
Search Results (312)

Search Parameters:
Keywords = IP security

60 pages, 1234 KB  
Article
Leveraging Structural Symmetry for IoT Security: A Recursive InterNetwork Architecture Perspective
by Peyman Teymoori and Toktam Ramezanifarkhani
Computers 2026, 15(2), 125; https://doi.org/10.3390/computers15020125 - 13 Feb 2026
Viewed by 146
Abstract
The Internet of Things (IoT) has transformed modern life through interconnected devices enabling automation across diverse environments. However, its reliance on legacy network architectures has introduced significant security vulnerabilities and efficiency challenges—for example, when Datagram Transport Layer Security (DTLS) encrypts transport-layer communications to protect IoT traffic, it simultaneously blinds intermediate proxies that need to inspect message contents for protocol translation and caching, forcing a fundamental trade-off between security and functionality. This paper presents an architectural solution based on the Recursive InterNetwork Architecture (RINA) to address these issues. We analyze current IoT network stacks, highlighting their inherent limitations—particularly how adding security at one layer often disrupts functionality at others, forcing a detrimental trade-off between security and performance. A central principle underlying our approach is the role of structural symmetry in RINA’s design. Unlike the heterogeneous, protocol-specific layers of TCP/IP, RINA exhibits recursive self-similarity: every Distributed IPC Facility (DIF), regardless of its position in the network hierarchy, instantiates identical mechanisms and offers the same interface to layers above. This architectural symmetry ensures predictable, auditable behavior while enabling policy-driven asymmetry for context-specific security enforcement. By embedding security within each layer and allowing flexible layer arrangement, RINA mitigates common IoT attacks and resolves persistent issues such as the inability of Performance Enhancing Proxies to operate on encrypted connections. We demonstrate RINA’s applicability through use cases spanning smart homes, healthcare monitoring, autonomous vehicles, and industrial edge computing, showcasing its adaptability to both RINA-native and legacy device integration. 
Our mixed-methods evaluation combines qualitative architectural analysis with quantitative experimental validation, providing both theoretical foundations and empirical evidence for RINA’s effectiveness. We also address emerging trends including AI-driven security and massive IoT scalability. This work establishes a conceptual foundation for leveraging recursive symmetry principles to achieve secure, efficient, and scalable IoT ecosystems. Full article

5 pages, 214 KB  
Proceeding Paper
Methodology for Rapid Security Testing of IP Cameras
by Lidia Prudente-Tixteco, Gabriel Sanchez-Perez, Jesus Olivares-Mercado and Aldo Hernandez-Suarez
Eng. Proc. 2026, 123(1), 33; https://doi.org/10.3390/engproc2026123033 - 11 Feb 2026
Viewed by 152
Abstract
There are many types of IP surveillance cameras that connect to organizational or home data networks. However, these devices have vulnerabilities from their technological nature, and people often ignore procedures to protect their networks and devices, which generates security risks for networks, users, and information where they are connected. IP camera vulnerabilities can be exploited by threats and unauthorized persons to cause damage to an infrastructure. Security tests require specific knowledge, equipment, and specialized tools. Furthermore, their execution includes different steps and devices that require time for execution and processing. A methodology for rapid security testing of IP cameras could help identify vulnerabilities and security gaps to select cybersecurity controls to mitigate the risk of their use. This article presents a proof of concept for a methodology for rapid security tests on IP cameras based on NIST SP 800-115, to guide analysts in security tests to obtain results that allow them to take actions to mitigate risks. Full article
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)

