  • Bhubaneswar, India
Recent advances in cloud technology facilitate data owners having limited resources to outsource their data and computations to remote servers in the Cloud. To protect against unauthorized information access, sensitive data are encrypted before outsourcing. However, traditional cryptosystems need to decrypt ciphertext for outsourced computations, which may violate data security and may also introduce higher computational complexity. Homomorphic encryption is a solution that allows performing computations directly on ciphertext. On the other hand, it is evident that the computations on data may vary from user to user depending on the requirements. So, it is not always feasible to allow all computations to different users on the whole ciphertext stored in the cloud. In this paper, we propose a framework for integration of a role based access control (RBAC) mechanism with a homomorphic cryptosystem for secure and controlled access of data in the cloud. Our proposed framework is developed based on trust and role hierarchy with multi-granular operational access rights to heterogeneous stakeholders or users.
A group of mobile nodes with limited capabilities dispersed in different clusters forms the backbone of Mobile Ad-Hoc Networks (MANET). In such situations, the requirements (mobility, performance, security, trust and timing constraints) vary with change in context, time, and geographic location of deployment. This leads to various performance and security challenges which necessitate a trade-off between them on the application of routing protocols in a specific context. The focus of our research is towards developing an adaptive and secure routing protocol for Mobile Ad-Hoc Networks, which dynamically configures the routing functions using varying contextual features with secure and real-time processing of traffic. In this paper, we propose a formal framework for modelling and verification of requirement constraints to be used in designing adaptive routing protocols for MANET. We formally represent the network topology, behaviour, and functionalities of the network in SMT-LIB languag...
Nowadays, the digitization of the world is under a serious threat due to the emergence of various new and complex malware every day. Due to this, the traditional signature-based methods for detection of malware have effectively become obsolete. The efficiency of machine learning techniques in the context of malware detection has been proved by state-of-the-art research works. In this paper, we have proposed a framework to detect and classify different files (e.g., exe, pdf, php, etc.) as benign and malicious using a two-level classifier, namely, Macro (for detection of malware) and Micro (for classification of malware files as a Trojan, Spyware, Adware, etc.). Our solution uses Cuckoo Sandbox for generating static and dynamic analysis reports by executing the sample files in the virtual environment. In addition, a novel feature extraction module has been developed which functions based on static, behavioral and network analysis using the reports generated by the Cuckoo Sandbox. The Weka Framework is used to develop machine learning models by using training datasets. The experimental results using the proposed framework show a high detection rate and a high classification rate using different machine learning algorithms.
A firewall is a core element of a network security system which takes care of the availability, privacy, and integrity of network resources. However, managing a system with large-scale, heterogeneous policies is complex and error prone. In multi-firewall systems, it is very important to configure the policy rules in the relevant firewall to prevent malicious flow into the network. Any modification to a firewall rule or insertion of a new rule needs intra- and inter-firewall conflict resolution to find the correct mapping of rule to firewall. In SDN, the controller generates flow rules for different switches depending on application requirements and network topologies. A firewall can be used as a first line of defense against different attacks on the data plane and the control plane of SDN. The state-of-the-art work on firewall implementation in SDN shows various anomalies that may introduce functional failures and security violations. In this paper, we have proposed a novel approach for distributed anomaly-free firewall implementation on the SDN controller. Here, the controller receives the firewall policies of different domains through the northbound API, resolves the intra- and inter-firewall conflicts, and derives a single anomaly-free firewall policy at the controller level. When the controller receives a packet_in message from a switch at run time, it selects a conflict-free rule from the global policy and sends it to the appropriate switches. We have evaluated our proposed distributed firewall system for different network topologies under different attack scenarios, e.g., DDoS attacks, and experimental results are reported. The results show the efficacy of our solution in terms of reduced malicious traffic flows and improvements in CPU utilization of the controller, packet loss and response time of legitimate packets.
Nowadays, malware has become a serious threat to the digitization of the world due to the emergence of various new and complex malware every day. Due to this, the traditional signature-based methods for detection of malware have effectively become obsolete. The efficiency of machine learning models in the context of detecting malware files has been proved by different research works and studies. In this paper, a framework has been developed to detect and classify different files (e.g., exe, pdf, php, etc.) as benign and malicious using a two-level classifier, namely, Macro (for detection of malware) and Micro (for classification of malware files as a Trojan, Spyware, Adware, etc.). Cuckoo Sandbox is used for generating static and dynamic analysis reports by executing files in the virtual environment. In addition, a novel model is developed for extracting features based on static, behavioral and network analysis using the analysis reports generated by the Cuckoo Sandbox. The Weka Framework is used to develop machine learning models by using training datasets. The experimental results using the proposed framework show a high detection rate with an accuracy of 100% using the J48 Decision tree model, 99% using SMO (Sequential Minimal Optimization) and 97% using Random Forest tree. They also show an effective classification rate with accuracy 100% using J48 Decision tree, 91% using SMO and 66% using Random Forest tree. These results are used for detecting and classifying unknown files as benign or malicious.
