementation issues, two case studies related to ISRM are also incorporated in the present case study. Originality/value The present work bridges two parallel and prominent theories of situation awareness and cybernetics. It also demonstrates that combination of both the theories can be used to feasibly implement situation awareness based systems in organizations.

Implementation of Modified TEA to Enhance Security

Tiny Encryption Algorithm (TEA) is one of the fastest Encryption Algorithms. It is a lightweight cryptographic algorithm with minimal source code. Due to its simple logic in key scheduling TEA has suffered from related key and equivalent key attacks. Therefore a modified key schedule is proposed for TEA. The new key schedule applies Boolean function based SBox to generate different round keys for TEA. The resultant Modified TEA achieves better security than original TEA. The execution time analysis of modified TEA is also presented.

Framework to Secure Browser Using Configuration Analysis

In last few decades, web browser has become one of the most used computer applications. The web browser is available on many devices such as desktops, laptops, palm devices and even in cars. According to recent research reports, the browser is targeted most by exploits in attacks on both home and corporate users. The default browser security configuration may leak users sensitive information. It may also give remote code execution facility to attacker. In this paper, a framework to detect web browser security misconfiguration is proposed. The misconfiguration leads to data sharing to third party and insecure data transfer. The system scans browser configuration and determine deviation of configuration from secure settings. In addition, the system provides facility to achieve the level of security configuration with respect to recommended settings.

Image Based Password Composition Using Inverse Document Frequency

Password remains one of the main authentication methods in today’s time. The challenge with password as authentication system is due to its dependency on humans. Its strength and weakness is decided by the alphanumeric string set by users. A number of the websites demand users to use strong passwords even though they do not safeguard any critical information assets. This results in an unnecessary cognitive burden on users. It can be reduced by minimizing the number of strong passwords that he/she has to remember. A password composition scheme that considers criticality of information asset is required for this purpose. This article presents one such scheme using inverse document frequency. Users are authenticated based on a valid English sentence. Sentences leave alphanumeric strings behind in recall due to their semantic nature. Users select their authentication sentence by using an image as context. Humans are good at recalling context based information.

Information leakage minimization using a negative information flow based confidentiality policy

Recently, quantitative analysis of information flow and information leakage is widely used to decide the threshold of the leakage of information in the computing system. As a result, quantitative analysis based confidentiality policies are also used to protect the information in a computing system. In the present work, one such policy, negative information flow based confidentiality policy and its drawbacks have been discussed. To eliminate the drawbacks of negative information flow policy, a new confidentiality policy has been proposed in the present work. The proposed policy is based on the noise that can be imposed on the system in a controlled way without changing significant system behavior and reliability. The algorithm which can calculate the amount of noise that can be imposed on the computing system without affecting the system reliability is also discussed in the present work.

Authentication of Electronic Control Unit using Arbiter Physical Unclonable Functions in Modern Automobiles

Automobiles gradually favors computers on wheels-complete with various advance safety facilities such as emergency brake assist, safety belts, airbags, Tire-pressure monitoring, etc. Internally automobiles consist of 70 and above Electronic Control Units (ECUs), which communicate with each other using in-vehicle network example- Controller Area Network (CAN). The real time communication between the ECUs via CAN protocol is responsible for supervising safety related issues of car such as an automatic braking system, etc. There is no source ECU authentication in this protocol which leads to various security concerns because safety is futile without security. Security of the car can be compromised by connecting malicious ECU in CAN. Malicious ECU ejecting malign commands can threaten the functioning of steering, brakes, airbags, windows, headlights, etc. This gives rise to safety concern of people in and around the car. To avoid this, we propose a system, which authenticate the ECUs before allowing them to perform any function. The proposed authentication system consists of Physical Unclonable Function (PUF) and BCH. PUF known for its physical and mathematical unclonability is used to provide a unique signature to the system. On giving a challenge for n times it generates n random response, having closeness within them. This closeness is validated by calculating their hamming distance. The response of PUF is prone to noise, hence to remove these noises proposed approach uses BCH. For a challenge, the noise free response being generated is measured for closeness using hamming distance. If the closeness measured is enough, then the ECU is authentic, else it is suspected as malign.

Optimized Multi-Sensor Multi-Target Tracking algorithm for air surveillance system

Multiple Target Tracking is an essential requirement for modern air surveillance system employing with multiple sensors to interpret the environment. The fundamental problem in a multiple target tracking system is that of data association - with the goal of choosing most probable association between a particular observation and target to be tracked. This paper presents an Optimized Multi-Sensor Multi-Target Tracking algorithm (OMSMTT) that solves measurement to track association conflicts in sensor data reports and capable of initiating and terminating new tracks. The proposed solution enhances the Multiple Hypotheses Tracking (MHT) algorithm with multidimensional assignment approach by modified scoring procedure which improves performance of the tracker. The work exploits a generalized assignment problem structure; formulate the new framework which treats measurement to track assignment for each target as a random variable and transform it to the particle filter for non maneuvering multi-target models. The algorithm is tested with non maneuvering targets with sparse scenarios in presence of clutter against traditional Multiple Hypothesis Tracker (MHT) under extreme conditions such as track swap and coalescences and analyzes it using different performance metrics.