39 pages, 26281 KB  
Article
Methodology for Studying the Level of Network Security of an IP PBX Server
by Ivan Nedyalkov
Telecom 2026, 7(1), 22; https://doi.org/10.3390/telecom7010022 - 11 Feb 2026
Viewed by 173
Abstract
This paper presents a methodology for studying the level of network security of VoIP platforms. The methodology is designed for VoIP platforms where the voice and video traffic passes through and is processed by the VoIP server itself, rather than being exchanged directly between the end devices. The proposed methodology consists of four stages: scanning for open ports; scanning for well-known vulnerabilities; penetration testing; and finally, analysis and recommendations (if necessary). Well-known tools used for monitoring IP networks were used to implement the methodology: Nmap, Wireshark, hping3, and Colasoft Capsa Free. The studied VoIP platforms were VitalPBX and Issabel, which are based on the Asterisk FreePBX platform. The penetration tests included attacking VitalPBX and Issabel with TCP and UDP DoS attacks. The penetration tests were carried out and implemented using the GNS3 IP network modeling platform. This study found that Issabel has many more unnecessarily open ports than VitalPBX; on both platforms, DoS attacks are likely to be unsuccessful, which was confirmed by the experimental studies carried out. The applicability of the proposed methodology was confirmed by the study carried out. Full article

26 pages, 2390 KB  
Article
Chaos Theory with AI Analysis in Network Scenarios
by Antonio Francesco Gentile and Maria Cilione
Telecom 2026, 7(1), 18; https://doi.org/10.3390/telecom7010018 - 4 Feb 2026
Viewed by 233
Abstract
Modern TCP/IP networks are increasingly exposed to unpredictable conditions, both from the physical transmission medium and from malicious cyber threats. Traditional stochastic models often fail to capture the non-linear and highly sensitive nature of these disturbances. This work introduces a formal mathematical framework combining classical network modeling with chaos theory to describe perturbations in latency and packet loss, alongside adversarial processes such as denial-of-service, packet injection, or routing attacks. By structuring the problem into four scenarios (quiescent, perturbed, attacked, perturbed-attacked), the model enables a systematic exploration of resilience and emergent dynamics. The integration of artificial intelligence techniques further enhances this approach, allowing automated detection of chaotic patterns, anomaly classification, and predictive analytics. Machine learning models trained on simulation outputs can identify subtle signatures distinguishing chaotic perturbations from cyber attacks, supporting proactive defense and adaptive traffic engineering. This combination of formal modeling, chaos theory, and AI-driven analysis provides network engineers and security specialists with a powerful toolkit to understand, predict, and mitigate complex threats that go beyond conventional probabilistic assumptions. The result is a more robust methodology for safeguarding critical infrastructures in highly dynamic and adversarial environments. Full article

53 pages, 3104 KB  
Article
Auditing Inferential Blind Spots: A Framework for Evaluating Forensic Coverage in Network Telemetry Architectures
by Mehrnoush Vaseghipanah, Sam Jabbehdari and Hamidreza Navidi
Network 2026, 6(1), 9; https://doi.org/10.3390/network6010009 - 29 Jan 2026
Viewed by 234
Abstract
Network operators increasingly rely on abstracted telemetry (e.g., flow records and time-aggregated statistics) to achieve scalable monitoring of high-speed networks, but this abstraction fundamentally constrains the forensic and security inferences that can be supported from network data. We present a design-time audit framework that evaluates which threat hypotheses become non-supportable as network evidence is transformed from packet-level traces to flow records and time-aggregated statistics. Our methodology examines three evidence layers (L0: packet headers, L1: IP Flow Information Export (IPFIX) flow records, L2: time-aggregated flows), computes a catalog of 13 network-forensic artifacts (e.g., destination fan-out, inter-arrival time burstiness, SYN-dominant connection patterns) at each layer, and maps artifact availability to tactic support using literature-grounded associations with MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). Applied to backbone traffic from the MAWI Day-In-The-Life (DITL) archive, the audit reveals selective inference loss: Execution becomes non-supportable at L1 (due to loss of packet-level timing artifacts), while Lateral Movement and Persistence become non-supportable at L2 (due to loss of entity-linked structural artifacts). Inference coverage decreases from 9 to 7 out of 9 evaluated ATT&CK tactics, while coverage of defensive countermeasures (MITRE D3FEND) increases at L1 (7 → 8 technique categories) then decreases at L2 (8 → 7), reflecting a shift from behavioral monitoring to flow-based controls. The framework provides network architects with a practical tool for configuring telemetry systems (e.g., IPFIX exporters, P4 pipelines) to reason about and provision the minimum forensic coverage. Full article
(This article belongs to the Special Issue Advanced Technologies in Network and Service Management, 2nd Edition)

