Biblio

Found 3032 results

Filters: Keyword is Metrics  [Clear All Filters]
2017-03-20
Dormann, Will.  Submitted.  Google Authentication Risks on iOS. Proceedings of the 1st International Workshop on Mobile Development. :3–5.

The Google Identity Platform is a system that allows a user to sign in to applications and other services by using a Google account. Google Sign-In is one such method for providing one’s identity to the Google Identity Platform. Google Sign-In is available for Android applications and iOS applications, as well as for websites and other devices. Users of Google Sign-In find that it integrates well with the Android platform, but iOS users (iPhone, iPad, etc.) do not have the same experience. The user experience when logging in to a Google account on an iOS application can not only be more tedious than the Android experience, but it also conditions users to engage in behaviors that put the information in their Google accounts at risk.

2017-04-11
Christopher Theisen, Brendan Murphy, Kim Herzig, Laurie Williams.  Submitted.  Risk-Based Attack Surface Approximation: How Much Data is Enough? International Conference on Software Engineering (ICSE) Software Engineering in Practice (SEIP) 2017.

Proactive security reviews and test efforts are a necessary component of the software development lifecycle. Resource limitations often preclude reviewing the entire code
base. Making informed decisions on what code to review can improve a team’s ability to find and remove vulnerabilities. Risk-based attack surface approximation (RASA) is a technique that uses crash dump stack traces to predict what code may contain exploitable vulnerabilities. The goal of this research is to help software development teams prioritize security efforts by the efficient development of a risk-based attack surface approximation. We explore the use of RASA using Mozilla Firefox and Microsoft Windows stack traces from crash dumps. We create RASA at the file level for Firefox, in which the 15.8% of the files that were part of the approximation contained 73.6% of the vulnerabilities seen for the product. We also explore the effect of random sampling of crashes on the approximation, as it may be impractical for organizations to store and process every crash received. We find that 10-fold random sampling of crashes at a rate of 10% resulted in 3% less vulnerabilities identified than using the entire set of stack traces for Mozilla Firefox. Sampling crashes in Windows 8.1 at a rate of 40% resulted in insignificant differences in vulnerability and file coverage as compared to a rate of 100%.

2019-09-23
Zheng, N., Alawini, A., Ives, Z. G..  2019.  Fine-Grained Provenance for Matching ETL. 2019 IEEE 35th International Conference on Data Engineering (ICDE). :184–195.
Data provenance tools capture the steps used to produce analyses. However, scientists must choose among workflow provenance systems, which allow arbitrary code but only track provenance at the granularity of files; provenance APIs, which provide tuple-level provenance, but incur overhead in all computations; and database provenance tools, which track tuple-level provenance through relational operators and support optimization, but support a limited subset of data science tasks. None of these solutions are well suited for tracing errors introduced during common ETL, record alignment, and matching tasks - for data types such as strings, images, etc. Scientists need new capabilities to identify the sources of errors, find why different code versions produce different results, and identify which parameter values affect output. We propose PROVision, a provenance-driven troubleshooting tool that supports ETL and matching computations and traces extraction of content within data objects. PROVision extends database-style provenance techniques to capture equivalences, support optimizations, and enable selective evaluation. We formalize our extensions, implement them in the PROVision system, and validate their effectiveness and scalability for common ETL and matching tasks.
2019-02-22
Liao, X., Yu, Y., Li, B., Li, Z., Qin, Z..  2019.  A New Payload Partition Strategy in Color Image Steganography. IEEE Transactions on Circuits and Systems for Video Technology. :1-1.
In traditional steganographic schemes, RGB three channels payloads are assigned equally in a true color image. In fact, the security of color image steganography relates not only to data-embedding algorithms but also to different payload partition. How to exploit inter-channel correlations to allocate payload for performance enhancement is still an open issue in color image steganography. In this paper, a novel channel-dependent payload partition strategy based on amplifying channel modification probabilities is proposed, so as to adaptively assign the embedding capacity among RGB channels. The modification probabilities of three corresponding pixels in RGB channels are simultaneously increased, and thus the embedding impacts could be clustered, in order to improve the empirical steganographic security against the channel co-occurrences detection. Experimental results show that the new color image steganographic schemes incorporated with the proposed strategy can effectively make the embedding changes concentrated mainly in textured regions, and achieve better performance on resisting the modern color image steganalysis.
2019-10-10
Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, Serge Egelman.  2019.  50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System. 28th USENIX Security Symposium (USENIX Security 19). :603–620.

Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources. However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels. Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission; whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions. Both pose threats to user privacy.

In this work, we make use of our infrastructure that runs hundreds of thousands of apps in an instrumented environment. This testing environment includes mechanisms to monitor apps' runtime behaviour and network traffic. We look for evidence of side and covert channels being used in practice by searching for sensitive data being sent over the network for which the sending app did not have permissions to access it. We then reverse engineer the apps and third-party libraries responsible for this behaviour to determine how the unauthorized access occurred. We also use software fingerprinting methods to measure the static prevalence of the technique that we discover among other apps in our corpus.

Using this testing environment and method, we uncovered a number of side and covert channels in active use by hundreds of popular apps and third-party SDKs to obtain unauthorized access to both unique identifiers as well as geolocation data. We have responsibly disclosed our findings to Google and have received a bug bounty for our work.

2019-08-26
Gonzalez, D., Alhenaki, F., Mirakhorli, M..  2019.  Architectural Security Weaknesses in Industrial Control Systems (ICS) an Empirical Study Based on Disclosed Software Vulnerabilities. 2019 IEEE International Conference on Software Architecture (ICSA). :31–40.

Industrial control systems (ICS) are systems used in critical infrastructures for supervisory control, data acquisition, and industrial automation. ICS systems have complex, component-based architectures with many different hardware, software, and human factors interacting in real time. Despite the importance of security concerns in industrial control systems, there has not been a comprehensive study that examined common security architectural weaknesses in this domain. Therefore, this paper presents the first in-depth analysis of 988 vulnerability advisory reports for Industrial Control Systems developed by 277 vendors. We performed a detailed analysis of the vulnerability reports to measure which components of ICS have been affected the most by known vulnerabilities, which security tactics were affected most often in ICS and what are the common architectural security weaknesses in these systems. Our key findings were: (1) Human-Machine Interfaces, SCADA configurations, and PLCs were the most affected components, (2) 62.86% of vulnerability disclosures in ICS had an architectural root cause, (3) the most common architectural weaknesses were “Improper Input Validation”, followed by “Im-proper Neutralization of Input During Web Page Generation” and “Improper Authentication”, and (4) most tactic-related vulnerabilities were related to the tactics “Validate Inputs”, “Authenticate Actors” and “Authorize Actors”.

2019-10-07
Agrawal, R., Stokes, J. W., Selvaraj, K., Marinescu, M..  2019.  Attention in Recurrent Neural Networks for Ransomware Detection. ICASSP 2019 - 2019 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). :3222–3226.

Ransomware, as a specialized form of malicious software, has recently emerged as a major threat in computer security. With an ability to lock out user access to their content, recent ransomware attacks have caused severe impact at an individual and organizational level. While research in malware detection can be adapted directly for ransomware, specific structural properties of ransomware can further improve the quality of detection. In this paper, we adapt the deep learning methods used in malware detection for detecting ransomware from emulation sequences. We present specialized recurrent neural networks for capturing local event patterns in ransomware sequences using the concept of attention mechanisms. We demonstrate the performance of enhanced LSTM models on a sequence dataset derived by the emulation of ransomware executables targeting the Windows environment.

2019-05-08
Yaseen, Q., Alabdulrazzaq, A., Albalas, F..  2019.  A Framework for Insider Collusion Threat Prediction and Mitigation in Relational Databases. 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC). :0721–0727.

