@Article{Gu:2018:ADecisionTheoretic, author = {Chen Gu and Matthew Bradbury and Jack Kirton and Arshad Jhumka}, journal = {Future Generation Computer Systems}, title = {{A Decision Theoretic Framework for Selecting Source Location Privacy Aware Routing Protocols in Wireless Sensor Networks}}, year = {2018}, issn = {0167-739X}, month = oct, pages = {514--526}, volume = {87}, abstract = {Source location privacy (SLP) is becoming an important property for a large class of security-critical wireless sensor network applications such as monitoring and tracking. Many routing protocols have been proposed that provide SLP, all of which provide a trade-off between SLP and energy. Experiments have been conducted to gauge the performance of the proposed protocols under different network parameters such as noise levels. As that there exists a plethora of protocols which contain a set of possibly conflicting performance attributes, it is difficult to select the SLP protocol that will provide the best trade-offs across them for a given application with specific requirements. In this paper, we propose a methodology where SLP protocols are first profiled to capture their performance under various protocol configurations. Then, we present a novel decision theoretic procedure for selecting the most appropriate SLP routing algorithm for the application and network under investigation. 
We show the viability of our approach through different case studies.}, dataset = {https://doi.org/10.5281/zenodo.1045453}, doi = {10.1016/j.future.2018.01.046}, file = {:FGCS2018.pdf:PDF}, } @InProceedings{Bradbury:2015:DynamicFakeSource, author = {Matthew Bradbury and Matthew Leeke and Arshad Jhumka}, booktitle = {14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)}, title = {{A Dynamic Fake Source Algorithm for Source Location Privacy in Wireless Sensor Networks}}, year = {2015}, month = {20--22 August}, pages = {531--538}, abstract = {Wireless sensor networks (WSNs) are commonly used in asset monitoring applications, where it is often desirable for the location of the asset being monitored to be kept private. The source location privacy (SLP) problem involves protecting the location of a WSN source node from an attacker who is attempting to locate it. Among the most promising approaches to the SLP problem is the use of fake sources, with much existing research demonstrating their efficacy. Despite the effectiveness of the approach, the most effective algorithms providing SLP require network and situational knowledge that makes their deployment impractical in many contexts. In this paper, we develop a novel dynamic fake sources-based algorithm for SLP. 
We show that the algorithm provides state-of-the-art levels of location privacy under practical operational assumptions.}, doi = {10.1109/Trustcom.2015.416}, file = {:TrustCom2015.pdf:PDF}, keywords = {data privacy;telecommunication security;wireless sensor networks;SLP problem;WSN source node;asset monitoring applications;dynamic fake source algorithm;location protection;source location privacy problem;wireless sensor networks;Context;Heuristic algorithms;Monitoring;Position measurement;Privacy;Temperature sensors;Wireless sensor networks;Dynamic;Sensor Networks;Source Location Privacy}, } @InProceedings{Bradbury:2017:OptimalSourceLocation, author = {Bradbury, Matthew and Jhumka, Arshad}, booktitle = {16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)}, title = {{A Near-Optimal Source Location Privacy Scheme for Wireless Sensor Networks}}, year = {2017}, address = {Sydney, NSW, Australia}, month = {01--04 August}, pages = {409--416}, publisher = {IEEE}, abstract = {As interest in using Wireless Sensor Networks (WSNs) for deployments in scenarios such as asset monitoring increases, the need to consider security and privacy issues also becomes greater. One such issue is that of Source Location Privacy (SLP) where the location of a source in the network needs to be kept secret from a malicious attacker. Many techniques have been proposed to provide SLP against an eavesdropping attacker. Most techniques work by first developing an algorithm followed by extensive performance validation. Differently, in this paper, we model the SLP problem as an Integer Linear Programming optimization problem. Using the IBM ILOG CPLEX optimiser, we obtain an optimal solution to provide SLP. However, that solution is centralised (i.e., requires network-wide knowledge) making the solution unsuitable for WSNs. Therefore, we develop a distributed version of the solution and evaluate the level of privacy provided by it. 
The solution is hybrid in nature, in that it uses both spatial and temporal redundancy to provide SLP. Results from extensive simulations using the TOSSIM WSN simulator indicate a 1\% capture ratio is achievable as a trade-off for an increase in the delivery latency.}, dataset = {https://doi.org/10.5281/zenodo.801222}, doi = {10.1109/Trustcom/BigDataSE/ICESS.2017.265}, file = {:TrustCom2017.pdf:PDF}, keywords = {Integer linear programming;Monitoring;Privacy;Routing;Routing protocols;Wireless sensor networks;Integer Linear Programming;Optimal Routing;Source Location Privacy;Wireless Sensor Networks}, } @InProceedings{Gu:2015:AssessingPerformancePhantom, author = {Gu, Chen and Bradbury, Matthew and Jhumka, Arshad and Leeke, Matthew}, booktitle = {21st IEEE Pacific Rim International Symposium on Dependable Computing (PRDC)}, title = {{Assessing the Performance of Phantom Routing on Source Location Privacy in Wireless Sensor Networks}}, year = {2015}, month = {18--20 November}, pages = {99--108}, abstract = {As wireless sensor networks (WSNs) have been applied across a spectrum of application domains, the problem of source location privacy (SLP) has emerged as a significant issue, particularly in safety-critical situations. In seminal work on SLP, phantom routing was proposed as an approach to addressing the issue. However, results presented in support of phantom routing have not included considerations for practical network configurations, omitting simulations and analyses with larger network sizes. This paper addresses this shortcoming by conducting an in-depth investigation of phantom routing under various network configurations. The results presented demonstrate that previous work in phantom routing does not generalise well to different network configurations.
Specifically, under certain configurations, it is shown that the afforded SLP is reduced by a factor of up to 75.}, doi = {10.1109/PRDC.2015.9}, file = {:PRDC2015.pdf:PDF}, keywords = {Context;Monitoring;Phantoms;Position measurement;Privacy;Routing;Wireless sensor networks;Multiple Sources;Phantom Routing;Sensor networks;Source Location Privacy}, } @InProceedings{Jhumka:2017:DeconstructingSourceLocation, author = {Jhumka, Arshad and Bradbury, Matthew}, booktitle = {Proceedings of the Symposium on Applied Computing}, title = {{Deconstructing Source Location Privacy-aware Routing Protocols}}, year = {2017}, address = {Marrakech, Morocco}, month = {03--07 April}, pages = {431--436}, publisher = {ACM}, series = {SAC'17}, abstract = {Source location privacy (SLP) is becoming an important property for a large class of security-critical wireless sensor network applications such as monitoring and tracking. Much of the previous work on SLP have focused on the development of various protocols to enhance the level of SLP imparted to the network, under various attacker models and other conditions. Others works have focused on analysing the level of SLP being imparted by a specific protocol. In this paper, we focus on deconstructing routing-based SLP protocols to enable a better understanding of their structure. We argue that the SLP-aware routing protocols can be classified into two main categories, namely (i) spatial and (ii) temporal. Based on this, we show that there are three important components, namely (i) decoy selection, (ii) use and routing of control messages and (iii) use and routing of decoy messages. The decoy selection technique imparts the spatial or temporal property of SLP-aware routing. 
We show the viability of the framework through the construction of well-known SLP-aware routing protocols using the identified components.}, acmid = {3019655}, doi = {10.1145/3019612.3019655}, file = {:SAC-DADS2017.pdf:PDF}, isbn = {978-1-4503-4486-9}, keywords = {components, decomposition, routing, source location privacy, spatial, temporal, wireless sensor networks}, numpages = {6}, } @InProceedings{Thomason:2013:EvaluatingImpactBroadcast, author = {Thomason, Alasdair and Leeke, Matthew and Bradbury, Matthew and Jhumka, Arshad}, booktitle = {12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)}, title = {{Evaluating the Impact of Broadcast Rates and Collisions on Fake Source Protocols for Source Location Privacy}}, year = {2013}, month = {16--18 July}, pages = {667--674}, abstract = {Providing source location privacy has become a relevant issue for protocols used in the context of wireless sensor networks. In particular, where an asset is monitored using a wireless sensor network it is often the case that the location of the asset being monitored should be concealed from those eavesdropping on the network. The use of fake sources represents an approach to addressing the source location privacy problem. This paper explores practical factors for the configuration and application of fake source protocols, with a focus on the interplay between the broadcast rates of sensor nodes, message collisions and achieved privacy. 
