فصلنامه پدافند الکترونیکی و سایبری
سال نهم شماره 1 (پیاپی 33، بهار 1400)

Distributed association rules mining is one of the most important data mining methods that extracts the inter dependence of data items from decentralized data sources, regardless of their physical location and is based on the process of extracting repeated items. When exploration algorithms are implemented on   large-scale data, a large number of recurring items are produced, many of which are irrelevant,            ambiguous, and unusable for the business, thus causing a challenge called "combination explosion ". In this paper, a new coalition method based on distributed data mining and domain archeology, abbreviated to DARMASO, is proposed to address this challenge. This method uses three algorithms: the   DARMASOMAIN algorithm to guide and control the process of exploration and aggregation of universal rules, the DARMASOPRU algorithm to reduce and prune the data and the DARMASOINT algorithm to explore and aggregate the rules of all the generated data sources. DARMASO uses a map-reduce-based distributed computational model in a multi-agent distributed environment. It also provides a practical way for semantic mining of large-scale data sets. This method filters out the association rules of generality based on the purposes of data mining as well as the needs of the user and only produces and maintains useful rules. Reducing the scope of exploration and filtration of rules is achieved through the process of semantic pruning in the form of removing inappropriate candidates from the set of frequent items and    producing association rules of utility. The implementation is performed using a data set from the scope of natural disasters and the earthquake class. It also improves the speed and quality of rule extraction and generates practical, reliable, logical, quality and valuable rules to support decision-making amid the  masses of data.

The scrambler block is one of the most commonly used blocks in digital communication protocol design. This block is used to randomize the bit string and usually is used after the source encoder or after the  channel encoder. In blind detection this block, is assumed to be located after the source encoder or after the channel encoder. LFSRs are often used to design linear scramblers. Therefore, scramblers are defined by usage of feedback polynomials and initial states. In previous works, the initial state of the scrambler  after channel encoder has been identified, but under some circumstances, these algorithms cannot provide proper response. In these conditions, to identify initial state of the scrambler, a full search method may be used which takes a long time. In this paper, a new algorithm for initial state of scrambler detection, after channel encoder, is presented. The proposed algorithm is able to identify the initial state of scrambler in the cases that other algorithms cannot do anything. The new algorithm also reduces the search space and as a result, it need much less time for the identification process.

Over the last years, several differentially private mechanisms have been proposed to answer statistical   queries over trajectory databases. However, most of these mechanisms aim to answer statistical queries without releasing  trajectories. In this paper, we present DP-STDR; a new differentially private  mechanism that releases synthetic  trajectories for data analysis purposes while preserving spatial and temporal utilities. DP-STDR keeps some main spatial, temporal, and statistical properties of original trajectories and defines a new differentially private tree      structure to keep the most probable paths with different lengths and different starting points. This tree structure is used to generate synthetic trajectories. Our experiments show that DP-STDR enhances the utility of query answers and  better preserves the main spatial, temporal, and statistical properties of original trajectories in comparison to prior related work.

The software defined network (SDN) is a new computer architecture, where the central controller is applied. These networks rely on software and consequently, their security is exposed to different attacks through different components therein. One type of these attacks, which is the latest threat in computer network realm and the efficiency therein, is called the distributed denial of services (DDoS). An attempt is made to develop an attack- detector, through a combined statistical and machine learning method. In the statistical method, the entropy, based on destination IP and normal distribution in addition to dynamic threshold are applied to detect attacks. Normal distribution is one of the most important distributions in the theory of probability. In this distribution the entropy average and standard deviation are effective in attack detection. As for the learning algorithm, by applying the extracted features from the flows and supervised  classification algorithms, the accuracy of attack detection increases in such networks. The applied datasets in this study consist of: ISCX-SlowDDoS2016، ISCX-IDS2012, CTU-13 and ISOT. This method outperforms its counterparts with an accuracy of 99.65% and 0.12 false positive rate (FPR) for the UNB-ISCX dataset, and with an accuracy of 99.84% and 0.25 FPR for CTU-13 dataset.

Botnet is a group of hosts infected with the same malicious code and managed by an attacker or Botmaster through one or more command and control (C&C) servers. The new generation of Botnets generates C&C domain name  server’s list dynamically. This dynamic list created by a domain generation algorithm helps an attacker to periodically change its C&C servers and prevent their addresses from being blacklisted. Each infected host generates a large   number of domain names using a predefined algorithm and attempts to map them to their corresponding addresses by sending queries to the domain server. In this paper, the deep autoencoder neural network is used to identify domains without any knowledge of their generating algorithm, and the performance of the proposed method is compared with the performance of machine learning algorithms. Initially, a new dataset is created by combining a data set with normal domains and two datasets containing malicious and abnormal domains and both manual and automated   methods are used to extract the features of the new dataset. Deep autoencoder neural network is applied to new and pre-processed datasets and the results are compared with machine learning algorithms. Based on the obtained results, it is possible to identify the malicious domains generated by domain generating algorithms using the deep autoencoder neural network with a higher speed and an accuracy rate larger than 98.61%.

