Yasser Karim

Bio: Yasser Karim is an academic researcher from University of Alabama at Birmingham. The author has contributed to research in topics: Cloud computing & Service provider. The author has an hindex of 4, co-authored 13 publications receiving 65 citations. Previous affiliations of Yasser Karim include Wichita State University & University of Alabama.

FIF-IoT: A Forensic Investigation Framework for IoT Using a Public Digital Ledger

Abstract: The increased deployment of Internet of Things (IoT) devices will make them targets for attacks. IoT devices can also be used as tools for committing crimes. In this regard, we propose FIF-IoT – a forensic investigation framework using a public digital ledger to find facts in criminal incidents in IoT-based systems. FIF-IoT collects interactions that take place among various IoT entities (clouds, users, and IoT devices) as evidence and store them securely as transactions in a public, distributed and decentralized blockchain network which is similar to the Bitcoin network. Hence, FIF-IoT eliminates a single entity's control over the evidence storage, avoids single-point-offailure on the storage media, and ensures high availability of evidence. FIF-IoT presents a framework that ensures integrity, confidentiality, anonymity, and non-repudiation of the evidence stored in the public digital ledger. Furthermore, FIF-IoT provides a mechanism to acquire evidence from the ledger and to verify the integrity of the obtained evidence. We present a case study of a forensic investigation to demonstrate that FIF-IoT is secure against evidence tampering. We also implement a prototype to evaluate the performance of FIF-IoT.

IoTbed: A Generic Architecture for Testbed as a Service for Internet of Things-Based Systems

Abstract: In recent years, the concept of the Internet of Things (IoT) has already been implemented in numerous application domains, such as smart city, intelligent healthcare assistant, and smart transportation management. Researchers or developers associated with these domains frequently require diverse types of IoT devices to implement or test their IoT related innovations. However, building an IoT-testbed by purchasing these IoT devices in every few months is infeasible considering that most of them will be used only for a small amount of time and will become obsolete with the arrival of an upgraded version of those devices. Instead, a better approach would be rented out the IoT devices in on-demand, just-in-time, and pay for only the time the devices are used basis. Therefore, in this paper, we propose IoTbed – an architecture to deliver a large scale Testbed as a service using the IoT devices located in the users' proximal networks. IoTbed enables testbed providers to build their testbeds in the edge of the network and allows easy and secure access for IoT service providers to run experiments on those testbeds. IoTbed presents an economic model that offers monetary incentives to the device owners for using their devices in the testbed experiments. We posit that such an incentive model will encourage more testbed providers to rent out their smart devices through IoTbed. To demonstrate the feasibility of IoTbed, we implemented a prototype of IoTbed to run on Contiki powered IoT devices and evaluated the performance.

SecuPAN: A Security Scheme to Mitigate Fragmentation-Based Network Attacks in 6LoWPAN

Abstract: 6LoWPAN is a widely used protocol for communication over IPV6 Low-power Wireless Personal Area Networks. Unfortunately, the 6LoWPAN packet fragmentation mechanism possesses vulnerabilities that adversaries can exploit to perform network attacks. Lack of fragment authentication, payload integrity verification, and sender IP address validation lead to fabrication, duplication, and impersonation attacks. Moreover, adversaries can abuse the poor reassembly buffer management technique of the 6LoWPAN layer to perform buffer exhaustion and selective forwarding attacks. In this paper, we propose SecuPAN - a security scheme for mitigating fragmentation-based network attacks in 6LoWPAN networks and devices. We propose a Message Authentication Code based per-fragment integrity and authenticity verification scheme to defend against fabrication and duplication attacks. We also present a mechanism for computing datagram-tag and IPv6 address cryptographically to mitigate impersonation attacks. Additionally, our reputation-based buffer management scheme protects 6LoWPAN devices from buffer reservation attacks. We provide an extensive security analysis of SecuPAN to demonstrate that SecuPAN is secure against strong adversarial scenarios. We also implemented a prototype of SecuPAN on Contiki enabled IoT devices and provided a performance analysis of our proposed scheme.

On mapping releases to commits in open source systems

Abstract: The paper presents an empirical study on the release naming and structure in three open source projects: Google Chrome, GNU gcc, and Subversion. Their commonality and variability are discussed. An approach is developed that establishes the mapping from a particular release (major or minor) to the specific earliest and latest revisions, i.e., a commit window of a release, in the source control repository. For example, the major release 25.0 in Chrome is mapped to the earliest revision 157687 and latest revision 165096 in the trunk. This mapping between releases and commits would facilitate a systematic choice of history in units of the project evolution scale (i.e., commits that constitute a software release). A projected application is in forming a training set for a source-code change prediction model, e.g., using the association rule mining or machine learning techniques, commits from the source code history are needed.