Combined with existing work in energy efficient fake source protocols, these contributions evidence the existence of an effective range of broadcast rates for fake source protocols.}, doi = {10.1109/TrustCom.2013.81}, file = {:TrustCom2013.pdf:PDF}, keywords = {protocols;telecommunication security;wireless sensor networks;broadcast rates;collisions;eavesdropping;energy efficient fake source protocols;message collisions;sensor nodes;source location privacy problem;wireless sensor networks;Context;Monitoring;Position measurement;Privacy;Protocols;Safety;Wireless sensor networks;Collisions;Distributed Eavesdropper;Fake Source;Security;Source Location Privacy;Wireless Sensor Networks}, } @Article{Jhumka:2015:Fakesourcebased, author = {Arshad Jhumka and Matthew Bradbury and Matthew Leeke}, journal = {Concurrency and Computation: Practice and Experience}, title = {Fake source-based source location privacy in wireless sensor networks}, year = {2015}, month = {25 August}, issn = {1532-0634}, number = {12}, pages = {2999--3020}, volume = {27}, abstract = {The development of novel wireless sensor network (WSN) applications, such as asset monitoring, has led to novel reliability requirements. One such property is source location privacy (SLP). The original SLP problem is to protect the location of a source node in a WSN from a single distributed eavesdropper attacker. Several techniques have been proposed to address the SLP problem, and most of them use some form of traffic analysis and engineering to provide enhanced SLP. The use of fake sources is considered to be promising for providing SLP, and several works have investigated the effectiveness of the fake sources approach under various attacker models. However, very little work has been done to understand the theoretical underpinnings of the fake source technique. 
In this paper, we (i) provide a novel formalisation of the fake sources selection problem; (ii) prove the fake sources selection problem to be NP-complete; (iii) provide parametric heuristics for three different network configurations; and (iv) show that these heuristics provide (near) optimal levels of SLP under appropriate parameterisation. Our results show that fake sources can provide a high level of SLP. Our work is the first to investigate the theoretical underpinnings of the fake source technique.}, doi = {10.1002/cpe.3242}, file = {:CCPE2015.pdf:PDF}, keywords = {complexity, distributed eavesdropper, fake source, source location privacy, wireless sensor networks}, } @Article{Bradbury:2018:HybridOnlineProtocols, author = {Matthew Bradbury and Arshad Jhumka and Matthew Leeke}, journal = {Journal of Parallel and Distributed Computing}, title = {{Hybrid Online Protocols for Source Location Privacy in Wireless Sensor Networks}}, year = {2018}, issn = {0743-7315}, month = may, pages = {67--81}, volume = {115}, abstract = {Wireless sensor networks (WSNs) will form the building blocks of many novel applications such as asset monitoring. These applications will have to guarantee that the location of the occurrence of specific events is kept private from attackers, in what is called the source location privacy (SLP) problem. Fake sources have been used in numerous techniques, however, the solution’s efficiency is typically achieved by fine-tuning parameters at compile time. This is undesirable as WSN conditions may change. In this paper, we first present an SLP algorithm – Dynamic – that estimates the relevant parameters at runtime and show that it provides a high level of SLP, albeit at the expense of a high number of messages. To address this, we provide a hybrid online algorithm – DynamicSPR – that uses directed random walks for the fake sources allocation strategy to reduce energy usage. 
We perform simulations of the various protocols we present and our results show that DynamicSPR provides a similar level of SLP as when parameters are optimised at compile-time, with a lower number of messages sent.}, doi = {10.1016/j.jpdc.2018.01.006}, file = {:JPDC2018.pdf:PDF}, keywords = {Wireless sensor networks, Source location privacy, Fake sources, Random walks, Online algorithm}, } @InProceedings{Gu:2017:PhantomWalkaboutsWireless, author = {Gu, Chen and Bradbury, Matthew and Jhumka, Arshad}, booktitle = {Proceedings of the Symposium on Applied Computing}, title = {{Phantom Walkabouts in Wireless Sensor Networks}}, year = {2017}, address = {Marrakech, Morocco}, month = {03--07 April}, pages = {609--616}, publisher = {ACM}, series = {SAC'17}, abstract = {As wireless sensor networks (WSNs) have been applied across a spectrum of application domains, the problem of source location privacy (SLP) has emerged as a significant issue, particularly in security-critical situations. In the seminal work on SLP, phantom routing was proposed as a viable approach to address SLP. However, recent work has shown some limitations of phantom routing such as poor performance with multiple sources. In this paper, we propose phantom walkabouts, a novel version and more general version of phantom routing, which performs phantom routes of variable lengths. 
Through extensive simulations we show that phantom walkabouts provides high SLP levels with a low message overhead and hence, low energy usage.}, acmid = {3019732}, doi = {10.1145/3019612.3019732}, file = {:SAC-NET2017.pdf:PDF}, isbn = {978-1-4503-4486-9}, keywords = {phantom routing, phantom walkabouts, routing, source location privacy, wireless sensor networks}, numpages = {8}, } @InProceedings{Kirton:2017:SourceLocationPrivacy, author = {Jack Kirton and Matthew Bradbury and Arshad Jhumka}, booktitle = {37th IEEE International Conference on Distributed Computing Systems (ICDCS)}, title = {{Source Location Privacy-Aware Data Aggregation Scheduling for Wireless Sensor Networks}}, year = {2017}, month = {05--08 June}, pages = {2200--2205}, abstract = {Source location privacy (SLP) is an important property for the class of asset monitoring problems in wireless sensor networks (WSNs). SLP aims to prevent an attacker from finding a valuable asset when a WSN node is broadcasting information due to the detection of the asset. Most SLP techniques focus at the routing level, with typically high message overhead. The objective of this paper is to investigate the novel problem of developing a TDMA MAC schedule that can provide SLP. We make a number of important contributions: (i) we develop a novel formalisation of a class of eavesdropping attackers and provide novel formalisations of SLP-aware data aggregation schedules (DAS), (ii) we present a decision procedure to verify whether a DAS schedule is SLP-aware, that returns a counterexample if the schedule is not, similar to model checking, and (iii) we develop a 3-stage distributed algorithm that transforms an initial DAS algorithm into a corresponding SLP-aware schedule against a specific class of eavesdroppers. 
Our simulation results show that the resulting SLP-aware DAS protocol reduces the capture ratio by 50\% at the expense of negligible message overhead.}, doi = {10.1109/ICDCS.2017.171}, file = {:ICDCS2017.pdf:PDF}, issn = {1063-6927}, keywords = {Data aggregation;Monitoring;Protocols;Routing;Safety;Schedules;Wireless sensor networks;Data Aggregation Scheduling;Source Location Privacy;TDMA;Wireless Sensor Networks}, } @InProceedings{Laikin:2016:TowardsFakeSources, author = {Joanna F. Laikin and Matthew Bradbury and Chen Gu and Matthew Leeke}, booktitle = {15th IEEE International Conference on Communication Systems (ICCS'16)}, title = {{Towards Fake Sources for Source Location Privacy in Wireless Sensor Networks with Multiple Sources}}, year = {2016}, month = {14--16 December}, pages = {1--6}, abstract = {Wireless sensor networks (WSNs) are regularly used in asset monitoring applications, where the location of an asset or assets must be kept private. Providing location privacy for such an asset is tantamount to protecting the location of a source node from an attacker who is attempting to locate it. Although no solution exists to provide source location privacy over an extended period, it has been shown that attackers can be sufficiently inhibited by prominent approaches that use either a phantom node, via which protocol messages are routed, or nodes assigned to be fake sources, each of which then broadcast fake messages. However, the applicability of fake source approaches to networks where location privacy must be maintained for multiple sources has yet to be considered.
