فهرست مطالب پیام محمودی نصر

Wireless Body Area Network (WBAN) is a pioneer trend in healthcare technology. Since any cyber-attack on a WBAN could jeopardize the patient's health, securing the WBAN plays a crucial role in healthcare applications. An intrusion detection system (IDS), as a second-line defense, is one of the security methods in computer networks. In this paper, a new IDS has been presented which is able to detect denial of service (DoS) attacks in a WBAN. In the proposed IDS, a genetic algorithm is used to select features of collected data, in a way that increases the performance of the IDS and as a result the WBAN. Then, using support vector machine and k nearest neighbor techniques, the data classification is performed to detect DoS traffic from regular data traffic. Simulation results indicate that the proposed IDS has effective performance with a 90% detection rate.

Today, data plays an essential role in all levels of human life, from personal cell phones to medical, educational, military and government agencies. In such circumstances, the rate of cyber-attacks is also increasing. According to official reports, data breaches exposed 4.1 billion records in the first half of 2019. An information system consists of several components, which one of the most important them is the database. A database in addition to being a repository of data, acts as a common information bus between system components. For this reason, any attack on the database may disrupt the operation of other components of the system. In fact, database security is shared throughout the whole information system. The attack may carried out in various ways, such as data theft, damaging data, and privacy breach. According to the sensitivity of the stored data, database attack could lead to significant human and financial losses even at the national level. Among the different types of threats, since legitimate operator plays a key role in an information system, his/her threat is one of the most dangerous threats to the security and integrity of a database system. This type of cyber-attack occurs when an insider operator abuses his/her legal permissions in order to access unauthorized data. In this paper, a new performance-based authorization framework has been presented which is able to reduce the potential of insider threat in the database system. The proposed method insure that only authenticated operator performs authorized activities on the database objects. In the proposed framework, the access permission of the operator to a database table is determined using his/her performance and the level of sensitivity of the table. The value of the operator performance is updated periodically or when an abuse is detected, in order to protect access to the contents of a database as well as preserve the consistency, integrity, and overall quality of the data. Simulation results, using real dataset from a hospital information system, indicate that the proposed framework has effective performance for mitigating insider threats.

Today, we are witnessing the expansion of various Internet of Things (IoT) applications and services such as monitoring and health. These services are delivered to users via smart devices anywhere and anytime. Forecasts show that the IoT, which is controlled online in the user environment, will reach 25 billion devices worldwide by 2020. Data security is one of the main concerns in the IoT. The IoT is supposed to deal with a population of about billions of objects, so the number of malicious attacks can be very high and alarming given the global connection (anyone access) and the wide availability (access to any place at any time). However, these accesses can make security and privacy critical. Reports show that 26% of IoT attacks in 2019 were related to non-authentication, which is why IoT authentication has become one of the most sensitive security concepts. IoT devices are usually left unattended and this makes it easy for an attacker to target such equipment. For example, security breaches and unwanted changes in patient's health parameters in smart health care systems can cause wrong treatments or even lead to his death. The fact that each device in the IoT knows who it is communicating with and at what level of access is one of the important aspects of security, especially in cases where various devices with different capabilities have to perform common tasks and cooperate with each other. IoT authentication is a trust model to protect control access and data when information travels between devices. So far, different methods have been proposed for authentication in the IoT network. These methods are usually based on the public key, private key, random key distribution, and hash function. A point that should be taken into account in IoT authentication is that IoT networks and devices have limited bandwidth, low memory, low processing power, and energy limitations. Therefore, the proposed method should pay special attention to such limitations. In addition, IoT authentication needs to ensure enhanced security features such as confidentiality, data integrity, reliability, maintainability, scalability, and privacy to their consumers. This paper proposes a two-way or mutual authentication protocol in which both devices authenticate each other without human intervention in a smart home network. The proposed protocol is based on asymmetric encryption for authentication of devices, which have a shared private session key, along with hashing operations in the network. Also, to ensure the security of communications at each session, each device has a one-time private session key. The session keys are changed regularly to ensure the security of sessions between devices. The proposed protocol is programmed by HLPSL and simulated and verified by the SPAN and AVISPA tools. The security analysis results show the proposed protocol is extremely practical, and secure against potential attacks.