24 pages, 1137 KB  
Article
Detecting TLS Protocol Anomalies Through Network Monitoring and Compliance Tools
by Diana Gratiela Berbecaru and Marco De Santo
Future Internet 2026, 18(1), 62; https://doi.org/10.3390/fi18010062 - 21 Jan 2026
Viewed by 238
Abstract
The Transport Layer Security (TLS) protocol is widely used nowadays to create secure communications over TCP/IP networks. Its purpose is to ensure confidentiality, authentication, and data integrity for messages exchanged between two endpoints. In order to facilitate its integration into widely used applications, the protocol is typically implemented through libraries, such as OpenSSL, BoringSSL, LibreSSL, WolfSSL, NSS, or mbedTLS. These libraries encompass functions that execute the specialized TLS handshake required for channel establishment, as well as the construction and processing of TLS records, and the procedures for closing the secure channel. However, these software libraries may contain vulnerabilities or errors that could potentially jeopardize the security of the TLS channel. To identify flaws or deviations from established standards within the implemented TLS code, a specialized tool known as TLS-Anvil can be utilized. This tool also verifies the compliance of TLS libraries with the specifications outlined in the Request for Comments documents published by the IETF. TLS-Anvil conducts numerous tests with a client/server configuration utilizing a specified TLS library and subsequently generates a report that details the number of successful tests. In this work, we exploit the results obtained from a selected subset of TLS-Anvil tests to generate rules used for anomaly detection in Suricata, a well-known signature-based Intrusion Detection System. During the tests, TLS-Anvil generates .pcap capture files that report all the messages exchanged. Such files can be subsequently analyzed with Wireshark, allowing for a detailed examination of the messages exchanged during the tests and a thorough understanding of their structure on a byte-by-byte basis. 
Through the analysis of the TLS handshake messages produced during testing, we develop customized Suricata rules aimed at detecting TLS anomalies that result from flawed implementations within the intercepted traffic. Furthermore, we describe the specific test environment established for the purpose of deriving and validating certain Suricata rules intended to identify anomalies in nodes utilizing a version of the OpenSSL library that does not conform to the TLS specification. The rules that delineate TLS deviations or potential attacks may subsequently be integrated into a threat detection platform supporting Suricata. This integration will enhance the capability to identify TLS anomalies arising from code that fails to adhere to the established specifications. Full article
(This article belongs to the Special Issue DDoS Attack Detection for Cyber–Physical Systems)

28 pages, 3654 KB  
Article
Replacement-Based Key-Controlled Circuits: A New Lightweight Logic-Locking Technique to Prevent the SAT Attack and Its Variants
by Weizheng Wang, Luoyi Zhao and Shuo Cai
Appl. Sci. 2026, 16(2), 925; https://doi.org/10.3390/app16020925 - 16 Jan 2026
Viewed by 165
Abstract
The current trend of globalization of the supply chain in the integrated circuit (IC) industry has led to numerous security issues, such as intellectual property (IP) piracy, overbuilding, hardware Trojan (HT), and so on. Over the past decade or so, logic locking has been developed as an important method to prevent or mitigate the above security issues in ICs throughout their lifecycles. However, most published logic locking schemes are vulnerable to the SAT attack and its variants. Existing SAT-resilient locking schemes always entail a trade-off between security and effectiveness and incur significant hardware overhead. In this paper, we propose a new replacement-based key-controlled circuit (called RKC), the application of which changes the underlying framework of traditional logic locking designs, making the SAT attack and its variants infeasible in the framework. To achieve stronger functional and structural obfuscation and to validate the extensibility of the proposed method within the modified logic-locking design framework, we develop a new multi-input key-controlled circuit (called MKC) via vertical extension, also based on replacement applied to the locking design. In addition, we expand the two proposed circuits horizontally by varying the design parameter m, yielding four logic-locking design circuits. Relevant experiments performed on six selected benchmark circuits from ISCAS’85 and MCNC benchmarks show that the proposed method demonstrates superior/less hardware overhead compared to four recently published locking methods, i.e., GateLock, SKG-Lock, SKG-Lock+, and CAS-Lock. Full article