This paper addresses this issue by analysing a representative fake source algorithm in the context of multiple sources, presenting simulation results that demonstrate the shortcomings of the approach and identifying the underlying limitations to pave the way for the development of algorithms capable of accounting for multiple sources.}, doi = {10.1109/ICCS.2016.7833572}, file = {:ICCS2016.pdf:PDF}, keywords = {Algorithm design and analysis;Energy consumption;Monitoring;Position measurement;Privacy;Safety;Wireless sensor networks;Context Privacy;Fake Source;Location;Multiple Sources;Wireless Sensor Networks}, } @Article{Kirton:2018:Towardsoptimalsource, author = {Jack Kirton and Matthew Bradbury and Arshad Jhumka}, journal = {Computer Networks}, title = {Towards optimal source location privacy-aware {TDMA} schedules in wireless sensor networks}, year = {2018}, issn = {1389-1286}, month = {09 December}, pages = {125--137}, volume = {146}, abstract = {Source Location Privacy (SLP) is becoming important for wireless sensor networks where the source of messages is kept hidden from an attacker. In this paper, we conjecture that similar traffic perturbation to altering the routing protocol can be achieved at the link layer through assignment of time slots to nodes. This paper presents a multi-objective optimisation problem where SLP, schedule latency and final attacker distance are criteria. 
We employ genetic algorithms to generate Pareto-optimal schedules using two fitness criteria, examining the Pareto efficiency of selecting either and confirming the efficiency by performing simulations which show a near optimal capture ratio.}, doi = {10.1016/j.comnet.2018.09.010}, file = {:COMNET2018.pdf:PDF}, keywords = {Genetic algorithm, Wireless sensor networks, TDMA, Data aggregation schedule, Source location privacy}, } @InProceedings{Jhumka:2012:TowardsUnderstandingSource, author = {Arshad Jhumka and Matthew Bradbury and Matthew Leeke}, booktitle = {11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)}, title = {{Towards Understanding Source Location Privacy in Wireless Sensor Networks through Fake Sources}}, year = {2012}, month = {25--27 June}, pages = {760--768}, abstract = {Source location privacy is becoming an increasingly important property in wireless sensor network applications, such as asset monitoring. The original source location problem is to protect the location of a source in a wireless sensor network from a single distributed eavesdropper attack. Several techniques have been proposed to address the source location problem, where most of these apply some form of traffic analysis and engineering to provide enhanced privacy. One such technique, namely fake sources, has proved to be promising for providing source location privacy. Recent research has concentrated on investigating the efficiency of fake source approaches under various attacker models. In this paper, we (i) provide a novel formalisation of the source location privacy problem, (ii) prove the source location privacy problem to be NP-complete, and (iii) provide a heuristic that yields an optimal level of privacy under appropriate parameterisation. 
Crucially, the results presented show that fake sources can provide a high, sometimes optimal, level of privacy.}, doi = {10.1109/TrustCom.2012.281}, file = {:TrustCom2012.pdf:PDF}, keywords = {computational complexity;data privacy;telecommunication security;wireless sensor networks;NP-complete problem;asset monitoring;attacker models;fake sources approach;original source location problem;privacy optimal level;single distributed eavesdropper attack;source location privacy problem formalisation;traffic analysis;wireless sensor network applications;Monitoring;Position measurement;Privacy;Protocols;Routing;Wireless communication;Wireless sensor networks;Complexity;Distributed Eavesdropper;Fake Source;Security;Source Location Privacy;Wireless Sensor Networks}, } @InProceedings{Bradbury:2017:UnderstandingSourceLocation, author = {Bradbury, Matthew and Jhumka, Arshad}, booktitle = {IEEE INFOCOM}, title = {{Understanding Source Location Privacy Protocols in Sensor Networks via Perturbation of Time Series}}, year = {2017}, address = {Atlanta, GA, USA}, month = {01--04 May}, pages = {1611--1619}, abstract = {Source location privacy (SLP) is becoming an important property for a large class of security-critical wireless sensor network applications such as monitoring and tracking. Much of the previous work on SLP has focused on the development of various protocols to enhance the level of SLP imparted to the network, under various attacker models and other conditions. Other work has focused on analysing the level of SLP being imparted by a specific protocol. In this paper, we adopt a different approach where we model the attacker movement as a time series and use information theoretic concepts to infer the properties of a routing protocol that imparts high levels of SLP. We propose the notion of a properly competing path that causes an attacker to "stall" when moving towards the source. 
This concept provides the basis for developing a perturbation model, similar to those in privacy-preserving data mining. We then show how to use properly competing paths to develop properties of an SLP-aware routing protocol. Further, we show how different SLP-aware routing protocols can be obtained through different instantiations of the framework. Those instantiations are obtained based on a notion of information loss achieved through the use of the perturbation model proposed.}, doi = {10.1109/INFOCOM.2017.8057122}, file = {:InfoCom2017.pdf:PDF}, keywords = {Phantoms;Privacy;Routing;Routing protocols;Time series analysis;Wireless sensor networks;Entropy;Mutual Information;Source Location Privacy;Time Series;Wireless Sensor Networks}, } @Article{Jhumka:2014:Efficientfaulttolerant, author = {Arshad Jhumka and Matthew Bradbury and Sain Saginbekov}, journal = {Journal of Parallel and Distributed Computing}, title = {Efficient fault-tolerant collision-free data aggregation scheduling for wireless sensor networks}, year = {2014}, issn = {0743-7315}, month = jan, number = {1}, pages = {1789--1801}, volume = {74}, abstract = {This paper investigates the design of fault-tolerant TDMA-based data aggregation scheduling (DAS) protocols for wireless sensor networks (WSNs). DAS is a fundamental pattern of communication in wireless sensor networks where sensor nodes aggregate and relay data to a sink node. However, any such DAS protocol needs to be cognisant of the fact that crash failures can occur.
We make the following contributions: (i) we identify a necessary condition to solve the DAS problem, (ii) we introduce a strong and weak version of the DAS problem, (iii) we show several impossibility results due to the crash failures, (iv) we develop a modular local algorithm that solves stabilising weak DAS and (v) we show, through simulations and an actual deployment on a small testbed, how specific instantiations of parameters can lead to the algorithm achieving very efficient stabilisation.}, doi = {10.1016/j.jpdc.2013.09.011}, file = {:JPDC2014.pdf:PDF}, keywords = {Wireless sensor networks}, } @InProceedings{Bradbury:2019:ImpactDecreasingTransmit, author = {Matthew Bradbury and Arshad Jhumka and Carsten Maple}, booktitle = {Proceedings of the 2nd Workshop on Benchmarking Cyber-Physical Systems and Internet of Things}, title = {{The Impact of Decreasing Transmit Power Levels on FlockLab To Achieve a Sparse Network}}, year = {2019}, address = {New York, NY, USA}, month = {15 April}, pages = {7--12}, publisher = {ACM}, series = {CPS-IoTBench '19}, abstract = {For research in Wireless Sensor Networks (WSNs) and the Internet of Things (IoT), while many protocols are either analysed mathematically or simulated to assess performance, it has become necessary that they are tested on hardware in real world environments. Algorithms are often validated in either (i) a densely connected network or (ii) a sparsely connected network. The majority of existing testbeds have implemented dense networks, making evaluation and validation of certain protocols, such as spatially-redundant source location privacy (SLP) protocols, challenging. We explore the use of transmission power to achieve network sparsity and present the results of such experiments performed on the FlockLab testbed.