The Software Defined Network (SDN) paradigm provides a flexible execution platform for running different Network Control and Management Functions (NF). This provides scope for efficient management and control of traffic flows in the network. The network functions heavily rely on heterogeneous and complex network policies. These network policies can be defined by different administrators and configured (pushed to the controller) through distributed Network Application and Management Servers. Thus, efficient management and correct enforcement of network policies is an important but challenging problem. Our proposed policy management framework ensures that the policies are enforced by certified servers, and also focuses on detecting and resolving the potential conflicts among the heterogeneous policy rules. In addition, it maintains consistency between the flow table rules and the on-demand changes in policy rules in the application layer. Our proposed framework comprises three novel network control functions, namely, Trust_Verify, Policy_Conflict_Resolve and Policy_Consistency_Check. Together, these functions ensure security, correctness and adaptability with the dynamic on-demand changes in heterogeneous policy rules in an SDN environment. We demonstrate our framework with an extended case study of an SDN-based enterprise network.
The Mobile Ad Hoc Network (MANET) has become a key communication technology in various domains such as military defense networks, disaster and rescue operational command centers, vehicular networks, etc. The dynamic topology and open wireless communication medium may potentially introduce various security threats in MANET. The recent research on MANET focuses on developing security enforcement mechanisms based on various trust models. However, most of the existing trust models are application specific, which imposes limitations on their applicability with changes in requirements, resource constraints, and behavioural dynamics. In this paper, we present a comparative study of various trust models in MANET with respect to their performance, security enforcing features, and usability. This study experimentally reveals the limitations of existing trust models. It also shows that there is a need for designing adaptive, multi-level trust models for MANET that support heterogeneous applications with different requirements and contexts.
In this paper, we present NetSecSlider, an automated framework for synthesizing network configurations exploring various security and safety design alternatives. The design alternatives include distribution of different levels of isolation (firewall, IPSec, etc.) and safety enforcement processes (e.g., tampering of network flow) in the network. NetSecSlider takes the network topology, organizational security and safety requirements and business constraints as input, and synthesizes a correct and optimal security configuration. Finally, it determines the optimal placement of enabling devices in the network. The framework uses (i) an SMT solver for finding the correct and optimal security configuration and (ii) a method for determining the optimal placement of devices. The framework is evaluated on different networks with varying security and safety requirements.
One of the key indicators of leveraging Cloud Computing is the penetration of e-business among Cloud Service Providers (CSP). Cloud computing applications are being developed across various domains to enable easy and efficient access to data and services remotely. There is a potential for CSPs in applying e-business technologies, especially in the migration process between virtual machines (VM) running on different hosts. This is to enable efficient computing and resource sharing and to provide a real-time response. There is a need to integrate an auction (bidding) in the VM migration process by applying new business models in the cloud computing marketplace to ensure competitiveness among CSPs. This paper describes an effort to establish a novel bidding process for the VM migration process in the Cloud environment for e-business. The Internet-based auction process has been developed by considering English and Dutch auctions. Various components for VM auction (actors, relations, VM, and business model) are presented. The suitable architecture for the VM auction service and the required tools are described. The IDEF0 model has been used for the central functionality of the broker service. In this proposed approach, the objective is to make independent CSPs function in a co-operative manner to provide uninterrupted service to the users based on their interest and preference.
Cloud technology is becoming more and more popular in recent times. With the popularity of Cloud Computing, Cloud security becomes a vital issue in the Cloud computing domain. In particular, the new evolving threats to the enterprise cloud cause the firewall systems of the enterprise cloud to slow down operation. On the other hand, one of the central challenges in deploying Cloud applications into the existing environment is to configure the Cloud firewalls. The state-of-the-art practice is to open as many ports as required. Such a firewall policy is hazardous, and a more dynamic means of checking the firewall is called for. In this report, we offer a dynamic and dependable mechanism to adaptively control the firewall for enterprise cloud computing. A conceptual design and its implementation are also discussed.
In today's organizations, the large scale deployment of wireless networks has opened up new directions in network security management. The organizational security policies aim at protecting the network resources from unauthorized accesses in the wireless local area networks (WLAN). In WLAN security policy management, the standard IP‐based access control mechanisms are not sufficient due to dynamic changes in network topology and access control states. The role‐based access control (RBAC) models may be appropriate to strengthen the security perimeter over the network resources. However, formalizing the dynamic binding of the access policies to the roles, depending on various control states, is a major challenge. In this paper, we propose a WLAN security policy management framework based on a formal spatio‐temporal RBAC (STRBAC) model. The present work primarily focuses on dynamic computation of security policies based on various control states, its formal representation using STR...
