Michael Schukat

Authentication Using Virtual Certificate Authorities: A New Security Paradigm for Wireless Sensor Networks

Wireless sensor networks (WSN) are inherently difficult to secure: Limited memory resources rule out the predistribution of keys or certificates, while manual device (and key) configuration in the field is not feasible due to the dynamic and ad-hoc nature of WSNs. All this is complicated by the fact that WSN nodes are not tamper resistant and operate over an unsecure wireless medium. Public key infrastructures (PKI) can help to address this problem by providing initial trust between network nodes. While it has been already shown, that public key encryption methods (like Elliptic Curve Cryptography - ECC) can be implemented on sensor nodes with very limited resources, a fully-fleshed PKI infrastructure that enables many different devices from potentially many different manufactures to participate in many different separate distributed networks in a secure manner has not been introduced yet. This paper presents AVCA, “Authentication using Virtual Certificate Authorities”, which is such a PKI architecture. It is based on commonly used and well established PKI concepts and designed specifically for resource constrained devices on distributed ad-hoc networks. It provides a mechanism to overcome the difficulties in securing many distributed networks with non tamper-proof devices. AVCA has many benefits including that the basis for initial trust is not stored on any of the sensor devices and that these devices do not require significant memory. The architecture itself can be quite easily integrated into existing protocol stacks including those defined by IEEE 802.15.4 [1] and ZigBee [2]. AVCA also enhances many of the original design goals of these wireless sensor network protocols such as simplicity, interoperability and scalability. The authors believe that AVCA offers a practical solution to many of the security issues that exist with sensor networks to date.

Peer to peer authentication for small embedded systems: A zero-knowledge-based approach to security for the Internet of Things

With an estimated 50 billion internet-enabled devices deployed by 2020, the arrival of the Internet of Things (IoT) or Internet of Everything (IoE) raises many questions regarding the suitability and adaptability of current computer security standards to provide privacy, data integrity and end entity authentication between communicating peers. In this paper we present a new protocol which combines zero-knowledge proofs and key exchange mechanisms to provide secure and authenticated communication in static machine-to-machine (M2M) networks. This approach addresses all of the aforementioned issues while also being suitable for devices with limited computational resources and can be deployed in wireless sensor networks. While the protocol requires an a-priori knowledge about the network setup and structure, it guarantees perfect forward secrecy.

Securing critical infrastructure

Energy Systems are undergoing radical changes, driven by a combination of factors, including full economic cost, efficiency, environmental impact and security-of-supply, while being facilitated by increased deregulation. This complexity can only be dealt with effectively with the rollout of complex ICT systems that will play a significant role in managing, planning, and securing the energy infrastructure. However, this ever-increasing complexity of energy and support ICT systems greatly increases the potential for cyber attacks. Modern energy systems are becoming increasingly coupled and interdependent and the move/convergence from heterogeneous protocols and systems to all IP-based systems and open standards, whilst beneficial from many perspectives, increases the attack surface and scope, and thus raises many cyber-security challenges. This paper will provide an overview of the cyber threat landscape in smart grid infrastructure from a Machine-to-Machine (M2M) communication perspective and discuss the role of PKI and authentication protocols for risk mitigation.

Collaborative exploration for a group of self-interested robots

This paper presents and new approach to robot exploration and mapping using a team of cooperative robots. This approach aims to exploit the increase in sensor data that multiple robots offer to improve efficiency, accuracy and detail in maps created, and also the lower cost in employing a group of inexpensive robots. The exploration technique involves covering an area as efficiently as possible while cooperating to estimate each others positions and orientations. The ability to observe objects of interest from a number of viewpoints and combine this data means that cooperative robots can localize objects and estimate their shape in cluttered real world scenes. Robots in the system act as social agents, and are motivated to cooperate by a desire to increase their own utility. Within this society, robots form coalitions to complete tasks that arise which require input from multiple robots. The coalitions involve the adoption of certain roles or behaviors on the part of the different robots to carry out these tasks.