Based upon our experience in using FlockLab, we also identify additional aspects of testbed performance that need to be monitored to ensure reliable and reproducible results.}, acmid = {3313171}, dataset = {https://doi.org/10.5281/zenodo.2528757}, doi = {10.1145/3312480.3313171}, file = {:CPS-IoTBench2019.pdf:PDF}, isbn = {978-1-4503-6693-9}, keywords = {FlockLab, IoT, benchmark, wireless sensor networks}, location = {Montreal, Quebec, Canada}, numpages = {6}, } @InProceedings{Grosso:2019:ReliableManyMany, author = {Jasmine Grosso and Arshad Jhumka and Matthew Bradbury}, booktitle = {15th European Dependable Computing Conference (EDCC)}, title = {{Reliable Many-to-Many Routing in Wireless Sensor Networks Using Ant Colony Optimisation}}, year = {2019}, month = {17--20 September}, pages = {111--118}, abstract = {Wireless sensor networks (WSNs) have been widely studied in the context of many-to-one communication, in which multiple data sources send messages to a dedicated sink. However, there has been little research in the area of many-to-many communication. Many-to-many communication in WSNs is a growing application area, with examples including fire detection in both natural and urban areas, and the monitoring of heating and air conditioning within buildings. In this paper, we propose a scalable many-to-many routing protocol that makes use of Ant Colony Optimisation (ACO) that is applicable for an arbitrary number of sources and sinks. The protocol aggregates data sent from multiple sources into a single, shared backbone of nodes to reduce the total number of packets sent and so increase network lifetime. 
Results from simulations using the Cooja Network simulator show that the protocol is able to achieve packet delivery ratios above 95\%, with the algorithm becoming more efficient with larger networks, sending fewer packets relative to the size of the networks, as well as involving fewer nodes in routing.}, doi = {10.1109/EDCC.2019.00030}, file = {:EDCC2019.pdf:PDF}, issn = {2641-810X}, keywords = {ant colony optimisation;routing protocols;telecommunication network reliability;wireless sensor networks;WSN;growing application area;fire detection;natural areas;urban areas;air conditioning;ant colony optimisation;protocol aggregates data;network lifetime;Cooja Network simulator show;wireless sensor networks;multiple data sources;scalable many-to-many routing protocol;Wireless sensor networks;Routing protocols;Routing;Optimization;Network topology;Topology;wireless sensor networks;many-to-many routing;ant colony optimisation}, } @InProceedings{Farrell:2019:UsingThreatAnalysis, author = {Farrell, Marie and Bradbury, Matthew and Fisher, Michael and Dennis, Louise A. and Dixon, Clare and Yuan, Hu and Maple, Carsten}, booktitle = {Software Engineering and Formal Methods}, title = {{Using Threat Analysis Techniques to Guide Formal Verification: A Case Study of Cooperative Awareness Messages}}, year = {2019}, address = {Cham}, editor = {{\"O}lveczky, Peter Csaba and Sala{\"u}n, Gwen}, month = {09 September}, pages = {471--490}, publisher = {Springer International Publishing}, abstract = {Autonomous robotic systems such as Connected and Autonomous Vehicle (CAV) systems are both safety-and security-critical, since a breach in system security may impact safety. Generally, safety and security concerns for such systems are treated separately during the development process. In this paper, we consider an algorithm for sending Cooperative Awareness Messages (CAMs) between vehicles in a CAV system and the use of CAMs in preventing vehicle collisions.
We employ threat analysis techniques that are commonly used in the cyber security domain to guide our formal verification. This allows us to focus our formal methods on those security properties that are particularly important and to consider both safety and security in tandem. Our analysis centres on identifying STRIDE security properties and we illustrate how these can be formalised, and subsequently verified, using a combination of formal tools for distinct aspects, namely Promela/SPIN and Dafny.}, doi = {10.1007/978-3-030-30446-1_25}, file = {:SEFM2019.pdf:PDF}, isbn = {978-3-030-30446-1}, } @InProceedings{Yuan:2019:ThroughputAwareAuthentication, author = {Hu Yuan and Matthew Bradbury and Carsten Maple and Chen Gu}, booktitle = {90th IEEE Vehicular Technology Conference (VTC2019-Fall)}, title = {{Throughput Aware Authentication Prioritisation for Vehicular Communication Networks}}, year = {2019}, month = {22--25 September}, pages = {1--5}, abstract = {Connected vehicles will be a prominent feature of future Intelligent Transport Systems. Which means that there will be a very high volume of wireless traffic that vehicles will receive and process. Due to this large quantity of traffic, there will be Quality of Service (QoS) constraints on the system that means messages will need to be prioritised. As vehicles will have a finite buffer to hold messages, the prioritisation scheme must consider network throughput to ensure QoS requirements are met. In our throughput authentication prioritisation technique, a Markov model is used to detect abnormally large data traffic users who are potential attackers performing a Denial of Service (DoS). 
Our results show that the algorithm can efficiently enhance network throughput.}, doi = {10.1109/VTCFall.2019.8891375}, file = {:VTC-Fall2019.pdf:PDF}, issn = {1090-3038}, keywords = {authorisation;Markov processes;quality of service;telecommunication security;telecommunication traffic;vehicular ad hoc networks;throughput aware authentication prioritisation;vehicular communication networks;intelligent transport systems;wireless traffic;finite buffer;quality of service constraints;network throughput;QoS requirements;data traffic users;QoS constraints;Markov model;denial of service;DoS;Authentication;Throughput;Roads;Hidden Markov models;Vehicular ad hoc networks;Interference;Data models}, } @Article{Maple:2019:ConnectedAutonomousVehicle, author = {Maple, Carsten and Bradbury, Matthew and Le, Anh Tuan and Ghirardello, Kevin}, journal = {Applied Sciences}, title = {{A Connected and Autonomous Vehicle Reference Architecture for Attack Surface Analysis}}, year = {2019}, issn = {2076-3417}, month = nov, number = {23}, pages = {5101}, volume = {9}, abstract = {Connected autonomous vehicles (CAVs) will be deployed over the next decade with autonomous functionalities supported by new sensing and communication capabilities. Such functionality exposes CAVs to new attacks that current vehicles will not face. To ensure the safety and security of CAVs, it is important to be able to identify the ways in which the system could be attacked and to build defences against these attacks. One possible approach is to use reference architectures to perform an attack surface analysis. Existing research has developed a variety of reference architectures but none for the specific purpose of attack surface analysis. Existing approaches are either too simple for sufficiently detailed modelling or require too many details to be specified to easily analyse a CAV’s attack surface. 
Therefore, we propose a reference architecture using a hybrid Functional-Communication viewpoint for attack surface analysis of CAVs, including the Devices, Edge and Cloud systems CAVs interact with. Using two case studies, we demonstrate how attack trees can be used to understand the attack surface of CAV systems.}, doi = {10.3390/app9235101}, file = {:AppSci2019.pdf:PDF}, publisher = {MDPI AG}, } @InProceedings{Maple:2020:SecurityMindedVerification, author = {Carsten Maple and Matthew Bradbury and Hu Yuan and Marie Farrell and Clare Dixon and Michael Fisher and Ugur Ilker Atmaca}, booktitle = {IEEE Aerospace Conference}, title = {{Security-Minded Verification of Space Systems}}, year = {2020}, address = {Big Sky, Montana, USA}, month = {7--14 March}, publisher = {IEEE}, abstract = {Modern space systems are increasing in complexity. The advent of the Internet of Space Things, coupled with the commercialisation of space has resulted in an ecosystem that is difficult to control and brings about new security challenges. In such critical systems, it is common to conduct verification strategies to ensure that the underpinning software is correct. Formal verification is achieved by modelling the system and verifying that the model obeys particular functional and safety properties. Many connected systems are now the target of a variety of threat actors attempting to realise different goals. Threat modelling is the approach employed to analyse and manage the threats from adversaries. Common practice is that these two approaches are conducted independently of one another. In this paper, we argue that the two should be mutually informed, and describe a methodology for security-minded formal verification that combines these analysis techniques. 