34 pages, 2366 KB  
Article
Dynamic Modeling of Bilateral Energy Synergy: A Data-Driven Adaptive Index for China–Korea Hydrogen System Coupling Assessment
by Liekai Bi and Yong Hu
Energies 2026, 19(2), 343; https://doi.org/10.3390/en19020343 - 10 Jan 2026
Viewed by 279
Abstract
The development of cross-border hydrogen energy value chains involves complex interactions between technological, regulatory, and logistical subsystems. Static assessment models often fail to capture the dynamic response of these coupled systems to external perturbations. This study addresses this gap by proposing the Dual Carbon Cooperation Index (DCCI), a data-driven framework designed to quantify the synergy efficiency of the China–Korea hydrogen ecosystem. We construct a dynamic state estimation model integrating three coupled dimensions—Technology Synergy, Regulatory Alignment, and Supply Chain Resilience—utilizing an adaptive weighting algorithm (Triple Dynamic Response). Based on multi-source heterogeneous data (2020–2024), the model employs Natural Language Processing (NLP) for vectorizing unstructured regulatory texts and incorporates an exogenous signal detection mechanism (GPR). Empirical results reveal that the ecosystem’s composite synergy score recovered from 0.38 to 0.50, driven by robust supply chain resilience but constrained by high impedance in technological transfer protocols. Crucially, the novel dynamic weighting algorithm significantly reduces state estimation error during high-volatility periods compared to static linear models, as validated by bootstrapping analysis (1000 resamples). The study provides a quantitative engineering tool for monitoring ecosystem coupling stability and proposes a technical roadmap for reducing system constraints through secure IP data architectures and synchronized standard protocols. Full article
(This article belongs to the Special Issue Energy Security, Transition, and Sustainable Development)

25 pages, 692 KB  
Article
Decentralized Dynamic Heterogeneous Redundancy Architecture Based on Raft Consensus Algorithm
by Ke Chen and Leyi Shi
Future Internet 2026, 18(1), 20; https://doi.org/10.3390/fi18010020 - 1 Jan 2026
Viewed by 387
Abstract
Dynamic heterogeneous redundancy (DHR) architectures combine heterogeneity, redundancy, and dynamism to create security-centric frameworks that can be used to mitigate network attacks that exploit unknown vulnerabilities. However, conventional DHR architectures rely on centralized control modules for scheduling and adjudication, leading to significant single-point failure risks and trust bottlenecks that severely limit their deployment in security-critical scenarios. To address these challenges, this paper proposes a decentralized DHR architecture based on the Raft consensus algorithm. It deeply integrates the Raft consensus mechanism with the DHR execution layer to build a consensus-centric control plane and designs a dual-log pipeline to ensure all security-critical decisions are executed only after global consistency via Raft. Furthermore, we define a multi-dimensional attacker model—covering external, internal executor, internal node, and collaborative Byzantine adversaries—to analyze the security properties and explicit defense boundaries of the architecture under Raft’s crash-fault-tolerant assumptions. To assess the effectiveness of the proposed architecture, a prototype consisting of five heterogeneous nodes was developed for thorough evaluation. The experimental results show that, for non-Byzantine external and internal attacks, the architecture achieves high detection and isolation rates, maintains high availability, and ensures state consistency among non-malicious nodes. For stress tests in which a minority of nodes exhibit Byzantine-like behavior, our prototype preserves log consistency and prevents incorrect state commitments; however, we explicitly treat these as empirical observations under a restricted adversary rather than a general Byzantine fault tolerance guarantee. Performance testing revealed that the system exhibits strong security resilience in attack scenarios, with manageable performance overhead. 
Instead of turning Raft into a Byzantine-fault-tolerant consensus protocol, the proposed architecture preserves Raft’s crash-fault-tolerant guarantees at the consensus layer and achieves Byzantine-resilient behavior at the execution layer through heterogeneous redundant executors and majority-hash validation. To support evaluation during peer review, we provide a runnable prototype package containing Docker-based deployment scripts, pre-built heterogeneous executors, and Raft control-plane images, enabling reviewers to observe and assess the representative architectural behaviors of the system under controlled configurations without exposing the internal source code. The complete implementation will be made available after acceptance in accordance with institutional IP requirements, without affecting the scope or validity of the current evaluation. Full article
(This article belongs to the Section Cybersecurity)