This paper proposes a framework for predicting and mitigating insider collusion threat in relational database systems. The proposed model provides a robust technique for database architect and administrators to predict insider collusion threat when designing database schema or when granting privileges. Moreover, it proposes a real time monitoring technique that monitors the growing knowledgebases of insiders while executing transactions and the possible collusion insider attacks that may be launched based on insiders accesses and inferences. Furthermore, the paper proposes a mitigating technique based on the segregation of duties principle and the discovered collusion insider threat to mitigate the problem. The proposed model was tested to show its usefulness and applicability.

2019-05-20
Dey, H., Islam, R., Arif, H..  2019.  An Integrated Model To Make Cloud Authentication And Multi-Tenancy More Secure. 2019 International Conference on Robotics,Electrical and Signal Processing Techniques (ICREST). :502–506.

Cloud Computing is an important term of modern technology. The usefulness of Cloud is increasing day by day and simultaneously more and more security problems are arising as well. Two of the major threats of Cloud are improper authentication and multi-tenancy. According to the specialists both pros and cons belong to multi-tenancy. There are security protocols available but it is difficult to claim these protocols are perfect and ensure complete protection. The purpose of this paper is to propose an integrated model to ensure better Cloud security for Authentication and multi-tenancy. Multi-tenancy means sharing of resources and virtualization among clients. Since multi-tenancy allows multiple users to access same resources simultaneously, there is high probability of accessing confidential data without proper privileges. Our model includes Kerberos authentication protocol to enhance authentication security. During our research on Kerberos we have found some flaws in terms of encryption method which have been mentioned in couple of IEEE conference papers. Pondering about this complication we have elected Elliptic Curve Cryptography. On the other hand, to attenuate arose risks due to multi-tenancy we are proposing a Resource Allocation Manager Unit, a Control Database and Resource Allocation Map. This part of the model will perpetuate resource allocation for the users.

2019-08-12
Liu, Y., Yang, Y., Shi, A., Jigang, P., Haowei, L..  2019.  Intelligent monitoring of indoor surveillance video based on deep learning. 2019 21st International Conference on Advanced Communication Technology (ICACT). :648–653.

With the rapid development of information technology, video surveillance system has become a key part in the security and protection system of modern cities. Especially in prisons, surveillance cameras could be found almost everywhere. However, with the continuous expansion of the surveillance network, surveillance cameras not only bring convenience, but also produce a massive amount of monitoring data, which poses huge challenges to storage, analytics and retrieval. The smart monitoring system equipped with intelligent video analytics technology can monitor as well as pre-alarm abnormal events or behaviours, which is a hot research direction in the field of surveillance. This paper combines deep learning methods, using the state-of-the-art framework for instance segmentation, called Mask R-CNN, to train the fine-tuning network on our datasets, which can efficiently detect objects in a video image while simultaneously generating a high-quality segmentation mask for each instance. The experiment show that our network is simple to train and easy to generalize to other datasets, and the mask average precision is nearly up to 98.5% on our own datasets.

2019-09-11
Yin, Z., Dou, S., Bai, H., Hou, Y..  2019.  Light-Weighted Security Access Scheme of Broadband Power Line Communications for Multi-Source Information Collection. 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). :1087–1090.

With the continuously development of smart meter-reading technologies for decades, remote information collection of electricity, water, gas and heat meters have been realized. Due to the difference of electrical interfaces and communication protocols among various types of meters, communication modes of meter terminals are not so compatible, it is difficult to realize communication optimization of electricity, water, gas and heat meters information collection services. In addition, with the development of power consumption information acquisition system, the number of acquisition terminals soars greatly and the data of terminal access is highly concurrent. Therefore, the risk of security access is increasing. This paper presents a light-weighted security access scheme of power line communication based on multi-source data acquisition of electricity, water, gas and heat meters, which separates multi-source data acquisition services and achieve services security isolation and channel security isolation. The communication reliability and security of the meter-reading service of "electricity, water, gas and heat" will be improved and the integrated meter service will be realized reliably.

2019-05-01
Vagin, V. V., Butakova, N. G..  2019.  Mathematical Modeling of Group Authentication Based on Isogeny of Elliptic Curves. 2019 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus). :1780–1785.

