Attacks and Defense Mechanisms

#### **Chapter 1**

## Introductory Chapter: Data Privacy Preservation on the Internet of Things

*Jaydip Sen and Subhasis Dasgupta*

#### **1. Introduction**

Recent developments in hardware and information technology have enabled the emergence of billions of connected, intelligent devices around the world that exchange information with minimal human involvement. This paradigm, known as the Internet of Things (IoT), is progressing quickly, with an estimated 27 billion devices by 2025 (almost four devices per person) [1, 2]. These smart devices help improve our quality of life: wearables monitor health, vehicles interact with traffic centers and other vehicles to ensure safety, and various home appliances offer comfort. This growth in the number of IoT devices and successful IoT services has generated tremendous volumes of data. The International Data Corporation report estimates that by 2025 this data will grow from 4 to 140 zettabytes [3].

However, this humongous volume of data poses growing concerns for user privacy. Gartner predicts that approximately 15 billion connected devices will be linked to computing networks by 2022 [4]. These gadgets could be vulnerable, and the massive amounts of unsecured online data create a liability. In addition, the difficulty users have in controlling the data from their devices has highlighted privacy as a major issue. To guarantee high levels of user data protection, IoT systems must adhere to regulations such as the European Union's *General Data Protection Regulation* (GDPR) of 2018 [5]. GDPR is a law enacted in the European Union that specifies rules for how organizations and companies must use personal data without violating their integrity. These regulatory policies focus on giving users control over what is collected, when, and for what purpose. By 2023, regulators will demand that organizations protect the consumer privacy rights of more than 5 billion citizens and comply with more than 70% of the GDPR requirements [5].

Traditional privacy protection schemes are insufficient for IoT applications, which necessitate new techniques such as distributed cybersecurity controls, models, and decisions that take into account vulnerabilities in system development platforms as well as malicious users and attack surfaces. Machine learning techniques can provide improved detection of novel cyberattacks when dealing with the large volumes of data in IoT systems. Furthermore, they can enhance how sensitive data are shared between components to keep them secure. Machine learning-based schemes thus improve the operations related to privacy protection and comply more effectively with the regulations. This chapter presents a survey of the currently existing machine learning-based approaches for the privacy preservation of data in the IoT.

The rest of the chapter is organized as follows. Section 2 identifies some of the existing surveys on the privacy preservation of data in the IoT. Section 3 discusses current privacy schemes for IoT based on a centralized architecture. Section 4 highlights the existing schemes working on the principles of distributed learning. In Section 5, some well-known privacy schemes on distributed encryption mechanisms are discussed. The concept of differential privacy and some schemes working on this principle are presented in Section 6. Finally, the chapter is concluded in Section 7, highlighting some emerging trends in the field of privacy in the IoT.

#### **2. Some existing survey works on privacy issues in the IoT**

In the literature, several studies have reviewed privacy issues in IoT environments, focusing mostly on threats and attacks on such systems. A comprehensive survey of various threat models and the classification of attack types in the context of the IoT was carried out in [6]. The study found that the training dataset used for building the machine learning model of a privacy protection system is the asset most vulnerable to attack. Other sensitive assets are the model itself, its parameters and hyper-parameters, and the model architecture. The sensitive actors, on the other hand, are the owners of the data, the owners of the model, and the users of the model. Another important observation of this study is that, among machine learning models, ordinary least squares regression, decision trees, and support vector machines are the most vulnerable. Another recently published paper presented a comprehensive survey of machine learning and deep learning-based approaches for protecting user data privacy in the IoT [7].

Many surveys focus on reviewing the mechanisms and models for preserving data privacy. The issues covered include differential privacy, homomorphic encryption, and learning architectures and models. In one study, the threats and vulnerabilities of privacy protection systems in the IoT are classified into four groups: (i) attacks on authentication, (ii) attacks on the components of edge computing, (iii) attacks on the anatomization and perturbation schemes, and (iv) attacks on data summarization [8]. In another survey, the existing privacy protection systems with centralized architectures and machine learning approaches are analyzed by categorizing the data generated at different layers [9]. Kounoudes and Kapitsaki [10] analyzed several privacy-preservation solutions to determine their basic characteristics. The authors proposed a mix of machine learning techniques for providing user protection, along with policy languages to set user privacy preferences and negotiation techniques that improve services while preserving user rights. Zhu et al.'s survey covered several approaches, including differential privacy, secure multi-party computation, and homomorphic encryption for training models [11]. The authors classified the models based on collaborative or aggregated scenarios to protect user identity or information. Ouadrhiri et al. analyzed the current methods within federated learning environments, classifying them into three distinct groups for protecting datasets: (i) *k*-anonymity, (ii) *l*-diversity, and (iii) *t*-closeness [12]. The authors also observe that differential privacy-based technologies are mostly used for training the privacy models. This approach, however, suffers from a high computational complexity for the encryption and decryption operations.

#### **3. Centralized architecture-based encryption schemes**

The data privacy mechanisms and systems under this category use encryption techniques such as homomorphic encryption, attribute-based access control, multi-party computation, and lightweight cryptography. These approaches are usually resource hungry, demanding high computational resources and large memory spaces. On the other hand, homomorphic encryption systems provide a very high level of privacy even when computations are outsourced to third parties. Researchers have designed several variants of homomorphic encryption such as partially homomorphic and somewhat homomorphic encryption [13–15]. While somewhat homomorphic encryption systems minimize communication overhead by using a smaller key size, partially homomorphic encryption systems are suitable for lightweight IoT protocols since they yield shorter ciphertexts.

In building privacy models, the modelers encounter a difficult challenge. While data owners do not want to expose their sensitive information to untrusted and potentially malicious models, the model owners prefer not to share information about their models, as these are valuable assets. As such, classification protocols run machine learning classifiers over encrypted data to protect privacy on both sides. Bost et al., De Cock et al., Rahulamathavan et al., Wang et al., Zhu et al., and Jiang et al. all proposed protocols for privacy-preserving classification using different datasets and models, including hyperplane decision, naive Bayes, decision trees, support vector machines, and multilayer extreme learning machines, among others. These models have yielded accuracies varying between 86% and 98% [16–21]. These efforts also reduce training and execution times compared to traditional deep learning models like convolutional neural networks.

#### **4. Distributed learning-based solutions**

Of late, privacy protection of data using distributed machine learning [22, 23] has gained considerable popularity in the context of the IoT. Distributed machine learning allows the learning models to be generated at each participant device, while the central server, acting as the coordinator, creates a global model and distributes the knowledge to the participating nodes. Shokri and Shmatikov proposed a collaborative deep learning system that protects a user's sensitive data while utilizing the information content of the nonsensitive data of other users in the system [22]. The deep learning algorithms use stochastic gradient descent because of its parallelization and asynchronous execution capability. The privacy model yields a very high accuracy on the test dataset. A distributed learning-based mechanism for data privacy preservation on IoT devices is proposed by Servia-Rodriguez et al. [23]. The scheme does not involve any data communication to the cloud environment. The system works in two phases. In the first step, the model is trained on data voluntarily shared by some users and possibly not containing any privacy-sensitive information. Once the model is trained, no further user data are shared. The model, tested on a public dataset, yields high accuracy. This scheme assumes that user data privacy is preserved since the original data never leave the device. However, this assumption is incorrect, as distributed machine learning models are vulnerable to privacy inference attacks that attempt to access privacy-sensitive data, and to model inversion attacks that recover the original data [24, 25]. This necessitates integrating protection techniques such as encryption or differential privacy into distributed learning systems.

#### **5. Distributed learning and encryption**

Encryption techniques are integrated into distributed machine learning to boost data privacy in IoT applications. The most commonly used encryption method is homomorphic encryption, in which the user data is encrypted before being sent to the computing nodes. A privacy protection system has been proposed based on the joint operation of a multilayer perceptron and a convolutional neural network model [26]. The model has been tested on the *Modified National Institute of Standards and Technology* (MNIST) and *Street View House Numbers* (SVHN) datasets [27]. A secure information system for healthcare applications in the IoT environment has been proposed [28]. The proposed model uses Paillier additive homomorphic encryption [29]. Another privacy system based on the Paillier cryptosystem has been presented that works on blockchain technology [30]. The authors tested the system on two datasets from the University of California, Irvine (UCI) data repository [31, 32]. Homomorphic encryption systems offer increased privacy compared to differential privacy-based ones. However, fully homomorphic encryption can be costly in terms of computational overhead, while partially homomorphic encryption can only be used for carrying out a single operation. Moreover, partially homomorphic encryption methods require trusted third parties to be in place, or they work on simpler models that approximate complex equations using a single mathematical operation. A mechanism is proposed for protecting the privacy of data for the Industrial Internet of Things (IIoT) built on the principles of distributed learning [33]. The scheme works on a variational autoencoder model trained using homomorphic encryption. The accuracy of the model is found to be high, while its execution time is low. A hybrid framework for privacy protection is proposed by Osia et al. [34]. The scheme utilizes a Siamese architecture and can perform efficient privacy-preserving analytics by splitting a neural network between IoT devices and the cloud [35]. The feature extraction is done at the device, while the classification is carried out in the cloud. The scheme uses a convolutional neural network model evaluated with the gender classification datasets *IMDB-Wiki* [36] and *Labeled Faces in the Wild* (LFW) [37], achieving accuracies of 94% and 93%, respectively. A data privacy-preserving scheme named CP-ABPRE is presented by Zhou et al. that works on a policy-based encryption approach [38]. The scheme is found to be robust against privacy attacks and has a low computational overhead for its encryption and decryption processes.
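To make the Paillier limitation discussed above concrete, the following added example (written for this chapter, not code from any cited scheme) lets an untrusted aggregator sum encrypted sensor readings from several devices without holding the private key, and then shows that multiplying two ciphertexts yields the sum of the plaintexts, not their product, which is exactly the "single operation" restriction of partially homomorphic encryption. The primes and readings are constructed toy values.

```python
"""Paillier additive homomorphic aggregation over IoT sensor readings.

Added example (not from the chapter or any cited scheme) for the Paillier-based
systems in Sections 3 and 5. An untrusted aggregator sums encrypted readings
without the private key; the key owner decrypts only the total. Primes are
toy-sized for readability; a deployment needs 1024-bit or larger primes.
"""
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


class PaillierPublicKey:
    def __init__(self, n):
        self.n = n
        self.n2 = n * n  # all ciphertext arithmetic is modulo n^2

    def encrypt(self, m, rng=random):
        """E(m) = (1 + n)^m * r^n mod n^2 with a fresh random r in Z_n^*."""
        if not 0 <= m < self.n:
            raise ValueError("plaintext must lie in [0, n)")
        while True:
            r = rng.randrange(1, self.n)
            if gcd(r, self.n) == 1:
                break
        # With g = n + 1, g^m mod n^2 simplifies to 1 + m*n.
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def add(self, c1, c2):
        """E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
        return c1 * c2 % self.n2

    def mul_const(self, c, k):
        """E(m)^k mod n^2 decrypts to k * m mod n (k is public, not encrypted)."""
        return pow(c, k, self.n2)


class PaillierPrivateKey:
    def __init__(self, p, q):
        if gcd(p * q, (p - 1) * (q - 1)) != 1:
            raise ValueError("p and q must satisfy gcd(pq, (p-1)(q-1)) = 1")
        self.pub = PaillierPublicKey(p * q)
        self.lam = lcm(p - 1, q - 1)
        # mu = L((1+n)^lambda mod n^2)^-1 mod n, which equals lambda^-1 mod n
        self.mu = pow(self.lam, -1, self.pub.n)

    def decrypt(self, c):
        n = self.pub.n
        u = pow(c, self.lam, self.pub.n2)   # the r^(n*lambda) factor vanishes mod n^2
        return ((u - 1) // n) * self.mu % n  # L(u) * mu mod n


def aggregate_encrypted(pub, ciphertexts):
    """Aggregator side: fold ciphertexts using only the homomorphic addition."""
    total = 1  # 1 == (1 + 0*n) * 1^n is a valid encryption of 0
    for c in ciphertexts:
        total = pub.add(total, c)
    return total


def demo(seed=7):
    """Constructed scenario: four devices report readings, the aggregator sums them.

    Returns (decrypted sum, decrypted 3*first reading, decrypted c0*c1). The
    last value shows that multiplying ciphertexts yields a SUM of plaintexts,
    not a product: Paillier supports the single operation of addition.
    """
    rng = random.Random(seed)
    priv = PaillierPrivateKey(10007, 10009)  # toy primes, constructed
    pub = priv.pub
    readings = [21, 19, 23, 20]  # constructed temperature readings
    cts = [pub.encrypt(v, rng) for v in readings]
    enc_sum = aggregate_encrypted(pub, cts)
    enc_scaled = pub.mul_const(cts[0], 3)
    enc_pair = pub.add(cts[0], cts[1])
    return priv.decrypt(enc_sum), priv.decrypt(enc_scaled), priv.decrypt(enc_pair)


if __name__ == "__main__":
    print(demo())  # (83, 63, 40): 40 == 21 + 19, not 21 * 19
```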

#### **6. Distributed learning and differential privacy**

In the differential privacy approach, the privacy of data is protected through the addition of random perturbations to the original data. In other words, the data are perturbed with a predetermined measure of the error caused by the modifications [39]. Several well-known perturbation techniques include swapping, randomized response, micro-aggregation, additive perturbation, and condensation. However, perturbations reduce the quality of the data for analysis, as the original data are modified. Privacy models work on a trade-off between the utility of data and its associated privacy level. Several algorithms and approaches to the privacy-utility trade-off exist in the literature. In the context of differential privacy, Abadi et al. presented a scheme for training a neural network with differential privacy to prevent the disclosure of sensitive information [40]. The scheme proved highly effective in preserving the privacy of sensitive data, as observed from its performance on the test dataset. Another scheme for privacy preservation of sensitive data is proposed in which a subset of parameters is shared and obfuscated using differential privacy while the training of the deep learning structures is carried out locally [41]. While differential privacy-based schemes do not need high computational resources, they may be inaccurate since perturbations can reduce training quality. Moreover, these schemes cannot fully protect data privacy (i.e., there is always an accuracy-privacy trade-off for the model). Wang et al. enhanced the performance of distributed machine learning with differential privacy in an IoT environment via their Arden framework [42]. The scheme proposed by the authors involves protecting sensitive information using nullification or noise addition [27]. The model is tested on the MNIST/SVHN datasets and has yielded high accuracy while considerably reducing resource consumption [27]. The scheme proposed by Zhang et al. focused on distributed sensing systems, where an obfuscation function was used to preserve training data privacy when the data are shared with third parties [43].

Lyu et al. proposed a privacy mechanism that uses the random projection method to perturb the original data and embeds fog computing into deep learning [44]. This scheme is able to reduce communication overhead and computation load. The novel method of privacy protection, known as the fog-embedded privacy-preserving deep learning framework, preserves the privacy of data using a robust defense method. First, a random perturbation is used that preserves the original data's statistical characteristics. Then, differentially private stochastic gradient descent is used to train the fog-level models, which are multilayer perceptrons. Each multilayer perceptron consists of two hidden layers equipped with the *rectified linear unit* (ReLU) activation function. The accuracy yielded by the scheme on the test data is quite acceptable, although it is slightly lower than that of models with a centralized architecture. However, the communication and computation overheads are significantly reduced.

Some privacy-preservation schemes utilize Gaussian projections to implement collaborative learning environments efficiently [45]. In these schemes, the resource-constrained IoT devices participate collaboratively and randomly apply multiplicative Gaussian projections to the training data records. This process obfuscates the privacy-sensitive input data. The coordinator node applies a deep learning-based model to learn the complex patterns of the obfuscated data produced by the Gaussian random projections. The performance results of the scheme demonstrated its efficiency and effectiveness in data privacy protection.

Among other approaches, obfuscation-based methods are also used in distributed machine learning to control the computational overhead of the encryption procedures on massively large data. A scheme proposed by Alguliyev et al. protects big data in the context of the IoT [46]. The mechanism transforms sensitive data into data that can be publicly shared. The proposed method works in two phases. In the first phase, the data are transformed through a denoising autoencoder. The sparsity parameter of the autoencoder is chosen to minimize the loss in the autoencoder objective function during the data compression process. In the second phase, the transformed data from the output of the denoising autoencoder are classified using a convolutional neural network model. The proposed scheme was tested on several disease datasets and was found to be highly accurate in its predictions. Du et al. proposed a novel privacy-preserving scheme for big data in IoT deployed in edge computing applications [47]. The mechanism is based on a differential privacy approach built on machine learning models, which can improve query accuracy while minimizing the exposure of sensitive data to the public. The working mechanism involves two steps. In the first step, Laplacian noise is added to the output data to carry out perturbation, while in the second step, random noise is added to the objective function in a way that reduces the disturbance to the objective values. The data perturbation is carried out before transferring the data to the edge nodes. The model is tested on four diverse datasets and is found to be highly accurate in its performance. The machine learning models used in the scheme are stochastic gradient descent and generative adversarial networks.
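The output-perturbation step in Du et al.'s scheme, and the accuracy-privacy trade-off this section returns to repeatedly, can be observed directly with the Laplace mechanism. The following added example (written for this chapter, not code from any cited scheme) answers a count query and a clipped mean query over constructed wearable readings with Laplace noise of scale sensitivity/epsilon, and then measures the mean absolute error for several values of epsilon so the trade-off is seen rather than stated. The function and variable names are this example's own.

```python
"""Laplace mechanism for differentially private queries over IoT readings.

Added example (not from the chapter or any cited scheme) for the output
perturbation described in Section 6: Laplace noise with scale
sensitivity/epsilon is added to a query answer, so a smaller epsilon buys
stronger privacy at the cost of larger expected error. Readings are constructed.
"""
import math
import random

# Constructed heart-rate readings (bpm) from ten wearables.
READINGS = [72, 88, 95, 101, 67, 110, 79, 84, 120, 91]


def laplace_sample(scale, u):
    """Inverse-CDF draw from Laplace(0, scale) given a uniform u in [0, 1)."""
    v = u - 0.5
    # Clamp the log argument so u == 0 cannot produce log(0).
    return -scale * math.copysign(1.0, v) * math.log(max(1.0 - 2.0 * abs(v), 1e-300))


def laplace_mechanism(true_answer, sensitivity, epsilon, u):
    """Return true_answer plus Laplace(sensitivity/epsilon) noise.

    sensitivity is the most one individual's record can change the answer
    (1 for a count). u is the uniform draw, passed in so runs are reproducible.
    """
    if epsilon <= 0 or sensitivity <= 0:
        raise ValueError("epsilon and sensitivity must be positive")
    return true_answer + laplace_sample(sensitivity / epsilon, u)


def private_count(readings, predicate, epsilon, rng=random):
    """epsilon-DP count of readings satisfying predicate (sensitivity 1)."""
    true_count = sum(1 for r in readings if predicate(r))
    return laplace_mechanism(true_count, 1.0, epsilon, rng.random())


def private_mean(readings, lo, hi, epsilon, rng=random):
    """epsilon-DP mean of readings clipped to [lo, hi].

    Clipping bounds each record's influence, giving sensitivity (hi - lo) / n.
    """
    clipped = [min(max(r, lo), hi) for r in readings]
    true_mean = sum(clipped) / len(clipped)
    return laplace_mechanism(true_mean, (hi - lo) / len(clipped), epsilon, rng.random())


def expected_abs_error(sensitivity, epsilon):
    """Mean absolute error of the mechanism is exactly its scale b = s/epsilon."""
    return sensitivity / epsilon


def tradeoff_table(readings, epsilons, trials=2000, seed=3):
    """Empirical mean |noisy - true| of a count query for each epsilon.

    Smaller epsilon (more privacy) gives larger error: the utility-privacy
    trade-off the chapter describes, measured rather than asserted.
    """
    rng = random.Random(seed)

    def above(r):
        return r > 100

    true_count = sum(1 for r in readings if above(r))
    table = {}
    for eps in epsilons:
        errors = [abs(private_count(readings, above, eps, rng) - true_count)
                  for _ in range(trials)]
        table[eps] = sum(errors) / trials
    return table


if __name__ == "__main__":
    for eps, err in tradeoff_table(READINGS, [0.1, 1.0, 10.0]).items():
        print(f"epsilon={eps:<5} mean abs error={err:.2f} "
              f"(theory {expected_abs_error(1, eps):.2f})")
```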

Speech recognition systems, commonly found in IoT services, are susceptible to breaching user privacy, as voice information is generally transmitted as plaintext and is sometimes used for authentication purposes. To address this issue, Rouhani et al. proposed a scheme called *DeepSecure* [48]. The working principle of the scheme is based on Yao's garbled circuit protocol [49], and it executes much faster than homomorphic encryption-based schemes. However, the proposition suffers from issues related to reusability and difficulty of implementation [50]. Differential privacy has also been utilized in work that adds perturbations to user data [40]. However, that scheme has a lower level of accuracy. Ma et al. [51] improved upon this by proposing a secret-sharing-based method that improves accuracy and reduces the computation and communication overhead for both linear and nonlinear operations, using a long short-term memory network model with interactive protocols for each gate. The proposed scheme was tested on a private dataset, yielding a very high accuracy. Although privacy-preservation approaches based on obfuscation methods in most cases overcome the shortcomings of distributed machine learning and encryption-based distributed machine learning methods, these schemes are found to be vulnerable to some attacks [52–54].

#### **7. Conclusion**

This introductory chapter has presented a brief survey of some of the existing data privacy-preservation schemes proposed by researchers in the field of the Internet of Things. However, the design of privacy protection schemes for resource-constrained devices is still in its early stages. Reducing the latency and improving the throughput of neural network training on encrypted data for privacy protection is a big challenge. Most of the existing schemes offload their deep learning tasks to external resources with adequate computing power and storage while keeping user data protected, which makes the schemes computationally efficient. New approaches should explore alternatives, such as quantum computing techniques, for designing more efficient and precise systems. In terms of future possibilities, parallel learning and cost optimization, such as network pruning, are being pursued, as is the study of how different malicious activities interact. The relevant standards bodies should also make effective standardization efforts for all privacy protection schemes [55]. Finally, evaluating and assessing privacy solutions in real-world scenarios is tough, especially when considering the balance between IoT quality-of-service and privacy protection.


#### **Author details**

Jaydip Sen\* and Subhasis Dasgupta Department of Data Science, Praxis Business School, Kolkata, India

\*Address all correspondence to: jaydip.sen@acm.org

© 2023 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

### **References**

[1] State of IoT 2022: Number of Connected IoT Devices Growing 18% to 14.4 Billion Globally. Available from: https://iot-analytics.com/number-connected-iot-devices/ [Accessed: March 27, 2023]

[2] Cisco Cybersecurity Report Series: Security Outcomes Study. Available from: https://www.cisco.com/c/dam/en/us/products/collateral/security/2020-outcomes-study-main-report.pdf [Accessed: March 27, 2023]

[3] The State of Cybersecurity Resilience 2021. Available from: https://www.accenture.com/_acnmedia/PDF-165/Accenture-State-Of-Cybersecurity-2021.pdf [Accessed: March 27, 2023]

[4] Gartner Press Release. Available from: https://www.gartner.com/en/newsroom [Accessed: March 27, 2023]

[5] Complete Guide to GDPR Compliance. Available from: https://gdpr.eu/ [Accessed: March 27, 2023]

[6] Rigaki M, Garcia S. A survey of privacy attacks in machine learning. arXiv. 2021; arXiv:2007.07646. DOI: 10.48550/arXiv.2007.07646

[7] Rodriguez E, Otero B, Canal R. A survey of machine and deep learning methods for privacy protection in the Internet of Things. Sensors. 2023;**23**. DOI: 10.3390/s23031252

[8] Seliem M, Elgazzar K, Khalil K. Towards privacy preserving IoT environments: A survey. Wireless Communications and Mobile Computing. 2018;**1**:1-15. DOI: 10.1155/2018/1032761

[9] Amiri-Zarandi M, Dara RA, Fraser E. A survey of machine learning-based solutions to protect privacy in the Internet of Things. Computers & Security. 2020;**96**:21-45. DOI: 10.1016/j.cose.2020.101921

[10] Kounoudes AD, Kapitsaki GM. A mapping of IoT user-centric privacy preserving approaches to the GDPR. Internet of Things. 2020;**11**:100179. DOI: 10.1016/j.iot.2020.100179

[11] Zhu L, Tang X, Shen M, Gao F, Zhang J, Du X. Privacy-preserving machine learning training in IoT aggregation scenarios. IEEE Internet of Things Journal. 2021;**8**(15):12106-12118. DOI: 10.1109/JIOT.2021.3060764

[12] Ouadrhiri AE, Abdelhadi A. Differential privacy for deep and federated learning: A survey. IEEE Access. 2022;**10**:22359-22380. DOI: 10.1109/ACCESS.2022.3151670

[13] Pisa PS, Abdalla M, Duarte OCMB. Somewhat homomorphic encryption scheme for arithmetic operations on large integers. In: Proceedings of the Global Information Infrastructure and Networking Symposium (GIIS). December 17-19, 2012; Choroni, Venezuela. Piscataway, NJ, USA: IEEE; pp. 1-8. DOI: 10.1109/GIIS.2012.6466769

[14] Sen J. Homomorphic encryption – Theory and application. In: Sen J, editor. Theory and Practice of Cryptography and Network Security Protocols and Technologies. London, UK: IntechOpen; 2011. pp. 1-30. DOI: 10.5772/56687

[15] Mahmood ZH, Ibrahem MK. New fully homomorphic encryption scheme based on multistage partial homomorphic encryption applied in cloud computing. In: Proceedings of the 1st Annual International Conference on Information and Sciences (AiCIS). November 20-21, 2018; Fallujah, Iraq. Piscataway, NJ, USA: IEEE; 2018. pp. 182-186. DOI: 10.1109/AiCIS.2018.00043

[16] Bost R, Popa RA, Tu S, Goldwasser S. Machine learning classification over encrypted data. In: Proceedings of NDSS Symposium. San Diego, CA, USA: Internet Society; 2015. DOI: 10.14722/ndss.2015.23241

[17] De Cock M, Dowsley R, Horst C, Katti R, Nascimento ACA, Poon WS, et al. Efficient and private scoring of decision trees, support vector machines and logistic regression models based on pre-computation. IEEE Transactions on Dependable and Secure Computing. 2019;**16**(2):217-230. DOI: 10.1109/TDSC.2017.2679189

[18] Rahulamathavan Y, Phan RC-W, Veluru S, Cumanan K, Rajarajan M. Privacy-preserving multi-class support vector machine for outsourcing the data classification in cloud. IEEE Transactions on Dependable and Secure Computing. 2014;**11**(5):467-479. DOI: 10.1109/TDSC.2013.51

[19] Wang W, Vong CM, Yang Y, Wong P-K. Encrypted image classification based on multilayer extreme learning machine. Multidimensional Systems and Signal Processing. 2017;**28**:851-865. DOI: 10.1007/s11045-016-0408-1

[20] Zhu H, Liu X, Lu R, Li H. Efficient and privacy-preserving online medical prediagnosis framework using nonlinear SVM. IEEE Journal of Biomedical and Health Informatics. 2017;**21**(3):838-850. DOI: 10.1109/JBHI.2016.2548248

[21] Jiang L, Chen L, Giannetsos T, Luo B, Liang K, Han J. Toward practical privacy-preserving processing over encrypted data in IoT: An assistive healthcare use case. IEEE Internet of Things Journal. 2019;**6**(6):10177-10190. DOI: 10.1109/JIOT.2019.2936532

[22] Shokri R, Shmatikov V. Privacy-preserving deep learning. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security; 12 October 2015; Denver, CO, USA. pp. 1310-1321. DOI: 10.1145/2810103.2813687

[23] Servia-Rodriguez S, Wang L, Zhao JR, Mortier R, Haddadi H. Personal model training under privacy constraints. In: Proceedings of the 2018 IEEE/ACM 3rd International Conference on Internet-of-Things Design and Implementation (IoTDI). April 17-20, 2018; Orlando, FL, USA. Washington, D.C., USA: IEEE Computer Society; 2018. pp. 153-164. DOI: 10.1109/IoTDI.2018.00024

[24] Shokri R, Stronati M, Song C, Shmatikov V. Membership inference attacks against machine learning models. In: Proceedings of the IEEE Symposium on Security and Privacy. Washington, D.C., USA: IEEE Computer Society. May 22-24, 2017; San Jose, CA, USA. pp. 3-18. DOI: 10.1109/SP.2017.41

[25] Fredrikson M, Lantz E, Jha S, Lin S, Page D, Ristenpart T. An end-to-end case study of personalized warfarin dosing. In: Proceedings of the 23rd USENIX Security Symposium. August 20-22, 2014; San Diego, CA, USA. Berkeley, CA, USA: USENIX Association; 2014. pp. 17-32

[26] Phong LT, Aono Y, Hayashi T, Wang L, Moriai S. Privacy-preserving deep learning: Revisited and enhanced. In: Batten L, Kim D, Zhang X, Li G, editors. Applications and Techniques in Information Security (ATIS), Communications in Computer and Information Science. Vol. 719. Singapore: Springer; 2017. pp. 100-110. DOI: 10.1007/978-981-10-5421-1_9

[27] Netzer Y, Wang T, Coates A, Bissacco A, Wu B, Ng AY. Reading digits in natural images with unsupervised feature learning. In: Proceedings of the NIPS Workshop on Deep Learning and Unsupervised Feature Learning. December 12-17, 2011; Granada, Spain. San Francisco, CA, USA: Google Research; 2011. pp. 1-9

[28] González-Serrano FJ, Navia-Vázquez Á, Amor-Martín A. Training support vector machines with privacy-protected data. Pattern Recognition. 2017;**72**:93-107. DOI: 10.1016/j.patcog.2017.06.016

[29] Katz J, Lindell Y. Introduction to Modern Cryptography: Principles and Protocols. Boca Raton, FL, USA: CRC Press; 2020. ISBN-13: 978-1584885511

[30] Shen M, Tang X, Zhu L, Du X, Guizani M. Privacy-preserving support vector machine training over blockchain-based encrypted IoT data in smart cities. IEEE Internet of Things Journal. 2019;**6**(5):7702-7712. DOI: 10.1109/JIOT.2019.2901840

[31] Breast Cancer Wisconsin Data Set (Diagnostic). Available from: https://archive.ics.uci.edu/ml/datasets/Breast+Cancer+Wisconsin+ [Accessed: March 27, 2023]

[32] Heart Disease Databases. Available from: https://archive-beta.ics.uci.edu/ml/datasets/heart+disease [Accessed: March 27, 2023]

[33] Almaiah MA, Ali A, Hajjej F, Pasha MF, Alohali MA. A lightweight hybrid deep learning privacy preserving model for FC-based industrial Internet of Medical Things. Sensors. 2002;**22**(6). DOI: 10.3390/s22062112

[34] Osia SA, Shamsabadi AS, Sajadmanesh S, Taheri A, Katevas K, Rabiee HR, et al. A hybrid deep learning architecture for privacy-preserving mobile analytics. IEEE Internet of Things Journal. 2020;**7**(5):4505-4518. DOI: 10.1109/JIOT.2020.2967734

[35] Chopra S, Hadsell R, LeCun Y. Learning a similarity metric discriminatively, with application to face verification. In: Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR); July 2005; San Diego, CA, USA. Piscataway, NJ, USA: IEEE; 2005. pp. 539-546. DOI: 10.1109/CVPR.2005.202

[36] Rothe R, Timofte R, Van Gool L. Dex: Deep expectation of apparent age from a single image. In: Proceedings of the IEEE International Conference on Computer Vision Workshop (ICCVW), Santiago, Chile. December 7-13, 2015. Piscataway, NJ, USA: IEEE; 2015. pp. 252-257. DOI: 10.1109/ICCVW.2015.41

[37] Huang GB, Mattar M, Berg T, Learned-Miller E. Labeled faces in the wild: A database for studying face recognition in unconstrained environments. In: Proceedings of the Workshop on Faces in 'Real-Life' Images: Detection, Alignment, and Recognition. 12-18 October, 2008; Marseille, France. Berlin, Germany: Springer-Verlag; 2008. pp. 1-8

[38] Zhou X, Xu K, Wang N, Jiao J, Dong N, Han M, et al. A secure and privacy-preserving machine learning model sharing scheme for edge-enabled IoT. IEEE Access. 2021;**9**:17256-17265. DOI: 10.1109/ACCESS.2021.3051945

[39] Zhou J, Cao Z, Dong X, Vasilakos AV. Security and privacy for cloud-based IoT: Challenges. IEEE Communications Magazine. 2017;**55**(1):26-33. DOI: 10.1109/MCOM.2017.1600363CM



#### **Chapter 2**

## Adversarial Attacks on Image Classification Models: FGSM and Patch Attacks and Their Impact

*Jaydip Sen and Subhasis Dasgupta*

#### **Abstract**

This chapter introduces the concept of adversarial attacks on image classification models built on convolutional neural networks (CNN). CNNs are very popular deep-learning models which are used in image classification tasks. However, very powerful and pre-trained CNN models working very accurately on image datasets for image classification tasks may perform disastrously when the networks are under adversarial attacks. In this work, two very well-known adversarial attacks are discussed and their impact on the performance of image classifiers is analyzed. These two adversarial attacks are the fast gradient sign method (FGSM) and the adversarial patch attack. These attacks are launched on three powerful pre-trained image classifier architectures, ResNet-34, GoogleNet, and DenseNet-161. The classification accuracy of the models in the absence and presence of the two attacks is computed on images from the publicly accessible ImageNet dataset. The results are analyzed to evaluate the impact of the attacks on the image classification task.

**Keywords:** image classification, convolutional neural network, adversarial attack, fast gradient sign method (FGSM), adversarial patch, ResNet-34, GoogleNet, DenseNet-161, classification accuracy

#### **1. Introduction**

Szegedy et al. observed that a number of machine-learning models, even cutting-edge neural networks, are susceptible to adversarial samples [1]. In other words, these machine learning models incorrectly categorize cases that differ by a marginal amount from correctly classified examples taken from the data distribution. The same adversarial example is most often classified incorrectly by a wide range of models of varied architecture which are built on different sub-samples of the training data. This shows that fundamental flaws in our training algorithms are exposed by adversarial samples. It was unclear what caused these adversarial cases. However, speculative explanations have indicated that it may be related to the extreme nonlinearity property of deep neural networks in combination with inadequate model averaging and insufficient regularization of the supervised learning problem that the models attempt to handle.

However, Goodfellow et al. disprove the need for these speculative hypotheses [2]. The authors argued that only linear behavior in high-dimensional domains is needed to produce adversarial cases. With the help of this viewpoint, it is possible to quickly create adversarial examples, which makes adversarial training feasible. The authors have also demonstrated that in addition to the regularization benefits offered by the techniques such as dropout, adversarial training can also regularize deep learning models [3]. Changing to nonlinear model families like RBF networks can significantly reduce a model's vulnerability to adversarial examples compared to generic regularization procedures like dropout, pretraining, and model averaging.

One may consider deep learning, which is frequently employed in autonomous (driverless) automobiles, to see why such misclassification is risky [4]. To recognize signs or other cars on the road, systems based on DNNs are utilized [5]. If tampering with the input of such systems, for example by significantly changing the body of a car, stops the DNNs from correctly recognizing it as a moving vehicle, the automobile might not stop and end up in a collision, which might have disastrous repercussions. When an adversary may gain by avoiding detection or having their information misclassified, there is a significant threat. These kinds of attacks are frequent in non-DL classification systems nowadays [6–10].

Goodfellow et al. argue that there is a fundamental incompatibility between building simple-to-train linear models and building models that use nonlinear effects to withstand hostile disruption [2]. By creating more effective optimization methods that can successfully train more nonlinear models in the long run, this trade-off may be avoided.

While the bulk of adversarial attacks has concentrated on slightly altering each pixel of an image, there are examples of attacks that are not limited to barely discernible alterations in the image. An approach that is based on creating an image-independent patch and positioning it to cover a tiny area of the image was demonstrated by Brown et al. [11]. The classifier will reliably predict a particular class for the image in the presence of this patch based on the attacker's preference. This assault is significantly more dangerous than pixel-based attacks like FGSM because it can potentially cause even more damage and because the attacker does not need to know what image they are attacking when they are building the attack. An adversarial patch might then be produced and disseminated for use by more attackers. The conventional defense strategies, which concentrate on protecting against minor perturbations, may not be robust to larger disturbances like these since the attack involves a massive perturbation.

This chapter discusses various adversarial attacks on image classification models and focuses particularly on two specific attacks, the *fast gradient sign method* (FGSM), and the *adversarial patch attack*. The impact of these two attacks on image classification accuracy is analyzed and extensive results are presented. The rest of the chapter is organized as follows. Section 2 presents a few related works. Some theoretical background information on adversarial attacks and pre-trained image classification models is discussed in Section 3. Section 4 presents detailed results and their analysis. Finally, the chapter is concluded in Section 5 highlighting some future works.

#### **2. Related work**

*Adversarial Attacks on Image Classification Models: FGSM and Patch Attacks and Their Impact DOI: http://dx.doi.org/10.5772/intechopen.112442*

Deep learning systems are generally prone to adversarial instances. These instances are deliberately selected inputs that influence the network to alter its output without being obvious to a human [5, 12]. Several optimization techniques, including L-BFGS [1], Fast Gradient Sign Method (FGSM) [2], DeepFool [13], and Projected Gradient Descent (PGD) [14] can be used to find these adversarial examples, which typically change each pixel by only a small amount. Other attack strategies aim to change only a small portion of the image's pixels (Jacobian-based saliency map [15]), or a small patch at a predetermined location [16].

A wide range of fascinating traits of neural networks and related models were demonstrated by Szegedy et al. [1]. The following are some of the important observations of the study: (1) Box-constrained L-BFGS can consistently discover adversarial cases. (2) The adversarial instances in ImageNet [17] data are so similar to the original examples that it is impossible for a human to distinguish between the two. (3) The same adversarial example is commonly classified incorrectly by a large number of classification models, each of which is trained using a different sample of the training data. (4) Adversarial events sometimes make shallow Softmax regression models less robust. (5) Training on adversarial examples can lead to a better regularization of the classification models.

By printing out a huge poster that resembles a stop sign or by applying various stickers to a stop sign, Eykholt et al. [12] demonstrated numerous techniques for creating stop signs that are misclassified by models.

These results suggest that classifiers developed using modern machine learning methods do not actually learn the underlying principles that determine the appropriate output label, even if they perform exceptionally well on the test data. The classification algorithms working for these models perform flawlessly with naturally occurring data. However, their classification accuracy drastically reduces for points that have a low probability in the underlying data distribution. This poses a big challenge to image classification since convolutional neural networks used in the classification work on the computation of perceptual feature similarity based on Euclidean distance. However, the resemblance found in this approach is false if images with unrealistically small perceptual distances actually belong to different classes as per the representation of the neural network.

The problem discussed above is particularly relevant to deep neural networks although linear classifiers are not immune to this problem. No model has yet been able to resist adversarial perturbation while preserving state-of-the-art accuracy on clean inputs. However, several approaches to defending against small perturbations-based adversarial attacks and some novel training approaches have been proposed by researchers [14, 15, 18–26]. Some of these works proposing methods to defend against adversarial attacks are briefly presented in the following.

Madry et al. designed and trained deep neural networks on the MNIST and CIFAR10 image set that are robust to a wide range of adversarial attacks [14]. The authors formulated an approach to identify a saddle point for optimizing the error function and used a projected gradient descent (PGD) as the adversary. The proposed approach was found to yield a classification accuracy of 89% against the strongest adversary in the test data.

Papernot et al. proposed a novel method to create adversarial samples based on a thorough comprehension of the mapping between inputs and outputs of deep neural networks [15]. In a computer vision application, the authors demonstrated that, while only changing an average of 4.02% of the input characteristics of each sample, their proposed method can consistently create samples that were correctly classified by humans but incorrectly classified in certain targets by a deep neural network with a 97% adversarial success rate. Then, by designing a hardness metric, the authors assessed the susceptibility of various sample classes to adversarial perturbations and outlined a defense mechanism against adversarial samples.

Tramer et al. observed that adversarial attacks are more impactful in a black-box setup, in which perturbations are computed and transferred on undefended models [18]. Adversarial attacks are also very effective when they are launched in a single step that escapes the non-smooth neighborhood of the input data through a short random step. The authors proposed an ensemble adversarial training, a method that adds perturbations obtained from other models to training data. The proposed approach is found to be resistant to black-box adversarial attacks on the ImageNet dataset.

For assessing adversarial resilience on image classification tasks, Dong et al. developed a reliable benchmark [21]. The authors made some important and useful observations, including the following. First, adversarial training is one of the most effective defense strategies because it can generalize across different threat models. Second, model robustness curves are useful in the evaluation of the adversarial robustness of models. Finally, the randomization-based defenses are more resistant to query-based black-box attacks.

Chen et al. examined and evaluated the features and effectiveness of several defense strategies against adversarial attacks [22]. The authors considered the evaluation from four different perspectives: (i) gradient masking, (ii) adversarial training, (iii) adversarial examples detection, and (iv) input modifications. The authors presented several benefits and drawbacks of various defense mechanisms against adversarial attacks and explored the future trends in designing robust methods to defend against such attacks on image classification models.

#### **3. Background concepts**

In this section, for the benefit of the readers, some background theories are discussed. The concepts of adversarial attack, fast gradient sign method (FGSM) attack, and three pre-trained convolutional neural network (CNN)-based deep neural network models, ResNet-34, GoogleNet, and DenseNet-161, are briefly introduced in this section.

#### **3.1 Adversarial attacks**

Many different adversarial attack schemes have been put forward, all of which aim to significantly change the model's prediction by slightly altering the input data or image. How can we modify the image of a goldfish so that a classification model that could correctly classify the image before would no longer recognize it? At the same time, a human would still categorize the image as a goldfish without any doubt, hence the label of the image should not change. The generator network's goal under the framework of generative adversarial networks is the same as this one: try to trick another network (a discriminator) by altering its input.

#### **3.2 Fast gradient sign method**

The Fast Gradient Sign Method (FGSM), created by Ian Goodfellow et al., is one of the earliest attack techniques proposed [2]. The FGSM uses a neural network's gradients to produce an adversarial image. Essentially, the adversarial image is produced by FGSM by computing the gradients of a loss function (such as mean-square error or categorical cross-entropy) with respect to the input image and using the sign of the gradients to produce a new image (i.e., the adversarial image) that maximizes the loss. The end result is an output image that, to human sight, appears just like the original, but it causes the neural network to predict something different than it should have. The FGSM is represented in (1).

$$adv_x = x + \varepsilon \cdot \mathrm{sign}\big(\nabla_x J(\theta, x, y)\big) \tag{1}$$

The symbols used in (1) have the following significance:

*advx* the adversarial image as the output

*x* the original image as the input

*y* the actual class (i.e., the ground-truth label) of the input image

ε the noise intensity expressed as a small fractional value by which the signed gradients are multiplied to create perturbations. The perturbations should be small enough so that the human eye cannot distinguish the adversarial image from the original image.

θ the neural network model used for image classification

*J* the loss function

The FGSM attack on an image involves the following three steps.


Most often, in machine learning, determining the loss after forward propagation is frequently the initial step. To determine how closely the model's prediction matches the actual class, a negative likelihood loss function is used. Gradients are used to choose the direction in which to move the weights in order to lower the value of the loss function when training neural networks. However, calculating gradients in relation to an image's pixels is not a usual task. In FGSM, the pixels in the input image are moved in the direction of the gradient to maximize the value of the loss function.
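As an added example that is not part of the chapter, the update of Eq. (1) is carried out by hand on a constructed two-class linear softmax classifier (the weights, the 16×16 input image, and all function names are constructed for illustration). It records what a robustness evaluation of the kind performed in Section 4 records: prediction, confidence, and loss before and after the perturbation, and the largest per-pixel change.

```python
import math

# Added example (not from the chapter): FGSM, adv_x = x + eps * sign(grad_x J(theta, x, y)),
# worked on a constructed softmax classifier so every step can be followed without a
# deep-learning framework. All weights and the input "image" below are constructed.


def softmax(logits):
    """Numerically stable softmax over a list of logits."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]


def forward(W, b, x):
    """Linear classifier: logits_k = W[k] . x + b[k]; returns (logits, probabilities)."""
    logits = [sum(wi * xi for wi, xi in zip(row, x)) + bk for row, bk in zip(W, b)]
    return logits, softmax(logits)


def loss_and_input_gradient(W, b, x, y):
    """Cross-entropy loss J(theta, x, y) = -log p_y and its gradient with respect to the
    input pixels x (not the weights): grad_x J = sum_k (p_k - [k == y]) * W[k]."""
    _, probs = forward(W, b, x)
    loss = -math.log(probs[y])
    grad = [0.0] * len(x)
    for k, row in enumerate(W):
        coeff = probs[k] - (1.0 if k == y else 0.0)
        for i, wi in enumerate(row):
            grad[i] += coeff * wi
    return loss, grad


def sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def fgsm(W, b, x, y, eps):
    """Equation (1): move every pixel by eps in the direction that increases the loss,
    then clip back into the valid [0, 1] pixel range."""
    _, grad = loss_and_input_gradient(W, b, x, y)
    return [min(1.0, max(0.0, xi + eps * sign(gi))) for xi, gi in zip(x, grad)]


def predict(W, b, x):
    """Return (predicted class index, confidence assigned to that class)."""
    _, probs = forward(W, b, x)
    k = max(range(len(probs)), key=probs.__getitem__)
    return k, probs[k]


def build_toy_model(side=16):
    """Constructed 2-class classifier on a side x side grayscale image with pixels in [0, 1].
    Class 0 responds to a checkerboard (w = +0.5 on even pixels, -0.5 on odd ones) and
    class 1 to its inverse. The input is a faint checkerboard the model classifies
    confidently, yet the logit margin is small next to eps * ||w||_1, which is the
    high-dimensional linear behaviour Goodfellow et al. point to."""
    n = side * side
    w0 = [0.5 if i % 2 == 0 else -0.5 for i in range(n)]
    W = [w0, [-w for w in w0]]
    b = [0.0, 0.0]
    x = [0.51 if i % 2 == 0 else 0.49 for i in range(n)]
    return W, b, x, 0  # ground-truth label y = 0


def evaluate_fgsm(eps, side=16):
    """Run the attack of Section 3.2 against the toy model and report the quantities a
    robustness evaluation records before and after the perturbation."""
    W, b, x, y = build_toy_model(side)
    clean_pred, clean_conf = predict(W, b, x)
    clean_loss, _ = loss_and_input_gradient(W, b, x, y)
    adv = fgsm(W, b, x, y, eps)
    adv_pred, adv_conf = predict(W, b, adv)
    adv_loss, _ = loss_and_input_gradient(W, b, adv, y)
    return {
        "clean_pred": clean_pred, "clean_conf": clean_conf, "clean_loss": clean_loss,
        "adv_pred": adv_pred, "adv_conf": adv_conf, "adv_loss": adv_loss,
        "max_abs_delta": max(abs(a - o) for a, o in zip(adv, x)),
    }


if __name__ == "__main__":
    for eps in (0.005, 0.02):
        r = evaluate_fgsm(eps)
        print(f"eps={eps}: class {r['clean_pred']} ({r['clean_conf']:.3f}) -> "
              f"class {r['adv_pred']} ({r['adv_conf']:.3f}); "
              f"loss {r['clean_loss']:.3f} -> {r['adv_loss']:.3f}")
```

With ε = 0.02 the toy model's prediction flips from class 0 to class 1 while no pixel moves by more than 0.02; with ε = 0.005 the label survives, showing how the error grows with ε as in Tables 8–10.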

#### **3.3 ResNet-34 architecture**

He et al. presented a cutting-edge image classification neural network model containing 34 layers [27]. This deep convolutional neural network is known as the ResNet-34 model. The ImageNet dataset, which includes more than 100,000 images in 200 different classes, served as the pre-training data for ResNet-34. Similar to residual neural networks used for text prediction, ResNet architecture differs from typical neural networks in that it uses the residuals from each layer in the connected layers that follow.

#### **3.4 GoogleNet architecture**

Szegedy et al. introduced GoogleNet (also known as Inception V1) in their paper titled "Going Deeper with Convolutions" [28]. In the 2014 ILSVRC image classification competition, this architecture was the winner. This architecture employs methods like global average pooling and 1×1 convolution in the middle of the architecture. A network may experience the issue of overfitting if it is constructed with very deep layers. To address this issue, the GoogleNet architecture was developed with the idea of having filters of various sizes that could function at the same level [28]. The network actually gets wider with this concept rather than deeper. The architecture has a total of 22 layers, including 27 pooling layers. There are nine linearly stacked inception components that are connected to the global average pooling layer. The readers may refer to the work of Szegedy et al. for more details [28].

#### **3.5 DenseNet-161 architecture**

A class of CNN called DenseNets uses dense connections between network layers with matching convolution feature-map sizes [29]. These dense connections are called dense blocks. Each layer receives extra inputs from all earlier layers and transmits its own feature maps to all later layers in order to maintain the feed-forward character of the system. Huang et al. demonstrated that a variant of the DenseNet architecture called DenseNet-161, with *k* = 48 features per layer and having 29 million parameters, can achieve a classification accuracy of 77.8% (i.e., top-1 classification accuracy) on the ImageNet ILSVRC classification dataset. As its name implies, the DenseNet-161 architecture contains 161 layers of nodes. More details on the DenseNet-161 architecture may be found in [29, 30].

#### **4. Image classification results and analysis**

Experiments are conducted to analyze the effect of two types of adversarial attacks on three well-known pre-trained CNN architectures. Two adversarial attacks considered in the study are the *FGSM attack* and the *adversarial patch attack* on a set of images. Three pre-trained architectures on which the attacks are simulated are ResNet-34, GoogleNet, and DenseNet-161. The images are chosen from the ImageNet dataset [17]. The pre-trained CNN models of ResNet-34, GoogleNet, and DenseNet-161 integrated into PyTorch's *torchvision* package, are used in the experiments.

#### **4.1 Classification results in the absence of an attack**

Before we study the impact of adversarial attacks on the image classification models, we analyze the classification accuracy of the models in the absence of any attack. Since the ImageNet dataset includes 1000 classes, it is not prudent to evaluate a model's performance just on the basis of its classification accuracy alone. Consider a model that consistently predicts the true label of an input image as the second-highest class using the *Softmax* activation function. Despite the fact that we would say it recognizes the object in the image, its accuracy is zero. There is not always one distinct label we can assign an image to in ImageNet's 1000 classes. This is why "Top-5 accuracy" is a popular alternative metric for picture classification over a large number of classes. It shows how often the real label has been within the model's top 5 most likely predictions. Since the three pre-trained architectures perform very well on the images in the ImageNet dataset, instead of accuracy, the error, i.e., (1- accuracy) values are presented in the results.

**Table 1** presents the performance results of three classification models on the whole ImageNet dataset containing 1000 classes of images. It is evident that all three models are highly accurate as depicted by their Top-1 and Top-5 error percentage values. The DenseNet-161 model has yielded the highest level of accuracy and the least error among the three architectures. The Top-5 and Top-1 error rates for this model are found to be 2.30% and 15.10%, respectively.

#### **Table 1.**

*Classification accuracy of ResNet-34, GoogleNet, and Densenet-161 CNN models on the ImageNet data.*

After evaluating the overall performance of the three models, we investigate some specific images in the dataset. For this purpose, the images with the indices 0, 6, 13, and 18 are randomly chosen and how the models have classified these images is checked. The images corresponding to the four indices chosen belong to the classes "tench", "goldfish", "great white shark" and "tiger shark", respectively.

**Table 2** presents the performance of the ResNet-34 model on the classification task for the four images. It is evident that the model has been very accurate in classification as the confidence associated with the true class of each of the four images is more than 90%. It may be noted that confidence here means the probability value that the model associates with the corresponding class. For example, the ResNet-34 model has yielded a confidence value of 0.9817 for the image whose true class is "tench" with the predicted class "tench", implying that the model has associated a probability of 0.9817 with its classification of the image to the class "tench".

**Figure 1** depicts the classification results of the ResNet-34 model on the four images. In **Figure 1**, the input image is shown on the left and the confidence values of the model for the top five classes for the image are shown on the right. The confidence values are shown in the form of horizontal bars.

#### **Table 2.**

*The classification results of the ResNet-34 model for the chosen images.*

**Figure 1.** *The classification results of the ResNet34 model for the chosen images.*

#### **Table 3.**

*The classification results of the GoogleNet model for the chosen images.*

**Table 3** presents the performance of the GoogleNet model on the classification task for the four images. It is observed that the model has been very accurate in the classification task for the "tench" and "goldfish" images. While its accuracy for the image "great white shark" class is high, the model has performed poorly for the image "tiger shark". However, for the "tiger shark" image the model has still associated the highest confidence value for the correct class, although the confidence is quite low, i.e., 0.3484.

**Figure 2** depicts the classification results of the GoogleNet model on the four images. In **Figure 2**, the input image is shown on the left and the confidence values of the model for the top five classes for the image are shown on the right. The confidence values are shown in the form of horizontal bars.

**Table 4** presents the performance of the DenseNet-161 model on the classification task for the four images. It is observed that the performance of the model on the classification task has been excellent. For all four images, the confidence values computed by the model for the true class have been higher than 94%. The results also show that among the three architectures, DenseNet-161 has been the most accurate model for the classification of the four images chosen for analysis.

#### *Information Security and Privacy in the Digital World – Some Selected Topics*

**Figure 2.**

*The classification results of the GoogleNet model for the chosen images.*




**Table 4.**

*The classification results of the DenseNet-161 model for the chosen images.*

**Figure 3** depicts the classification results of the DenseNet-161 model on the four images. In **Figure 3**, the input image is shown on the left and the confidence values of the model for the top five classes for the image are shown on the right. The confidence values are shown in the form of horizontal bars.

#### **4.2 Classification results in the presence of the FGSM attack**

After observing the performance of the three CNN architectures for the image classification tasks on the images in the ImageNet dataset, the impact of the adversarial attacks on the classifier models is studied. We start with the FGSM attack with a value of 0.02 for epsilon (ε). The value of ε = 0.02 indicates that the values of pixels are changed by an amount of 1 (approximately) in the range of 0 to 255, the range over which a pixel value can change. This change is so small that it will be impossible to distinguish the adversarial image from the original one. The performance results of the three models in the presence of the FGSM attack with ε = 0.02 are presented in **Tables 5**–**7**. The results are pictorially depicted in **Figures 4**–**6**.

It is evident that all three models are adversely affected by the FGSM attack even with a value of ε as low as 0.02. While the adversarial images are impossible to distinguish from the original ones, none of the models could correctly classify any of the four images as the highest confidence values were assigned to incorrect classes (**Tables 8**–**10**).

The value of the parameter ε is increased from 0.01 to 0.10 by a step of 0.01. It is observed that except for a few cases, the classification error increased consistently with ε till ε reaches a value in the range of 0.08–0.09. The impact of the FGSM attack is so severe that the classification error for the ResNet-34 model in the presence of this attack reaches as high values as 97.00% (Top-1 error) and 77.68% (Top-5 error). The corresponding values for the GoogleNet model are 95.46% (Top-1 error) and 79.24% (Top-5 error), and for the DenseNet-161 are 94.42% (Top-1 error) and 66.94% (Top-5 error). Among the three models, DenseNet-161 looked to be the most robust against the FGSM attack.

#### **Figure 3.**

*The classification results of the DenseNet161 model for the chosen images.*

#### **Table 5.**

*The performance of ResNet-34 model under FGSM attack with ε = 0.02.*

#### **Table 6.**

*The performance of GoogleNet model under FGSM attack with ε = 0.02.*

**Table 7.**

*The performance of DenseNet-161 model under FGSM attack with ε = 0.02.*

**Figure 4.**

*The performance of the ResNet-34 model under FGSM attack with ε = 0.02.*

#### **4.3 Classification results in the presence of the adversarial patch attack**

As mentioned in Section 1, an attack can also be launched on image classification models by introducing adversarial patches [11]. In this attack, the strategy is to transform a small portion of the image into a desired form and shape instead of the FGSM's approach of slightly altering some pixels. This will be able to deceive the classification model and force it to predict a certain pre-determined class. In practical applications, this type of attack poses a greater hazard than FGSM. Consider an autonomous vehicle network that receives a real-time image from a camera. To trick this vehicle into thinking that an automobile is actually a pedestrian, another driver may print out a certain design and stick it on the rear part of the vehicle.

**Figure 5.**

*The performance of the GoogleNet model under FGSM attack with ε = 0.02.*

For simulating the adversarial patch attack on the same four images on which the FGSM attack was launched, at first, five images are chosen randomly which will be used as the patches. As shown in **Figure 7**, the five patch images are (i) cock, (ii) balloon, (iii) computer keyboard, (iv) electric guitar, and (v) radio. For the purpose of studying the effect of the sizes of the patch images on the accuracies of the classification models, three different sizes are considered for each patch image. The three sizes are (i) 32\*32, (ii) 48\*48, and (iii) 64\*64. The sizes are expressed in terms of the number of pixels along the x and y dimensions. **Tables 11**–**16** present the accuracies (Top-1 and Top-5, in %) of the models for different sizes of different patch images. Here, accuracy refers to the percentage of cases in which the images have been classified as the target class (i.e., the patch class) with the highest confidence. **Figures 8**–**10** depict the performance of the classification models in the presence of a "balloon" patch of size 64\*64. The pictures for other patch images and other sizes are not presented for the sake of brevity.

The following observations are made on the results of the adversarial patch attack.

1. For the same patch image, all three models, ResNet-34, GoogleNet, and DenseNet-161, exhibited higher accuracy in deceiving the models into the wrong classification for a bigger patch size. In other words, for all three models, the attack effectiveness is the highest for the patch size 64\*64, for a given patch image.

**Figure 6.**

*The performance of DenseNet-161 model under FGSM attack with ε = 0.02.*


#### *Information Security and Privacy in the Digital World – Some Selected Topics*


#### **Table 8.**

*Performance of ResNet34 under FGSM attack for different values of ε.*


#### **Table 9.**

*Performance of GoogleNet under FGSM attack for different values of ε.*




#### **Table 10.**

*Performance of DenseNet161 under FGSM attack for different values of ε.*

#### **Figure 7.**

*Five images used as patches: cock, balloon, computer keyboard, electric guitar, and radio. The sizes for the patch images: 32\*32, 48\*48, and 64\*64.*


#### **Table 11.**

*Top-1 accuracy (%) of ResNet34 model for different patch sizes.*



#### **Table 12.**

*Top-5 accuracy (%) of ResNet34 model for different patch sizes.*


#### **Table 13.**

*Top-1 accuracy (%) of GoogleNet model for different patch sizes.*


#### **Table 14.**

*Top-5 accuracy (%) of GoogleNet model for different patch sizes.*


#### **Table 15.**

*Top-1 accuracy (%) of DenseNet-161 model for different patch sizes.*



#### **Table 16.**

*Top-5 accuracy (%) of DenseNet161 model for different patch sizes.*

**Figure 8.**

*The classification results of the ResNet-34 model in the presence of a patch image of a balloon with size 64\*64.*

**Figure 9.**

*The classification results of the GoogleNet model in the presence of a patch image of a balloon with size 64\*64.*

#### **5. Conclusion**

In this chapter, some adversarial attacks on CNN-based image classification models are discussed. In particular, two attacks, namely the FGSM attack and the adversarial patch attack, are presented in detail. The former attack involves changing the pixels of an image in the direction of their maximum gradients so that the value of the loss function is maximized. While the resultant adversarial image is impossible to distinguish from the original image by human eyes, the highly trained classification models will most likely classify the adversarial image into a class that is different from its ground truth. For the adversarial patch attack, an image patch of a different class is inserted in the original image in such a way that the trained models will be deceived and forced to incorrectly classify the original image into the class of the patch image. It is observed in the study that with the increase in the amount of perturbation created in the original image by the FGSM attack, the error in the classification increases till a threshold level is reached at which the attack saturates; beyond that threshold, a further increase in the perturbation usually does not lead to any further decrease in the classification accuracy of the models. For the adversarial patch attack, the attack effectiveness increases with the increase in the patch size.

**Figure 10.**

*The classification results of the DenseNet-161 model in the presence of a patch image of a balloon with size 64\*64.*

### **Author details**

Jaydip Sen\* and Subhasis Dasgupta

Department of Data Science, Praxis Business School, Kolkata, India

\*Address all correspondence to: jaydip.sen@acm.org

© 2023 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


#### **References**

[1] Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow IJ, et al. Intriguing properties of neural networks. In: Proceedings of International Conference on Learning Representations (ICLR'14), Poster Track, April 14–16, 2014, Banff, Canada. 2014. DOI: 10.48550/arXiv.1312.6199

[2] Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. In: Proceedings of International Conference on Learning and Representations (ICLR'15), Poster Track, May 7–9, 2015, San Diego, CA, USA. 2015. DOI: 10.48550/arXiv.1412.6572

[3] Srivastava N, Hinton G, Krizhevsky A, Sutskever I, Salakhutdinov R. Dropout: A simple way to prevent neural networks from overfitting. The Journal of Machine Learning Research. 2014;**15**(1):1929-1958

[4] NVIDIA. Solutions for self-driving cars. 2023. Available online at: https://www.nvidia.com/en-us/self-driving-cars [Accessed: May 9, 2023]

[5] Ciresan D, Meier U, Masci J, Schmidhuber J. Multi-column deep neural network for traffic sign classification. Neural Networks. 2012;**32**:333-338. DOI: 10.1016/j.neunet.2012.02.023

[6] Huang L, Joseph AD, Nelson B, Rubinstein BIP, Tygar JD. Adversarial machine learning. In: Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, Chicago, IL, USA, October 21, 2011. New York, NY: ACM Press; 2011. pp. 43-58. DOI: 10.1145/2046684.2046692

[7] Biggio B, Fumera G, Roli F. Pattern recognition systems under attack: Design issues and research challenges. International Journal of Pattern Recognition and Artificial Intelligence. 2014;**28**(7):1460002. DOI: 10.1142/S0218001414600027

[8] Biggio B, Corona I, Maiorca D, Nelson B, Srndic N, Laskov P, et al. Evasion attacks against machine learning at test time. In: Blockeel H et al., editors. Machine Learning and Knowledge Discovery in Databases. Vol. 8190. Berlin, Heidelberg, Germany: Springer; 2012. pp. 387-402. DOI: 10.1007/978-3-642-40994-3\_25

[9] Anjos A, Marcel S. Counter-measures to photo attacks in face recognition: A public database and a baseline. In: Proceedings of the 2011 International Joint Conference on Biometrics (IJCB), October 11–13, 2011. Washington DC, USA: IEEE; 2011. pp. 1-7. DOI: 10.1109/IJCB.2011.6117503

[10] Fogla P, Lee W. Evading network anomaly detection systems: Formal reasoning and practical techniques. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, October 30–November 3, 2006, Alexandria, VA, USA. New York, USA: ACM; 2006. pp. 59-68. DOI: 10.1145/1180405.1180414

[11] Brown TB, Mane D, Roy A, Abadi M, Gilmer J. Adversarial patch. In: Proceedings of the 31st Conference on Neural Information Processing Systems (NIPS'17) Workshop, December 4-9, 2017, Long Beach, CA, USA. Red Hook, NY, USA: Curran Associates Inc; 2017. DOI: 10.48550/arXiv.1712.09665

[12] Eykholt K, Evtimov I, Fernandes E, Li B, Rahmati A, Xiao C, et al. Robust physical-world attacks on deep learning visual classification. In: Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR'18), June 18–23, 2018, Salt Lake City, UT, USA. Piscataway, NJ, USA: IEEE Press. pp. 1625-1634. DOI: 10.1109/CVPR.2018.00175

[13] Dezfooli M, Fawzi A, Frossard P. Deepfool: A simple and accurate method to fool deep neural networks. In: Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR'16), June 27–30, 2016, Las Vegas, NV, USA. Piscataway, NJ, USA: IEEE Press; 2016. pp. 2574-2582. DOI: 10.1109/CVPR.2016.282

[14] Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. In: Proceedings of International Conference on Learning Representations (ICLR'18), Poster Track, April 30–May 3, 2018, Vancouver, BC, Canada. 2018. DOI: 10.48550/arXiv.1706.06083

[15] Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A. The limitations of deep learning in adversarial settings. In: Proceedings of 2016 IEEE European Symposium on Security and Privacy (EuroS&P'16), March 21–24, 2016, Saarbruecken, Germany. Piscataway, NJ, USA: IEEE Press; 2016. pp. 372-387. DOI: 10.1109/EuroSP.2016.36

[16] Sharif M, Bhagavatula S, Bauer L, Reiter MK. Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 24–28, 2016, Vienna, Austria. New York, NY, USA: ACM Press; 2016. pp. 1528-1540. DOI: 10.1145/2976749.2978392

[17] Deng J, Dong W, Socher R, Li L, Li K, Fei LF. ImageNet: A large-scale hierarchical image database. In: Proceedings of 2009 IEEE Conference on Computer Vision and Pattern Recognition (CVPR'09), June 20–25, Miami, FL, USA. Piscataway, NJ, USA: IEEE Press. pp. 248-255. DOI: 10.1109/CVPR.2009.5206848

[18] Tramer F, Kurakin A, Papernot N, Goodfellow I, Boneh D, McDaniel P. Ensemble adversarial training: Attacks and defenses. In: Proceedings of International Conference on Learning Representations (ICLR'18), Poster Track, April 30–May 3, 2018, Vancouver, BC, Canada. 2018. DOI: 10.48550/arXiv.1705.07204

[19] Gu S, Rigazio L. Towards deep neural network architectures robust to adversarial examples. In: Proceedings of International Conference on Learning and Representations (ICLR'15), Poster Track, May 7–9, 2015, San Diego, CA, USA. 2015. DOI: 10.48550/arXiv.1412.5068

[20] Chalupka K, Perona P, Eberhardt F. Visual causal feature learning. In: Proceedings of the 31st Conference on Uncertainty in Artificial Intelligence, Amsterdam, Netherlands, July 12–16, 2015. Arlington, VA, USA: AUAI Press; 2015. pp. 181-190. DOI: 10.48550/arXiv.1412.2309

[21] Dong Y, Fu QA, Yang X, Pang T, Su H, Xiao Z, et al. Benchmarking adversarial robustness on image classification. In: Proceedings of 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR'20), June 13–19, 2020. Seattle, WA, USA; 2020. pp. 318-328. DOI: 10.1109/CVPR42600.2020.00040

[22] Chen Y, Zhang M, Li J, Kuang X. Adversarial attacks and defenses in image classification: A practical perspective. In: Proceedings of the 7th International Conference on Image, Vision and Computing (ICIVC'22), July 26–28, 2022, Xian, China. Piscataway, NJ, USA: IEEE Press; 2022. pp. 424-430. DOI: 10.1109/ICIVC55077.2022.9886997

[23] Pestana C, Akhtar N, Liu W, Glance D, Mian A. Adversarial attacks and defense on deep learning classification models using YCbCr color images. In: Proceedings of 2021 International Joint Conference on Neural Networks (IJCNN'21), July 18–22, 2021, Shenzhen, China. Piscataway, NJ, USA: IEEE Press; 2021. pp. 1-9. DOI: 10.1109/IJCNN52387.2021.9533495

[24] Li C, Fan C, Zhang J, Li C, Teng Y. A block gray adversarial attack method for image classification neural network. In: Proceedings of 2022 IEEE 24th International Conference on High Performance Computing & Communications (HPCC'22), December 18–20, 2022, Hainan, China. Piscataway, NJ, USA: IEEE Press; 2022. pp. 1682-1689. DOI: 10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00255

[25] Yuan H, Li S, Sun W, Li Z, Steven X. An efficient attention based image adversarial attack algorithm with differential evolution on realistic high-resolution image. In: Proceedings of 2021 IEEE/ACIS 20th International Fall Conference on Computer and Information Science (ICIS Fall'21), October 1–15, 2021, Xian, China. Piscataway, NJ, USA: IEEE Press; 2021. pp. 115-120. DOI: 10.1109/ICISFall51598.2021.9627468

[26] Xu Y, Du B, Zhang L. Self-attention context network: Addressing the threat of adversarial attacks for hyperspectral image classification. IEEE Transactions on Image Processing. 2021;**30**:8671-8685. DOI: 10.1109/TIP.2021.3118977

[27] He K, Zhang X, Ren S, Sun J. Deep residual learning for image recognition. In: Proceedings of 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR'16), Las Vegas, NV, USA, June 27–30, 2016. Piscataway, NJ, USA: IEEE Press; 2016. pp. 770-778. DOI: 10.1109/CVPR.2016.90

[28] Szegedy C, Liu W, Jia Y, Sermanet P, Reed S, Anguelov D, et al. Going deeper with convolutions. In: Proceedings of 2015 IEEE Conference on Computer Vision and Pattern Recognition (CVPR'15), Boston, MA, USA, June 7–12, 2015. Piscataway, NJ, USA: IEEE Press; 2015. pp. 1-9. DOI: 10.1109/CVPR.2015.7298594

[29] Huang G, Liu Z, Van Der Maaten L, Weinberger K. Densely connected convolutional networks. In: Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR'17), Honolulu, HI, USA. Piscataway, NJ, USA: IEEE Press; 2017. pp. 2261-2269. DOI: 10.1109/CVPR.2017.243

[30] Pleiss G, Chen D, Huang G, Li T, van der Maaten L, Weinberger KQ. Memory-efficient implementation of DenseNets. Technical report, arXiv:1707.06990. 2017. DOI: 10.48550/arXiv.1707.06990

#### **Chapter 3**

## Recent Results on Some Word Oriented Stream Ciphers: SNOW 1.0, SNOW 2.0 and SNOW 3G

*Subrata Nandi, Srinivasan Krishnaswamy and Pinaki Mitra*

#### **Abstract**

In this chapter, we have studied three word-oriented stream ciphers, SNOW 1.0, SNOW 2.0 and SNOW 3G, in a detailed way. The detailed description includes the working principles of each cipher, their security vulnerabilities and implementation issues. It also helps us to study the challenges in each cipher. As SNOW 3G is used as a confidentiality and integrity component in 3G, 4G and 5G communications, studying this article may motivate the reader to find fixes for the different cryptanalyses and also to find a new suitable design for mobile telephony security.

**Keywords:** finite field, pseudorandomness, Boolean function, attacks, stream ciphers

#### **1. Introduction**

In the modern era of communication, mobile devices, tablets and computers are built with huge processing power, memory and storage. When one mobile device communicates with a remote server or another mobile device, the communication always takes place in a secret way. For any bank transaction or any online purchase through a PC, we always require a communication link between the source and the server which ensures the authentication, confidentiality and integrity of the channel. Before the year 1999, block ciphers were the only way to provide confidentiality in any kind of communication in a word-oriented environment. AES, DES, 3-DES, Blowfish, Serpent and Twofish are some of the commonly used block cipher algorithms. The problems associated with block ciphers are mainly processing power and throughput in comparison to stream ciphers. A stream cipher works very efficiently in hardware due to its simple design and good statistical properties, but it lags in software-based applications. But is it possible to make a word-oriented cipher which is faster than a block cipher, gives at least the security of AES [1] (Advanced Encryption Standard) and suits software as well as hardware? This question initiated the design and analysis of word-oriented stream ciphers. The basic building block of a word-oriented stream cipher is designed with an LFSR (Linear Feedback Shift Register) with multi-input multi-output (MIMO) delay blocks and a nonlinear function. In this kind of design, the LFSR plays the role of generating a sequence with uniform distribution; it generates an *m*-sequence. As a sequence from an LFSR can be easily cryptanalyzed by the Berlekamp–Massey algorithm [2], nonlinear maps are used along with the LFSR to increase the linear complexity as well as the nonlinearity of the output sequence. Generally, S-boxes, addition modulo $2^n$ ($\boxplus$) and subtraction modulo $2^n$ ($\boxminus$) are used as nonlinear functions. A word-based cipher acts as a pseudorandom number generator (PRNG) which produces a vector in each clock cycle as the keystream. A plaintext block and a keystream block are combined with the bitwise XOR operator to create a ciphertext block. At the receiving end, the ciphertext block and the same keystream block produced by the same generator yield the plaintext block using the same bitwise XOR operator. In the next subsection, we discuss some existing word-based LFSRs.

#### **1.1 Related work**

The research on word-based stream ciphers was initiated by Bart Preneel at FSE 1994. In the NESSIE (New European Schemes for Signature, Integrity, and Encryption) competition (2000–2003), six stream ciphers (BMGL, Leviathan, LILI-128, SNOW [3], SOBER-t16 [4] and SOBER-t32 [5]) were submitted. Among these, SNOW 1.0, SOBER-t16 and SOBER-t32 were word-oriented stream ciphers. In 2002, SNOW, SOBER-t16 and SOBER-t32 were found to have security flaws under certain cryptographic attacks (distinguishing attack, guess-and-determine attack and linear cryptanalysis). In 2002, SNOW 2.0 [6] was proposed by Ekdahl and Johansson, the same authors who published SNOW 1.0. But two cryptographic attacks, an algebraic attack and a linear distinguishing attack, made SNOW 2.0 vulnerable. After SNOW 2.0, SNOW 3G in 2006 and Sosemanuk [7] (an eSTREAM finalist) in 2008 came into the literature. SNOW 3G was selected as the 3GPP confidentiality and integrity algorithms UEA2 and UIA2. It was also analyzed by a fault analysis attack [8] in 2009. The Sosemanuk cipher is a modified version of SNOW 2.0. There are some attacks on Sosemanuk, like the linear masking method [9] and a byte-based guess-and-determine attack [10]. Ekdahl et al. recently proposed the SNOW-V [11] stream cipher with the feature of 256-bit security and huge throughput in a 5G environment. Still, we find a fast correlation attack [12] with $2^{251.93}$ complexity and an improved guess-and-determine attack [13] with $2^{406}$ complexity on SNOW-V.

In this chapter, we present a detailed study of SNOW 1.0, SNOW 2.0 and SNOW 3G and discuss the basic problems related to them.

#### **2. Symbols used and their meaning**

The following mathematical symbols will be used in this article (**Table 1**).

#### **3. Preliminaries**

In this section, we present some definitions and related concepts that are useful for understanding the context of the next sections.

**Primitive polynomial:** A polynomial that generates all elements in an extension field over a base field is called a primitive polynomial. It is also an irreducible polynomial. There are $\frac{\phi(q^n - 1)}{n}$ primitive polynomials of degree $n$ in $\mathrm{GF}(q)[X]$, where $\phi$ is the Euler phi function.

**Example 1.** $x^4 + x + 1$ and $x^4 + x^3 + 1$ are two primitive polynomials of $\mathrm{GF}(2^4)$.

*Recent Results on Some Word Oriented Stream Ciphers: SNOW 1.0, SNOW 2.0 and SNOW 3G DOI: http://dx.doi.org/10.5772/intechopen.105848*

#### **Table 1.**

*Symbols and their meaning.*

**Linear feedback shift register (LFSR):** An LFSR is an important source of pseudorandomness (PRNG) in stream cipher design. It is very fast and easy to implement in hardware. It consists of some D flip-flops and a feedback polynomial. If $f$ is the primitive polynomial of degree $n$ and $\{x_1, x_2, \dots, x_n\}$, where each $x_i \in \mathbb{F}_2$, is the state of the LFSR, the state update function of the LFSR $L$ is defined as:

$$L: \{\mathbf{x}\_1, \mathbf{x}\_2, \dots, \mathbf{x}\_n\} \to \{f(\mathbf{x}\_1, \mathbf{x}\_2, \dots, \mathbf{x}\_n), \mathbf{x}\_2, \dots, \mathbf{x}\_{n-1}\} \tag{1}$$

If the feedback polynomial of an LFSR is primitive, it generates all the nonzero states within its period. But an LFSR-based PRNG is vulnerable to the Berlekamp–Massey attack, which recovers the initial state and the feedback polynomial of the LFSR if $2n$ keystream bits from the LFSR can be accessed. So, various forms of nonlinear feedback shift registers (NLFSR), like the nonlinear combiner generator, the nonlinear feedforward generator and the clock-controlled generator, are used as keystream generators to resist the BMA attack. But bit-oriented LFSRs are slow in smartphone, PC and embedded system applications with respect to word-oriented operation. So word-oriented PRNGs like RC4, SOBER, SNOW, SNOW 2.0, etc. came to the market to serve the purpose of a PRNG. The important factor in a word-oriented LFSR is the primitive polynomial over an extension field. The papers [14–16] are a good source of material for studying primitive polynomials over extension fields.

Let $b$ be the number of $m$-input, $m$-output delay blocks ($D_0, D_1, \dots, D_b$, where each $D_i \in \mathbb{F}_2^m$) and $B_0, B_1, \dots, B_{b-1} \in \mathbb{F}_2^{m \times m}$ the gain matrices of a multi-input multi-output LFSR (MIMO LFSR). The initial state of the MIMO LFSR has $mb$ bits. The state update function of a $\sigma$-LFSR, $A_{mb}$, is defined as:

$$A\_{mb} = \begin{bmatrix} \mathbf{0} & I & \mathbf{0} & \cdots & \mathbf{0} \\ \mathbf{0} & \mathbf{0} & I & \cdots & \mathbf{0} \\ \vdots & \vdots & \vdots & \cdots & \vdots \\ \mathbf{0} & \mathbf{0} & \mathbf{0} & \cdots & I \\ B\_0 & B\_1 & B\_2 & \cdots & B\_{b-1} \end{bmatrix} \in \mathbb{F}\_2^{mb \times mb}$$

where $\mathbf{0}, I \in \mathbb{F}_2^{m \times m}$ are the all-zero matrix and the identity matrix respectively. The characteristic polynomial of $A_{mb}$,

$$f(\mathbf{x}) = \mathbf{x}^n + B\_{b-1}\mathbf{x}^{n-1} + B\_{b-2}\mathbf{x}^{n-2} + \dots + B\_0 \tag{2}$$

is called a primitive polynomial over $\mathbb{F}_{2^m}$ if the period of the polynomial is $2^{mb} - 1$. A primitive MIMO LFSR is a good PRNG, as the keystreams generated from it satisfy the balancedness, span-$n$ and 2-level autocorrelation properties of Golomb's randomness criteria. But an LFSR alone cannot be used as a PRNG due to its small linear complexity. Linear complexity is the length of the shortest linear feedback shift register that can generate the sequence. To increase the linear complexity, nonlinear functions are used in the PRNG along with the LFSR (**Figure 1**).

**Figure 1.** *Word oriented LFSR based Encryption.*

**Substitution Box (S-Box):** An S-box or substitution box $f$ is a vectorial Boolean function [17] which is defined as follows:

$$f: \mathbb{F}_2^n \to \mathbb{F}_2^n$$

It is nothing but a permutation of $n$ elements from one set to another. We can represent $f$ as $(f_1, f_2, \dots, f_n)$, where each $f_i$ is a component Boolean function [18] of the S-box:

$$f_i: V_n \to \mathbb{F}_2$$

There are $n!$ S-boxes for a set of $n$ elements. We can categorize S-boxes into two classes.

1. **Affine S-box:** if all the component functions are affine functions.

2. **Non-affine S-box:** if at least one component function is a nonlinear function.

In cryptology, researchers are interested in non-affine S-boxes all of whose component functions are nonlinear. An S-box should have good cryptographic characteristics such as balancedness, high nonlinearity, resiliency, optimal algebraic immunity and good differential uniformity [19].

**Example 2.** One of the S-boxes used in DES(Data Encryption Standard) is:


*There are four Boolean functions with respect to this S-box. Their algebraic normal forms (ANF) are:*

$$f_1 = y_0 y_1 y_3 + y_0 y_2 + y_0 y_3 + y_1 + y_3$$

$$f_2 = y_0 y_1 + y_0 y_2 y_3 + y_0 y_2 + y_0 y_3 + y_0 + y_1 y_2 y_3 + y_1 y_2 + y_1 y_3$$

$$f_3 = y_0 y_1 y_3 + y_0 y_1 + y_0 y_2 y_3 + y_0 + y_1 y_2 y_3 + y_1 y_2 + y_1 y_3 + y_2 y_3 + y_1$$

$$f_4 = y_0 y_1 y_3 + y_0 y_1 + y_0 y_2 + y_1 y_3 + y_2 + y_3 + 1$$
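The component-function view of an S-box and the affine versus non-affine classification above can be checked mechanically. The following is an added example, not code from the chapter: it recovers the ANF of every component function of an S-box with the Möbius transform and applies it to two constructed 3-bit S-boxes, one affine and one quadratic (the χ mapping $y_i = x_i \oplus (x_{i+1} \oplus 1)x_{i+2}$, assumed here as the nonlinear sample).

```python
"""Added example (not the chapter's code): algebraic normal form (ANF) of the component
Boolean functions of an S-box, and the affine / non-affine classification."""


def component_truth_table(sbox, n, i):
    """Truth table of f_i, bit i of S(x), indexed by the input x with y_j = bit j of x."""
    return [(sbox[x] >> i) & 1 for x in range(1 << n)]


def moebius(tt):
    """Moebius transform: truth table -> ANF coefficients (it is an involution, so it also
    maps ANF coefficients back to the truth table).  Index m stands for the monomial
    prod_{j : bit j of m set} y_j; m = 0 is the constant term."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for k in range(n):
        bit = 1 << k
        for x in range(len(a)):
            if x & bit:
                a[x] ^= a[x ^ bit]
    return a


def monomials(coeffs, n):
    """Readable ANF, e.g. ['y0', 'y2', 'y1*y2'], ordered by monomial index."""
    out = []
    for m, c in enumerate(coeffs):
        if c:
            out.append("1" if m == 0 else "*".join(f"y{j}" for j in range(n) if m >> j & 1))
    return out


def algebraic_degree(coeffs):
    return max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)


def classify_sbox(sbox, n):
    """Per-component ANF degrees and the chapter's two classes: affine iff every
    component function has degree <= 1, non-affine otherwise."""
    degs = [algebraic_degree(moebius(component_truth_table(sbox, n, i))) for i in range(n)]
    return degs, ("affine" if all(d <= 1 for d in degs) else "non-affine")


def is_permutation(sbox, n):
    """An n-bit S-box must be a bijection on the 2^n inputs."""
    return sorted(sbox) == list(range(1 << n))


# Constructed 3-bit S-boxes (assumed here as samples, not taken from the chapter).
def chi3(x):
    """chi mapping y_i = x_i + (x_{i+1} + 1) x_{i+2}, indices mod 3: quadratic and bijective."""
    b = [(x >> i) & 1 for i in range(3)]
    out = [b[i] ^ ((b[(i + 1) % 3] ^ 1) & b[(i + 2) % 3]) for i in range(3)]
    return sum(v << i for i, v in enumerate(out))


CHI_SBOX = [chi3(x) for x in range(8)]
AFFINE_SBOX = [x ^ 0b101 for x in range(8)]  # each component is y_i or y_i + 1
```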

#### **4. SNOW 1.0 KSG**

In this section, we describe the SNOW 1.0 keystream generator and the various attacks possible on it (**Figure 2**).

SNOW 1.0 consists of two parts, an LFSR part and an FSM part. The LFSR of SNOW 1.0 has 16 delay blocks $St_i$, each of which stores a 32-bit word, i.e., $St_i \in \mathbb{F}_2^{32}$. The LFSR has a primitive feedback polynomial over $\mathbb{F}_{2^{32}}$, which is

$$p(y) = y^{16} + y^{13} + y^{7} + \alpha \tag{3}$$

where $\alpha$ is the generating element of $\mathbb{F}_{2^{32}}$. The irreducible polynomial $f(y)$ used to generate $\mathbb{F}_{2^{32}}$ as the quotient ring by the ideal $(f(y))$ is $f(y) = y^{32} + y^{29} + y^{20} + y^{15} + y^{10} + y + 1$, such that $f(\alpha) = 0$:

$$\mathbb{F}_{2^{32}} = \mathbb{F}_2[y]/(f(y))$$

The FSM (finite state machine) part comprises the registers $Reg1, Reg2 \in \mathbb{F}_2^{32}$ and a substitution box $S$:

$$\begin{aligned} Fm: \{0, 1\}^{32} \times \{0, 1\}^{32} &\to \{0, 1\}^{32} \\ Fm\_t &= (\text{St}\_{t+i} \boxplus \text{Reg1}\_t) \oplus \text{Reg2}\_t \end{aligned} \tag{4}$$

Here, the $\boxplus$ operator is integer addition modulo $2^{32}$, i.e., $x \boxplus y = (x + y) \bmod 2^{32}$. In the FSM the registers are updated as follows.

$$\operatorname{Reg}\mathbf{1}\_{t+1} = ((Fm\boxplus\operatorname{Reg}\mathbf{2}\_t)\lll)\oplus\operatorname{Reg}\mathbf{1}\_t\tag{5}$$

$$\text{Reg}\,\mathbf{2}\_{t+1} = \mathbf{S}(\operatorname{Reg}\mathbf{1}\_t) \tag{6}$$

**Figure 2.** *Block Diagram of SNOW 1.0.*

**Figure 3.** *Block Diagram of SNOW 2.0.*

The S-box $S$ operates as follows (**Figure 3**). The input $Y$ is broken into 4 bytes. Each byte is changed to another byte by a nonlinear mapping from 8 bits to 8 bits. The nonlinear mapping is

$$x = Y^{-1} \oplus \beta^2 \oplus \beta \oplus 1 \tag{7}$$

where $x$ is the output of the nonlinear map, $Y$ is the input, and both are considered as elements of $\mathbb{F}_{2^8}$ represented in the polynomial basis $(\beta^7, \dots, \beta, 1)$. $\beta$ is a root of the irreducible polynomial $h(y) = y^8 + y^5 + y^3 + y + 1$, such that $h(\beta) = 0$. The nonlinear mapping is followed by a permutation of the bits in the output word.

#### **4.1 SNOW 1.0 algorithm**

In this section, we describe the working of SNOW 1.0. It starts with Initialization, followed by LFSRupdate and FSMupdate, and ends with the SNOW 1.0 keystream algorithm.

#### **Algorithm 1:** Initialization().

**Input:** Key $K = (k_1, \dots, k_8) \in \mathbb{F}_2^{256}$, where each $k_i \in \mathbb{F}_2^{32}$, and initialization vector $IV = (IV_2, IV_1) \in \mathbb{F}_2^{64}$, where $IV_2, IV_1 \in \mathbb{F}_2^{32}$.

```
1: (St_t, ..., St_{t+15}) ← (k_1 ⊕ IV_1, k_2, k_3, k_4 ⊕ IV_2, k_5, k_6, k_7, k_8,
                            k_1 ⊕ 1, k_2 ⊕ 1, k_3 ⊕ 1, k_4 ⊕ 1, k_5 ⊕ 1, k_6 ⊕ 1, k_7 ⊕ 1, k_8 ⊕ 1)
2: (Reg1_t, Reg2_t) ← (0, 0)
3: for all t ← 1 to 32 do
4:     Fm_t ← (Reg1_t ⊞ St_t) ⊕ Reg2_t
5:     FSMupdate()
6:     LFSRupdate()
7:     (St_t, ..., St_{t+15}) ← (St_t, ..., St_{t+15}) ⊕ Fm_t
8: end for
```

#### **Algorithm 2:** FSMupdate().

**Input:** $St_t$, $Fm_t$. **Output:** Output of the FSM $Fm_t$ at time $t$ [19].

```
1: Fm_t ← (Reg1_t ⊞ St_t) ⊕ Reg2_t
2: Reg1_{t+1} = ((Fm_t ⊞ Reg2_t) ⋘) ⊕ Reg1_t
3: Reg2_{t+1} = S(Reg1_t)
4: Reg1_t = Reg1_{t+1}
5: Reg2_t = Reg2_{t+1}
```

#### **Algorithm 3:** LFSRupdate()

```
1: temp = α(St_t ⊕ St_{t+3} ⊕ St_{t+9})
2: (St_t, ..., St_{t+15}) ← (temp, St_t, ..., St_{t+14})
```

#### **Algorithm 4:** SNOW 1.0().

**Input:** $K$, $IV$. **Output:** Keystream $z_t$ at time $t$.

```
1: Initialization(K, IV)
2: t ← 1
3: while t ≤ GivenNumber do
4:     z_t = Fm_t ⊕ St_t
5:     FSMupdate()
6:     LFSRupdate()
7:     Output z_t
8:     t ← t + 1
9: end while
```

#### **4.2 Weaknesses in SNOW 1.0**

1. **Guess and determine attack**: This is one type of key recovery attack. It [20] utilizes the relationship between internal values (the recurrence relation in a shift register) and the relationship used to derive the keystream values from the register values. In this attack, the values of some registers are guessed and then the relationships are utilized to find the other internal values.

The problem in SNOW 1.0 is the recurrence relation

$$\text{St}_{t+16} = \alpha(\text{St}_t \oplus \text{St}_{t+3} \oplus \text{St}_{t+9}) \tag{8}$$

Squaring Eq. (8) gives

$$\text{St}_{t+32} = \alpha^2(\text{St}_t \oplus \text{St}_{t+6} \oplus \text{St}_{t+18}) \tag{9}$$

We can observe a distance of three words between $St_t$ and $St_{t+3}$, and a distance of six words between $St_{t+3}$ and $St_{t+9}$. So the attacker can use $(St_{t+i} \oplus St_{t+6+i})$ as a single input to both equations. Another aspect is that the use of the $\lll$ operator (circular shift operator) helps in finding a relation between the FSM output and Reg2 (**Table 2**).


**Table 2.** *GD attack complexity*

2. **Distinguishing attack**: In this kind of attack, a linear approximation of the nonlinear part is made first and then combined with the linear part. Coppersmith et al. [21] observed that $\alpha$ is the only coefficient of $p(y)$ lying in $\mathbb{F}_{2^{32}}$ rather than in $\mathbb{F}_2$. Using the Frobenius automorphism ($\phi: y \to y^{2^{32}}$) they eliminated $\alpha$ and obtained a new linear relation over $GF(2)$:

$$p(y)^{2^{32}} + p(y) = y^{16 \cdot 2^{32}} + y^{13 \cdot 2^{32}} + y^{7 \cdot 2^{32}} + y^{16} + y^{13} + y^{7} \tag{10}$$

The best linear approximation over the inputs and outputs of two consecutive rounds of the FSM is the following.

$$\delta = (\text{St}_t)_{15} \oplus (\text{St}_t)_{16} \oplus (\text{St}_{t+1})_{22} \oplus (\text{St}_{t+1})_{23} \oplus (Fm_t)_{15} \oplus (Fm_{t+1})_{23} \tag{11}$$

where $(St_t)_k$ signifies the $k$-th bit of $St_t$, the first word of the LFSR state at time $t$. The bias of the linear approximation was evaluated to be at least $2^{-9.3}$, and the authors calculated that $2^{101.6}$ rounds of keystream are required to distinguish the output sequence of SNOW 1.0 from the sequence of a true random bit generator.

#### **5. SNOW 2.0 KSG**

This section describes the SNOW 2.0 keystream generator and some cryptographic attacks on SNOW 2.0.

SNOW 2.0 is the updated KSG over SNOW 1.0. Here, the primitive polynomial over $GF(2^{32})$ is chosen by studying the weakness of the primitive polynomial in SNOW 1.0. Let $\delta$ be the generating element of the primitive polynomial $f(y) = y^8 + y^7 + y^5 + y^3 + 1$, such that $f(\delta) = 0$, and let $\alpha$ be the generator of the primitive polynomial $g(y) = y^4 + \delta^{23} y^3 + \delta^{245} y^2 + \delta^{48} y + \delta^{239}$, such that $g(\alpha) = 0$. Each element of $GF(2^{32})$ can be represented with the help of the basis $\{\alpha^3, \alpha^2, \alpha, 1\}$. Using the above two extension fields, the generator polynomial of SNOW 2.0

$$H(y) = \alpha y^{16} + y^{14} + \alpha^{-1} y^{5} + 1 \in \mathbb{F}_{2^{32}}[y] \tag{12}$$

is obtained, and the recurrence relation corresponding to $H(y)$ is as follows:

$$St_{t+15} = \alpha^{-1} St_{t+11} + St_{t+2} + \alpha St_t \tag{13}$$

where $St_t \in GF(2^{32})$ is the state of the first delay block at clock time $t$.

The FSM part of SNOW 2.0 is the same as in SNOW 1.0, except that $St_{t+5}$ is used as an additional input to the FSM. This makes the FSM depend on more of the state vector. We can evaluate the FSM output $Fm_t$ as:

*Recent Results on Some Word Oriented Stream Ciphers: SNOW 1.0, SNOW 2.0 and SNOW 3G DOI: http://dx.doi.org/10.5772/intechopen.105848*

$$Fm\_t = (\mathbf{St}\_{t+15} \boxplus \operatorname{Reg1}\_t) \oplus \operatorname{Reg2}\_t \tag{14}$$

and the keystream *zt* is given by

$$z\_t = Fm\_t \oplus \mathbf{S}t\_t \tag{15}$$

The registers $Reg1_{t+1}$, $Reg2_{t+1}$ are updated from $Reg1_t$, $Reg2_t$ as follows:

$$\operatorname{Reg}\mathbf{1}\_{t+1} = \operatorname{St}\_{t+4} \boxplus \operatorname{Reg}\mathbf{2}\_{t} \tag{16}$$

$$\operatorname{Reg} \mathbf{2}\_{t+1} = \operatorname{S}(\operatorname{Reg} \mathbf{1}\_t) \tag{17}$$

Here S is the S-box, which takes 4 bytes ($b_0, b_1, b_2, b_3$) as input and applies the AES S-box followed by the MixColumn operation to output 4 bytes.

$$
\begin{bmatrix} b\_0^{t+1} \\ b\_1^{t+1} \\ b\_2^{t+1} \\ b\_3^{t+1} \end{bmatrix} = \begin{bmatrix} X & X+1 & 1 & 1 \\ 1 & X & X+1 & 1 \\ 1 & 1 & X & X+1 \\ X+1 & X & 1 & 1 \end{bmatrix} \begin{bmatrix} \mathcal{S}(b\_0^t) \\ \mathcal{S}(b\_1^t) \\ \mathcal{S}(b\_2^t) \\ \mathcal{S}(b\_3^t) \end{bmatrix} \tag{18}
$$

In the above equation, the matrix is that of the MixColumn operation, where $X \in \mathbb{F}_{2^8}$, and the S-box $S : \mathbb{F}_{2^8} \to \mathbb{F}_{2^8}$ is the permutation used in the SubByte step, defined as:

$$S(y) = \begin{cases} 0, & \text{if } y = 0 \\ y^{-1}, & \forall y \in \mathbb{F}_{2^8} - \{0\} \end{cases}$$

#### **5.1 Key initialization**

In SNOW 2.0, a 128-bit or 256-bit key $K$ and a (public) initialization vector $IV$ are used. The $IV \in \{0, 1, \cdots, 2^{128} - 1\}$ and the two memory registers are set to 0. The cipher is then clocked 32 times, during which no keystream is produced and the FSM output is fed back into the LFSR as follows:

$$St_{t+15} = \alpha^{-1} St_{t+11} \oplus St_{t+2} \oplus \alpha St_t \oplus Fm_t \tag{19}$$

The cipher is then switched into the normal mode, but the first keystream output is discarded. After $2^{50}$ keystream words the cipher's key $K$ is changed to a new value to resist cryptanalysis.

#### **5.2 SNOW 2.0 algorithm**

In this section, we describe the working principle of the SNOW 2.0 algorithm, which consists of Initialization(), LFSRupdate() and FSMupdate().

**Algorithm 5:** Initialization().

```
Input: Key K = (k0, …, k7) ∈ F_2^256, where each ki ∈ F_2^32, and
       initialization vector IV = (IV3, IV2, IV1, IV0) ∈ F_2^128, where each IVi ∈ F_2^32.
1: (St_t, …, St_{t+15}) ← (k0 ⊕ 1, k1 ⊕ 1, k2 ⊕ 1, k3 ⊕ 1, k4 ⊕ 1, k5 ⊕ 1, k6 ⊕ 1, k7 ⊕ 1,
                            k0, k1 ⊕ IV3, k2 ⊕ IV2, k3, k4 ⊕ IV1, k5, k6, k7 ⊕ IV0)
2: (Reg1_t, Reg2_t) ← (0, 0)
3: for all t ← 1 to 32 do
4:     Fm_t ← (Reg1_t ⊞ St_{t+15}) ⊕ Reg2_t
5:     FSMupdate()
6:     LFSRupdate()
7:     (St_t, …, St_{t+15}) ← (St_t, …, St_{t+15}) ⊕ Fm_t
8: end for
```

#### **Algorithm 6:** FSMupdate()

```
Input: St_{t+15}, St_{t+5}
Output: Output of the FSM Fm_t at time t.
1: Fm_t ← (Reg1_t ⊞ St_{t+15}) ⊕ Reg2_t
2: Reg1_{t+1} = St_{t+5} ⊞ Reg2_t
3: Reg2_{t+1} = S(Reg1_t)
4: Reg1_t = Reg1_{t+1}
5: Reg2_t = Reg2_{t+1}
```

#### **Algorithm 7:** LFSRupdate()

```
1: temp = α^{-1} St_{t+11} ⊕ St_{t+2} ⊕ α St_t
2: (St_{t+15}, …, St_t) ← (temp, St_{t+15}, …, St_{t+1})
```

#### **Algorithm 8:** SNOW 2.0()

```
Input: K, IV
Output: Keystream z_t at time t.
1: Initialization(K, IV)
2: t ← 1
3: while t ≤ 2^50 do
4:     z_t = Fm_t ⊕ St_t
5:     FSMupdate()
6:     LFSRupdate()
7:     Output z_t
8:     t ← t + 1
9: end while
```

#### **5.3 Cryptographic attack on SNOW 2.0**

#### *5.3.1 Distinguishing attack*

In this kind of attack, a distinguisher algorithm is constructed to tell the output keystream of a PRNG apart from an output of the same length from a true random number generator. If the complexity of the distinguishing algorithm is less than that of brute-force search, this is called an attack on the cipher.


1. Watanabe et al. [21] in 2003 used the linear masking method to distinguish the output of SNOW 2.0 from a TRNG. Basically, it tries to find a linear relation between the keystream output, the FSM and the LFSR. To serve this purpose we need to find a mask $T \in \mathbb{F}_2^{32}$ with high bias such that

$$T \cdot St_{t+16} \oplus (T \cdot \alpha^{-1}) \cdot St_{t+11} \oplus T \cdot St_{t+2} \oplus (T \cdot \alpha) \cdot St_t = 0 \tag{20}$$

holds. The two-round approximation of the FSM

$$T_0 St_t \oplus T_1 St_{t+1} \oplus T_5 St_{t+5} \oplus T_{15} St_{t+15} \oplus T_{16} St_{t+16} = T_0 z_t \oplus T_1 z_{t+1} \tag{21}$$

with the assumption that all the mask values are the same, becomes possible with two nonlinear approximations, one for the S-box and one for the three ⊞ operators:

$$T\mathbf{S}(\mathbf{X}) = T\mathbf{X} \tag{22}$$

$$T(\mathbf{X} \boxplus \mathbf{y}) = T\mathbf{X} \oplus \mathbf{Ty} \tag{23}$$

The bias of the total approximation is of the order of $2^{-112.25}$. So we need about $2^{225}$ words to distinguish SNOW 2.0 from a true random bit sequence.

2. At FSE 2006, Nyberg et al. [22] improved this attack by approximating the FSM (finite state machine) and the output of the cipher with different linear masks ($T, \lambda \in \mathbb{F}_2^{32}$):

$$TF(\mathfrak{x}) = \lambda \mathfrak{x} \tag{24}$$

$$T(z_{t+16} \oplus z_{t+2}) \oplus T\alpha\, z_t \oplus T\alpha^{-1} z_{t+11} \oplus \lambda(z_{t+17} \oplus z_{t+3}) \oplus \lambda\alpha\, z_{t+1} \oplus \lambda\alpha^{-1} z_{t+12} = 0 \tag{25}$$

and measured the bias of the above relation with $\text{correlation}(T, \lambda)$, which is defined as:

$$\text{correlation}(T, \lambda) = \#\{x \in \mathbb{F}_2^{32} : TF(x) = \lambda x\} - \#\{x \in \mathbb{F}_2^{32} : TF(x) \neq \lambda x\} \tag{26}$$

They also investigated the diffusion property of MixColumn and improved the search complexity of the linear distinguishing attack.

#### *5.3.2 Correlation attack*

In a correlation attack [23] over an extension field, the correlation of the output keystream with the LFSR output is calculated for a particular $N$ (the number of available words). If the correlation or bias value is far greater than $\frac{1}{2^n}$, we obtain a linear relation between input and output and can also find the initial state of the LFSR. It is therefore also a kind of key recovery attack. Another kind of correlation attack is the fast correlation attack [24], where each output keystream word $z_i$ is written as:

$$z\_i = u\_i + \varepsilon\_i \tag{27}$$

Here $u_i$ is the output of the LFSR and $\varepsilon_i$ is regarded as the error of a discrete memoryless channel, which models the nonlinear function attached to the LFSR. So finding the initial state of the LFSR is equivalent to solving the decoding problem of an error-correcting code. We consider the LFSR as an $(N, l)$ linear code, where $l$ is the size of the LFSR.


**Theorem 6.1** *The carry bit $c_i$ in the addition $X \boxplus Y = Z$ is equal to zero with probability $\frac{1}{2} + \frac{1}{2^{i+1}}$.*
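The following added Python (not from the chapter) checks both the mask approximation of ⊞ in Eq. (23) and Theorem 6.1 exhaustively: for a single-bit mask $T = 2^i$, $T(X \boxplus Y) = TX \oplus TY$ holds exactly when the carry $c_i$ into bit $i$ is zero, so the probability that the approximation holds equals the theorem's $\frac{1}{2} + \frac{1}{2^{i+1}}$. The word size $n = 8$ is an assumption made so that all $2^{2n}$ pairs can be enumerated.

```python
"""Exhaustive check of the linear approximation of modular addition,
T(X ⊞ Y) = TX ⊕ TY (Eq. 23), and of Theorem 6.1 on the carry bit.
Added example, not from the chapter; the word size n is reduced from
32 to 8 bits (an assumption) so that every input pair can be enumerated."""
from fractions import Fraction


def parity(v: int) -> int:
    """Parity of the bits of v; the mask product T·X is parity(T & X)."""
    return bin(v).count("1") & 1


def carry_into_bit(x: int, y: int, i: int) -> int:
    """Carry c_i entering bit position i in x + y (c_0 is always 0)."""
    low = (1 << i) - 1
    return ((x & low) + (y & low)) >> i


def approx_holds(x: int, y: int, t: int, n: int) -> bool:
    """True when mask t satisfies T(X ⊞ Y) = TX ⊕ TY for this pair."""
    z = (x + y) & ((1 << n) - 1)  # X ⊞ Y as in Eq. (39)
    return parity(t & z) == parity(t & x) ^ parity(t & y)


def prob_carry_zero(i: int, n: int = 8) -> Fraction:
    """Empirical Pr[c_i = 0] over all n-bit pairs (X, Y)."""
    zeros = sum(carry_into_bit(x, y, i) == 0
                for x in range(1 << n) for y in range(1 << n))
    return Fraction(zeros, 1 << (2 * n))


def prob_approx(t: int, n: int = 8) -> Fraction:
    """Empirical probability that Eq. (23) holds for mask t over all n-bit pairs.
    The bias (probability minus 1/2) is largest for the low-order bits."""
    hits = sum(approx_holds(x, y, t, n)
               for x in range(1 << n) for y in range(1 << n))
    return Fraction(hits, 1 << (2 * n))


def theorem_6_1(i: int) -> Fraction:
    """Pr[c_i = 0] as predicted by Theorem 6.1: 1/2 + 1/2^(i+1)."""
    return Fraction(1, 2) + Fraction(1, 2 ** (i + 1))


if __name__ == "__main__":
    for i in range(8):
        print(f"bit {i}: Pr[c_i = 0] = {prob_carry_zero(i)}, "
              f"Pr[Eq. (23) holds for T = 2^{i}] = {prob_approx(1 << i)}, "
              f"Theorem 6.1 = {theorem_6_1(i)}")
```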

#### *5.3.3 Algebraic attack*

Any stream cipher can be expressed as a system of algebraic equations whose variables are the initial state of the LFSR. The challenge is to solve this system of nonlinear equations given the keystream available to us. Solving such a system of nonlinear equations over a finite field is in general NP-hard. But there are approaches in the literature to mount an algebraic attack, such as linearization, Gröbner bases, and finding low-degree annihilators [28] of a Boolean function.

In 2005, Olivier Billet et al. [29] cryptanalyzed SNOW 2.0 with an algebraic attack as follows:

1. Assuming the ⊞ in the cipher to be an ⊕ operation, the equations at time $t$ help in mounting the algebraic attack:

$$\text{Reg2}\_{t} = \text{Reg2}\_{0} + \sum\_{i=0}^{t} \mathbf{z}^{i} + \sum\_{i=0}^{t} (\text{St}\_{4+i} + \text{St}\_{15+i} + \text{St}\_{i}) \tag{28}$$

where the only known information is the output keystream ($z$).

$$\text{Reg2}_{t+1} = S(\text{Reg1}_t) \tag{29}$$

$$= S(\text{Reg2}_t + z_t + St_{15+t} + St_t) \tag{30}$$


From each S-box we can find 39 linearly independent equations, so in total $39 \times 4 = 156$ quadratic equations can be found from equation (11) for one keystream word. The authors used linearization, which gives $\sum_{i=0}^{2} \binom{544}{i} \approx 2^{17}$ unknown variables. The equations can be solved using a Gröbner basis with fewer than about 17 keystream words. This yields the initial state of the cipher with time complexity $O(2^{51})$.

#### *5.3.4 Guess and determining attack*

In this kind of attack, the attacker first guesses the values of some registers and determines the values of the remaining registers from those guesses. Then the keystream is generated from the cipher; if it equals the known keystream, the guess is valid. The minimum set of guessed values is called the guessed basis. The first systematic algorithm was proposed by Ahmadi et al. [30]; it is a Viterbi-like algorithm whose guessed basis is 8 and whose time complexity is $O(2^{265})$. The next improved result is found in [31], which uses two auxiliary equations; its guessed basis is 6 and its time complexity is $O(2^{192})$.

#### **5.4 KDFC SNOW**

To resist algebraic attacks, another version of SNOW 2.0 called Key Dependent Feedback Configuration (KDFC) SNOW is proposed in [32]. It replaces the LFSR over $\mathbb{F}_{2^{32}}$ by a $\sigma$-LFSR over $M_{32}(\mathbb{F}_2)$. Moreover, it uses different feedback matrices [33] for the $\sigma$-LFSR depending on the key of the cipher. The whole process of changing the existing feedback matrix is done in the initialization phase of the cipher (**Figure 4**).

The KDFC scheme hides the feedback matrix of the $\sigma$-LFSR, which helps SNOW 2.0 resist some known-plaintext attacks such as algebraic attacks, distinguishing attacks, some fast correlation attacks, and guess-and-determine attacks.

**Figure 4.** *Block diagram of KDFC-SNOW.*

#### **6. SNOW 3G KSG**

SNOW 3G is an updated version of SNOW 2.0. This cipher was proposed to resist the algebraic attack on SNOW 2.0. It is used in mobile telephony for 4G and 5G communication as a word-oriented stream cipher for authenticated encryption in UEA2 and UIA2. The basic building block of SNOW 3G is as follows (**Figure 5**):

The LFSR configuration of SNOW 3G is the same as that of SNOW 2.0. The only changes are in the FSM configuration: one extra register R3 and an extra S-box are proposed by the designers. We discuss only the FSM construction of SNOW 3G in the following paragraphs.

**FSM:** The FSM of SNOW 3G takes two input words $St_{15}$ and $St_5$ and generates a 32-bit output word $Fw$.

$$Fw = (\mathbf{St}\_{15} \boxplus \mathbf{R1}) \oplus \mathbf{St}\_{5} \tag{31}$$

In the next step, the registers are updated. To do so, we first calculate a value $r$ as follows:

$$r = R2 \boxplus (R3 \oplus St_5) \tag{32}$$

Next, we update the registers:

$$R3 = \text{SBox2}(R2) \tag{33}$$

$$R2 = \text{SBox1}(R1) \tag{34}$$

$$R1 = r \tag{35}$$

**SBox1:** This S-box is the same as the S-box described in SNOW 2.0.

**SBox2:** SBox2 (S2 in Eq. (23)) is constructed using a Dickson polynomial. It is defined over $GF(2^8)$ generated by $x^8 + x^6 + x^5 + x^3 + 1$.

**Figure 5.** *Block diagram of SNOW 3G.*


Suppose $b_i \in GF(2^8)$; from these we form a 32-bit input $b = b_1 \| b_2 \| b_3 \| b_4$, which is given as input to SBox2. It works as follows:

$$
\begin{bmatrix} b\_0^{t+1} \\ b\_1^{t+1} \\ b\_2^{t+1} \\ b\_3^{t+1} \end{bmatrix} = \begin{bmatrix} Y & Y+1 & 1 & 1 \\ \mathbf{1} & Y & Y+1 & \mathbf{1} \\ \mathbf{1} & \mathbf{1} & Y & Y+1 \\ Y+\mathbf{1} & Y & \mathbf{1} & \mathbf{1} \end{bmatrix} \begin{bmatrix} \operatorname{S2}(b\_0^t) \\ \operatorname{S2}(b\_1^t) \\ \operatorname{S2}(b\_2^t) \\ \operatorname{S2}(b\_3^t) \end{bmatrix} \tag{36}
$$

Here, $Y \in GF(2^8)$, and the matrix of $Y$ and 1 is used for the MixColumn transformation.

#### **6.1 Cryptographic attack on SNOW 3G**

*6.1.1 Fault attack on SNOW 3G*

In this attack [8, 34] the attacker has access to the physical device and can cause a transient fault in it. In this kind of fault attack, the attacker can reset the device to its original state and apply a fault to the same device to obtain a new keystream. The attacker can find the secret key of the cipher by comparing the faulty keystream with the actual keystream.

In the SNOW 3G KSG, the fault is injected between two computations of the following registers:


We keep track of the memory locations of $R1_{t+1}$, $R2_{t+1}$ and $St^{t+1}_{15}$ after the computation of a new word. Next we compute $X_t \oplus X'_t$, which takes the value 1 or 0 for certain fault-injection positions, where $X_t$ denotes the value of the above registers in RAM and $X'_t$ is the faulty value of the registers. We also verify the value $Z_t \oplus Z'_t$ to confirm that the fault occurred. Finally, the state of the LFSR of SNOW 3G can be found with at least 24 fault injections and by solving 512 linear equations by Gaussian elimination.

**Note:** All the attacks on SNOW 2.0 described above, except the algebraic attacks, also apply to SNOW 3G. As a result, SNOW 3G is a 128-bit secure cipher.

In **Table 3**, we enlist the attacks possible on SNOW 1.0, SNOW 2.0 and SNOW 3G.


**Table 3.** *Various attacks on SNOW 1.0, SNOW 2.0, SNOW 3G.*

#### **7. Implementation issues**

#### **7.1 Vector-vector multiplication over GF(2<sup>32</sup>)**

The whole SNOW family of ciphers uses an LFSR with the operation $y * \beta$ over $\mathbb{F}_{2^{32}}$, where $\beta$ is a primitive element of $GF(2^{32})$. SNOW 2.0 and SNOW 3G use the following approach:

$$y \cdot \beta = (y \ll 8) \oplus \text{Table}(y \gg 24) \tag{37}$$

Here, the function $\text{Table}(x)$ takes an 8-bit vector as input and returns a 32-bit vector as output. It can be described as follows:

$$\text{Table}(x) = F_1(x, 23, \mathtt{0xA9}) \,\|\, F_1(x, 245, \mathtt{0xA9}) \,\|\, F_1(x, 48, \mathtt{0xA9}) \,\|\, F_1(x, 239, \mathtt{0xA9}) \tag{38}$$

where $\mathtt{0xA9}$ is the hexadecimal representation of the primitive polynomial $x^8 + x^7 + x^5 + x^3 + 1$ over $\mathbb{F}_2$ (with the leading $x^8$ term dropped), and $F_1$ is a function which takes 16 bits of input ($W$ and $x$, 8 bits each) together with a positive integer $i$ and returns an 8-bit vector: $F_1(W, i, x) = W$ if $i = 0$, and $F_1(W, i, x) = F_2(F_1(W, i-1, x), x)$ otherwise, where $W, x \in \mathbb{F}_2^8$. Furthermore, $F_2(W, x) = (W \ll 1) \oplus x$ if the leftmost bit of $W$ is 1, else $F_2(W, x) = W \ll 1$; $F_2$ takes two 8-bit inputs and gives an 8-bit output. This whole procedure reduces the time complexity of the vector-vector multiplication over the finite field to $O(1)$.

### **7.2 Addition modulo 2<sup>32</sup> (⊞)**

Let us take two vectors $P, Q \in \mathbb{F}_2^{32}$; addition modulo $2^{32}$ is defined as follows:

$$P \boxplus Q = (P + Q) \big(\text{mod} 2^{32}\big) = (P + Q) \& (\text{0xFFFFFFFF}) \tag{39}$$

Here, $+$ is ordinary integer addition and $\&$ is the bitwise AND operator.
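As an added worked example (not code from the chapter or from the SNOW specifications), the following Python implements $F_2$, $F_1$, $\text{Table}$ and $y \cdot \beta$ as described in Section 7.1, the ⊞ of Section 7.2, and the LFSR update of Algorithm 7. Division by $\beta$ is not given on the page; its four constants are derived from $g(y)$ of Section 5 as explained in the code comment, and the round trip $y \cdot \beta \cdot \beta^{-1} = y$ serves as a self-check of both tables.

```python
"""Multiplication by the primitive element of F_{2^32} via Eqs. (37)-(38),
addition modulo 2^32 (Eq. 39) and the LFSR update of Algorithm 7.
Added example written from the chapter's description; not the SNOW
reference code.  Section 7 calls the F_{2^32} generator beta (alpha in
Section 5); the F_{2^8} generator is delta as in Section 5.  Byte order:
the most significant byte of a 32-bit word holds the coefficient of
alpha^3 in the basis {alpha^3, alpha^2, alpha, 1} of Section 5."""

MASK8, MASK32 = 0xFF, 0xFFFFFFFF
POLY_0XA9 = 0xA9  # x^8 + x^7 + x^5 + x^3 + 1 with the x^8 term dropped


def f2(w: int, x: int = POLY_0XA9) -> int:
    """F_2(W, x): multiply W by delta in F_{2^8}: shift left, reduce on overflow."""
    w &= MASK8
    out = (w << 1) & MASK8
    return out ^ x if w & 0x80 else out


def f1(w: int, i: int, x: int = POLY_0XA9) -> int:
    """F_1(W, i, x) = W * delta^i, by i applications of F_2 (i = 0 returns W)."""
    for _ in range(i):
        w = f2(w, x)
    return w


def table(c: int) -> int:
    """Table(x) of Eq. (38): the four bytes of c * beta^4 for a byte c."""
    return (f1(c, 23) << 24) | (f1(c, 245) << 16) | (f1(c, 48) << 8) | f1(c, 239)


def mul_beta(y: int) -> int:
    """y * beta over F_{2^32}, Eq. (37)."""
    return ((y << 8) & MASK32) ^ table(y >> 24)


def table_inv(c: int) -> int:
    """Not given on the page: the four bytes of c * beta^-1.  Derived (an
    assumption, checked by roundtrip_ok) from g(alpha) = 0 in Section 5:
    alpha^-1 = delta^-239 (alpha^3 + delta^23 alpha^2 + delta^245 alpha + delta^48)
             = delta^16 alpha^3 + delta^39 alpha^2 + delta^6 alpha + delta^64,
    using delta^255 = 1 and reducing the exponents modulo 255."""
    return (f1(c, 16) << 24) | (f1(c, 39) << 16) | (f1(c, 6) << 8) | f1(c, 64)


def div_beta(y: int) -> int:
    """y * beta^-1 over F_{2^32}: the constant coefficient moves to alpha^-1."""
    return (y >> 8) ^ table_inv(y & MASK8)


def add_mod_2_32(p: int, q: int) -> int:
    """P ⊞ Q of Eq. (39)."""
    return (p + q) & MASK32


def lfsr_update(state: list) -> list:
    """Algorithm 7 on a 16-word register, state[0] = St_t ... state[15] = St_{t+15}:
    temp = beta^-1 St_{t+11} ⊕ St_{t+2} ⊕ beta St_t is shifted in as the newest word."""
    temp = div_beta(state[11]) ^ state[2] ^ mul_beta(state[0])
    return state[1:] + [temp]


def roundtrip_ok(y: int) -> bool:
    """Self-check: multiplying by beta and then by beta^-1 (either order) returns y."""
    return div_beta(mul_beta(y)) == y and mul_beta(div_beta(y)) == y


if __name__ == "__main__":
    for y in (0x00000001, 0x01000000, 0xDEADBEEF, 0xFFFFFFFF):
        print(f"{y:08x} * beta = {mul_beta(y):08x}, roundtrip ok: {roundtrip_ok(y)}")
```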

#### **8. Conclusion**

In this article, we have observed that SNOW 1.0 has problems in its design regarding the ⋘<sup>7</sup> shift operator. The interaction between the ⋘<sup>7</sup> shift operator and the S-box is one of the reasons for the large correlation in the FSM. Besides, the S-box used in SNOW 1.0 is not up to the mark, so replacing the S-box with Rijndael's improves its strength [35] against guess-and-determine and distinguishing attacks. In this context, SNOW 2.0 is better than SNOW 1.0 with respect to design issues and cryptographic attacks. Still, it is susceptible to several attacks. Among all the attacks, the best-known attack is the algebraic attack [29], which is taken care of in the upgraded version SNOW 3G. A new S-box and another register are introduced in SNOW 3G to circumvent the problems in SNOW 2.0. Besides, the only practical attack on SNOW 2.0 and SNOW 3G is the fault attack [8, 34], which is possible only if someone can access the memory locations used by the SNOW algorithm. This allows SNOW 3G to be used in mobile telephony with 128-bit security. Though KDFC-SNOW is another approach and a potential candidate to resist some known-plaintext attacks on SNOW 2.0, it requires further research on the implementation of its initialization phase. Besides, KDFC-SNOW cannot resist the recent fast correlation attack by Gong et al. [27] on SNOW 2.0. A possible research direction towards the improvement of the SNOW family is finding a word LFSR with 64- or 128-bit block size and 256-bit key security, which would be beneficial in 5G communication. Resistance against fast correlation attacks is another topic that can be taken up as future study.

### **Author details**

Subrata Nandi<sup>1</sup> , Srinivasan Krishnaswamy<sup>2</sup> and Pinaki Mitra<sup>1</sup> \*

1 Department of Computer Science and Engineering, IIT Guwahati, Assam, India

2 Department of Electronics and Electrical Engineering, IIT Guwahati, Assam, India

\*Address all correspondence to: pinaki@iitg.ac.in

© 2022 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

### **References**

[1] Daemen J, Rijmen V. Rijndael: AES proposal; 1999

[2] Berlekamp ER. Algebraic coding theory. Negacyclic Codes. 1968:207-217

[3] Ekdahl P, Johansson T. Snow—A new stream cipher. In: Proceedings of First Open NESSIE Workshop. KU-Leuven; 2000. pp. 167-168

[4] Rose G. A stream cipher based on linear feedback over gf (2 8). In: Australasian Conference on Information Security and Privacy. Springer; 1998. pp. 135-146

[5] Rose G, Hawkes P. The t-class of sober stream ciphers. Unpublished manuscript. http://www.home.aone.net. au/qualcomm, 1999

[6] Ekdahl P, Johansson T. A new version of the stream cipher snow. In: International Workshop on Selected Areas in Cryptography. Springer; 2002. pp. 47-61

[7] Berbain C, Billet O, Canteaut A, Courtois N, Gilbert H, Goubin L, et al. Sosemanuk, a fast software-oriented stream cipher. In: New Stream Cipher Designs. Springer; 2008. pp. 98-118

[8] Debraize B, Corbella IM. Fault analysis of the stream cipher snow 3g. In: 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE; 2009. pp. 103-110

[9] Lee J-K, Lee DH, Park S. Cryptanalysis of sosemanuk and snow 2.0 using linear masks. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2008. pp. 524-538

[10] Feng X, Liu J, Zhou Z, Wu C, Feng D. A byte-based guess and determine attack on sosemanuk. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2010. pp. 146-157

[11] Ekdahl P, Johansson T, Maximov A, Yang J. A new snow stream cipher called snow-v. IACR Transactions on Symmetric Cryptology. 2019;**2019**(3): 1-42

[12] Gong X, Zhang B. Resistance of snow-v against fast correlation attacks. IACR Transactions on Symmetric Cryptology. 2021:378-410

[13] Yang J, Johansson T, Maximov A. Improved guess-and-determine and distinguishing attacks on snow-v. Cryptology ePrint Archive. 2021

[14] Krishnaswamy S, Pillai HK. On the number of special feedback configurations in linear modular systems. Systems and Control Letters. 2014;**66**:28-34

[15] Tsaban B, Vishne U. Efficient linear feedback shift registers with maximal period. Finite Fields and Their Applications. 2002;**80**(2):256-267

[16] Zeng G, Han W, He K. High efficiency feedback shift register: Sigmalfsr. IACR Cryptology ePrint Archive. 2007:**114**;2007

[17] Carlet C. Boolean functions for cryptography and error correcting codes. Boolean Methods and Models. 2006

[18] Cusick TW, Stanica P. Cryptographic Boolean Functions and Applications. Academic Press; 2017


[19] Adams C, Tavares S. The structured design of cryptographically good s-boxes. Journal of Cryptology. 1990; **30**(1):27-41

[20] Hawkes P, Rose GG. Guess-and-determine attacks on snow. In: International Workshop on Selected Areas in Cryptography. Springer; 2002. pp. 37-46

[21] Watanabe D, Biryukov A, De Canniere C. A distinguishing attack of snow 2.0 with linear masking method. In: International Workshop on Selected Areas in Cryptography. Springer; 2003. pp. 222-233

[22] Nyberg K, Wallén J. Improved linear distinguishers for snow 2.0. In: International Workshop on Fast Software Encryption. Springer; 2006. pp. 144-162

[23] Siegenthaler T. Correlation attacks on certain stream ciphers with nonlinear generators. In: IEEE International Symposium Information Theory, Saint Jovite, Canada. 1983. pp. 26-29

[24] Meier W, Staffelbach O. Fast correlation attacks on certain stream ciphers. Journal of Cryptology. 1989; **10**(3):159-176

[25] Zhang B, Xu C, Meier W. Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of snow 2.0. In: Annual Cryptology Conference. Springer; 2015. pp. 643-662

[26] Funabiki Y, Todo Y, Isobe T, Morii M. Several milp-aided attacks against snow 2.0. In: International Conference on Cryptology and Network Security. Springer; 2018. pp. 394-413

[27] Gong X, Zhang B. Fast computation of linear approximation over certain composition functions and applications to snow 2.0 and snow 3g. Designs, Codes and Cryptography. 2020;**880**(11): 2407-2431

[28] Dalai DK. Some necessary conditions of boolean functions to resist algebraic attacks [PhD thesis]. Indian Statistical Institute; 2006

[29] Billet O, Gilbert H. Resistance of snow 2.0 against algebraic attacks. In: Cryptographers' Track at the RSA Conference. Springer; 2005. pp. 19-28

[30] Ahmadi H, Eghlidos T. Heuristic guess-and-determine attacks on stream ciphers. IET Information Security. 2009; **30**(2):66-73

[31] Nia MSN, Payandeh A. The new heuristic guess and determine attack on snow 2.0 stream cipher. IACR Cryptology ePrint Archive. 2014;**2014**: 619

[32] Nandi S, Krishnaswamy S, Zolfaghari B, Mitra P. Key-dependent feedback configuration matrix of primitive *σ*–lfsr and resistance to some known plaintext attacks. IEEE Access. 2022;**10**:44840-44854

[33] Krishnaswamy S, Pillai HK. On multisequences and their extensions. arXiv preprint arXiv:1208.4501. 2012

[34] Armknecht F, Meier W. Fault attacks on combiners with memory. In: International Workshop on Selected Areas in Cryptography. Springer; 2005. pp. 36-50

[35] Yilmaz E. Two versions of the stream cipher snow [PhD thesis]. Middle East Technical University. 2004

#### **Chapter 4**

## Role of Access Control in Information Security: A Security Analysis Approach

*Mahendra Pratap Singh*

#### **Abstract**

Information plays a vital role in decision-making and driving the world further in the ever-growing digital world. Authorization, which comes immediately after authentication, is essential in restricting access to information in the digital world. Various access control models have been proposed to ensure authorization by specifying access control policies. Security analysis of access control policies is a highly challenging task. Additionally, the security analysis of decentralized access control policies is complex because decentralization simplifies policy administration but raises security concerns. Therefore, an efficient security analysis approach is required to ensure the correctness of access control policies. This chapter presents a propositional rule-based machine learning approach for analyzing the Role-Based Access Control (RBAC) policies. Specifically, the proposed method maps RBAC policies into propositional rules to analyze security policies. Extensive experiments on various datasets containing RBAC policies demonstrate that the machine learning-based approach can offer valuable insight into analyzing RBAC policies.

**Keywords:** role-based access control, security analysis, propositional rule, safety analysis, reachability analysis

#### **1. Introduction**

Access control [1] ensures secure access to resources, devices, and data through policies. It regulates who can access which computing environment and its components. There are various access control models, such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), etc., that can specify and enforce access control policies. Among these, RBAC [2] is a widely adopted access control model that groups job functions into roles to simplify the administration. In RBAC, permissions are actions on objects assigned to roles instead of users. Therefore, a user can get specific permission only if the user is a member of the role to which the permission is assigned. RBAC can be described as a 6-tuple access control model, and its components are as follows.

• U, P, R, and Sessions represent a set of users, permissions, roles, and sessions, respectively. Sessions are not considered in the proposed approach because they do not influence security analysis.


The RBAC components (UA, PA, RH) determine whether users can access a particular resource, system, or data. Therefore, any change in these components takes the system to a new state. Hence, it is necessary to verify that a new state is safe before moving the system into it.

Security analysis aims to answer critical questions, such as whether a state is reachable to at least one user, whether all the reachable states satisfy security property, etc. An undesired state would be one in which an authorized user does not get access despite being entitled to it or an unauthorized user gains access.

One should consider various security properties before deploying a system. In this paper, we focus on safety and reachability properties that are described as follows:

#### **Safety Property:**


#### **Reachability Property:**


If the evaluation outcome of a safety query mentioned above is no, then the system is safe. In contrast, if the evaluation outcome of a reachability query is yes, then the system is reachable.

The rest of the chapter is organized as follows. Previous works related to this research are presented in Section 2. Section 3 explains the proposed model, whereas Section 4 describes the security analysis of RBAC policies. Section 5 presents the result analysis and parameters used in the model, while Section 6 concludes the work and provides future research directions.

#### **2. Related work**

This section reviews the literature on recent applications, administration, and security analysis of RBAC policies.

Over the last few years, various access control models have been proposed. Among these, RBAC [2] is one of the well-adapted access control models. In RBAC, permissions are available to users according to their membership in specific roles. A large group of users can be grouped into roles to access resources according to the permissions assigned to the roles. Therefore, users should have a specific role to gain the required permissions for a task. The role-role relation enables delegation of authority and separation of authority. The main advantage of RBAC is the ease of policy administration.

#### **2.1 Applications of RBAC**

Recently, Kim et al. [3] have demonstrated RBAC usage in video surveillance using smart contracts, whereas Shaobo et al. [4] used RBAC to ensure fine-grained access to electronic health records. Additionally, Gurucharansing et al. [5] demonstrated the use of RBAC in specifying large-scale application access control policies. A Blockchain-based RBAC model with separation of duty was presented by Ok-Chol et al. [6].

#### **2.2 Administration of RBAC**

Despite the advantages of RBAC, the administration of RBAC is complex and crucial for its proper management. Sandhu et al. [7] have presented the formal definition, intuition, and motivation of a role-based model for the administration of RBAC, ARBAC97 (administrative RBAC). The primary basis for the model is the simplification of administration along with scalability and administrative convenience. The components of the ARBAC97 model are user-role assignment (URA97), permission-role assignment (PRA97), and role-role assignment (RRA97).

#### **2.3 Security analysis of RBAC**

Apart from administration, the security analysis of RBAC policies needs to be considered seriously. Alpern et al. [8] have formally defined the safety and liveness security properties and also given a topological characterization of both. Their work captures all the main distinctions between the security properties. Koch et al. [9] have proposed safety state change rules in which the RBAC states are posed as a graph formalism in the RBAC model. Safety is defined in terms of whether a given graph can become a subgraph of another graph. They have demonstrated that safety is decidable because a state change rule cannot simultaneously add and remove components of a graph. The proposed notion of safety captures the general notion but does not cover bounded safety. Phillips et al. [10] proposed an access control model for servers, databases, inter-operating legacy systems, etc. Their work presents several theorems and lemmas to validate integrity and security; the combination of security and integrity ensures the liveness and safety of the proposed approach. This approach does not consider the constraints of the RBAC model.

Li et al. [11] have proposed a security analysis approach for RBAC using a role-based trust-management language. They defined the problems related to security analysis and presented a way to represent and capture several security properties in a complex RBAC system. Specifically, two problem classes, namely AAR (Assignment and Revocation) and AATU (Assignment and Trusted Users), are discussed in the paper. The approach is based on reducing the two problem classes to a similar role-based trust-management language; in this way, a relationship between the RT framework and RBAC is established. The approach yields efficient algorithms for solving significant queries. They also showed that several security analysis problems are intractable.

Jha et al. [12] performed the security analysis of the URA97 component of the ARBAC97 model using model-checking and logic-programming approaches. Their results demonstrate that the logic-programming approach performs better than model checking when the number of roles is large. Rakkay et al. [13] performed security analysis by modeling and analyzing RBAC policies with the help of CPN Tools and Colored Petri Nets (CP-Nets). The approach elaborates a CP-Net model that describes a generic access control structure based on RBAC policies. The significant advantage of CPN Tools and CP-Nets is that they provide an analytical framework and a graphical representation, which security administrators use to understand why some permissions are denied or granted. The framework and model are also used to verify the security constraints.

Ferrara et al. [14] have proposed an approach to verify RBAC security policies using an abstraction-based tool. The proposed method translates the policies into imperative programs and performs security analysis on them: the VAC tool converts the policies into imperative programs, and an interval-based static analysis is carried out on those programs to show the correctness of the policies. Martin et al. [15] have proposed a data-mining methodology to infer access control policies. The proposed approach is based on a tool that automatically generates requests, evaluates the requests to obtain responses, and finally applies machine learning to the request-response pairs to infer policy properties. The tool assists a user in identifying those requests that reveal mistakes in the policy specification.

Most of the approaches mentioned above incur the overhead of translating access control policies from one format (say XACML) into a specific format in order to perform security analysis. To address this, Singh et al. [16] have presented a framework that enables the specification and enforcement of heterogeneous access control policies, such as RBAC and ABAC, as data in a database. Additionally, Singh et al. [17] have presented a novel methodology for analyzing the security properties of heterogeneous access control policies. The methodology models policies as facts in Datalog and analyzes them through the μZ tool in the presence of an administrative model. In addition, an approach to analyzing unified access control policies that captures policies as data in a database is presented in [18].

It can be observed from the above literature survey that the present work is the first attempt to analyze access control policies using a machine learning-based model. The following section presents the proposed machine learning-based approach for analyzing RBAC policies.

#### **3. Proposed security analysis approach**

This section presents the approach for analyzing the security properties of RBAC policies. The proposed approach uses a rule-based machine learning algorithm to map RBAC policies into propositional rules. **Figure 1** shows the proposed model, and the description of its components is as follows.

#### **3.1 Extraction of RBAC policy data from the unified database schema**

Generally, RBAC policies are specified using XACML, but we captured them as data in a unified database schema presented in [19]. There can be various combinations of RBAC policy data, but we have considered the following.

*Role of Access Control in Information Security: A Security Analysis Approach DOI: http://dx.doi.org/10.5772/intechopen.111371*

#### **Figure 1.** *Proposed model.*


In the above combinations, attributes such as role, user, permission, object, and right act as features. Moreover, an extra feature, named label, has also been added. The above policy data combinations are fed to the following subsection for further processing.

#### **3.2 Pre-processing of policy data to generate a dataset**

In pre-processing, the policy data obtained in Subsection 3.1 was passed as input to AWK [20] for text manipulation and labeling. AWK is a Linux/Unix text manipulation utility that searches and substitutes text. Its output is a file containing only valid entries. Each valid entry represents authorized access and is marked as a safe state.

For security analysis, it is essential to consider both valid and invalid entries. Therefore, another file containing both valid and invalid entries was created using the cartesian product of the attributes. Unlike valid entries, invalid entries represent unsafe states that indicate unauthorized access. Both valid and invalid entries were combined to form a broad system with safe and unsafe states. The valid and invalid entries were labeled 'Permit' and 'Deny', respectively.

The step-by-step process to create the dataset is as follows:


The above process is used to create the training and testing datasets.


The datasets created in this subsection are used in the following subsections for training and testing the proposed model.

#### **3.3 Proposed model and its training**

This subsection describes the proposed model and its training using the dataset created in Subsection 3.2. We use a rule-based machine learning algorithm to create the model that takes the labeled dataset as input and maps it into propositional rules.

In the rule-based algorithm, a machine learning process identifies, evolves, or learns 'rules' to apply, manipulate or store.

The structure of a propositional rule is as follows:

$$\text{If } (\text{attribute}_1 < a) \text{ and } (\text{attribute}_2 > b) \ldots \text{ and } (\text{attribute}_n < \phi) \Rightarrow \text{class label}$$

where a, b, …, and *ϕ* are the values the algorithm identifies from the policy attribute1, attribute2, …, and attributen, respectively, to generate the rule. In the above rule, the left side denotes the pre-condition or antecedent, a combination of attributes, whereas the right side shows the rule's consequent/class label.

We develop the model using the **JRipper** [21] algorithm, which implements a propositional rule learner known as RIPPER. This rule learner was proposed by William W. Cohen and is based on reduced error pruning (REP), a very effective and common technique found in decision tree algorithms.

The rule learner divides the training dataset into a growing set and a pruning set. First, the growing set is used to form an initial rule set with the help of a heuristic approach. Later, the large rule set is simplified repeatedly using different pruning operators. The pruning operator with the largest error reduction is selected at every simplification stage. Simplification terminates when none of the operators reduces the error. The result is a set of propositional rules for the training dataset, which is used for classification.

The description of the steps involved in the JRipper algorithm is as follows:


We evaluate the model's performance using testing datasets in the following subsection.

#### **3.4 Model testing**

After training the model, the next step is to test it. The testing datasets created in Subsection 3.2 are used to evaluate the model's accuracy. Like the training dataset, the testing dataset contains policy data in ARFF file format. Each policy data entry is mapped to a rule and then compared with the model's rules. The outcome of the evaluation and the accuracy are reported in Section 5.

In the following section, we use an example to demonstrate the security analysis of RBAC policies through the proposed model.

#### **4. Analysis of security property**

This section shows how the proposed model can be used to verify the safety and reachability properties of RBAC policies.

To understand the security analysis effectively, we consider an RBAC system that consists of 20 users, 3 roles, and 30 permissions and the following UA, PA, and RH assignments:

**Role** = {1, 2, 3}

**User** = {1, 2, 3, …, 20}

**Permission** = {1, 2, 3, 4, …, 30}

**RH** = {3 ≼ 1}

**UA** = {({1, 2, …, 7}, 1), ({8, 9, …, 13}, 2), ({14, 15, …, 20}, 3)}

**PA** = {({1, 2, …, 10}, 1), ({11, 12, …, 20}, 2), ({21, 22, …, 30}, 3)}

We create a model using the proposed approach for the above specification, which yields propositional rules. The propositional rules corresponding to some of the policies specified above are as follows:


Similarly, the propositional rules are specified for the remaining policies.

To perform the security analysis, we consider safety and reachability security properties defined in Section 1, and their analysis is as follows.

	- (User ID=5) and (Role ID=1) and (Permission ID=17)
	- (User ID=23) and (Role ID=2) and (Permission ID=27)
	- (User ID=9) and (Role ID=3) and (Permission ID=15)

The model classified all the test cases mentioned above as 'Deny' for the following reasons.


It can be noticed from the above analysis that the Role ID in each test case cannot provide the permission to the user according to the rules present in the model. Thus, the safety property is satisfied.

	- (User ID=5) and (Role ID=1)
	- (User ID=14) and (Role ID=3)
	- (User ID=9) and (Role ID=2)

The model classified all the test cases mentioned above as 'Permit' for the following reasons.


It can be seen from the above analysis that the Role ID in each test case is available to the user according to the rules present in the model. Thus, the reachability property holds.
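As an added example (not code from the chapter), the following Python rebuilds the Section 4 system, derives the Permit/Deny dataset that Subsection 3.2 obtains from a cartesian product, and answers the safety and reachability test cases directly from the RBAC state, giving a ground truth against which a learned model's answers can be checked. The ARFF attribute layout and the reading of RH = {3 ≼ 1} as role 1 inheriting role 3's permissions are assumptions.

```python
"""Reference oracle and dataset generator for the RBAC example of Section 4."""
from itertools import product

# RBAC state of Section 4, constructed to match the chapter.
ROLES = {1, 2, 3}
USERS = set(range(1, 21))            # users 1..20 (user 23 does not exist)
PERMISSIONS = set(range(1, 31))      # permissions 1..30
# RH = {3 <= 1}: role 3 is junior to role 1, so role 1 inherits role 3's
# permissions. This reading of the chapter's '3 ≼ 1' notation is assumed.
RH = {(1, 3)}                        # (senior, junior) pairs
UA = {1: set(range(1, 8)), 2: set(range(8, 14)), 3: set(range(14, 21))}   # role -> users
PA = {1: set(range(1, 11)), 2: set(range(11, 21)), 3: set(range(21, 31))}  # role -> perms


def juniors(role, rh=RH):
    """Transitive closure of the hierarchy below `role`."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        for senior, junior in rh:
            if senior == current and junior not in seen:
                seen.add(junior)
                stack.append(junior)
    return seen


def effective_permissions(role):
    """Permissions assigned to `role` directly or inherited via junior roles."""
    perms = set(PA.get(role, set()))
    for junior in juniors(role):
        perms |= PA.get(junior, set())
    return perms


def is_reachable(user, role):
    """Reachability query: is `role` available to `user` through UA?"""
    return user in UA.get(role, set())


def is_authorized(user, role, permission):
    """Safety query: does `user` obtain `permission` through `role`?
    Permit requires both the role assignment and the permission on the role."""
    return is_reachable(user, role) and permission in effective_permissions(role)


def labelled_dataset():
    """Cartesian product of users x roles x permissions, each row labelled
    Permit (valid entry, safe state) or Deny (invalid entry, unsafe state),
    as described in Subsection 3.2."""
    return [(u, r, p, "Permit" if is_authorized(u, r, p) else "Deny")
            for u, r, p in product(sorted(USERS), sorted(ROLES), sorted(PERMISSIONS))]


def to_arff(rows, relation="rbac_policy"):
    """Serialise the rows in ARFF, the input format of the JRip learner.
    The attribute layout (user, role, permission, label) is assumed."""
    header = [f"@relation {relation}",
              "@attribute user numeric",
              "@attribute role numeric",
              "@attribute permission numeric",
              "@attribute label {Permit,Deny}",
              "@data"]
    body = [f"{u},{r},{p},{label}" for u, r, p, label in rows]
    return "\n".join(header + body) + "\n"


if __name__ == "__main__":
    # Safety test cases of Section 4: the oracle answers Deny for all three.
    for case in [(5, 1, 17), (23, 2, 27), (9, 3, 15)]:
        print("safety", case, "Permit" if is_authorized(*case) else "Deny")
    # Reachability test cases of Section 4: the oracle answers Permit for all.
    for case in [(5, 1), (14, 3), (9, 2)]:
        print("reachability", case, "Permit" if is_reachable(*case) else "Deny")
    rows = labelled_dataset()
    print(len(rows), "rows;", sum(lbl == "Permit" for *_, lbl in rows), "labelled Permit")
```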

The experimental analysis of the proposed model is demonstrated in the following section.

#### **5. Experimental results and analysis**

Several experiments were performed on the system having 64 GB RAM and an Intel Core i7 processor to observe the impact of various components of RBAC policies.

To evaluate the performance of the proposed model, we created three synthetic RBAC policy datasets, shown in **Table 1**, using Oracle 12c, which captures policies as data. To reflect a real-world scenario, it can be observed from **Table 1** that the number of users and the number of objects were increased 100 times, whereas the number of rights was increased only two times. The number of permissions and roles were increased 200 times and four times, respectively. Additionally, the number of permission-role assignments was increased 100 times, while the number of permissions and user-role assignments were increased 200 times.

The following parameters were used to measure the performance of the proposed model:

• True Positive (TP) rate is the ratio of instances correctly classified for a class to the total number of instances of that class.

$$\text{TP rate} = \text{TP}/(\text{TP} + \text{FN})$$

• False Positive (FP) rate is the ratio of negative events wrongly categorized as positive to the total number of actual negative events.

$$\text{FP rate} = \text{FP}/(\text{FP} + \text{TN})$$

• Precision is the ratio of instances that belong to that class to the total number of instances classified as that class.

$$\text{Precision} = \text{TP}/(\text{TP} + \text{FP})$$

• Recall is the ratio of instances classified as a given class to the actual number of instances that belong to that class.

#### **Table 1.**

*Number of entries for relations in the datasets*.

$$\text{Recall} = \text{TP}/(\text{TP} + \text{FN})$$

• F-measure is the harmonic mean of precision and recall.

$$\text{F-measure} = 2 * \text{precision} * \text{recall} / (\text{precision} + \text{recall})$$

• k-fold cross validation: The training dataset is divided into k subsets. Of the k subsets, k-1 are used for training, and the remaining one is used for testing. This is repeated k times, with a different subset used for testing each time. After k iterations, the average error across the k trials is measured.

The following four models were trained and tested to classify instances as Permit or Deny using Datasets 1, 2, and 3. The value of k was kept at 10 for Dataset 1 and at 2 for Datasets 2 and 3. The description of the models is as follows:


The following parameter values were obtained for the above models.


**Table 2** shows the model's accuracy, the time to build a model, and the accuracy of the test results. It can be observed from the table that the model and test-result accuracy are close to 100% for all three datasets. Additionally, there is no significant increase in the time to build models for Datasets 1, 2, and 3.

**Table 2.** *Performance of models*.

**Table 3.** *Confusion matrix of models*.

The confusion matrix of models is shown in **Table 3**. From the table, it can be seen that most of the models predicted instances accurately. Therefore, it can be concluded that the proposed model is scalable and can be a viable option.

#### **6. Conclusion**

The security analysis of RBAC policies has been performed through a machine learning-based model that uses the JRipper algorithm. The proposed model could map most policies correctly to rule sets for each classifier. The results show that the proposed model is highly reliable and efficient for the security analysis of RBAC policies. Additionally, it can be observed that the model's efficiency improved significantly as the RBAC policy datasets grew. Thus, the proposed approach can be considered a viable solution for performing the security analysis of large policy sets.

In the future, the proposed model can be extended to analyze the other security properties of RBAC with and without an administrative model. Moreover, it can also be used to analyze RBAC extensions (such as TRBAC, ESTRBAC, etc.) security properties in the presence and absence of an administrative model.

#### **Abbreviations**




### **Author details**

Mahendra Pratap Singh Department of Computer Science and Engineering, National Institute of Technology Karnataka, Surathkal, Mangaluru, India

*Address all correspondence to: mahoo15@gmail.com

© 2023 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

### **References**

[1] National Institute of Standards and Technology, and National Security Agency. A Survey of Access Control Models. 2009. Available from: https://csrc.nist.gov/csrc/media/events/privilege-management-workshop/documents/pvm-model-survey-aug26-2009.pdf

[2] Sandhu RS, Coyne EJ, Feinstein HL, Youman CE. Role based access control models. IEEE Computer. 1996;**29**(2):38-47. Available from: https://ieeexplore.ieee.org/document/485845

[3] Kim J, Park N. Role-based access control video surveillance mechanism modeling in smart contract environment. Transactions on Emerging Telecommunications Technologies. 2022;**33**:e4227. DOI: 10.1002/ett.4227

[4] Zhang S, Yang S, Zhu G, Luo E, Xiang JZD. A fine-grained access control scheme for electronic health records based on roles and attributes. International Conference on Ubiquitous Security. 2022;**1557**:25-37. DOI: 10.1007/978-981-19-0468-4\_3

[5] Sahani GJ, Thaker CS, Shah SM. Scalable RBAC model for large-scale applications with automatic user-role assignment. International Journal of Communication Networks and Distributed Systems. 2022;**28**(1):120294. DOI: 10.1504/IJCNDS.2022.120294

[6] Ri OC, Kim YJ, Jong YJ. Blockchain-based RBAC Model with Separation of Duties constraint in Cloud Environment. arXiv. 2022. Available from: https://arxiv.org/abs/2203.00351

[7] Sandhu R, Bhamidipati V, Munawer Q. The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security. 1999;**1999**:105-135. Available from: https://dl.acm.org/doi/10.1145/300830.300839

[8] Alpern B, Schneider FB. Defining liveness. Information Processing Letters. 1985;**21**(4):181-185. Available from: https://www.sciencedirect.com/science/article/abs/pii/0020019085900560

[9] Koch M, Mancini LV, Parisi-Presicce F. Decidability of safety in graph-based models for access control. In: Proceedings of the Seventh European Symposium on Research in Computer Security. 2002. pp. 229-243. Available from: https://link.springer.com/chapter/10.1007/3-540-45853-0\_14

[10] Phillips C, Demurjian S, Ting TC. Safety and liveness for an RBAC/MAC security model. In: Proceedings of Data and Applications Security XVII. 2004. pp. 316-329. Available from: https://link.springer.com/chapter/10.1007/1-4020-8070-0\_23

[11] Li N, Tripunitara MV. Security analysis in role-based access control. ACM Transactions on Information and System Security. 2006;**9**(4):391-420. Available from: https://dl.acm.org/doi/10.1145/1187441.1187442

[12] Jha S, Li N, Tripunitara M, Wang Q, Winsborough W. Towards formal verification of role-based access control policies. IEEE Transactions on Dependable and Secure Computing. 2008;**2008**:242-255. Available from: https://ieeexplore.ieee.org/document/4358710

[13] Rakkay H, Boucheneb H. Security analysis of role based access control models using Colored Petri nets and CPNtools. Transactions on Computational Science IV. 2009;**2009**:147-176. Available from: https://link.springer.com/chapter/10.1007/978-3-642-01004-0\_9

[14] Ferrara AL, Madhusudan P, Parlato G. Security analysis of role-based access control through program verification. In: Proceedings of the IEEE 25th Computer Security Foundations Symposium. 2012. pp. 113-125. Available from: https://ieeexplore.ieee.org/document/6266155

[15] Martin E, Xie T. Inferring access-control policy properties via machine learning. In: Proceedings of the Seventh IEEE International Workshop on Policies for Distributed Systems and Networks. 2006. pp. 1-4. Available from: https://ieeexplore.ieee.org/document/1631178

[16] Singh MP, Sural S, Vaidya J, Atluri V. Managing attribute-based access control policies in a unified framework using data warehousing and in-memory database. Computers & Security. 2019;**86**:183-205. Available from: https://www.sciencedirect.com/science/article/pii/S0167404819301166

[17] Singh MP, Sural S, Atluri V, Vaidya J. A role-based administrative model for administration of heterogeneous access control policies and its security analysis. Information Systems Frontiers. 2021;**2021**. Available from: https://link.springer.com/article/10.1007/s10796-021-10167-z

[18] Singh MP, Sural S, Atluri V, Vaidya J. Security analysis of unified access control policies. In: Proceedings of the International Conference on Secure Knowledge Management in Artificial Intelligence Era. 2019. pp. 126-146. Available from: https://link.springer.com/chapter/10.1007/978-981-15-3817-9\_8

[19] Singh MP, Sural S, Atluri V, Vaidya J. Managing multi-dimensional multi-granular security policies using data warehousing. In: Proceedings of the International Conference on Network and System Security. 2015. pp. 221-235. Available from: https://link.springer.com/chapter/10.1007/978-3-319-25645-0\_15

[20] Awk. Available from: http://www.grymoire.com/Unix/Awk.html

[21] Shahzad W, Asad S, Khan MA. Feature subset selection using association rule mining and JRip classifier. International Journal of Physical Sciences. 2013;**8**(18):885-896. Available from: https://academicjournals.org/journal/IJPS/article-abstract/22AC4CB27262

## Enhanced Hybrid Privacy Preserving Data Mining Technique

*Naga Prasanthi Kundeti, Chandra Sekhara Rao MVP, Sudha Sree Chekuri and Seshu Babu Pallapothu*

#### **Abstract**

At present, almost every domain handles large volumes of data, even as storage device capacities increase. Amidst such humongous data volumes, data mining applications help find useful patterns that can be used to drive business growth, improved services, better health care facilities, etc. The accumulated data can also be exploited for identity theft, fake credit/debit card transactions, etc. In such scenarios, data mining techniques that provide privacy are helpful. Though privacy-preserving data mining techniques like randomization, perturbation, anonymization, etc. provide privacy, they fail to be effective when applied separately. Hence, this chapter suggests an Enhanced Hybrid Privacy Preserving Data Mining (EHPPDM) technique that combines them. The proposed technique provides more privacy of data than existing techniques while also providing better classification accuracy, as evidenced by our experimental results.

**Keywords:** privacy, privacy preserving data mining, k-anonymization, geometric data perturbation, l-diversity

#### **1. Introduction**

Modern machine learning models are applied on large volumes of data accumulated over time. The data used for training or building models may contain personal data. Data owners may not want to share their personal data. To safeguard privacy of personal data, this paper seeks to perform data analysis without revealing the sensitive personal information of users.

Privacy has been defined in many different ways. Westin (1968) defined privacy as "the assertion of individuals, groups or institutions to specify when, how and to what extent their information can be shared to others". Bertino et al. [1] defined privacy as "the security of data about an individual contained in an electronic repository from unauthorized disclosure".

Privacy threats can be categorized into three types, namely (a) Membership Disclosure, (b) Attribute Disclosure and (c) Identity Disclosure.

*Membership Disclosure:* Such threats occur when an attacker manages to check the presence of specific user data in a data set and infers certain meta-information thereof.

*Attribute Disclosure:* In this type of attack, some sensitive user data can be inferred by the attacker by linking data entries with data from other sources.

*Identity Disclosure:* Here, an attacker can identify all sensitive data about a person by matching a particular record in a data set to that person, thereby revealing their identity and threatening their safety.

Privacy preservation methods protect data from data leakage by altering the original data, minimizing exposure as specified in literature [2, 3]. Prominent techniques include randomization, perturbation, suppression, generalization etc. In order to preserve useful data after altering the data, various data utility metrics such as discernability metric, KL-divergence, entropy-based information loss etc. are applied as mentioned in literature.

The data, shown in tabular form, is processed with each row representing an entity in the real world. The attributes of a data table can be categorized into four types, viz., Identifier Attributes (IDs), Quasi-identifier Attributes (QIDs), Non-Sensitive Attributes (NSAs) and Sensitive Attributes (SAs). The attributes that identify a person from the given data are called identifier attributes, for example SSN, Aadhaar ID, etc. Generally, such attributes are removed from the data before it is shared for analysis, to protect personal identity. Sensitive attributes contain delicate personal information such as health condition, financial status, etc. Such attributes are not removed, since removing them would give poor results; so the sensitive data is retained, but personal identity also needs to be protected. Quasi-identifiers are the attributes that attackers can use to disclose the identity of an individual when combined with some background knowledge. Hence, such quasi-identifiers need to be modified to prevent identity disclosure by attackers. The last category, non-sensitive attributes, do not disclose any information about individuals and are retained intact when data is shared for analysis.

So, while sharing data for analysis, several privacy preservation methods are proposed like randomization, perturbation etc. to protect privacy [4, 5]. Though data transformations are applied to provide privacy of data, yet it may lead to inaccurate data mining results, thereby reducing its utility. Hence, to balance both privacy preservation and accuracy in data mining results, Privacy Preserving Data Mining (PPDM) techniques are applied. In the process, divergence of data is minimized and actual data is validated from the analysts' perspective through some metrics that evaluate the privacy level and data utility of different PPDM techniques [1, 6, 7].

#### **2. Review of PPDM techniques**

Data present in various data sources can be privacy enabled with application of different privacy preserving techniques. Some of them are Generalization, Suppression, Anatomization and Perturbation.


• Perturbation: Here, original data field values are substituted by artificial values with similar statistical properties.

Samarati and Sweeney [8, 9] proposed a popular privacy model, i.e., k-anonymization. Further, k-anonymity for a table is defined as follows [10]:

"Let T(A1,...,An) be a table.

Let QI be the set of quasi-identifiers corresponding to table T.

T fulfills k-anonymity property with respect to QI if and only if each sequence of values in T[QI] appears at least with k occurrences in T[QI]".

Generalization and suppression techniques are applied on Quasi Identifiers (QIDs) as part of k-anonymization. All the QIDs in a group of size k have the same values, which ensures that confidential data about individual users is not revealed when data is shared for analysis. So, k-anonymized data provides privacy of data. However, an attacker can still infer sensitive information about individuals using a k-anonymized table and some background knowledge if the value of the sensitive attribute is the same for all individuals in a given k-group. Let us consider the k-anonymized table shown below in **Table 1**.

While *k*-anonymity is a promising approach in group-based anonymization due to its ease of use and the varied array of algorithms that perform it, it is vulnerable to many attacks. When attackers access background information, they can cause massive damage to sensitive data, including the following:


An attacker who has access to this 3-anonymous table can use background knowledge from other data sources and identify all patients in Mumbai having disease 'Flu'.


**Table 1.** *3-anonymized table.*

So, sensitive information about an individual residing in Mumbai is revealed. To overcome this privacy breach, the l-diversity principle is applied to the sensitive attribute.

Aggarwal et al. [4] define *l*-diversity as, "Let a q\*-block be a set of tuples such that its non-sensitive values generalize to q\*. A q\*-block is *l*-diverse if it contains *l* 'well represented' values for the sensitive attribute S. A table is *l*-diverse, if every q\*-block in it is *l*-diverse."

Li et al. [12] defined *l*-diversity as "an equivalence class is said to have *l*-diversity if there are at least *l* "well-represented" values for the sensitive attribute. A table is said to have *l*-diversity if every equivalence class of the table has *l*-diversity".

Aggarwal and Yu [4] showed that, when there is more than one sensitive field, the *l*-diversity problem becomes more difficult because of the added dimensionality.

#### **3. Methodology**

Kundeti et al. [13] introduced a hybrid privacy preserving data mining (HPPDM) technique that provided privacy and reduced attacks; it can, however, be extended to provide more privacy by applying the l-diversity principle. In fact, l-diversity provides more privacy against different background-knowledge attacks.

Algorithm: Enhanced Hybrid Privacy Preserving Data Mining (EHPPDM).

Input: Adult Dataset D.

Output: Privacy-enabled Adult Data set D′.

Step 1: Categorize the attributes of the Adult Data set into Identifiers, Quasi Identifiers, Sensitive and Non-Sensitive Attributes.

Step 2: Consider the Quasi Identifiers and create value generalization hierarchies for them.

Step 3: Apply the geometric perturbation technique to the numerical quasi identifiers to obtain perturbed numerical quasi identifiers.

Step 4: Create generalization hierarchies for the categorical quasi identifiers and choose different levels in the generalization hierarchy based on the k-value chosen for anonymization.

Step 5: Apply l-diversity to the sensitive attributes based on the number of different values of the class present.

Step 6: Obtain the privacy-preserved Adult data set D′.
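The following Python is an added example, not the chapter's R/ARX implementation. It checks k-anonymity and (distinct) l-diversity on a constructed patient table, reproduces the Table 1 disclosure described in Section 2 (a 3-anonymous block whose members all have 'Flu'), and raises an assumed generalization hierarchy for the quasi-identifier 'age' until the chosen k is met, the single-attribute form of Steps 2 and 4 above.

```python
"""k-anonymity and l-diversity checks on a small constructed patient table."""
from collections import defaultdict

QI = ("age", "city")       # quasi-identifiers
SENSITIVE = "disease"      # sensitive attribute (the class attribute in the chapter)

# Constructed raw records (not the chapter's data): exact age, city, disease.
RAW_ROWS = [
    {"age": 23, "city": "Mumbai", "disease": "Flu"},
    {"age": 25, "city": "Mumbai", "disease": "Flu"},
    {"age": 28, "city": "Mumbai", "disease": "Flu"},
    {"age": 31, "city": "Pune", "disease": "Cancer"},
    {"age": 34, "city": "Pune", "disease": "Flu"},
    {"age": 39, "city": "Pune", "disease": "Diabetes"},
]


def equivalence_classes(table, qi=QI):
    """Group rows by their quasi-identifier values (the q*-blocks)."""
    groups = defaultdict(list)
    for row in table:
        groups[tuple(row[a] for a in qi)].append(row)
    return groups


def is_k_anonymous(table, k, qi=QI):
    """Every combination of QI values occurs at least k times."""
    return all(len(g) >= k for g in equivalence_classes(table, qi).values())


def is_l_diverse(table, l, qi=QI, sensitive=SENSITIVE):
    """Every equivalence class has at least l distinct sensitive values
    (distinct l-diversity, the simplest 'well-represented' notion)."""
    return all(len({r[sensitive] for r in g}) >= l
               for g in equivalence_classes(table, qi).values())


def disclosed_classes(table, qi=QI, sensitive=SENSITIVE):
    """Classes whose members all share one sensitive value: linking a person
    to such a class reveals the value even though the table is k-anonymous."""
    return {key: g[0][sensitive]
            for key, g in equivalence_classes(table, qi).items()
            if len({r[sensitive] for r in g}) == 1}


def generalize_age(age, level):
    """Assumed value generalization hierarchy for the numeric QI 'age':
    level 0 exact, 1 ten-year band, 2 twenty-year band, 3 suppressed."""
    if level == 0:
        return str(age)
    if level in (1, 2):
        width = 10 * level
        low = age // width * width
        return f"{low}-{low + width}"
    return "*"


def anonymize_age(rows, k, other_qi=("city",)):
    """Raise the generalization level of 'age' until the table is k-anonymous
    over ('age',) + other_qi. Returns (level, generalized rows)."""
    qi = ("age",) + tuple(other_qi)
    for level in range(4):
        out = [dict(r, age=generalize_age(r["age"], level)) for r in rows]
        if is_k_anonymous(out, k, qi):
            return level, out
    raise ValueError("k-anonymity not reachable by generalizing 'age' alone")


# 3-anonymized table in the spirit of the chapter's Table 1.
TABLE1 = anonymize_age(RAW_ROWS, 3)[1]

if __name__ == "__main__":
    print("3-anonymous:", is_k_anonymous(TABLE1, 3))   # True
    print("2-diverse:", is_l_diverse(TABLE1, 2))       # False: Mumbai block is all Flu
    print("disclosed:", disclosed_classes(TABLE1))     # {('20-30', 'Mumbai'): 'Flu'}
```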

#### **4. Implementation**

An Enhanced Hybrid Privacy Preserving Data Mining (EHPPDM) technique is implemented by using R language. The ARX anonymization tool is used for performing K-Anonymization.

The Adult dataset from the UCI machine learning repository is used for evaluating the EHPPDM technique. The dataset consists of 15 attributes, including the Class attribute. The attributes are age (numerical), work-class (categorical), fnlwgt (numerical), education (categorical), education-num (numerical), marital-status (categorical), occupation (categorical), relationship (categorical), race (categorical), sex (categorical), capital-gain (numerical), capital-loss (numerical), hours-per-week (numerical), native-country (categorical) and the class variable. These attributes can be divided into quasi-identifiers, sensitive attributes and insensitive attributes. The quasi identifiers in this data set are age, work-class, education and native-country.

The Class attribute is the sensitive attribute, while the remaining attributes are classified as insensitive attributes.

Among the quasi-identifiers, age is the only numerical attribute. The geometric data perturbation technique [14] is applied to this numerical quasi-identifier, i.e., age. Value generalization hierarchies are created for the categorical quasi-identifier attributes, and the k-anonymization algorithm is applied to them. For different values of k, different anonymization levels are obtained, which provide privacy at different levels. The k-values considered are 50, 100, 150, 200, 250, 300, 350, 400, 450 and 500. After anonymization, classification algorithms such as naive Bayes, J48 and decision tree are applied to the anonymized data sets, and the classification accuracies are recorded.

To further enhance the privacy of the data, l-diversity is applied to the sensitive attribute, i.e., the Class attribute. L-diversity is applied to reduce background-knowledge attacks and linkage attacks. Because l-diversity ensures that the Class attribute does not take a single value within a given anonymized group, an attacker who links an individual to that group still cannot learn the individual's sensitive attribute value. The anonymized, l-diverse data set is thus obtained. After applying the classification algorithms to the anonymized data, their accuracies are tabulated. Later, the risk analysis for various types of attacks is presented in the figures.
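As an added example, not the chapter's own R/ARX implementation, the Python sketch below walks through Steps 2 to 5 of the EHPPDM algorithm and the l-diversity check just described on a few constructed Adult-style records: it generalizes the categorical quasi-identifiers level by level, stops at the lowest level that is both k-anonymous and l-diverse, and shows a group that is 2-anonymous yet not 2-diverse. The generalization hierarchies are hypothetical, and the geometric perturbation of age is simplified to a random translation plus Gaussian noise (the rotation component of [14] needs more than one numeric column).

```python
import random

# Constructed sample rows: (age, work-class, education, native-country, class).
RECORDS = [
    (23, "Private", "Bachelors", "United-States", "<=50K"),
    (25, "Private", "Masters", "United-States", "<=50K"),
    (29, "Self-emp-inc", "Bachelors", "Canada", ">50K"),
    (41, "Self-emp-not-inc", "Masters", "United-States", "<=50K"),
    (45, "Local-gov", "HS-grad", "Mexico", "<=50K"),
    (48, "State-gov", "HS-grad", "Mexico", ">50K"),
]

# Steps 2 and 4: hypothetical value generalization hierarchies with three levels:
# level 0 = raw value, level 1 = parent category, level 2 = fully suppressed "*".
PARENT = {"Private": "Private", "Self-emp-inc": "Self-emp", "Self-emp-not-inc": "Self-emp",
          "Local-gov": "Gov", "State-gov": "Gov", "Bachelors": "Higher", "Masters": "Higher",
          "HS-grad": "Secondary", "United-States": "North-America", "Canada": "North-America",
          "Mexico": "North-America"}

def generalize(rec, level):
    # The categorical quasi-identifiers are work-class, education and native-country.
    return tuple(v if level == 0 else PARENT[v] if level == 1 else "*" for v in rec[1:4])

def perturb_age(ages, seed=0):
    # Step 3, simplified: one random translation shared by all rows plus per-row noise.
    rng = random.Random(seed)
    shift = rng.uniform(-5.0, 5.0)
    return [a + shift + rng.gauss(0.0, 1.0) for a in ages]

def equivalence_classes(records, level):
    """Group records that share the same generalized quasi-identifier tuple."""
    groups = {}
    for rec in records:
        groups.setdefault(generalize(rec, level), []).append(rec)
    return groups

def is_k_anonymous(groups, k):
    return all(len(g) >= k for g in groups.values())

def is_l_diverse(groups, l):
    """Step 5: every equivalence class must contain at least l distinct Class values."""
    return all(len({r[-1] for r in g}) >= l for g in groups.values())

def anonymize(records, k, l):
    """Steps 4 and 5: the lowest hierarchy level that is both k-anonymous and l-diverse."""
    for level in range(3):
        groups = equivalence_classes(records, level)
        if is_k_anonymous(groups, k) and is_l_diverse(groups, l):
            return level, groups
    return None, {}
```

With k = 2 and l = 1 the data settles at level 1, but the (Private, Higher, North-America) group holds only "<=50K" rows, so requiring l = 2 forces full suppression at level 2.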

**Figure 1** depicts the classification accuracies for the Adult data set when k-anonymization is applied for different values of k. **Figure 2** displays the classification accuracies for the Adult data set when l-diversity is additionally applied to decrease background-knowledge attacks; the l-diversity principle is applied after the increase in privacy from k-anonymization has been established.

The classification accuracies of the Hybrid Privacy Preserving Data Mining (HPPDM) technique [13] for the Adult data set are shown in **Figure 3**. The experimental results show better classification accuracies with the HPPDM technique than with k-anonymization alone.

**Figure 4** illustrates the classification accuracies for the Adult data set when the Enhanced Hybrid Privacy Preserving Data Mining (EHPPDM) technique is applied.

**Figures 5**-**8** illustrate the risk analysis for the Adult data set. **Figure 5** demonstrates the risk analysis against various types of attacks when k-anonymization is applied to the Adult data set. **Figure 6** displays the risk analysis against various types of attacks when k-anonymization and l-diversity are applied to the Adult data set. **Figure 7** illustrates the risk analysis against various types of attacks when the HPPDM technique [13] is applied to the Adult data set. **Figure 8** depicts the risk analysis against various types of attacks when the EHPPDM technique is applied to the Adult data set. The experimental results confirm that the risks are reduced to negligible levels when the HPPDM and EHPPDM techniques are applied.

**Figure 1.** *Classification accuracies for Adult k-anonymized data for different k-values.*

**Figure 2.** *Classification accuracies for Adult data with k-anonymization and l-diversity (l-value = 2) applied.*

**Figure 3.** *Classification accuracies for Adult data after applying the hybrid privacy preserving data mining (HPPDM) technique.*

**Figure 4.** *Classification accuracies for Adult data after applying the enhanced hybrid privacy preserving data mining (EHPPDM) technique.*

**Figure 5.** *Risk analysis for various types of attacks after applying k-anonymization (k-value = 100).*

**Figure 6.** *Risk analysis for various types of attacks after applying k-anonymization (k-value = 100) and l-diversity (l-value = 2).*

**Figure 7.** *Risk analysis for various types of attacks after applying the hybrid privacy preserving data mining (HPPDM) technique for k-value = 100.*

**Figure 8.** *Risk analysis for various types of attacks after applying the enhanced hybrid privacy preserving data mining (EHPPDM) technique for k-value = 100 and l-value = 2.*

### **5. Conclusion**

The proposed Enhanced Hybrid Privacy Preserving Data Mining (EHPPDM) technique is applied to the Adult data set from the UCI machine learning repository. The EHPPDM technique combines two privacy preservation techniques, namely perturbation and k-anonymization: geometric data perturbation is applied to the numerical quasi-identifiers, whereas k-anonymization is applied to the categorical quasi-identifiers. To enhance privacy and reduce attacks, l-diversity (l-value = 2) is applied to the sensitive attribute. The experimental results showed that classification accuracy considerably increased by applying the proposed EHPPDM technique. The EHPPDM technique can be extended in future work by including the t-closeness property.

### **Author details**

Naga Prasanthi Kundeti<sup>1</sup>\*, Chandra Sekhara Rao MVP<sup>2</sup>, Sudha Sree Chekuri<sup>2</sup> and Seshu Babu Pallapothu<sup>3</sup>

1 Department of CSE, Lakireddy Balireddy College of Engineering, Mylavaram, Affiliated to JNTU, Kakinada, India

2 Department of CSE, RVR & JC college of Engineering, Guntur, India

3 Department of Mathematics and statistics, K.B.N. College, Vijayawada, India

\*Address all correspondence to: prasanthi.kundeti@gmail.com

© 2022 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

### **References**

[1] Bertino E, Lin D, Jiang W. A survey of quantification of privacy preserving data mining algorithms. In: Privacy-Preserving Data Mining. New York, NY, USA: Springer; 2008. pp. 183-205. DOI: 10.1007/978-0-387-70992-5\_8

[2] Langheinrich M. Privacy in Ubiquitous Computing, Ubiquitous Computing Fundamentals. Imprint Chapman and Hall/CRC; 2009. p. 66. ISBN: 9781315145792

[3] Prasanthi KN, Chandra Sekhara Rao MVP. A comprehensive assessment of privacy preserving data mining techniques. Lecture Notes in Networks and Systems. 2022;**351**:833-842. DOI: 10.1007/978-981-16-7657-4\_67

[4] Aggarwal CC, Yu PS. A general survey of privacy-preserving data mining models and algorithms. In: Privacy-Preserving Data Mining. New York, NY, USA: Springer; 2008. pp. 11-52. DOI: 10.1007/978-0-387-70992-5\_2

[5] Aggarwal CC. Data Mining: The Textbook. New York, NY, USA: Springer; 2015

[6] Bertino E, Fovino IN. Information driven evaluation of data hiding algorithms. In: Proc. Int. Conf. on Data Warehousing and Knowledge Discovery. Berlin: Springer; 2005. pp. 418-427. DOI: 10.1007/11546849\_41

[7] Fletcher S, Islam MZ. Measuring information quality for privacy-preserving data mining. International Journal of Computer Theory and Engineering. 2015;**7**(1):21-28. DOI: 10.7763/IJCTE.2015.V7.924

[8] Samarati P, Sweeney L. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. In: Proc. of the IEEE Symposium on Research in Security and Privacy. 1998. pp. 384-393. DOI: 10.1184/R1/6625469.v1

[9] Samarati P, Sweeney L. Generalizing data to provide anonymity when disclosing information. PODS. 1998;**98**:188. DOI: 10.1145/275487.275508

[10] Samarati P. Protecting respondents identities in microdata release. IEEE Transactions on Knowledge and Data Engineering. 2001;**13**(6):1010-1027. DOI: 10.1109/69.971193

[11] Machanavajjhala A, Kifer D, Gehrke J, Venkitasubramaniam M. L-diversity: Privacy beyond k-anonymity. ACM Transactions on Knowledge Discovery from Data. 2007;**1**(1):3-es. DOI: 10.1145/1217299.1217302

[12] Ninghui L, Tiancheng L, Venkatasubramanian S. T-closeness: Privacy beyond k-anonymity and l-diversity. In: Proc. IEEE 23rd International Conference on Data Engineering (ICDE); 2007. pp. 106-115. DOI: 10.1109/ICDE.2007.367856

[13] Prasanthi KN, Chandra Sekhara Rao MVP. Accuracy and utility balanced privacy preserving classification mining by improving K-anonymization. International Journal of Simulation: Systems, Science & Technology. 2019;**19**:6. DOI: 10.5013/IJSSST.a.19.06.51

[14] Chen K, Liu L. Geometric data perturbation for privacy preserving outsourced data mining. Knowledge and Information Systems. 2011;**29**:657-695. DOI: 10.1007/s10115-010-0362-4

Section 2