36 pages, 537 KB  
Article
WebRTC Swarms: Decentralized, Incentivized, and Privacy-Preserving Signaling with Designated Verifier Zero-Knowledge Authentication
by Rafał Skowroński
Future Internet 2026, 18(1), 13; https://doi.org/10.3390/fi18010013 - 26 Dec 2025
Viewed by 955
Abstract
Real-time peer-to-peer communication in web browsers typically relies on centralized signaling servers, creating single points of failure, privacy vulnerabilities, and censorship risks. We present WebRTC Swarms, a fully decentralized signaling architecture integrated into GRIDNET OS that combines onion-routed relay circuits with designated verifier zero-knowledge authentication and cryptoeconomic incentives. The proposed system empowers peers to discover and connect without exposing identities or IP addresses through an overlay of incentivized full nodes that carry signaling traffic using transmission tokens. We introduce a MAC-based designated verifier ZK authentication protocol allowing peers sharing a pre-shared key to mutually authenticate without revealing the key, ensuring only authorized participants can join sessions while preserving unlinkability to outsiders across sessions. Through formal verification using TLA+, we prove key safety and liveness properties of both the signaling protocol and the authentication mechanism. Empirical evaluation demonstrates near-100% NAT traversal success via incentivized decentralized TURN relaying (compared to approximately 85% for STUN-only approaches), join latencies under 2 s for swarms of dozens of peers, and strong resilience against Sybil and denial-of-service attacks through token-based rate limiting. Our work represents the first practical integration of decentralized WebRTC signaling with designated verifier cryptographic authentication and built-in economic incentives, providing a privacy-first substrate for secure, community-governed communication networks. Full article
(This article belongs to the Special Issue Information Security in Telecommunication Systems)

30 pages, 2499 KB  
Article
Enhancing IoT Common Service Functions with Blockchain: From Analysis to Standards-Based Prototype Implementation
by Jiho Lee, Jieun Lee, Zehua Wang and JaeSeung Song
Electronics 2026, 15(1), 123; https://doi.org/10.3390/electronics15010123 - 26 Dec 2025
Cited by 1 | Viewed by 430
Abstract
The proliferation of Internet of Things (IoT) applications in safety-critical domains, such as healthcare, smart transportation, and industrial automation, demands robust solutions for data integrity, traceability, and security that surpass the capabilities of centralized databases. This paper analyzes how blockchain technology can be integrated with core IoT service functions—including data management, security, device management, group coordination, and automated billing—to enhance immutability, trust, and operational efficiency. Our analysis identifies practical use cases such as consensus-driven tamper-proof storage, role-based access control, firmware integrity verification, and automated micropayments. These use cases showcase blockchain’s potential beyond traditional data storage. Building on this, we propose a novel framework that integrates a permissioned distributed ledger with a standardized IoT service layer platform through a Blockchain Interworking Proxy Entity (BlockIPE). This proxy dynamically maps IoT service functions to smart contracts, enabling flexible data routing to conventional databases or blockchains based on the application requirements. We implement a Dockerized prototype that integrates a C-based oneM2M platform with an Ethereum-compatible permissioned ledger (implemented using Hyperledger Besu) via BlockIPE, incorporating security features such as role-based access control. For performance evaluation, we use Ganache to isolate proxy-level overhead and scalability. At the proxy level, the blockchain-integrated path achieves processing latencies (≈86 ms) comparable to, and slightly faster than, the traditional database path. Although the end-to-end latency is inherently governed by on-chain confirmation (≈0.586–1.086 s), the scalability remains high (up to 100,000 TPS). This validates that the architecture secures IoT ecosystems with manageable operational overhead. Full article
(This article belongs to the Special Issue Blockchain Technologies: Emerging Trends and Real-World Applications)