In this paper, we consider ways of organizing group authentication, as well as the features of constructing the isogeny of elliptic curves. The work includes the study of isogeny graphs and their application in postquantum systems. A hierarchical group authentication scheme has been developed using transformations based on the search for isogeny of elliptic curves.

2019-05-20
Goncharov, N. I., Goncharov, I. V., Parinov, P. A., Dushkin, A. V., Maximova, M. M..  2019.  Modeling of Information Processes for Modern Information System Security Assessment. 2019 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus). :1758-1763.

A new approach of a formalism of hybrid automatons has been proposed for the analysis of conflict processes between the information system and the information's security malefactor. An example of probability-based assessment on malefactor's victory has been given and the possibility to abstract from a specific type of probability density function for the residence time of parties to the conflict in their possible states. A model of the distribution of destructive informational influences in the information system to connect the process of spread of destructive information processes and the process of changing subjects' states of the information system has been proposed. An example of the destructive information processes spread analysis has been given.

2019-06-28
Hazari, S. S., Mahmoud, Q. H..  2019.  A Parallel Proof of Work to Improve Transaction Speed and Scalability in Blockchain Systems. 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC). :0916-0921.

A blockchain is a distributed ledger forming a distributed consensus on a history of transactions, and is the underlying technology for the Bitcoin cryptocurrency. However, its applications are far beyond the financial sector. The transaction verification process for cryptocurrencies is much slower than traditional digital transaction systems. One approach to increase transaction speed and scalability is to identify a solution that offers faster Proof of Work. In this paper, we propose a method for accelerating the process of Proof of Work based on parallel mining rather than solo mining. The goal is to ensure that no more than two or more miners put the same effort into solving a specific block. The proposed method includes a process for selection of a manager, distribution of work and a reward system. This method has been implemented in a test environment that contains all the characteristics needed to perform Proof of Work for Bitcoin and has been tested, using a variety of case scenarios, by varying the difficulty level and number of validators. Preliminary results show improvement in the scalability of Proof of Work up to 34% compared to the current system.

2019-08-05
Jimenez, J. I., Jahankhani, H..  2019.  “Privacy by Design” Governance Framework to Achieve Privacy Assurance of Personal Health Information (PHI) Processed by IoT-based Telemedicine Devices and Applications Within Healthcare Services. 2019 IEEE 12th International Conference on Global Security, Safety and Sustainability (ICGS3). :212–212.

Future that IoT has to enhance the productivity on healthcare applications.

2019-10-08
Rahman, M. S., Hossam-E-Haider, M..  2019.  Quantum IoT: A Quantum Approach in IoT Security Maintenance. 2019 International Conference on Robotics,Electrical and Signal Processing Techniques (ICREST). :269–272.

Securing Internet of things is a major concern as it deals with data that are personal, needed to be reliable, can direct and manipulate device decisions in a harmful way. Also regarding data generation process is heterogeneous, data being immense in volume, complex management. Quantum Computing and Internet of Things (IoT) coined as Quantum IoT defines a concept of greater security design which harness the virtue of quantum mechanics laws in Internet of Things (IoT) security management. Also it ensures secured data storage, processing, communication, data dynamics. In this paper, an IoT security infrastructure is introduced which is a hybrid one, with an extra layer, which ensures quantum state. This state prevents any sort of harmful actions from the eavesdroppers in the communication channel and cyber side, by maintaining its state, protecting the key by quantum cryptography BB84 protocol. An adapted version is introduced specific to this IoT scenario. A classical cryptography system `One-Time pad (OTP)' is used in the hybrid management. The novelty of this paper lies with the integration of classical and quantum communication for Internet of Things (IoT) security.

2019-09-26
Khatchadourian, R., Tang, Y., Bagherzadeh, M., Ahmed, S..  2019.  Safe Automated Refactoring for Intelligent Parallelization of Java 8 Streams. 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). :619-630.

