Visible to the public Hard Problems: Predictive Security Metrics (IEEE)

SoS Newsletter- Advanced Book Block


SoS Logo

Hard Problems: Predictive Security Metrics (IEEE)


Predictive security metrics are a hard problem in the Science of Security.  A survey of the IEEE Digital Library found sixteen scholarly articles about research into security metrics that were published in 2014.  A separate listing of works published by ACM is referenced under the heading “Hard Problems: Predictive Security Metrics,” and those research works cited by, but not published by ACM, and therefore subject to intellectual property restrictions about the use of abstracts, are cited under the heading “Citations for Hard Problems.”


Savola, R.M.; Kylanpaa, M., "Security Objectives, Controls and Metrics Development for an Android Smartphone Application," Information Security for South Africa (ISSA), 2014, pp.1, 8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950501 Abstract: Security in Android smartphone platforms deployed in public safety and security mobile networks is a remarkable challenge. We analyse the security objectives and controls for these systems based on an industrial risk analysis. The target system of the investigation is an Android platform utilized for public safety and security mobile network. We analyse how a security decision making regarding this target system can be supported by effective and efficient security metrics. In addition, we describe implementation details of security controls for authorization and integrity objectives of a demonstration of the target system.
Keywords: Android (operating system); authorisation; data integrity; decision making; risk analysis; safety;smart phones; Android smartphone application ;authorization objective; industrial risk analysis; integrity objective; metrics development; public safety; security controls; security decision making; security metrics; security mobile networks; security objectives; Authorization; Libraries; Monitoring; Android; risk analysis; security effectiveness; security metrics; security objectives (ID#: 15-4441)


Hatzivasilis, G.; Papaefstathiou, I.; Manifavas, C.; Papadakis, N., "A Reasoning System for Composition Verification and Security Validation," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on, pp.1,4, March 30 2014-April 2 2014. doi: 10.1109/NTMS.2014.6814001 Abstract: The procedure to prove that a system-of-systems is composable and secure is a very difficult task. Formal methods are mathematically-based techniques used for the specification, development and verification of software and hardware systems. This paper presents a model-based framework for dynamic embedded system composition and security evaluation. Event Calculus is applied for modeling the security behavior of a dynamic system and calculating its security level with the progress in time. The framework includes two main functionalities: composition validation and derivation of security and performance metrics and properties. Starting from an initial system state and given a series of further composition events, the framework derives the final system state as well as its security and performance metrics and properties. We implement the proposed framework in an epistemic reasoner, the rule engine JESS with an extension of DECKT for the reasoning process and the JAVA programming language.
Keywords: Java; embedded systems; formal specification; formal verification; reasoning about programs; security of data; software metrics; temporal logic; DECKT; JAVA programming language; composition validation; composition verification; dynamic embedded system composition; epistemic reasoner; event calculus; formal methods; model-based framework; performance metrics; reasoning system; rule engine JESS; security evaluation; security validation; system specification; system-of-systems; Cognition; Computational modeling; Embedded systems; Measurement; Protocols; Security; Unified modeling language (ID#: 15-4442)