17 pages, 12790 KB  
Article
EGAN: Encrypting GAN Models Based on Self-Adversarial
by Yujie Zhu, Wei Li, Yuhang Jiang, Yanrong Huang and Faming Fang
Mathematics 2025, 13(24), 4008; https://doi.org/10.3390/math13244008 - 16 Dec 2025
Viewed by 316
Abstract
The increasing prevalence of deep learning models in industry has highlighted the critical need to protect the intellectual property (IP) of these models, especially generative adversarial networks (GANs) capable of synthesizing realistic data. Traditional IP protection methods, such as watermarking model parameters (white-box) or verifying outputs (black-box), are insufficient against non-public misappropriation. To address these limitations, we introduce EGAN (Encrypted GANs), which secures GAN models by embedding a novel self-adversarial mechanism. This mechanism is trained to actively maximize the feature divergence between authorized and unauthorized inputs, thereby intentionally corrupting the outputs from non-key inputs and preventing unauthorized operation. Our methodology utilizes key-based transformations applied to GAN inputs and incorporates a generator loss regularization term to enforce model protection without compromising performance. This technique is compatible with existing watermark-based verification methods. Extensive experimental evaluations reveal that EGAN maintains the generative capabilities of original GAN architectures, including DCGAN, SRGAN, and CycleGAN, while exhibiting robust resistance to common attack strategies such as fine-tuning. Compared with prior work, EGAN provides comprehensive IP protection by ensuring unauthorized users cannot achieve desired outcomes, thus safeguarding both the models and their generated data. Full article
(This article belongs to the Special Issue Information Security and Image Processing)

33 pages, 849 KB  
Review
Transport and Application Layer Protocols for IoT: Comprehensive Review
by Ionel Petrescu, Elisabeta Niculae, Viorel Vulturescu, Andrei Dimitrescu and Liviu Marian Ungureanu
Technologies 2025, 13(12), 583; https://doi.org/10.3390/technologies13120583 - 11 Dec 2025
Viewed by 1146
Abstract
The Internet of Things (IoT) connects billions of heterogeneous devices, necessitating lightweight, efficient, and secure communication protocols to support a diverse range of use cases. While physical and network-layer technologies enable connectivity, transport and application-layer protocols determine how IoT devices exchange, manage, and secure information. The diverse and constrained nature of IoT devices presents a challenge in selecting appropriate communication protocols, with no one-size-fits-all solution existing. This article provides a comprehensive review of key transport and application protocols in IoT, including MQTT, MQTT-SN, CoAP, LwM2M, AMQP, XMPP, WebSockets, HTTP/HTTPS, and OPC UA. Each protocol is examined in terms of its design principles, communication patterns, reliability mechanisms, and security features. The discussion highlights their suitability for different deployment scenarios, ranging from resource-constrained sensor networks to industrial automation and cloud-integrated consumer devices. By mapping protocol characteristics to IoT requirements, such as scalability, interoperability, power efficiency, and manageability, the article provides guidelines for selecting the optimal protocol stack to optimize IoT system performance and long-term sustainability. Our analysis reveals that while MQTT dominates cloud telemetry, CoAP and LwM2M are superior in IP-based constrained networks, and emerging solutions like OSCORE are critical for end-to-end security. Full article