The popularity of audio formats usually attracts the attention of intruders and criminals to use this medium as a cover for establishing their secret communications. The extensive use of this formats, along with  various modern techniques, designed for audio steganography, can cause the cyber spaces to be insecure environments. In order to deal with threats, some audio steganalysis techniques have been presented that statistically analyze various audio formats, such as music, MP3, and VoIP, efficiently. Among the presented approaches, combining the techniques of signal processing and machine learning has made possible the creation of steganalyzers that are highly accurate. However, since the statistical properties of audio files differ from purely speech ones, the current steganalysis methods cannot detect speech stego files,            accurately. Another issue is the large number of analysis dimensions which increase the implementation cost, significantly. As response to these issues, this paper proposes the percentage of equal adjacent  samples (PEAS) feature, as a one-dimensional feature for speech steganalysis. Using a classifier, based on the Gaussian membership function, on stego instances with 50% embedding ratio, the evaluation results for the designed steganalyzer, show a sensitivity of 99.82%. Additionally, it can efficiently estimate the length of a hidden message with the desirable accuracy. Also, the PEAS steganalysis was evaluated on a database, containing classic music instances, and the results show an 81.2% efficient performance.

A cryptographic hash function maps an arbitrary length input to a fixed length output. These functions are used in many cryptographic applications such as digital signatures. They must be secure against collision, preimage and 2-preimage attacks. Rotational cryptanalysis is an approach to the analysis of ARX ciphers. The Hash functions Shabal and Cubehash, which are two candidates of the second round of the SHA-3   competition, have an ARX structure. They have been analyzed with respect to rotational cryptanalysis by Tabatabaei et al. In this paper we consider their analysis and present some observations. Our observations show that the results of Tabatabaei et al.’s cryptanalysis are not accurate. Then we present some new     results about rotational cryptanalysis of Shabal and Cubehash. Thereafter we present some new results and show that rotational cryptanalysis is effective on a smaller number of rounds on Shabal and Cubehash Hash functions.

Digital watermarking technology is presented as one of the best solutions for solving unauthorized copying, content identification and authentication of digital media. Digital watermarking can be applied in the fields of image, text, audio, and video contents. Audio watermarking has recently attracted the attention of researchers because the human auditory system is much more sensitive than his vision system. Therefore, insertion of the data into audio signals in a transparent way is much more difficult than other watermarking species. An efficient audio watermarking system should be able to improve reconciliation of the three measures of transparency, strength and capacitance. Improving the compromise between these three measures is a challenging problem, due to the fact that increasing the capacity of the input signal, causes distortions in the signal which in turn causes a reduction in transparency and robustness. In this paper, a new method is proposed for watermarking of audio signals that is able to improve the three criteria of transparency, robustness and capacity in an appropriate manner. In order to improve the resilience of the hidden  signal against signal processing attacks, the synergy of three efficient transforms in the field of signal processing namely, the graph-centric conversion (GBT), the discrete cosine transform (DCT) and the discrete wavelet transform (DWT), has been used. In addition, in order to maintain the transparency of the watermarked signal, the watermarked data in the high triangle matrix resulting from the LU decomposition of the approximation coefficients of the discrete wavelet are entered in an order which is based on the Fibonacci sequence. The procedure is based on the value of the watermarked bit, the non-zero values ​​of the upper triangular matrix are replaced by the nearest even or odd numbers in the Fibonacci sequence. The latent extraction operation is completely blind. The results of the evaluation of the   proposed method on audio files with Blue, Electronic, Classic and Jazz styles show that the proposed method, despite good resistance to various signal processing attacks, has an average signal rate of 45.13 dB and a placement rate of 625.75 bits per second.

Since the detection of anomalies in dynamic social networks takes place in a sequence of graphs over time, in addition to the storage management challenge, the detection process is difficult due to the slow evolution of graphs. A number of graphs are selected in the specified time frame, and by examining the changes of these graphs, the possible anomalies are detected. Therefore, choosing the number of time points (graphs) in the sequence of graphs is an important challenge in the detection of anomalies. In this paper, a novel method is proposed to detect anomalies based on structural data extracted from dynamic social network graphs. By extracting the centrality indicators from the network graph and their normalized mean, the activity criterion for each individual has been defined. Over time, changes in the activity criterion for each individual are measured and marked as the possibility of normal or abnormal behavior. If the individual's behavior measure exceeds a certain threshold, it is reported as an anomaly. The results show that the   proposed method detects more anomalies with the accuracy and recall of 64.29 and 81.82 respectively, for the VAST 2008 data set. It also, detects more anomalies by selecting different number of time points in the graph sequence.

