Typical isolation models are studied and a new application security isolation model called NASI is proposed, based on trusted computing technology and the least privilege principle. This paper introduces the design ideas of NASI, gives a formal description and safety analysis of the model, and finally describes the implementation of a prototype system based on NASI.
This study presents a methodology to evaluate and prevent security vulnerabilities in web applications. The analysis process is based on techniques and tools that allow white-box and black-box security assessments to be performed, so that the security validation of a web application is carried out in an agile and precise way. The objective of the methodology is to take advantage of the synergies between semi-automatic static and dynamic security analysis tools and manual checks. Each of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage, so that the results generated in one phase are used as input for the following phases in order to obtain an optimized global security analysis result. The methodology can be used as part of other, more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle (SSDLC). A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics. Dynamic analysis with manual checking is used to audit the results: 24.6 per cent of the security vulnerabilities reported by the static analysis were checked, which allows the study of which vulnerabilities can be directly exploited externally. This phase is very important because it permits each reported vulnerability to be checked by a second, dynamic tool to confirm whether it is a true or false positive, and it allows the study of which vulnerabilities can be directly exploited externally. Dynamic analysis finds six (6) additional critical vulnerabilities. Access control analysis finds another five (5) important vulnerabilities such as Insufficiently Protected Passwords or Weak Password Policy and Excessive Authentication Attacks, two vulnerabilities that permit brute force attacks.
Various mobile devices and applications are now used in daily life. These devices require high-speed data processing, low energy consumption, low communication latency, and secure data transmission, especially in 5G and 6G mobile networks. High-security cryptography guarantees that essential data can be transmitted securely; however, it increases energy consumption and reduces data processing speed. Therefore, this study proposes a low-energy data encryption (LEDE) algorithm based on the Advanced Encryption Standard (AES) for improving data transmission security and reducing the energy consumption of encryption in Internet-of-Things (IoT) devices. In the proposed LEDE algorithm, the system time parameter is employed to create a dynamic S-Box that replaces the static S-Box of AES. Tests indicated that six-round LEDE encryption achieves the same security level as 10-round conventional AES encryption. This reduction in rounds results in the LEDE algorithm having 67.4% lower energy consumption and a 43.9% shorter encryption time than conventional AES; thus, the proposed LEDE algorithm can improve the performance and reduce the energy consumption of IoT edge devices.
Excessive nitrogen (N) fertilization in intensive agricultural areas such as the plain region of South China has resulted in low nitrogen use efficiency and serious environmental problems. To determine the optimum N application rate, grain yield, apparent nitrogen recovery efficiency (ANRE), apparent N loss, and ammonium (NH3) volatilization under different N application rates were studied in the three years from 2012 to 2014. The results showed that the relationships between grain yield and N application rate in the three years were well fitted by quadratic equations. When the N application rate reached 197 kg ha^(–1) in 2012, 199 kg ha^(–1) in 2013 and 196 kg ha^(–1) in 2014, the plateau of the grain yield appeared. With increasing N application rate, the ANRE for rice decreased, which could be expressed with a sigmoidal equation; when the N application rate was 305 kg ha^(–1) in 2012, 275 kg ha^(–1) in 2013 and 312 kg ha^(–1) in 2014, the ANRE curves showed turning points. Besides, the relationship between soil residual N and N application rate was fitted by a quadratic equation, and the maxima of soil residual N were reached in the three years at N application rates of 206, 244 and 170 kg ha^(–1), respectively. Statistical analysis indicated that NH3 volatilization and apparent N loss in all three years increased with increasing N application rate. When the amount of NH3 volatilization increased to 11.6 kg N ha^(–1) in 2012, 40.5 kg N ha^(–1) in 2013 and 57.0 kg N ha^(–1) in 2014, the apparent N loss in the three years increased markedly. To determine the optimum N application rate, the average N application rate on the plateau of the grain yield was taken as the lower limit, while the average N application rate at the turning points of ANRE, residual N in soil and apparent N loss was taken as the upper limit. According to the results of the three years, the optimum N application rate for rice in Zhejiang was 197–255 kg ha^(–1).
With the growth of digitized data transmitted over the Internet, the issues of information security, data privacy, and forensic analysis have attracted more and more attention. Researchers have provided solutions for problems in the field. The objective of this special issue is to present research and development activities in these various aspects. After a very careful review,
This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool. The web-based applications (websites) were analyzed to determine whether security headers have been correctly implemented. The experiment was iterated over 100 highly ranked universities in Africa. The purposive sampling technique was employed to understand the status quo of security header implementation. The results revealed that 70% of the web-based applications in Africa have not enforced security headers. The study proposes a secure system architecture design for addressing web-based applications' misconfiguration and insecure design. It presents security techniques for securing web-based applications by hardening security headers using automated threat modelling techniques. Furthermore, it recommends adopting security headers in web-based applications using the proposed secure system architecture design.