Supervisory control and data acquisition (SCADA) system monitors and controls industrial processes in critical infrastructures (CIs) and plays the vital role in maintaining the reliability of CIs such as power, oil, and gas system. In fact, SCADA system refers to the set of control process, which measures and monitors sensors in remote substations from a control center. These sensors usually have a type of automated response capability when a certain criteria is met. When an abnormal system status occurs, an alarm signal is raised in control center and as a result the operator will be notified. In this way, all normal and abnormal system statuses are monitored in control center. In CI’s application, since several substation resources and their related sensors are too high (because the CI’s grid is often large, complex and wide), the number of alarms is very high. It gets worse when the operator mistakes and as a result, cascading alarms are flooded. In this condition, the rate of raising alarms may be more than clearing them. In SCADA system, alarm clearing is one of the main duties of operators. When an alarm is raised in control center, the operator should clear it as soon as possible. However, the recent reports confirm the poor alarm clearing causes accidents in the SCADA system. As any operator mistake can increase the number of alarms and jeopardize the system reliability, alarms processing and decision-making for clearing them are a stressful and time-consuming for the SCADA operators. In a large and complex CI such as power system, when operators are overwhelmed by the system alarms, they may take wrong decisions and even ignore alarms. Alarm flooding, lots of operator’s workload and his/her fatigue as a result, are the main causes of operator’s mistake. If generating of an alarm in a remote substation is denoted as an operational cycle in an SCADA system until clearing it by the operator in control center, the aim of this paper is modeling the operational cycle by using colored petri nets. The proposed model is based on a general approach which alarm messages are integrated with the operator’s commands. Of course, the model focuses on generating of alarms by substation resources. To verify the proposed model, a real data set of power system of Iran is used and to demonstrate the potential of the proposed model some scenarios about operator’ workload and alarm flooding are simulated.

One of the most dangerous insider threats in a supervisory control and data acquisition (SCADA) system is the operational threat. An operational threat occurs when an authorized operator misuses the permissions, and brings catastrophic damages by sending legitimate control commands. Providing too many permissions may backfire, when an operator wrongly or deliberately abuses the privileges. Therefore, an access management system is required to provide necessary permissions and prevent malicious usage. An operational threat on a critical infrastructure has the potential to cause large financial losses and irreparable damages at the national level. In this paper, we propose a new alarm-trust based access management system reducing the potential of operational threats in SCADA system. In the proposed system, the accessibility of a remote substation will be determined based on the operator trust and the criticality level of the substation. The trust value of the operator is calculated using the performance of the operator, periodically or in emergencies, when an anomaly is detected. The criticality level of the substation is computed using its properties. Our system is able to detect anomalies that may result from the operational threats. The simulation results in the SCADA power system of Iran show effectiveness of our system.

Insider attack is one of the most dangerous threats for the security of a critical infrastructure (CI). An insider attack occurs when an authorized operator misuses his/her permissions in order to perform malicious operations in the CI. Providing too many permissions for an operator may backfire when the operator abuses his/her privileges, either intentional or unintentional. Therefore, an access control model is required to provide necessary permissions in order to prevent malicious operations. In this paper, a hybrid access control model (HAC) has been proposed for CI applications which are monitored and controlled by a CIM (IEC-61970-301 common information model)-based supervisory control and data acquisition system. The proposed HAC is an extension of the mandatory and role-based access control models. In the proposed model, the permissions of an operator will be determined according to the predefined types of responsibilities, grid statuses, activation times of roles, security levels, and their periods of validity. A colored Petri-net is employed to simulate and illustrate the effectiveness of the proposed HAC.

One of the most dangerous insider threats in a supervisory control and data acquisition (SCADA) system is operational threat. An operational threat occurs when an SCADA operator does not perform his duties, or decides to abuse the privileges in order to perform malicious operations in remote substations. An operational threat on a critical infrastructure has the potential to cause large financial losses and irreparable damages at the national level. In this paper a new alarm-based anomaly detection system has been proposed to detect operational threats in SCADA system. The proposed system uses statistical quality control techniques for detecting anomalies and estimating control limits. The value of anomaly is calculated according to the severity of longed-unresolved alarms. The simulation results in power system SCADA as a case study show effectiveness of proposed system.