This approach will streamline the development process and give a more formal grounding to the security properties identified during threat analysis.}, doi = {10.1109/AERO47225.2020.9172563}, file = {:AeroConf2020-SMV.pdf:PDF}, } @InProceedings{Bradbury:2020:IdentifyingAttackSurfaces, author = {Matthew Bradbury and Carsten Maple and Hu Yuan and Ugur Ilker Atmaca and Sara Cannizzaro}, booktitle = {IEEE Aerospace Conference}, title = {{Identifying Attack Surfaces in the Evolving Space Industry Using Reference Architectures}}, year = {2020}, address = {Big Sky, Montana, USA}, month = {7--14 March}, publisher = {IEEE}, abstract = {The space environment is currently undergoing a substantial change and many new entrants to the market are deploying devices, satellites and systems in space; this evolution has been termed NewSpace. The change is complicated by technological developments such as deploying machine learning based autonomous space systems and the Internet of Space Things (IoST). In the IoST, space systems will rely on satellite-to-x communication and interactions with wider aspects of the ground segment to a greater degree than existing systems. Such developments will inevitably lead to a change in the cyber security threat landscape of space systems. Inevitably, there will be a greater number of attack vectors for adversaries to exploit, and previously infeasible threats can be realised, and thus require mitigation. In this paper, we present a reference architecture (RA) that can be used to abstractly model in situ applications of this new space landscape. The RA specifies high-level system components and their interactions. 
By instantiating the RA for two scenarios we demonstrate how to analyse the attack surface using attack trees.}, doi = {10.1109/AERO47225.2020.9172785}, file = {:AeroConf2020-SRA.pdf:PDF}, } @Article{Gu:2019:Phantomwalkabouts:customisable, author = {Gu, Chen and Bradbury, Matthew and Jhumka, Arshad}, journal = {Concurrency and Computation: Practice and Experience}, title = {{Phantom walkabouts: A customisable source location privacy aware routing protocol for wireless sensor networks}}, year = {2019}, month = apr, number = {20}, pages = {e5304}, volume = {31}, abstract = {Source location privacy (SLP) is an important property for a large class of security-critical wireless sensor network (WSN) applications such as monitoring and tracking. In the seminal work on SLP, phantom routing was proposed as a viable approach to address SLP. However, recent work has shown some limitations of phantom routing such as poor data yield and low SLP. In this paper, we propose phantom walkabouts, a novel and more general version of phantom routing, which performs phantom routes of variable lengths. Through extensive simulations, we show that phantom walkabouts provides a higher SLP level than phantom routing under specific network configurations.}, doi = {10.1002/cpe.5304}, file = {:CCPE2019.pdf:PDF}, keywords = {biased random walk, phantom routing, phantom walkabouts, source location privacy, wireless sensor networks}, } @TechReport{Maple:2019:IoTTransportMobility, author = {Carsten Maple and Matthew Bradbury and Miles Elsden and Haitham Cruickshank and Hu Yuan and Chen Gu and Phillip Asuquo}, institution = {{University of Warwick}}, title = {{IoT Transport and Mobility Demonstrator: Cyber Security Testing on National Infrastructure}}, year = {2019}, address = {Coventry, UK}, month = may, type = {{Technical Report}}, abstract = {With the intent for Connected Autonomous Vehicles (CAVs) to be deployed on UK roads in the near future it is vital that they are rigorously tested. 
Part of this testing will involve the cyber security aspects of these vehicles. This report covers the technical aspects of the IoT-TRaM project, which deployed four cyber security and privacy innovations developed within PETRAS in real world environments. This report describes (i) the four academic innovations, (ii) the requirements and experiences of CAV testbed users and (iii) testbed sites and the protocols for researchers to perform cyber security testing there. Throughout the report recommendations are made to reduce the barriers of entry and ways to improve the experience of performing cyber security testing in real world environments.}, file = {:IoT_TRaM_Report.pdf:PDF}, } @PhdThesis{Bradbury:2018:NearOptimalRouting, author = {Matthew Bradbury}, school = {University of Warwick}, title = {{Near Optimal Routing Protocols for Source Location Privacy in Wireless Sensor Networks: Modelling, Design and Evaluation}}, year = {2018}, address = {Coventry, UK}, month = may, abstract = {Wireless Sensor Networks (WSNs) are collections of small computing devices that are used to monitor valuable assets such as endangered animals. As WSNs communicate wirelessly they leak information to malicious eavesdroppers. When monitoring assets it is important to provide Source Location Privacy (SLP), where the location of the message source must be kept hidden. Many SLP protocols have been developed by designing a protocol using intuition before evaluating its performance. However, this does not provide insight into how to develop optimal approaches. This thesis will present an alternate approach where the SLP problem is modelled using different techniques to give an optimal output. However, as this optimal output is typically for a restricted scenario, algorithms that trade optimality for generality are subsequently designed. Four main contributions are presented. 
First, an analysis is performed based on entropy and divergence to gain insight into how to reduce the information an attacker gains via the use of competing paths, and ways to compare the information loss of arbitrary routing protocols. Secondly, the SLP problem is modelled using Integer Linear Programming. The model result guides the design of a generic protocol called ILPRouting that groups messages together to reduce the moves an attacker makes. Thirdly, a timing analysis of when events occur is used to dynamically determine fake source parameters for the Dynamic and DynamicSPR algorithms. These fake sources lure the attacker to their location instead of the real source. Finally, the first SLP-aware duty cycle is investigated, and implemented for DynamicSPR to make it more energy efficient. These techniques are evaluated through simulations and deployments on WSN testbeds to demonstrate their effectiveness.}, dataset = {https://doi.org/10.5281/zenodo.1209158}, ethos = {uk.bl.ethos.773910}, file = {:Thesis.pdf:PDF}, url = {http://wrap.warwick.ac.uk/115772}, } @TechReport{Adegoke:2020:PntCyberResilience, author = {Elijah Adegoke and Matthew Bradbury and Erik Kampert and Matthew Higgins and Tim Watson and Paul Jennings and Colin Ford and Guy Buesnel and Steve Hickling}, institution = {{University of Warwick}}, title = {{PNT Cyber Resilience: a Lab2Live Observer Based Approach, Report 1: GNSS Resilience and Identified Vulnerabilities}}, year = {2020}, address = {Coventry, UK}, month = apr, note = {{Version 1.0}}, number = {1}, type = {{Technical Report}}, abstract = {Global navigation satellite systems (GNSS) such as GPS and Galileo are vital sources of positioning, navigation and timing (PNT) information for vehicles. This information is of critical importance for connected autonomous vehicles (CAVs) due to their dependence on this information for localisation, route planning and situational awareness. 
A downside to solely relying on GNSS for PNT is that the signal strength arriving from navigation satellites in space is weak and currently there is no authentication included in the civilian GNSS adopted in the automotive industry. This means that cyber-attacks against the GNSS signal via jamming or spoofing are attractive to adversaries due to the potentially high impact they can achieve. This report reviews the vulnerabilities of GNSS services for CAVs (a summary is shown in Figure 1), as well as detection and mitigation techniques, summarises the opinions on PNT cyber testing sourced from a select group of experts, and finishes with a description of the associated lab-based and real-world feasibility study and proposed research methodology.}, file = {:PNTReport1.pdf:PDF}, url = {http://wrap.warwick.ac.uk/139519/}, } @TechReport{Bradbury:2020:PntCyberResilience, author = {Matthew Bradbury and Elijah Adegoke and Erik Kampert and Matthew Higgins and Tim Watson and Paul Jennings and Colin Ford and Guy Buesnel and Steve Hickling}, institution = {{University of Warwick}}, title = {{PNT Cyber Resilience: a Lab2Live Observer Based Approach, Report 2: Specifications for Cyber Testing Facilities}}, year = {2020}, address = {Coventry, UK}, month = apr, note = {{Version 1.2}}, number = {2}, type = {{Technical Report}}, abstract = {Global navigation satellite systems (GNSS) such as GPS and Galileo are vital sources of positioning, navigation and timing (PNT) information for vehicles. This information is of critical importance for connected autonomous vehicles (CAVs) due to their dependence on this information for localisation, route planning and situational awareness. A downside to solely relying on GNSS for PNT is that the signal strength arriving from navigation satellites in space is weak and currently there is no authentication included in the civilian GNSS adopted in the automotive industry. 