Despite only being around for a few years, mobile devices have steadily risen to become the most extensively used computing devices. Given the number of people who rely on smartphones, which can install third-party apps, it has become an increasingly important issue for end-users and service providers to ensure that both the devices and the underlying network are secure. People will become more reliant on applications such as SMS, MMS, Internet access, online transactions, and so on due to such features and capabilities. Thousands of devices ranging from low-cost phones to high-end luxury phones are powered by the Android operating system, which has dominated the smartphone marketplace. This makes it possible for people from all socioeconomic backgrounds to obtain and use mobile devices in their daily activities. In response to this growing popularity, the number of new applications introduced to the Android market has skyrocketed. The recent appearance of a wide range of mobile malware has caught the attention of security professionals and scholars alike. In light of the ongoing expansion of the mobile phone industry, the likelihood of it being used in criminal activities will only continue to rise. This article reviews the literature on malware detection and prevention in Android mobile devices, analyzes the existing literature on major studies and tasks, and covers articles, journals, and digital resources such as Internet security publications, scientific studies, and conferences.
The advancement of technology and the digitization of organizational functions and services have propelled the world into a new era of computing capability and sophistication. The proliferation and usability of such complex technological services raise several security concerns. One of the most critical is cross-site scripting (XSS) attacks. This paper concentrates on revealing and comprehensively analyzing XSS injection attacks, their detection, and their prevention concisely and accurately. I have done a thorough study and reviewed several research papers and publications with a specific focus on researchers' defensive techniques for preventing XSS attacks, and subdivided them into five categories: machine learning techniques, server-side techniques, client-side techniques, proxy-based techniques, and combined approaches. The majority of the existing cutting-edge XSS defensive approaches carefully analyzed in this paper offer protection against traditional XSS attacks, such as stored and reflected XSS. There is currently no reliable solution that provides adequate protection against the newly discovered XSS attacks known as DOM-based and mutation-based XSS. After reading all of the proposed models and identifying their drawbacks, I recommend a combination of static and dynamic analysis and code auditing in conjunction with secure coding and continuous user awareness campaigns about emerging XSS attacks.
Software Defined Networking (SDN) is a revolutionary networking paradigm for the future network and is experiencing rapid development. However, its main characteristic, the separation of the control plane and data plane, also brings new security challenges, i.e., Denial-of-Service (DoS) attacks specific to OpenFlow SDN networks that exhaust the control plane bandwidth and overload the buffer memory of the OpenFlow switch. To mitigate DoS attacks in OpenFlow networks, we design and implement SGuard, a security application on top of the NOX controller that mainly contains two modules: an access control module and a classification module. We employ a novel six-tuple as the feature vector to classify traffic flows, while optimizing classification with feature ranking and selection algorithms. All the modules cooperate with each other to complete a series of tasks such as authorization, classification and so on. At the end of this paper, we use Mininet to evaluate SGuard experimentally in a software environment. The results show that SGuard works efficiently and accurately without adding overhead to the SDN network.
Research on biometrics for high security applications has not attracted as much attention as civilian or forensic applications. Limited research and deficient analysis so far have led to a lack of general solutions and leave this as a challenging issue. This work provides a systematic analysis and identification of the problems to be solved in order to meet the performance requirements for high security applications, a double low problem. A hybrid ensemble framework is proposed to solve this problem. Setting an adequately high threshold for each matcher can guarantee a zero false acceptance rate (FAR), and then using the hybrid ensemble framework makes the false reject rate (FRR) as low as possible. Three experiments are performed to verify the effectiveness and generalization of the framework. First, two fingerprint verification algorithms are fused. In this test only 10.55% of fingerprints are falsely rejected with a zero false acceptance rate, which is significantly lower than other state of the art methods. Second, in face verification, the framework also results in a large reduction in incorrect classification. Finally, assessing the performance of the framework on a combination of face and gait verification using a heterogeneous database shows that this framework can achieve both 0% false rejection and 0% false acceptance simultaneously.