Streaming APIs are becoming more pervasive in mainstream Object-Oriented programming languages. For example, the Stream API introduced in Java 8 allows for functional-like, MapReduce-style operations in processing both finite and infinite data structures. However, using this API efficiently involves subtle considerations like determining when it is best for stream operations to run in parallel, when running operations in parallel can be less efficient, and when it is safe to run in parallel due to possible lambda expression side-effects. In this paper, we present an automated refactoring approach that assists developers in writing efficient stream code in a semantics-preserving fashion. The approach, based on a novel data ordering and typestate analysis, consists of preconditions for automatically determining when it is safe and possibly advantageous to convert sequential streams to parallel and unorder or de-parallelize already parallel streams. The approach was implemented as a plug-in to the Eclipse IDE, uses the WALA and SAFE analysis frameworks, and was evaluated on 11 Java projects consisting of ?642K lines of code. We found that 57 of 157 candidate streams (36.31%) were refactorable, and an average speedup of 3.49 on performance tests was observed. The results indicate that the approach is useful in optimizing stream code to their full potential.

2019-09-09
Abdel-Fattah, F., Farhan, K. A., Al-Tarawneh, F. H., AlTamimi, F..  2019.  Security Challenges and Attacks in Dynamic Mobile Ad Hoc Networks MANETs. 2019 IEEE Jordan International Joint Conference on Electrical Engineering and Information Technology (JEEIT). :28-33.

Mobile Ad hoc Network (MANET for short) is a new art of wireless technology that connect a group of mobile nodes in a dynamically decentralized fashion without the need of a base station, or a centralized administration, whereas each mobile node can work as a router. MANET topology changes frequently, because of the MANET dynamically formation nature, and freely to move randomly. MANET can function as standalone or can be connected to external networks. Mobile nodes are characterized with minimal human interaction, weight, less memory, and power. Despite all the pros of MANET and the widely spreading in many and critical industries, MANET has some cons and suffers from severe security issues. In this survey we emphasize on the different types of attacks at MANET protocol stack, and show how MANET is vulnerable to those attacks.

2019-08-26
Mohammad, Z., Qattam, T. A., Saleh, K..  2019.  Security Weaknesses and Attacks on the Internet of Things Applications. 2019 IEEE Jordan International Joint Conference on Electrical Engineering and Information Technology (JEEIT). :431–436.

Internet of Things (IoT) is a contemporary concept for connecting the existing things in our environment with the Internet for a sake of making the objects information are accessible from anywhere and anytime to support a modern life style based on the Internet. With the rapid development of the IoT technologies and widely spreading in most of the fields such as buildings, health, education, transportation and agriculture. Thus, the IoT applications require increasing data collection from the IoT devices to send these data to the applications or servers which collect or analyze the data, so it is a very important to secure the data and ensure that do not reach a malicious adversary. This paper reviews some attacks in the IoT applications and the security weaknesses in the IoT environment. In addition, this study presents the challenges of IoT in terms of hardware, network and software. Moreover, this paper summarizes and points to some attacks on the smart car, smart home, smart campus, smart farm and healthcare.

2019-06-24
Ijaz, M., Durad, M. H., Ismail, M..  2019.  Static and Dynamic Malware Analysis Using Machine Learning. 2019 16th International Bhurban Conference on Applied Sciences and Technology (IBCAST). :687–691.

Malware detection is an indispensable factor in security of internet oriented machines. The combinations of different features are used for dynamic malware analysis. The different combinations are generated from APIs, Summary Information, DLLs and Registry Keys Changed. Cuckoo sandbox is used for dynamic malware analysis, which is customizable, and provide good accuracy. More than 2300 features are extracted from dynamic analysis of malware and 92 features are extracted statically from binary malware using PEFILE. Static features are extracted from 39000 malicious binaries and 10000 benign files. Dynamically 800 benign files and 2200 malware files are analyzed in Cuckoo Sandbox and 2300 features are extracted. The accuracy of dynamic malware analysis is 94.64% while static analysis accuracy is 99.36%. The dynamic malware analysis is not effective due to tricky and intelligent behaviours of malwares. The dynamic analysis has some limitations due to controlled network behavior and it cannot be analyzed completely due to limited access of network.