This means that cyber-attacks against the GNSS signal via jamming or spoofing are attractive to adversaries due to the potentially high impact they can achieve. This report introduces specifications and recommendations for GNSS cyber-security test facilities for CAVs. These specifications are based on a survey of academic literature, interviews with a select group of experts, and experiences obtained performing laboratory and real-world testing (shown in Figure 1).}, file = {:PNTReport2.pdf:PDF}, url = {http://wrap.warwick.ac.uk/139522/}, } @Article{Bradbury:2021:SpatialSourceLocation, author = {Matthew Bradbury and Arshad Jhumka and Carsten Maple}, journal = {{ACM Transactions on Internet of Things}}, title = {{A Spatial Source Location Privacy-Aware Duty Cycle for Internet of Things Sensor Networks}}, year = {2021}, issn = {2691-1914}, month = feb, number = {1}, pages = {1--32}, volume = {2}, abstract = {Source Location Privacy (SLP) is an important property for monitoring assets in privacy-critical sensor network and Internet of Things applications. Many SLP-aware routing techniques exist, with most striking a tradeoff between SLP and other key metrics such as energy (due to battery power). Typically, the number of messages sent has been used as a proxy for the energy consumed. Existing work (for SLP against a local attacker) does not consider the impact of sleeping via duty cycling to reduce the energy cost of an SLP-aware routing protocol. Therefore, two main challenges exist: (i) how to achieve a low duty cycle without loss of control messages that configure the SLP protocol and (ii) how to achieve high SLP without requiring a long time spent awake. In this article, we present a novel formalisation of a duty cycling protocol as a transformation process. Using derived transformation rules, we present the first duty cycling protocol for an SLP-aware routing protocol for a local eavesdropping attacker. 
Simulation results on grids demonstrate a duty cycle of 10\%, while only increasing the capture ratio of the source by 3 percentage points, and testbed experiments on FlockLab demonstrate an 80\% reduction in the average current draw.}, address = {New York, NY, USA}, articleno = {4}, doi = {10.1145/3430379}, file = {:TIOT2021.pdf:PDF}, issue_date = {February 2021}, keywords = {Source Location Privacy, wireless sensor networks, fake sources, duty cycle}, numpages = {32}, publisher = {ACM}, } @Article{Bradbury:2020:PrivacyChallengesProtecting, author = {Matthew Bradbury and Phillip Taylor and Ugur Ilker Atmaca and Carsten Maple and Nathan Griffiths}, journal = {IEEE Access}, title = {{Privacy Challenges with Protecting Live Vehicular Location Context}}, year = {2020}, issn = {2169-3536}, month = nov, pages = {207465--207484}, volume = {8}, abstract = {Future Intelligent Transport Systems (ITS) will require that vehicles are equipped with Dedicated Short Range Communications (DSRC). With these DSRC capabilities, new privacy threats are emerging that can be taken advantage of by threat actors with little experience and cheap components. However, the origins of these privacy threats are not limited to the vehicle and its communications, but extend to non-vehicular devices carried by the driver and passengers. A shortcoming of existing work is that it tends to focus on a specific aspect of privacy leakage when attempting to protect location privacy. In doing so, interactions between privacy threats are not considered. In this work, we investigate the privacy surface of a vehicle by considering the many different ways in which location privacy can be leaked. Following this, we identify techniques to protect privacy and show that it is insufficient to provide location privacy against a single threat vector. 
A methodology to calculate the interactions of privacy preserving techniques is used to highlight the need to consider the wider threat landscape and for techniques to collaborate to ensure location privacy is provided against multiple sources of privacy threats where possible.}, doi = {10.1109/ACCESS.2020.3038533}, file = {:Access2020.pdf:PDF}, } @InProceedings{Bradbury:2021:TrustAssessment32, author = {Matthew Bradbury and Arshad Jhumka and Tim Watson}, booktitle = {{The 36th ACM/SIGAPP Symposium on Applied Computing}}, title = {{Trust Assessment in 32 KiB of RAM: Multi-application Trust-based Task Offloading for Resource-constrained IoT Nodes}}, year = {2021}, address = {Virtual Event, Republic of Korea}, month = {22--26 March}, pages = {1--10}, publisher = {ACM}, series = {SAC'21}, abstract = {There is an increasing demand for Internet of Things (IoT) systems comprised of resource-constrained sensor and actuator nodes executing increasingly complex applications, possibly simultaneously. IoT devices will not be able to execute computationally expensive tasks and will require more powerful computing nodes, called edge nodes, for such execution, in a process called computation offloading. When multiple powerful nodes are available, a selection problem arises: which edge node should a task be submitted to? This problem is even more acute when the system is subjected to attacks, such as DoS, or network perturbations such as system overload. In this paper, we present a trust model-based system architecture for computation offloading, based on behavioural evidence. The system architecture provides confidentiality, authentication and non-repudiation of messages in required scenarios and will operate within the resource constraints of embedded IoT nodes. 
We demonstrate the viability of the architecture with an example deployment of Beta Reputation System trust model on real hardware.}, dataset = {https://doi.org/10.5281/zenodo.4312801}, doi = {10.1145/3412841.3441898}, file = {:SAC-DADS2021.pdf:PDF}, isbn = {978-1-4503-8104-8/21/03}, } @InProceedings{Bradbury:2021:TrustTrackersComputation, author = {Matthew Bradbury and Arshad Jhumka and Tim Watson}, booktitle = {IEEE INFOCOM}, title = {{Trust Trackers for Computation Offloading in Edge-Based IoT Networks}}, year = {2021}, address = {Vancouver, BC, Canada}, month = {10--13 May}, pages = {1--10}, publisher = {IEEE}, abstract = {Wireless Internet of Things (IoT) devices will be deployed to enable applications such as sensing and actuation. These devices are typically resource-constrained and are unable to perform resource-intensive computations. Therefore, these jobs need to be offloaded to resource-rich nodes at the edge of the IoT network for execution. However, the timeliness and correctness of edge nodes may not be trusted (such as during high network load or attack). In this paper, we look at the applicability of trust for successful offloading. Traditionally, trust is computed at the application level, with suitable mechanisms to adjust for factors such as recency. However, these do not work well in IoT networks due to resource constraints. We propose a novel device called Trust Tracker (denoted by Σ) that provides higher-level applications with up-to-date trust information of the resource-rich nodes. We prove impossibility results regarding computation offloading and show that Σ is necessary and sufficient for correct offloading. We show that, Σ cannot be implemented even in a synchronous network and we compute the probability of offloading to a bad node, which we show to be negligible when a majority of nodes are correct. 