Axelrod, C.W., "Reducing Software Assurance Risks for Security-Critical and Safety-Critical Systems," Systems, Applications and Technology Conference (LISAT), 2014 IEEE Long Island, vol., no., pp.1,6, 2-2 May 2014. doi: 10.1109/LISAT.2014.6845212 Abstract: According to the Office of the Assistant Secretary of Defense for Research and Engineering (ASD(R&E)), the US Department of Defense (DoD) recognizes that there is a “persistent lack of a consistent approach ... for the certification of software assurance tools, testing and methodologies” [1]. As a result, the ASD(R&E) is seeking “to address vulnerabilities and weaknesses to cyber threats of the software that operates ... routine applications and critical kinetic systems ...” The mitigation of these risks has been recognized as a significant issue to be addressed in both the public and private sectors. In this paper we examine deficiencies in various software-assurance approaches and suggest ways in which they can be improved. We take a broad look at current approaches, identify their inherent weaknesses and propose approaches that serve to reduce risks. Some technical, economic and governance issues are: (1) Development of software-assurance technical standards (2) Management of software-assurance standards (3) Evaluation of tools, techniques, and metrics (4) Determination of update frequency for tools, techniques (5) Focus on most pressing threats to software systems (6) Suggestions as to risk-reducing research areas (7) Establishment of models of the economics of software-assurance solutions, and testing and certifying software We show that, in order to improve current software assurance policy and practices, particularly with respect to security, there has to be a major overhaul in how software is developed, especially with respect to the requirements and testing phases of the SDLC (Software Development Lifecycle). We also suggest that the current preventative approaches are inadequate and that greater reliance should be placed upon avoidance and deterrence. We also recommend that those developing and operating security-critical and safety-critical systems exchange best-ofbreed software assurance methods to prevent the v- lnerability of components leading to compromise of entire systems of systems. The recent catastrophic loss of a Malaysia Airlines airplane is then presented as an example of possible compromises of physical and logical security of on-board communications and management and control systems.
Keywords: program testing; safety-critical software; software development management; software metrics; ASD(R&E);Assistant Secretary of Defense for Research and Engineering; Malaysia Airlines airplane; SDLC;US Department of Defense; US DoD; component vulnerability prevention; control systems; critical kinetic systems; cyber threats; economic issues; governance issues; logical security; management systems; on-board communications; physical security; private sectors; public sectors; risk mitigation; safety-critical systems; security-critical systems; software assurance risk reduction; software assurance tool certification; software development; software development lifecycle; software methodologies; software metric evaluation; software requirements; software system threats; software technique evaluation; software testing; software tool evaluation; software-assurance standard management; software-assurance technical standard development; technical issues; update frequency determination; Measurement; Organizations; Security; Software systems; Standards; Testing; cyber threats; cyber-physical systems; governance; risk; safety-critical systems; security-critical systems; software assurance; technical standards; vulnerabilities; weaknesses (ID#: 15-4443)


Cain, A.A.; Schuster, D., "Measurement of Situation Awareness Among Diverse Agents in Cyber Security," Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), 2014 IEEE International Inter-Disciplinary Conference on, pp.124,129, 3-6 March 2014. doi: 10.1109/CogSIMA.2014.6816551 Abstract: Development of innovative algorithms, metrics, visualizations, and other forms of automation are needed to enable network analysts to build situation awareness (SA) from large amounts of dynamic, distributed, and interacting data in cyber security. Several models of cyber SA can be classified as taking an individual or a distributed approach to modeling SA within a computer network. While these models suggest ways to integrate the SA contributed by multiple actors, implementing more advanced data center automation will require consideration of the differences and similarities between human teaming and human-automation interaction. The purpose of this paper is to offer guidance for quantifying the shared cognition of diverse agents in cyber security. The recommendations presented can inform the development of automated aids to SA as well as illustrate paths for future empirical research.
Keywords: cognition; security of data; SA; cyber security; data center automation; diverse agents; shared cognition; situation awareness measurement; Automation; Autonomous agents; Cognition; Computer security; Data models; Sociotechnical systems; Situation awareness; cognition; cyber security; information security ;teamwork (ID#: 15-4444)


Elgendy, M.A.; Shawish, A.; Moussa, M.I., "MCACC: New Approach for Augmenting the Computing Capabilities of Mobile Devices With Cloud Computing," Science and Information Conference (SAI), 2014, pp.79,86, 27-29 Aug. 2014. doi: 10.1109/SAI.2014.6918175 Abstract: Smartphones are becoming increasingly popular with a wide range of capabilities for the purpose of handling heavy applications like gaming, video editing, and face recognition etc. These kinds of applications continuously require intensive computational power, memory, and battery. Many of the early techniques solve this problem by offloading these applications to run on the Cloud due to its famous resources availability. Later, enhanced techniques choosed to offload part of the applications while leaving the rest to be processed on the smartphone based on one or two metrics like power and CPU consumption without any consideration to the communication and network overhead. With the notable development of the smartphone's hardware, it becomes crucial to develop a smarter offloading framework that is able to efficiently utilize the available smartphone's resources and only offload when necessary based on real-time decision metrics. This paper proposed such framework, which we called Mobile Capabilities Augmentation using Cloud Computing (MCACC). In this framework, any mobile application is divided into a group of services, and then each of them is either executed locally on the mobile or remotely on the Cloud based a novel dynamic offloading decision model. Here, the decision is based on five realtime metrics: total execution time, energy consumption, remaining battery, memory and security. The extensive simulation studies show that both heavy and light applications can benefit from our proposed model while saving energy and improving performance compare to previous techniques. The proposed MCACC turns the smartphones to be more smarter as the offloading decision is taken without any user interaction.
Keywords: cloud computing; face recognition; smart phones; CPU consumption; MCACC; battery; cloud computing; dynamic offloading decision model; energy consumption; face recognition; gaming ;intensive computational power; memory; mobile capabilities augmentation; mobile devices; network overhead; notable development; offloading framework; real-time decision metrics; realtime metrics; smart phone hardware; smart phone resources ;total execution time; user interaction; video editing; Androids; Batteries; Humanoid robots; Java; Measurement; Mobile communication; Smart phones; Android; battery; mobile Cloud computing; offloading; security; smartphones (ID#: 15-4445)