2019-06-10
Hussain, K., Hussain, S. J., Jhanjhi, N., Humayun, M..  2019.  SYN Flood Attack Detection based on Bayes Estimator (SFADBE) For MANET. 2019 International Conference on Computer and Information Sciences (ICCIS). :1–4.

SYN flood attack is a very serious cause for disturbing the normal traffic in MANET. SYN flood attack takes advantage of the congestion caused by populating a specific route with unwanted traffic that results in the denial of services. In this paper, we proposed an Adaptive Detection Mechanism using Artificial Intelligence technique named as SYN Flood Attack Detection Based on Bayes Estimator (SFADBE) for Mobile ad hoc Network (MANET). In SFADBE, every node will gather the current information of the available channel and the secure and congested free (Best Path) channel for the traffic is selected. Due to constant congestion, the availability of the data path can be the cause of SYN Flood attack. By using this AI technique, we experienced the SYN Flood detection probability more than the others did. Simulation results show that our proposed SFADBE algorithm is low cost and robust as compared to the other existing approaches.

2019-07-08
zhao, ellin, Sukkerd, Roykrong.  2019.  Interactive Explanation for Planning-Based Systems. ICCPS '19 Proceedings of the 10th ACM/IEEE International Conference on Cyber-Physical Systems.

As Cyber-Physical Systems (CPSs) become more autonomous, it becomes harder for humans who interact with the CPSs to understand the behavior of the systems. Particularly for CPSs that must perform tasks while optimizing for multiple quality objectives and acting under uncertainty, it can be difficult for humans to understand the system behavior generated by an automated planner. This work-in-progress presents an approach at clarifying system behavior through interactive explanation by allowing end-users to ask Why and Why-Not questions about specific behaviors of the system, and providing answers in the form of contrastive explanation.

Sharif, Mahmood, Bhagavatula, Sruti, Bauer, Lujo, Reiter, Michael K..  2019.  A General Framework for Adversarial Examples with Objectives. ACM Transactions on Privacy and Security (TOPS). 22(3)

Images perturbed subtly to be misclassified by neural networks, called adversarial examples, have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only constraint that the perturbed images are similar to the originals. However, real-world application of these ideas often requires the examples to satisfy additional objectives, which are typically enforced through custom modifications of the perturbation process. In this article, we propose adversarial generative nets (AGNs), a general methodology to train a generator neural network to emit adversarial examples satisfying desired objectives. We demonstrate the ability of AGNs to accommodate a wide range of objectives, including imprecise ones difficult to model, in two application domains. In particular, we demonstrate physical adversarial examples—eyeglass frames designed to fool face recognition—with better robustness, inconspicuousness, and scalability than previous approaches, as well as a new attack to fool a handwritten-digit classifier.

2019-10-10
Nuthan Munaiah, Akond Rahman, Justin Pelletier, Laurie Williams, Andrew Meneely.  2019.  Characterizing Attacker Behavior in a Cybersecurity Penetration Testing Competition. 13th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM).
2019-09-11
Wang, L., Wang, D., Gao, J., Huo, C., Bai, H., Yuan, J..  2019.  Research on Multi-Source Data Security Protection of Smart Grid Based on Quantum Key Combination. 2019 IEEE 4th International Conference on Cloud Computing and Big Data Analysis (ICCCBDA). :449–453.

Power communication network is an important infrastructure of power system. For a large number of widely distributed business terminals and communication terminals. The data protection is related to the safe and stable operation of the whole power grid. How to solve the problem that lots of nodes need a large number of keys and avoid the situation that these nodes cannot exchange information safely because of the lack of keys. In order to solve the problem, this paper proposed a segmentation and combination technology based on quantum key to extend the limited key. The basic idea was to obtain a division scheme according to different conditions, and divide a key into several different sub-keys, and then combine these key segments to generate new keys and distribute them to different terminals in the system. Sufficient keys were beneficial to key updating, and could effectively enhance the ability of communication system to resist damage and intrusion. Through the analysis and calculation, the validity of this method in the use of limited quantum keys to achieve the business data secure transmission of a large number of terminal was further verified.