We perform a small-scale deployment to demonstrate our approach.}, dataset = {https://doi.org/10.5281/zenodo.4339398}, doi = {10.1109/INFOCOM42981.2021.9488844}, file = {:InfoCom2021.pdf:PDF}, } @Article{Bradbury:2022:ThreatModellingGuided, author = {Matthew Bradbury and Arshad Jhumka and Tim Watson and Denys Flores and Jonathan Burton and Matthew Butler}, journal = {ACM Transactions on Sensor Networks}, title = {{Threat-Modeling-Guided Trust-Based Task Offloading for Resource-Constrained Internet of Things}}, year = {2022}, issn = {1550-4859}, month = may, number = {2}, pages = {41}, volume = {18}, abstract = {There is an increasing demand for Internet of Things (IoT) networks consisting of resource-constrained devices executing increasingly complex applications. Due to these resource constraints, IoT devices will not be able to execute expensive tasks. One solution is to offload expensive tasks to resource-rich edge nodes, which requires a framework that facilitates the selection of suitable edge nodes to perform task offloading. Therefore, in this article, we present a novel trust-model-driven system architecture, based on behavioral evidence, that is suitable for resource-constrained IoT devices and supports computation offloading. We demonstrate the viability of the proposed architecture with an example deployment of the Beta Reputation System trust model on real hardware to capture node behaviors. The open environment of edge-based IoT networks means that threats against edge nodes can lead to deviation from expected behavior. Hence, we perform a threat modeling to identify such threats. The proposed system architecture includes threat handling mechanisms that provide security properties such as confidentiality, authentication, and non-repudiation of messages in required scenarios and operate within the resource constraints. 
We evaluate the efficacy of the threat handling mechanisms and identify future work for the standards used.}, address = {New York, NY, USA}, articleno = {29}, dataset = {https://doi.org/10.5281/zenodo.4568700}, doi = {10.1145/3510424}, file = {:TOSN2022.pdf:PDF}, issue_date = {May 2022}, numpages = {41}, presentation = {:SenSys2022.pdf:PDF}, publisher = {ACM}, } @Article{Bradbury:2022:InformationManagementTrust, author = {Matthew Bradbury and Arshad Jhumka and Tim Watson}, journal = {Future Generation Computer Systems}, title = {{Information Management for Trust Computation on Resource-constrained IoT Devices}}, year = {2022}, month = oct, issn = {0167-739X}, pages = {348--363}, volume = {135}, abstract = {Resource-constrained Internet of Things (IoT) devices are executing increasingly sophisticated applications that may require computational or memory intensive tasks to be executed. Due to their resource constraints, IoT devices may be unable to compute these tasks and will offload them to more powerful resource-rich edge nodes. However, as edge nodes may not necessarily behave as expected, an IoT device needs to be able to select which edge node should execute its tasks. This selection problem can be addressed by using a measure of behavioural trust of the edge nodes delivering a correct response, based on historical information about past interactions with edge nodes that are stored in memory. However, due to their constrained memory capacity, IoT devices will only be able to store a limited amount of trust information, thereby requiring an eviction strategy when its memory is full of which there has been limited investigation in the literature. To address this, we develop the concept of the memory profile of an agent and that profile’s utility. We formalise the profile eviction problem in a unified profile memory model and show it is NP-complete. 
To circumvent the inherent complexity, we study the performance of eviction algorithms in a partitioned profile memory model using our utility metric. Our results show that localised eviction strategies which only consider one specific type of information do not perform well. Thus we propose a novel eviction strategy that globally considers all types of trust information stored and we show that it outperforms local eviction strategies for the majority of memory sizes and agent behaviours. In this paper, we develop a concept of information utility to a trust model and formalise the problem of information eviction, which we prove to be NP-complete. We then investigate the usefulness of different eviction strategies to maximise the utility of information stored to enable trust-based task offloading.}, dataset = {https://doi.org/10.5281/zenodo.4353611}, doi = {10.1016/j.future.2022.05.004}, file = {:FGCS2022.pdf:PDF}, keywords = {Trust, Information management, IoT, Resource-constraints, Edge nodes, Offloading}, } @InProceedings{Chen:2022:SlowCoach:MutatingCode, author = {Yiqun Chen and Oliver Schwahn and Roberto Natella and Matthew Bradbury and Neeraj Suri}, booktitle = {The 33rd IEEE International Symposium on Software Reliability Engineering}, title = {{SlowCoach: Mutating Code to Simulate Performance Bugs}}, year = {2022}, address = {Charlotte, North Carolina, USA}, month = {31 October -- 3 November}, pages = {274--285}, series = {ISSRE}, abstract = {Performance bugs are unnecessarily inefficient code chunks in software codebases that cause prolonged execution times and degraded computational resource utilization. For performance bug diagnostics, tools that aid in the identification of said bugs, such as benchmarks and profilers, are commonly employed. However, due to factors such as insufficient workloads or ineffective benchmarks, software defects related to code inefficiencies are inherently difficult to diagnose. 
Hence, the capabilities of performance bug diagnostic tools are limited and performance bug instances may be missed. Traditional mutation testing (MT) is a technique for quantifying a test suite's ability to find functional bugs by mutating the code of the test subject. Similarly, we adopt performance mutation testing (PMT) to evaluate performance bug diagnostic tools and identify where improvements need to be made to a performance testing methodology. We carefully investigate the different performance bug fault models and how synthesized performance bugs based on these models can evaluate benchmarks and workload selection to help improve performance diagnostics. In this paper, we present the design of our PMT framework, SlowCoach, and evaluate it with over 1600 mutants from 4 real-world software projects.}, dataset = {https://github.com/61OlkVq8/PMT}, doi = {10.1109/ISSRE55969.2022.00035}, file = {:ISSRE2022.pdf:PDF}, } @InProceedings{Chen:2022:TowardsEffectivePerformance, author = {Yiqun Chen and Matthew Bradbury and Neeraj Suri}, booktitle = {The 33rd IEEE International Symposium on Software Reliability Engineering Workshops}, title = {{Towards Effective Performance Fuzzing}}, year = {2022}, address = {Charlotte, North Carolina, USA}, month = {31 October -- 3 November}, pages = {128--129}, series = {ISSREW}, abstract = {Fuzzing is an automated testing technique that utilizes injection of random inputs in a target program to help uncover vulnerabilities. Performance fuzzing extends the classic fuzzing approach and generates inputs that trigger poor performance. During our evaluation of performance fuzzing tools, we have identified certain conventionally used assumptions that do not always hold true. Our research (re)evaluates PERFFUZZ in order to identify the limitations of current techniques, and guide the direction of future work for improvements to performance fuzzing. Our experimental results highlight two specific limitations. 
Firstly, we identify that the assumption that the length of execution paths correlates with program performance does not always hold, and thus path length cannot reflect the quality of test cases generated by performance fuzzing. Secondly, the default testing parameters of the fuzzing process (timeouts and size limits) overly confine the input search space. Based on these observations, we suggest further investigation on performance fuzzing guidance, as well as controlled fuzzing and testing parameters.}, dataset = {https://doi.org/10.17635/lancaster/researchdata/557}, doi = {10.1109/ISSREW55968.2022.00055}, file = {:ISSRE2022FA.pdf:PDF}, } @InProceedings{Manzoor:2022:Poster:EffectivenessMoving, author = {Salman Manzoor and Antonios Gouglidis and Matthew Bradbury and Neeraj Suri}, booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security}, title = {{Poster: Effectiveness of Moving Target Defense Techniques to Disrupt Attacks in the Cloud}}, year = {2022}, address = {Los Angeles, CA, USA}, month = {7--11 November}, pages = {3415--3417}, publisher = {ACM}, series = {CCS'22}, abstract = {Moving Target Defense (MTD) can eliminate the asymmetric advantage that attackers have in terms of time by changing a system's configuration dynamically to reduce the efficacy of reconnaissance and increase uncertainty and complexity for attackers. There are numerous MTDs proposed that target specific aspects of a system. However, deploying MTDs at different layers/components of the Cloud and assessing their effects on the overall security gains for the entire system is still challenging since the Cloud is a complex system entailing physical and virtual resources, and there exists a multitude of attack surfaces that an attacker can target. Thus, we explore the combination of different MTDs at different layers to maximize the security gains offered by the MTDs. 