15 pages, 2498 KB  
Article
A Hybrid CMOS-MTJ Polymorphic Logic for Secure and Versatile IC Design
by Rajat Kumar, Yogesh Sharma and Amit Kumar Goyal
Magnetochemistry 2025, 11(12), 108; https://doi.org/10.3390/magnetochemistry11120108 - 8 Dec 2025
Viewed by 481
Abstract
Recent advancements in nanotechnology have intensified research efforts to address security concerns like hardware trojans and intellectual property (IP) piracy, particularly by exploring novel alternatives to traditional MOSFET devices. Spin-based devices, known for their low power consumption, non-volatility, and seamless integration with silicon substrates, have emerged as promising candidates. This research proposes a novel approach to enhance the security of integrated circuits using spin-based devices known as magnetic tunnel junctions (MTJs). A Non-volatile Polymorphic Logic (NPL) is optimized and designed to perform multiple operations, effectively concealing its true functionality. The analytical studies conducted on the Cadence Virtuoso platform using TSMC 65 nm MOS technology demonstrate the feasibility and efficacy of the proposed approach. The proposed NPL circuit enables polymorphism by allowing the circuit to perform all one- and two-input Boolean logic operations, including NOT, AND/NAND, OR/NOR, and XOR/XNOR, through adjustments of applied keys. This dynamic functionality makes it challenging for attackers to determine the circuit’s true operation. The proposed design exhibits similar timing characteristics for different logic operations, which further complicates the tampering attempts. Additionally, the circuit’s layout is designed to be symmetric, ensuring the execution of all possible operations by the same physical layout. This provides post-manufacturing security from reverse engineering and finds its applications in securing custom IC designs against the evolving landscape of hardware-based threats.
(This article belongs to the Special Issue Design and Application of Spintronic Devices)

16 pages, 434 KB  
Article
Flexible and Area-Efficient Codesign Implementation of AES on FPGA
by Oussama Azzouzi, Mohamed Anane, Mohamed Chahine Ghanem, Yassine Himeur and Dominik Wojtczak
Cryptography 2025, 9(4), 78; https://doi.org/10.3390/cryptography9040078 - 1 Dec 2025
Cited by 1 | Viewed by 864
Abstract
As embedded and IoT systems demand secure and compact encryption, developing cryptographic solutions that are both lightweight and efficient remains a major challenge. Many existing AES implementations either lack flexibility or consume excessive hardware resources. This paper presents an area-efficient and flexible AES-128 implementation based on a hardware/software (HW/SW) co-design, specifically optimized for platforms with limited hardware resources, resulting in reduced power consumption. In this approach, key expansion is performed in software on a lightweight MicroBlaze processor, while encryption and decryption are accelerated by dedicated hardware IP cores optimized at the Look-up Table (LuT) level. The design is implemented on a Xilinx XC5VLX50T Virtex-5 FPGA, synthesized using Xilinx ISE 14.7, and tested at a 100 MHz system clock. It achieves a throughput of 13.3 Gbps and an area efficiency of 5.44 Gbps per slice, requiring only 2303 logic slices and 7 BRAMs on a Xilinx FPGA. It is particularly well-suited for resource-constrained applications such as IoT nodes, secure mobile devices, and smart cards. Since key expansion is executed only once per session, the runtime is dominated by AES core operations, enabling efficient processing of large data volumes. Although the present implementation targets AES-128, the HW/SW partitioning allows straightforward extension to AES-192 and AES-256 by modifying only the software Key expansion module, ensuring practical scalability with no hardware changes. Moreover, the architecture offers a balanced trade-off between performance, flexibility and resource utilization without relying on complex pipelining. Experimental results demonstrate the effectiveness and flexibility of the proposed lightweight design.