StreetBit: A Bluetooth Beacon-based Personal Safety Application for Distracted Pedestrians

Abstract: The safety of distracted pedestrians presents a significant public health challenge in the United States and worldwide. An estimated 6,704 American pedestrians died and over 200,000 pedestrians were injured in traffic crashes in 2018, according to the Centers for Disease Control and Prevention (CDC) [1]. This number is increasing annually and many researchers posit that distraction by smartphones is a primary reason for the increasing number of pedestrian injuries and deaths. One strategy to prevent pedestrian injuries and death is to use intrusive interruptions that warn distracted pedestrians directly on their smartphones. To this end, we developed StreetBit, a Bluetooth beacon-based mobile application that alerts distracted pedestrians with a visual and/or audio interruption when they are distracted by their smartphones and are approaching a potentially-dangerous traffic intersection. In this paper, we present the background, architecture, and operations of the StreetBit Application.

A Survey on the Internet of Things (IoT) Forensics: Challenges, Approaches, and Open Issues

Abstract: Today is the era of the Internet of Things (IoT). The recent advances in hardware and information technology have accelerated the deployment of billions of interconnected, smart and adaptive devices in critical infrastructures like health, transportation, environmental control, and home automation. Transferring data over a network without requiring any kind of human-to-computer or human-to-human interaction, brings reliability and convenience to consumers, but also opens a new world of opportunity for intruders, and introduces a whole set of unique and complicated questions to the field of Digital Forensics. Although IoT data could be a rich source of evidence, forensics professionals cope with diverse problems, starting from the huge variety of IoT devices and non-standard formats, to the multi-tenant cloud infrastructure and the resulting multi-jurisdictional litigations. A further challenge is the end-to-end encryption which represents a trade-off between users’ right to privacy and the success of the forensics investigation. Due to its volatile nature, digital evidence has to be acquired and analyzed using validated tools and techniques that ensure the maintenance of the Chain of Custody. Therefore, the purpose of this paper is to identify and discuss the main issues involved in the complex process of IoT-based investigations, particularly all legal, privacy and cloud security challenges. Furthermore, this work provides an overview of the past and current theoretical models in the digital forensics science. Special attention is paid to frameworks that aim to extract data in a privacy-preserving manner or secure the evidence integrity using decentralized blockchain-based solutions. In addition, the present paper addresses the ongoing Forensics-as-a-Service (FaaS) paradigm, as well as some promising cross-cutting data reduction and forensics intelligence techniques. Finally, several other research trends and open issues are presented, with emphasis on the need for proactive Forensics Readiness strategies and generally agreed-upon standards.

Internet of Things (IoT): Research, Simulators, and Testbeds

Abstract: The Internet of Things (IoT) vision is increasingly being realized to facilitate convenient and efficient human living. To conduct effective IoT research using the most appropriate tools and techniques, we discuss recent research trends in the IoT area along with current challenges faced by the IoT research community. Several existing and emerging IoT research areas such as lightweight energy-efficient protocol development, object cognition and intelligence, as well as the critical need for robust security and privacy mechanisms will continue to be significant fields of research for IoT. IoT research can be a challenging process spanning both virtual and physical domains through the use of simulators and testbeds to develop and validate the initial proof-of-concepts and subsequent prototypes. To support researchers in planning IoT research activities, we present a comparative analysis of existing simulation tools categorized based on the scope of coverage of the IoT architecture layers. We compare existing large-scale IoT testbeds that have been adopted by researchers for examining the physical IoT prototypes. Finally, we discuss several open challenges of current IoT simulators and testbeds that need to be addressed by the IoT research community to conduct large-scale, robust and effective IoT simulation, and prototype evaluations.

Predicting Vulnerable Components: Software Metrics vs Text Mining

Abstract: Building secure software is difficult, time-consuming, and expensive. Prediction models that identify vulnerability prone software components can be used to focus security efforts, thus helping to reduce the time and effort required to secure software. Several kinds of vulnerability prediction models have been proposed over the course of the past decade. However, these models were evaluated with differing methodologies and datasets, making it difficult to determine the relative strengths and weaknesses of different modeling techniques. In this paper, we provide a high-quality, public dataset, containing 223 vulnerabilities found in three web applications, to help address this issue. We used this dataset to compare vulnerability prediction models based on text mining with models using software metrics as predictors. We found that text mining models had higher recall than software metrics based models for all three applications.