We propose a quantification mechanism to evaluate the effectiveness of the MTDs against the attacks in the Cloud.}, doi = {10.1145/3548606.3563514}, file = {:CCS2022-MTD.pdf:PDF}, isbn = {9781450394505}, keywords = {cloud security, moving target defense, optimization}, numpages = {3}, } @InProceedings{Manzoor:2022:Poster:MultiLayer, author = {Salman Manzoor and Antonios Gouglidis and Matthew Bradbury and Neeraj Suri}, booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security}, title = {{Poster: Multi-Layer Threat Analysis of the Cloud}}, year = {2022}, address = {Los Angeles, CA, USA}, month = {7--11 November}, pages = {3419--3421}, publisher = {ACM}, series = {CCS'22}, abstract = {A variety of Threat Analysis (TA) techniques exist that typically target exploring threats to discrete assets (e.g., services, data, etc.) and reveal potential attacks pertinent to these assets. Furthermore, these techniques assume that the interconnection among the assets is static. However, in the Cloud, resources can instantiate or migrate across physical hosts at run-time, thus making the Cloud a dynamic environment. Additionally, the number of attacks targeting multiple assets/layers emphasizes the need for threat analysis approaches developed for Cloud environments. Therefore, this proposal presents a threat analysis approach that addresses multi-layer attacks. The proposed approach facilitates threat analysis by developing a technology-agnostic information flow model. 
It contributes to exploring a threat’s propagation across the operational stack of the Cloud and, consequently, assessing the security of the Cloud holistically.}, doi = {10.1145/3548606.3563515}, file = {:CCS2022-Cloud.pdf:PDF}, isbn = {9781450394505}, numpages = {3}, } @InProceedings{Bradbury:2022:AttributesDimensionsTrust, author = {Matthew Bradbury and Daniel Prince and Victoria Marcinkiewicz and Tim Watson}, booktitle = {Proceedings of the 12th International Conference on the Internet of Things}, title = {{Attributes and Dimensions of Trust in Secure Systems}}, year = {2022}, address = {Delft, Netherlands}, month = {7 November}, pages = {179--186}, publisher = {ACM}, series = {STaR-IoT'22}, abstract = {What is it to be trusted? This is an important question as trust is increasingly placed in a system and the degree to which a system is trusted is increasingly being assessed. However, there are issues with how related terms are used. Many definitions focus on one attribute of trust (typically behaviour) preventing that definition from being used for other attributes (e.g., identity). This is confused further by conflating what trustors measure about a trustee and what conclusions a trustor reaches about a trustee. Therefore, in this paper we present definitions of measures (trustiness and trustworthiness) and conclusions (trusted and trustworthy). These definitions are general and do not refer to a specific attribute allowing them to be used with arbitrary attributes which are being assessed (e.g., identity, behaviour, limitation, execution, correctness, data, environment). In addition, in order to demonstrate the complexities of describing if a trustee is designated as trusted or trustworthy, a set of dimensions are defined to describe attributes (time, scale, proactive/reactive, strength, scope, source). 
Finally, an example system is classified using these attributes and their dimensions in order to highlight the complexities of describing a system as holistically trusted or trustworthy.}, doi = {10.1145/3567445.3571105}, file = {:STaR-IoT2022.pdf:PDF}, isbn = {9781450396653}, numpages = {8}, } @Article{Bradbury:2022:QuantifyingSourceLocation, author = {Matthew Bradbury and Arshad Jhumka}, journal = {IEEE Transactions on Information Forensics and Security}, title = {{Quantifying Source Location Privacy Routing Performance via Divergence and Information Loss}}, year = {2022}, pages = {3890--3905}, volume = {17}, abstract = {Source Location Privacy (SLP) is an important property for security critical applications deployed over a wireless sensor network. This property specifies that the location of the source of messages needs to be kept secret from an eavesdropping adversary that is able to move around the network. Most previous work on SLP has focused on developing protocols to enhance the SLP imparted to the network under various attacker models and other conditions. Other works have focused on analysing the level of SLP being imparted by a specific protocol. In this paper, we introduce the notion of a routing matrix which captures when messages are first received. We then introduce a novel approach where an optimal SLP routing matrix is derived. In this approach, the attacker's movement is modelled as a Markov chain where measures of conditional entropy and divergence are used to compare routing matrices and quantify if they provide high levels of SLP. We propose the notion of a properly competing path that causes an attacker to divert when moving towards the source. This concept provides the basis for developing a perturbation model, similar to those used in privacy-preserving data mining. 
We formally prove that properly competing paths are both necessary and sufficient in ensuring the existence of an SLP-aware routing matrix and show their usage in developing an SLP-aware routing matrix. Further, we show how different SLP-aware routing matrices can be obtained through different instantiations of the framework. Those instantiations are obtained based on a notion of information loss achieved through the use of the perturbation model proposed.}, doi = {10.1109/TIFS.2022.3217385}, file = {:TIFS2022.pdf:PDF}, } @Article{Farrell:2023:SecurityMindedVerification, author = {Marie Farrell and Matthew Bradbury and Rafael C. Cardoso and Michael Fisher and Louise A. Dennis and Clare Dixon and Al Tariq Sheik and Hu Yuan and Carsten Maple}, journal = {IEEE Transactions on Dependable and Secure Computing}, title = {{Security-Minded Verification of Cooperative Awareness Messages}}, year = {2023}, month = dec, pages = {18}, abstract = {Autonomous robotic systems are both safety- and security-critical, since a breach in system security may impact safety. In such critical systems, formal verification is used to model the system and verify that it obeys specific functional and safety properties. Independently, threat modelling is used to analyse and manage the cyber security threats that such systems may encounter. Both verification and threat analysis serve the purpose of ensuring that the system will be reliable, albeit from differing perspectives. In prior work, we argued that these analyses should be used to inform one another and, in this paper, we extend our previously defined methodology for security-minded verification by incorporating runtime verification. To illustrate our approach, we analyse an algorithm for sending Cooperative Awareness Messages between autonomous vehicles. Our analysis centres on identifying STRIDE security threats. 
We show how these can be formalised, and subsequently verified, using a combination of formal tools for static aspects, namely Promela/SPIN and Dafny, and generate runtime monitors for dynamic verification. Our approach allows us to focus our verification effort on those security properties that are particularly important and to consider safety and security in tandem, both statically and at runtime.}, doi = {10.1109/TDSC.2023.3345543}, file = {:TDSC2023.pdf:PDF}, } @Article{Manzoor:2024:EnablingMultiLayer, author = {Salman Manzoor and Antonios Gouglidis and Matthew Bradbury and Neeraj Suri}, journal = {IEEE Transactions on Cloud Computing}, title = {{Enabling Multi-Layer Threat Analysis in Dynamic Cloud Environments}}, year = {2024}, month = feb, abstract = {Most Threat Analysis (TA) techniques analyze threats to targeted assets (e.g., components, services) by considering static interconnections among them. However, in dynamic environments, e.g., the Cloud, resources can instantiate, migrate across physical hosts, or decommission to provide rapid resource elasticity to its users. Existing TA techniques are not capable of addressing such requirements. Moreover, complex multi-layer/multi-asset attacks on Cloud systems are increasing, e.g., the Equifax data breach; thus, TA approaches must be able to analyze them. This paper proposes ThreatPro, which supports dynamic interconnections and analysis of multi-layer attacks in the Cloud. ThreatPro facilitates threat analysis by developing a technology-agnostic information flow model, representing the Cloud's functionality through conditional transitions. The model establishes the basis to capture the multi-layer and dynamic interconnections during the life cycle of a Virtual Machine. 
ThreatPro contributes to (1) enabling the exploration of a threat's behavior and its propagation across the Cloud, and (2) assessing the security of the Cloud by analyzing the impact of multiple threats across various operational layers/assets. Using public information on threats from the National Vulnerability Database, we validate ThreatPro's capabilities, i.e., identify and trace actual Cloud attacks and speculatively postulate alternate potential attack paths.}, doi = {10.1109/TCC.2024.3365736}, file = {:TCC2024.pdf:PDF}, } @Comment{jabref-meta: databaseType:bibtex;} @Comment{jabref-meta: fileDirectory:papers;}