Hills, M.; Klint, P., "PHP AiR: Analyzing PHP Systems With Rascal," Software Maintenance, Reengineering and Reverse Engineering (CSMR-WCRE), 2014 Software Evolution Week - IEEE Conference on, pp.454,457, 3-6 Feb. 2014. doi: 10.1109/CSMR-WCRE.2014.6747217 Abstract: PHP is currently one of the most popular programming languages, widely used in both the open source community and in industry to build large web-focused applications and application frameworks. To provide a solid framework for working with large PHP systems in areas such as evaluating how language features are used, studying how PHP systems evolve, program analysis for refactoring and security validation, and software metrics, we have developed PHP AiR, a framework for PHP Analysis in Rascal. Here we briefly describe features available in PHP AiR, integration with the Eclipse PHP Development Tools, and usage scenarios in program analysis, metrics, and empirical software engineering.
Keywords: Internet; object-oriented languages; program diagnostics; public domain software; security of data; software maintenance; software metrics; Eclipse PHP development tools; PHP AiR; PHP system analysis; Rascal; Web-focused applications; application frameworks; empirical software engineering; open source community; program analysis; programming languages; refactoring; security validation; software metrics; Java; Libraries; Manuals; Performance analysis; Runtime; Software (ID#: 15-4446)


Rostami, M.; Wendt, J.B.; Potkonjak, M.; Koushanfar, F., "Quo Vadis, PUF?: Trends and challenges of emerging physical-disorder based security," Design, Automation and Test in Europe Conference and Exhibition (DATE), 2014, pp.1,6, 24-28 March 2014. doi: 10.7873/DATE.2014.365 Abstract: The physical unclonable function (PUF) has emerged as a popular and widely studied security primitive based on the randomness of the underlying physical medium. To date, most of the research emphasis has been placed on finding new ways to measure randomness, hardware realization and analysis of a few initially proposed structures, and conventional secret-key based protocols. In this work, we present our subjective analysis of the emerging and future trends in this area that aim to change the scope, widen the application domain, and make a lasting impact. We emphasize on the development of new PUF-based primitives and paradigms, robust protocols, public-key protocols, digital PUFs, new technologies, implementations, metrics and tests for evaluation/validation, as well as relevant attacks and countermeasures.
Keywords: cryptographic protocols; public key cryptography; PUF-based paradigms; PUF-based primitives; Quo Vadis; application domain; digital PUF; hardware realization; physical medium randomness measurement; physical unclonable function; physical-disorder-based security; public-key protocol; secret-key based protocols; security primitive; structure analysis; subjective analysis; Aging; Correlation; Hardware; NIST; Protocols; Public key (ID#: 15-4447)


Witkowski, M.; Igras, M.; Grzybowska, J.; Jaciow, P.; Galka, J.; Ziolko, M., "Caller Identification by Voice," Pacific Voice Conference (PVC), 2014 XXII Annual, pp.1,7, 11-13 April 2014. doi: 10.1109/PVC.2014.6845420 Abstract: The aim of our work is to develop the software for caller identification or to create his characteristic by analysis of his voice. Based on collected speech samples, our system aims to identify emergency callers both on-line and off-line. This homeland security project covers speaker recognition (when speaker's speech sample is known), speaker's gender, age detection and recognition of emotions. Proposed system is not limited to bio-metrics. The goal of this application is to provide an innovative, supporting tool for rapid and accurate threat detection and threat neutralization. This complex system will include: a speech signal analysis, an automatic development of speech patterns database and appropriate classification methods.
Keywords: emotion recognition; national security; signal classification; speaker recognition; speech intelligibility; age detection; automatic development of; biometrics; caller identification; classification methods; emergency callers identification; emotion recognition; homeland security project; innovative supporting tool; software development; speaker gender; speaker recognition; speaker speech sample; speech patterns database; speech signal analysis; threat detection; threat neutralization; voice analysis; Acoustics; Databases; Feature extraction; Hidden Markov models; Psychoacoustic models; Spectrogram; Speech; Acoustic Background Detection; Age Detection; Emotion Detection; Speaker Identification; Speaker Recognition; Speaker Verification (ID#: 15-4448)