Virtual machine migration auction (VMMA) is a bidding process to select potential target cloud service providers (CSPs) for migration. It is realized as a single application running on top of the hypervisor, where the overall communication between the CSPs is done through the Internet, an insecure channel. Therefore, ensuring security along with performance satisfaction of the VMMA system is an important but challenging problem. This requires identification of various threats and development of security and systematic protection mechanisms. In this paper, we present a security enforcement framework for the VMMA system. The core element of our proposed framework identifies various potential threats and security constraints by investigating different interactions between participants in the VMMA system. Then our framework extracts a set of formal security requirements based on the identified threats and enforces the security by using elliptic curve cryptography and bilinear pairing. Our approach will facilitate designing and implementing strong defense-in-depth security against various threats to the VMMA system in a cloud computing platform.
The Advanced Metering Infrastructure (AMI) is the core component in the smart grid that exhibits highly complex network configurations comprising heterogeneous cyber-physical components. These components are interconnected through different communication media, protocols, and secure tunnels, and they are operated using different data delivery modes and security policies. The inherent complexity and heterogeneity in AMI significantly increase the potential of security threats due to misconfiguration or absence of defense, which may cause devastating damage to AMI. Therefore, there is a need to create a formal model that can represent the global behavior of AMI configuration in order to verify the potential threats. In this paper, we present SmartAnalyzer, a formal security analysis tool, which offers manifold contributions: (i) formal modeling of AMI configuration including device configurations, topology, communication properties, interactions between the devices, data flows, and security properties; (ii) formal modeling of AMI invariant and user-driven constraints based on the interdependencies between AMI device configurations, security properties, and security control guidelines; (iii) verifying the AMI configuration's compliance with security constraints using a Satisfiability Modulo Theory (SMT) solver; (iv) generating a comprehensive security threat report with a possible remediation plan based on the verification results. The accuracy, scalability, and usability of the tool are evaluated on a real smart grid environment and synthetic test networks.
In today's organizations, the large scale deployment of wireless networks has opened up new directions in network security management. The organizational security policies aim at protecting the network resources from unauthorized accesses in the wireless local area networks (WLAN). In WLAN security policy management, the standard IP-based access control mechanisms are not sufficient due to dynamic changes in network topology and access control states. The role-based access control (RBAC) models may be appropriate to strengthen the security perimeter over the network resources. However, formalizing the dynamic binding of the access policies to the roles, depending on various control states, is a major challenge. In this paper, we propose a WLAN security policy management framework based on a formal spatio-temporal RBAC (STRBAC) model. The present work primarily focuses on dynamic computation of security policies based on various control states, its formal representation using STRBAC model, and security property verification of the proposed STRBAC model. The proposed policy management framework logically partitions the WLAN topology into various security policy zones. The framework includes a Central Authentication & Role Server (CARS) which authenticates the users (nodes) and access points (AP) and also assigns appropriate roles to the users; a Global Policy Server (GPS) that dynamically computes the global security policy and policy configurations for different policy zones based on local user-role and control state information; a distributed policy zone control architecture. Each policy zone consists of a Policy Zone Controller (WPZCon) which dynamically computes the low-level access configurations. Finally, a SAT based verification procedure has been presented for verifying the security properties of the proposed STRBAC model. Copyright © 2010 John Wiley & Sons, Ltd.
Generating Policy based Security Implementations in Enterprise Networks-A formal framework Padmalochan Bera School of Information Technology Indian Institute of Technology, Kharagpur 721302, India bera.padmalochan@gmail.com ...
Abstract—The complex security constraints in present day enterprise networks (wired or wireless LAN) demand formal analysis of security policy configurations deployed in the network. One of the needs of a network administrator is to evaluate network service accesses through ...
The widespread proliferation of wireless networks (WLAN) demands formal evaluation and analysis of security policy management in enterprise networks. The enforcement of organizational security policies in wireless local area networks (WLANs) requires protection of the network resources from unauthorized access. Hence it is required to ensure correct distribution of access control rules to the network access points conforming to the security policy. In WLAN security policy management, the role-based access control (RBAC) mechanisms can be deployed to strengthen the security perimeter over the network resources. Further, there is a need to model the time and location dependent access constraints. In this paper, we propose a WLAN security management system supported by a spatio-temporal RBAC (STRBAC) model and a SAT based verification framework. The system stems from logical partitioning of the WLAN topology into various security policy zones. It includes a Global Policy Server (GPS) that formalizes the organizational access policies and determines the high level policy configurations; a Central Authentication & Role Server (CARS) which authenticates the users and the access points (AP) in various zones and also assigns appropriate roles to the users. Each policy zone consists of a Wireless Policy Zone Controller (WPZCon) that co-ordinates with a dedicated Local Role Server (LRS) to extract the low level access configurations corresponding to the zone access router. We also propose a formal spatio-temporal RBAC (STRBAC) model to represent the global security policies formally and a SAT based verification framework to verify the access configurations.