Cancelable biometrics are required in most remote access applications that need an authentication stage, such as the cloud and Internet of Things (IoT) networks. The objective of using cancelable biometrics is to protect the original ones from hacking attempts. A generalized algorithm to generate cancelable templates that is applicable to both single and multiple biometrics is proposed in this paper for cloud and IoT applications. The original biometric is blurred with two co-prime operators. Hence, it can be recovered as the Greatest Common Divisor (GCD) of its two blurred versions. Minimal changes, if induced in the biometric image prior to processing with the co-prime operators, prevent the recovery of the original biometric image through a GCD operation. Hence, the ability to change cancelable templates is guaranteed, since the owner of the biometric can pre-determine and manage the minimal change induced in the biometric image. Furthermore, we test the utility of the proposed algorithm in the single- and multi-biometric scenarios. The multi-biometric scenario depends on compressing face, fingerprint, iris, and palm print images simultaneously to generate the cancelable templates. Evaluation metrics such as Equal Error Rate (EER) and Area under the Receiver Operating Characteristic curve (AROC) are considered. Simulation results on single- and multi-biometric scenarios show high AROC values up to 99.59% and low EER values down to 0.04%.
Logic flaws within web applications allow malicious operations to be triggered against the back-end database. Existing approaches to identifying logic flaws in database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB-based web applications. Our approach introduces a MongoDB operation model to support the new features of MongoDB and models the application logic as a Mealy finite state machine. During the testing phase, test inputs that emulate state violation attacks are constructed to identify logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.
Software vulnerabilities, when actively exploited by malicious parties, can lead to catastrophic consequences. Proper handling of software vulnerabilities is essential in the industrial context, particularly when the software is deployed in critical infrastructures. Therefore, several industrial standards mandate secure coding guidelines and the training of industrial software developers, as software quality is a significant contributor to secure software. CyberSecurity Challenges (CSC) form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise the secure coding awareness of software developers in industry. These cybersecurity awareness events have been used with success in industrial environments. However, until now, these coached events took place on-site. In the present work, we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online. The introduced cybersecurity awareness platform, which the authors call Sifu, performs automatic assessment of challenges for compliance with secure coding guidelines, and uses an artificial intelligence method to provide players with solution-guiding hints. Furthermore, due to its characteristics, the Sifu platform allows for remote (online) learning in times of social distancing. The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events. We report on three surveys showing that the Sifu platform's CSC events are adequate to raise industry software developers' awareness of secure coding.
Research based on user behavior analysis for authentication is the motivation for this work. We move ahead using a behavioral approach to distinguish malicious users from legitimate users. In this paper, we explain how we applied big data analytics to application-layer logs and predicted malicious users by employing a Machine Learning algorithm based on certain metrics explained later in the paper. Machine Learning presents a list of IP addresses or user identification tokens (UIT), deduced from live data, which are performing malicious activity or are suspected of malicious activity based on their browsing behavior. We created an e-commerce web application and intentionally induced vulnerabilities for this purpose. We hosted our setup on the LAMP [1] stack on the AWS cloud [2]. This method has huge potential, as any organization can apply it to monitor probable attackers and thus narrow down their efforts to safeguard their infrastructure. The idea is based on the fact that the browsing pattern, as well as the access pattern, of a genuine user varies widely from that of a hacker. These patterns are used to sort the incoming traffic and list the IP addresses and UIT that are the most probable cases of hack attempts.
Funding (low-energy data encryption (LEDE) study): This work was supported by the National Science and Technology Council, Taiwan, under Project NSTC 112-2221-E-029-015.
Funding (nitrogen application rate study): Supported by the National Natural Science Foundation of China (41501238), the Key Technologies R&D Program of China during the 12th Five-Year Plan period (2015BAD23B03), and the Special Fund for Agro-scientific Research in the Public Interest from the Ministry of Agriculture, China (201003014-02-08).
Funding: Supported by the National Key Research and Development Program of China (No. 2016YFB0800100, 2016YFB0800101), the National Natural Science Fund for Creative Research Groups Project (No. 61521003), and the National Natural Science Fund for Youth Found Project (No. 61602509).
Abstract: Software Defined Networking (SDN) is a revolutionary networking paradigm towards the future network, experiencing rapid development nowadays. However, its main characteristic, the separation of control plane and data plane, also brings about new security challenges, i.e., Denial-of-Service (DoS) attacks specific to OpenFlow SDN networks that exhaust the control plane bandwidth and overload the buffer memory of the OpenFlow switch. To mitigate DoS attacks in OpenFlow networks, we design and implement SGuard, a security application on top of the NOX controller that mainly contains two modules: an access control module and a classification module. We employ a novel six-tuple as the feature vector to classify traffic flows, meanwhile optimizing classification by feature ranking and selection algorithms. All the modules cooperate with each other to complete a series of tasks such as authorization, classification and so on. At the end of this paper, we experimentally use Mininet to evaluate SGuard in a software environment. The results show that SGuard works efficiently and accurately without adding more overhead to the SDN networks.