Parihar, J.S.; Rathore, J.S.; Burse, K., "Agent Based Intrusion Detection System to Find Layers Attacks," Communication Systems and Network Technologies (CSNT), 2014 Fourth International Conference on, pp.685,689, 7-9 April 2014. doi: 10.1109/CSNT.2014.144 Abstract: The development and advancement in communication technology and its related techniques, users have experienced the joy of the fast information technology era. Advancements in thin devices such as smart phone like windows phone or Google Android phones has a key factor to glue on network access service. The most amazing fact is that conventional TCP/IP model has driven all the services to the end user with some valuable enrichment on it. The key metrics play an important role to keep the information intact-Confidentiality, Integrity and Availability (CIA). Intrusion detection system prevents unauthorized access of computer without giving permission and detection helps to us to determine whether or not someone attempted to break into our system. In this paper we present an enhanced Agent Based [1-2] security model to discover unknown attacks or intrusion. Proposed system works in dual mode, network and host. In network model the real time traffic behavior (flows /attribute) has captured from the network while in host mode the user logs and user activity has been checked and monitored from. Attributes collected from both the mode, i.e. Network as well as host traffic with respect to the time as well as acknowledgment of protocol. In Proposed "Agent Based Intrusion Detection System" (ABIDS) has designed five types of agents to shield from both side (Host and Network). Agents are works in distributed manner to and communicate with each other to check the abnormality (suspicious) of the incoming traffic or logs via ACL.
Keywords: computer network security; multi-agent systems; software agents; transport protocols; ABIDS;CIA metrics; Google Android phones ;Internet protocol;TCP/IP model; Windows phone; agent based intrusion detection system; agent based security model; communication technology; confidentiality-integrity-availability metrics; information technology; smart phone; traffic behavior; transport control protocol; user activity; user logs; Communication systems; ACL; Agent; DoS; IDPS; IDS; IPS; Intrusion Detection; JADE; MAS; Network security: Layers Attacks (ID#: 15-4449)


Chandrasekhar, A.M.; Raghuveer, K., "Confederation of FCM Clustering, ANN and SVM Techniques to Implement Hybrid NIDS Using Corrected KDD Cup 99 Dataset," Communications and Signal Processing (ICCSP), 2014 International Conference on, pp.672,676, 3-5 April 2014. doi: 10.1109/ICCSP.2014.6949927 Abstract: With the rapid advancement in the network technologies including higher bandwidths and ease of connectivity of wireless and mobile devices, Intrusion detection and protection systems have become a essential addition to the security infrastructure of almost every organization. Data mining techniques now a day play a vital role in development of IDS. In this paper, an effort has been made to propose an efficient intrusion detection model by blending competent data mining techniques such as Fuzzy-C-means clustering, Artificial neural network(ANN) and support vector machine (SVM), which is significantly improvises the prediction of network intrusions. We implemented the proposed IDS in MATLAB version R2013a on a Windows PC having 3.20 GHz CPU and 4GB RAM. The experiments and evaluations of proposed method were performed with Corrected KDD cup 99 intrusion detection dataset and we used sensitivity, specificity and accuracy as the evaluation metrics. We attained detection accuracy of about 99.66% for DOS attacks, 98.55% for PROBE, 98.99% for R2L and 98.81% for U2R attacks. Results are compared with relevant existing techniques so as to prove efficiency of our model.
Keywords: data mining; mathematics computing; neural nets; security of data; support vector machines; ANN techniques; FCM clustering; Matlab; SVM techniques; artificial neural network; corrected KDD cup 99 dataset; data mining ;fuzzy-C-means clustering; hybrid NIDS; intrusion detection; mobile devices; protection systems; support vector machine; wireless devices; Accuracy; Artificial neural networks; Databases; Measurement; Probes; Random access memory; Support vector machines; Artificial Neural Networks; Corrected KDD cup 99;Fuzzy-C-means Clustering; Intrusion Detection System; Support Vector Machine (ID#: 15-4450)