In a typical enterprise network, there are several sub-networks or network zones corresponding to different departments or sections of the organization. These zones are interconnected through a set of Layer-3 network devices (or routers). The service accesses within the zones and also with the external network (e.g., Internet) are usually governed by an enterprise-wide security policy. This policy is implemented through an appropriate set of access control lists (ACL rules) distributed across various network interfaces of the enterprise network. Such networks face two major security challenges: (i) conflict-free representation of the security policy, and (ii) correct implementation of the policy through distributed ACL rules. This work presents a formal verification framework to analyze the security implementations in an enterprise network with respect to the organizational security policy. It generates a conflict-free policy model from the enterprise-wide security policy and then formally verifies the distributed ACL implementations with respect to the conflict-free policy model. The complexity in the verification process arises from extensive use of temporal service access rules and presence of hidden service access paths in the networks. The proposed framework incorporates formal modeling of conflict-free policy specification and distributed ACL implementation in the network and finally deploys a Boolean satisfiability (SAT) based verification procedure to check the conformance between the policy and implementation models.
In a typical local area network (LAN), the global security policies, often defined in abstract form, are implemented through a set of access control rules (ACL) placed in a distributed fashion to the access switches of its sub-networks. Proper enforcement of the global security policies of the network demands well-defined policy specification as a whole as well as correct implementation
A Mobile IP based WLAN Security Management Framework with Reconfigurable Hardware Acceleration Soumya Maity School of Information Technology Indian Institute of Technology, Kharagpur 721302, India soumyam@iitkgp.ac.in ...
The configuration and management of security policies in enterprise networks is becoming hard due to complex policy constraints of the organizations and dynamic changes in the network topologies. Typically, the organizational security policy is defined as a collection of rules for allowing/denying service accesses between various network zones. Implementation of the policy is realized in a distributed fashion through appropriate sets
A semi-infrastructured ad hoc network is a wireless MANET subnetwork connected to a structured backbone network (LAN). This kind of network is becoming popular for low cost implementation and practicability issues. But security is considered the major bottleneck of such semi-infrastructured ad hoc networks. The uncontrolled access medium, dynamically changing topology, and mobility of the hosts in the ad hoc mode challenge the security of the overall organizational network. In this paper, a framework has been proposed to enforce Access Control Policy over such a network. Both reactive and proactive routing are considered to implement the access control mechanism. The basis of the framework lies in distributed enforcement of the global access policy through different Policy Enforcing Nodes (PEN). The backbone network contains the Global Policy Management Server (GPMS) and Authentication Server. PENs, after being selected and authorized by the GPMS, take the responsibility to distribute the Access Control Rules to different ad hoc nodes. We have assumed that an underlying trust model is already implemented over the ad hoc network and that the nodes are capable of handling symmetric key encryption for Message Authentication. The recent advancement of the research in MANET confirms that the assumptions are valid.
The widespread proliferation of wireless networks (WLAN) has opened up new paradigms of security policy management in enterprise networks. To enforce the organizational security policies in wireless local area networks (WLANs), it is required to protect the network resources from unauthorized access. In WLAN security policy management, the standard IP based access control mechanisms are not sufficient to meet the organizational requirements due to the dynamic topology characteristics of WLANs. In such dynamic network environments, the role-based access control (RBAC) mechanisms can be deployed to strengthen the security perimeter over the network resources. Further, there is a need to incorporate time and location dependent constraints in the access control models. In this paper, we propose a WLAN security management system which supports a spatio-temporal RBAC (STRBAC) model. The system stems from logical partitioning of the WLAN topology into various security policy zones. It includes a Global Policy Server (GPS) that formalizes the organizational access policies and determines the high level policy configurations for different policy zones; a Central Authentication & Role Server (CARS) which authenticates the users (or nodes) and the access points (AP) in various zones and also assigns appropriate roles to the users. Each policy zone consists of a Wireless Policy Zone Controller (WPZCon) that co-ordinates with a dedicated Local Role Server (LRS) to extract the low level access configurations corresponding to the zone access points. We also propose a formal spatio-temporal RBAC (STRBAC) model to represent the security policies formally.
In enterprise networks, the management of security policies and their configurations is becoming increasingly difficult due to complex security constraints of the organizations. In such networks, the overall organizational security policy (global policy) is defined as a collection of rules for providing service accesses between various network zones. Often, the specification of the global policy is incomplete; where all possible service