Optimising QoS of VoIP over wireless LANs via synchronized time

In the existing IEEE 802.11e standard, all VoIP sessions contend within the same prioritization Access Category (AC), despite potentially having very different, and varying one-way (M2E - Mouth to Ear) delays. In this paper we show how VoIP endpoints that are time synchronized can help optimize 802.11e EDCA in order to prioritize VoIP sessions that have relatively large M2E delays and thus distinguish between VoIP sessions. Using the NS-3 Network Simulator, we quantify the benefits achievable through synchronization of an 802.11e network handling multiple VoIP calls in the presence of other TCP traffic.

A New Secure Wireless Financial Transaction Architecture

Mobile commerce (m-commerce) offers a practical, and complementary solution to credit card transactions. This paper proposes a secure wireless financial transaction (SWiFT) system and describes a prototype implementation. A review of similar m-commerce solutions is included with comparison to the proposed SWiFT system

A ZigBee honeypot to assess IoT cyberattack behaviour

Wireless Personal Area Networks (WPAN) allow for the implementation of applications such as home automation, remote control services, near-field technologies and personal health care management. Security is a critical requirement of the standards and protocols for these environments. One suite of layered protocols within WPAN is ZigBee. ZigBee is a low bit rate protocol utilised in Wireless Sensor Networks (WSN). Attacks such as physical, crypto key interception, injection and replay are perpetrated on ZigBee networks. These attacks can be instigated and controlled within the physical ZigBee WSN location or via a gateway. This paper creates a honeypot that simulates a ZigBee gateway. It is designed to assess the presence of ZigBee attack intelligence on a SSH attack vector. It captures all attack traffic for retrospective analysis. It sandboxes attacks of interest to determine if any attempts are targeting ZigBee specifically. Finally it concludes that all captured mass attacks are mainstream DDoS and bot malware, whereas individual attackers where attracted to and interacted with the ZigBee simulated Honeypot.

Deep Reinforcement Learning: An Overview

In recent years, a specific machine learning method called deep learning has gained huge attraction, as it has obtained astonishing results in broad applications such as pattern recognition, speech recognition, computer vision, and natural language processing. Recent research has also been shown that deep learning techniques can be combined with reinforcement learning methods to learn useful representations for the problems with high dimensional raw data input. This article reviews the recent advances in deep reinforcement learning with focus on the most used deep architectures such as autoencoders, convolutional neural networks and recurrent neural networks which have successfully been come together with the reinforcement learning framework.

Public key infrastructures and digital certificates for the Internet of things

The exponential growth of connected autonomous embedded devices (aka the IoT) will pose huge challenges with regard to device- and inter-device communication security. Features like encrypted communication, device authentication and device authorisation must be appropriately addressed in order to provide a reliable and penetration-resistant device network. However, recent examples of cyber-attacks on such networks and the current lack of generic standards have shown that there is still a long way to go. Public key infrastructures (PKI) and digital certificates are key elements of todays secure Internet infrastructure. This paper analyses the benefits, limitations and suitability of both concepts for IoT deployments in combination with secure communication protocols. Based on this assessment it proposes an adopted PKI architecture that provides and manages customised X.509 digital certificates.

A QoS enabled multimedia WiFi access point

Summary The Internet has evolved to a stage where the number of Internet enabled devices exceeds the global population. With much of the required connectivity over wireless, contention for bandwidth is an important issue that has to be addressed. In this context, applications that have certain quality of service (QoS) requirements must be protected. WiFi-enabled mobile devices such as smartphones and tablets are commonly used by both personal and business users for voice over IP (VoIP) communications, while also supporting conventional data applications such as email, file transfer and web access. Previous research has shown that time synchronized endpoints can provide better QoS by calculating accurate mouth-to-ear delays, and using this information to better inform buffer playout strategies. The IEEE 802.11e protocol extends 802.11 by providing different traffic priorities based on traffic type. However, it cannot distinguish between traffic streams within the same category. In this paper, we present an access point-centred mechanism for further distinguishing between streams within 802.11e categories. The mechanism predicts the VoIP quality for multiple sessions using the ITU-T E-Model. Delay values are determined from RTCP packet timing information. We provide implementation details on a real world proof-of-concept and present results that correlate well with previous NS-3 based simulations. In addition, we address scalability issues for large scale deployments. Copyright