Michaels, Alan J.; Lau, Chad, "Performance of Percent Gaussian Orthogonal Signaling Waveforms," Military Communications Conference (MILCOM), 2014 IEEE, pp.338,343, 6-8 Oct. 2014. doi: 10.1109/MILCOM.2014.61 Abstract: Recent developments of secure digital chaotic spread spectrum communication systems have been based on the generalized ideals of maximum channel capacity and maximal entropy/security, which result in a Gaussian-distributed noise like signal that is indistinguishable from naturally occurring (band limited) thermal noise. An implementation challenge associated with these waveforms is that the signal peak-to average power ratio (PAPR) is approximately that of an i.i.d Gaussian distributed random sequence, with infinite tails in the Gaussian distribution, modeled practically by a Gaussian distribution truncated to ±4.8s, the peak excursions of the output can be 13-15 dB over that of the average signal power. To address this PAPR constraint, a series of "percent Gaussian" orthogonal signaling waveforms were developed, allowing parameterized waveform selection that compactly trade PAPR improvements with cyclostationary feature content, these waveforms are bounded by the Gaussian distributed digital chaos signal and a constant amplitude zero autocorrelation (CAZAC) signal, all of which deliver security advantages over traditional direct sequence spread spectrum (DSSS) waveforms. This paper presents an underlying model for these "percent Gaussian" waveforms, derives a generalized set of symbol error rate metrics. Discussion of the performance bounds is also presented.
Keywords: Chaotic communication; Correlation; Noise; Peak to average power ratio; Receivers; Spread spectrum communication; CAZAC; digital chaos; percent Gaussian (ID#: 15-4451)


Almutairi, A.; Shawly, T.A.; Basalamah, S.M.; Ghafoor, A., "Policy-Driven High Assurance Cyber Infrastructure-Based Systems," High-Assurance Systems Engineering (HASE), 2014 IEEE 15th International Symposium on, pp.146,153, 9-11 Jan. 2014. doi: 10.1109/HASE.2014.28 Abstract: The objective of this paper is to present major challenges and a framework for modeling and managing context-aware policy-driven Cyber Infrastructure-Based Systems (CIBS). With the growing reliance on Cyber technology providing solutions for a broad range of CIBS applications, comes the high assurance challenges in terms of reliability, trustworthiness and vulnerabilities. The paper proposes a development framework to allow dynamic reconfigurability of CIBS components under various contexts to achieve a desired degree of assurance.
Keywords: cloud computing; software reliability; ubiquitous computing; CIBS component dynamic reconfigurability; cloud computing; context-aware policy-driven cyber infrastructure-based systems; cyber technology; policy-driven high assurance cyber infrastructure-based systems; reliability; trustworthiness; vulnerabilities; Availability; Complexity theory; Context; Linear programming; Measurement; Security; CIBS optimization; cloud computing; cyber-physical systems; high assurance metrics; policy composition (ID#: 15-4452)


Pirinen, Rauno, "Studies of Integration Readiness Levels: Case Shared Maritime Situational Awareness System," Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint, pp.212,215, 24-26 Sept. 2014. doi: 10.1109/JISIC.2014.79 Abstract. The research question of this study is: How Integration Readiness Level (IRL) metrics can be understood and realized in the domain of border control information systems. The study address to the IRL metrics and their definition, criteria, references, and questionnaires for validation of border control information systems in case of the shared maritime situational awareness system. The target of study is in improvements of ways for acceptance, operational validation, risk assessment, and development of sharing mechanisms and integration of information systems and border control information interactions and collaboration concepts in Finnish national and European border control domains.
Keywords: Buildings; Context; Control systems; Information systems; Interviews; Measurement; Systems engineering and theory; integration; integration readiness levels; maturity; pre-operational validation; situational awareness (ID#: 15-4453)