Quantum key distribution (QKD) solves the problem of key generation and exchange between  cryptography parties with unconditional security guaranteed by the principles and phenomena of quantum mechanics. In the 40-year old history of quantum cryptography, several QKD protocols have been invented of which, the BB84 protocol is the most famous one, and some others such as the six-state and  Ardehali-Chau-Lo protocols have been created by making some variations of it. In this paper, a more general version of BB84 using 2n polarization states which create n orthogonal pairs of polarization states and n polarization bases is presented. In addition, it is assumed that distinct polarization bases are chosen with necessarily unequal probabilities. Then by studying and analyzing the new QKD protocol and its two special cases using the probability theory, they are compared with the BB84, six-state and Ardehali-Chau-Lo protocols and finally, the results are supported and confirmed by constructing four various numerical examples. The advantage of the new QKD protocol in comparison to the BB84, the six-state and  Ardehali-Chau-Lo protocols is its high flexibility in choosing the number of polarization states and the manner of probability allocation on choosing the polarization bases. By analyzing the new protocol and its two special cases using the probability theory, this advantage causes better application of knowledge for a suitable QKD protocol selection in order to realize a certain goal and exploit its technological advantages.

The growing spread of botnet threats and the development of new platforms for deploying botnets such as the Internet of Things urges the need for confrontation. Research in the field of botnet detection based on machine learning methods, shows that these methods have the necessary efficiency for botnet detection. In this paper, normal and botnet traffic are analyzed by the proposed method based on the Minkowski distance vector. The results of the article show that normal traffic flow affects the feature selection and extraction stage by changing the importance of features. This method scores the features based on near bot-bot behavioral vectors and far bot-normal behavioral vectors. The results of these experiments on ten sets of normal data and three sets of bot data showed that the score of a feature increases or decreases by more than 50% in environments with various normal traffic.

ICT development has caused evolution in service delivery methods. With the increase in population density in urban areas, it is necessary to change and develop the infrastructures. Fiber optic network is a  sustainable communication platform in the smart city and supports all broadband and narrowband services. In this paper, the role of fiber optics in the smart home (with broadband capability) and mobile network (5G) are considered as the two main parts of a smart city. A techno-economic model of  communication infrastructure in the smart city (using multi-purpose fiber optic network with existing  resources consideration) is stated by mixed integer linear programming (MILP) method. In this literature, whilst providing fundamental communication in the smart city, decreasing the vulnerability to threats and increasing the percentage of security and reliability, technical requirements are met and the Capital Expenditure (CAPEX) of network is reduced, as well.

Multi-facet dependency of human life on computer networks and its widespread vulnerability has made network robustness a necessity. With cost as a limiting factor, network robustness is considered as a great challenge for network administrators. This goal would be achievable by prioritizing the vulnerabilities based on their risk and choosing the most hazardous ones for elimination. Nowadays, CVSS is being used as the most widely used vulnerability scoring system. In CVSS, vulnerability ranking is based on its intrinsic features while temporal features such as the probability of developing exploitation tools, are ignored.  So, dynamic risk evaluation is not possible with CVSS and it is incapable of performing effective vulnerability discretion. This is because, only limited number of vulnerabilities are available for prioritization of infinite number of vulnerabilities. In addition, CVSS only ranks single step attacks whilst a wide variety of attacks are multi-step attacks. In this paper, a security system is proposed that is an improvement over CVSS and some other existing vulnerability scoring systems. It performs dynamic risk evaluation of multi-step attacks by considering vulnerabilities' temporal features. As the introduced model is developed based on security metrics of the security model, security evaluation of multi-step attacks is now possible by CVSS. Also, the capability of risk evaluation of zero-day attacks is one unique feature of the proposed system which cannot be accomplished by the present vulnerability scoring systems. In CVSS, the impact of exploiting 35.5% of vulnerabilities on confidentiality, integrity and availability are scored the same. But, in the proposed  system, by considering the relative priority of the three mentioned security parameters, vulnerability  discrimination of risk score of the mentioned percentage of vulnerabilities may be possible. On the other hand, the continuity of the probability assessment function of the proposed method in comparison to the discrete one in CVSS, improves the score diversity.

In recent years, a new generation of networks called software defined networks (SDN) has been  introduced whose main focus is on separating control logic from hardware and concentrating it on acentral software called the "controller". SDN improves the network efficiency and reduces the expenses. Despite numerous advantages, SDN faces a lot of challenges such as scalability and reliability that can be fixed through physical decentralization of the control level and introduction of distributed controllers. However, the distributed controllers also face challenges including scalability, stability, and coordination strategy. This research deals with the improvement of distributed controllers’ scalability using the concept of load balancing. For this purpose, we have suggested that a controller load detection function (CLDF) be placed on each of the related controllers, and if the load exceeds the threshold level, the new load be transferred to a controller with the least load. The suggested method is implemented on the Floodlight  controller in a distributed manner, and implemented on Ubuntu 14.04 operating system using the mininet simulation platform. The simulation results show that suggested method causes an average growth of 31.6 percent on the transition rate.