Abstract: Research on biometrics for high security applications has not attracted as much attention as civilian or forensic applications. Limited research and deficient analysis so far has led to a lack of general solutions and leaves this as a challenging issue. This work provides a systematic analysis and identification of the problems to be solved in order to meet the performance requirements for high security applications, a double low problem. A hybrid ensemble framework is proposed to solve this problem. Setting an adequately high threshold for each matcher can guarantee a zero false acceptance rate (FAR), and then using the hybrid ensemble framework makes the false reject rate (FRR) as low as possible. Three experiments are performed to verify the effectiveness and generalization of the framework. First, two fingerprint verification algorithms are fused. In this test only 10.55% of fingerprints are falsely rejected with zero false acceptance rate; this is significantly lower than other state of the art methods. Second, in face verification, the framework also results in a large reduction in incorrect classification. Finally, assessing the performance of the framework on a combination of face and gait verification using a heterogeneous database shows this framework can achieve both 0% false rejection and 0% false acceptance simultaneously.
Funding: This research was funded by the Deanship of Scientific Research at Princess Nourah Bint Abdulrahman University through the Fast-track Research Funding Program to support publication in the top journal (Grant No. 42-FTTJ-13).
Abstract: Cancelable biometrics are required in most remote access applications that need an authentication stage, such as the cloud and Internet of Things (IoT) networks. The objective of using cancelable biometrics is to save the original ones from hacking attempts. A generalized algorithm to generate cancelable templates that is applicable on both single and multiple biometrics is proposed in this paper to be considered for cloud and IoT applications. The original biometric is blurred with two co-prime operators. Hence, it can be recovered as the Greatest Common Divisor (GCD) between its two blurred versions. Minimal changes, if induced in the biometric image prior to processing with co-prime operators, prevent the recovery of the original biometric image through a GCD operation. Hence, the ability to change cancelable templates is guaranteed, since the owner of the biometric can pre-determine and manage the minimal change induced in the biometric image. Furthermore, we test the utility of the proposed algorithm in the single- and multi-biometric scenarios. The multi-biometric scenario depends on compressing face, fingerprint, iris, and palm print images, simultaneously, to generate the cancelable templates. Evaluation metrics such as Equal Error Rate (EER) and Area under the Receiver Operator Characteristic curve (AROC) are considered. Simulation results on single- and multi-biometric scenarios show high AROC values up to 99.59%, and low EER values down to 0.04%.
Funding: Supported by the China Scholarship Council, Tianjin Science and Technology Committee (No. 12JCZDJC20800), the Science and Technology Planning Project of Tianjin (No. 13ZCZDGX01098), NSF TRUST (The Team for Research in Ubiquitous Secure Technology) Science and Technology Center (No. CCF-0424422), the National High Technology Research and Development Program of China (863 Program) (No. 2013BAH01B05), and the National Natural Science Foundation of China (No. 61402264).
Abstract: Logic flaws within web applications will allow malicious operations to be triggered towards the back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB-based web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a Mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.
Abstract: Software vulnerabilities, when actively exploited by malicious parties, can lead to catastrophic consequences. Proper handling of software vulnerabilities is essential in the industrial context, particularly when the software is deployed in critical infrastructures. Therefore, several industrial standards mandate secure coding guidelines and industrial software developers' training, as software quality is a significant contributor to secure software. CyberSecurity Challenges (CSC) form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry. These cybersecurity awareness events have been used with success in industrial environments. However, until now, these coached events took place on-site. In the present work, we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online. The introduced cybersecurity awareness platform, which the authors call Sifu, performs automatic assessment of challenges in compliance with secure coding guidelines, and uses an artificial intelligence method to provide players with solution-guiding hints. Furthermore, due to its characteristics, the Sifu platform allows for remote (online) learning in times of social distancing. The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events. We report on three surveys showing that the Sifu platform's CSC events are adequate to raise industry software developers' awareness on secure coding.
Abstract: Research based on user behavior analysis for authentication is the motivation for this research. We move ahead using a behavioral approach to identify malicious users and legitimate users. In this paper, we have explained how we have applied big data analytics to application-layer logs and predicted malicious users by employing a Machine Learning algorithm based on certain metrics explained later in the paper. Machine Learning would present a list of IP addresses or user identification tokens (UIT), deduced from live data, which would be performing a malicious activity or are suspected of malicious activity based on their browsing behavior. We have created an e-commerce web application and induced vulnerabilities intentionally for this purpose. We have hosted our setup on a LAMP [1] stack based on AWS cloud [2]. This method has a huge potential as any organization can apply this to monitor probable attackers, thus narrowing down their efforts to safeguard their infrastructure. The idea is based on the fact that the browsing pattern, as well as the access pattern, of a genuine user varies widely from that of a hacker. These patterns would be used to sort the incoming traffic and list out IP addresses and UIT that are the most probable cases of hack attempts.