Chaudhary, R.; Chatterjee, R., "Reusability in AOSD - The Aptness, Assessment and Analysis," Optimization, Reliabilty, and Information Technology (ICROIT), 2014 International Conference on,  pp.34,39, 6-8 Feb. 2014. doi: 10.1109/ICROIT.2014.6798291 Abstract: Aspect-Oriented Programming (AOP) is an emerging technique that has profound impact in the area of software development. AOP aims to ease maintenance and promotes reuse of software components by providing mechanism for implementing cross-cutting concerns. Examples of cross-cutting concerns are readability, security etc. Reusability is the cost of transferring a module or program to another application. It is the most important criteria for the evaluation of software system. A reusable component will help in better understandability and low maintenance efforts for the application. Therefore, it is necessary to estimate reusability of the component, before integrating it into the system. In the present study, our focus is on those AO languages that have features of Java and AO technology. In this category, we have selected the Aspect AOP language. The MATLAB and Fuzzy logic approach have been used for the assessment of reusability in Aspect-Oriented Systems.
Keywords: Java; aspect-oriented programming; fuzzy logic; fuzzy set theory; security of data; software maintenance; software metrics ;software reusability; AO technology; AOSD; Aspect AOP language; Java technology; MATLAB; analysis; aptness; aspect oriented metrics; aspect-oriented programming; assessment; cross-cutting concerns; fuzzy logic approach; software component maintenance; software component reusability; software development; software system evaluation; Measurement; Syntactics; Aspect Oriented Metrics; Aspect-Oriented Software development (AOSD); FuzzyLogic (ID#: 15-4454)


Yangsong Wu; Yibiao Yang; Yangyang Zhao; Hongmin Lu; Yuming Zhou; Baowen Xu, "The Influence of Developer Quality on Software Fault-Proneness Prediction," Software Security and Reliability (SERE), 2014 Eighth International Conference on, pp.11,19, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.14 Abstract: Previous studies have shown that process metrics are useful for building fault-proneness prediction models. In particular, it has been found that those process metrics incorporating developer experience (defined as the percentage of the code a developer contributes) exhibit a good ability to predict fault-proneness. However, developer quality, which we strongly believe should have a great influence on software quality, is surprisingly ignored. In this paper, we first quantify the quality of a developer via the percentage of history bug-introduce commits over all his/her commits during the development process. Then, we leverage developer quality information to develop eight file quality metrics. Finally, we empirically study the usefulness of these eight file quality metrics for fault-proneness prediction. Based on eight open source software systems, our experiment results show that: 1) these proposed file quality metrics capture additional information compared with existing process metrics, 2) almost all the proposed file quality metrics have a significant association with fault-proneness in an expected direction, and 3) the proposed file quality metrics can in general improve the effectiveness of fault-proneness prediction models when together used with existing process metrics. These results suggest that developer quality has a strong influence on software quality and should be taken into account when predicting software fault-proneness.
Keywords: public domain software; software fault tolerance; software metrics; software quality; file quality metrics; open source software systems; process metrics; software fault-proneness prediction; software quality; Security; Software; Software reliability; Developer quality ;faultproneness; prediction; process metrics (ID#: 15-4455)


Sethi, M.; Antikainen, M.; Aura, T., "Commitment-Based Device Pairing With Synchronized Drawing," Pervasive Computing and Communications (PerCom), 2014 IEEE International Conference on, pp.181,189, 24-28 March 2014. doi: 10.1109/PerCom.2014.6813959 Abstract: Secure device pairing is a widely studied problem. Local wireless connections such as Bluetooth and WiFi typically rely on user-entered secret keys or manually verified authentication codes. Several recent proposals replace these with contextual or location-dependent sensor inputs, which are assumed to be secret from anyone not present at the location where the pairing takes place. These protocols have to cope with a fuzzy secret, i.e. noisy secret input that differs between the devices. In this paper, we overview such protocols and propose a new variation using time-based opening of commitments. Our protocol has the advantage of treating the fuzzy secret as one piece of data rather than requiring it to be partitioned into time intervals, and being more robust against variations in input entropy than those based on error correction codes. The protocol development is motivated by the discovery of a novel human source for the fuzzy secret: synchronized drawing with two fingers of the same hand on two touch screens or surfaces. Metrics for measuring the distance between the drawings are described and evaluated. We implement a prototype of this surprisingly simple and natural pairing mechanism and show that it accurately differentiates between true positives and man-in-the-middle attackers.
Keywords: fuzzy set theory; mobile computing; protocols; security of data; Bluetooth; WiFi; Wireless Fidelity; commitment-based device pairing; contextual-dependent sensor inputs; device pairing security; error correction codes; fuzzy secret; input entropy; location-dependent sensor inputs; man-in-the-middle attackers; manually verified authentication codes; synchronized drawing; time intervals; time-based commitment opening; user-entered secret keys; wireless connections; Authentication; Cryptography; Entropy; Noise measurement; Protocols; Synchronization (ID#: 15-4456)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.